5

I am using Windows 8.1 pro with Mozilla Thunderbird for my email requirements.

I have my Thunderbird set to auto-download all email attachments; however, upon running a virus scan I am seeing many .exe, .zip and .rar files flagged as viruses, which I then tell my AV to delete.

As these .exe, .zip and .rar files have only been downloaded to my HD, can they do any damage just sitting there?

To my knowledge I must at least execute them (.exe) or uncompress and double-click (.zip, .rar), but perhaps I am wrong.

DavidWrighten
  • It really depends on what the malware is exploiting. If it's exploiting the download mechanism then they could gain execution just by downloading. Good practice is to **not** automatically download attachments. – RoraΖ May 02 '15 at 13:14
  • Also pay attention to what exact "virus" was detected by the AV. For instance, I got an issue with a corporate antivirus blocking an archive contaminated by the "Too many files" virus... The archive was too large, the AV was too lazy, so he just considered it harmful by default... – WhiteWinterWolf May 02 '15 at 13:31
  • @raz could you explain a bit further? If a .exe is compressed inside a **.zip** file and Thunderbird auto downloads it, how can the **.exe** run itself from inside the **.zip**? – DavidWrighten May 02 '15 at 14:22
  • You're thinking like it's actually an exe. A file can pose as any format. Malicious code performs actions that are abnormal but perfectly valid for the application that is processing the file. You can't think of it in terms of what a file **should** do, but in terms of what it is **capable** of doing. – RoraΖ May 02 '15 at 14:38
  • @raz Yes, I agree that a **.png** could be a **.exe**, but the user must still open the **.png** (secretly the **.exe**), so the user's actions are still required in this case. Your most recent comment makes it sound like there are certain types of files which just execute themselves (or have some similar capability); to my knowledge this doesn't exist, but please enlighten me of any and some examples. Thanks – DavidWrighten May 03 '15 at 00:17

7 Answers

2

Firstly I would like to explain the differences between viruses, Trojans and malware.

Malware - is the short form of malicious software. It is basically software written to cause damage or infiltrate computer systems without the owner's informed consent. It is a general term used to represent various forms of intrusive, hostile and annoying code.

Virus - is software that copies itself and spreads without the permission or knowledge of the owner. Viruses do not spread via exploiting vulnerabilities (the ones that do that are called worms). The only way viruses are supposed to spread is with the host - at least in their rigorous classification. Let's say that a virus has infected a file; now, if the owner moves the file to any system, the virus thus has a chance to spread and survive.

Viruses can be classified into the following sub-categories:

  • Resident type: which, once executed, becomes memory resident (and waits for some trigger, such as the loading of another program). It then infects other programs and so on.
  • Non-resident type: once the virus is executed, it will search for files it can infect. Then, after infecting them, it will quit. When the infected program is run again, it will again find new targets and so on.
  • Boot sector type, which spreads via the boot sector, and multipartite type, with several types of infection mechanisms.

Trojan - is a kind of malware that appears to the user to perform a function but in fact facilitates unauthorized access to the system. Moreover, they are quite different from viruses: they are not self-replicating, unlike viruses.

So in general a virus cannot execute itself, unless it has the cooperation of the operating system or software bugs or the user intervention.

If the operating system allows files to be executed automatically because of their name or location (for example an email attachment), then a virus can masquerade as a legitimate file and be executed by the operating system without the user's authorization. This used to be the default behaviour in early email clients.

Also, if the operating system is not patched or specific software has errors that a virus can exploit to run its code, then a virus can start itself.

So to answer your question: Yes you can infect your machine by downloading and storing malware on your hard drive without executing.

Michal Koczwara
2

Generally, a virus just sitting there isn't an issue, but it's a problem waiting to happen. I have viruses on a dedicated PC just for analysis and forensics.

Here is the paranoid answer:

STUXNET was (in part) created by a vulnerability in the icon creation process when generating the icon for a file, where a buffer overflow occurred.

I can assume that any computer process that opens, scans, previews, formats, or copies a binary object (EXE or ZIP doesn't matter) may be vulnerable to a zero-day attack even if the file isn't opened per se.

makerofthings7
  • Here is a great read about Stuxnet: https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet When average Joe is targeted with this level of sophistication, we'll just have to cut off our electricity, sell all of our Tesla shares before it nose-dives, and live happily ever after. – K4M Aug 02 '20 at 13:28
1

Files, in and of themselves, cannot execute without some software causing them to run. In other words, until some sort of software tries to interpret the data as code or some particular format, either by accident or intent, they're just random bytes of data that are completely harmless. Coincidentally, the term "save to hard drive" is a bit misleading, because by the time Thunderbird has downloaded the email, the attachments may already be stored on your hard drive, in the email database file (particularly if you're not using a web-based email system, like Hotmail).

To get to the question posed here, assuming Thunderbird saves the file without trying to parse the file in any way, the file will then safely sit there until something else tries to process the data. All bets are off, however, if you attempt to preview or open the files. As such, I would strongly advise against automatically saving attachments to the hard drive, not because of the risk of infection from files reaching your hard drive, but rather because all unknown files must be treated with utmost caution until they are proven safe; it's likely you'll slip sooner or later and just happen to run that one virus you meant to delete.

Anecdotally, I used to download viruses from BBSes and various websites and read their source code as a matter of expanding my knowledge of how computers worked and how systems were exploited. One particular gold mine was a zip file that contained many zip files that contained one zip file, each one that had a binary and a single source file (most viruses back then were written in assembler/machine code). Those files sat harmlessly on my computer for ages, until I one day accidentally typed in the name of the virus mirror instead of typing in edit mirror.asm, and it executed, showing me a fun time, and trashing my master boot record. Thankfully, these days we can just spin up virtual machines to reduce the risk.

phyrfox
0

I agree with all previous comments, that a virus, trojan or malicious piece of software will not, by itself, pose a threat to any system. The code in itself is dormant until activated.

Why then does a file get activated?

There are circumstances where a vulnerability exists, that will allow otherwise legitimate files to parse information which will lead to files being executed, which will then execute the dormant code.

Such a vulnerability was part of the distribution of the Stuxnet Trojan as discussed in the following articles:

Disclaimer: Clicking on any link in the internet may pose a risk to your system.

Geoff Chappell, Software Analyst:
The CPL Icon Loading Vulnerability
The MRXCLS.SYS Malware Loader

Eset NOD Antivirus:
Stuxnet Under the Microscope

So while any malicious code in itself is dormant until activated, there are attack vectors (vulnerabilities) that will allow malicious code to be executed even though totally unexpected.

To answer your initial question:

As these .exe, .zip and .rar files have only been downloaded to my HD, can they do any damage just sitting there?

Answer:

...just sitting there?
NO, but...
...can they do any damage ...
...on their way from your mail program to your hard disk, the files could have been activated depending on the then current vulnerabilities in your system or in the programs you were using.

So parsing a file to determine its function can lead to an infection of a system if a vulnerability existed in the parsing chain.

John K. N.
0

It's true that a zero-day could happen with any activity that causes a CPU cycle that consumes the file's content as a data source. For example: it could happen when Thunderbird is saving the file to disk, if Thunderbird has a zero-day in its file-saving process. It could even happen when your anti-virus is scanning the file, if your anti-virus has a zero-day and they target it. If your anti-virus is set to scan compressed files (ZIP, RAR etc.) too, then the content of these compressed files will also be a concern, because the anti-virus needs to extract the files to be able to read them.

But, since these zero-days are valuable and quickly fixed when known, I wouldn't expect them to be in the hands of regular malware writers (the ones who keep sending you those phishing emails with malware). They simply rely on simple user clicks. That being said, if this computer is in a critical company that could be targeted, then that's a different story. Otherwise, you can ignore it. If you want to be extra careful, turn off the auto-download feature.

This assumes you are keeping your critical (i.e. most targeted) software up to date (operating system, anti-virus, mail client, PDF reader, browser, office applications). This is because once a zero-day becomes public knowledge, it becomes accessible to average malware writers too. That's usually not a concern if you're keeping your software up to date. So yes, there is a risk, I admit it :)

K4M
0

You should set the Security settings of your PC starting with whatever Browser you are using. (In your case, Firefox.) You can also set your AV Software to automatically scan any new item that is loaded/downloaded into your "Downloads" folder. This is usually called "On-Access Scanning."

user58700
0

I'll go against the previous answer and say no, you can't execute a program inside a Zip file without extracting it first. Windows Explorer can open zip files and show their content, but it must decompress the program before execution. The zip file itself could in theory contain intentionally malformed data that, in combination with a software bug, can lead to arbitrary code execution. Any program that parses the file metadata or content should be considered potentially at risk. Examples of this include parsing the file to determine its data type and enumerating the archive content.

user94592
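As an added example (not code from any answer or comment on this page), a Python triage script that does from the defender's side what RoraΖ's comment ("a file can pose as any format") and the last answer (the risk is in parsing and enumerating the archive) describe: it classifies a downloaded attachment by its leading bytes rather than its extension, and lists a zip's entries from the central directory without extracting anything. The signature table, extension sets and sample files are constructed assumptions; no real malware is involved.

```python
import os
import tempfile
import zipfile

# Leading bytes that identify the real container format, whatever the file is called.
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"\x89PNG": "png"}
# Extensions Windows hands to a loader or script host on double-click.
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs"}

def real_type(path):
    """Classify a file by its first bytes; the extension is deliberately not consulted."""
    with open(path, "rb") as f:
        head = f.read(8)
    return next((kind for sig, kind in MAGIC.items() if head.startswith(sig)), "unknown")

def zip_findings(path):
    """Report risky entries from the central directory only; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if os.path.splitext(info.filename)[1].lower() in EXEC_EXT:
                findings.append(f"executable inside archive: {info.filename}")
            # An extreme expansion ratio is how an archive exhausts the scanner that unpacks it.
            if info.compress_size and info.file_size / info.compress_size > 100:
                findings.append(f"extreme compression ratio: {info.filename}")
    return findings

def triage(path):
    """Reasons to look closer at an attachment (empty: none). This check parses the file too, so run it patched or in a VM."""
    findings = []
    kind, ext = real_type(path), os.path.splitext(path)[1].lower()
    if kind == "exe" and ext not in EXEC_EXT:
        findings.append(f"executable disguised as '{ext}'")
    if ext in EXEC_EXT:
        findings.append("directly executable attachment")
    if kind == "zip":
        findings.extend(zip_findings(path))
    return findings

def make_samples():
    """Constructed samples (not real malware): a PE stub named .png and a zip holding an .exe."""
    d = tempfile.mkdtemp()
    fake_png = os.path.join(d, "photo.png")
    with open(fake_png, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)  # a DOS header stub is enough to be classified as exe
    archive = os.path.join(d, "invoice.zip")
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("padding.bin", b"\x00" * 100_000)  # compresses far beyond 100:1
    return fake_png, archive
```

Running `triage()` over a Thunderbird attachment folder gives a list of files worth deleting unopened; an empty list is not a clean bill of health, only the absence of these particular signs.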