Dangerous Attachments and How a Healthy Security Culture can Help
Exploring attachments such as PDF and PPT files in email, spam, phishing and more, supporting organizations and their security awareness programs in building a healthy security culture.
Can we simply identify dangerous attachments and stop them from running? Images such as JPG files contain pretty pictures, so surely they cannot be dangerous? It's relatively common knowledge that files with an EXE extension are executable programs that run and can install software, including viruses. But an EXE is simply a genuine program running on an operating system like Windows – in fact, your browser is likely an EXE. There are certain tricks we can recommend and, whilst this can become a very technical subject, we'll do our best to show you the basics so you don't get caught out. For the sake of simplicity we will focus on Windows; other operating systems, such as Linux-based systems and macOS, view the world differently.
- What are file types and extensions?
- What is a magic byte?
- What is steganography and why is it dangerous?
- What can a great security culture do?
File types and extensions
Files are given a type; a text document, for example, differs from a JPEG image. The type primarily tells the system which programs will open the file and how to interpret the data within. There are a great number of formal file types, with variations within them: Microsoft Office Word documents, for instance, use doc and docx to differentiate between versions. Each file is given an extension that sits at the end of the file name, such as docx. This helps the system know what format the file is in and which program to use to open it.
By default, file extensions are hidden. Follow these steps to view a file's extension within Windows Explorer (not to be confused with Internet Explorer):
- Within Windows Explorer, locate a file you would like to view its extension.
- At the top of Windows Explorer, select view to display a new menu ribbon.
- Within the Show/hide ribbon section, check the box File name extensions.
- The file should now display its predefined extension.
Without getting too technical, the data within files can be viewed in many different ways. One of the more common is known as hex view, whereby the data is displayed as hexadecimal code. If you've heard of binary code before, think of hexadecimal as an alternative notation for the same computer-readable data.
When files are viewed in hexadecimal, the data is broken down into pairs of characters drawn from 0-9 and A-F, each pair representing one byte. All we need to know here is that the first few bytes are known as the magic bytes, and it is here that we find out the file's true format.
But didn't we just say the extension was the file type? Unfortunately, no. The extension we reviewed in the first part is metadata; in short, it is a simple way to indicate what the file is believed to be and which program should open it. What's more, we can easily change the extension without altering any of the data within the file.
Follow these steps for a little experiment in tricking the computer into thinking a text file is a picture:
- Go back to Windows Explorer and open your Documents.
- Right click a clear space and select New Text Document.
- Open the file and make a little hidden message for yourself. Save and close.
- Right click the file and select rename.
- Rename the file, but this time remove the 'txt' suffix and replace it with 'jpg'.
- The icon will now display a picture icon. If you try to open it, it will likely open an image viewing program, but fail to show any picture.
- Right click the file again, select open with, and select notepad.
- Your secret message is still there, untouched!
Magic bytes can help us identify the true file, even if the extension is a trick!
Of course, it cannot be that simple! What if a picture said it was a picture, looked like a picture, but was more than a picture?
Steganography is the technique of hiding information within another object. An image file, like any other file type, can be a perfectly genuine file with additional code hidden within it. Malware hidden inside images has been seen in previous attacks, although this typically requires the machine to already be infected: the malware-laced image is read and understood by malware already running on the computer, rather than executing on its own.
The primary purpose of this particular technique is to hide in plain sight, fooling security teams into believing there is nothing illicit occurring. This is a deeply technical and fascinating area, far too complex for this blog.
Whilst technically every file can contain malware, we cannot expect most staff to be able to identify hidden malware. Thankfully such techniques are uncommon, and it is worth raising awareness that any file, even an image, is potentially unsafe. Building the organization's security awareness is key to success.
What can I do? (If everything can be malware)
There are a few simple tricks organizations can do to reduce the likelihood of malware and stop infections before it’s too late.
IT departments can prevent certain files from reaching users' mailboxes. While EXE files are commonplace, they are certainly not commonly sent via email. High-risk files such as executables and scripts (i.e. EXE, CMD, BAT, VBS) should be blocked by default. Organizations should put processes in place that require individuals to submit a request for such files to be accepted on a case-by-case basis.
Common phishing attachments are office-type documents such as PDF, XLS and DOC, as well as files that can run scripts (i.e. HTML, JAR). Office documents are typically essential to business and thus impossible to block in most circumstances, although local security controls can prevent these files from running scripts. One common example is macros: the malicious code resides inside an otherwise benign Office document. It is worth reviewing the list of acceptable file types and marrying it against existing controls and the organization's risk appetite.
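The following is an added example (not code from the original post) that ties together the rename experiment above and the blocking advice in this section: a small attachment triage routine that applies a default block list, compares a file's magic bytes against its extension so a text file renamed to .jpg is flagged, and looks inside Office documents for a VBA macro part. The signature table, the block list and the minimal in-memory Office file are constructed for this example.

```python
import io
import zipfile

# Magic bytes (file signatures) for a few common attachment formats.
# Constructed, short table for this example; real lists are far longer.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "exe": b"MZ",
    "docx": b"PK\x03\x04",  # Office Open XML files are ZIP archives
    "docm": b"PK\x03\x04",
}
# Extensions the post recommends blocking by default at the mail gateway.
BLOCKED = {"exe", "cmd", "bat", "vbs", "html", "jar"}
OFFICE = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}


def has_vba(data: bytes) -> bool:
    """Macro-enabled Office files store their VBA in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.endswith("vbaProject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes) -> str:
    """Classify an attachment as 'block', 'mismatch', 'macro' or 'ok'."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in BLOCKED:          # last extension wins: invoice.pdf.exe is an EXE
        return "block"
    sig = MAGIC.get(ext)
    if sig and not data.startswith(sig):
        return "mismatch"       # the extension lies; the magic bytes do not
    if ext in OFFICE and has_vba(data):
        return "macro"
    return "ok"


def make_office(with_macro: bool) -> bytes:
    """Constructed minimal ZIP standing in for an Office file (not real Word content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```

Running `triage("secret.jpg", b"my hidden message")` reproduces the experiment above and returns "mismatch", while a real JPEG header returns "ok".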