Virus In Pqs?


Mr Lost

That isn't to say that text files can't contain viruses though (although I'd be REALLY surprised if someone managed to create a GPX based virus), think .vbs files. They are text and can be viruses (actually I've yet to see a legit .vbs file sent via e-mail...)

 

From the bottom of the page where you set up pocket queries:

 

Known issues:

 

Some Internet Service Providers (ISPs) don't like *.loc or *.gpx files, and some email clients corrupt these files. It is recommended to zip them before sending.

It has been reported that occasionally these emailed files are tagged as viruses by antivirus software. Since the files do not execute they should not be capable of delivering viruses. Zipping the files normally solves this problem.

Did we mention you should probably zip your pocket queries?

 

Hopefully that answers your question :laughing:

Link to comment
Yes, but .vbs (Visual Basic Script) files, while text, are essentially source code, which is intended to be executed. GPX files are data, and cannot be executed

True, but it's simple to change a file extension. Also, it wasn't all that long ago that Microsoft scrambled to distribute a security patch because people were using altered graphics files to gain information/control of other people's computers. Graphics files contain no code, pretty much strictly data. Before that they had a problem with Windows Media Player providing a security hole to hackers when users played specially designed MP3s and video files.

 

First of all, there aren't any real virii anymore. Original Virii would actually infect a file, either by attaching itself to the end and modifying its load instruction, or overwriting it. Today's virii are classed more as worms, trojans or malware.

 

The next logical step in XML's evolution is to add executable code (scripting language) into the name spaces, or as part of the format itself.

Link to comment
Yes, but .vbs (Visual Basic Script) files, while text, are essentially source code, which is intended to be executed. GPX files are data, and cannot be executed

Yep, but as was hinted at, a potential bug in the interpreter of the XML file might be exploitable in such a way that a carefully crafted XML could in fact have a malicious intent (here I'm avoiding calling it a virus or a trojan or whatever, honestly I don't care what you call it). I think, and I have no justification for thinking this, that most apps that handle XML use the same interpreter at their core, the target *might* be big enough to create a viable attack.

Link to comment
Original Virii would actually infect a file, either by attaching itself to the end and modifying its load instruction, or overwriting it. Today's virii are classed more as worms, trojans or malware.

Just FYI:

 

Virii would be the plural of virius, which, as a word, doesn't exist in either English or Latin. Only Latin nouns that end in -ius form the plural with -ii.

 

Viri is equally wrong, as that is the Latin plural of vir, meaning "man".

 

In classical Latin, there was no plural form of virus. It was considered a mass noun. In English, there is only one correct plural for virus, and it's viruses.

 

(And yes, I've heard the joke that the plural of "Virus" is "Windows". )

 

Class dismissed. ;)

Edited by Prime Suspect
Link to comment

Alright, alright, so I need to brush up on my Latin, plurals, and purchase a dictionary. :mad:

 

But the essence of the post remains true: even human-readable text files (if the OS treats them as executable) can be dangerous. Anyone remember destructive batch files and ANSI bombs? Or am I showing my age? :(

Link to comment

You can change a file extension, but that doesn't automatically change the format of the data in it. If you change the extension of an XML file from .gpx to .vbs, the Windows Scripting Host is only going to take one look at it and go "Eh?"

 

Data files (such as your reference to the media player bug) can contain data that is completely out of the ordinary and designed to break and exploit bugs in things meant to read them, but that doesn't make the content of every legitimate file of that same format executable content. Any competent reader of those files should see the malformed data and reject it before it can do any harm. Considering Microsoft's track record in that regard, the fact that a media file can infect through their player software only makes sense.

 

Batch files, Javascript and macro viruses are in the form of content that is designed to be executable. ANSI bombs, well, that's an example of the malformed data that should have been rejected.

Link to comment
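The check described in the post above (a reader that judges a file by its content and rejects malformed data, whatever the extension says), as an added example that is not part of any post in this thread. The function name `check_gpx`, the size and depth limits, and the sample files are assumptions made up for the illustration.

```python
import xml.parsers.expat

# GPX 1.0 / 1.1 namespaces; the size and depth limits are assumed values.
GPX_NAMESPACES = ("http://www.topografix.com/GPX/1/0",
                  "http://www.topografix.com/GPX/1/1")
MAX_BYTES, MAX_DEPTH = 5 * 1024 * 1024, 32

# Constructed samples: a valid file, a script renamed to .gpx, a GPX with a DTD.
GOOD = b'<gpx xmlns="http://www.topografix.com/GPX/1/0"><wpt lat="47.6" lon="-122.3"/></gpx>'
RENAMED_SCRIPT = b'MsgBox "hello"'
WITH_DTD = b'<!DOCTYPE gpx [<!ENTITY a "aaaa">]><gpx xmlns="http://www.topografix.com/GPX/1/0"/>'

class RejectedGpx(ValueError):
    """Raised by the handlers when the content is not plain GPX."""

def check_gpx(data: bytes):
    """Return (True, summary) for plain GPX, otherwise (False, reason)."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    state = {"depth": 0, "wpts": 0}
    def on_doctype(*_args):
        # GPX needs no DTD; refusing one rules out entity-expansion tricks.
        raise RejectedGpx("DOCTYPE declaration not allowed")
    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")
        if state["depth"] == 0 and (local != "gpx" or ns not in GPX_NAMESPACES):
            raise RejectedGpx(f"root element is not GPX: {local!r}")
        state["depth"] += 1
        if state["depth"] > MAX_DEPTH:
            raise RejectedGpx("nesting too deep")
        if local == "wpt" and ns in GPX_NAMESPACES:
            try:
                lat, lon = float(attrs["lat"]), float(attrs["lon"])
            except (KeyError, ValueError) as exc:
                raise RejectedGpx("waypoint without numeric lat/lon") from exc
            if not (-90 <= lat <= 90 and -180 <= lon <= 180):
                raise RejectedGpx("waypoint coordinates out of range")
            state["wpts"] += 1
    def on_end(_name):
        state["depth"] -= 1
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except (RejectedGpx, xml.parsers.expat.ExpatError) as exc:
        return False, str(exc)
    return True, f"{state['wpts']} waypoint(s)"
```

The parser only ever builds counts and numbers from the input; nothing in the file is handed to an interpreter, which is the difference between a .gpx and a .vbs that the thread is arguing about.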
Can't happen. GPX files are text. You have an overzealous virus detector. Zip 'em.

 

Not true...Sort of. GPX Files can be executables, depending on how your gpx reader handles the file in question. ;)

 

1st, writing code in plain text can be executed if you were to change the file's extension to a known executable, such as .vbs or .bat. This we all know... But that's always a problem with malicious code. For example, all a .bat file is IS plain text. Same with the .gpx files, to some extent. The problem is .gpx files use XML markup language, and it is easy to add malicious code into a file without really being detected. XML is the closest thing to executable "in plain text" as you can get since it is such a rich coding language. It's used in almost all areas of programming these days, from software written by IBM, Microsoft, SUN, Apple etc...

 

People used to say you couldn't get a JavaScript file in html to execute extra code, and that it was a safe scripting language. We all know that is not true. Just look at adware and spyware and how they manage to spread so quickly (although it is not very easy to execute remote code without detection). That is one of the reasons there are so many problems in Internet Explorer.

 

One example: IF extra code were crammed into a .gpx file and it was executed by the reader program and let's say a buffer overflow took place, the code in question could execute other functions. There is always a chance for an exploit, regardless of the format a file is in. Also, GPX files are executable, if your reader program makes itself the default program for opening the file; otherwise when clicking the file under Windows (or whatever OS you use) it would, or should, ask you what program to use to open the file if it were unknown. Also, knowing any exploit for the reader program would leave a GPX file open to tinkering of exploitable code.

 

On another note, only a plain file with a non-executable extension such as .txt or no extension would be a safe download, IMO, but even in plain text a virus scanner should pick up the file as a virus if it contained any known code. I usually save attachments as text (.txt) so they can't execute, and then scan them first to make sure they are not a virus. If it contains one, it won't matter what the extension is, it will find it. I have done this to many files and if it had a virus, it would notify me, so I know it works in this manner.

 

So, while I agree that it is probably a problem with Yahoo's scanner detection, it may have had a legitimate exploit or virus/worm code in it. And while the reader program would have probably ignored it, there could have been place for it to run. Most worms run off of plain text exploited code that reads html type files in any format they are written in. And since .gpx files contain URLs and html type hooks, there might have been a link to a worm or trojan in the gpx file. How I know this is because one of the sites I run, www.saintsinnerent.com, had a host related worm that had nothing to do with our computers or the files I uploaded to the site for people to view, but our host's system had a virus that was writing extra code into all of our web site's pages, sending users to the virus's code it wanted to execute on their site. Here is part of an email response from my host:

Response (Mark Potter) - 01/18/2005 02:54 PM

Dear Customer,

 

This was done via the sanity worm and the vulnerability has been resolved with the upgrade of php...

 

In actuality it was a variant of the Santy worm. It was only when I realized that it was NOT coming from our own computer's files that I contacted our host and they found the problem was on their side, since the server side is where I do not have access to scan for such things. While it lay on their internal network, every time I removed the code, a few days later it would come back. They weren't even aware of it until I notified them! There are many variations of this exploit. Same thing could have happened with his file, either by way of Yahoo itself or from geocaching.com, but if coming from geocaching.com I would suspect it is probably ok.

 

If a file is in question, always scan it with your own virus software first and always use your best judgement before opening any file, of any extension. A file downloaded ok one day may be corrupted the next. ;)

 

More on XML exploits from google: http://www.google.com/search?num=50&hl=en&...2XML+exploit%22

Edited by crackhead
Link to comment