166

When a machine has been infected with malware, most of us here immediately identify the appropriate action as "nuke it from orbit" - i.e. wipe the system and start over. Unfortunately, this is often costly for a company, especially if backups are configured in a less-than-optimal fashion. This can produce resistance from management and users who just want to carry on using the machine for work. After all, as far as they're concerned, they can "just run AV over it" and everything will be fine.

How do you explain the problem to management and users of a non-technical nature? I could easily produce a technical reason, but I'm having trouble coming up with the appropriate wording for non-technical users. I'd especially appreciate any way of speaking that the recipient can identify with, e.g. appealing to a manager's sense of risk management.

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
Polynomial
  • 133,763
  • 43
  • 302
  • 380
  • 6
    More to the point. How can a user's data safely be transferred to a new machine. This is a problem I run into. – k to the z Nov 19 '12 at 16:17
  • 6
    @ktothez It's better to not transfer user data; e.g., rely on a safe backup from before infection. However, if necessary I'd do something like [my answer](http://security.stackexchange.com/a/24221/2568) convert MS Office docs to plaintext docs/CSV files on the infected machine, boot into a linux live cd on the infected computer, mount the infected hard drive with `-noexec`, and then selectively copy the limited number of plain-text documents from the infected machine to another computer. However, be suspicious of your files being maliciously altered--e.g., config files, passwords, data, etc. – dr jimbob Nov 19 '12 at 20:15
  • Is it not enough merely to say that the course of action you propose is the only one which guarantees the desired outcome (assuming of course that it is the only course of action which guarantees the desired outcome)? – jah Nov 19 '12 at 22:10
  • @ dr. jimbob I do something similar. – k to the z Nov 19 '12 at 22:29
  • 9
    @ jah unfortunately IT doesn't run the show most places. IT decisions are often overridden by people lacking IT knowledge. – k to the z Nov 19 '12 at 22:29
  • 24
    @jah Sadly, no. The desired outcome for them is absolutely minimal expenditure in order to mitigate the risk. The desired outcome for me is absolutely minimal risk. The trick is to find a balance that works well for both sides of the coin. Unfortunately, that balance can't easily be reached unless both sides understand each other. – Polynomial Nov 19 '12 at 22:53
  • 2
    "Oh, my car got a flat tire." "NUKE IT FROM ORBIT!" – Chloe Nov 20 '12 at 18:43
  • @Polynomial: Something everyone understand (or should) is Return On Investment. The long term best ROI is probably your recommendation - minimize the risk. Minimal expenditure is probably more costly in the long run. Even management would unerstand that (if they trust you). – Zano Nov 28 '12 at 10:47
  • -1 *Who says* every little infections requires nuking from orbit though? If my hand starts hurting are you going to require amputation just because you think it *might* be something that could spread to the rest of my body? And *who says* even nuking from orbit might be sufficient? There's always a chance (however remote) that your malware has e.g. infected the firmware and will survive a wipe. Really, this question makes no sense. – user541686 May 12 '16 at 00:00
  • 1
    @Mehrdad It depends on your risk model. If you're running a desktop system at home, maybe it's no big deal. If you're running a web server which handles customer data, then replacing the system makes sense in a lot of scenarios. Also, the upvote/downvote buttons are, usually, for use when the *quality* of a question is poor, not when you think the asker is wrong. If you disagree with the premise, write an answer to that effect. – Polynomial May 12 '16 at 09:16
  • 2
    @Polynomial: You said *none* of that in your question! *"It depends on the risk model"*...? Yes, that's exactly what I was saying, and that's exactly what your question is ignoring. *"A web server which handles customer data"*...? Nowhere in your question did you assume that was the case; you just said "machine", and for all the reader knows, you could be talking about your engineers' workstations, or servers that don't deal with customer data. *"Replacing the system"*...? You said wipe, not replace, hence the last part of my previous comment. To me the question *is* of low quality... – user541686 May 12 '16 at 09:48
  • 7
    @Mehrdad Fair points. I wrote the question without including these things as I wanted to avoid the somewhat philosophical discussion of risk appetite and incident response approaches. Of course these things matter in making a decision on *whether* to nuke a system from orbit, but the question was posed from a perspective where (at least from the perspective of a security manager) nuking it from orbit has *already* been chosen as the most appropriate action. Trying to elucidate the reasoning for this to a non-technical person is difficult, and that's what this question is about. – Polynomial May 12 '16 at 10:55

10 Answers10

156

In my experience management doesn't like to listen to clever analogies. Depending on the person they care about the bottom line in dollars or hours of productivity. I would explain:

The actual bottom line is that a compromise of our data will cost the company approximately X dollars + Y hours to recover. This is Z% likely to happen given the malware that is on this machine. A new install will cost A dollars + B hours to recover. You pick the appropriate action.

It's short and clear and doesn't really leave them any room to argue. They will clearly understand the risk and should make the right decision.

KDEx
  • 5,011
  • 2
  • 21
  • 35
  • 80
    The problem is the fundamental _uncertainty_ regarding X% - once an infection has occurred, it could be anywhere between 0% and 100%. There's no way to tell where, and there's only one way to get it down to 0%. This is a more fiddly concept than risk. Also, for clarity, I'd suggest using different variables for dollars and hours, e.g. Y and Z. – user3490 Nov 19 '12 at 17:03
  • 5
    Good answer, KDEx: security is an economic good, with a cost and a value. My own thought is that the X% of malware is probably wildly overestimated, leading the the "nuke it from orbit" habit, but I've only really dealt with Solaris and Linux malware. Windows malware certainly sounds weirder and more persistent. – Bruce Ediger Nov 19 '12 at 19:09
  • 1
    The problem is in costing the effect of downtime - but that shouldn't be your responsibility - however you do need to know that to cost the potential solutions. But do beware if relying on AV as a fix: Art Taylor estimates a 30% likelihood of a good outcome - but IMHO this is rather optimistic - you'll likely end up just temporarily removing some of the symptoms. – symcbean Nov 19 '12 at 21:49
  • 2
    @KDEx you need to consider your audience and tailor your answer to them. $X > $Y can be the best answer for certain audiences, but not all managers think so concretely, even having the numbers laid out. If they did, they would not be trying to override the expert in the situation with their own technical solution (run AV over it!). Granted, you need to know your numbers when the discussion gets to this point, but even you state there is room for interpretation (X%), which means there is always room to argue. – schroeder Nov 19 '12 at 22:28
  • It's not always just a comparison of dollars, it's a risk-assessment. By providing dollars, time, and risk of varying solutions, your are assisting management in making an intelligent risk-assessment. The comments about uncertainty regarding risk (X%) is moot - it's an estimate based on expert opinion and experience. If management doesn't trust you enough to take your expert opinion as such and argues your estimates, then you've already lost and won't succeed in convincing anyone no matter how clever your analogy. – Cypher Nov 19 '12 at 23:53
  • 1
    @BruceEdiger There is proof of concept malware that can even hid in the laptop battery making a reinstall from scratch ineffective, luckily it's proof of concept. All it takes is a little fiddling with the MBR and it's very difficult to detect and will be able to reinstall itself each boot. There are numerous other places in the system for malware to hide, the problem is and always has been finding them all. – ewanm89 Nov 20 '12 at 01:16
  • The difficulty here is providing them with a reasonable estimate of X% and costs, in the confines of an elevator pitch. They don't want a long conversation - they just want reassurance that the most cost-effective option is the one we're going for. Cost-effectiveness might hinge on risk assessment in the long run, but attempting to give a reasonable estimate of X% is a knife edge. Stray too low, and they're likely to take the AV approach instead. Go too high, and you risk coming across as a FUD peddler. Even if you get it right, you *might still get owned*, which leaves you in hot water. – Polynomial Nov 20 '12 at 08:30
  • 1
    @Polynomial that sounds like a lot of uncertainty...which to many in management (depending on industry) _is_ the definition of risk. Therefore by definition it's a hard estimate. Being an expert in the field you are the most well positioned person to make that assessment and provide it to the decision makers, no? – KDEx Nov 20 '12 at 12:53
  • Regarding the cost of down time, there really is no cost, as in any proper environment you will have a staging server ready to go. Transfer the staging image to the production server and you are done, more or less (depends on how well your development environment is kept up). – Drunken Code Monkey Sep 21 '16 at 03:24
57

I would avoid the biological or non-business analogies (unless this is a hospital). Your job is to assess risk, cost, and provide options. Your management's job is to make the decision based on your analysis and advice.

Generally, an approach in a tabular format is best. "approach", "likelihood of correcting the problem", "cost" are the minimum needed. You can call the second "Vegas" if you absolutely have to get cute.

For example, in this case, you may have the following.

Approach                       Prognosis     Cost
Run anti-virus on machine      30%           4 hours IT, 4 hours downtime
Replace machine w/new machine  75%           $3,000, 16 hours IT, 4 hours downtime
AV machine, copy user files, 
    replace machine, restore   60%           $3,000, 24 hours IT, 4 hours user, 8 hours
    files                                        downtime

In this list (assuming a user desktop), the real problem is user behavior. You'll want to document why the prognosis is < 100% for the various options, and why anything involving user files is less effective than "nuking from orbit".

Depending on the issue, you may want to add "doing nothing" or "waiting" that will inform your management of the risks to the business at large.

Art Taylor
  • 671
  • 4
  • 4
  • 11
    +1 for the cost-benefit table. This is really what most management wants to see. – Cypher Nov 19 '12 at 19:07
  • 1
    This is a very good answer. The table of course, and also the scenarios of doing nothing or waiting that you mentioned, even if you can't quantify the downside risk that well. They are nevertheless viable options, and that's great that you included them. Context specific analogies are great but only if directly relevant to the business. If you can't do it with certainty, best not to try, and definitely better not to frame things in terms that will reinforce tedious stereotypes about IT and security staff work culture. – Ellie Kesselman Nov 19 '12 at 20:07
  • Interesting answer, the downside in my opinion with a hard numbers answer is where do the percentage likelihoods come from? In a lot of security when people try to quantify things like probabilities and costs the numbers have an element of "best guess" as there really is no good way to predict them and then if challenged on why they are that level, it's hard to defend them.. – Rory McCune Nov 19 '12 at 22:07
  • @RoryMcCune While I don't know if it's what ArtTaylor has in mind, I would think of it along the lines of IT saying _"This is what we want you to do"_... While still leaving the final decision in their hands – Izkata Nov 20 '12 at 19:15
  • Why would you replace the machine? Why wouldn't you just wipe the hard drive and reinstall the OS? – naught101 Nov 21 '12 at 09:40
  • Quite often, an IT department will have a number of machines staged for replacement or delivery to new hires, either new machines or machines that have been cleaned after someone has left the company. Hiring managers often stink at letting them know that someone is starting on a particular date, so they buffer hardware. In this case, it's often simpler and less expensive (not to mention less disruptive) to walk to the person's desk, take their laptop, give them a "new" laptop, and wait for them to befoul it. – Art Taylor Nov 21 '12 at 20:23
  • 1
    @RoryMcCune if you haven't established trust so management will take your estimates without debate on a small issue such as this, you have to work on that first. Until then, you need to use historical numbers from the usual sources (Gartner, Forrester, AMR, etc.). – Art Taylor Nov 21 '12 at 20:25
  • @ArtTaylor but if you haven't established trust is giving numbers that you can't back up really a good idea. Interesting point on historical numbers but for this scenario (i.e. the probability of a given A-V product removing a specific infection) there are no historical numbers which would actually stand scrutiny as far as I'm aware, if there are a link would be a good update :) – Rory McCune Nov 22 '12 at 08:22
34

You can drink all the red wine anti-virus you want to try and prevent getting cancer, but once you get that first tumor, more drinking isn't going to help. You need to cut it out and make sure that you get all of it, because if you don't it will come back again.

Once you get infected with a virus, the obvious symptoms are an annoyance, but it is what you cannot see where the true danger lies. Backdoors, rootkits, and botnets can all hide without any indication that there is anything wrong. Sometimes the hidden dangers are combined with obvious dangers so you feel secure once the obvious symptoms are gone, but the obvious is a distraction from the hidden.

Once you know that you have been infected, you do not know how far the infection goes, and not knowing that means you do not know what is at risk. The most basic course of action is to nuke it from orbit. That way you know where you are and you know what your risk is, even if there is a significant cost to starting over from scratch.

Giacomo1968
  • 1,184
  • 5
  • 16
schroeder
  • 125,553
  • 55
  • 289
  • 326
  • 68
    Your cancer analogy doesn't hold up well. "Nuke it from orbit" corresponds to "shoot the cancer victim and start with his most recent clone", not the preferred solution generally. – CodesInChaos Nov 19 '12 at 15:24
  • 12
    @CodesInChaos, that entirely depends on the user in question. ;) – GdD Nov 19 '12 at 15:24
  • 14
    It holds up fine. We can't replace all cells in a human body, but we wish we could. Cancer is never 'cured' it is 'survived' because we can never be sure all cancer cells are removed. With a computer, we have the ability to replace all the cells to ensure that all malignant elements are no longer a factor. – schroeder Nov 19 '12 at 15:30
  • 2
    I'd say iodine rather than red wine, but I do like that cancer analogy. Needing to cut it out of the network works quite nicely. – Polynomial Nov 19 '12 at 15:48
22

That's easy - just finish the quote in your question, from Aliens.

It's the only way to be sure.

That's really all there is to it. Nothing more, nothing less. Let them know that if you run the AV software on it and the software says it has found and removed the virus, then maybe they're ok. Maybe. If the virus was really removed. If that was really the only virus.

To respond to what someone else posted about "How to save user data from the machine" the answer is that you don't. "TAKE OFF AND NUKE THE ENTIRE SITE FROM ORBIT" That means you restore from backup and they lose anything that wasn't backed up. It's not the easy thing to do, it's the right thing to do.

Because it's the only way to be sure.

Mark Allen
  • 320
  • 2
  • 6
14

Try spies. The last James Bond opus appears to make millions of entries, so the crowd at large is, for now, receptive to spy stories. Explain that once unreliable/hostile people are in charge (that's the "compromised" setup), there is no way to recover proper security by asking them to do it; and yet, that's what running an AV on an infected machine is about. Spy networks around the world have always been seggregated into autonomous cells precisely so that the rotten parts can be severed. Once an agent has been subverted, you can perhaps subvert him back, but never will you trust him again.

To make the demonstration more complete, talk about infected keyboard firmwares, which highlights the necessity to really put the machine to fire. Reusing the hardware, even after a wipeout, is risky. Therefore, managers/users should feel grateful that we accept not to do the full cleansing, and limit ourselves to logical nuking, not physical. Make it felt that it already is a grave compromission on your part.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • 3
    Whilst this is a good way of putting it from a literary perspective, I fear that such an explanation would leave most middle-management dumbfounded from a completely different point of view. – Polynomial Nov 19 '12 at 15:50
  • Do you know if Apple did anything about the keyboard firmware hack, or if it's been seen in the wild? – Dan Is Fiddling By Firelight Nov 19 '12 at 16:39
  • I am not aware of anything done against it, or of any sigthing in the wild. But this does not prove much... – Thomas Pornin Nov 19 '12 at 18:03
  • @ThomasPornin, Besides throwing away the hardware (that has nothing wrong withn it), If the keyboard firmware is infected, Is a reset-to-factory-default still a possible remedy? – Pacerier May 05 '15 at 05:01
14

To be the devil's advocate, management has heard all of this. Security is risk management and they need to make the decision. Just remind them of the tools.

Risk = Probability of occurance X impact of occurance

100% chance of production downtime during the rebuild and costs of rebuild vs. 0.01% chance of malicious software or backdoors remaining in the system.

Who would control the back doors? Cybercriminals performing serial crimes from China, Russia or Eastern Europe. What would they have access to? system data, file shares, keyboard sniffers, microphones, cameras, etc. How much would they be able to sell that information for? How long could they go undetected?

What does that mean for the machine in question and the information on it?

Then provide your assessment of the target (using your limited information), and let them make the decision. They know the finances and they have more insight as to the true value of the target.

There are plenty of other vectors for attack. Disgruntled employees, contractors and their equipment, backdoors in legit software, misconfigured security systems, unencrypted drives, etc. It's an imperfect world. The money and time spent rebuliding might be better spent elsewhere, like fixing the password policy, hardening your email servers, improving backups, etc.

mgjk
  • 7,545
  • 2
  • 21
  • 34
6

From the technician's point of view, you're certainly correct. But the CEO is not looking at this from the technician's point of view. So you either have to make the argument in terms that make sense to him.

No solution is absolutely 100% effective. Not even "nuke it from orbit". What you get is probabilities. Put that on a cost-benefit table, and you're speaking language the CEO can understand: (numbers here are examples only)

  • So if I clean off the obvious malware alone, then the cost is lowest (1 hour labor/downtime) and perhaps that 20% effective (80% of the time, the attacker will quickly return).

  • If I clean off the obvious malware and spend extra time examining any files changed in the past 48 hours, then I get a higher success rate and higher cost: 6 hours labor/downtime, 60% success rate

  • Perhaps if I do all the above plus reinstall all the system packages (e.g. on RH systems: yum reinstall openssh-server etc), then the cost and success rates go higher: 12 hours labor/downtime, 95% success rate

  • If I do all the above, plus spend additional time checking/removing any files in /bin, /sbin/ etc., that are not owned by any package, then perhaps that adds another 4 hours, and give me an extra 3% points on my success rate.

  • Finally, if I "nuke it from orbit", I get the highest cost and success rate: 48 hours labor/downtime, 99.995% success rate

Then from there, we figure out how much each hour of work/downtime costs, plus add the per-incident cost of each exploit, and we start to get an idea of which solution will likely cost the least/most in the long term. And now it's a simple business decision. CEOs are good at that.

Of course, the solutions listed above assume a *NIX environment, but you could come up with a similar list for Windows systems. Make sure you throw AV in there as an option with a realistic associated success rate.

Here's the rub: the probabilities are hard to come up with. Unless you've done or seen a lot of these half-way solutions, you probably don't have any basis to go on. Plus convincing a security professional to go along with solution 3 above when he knows that he's specifically ignoring some potentially serious threats is going to be a tough sell.

But the decision and the risk are the responsibility of the CEO, not the security professional. He may decide to go with a less secure option, but as long as he knows what risks he's taking, then he should be free to do so.

tylerl
  • 82,665
  • 26
  • 149
  • 230
  • 1
    The real problem is that when the CEO decides on something less than nuking from orbit and the infection ends up surviving and doing serious damage the suit is liable to turn around and say that since the option done was 95% effective and failed that 95% of the blame goes to the sysadmin who did the recovery and since someone needs to be sacked as a scapegoat for the fiasco it should obviously be the person who failed to successfully clean the infection. – Dan Is Fiddling By Firelight Nov 19 '12 at 18:49
  • @DanNeely That's certainly the sort of thing you'd expect to worry about. But as long everything is properly explained and documented, it shouldn't be. If purchase a product with a documented 2% defect rate in your contract, you can't lay 98% of the blame of the defects on the manufacturer. It's 100% the decision maker. If you are in a workplace where this is a concern, you should simply (a) flatly refuse to do what the CEO tells you to do, and/or (b) find a new job. – tylerl Nov 19 '12 at 18:56
  • 1
    *`yum reinstall openssh-server` etc* depends on your being able to trust `yum` to do what it is supposed to. Do you? – user Nov 19 '12 at 19:45
  • 2
    @MichaelKjörling typically, yes. Again, we're playing on probabilities and averages. ssh/sshd are *frequently* trojaned, as are coreutils including md5sum. But so far on the thousands of hacked systems I've examined, they haven't trojaned yum or python or rpm. It's not impossible, it's just not popular (yet). – tylerl Nov 19 '12 at 20:27
3

That's a tough one. You have to use concepts that the average person will understand, and find a way to make them care. I would use biological viruses and how they work to explain how computer viruses work because it's something everybody has experience with, and has a potential to get the user to be "sympathetic" to the computer's situation.

A biological virus subverts a cell, making it do what the virus wants. The virus becomes essentially a zombie. You can't trust the cell to do what it is supposed to do, and you can't stop the virus-infected cell and make it normal again, the machinery has been taken control of so thoroughly you can only kill it.

Older computer virus didn't mimic biological viruses very closely. Their level of sophistication was such that they were able to do some things, but not infect systems to to the level they couldn't be removed. Their survival depended more on there not being an AV on the system.

Now computer viruses mimic biological ones much more closely, they are able to subvert a system so thoroughly that you can never be sure they are clear. It may say it's clear, but the virus is so totally in control it can prevent an AV from detecting it. The computer's like a zombie cell, and the only way to prevent the virus from spreading is to kill it.

GdD
  • 17,321
  • 2
  • 41
  • 63
3

Imagine we're living in a horror movie. Your fiancé or fiancée (as the case may be) has been cursed by a witch and is now spewing projectile vomit while spinning their head unnaturally.

You, as an exorcist and amateur brain surgeon, have two options:

  1. Cast out the demons totally and restore your beloved's soul to ownership of their body.
  2. Attempt days-long and delicate brain surgery on a supernaturally strong and dangerous body that will fight your every attempt.

Option 1 is simple, cheap, and works (in horror movies).

Option 2 requires teams of highly trained and expensive doctors, and probably won't work because you can't anaesthetize demons.


Restoring software from backup is analogous to option 1, and unlike exorcism works IRL.

Option 2 is analogous to employing sysadmins to check program binaries, data files, and configurations against a known good copy that they could just have installed on the machine in the first place.

Mike Samuel
  • 3,873
  • 18
  • 25
  • I think you've misunderstood. I can provide a technical explanation just fine, but I'm looking for a way to explain it to a non-technical user or manager. Also, 100MB is nothing compared to a typical OS installation these days - you're looking at tens of gigabytes for Windows 7 or 8. – Polynomial Nov 19 '12 at 15:40
  • @Polynomial, this was my attempt to provide an explanation at a level of detail that could be grasped by non-technical user.s Yes, 100's of MBs is a slim install for a user-facing OS these days. Many special purpose servers though still run slimmer OSes. – Mike Samuel Nov 19 '12 at 15:44
  • @Polynomial please see my edits. – Mike Samuel Nov 19 '12 at 16:00
  • 4
    I would personally have put a zombie slant on this - if a fellow survivor is bitten, do you a) apply first aid, and let them shrug it off, or do you b) kill them right there to prevent them from harming anyone else, and burn their corpse afterwards? – user3490 Nov 19 '12 at 16:50
  • @user3490, I'd think that people will take the first option. – Pacerier May 05 '15 at 05:06
3

Its worth pointing out, that it is usually ok to transfer valuable non-executable data (with no recent backup) from an infected machine, before nuking from orbit (wiping hard drive, reinstall OS from a safe source). Stuff like plaintext docs (e.g., latex manuscript or source code) or important media files (e.g., images of family vacation) may be worth recovering if there is no recent backup. However, you need to be suspicious that the virus let an attacker have full control of the infected system, and the attacker may have modified your data. This could include introduce backdoors into your source code, creating their own admin users in your databases, altering configuration files so the system is in a weak configuration that can be attacked again, etc. (I would read through all source code with a fine toothed comb to make sure no subtle changes were made -- and that's only if it is not security critical). Also be careful of some media files potentially contain viruses, e.g., MS Office documents with macro viruses (this case best, I'd export the copy the text content out of the .doc/.xls into a plain-text file from the infected system when its not connected to anything). Also be careful transferring the data off the infected machine (to not reinfect the other machine); e.g., I'd probably do something like boot off a linux live cd, mount the infected hard drive with -noexec, connect to the internet, and selectively copy important files, and if possible try comparing them to the most recent backup.

The reason for nuking from orbit is its the only way you can have any confidence to safely use that computer again. Anti-virus software works by identifying known malware and as such cannot do so with 100% accuracy (and anti-virus software running on an infected computer may have been tampered with by the virus significantly lowering its chances of completely removing the virus). Starting back at a safe point means you won't have your valuable data get stolen, or have to repeat the process again in a week (possibly on more PCs as the infection spread). Re-installation can be automated and takes under a day; roughly an equivalent time to run a full virus scan that has no guarantee of effectiveness. If downtime is an issue, there needs to be redundancy in the amount of computing resources available to the organization.

dr jimbob
  • 38,936
  • 8
  • 92
  • 162
  • 1
    And then there are the fonts/images/... that cause buffer overrun attacks in the viewers or the PDFs that break out of the viewers - you can never be sure if the system hasn't been hit by a targeted 0-day caused by some data file. – Martin Schröder Nov 22 '12 at 23:29
  • 2
    @MartinSchröder - I agree that pdfs (like *.doc) are dangerous as they aren't simple plaintext, but will often auto-execute embedded scripts. I disagree with images which will generally be safe when viewed through mature viewers. In principle, image viewers could be susceptible to buffer-overflow attacks, but only if poorly written [(e.g., unsafe language with unsafe libraries never doing bounds checking)](http://en.wikipedia.org/wiki/Buffer_overflow#Protective_countermeasures). I'll browse the web and view whatever images are presented with no danger of viruses (unlike pdf/doc). – dr jimbob Nov 26 '12 at 17:23
  • I wonder if .txt files could be infected also by doing some kind of unicode buffer overflow. – Spikolynn Mar 06 '18 at 17:32