A General Question - Can A Windows Prefetch File Be A Vehicle For Malware?

[Bobn]

If I were to explain why I'm asking this question, you would have a lot to read - it is rather involved and twisted.

 

Let me ask the question and see what happens. If more information is needed, I'll explain where I'm coming from on this.

 

Can a Windows prefetch file be a vehicle for malware?

 

That is, can malware be inserted into a prefetch file so that that malware could then be "used" to damage, etc a system?

 

My reading says No. Prefetch files contain data,not code, and are never "executed."

 

And I've also seen entries on the immunet.com forum - such as: http://support.immunet.com/index.php?/topic/242-default-exclusions/?hl=prefetch which seem to say that prefetch files cannot be dangerous and are actually excluded from their scanning.

 

So - can a prefetch file, or more generally, a file with file name extention .pf be used by a "bad" guy to make an attack?

 

And to add a twist to the question - could such an attack, if possible, be used against an Apache server instaltion on a system running Linux?

 

Bob

[ritchie58]

Some interesting questions. First, prefetch files actually are system files that are used to more quickly launch automatic system services, start up & other installed third-party programs. These system files are generally not accessible by other third-party software since they're hidden system files. However, as hackers get more devious in their methods of propagating malware it is not, in my opinion, out of the realm of possibilities.

 

I have no additional information if servers running Linux are vulnerable to prefetch file infections however.
 

Best wishes, Ritchie...

[Bobn]

Thanks for the reply.

 

But if the file only contains information which Windows uses to launch an application faster the next time it is started, how could an  anything injected into the file cause any problems.

 

That post I referred to http://support.immunet.com/index.php?/topic/242-default-exclusions/?hl=prefetch%C2%A0 says that prefetch files are excluded from the scan. The reason given is:

 

"2) We exclude things that take long time to scan with no protection benefit. An example of this is %WINDIR%\Prefetch. The Prefetch folder is internal for windows processes and the files are somewhere else on the disk.."

 

I take that to mean that there is no point scanning a prefetch file because it provides no protection because no harmful injection can be done. I assume that if the data is corrupted, Windows will simply find it to be an invalid prefetch file and would delete it and create a new one.

 

The reference to the files being somewhere else means, I think, that the actual executable files are elsewhere.

 

As for Linux, personally I can't conceive that there would be a danger, but as I can't say a definitive No, I asked the question.

[ritchie58]

Bob I didn't mean to scare you. In all probabilities your prefetch files are not infected for the simple reason I outlined in the last post. They cannot be accessed by outside sources other than the program it was intended for. That's why it's normally not a critical issue to scan the prefetch files. Besides Windows will re-write these files on a regular basis to keep current on which programs are being used.

Cheers, Ritchie...