(forgot to reply all)

I was actually just sanity checking that. They replied the first time you
brought this up, linking to their earlier explanation:

  https://bugzilla.mozilla.org/show_bug.cgi?id=1647181#c15

So that even explains the network listener. A bit grungy, but maybe it's
been fixed in newer versions?


Mark

On Wed, 15 Mar 2023, 03:56 Kurt Seifried, <k...@seifried.org> wrote:

> Is there some reason that BJCA hasn't replied yet? Although it's a bit
> late now, they're in.
>
> On Tue, Mar 14, 2023 at 9:51 PM Mark Steward <markstew...@gmail.com>
> wrote:
>
>> Hi Kurt,
>>
>> As a random Internet volunteer, I've had a brief read of the report
>> you're citing:
>>
>>   https://go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf
>>
>> and while it may sound concerning without context, it looks to me like a
>> whole lot of nothing.
>>
>> The report appears to be entirely built around automated sandbox runs by
>> Hybrid Analysis and Alienvault. There is no language that suggests Insikt
>> ran or even obtained a copy of the software.
>>
>> They even give away that they don't understand what a sandbox does with
>> their first finding:
>>
>> > This particular version of services.exe was first released by Microsoft
>> on April 13, 2021, in a Windows 10 security update (KB5001337), indicating
>> that the One Pass process infection chain may have been adapted since then
>> to include this file as the initial loader.
>>
>> This actually only indicates that the Windows VM used for testing the
>> sample was up to date.
>>
>> Most of the behaviour noted is typical of installation software, and only
>> becomes concerning when the assumption is that the user did not consent to
>> installation.
>>
>> Things that might not be obvious:
>>
>>  - ActiveX support is not surprising for corporate convenience software
>> or bundled drivers.
>>
>>  - Renaming built-in utilities like regsvr32.exe can be a red flag in
>> intrusion scenarios, but it's more likely a frozen copy of the Windows
>> utility to avoid compatibility problems.
>>
>>  - The network listener behaviour might be suspicious, but does not show
>> up on the Alienvault report, and could be a mechanism for a UI to
>> communicate locally to the update service. wmControl.exe is also likely a
>> frozen copy of the Windows utility, as it appears on other Alienvault
>> reports for One Pass as a console application, not a driver.
>>
>>  - Proprietary antivirus software identifying it as something unrelated
>> is almost always a false alert. In a similar way, the Alienvault detection
>> of "Exhibits behavior characteristic of Nymaim malware" is due to it using
>> a Windows feature to replace in-use files on restart.
>>
>>
>> This is not to give the software a clean bill of health, but as you're
>> aware, doing so would require in-depth investigation. Nothing in this
>> report makes me think it'll be worth the time.
>>
>>
>> Mark
>>
>>
>> On Tue, 14 Mar 2023, 04:19 'Kurt Seifried' via
>> dev-security-policy@mozilla.org, <dev-security-policy@mozilla.org> wrote:
>>
>>> I haven't seen the software. But isn't it BJCA's job to prove they are
>>> trustworthy? Shouldn't BJCA.cn have some simple answer in the form of "no
>>> it's not spyware, and here's how we can easily and simply prove it."
>>>
>>> Why is this the responsibility of random Internet volunteers to prevent
>>> Mozilla from being bamboozled into accepting an untrustworthy CA? Shouldn't
>>> Mozilla be ensuring that root CAs are highly trusted and not involved in
>>> spyware, like Trustcor apparently was?
>>>
>>> Also when it comes to spyware there are very few experts or groups that
>>> can properly analyze this (e.g. Citizen Lab comes to mind). There isn't
>>> some huge pool of people with a ton of spare time to track this down.
>>> Witness involvement in this mailing list as a good example of how few
>>> people are actually involved.
>>>
>>>
>>> On Mon, Mar 13, 2023 at 9:26 PM Ben Wilson <bwil...@mozilla.com> wrote:
>>>
>>>> Kurt,
>>>> I am a bit skeptical when I am only able to identify one report that is
>>>> then repeated by other sources. Were you able to identify independent
>>>> examinations of the v.2.x software other than the one by Insikt Group?
>>>> Ben
>>>>
>>>>
>
> --
> Kurt Seifried (He/Him)
> k...@seifried.org
>

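The "Windows feature to replace in-use files on restart" that Mark says trips the Nymaim heuristic is, I assume (the thread does not name it), MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues rename/delete pairs in the PendingFileRenameOperations value for smss.exe to apply at boot. The script below is an added example, not code from the thread or from any of the parties discussed: it decodes that queue so a triager can judge the actual paths rather than the heuristic's label. The sample blob and the needs_review rule are constructed.

```python
# Assumption: the restart-replace feature is MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT),
# stored as REG_MULTI_SZ in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager.
from dataclasses import dataclass

NT_PREFIX = "\\??\\"

@dataclass
class PendingOp:
    source: str
    destination: str        # "" means "delete source at boot"
    replace_existing: bool  # destination carried the "!" marker

def _clean(path: str) -> tuple[str, bool]:
    """Strip the '!' replace-existing marker and the NT namespace prefix."""
    replace = path.startswith("!")
    path = path[1:] if replace else path
    return path.removeprefix(NT_PREFIX), replace

def parse_pending_renames(raw: bytes) -> list[PendingOp]:
    """UTF-16-LE, a NUL after each string, one extra NUL closing the list; pairs are kept positionally so an empty destination (delete) survives."""
    text = raw.decode("utf-16-le")
    text = text[:-2] if text.endswith("\x00\x00") else text.rstrip("\x00")
    items = text.split("\x00")
    if len(items) % 2:
        raise ValueError("unpaired entry in PendingFileRenameOperations")
    ops = []
    for src, dst in zip(items[::2], items[1::2]):
        src, _ = _clean(src)
        dst, replace = _clean(dst)
        ops.append(PendingOp(src, dst, replace))
    return ops

def needs_review(op: PendingOp) -> bool:
    """Constructed filter, not a verdict: installers normally swap files in their
    own directory; an entry that writes into or deletes from C:\\Windows gets a look."""
    target = op.source if op.destination == "" else op.destination
    return target.lower().startswith("c:\\windows\\")

def build_multi_sz(pairs: list[tuple[str, str]]) -> bytes:
    """Constructed helper that encodes pairs the way the registry stores them."""
    return ("".join(f"{s}\x00{d}\x00" for s, d in pairs) + "\x00").encode("utf-16-le")

# Constructed sample: an updater swapping its own DLL, cleaning a temp file,
# and one entry that overwrites a file in System32.
SAMPLE = build_multi_sz([
    ("\\??\\C:\\Program Files\\OnePass\\core.dll.new", "!\\??\\C:\\Program Files\\OnePass\\core.dll"),
    ("\\??\\C:\\Users\\u\\AppData\\Local\\Temp\\setup.tmp", ""),
    ("\\??\\C:\\Users\\u\\AppData\\Local\\Temp\\x.dll", "!\\??\\C:\\Windows\\System32\\x.dll"),
])
```

Running `[needs_review(o) for o in parse_pending_renames(SAMPLE)]` flags only the third entry; the first two are what an ordinary installer leaves behind.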