
Undetectable VX2!!!!!!
Cleaning up a Sony Vaio Windows XP Home notebook brought in yesterday was seeming a bit difficult, but Adaware finally gave it a clean sweep - but a few minutes later Adaware came up with a full infection of Ezula, which hadn't been on the machine before - and without an Internet connection or rebooting or running a Web browser.
  • Option Explicit's DLLCompare showed a massive infection - over 40 invisible dlls.

  • The reason this VX2 didn't show up is that only the invisible back-end engine is being used without the detectable VX2 front end. Since Windows can't see the protected dlls scanners can't find them. The back end is being used to launch other infections, apparently from encrypted files.

  • Adaware "Smart Scan" came up empty handed, but a "Full System Scan" did find one VX2 file, possibly the source of the infection.

  • Unlike in my [link|http://z.iwethey.org/forums/render/content/show?contentid=189280|previous VX2 post], the VX2 front end was never relaunched.

  • Regedit could not delete certain keys in the "Run" folder - just gave an error saying they couldn't be deleted.

  • Debug mode was turned off even for Administrator.

  • HijackThis showed only the fresh infections of conventional parasites that mysteriously appeared.

  • The LSP protocol stack had strange protocol interceptors appear every once in a while.

  • Search redirects reappeared in the hosts file within seconds of editing that file. If I deleted the hosts file, a new one appeared within a few seconds. The deleted hosts file did not appear in the Recycle Bin.

  • The Recycle Bin claimed there were 6 files in it but none appeared and "Empty Recycle Bin" had no effect on the count. After cleaning up the dlls (a tedious procedure) and rebooting, I removed the desktop.ini from the recycle bin and the files appeared on the next reboot.
This is getting very bad. My prediction that by the end of the year people will not be able to afford to use a Windows computer on the Internet may have been a bit optimistic.
[link|http://www.aaxnet.com|AAx]
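The post above describes search redirects reappearing in the hosts file within seconds of editing it. As an added example (not code from the post or from any of the tools it names), here is a small Python triage script for that symptom: it parses hosts-file content, flags mappings of search-engine and security-vendor hostnames (a redirect to a foreign address, or a loopback entry that blocks the vendor site), and diffs two snapshots so a reappearance can be caught by polling. The watch list, the 203.0.113.x addresses and both sample hosts contents are constructed for the example.

```python
"""Hosts-file hijack triage: added example, not code from the original post or from
any tool it names. Domains, addresses and sample hosts contents are constructed."""
import hashlib
import ipaddress
from typing import List, Set, Tuple

# Hostnames whose presence in a hosts file is itself suspicious: search engines and
# security vendors, the classic targets of search redirects and update blocking.
# Constructed watch list for the example; extend it for real triage.
WATCHED_SUFFIXES = (
    "google.com", "yahoo.com", "msn.com",
    "lavasoft.de", "symantec.com", "microsoft.com",
)

# Mapping one of those names here does not redirect traffic, it blocks it.
LOOPBACK_AND_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every active mapping.

    Comments and blank lines are skipped; one line may map several names to one
    address. Lines whose first field is not an IP address are ignored, not trusted."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((line_no, ip, name.lower().rstrip(".")))
    return entries


def is_watched(hostname: str) -> bool:
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text: str) -> List[Tuple[int, str, str, str]]:
    """Flag watched hostnames: 'redirect' when sent to a foreign address,
    'blocked' when pinned to loopback/null so the site can never be reached."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        if is_watched(name):
            kind = "blocked" if ip in LOOPBACK_AND_NULL else "redirect"
            hits.append((line_no, ip, name, kind))
    return hits


def fingerprint(text: str) -> str:
    """Cheap change detector: poll the file and compare digests to catch a rewrite."""
    return hashlib.sha256(text.encode("utf-8", "surrogateescape")).hexdigest()


def mapping_changes(before: str, after: str) -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    """(added, removed) mappings between two snapshots, ignoring comments and line order."""
    old = {(ip, name) for _, ip, name in parse_hosts(before)}
    new = {(ip, name) for _, ip, name in parse_hosts(after)}
    return new - old, old - new


# Constructed snapshots: a file resembling the stock XP hosts file, then the same
# file after a rewrite. 203.0.113.0/24 is the TEST-NET-3 documentation range,
# standing in for a real redirect target.
CLEAN_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "127.0.0.1       localhost\n"
)
REWRITTEN_HOSTS = CLEAN_HOSTS + (
    "203.0.113.10    www.google.com google.com\n"
    "203.0.113.10    search.msn.com\n"
    "127.0.0.1       www.lavasoft.de   # vendor site blocked\n"
)

if __name__ == "__main__":
    for hit in find_hijacks(REWRITTEN_HOSTS):
        print("line %d: %-16s %-20s %s" % hit)
    added, removed = mapping_changes(CLEAN_HOSTS, REWRITTEN_HOSTS)
    print("added:", sorted(added), "removed:", sorted(removed))
    print("changed:", fingerprint(CLEAN_HOSTS) != fingerprint(REWRITTEN_HOSTS))
```

To use it against a live machine, read `%SystemRoot%\system32\drivers\etc\hosts` in a loop, compare `fingerprint()` between reads, and run `find_hijacks()` and `mapping_changes()` on the old and new contents whenever the digest changes; the process that rewrites the file is then the one to hunt for.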
Maybe because it isn't the traditional one?
[link|http://www.theregister.co.uk/2005/03/11/alternative_slimeware/|Java Based VX2 like] malware installer.

ICK.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

[link|http://it.slashdot.org/comments.pl?sid=134485&cid=11233230|"Microsoft Security" is an even better oxymoron than "Military Intelligence"]
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
This one was real VX2 . .
. . just with the detectable part cut off.

That Java thing looks real nasty - I'll watch for it. One more nail in the Windows Inet coffin.
Is there even room to fit one more nail? ;-)
Depends on how many infections a given machine has.
I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
Re: Undetectable VX2!!!!!!
Did you win the battle?

Did you use killbox to get rid of the invisible dlls?

A
Play I Some Music w/ Papa Andy
Saturday 8 PM - 11 PM ET
All Night Rewind 11 PM - 5 PM
Reggae, African and Caribbean Music
[link|http://wxxe.org|Tune In]
Of course.
Yeap, just like that.
*WHICH* one.

I know which one, but some of us aren't that clued into all the success you've had over the past few.
--
[link|mailto:greg@gregfolkert.net|greg]
My root post for this thread did refer to . .
. . the root post of my original [link|http://z.iwethey.org/forums/render/content/show?contentid=189280|VX2 thread] which lists the tools to use (Option^Explicit's dllcompare.exe, killbox.exe and VX2Finder), so I plead "not entirely guilty".

A google search will find these tools and they can be downloaded free.
Assuming that I am a complete dolt,
could you explain how Windows is harder to protect than Unix? If I never login as admin on my windows machine (just as I never log-in as root on my Unix machine), if I don't download malware, if I have a firewall - how is my Windows machine more vulnerable?
And, if I run as root on Unix, if I run all sorts of garbage from the Internet - my Unix machine will be just as susceptible.
--


And what are we doing when the two most powerful nations on earth -- America and Israel -- stomp on the elementary rights of human beings?

-- letter to the editor from W. Ostermeier, Liechtenstein

Rootkit worms for windows abound
they only need be put on the internet.
--
-------------------------------------------------------------------
* Jack Troughton                            jake at consultron.ca *
* [link|http://consultron.ca|http://consultron.ca]                   [link|irc://irc.ecomstation.ca|irc://irc.ecomstation.ca] *
* Kingston Ontario Canada               [link|news://news.consultron.ca|news://news.consultron.ca] *
-------------------------------------------------------------------
Well, just for starters . .
  • Windows XP Home automatically assigns the first (and most often only) user login as an administrator. On other versions of Windows the user assigns themselves as an administrator the first time they try to install some software and it won't let them.

  • A strong set of exploitable automation tools all guaranteed to be there on every machine and be exactly the same on every machine.

  • Tight integration among applications and the operating system, so if you're in at one point, you have it all.

  • 99.73% of users haven't one clue in hell how to secure their computers and wouldn't take the trouble if they did.

  • A huge percentage of the users are easily fooled by even the most simplistic ploys.

  • A huge number of users are kids who haven't the slightest suspicion of the word "free" because everything has always been free.

  • Firewalls are pretty much useless since the malware comes in by user action and does all its dirty work from the inside with the users (administrator) privileges.

  • There are enough systems out there that aren't patched up to date to make it economical to exploit flaws as they are found, even if Microsoft has already issued a patch. Actually, I haven't seen a Windows machine yet that was patched up to date.

  • A vast number of systems on completely unprotected DSL and Cable connections. They get new IP addresses periodically, but most modern scumware doesn't need a static IP, it's automated and works from inside.

Apart from the first point
it's all a function of user base, not of the OS. And if MS doesn't address the first point in the next release, they are even worse morons than I thought they were.

The problem boils down to the fact that 90% of people who want to use computers should not be using computers, at least not unsupervised. Yes, Gates can be blamed for that, but only in some indirect way.
Let's see, point #3
"Tight integration among applications and the operating system, so if you're in at one point, you have it all."

How exactly is that a function of the user base? Sounds more like a function of the MSFT dept. responsible for MS Office.
--
* Jack Troughton                            jake at consultron.ca *
Sounds like the OS/2 WPS (ducks, runs)
--
Chris Altmann
Nah, Office has users.
Dives over you into trench.


Peter
[link|http://www.ubuntulinux.org|Ubuntu Linux]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
:)
Of course, we all know the difference between Dos*, Win*, PM*, and WP* API calls, don't we:)

Though the point is reasonably well taken for the WPS stuff, though some progress has been made on that front by the user community over the last couple of years.
--
* Jack Troughton                            jake at consultron.ca *
Sounds like Gnome
And, the 90% really want integration. Makes life easier.
Edited by Arkadiy March 14, 2005, 07:35:05 PM EST
No, another disagreement here.
Sounds like Gnome and, the 90% really want integration. Makes life easier.
No, GNOME has a very good abstraction of Privs, it is called "only has the privs of the user using the environment"

Which effectively removes the possibility of system exploits, causing heartache for the whole machine. Restore your User $HOMEDIR and you are golden. Or just re-populate with /etc/skel setup and you'll be working in no time.

The Integration is vastly different in comparison of WindowsXP and GNOME.

First off, the integration in GNOME does not have the ability to run as another user, unless specifically configured to run different from default. Second, GNOME is separate from the GUI, which is separate from the OS, which runs the GUI outside priv'd ring-0. Which then again operates everything as a file. *NIX does exactly what you tell it. *NIX is also tremendously more predictable when the integration actually is working. Documentation, sure there are scribbles here and there. But sometimes that is really all you need. I figure it is better to have the facts rather than reams of fluff-in-stuff.

Windows, the integration can be exploited to run as a priv'd user without any configuration required. Second the Integration and the GUI both run in the priv'd Ring-0. Windows running things directly in Ring-0 is dangerous. By default you can do things in Windows you should NEVER be able to do period as any user. Windows second guesses you all the time. Therefore Windows is tough to predict with any certainty. Documentation, sure plethora of Docs that were written by people that are paid by the Line. Yeap. Perfect.
--
[link|mailto:greg@gregfolkert.net|greg]
On our network...
all computers have had their administrator account name changed, administrator accounts have been locked down with strong passwords, and full administrative rights have been disabled on normal users (work group managers and LAN administrators have full rights still of course).

But still we find this kind of adware on computers where the user has browsed the wrong places and clicked the wrong ads. To make things worse, some of these can only be removed by logging into that administrator account even though the user couldn't have been signed into that account.

Tell me that's anywhere near as secure as a Unix box.
~~~)-Steven----

"I want you to remember that no bastard ever won a war by dying for his country.
He won it by making the other poor dumb bastard die for his country..."

General George S. Patton
Win32 message service
No, I'm not talking about the messaging that pops up spamming all kinds of crap - if any app can get access to the Win32 message queue, it can send a message to any other app on the machine pretending it is any app on the machine, with any priority level.

Getting access to the Win32 message queue is as simple as running Win32 code natively on the computer, even as guest. I think you can figure out the rest.
The most exciting phrase to hear in science, the one that heralds the most discoveries, is not "Eureka!" but "That's funny..."
-Isaac Asimov
If you're not an admin, you don't have
anything on your desktop that can do much damage. Also, I think that message queues are somehow protected - I don't remember the details.

The main vulnerable point seems to be that you have to be an admin to do anything useful...
Nope. I have a machine at work.
This user is the Bossman/Owner.

I had to rebuild his machine from scratch recently. He never installs anything but browses... ummm websites that are full of Pictures.

This was the second time I rebuilt it. First time he was a local machine admin. After the rebuild I asked him to have me install anything that needed installing. Sure enough, I was very careful. I had local policies locked down so tight at one point he couldn't even run IE. We worked it out to a very acceptable set of local policies. He could not install, or do anything harmful to the computer. Not even change the desktop mode, workstation only login was disabled, the Administrator user was pretty much disabled on the machine.

He did login to my Samba Domain, and in his personal login script... I force a check of sizes and e-mail them to me every time he logs in.

This last time, 4200+ identified problems. It happened in one day. I got a message ~1PM from the log watcher stating he had logged in. I found Shiite loads of changed files. Plus additional files that should never have been able to get there where they were. This was Post SP2 and hot-fixes available on Feb 28th. Literally everything was up to date, Virus, a coupla sweepers, file activity monitors... tons of precautionary things.

He explained he went to one of his "usual" sites and the machine literally just slowed to a crawl. Lucky for me, there are no outbound connections allowed from his machine. He was using a proxy. Specifically configured DHCP to give him a certain address.

Woo.

Now tell me Ark, how did this happen? How did a NON-Admin, Non-Operator, Non-anything, except straight user with runas turned off, service starting or stopping impossible as him... the message queue was used, new files in system areas he had zero rights to modify, delete or add anything to these areas. And make changes to the Registry in protected areas, not normally USER writable anyway, but for sure only READ ONLY to him.

How, did this happen? Hmmm. He wasn't admin, nothing bigger than a lowly user. And actually tightened down quite significantly.

Explain that.



I usually don't talk about this crap, mainly because I get Pissed about having to fix it.

And, on a properly maintained *NIX system, The worst that can happen is your own data gets blown up, erased, removed. That is what backups are for.

There is no common sense way to admin a Windows machine (or group of machines) that has any access to the Internet with a browser and Lookout as an e-mail client. It is all watch and wait for the problems to start.
--
[link|mailto:greg@gregfolkert.net|greg]
I don't know :(
For a non-admin user to change admin-only writable files requires a (probably local) root exploit. Windows has those (did you manage to figure out which exactly was used?). But so does Unix. Just a few months ago, one of our regulars got owned - don't remember who. Our Linux firewall at work got owned once. Shit happens. And if you have lusers who go around nosing in obviously dangerous environments, shit happens more often.
I don't agree with your assessment.
It was not a local root exploit. No escalation of privs. Not any other external service associated with SAMBA or Windows.

an ActiveX cmd prompt was involved. But it self deleted afterwards. But during the seconds it spawns more than 4 processes. The processes execute even before the GDI gets going. IOW, during the Nice neat boot screen they start. It is evident, the scrolling nearly stalls.

I ended up having to use PV to even see what was running. When I sat down at his machine I found nearly 50 processes trying to get out.

I went to the Firewall logs... sure enough. More than 100 attempts per second. Glad I used the MAC address to block from.

The whole reason it was able to change things was the pre-execution it was able to shim in, using a CMD prompt.

Sure shit happens, but come on, how often is the ownage you speak of due to lack of maintenance.

Same as windows, But Ironclad lack of privs in Windows is not the same as Ironclad lack of privs in *NIX.

I have had exploits to try and run using Mod_Perl, PHP, etc... and it always comes down to a proper reduction in exploitable services (hint hint, windows has by default 5 services you cannot reduce to localhost only) and containment of privs. If you take care of that, in *NIX you can be relatively restful at night. There is really no such thing as containment of privs and hence no restful sleep at night.
--
[link|mailto:greg@gregfolkert.net|greg]
That I don't understand
Even an ActiveX control running as a user cannot write to registry where that user does not have writing permissions. Nor can it write to directories where that user has writing permissions. Much like Gnome, everything on Windows desktop is running as one user, the one that logged in. There must have been some privilege escalation...
That's where messaging comes in.
There IS no security on the Win32 message system.

Seriously.

People have been crowing about it for some time. Practical exploitation of it is difficult, but doable.
Not like Windows...
The GUI in Windows IS NOT, I repeat IS NOT running as the user.

It is running in Ring-0 of the Windows Kernel. That means Direct access to hardware and direct ability to manipulate these programmatically.

The GNOME Desktop Environment is NOT the GUI. The DE rides on top of the GUI. Windows has no distinction between GUI and Desktop Environment.

Windows provides the Integration through the GUI that is running in Ring-0 of the "supposed to be" protect core of the OS Kernel. Therefore, integration with the GUI and said service in Windows... allows for problems due to lack of proper separation of privs in a system.

GNOME on the other hand, is a process that uses the abstraction layer of the GUI, which in turn uses the Abstraction Layer of the OS to communicate to the Hardware. Please understand, when I say Abstraction Layer you understand the meaning I use. I use it as "Logical connection to" or Pseudo-Physical Break in chain. Can't really have a physical break in a there, so you have to imagine it. It is real, and functional.

Example common things in these two examples: We have monitor, keyboard, mouse, Hard disk drive, memory, processor, CD/DVD Writer, Motherboard chipsets, video card, network interface card, sound card. All of these are the addressable items.

Windows example:
Windows, as an OS has to manage all of these devices. How Microsoft decided to address the speed problems in Windows NTv4.0 (server/workstation) (not to worry, Win95 had a hand in the decision), They took the tried and true design of v3.51 and took out the abstraction layers between the different Kernel Layers in Windows Kernel. They also decided to allow integration to become embedded into said rings without restraints.

There are a few "services" (5 to be coy) which cannot be contained within a sandbox. Why? because it would force Microsoft to change the Developmental process in place since before Windows NT4 actually was released. Also, do you remember Service Pack 3 for Windows NT4? That was an attempt to put some of the restriction back in place, after the horse was already in the field.

Okay, hoping you understand this, shall we proceed?

Okay, given that there are basically non-existent abstraction layers in Windows, that means the GUI has no problem directly addressing the Graphics card... ever heard of DirectX? It isn't named that for shits and grins. If the GUI has direct access to the graphics device, what is to prevent it from addressing the Sound Card... oh wait... Directsound... Well, okay, then why for not the Hard Drive hmmm looks like Directmedia has already beat me to it. Microsoft has turned the bad design of Ringless Broke non-ring design Kernel structure into a Marketing Force.

This then presents many options to the average ActiveX cracker/assailant. ActiveX, Windows Scripting using Direct access methods. Let us take Internet Explorer. It has been proven that IE is the most insecure Product being used for web-browsing. Even with SP2+hot-patches.(let us not forget we now get them 1 month later than we used to). There are certain things that cause people grief in Internet Explorer. Too many questions and no ability to run javascript/java/flash/etc. Even opening up Internet Explorer a little bit is like a 2-state flood gate. 0 the flood gate is closed, 1 the flood gate is open. But, Microsoft has put flow restrictions, though useless once one piece gets by, to try and stem the problems. They don't work. IE even with tons of infection protection, virus stomping, malware watcher... ad-infinitum is going to get smacked up pretty good sooner or later. (probably sooner than later).

Now, since we are on Windows, we need to touch on Outlook Express. By default Outlook *NOW* comes with opening of attachments off. Here we go with the 2 state Flood gate thinger. Either it is Closed and causes tons of irritation by not being able to save or open attachments, or you get the whole ball of wax, though with restrictions again, which again useless. Since Outlook uses IE services and other things internally it could be seen as just a glamorous Internet Explorer. Since These services being used by Outlook are provided by IE and IE is fully integrated into the OS... there we go, direct access to the hardware again... and to any file on the hardware. Crackers just have to tell which service to properly work with the stuff in the payload. Still the Win32 Messaging is just a plain socket... well let us open a CMD prompt and execute a little startup script which places a winint command message in the queue. It also extracts the deliverable and cleans itself up while spawning a ka-jillion processes to hide your work really going on. Causing the user to reboot... which then on reboot, my winint command gets processed before GDI and lo and behold... the cracker has another potential zombie to work with or mail-relay or something.

This can happen pretty much with ANY program that runs on Windows. As long as these services are available, and tricky programmers understand the common machine layout of Windows... it is trivial.

Now, onto the GNOME Desktop Environment Machine:
GNOME is a desktop environment, that runs as the user, all services and processes controlled by the GNOME DE is running as the privs of the Normal user on a unix system. The Desktop Environment is separated in privs by an abstraction layer or API/ABI designed to only do what the GUI is supposed to do. The GUI, then has to make decisions on what to do, then it makes calls to the OS through another Abstraction Layer or API/ABI interface that once again only allows restricted commands to be forwarded to the OS. The OS then is what allows the driver filter to message a file (or device file commonly referred to as a device node), with the commands never reaching Ring-0. Never having direct access, never being able to change the command in-stream or through a stack corruption (well it does happen but far, far, far less than it could).

Now, let us just take a look at the integration offered by GNOME. It has many benefits, many of which do exactly the same function Windows does, but without the risk. Why do I say risk? Because, the machine no matter HOW bad you are screwed in your environment... is still completely functional, completely usable by someone else that has an account on it, etc... Services still are running as they should without issues. The only thing that is LOST IS YOUR DATA YOU HAVE RIGHTS TO. If you do not have backups... well you are SOL.

Before you bring it up: "How am I supposed to start working again then?" Well two options, since you have zero data in your $HOMEDIR, GNOME will auto populate your $HOMEDIR with a fresh set of settings. BASH will auto-write a coupla default files for you. From there it is all a matter of rebuilding. But the machine is still running without having to be re-built from scratch or hours and hours of compiling or etc... If you have a restorable backup. Shoot, slap that baby in there, and login.

As far as Integration goes, GNOME has many easily settable default applications you can customize and/or select from your installed distros settings. Of course, those distros that have the average user run as root... are just asking for trouble.


I hope this helps you understand. And please I hope you are being intentionally obtuse.
--
[link|mailto:greg@gregfolkert.net|greg]
It was quite helpful
And yes, I was _partly_ being intentionally obtuse. But, I still can't believe what you're saying. Are you saying that the DirectX APIs bypass all the security and let you have raw disk access?

Update: checked DirectX docs - no mention of direct access to disk. Is it an undocumented backdoor?
Edited by Arkadiy March 15, 2005, 05:05:47 PM EST
It isn't documented the way you'd think.
Direct Media can use the alternative Streams of NTFS.

Umm, that would be direct DISK access.
--
[link|mailto:greg@gregfolkert.net|greg]
Well, the only things that grant access to file system
(that I found in the docs) are IFileSourceFilter, IFileSinkFilter and IFileSinkFilter2.

All of them take a filename. I did not test it, but I doubt that the access control on the file name is bypassed by any of these interfaces.
Then how do you explain the fact that it happens?
Without escalation of Privs?

And, the fact of the matter... not that they by-pass them, are they even checked? By assumption or by method something has to be getting around it.

And the Local Policy overrides the others. So if the Citrix thinger you and andread are talking about, it doesn't matter what DS groups memberships. It ain't supposed to be able to do that. But does.
--
[link|mailto:greg@gregfolkert.net|greg]
Edited by folkert March 16, 2005, 11:35:43 AM EST
I have no explanation that I am sure of.
I think you don't either.

My guess is a security hole, a bug.

Your guess is an inherent deficiency of architecture.

Neither of us is in a position to prove our guesses. You are in a somewhat better position to investigate - you actually have logs and what not from your co-worker's breakage. But, unless you understand _exactly_ how the malware gained access to the protected areas of the system, we still don't know for sure.

Thank you. (new thread)
Created as new thread #199000 titled [link|/forums/render/content/show?contentid=199000|Thank you.]
Re: That I don't understand
I used to think that
but in my Citrix farm all users are members of
a special group
that group has no registry writing permission
and the program files folder has security set
to prohibit the users from writing to it

result

the registry is changed all the time
spyware and other junk are installed in program files

job security for me

A
Play I Some Music w/ Papa Andy
Saturday 8 PM - 11 PM ET
All Night Rewind 11 PM - 5 PM
Reggae, African and Caribbean Music
[link|http://wxxe.org|Tune In]
Are they members of other groups?
Could the permissions be granted by those memberships?

Domain Users
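Arkadiy's question (can a membership the restricted group's ACL never mentions still grant write access?) can be answered with a worked DACL evaluation. The following is an added illustration, not code from the thread; the group names, the two access-right bits and the ACEs are constructed, and the evaluation rule is the Windows one in simplified form.

```python
"""Simplified Windows DACL evaluation (added illustration, not from the thread).
Group names, access-right bits and ACEs below are constructed."""

from dataclasses import dataclass

READ = 0x1   # constructed access-right bits
WRITE = 0x2


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name
    mask: int      # access-right bits this ACE covers


def effective_access(dacl, user, groups, requested):
    """Return True if every bit in `requested` is granted.
    Windows rule, simplified: walk ACEs in order; an ACE applies if its trustee
    is the user or ANY group in the user's token; a matching deny on a still
    requested bit refuses access; allows accumulate until nothing remains."""
    token = {user, *groups}
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed DACL on the Program Files folder: the Citrix group is only ever
# granted read, but Domain Users (which every domain account belongs to) has write.
PROGRAM_FILES_DACL = [
    Ace("allow", "CitrixUsers", READ),
    Ace("allow", "Domain Users", READ | WRITE),
    Ace("allow", "Administrators", READ | WRITE),
]

# Same DACL with an explicit deny placed first (canonical order), which blocks
# the Citrix group's writes regardless of its other memberships.
HARDENED_DACL = [Ace("deny", "CitrixUsers", WRITE)] + PROGRAM_FILES_DACL


def can_write(dacl, user, groups):
    return effective_access(dacl, user, groups, WRITE)
```

With only the Citrix group in the token the write is refused; add Domain Users and it succeeds, which is the membership-granted path the question points at.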
There is a way.
Simple example: use at to open a cmd prompt. You'll be surprised at what that prompt has access to. (hint: it's *more* than Administrator.) Disclaimer: I have not tested this as a pleb.

I saw this some months ago as a way to modify some certain Registry Keys in the local users area* that even Administrator can't see, let alone change. Windows security is just so complex and poorly documented...**

Wade.

* not the local user's area, the local users area.
** to which I suspect people are going to disagree. :-)

Is it enough to love
Is it enough to breathe
Somebody rip my heart out
And leave me here to bleed
 
Is it enough to die
Somebody save my life
I'd rather be Anything but Ordinary
Please

-- "Anything but Ordinary" by Avril Lavigne.

It's LocalSystem
And yes, it's more than Administrator, on local machine.
I could not find an easy way to disable it, apart from disabling the schedule service. What a sordid mess! It should run as the user that scheduled the action, not as LocalSystem.


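A defender-side check for the situation Wade and Arkadiy describe, added here as an example and not code from the thread: it reads a column-reduced listing in the shape of `schtasks /query /v /fo csv` output (the rows and the task names are constructed; the real command emits many more columns) and flags jobs the scheduler would run as LocalSystem, especially ones that launch a shell or were created by a non-administrator.

```python
"""Audit a scheduled-task listing for jobs that run as LocalSystem.
Added illustration, not from the thread; CSV rows below are constructed."""
import csv
import io

SHELLS = ("cmd.exe", "command.com")
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LocalSystem"}

# Constructed, column-reduced sample in the shape of `schtasks /query /v /fo csv`.
SAMPLE_CSV = """\
"TaskName","Author","Task To Run","Run As User"
"At1","jdoe","cmd.exe","SYSTEM"
"Backup","Administrator","C:\\backup\\run.bat","SYSTEM"
"At2","jdoe","notepad.exe","SYSTEM"
"Defrag","Administrator","defrag.exe C:","jdoe"
"""


def audit_tasks(csv_text, admins=frozenset({"Administrator"})):
    """Return (task name, reason) pairs worth a second look:
    - the job runs as LocalSystem and its command is an interactive shell;
    - the job runs as LocalSystem but was authored by a non-administrator
      (the thread's point: `at` jobs run as LocalSystem whoever created them)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        run_as = row["Run As User"].strip()
        if run_as not in SYSTEM_ACCOUNTS:
            continue
        cmd = row["Task To Run"].strip().lower()
        if any(cmd.startswith(s) or "\\" + s in cmd for s in SHELLS):
            findings.append((row["TaskName"], "shell as LocalSystem"))
        elif row["Author"].strip() not in admins:
            findings.append((row["TaskName"], "LocalSystem job by non-admin"))
    return findings


if __name__ == "__main__":
    for task, reason in audit_tasks(SAMPLE_CSV):
        print(f"{task}: {reason}")
```

On a live machine the listing comes from the real `schtasks` output; the Backup job is left alone because an administrator created it, which is exactly the distinction the `at` service itself does not make.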
VX2 on 2 servers
thanks Andrew for your Paul Revere-ing on this issue
I wouldn't have even been able to guess what was happening without
these warnings

A
