Can a .txt file contain malware?

The Internet Crime Complaint Center reported that some email messages are impersonating it in an attempt to get malware onto target computers. That’s clearly worth knowing about, but this part of the report is odd:

The unknown actors also attached a text document (.txt) to download, complete, and return to the perpetrators. The text file contained malware which was designed to further victimize the recipient.

It really shouldn’t be possible to run malware by opening a .txt file. It should just open in a text editor, with no execution of code. There’s no further explanation.

Perhaps what’s really happening is the double-extension trick. Microsoft decided that file extensions should be hidden by default, even though that’s a huge security flaw. Apple did the same because it has to be like Microsoft. Microsoft did it because it’s Microsoft. With extension hiding, a file named evil.txt.exe will appear to be called evil.txt, but when you open it, it will run as an executable file.

However, that’s not actually a .txt file. I wondered if any other tricks are possible.

I can imagine a text editor that opens files and then treats them as executable HTML, Python, or batch script depending on their content. It would be a dumb idea, but that wouldn’t keep it from being done. I’m not aware of any text editors that do this.

Could someone devise an invalid UTF-8 string that would trigger a bug in Notepad, making it execute arbitrary code? It’s possible in principle, but I can’t find any evidence that it’s ever been done. Unicode has been used to disguise malware, but it won’t be executed until the file is run as something other than a text file.

An owner can change a computer’s file associations to open a .txt file with something else that would execute it. That would be unlikely and self-destructive. Malware could do the same thing. It would have to be a two-step process, first changing the file associations and then getting the user to open the text file. It’s rather obvious when the wrong application starts opening text files, so this doesn’t seem like a likely way to attack computers.

In the absence of any evidence that it’s possible to run malware by opening a text file, I’ll assume that the IC3 handed the report to someone with insufficient technical knowledge, who garbled the report. It’s still safe to open arbitrary .txt files with a text editor.

However, turn off that stupid option that hides file extensions! It’s completely irresponsible of Microsoft and Apple to make that the default. Also, be suspicious of any email you get that claims to be from the FBI or other government agencies. They rarely send official notifications that way.

Comments are closed.