Two questions for security experts...

Discussion in 'other security issues & news' started by Zapco_force, Mar 23, 2015.

  1. Zapco_force

    Zapco_force Registered Member

    Joined:
    May 17, 2013
    Posts:
    84
    Location:
    Italy
    Good evening, I would need two clarifications:

    1) How to check if MBR of my hdd system is clean (or infected)?

    2) Can files with innocuous extensions such as .reg, .sim, .jpg, .dat, .xml, etc. contain and/or transmit malware?

    Thanks.
     
  2. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,101
    Last edited: Mar 23, 2015
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    All of those can potentially be used to deliver malware or serve as components of malware. Several years ago, JPGs were being actively used for just that purpose. A .reg file that removes the startup entries for security apps would be another example.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Unless you're using an outdated version of popular software to open them, the contained malware is highly unlikely to execute and will usually result in a corrupt file.
     
  5. Zapco_force

    Zapco_force Registered Member

    Joined:
    May 17, 2013
    Posts:
    84
    Location:
    Italy
    I've just used Avast aswMBR, but unfortunately it cannot finish the scan because it always crashes :(....and strangely the crash always occurs
    when it scans the folder C:\Windows\assembly
    However, at the beginning of the scan report, I can read: "Windows 7 default MBR code" and "disk0 default boot code".
    So I hope that my hdd is ok, and that the MBR is clean .... right?
     
  6. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Any scanner is almost certainly only going to check if the MBR contains files that match the MD5 of known malware, which I don't think is particularly effective.

    A .reg is a registry file which can screw up all sorts of important settings, for example disabling Task Manager. Pretty much any file imaginable can contain some sort of exploit.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That statement would apply to known exploits. With new ones, who knows. Office file formats are still regularly used to deliver malware. Several in that list are text files: reg, xml, many dat files. To that you can add .bat, .ini, .hta, all script formats, and others. Plain old text files can be nasty if the file extension gets changed. Internet Explorer used to treat HTAs like trusted sites, no matter what they did or where they connected to.
     
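Added example (not posted by anyone in this thread): two checks that put the points above into practice. The first compares a file's leading bytes against a short signature list so that a renamed executable saved as .jpg, or a .txt that is really HTML/script, is flagged regardless of its extension. The second parses a .reg file and reports key deletions (`[-HKEY_...]`), value deletions (`"name"=-`) and any value written under autorun or policy keys, which is exactly the "remove the security app's startup entry" or "disable Task Manager" pattern described. The signature list, the watched-key list, the file names and the sample .reg content are all constructed for this example.

```python
"""Content-vs-extension check and .reg audit (added example, constructed data)."""
import os
import re

# Constructed signature table: leading bytes -> content type
MAGIC = [
    (b"MZ", "Windows executable (PE)"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP container (also docx/xlsx/jar)"),
    (b"%PDF", "PDF document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound file (legacy Office)"),
]
# What we expect to find behind a given extension (assumption for this example)
EXPECTED = {
    ".jpg": "JPEG image", ".jpeg": "JPEG image", ".png": "PNG image",
    ".pdf": "PDF document", ".exe": "Windows executable (PE)",
    ".txt": "text", ".reg": "text", ".xml": "text",
}
# Markers that make a "text" file something a browser/mshta would execute
SCRIPT_MARKERS = (b"<script", b"<html", b"<hta:application")


def identify(data: bytes) -> str:
    """Classify content by leading bytes, falling back to a text heuristic."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    head = data[:4096]
    if b"\x00" in head:
        return "unknown binary"
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown binary"
    if any(m in head.lower() for m in SCRIPT_MARKERS):
        return "HTML/script text"
    return "text"


def mismatches(files: dict) -> list:
    """files: {name: bytes}. Returns (name, expected, actual) where content contradicts extension."""
    out = []
    for name, data in files.items():
        expected = EXPECTED.get(os.path.splitext(name)[1].lower())
        actual = identify(data)
        if expected is not None and actual != expected:
            out.append((name, expected, actual))
    return out


# Key fragments (lower-case) whose values control what runs at logon or what the user may run
WATCHED = ("\\currentversion\\run", "\\winlogon", "\\policies\\",
           "\\image file execution options")
VALUE_RE = re.compile(r'^("(?P<q>[^"]*)"|(?P<at>@))\s*=\s*(?P<data>.*)$')


def audit_reg(text: str) -> list:
    """Report deletions and writes to watched keys in .reg file syntax."""
    findings, key, watched = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):          # [-HKEY_...] deletes the whole key
                key = key[1:]
                findings.append(("deletes key", key))
            watched = any(w in key.lower() for w in WATCHED)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = m.group("q") if m.group("q") is not None else "@"
        if m.group("data").strip() == "-":   # "name"=- deletes the value
            findings.append(("deletes value", key + "\\" + name))
        elif watched:
            findings.append(("sets value in watched key", key + "\\" + name))
    return findings


# Constructed sample .reg: removes a (made-up) AV service and tray entry, disables Task Manager
SAMPLE_REG = """Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ExampleAV]

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"SecurityTray"=-

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableTaskMgr"=dword:00000001
"""

# Constructed sample files (names and bytes are made up for the example)
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "invoice.jpg": b"MZ\x90\x00" + b"\x00" * 16,             # PE renamed to .jpg
    "readme.txt": b"plain notes\n",
    "notes.txt": b"<html><script>alert(1)</script></html>",  # text, but script
    "fix.reg": SAMPLE_REG.encode(),
}

if __name__ == "__main__":
    for hit in mismatches(SAMPLE_FILES):
        print("extension mismatch:", hit)
    for hit in audit_reg(SAMPLE_REG):
        print("reg finding:", hit)
```

Neither check proves a file is malicious: a PE renamed to .jpg does nothing until something runs it, and a .reg file only changes settings when it is merged. What they give you is the list of files worth a closer look before double-clicking.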
  8. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    136
    Beware, even .txt files can contain malware! An example is discussed in the following blog post:
    http://hexatomium.github.io/2015/03/31/why/
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I experienced the same issue, it stopped (not crash) in assembly folder. I found some others also experienced it. I temporarily blocked access for the folder by old version of Toolwiz TimeFreeze and it worked, but Avast should fix this.

    As krustytheclown2 said, most scanners check the MBR for known bootkits and their derivations (heuristics), though not by MD5, but a good scanner also compares behavior between going through the OS and through direct disk access upon system boot, as well as network activity, so saying they can only detect known bootkits is a bit too much.

    Other than a disguised extension, any extension can hide malware via steganography, but an attacker needs another executable or script to launch that hidden malware. It's true any file type can contain an exploit, but an exploit is not malware, and practically what J_L said is true, as 0-day exploits are rare unless you're targeted by a skilled attacker.

    Disclaimer: I'm not an expert.
     
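Added example (not posted by anyone in this thread): what a "default MBR code" verdict like the one in Zapco_force's aswMBR report amounts to, and how the cross-view comparison Yuki2718 mentions fits in. The code parses a 512-byte MBR (440 bytes of boot code, disk signature, four partition entries, 0x55AA), hashes the boot-code region and compares it against a baseline of known-good hashes, checks the partition table for more than one active entry or overlapping entries, and exposes a byte-for-byte comparison of two reads of the same sector. The sample sectors, the "known-good" boot code bytes and the baseline hash set are all constructed here; a real baseline would come from the same installer/OS version as the disk.

```python
"""MBR parse, baseline hash check and two-view compare (added example, constructed data)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, 440)[0]
    parts = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": disk_sig, "partitions": parts}


def check_mbr(sector: bytes, known_good_hashes: set) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    info = parse_mbr(sector)
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code does not match any known-good hash")
    if sum(1 for p in info["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged active")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                   for p in info["partitions"])
    for (a0, a1), (b0, b1) in zip(spans, spans[1:]):
        if b0 < a1:
            findings.append("partition entries overlap")
            break
    return findings


def compare_views(os_view: bytes, raw_view: bytes) -> bool:
    """True if the sector read through the OS equals the one read another way.

    A bootkit that hooks disk I/O can hand a clean copy to a normal read; a
    mismatch between two independent reads is the signal, not the hash alone.
    """
    return os_view == raw_view


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: pad boot code to 440 bytes, one active partition, 0x55AA."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return (boot + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
            + entry + b"\x00" * 48 + BOOT_SIG)


# Constructed "default" boot-code prologue and a tampered variant
CLEAN = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED = build_sample_mbr(b"\xeb\xfe")
BASELINE = {hashlib.sha256(CLEAN[:BOOT_CODE_LEN]).hexdigest()}  # assumed known-good set

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN, BASELINE))
    print("tampered:", check_mbr(TAMPERED, BASELINE))
    print("views agree:", compare_views(CLEAN, TAMPERED))
```

To run this against a real disk, read the first 512 bytes from the raw device (`\\.\PhysicalDrive0` on Windows with administrator rights, `/dev/sda` on Linux) and pass them to `check_mbr`; the functions only ever see a byte buffer. The hash check catches a replaced boot sector, but a resident bootkit can lie to the reader, which is why the two-view comparison (or booting clean media and reading the disk from there) is the stronger test.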