azalemeth 6 hours ago
This all sounds like a wonderful way to write some truly annoying malware. I expect to see hidden mounts on SQL-escape-type-maliciously-named drives soon...

Someone1234 5 hours ago
I understand your point; but I'm struggling to see how this could be weaponized. Keep in mind that these DOS-compatible drive letters need to map to a real NT path endpoint (e.g. a drive/volume); so it isn't clear how the malware could both have a difficult-to-scan DOS tree while also not exposing that same area elsewhere for trivial scanning.

rwmj 4 hours ago
I'm betting there's some badly written AV software out there which will crash on non-standard drive letters, allowing at least a bit of mayhem.

avidiax an hour ago
Not sure if it is natively supported, but the malware can just decrypt a disk image to RAM and create a RAM disk mounted to +. Or it can maybe have a user space driver for a loop device, so the sectors of the drive are only decrypted on the fly. It would likely break a lot of analysis tools and just generally make things very difficult.

buzer 3 hours ago
The recovery partition might work if it exists.
|
|
ahoka 4 hours ago
Wait until you learn about Alternate Data Streams…

p_ing 3 hours ago
They had their use when running Services for Macintosh.

jeroenhd 2 hours ago
They're still actively used to apply the Mark of the Web to indicate a file has been downloaded from an untrusted zone and should be handled with caution. I believe macOS also applies similar metadata. There are a few other places where they also show up, but the MotW is the most prevalent one I've found. Most antivirus programs will warn you for unusual alternate data streams regardless of what they contain.
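The Mark of the Web described above is itself just an alternate data stream named `Zone.Identifier` containing an INI-style `[ZoneTransfer]` section, so the same enumeration that finds unusual streams also reads the MotW. The PowerShell script below is an added example, not code from the thread: it creates a scratch folder with constructed sample files (one carrying a browser-style Zone.Identifier stream, one carrying an arbitrary non-MotW stream), then walks the folder, lists every stream other than the file's own `:$DATA`, and decodes the `ZoneId` where present. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the folder under `$env:TEMP` and the file names are chosen for the example.

```powershell
# Added example (not from the thread): enumerate alternate data streams under a
# directory and decode the Zone.Identifier (Mark of the Web) stream.
# Assumes an NTFS volume; all sample files below are constructed for the demo.
param(
    [string]$Root = (Join-Path $env:TEMP 'ads-demo')   # hypothetical scratch folder
)

# --- constructed sample data -------------------------------------------------
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$downloaded = Join-Path $Root 'report.docx'
$local      = Join-Path $Root 'notes.txt'
$odd        = Join-Path $Root 'installer.exe'
foreach ($f in $downloaded, $local, $odd) { Set-Content -Path $f -Value 'constructed file body' }

# Write a Zone.Identifier stream the way a browser would (ZoneId 3 = Internet).
Set-Content -Path $downloaded -Stream 'Zone.Identifier' -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'ReferrerUrl=https://example.invalid/',
    'HostUrl=https://example.invalid/report.docx'
)
# Write a non-MotW stream on another file: the kind AV flags as unusual.
Set-Content -Path $odd -Stream 'payload.bin' -Value 'constructed opaque data'

# --- inspection --------------------------------------------------------------
$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-AdsReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file = $_
        # -Stream * lists every named stream; ':$DATA' is the ordinary file content.
        Get-Item -Path $file.FullName -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $stream = $_
                $zone = $null
                if ($stream.Stream -eq 'Zone.Identifier') {
                    $text = Get-Content -Path $file.FullName -Stream 'Zone.Identifier' -Raw
                    if ($text -match '(?m)^ZoneId=(\d+)') {
                        $id = [int]$Matches[1]
                        $zone = if ($zoneNames.ContainsKey($id)) { $zoneNames[$id] } else { "Unknown($id)" }
                    }
                }
                $note = if ($stream.Stream -eq 'Zone.Identifier') { 'Mark of the Web' } else { 'unusual ADS, review' }
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $stream.Stream
                    Bytes  = $stream.Length
                    Zone   = $zone
                    Note   = $note
                }
            }
    }
}

Get-AdsReport -Path $Root | Format-Table -AutoSize
```

On the constructed data the report shows `report.docx` with a `Zone.Identifier` stream decoded as `Internet`, `installer.exe` with the `payload.bin` stream marked for review, and nothing for `notes.txt`. `Get-Item -Stream *` and `Get-Content -Stream` are the cmdlet-level way to see these streams; `dir /r` from cmd.exe shows the same names.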

boston_clone 3 hours ago
Decent writeup from CS with that evasion method described - https://www.crowdstrike.com/en-us/blog/anatomy-of-alpha-spid...
|
|
hulitu 5 hours ago
> This all sounds like a wonderful way to write some truly annoying malware.

AFAIK you need admin privileges to play with drives in Windows.