Tip

SSCP Domain 7: Malicious code -- Blocking file extensions

Customers may not know the difference between a virus and a worm, but understanding the different types of malware will help you protect their systems -- and pass the SSCP certification exam. This

    Requires Free Membership to View

excerpt, from the Official (ISC)²® Guide to the SSCP® CBK® Domain 7: Malicious Code, by Diana-Lynn Contesti, takes a look at double file extensions. Download the full Domain as a PDF to learn about the different types of malware and their payloads.

Viruses, worms and Trojan horses all make use of the double file extension. The Windows operating systems allows the creation of files names with a number of spaces in it. This trick is intended to fool users into believing that the file they are viewing cannot be executed. as in this example:

PLAIN.TXT.EXE

The .EXE at the end of the spaces, makes the program executable. Unfortunately in e-mail, users will only see the .TXT and potentially believe that the file is simply a Text file. This is why much has been done to educate users on not running e-mail attachments.

As a number of file extensions can be used to deliver or contain malicious code, it is recommended that the administrators block specific File Extensions at the Firewall. Table 7.3 is a partial list of suggested file extensions that should be blocked.

It is difficult for end users to understand all the file extensions that can be used and those that may be considered dangerous or Executable. Therefore, it is a good idea to develop a list of extensions that will be blocked at the Firewall by default. Every organization is unique and the list that is correct for one organization may not be correct for another. It is a good idea to educate users on some of the basic file extensions that you may not be able to block (i.e., .EXE, .PIF, .SCR, .COM).

A complete list of file extensions and their meanings is available at The File Extension Source; also view Every File Extension in the World from WhatIs.com.

Table 7.3 A Partial List of File Extensions That Should Be Blocked

File Extension Descriptions
.API
Acrobat Plug-in
Used to view Adobe Acrobat files
.BAT
Batch processing file
Used to execute a series of commands in a sequential order
.BPL
Borland package libraries
Used in programs developed with the Delphi software language
.CHM
Compiled HTML Help file
Could include a link that would download and execute malicious code
.COM
Command File
Contains scripts and executables for DOS or Windows
.DLL
Dynamic Link Library
Executable code that is shared by other programs on the system
.DRV
Device Driver
Used to extend the hardware support of a Windows machine
.EXE
Windows binary executable program
.OCX
Object linking and embedding (OLE) control
Used to orchestrate the interaction of several programs on a Windows machine
.PIF
Program Information File
Used to tell windows how to run non-Windows applications
.SCR
Screen saver programs
Includes binary executable code
.SYS
System configuration file
Used to establish system settings
.VB
Visual Basic® files (VBE and VBS)
Used to script in visual basic which is built into many Windows-based machines
.WSH
Windows Script Host Settings File
Used to configure the script interpreter program on Windows machines

Official (ISC)²® Guide to the SSCP® CBK®
By Diana-Lynn Contesti, Douglas Andre, Eric Waxvik, Paul A. Henry, Bonnie A. Goins
Published by (ISC)2 Press
ISBN # 9780849327742; Copyright 2007; Pages: 573; Edition: 1st

Chapter: Domain 7: Malicious Code
By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, SSCP


This was first published in August 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.