Re: ISS Internet Scanner Cannot be relied upon for conclusive

From: David LeBlanc (dleblancat_private)
Date: Wed Feb 10 1999 - 07:47:32 PST

    At 07:37 PM 2/10/99 +1100, Darren Reed wrote:
    >In some mail from David LeBlanc, sie said:
    
    >> We check file dates when checking for NT patches, and would catch your
    >> example.
    
    >I don't see how that can be considered "adequate".
    
    Because it is going to be accurate on 99+% of NT systems.  The file
    timestamps are all the same when you install a hotfix.  If you _really_
    want to be sure no one has put trojans on a box, you need to baseline the
    system (our system scanner does this, as does tripwire, and others).
    
    >However, going back to "cops" (could be considered to be the origin of
    >such processing), it appears it performed the same evil.
    
    >For .dll's and friends which are supplied with service packs, I can't
    >see why you would not use a cryptographic checksum to ensure that the
    >file there is what you think it is.
    
    This is because it is a huge amount of work to keep up with all of this.
    We do exactly this when checking for trojan password filters for exactly
    this reason.  In that case, it is important enough to detect trojan
    versions to bother with worrying about whether MS shipped a new one with
    the latest service pack (for example, there are 4 valid versions of
    nwpwclnt.dll on Intel alone).  The odds of finding a trojan ntoskrnl.exe
    are pretty slim.  OTOH, someone might read on a web page somewhere that we
    only check file size on a password filter, so they make sure the trojan has
    the same size as the real one, then we checksum it and bust them 8-)
    
    David LeBlanc
    dleblancat_private
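
The point made above, that a size or timestamp check is fooled by a replacement of the same size whose timestamp has been put back, while a cryptographic checksum compared against the set of known-good versions is not, as an added example that is not part of the original thread or of any ISS product. It baselines a file with size, modification time and SHA-256, then simulates a same-size replacement in a temporary directory and reports which check notices; the file name is taken from the message, the contents are constructed stand-ins, and the allow-list of hashes models the "several valid versions" case:

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    """What a baseline scanner records about one file."""
    size: int
    mtime_ns: int
    sha256: str


def record_file(path: str) -> FileRecord:
    """Capture size, modification time and SHA-256 for one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return FileRecord(st.st_size, st.st_mtime_ns, h.hexdigest())


def compare(base: FileRecord, current: FileRecord) -> dict:
    """Report, per check, whether the file differs from its baseline."""
    return {
        "size": base.size != current.size,
        "timestamp": base.mtime_ns != current.mtime_ns,
        "sha256": base.sha256 != current.sha256,
    }


def is_known_good(current: FileRecord, known_hashes: set) -> bool:
    """Allow-list check: several vendor-shipped versions may all be valid,
    so the current hash is compared against every known-good hash."""
    return current.sha256 in known_hashes


def demo() -> dict:
    """Simulate the scenario from the thread and return which checks fire."""
    with tempfile.TemporaryDirectory() as d:
        # File name taken from the thread; contents are constructed stand-ins.
        path = os.path.join(d, "nwpwclnt.dll")
        genuine = b"GENUINE-PASSWORD-FILTER" + bytes(4096 - 23)
        with open(path, "wb") as f:
            f.write(genuine)
        base = record_file(path)
        known_good = {base.sha256}  # hashes of every version the vendor shipped

        # Constructed replacement of identical size; its timestamp is set back
        # to the baseline value, so size and timestamp checks see no change.
        altered = b"ALTERED-PASSWORD-FILTER" + bytes(4096 - 23)
        with open(path, "wb") as f:
            f.write(altered)
        os.utime(path, ns=(base.mtime_ns, base.mtime_ns))

        current = record_file(path)
        result = compare(base, current)
        result["known_good"] = is_known_good(current, known_good)
        return result


if __name__ == "__main__":
    for check, flagged in demo().items():
        print(f"{check:10s} {'DIFFERS' if flagged else 'same'}"
              if check != "known_good" else f"{check:10s} {flagged}")
```

Only the sha256 line reports a difference, and the allow-list lookup fails; that is the "then we checksum it and bust them" outcome, and the allow-list is what absorbs the bookkeeping cost of keeping several valid vendor versions per file.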
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:46 PDT