CPP extension as an executable? Can it be used for execution purpose?



#1 H.A.V Aravinda


Posted 05 June 2014 - 01:39 AM

Normally executables have extensions such as .exe, .dll, .scr, .bat, .com, etc. But I recently came across some issues related to the .cpp extension, which I believe should be for C++ source code that is to be opened via Notepad and/or a related compiler, i.e. http://file.org/extension/cpp

But some unwanted/malicious programs seem to be using the .cpp extension in startup/rundll/Task Scheduler.

http://www.avgthreatlabs.com/virus-and-malware-information/info/cpp/

http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/rundll-cannot-load-module-nbiuscpp/dea61f70-a6ba-4486-8812-62f6cb7db3c6

http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/message-on-start-up/26fe6859-cc39-4ac3-9c6a-cad2f8173712

Just wondering, other than being used as a source code extension, how is it used as an executable? Or is there any other use of it? Anyone having similar experience? Kindly share your thoughts.


Edited by H.A.V Aravinda , 05 June 2014 - 02:13 AM.




#2 Didier Stevens


Posted 05 June 2014 - 03:11 AM

CPP is indeed C++ source code. For example, you will find these files in Visual Studio C++ projects.

It is a pure text file.

Are you sure that the malicious use of the .CPP extension is done with a pure text file? Because there are many places in Windows where you can configure DLLs to be loaded, and this works with arbitrary extensions.

So FILENAME.CPP could also be a DLL.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 H.A.V Aravinda


Posted 05 June 2014 - 03:24 AM


 

Are you sure that the malicious use of the .CPP extension is done with a pure text file? Because there are many places in Windows where you can configure DLLs to be loaded, and this works with arbitrary extensions.

So FILENAME.CPP could also be a DLL.

Hi Didier,

Thanks for sharing. I myself have not seen it. If I had seen it I could have checked, but some users in some forums... Not sure whether it is running in conjunction with some other things. I mean, you know, exe and txt can both be combined using ADS/NTFS streams. Obviously, as you confirmed, a stand-alone .cpp cannot be an executable.

But I'm not sure what you mean by this: "So FILENAME.CPP could also be a DLL."?

And just like other common malware that is set to run DLL files with the aid of rundll32.dll, some users have reported that .cpp is running like that.

clt7v26j2.cpp  http://answers.microsoft.com/en-us/windows/forum/windows_7-system/rundll-error-after-logging-on/49b58c02-c9a2-410b-a4e3-136e30298446

I have dealt with DLLs attached to rundll32, and it could easily be figured out by viewing the command line using a process viewer/Task Manager.

Still haven't got any clue how these .cpp files are working...



#4 Didier Stevens


Posted 05 June 2014 - 03:29 AM


But I'm not sure what you mean by this: "So FILENAME.CPP could also be a DLL."?

I mean that the malicious file with extension .CPP is actually not a pure text file, but a DLL.

That it is masquerading as a .CPP file.

When you look at the content of the file, it is not pure text (C++ source code), but a binary executable (DLL).

DLLs are PE files, and PE files always start with the characters MZ.


Edited by Didier Stevens, 05 June 2014 - 03:30 AM.

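As an added example (not code from the thread or from any of the posters), the check Didier describes, MZ at offset 0 and then the PE signature at the offset stored in the DOS header, applied to the "arbitrary extension" point from his first reply: a few rundll32 autorun entries are triaged by what rundll32 is told to load and by what those bytes actually are. The registry locations, paths and file contents are constructed sample data; the minimal PE header the script builds is only enough for the header check and is not a loadable module.

```python
"""
Added example, not code from the forum thread: tell a genuine C++ source file
from a PE image that merely carries a .cpp extension, and apply that check to
rundll32 autorun entries. All paths, autorun locations and file contents below
are constructed sample data.
"""
import re
import struct
from pathlib import PureWindowsPath

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C          # DOS header field holding the offset of the PE header
IMAGE_FILE_DLL = 0x2000         # COFF Characteristics flag set on DLLs
# Extensions rundll32 is normally pointed at; anything else deserves a look
EXPECTED_MODULE_EXTS = {".dll", ".cpl", ".ocx", ".ax"}


def classify_file(data):
    """Return 'pe-dll', 'pe-exe', 'text', 'binary' or 'missing' for raw file bytes."""
    if data is None:
        return "missing"
    if data[:2] == MZ_MAGIC:
        if len(data) >= E_LFANEW_OFFSET + 4:
            e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
            # PE signature, then the 20-byte COFF header; Characteristics sits at +18 in it
            if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE and len(data) >= e_lfanew + 24:
                chars = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
                return "pe-dll" if chars & IMAGE_FILE_DLL else "pe-exe"
        return "binary"     # MZ stub without a usable PE header (DOS program or truncated file)
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    if any(b < 0x20 and b not in (0x09, 0x0A, 0x0D) for b in data):
        return "binary"     # control characters other than tab/newline: not source code
    return "text"


# Module argument of "rundll32[.exe] [<module>],<entrypoint>", quoted or not
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,', re.IGNORECASE)


def rundll32_module(command_line):
    """Module path rundll32 is told to load, or None if this is not a rundll32 command."""
    match = RUNDLL32_RE.search(command_line)
    return match.group(1) if match else None


def triage_autoruns(entries, read_file):
    """entries: (location, command_line) pairs; read_file(path) -> bytes or None if absent."""
    findings = []
    for location, command_line in entries:
        module = rundll32_module(command_line)
        if module is None:
            continue
        ext = PureWindowsPath(module).suffix.lower()
        kind = classify_file(read_file(module))
        if kind == "missing":
            verdict = "module missing: stale autorun, possibly left over from a removed infection"
        elif kind.startswith("pe-") and ext not in EXPECTED_MODULE_EXTS:
            verdict = f"PE image masquerading as {ext or 'no extension'}"
        elif not kind.startswith("pe-"):
            verdict = f"{kind} file: rundll32 cannot load it"
        else:
            verdict = "ok"
        findings.append({"location": location, "module": module, "ext": ext,
                         "kind": kind, "verdict": verdict})
    return findings


def build_minimal_pe(is_dll):
    """DOS header + PE signature + COFF header only: enough for header checks, not loadable."""
    e_lfanew = 0x40
    dos_header = bytearray(e_lfanew)
    dos_header[:2] = MZ_MAGIC
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, e_lfanew)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos_header) + PE_SIGNATURE + coff


# Constructed sample data: a pretend filesystem and a handful of autorun entries
SAMPLE_FILES = {
    r"C:\Users\alice\AppData\Roaming\loader.cpp": build_minimal_pe(is_dll=True),
    r"C:\Users\alice\src\hello.cpp": b'#include <cstdio>\nint main() { puts("hi"); }\n',
    r"C:\Windows\System32\shell32.dll": build_minimal_pe(is_dll=True),
}
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'rundll32.exe "C:\Users\alice\AppData\Roaming\loader.cpp",Start'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Control",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    (r"Task Scheduler\Cleanup",
     r"rundll32.exe C:\Users\alice\AppData\Local\Temp\gone.tmp,Run"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Editor",
     r'"C:\Program Files\Editor\editor.exe" C:\Users\alice\src\hello.cpp'),
]


def sample_read_file(path):
    return SAMPLE_FILES.get(path)


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_AUTORUNS, sample_read_file):
        print(f"{f['location']}\n  {f['module']} [{f['kind']}] -> {f['verdict']}")
```

On a real machine, `read_file` would be a function that opens the path with `open(path, "rb")` and returns `None` on `FileNotFoundError`, and the entries would come from the Run/RunOnce keys, Winlogon values and scheduled-task actions. The point of the content check is that the extension is never trusted: a `.cpp` whose first two bytes are `MZ` is a PE image whatever it is called, and a `.dll` that decodes as plain text is not something rundll32 can load.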


#5 H.A.V Aravinda

H.A.V Aravinda
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sri Lanka
  • Local time:07:54 PM

Posted 05 June 2014 - 03:43 AM

 

But I'm not sure what you mean by this: "So FILENAME.CPP could also be a DLL."?

I mean that the malicious file with extension .CPP is actually not a pure text file, but a DLL.
That it is masquerading as a .CPP file.
When you look at the content of the file, it is not pure text (C++ source code), but a binary executable (DLL).
DLLs are PE files, and PE files always start with the characters MZ.

 

 

Oooh, you mean the same way the old .bat malware/viruses are embedded with a DLL. Interesting thought!

 

This is an old Windows XP .bat virus copied via flash.

2rfprn4.png

 

Same way? Then the DLL can run under the .bat extension as well, just like .cpp?

 

But there, once again, I cannot figure out why it was .cpp, which is hard to run without a compiler.



#6 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,172 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:02:24 PM

Posted 05 June 2014 - 03:50 AM


But there, once again, I cannot figure out why it was .cpp, which is hard to run without a compiler.

Most likely they use a file extension "known to be safe" to avoid some antivirus products that rely on the file extension when scanning.

There are several ways malware can use to load files without meaningful file extensions. For example, it isn't uncommon to see malware that uses .tmp files to load and infect machines.


• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem from one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,750 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:24 PM

Posted 05 June 2014 - 03:54 AM

Yes, look at the MZ characters at the start of the file in Notepad.

 

C++ needs to be compiled to be executed. It is not a script (interpreted).

https://en.wikipedia.org/wiki/Interpreter_%28computing%29#Compilers_versus_interpreters




#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,750 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:24 PM

Posted 05 June 2014 - 03:57 AM

Most likely they use a file extension "known to be safe" to avoid some antivirus products that rely on the file extension when scanning.

Not all AVs consider CPP (and source code in general) as safe. I've had several occasions where my AV triggers on source code of PoC and malware.




#9 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,172 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:02:24 PM

Posted 05 June 2014 - 04:03 AM

 

Most likely they use a file extension "known to be safe" to avoid some antivirus products that rely on the file extension when scanning.

Not all AVs consider CPP (and source code in general) as safe. I've had several occasions where my AV triggers on source code of PoC and malware.

Yes, I know, and in some of them it's a setting you can change to check all files or use the file extensions for a faster scan.



 
 


#10 H.A.V Aravinda

H.A.V Aravinda
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sri Lanka
  • Local time:07:54 PM

Posted 05 June 2014 - 04:59 AM

It's very nice of you to share these details. Really awesome discussion. Thanks once again, both of you. I will dig much more, and if I find a real scenario that deals with .cpp I will share. To a great extent I got many more clues.


Edited by H.A.V Aravinda , 05 June 2014 - 05:00 AM.




