If you read my post “Spyware, Hacking, & Sexual Exploitation” and read the story about Luis Mijangos, you probably read over the part in the article at the OC Register where it says:
…where Mijangos used peer-to-peer networks to infect computers around the world with malicious computer code. Mijangos induced victims to download the malware onto their computers by making the files appear to be popular songs, according to the affidavit.
I immediately thought, “Fricken idiots. Didn’t you notice the .exe instead of the .mp3???”
Then it dawned on me. Maybe it’s not (entirely) their fault. This may actually be Windows’ fault (go figure). I’ll admit that I do whatever I can to blame Windows & Microsoft for all of the problems in the world, but this one may legitimately be their fault! Honest!
First, every version of Windows that I’ve ever touched has this option set, by default, right out of the box:

So, let’s assume for a moment that this was checked and that the extension wasn’t actually visible to the end user.
“But what about the icon? They should know the difference between what an icon for an exe looks like and what an icon for an mp3 looks like.”
Fair… unless Mijangos changed the icon.
There are lots of programs floating around the internet that will allow you to easily change the icon for an executable. I don’t run Windows, but I have a VMware image of XP that I use for this purpose. I use a piece of software called “Icon Changer” from Shell Labs.
I’ll use a trojan I made as an example. This is probably an identical trojan to what Mijangos used, but, undoubtedly, mine is better.
Anyway, here’s the trojan before manipulating it in any way.

Now, this part would require some guesswork (or research), but let’s say that I know the person that I’m attacking uses Winamp to play their MP3s…
Right-click on the file and:
Find the icon that you want to use and then click “Set” and you’ll see:

Choose the first, because you want the icon to remain even if the exe is sent to another box.
Now we have something that looks like this:

Now I turn on the “Hide file extensions for known file types” and we have:

Pretty convincing, if you ask me. To be entirely honest, I think most people would click on that if it found its way into your MP3 directory and had a real name of a song.
This is a quite effective method for attacking targets. There are, however, some caveats. The biggest one being the whole antivirus thing. If the end user is using an up to date antivirus and you’re not using a packer with 0day stubs, it’s probably going to be detected.
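A defender-side check for the trick described above, as an added example that is not code from the post or from Shell Labs’ tool: it walks a music folder, flags anything that is really an executable, and reports the name Explorer would show for it with extensions hidden. The content check on the ‘MZ’ header goes a step beyond the post, which relies only on the .exe extension and a swapped icon. The directory and file names are constructed here; the extension lists are assumptions, not exhaustive.

```python
import os
import tempfile

# Extensions Windows runs directly when double-clicked (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def displayed_name(filename: str) -> str:
    """Name the user sees with 'Hide extensions for known file types' on:
    only the final extension is stripped, so 'song.mp3.exe' shows as 'song.mp3'
    and 'song.exe' shows as just 'song'."""
    stem, _ = os.path.splitext(filename)
    return stem


def is_pe(path: str) -> bool:
    """True if the file starts with the 'MZ' DOS header every PE executable has."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def find_executables(directory: str) -> list:
    """Return (real name, displayed name, has PE header) for every file in a
    media folder that is executable by extension or by content."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        ext = os.path.splitext(name)[1].lower()
        pe = is_pe(path)
        if ext in EXECUTABLE_EXTS or pe:
            hits.append((name, displayed_name(name), pe))
    return hits


def demo() -> list:
    """Constructed sample folder: one honest mp3 and three disguised executables."""
    d = tempfile.mkdtemp()
    samples = {
        "real_song.mp3": b"ID3" + b"\x00" * 16,        # genuine audio header
        "hotel_california.exe": b"MZ" + b"\x00" * 16,  # the post's trick: shown as 'hotel_california'
        "hit_single.mp3.exe": b"MZ" + b"\x00" * 16,    # double extension: shown as 'hit_single.mp3'
        "renamed.mp3": b"MZ" + b"\x00" * 16,           # PE bytes behind a media extension
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return find_executables(d)


if __name__ == "__main__":
    for real, shown, pe in demo():
        print(f"{shown!r} is really {real!r} (PE header: {pe})")
```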
But many users don’t use an up to date antivirus
Take for instance OEM prepacked systems: the end user receives a Windows box with some partner security software, say McAfee, Symantec or whatever. This software would be the trial version for three or so months. The user at some point starts receiving messages that the antivirus has expired, and then, nothing happens!
If I’d had a dollar for every time I’ve helped friends and, when I ask “did you notice the antivirus has expired?”, heard “oh, yeah, but it said I should buy it and I don’t want to, I just turned off those annoying messages”, I’d surely be a millionaire by now. Malware wins!
@netalien: Yeah, no doubt. But… the underlying AV engine has built-in detection rules that look for certain patterns, heuristics and whatnot, which will oftentimes identify one of these trojans, even if it’s a new one. I don’t spend a whole lot of time in the virus/trojan world, because it’s kind of like the underbelly of the computer world… but it has its place.
Also, because of the freely available AVs, and the new embedded AV in Vista/7, it’s becoming even more difficult.
That said, coming across 0day stubs isn’t terribly difficult. If you can’t find a free one, you can find someone to make one for you for like, $5.
Yeah, true that, although disabling the AV engine has been a common thing in many cases, and packers are a complex issue to solve because of their availability and constant changing.
I guess until users start using common sense, things like this will just go on :-/
[...] As far as the vulnerability, I don’t know. I’m a bit torn on its seriousness. Essentially, it’s a social engineering attack that works a lot like what I did in my post “Convincing End Users That Black is White”. [...]