View Full Version : Me code write good: The l33t skillz of the virus writer
Kayaker
April 17th, 2007, 16:41
I just loved the title is all...
Nico's latest blog post about a bug in some malware reminded me of this.
Quote:
From exploitable vulnerabilities in their code to incomprehensible goofs there’s no shortage of evidence that a large proportion of virus writers aren’t quite as capable as they would like others to think. This paper will take a look at the legacy of these slightly less than expert level virus writers, and examine the threat they continue to pose.
Me code write good: The l33t skillz of the virus writer.
http://www.symantec.com/avcenter/reference/me.code.write.good.pdf
quetzalcoatl
April 17th, 2007, 19:26
yea.. I have already seen some malware bugs of this quality, too

disavowed
April 17th, 2007, 20:52
Ugh... I actually saw this talk given in person by its author. It was horrible. Boring and uneducational.
ancev
April 17th, 2007, 23:25
come on...
we know that 95% of the virus-coders sux - but it is also a fact that 99% of the av-coders sux
in fact, the only really good av-coder was Eugene Kaspersky (in the old times, before he turned CEO, when the AVP encyclopedia showed us the virus graphical/musical payloads)... the rest are below-mediocre programmers that got "fame and fortune" exploiting the users' atavistic fear of viruses.
also, the "media hype" about some bad viruses that the author talks about - we can't forget - was created by av companies, to fill their pockets.
almost every time, it wasn't the author who said he was such a good coder that his virus would destroy the world, but the av company that said so, to scare users and make more money.
so, he would better say "a large proportion of virus writers aren’t quite as capable as *AV COMPANIES* would like others to think". Except for IRC bragging (an old tradition), few vxers claim to be such good programmers.
not satisfied with the "fame and fortune", some avers attack virus coders... in fact, they have nothing but envy of these guys that, even with so-so skills, spend their time and talent (and have the balls to), for free, trying to code artificial life - and aren't slaves to money
well, at least none of my viruses appear in the article as an example of bad coding (although my English is so bad that I could be the inspiration for "Me code write good").
vecna
ps: the title of the article also suggests that bad English is a sign of bad coding... I wonder how good John Canavan's Russian, Chinese, or Spanish is
0xf001
April 18th, 2007, 04:11
hi,
hm, vecna, I am fully with you, you saved me writing a reply

but i decided to reply anyway hehe
so virii can contain bad code. ahaa

damn, i always knew it!! shall we complain about it? contact the author to fix that?
i don't know, i think it's pure virus coder bashing. everybody who has coded virii will know that it's very easy in that field to make mistakes, and testing is limited to the systems/architectures you have at home. now in the age of VMs that is much better than using spare, old hardware for testing.
on the other side, it makes me a bit angry that the mass of virus coders seem to be such dumbasses, copy kids, script kiddies. but that makes the innovative just more outstanding
some 10-15 years ago i was very fascinated by virii and thought of it as one of the highest coding ___ARTS___. not a fame magnet, an art. Period.
so what can we learn from this article? "common pitfalls" in virus coding? i doubt that is the intention of the document. it's almost useless imho.
and i think we all had minimum 1 experience where a so called "AV" product fucked up the whole system, besides slowing it down and eating resources (or just deleting your files).
maybe we make a follow up:
me.av.hero.code.shit.too
regards, 0xf001
Maximus
April 18th, 2007, 05:43
15 years ago writing a virus was an optimization challenge.
DAV was <1.5k, many viruses were 4-900 bytes, and some notable pieces were <200 or even <100 (!!).
Today? probably the only interesting field is rootkits. The fun of shrinking down to the last bit while keeping 'everything in' is gone. The fun of locating a damn place to load your code is gone (rootkits apart, but in a different manner).
Not sure what is fascinating in today's viruses, which look to my inexperienced eyes more like the trojan side than the virus side.
0xf001
April 18th, 2007, 06:49
Maximus,
yes I think its all "taste" based. Interests are different, i am still more interested in pure virii than trojans or rootkits, which are for me not so interesting (now)
whats fascinating in the world of todays virii?
when you widen your horizon from windows up to other OSs then there is plenty of space to develop interesting virii. i currently make a kind of private study about virii on linux. there i found how to "overtake root" from user space in a quite interesting way. which is one major step to make virii on linux "useful"
it's too early to announce anything, i will make an article and probably a proof of concept virus out of it ... that i find very interesting. and the "need" to code asm of course. OSX would be another candidate to explore.
cheers, 0xf001
blurcode
April 18th, 2007, 09:54
True true,
Look how badly the following virus is written: http://cyberdust.wordpress.com/2006/04/12/mcafees-gone-wild/
Please note that the virus is not W95/CTX

Nico
April 18th, 2007, 18:09
Well, i think there is a difference between virus authors (as in the old school ones doing PE infections and stuff), and todays malwares authors.
There are very few PE infectors these days, and most of the new ones are really simple appenders.
We do see a lot of custom packers though. Some are really nice.
Anyway, most of the malwares we see nowadays are made to make profit of some sort.. Mostly stolen money.
In my two last blog posts, the PE virus didn't seem to be bugged, but the userland rootkit part was.. and The whole thing was a SPAM engine.
In the other blog post, people used search engine poisoning to get people to download malicious code.. Half-assed downloaders, and yet they made mistakes like "i detect tracing and VM but don't do anything either way". The ultimate goal is to target bank users = money.
The hobbyists trying to create artificial life aren't the ones making the most malware now.. We just see tons of malware made by people who just want to make money.. Some is total crap, and some is very well written.
My english sucks, i write buggy code at times, don't hit me ;-)
OHPen
April 19th, 2007, 06:59
Lo all,
@nico: I agree to your assumption that there is a difference between old virus writers and today malware authors in general.
But isn't it in every scene like this ?
There are only a few professionals who are only interested in research and gaining more knowledge, but the major part has only rudimentary knowledge in order to reproduce well-known and well-documented topics because of lower motives or only to brag with.
At the beginning you only saw a few virus writers who had extended knowledge, then some years passed and almost each "kiddie" who is able to code can produce a simple virus, because the topic got well documented and available for all.
I think that this example shows that there is only a kind of time shifting. Formerly l33t techniques will become only standard techniques and so on...
Regards,
PAPiLLiON
CrackZ
April 19th, 2007, 15:00
Quite simply a horrible PDF expose of malware/trojan/virus *bugs* (insert whatever you want to call it today), almost like the guy is challenging authors to write something more entertaining for him to run inside his VMWare logging environment.
As many others have noted there just simply isn't the requirement to write code that is highly optimised any longer (only perhaps when devising exploit shellcode and even that path is well-trodden), I remember looking at virii code in the 1990's analysed by virus researchers where they'd written stuff like "this code has been really well optimised, like a swiss watch", it was almost a respect, now any idiot can download the source code and build a variant trojan of their choice, modify it very slightly, pack it 5 times, add some vmprotect and try and make something from it.
My greatest conspiracy theory actually runs something like this, the AV industry *needs* a next generation of threat to maintain its market, virtually all of the AV scanners out there seem to use nothing more sophisticated than their own custom unpacking engines and signature scans to identify trojan.variant.ABZ.103. All this guarantees is increasing numbers of AV co.'s claiming how many more malwares their product detects than the competition.
Just telling end-users not to run 'britney_spears_nude.jpg.exe' just doesn't seem to cut it these days ;-).
Regards
CrackZ.
bart
April 19th, 2007, 15:12
Maybe someone should write an article titled "Me av engine too weak to fully unpack xxx".
They are writing such crap just to piss off people (the same thing is done with virus naming eg. SkyNet <-> NetSky) and get more money.
quetzalcoatl
April 19th, 2007, 16:23
Hm.. what you say now about poor badware (nice term I think) code quality and yet poorer AV-software code quality reminds me about my small hypothesis:
The AV industry really needs:
- be sure that some badware exists
- be sure that the threat is controlled
so.. how to achieve that..? look at the old coder gods, those who created the art of writing tiny optimised 'V'iruses.. many of them earned great respect and ended in or even started their own .. AV companies. And how to achieve those two goals essential to be a successful AV company? it's really simple.. those guys were the best, no one could beat them, so they were the best Virus creators and continued to do so. And they had also the best knowledge how to fight them, so they were the people who wrote AV-scanners, too! Endless virus generations, threatening the naive people, but hey! we have AV that will save you! Gold, bah, diamond business..
Later, technology got boosted, optimisation was not required any longer, both in the normal software and the badware, too, coding skills of the average hired coder dropped dramatically (nth-level languages, cool colorful code generating IDEs, lower knowledge level at end of education, etc) which directly led to tons of dumb bugs everywhere.. Buffer overflow?? christ.. did YOU people ever use an on-stack char buf[512] on the input and not make sure your program doesn't write after its memory block? I doubt it. I was a 2-month C++ programmer and I carefully checked every buffer, and I was not worried about hackers! I had no idea back then that someday someone might inject code through some unchecked buffer! Actually I was checking them because idiots using my programs happened to love unpredictably big blocks of data and forgetting terminators... I was shocked when I heard about buffer overflow security problems for the first time. Not by the code injection itself (well.. actually I played with some), but by the fact that someone DID NOT CHECK THAT BUFFERS' END in a critical security software context??? D'OH!!
Anyways, maybe not all of them, but I'm sure that there are many AV companies both writing badware and counter-badware. It's too good idea to have badware at controlled level and still keep ourselves needed by everyone and make sure that the cash wont stop flowing! Its almost like the "piracy", "crackers" and windows and the games.. Ever wondered why all those uber-super-protections are defeated in a first month or two? Because *there*is*no*better*advertisement*. Just think.. would Windows ever get to the current market share, if not that all cracked windows' at homes? Now see Vista.. You'd think that they learned something from the past. Nope. They simply used slightly modified old well known protection mechanisms. And "oopsie" got defeated again.. Allright.. end of ranting :}
Woodmann
April 19th, 2007, 21:59
Howdy,
While I would like to agree with the "conspiracy" theory.....
AV companies must have something to do with their ongoing success from the unending creation of virii..........
Why is it so unreasonable to think that people code virii just for the challenge.
Is it not the virii coders ultimate challenge to write something that is the most difficult to detect and stop?
Dont forget, this is not only about virus and malware but also exploits.
People spend a large amount of time finding holes in the latest greatest softwares. I read my log files. It amazes me at what some people will try.
Sometimes people code things just to see if they will work and for no other reason.
Woodmann
0xf001
April 20th, 2007, 04:45
Quote:
Is it not the virii coders ultimate challenge to write something that is the most difficult to detect and stop?
Quote:
Sometimes people code things just to see if they will work and for no other reason.
just soooooooooooooooooooooo right
about the conspiracy theory ..... I think the AV companies need not worry, as in my opinion, "there will always be" people who want "to make a virus". where i mostly mean the copyists, script kiddies, virus creation tool users.
its quite logical for (former) virus authors to work or create their own AV company. I think it depends on the individual if that person then "still" creates some virii. I doubt its necessary to do it for business, I think more maybe for fun - while remembering good old times "on the other side"
if that would come out, it would be unpredictable damage for such a company, its too much risk, or not?
cheers, 0xf001
disavowed
April 20th, 2007, 10:28
Quote:
[Originally Posted by OHPen;65025]At the beginning you only saw a few virus writers who had extended knowledge, then some years passed and almost each "kiddie" who is able to code can produce a simple virus, because the topic got well documented and available for all.
I think that this example shows that there is only a kind of time shifting. Formerly l33t techniques will become only standard techniques and so on...
But this is not the case at all. Today's malware authors are not using "standard techniques" developed by yesteryear's "virus author experts". Today we're seeing the bad guys using high-level-languages just to write programs that do naughty things. No prior education necessary in the history of viruses if you just want to write a program that connects to IRC and opens a reverse shell.
CrackZ
April 20th, 2007, 15:59
Uncle Woody ;-),
"Conspiracy theory" is perhaps my rather strong way of stating the obvious - that never-ending *perceived* threats from trojans/virii is rather a great marketing tool for AV co's, even though they'd deny it.
"Its not unreasonable to think people code virii for the challenge"
Indeed a *very few* people will craft their *own* virii for their *own* challenge but they'll be crushed a million-fold by the stampede of those that simply don't need to ;-), download the latest trojan/virii codebase, some obscure packers, hey presto instant trojan variant for the good old AV's to detect and maintain the upgrade cycle.
I'm not sure I'd lump virii and exploits into the same category nor the businesses associated with devising/finding them, those looking and capable of finding exploits IMHO are different animals to those reacting to files dropped in their inbox for analysis in their VMWare labs.
My biggest problems with this paper were really twofold;
Firstly was simply its patronising tone with regards to virii authors code, I'm sure Symantec would be happy to submit all of its code for analysis so that we can all have a good *laugh* at their coding ineptitude, but then again maybe they won't.....
Secondly, I just found the paper hopelessly naive, this AV researcher obviously believes the guff peddled by his marketing department.
AV in my mind ought to be a dead in the water product, its placebo-ware of the highest order for the masses, its been dead in the water technology wise for 15 years else you'd not be needing to update your *definition files* every week.
Regards
CrackZ.
quetzalcoatl
April 20th, 2007, 19:33
Woodmann, 0xf001 - of course I didn't mean that all the badware comes from there.. I just meant that most of the now crawling things are so poorly made, because the creators have no interest in making them better! and that matches the AV companies, which by definition would not only not be interested in completely stopping, but could even be interested in propagating viruses, too.. that's true that "copyists, script kiddies, virus creation tool users" will always be there, but, hey.. the very first sources and those vir-creation tools must have been made by someone, right? neither copyist nor script kiddie would make it. Whoever made them - freelancers for their glory or AV companies for keeping the business up - all the script kiddies will not manage to go beyond those tools. They are bound to the well known methods and exploit types, and simply cannot make something 'brand new', well, maybe accidentally. Only real professionals can, and those at AV companies have both the knowledge and wages and could have even the fame - in their environment. But I have to admit that if such a thing came out, the damage to the whole AV industry would be huge, so you've got a point, too

deroko
April 21st, 2007, 09:14
disavowed
April 21st, 2007, 11:24
Quote:
[Originally Posted by CrackZ;65058]AV in my mind ought to be a dead in the water product, its placebo-ware of the highest order for the masses, its been dead in the water technology wise for 15 years else you'd not be needing to update your *definition files* every week.
I agree that AV software is far from perfect. However, what do you propose instead for the average user?
Telling grandmothers to not open e-mail attachments doesn't work because they'll still open them anyway, and for those users, AV is better than nothing.
And if your solution is to tell grandmothers to use Linux or MacOS instead of Windows (since there are fewer viruses for those platforms), then how do you propose to make that actually happen? The open-source community and Apple have been trying for years to get that to happen and they haven't been able to fully succeed yet.
So if not AV software, what is your proposed solution for the average user?
0xf001
April 21st, 2007, 11:35
haha,
Quote:
And if your solution is to tell grandmothers to use Linux or MacOS instead of Windows
i cant refrain from saying something ..... how do i do that without getting into a flamewar?
i dont know. but i would say that really would be the solution. until malware authors switch, too of course. i am not so naive to think that platforms are immune. though by design a lot more immune.
[EDIT] i cut out the offensive off topic part. the discussion is good and i am afraid to start a flamewar with it.
back to topic, i am sure to see special ubuntu and osx virii in the future. let's see if they can do more than trying to infect a home directory, where they potentially don't even find a binary. not to speak of r/o mounted /usr/bin file systems etc.
beat that, microsoft! i honestly think that it's not only because the mentioned OSs have a smaller userbase that they don't have that kind of malware, i really believe it's mostly because windows is flawed by itself.
the elf format is so easy to infect. but what does that help when u cant write to the binaries? a linux virus without having root is almost useless in my mind. there need to be innovative ways to get root. i am sure they will come. i am also sure they will be fixed in 1 day.
that is no flamewar, its something i stand for, and would argue it. even on this board, where i am a minority maybe LOL.
cheers, 0xf001
PS CrackZ: nod nod nodnodnodnodnodnod
PPS: i am fine to delete / move my post, i understand it invites for a flamewar. but this is what i think to it.
0xf001
April 21st, 2007, 11:45
Quote:
The open-source community and Apple have been trying for years to get that to happen and they haven't been able to fully succeed yet.
i am not fully with that. i think the linux community really does not care about the blabla user. there are advocates, i do it too sometimes
but its not so much interest to get other people use it. nooooooooo, we want to make it better and better. who does not see this, his fault when he does not want it. fair enough everybody should please use what he wants.
companies with $$$ in their eyes probably want to establish linux on desktops, not because they find it more advanced, or better, or .... ok, maybe a bit possible? mostly in order to make more $$$. i am fine when i use it. i could tell others why i use it and where i find it "better" in my case.
but the linux developing community really does not care so much about the every day (l)user imho.
regards, 0xf001
Maximus
April 21st, 2007, 13:16
Flamewar!
Well... M$ security model is impressive, and it is comparable to Unix/Linux. Unfortunately, 1 good thing stacked upon 1 trillion bad ones can't work. I even believe, seeing Vista's mindless 'security' implementation, that even M$ developers do _not_ know how the M$ security works (or how to use it effectively, the same). 1+ years spent developing such XYZK 'security', uh?!
Linux is not 'more secure' due to the inherent linux design, it is more secure because you did not train users to log in as root for the most part. If all Linux users were logged in as root, well... tell me where your security is^^
1% of Linux users are accounted to admin, 99% of win users are accounted to admin. If 99% linux users were logged as admins, well...
(more, the way standard privileges are set in windows is to take into account, but that's another m$ problem)
about linux distribution... I ***strongly*** believe into the .NET M$ technology future

0xf001
April 21st, 2007, 13:43
maximus,
yes - the superuser problematic was probably the most important security bypass. root users on linux, of course .... then all is going down.
i try to make it short. my example of a structured filesystem layout shows 1 design fact which i find by default more secure:
system binaries in /bin, mounted ro, and no write perms of course to users even if mounted rw.
also installable 3rdparty software: installed as root into /usr/local/bin/ where it can also remain without write perms.
if the app has changing data - this goes separately into /var.
-> the file permission stuff alone i find more "thought through". note, that are not really "more secure software" aspects.
when i look at my "program files" folder, there is a total mess. i can't make it non-writable so easily.
in that way i can find many examples where i find a design factor "more secure by default".
regards, 0xf001
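The point made in the two posts above (a virus running without root is only useful if it can find a binary directory it is allowed to write to) can be turned into a check. The following is an added example, not code from the thread or from any of the posters: it applies the classic POSIX mode-bit rule (owner bits, else group bits, else other bits) to every directory on PATH for the current uid and gids. The `Entry` type and the `stat_fn` parameter exist only so the logic can be exercised on constructed stat data; a read-only mount is not visible in mode bits, so a directory that passes this check may still be unwritable in practice.

```python
"""Audit which directories an unprivileged user could drop or replace binaries in.

Added example for the thread above (not from the original posts). The mode-bit
logic mirrors the kernel's generic permission check: owner bits if the caller
owns the directory, otherwise group bits if any of the caller's gids matches,
otherwise the 'other' bits. Read-only mounts are a separate mechanism and are
deliberately not modelled here.
"""
import os
from dataclasses import dataclass

S_IWUSR, S_IWGRP, S_IWOTH, S_ISVTX = 0o200, 0o020, 0o002, 0o1000


@dataclass(frozen=True)
class Entry:
    """Minimal stand-in for the fields of os.stat_result this check needs."""
    mode: int
    uid: int
    gid: int


def writable_by(entry: Entry, uid: int, gids: frozenset) -> bool:
    """True if uid (with supplementary gids) may write into entry.

    uid 0 is treated as always able to write; the thread's whole point is that
    the interesting case is the non-root user.
    """
    if uid == 0:
        return True
    if entry.uid == uid:
        return bool(entry.mode & S_IWUSR)
    if entry.gid in gids:
        return bool(entry.mode & S_IWGRP)
    return bool(entry.mode & S_IWOTH)


def infectable_dirs(dirs, uid, gids, stat_fn=os.stat):
    """Return [(dir, sticky)] for every dir in dirs that uid could write into.

    Creating or replacing a binary needs write permission on the directory.
    The sticky bit (as on /tmp) still blocks replacing files owned by others,
    so it is reported alongside the hit rather than silently ignored.
    stat_fn is injectable so the logic can be tested on constructed data.
    """
    hits = []
    for d in dirs:
        try:
            st = stat_fn(d)
        except OSError:
            continue  # dangling PATH entries are common; skip them
        entry = Entry(st.st_mode, st.st_uid, st.st_gid)
        if writable_by(entry, uid, gids):
            hits.append((d, bool(st.st_mode & S_ISVTX)))
    return hits


def audit_path(uid=None, gids=None):
    """Audit the current process's PATH for the current (or given) identity."""
    uid = os.getuid() if uid is None else uid
    if gids is None:
        gids = frozenset(os.getgroups()) | {os.getgid()}
    path_dirs = [p for p in os.environ.get("PATH", "").split(os.pathsep) if p]
    return infectable_dirs(path_dirs, uid, gids)


if __name__ == "__main__":
    for d, sticky in audit_path():
        note = "  (sticky: cannot replace files owned by others)" if sticky else ""
        print(f"{d}{note}")
```

Run as an ordinary user, a hit in something like `~/bin` or a group-writable `/opt/.../bin` is exactly the foothold the posts say an unprivileged infector needs; an empty result for the system directories is the "without root it is useless" case.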
Maximus
April 21st, 2007, 14:34
eheh, I edited my post and removed exactly a small note about what you say.
that is a a design flaw of app writers _and_ m$.
You do have an 'application data' folder in m$ user account, which should be the correct way of saving user's data, but guess what?
Most applications save data within their program files folder, taking advantage of their admin rights. Why does this happen? not sure, but maybe because microsoft does not set the default app directory to the proper \user folder, and you need to force a path by code.
and take a look to this...
Code:
#include <vcl.h>      // AnsiString (Borland C++Builder / VCL)
#include <shlobj.h>   // SHGetMalloc, SHGetSpecialFolderLocation, CSIDL_*, LPITEMIDLIST

// Release a PIDL through the shell's allocator. The shell hands out PIDLs from
// its own IMalloc, so they must not be freed with the CRT free().
bool PidlFree(LPITEMIDLIST &IdList)
{
    IMalloc *Malloc;
    bool Res = false;            // C++ keyword is lowercase; 'False' does not compile
    if (IdList == NULL)
        Res = true;
    else if (SHGetMalloc(&Malloc) == S_OK) {
        if (Malloc->DidAlloc(IdList) > 0) {
            Malloc->Free(IdList);
            IdList = NULL;
            Res = true;
        }
        Malloc->Release();       // SHGetMalloc returns a counted reference
    }
    return Res;
}

// Convert a PIDL to a filesystem path. MAX_PATH is the buffer size this API documents.
AnsiString PidlToPath(LPITEMIDLIST IdList)
{
    char buf[MAX_PATH];
    AnsiString Res;
    memset(buf, 0, MAX_PATH);
    if (SHGetPathFromIDList(IdList, buf) != 0)
        Res = AnsiString(buf);
    else
        Res = "";
    return Res;
}

// Resolve a CSIDL_* folder to a path, freeing the intermediate PIDL on every path.
AnsiString GetSpecialFolderLocation(int Folder)
{
    LPITEMIDLIST FolderPidl;
    AnsiString Res;
    if (SHGetSpecialFolderLocation(0, Folder, &FolderPidl) == S_OK) {
        Res = PidlToPath(FolderPidl);
        PidlFree(FolderPidl);
    } else {
        Res = "";
    }
    return Res;
}

AnsiString GetCommonAppdataFolder()
{
    return GetSpecialFolderLocation(CSIDL_COMMON_APPDATA);
}
...UGH! next time will I need to start OLE machine to get a damn default path without tweaks?!
edit----
in case, I'm NOT defending Windows, is just the sake of discussion
I would NEVER use Windows in a real security context (i am not SO idiot... even if 'defending' windows is a proof I'm becoming

)
0xf001
April 21st, 2007, 14:46
hi,
to position myself correctly:
Quote:
M$ security model is impressive, and it is comparable to Unix/Linux
i think i agree to that. i was also shown by a damn good virus author, in a discussion, that the memory management model in the windows kernel provides more comfortable ways to work with, than with linux's malloc. in particular to get to know the size of an allocated block.
the windows os is not by default shit
i have some respect to it. but i dont want to work with it anymore hahaha
regards, 0xf001
Maximus
April 21st, 2007, 14:48
Quote:
[Originally Posted by 0xf001;65076]
but i dont want to work with it anymore hahaha
I wish I could
...but one day I shall

quetzalcoatl
April 21st, 2007, 16:43
not conspiracy.. just simple business

Silver
April 22nd, 2007, 05:09
Part of the "Microsoft problem" is their determination to be backwards compatible as much as possible, which causes them all sorts of issues (including security ones).
I was reading an interesting article about the next (or next+1) generation of Windows - apparently it will be built from scratch again, possibly dumping lots of legacy support.
It will raise interesting questions for users and software developers - if developers have to learn an entirely new environment and code from scratch, and users have to learn a new operating system (and repurchase their software), what's to stop them from looking at the alternatives?
Microsoft maintain their position in the market partly through inertia; this would change that significantly...
deroko
April 22nd, 2007, 06:26
It is not MS fault that 90% of ms users want to see pictures of naked Anna Kournikova.
Now since 90% of windows users are stupid they don't allow for .exe to be opened in outlook express 2007...
0xf001
April 22nd, 2007, 07:22
baaaaaaaaahahahaha
Quote:
It is not MS fault that 90% of ms users want to see pictures of naked Anna Kournikova.
sorry for just increasing my post count! deroko, u bring complicated issues easy to the point. i like that
i want to see these pictures too
cheers, 0xf001
quetzalcoatl
April 22nd, 2007, 12:08
Quote:
[Originally Posted by deroko;65087]It is not MS fault that 90% of ms users want to see pictures of naked Anna Kournikova. Now since 90% of windows users are stupid they don't allow for .exe to be opened in outlook express 2007...
hm.. IMHO, they just made a bit too userfriendly system, so all the stupid can use it and do so

and with this came the idea that the system should know better than the user what the latter really wants to do. check Vista.. Have you seen/read about the new User Account Control? Want to install new drivers? Give admin login & password. Want to install new software? Give admin login & password. Wanna change screen resolution? Give admin login & password. Wanna change wallpaper?.. rotfl. And the .exes as attachments.. goosh.. how many times people asked me to re-send the attachment in a different format because 'their mailreader' can't open this-or-that extension.. And the face expression of the people that sometimes must use my laptop and can't find explorer in the start menu! priceless.. and everything is getting more and more like a multimedia platform targeting gadget maniacs than a system. Pitifully the trend got into many linux distros, too. Everyone wants to pack into the system just everything that anyone may ever want to launch, adding to that streams of colors and fx effects. But Vista with its "1GB RAM recommended".. I can imagine windows in a few years, with some FPP, RTS, Soccer, MMORPG and flight simulator embedded into the system.. hah
Woodmann
April 22nd, 2007, 22:21
OK, back to the topic................
You all MUST admit having some AV is better than none at all.
Here is an example of the types of things I get asked to fix a few times a week.
The scenario: remote pc/laptop I have no access to.
The problem: My AV has found these 4 files that are bad.
After the AV deletes them they come back again. Help me fix this.
So, what am I left to think? Self replicating? MBR? freaky morphing shit?
Remember, the person that has asked for my help is a moron.
They can use Outlook and Hotmail/Yahoo. They dont have any idea how to start a browser independently from their bundled software. Google? How do I do that.
This is exactly the type of person AV was made for. AND, they far out number the people on this forum by about 4 bazillion to 3500.
After many communications, I find out the moron has clicked on some links in an email.
Lovely.
Remember when mom told you to stay out of the cookie jar.
You didnt listen to her and got smacked. You still went back to that cookie jar DAMN WELL KNOWING the potential consequences.
OK, back to the topic.
Because I dont have access to the pc/laptop, I can only search the file name to see what it is. Well, just by looking at the file name of one of them I know this cant be good, phisbank.(many dif ext).
Now I can only imagine the email :
Hi customer X,
Due to security upgrades, you will need to log in here: http://www(youmoron).com and enter your bank account information starting with your name, social security number and bank account numbers.
At the prompt you will be asked to enter a new username and password.
How do I fix this? At this point I dont give two shits. I send them to an AV site and wish them luck. WHY you may ask, because this person is a MORON who paid for an AV program, too fucking lazy to read the alerts that come DAILY. They think just because the little icon is down in the right hand corner they are secure.
Now, with my little rant finished, my point. Shit, did I have a point.
Someone with the lamest of skills can cut and paste some code and get just one chump to take the bait. It only takes ONE moron to start this mess.
Oh, this would be the same chump who RE-INFECTS themselves 3 more times before they get it hammered into their head to not click on the fucking link that is in the same email but has a different subject line.
Anyway, as lame as some of those 733t fuckers think they are, they know it only takes one moron to start a chain reaction.
I gotta go, I have some new emails from my new friends on MySpace.
Woodmann
blabberer
April 23rd, 2007, 04:32
well how about morons who, in spite of being told by av that this .pif file is a virus and then personally by a supervisor not to open, download or save files with extensions that end in .pif (a 102 point banner stuck in front of the computer that says the same is available too), somehow kill the av, download the shit and then complain "can't read this file"
you simply cant stop these idiots
oh virginialily has sent me a link to view her nude in cam i gotta click that bye
0xf001
April 23rd, 2007, 04:42
so can we come to the conclusion, that sexual implications are the root cause for even computer infections?

0xf001
April 23rd, 2007, 07:07
just stumbled across that article, from kaspersky lab about vista vs virus ...
http://www.viruslist.com/en/analysis?pubid=204791916
not to expect mega internals, but a nice read for in between probably
regards, 0xf001
disavowed
April 23rd, 2007, 11:08
Quote:
[Originally Posted by quetzalcoatl;65094]Wanna change screen resolution? Give admin login & password. Wanna change wallpaper?.. rotfl.
Actually, you don't need to provide credentials to change resolution or wallpaper in Vista.
Regarding the reason malware is so prevalent... it has NOTHING to do with the fact that most Windows users run as Administrator. The fact that most malware is only functional if the user is running as Administrator is a side effect of the fact that most users run as Administrator. If all Windows users ran as limited non-Administrators, then malware could still infect the user's environment (ransomware for the limited user's documents, sending e-mail as the limited user, connecting to botnets as the limited user, stealing bank account info from the limited user, etc.). There are very few things that malware can do that would be useful to a malware author that can't be done from the context of a limited user (as opposed to Administrator). So if no Windows users ran as Administrator, this would still have no effect on the malware situation.
The fact of the matter is that as long as a user (limited or Administrator, Windows or non-Windows) can choose what they're allowed to execute then there will be malware to take advantage of them.
The most ideal solution is ridiculous amounts of user education, but that's never going to happen.
The next best solution is massive white-listing of applications (and not allowing limited users to run anything not already on the whitelist), however this doesn't solve the problem of malicious documents exploiting the whitelisted applications and executing arbitrary code from the context of a whitelisted program. This is one place where AV is *really* useful -- picking up exploits in documents.
CrackZ
April 23rd, 2007, 15:43
"The most ideal solution is ridiculous amounts of user education, but that's never going to happen."
I'm an idealist, but it doesn't pay well and we'll all agree on that ;-). Before I let my neophyte parents run wild on the Internet with their very first computer (an out of the box unpatched XP I might add) I took about 1/2hr to patch and secure it and educate them just slightly about the things NOT to do.
Thus far they have resisted Anna Kournikova and opening / replying to emails purporting to be from various banks, lotteries and firms offering 6" longer penises.....*nix users know where to get non-trojanised Anna Kournikova pics anyway ;-).
Whitelisting feels to me like another half-baked solution, a bit like AV really.
User ignorance and crass stupidity is really the root cause of the majority of trojan/virii infections; by that definition and by my assumption, if the user falls into one of those categories they are lost anyway, it doesn't really matter what they are running as *protection*, if anything it's a false sense of security.
What use is the AV program that pops up saying "program x wants to communicate with the Internet or *might* be infected with Trojan.ABC.X.Y.Z.SkyNet, do you wish to allow it?" when they will blindly say yes? What use is the software personal firewall (another scam in itself) that pops up "program x is trying to connect to <some.ip.here> port <here>" when the user doesn't even understand what the hell it means?
The AV industry has no reason to bite the hand that feeds it, so rather than educate, it pushes out never-ending *updates*, and when a really clever trojan slips through the net there's yet more publicity to feed the upgrade cycle..... I'm cynical I know, but I'll take that link to virgin_lily_cam anytime ;-).
Without risking any OS war, I'm not advocating everyone burn their copy of Windows and install some *nix flavour either, no OS can save you from stupidity.
Regards
CrackZ.
Aimless
April 23rd, 2007, 16:06
And that is why, Crackz, I always send you msgs by post and not email. From the amt of posting I'd say you finally got that slack day. Have Phun.
disavowed
April 24th, 2007, 01:08
Hah... looks like Mark Russinovich just echoed exactly what I said above: http://blogs.zdnet.com/security/?p=175
LLXX
April 24th, 2007, 02:22
Quote:
[Originally Posted by disavowed;65124]The next best solution is massive white-listing of applications (and not allowing limited users to run anything not already on the whitelist), however this doesn't solve the problem of malicious documents exploiting the whitelisted applications and executing arbitrary code from the context of a whitelisted program. This is one place where AV is *really* useful -- picking up exploits in documents. |
That sounds so Orwellian that I'm beginning to wonder if the future of computer software will be to protect users from themselves.
I say we educate the users, and if they're too stupid to take the advice, they deserve the consequences.
0xf001
April 24th, 2007, 03:23
Hi,
CrackZ:
Quote:
What use is the AV program that pops up saying "program x wants to communicate with the Internet or *might* be infected with Trojan.ABC.X.Y.Z.SkyNet, do you wish to allow it?" when they will blindly say yes, ... |
i am an idealist, too, by the way, reality can byte, be warned ... hehe
i agree very much with your post, especially about Anna Kournikova pics
though I tend to agree with woodmann that some tool is better than nothing for the ordinary user. besides asking, it usually blocks without notice what is already (pre-)configured, not giving the chance to click the wrong button.
does not save the user completely, but it's better than nothing for at least the most basic threats.
disavowed:
Quote:
... looks like Mark Russinovich just echoed exactly what I said above: |
probably you were "right" ?
users running as admin give a chance to compromise the system more enduringly. in terms of a virus, and not malware in general, i think there you can say that users running as admin gave the malware (virii) a better chance to spread?
LLXX:
Quote:
I say we educate the users, and if they're too stupid to take the advice, they deserve the consequences. |
... exactly
regards, 0xf001
Silver
April 25th, 2007, 04:23
disa:
Quote:
There are very few things that malware can do that would be useful to a malware author that can't be done from the context of a limited user (as opposed to Administrator). So if no Windows users ran as Administrator, this would still have no effect on the malware situation |
I disagree here. In the absence of other security flaws, a limited user account should not be able to mess with the (higher privileged) system. Therefore pervasive low-level malware like rootkits should not have any way of installing itself. No question that malware can still do everything the user context can do, but if the user context is properly limited then the impact of the malware is limited too. It might not reduce the volume of malware, but it would definitely reduce the impact/severity.
I still believe it's a design flaw of Windows that so many applications/actions need elevated privileges. I don't fully buy the "it's the application developer's fault" because the developer is constrained to the architecture of Windows - there's no "please enter admin password" when playing games on the xbox360, is there...
And for all the benefit of UAC and IE7 protected mode (UIPI etc) supposedly brings, malcode can still elevate or drop its integrity as necessary. Besides, everyone I know who uses Vista has turned UAC off because it's bloody annoying - and these are non-technical end users too.
quetzalcoatl
April 25th, 2007, 05:37
well.. IMHO, the malware will always be able to do exactly what a user would be able to. Limiting the malware can be done only through limiting the user. XBox? well.. it's a toy for launching games, my watch also doesn't ask me to give a password when I adjust the time, and neither does my mp3 player. I myself would expect something more from a computer.. With constantly better machines and software one expects more and more flexibility, not yet another constraint.
About limiting the user.. One may think that some things very useful for malware, like modifying code pages in running processes, or starting your own threads in a process that isn't yours, are sooo low-level and are totally needless for present software.. But wait, look at Java. Relatively safe and sealed runtime environment, dynamic classloading and reflection, very rich available libraries. And what is one of the biggest changes in the very engine in JRE6? Bytecode injection! Now you can inject bytecode into running java threads.. I doubt that was made especially for malware use. The feature is so hazardous that adding it had to have very serious reasons - i.e. easier or now possible instrumenting, debugging and extending existing (running!) code..
It may sound a bit harsh, but such is life: I think that if a dumb user wants to stick a pencil into his own eye, we should not interfere.. Next time he will be smarter with that experience, and other dumb users who saw what happened will get a bit smarter, too.. Even putting a label "WARNING: do not eat. do not stick into eyes. too small for kids under 3yrs." has doubtful effect, who reads it anyway? What we could only do is to prevent the possibility of sticking that pencil into another one's eye. But then, if both of them want it.. I think that the only reasonable and ethical solution is to make every OS and piece of software in two versions: first for idiots and dumbasses, second for techguys and idiot-kamikazes.. First sealed, limited, knowing better than the user, and the second totally open, fully customizable, DIY.. That may even be one and the same version, but with such a switch choosable at installation, completely unchangeable at runtime..
deroko
April 25th, 2007, 07:24
Quote:
[Originally Posted by 0xf001;65118]so can we come to the conclusion, that sexual implications are the root cause for even computer infections?  |
It seems so
autarky
April 25th, 2007, 08:13
Quote:
[Originally Posted by disavowed;65124]
The next best solution is massive white-listing of applications (and not allowing limited users to run anything not already on the whitelist), however this doesn't solve the problem of malicious documents exploiting the whitelisted applications and executing arbitrary code from the context of a whitelisted program. This is one place where AV is *really* useful -- picking up exploits in documents. |
As far as I know, that is what all the big AV vendors are working on for their enterprise products. Along with configuration and patch management. Draconian as it may be, I think it's reasonable enough in a large corporate environment.
disavowed
April 25th, 2007, 11:08
Quote:
[Originally Posted by LLXX;65145]That sounds so Orwellian that I'm beginning to wonder if the future of computer software will be to protect users from themselves. |
It's not the future, it's the present
Quote:
[Originally Posted by 0xf001]users running as admin, give chance to compromise the system more enduring. |
Malware can load itself into HKCU\Software\Microsoft\Windows\CurrentVersion\Run just as easily as it can load itself into HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
Quote:
[Originally Posted by 0xf001]in terms of a virus and not malware in general, i think there u can say that users running as admin gave the malware (virii) better chance to spread? |
Depends on the type of virus. If it's infecting EXEs only, then yes, you're right (since the limited user shouldn't have write-access to most EXEs on the system). If it's infecting documents/pictures/etc. then it would probably spread just as easily if run by limited user as if run as admin.
Quote:
[Originally Posted by Silver]In the absence of other security flaws, a limited user account should not be able to mess with the (higher privileged) system. Therefore pervasive low-level malware like rootkits should not have any way of installing itself. No question that malware can still do everything the user context can do, but if the user context is properly limited then the impact of the malware is limited too. It might not reduce the volume of malware, but it would definitely reduce the impact/severity. |
Silver, I agree with all of this. However, stealthing (via rootkit technology) is not the end-goal of malware; the end-goal is to steal credit card numbers, send spam, join a botnet for doing DDoS, etc., none of which require stealthing or admin privileges. So yes, while kernel-mode rootkits wouldn't work on non-admins (assuming no elevation-of-privilege vulnerabilities are exploited), malware would still have the same impact as it does today. And then of course you have user-mode rootkits anyway...
thE_GB_Man
May 12th, 2007, 05:15
ok first i must quote
Quote:
Anyway, as lame as some of those 733t fuckers think they are, they know it only takes one moron to start a chain reaction. |
teet fuckers.... sounds naughty... like an english version of titty.... well you all know what i'm getting at. !
so, conspiracy and what not.
Sadly enough, i work as a tech for GS (Geek Squad), the people that grandma and grandpa come to because they saw our 15 mins of fame on 60 minutes.
Side note: i actually had an old guy come up to me and say "! You're the boys i saw on 60 minutes! can you help me!?"
any whoo... what someone stated long ago in this article was very true... i have your usual idiot come up to me and go ... my computer runs slow as hell and i keep getting all of the pop-ups? what happened?
Well... you clicked on the talking smily you dumb sh**!!!!!!!!!11!! << intentional :P
*oh how i wish i could say that*
k, back to what i was saying...
these people are so dumb they actually fall for the paypal ... "enter your account number and password here please because we said so..." btw our site is www.fakepaypal.com
so what we did was open up a virtual machine. we went to every known virus site, we had bonzai buddy, we had 180 search assistant, we had everything you could imagine. however in the end we only had 44 things of spyware and viruses total... so the question still remained unanswered... how do people end up with 84 things of spyware and viruses?
Plain and simple... stupidity.
So, yes people do need more than a concience... don't think that was spelled right.
oh well.. and sadly common sense is no longer common. so when that ad tells uncle dave that he won 1 million dollars, all he needs to do is put in his name and email... and his credit card, he sure as hell is going to do it. People need a big red thing in the bottom right hand corner (or middle if you're norton) saying, hey... you, dumbass... don't download this, it's bad, also if you give those ppl your credit card # they're going to screw you...
that's my input, if my language was a little foul, sorry, i feel very strongly on the issue.
PPS... the views and thoughts said herein are not represented or endorsed by GeekSquad or businesses associated with them... these are purely my own thoughts... thought i would cover my and my employer's ass
blurcode
May 25th, 2007, 20:34
Symantec Updates Cause Chaos in China:
http://it.slashdot.org/article.pl?sid=07/05/19/1427240&from=rss
blabberer
May 26th, 2007, 02:07
arrgh, nowadays symantec doesn't code, it uses microsoft's products to do its job
if some of you noticed you can see norton antivirus is running a non-killable instance of regedit (yes, legitimate microsoft's REGEDIT.EXE, the windows registry editor) in the background
the parent process being ccpwdsvc.exe
the command line being regedit.exe /e "some file in shared folder of symantec"
in a few years symantec will probably be running every ms application in the background
probably good technique :devilish
file is in use so virus won't be able to use that file so no virus so no extra work for symantec (they can simply laugh their way to the banks)
blurcode
May 26th, 2007, 08:24
blabberer is this true? lol
0xf001
May 26th, 2007, 08:31
lol,
is it necessary to open the registry via a full regedit executable? just curious and too lazy to google, and not really interested, but ignorantly i am sure there must be a better solution per default
and i don't say what i want to say about all the av and security crapware one needs to install. i feel so "free"
cheers, 0xf001
________
I MUST NOT start flamewars
blabberer
May 26th, 2007, 09:59
i don't know blurcode but i think so, unless i have some zero-day rootkit doing magic in this computer or if processexplorer by mark is lying and cheating on me
and tasklist is bluffing
Code:
C:\>tasklist /v /fi "imagename eq regedi*" /fo "list"
Image Name: REGEDIT.EXE
PID: 1768
Session Name: Console
Session#: 0
Mem Usage: 396 K
Status: Running
User Name: NT AUTHORITY\SYSTEM
CPU Time: 0:00:04
Window Title: N/A
C:\>
and tlist is also playing two-timing games
Code:
c:\>tlist "rege*"
1768 REGEDIT.EXE
CWD: C:\WINDOWS\system32\
CmdLine: REGEDIT.EXE /E "C:\Program Files\Common Files\Symantec Shared\ccReg.
dat
VirtualSize: 22132 KB PeakVirtualSize: 29932 KB
WorkingSetSize: 396 KB PeakWorkingSetSize: 1864 KB
NumberOfThreads: 1
1168 Win32StartAddr:0x01008ac5 LastErr:0x80070490 State:Waiting
c:\>tlist -t
System Process (0)
System (4)
SMSS.EXE (376)
CSRSS.EXE (548)
WINLOGON.EXE (580) NetDDE Agent
SERVICES.EXE (1112)
SVCHOST.EXE (1300)
SVCHOST.EXE (1392)
SVCHOST.EXE (1548)
SVCHOST.EXE (1560)
ccEvtMgr.exe (1600)
SPOOLSV.EXE (1808)
Navapsvc.exe (228)
UTSCSI.EXE (452)
ccPwdSvc.exe (1432)
REGEDIT.EXE (1768)
SVCHOST.EXE (148)
i believe i'm right
LLXX
May 27th, 2007, 06:57
Well, it looks like it's exporting the whole registry to ccReg.dat, which would probably be easier to do by spawning regedit.exe than via API.
(Does ccReg.dat really contain a copy of the whole registry? Check the size.)
blabberer
May 27th, 2007, 11:09
litana i was just playing and threw that answer as a reply to the question about symantec buggy coding
with your question you are almost nearer to the end
/e means exporting whole hklm and hkcu yes you are right
no there is no big file (the ccreg.dat is just 2kb)
once i saw that command line i exported them myself to some temp place
and my file is very big see below
05/27/2007 08:11 PM 63,540,434 foo.reg
so ill finish
symantec is waiting for a reply (a message box has been spawned, possibly in a separate desktop, and it wants someone from symantec to click ok on it but no one from symantec is coming forth so it is sitting there eating my resources)
and the other craps have bugs in the sense they don't show the full commandline
unicode parsing bug, feature, or maybe that's how it's done in unicode (some mskb describing this may exist, i didn't check): the full commandline consists of three arguments
/e filename and pathname but all unicode parsers display only two
let's attach this regedit and see what's the original commandline
Code:
77E7E59B kernel32.GetCommandLineW A1 0470ED77 MOV EAX, DWORD PTR DS:[77ED7004]
[77ED7004]=00020648
00020648 REGEDIT.EXE /E "C:\Program Files\Common Files\Symantec Shared\cc
000206C8 Reg.dat. "HKEY_LOCAL_MACHINE\Software\Symantec\ccReg..C:\WINDOWS
00020748 \REGEDIT.EXE....
77E7E358 kernel32.GetCommandLineA A1 1476ED77 MOV EAX, DWORD PTR DS:[77ED7614]
[77ED7614]=00092310
00092310 REGEDIT.EXE /E "C:\Program Files\Common Files\Symantec Shared\cc
00092350 Reg.dat" "HKEY_LOCAL_MACHINE\Software\Symantec\ccReg"
so it is trying to export only one entry and not whole hklm and hkcu
maybe me and my ollydbg are dumb
let's kill this regedit with ollydbg and make it spawn a new regedit
and attach with windbg
and try finding the commandline again
Code:
0:001> !str kernel32!BaseAnsiCommandLine
String(131,132) kernel32!BaseAnsiCommandLine+00000000 at 77ed7610: REGEDIT.EXE /E "C:\Program Files\Common Files\Symantec Shared\CommonClient.dat" "HKEY_LOCAL_MACHINE\Software\Symantec\CommonClient"
see, the ascii string is right
ok ascii is right, let's check unicode
Code:
0:001> !ustr BaseUnicodeCommandLine
String(262,264) kernel32!BaseUnicodeCommandLine+00000000 at 77ed7000: REGEDIT.EXE /E "C:\Program Files\Common Files\Symantec Shared\CommonClient.dat
it simply screwed up
ok we will check it differently
Code:
0:001> du poi(kernel32!BaseUnicodeCommandLine+4)
00020648 "REGEDIT.EXE /E "C:\Program Files"
00020688 "\Common Files\Symantec Shared\Co"
000206c8 "mmonClient.dat"
screwed up again
if you view with db it simply is there, so these don't parse the double null terminators properly
Code:
00020648 R E G E D I T . E X E / E " C : \ P r o g r a m F i l e s \ C o m m o
00020694 n F i l e s \ S y m a n t e c S h a r e d \ C o m m o n C l i e n t . d
000206e0 a t . " H K E Y _ L O C A L _ M A C H I N E \ S o f t w a r e \ S y m a n
0002072c t e c \ C o m m o n C l i e n t . . C : \ W I N D O W S \ R E G E D I T . E
00020778 X E
let's check !peb: windbg shows only half the command line
Code:
77f767cd cc int 3
0:001> ~*kb
0 Id: 280.d8 Suspend: 1 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr Args to Child
0006f58c 77d43c6b 77d4b406 00000000 00000000 SharedUserData!SystemCallStub+0x4
0006f590 77d4b406 00000000 00000000 00000000 USER32!NtUserWaitMessage+0xc
0006f5c4 77d4d9aa 000200e6 00000000 00000001 USER32!DialogBox2+0x1fb
0006f5ec 77d662f4 77d40000 00097610 00000000 USER32!InternalDialogBox+0xce
0006f8a4 77d65d77 00010010 0006fe98 00000000 USER32!SoftModalMessageBox+0x72c
0006f9ec 77d66441 00000001 00000028 00000000 USER32!MessageBoxWorker+0x267
0006fa40 77d70989 00000000 00095350 0006fe98 USER32!MessageBoxTimeoutW+0x78
0006fa60 77d7096d 00000000 00095350 0006fe98 USER32!MessageBoxExW+0x19
0006fa78 01008e98 00000000 00095350 0006fe98 USER32!MessageBoxW+0x44
0006ff3c 0100646c 01000000 00000000 0000008a REGEDIT!InternalMessageBox+0x9f
0006ff60 01008a56 00000000 00000000 00020668 REGEDIT!RegEdit_ExportRegFile+0x6b
0006ff88 01008b33 a3ac7be1 f93b00e0 7ffdf000 REGEDIT!ParseCommandLine+0x128
0006ffc0 77e814c7 a3ac7be1 f93b00e0 7ffdf000 REGEDIT!ModuleEntry+0x6e
0006fff0 00000000 01008ac5 00000000 78746341 kernel32!BaseProcessStart+0x23
# 1 Id: 280.714 Suspend: 1 Teb: 7ffdd000 Unfrozen
ChildEBP RetAddr Args to Child
0056ffc8 77f7285c 00000005 00000004 00000001 ntdll!DbgBreakPoint
0056fff4 00000000 00000000 00000000 00000000 ntdll!DbgUiRemoteBreakin+0x36
0:001> !peb
PEB at 7ffdf000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 01000000
Ldr 00191e90
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00191f28 . 00192a80
Ldr.InLoadOrderModuleList: 00191ec0 . 00192a70
Ldr.InMemoryOrderModuleList: 00191ec8 . 00192a78
Base TimeStamp Module
1000000 3d6dd63b Aug 29 13:37:23 2002 C:\WINDOWS\REGEDIT.EXE
77f50000 3d6dfa28 Aug 29 16:10:40 2002 C:\WINDOWS\System32\ntdll.dll
77e60000 3d6dfa28 Aug 29 16:10:40 2002 C:\WINDOWS\system32\kernel32.dll
77c10000 3d6dfa27 Aug 29 16:10:39 2002 C:\WINDOWS\system32\msvcrt.dll
77dd0000 3d6dfa28 Aug 29 16:10:40 2002 C:\WINDOWS\system32\ADVAPI32.dll
78000000 3d6dfa29 Aug 29 16:10:41 2002 C:\WINDOWS\system32\RPCRT4.dll
77c70000 3d6dfa27 Aug 29 16:10:39 2002 C:\WINDOWS\system32\GDI32.dll
77d40000 3d6dfa28 Aug 29 16:10:40 2002 C:\WINDOWS\system32\USER32.dll
71950000 3d6df9b6 Aug 29 16:08:46 2002 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\COMCTL32.dll
70a70000 3d6dfa02 Aug 29 16:10:02 2002 C:\WINDOWS\system32\SHLWAPI.dll
763b0000 3d6dfa1d Aug 29 16:10:29 2002 C:\WINDOWS\system32\comdlg32.dll
773d0000 3d6dfa23 Aug 29 16:10:35 2002 C:\WINDOWS\system32\SHELL32.dll
76cc0000 3b7dfe12 Aug 18 11:03:06 2001 C:\WINDOWS\System32\AUTHZ.dll
71550000 3b7dfe39 Aug 18 11:03:45 2001 C:\WINDOWS\System32\ACLUI.dll
771b0000 3d6dfa22 Aug 29 16:10:34 2002 C:\WINDOWS\system32\ole32.dll
77120000 3d6dfa22 Aug 29 16:10:34 2002 C:\WINDOWS\system32\OLEAUT32.dll
71fa0000 3b7dfe2f Aug 18 11:03:35 2001 C:\WINDOWS\System32\ulib.dll
6f2b0000 3b7dfe63 Aug 18 11:04:27 2001 C:\WINDOWS\System32\clb.dll
5ad70000 3d6df9da Aug 29 16:09:22 2002 C:\WINDOWS\System32\uxtheme.dll
SubSystemData: 00000000
ProcessHeap: 00090000
ProcessParameters: 00020000
WindowTitle: 'C:\WINDOWS\REGEDIT.EXE'
ImageFile: 'C:\WINDOWS\REGEDIT.EXE'
CommandLine: 'REGEDIT.EXE /E "C:\Program Files\Common Files\Symantec Shared\CommonClient.dat'
see the commandline parameter? it's half
bug, feature, i don't know
last but not least in the windbg paste i have posted the call stack for regedit
if you see there is a softmodaldialogbox and WaitForMessage () in stack
so here is a snipped stack for it from ollydbg for wrapping this up
Code:
ESP ==> > 77D43C6B RETURN to USER32.77D43C6B
ESP+4 > 77D4B406 RETURN to USER32.77D4B406 from USER32.WaitMessage
ESP+14 > 000100E6 UNICODE "EEP-HIV61JSZLV"
ESP+34 >/0006F5EC
ESP+38 >|77D4D9AA RETURN to USER32.77D4D9AA from USER32.77D4B279
ESP+3C >|000100E6 UNICODE "EEP-HIV61JSZLV"
ESP+5C >\0006F830
ESP+60 > 77D662F4 RETURN to USER32.77D662F4 from USER32.77D4D8F6
ESP+64 > 77D40000 USER32.77D40000
ESP+68 > 000954E8
ESP+6C > 00000000
ESP+70 > 77D69117 USER32.77D69117
ESP+98 > 00000000
ESP+9C > 00020668 UNICODE "C:\Program Files\Common Files\Symantec Shared\ccReg.dat"
ESP+A0 > 00000000
ESP+A4 > 0006F680
ESP+A8 > 77F54EA7 RETURN to ntdll.77F54EA7 from ntdll.77F5502A
ESP+C0 > 6F2B1170 UNICODE "LBS_OWNERDRAWFIXED"
ESP+E8 > 0006FB20 UNICODE "e system error."
ESP+EC > 77F79005 ntdll.77F79005
ESP+F0 > 77F6D5C8 ntdll.77F6D5C8
ESP+F4 > FFFFFFFF
ESP+F8 > 77F5166A RETURN to ntdll.77F5166A from ntdll.77F78C4E
ESP+FC > 77D48CCF RETURN to USER32.77D48CCF from ntdll.RtlFreeHeap
ESP+10C > 77F51566 RETURN to ntdll.77F51566 from ntdll.77F78C4E
ESP+11C > 6F2B00D8 ASCII "PE"
ESP+12C > 77F79005 ntdll.77F79005
ESP+130 > 77F6D5B8 ntdll.77F6D5B8
ESP+134 > FFFFFFFF
ESP+138 > 77F51566 RETURN to ntdll.77F51566 from ntdll.77F78C4E
ESP+13C > 77D44790 RETURN to USER32.77D44790 from ntdll.RtlImageNtHeader
ESP+140 > 77D447BE RETURN to USER32.77D447BE from USER32.77D43998
ESP+144 > FFFF0000
ESP+148 > 0000C12E
ESP+14C > 6F2B0000 clb.6F2B0000
ESP+150 > 00000004
ESP+154 > 6F2B00D8 ASCII "PE"
ESP+158 > 00000000
ESP+15C > 0006F6D4
ESP+160 > 77D44FC3 RETURN to USER32.77D44FC3 from USER32.77D447C1
ESP+164 > 0006FB20 UNICODE "e system error."
ESP+168 > 77D6EDBF USER32.77D6EDBF
ESP+16C > 77D95130 USER32.77D95130
ESP+170 > FFFFFFFF
ESP+174 > 77D447BE RETURN to USER32.77D447BE from USER32.77D43998
ESP+178 > 77D44FDA RETURN to USER32.77D44FDA from USER32.77D44761
ESP+17C > 6F2B0000 clb.6F2B0000
ESP+180 > 0006F9D4
ESP+184 > 0006F748
ESP+188 > 00090000
ESP+18C > 77F517E6 RETURN to ntdll.77F517E6 from ntdll.77F78C4E
ESP+190 > 00000024
ESP+194 > 00090D48
ESP+198 > 00090000
ESP+19C > 000942A8 UNICODE "Cannot export C:\Program Files\Common Files\Symantec Shared\ccReg.dat: Error opening the file. There"
=============================================================
000942A8 Cannot export C:\Program Files\Common Files\Symantec Shared\ccRe
00094328 g.dat: Error opening the file. There may be a disk or file syste
000943A8 m error
=====================================================================
ESP+1D8 > 00020668 UNICODE "C:\Program Files\Common Files\Symantec Shared\ccReg.dat"
ESP+1EC > 77D44A8D RETURN to USER32.77D44A8D from USER32.77D449B7
ESP+1F0 > 77D9C3A4 UNICODE "USER32"
ESP+1F4 > 00007F00
ESP+1F8 > 0006F9A0
ESP+1FC > 6F2B0000 clb.6F2B0000
ESP+200 > 6F2B1F56 clb.<ModuleEntryPoint>
ESP+2B4 > 000942A8 UNICODE "Cannot export C:\Program Files\Common Files\Symantec Shared\ccReg.dat: Error opening the file. There"
ESP+314 >/0006F978
ESP+318 >|77D65D77 RETURN to USER32.77D65D77 from USER32.SoftModalMessageBox
ESP+31C >|00010010 UNICODE "PROFILE=C:\Documents and Settings\All Users"
ESP+320 >|0006FE98 UNICODE "Registry Editor"
ESP+324 >|00000000
ESP+328 >|00000000
ESP+32C >|0000005C
ESP+330 >|77F51566 RETURN to ntdll.77F51566 from ntdll.77F78C4E
ESP+334 >|0006FA98 UNICODE "Cannot export %1: Error opening the file. There may be a disk or file system error."
ESP+3C8 >|000942A8 UNICODE "Cannot export C:\Program Files\Common Files\Symantec Shared\ccReg.dat: Error opening the file. There"
ESP+3E4 >|FFFFFFFF
ESP+3E8 >\77F517B2 RETURN to ntdll.77F517B2 from ntdll.77F78C4E
ESP+3EC > 77E7A6D4 RETURN to kernel32.77E7A6D4 from ntdll.RtlAllocateHeap
ESP+43C > 00350850 UNICODE "OK"
ESP+45C >/0006FA40
ESP+460 >|77D66441 RETURN to USER32.77D66441 from USER32.77D65C3D
ESP+474 >|000942A8 UNICODE "Cannot export C:\Program Files\Common Files\Symantec Shared\ccReg.dat: Error opening the file. There"
ESP+478 >|0006FE98 UNICODE "Registry Editor"
ESP+47C >|00010010 UNICODE "PROFILE=C:\Documents and Settings\All Users"
ESP+4B4 >|77D70989 RETURN to USER32.77D70989 from USER32.MessageBoxTimeoutW
ESP+4B8 >|00000000
ESP+4BC >|000942A8 UNICODE "Cannot export C:\Program Files\Common Files\Symantec Shared\ccReg.dat: Error opening the file. There"
ESP+4C0 >|0006FE98 UNICODE "Registry Editor"
ESP+4C4 >|00010010 UNICODE "PROFILE=C:\Documents and Settings\All Users"
ESP+4D4 >|77D7096D RETURN to USER32.77D7096D from USER32.MessageBoxExW
ESP+4D8 >|00000000
ESP+4DC >|000942A8 UNICODE "Cannot export C:\Program Files\Common Files\Symantec Shared\ccReg.dat: Error opening the file. There"
ESP+4E0 >|0006FE98 UNICODE "Registry Editor"
ESP+4E4 >|00010010 UNICODE "PROFILE=C:\Documents and Settings\All Users"
ESP+4E8 >|00000000
ESP+4EC >|01008E98 RETURN to REGEDIT.01008E98 from USER32.MessageBoxW
ESP+4F0 >|00000000
ESP+4F4 >|000942A8 UNICODE "Cannot export C:\Program Files\Common Files\Symantec Shared\ccReg.dat: Error opening the file. There"
ESP+4F8 >|0006FE98 UNICODE "Registry Editor"
ESP+4FC >|00010010 UNICODE "PROFILE=C:\Documents and Settings\All Users"
ESP+500 >|000206DC UNICODE "HKEY_LOCAL_MACHINE\Software\Symantec\ccReg"
ESP+504 >|00020668 UNICODE "C:\Program Files\Common Files\Symantec Shared\ccReg.dat"
ESP+668 >|000206DC UNICODE "HKEY_LOCAL_MACHINE\Software\Symantec\ccReg"
ESP+66C >|0070006E
ESP+670 >|00020668 UNICODE "C:\Program Files\Common Files\Symantec Shared\ccReg.dat"
ESP+688 >|77F5156B ntdll.RtlFreeHeap
ESP+68C >|C0000022
ESP+690 >|77F5119A RETURN to ntdll.77F5119A from ntdll.RtlNtStatusToDosErrorNoTeb
ESP+694 >|77F5119F RETURN to ntdll.77F5119F from ntdll.77F78C4E
ESP+698 >|00000000
ESP+69C >|77F5156B ntdll.RtlFreeHeap
ESP+6DC >|000206DC UNICODE "HKEY_LOCAL_MACHINE\Software\Symantec\ccReg"
ESP+714 >|00020702 UNICODE "Software\Symantec\ccReg"
ESP+738 >|77F758B6 RETURN to ntdll.77F758B6
ESP+73C >|77DD17B9 RETURN to ADVAPI32.77DD17B9 from ntdll.ZwClose
ESP+740 >|00000050
ESP+744 >|00000000
ESP+748 >|0006FF4C
ESP+74C >|77DD1859 RETURN to ADVAPI32.77DD1859 from ADVAPI32.77DD1772
ESP+750 >|0006FCE8
ESP+754 >|0100A93C RETURN to REGEDIT.0100A93C from ADVAPI32.RegCloseKey
ESP+758 >|00000000
ESP+75C >|000206DC UNICODE "HKEY_LOCAL_MACHINE\Software\Symantec\ccReg"
ESP+760 >|00020668 UNICODE "C:\Program Files\Common Files\Symantec Shared\ccReg.dat"
ESP+850 >|01008AC5 REGEDIT.<ModuleEntryPoint>
ESP+934 >|77DD193B RETURN to ADVAPI32.77DD193B from ADVAPI32.77DD16AD
ESP+938 >|010018C0 UNICODE "Software\Microsoft\Windows\CurrentVersion\Policies\System"
ESP+968 >|010018C0 UNICODE "Software\Microsoft\Windows\CurrentVersion\Policies\System"
ESP+998 >|00020666 UNICODE ""C:\Program Files\Common Files\Symantec Shared\ccReg.dat"
ESP+99C >|0006FF5C
ESP+9A0 >|77E7E106 RETURN to kernel32.77E7E106 from kernel32.77E7E175
ESP+9A4 >|000206DC UNICODE "HKEY_LOCAL_MACHINE\Software\Symantec\ccReg"
ESP+9A8 >|00000000
ESP+9AC >]0006FF60
ESP+9B0 >|0100646C RETURN to REGEDIT.0100646C from REGEDIT.01008DF9
ESP+9B4 >|01000000 REGEDIT.01000000
ESP+9B8 >|00000000
ESP+9BC >|0000008A
ESP+9C0 >|000942A8 UNICODE "Cannot export C:\Program Files\Common Files\Symantec Shared\ccReg.dat: Error opening the file. There"
ESP+9C4 >|00000010
ESP+9C8 >|00020668 UNICODE "C:\Program Files\Common Files\Symantec Shared\ccReg.dat"
ESP+9CC >|00020668 UNICODE "C:\Program Files\Common Files\Symantec Shared\ccReg.dat"
ESP+9D0 >\00000001
ESP+9D4 > 01008A56 RETURN to REGEDIT.01008A56 from REGEDIT.01006401
ESP+9E0 > 00020668 UNICODE "C:\Program Files\Common Files\Symantec Shared\ccReg.dat"
ESP+9E4 > 000206DC UNICODE "HKEY_LOCAL_MACHINE\Software\Symantec\ccReg"
ESP+9FC > 01008B33 RETURN to REGEDIT.01008B33 from REGEDIT.0100892E
ESP+A20 > 77F764A6 RETURN to ntdll.77F764A6
ESP+A24 > 77E814C4 RETURN to kernel32.77E814C4 from ntdll.ZwSetInformationThread
ESP+A34 > 77E814C7 RETURN to kernel32.77E814C7
ESP+A50 > FFFFFFFF End of SEH chain
ESP+A54 > 77E94809 SE handler
ESP+A58 > 77E91210 kernel32.77E91210
ESP+A5C > 00000000
ESP+A60 > 00000000
ESP+A64 > 00000000
ESP+A68 > 01008AC5 REGEDIT.<ModuleEntryPoint>
ESP+A6C > 00000000
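The tool discrepancy in the post above (tlist, !ustr and du show the command line up to the file name, while db and the ANSI copy show all three arguments) is reproduced here in an added C example that is not code from the post or from any of the tools mentioned. It models a quote-aware argument parser that terminates each quoted argument in place by overwriting its closing quote with NUL; that is one mechanism consistent with the db dump (the buffer at 0x20648 has a NUL exactly where the closing quote of the .dat path would be), but that regedit's ParseCommandLine works this way is an inference, not something the post establishes. A C-string reader stops at the first embedded NUL; a reader that trusts the Length field of the PEB's CommandLine UNICODE_STRING recovers the whole buffer. The UTF-16 buffer, the ustring16 and arg16 types and the tokenizer are constructed for the example; the command line is the one quoted in the post; nothing here is Windows-specific, so it compiles anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows keeps command lines as UTF-16; wchar_t is 4 bytes on most
 * non-Windows toolchains, so model a UTF-16 code unit explicitly. */
typedef uint16_t wc16;

/* Stand-in for the UNICODE_STRING in PEB->ProcessParameters->CommandLine:
 * Length is in bytes and is independent of any NUL inside Buffer. */
typedef struct {
    uint16_t length_bytes;
    wc16    *buffer;
} ustring16;

/* One parsed argument: pointer into the buffer plus its length in units. */
typedef struct {
    const wc16 *start;
    size_t      units;
} arg16;

/* Constructed sample: the command line quoted in the post above. */
static const char *SAMPLE_CMDLINE =
    "REGEDIT.EXE /E \"C:\\Program Files\\Common Files\\Symantec Shared\\ccReg.dat\""
    " \"HKEY_LOCAL_MACHINE\\Software\\Symantec\\ccReg\"";

/* Widen an ASCII string into a wc16 buffer; returns units written (no NUL). */
static size_t widen(wc16 *dst, size_t cap, const char *src)
{
    size_t n = 0;
    while (src[n] != '\0' && n + 1 < cap) {
        dst[n] = (wc16)(unsigned char)src[n];
        n++;
    }
    dst[n] = 0;
    return n;
}

/* Quote-aware tokenizer that works IN PLACE: a quoted argument is made
 * usable as a C string by overwriting its closing quote with NUL. This is
 * an assumed model of the parser, chosen because it reproduces the layout
 * in the post's db dump. Unquoted arguments are left untouched. */
static size_t tokenize_in_place(wc16 *s, size_t units, arg16 *argv, size_t max_args)
{
    size_t argc = 0, i = 0;
    while (i < units && argc < max_args) {
        while (i < units && s[i] == ' ') i++;           /* skip separators */
        if (i >= units) break;
        size_t start;
        if (s[i] == '"') {
            start = ++i;                                 /* token begins after the quote */
            while (i < units && s[i] != '"') i++;
            argv[argc].start = &s[start];
            argv[argc].units = i - start;
            if (i < units) s[i++] = 0;                   /* closing quote -> NUL */
        } else {
            start = i;
            while (i < units && s[i] != ' ') i++;
            argv[argc].start = &s[start];
            argv[argc].units = i - start;
        }
        argc++;
    }
    return argc;
}

/* What a C-string reader (du, !ustr, anything scanning to the first NUL)
 * believes the length is. */
static size_t cstring_units(const wc16 *s)
{
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Forensic reader: trust Length, not the first NUL. Renders the buffer as
 * ASCII with every embedded NUL shown as '|'; returns the NUL count. */
static size_t render_full(const ustring16 *u, char *out, size_t cap)
{
    size_t units = u->length_bytes / sizeof(wc16), nuls = 0, o = 0;
    for (size_t i = 0; i < units && o + 1 < cap; i++) {
        wc16 c = u->buffer[i];
        if (c == 0) { out[o++] = '|'; nuls++; }
        else        out[o++] = (c < 0x80) ? (char)c : '?';
    }
    out[o] = '\0';
    return nuls;
}

typedef struct {
    size_t argc, visible_units, total_units, embedded_nuls;
    char   rendered[256];
} demo_result;

/* Parse the command line the way the process would, then compare the two
 * readers against the resulting buffer. */
static demo_result run_demo(const char *cmdline_ascii)
{
    wc16 buf[256];
    arg16 argv[8];
    demo_result r;
    memset(&r, 0, sizeof r);

    size_t units = widen(buf, sizeof buf / sizeof buf[0], cmdline_ascii);
    ustring16 u = { (uint16_t)(units * sizeof(wc16)), buf };

    r.argc          = tokenize_in_place(buf, units, argv, 8);
    r.visible_units = cstring_units(buf);
    r.total_units   = u.length_bytes / sizeof(wc16);
    r.embedded_nuls = render_full(&u, r.rendered, sizeof r.rendered);
    return r;
}

int main(void)
{
    demo_result r = run_demo(SAMPLE_CMDLINE);
    printf("arguments parsed      : %zu\n", r.argc);
    printf("units a NUL scan sees : %zu\n", r.visible_units);
    printf("units per Length field: %zu\n", r.total_units);
    printf("full buffer (| = NUL) : %s\n", r.rendered);
    return 0;
}
```

For incident response the point is the reader, not the parser: when recovering a process's command line from a PEB or a memory dump, walk UNICODE_STRING.Length (or the raw bytes, as db does) rather than stopping at the first NUL, because a process that has already parsed its arguments may have planted terminators inside the buffer, and a NUL-scanning tool will then report a truncated command line that looks like a different invocation.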
deroko
May 29th, 2007, 11:27
Quote:
[Originally Posted by blurcode;65951]Symantec Updates Cause Chaos in China:
http://it.slashdot.org/article.pl?sid=07/05/19/1427240&from=rss |
haha best protection -> stop user from using computer
blurcode
June 8th, 2007, 13:13
Ok this is ... strange
http://www.flexispy.com/remove-fsecure-malware.htm
deroko
June 9th, 2007, 08:14
in fact AVs sometimes really act like malware.
Who gave the right to kav, mcafee and symantec to bsod my system when softice is active? Who gave them the right to hook almost every single procedure in ntoskrnl.exe? can't wait to see how they will deal with patch guard... tnx God that MS is finally protecting users from such lame products.
disavowed
June 9th, 2007, 12:21
Quote:
[Originally Posted by deroko;66273]Who gave the right to KAV, McAfee and Symantec to BSOD my system when SoftICE is active? Who gave them the right to hook almost every single procedure in ntoskrnl.exe? |
You did, when you accepted their EULAs.
deroko
June 9th, 2007, 13:19
Nope, they didn't say anything about hooking and making my system unstable.
Quote from the EULA:
Quote:
You shall not decompile, reverse engineer, disassemble
|
I didn't, but my system still gets a BSOD.
disavowed
June 11th, 2007, 00:15
Would you mind pasting the EULA into this thread? (yes, I'm serious)
blurcode
June 11th, 2007, 03:54
Part of the License Agreement for the antivirus software I use:
Quote:
3. Limited Warranty:
<<NAME OF COMPANY>> warrants that the media on which the Software is distributed will be free from defects for a period of thirty (30) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that <<NAME OF COMPANY>> will, at its option, replace any defective media returned to <<NAME OF COMPANY>> within the warranty period or refund the money You paid for the Software. <<NAME OF COMPANY>> does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.
4. Disclaimer of Damages:
SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL <<NAME OF COMPANY>> BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF <<NAME OF COMPANY>> HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO CASE SHALL <<NAME OF COMPANY>>’S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.
|
I think it is very clear. Of course, depending on the laws of your country, you can sue them for the BSOD you get
(and this is another story)
Maximus
June 11th, 2007, 07:35
Nope.
You missed the real point. The red sentence is the additional mitigation clause that is used whenever the total mitigation clause cannot be applied. It is needed because invalidating the mitigation part of the license might leave the licensor exposed.
Let me translate in short:
Whatever happens to you and your PC, you are responsible for whatever happens. Your PC blows up? You are responsible. Do they know it might blow up? You are responsible, even if they delayed the patch.
To date, to sue a software producer the user must prove that it cannot work in (almost) every circumstance, and that this was done (almost) intentionally or with a great, great/total absence of effort or care.
To be fair, you use commercial software exactly as you use free software: AS IS.
Cool, eh?
Sorry Deroko, EULAs are made to prevent any responsibility of the software producer against any type of juridical action. Some even add personal injuries (I'm sure this is in the M$ license; I cannot imagine monitoring software that used the "stable" '98, lol, better to use an abacus).
deroko
June 11th, 2007, 07:54
disavowed, you may download the KAV trial and read the EULA. You will see that it doesn't mention anything about hooking the Windows core. Now tell me who gave them the right to hook ntoskrnl/ntkrnlpa/ntkrnlmp? Because I didn't by accepting the EULA.
blurcode, I don't care about the BSOD; when something BSODs my system I simply send it to the recycle bin

maximus, I don't care about damage, I'm just curious who gave them the right to hook my system. Where is that in the EULA?
Silver
June 11th, 2007, 08:10
Quote:
[Originally Posted by deroko;66311]disavowed, you may download the KAV trial and read the EULA. You will see that it doesn't mention anything about hooking the Windows core. Now tell me who gave them the right to hook ntoskrnl/ntkrnlpa/ntkrnlmp? Because I didn't by accepting the EULA.
blurcode, I don't care about the BSOD; when something BSODs my system I simply send it to the recycle bin
maximus, I don't care about damage, I'm just curious who gave them the right to hook my system. Where is that in the EULA? |
EULAs are written on legal principles. The laws in most countries lag behind technology by 10, 20, 30 years. In Europe, there is a copyright law that directly contravenes a disability discrimination law. It's the one that allows Adobe to prevent the use of screen readers (for blind people) with PDFs.
blabberer
June 11th, 2007, 10:42
I guess a lawyer reading this will incorporate a "we can hook" clause in the next EULA in the near future, if there isn't one already.

deroko
June 11th, 2007, 12:34
Nope, there is no such statement in existing EULAs, so yes, if they want to hook they had better put that into their EULA.
disavowed
June 13th, 2007, 00:23
Quote:
[Originally Posted by deroko;66311]You will see that it doesn't mention anything about hooking the Windows core. Now tell me who gave them the right to hook ntoskrnl/ntkrnlpa/ntkrnlmp? Because I didn't by accepting the EULA. |
You also didn't give them explicit permission to use the EAX register on your processor, but I'm sure they're doing that as well.
If the hooking bothers you so much then get a lawyer and sue.
deroko
June 13th, 2007, 12:29
That's all I wanted to know. No one gave them the right to hook.
blabberer
June 14th, 2007, 12:42
OK, someone might remember the dig about Symantec using regedit and why I thought there was a bug.
On an unrelated note, I was tweaking something and happened to read about
setting services as interactive with the logged-on user in a CodeProject article.
I didn't need to download that article; I knew I could implement what he was talking about from the command line.
Now, there is a nice additional utility in XP called sc.exe.
If you ever use it you will find it's awesome crap.
So I just did Start -> cmd:
sc config ccPwdSvc type= own type= interact (the interact bit is from CodeProject; it was in hex as regkey.value | 256)
and rebooted.
Voilà, I see the hidden message box
that's sitting there waiting for someone from Symantec to come to my PC and click OK on it.
And the call stack:
Code:
0006FA40 ]0006FA60
0006FA44 |77D70989 RETURN to USER32.MessageBoxExW+19 from USER32.MessageBoxTimeoutW
0006FA48 |00000000
0006FA4C |00095500 UNICODE "Cannot export C:\Program Files\Common Files\Symantec Shared\CommonClient.dat: Error opening the file"
0006FA50 |0006FE98 UNICODE "Registry Editor"
0006FA54 |00010010 UNICODE "PROFILE=C:\Documents and Settings\All Users"
0006FA58 |00000000
0006FA5C |FFFFFFFF <<<< ----- timeout is infinite

0006FA60 ]0006FF3C
Funny, at least.
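An added example, not code from the thread or from any vendor: a PowerShell audit of which services carry the interactive bit that the `sc config ... type= interact` command above sets. It reads each service's Type value from the standard registry location and decodes the 0x10 (own process) and 0x100 (interactive, the "| 256") flags; the output columns are my own choice.

```powershell
# Added example, not from the thread: list services whose Type value carries the
# SERVICE_INTERACTIVE_PROCESS bit (0x100), the "| 256" that `sc config ... type= interact` sets.
$SERVICE_WIN32_OWN_PROCESS   = 0x10    # sc's "type= own"
$SERVICE_INTERACTIVE_PROCESS = 0x100   # sc's "type= interact"

$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props.Type) { return }          # subkeys without a Type are not services
    [pscustomobject]@{
        Service     = $_.PSChildName
        Type        = '0x{0:X}' -f $props.Type
        OwnProcess  = [bool]($props.Type -band $SERVICE_WIN32_OWN_PROCESS)
        Interactive = [bool]($props.Type -band $SERVICE_INTERACTIVE_PROCESS)
        ImagePath   = $props.ImagePath
    }
}

# Interactive services are the only ones whose dialogs, like the message box above,
# are allowed onto a desktop at all; any other service's MessageBox waits unseen.
$services | Where-Object Interactive | Format-Table Service, Type, OwnProcess, ImagePath -AutoSize
```

On Vista and later, session 0 isolation means an interactive service's dialog appears in session 0 rather than on the logged-on user's desktop, so the flag no longer makes such a message box visible; an infinite-timeout MessageBox from a service still hangs that thread.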
blurcode
June 14th, 2007, 15:12
Cool, but the error message is from regedit.exe, right? Bad, bad Microsoft didn't know that Symantec would use Registry Editor this way; the next version of Windows will fix this error
PS: You can also make a service interact with the desktop through Service Manager. (Also notice the name of the service. I suppose bad coding is spreading like a virus.)
nikolatesla20
July 28th, 2007, 07:55
Hmm, looks like they are using the export command of regedit to get a dat file that they can either read from that point, or use to compare against last time. I don't see anything wrong with it... except when it doesn't work like this and hangs forever :P
-nt20