  #1  
Old 05-21-2008, 12:39 AM
Michael
Administrator
Join Date: May 2007
Posts: 313
File extensions matter

A file extension is a suffix to the name of a file. In Windows-based systems, file names have the following form:

filename.extension
e.g. loveletter.txt

An extension indicates what type the file is. For example: .txt refers to a text file, .jpg refers to a picture compressed with the JPEG format, .mp3 refers to an audio file compressed with the mp3 format.

For convenience, most PCs come with file extensions hidden by default. True, most people won't ever need to know what extension a file has; they'll just double-click to open it.

We get used to certain programs and assume accordingly that any icon that looks like it is a media file should be a media file.

Well, to show how that behaviour may be dangerous, we collected a couple dozen files from our malware samples. In the screenshot below you can see several files bearing the icon of well-known Windows or other software programs. Note how none of the files has a visible extension:

http://blogs.paretologic.com/malware...8/05/noext.png

In reality, all those files are malware. Now, let's show what their extensions are:

http://blogs.paretologic.com/malware...008/05/ext.png

As you can see, all those files are Windows executables. When you double-click on them, they will execute a certain payload crafted by the malware writer. If you were expecting the annual report to be a spreadsheet, you got it all wrong. It turns out that it is a dangerous Trojan. It is a very common thing to use legit program icons to lure people.

To avoid being duped so easily, show the file extensions.

On XP do the following:

When browsing folders, click on the Tools menu, then Folder Options. Uncheck "Hide extensions for known file types".

http://blogs.paretologic.com/malware.../optionsxp.png

On Vista, do the following:

Click on Organize, then Folder and Search Options, then uncheck "Hide extensions for known file types".

http://blogs.paretologic.com/malware...tionsvista.png

After a while you will be more familiar with all file extensions. You will quickly recognize that a .pdf belongs to Acrobat Reader, or .avi is a video format.

Finally, remember that the file extension is always at the very end of a filename. Malware writers use tricks such as doubling the extension: coolpicture.jpg.exe

Very sneaky and effective.

JSegura
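
An added example, not part of the original post: a small Python check that flags the double-extension trick described above by looking only at the extension at the very end of each name. The extension lists and the sample names other than loveletter.txt and coolpicture.jpg.exe are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumed lists for illustration; extend them for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".txt", ".jpg", ".mp3", ".pdf", ".avi", ".doc", ".xls"}

# Constructed sample listing (not real samples).
SAMPLE = ["loveletter.txt", "coolpicture.jpg.exe", "Annual Report.exe",
          "song.mp3", "holiday.avi.scr"]


def split_extensions(filename):
    """Return (decoy_ext, real_ext), lower-cased.

    real_ext is the suffix at the very end of the name, the one Windows
    acts on. decoy_ext is the suffix just before it, if there is one.
    """
    name = ntpath.basename(filename).lower()
    stem, real_ext = ntpath.splitext(name)
    _, decoy_ext = ntpath.splitext(stem)
    return decoy_ext, real_ext


def classify(filename):
    """Return 'double-extension', 'executable' or 'other'."""
    decoy_ext, real_ext = split_extensions(filename)
    if real_ext not in EXECUTABLE_EXTS:
        return "other"
    return "double-extension" if decoy_ext in DOCUMENT_EXTS else "executable"


def name_when_hidden(filename):
    """Name as shown with 'Hide extensions for known file types' checked
    (assumes the final extension is a registered type)."""
    return ntpath.splitext(ntpath.basename(filename))[0]


def review(filenames):
    """List (displayed name, real name, verdict) for every executable."""
    return [(name_when_hidden(f), ntpath.basename(f), classify(f))
            for f in filenames if classify(f) != "other"]


if __name__ == "__main__":
    for shown, real, verdict in review(SAMPLE):
        print(f"{shown!r:20} is really {real!r:24} -> {verdict}")
```
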
  #2  
Old 10-02-2008, 12:17 AM
Wipqjsim
Junior Member
Join Date: Oct 2008
Posts: 2
great web

nice blog, thanks*****