Norton Liveupdate musings

Neon, the details for the IP yours is conecting to are :

inetnum: 203.134.38.224 - 203.134.38.255
netname: MLOGOTHETISPTYLTD
descr: iPrimus Customer
country: AU
admin-c: JD29-AP
tech-c: HA13-AP
mnt-by: MAINT-PRIMUS-AU
changed: lambo@primus.com.au 20000724
status: ASSIGNED NON-PORTABLE
source: APNIC
changed: hm-changed@apnic.net 20020827

person: Jim Dandy
nic-hdl: JD29-AP
e-mail: netops@iprimus.com.au
address: L3 1 Alfred Circular Quay
address: Sydney NSW Australia
address: 2000
phone: +61-2-94232400
fax-no: +61-2-94232410
country: AU
changed: netops@primus.com.au 20030724
mnt-by: MAINT-PRIMUS-AU
source: APNIC

Are you from australia ?

I'm quite keen on figuring out the protocol.. think about it.. if someone knew how it gets the latest update, someone could possibly get a webserver to serve up a fake update... maybe one that ruins all the definitions. Just a thought...

I personally think they chose to have liveupdate work over http because most corporate firewalls would be configured to allow outbound requests to port 80.. that would save users from having to get an admin to poke a hole in the firewall for liveupdate.

Its quite stupid actually.. You'd think that they'd encrypt the traffic at the very least (I don't think they do).. not to mention I wonder whether the update it downloads is checked against an MD5 hash from somewhere else. They do give the hashes on their own website..

Sorry about the mammoth post.

Yeah I am from Australia, and my isp is IPrimus

I also checked just then with live update and it still connected to the same IP as I stated before.

.. Which program/site u use to get the info about the IP addy? I use the ARIN site, but dosnt contain that much info.

Neon, so thats a good thing,... looks to me like they have some sort of regional mirror system for the liveupdate,, does that sound like a bad guess ? You could hit that webserver and check what its running..
just telnet to the ip, port 80, and type
[code:1]
HEAD / HTTP/1.0
<enter>
<enter>
[/code:1]

let me know what it returns as the server.. I'm guessing you'll see Akamai Cacheing system as well...

as for where I picked up that info.. good old command line whois.. basically does the same thing as arin.net whois. Thing is, different regions are allocated IPs by different authorities.. for example, Asia gets them from Apnic.net whereas the americas get them from Arin and Europe from Ripe.net..

I think i queried apnic.. which allocates australia as well i think... if you query the wrong one, you'll get something like this.

whois -h whois.arin.net 203.134.38.224
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 202.0.0.0 - 203.255.255.255
CIDR: 202.0.0.0/7
NetName: APNIC-CIDR-BLK
NetHandle: NET-202-0-0-0-1
Parent:
NetType: Allocated to APNIC

Thus you can see that its allocated by apnic.. and then you query the correct one.

A bit of research found me the Liveupdate Administrators guide...
Here it is :
www.its.uiowa.edu/cs/helpdesk/virus/PDF_docs/norton/Luadmin.pdf

Look at Chapter one, page 8 -- How the liveupdate client works

Looks like I was right, it does try and pick the nearest server.. and the download is via http and ftp (they don't specify when each is used). They do list all the files that are used in the liveupdate process, as well as the name of the file it downloads.. but there's no mention of the protocol.. as far as I could see, the webserver that it was updating from did not seem to understand regular HTTP requests..

Apparently administrators can even set up their own internal liveupdate server so that people don't have to keep using the Internet link to download updates.. that would be a neat idea.. as it would be faster as well..

Does anyone have this implemented ? And if so, do you know how the client requests from the server ? There appears to be some form of authentication :

LiveUpdate 1.6x and 1.7 secure the download process by checking file signatures before delivering any LiveUpdate content to the user. In addition, LiveUpdate 1.7 secures and authenticates downloaded packages to each client, server, and gateway.
Each new update is accompanied by a cryptographic signature, which is then signed using a private key that is stored on a secure Symantec server. The resulting digital signature is stored in a signature file, which is compressed into the Livetri.zip file along with the catalog file. If any of the authentication checks fail, a descriptive error message appears and the activity is recorded in the log file. On Windows NT computers, an error is also written to the NT event log.

Of course my whole notion may be hair brained.. but if you figure out how to handle the requests from the client, wouldn't it be possible to serve a file of your choosing.. the client downloads it, and obviously installs the update package.. what if your update patches norton antivirus to do some nasty things.. or even better, patches liveupdate to send you some stuff... it already has internet access after all

Sigh.. the glory of idle conjecture...

I tried doing that thing you said about telnetting into the IP address with port 80. I used PuTTY, It worked, but it disconnected me really quickly, it only gave me enough time to type "HEAD / HTT" then the connection was dropped... Must have a Very short time out eh?

But to combat the short timeout, I used ID Serve from grc.com and it returned these results:

[code:1]Initiating server query ...
Looking up the domain name for IP: 203.134.38.238
The domain name for the IP address is: 203-134-38-238.cust.syd.iprimus.net.au
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server's default page.
The server returned the following response headers:
HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 132
Expires: Sun, 21 Dec 2003 14:55:18 GMT
Date: Sun, 21 Dec 2003 14:55:18 GMT
Connection: close
Query complete.[/code:1]

But yeah I agree with you on saying that it does use a closest mirror system.

When I captured the packets during the live update process I noticed the following things about DNS

My computer sent a DNS query to liveupdate.symantecliveupdate.com
The response had 5 entries.
[code:1]1. liveupdate.symantecliveupdate.com = liveupdate.symantec.com
2. liveupdate.symantec.com = liveupdate.symantec.d4p.net
3. liveupdate.symantec.d4p.net = a188.x.akamai.net
4. a188.x.akamai.net = 203.134.38.231
5. a188.x.akamai.net = 203.134.38.238[/code:1]

and there we have it, my live update according to TCPView was using 203.134.38.238

That’s also interesting with making your own live update server, I know a place that runs 30 comps and needs to update their definitions regularly, so that would be a ease on the bandwidth when an update is available

Hmm odd about that manual HTTP request... should work just fine...
I wrote a little perl script that I stick in my path.. then in run I just type
id <ip-address or hostname> and it gives me back a bunch of useful stuff about the server. Really simple stuff, but can be useful sometimes.

Perhaps I'll setup another box here and make it a LU server and capture the whole process.. even if nothing comes out of it, it'll make for some interesting protocol analysis.. its been awhile since I read bytes off the wire.... in hex... with my left eye closed... while standing on my head.