There have been a number of recent malicious programs exploiting the default behavior of Windows operating systems to hide file extensions from the user. This behavior can be used to trick users into executing malicious code by making a file appear to be something it is not.
Multiple email-borne viruses are known to exploit the fact that Microsoft Windows operating systems hide certain file extensions. The first major attack incorporating an element of file extension obfuscation was the VBS/LoveLetter worm which contained an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Other malicious programs have since incorporated similar naming schemes.
Windows operating systems contain an option to "Hide file extensions for known file types". The option is enabled by default, but a user may choose to disable this option in order to have file extensions displayed by Windows. After disabling this option, there are still some file extensions that, by default, will continue to remain hidden from the user.
There is a registry value which, if set, will cause Windows to hide certain file extensions regardless of user configuration choices elsewhere in the operating system. The "NeverShowExt" registry value is used to hide the extensions for basic Windows file types. For example, the ".LNK" extension associated with Windows shortcuts remains hidden even after a user has turned off the option to hide extensions.
We have seen attacks which leverage file extensions that are, by default, hidden using the "NeverShowExt" registry value. One such extension, ".SHS", is associated with Shell Scrap Object files. SHS files are typically associated with OLE objects and can include executable contents. Reports indicate that SHS files are being used to distribute malicious code in email attachments. One recent example is a malicious VBScript program wrapped in a Shell Scrap Object file that is sent as an email file attachment named "LIFE_STAGES.TXT.SHS".
Users can be tricked into opening a file that appears to be something it is not. A file that appears to be innocent based on it's viewable file name may contain malicious executable code.
In an environment where file types are mapped to functionality by the extension used in the file name, it is important for the user to know the complete and unobfuscated file name in the course of making informed decisions impacting security.
The CERT/CC encourages sites to evaluate the following suggested steps against security and usability policies at your site. To configure Windows operating systems to display entire and complete file names for all files to the user:
Windows 9x and Windows NT 4.0:
Authors: Brian King, Kevin Houle