On Wed, 07 May 2008, Paul Schmehl wrote: > And that relates to the MSRT how?
Relates to MSRT sending your information. It only sends information when it finds something. I never stated it sends all your information all the time. > Now you're being silly. You're claiming that *realtime connection > information* is included in the data that is sent but without any grounds > to do so and despite Microsoft's claims to the contrary. And without any > proof. > Pick up a dev machine load it with malware, run MSRT, and sniff it. You'll see what it sends and remember LEA uses IP as an identifier bottom line. > You might try it some time. Getting the facts beats wild speculation and > hyperbole every time. I just installed MSRT on my laptop and ran it while > Wireshark was monitoring all external communications. It sent exactly > *zero* information to MS. It sent zero information because it did not detect anything malicious. As for paranoia, has nothing to do with paranoia. Facts. Fact 1) Is MS sending information from your machine to them ... Yes Fact 2) If something malicious is detected on your machine will it go to MS. Yes. Fact 3) Will they share information obtained from YOUR machine via YOUR IP address will they share that information with LEA? According to the MS spokesman they will. Fact 4) Can LEA correlate the information sent from your machine to an IP address... Yes. Go back and look at the information MS is obtaining it's in the log file. So looking at Sasser, lets fiddle with this: Quick Scan Results: ---------------- Found virus: Win32/Sasser.A.worm in file://C:\WINDOWS\avserve.exe Found virus: Win32/Sasser.A.worm in regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe Found virus: Win32/Sasser.A.worm in runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe Found virus: Win32/Sasser.A.worm in file://C:\WINDOWS\avserve.exe Quick Scan Removal Results ---------------- Start 'remove' for regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe Operation succeeded ! Start 'remove' for runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe Operation succeeded ! Start 'remove' for file://\\?\C:\WINDOWS\avserve.exe Operation succeeded ! Results Summary: ---------------- Found Win32/Sasser.A.worm and Removed! Return code: 6 Microsoft Windows Malicious Software Removal Tool Finished On Mon Mar 19 13:15:57 2007 (from there website). Now according to their article and common logic, in their article they stated they obtained samples of the infection to track the CNC of a botnet. How did they get this is up in the air, but with their forced update history, its possible on detection they can actually send avserve.exe right back to themselves. Anyhow, so I create something crafted to implicate you - using my previous analogy of being a botnet CNC owner, my program implicates your network you take the fall. People pull Joe Jobs all the time. > Not all of us are consumed by paranoia and unfounded fears. Some of us > actually approach security from a rational, intelligent perspective and > attempt to mitigate risks to the best of our abilities while accepting the > fact that we can't stop every attack. A Joe Job is an unfounded fear? How about poisoning the well. What happens if someone reading this decides to put it to the tests nullifying any verifiable, concrete snapshots with garbage. Then what will be of the tool? e-Garbage truck? > I don't consider fantasizing about bogeymen "thinking outside the box". Fantasizing has nothing to do with reality. People are paying top dollars in life to screw someone all the time whether its online or not. This is another stupid mechanism someone can use. Its a flawed concept albeit nice idea. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1) wget -qO - www.infiltrated.net/sig|perl http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
