Difference between revisions of "1247: The Mother of All Suspicious Files"
(Added the fact that autoexec.bat as modified by viruses.)
(Noted the reference to Douglas Engelbart's "The Mother of All Demos" in the title (The Mother of All Suspicious Files))
|Line 54:||Line 54:|
Revision as of 11:05, 13 August 2013
|The Mother of All Suspicious Files|
Title text: Better change the URL to 'https' before downloading.
You also see common download syntax for a pirated movie, Hackers, likely included to appear malicious to anyone skimming but is actually a movie about hackers, making it a benign reference rather than malicious. It is described as "_BLURAY_CAM", which contradicts itself ("_BLURAY" would mean it was ripped from a copy on Blu-Ray Disc, while "_CAM" would mean it was copied by pointing a camera at the screen in the cinema). "_BLURAY_CAM" would probably indicate a search-keyword-stuffed fake copy; fake pirated media often contain viruses (although this is more likely to be a problem with newer media, before the first real pirated copy appears).
The URL contains the path "~tilde/pub/cia-bin/etc". The first part is a public folder of a user named tilde (which is also the name for the ~ symbol), "cgi-bin" is a common folder on a Web-Server for server side executables (Randall jokes with the name), and "etc" is a standard folder for configuration files – normally never accessible through a webserver. The program "init.dll" isn't executable at all, it's a Windows Dynamic Link Library which can't be run standalone, and is rarely referenced in URLs (even though such syntax is still being employed, even on reputable websites (Google search) or here at eBay, indicating the webserver is a Microsoft ASP server). The question mark indicates the start of a parameter list, and in this case we have only one named "FILE".
The "Save" button is disabled; you still only can click the "Cancel" button. This can be different when the server detects that you are using a secure (https) connection.
The complete content sent to the server, starting with "/~TILDE..." and ending with "...OUT.EXE", is exactly 256 characters long. On HTML 3 specifications you have a limitation of 1024 characters, whereas later HTML specifications don't have this limit; it just depends on the web server's capabilities. But posting parameters directly at the URL is still a worse choice.
The content of the parameter is shown here:
- __ (underscore underscore) - used in the C programming language to denote that a symbol is really not for public consumption
- AUTOEXEC.BAT - a file which is automatically run during startup on Windows/DOS operating systems, and was often modified by viruses, which added malicious code to be run on each boot.
- MY%20OSX%20DOCUMENTS - referencing the OSX operating system (%20 is a representation of a space in a URL, i.e. it reads as "MY OSX DOCUMENTS").
- INSTALL.EXE - a typical installer
- RAR - a compressed archive file type
- INI - a configuration file type
- TAR - a file archive popular in UNIX and UNIX-like operating systems. TAR has been mentioned before.
- DOÇX - docx is an Office Open XML file, i.e. a word processing format used by Microsoft Word 2007 and above, but has no cedilla (¸)
- PHPHPHP - a play on PHP files, a kind of server-based web page file type. PHP is a recursive abbreviation ("PHP: Hypertext Preprocessor")
- XHTML - another web page file type
- TML - stands for Transducer Markup Language, an XML based markup language that specifies how to capture, time-tag and describe sensor data
- XTL - another play on XHTML?
- TXXT - a play on TXT file types
- 0DAY - a reference to a zero-day exploit
- HACK.ERS_(1995)_BLURAY_CAM-XVID - a reference to the 1995 Hackers movie, but pirated movies would either be a BlurayRIP/DVDRIP or CAM, but not both at the same time unless you used a camera to record the Blu-ray movie as it played.
- EXE - an executable file type used by Microsoft Windows
- [SCR] - a tag used by movie pirates to denote a 'Screener', the DVD copy of films given to critics prior to theater release. Usually the highest quality available at this time, rare, and therefor good bait for a virus laden download. ".scr" is also the extension for screen saver files, really just an exe file with a different extension and one of the classical ways to distribute infected files
- LISP - programming language
- MSI - an installation file used by Microsoft Installer
- LNK - an extension used by Microsoft Windows for shortcuts. The extension is normally hidden to the user.
- LNK, ZDA, GNN - references to Link, Zelda, and Ganon, important characters from The Legend of Zelda video game franchise
- WRBT OBJ - A reference to the line of code Dennis Nedry used in Jurassic Park to shut down key systems
- O - The extension for a linker file, an intermediary created when compiling C code.
- H - The file extension of a header file in C code.
- SWF - Shockwave Flash file type
- DPKG - The Debian package management, although the package files use the file suffix ".deb"
- APP - an application on Mac OS X operating system
- ZIP - compressed archive file type
- CO - looks like a top-level domain. Many countries use .co.tld in front of their main TLD, e.g. .co.uk. .co.gz doesn't exist.
- GZ - a compressed file using GNU zip
- A.OUT - Default filename when creating an executable on Linux or other UNIX-like operating systems if none was specified for the compiler.
The title text suggests changing from http to https, as if encrypting a suspicious file before downloading it is somehow better than downloading it unencrypted. http (Hyper Text Transfer Protocol) and https (Hyper Text Transfer Protocol - Secure) are the two common protocols for getting web pages and web downloads. http is the simple download, whereas https adds an SSL encryption layer so the item being downloaded cannot be viewed unencrypted by anyone except the end recipient. Changing "http" to "https" is a common suggestion to improve security when browsing the web from an insecure network (such as a public wifi hotspot) to avoid surveillance or hijacking to a malicious website; Google automatically switches to https for all mail accounts and is starting to do so with searches. The end recipient will still get whatever nasties were in the original, however - encrypting it doesn't change the content at all.
- [Browser download warning box containing the following text]
- This type of file can harm your computer! Are you sure you want to download: http://220.127.116.11/~TILDE/PUB/CIA-BIN/ETC/INIT.DLL?FILE=__AUTOEXEC.BAT.MY%20OSX%20DOCUMENTS-INSTALL.EXE.RAR.INI.TAR.DOÇX.PHPHPHP.XHTML.TML.XTL.TXXT.0DAY.HACK.ERS_(1995)_BLURAY_CAM-XVID.EXE.TAR.[SCR].LISP.MSI.LNK.ZDA.GNN.WRBT.OBJ.O.H.SWF.DPKG.APP.ZIP.TAR.TAR.CO.GZ.A.OUT.EXE
- [Cancel and Save buttons]
add a comment! ⋅ add a topic (use sparingly)! ⋅ refresh comments!