posted by LaminatorX on Tuesday August 05 2014, @05:17AM
from the Mick-Dundee-mode:-THAT'S-an-infection dept.

Antivirus doesn't stand a chance [because] there's nothing for it to scan

Researchers have detailed a rare form of Windows malware that maintains infection on machines and steals data without installing files.

The malware resides in the computer registry only and is therefore not easy to detect.

[Its] code reaches machines through a malicious Microsoft Word document before creating a hidden encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Windows binary.

"All activities are stored in the registry. No file is ever created," Rascagneres said in a post.

"So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot.

"To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reaches the customer's email inbox."

Windows Regedit cannot read or open the non-ASCII key entry. Rascagneres likened the feature set to a Matryoshka doll because of its layered, 'stacked' execution of code, each stage unpacking and running the next.

The non-ASCII trick is a tool Microsoft uses to hide its source code from being copied, but the feature was later cracked.

Security kit can alternatively detect the software exploit, or as a final step monitor the registry for unusual behaviour, he said.

  • (Score: 5, Insightful) by evilviper on Tuesday August 05 2014, @05:41AM

    by evilviper (1760) on Tuesday August 05 2014, @05:41AM (#77486) Homepage Journal

    Antivirus doesn't stand a chance [because] there's nothing for it to scan [...] [Its] code reaches machines through a malicious Microsoft Word document

    That sounds like something for AV to scan...

    The malware resides in the computer registry only and is therefore not easy to detect.

    Every time I run Spybot, it finds and deletes potentially malicious registry entries.

    "So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot.

    "Classic techniques" as in what AV software for MS-DOS did... before the registry existed.

    "To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox."

    That's how it has always worked. If you allow the user to run infected files, your system will be horribly rootkit'd and/or your AV crippled or entirely disabled.

    --
    Hydrogen cyanide is a delicious and necessary part of the human diet.
    • (Score: 2, Flamebait) by Hairyfeet on Tuesday August 05 2014, @06:39AM

      by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Tuesday August 05 2014, @06:39AM (#77498) Journal

      What I love is for a good 99.95% of these "exploits" to work you HAVE to have the user do something REALLY FUCKING STUPID. I don't just mean a little dumb, I mean full pants on head supertard that frankly would never work IRL. I mean seriously who is gonna just open a random Word doc from somebody they've never heard of? And how would it even GET to them as every email provider has scanned attachments for...what like 12+ years now? So I have to call bullshit on this one as I've seen just about every nasty one can get working at the PC shop but I have to say I haven't seen infected Word docs be the source of an infection since the days of Windows ME. The email providers killed that shit after the whole code red/netsky bit, it's just not a good attack vector anymore.

      BTW if anybody is curious what the big attack vector is now? It's the same as it has been for awhile and something I've bitched about for ages...stupid fucking JavaScript. We should find the guy who thought that running code from unknown places on a browser was a good idea and beat his ass because that is what I see over and over, from "The FBI Porn Bug" to the "firefox Yahoo mail spam trick" they all start with stupid JavaScript running shit that it shouldn't. This is why I recommend the free Comodo IS, because I have yet to see a JavaScript nasty get out of the sandbox browsers run in by default in CIS.

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
      • (Score: 5, Insightful) by evilviper on Tuesday August 05 2014, @07:20AM

        by evilviper (1760) on Tuesday August 05 2014, @07:20AM (#77505) Homepage Journal

        I mean seriously who is gonna just open a random Word doc from somebody they've never heard of?

        Anybody whose job involves them getting such e-mailed documents/attachments from all across the company all the time. Blaming users is foolish, when bad technology makes this far, far too easy.

        And how would it even GET to them as every email provider has scanned attachments for...what like 12+ years now?

        Malware gets ultra trivial modifications on an hourly basis, spreads through networks for days, before anti-malware providers notice, and send out updated definitions to catch it. It slips through e-mail constantly.

        --
        Hydrogen cyanide is a delicious and necessary part of the human diet.
        • (Score: 4, Insightful) by elgrantrolo on Tuesday August 05 2014, @08:35AM

          by elgrantrolo (1903) on Tuesday August 05 2014, @08:35AM (#77517) Journal

          Q: I mean seriously who is gonna just open a random Word doc from somebody they've never heard of?

          A: Anybody whose job involves them getting such e-mailed documents/attachments from all across the company all the time. Blaming users is foolish, when bad technology makes this far, far too easy.

          Amen! Even if we disregard the possibility of opening an attachment by mistake, there are office based people getting documents from countless sources. All it takes is the sender spoofing the name and Joe User will probably open an email and attachments sent from the *wrong* Jane Smith thinking it's a legitimate source.

          I am not too keen on email for internal communications and think that Yammer and SharePoint (or similar) should be the normal ways to share files in and across teams. That may help with this attack vector but let's not forget that there's a lot of inbound/outbound communication that will never be practical with anything other than email.

        • (Score: 3, Insightful) by epitaxial on Tuesday August 05 2014, @12:43PM

          by epitaxial (3165) on Tuesday August 05 2014, @12:43PM (#77570)

          A few years ago I was at work and looking for a source for high pressure mercury vapor lamps. Found a link on google to a pdf file that looked exactly like a spec sheet. Turned out it was a pdf full of keywords and also an exploit. Took a few hours to get that mess cleaned up.

        • (Score: 1, Flamebait) by Hairyfeet on Tuesday August 05 2014, @06:36PM

          by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Tuesday August 05 2014, @06:36PM (#77695) Journal

          Then your IT is a mountain of fail and SHOULD BE FIRED ASAP because they aren't doing their fucking jobs! If I'd have EVAR let a virus infected .doc into my network they wouldn't have had to fire me, I'd have left from the shame of being soooo damned incompetent. We've had heuristics and sandboxing for HOW many years now? Frankly they should never leave the network storage, that is fuckup #1, and #2 they should have already been run through the wringer so that anything that could possibly be infected should have already been caught and trashed.

          I mean look at some of the dumb shit below you "I downloaded and ran a .PDF, turned out to be a bug, herpa derp"...that isn't his fault, that is IT DEPT FAILING to have even a tiny bit of fricking security on their network! If THIS is what passes for competent IT these days? Then thank Christ I got out of corp work, I knew the race to the bottom would turn IT to shit but I didn't realize it would turn into Bangalore help desk levels of shit THIS quickly. Christ what badly run companies!

          --
          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
          • (Score: 2) by evilviper on Tuesday August 05 2014, @07:05PM

            by evilviper (1760) on Tuesday August 05 2014, @07:05PM (#77710) Homepage Journal

            We've had heuristics and sandboxing for HOW many years now?

            Those writing (and modifying) the viruses can test it against all the various AV programs quite quickly and easily. They will keep (self-) modifying and self-encrypting, until none of the scanners pick it up, even with their most aggressive heuristics settings. Only then will the next iteration get blasted out to another million potential victims.

            I knew the race to the bottom would turn IT to shit

            There are two sides to every arms race. When good malware defenses become common, malware has to grow more sophisticated to get around them, and so it has. Obviously more sophisticated than you can imagine.

            --
            Hydrogen cyanide is a delicious and necessary part of the human diet.
      • (Score: 3, Informative) by Arik on Tuesday August 05 2014, @02:58PM

        by Arik (4543) on Tuesday August 05 2014, @02:58PM (#77610) Journal
        You're right on about the javascript but not the rest.

        The idea you could get a virus from simply opening an email was an urban myth at first. The boneheadedly stupid decision to parse javascript in *emails* in Outlook is what made it reality.

        You SHOULD be able to open your email, and opened attached documents, with no worry of infection. This sort of thing SHOULD be technically impossible. Emails are flat text and any scripts they contain should be displayed as text, not parsed and run invisibly. And document files with embedded executable content are a similar abomination.

        These are all threats created, not by sloppiness, not by a misplaced parenthesis or a buffer overflow, but by defective design.
        --
        If laughter is the best medicine, who are the best doctors?
        • (Score: 2) by Hairyfeet on Wednesday August 06 2014, @12:43AM

          by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Wednesday August 06 2014, @12:43AM (#77837) Journal

          If the IT dept was doing their damned jobs you COULD open your email without fear! Scraping text from docs is NOT hard and any attempt by the writer on the other end to block this (such as putting the doc in a locked zip) should let you know that it's malware and should be automatically sent to file 13.

          --
          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
          • (Score: 1) by Arik on Thursday August 07 2014, @03:20PM

            by Arik (4543) on Thursday August 07 2014, @03:20PM (#78457) Journal
            Why should each IT department have to reinvent the wheel filtering this junk out?

            In a sane email client it's all inert anyway.
            --
            If laughter is the best medicine, who are the best doctors?
      • (Score: 2) by cafebabe on Wednesday August 06 2014, @04:47PM

        by cafebabe (894) on Wednesday August 06 2014, @04:47PM (#78093) Journal

        What I love is for a good 99.95% of these "exploits" to work you HAVE to have the user do something REALLY FUCKING STUPID. I don't just mean a little dumb, I mean full pants on head supertard that frankly would never work IRL. I mean seriously who is gonna just open a random Word doc from somebody they've never heard of?

        I could make the same argument about enabling macros by default. When most users don't understand the tab key, macros are an unnecessary burden. Even for power users, macros should be enabled after installation. Dangerous defaults are well understood and macros are well understood to be dangerous in the context of being able to copy themselves between documents, insert rude words, enumerate address books, edit registry settings [microsoft.com] and other functions.

        Opening a text document, from any source, shouldn't open anyone to ridicule. I believe your expectations have been skewed and/or you are a Microsoft apologist. To everyone else: I apologize for ad hominem argument but after being included in the set of "full pants on head supertards", I believe it is justified.

        Regarding Microsoft Word documents and JavaScript, I hoped that your opinions on the deliberate mixing of code and data would be consistent in both contexts.

        --
        1702845791×2
        • (Score: 2) by Hairyfeet on Thursday August 07 2014, @12:36AM

          by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Thursday August 07 2014, @12:36AM (#78266) Journal

          Noo I'm no MSFT apologist, in fact I would argue that ACLs beat the primitive R/W/E design of FOSS by leaps and bounds. No I'm used to both being a competent admin and dealing with competent admins, which reading for the other posts is sadly becoming as rare as a helpdesk worker who speaks English as a first language.

          I mean letting users just download email attachments from anywhere? NO SCANS or heuristic checks or anything? WTF people? Is this IT by Mickey D or what? One guy just downloaded a random PDF from the web, apparently had NO virus scanner or anything, oh and to top it off he had ADMIN rights? Jesus Tap Dancing Christ if I walked in and found out my IT guys had allowed shit THAT tarded to happen on my network? They'd be looking for a job before the hour was up!

          Let me make something PERFECTLY CLEAR...there is NOTHING, I repeat NOTHING wrong with either Word or Outlook! They have an extensive set of tools that let you make the security as coarse or fine as you could ever want...but if your IT dept is either too lazy or too dumb to use the tools that have been handed to them? Well only God can fix stupid, not a damned thing MSFT can do about that. Oh and FYI but LibreOffice has a scripting language too and last I checked it too will run BASE scripting with no user prompting, so FOSS won't save you from stupid either.

          --
          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
          • (Score: 2) by urza9814 on Thursday August 07 2014, @01:07AM

            by urza9814 (3954) on Thursday August 07 2014, @01:07AM (#78273) Journal

            Correct me if I'm wrong, but your argument seems to be this:

            In Microsoft's document format (.doc[a-z]?) it's IT's job to lock it down and keep everything secure; the fact that it lets arbitrary code execute by default is perfectly fine.

            In standards-based document formats (.html/.js) it's not IT's job to lock it down and keep everything secure; the standard shouldn't allow arbitrary code to execute by default.

            So why is it OK when Microsoft makes the decision, but not OK when the W3C makes *the same decision*?

            BOTH are completely fucking moronic, and both should be called out for it.

            • (Score: 2) by Hairyfeet on Thursday August 07 2014, @11:51AM

              by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Thursday August 07 2014, @11:51AM (#78377) Journal

              So I'M not allowed to have it because YOU or your IT dept is too lazy to use a tool properly? Better ban forks while you are at it, you might put an eye out!

              You have ACLs, you have GPOs, and you have OS permissions...now if you simply REFUSE to use ANY of those tools given to you how EXACTLY is that MSFT's fault? Are you gonna argue next that it's MSFT's fault if you get a virus since after all they DID give you the option of running as admin?

              It's a tool, you either use it correctly or you don't, you can't babyproof the world. If one can't even use the tools they are given properly perhaps they shouldn't use those tools? After all there is a 100% free Word Viewer offered by MSFT that does just that, view Word files. Again do you blame LibreOffice for having scripting enabled by default?

              As for the W3C that is VERY simple, they took a language designed to show a document and bolted OS functionality on it. I was one of the first to point out how fucking stupid ActiveX was but MSFT was smart enough to realize they fucked up and dump that shit, W3C doesn't have that foresight.

              --
              ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
              • (Score: 2) by urza9814 on Friday August 08 2014, @11:03PM

                by urza9814 (3954) on Friday August 08 2014, @11:03PM (#79154) Journal

                So I'M not allowed to have it because YOU or your IT dept is too lazy to use a tool properly? Better ban forks while you are at it, you might put an eye out!

                That's not at all what I said.

                As for the W3C that is VERY simple, they took a language designed to show a document and bolted OS functionality on it. I was one of the first to point out how fucking stupid ActiveX was but MSFT was smart enough to realize they fucked up and dump that shit, W3C doesn't have that foresight.

                .doc is ALSO a format designed to show a document, with OS functionality bolted on.

                Let me rephrase my argument in a way you might understand:

                So I'M not allowed to have [Javascript] because YOU or your IT dept is too lazy to use a tool properly? Better ban forks while you are at it, you might put an eye out!

                Point being -- it's just as easy for your IT dept to disable Javascript as it is for them to disable Word macros. So again, why bash Javascript but not macros? They're damn near the same functionality, both bolted on to a document display format, both enabled by default, and both can be easily disabled by any marginally competent sys admin.

          • (Score: 2) by cafebabe on Thursday August 07 2014, @05:29AM

            by cafebabe (894) on Thursday August 07 2014, @05:29AM (#78320) Journal

            I agree with your view regarding the cautious use of privileged accounts even if this is a poor substitute for a full capability based operating system.

            I disagree with your views regarding file permissions, attachment scanning and dangerous defaults.

            I would be curious to know where ACLs are required. Unix permissions have subtleties which allow large subsystems to be carved almost out of nothing. For example, mail spools, UseNet spools, print spools, databases and web servers. It also allows collaborative working to occur in a fairly secure manner. For example, branches of CVS can be restricted to different groups of users.

            Regarding attachment scanning, I don't see it as an unreasonable expectation to download a document and look at it without incurring virulent, self-replicating code. Unless your scanner solves the halting problem [wikipedia.org] or knows every place where malware can hide, you have incomplete coverage. A more sensible solution is to not run code.

            Let me make something PERFECTLY CLEAR...there is NOTHING, I repeat NOTHING wrong with either Word or Outlook! They have an extensive set of tools that let you make the security as coarse or fine as you could ever want...but if your IT dept is either too lazy or too dumb to use the tools that have been handed to them? Well only God can fix stupid, not a damned thing MSFT can do about that. Oh and FYI but LibreOffice has a scripting language too and last I checked it too will run BASE scripting with no user prompting, so FOSS won't save you from stupid either.

            You had me worried about my settings for a moment. My configuration allows trusted signed macros to run without intervention. However, I appear to have no certificates installed. In the unlikely event that I require a certificate to be installed, I am confident that no further changes to the configuration are required. This is a sensible default. Regarding your configuration, I recommend that you contact your vendor to ensure that your applications are distributed without dangerous defaults. Unfortunately, your vendor has ignored such requests for approximately 20 years and is likely to continue distribution of poorly configured software. As a secondary line of defense, I recommend that you disable all macros by default. Unfortunately, this may not protect you from BMPs, JPGs, PDFs, SWFs or indeed anything with text or pixels. Actually, how do you cope? As a Windows administrator, do you live in constant fear?

            --
            1702845791×2
            • (Score: 2) by Hairyfeet on Thursday August 07 2014, @12:10PM

              by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Thursday August 07 2014, @12:10PM (#78380) Journal

              Oh please! Unless you trust the NSA with SELinux then Linux and their R/W/E is a bad joke. Perhaps you should read about ACLs [microsoft.com] and how they work. This is an old page because it gets much more fine grained from here, wouldn't want to go info overload on you.

              And you can make smarmy all you want, won't change the fact that Linux is as dead as BeOS. It's at 1%, been at 1% for 20 years, wanna guess where it'll be in 5 years? 1%. Nobody wants it, if anybody wanted to infect it it would be trivial [geekzone.co.nz] using the same trick they use on Windows but its just not big enough to even bother with. Oh and before you start talking about Android you might want to know it passed a million infections last year [techworld.com] proving once again that Linux's much vaunted "security" is security by obscurity. Hell even kernel.org was pwned [slashdot.org] and that was not a fluke [slashdot.org] by any means [theregister.co.uk].

              So sorry I had to burst your bubble, nothing magical about Linux, it's just soo teeny tiny most crooks won't bother. Nothing wrong with the tools MSFT makes, I have systems half a decade old in the field right now with ZERO infections. I had systems over a decade but I moved them all to Win 7 for XP hit EOL. Come back in 6 years and I'm sure those Win 7 systems will be pushing the decade mark, again perfectly fine while running MS Office and having Internet access. Of course I don't have my users running as admins and actually use the tools given to me, surprising what a difference that makes.

              --
              ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
              • (Score: 2) by cafebabe on Thursday August 07 2014, @06:48PM

                by cafebabe (894) on Thursday August 07 2014, @06:48PM (#78556) Journal

                I looked at Microsoft ACLs and the Unix heritage remains apparent. From the reference you gave me, it appears that the GUI MMC is used to maintain ACLs (subdivided into DACLs and SACLs) which consist of an ordered list of ACEs for SIDs and groups sourced from four (or more?) places. However, the GUI MMC doesn't work over SMB, so the CLI has to be used instead. Thankfully, both work with the TPS report system. Is this correct?

                The ACL system faithfully implements Unix's conflated directory traverse/file execute privilege. This would be acceptable and secure in isolation. However, instead of implementing Unix umasks, the ACL system has a system of privilege inheritance. Therefore, any enumerable directory may contain executable files. This is dangerous. There appears to be a second line of defence in which execution privileges may be restricted. This is not failsafe and is therefore dangerous. Furthermore, classes of users (legacy users, power users, wheel accounts) are exempt from the restriction. This is also dangerous.

                Regardless, I specifically asked for one of your use cases which was not satisfied by Unix permissions and none has been forthcoming.

                You are being disingenuous regarding a conflation of Unix, Linux and distributions (of which Android is one branch). There is also the matter of what is or is not a fully-fledged computer. Personally, I find it intolerable to use a computer in which I do not have:-

                1. Root access to the computer.
                2. A meaningful method by which I can modify the operating system and applications.
                3. A compiler.
                4. An interpreter which can be used meaningfully from CLI. (JavaScript in a web browser does not count. Nor does a macro language within GUI application.)

                By this definition, the average ADSL router comes closer than the average Windows desktop. Regardless, various commentators have noted that users do not truly own a system unless they have root access and can make meaningful changes to the data *and* code of the system. Phones are a pernicious case in which network providers wish to minimize bandwidth and support costs while maximizing the number of users. While I appreciate both sides of the argument, we have the situation in which when something malicious gets through, users don't have privileges to undo.

                If we were to devise a hierarchy of undesirable computer behaviour, the ability to undo would be a significant factor:-

                • Denial of service attack, no data stolen [xkcd.com]: No action required to undo.
                • Wikipedia being trolled: Click to rollback changes. Some useful changes may be lost.
                • kernel.org being hacked: Restore from backup. Useful changes may require re-submission. Some kernels may require re-compilation.
                • CryptoLocker: Restore from backup or pay the ransom.
                • Your second [soylentnews.org] favorite [soylentnews.org] company, Comodo, being hacked: Repudiate certificate if functionality exists or remove certificate from millions of web browser installations and re-issue millions of SSL certificates. Actually, I don't remember that happening [eff.org] which means Comodo's certificates aren't reputable [wikipedia.org]. Furthermore, the certificate revocation scheme implemented in response to Comodo's breach doesn't work [imperialviolet.org]. (Apologies for the reference which is ironically served via the affected Comodo certificate.)
                • Unauthorized copying of personal information or secret information: No undo.

                What are the major causes of the most inconvenient failures?

                • Buffer overflows.
                • Execution of untrusted code.
                • Elevated privileges.

                These causes are only weakly related to market share or user/administrator competence. They are unavoidable fundamentals and closed source software has the worst record because the delay for fixes is worst. Some open source advocates don't like having to go through code to make emergency fixes. However, the alternative is complete impotence. What are you supposed to do? Switch off your computers until whatever-it-is-called Tuesday [soylentnews.org] comes around? Or maybe the next one? Or maybe the one after? (Keep buying the licences and we might fix stuff!) Meanwhile, your competitors have a patch in place and are competing more effectively than you. Patching your own code deployments isn't ideal but it sure beats hoping someone else will do it in a reasonable timescale, if ever.

                I dispute your desktop deployment figures (and find this focus disingenuous) because it is easy to do mass installs of open source software. I've helped ex-colleagues install Linux on 160 laptops. However, given that none of them required licence keys, that was only one download. Schools and government departments are making a similarly low impression. It is a similar matter for cluster computing where thousands of cores are installed from one copy of BSD [freebsd.org] or Linux.

                However, if you don't like using Linux then please don't access SoylentNews [soylentnews.org], SlashDot, Reddit, EBay, Google, Facebook, Instagram, Amazon, NetFlix, LoveFilm, Uber or almost anything else available via a web browser or centralized app.

                If you don't like using Unix then please don't access Yahoo, use a landline or telephone 97% of smartphone users. Actually, if you don't like using Unix, don't use any telephone company.

                If you don't like companies which use Unix for a substantial part of their business then please stop taking any brand name medication, stop driving, stop reading newspapers and magazines and stop watching television and films. You can, however, continue listening to music but that's not a particularly profitable business [salon.com].

                Finally, given that the average time to Windows infection [sans.edu] is four minutes [chron.com] (less than the time it takes to fetch updates), most Windows users have only been able to get onto the Internet because they're behind Linux firewalls. Anyhow, if you don't like using Linux, please get off the Internet.

    • (Score: 4, Informative) by Dunbal on Tuesday August 05 2014, @09:08AM

      by Dunbal (3515) on Tuesday August 05 2014, @09:08AM (#77523)

      Maybe if you had actually read the summary, you'd understand.

      "Every time I run Spybot, it finds and deletes potentially malicious registry entries."

      Except this is not a registry entry at all. It hides as a non-ASCII entry that you or your Spybot will never see but Windows will - because an undocumented feature of Windows is treating some non-ASCII, unreadable entries as commands from Microsoft.

    • (Score: 2) by FatPhil on Tuesday August 05 2014, @09:03PM

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Tuesday August 05 2014, @09:03PM (#77750) Homepage
      And don't forget that "When security researchers talk about malware, they usually refer to files stored on a computer system"

      Sounds like someone is deliberately forgetting about boot sector (or bootloader, more recently) viruses.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2) by acharax on Tuesday August 05 2014, @05:42AM

    by acharax (4264) on Tuesday August 05 2014, @05:42AM (#77488)

    The method sounds interesting but it's not very threatening, any half-decent HIPS (or AV with enabled heuristics) will ask the user for permission before new autostart entries can be written (assuming of course the user didn't whitelist whatever Word does beforehand). Further, it is wrong to say this doesn't use files, the registry hives themselves are files.

  • (Score: 5, Insightful) by aristarchus on Tuesday August 05 2014, @05:46AM

    by aristarchus (2645) on Tuesday August 05 2014, @05:46AM (#77489) Journal

    Windows virus, leaves no files, no registry settings, totally undetectable . . .. I got it! It's Windows! The operating system is the virus! There are so many levels of cool to this! I mean, what kind of criminal mastermind could come up with such a nefarious ploy? And not monologue about it? (This comes from experience with my favorite Windows error message: "There has been an undetectable error in your system." Love that, undetectable error! Are you sure? Maybe it is just yourself pulling your own finger? How could one detect an undetectable error, anyway? Oh crap, I am fading off into off-topic territory, or would be if Windows could tell. . . . )

    • (Score: 2, Interesting) by ThG on Tuesday August 05 2014, @07:51AM

      by ThG (4568) on Tuesday August 05 2014, @07:51AM (#77509)
    • (Score: 2, Funny) by Anonymous Coward on Tuesday August 05 2014, @07:59AM

      by Anonymous Coward on Tuesday August 05 2014, @07:59AM (#77511)

      > This comes from experience with my favorite Windows error message: "There has been an undetectable error in your system." Love that, undetectable error! Are you sure?

      Well, it didn't detect an error, so it clearly wasn't a detectable error. Thus it must have been an undetectable error. You might now argue that there might not have been an error at all. But this is Windows we're speaking of. It is completely impossible that there was no error after it has run for some time. So if there was no detectable error, there must have been an undetectable one. ;-)

  • (Score: 2, Interesting) by Anonymous Coward on Tuesday August 05 2014, @06:15AM

    by Anonymous Coward on Tuesday August 05 2014, @06:15AM (#77496)
  • (Score: 2, Funny) by Anonymous Coward on Tuesday August 05 2014, @07:35AM

    by Anonymous Coward on Tuesday August 05 2014, @07:35AM (#77507)

    I name this a "computer prion".

  • (Score: 2) by wonkey_monkey on Tuesday August 05 2014, @08:55AM

    by wonkey_monkey (279) on Tuesday August 05 2014, @08:55AM (#77520) Homepage

    > Antivirus doesn't stand a chance [because] there's nothing for it to scan

    Well, except for the registry, which it can scan. Or the initial malicious Word doc, which it could also scan.

    > The malware resides in the computer registry only and is therefore not easy to detect.

    Sounds like it might be pretty easy to detect. You start by looking for new non-ASCII registry start-up entries...

    Is it me, or does this story amount to "new virus can't be detected yet" - much the same situation for any sufficiently novel virus?

    --
    systemd is Roko's Basilisk
    • (Score: 1, Informative) by Anonymous Coward on Tuesday August 05 2014, @01:22PM

      by Anonymous Coward on Tuesday August 05 2014, @01:22PM (#77585)

      > Well, except for the registry, which it can scan

      Or look for the 'boot' app that is reading the registry. Such as a docx file sitting in the run registry entry. Or an OLE container there...

      Can't scan the registry. Heh... Pull the other one :)

    • (Score: 2) by nightsky30 on Tuesday August 05 2014, @04:05PM

      by nightsky30 (1818) on Tuesday August 05 2014, @04:05PM (#77640)

      Exactly what I was thinking.

  • (Score: 4, Insightful) by Justin Case on Tuesday August 05 2014, @10:52AM

    by Justin Case (4239) on Tuesday August 05 2014, @10:52AM (#77542) Journal

    > All activities are stored in the registry. No file is ever created

    Despite what people think about Windows, it isn't raw magic. Anything that persists has to be written somewhere. The registry has to be written somewhere. So it is a file.

    This malware doesn't create its own file; it infects an existing file. Like viruses have been doing since computers were powered by coal.

    When someone displays such raw ignorance front and center, it makes it difficult for me to take anything else they say seriously.

    • (Score: 3, Interesting) by VLM on Tuesday August 05 2014, @11:23AM

      by VLM (445) on Tuesday August 05 2014, @11:23AM (#77548)

      I'm not saying this is the case in this example, but I wonder if you can hack the tokenizer or some kind of regex.

      So you've got hundreds of registry entries, all really boring and don't look weird by themselves. So a scan wouldn't think there's anything interesting. However if you try to run a tree traversal the buggy traverser or regex or parser has a buffer overflow.

      So a 100 deep tree and the deepest entry is UTF-8 crashes every time. Well a dumb scanner wouldn't be able to find structure in the tree, or wouldn't mind some UTF-8 (assuming windows is advanced enough to use UTF-8, I don't use that legacy stuff)

    • (Score: 3, Interesting) by bzipitidoo on Tuesday August 05 2014, @02:54PM

      by bzipitidoo (4388) on Tuesday August 05 2014, @02:54PM (#77608) Journal

      Introduced in Windows 95, the registry was a much criticized replacement for .ini files used in Windows 3.1 and earlier. MS thought they could keep users from screwing up configurations, and from committing piracy and breaking trivially easy DRM, by hiding the data that used to go into .ini files. They wanted to be better able to enforce the 30 or 60 or whatever day limit on trial software. There's hardly any decision that MS makes that they don't queer and conflate with DRM concerns. To them, "security" is more than security against malware, it's also security for them against those evil pirates, which means you, me, and everyone. They've released, and quickly backpedaled on versions of their Malicious Software Removal Tool that in addition to removing malware, they programmed to check for pirate copies of Windows and MS Office, something that no user asked for.

      A few false positives on Joe Officeworker's Office software was all it took to show what a bad idea that was. Even when the piracy check got it right, MS discovered that sometimes people had legitimate reasons for having pirated MS software. For instance, a hard drive with a legit installation of MS Office crashed in the middle of the day, and in order to get the user up and running as quick as possible, computer system maintenance slapped a pirate copy of MS Office on a new hard drive as a stopgap, until the correct licensing info could be found or obtained, something that might have to wait until the evening so as not to disrupt work any more than necessary.

      All the registry really did was add needless complexity. It quacks just like a file no matter how much MS tries to hide it. Any simple text editor worked on .ini files, no need for a specialized tool like regedit. The registry is totally security through obscurity.

      • (Score: 1) by acharax on Tuesday August 05 2014, @06:55PM

        by acharax (4264) on Tuesday August 05 2014, @06:55PM (#77707)

        The registry might've been a mess, but what it replaced wasn't any better. INI files were prone to race conditions and lacked an official specification (Microsoft apparently wasn't keen on having standards, even for their own nonsense). The registry itself is stored in basic files (ntuser.dat comes to mind for the current user's hive) but access to it is synchronized by the appropriate API (which can't be bypassed as easily as the old INI related API).

    • (Score: 2) by tangomargarine on Tuesday August 05 2014, @03:03PM

      by tangomargarine (667) on Tuesday August 05 2014, @03:03PM (#77613)

      Wikipedia says the registry is stored as a hierarchical database, which I could see the argument for not really being a "file" per se, but it must live in one.

      If you get down low enough, I suppose you could just write text to the disk somewhere that you could still access as long as the system knows where to look and how to read it. In that case it's not really a file since it doesn't have headers, right? E.g. old-school bootloaders, which just conform to a standardized layout where positions X bits from the start of the disk are assumed IIRC.

      But I'm just splitting hairs. You're correct for 99% of cases.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 5, Interesting) by PizzaRollPlinkett on Tuesday August 05 2014, @11:09AM

    by PizzaRollPlinkett (4512) on Tuesday August 05 2014, @11:09AM (#77546)

    So the registry is not Turing complete, it's just a value that causes a buffer overflow? Yes: "It then creates and executes shellcode and a payload Windows binary." So can't MS just fix the registry so the overflow does not happen?

    Back when Win95 introduced the registry, I was never comfortable with Windows depending on a binary garbage dump of settings in a tree format, and the fact that they gave it at least four roots (probably more now?) with duplicated trees made it worse. It's an inscrutable mess, and one big binary file that can easily be taken out. I've always preferred the UNIX .rc file approach, or even the horror of .INI files. At least you can edit text files if the OS is kaput, and they're much easier to back up. (Putting everything from most recently used lists for word processors to device driver information in the same binary file never made much sense.)

    Still, the bug is not in the registry as much as in a routine that reads values from the registry which ought to sanitize its input. I don't know why they'd trust the registry, since it's public and anyone can create entries. I wouldn't be surprised if the code that reads autostart entries goes back to Win95 before security was ever an issue. That's the trouble with closed source. Would be really interesting to know what routine had this problem. Maybe they're using scanf() or something.

    --
    (E-mail me if you want a pizza roll!)
    • (Score: 2) by NCommander on Tuesday August 05 2014, @03:32PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday August 05 2014, @03:32PM (#77626) Homepage Journal

      There is at least a partial justification on why Microsoft deprecated INI files for the registry on Raymond Chen's blog [msdn.com]. I disagree with most of his reasoning, but you can read part of the idea of why Windows migrated from INI files to the registry there.

      --
      Still always moving
      • (Score: 2) by PizzaRollPlinkett on Tuesday August 05 2014, @05:43PM

        by PizzaRollPlinkett (4512) on Tuesday August 05 2014, @05:43PM (#77678)

        That's a really interesting read, thanks! The only problem is the cure (registry) was much worse than the disease (INI files), and killed the patient. Too late now, hard to believe we're hitting the 20th anniversary of the registry - tempus fugit.

        Speaking of old timers, the registry is a hierarchical database similar to IMS. Seeing how it worked for the first time was a surreal experience. Did MS know it had reinvented IMS for a new generation, or did they reinvent the wheel? I would much rather they just used a relational database - you'd get everything the registry offers now plus a lot more sanity. But SQLite didn't exist back then, I don't think.

        --
        (E-mail me if you want a pizza roll!)
  • (Score: 2) by nightsky30 on Tuesday August 05 2014, @04:02PM

    by nightsky30 (1818) on Tuesday August 05 2014, @04:02PM (#77639)

    Can Spybot incorporate a new type of non-ASCII registry scan for the specific code snippet we need to locate? Can that be hashed vs a file?
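    wonkey_monkey's suggestion above (look for new non-ASCII registry start-up entries) and this question about hashing registry content both describe the same check, so here is an added example from the editor; it is not code from any commenter, from Spybot, or from Rascagneres's write-up. It flags autostart values whose names contain anything outside printable ASCII (the kind of name regedit will not display) and hashes the value data with SHA-256 so registry content can be matched against a hash list the way a file would be. The sample entries, the known-bad hash used in the usage line, the key list and the helper names are all constructed for this example; on Windows, `read_autostart_values` reads the real Run/RunOnce keys through the standard `winreg` module, elsewhere the constructed sample is scanned instead.

```python
"""Added example (editor's code, not from the thread): flag autostart registry
values with non-printable names and hash their data for known-bad matching."""
import hashlib
import sys

# Constructed sample (value_name, value_data) pairs in the shape a Run key yields.
# The second name starts with a NUL and a zero-width space: both invisible in a
# listing and neither inside printable ASCII. The data strings are placeholders.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("\x00\u200bupdater", r"C:\Users\alice\AppData\Roaming\placeholder.exe"),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

# Usual autostart locations (assumed list for the example; extend as needed).
AUTOSTART_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]


def is_suspicious_name(name: str) -> bool:
    """True if any character of the value name lies outside printable ASCII (0x20-0x7E)."""
    return any(not 0x20 <= ord(ch) <= 0x7E for ch in name)


def data_hash(data) -> str:
    """SHA-256 of the value data (REG_BINARY bytes, or the UTF-8 of a string value),
    so registry content can be compared against a hash list just like a file."""
    if isinstance(data, (bytes, bytearray)):
        raw = bytes(data)
    else:
        raw = str(data).encode("utf-8", "surrogatepass")
    return hashlib.sha256(raw).hexdigest()


def scan_values(values, known_bad_hashes=frozenset()):
    """Return one finding per value whose name is non-printable or whose data hash is known bad."""
    findings = []
    for name, data in values:
        digest = data_hash(data)
        reasons = []
        if is_suspicious_name(name):
            reasons.append("non-printable or non-ASCII value name")
        if digest in known_bad_hashes:
            reasons.append("data matches known-bad hash")
        if reasons:
            findings.append({
                "name": name,
                # Escaped form so the invisible characters are visible in a report.
                "name_escaped": name.encode("unicode_escape").decode("ascii"),
                "sha256": digest,
                "reasons": reasons,
            })
    return findings


def read_autostart_values():
    """Windows only: collect (name, data) pairs from the Run/RunOnce keys via winreg."""
    if sys.platform != "win32":
        return []
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    values = []
    for root, path in AUTOSTART_KEYS:
        try:
            key = winreg.OpenKey(roots[root], path)
        except OSError:
            continue  # key absent or not readable with the current rights
        with key:
            index = 0
            while True:
                try:
                    name, data, _value_type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                values.append((name, data))
                index += 1
    return values


if __name__ == "__main__":
    # Constructed known-bad entry: the hash of the third sample's data.
    known_bad = {data_hash(SAMPLE_RUN_VALUES[2][1])}
    values = read_autostart_values() or SAMPLE_RUN_VALUES
    for finding in scan_values(values, known_bad):
        print(finding["name_escaped"], finding["sha256"][:16], "; ".join(finding["reasons"]))
```

    The scan only sees what the Win32 enumeration API hands back, so a name that the API itself mangles or truncates still needs a separate check, such as comparing the value count the key reports against the names enumerated; the hash list is only as good as what feeds it, which is why the escaped name is reported alongside the digest.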

  • (Score: 0) by Anonymous Coward on Tuesday August 05 2014, @05:11PM

    by Anonymous Coward on Tuesday August 05 2014, @05:11PM (#77662)

    Next year's default octacore at 5 GHz will run ALL known viruses and trojans without batting an eyelid ... at the same time.