Registry-infecting reboot-resisting malware has NO FILES - Page 2


Re: Registry-infecting reboot-resisting malware has NO FILES

"Wolf K" wrote:


Because that's pretty much the definition of a file.


Not at all.


Initially, yes.


The average user is computer-illiterate. Misnaming things like the
BIOS and MBR code as files doesn't help.


In all contexts.


If nit-picking is important then you should know the difference
between files and other objects.

Actually, this malware lives in the registry. The registry is
contained in a set of files, but it's not helpful to think of the
malware as a file. It's not hiding from the OS or a knowledgeable user
who knows about registry autorun keys.



Re: Registry-infecting reboot-resisting malware has NO FILES



It's always been that as far as I know.


Nope...not at all. It only adds to confusion. Take for example, AM vs AV  
products. It's quite difficult to explain to the average user why both  
exist.
  

Agreed.  
  

An awful set of files that make up the registry hive, yes. :) It's a proof  
of concept... but, the idea was discussed a long long time ago. I found it  
quite interesting to see that the executable program section actually has  
a complete? MZ/PE header in the front...  

Must admit, it's a cute trick with the extended ASCII to hide its  
presence from the typical user. :)  




--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand. Just find a  
place to make your stand and take it easy!  


Re: Registry-infecting reboot-resisting malware has NO FILES

Dustin wrote on 8/7/2014 :

[...]


Sounds almost familiar. :)

Was the encoding of the script with screnc.exe or equivalent actually  
necessary?



Re: Registry-infecting reboot-resisting malware has NO FILES



LOL. I didn't even think about that at the time I was writing the text  
above..
  

No. It was just a minor annoyance to get around. They were already okay the  
moment they opted for a high ascii value(s) as the registry keys name. It's  
just like using extended ascii on file names. Windows Explorer has a fit.

Do you remember the hidden space trick? putting alt+255 then a space, then  
alt+255 again? :) Every time you'd go to click on it in older versions of  
windows, it would tell you the file didn't exist. [g]


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.
Lighten up while you still can. Don't even try to understand. Just find a
place to make your stand and take it easy!  
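Two of the tricks discussed in this thread can be hunted for in an exported hive: an autorun value whose name is built from high/extended characters (alt+255 and friends, so regedit and Explorer choke on it), and an executable section stored as registry data with its MZ/PE header intact. The scanner below is an added example written for this page, not code posted by anyone in the thread. It parses the text of a `reg export` dump (a constructed sample is embedded; the keys and value names in it are made up), flags Run/RunOnce value names containing characters outside printable ASCII, flags autorun data that hands off to a script host (the keyword list is an assumed heuristic, not a definitive set), and flags binary values anywhere that begin with "MZ". It assumes that alt+255 on Windows enters U+00A0, the non-breaking space.

```python
"""Scan an exported .reg dump for registry-resident autorun tricks.

Added example for this thread; not code from any poster.  Flags:
  * Run/RunOnce value names containing characters outside printable ASCII
    (e.g. alt+255, assumed to enter U+00A0 on Windows),
  * Run/RunOnce data that hands control to a script host (heuristic list),
  * binary values anywhere that start with an MZ/PE header.
"""
import re

AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Assumed heuristic keyword list; tune it for your environment.
SUSPICIOUS_DATA_RE = re.compile(
    r"(rundll32|mshta|wscript|cscript|powershell|regsvr32|javascript:|vbscript:|\.jse\b|\.vbe\b)",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def _logical_lines(text):
    """Yield .reg lines with trailing-backslash continuations joined (hex data wraps this way)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _unescape(s):
    """Undo .reg escaping of backslashes and double quotes in names and string data."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(data):
    """Right-hand side of a value line -> str (SZ/EXPAND_SZ/MULTI_SZ), int (DWORD) or bytes."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<b>.*)$", data, re.IGNORECASE)
    if m:
        raw = bytes(int(x, 16) for x in m.group("b").split(",") if x)
        if m.group("t") in ("2", "7"):          # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw                              # REG_BINARY and anything else stays raw
    return data


def parse_reg(text):
    """Return [(key, value_name, data)] for every value in exported .reg text."""
    entries, key = [], None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group("name") is None else _unescape(m.group("name"))
            entries.append((key, name, _decode_data(m.group("data"))))
    return entries


def find_suspicious_values(text):
    """Return [(key, name, [reasons])] for values worth a second look."""
    findings = []
    for key, name, data in parse_reg(text):
        reasons = []
        if AUTORUN_KEY_RE.search(key):
            if any(not 0x20 <= ord(c) <= 0x7E for c in name):
                reasons.append("autorun value name uses non-printable/extended characters: %r" % name)
            if isinstance(data, str) and SUSPICIOUS_DATA_RE.search(data):
                reasons.append("autorun data hands control to a script host: %r" % data)
        if isinstance(data, bytes) and data[:2] == b"MZ":
            reasons.append("binary value begins with an MZ/PE header (%d bytes)" % len(data))
        if reasons:
            findings.append((key, name, reasons))
    return findings


# Constructed sample dump (already decoded from the UTF-16 that `reg export` writes).
# Keys and value names below are made up for illustration.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"OneDrive"="\\"C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\" /background"
"\u00a0 \u00a0"="wscript.exe //E:JScript.Encode \\"C:\\\\Users\\\\Public\\\\update.jse\\""
"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,61,00,2e,00,\\
  76,00,62,00,65,00,00,00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer]
"ShellState"=hex:24,00,00,00

[HKEY_CURRENT_USER\\Software\\Example\\Stage]
"Blob"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00
"""

if __name__ == "__main__":
    for key, name, reasons in find_suspicious_values(SAMPLE_REG):
        print("%s  name=%r" % (key, name))
        for reason in reasons:
            print("    -", reason)
```

Against a live machine, dump the keys first (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`) and read the file with `encoding="utf-16"`, since `reg export` writes UTF-16LE with a BOM. The export preserves the odd characters that regedit's display trips over, which is exactly why scanning the text beats eyeballing the GUI; the `%r` in the findings prints them as escapes so the name is visible.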


Re: Registry-infecting reboot-resisting malware has NO FILES

Dustin brought next idea :

Yes, and I mentioned that elsewhere. I did it with directories, just  
naming it with alt+255 and it would show up with an underscore  
character as a name under the folder icon. Clicking the icon caused the  
message that what you just clicked on 'does not exist' - yet how could  
you have clicked on it if it didn't - Microsoft eh, I have a desktop on  
my desktop displaying a desktop and I have to push start to turn it  
off.



Re: Registry-infecting reboot-resisting malware has NO FILES



Now we're getting into the semantics of what a file is. I do agree the
boot sector and bios contain data. I don't agree that they are files.
A file has a name, that is accessible from the os. Neither of the
above have names. While some programs can read/write them, a general
file browser cannot.

Regards, Dave Hodgins

--  
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Registry-infecting reboot-resisting malware has NO FILES



I agree with you and FTR on this one.  



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Registry-infecting reboot-resisting malware has NO FILES

Dustin was thinking very hard :

However, this is what a "file" is becoming most likely. This context is  
quite different from the context we should be using here.

http://research.microsoft.com/apps/pubs/?id=154539



Re: Registry-infecting reboot-resisting malware has NO FILES


You can obviously see the potential for abuse this will provide?
  

Frightening....

We suggest that one aspect of this adaptation is to encompass metadata  
within a file abstraction; another has to do what such a shift would mean  
for enduring user actions such as ‘copy’ and ‘delete’ applicable to the  
deriving file types. We finish by arguing that there is an especial need to  
support the notion of ‘ownership’ that adequately serves both users and  
engineers as they engage with the world of networked sociality.

engineers? What a fancy term for er, Microsoft programmer. :)


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Registry-infecting reboot-resisting malware has NO FILES

After serious thinking Dustin wrote :

I can see it now
Definition:

File - an internet standard devised by Microsoft to create an  
abstraction for anything a user might need an abstraction for.



Re: Registry-infecting reboot-resisting malware has NO FILES



That's purrrrfect! I'm sure it'll get the pooh lexicon approval; might
even get an award.  


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.
Lighten up while you still can. Don't even try to understand. Just find a
place to make your stand and take it easy!  


Re: Registry-infecting reboot-resisting malware has NO FILES



Rafty thank you for the info. When you said something is under the
abstraction then is that the same thing as an "abstraction layer" in
computing? Just wondering.

--  
Jax        

Re: Registry-infecting reboot-resisting malware has NO FILES

Jax brought next idea :

[...]


I don't recall saying (writing) that, but an "abstraction layer" in  
computing is indeed an abstraction. Abstractions aren't unique to  
computer science though.



Re: Registry-infecting reboot-resisting malware has NO FILES




Abstraction in the human thought processes or computer: all the same processes.

Hardware abstraction layer, database abstraction layer:
< http://en.wikipedia.org/wiki/Abstraction_layer >
< http://whatis.techtarget.com/definition/hardware-abstraction-layer-HAL >
< http://en.wikipedia.org/wiki/Database_abstraction_layer >
  


Re: Registry-infecting reboot-resisting malware has NO FILES




Wolf, there's more than one kind of "library" for Windows:

< http://msdn.microsoft.com/en-us/library/aa288466(v=vs.71).aspx >
   < http://msdn.microsoft.com/en-us/magazine/cc163305.aspx >
  


Re: Registry-infecting reboot-resisting malware has NO FILES

On 2014-09-06 2:12 AM, Hot-Text wrote:
[...]

Precisely.

Now explain them to the average user so they won't inadvertently lose  
precious photos and stuff.

Try it. You'll like it. Not.

--  
Best,
Wolf K
kirkwood40.blogspot.ca

"Windows DYNAMIC LINK LIBRARY" for Dummies


Wolf K,
I'm not here to write a book.

"Windows DYNAMIC LINK LIBRARY"  for Dummies  


Re: "Windows DYNAMIC LINK LIBRARY" for Dummies

Hot-Text brought next idea :

Always, to the best of my knowledge, a library is a collection  
(compilation) of items with a similarity of use. So, a media library  
and a code library are easy enough to explain.

My "that's easy" comment was more about code libraries and how they  
evolved from subroutines.



Re: "Windows Calling a DLL Function" for Dummies


True!

But I would bet Wolf would like to know how to call up a code
library's function list:

< http://msdn.microsoft.com/en-us/library/be80xase(v=vs.110).aspx >

Calling a DLL Function
Passing Structures
Callback Functions
How to: Implement Callback Functions

  


Re: "Windows Calling a DLL Function" for Dummies

Hot-Text was thinking very hard :

More likely, from a more recent post, he was addressing the need to  
explain Windows libraries to the uninitiated. That is, to the 'clueless  
newbies' in the computer user realm.


