Transferring files from an "infected" computer to one without an antivirus
15 replies to this topic

#1 rp88


Posted 25 October 2014 - 12:23 PM

This is a semi-theoretical question but I could use having an answer to it. Imagine the following setup:

computer a) this is infected with any and every infection you care to imagine; it still boots up and technically works and the files haven't been encrypted, but for the sake of argument it's got every virus that exists.

computer b) this is an old machine, something like XP, which hasn't been online for months, and won't ever go online again. Technically you might say it had an antivirus, but given XP is an old, unsupported and vulnerable OS, and given that the antivirus has not had a definitions update for many, many months, it might as well have no antivirus.

Now a user wants to copy files from computer A to computer B, in such a way that there is no risk of the virus being spread to computer B. The files are a wide range of things (including some which are opened by programs which have vulnerabilities in them) but none of them are .exe files. Computer B can NEVER go online, even just to open a gmail account and download files from there. Computer A is, as we've said, infected but still capable of normal operation. It will happily write files to USB or CD, but who knows if it's writing virus files alongside them at the same time. Use of a third or fourth machine is not allowed. How can the user transfer the files

(.jpg, .avi, .png, .gif, .tga, .skp, .skb, .blend, .blend1, .blend2, .obj, .dae, .tga, .xcf, .doc, .docx, .7z, .zip, .mpg, .wmv, .txt, .ppt, .pptx, .pdf, .pub, .rtf, .html, .rar)

between the machines without risking the virus going along for the ride, either hidden within a file or on the transfer medium?

Why do I ask this: as far as I know neither of my computers is infected, but my XP machine is old, hasn't gone online since before the end-of-support date and doesn't have up-to-date definitions for its antivirus, nor does it have its programs updated; some of those programs have been found to have vulnerabilities since the end-of-support date. The (Windows 8) machine with the files on should be clean, but given the circumstances it is better to treat it as infected so that on the very small chance that it is, copying the files over won't give the infection to the old machine. It might be a little paranoid to think like this, but for these purposes treating the new machine as if it were infected is the best way to ensure security throughout the copying process. What is the most risk-free way of copying files across under the circumstances I have described? It's also kind of useful to know this in case anything ever goes really wrong in future.



Thanks

Edited by rp88, 25 October 2014 - 12:24 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB


#2 Didier Stevens


Posted 25 October 2014 - 04:23 PM

I make regular backups. If I were in a case like yours, I would recover the files from my backup, not from the infected computer.

But say I don't have backups. This is what I would do:

1) boot the infected PC from a Live Windows CD

2) calculate a cryptographic hash (MD5) of all the files I want to copy. I have a tool that does this (and a lot more, for example, it inspects the start of the file to detect the true file type): FileScanner http://blog.didierstevens.com/2014/09/18/filescanner-exe-part-4/

3) search VirusTotal with the MD5s I calculated. I also have a tool for this: virustotal-search http://blog.didierstevens.com/programs/virustotal-tools/

4) then I would copy all files known by VirusTotal and with a detection rate of zero to a USB drive, and then connect that to another PC

5) now I'm left with files that a) are not known by VirusTotal or b) are reported to be infected by VirusTotal

For files of case a, I can submit them to VirusTotal with another tool (virustotal-submit), provided I don't consider them to be private data.

For files of case b, I would need to decide which files I really need to recover, and would then use my malware analysis skills to check each file.

Now, aside from backups, I also run regular scans with my FileScanner tool, to have a baseline with MD5s.

If I have an infection, then all files which have not changed (i.e. the MD5 is identical) are considered safe.


Edited by Didier Stevens, 25 October 2014 - 04:25 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
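The five-step procedure above, as an added example written for this page (illustrative Python, not Didier Stevens' FileScanner or virustotal-search tools). It walks a directory tree, records MD5 and SHA-256 alongside the file type implied by the first bytes, clears files whose hash still matches a pre-infection baseline manifest without uploading anything, and routes the rest through a hash lookup that is passed in as a function so the example runs offline. The magic-byte table, the sample files, the baseline and the lookup table are all constructed; in real use the lookup would call VirusTotal's hash search, and the tree would be read from the infected disk after booting a live CD, not from the running operating system.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Magic-byte table. Assumption: a hand-picked subset covering the formats in the thread;
# a real scanner carries a far longer list.
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also docx/pptx (OOXML is a zip)
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # .doc/.xls/.ppt and thumbs.db
    (b"BLENDER", "blend"),
    (b"MZ", "exe"),                                  # PE executable, whatever the name says
]

def sniff_type(head):
    """Type implied by the first bytes, independent of the file extension."""
    for sig, name in MAGIC:
        if head.startswith(sig):
            return name
    return "unknown"

def scan_tree(root):
    """Manifest {relative path: {md5, sha256, size, sniffed}} for every file under root.
    MD5 matches the thread's tooling; SHA-256 is recorded too, since VirusTotal accepts
    either and only SHA-256 is collision resistant."""
    manifest = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        md5, sha = hashlib.md5(), hashlib.sha256()
        with path.open("rb") as fh:
            head = fh.read(16)
            md5.update(head)
            sha.update(head)
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                md5.update(chunk)
                sha.update(chunk)
        manifest[path.relative_to(root).as_posix()] = {
            "md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "size": path.stat().st_size, "sniffed": sniff_type(head),
        }
    return manifest

def triage(current, baseline, lookup):
    """Verdict per file. 'unchanged': hash equals the pre-infection baseline, cleared with
    no upload at all. Otherwise lookup(sha256) returns a detection count or None:
    0 -> 'clean', >0 -> 'detected', None -> 'unknown' (hold; submit only if not private).
    Anything carrying a PE header is 'executable' regardless of what the hash says."""
    verdicts = {}
    for rel, info in current.items():
        if info["sniffed"] == "exe":
            verdicts[rel] = "executable"
        elif rel in baseline and baseline[rel]["sha256"] == info["sha256"]:
            verdicts[rel] = "unchanged"
        else:
            hits = lookup(info["sha256"])
            verdicts[rel] = "unknown" if hits is None else ("clean" if hits == 0 else "detected")
    return verdicts

def demo():
    """Constructed tree, baseline and lookup table standing in for a real scan."""
    tmp = Path(tempfile.mkdtemp())
    files = {
        "photos/a.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,   # in the baseline, untouched
        "notes/todo.txt": b"buy milk\n",                        # new, never seen by the lookup
        "models/cube.obj": b"v 0 0 0\n",                        # new, lookup knows it with 0 hits
        "photos/b.png": b"MZ\x90\x00" + b"\x00" * 64,           # PE wearing a .png extension
    }
    for rel, data in files.items():
        (tmp / rel).parent.mkdir(parents=True, exist_ok=True)
        (tmp / rel).write_bytes(data)
    current = scan_tree(tmp)
    # Baseline as periodic FileScanner-style scans would have left it (constructed here).
    baseline_json = json.dumps({"photos/a.jpg": current["photos/a.jpg"]})
    # Stand-in for VirusTotal's hash lookup (constructed): {sha256: detection count}.
    known = {current["models/cube.obj"]["sha256"]: 0}
    return triage(current, json.loads(baseline_json), known.get)
```

Files with verdict unchanged or clean are the ones step 4 copies; unknown ones go to step 5a (submit only if not private) and detected ones to 5b. A PE header under a .png name gets its own verdict because a hash lookup says nothing about a file nobody has seen before.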


#3 rp88


Posted 25 October 2014 - 05:13 PM

I can see the sense in trying a VirusTotal upload before copying anything onto transfer media, thanks for that idea. I am assuming that your mention of taking hashes is merely so you can do the process more quickly and with less data bandwidth used than if you uploaded each file to VirusTotal one by one. But doesn't VirusTotal work purely on "blacklist" style principles and simply report detections on files whose hash is recognised as the same as a previously known infected file? VirusTotal wouldn't report anything if some Word document, PDF, jpg image, avi video or other file that you had yourself created had been on your machine and then modified by the virus when the virus arrived. That means that, as the only copy of that particular file IN THE WORLD would be the one on your hard drive, VirusTotal could never find a matching hash to compare with.

As for live CDs, I don't really know much about them.

As for the transfer medium, would a USB or CD-RW be safer, or are both identical for these purposes? I know an infected file is an infected file whatever media it is on, and a clean file is a clean file whatever media it is on, but USBs can have their "hardware" infected and autorun files added and such (new USB drives always take a second to do some sort of "installing" when you plug them into a computer, even if you have disabled the standard autorun feature). Can CD-RW discs suffer the same sort of autorun or "hardware" infections?

#4 Didier Stevens


Posted 25 October 2014 - 05:23 PM

Not only do I search for hashes because then I don't have to wait for the file to upload, but I'm also sure I'm not uploading my private data files to VirusTotal.

And yes, a file that is modified by a virus has changed and thus has a different cryptographic hash. So it's likely not present in the VirusTotal database.

That is why I mentioned step 5).

 

The reason for using a live CD is to stop all malware from running. You said the PC was infected, i.e. that malware is active on it.

I don't want malware to interfere with the scanning and copy process, so I boot from a live CD. This way, the original operating system doesn't boot and the malwares on it don't run.




#5 quietman7


Posted 26 October 2014 - 08:18 AM

IMO...the safest practice is not to restore any executable files (*.exe), screensavers (*.scr), dynamic link library (*.dll), .ini, .bat, .com, .cmd, .msi, .pif, or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid restoring compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension, as shown here (Figure 1), so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#6 rp88


Posted 26 October 2014 - 09:40 AM

And with the file types listed, or with zips that contain only the listed (in my list in the first post of this thread) file types? When malware penetrates a zip file, would it just add a malicious exe within it, in such a way that the zip file would be safe to be opened and the other stuff copied out as long as the nasty exe wasn't touched, or would it get into and modify all the non-executable stuff contained within the zip in such a way that opening and copying out even something like a .jpg would be enough to infect you? I've spent my whole life with full file extensions shown on Windows and never intend to change that.

#7 Didier Stevens


Posted 26 October 2014 - 09:43 AM

> when malware penetrates a zip file would it just add a malicious exe within it, in such a way that the zip file would be safe to be opened and the other stuff copied out as long as the nasty exe wasn't touched, or would it get into and modify all the non-executable stuff contained within the zip in such a way that opening and copying out even something like a .jpg would be enough to infect you?

 

Both can be done by malware: altering a zip file by adding files or by changing files (inside the archive).


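The extension tricks quietman7 lists (double extensions, padding spaces, hidden extensions) and the two ways Didier Stevens says malware can alter an archive (adding a member, changing a member in place), covered by one added example written for this page rather than code from either poster. It flags suspicious member names, including the Unicode right-to-left override that reverses the visible extension, and inspects a zip in memory, decompressing only the first two bytes of each member to look for a PE header. The extension list and the sample archive are constructed.

```python
import io
import zipfile

# Extensions Windows will execute or script-run. Assumption: a hand-picked list, not exhaustive.
EXEC_EXTS = {"exe", "scr", "dll", "com", "bat", "cmd", "msi", "pif",
             "vbs", "vbe", "js", "jse", "wsf", "hta", "ps1", "lnk"}
# Unicode bidi controls: "holiday\u202egpj.exe" is rendered as "holidayexe.jpg".
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

def name_findings(name):
    """Why a file name deserves a second look; an empty list means nothing odd."""
    findings = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if any(c in BIDI_CONTROLS for c in base):
        findings.append("bidi override character in name")
        base = "".join(c for c in base if c not in BIDI_CONTROLS)   # judge the real name
    parts = base.split(".")
    if len(parts) < 2:
        return findings
    final = parts[-1].strip().lower()
    if final in EXEC_EXTS:
        findings.append(f"executable extension .{final}")
        if len(parts) > 2:
            findings.append(f"double extension: .{parts[-2].strip().lower()} before .{final}")
    if parts[-2] != parts[-2].rstrip() or parts[-1] != parts[-1].strip():
        findings.append("whitespace padding around extension")
    return findings

def inspect_zip(data):
    """Findings per member of an in-memory zip. Only the first two bytes of each member
    are decompressed (enough for a PE 'MZ' check), so a decompression bomb stays harmless
    and nothing is written to disk."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = name_findings(info.filename)
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE header inside member, regardless of extension")
            report[info.filename] = reasons
    return report

def build_sample_zip():
    """Constructed archive standing in for a zip the infected machine may have touched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photos/holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("docs/readme.txt", b"just text\n")
        zf.writestr("docs/invoice.pdf                .exe", b"MZ\x90\x00" + b"\x00" * 32)  # added
        zf.writestr("photos/cute.jpg", b"MZ\x90\x00" + b"\x00" * 32)  # replaced in place
    return buf.getvalue()
```

Only zip is handled because the standard library reads it; .7z and .rar need third-party modules (py7zr, rarfile), and a password-protected .7z cannot be inspected at all without the password. The name check is a heuristic: a member whose name and header both look right can still be a malformed document aimed at the program that opens it, which is why the thread's answer for changed files stays "analyse or drop" rather than "rename and copy".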


#8 rp88


Posted 08 December 2014 - 08:59 PM

Regarding this matter, I'm planning to transfer some files across from my Windows 8 computer to my XP computer (air gapped) soon. I have already written 3 identical CD-RW discs with the files (jpg, png, blend, dae, obj, mtl, skp, skb, zip, 7z, txt) on them from when I booted up the Windows 8 computer just after a system "reinstall" from a system image.

I'm thinking that if I can confirm one of those discs is utterly clean of infections I therefore know the other two, all burnt within minutes of each other, must also be clean. None of the three discs have been inserted into any machine since creation, so as when I was writing them the computer was offline and I didn't open any files or programs during the time from starting writing the first disc to ejecting the last, they are either all clean or all equally infected.

Before I insert one of them into my XP machine, how can I fully confirm, using any of the other two discs, that there are no infections on it, either infections which are in the disc's "firmware" (I know this can happen with USB sticks so guess equivalents occur with CD discs), infections set to autorun, exe files sneakily hidden on the discs or infections invading the jpg, png, blend, skp, skb, obj, mtl, dae, txt, zip, 7z files on the discs?

I know this sounds a little paranoid (I don't have any reason to currently think my Windows 8 machine has an infection, but I'm breaching an air gap here so want to make sure that the disc has nothing malicious on it), but I'm breaching an air gap so want to make sure that the disc going to the otherwise fully unconnected XP machine is not in any way infected. The zip and 7z files are on all the discs, but I could, when inserting the disc in the XP machine, just copy over the folders with the blend, jpg, skp, skb, png, mtl, dae, txt, obj files in them. The zip and 7z archives don't contain anything which isn't already in a folder on the discs.

Also what about "thumbs.db" files? They appear sometimes when folders are copied to places. Should I copy files individually one by one (rather than copying whole folders) from the disc onto the XP machine to avoid this risk, or are the thumbs.db files which appear in folders not something that can be carriers for malware, or can thumbs.db files cause infections even if you don't open them or copy them across?

You might not have heard of some of the formats, although others are very common; to clarify, they are:
.blend this is a 3D model file used by Blender
.skp this is a 3D model file used by SketchUp
.skb this is much like an skp file but acts as a sort of backup; they carry information about a previous version of an skp file, so if you make a change you regret in SketchUp and save the altered file you can open the skb file to revert to the previous version.
.dae this is a 3D format which can import into both Blender and SketchUp
.obj this is a 3D model file that can import into Blender and many other 3D programs
.mtl this is a file accompanying an obj file which tells the obj file where textures are saved

and the very common file formats are

.jpg and .png image file types, can be used as normal images but also used as textures in Blender and for obj and dae files
.txt just a normal text file, opens with Notepad
.zip archive format for containing folders
.7z another archive format, these can be encrypted so a password is needed to open them
Thanks

Edited by rp88, 08 December 2014 - 09:02 PM.


#9 Didier Stevens


Posted 09 December 2014 - 01:51 PM

There is no need to copy the thumbs.db files. They cache the thumbnail views, and will be regenerated when needed.




#10 rp88


Posted 09 December 2014 - 02:44 PM

They are already on the disc; would it be harmful if they were amongst the files I copy from the disc to a folder on the XP machine when I insert the disc? Should I just copy each file on the disc individually into new folders when I insert the disc into the XP machine, to avoid any of the thumbs.db files being copied from the disc onto the XP machine? Can this file type carry infections?

Thanks

Edited by rp88, 09 December 2014 - 02:44 PM.


#11 Didier Stevens


Posted 09 December 2014 - 03:44 PM

Actually, I don't know. I haven't looked into the structure of thumbs.db files. But it would surprise me if they contained executable code, e.g. that they could be infected.

So just copy them.




#12 Didier Stevens


Posted 09 December 2014 - 03:55 PM

I just took a look at one of my thumbs.db files. It actually uses the OLE file format (the same used by .doc, .xls, ...).

So in theory, it can contain anything, but explorer.exe only looks for thumb images.




#13 rp88


Posted 10 December 2014 - 10:33 AM

"but explorer.exe only looks for thumb images."

So Thumbs.db files can carry anything but the only type of content that is used when a program opens them is any images stored within. Therefore ,unless an attacker can develop a way to hide executing code within an image which will execute when the image is seen from the explorer.exe file browser, thumbs.db files can't carry viruses?
As i siad the thumbs.db files are already on the disc so will be "used" by explorer.exe as soon as i open a folder on the disc to copy files from the cd-rw onto the xp machine.

Edited by rp88, 10 December 2014 - 10:33 AM.


#14 Didier Stevens


Posted 10 December 2014 - 04:42 PM

Correct, the file format used for thumbs.db is very versatile. http://en.wikipedia.org/wiki/Compound_File_Binary_Format


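A thumbs.db being an OLE (Compound File Binary) container, as the last two replies say, means the file is a small file system of named streams, and Explorer reads only the ones it expects. The following added example (written for this page, not code from any poster, and not a complete CFB implementation) parses the header, FAT and directory tree of such a file and lists every stream, so a stream Explorer would never look at still shows up. The sample file is built in code and is not a real thumbs.db, and the assumption that an XP thumbs.db carries only a Catalog stream plus numerically named thumbnail streams is mine.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
TYPES = {1: "storage", 2: "stream", 5: "root"}

def list_entries(blob):
    """[(name, type, size)] for every directory entry reachable from the root.
    Sector size comes from the header (512 for v3, 4096 for v4). Only the 109 FAT
    sectors listed in the header are used, which covers files up to about 7 MB; larger
    files chain further DIFAT sectors that this lister does not follow."""
    if blob[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    sec = 1 << struct.unpack_from("<H", blob, 30)[0]
    n_fat, first_dir = struct.unpack_from("<II", blob, 44)
    fat = []
    for s in struct.unpack_from("<109I", blob, 76)[:n_fat]:
        fat.extend(struct.unpack_from(f"<{sec // 4}I", blob, sec * (s + 1)))
    entries, s, seen = [], first_dir, set()
    while s != ENDOFCHAIN and s not in seen:          # directory sector chain, loop-safe
        seen.add(s)
        for i in range(sec // 128):
            e = blob[sec * (s + 1) + i * 128:][:128]
            name_len, etype = struct.unpack_from("<HB", e, 64)
            left, right, child = struct.unpack_from("<III", e, 68)
            size = struct.unpack_from("<Q", e, 120)[0]
            if sec == 512:
                size &= 0xFFFFFFFF                    # v3 only defines the low 32 bits
            name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            entries.append((name, etype, left, right, child, size))
        s = fat[s]
    result, visited = [], set()
    def walk(idx):                                    # red-black tree walk, cycle-safe
        if idx == NOSTREAM or idx >= len(entries) or idx in visited:
            return
        visited.add(idx)
        name, etype, left, right, child, size = entries[idx]
        if etype in TYPES:
            result.append((name, TYPES[etype], size))
            walk(left); walk(child); walk(right)
    walk(0)
    return result

def unexpected_streams(entries):
    """Streams an XP-era thumbs.db has no business carrying. Assumption: Explorer's own
    layout is a 'Catalog' stream plus numerically named (reversed-index) thumbnail streams."""
    return [n for n, t, _ in entries if t == "stream" and n != "Catalog" and not n.isdigit()]

def build_sample(streams):
    """Constructed minimal v3 compound file: sector 0 = FAT, sector 1 = directory, then one
    sector per stream payload (at most three streams fit one directory sector). It mimics
    only the container, not a real thumbs.db."""
    assert len(streams) <= 3
    sec, n = 512, len(streams)
    hdr = bytearray(sec)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)    # versions, byte order, shifts
    struct.pack_into("<III", hdr, 40, 0, 1, 1)                   # dir sectors (v3: 0), FAT count, first dir
    struct.pack_into("<I", hdr, 56, 0x1000)                      # mini-stream cutoff
    struct.pack_into("<IIII", hdr, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))   # DIFAT: the FAT is sector 0
    fat = [FATSECT, ENDOFCHAIN] + [ENDOFCHAIN] * n
    fat_sec = struct.pack(f"<{sec // 4}I", *(fat + [FREESECT] * (sec // 4 - len(fat))))

    def entry(name, etype, right, child, start, size):
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 64, len(raw), etype, 1, NOSTREAM, right, child)
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    dirs = entry("Root Entry", 5, NOSTREAM, 1 if n else NOSTREAM, ENDOFCHAIN, 0)
    for i, (name, payload) in enumerate(streams):      # siblings chained to the right
        dirs += entry(name, 2, i + 2 if i + 1 < n else NOSTREAM, NOSTREAM, 2 + i, len(payload))
    return bytes(hdr) + fat_sec + dirs.ljust(sec, b"\x00") + b"".join(p.ljust(sec, b"\x00") for _, p in streams)
```

The lister follows only the FAT sectors named in the header and never reads stream contents or the mini stream, which is all that enumerating names and sizes needs; the third-party olefile module does the full job where it is available. A stream beyond the expected set is not proof of malware, but it is a reason not to let Explorer open the folder in thumbnail view before the file has been looked at.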


#15 Crazy Cat


Posted 10 December 2014 - 07:46 PM

http://www.sitepoint.com/switch-off-thumbs-db-in-windows/


Thumbs.db as malware.

Thumbs.db.exe (3e0fe07e5b9c54a954f8a6634c40a283) https://forums.malwarebytes.org/index.php?/topic/93015-thumbsdbexe/
http://www.2-spyware.com/file-thumbs-db.html
https://www.f-secure.com/v-descs/trojan_js_agent_jp.shtml
Thumbs.db PHP file [malware analysis] https://www.osirt.com/2011/07/thumbs-db-php-file-malware-analysis/
Location of Thumbs.db and Associated Malware. http://www.exterminate-it.com/malpedia/file/thumbs.db


Thumbs.db Viewer. http://thumbs-db-viewer.soft112.com/download.html

Thumbs.db Viewer was written to give the computer user tools to reconstruct Thumbs.db, ehthumbs.db, thumbcache_*.db (Windows Vista, Windows 7) and iconcache_*.db (Windows 8) database records. Thumbs.db is a hidden system file generated automatically by Windows when you view the contents of a folder in "Thumbnail" or "Filmstrip" view. Thumbs.db contains a copy of each of the tiny preview images generated for image files in that folder so that they load up quickly the next time you browse that folder.
Thumbs.db is actually a database of the miniature images that exist in the folder from which they were initiated. The early versions of Thumbs.db files as they appeared in Windows ME/W2k contained not only the thumbnail image of the parent file, but also the filename, drive letter, and path to that image. Later versions, Windows XP, store the image and its filename but not the path. In Windows Vista/7/8 the Thumbs.db file has been replaced by several "thumbcache_*.db" files which are now located within the user's profile.
Deleting the Thumbs.db file in Windows has no effect on your operating system: the Thumbs.db file is recreated in each folder each time you view thumbnails.
Even though the images have been deleted in the folder they could still exist in the Thumbs.db file along with their modification dates.
Thumbs.db Viewer allows displaying Thumbs.db (thumbcache_*.db, iconcache_*.db) database records as well as the miniature graphics generated in each (with metadata: original file name and timestamp); collects all the thumbcache files in and below the specified folder; searches the Recycle Bin for deleted thumbcache files; extracts and views all or selected pictures as HTML representations; views with an external image viewer any of the original files corresponding to a thumbnail's metadata stored in a Thumbs.db (if it exists); views the image in full size or as the best fit for the program's window; rotates images; the program can search swap and hibernation files for a JPG
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.
