This post mentions many file extensions

June 30, 2022 in Archaeology, File Formats ZOO

What are Windows file extensions of interest ?

Is there a single superset of all possible file extensions that are of interest from a security perspective?

I tried to answer these questions before.

Today I wanted to re-visit it and approach it from a different angle:
– what large sampleset can teach us about existing file extensions?

To answer the question we could use regexes that focus on finding strings (references to wildcards of any sort) that look like an asterisk followed by a set of alphanumeric characters, digits, etc) but… this is a naive approach.

We can do better.

For instance, we can leverage the way applications use standard Windows dialog boxes. The filters that are provided to OPENFILENAME structure in a predictable form are perfect (potentially binary!) string targets we can find inside many samples.

There is also a popular convention of saving many such file extension filter strings using pipes which often look like this:

JPEG files (.jpg)|.jpg
GIF files (.gif)|.gif
PNG files (.png)|.png
PCX files (.pcx)|.pcx
VML files (.htm)|.htm
PDF files (.pdf)|.pdf

and more complex examples:

All_files (.)|.ALL Archives ALL Archives All_files (.)|.ALL Archives |.ace;.arc;.arj;.bh;.cab;.enc;.exe;.gz;.ha;.jar;.lha;.lzh;.mbf;.mim;.pak;.pk3;.pk_;.rar;.tar;.tgz;.uue;.war;.xxe;.z;.zip;.zlib;.zooExecutables (.exe)]
[450, All_files (.)|.ALL Archives |.ace;.arc;.arj;.bh;.cab;.enc;.exe;.gz;.ha;.jar;.lha;.lzh;.mbf;.mim;.pak;.pk3;.pk_;.rar;.tar;.tgz;.uue;.war;.xxe;.z;.zip;.zlib;.zooExecutables (.exe)]

They are not only very precise, but they also give us rough context about what these file extensions actually mean to be! From a technical perspective – we can find many of these strings embedded directly inside the samples as they are often a part of PE sections loaded to memory or are stored inside the resources..

The third option is to narrow down our research to installers only, and after decompiling their scripts, look for any registry changes that imply adding file extensions in a similar way I did research protocols. In this case we will be able to grab some metadata about what the file extensions are meant to be as well.

The search for pipe-separated strings yields so many results that this is pretty much all we need. Looking at example results we can see that:

  • nothing is reliable; some people call TXT files ‘Colon delimited text files’ 😉
  • CSV files are not what you thought they were:
*.csv Comma delimited text files
*.csv Comma-separated files (*.csv)
*.csv Text Files comma delimited (*.csv)
*.csv CSV files (*.csv)
*.txt;.csv Text Files (.txt,*csv)
*.csv Comma Separated File (*.csv)
*.csv CSV Files (*.csv)
*.csv (*.csv)
*.CSV Memories CSV Files (*.CSV)
*.csv;*.xyz Comma Delim.(.csv,.xyz)
*.csv;.txt;.xyz Comma Delim.(.csv,.txt,.xyz)
.csv;.txt;*.xyz 3Ascii / XYZ
*.csv MCSV Files (*.csv)
*.csv Export files (*.csv)
*.csv Excel CSV (*.csv)
*.csv Comma Delimited files (*.csv)
*.csv Comma Delimited CSV Files (*.csv)
*.csv CSV files
*.csv CSV Files
*.csv CSV - Comma Delimited (*.csv)
*.csv 5Comma Delimited (*.csv)
*.CSV CSV Files
.CSV CSV Files (.CSV)
  • same goes for .exe files (note localization issues):
.exe    Projector (.exe)
 .exe    SFX Files (.EXE)
 .exe    Projection (.exe)
 .exe    Self Extracting Archives (.exe)
 .exe    Proyector (.exe)
 .exe    Projektor (.exe)
 .exe    Proiettore (.exe)
 .exe    Executables (.exe)
 *.exe    Executable Files
 *.EXE    .exe;Self-Extracting Zip Files (.exe)
 *.EXE    *.*.exe;Self-Extracting Zip Files (.exe)
 .exe    Executable Files (.exe)
 .exe;.dll;.ico    Icon files (.exe, *.dll, *.ico)
 .exe    Exe Files (.exe)
 *.exe    Exe Files
 *.exe    Executables Files
 .exe    EXE Files (.exe)
 *.EXE    Program Files
 *.EXE    Executable Files
 *.exe    Executable files
 *.exe    EXE Files
 *.exe    Exe files
 *.ptx;.exe    E-Transcript Files (.ptx; *.exe)
 *.exe    Executables files
 .exe    Executable files (.exe)
 .EXE;.DLL    PE Files
 *.EXE    EXE files
 *.exe    .Image Files (*.exe)
 *.exe;.dll    EXE or DLL Files (.exe; *.dll)
 *.exe    executive files (*.exe)
 *.exe;*.exe    Exe Files
 *.exe    exe files
 .exe    ExE files (.exe)
 .EXE    ,Executable files (.EXE)
 .exe    -Executables (.exe)
 *.EXE       *.exe;Self-Extracting Zip Files (*.exe)
 *.exe    programs (*.exe)
 *.exe    Program files (*.exe)
 *.exe    MapleStory Execute Files
 .exe    Exe-files (.exe)
 .exe    2Executable Files (.exe)
 .exe;.scr    Execute Files (.exe;.scr)
 .exe;.ico    Executable and Icon files
 .exe    Hiddukel files (.exe)
 .exe    Application Files (.exe)
 .exe;.com;.bat    Executable Files (.exe;.com;.bat)
 .exe;.com    Executable files (.exe;.com)
 .exe    exe files (.exe)
 .exe    Win32 PE Files (.exe)
 *.exe    Program Files
 *.exe    PHP Interpreter (*.exe) 
 *.exe    GOP File (*.exe)
 *.exe    ExecutableFiles (*.exe)
 *.exe    Executable (*.exe)
 *.exe    Exe files (*.exe)
 *.exe    EXE files
 .exe    Applications (.exe)
 .exe    -Application (.exe)
 .exe    +Exe Files (.exe)
 .exe    (.exe)
 .exe     (.exe)
 *.EXE    Executable files
 *.tarCAB (*.cab)    *.bh;.exeTAR (.tar)
 .ico;.dll;*.exe    Icon Files
 *.exe;.dll;.ico;    All supported Files
 .exe;.com;.scr    Programs (.exe;.com;.scr)
 .exe;.com;.bat    Programs (.exe;.com;.bat)
 .exe    PE Files
 .exe    veis (.exe)
 .exe    executable files (.exe)
 .exe    WExecutable files (.exe)
 .exe    Victim programm (.exe)
 .exe    Trojan server files (.exe)
 .exe    Programs (.exe)
 *.exe    PE FILES
 *.exe    Move Item DownrExecutable (*.exe)
 *.exe    Executeable Files
 *.exe    Application files
 *.exe    ,Executable (*.exe)
 *.com;.exe;.dll    Programs (.com,.exe,*.dll)
 *.EXE    EXE Files (.)
 .    Program Files (*.exe)
 *.exe;.scr;.bat;.pif;.com    NExecutable Files
 .exe;.lnk    Executable Files (*.exe, *.lnk)
 .exe;.exe_    executable files (*.exe)
 *.exe;.dll;.ocx    Executable Files (.exe;.dll;*.ocx)
 *.exe;.dll    Applications (.exe *.dll)
 *.exe;.cab       DFront-End Patch Files (.exe,*.cab)
 *.exe; .dll    Executable files (.exe;*.dll)
 *.exe;    Exe-Files (*.exe)
 *.exe, .dll     (.exe; *.dll)
 *.exe*    Executable files
 .exe     Executable files (.exe)
 .exe    gApplications (.exe)
 .exe    Trojan files (.exe)
 .exe    Text Files (.exe)
 .exe    Servers (.exe)
 .exe    SFX-ZIP files (.exe)
 .exe    RouterUtility (.exe)
 *.exe    Program files
 *.exe    Program (*.exe)
 *.exe    PE Files (*.exe)
 *.exe    PE Files
 *.exe    Logon Screen Files
 *.exe    Execuvel (*.exe)
 *.exe    Execution Files (*.exe)
 *.exe    Executeable Files (*.exe)
 *.exe    Execute Files
 .exe    Executavel (.exe)
 .exe    Executables Files (.exe)
 .exe    Executable Files(.exe)
 .exe    Exec Files (.exe)
 *.exe    ExeFiles
 *.exe    ExeCutable Files
 .exe    EXE files (.EXE)
 *.exe    EXE FILES
 *.exe    Diagnostic Utility (*.exe)
 *.exe    Choose quarantine folder.0Applications (*.exe)
 *.exe    Application files (*.exe)
 *.exe    2Executeable files (*.exe)
 *.exe    2Executeable Files (*.exe)
 *.exe    .PE EXE files (*.exe)
 *.exe    *.exe
 *.exe    %s (*.exe)
 *.exe     Programmi (*.exe)
 *.exe       .Lmgrd files (*.EXE)
 *.bmp;.ico;.exe    Picture files
 .atm;.exe    Executable Files (.atm;.exe)
 *.Exe    Portable Executable Files
 *.Exe    Executable Files
 .Exe    Exe Files (.Exe)
 .EXE;.DLL;.ICO    Command BoxHIcon Files (.exe, *.dll, *.ico)
 .EXE;.DLL    Executable File Images (.EXE;.DLL)
 .EXE;.COM    Executable Files
 .EXE    Program files (.exe)
 .EXE    Program Files (.EXE)
 *.EXE    Executable PE files
 *.EXE    Exe Files
 *.EXE    EXE Files
 *.EXE    Application (*.EXE)
 *.EXE       ;Self-Extracting Zip Files (*.exe)

My script is still running so I will update the file linked above once the processing is completed.

The bottom line is that there are so many software applications out there registering so many file extensions that vulnerabilities inside these software packages are here to stay, for years. There will also never be a perfect superset ‘file extension’ list that you can use to block your environment from. Quite the opposite, this post is very 2010 in nature as many ‘platforms’ created over last few years created completely new environments where email attachment is no longer the only option of getting in. Attachments added to support tickets, resumes/CVs uploaded directly to ‘job portals’ and bypassing traditional email filters, as well as any sort of malicious schema or script adjustments uploads that are ‘features’ of ‘platforms’ in disguise are the new frontier and EDR won’t save your from it – we are now oscillating back from endpoint security back to network security, but on a different layer of abstraction…

Comments are closed.