Entirely new trojan quietly wheeled into black hat forums

An RSA researcher claims to have found an entirely new trojan during his trawls of the criminal underground. RSA researcher Eli Marcus says the "Pandemiya" trojan comprises about 25,000 lines of fresh code. With most malware based on proven platforms, entirely new code is a rarity. Pandemiya is nasty: it infects Windows PCs, …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters Silver badge

    The software is modular and pervasive, and unique thanks to its ability to inject itself into all new processes via the Windows security registry function CreateProcess API

    I do not understand? Is fork() now considered a black art skill? Has it come to that?

    1. Anonymous Coward

      >"the Windows security registry function CreateProcess API"

      HOUSE!

      What, we aren't playing Buzzword Bingo? Because I can't see any other reason for stringing that many nouns together in a row. Windows has a registry, but there's no such thing as a security registry, and 'function' and 'API' are just pointlessly-doubled synonyms.

      In case anyone wants a non-mangled explanation, the linked post explains that it sets a registry key, AppCertDlls, which contains a list of DLLs that get injected into every process created (by the CreateProcess API). This is a Windows security function (designed for sysadmins to deploy DLLs into their administered machines that can white- or black-list executables according to e.g. site policy). However, you can't just pull out the highlighted words from that explanation, jumble them up randomly, and expect it to be a valid summary.

      As for it being 'unique', it's nothing of the sort, nor does the OP make that claim. It's been in use for a while by multiple viruses, and it's exactly the same as the KnownDlls technique, which has been around even longer (although IIRC MS has killed it in recent Windows.) One notable advantage of it is that, at least as recently as March last year (according to http://forum.sysinternals.com/bug-appcertdlls_topic29211.html), this key wasn't scanned by Sysinternals Autoruns. So there's an interesting thing.
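
A defender-side check for the AppCertDlls key described in the comment above, added here as an example and not part of the original thread: it lists every DLL registered under the key and reports whether the file exists and carries a valid Authenticode signature. The full key path and the function name `Get-AppCertDllEntry` are supplied by the example; treating missing or not validly signed files as needing review is a triage assumption.

```powershell
# Added example: audit the AppCertDlls key. Each value under it names a DLL
# that Windows loads into processes started through CreateProcess.
$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-AppCertDllEntry {
    param([string]$KeyPath = $AppCertKey)

    # The key may not exist at all; absence means nothing is registered.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }

    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        # Read the raw data, then expand %SystemRoot%-style variables ourselves
        # so the report shows both what is stored and what would be loaded.
        $raw  = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $path = [Environment]::ExpandEnvironmentVariables($raw)

        # Guard against empty data before touching the file system.
        $exists = $path -and (Test-Path -LiteralPath $path -PathType Leaf)
        $status = 'FileMissing'; $signer = $null; $sha256 = $null
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            ValueName   = $name
            StoredData  = $raw
            Resolved    = $path
            Signature   = $status
            Signer      = $signer
            SHA256      = $sha256
            # Triage assumption: anything not validly signed needs a look.
            NeedsReview = ($status -ne 'Valid')
        }
    }
}

$entries = @(Get-AppCertDllEntry)
if ($entries.Count -eq 0) {
    'AppCertDlls: key absent or empty'
} else {
    $entries | Format-List
}
```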

      1. Destroy All Monsters Silver badge

        Re: >"the Windows security registry function CreateProcess API"

        Very nice.

        I wonder how a downvote occurred? Did someone write a bot to randomly issue downvotes?

      2. AndrueC Silver badge

        Re: >"the Windows security registry function CreateProcess API"

        +1 because I was also wondering what the hell 'Windows security registry function CreateProcess API' was wittering on about. I thought this was some new hell foisted on us by MS.

  2. Juan Inamillion

    Kudos

    "original password-pinching botnet badassery"

    Made my Friday.... Cheers!

  3. Scroticus Canis

    Ah, Windoze only malware ...

    ... makes us fanbois feel so validated!

    (OK I am going for the down vote record here, it's Friday who cares)

    1. Anonymous Coward

      Re: Ah, Windoze only malware ...

      Downvote? Why? We perfectly understand.

      Apple does not need external malware, it's designed-in, institutionalised, extortion :-)

      Happy weekend

    2. Shrimpling

      Re: Ah, Windoze only malware ...

      Going for the Downvote record? You will have to try harder than that.

      Check the top post in this comment section for a good example on getting the downvotes.

      1. Mark 85

        Re: Ah, Windoze only malware ...

        Ah.. at last... a record for commentards to aspire to.

    3. Bloakey1

      Re: Ah, Windoze only malware ...

      Ohhh dear!!

      As a Mac, Linux, Windows user I am starting to get tired of this old religious dogmatism.

      Like the name by the way but should it not be "Coli Canis" in the vulgar form and "Testiculos Canis" in the more correct proper form?

      1. Anonymous Coward

        Re: Ah, Windoze only malware ...

        Ohhh dear!!

        As a Mac, Linux, Windows user I am starting to get tired of this old religious dogmatism.

        Like the name by the way but should it not be "Coli Canis" in the vulgar form and "Testiculos Canis" in the more correct proper form?

        Calm down, he/she/it is merely trolling for downvotes. Which we, being evil sods, will not give him despite this creating an entirely screwed up impression of how we value this post (trust me, it makes sense at some level - you may need to drink some more beer first).

    4. Mark 85

      Re: Ah, Windoze only malware ...

      I'll give you one but your post isn't really offensive or illogical enough to make the record.

  4. Anonymous Coward

    Insert key word ..

    Botmasters, botnet files, buggy wares, command line action, CreateProcess API., criminal underground., .dll file plug-ins, drive-by infections, Dynamic encrypted communications, Flash, Java, malware, modular, new code, new trojan, Pandemiya, pervasive, RSA researcher, Silverlight, software, trojans, Windows

  5. Acme Fixer

    What?!

    I thought I'd read the comments to find some worthwhile information. Like the song said, "I can't get no.. satis-faction..."
