High-Risk Windows Files


Microsoft Windows installs with hundreds of executables and programs in the Windows and Windows\System32 directories. By default, all users have Read and Execute permissions. Again, what Windows system files are considered high risk depends on each administrator's environment. Table 5-2 lists the files the author considers high risk. All files are located in %Windir%\System32 unless notated. Even though all files listed in the table are considered high risk (i.e., more likely to be used maliciously than legitimately), not all risk is the same. Risk factor was determined by how often the file is used for exploitation and what the file can do.

Table 5-2

File Name | Description and Risk | Risk
Command.com | 16-bit command-line shell. Can often be used much like Cmd.exe. Disable if not needed. Cannot be disabled by Software Restriction Policies (see below). | High
Ftp.exe | File Transfer Protocol (FTP) client. Used by malware programs and attackers. Disable if not needed by end users. | High
Ntvdm.exe | Controls the 16-bit DOS Virtual Machine environment. Disable to prevent 16-bit program execution. | High
Reg.exe | Allows manipulation of the registry. | High
Regedit.exe | Legacy registry editor. Non-admin users should not be able to manually view or manipulate the registry. Located in %Windir%. | High
Regedt32.exe | 32-bit registry editor. Non-admin end users do not need access. | High
Tftp.exe | Trivial File Transfer Protocol (TFTP) client. Used to initiate unauthenticated FTP sessions. Frequently used by malware programs and attackers. | High
Tlntsvr.exe | Telnet server. Disable if not used. Can be used by attackers to gain access. | High
Wscript.exe | Windows Scripting Host for running VBScript and JavaScript scripts outside of Internet Explorer. Disable if not used. | High
Clipsrv.exe | ClipBook service. Allows remote access to the data stored in the local computer's clipboard. Disabled by default. | High-Medium
Cmd.exe | 32-bit command-line shell. End users should not have access to DOS command-line shells unless access is needed or they run .BAT or .CMD files. | High-Medium
Cscript.exe | Command-line version of Windows Scripting Host. Not needed unless VBScript or JScript programs are run outside of Internet Explorer. | High-Medium
Mshta.exe | Allows HTML Applications (HTAs) to run outside of Internet Explorer. HTAs have been exploited several times. Disable if not needed. | High-Medium
Debug.exe | Legacy assembly program. Can easily be exploited. Rarely needed by legitimate users, administrators, or programmers. | Medium
Format.com | Used to format hard drives and floppy disks from the command line. Rarely needed anymore. Disable if not needed. | Medium
Ntbackup.exe | Windows backup utility. Can be used to copy unauthorized information if the logged-in user has backup privileges. | Medium
Ntdsutil.exe | Powerful Active Directory "Swiss-army knife" utility. Not needed by non-administrators. | Medium
Regsvr32.exe | Allows users to register and unregister COM objects and .DLLs. Not needed by non-admin users. | Medium
Savedump.exe | Saves a memory dump to a file. Not normally needed by end users. | Medium
Sc.exe | Used to view and modify service information. Not needed by non-admin users. | Medium
Schtasks.exe | Used to view, modify, and schedule tasks in Task Scheduler. | Medium
Secedit.exe | Used to view, apply, and compare security templates on a given PC. | Medium
Shutdown.exe | Used to shut down local or remote computers. Not normally needed by most end users. | Medium
Taskkill.exe | Allows a user to kill a running task. Not normally needed by end users. Occasionally used by malware. | Medium
Tscon.exe | Attaches a user to a new Terminal Server (RDP) session. There have been some announced issues (including http://support.microsoft.com/default.aspx?scid=kb;en-us;302801). | Medium
Arp.exe | Address Resolution Protocol interface utility. Could be used to create false ARP entries and be involved in redirection attacks. | Medium/Low
At.exe | Legacy scheduling interface to Task Scheduler. Regular end users should not be able to schedule new tasks. | Medium/Low
Attrib.exe | Displays and changes standard file attributes. Could be used to hide malicious files. | Medium/Low
Bootcfg.exe | Would allow a user to change many boot parameters. | Medium/Low
Edit.com | 16-bit legacy command-line editor. Disable if not needed. Cannot be limited by Software Restriction Policies (see below). | Medium/Low
Rasdial.exe | Makes RAS connections. Disable if not needed. | Medium/Low
Tsshutdn | Allows a user to shut down a local or remote Terminal Server (RDP). There have been some DoS vulnerabilities announced. | Medium/Low
Alg.exe | Service controlling Microsoft Internet Connection Sharing and Internet Connection Firewall/Windows Firewall. Non-admin users should be prevented from executing it. Normally executes in the LocalService context. | Low
Append.exe | Legacy executable. Allows a user to extend the search path so that files in the appended directories can be accessed as if they were in the current directory. Does not use the Path variable. | Low
Auditusr.exe | New API program interface to the Per-User Selective Auditing feature introduced in XP Service Pack 2 and Server 2003 Service Pack 1. Running it displays any per-user auditing categories that are enabled. | Low
Cacls.exe | Allows users to view and manipulate NTFS permissions. | Low
Ddeshare.exe | Used to create DDE shares. Normally not needed by most end users. | Low
Dsadd.exe, Dsget.exe, Dsmove.exe, Dsrm, Dsquery | Active Directory command-line tools. Not normally needed by end users, although not popularly exploited at this time. | Low
Edlin.exe | Legacy command-line text editor. Not commonly used by anyone. | Low
Eventcreate.exe | Used to create custom events (http://support.microsoft.com/default.aspx?scid=kb;en-us;324145). Not needed by end users. | Low
Eventtriggers.exe | Used to define triggers that run a command when a specified event is logged. Not needed by end users. | Low
Exe2bin.exe | Can convert small .EXE files to .COM files. Not needed by end users. | Low
Finger.exe | Legacy application used to collect information from Finger identification services. Not needed by end users. | Low
Hh.exe | Windows Help. Only disable if concerned about Help file exploits or if a new, widespread Help file exploit has been announced that is not yet patched. Located in %Windir%. | Low
Mmc.exe | Microsoft Management Console. Disable if not needed by end users. | Low
Msconfig.exe | System Configuration Utility used to display and modify some common Windows startup locations. Located in %Windir%\PCHealth\HelpCtr\Binaries. Like Regedit and Task Manager, this useful manual defense tool is often disabled by malware. | Low
Netdde.exe | Used to create DDE channels. Sometimes needed by applications that use DDE. Disable if not needed. | Low
Rcp.exe | TCP/IP Remote Copy Program. Not needed by regular end users. | Low
Recover.exe | Recovers lost file fragments. Can cause problems with data recovery. Disable unless needed. | Low
Regtrace.exe | Programming troubleshooting utility. | Low
Replace.exe | Allows files from a source to replace files on a destination. Not normally used by end users. | Low
Reset.exe | Resets Terminal Server (RDP) sessions. Not normally needed by end users. | Low
Rexec.exe | TCP/IP client command that runs commands on remote hosts running the REXECD service. Not normally needed by end users. | Low
Route.exe | Allows users to view and modify the Windows TCP/IP routing table. Could be used to set malicious routes. | Low
Rsh.exe | TCP/IP client utility that runs commands on remote hosts running the RSH service. Not normally needed by end users. | Low
Rsm.exe | Removable Storage Manager command-line interface, used for tape/storage media manipulation. | Low
Subst.exe | Legacy command that allows users to map a network drive path to a drive letter. Not normally used. | Low
Sysedit.exe | System Configuration Editor, a legacy program used to view and modify legacy startup files. | Low
Telnet.exe | Telnet client. Disable if not used. | Low
Tskill.exe | Allows users to kill a running Terminal Server (RDP) session. Not normally used by end users. |
Xcopy.exe | Allows files to be copied, including their attributes. | Low

Again, there are probably files that some readers can add or delete to the list. Files that are frequently used by the company (for example, ftp.exe) should not be listed as high-risk for that organization. Non-admin end users should be prevented from running the files listed in Table 5-2. Most of the files in the table are located at %Windir%\System32. Knowing a file's normal location is important because attackers will often create look-alike files with the same name, but in different locations.

Other Windows Files Needing Protection

Table 5-3 lists other common Windows files that need investigation. In most cases, regular end users need access to them, but administrators should audit their use and prevent modification if applicable.

Table 5-3

File Name | Default Location | Description
Hosts | %Windir%\System32\Drivers\Etc on NT and later systems | Used for static DNS resolution
Lmhosts | %Windir%\System32\Drivers\Etc on NT and later systems | Used for static NetBIOS resolution
Autoexec.bat, Autoexec.nt | Root directory for Autoexec.bat; %Windir%\System32 or %Windir%\Repair for Autoexec.nt | In legacy systems, loads real-mode programs prior to Windows loading. Can be used to install malicious programs.
Autorun.inf | Root directory of removable media (e.g., CD-ROM disks) | Can be used to automatically run commands or programs referenced by the file. If concerned, you can disable Autorun with a registry edit of the NoDriveTypeAutoRun registry value. The typical setting is 91 or 95 and should be changed to 9D (if you want CD disks to still autorun), BD (if both CD and hard drive autorun are to be suppressed), or FF (to suppress all devices). The setting is per user.
Boot.ini | Root directory of system volume | Used by the NT OS loader to determine which OS image to load. A malicious Boot.ini entry can point to any file, anywhere, of any "DOS-visible" name, to be run as raw code on boot if that "OS" is selected. Not popularly exploited at this time.
Bootsect.dos | Root directory of boot volume | DOS boot sector on NT and later dual-boot machines. Can be maliciously modified. There is an equivalent Bootsect.dat for the Recovery Console, if the Recovery Console is installed to the hard disk.
Config.sys, Config.nt | Root directory for Config.sys; %Windir%\System32 or %Windir%\Repair for Config.nt | In legacy systems, loads real-mode programs prior to Windows loading. Can be used to install malicious programs.
Desktop.ini | Can be located in any folder | Used to modify folder appearance on the desktop and in Explorer, and can be used to launch new malicious code
Iereset.inf | %Windir%\Inf | Used for IE default values. Not used in the wild, yet. Proposed by Andrew Aronoff of SilentRunners.org.
Msdos.sys, Io.sys | Root directory | Only on legacy systems; contains DOS boot code
Dosstart.bat | %Windir% | If it exists, it should be examined or protected. Used by Win 9x for DOS programs set to run in DOS mode using the same configuration as Windows, which is the default mode for the "Exit to DOS.pif" used for Shutdown, Restart in MS-DOS mode. If a DOS-mode .pif is set to "Specify a new", then DOSStart.bat is ignored and the private startup files hidden in the .pif are used instead.
Msdos.sys | Root directory | Legacy file. Can determine the path to Windows and startup control in Win 9x environments. Was an OS boot file in MS-DOS.
Normal.dot | \Documents and Settings\%UserProfile%\Application Data\Microsoft\Templates on non-legacy systems | Default template file for Microsoft Word. Commonly used by older macro viruses.
Ntldr | Root directory of system volume | NT and later boot loader program. So far not exploited, but could be.
Rasphone.pbk | \Documents and Settings\%UserProfile%\Application Data\Microsoft\Network\Connections\Pbk | Could be used to modify dial-up network settings
Startup folders | \Documents and Settings\%UserProfile%\Start Menu\Programs\Startup | Any program, script, or executable file located in a Startup folder is automatically executed when the user logs in.
System.ini | %Windir%, if present | Legacy file. Could load malicious programs.
Win.ini | %Windir%, if present | Legacy file. Could load malicious programs.
Winboot.ini | Boot sector, if present | Legacy file. Can determine the path to Windows and startup control in Win 9x environments.
Winboot.sys | Root directory, if present | Legacy file. Copied over C:\IO.SYS and then run by the partition boot code at bootup.
Winstart.bat | %Windir%, if present | Legacy file. Could load malicious programs in Win 9x and earlier.
Wininit.ini | %Windir%, if present | "Run once" legacy file. Could load malicious programs.
*.Dos, *.W40, *.App, *.Wos | Root directory, if present | Legacy Win 9x files: startup settings and code files for the "Previous version of MS-DOS" option on dual-boot systems.
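The Autorun.inf row above gives NoDriveTypeAutoRun as hex values without saying what the bits mean. The following PowerShell is an added example (not code from the book) that reads the value from the per-user and machine Policies\Explorer keys, decodes each bit against the standard Windows drive-type constants, and can write one of the recommended values; it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the book: decode and set the NoDriveTypeAutoRun bitmask.
# Each set bit suppresses Autorun for that drive type (standard GetDriveType values).
$AutorunBits = [ordered]@{
    0x01 = 'DRIVE_UNKNOWN'
    0x02 = 'DRIVE_NO_ROOT_DIR'
    0x04 = 'DRIVE_REMOVABLE (floppy, USB)'
    0x08 = 'DRIVE_FIXED (hard disk)'
    0x10 = 'DRIVE_REMOTE (network)'
    0x20 = 'DRIVE_CDROM'
    0x40 = 'DRIVE_RAMDISK'
    0x80 = 'reserved'
}

# HKCU is the per-user location the text refers to; HKLM applies machine-wide
$AutorunKeys = @{
    User    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    Machine = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
}

function ConvertFrom-AutorunMask {
    # Returns one row per drive type, stating whether Autorun is suppressed
    param([Parameter(Mandatory)] [int]$Mask)
    foreach ($bit in $AutorunBits.Keys) {
        [pscustomobject]@{
            Bit        = ('0x{0:X2}' -f $bit)
            DriveType  = $AutorunBits[$bit]
            Suppressed = (($Mask -band $bit) -ne 0)
        }
    }
}

function Get-AutorunPolicy {
    # Reads the value in both scopes; a missing value means the OS default applies
    foreach ($scope in $AutorunKeys.Keys) {
        $value = (Get-ItemProperty -Path $AutorunKeys[$scope] -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $allowed = ''
        if ($null -ne $value) {
            $allowed = (ConvertFrom-AutorunMask $value | Where-Object { -not $_.Suppressed }).DriveType -join ', '
        }
        [pscustomobject]@{
            Scope          = $scope
            Present        = ($null -ne $value)
            Mask           = if ($null -ne $value) { '0x{0:X2}' -f $value } else { '(not set)' }
            AutorunAllowed = $allowed
        }
    }
}

function Set-AutorunPolicy {
    # Writes one of the DWORD values the table recommends (0x9D, 0xBD or 0xFF)
    param(
        [Parameter(Mandatory)] [int]$Mask,
        [ValidateSet('User', 'Machine')] [string]$Scope = 'User'
    )
    $key = $AutorunKeys[$Scope]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value $Mask -Type DWord
}

# Show what the three suggested values leave enabled, then the current policy
foreach ($m in 0x9D, 0xBD, 0xFF) {
    $left = (ConvertFrom-AutorunMask $m | Where-Object { -not $_.Suppressed }).DriveType -join ', '
    '{0:X2} still allows Autorun on: {1}' -f $m, $left
}
Get-AutorunPolicy | Format-Table -AutoSize
```

Decoding 0x9D leaves only CD-ROM (and the unused NO_ROOT_DIR and RAMDISK bits) enabled, 0xBD removes CD-ROM as well, and 0xFF suppresses everything, matching the three values the table recommends.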

The files listed in Tables 5-2 and 5-3 represent some of the most important Windows files, and the ones most likely to be involved with a malicious attack. Table 5-1 lists other types of files, including application files, that can be used in a rogue manner. Administrators should review the files in these tables to determine which of these should or shouldn't be running on their network.

Good web sites for looking up file names are Windows Process Library (www.liutilities.com/products/wintaskspro/processlibrary), I Am Not a Geek (www.iamnotageek.com/a/file_info.php), and Security Task Manager (www.neuber.com/taskmanager/process).

Malicious File Tricks

Malicious attackers have used a variety of rogue methods over the years to accomplish their activities. Here are some other tricks hackers have used to get their malware executed.

File Naming Tricks

Hackers have made an art out of renaming files for malicious purposes, and Microsoft is mostly to blame for this problem. By default, Windows will hide file extensions of known file types, although this behavior should be turned off (in Windows Explorer). Because this behavior is turned on by default, a malicious hacker can send a user a malicious executable called Readme.txt.exe and Windows will display just Readme.txt by default. Now, Windows contains several ways for the user to verify the extension:

  • Hovering the mouse cursor over the file's path or full name

  • Viewing file properties will reveal the file name

  • The file's icon will be represented by the application associated with the file extension (in most cases).

Revealing File Extensions

You can tell Windows to display even registered file types by choosing the Tools menu in Windows Explorer, then Folder Options, and the View tab (see Figure 5-3). Deselect "Hide extensions for known file types". You should also deselect "Hide protected operating system files (Recommended)" to allow users to view Windows system files and profiles, and select "Show hidden files and folders".

Figure 5-3

Super Hidden File Extensions

To make matters worse, even if you tell Windows not to hide well-known file extensions as discussed above, some registered file extensions will still stay hidden (e.g., Scrap files). These file extensions are known as the "Super Hidden" file extensions. Each file association in the registry can be enabled or disabled regarding its Super Hidden status. Dozens of file extension associations have a registry value called NeverShowExt, including the high-risk file types in Table 5-4.

Table 5-4

File Type (HKCR Designation) | File Extension
Internet Shortcuts | .Url
Desktop Shortcuts | .Lnk
Pif files | .Pif
ShellScrap file | .Shs
Explorer Command | .Scf

Super hidden file extensions allow hackers to name files like Readme.Txt.url that are really Internet browser links and will automatically download remote code, or Readme.Txt.shs, where the scrap file is really a shortcut pointing to an executable that is run instead. You should implement a registry edit or GPO to remove the NeverShowExt value for the file types listed in Table 5-4.

Note

Be warned: If you reveal .Lnk and .Pif files, you will see the file extension revealed all over the desktop for many legitimate Windows files. Normally, this is not a problem, but it may surprise some users. The benefit gained by revealing the hidden extension overrides any temporary discomfort.

Windows will always reveal or hide an extension depending on the existence of the AlwaysShowExt or NeverShowExt entry in the file type's registry subkey. The value of the entry doesn't matter, as long as the entry exists and is spelled correctly. When both values are present, the NeverShowExt value overrides the AlwaysShowExt value, which means it is hard to disable the NeverShowExt with a GPO (i.e., GPOs don't delete registry keys).

To delete existing registry keys, you can use an .Inf file, scripts, or .Reg files. To remove the NeverShowExt value manually, use Regedit.exe, search for the NeverShowExt value, and delete it wherever it is found. The only issue to be aware of is that once the NeverShowExt value is deleted, the file extensions of those link types will appear; for example, desktop shortcuts will end in an .Lnk extension. While this is a safe practice, you need to be aware of the result of the change and warn end users if you deploy this suggestion widely. If you are pushing the change using a GPO, you'll need to deny Read permissions to the NeverShowExt registry key (if it exists).
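The precedence rule described above (presence of the value is what counts, and NeverShowExt beats AlwaysShowExt) can be audited before any GPO or .Reg change is pushed. The following PowerShell is an added example (not code from the book): it looks up each Table 5-4 extension, follows HKCR\<ext>'s (default) value to the file type's ProgID key, reports both values, and optionally deletes NeverShowExt. It assumes Windows PowerShell 3.0 or later; -Remove needs rights to write HKEY_CLASSES_ROOT.

```powershell
# Added example, not from the book: report "super hidden" state for the Table 5-4
# file types and, with -Remove, delete the NeverShowExt value where it is found.
function Get-SuperHiddenExtension {
    param(
        [string[]]$Extension = @('.url', '.lnk', '.pif', '.shs', '.scf'),
        [switch]$Remove
    )
    foreach ($ext in $Extension) {
        # NeverShowExt normally sits on the ProgID key (e.g. .lnk -> lnkfile) that the
        # (default) value of HKCR\<ext> names; check the extension key as well.
        $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
        $keys   = @($extKey)
        if (Test-Path -LiteralPath $extKey) {
            $progId = (Get-ItemProperty -LiteralPath $extKey -ErrorAction SilentlyContinue).'(default)'
            if ($progId) { $keys += "Registry::HKEY_CLASSES_ROOT\$progId" }
        }
        foreach ($key in $keys) {
            if (-not (Test-Path -LiteralPath $key)) { continue }
            # Only existence matters, so look at value names rather than value data
            $names  = (Get-Item -LiteralPath $key).GetValueNames()
            $never  = $names -contains 'NeverShowExt'
            $always = $names -contains 'AlwaysShowExt'
            # NeverShowExt overrides AlwaysShowExt when both are present
            $effective = if ($never) { 'hidden' } elseif ($always) { 'shown' } else { 'follows Explorer setting' }
            if ($Remove -and $never) {
                Remove-ItemProperty -LiteralPath $key -Name 'NeverShowExt'
                $effective = 'hidden -> NeverShowExt removed'
            }
            [pscustomobject]@{
                Extension     = $ext
                Key           = ($key -replace '^Registry::', '')
                NeverShowExt  = $never
                AlwaysShowExt = $always
                Effective     = $effective
            }
        }
    }
}

# Audit only; add -Remove to delete the value (expect .Lnk and .Pif to show afterwards)
Get-SuperHiddenExtension | Format-Table -AutoSize
```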

Long File Names and Unprintable Characters

Hackers have also made file name roots containing something harmless-looking like Readme.txt that in reality was Readme.txt.exe. The intervening spaces between the .txt portion of the file name and the real file extension (i.e., .exe) contained non-printable characters. Most screens that display the file name have an adjustable width for the file name column, and the default size would show Readme.txt. The true name would not be shown unless the user manually widened the column.

Sound-a-likes, Different Locations

When forensically investigating a computer for intrusion, always be on the lookout for sound-a-likes and files spelled right but in the wrong location. By default, WFP prevents Windows system files from being modified, deleted, or renamed. Instead, malware will install new rogue executables with official-sounding names in the normal system directories, or install a file with an identical name in a new location. Sound-a-like file names are ones like Svchosts.exe (instead of Svchost.exe) and Regsrv32.exe (instead of Regsvr32.exe). Or they load the malicious file, with a name identical to a normal system file, but from a non-default location. It can be hard to notice if you aren't familiar with file locations. For instance, is Taskman.exe loaded from %Windir% or %Windir%\System32? It's the former.

Rename Tricks

Any valid Windows system executable (at least .Exe and .Com files) can be renamed to any file extension and still function identically on the command line (although not from the Windows Explorer GUI or the Start, Run procedure). Thus Format.com can be renamed Frog.gif and still be executed. A new hacker trick is to upload exploit tools to the victim's Internet Explorer Temporary Internet Files folder and name them after picture files. All users have access to the Temporary Internet Files folder, and unless the user clears out the folder, the tools will probably stay undetected longer. Don't forget that any file using the OLE2 file format (e.g., Microsoft Office documents) can be renamed without any file extension and it will still be opened by its associated application if opened from the Windows GUI (this doesn't work on the command line) or from within the application. Thus, an Excel spreadsheet named Readme will still be opened in Excel.

MIME Type Mismatch

When files are being downloaded in Internet Explorer and other multi-media-enabled applications, often Windows will look for the file's Multi-Purpose Internet Mail Extensions (or MIME) type. MIME was originally created so that SMTP mail servers and clients could exchange objects and media files beyond normal plaintext e-mail. Today, most web servers (and many other types of servers) send a file's MIME data type descriptor along with the file. The receiving application or operating system reads the MIME type descriptor and opens the file in the requested application.

Most MIME type descriptors are registered with the Internet Assigned Numbers Authority (www.iana.org), described in several RFCs, including RFC 1521 (www.faqs.org/rfcs/rfc1521.html). MIME type descriptors look something like this:

  • Content-Type: text/plain

  • type="application/x-shockwave-flash"

The MIME type descriptor is read by the incoming application, which then looks up the application associated with each particular MIME type. In Windows, the MIME type application association is stored in the HKCR registry key under the appropriate application's file extension. In the first example, the Notepad.exe application is associated with the text/plain MIME type. In the latter, the Shockwave Flash application is associated with application/x-shockwave-flash.

Malicious exploits have been initiated by an intentionally malicious web server marking a file as one particular type of MIME file when the file's true contents were something else. The MIME type mismatch can cause application loading problems, DoS attacks, and even buffer overflows. MIME type mismatch issues have often been the reason why some security scanners failed to correctly catch malware problems.

Alternate Data Streams

Ever since Windows NT, Microsoft has allowed files and directories on an NTFS-formatted volume to have Alternate Data Streams (ADS). ADS was initially created to support Macintosh "resource forks" when Macintosh file support was added to NT. The idea is that one file or folder representation can have several other files associated with it. If copied or created with the appropriate ADS-aware tools, one copied file can contain all the support files it needs. When an ADS component is "attached" to a file, an extended attribute is attached to the file, and the ADS file is stored elsewhere on the disk. When the ADS file is needed, the file's extended attribute tells Windows that an ADS file is attached to the parent file and where to look for it.

Although Microsoft uses ADS with some of its applications, ADS files never caught on big with other third-party legitimate programmers. Existing legitimate uses of ADS include the following:

  • Handling "resource fork" material from Apple Macs (why ADS were invented)

  • To store thumbnails

  • By MS Office, to store document summary metadata

  • By some antivirus (av) scanners, to hold integrity information

Hackers, however, occasionally use files with ADS to hide their malware or hacking tools. Because the ADS file is not stored directly with the file, even when the parent file (or directory) is modified to have an ADS stream, its file integrity does not change. This means that a hacker can basically store any number of programs or viruses attached to any file they like and MD5 hash checksum programs will not report different results. Although antivirus scanner programs can scan ADS files, they don't by default. It's an option that has to be turned on manually, and most administrators don't.

If you want to experiment with ADS files, try these steps:

  1. Make a directory called C:\ADSTemp.

  2. Copy Notepad.exe into C:\ADSTemp.

  3. Copy Sol.exe (Solitaire) into C:\ADSTemp.

  4. Do a directory (DIR) to get the file size and timestamps of Notepad.exe or run any hash integrity program you like.

  5. Type the command type Sol.exe > Notepad.exe:Hidden.exe and press Enter. The cmd.exe type command copies the contents of Sol.exe into a stream named Hidden.exe attached to Notepad.exe.

  6. Now do another directory and checksum on the Notepad.exe file. Note that the information is the same, including size, date, and checksum. Figure 5-4 shows similar results.

  7. Type in Start c:\ADSTemp\Notepad.exe:Hidden.exe and press Enter. The Solitaire program should have started.

  8. Look in Task Manager (Ctrl+Alt+Del) and see whether Notepad.exe is running as a process, and whether that reference indicates the difference between Notepad.exe and the ADS properly identified as Notepad.exe:Hidden.exe.

  9. If you have a host-based firewall that does outbound blocking, repeat the preceding procedure, replacing Notepad.exe with an application that is allowed to pass through the firewall, and replacing Sol.exe with an application that will try to access the Internet but would normally be blocked from doing so by the firewall. Does the firewall pass or block the ADS?

Figure 5-4

In this case, it was just two legitimate files, but it could have been a hacker tool just as easily. ADS file streams can be called using the Start command and via browsers over HTTP. To find ADS files, you must download a Microsoft Resource Kit utility or use a third-party tool. My favorites are Foundstone's Sfind (www.foundstone.com/?subnav=resources/navigation) and Sysinternals' Streams (www.sysinternals.com/Utilities/Streams.html).

Several risks associated with ADS have already been leveraged by malware:

  • ADS aren't visible in Windows Explorer.

  • Code running in an ADS is listed in Task Manager as the name of the parent file only in Windows 2000 and NT.

  • Although antivirus programs can scan ADS files, they aren't checked for or scanned by default.

  • As ADS have no directory entry, they can't be managed with NTFS permissions.
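Newer versions of PowerShell can enumerate streams without the Resource Kit or third-party tools mentioned above. The following is an added example (not code from the book) that walks a folder such as the C:\ADSTemp used in the experiment, lists every named stream, and flags streams whose first two bytes are the MZ header of a Windows executable, which is how the Notepad.exe:Hidden.exe stream from the walkthrough would show up. It assumes Windows PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example, not from the book: find alternate data streams and flag hidden executables.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [switch]$IncludeZoneIdentifier   # Zone.Identifier is the normal "downloaded from the Internet" mark
    )
    # Get-Content switched from -Encoding Byte to -AsByteStream in PowerShell 6; pick the right one
    $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }

    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        # ':$DATA' is the file's own unnamed stream; anything else is an ADS
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
          ForEach-Object {
            # Peek at the first two bytes of the stream; 'MZ' (0x4D 0x5A) marks a PE executable
            $head = Get-Content -LiteralPath $file -Stream $_.Stream -TotalCount 2 @byteArgs -ErrorAction SilentlyContinue
            $isPe = (@($head).Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            [pscustomobject]@{
                File        = $file
                Stream      = $_.Stream
                Length      = $_.Length
                LooksLikePE = $isPe
            }
          }
      }
}

# The folder from the experiment: Notepad.exe's Hidden.exe stream is reported with LooksLikePE = True
Find-AlternateDataStream -Path 'C:\ADSTemp' | Format-Table -AutoSize
```

Remove-Item -LiteralPath <file> -Stream <name> deletes a single stream while leaving the parent file intact, which is the cleanup step once a stream has been examined.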

Note

ADS files are an example of maliciousness from unintended consequences. When Microsoft created them, little thought was given to their potential abuses. The author of this book immediately saw the potential malicious use of ADS when NT 4.0 first appeared and reported it to a top AV vendor. They replied that they also knew about the potential problem, but that it wasn't a top priority since ADS files weren't being exploited. Years later when the first ADS viruses showed up, it wasn't surprising that several antivirus companies had solutions ready in a few days. It also taught me that many "zero-day" exploits are known by computer software defenders prior to their public release, but the defenses aren't released until after the public announcement to slow down the hacker vs. good guy war.

Dangerous Unused Applications

It is also important to remember that even when a file or application isn't used by the user, if it is installed, then it can be exploited. A common exploit method is for hackers to call a particular application via its URL moniker (this will be covered in more detail in Chapter 10, "Securing Internet Explorer"). A URL moniker is another file association type stored in HKCR.

For example, the URL moniker Telnet:// will call the Windows telnet client to activate (see Figure 5-5). Suppose there were a known buffer overflow issue with the Microsoft Telnet.exe client program. A hacker could send a user an e-mail containing an embedded link that when clicked or automatically downloaded launched the client's Telnet program to contact the attacker's remote server, where a client-side buffer overflow was waiting. Similar tactics have been used against many programs.

Figure 5-5

Another real-life example is the URL moniker aim://, which calls America Online's Instant Messaging (AIM) client. In the past, at least two exploits have been documented whereby a user is sent a simple URL link. Unknown to the user, the link contains the aim:// moniker; and with related commands fed to the user's browser, AIM is started and a file transfer initiated. The files transferred caused a buffer overflow in one instance, and allowed the unauthorized copying of files in the other.

Just an application being installed increases risk. Sometimes whether a user actually uses a particular program isn't a factor. In fact, when users don't use a program, they probably won't keep it patched and updated. How many times have you updated a program you never use?

Buffer Overflows

Lastly, any running program or service that can be overflowed gives an attacker a way to exploit a system. Buffer overflows (actually, there are over a dozen types of overflows besides a buffer overflow, but we'll just keep the discussion simple) either cause a DoS attack or allow complete compromise of the attacked system. When a program or service is overflowed, the attacker usually gets system access with the security context in which the program was running. In Windows, this is often the local system. You'll find out more about this in Chapter 7, "Tightening Services."



Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
Year: 2004
Pages: 122