Computer Viruses - please settle a debate for me.

I’ve been discussing virus risks with a colleague at work, in relation to an e-business application that we’re developing.

His position is that a virus can attach itself to virtually anything.

My position is that a virus can only attach itself to a file which has executable content (and by this I mean any file which contains instructions, macros, scripts too); I don’t believe that there’s any way for a virus to spread by attaching itself to, say a CSV text file unless somebody tries to interpret that file as a set of instructions.

But he maintains that it is now possible for a virus to be carried by a plain text file that will only ever be opened as plain text.

So, am I wrong, or is he?

From this site

Basically, you’re right and your mate is wrong, but Exercise Due Care in any event.

or even this site, which is the same, only without me stuffing up the coding. Sorry about that.

A virus can be in any type of file you want, but it won’t infect or spread unless ‘run’ in one way or another.

So, yes, you could in theory have a virus in a text file, but it will be completely dormant until converted into some executable format (macro, script, exe, whatever) or treated as if it was. This is why it's unlikely any virus would be designed to replicate in this manner, and virus scanners' default settings are usually to ignore such files.

But then, who knows? I would treat an infected ‘dormant’ virus with as much care as a live one. I’m sure one day someone will find a way of using them to replicate, probably exploiting another nifty feature MS has crammed in without consideration to security. :slight_smile:

JPEGs and WAVs can also carry active viruses.

Cisco wrote

No they can’t. Mangetout is correct; only code that is either a direct or interpreted executable can contain a virus.

Virus scanners actually look for fragments of viruses, pieces of executable code that are common to an entire class of virus.

Some people have set their virus scanners to scan non-executable files like JPEGs and data files, so occasionally false positives happen when the arrangement of bytes in a data file just happens to match a code fragment that the virus scanner is looking for.
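As an added example (not code from the thread or any real scanner), here is a toy signature scanner that does what the post above describes: it hunts for short byte fragments, skips non-executable files by default, and shows how enabling data-file scanning turns a coincidental byte match in a JPEG into a false positive. The signature bytes, file names and file contents are all constructed for illustration.

```python
"""Toy fragment-signature scanner (added example, constructed data throughout)."""

# Constructed signature database: family name -> byte fragment the scanner hunts for.
# The fragment is an arbitrary byte string chosen for the demo, not a real virus signature.
SIGNATURES = {
    "ToyFamily.A": bytes.fromhex("e8000000005b81eb"),
}

# Extensions the scanner treats as executable content (constructed, representative list).
EXECUTABLE_EXTS = {".exe", ".com", ".dll", ".scr", ".bat", ".vbs", ".js"}


def is_executable_name(name: str) -> bool:
    """Classify a file by its final extension, as a scanner's default policy would."""
    return any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTS)


def scan_file(name: str, content: bytes, scan_data_files: bool = False) -> list:
    """Return the list of signature families whose fragment appears in `content`.

    With scan_data_files=False (the default the post mentions) non-executable files
    are skipped entirely, so a coincidental match inside a JPEG is never reported.
    With scan_data_files=True the same match is reported: a false positive.
    """
    if not scan_data_files and not is_executable_name(name):
        return []
    return [family for family, fragment in SIGNATURES.items() if fragment in content]


# Constructed sample "files".
SAMPLE_FILES = {
    # An executable that really carries the fragment: a true positive under either policy.
    "setup.exe": b"MZ" + b"\x00" * 8 + SIGNATURES["ToyFamily.A"] + b"\xc3",
    # A JPEG-like data file whose pixel bytes happen to contain the same fragment.
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x7f" * 5 + SIGNATURES["ToyFamily.A"] + b"\xff\xd9",
    # A plain text file with nothing matching.
    "readme.txt": b"Nothing to see here.\n",
}


def scan_all(scan_data_files: bool) -> dict:
    """Scan every sample file under one policy and return {filename: [families found]}."""
    return {name: scan_file(name, data, scan_data_files) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for policy in (False, True):
        print(f"scan_data_files={policy}: {scan_all(policy)}")
```

Run with no arguments: the first line reports only `setup.exe`, the second also reports `photo.jpg`, which is exactly the false positive the post describes. The practical lesson is that a data-file hit from a fragment scanner is evidence of a byte coincidence, not proof that the file can execute anything.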

Bill and Mangetout are correct, but it should also be noted that it is possible that the program used to view/play those files may have a flaw which would allow hostile code to be executed.

About a year ago, a flaw in Netscape’s jpeg display code was found that caused a buffer overflow. It would technically be possible to create a jpeg which carried a virus which would be inserted when that buffer overflow occurred. This jpeg would be completely harmless to any viewer without the buffer overflow problem, but could theoretically infect a system if it was viewed with Netscape on the proper platform.

If the following picture crashes your browser (should only affect Netscape prior to 4.74 and only some platforms), you need to update.

TheNerd wrote

True. But I want to emphasize the word “theoretically”. No actual exploit of that particular bug is known to exist or even suspected to be possible.

Yea…you’re probably right. Mind if I send you some jpegs? Howzaboot some mp3’s?

[sub]anything with a header stack can contain a virus[/sub]

Also remember that executable files can sometimes look like data files. The most common trick is to name a file something like readme.txt.exe - by default Windows hides the .exe extension and all you see is readme.txt.
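As an added example (not from the thread), the following helper reproduces the display rule the post above describes and turns it into a check: it computes what a user would see with "hide extensions for known file types" on, what the real final extension is, and whether the two disagree in the dangerous direction (shown as data, runs as code). The extension lists are constructed subsets, and the "known file type" set is assumed to be the union of the two lists; the real rule depends on the registered file types of the machine.

```python
"""Hidden-extension disguise check (added example; extension lists are constructed)."""
import os

# Extensions Windows runs as code (constructed, representative subset).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".ocx", ".dll"}
# Extensions a user reads as harmless data (constructed subset).
DATA_EXTS = {".txt", ".csv", ".jpg", ".jpeg", ".gif", ".wav", ".mp3", ".doc", ".pdf"}
# Assumption: these are the "known file types" whose extension Explorer hides.
KNOWN_EXTS = EXECUTABLE_EXTS | DATA_EXTS


def real_extension(name: str) -> str:
    """The final extension, which is what actually decides how the shell opens the file."""
    return os.path.splitext(name)[1].lower()


def displayed_name(name: str) -> str:
    """What Explorer shows with 'hide extensions for known file types' on:
    the last extension is dropped when it is a known type, otherwise the name is shown whole."""
    stem, ext = os.path.splitext(name)
    return stem if ext.lower() in KNOWN_EXTS else name


def is_disguised_executable(name: str) -> bool:
    """True when the real extension runs as code but the displayed name ends in a data extension."""
    return (real_extension(name) in EXECUTABLE_EXTS
            and real_extension(displayed_name(name)) in DATA_EXTS)


def audit(names: list) -> dict:
    """Summarise each name: what the user sees, what it really is, and whether it is disguised."""
    return {
        n: {"shown_as": displayed_name(n),
            "real_ext": real_extension(n),
            "disguised": is_disguised_executable(n)}
        for n in names
    }


# Constructed attachment names for a demo run.
SAMPLE_NAMES = ["readme.txt.exe", "readme.txt", "photo.jpg",
                "song.mp3.scr", "invoice.pdf.vbs", "tool.exe"]

if __name__ == "__main__":
    for name, info in audit(SAMPLE_NAMES).items():
        print(f"{name:16} shown as {info['shown_as']:12} real {info['real_ext']:5} "
              f"disguised={info['disguised']}")
```

Note that a plain `tool.exe` is not flagged: it is shown as `tool`, with no data-looking extension to mislead anyone. The check is only about the case the post raises, where a real executable is dressed up as a document or picture.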

Cisco wrote

Please clarify.

I’m very knowledgeable about viruses and network security in general. (In fact, I’m a speaker on a network security panel this weekend at a fairly large “Annual Conference and Leadership Awards”. If you’re in San Jose, come by and laugh at me.) I’m also pretty knowledgeable about coding. The words “header” and “stack” mean something to me, but I’ve never heard of them together. Most importantly, I’ve never heard of a “header stack” relating to jpegs. In the hopes that I was missing something, I went to Google and entered “header stack” jpeg and got one hit in Czechoslovakia (sp?), and it was irrelevant.

However, I know in general how jpegs are constructed (I confess to not being an expert), and there does exist a header (though it’s not a stack). Here is one page with a description: http://www.obrador.com/essentialjpeg/HeaderInfo.htm

Please tell me exactly which data field in the jpeg header you would modify to cause your code to begin executing on a machine.

Wait, it was a trick question; data does not get executed on machines. (unless as was pointed out by others it’s interpretive code or there is a flaw in the viewer, but neither of those are relevant here.)

I clicked on it and it crashed my browser and I may have to do you bodily harm. But what exactly happened there?

Hello gentlemen. In reading your opinions on whether or not only executable code has the ability to carry out malicious behavior on an operating system, you have to understand that it strongly depends on the parent application that the file extensions belong to. For example, Real Audio has the ability to display Macromedia Flash files inside its ever popular .ra audio streaming format (with band information, song lyrics, pictures and so on). It is possible to link a URL to a .vbs or .js file from Flash, so you could then have a .ra file that when viewed writes a .vbs file which would be executed by the browser (given the proper security level is set). Now, in all of your defense, the .ra indeedy can not hurt the system; it's only a transport, but it infected you, therefore it's termed a virus. Also, we all have Microsoft to thank for creating the ever so lovely ActiveX platform. A .ocx or .dll file can be more deadly than any script. In fact, if you boys are really nice I'll teach all of you how, with just a few short lines of ASM and a browser, you can Fdisk a logical DOS partition. Anyway, to be direct: yes, only executable code can spread a virus. A virus can not just spring to life on its own. However, almost anything can be a transport; it all depends on your ability to find the proper container applications and a sucker.
keep up the hard work.

skitch
PS: you're all right but yet you're all wrong. And for those of you that would like to put this to a test, I will gladly trade you a URL for all of your machines' passwords -=)

First of all let me give you some information to let you decide whether or not the text I’m about to enlighten you with will be credible enough for you to believe.

My alias is “pimpshiz” and I am a “world famous hacker.” Hehe, how do you like that for an intro? The title was given to me by many media outlets in 2000. I was on the radio, TV and in magazines, web-news outlets, and newspapers for about 5-6 months. In December of 2000 I was raided by the FBI, Department of Defense, local DA, local police, NASA and god knows who else. All for hacking into some of the world’s most secure computers…supposedly most secure. Victims included NASA, the Defense Information Systems Agency, Verizon Wireless\Airtouch, Nike, Honda, Mitsubishi, UCLA, and many more (200). I started programming when I was just turning 12. I am now 17 and run a software company. You can learn more by searching for “pimpshiz” at google.com. ANYWAYS…

Cisco and Skitch are correct. I began writing petty viruses when I was 14. As I’m sure they started early too. I then began scamming and social engineering thousands of internet users for valuable information. Tricking them into downloading certain files that would eventually obtain the information I was looking for and report them back to me. How did I do it? “Hey there, got a picture? Let’s trade.” – “Hey there, go to my new website, it’s cool!” – You get the point. Those are just examples behind the truly intelligent scams I utilized in the past.

The fact is, I can, you can, anyone can infect anyone with a virus in many manners, if the subject were informed. Just like any hacker could expand their skills past virtual fences, and if so inclined cause real-life damage. Physical damage. Most hackers look past the physical damage part because they don’t see themselves as inclined enough. However, things of the sort are extremely easy if they were informed. So now are you beginning to understand what I am talking about? In a way like “You can’t miss what you’ve never had” – If I didn’t know how to read, I wouldn’t know how to hack. Put knowledge against an obstacle and transcendence is no longer the question, distance is.

Back to the lecture at hand…bottom line is, a 5 year old kid can infect you with a virus by you running a .JPG file, if I told him how to, once. He could then do it to thousands of others, by himself. You’ve got to face the surreal sooner or later. Why not sooner? The possibilities are endless and so is the amount of information one can try and deter. Stay ahead and think forward.

Last note…Bill H wrote:

“(In fact, I’m a speaker on a network security panel this weekend at a fairly large “Annual Conference and Leadership Awards”. If you’re in San Jose, come by and laugh at me.)”

As a matter of fact I live about 15-20 minutes away from San Jose, so maybe I WILL come by and laugh at you. :} - I’m kidding, there won’t be any laughing unless you say something completely idiotic. I’ll be in a black shirt with the white text “i read your e-mail” printed on the front (seriously, I will.) – By the way, I think San Jose falls under the county my city falls under, you probably got the newspaper I was in :\

Anyways, I hope you all have learned something, and for those who oppose everything I just wrote about, I’d be thrilled to infect your computer (under legal contract of course; I’m still finishing up with court). Wouldn’t want to get in any more trouble now, would I? :}

Keep those minds ticking. Knowledge Reigns Supreme.

Go on then, I’m up for taking on the jpeg virus. I simply don’t believe you. Here’s what I’m happy to do:

Send me the URL to the jpeg, and I’ll download it on my machine. Then I’ll use Photoshop to view the jpeg. I promise no litigation - it’d be my fault entirely if I get infected. But I really don’t see how that’s possible.

:slight_smile:

By the way, no matter what icon the file might have, I’m going to check its extension.

Oh yeah, and I won’t get into an ICQ chat.

Thanks.

I’ve heard that one of the more recent mail viruses to make its way around (I think it was Nimda) could infect Outlook and/or Outlook Express by simply reading the text part of the message, without even opening an attachment. Is this true?

I had always been very careful about attachments, but didn’t think twice about reading the text of a message. I heard the above danger when the virus was new, so I’m not sure it was accurate. If true, what kind of hole in Microsoft’s software was it exploiting?

Ummm…wait a sec…

What about macro viruses? Ya know, Melissa and all that. I think this is what CurtC was referring to. Basically, that exploited the macro function in Microsoft Outlook to basically replicate itself and send itself to everyone in your address book. Basically, it tied up e-mail systems…didn’t do anything specifically to your computer IIRC. And it activated itself upon opening an infected e-mail in Microsoft Outlook.

I can’t even spell pee-cee, but I’d like to make a few comments from a unix perspective.

In unix, a program gets divided up into “memory segments”. There is a text segment that contains the code and some constants. There is a data segment where some user data goes. And there is a stack which also contains some user data.

When a program calls a subroutine, the return address goes on the stack. The address points back to a place in the text segment where the subroutine should go when it finishes. There is also a notion of “automatic variables” that are placed on the stack. That way they vanish when the subroutine finishes.

I think what is being discussed in this thread is evil data that abuses the stack concept. Yes this requires a bug in the program, but sadly programs with bugs are common. The evil data blows an array in such a way as to insert some code on the stack. It further overlays the return pointer of the current subroutine with the address of the code on the stack. When the subroutine “returns”, it actually jumps into the evil code and starts to run.

Unix has always had read and read/write type protection on memory segments, but this can’t stop this class of attack. Sun has introduced a “noexec_user_stack” parameter that, when set, closes the door on this entire class of attacks. Until all unix systems have this, we can only repair the bugs in programs as we find them.

I do agree that “virus” is not the best term for this attack. I would go with “trojan horse”.

Can any of you pea-see guys tell me if they allow the execution of code on a stack? Or do you even have segments?
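As an added example (not from the thread, and not a model of any real machine), here is a small simulation of the situation the post above describes: a subroutine frame with an automatic array followed by the saved return address, an unchecked copy that runs past the array and overlays that return address, and the two defences the post mentions, repairing the bounds bug and a non-executable user stack like Sun's noexec_user_stack. The segment addresses, frame layout and 4-byte little-endian return address are constructed for illustration; no real machine code is involved, the oversized input is just filler bytes plus an address.

```python
"""Toy stack-frame model (added example; every address and layout value is constructed)."""
import struct

TEXT_BASE, TEXT_SIZE = 0x1000, 0x1000     # "text segment": where legitimate code lives
STACK_BASE, STACK_SIZE = 0x7000, 0x100    # "user stack": automatic variables and return addresses
BUF_SIZE = 16                             # the subroutine's automatic char array
RET_SLOT = BUF_SIZE                       # the saved return address sits right after the array


class ToyStack:
    """One subroutine's frame: mem[0:16] is the array, mem[16:20] the saved return address."""

    def __init__(self, noexec_user_stack: bool = False):
        self.mem = bytearray(STACK_SIZE)
        self.noexec_user_stack = noexec_user_stack
        # The caller's address inside the text segment (constructed value).
        struct.pack_into("<I", self.mem, RET_SLOT, TEXT_BASE + 0x40)

    def unchecked_copy(self, data: bytes) -> None:
        """strcpy-style: copies every byte into the frame with no length check (the bug)."""
        self.mem[0:len(data)] = data

    def checked_copy(self, data: bytes) -> None:
        """The repaired version: refuse anything that does not fit the array."""
        if len(data) > BUF_SIZE:
            raise ValueError("input longer than buffer; rejected")
        self.mem[0:len(data)] = data

    def saved_return_address(self) -> int:
        return struct.unpack_from("<I", self.mem, RET_SLOT)[0]

    def subroutine_return(self) -> str:
        """Model the 'return' step: classify where control would go and whether it is allowed."""
        target = self.saved_return_address()
        if TEXT_BASE <= target < TEXT_BASE + TEXT_SIZE:
            return "text"        # normal case: back into program code
        if STACK_BASE <= target < STACK_BASE + STACK_SIZE:
            # Control would land on bytes that the input placed on the stack.
            return "blocked" if self.noexec_user_stack else "stack"
        return "fault"           # a jump to somewhere unmapped


def run_scenario(data: bytes, noexec_user_stack: bool, bounds_checked: bool) -> dict:
    """Copy `data` into a fresh frame under the chosen settings and report the outcome."""
    frame = ToyStack(noexec_user_stack)
    copy = frame.checked_copy if bounds_checked else frame.unchecked_copy
    try:
        copy(data)
        copied = "ok"
    except ValueError:
        copied = "rejected"
    return {"copy": copied,
            "ret": hex(frame.saved_return_address()),
            "flow": frame.subroutine_return()}


# Constructed inputs: one that fits, and one that runs past the array so that its
# last four bytes overlay the saved return address with a stack address.
NORMAL_INPUT = b"hello"
OVERSIZED_INPUT = b"A" * BUF_SIZE + struct.pack("<I", STACK_BASE)

if __name__ == "__main__":
    print("normal input          :", run_scenario(NORMAL_INPUT, False, False))
    print("oversized, no defence :", run_scenario(OVERSIZED_INPUT, False, False))
    print("oversized, noexec     :", run_scenario(OVERSIZED_INPUT, True, False))
    print("oversized, bug fixed  :", run_scenario(OVERSIZED_INPUT, False, True))
```

The three oversized runs make the post's point concrete: with neither defence the return lands in the stack segment; with the non-executable stack flag the same overwritten return address is refused rather than followed; with the bounds check the oversized input never reaches the frame and the return address is still the original text-segment value. Fixing the program removes the bug, while the stack flag limits the damage of bugs not yet found.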