Still more creative uses for CAPTCHA

re: Still more creative uses for CAPTCHA

Jack Mathews — Tue, 16 Mar 2004 14:52:00 GMT

Actually, a virus checker could just get the ZIP header, so I think they're just checking the headers for common file names and sizes. But that could easily be fixed with randomness.

I think it's really funny how people are going more and more out of their way to damage their own computers. Soon viruses'll be asking people to forward the email, run to the supermarket, pick up some milk, and pour it inside their PC's. And 2 million people will do it the next day.

Raymond comments on viruses

Hurricane Blog — Tue, 16 Mar 2004 18:11:00 GMT

One of my favorite bloggers, Raymond Chen, posted this entry that is related to spam and viruses. Lke all of Raymond's posts, he provides some interesting insights into the problems we face as programmers....

re: Still more creative uses for CAPTCHA

Henk devos — Tue, 16 Mar 2004 15:32:00 GMT

I don't really see why virus scanners need the password.
They should scan the files that are generated after unzipping instead, before they can get executed.

re: Still more creative uses for CAPTCHA

Raymond Chen — Tue, 16 Mar 2004 15:38:00 GMT

But how can a scanner unzip the file if it doesn't have the password?

re: Still more creative uses for CAPTCHA

SteveM — Tue, 16 Mar 2004 15:43:00 GMT

The scanner doesn't have to unzip the file.
It just waits until stupid Joe User unzips the file, THEN checks it for viruses.

re: Still more creative uses for CAPTCHA

Raymond Chen — Tue, 16 Mar 2004 15:49:00 GMT

Oh you're thinking about a scanner that runs on the end-user's machine. I'm thinking about a scanner that runs on the mail server. (ISPs can scan mail at the server but it can't do anything about the end-user's computer.)

re: Still more creative uses for CAPTCHA

SteveM — Tue, 16 Mar 2004 15:53:00 GMT

Ah - that would be me thinking small!
Sorry Raymond, you're quite right of course. I'll leave answering that question to someone much cleverer than me :-)

re: Still more creative uses for CAPTCHA

Edward — Tue, 16 Mar 2004 16:11:00 GMT

I thought the standard zip encryption was quite trivial to crack. A bit more load on the mail server but then it could look inside the zip files without having to locate the password. There are loads of shareware apps that claim to be able to find the passwords for zip files so it can't be that hard.

re: Still more creative uses for CAPTCHA

Rob Meyer — Tue, 16 Mar 2004 16:23:00 GMT

It's a weak encryption algorithm, especially when trying to decode a particular zip file when you might know some of the contents, but in general it would probably take more time than a mail server has to spend on each message. That would then also create a denial of service attack against the email server, by sending lots and lots of small password protected zipfile attachments (particularly if it also tried to decrypt the bounce backs).

Other name for CAPTCHA

Dumky — Tue, 16 Mar 2004 17:40:00 GMT

Another name for the common CAPTCHAs is HIP, Human Interactive Proof. It's easier to remember and type correctly, but obviously is more ambiguous when searched on Google...

re: Still more creative uses for CAPTCHA

Mike Dunn — Tue, 16 Mar 2004 18:24:00 GMT

Build an idiot-proof system, and tomorrow someone will build a better idiot ;)

re: Still more creative uses for CAPTCHA

Tue, 16 Mar 2004 19:37:00 GMT

I got this email virus the other day, thought you might enjoy it:

SUBJECT: Mexican Virus Alert

BUENOS DIAS!!
JOU HAVE YUST RECEIVED A MEHICAN COMPUTER BIRUS!!!!!
SINCE WE ARE NOT SO TECHNOLOGICALLY ADVANCED
IN MEHICO, DIS IS A MANUAL BIRUS.

FIRST SEND THIS E-MAIL TO EVERYONE JOU KNOW,
THEN DELETE ALL THE FILES ON JOUR HARD DRIVE.

TANK JOU FOR YELPING ME.

JULIO MANUEL GARCIA - HACKER PRIMERO

re: Still more creative uses for CAPTCHA

Centaur — Tue, 16 Mar 2004 20:34:00 GMT

Shows the uselessness of antiviruses. If your head works well, you don’t need an antivirus; if it doesn’t, none will help.

Actually, recall the recent epidemy of Novarg. It doesn’t come with an IFrame.Download exploit to autostart itself; it doesn’t exploit a WinZip vulnerability; it… it cannot do anything by itself, you have to actively assist it in infecting your machine. But no — certain users have not yet matured to an age when they no longer take everything they pick up to their mouth. And then the toilet is occupied for the whole day :)

re: Still more creative uses for CAPTCHA

Centaur — Tue, 16 Mar 2004 20:42:00 GMT

Oh, and by the way, in Longhorn, what will the default setting for “Hide lots-of-spaces and [.exe/.pif/.scr] extensions for files of registered types [Windows application/Shortcut to MS-DOS program/Screen saver] with a Text Document icon” be?

re: Still more creative uses for CAPTCHA

asdf — Tue, 16 Mar 2004 21:01:00 GMT

"Image Copyright F-Secure Corporation", well it looks like we know who made the Bagle.N virus.

re: Still more creative uses for CAPTCHA

Norman Diamond — Wed, 17 Mar 2004 00:09:00 GMT

3/16/2004 1:34 PM Centaur
> Shows the uselessness of antiviruses. If
> your head works well, you don’t need an
> antivirus; if it doesn’t, none will help.

Wrong. If your head works well, then when you receive .doc and .pdf and .txt and .zip attachments from known senders, you save them to disk files and run an antivirus on the disk files before deciding whether or not to open them.

If an attachment is .txt or .eml or .jpg or .gif then you have to open up OE options and disable the security check before it will let you save the attachment. Funny how OE doesn't allow saving .jpg or .gif unless you disable the security check, but it will display them automatically regardless. Funny how OE doesn't allow saving .txt unless you disable the security check, but it lets all users open .doc files directly without saving to disk and running antivirus on them. Between .txt and .doc, which is more likely to contain a macro virus?

Possible reasons for scanning attachments from known senders include more than the fact that the faked sender might not be the real sender. Sometimes the sender really is the real sender and the sender is infected. For example one certain giant computer company has a department dedicated to Linux, but their Linux office uses Microsoft-based machines for internet communication[*], they got infected with Badtrans and they sent Badtrans to both my home and my office. Then when I sent them a complaint, they bounced my complaint because their scanner detected the message source of the base-64 encoding of Badtrans in my quotation of the message source of their infected message. I blew up at that and sent a complaint of average nastiness about their operation of transmitting viruses and bouncing complaints. Next example, one certain international standards agency got infected with Sobig and they sent Sobig to me. But they didn't bounce my complaint, and they disinfected themselves within an hour.

Plus there are some mail and news programs that automatically execute various kinds of code even before the user gets to see what attachments there are and decide to save them and scan them.

Yes you need a working head, but you ALSO need an antivirus.

[* I also use Microsoft-based tools for internet communication, but I'm not dedicated to Linux as that computer company's Linux office is.]

re: Still more creative uses for CAPTCHA

Slaven — Wed, 17 Mar 2004 01:10:00 GMT

"If your head works well, then when you receive .doc and .pdf and .txt and .zip attachments from known senders, you save them to disk files and run an antivirus on the disk files before deciding whether or not to open them."

Well, you shouldn't have to explicitly save the attachment, OE does it for you when you try to open it (the attachment has to be saved as a real, albeit temporary file in order to launch it), so good AV software should stop it there. That said, in the days of new viruses spreading everywhere in a matter of hours I wouldn't rely 100% on my AV software to stop anything dangerous, as AV companies often need a couple of hours to update their virus definitions.

I've been having problems lately sending people zipped files (with an EXE patch inside) due to overzelaous AV filters, so I've had to rename them to .ZZZ and ask recipients to rename them back to .ZIP before extracting. I wonder how long until viruses start asking the same thing...?

re: Still more creative uses for CAPTCHA

Ebbe Kristensen — Wed, 17 Mar 2004 10:10:00 GMT

"Why do people feel the urge the create some strained cutesy acronym for their little invention?"

Because they can. My favourite is:

Abbreviated
Coded
Rendition
Of
Name
Yielding
Meaning

re: Still more creative uses for CAPTCHA

Moi — Wed, 17 Mar 2004 13:49:00 GMT

Blocking all mails with zip files in is a prety stupid thing to do. Sooner or later the recipients are going to notice, complain, and either move their business somewhere else (that doesn't have such a filter) or get that filter removed. Either way, it is a win for the virus writers.

re: Still more creative uses for CAPTCHA

Centaur — Wed, 17 Mar 2004 14:07:00 GMT

> If your head works well, then when you receive
> .doc and .pdf and .txt and .zip attachments
> from known senders, you save them to disk files
> and run an antivirus on the disk files before
> deciding whether or not to open them.

Actually, you first wonder why they send such things as attachments. You contact them back, ask if they sent you anything, and ask them to use a safer format next time, and to upload the file to your ftp site, logging in as ___ with password ___. Then, if they say they didn’t send anything, you drop the attachment on the floor.

If they say they did, you do some other precautions depending on the format.

By the way, why is .txt in that list? Which well-known text file viewer is vulnerable and exploitable with a text file?

re: Still more creative uses for CAPTCHA

Norman Diamond — Thu, 18 Mar 2004 05:11:00 GMT

Replying to 3/17/2004 7:07 AM Centaur.

I don't know why .txt is in the list. As far as I can tell, the list is OS-dependent. At least in Windows 98 and Windows 2000, Microsoft put .txt in the list. In order to save a .txt attachment, I had to go to OE's security options and disable the option that prevented opening and saving of attachments. (By the way, why aren't there separate options to disable immediate opening and to disable saving to a named file?)

As for contacting back the senders and ask if they sent the attachments deliberately, in the two cases I mentioned the sending companies were a few orders of magnitude too big to submit a question like that randomly. After verifying that the attachments were viruses, I could guess relevant addresses to submit complaints to.

Pardon me while I don't give other people the password for uploading to my ftp site. I think you know why, but even if you don't, at least let's expect my ISP would terminate my account immediately if I did such things.

re: Still more creative uses for CAPTCHA

foo — Thu, 18 Mar 2004 12:32:00 GMT

I'm sure there was a buffer overflow bug in notepad and instead of fixing it they declared TXT files "dangerous".

Balancing Security and Usability

Office Development, Security, Randomness... — Sun, 21 Mar 2004 02:58:00 GMT

re: Still more creative uses for CAPTCHA

vic10us — Thu, 22 Apr 2004 20:18:00 GMT

BTW, WTF happened to the topic?

I think we were talking about CAPTCHA?

re: A sample of desktop icon text effects

The Old New Thing — Thu, 25 Nov 2004 18:39:00 GMT