Valdis to Harlan:
> > However, you _can_ get a warm fuzzy if the file has
> > the MS file version information compiled into it.
>
> And you verify the authenticity of your warm fuzzy how, exactly?
Rumour has it that MS will be making its WarmFuzzy Verifier beta release
within a month...
> const char MS_version[] = "bogus MS file version info goes here";
Well, it is done a bit differently from that, but the basic idea is
right.
And it's already been done. Heaps. Especially by some of the adware
developers...
> (Remember - we've already had major worms that crafted a totally bogus
> "X-Virus: scanned by" header claiming a real AV had scanned it....)
Yep -- even the skiddies have thought of this level of trivial
deception.
> > That warm fuzzy can be increased if the file is
> > digitally signed by MS.
>
> First, go back and re-read http://www.cert.org/advisories/CA-2001-04.html
8-)
> Second, remember that you're worried that the machine is compromised - and
> you're asking it to verify the signature. Again, if the box is compromised,
> the DLL that verifies signatures could be backdoored as well.
Indeed, although to date I certainly haven't seen this done and don't
recall hearing of this level of deception. It's probably not far off
though -- it would be a trivial addition to any of the modestly clever
rootkits, but does not require that degree of complexity.
Regards,
Nick FitzGerald
Received on Mar 17 2005