ASN.1 vuln, Windows integrity checker

Published: 2005-06-08
Last Updated: 2005-06-09 00:17:38 UTC
by Toby Kohlenberg (Version: 1)

More reports of RBOT using ASN.1 vuln

We are getting more and more reports of an rbot variant exploiting the ASN.1 vuln. It uses one of the Microsoft ASN.1 Library (msasn1.dll) vulnerabilities patched by MS04-007, and the exploit is borrowed from an existing proof of concept. Since that library decodes the ASN.1 inside NTLM/SPNEGO, Kerberos and certificate handling, the bug is reachable through authentication traffic to services such as IIS, which fits what we saw earlier. For more discussion see this article on the vuln.

(thanks Dave)

This was previously mentioned in the diary on the 3rd of June as possibly rbot attacking IIS' authentication methods.

This is the report from VirusTotal for the samples we've seen (version column blank where VirusTotal reported none):

Antivirus     Version         Update       Result
AntiVir                       06.05.2005   no virus found
AVG           718             06.04.2005   no virus found
Avira                         06.05.2005   no virus found
BitDefender   7.0             06.05.2005   Backdoor.SDBot.0B1CDAF0
ClamAV        devel-20050501  06.05.2005   no virus found
DrWeb         4.32b           06.05.2005   no virus found
eTrust-Iris                   06.05.2005   Win32/RBot.121504!Worm
eTrust-Vet                    06.03.2005   no virus found
Fortinet                      06.04.2005   suspicious
Ikarus        2.32            06.03.2005   IM-Worm.Win32.Sumom.C
Kaspersky                     06.06.2005   Backdoor.Win32.Rbot.gen
McAfee        4506            06.03.2005   no virus found
NOD32v2       1.1129          06.05.2005   Win32/Rbot
Norman        5.70.10         06.04.2005   W32/MEWpacked.gen
Panda         8.02.00         06.05.2005   W32/Gaobot.HEG.worm
Sybari        7.5.1314        06.06.2005   Worm.RBot.BGM
Symantec      8.0             06.05.2005   W32.Spybot.Worm
TheHacker     5.8-3.0         06.06.2005   no virus found
VBA32         3.10.3          06.05.2005   Backdoor.Win32.Rbot.gen

Windows Integrity tracking

Having just suffered from a violent system crash, I'm in the perfect place to start tracking everything that is done to my system. My concern is that recently I ended up having to do multiple rebuilds, not because I knew my system was compromised but because I couldn't be confident that it wasn't. After running all the rootkit detection tools, AV tools, spyware/adware tools, forensic tools, etc. that I could find, I still didn't have complete confidence.

So with my nice clean build, I'm setting a goal of having complete tracking of the state of the system. I want to know anything that executes and anything it calls, and when anything of that sort changes. I started by looking around for integrity tools and trying to choose one that would make it easy to track all this (because I'm going to get a lot of noise, I realize that).

Before you ask, yes, I've hardened the build. Yes, I use tools like InControl, the application control built into my personal firewall, WinInterrogator, WinAudit, BHO Demon, Ad-Aware, Spybot S&D, two different AV products, RootkitRevealer, everything Sysinternals makes, and those are just the ones that come to mind without trying. I've tried everything I can find to track this sort of stuff. None of them give me the level of visibility and assurance I want and need. So, I've been brought to this.

At the moment, the ones I'm trying are Xintegrity Professional and Osiris. Xintegrity offers a free trial and has a clean interface. It seems to crash on occasion, but I'm putting up with that for now. Osiris is free and (as far as I know) only offers a command-line interface, but that's fine. I've started by building a baseline of the entire system. As I add new software, I'll update the baseline to include the freshly installed software. I'm in the process of identifying the files that are going to change (legitimately) frequently. Once I have those, I'll likely remove most of them from the checks.

Why would I do this? Why not trust my AV software, my personal firewall, my anti-spyware tools, my bootable forensics distro, and everything else? Simply because none of them offer the simple confidence that I want: that I know everything that is going to execute on my system, be it BHO, DLL, EXE or Firefox extension, and that I know when any of them or any of their configurations change. I don't trust my OS, I don't trust any of the software running on it (if recent months have shown us anything, it is that Firefox, as it gains popularity, has at least as many vulnerabilities showing up as IE does), and our tools for dealing with this just seem to stink (or at least fall short of the goal by a good distance).

What do y'all do to help deal with this issue? If there is an interest, I'll post updates in the diary from time to time.

Apple Vulnerability

Finally, Apple has released patches for a whole slew of vulnerabilities:

AFP Server
CVE-ID: CAN-2005-1721
AFP Server
CVE-ID: CAN-2005-1720
CVE-ID: CAN-2005-1333
CVE-ID: CAN-2005-1722
CVE-ID: CAN-2005-1726
CVE-ID: CAN-2005-1725
CVE-ID: CAN-2005-1723
MCX Client
CVE-ID: CAN-2005-1728
CVE-ID: CAN-2005-1724
CVE-ID: CAN-2005-0524, CAN-2005-0525, CAN-2005-1042, CAN-2005-1043
CVE-ID: CAN-2005-1343

Security Update 2005-006 may be obtained from the Software Update pane in System Preferences, or from Apple's Software Downloads web site.
