Hiding Windows File Extensions Could Be Risky

plat

"Microsoft hides file extensions in Windows by default even though it's a security risk that is commonly abused by phishing emails and malware distributors to trick people into opening malicious files.

A file extension is the letters immediately shown after the last period in a file name and is used by the operating system to determine what program is used to open, view, and utilize the file.

For example, the file report.txt has an extension of .txt, which is associated with the Windows Notepad program to open and view its contents.

By default, Microsoft decides to hide file extensions in Windows so that a file named 'report.txt' is simply shown in File Explorer as 'report'.

The original reason for this was probably to make it less confusing to users, but regardless of the reason, it is a security risk that attackers abuse.

Windows default settings abused by attackers
To illustrate how the hiding of file extensions is a security risk, let's take a look at the following folder containing two files.

With file extensions disabled, they look like the same PDF file as they both have the same name and the same icon.

File extensions are hidden in Windows


If we enable extensions, though, we quickly see that these are two different files with one being a PDF as expected, but the other being an executable file that uses a PDF icon.

File extensions are now enabled


In this case, the malware executable purposely used the PDF icon normally shown by Adobe Reader to trick users who have file extensions disabled into thinking that it is a PDF file.

This is not to say strange PDFs you receive via email cannot be a risk, but receiving executables disguised as PDFs should definitely raise more alarms."

......
 

TairikuOkami

I don't understand why this default setting is inherited.
Because by renaming the file, people tend to remove the extension as well, thus rendering the file "broken". IT support would love it. o_O

P.S.: As @Andy Ful once said, you can also use spaces to somewhat hide the extension.
 


Local Host

I don't understand why this default setting is inherited. In general, many users judge by the icon, and I think people who care about the file extension don't like to hide it. :unsure:
Microsoft always took convenience over security; showing extensions by default would confuse casual users (not to mention what @TairikuOkami said).

I also doubt the majority are using image view (as detailed view is the default one, and shows the extension in one of the tabs).
 

BVLon

I go as far as saying that any program containing logic that changes this setting should be deemed malware, without any further analysis. I don't even know why Windows has the option to hide file extensions; it doesn't make too much sense. MS will sooner or later remove it.
In addition, rules should be created for behavioural blockers to detect anything that has media icons (Adobe Reader, MS Office, etc.) but its extension is *.exe.
Bitdefender BHAVE actually got this rule.
 

BVLon

Can you elaborate on this? How does it work? If such a file is executed, then Bitdefender would block it?
Some of you may already have forgotten Bitdefender Heuristic Analyses in Virtual Environment as it's been removed from the UI now. It is a highly-effective heuristic engine, that was capable of blocking 70-80% of malware alone, when others could barely get 10-20. Of course, those were the old times.
Whitepapers point out that the system checks the icons as well and is able to recognise when an executable is pretending to be a known Windows file (spoofing) or a media file. Bitdefender has not elaborated any further how the technology works, but we can safely assume it's got a database of icons and some sort of image similarity algorithm. So yes, as this icon is 1:1 with the Adobe Reader's original icon, it has not even been resized or touched somehow, Bitdefender will be able to block the "pdf" without any further analysis.
 

Local Host

Some of you may already have forgotten Bitdefender Heuristic Analyses in Virtual Environment as it's been removed from the UI now. It is a highly-effective heuristic engine, that was capable of blocking 70-80% of malware alone, when others could barely get 10-20. Of course, those were the old times.
Whitepapers point out that the system checks the icons as well and is able to recognise when an executable is pretending to be a known Windows file (spoofing) or a media file. Bitdefender has not elaborated any further how the technology works, but we can safely assume it's got a database of icons and some sort of image similarity algorithm. So yes, as this icon is 1:1 with the Adobe Reader's original icon, it has not even been resized or touched somehow, Bitdefender will be able to block the "pdf" without any further analysis.
An icon database doesn't make any sense; it is way easier to detect multiple extensions and warn the user, much like what Kaspersky does.
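
Editor's added example, not part of any post in this thread and not any vendor's actual rule: a file-name check for the two cases discussed above, a document extension in front of an executable one and space padding before the real extension. The extension lists and function names are constructed assumptions.

```python
import re

# Constructed sample lists (assumptions, not exhaustive): types Windows runs
# directly, and types users read as harmless documents or media.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".mp4"}


def split_ext(name):
    """Split at the last period, the rule the quoted article describes."""
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext.lower()) if dot and stem else (name, "")


def shown_when_hidden(name):
    """Name as listed when the extension is hidden (assumes a registered type)."""
    return split_ext(name)[0]


def deceptive_name_findings(name):
    """Return the reasons a file name could mislead a user; empty list if none."""
    stem, ext = split_ext(name)
    if ext not in EXECUTABLE_EXTS:
        return []
    findings = []
    # "report.pdf.exe" is listed as "report.pdf" when extensions are hidden.
    if split_ext(stem.rstrip())[1] in DOCUMENT_EXTS:
        findings.append("double-extension")
    # Padding before the real extension pushes it out of the visible column.
    if stem != stem.rstrip() or re.search(r"\s{3,}", stem):
        findings.append("whitespace-padding")
    return findings


def scan(names):
    """Map each flagged name to (what the user sees, findings)."""
    flagged = {}
    for name in names:
        findings = deceptive_name_findings(name)
        if findings:
            flagged[name] = (shown_when_hidden(name), findings)
    return flagged


if __name__ == "__main__":
    # Constructed file names for illustration.
    sample = ["report.pdf", "report.pdf.exe", "invoice" + " " * 40 + ".scr", "setup.exe"]
    for name, (shown, why) in scan(sample).items():
        print(f"{name!r} shown as {shown!r}: {', '.join(why)}")
```

A name-based check like this says nothing about the icon a file carries, so it complements rather than replaces the icon comparison described earlier in the thread.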
 
