Catastrophic Internet Failure

Well, something may be rotten there, if such an attack got through, I will concede that. As I was saying, this couldn't possibly load on any test computer without crashing it.
 
Having been a professional tester for 7 years it is hard to imagine that getting through test.

Remember the "PrintNightmare" fiasco a little while back? That somehow got through testing and ended up borking printing to network shared printers on 100s of millions of computers all over the world.
 
Let's get this thread back on topic.

What are the long term social impacts of this disaster?
1. Cash will be around for a bit longer.
2. ??????
 
Just to kinda duplicate what I wrote in the computers and internet thread, the file doesn't even contain any code that could do anything to cause even more corruption, or really do anything. It's just a long block of 00 bytes, including the DLL file header. (A driver is just a renamed DLL.) It's actually that corrupt header that causes the loader to crash when trying to load it. No code in the driver itself was even executed at this point. Except since it's a system driver, loaded by the kernel with kernel rights, this causes the kernel to fail.

TL;DR version for the everyman: it IS an exploit/attack on the Windows DLL loader, using a malformed file. Just it needs to be a system driver to work, and an update to an anti-virus provided that setup.
If it was going to be an attack why just load a null file? Any simple virus could have caused a lot more damage.
 
If it was going to be an attack why just load a null file? Any simple virus could have caused a lot more damage.

Well, it did cause a lot of damage world wide. I mean, people probably actually died, since even some hospitals got nuked, and I personally know two people who couldn't get medical appointments. Plus such minor inconveniences, as millions of people stranded because they checked out of the hotel at the end of their vacation, but the airport can't carry them. Plus the effect on global commerce. This thing had probably a bigger blast radius (actual technical term for how many people get hit by an outage) than both nukes combined.

And some people aren't motivated by money or want to run bot farms. Some people just want to see the world burn. I actually had a classmate in college who wrote a computer virus that formatted hard drives (and not just the allocation table; it overwrote every sector) just for his idea of lulz, and was even proud of it. Like, literally, that was it. It didn't log keystrokes, it didn't give him access, it didn't hold data for ransom, just past a certain date everyone turning their computer on had their hard drive low-level wiped.
 
Who hasn’t accidentally uploaded a wrong file?

I'd present the counter-point: if it was an accident, how DO you accidentally create such a file? As I was saying, it's impossible for a compiler to generate such a borked EXE/DLL header.

(DLL itself is the same format as an EXE. Well, technically it's a PE file format in this case. It would be the NE file format on 16 bit windows.)

At the very least, the standard header starts with a dummy MS-DOS 2.0 header and a pointer to the actual Windows header; it has to start with the letters "MZ" as the first two bytes. It also includes a dummy MS-DOS 2.0 program, just enough to print "This program cannot be run in DOS mode". So that kinda text should be in there too.

That's something the compiler (well, ok, linker, technically) appends at the start of everything, regardless of whether it's an .EXE or a .DLL or .DRV or .SYS or .OCX or really anything that contains any executable code. No matter what other mistakes you made in the code, this WILL be there.

So how DO you end up with a file overwritten with nulls? Honest question.
 
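As an added example (not code from any poster in this thread), here are the structural checks described above written out as a small Python validator: "MZ" at offset 0, e_lfanew at 0x3C pointing at a "PE\0\0" signature, a COFF header and a known optional-header magic. The sample image it builds is constructed for the example and is not a real driver; a file of all 00 bytes fails at the very first check.

```python
import struct

# Constructed sample values for this example (not taken from any real driver file).
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
COFF_HEADER_SIZE = 20
OPTIONAL_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}


def check_pe_header(data: bytes) -> str:
    """Return 'ok' if the buffer starts like a linker-produced PE image,
    otherwise a short reason naming the first structural defect found."""
    if not any(data):
        return "file is entirely null bytes"
    if len(data) < 64:
        return "shorter than an MS-DOS header"
    if data[:2] != b"MZ":
        return "missing MZ signature"
    # e_lfanew (offset 0x3C) points to the real Windows header ("PE\0\0").
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + COFF_HEADER_SIZE + 2 > len(data):
        return "e_lfanew points past end of file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "missing PE signature at e_lfanew"
    # COFF header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if opt_magic not in OPTIONAL_MAGICS:
        return f"unknown optional header magic 0x{opt_magic:04x}"
    if nsections == 0 or opt_size == 0:
        return "no sections or empty optional header"
    return "ok"


def build_minimal_pe() -> bytes:
    """Constructed, deliberately minimal PE32+ header (not a real driver):
    MZ header, the DOS stub text, then PE signature, COFF header and the
    optional-header magic. Enough for the structural checks above."""
    e_lfanew = 0x80
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = DOS_STUB_TEXT.ljust(e_lfanew - len(dos), b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    opt = struct.pack("<H", 0x20B).ljust(0xF0, b"\0")
    return bytes(dos) + stub + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    print(check_pe_header(build_minimal_pe()))   # ok
    print(check_pe_header(bytes(41 * 1024)))     # file is entirely null bytes
```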
Well, I think I answered my own question, after looking at the problem from a new angle and through a new vodka bottle: if you use your own program to copy, download or pack/unpack the file, THAT one can malfunction like that.

I actually had a problem like that in the 90's, where a manager at the client removed the initialization of my LZ compression/decompression buffer, because he thought he optimized it that way. It didn't produce nulls, but it produced more garbage than Berlin over Easter :p
 
Well, I think I answered my own question, after looking at the problem from a new angle and through a new vodka bottle: if you use your own program to copy, download or pack/unpack the file, THAT one can malfunction like that.

I actually had a problem like that in the 90's, where a manager at the client removed the initialization of my LZ compression/decompression buffer, because he thought he optimized it that way. It didn't produce nulls, but it produced more garbage than Berlin over Easter :p

Drivers are also signed by certificate. Which could have failed.
 
Hmm, I suppose that would put the kibosh on some of my unlikely scenarios of it happening by accident. Still not at the level of impossible, but I guess kinda stars aligning and Great Cthulhu rising from deep R'lyeh kinda improbable.
 
Dave, of Dave's Garage, explains the problem. A CrowdStrike update installed at boot that operates at Ring 0 (OS max privilege) had a gross error that accesses memory that doesn't exist. Initiates a BSofD.

Haven't watched the video, but... SORTA... and SORTA NOT. Yes, it did have that level of privilege, but again, no code in it actually did it or even ran at that point. Not that it had any meaningful code to run anyway. It was the loader in Windows itself that did that, due to the malformed PE header. It's not even a guess, people have remote-debugged it.
 
Haven't watched the video, but... SORTA... and SORTA NOT. Yes, it did have that level of privilege, but again, no code in it actually did it or even ran at that point. Not that it had any meaningful code to run anyway. It was the loader in Windows itself that did that, due to the malformed PE header. It's not even a guess, people have remote-debugged it.

Yep. Croaked at the git go. So no damage. Just need to boot up in safe mode and remove the bad file. A major screw up but not malware injection.
 
NB, for full disclosure sake, I'm not an IT support guy, I'm just an old programmer with an interest in Assembly, and an even more massive hard-on in watching IT train-wrecks. Like, seriously, digging through this mess made me hit myself in the middle of the forehead with my dick and pass out ;)

Think of me like Nelson Muntz in the Simpsons, watching this train wreck and going, "HAW-HAW!" ;)
 
Yep. Croaked at the git go. So no damage. Just need to boot up in safe mode and remove the bad file. A major screw up but not malware injection.

Indeed, no malware injection, to be sure. But it DID have a bigger blast radius (see definition before) than any attack so far, and quite probably some people actually DIED. Quite possibly, thousands, in fact. Which isn't something you usually associate with a cyber attack.

Like, seriously, this is what Y2K wished it were.
 
Yep. Croaked at the git go. So no damage. Just need to boot up in safe mode and remove the bad file. A major screw up but not malware injection.

Problems with this.
1. How does a person boot up in safe mode?
2. How does a person delete the bad file?
3. What is the path name of the bad file?
4. If I have only one computer how do I Google the above questions when my computer is not working? This question assumes that the information is on the Internet and I have the ability to find it.
5. If I am the IT person at work I may have many computers, some in remote locations. That will keep me employed for a long time.
 