5. The ability to execute code


The ability to make a file look like a different type of file, by hiding the file's extension for example, was only the first aspect of this research project. For a virus to be viable, we also need to be able to run code. From the list of hidden extensions displayed in chapter 3, I wanted to find out which of these extensions could be used to execute code, which means that it could potentially be used to propagate a virus or another type of malware. My point? That current mail filtering software that blocks certain types of attachments simply doesn't work. I never thought that this method was a sufficient guard against viruses, since these products always block the same commonly-used file extensions like .EXE, .COM, .VBS, .SHS, .DLL and the like. But they weren't blocking .SHS before IRC/Stages.worm (Life Stages). And the same will happen when a virus uses one of the flaws described in this paper to propagate itself, mainly because of two things: 1) the products are not proactive, they are reactive, i.e. the software (or software makers) make very little effort to block never-used-before file extensions that can spread viruses, and update their products only after the extension has been seen in the wild, and 2) people still use some version of Outlook, which is the weakest link of the chain. Instead of reinforcing the chain by replacing the weakest link, they reinforce the other links, so it is certain that the weakest link (Outlook in this case) will be the culprit when the next virus hype hits their PCs and networks (the chain breaks).

I'll cite as an example the last place I worked at. They were an IT shop that, some months back, purchased a small computer security firm because they had decided that they wanted to sell security(!). They were using Outlook, even though people from the security shop (including me) tried to convince them that it was not a good idea. The risk was too great that we would be infected and have a virus send itself to our customers from our mailboxes. That would have killed all our credibility right there. But they decided to keep it, and even forced us to use it, so that we would be using the same software as everybody else. Guess what happened? Yep! One morning, two PCs got infected with the charming Kournikova virus, which sent some copies of itself internally. Luckily, the two people disconnected their PCs right away, and this prevented any customer from receiving the virus from us. That was a close call. The Kournikova virus slipped past our firewall (which makes sense, since the one is not designed to block the other), our MailSweeper box that filters e-mails for bad attachments, and the Norton Antivirus installed on the PCs. Had they not been using Outlook, the infection would never have occurred.

In fact, the CLSID vulnerability (let's call things by their real names) only makes the problem worse than I originally estimated. At the beginning of this project, I was worried that unknown file extensions could be used to fool people into clicking on a file and activating virulent code; now, thanks to CLSIDs, we also have to worry about already known file extensions, as they too can be made invisible without even tinkering with the system (as opposed to the NeverShowExt registry value, which must be added under the file type's key in the registry in order to hide a "normal" extension), and they slip past filtering software (does your mail filtering agent block attachments of the {48123bc4-99d9-11d1-a6b3-00c04fd91555} type?). To get an idea of how many system objects are defined by CLSIDs, look in the registry under [HKEY_CLASSES_ROOT\CLSID]. Just about every component of all the software you know about on your machine is there, and there is even more from software you probably didn't even know you had. That means you can create a file of any type defined in the system and hide its real nature by replacing the file's extension with the corresponding CLSID: Explorer displays the name without the CLSID part and, when the file is opened, hands it to the handler registered under that CLSID.

The "executability" of a given extension is a relative thing: what you can and cannot do varies from one file type to another. As one reader noted, there are different types of "executable files". The first type, the most common, is files that contain code which is activated by the OS when the file is launched. This includes, but is not limited to, .EXE, .BAT, .COM, .VBS, .PL and the like. The second type resembles the first very much, but the code runs in a sandboxed environment instead of running with full privileges. Such files would be .HTML, .PS and .JS. (One caveat: .JS is only sandboxed when it is embedded in a web page. A standalone .JS file launched from Explorer is handed to the Windows Script Host, exactly like .VBS, and runs with the full privileges of the user, so for attachment filtering it belongs with the first type.) Then some extensions contain executable, fully privileged code, but cannot be run directly: .386, .ASP, .DLL, .DRV and .VXD. (They need a host to load them; a .DLL, for instance, can still be invoked through rundll32.exe, so "cannot be run directly" is not the same as "harmless".) Finally, some files contain code that can be run in a sandboxed environment, but cannot be executed directly from the OS. Such a file type is .CSS.

This research focuses mainly on the first type of files, but the other types can probably be used in some attack scenarios too. It's mostly a matter of ingenuity and imagination to find new ways to do old things :-) The thing is to find out whether the extensions displayed in chapter 3 can be used to run code. I haven't done much testing on this topic yet (if you happen to play with it, let me know your findings), but it would appear to be feasible. For example, .CNF (SpeedDial) could potentially be used to make a file that, once clicked on, would hang up the modem and make it call a number overseas for phone fraud purposes. Preliminary testing shows that the conditions needed for this scenario make it very improbable in the wild, but it is technically feasible. But who knows what these other extensions hold? And when you think that a lot of people are still gullible enough to click on a .TXT.VBS file, think what will happen when the .VBS part is concealed behind .{B54F3741-5B07-11cf-A4B0-00AA004A55E8}?
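As an added example (not code from the paper), here is the filename check I would want a mail filter to perform, covering the CLSID trick described above, the four executability classes, and the .TXT.VBS-behind-a-CLSID case just mentioned. It unhides a trailing .{CLSID} the way Explorer hides it, works out which extension the OS really dispatches on, and classifies it. The CLSID-to-handler mapping would normally come from HKEY_CLASSES_ROOT\CLSID; here only the VBScript CLSID the paper names is hard-coded, an unknown CLSID is reported as unresolved and blocked, and the attachment names are constructed:

```python
import re

# Added example, not code from the paper. It performs the filename check a
# mail filter needs once CLSID extensions are in play: unhide a trailing
# ".{CLSID}" the way Explorer hides it, work out which extension the OS really
# dispatches on, and place it in one of the four executability classes.

# A CLSID is a GUID in braces: 8-4-4-4-12 hex digits, case-insensitive.
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# The four classes from the text. Illustrative, not an exhaustive list.
# .js is placed with the directly-executable, fully-privileged files because a
# standalone .js attachment runs under the Windows Script Host like .vbs.
CLASSES = {
    "direct-full":        {"exe", "com", "bat", "vbs", "js", "pl", "shs"},
    "direct-sandboxed":   {"html", "htm", "ps"},
    "indirect-full":      {"386", "asp", "dll", "drv", "vxd"},
    "indirect-sandboxed": {"css"},
}

# The one CLSID the paper resolves (VBScript). A real filter would look the
# CLSID up under HKEY_CLASSES_ROOT\CLSID instead of using a hard-coded table.
KNOWN_CLSIDS = {
    "{b54f3741-5b07-11cf-a4b0-00aa004a55e8}": "vbs",
}

BLOCKED_CLASSES = {"direct-full", "indirect-full", "unresolved-clsid"}


def split_clsid(filename):
    """Return (name as Explorer displays it, clsid or None).

    Explorer drops a final extension that is a CLSID from the displayed name,
    so "photo.txt.{...}" shows up as "photo.txt".
    """
    base, dot, last = filename.rpartition(".")
    if dot and CLSID_RE.match(last):
        return base, last.lower()
    return filename, None


def effective_extension(filename):
    """The extension the OS actually acts on, after unhiding any CLSID.

    An unknown CLSID is returned as "clsid:{...}" so the caller can see it
    could not be resolved instead of mistaking the file for plain data.
    """
    display, clsid = split_clsid(filename)
    if clsid is not None:
        return KNOWN_CLSIDS.get(clsid, "clsid:" + clsid)
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def classify(ext):
    """Map an effective extension to one of the four classes, or "data"."""
    for cls, exts in CLASSES.items():
        if ext in exts:
            return cls
    if ext.startswith("clsid:"):
        return "unresolved-clsid"
    return "data"


def inspect(filename):
    """What the user sees, what really runs, and the filtering verdict."""
    display, _ = split_clsid(filename)
    ext = effective_extension(filename)
    cls = classify(ext)
    _, dot, shown_ext = display.rpartition(".")
    shown_ext = shown_ext.lower() if dot else ""
    return {
        "display": display,
        "effective_ext": ext,
        "class": cls,
        # True when the user sees one type but the OS dispatches on another.
        "disguised": shown_ext != ext,
        # A filter cannot know what an unresolved CLSID invokes, so block it.
        "block": cls in BLOCKED_CLASSES,
    }


if __name__ == "__main__":
    # Constructed attachment names, including the .TXT.VBS-behind-a-CLSID case.
    for name in ("readme.txt",
                 "photo.jpg.vbs",
                 "photo.txt.{B54F3741-5B07-11cf-A4B0-00AA004A55E8}",
                 "report.doc.{48123bc4-99d9-11d1-a6b3-00c04fd91555}"):
        print(name, "->", inspect(name))
```

The point of the "disguised" flag is that a plain extension-blocklist never sees the problem: for photo.txt.{B54F3741-...} the user is shown photo.txt, the blocklist sees a final "extension" it has no entry for, and only resolving the CLSID reveals that the handler is VBScript. Blocking every unresolved CLSID extension is the conservative default, since a filter that cannot name the handler cannot judge it.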
