Sysinternals Forum > Windows Discussions > Malware

Trojans using forbidden file names

EP_X0FF (Senior Member, Russian Federation, joined 08 March 2006, 4753 posts)
Topic: Trojans using forbidden file names
Posted: 12 February 2008 at 11:08pm
Hello,

I'm looking for trojan samples which create forbidden-named files/directories in the process of their work.

For example some USB flash trojan creates a runauto.. directory and places itself inside. Such a directory will be inaccessible for Explorer and for some AV's. Or a trojan names its files as "lpt1", "com", "con".

If you have something like this, please send me a PM :)
Thank you.
Ring0 - the source of inspiration
fcukdat (Senior Member, United Kingdom, joined 02 September 2006, 370 posts)
Posted: 12 February 2008 at 11:25pm
The original Gromozon infection was using the Encrypting File System (EFS).

I have samples.
___________
Ade Gill
Malwarebytes Researcher

Elite (Senior Member, United States, joined 15 April 2007, 152 posts)
Posted: 13 February 2008 at 12:51am
Not necessarily a trojan (depends who you ask), but SecuROM 7 stores its Application Data (in the SecuROM folder) in files which have illegal file names. You cannot delete them with Explorer. You need a special wildcard with the "del" command in the command prompt.
4 > 1
SystemPro (Senior Member, Germany, joined 26 April 2007, 465 posts)
Posted: 13 February 2008 at 1:28am
Originally posted by EP_X0FF

I'm looking for trojan samples which create forbidden-named files/directories in the process of their work.

For example some USB flash trojan creates a runauto.. directory and places itself inside. Such a directory will be inaccessible for Explorer and for some AV's. Or a trojan names its files as "lpt1", "com", "con".

I am wondering why you don't have samples of your own, and wondering for which reason you need that..

Originally posted by Elite

Not necessarily a trojan (depends who you ask), but SecuROM 7 stores its Application Data (in the SecuROM folder) in files which have illegal file names. You cannot delete them with Explorer. You need a special wildcard with the "del" command in the command prompt.

I also wonder why Microsoft is not able to fix this bug to force companies to use legal methods.
SecuRom is a company that relies on exploits; crazy that this seems to be widely accepted.

Edited by SystemPro - 13 February 2008 at 1:34am
EP_X0FF (Senior Member, Russian Federation, joined 08 March 2006, 4753 posts)
Posted: 13 February 2008 at 1:38am
@SystemPro
I also wonder why Microsoft is not able to fix this bug to force companies to use legal methods.

This is not a bug. These are limitations of the Win32 API. I can tell that such things will work even on Vista with SP1.

@fcukdat
Yes, Gromozon was one of such trojans; if you have "alive" samples it would be very good if you could share them with me.

@Elite
And additionally SecuROM creates a registry key with embedded nulls under HKCU\Software\SecuROM.

Edited by EP_X0FF - 13 February 2008 at 1:40am
Ring0 - the source of inspiration
SystemPro (Senior Member, Germany, joined 26 April 2007, 465 posts)
Posted: 13 February 2008 at 1:48am
Originally posted by EP_X0FF

This is not a bug. These are limitations of the Win32 API. I can tell that such things will work even on Vista with SP1.

And what happens in 64-bit?
Elite (Senior Member, United States, joined 15 April 2007, 152 posts)
Posted: 13 February 2008 at 2:04am
Originally posted by SystemPro

This is not a bug. These are limitations of the Win32 API. I can tell that such things will work even on Vista with SP1.
And what happens in 64-bit?

Probably the same thing.
4 > 1
EP_X0FF (Senior Member, Russian Federation, joined 08 March 2006, 4753 posts)
Posted: 13 February 2008 at 3:46am
Originally posted by SystemPro

And what happens in 64-bit?

On my 64-bit Vista Ultimate I am still able to crash/confuse the Windows Shell by using long file names, forbidden names, etc. Nothing new in the Shell directory listing / file access algorithms. More to say - an NTFS hard link causes unnecessary shell warnings (e.g. try to open the Documents and Settings folder on Vista with Explorer).

Forbidden file names such as "lpt", "con", "com" and folder names "..", "." are a 16-bit legacy and exist, as I understand, for compatibility reasons. Internally Windows is able to operate with such file system objects through Native API routines and in some cases UNC.

All trojans can work in the same manner as on Windows XP for example. And AFAIK XP SP3 doesn't contain these shell changes so necessary for security.
Ring0 - the source of inspiration
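The names discussed in this thread (device names like aux.exe, con, lpt1 and folders such as runauto.. that Explorer cannot list or delete, while the kernel still reaches them through the \\?\ prefix) can be hunted for from the defender's side. The Python scanner below is an added example, not code from any poster; its function names are my own, it flags the standard DOS reserved device names plus names ending in a dot or space (bare "com" or "lpt" without a digit is not reserved and is not flagged), and its sample tree is constructed in a temporary directory.

```python
import os
import tempfile

# Standard DOS device names; Win32 treats them as devices even with an
# extension ("aux.exe", "con.txt"), so Explorer cannot open or delete them.
RESERVED_DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                         | {f"COM{i}" for i in range(1, 10)}
                         | {f"LPT{i}" for i in range(1, 10)})

def is_suspicious_name(name: str) -> bool:
    """True if Win32/Explorer would mishandle this directory entry name."""
    if name in ("", ".", ".."):
        return False                              # ordinary listing entries
    stem = name.split(".", 1)[0].rstrip(" ")      # device check ignores extension
    if stem.upper() in RESERVED_DEVICE_NAMES:
        return True
    # Win32 silently strips trailing dots/spaces, so "runauto.." or "dir "
    # cannot even be named through ordinary path APIs.
    return name != name.rstrip(". ")

def extended_path(path: str) -> str:
    """On Windows return the \\\\?\\ prefixed form, which skips Win32 DOS-name parsing."""
    if os.name != "nt" or path.startswith("\\\\?\\"):
        return path
    if not os.path.isabs(path):
        path = os.path.abspath(path)
    if path.startswith("\\\\"):                   # \\server\share -> \\?\UNC\...
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path

def find_suspicious(root: str) -> list:
    """Walk root and return every path whose last component Explorer cannot handle."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(extended_path(root)):
        for entry in dirnames + filenames:
            if is_suspicious_name(entry):
                hits.append(os.path.join(dirpath, entry))
    return hits

def demo() -> list:
    """Constructed sample tree: plant names from the thread and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(extended_path(os.path.join(tmp, "runauto..")))
        for name in ("aux.exe", "lpt1", "readme.txt", "command.com"):
            with open(extended_path(os.path.join(tmp, name)), "w") as fh:
                fh.write("constructed sample\n")
        return sorted(os.path.basename(p) for p in find_suspicious(tmp))

if __name__ == "__main__":
    print(demo())   # ['aux.exe', 'lpt1', 'runauto..']
```

On Windows, pass the returned paths through extended_path() again when removing them, since that is the same \\?\ form the HJT entry in this thread shows the malware itself using.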
fcukdat (Senior Member, United Kingdom, joined 02 September 2006, 370 posts)
Posted: 13 February 2008 at 11:42am
EP,

I have many working samples (droppers) that install the Gromozon RK infection, which incorporates the EFS service file.

Just to make sure I got gromozoned to the eyeballs again.

Dropper>>>

Amongst other nasty Gromozon infection components, it drops this 'lil beauty.
HJT Entry-
O23 - Service: LogPrf - Unknown owner - \\?\C:\Program Files\Windows NT\aux.exe (file missing)

Space inserted in the file title when copied using IceSword in order to facilitate uploading to the VT service.

Gromozon had landed and is about to get expunged.

Edited by fcukdat - 13 February 2008 at 12:14pm
___________
Ade Gill
Malwarebytes Researcher

SystemPro (Senior Member, Germany, joined 26 April 2007, 465 posts)
Posted: 13 February 2008 at 4:07pm
Nice, 7.tmp moved to windir temp.

Originally posted by EP_X0FF

On my 64-bit Vista Ultimate I am still able to crash/confuse the Windows Shell by using long file names, forbidden names, etc. Nothing new in the Shell directory listing / file access algorithms. More to say - an NTFS hard link causes unnecessary shell warnings (e.g. try to open the Documents and Settings folder on Vista with Explorer).

Forbidden file names such as "lpt", "con", "com" and folder names "..", "." are a 16-bit legacy and exist, as I understand, for compatibility reasons. Internally Windows is able to operate with such file system objects through Native API routines and in some cases UNC.

All trojans can work in the same manner as on Windows XP for example. And AFAIK XP SP3 doesn't contain these shell changes so necessary for security.

The same is valid for SP2? So hell gates remain because of compatibility reasons.