Date: Wed, 7 May 2008 22:49:40 -0500
From: "J. Oquendo" <sil@...iltrated.net>
To: Paul Schmehl <pauls@...allas.edu>
Cc: full-disclosure@...ts.grok.org.uk, butraq@...urityfocus.com
Subject: Re: Microsot DID DISCLOSE potential Backdoor

On Wed, 07 May 2008, Paul Schmehl wrote:

> And that relates to the MSRT how?

Relates to MSRT sending your information. It only sends information
when it finds something. I never stated it sends all your information
all the time.

> Now you're being silly.  You're claiming that *realtime connection 
> information* is included in the data that is sent but without any grounds 
> to do so and despite Microsoft's claims to the contrary.  And without any 
> proof.
> 

Pick up a dev machine, load it with malware, run MSRT, and sniff it. You'll
see what it sends, and remember LEA uses IP as an identifier, bottom line.

> You might try it some time.  Getting the facts beats wild speculation and 
> hyperbole every time.  I just installed MSRT on my laptop and ran it while 
> Wireshark was monitoring all external communications.  It sent exactly 
> *zero* information to MS.

It sent zero information because it did not detect anything malicious.
As for paranoia, it has nothing to do with paranoia. Facts.
Fact 1) Is MS sending information from your machine to them? Yes.
Fact 2) If something malicious is detected on your machine, will it go
to MS? Yes.
Fact 3) Will they share information obtained from YOUR machine via YOUR
IP address with LEA? According to the MS spokesman they will.
Fact 4) Can LEA correlate the information sent from your machine to an
IP address? Yes.

Go back and look at the information MS is obtaining; it's in the log file.
So, looking at Sasser, let's fiddle with this:

 
Quick Scan Results:
----------------
Found virus: Win32/Sasser.A.worm in file://C:\WINDOWS\avserve.exe
Found virus: Win32/Sasser.A.worm in regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe
Found virus: Win32/Sasser.A.worm in runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe
Found virus: Win32/Sasser.A.worm in file://C:\WINDOWS\avserve.exe
 
Quick Scan Removal Results
----------------
Start 'remove' for regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe
Operation succeeded !
 
Start 'remove' for runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe
Operation succeeded !
 
Start 'remove' for file://\\?\C:\WINDOWS\avserve.exe
Operation succeeded !
 
Results Summary:
----------------
Found Win32/Sasser.A.worm and Removed!
 
Return code: 6
Microsoft Windows Malicious Software Removal Tool Finished On Mon Mar 19 13:15:57 2007

(from their website).

Now, according to their article and common logic, they stated that they
obtained samples of the infection to track the CNC of a botnet. How they
got this is up in the air, but with their forced update history, it's
possible that on detection they can actually send avserve.exe right back to
themselves.

Anyhow, so I create something crafted to implicate you: using my previous
analogy of being a botnet CNC owner, my program implicates your network and
you take the fall. People pull Joe Jobs all the time.

> Not all of us are consumed by paranoia and unfounded fears.  Some of us 
> actually approach security from a rational, intelligent perspective and 
> attempt to mitigate risks to the best of our abilities while accepting the 
> fact that we can't stop every attack.

A Joe Job is an unfounded fear? How about poisoning the well? What happens
if someone reading this decides to put it to the test, nullifying any
verifiable, concrete snapshots with garbage? Then what will become of the
tool? e-Garbage truck?

> I don't consider fantasizing about bogeymen "thinking outside the box".

Fantasizing has nothing to do with reality. People are paying top dollar
in life to screw someone all the time, whether it's online or not. This is
another stupid mechanism someone can use. It's a flawed concept, albeit a
nice idea.


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
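As an added example, not part of the original post and not code from MSRT, here is a parser for the log format quoted above, using the Sasser.A excerpt as embedded sample input; it shows exactly what such a log records (threat names, file and registry locations, removal outcomes, return code), which is the data the thread is arguing about. The section headers and the meaning of return code 6 are not interpreted; only the lines present in the excerpt are parsed.

```python
import re
from collections import Counter

# Constructed sample: the MSRT log lines quoted in the post (Sasser.A), with
# blank lines and section headers dropped, embedded so the parser runs offline.
SAMPLE_LOG = r"""Found virus: Win32/Sasser.A.worm in file://C:\WINDOWS\avserve.exe
Found virus: Win32/Sasser.A.worm in regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe
Found virus: Win32/Sasser.A.worm in runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe
Found virus: Win32/Sasser.A.worm in file://C:\WINDOWS\avserve.exe
Start 'remove' for regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe
Operation succeeded !
Start 'remove' for runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe
Operation succeeded !
Start 'remove' for file://\\?\C:\WINDOWS\avserve.exe
Operation succeeded !
Return code: 6
Microsoft Windows Malicious Software Removal Tool Finished On Mon Mar 19 13:15:57 2007
"""

FOUND_RE = re.compile(r"^Found virus: (\S+) in (\w+)://(.+)$")      # threat, kind, location
REMOVE_RE = re.compile(r"^Start 'remove' for (\w+)://(.+)$")       # kind, location
RC_RE = re.compile(r"^Return code: (\d+)$")
FINISHED_RE = re.compile(r"Finished On (.+)$")

def parse_mrt_log(text):
    """Structured view of an MSRT log: detections, removal outcomes, return code."""
    report = {"detections": [], "removals": [], "return_code": None, "finished": None}
    pending = None  # the 'Start remove' entry still waiting for its Operation line
    for line in text.splitlines():
        line = line.strip()
        if m := FOUND_RE.match(line):
            report["detections"].append({"threat": m[1], "kind": m[2], "location": m[3]})
        elif m := REMOVE_RE.match(line):
            pending = {"kind": m[1], "location": m[2], "succeeded": None}
            report["removals"].append(pending)
        elif line.startswith("Operation ") and pending is not None:
            pending["succeeded"] = line.startswith("Operation succeeded")
            pending = None
        elif m := RC_RE.match(line):
            report["return_code"] = int(m[1])
        elif m := FINISHED_RE.search(line):
            report["finished"] = m[1]
    return report

def summarize(report):
    """Glance view: unique threats, hits per location kind, did every removal succeed?"""
    return {"threats": sorted({d["threat"] for d in report["detections"]}),
            "by_kind": dict(Counter(d["kind"] for d in report["detections"])),
            "all_removed": bool(report["removals"]) and all(r["succeeded"] for r in report["removals"])}
```

Note that the same file path is reported twice in the excerpt, so the per-kind counts reflect log entries, not unique artefacts.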
