The Malware So Tricky Even Programmers Fall For It

  • Published: 28 Jun 2024
  • Sponsored: Discover the new Bitdefender Scamio (Free, easy-to-use AI chatbot for detecting and preventing scams): www.bitdefender.com/solutions...
    ▼ Time Stamps: ▼
    0:00 - Intro
    0:27 - What Are Hackers Doing This Time?
    0:45 - A Very Good Thing
    2:07 - The Hacker's 1st Technique
    4:20 - The 2nd Technique
    6:32 - Some General Tips
  • Science

Comments • 666

  • @GeekIWG
    @GeekIWG 4 months ago +1058

    Of note on modern Linux desktops (at least in Gnome and KDE), file managers will ask before executing files by default, so remember to keep that option enabled!

    • @AlfiesFuntime
      @AlfiesFuntime 4 months ago +51

      Maybe newer versions of GNOME/Plasma should make it more clear because some people just click ok on popups
      It is already quite clear but if people are doing this it means it works, which isn't good.

    • @GeekIWG
      @GeekIWG 4 months ago +24

      @@AlfiesFuntime Isn't that the truth. Also wish KDE would get rid of that "Don't ask me again" checkbox.

    • @felixjohnson3874
      @felixjohnson3874 4 months ago +55

      One issue is the KDE dialog has a rather stupid "don't ask again" checkbox. Sounds reasonable right? Yeah, no. "Don't ask again" means "never ask me how I want to run an executable ever again" not "don't ask me about running this executable again". Clicking that checkbox once permanently turns off that security measure completely unless you specifically reenable it, after which you need to deal with the pop up every time you want to run any executable directly, even if you trust it.

    • @felixjohnson3874
      @felixjohnson3874 4 months ago +15

      @@AlfiesFuntime nope. Its purpose is to clarify the action that will be taken, not protect people from themselves. If you don't read the warnings that's your problem. It's there to tell/ask you whether to run the executable, not protect you from yourself if you don't read warnings.
      Fool-proof is one thing, but Linus-proofing is a futile effort that just makes the UX worse for no reason. Linus proved pretty plainly that if you're willing to ignore one warning you're willing to ignore 5 more.

    • @felixjohnson3874
      @felixjohnson3874 4 months ago +36

      @@GeekIWG they can keep the checkbox, they just need to make it file-specific. If a user wants to turn it off completely put that setting somewhere else, but the pop-up checkbox should be "Don't ask me again for this file" because as it currently is it's unacceptably ambiguous.

  • @cindrmon
    @cindrmon 4 months ago +826

    new fear unlocked: unicode period pretending to be a file extension separator

    • @WindowsDaily
      @WindowsDaily 4 months ago +54

      on windows, no extension would say what do you want to do with this file with no extension, notepad, paint? so we're probably safe, just linux users to worry about.

    • @cindrmon
      @cindrmon 4 months ago +43

      @@WindowsDaily but.. i am a linux user...

    • @x-user3462
      @x-user3462 4 months ago

      Just use bind mount with noexec option for you downloads directory.
      $ cat /etc/fstab | tail -n1
      /home/x-user/downloads /home/x-user/downloads none bind,noexec,nofail,x-systemd.device-timeout=2 0 0

    • @vnc.t
      @vnc.t 4 months ago +46

      @@cindrmon most file managers have a setting to show a "do you want to run this file" popup when doubleclicking executables

    • @shallex5744
      @shallex5744 3 months ago +3

      @@cindrmon what would that do? file names don't mean anything, so that wouldn't change the functionality of the file, would it?

  • @LordZordid
    @LordZordid 4 months ago +366

    30 years experience in IT and I can honestly say that I might have fallen for it.

    • @typingcat
      @typingcat 4 months ago

      I would have checked the file with VirusTotal, even if it actually had ".pdf" extension, because PDF files can contain viruses, and I don't trust any e-mail attachment, even if it came from a legitimate source, because that person could not know that his PC is infected.

    • @CoreDump451
      @CoreDump451 3 months ago +22

      Yup, especially the first one.
      I think it says a lot about our industry practices (using npm without care).

    • @williamdrum9899
      @williamdrum9899 3 months ago

      Especially how unicode has devolved into a diarrhea of gotchas. Namely, by allowing it to mix with ASCII

  • @DiamondSaberYT
    @DiamondSaberYT 3 months ago +232

    Plot twist: the job application is for a cybersecurity position, and their challenge is to not fall for the less obvious hacks

    • @sayven
      @sayven 3 months ago +8

      Nice idea but obviously it would still be illegal

    • @__christopher__
      @__christopher__ 3 months ago +30

      @@sayven Maybe the cybersecurity position is actually hiring black-hat hackers. So the first test does double-duty: If you detect the problem, you get to the next round. If you don't, they still profit from you.

    • @abdirahmann
      @abdirahmann 3 months ago +13

      @@__christopher__ This is mad clever fr

    • @cryptoafc7655
      @cryptoafc7655 3 months ago

      bruh mind blowing

  • @madcow3417
    @madcow3417 4 months ago +324

    4:09 That malicious package has 285k downloads. I probably would have trusted it too... Although the description starts with 'A' instead of 'An', so maybe not so much.
    That pdf executable is really smart.

    • @Combineboy
      @Combineboy 3 months ago

      So people who make a grammar mistake are automatically people giving you a virus?

    • @_denzy_6310
      @_denzy_6310 3 months ago +2

      I wouldn't even trust a download counter. I'll have to run the file through file command

    • @lastyhopper2792
      @lastyhopper2792 3 months ago +1

      The download counter is a trophy for the hacker who made that tactic.

  • @lint2023
    @lint2023 4 months ago +63

    I had a scam from a "recruiter" once where they wanted me to set up an account with them and they required a password to be my last four SS number. That flagged me and they held firm after I called them out on it. I also held firm. It was a major known corp that I wanted to work for, but I still believe it was a scammer working through the resume sites.

    • @edwardmacnab354
      @edwardmacnab354 4 months ago +6

      some places like Capital One ask you to enter your SS # but it is optional

    • @eric_d
      @eric_d 3 months ago

      @@edwardmacnab354 It's ALWAYS optional to use your SS# for anything that doesn't directly deal with your employment or personal taxes. Even banks can't require your SS#, even though most of their employees have been trained to tell you that the patriot act requires them to get it from you. It's actually illegal, in most cases, for them to even ask for it. I ran into a situation several years back when I was given a corporate debit card so I could withdraw money to pay for vehicles. Wells Fargo gave me a huge issue over refusing to give them my SS# for a few weeks, but after consulting with their legal department, they told me that I was 100% correct about everything that I told them, and they gave me the card. Even if it had been an interest bearing account, it would not have directly, or even indirectly, been related to MY taxes. The only impact on taxes would have been on the company I worked for. I had an AMEX card, and cards from BoA, Wells Fargo, and TD bank, all with my name and the company name on them, and I never gave any of them my SS#, because you're NEVER supposed to give that to anyone except your employer and whoever is doing your taxes.

  • @RichardPhillips1066
    @RichardPhillips1066 4 months ago +267

    It's scary they are targeting software Devs, they could infect their releases

    • @soulstenance
      @soulstenance 4 months ago +34

      Another good reason to sign your commits and software packages!

    • @dingokidneys
      @dingokidneys 4 months ago +24

      Possibly hunting for access to a good supply chain, e.g. Solarwinds or Linux kernel contributors.

    • @FlooferLand
      @FlooferLand 3 months ago +9

      @@dingokidneys luckily the kernel is safe since everything has to pass through Linus before getting merged

    • @dingokidneys
      @dingokidneys 3 months ago +15

      @@FlooferLand I have great faith in the kernel development team and of course Linus, but if bad actors keep nibbling at the edges there's a possibility that something nefarious could creep in, if not all at once, in little bits over time. Nation State actors play the long game so we have to be on our toes at all times.
      The fact that some binary BLOBS of proprietary software are accepted in drivers, like the official nVidia driver, means that if someone can get into the nVidia driver team, they could possibly sneak something effectively into the kernel without review by the kernel team. This is why Stallman and Debian (previously) were so adamant about keeping proprietary software, especially that where the source was not open, out of the ecosystem.

    • @boulderbash19700209
      @boulderbash19700209 3 months ago +1

      Not just them. Any "company" may ask you to download some form for their rebate or promotion.

  • @xanzut
    @xanzut 4 months ago +78

    The malicious NPM is really scary, you will get hacked even before running the code. There's something called a "preinstall script" in NPM which will be executed when downloading the package. This is a known technique for an attack called "Dependency Confusion"

    • @ilsavv
      @ilsavv 4 months ago +3

      This is terrible and hopeless!

    • @markusklyver6277
      @markusklyver6277 3 months ago +1

      I don't think the preinstall script runs the code though.

    • @xanzut
      @xanzut 3 months ago

      @@markusklyver6277 there are a lot of articles explaining Dependency Confusion, read and understand it

  • @dontmindme8709
    @dontmindme8709 4 months ago +28

    Malware targeting Linux users? Wow, the year of the Linux desktop is truly upon us!
    Though seriously, thanks for spreading the word on these scams! This could easily fool anyone

    • @notNajimi
      @notNajimi 2 months ago +1

      That’s unironically very encouraging in regards to the future of Linux in the home. Adoption of Linux is getting high enough for attackers to target end-users and not just servers

    • @SpyrosFilippopoulos
      @SpyrosFilippopoulos 1 month ago +1

      I fear the day i have to use an antivirus on linux

  • @yuu-kun3461
    @yuu-kun3461 4 months ago +63

    A new linux thing was a fake Exodus snap package, which asked people to input their 12-words phrase to import wallet. Then of course, the crypto got stolen.

    • @LordZordid
      @LordZordid 4 months ago

      The money was spent on a diamond encrusted gold toilet for Kim Jong Un. It's very lavish but awfully painful to sit on. Being a dictator has its costs.

    • @shinobuoshino5066
      @shinobuoshino5066 3 months ago +2

      as if anyone needed more reasons to avoid flatshit, snapshit and other kinds of shit

    • @fluf201playz
      @fluf201playz 3 months ago +2

      @@shinobuoshino5066 holy shit

    • @orngjce223
      @orngjce223 3 months ago

      @@shinobuoshino5066 If you don't like Flatpak or Snap, that's fine. And Snap has closed-source elements, which is also perfectly reasonable to dislike. But the original intention behind Flatpak is that it is on average more secure because the installer never has to leave userspace.

  • @LA-MJ
    @LA-MJ 4 months ago +42

    You can see the +x as a different color on cli so 😉

    • @KingJellyfishII
      @KingJellyfishII 4 months ago +13

      also you'd never ./ a pdf file, you'd run `evince` (or whatever pdf reader you use) on it

    • @x-user3462
      @x-user3462 4 months ago

      @@KingJellyfishII or xdg-open path/to/pdf, and this also wouldn't launch the malware executable. IMHO only mc (or other curses file manager) users are at risk if they try to open this fake PDF file by selecting it and hitting enter.

    • @aarond309
      @aarond309 4 months ago +4

      furthermore, while double clicking in a file manager may run it, xdg-open will never run the executable

    • @LA-MJ
      @LA-MJ 4 months ago

      @@aarond309 the run function normally requires a prompt or can be deactivated

    • @Handlebrake2
      @Handlebrake2 3 months ago +2

      @@KingJellyfishII you don't use Firefox?

  • @edbp7689
    @edbp7689 4 months ago +14

    Personally, I would not have fallen for either.
    NPM, VS Code, GitHub and other similar repos are known to be vectors of malicious packages, even worse on NPM for a lot of typo-squatting packages.
    If I really had to install something like that, I would probably do it in a disposable virtual machine with Clam-AV scanning after any install. (yes, sometimes paranoia pays off)
    The second one is a lot more obvious for some reasons:
    1. Many terminals, especially simpler ones, are not UTF-8 (a.k.a. Unicode) piped, so listing the file would show up as file[?]pdf or file``~~pdf
    2. Even if it displays the name correctly, many terminal emulators would highlight the document in the executable colors, different from the regular documents (that are usually uncolored)
    3. As many other comments mention, file managers typically warn against executing files that are not generated by known compilers
    4. In many file managers, the thumbnail would be absent, wrong or use the thumbnail of the language of the file
    5. The options in "open with" would be devoid of any PDF reader

    • @mgord9518
      @mgord9518 4 months ago +1

      The only terminal I can think of off the top of my head that doesn't support unicode is xterm, which isn't very widely used

    • @dnchplay-archive
      @dnchplay-archive 3 months ago +3

      6. People usually don't "./file.pdf", they usually do " file.pdf"

  • @lukchem
    @lukchem 4 months ago +84

    Couldn’t the second one also work on Mac? Because the Mac has these Unix Executables which also don’t have a File Extension. Although these will probably immediately get terminated by the typical „Dude don’t download from Internet use App Store“ Window.

    • @WackoMcGoose
      @WackoMcGoose 4 months ago +24

      Mark-of-the-Web is one of the few ideas Microsoft was genuinely _right_ about on a conceptual level, I think (as long as an option is provided to "run away, I know what I'm doing").

    • @mistershirokov5067
      @mistershirokov5067 4 months ago +30

      “Yes, I want to execute this picture, why the hell are you asking?..”
      >computer starts making noises
      “Must be rendering those pixels or something”

    • @null-nl5su
      @null-nl5su 4 months ago +6

      Correction: that window is not about the App Store. It's about code signing. You can run anything that has a valid signature on a Mac by default.

    • @lukchem
      @lukchem 4 months ago +3

      @@null-nl5su Yes I know that. My comment was supposed to be funny :)

    • @tablettablete186
      @tablettablete186 3 months ago +3

      MacOS Gatekeeper would have stopped the execution of the file if it wasn't signed (interesting name for a sec tool lol)

  • @4WheelerinMiami
    @4WheelerinMiami 4 months ago +11

    ThioJoe, I always like the way you share your thoughts on different topics about Security, PCs, and Preventing Scams! Keep up the good work!

  • @singemfrc
    @singemfrc 4 months ago +31

    That Linux exploit is pretty clever.

    • @shinobuoshino5066
      @shinobuoshino5066 3 months ago +4

      Yet only affects windows users who installed linux and tried best they could to make it work like windows.
      Anyone using GNU/Linux as intended, from the terminal would be told that file is corrupt if they tab, or not found if they wrote full filename with extension.
      There's 0 risk of them executing it as the way you open files in terminal is write out the program of choice that will open the file, and only then giving it the file to open... Also if you use ls beforehand to look at files anyone will immediately see that file is suspiciously marked as executable, pdf files also are distinct color on my system.
      And best part is that opening files from terminal is faster than fumbling through GUI with your mouse, so GUIdiots deserve anything coming their way.

    • @user255
      @user255 3 months ago +11

      @@shinobuoshino5066 So, how does RUclips look like in terminal?

    • @shinobuoshino5066
      @shinobuoshino5066 3 months ago +2

      @@user255 wintoddler grasping straws now, after I posted this comment on firefox... started from terminal.

    • @user255
      @user255 3 months ago +11

      @@shinobuoshino5066 Oh, I thought GUIs were only for GUIdiots.

    • @danielmc5693
      @danielmc5693 3 months ago

      @@shinobuoshino5066 If you're not using GET and POST while parsing through all the html with your mind you're not a real terminal truther.

  • @RichardPhillips1066
    @RichardPhillips1066 4 months ago +58

    Well that's first time I've rewinded to hear an ad ever I think

  • @speedytruck
    @speedytruck 3 months ago +18

    On Linux, most file managers don't actually use extensions to determine file type like on Windows. They use something called "magic bytes" which are present at the very beginning of a file and associate files to a particular program(s). So it should be obvious that it wasn't a PDF file regardless of extension in good file managers.

    • @rossjennings4755
      @rossjennings4755 3 months ago +8

      Yeah, as a longtime Linux user, I was a bit confused that the hackers bothered to use a fake period to create a "file extension". Most of the time Linux doesn't care what the "file extension" is. On the other hand, I'm not so sure that common file managers would make it obvious that it's not a PDF. A sufficiently clever attacker could come up with various ways of making it look like a normal PDF at first glance.

    • @rossjennings4755
      @rossjennings4755 3 months ago +8

      Huh, I tried it with my own silly little executables and was surprised to find that, while Linux itself might not care, Dolphin actually cared rather a lot about the file extension. If the file ended in .pdf, it would give it a PDF icon and never try to execute it, instead trying to open it in a PDF viewer, regardless of the junk content. If it had no extension, it wouldn't get the PDF icon, but I would be prompted to confirm that I wanted to execute it. Learned something new today.

  • @vpun215
    @vpun215 4 months ago +89

    as a programmer, i can confirm that i would 110% fall for this malware.

    • @dvorakgigachad1444
      @dvorakgigachad1444 3 months ago +4

      first one, probably.. second one, very unlikely

    • @vpun215
      @vpun215 3 months ago

      @@dvorakgigachad1444 ma mans a giga

    • @Azertyyys
      @Azertyyys 3 months ago +3

      Printing hello world doesnt make you a programmer

  • @wildmanjeff42
    @wildmanjeff42 3 months ago +6

    Thanks for the information about scamio - probably the first advertisement that I can actually use.
    Really appreciate your channel and the time you spend teaching and keeping us informed !

    • @DccToon
      @DccToon 3 months ago

      i agree, i used it and i identified some scams, would recommend

  • @shapelessed
    @shapelessed 4 months ago +39

    The first thing you do when you clone a Node.js repo is install the dependencies, some devs simply won't check what the dependencies are and will install everything straight away, and for the ones who do check the top-level dependencies, the attacker company could create a completely legit package which in turn uses a dependency meant to do harm, ransom, theft and what not, making it harder to detect. The best part about NPM is that you don't even have to run the dependencies, there are plenty of ways for post-install scripts to be run once you install your project dependencies.
    How do I know that? - I'm sorry for myself, but I'm a web dev.

    • @Coder_Tavi
      @Coder_Tavi 4 months ago +6

      This issue makes me think about the whole *npm install everything* if anyone remembers that old issue.

    • @eric_d
      @eric_d 3 months ago +1

      Or you can just realize that JS is the devil, and not use it. JS has been known for serious security holes ever since it was first created, and it's never gotten any better.
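The two npm threads above (xanzut's point about preinstall scripts and shapelessed's about post-install scripts in transitive dependencies) come down to one fact: npm executes lifecycle hooks declared in a dependency's package.json during `npm install`, before any of your own code runs. The script below is an added example, not code from the video or from any commenter: it walks a node_modules tree (nested and scoped packages included) and lists every package that would run something at install time. The package names and the tree it builds are constructed for the demonstration.

```python
"""List every installed package that declares an npm install-time hook.

npm runs preinstall / install / postinstall for each dependency as part of
`npm install`, so a malicious package never has to be require()d to execute.
Added example; the node_modules tree is constructed in a temp directory.
"""
import json
import tempfile
from pathlib import Path

# Hooks npm runs on its own during an install. "prepare" runs for the root
# project and for git dependencies, not for registry tarballs.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def is_package_root(manifest: Path) -> bool:
    """True if this package.json belongs to an installed package, i.e. it sits
    directly under a node_modules directory or under a scoped @org folder,
    rather than in some fixture/example folder inside a package."""
    parent = manifest.parent.parent
    if parent.name == "node_modules":
        return True
    return parent.name.startswith("@") and parent.parent.name == "node_modules"


def install_time_scripts(node_modules) -> dict:
    """Return {package path relative to node_modules: {hook: command}} for
    every package (nested ones included) that runs code at install time.
    A package shipping binding.gyp with no install/preinstall script is also
    flagged, because npm then defaults to running `node-gyp rebuild`."""
    root = Path(node_modules)
    findings = {}
    for manifest in sorted(root.rglob("package.json")):
        if not is_package_root(manifest):
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest; npm would have rejected it as well
        scripts = data.get("scripts") or {}
        hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
        if (manifest.parent / "binding.gyp").exists() and not (
            "install" in scripts or "preinstall" in scripts
        ):
            hooks["install"] = "node-gyp rebuild (implicit default, nothing declared)"
        if hooks:
            findings[manifest.parent.relative_to(root).as_posix()] = hooks
    return findings


def build_sample_tree(base) -> Path:
    """Constructed node_modules: one clean package, one scoped package with a
    postinstall hook, one nested dependency with a preinstall hook, and one
    native addon relying on the implicit node-gyp step. All names are made up."""
    nm = Path(base) / "node_modules"

    def write(rel, manifest):
        d = nm / rel
        d.mkdir(parents=True, exist_ok=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return d

    write("tidy-strings", {"name": "tidy-strings", "version": "1.0.0",
                           "scripts": {"test": "node test.js"}})
    write("@acme/dev-helper", {"name": "@acme/dev-helper", "version": "2.3.1",
                               "scripts": {"postinstall": "node ./setup.js"}})
    write("tidy-strings/node_modules/color-tbl",
          {"name": "color-tbl", "version": "0.1.0",
           "scripts": {"preinstall": "node ./pre.js"}})
    native = write("fast-hash", {"name": "fast-hash", "version": "3.0.0"})
    (native / "binding.gyp").write_text("{}", encoding="utf-8")
    return nm


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return install_time_scripts(build_sample_tree(tmp))


if __name__ == "__main__":
    for pkg, hooks in demo().items():
        for hook, cmd in hooks.items():
            print(f"{pkg}: {hook} -> {cmd}")
```

Run it against a real project with `install_time_scripts("node_modules")` after an `npm install --ignore-scripts`, which fetches the tree without executing any hook; only then decide which packages to let run. Setting `ignore-scripts=true` in `.npmrc` makes that the default, with the caveat that `npm run <name>` still runs the named script but skips its pre/post hooks.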

  • @Goku789
    @Goku789 4 months ago +3

    Thanks for another informative video, ThioJoe! Your clear explanations and engaging style make learning fun.
    Always appreciate your dedication to tackling complex topics in such an accessible way. Keep up the great work!

  • @Gunstick
    @Gunstick 4 months ago +11

    Oh it only took 30 years for hackers to discover that you can put executable files on linux by using an archive.
    The no-extension trick works because linux does not check the extension to determine what to do with the file.
    So jpg files are opened with the picture viewer even when they have no extension.

    • @RowanHawkins
      @RowanHawkins 3 months ago +3

      Yep its called magic number and is the first few bytes of the file.

  • @45545videos
    @45545videos 3 months ago +2

    As always, thank you for the proper subtitles!

  • @gydo1942
    @gydo1942 3 months ago +9

    As others pointed out, most file managers pop up a warning asking the user if they really want to run an executable. Also, I'd be suspicious of the file being in a zip as stated in the video, but also, PDF files always get an icon of a PDF file, or a preview of the actual document, whereas executables get another icon or just a general 'file' icon. I'd be suspicious of that immediately.
    I guess the advice is as always, be very very careful with what you download and run.. Whether it's files from a zip or libraries to use.

    • @lukkkasz323
      @lukkkasz323 3 months ago +1

      Can't the icon be changed? why would it be a generic icon?

    • @gydo1942
      @gydo1942 3 months ago

      @@lukkkasz323 On some systems you can change the icon, but you have to do it manually.
      The generic 'file' icon appears when the system doesn't recognize what kind of file it is. Executables often get a general 'file' icon or an icon clearly indicating it's executable. Not something like a PDF icon.

  • @hellomiakoda3782
    @hellomiakoda3782 4 months ago +5

    This is why I stay familiar with what icons go with what filetype. If a PDF does not have the icon my system uses for PDFs, I will be very suspicious and investigate, ESPECIALLY if other, known ok PDFs have their icons!

    • @talibong9518
      @talibong9518 3 months ago +4

      Imagine being the only person that didn't get caught out in a large scale attack because you used a custom icon pack

    • @id01_01
      @id01_01 3 months ago +1

      I use XFCE and my icon pack makes PDF files pretty obvious. Also Thunar labels the file type when you single click a file

    • @shinobuoshino5066
      @shinobuoshino5066 3 months ago

      I use terminal so this by default would never work on me even if I wasn't paying attention.

  • @MyCodingDiarie
    @MyCodingDiarie 4 months ago +1

    Your videos always make my day. Keep shining!

  • @willgallatin2802
    @willgallatin2802 4 months ago +4

    Linux has had the run as .exe option for a very long time. I'm amazed it has taken this long for some hacker to use it in such a way.

  • @vladislavkaras491
    @vladislavkaras491 4 months ago +1

    Thanks for the video!

  • @AroAce_Psychopath
    @AroAce_Psychopath 4 months ago +13

    Now even job applications must be made in a VM. Can't have a job in this world Orvus.
    Great video appreciate.

    • @shinobuoshino5066
      @shinobuoshino5066 3 months ago

      Or just create new user account, it's not that hard.

    • @RowanHawkins
      @RowanHawkins 3 months ago +1

      Or don't run as a user with sudo privilege. Every time you make a 'convenience' decision that is lowering your security.

  • @_SJ
    @_SJ 4 months ago +32

    ❤ This Scamio looks really cool

  • @amogh_gurudatta
    @amogh_gurudatta 4 months ago +3

    First time I completely watched a sponsored segment. Scamio sounds really useful if it works.

  • @brianbrino4310
    @brianbrino4310 4 months ago

    Thank you so much and I had these problems when I had a computer! I only use an IPhone now but I still enjoy watching your videos as many of the scams I understand apply to all computer based appliances!

  • @nikolayrogchev9628
    @nikolayrogchev9628 3 months ago

    Love your videos, keep up the good work, it is very helpful

  • @LFCONTOP.
    @LFCONTOP. 4 months ago +4

    Your videos are very helpful❤

  • @Scat.original
    @Scat.original 1 month ago

    Thank you for this Great Information.

  • @13thravenpurple94
    @13thravenpurple94 4 months ago

    Excellent video 👍 Thank you 💜

  • @samareshxxx
    @samareshxxx 4 months ago +7

    on linux the icon of pdf file and executable file are different. so user can easily identify that.

    • @kyokazuto
      @kyokazuto 3 months ago +1

      true, on my system it would try to generate a preview for a pdf.

  • @georgwrede7715
    @georgwrede7715 3 months ago

    Thio, you saved me the other week! I had just watched you talking about downloaded files having a password to uncompress them, and on Facebook I came across a cool AI system to download "for free". -- I almost fell for it.
    Thanks again, Thio!

  • @s.daniel8016
    @s.daniel8016 4 months ago +1

    Thank you! ❤

  • @quad5
    @quad5 1 month ago +1

    I'm so proud of myself that I figured out that hackers can put files in zip folder to be left with executable property enabled before you said that in the video :)

  • @afjer
    @afjer 3 months ago

    Thanks for letting us know. Usually coding challenges are done in a sandboxed online environment and don't require downloading anything, but I still might have fallen for it.

  • @ME0WMERE
    @ME0WMERE 3 months ago +2

    As a linux user, the only reason why I wouldn't have fallen for it is my setup - either I would try to open it from `vifm`, in which case it wouldn't have recognised the file and just opened it in a text editor, or I would have tried to open it from the terminal with `zathura`, in which case it would have complained about unrecognised file format.

  • @dudamoos
    @dudamoos 1 month ago +1

    Even better is when actual companies use LLMs (AI) to create packages and the LLM hallucinates dependencies. There was a research study recently where the researchers created a bunch of packages that way and then (as a test) typo-squatted a few of the hallucinated dependencies. They actually found a few large tech companies accidentally using them. In one case, the hallucinated dependency was supposed to be another package by the same company!

  • @skycaptain95
    @skycaptain95 1 month ago +1

    Oh no... that is astoundingly devious. I think I would have fallen for it.

  • @yonatanyoffe6831
    @yonatanyoffe6831 4 months ago

    You are a life saver!

  • @ckingpro
    @ckingpro 4 months ago +4

    Believe it or not but some antiviruses can scan encrypted zip files. They do so by checking the CRC32 checksum of the file and its unpacked filesize. This prevents heuristic or more generalized patterns and the like, but simple signatures work.
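Two recurring points in this thread can be checked on the archive itself before anything is extracted: several commenters (quad5, j3h8kkjd2a5, ackava) note that a zip carries the Unix executable bit through extraction, and ckingpro notes that scanners can match files inside an encrypted zip by CRC-32 and size. Both work because the ZIP central directory is stored in cleartext even when the entry data is password-protected. The script below is an added example, not code from the video or from the commenters: it reads each central-directory record, reports the stored mode bits, flags names containing non-ASCII characters, and matches (CRC-32, uncompressed size) against a signature list. The archive, the stub payload, the U+2024 ONE DOT LEADER used as a fake separator and the signature list are all constructed here; the character the real campaign used is not named in the thread.

```python
"""Triage a downloaded .zip before extracting it.

The central directory is never encrypted in the ZIP format, so even for a
password-protected archive we can read every entry's name, uncompressed size,
CRC-32 and, if the archive was created on Unix, its st_mode bits.
Added example; the archive and the signature list are constructed below.
"""
import io
import zipfile
import zlib


def describe_entry(info: zipfile.ZipInfo, signatures: dict) -> dict:
    """Summarise one central-directory record without reading entry data."""
    # The high 16 bits of external_attr hold st_mode when create_system is 3 (Unix).
    mode = (info.external_attr >> 16) & 0o7777 if info.create_system == 3 else None
    return {
        "name": info.filename,
        "size": info.file_size,
        "crc32": info.CRC,
        "encrypted": bool(info.flag_bits & 0x1),  # set for ZipCrypto and AES entries
        "mode": mode,
        "executable": bool(mode and mode & 0o111),
        "non_ascii_name": any(ord(c) > 127 for c in info.filename),
        # What a scanner can still do on an encrypted archive: match the
        # (CRC-32, size) pair against known samples. WinZip AES "AE-2" entries
        # store a zero CRC, so for those only the size survives.
        "known_bad": signatures.get((info.CRC, info.file_size)),
    }


def inspect_zip(data: bytes, signatures: dict) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [describe_entry(i, signatures) for i in zf.infolist()]


def suspicious(reports: list) -> list:
    """Names of entries that are executable, have a non-ASCII name, or match a signature."""
    return [r["name"] for r in reports
            if r["executable"] or r["non_ascii_name"] or r["known_bad"]]


def build_sample():
    """Constructed archive: a harmless text file plus a 16-byte ELF-magic stub
    named with U+2024 instead of '.', stored with mode 0755 so `unzip` would
    recreate it executable. Returns (zip bytes, signature dict)."""
    payload = b"\x7fELF" + b"\x00" * 12  # only the magic, not a runnable binary
    signatures = {(zlib.crc32(payload), len(payload)): "constructed ELF stub"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        readme = zipfile.ZipInfo("README.txt")
        readme.create_system = 3
        readme.external_attr = 0o100644 << 16
        zf.writestr(readme, b"Coding challenge instructions\n")
        stub = zipfile.ZipInfo("challenge\u2024pdf")
        stub.create_system = 3
        stub.external_attr = 0o100755 << 16
        zf.writestr(stub, payload)
    return buf.getvalue(), signatures


def demo() -> list:
    data, signatures = build_sample()
    return inspect_zip(data, signatures)


if __name__ == "__main__":
    reports = demo()
    for r in reports:
        print(r)
    print("suspicious:", suspicious(reports))
```

For a real download, `inspect_zip(open("challenge.zip", "rb").read(), {})` gives the same listing, and `unzip -Z -v challenge.zip` (zipinfo) shows the same permissions and CRCs from the shell. Note that the `unzip` command restores the stored mode on extraction, while Python's own `ZipFile.extractall` does not, which is one reason people are surprised the bit survives.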

  • @bikeny
    @bikeny 4 months ago +5

    This is making me long for my days in college using the keypunch machine to generate the lines of code for programs.

    • @phungyi4947
      @phungyi4947 3 months ago +1

      You can still do that if you wish. ;)

  • @doityourself3293
    @doityourself3293 4 months ago

    Thanks - did not know that stuff.

  • @ecavero1
    @ecavero1 3 months ago

    Fortunately, the last (and only) remote coding challenge was for a known company, and I didn't have to run anything but a Groovy script, which I read first. But the second scam got me thinking that I should be more careful about things I install on my system, especially if not from the package manager. Thanks for the awareness!

  • @soulstenance
    @soulstenance 4 months ago +6

    This is wild! I'm a Linux user, and although I'm pretty careful about where I download files from and who I trust, I can see how an unsuspecting or new Linux user could fall for this! I always say, the best antivirus is the user and his or her common sense! Be careful out there, no matter what system you're using!

    • @shinobuoshino5066
      @shinobuoshino5066 3 months ago

      GNU/Linux user who has any sense would use terminal to do everything, not some shitty Windows clone DE.

  • @ackava
    @ackava 3 months ago

    Great video, we have reached a level where it is very difficult to stay vigilant, just like zip files, git repositories also retain +x attribute on files. And it can lead to similar issues.

  • @cedricbernard676
    @cedricbernard676 3 months ago

    Hi Joe, how are you doing? thanks for the quality of your videos. Was wondering if Bitdefender scamio is available for detecting phishing in French and Spanish.

  • @sculk3
    @sculk3 3 months ago +1

    just swapped to linux(lmde) and didn't know that! thanks a lot

  • @AnonZero0
    @AnonZero0 4 months ago +1

    *Thank you.*

  • @raisincains337
    @raisincains337 4 months ago +1

    ngl that had to be the most enticing ad

  • @lefteriseleftheriades7381
    @lefteriseleftheriades7381 4 months ago +1

    glad to see this channel go from lemon usb charger to something legit

  • @user-qr4jf4tv2x
    @user-qr4jf4tv2x 4 months ago +2

    always do email access via windows hyper-v sandbox or a sandbox in general, have separate emails for everything, don't login at the same time

  • @nuggetbugget9305
    @nuggetbugget9305 3 months ago +1

    As someone who always looks at packages that are being installed, checks file properties, and reviews source code before running anything I wouldn’t have fallen for this. When it is a binary file I will either open a hex editor or delete it without a second thought.

  • @rustee_nyfe
    @rustee_nyfe 4 months ago +1

    Wow. I think they'd easily get me with both tricks. I'm not a Linux user, but NPM... I'd love to learn more about that security policies that protected you

  • @dragons_advocate
    @dragons_advocate 4 months ago +2

    Not really a Linux specific thing, but I dislike file managers showing items not in a list with details -- that might allow you to catch something like that, too.

  • @Xudmud
    @Xudmud 3 months ago

    Things like that second one are the reason I run more and more things through the 'file' command in a Linux shell, which reads (without executing) the beginning of the file to determine the filetype, usually based on the file's magic number.
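Several comments describe the same manual triage from different angles: cindrmon's "unicode period pretending to be a file extension separator", LA-MJ's point that `ls --color` paints the +x bit differently, speedytruck's magic bytes, and Xudmud's habit of running `file` first. The script below is an added example, not code from the video or from any commenter: it combines those checks for every file in a directory, folding the name with NFKC so a lookalike dot collapses to a real one, and compares the first bytes against what the apparent extension promises. The sample files are constructed in a temporary directory, and the fake separator is assumed to be U+2024 ONE DOT LEADER; the thread does not say which character the real campaign used.

```python
"""Look at a download the way `file(1)` and `ls --color` would before opening it:
mode bits, what the name appears to say once Unicode is folded, and what the
first bytes actually are. Added example; sample files are constructed below.
"""
import stat
import tempfile
import unicodedata
from pathlib import Path

# Magic bytes for document types a "coding challenge" attachment might claim to be.
DOC_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".zip": (b"PK\x03\x04",),
}
# Content that should never sit behind a document-looking name.
CODE_MAGIC = {
    b"\x7fELF": "an ELF binary",
    b"MZ": "a PE/EXE binary",
    b"#!": "a script with a shebang",
}


def apparent_and_real_suffix(name: str):
    """(suffix the eye reads, suffix the kernel and xdg-open see). NFKC folds
    U+2024 ONE DOT LEADER and U+FF0E FULLWIDTH FULL STOP to an ASCII '.', so
    'resume\u2024pdf' reads as '.pdf' while actually having no suffix at all."""
    folded = unicodedata.normalize("NFKC", name)
    return Path(folded).suffix.lower(), Path(name).suffix.lower()


def triage(path) -> list:
    """Return human-readable findings for one file; empty means nothing odd."""
    p = Path(path)
    findings = []
    if p.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable bit set")
    if any(ord(c) > 127 for c in p.name):
        findings.append("non-ASCII character in name")
    apparent, real = apparent_and_real_suffix(p.name)
    if apparent != real:
        findings.append(f"name reads as {apparent!r} but the real suffix is {real!r}")
    with open(p, "rb") as fh:
        head = fh.read(16)  # enough for every magic above
    for magic, kind in CODE_MAGIC.items():
        if head.startswith(magic):
            findings.append(f"content is {kind}")
    expected = DOC_MAGIC.get(apparent)
    if expected and not head.startswith(expected):
        findings.append(f"content does not match {apparent}")
    return findings


def triage_dir(directory) -> dict:
    return {p.name: triage(p) for p in sorted(Path(directory).iterdir()) if p.is_file()}


def build_samples(directory) -> Path:
    """Constructed: a minimal real PDF and an ELF-magic stub dressed up as 'resume.pdf'."""
    d = Path(directory)
    real = d / "resume.pdf"
    real.write_bytes(b"%PDF-1.7\n% constructed minimal header\n")
    real.chmod(0o644)
    fake = d / "resume\u2024pdf"
    fake.write_bytes(b"\x7fELF\x02\x01\x01" + b"\x00" * 9)
    fake.chmod(0o755)
    return d


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return triage_dir(build_samples(tmp))


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name!r}: {findings or ['looks consistent']}")
```

Point `triage_dir` at `~/Downloads` to get the same report for real files. Each finding on its own is weak (plenty of legitimate files are +x, and non-ASCII names are normal in many languages); the combination of an executable bit, a name whose apparent and real suffix disagree, and ELF magic behind a document name is the signal the comments above are describing.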

  • @louey2x
    @louey2x 4 months ago +2

    I almost never use .zip in linux but thank you for this info. Never download anything you don't already trust but always do it in a sandbox or isolated VM first.

  • @aleckane99
    @aleckane99 4 months ago +12

    As a linux user, I will say that in my system I get a warning if something is going to execute. I am currently running a version of Arch.

    • @agooglygooglr
      @agooglygooglr 4 months ago +3

      Same here. Running Fedora and the file manager (Nautilus) won't even run a script unless you right-click it.

    • @Meletion1
      @Meletion1 4 months ago +1

      “I use arch btw” - average arch user

    • @aleckane99
      @aleckane99 4 months ago +1

      @NB6G lmao so true usually but I only clarified so no one would be like "oh but what do you use" blah blah

  • @daffy1981
    @daffy1981 3 months ago

    Thanks for the heads-up. I am a *nix user, and did not know that 😨

  • @alonsoherreros4945
    @alonsoherreros4945 3 months ago +1

    PDF documents, I usually drag-and-drop those into a browser tab to open them... but this could 100% fool me, damn.

  • @victorpetrescu13
    @victorpetrescu13 3 months ago

    I have said that npm is wildlife every day since like 5 years ago :D. Pretty sure most ppl already agreed with that, but I am happy for any awareness spread on this.

  • @j3h8kkjd2a5
    @j3h8kkjd2a5 3 months ago +1

    As a Linux user somewhat familiar with the system, I did not know archives would extract files with their metadata plus the executable bit, so that's interesting to know.

    • @x-user3462
      @x-user3462 3 months ago

      tar with some flags even can preserve xattrs attributes of file such as SELinux labels. It's often used for making full system backups.

  • @OzmandisMandis
    @OzmandisMandis 3 months ago +2

    At least the Linux one can't do that much harm, since they're going to get at most access to user space. Still plenty of room to do bad things, but as long as you consider your user space to be unsafe (and you have taken measures around that) you could be fine. Protecting your user config, such as your bashrc, with root locks is a must to prevent this kind of attack from working.

  • @AnirudhTammireddy
    @AnirudhTammireddy 4 months ago +5

    Best sponsor segment I've ever seen. Thanks bitdefender!

  • @xjet
    @xjet 4 months ago

    I never double-click an unknown PDF file to open it. I load the reader software and "Open" the file I want to read. That small step can protect you from a world of hurt.

    • @user-dk1nr3tv8b
      @user-dk1nr3tv8b 3 months ago

      It actually doesn't hurt to double-click a PDF file on Linux; the video is misleading. If it were an executable, there would be a popup warning asking you whether you want to run the file.

  • @whoeverofhowevermany
    @whoeverofhowevermany 3 months ago +2

    As the technological economy becomes harder to compete in, more genuinely skilled professionals will resort to things like scams, and so scams will start to become more skillful.

    • @asdfqwerty14587
      @asdfqwerty14587 3 months ago

      Well.. sort of, but not really. The main reason scams are (usually) so simplistic isn't that the scammers are really that dumb that they couldn't do anything better, but rather because it's just more lucrative to target idiots than it is to target tech savvy people. In the same amount of effort it takes to scam 1 tech savvy person you could've scammed dozens of idiots instead, so it's kind of just a waste of time making the scams more complicated like that - you can trick them of course, but not quickly enough for it to be economical for the scammer to focus on it unless you're doing a much more targeted attack where you're trying to target a specific person instead of just trying to scam anybody.

  • @45545videos
    @45545videos 3 months ago

    That first technique is pretty clever

  • @eriklundstedt9469
    @eriklundstedt9469 3 months ago +1

    The reason that Linux thing works is that "running a text file" is something that you are expected to do.
    My recommendation is to (in a terminal) run something like 'file sus.pdf'.
    It will take a look at the file and tell you about its content (and file type).
    You can also do 'cat sus.pdf', but that might garble your terminal session if it's actually a PDF.
    One alternative is to do 'head -1 sus.pdf', which should just give you the first line.
    Scripts usually start with '#!/usr/bin/bash' or something similar.
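
The inspection routine the comment above describes (look at the first bytes with 'file' or 'head', check for a shebang), and the 'file' command approach mentioned earlier by @Xudmud, gathered into one POSIX shell script. This is an added example written for this page, not code from the video or from any commenter; the file names in it are constructed. It reads the first bytes as hex so nothing is rendered or executed, compares what the extension claims with what the magic number says, flags a "document" that carries an executable bit, and flags a file name containing a non-ASCII byte, which is where a Unicode stand-in for "." would hide.

```shell
#!/bin/sh
# Added example (not from the video or from any commenter): triage a downloaded
# file before opening it, using only commands that read the file, never run it.
# Checks: first bytes (magic number or "#!" shebang), whether the apparent
# extension agrees with those bytes, whether a "document" carries an exec bit,
# and whether the file name hides a non-ASCII look-alike for ".".

# classify_by_magic FILE -> prints pdf, zip, elf, script or unknown
classify_by_magic() {
    # Read at most 4 bytes and show them as hex, so nothing is rendered or executed.
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        25504446)                   echo pdf ;;      # "%PDF"
        504b0304|504b0506|504b0708) echo zip ;;      # "PK\3\4" (also empty/spanned zip markers)
        7f454c46)                   echo elf ;;      # "\x7fELF" native binary
        2321*)                      echo script ;;   # "#!" interpreter line
        *)                          echo unknown ;;
    esac
}

# apparent_ext FILE -> lowercase text after the last ASCII dot of the name ("" if none)
apparent_ext() {
    name=${1##*/}
    case "$name" in
        *.*) printf '%s\n' "${name##*.}" | tr 'A-Z' 'a-z' ;;
        *)   echo "" ;;
    esac
}

# has_lookalike_dot FILE -> succeeds if the file name contains any non-ASCII byte
has_lookalike_dot() {
    printf '%s' "${1##*/}" | LC_ALL=C grep -q '[^ -~]'
}

# triage FILE -> prints one line per finding; exit status 0 only if nothing looked off
triage() {
    f=$1
    findings=0
    ext=$(apparent_ext "$f")
    kind=$(classify_by_magic "$f")
    if has_lookalike_dot "$f"; then
        echo "SUSPICIOUS: non-ASCII character in file name (possible look-alike dot)"
        findings=$((findings + 1))
    fi
    case "$ext" in
        pdf|zip|txt|jpg|png|docx)
            if [ -x "$f" ]; then
                echo "SUSPICIOUS: looks like a .$ext document but the executable bit is set"
                findings=$((findings + 1))
            fi ;;
    esac
    case "$ext:$kind" in
        pdf:pdf|zip:zip) ;;        # extension agrees with the magic number
        pdf:*|zip:*)
            echo "SUSPICIOUS: named .$ext but the content looks like: $kind"
            findings=$((findings + 1)) ;;
    esac
    case "$kind" in
        script|elf) echo "NOTE: content is $kind; inspect it in an editor, do not double-click" ;;
    esac
    [ "$findings" -eq 0 ]
}

# Usage: sh triage.sh FILE...   (prints the findings for each file given)
for f in "$@"; do
    echo "== $f"
    triage "$f" && echo "no findings"
done
```

Run it as 'sh triage.sh ~/Downloads/*' before opening anything from an unknown sender; a non-zero exit status means at least one finding was printed. The magic-number table is deliberately short; 'file' knows far more types, but the point here is that the extension and the permission bits are both untrusted input, and only the bytes at the start of the file decide what it is.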

  • @gblargg
    @gblargg 3 months ago

    1:00 Great tool for scammers to run their schemes by until one isn't flagged as a scam.

  • @hipposgrumm
    @hipposgrumm 3 months ago

    I remember being able to remove the file extension of a video file on Raspbian and it still ran as a movie.

    • @icantcomeupwithnames469
      @icantcomeupwithnames469 3 months ago

      Yes, a well-written program won't assume what a file is from its extension or lack thereof.

  • @gamereditor59ner22
    @gamereditor59ner22 4 months ago +11

    1:24: Cool! Thank you!

  • @PascalBrax
    @PascalBrax 3 months ago

    Wow this video did actually teach me something I didn't know, great content! I don't know if I'd fall for the fake extension file trick, because thanks to Windows, I'm very suspicious if a PDF or ZIP file doesn't show the right icon. 🤓

  • @denissorn
    @denissorn 3 months ago

    BTW, one could also set -x on a directory level (e.g. tmp, or wherever one downloads the files) for all users, and AFAIK this would override the permissions on the file level.

  • @乂
    @乂 4 months ago +24

    Scams are getting progressively harder and harder to detect. Scary

    • @itchylol742
      @itchylol742 4 months ago +12

      ThioJoe, please add this "verified" spammer to your YouTube comment block list or something, I forgot what it is.

  • @rjtimmerman2861
    @rjtimmerman2861 3 months ago

    This Scamio does really seem like a great tool

  • @cancername
    @cancername 3 months ago

    The second one is a mismatch between higher levels of abstraction (the file manager automagically selecting the correct program) and lower levels of abstraction (file extensions don't exist and "executable" is a permission).

  • @AaronccGuo
    @AaronccGuo 4 months ago +1

    yep, the linux trick will get me for sure... thx for sharing..

  • @randomguy400x
    @randomguy400x 4 months ago +1

    That Linux one is quite smart, lots of different things packed into one. I totally would have fallen for this kind of stuff

  • @etmax1
    @etmax1 3 months ago

    I probably wouldn't fall for this, but you never know.
    Password-protecting a zip is something I didn't know had that effect, but it does make sense, and it now gives me an out to send files to work that don't get canned by the email protection there. Previously I had to stuff around with a download service.

  • @chickkyy
    @chickkyy 4 months ago +1

    Actually first noti, I think. Already know it's gonna be a banger.

  • @PMX
    @PMX 3 months ago

    On a Mac you will get a warning telling you something along the lines of "do you really want to execute this random application from an unidentified developer that you downloaded from the internet?" (or, by default, will tell you it can't run it because it's from an unidentified developer, although you can still run it if you want, just not with a simple double click). Even if they did register as developers and sign the application, you will still get a warning the first time because it's an application downloaded from the web, so you get a heads up.

  • @TunifyBasic
    @TunifyBasic 1 month ago

    In Linux, when you feel that your computer is doing something wrong, just do 'sudo lsof -i'. You will get a list of connections, PIDs and process names; then continue analysing in your own way.

  • @artursmihelsons415
    @artursmihelsons415 3 months ago

    Thanks for sharing!
    I'm a Linux user and never heard about the zip hack, especially with the Unicode dot. That's something new to be alerted about, and to warn my daughter about too.
    Sometimes I had seen single files compressed in a zip before and, at preview, was always wondering and thinking about the reason for that, usually before zip extraction. 😂
    About executables, now I will check file properties before clicking.

    • @shinobuoshino5066
      @shinobuoshino5066 3 months ago +1

      Just learn how to use terminal and suddenly all these problems that target GUIdiots are completely nullified even if you aren't even aware of the fact that you're dealing with a malicious file.

  • @alexmercer57
    @alexmercer57 4 months ago +1

    can you make a video about Kernel Power Failure Error - Event ID 41? There seems to be no way out from this, I tried a lot of things, but nothing is working out.

  • @UNgineering
    @UNgineering 3 months ago

    that sounds like a massive time investment on the hackers' part

  • @miguelhernandez72
    @miguelhernandez72 3 months ago

    Well now I'll be paranoid of any take home assignments

  • @camwha5904
    @camwha5904 4 months ago

    The npm example is why it's best nowadays to do JavaScript projects in either something like webcontainers (StackBlitz) or just remote GitHub workspaces (vscode server). That way you are never running random npm packages on your system unsandboxed.

  • @vincentlaizer
    @vincentlaizer 3 months ago

    Could you tell us more about this unicode character, what is it?

  • @test-rj2vl
    @test-rj2vl 4 months ago +4

    4:17 - Can you talk about that security policy? What exactly? Maybe short 2 min video.

    • @WindowsDaily
      @WindowsDaily 4 months ago

      There's a whole video about it on his channel, it's called AppLocker.

    • @ilsavv
      @ilsavv 4 months ago +1

      He will hardly do. It may work for scammers.

    • @justanotheryoutubeaccount2270
      @justanotheryoutubeaccount2270 3 months ago

      Check his "I seriously almost got hacked" video (which is shown on the screen at that time). It's about AppLocker.

  • @sir_no_name1478
    @sir_no_name1478 3 months ago

    On KDE you would see a different symbol if it ends with pdf but is an executable. Also, if you want to start it you would get asked if you really want to, and probably need a sudo password.

  • @m96fa40
    @m96fa40 3 months ago

    IDK about Unix Systems (MacOS/Linux) but on Windows when you change the file extension it asks you "are you sure?", so it would be that simple if you want to make sure of the file's extension

  • @ExploringNew1
    @ExploringNew1 3 months ago

    I usually download things like github projects on my phone, open it and check what the code is before sending it to my pc. Since my phone can't run those files if I accidentally open them

  • @Lampe2020
    @Lampe2020 4 months ago +1

    At least in Cinnamon's file manager Nemo (but also in Nautilus, GNOME's file manager), double-clicking a file asks you if you want to run it with or without a terminal, or just open it with another program and not run it. So the 2nd technique wouldn't work on me, because I keep that asking enabled.

  • @dawserdoos
    @dawserdoos 3 months ago

    One way to test for this is to force the OS to open the file you're suspicious of in a text editor. Most of these formats aren't compatible with just being "read" from a text editor; however, these files will not only be plain "English", if you're savvy you can call out the bash script.
    For context, attempt to force a PDF or image into Notepad. Most files forced into Notepad will look like gibberish and symbols. The malware here won't.

  • @zxuiji
    @zxuiji 4 months ago +3

    No, I did not know that execution protection is bypassed via archives. Realistically speaking, archive extractors should really just remove the execution permission always. Sure, it would be annoying to re-add those permissions for legitimate ones, but that's still preferable to sneaky attacks getting through.

    • @cigmorfil4101
      @cigmorfil4101 3 months ago

      Not a completely good idea.
      If an archive includes subdirectories, then _always_ removing the exec bit will make the lower directories inaccessible - in a directory file the exec permission means you can search that directory for files when trying to read those files: you have to know what the files are called. The read bit on a directory allows you to list the contents of that directory (to see the names of the files in that directory).

    • @zxuiji
      @zxuiji 3 months ago

      @@cigmorfil4101 You realise I meant in the context of files, right? Also, the search and read should've been bundled into just one permission. There's no valid use case where you would want to be able to search for files you can't even read.

    • @shinobuoshino5066
      @shinobuoshino5066 3 months ago

      @@zxuiji directories are files, hope you realise that.
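
The thread above settles on the distinction that matters: clearing execute bits after extraction is a reasonable hygiene step, but only on regular files, because a directory's x bit is what lets you descend into it. Here is that step as a POSIX shell script; it is an added example written for this page, not code from the video or from any commenter. It assumes the unzip(1) command for the wrapper function (the audit and neutralise functions themselves need only find and chmod), and the file names it mentions are constructed.

```shell
#!/bin/sh
# Added example (not from the video or from the commenters): post-process an
# extracted archive so that execute bits carried inside it do not survive on
# regular files, while directories keep their x (search) bit, which is needed
# to descend into subdirectories, as the reply above points out.

# audit_extracted DIR -> lists regular files under DIR with any execute bit set
audit_extracted() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# neutralise_extracted DIR -> clears execute bits on regular files only;
# directories are left alone, so path lookup and "cd" keep working
neutralise_extracted() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -exec chmod a-x {} +
}

# count_executable_files DIR -> number of regular files still executable
count_executable_files() {
    audit_extracted "$1" | wc -l | tr -d ' '
}

# safe_extract ARCHIVE.zip DEST -> extract, report what arrived executable, neutralise.
# Assumes unzip(1) is installed; this wrapper is not exercised by the self-test.
safe_extract() {
    mkdir -p "$2"
    unzip -q "$1" -d "$2" || return 1
    n=$(count_executable_files "$2")
    if [ "$n" -gt 0 ]; then
        echo "$n file(s) arrived with an execute bit:"
        audit_extracted "$2"
        neutralise_extracted "$2"
        echo "execute bits cleared; re-add with chmod +x only after reviewing each file"
    fi
}

# Usage: sh safe_extract.sh archive.zip ./extracted
if [ $# -eq 2 ]; then
    safe_extract "$1" "$2"
fi
```

The audit step is the useful part for a reviewer: a "take-home assignment" archive in which a file called something.pdf is listed as executable is exactly the case the video describes, and it shows up in the audit output before anything is clicked. Stripping the bits afterwards turns a double-click into "open with the default viewer" rather than "run".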