Bugtraq mailing list archives

Re: How the MS Critical Update Notification works...


From: hdmoore () USA NET (HD Moore)
Date: Fri, 29 Jan 1999 12:36:02 -0600


Erik Parker wrote:

This was useful in a way. Except for a couple things. Did you run this
multiple times? Because it doesn't always have the strange nature.

I also think the fact that it tries to resolve that hostname every 5
minutes is totally uncalled for. It should check to see if there is a
dialup connection, or some kind of tcp/ip available, and THEN try to
resolve. That isn't a MAJOR performance problem, but if someone is running
Windows 98 on a 486/33 (yes, I hear there are people out there like that),
they need every bit of process time they can get.

Thanks for the insight though. Is windowsupdate.microsoft.com the only
host it tries to connect to?

Microsoft also purchased windowsupdate.com, which will most likely take
over that address at some point.  The entire thing still seems fishy.

I dumped the update connections from 3 separate hosts on the same
network, showing the same behavior in each.  If someone else has a
different experience, I would like to hear about it.  Also, the update
tool may not be directly trying to resolve the update server address,
but using a high-level Inet API call that would do the same while
attempting to make a connection.  The entire system seems horribly
inefficient, as the updating machine needs to download the entire list of
updates every time it wants to check for new ones.  The worst part about
all of this is that every single Windows 98 computer that wishes to get
an update has to rely on a single host for the security.  If that one
server got compromised one day, or an attacker cracks the MS DNS server
again, there could be millions of users installing trojans every hour.
The scope of this attack is big enough to attract crackers who actually
know what they are doing...


Brian Hayward wrote:

So the weakest link here is the nameserver.  If someone is able to
compromise your nameserver.

I wonder what type of validation is done within the update utility.
Does it check to see if the resolved address is indeed a valid microsoft
IP address, or are there any other security checks that prevent
installation of updates from a non-microsoft site?

---

Even if someone was able to compromise the DNS server or drop a false
address for it in your hosts file, they would need to create a copy of
Microsoft's site to fool the Win98 users into downloading a look-alike
ActiveX control to control the updates.  The real M$ control is signed
with VeriSign; the lack of this signature should clue in the user that
something is wrong.  To create a 'trojan' update you would need to do
the following:


1) Compromise the DNS server or their hosts file.
2) Create a cab + cucif.cif file with their trojan added.
3) Create (or reuse) the ActiveX update component; reusing it seems
simple enough and would maintain the signature.
4) Discover the locations of the update files on the real server and
place their trojan in the same location on the spoofing server.

This is just one scenario, but the point is that spoofing
windowsupdate.microsoft.com is just the beginning, and as I have replied
to numerous e-mails, not quite as easy as it seems at first. As Mr.
Parker said, this entire setup seems kinda fishy...
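As an added illustration of the validation Brian Hayward asks about (this is not code from the thread, from Microsoft's updater, or from any of the posters), the model below shows an update client that trusts a pinned publisher public key rather than whichever host the update server name resolved to. A Lamport one-time signature over SHA-256 stands in for the VeriSign/Authenticode signature mentioned above; the catalog plays the role of the thread's cucif.cif and lists the hash of each cab. The file name, payloads and keys are all constructed placeholders.

```python
import hashlib
import os

# Added model, not Microsoft's updater: a Lamport one-time signature scheme
# built on SHA-256 stands in for the Authenticode/VeriSign signature the
# thread mentions. The installer trusts a pinned publisher PUBLIC key, not
# whichever host DNS resolved windowsupdate.microsoft.com to.
HASH_BITS = 256


def lamport_keygen():
    """Secret key: 256 pairs of random 32-byte preimages. Public key: their SHA-256 hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(HASH_BITS)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(message):
    """Bits of SHA-256(message), most significant first."""
    n = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(n >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def lamport_sign(sk, message):
    """Reveal one preimage per digest bit. A Lamport key must sign only ONE message."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pk, message, signature):
    """True only if every revealed preimage hashes to the committed value for that bit."""
    if len(signature) != HASH_BITS:
        return False
    return all(
        hashlib.sha256(preimage).digest() == pk[i][bit]
        for i, (preimage, bit) in enumerate(zip(signature, _digest_bits(message)))
    )


def build_catalog(files):
    """Constructed stand-in for cucif.cif: one 'name sha256hex' line per cab."""
    lines = [f"{name} {hashlib.sha256(blob).hexdigest()}" for name, blob in sorted(files.items())]
    return "\n".join(lines).encode()


def install_from_server(server, pinned_pk):
    """Install only what the pinned publisher key vouches for.

    server is a dict {"catalog": bytes, "signature": list, "files": {name: bytes}}
    standing in for whatever host the client was steered to. Returns the list
    of installed file names; raises ValueError on any verification failure.
    """
    if not lamport_verify(pinned_pk, server["catalog"], server["signature"]):
        raise ValueError("catalog signature does not verify against the pinned publisher key")
    installed = []
    for line in server["catalog"].decode().splitlines():
        name, expected = line.split()
        blob = server["files"].get(name)
        if blob is None or hashlib.sha256(blob).hexdigest() != expected:
            raise ValueError(f"{name}: contents do not match the signed catalog")
        installed.append(name)
    return installed


# Constructed publisher key and update set (name and payload are placeholders).
PUBLISHER_SK, PUBLISHER_PK = lamport_keygen()
GENUINE_FILES = {"example-update.cab": b"constructed genuine update payload"}
GENUINE_CATALOG = build_catalog(GENUINE_FILES)
GENUINE_SIGNATURE = lamport_sign(PUBLISHER_SK, GENUINE_CATALOG)


def run_scenarios():
    """Three servers the client might be pointed at; only the first should install."""
    genuine = {"catalog": GENUINE_CATALOG, "signature": GENUINE_SIGNATURE, "files": GENUINE_FILES}
    # A look-alike host replays the real signed catalog but serves a different cab.
    swapped = {"catalog": GENUINE_CATALOG, "signature": GENUINE_SIGNATURE,
               "files": {"example-update.cab": b"constructed altered payload"}}
    # A look-alike host publishes its own catalog signed with its own key.
    other_sk, _ = lamport_keygen()
    other_files = {"example-update.cab": b"constructed altered payload"}
    other_catalog = build_catalog(other_files)
    own_key = {"catalog": other_catalog, "signature": lamport_sign(other_sk, other_catalog),
               "files": other_files}

    results = {}
    for label, server in (("genuine", genuine), ("swapped_cab", swapped), ("own_key", own_key)):
        try:
            results[label] = install_from_server(server, PUBLISHER_PK)
        except ValueError as err:
            results[label] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label}: {outcome}")
```

The point of the model is where the trust sits: the name the catalog was fetched from never enters the decision, so a poisoned DNS answer or hosts-file entry on its own yields a rejected install rather than a trojan. Two caveats apply to mapping this onto the real updater. A Lamport key signs exactly one message, whereas Authenticode uses a certificate chain and a long-lived key, so the stand-in only models the verification step, not key management. And the check protects users only if the client enforces it; if, as the post above suggests, it is left to the user to notice a missing signature, the defence is only as good as the user's attention.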


