
I was trying to download something off a sketchy website, and ISO was a reasonable extension for what I was trying to get, but I was still pretty sure it was malicious. I didn't put much thought into it, and went "well, ISO isn't directly executable, right? It's just an archive." and downloaded it, scanned it with Microsoft Defender, and opened it as an archive (NOT mounting it or whatever, opening it like you would a .ZIP) and then opened a sub-archive. I didn't run anything from it, because I'm not a complete idiot, and yep, everything in it looked super generic and sketchy, not what I was trying to download. I checked an ICO file in it with Paint.NET, too, just to confirm.

I read What damage can a malicious .iso file cause without explicitly executing it? but it doesn't mention if opening it as an archive without running anything inside can allow it to harm my computer. Same goes for most other stuff I've googled.

(Running Windows 10, downloaded via Firefox, if that helps.)

  • Any file can potentially do things, even opening it in different ways. As a result the answer is either "Yes" or "Potentially", in all cases. – LvB Jul 20 '22 at 13:41
  • That's very vague. Does opening an ISO file like that have the capability to do harm to my PC, either by design of the filetype or by known exploits? Or is it most likely that they were just counting on me triggering the auto-run file by mounting it as a disk? – Emily Cravens Jul 20 '22 at 13:51
  • See [this page](https://security.gentoo.org/glsa/201701-27) for an example of a vulnerability in an archive reading program. There is a possibility that exploits similar to that exist in whichever program you use to open the ISO file. – user Jul 20 '22 at 13:52
  • Thanks. I'm not seeing Windows Explorer on there, and my version of 7zip is above their listed version for the exploit patch, although I used that for a ZIP inside the ISO. (I suppose my question also extends to ZIP files, but those aren't intended for use in the same way as ISO files, so I assume the answer is generally "no.") – Emily Cravens Jul 20 '22 at 13:59
  • @EmilyCravens are you seriously asking me for what any potential attacker was thinking? Cause last time I checked “Mind reading” wasn’t one of my skills. – LvB Jul 20 '22 at 14:00
  • @EmilyCravens The answer generally isn't "No", it's "we don't know". Don't assume you are safe unless you've got a reason to assume so. (In this case you don't.) – LvB Jul 20 '22 at 14:02

1 Answer


If the ISO file was specially crafted to exploit a vulnerability in the executable you used to open the ZIP (such as 7zip or Windows explorer.exe), the payload inside it could execute any command using the access rights of this piece of software. I.e., it could execute malware. While this scenario is possible, it is unlikely.

Most likely, the ISO is expected by its author to be mounted and the autorun used to automatically execute the payload. It can also be just a piece of malware embedded into an archive, waiting for a user to execute it by double-clicking on "launch.exe" (or whatever its name is).

To be sure, the content of this particular ISO should be deeply analyzed. Your description does not contain enough information to do more than educated guesses.

A. Hersean
  • The contents were a bunch of executable stuff, so I'm guessing it was intended to be run via the autorun file, if that helps. – Emily Cravens Jul 20 '22 at 14:01
  • @EmilyCravens The ISO could contain an exploit against 7zip and an autorun file. The presence of one attack path does not exclude others. – A. Hersean Jul 20 '22 at 14:06
  • Yeah. Another comment pointed out a page to see known exploits, and my version of 7zip is above the last version known to have an exploit, although I'm not sure if that applies to Windows since it's a Gentoo page. Currently running some scans. Thanks for your help. (Should/how would I go about "deeply analyzing" it? I'm not smart, in case you couldn't tell from the fact I opened it in the first place.) – Emily Cravens Jul 20 '22 at 14:09
  • @EmilyCravens You can find the list of publicly known vulnerabilities against 7zip here: https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=7zip&search_type=all&isCpeNameSearch=false Please note that 7zip might have vulnerabilities that are not yet publicly known, but still exploited. – A. Hersean Jul 20 '22 at 14:12
  • @EmilyCravens From your description and comments, I would guess that you are *probably* safe, because most attacks are not that sophisticated. But you might have found an exception. – A. Hersean Jul 20 '22 at 14:13
  • @EmilyCravens "deeply" analyzing it would require experience in reverse engineering and multiple days of analysis. You can spend years learning the trade, or pay a specialized expert to do it for you. That's not something that can be explained in a few sentences. – A. Hersean Jul 20 '22 at 14:17
  • That's about what I figured. :P – Emily Cravens Jul 20 '22 at 14:26
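The answer above points at two things a defender can check without mounting the image or handing it to a third-party archiver: whether an autorun file is present, and whether the tree is made of directly executable content. The following is an added example, not code from the question or the answer: a small, bounds-checked ISO 9660 reader that parses the primary volume descriptor and the root directory of an image and reports those two findings. The image it parses is constructed inline (a fake `AUTORUN.INF`, a 64-byte stub named `LAUNCH.EXE` that is not a working program, and a text file), so it runs offline. The rejection of extents and record lengths that fall outside the buffer is the point of the example: parsing untrusted input is exactly the attack surface the answer describes, so a triage parser must never trust the lengths the file supplies.

```python
"""Static triage of an ISO 9660 image without mounting it (constructed example)."""
from __future__ import annotations
import struct

SECTOR = 2048
RISKY_EXT = (".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".js", ".lnk", ".msi", ".dll")


def dir_record(name: bytes, lba: int, size: int, is_dir: bool = False) -> bytes:
    """Encode one ISO 9660 directory record (ECMA-119 section 9.1); numeric fields are both-endian."""
    body = (b"\x00"                                             # extended attribute record length
            + struct.pack("<I", lba) + struct.pack(">I", lba)   # location of extent (LBA)
            + struct.pack("<I", size) + struct.pack(">I", size) # data length in bytes
            + bytes(7)                                          # recording date/time (zeroed)
            + (b"\x02" if is_dir else b"\x00")                  # file flags: 0x02 = directory
            + b"\x00\x00"                                       # file unit size, interleave gap
            + struct.pack("<H", 1) + struct.pack(">H", 1)       # volume sequence number
            + bytes([len(name)]) + name)
    if len(name) % 2 == 0:
        body += b"\x00"                                         # pad so the record length is even
    return bytes([len(body) + 1]) + body


def build_sample_iso() -> bytes:
    """Constructed sample image (not a real malicious file): PVD at sector 16, set terminator
    at 17, root directory at 18, three small files at sectors 19..21."""
    files = [(b"AUTORUN.INF;1", b"[autorun]\r\nopen=LAUNCH.EXE\r\n"),
             (b"LAUNCH.EXE;1", b"MZ" + bytes(62)),              # stub with a PE magic, not runnable
             (b"README.TXT;1", b"hello\r\n")]
    root_lba = 18
    root = dir_record(b"\x00", root_lba, SECTOR, True) + dir_record(b"\x01", root_lba, SECTOR, True)
    data = b""
    for i, (name, content) in enumerate(files):
        root += dir_record(name, 19 + i, len(content))
        data += content.ljust(SECTOR, b"\x00")
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"                                 # type 1 (primary), identifier, version
    pvd[128:132] = struct.pack("<H", SECTOR) + struct.pack(">H", SECTOR)  # logical block size
    pvd[156:190] = dir_record(b"\x00", root_lba, SECTOR, True)  # root directory record (34 bytes)
    terminator = b"\xffCD001\x01".ljust(SECTOR, b"\x00")
    return bytes(16 * SECTOR) + bytes(pvd) + terminator + root.ljust(SECTOR, b"\x00") + data


def list_root(image: bytes) -> list[tuple[str, int, bool]]:
    """Parse the PVD and root directory, bounds-checking every offset the image supplies
    so a hostile image cannot make the parser read outside its own buffer."""
    pvd_off = 16 * SECTOR
    if image[pvd_off:pvd_off + 6] != b"\x01CD001":
        raise ValueError("not an ISO 9660 image (missing primary volume descriptor)")
    rec = image[pvd_off + 156:pvd_off + 190]
    root_lba = struct.unpack_from("<I", rec, 2)[0]
    root_len = struct.unpack_from("<I", rec, 10)[0]
    start = root_lba * SECTOR
    if start + root_len > len(image) or root_len > 64 * SECTOR:
        raise ValueError("root directory extent lies outside the image or is implausibly large")
    entries, pos, end = [], start, start + root_len
    while pos < end:
        rec_len = image[pos]
        if rec_len == 0:                                        # rest of this sector is padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        if rec_len < 33 or pos + rec_len > end:
            raise ValueError(f"corrupt directory record at offset {pos}")
        r = image[pos:pos + rec_len]
        name_len = r[32]
        if 33 + name_len > rec_len:
            raise ValueError(f"name length overruns record at offset {pos}")
        name = r[33:33 + name_len]
        if name not in (b"\x00", b"\x01"):                      # skip the "." and ".." entries
            size = struct.unpack_from("<I", r, 10)[0]
            is_dir = bool(r[25] & 0x02)
            entries.append((name.decode("ascii", "replace").split(";")[0], size, is_dir))
        pos += rec_len
    return entries


def triage(entries: list[tuple[str, int, bool]]) -> list[str]:
    """Defender-side findings: autorun presence and directly executable content."""
    findings = []
    for name, size, is_dir in entries:
        low = name.lower()
        if low == "autorun.inf":
            findings.append("autorun.inf present: would run on mount if AutoRun/AutoPlay is enabled")
        elif not is_dir and low.endswith(RISKY_EXT):
            findings.append(f"{name}: executable content ({size} bytes)")
    return findings


if __name__ == "__main__":
    for line in triage(list_root(build_sample_iso())):
        print(line)
```

The reader only walks the root directory, which is enough to surface the autorun-plus-launcher pattern the answer describes; extending it to subdirectories means following each directory record's extent with the same bounds checks. Run it on a real image by replacing `build_sample_iso()` with the file's bytes, ideally inside a disposable VM, since the parser itself is the component a crafted image would target.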