echo: alt-comp-anti-virus
to: ALL
from: VIRUS GUY
date: 2014-08-03 23:43:00
subject: Registry-infecting reboot

And I continue to ask why all AV/AM products are LAME, LAME I say,
because they can't scan the registry of a drive that's been connected as
a slave to a known/good system.

At least in Windows 9x/me, you can boot into DOS and switch your
system.dat and user.dat files to a previous version or backup.

  "The non-ASCII trick is a tool Microsoft uses to hide its source
   code from being copied, but the feature was later cracked."

Let me guess.  These "non-ascii" registry entries were introduced /
enabled by Macro$haft at some point in the deployment of the NT-based
line of Windoze, and as such are not possible under 9x/me - right?

What have I said before?

The Windoze NT line of Operating Systems:  The bloat and vulnerabilities
go in before the name goes on.

------------------------------------

Registry-infecting reboot-resisting malware has NO FILES
Anti-virus doesn't stand a chance because there's nothing for it to scan

By Darren Pauli, 4 Aug 2014

Researchers have detailed a rare form of malware that maintains
infection on machines and steals data without installing files.

The malware resides in the computer registry only and is therefore not
easy to detect.

Its code reaches machines through a malicious Microsoft Word document
before creating a hidden encoded autostart registry key, malware
researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says.
It then creates and executes shellcode and a payload Windows binary.

"All activities are stored in the registry. No file is ever created,"
Rascagneres said in a post.

"So, attackers are able to circumvent classic anti-malware file scan
techniques with such an approach and are able to carry out any desired
action when they reach the innermost layer of [a machine] even after a
system re-boot.

"To prevent attacks like this, anti-virus solutions have to either catch
the initial Word document before it is executed (if there is one),
preferably before it reached the customer's email inbox."

Windows Regedit cannot read or open the non-ASCII key entry. Rascagneres
said the feature set was akin to a Matryoshka Doll due to its subsequent
and continual 'stacked' execution of code.

The non-ASCII trick is a tool Microsoft uses to hide its source code
from being copied, but the feature was later cracked.

Security kit can alternatively detect the software exploit, or as a
final step monitor the registry for unusual behaviour, he said.

Malware geeks on the KernelMode.info forum last month analysed one
sample which exploited the flaws explained in CVE-2012-0158 that
affected Microsoft products including Office.

Deviants distributed the malware under the guise of Canada Post and UPS
emails purportedly carrying tracking information.

"This trick prevents a lot of tools from processing this malicious entry
at all and it could generate a lot of trouble for incident response
teams during the analysis. The mechanism can be used to start any
program on the infected system and this makes it very powerful,"
Rascagneres said.

Rascagneres has made a name ripping malware and bots to uncover and
undermine black hat operations. He won last year's Pwnie Award at Black
Hat Las Vegas for tearing through the infrastructure of Chinese hacker
group APT1.

http://www.theregister.co.uk/2014/08/04/registryinfecting_rebootresisting_malware_has_no_files/
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
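The article says the autostart value is hidden behind a name Regedit cannot display and carries an encoded stage rather than a program path, and that the remaining defence is to watch the registry for unusual entries. The following is an added example, not code from the article, from Rascagneres or from any AV product: it flags autostart values whose names fall outside printable ASCII or whose data holds a long base64-like run, over a constructed sample list (and, on Windows, over the live HKCU Run keys). The thresholds and the `RUN_KEYS` shortlist are assumptions; the same check applies to entries dumped from a hive on a drive slaved to a clean system.

```python
import re

# Autostart locations most relevant to the technique described (assumed shortlist).
RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run", r"Software\Microsoft\Windows\CurrentVersion\RunOnce")

def name_is_hidden(name: str) -> bool:
    """True if the value name contains characters outside printable ASCII
    (NUL, other control characters, non-ASCII), which Regedit cannot show."""
    return any(ord(c) < 0x20 or ord(c) > 0x7E for c in name)

def data_looks_encoded(data: str, min_run: int = 200) -> bool:
    """True if the data holds a long base64-like run, i.e. an encoded stage
    rather than the plain program path a normal Run value carries."""
    return re.search(r"[A-Za-z0-9+/=]{%d,}" % min_run, data) is not None

def suspicious_entries(entries):
    """entries: iterable of (key_path, value_name, value_data) triples, from a
    live enumeration or from a hive dumped off a drive mounted elsewhere."""
    hits = []
    for key, name, data in entries:
        reasons = []
        if name_is_hidden(name):
            reasons.append("value name not displayable in Regedit")
        if data_looks_encoded(str(data)):
            reasons.append("long encoded blob in value data")
        if reasons:
            hits.append((key, name, reasons))
    return hits

def live_hkcu_run_entries():
    """Enumerate HKCU Run/RunOnce values on Windows; return [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    out = []
    for sub in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    out.append((sub, name, data))
        except OSError:
            pass  # key absent or not readable; skip it
    return out

# Constructed sample entries (not real indicators): one benign, one hidden and encoded.
SAMPLE = [
    (RUN_KEYS[0], "Updater", r"C:\Program Files\Vendor\updater.exe"),
    (RUN_KEYS[0], "\x00\x1fhidden", "A" * 300),
]
```

Run `suspicious_entries(SAMPLE + live_hkcu_run_entries())` to list the flagged values with the reason for each; on a non-Windows host only the constructed sample is examined.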

SOURCE: echomail via QWK@docsplace.org
