Re: Talk about text files and embedded malware...



On May 27, 4:33 pm, "David H. Lipman" <DLipman~nosp...@xxxxxxxxxxx>
wrote:
From: "PantsOnFire" <m...@xxxxxxxxxxxx>

| Let's say I have a process which can check the entire content of a
| file.  This process can determine that the entire file is made up of
| ASCII characters only.
|
| So my questions are:
|
| 1.  What can be written in ASCII that can be a threat (e.g. a Perl
| script or VBS script)?

Yes if it is executable or interpreted.  For example VBS:Psyme or HTML:Trojan.Generic type
detections.

|
| 2.  What needs happen to have this threat executed?

It could be on a web site or in email are set in the Registry to load the interpreter
automatically.

|
| 3.  Can I limit the number of acceptable ASCII characters such that
| threats cannot execute (e.g. do not allow characters like + < > _ \ /
| & % $ @ # : ; " , etc....)

No.  Won't help.

|
| 4.  Do I need to worry about obfuscated malware even given my limiting
| of the characters allowed.

Yes.  Many Javascripts are encoded to obfuscate their malicious intent.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Thanks Dave,

Just a quick followup.

Say a file called "bad.txt" contains some perl script. Assuming there
is no hidden extension, double-clicking on this should open notepad
(WindowsXP) and the contents will be viewed as text. Someone who
knows perl could recognize the structure. However, it is possible to
go into the file associations and change the program that
executes .txt files to perl.

So am I right to assume that:

1. This is now bad that .txt is associated with perl and thus any
user double-clicking a bad file will execute some code?

2. Can a network policy be set such that users cannot change file
associations and thus administrators can offer some protection in that
manner?

3. Dragging and dropping this bad file into an open notepad window
will not execute the script?
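
An added example (not written by anyone in this thread) for the file-association question above: it parses the text printed by the Windows `assoc` and `ftype` commands and reports extensions that users expect to open passively, such as .txt, whose handler is a script interpreter. The sample output, the interpreter and extension lists, and all function names are assumptions constructed for illustration.

```python
import ntpath
import re

# Interpreters that run a file's contents as code when used as a handler (assumed list).
INTERPRETERS = {"perl.exe", "wscript.exe", "cscript.exe", "cmd.exe",
                "powershell.exe", "python.exe", "mshta.exe"}
# Extensions users expect to open passively in a viewer or editor (assumed list).
PASSIVE_EXTS = {".txt", ".log", ".csv", ".ini"}

def parse_pairs(output):
    """Parse 'key=value' lines as printed by `assoc` and `ftype`."""
    pairs = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            pairs[key.lower()] = value
    return pairs

def handler_exe(command):
    """Return the lower-cased executable name from an ftype command line."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    path = (m.group(1) or m.group(2)) if m else ""
    return ntpath.basename(path).lower()

def risky_associations(assoc_out, ftype_out):
    """List (ext, exe) where a passive extension opens in an interpreter."""
    assoc = parse_pairs(assoc_out)
    ftype = parse_pairs(ftype_out)
    findings = []
    for ext in sorted(PASSIVE_EXTS):
        file_type = assoc.get(ext)
        if file_type is None:
            continue
        exe = handler_exe(ftype.get(file_type.lower(), ""))
        if exe in INTERPRETERS:
            findings.append((ext, exe))
    return findings

# Constructed sample output, not captured from a real machine.
ASSOC = ".txt=Perl\n.log=txtfile\n.pl=Perl\n"
FTYPE = ('Perl="C:\\Perl\\bin\\perl.exe" "%1" %*\n'
         "txtfile=%SystemRoot%\\system32\\NOTEPAD.EXE %1\n")

if __name__ == "__main__":
    for ext, exe in risky_associations(ASSOC, FTYPE):
        print(f"{ext} opens with {exe}")
```

The check covers only what `assoc` and `ftype` print, so any association stored elsewhere is outside its view.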