Malware Taps Windows' 'God Mode'
Reader wiredmikey writes: Researchers at McAfee have discovered a piece of malware dubbed "Dynamer" that is taking advantage of a Windows Easter Egg -- or a power user feature, as many see it -- called "God Mode" to gain persistence (warning: annoying popup ads) on an infected machine. God Mode, as many of you know, is a handy tool for administrators as it is essentially a shortcut to accessing the operating system's various control settings. Dynamer malware is abusing the function by installing itself into a folder inside of the %AppData% directory and creating a registry run key that persists across reboots. Using a "com4" name, Windows considers the folder as being a device, meaning that the user cannot easily delete it. Given that Windows treats the "com4" folder differently, Windows Explorer or typical console commands are useless when attempting to delete it. Fortunately, there's a way to remove it. McAfee writes: Fortunately, there is a way to defeat this foe. First, the malware must be terminated (via Task Manager or other standard tools). Next, run this specially crafted command from the command prompt (cmd.exe): > rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q.
Payload? (Score:4, Interesting)
Nice that McAfee found the uninstall instructions for this... but what is the payload they were trying to deploy? The God Mode install of a file device is a way to get in that must be closed. But what did this do if left installed? Knowing what this does if left alone leads to who to blame.
How to remove ANY special filename in Windows (Score:5, Informative)
To remove any of those "special" file/foldernames after the fact, all you need is look for the short 8.3 notation of the filename that the filesystem uses behind the scenes, and which the GUI hides from the end user.
Open a command prompt and navigate to the folder that contains the special name
dir /x will show the associated "short" filename, e.g. co~123 instead of COM4
You can directly remove/rename/etc the file from the command prompt when referring to these short names:
remove a file: del co~123
remove a folder with its contents: rd co~123 /s
Re: (Score:2, Insightful)
dir /x will show the associated "short" filename, e.g. co~123 instead of COM4
Wait a minute... Windows is still using that bastardized dual naming system, 20 years in?
God help you Windows users...
Re: (Score:1)
Yes it does. One of the reasons why is that some utilities and programs cannot handle spaces in paths. The other is that some programs expect 8.3 by default.
Re:How to remove ANY special filename in Windows (Score:5, Insightful)
spaces in paths are an abomination any way
Re: (Score:2)
Some badly written utilities and programs. Also, I'd be pretty surprised if there were any programs expecting 8.3 filenames in common use today.
Re: (Score:1)
God forbid someone's Windows 95 application stops working suddenly 20 years later!
Re:How to remove ANY special filename in Windows (Score:5, Insightful)
Backwards compatibility is important. Why drop it? 16-bit support is finally gone, but I suspect only because everything anyone still uses (games) has been virtualized already.
Re: (Score:2, Interesting)
Backwards compatibility is important. Why drop it? 16-bit support is finally gone, but I suspect only because everything anyone still uses (games) has been virtualized already.
16 bit is only gone if you are running the 64 bit version of Windows. If you are running the 32 bit version, which for some bizarre reason still exists, even in Windows 10, then you can still run 16 bit programs.
Re: (Score:3)
16 bit is gone because AMD64 does not support it. It was an architectural decision. Win64 can only run Win64 and Win32 apps
Re: (Score:2)
Because programs written 20 years ago and have not been updated are universally insecure and have no business having access to your core OS, which many of these older programs require. I wouldn't even trust them if they did run fully in user space. If you have to use them, they should be in fully sandboxed VMs, not running on your host OS.
Re: (Score:1)
> Because programs written 20 years ago and have not been updated are universally insecure and have no business having access to your core OS, which many of these older programs require.
That is simply not the case. It is perfectly possible to use a 20-year old Linux program on an updated system (if they don't use deprecated system calls, that is). Actually we can use programs which are older than Linux without any problems, like vi (vim is more advanced, but one might want old vi for an old machine).
I
Re: (Score:2)
That is simply not the case. It is perfectly possible to use a 20-year old Linux program on an updated system (if they don't use deprecated system calls, that is).
It's not unusual to have library problems with older programs, which is why Loki_Compat exists, for example.
You can use VMs indeed, no big deal, but such old programs were developed for stand-alone PCs,
Yes, and thus they are too dumb to know about virtualization, and will work fine.
And it's not like Linux dropping 386 support after some 20 years...
That still seems like a shame to me. There are still 386-based SoCs and PC104 PCs (that is, the same size as a PC104 expansion module) out there.
Re: (Score:2)
That is simply not the case. It is perfectly possible to use a 20-year old Linux program on an updated system (if they don't use deprecated system calls, that is).
Apples and oranges. Linux uses shared libraries that are updated for security. This is why old applications break and need fixing on linux. In my opinion, this is a good thing. If your linux program will not compile with current libraries then you have to get an updated version or VM it with outdated libraries. On Windows, programs have their own, outdated libraries already compiled into the binary blobs that you cannot independently update. This is one of the reasons why Windows has so many more secu
Re: (Score:1)
"Nope, they didn't. It's still same loose spaghetti all the way down it's been since they ever started."
After digestion, I presume.
Re: (Score:2)
Re: (Score:1)
Yes, but you've been able to disable that 'feature' since about win2003\xp, I think you could even do it in win2k.
Re: (Score:1)
> But when you disabled it all sorts of stuff started breaking. Like nortonAV.
Yes, that was another advantage.
Re: (Score:3)
Apropos your user ID.
It's called backwards compatibility.
Re: (Score:3)
Uh huh. And the main drive is still called C: because A: and B: were floppy drives once. Some things aren't worth changing, simply because it'd break lots of existing code for no particular reason. For example I think the Linux (POSIX?) file system was written before they invented autocomplete, it's all TLAs like /var/usr/bin/lib/wtf. But I care roughly as much as that drives in Windows start on C:, which is to say very very little.
Unix Filesystem Hierarchy (Score:2)
For example I think the Linux (POSIX?) file system was written before they invented autocomplete, it's all TLAs like /var/usr/bin/lib/wtf.
In this case it's the file system hierarchy [wikipedia.org], not the file system. Personally, I think the argument for longer filenames is bogus. Using longer filenames isn't necessarily going to make their purpose any more clear, and for everything outside of the home folder, the novice user should probably not be touching that stuff, any more than they should be poking around in C:\Windows. Being user friendly is not a feature for things that are not intended for casual use. Autocomplete is an even worse argument: I'm no
Re: (Score:3)
Re: (Score:2)
Of course, these days it's all a mish-mash and a binary can be somewhere - dynamics in /sbin, statics in /bin, executables in /opt and /var, etc.
Which is one reason why Fedora and company are simplifying things by shoving everything in /usr. Unix was not originally designed to have different executables in different places, Thompson and Ritchie simply ran out of disk space, and in the era of small disks it was a sensible enough partitioning scheme. With the BSDs and commercial Unixes, it also makes more sense to distinguish between binaries supplied by the vendor and user-provided binaries, but Linux is more along the lines of "ship it all, and let
Re: (Score:2)
I knew that if I didn't put a disclaimer on the last line, people would take it seriously, and look! Vindication.
Thank you slashdot, for living up to the lowest of my expectations.
Re: (Score:2)
How are we going to teach children of today what an 8.3 filename is? It seems like DOS must still exist in schools at some point.
Re: (Score:1)
How are we going to teach children of today what an 8.3 filename is? It seems like DOS must still exist in schools at some point.
I recommend making kids learn to use DOS 5.x and Windows 3.1 in Year 1, by providing this as their personal computing device, then in Year 2 switch them over to Linux, and in Year 3 they have access to both Windows 7 and Linux, in Year 4 they will learn how to disassemble and assemble a computer from components.
At end of Year 4 give a test where the kid will demonstrate
Re: (Score:2)
You left something out... you need to give them Windows 10 today in order for them to process the current media. You don't want to leave sesamestreet.com to insecure browsers only.
Re: How to remove ANY special filename in Windows (Score:2)
You know I heard there is an app for that for these kids
Re: (Score:2)
Make them work it in their head by issuing word coins in fixed denominations, and they get 25 extra points by making exact change. At other times, the reward coins will be issued with a "Pick Stack #1, Stack #2, or Stack #3" option
And the 3 stacks will be different numbers of coins in different denominations.
Re: How to remove ANY special filename in Windows (Score:2)
Re:How to remove ANY special filename in Windows (Score:5, Informative)
The Windows GUI will prevent creation and removal of any 'special' foldername that looks like a device: LPT1, COM6, CON, etc.
To remove any of those "special" file/foldernames after the fact, all you need is look for the short 8.3 notation of the filename that the filesystem uses behind the scenes, and which the GUI hides from the end user.
Open a command prompt and navigate to the folder that contains the special name
dir /x will show the associated "short" filename, e.g. co~123 instead of COM4
You can directly remove/rename/etc the file from the command prompt when referring to these short names:
remove a file: del co~123
remove a folder with its contents: rd co~123 /s
In addition to what xlsior said, regarding the so-called "specially crafted command" in the example (rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q):
All it is doing is using the \\.\ prefix to tell the parser to skip reserved-word checking.
For example, you cannot create a folder C:\com4 using MKDIR C:\com4, but MKDIR "\\.\C:\com4" succeeds.
Likewise with RMDIR.
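As an added example (not code from the page, from McAfee, or from any commenter), here is the reserved-name rule that xlsior's short-name trick and the \\.\ explanation above both rest on, written out in Python: a check that reproduces how Win32 decides a path component is a DOS device (the text before the first '.' is compared, so "com4.{GUID}" is still COM4), a scan of Run-key values for image paths that hide behind such a name, and the \\.\ form of the path that McAfee's rd command uses. The Run-key entries and the name payload.exe are constructed for this example; the com4.{...} folder name is the one from McAfee's command.

```python
import re

# Names the Win32 path parser treats as legacy DOS devices. Anything that
# follows the first '.' is ignored, so "com4.{GUID}" still resolves to COM4.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

# Win32 namespace prefixes: \\?\ turns off path parsing, \\.\ addresses the
# device namespace directly; both skip the reserved-name check.
PASSTHROUGH_PREFIXES = ("\\\\?\\", "\\\\.\\")


def is_reserved_device_name(component: str) -> bool:
    """True if one path component collides with a DOS device name.

    Win32 compares the text before the first '.', case-insensitively and
    with trailing spaces dropped, so "com4", "COM4.txt", "com4 " and
    "com4.{241D7C96-...}" all match while "com40" does not.
    """
    base = component.split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED_DEVICE_NAMES


def reserved_components(path: str) -> list:
    r"""Return every component of a Windows path that is a reserved name.

    A path already carrying \\?\ or \\.\ bypasses the parser, so it is
    reported clean; that is exactly why the rd command in the story works.
    """
    if path.startswith(PASSTHROUGH_PREFIXES):
        return []
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    return [p for p in parts if is_reserved_device_name(p)]


# Run-key values are command lines: a quoted image path, or an unquoted path
# (which may contain spaces) ending in .exe, optionally followed by arguments.
# Hypothetical helper written for this example, not a Windows API.
_IMAGE_RE = re.compile(r'^(?:"([^"]*)"|(.*?\.exe)(?=\s|$)|(\S+))', re.IGNORECASE)


def image_path(command: str) -> str:
    """Extract the executable path from a Run-key style command line."""
    m = _IMAGE_RE.match(command.strip())
    if not m:
        return ""
    return next(g for g in m.groups() if g is not None)


def hunt_run_entries(entries: dict) -> dict:
    """Map each Run-key value name to the reserved component hiding its image.

    entries is {value_name: command_line}; clean entries are omitted.
    """
    hits = {}
    for name, command in entries.items():
        bad = reserved_components(image_path(command))
        if bad:
            hits[name] = bad[0]
    return hits


def removal_command(folder: str) -> str:
    r"""Build the rd invocation McAfee gives: the \\.\ prefix makes cmd.exe
    hand the name to the filesystem without reserved-word checking."""
    return f'rd "\\\\.\\{folder}" /S /Q'


# Constructed Run-key contents for the example (not real registry data); the
# com4.{...} folder name is the one from McAfee's command, payload.exe is invented.
SAMPLE_RUN_KEY = {
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "Updater": "C:\\Program Files\\Vendor\\app.exe /silent",
    "Dynamer": '"C:\\Users\\alice\\AppData\\Roaming\\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\\payload.exe"',
}

if __name__ == "__main__":
    for value, component in hunt_run_entries(SAMPLE_RUN_KEY).items():
        print(f"{value}: hidden behind reserved name {component!r}")
        print("  ", removal_command("%appdata%\\" + component))
```

Feeding it the constructed sample flags only the Dynamer entry and prints the same rd line McAfee gives. Run against a real machine you would fill SAMPLE_RUN_KEY from HKCU and HKLM ...\CurrentVersion\Run (and Explorer's "God Mode" CLSID folder has nothing to do with it; the trick is purely the reserved name).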
Re: (Score:3)
Fix Only From Command Prompt? (Score:5, Insightful)
What? Clearly windows is not ready for the desktop!
Yeah, you fucked it up, Slashdot (Score:1)
Next, run this specially crafted command from the command prompt (cmd.exe): > rd “\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}” /S /Q.
Fix the bloody quotes, will you?
At least under the old owners we didn't see any sign of Unicode.
Blast from the past... (Score:2)
After all these years, God Mode finally made it into the psDooM system admin tool.
https://slashdot.org/story/99/10/20/1110242/kill--9-with-a-doom-shotgun [slashdot.org]
http://psdoom.sourceforge.net/ [sourceforge.net]
Bad security as a result of paradoxical goals (Score:3, Insightful)
Re: (Score:2, Troll)
Feature, not a bug. Windows is by design a malware delivery system.
Re: Bad security as a result of paradoxical goals (Score:2)
Re: (Score:2)
Linux is like being a kid at the first Home Depot in Atlanta... it's amazing that company wasn't killed there.
Home Depot thrives on illegal alien labor (Score:1)
Re: (Score:2)
There's a reason each Home Depot has a cluster of undocumented people hanging out just beyond the parking lot: their business model is to sell cheap pre-fab stuff so you can hire cheap labor and do your home at half the cost, and almost the quality of having a pro builder do it.
The only thing standing in the way of productivity and getting things done in places like USA and Canada is obsessive, compulsive government regulation. Layer after layer of rules, regulations, laws, by-laws. There's no end to it. No one knows where they stand, even the police and cities don't know what they are actually supposed to enforce.
So this kind of thing is actually essential in these societies. Much like bribery and corruption are essential in many 3rd world countries; without it you just don't get
Negativity bias (Score:1)
We tend to notice negatives more than positives. Negativity bias explains that. [nih.gov]
This being said, I do not believe in any "system" that claims to "run itself," whether capitalism, democracy or the wisdom of crowds. There must always be enlightened leaders, although I prefer a form distinct from the Canadian government.
Re: (Score:2)
Out of curiosity, I'm curious if you're right wing.
All I see are companies abusing the hell out of everyone they can get their hands on.
Sell drm'd crap... make it insanely difficult to change companies, offer inferior quality (US is like 50th in bandwidth).
Thankfully, in Canada, the government stepped in and (for example) allow you to take your phone number to any service (cell, home and voip) if you're ever unhappy with the provider. It's ridiculously easy - you don't even need to inform the old company.
I'm not really any wing. And companies abusing the hell out of everyone, that's what hiring someone for cash-only from outside Home Depot avoids, doesn't it? They aren't working for some big faceless corporate that abuses the hell out of them. They work for cash for some ordinary home owner who just needs to get some work done.
As for Canada, try taking some beers from one province to another.
Re: (Score:2)
And most of those people don't even try to perform repairs or maintenance on their cars themselves, they hire someone else to do it. They also typically join a breakdown service so if the car fails at an inconvenient location someone else will come and fix or tow it for them. It's also quite difficult to fuck up a modern properly maintained car by using it normally.
It's more analogous to something like a chromebook, google performs the maintenance and it's very difficult to fuck it up by accident.
Re: (Score:2)
Because a complex general purpose OS is simply not a suitable tool for an average user... They are better off with single purpose devices that are managed by someone else, walled garden tablets, chromebooks, games consoles etc. Complex computing systems were designed by geeks, for geeks, and should still be a niche only used by geeks.
Well, couldn't I just.... (Score:4, Funny)
Using a "com4" name, Windows considers the folder as being a device, meaning that the user cannot easily delete it. Given that Windows treats the folder "com4" folder differently, Windows Explorer or typical console commands are useless when attempting to delete it.
Couldn't I just boot up off a Linux disk, mount the Windows partition, and delete the folder that way? Linux isn't going to play along with this "oooo, let's pretend this directory is hardware" game.
Re: (Score:2, Informative)
In general, it is preferable to delete Windows malware using Linux because this makes sure the malware isn't running and re-creating files faster than you can delete them.
"warning: annoying popup ads" (Score:4, Insightful)
Next time, let's just squelch any story that we have to use this disclaimer for. Starve sites that do that to death and they will go away.
Imaging Software (Score:1)
I still find imaging software the best tool for any Windows user. Just revert to an image before the issue, and 15 minutes later, it is as though nothing happened.
I use no antivirus and have all my data on a separate partition. The image is of a clean installation with all my software.
How Is This A Story? (Score:1)
How is this a story? A bog standard .exe kicked off at user login by the registry Run key? How very Windows XP of them.
Also, what the fuck is God mode? I've been an admin since DOS 3 and I have never heard of it. Checking it out, I see it's a term used by bloggers, to describe a built in hidden folder, accessed using a CLSID. What utter fucktard calls that God mode?
This is the sort of utter crap that I expect to see on a LoL or Minecraft forum post, not Slashdot.
Re: GORD IS DEQSD! (Score:1)
gort klaatu barada nikto
Re: (Score:1)
We have moderators that send bad posts into a -1 point dustbin. The Editors (team that posts the stories) have power to remove anything patently offensive, but don't censor on words alone.
Re: (Score:2)
And 4 years later all the machines will crash when the date flips on their microvax servers.
Re: (Score:1)
Or get some editor chappies who are speaking the most jolly good English.
Re: (Score:2)
Slashdot should have put the command line in a blockquote block. There, fixed that for ya.
Re: (Score:2)
Isn't there a code tag that disables the forum correction?
rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q
Hmm. Not a problem in preview.
Re: (Score:2)
Slashdot has never used the code tag in stories... does it work there?
Re: (Score:2)
I don't know for sure but it should considering a lot of stories are blog posts from the slashdot account and the submission page looks a lot like the posting page.
The "quote marks" or quoted text of the command showed up fine for me in the story. It wasn't until someone copied it that there was an issue.
Re: (Score:3)
Quotes at the command line join together strings that contain spaces... it's basically a one-character escape sequence that keeps the name of the object (directory or filename) together even when it contains a space.
Re: (Score:2)
rd “\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}” /S
Either add support for UTF-8 to Slash or edit your copypasta to remove broken quotes. Don't just throw your hands in the air.
Replying to undo mis-moderation. Strangely, modding this up from -1 left it at -1. Is there a secret -2 that reads as -1?