Re: ISS Internet Scanner Cannot be relied upon for conclusive

[dleblanc () MINDSPRING COM (David LeBlanc)]

At 07:37 PM 2/10/99 +1100, Darren Reed wrote:
> In some mail from David LeBlanc, sie said:

> > We check file dates when checking for NT patches, and would catch your
> > example.

> I don't see how that can be considered "adequate".

Because it is going to be accurate on 99+% of NT systems.  The file
timestamps are all the same when you install a hotfix.  If you _really_
want to be sure no one has put trojans on a box, you need to baseline the
system (our system scanner does this, as does tripwire, and others).

> However, going back to "cops" (could be considered to be the origin of
> such processing), it appears it performed the same evil.

> For .dll's and friends which are supplied with service packs, I can't
> see why you would not use a cryptographic checksum to ensure that the
> file there is what you think it is.

This is because it is a huge amount of work to keep up with all of this.
We do exactly this when checking for trojan password filters for exactly
this reason.  In that case, it is important enough to detect trojan
versions to bother with worrying about whether MS shipped a new one with
the latest service pack (for example, there are 4 valid versions of
nwpwclnt.dll on Intel alone).  The odds of finding a trojan ntoskrnl.exe
are pretty slim.  OTOH, someone might read on a web page somewhere that we
only check file size on a password filter, so they make sure the trojan has
the same size as the real one, then we checksum it and bust them 8-)




David LeBlanc
dleblanc () mindspring com