Re: [Full-disclosure] RE: Full-Disclosure Digest, Vol 8, Issue 3
- To: "Cooper, Christopher" <Christopher.Cooper@xxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] RE: Full-Disclosure Digest, Vol 8, Issue 3
- From: "Morning Wood" <se_cur_ity@xxxxxxxxxxx>
- Date: Mon, 3 Oct 2005 15:43:06 -0700
> Can you give me an example of a trojan, worm, or another program which has
> added the last USB device installed in the Windows Registry,
yes, see below
> or how about a program, worm, trojan -
some ASM code... ( edited )
; key paths to create (null-terminated strings)
any_key1 db "SYSTEM\CurrentControlSet\AnyKeyIWant", 0
another_key2 db "SYSTEM\CurrentControlSet\AnotherKeyIWant", 0

; create (or open) the key under HKLM, handle returned in hRegkey
invoke RegCreateKeyEx, HKEY_LOCAL_MACHINE, addr any_key1, 0, NULL, \
       REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, addr hRegkey, NULL
; build the value name and value data strings
invoke wsprintf, addr senddata, addr some_value3, addr port
invoke wsprintf, addr recvdata, addr another_value2, addr port
; write the REG_SZ value; eax holds the length returned by wsprintf
invoke RegSetValueEx, hRegkey, addr senddata, 0, REG_SZ, addr recvdata, \
       eax
invoke RegCloseKey, hRegkey
; ( repeat for another_key2 )
easily done in .c too
or
c:\>regedt32 -s somebad.reg
( will silently install ANY key you want )
> which caused something to be added to the last typed URL?
VNC ( or aforementioned key writes )
how do you think malware writes startup keys? I am confused by your
statement...
once a system has been compromised, ANYTHING can be written to the registry
( especially if the attacker has SYSTEM privs )
my2bits,
M.W
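A defensive counterpart to the silent `regedt32 -s somebad.reg` import mentioned above, added here as an example that is not part of the original post: a small Python parser for the .reg text format that lists which keys and values a file would create or delete and flags writes to autostart locations, so a file can be reviewed before it is imported. The sample .reg content and the list of sensitive key prefixes are constructed for this example; the autostart Run keys and the TypedURLs key are standard Windows locations.

```python
"""Triage a Windows .reg file before importing it with `regedt32 -s`.

Added example (not from the original post): parses the .reg text format
and reports keys the file would create or delete, flagging writes to
well-known autostart locations.
"""
import re

# Constructed sample .reg content for this example (not real malware).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\AnyKeyIWant]
"Port"=dword:00001f90
@="default value"

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"""

# Root hives a .reg file may address.
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")

# Key prefixes where an unexpected write deserves a closer look.
# Assumption: an illustrative starting list, not a complete one.
SENSITIVE_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services",
)

# "name"=value  or  @=value  (@ is the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_value(raw):
    """Decode the right-hand side of a value line into (type, value)."""
    if raw == "-":                               # value deletion
        return ("DELETE", None)
    if raw.startswith('"') and raw.endswith('"'):
        text = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        return ("REG_SZ", text)
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    if raw.startswith("hex"):                    # hex: or hex(N): byte list
        kind, _, body = raw.partition(":")
        data = bytes(int(b, 16) for b in body.split(",") if b)
        return ("REG_BINARY" if kind == "hex" else "REG_TYPE_" + kind[4:-1], data)
    raise ValueError("unknown value syntax: %r" % raw)


def parse_reg(text):
    """Return a list of {'key', 'delete', 'values'} dicts, in file order."""
    entries, current = [], None
    lines = text.replace("\r\n", "\n").split("\n")
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = {"key": key.lstrip("-"), "delete": key.startswith("-"), "values": {}}
            entries.append(current)
            continue
        if current is None:
            raise ValueError("value line before any [key] header: %r" % line)
        # hex values may continue over several lines ending in a backslash
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError("unparseable value line: %r" % line)
        name = m.group(1) if m.group(1) is not None else "@"
        current["values"][name] = decode_value(m.group(2))
    return entries


def triage(text):
    """Return (category, detail) findings worth reviewing before import."""
    findings = []
    for entry in parse_reg(text):
        key = entry["key"]
        if key.split("\\", 1)[0] not in HIVES:
            findings.append(("unknown-hive", key))
        if entry["delete"]:
            findings.append(("delete-key", key))
        sensitive = any(key.lower().startswith(p.lower()) for p in SENSITIVE_PREFIXES)
        for name, (kind, _) in entry["values"].items():
            if sensitive:
                findings.append(("sensitive-write", key + "\\" + name))
            if kind == "DELETE":
                findings.append(("delete-value", key + "\\" + name))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REG):
        print(category, detail)
```

Run against the sample, the triage reports the write to the HKLM Run key and the deletion of the TypedURLs key; a real file would be read from disk and passed to `triage()` before any import is approved.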
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/