Security Incidents mailing list archives
Re: strange software > winsupdater.exe
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 18 Mar 2005 09:30:59 +1300
Valdis to Harlan:
> > However, you _can_ get a warm fuzzy if the file has the MS file
> > version information compiled into it.
>
> And you verify the authenticity of your warm fuzzy how, exactly?
Rumour has it that MS will be making its WarmFuzzy Verifier beta release within a month...

>     const char MS_version[] = "bogus MS file version info goes here";
Well, it is done a bit differently from that, but the basic idea is right. And it's already been done. Heaps. Especially by some of the adware developers...
> (Remember - we've already had major worms that crafted a totally bogus
> "X-Virus: scanned by" header claiming a real AV had scanned it....)
Yep -- even the skiddies have thought of this level of trivial deception.
> > That warm fuzzy can be increased if the file is digitally signed by MS.
>
> First, go back and re-read http://www.cert.org/advisories/CA-2001-04.html
8-)
> Second, remember that you're worried that the machine is compromised - and
> you're asking it to verify the signature. Again, if the box is compromised,
> the DLL that verifies signatures could be backdoored as well.

Indeed, although to date I certainly haven't seen this done and don't recall hearing of this level of deception. It's probably not far off though -- it would be a trivial addition to any of the modestly clever rootkits, but does not require that degree of complexity.

Regards,

Nick FitzGerald
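The point both posters are making (that "Microsoft Corporation" in a file's version info is just resource bytes anyone can compile in, and that the only check worth anything is one run from a box you still trust) is easier to see by pulling the VS_VERSIONINFO block apart. The script below is an added example, not code from the thread or from Microsoft. It builds a constructed version resource claiming to be a Microsoft component, parses it back out the way a tool would from a real file, and reports the SHA-256 of the whole image alongside the strings. Assumptions: the sample blob and the fake "MZ" image are constructed here, not taken from any real binary; locating the block by scanning for the "VS_VERSION_INFO" key is a shortcut that skips walking the PE resource directory (it finds the first such key in the file, which for a normal binary is the one in .rsrc).

```python
"""Parse a PE file's VS_VERSIONINFO and show its strings are arbitrary data.
Added example, not from the thread. The sample resource and fake image are
constructed here; the VS_VERSION_INFO key scan is an assumed shortcut that
does not walk the PE resource directory."""
import hashlib
import struct
import sys


def _pad4(n):
    return (n + 3) & ~3


def _utf16z(s):
    """UTF-16LE string with terminating NUL, as stored in the resource."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_block(key, value=b"", wtype=0, children=()):
    """Serialise one block: header, szKey, pad, value, pad, children.
    Used only to construct the sample input."""
    data = struct.pack("<HHH", 0, 0, wtype) + _utf16z(key)
    data += b"\x00" * (_pad4(len(data)) - len(data)) + value
    for child in children:
        data += b"\x00" * (_pad4(len(data)) - len(data)) + child
    vlen = len(value) // 2 if wtype == 1 else len(value)  # words for text
    return struct.pack("<HHH", len(data), vlen, wtype) + data[6:]


def parse_block(buf, off=0):
    """Parse the block at buf[off:] -> (key, value, wtype, children, end).
    Alignment is relative to the block start, so the blob need not sit
    on a 4-byte file offset."""
    wlen, vlen, wtype = struct.unpack_from("<HHH", buf, off)
    if wlen < 6:
        raise ValueError("corrupt block header")
    end, pos, key = off + wlen, off + 6, b""
    while buf[pos:pos + 2] not in (b"\x00\x00", b""):
        key, pos = key + buf[pos:pos + 2], pos + 2
    pos = off + _pad4(pos + 2 - off)
    vbytes = vlen * 2 if wtype == 1 else vlen
    value = buf[pos:pos + vbytes]
    pos = off + _pad4(pos + vbytes - off)
    children = []
    while pos + 6 <= end:
        child = parse_block(buf, pos)
        children.append(child)
        pos = off + _pad4(child[4] - off)
    return key.decode("utf-16-le"), value, wtype, children, end


MARKER = _utf16z("VS_VERSION_INFO")


def find_version_info(data):
    """Locate the VS_VERSIONINFO blob by its key; slice it out by wLength."""
    i = data.find(MARKER)
    if i < 6:
        return None
    wlen = struct.unpack_from("<H", data, i - 6)[0]
    return data[i - 6:i - 6 + wlen]


def version_strings(blob):
    """Flatten every StringFileInfo table into {name: value}."""
    out = {}
    for sfi in parse_block(blob)[3]:
        if sfi[0] == "StringFileInfo":
            for table in sfi[3]:
                for key, value, _, _, _ in table[3]:
                    out[key] = value.decode("utf-16-le").rstrip("\x00")
    return out


def fixed_file_version(blob):
    """dwFileVersionMS/LS from VS_FIXEDFILEINFO, e.g. '5.1.2600.0'."""
    fields = struct.unpack_from("<13I", parse_block(blob)[1])
    ms, ls = fields[2], fields[3]
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def bogus_sample():
    """Constructed resource claiming to be a Microsoft component."""
    fixed = struct.pack("<13I", 0xFEEF04BD, 0x00010000, 0x00050001,
                        0x0A280000, *([0] * 9))
    table = build_block("040904B0", wtype=1, children=[
        build_block("CompanyName", _utf16z("Microsoft Corporation"), 1),
        build_block("FileDescription", _utf16z("Windows Update Service"), 1),
        build_block("OriginalFilename", _utf16z("winsupdater.exe"), 1),
    ])
    sfi = build_block("StringFileInfo", wtype=1, children=[table])
    return build_block("VS_VERSION_INFO", fixed, 0, [sfi])


def inspect(data):
    """Report for a suspect file copied onto a clean analysis box: the hash
    is what you compare against a known-good copy; the strings are claims."""
    blob = find_version_info(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "file_version": fixed_file_version(blob) if blob else None,
        "strings": version_strings(blob) if blob else {},
    }


if __name__ == "__main__":
    # Default input: a fake image carrying the constructed resource.
    fake_image = b"MZ" + b"\x00" * 62 + bogus_sample()
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else fake_image
    for name, result in inspect(data).items():
        print(f"{name}: {result}")
```

Run it as `python versioninfo.py suspect.exe` on a copy of the file taken off the suspect host. Everything in the `strings` output is attacker-controlled text of exactly the `const char MS_version[]` kind Valdis sketches; the `sha256` line is only useful if it is compared against a copy of the same file obtained from a source the compromised box never touched. The same goes for an Authenticode check (for example `Get-AuthenticodeSignature` in PowerShell): run it on the clean box, not on the machine whose signature-verification DLLs are in question.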