Wrong File Extension Scanner

Discussion in 'other software & services' started by EASTER.2010, Mar 5, 2007.

Thread Status:
Not open for further replies.
  1. EASTER.2010

    EASTER.2010 Guest

    Can anyone offer up some suggestions to a freeware scanner like mentioned that can search out and find "incorrect" file extensions?

    I'm still googling for any hits to them so any links, names, etc. are welcome of course.

    Thanks.
     
  2. EASTER.2010

    EASTER.2010 Guest

    BUMP*

    Come on, anyone, you must know of some small utility that does this.
     
  3. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I think this would be incredibly hard to implement if you think about it. How would a program be able to differentiate between the files? It would have to do something like a hex edit on the program and keep track of all the different signatures and stuff inside the file I guess o_O

    So, the application most likely does not exist due to the great difficulty it would require to make it and have accurate results, and it would probably be fairly large and slow.

    But, maybe this bump will bring it to someone's attention who has one o_O

    Cheers,

    Alphalutra1
     
  4. EASTER.2010

    EASTER.2010 Guest

    Somebody somewhere out there has run across this before and no doubt found a program to do that.

    I know it cannot be that hard to fashion.

    Google turns up nothing of any real interest as to a program, only reading material. I bet NirSoft would take up a tiny project like this.
     
    Last edited by a moderator: Mar 8, 2007
  5. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello EASTER.2010

    Yeah, I always handle extensions manually, and it's a real pain. But what exactly is "incorrect" here? Alphalutra1 has a point, Windows has a lot of unassociated extensions by default. If you have a problem with a few associations, I can give you a hand, but it seems to me that you are searching for a CLASSES registry editor here. Well, a thought... :)

    Regards
     
  6. EASTER.2010

    EASTER.2010 Guest

    Thanks for reply.

    You see, with all the malwares releasing payloads all the time it occurred to me a very elementary possibility that old 98 virus writers used to employ. Not so much hiding an exe inside a bmp graphics file although that is very relevant and has happened more than a few times.

    I did a simple test. I renamed some files locally from say a exe to a dll and also from wmv to dat and so forth.

    How on earth would we possibly know if one of our Non-System files were targeted by having its extension changed to something other than its authentic ext? We wouldn't. Possibly only a very good AV would pick up on it but then only if a malicious file matched its signature base.

    Does this picture become clearer now? I hope so. NirSoft is a software/freeware site that specializes in driving right to the heart of many items and making clear exact files as they should be but I have yet to find a single program that could do a simple scan of all files and verify that they have genuine extensions and if not would flag for us those that the extensions were not authentic.

    This to me would complete the circle of possibilities which could take place where we as users would have no idea if a dat was in fact some exe or dll hiding well disguised until called on to do some damage or compromise files on our machine that even AV's wouldn't be able to pick up on.

    Thus my quest for some program that can do a scan to accurately report those results.

    Thanks EASTER
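
The kind of scan being asked for here, sketched as an added example that is not part of any post in this thread or any tool named in it: compare each file's leading "magic" bytes against the extension it carries. The signature table is a small constructed subset, and the function names (`is_pe`, `sniff`, `scan`) are hypothetical.

```python
import os
import struct

# (label, leading magic bytes, extensions that legitimately carry them).
# Deliberately partial: a real file-type engine knows hundreds of formats.
MAGIC = [
    ("PNG image", b"\x89PNG\r\n\x1a\n", {".png"}),
    ("JPEG image", b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    ("GIF image", b"GIF8", {".gif"}),
    ("PDF document", b"%PDF-", {".pdf"}),
    ("ZIP container", b"PK\x03\x04", {".zip", ".jar", ".docx", ".xlsx"}),
    ("ASF media", b"\x30\x26\xb2\x75\x8e\x66\xcf\x11", {".wmv", ".wma", ".asf"}),
]
PE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}

def is_pe(f, head):
    """True if head is an MZ header whose e_lfanew field points at a PE signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    f.seek(e_lfanew)
    return f.read(4) == b"PE\x00\x00"

def sniff(path):
    """Return (label, allowed_extensions) for a recognised format, else None."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if is_pe(f, head):
            return "PE executable", PE_EXTS
    for label, magic, exts in MAGIC:
        if head.startswith(magic):
            return label, exts
    return None

def scan(root):
    """List (relative_path, detected_type) where content contradicts the extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hit = sniff(path)
            except OSError:
                continue  # unreadable or locked file: skip rather than abort
            if hit and os.path.splitext(name)[1].lower() not in hit[1]:
                findings.append((os.path.relpath(path, root), hit[0]))
    return sorted(findings)
```

Content sniffing only flags formats it has a signature for, and it cannot see a rename between two extensions of the same format (an .exe renamed to .dll is still a valid PE file); that case needs a before/after comparison.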
     
  7. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello EASTER.2010.

    Well, you should've stated that initially. This thread is taking a sharp U-turn. Now I agree with Alphalutra1 completely. So,


    I believe a good AV with good heuristics would pick up on that.

    Regards
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Good AVs have a proper filetype engine.
     
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi,

    If that's the question, then a file-integrity-checker will do it ;)
     
  10. EASTER.2010

    EASTER.2010 Guest

    Thanks guys and I really appreciate your inputs but something tells me that there has to be a simple scanner out there someplace that was fashioned particularly to do that simple scan and then indicate exactly which file extensions have been renamed either by design or deliberately and show those.

    I would think something on this order would be right up NirSoft's alley because they are Masters at designing small standalone programs that reveal all sorts of discoveries not found in most products.

    This is very important because I suspect they will reach back at some point and devise such an intrusion technique again, because let's face it, we wouldn't have a clue if they suddenly bombarded the internet with a trick like the old 98 days.

    And I can see from the replies so far that you too are at a loss too just like me to offer any kind of program (be it simple or not) that could perform a file ext integrity check like I'm looking to find.

    Thanks
     
  11. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    EASTER.2010,

    If you find such standalone, by all means repost back here with info. :)

    Cheers ;)
     
  12. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Not a scanner, but applications to monitor attempted file changes are around.
    A HIPS program should do it.
    I have two applications that monitor file type changes; Winpatrol and SpywareTerminator.
    Winpatrol won't scan, but does guard, and can (usually) reverse changes.
    SpywareTerminator monitors in real time, and will pop up a warning every time an attempted change is detected.
     
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564

    Both NISFileCheck and ADinf32 Pro will do it (depending on your settings for them).
    Both are on-demand file-integrity-checkers.

    Suppose you have test.txt file.
    Later you want to be sure that it has not been changed into test.exe .

    NISFileCheck:
    You don't need to have the file test.txt in its database.
    You run NISFileCheck and let it search for new files with extension .exe
    NISFileCheck will detect the new file test.exe .
    So now it is up to you to ask yourself what has happened.
    Of course it would have been easier if you had the file test.txt in its database already.

    ADinf32 Pro:
    Let it build its database while the file test.txt is on your system.
    I assume you have ADinf32 set up to look for all files.
    Change test.txt into test.exe and run ADinf32 again.
    ADinf32 will warn you (it is always wise to check its logfile).
     
    Last edited: Mar 9, 2007
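
The baseline-and-compare workflow described in the post above, as an added example that is not the code of NISFileCheck, ADinf32 or any other tool named in this thread: snapshot every file's SHA-256, then pair paths that disappeared with new paths holding identical content, which exposes a rename such as test.txt to test.exe. The function names and the report layout are hypothetical.

```python
import hashlib
import os

def snapshot(root):
    """Map relative path -> SHA-256 of contents for every readable file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            try:
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                continue  # unreadable or locked file
            db[os.path.relpath(path, root)] = digest.hexdigest()
    return db

def compare(old, new):
    """Classify differences between two snapshots taken with snapshot()."""
    gone = {p: h for p, h in old.items() if p not in new}
    fresh = {p: h for p, h in new.items() if p not in old}
    by_hash = {}
    for path, h in gone.items():
        by_hash.setdefault(h, []).append(path)
    report = {"renamed": [], "added": []}
    for path, h in sorted(fresh.items()):
        if by_hash.get(h):
            # Same bytes under a new name: a rename, not a new file.
            src = by_hash[h].pop()
            del gone[src]
            ext_changed = (os.path.splitext(src)[1].lower()
                           != os.path.splitext(path)[1].lower())
            report["renamed"].append((src, path, ext_changed))
        else:
            report["added"].append(path)
    report["removed"] = sorted(gone)
    report["modified"] = sorted(p for p in old if p in new and old[p] != new[p])
    return report
```

Entries in `renamed` whose third field is true are the extension changes; because the match is on content, this also catches an .exe renamed to .dll, which a magic-byte check cannot distinguish.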
  14. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    To EASTER.2010 I think I have what you wanted and I think it was you that used to use this. Tiny Watcher can be configured to monitor all files on your OS for change and or deletion. Here is an example of me renaming one of my programs .dll file to .txt. Although I renamed it and did not delete it Tiny flags it as saying that something has happened to it. Even though it doesn't specifically say the file's extension was renamed this alone will alert you as to something not being right. Tiny Watcher is very excellent as an on demand scanner I have it configured to scan all files to do this just delete all entries in the options area of the Volatile files & the Ignored files area. I like this program cause it takes but 10 seconds or less to do the scanning, it even covers areas of the registry both seen and hidden. I have personally tested this scanner against several types of "live malware and RKs" it caught the new and hidden stuff that these baddies created. :) For this to work best always have tiny set up on a totally clean system that has all your configurations and other stuff already set. This scanner will even alert you when the real file's contents have been modified. This scanner is 1 of 4 things I use all of them taking less than 10 seconds which will tell me to do a clean system restore or not.
     

    Last edited: Mar 9, 2007
  15. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    PS:

    Hi yankinNcrankin,

    Do you have a link to the website of that Tiny Watcher?

    TIA
     
  16. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
  17. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  18. EASTER.2010

    EASTER.2010 Guest

    I already have WATCHER but it only watches from Windows down, guess I could expand its coverage but I like a fast boot up.

    Looks like I'll resort to the normal file checkers scan and then having to do another one a day later to compare results because I have not found anything that can scan the system and confirm a file extension has been changed on-the-fly and that's exactly what some malwares work at doing.
     
  19. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    I guess that FileChangeAlarm (the brother of NISFileCheck) can do it. But Albert's site is off-line.
    And then there is another app that probably will do it, but then you have to pay several thousands of dollars...
     
  20. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Can you tell all of those 4 programs, please?!

    -MikeNAS
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Hello,
    Easter, let's say malware hides in an .exe that was renamed to .txt. Well, when you open it in a text editor, it will simply display characters, it will not run. So no harm there. I thought you aimed at this from the functionality point of view.
    Mrk
     