Comments on: Conficker shows us the future – and it sucks http://www.dnorth.net/2009/03/27/conficker-and-the-future-of-home-computing/ The scribblings of an Oxford-based geek Tue, 23 Nov 2010 22:31:48 +0000 hourly 1 http://wordpress.org/?v=3.0.5 By: akenyon http://www.dnorth.net/2009/03/27/conficker-and-the-future-of-home-computing/#comment-16 akenyon Tue, 31 Mar 2009 11:33:43 +0000 http://www.dnorth.net/?p=110#comment-16 Here is an exciting article about Conficker which i read coincidentally about a minute before i came here: http://news.bbc.co.uk/1/hi/technology/7973131.stm Here is an exciting article about Conficker which i read coincidentally about a minute before i came here:

http://news.bbc.co.uk/1/hi/technology/7973131.stm

]]> By: michael http://www.dnorth.net/2009/03/27/conficker-and-the-future-of-home-computing/#comment-15 michael Mon, 30 Mar 2009 13:06:01 +0000 http://www.dnorth.net/?p=110#comment-15 >The question has to be asked, though - why the hell is it possible for code running > as a limited user - or, come to that, any user - to intercept API calls like this? Erm, I think you'll find that the user hasn't run Windows Update very recently (were they still on SP2?), and so they've been hit by an exploit that uses a known and patched vulnerability that allows privilege escalation. And once you're an admin, well, you've generally got the right to modify memory. FWIW, in recent cases I've had to deal with like this, my professional advice has been "pull your data off, let me scan it for nasties (mmm, autoruns), and re-install Windows. And then maybe we'll let you back on the network". >The question has to be asked, though – why the hell is it possible for code running
> as a limited user – or, come to that, any user – to intercept API calls like this?

Erm, I think you’ll find that the user hasn’t run Windows Update very recently (were they still on SP2?), and so they’ve been hit by an exploit that uses a known and patched vulnerability that allows privilege escalation. And once you’re an admin, well, you’ve generally got the right to modify memory.

FWIW, in recent cases I’ve had to deal with like this, my professional advice has been “pull your data off, let me scan it for nasties (mmm, autoruns), and re-install Windows. And then maybe we’ll let you back on the network”.

]]>