RE: Microsoft DID DISCLOSE potential Backdoor
I'm not sure the facts in evidence support the conclusions reached here (sorry, not posting inline as I don't want to address each conclusion built upon some other shaky conclusion).
From http://support.microsoft.com/kb/890830
======
Reporting component
The Malicious Software Removal Tool sends information to Microsoft if it detects malicious software or finds an error. The specific information that is sent to Microsoft consists of the following items:
* The name of the malicious software that is detected
* The result of malicious software removal
* The operating system version
* The operating system locale
* The processor architecture
* The version number of the tool
* An indicator that notes whether the tool is being run by Microsoft Update, Windows Update, Automatic Updates, the Download Center, or from the Web site
* An anonymous GUID
* A cryptographic one-way hash (MD5) of the path and file name of each malicious software file that is removed from the computer
If apparently malicious software is found on the computer, the tool prompts you to send information to Microsoft beyond what is listed here. You are prompted in each of these instances, and this information is sent only with your consent. The additional information includes the following:
* The files that are suspected to be malicious software. The tool will identify the files for you.
* A cryptographic one-way hash (MD5) of any suspicious files that are detected.
You can disable the reporting feature. For information about how to disable the reporting component and how to prevent this tool from sending information to Microsoft, click the following article number to view the article in the Microsoft Knowledge Base:
891716 (http://support.microsoft.com/kb/891716/) Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
======
Either I am missing the point of J. Oquendo's post, or the conclusions I think he reaches are speculation rather than established.
Cheers
Ken
> -----Original Message-----
> From: J. Oquendo [mailto:sil@infiltrated.net]
> Sent: Sunday, 4 May 2008 1:46 PM
> To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
> Subject: Microsoft DID DISCLOSE potential Backdoor
>
> While you were sleeping and focusing on COFEE...
>
> Microsoft Discloses Government Backdoor on Windows Operating Systems
> Wednesday, April 30th, 2008 @ 6:00 am | Privacy, News
> http://www.infiltrated.net/?p=92
>
> Microsoft may have inadvertently disclosed a potential Microsoft backdoor for law enforcement earlier this week. To explain this all, here is the layman's term of a backdoor from Wikipedia:
>
> A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.
>
> According to an article on PC World: "The software vendor is giving law enforcers access to a special tool that keeps tabs on botnets, using data compiled from the 450 million computer users who have installed the Malicious Software Removal tool that ships with Windows."
>
> Not a big deal until you keep reading: "Although Microsoft is reluctant to give out details on its botnet buster - the company said that even revealing its name could give cyber criminals a clue on how to thwart it"
>
> Stop the press for a second or two and look at this logically: "users who have installed the Malicious Software Removal tool" followed by "Microsoft is reluctant to give out details on its botnet buster - the company said that even revealing its name could give cyber criminals a clue on how to thwart it", what? This is perhaps the biggest gaffe I've read thus far on potential government collusion with Microsoft.
>
> We then have the following wording: "Microsoft had not previously talked about its botnet tool, but it turns out that it was used by police in Canada to make a high-profile bust earlier this year." So again, thinking logically at what has been said so far by Microsoft; "We have a tool called Malicious Software Removal tool...", "we can't tell you the name of this tool since it would undermine our snooping...", "it's been used by law enforcement already to make a high-profile bust earlier this year."
>
> Remember a "Malicious Software Reporting Tool" is a lot different from a "Malicious Software Removal Tool". Understanding networking, computing, botnets, let's put this concept into a working model to explain how this is nothing more than a backdoor. You have an end user, we'll create a random Windows XP user: Farmer John in North Dakota. Farmer John in North Dakota uses his machine once a week to read news, send family email, nothing more. He installed Microsoft's Malicious Removal Tool. Farmer John's machine becomes infected at some point and sends Microsoft information about the compromise: "I'm Farmer John's machine coming from X_IP_Address".
>
> A correlation is done with this information and then supposedly used to track where the botnet's originating IP address is from. From the article: "Analysis by Microsoft's software allowed investigators to identify which IP address was being used to operate the botnet, Gaudreau said. And that cracked the case." This is not difficult, detect a DST (destination) for malware sent from Farmer John's machine. Simple, good guys win, everyone is happy.
>
> The concept of Microsoft's Malicious Software Removal tool not being a backdoor is flawed. For starters, no information is ever disclosed to someone installing the Windows Malicious Software removal tool: "Windows will now install a program which will report suspicious activity to Microsoft". As far as I can recall on any Windows update, there has never been any mention of it.
>
> "But this is a wonderful tool, why are you being such a troll and knocking Microsoft for doing the right thing!". The question slash qualm I have about this tool is I'd like to know what, why, when and how things are being done on my machine. It's not a matter of condemning Microsoft, but what happens if at some point in time Microsoft along with government get an insane idea to branch away from obtaining other data for whatever intents and purposes?
>
> We've seen how the NSA is allowed to gather any kind of information they'd like (http://www.eff.org/issues/nsa-spying), we now have to contend with Microsoft attempting to do the same. Any way you'd like to market this, it reeks of a backdoor: (again pointing to the definition) A backdoor in a computer system ... is a method of bypassing normal authentication, ... obtaining access to ... , and so on, while attempting to remain undetected. There's no beating around the bush here on what this tool is and does.
>
> This is reminiscent of the 90's with the NSA's ECHELON program. In 1994, the NSA intercepted the faxes and telephone calls of Airbus. What resulted was the information was then forwarded to Boeing and McDonnell-Douglas in which they snagged the contract from under Airbus' feet. In 1996, the CIA hacked into the computers of the Japanese Trade Ministry seeking "negotiations on import quotas for US cars on the Japanese market". Resulting with the information being passed off to "US negotiator Mickey Kantor" who accepted a lower offer.
>
> As an American you might say "so what, more power to us" but to think that any government wouldn't do it to its own citizens for whatever reason would be absurd. There are a lot of horrible routes this could take.
>
> What happens if slash when for some reason or another the government decides that you should not read a news site, will Microsoft willingly oblige and rewrite the news in accordance to what the government deems readable?
>
> How about the potential to give Microsoft a warrantless order to discover who doesn't like a President's "health care plan", or who is irate and whatever policy; Will Microsoft sift through a machine to retrieve relevant data to disclose to authorities?
>
> That doesn't include the potential for say technological espionage and gouging of sorts. What's to stop Microsoft from say, mapping a network and reporting all "non-Microsoft" based products back to Microsoft. The information could then be used to say raise support costs, allow Microsoft to offer juicier incentives to rid the network of non MS based products, the scenarios are endless.
>
> Sadly, most people will shrug and pass it off as nothing. Most security buffs, experts, etc., haven't mentioned a word of it outside of "the wonderful method to remove, detect, botnets!" and I don't necessarily disagree it's a unique way to detect what is happening, but this could have been done at the ISP and NSP level without installing a backdoor. Why didn't law enforcement approach botnets from that avenue? Perhaps they have, this I'm actually certain of which leads me to believe this is a prelude of something more secretive that has yet to be disclosed or discovered.
>
> http://www.pcworld.com/businesscenter/article/145257/microsoft_botnethunting_tool_helps_bust_hackers.html
> http://cryptome.org/echelon-ep-fin.htm (ECHELON MISHAPS)
>
> More on Microsoft's *Potential* Government Backdoor
> Thursday, May 1st, 2008 @ 7:21 am | Privacy, News
> http://www.infiltrated.net/?p=92
>
> After reading through Microsoft's comments repeatedly yesterday, I cannot come to the conclusion that Microsoft's "Malware Removal Tool" is not some form of backdoor. Their comments in the initial article are extremely disturbing and anyone using a Microsoft product should now be extremely wary about downloading new updates if even deciding to continue using Microsoft at all.
>
> So let's take a look at the top botnets. Srizbi, Bobax, Rustock, Cutwail, Ozdok, Nucrypt, Wopla, Spamthru, Storm, Grum, Onewordsub; These are the top as reported by Secure Works. (http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets) Guess what, eight out of eleven are all encrypted. Not that big of a deal until you decipher what Microsoft stated in their original quotes in correlation to some facts.
>
> From the article: Microsoft security experts analyze samples of malicious code to capture a snapshot of what is happening on the botnet network, which can then be used by law enforcers, Cranton said. "They can actually get into the software code and say, 'Here's information on how it's being controlled.'"
>
> Perhaps Microsoft could clarify how exactly they are doing what they do, more importantly, what information is being sent over the wire and to whom. Are they now breaking code as well? Did the botnet authors go through the steps of encrypting code? We know for a fact that traffic being sent from a compromised host to a controller is encrypted, so what is Microsoft analyzing? What COULDN'T Microsoft have gained from getting code for analysis say by working along with Symantec or someone else?
>
> Now before you shoot off an answer like "the code doofus, they're analyzing the code!", think about it again. If they're in it to analyze solely the code, they could have worked with AntiVirus vendors for samples as opposed to putting a tool on your machine which collects YOUR DATA and sends it off to who knows where. A law enforcement agency, or team Microsoft.
>
> I'll pause on this for now. How about the validity in stating: "Botnet Operator tracked via IP". How legitimate is this argument given the fact (not presumption) that IP is a horrible identifier. Let's put this in a practical example. Farmer Joe in Nebraska is using a DSL connection that is always on. He uses Windows XP and doesn't know what a Windows Update is so he's never used it. His computer is compromised, a botnet controller is installed and attacks are launched from Nebraska. The attacker sanitized Farmer Joe's machine to erase his tracks using multiple wipes with perhaps PGP. The end.
>
> For any business or law enforcement agency to claim they can track down via an IP address, perhaps they've skimmed on the fact that there are far too many open WiFi hotspots in the world to conclusively narrow a fact. We have an assumption that an attacker is behind 10.10.10.159. Can we see them? No. All we know is the address. Being I've used a private address, I won't bother diving into "but he came from ISP X in Nebraska." Irrelevant. What you have is a fishing expedition.
>
> / SNIP
> For more on this false sense of ID-via-IP: Well, let me ask you who you think 171.70.120.60 is. I'll give you a hint; at this instant, there are 72 of us.
>
> Here's another question. Whom would you suspect 171.71.241.89 is? At this point in time, I am in Barcelona; if I were home, that would be my address as you would see it, but my address as I would see it would be in 10.32.244.216/29. There might be several hundred people you would see using 171.71.241.89;
> /END SNIP
>
> I implore you to read a NANOG thread
> http://readlist.com/lists/trapdoor.merit.edu/nanog/6/33246.html
> Professionals know, IP is an inaccurate identifier so why does it seem that Microsoft along with LEO are relying on this. Makes a great baseline sure, but is certainly ripe for abuse.
>
> Again, please understand what I am stating, this is "not to say that it's a horrible idea", it's a start, a baseline - but not a definitive measure of determining who is controlling a bot, who created the botnet, etc.
>
> Looking at past history, unfortunately you have the tinkerers; so what happens to an up-and-coming "security" buff who is getting into the field and stumbles upon a botnet. Sure he was moronic to join an irc channel filled with bots, sure he was idiotic in downloading the code for the sake of learning. Fact is he might have. Guess what will happen to him when a Law Enforcement Agency raids his house? Guess what will happen when that agency needs funding for a new uber Cyber(buzzword)Crime fighting department. You guessed it. Hey "Up-and-coming security buff..." Kiss your terminal goodbye, and from here on out, your dreams of becoming the next Bruce Schneier will be close to non-existent. It happens.
>
> Anyhow, re-emphasizing... Shame on Microsoft for forwarding your data without telling you. Shame on Microsoft for not asking you if you wanted to "PARTICIPATE" in sending data. Shame on Microsoft for not explicitly stating: The data we are sneaking off your computer will be sent to government agencies of our choice. It's a horrible practice and a damaging breach of trust. Their action worries me as a security professional, will they ever scour for data for profit. Why not, no one would notice or care anyway.
>
> J. Oquendo
> sil @ infiltrated dot net
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA #579 (FW+VPN v4.1)
> SGFE #574 (FW+VPN v4.1)
>
> wget -qO - www.infiltrated.net/sig|perl
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
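The KB 890830 excerpt quoted in the reply above says the reporting component can be disabled and points to KB 891716 for the how, without showing it. The following is an added example, not part of either message in this thread, of setting and reading back the enterprise policy that KB 891716 documents for that purpose. The registry path HKLM\SOFTWARE\Policies\Microsoft\MRT and the DWORD value name DontReportInfectionInformation are taken from that article as I recall it and should be checked against the current KB before deployment; the log path %windir%\debug\mrt.log is the tool's usual log location and is likewise an assumption here. Run from an elevated PowerShell session.

```powershell
# Added example: control the MSRT reporting component through the policy
# key documented in KB 891716 (path and value name assumed from that article;
# verify against the current KB). Requires an elevated session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'
$ValueName = 'DontReportInfectionInformation'

function Set-MrtReporting {
    param([Parameter(Mandatory)][bool]$Enabled)

    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # 1 = do not send infection information to Microsoft; 0 = send it (the default).
    $value = if ($Enabled) { 0 } else { 1 }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $value -Force | Out-Null
}

function Get-MrtReportingState {
    # Absent key or absent value means the tool reports, as KB 890830 describes.
    if (-not (Test-Path $PolicyKey)) { return 'Reporting enabled (no policy key)' }
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $props.$ValueName) { return 'Reporting enabled (value not set)' }
    if ($props.$ValueName -eq 1) { 'Reporting disabled by policy' } else { 'Reporting enabled' }
}

function Show-MrtLogTail {
    # The tool's own log (assumed location) shows what it scanned and removed locally,
    # which is what a cautious admin wants to compare against the reported items.
    param([int]$Lines = 20)
    $log = Join-Path $env:windir 'debug\mrt.log'
    if (Test-Path $log) { Get-Content -Path $log -Tail $Lines } else { "No log at $log" }
}

Set-MrtReporting -Enabled:$false
Get-MrtReportingState
Show-MrtLogTail
```

Setting the value to 0 or deleting it restores reporting; KB 891716 also describes a separate policy for preventing the tool from being offered through Windows Update at all, which this example does not touch.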