Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to jvmorris

Re: Analysis of Backstealth technology

-- How big is BackStealth.exe? 58,368 bytes
-- How big is BackDLL.dll? 55,808 bytes
quote:
Re FindWindow(), now are you saying you KNOW it only searches for these signature windows or are you assuming that?
I'm looking at the disassembled code, not strings in the binary: this is all it looks for. But in general, it's not in concept looking for "firewall processes" as it is "processes known to be trusted". My guess is that it could inject itself into IE with the same ease - most of the time IE is trusted as well, and this hidden worker thread would not likely go through all the security setup imposed by the browser.
quote:
Re AdjustTokenPrivileges(), effectively Win 9X/ME users would consequently have no protection against this call (assuming it works on those OSs)
This is true in any case. On an operating system with no real hardware protection of memory (as you have on the Win 9x/ME), there is next to nothing you can do to keep really mal-intentioned code from behaving badly. It may be a lot of work, but once bad code gets the CPU, you're finished.

Edit: - typos

Steve
--
Stephen J. Friedl • Security Consultant • Tustin, California USA • »www.unixwiz.net

[text was edited by author 2002-05-02 14:44:07]
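A defender-side check that follows from the injection point discussed above, added here as an example and not code from the thread or from the BackStealth author: it lists the DLLs loaded into every running process and flags modules outside an assumed set of trusted directory roots, or whose name matches the BackDLL.dll component named in the post. It assumes PowerShell on a current Windows host run from an elevated prompt; the trusted roots and the name list are assumptions you should adjust for your environment.

```powershell
# Added example (not from the thread): enumerate the DLLs loaded into every running
# process and flag any whose file lives outside the assumed "trusted" roots, or whose
# name matches the BackDLL.dll component named in the post. Run elevated so that
# more processes can be inspected; matching the bitness of PowerShell to the target
# processes avoids access errors on the Modules property.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }                      # drop roots that are unset on this host
$knownBadNames = @('BackDLL.dll')            # name taken from the thread; extend as needed

function Test-UnderRoot([string]$Path, [string[]]$Roots) {
    # True when $Path starts with one of the trusted roots (case-insensitive compare)
    foreach ($root in $Roots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-Process) {
    try { $modules = $proc.Modules } catch { continue }   # access denied or bitness mismatch
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        $reason = $null
        if ($knownBadNames -contains $m.ModuleName) {
            $reason = 'known injected DLL name'
        } elseif (-not (Test-UnderRoot $path $trustedRoots)) {
            $reason = 'module outside trusted roots'
        }
        if ($reason) {
            [PSCustomObject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Module  = $m.ModuleName
                Path    = $path
                Reason  = $reason
            }
        }
    }
}
$findings | Sort-Object Process, Module | Format-Table -AutoSize
```

Legitimate software routinely loads DLLs from its own install directory, so treat each finding as a lead to review against the process's expected module list rather than as a verdict.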
