RE: Microsot DID DISCLOSE potential Backdoor

[Ken Schaefer <Ken () adOpenStatic com>]

I'm not sure the facts in evidence support the conclusions reached here (sorry, not posting inline as I don't want to 
address each conclusion built upon some other shaky conclusion.

> From http://support.microsoft.com/kb/890830

======
Reporting component
The Malicious Software Removal Tool sends information to Microsoft if it detects malicious software or finds an error. 
The specific information that is sent to Microsoft consists of the following items: * The name of the malicious 
software that is detected
* The result of malicious software removal
* The operating system version
* The operating system locale
* The processor architecture
* The version number of the tool
* An indicator that notes whether the tool is being run by Microsoft Update, Windows Update, Automatic Updates, the 
Download Center, or from the Web site
* An anonymous GUID
* A cryptographic one-way hash (MD5) of the path and file name of each malicious software file that is removed from the 
computer
If apparently malicious software is found on the computer, the tool prompts you to send information to Microsoft beyond 
what is listed here. You are prompted in each of these instances, and this information is sent only with your consent. 
The additional information includes the following: * The files that are suspected to be malicious software. The tool 
will identify the files for you.
* A cryptographic one-way hash (MD5) of any suspicious files that are detected.
You can disable the reporting feature. For information about how to disable the reporting component and how to prevent 
this tool from sending information to Microsoft, click the following article umber to view the article in the Microsoft 
Knowledge Base:

891716 (http://support.microsoft.com/kb/891716/) Deployment of the Microsoft Windows Malicious Software Removal Tool in 
an enterprise environment
======

Either I am missing the point of J. Oquendo's post, or the conclusions I think he reaches are speculation rather that 
established.

Cheers
Ken

> -----Original Message-----
> From: J. Oquendo [mailto:sil () infiltrated net]
> Sent: Sunday, 4 May 2008 1:46 PM
> To: bugtraq () securityfocus com; full-disclosure () lists grok org uk
> Subject: Microsot DID DISCLOSE potential Backdoor
>
> While you were sleeping and focusing on COFEE...
>
> Microsoft Discloses Government Backdoor on Windows Operating Systems
> Wednesday, April 30th, 2008 @ 6:00 am | Privacy, News
> http://www.infiltrated.net/?p=92
>
> Microsoft may have inadvertently disclosed a potential Microsoft
> backdoor for law
> enforcement earlier this week. To explain this all, here is the layman
> term of a backdoor
> from Wikipedia:
>
> A backdoor in a computer system (or cryptosystem or algorithm) is a
> method of
> bypassing normal authentication, securing remote access to a computer,
> obtaining access
> to plaintext, and so on, while attempting to remain undetected. The
> backdoor may take
> the form of an installed program (e.g., Back Orifice), or could be a
> modification to an
> existing program or hardware device.
>
> According to an article on PC World: "The software vendor is giving law
> enforcers
> access to a special tool that keeps tabs on botnets, using data
> compiled from the 450
> million computer users who have installed the Malicious Software
> Removal tool that
> ships with Windows."
>
> Not a big deal until you keep reading: "Although Microsoft is reluctant
> to give out details
> on its botnet buster - the company said that even revealing its name
> could give cyber
> criminals a clue on how to thwart it"
>
> Stop the press for second or two and look at this logically: "users who
> have installed the
> Malicious Software Removal tool" followed by " Microsoft is reluctant
> to give out details
> on its botnet buster - the company said that even revealing its name
> could give cyber
> criminals a clue on how to thwart it", what? This is perhaps the
> biggest gaffe I've read
> thus far on potential government collusion with Microsoft.
>
> We then have the following wording: "Microsoft had not previously
> talked about its
> botnet tool, but it turns out that it was used by police in Canada to
> make a high-profile
> bust earlier this year." So again, thinking logically at what has been
> said so far by
> Microsoft; "We have a tool called Malicious Software Removal tool...",
> "we can't tell
> you the name of this tool since it would undermine our snooping...",
> "it's been used by
> law enforcement already to make a high-profile bust earlier this year."
>
> Remember a "Malicious Software Reporting Tool" is a lot different from
> a "Malicious
> Software Removal Tool". Understanding networking, computing, botnets,
> let's put this
> concept into a working model to explain how this is nothing more than a
> backdoor. You
> have an end user, we'll create a random Windows XP user: Farmer John in
> North Dakota.
> Farmer John in North Dakota uses his machine once a week to read news,
> send family
> email, nothing more. He installed Microsoft's Malicious Removal Tool.
> Farmer John's
> machine becomes infected at some point and sends Microsoft information
> about the
> compromise: "I'm Farmer John's machine coming from X_IP_Address".
>
> A correlation is done with this information and then supposedly used to
> track where the
> botnet's originating IP address is from. From the article: "Analysis by
> Microsoft's
> software allowed investigators to identify which IP address was being
> used to operate the
> botnet, Gaudreau said. And that cracked the case." This is not
> difficult, detect a DST
> (destination) for malware sent from Farmer John's machine. Simple, good
> guys win,
> everyone is happy.
>
> The concept of Microsoft's Malicious Software Removal tool not being a
> backdoor is
> flawed. For starters, no information is ever disclosed to someone
> installing the Windows
> Malicious Software removal tool: "Windows will now install a program
> which will report
> suspicious activity to Microsoft". As far as I can recall on any
> Windows update, there has
> never been any mention of it.
>
> "But this is a wonderful tool, why are you being such a troll and
> knocking Microsoft for
> doing the right thing!". The question slash qualm I have about this
> tool is I'd like to know
> what, why, when and how things are being done on my machine. It's not a
> matter of
> condemning Microsoft, but what happens if at some point in time
> Microsoft along with
> government get an insane idea to branch away from obtaining other data
> for whatever
> intents and purposes?
>
> We've seen how the NSA is allowed to gather any kind of information
> they'd like (http://www.eff.org/issues/nsa-spying),
> we now have to contend with Microsoft attempting to do the same. Any
> way you'd like to
> market this, it reeks of a backdoor: (again pointing to the definition)
> A backdoor in a
> computer system ... is a method of bypassing normal authentication, ...
> obtaining access
> to ... , and so on, while attempting to remain undetected. There's no
> beating around the
> bush here on what this tool is and does.
>
> This is reminiscent of the 90's with the NSA's ECHELON program. In
> 1994, the NSA
> intercepted the faxes and telephone calls of Airbus. What resulted was
> the information
> was then forwarded to Boeing and McDonnell-Douglas in which they
> snagged the
> contract from under Airbus' feet. In 1996, the CIA hacked into the
> computers of the
> Japanese Trade Ministry seeking "negotiations on import quotas for US
> cars on the
> Japanese market". Resulting with the information being passed off to
> "US negotiator
> Mickey Kantor" who accepted a lower offer.
>
> As an American you might say "so what, more power to us" but to think
> that any
> government wouldn't do it to its own citizens for whatever reason would
> be absurd.
> There are a lot of horrible routes this could take.
>
> What happens if slash when for some reason or another the government
> decides that you
> should not read a news site, will Microsoft willingly oblige and
> rewrite the news in
> accordance to what the government deems readable?
>
> How about the potential to give Microsoft a warrantless order to
> discover who doesn't
> like a President's "health care plan", or who is irrate and whatever
> policy; Will Microsoft
> sift through a machine to retrieve relevant data to disclose to
> authorities?
>
> That doesn't include the potential for say technological espionage and
> gouging of sorts.
> What's to stop Microsoft from say, mapping a network and reporting all
> "non-Microsoft"
> based products back to Microsoft. The information could then be used to
> say raise
> support costs, allow Microsoft to offer juicier incentives to rid the
> network of non MS
> based products, the scenarios are endless.
>
> Sadly, most people will shrug and pass it off as nothing. Most security
> buffs, experts, etc.,
> haven't mentioned a word of it outside of "the wonderful method to
> remove, detect,
> botnets!" and I don't necessarily disagree it's a unique way to detect
> what is happening,
> but this could have been done at the ISP and NSP level without
> installing a backdoor.
> Why didn't law enforcement approach botnets from that avenue? Perhaps
> they have, this
> I'm actually certain of which leads me to believe this is a prelude of
> something more
> secretive that has yet to be disclosed or discovered.
>
> http://www.pcworld.com/businesscenter/article/145257/microsoft_botnethu
> nting_tool_helps_bust_hackers.html
> http://cryptome.org/echelon-ep-fin.htm (ECHELON MISHAPS)
>
> More on Microsoft's *Potential* Government Backdoor
> Thursday, May 1st, 2008 @ 7:21 am | Privacy, News
> http://www.infiltrated.net/?p=92
>
> After reading through Microsoft's comments repeatedly yesterday, I
> cannot come to the
> conclusion that Microsoft's "Malware Removal Tool" is not some form of
> backdoor.
> Their comments in the initial article are extremely disturbing and
> anyone using a
> Microsoft product should now be extremely weary about downloading new
> updates if
> even deciding to continue using Microsoft at all.
>
> So let's take a look at the top botnets. Srizbi, Bobax, Rustock,
> Cutwail, Ozdok, Nucrypt,
> Wopla, Spamthru, Storm, Grum, Onewordsub; These are the top as reported
> by Secure
> Works.
> (http://www.secureworks.com/research/threats/topbotnets/?threat=topbotn
> ets)
> Guess what, eight out of eleven are all encrypted. Not that big of a
> deal until you decipher
> what Microsoft stated in their original quotes in correlation to some
> facts.
>
> From the article: Microsoft security experts analyze samples of
> malicious code to capture
> a snapshot of what is happening on the botnet network, which can then
> be used by law
> enforcers, Cranton said. "They can actually get into the software code
> and say, .Here's
> information on how it's being controlled.'"
>
> Perhaps Microsoft could clarify how exactly are they doing what they
> do, more
> importantly, what information is being sent over the wire and to whom.
> Are they now
> breaking code as well. Did the botnet authors go through the steps of
> encrypting code. We
> know for a fact that traffic being sent from a compromised host to a
> controller is
> encrypted, so what is Microsoft analyzing. What COULDN'T Microsoft have
> gained
> from getting code for analysis say by working along with Symantec or
> someone else.
>
> Now before you shoot off an answer like "the code doofus, they're
> analyzing the code!",
> think about it again. If they're in it to analyze solely the code, they
> could have worked
> with AntiVirus vendors for samples as opposed to putting a tool on your
> machine which
> collects YOUR DATA and sends it off to who knows where. A law
> enforcement agency,
> or team Microsoft.
>
> I'll pause on this for now. How about the validity in stating: "Botnet
> Operator tracked via
> IP". How legitimate is this argument given the fact (not presumption)
> that IP is a horrible
> identifier. Let's put this in a practical example. Farmer Joe in
> Nebraska is using a DSL
> connection that it always on. He uses Windows XP and doesn't know what
> a Windows
> Update is so he's never used it. His computer is compromised, a botnet
> controller is
> installed and attacks are launched from Nebraska. The attacker
> sanitized Farmer Joe's
> machine to erase his tracks using multiple wipes with perhaps PGP. The
> end.
>
> For any business or law enforcement agency to claim they can track down
> via an IP
> address, perhaps they've skimmed on the fact that there are far too
> many open WiFi
> hotspots in the world to conclusively narrow a fact. We have an
> assumption that an
> attacker is behind 10.10.10.159. Can we see them? No. All we know is
> the address. Being
> I've used a private address, I won't bother diving into "but he came
> from ISP X in
> Nebraska." Irrelevant. What you have is a fishing expedition.
>
> / SNIP
> For more on this false sense of ID-via-IP: Well, let me ask you you
> think 171.70.120.60
> is. I'll give you a hint; at this instant, there are 72 of us.
>
> Here's another question. Whom would you suspect 171.71.241.89 is? At
> this point in
> time, I am in Barcelona; if I were home, that would be my address as
> you would see it,
> but my address as I would see it would be in 10.32.244.216/29. There
> might be several
> hundred people you would see using 171.71.241.89;
> /END SNIP
>
> I implore you to read a NANOG thread
> http://readlist.com/lists/trapdoor.merit.edu/nanog/6/33246.html
> Professionals know, IP is an inaccurate identifier so why does it seem
> that  Microsoft
> along with LEO are relying on this. Makes a great baseline sure, but is
> certainly ripe
> for abuse
>
> Again, please understand what I am stating, this is "not to say that
> its a horrible idea", its
> a start, a baseline - but not a definitive measure of determining who
> is controlling a bot,
> who created the botnet, etc.
>
> Looking at past history, unfortunately you have the tinkerers; so what
> happens to an up-
> and-coming "security" buff who is getting into the field and stumbles
> upon a botnet. Sure
> he was moronic to join an irc channel filled with bots, sure he was
> idiotic in downloading
> the code for the sake of learning. Fact is he might have. Guess what
> will happen to him
> when a Law Enforcement Agency raids his house? Guess what will happen
> when that
> agency needs funding for a new uber Cyber(buzzword)Crime fighting
> department. You
> guessed it. Hey "Up-and-coming security buff..." Kiss your terminal
> goodbye, and from
> here on out, your dreams of becoming the next Bruce Schneier will be
> close to non-
> existent. It happens.
>
> Anyhow, re-emphasizing... Shame on Microsoft for forwarding your data
> without telling
> you. Shame on Microsoft for not asking you if you wanted to
> "PARTICIPATE" in
> sending data. Shame on Microsoft for not explicitly stating: The data
> we are sneaking off
> your computer will be sent to government agencies of our choice. Its a
> horrible practice
> and a damaging breach of trust. Their action worries me as a security
> professional, will
> they ever scour for data for profit. Why not, no one would notice or
> care anyway.
>
> J. Oquendo
> sil @ infiltrated dot net
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA #579 (FW+VPN v4.1)
> SGFE #574 (FW+VPN v4.1)
>
> wget -qO - www.infiltrated.net/sig|perl
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB