"2. Append the pair with the second hard-coded 16-byte salt and bytes 0x15, 0x00" and assuming point 2 of my message above:
This gives a fingerprint of all actually used programs. This fingerprint should be specific in the range of 1 to 10^(-7).
If so specific, it limits the scope to preconfigured systems, which are NOT run under user control.
Might it be that those targets are embedded systems like ATMs, mobile base stations and again SCADA systems?
Supposedly an administrator could send an update that inserts random files in Program Files to foil the system identification method, but given that the attacker has such detailed information about the target systems, this seems like a temporary measure at best.
Edit: It looks like the code is only looking for a specific filename. In that case, the only way to thwart this is to rename that file (and fix any issues that this would cause).