Malware uses Windows product IDs to mix mutex

Malware writers are using Windows unique product numbers to generate mutex values to evade researchers, SANS security boffin Lenny Zeltser says. Mutex values are used as an accurate reference to determine if multiple identical processes are running. Malware including the infamous BackOff credit card stealer has used mutex for …

  1. Sampler

    VLK

    So how does this work if you have a raft of machines with the same id?

    (genuine question, it didn't seem to be covered - does it use the code as a starting point and therefore all will be unique, I didn't get that from the article)

    1. the spectacularly refined chap

      Re: VLK

      So how does this work if you have a raft of machines with the same id?

      I wouldn't have thought it would make any difference. The presumable intention is to ensure that only one copy is running at a time on any given system, to prevent the infection crippling the machine and indeed itself. If two different machines compute the same value it doesn't make any difference since the mutex is local to the system, so the one instance per machine relationship still holds.

    2. Lee D

      Re: VLK

      Who cares?

      What it's saying is that to know if it's already running on a computer, it makes a mutex called by something (similar to, but probably a hash of) the GUID of that computer. It might end up with the same mutex on two machines, but who cares about that? All it needs is to know if it's running on THIS machine already without giving the game away with VIRUS_MUTEX_1 showing up in its code.

      And, sorry, but any decent install with a VLK should still be giving unique GUIDs/SIDs - that's what sysprep is for.
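The point made across the thread, as an added example (not code from the article, from Lenny Zeltser, or from any commenter): a name derived from a per-machine value such as the Windows ProductId looks random in a sample yet is reproducible on that machine, which is exactly what lets a responder compute the expected name and probe for it as an infection marker. The derivation scheme below (SHA-256 of the ProductId, first 16 hex digits) is a hypothetical stand-in, not the scheme any real sample uses; the registry path and the `OpenMutexW` probe are real Windows APIs, and the script only reads and probes, never creates, the mutex.

```python
import ctypes
import hashlib
import sys
from typing import Optional

# Constructed sample value in the ProductId format (not a real product key).
SAMPLE_PRODUCT_ID = "00000-00000-00000-AAAAA"


def derive_mutex_name(product_id: str) -> str:
    """Hypothetical derivation: SHA-256 of the ProductId, first 16 hex digits.

    Two machines sharing a ProductId (a volume-licence image that was never
    sysprepped) will derive the same name, but a mutex is scoped to the local
    session/system, so "one instance per machine" still holds on each of them.
    """
    digest = hashlib.sha256(product_id.encode("utf-8")).hexdigest()
    return digest[:16]


def read_local_product_id() -> Optional[str]:
    """Read ProductId from the registry; returns None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, hence the late import
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _ = winreg.QueryValueEx(key, "ProductId")
    return value


def mutex_exists(name: str) -> Optional[bool]:
    """Probe (open, never create) a named mutex; returns None off Windows.

    A successful open means some process on this machine already holds the
    name, which is the infection marker a responder would look for.
    """
    if sys.platform != "win32":
        return None
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return False


def same_name_on_cloned_machines(product_id: str) -> bool:
    """The thread's 'raft of machines with the same id' case: identical
    ProductIds give identical names, which is harmless because the probe
    and the marker are both local to each machine."""
    return derive_mutex_name(product_id) == derive_mutex_name(product_id)


if __name__ == "__main__":
    pid = read_local_product_id() or SAMPLE_PRODUCT_ID
    name = derive_mutex_name(pid)
    print(f"ProductId {pid} -> candidate mutex name {name}")
    print(f"present on this machine: {mutex_exists(name)}")
```

Run on Windows it reports whether the candidate name is currently held; elsewhere it falls back to the constructed ProductId and only prints the derivation, which is enough to see why the same image produces the same name everywhere without that ever mattering to the per-machine check.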
