
Unofficial updates and modifications


bristols


More arguments? You give us zero :)

Well... you're wrong. Below is an argument, in brief:

Maybe MSFN is a good place to test malware out. If it gets past that relatively 'techie' audience, it's far more likely to thrive in the wild.

I'm playing devil's advocate a bit here, as a means to asking a 'what if...?' question.

As long as there is no real proof of any bad unofficial updates I simply have to assume that you are wrong. I don't have to prove or argue anything.
You state something here so it's your job to come up with arguments and proof.

It seems you're assuming that I'm making definitive statements about updates posted here. I made it clear that I'm not. Not making statements, but asking questions. No-one here is saying that you have to prove or argue for anything. Don't misunderstand me. I have no interest in scoring points, winning arguments, or combat for the sake of it. But I do want to ask some questions that I haven't seen asked. Questions I think should be asked, to explore some aspects of this community's efforts to keep 9x alive that haven't been much talked about. The whole point of me bothering to use my time to post here is that I want to 'keep 9x alive', and keep the efforts here strong by addressing any weak points in them. We may disagree on what the weak points are, of course, and you may not see the value of these questions. I'm not a programmer, and I'm not one of your wise men.

Besides, programming something like Uberskin is really not the most efficient way to spread malware or compromise systems. There are less complex ways to do that. And a techie site like MSFN is the wrong place to look for malware victims, right? :)
A malware/virus will be targeting the XP/Vista machines, because that'll enable the malware/virus its maximum spread. We are less of a target than the Linux/FreeBSD users, for the single reason that we're, by now, less than 1% of the total computer user community.
IMO releasing the malicious code here would increase the chances of it being discovered. Many of the members here know how 9X systems work in far more detail than members elsewhere. They're much more likely to notice unusual activity. Some of us have some potent security setups in place that don't miss much.

So, above are three arguments against the likelihood that any intentional malicious code is in the updates posted here.

But to dream about scenarios of a deliberate spread is just ludicrous. :whistle:

To state that there has been - or probably has been - a deliberate spread, without evidence to back this up, is ludicrous. However, to consider the possibility - while unlikely - is not.

Again, don't misunderstand me. What I'm really asking is whether we should as a community be concerned at all from a security point of view - even just in theory - about the unofficial updates posted here.

If we should be concerned, how should that concern translate into action? Maybe a list of guidelines for authors of patches, asking them to explain what patches are intended to do, give a detailed account of changes made to users' systems, provide assurances that the files included were tested by named anti-malware products, suggest any possible downsides to applying their patches (from a security and functionality point of view), and so on? I think a set of guidelines along these lines would have some value for our community. It may be of little use to the wise among you. But for the less knowledgeable, and for the paranoid, it could provide reassurance, and maybe increase their understanding of patches. The feedback from users to authors would likely be more useful if users had a better understanding of their work.

To create a patch that works (unless one is so incredibly lucky that turning to a lottery ought to be much more profitable), one must be a knowledgeable programmer and/or reverser. It involves long hours of effort and dedication. And many more of plain bitter failure! :yes:
A couple of examples of my own. I posted a screen saver that I was working on for myself. The 0.1 revision worked fine (used it since then with no problems), and when I did the 0.2 revision, it seemed to work fine for me too. But when I played with it some more after I put it into the thread, I realized that I wasn't detecting the screen coming back up right. Did I do it purposefully or negligently? Definitely not! In fact, I felt very bad that I turned the software out with such a problem. I think you'll find that with most if not all programmers when they turn out something that isn't working right.

I can appreciate the (often thankless) painstaking, long hours of effort that goes into a programmer's work (I experience this myself sometimes). I don't mean to bash such folks. I applaud conscientious programmers. But however conscientious a programmer is, I'm not likely to install his or her product if he either can't or won't communicate to me what it is that I'm installing, and for what purpose. When it comes to installing anything, my default position is wariness. I need to be reassured somewhat as to the quality, effectiveness and reliability of the product before I'll even consider it. Any other evidence of the trustworthiness and intentions of the author is also massively persuasive.

By adding these functions to 98, it's entirely possible that some of this malicious code will be able to run on 9X when it couldn't before. In this respect, malware is no different than any other software. KernelEX definitely will not cause 9X to be vulnerable to all the malware that XP has been hit with, but it will have an effect. There's no way to know how much effect unless you have a crew of programmers available that know how to reverse engineer malware and have an in-depth understanding of both types of operating systems at a kernel level. Microsoft has plenty of programmers and they can't prevent vulnerabilities in their own products, and they have the source code. KernelEX would have to become a lot more popular before malware writers start looking to write exploit code for it, but the additional functions may allow some of it to work, at least partially, which could lead to some very unexpected behaviors. It's just a potential problem we need to be aware of, one that could become more significant as KernelEX grows. When you get right down to it, this wouldn't be a KernelEX problem. Being targeted by all kinds of malicious code is just reality for NT systems. Adding NT functions to 9X systems gives them some of the NT systems' problems.

Thanks Rick, for providing some clarity to exactly the kind of issues that I think need to be aired. Perhaps they have already been aired here - please correct me if I'm wrong. But if so, I haven't seen it, and that's why I ask the questions. There are members here far better placed than I am to provide useful answers to the security-related questions that arise from a project like KernelEX.

Perhaps some sort of test case can be devised to see if a function vulnerable in NT, introduced to 9x by KernelEX, can be exploited on a 9x system, where before KernelEX was installed that system was not vulnerable.

The bare fact that you raise this question doesn't mean that there is any real danger.

This goes without saying, clearly.

Well, I'd better stop here. I guess I'm entering the ranting mode.

No, please continue with the rant!

Edited by bristols


Please! Here on MSFN, there is a world of assistance, both "official" and "unofficial".

As for "unofficial", one might expect that (more than likely) a "disassembler" has been used ("reverse engineering", which will not be admitted to, and a "patch", which may be admitted to), or the items may be written from "scratch". In either case, the particular "offering" is tested by the author on one or more systems and it is suggested that it be "tested" on any takers' systems. If a problem arises for any particular "taker", then it's usually reported and either the author attempts a correction or other "takers" will attempt to assist in the correction.

The implication in the topic at hand is that "newbies" (forgive me for the term) are haphazardly foisting "fixes" on the "general public". This is not true. Go look at the (e.g.) AutoPatcher for Windows 98SE thread and see for yourself that all participants understand the risks and accept them. Indeed, they attempt to solve the idiosyncrasies and, in most cases, surmount them.

Please do not imply that anyone intends to do harm to any other member's working system. Test it first. This is the way of a true programmer (abbreviated process listed) -

- Design
- Code
- Coder Test
- User test
- Acceptance
- Distribution

I was in the business for 19 years and never was anything just "distributed" without "testing". You already state that you're not a programmer, so please don't offend those of us who are, else you might never get the assistance you may someday seek. If you suspect unfriendly "unofficial fixes" (e.g. trojans), test them and find out for yourself, report the culprit and perpetrator, and have them banned.

So - rants? A little respect is due. Test? Up to you, but don't complain if you don't. Particular problem? Ask, and be obliged...

Forgot to mention re. KernelEX - as was stated, it is a project that is rigorously tested, and if you get your "copy" from any other source (same as with MS software "fixes"), you shoot your own foot...

Edited by submix8c

Perhaps some sort of test case can be devised to see if a function vulnerable in NT, introduced to 9x by KernelEX, can be exploited on a 9x system, where before KernelEX was installed that system was not vulnerable.

To my knowledge, this hasn't been discussed much or explored in any detail. System functions themselves are not vulnerable per se. They're used when the application (or malware) needs them. Allow me to rephrase your statement a little.

Perhaps some sort of test case can be devised to see if a core function of NT that's introduced into 9x by KernelEX can be used to exploit or infect a 9x system, where before KernelEX was installed, that system was not vulnerable to that malicious code.

When you include all the variants, there is somewhere around a half million pieces of malicious code. Testing anything more than a few examples would be impossible without a large number of employees who know what they're doing. Disassembling malware is well beyond my abilities and those of most people I know. Some of us here have small malware collections. It might be feasible to set up a standard 9X testbox and attempt to run the malware we have on it, keeping records of which ones affect a 9X system. Then install KernelEX and run them all again and see what changes. The absolute earliest I could even consider starting a project like that would be mid-winter. The most I would expect to see is a very small percentage of the malicious code for NT functioning as it was designed to. The added system functions are only one piece of a larger puzzle. The system files and their locations will be different than the malware writer coded for. Only some of the NT functions will be available. Others will not. Most malicious code for NT systems expects to find an NTFS file system, which won't be there. The processes and command switches that are normally present on an NT system won't be there or won't work. I'd expect to see some malware that partially functions, but not necessarily as it was designed to.

If KernelEX gets developed enough to go mainstream and get noticed by malware writers, then everything could change.

Rick


I don't think anyone who has a love for Win98se would try to hurt anyone (especially on a site like this).

If they are well known, I think it's OK to trust their stuff :)

Just the opposite happens against 98 users, as seen in many threads in this same forum.

Incredible but certain: 98 users are the enemy for many people.

It seems you must say WOW! or shut up.

Why? Are they MS shareholders?


Just the opposite happens against 98 users, as seen in many threads in this same forum.

Those "get with the times" comments do get old after a while. But now that Vista's out, XP users are starting to get the same treatment. I hope they enjoy hearing it as much as they enjoyed dishing it out to us.

Incredible but certain: 98 users are the enemy for many people. Why? Are they MS shareholders?

I think MS and companies that sell software view 98 users as bad for their bottom line. If they can convince people to stop using 98, they're more likely to get them to buy new hardware, software, and operating systems. Users have been fed a steady diet of propaganda regarding 98, starting with "it's so insecure", and have been led to believe that this alleged insecurity makes it a threat to their systems, like it carries a disease or something. The entertainment industry doesn't like 98. Making DRM part of the OS doesn't work so well when they can't stop the user from accessing it with DOS. I'm convinced that there are quite a few groups, companies, and agencies that view DOS and the access it gives users to everything as a threat to their agendas.

Perhaps more likely is the possibility that infected files might be unintentionally passed on to users through an unofficial patch, when a patch-maker's system is infected.

The chances of this happening are extremely small, even if the patch developer's system is infected. A malware writer would never expect his code to be spread via such a vector. The malicious code would have to be completely within the patch's files and would have to survive any/all modifications that might be made to the files. It could not perform any activity that might catch the attention of the developers, testers and users. It would have to work on systems that are set up differently than the typical 9X system. It would have to escape detection by all the parties' AVs and security packages. IMO, someone would have to be deliberately targeting this specific group of people, not just 98 users, and be good at it before it would be successful.

Rick


Perhaps more likely is the possibility that infected files might be unintentionally passed on to users through an unofficial patch, when a patch-maker's system is infected.

IMO one of the worst enemies of any computer user is that illness called "updatitis". You don't need to fix anything which works correctly. You need to search for a solution when you get into a real problem. So there's no need to patch anything except in the case that it goes wrong.

Taking this into account, the possibility of being infected by any virus nowadays is almost as small in Windows 98 as in Linux, because users are only about 1% of the total and it doesn't pay to create viruses for them.

On the opposite side, I've had a repeated experience of the message "kernelnt.dll not found", due to XP viruses which tried to infect Windows 98. In these cases the OS acted as an antivirus. This is one of the main reasons why I keep using Windows 98 instead of XP, which I also have installed on dual boot.
