Erik Parker wrote:
>
> This was useful in a way. Except for a couple things. Did you run this
> multiple times? Because it doesn't always have the strange nature.
>
> I also think the fact that it tries to resolve that hostname every 5
> minutes is totally uncalled for. It should check to see if there is a
> dialup connection, or some kind of TCP/IP available, and THEN try to
> resolve. That isn't a MAJOR performance problem, but if someone is running
> Windows 98 on a 486/33 (yes, I hear there are people out there like that),
> they need every bit of process time they can get.
>
> Thanks for the insight though. Is windowsupdate.microsoft.com the only
> host it tries to connect to?
>
> Microsoft also purchased windowsupdate.com, which will most likely take
> over that address at some point. The entire thing still seems fishy.

I dumped the update connections from 3 separate hosts on the same network, showing the same behavior in each. If someone else has a different experience, I would like to hear about it.

Also, the update tool may not be directly trying to resolve the update server address, but using a high-level Inet API call that would do the same while attempting to make a connection. The entire system seems horribly inefficient, as the updating machine needs to download the entire list of updates every time it wants to check for new ones.

The worst part about all of this is that every single Windows 98 computer that wishes to get an update has to rely on a single host for the security. If that one server got compromised one day, or an attacker cracks the MS DNS server again, there could be millions of users installing trojans every hour. The scope of this attack is big enough to attract crackers who actually know what they are doing...

Brian Hayward wrote:
>
> So the weakest link here is the nameserver. If someone is able to
> compromise your nameserver.
>
> I wonder what type of validation is done within the update utility.
> Does it check to see if the resolved address is indeed a valid Microsoft
> IP address, or are there any other security checks that prevent
> installation of updates from a non-Microsoft site?
>
> ---

Even if someone was able to compromise the DNS server or drop a false address for it in your hosts file, they would need to create a copy of Microsoft's site to fool the Win98 users into downloading a look-alike ActiveX control to control the updates. The real M$ control is signed with VeriSign; the lack of this signature should clue in the user that something is wrong.

To create a 'trojan' update you would need to do the following:

1) Compromise the DNS server or their hosts file.
2) Create a cab + cucif.cif file with their trojan added.
3) Create (or reuse) the ActiveX update component; reusing it seems simple enough and would maintain the signature.
4) Discover the locations of the update files on the real server and place their trojan in the same location on the spoofing server.

This is just one scenario, but the point is that spoofing windowsupdate.microsoft.com is just the beginning, and as I have replied to numerous e-mails, not quite as easy as it seems at first.

As Mr. Parker said, this entire setup seems kinda fishy...
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:04 PDT