Guest Larry(LJL269) Posted December 1, 2008

If so, how difficult would it be to accomplish?

Your help is MUCH appreciated. Thanks- bye- Larry

----------------------------------------------------------------------
A working unsecure OS is infinitely better than a non-working secure OS.
Just spent 1 week cleaning up the mess WUpdate made preventing
hypothetical security problems. http://microscum.com/comsense/
Guest David H. Lipman Posted December 1, 2008

From: "Larry(LJL269)" <NO@EMAIL.COM>

| If so, how difficult would it be to accomplish?
| Your help is MUCH appreciated. Thanks- bye- Larry

Yes, it's easy. Just inject a DLL in a process that loads in both Normal and Safe Modes.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Stefan Kanthak Posted December 1, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

> From: "Larry(LJL269)" <NO@EMAIL.COM>
>
> | If so, how difficult would it be to accomplish?
> | Your help is MUCH appreciated. Thanks- bye- Larry
>
> Yes, it's easy. Just inject a DLL in a process that loads in both Normal and Safe Modes.

But which process injects this DLL? And who starts the injector process?
Back to square one!
Malware has to install a driver/service and create the necessary registry entries beyond
[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\<driver/service>]
to start automatically in safe mode, for example.

Stefan
Guest FromTheRafters Posted December 1, 2008

Safe Mode only reduces the number of programs run at startup to those needed by the OS and GUI.

"Larry(LJL269)" <NO@EMAIL.COM> wrote in message news:en67j4lk0nr7qcb5044fpqjnpiph1cpo0i@4ax.com...
> If so, how difficult would it be to accomplish?
>
> Your help is MUCH appreciated. Thanks- bye- Larry
>
> ----------------------------------------------------------------------
>
> A working unsecure OS is infinitely better than non-working secure OS.
> Just spent 1 week cleaning up the mess WUpdate made preventing
> hypothetical security problems. http://microscum.com/comsense/
Guest David H. Lipman Posted December 1, 2008

From: "Stefan Kanthak" <postmaster@[127.0.0.1]>

| Which process but injects this DLL? And who starts the injector
| process?
| Back to square one!

A trojan dropper or trojan downloader may inject the process.

| Malware has to install a driver/service and create the necessary
| registry entries beyond
| [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\<driver/service>]
| to start automatically in safe mode, for example.
| Stefan

One of many places to inject a DLL is...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Two others using EXE files are under...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit
C:\WINDOWS\system32\userinit.exe, malware_name.exe

Shell
Explorer.exe malware_name.exe

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Stefan Kanthak Posted December 1, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

> From: "Stefan Kanthak" <postmaster@[127.0.0.1]>
>
> | Which process but injects this DLL? And who starts the injector
> | process?
> | Back to square one!
>
> A trojan dropper or trojan downloader may inject the process

Yes. But this dropper/downloader needs to run then already, therefore it has to be started somehow.
The OP's question was: is this possible in safe mode too?
DLL injection does NOT start any malware in the first place; DLL injection is the result when malware uses this attack vector.

> | Malware has to install a driver/service and create the necessary
> | registry entries
> | beyond
> | [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\<driver/service>]
> | to
> | start automatically in safe mode, for example.
    ~~~~~~~~~~~
> | Stefan
>
> One of many places to inject a DLL is...

OK, so your definition of "DLL injection" differs from mine: I did not consider that "static" and more or less trivial way of DLL injection.

> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

In safe mode too? I don't know this for sure.

> Two others using EXE files are under...
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>
> Userinit
> C:\WINDOWS\system32\userinit.exe, malware_name.exe
>
> Shell
> Explorer.exe malware_name.exe

The latter not in "safe mode with command line only"!

Stefan
Guest David H. Lipman Posted December 1, 2008

From: "Stefan Kanthak" <postmaster@[127.0.0.1]>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

| Yes. But this dropper/downloader needs to run then already, therefore
| it has to be started somehow.
| The OPs question was: is this possible in safe mode too?
| DLL injection does NOT start any malware in the first place,
| DLL injection is the result when malware uses this attack vector.

Yes. But once executed the damage is done and the modifications have been made.

>> | Malware has to install a driver/service and create the necessary
>> | registry entries
>> | beyond
>> | [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\<driver/service>]
>> | to
>> | start automatically in safe mode, for example.
|     ~~~~~~~~~~~
>> | Stefan

>> One of many places to inject a DLL is...

| OK, so your definition of "DLL injection" differs from mine: I did
| not consider that "static" and more or less trivial way of DLL
| injection.

>> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

| In safe mode too? I don't know this for sure.

Sure. I only mentioned the Winlogon/Notify. There are many startup points that can be used. Too many to elaborate on.

>> Two others using EXE files are under...
>> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>>
>> Userinit
>> C:\WINDOWS\system32\userinit.exe, malware_name.exe
>>
>> Shell
>> Explorer.exe malware_name.exe

| The latter not in "safe mode with command line only"!

| Stefan

Maybe, but "Safe Mode with Command Prompt Only" is not the way a user would use the PC. It may be used for modifications or corrections, but since it doesn't create a GUI nor load the OS fully, a PC user will not be using this mode on a daily or even monthly basis.

The question was "Can Malware Automatically Startup in Safe Mode?" The answer is yes.
With the followup question "If so, how difficult would it be to accomplish?" The answer is it is not difficult at all.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
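As a defender-side complement to the startup locations the thread names, here is an added PowerShell audit script (not from any poster) that lists the Winlogon Userinit and Shell values, the Winlogon\Notify packages and the SafeBoot\Minimal entries, and flags Userinit/Shell when they carry anything beyond the stock executable. The stock values userinit.exe and explorer.exe are assumed defaults, and resolving each SafeBoot entry to a service ImagePath is my addition.

```powershell
# Added example: audit the Safe Mode autostart points discussed in the thread.
# Run from an elevated PowerShell. Expected defaults are assumptions for a stock
# install; compare the SafeBoot list against an export from a known-clean machine.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$SafeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-WinlogonValue {
    param([string]$Name, [string]$ExpectedExe)
    $value = (Get-ItemProperty -Path $Winlogon -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $value) { return "$Name is missing  <-- review" }
    # Userinit is comma-separated, Shell is comma/space-separated; keep non-empty parts.
    $parts = $value -split '[,\s]+' | Where-Object { $_ }
    $first = Split-Path -Leaf $parts[0]
    # A stock value names exactly one executable; anything appended is an extra autostart.
    if ($parts.Count -gt 1 -or $first -ine $ExpectedExe) {
        return "$Name = '$value'  <-- review: expected only $ExpectedExe"
    }
    return "$Name = '$value'  (ok)"
}

Write-Host '== Winlogon Userinit / Shell =='
Test-WinlogonValue -Name 'Userinit' -ExpectedExe 'userinit.exe'
Test-WinlogonValue -Name 'Shell'    -ExpectedExe 'explorer.exe'

# Winlogon\Notify packages: DLLs loaded by winlogon.exe itself (XP era; normally
# absent on Vista and later, so any entry on a newer system is worth a look).
Write-Host "`n== Winlogon\Notify DLLs =="
Get-ChildItem "$Winlogon\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath).DllName
    '{0,-24} {1}' -f $_.PSChildName, $dll
}

# SafeBoot\Minimal: each subkey names a driver, service, group or class GUID that
# is permitted to load in Safe Mode. The (default) value gives its kind; for
# services we also show the binary the Services key points at.
Write-Host "`n== SafeBoot\Minimal entries =="
Get-ChildItem -Path $SafeBoot | ForEach-Object {
    $name = $_.PSChildName
    $kind = (Get-ItemProperty -Path $_.PSPath).'(default)'
    $svc  = Get-ItemProperty -Path "$Services\$name" -ErrorAction SilentlyContinue
    $path = if ($svc -and $svc.ImagePath) { $svc.ImagePath } else { '' }
    '{0,-40} {1,-14} {2}' -f $name, $kind, $path
}
```

Entries under SafeBoot\Minimal whose ImagePath points outside the Windows system directories, or that do not appear in a clean baseline, are the ones the posters describe malware adding to survive Safe Mode.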