Protecting against .scr

Psych

Senior member
Feb 3, 2004
I know that .scr (screensaver files) are executables, so is there a safe way to determine whether or not one is acting as a screensaver, or as a (malicious) program? I got an E-mail the other day, with a .scr and I might, MIGHT have opened it if I hadn't deleted the E-mail out of habit.

Then comes the question of whether legitimate looking screensavers aren't actually doing something else at the same time. Is there already some built-in protection against this?
 

Nonsequitur

Junior Member
May 21, 2004
... short of investing in an antivirus tool? You can Google some free antivirus tools, but I'm not sure how effective they are.
 

13black

Senior member
May 2, 2003
The simple answer is: if you don't trust the source, don't run it. I scan everything I download for a virus. My e-mail attachments are scanned automatically. If you don't have one and/or can't afford an anti-virus app, I would recommend Avast antivirus. They have a free home version that you can download. http://www.avast.com/ It has internet mail, instant messaging, and P2P application protection.
 

Psych

Senior member
Feb 3, 2004
So there is no real protection? There should really be a safe application interface for .scr files so people don't have to worry about their screensaver destroying their computer.
 

13black

Senior member
May 2, 2003
Originally posted by: Psych
So there is no real protection? There should really be a safe application interface for .scr files so people don't have to worry about their screensaver destroying their computer.

Sure there is, it's called an anti-virus program. Double clicking a "scr" file is no worse than double clicking any other "exe" you just downloaded. The odds of finding a virus in an executable are probably higher.

:)
 

Nothinman

Elite Member
Sep 14, 2001
So there is no real protection? There should really be a safe application interface for .scr files so people don't have to worry about their screensaver destroying their computer.

There's really no difference between screensavers and 'normal' executables other than screensavers need to accept two CLI parameters, one for preview and one for fullscreen. Other than that they're just normal Win32 PE executables just like any other.
 

tart666

Golden Member
May 18, 2002
Couldn't you make a group policy application restriction? Only allow .scr files in the system folder?

edit: Just set it up, worked like a charm, made two path rules: restrict all "*.scr" everywhere, and allow "c:\windows\system32\*.scr"

Now you are NOT allowed to run any scr files, unless they are in the system32 folder. Of course, you could get tighter if instead you add hash rules allowing only the known good screensavers to run...

 
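How the two path rules from the post above actually combine, as an added example that is not part of the thread: a small Python model of Software Restriction Policy path-rule evaluation. SRP lets several path rules match one file and applies the most specific one; the model approximates "most specific" as "longest pattern", which is a simplification of the real engine. The sample file paths and the SRP security-level constants used below are assumptions for illustration, not taken from the post.

```python
"""Model of how two Software Restriction Policy (SRP) path rules combine.

Added example, not from the forum thread. It reproduces the two rules the
post describes (disallow "*.scr" everywhere, allow "c:\\windows\\system32\\*.scr")
and applies SRP's rule that, when several path rules match, the most specific
one wins (modelled here as: the longest matching pattern). Sample paths and
the level constants are constructed for illustration.
"""
import fnmatch

DISALLOWED = 0
UNRESTRICTED = 0x40000   # value SRP stores for the "Unrestricted" level (assumed here)

# (pattern, level): the two path rules from the post. SRP's default level is
# Unrestricted unless you flip it to Disallowed and whitelist everything.
RULES = [
    ("*.scr", DISALLOWED),
    ("c:\\windows\\system32\\*.scr", UNRESTRICTED),
]
DEFAULT_LEVEL = UNRESTRICTED


def _normalize(path: str) -> str:
    # Windows paths are case-insensitive and accept either separator.
    return path.replace("/", "\\").lower()


def matches(pattern: str, path: str) -> bool:
    """Does an SRP-style path rule match this file path?

    A pattern containing wildcards is matched as a glob over the whole path
    ("*" crosses directory separators, as it does in SRP). A plain folder
    pattern matches the folder itself and everything beneath it."""
    pat = _normalize(pattern)
    p = _normalize(path)
    if any(ch in pat for ch in "*?"):
        return fnmatch.fnmatchcase(p, pat)
    return p == pat or p.startswith(pat.rstrip("\\") + "\\")


def effective_level(path: str, rules=RULES, default=DEFAULT_LEVEL) -> int:
    """Level of the most specific matching rule, or the default if none match."""
    hits = [(len(pat), level) for pat, level in rules if matches(pat, path)]
    if not hits:
        return default
    hits.sort(reverse=True)          # longest (most specific) pattern first
    return hits[0][1]


def may_run(path: str) -> bool:
    return effective_level(path) != DISALLOWED


# Constructed sample paths showing what the pair of rules does and does not cover.
SAMPLE_PATHS = [
    "C:\\Windows\\System32\\logon.scr",       # shipped screensaver: allowed
    "C:\\Users\\bob\\Downloads\\cute.scr",    # mailed attachment: blocked
    "C:\\Users\\bob\\Downloads\\cute.exe",    # same attachment renamed: not covered
    "C:\\WINDOWS\\SYSTEM32\\dropped.SCR",     # anything an admin drops here: allowed
]


def demo() -> dict:
    return {p: may_run(p) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for p, ok in demo().items():
        print(f"{'run  ' if ok else 'BLOCK'} {p}")
```

Two things the decisions make visible: the allow rule is only as good as the write permissions on System32 (anything that lands there, by any means, inherits the allow), and a `*.scr` deny rule says nothing about the same attachment sent as `.exe`, which is why the thread's "disallow everything, then whitelist by hash" variant is the stronger configuration.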

Psych

Senior member
Feb 3, 2004
As a side question, do Macs have some sort of remotely related problem like this?
 

Nothinman

Elite Member
Sep 14, 2001
I'm not sure about MacOS, but on Linux screensavers are also just normal executables, so the same problem (if you could call it that) exists and I would guess that at least OS X is the same.
 

drag

Elite Member
Jul 4, 2002
On all of the operating systems I've ever used, running a random executable is going to be a potential security issue.

That's why, no matter what you use, you shouldn't ever do anything, except the bare necessities, through a root/administrator account.

Although that won't be able to solve all your problems...
For example:

In Linux you have a $PATH variable that tells the command line environment where to find executable programs.

There is a command called su that you use to assume root privileges in order to accomplish administrative stuff.

So normally just type "su" it asks for your root password, and then once you give the correct password you are now effectively root.

So say I want to "hack" your machine. So then I write an executable program and somehow trick you into trying to run it (maybe saying it's a fancy new screen saver).

Now since you're not root the program, say, couldn't go create a new account for me, since the maximum amount of privileges the program could run as would be the same as the user. So it isn't going to be that easy.

Now instead of breaking the security of the system, what this program will do is add this line to your .bashrc file: PATH=~/.crappy/:$PATH; export PATH

And it will add a script called "su" to a new directory called "~/.crappy/"

So next time you try to use su to become root, your PATH will indicate to go look in the .crappy folder first. My su script will run and it will ask for your password 3 times and then fail. It will then e-mail what you just typed in to a couple of Hotmail accounts, and then delete the new entry from the .bashrc file and the .crappy directory.

Since it's common to mistype your password, then you will simply think you messed up and then re-run the su program and it will work that time.

So you wouldn't know it, but I just got the root password to your computer.

So no matter what OS you're using you still have to be careful about using programs from untrusted sources.
 
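The $PATH trick described in the post above, reproduced together with the check that catches it, as an added example that is not part of the thread. The Python below builds a throwaway home directory containing the post's `.bashrc` line and a stand-in `~/.crappy/su`, then resolves each sensitive command the way the shell would and flags any that resolve to a user-writable directory instead of a system directory. Everything here (the command list, the directory layout, the fake script body) is constructed for illustration; nothing is sent anywhere.

```python
"""Detect a shadowed su (or sudo, ssh, passwd) introduced through $PATH.

Added example, not from the thread. It creates a temporary "home" with the
modified .bashrc and fake ~/.crappy/su from the post, then runs the check a
cautious user can run: resolve each privileged command along the effective
PATH and flag resolutions that land in a directory the user can write to.
All paths and file contents are constructed.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Commands an attacker would most like to replace with a password-stealing copy.
SENSITIVE = ("su", "sudo", "ssh", "passwd")
SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")

# Matches 'PATH=/some/dir:$PATH' or 'PATH=~/.crappy/:$PATH' in a shell rc file.
PREPEND_RE = re.compile(r'^\s*(?:export\s+)?PATH=["\']?([^:"\']+):\$PATH', re.M)


def prepended_dirs(rc_text: str, home: str) -> List[str]:
    """Directories an rc file puts in front of the existing $PATH."""
    return [os.path.normpath(d.replace("~", home, 1)) for d in PREPEND_RE.findall(rc_text)]


def resolve(cmd: str, path_dirs: List[str]) -> Optional[str]:
    """First executable named cmd along path_dirs, like the shell's lookup."""
    for d in path_dirs:
        candidate = os.path.join(d, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def is_user_writable(path: str) -> bool:
    """True if the directory holding path is writable by the current user."""
    return os.access(os.path.dirname(path), os.W_OK)


def find_hijacks(home: str, base_path: List[str]) -> Dict[str, str]:
    """Map each sensitive command to a suspicious resolution, if any.

    A resolution is suspicious when it lies outside the system directories
    and in a directory the current user can write to: exactly where a dropped
    wrapper script would live."""
    rc = os.path.join(home, ".bashrc")
    rc_text = open(rc).read() if os.path.exists(rc) else ""
    effective_path = prepended_dirs(rc_text, home) + base_path
    hits = {}
    for cmd in SENSITIVE:
        found = resolve(cmd, effective_path)
        if found and os.path.dirname(found) not in SYSTEM_DIRS and is_user_writable(found):
            hits[cmd] = found
    return hits


def build_compromised_home() -> Tuple[str, str]:
    """Create a temp home with the post's .bashrc line and a fake su.

    Returns (home, path_of_fake_su). The fake su only fails like a mistyped
    password; it stands in for the capturing script described in the post."""
    home = tempfile.mkdtemp(prefix="victim-home-")
    crappy = os.path.join(home, ".crappy")
    os.mkdir(crappy)
    fake_su = os.path.join(crappy, "su")
    with open(fake_su, "w") as f:
        f.write("#!/bin/sh\necho 'su: Authentication failure' >&2\nexit 1\n")
    os.chmod(fake_su, stat.S_IRWXU)
    with open(os.path.join(home, ".bashrc"), "w") as f:
        f.write("PATH=~/.crappy/:$PATH; export PATH\n")
    return home, fake_su


if __name__ == "__main__":
    home, _ = build_compromised_home()
    for cmd, where in find_hijacks(home, list(SYSTEM_DIRS)).items():
        print(f"WARNING: {cmd} resolves to {where}, not a system directory")
```

The habit that defeats the trick without any tooling is the same one the check encodes: keep only root-owned, non-writable directories at the front of $PATH, and type `/bin/su` (or look first with `type -a su`) before entering the root password.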

tart666

Golden Member
May 18, 2002
Sounds like this sort of thing is a lot easier with Windows and application restriction rules...
 

VirtualLarry

No Lifer
Aug 25, 2001
Originally posted by: Psych
So there is no real protection? There should really be a safe application interface for .scr files so people don't have to worry about their screensaver destroying their computer.

No, not until Windows runs each and every bit of executable content in its own sandbox, with capabilities and mandatory access control. Those sorts of features are probably years, maybe even decades away, knowing the glacial progress of Microsoft's feature development. (Real, useful features, not "integration" for the sake of monopolizing markets.)
 

drag

Elite Member
Jul 4, 2002
Originally posted by: VirtualLarry
Originally posted by: Psych
So there is no real protection? There should really be a safe application interface for .scr files so people don't have to worry about their screensaver destroying their computer.

No, not until Windows runs each and every bit of executable content in its own sandbox, with capabilities and mandatory access control. Those sorts of features are probably years, maybe even decades away, knowing the glacial progress of Microsoft's feature development. (Real, useful features, not "integration" for the sake of monopolizing markets.)

You can do that sort of thing now with SELinux... It supports mandatory access control.

But it's not fun. Actually a big pain in the butt to do much of anything. You can end up doing things like restricting access based on "roles", not usernames, so you can do stuff like give out root passwords like candy and have anybody who logs in remotely be unable to do anything, while still having root keep all the traditional administrative freedoms.

Fedora Core 2 is the only distro that I know of that currently supports these sorts of controls right out of the box, but it's disabled by default. You have to enable it during the install. See here for details. Gentoo can be made to support it, and I know Debian is working on a version, as are probably most distros.

It makes things pretty complicated, though.
 

tart666

Golden Member
May 18, 2002
Originally posted by: drag
Originally posted by: VirtualLarry
Originally posted by: Psych
So there is no real protection? There should really be a safe application interface for .scr files so people don't have to worry about their screensaver destroying their computer.

No, not until Windows runs each and every bit of executable content in its own sandbox, with capabilities and mandatory access control. Those sorts of features are probably years, maybe even decades away, knowing the glacial progress of Microsoft's feature development. (Real, useful features, not "integration" for the sake of monopolizing markets.)

You can do that sort of thing now with SELinux... It supports mandatory access control.

But it's not fun. Actually a big pain in the butt to do much of anything. You can end up doing things like restricting access based on "roles", not usernames, so you can do stuff like give out root passwords like candy and have anybody who logs in remotely be unable to do anything, while still having root keep all the traditional administrative freedoms.

Fedora Core 2 is the only distro that I know of that currently supports these sorts of controls right out of the box, but it's disabled by default. You have to enable it during the install. See here for details. Gentoo can be made to support it, and I know Debian is working on a version, as are probably most distros.

It makes things pretty complicated, though.

But Windows makes it VERY EASY. The "software restrictions" in group policy take 20 sec to set up, have a (oh no) GUI, and are very flexible. In fact, you can DISALLOW ALL executables except for the ones you want, specifying the ones you want in the GUI as hash rules. Read the instructions here.
 

Psych

Senior member
Feb 3, 2004
Microsoft probably doesn't have the time and inclination to create a difference between trusted executables and controlled restricted executables. ACLs, NTFS permissions, Software Restriction Policies, Registry permissions, Encryption, and Auditing all used together is usually enough for very crafty and intelligent people, though.
 

AtTheGates

Senior member
Jun 11, 2003
Great tip tart666. I just set it up the same way you did. Works well and I think I'll make rules for other extensions.
 

drag

Elite Member
Jul 4, 2002
But Windows makes it VERY EASY. The "software restrictions" in group policy take 20 sec to set up, have a (oh no) GUI, and are very flexible. In fact, you can DISALLOW ALL executables except for the ones you want, specifying the ones you want in the GUI as hash rules. Read the instructions here.

Not anywhere close to the same thing.
 

tart666

Golden Member
May 18, 2002
Originally posted by: drag
But Windows makes it VERY EASY. The "software restrictions" in group policy take 20 sec to set up, have a (oh no) GUI, and are very flexible. In fact, you can DISALLOW ALL executables except for the ones you want, specifying the ones you want in the GUI as hash rules. Read the instructions here.

Not anywhere close to the same thing.

But it does what the OP wanted, no?
 

drag

Elite Member
Jul 4, 2002
Originally posted by: tart666
Originally posted by: drag
But Windows makes it VERY EASY. The "software restrictions" in group policy take 20 sec to set up, have a (oh no) GUI, and are very flexible. In fact, you can DISALLOW ALL executables except for the ones you want, specifying the ones you want in the GUI as hash rules. Read the instructions here.

Not anywhere close to the same thing.

But it does what the OP wanted, no?


Sure, but it's still not what I'm talking about.

In Linux (well, any Unix-like OS, generally) making things not executable is easy, too. In fact, things you download are not executable by default and you have to turn it on. That way a file isn't executable based on the last 3 letters of the name of the file like it is in Windows.

If you want to compare what is and what is not easy, that is.