Monday, March 11, 2002
10:07 - Security Updates Redux
http://www.symantec.com/avcenter/venc/data/w32.gibe@mm.html
Matt Robinson gives me an update on the "Microsoft Security Update" trojan-spam I talked about yesterday:
Ahh, a semantic attack! Cute. Microsoft "hotfixes" -do- follow the filename convention used above. Q216309 is the ID of a support centre article. Microsoft do issue security bulletins to interested parties by email (though they use PGP signatures... as if anyone'd check those!). It's a very convincing semantic attack, in fact. It's probably a trojan horse attack rather than a virus. Funny thing is, I can see a lot of Microsoft employees falling for this one ;)
That's a good point to bring up, actually: PGP signatures. The spammer/attacker should have included one. Who cares if it's not legit? Who would go to the trouble of verifying the signature against the sender's public key? Just having a PGP signature would be proof enough for most people of the update's authenticity. Why would they include one if it were faked? So goes the logic: after all, they know they'd be caught if anybody thought to check it!
Yuh-huh. If.
I don't check the MD5 sums on software packages under UNIX as often as I should, or their PGP signatures. Just the fact that they're there is good enough for me. The ports system in FreeBSD automates the checking of the MD5 sums, but I've been conditioned for so long by a lack of problems with the ports I've installed that when I do see an MD5 checksum failure, I write it off as a bad MD5 checksum or a bug in the checking process. Which it usually is, but you can just imagine the risks involved.
That's what smart attackers will do: they'll dress up their trojans with the most official-sounding and official-looking stuff imaginable, and nobody will question it. It's like dressing up an assassin in a military uniform from a costume shop: it's all fake, but nobody will realize it unless they look really close. And who's willing to look really close? It might be for real!
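The ports-style checksum check mentioned above, as an added example that is not code from this page or from FreeBSD itself: it parses a distinfo-shaped record (the `ALGO (file) = hex` and `SIZE (file) = bytes` lines the ports tree records for each distfile), recomputes the digest, and reports any mismatch, or a missing record, as a hard failure instead of something to write off. The filename and file contents are constructed for the demonstration.

```python
import hashlib
import re

# One distinfo line per recorded value, e.g.
#   SHA256 (example-1.0.tar.gz) = <hex digest>
#   SIZE (example-1.0.tar.gz) = 30
# Older ports trees recorded MD5 instead; the algorithm name on the line decides.
DISTINFO_LINE = re.compile(r"^(?P<algo>\w+) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def make_distinfo(name, data, algo="sha256"):
    """Produce the distinfo record for a distfile (what `make makesum` writes)."""
    digest = hashlib.new(algo, data).hexdigest()
    return f"{algo.upper()} ({name}) = {digest}\nSIZE ({name}) = {len(data)}\n"


def verify_distinfo(distinfo, name, data):
    """Check a downloaded distfile against its distinfo record.

    Returns a list of failure messages; an empty list means every recorded
    value matched. A file with no record at all is also a failure: the absence
    of a checksum must never be read as 'nothing to check'.
    """
    failures = []
    records_seen = 0
    for line in distinfo.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if not m or m["name"] != name:
            continue  # record for a different distfile, or a comment
        records_seen += 1
        algo, value = m["algo"], m["value"]
        if algo == "SIZE":
            if len(data) != int(value):
                failures.append(f"size mismatch: expected {value}, got {len(data)}")
        else:
            actual = hashlib.new(algo.lower(), data).hexdigest()
            if actual != value:
                failures.append(f"{algo} mismatch: expected {value}, got {actual}")
    if records_seen == 0:
        failures.append(f"no distinfo record for {name}")
    return failures


if __name__ == "__main__":
    # Constructed distfile: the "genuine" bytes and a tampered copy.
    name = "example-1.0.tar.gz"
    genuine = b"constructed distfile contents\n"
    record = make_distinfo(name, genuine)
    print("genuine :", verify_distinfo(record, name, genuine) or "ok")
    print("tampered:", verify_distinfo(record, name, genuine + b"x"))
```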