Editing 1247: The Mother of All Suspicious Files

{{comic
| number    = 1247
| date      = August 5, 2013
| title     = The Mother of All Suspicious Files
| image     = the_mother_of_all_suspicious_files.png
| titletext = Better change the URL to 'https' before downloading.
}}

==Explanation==
The save {{w|dialog box}} shows a download from <tt><nowiki>http://65.222.202.53</nowiki></tt>, an {{w|IP address}} that hosted {{w|JavaScript}} {{w|malware}} during a recent attack on the {{w|Tor anonymity network}}, with a very long file title. Many of the {{w|file extension|extensions}} used inside there indicate executable code; multiple file extensions are sometimes used to disguise a {{w|Trojan horse (computing)|trojan program}} as a document.

You can also see common download syntax for a pirated movie, {{w|Hackers (film)|''Hackers''}}, likely included to appear malicious to anyone skimming but is actually a movie about hackers, making it a benign reference rather than malicious. It is described as "<tt>_BLURAY_CAM</tt>", which contradicts itself ("<tt>_BLURAY</tt>" would imply it was ripped from a copy on {{w|Blu-ray Disc}}, while "<tt>_CAM</tt>" would mean it was copied by pointing a camera at the screen in the cinema). "<tt>_BLURAY_CAM</tt>" would probably indicate a search-keyword-stuffed fake copy; fake pirated media often contain viruses (although this is more likely to be a problem with newer media, before the first real pirated copy appears).

The {{w|URL}} contains the path "<tt>~tilde/pub/cia-bin/etc</tt>". The first part is a public folder of a user named "tilde" (which is also the name for the {{w|tilde|~ symbol}}), "<tt>cgi-bin</tt>" is a common folder on a web server for server-side executables ([[Randall]] changes the name to "<tt>[[CIA|cia]]-bin</tt>"), and "<tt>etc</tt>" is a standard folder for configuration files – normally never accessible through a web server. The program "init.dll" isn't executable at all, it's a {{w|Windows Dynamic Link Library}} which can't be run standalone, and is rarely referenced in URLs (even though such syntax is still being employed, even on [https://www.google.com/search?q=site:edu+filetype:dll reputable websites (Google search)] or here at [https://signin.ebay.com/ws/eBayISAPI.dll eBay], indicating the webserver is a Microsoft {{w|Active Server Pages|ASP}} server). The question mark indicates the start of a parameter list, and in this case we have only one named "<tt>FILE</tt>".

The "Save" button is greyed out, suggesting that it is disabled; you can click only the "Cancel" button. For security reasons, some browsers (like Firefox) disable the "Save" button for a few seconds before enabling it. This prevents users from accidentally accepting a download while entering input, like a malicious CAPTCHA.

The complete content sent to the server, starting with "<tt>/~tilde...</tt>" and ending with "<tt>...out.exe</tt>", is exactly 256 characters long. On {{w|HTML 3}} specifications you have a limitation of 1024 characters, whereas later HTML specifications don't have this limit; it just depends on the web server's capabilities. But posting parameters directly at the URL is still a worse choice.

The content of the parameter is shown here:
*<tt>__</tt> (underscore underscore) — used in the {{w|C programming language}} to denote that a symbol is really not for public consumption.
*<tt>{{w|autoexec.bat}}</tt> — a {{w|batch file}} which is automatically run during startup on {{w|MS-DOS}} and {{w|Windows}} operating systems, and was often modified by viruses, which added malicious code to be run on each boot.
*<tt>My%20OSX%20Documents</tt> — referencing Apple's {{w|OS X}} operating system (<tt>{{w|URL encoding#Character data|%20}}</tt> is a representation of a space in a URL, i.e. it reads as "<tt>My OSX Documents</tt>").
*<tt>install.exe</tt> — a typical {{w|Installer#Installer|installer}}.
*<tt>{{w|RAR|.rar}}</tt> — a compressed archive file type.
*<tt>{{w|INI file|.ini}}</tt> — a configuration file type.
*<tt>{{w|Tar (computing)|.tar}}</tt> — a {{w|file}} archive popular in {{w|Unix}} and {{w|Unix-like}} operating systems. tar has been mentioned [[1168: tar|before]].
*<tt>.doçx</tt> — <tt>{{w|docx|.docx}}</tt> is an {{w|Office Open XML}} file, i.e. a word processing format used by {{w|Microsoft Word 2007}} and above, but has no {{w|cedilla}} (¸). The addition of a cedilla may be a reference to exploits that rely on rare characters being mistaken for more common ones that look similar, such as the {{w|IDN homograph attack}}.
*<tt>.phphphp</tt> — a play on {{w|PHP}} files, a kind of server-based web page file type. PHP originally stood for "Personal Home Page" but was later redefined as the recursive abbreviation "PHP: Hypertext Preprocessor".
*<tt>{{w|XHTML|.xhtml}}</tt> — another web page file type.
*<tt>{{w|TransducerML|.tml}}</tt> — stands for Transducer Markup Language, an {{w|XML}}-based {{w|markup language}} that specifies how to capture, time-tag and describe sensor data.
*<tt>.xtl</tt> — possibly a play on XHTML.
*<tt>.txxt</tt> — a play on <tt>{{w|Text file|.txt}}</tt> file types.
*<tt>0DAY.HACK</tt> — a reference to a {{w|zero-day exploit}}. (overlaps with the next entry)
*<tt>HACK.ERS_(1995)_BLURAY_CAM-XVID</tt> — a reference to the 1995 {{W|Hackers (film)|''Hackers''}} movie, but pirated movies would either be a <tt>BLURAYRIP/DVDRIP</tt> or <tt>CAM</tt>, but not both at the same time unless you used a camera to record a {{w|Blu-Ray}} movie as it played.
*<tt>{{w|EXE|.exe}}</tt> — an executable file type used by Microsoft Windows.
*<tt>[SCR]</tt> — a tag used by movie pirates to denote a '{{w|Screener}}', the DVD copy of films given to critics prior to theater release. Usually the highest quality available at the time, rare, and thus good bait for a virus-laden download. "{{w|.scr}}" is also the extension for screensaver files, really just an exe file with a different extension and one of the classical ways to distribute infected files.
*<tt>{{w|Lisp (programming language)|Lisp}}</tt> — programming language.
*<tt>{{w|Windows Installer|.msi}}</tt> — an installation file used by Microsoft Installer.
*<tt>{{w|.lnk}}</tt> — an extension used by Microsoft Windows for shortcuts. The extension is normally hidden to the user.
*<tt>.lnk.zda.gnn</tt> — references to {{w|Link (The Legend of Zelda)|Link}}, {{w|Princess Zelda|Zelda}}, and {{w|Ganon}}, important characters from ''{{w|The Legend of Zelda}}'' video game franchise.
*<tt>{{w|White Rabbit#Television and films|wrbt.obj}}</tt> — A reference to the line of code Dennis Nedry used in ''{{w|Jurassic Park}}'' to shut down key systems.
*<tt>{{w|Object file|.o}}</tt> — The extension for a {{w|linker file}}, an intermediary created when compiling {{w|C programming language|C code}}.
*<tt>{{w|Header file|.h}}</tt> — The file extension of a {{w|header file}} in C code.
*<tt>{{w|.swf}}</tt> — {{w|Shockwave Flash}} file type.
*<tt>{{w|Dpkg|.dpkg}}</tt> — The {{w|Debian}} package management, although the package files use the file suffix <tt>.deb</tt>.
*<tt>.app</tt> — an application on the {{w|Mac OS X}} operating system.
*<tt>{{w|ZIP (file format)|.zip}}</tt> — compressed archive file type.
*<tt>.co</tt> — the {{w|List of Internet top-level domains|top-level domain (TLD)}} for Colombia, but marketed as a global domain. Some countries use <tt>.co.''TLD''</tt> for general use, e.g. <tt>.co.uk</tt> in the United Kingdom. But the TLD <tt>.gz</tt> does not exist and thus <tt>.co.gz</tt> is invalid.
*<tt>{{w|Gzip|.gz}}</tt> — a compressed file using {{w|GNU}} zip.
*<tt>{{w|A.out|.a.out}}</tt> — Default filename when creating an executable on {{w|Linux}} or other Unix-like operating systems if none was specified for the compiler.

The title text suggests changing from <tt>http</tt> to <tt>https</tt>, as if encrypting a suspicious file before downloading it is somehow better than downloading it unencrypted. <tt>{{w|http}}</tt> (Hypertext Transfer Protocol) and <tt>{{w|https}}</tt> (Hypertext Transfer Protocol – Secure) are the two common protocols for getting web pages and web downloads. http is the simple download, whereas https adds an SSL encryption layer so the item being downloaded cannot be viewed unencrypted by anyone except the end recipient. Changing <tt>http</tt> to <tt>https</tt> is a common suggestion to improve security when browsing the web from an insecure network (such as a public {{w|WiFi}} hotspot) to avoid surveillance or hijacking to a malicious website; Google automatically switches to <tt>https</tt> for all mail accounts and is starting to do so with searches. The end recipient will still get whatever nasties were in the original, however — encrypting it doesn't change the content at all.

The {{w|IP address}} referenced in the comic, <tt>65.222.202.53</tt>, is currently being used by the shellcode of a {{w|JavaScript}} {{w|zero-day exploit}} for the {{w|Tor Browser Bundle}} being run by the {{w|FBI}} to phone home over the clearnet [http://thehackernews.com/2013/08/Firefox-Exploit-Tor-Network-child-pornography-Freedom-Hosting.html] and deanonymize visitors to websites on Freedom Hosting that are serving child pornography. [http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/]

As the last extension in the file is .exe, a Windows computer would run the file like an application, usually, it is not safe to run unknown .exe files

==Transcript==
:[Browser download warning box containing the following text.]
:WARNING!
:This type of file can harm your computer! Are you sure you want to download:
:<small><nowiki>http://65.222.202.53/~TILDE/PUB/CIA-BIN/ETC/INIT.DLL?FILE=__AUTOEXEC.BAT.MY%20OSX%20DOCUMENTS-INSTALL.EXE.RAR.INI.TAR.DOÇX.PHPHPHP.XHTML.TML.XTL.TXXT.0DAY.HACK.ERS_(1995)_BLURAY_CAM-XVID.EXE.TAR.[SCR].LISP.MSI.LNK.ZDA.GNN.WRBT.OBJ.O.H.SWF.DPKG.APP.ZIP.TAR.TAR.CO.GZ.A.OUT.EXE</nowiki></small>
:[Cancel and Save buttons (Save button disabled)]

{{comic discussion}}
[[Category:Comics with color]]
[[Category:Computers]]
[[Category:Video games]]