Security Basics mailing list archives

RE: How to....


From: "Edwards, Al" <al.edwards () edeltacom com>
Date: Thu, 13 Oct 2005 13:48:54 -0400

 

-----Original Message-----
From: Greg [mailto:security-basics () pchandyman com au] 
Sent: Monday, September 26, 2005 9:32 PM
To: security-basics () securityfocus com
Subject: How to....

....really shoot your XP machine in the foot, so to speak.

Pick any program shortcut that is pinned to your start menu. If you
don't have any, find any old program shortcut (or make one) then pin it
to your start menu. Now go find some other shortcut to a completely
different program and open its properties. Copy the full path info from
that one and paste it into the path info in the properties for that other
shortcut that is pinned to the start menu and click OK to make it stick.
Now carefully look at that icon. It hasn't changed. Now click on it. The
icon now starts that other program instead of the one it looks like it
is SUPPOSED to start.

Now while all that is simple "so what?" to most of you, think of this -
I deal in a lot of low level security stuff that is below the radar of a
lot of you but if an icon that is frequently used in the list of
commonly used programs or those pinned to the start menu can be so
easily changed to start some other program yet not look like it was
tampered with at all, why couldn't the next Trojan include code to do
this? E.g., place a Trojan on the C drive, copy the full path info into
the "Windows Update" icon on your start menu (for example) where it runs
that Trojan instead. That Trojan may do what it is designed to do and
also do the actual starting of Windows Update after that.

What stops a local user or a Trojan doing this in a normal XP
installation that hasn't been changed and all runs at admin levels as so
many businesses do?

Greg.
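
One way for a defender to catch the change described above, as an added example that is not part of the original message: record what each Start Menu shortcut actually launches, then report any later change in target and whether the icon setting stayed the same. The parameter names and the CSV baseline file are assumptions; shortcuts are read through the WScript.Shell COM object.

```powershell
# Added example: baseline and audit Start Menu shortcut targets.
#   -Baseline <csv> -Save   records the current (known-good) state
#   -Baseline <csv>         compares the current state against that record
param(
    [Parameter(Mandatory = $true)][string]$Baseline,
    [switch]$Save,
    [string[]]$Path   # extra or alternative folders to scan (assumption)
)

$shell = New-Object -ComObject WScript.Shell
if (-not $Path) {
    # Per-user and all-users Start Menu folders.
    $Path = $shell.SpecialFolders.Item('StartMenu'),
            $shell.SpecialFolders.Item('AllUsersStartMenu')
}

# Read what each .lnk will really launch, not what its icon suggests.
# CreateShortcut only loads an existing file; nothing is written back.
$current = Get-ChildItem -Path $Path -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        New-Object psobject -Property @{
            Shortcut  = $_.FullName
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
            Icon      = $lnk.IconLocation
        }
    }

if ($Save) {
    $current | Select-Object Shortcut, Target, Arguments, Icon |
        Export-Csv -Path $Baseline -NoTypeInformation
    return
}

# Index the baseline by shortcut path, then compare.
$known = @{}
Import-Csv -Path $Baseline | ForEach-Object { $known[$_.Shortcut] = $_ }

foreach ($c in $current) {
    $b = $known[$c.Shortcut]
    if (-not $b) {
        "NEW      $($c.Shortcut) -> $($c.Target) $($c.Arguments)"
    }
    elseif ($b.Target -ne $c.Target -or $b.Arguments -ne $c.Arguments) {
        # The case from the message: new launch target, icon possibly identical.
        $note = if ($b.Icon -eq $c.Icon) { 'icon unchanged' } else { 'icon changed' }
        "CHANGED  $($c.Shortcut): '$($b.Target)' -> '$($c.Target)' ($note)"
    }
}
```

Keep the baseline file somewhere the accounts being audited cannot write to, otherwise whatever rewrites a shortcut can rewrite the record as well.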




