A blog about generally interesting infosec stuff by Darren Fuller/Paul Marsh, SecQuest Information Security https://www.secquest.co.uk

Thursday, 30 August 2012

SmartScreen Filter Revisited

Following up on the blog post last year about Microsoft downloading potentially private/sensitive files due to SmartScreen filter we thought that we'd take a look at IE10 on Windows 8. Files used in testing were old versions of cmd.exe so should be "known good" on any whitelists.

Yet again we found that files that you download are hoovered up by Microsoft servers a short time after!


Original request for file
x.x.x.x - - [28/Aug/2012:10:21:21 +0100] "GET /temp/temp1.exe HTTP/1.1" 200 70144 "http://y.y.y.y/temp/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"

Unknown requests for file
64.124.203.73.available.above.net - - [28/Aug/2012:11:33:14 +0100] "GET /temp/temp1.exe HTTP/1.1" 302 269 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; MS-RTC LM 8; .NET CLR 3.0.30729; .NET4.0C; BRI/1; BRI/2; AskTbFWV5/5.9.1.14019; BOIE9;ENUSMSNIP)"

208.50.101.156 - - [28/Aug/2012:11:53:06 +0100] "GET /temp/temp1.exe HTTP/1.1" 302 269 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; msn OptimizedIE8;DEAT; AskTB5.4; Windows Live Messenger 14.0.8117.0416)"

74.217.148.74 - - [28/Aug/2012:14:41:36 +0100] "GET /temp/temp1.exe HTTP/1.1" 302 269 "http://y.y.y.y/temp/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; HPNTDF; BRI/1; Tablet PC 2.0; BRI/2; .NET4.0C)"


So Microsoft's servers now have three copies of your file, that secret information about the upcoming company merger may not be that secret any longer.

IP information
64.124.203.73  - Abovenet Communications, Inc
208.50.101.156 - Level 3 Communications, Inc.
74.217.148.74  - Internap Network Services Corporation


All of the above IPs route through msn.net at some point.

Again a ton of different user agents are seen.. is this to test compatibility or to merge in with existing traffic and hide in plain sight?

Some examples
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; ABPlayer_3.0.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; InfoPath.3; AskTbMP3R7/5.9.1.14019; Windows Live Messenger 14.0.8117.0416)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; MS-RTC LM 8; .NET CLR 3.0.30729; .NET4.0C; BRI/1; BRI/2; AskTbFWV5/5.9.1.14019; BOIE9;ENUSMSNIP)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; msn OptimizedIE8;DEAT; AskTB5.4; Windows Live Messenger 14.0.8117.0416)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; HPNTDF; BRI/1; Tablet PC 2.0; BRI/2; .NET4.0C)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ;  Embedded Web Browser from: http://bsalsa.com/; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; AskTbBT5/5.8.0.12304; Windows Live Messenger 14.0.8117.0416)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6.6; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; ShopperReports 3.0.517.0; SRS_IT_E8790471B6765D5135A194; Windows Live Messenger 14.0.8117.0416)


There may be an innocent explanation for all of this but it's a bit rude to just grab files without asking!

During testing we also found that attempts are made to download files protected by simple auth but fail with a 401 so at least it looks like usernames/passwords aren't being sent.

Update: The Register have an article about SmartScreen here saying that Microsoft are being informed about applications you install based on research by Nadim Kobeissi. With this issue not only do they know what you've installed but they know where it came from!

Fully

No comments:

Post a Comment