Tuesday, January 13, 2009
Ah, so that's why it's so hard to clean a Windows box
M: Yes. I should probably first speak about how adware works. Most adware targets Internet Explorer (IE) users because obviously they're the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you're using IE, then either you don't care or you don't know about all the vulnerabilities that IE has.
IE has a mechanism called a Browser Helper Object (BHO) which is basically a gob of executable code that gets informed of web requests as they're going …
If you also have an installer, a little executable, you can make a Registry entry and every time this thing reboots, the installer will check to make sure the BHO is there …
The next thing … I did … was make a poller which continuously polls about every 10 seconds or so to see if the BHO was there and alive …
Next we made a function shuffler, which would go into an executable, take the functions and randomly shuffle them …
We then made a bootstrapper, which was a tiny tiny piece of code written in Assembler which would decrypt the executable in memory, and then just run it …
So we've progressed now from having just a Registry key entry, to having an executable, to having a randomly-named executable, to having an executable which is shuffled around a little bit on each machine, to one that's encrypted—really more just obfuscated—to an executable that doesn't even run as an executable. It runs merely as a series of threads. Now, those threads can communicate with one another, they would check to make sure that the BHO was there and up, and that whatever other software we had was also up.
…
We did create unwritable registry keys and file names, by exploiting an “impedance mismatch” between the Win32 API and the NT API …
We also wrote a device driver and then a printer driver. When you write a device driver you get to do all sorts of crazy things …
There was also of course Scheme. Eventually, we got sick of writing a new C program every time we wanted to go kick somebody off of a machine. Everybody said, “What we need is something configurable.” I said, “Let's install a Turing-complete language,” and for that I used tinyScheme, which is a BSD-licensed, very small, very fast implementation of Scheme that can be compiled down into about a 20K executable if you know what you're doing. Eventually, instead of writing individual executables every time a worm came out, I would just write some Scheme code, put that up on the server, and then immediately all sorts of things would go dark. It amounted to a distributed code war on a 4-10 million-node network.
S: In your professional opinion, how can people avoid adware?
M: Um, run UNIX.
Via Flutterby, philosecurity » Blog Archive » Interview with an Adware Author
Sorry for the long quote here, but just reading through what this adware programmer was able to do under Windows is just stunning. Because of what this programmer was able to do, I'm half in awe (like splitting a program to run parasitically among other processes) and half in horror (because there's no single “process” to kill).
Wow …
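The interview names two footholds that are easy to inspect by hand: the Browser Helper Object registrations IE loads, and the Run keys that relaunch an installer at every boot. The script below is an added example (not from the interview, the adware author, or the original post) that enumerates both and flags entries whose backing file is missing or lives outside Program Files and the Windows directory, a common heuristic for spotting droppers that hide in temp or profile directories. The registry paths are the standard Windows locations; the `Resolve-ImagePath` and `Test-Suspicious` helpers and the "trusted roots" heuristic are this example's own choices, not anything the page prescribes. It is read-only; run it elevated to read HKLM fully.

```powershell
# Added example: list IE Browser Helper Objects and Run-key autostarts, and flag
# entries whose file is missing or outside the usual install locations.
# Read-only. The heuristic (trusted roots) is an assumption of this example.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Directories where legitimately installed components normally live.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Resolve-ImagePath {
    param([string]$Raw)
    if (-not $Raw) { return $null }
    # Expand %VAR% references, then strip quotes and any command-line arguments.
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($p.StartsWith('"')) { $p = $p.Substring(1).Split('"')[0] }
    else { $p = ($p -split '\s+')[0] }
    return $p
}

function Test-Suspicious {
    param([string]$Path)
    if (-not $Path) { return $true }                            # no resolvable file
    if (-not (Test-Path -LiteralPath $Path)) { return $true }   # dangling entry
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true                                                # lives somewhere unusual
}

$findings = @()

# BHOs are registered by CLSID; the DLL is the default value of the CLSID's InprocServer32 key.
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $clsid = $sub.PSChildName
        $dll = $null
        foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
            $srv = Join-Path $hive "$clsid\InprocServer32"
            if (Test-Path $srv) { $dll = (Get-Item $srv).GetValue(''); break }
        }
        $path = Resolve-ImagePath $dll
        $findings += [pscustomobject]@{
            Kind = 'BHO'; Name = $clsid; Path = $path; Suspicious = (Test-Suspicious $path)
        }
    }
}

# Run keys hold one value per autostart: value name = label, value data = command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $path = Resolve-ImagePath ([string]$item.GetValue($name))
        $findings += [pscustomobject]@{
            Kind = 'Run'; Name = $name; Path = $path; Suspicious = (Test-Suspicious $path)
        }
    }
}

# Suspicious entries first; compare the flagged paths against what you expect to be installed.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A flagged row is a lead, not a verdict: plenty of legitimate software installs under the user profile, and the interview's point is precisely that a persistent installer will recreate any entry you delete, so a removal that sticks has to take out the poller and the loader at the same time as the key.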