<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
more importantly-- <BR>
this is just another symptom that 'Microsoft makes Windows run slower over time to force us to buy a new version'.<BR>
<BR>
If the software is doing things-- that it wasn't designed (advertised) to do-- that by definition is called BLOATWARE.<BR>
<BR>
It's time for MS to make performance _JUST_ as important as security.<BR>
Performance is important-- I'm hoping that Microsoft wakes up one of these days and starts talking about the 'Software Performance Lifecycle'.<BR>
<BR>
Personally, I'm sick and tired of MS forcing crapware / bloatware down our throats.<BR>
This software that you're talking about-- is just another symptom that MS doesn't give a crap about its users.<BR>
<BR>
-Aaron<BR>
<BR>
<BR>
<BR>
<BR><BR>> Date: Sat, 3 May 2008 22:45:41 -0500<BR>
> From: sil@infiltrated.net<BR>
> To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk<BR>
> Subject: Microsot DID DISCLOSE potential Backdoor<BR>
> <BR>
> While you were sleeping and focusing on COFEE...<BR>
> <BR>
> Microsoft Discloses Government Backdoor on Windows Operating Systems<BR>
> Wednesday, April 30th, 2008 @ 6:00 am | Privacy, News<BR>
> http://www.infiltrated.net/?p=92<BR>
> <BR>
> Microsoft may have inadvertently disclosed a potential Microsoft backdoor for law <BR>
> enforcement earlier this week. To explain this all, here is the layman's term of a backdoor <BR>
> from Wikipedia:<BR>
> <BR>
> A backdoor in a computer system (or cryptosystem or algorithm) is a method of <BR>
> bypassing normal authentication, securing remote access to a computer, obtaining access <BR>
> to plaintext, and so on, while attempting to remain undetected. The backdoor may take <BR>
> the form of an installed program (e.g., Back Orifice), or could be a modification to an <BR>
> existing program or hardware device.<BR>
> <BR>
> According to an article on PC World: "The software vendor is giving law enforcers <BR>
> access to a special tool that keeps tabs on botnets, using data compiled from the 450 <BR>
> million computer users who have installed the Malicious Software Removal tool that <BR>
> ships with Windows."<BR>
> <BR>
> Not a big deal until you keep reading: "Although Microsoft is reluctant to give out details <BR>
> on its botnet buster - the company said that even revealing its name could give cyber <BR>
> criminals a clue on how to thwart it"<BR>
> <BR>
> Stop the press for a second or two and look at this logically: "users who have installed the <BR>
> Malicious Software Removal tool" followed by "Microsoft is reluctant to give out details <BR>
> on its botnet buster - the company said that even revealing its name could give cyber <BR>
> criminals a clue on how to thwart it", what? This is perhaps the biggest gaffe I've read <BR>
> thus far on potential government collusion with Microsoft.<BR>
> <BR>
> We then have the following wording: "Microsoft had not previously talked about its <BR>
> botnet tool, but it turns out that it was used by police in Canada to make a high-profile <BR>
> bust earlier this year." So again, thinking logically at what has been said so far by <BR>
> Microsoft; "We have a tool called Malicious Software Removal tool...", "we can't tell <BR>
> you the name of this tool since it would undermine our snooping...", "it's been used by <BR>
> law enforcement already to make a high-profile bust earlier this year."<BR>
> <BR>
> Remember a "Malicious Software Reporting Tool" is a lot different from a "Malicious <BR>
> Software Removal Tool". Understanding networking, computing, botnets, let's put this <BR>
> concept into a working model to explain how this is nothing more than a backdoor. You <BR>
> have an end user, we'll create a random Windows XP user: Farmer John in North Dakota. <BR>
> Farmer John in North Dakota uses his machine once a week to read news, send family <BR>
> email, nothing more. He installed Microsoft's Malicious Removal Tool. Farmer John's <BR>
> machine becomes infected at some point and sends Microsoft information about the <BR>
> compromise: "I'm Farmer John's machine coming from X_IP_Address".<BR>
> <BR>
> A correlation is done with this information and then supposedly used to track where the <BR>
> botnet's originating IP address is from. From the article: "Analysis by Microsoft's <BR>
> software allowed investigators to identify which IP address was being used to operate the <BR>
> botnet, Gaudreau said. And that cracked the case." This is not difficult, detect a DST <BR>
> (destination) for malware sent from Farmer John's machine. Simple, good guys win, <BR>
> everyone is happy.<BR>
> <BR>
> The concept of Microsoft's Malicious Software Removal tool not being a backdoor is <BR>
> flawed. For starters, no information is ever disclosed to someone installing the Windows <BR>
> Malicious Software removal tool: "Windows will now install a program which will report <BR>
> suspicious activity to Microsoft". As far as I can recall on any Windows update, there has <BR>
> never been any mention of it.<BR>
> <BR>
> "But this is a wonderful tool, why are you being such a troll and knocking Microsoft for <BR>
> doing the right thing!". The question slash qualm I have about this tool is I'd like to know <BR>
> what, why, when and how things are being done on my machine. It's not a matter of <BR>
> condemning Microsoft, but what happens if at some point in time Microsoft along with <BR>
> government get an insane idea to branch away from obtaining other data for whatever <BR>
> intents and purposes?<BR>
> <BR>
> We've seen how the NSA is allowed to gather any kind of information they'd like (http://www.eff.org/issues/nsa-spying), <BR>
> we now have to contend with Microsoft attempting to do the same. Any way you'd like to <BR>
> market this, it reeks of a backdoor: (again pointing to the definition) A backdoor in a <BR>
> computer system ... is a method of bypassing normal authentication, ... obtaining access <BR>
> to ... , and so on, while attempting to remain undetected. There's no beating around the <BR>
> bush here on what this tool is and does.<BR>
> <BR>
> This is reminiscent of the 90's with the NSA's ECHELON program. In 1994, the NSA <BR>
> intercepted the faxes and telephone calls of Airbus. What resulted was the information <BR>
> was then forwarded to Boeing and McDonnell-Douglas in which they snagged the <BR>
> contract from under Airbus' feet. In 1996, the CIA hacked into the computers of the <BR>
> Japanese Trade Ministry seeking "negotiations on import quotas for US cars on the <BR>
> Japanese market". Resulting in the information being passed off to "US negotiator <BR>
> Mickey Kantor" who accepted a lower offer.<BR>
> <BR>
> As an American you might say "so what, more power to us" but to think that any <BR>
> government wouldn't do it to its own citizens for whatever reason would be absurd. <BR>
> There are a lot of horrible routes this could take.<BR>
> <BR>
> What happens if slash when for some reason or another the government decides that you <BR>
> should not read a news site, will Microsoft willingly oblige and rewrite the news in <BR>
> accordance to what the government deems readable?<BR>
> <BR>
> How about the potential to give Microsoft a warrantless order to discover who doesn't <BR>
> like a President's "health care plan", or who is irate at whatever policy; Will Microsoft <BR>
> sift through a machine to retrieve relevant data to disclose to authorities?<BR>
> <BR>
> That doesn't include the potential for say technological espionage and gouging of sorts. <BR>
> What's to stop Microsoft from say, mapping a network and reporting all "non-Microsoft" <BR>
> based products back to Microsoft? The information could then be used to say raise <BR>
> support costs, allow Microsoft to offer juicier incentives to rid the network of non MS <BR>
> based products, the scenarios are endless.<BR>
> <BR>
> Sadly, most people will shrug and pass it off as nothing. Most security buffs, experts, etc., <BR>
> haven't mentioned a word of it outside of "the wonderful method to remove, detect, <BR>
> botnets!" and I don't necessarily disagree it's a unique way to detect what is happening, <BR>
> but this could have been done at the ISP and NSP level without installing a backdoor. <BR>
> Why didn't law enforcement approach botnets from that avenue? Perhaps they have, this <BR>
> I'm actually certain of which leads me to believe this is a prelude of something more <BR>
> secretive that has yet to be disclosed or discovered.<BR>
> <BR>
> http://www.pcworld.com/businesscenter/article/145257/microsoft_botnethunting_tool_helps_bust_hackers.html<BR>
> http://cryptome.org/echelon-ep-fin.htm (ECHELON MISHAPS)<BR>
> <BR>
> More on Microsoft's *Potential* Government Backdoor<BR>
> Thursday, May 1st, 2008 @ 7:21 am | Privacy, News<BR>
> http://www.infiltrated.net/?p=92<BR>
> <BR>
> After reading through Microsoft's comments repeatedly yesterday, I cannot come to the <BR>
> conclusion that Microsoft's "Malware Removal Tool" is not some form of backdoor. <BR>
> Their comments in the initial article are extremely disturbing and anyone using a <BR>
> Microsoft product should now be extremely wary about downloading new updates if <BR>
> even deciding to continue using Microsoft at all.<BR>
> <BR>
> So let's take a look at the top botnets. Srizbi, Bobax, Rustock, Cutwail, Ozdok, Nucrypt, <BR>
> Wopla, Spamthru, Storm, Grum, Onewordsub; These are the top as reported by <BR>
> SecureWorks. (http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets) <BR>
> Guess what, eight out of eleven are all encrypted. Not that big of a deal until you decipher <BR>
> what Microsoft stated in their original quotes in correlation to some facts.<BR>
> <BR>
> From the article: Microsoft security experts analyze samples of malicious code to capture <BR>
> a snapshot of what is happening on the botnet network, which can then be used by law <BR>
> enforcers, Cranton said. "They can actually get into the software code and say, 'Here's <BR>
> information on how it's being controlled.'"<BR>
> <BR>
> Perhaps Microsoft could clarify how exactly they are doing what they do, more <BR>
> importantly, what information is being sent over the wire and to whom. Are they now <BR>
> breaking code as well? Did the botnet authors go through the steps of encrypting code? We <BR>
> know for a fact that traffic being sent from a compromised host to a controller is <BR>
> encrypted, so what is Microsoft analyzing? What COULDN'T Microsoft have gained <BR>
> from getting code for analysis say by working along with Symantec or someone else?<BR>
> <BR>
> Now before you shoot off an answer like "the code doofus, they're analyzing the code!", <BR>
> think about it again. If they're in it to analyze solely the code, they could have worked <BR>
> with AntiVirus vendors for samples as opposed to putting a tool on your machine which <BR>
> collects YOUR DATA and sends it off to who knows where. A law enforcement agency, <BR>
> or team Microsoft.<BR>
> <BR>
> I'll pause on this for now. How about the validity in stating: "Botnet Operator tracked via <BR>
> IP". How legitimate is this argument given the fact (not presumption) that IP is a horrible <BR>
> identifier? Let's put this in a practical example. Farmer Joe in Nebraska is using a DSL <BR>
> connection that is always on. He uses Windows XP and doesn't know what a Windows <BR>
> Update is so he's never used it. His computer is compromised, a botnet controller is <BR>
> installed and attacks are launched from Nebraska. The attacker sanitized Farmer Joe's <BR>
> machine to erase his tracks using multiple wipes with perhaps PGP. The end.<BR>
> <BR>
> For any business or law enforcement agency to claim they can track down via an IP <BR>
> address, perhaps they've skimmed on the fact that there are far too many open WiFi <BR>
> hotspots in the world to conclusively narrow a fact. We have an assumption that an <BR>
> attacker is behind 10.10.10.159. Can we see them? No. All we know is the address. Being <BR>
> I've used a private address, I won't bother diving into "but he came from ISP X in <BR>
> Nebraska." Irrelevant. What you have is a fishing expedition.<BR>
> <BR>
> / SNIP<BR>
> For more on this false sense of ID-via-IP: Well, let me ask you who you think 171.70.120.60 <BR>
> is. I'll give you a hint; at this instant, there are 72 of us.<BR>
> <BR>
> Here's another question. Who would you suspect 171.71.241.89 is? At this point in <BR>
> time, I am in Barcelona; if I were home, that would be my address as you would see it, <BR>
> but my address as I would see it would be in 10.32.244.216/29. There might be several <BR>
> hundred people you would see using 171.71.241.89;<BR>
> /END SNIP<BR>
> <BR>
> I implore you to read a NANOG thread http://readlist.com/lists/trapdoor.merit.edu/nanog/6/33246.html<BR>
> Professionals know, IP is an inaccurate identifier so why does it seem that Microsoft<BR>
> along with LEO are relying on this? Makes a great baseline sure, but is certainly ripe<BR>
> for abuse.<BR>
> <BR>
> Again, please understand what I am stating, this is "not to say that it's a horrible idea", it's <BR>
> a start, a baseline - but not a definitive measure of determining who is controlling a bot, <BR>
> who created the botnet, etc.<BR>
> <BR>
> Looking at past history, unfortunately you have the tinkerers; so what happens to an <BR>
> up-and-coming "security" buff who is getting into the field and stumbles upon a botnet? Sure <BR>
> he was moronic to join an irc channel filled with bots, sure he was idiotic in downloading <BR>
> the code for the sake of learning. Fact is he might have. Guess what will happen to him <BR>
> when a Law Enforcement Agency raids his house? Guess what will happen when that <BR>
> agency needs funding for a new uber Cyber(buzzword)Crime fighting department. You <BR>
> guessed it. Hey "Up-and-coming security buff..." Kiss your terminal goodbye, and from <BR>
> here on out, your dreams of becoming the next Bruce Schneier will be close to <BR>
> non-existent. It happens.<BR>
> <BR>
> Anyhow, re-emphasizing... Shame on Microsoft for forwarding your data without telling <BR>
> you. Shame on Microsoft for not asking you if you wanted to "PARTICIPATE" in <BR>
> sending data. Shame on Microsoft for not explicitly stating: The data we are sneaking off <BR>
> your computer will be sent to government agencies of our choice. It's a horrible practice <BR>
> and a damaging breach of trust. Their action worries me as a security professional, will <BR>
> they ever scour for data for profit? Why not, no one would notice or care anyway.<BR>
> <BR>
> J. Oquendo<BR>
> sil @ infiltrated dot net<BR>
> <BR>
> -- <BR>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+<BR>
> J. Oquendo<BR>
> SGFA #579 (FW+VPN v4.1)<BR>
> SGFE #574 (FW+VPN v4.1)<BR>
> <BR>
> wget -qO - www.infiltrated.net/sig|perl<BR>
> <BR>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB<BR>
> <BR>
</body>
</html>