Hacker News

Someone1234 today at 4:34 PM (3 replies)

I understand your point, but I'm struggling to see how this could be weaponized. Keep in mind that these DOS-compatible drive letters need to map to a real NT path endpoint (e.g. a drive/volume), so it isn't clear how the malware could both have a difficult-to-scan DOS tree while also not exposing that same area elsewhere for trivial scanning.


Replies

rwmj today at 5:34 PM

I'm betting there's some badly written AV software out there which will crash on non-standard drive letters, allowing at least a bit of mayhem.

avidiax today at 7:59 PM

Not sure if it is natively supported, but the malware can just decrypt a disk image to RAM and create a RAM disk mounted to +. Or it can maybe have a user space driver for a loop device, so the sectors of the drive are only decrypted on the fly.

It would likely break a lot of analysis tools and just generally make things very difficult.

buzer today at 6:20 PM

The recovery partition might work if it exists.