Does Automatic Update service (wuauserv) use generated IP addresses?

  • Thread starter Thread starter Vince C.
  • Start date Start date
Woops... sorry for my mispelling :-s.

"Where (were) you also told (by whom?) about being infected with a
blaster-like virus when I reported this?"

Let me rephrase my point: when I first reported this "problem", people from
MS have asked me to scan for any spyware/trojan though I did and found
nothing. But I didn't mention it in my original post. Does it mean MS people
might happen not to be aware of this fact (that WU uses "weird" IP addresses
for whatever purpose)?...

I've updated Norton AntiVirus 2003 with the latest available updates and
ran a full scan on all files on my drives and it reports no viruses. If
it can't detect a virus, I have to assume I am clean as possible. Also,
I only post here in plain text and with no attachments. *I* was the one
that posted here. I've read the description of the mblaster virus and
haven't encounter any of those symptoms. I have a router with firewall
which blocks port 135 (and others related to NetBIOS and RPC). I have
Norton Internet Security (NIS) firewall on my computer which also blocks
the same ports. I share the cable router with another user who is
running Windows 98 and doesn't have a clue regarding security and is not
an expert user, so NIS has them blocked from accessing my computer.
So I don't know what virus you speak.

You're right and I came to the same conclusion given nothing malicious was
detected on my machine. Sorry for being unclear. You are confirming this
behaviour is part of not only WU process but is also triggered by something
else.

Vince C.
 
James said:
I have found the same thing on two win2k servers as follows:

Process PID localIP LocalPort RemoteIp RemotePort State Protocol Path


svchost.exe 1096 [OURIPADDRESS] 2139 81.52.248.151 80 CLOSE_WAIT TCP
C:\WINNT\system32\svchost.exe

% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 81.52.248.0 - 81.52.250.127
netname: AKAMAI-FT-US
descr: Akamai Technologies - US machines connected to FT AS5511
country: US
admin-c: NARA1-RIPE
tech-c: NARA1-RIPE
tech-c: NF1714-RIPE
status: ASSIGNED PA
mnt-by: FT-BRX
changed: (e-mail address removed) 20030321
source: RIPE
svchost.exe 1096 [OURIPADDRESS] 2144 199.77.203.33 443 CLOSE_WAIT TCP
C:\WINNT\system32\svchost.exe

OrgName: Genuity
OrgID: GNTY
Address: Genuity
Address: 225 Presidential Way
City: Woburn
StateProv: MA
PostalCode: 01888
Country: US

NetRange: 199.75.0.0 - 199.78.255.255
CIDR: 199.75.0.0/16, 199.76.0.0/15, 199.78.0.0/16
NetName: GNTY-199-75
NetHandle: NET-199-75-0-0-1
Parent: NET-199-0-0-0-0
NetType: Direct Allocation
NameServer: DNSAUTH1.SYS.GTEI.NET
NameServer: DNSAUTH2.SYS.GTEI.NET
NameServer: DNSAUTH3.SYS.GTEI.NET


The former IP is from AKAMAI network, France Telecom. Since WU uses AKAMAI
bla bla, you know it's safe.

The latter is less obvious but it's also a WU pending close. I've tried to
search DNS that I know for occurrences of Genuity but found nothing. The
only way I could get accurate information was a traceroute; here are the
last lines:

11 78 ms 94 ms 78 ms ewr-brdr-02.inet.qwest.net [205.171.1.97]
12 94 ms 78 ms 94 ms ewr-core-02.inet.qwest.net [205.171.17.129]
13 94 ms 78 ms 94 ms ewr-core-03.inet.qwest.net [205.171.17.34]
14 125 ms 93 ms 94 ms dca-core-02.inet.qwest.net [205.171.8.181]
15 141 ms 109 ms 110 ms atl-core-02.inet.qwest.net [205.171.8.153]
16 125 ms 109 ms 110 ms atl-core-01.inet.qwest.net [205.171.21.149]
17 110 ms 109 ms 125 ms atl-edge-07.inet.qwest.net [205.171.21.82]
18 109 ms 125 ms 109 ms 63.148.128.74
19 110 ms 109 ms 125 ms oit-gtri-rtr.gatech.edu [130.207.244.5]
20 110 ms 109 ms 125 ms 199.77.203.33

Well I wouldn't worry if your machine is up-to-date with all security
hotfixes, your A-V software is also up-to-date, if AdAware/SpyBot didn't
detect any malware and if your FW is well configured. These make pretty much
conditions but that's the way it normally goes for everyone we read from in
this thread.

Make sure these conditions are met and if they are, this must be part of the
process I described as for what I called "Windows Update server discovery".
The fact that SVCHOST was making the call is a hint. I don't know of a virus
or Trojan that binds to SVCHOST. There might be but recent threats were
mostly Blaster variants.

I think you shouldn't see connections to that IP for long. Maybe a day or
two. Just like the hits I saw towards "mail.lamediatheque.be". This is how
it goes on my system. Right after a few weird IPs were "checked" by SVCHOST
I always see an Automatic Update notification icon in the tray.

Hope this helped.
Vince C.
 
Le 24 Aug 2003 11:36:17 -0700
KB said:
[...] I then discovered that it was wuauserv.exe (or dll) that was
making these outgoing connections to places other than microsoft.com.

I have used latest spybot, adaware, and McAffee anti-virus; none found
anything wrong with my wuauserv and the problem persists. Also, my XP
patches are all "up-to-date". I am obviously suspicious of the truth
of this given wuauserv is the leading suspect.

Vince is also thinking about UpDate mechanisme. I am agree with you,
this process is suspect.
[...] Three
of these addresses don't have reverse DNS which seems highly
suspicious to me.

Same observation.
I think this is a HUGE security problem.

It could.
For this problem I have recently used ethereal for XP; it does pretty
good. I did like to use tcpdump on FreeBSD, but now I am on switched
network and can't watch neighboring traffic. I have not captured any
of this packet traffic yet to look at it.

Thanks to give us any feedback.
 
Le 26 Aug 2003 04:53:23 -0700
Sam said:
[...]
The fact that you are receiving data from "an impossible connexion"
could mean that there is a malfunction in the find_an_ip algorithm.

What about a loop that is looking for a valid WUS :

1. at a givent step it finds 194.78.106.1
3. it checks if it is a valid WUS
2. then it records in another variable the ip_fqdn =
mail.lamediatheque.be. with a reverse dns query
4. if it is a valid WUS, it writes the IP/FQDN in the DNS cache

This bad implementation could lead to having mail.lamediatheque.be.
point to another IP that could be a valid WUS.

WindowsUpdate then uses mail.lamediatheque.be to connect to that IP
and your firewall doesn't use the cache of your workstation to get the
IP of mail.lamediatheque.be.


This is just an idea...

True, This could be an error in the DNS cache, note that in my opinion,
this is also a little security problem.
 
Le Sun, 24 Aug 2003 20:58:28 +0200
Vince C. said:
"KB" <[email protected]> a écrit dans le message de (e-mail address removed)...
[snipped and snipped again :) ]
3 of these addresses don't have reverse DNS which seems highly
suspicious to me.

Well, don't know if suspicious is the right term but it tends to confirm the
subject of this thread ;-). It would be dangerous if:
1. WU uses generated IP addresses
2. our famous "malicious user" knows how to build a web site that acts the
same...

Hmmm... that's... terrifying! :-D
Would be the supreme virus (note for later: think of installing BEOS instead ;-)

Terrifying but possible.
And , in my opinion, they are already enough security problem in
windows to decide to put sensitive date on a non-windows machine.
Wonder if it's the same on Windows 98... I wish someone had time to check
that... 'Would tell if this is a technology in use since the early days. But I
bet this was active only since they introduced the new version of Windows
Update.

I am agree but I think that this new version is not secure.
 
Le Tue, 26 Aug 2003 17:13:59 +0200
Vince C. said:
Seriously that's why I think MS should at least publish a list of trusted WU
servers. I wouldn't like to let my PC blindly connect to whatever machine on
the world without a clue it is safe... Since doing WU from Explorer doesn't
even let you feel more secure.

Agree with you, this is a minimum.
 
Le Sun, 31 Aug 2003 23:25:12 +0200
Vince C. said:
[...]
The first rule in my firewall is
1/ to block explicitly any traffic to/from this IPadress/SNmask
(194.78.106.1/255.255.255.0) for port 80 443

Your Network/Mask is not well-formed. It should be
194.78.106.0/255.255.255.0. Network IDs masked bits (i.e. bits in the
network ID that correspond to zeroes in the mask) must be 0. If you change
the rule you will see it works. I also made that mistake with Kerio and it
worked as soon as I changed the network ID.

The rule is correct, I just made an error writing this post.
The rule is 194.78.106.0/255.255.255.0.
As explain, the firewall block correctly all manual connection to this
address and does not block the automatic connection made by Internet
Explorer...
Maybe due to an error in the DNS cache process used by the WU program
as proposed by Sam.
 
"malamort" <[email protected]> a écrit dans le
message de [...]
The rule is correct, I just made an error writing this post.
The rule is 194.78.106.0/255.255.255.0.
As explain, the firewall block correctly all manual connection to this
address and does not block the automatic connection made by Internet
Explorer...
Maybe due to an error in the DNS cache process used by the WU program
as proposed by Sam.

I would say it might also be due the Winsock's nature. It uses an LSP
(Layered Service Provider) architecture. Provided your firewall LSP resides
above the LSP that is called when IE is opened, this can also explain why
your FW doesn't react sometimes. I remember I have seen quite a complete
post on grc news server. Unfortunately I don't remember who posted and where
:(. I'll try to find more info later.

But as far as I'm concerned I also can see some connections made from my
"external IP" that are not trapped by Kerio. I'm sure these connections are
held by a LSP that resides below Kerio.

Vince C.
 
"Vince C." <[email protected]> a écrit dans le message de
[...]
... grc news server. Unfortunately I don't remember who posted and where

Here it is. It was a post from Kevin McAleavey

------

You are quite right. The Internet Lock on ZoneAlarm will only stop the flow
of traffic that it is monitoring through your protocol stack. ZoneAlarm, as
any of the software firewalls, is monitoring your traffic high up on the
protocol stack and will not detect traffic which is flowing low on the
stack.

This came up in discussions on grc.com over a year ago and I'll post two
messages from that discussion thread, in two parts, which may provide
further background as to why ZoneAlarm may not be reacting to internet
traffic and how it is possible to hack past a firewall other than disabling
the firewall.

Part 1 of 2 is the discussion of how firewalls work and how it is possible
to hack past them. It is a re-post from a discussion thread in
http://neworder.box.sk/

Part 2 of 2 is a message from Kevin McAleavey of BOClean who was making
comments on the discussion in Part 1. I couldn't say it any better than
Kevin.


Part 1 of 2
This is the message that started the discussion thread in grc.com


http://neworder.box.sk/wb/index.php3?did=neworderpublic&disp=56869&thread=56869

[Requires registration to get to the link.]

moderated by Sidewinder, QX-Mat, Thran, Cube

The dummies guide to Firewalls, the protocol stack, the LSP and how to hack
past them by 1:72 Newbie? everybody calls you a lamer? read! by Clayman

Posted by 1:72 *.btinternet.com - 2001/Apr/12 15:41
plz NO flames just read
I apologise in advance for the length of this post, and the radical dumb-
down ... if anyone wants to discuss it in the dirty raw let me know,*l*

Winsock aware people may want to start reading from half way down <G> Or
even skip the post entirely : ) But trust me, it DOES break new ground at
the bottom.

Heres the dummies guide to Firewalls, the protocol stack, the LSP and how
to hack past them ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Okay, lets look at how those pretty packets get from 'out there' to your
app ... its kinda like the sperm thing, but amazingly less packets die
along the way. Because this is a general threat I'll dumb it down a little
where I can, and I can then expand on areas of question later.

We should all be familiar with the winsock.dll ... it exports the methods
we use to use windows sockets, its a fairly simple affair and doesn't
include any facility for checking and manipulating packets or watching all
socket activity ... Many apps DO watch all sockets though, but how? Is
there another .DLL? A hook?

Well, the methods you need are within the Winsock DLL but they are not
accessible through the public interface (the DLL Exports) they are buried
deep inside ... now, accessing non-exported functionality would be a bit of
a problem, but for the fact that the winsock DLL interface is not a fixed
entity ... its just a handy entry point holder for the true complexity
below, the wonderful 'Protocol Stack' !

So ....
[App] [App] [App] [App]
[--------------------WinAPI---------------------]
[-Winsock DLL-] [Various other DLLs]
[Protocol Stack]

All your windows applications sit on the WinAPI ... which handles all the
hard stuff like talking to the various device drivers for you, this means
that the app doesn't need to know anything except how to talk 'API'

The winAPI has a special (optional) component which handles networking with
sockets called the winsock DLL, this acts as a secretary, phoning people,
hanging up on people, putting new messages in an applications IN-TRAY, and
sending messages from an applications OUT-TRAY ... and basically handling
things for our app in an orderly manner.

Now, The Protocol Stack, sits between the world as we know it, and the
application - and its job covers quite a lot, but think of it simply as a
Wrapping/Unwrapping room for messages going in and coming out. It checks
that the data packages are wrapped correctly according to their size and
nature (TCP/UDP/Etc...)

Packages coming in are checked and unwrapped, the envelopes are all opened,
and the final item is passed, ready to use, to the winsock DLL which then
informs the application that it has a message waiting, and places the
message in the applications IN-TRAY - the application doesn't have to worry
about how the package got here, how it was addresses, or how many layers of
wrapping paper were removed, it just takes the item from the Winsock DLL
when its ready, and uses it.

Now ... That's quite simple so far ... But, there are many different ways to
wrap different types of message - we call these 'protocols' and the
protocols sometimes (rarely) change - or new ones are added ... to cater
for this the ProtocolStack is broken down still further ....

[--------Protocol Stack----------]
[Transportation][Namespace]

The Transportation side of things deals with wrapping/unwrapping parcels
and taking them to and from the delivery medium (Not a MailVan in this
case, its the internet hardware ... although, sometimes it seems about as
slow as surface mail <G>)

The Namespace side is responsible for checking the addresses ...We can
forget this, but think 'DNS'

Now, like I said, the Transportation layer deals with the wrappings ... and
different packages have to be wrapped differently, rather than have one
lump of code telling us how all things should be wrapped we have a much
more flexible arrangement ... We have a conveyor belt of wrapping/unwrapping
people and the packages pass each of them in turn.

Now, in the winsock there is a .DLL for each of these people we have a DLL
that controls how they behave ... for example, we might have someone that
picks out round objects and wraps them in brown paper - that is one DLL the
message passes through ... then our wrapped ball will be passed to a DLL
for a person that takes square objects and puts them in boxes, he ignores
the package because it doesn't apply ... etc ....

So ... data going out passes through a number of DLL's each manipulating
and wrapping it in some way or just ignoring it till it finally comes out
the other side all ready for shipping over the internet safely.

The reverse is true, and passing a wrapped item up the line in the opposite
direction will cause the DLL's to unwrap it appropriately too, so that it
arrives at the Winsock DLL ready to be passed to the application.

Not so difficult so far !

Now, lets look at that pictorially, The wrap/unwrap DLLs are known as 'LSP's
or 'Layered Service Providers' And they are called this because they
provide suitably standardized TCP and UDP wrapping services that the
internet likes, and they do this in layers ... each checking the data in
turn before passing it to the next LSP layer in the long chain of LSPs ...
Finally it reaches a BASE LAYER which does all the low level processing and
actually implements the protocol.

We can start to see now why they call it a 'stack'

[---------Application--------]
[------Winsock2 API-------]
[------Winsock2 DLL------]
[Transport] [namespace]
[LSP]
[LSP]
[LSP]
[LSP]
[LSP]
[Base Layer] - This is the final layer, it does the low level work

Now, since the LSP chain is a linked-list of DLL's we can insert one ...
Firewalls do this ... And this firewall LSP takes his instructions from a
RuleSet, such as .... any packages from 'Lebanon' throw away quickly.

Whenever it sees a package that fits its rules it behaves accordingly, to
lose the packet it simply doesn't pass it on to the next LSP in the chain
(Who didn't expect it coming anyway) and in this way packages to and from
Lebanon can be suitably lost : )

Below the base layer things get a little too grubby, the data passes
through a device driver for a modem or network card, which sends the data
to a device - This is the zero layer, or the VXD ... each of these drives
is hardware specific, and therefore completely beyond out explanation
<grin> Phew, dontcha love shortcuts?

And below that is your pretty modem or network card with its blinking
flashing lights.

Now, our firewall is throwing away packets it doesn't like, and its doing
it at a very low level ... it stops (Or SHOULD stop) bad packets getting to
or from our applications ... and also, should stop hidden applications we
didn't know about from talking to the outside world (Trojans my dear boy,
Trojans!)

Now, some fun ....Nightmare scenarios for your firewall ....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SCENE 1 ... a DLL Trojan is sitting in the protocol stack at a lower
position that the firewall ...

[LSP]
[LSP]
[FIREWALL LSP]
[LSP]
[TROJAN LSP]
[LSP]
[BASE LAYER]

There is no Application sitting on the WinAPI or using the Winsock DLL ....
Just a DLL inserted into the protocol chain as shown above. This means that
Trojan packets don't have to pass all the way along the protocol chain, up
through the stack ... it only has to get as far as your Trojan DLL ... who
will not pass the packet further (Because its journey is a shorter and its
already reached its destination)
This means there is no Trojan packets for your Firewall to handle, they all
stop short - and therefore your firewall is happily silent. Data going out
from the Trojan is the same, it starts inside the protocol stack and
travels outwards from a point already beyond the firewall.

Do a netstat -a (Lists all open sockets) .... because nothing further up
the chain than your [trojanLSP] is aware of the socket (Why would we tell
them we opened a socket) it doesn't show at all ! Stealth!

See the power of a LSP DLL Trojan ?
But, how can we stay ensure that we stay lower in the chain than the
firewall's LSP ?

SCENE 2 ... a DLL Trojan is sitting under the protocol stack as a baselayer
wrapper

[LSP]
[LSP]
[LSP]
[FIREWALL LSP]
[TROJAN - [BASE LAYER] ]

The Trojan pretends to be the base layer (Replaces it) and whenever asked
says 'I am the base layer and there is nothing below me' and doesn't offer a
pointer to the true base layer, thus the true base layer is disconnected
from the chain and cannot be found ... The Trojan calls it and exports all
of its functions back up the chain, but - it takes out Trojan packets and
inserts Trojan replies ... NO LSP will ever see these, regardless of their
position in the stack.

Of course, these methods only evade firewalls on the local machine ... a
hardware firewall or a firewall on a network gateway WOULD spot the
connections to and from the socket. Is there a way around that ???

Of course there is ... and here's the fun part of Trojan LSP's

SCENE 3 ... Promiscuous mode LSP firewall evasion

Lets say we have a gateway that is running externally to the infected
machine (A gateway firewall or a hardware firewall)

Now, ALL firewalls have holes in them for authorized applications to talk
through in both directions ... if they didn't then why have the internet at
all ? Nothing would get in or out !

So, we can assume that there are sockets in use that have firewall approval
.... how does this help our Trojan ... Well, instead of our LSP looking for
packets directed specifically AT it, it scans ALL traffic for specially
quoted sequences...

When it finds a specially quoted (embedded) sequence it removes that
sequence from the data before passing the data up the chain ...
When the Trojan wants to send a reply, it quotes it and inserts it into the
outgoing data on the same socket that it just received the command from ...

Because it is stripping commands out BEFORE they get to the application
that owns the socket, and its inserting replies AFTER they left them
application, the application is completely unaware that a Trojans commands
and replies are getting a free ride on its socket.

So, out hacker just connects (Or sends UDP) to ANY socket he can see from
the outside, possibly an FTP/HTTP/TELNET/MAIL daemon .... and the Trojan
will act upon it and reply, but the application will see none of that, the
application only sees what is NOT quoted .... so, hey presto - we trojaned
ALL of his ports ...and even remote firewalls will allow some of those
ports access to the world, or it wouldn't have the sockets open.

If our open quote was '<---' and our close quote was '--->' and when the
Trojan replies its open quote is '[--' and its close quote is '--]' we
could connect to, saaaay .... the telnet port if its open, and this is what
we type

lo<---hello--->gin guest[enter]
[---OK---]

The Telnet daemon sees 'login'
The Trojan sees 'hello'
The Trojan replies 'OK'

now, lets say our Trojan always replies with the victims time whenever we
type 'time' ... lets continue that telnet connection from where we left,

password? <---time--->
[---The time is 14:27pm on Monday 12th April--]
<--portlog 23 play-->
[--Playing back log for port 23--]
[--login fred^^topsecret^^ls^^ps x^^kill -9 28374^^--]
[--login guest^^blooper^^ls^^quota^^logi^gout^^--]
--8< snip -------
[--login user^^usermania^^ls^^ps x^^eggdrop egg.conf^^ls^^--]
[--end of log for port 23--]

See that, we asked our Trojan for the log of port 23 and it played back the
first few bytes of each connection it had seen on that port today ...
There's the guest password, lets give it ...

blooper [ENTER]
Welcome Guest, This is a test account with no prive ... blah ....
<--shutdown-->
[--Shutting down now--]
[BYE]

..connection lost..

Now, its unlikely that the windows machine has a telnet port, but bear in
mind that this could be ANY UDP or TCP port we can reach despite the
firewall, possibly a port 80 or some listening ICQ or MSN or mIRC's IDENT
port etc ... even ports 137, 138, 139 (Although the firewall would prolly
block or restrict those last 3) ... all are our Trojan

For a firewall to detect this it would have to be an AI, maybe a user that
happened to be packet logging would spot it ... but, our quoting wouldn't be
so obvious and our command/replies would be simply encrypted.

Imagine, the hex 0x293D3E22 was our open quote, and 0xEE3DF405 was our
close quote, and that all data quoted strings were fiendishly bit-mashed,
looks just like regular binary data now huh ? Send it UDPwise to a socked
we can reach and BOOM, we can reset the box, or have it send back files or
directory contents ...

SUMMARY
~~~~~~~~
Now, you know how firewalls tend to attach to the system and filter data
.... and you know that any LSP can see ALL traffic but normally only deals
with packets that it applies to ...

.... you've seen how the low level LSP Trojan can make a mockery of any
remote firewall provision by using either :

Unauthorized sockets (unknown unenumeratable invisible sockets - only seen
from the outside and only if it likes your IP/remote port)

-or-

Authorized sockets (by sitting on all sockets promiscuously and riding the
authorized ones through any firewalls)

There is one lower point of access which has even greater rewards, the
Layer-0 VXD wrapping Trojan, but that we will save for another time.

If anyone wants to see some actual C++ for LSP Trojans let me know and I'll
put some up, but I don't distribute binaries or complete sources, I'm only
offering the business end of the code : )

If anyone wants the seriously detailed hi-tech version of this article, let
me know and I'll place it as a reply to this thread, but my wrists are
aching and I really don't want to type any more today ... I been typing all
day and this article has just wiped out fingers <G>

plz again no flames just read and tell me what u think :(

PS I need to go now for real and is their any one from HOLLAND cos I am
going from the 18th to the 25th of this month and looking for some
"good"(that's a joke just in case) places to go to.

1:72 out


END of Part 1 of 2

Continued...

------

Continuation from Part 1 of 2...

Part 2 of 2

[From the discussion thread in grc.com about the article posted in Part 1
of 2.]

This might be a dumb question, but...
If an Intruder tried this, wouldn't it corrupt the TCP/IP stack? And
wouldn't that alone alert the user, if in fact, it "did" corrupt
TCP/IP?
Just wondering and trying to increase my learning curve...



Howdy ... End of a long and nasty shift ... OK, I'm game, I'll take this on
.... If an intruder tried this, depending on how well they wrote their VXD
wrapper code, you'd never know TCP/IP is "corrupted" ... Bear with me here
for I am (as usual at this hour) tired and not the sharpest blade in the
drawer at the moment. What you know as "TCP/IP" in Microsoft parlance is
way above the "NDIS layer" (Network Driver Interface Specification or "the
base layer") ... What the author (aside, NICE article that backs up my own
major point about "software firewalls being a waste of time") is trying to
say here is that by "shimming" a Trojan into the "winsock" (actually deep
below it) just like firewalls "shim" the winsock (a misnomer, but the
accepted view of reality lately) it is possible for such a Trojan to "shim"
itself UNDER the firewall in the stack and thus hide from a firewall. An
error would be generated at a higher layer, not here. Either the Trojan
would be successful or the shimming would result in a constant error that
would only be resolved by reloading windows. By the way, reloading windows
without a format and fdisk operation would probably only end up with the
shim reasserting itself again.

That all said, where the author was going is one I really got a kick out of
- that is, like many Trojans we've already seen (and a large number of
"internet worm viruses" as well) who defeat firewalls by using "authorized
connections" such as Outbreak Express or IE which are already authorized to
pass along nasties, is there's an even nastier way to assert a nasty, by
placing it as a wrapper around the lowest level of the protocol, in the
NDIS portion itself. When THIS is done, there is no way on this earth to
stop it from functioning and virtually no way to detect it at all unless
you HAPPEN to catch the VXD being installed. This is what he referred to
with the "ring 0" trick ... Even an external hardware firewall could miss
this is traffic is interspersed with the "real traffic" and siphoned off
before being detected.

But in all sincerity, you're NOT corrupting the stack, assuming the DLL (at
an upper level like a software firewall) intercepts the traffic and passes
along the ashes up the chain to the firewall ... It WOULD fail if it was
poorly written. If however the author of a nasty were to place it into the
VXD chains, there'd be no warning at all and folks are used to seeing
windows bomb on a boot-up, think nothing of it and reboot again whereupon it
wakes up properly. Raise hands now, how often has this happened to you?

What the person proposes is actually quite frightening. It was something I
envisioned when we were working on (and then abandoned) our "securesock"
software before the "free firewalls" pretty much killed the project (can't
compete with free when you've got bills and salaries to pay) ... But we saw
this coming back when Back Orifice 2000 was released and it went and
tunneled right into EXPLORER.EXE with remote threads and one really lousy
(apologies, DilDog ... Heh) cob job of "hacking the process stack" in the
Tooltips library to hide the remote thread BO2K created ...

Bottom line though, there is NO CURE for where nasties are headed ... A
HARDWARE firewall can up your chances a bit, but what he describes in that
article is not only doable, we've seen many recent Trojans (Sub7 2.2 as
just one example) already headed in that direction. As it is, there are
modules in the core Sub7 code that are completely invisible to "process
view" detection ... And "mobman" is working on a 2.3 version of Sub7 that
looks like it will be released in a few weeks (there's a bogus 2.3 going
around which is actually a 2.2 version that's been repacked - same old
stuff, no news) ... And rumors on IRC claim that Bionet 3.14 will also be
headed for the bottom layer, way beneath where software firewalls kick in
the "stack."

Still, the main trick is getting the nasty *onto* the machine, but people
still insist that it's OK to run scripting with "all the latest patches"
.... Ask the Air Force how that all is working out. <grin> Open acceptance
of scripting and ActiveX is STILL the major infection vector these days and
if any of them slip past, they've got ya. What the author talks about
though is very much for real and no, it's highly unlikely that any warning
will appear other than those scripting warnings that enough people have
ignored already.

Sub7 is QUITE prevalent out there even though the USUAL infection vector
involves embedding a tiny file uploader into script on a site which dumps a
VERY small program (we're now seeing these "Trojan grabbers" down to 7 to
16 k in size lately) which once installed, will then go grab the "fatter
Trojans" from somewhere else once they're on the machine. Won't take much
to get nailed though, the kids have been *very* busy as my absence from
here lately attests to. And nailing the "firewalls" is "job number one" to
most of them. The old solutions are about to fall.

Anyhow, loved the description of the FedEx conveyor belt. One of the more
interesting descriptions of the app layers I've seen. With Microsoft's
changes to their own NDIS to create more and more "promiscuous holes for
multimedia and streaming content," I'd say Windows XP is a goner. It was
bad enough when they introduced "out of band data support" in the NDIS 4.0
release, now with NDIS 5.0, they've made it a whole lot worse with (and I
quote) "New mechanisms for off-loading tasks such as TCP/IP checksum,
IP Security, TCP message segmentation, and Fast Packet Forwarding to
intelligent hardware" (see http://www.microsoft.com/hwdev/devdes/ndis5.HTM
for more) it's about to become and even more "happy browser/OS integration"
nightmare in the NEXT windows (like Win98 wasn't bad enough)
....
Just in case you wondered why I have a bad attitude about Microsoft doing
the "browser/OS integration" thing in the first place ... Well, I'm off to
bed ... Sorry for the ramblings but what I read in that article wasn't news
to me at least ... But then folks pay me to keep up with this
....
Kevin McAleavey

Kevin's home page: http://www.nsclean.com/
includes BOClean

**END of Part 2 of 2**
 
Back
Top