
October 20, 1999
The Danger Of Stealth Executables
SHS and other little-known or seemingly benign file types (often completely ignored by antivirus applications) can disguise malicious executables and macro viruses.
Fred Langa is a senior consulting editor and columnist for Windows Magazine. Fred's free weekly newsletter is available via subscribe@langa.com. You can contact him at fred@langa.com or via his website at http://www.langa.com.
Doug Findlay, a reader from Canada, recently had an eye-opening experience that's instructive to us all:
Fred:
I recently came across something that concerned me VERY much--and could possibly be used to cause damage or execute viruses on a user's machine.
Recently, a friend sent me a harmless executable file (it was a sound bite), but it was embedded in an MS Word 97 document. To hear the sound bite was frustrating, requiring me to load Word and then double-click on the embedded file. So, in MS Word, I selected the executable that was embedded in the document, copied it, and pasted it to my desktop.
Not surprisingly, it showed up as an MS Word "Scrap" file. The file extension for scrap files is ".shs." For some reason, Windows hides this file extension.
So, with a file named "Scrap" on the desktop, double-clicking it ran the executable without problem. In fact, I tried changing the name of the file to something else, with a different extension (i.e. ".bmp"). Renaming it "test.bmp," the icon remained the same and the new name appeared, once again with the ".shs" extension hidden. Now it appeared as a harmless image file; however, double-clicking it ran the executable as before.
Call me paranoid, but could I not do the same thing with a more sinister executable and rename it as a ".txt" file? The "scrap" icon looks like a text file icon--and an unknowing user would open the "text" file, but really run the executable.
When attaching this type of file to an E-mail message, the extension becomes visible. But an unsophisticated user would go ahead and save the attachment and--voila--no more "shs" extension! Looks fine! Double-click and whammo.
Doug's right. Because Windows normally hides the SHS extension (you have to select File/Properties to see it), many users have never even heard of it. Thus, even though SHS files can contain directly executable content, users might well click on an SHS file (disguised or not) without a second thought.
What's more, many commercial antivirus apps do not scan SHS files by default, and must be manually adjusted to include "Scraps" in their scans.
And it's not just SHS files. Trojan-horse infectors can reside in a wide variety of files with little-known or seemingly benign file extensions. For example, if you follow antivirus activity, you may recall that a few months back some malicious souls started circulating the Melissa virus in RTF rather than the more common DOC files. Some companies and users who had religiously updated their virus definitions to include the Melissa signature got infected anyway because their antivirus applications, by default, didn't scan RTF files. (By the way, two new strains of Melissa were discovered just last week, so it's a safe bet that the RTF exploit will turn up again, and soon.)
I checked the major antivirus vendor sites and found very little on SHS and similar vulnerabilities. The Symantec/Norton site did have some information buried pretty deep, but a search of the Computer Associates, Trend Micro, and McAfee antivirus sites, for example, turned up exactly zero hits on "SHS."
The Symantec recommendations are good, once you find them, and they actually apply to just about any antivirus app: They suggest that you scan "all files" even though the software's default may be to scan only common executables.
If scanning all files takes too long, Symantec recommends that you manually adjust your software to include all these extensions in your scans: 386, ADT, BIN, CBT, CLA, COM, CPL, DLL, DOC, DOT, DRV, EXE, HTM, HTT, JS, MDB, MSO, OV?, POT, PPT, RTF, SCR, SHS, SYS, VBS, XL?. Only a fraction of those are included by default, and I'll bet that you'll see a few file types in there you hadn't thought to include in your scans.
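Here is an added example (not code from the column or from any antivirus vendor) that turns the two points above into a check you can run over a file listing: it flags names that end in one of the extensions on the Symantec list, expanding the OV? and XL? wildcards, and it reproduces Doug's observation by computing what Explorer would display for a scrap file and reporting names such as test.bmp.shs whose visible part ends in a benign-looking extension. The assumptions are that SHS is the only extension Windows hides in this way and that the sample listing is constructed for the demonstration.

```python
"""Flag files an extension-filtered antivirus scan would skip, and scrap
files whose real .shs extension Windows hides from the user.

Added example; the extension list is the Symantec list quoted in the
column, the filenames below are constructed, and treating SHS as the only
hidden extension is an assumption for this demonstration.
"""
import fnmatch
import os

# Extensions Symantec recommended adding to scans (from the column).
# "?" is a single-character wildcard, so OV? covers OVL, OVR, ... and
# XL? covers XLS, XLT, XLA, ...
SCAN_EXTENSIONS = [
    "386", "ADT", "BIN", "CBT", "CLA", "COM", "CPL", "DLL", "DOC", "DOT",
    "DRV", "EXE", "HTM", "HTT", "JS", "MDB", "MSO", "OV?", "POT", "PPT",
    "RTF", "SCR", "SHS", "SYS", "VBS", "XL?",
]

# Extensions Explorer strips from the displayed name regardless of the
# "hide extensions for known file types" setting. Assumption: SHS only.
HIDDEN_EXTENSIONS = {"SHS"}


def extension_of(name):
    """Final extension, uppercased, without the dot ('' if none)."""
    return os.path.splitext(name)[1][1:].upper()


def needs_scan(name):
    """True if the file's extension is on the scan list (wildcards honoured)."""
    ext = extension_of(name)
    return any(fnmatch.fnmatchcase(ext, pat) for pat in SCAN_EXTENSIONS)


def displayed_name(name):
    """What Explorer shows the user: a hidden extension is dropped."""
    base, ext = os.path.splitext(name)
    return base if ext[1:].upper() in HIDDEN_EXTENSIONS else name


def classify(name):
    """Classify one filename:
    'disguised'        - hidden real extension, shown name looks like
                         another file type (Doug's test.bmp case)
    'hidden-extension' - hidden real extension, shown name has none
    'scan'             - extension on the scan list, nothing hidden
    'ok'               - none of the above
    """
    shown = displayed_name(name)
    if shown != name:
        return "disguised" if extension_of(shown) else "hidden-extension"
    if needs_scan(name):
        return "scan"
    return "ok"


def report(names):
    """Map each filename to its classification."""
    return {name: classify(name) for name in names}


# Constructed sample listing for the demonstration.
SAMPLE_LISTING = [
    "Scrap.shs",       # Doug's original pasted scrap
    "test.bmp.shs",    # renamed scrap; Explorer shows "test.bmp"
    "readme.txt",      # plain text, not on the list
    "budget.xls",      # matched by XL?
    "setup.ovl",       # matched by OV?
    "memo.rtf",        # RTF carrier of Melissa, from the column
]

if __name__ == "__main__":
    for name, verdict in report(SAMPLE_LISTING).items():
        print(f"{name:16} shown as {displayed_name(name):12} -> {verdict}")
```

Running the script lists each name, the name Explorer would actually display, and the verdict; the "disguised" and "hidden-extension" rows are the ones a user would never recognise as executable content, which is why the column's advice to scan all files, rather than a default list, matters.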
There was a time when virus scares were quite overblown: you had to be really careless in order to be at serious risk from viruses and other malicious programs. But today, it seems everyone needs to keep the shields up at all times, whether at the corporate firewall or at the individual PC.
What's your take? Were you aware of the SHS and RTF exploits? Are there other exploits you know of you can share? Do you use centralized antivirus protection at the server or firewall, desktop-level protection, or both? How often do you encounter viruses? And is constant antivirus monitoring (as a background process) worth the cost in system resources, or is once-a-day, idle-time scanning sufficient? Join in the discussion!