A blog about generally interesting infosec stuff by employees of SecQuest Information Security https://www.secquest.co.uk

Thursday, 30 August 2012

SmartScreen Filter Revisited

Following up on last year's blog post about Microsoft downloading potentially private or sensitive files because of the SmartScreen filter, we thought we'd take a look at IE10 on Windows 8. The files used in testing were old versions of cmd.exe, so they should be "known good" on any whitelist.

Yet again we found that files you download are hoovered up by Microsoft servers a short time afterwards!


Original request for file
x.x.x.x - - [28/Aug/2012:10:21:21 +0100] "GET /temp/temp1.exe HTTP/1.1" 200 70144 "http://y.y.y.y/temp/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"

Unknown requests for file
64.124.203.73.available.above.net - - [28/Aug/2012:11:33:14 +0100] "GET /temp/temp1.exe HTTP/1.1" 302 269 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; MS-RTC LM 8; .NET CLR 3.0.30729; .NET4.0C; BRI/1; BRI/2; AskTbFWV5/5.9.1.14019; BOIE9;ENUSMSNIP)"

208.50.101.156 - - [28/Aug/2012:11:53:06 +0100] "GET /temp/temp1.exe HTTP/1.1" 302 269 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; msn OptimizedIE8;DEAT; AskTB5.4; Windows Live Messenger 14.0.8117.0416)"

74.217.148.74 - - [28/Aug/2012:14:41:36 +0100] "GET /temp/temp1.exe HTTP/1.1" 302 269 "http://y.y.y.y/temp/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; HPNTDF; BRI/1; Tablet PC 2.0; BRI/2; .NET4.0C)"


So Microsoft's servers now have three copies of your file; that secret information about the upcoming company merger may not be so secret any longer.

IP information
64.124.203.73  - Abovenet Communications, Inc
208.50.101.156 - Level 3 Communications, Inc.
74.217.148.74  - Internap Network Services Corporation


All of the above IPs route through msn.net at some point.

Again, a ton of different user agents are seen. Is this to test compatibility, or to blend in with existing traffic and hide in plain sight?

Some examples
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; ABPlayer_3.0.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF; InfoPath.3; AskTbMP3R7/5.9.1.14019; Windows Live Messenger 14.0.8117.0416)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; MS-RTC LM 8; .NET CLR 3.0.30729; .NET4.0C; BRI/1; BRI/2; AskTbFWV5/5.9.1.14019; BOIE9;ENUSMSNIP)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C; msn OptimizedIE8;DEAT; AskTB5.4; Windows Live Messenger 14.0.8117.0416)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; GTB6.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; HPNTDF; BRI/1; Tablet PC 2.0; BRI/2; .NET4.0C)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ;  Embedded Web Browser from: http://bsalsa.com/; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; AskTbBT5/5.8.0.12304; Windows Live Messenger 14.0.8117.0416)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6.6; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; ShopperReports 3.0.517.0; SRS_IT_E8790471B6765D5135A194; Windows Live Messenger 14.0.8117.0416)


There may be an innocent explanation for all of this, but it's a bit rude to just grab files without asking!

During testing we also found that attempts are made to download files protected by simple auth, but these fail with a 401, so at least it looks like usernames and passwords aren't being sent.
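A defender who wants to spot this behaviour in their own web server logs can look for exactly the pattern shown above: a file fetched once by a real browser, then fetched again from unrelated hosts within a few hours. The script below is an added example written for this post, not SecQuest's code; it parses Apache combined-format lines like the ones quoted, reports every later GET of the same path from a different host, and separates re-fetches that actually received the file (200) from those the server refused (302 or 401, as in the post). The log lines it runs on are constructed with documentation-range addresses, not the post's real entries.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache "combined" log format, the layout of the entries quoted in the post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """One log line -> dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_refetches(lines, window=timedelta(hours=6)):
    """First GET of a path = the user's download; report later GETs for it from other
    hosts within `window` as {path: [(host, seconds_after_first, status, ua), ...]}."""
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            by_path[rec["path"]].append(rec)
    hits = {}
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["ts"])
        first = recs[0]
        later = [(r["host"], int((r["ts"] - first["ts"]).total_seconds()), r["status"], r["ua"])
                 for r in recs[1:]
                 if r["host"] != first["host"] and r["ts"] - first["ts"] <= window]
        if later:
            hits[path] = later
    return hits

def leaked(hits):
    """Paths a third party actually received (200); 302/401 re-fetches were refused."""
    return sorted(p for p, later in hits.items() if any(s == 200 for _, _, s, _ in later))

# Constructed sample log using documentation-range addresses, not the post's real entries.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Aug/2012:10:21:21 +0100] "GET /temp/temp1.exe HTTP/1.1" 200 70144 "http://203.0.113.9/temp/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
198.51.100.7 - - [28/Aug/2012:11:33:14 +0100] "GET /temp/temp1.exe HTTP/1.1" 200 70144 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0)"
198.51.100.8 - - [28/Aug/2012:11:53:06 +0100] "GET /temp/temp1.exe HTTP/1.1" 302 269 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
203.0.113.5 - - [28/Aug/2012:10:25:00 +0100] "GET /private/plan.pdf HTTP/1.1" 200 51200 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
198.51.100.7 - - [28/Aug/2012:12:02:10 +0100] "GET /private/plan.pdf HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)"
"""
```

Run `find_refetches(open("access.log").read().splitlines())` against a real log and feed the result to `leaked` to see which files a third party actually obtained; a redirect to a holding page (as the 302s above) or auth (the 401) keeps a path out of that list.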

Update: The Register have an article about SmartScreen here, based on research by Nadim Kobeissi, saying that Microsoft are being informed about the applications you install. With this issue, not only do they know what you've installed, they also know where it came from!

