Re: [Full-disclosure] Microsot DID DISCLOSE potential Backdoor



--On Thursday, May 08, 2008 10:40:35 -0500 "J. Oquendo" <sil@xxxxxxxxxxxxxxx>
wrote:

On Thu, 08 May 2008, Paul Schmehl wrote:

You're comparing apples with oranges. The is precisely the muddying of the
waters that J. Oquendo is seeking to stir up emotions.

And you know me this well to infer it's stirring up emotions. I call it
raising awareness. You have your interpretation of what you read, I have
mine. Is yours wrong Paul.

This is what you call "raising awareness".

"Microsoft may have inadvertently disclosed a potential Microsoft backdoor for
law
enforcement earlier this week. "

Of course, with the weasel words "may have", "inadvertently" and "potential",
you can always claim you never really said that, but you know exactly what the
reader will take away from that headline - "What??? Microsoft installed a
backdoor on my computer????"

You then quote PC World - "The software vendor is giving law enforcers
access to a special tool that keeps tabs on botnets, using data compiled from
the 450
million computer users who have installed the Malicious Software Removal tool
that
ships with Windows."

Note that the botnet tool is "a special tool that keep tabs on botnets" and
that it "use[s] data compiled from the 450 million computer users....."

Now we know, first of all, that the MSRT doesn't even send data unless you have
an infection (and that functionality can be disabled.) Secondly, we know that
the botnet tool "uses" data compiled from the use of the MSRT.

From this you get "Microsoft has installed a backdoor on your computer!!!"

Then you make this amazing leap of "logic".

"So again, thinking logically at what has been said so far by
Microsoft; "We have a tool called Malicious Software Removal tool...", "we
can't tell
you the name of this tool since it would undermine our snooping...", "it's been
used by
law enforcement already to make a high-profile bust earlier this year."

So, in one "sentence" you tie the MSRT to the botnet buster and go from "it
sends data" to "it spies on you". Nice try, but you're not fooling anyone
except fools.

BTW, a backdoor program is something that allows me to access your computer
without your knowledge any time I want to, not a program that sends me
information whenever you choose to run it *if* you choose to send it. Again,
nice try, but you're not fooling anyone except fools and conspiracy theorists.

Next you manage to tie the MSRT to the NSA, Echelon, AT&T wiretaps,
eavesdropping and other supposed nefarious activities.

But you're not trying to stir up emotions - no - just "raising awareness".


It is Microsoft's fault for not being honest period no ifs ands or buts.
Please give us your professional correlation of the article. Information
obtained from MSRT was used to track botnet hunters in cahoots with another
tool.


I don't know the details of what Microsoft is providing LE from MSRT. Neither
do you. That is precisely my point. That isn't stopping you from making wild
claims, though.

Here's one possible use.

Microsoft correlates the data sent from MSRT. They notify law enforcement that
they are seeing a recent trend of 150,000 computers infected with a certain
malware. It opens port x, communicates using protocol y and talks to the
following IP addresses (C&Cs). They provide LE with a tool that is a botnet
hunter that knows what traffic to look for, what ports to look on, what
protocols are being used and where the C&Cs are. All that information was
obtained from the data received from MSRTs reporting in from all over the world.

LE then uses that tool to set up monitoring of those specific ports, protocols
and C&Cs, begins gathering data and eventually busts the botmaster.

Now, how has this exposed you personally? Revealed your IP? Invaded your
privacy? Created a backdoor on your computer?

Yes, their web page (I don't see any EULA) states that they don't collect
personally identifiable information. Furthermore, the botnet tool is a
separate tool. The page also states that after the tool is run, it deletes
itself. So, when you are infected with something, the tool will detect and
clean it *and* send some information about the infection back to M$.

Can you please find this page. I showed you mine show me yours or just STFU
for now, otherwise the "my cojones are bigger than yours" becomes redundant
nonsense. EOS

Unable to perform a simple search?

The MSRT home page:
<http://www.microsoft.com/security/malwareremove/default.mspx?tapm=A51S01B01>

The download page:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en>

"The version of this tool delivered by Windows Update runs on your computer
once a month, in the background. If an infection is found, the tool will
display a status report the next time you start your computer. If you would
like to run this tool more than once a month, run the version that is available
from this Web page or use the version on the Malicious Software Removal Tool
Web site.

Please review KB890830 for the list of malicious software that the current
version of the tool is capable of removing as well as usage instructions. Also,
please be aware that this tool reports anonymous information back to Microsoft
in the event that an infection is found or an error is encountered. The above
KB article contains information on how to disable this functionality and what
specific information is sent to Microsoft. "

KB890830:
<http://support.microsoft.com/?kbid=890830>

"Reporting infection information to Microsoft
The Malicious Software Removal Tool will send basic information to Microsoft if
the tool detects malicious software or finds an error. This information will be
used for tracking virus prevalence. No identifiable personal information that
is related to you or to the computer is sent together with this report."

"Reporting component
The Malicious Software Removal Tool sends information to Microsoft if it
detects malicious software or finds an error. The specific information that is
sent to Microsoft consists of the following items:
The name of the malicious software that is detected
The result of malicious software removal
The operating system version
The operating system locale
The processor architecture
The version number of the tool
An indicator that notes whether the tool is being run by Microsoft Update,
Windows Update, Automatic Updates, the Download Center, or from the Web site
An anonymous GUID
A cryptographic one-way hash (MD5) of the path and file name of each
malicious software file that is removed from the computer

If apparently malicious software is found on the computer, the tool prompts you
to send information to Microsoft beyond what is listed here. You are prompted
in each of these instances, and this information is sent only with your
consent. The additional information includes the following:
The files that are suspected to be malicious software. The tool will
identify the files for you.
A cryptographic one-way hash (MD5) of any suspicious files that are
detected.

You can disable the reporting feature. For information about how to disable the
reporting component and how to prevent this tool from sending information to
Microsoft, click the following article umber to view the article in the
Microsoft Knowledge Base:

891716 (http://support.microsoft.com/kb/891716/) Deployment of the Microsoft
Windows Malicious Software Removal Tool in an enterprise environment "

KB891716:
<http://support.microsoft.com/kb/891716/>

"Q3. How can I disable the infection-reporting component of the tool so that
the report is not sent back to Microsoft?

A3. An administrator can choose to disable the infection-reporting component of
the tool by adding the following registry key value to computers. If this
registry key value is set, the tool will not report infection information back
to Microsoft.
Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Entry name: \DontReportInfectionInformation
Type: REG_DWORD
Value data: 1

This functionality is automatically disabled if the following registry key
value exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer
This registry key value indicates that the computer is connected to an SUS
server."

Is there anything else that you need in order to figure out that your claims
are wholly without merit?

--
Paul Schmehl (pauls@xxxxxxxxxxxx)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: no response from Microsoft customer support - security issue?
    ... Microsoft support. ... It looks like the Microsoft reporting webpage for security issues has been ... If you suspect malicious software, ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Having Hotmail problems? Please read.
    ... PSS Security Response Team Alert - New Worm: ... Microsoft Outlook, Microsoft Outlook Express, and ... you can prevent against infection by Mydoom.C ...
    (microsoft.public.windows.inetexplorer.ie6_outlookexpress)
  • Re: Microsoft Public Services <sxfxtblx@advisor.microsoft.net> EMAIL
    ... the hotlinks in this message are valid Microsoft links, ... You install a good antivirus program, keep it active, keep the virus ... You can install all appropriate Microsoft security patches and Service ... you can proof your system against infection, ...
    (microsoft.public.security.virus)
  • Re: Virus (Swen?) opened automatically?
    ... procedures are corrupted (the same reason Microsoft does not send patches ... even after discovering the infection. ... Microsoft website would take less than 15 minutes. ... And then, installing ...
    (microsoft.public.security.virus)
  • RE: Integrated Authentication Issues with ISA 2004
    ... I don't have a problem with the monitoring and reporting I think I may have ... > Microsoft CSS Online Newsgroup Support ... we recommend you to post to appropriate newsgroup ... it will not pass your authentication to the ISA Server. ...
    (microsoft.public.isa)