Sunday, April 08, 2007

(Lite) Security Sunday Leads

With all this lost-egg hunting and the like today, here are some quickly laid "peeps" that might be of interest when you finally get some down-time:

Microsoft's XP Change Analysis Diagnostic Tool (CADT)

Via ISC-SANS handler's diary post

Once installed the tool will scan the computer looking for specific types of changes to the computer including....

  • Software Programs which are listed in the Add/Remove Program control panel
  • Operating System Components including Hotfixes or updates from Microsoft Update
  • Browser Helper Objects and other COM components loaded in Internet Explorer
  • Drivers
  • ActiveX Controls and
  • Other Auto-Start Extensibility Points

It creates a nice little XML file that you can use for a variety of purposes.

The tool also displays changes to loaded applications and startup objects.

The goal for sysadmins here is to get a file to provide troubleshooting logs related to system changes. While site-wide deployment might be over-kill, this could be a good "monitoring tool" to drop on a system where there are lots of "go-backs" for system repairs due to "user activity."

For instance, Microsoft provides a scenario where Help Desk can advise a user to download and install the tool (assuming they have sufficient rights to do so). The user runs the tool, the XML file gets generated and the user can email the file to the Help Desk for system analysis.

We use some remote desktop tools so we could do it ourselves, but the concept is still the same.

I can think of two good reasons for having this on an XP pc for home users as well:

  1. Providing easy geek support to "Mom/Dad/Relative/Friend" pc's. Often less-experienced users will install drivers/programs/stuff without really understanding what they are doing. This might help solve some of those "communication" barriers that often arise between the support geeks and the loved ones they support.
  2. Monitoring "kid-installations" on the home pc. If you don't bother to set up a specific account for Junior on your home XP system, with limited rights, then no telling what might be going on the pc while Junior is off on early-release day. This might be a bit more "non-intrusive" method instead of relying upon an automatic screen-capture/keylogger type program (icky).

I am curious about one thing: According to the Microsoft KB article, it works by querying XP's System Restore data for a user-specified period then compares the changes and reports. Based on that, I'm betting it won't be of any use if you have turned off System Restore for some reason.

More information and download link from KB Article 924732 at

Related utilities:

ASUS.COM Exploited

A bit of time ago, seems like a wicked ANI exploit was making its rounds hitting both Windows and Firefox browsers.

Fortunately, Microsoft issued an out-of-cycle security patch that closed that hole (once applied).

Unfortunately, a few websites had already been exploited by the malicious code.

One site was You know...that motherboard/systemboard manufacturer?

Seems that they had an iframe exploit serving up bad code.

Only when ISC-SANS took a look they didn't find anything...until they dug deeper. uses load balancing so some times you might get the IP of a compromised server, and other times you would pick up an IP of a "safe" sever. That's why it took a bit of time to track down.

A comparison between both server's home-page code revealed the malicious code.

(Good thing to remember...load balancing multi-IP servers.)

The code leads to another VBscript, which points to another (obfuscated) javascript code and a baddie .exe file hidden as a .jpg file.

That file showed up as a trojan/password stealer.

And all a bunch of poor users wanted to to was shop for systemboards for their l33t rigs or grab some drivers.

Just another reason to be extra careful with running your browser with JavaScript enabled.

I personally like using the NoScript extension for Mozilla's Firefox to control JavaScript execution.

ASUS seems to be slowly cleaning up their page code. English seems OK now, but at last report the other language websites were still showing evidence of the malicious code.

Thought it was interesting...

See Alice and Bob Do DNSSEC

I like pictures!

I drive the folks I work with crazy with extra flowcharts, screen captures, etc. in our documentation.

MatasanoChargen - is a clever security blog I have recently added to my RSS feed pile.

One of the fun things of late they do is to provide illustrated lessons on security concepts using Alice and Bob.

The iconic images are clear and easy to grasp, yet provide great foundational understanding to some of the more complex network security areas.

For examples of Alice and Bob theatre:

A Case Against DNSSEC, Count 1: Solves A Non-Problem - explains DNSSEC, trusted keys and a bit of DNS.

A Case Against DNSSEC, Count 2: Too Complicated To Deploy - more DNSSEC fun

FYI -- DNSSEC stands for Domain Name System Security Extensions.

One more cool illustrated post from that blog: DRM Secrets Revealed At Nate Lawson’s Blog

Sunbelt Software Tackles Ethics and Antispyware

Sunbelt Software's Alex Eckelberry takes to task various "vendors" of antispyware products who offer free downloads of their scanning products, but then require purchase before they can be activated for removal.

SunbeltBLOG: Ethics and antispyware

I've always depended on quality freeware anti-spyware tools and have never gone wrong or been burned. As such, I've never been bitten by one of these products. There are just too many "quality" freeware anti-malware applications to bother with any of the more dubious products.

However, I can easily see where a "noobie" pc user, whose system is caught in the binds of a malware infection can get taken in. They don't have a "geek-support" friend or family member to call. A co-worker tells them to run a search on "Google." They do and next thing you know, they have stumbled erroneously on just such a rouge/suspect product.

Alex picks apart that model of software distribution very well. I learned some things.

For example, I had never considered that developers were actually paying download sites for each "free" download they server up.

And that there are conversion-rates for downloads and product purchases.

And that if a product offers a free scanner download, but requires payment to remove, conversion rates increase substantially.

Even worse, who can tell if those "results" are actually false-positives? A noobie user wouldn't have a clue. Scare tactics at their best.

Lastly, Alex reminds users that some "independent" review sites might rank products higher based on commissions paid. Ick. So take what you see rated with a sizeable "grain of salt."

As for Sunbelt's premier anti-malware product, CounterSpy V2?

Always offered as a fully-functional download (both for scans and removals) operational for 15-days. Should be long enough to get your machine back on its feet again and let you really decide if you want to drop a Jackson on it.

Or just go with one of the reputable anti-malware programs.

There are lots.


No comments: