Editing 1247: The Mother of All Suspicious Files

Jump to: navigation, search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 8: Line 8:
  
 
==Explanation==
 
==Explanation==
Modern operating systems try to intercept malicious files before they can be downloaded. This comic depicts a {{w|dialog box}} requiring the user to confirm if they want to download a potentially dangerous file — and it turns out the file being downloaded is absolutely filled with a truly absurd number of file extensions. Many of the {{w|file extension|extensions}} used inside there indicate executable code; multiple file extensions are sometimes used to disguise a {{w|Trojan horse (computing)|trojan program}} as a document. The sheer number of extensions in the comic wouldn't just look out of place on a safe file, it's also far more than an actual computer virus would bother to have, thus the humor.
+
The save dialogue shows a download from [http://www.utrace.de/?query=65.222.202.53 65.222.202.53], an IP address that hosted JavaScript malware during a recent attack on the Tor anonymity network, with a very long file title. Many of the extensions used inside there indicate executable code; multiple file extensions are sometimes used to disguise a trojan program as a document.
  
The first part of the suspicious file's name is <tt><nowiki>http://65.222.202.53</nowiki></tt>, an {{w|IP address}} that hosted {{w|JavaScript}} {{w|malware}} during a recent attack on the {{w|Tor anonymity network}}, with a very long file title.  
+
You also see common download syntax for a pirated movie, {{w|Hackers (film)|Hackers}}, likely included to appear malicious to anyone skimming but is actually a movie about hackers, making it a benign reference rather than malicious. It is described as "_BLURAY_CAM", which contradicts itself ("_BLURAY" would mean it was ripped from a copy on Blu-Ray Disc, while "_CAM" would mean it was copied by pointing a camera at the screen in the cinema). "_BLURAY_CAM" would probably indicate a search-keyword-stuffed fake copy; fake pirated media often contain viruses (although this is more likely to be a problem with newer media, before the first real pirated copy appears).
  
You can also see common download syntax for a pirated movie, {{w|Hackers (film)|''Hackers''}}, likely included to appear malicious to anyone skimming but is actually a movie about hackers, making it a benign reference rather than malicious. It is described as "<tt>_BLURAY_CAM</tt>", which contradicts itself ("<tt>_BLURAY</tt>" would imply it was ripped from a copy on {{w|Blu-ray Disc}}, while "<tt>_CAM</tt>" would mean it was copied by pointing a camera at the screen in the cinema). "<tt>_BLURAY_CAM</tt>" would probably indicate a search-keyword-stuffed fake copy; fake pirated media often contain viruses (although this is more likely to be a problem with newer media, before the first real pirated copy appears).
+
The {{w|URL}} contains the path "~tilde/pub/cia-bin/etc". The first part is a public folder of a user named tilde (which is also the name for the ~ symbol), "cgi-bin" is a common folder on a Web-Server for server side executables ([[Randall]] jokes with the name), and "etc" is a standard folder for configuration files – normally never accessible through a webserver. The program "init.dll" isn't executable at all, it's a {{w|Windows Dynamic Link Library}} which can't be run standalone, and is rarely referenced in URLs (even though such syntax is still being employed, even on [https://www.google.com/search?q=site:edu+filetype:dll reputable websites (Google search)] or here at [https://signin.ebay.com/ws/eBayISAPI.dll eBay], indicating the webserver is a Microsoft {{w|Active Server Pages|ASP}} server). The question mark indicates the start of a parameter list, and in this case we have only one named "FILE".
  
The {{w|URL}} contains the path "<tt>~tilde/pub/cia-bin/etc</tt>". The first part is a public folder of a user named "tilde" (which is also the name for the {{w|tilde|~ symbol}}), "<tt>cgi-bin</tt>" is a common folder on a web server for server-side executables ([[Randall]] changes the name to "<tt>[[CIA|cia]]-bin</tt>"), and "<tt>etc</tt>" is a standard folder for configuration files – normally never accessible through a web server. The program "init.dll" isn't executable at all, it's a {{w|Dynamic-link library}} which can't be run standalone, and is rarely referenced in URLs (even though such syntax is still being employed, even on [https://www.google.com/search?q=site:edu+filetype:dll reputable websites (Google search)] or here at [https://signin.ebay.com/ws/eBayISAPI.dll eBay], indicating the webserver is a Microsoft {{w|Active Server Pages|ASP}} server). The question mark indicates the start of a parameter list, and in this case we have only one named "<tt>FILE</tt>".
+
The "Save" button is disabled; you can only click the "Cancel" button. This can be different when the server detects that you are using a secure (https) connection.
  
The "Save" button is greyed out, suggesting that it is disabled; you can click only the "Cancel" button. For security reasons, some browsers (like Firefox) disable the "Save" button for a few seconds before enabling it. This prevents users from accidentally accepting a download while entering input, like a malicious CAPTCHA.
+
The complete content sent to the server, starting with "/~TILDE..." and ending with "...OUT.EXE", is exactly 256 characters long. On {{w|HTML 3}} specifications you have a limitation of 1024 characters, whereas later HTML specifications don't have this limit; it just depends on the web server's capabilities. But posting parameters directly at the URL is still a worse choice.
  
The complete content sent to the server, starting with "<tt>/~tilde...</tt>" and ending with "<tt>...out.exe</tt>", is exactly 256 characters long. On {{w|HTML 3}} specifications you have a limitation of 1024 characters, whereas later HTML specifications don't have this limit; it just depends on the web server's capabilities. But posting parameters directly at the URL is still a worse choice.
+
The content of the parameter is shown here:
 +
* __ (underscore underscore) - used in the C programming language to denote that a symbol is really not for public consumption
 +
* {{w|AUTOEXEC.BAT}} - a file which is automatically run during startup on Windows/DOS operating systems, and was often modified by viruses, which added malicious code to be run on each boot.
 +
* MY%20OSX%20DOCUMENTS - referencing the {{w|OSX}} operating system ({{w|URL_encoding#Character_data|%20}} is a representation of a space in a URL, i.e. it reads as "MY OSX DOCUMENTS").
 +
* INSTALL.EXE - a typical {{w|Installer#Installer|installer}}
 +
* {{w|RAR}} - a compressed archive file type
 +
* {{w|INI_file|INI}} - a configuration file type
 +
* {{w|Tar_(computing)|TAR}} - a file archive popular in UNIX and UNIX-like operating systems. TAR has been mentioned [[1168:_tar|before]].
 +
* DOÇX - {{w|docx}} is an Office Open XML file, i.e. a word processing format used by Microsoft Word 2007 and above, but has no cedilla (¸). The addition of a cedilla may be a reference to exploits that rely on rare characters being mistaken for more common ones that look similar, such as the {{w|IDN homograph attack}}.
 +
* PHPHPHP - a play on {{w|PHP}} files, a kind of server-based web page file type. PHP originally stood for "Personal Home Page" but was later redefined as the recursive abbreviation "PHP: Hypertext Preprocessor".
 +
* {{w|XHTML}} - another web page file type
 +
* {{w|TransducerML|TML}} - stands for Transducer Markup Language, an XML based markup language that specifies how to capture, time-tag and describe sensor data
 +
* XTL - possibly a play on XHTML
 +
* TXXT - a play on {{w|Text_file|TXT}} file types
 +
* 0DAY.HACK - a reference to a {{w|zero-day exploit}} (overlaps with the next entry)
 +
* HACK.ERS_(1995)_BLURAY_CAM-XVID - a reference to the 1995 {{W|Hackers (film)|''Hackers''}} movie, but pirated movies would either be a BlurayRIP/DVDRIP or CAM, but not both at the same time unless you used a camera to record the Blu-ray movie as it played.
 +
* {{w|EXE}} - an executable file type used by Microsoft Windows
 +
* [SCR] - a tag used by movie pirates to denote a '{{w|Screener}}', the DVD copy of films given to critics prior to theater release. Usually the highest quality available at the time, rare, and thus good bait for a virus-laden download. "{{w|.scr}}" is also the extension for screensaver files, really just an exe file with a different extension and one of the classical ways to distribute infected files.
 +
* {{w|Lisp (programming language)|LISP}} - programming language
 +
* {{w|Windows_Installer|MSI}} - an installation file used by Microsoft Installer
 +
* {{w|.lnk|LNK}} - an extension used by Microsoft Windows for shortcuts. The extension is normally hidden to the user.
 +
* LNK, ZDA, GNN - references to {{w|Link_(The_Legend_of_Zelda)|Link}}, {{w|Princess_Zelda|Zelda}}, and {{w|Ganon|Ganon}}, important characters from ''{{w|The_Legend_of_Zelda|The Legend of Zelda}}'' video game franchise
 +
* {{w|White_Rabbit#Television_and_films|WRBT.OBJ}} - A reference to the line of code Dennis Nedry used in {{w|Jurassic Park (film)|Jurassic Park}} to shut down key systems
 +
* {{w|Object_file|O}} - The extension for a linker file, an intermediary created when compiling C code.
 +
* {{w|Header_file|H}} - The file extension of a header file in C code.
 +
* {{w|SWF}} - Shockwave Flash file type
 +
* {{w|Dpkg|DPKG}} - The Debian package management, although the package files use the file suffix ''.deb''
 +
* APP - an application on Mac OS X operating system
 +
* {{w|ZIP_%28file_format%29|ZIP}} - compressed archive file type
 +
* CO - the {{w|List_of_Internet_top-level_domains|top-level domain (TLD)}} for Colombia, but marketed as a global domain. Some countries use .co.''TLD'' for general use, e.g. ''.co.uk'' in the United Kingdom. But the TLD ''.gz'' does not exist and thus ''.co.gz'' is invalid.
 +
* {{w|Gzip|GZ}} - a compressed file using GNU zip
 +
* {{w|A.out|A.OUT}} - Default filename when creating an executable on Linux or other UNIX-like operating systems if none was specified for the compiler.
  
The content of the parameter is shown here:
+
The title text suggests changing from ''http'' to ''https'', as if encrypting a suspicious file before downloading it is somehow better than downloading it unencrypted. http (Hyper Text Transfer Protocol) and https (Hyper Text Transfer Protocol - Secure) are the two common protocols for getting web pages and web downloads. http is the simple download, whereas https adds an SSL encryption layer so the item being downloaded cannot be viewed unencrypted by anyone except the end recipient. Changing ''http'' to ''https'' is a common suggestion to improve security when browsing the web from an insecure network (such as a public WiFi hotspot) to avoid surveillance or hijacking to a malicious website; Google automatically switches to https for all mail accounts and is starting to do so with searches. The end recipient will still get whatever nasties were in the original, however - encrypting it doesn't change the content at all.
*<tt>__</tt> (underscore underscore) — used in the {{w|C programming language}} to denote that a symbol is really not for public consumption.
 
*<tt>{{w|autoexec.bat}}</tt> — a {{w|batch file}} which is automatically run during startup on {{w|MS-DOS}} and {{w|Windows}} operating systems, and was often modified by viruses, which added malicious code to be run on each boot.
 
*<tt>My%20OSX%20Documents</tt> — referencing Apple's {{w|OS X}} operating system (<tt>{{w|URL encoding#Character data|%20}}</tt> is a representation of a space in a URL, i.e. it reads as "<tt>My OSX Documents</tt>").
 
*<tt>install.exe</tt> — a typical {{w|Installer#Installer|installer}}.
 
*<tt>{{w|RAR|.rar}}</tt> — a compressed archive file type.
 
*<tt>{{w|INI file|.ini}}</tt> — a configuration file type.
 
*<tt>{{w|Tar (computing)|.tar}}</tt> — a {{w|file}} archive popular in {{w|Unix}} and {{w|Unix-like}} operating systems. tar has been mentioned [[1168: tar|before]].
 
*<tt>.doçx</tt> — <tt>{{w|docx|.docx}}</tt> is an {{w|Office Open XML}} file, i.e. a word processing format used by {{w|Microsoft Word 2007}} and above, but has no {{w|cedilla}} (¸). The addition of a cedilla may be a reference to exploits that rely on rare characters being mistaken for more common ones that look similar, such as the {{w|IDN homograph attack}}.
 
*<tt>.phphphp</tt> — a play on {{w|PHP}} files, a kind of server-based web page file type. PHP originally stood for "Personal Home Page" but was later redefined as the recursive abbreviation "PHP: Hypertext Preprocessor".
 
*<tt>{{w|XHTML|.xhtml}}</tt> — another web page file type.
 
*<tt>{{w|TransducerML|.tml}}</tt> — stands for Transducer Markup Language, an {{w|XML}}-based {{w|markup language}} that specifies how to capture, time-tag and describe sensor data.
 
*<tt>.xtl</tt> — possibly a play on XHTML.
 
*<tt>.txxt</tt> — a play on <tt>{{w|Text file|.txt}}</tt> file types.
 
*<tt>0DAY.HACK</tt> — a reference to a {{w|zero-day exploit}}. (overlaps with the next entry)
 
*<tt>HACK.ERS_(1995)_BLURAY_CAM-XVID</tt> — a reference to the 1995 {{W|Hackers (film)|''Hackers''}} movie, but pirated movies would either be a <tt>BLURAYRIP/DVDRIP</tt> or <tt>CAM</tt>, but not both at the same time unless you used a camera to record a {{w|Blu-Ray}} movie as it played.
 
*<tt>{{w|EXE|.exe}}</tt> — an executable file type used by Microsoft Windows.
 
*<tt>[SCR]</tt> — a tag used by movie pirates to denote a '{{w|Screener}}', the DVD copy of films given to critics prior to theater release. Usually the highest quality available at the time, rare, and thus good bait for a virus-laden download. "{{w|.scr}}" is also the extension for screensaver files, really just an exe file with a different extension and one of the classical ways to distribute infected files.
 
*<tt>{{w|Lisp (programming language)|Lisp}}</tt> — programming language.
 
*<tt>{{w|Windows Installer|.msi}}</tt> — an installation file used by Microsoft Installer.
 
*<tt>{{w|.lnk}}</tt> — an extension used by Microsoft Windows for shortcuts. The extension is normally hidden to the user.
 
*<tt>.lnk.zda.gnn</tt> — references to {{w|Link (The Legend of Zelda)|Link}}, {{w|Princess Zelda|Zelda}}, and {{w|Ganon}}, important characters from ''{{w|The Legend of Zelda}}'' video game franchise.
 
*<tt>{{w|White Rabbit#Films|wrbt.obj}}</tt> — A reference to the line of code Dennis Nedry used in ''{{w|Jurassic Park}}'' to shut down key systems.
 
*<tt>{{w|Object file|.o}}</tt> — The extension for a {{w|Linker (computing)|linker file}}, an intermediary created when compiling {{w|C programming language|C code}}.
 
*<tt>{{w|Header file|.h}}</tt> — The file extension of a {{w|header file}} in C code.
 
*<tt>{{w|.swf}}</tt> — {{w|Shockwave Flash}} file type.
 
*<tt>{{w|Dpkg|.dpkg}}</tt> — The {{w|Debian}} package management, although the package files use the file suffix <tt>.deb</tt>.
 
*<tt>.app</tt> — an application on the {{w|Mac OS X}} operating system.
 
*<tt>{{w|ZIP (file format)|.zip}}</tt> — compressed archive file type.
 
*<tt>.co</tt> — the {{w|List of Internet top-level domains|top-level domain (TLD)}} for Colombia, but marketed as a global domain. Some countries use <tt>.co.''TLD''</tt> for general use, e.g. <tt>.co.uk</tt> in the United Kingdom. But the TLD <tt>.gz</tt> does not exist and thus <tt>.co.gz</tt> is invalid.
 
*<tt>{{w|Gzip|.gz}}</tt> — a compressed file using {{w|GNU}} zip.
 
*<tt>{{w|A.out|.a.out}}</tt> — Default filename when creating an executable on {{w|Linux}} or other Unix-like operating systems if none was specified for the compiler.
 
  
The title text suggests changing from <tt>http</tt> to <tt>https</tt>, as if encrypting a suspicious file before downloading it is somehow better than downloading it unencrypted. <tt>{{w|http}}</tt> (Hypertext Transfer Protocol) and <tt>{{w|https}}</tt> (Hypertext Transfer Protocol – Secure) are the two common protocols for getting web pages and web downloads. http is the simple download, whereas https adds an SSL encryption layer so the item being downloaded cannot be viewed unencrypted by anyone except the end recipient. Changing <tt>http</tt> to <tt>https</tt> is a common suggestion to improve security when browsing the web from an insecure network (such as a public {{w|WiFi}} hotspot) to avoid surveillance or hijacking to a malicious website; Google automatically switches to <tt>https</tt> for all mail accounts and is starting to do so with searches. The end recipient will still get whatever nasties were in the original, however — encrypting it doesn't change the content at all.
+
The IP address referenced in the comic, 65.222.202.53, is currently being used by the shellcode of a JavaScript 0-day exploit for the Tor Browser Bundle being run by the FBI to phone home over the clearnet [http://thehackernews.com/2013/08/Firefox-Exploit-Tor-Network-child-pornography-Freedom-Hosting.html] and de-anonymize visitors to websites on Freedom Hosting that are serving child pornography. [http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/]
  
The {{w|IP address}} referenced in the comic, <tt>65.222.202.53</tt>, was, at the time this article was authored, being used by the shellcode of a {{w|JavaScript}} {{w|zero-day exploit}} for the {{w|Tor Browser Bundle}} being run by the {{w|FBI}} to phone home over the clearnet [https://thehackernews.com/2013/08/Firefox-Exploit-Tor-Network-child-pornography-Freedom-Hosting.html] and deanonymize visitors to websites on Freedom Hosting that are serving child pornography. [https://www.reddit.com/r/onions/comments/1jmrta]
+
The title of this comic, "The Mother of All Suspicious Files", is a reference to [http://www.youtube.com/watch?v=JfIgzSoTMOs The Mother of All Demos] from {{w|Douglas Engelbart}}.
 
 
As the last extension in the file is .exe, a Windows computer would run the file like an application. Usually, it is not safe to run unknown .exe files.
 
  
 
==Transcript==
 
==Transcript==
:[Browser download warning box containing the following text.]
+
:[Browser download warning box containing the following text]
 
:WARNING!
 
:WARNING!
 
:This type of file can harm your computer! Are you sure you want to download:
 
:This type of file can harm your computer! Are you sure you want to download:
 
:<small><nowiki>http://65.222.202.53/~TILDE/PUB/CIA-BIN/ETC/INIT.DLL?FILE=__AUTOEXEC.BAT.MY%20OSX%20DOCUMENTS-INSTALL.EXE.RAR.INI.TAR.DOÇX.PHPHPHP.XHTML.TML.XTL.TXXT.0DAY.HACK.ERS_(1995)_BLURAY_CAM-XVID.EXE.TAR.[SCR].LISP.MSI.LNK.ZDA.GNN.WRBT.OBJ.O.H.SWF.DPKG.APP.ZIP.TAR.TAR.CO.GZ.A.OUT.EXE</nowiki></small>
 
:<small><nowiki>http://65.222.202.53/~TILDE/PUB/CIA-BIN/ETC/INIT.DLL?FILE=__AUTOEXEC.BAT.MY%20OSX%20DOCUMENTS-INSTALL.EXE.RAR.INI.TAR.DOÇX.PHPHPHP.XHTML.TML.XTL.TXXT.0DAY.HACK.ERS_(1995)_BLURAY_CAM-XVID.EXE.TAR.[SCR].LISP.MSI.LNK.ZDA.GNN.WRBT.OBJ.O.H.SWF.DPKG.APP.ZIP.TAR.TAR.CO.GZ.A.OUT.EXE</nowiki></small>
:[Cancel and Save buttons (Save button disabled)]
+
:[Cancel and Save buttons]
  
 
{{comic discussion}}
 
{{comic discussion}}
 
[[Category:Comics with color]]
 
[[Category:Comics with color]]
 
[[Category:Computers]]
 
[[Category:Computers]]
[[Category:Video games]]
 

Please note that all contributions to explain xkcd may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see explain xkcd:Copyrights for details). Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following CAPTCHA:

Cancel | Editing help (opens in new window)

Templates used on this page:

Retrieved from "https://www.explainxkcd.com/wiki/index.php/1247:_The_Mother_of_All_Suspicious_Files"