LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-24-2017, 09:34 AM   #1
linux4evr5581
Member
 
Registered: Sep 2016
Location: USA
Posts: 275

Rep: Reputation: Disabled
Can malware hide in .txt files?


And if it can would a text editor like vi reveal the code?
 
Old 04-24-2017, 09:42 AM   #2
Zyblin
Member
 
Registered: Oct 2013
Distribution: Linux Mint 18.3 (64)
Posts: 185

Rep: Reputation: 20
...

Last edited by Zyblin; 04-25-2017 at 07:40 AM.
 
Old 04-24-2017, 10:03 AM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Here's something you can "play" with.
Code:
X5o!p%@ap[4\pzx54(p^)7cc)7}$eicar-standard-antivirus-test-file!$h+h*
I think the OP is confused about what obfuscated is or means.

Here's a site to read up on what text can do... https://aw-snap.info/
 
Old 04-24-2017, 10:17 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
Malware is software, therefore it must be executed. (And, once executed, it must be capable of malice using your privileges alone.)

A true .txt file is not executable, but some operating systems consider only the "magic bytes" within the file, not its extension. If the content appears to be an executable program – regardless of its misleading-to-humans .txt extension – they might conceivably try to execute it.

However, "basically, 'no.'"

Remember: this is not biology we are talking about! While you can "catch" a cold by walking into the wrong elevator, your computer cannot. Unlike, say, a yellow fever organism that's lurking in the ground of a graveyard, malware cannot "hide" anywhere, nor can it "infect" anything.

Last edited by sundialsvcs; 04-24-2017 at 10:26 AM.
 
Old 04-24-2017, 10:21 AM   #5
linux4evr5581
Member
 
Registered: Sep 2016
Location: USA
Posts: 275

Original Poster
Rep: Reputation: Disabled
No I was aware that malware can "mask" itself as a text file, but I was wondering if there were any more methods so to speak. But yeah thanks guys I'll check out that link, but I have no idea what to do with that code lol (do I put that in a script?). And thanks Sundial good to know, I'll just make sure they're not executable and do some online scans, or maybe just keep them on a Raspberry Pi.

Last edited by linux4evr5581; 04-24-2017 at 10:30 AM.
 
Old 04-24-2017, 04:33 PM   #6
jmccue
Member
 
Registered: Nov 2008
Location: US
Distribution: slackware
Posts: 687
Blog Entries: 1

Rep: Reputation: 380
One case I can think of is if a text file has vim commands inside it.

IIRC there is a way one can put vim commands inside of a text file. When you edit the text file with these commands, the commands auto execute from vim.

I forgot how to do that, but I suppose one can do some nasty things that way.

You can also disable this globally in your ~/.vimrc
 
Old 04-24-2017, 05:27 PM   #7
linux4evr5581
Member
 
Registered: Sep 2016
Location: USA
Posts: 275

Original Poster
Rep: Reputation: Disabled
Hmmm interesting, I'll definitely look into that thanks a lot.
 
Old 04-25-2017, 06:26 AM   #8
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553
From the command line, shells can be told to attempt to execute any file with the x (execute) permission set. If this is not a binary file and there isn't a "magic" #! then generally the system will attempt to use the user's default shell as the interpreter.

So despite what others have said it is ENTIRELY possible for malware to "hide" within a .txt file. Especially if it's distributed as a tarball or some other archive format that can preserve file permissions.

Whether you actually EXECUTE that file is another matter.
 
1 members found this post helpful.
Old 04-25-2017, 06:37 AM   #9
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553
Oh, and as a follow up to my previous post:

Quote:
Originally Posted by linux4evr5581
And if it can would a text editor like vi reveal the code?
Not necessarily. Take this highly simplistic text file:

Code:
echo "bHMgLWwK" | base64 -d > /tmp/Xaljfhsd;chmod 755 /tmp/Xaljfhsd;/tmp/Xaljfhsd
While I'm sure you can work it out, other than it's attempting to create and execute something in /tmp it's not entirely obvious what the actual end result will be.
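
Added example, not part of any post in this thread: a read-only way to check the two points raised in posts #8 and #9, listing tarball members that carry an execute bit despite a document-style extension, and decoding the base64 string so it can be read rather than run. The function names, the extension list and the sample tarball are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only checks for posts #8 and #9.

# List regular files in a tarball that carry an execute bit despite a
# document-style extension. Only the listing is read; nothing is extracted.
# Assumption: member names contain no spaces (name = last field).
exec_text_in_tar() {
    tar -tvf "$1" |
        awk '$1 ~ /^-/ && $1 ~ /[xs]/ && $NF ~ /\.(txt|md|csv|log)$/ { print $1, $NF }'
}

# Show what each  echo "<blob>" | base64 -d  in a file decodes to, without
# running anything. cat -v renders control bytes visibly (ESC becomes ^[).
# Only the one-blob-per-line shape from post #9 is handled.
decode_b64_pipes() {
    sed -nE "s#.*echo +[\"']?([A-Za-z0-9+/=]+)[\"']? *[|] *base64 +(-d|--decode).*#\1#p" "$1" |
        while read -r blob; do
            printf '%s => %s\n' "$blob" \
                "$(printf '%s' "$blob" | base64 -d 2>/dev/null | cat -v)"
        done
}

# Constructed sample: the one-liner from post #9 saved as notes.txt, mode 755.
work=$(mktemp -d)
cat > "$work/notes.txt" <<'EOF'
echo "bHMgLWwK" | base64 -d > /tmp/Xaljfhsd;chmod 755 /tmp/Xaljfhsd;/tmp/Xaljfhsd
EOF
echo 'plain notes' > "$work/readme.txt"
chmod 755 "$work/notes.txt"; chmod 644 "$work/readme.txt"
tar -cf "$work/sample.tar" -C "$work" notes.txt readme.txt

exec_text_in_tar "$work/sample.tar"    # flags notes.txt, not readme.txt
decode_b64_pipes "$work/notes.txt"     # prints the decoded command text
rm -rf "$work"
```

Both functions only read their input: the tarball is listed, not unpacked, and the decoded text is printed, never passed to a shell.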
 
Old 04-25-2017, 06:38 AM   #10
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,128

Rep: Reputation: 4120


If I was designing an exploit, I'd aim at somewhere where everyone said it was impossible. Not that I'm that smart, but there are plenty of others who are.
 
Old 04-25-2017, 10:42 AM   #11
linux4evr5581
Member
 
Registered: Sep 2016
Location: USA
Posts: 275

Original Poster
Rep: Reputation: Disabled
Thanks TenTenths good stuff but that would still be noticeable in a .txt file (unless it's a text file of command notes, or something). Nevertheless pretty cool how it lists directories without the ls command, it's like magic... I'm gonna concatenate further into what these and similar commands do, and see what's going on here, thank you!
 
Old 04-26-2017, 07:52 AM   #12
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553
Quote:
Originally Posted by linux4evr5581
Thanks TenTenths good stuff but that would still be noticeable in a .txt file
Oh believe me that was intentional that it wasn't totally obfuscated. It was just to prove my point that malicious code can be almost anywhere!
 
Old 04-26-2017, 08:05 AM   #13
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
Note that the "executable" bit does not mean that Linux would automatically attempt to execute it, if merely asked to open the file.

This bit does allow the file to be referenced from the command-line, which is understood to be a request to execute it.

If the file begins with a #!shebang line, this specifically identifies it as a program written in a particular programming language. Otherwise, the shell will attempt to execute it as a script.

And if the file actually contains a copy of Lincoln's Gettysburg Address, it won't get far. (However, famously, there was a COBOL compiler which tried to compile it!)
 
Old 04-26-2017, 10:52 AM   #14
linux4evr5581
Member
 
Registered: Sep 2016
Location: USA
Posts: 275

Original Poster
Rep: Reputation: Disabled
COBOL seems interesting, I'm probably going to pick that up along with Lua, Python, and C.. Anyways thanks everyone all very cool stuff!
 
Old 04-26-2017, 11:44 AM   #15
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 11,225

Rep: Reputation: 5320
Under DOS, it was possible for text files to have ANSI escape sequences that would, say, mess up the terminal when you displayed them.
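
Added example, not part of any post in this thread: two checks to run on a text file before opening it, covering the editor commands mentioned in post #6 (Vim calls these modelines) and the escape sequences mentioned in post #15. The function names, the over-broad modeline pattern and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-open checks for posts #6 and #15.

# Print line numbers within the first/last 5 lines (Vim's default 'modelines'
# window) that look like a vi/Vim modeline. The pattern over-matches on
# purpose: a false alarm is cheaper than a missed line.
find_modelines() {
    awk '{ l[NR] = $0 }
         END { for (i = 1; i <= NR; i++)
                   if ((i <= 5 || i > NR - 5) &&
                       l[i] ~ /(^|[ \t])([Vv]im?[0-9<>=]*|ex):/) print i }' "$1"
}

# Count control bytes other than tab, LF and CR (ESC, NUL, DEL, ...).
count_ctrl_bytes() {
    LC_ALL=C tr -cd '\000-\010\013\014\016-\037\177' < "$1" | wc -c | tr -d ' '
}

# Constructed sample: one harmless modeline and one ANSI colour sequence.
demo_file=$(mktemp)
printf 'shopping list\n\033[31mmilk\033[0m\n# vim: set ts=4 :\n' > "$demo_file"
echo "modeline on line(s): $(find_modelines "$demo_file")"
echo "control bytes:       $(count_ctrl_bytes "$demo_file")"
cat -v "$demo_file"    # shows ESC as ^[ instead of sending it to the terminal
rm -f "$demo_file"
```

The Vim setting that turns modeline processing off is `set nomodeline` in ~/.vimrc.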
 
  



All times are GMT -5. The time now is 07:33 AM.
