Security Basics mailing list archives

Re: Microsoft Software Auditing ?


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 13 Apr 2005 12:23:25 +0200

On 2005-04-11 Adam Jones wrote:
> Scanning for executables is a poor method of accomplishing things.

That I have to disagree with. If I understood the OP right, he just
wanted to inventory the software (rightfully) installed on the system.
There is software that comes as a standalone executable, so it won't
show up anywhere. How would one inventory this kind of software
w/o scanning for executables?

> It misses a lot and requires a large time investment to be effective.
> Here's why:
>
> 1) executable scanning misses a lot:
> Here are a few ways that I can quickly think of to "hide" an executable:
>
> Name it as a harmless-sounding executable in a reliable known directory.

That won't make you miss the executable.

> Overwrite a rarely-used legitimate executable in a known directory.
> Store it in an NTFS alternate data stream[1] and access it through a script.
> Store it under another file name and rename it at execution time.

These may be an issue, but require users to have write-access (which
they shouldn't). Overwritten executables will most likely be detected by
comparing the file's hash against a known-good baseline. The other two
may be a problem, but AFAICS only if users are allowed to write files.
If one just wants to take inventory of the installed software I don't
consider this an issue.

> In short, even a halfhearted attempt to hide the executable will give
> it a decent chance of getting past straight .exe scanning.

> 2) Time investment:
> The only way that executable scanning is going to really be effective
> is if you begin with a lot of prepwork.
>
> To combat file replacement you would have to CRC every executable on
> the system, and update that CRC any time you patch the system or
> update your software.
>
> Accounting for overwritten system files would also involve CRC
> checking, but this time on the client system.

CRC is neither intended nor appropriate for detecting wilful/malicious
manipulations of files. You need to use other hashes (at least MD5) for
that purpose.

> There are applications that will detect NTFS alternate data streams,
> those would probably need to be run as a second scan of the system.

True, but only if you want to detect malicious changes to the system.

> Looking for alternate extensions would probably be best done by
> looking for the associated scripting files, which means at least
> scanning .bat, .js, .vbs, and .wsf extensions, then looking for any
> rename commands in each of those files.

Which leaves you with the exact same problem you referred to above
(renaming of files before execution).

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
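The two points Ansgar makes above, that overwritten executables are caught by comparing each file's hash against a known-good baseline, and that a CRC is not suitable for catching deliberate tampering, can be shown in one small program. The following is an added example written for this archive page, not code posted by either participant. It works on constructed in-memory byte strings standing in for executables (the file names and contents are made up); a real inventory would read each .exe from disk instead. The forging routine exploits the linearity of CRC-32: appending four chosen bytes drives the checksum to any value the attacker wants, so a replaced binary passes a CRC baseline check while a SHA-256 baseline still flags it.

```python
import hashlib
import zlib

# Constructed sample "executables": in-memory stand-ins for files on disk.
# A real inventory would read Path.read_bytes() for each *.exe it finds.
BASELINE_FILES = {
    "notepad.exe": b"MZ\x90\x00" + b"legit notepad bytes " * 16,
    "calc.exe":    b"MZ\x90\x00" + b"legit calc bytes " * 16,
}


def _crc_table():
    """Reflected CRC-32 table (polynomial 0xEDB88320), the same CRC zlib uses."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc_table()


def forge_crc_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes such that zlib.crc32(data + suffix) == target_crc.

    CRC-32 is linear over GF(2), so any 32-bit value is reachable by
    appending four chosen bytes.  Backward pass: from the desired final
    register, recover the four table indices (the high byte of every
    table entry is unique, so each step has exactly one solution).
    Forward pass: from the real register after `data`, pick the byte
    that selects each index in turn.
    """
    reg = target_crc ^ 0xFFFFFFFF            # desired raw register after suffix
    indices = []
    for _ in range(4):
        idx = next(i for i in range(256) if _TABLE[i] >> 24 == reg >> 24)
        indices.append(idx)
        reg = ((reg ^ _TABLE[idx]) << 8) & 0xFFFFFFFF
    indices.reverse()                        # now ordered for bytes 0..3
    reg = zlib.crc32(data) ^ 0xFFFFFFFF      # real raw register after `data`
    suffix = bytearray()
    for idx in indices:
        suffix.append((reg ^ idx) & 0xFF)    # byte that steers into table[idx]
        reg = (reg >> 8) ^ _TABLE[idx]
    return bytes(suffix)


def fingerprint(files: dict) -> dict:
    """Inventory: name -> (crc32, sha256 hex) for every file."""
    return {
        name: (zlib.crc32(data) & 0xFFFFFFFF, hashlib.sha256(data).hexdigest())
        for name, data in files.items()
    }


def changed_files(baseline: dict, current: dict, use_crc: bool) -> list:
    """Names whose fingerprint differs from the baseline, plus any name the
    baseline does not know (a newly dropped executable), under one check."""
    field = 0 if use_crc else 1
    out = []
    for name, fp in current.items():
        if name not in baseline or baseline[name][field] != fp[field]:
            out.append(name)
    return sorted(out)


def tamper(files: dict, name: str, payload: bytes) -> dict:
    """Overwrite `name` with `payload`, padded so its CRC-32 still matches
    the original file: the replacement a CRC baseline cannot see."""
    original_crc = zlib.crc32(files[name]) & 0xFFFFFFFF
    fixed = payload + forge_crc_suffix(payload, original_crc)
    assert zlib.crc32(fixed) & 0xFFFFFFFF == original_crc
    return {**files, name: fixed}


if __name__ == "__main__":
    baseline = fingerprint(BASELINE_FILES)
    # Attacker overwrites a rarely used legitimate executable and also
    # drops a standalone binary that appears in no installer database.
    current = tamper(BASELINE_FILES, "calc.exe", b"MZ\x90\x00" + b"evil payload " * 20)
    current["dropped.exe"] = b"MZ\x90\x00" + b"standalone tool"
    snapshot = fingerprint(current)
    print("CRC-32 check flags :", changed_files(baseline, snapshot, use_crc=True))
    print("SHA-256 check flags:", changed_files(baseline, snapshot, use_crc=False))
```

Run as a script, the CRC-32 check reports only dropped.exe, while the SHA-256 check reports both calc.exe and dropped.exe. The same forging trick works for any CRC; what makes a cryptographic hash fit for a baseline is that no such shortcut exists, so an attacker cannot keep the fingerprint stable while changing the bytes.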

