
Microsoft DID DISCLOSE potential Backdoor



While you were sleeping and focusing on COFEE...

Microsoft Discloses Government Backdoor on Windows Operating Systems
Wednesday, April 30th, 2008 @ 6:00 am | Privacy, News
http://www.infiltrated.net/?p=92

Microsoft may have inadvertently disclosed a potential Microsoft backdoor for law enforcement earlier this week. To explain this all, here is the layman's definition of a backdoor from Wikipedia:

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.

According to an article on PC World: "The software vendor is giving law enforcers access to a special tool that keeps tabs on botnets, using data compiled from the 450 million computer users who have installed the Malicious Software Removal tool that ships with Windows."

Not a big deal until you keep reading: "Although Microsoft is reluctant to give out details on its botnet buster - the company said that even revealing its name could give cyber criminals a clue on how to thwart it"

Stop the press for a second or two and look at this logically: "users who have installed the Malicious Software Removal tool" followed by "Microsoft is reluctant to give out details on its botnet buster - the company said that even revealing its name could give cyber criminals a clue on how to thwart it". What? This is perhaps the biggest gaffe I've read thus far on potential government collusion with Microsoft.

We then have the following wording: "Microsoft had not previously talked about its botnet tool, but it turns out that it was used by police in Canada to make a high-profile bust earlier this year." So again, thinking logically at what has been said so far by Microsoft: "We have a tool called Malicious Software Removal tool...", "we can't tell you the name of this tool since it would undermine our snooping...", "it's been used by law enforcement already to make a high-profile bust earlier this year."

Remember, a "Malicious Software Reporting Tool" is a lot different from a "Malicious Software Removal Tool". Understanding networking, computing and botnets, let's put this concept into a working model to explain how this is nothing more than a backdoor. You have an end user; we'll create a random Windows XP user: Farmer John in North Dakota. Farmer John in North Dakota uses his machine once a week to read news and send family email, nothing more. He installed Microsoft's Malicious Removal Tool. Farmer John's machine becomes infected at some point and sends Microsoft information about the compromise: "I'm Farmer John's machine coming from X_IP_Address".

A correlation is done with this information and then supposedly used to track where the botnet's originating IP address is from. From the article: "Analysis by Microsoft's software allowed investigators to identify which IP address was being used to operate the botnet, Gaudreau said. And that cracked the case." This is not difficult: detect a DST (destination) for malware sent from Farmer John's machine. Simple, good guys win, everyone is happy.
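The correlation just described, as an added example that is not part of the original post and not Microsoft's code: each cleaned-up machine is assumed to report the destination its malware was contacting, and the destination shared by many unrelated reporters is the candidate controller (the "DST" above). The telemetry is constructed and uses RFC 5737 documentation addresses.

```python
"""Correlating infection reports to a common controller address.

Added example, not code from the original post or from Microsoft's tool.
Assumes each reporting machine submits (its own address, the destination
its malware contacted); the destination seen from many distinct
reporters is the candidate controller.
"""
from collections import defaultdict

# Constructed telemetry (RFC 5737 documentation addresses):
# (reporting machine, destination the malware contacted)
REPORTS = [
    ("203.0.113.10", "198.51.100.7"),
    ("203.0.113.10", "192.0.2.80"),   # ordinary traffic from the same machine
    ("203.0.113.22", "198.51.100.7"),
    ("203.0.113.45", "198.51.100.7"),
    ("203.0.113.45", "192.0.2.55"),
    ("203.0.113.99", "198.51.100.7"),
    ("203.0.113.99", "192.0.2.80"),
]


def controller_candidates(reports, min_reporters=3):
    """Destinations contacted by at least `min_reporters` distinct reporting
    machines, ranked by reporter count (ties broken by address).

    Counting distinct reporters rather than raw hits stops one chatty
    machine from pushing an ordinary site to the top of the list.
    """
    reporters_by_dst = defaultdict(set)
    for reporter, dst in reports:
        reporters_by_dst[dst].add(reporter)
    ranked = sorted(reporters_by_dst.items(),
                    key=lambda item: (-len(item[1]), item[0]))
    return [(dst, len(reporters)) for dst, reporters in ranked
            if len(reporters) >= min_reporters]


if __name__ == "__main__":
    for dst, count in controller_candidates(REPORTS):
        print(f"{dst} contacted by {count} distinct reporting machines")
```

With the constructed reports only 198.51.100.7 clears the three-reporter threshold; lowering the threshold to two also surfaces 192.0.2.80, which is the kind of popular legitimate site such a ranking has to be tuned against.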

The concept of Microsoft's Malicious Software Removal tool not being a backdoor is flawed. For starters, no information is ever disclosed to someone installing the Windows Malicious Software removal tool: "Windows will now install a program which will report suspicious activity to Microsoft". As far as I can recall on any Windows update, there has never been any mention of it.

"But this is a wonderful tool, why are you being such a troll and knocking Microsoft for doing the right thing!" The question slash qualm I have about this tool is I'd like to know what, why, when and how things are being done on my machine. It's not a matter of condemning Microsoft, but what happens if at some point in time Microsoft along with government get an insane idea to branch away from obtaining other data for whatever intents and purposes?

We've seen how the NSA is allowed to gather any kind of information they'd like (http://www.eff.org/issues/nsa-spying); we now have to contend with Microsoft attempting to do the same. Any way you'd like to market this, it reeks of a backdoor (again pointing to the definition): A backdoor in a computer system ... is a method of bypassing normal authentication, ... obtaining access to ... , and so on, while attempting to remain undetected. There's no beating around the bush here on what this tool is and does.

This is reminiscent of the 90's with the NSA's ECHELON program. In 1994, the NSA intercepted the faxes and telephone calls of Airbus. The result was that the information was then forwarded to Boeing and McDonnell-Douglas, who snagged the contract from under Airbus' feet. In 1996, the CIA hacked into the computers of the Japanese Trade Ministry seeking "negotiations on import quotas for US cars on the Japanese market". The information was then passed off to "US negotiator Mickey Kantor" who accepted a lower offer.

As an American you might say "so what, more power to us" but to think that any government wouldn't do it to its own citizens for whatever reason would be absurd. There are a lot of horrible routes this could take.

What happens if slash when for some reason or another the government decides that you should not read a news site, will Microsoft willingly oblige and rewrite the news in accordance to what the government deems readable?

How about the potential to give Microsoft a warrantless order to discover who doesn't like a President's "health care plan", or who is irate about whatever policy; will Microsoft sift through a machine to retrieve relevant data to disclose to authorities?

That doesn't include the potential for, say, technological espionage and gouging of sorts. What's to stop Microsoft from, say, mapping a network and reporting all "non-Microsoft" based products back to Microsoft? The information could then be used to, say, raise support costs, or allow Microsoft to offer juicier incentives to rid the network of non-MS based products; the scenarios are endless.

Sadly, most people will shrug and pass it off as nothing. Most security buffs, experts, etc., haven't mentioned a word of it outside of "the wonderful method to remove, detect, botnets!" and I don't necessarily disagree it's a unique way to detect what is happening, but this could have been done at the ISP and NSP level without installing a backdoor. Why didn't law enforcement approach botnets from that avenue? Perhaps they have; this I'm actually certain of, which leads me to believe this is a prelude of something more secretive that has yet to be disclosed or discovered.

http://www.pcworld.com/businesscenter/article/145257/microsoft_botnethunting_tool_helps_bust_hackers.html
http://cryptome.org/echelon-ep-fin.htm (ECHELON MISHAPS)

More on Microsoft's *Potential* Government Backdoor
Thursday, May 1st, 2008 @ 7:21 am | Privacy, News
http://www.infiltrated.net/?p=92

After reading through Microsoft's comments repeatedly yesterday, I cannot come to the conclusion that Microsoft's "Malware Removal Tool" is not some form of backdoor. Their comments in the initial article are extremely disturbing and anyone using a Microsoft product should now be extremely wary about downloading new updates, if even deciding to continue using Microsoft at all.

So let's take a look at the top botnets. Srizbi, Bobax, Rustock, Cutwail, Ozdok, Nucrypt, Wopla, Spamthru, Storm, Grum, Onewordsub; these are the top as reported by Secure Works (http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets). Guess what, eight out of eleven are all encrypted. Not that big of a deal until you decipher what Microsoft stated in their original quotes in correlation to some facts.

From the article: Microsoft security experts analyze samples of malicious code to capture a snapshot of what is happening on the botnet network, which can then be used by law enforcers, Cranton said. "They can actually get into the software code and say, 'Here's information on how it's being controlled.'"

Perhaps Microsoft could clarify how exactly they are doing what they do and, more importantly, what information is being sent over the wire and to whom. Are they now breaking code as well? Did the botnet authors go through the steps of encrypting code? We know for a fact that traffic being sent from a compromised host to a controller is encrypted, so what is Microsoft analyzing? What COULDN'T Microsoft have gained from getting code for analysis, say, by working along with Symantec or someone else?

Now before you shoot off an answer like "the code doofus, they're analyzing the code!", think about it again. If they're in it to analyze solely the code, they could have worked with AntiVirus vendors for samples as opposed to putting a tool on your machine which collects YOUR DATA and sends it off to who knows where. A law enforcement agency, or team Microsoft.

I'll pause on this for now. How about the validity in stating: "Botnet Operator tracked via IP". How legitimate is this argument given the fact (not presumption) that IP is a horrible identifier? Let's put this in a practical example. Farmer Joe in Nebraska is using a DSL connection that is always on. He uses Windows XP and doesn't know what a Windows Update is, so he's never used it. His computer is compromised, a botnet controller is installed and attacks are launched from Nebraska. The attacker sanitized Farmer Joe's machine to erase his tracks using multiple wipes with perhaps PGP. The end.

For any business or law enforcement agency to claim they can track down via an IP address, perhaps they've skimmed on the fact that there are far too many open WiFi hotspots in the world to conclusively narrow a fact. We have an assumption that an attacker is behind 10.10.10.159. Can we see them? No. All we know is the address. Being I've used a private address, I won't bother diving into "but he came from ISP X in Nebraska." Irrelevant. What you have is a fishing expedition.

/ SNIP
For more on this false sense of ID-via-IP: Well, let me ask you who you think 171.70.120.60 is. I'll give you a hint; at this instant, there are 72 of us.

Here's another question. Whom would you suspect 171.71.241.89 is? At this point in time, I am in Barcelona; if I were home, that would be my address as you would see it, but my address as I would see it would be in 10.32.244.216/29. There might be several hundred people you would see using 171.71.241.89;
/END SNIP

I implore you to read a NANOG thread: http://readlist.com/lists/trapdoor.merit.edu/nanog/6/33246.html
Professionals know IP is an inaccurate identifier, so why does it seem that Microsoft along with LEO are relying on this? Makes a great baseline, sure, but is certainly ripe for abuse.
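The NAT situation in the quoted snippet, as an added example that is neither the original post's code nor from the NANOG thread: the two addresses from the snippet (public 171.71.241.89, private block 10.32.244.216/29) are reused, the translation log is constructed, and the point shown is that the public address alone yields every host behind the gateway, while narrowing to one host needs the gateway's own log, the outside port and a tight timestamp.

```python
"""Why a public address on its own does not identify a machine.

Added example, not code from the original post or the NANOG thread it
quotes. A NAT gateway rewrites every private source to one public
address, so an outside observer who logs only that address sees all the
hosts behind it as one. Addresses are taken from the quoted snippet; the
translation log is constructed.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

PUBLIC_IP = "171.71.241.89"                    # from the snippet
PRIVATE_NET = ip_network("10.32.244.216/29")   # from the snippet

# One NAT translation: when it was created, the inside host and port, and
# the outside port the gateway mapped it to (outside address is PUBLIC_IP).
Translation = namedtuple("Translation", "ts private_ip private_port public_port")

# Constructed translation log; a real gateway would hold thousands of these.
NAT_LOG = [
    Translation(1000, "10.32.244.217", 51000, 40001),
    Translation(1001, "10.32.244.218", 51002, 40002),
    Translation(1002, "10.32.244.219", 51004, 40003),
    Translation(1003, "10.32.244.220", 51006, 40004),
    Translation(1050, "10.32.244.217", 51010, 40002),  # outside port 40002 reused later
]


def in_private_net(ip):
    """True if the inside address belongs to the block behind the gateway."""
    return ip_address(ip) in PRIVATE_NET


def hosts_behind(nat_log):
    """Every inside host an outside observer could be looking at when all
    they hold is PUBLIC_IP: the whole block shows up as one address."""
    return sorted({t.private_ip for t in nat_log})


def attribute(public_port, ts, nat_log, window=10):
    """Narrow the candidates with what only the gateway log can add: the
    outside port and a timestamp. Outside ports are reused, so a loose
    timestamp (large `window`) still leaves more than one candidate."""
    return sorted({t.private_ip for t in nat_log
                   if t.public_port == public_port and abs(t.ts - ts) <= window})


if __name__ == "__main__":
    print(f"{PUBLIC_IP} alone could be any of: {hosts_behind(NAT_LOG)}")
    print("port 40002 at t=1001:", attribute(40002, 1001, NAT_LOG))
    print("port 40002, t=1025, +/-30s:", attribute(40002, 1025, NAT_LOG, window=30))
```

The last call is the failure mode the snippet hints at: with the port known but the time only roughly known, the reused outside port still maps to two inside hosts, so even the gateway operator cannot name one machine without precise timing.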

Again, please understand what I am stating: this is "not to say that it's a horrible idea", it's a start, a baseline - but not a definitive measure of determining who is controlling a bot, who created the botnet, etc.

Looking at past history, unfortunately you have the tinkerers; so what happens to an up-and-coming "security" buff who is getting into the field and stumbles upon a botnet. Sure he was moronic to join an irc channel filled with bots, sure he was idiotic in downloading the code for the sake of learning. Fact is he might have. Guess what will happen to him when a Law Enforcement Agency raids his house? Guess what will happen when that agency needs funding for a new uber Cyber(buzzword)Crime fighting department. You guessed it. Hey "Up-and-coming security buff..." Kiss your terminal goodbye, and from here on out, your dreams of becoming the next Bruce Schneier will be close to non-existent. It happens.

Anyhow, re-emphasizing... Shame on Microsoft for forwarding your data without telling you. Shame on Microsoft for not asking you if you wanted to "PARTICIPATE" in sending data. Shame on Microsoft for not explicitly stating: The data we are sneaking off your computer will be sent to government agencies of our choice. It's a horrible practice and a damaging breach of trust. Their action worries me as a security professional: will they ever scour for data for profit? Why not, no one would notice or care anyway.

J. Oquendo
sil @ infiltrated dot net

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB