On 2014-10-30 22:56, Dustin wrote:
> B00ze/Empire wrote in
> news:m2ufiq$od7$1@dont-email.me:
>
>> On 2014-10-30 15:23, Dustin wrote:
>>
>>> Dustin wrote in
>>> news:XnsA3D682CC1C8A0C9X238BHEUFHHI5RJ791@192.254.233.145:
>>>> B00ze/Empire wrote in
>>>>
>>>>> So HOW do you remove it? If I recall, RegEdit will not let you
>>>>> delete the key, so what's the trick? Please tell :-)
>>>>
>>>> Hehehehe.. It's piss easy. First, stop explorer.exe, then
>>>> terminate all dllhost processes. Make sure you leave yourself a
>>>> console prompt and have sysinternals regdelnull utility. :)
>>>>
>>>> Remove the registry keys that you can with regedit, finish up by
>>>> running the utility I mentioned above on ALL the system hives.
>>>
>>> Just so you know, I left out one detail, so I can ask virusguy
>>> about it later if he chimes in trying to take credit for what I
>>> told you to remove the beastie. I'd asked him days ago if he knew
>>> how. I know he doesn't, and I know as long as I skip certain
>>> things, I can determine if he's figured it out on his own, or is
>>> going by what I wrote.
>>>
>>> Also, while regedit won't let you do certain things with the
>>> registry, the API itself as well as other apps certainly will.
>>> The null character issue as well as the extended ASCII characters
>>> are a regedit.exe issue only. Blame typical MS programmers. The
>>> same people who told filemanager that directories don't exist if
>>> they're using extended ASCII in their filenames are the people I
>>> suspect wrote regedit with the silly limits it has.
>>>
>>> The malware itself is probably one of the easiest ones I've dealt
>>> with in years. Even though it has no actual file-based home, it's
>>> very easy to remove and is not very well protected at all. One
>>> might even say because of the way it's loading into the system,
>>> it's extremely vulnerable.
>>
>> Thanks! I got RegDelNull downloaded :-) What's amazing is that
>> Windows can actually execute registry keys, it boggles the mind.
>> What the hell were they thinking; Microsoft sometimes...
>
> It's not executing a registry key, per se. The program decodes
> itself from javascript back to its real executable self and makes a
> standard API call to run from memory there. Now, this will make you
> wonder what they were thinking: The very POC (which is what this
> actually was) was discussed on IRC #virus nearly 17 years or so ago;
> MS has known this could happen for nearly two decades. AV was
> informed of this, nearly two decades ago. NOBODY from MS or the AV
> companies took myself or my fellow VX associates seriously.
Windows still ends up running something, be it a PE file or Javascript,
off the registry key. Some bug in the registry routines makes reading
the key overwrite a return address or something? I'm afraid I'm not good
enough to understand how that works (I program COBOL and did lots of
Motorola assembler, but never coded on Windoze). To me it looks like
Windoze really has a way to execute registry keys, I mean as a feature...
> Now, they don't have any choice in the matter. They can't deny it's
> possible anymore. Someone had enough of their bull####. They wrote
> and released a demonstration of it. This is one of those cases where
> full disclosure is being used, because other methods of making this
> issue known had failed. Full disclosure being a viable, ITW sample;
> demonstrating that it works.
Watch them, they will wait until Windoze 12 to fix it. Microsoft is
really slow sometimes...
> Good thing this particular sample isn't actually viral and is only
> trying to steal some time from your browser. It could have been
> written to do some serious damage and known, at least for a while, no
> automated AV/AM tool would be hunting for it. As it is, any AV/AM
> tool that can scan for it, HAS BEEN RETOOLED to do it. I.e.: additional
> code was added to their engines, not just a definitions update. In
> order for them to detect and deal with this.
Good to know; thanks to you guys for having spread the word!
> [snip]
> I wrote the toadie virus to demonstrate a serious security issue I
> felt Pegasus email client had. I'd already tried contacting its
> author several months before the first toadie made it itw. The author
> blew me off with the sorry ass excuse; NO virus exploits my software,
> I'm not worried about this what if scenario you've presented me.
> what if scenario is it? Well, let's see about that. Now, if you
> google toadie, pegasus is stuck with the association; they HAD TO fix
> the program. They WOULD NOT have fixed it, had Toadie not existe
Found this: http://www.securiteam.com/securitynews/2CUQFS0S0S.html
Pretty good for a 6k program! I suspect long hours coding...
> I wrote the anticheck virus to demonstrate several flaws with the
> program known as Chekmate (a snake oil program, imo). I chatted with
> its author on usenet (alt.comp.virus) for some time. He got upset to
> the point where he thought publishing my real name would shut me up.
> :) He even resorted to lame trickery to acquire my real name. He
> denied he got the file I sent him, twice. He claimed he wouldn't
> download it from my website and until he'd seen it, he stated his
> program was safe from it and I was blowing smoke up peoples asses.
Even reputable AV companies do this today. There was this study
advertised here recently, where one guy found that installing an
AntiVirus actually increased the attack surface of your PC because lots
of AV have flaws in their designs. He says several companies, including
one I recall, Kaspersky, just ignored him.
> I also did this with a person known as Zvi Netiv, creator of the
> snake oil program known as Invircible. He claimed it could
> detect/prevent and reverse infections even by unknown viruses. He and
> I went back and forth about this for quite some time. I even published
> demo source in asic no less showing how to read his 'checksum' files
> and fix them; so if you modified a file, invircible wouldn't notice
> it. [g] That REALLY pissed him off. He threatened to sue me for
> unauthorized reverse engineering. LOL!
Lol, indeed, if all the program does is checksum files, especially if the
checksums are stored in an easy-to-engineer format, then you extract the
checksum routine and you can certify any files you want yourself. It's
very hard to protect software. When I think about it I think the best
way is to run several levels deep of crazy interpreters to hide the
code. I'm not good enough at Math to think of anything else. Obfuscation
is the best thing I know.
[snip]
> I didn't stop there though. I told him that his product would not
> only fail to detect me or changes I might make, it'll fail to remove
> me with his 'cure all' too. He wasn't saving enough information about
> the file's original state and my virus was a prepender, something his
> software was really ill equipped to handle. I went on to tell him
> that my virus could actually infect his software and ride along it,
> infecting a machine as it pleased and he would not only be a carrier,
> but he wouldn't be aware he was carrying me. :-)
Lol!
> He denied all of that too. This caught the attention of a reporter.
> That was very bad for him. The reporter took a sample of my krile
> virus and several types of viruses and tested them against
> Invircible. The result? Invircible was determined to be something you
> should avoid. I've still got a complete copy of the article, I'd be
> happy to post it if you'd like to read it for nostalgic purposes.
>
> Zvi even went so far as to claim that Krile was a destructive
> overwriter and that's why he couldn't clean files infected with it.
> Well, the problem is, overwriting viruses destroy their host during
> the infection process; there's no going back. The original program
> will never run. You'll *know* something is wrong after you try to run
> it the first time. Programs infected by krile would still run,
> although they would spread the virus to more programs.
The first virus that hit me (on my Amiga) was VERY destructive, it
proceeded deleting all the files on all disks, from newest to oldest.
When I ran the file and the hard disks went full-busy for 3 minutes I
knew something was wrong. "Viruses" have evolved so much since then...
> His program's self-check functions all failed to detect changes,
> because my virus would clean itself from the host prior to executing
> it, and put itself back when the host process(s) all terminated. It
> was sitting in memory watching and waiting, like a good little virus,
> minding its manners. [g]
There might be ways to detect you've not been loaded with the system
loader, I don't know enough about it to tell...
Best Regards,
--
! _\|/_ Sylvain / B00ze64@hotmail.com
! (o o) Member-+-David-Suzuki-Foundation/EFF/Planetary-Society-+-
oO-( )-Oo Gravity is a myth The earth sucks.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
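Sylvain's point above, that a checksum database kept in an easy-to-engineer format can simply be recomputed by whatever modified the file, illustrated as an added example (not Invircible's format and not either poster's code): an unkeyed CRC32 database beside a keyed HMAC whose key is assumed to be held off the host. The host files, the prepender stub and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import zlib

# Constructed sample "programs": two host files, one of which gets prepended.
SAMPLE_FILES = {
    "EDIT.EXE": b"MZ\x90\x00constructed host program one",
    "WP.EXE": b"MZ\x90\x00constructed host program two",
}
PREPENDER = b"PREPENDER-STUB:"                    # constructed stand-in for a prepending virus
HOST_KEY = b"constructed key kept off the host"   # assumption: never stored on the checked host

def unkeyed_db(files):
    """Integrity DB the way a naive checker keeps it: {name: CRC32}.
    Anything that can read the file can recompute every entry."""
    return {name: zlib.crc32(data) & 0xFFFFFFFF for name, data in files.items()}

def keyed_db(files, key):
    """{name: HMAC-SHA256(key, data)}. Recomputing an entry requires the key."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}

def verify(db, files, key=None):
    """Return the sorted names whose stored entry no longer matches the file."""
    current = keyed_db(files, key) if key is not None else unkeyed_db(files)
    return sorted(name for name in files if db.get(name) != current[name])

def prepend(files, target):
    """Model a prepender: the host is kept intact behind the inserted stub."""
    infected = dict(files)
    infected[target] = PREPENDER + files[target]
    return infected

def scenario():
    """Walk the four cases and return which files each check flags."""
    clean_crc = unkeyed_db(SAMPLE_FILES)
    clean_mac = keyed_db(SAMPLE_FILES, HOST_KEY)
    infected = prepend(SAMPLE_FILES, "EDIT.EXE")
    return {
        # Checker with its original DB: both schemes catch the changed host.
        "crc_flags": verify(clean_crc, infected),
        "mac_flags": verify(clean_mac, infected, HOST_KEY),
        # The modifying code rewrites the unkeyed DB: the checker now sees nothing.
        "crc_flags_after_db_rewrite": verify(unkeyed_db(infected), infected),
        # The same rewrite against the keyed DB with a guessed key: every entry
        # fails, which is louder than the original infection, not quieter.
        "mac_flags_after_db_rewrite": verify(keyed_db(infected, b"guess"), infected, HOST_KEY),
    }
```

The takeaway for a defender is that the checker's strength comes from what the modifying code cannot recompute (the key, or a copy of the database kept off the host), not from the checksum routine itself.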