Welcome to SecurityForumz.com!
Microsoft Security Essentials

 
maineearle (Joined: Dec 29, 2006; Posts: 10)

(Msg. 1) Posted: Mon Oct 31, 2011 9:32 am
Post subject: Microsoft Security Essentials

Doesn't have a boot scan
What can I use to do a boot scan?

Thanks

David H. Lipman (External; Since: Jul 04, 2003; Posts: 1752)

(Msg. 2) Posted: Sun Nov 06, 2011 7:58 pm
Post subject: Re: Microsoft Security Essentials

From: "maineearle"

> Doesn't have a boot scan
> What can I use to do a boot scan?
>
> Thanks
>

Are you using WinXP or a later OS, and are all partitions NTFS?

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

maineearle (Joined: Dec 29, 2006; Posts: 10)

(Msg. 3) Posted: Sun Nov 06, 2011 11:47 pm
Post subject: Re: Microsoft Security Essentials

David H. Lipman (External; Since: Jul 04, 2003; Posts: 1752)

(Msg. 4) Posted: Mon Nov 07, 2011 7:25 am
Post subject: Re: Microsoft Security Essentials

From: "maineearle"

> Windows 7
>

You didn't answer if "all partitions are NTFS" but I'll presume - yes.

Since it uses NTFS there is no chance of a Boot Sector Infector like the "NYB" or "Form"
virus, and boot scans are not needed.

I haven't heard that a boot scan can prevent or clean the TDL3 when it injects code into
the MBR.



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
RayLopez99 (External; Since: Feb 25, 2010; Posts: 6)

(Msg. 5) Posted: Thu Nov 10, 2011 8:23 pm
Post subject: Re: Microsoft Security Essentials

On Nov 7, 8:25 pm, "David H. Lipman"
wrote:
> From: "maineearle"
>
> > Windows 7
>
> You didn't answer if "all partitions are NTFS" but I'll presume - yes.
>
> Since it uses NTFS there is no chance of a Boot Sector Infector like the "NYB" or "Form"
> virus, and boot scans are not needed.
>
> I haven't heard that a boot scan can prevent or clean the TDL3 when it injects code into
> the MBR.
>
> --
> Dave
> Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
> http://www.pctipp.ch/downloads/dl/35905.asp

There should be something in Windows--this is a proposal not a
statement that this exists--that will tell you if the MBR has
changed, by comparison with a hash to a previous version.

Also, it is interesting that the TDL rootkit will not run in a Virtual
Machine. But I've read somewhere that running on Windows 7 the XP
virtual machine (by VMware, the free version) can in theory infect
your real machine (since an XP VM can cross-over into your real
non-virtual machine).

Is it possible to run a Windows 7 virtual machine while running
Windows 7 OS? What advantage would that have? Perhaps to prevent
this rootkit.

RL

http://go.eset.com/us/resources/white-papers/TDL3-Analysis.pdf

Detecting virtual machine environment

The rootkit dropper checks whether the rootkit is being executed in the
context of a virtual machine. It does so by reading the local descriptor
table register (LDTR) that is used to calculate the linear address from
the segment_selector:offset pair. Microsoft Windows operating systems
don't use a Local Descriptor Table (LDT), so the LDTR contains zero, but
many virtual machine programs use it, nonetheless. In this way, the
rootkit can easily check whether it is running inside a virtual machine.
The following figure shows how TDL3 uses this technique to ensure that it
isn't executed inside a virtual machine.
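Ray's proposal above (keep a hash of the MBR and compare it with the current sector), worked through as an added example that is not from any poster in this thread: it splits the 512-byte sector into boot code, disk signature and partition table and hashes each region separately, so a legitimate partition-table edit is reported as a different event from a change to the boot code, which is the kind of MBR rewrite Dave's TDL3 remark concerns. The sample sector, its tampered copy and the repartitioned copy are constructed inline with hypothetical values.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440   # boot code occupies bytes 0..439
DISK_SIG_END = 446    # 4-byte disk signature + 2 reserved bytes at 440..445
SIG_OFF = 510         # 0x55AA boot signature at 510..511

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte sector into the regions an integrity check tracks separately."""
    if len(mbr) != MBR_SIZE or mbr[SIG_OFF:] != b"\x55\xaa":
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    return {
        "boot_code": mbr[:BOOT_CODE_LEN],
        "disk_sig": mbr[BOOT_CODE_LEN:DISK_SIG_END],
        "part_table": mbr[DISK_SIG_END:SIG_OFF],   # four 16-byte partition entries
    }

def baseline(mbr: bytes) -> dict:
    """SHA-256 of each region; keep this somewhere the running OS cannot silently rewrite."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in parse_mbr(mbr).items()}

def changed_regions(mbr: bytes, base: dict) -> list:
    """Names of regions whose current hash differs from the stored baseline."""
    return [name for name, digest in baseline(mbr).items() if digest != base.get(name)]

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector (hypothetical values), boot code padded with NOPs (0x90)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x90")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    # one active NTFS (type 0x07) entry starting at LBA 2048, then three empty entries
    entry = struct.pack("<BBBBBBBBII", 0x80, 0, 2, 0, 0x07, 0xFE, 0xFF, 0xFF, 2048, 1_000_000)
    return code + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"

CLEAN = make_sample_mbr(b"\xeb\x3c\x90")          # short jump, as real boot code begins
BASE = baseline(CLEAN)
# Simulated MBR rewrite: first bytes of boot code replaced, partition table untouched.
TAMPERED = b"\xe9\x00\x01" + CLEAN[3:]
# Legitimate change for contrast: partition type byte (offset 450) edited, boot code intact.
REPARTITIONED = CLEAN[:450] + b"\x83" + CLEAN[451:]

if __name__ == "__main__":
    print("clean:", changed_regions(CLEAN, BASE))                  # []
    print("tampered:", changed_regions(TAMPERED, BASE))            # ['boot_code']
    print("repartitioned:", changed_regions(REPARTITIONED, BASE))  # ['part_table']
```

On a live system the 512 bytes come from reading the raw disk device with administrator rights, and the stored baseline is only as trustworthy as the place it lives, which is the point the TPM replies later in the thread take up.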
FromTheRafters (External; Since: Jun 05, 2011; Posts: 10)

(Msg. 6) Posted: Fri Nov 11, 2011 3:53 am
Post subject: Re: Microsoft Security Essentials

RayLopez99 wrote:

[...]

> There should be something in Windows--this is a proposal not a
> statement that this exists--that will tell you if the MBR has
> changed, by comparison with a hash to a previous version.

This is being done, but there are other considerations regarding the way
it is being done and the consequences of other uses of the technology.
See TPM.

[...]
maineearle (Joined: Dec 29, 2006; Posts: 10)

(Msg. 7) Posted: Fri Nov 11, 2011 4:30 am
Post subject: Re: Microsoft Security Essentials

RayLopez99 (External; Since: Feb 25, 2010; Posts: 6)

(Msg. 8) Posted: Sat Nov 12, 2011 3:52 am
Post subject: Re: Microsoft Security Essentials

On Nov 11, 4:53 pm, FromTheRafters wrote:
> RayLopez99 wrote:
>
> [...]
>
> > There should be something in Windows--this is a proposal not a
> > statement that this exists--that will tell you if the MBR has
> > changed, by comparison with a hash to a previous version.
>
> This is being done, but there are other considerations regarding the way
> it is being done and the consequences of other uses of the technology.
> See TPM.
>
> [...]

Wow, I did not know TPM was around for so many years (since at least
2006)--I'd never heard of it and I keep abreast of PC advances more
than most. Interesting.

RL

The TPM was sardonically dubbed the "Fritz chip" by Professor Ross
Anderson, Security Engineering Professor at the University of
Cambridge Computer Laboratory, in reference to the former United
States Senator Ernest "Fritz" Hollings, who according to Anderson
"worked tirelessly in Congress to make TC a mandatory part of all
consumer electronics."[7]

TPM hardware

Trusted Platform Module on Asus motherboard P5Q PREMIUM
Starting in 2006, many new laptop computers have been sold with a
Trusted Platform Module chip built-in. In the future, this concept
could be co-located on an existing motherboard chip in computers, or
any other device where a TPM's facilities could be employed, such as a
cell phone. On PC the LPC bus is used.

Trusted Platform Module microcontrollers are currently produced by:

Atmel
Broadcom
Infineon (Infineon TPM)
Intel (via Intel Manageability Engine as iTPM)
Sinosun
STMicroelectronics
Nuvoton (formerly Winbond)
ITE (ITE TPM)
TOSHIBA
FromTheRafters (External; Since: Jun 05, 2011; Posts: 10)

(Msg. 9) Posted: Sat Nov 12, 2011 9:54 am
Post subject: Re: Microsoft Security Essentials

RayLopez99 wrote:
> On Nov 11, 4:53 pm, FromTheRafters wrote:
>> RayLopez99 wrote:
>>
>> [...]
>>
>>> There should be something in Windows--this is a proposal not a
>>> statement that this exists--that will tell you if the MBR has
>>> changed, by comparison with a hash to a previous version.
>>
>> This is being done, but there are other considerations regarding the way
>> it is being done and the consequences of other uses of the technology.
>> See TPM.
>>
>> [...]
>
> Wow, I did not know TPM was around for so many years (since at least
> 2006)--I'd never heard of it and I keep abreast of PC advances more
> than most. Interesting.

In order to have a stored measurement (hash) of the flash-able BIOS, you
would need a secure place to store it where an earlier ROM program could
compare it to a new measurement for that BIOS.

Unfortunately, the TPM also has other characteristics that have the
privacy crowd up in arms. To me, it's a baby/bathwater thing.
David H. Lipman (External; Since: Jul 04, 2003; Posts: 1752)

(Msg. 10) Posted: Sat Nov 12, 2011 10:43 am
Post subject: Re: Microsoft Security Essentials

From: "FromTheRafters"

> RayLopez99 wrote:
>> On Nov 11, 4:53 pm, FromTheRafters wrote:
>>> RayLopez99 wrote:
>>>
>>> [...]
>>>
>>>> There should be something in Windows--this is a proposal not a
>>>> statement that this exists--that will tell you if the MBR has
>>>> changed, by comparison with a hash to a previous version.
>>>
>>> This is being done, but there are other considerations regarding the way
>>> it is being done and the consequences of other uses of the technology.
>>> See TPM.
>>>
>>> [...]
>>
>> Wow, I did not know TPM was around for so many years (since at least
>> 2006)--I'd never heard of it and I keep abreast of PC advances more
>> than most. Interesting.
>
> In order to have a stored measurement (hash) of the flash-able BIOS, you would need a
> secure place to store it where an earlier ROM program could compare it to a new
> measurement for that BIOS.
>
> Unfortunately, the TPM also has other characteristics that have the privacy crowd up in
> arms. To me, it's a baby/bathwater thing.

http://nesipublic.spawar.navy.mil/nesix/View/P1360

"The DoD memo also mandates that all new computer assets procured to support the DoD
enterprise include a Trusted Platform Module (TPM) version 1.2 or higher where such
technology is available. TPM is a microcontroller that stores keys, passwords and digital
certificates. It typically is affixed to the motherboard of computers. The nature of this
hardware chip ensures that the information stored becomes more secure from external
software attack and physical theft."

http://iase.disa.mil/policy-guidance/dod-dar-tpm-decree07-03-07.pdf



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
FromTheRafters (External; Since: Jun 05, 2011; Posts: 10)

(Msg. 11) Posted: Sat Nov 12, 2011 11:29 am
Post subject: Re: Microsoft Security Essentials

David H. Lipman wrote:
> From: "FromTheRafters"
>
>> RayLopez99 wrote:
>>> On Nov 11, 4:53 pm, FromTheRafters wrote:
>>>> RayLopez99 wrote:
>>>>
>>>> [...]
>>>>
>>>>> There should be something in Windows--this is a proposal not a
>>>>> statement that this exists--that will tell you if the MBR has
>>>>> changed, by comparison with a hash to a previous version.
>>>>
>>>> This is being done, but there are other considerations regarding the way
>>>> it is being done and the consequences of other uses of the technology.
>>>> See TPM.
>>>>
>>>> [...]
>>>
>>> Wow, I did not know TPM was around for so many years (since at least
>>> 2006)--I'd never heard of it and I keep abreast of PC advances more
>>> than most. Interesting.
>>
>> In order to have a stored measurement (hash) of the flash-able BIOS, you would need a
>> secure place to store it where an earlier ROM program could compare it to a new
>> measurement for that BIOS.
>>
>> Unfortunately, the TPM also has other characteristics that have the privacy crowd up in
>> arms. To me, it's a baby/bathwater thing.
>
> http://nesipublic.spawar.navy.mil/nesix/View/P1360
>
> "The DoD memo also mandates that all new computer assets procured to support the DoD
> enterprise include a Trusted Platform Module (TPM) version 1.2 or higher where such
> technology is available. TPM is a microcontroller that stores keys, passwords and digital
> certificates. It typically is affixed to the motherboard of computers. The nature of this
> hardware chip ensures that the information stored becomes more secure from external
> software attack and physical theft."
>
> http://iase.disa.mil/policy-guidance/dod-dar-tpm-decree07-03-07.pdf

Some nuts and bolts that address Ray's idea about using hashes as
integrity checks for BIOSes, loaders, OSen and applications.

http://www.rsa.com/rsalabs/technotes/tpm/sealedstorage.pdf

AFAIK, it isn't necessary to make use of the unique-to-the-machine root
key in any outgoing data. I think that *this* and what can be done with
it is what the privacy folks are concerned about.
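FromTheRafters' two points, that each earlier boot stage measures the next one into a register the later stages cannot reset (Msg. 9) and that sealed storage ties a secret to those measurements (the RSA note in Msg. 11), simulated as an added example that is not from the thread or from the RSA paper. The extend step mirrors the real PCR operation; the seal/unseal pair is a toy construction built from SHA-256 and HMAC that stands in for TPM sealing, and the boot chain is a constructed list of byte strings standing in for firmware images.

```python
import hashlib
import hmac

PCR_INIT = b"\x00" * 32   # PCRs are zeroed at platform reset

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component)).
    No comparison happens here; each stage only folds the next stage into the register."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_boot(stages: list) -> bytes:
    """Measure an ordered boot chain (BIOS, MBR, loader, kernel) into one PCR value."""
    pcr = PCR_INIT
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr

def _keystream(pcr: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(pcr + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Bind a secret to a PCR value. Toy stand-in for TPM sealing (constructed for this
    example): XOR with a PCR-derived keystream plus an HMAC keyed by the PCR."""
    blob = bytes(a ^ b for a, b in zip(secret, _keystream(expected_pcr, len(secret))))
    return {"blob": blob, "tag": hmac.new(expected_pcr, blob, hashlib.sha256).digest()}

def unseal(sealed: dict, current_pcr: bytes):
    """Return the secret only if the current PCR equals the one it was sealed to."""
    tag = hmac.new(current_pcr, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None   # any earlier stage that changed alters every later PCR value
    ks = _keystream(current_pcr, len(sealed["blob"]))
    return bytes(a ^ b for a, b in zip(sealed["blob"], ks))

# Constructed boot chain: stand-in byte strings for the real firmware and loader images.
GOOD_CHAIN = [b"bios-v1", b"mbr-clean", b"bootmgr", b"ntoskrnl"]
TAMPERED_CHAIN = [b"bios-v1", b"mbr-rewritten", b"bootmgr", b"ntoskrnl"]
SECRET = b"disk-encryption-key"
SEALED = seal(SECRET, measured_boot(GOOD_CHAIN))

if __name__ == "__main__":
    print("clean boot unseals:", unseal(SEALED, measured_boot(GOOD_CHAIN)) == SECRET)
    print("rewritten MBR unseals:", unseal(SEALED, measured_boot(TAMPERED_CHAIN)) is not None)
```

The detection Ray asked for falls out of the chain rather than a stored hash: nothing has to compare the MBR against a baseline, because a changed MBR leaves the final PCR different and the sealed secret simply never becomes available.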