1247: The Mother of All Suspicious Files
|The Mother of All Suspicious Files|
Title text: Better change the URL to 'https' before downloading.
You can also see common download syntax for a pirated movie, Hackers, likely included to appear malicious to anyone skimming but is actually a movie about hackers, making it a benign reference rather than malicious. It is described as "_BLURAY_CAM", which contradicts itself ("_BLURAY" would mean it was ripped from a copy on Blu-ray Disc, while "_CAM" would mean it was copied by pointing a camera at the screen in the cinema). "_BLURAY_CAM" would probably indicate a search-keyword-stuffed fake copy; fake pirated media often contain viruses (although this is more likely to be a problem with newer media, before the first real pirated copy appears).
The URL contains the path "~tilde/pub/cia-bin/etc". The first part is a public folder of a user named tilde (which is also the name for the ~ symbol), "cgi-bin" is a common folder on a Web-Server for server side executables (Randall changes the name to CIA-bin), and "etc" is a standard folder for configuration files – normally never accessible through a webserver. The program "init.dll" isn't executable at all, it's a Windows Dynamic Link Library which can't be run standalone, and is rarely referenced in URLs (even though such syntax is still being employed, even on reputable websites (Google search) or here at eBay, indicating the webserver is a Microsoft ASP server). The question mark indicates the start of a parameter list, and in this case we have only one named "FILE".
The "Save" button is greyed out, suggesting that it is disabled; you can only click the "Cancel" button. This can be different when the server detects that you are using a secure (https) connection.
The complete content sent to the server, starting with "/~TILDE..." and ending with "...OUT.EXE", is exactly 256 characters long. On HTML 3 specifications you have a limitation of 1024 characters, whereas later HTML specifications don't have this limit; it just depends on the web server's capabilities. But posting parameters directly at the URL is still a worse choice.
The content of the parameter is shown here:
- __ (underscore underscore) — used in the C programming language to denote that a symbol is really not for public consumption.
- AUTOEXEC.BAT — a file which is automatically run during startup on Windows/DOS operating systems, and was often modified by viruses, which added malicious code to be run on each boot.
- MY%20OSX%20DOCUMENTS — referencing the OSX operating system (%20 is a representation of a space in a URL, i.e. it reads as "MY OSX DOCUMENTS").
- INSTALL.EXE — a typical installer.
- RAR — a compressed archive file type.
- INI — a configuration file type.
- TAR — a file archive popular in UNIX and UNIX-like operating systems. TAR has been mentioned before.
- DOÇX — docx is an Office Open XML file, i.e. a word processing format used by Microsoft Word 2007 and above, but has no cedilla (¸). The addition of a cedilla may be a reference to exploits that rely on rare characters being mistaken for more common ones that look similar, such as the IDN homograph attack.
- PHPHPHP — a play on PHP files, a kind of server-based web page file type. PHP originally stood for "Personal Home Page" but was later redefined as the recursive abbreviation "PHP: Hypertext Preprocessor".
- XHTML — another web page file type.
- TML — stands for Transducer Markup Language, an XML based markup language that specifies how to capture, time-tag and describe sensor data.
- XTL — possibly a play on XHTML.
- TXXT — a play on TXT file types.
- 0DAY.HACK — a reference to a zero-day exploit. (overlaps with the next entry)
- HACK.ERS_(1995)_BLURAY_CAM-XVID — a reference to the 1995 Hackers movie, but pirated movies would either be a BlurayRIP/DVDRIP or CAM, but not both at the same time unless you used a camera to record the Blu-ray movie as it played.
- EXE — an executable file type used by Microsoft Windows.
- [SCR] — a tag used by movie pirates to denote a 'Screener', the DVD copy of films given to critics prior to theater release. Usually the highest quality available at the time, rare, and thus good bait for a virus-laden download. ".scr" is also the extension for screensaver files, really just an exe file with a different extension and one of the classical ways to distribute infected files.
- LISP — programming language.
- MSI — an installation file used by Microsoft Installer.
- LNK — an extension used by Microsoft Windows for shortcuts. The extension is normally hidden to the user.
- LNK, ZDA, GNN — references to Link, Zelda, and Ganon, important characters from The Legend of Zelda video game franchise.
- WRBT.OBJ — A reference to the line of code Dennis Nedry used in Jurassic Park to shut down key systems.
- O — The extension for a linker file, an intermediary created when compiling C code.
- H — The file extension of a header file in C code.
- SWF — Shockwave Flash file type.
- DPKG — The Debian package management, although the package files use the file suffix .deb.
- APP — an application on Mac OS X operating system.
- ZIP — compressed archive file type.
- CO — the top-level domain (TLD) for Colombia, but marketed as a global domain. Some countries use .co.TLD for general use, e.g. .co.uk in the United Kingdom. But the TLD .gz does not exist and thus .co.gz is invalid.
- GZ — a compressed file using GNU zip.
- A.OUT — Default filename when creating an executable on Linux or other UNIX-like operating systems if none was specified for the compiler.
The title text suggests changing from http to https, as if encrypting a suspicious file before downloading it is somehow better than downloading it unencrypted. http (Hyper Text Transfer Protocol) and https (Hyper Text Transfer Protocol - Secure) are the two common protocols for getting web pages and web downloads. http is the simple download, whereas https adds an SSL encryption layer so the item being downloaded cannot be viewed unencrypted by anyone except the end recipient. Changing http to https is a common suggestion to improve security when browsing the web from an insecure network (such as a public WiFi hotspot) to avoid surveillance or hijacking to a malicious website; Google automatically switches to https for all mail accounts and is starting to do so with searches. The end recipient will still get whatever nasties were in the original, however — encrypting it doesn't change the content at all.
- [Browser download warning box containing the following text.]
- This type of file can harm your computer! Are you sure you want to download:
- [Cancel and Save buttons (Save button disabled)]
add a comment! ⋅ add a topic (use sparingly)! ⋅ refresh comments!