53

If a file is downloaded from the Internet, and saved on disk, but is not opened by a user (if we keep autorun off), are there any chances that malicious code (e.g. a virus) in the file could trigger?

I'm not asking about attacks that could be made while downloading, or on browsing to a site - imagine the file has somehow been stored onto the disk with no attack taking place. What risk do I then face from malware?

Rory Alsop
ahinath
  • 1
    Is this a Windows-specific question? – Daniel Griscom Jul 19 '15 at 11:48
  • 4
    1. What's your threat model? In any threat model where you are visiting a possibly-malicious website, there are other ways that the website might be able to compromise you (e.g., by a zero-day exploit), so I'm not convinced it makes sense to focus only on downloads, and I don't think it's possible to "only download that file" (you'll also be visiting a page that could execute Javascript that could try to exploit any vulnerability in your browser). 2. What research have you done? – D.W. Jul 20 '15 at 08:36
  • 1
    Viruses *per se* usually can't be triggered or spread when they are not opened, as a virus needs to be executed to spread or do damage. See the answers below for some scary exceptions. However, there are other types of malware, like worms, that can. In fact, many of the pieces of code described in the answers are not truly viruses. – trysis Jul 20 '15 at 13:57
  • 1
    D.W. file downloads can occur through other means than a browser, i.e. wget or FTP. OP seems to be specifically asking about being infected by a file on disk, not the download process itself. – wireghoul Jul 20 '15 at 21:26

5 Answers

81

There are a few cases where simply downloading a file without opening it could lead to execution of attacker controlled code from within the file. It usually involves exploiting a known vulnerability within a program which will handle the file in some way. Here are some examples, but other cases are sure to exist:

  • The file targets a vulnerability in your antivirus which triggers when the file is scanned
  • The file targets a vulnerability in your file system such as NTFS where the filename or another property could trigger the bug
  • The file targets a bug which can be triggered when generating a file preview such as PDF or image thumbnail
  • A library file (ex. dll) could get executed when saved to the same directory where an application vulnerable to binary planting is executed from
  • The file is a special file that can change the configuration of a program such as downloading a .wgetrc file with wget on Linux
  • …and more
wireghoul
  • 10
    Not that there's anything wrong with this answer, but I think it's worth noting that all these methods involve the file somehow inserting itself (or its name) into executable code somewhere. The point being that _something_ has to be executed to spread a virus - it doesn't happen simply because of bytes being stored on a drive. – David Z Jul 20 '15 at 06:19
  • 3
    @DavidZ True, but the DLL part in particular is frighteningly relevant - anyone who runs *any* executables from their downloads directory is in danger. And you'll only get the warning on the exe (legit), not the malicious DLL. – Luaan Jul 20 '15 at 09:10
  • 1
    When targeting parser or other bugs in an AV engine the only requirement is storage of the file. – wireghoul Jul 20 '15 at 09:56
  • @DavidZ I think it's also pretty clear that the OP was asking about the case where he/she doesn't go out of his/her way to execute the file and takes some basic steps to prevent the file itself from being executed; not the case where the file's presence causes some other code to execute. After all, if we're not considering any situation that causes code to execute, viruses are excluded by definition. – Daniel Jul 20 '15 at 12:57
  • 1
    @Daniel well, yes, your last sentence was exactly the point of my comment. Some people don't know that, after all. – David Z Jul 20 '15 at 13:08
  • The proper hypothetical question is 'can malicious code trigger without a thread parsing the file content and associated metadata'. The answer to that question is no but in practice it's impossible to download without a thread processing the file content and metadata. As soon as the downloader software pulls metadata on the wire (ex: server location) there is a possibility of an exploit. – user94592 Jul 21 '15 at 18:21
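The answer above names two classes of file that are risky by mere presence in a folder: tool configuration files such as `.wgetrc`, and a DLL placed beside an executable that is later run from the downloads directory (binary planting). The following audit script is an added example, not code from the question or any answer; it lists one directory and flags those classes plus filenames containing control characters. The `.curlrc` and `.netrc` names are assumed additions of the same auto-read kind, and the sample listing is constructed.

```python
"""Audit a downloads folder for files that can act without being opened."""
import os
from pathlib import Path

# Config files that wget and similar tools read on their own from the
# directory they run in (".wgetrc" is the case named in the answer;
# ".curlrc" and ".netrc" are assumed members of the same class).
AUTO_CONFIG_NAMES = {".wgetrc", ".curlrc", ".netrc"}
# Extensions involved in Windows binary planting: an .exe started from
# this folder may load a same-named DLL that was dropped next to it.
LIBRARY_SUFFIXES = {".dll"}
EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".cmd"}


def audit_listing(names):
    """Return (filename, reason) pairs for a directory listing."""
    findings = []
    has_executable = any(Path(n).suffix.lower() in EXECUTABLE_SUFFIXES
                         for n in names)
    for name in names:
        suffix = Path(name).suffix.lower()
        if name.lower() in AUTO_CONFIG_NAMES:
            findings.append((name, "tool config read automatically"))
        if suffix in LIBRARY_SUFFIXES and has_executable:
            findings.append((name, "DLL beside an executable (binary planting)"))
        # Control characters or over-long names exercise unusual code paths
        # in shells, Explorer and file-system metadata handling.
        if any(ord(c) < 32 for c in name) or len(name) > 255:
            findings.append((name, "unusual filename"))
    return findings


def audit_directory(path):
    """Audit the real directory at ``path`` (for example ~/Downloads)."""
    return audit_listing(os.listdir(path))


# Constructed sample listing, not taken from any real machine.
SAMPLE_LISTING = [
    "report.pdf", "setup.exe", "version.dll", ".wgetrc", "photo\x07.jpg",
]

if __name__ == "__main__":
    for name, reason in audit_listing(SAMPLE_LISTING):
        print(f"{name!r}: {reason}")
```

Run `audit_directory(os.path.expanduser("~/Downloads"))` to check a real folder; a DLL is only reported when an executable shares the directory, because planting needs a loader.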
18

Windows will try to extract information from the file to display the icon and preview when looking at the folder inside explorer. One example was the Windows Metafile Vulnerability which could be exploited only by previewing the file in explorer.

Another attack vector is the built-in Windows Search. To extract the information necessary for a full text search, Windows will scan the files in the background and use the file parser to extract the content. A bug in the file parser can thus lead to code execution.

Also, if the path is known to an attacker (i.e. inside the default download folder), opening could be enforced by embedding the file as an image, flash file, PDF etc. using a file:///... link inside a web page you visit.

Steffen Ullrich
  • 1
    Technically your last paragraph also requires targeting a vulnerability in e.g. the image viewer, flash, PDF viewer, etc. – Random832 Jul 19 '15 at 12:04
  • @Random832: not only the last paragraph needs a vulnerability, but all of my examples. But I doubt that you will find a system with no vulnerabilities, only with no (yet) publicly known vulnerabilities. – Steffen Ullrich Jul 19 '15 at 13:37
6

Autorun applies mostly to external drives connected to the machine, less to downloaded files.

If you do not execute the downloaded file, in theory you should be safe. However, practically, your computer may open it itself for your convenience and without asking your approval, whether it is to generate some kind of thumbnail or preview of the document, to index it for a file search application, etc.

For instance, you will find here an example of exploit affecting older Windows Media Player software: no need to open the file, simply browsing to the directory containing the file is sufficient to execute the malware...

WhiteWinterWolf
1

It depends on the type of virus you may have downloaded.

  • Macro viruses: when you open an infected document using the program it is designed to attack. The same thing occurs with program viruses that infect other programs on your machine, if the programs infected by them are activated by executing them.
  • Boot sector viruses: they infect your hard drives by their simple presence (without clicking to open them) or by just restarting your machine
  • 4
    Boot sector viruses need to be installed in some way (i.e. some offensive code must be executed at some point by the user); they will not be downloaded directly from the internet to the boot sector of the hard drive. – WhiteWinterWolf Jul 19 '15 at 08:04
  • @WhiteWinterWolf No, not necessarily: if you have a USB stick infected by such a virus, you plug it into your computer and start it up, then the HDDs will be infected without needing to open (click) the virus on the USB. Originally, this type of virus followed this schema using a floppy disk –  Jul 19 '15 at 08:07
  • The question here is about files downloaded from the Internet. – WhiteWinterWolf Jul 19 '15 at 08:13
  • @WhiteWinterWolf Yes, file download, I agree, but my former comment was an answer to yours :) –  Jul 19 '15 at 08:14
  • And my comment was only relevant in the context of the question. Actually your computer may be compromised even without downloading, using any USB key or interacting with it in any way for that matter, as long as someone finds a way to execute some code on it ;). – WhiteWinterWolf Jul 19 '15 at 08:21
0

The simplest and most common type of malware depends on you executing it, but malware can target vulnerabilities in any program that processes the data. Imagine a piece of malware that targeted a known vulnerability in your antivirus software, or your spam filtering software.

ddyer