Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Microsot DID DISCLOSE potential Backdoor
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 08 May 2008 12:12:43 -0500

--On Thursday, May 08, 2008 10:40:35 -0500 "J. Oquendo" <sil () infiltrated net> 
wrote:

On Thu, 08 May 2008, Paul Schmehl wrote:

You're comparing apples with oranges.  The is precisely the muddying of the
waters that J. Oquendo is seeking to stir up emotions.

And you know me this well to infer it's stirring up emotions. I call it
raising awareness. You have your interpretation of what you read, I have
mine. Is yours wrong Paul.

This is what you call "raising awareness".

"Microsoft may have inadvertently disclosed a potential Microsoft backdoor for 
law
enforcement earlier this week. "

Of course, with the weasel words "may have", "inadvertently" and "potential", 
you can always claim you never really said that, but you know exactly what the 
reader will take away from that headline - "What???  Microsoft installed a 
backdoor on my computer????"

You then quote PC World - "The software vendor is giving law enforcers
access to a special tool that keeps tabs on botnets, using data compiled from 
the 450
million computer users who have installed the Malicious Software Removal tool 
that
ships with Windows."

Note that the botnet tool is "a special tool that keep tabs on botnets" and 
that it "use[s] data compiled from the 450 million computer users....."

Now we know, first of all, that the MSRT doesn't even send data unless you have 
an infection (and that functionality can be disabled.)  Secondly, we know that 
the botnet tool "uses" data compiled from the use of the MSRT.

From this you get "Microsoft has installed a backdoor on your computer!!!"

Then you make this amazing leap of "logic".

"So again, thinking logically at what has been said so far by
Microsoft; "We have a tool called Malicious Software Removal tool...", "we 
can't tell
you the name of this tool since it would undermine our snooping...", "it's been 
used by
law enforcement already to make a high-profile bust earlier this year."

So, in one "sentence" you tie the MSRT to the botnet buster and go from "it 
sends data" to "it spies on you".  Nice try, but you're not fooling anyone 
except fools.

BTW, a backdoor program is something that allows me to access your computer 
without your knowledge any time I want to, not a program that sends me 
information whenever you choose to run it *if* you choose to send it.  Again, 
nice try, but you're not fooling anyone except fools and conspiracy theorists.

Next you manage to tie the MSRT to the NSA, Echelon, AT&T wiretaps, 
eavesdropping and other supposed nefarious activities.

But you're not trying to stir up emotions - no - just "raising awareness".


It is Microsoft's fault for not being honest period no ifs ands or buts.
Please give us your professional correlation of the article. Information
obtained from MSRT was used to track botnet hunters in cahoots with another
tool.


I don't know the details of what Microsoft is providing LE from MSRT.  Neither 
do you.   That is precisely my point.  That isn't stopping you from making wild 
claims, though.

Here's one possible use.

Microsoft correlates the data sent from MSRT.  They notify law enforcement that 
they are seeing a recent trend of 150,000 computers infected with a certain 
malware.  It opens port x, communicates using protocol y and talks to the 
following IP addresses (C&Cs).  They provide LE with a tool that is a botnet 
hunter that knows what traffic to look for, what ports to look on, what 
protocols are being used and where the C&Cs are.  All that information was 
obtained from the data received from MSRTs reporting in from all over the world.

LE then uses that tool to set up monitoring of those specific ports, protocols 
and C&Cs, begins gathering data and eventually busts the botmaster.

Now, how has this exposed you personally?  Revealed your IP?  Invaded your 
privacy?  Created a backdoor on your computer?

Yes, their web page (I don't see any EULA) states that they don't collect
personally identifiable information.  Furthermore, the botnet tool is a
separate tool.  The page also states that after the tool is run, it deletes
itself.  So, when you are infected with something, the tool will detect and
clean it *and* send some information about the infection back to M$.

Can you please find this page. I showed you mine show me yours or just STFU
for now, otherwise the "my cojones are bigger than yours" becomes redundant
nonsense. EOS

Unable to perform a simple search?

The MSRT home page:
<http://www.microsoft.com/security/malwareremove/default.mspx?tapm=A51S01B01>

The download page:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en>

"The version of this tool delivered by Windows Update runs on your computer 
once a month, in the background. If an infection is found, the tool will 
display a status report the next time you start your computer. If you would 
like to run this tool more than once a month, run the version that is available 
from this Web page or use the version on the Malicious Software Removal Tool 
Web site.

Please review KB890830 for the list of malicious software that the current 
version of the tool is capable of removing as well as usage instructions. Also, 
please be aware that this tool reports anonymous information back to Microsoft 
in the event that an infection is found or an error is encountered. The above 
KB article contains information on how to disable this functionality and what 
specific information is sent to Microsoft. "

KB890830:
<http://support.microsoft.com/?kbid=890830>

"Reporting infection information to Microsoft
The Malicious Software Removal Tool will send basic information to Microsoft if 
the tool detects malicious software or finds an error. This information will be 
used for tracking virus prevalence. No identifiable personal information that 
is related to you or to the computer is sent together with this report."

"Reporting component
The Malicious Software Removal Tool sends information to Microsoft if it 
detects malicious software or finds an error. The specific information that is 
sent to Microsoft consists of the following items:
    The name of the malicious software that is detected
    The result of malicious software removal
    The operating system version
    The operating system locale
    The processor architecture
    The version number of the tool
    An indicator that notes whether the tool is being run by Microsoft Update, 
Windows Update, Automatic Updates, the Download Center, or from the Web site
    An anonymous GUID
    A cryptographic one-way hash (MD5) of the path and file name of each 
malicious software file that is removed from the computer

If apparently malicious software is found on the computer, the tool prompts you 
to send information to Microsoft beyond what is listed here. You are prompted 
in each of these instances, and this information is sent only with your 
consent. The additional information includes the following:
    The files that are suspected to be malicious software. The tool will 
identify the files for you.
    A cryptographic one-way hash (MD5) of any suspicious files that are 
detected.

You can disable the reporting feature. For information about how to disable the 
reporting component and how to prevent this tool from sending information to 
Microsoft, click the following article umber to view the article in the 
Microsoft Knowledge Base:

891716 (http://support.microsoft.com/kb/891716/) Deployment of the Microsoft 
Windows Malicious Software Removal Tool in an enterprise environment "

KB891716:
<http://support.microsoft.com/kb/891716/>

"Q3. How can I disable the infection-reporting component of the tool so that 
the report is not sent back to Microsoft?

A3. An administrator can choose to disable the infection-reporting component of 
the tool by adding the following registry key value to computers. If this 
registry key value is set, the tool will not report infection information back 
to Microsoft.
    Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
    Entry name: \DontReportInfectionInformation
    Type: REG_DWORD
    Value data: 1

This functionality is automatically disabled if the following registry key 
value exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer
This registry key value indicates that the computer is connected to an SUS 
server."

Is there anything else that you need in order to figure out that your claims 
are wholly without merit?

-- 
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]