
Re: [News] Word Vulnerability Gets an Exploit, Can Already Comprimise Windows Boxes

  • Subject: Re: [News] Word Vulnerability Gets an Exploit, Can Already Comprimise Windows Boxes
  • From: "T.G. Reaper" <Reaper@xxxxxxxxxxxxx>
  • Date: Mon, 29 May 2006 18:12:11 -0700
  • Newsgroups: comp.os.linux.advocacy
  • Organization: Desperate Images
  • References: <19162512.cYxouEC2Sp@schestowitz.com>
  • User-agent: Pan/0.14.2 (This is not a psychotic episode. It's a cleansing moment of clarity.)
  • Xref: news.mcc.ac.uk comp.os.linux.advocacy:1113805
On Mon, 22 May 2006 13:46:26 +0100, Roy Schestowitz wrote:

> Following the Symantec Advisory from Saturday, this severe Word hack is
> already being exploited.
> 
> Hackers have developed malicious code designed to exploit an
> unpatched vulnerability in Microsoft Word 2002 and 2003.

This, as with nearly 100% of all malware, is only a problem if the
intended victim is logged on under an account that has admin rights.

You'd be hard pressed to find any malware that is capable of any serious
damage that doesn't assume the user has admin rights. If that assumption
turns out to be invalid most malware falls flat on its face and is
rendered relatively harmless.

Look at what this latest word/excel document exploit tries to do:

*************************************************************************
technical details

When Backdoor.Ginwui is executed, it performs the following actions:

   1. Creates the following files:
          * %System%\Winguis.dll
          * %System%\drivers\IsPubDRV.sys
          * %System%\drivers\RVdPort.sys
          * %System%\drivers\DetPort.sys


   2. Adds the following registry entry:

      "AppInit_DLLs" = "%System%\Winguis.dll"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

      so that it is executed every time Windows starts.

   3. Creates the following Mutex:

      Global\\GUI40ServiceStart

   4. Hooks the following APIs to hide itself:
          * EnumProcessModules
          * GetModuleFileNameExW
          * Module32NextW
          * FindFirstFileW
          * FindNextFileW
          * AllocateAndGetTcpExTableFromStack
          * AllocateAndGetTcpTableFromStack
          * InternalGetTcpTable
          * GetTcpTable
          * EnumServicesStatusA
          * EnumServicesStatusW
          * RegEnumKeyA
          * RegEnumKeyW
          * RegEnumKeyExA
          * RegEnumKeyExW
          * RegEnumValueA
          * RegEnumValueW
          * RegSetValueExA
          * RegSetValueExW
          * RegQueryValueExA
          * RegQueryValueExW

***********************************************************************


All of those things will fail if attempted as a regular user. So how
is the machine going to get infected if the word document is opened by a
normal user?

And don't tell me that Windows machines aren't "usable" unless you log on
as admin, it's simply not true, and can't be supported with specific real
world examples.

-- 
Regards
T.G. Reaper
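
As an added example, not part of the original post and not Symantec's code: a PowerShell check, run from the defender's side, for the persistence artifacts the quoted advisory lists (the DLL, the three drivers, the AppInit_DLLs value and the mutex), followed by a probe of whether the account running it could even have written those locations. The file, key and mutex names are taken from the quoted advisory; the scratch-file name and the script's own variable names are assumptions of this example. Running it once as a standard user and once from an elevated prompt shows the difference in write access the poster is arguing about.

```powershell
# Added example (not from the post or from Symantec): read-only detection of the
# artifacts named in the Backdoor.Ginwui write-up, plus a least-privilege probe.

$system = [Environment]::GetFolderPath('System')   # %System%, e.g. C:\Windows\System32

# Files named in the quoted advisory.
$files = @(
    (Join-Path $system 'Winguis.dll'),
    (Join-Path $system 'drivers\IsPubDRV.sys'),
    (Join-Path $system 'drivers\RVdPort.sys'),
    (Join-Path $system 'drivers\DetPort.sys')
)
$regKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$regValue = 'AppInit_DLLs'
$mutexName = 'Global\GUI40ServiceStart'

Write-Host "== Persistence artifacts =="
foreach ($f in $files) {
    $state = if (Test-Path -LiteralPath $f) { 'PRESENT' } else { 'absent' }
    Write-Host ("{0,-8} {1}" -f $state, $f)
}

# AppInit_DLLs is loaded into every process that maps user32.dll, so any
# non-empty value deserves a look, not only the name from the advisory.
$appInit = (Get-ItemProperty -Path $regKey -Name $regValue -ErrorAction SilentlyContinue).$regValue
if ([string]::IsNullOrWhiteSpace($appInit)) {
    Write-Host "AppInit_DLLs: empty"
} else {
    Write-Host "AppInit_DLLs: '$appInit'"
    if ($appInit -match 'Winguis\.dll') { Write-Warning "AppInit_DLLs references Winguis.dll" }
}

# A live mutex means the backdoor is running right now, not just on disk.
$m = $null
try {
    if ([System.Threading.Mutex]::TryOpenExisting($mutexName, [ref]$m)) {
        $m.Close(); Write-Warning "Mutex $mutexName exists (backdoor active?)"
    } else {
        Write-Host "Mutex ${mutexName}: absent"
    }
} catch [System.UnauthorizedAccessException] {
    # Exists but this account may not open it; that is still a hit.
    Write-Warning "Mutex $mutexName exists but access was denied"
}

Write-Host "`n== Could this account have planted them? =="
# Create and immediately remove a scratch file in %System% (name is made up).
$probe = Join-Path $system ("acl-probe-{0}.tmp" -f [guid]::NewGuid())
try {
    [IO.File]::WriteAllText($probe, '')
    Remove-Item -LiteralPath $probe -Force
    Write-Host "Write to %System%: ALLOWED (this account could drop the DLL and drivers)"
} catch [System.UnauthorizedAccessException] {
    Write-Host "Write to %System%: denied (standard-user rights)"
}

# Same probe against the HKLM key: open it writable and close it again.
try {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
            'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows', $true)
    if ($k) { $k.Close(); Write-Host "Write to AppInit_DLLs key: ALLOWED" }
    else    { Write-Host "Write to AppInit_DLLs key: key not found" }
} catch [System.Security.SecurityException] {
    Write-Host "Write to AppInit_DLLs key: denied (standard-user rights)"
} catch [System.UnauthorizedAccessException] {
    Write-Host "Write to AppInit_DLLs key: denied (standard-user rights)"
}
```

The two write probes are the interesting part for the argument in the post: on a standard-user account both should report "denied", which is exactly the condition under which the listed file drops and the AppInit_DLLs change would fail. The artifact checks are what an incident responder would run regardless of privilege, since reading %System% and HKLM needs no elevation.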
