New Worm targets BlackICE vulnerability

F

FromTheRafters

Gabriele Neukam said:
On that special day, Axel Pettinger, ([email protected]) said...


Overwrites the first 64k of the defective dll, or of the hard disk?
Click to expand...

My guess is that it grabs nearby data in RAM to write to disk
(defective dll) It makes an API call and uses the return data in
some sort of algorthm to "ramdomize" its choosing of which
sector to write to. It is a "version dependency" because the
API call it uses in the randomizer routine yields no return in
some version(s) of a DLL and the randomizer always causes
the first sector to be the result. Like a call to a 'tick count' that
in some version(s) is not supported so each time the call is
made the retun is the same (either an error code or a 'nothing'
each time.
 
C

cquirke (MVP Win9x)

What are you talking about here? Sure, any program can write to an NTFS
protected system based on the security context of the account being used at
the time of the compromise.
Click to expand...

But only through the file system, not to raw disk. IOW, you can't
dump over file system structures or boot code, only the files you open
to write to. And NTFS is supposed to add value to that my mediating
further when it comes to which files you are allowed to open.

OTOH, as described, Witty writes directly to arbitrary sectors. Even
Win9x DOS mode doesn't allow that (Lock required first).
You're going to need to come-up with some proof here with some
*hard* evidence showing that something can be written to a NTFS
protected system if the account being used at the time doesn't have
write permission to back up your statements.
Click to expand...

If Witty trashes NTFS file systems by writing to arbitrary sector
addresses, even when these are parts of NTFS's code structure, then
that is the proof required. If OTOH Witty mearely opens arbitrary
files and writes garbage inside, that would be different - and I'd
expect it would have been described differently.

It's meningless to talk file and user permissions if you have raw
access to overwrite arbitrary sectors.


-------------------- ----- ---- --- -- - - - -
Click to expand...
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 
D

Duane Arnold

But only through the file system, not to raw disk. IOW, you can't
dump over file system structures or boot code, only the files you open
to write to. And NTFS is supposed to add value to that my mediating
further when it comes to which files you are allowed to open.

OTOH, as described, Witty writes directly to arbitrary sectors. Even
Win9x DOS mode doesn't allow that (Lock required first).


If Witty trashes NTFS file systems by writing to arbitrary sector
addresses, even when these are parts of NTFS's code structure, then
that is the proof required. If OTOH Witty mearely opens arbitrary
files and writes garbage inside, that would be different - and I'd
expect it would have been described differently.

It's meningless to talk file and user permissions if you have raw
access to overwrite arbitrary sectors.
Click to expand...

It would be nice to see some article on this before I'll completely buy
into it. But OTOH, I cannot dispute what you're saying either. :)

Duane :)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Unpatched Microsoft XML Core Services flaw increasingly targeted inattacks 1
New Zero Day IE vulnerability 0
Homeland Security: Fix your Windows (XP that is) 2
Windows 8 is the most vulnerable Windows OS -> you can thank Adobe Flashfor that 1
Safeguard Your PC Against the Downadup Worm 18
A new version of the IIS worm from June 6
New Java 0day exploited in the wild 3
REPOST, U.S. Dept. of Homeland Security urges Windows users to update their Operating Systems. 3

Top