How to disable Windows "Magic Bytes" behavior?

Discussion in 'other security issues & news' started by Devinco, Jun 28, 2006.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Is there any way to disable Windows "Magic Bytes" behavior?
    A registry tweak, utility, or patch?

    Not something that merely masks the behavior or its effects, like say running a limited user account that would limit the amount of damage that an exploit would cause.
    Something that actually stops the behavior from occurring in the first place.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Is this a real security issue? Do you perhaps have more info on how malware might use this tech, I never really thought about it. :shifty:
     
  3. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Rasheed187,

    Yes, and here's why.
    The "Magic Bytes" behavior appears to boil down to this: For at least some file types, Windows XP will process the file based on its content instead of its extension. This unnecessary behavior allows exploitive malware to hide masked as another file type. It is not the "Magic Bytes" that are the problem. Anti-virus software often uses them as part of the malware identification process.
    It is what Windows XP does with the "Magic Bytes" (the behavior) that allows a file's extension to be completely bypassed. It also allows malware exploits to have more impact and linger more than they should.
    This has occurred during the WMF Exploit last December and it surely will be used again. It's a handy way for malware authors to extend the life of their exploits that MS has given them.

    I don't want this type of behavior on my computer and I want it disabled.
    It is basically no different than someone wanting to disable a potentially vulnerable service in Windows XP. This behavior exists somewhere in the OS, maybe a dll or two, the registry, or a service, but it's there.

    Just as heuristics have been used with great success to detect new malware based on behaviors, maybe we should start looking at the underlying behaviors of the OS and software that allow malware to exist in the first place. Instead of just patching over the symptoms, we should be curing the real problems.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    And what about the "Open files based on content, not file extension" setting in IE's security options, has this setting anything to do with the "Magic Bytes" behaviour? I still don't know if it's best to enable or disable this setting. But it might have nothing to do with your problem, see the part about "MIME Handling Enforcement".

    http://www.microsoft.com/windows/ie/community/columns/improvements.mspx
     
    Last edited: Jun 30, 2006
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks for the link to the article.

    "MIME Handling Enforcement" appears to be related or similar, but how, I don't have a clue.
    I still can't figure out how to make the LMZ icon appear in the internet properties security tab as shown in the article. In order to look at the settings in the LMZ, it needs to be unlocked. And how to lock LMZ again?
     
  6. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    See this page and scroll down to Showing the "My Computer" security zone.

    Some software, like Samurai HIPS, also has an option to show this zone.
     
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you WSFuser! :)
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Wisemen and Wisewomen of Wilders,

    Do you know the answer to any of these questions?

    1. Is the "Magic Bytes" behavior as described here (WMF Exploit New Windows Vulnerability, Post 32) equal to MIME Handling Enforcement (Open files based on content, not file extension)?
    2. If these are different, where is the "Magic Bytes" behavior controlled from?

    3. During the WMF Exploit early this year, would disabling "Open files based on content, not file extension" in the LMZ prevent a renamed .wmf exploit file (renamed to .jpg) from executing within Windows Explorer?

    4. By doing this (in all the zones), would it help to prevent similar future exploits from hiding as other file types? One could then simply filter out the vulnerable file type until the exploit is patched.
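    The extension-versus-content mismatch Devinco describes in post 3, and the "filter out the vulnerable file type" idea in question 4 above, can be checked on the defender's side without relying on any Windows setting. The following added example (not from this thread or from Microsoft) sniffs the leading bytes of a file, compares the detected type with the claimed extension, and flags files whose real type is on a block list; the sample files, the SAMPLES dictionary and the function names are constructed for illustration.

```python
import os

# Well-known leading-byte signatures: (magic, type name, extensions normally used).
SIGNATURES = [
    (b"\xd7\xcd\xc6\x9a", "wmf", {".wmf"}),        # placeable (Aldus) WMF header
    (b"\x01\x00\x09\x00", "wmf", {".wmf"}),        # standard WMF, memory metafile
    (b"\x02\x00\x09\x00", "wmf", {".wmf"}),        # standard WMF, disk metafile
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"BM", "bmp", {".bmp"}),
    (b"MZ", "exe", {".exe", ".dll", ".scr"}),
]

# Constructed sample files (name -> first bytes); none of this is real malware.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "chart.jpg":   b"\xd7\xcd\xc6\x9a" + b"\x00" * 18,      # WMF content renamed to .jpg
    "logo.png":    b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "diagram.wmf": b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12,
    "notes.txt":   b"some plain text",
}

def sniff_type(data):
    """Return the type name whose signature matches the start of data, else None."""
    for magic, name, _ in SIGNATURES:
        if data[:len(magic)] == magic:
            return name
    return None

def check_file(filename, data):
    """Compare the claimed extension with the sniffed content type.
    Returns (claimed_ext, sniffed_type, mismatch)."""
    ext = os.path.splitext(filename)[1].lower()
    sniffed = sniff_type(data)
    if sniffed is None:
        return ext, None, False          # unknown content: nothing to compare against
    allowed = next(exts for _, name, exts in SIGNATURES if name == sniffed)
    return ext, sniffed, ext not in allowed

def audit(samples, blocked_types=("wmf",)):
    """Return [(name, reason)] for files whose content does not match their
    extension, or whose real type is on the block list regardless of extension."""
    findings = []
    for name, data in samples.items():
        ext, sniffed, mismatch = check_file(name, data)
        if mismatch:
            findings.append((name, f"content is {sniffed} but extension is {ext}"))
        elif sniffed in blocked_types:
            findings.append((name, f"blocked type {sniffed}"))
    return findings
```

    Running audit(SAMPLES) reports chart.jpg (WMF bytes behind a .jpg name) and diagram.wmf (blocked type), while the genuine JPEG, PNG and text files pass.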
     
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Does anybody know where I might find the answer to these questions?
    It appears that the two things are related (maybe the same), but I don't know where to look or who to ask for the answers.
     