
| Subject: | Re: strange software > winsupdater.exe |
|---|---|
| Date: | Thu, 17 Mar 2005 13:20:57 -0500 |

On Thu, 17 Mar 2005 03:08:14 PST, Harlan Carvey said:

> However, you _can_ get a warm fuzzy if the file has the MS file version information compiled into it.

And you verify the authenticity of your warm fuzzy how, exactly?

    const char MS_version[] = "bogus MS file version info goes here";

(Remember - we've already had major worms that crafted a totally bogus "X-Virus: scanned by" header claiming a real AV had scanned it....)

> That warm fuzzy can be increased if the file is digitally signed by MS.

First, go back and re-read http://www.cert.org/advisories/CA-2001-04.html

Second, remember that you're worried that the machine is compromised - and you're asking it to verify the signature. Again, if the box is compromised, the DLL that verifies signatures could be backdoored as well. This is why you *really* need to boot from a known-clean CD and verify the signatures from there.
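The two checks discussed in the message above, side by side, as an added example that is not part of the original post: a test that trusts version strings embedded in the file, and a comparison against hashes recorded from trusted media, meant to be run from a clean boot environment against the mounted suspect volume. The function names, file names other than `winsupdater.exe`, and sample bytes are constructed for illustration, and a SHA-256 manifest is swapped in here for the signature verification the post refers to.

```python
import hashlib, os, tempfile

def version_strings_claim_ms(data: bytes) -> bool:
    """Weak check: the file *says* it is from Microsoft. Version resource
    strings are UTF-16LE bytes chosen by whoever built the file."""
    return all(s.encode("utf-16-le") in data
               for s in ("CompanyName", "Microsoft Corporation"))

def triage(root: str, manifest: dict) -> dict:
    """Meant to run from a clean boot environment against the mounted suspect
    volume. manifest: lower-case relative path -> SHA-256 from trusted media."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/").lower()
            with open(path, "rb") as f:
                data = f.read()
            expected = manifest.get(rel)
            if expected is None:
                verdict = "unknown"      # never shipped on the trusted media
            elif expected == hashlib.sha256(data).hexdigest():
                verdict = "match"
            else:
                verdict = "MISMATCH"     # replaced or modified since install
            report[rel] = (version_strings_claim_ms(data), verdict)
    return report

def build_demo(root: str) -> dict:
    """Write constructed sample files under root; return the trusted manifest."""
    # Constructed, simplified stand-in for a version resource (not a real PE layout).
    ver = "CompanyName\0Microsoft Corporation\0".encode("utf-16-le")
    trusted = {"system32/clean.dll": b"MZ" + b"\x01" * 64 + ver,
               "system32/example.dll": b"MZ" + b"\x02" * 64 + ver}
    on_disk = dict(trusted)
    on_disk["system32/example.dll"] = b"MZ" + b"\x03" * 64 + ver  # altered body
    on_disk["system32/winsupdater.exe"] = b"MZ" + b"\x04" * 64 + ver
    os.makedirs(os.path.join(root, "system32"))
    for rel, data in on_disk.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return {rel: hashlib.sha256(d).hexdigest() for rel, d in trusted.items()}

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        return triage(root, build_demo(root))

if __name__ == "__main__":
    for rel, result in sorted(run_demo().items()):
        print(rel, result)
```

All three sample files pass the version-string check, while only the unmodified one matches the manifest; the result is only as trustworthy as the environment that computes the hashes and the source of the manifest.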