Wrong File Extension Scanner

Can anyone offer up some suggestions to a freeware scanner like mentioned that can search out and find "incorrect" file extensions?

I'm still googling for any hits to them so any links, names, etc. are welcome of course.

Thanks.

 

BUMP*

Come one anyone, you must know of some small utility that does this.

 

I think this would be incredibly hard to implement if you think about it. How would a program be able to differentiate between the files? It would have to do something like a hex edit on the program and keep track of all the different signatures and stuff inside the file I guess

So, the application most likely does not exist due to the great difficulty it would require to make it and have accurate results, and it would probably be fairly large and slow.

But, maybe list bump will brin it to someones attention who has one

Cheers,

Alphalutra1

 

Somebody somewhere out there has run across this before and no doubt found a program to to do that.

I know it cannot be that hard to fashion.

Google turns up nothing of any real interest as to a porgram, only reading material. I bet Nirfsoft would take up a tiny project like this,

 

Hello EASTER.2010

Yeah, I always handle extensions manually, and it's a real pain. But what exactly is "incorrect" here? Alphalutra1 has a point, Windows has a lot of unassociated extensions by default. If you have a problem with a few associations, I can give you a hand, but it seems to me that you are searching for a CLASSES registry editor here. Well, a thought...

Regards

 

Thanks for reply.

You see, with all the malwares releasing payloads all the time it occurred to me a very elementary possiblity that old 98 virus writers used to employ. Not so much hiding an exe inside a bmp graphics file although that is very relevant and has happened more than a few times.

I did a simple test. I renamed some files locally from say a exe to a dll and also from wmv to dat and so forth.

How on earth would we possibly know if one of our Non-System files were targeted by having it's extension changed to something other than it's authentic ext? We wouldn't. Possibly only a very good AV would pick up on it but then only if a malicious file matched it's signature base.

Does this picture become clearer now. I hope so. Nirsoft is a software/freeware site that specializes in driving right to the heart of many items and making clear exact files as they should be but i have yet to find a single program that could do a simple scan of all files and verify that they have genuine extensions and if not would flag for us those that the extensions were not authentic.

This to me would complete the circle of possibilities which could take place where we as users would have no idea if a dat was in fact some exe or dll hiding well disguised untill called on to do some damage or compromise files on our machine that even AV's wouldn't be able to pick up on.

Thus my quest for some program that can do a scan to accurately report those results.

Thanks EASTER

 

Hello EASTER.2010.

Well, you should've stated that initially. This thread is taking a sharp U-turn. Now I agree with Alphalutra1 completely. So,

I believe a good AV with good heuristics would pick up on that.

Regards

 

Good AVs have a proper filetype engine.

 

Hi,

If that's the question, then a file-integrity-checker will do it

 

Thanks guys and i really appreciate your inputs but something tells me that there has to be a simple scanner out there someplace that was fashioned to particurly to do that simple scan and then indicate exactly which file extensions have been renamed either by design or deliberately and show thoses.

I would think something on this order would be right up NirSoft's alley because they are Masters at designing small standalone programs that reveal all sorts of discoveries not found in most products.

This is very important because i suspect they will reach back at some point and devise such an intrusion technique again, because lets face it, we wouldn't have a clue if they suddendly bombarded the internet with a trick like the old 98 days.

And i can see from the replies so far that you too are at a loss too just like me to offer any kind of program (be it simple or not) that could perform a file ext integrity check like i'm looking to find.

Thanks

 

EASTER.2010,

If you find such standalone, by all means repost back here with info.

Cheers

 

Not a scanner, but applications to monitor attempted file changes are around.
A HIPS program should do it.
I have two applications that monitor file type changes; Winpatrol and SpywareTerminator.
Winpatrol won't scan, but does guard, and can (usually) reverse changes.
SpywareTerminator monitors in real time, and will pop up a warning every time an attempted change is detected.

 

Both NISFileCheck and ADinf32 Pro will do it (depending on your settings for them).
Both are on-demand file-integrity-checkers.

Suppose you have test.txt file.
Later you want to be sure that it has not been changed into test.exe .

NISFileCheck:
You don't need to have the file test.txt in its database.
You run NISFileCheck and let it search for new files with extension .exe
NISFileCheck will detect the new file test.exe .
So now it is up to you to ask yourself what has happened.
Of course it would have been easier if you had the file test.txt in its database already.

ADinf32 Pro:
Let it build its database while the file test.txt is on your system.
I assume you have ADinf32 set up to look for all files.
Change test.txt into test.exe and run ADinf32 again.
ADinf32 will warn you (it is always wise to check its logfile).

 

To EASTER.2010 I think I have what you wanted and I think it was you that used to use this. Tiny Watcher can be configured to monitor all files on your OS for change and or deletion. Here is an example of me renaming one of my programs .dll file to .txt. Although I renamed it and did not delete it Tiny flags it as saying that something has happened to it. Even though it doesnt specifically say the files' extension was renamed this alone will alert you as to something not being right. Tiny Watcher is very excellent as an on demand scanner I have it configured to scan all files to do this just delete all entries in the options area of the Volatile files & the Ignored files area. I like this program cause it takes but 10 seconds or less to the scanning, it even covers areas of the registry both seen and hidden. I have personally tested this scanner against several types of "live maleware and RKs' it caught the new and hidden stuff that these baddies created. For this to work best always have tiny set up on a totally clean system that has all your configurations and other stuff already set. This scanner willl even alert you when the real files' contents have been modified. This scanner is 1 of 4 things I use all of them taking less than 10 seconds which will tell me to do a clean system restore or not.

 

PS:

Hi yankinNcrankin,

Do you have a link to the website of that Tiny Watcher?

TIA

 

http://www.donationcoders.com/kubicle/watcher/

Gerard

 

Bedankt Gerard !

Groetjes, Jan.

(in English: Thanks Gerard !)

 

I already have WATCHER but it only watches from Windows down, guess i could expand it's coverage but i like a fast boot up.

Looks like i'll resort to the normal file checkers scan and then having to do another one a day later to compare results because i not found anything that can scan the system and confirm a file extension is been changed on-the-fly and that's exactly what some malwares work at doing.

 

I guess that FileChangeAlarm (the brother of NISFileCheck) can do it. But Albert's site is off-line.
And then there is another app that probably will do it, but then you have to pay several thousands of dollars...

 

Can you tell all of those 4 prorgrams, please?!

-MikeNAS

 

Hello,
Easter, let's say malware hides in an .exe that was renamed to .txt. Well, when you open it in a text editor, it will simply display characters, it will not run. So no harm there. I thought you aimed at this from the functionality point of view.
Mrk