Security Incidents mailing list archives

Re: strange software > winsupdater.exe


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 18 Mar 2005 09:30:59 +1300

Valdis to Harlan:

>> However, you _can_ get a warm fuzzy if the file has
>> the MS file version information compiled into it.

> And you verify the authenticity of your warm fuzzy how, exactly?

Rumour has it that MS will be making its WarmFuzzy Verifier beta release
within a month...

> const char MS_version[] = "bogus MS file version info goes here";

Well, it is done a bit differently from that, but the basic idea is 
right.

And it's already been done.  Heaps.  Especially by some of the adware 
developers...

> (Remember - we've already had major worms that crafted a totally bogus
> "X-Virus: scanned by" header claiming a real AV had scanned it....)

Yep -- even the skiddies have thought of this level of trivial 
deception.

>> That warm fuzzy can be increased if the file is
>> digitally signed by MS.

> First, go back and re-read http://www.cert.org/advisories/CA-2001-04.html

8-)

> Second, remember that you're worried that the machine is compromised - and
> you're asking it to verify the signature.  Again, if the box is compromised,
> the DLL that verifies signatures could be backdoored as well.

Indeed, although to date I certainly haven't seen this done and don't 
recall hearing of this level of deception.  It's probably not far off 
though -- it would be a trivial addition to any of the modestly clever 
rootkits, but does not require that degree of complexity.


Regards,

Nick FitzGerald
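The check the thread argues about, done the way Valdis says it has to be done, as an added example that is not from this thread or from either poster: copy the suspect file to a known-clean analysis host and inspect its version resource, its Authenticode signature and its hash there, never on the machine you suspect. The function name, the quarantine path and the expected signer prefix are assumptions.

```powershell
# Added example, not from the thread. Run on a known-clean analysis host against a
# COPY of the suspect file: as the thread notes, a signature check performed on a
# possibly compromised machine proves nothing, because the verifier itself may lie.
function Test-SuspectBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,                  # copy of the suspect file
        [string] $ExpectedSigner = 'CN=Microsoft Corporation'   # assumed: subject prefix you expect
    )
    $item = Get-Item -LiteralPath $Path
    $ver  = $item.VersionInfo   # VS_VERSIONINFO resource: anyone can compile these strings in
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Version info is only a claim. The signature is the only part that is hard to forge,
    # and only counts when Status is Valid (chain to a trusted root, hash intact) AND the
    # signer is the vendor you expected, not merely whoever the version strings name.
    $signedByExpectedVendor = ($sig.Status -eq 'Valid') -and
                              $signer -and $signer.StartsWith($ExpectedSigner)

    # A vendor named in the version resource that does not match the actual signer is the
    # "bogus MS file version info" case the thread describes.
    $claimMatchesSigner = $signer -and $ver.CompanyName -and
                          $signer.StartsWith("CN=$($ver.CompanyName)")

    [pscustomobject]@{
        File               = $item.FullName
        Sha256             = $hash               # compare out of band with a known-good hash
        ClaimedCompany     = $ver.CompanyName
        ClaimedProduct     = $ver.ProductName
        ClaimedVersion     = $ver.FileVersion
        SignatureStatus    = $sig.Status         # NotSigned / HashMismatch / NotTrusted / Valid
        Signer             = $signer
        Timestamped        = [bool] $sig.TimeStamperCertificate
        ClaimMatchesSigner = [bool] $claimMatchesSigner
        Trustworthy        = [bool] $signedByExpectedVendor
    }
}

# Example call; the quarantine path is a placeholder for wherever the copied sample lives.
Test-SuspectBinary -Path 'C:\quarantine\winsupdater.exe' | Format-List
```

A file that reports a Microsoft CompanyName but comes back NotSigned, or Valid with a signer that is not Microsoft, is exactly the "warm fuzzy" with nothing behind it; only Trustworthy = True plus a hash that matches a reference obtained from a trusted source should change your mind about the box.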

