@rms The "CrowdStrike" software can be summed up as a kernel-rootkit antivirus.
Via a remote control mechanism, "CrowdStrike" regularly automatically downloads updated "signature definition" files, which are parsed by a kernel module that looks for matching "signatures" of attacks and is meant to stop them or something.
"CrowdStrike" pushed out a corrupted definition file to pretty much every woedows computer in the botnet, which the parsing NT kernel module will choke on and try to access low kernel memory that it wasn't allowed to access - due to the unprofessional design of the NT kernel, this triggers a bluescreen and a shutdown, rather than it trying to handle the error.
As the buggy kernel driver is loaded not long after boot (aside from in safe mode), every time such an affected woedows computer boots, the bluescreen would happen again - with the "fix" being to either boot up into "safe mode" (quite bothersome if bitlocker is enabled, as often a unique 48-character password is required to access "safe mode" on such computers) and to delete the corrupted definition files, or to reboot 15+ times and hope new definition files are fetched and overwrite the corrupted files before it crashes.
I wrote a buggy kernel module for Linux-libre, the kernel, that dereferences a NULL pointer (a similar kind of bug) and as that is a professionally written kernel, it just dumps an error to dmesg and does not crash.
"CrowdStrike" is also available for GNU/Linux, where it was previously a Linux module (which was known for causing kernel panics often due to terrible programming), but now it's an eBPF program - which is a VM designed to try to make it impossible for programs that are run to crash or exploit Linux - but I'm sure "CrowdStrike" will eventually accidentally pull that feat off.
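The failure mode described in the post, a kernel-side parser that trusts a corrupted definition file and reads memory it should not, is illustrated below with an added example that is not from the post and uses a constructed toy file layout, not CrowdStrike's real format: a bounds-checked parser returns an error code for a corrupt file, and a helper computes (rather than performs) the overrun a trusting parser would commit.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy "definition file" layout (hypothetical, not CrowdStrike's):
 * 4-byte magic "DEF1", 4-byte little-endian entry count, then `count`
 * 8-byte entries whose first 4 bytes are a nonzero rule id. */
#define DEF_MAGIC   0x31464544u   /* bytes 'D','E','F','1' read little-endian */
#define HDR_SIZE    8u
#define ENTRY_SIZE  8u
#define MAX_ENTRIES 4096u         /* sanity cap chosen for this example */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_BAD_MAGIC,
                    PARSE_BAD_COUNT, PARSE_BAD_ENTRY };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened parser: every read is checked against len before it happens, so a
 * corrupt file yields an error code instead of a wild memory access. */
enum parse_status parse_defs(const uint8_t *buf, size_t len, uint32_t *n_entries)
{
    if (buf == NULL || len < HDR_SIZE) return PARSE_TRUNCATED;
    if (rd32(buf) != DEF_MAGIC)        return PARSE_BAD_MAGIC;
    uint32_t count = rd32(buf + 4);
    if (count > MAX_ENTRIES)           return PARSE_BAD_COUNT; /* bounds the multiply below */
    if ((size_t)count * ENTRY_SIZE > len - HDR_SIZE) return PARSE_TRUNCATED;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + HDR_SIZE + (size_t)i * ENTRY_SIZE;
        if (rd32(e) == 0) return PARSE_BAD_ENTRY;     /* rule id must be nonzero */
    }
    if (n_entries) *n_entries = count;
    return PARSE_OK;
}

/* Bytes a parser that blindly trusts the header's count would read past the
 * end of the buffer. Computed, not performed: performing it is the bug. */
size_t overrun_if_trusted(const uint8_t *buf, size_t len)
{
    if (len < HDR_SIZE) return HDR_SIZE - len;
    size_t want = HDR_SIZE + (size_t)rd32(buf + 4) * ENTRY_SIZE;
    return want > len ? want - len : 0;
}

/* Convenience wrapper: parsed entry count, or 0 when the file is rejected. */
uint32_t parsed_count(const uint8_t *buf, size_t len)
{
    uint32_t n = 0;
    return parse_defs(buf, len, &n) == PARSE_OK ? n : 0;
}

/* Constructed sample inputs. */
const uint8_t good_file[]    = { 'D','E','F','1', 2,0,0,0,
                                 1,0,0,0, 0xAA,0xBB,0xCC,0xDD,
                                 2,0,0,0, 0x11,0x22,0x33,0x44 };
const uint8_t corrupt_file[] = { 'D','E','F','1', 0xE8,0x03,0,0,   /* claims 1000 entries */
                                 1,0,0,0, 0xAA,0xBB,0xCC,0xDD };   /* only one present */
const uint8_t zero_file[16]  = { 0 };                              /* all zeros: no magic */
```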