Latest Macro Virus Worm How Does It disable ....

darrenez
19th September 2003, 21:08
Swen installs various files to ensure that it is launched every time the system boots up. It also disables the user's ability to edit the Registry.

from silicon something or other

Huh?
How does it do that, folks?

I mean, I go to a DOS prompt and type
regedit or regedt32.

Does it roger the binary, or damage the security
on the actual registry?

I want to know so I can create havoc around the globe.

Cheers.

reynolds
20th September 2003, 12:37
Maybe something to do with the murky world of assembly code.

terotech
21st September 2003, 10:10
Not 100% sure what the question is here, so if I'm way off, apologies now.

Each registry key can have privileges assigned to it, i.e. who can read it, who can edit it, who can delete it, etc. When a program writes a value to the registry (new or existing) it can specify the privileges required to read/edit/delete it. Normally the program is running within the context of a user (the person running the program), and so the default security requirements for the registry key include the user's security info. If you wanted to make a special registry key *extra* secure, your code just supplies another security identifier, i.e. one other than the current user's. This method will ensure that no one or thing can access the registry key except for your code.

I use this method regularly to store sensitive data in the registry (database connection attributes etc.); the only way that anyone can change these values is via the supplied 'admin' tool. This ensures that 'fred bloggs' can't go messing around in the system registry and completely **** up the application. It also helps to ensure that the sensitive data is kept hidden from prying eyes.

hope this explanation helps...

D

darrenez
21st September 2003, 15:55
When I created a secure payments application, the NT Server had reasons to use the registry.

So as part of the code I put some very heavy security around certain values in the registry.

The point was that in some cases the security was heaviest around dummy values entered into the registry.

Thus any hacker would probably have been keen to get at these values since they were so well protected.

What the article implied was not individual protection on certain keys (in which your post is very correct) but the entire registry.

I kind of concluded that they could somehow get at the administrators group on the local machine to actually stop access to the registry.

reynolds
22nd September 2003, 16:46
But isn't the registry just a huge text file? I.e. system.dat or something?

AtW
22nd September 2003, 19:44
Read/write rights to that file should be limited to Admin and the internal system account.
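As an added example (not posted by anyone in the thread), here is a PowerShell audit script a defender could run to check the three mechanisms the thread touches on: the Windows policy value that Regedit itself honours when "registry editing has been disabled" (DisableRegistryTools, which blocks the tool without touching the binary), the per-key ACL that terotech describes, and the permissions on the hive files AtW refers to. It assumes a modern Windows host with PowerShell 5 or later, run from an elevated prompt; the Run key and hive names used are illustrative choices, not something the thread names.

```powershell
# Added example, not from the original thread. Assumes Windows, PowerShell 5+,
# and an elevated session (reading hive-file ACLs needs admin rights).

# 1. Policy value that Regedit checks before starting. Group Policy writes it
#    under HKCU; HKLM is read as well so a machine-wide setting is not missed.
function Get-RegistryToolsPolicy {
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $item = Get-ItemProperty -Path $path -Name DisableRegistryTools -ErrorAction SilentlyContinue
        $state = if ($null -ne $item) { $item.DisableRegistryTools } else { 'not set' }
        [pscustomobject]@{ Hive = $hive; DisableRegistryTools = $state }
    }
}

# 2. Per-key DACL, the mechanism terotech describes: list every principal that is
#    allowed to write values or change permissions on the key. The Run key is an
#    illustrative choice because autostart keys are the ones worth watching.
function Get-KeyWriters {
    param([string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $writeRights = 'SetValue|CreateSubKey|WriteKey|ChangePermissions|TakeOwnership|FullControl'
    (Get-Acl -Path $Key).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.RegistryRights -match $writeRights } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

# 3. Hive files (AtW's point): on NT-family systems the registry is stored in
#    binary hive files under %SystemRoot%\System32\config, not a text file.
#    Report every principal that can modify them; expect only SYSTEM and
#    Administrators here.
function Get-HiveFileAccess {
    $dir = Join-Path $env:SystemRoot 'System32\config'
    foreach ($name in 'SYSTEM', 'SOFTWARE', 'SAM') {
        $file = Join-Path $dir $name
        if (-not (Test-Path $file)) { continue }
        (Get-Acl -Path $file).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|Modify|FullControl' } |
            Select-Object @{ n = 'File'; e = { $name } }, IdentityReference, FileSystemRights
    }
}

Get-RegistryToolsPolicy | Format-Table -AutoSize
Get-KeyWriters          | Format-Table -AutoSize
Get-HiveFileAccess      | Format-Table -AutoSize
```

A DisableRegistryTools value of 1 or 2 in the first table explains a Regedit that refuses to open even though its executable is intact; a non-admin principal with write rights in the other two tables is the kind of weakening darrenez suspected.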