Channel: Hakin9 – IT Security Magazine

File system fault in FAT32-formatted drives revealed by Morse-code directory names in Windows OS environment. Vulnerability in USB flash/hard drive (PenDrive, Portable External/Internal Hard Drive) case study

The problem described here can be reproduced in the Microsoft Windows family of operating systems (e.g. Windows XP, Vista, 7, 8.1 Enterprise/Pro, 10 Enterprise 21H2, 11 Home 21H2). This is only a sample set of operating systems. Most probably it exists in all Windows versions, but with slightly different behaviour, described later in this text. This quite unusual problem was encountered by coincidence.

Most computer users have created at least one directory on a disk and store some data in it. It is also usual for another directory to be created at the same level of the directory tree. Some folder names containing special characters may surprise the user and affect user data.

What is this problem and how can one reproduce it?

Definitions

We call a folder whose name contains the “-” character (short hyphen, hyphen-minus) a base folder, e.g. "a - b" (note that the quotation marks are not part of the name). Spaces around the minus sign are required.

We call a folder whose name contains at least one “–” character (long hyphen, en dash) a secondary folder, e.g. "a – b". Note the special dash in the middle of the name. Spaces around it are required too.

Reproducing a problem

We create a secondary directory with the simple name "a – b" and copy some files into it.

Then we leave this folder and create a new one, i.e. a base folder, at the same directory level, and name it "a - b".

Now the whole content of the secondary folder appears in the base folder too. It behaves like a link, because disk usage does not change after the base folder is created (Figure 1a). The reverse operation, file removal, works the same way: if ”name2.ext2” is erased from one folder, it automatically disappears from the other folder as well (Figure 1b).

Figure 1a. Folder structure on the USB device. The OS shows the same files as in “a - b” after the creation of the folder ”a – b”. After the entire procedure, free disk space decreased by 7 MB, not 14 MB.
Figure 1b. Folder content after ”name2.ext2” was removed from exactly one of the folders. Free space increased by 2 MB.

Note that the problem appears only when both the base folder and at least one secondary folder exist.

From now on, we will also call this problem the hyphen minus problem or just minus problem.

OS differences

There is a small difference in, for example, Windows 10. When the base folder is created first and one then tries to create a secondary folder, the OS asks to merge the two folders. However, if the secondary folder is created first, the base folder is treated as a physically different folder and the problem described above is reproduced as well. One may also reproduce the problem in Windows XP, Vista, 7 and 8.1 on an arbitrary pendrive or hard drive with a FAT32 file system, and then check in Windows 10 that the folders’ content is the same. Folder creation can be reproduced, e.g., with Listings 1 and 2.

Listing 1. Windows C++ ”a -- b” folder creation.
Listing 2. Windows C++ ”a –– b” folder creation.

Note that if the base folder is created first, then on trying to create a secondary folder the program from Listing 2 fails with the ERROR_ALREADY_EXISTS error.

However, if one uses Windows File Explorer (except in Windows 10, as described above), folders can be created in either order without any warning: base folder first, then secondary folder, or secondary folder first, then base folder.

Folder removing

There is also another problem when a folder is removed using Windows File Explorer. If the secondary folder is removed first, it is not possible to remove the base folder. File Explorer must be refreshed (F5) after removing the secondary folder. Afterwards the base folder can be removed, but note that its name has changed to the secondary folder name.

Hidden files and user security

Suppose that only secondary folders exist, each holding some files; each folder has its own copies. When the base folder is created, the files disappear from all of the folders. When the base folder is removed, the content of the secondary folders reappears. The user may therefore think that data has been lost (if he or she does not remove the base folder), while in fact it is only hidden.

MacOS test

This problem is not reproducible in MacOS (version from about 2019); MacOS seems to work correctly in this case.

There was probably one case (which cannot be reproduced) in which base and secondary folders with some content were created on Windows, and this content was duplicated in MacOS too.

However, if the experiment is done entirely in MacOS, a file created in one folder appears in that folder only.

In MacOS, the secondary folder is empty and only the base folder contains files. Of course, it depends on which folder the files were first stored in.

Suppose also that the base and secondary folders are created using Listing 3.

Listing 3. C++ MacOS ”a –– b” folder creation. Note that the same dash character has a different encoded sequence here.

If a file is copied into the secondary folder in MacOS, the file is not found when the folder is read in Windows. However, if the base folder is removed, the file appears in the secondary folder. This is similar to the situation described in the “Hidden files and user security” section.

ReactOS and virtual WinXP (virtual FAT32 disk, not USB) test

The minus problem is not reproducible in ReactOS [8]. When files of different types are created in the base and secondary folders, virtual WinXP wrongly shows only one type of file in both folders.

Another FAT32 implementation test

Another test was done with the DiskGenius [9] application. The minus problem does not occur there either.

Enhanced experiment, Morse code directory names

The same experiment can be done for an arbitrary number of ”-” characters. Consider the name ”a ---...--- b”, where the number of ”-” characters is n; note that it is also a base folder. Then the number of problematic names for such a folder is 2^n (Figure 1c). Therefore, we may create 2^n folders, and copying or removing a file in one of them causes the file to appear or disappear in the remaining 2^n - 1 secondary folders. We can also make other combinations of ”-”, ”–” and letters from the alphabet {a, b, …, z} (for example "a - b - x - y"), of which there are far more than 2^n. It is important to put spaces around the letters, at least one space between each pair of characters, for example "a - b - x - y".

Figure 1c. Folder structure for n=4. Copying a file ”name1.ext1” to any one of the 16 folders causes the file to appear automatically in the remaining 15 folders. The names resemble the Morse alphabet :)
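As an added audit check (not code from the article), the following Python script lists sibling directory names that differ only in which dash character they use, i.e. the base/secondary pairs and the 2^n Morse-style sets described above, and computes the 2^n count. It assumes the short hyphen is U+002D and the long one is the en dash U+2013; the other dash-like code points are assumed look-alikes added for completeness.

```python
import os
from collections import defaultdict

# Dash-like code points that look almost identical to "-" (U+002D) in
# Windows Explorer. U+2013 (en dash) is the one in the article's "a – b";
# the others are assumed look-alikes included for completeness.
DASH_VARIANTS = {"\u2010", "\u2011", "\u2012", "\u2013", "\u2014", "\u2212"}


def canonical(name: str) -> str:
    """Fold every dash-like character to "-" so alias spellings compare equal."""
    return "".join("-" if ch in DASH_VARIANTS else ch for ch in name)


def find_alias_groups(names):
    """Group sibling names that differ only in the dash character used.

    Returns {canonical_name: [spellings...]} for groups with 2+ members,
    i.e. exactly the base/secondary folder sets that trigger the minus
    problem on a FAT32 volume.
    """
    groups = defaultdict(list)
    for name in names:
        groups[canonical(name)].append(name)
    return {key: sorted(spellings) for key, spellings in groups.items()
            if len(spellings) > 1}


def alias_count(name: str) -> int:
    """Number of spellings of `name` when each dash may be "-" or "–": 2^n.

    For "a ---- b" (n=4) this is 16, matching Figure 1c.
    """
    n = sum(1 for ch in name if ch == "-" or ch in DASH_VARIANTS)
    return 2 ** n


def audit_directory(path: str):
    """Run the alias check on the subdirectories of one directory level."""
    subdirs = [e for e in os.listdir(path)
               if os.path.isdir(os.path.join(path, e))]
    return find_alias_groups(subdirs)


# Constructed sample of one directory level on a FAT32 pendrive, modelled
# on Figure 1a plus two unrelated folders; not a real listing.
SAMPLE_NAMES = ["a - b", "a \u2013 b", "a x b", "test"]

if __name__ == "__main__":
    for key, spellings in find_alias_groups(SAMPLE_NAMES).items():
        print(f"alias group {key!r}: {spellings}")
    print("spellings of 'a ---- b':", alias_count("a ---- b"))
```

Run `audit_directory("Z:/test")` (or any mounted path) to check a real directory level; any non-empty result is a set of folders whose content Windows will show as shared.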

Conclusion

With the current knowledge it is hard to say whether this is an operating system problem or a USB driver problem. However, the experiments done on MacOS, ReactOS and DiskGenius suggest that it is most probably a Windows operating system problem, in particular in its FAT32 implementation.

The experiment was done with different pen drives and disks. Most probably it applies to disks from all manufacturers. Next we show how the minus problem affects some antivirus software.

Hiding files from Antivirus

It is possible to hide files from antivirus scanners. As an example, we consider Avast Free Antivirus (version from about 2019).

Figure 2. Sample antivirus test file [5, 6] stored on disk Z: as vir.txt. Its content is pasted as a bitmap to avoid text-pattern scanning.

In the first step, a test virus file like the one in Figure 2 [5, 6] is created on a USB pendrive. The file “vir.txt” is stored in any secondary folder, e.g. “Z:/test/a – b/vir.txt”. When the “test” folder is selected in Avast, the scanner finds a problem (Figure 3).

Figure 3. Avast finds a virus in the test folder.

In the next step, we create a base folder in the test folder, e.g. “test/a - b”, and restart the scan for the same virus. Now the secondary folder appears empty, so Avast does not find any problem in the “test” folder (Figure 4). When the base folder is erased, Avast finds the virus again, as in Figure 3.

Figure 4. There are no issues found when the base folder has been created.

Running application or computer malware (e.g. on bootload) from USB

It is possible to run an application from a USB device at boot time. A simpler use case is also considered in the conclusion below. An application that indirectly runs computer malware can be implemented as in Figure 5. Examples of computer malware are keyloggers, trojan horses, worms and rootkits [1,2,3,4].

Figure 5. Sample executable which can indirectly run computer malware (e.g. keylogger, trojan horse, worm or rootkit) [1,2,3,4].

Conclusion

Using the ideas described in this chapter, it is possible to hide dangerous applications from antivirus programs. It also shows that an attack from a USB device is possible on any Windows computer. Note that the application from Figure 5 is a simple program that should not be recognized as malware and may indirectly run, for example, a worm from a USB device at boot time. A Boot-Time Scan is also possible (in that case, an open question is whether the minus problem can be reproduced at boot time too, because Windows has not started yet; possibly not, because MacOS behaves correctly, as described in the first chapter), but in the sample use case we may assume it is switched off and that the flash drive was scanned earlier during normal Windows runtime. In a very simple use case, we may even run such an application on computer A without antivirus protection, after the USB flash drive was successfully checked on computer B with antivirus protection. Note that on both computers A and B the application runs in Windows, not at boot time. The experiment was done in Windows 8.1, but it should be reproducible in the latest Windows versions too.

Possible computer attack – proof of concept

We show that the minus problem may be used for a computer attack. Several use cases will be considered in this paper as a proof that a computer attack using this USB error is possible.

First, two C/C++ listings will be introduced. The first sample (Listing 4) is a modified version of [7]. The second one (Listing 5) uses ideas from [5, 6] and makes the executable a malware (at least it is treated as a virus by the antivirus program).

Listing 4. Process.cpp implementation. Runs another executable/process, i.e. process2. It is important that the yellow part is commented out for now.
Listing 5. Process2.cpp implementation. Simple example recognized by antivirus as malware.

Use case 1

Precondition: Suppose that process.exe is saved in the “Z:/test” folder and process2.exe is saved in a folder that is neither a base nor a secondary folder, e.g. “z:/test/a x b”.

We run cmd.exe in the “z:/test” folder and run process.exe. Now process2 should be removed by the antivirus software (Figure 6). The file “vir2.exe” has not been stored on disk, i.e. “test/a x b” is empty.

Figure 6. Process2.exe is removed by the antivirus from “test/a x b”.

Use case 2

Precondition: We change process.cpp as in Listing 6 and recompile. process2.exe is copied to a secondary folder, e.g. “test/a – b”. We also change process2.cpp as in Listing 7.

We run cmd.exe and process.exe. process2.exe is again removed by the antivirus software. The file “vir2.exe” has not been stored on disk either.

Listing 6. process2.exe located in “test/a – b”. Process2.exe should be removed again, as in use case 1.
Listing 7. Changed location of vir2.exe.

Use case 3

Preconditions: The same as in use case 2. 

We store process2.exe in the secondary folder and then manually create the base folder “test/a - b”. Now both the secondary and the base folder appear empty.

We run cmd.exe and process.exe. Process creation fails with error code 2 (Figure 7).

Figure 7. Process creation fails with error code 2 (ERROR_FILE_NOT_FOUND).

Use case 4

Preconditions: The same as in use case 3; the “a - b” subfolder must be created after process2.exe is stored in the secondary folder.

We change process.cpp as in Listing 8 (process2 is changed as in the previous use case). In this case, the base folder is removed by process.exe, so process.exe has access to process2 in the secondary folder. Process2 is executed and is not removed by the antivirus. However, the antivirus shield (or Windows undefined behaviour) prevents process2.exe from saving vir2.exe to the USB disk.

After the use case is over and the base folder is manually removed, process2.exe reappears in the secondary folder.

Listing 8. The yellow part of the code is uncommented. Now the base folder is removed before process2 is created and then restored.

Use case 5 – race hazard

Preconditions are the same as in the previous case. 

We show that it is possible to store vir2.exe on the external disk by making use of a race between the processes. Therefore, we change the order of the last instructions in Listing 5, as presented in Listing 9. After several attempts, the computer was successfully attacked (Figure 8). vir2.exe was successfully stored in the base folder (and in the secondary folder too).

Listing 9. Recreation of the base directory before the WaitForSingleObject function call.

Note that after manually removing the base folder, process2.exe no longer exists in the secondary folder. The antivirus shield managed to remove process2.exe but could not prevent it from storing vir2.exe on disk. This means that the potential malware is now running in the Windows system.

Figure 8. After 4 attempts, the computer has been attacked by the virus. vir2.exe has been successfully stored in the base folder (and in the secondary folder too).

Conclusion

We showed that computer malware can be installed despite the scanner. Software errors may lead to the unexpected behaviour described in the use cases. The antivirus shield was successfully bypassed and a virus attack became possible.

Brief history of the minus problem and last conclusions

The problem was observed in 2019 or even earlier. Most of the analysis, descriptions and experiments were done in 2019/2020. The minus problem exists on all checked FAT32-formatted pen drives and external/internal HDDs in the Windows environment. It may be an old problem, as it exists in Windows XP too. The DIR command shows the same wrong directory content as the Windows Explorer GUI.

However, DiskGenius’ own FAT32 implementation behaves correctly. Similarly, there is no issue in ReactOS.

Note that there are other Windows file systems, like NTFS and exFAT, on which the minus problem does not exist. However, most USB pen drives are FAT32-formatted at the factory.

References:

[1] Dawid Farbaniec, “Techniki twórców złośliwego oprogramowania, elementarz programisty”
[2] Adam Błaszczyk, “Wirusy. Pisanie wirusów i antywirusów”
[3] Adam Błaszczyk, “Jak pisać wirusy i antywirusy”
[4] Andrzej Dudek, “Jak pisać wirusy”, “Jak pisać wirusy. Sztuka programowania”
[5] https://superuser.com/questions/523264/where-can-you-intentionally-download-computer-virus-online-for-testing-purpose
[6] https://www.eicar.org/download-anti-malware-testfile/
[7] https://docs.microsoft.com/pl-pl/windows/win32/procthread/creating-processes
[8] https://reactos.org/
[9] https://www.diskgenius.com/
