What if there were a type of file that could hide its nature from you; might appear to be any file type, and when clicked with your mouse, could run as a program -- potentially as a hostile program -- when you least expected?
Such a file type does exist. Presently, most Windows users don't know of its existence.
But let's start at the beginning, shall we?
Starting back in the days of Windows 3.1 (around 1992 I believe), Microsoft introduced an old idea under a new name: Object Linking and Embedding (OLE). Complex in its details, OLE is simple in concept. It allows the inclusion of data from one type of file or document, within another; and it allows multiple applications on the same desktop to share information.
It's the "Embedding" part of OLE we're most interested in at the moment. A common example, familiar to many users of office applications, is the inclusion of spreadsheet data in a word processor document. Often the most your word processor can do with such data is to display it. It may sometimes do no more than to show an icon. Double-clicking on the object or icon will open your spreadsheet application and viola! you can view and edit the specialized type of data using its native application. Microsoft Word, for instance, will open Excel in the "background" so that a spreadsheet object -- still embedded in the Word document -- can be directly manipulated.
This is very handy of course. OLE is behind a lot of the convenient behavior you've come to take for granted in Windows.
Naturally it's important to be able to transport "objects" which are embedded in documents, etc., from one place to another, embedding them wherever one pleases. OLE provides for this, using a file format of its own. That file format contains the embedded data in a sort of "wrapper." Thus, you can have a standalone file which is readily pasted into any application that uses OLE, carrying along with it the important information about its type, original location and so forth. A file of this type is called a Shell Scrap Object and uses the extension .SHS. I also see it called a Scrap Object.
The standalone SHS file will behave conveniently just as it did when embedded. A double-click will cause its contents to be opened in the appropriate application... or executed. That's right. Executable files can be embedded too. This is where the fun starts.
Tear a Scrap off Your Notepad
Let's make an executable scrap file, shall we?
First, find and open Wordpad; it's in your Start Menu under Accessories.
Now, using Explorer or the Find dialog, locate Notepad.exe in your Windows folder.
Using the mouse, drag and drop Notepad.exe into the Wordpad window. You should wind up with the Notepad icon right there in the document, like the illustration at right. If you double-click the embedded icon, Notepad will open.
(If you're using Windows 2000, at this point you must alter the object's attributes using the Object Packager for the next steps to work; see below for an example.)
Right-click on the Notepad icon in Wordpad. Select "Copy."
Right-click on your desktop. Select "Paste."
This icon: should now appear on your desktop. Notice how similar that is to the default text icon?
Note, too, that the file is named simply "Scrap" -- even if you have set Windows to show you all file extensions!
Now, right-click on the Scrap icon and select Properties. The Properties dialog clearly shows that the file's actual name is SCRAP.SHS.
Close the Properties dialog. Now, right-click on the Scrap icon again and select Rename. Rename the file to "urgent.txt" (minus the quotes). It will look like this: It could pass rather easily for a genuine text file. Its real name, of course, is URGENT.TXT.SHS.
Now... double-click that file. The Notepad program that's within the scrap object will obligingly open.
(Hold onto that file. We'll be doing something more with it later.)
That isn't all. Even if the object in a scrap file is not executable, a command can be associated with the object, which will be executed when it is double-clicked!
I created an example of this capability, which you can find here: format_a.shs. This scrap file will format drive A: -- so use it with care! You may wish to test it on a blank floppy. (Netscape users will have to hold down Shift while clicking on that link in order to save the file to disk.)
To make this file, here's what I did...
The icon of this Wordpad object can be dragged to the desktop and it will take on the default scrap icon and the Scrap.shs filename. Here's the document containing the object: spoof.doc
When clicked upon, either as a scrap file or while in the document, this object will immediately open a DOS window and format drive A: -- permanently erasing all data on the drive. Incidentally, I provide this as an example of the fact that powerful commands can be executed by a scrap file. As a real exploit, the format command would not work on any drive (such as C:) which is in use by running processes. For instance, if a program located on drive A: is in use, you'll see this message:
Drive A: is currently in use by another process. Aborting Format.
However, as you can see, the icon and the label need have nothing whatsoever to do with the object. And, even if the file contained in the object is totally innocent, it can carry a command.
In case it hasn't aready dawned on you... scrap files and embedded objects present some really sneaky possibilities for concealing a hostile program or command. Anyone who doesn't know what a scrap object is, or who fails to recognize that icons and labels can lie so convincingly might easily regard a hostile scrap file or embedded object as being quite safe to open.
Why does the extension stay hidden?
In the Windows Registry, under the key HKEY_CLASSES_ROOT\ShellScrap there is a value named "NeverShowExt" -- which is what causes this behavior. Its presence forces Windows, regardless of other settings, to hide the file extension.
This "NeverShowExt" value occurs elsewhere in the Registry as well. The various types of shortcuts on the Desktop are familiar examples. Shortcuts typically have the extension .LNK, which users rarely ever see.
Removal of the "NeverShowExt" value (its actual deletion) will cause Windows to display the .SHS extension. For most users, I would recommend doing so. Those familiar with DOS commands (file extensions always show up in a DOS listing) and/or who are already alert to the facts might consider it a minor issue on their own machines.
What about deceptive icons and labels?
The command associated with an embedded object (one that's in a document) can be seen using the Object Packager. Just follow the steps that I used above to change the command. To determine the actual contents of an object that has been given a new icon and label, the best method I know would be to open it in the Object Packager (again as above), and select File... Save Contents; place the file where desired and then examine the saved file (which will not be a scrap file but the original embedded file), preferably with a binary file editor such as WinVi32.
A "loose" scrap file can be dragged into a document and accessed with the Packager from there.
By all rights, it should be easier to tell what's in a scrap file. By all rights, the extension shouldn't be so hard to view. Why has Microsoft has set these things up this way? I can only speculate. And when I do try to speculate -- I'm at a loss! I have absolutely no idea!
|Aha! There's another way to view a scrap. The image
below illustrates... On Tuesday, 20 June 2000
It turns out that if you go under File Types/Folder Options you can "Enable Quick View" for the Shell Scrap and Shortcut into Document file types. This usually leaves you looking at a binary file in text mode -- less than desirable, and when i selected "Open File for Editing" it executed instead (!) but since the package prominently features the name of the executable file that was packaged, and since you can scan for fishy and/or informative string literals, it's a q&d* better than nothing.*q&d=quick & dirty
Quick View once enabled will appear as a right-click option. Results may vary.
By The Way...
There is another "scrap file" type. The .SHB extension marks a file type called "Shortcut into a document," intended to point to an embedded object within a document. You can see it listed in the illustration just above.
I had no success generating a .SHB file using Wordpad. But if a .SHS "object" is renamed to carry the .SHB extension, it will behave exactly the same way. The NeverShowExt Registry value (this time located in HKEY_CLASSES_ROOT\DocShortcut) prevents the .SHB extension from being displayed.
Everything you are reading here about the behavior of .SHS applies equally to .SHB.
Something I found interesting about this mechanism is how long it existed before it appears to have been exploited.
But it certainly has been exploited. The technique even has a name. An executable in a scrap file is said to be "scrap-wrapped."
I spent quite some time searching the Web and the Deja.com UseNet archives for information, warnings and exploits of scrap objects. I found that surprisingly little has been said about it, even to the present day. Here's what I found:
12 August 1998
Stiller Research, an AV vendor, appears to have publicized the threat of scrap files earlier than anyone else. Their page is however not fully informative and it's angled to sell their product: Warning about SHS files in Email26 May 1999
Nine months later, the subject is raised in a web board discussion at Packetstorm.10 June 1999
It comes up again after a couple of weeks, in a web board discussion at Slashdot.14 June 1999
Perhaps not coincidentally, just days after the Slashdot discussion, an email exploit of .SHS appeared, aimed at AOL users. The writer falsely claimed he worked for TPA Software. TPA exposed the password-stealing scam on its website: Scam Alert!11 August 1999
A UseNet message titled "Some Passwords" was posted to the za.ads.jobs, za.humour, and za.schools newsgroups, containing a file named "passwords.txt [many spaces] .shs". The original message containing the attachment is not in Deja.com's archive, but responses to it (such as this one) remain. It was reportedly also a password-stealing trojan.1 November 1999
Finjan Software, a security software vendor, issued a warning to its customers which was picked up by various news services: Microsoft Scrap File Trojan
AV vendor F-Secure Corporation carries a prudent warning about .SHS files, date unknown.
Amazingly, the links above comprise the bulk of the material on this exploit that I was able to find! It is mentioned in numerous places as an executable file type, sometimes with caution advised; and an overblown email hoax on the subject was circulated. But the rather sneaky characteristics of .SHS files and their use as an exploit have gotten very little exposure overall.
Even more amazingly, although you will find .SHB listed as an executable type, not one of the warnings I have seen about the .SHS file type has made any mention whatsoever about the identical behavior of the .SHB extension.
So Now What?
First of all, let's find out how your browser and your email application behave with respect to .SHS and .SHB files. Those are the primary points of entry to your system; so you need to know how scrap objects are handled.
I have provided two scrap object files. Both are identical, made with Wordpad by the steps outlined above. They contain Notepad.exe.
As a simple test, you can download these files to test your browser's response. Does it recognize them as executables? Does it offer a choice to save or run the files? Does it try to display them as if they were text? Try it out and see:
If your browser offers you the option to run the scrap object file, go ahead and try it. (It's just Notepad, don't worry.) Does it provide any additional warning or alert?
As far as I know, Netscape and Opera will try to display these files as if they were texts. (To save to disk, Netscape users will need to hold down Shift as they click on the links.) Internet Explorer will offer to save or open the files, with a mild warning. Choosing to open will run the embedded executable or command.
If you get any results you think people should know about, send me an email. Tell me what browser and version you're using, and what happens. I'll add important details to this page, and credit you for your assistance if you wish.
A simple, sure-fire way to check your email application's response is to email a copy of your scrap object file to yourself.
Go ahead and do that with the file you made earlier (see above). If you don't know how, try opening a new message and just drag and drop the file's icon into the message window. This works with most email apps.
Send the message, then retrieve it from your mailbox.
Does your email application display the entire filename? Or does it hide the .SHS extension? Does it produce any sort of warning or alert when you double-click on the file?
I can tell you that Eudora Pro version 3.x shows the entire filename. It ignores the Windows settings. But as with all executables, it produces no alert when the file is run.
Eudora Pro version 4 and above can produce a warning before opening any file type, as specified by a line in the file eudora.ini. This is the line, modified to include scrap files and some of the VB Script extensions:
The line must end with the "|" character.
Reportedly, Lotus Notes offers three user options for any file attachment: View (which applies Lotus default apps as viewers), Launch, and Detach.
Lotus Notes does reveal the file extension, and the options behave as follows: View finds no applicable Lotus viewer. Launch executes a scrap file without warning. Detach saves to disk.
Microsoft issued a patch for Outlook which, it claims, produces a warning whenever executable files are run from within the email application. Outlook users can find the patch here: Outlook E-mail Attachment Security Update
The update page claims:
Once installed, the patch will provide more explicit warning language when attachments are opened. You will be required to save the attachment to the file system before opening it. These patches can help you avoid accidentally releasing viruses that hide in certain files.
It also says:
The attachment warning runs for all attachments with executable file name extensions.
But Outlook users who have applied the patch report that the warning (which is certainly helpful) comes up no matter what the file type is, executable or not; and that it doesn't force the user to save. The image at right, sent in by Gordon Hutchison, illustrates.
The alert dialog offers a checkbox option: "Always ask before opening this type of file". For .EXE and a number of other executable file types the option is grayed out, meaning the alert cannot be disabled for that file type. But for .SHS and .SHB files, the checkbox is enabled; so the alert can be disabled. So evidently scrap files are not recognized as executables in this context.
(Hold The Presses: New Outlook Update)
Now (16 May 2000), as a result of the LoveLetter worm incident and the richly-deserved criticism that followed, Microsoft has issued yet another patch: Outlook E-mail Security Update
This new update actually does deliver on the false promise of the abovementioned patch. It forces the user to save executables, after which they must be opened as a totally separate action independent of the email application.
This will sometimes be inconvenient, especially to users unfamiliar enough with their own machines to find and run the resulting file. But then, those are the very users who're most likely to foolishly run hostile attachments! So I think it's a fairly good idea, especially for business environments and novice users.
The patch does somewhat more to absolve Microsoft of responsibility than it does to correct the more basic problem, which is a matter of the user's exercise of good judgement. The much more dire warning about potential consequences is, in my opinion, the most on-target aspect of this update. Some users find this update as much a problem as a solution. I don't consider it important for a savvy user to install.
Predictably, the list of file types restricted by the update includes .SHS files but not .SHB. If you want to include the equally hazardous .SHB extension in the restricted list, you'll have to add it manually.
Thursday, 22 June 2000 Sue Mosher <firstname.lastname@example.org>
You might find my page at http://www.slipstick.com/outlook/esecup.htm interesting, since it pulls together much of the information on the Outlook E-mail Security Update that Microsoft has scattered through the MSKB*. I think it may include .shb files. At least, I sure can't get an .shb file to go into an Outlook message on my patched system. You cannot add file types to the released version of the patch, though this feature was in the beta. FYI, the reason that the earlier Attachment Security Update does not block shs or shb files from being opened from within Outlook is that the list of blocked file types is woefully incomplete. (It does not block vbs files, for example.) Blocked files show a completely different dialog from the one on your page. The update included in Office 2000 SR1/1a does block vbs files, but I haven't tested it with shs files (and can't on the machine I'm typing on, since it has the more recent security update installed). The SR1/1a version also allows you to customize the blocked files list with registry entries. See http://www.slipstick.com/addins/utilities/attsecup.htm.*MKSB=Microsoft Knowledge Base
Sue's site is a wonderful reference source for Outlook users.
For Outlook Express users, I haven't seen a patch or update that addresses the scrap object file types. OE reportedly shows the file extension, but may truncate longer filenames depending upon how it is set to display attachments.
As with Outlook, a popup dialog offers options to Save or Open. Text of the dialog seems to vary somewhat with version.
I'd like to hear from Outlook Express and Outlook users if they discover any further change or important issue, so I can report it here.. Please be sure to tell me your Windows version and Outlook or Outlook Express version, and what updates you've installed.
It has probably already occurred to you that knowing all about scrap objects, you're now very unlikely to be fooled by them. You know what the .SHS and .SHB extensions represent, and you'll be alert to the "Scrap" icon. You also know that running objects in documents can be hazardous.
However, you or someone in your household might still be fooled, with disastrous results. In addition to patching your browser and email applications, here are a few precautions you can take:
Alter or remove both file types in the File Types dialog. (Open an Explorer window, and select View... Options... and the File Types tab. Look for Shell Scrap Object and Shortcut to Document.)
To disable scrap files very thoroughly, remove or rename the shscrap.dll file in your System folder.
Scrap objects and embedded objects, if they are known to the user, are not a major threat. The problem is simply that the hidden scrap file extension allows the files to masquerade as another file type, and the obscurity of these objects (lots of people just don't know about them) means that some users might fail to recognize them as executable programs.
Given the information on this page, plus the exercise of ordinary caution which should always apply to programs of unknown origin, you need never suffer from any scrap file exploit.
If you should discover anything more of interest about scrap objects that you think should be included on this page, please feel free to drop me a line.
Many thanks to those helpful persons who've contributed to the
info on this page, including but not limited to: Milly, Steve A.,
Stan, Ojatex, Gordon, Darius and Buzz.