Security Basics mailing list archives
Re: Microsoft Software Auditing ?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 13 Apr 2005 12:23:25 +0200
On 2005-04-11 Adam Jones wrote:
> Scanning for executables is a poor method of accomplishing things.

That I have to disagree with. If I understood the OP right, he just wanted to inventory the software (rightfully) installed on the system. Since there is software that comes as a standalone executable, it won't show up anywhere. How would one inventory this kind of software w/o scanning for executables?

> It misses a lot and requires a large time investment to be effective.
> Here's why:
>
> 1) executable scanning misses a lot:
>
> Here are a few ways that I can quickly think of to "hide" an executable:
>
> Name it as a harmless-sounding executable in a reliable known directory.

That won't make you miss the executable.

> Overwrite a rarely-used legitimate executable in a known directory.
> Store it in an NTFS alternate data stream[1] and access it through a script.
> Store it under another file name and rename it at execution time.

These may be an issue, but require users to have write-access (which they shouldn't). Overwritten executables will most likely be detected by comparing the file's hash against a known-good baseline. The other two may be a problem, but AFAICS only if users are allowed to write files. If one just wants to take inventory of the installed software I don't consider this an issue.

> In short even a halfhearted attempt to hide the executable will give it a
> decent chance of getting past straight .exe scanning.
>
> 2) Time investment:
>
> The only way that executable scanning is going to really be effective is
> if you begin with a lot of prepwork. To combat file replacement you would
> have to crc every executable on the system, and update that crc any time
> you patch the system or update your software. Accounting for overwritten
> system files would also involve crc checking, but this time on the client
> system.

CRC is neither intended nor appropriate for detecting wilful/malicious manipulations of files. You need to use other hashes (at least MD5) for that purpose.

> There are applications that will detect NTFS alternate data streams,
> those would probably need to be run as a second scan of the system.

True, but only if you want to detect malicious changes to the system.

> Looking for alternate extensions would probably be best done by looking
> for the associated scripting files, which means at least scanning .bat,
> .js, .vbs, and .wsf extensions, then looking for any rename commands in
> each of those files.

Which leaves you with the exact same problem you referred to above (renaming of files before execution).

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
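The hash-against-a-known-good-baseline inventory that the reply above argues for, as an added example that is not part of the thread: it walks a tree, hashes every executable or scripting file (the extensions named in the thread, with SHA-256 in place of the MD5 floor the 2005 post mentions), and diffs the result against a stored baseline. The directory layout and file contents in `demo()` are constructed for illustration.

```python
"""Added example (not from the thread): SHA-256 baseline inventory of
executables and scripts, then a diff that reports new/modified/missing files."""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions the thread mentions: plain executables plus the scripting files
# that could rename or launch something at execution time.
SCAN_EXTENSIONS = {".exe", ".dll", ".com", ".bat", ".cmd", ".js", ".vbs", ".wsf"}

def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks (MD5 was the 2005 floor)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root: str) -> dict:
    """Map each matching file (POSIX-style relative path) under root to its hash."""
    root_path = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in SCAN_EXTENSIONS:
                result[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return result

def compare(baseline: dict, current: dict) -> dict:
    """Diff two inventories: added, modified (hash changed) and missing files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo() -> dict:
    """Constructed scenario: baseline a temp tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool.exe").write_bytes(b"MZ original")      # constructed
        (root / "bin" / "cleanup.bat").write_text("@echo off\n")      # constructed
        (root / "notes.txt").write_text("not an executable, ignored")
        baseline = inventory(tmp)
        (root / "bin" / "tool.exe").write_bytes(b"MZ replaced")      # overwritten
        (root / "bin" / "launch.vbs").write_text("' new script\n")   # added
        (root / "bin" / "cleanup.bat").unlink()                       # removed
        return compare(baseline, inventory(tmp))
```

In practice the baseline dict is written to disk (and protected) after each approved patch cycle, then `compare()` is run against a fresh `inventory()` of the same root.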