Dustin wrote in
news:XnsA3D7C855C651AC9X238BHEUFHHI5RJ791@192.254.233.145:
> B00ze/Empire wrote in
> news:m313uv$88c$1@dont-email.me:
>
>> Windows still ends-up running something, be it a PE file or
>> Javascript, off the registry key. Some bug in the registry
>> routines makes reading the key overwrite a return address or
>> something? I'm afraid I'm not good enough to understand how that
>> works (I program COBOL and did lots of Motorola assembler, but
>> never coded on Windoze). To me it looks like Windoze really has a
>> way to execute registry keys, I mean as a feature...
>
> It's running a PE file when it decodes into memory, and instead of
> asking the api to parse a header like it would on disk, it's
> pointing to the memory location instead. Nobody has ever said you
> couldn't pass control to something you loaded into memory.
> *hehehe*
>
>>> Now, they don't have any choice in the matter. They can't deny
>>> it's possible anymore. Someone had enough of their bull####.
>>> They wrote and released a demonstration of it. This is one of
>>> those cases where full disclosure is being used, because other
>>> methods of making this issue known had failed. Full disclosure
>>> being a viable, ITW sample; demonstrating that it works.
>>
>> Watch them, they will wait until Windoze 12 to fix it. Microsoft
>> is really slow sometimes...
>
> I don't see any easy fix per se. But, they could fix regedit so
> that it can handle null and extended ASCII registry entries. That
> would be very useful.
>
>>> Good thing this particular sample isn't actually viral and is
>>> only trying to steal some time from your browser. It could have
>>> been written to do some serious damage and know, at least for a
>>> while, no automated AV/AM tool would be hunting for it. As it
>>> is, any AV/AM tool that can scan for it, HAS BEEN RETOOLED to do
>>> it. I.e.: additional code was added to their engines, not just a
>>> definitions update. In order for them to detect and deal with
>>> this.
>>
>> Good to know; thanks to you guys for having spread the word!
>
> I'm retired Vx. :) This neat registry malware sample isn't my
> work.
>
>> Found this:
>> http://www.securiteam.com/securitynews/2CUQFS0S0S.html Pretty
>> good for a 6k program! I suspect long hours coding...
>
> Ayep. One minor thing though, it's not written in Pascal. [g]
>
>> Even reputable AV companies do this today. There was this study
>> advertised here recently, where one guy found that installing an
>> AntiVirus actually increased the attack surface of your PC
>> because lots of AV have flaws in their designs. He says several
>> companies, including one I recall, Kaspersky, just ignored him.
>
> hehehehe... he has a point.
>
>> Lol, indeed if all the program does is checksum files, especially
>> if the checksums are stored in an easy to engineer format, then
>> you extract the checksum routine and you can certify any files
>> you want yourself. It's very hard to protect software. When I
>> think about it I think the best way is to run several levels deep
>> of crazy interpreters to hide the code. I'm not good enough at
>> Math to think of anything else. Obfuscation is the best thing I
>> know.
>
> It's a cobbled together set of utilities actually. It uses
> multiple methods to try and detect unknown malware. Its change
> detection technology relies on checksum-like files though. [g]
>
>
>>> I didn't stop there though. I told him that his product would
>>> not only fail to detect me or changes I might make, it'll fail
>>> to remove me with his 'cure all' too. He wasn't saving enough
>>> information about the file's original state and my virus was a
>>> prepender, something his software was really ill equipped to
>>> handle. I went on to tell him that my virus could actually
>>> infect his software and ride along it, infecting a machine as it
>>> pleased and he would not only be a carrier, but he wouldn't be
>>> aware he was carrying me. :-)
>>
>> Lol!
>
> Well, it's a prepender. It *HAS TO* restore the host, preferably
> to the very byte, before it can execute it. :) So... it stands to
> reason, most self checks/sanity checks are going to fail to find
> the changes; as when they're put into use, the file has been
> restored to perfect condition. [g]
>
>> The first virus that hit me (on my Amiga) was VERY destructive,
>> it proceeded deleting all the files on all disks, from newest to
>> oldest. When I ran the file and the hard disks went full-busy for
>> 3 minutes I knew something was wrong. "Viruses" have evolved so
>> much since then...
>
> Well.. sort of. What you're describing sounds like a trojan. :)
> Viruses replicate. Detonating a payload on the first run if the
> virus contains one is suicide for the virus. It wants to live. On
> your machine(s), on your friends' machine(s), on your family's
> machine(s), etc.
>
>>> His program's self-check functions all failed to detect changes,
>>> because my virus would clean itself from the host prior to
>>> executing it, and put itself back when the host process(s) all
>>> terminated. It was sitting in memory watching and waiting, like
>>> a good little virus, minding its manners. [g]
>>
>> There might be ways to detect you've not been loaded with the
>> system loader, I don't know enough about it to tell...
>
> Ayep. One of my own fellow Vxers did it. They trapped my virus. As
> soon as it restored the host and tried to launch it, they
> terminated me. Voilà; self clean. [g] An Aver who posted to
> alt.comp.virus took advantage of it too... lol, in a different
> way, but the result was the same. they were both able to trick my
> virus into cleaning the file being executed and not returning to
> it.
Interesting... well, sort of.
--
Jax
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
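On the checksum point raised in the thread (if the checksum format is easy to work out, anyone who extracts the routine can certify whatever files they like), here is an added example; it is not code from this thread or from any product discussed in it. It contrasts an unkeyed SHA-256 manifest with an HMAC-SHA256 manifest: both catch a changed file, but only the unkeyed one can be rebuilt by whoever made the change. The sample files, the prepended bytes and the key name CHECKER_KEY are constructed for the example. Note that the keyed variant only moves the problem to protecting the key, and neither variant addresses the restore-before-execute behaviour described above: an on-disk check that runs after the host has been put back sees a clean file, so that case calls for runtime monitoring rather than more checksums.

```python
import hashlib
import hmac

# Constructed stand-ins for files on disk: name -> contents. A real tool
# would read these from the filesystem; in-memory bytes keep the example
# self-contained.
SAMPLE_FILES = {
    "hello.exe": b"MZ\x90\x00" + b"original program body",
    "readme.txt": b"plain text, nothing executable here",
}

# Hypothetical key held by the integrity checker, stored away from the
# files it protects (e.g. in the checker's own protected configuration).
CHECKER_KEY = b"example-secret-key-not-for-production"


def build_plain_manifest(files):
    """Unkeyed manifest: name -> SHA-256 hex. Anyone can recompute it."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def build_keyed_manifest(files, key):
    """Keyed manifest: name -> HMAC-SHA256 hex. Recomputing it needs the key."""
    return {name: hmac.new(key, data, "sha256").hexdigest() for name, data in files.items()}


def verify_manifest(manifest, files, key=None):
    """Return the sorted names whose current contents do not match the manifest.
    With key=None the manifest is treated as plain SHA-256, otherwise as HMAC-SHA256."""
    mismatches = []
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None:
            mismatches.append(name)  # a missing file counts as a change
            continue
        if key is None:
            actual = hashlib.sha256(data).hexdigest()
        else:
            actual = hmac.new(key, data, "sha256").hexdigest()
        # constant-time comparison so the check itself leaks nothing about the digest
        if not hmac.compare_digest(actual, expected):
            mismatches.append(name)
    return sorted(mismatches)


def modify_file(files, name, prefix):
    """Constructed change: put extra bytes in front of one file's contents."""
    changed = dict(files)
    changed[name] = prefix + files[name]
    return changed


def demo():
    plain = build_plain_manifest(SAMPLE_FILES)
    keyed = build_keyed_manifest(SAMPLE_FILES, CHECKER_KEY)
    changed = modify_file(SAMPLE_FILES, "hello.exe", b"added stub ")

    # Both manifests catch the change as long as they stay as built...
    detected_plain = verify_manifest(plain, changed)
    detected_keyed = verify_manifest(keyed, changed, CHECKER_KEY)

    # ...but whoever changed the file can rebuild the plain manifest and
    # "certify" the new contents, because doing so needs no secret.
    recertified_plain = verify_manifest(build_plain_manifest(changed), changed)

    # Rebuilding the keyed manifest without the real key produces entries
    # that all fail against the checker's key.
    recertified_keyed = verify_manifest(
        build_keyed_manifest(changed, b"wrong guess"), changed, CHECKER_KEY)

    return {
        "detected_plain": detected_plain,
        "detected_keyed": detected_keyed,
        "recertified_plain": recertified_plain,
        "recertified_keyed": recertified_keyed,
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running the block prints the four outcomes: the changed file is reported by both manifests, the rebuilt plain manifest reports nothing, and the keyed manifest rebuilt with a wrong key reports every file. The design choice that matters is where the key lives: if it ships inside the checker next to the manifest, the HMAC degrades to the plain case the thread describes.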