
Thread: Gah! Need better anti-bug stuff

#25 Sevis (Member; Netherlands; joined Oct 2009; 165 posts)

Re: Gah! Need better anti-bug stuff

    Quote Originally Posted by Tellos Athenaios View Post
    I do not know where you got that idea from. But in short: it is wrong. First of all: many of those are container formats (thus: containing fairly arbitrary data by design). Secondly some of these formats (e.g. GIF) are actually a relatively well-known attack vector: these formats can act as a mask for download scripts for instance.

    But even if the other 2 arguments are not a concern: by design a file on an NTFS partition contains an *arbitrary* amount of *arbitrary* data streams. You can access them socket-style: \\path\to\file:streamId. So it is the easiest thing in the world for a piece of malware to simply attach another, arbitrary data stream to given data.

    This is the actual reason why it would indeed be a bad thing to copy DLLs or EXE files. Not because those file formats themselves are so insecure (indeed, these formats take more data-integrity precautions than most; embedding checksums for instance) but because these formats contain executable code -- which combined with the NTFS idea of a file means that it becomes possible to inject *executable* code into other files. A decent AV kit should check for such attached data streams though.
    The fact they are container formats - and thus they are supposed to contain arbitrary data - is a reason to consider them safe. They are not supposed to be executed under any conditions. A viewer that runs any sort of script from a .gif is highly insecure and should not be used, period.

    I didn't know about the NTFS data streams (and I still see very little point in such a function), but what would trigger those streams? Are they opened at the same time as the main file (in which case, they can do as much damage as the file itself - thus, in the case of a .dll or .exe, lots, but none as plain text), or must they be called separately? And, if they must indeed be called separately, what would call them on a freshly installed system?

    EDIT: And would copying the files over to the tmpfs, before moving them over to a FAT32 not get rid of these streams? Does FAT32 even support them?
    Last edited by Sevis; 12-07-2009 at 09:59.
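The questions in the post above (are alternate data streams opened together with the main file, and does copying through a FAT32 volume strip them) can be answered by trying it. The following PowerShell session is an added example, not code from the thread or from either poster. It assumes an NTFS volume at C:\ and a FAT32 volume at E:\ (both are assumptions; adjust the drive letters), and PowerShell 3.0 or later, which has the -Stream parameter on the file cmdlets. Windows itself uses a named stream for a legitimate purpose: the Zone.Identifier stream that browsers attach to downloads ("mark of the web"), which is what Unblock-File removes.

```powershell
# Added example (not from the thread): NTFS alternate data streams (ADS).
# Assumptions: C:\ is NTFS, E:\ is FAT32, PowerShell 3.0+ (has -Stream).

$ntfsFile = 'C:\temp\sample.txt'
$fatFile  = 'E:\sample.txt'          # assumed FAT32 destination
New-Item -ItemType Directory -Path (Split-Path $ntfsFile) -Force | Out-Null

# 1. Ordinary file content lives in the unnamed stream (shown as ':$DATA').
Set-Content -Path $ntfsFile -Value 'harmless text'

# 2. Attach a second, named stream. The main file is unchanged: same size in
#    dir/Explorer listings, same bytes when opened the normal way.
Set-Content -Path $ntfsFile -Stream 'hidden' -Value 'constructed sample data'

# 3. Enumerate every stream on the file. This is the check an AV engine or a
#    reviewer would do; plain Get-Content only ever reads the unnamed stream.
Get-Item -Path $ntfsFile -Stream * | Select-Object Stream, Length
# Expected: two rows, ':$DATA' and 'hidden'.

# 4. The named stream is reached only by naming it explicitly. Opening or
#    running the main file does not touch it; something has to ask for
#    file:stream by name, so the stream does nothing on its own.
Get-Content -Path $ntfsFile -Stream 'hidden'
Get-Content -Path $ntfsFile           # still prints only 'harmless text'

# 5. Copy to the FAT32 volume. FAT32 has no notion of named streams, so only
#    the unnamed stream can arrive; confirm on the destination.
Copy-Item -Path $ntfsFile -Destination $fatFile
Get-Item -Path $fatFile -Stream 'hidden' -ErrorAction SilentlyContinue
# Expected: no 'hidden' stream on the FAT32 copy.

# 6. Alternatively strip the named stream in place on NTFS.
Remove-Item -Path $ntfsFile -Stream 'hidden'
Get-Item -Path $ntfsFile -Stream *    # Expected: only ':$DATA' remains
```

Two points worth keeping in mind when reading the output: the Length shown for the file in a normal directory listing is the size of the unnamed stream only, so a large named stream is invisible there, and a round trip through any filesystem without ADS support (FAT32, most network shares exposing non-NTFS storage) drops the named streams as a side effect, which is the reason the "copy via FAT32" idea in the post does work for this particular concern.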
