File extension: .timp?

Discussion in 'Computer Science & Culture' started by Tiassa, Oct 24, 2009.

Thread Status:
Not open for further replies.
  1. Tiassa Let us not launch the boat ... Valued Senior Member

    Messages:
    37,884
    I'm just curious because lately some advertisers have been successfully slipping through Apple's security measures and automatically downloading small files to the desktop. Routinely, I delete the files and generally don't worry about it. The last random virus and spyware detections I ran say the system is fine, which is, of course, comforting.

    But I am curious as to why these files are making it to my desktop. In all the years I've used Apple, I've never seen this until recently, which makes me wonder whether advertising software developers have found a way around Apple's safeguards or there was a bug in the latest security update. I'm tracking that question down through the usual sites, so I'm not worried. I'll have my answer soon. (Apple users are notoriously bitchy about this sort of thing, so problematic issues become well-known quickly. Even I have thrown at least one public tantrum about bugs in the operating system.)

    But I'm curious about the latest. AlterNet, of all sites, just downloaded an allegedly blank (zero kb) file called ad.timp.

    I've never encountered this file extension before. Indeed, I looked it up on Google and got a flock of results for .tmp files, but nothing on .timp.

    Anyone? Anyone? What is this file extension? Is it some silly typo for a .tmp? Is it something new? Or maybe old but very, very obscure? What does it do?

    I hope not to be paranoid about this, since my system appears to be just fine right now, but I'm always curious when I encounter a file extension I've never seen before. Even some now-classic file extensions I use so rarely that I have to go back and look them up when I encounter them.

    Thanks.
     
  3. EntropyAlwaysWins TANSTAAFL. Registered Senior Member

    Messages:
    1,123
    When I encounter an unusual file extension, this site is quite helpful.
    However it doesn't seem to have any record of it, which suggests it's either *very* obscure (i.e., someone decided to invent their own file extension that no one else uses) or a typo.
     
  5. Tiassa Let us not launch the boat ... Valued Senior Member

    Messages:
    37,884
    Strange one, indeed

    Yeah, I tried FileXT, and they had nothing. Couldn't find anything with a Google search for .timp file extension. So I just gave up for the night and went and watched some porn. I mention that only because I sat through one of the most insanely bad home videos I've ever seen. Absolutely amazing. I mean, I know sex can be dull and boring, but holy flirking schnit.

    Everything's running fine so I'll check in with the user community about the security issue tomorrow. Later today. Something like that.
     
  7. draqon Banned Banned

    Messages:
    35,006
    have you tried renaming the file extension to .tmp? perhaps it's a mistake on the programmer's part.
     
  8. draqon Banned Banned

    Messages:
    35,006
    also TIM is a texture image file for Playstation.
     
  9. draqon Banned Banned

    Messages:
    35,006
    and are you sure .timp is an actual extension of that file? what if it's just a name?
     
  10. PsychoTropicPuppy Bittersweet life? Valued Senior Member

    Messages:
    1,538
    Reminds me of a programmable instant messaging platform..accidentally called TIMP.
    Anywaaaay,
    these downloads are most probably javascript ads from servers that instead of popping up in a window (maybe you have blocked pop-up windows?) are getting downloaded as an empty file/folder.
    There are javascript/flash blockers for Safari as far as I know..get them, and it may fix the problem. Though, I admit, I'm just guessing, and can't say that I'm a Mac connoisseur.
     
  11. Tiassa Let us not launch the boat ... Valued Senior Member

    Messages:
    37,884
    Notes Around

    The basic file information:



    Indeed, I'm becoming more comfortable with this file extension, as I had to go back and download it anew just for that image. Still, I don't get the zero k thing.

    • • •​

    The underlying—nearly disturbing—issue is the fact of the automatic download. As I said, that's new behavior, and it's not so much a matter of a new ad blocker yet. Apple itself will likely fix whatever pathway the thing followed in the next security update. So the only real question left is to figure out what the file is about.

    I'm actually inclined toward Draqon's suggestion right now, that it is some sort of "error". Which reminds me:

    • • •​

    No. And I won't. As I understand it, .tmp files can carry hostile software. So as I see it, I would have to be foolish to change the extension and possibly empower something. To the other, I don't recall ever seeing my computer make or use a .tmp file; I think Apple uses something different, or else it's only accessible to root-level users (the standard user setup is to cut off the user's root access, because, well, people can be stupid and it's very easy to screw up the OS by moving or deleting the wrong file).

    If this was somehow a hostile file, though, I'm also not particularly worried about it, as it would most likely be aimed at Windows users.
     
  12. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    From the look of it the web server running the adverts has specified its own handler. This basically means that the server defines an extension to run as script, in this instance .timp

    For some reason you are downloading the .timp file from the server while it parses something else. It's possible this file is acting as an anonymous tracker. (Namely it doesn't keep data on you, but should it be picked up on on your computer through a virus, or just adware, it can identify that your computer is susceptible to that sort of file push. It would easily be found considering it's a personalised extension.)

    It is possible that the programmer of the script has made a mistake in their code and that no file should be created from using the URL. It's also possible that they were supposed to have a 1 x 1 pixel in its place but generated a zero-byte file instead. (This is a standard practice when used for iterating scripts in PHP that require CRON events to be triggered without direct access to CRON)

    On its own, it isn't anything to worry about, especially if your operating system hasn't got a configured handler for that extension.

    In short I guess I'm saying, Ignore it, it's nothing too dangerous.
     
  13. PsychoTropicPuppy Bittersweet life? Valued Senior Member

    Messages:
    1,538
    Hmm, Tiassa, what Mac OS /browser are you using?

    Are you using Tiger 10.4.11 / Safari 4.03 ?

    You said that it was happening quite often lately, right? After an update? What were the other files named? Did they also have extensions, or none? Were they also 0 Kb?
     
  14. Tiassa Let us not launch the boat ... Valued Senior Member

    Messages:
    37,884
    This and that

    Safari 4.03 on 10.4.11.

    I wouldn't go so far as to say quite often. It's happened twice that I know about. The other was a .pdf download generated by an ad server on a porn site I was viewing with Camino 1.6.10. That was a .pdf that originated from a website I couldn't find. I destroyed it, as well, immediately, and I probably can't reproduce it as easily as I managed to get another version of ad.timp. And I do not recall that the .pdf was zero k.

    • • •​

    Note for Stryder:

    I also posted the situation on my blog, to cast a wider net for advice. Can I reproduce your insight there, as well (with credit and a thread link)?

    • • •​

    Aside from a perpetually broken heart, no. I need to quit smoking again, because my health is finally starting to remind me of my age. And, frankly, at thirty-six, I shouldn't be feeling so poorly. I'll know more next month after a physical, or even Monday after I have a damaged tooth fixed and find out if I'm carrying a related infection.

    As to jogging, I got a shock when I tried to take it up last year. When I tried to quit smoking a couple years ago, I put on thirty pounds. Thinking I would just start exercising to lose the weight, I was surprised to discover that no, the heavy people I know weren't just bitching when they said they "couldn't" run. The cardiovascular aspect is one thing, but the impact shock of carrying the extra thirty pounds on a bone structure unaccustomed to that weight was tremendous. I still need to drop about fifteen pounds before I can run for exercise again.

    Right next to Tacoma? That could be either good or bad these days. I'm curious as to where, but you can send that to me privately if you're so inclined, or not if not. I understand. (I mean, you can post it publicly, too, but some people are wary of that from the outset.)
     
    Last edited: Oct 24, 2009
  15. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    You could do but I by no means am an authority on the subject. I would query if somehow your /Desktop folder is being used for temporary storing files from your browser. If that was the case, the simplest solution to your current file problem is to perhaps look through your browser settings to see where it's been told to store tempfiles.
     
  16. John99 Banned Banned

    Messages:
    22,046
    timp is 'total instant moron protocol'.
     
    Last edited: Oct 25, 2009
  17. Tiassa Let us not launch the boat ... Valued Senior Member

    Messages:
    37,884
    The temporary mysteries?

    TMP is a name for a hidden directory in OS X; in truth, I have no idea what our temporary files are actually called. I never see them, never need to. (Those who are familiar with BSD—or UNIX or LINUX—will know much, much more about OS X file and directory structure than I do.)

    The Desktop is the default download target. Apple users are accustomed to simply downloading, throwing the files into a newly-created directory, and then moving that directory to where it needs be. It's a clean, simple process. But temporary files are stored—as I understand it—according to each application's design; that is, there is no uniform temporary-file storage directory.
     
  18. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    Tiassa, perhaps you should query Dave if you still speak to him. I'm pretty sure that the timp file was just a temporary file that somehow ended up left on your desktop, perhaps during saving a website page or something like that. Dave would have more of a clue in regards to how files are allocated temporarily.
     
  19. Tiassa Let us not launch the boat ... Valued Senior Member

    Messages:
    37,884
    This and that

    Stryder

    I haven't communicated with Dave in years. I've a local contact that can probably answer the question if I can track him down; he's been off the grid for a couple months to the point that I don't even know if he's alive. I mean, I would figure to hear if he died or something, but wherever he is, he's in a dark state of mind right now; last I heard, he was watching his father die slowly of a degenerative disease.

    However, the idea of a pathway error makes sense. I don't use AlterNet that much, but I've never thought of them as complete bastards. And this file extension seems to be some sort of freak occurrence, because nobody seems to have a record on it, and that's just not like the tech community.

    All that's left is the how and why, and, frankly, I'm leaving that up to Apple. We're due for a general update in the next couple weeks; it's been almost a month since the last one, so we'll see what they come up with. Last time, I threw a hissy fit about a couple of application bugs in the update, which was resolved, quite literally, the next day by a new update.

    Meanwhile, I haven't found a whole lot of noise about unauthorized downloads at the usual user community sites, so I think the problem is just now emerging as a result of coincidence; a bug in the security setup, a coincidence of pathways, and the like. It will likely be taken care of soon, else we're witnessing the leading edge of what will become a major embarrassment for Apple as more and more websites find the pathway and start dropping things onto the desktop.

    I think the pathway for where the file was supposed to go is /Users/(username)/Library/Safari/LocalStorage.

    With Camino and Firefox, it's a little more complicated, but I think I found the files I'm looking for, because ....

    • • •​

    PsychoTropicPuppy

    Found it. The other file that made it to my desktop was zaz.klqpof.info/lpvz/xd/pdf.pdf. The Google Safe Browsing report on the file isn't encouraging.

    I found the filename recorded in Camino's downloads.plist and dropped it into Google:

    What is the current listing status for zaz.klqpof.info?

    This site is not currently listed as suspicious.​

    What happened when Google visited this site?

    Of the 4 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-10-04, and the last time suspicious content was found on this site was on 2009-10-04.

    Malicious software includes 2 exploit(s), 1 scripting exploit(s).

    This site was hosted on 1 network(s) including AS30099 (SB).​

    Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, zaz.klqpof.info did not appear to function as an intermediary for the infection of any sites.​

    Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 1 domain(s), including downloadmedicinebooks.blogspot.com/.​

    I'm trying to think if I hit the infected site recently. Or ever. I do have a BlogSpot (blogger.com) account, but it's highly unlikely that the malware in question could make it through that network without Google knowing about it. BlogSpot/Blogger are part of the Google structure.
     
  20. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    According to a search on the internet, the pdf.pdf file would have likely been a trojan payloader that would attempt to exploit Adobe's Acrobat Reader. If you've updated Acrobat or are using a third party pdf reader then the exploitation wouldn't work, and even if it did I think the payload was written for a Windows architecture so it would just deposit the output somewhere else other than where it was supposed to go. (In this instance Desktop as a catch all)

    In essence I think you're good, Tiassa; of course it will now concern Windows users.
     
  21. ellevt Registered Member

    Messages:
    2
    Similar problems with safari

    Hello, I'm new to this forum but this is the first I've seen someone else having the same problem, anywhere on the internet.

    I've been getting automatic downloads of the ad.timp files and also these blank text files all named download.txt (or download-1, -2 etc). I can definitely trace this to the new update of Safari 4.0.3. I don't seem to have the problem at all using Firefox. Also certain websites seem to be worse, especially fark --or maybe I just spend proportionately more (too much) of my time there...

    I have Norton antivirus that updates and scans weekly, and so far nothing has shown up. I feel the same way though; it bothers me that these things are downloading automatically to my desktop. I delete them as they come, but at the very least it's annoying!

    Do I have anything to worry about? Do you all think my computer is protected enough with the Norton (I am not particularly tech savvy)?
     
  22. Tiassa Let us not launch the boat ... Valued Senior Member

    Messages:
    37,884
    The general outlook says you're safe, for now

    The ad.timp file seems harmless for now. The pdf.pdf file is toxic, but we think it's aimed at Windows users, so if you just delete the file when it turns up, it should be fine.

    (As a precautionary measure, check the file information on some random file on your desktop. Make sure the Preview section is closed, so that the system doesn't try to access the file data when you bring up file information on suspected malware.)

    Oh, and welcome to our humble bedlam. We hope you enjoy your time with us.
     
  23. PsychoTropicPuppy Bittersweet life? Valued Senior Member

    Messages:
    1,538
    Hmm, this issue is prevalent in Tiger/Safari 4.0.3. - apparently it has something to do with how it deals with certain http calls, and eventually considers them as downloadable files and just downloads them.
    I would say that it's more of a matter of it being annoying, but not malicious (so far).
    But true, I would say that this is a serious vulnerability issue as it doesn't even ask you whether to download it or not..it just downloads it, and honestly it could be considered as a possible malware vector.
    And obviously this issue hasn't been solved yet, and therefore I would suggest that you revert back to a previous Safari version (4.0.). But then you'd be also lacking quite a few security patches...so I suggest that you'd rather use Mozilla..-- but thinking about it..it's better to revert back to a previous version of Safari as I consider automated downloads that do act without the consent of the user as a bigger threat. But that's just me..

    Other than that there are several threads on apple.com discussing this issue about the Safari 4.0.3.
    From what I've noted this problem exists since around August and has still not been taken care of. Talking about poor support.

    Looks to me that Tiassa's Safari is also suffering from that vulnerability issue..though it's really strange that it downloads .pdf, and .timp, of which about the latter I've never ever heard before, and first thought that it's just the name of the file: ad.timp -- I was actually wondering if you were suffering from the same issue as ellevt, but somehow your case is slightly different..-- like you've mentioned the .pdf was in camino..-- which again could also mean that the .pdf is unrelated to the .timp dl. Or uhm...*cough* f*ck knows.

    Some people were complaining that whenever they visited a website the download thingy would appear suddenly, but when they'd look at the download location (like some have it set up that all downloads get downloaded to the desktop, etc) there was nothing. Apparently those files and folders were downloaded to a completely different location...as they found out later.
     
    Last edited: Oct 25, 2009
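A triage check for the kind of unexpected files this thread describes (an empty file with an unknown extension, blank download.txt files, a .pdf of uncertain content), added here as an example and not code from any poster. It looks only at name, size and the first 8 bytes, never opening the file in a viewer; the sample file names and bytes in `build_sample_folder` are constructed, and the signature table is a small illustrative subset.

```python
import os
import tempfile

# Leading bytes ("magic numbers") for a few common formats (illustrative subset).
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"],
    ".zip": [b"PK\x03\x04"],
}
# Ordinary extensions that have no fixed leading signature.
PLAIN = {".txt", ".html", ".css", ".js", ".tmp"}


def triage(path):
    """Return (size, findings) for one file, reading at most 8 bytes of it."""
    size = os.path.getsize(path)
    ext = os.path.splitext(path)[1].lower()
    findings = []
    if size == 0:
        findings.append("zero-byte")
    if ext not in MAGIC and ext not in PLAIN:
        findings.append("unrecognized-extension")
    if ext in MAGIC and size > 0:
        with open(path, "rb") as fh:
            head = fh.read(8)
        if not any(head.startswith(sig) for sig in MAGIC[ext]):
            findings.append("content-does-not-match-extension")
    return size, findings


def scan(folder):
    """Triage every regular file in folder; return {name: findings} for flagged ones."""
    report = {}
    for name in sorted(os.listdir(folder)):
        full = os.path.join(folder, name)
        if os.path.isfile(full):
            _, findings = triage(full)
            if findings:
                report[name] = findings
    return report


def build_sample_folder():
    """Constructed sample files standing in for a download folder."""
    folder = tempfile.mkdtemp()
    samples = {
        "ad.timp": b"",                             # empty, unknown extension
        "download.txt": b"",                        # empty text file
        "mismatch.pdf": b"constructed, not a PDF",  # constructed mismatch case
        "manual.pdf": b"%PDF-1.4\nconstructed",     # header matches extension
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return folder


if __name__ == "__main__":
    for name, findings in scan(build_sample_folder()).items():
        print(name, findings)
```

A matching header only shows that the file claims to be that format; it says nothing about whether the content is safe to open.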