
File extensions matter

May 20th, 2008

A file extension is a suffix to the name of a file. On Windows-based systems, file names take the following form:

filename.extension
e.g. loveletter.txt

An extension indicates what type the file is. For example: .txt refers to a text file, .jpg refers to a picture compressed with the JPEG format, .mp3 refers to an audio file compressed with the mp3 format.

For convenience, most PCs come with file extensions hidden by default. True, most people won’t ever need to know what extension a file has; they’ll just double-click to open it.

We get used to certain programs and assume accordingly that any file whose icon looks like a media file’s must be a media file.

Well, to show how that behaviour may be dangerous, we collected a couple dozen files from our malware samples. In the screenshot below you can see several files bearing the icons of well-known Windows or other software programs. Note how none of the files has a visible extension:

In reality, all those files are malware. Now, let’s show what their extensions are:

 

As you can see, all those files are Windows executables. When you double-click on them, they will execute a certain payload crafted by the malware writer. If you were expecting the annual report to be a spreadsheet, you got it all wrong. It turns out that it is a dangerous Trojan. It is very common to use legitimate programs’ icons to lure people.

To avoid being duped so easily, show the file extensions.

On XP do the following:

When browsing folders, click on the Tools menu, then Folder Options. Uncheck “Hide extensions for known file types”.

 

On Vista, do the following:

Click on Organize, then Folder and Search Options, then uncheck “Hide extensions for known file types”.

After a while you will be more familiar with all file extensions. You will quickly recognize that a .pdf belongs to Acrobat Reader, or .avi is a video format.

Finally, remember that the file extension is always at the very end of a filename. Malware writers use tricks such as doubling the extension: coolpicture.jpg.exe

Very sneaky and effective.
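To check a folder listing for this trick in bulk, the sketch below looks only at the last suffix of each name and reports what Explorer would display while extensions are hidden. It is an added example, not code from the original post; the extension sets and the sample file names are assumptions constructed for illustration.

```python
import ntpath

# Assumption: a short, non-exhaustive set of extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Assumption: extensions a user associates with harmless documents or media.
DECOY_EXTS = {".txt", ".jpg", ".mp3", ".pdf", ".avi", ".doc", ".xls"}


def real_extension(path):
    """Return the extension that counts: the very last suffix, lowercased."""
    return ntpath.splitext(ntpath.basename(path))[1].lower()


def displayed_name(path):
    """Name shown while "Hide extensions for known file types" is checked."""
    return ntpath.splitext(ntpath.basename(path))[0]


def classify(path):
    """Return 'double-extension', 'executable' or 'ok' for one file name."""
    if real_extension(path) not in EXECUTABLE_EXTS:
        return "ok"
    # What is left once the real extension is hidden may itself end in a
    # harmless-looking suffix, e.g. "coolpicture.jpg".
    decoy = ntpath.splitext(displayed_name(path))[1].lower()
    return "double-extension" if decoy in DECOY_EXTS else "executable"


def scan(names):
    """Map each flagged name to (verdict, name shown with extensions hidden)."""
    return {n: (classify(n), displayed_name(n)) for n in names if classify(n) != "ok"}


# Constructed sample listing, not taken from the samples in the post.
SAMPLE = [
    "loveletter.txt",
    "coolpicture.jpg.exe",
    "Annual Report.exe",
    r"C:\Users\demo\Downloads\holiday.avi.SCR",
    "notes.v2.txt",
]

if __name__ == "__main__":
    for name, (verdict, shown) in scan(SAMPLE).items():
        print(f"{verdict:17} shown as {shown!r:20} actual file: {name}")
```

A name flagged as "executable" without a decoy suffix, such as an annual report that is really an .exe, relies on the icon alone, which is the case shown in the screenshots.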

JSegura

    This entry was posted on Tuesday, May 20th, 2008 at 3:39 pm and is filed under Malware Trends.


Jerome Segura is a Security Analyst working at ParetoLogic.


© 2009 ParetoLogic Inc.