Re: strange software > winsupdater.exe

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 03/17/05

  • Next message: David Gillett: "Pubstro rash"
    Date: Fri, 18 Mar 2005 09:30:59 +1300
    To: incidents@securityfocus.com
    
    

    Valdis to Harlan:

    > > However, you _can_ get a warm fuzzy if the file has
    > > the MS file version information compiled into it.
    >
    > And you verify the authenticity of your warm fuzzy how, exactly?

    Rumour has it that MS will be making its WarmFuzzy Verifier beta release
    within a month...

    > const char MS_version[] = "bogus MS file version info goes here";

    Well, it is done a bit differently from that, but the basic idea is
    right.

    And it's already been done. Heaps. Especially by some of the adware
    developers...

    > (Remember - we've already had major worms that crafted a totally bogus
    > "X-Virus: scanned by" header claiming a real AV had scanned it....)

    Yep -- even the skiddies have thought of this level of trivial
    deception.

    > > That warm fuzzy can be increased if the file is
    > > digitally signed by MS.
    >
    > First, go back and re-read http://www.cert.org/advisories/CA-2001-04.html

    8-)

    > Second, remember that you're worried that the machine is compromised - and
    > you're asking it to verify the signature. Again, if the box is compromised,
    > the DLL that verifies signatures could be backdoored as well.

    Indeed, although to date I certainly haven't seen this done and don't
    recall hearing of this level of deception. It's probably not far off
    though -- it would be a trivial addition to any of the modestly clever
    rootkits, but does not require that degree of complexity.

    Regards,

    Nick FitzGerald
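The three "warm fuzzy" levels discussed in this thread (version resource, Authenticode signature, known-good hash) can be checked side by side from a clean host. The PowerShell below is an added example, not code from the original post or from Microsoft; it assumes the suspect file has been copied to a trusted analysis machine, and the `$KnownGoodSha256` allow-list is a hypothetical parameter you would populate from a reference installation. It uses only the built-in `Get-Item`, `Get-FileHash` and `Get-AuthenticodeSignature` cmdlets.

```powershell
# Added example (not part of the original thread). Run on a known-clean analysis host
# against a COPY of the suspect file: as the thread notes, verification performed on
# the possibly compromised machine itself proves nothing.
function Get-FileTrustReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Hypothetical allow-list of SHA-256 hashes taken from a trusted reference install
        [string[]] $KnownGoodSha256 = @()
    )

    $item = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    $report = [ordered]@{
        Path            = $item.FullName
        Sha256          = $hash
        HashKnownGood   = ($KnownGoodSha256 -contains $hash)
        # The version resource is attacker-controlled text (the "bogus MS file version
        # info" of the thread): report it for context, but never base trust on it.
        ClaimedCompany  = $item.VersionInfo.CompanyName
        ClaimedProduct  = $item.VersionInfo.ProductName
        # Status is Valid only if the signature matches the file AND the signer chains
        # to a root trusted on THIS host; NotSigned / HashMismatch / NotTrusted otherwise.
        SignatureStatus = $sig.Status
        SignerSubject   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }

    # Only a valid signature checked from a trusted host plus a hash match earns trust.
    # A plausible CompanyName or a subject string containing "Microsoft" on its own does not.
    $report.Verdict = if ($report.SignatureStatus -eq 'Valid' -and $report.HashKnownGood) {
                          'trusted'
                      } elseif ($report.SignatureStatus -eq 'Valid') {
                          'signed, but hash not in allow-list: review signer'
                      } else {
                          'untrusted'
                      }

    [pscustomobject]$report
}

# Usage (paths and hash are placeholders):
# Get-FileTrustReport -Path 'C:\analysis\winsupdater.exe' `
#     -KnownGoodSha256 @('<sha256 of the same file from a reference system>')
```

The report deliberately keeps the version-resource fields separate from the verdict: a forged `CompanyName` is trivial to compile in, while `SignatureStatus` and the hash comparison are the only fields that carry evidential weight, and even those only when the cmdlets run on a host you have independent reason to trust.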

