Help please, I think I'm trojanned!

Started by brew, April 18, 2007, 07:03 PM


Warrior

There is no macron in Latin; it's a little thing added to help with the sounds (long vs. short letters).
Quote from: effect on March 09, 2006, 11:52 PM
Islam is a steaming pile of fucking dog shit. Everything about it is flawed, anybody who believes in it is a terrorist, if you disagree with me, then im sorry your wrong.

Quote from: Rule on May 07, 2006, 01:30 PM
Why don't you stop being American and start acting like a decent human?

brew

#31
Quote from: rabbit on April 21, 2007, 04:20 PM
I also took 4 years of Latin.  The macron is used in teaching Latin because it helps forming sounds, but ancient Latin didn't have a macron, or even a lower case, actually.  Anyway, my point is, it's vir, a regular 3rd declension masculine noun, and virus, a regular 2nd declension masculine noun.

Rabbit, you're an idiot. We call it a macron-- they didn't call it anything.  It's just a "long vowel". And if you look at ancient Roman ruins you would see, they DO use macrons in their text. One more thing-- vir is NOT a 3rd declension noun, it's 2nd. Go look anywhere, puh-lease. Stop trying to outsmart me, especially in Latin. I am a three-time ACL/NJCL National Latin Exam Summa cum laude winner (gold medal). So really, sum possum dicere Latinum perfectum. Et tu?

EDIT*** Also, you're wrong. Virus is neuter.
<3 Zorm
Quote
[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Newby

Quote from: brew on April 21, 2007, 03:20 PM
Could low-privileged accounts inject DLLs into system processes? I'm using XP Home Edition 2600.

2600? That's pretty far off into the future. Internal leak?
- Newby

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote
<TehUser> Man, I can't get Xorg to work properly.  This sucks.
<torque> you should probably kill yourself
<TehUser> I think I will.  Thanks, torque.

brew

Quote from: Newby on April 21, 2007, 04:30 PM
Quote from: brew on April 21, 2007, 03:20 PM
Could low-privileged accounts inject DLLs into system processes? I'm using XP Home Edition 2600.

2600? That's pretty far off into the future. Internal leak?

...5.1.2600.

Warrior

... Did you seriously call Windows XP by its build number? Moron.

Barabajagal

You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.

Kp

Quote from: brew on April 21, 2007, 03:20 PM
Could low-privileged accounts inject DLLs into system processes? I'm using XP Home Edition 2600.

There would not be much point in having the concept of privilege if low privileged users could tamper with highly privileged processes.  That said, I have read that XPHome skips security checks, so it might allow the behavior you are worried about.  I know that XPPro does not allow it.  Hopefully, someone will report whether XPHome enforces the relevant checks.

Quote from: RεalityRipplε on April 21, 2007, 07:56 PM
You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.

A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights.  It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

Barabajagal

Quote from: Kp on April 21, 2007, 08:10 PM
Quote from: RεalityRipplε on April 21, 2007, 07:56 PM
You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.

A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights.  It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.
In which case you overwrite the original file (rename the original to something else, create a copy) and disable the DACL protection, use the SetEntriesInAcl and SetSecurityInfo APIs, and then inject the DLL :) .

Joe[x86]

Quote from: Warrior on April 21, 2007, 07:45 PM
... Did you seriously call Windows XP by its build number? Moron.

Why wouldn't he, if he's discussing a trojan for a specific build of Windows?

By the way, if you read anything other than the 2600, you'd realize that he said he's using Windows XP Home Edition. Nice try at being witty, but it ultimately failed.
Quote from: brew on April 25, 2007, 07:33 PM
that made me feel like a total idiot. this entire thing was useless.

Newby

Quote from: Joe[x86] on April 22, 2007
Quote from: Warrior on April 21, 2007, 07:45 PM
... Did you seriously call Windows XP by its build number? Moron.

Why wouldn't he, if he's discussing a trojan for a specific build of Windows?

By the way, if you read anything other than the 2600, you'd realize that he said he's using Windows XP Home Edition. Nice try at being witty, but it ultimately failed.

The trojan was specific to his build of Windows? This is incredible. Now they're writing trojans for specific operating systems written hundreds of years in the future. What will malware writers do next? Write trojans for people's clothing?

I also don't get the "try at being witty" comment.

Warrior

Quote from: Joe[x86] on April 22, 2007
Quote from: Warrior on April 21, 2007, 07:45 PM
... Did you seriously call Windows XP by its build number? Moron.

Why wouldn't he, if he's discussing a trojan for a specific build of Windows?

By the way, if you read anything other than the 2600, you'd realize that he said he's using Windows XP Home Edition. Nice try at being witty, but it ultimately failed.

Because unless you're using a Beta version of XP, the RTM build number is 2600. It can be assumed that 99.9% of the computers running XP are running build 2600. It's really retarded to call it anything else. It's Windows XP, and nothing fundamentally changes build to build if (and only if) there so happens to be a build revision in the near future.

Kp

Quote from: RεalityRipplε on April 21, 2007, 09:10 PM
Quote from: Kp on April 21, 2007, 08:10 PM
Quote from: RεalityRipplε on April 21, 2007, 07:56 PM
You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.
A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights.  It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.
In which case you overwrite the original file (rename the original to something else, create a copy) and disable the DACL protection, use the SetEntriesInAcl and SetSecurityInfo APIs, and then inject the DLL :) .

Doing that would require an insecure DACL on the files and/or directories used by the target process.  Although possible, it would be rather silly to see a process where someone managed to get the process DACL right, but left the file DACLs insecure.

Barabajagal

Quote from: Kp on April 22, 2007, 02:32 PM
Quote from: RεalityRipplε on April 21, 2007, 09:10 PM
Quote from: Kp on April 21, 2007, 08:10 PM
Quote from: RεalityRipplε on April 21, 2007, 07:56 PM
You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.
A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights.  It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.
In which case you overwrite the original file (rename the original to something else, create a copy) and disable the DACL protection, use the SetEntriesInAcl and SetSecurityInfo APIs, and then inject the DLL :) .

Doing that would require an insecure DACL on the files and/or directories used by the target process.  Although possible, it would be rather silly to see a process where someone managed to get the process DACL right, but left the file DACLs insecure.
I've never found a program I can't make a copy of and edit.

Skywing

Quote from: brew on April 20, 2007, 08:01 PM
Quote from: Skywing on April 20, 2007, 02:54 PM
No way to know for sure without reverse engineering the particular piece of malware in question.
Exactly why I am interested in reverse engineering this malware.
You're probably not interested in reverse engineering it.  If you don't, and nobody else has (with verification that the code on your box is identical), then you should wipe the system clean.

Skywing

Quote from: RεalityRipplε on April 22, 2007, 03:00 PM
I've never found a program I can't make a copy of and edit.

That doesn't really get you anything.  You'll have no way to place the modified version of the binary where it will be run, assuming file ACLs are set properly and the lack of a security hole allowing an unprivileged user to convince a privileged process to load a binary from an untrusted location.

If you run the modified version of the binary yourself, it will be executing with the privileges of your (unprivileged) account and thus will not be able to perform things outside the sandbox of that user account.
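The condition Kp and Skywing rely on above is that the file and directory ACLs of privileged processes are actually set properly, so that a low-privileged account cannot replace the binary that gets run. The script below is an added audit example written for this thread; it is not code posted by any participant. It walks the installed services, extracts each service's binary path, and reports any Allow ACE on the binary or its containing directory that grants write-class rights (write, delete, change permissions, take ownership, or the generic write/all bits) to broad low-privilege principals. Assumptions: an elevated PowerShell 3.0+ session (Get-CimInstance; on older systems substitute Get-WmiObject Win32_Service), English-locale principal names, and that the process DACL itself is out of scope here since .NET does not expose it without native calls.

```powershell
# Added audit example (not from the thread): find service binaries whose file or
# directory DACL grants write-class access to low-privilege principals.
# Assumes an elevated PowerShell 3.0+ prompt on the machine being checked.

# Principals a hardened DACL should grant no more than read/execute.
# Assumption: English-locale well-known names; adjust for other locales.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller modify, replace, delete or re-ACL the object.
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) are included because
# some ACEs carry the generic bits verbatim instead of mapped specific rights.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
    [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
    [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
    0x40000000 -bor 0x10000000

function Get-ServiceBinaryPath {
    # Extract the executable path from a Win32_Service.PathName command line,
    # which may be quoted and may carry trailing arguments.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $cmd = $PathName.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: take everything up to the first ".exe" token.
    $m = [regex]::Match($cmd, '^(.*?\.exe)\b', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-WeakWriteAce {
    # One record per Allow ACE on $Path that grants a write-class right
    # to one of the low-privilege principals listed above.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $bin = Get-ServiceBinaryPath -PathName $svc.PathName
    if (-not $bin) { continue }
    $bin = [System.Environment]::ExpandEnvironmentVariables($bin)
    if (-not (Test-Path -LiteralPath $bin)) { continue }
    # Check the binary and its directory: a writable directory is enough for
    # the rename-and-replace approach discussed earlier in the thread.
    foreach ($target in @($bin, (Split-Path -Path $bin -Parent))) {
        foreach ($hit in (Get-WeakWriteAce -Path $target)) {
            $hit | Add-Member -NotePropertyName Service -NotePropertyValue $svc.Name -PassThru
        }
    }
}

if ($findings) {
    $findings | Sort-Object Service, Path | Format-Table Service, Path, Principal, Rights -AutoSize
} else {
    'No service binary or directory grants write-class access to low-privilege principals.'
}
```

A clean base install should produce no findings, which is the state Kp assumes; any row that does appear is exactly the insecure file or directory DACL he says would be required, and the fix is to restrict the ACE rather than to rely on the process DACL alone.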
