https




Internet Anti-Intrusion Patch Verification and Intrusion
Evidence Scanner — for Microsoft Windows NT


(Click image to jump to PatchWork Information and Download Page)

PatchWork?
On Thursday, March 8th, 2001, the United States Federal Bureau of Investigation (FBI) disclosed details of an ongoing investigation into the organized intrusion, by Eastern European hackers, of more than forty, commercial, domestic, web sites.

See the Full FBI Announcement Here

These attacks were particularly disturbing because, in every case, the Russian hackers were simply exploiting well known and readily preventable vulnerabilities of non-updated versions of Microsoft's Windows NT web serving operating system.

Prior to the FBI's public announcement, I was contacted and asked to quickly create a tool to perform two specific functions for any Internet-connected Windows NT/2000 system:

Rapidly scan the system's mass storage for evidence of files known to be used by hackers for system intrusion and also files implicated in the specific intrusions researched by the FBI.
Analyze the Windows server for the presence of the specific vulnerabilities known to have been exploited by the Russian hackers.
Created in two days, and occupying just 30k bytes after being digitally signed with my secure digital signature, this new and COMPLETELY FREE utility, PatchWork, is ready for your use.

Pursuant to my agreement, PatchWork is being distributed by
the Center for Internet Security and may be immediately
and easily downloaded directly from their web site:

The Center for Internet Security
http://www.cisecurity.org

You can learn about The Center from their web site. You will find a link to their "PatchWork Page" at the top of their site's home page.



What Does PatchWork NOT do?

It is important for you to understand why PatchWork was created
so that you will be able to apply it with maximum effectiveness.

PatchWork was designed from information provided by the FBI. This information was derived from their investigation into a series of directly related and coordinated intrusions into United States eCommerce and eBanking sites. Through this investigation, the FBI determined the "Attack Vectors" — the specific exploits — that were used by remote intruders to gain entry into Windows NT systems.

PATCHWORK ONLY CHECKS FOR AND ADVISES ABOUT
THE PRESENCE OF THESE SPECIFIC VULNERABILITIES.

You must NOT confuse PatchWork with a general-purpose, comprehensive, patch-verification tool — it is not that. Such capability is beyond the scope of the present utility. We believe that if PatchWork gives your computer the "all clear", then that system will be hardened against the specific Internet eCommerce attacks that have been occurring with disturbing frequency. However, by no means should this PatchWork utility be used as a substitute for continuing comprehensive and proactive security measures.

It is our sincere hope that your use of this first simple "PatchWork" tool will help to highlight the need for taking your Internet security seriously. If we are able to help you solve a few security problems today — and surprise you a bit about the very real need for continuing vigilance — this tool will have been a success in our eyes.



Version History

v1.00 — Initial Release

v1.01 — Minor Cosmetic Tweak

A paragraph was appended to the end of the file system scan reminding the user that we were only performing a simple file name match and that, consequently, any "hits" should be further researched before any conclusions are reached.

v1.10 — Function Enhancements
We were able to obtain the file sizes of all but two known "bad" files. Therefore PatchWork was enhanced to check the suspect file size and to report both a "name match" and a file size match. This will essentially eliminate false positive reports.
We learned that Microsoft's patching tools do not correctly verify the installed version of IIS prior to overwriting. Older versions were therefore being incorrectly "upgraded." PatchWork v1.10 now takes proactive responsibility to make sure all application patches will be safe and correct.
PatchWork's initial MDAC recommendation was warning about unsafe registry keys even if the server's "/msdac" virtual root had been removed or renamed (which prevents the vulnerability). PatchWork now checks this before raising an alert.
PatchWork was creating "option setting" registry entries for itself even when it was run under Windows 9x, for which the program is not intended. That behavior is now suppressed so that there are no registry side effects from running under Win9x.



PatchWork's Digital Signature

Since PatchWork is being downloaded from a server other than mine, and since copies will probably be passed around the Internet quite a bit, users need to have some way to verify that the original program has not been tampered with in any way. For that reason I have "digitally signed" the original PatchWork program with my personal, non-spoofable, cryptographic signature.

For instruction on checking the validity of the file's signature, click the link below:

How to Verify a Digital Signature



PatchWork Meets the Press

InternetNews — Firm to Air Online Security Tool for FBI
March 8th, 2001, by Carol King
ComputerWorld — FBI investigating widespread Web site break-ins by crime groups
March 8th, 2001, by Dan Verton
PC World.com — Hacker Wave Combines Break-Ins With Extortion
March 8th, 2001, by Jennifer O'Neill, Medill News Service
InfoWorld — FBI warns e-commerce sites
March 9th, 2001, by Margret Johnston and Joris Evers
USA Today — FBI warns of organized hacker attacks
March 9th, 2001, Washington / Associated Press
Washington Post — Hackers Feast On Complacency
March 9th, 2001, by Ariana Eunjung Cha
SF Gate News — European Hackers Plunder U.S. Firms; FBI says 40 victims in 20 states were hit
March 9th, 2001, by Bill Wallace
InfoWorld — Security center issues anti-hacker tool
March 12th, 2001, by Margret Johnston
Internet Week — Failure To Keep Security Updated Can Cost More Than Customers
March 15th, 2001, editorial by Wayne Rash

I sincerely hope you find PatchWork to be a useful and effective utility to aid in taking the first steps toward establishing proactive and ongoing management of your enterprise's Internet-connected server security.

Wishing you safe and secure use of the Internet!


Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Oct 06, 2003 at 14:29 (3,848.39 days ago)Viewed 81 times per day