13

If you've used legacy Windows, you probably know about program information files aka PIF files.

At some point, when Internet usage became widespread, these files became a vector of infection for computers and some of you probably remember mail spam with PIF file attachments.

How exactly could a PIF file act maliciously as it's solely a configuration file?

Eric Cartman
  • 6,760
  • 5
  • 35
  • 59

2 Answers2

25

Real PIFs are indeed “only” configuration files, but they are executable: running a PIF will run the corresponding program, with the configuration specified by the PIF. This can be used as-is: a “real” PIF can be sent to a user, and if that user runs it, the commands specified in the PIF will be run; starting with VMM 4.0 (Windows 95), PIFs can even include CONFIG.SYS and AUTOEXEC.BAT instructions, so multiple commands can be chained.

However malware disseminated using PIFs generally relies on the fact that DOS and Windows don’t use an executable file’s extension to determine how it is run, only to determine that it is an executable. COM, EXE, and PIF mark files as executable, equally. So you can take a regular Windows EXE file (with nefarious content, in this scenario), rename it with a PIF extension (thus evading naïvely-configured mail filters, and seeming less dangerous to users unlikely to be aware of this file extension), and Windows will execute it — its PIF extension marks it as executable content, and when Windows is asked to execute it, it won’t complain that it doesn’t contain a PIF database, it will see that it’s a program and run it.

(Executable content is identified by its MZ and PE signatures.)

Stephen Kitt
  • 121,835
  • 17
  • 505
  • 462
  • 3
    There is another attack vector you may want to include by having the PIF file start dome other program or with optional command switches. While not as flexible as hiding an EXE as PIF, it still enables unintended action. It became at least as usefull with the inclusion of an config/autoexec section with Windows 95 (IIRC). Now any kind of batch script could be added and executed. – Raffzahn May 18 '20 at 10:50
  • 1
    True, thanks; I don’t know whether any malware used that, but I’ve mentioned it now. – Stephen Kitt May 18 '20 at 11:27
  • 1
    Does BAT not similarly mark the file as executable? – Ruslan May 18 '20 at 20:13
  • 1
    @Ruslan, yes, as does SCR, and probably some even more obscure ones. – Mark May 18 '20 at 20:30
  • @Mark I wonder then how DOS distinguishes COM and BAT files. Presumably, it still does look at filename extension to know that one is a script and another is machine code, because what looks like text can easily be a sequence of valid x86 instructions. – Ruslan May 18 '20 at 20:39
  • @Ruslan DOS doesn’t execute BAT files, you need to pass them to COMMAND.COM explicitly. I’m not sure off-hand of all the details under Windows, which is why I didn’t list more than COM/EXE/PIF — but yes, BAT files are also considered executable, as are CMD files, and a few others (look at the PATHEXT environment variable). – Stephen Kitt May 18 '20 at 20:53
  • (And PIF isn’t included in PATHEXT, but there’s seemingly some special-case there which quickly falls back to regular MZ/PE handling.) – Stephen Kitt May 18 '20 at 21:08
3

PIF files still used as a bodyless-malware. For example, in Windows 10x86, where you have a DOS VM, that help running a 16-bit code, executing pif file will run the DOS Virtual Machine, where the malware command of a pif-file can be executed in DOS regime.

Also, for example, for the *.lnk file the thing is to put a string of a malware script into a file properties, like Target: "C:\Windows\System32\mshta.exe "javascript...""

The same goes for WMI and MSTASK files.

hgrev
  • 31
  • 2