
Executable Archaeology: The Case Of The Stupid Thing Eating All My RAM - gluxon
http://www.veracode.com/blog/2013/05/executable-archaeology-the-case-of-the-stupid-thing-eating-all-my-ram/
======
IvyMike
I would like to see the bug report. "BUG12345: Shaking my computer results in
a loss of available memory".

~~~
kens
That reminds me of the famous Sun Microsystems discovery that shouting at hard
drives increases their latency (for real):
<http://www.youtube.com/watch?v=tDacjrSCeq4>

------
0x0
I find it incredible that Microsoft would allow OEMs to preload software like
this. The end user experience and impression of Windows 8 takes a brutal hit.

~~~
Fizzer
Microsoft does work at eliminating this kind of thing. They clearly just
missed this one.

Microsoft's main source of control over OEMs is the logo program. All laptops
that want to get the "Designed for Windows" sticker (logo) have to pass a
minimum bar set by Microsoft, which includes things like "must boot within X
seconds" or "must sleep within Y seconds", "must output the correct audio
frequencies", etc. My guess is none of the logo tests invoke the accelerometer
which is why this got missed.

The logo program is great in theory, but in practice it doesn't work too well
since consumers don't care about the sticker. Therefore, if Microsoft makes
the requirements too high, OEMs will simply stop trying and just sell their
laptops without a sticker.

~~~
Someone
I care about that sticker; I don't like it. Especially with laptops, those
stickers (you may get an 'Intel inside' one, too) look ugly. Removal also
typically is hard, as the stickers are designed to look good for years.

By the way, I remember reading somewhere that Dell at one time compared the
benefits of being in such a program with the cost of applying such a sticker,
and found it wasn't worthwhile to take part in that sticker program. Anybody
know whether that is true?

~~~
RobAley
I don't know, but my dell box has a windows 7 sticker on (running Ubuntu, of
course), so someone somewhere in Dell/Microsoft clearly made it worthwhile...

------
fletchowns
Very neat discovery and great write-up about it! Were you able to get in touch
with somebody at "Spacer" to let them know about the mistake? If so, are they
going to correct it?

------
csallen
Why protect the guilty "Spacer"?

~~~
abadidea
[author here] I'm not supposed to directly call out corporations for mistakes
in public because then their feelings will be hurt and they won't be a
customer in the future ;)

I was kind of expecting someone to tell me "Spacer" was too obvious and to
obfuscate it some more, but they let it slide - probably because this is not a
security flaw like I'd usually be dropping, just a general oopsie.

~~~
DanBC
Do userland utilities like this have the potential for big scary security
holes? Or is Windows 7 / 8 better than that now?

~~~
rainforest
In a sense Windows (Vista) and 7 and 8 have encouraged targeting user-mode
processes. The garden variety IRC bots that ship with the "hacking tools"
available through various YouTube channels all run in user-mode.

The most common (at least based on my ~10 instances) technique is malware that
installs itself into %APPDATA% and sets itself to start on boot. The
executable then launches some process (like services.exe) and injects its own
code (known as RunPE).

I'm not sure how prolific exploitation of user-mode binaries is, but the
damage that can be done from user-mode is non-trivial.
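
As an added illustration of the persistence pattern described in the comment above (this is editor-added example code, not code from the thread or from the Veracode post), the following Python triage check walks a set of Run-key autostart values and flags any whose command line references a file under the user-writable %APPDATA% or %LOCALAPPDATA% trees. The Run-key entries and the environment map are constructed sample data; on a real host you would read HKCU\Software\Microsoft\Windows\CurrentVersion\Run with winreg and take the roots from os.environ. Function and variable names are the example's own. A hit is a triage signal, not proof of malware: plenty of legitimate per-user installers also live there, which is exactly why the pattern blends in.

```python
import ntpath
import re

# Constructed per-user environment (assumption: a real scan reads os.environ).
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
}

# Constructed sample of HKCU\...\Run values as (value name, command line).
RUN_ENTRIES = [
    ("VendorTray", r'"C:\Program Files\Vendor\Tray.exe" /minimized'),
    ("Updater", r"%APPDATA%\svchost\svchost.exe -s"),
    ("Java Update", r"C:\Users\alice\AppData\Roaming\Java Update\jucheck.exe /quiet"),
    ("Helper", r'rundll32.exe "%LOCALAPPDATA%\Temp\helper.dll",Start'),
    ("CloudSync", r'"C:\Users\alice\AppData\Local\CloudSync\CloudSync.exe" /background'),
]

EXEC_EXTS = (".exe", ".com", ".scr", ".bat", ".cmd", ".dll", ".vbs", ".js", ".ps1")
PATH_LIKE = re.compile(r"^(%[^%]+%|[A-Za-z]:\\|\\\\)")  # %VAR%..., C:\..., \\server\...


def expand_env(s, env):
    """Expand %VAR% references using the supplied mapping (offline, deterministic)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), s)


def tokenize(cmd):
    """Split a command line into tokens; double-quoted runs stay whole."""
    return [q if q else b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def extract_paths(cmd):
    """Return the path-like candidates in a Run-key command line.

    Quoted strings are taken whole. Unquoted tokens are joined up to the first
    token that ends in an executable extension, so an unquoted path containing
    spaces (a common sloppy-installer pattern) is still recovered intact."""
    candidates, buf = [], []
    for tok in tokenize(cmd):
        if tok.startswith("%") or ("\\" in tok and " " in tok):
            # Came from a quoted run (quotes already stripped by tokenize).
            if buf:
                candidates.append(" ".join(buf))
                buf = []
            candidates.append(tok)
            continue
        buf.append(tok)
        if tok.lower().endswith(EXEC_EXTS):
            candidates.append(" ".join(buf))
            buf = []
    if buf:
        candidates.append(" ".join(buf))
    return [c for c in candidates if PATH_LIKE.match(c)]


def is_under(path, root):
    """Case-insensitive check that `path` lies inside directory `root`."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def scan_run_entries(entries, env, roots=("APPDATA", "LOCALAPPDATA")):
    """Map each flagged value name to the offending (expanded) path."""
    root_dirs = [env[r] for r in roots if r in env]
    flagged = {}
    for name, cmd in entries:
        for cand in extract_paths(cmd):
            full = expand_env(cand, env)
            if any(is_under(full, rd) for rd in root_dirs):
                flagged[name] = full
                break
    return flagged


if __name__ == "__main__":
    for name, path in scan_run_entries(RUN_ENTRIES, ENV).items():
        print(f"[autorun in user-writable dir] {name}: {path}")
```

The rundll32 case is the reason the check looks at every path-like token rather than only the first: the executable itself is a trusted system binary, and the payload is the DLL argument. Expanding %VAR% references before matching catches entries that hide the real location behind an environment variable.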

------
dools
A perfect example of why you should never use foul language in your code -
even if it's not meant for production ;)

~~~
mark-r
I work with a guy who left some scathing comments in the code about the
incompetence of the vendor he was forced to work with. Interesting times
ensued when our company was bought by theirs and they started looking through
the source.

------
joseph_cooney
Interesting article. There are better ways of looking at memory allocations in
.NET code, however, including CLR allocation profiler, WinDBG, VMMap, and
tools from Telerik, Jetbrains, ANTS etc that take away a lot of the guess
work. Still, kudos to the author for not doing an immediate re-pave.

~~~
abadidea
Author here! I work in/study static analysis, so "running the program" would
be entirely defeating the fun ;)

~~~
joseph_cooney
Right! Your comment re: special tools in the article now makes more sense.

------
ErikRogneby
Thank you. This was a fun read.

------
gluxon
To the author: Saw this on comex's Twitter and got a good kick out of it. My
first surprise was that HN didn't already have this submitted. My second was
it reaching first page in 3 hours.

:)

------
smaili
If I were you I would be thankful that there were memory issues, otherwise you
wouldn't even have discovered this malware! :)

~~~
ars
It's not malware - it's nothing ware. It does nothing at all except use
memory. If there were no memory issue then it _really_ wouldn't do anything.

Like this machine: <http://mentalfloss.com/article/24670/machine-turns-itself>

~~~
caf
Kind of like an electronic benign tumour.

------
primitur
Am I the only one who thinks this is _obviously_ a ploy to sell more RAM to
the _angry_ users!?!@?

