Posted by Massimo on April 25, 2008, 1:55 pm
Hello,
On Thu, 24 Apr 2008 22:16:58 -0500, SomeoneElse (not@telling.com)
wrote:
>wrote:
>
>>Hello,
>>
>>I surfed for another reason over the web when I stumbled upon a site
>>where the utility Runscanner was advertised. (www.runscanner.net) and
>>saw that this tool scans for instances of a certain piece of software,
>>making an MD5 hash of it and checking their online database to see if
>>the file is fake or not.
>>
>>Now this seems to me -not being an expert at all- a way to verify the
>>authenticity of a file that could be handy.
>>
>>I have some questions about this:
>>
>>1. Is this a good way to control the authenticity of your files?
>>
>>2. If so, what Runscanner-like tool would be the best to do this?
>>
>>3. Could such a tool not become infected itself and be used by malware
>>to disguise itself. ;-)
>>
>>Thanks,
>>
>Malware can be designed to install into any program. Also, Runscanner
>itself might be malware disguised as security software; many malware
>writers do that.
That is only one of the several things I am afraid of...;-)
>I would wait a bit (it says it was released last
>Feb) and see if the experts decide that Runscanner is malware.
>
Good advice...
>In any case you generally do not want to run most security software
>from the installed OS itself. Rather you want to create something like
>a bartpe on CD, add the software as an addin, and run the software
>from bartpe.
>
In my opinion you are right there too, but I only own *one* lifetime
and working from a CD takes its time. I thought to work from a
USB stick with physical write protection (must still buy one).
>One thing that is nice about the program is that it points to a couple
>of websites that store md5sums of files in various Windows
>distributions. I believe they all need registration though.
>
Had not yet given it a try so the registration is new to me...
>I think such an approach is not very powerful protection for several
>reasons. First, a malware writer may have his malware replace a file
>with an older version which has an exploit in it. Second, malware
>writers know about md5sums and may rewrite your files in such a
>way that they reproduce the md5sum, hiding the malware. Third, this
>technique, while catching changes in existing system files, may not
>catch new files added to your system. Keep in mind too that malware
>will often subvert the OS in a way so that software using the API
>calls will miss added files or misreport file information. A
>particularly nasty hack would be something like this: rewrite the API
>call "OpenFiles" and "ReadFile" ( sorry I am probably a bit off on
>these, been a while since I used the win API ) so that when you open
>a file for example "csrsrv.dll" it will return the contents of the old
>version generating the same md5sum.
>
I see, of course. But none of the tools made for protection can save
you. So I suppose the only thing to do is to gather a bunch of
excellent tools and use them all and then hope for the best.
>What I think you would rather a program like this do is:
>
>1) Require you to start with a clean system. Scan the system making a
> database of checksums of files. I would prefer at least two
> different checksums, and i would prefer that they use some kind
> of salted checksum.
>
> A salted checksum is basically a checksum where you modify the
> method of calculating the checksum by adding things to the hash
> string. To give you an example, take the csrsrv.dll open in
> NotePad, add the word "salt" at the beginning, save this as
> csrsrv.salted. Take the md5sum of csrsrv.salted and use that as your
> checksum. Only instead of "salt" I would have the user specify what
> kind of salt to use.
>
>2) When an upgrade of something is installed you should start with
> a clean system and regenerate the database right after the
> upgrade.
>
>3) When doing the original scan do it booting off of a bartpe made
> from your original system. When scanning for changes scan off of
> the same bartpe.
>
Now this seems a good plan to me!
>There are many available systems that scan the system and make a
>database of checksums of the files. Tripwire, Osiris, AIDE come to
>mind. They are mostly developed for Unix systems but some can also be
>run on Windows systems. AFAIK none use salted passwords, though some
>allow the user to define his own checksum.
>
>If anyone knows a free, native Windows application that can be moved
>to CD (after installation), allows user defined checksums, and has
>reports meant for single user systems, let me know.
>
Thanks for your thorough reaction!
Regards,
Massimo
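As an added illustration of the salted, two-checksum baseline proposed in point 1 above (example code written for this page, not code from Runscanner, Tripwire, Osiris or AIDE): it uses HMAC as the keyed construction instead of the post's prepend-the-word trick, and reports new files as well as changed ones, which covers the third weakness the reply raises. The file names, contents and the salt value are constructed for the demo.

```python
import hmac
import os
import tempfile

# Two different checksums per file, as the post suggests.
ALGORITHMS = ("sha256", "sha1")


def salted_digests(path, salt):
    """Return {algorithm: hexdigest} for one file, keyed with the user's salt.

    The post prepends the word "salt" to the file before hashing; HMAC is the
    standard keyed construction for the same goal: without the key, nobody
    can precompute a file that reproduces the stored digests.
    """
    with open(path, "rb") as f:
        data = f.read()
    return {alg: hmac.new(salt, data, alg).hexdigest() for alg in ALGORITHMS}


def build_baseline(root, salt):
    """Walk a clean tree and record salted digests for every regular file."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = salted_digests(full, salt)
    return baseline


def check_tree(root, salt, baseline):
    """Compare the tree with the baseline: modified, missing and new files."""
    current = build_baseline(root, salt)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)  # new files, not just changed ones
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: baseline, then tamper with, delete and add a file."""
    salt = b"user-chosen-secret"  # assumption: supplied by the user, kept off the scanned system
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("csrsrv.dll", b"original"), ("readme.txt", b"notes")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root, salt)
        with open(os.path.join(root, "csrsrv.dll"), "wb") as f:
            f.write(b"tampered")
        with open(os.path.join(root, "unexpected.dll"), "wb") as f:
            f.write(b"new file")
        os.remove(os.path.join(root, "readme.txt"))
        return check_tree(root, salt, baseline)
```

As point 3 of the reply notes, this only means something when run from a trusted boot medium such as the BartPE CD: on a subverted OS the hooked file API could hand the scanner the old contents and every digest would still match.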