@moira @dangoodin @matrosov I finally had time to read it; the article says this can be done so it's not visible. It also mentions just registering the SHA-256 hash of legit logo files and scanning for those. This could be added to AV pretty easily as well, right, so an unexpected logo file is detected quickly, although I suppose the malware could try to hide itself from scanning.
Once malware gets to a fundamental level of the system, it's hard for subordinate levels to kick it out.
@raven667 @dangoodin @matrosov Well yeah, it can be done without being visible - _by replacing the image with your sabotaged one, which shows the same image but also has the payload_. Or that's how I read it.
The point is to have a non-standard image in there first so that if it swaps in what looks like the standard image, you know _something_ has happened. You don't know what, and it doesn't stop it - it's just an alarm of sorts.
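Both posts above describe the same check from two angles: register the SHA-256 of the logo file you deliberately installed, and treat anything else in that slot (an unknown file, or the stock vendor image reappearing) as a signal worth alarming on. The following is an added example, not code from the thread or from the article it discusses; the logo bytes, the file names and the stock-logo hash are constructed stand-ins, and real firmware logo paths and image formats are assumed rather than taken from the page.

```python
import hashlib

# Constructed sample "logo" blobs standing in for real image files (assumption:
# a real check would read the actual BMP/PNG bytes from the firmware volume).
CUSTOM_LOGO = b"BM custom-site-logo-v1"      # the non-standard image you installed
VENDOR_LOGO = b"BM vendor-default-logo"      # the stock image the firmware shipped with


def sha256_hex(data: bytes) -> str:
    """Return the hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Allowlist: only the hash of the logo you put there on purpose is "ok".
EXPECTED_HASHES = {sha256_hex(CUSTOM_LOGO)}

# Hashes of stock logos. Seeing one of these where your custom logo should be
# means the file was swapped back to something that merely looks standard.
KNOWN_STOCK_HASHES = {sha256_hex(VENDOR_LOGO)}


def classify_logo(data: bytes) -> str:
    """Classify one logo file as 'ok', 'replaced-with-stock' or 'unexpected'."""
    digest = sha256_hex(data)
    if digest in EXPECTED_HASHES:
        return "ok"
    if digest in KNOWN_STOCK_HASHES:
        return "replaced-with-stock"
    return "unexpected"


def scan_logos(files: dict) -> dict:
    """Classify every (name -> bytes) entry; returns only the entries that need attention.

    `files` is a constructed in-memory stand-in for a directory listing so the
    example runs offline; swap in real file reads for a deployed check.
    """
    findings = {}
    for name, data in files.items():
        verdict = classify_logo(data)
        if verdict != "ok":
            findings[name] = verdict
    return findings


if __name__ == "__main__":
    # Constructed sample "directory": one good file, one swapped back, one unknown.
    sample = {
        "logo_good.bmp": CUSTOM_LOGO,
        "logo_reverted.bmp": VENDOR_LOGO,
        "logo_tampered.bmp": b"BM vendor-default-logo" + b"\x00extra",
    }
    for name, verdict in scan_logos(sample).items():
        print(f"ALERT {name}: {verdict}")
```

As the second post notes, this is an alarm rather than a block: a match to the stock hash tells you something replaced your image, and an unknown hash tells you the file changed, but neither says what else changed, and code that already runs below the scanner can try to feed it clean bytes. Storing the allowlist and running the scan from a position the firmware cannot tamper with (or at least from a separate host) is what gives the check any weight.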