Re: Any Protection against the Phrack 55-5 hack ?
Michael Siwinski (siwinski KODAK.COM)
Wed, 6 Oct 1999 15:09:49 -0400
- Next message: Peter da Silva: "Re: What if you cannot trust your antivirus-software?"
- Previous message: Exchange: "Re: Any Protection against the Phrack 55-5 hack ?"
- Maybe in reply to: AS: "Any Protection against the Phrack 55-5 hack ?"
- Next in thread: Matthew Mucker: "Re: Any Protection against the Phrack 55-5 hack ?"
Here is an interesting note about this subject. It appears that there is
a virus out that attempts to patch the NT kernel, to give full file access
to all users. You can read about it at:
http://www.sarc.com/avcenter/venc/data/w32.bolzano.html
Adam Shostack wrote:
> No argument with the assertion that you can quickly patch any OS;
> perhaps not in 4 bytes,
SARC wrote:
> The virus modifies only 2 bytes in an undocumented security API called
> SeAccessCheck that is part of ntoskrnl.exe. This way Bolzano is able to
> give full access to all users to each file regardless of its protection . . . .
> If the kernel gets corrupted ntldr is supposed to stop
> loading ntoskrnl.exe and display an error message even before
> a "blue screen" appears. In order to avoid this particular
> problem W32.Bolzano also patches the ntldr so that no error
> message will be displayed and Windows NT will boot just fine
> even if its checksum does not match with the original.
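
Added example, not part of the original message or the SARC write-up: an offline check that recomputes a PE file's header checksum and compares it with the stored value. It assumes the checksum SARC refers to is the CheckSum field of the PE optional header; `build_sample` produces a constructed buffer, not a real ntoskrnl.exe.

```python
import struct
import sys

# PE signature (4) + COFF header (20) + position of CheckSum in the optional header (64)
CHECKSUM_FROM_PE_SIG = 88

def checksum_field_offset(image: bytes) -> int:
    """Locate the 4-byte CheckSum field via the MZ header's e_lfanew pointer."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    if e_lfanew + CHECKSUM_FROM_PE_SIG + 4 > len(image):
        raise ValueError("truncated PE header")
    return e_lfanew + CHECKSUM_FROM_PE_SIG

def pe_checksum(image: bytes) -> int:
    """Recompute the image checksum: 16-bit sum with carry folding, plus file length."""
    off = checksum_field_offset(image)
    buf = bytearray(image)
    buf[off:off + 4] = b"\0\0\0\0"      # the stored field itself counts as zero
    if len(buf) % 2:
        buf.append(0)                   # pad to a whole 16-bit word
    total = sum(struct.unpack("<%dH" % (len(buf) // 2), buf))
    while total >> 16:                  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(image)) & 0xFFFFFFFF

def checksum_matches(image: bytes) -> bool:
    """True when the header's stored CheckSum equals the recomputed value."""
    stored = struct.unpack_from("<I", image, checksum_field_offset(image))[0]
    return stored == pe_checksum(image)

def build_sample() -> bytes:
    """Constructed 512-byte buffer with MZ/PE markers and a valid stored checksum."""
    buf = bytearray(512)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    buf[0x100:0x110] = bytes(range(16))              # stand-in for code bytes
    struct.pack_into("<I", buf, 0x80 + CHECKSUM_FROM_PE_SIG, pe_checksum(bytes(buf)))
    return bytes(buf)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("stored checksum matches:", checksum_matches(data))
```

This checksum is not cryptographic, and anyone able to write the file can restamp it, so a match only rules out a careless modification; compare a cryptographic hash against known-good media as well. Because the quoted description has the loader's own check being patched out, run any such verification from a trusted environment rather than on the suspect system.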
This archive was generated by hypermail 2.0b3 on Thu Oct 07 1999 - 14:52:40 CDT