Security Basics mailing list archives
Re: How to....
From: Jacob Bresciani <jacob () bresciani ca>
Date: Tue, 27 Sep 2005 11:31:34 -0700
This has been capable since 95 I think, the location of program the shortcut is linked to and the location of the icon that is displayed are 2 different settings in the shortcut.
Heck you don't even have to change one of the users icons, just make your own and use a known system icon and bundle it with your trojan and let it overwrite the existing one.
Jacob Bresciani"Passwords are like bubble gum, strongest when fresh, should never be used by groups and create a sticky mess when left laying around"
-anon On Sep 26, 2005, at 6:32 PM, Greg wrote:
....really shoot your XP machine in the foot, so to speak.Pick any program shortcut that is pinned to your start menu. If you don't have any, find any old program shortcut (or make one) then pin it to your start menu. Now go find some other shortcut to a completely different program and open it's properties. Copy the full path info from that one and past it into the path info in the properties for that other shortcut that is pinned to the start menu and click OK to make it stick. Now carefully look at that icon. It hasn't changed. Now click on it. The icon now starts that other program instead of the one it looks like it is SUPPOSED to start.Now while all that is simple "so what?" to most of you, think of this - I deal in a lot of low level security stuff that is below the radar of a lot of you but if an icon that is frequently used in the list of commonly used programs or those pinned to the start menu can be so easily changed to start some other program yet not look like it was tampered with at all, why couldn't the next Trojan include code to do this? Eg, place a Trojan on the C drive, copy the full path info into the "Windows Update" icon on your start menu (for example) where it runs that Trojan instead. That Trojan may do what it is designed to do and also do the actual starting of Windows Update after that.What stops a local user or a Trojan doing this in a normal XP installation that hasn't been changed and all runs at admin levels as so many businesses do?Greg.
Current thread:
- How to.... Greg (Sep 27)
- Re: How to.... Micheal Espinola Jr (Sep 28)
- Re: How to.... Ansgar -59cobalt- Wiechers (Sep 28)
- Re: How to.... Larry Offley (Sep 28)
- Re: How to.... Jacob Bresciani (Sep 28)
- Re: How to.... Greg (Sep 28)
- Re: How to.... Barrie Dempster (Sep 28)
- <Possible follow-ups>
- RE: How to.... Clarkson, Dustin (Sep 28)
- Re: How to.... Greg (Sep 28)
- Re: How to.... Ansgar -59cobalt- Wiechers (Sep 30)
- Re: How to.... Greg (Sep 28)
- RE: How to.... Smith, Jeff (Sep 28)
- RE: How to.... Craig Wright (Sep 28)