Trusting Your Software - Response to Security Now! 154 [rants]
Let me start, as always, by saying that Security Now! is a great podcast that I look forward to listening to every week. In episode 154 Steve answers a question from a listener who says he noticed a virus warning about "Wizmo", Steve's Windows tweaking tool. Steve answers by basically saying that Wizmo is safe and is known to trigger false positives in some AV software, so the warning can be ignored. That's some bad advice.
While I have no doubt that the Wizmo.exe file compiled by Steve is completely safe, the real question is "is the copy of Wizmo.exe the listener downloaded exactly the same as the one Steve compiled?"
You said it yourself, Steve: "Trust No One".
Most crackers are very smart and they'll do anything to get you to run their trojans. Applications like Wizmo that are known to trigger false positives make perfect disguises for trojans, since virus warnings about them are likely to be ignored. It's trivial to name any file "wizmo.exe" (or any other name), so for Steve to have simply said that Wizmo is safe was bad advice.
Beyond renaming the file, crackers could also employ other tactics to trick users into downloading their trojan, such as:
- Set up phishing sites like “grsee.com” to catch accidental traffic (utube.com gets tons of accidental traffic.)
- Use third-party freeware mirrors to serve the bad file (lots of search referrers)
- Share the trojan on torrents and other file sharing networks
- Hack the web server with the legitimate file and serve their own files
- Use DNS exploits to resolve grc.com to their malware site (difficult and very targeted)
All of the above are possible, and the last two would even work against knowledgeable computer users. The bottom line is that you need a better way to verify that the files you run are legitimate.
How to authenticate downloaded files
Check the file hash
There are two ways to verify that wizmo.exe, or any other file, is the trusted original. The first is for the developer to publish a hash (fingerprint) of the original file, which the user can check once the file is downloaded. Most, if not all, Linux distributions publish hashes of all their ISOs. To verify a hash on Windows, I recommend a freeware tool called HashCalc from SlavaSoft. The problem with this method is that you have to trust that the published hash actually comes from the developer and was not published on some phishing site, etc. It’s also possible, though extremely difficult, for different files to have the same hash fingerprint; this, as Security Now! listeners know, is called a hash collision.
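The hash check described above, done from PowerShell instead of the HashCalc GUI. This is an added example, not code from the original post or from GRC; it uses the built-in Get-FileHash cmdlet and assumes the expected hash is pasted in whatever form the developer's download page shows it (with or without an "MD5:"/"SHA1:" prefix). The algorithm is inferred from the digest length, so the same function works for MD5, SHA-1 and SHA-256 fingerprints.

```powershell
# Added example (not from the original post): verify a downloaded file against
# the fingerprint its developer published. The comparison is case-insensitive
# and tolerant of copy/paste debris, but the hash itself must match exactly.
function Test-FileHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash
    )

    # Normalise whatever was copied from the download page: drop an "MD5:" style
    # prefix, then any whitespace or colons, then lower-case the hex digits.
    $expected = ($ExpectedHash -replace '^(MD5|SHA1|SHA256)\s*:\s*', '' -replace '[\s:]', '').ToLowerInvariant()
    if ($expected -notmatch '^[0-9a-f]+$') {
        throw "Expected hash is not hexadecimal: '$ExpectedHash'"
    }

    # Pick the algorithm from the digest length in hex characters:
    # 32 = MD5, 40 = SHA-1, 64 = SHA-256. Use whatever the publisher offers;
    # a stronger digest is preferable when more than one is published.
    $algorithm = switch ($expected.Length) {
        32      { 'MD5' }
        40      { 'SHA1' }
        64      { 'SHA256' }
        default { throw "Unrecognised hash length $($expected.Length) for '$ExpectedHash'" }
    }

    $actual = (Get-FileHash -Path $Path -Algorithm $algorithm).Hash.ToLowerInvariant()

    # Return an object rather than printing, so the result can be tested or logged.
    [pscustomobject]@{
        Path      = $Path
        Algorithm = $algorithm
        Expected  = $expected
        Actual    = $actual
        Match     = ($actual -eq $expected)
    }
}

# Usage, with the SHA-1 the post lists for the wizmo.exe its author downloaded:
# Test-FileHash -Path .\wizmo.exe -ExpectedHash 'SHA1: 6c929a61a2ecb67e3c65913ec53d5c61e75ee557'
```

A `Match` of `$false` tells you only that the file differs from the published fingerprint; it cannot tell you whether the file or the fingerprint is the forged one, which is exactly the limitation the paragraph above describes.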
Check the digital signature
The other way to validate a file is to check its digital signature. Files can be signed using a certificate much like a website's SSL certificate. A signed file will show a “Digital Signatures” tab in the Windows file properties dialog; verify the certificate chain just as you would any other SSL certificate. The only weaknesses of this method are a developer losing control of their certificate without issuing a revocation, or your root certificates being compromised. Unfortunately, well-trusted developer signing certificates are not free.
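The same check from PowerShell, covering the failure modes the paragraph lists (unsigned file, tampered file, untrusted or revoked certificate, and a valid signature from the wrong publisher). This is an added example, not code from the original post or from GRC; it uses the built-in Get-AuthenticodeSignature cmdlet and .NET's X509Chain, and the `-ExpectedPublisher` parameter is an assumption for this example: supply the CN of the developer's real signing certificate.

```powershell
# Added example (not from the original post): the CLI equivalent of the
# "Digital Signatures" tab, with an explicit online revocation check.
function Test-SignedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Hypothetical parameter for this example: the CN you expect to see in
        # the signer certificate's subject, e.g. the developer's company name.
        [string] $ExpectedPublisher
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # NotSigned is the Wizmo case: there is nothing to verify, so no trust is gained.
    if ($sig.Status -eq 'NotSigned') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'File carries no digital signature' }
    }

    # HashMismatch means the file was modified after signing; NotTrusted means the
    # chain does not end at a root in the local store.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status) - $($sig.StatusMessage)" }
    }

    # Rebuild the chain with online revocation checking for every certificate,
    # so a revoked developer certificate is actually caught.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if (-not $chain.Build($sig.SignerCertificate)) {
        $errors = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Certificate chain check failed: $errors" }
    }

    # A valid signature only proves that *someone* holding a trusted certificate
    # signed the file. Confirm it is the publisher you expected.
    $subject = $sig.SignerCertificate.Subject
    if ($ExpectedPublisher -and $subject -notlike "*CN=$ExpectedPublisher*") {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signed by unexpected publisher: $subject" }
    }

    [pscustomobject]@{
        Path       = $Path
        Trusted    = $true
        Reason     = "Valid signature from $subject"
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

# Usage (publisher name is a placeholder):
# Test-SignedFile -Path .\download.exe -ExpectedPublisher 'Example Software Ltd'
```

Note that Get-AuthenticodeSignature on its own does not fetch revocation information, which is why the chain is rebuilt with `RevocationMode = 'Online'`; without that step the "lost certificate, no revocation" weakness described above becomes "lost certificate, revocation never consulted".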
Wizmo is not authenticatable
Unfortunately, it looks like Wizmo.exe from GRC.com is neither signed nor has a hash published on the site, so there's no way of knowing whether the wizmo.exe you downloaded is exactly the same as what Steve compiled.
Here are the hashes of the wizmo.exe I just downloaded. You can test against these... if you trust me.
MD5: 1bcfa2c0b9ce182dc53f695346f80340
SHA1: 6c929a61a2ecb67e3c65913ec53d5c61e75ee557
