Full Disclosure mailing list archives
Re: Microsot DID DISCLOSE potential Backdoor
From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 7 May 2008 22:49:40 -0500
On Wed, 07 May 2008, Paul Schmehl wrote:
And that relates to the MSRT how?
Relates to MSRT sending your information. It only sends information when it finds something. I never stated it sends all your information all the time.
Now you're being silly. You're claiming that *realtime connection information* is included in the data that is sent but without any grounds to do so and despite Microsoft's claims to the contrary. And without any proof.
Pick up a dev machine load it with malware, run MSRT, and sniff it. You'll see what it sends and remember LEA uses IP as an identifier bottom line.
You might try it some time. Getting the facts beats wild speculation and hyperbole every time. I just installed MSRT on my laptop and ran it while Wireshark was monitoring all external communications. It sent exactly *zero* information to MS.
It sent zero information because it did not detect anything malicious. As for paranoia, has nothing to do with paranoia. Facts. Fact 1) Is MS sending information from your machine to them ... Yes Fact 2) If something malicious is detected on your machine will it go to MS. Yes. Fact 3) Will they share information obtained from YOUR machine via YOUR IP address will they share that information with LEA? According to the MS spokesman they will. Fact 4) Can LEA correlate the information sent from your machine to an IP address... Yes. Go back and look at the information MS is obtaining it's in the log file. So looking at Sasser, lets fiddle with this: Quick Scan Results: ---------------- Found virus: Win32/Sasser.A.worm in file://C:\WINDOWS\avserve.exe Found virus: Win32/Sasser.A.worm in regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe Found virus: Win32/Sasser.A.worm in runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe Found virus: Win32/Sasser.A.worm in file://C:\WINDOWS\avserve.exe Quick Scan Removal Results ---------------- Start 'remove' for regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe Operation succeeded ! Start 'remove' for runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe Operation succeeded ! Start 'remove' for file://\\?\C:\WINDOWS\avserve.exe Operation succeeded ! Results Summary: ---------------- Found Win32/Sasser.A.worm and Removed! Return code: 6 Microsoft Windows Malicious Software Removal Tool Finished On Mon Mar 19 13:15:57 2007 (from there website). Now according to their article and common logic, in their article they stated they obtained samples of the infection to track the CNC of a botnet. How did they get this is up in the air, but with their forced update history, its possible on detection they can actually send avserve.exe right back to themselves. Anyhow, so I create something crafted to implicate you - using my previous analogy of being a botnet CNC owner, my program implicates your network you take the fall. People pull Joe Jobs all the time.
Not all of us are consumed by paranoia and unfounded fears. Some of us actually approach security from a rational, intelligent perspective and attempt to mitigate risks to the best of our abilities while accepting the fact that we can't stop every attack.
A Joe Job is an unfounded fear? How about poisoning the well. What happens if someone reading this decides to put it to the tests nullifying any verifiable, concrete snapshots with garbage. Then what will be of the tool? e-Garbage truck?
I don't consider fantasizing about bogeymen "thinking outside the box".
Fantasizing has nothing to do with reality. People are paying top dollars in life to screw someone all the time whether its online or not. This is another stupid mechanism someone can use. Its a flawed concept albeit nice idea. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1) wget -qO - www.infiltrated.net/sig|perl http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsot DID DISCLOSE potential Backdoor J. Oquendo (May 03)
- Re: Microsot DID DISCLOSE potential Backdoor Aaron Kempf (May 06)
- Message not available
- Re: Microsot DID DISCLOSE potential Backdoor J. Oquendo (May 06)
- Re: Microsot DID DISCLOSE potential Backdoor Paul Schmehl (May 07)
- Re: Microsot DID DISCLOSE potential Backdoor J. Oquendo (May 07)
- Re: Microsot DID DISCLOSE potential Backdoor Ureleet (May 07)
- Re: Microsot DID DISCLOSE potential Backdoor Paul Schmehl (May 07)
- Re: Microsot DID DISCLOSE potential Backdoor J. Oquendo (May 07)
- Re: Microsot DID DISCLOSE potential Backdoor Paul Schmehl (May 08)
- Re: Microsot DID DISCLOSE potential Backdoor J. Oquendo (May 08)
- Snort Signature to detect credit cards wilder_jeff Wilder (May 08)
- Re: Snort Signature to detect credit cards Ivan . (May 08)
- Re: Snort Signature to detect credit cards Christopher Jacob (May 08)
- Re: Snort Signature to detect credit cards Ray P (May 08)
- Re: Snort Signature to detect credit cards Simon Smith (May 08)
- Re: Snort Signature to detect credit cards Randal T. Rioux (May 09)
- Re: Snort Signature to detect credit cards T Biehn (May 09)
- Re: Snort Signature to detect credit cards Siim Põder (May 09)
- Re: Microsot DID DISCLOSE potential Backdoor J. Oquendo (May 06)