Is there some reason that BJCA hasn't replied yet? Although it's a bit late now, they're in.
On Tue, Mar 14, 2023 at 9:51 PM Mark Steward <[email protected]> wrote:

> Hi Kurt,
>
> As a random Internet volunteer, I've had a brief read of the report you're citing:
>
> https://go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf
>
> and while it may sound concerning without context, it looks to me like a whole lot of nothing.
>
> The report appears to be entirely built around automated sandbox runs by Hybrid Analysis and Alienvault. There is no language that suggests Insikt ran or even obtained a copy of the software.
>
> They even give away that they don't understand what a sandbox does with their first finding:
>
> > This particular version of services.exe was first released by Microsoft on April 13, 2021, in a Windows 10 security update (KB5001337), indicating that the One Pass process infection chain may have been adapted since then to include this file as the initial loader.
>
> This actually only indicates that the Windows VM used for testing the sample was up to date.
>
> Most of the behaviour noted is typical of installation software, and only becomes concerning when the assumption is that the user did not consent to installation.
>
> Things that might not be obvious:
>
> - ActiveX support is not surprising for corporate convenience software or bundled drivers.
>
> - Renaming built-in utilities like regsvr32.exe can be a red flag in intrusion scenarios, but it's more likely a frozen copy of the Windows utility to avoid compatibility problems.
>
> - The network listener behaviour might be suspicious, but does not show up on the Alienvault report, and could be a mechanism for a UI to communicate locally to the update service. wmControl.exe is also likely a frozen copy of the Windows utility, as it appears on other Alienvault reports for One Pass as a console application, not a driver.
>
> - Proprietary antivirus software identifying it as something unrelated is almost always a false alert. In a similar way, the Alienvault detection of "Exhibits behavior characteristic of Nymaim malware" is due to it using a Windows feature to replace in-use files on restart.
>
> This is not to give the software a clean bill of health, but as you're aware, doing so would require in-depth investigation. Nothing in this report makes me think it'll be worth the time.
>
> Mark
>
>
> On Tue, 14 Mar 2023, 04:19 'Kurt Seifried' via [email protected], <[email protected]> wrote:
>
>> I haven't seen the software. But isn't it BJCA's job to prove they are trustworthy? Shouldn't BJCA.cn have some simple answer in the form of "no it's not spyware, and here's how we can easily and simply prove it."
>>
>> Why is this the responsibility of random Internet volunteers to prevent Mozilla from being bamboozled into accepting an untrustworthy CA? Shouldn't Mozilla be ensuring that root CAs are highly trusted and not involved in spyware, like Trustcor apparently was?
>>
>> Also when it comes to spyware there are very few experts or groups that can properly analyze this (e.g. Citizen Lab comes to mind). There isn't some huge pool of people with a ton of spare time to track this down. Witness involvement in this mailing list as a good example of how few people are actually involved.
>>
>>
>> On Mon, Mar 13, 2023 at 9:26 PM Ben Wilson <[email protected]> wrote:
>>
>>> Kurt,
>>> I am a bit skeptical when I am only able to identify one report that is then repeated by other sources. Were you able to identify independent examinations of the v.2.x software other than the one by Insikt Group?
>>> Ben
>>>

--
Kurt Seifried (He/Him)
[email protected]
