What do you wish most for the next major release after 0.30?


Poll: What do you wish most for the next major release after 0.30?

Poll ended at Sun Mar 19, 2006 3:31 am

  Option                      Votes   Share
  More networking                 4      7%
  Driver compatibility           27     49%
  Application compatibility       4      7%
  Stability                       6     11%
  Speed                           5      9%
  Security                        1      2%
  Environment                     0   no votes
  Multimedia                      2      4%
  Eyecandy                        1      2%
  Just solve the major bugs       5      9%

Total votes: 55

mf
Developer
Posts: 368
Joined: Mon Dec 27, 2004 2:37 pm
Location: Eindhoven, NL
Contact:

Post by mf »

Seems I'm the only one seriously interested in seeing a working LSASS in ReactOS :). Mind you, this is the little bugger that'll allow us to get a real Winlogon chain with a working GINA! These are the foundations for a stable running logon session.
It compiles, let's ship it!
Wierd
Posts: 147
Joined: Sat Dec 18, 2004 10:12 am

Post by Wierd »

When LSASS gets implemented, can you do me a HUGE favor?

There exists some EVIL spyware that impersonates LSASS by loading from the /winnt folder instead of the /winnt/system32 folder... Once running, Windows (both 2K AND XP) refuses to let you terminate its process, citing that it is a "Vital system service" (which the REAL LSASS is!)

Is there any way to ensure that LSASS does NOT load from anyplace OTHER than the /system32 folder? And/or do some version testing to ensure that it REALLY IS a valid LSASS process before telling you that you cannot terminate it?
Alkali
Posts: 66
Joined: Fri May 27, 2005 4:30 am
Location: US

Post by Alkali »

I hate LSASS, an error in it screwed up my ability to run Windows. It says my password doesn't match the one it has. I don't have, and never had, a password. Please let this be one of the few things you don't clone directly from Windows.
Wierd
Posts: 147
Joined: Sat Dec 18, 2004 10:12 am

Post by Wierd »

LSASS is a vital system service. It NEEDS to be there, previous experiences being bad, or not.
Pharaoh_Atem
Posts: 129
Joined: Sun Feb 26, 2006 5:33 am

Post by Pharaoh_Atem »

However, Wierd brings up a good point... Shouldn't vital system services be affixed and run only from the \ReactOS\system32 folder? If a spyware program can be protected by being in %Windir%, then that needs to be fixed...
Wierd
Posts: 147
Joined: Sat Dec 18, 2004 10:12 am

Post by Wierd »

Yes, I spent 10 hours trying to eliminate this particular infection... It was particularly nasty:

It consisted of a multi-part "Anti-removal" system, in which the 'protected' LSASS was a kingpin. It worked like this:

A file that gets called at system start up checks to see if the EEEVIL LSASS impersonator is loaded. If it isn't, it loads it itself. This file can exist in a multitude of locations, and seems to pick one at random every removal attempt. Common places include the INF folder, the Fonts folder, the TEMP folder, the Temporary Internet Files folder, and the /program files/common files folder. It can exist in any, or even ALL of these places, and moves around constantly when you try to eliminate it. It has the capability of generating the bogus LSASS executable if it detects that it isn't present.

The LSASS impersonator checks to see if its failsafe is present. If it isn't, it re-creates it and loads it, and uses system level security to re-add its registry entries. While it is running, it protects its failsafe by preventing the user from having permission to delete it.

This cripples normal Adware removal tools' ability to remove the spyware.

After trying various methods of imposing registry security on the Services and RUN registry keys, deleting files in safe mode, and having several of my hairs turn grey from the stress, I finally decided that the ONLY way to remove the blasted thing was to fake it out....

I made a copy of the REAL LSASS.EXE and placed it in the Winnt folder under a different name (since it wouldn't let me overwrite it in normal or safe modes)... I deleted the known failsafes in safe mode, and fixed the registry keys for where it was being loaded from... I then booted into the emergency repair console.

I used the repair console to forcibly DELETE the offending impersonator, then renamed the copied version of the REAL LSASS.EXE, back to LSASS.EXE, and then set "Read Only" and "System" attributes on it.

I then rebooted the computer. After doing this, I was able to successfully remove the last traces of the spyware... But this came only after several hours of fighting, and after I had become more than just a little infuriated.

This particular spyware is insanely vicious, in that it disables the XP firewall services, and then installs several "Friends" that live in the TCP/IP protocol stack chain. It prevents you from fixing these problems, as long as its bogus system service remains running.

Nipping this kind of *SHIT* in the bud would really make my day.
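A defender-side check for the property Wierd asks about and Pharaoh_Atem restates: flag any process called lsass.exe that is not backed by %SystemRoot%\system32\lsass.exe. This is an added example, not code from the thread or from ReactOS; it runs over a constructed process listing, and the system root path is a parameter.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEntry:
    pid: int
    name: str        # process name as a task manager would show it
    image_path: str  # full path of the executable backing the process


def normalize(path: str) -> str:
    """Canonicalise a Windows path: one separator style, no '..' segments, case-folded."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def find_lsass_impostors(processes, system_root):
    """Flag every process called lsass.exe whose image is not %SystemRoot%\\system32\\lsass.exe.

    Returns a list of (ProcessEntry or None, reason) pairs; an empty list means nothing suspicious.
    """
    expected = normalize(ntpath.join(system_root, "system32", "lsass.exe"))
    findings, genuine = [], []
    for proc in processes:
        if proc.name.lower() != "lsass.exe":
            continue
        if normalize(proc.image_path) == expected:
            genuine.append(proc)
        else:
            findings.append((proc, f"lsass.exe running from {proc.image_path}, not {expected}"))
    # Only one genuine LSASS exists; a second copy at the system path means the listing is spoofed.
    for proc in genuine[1:]:
        findings.append((proc, "duplicate lsass.exe at the system path"))
    if not genuine:
        findings.append((None, "no lsass.exe running from the system path"))
    return findings


# Constructed process listing: the genuine service plus a %Windir%-based impostor like the one in the thread.
SAMPLE_PROCESSES = [
    ProcessEntry(4, "System", ""),
    ProcessEntry(612, "lsass.exe", r"C:\WINNT\system32\lsass.exe"),
    ProcessEntry(1488, "LSASS.EXE", r"C:\WINNT\lsass.exe"),
    ProcessEntry(1902, "explorer.exe", r"C:\WINNT\explorer.exe"),
]

if __name__ == "__main__":
    for proc, reason in find_lsass_impostors(SAMPLE_PROCESSES, r"C:\WINNT"):
        print(f"pid {proc.pid if proc else '-'}: {reason}")
```

The path comparison is done on the image path, not the displayed name, so a copy launched from %Windir% or through a `..` segment is caught regardless of letter case.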
mokrates
Posts: 15
Joined: Sat Mar 11, 2006 10:12 pm

Post by mokrates »

What about implementing signing into ROS? Meanwhile even Debian signs its packages, and it is possible to let even the Linux kernel check for hashes of modules (device drivers), so they don't get replaced or something.

That would prevent a lot of such things.

And yeah. This is indeed something which is related to TCPA/TPM. But first, you can do it in software too, and second, if it's done open source, it's done the good way and for the common good.

MoKrates
Pharaoh_Atem
Posts: 129
Joined: Sun Feb 26, 2006 5:33 am

Post by Pharaoh_Atem »

mokrates wrote:
What about implementing signing into ROS? Meanwhile even Debian signs its packages, and it is possible to let even the Linux kernel check for hashes of modules (device drivers), so they don't get replaced or something.

That would prevent a lot of such things.

And yeah. This is indeed something which is related to TCPA/TPM. But first, you can do it in software too, and second, if it's done open source, it's done the good way and for the common good.

MoKrates
The Win32 platform is so insanely big that it is nearly impossible to do... However, the ReactOS system itself could be digitally signed, and then drivers that are not digitally signed are verified with the user. If the user says that he/she wants to install the drivers, then ReactOS will sign the drivers so that spyware cannot replace it without it being detected... This would be extremely complex. And trusted FOSS software should be given special signed keys, so that installations with them go smoothly... Such as the Nullsoft Install System should have an install key to work with ReactOS. Mozilla Firefox and Mozilla Thunderbird should be given ones as well... This might be too much, but there are a lot of Firefox installer impersonations...
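Pharaoh_Atem's proposal above (record user-approved drivers so that a later replacement is detected) as an added example that is not ReactOS code: an HMAC-SHA256 tag under a key the system holds stands in for the digital signature the post describes, and the driver images are constructed in-memory byte strings.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a driver directory: file name -> image bytes.
DRIVERS = {
    "ntfs.sys": b"genuine ntfs driver image (constructed)",
    "tcpip.sys": b"genuine tcpip driver image (constructed)",
}


def approve_and_sign(files: dict, key: bytes) -> dict:
    """Record the SHA-256 of every user-approved file and bind the record with an HMAC tag."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    payload = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "tag": hmac.new(key, payload, "sha256").hexdigest()}


def verify(files: dict, manifest: dict, key: bytes) -> list:
    """Return findings: altered manifest, modified/replaced file, unapproved file, or missing file."""
    payload = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_tag = hmac.new(key, payload, "sha256").hexdigest()
    # Check the manifest first: a spyware that edits the record must not be able to bless itself.
    if not hmac.compare_digest(manifest["tag"], expected_tag):
        return ["manifest tag invalid: the manifest itself was altered"]
    findings = []
    for name, data in files.items():
        approved = manifest["digests"].get(name)
        if approved is None:
            findings.append(f"{name}: not approved (absent from manifest)")
        elif hashlib.sha256(data).hexdigest() != approved:
            findings.append(f"{name}: contents changed since approval")
    for name in manifest["digests"]:
        if name not in files:
            findings.append(f"{name}: approved file missing")
    return findings


if __name__ == "__main__":
    key = b"constructed-signing-key"  # in a real system this lives where user code cannot read it
    manifest = approve_and_sign(DRIVERS, key)
    replaced = dict(DRIVERS, **{"tcpip.sys": b"not the approved driver"})
    print(verify(DRIVERS, manifest, key), verify(replaced, manifest, key))
```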
ThePhysicist
Developer
Posts: 509
Joined: Mon Apr 25, 2005 12:46 pm

Post by ThePhysicist »

In fact I would appreciate it if ROS would make folders like "ReactOS\", "ReactOS\bin", "ReactOS\lib" and so on, which can definitely not be written into by 3rd party apps. Leave the damn system32 folder empty, only for apps that really want to put something in there.

I had a bad spyware some time ago, too. There were several randomly named .exes in a randomly named folder under Program Files. They were started by a registry key. When I tried to kill one of the processes, it was instantly recreated by one of the other processes. When I tried to remove the registry entries, they were instantly recreated by the processes. So I rejected the right of creating keys inside that registry folder for everybody. Even System and Admin. I deleted the keys and restarted regedit, they were there again, don't know how this can be done, maybe by directly writing into the registry hive file. So I rejected complete read access to the folder where the exes were for everybody and restarted. It worked! I regained possession of that folder, deleted everything and then rejected everything for everybody again. This worked for me.

Some time later I got a PC from a friend, who told me that things were working badly. So I looked and found the same thing. But this time my method didn't work. The spyware regained access to the folder and started. I found that there was a rootkit on the PC. So I used the emergency recovery console and deleted the folder and the rootkit driver. After that everything was fine again. Oh, what would I do without that fine recovery console? It's quick and easy and works almost all the time! I have seen "solutions" in some threads that were pages long and very difficult, using several different applications like RootkitRevealer and other stuff.

And since I have WinPooch installed I have never had any problems with spyware again! It may have some bugs, as it's still beta, but it's already sufficient for me. I don't have another desktop firewall. After half a year not a single spyware entry found by SB S&D. And it's very easy to use and OSS. I can recommend it.

It doesn't work on ROS, it says that there was regprotect and another system protection application installed and that it couldn't start. I think that is good, ROS seems already safer than XP!
MadRat
Posts: 243
Joined: Fri Feb 04, 2005 8:29 am
Contact:

Post by MadRat »

Do you not own a Bart's PE disk? Go talk to your favourite super duper techs and ask them for a Super Win PE disk... problems with viruses suddenly become less of a problem.
*************************************
Go Huskers!