RCC - check your system's trusted root certificate store

Discussion in 'other anti-malware software' started by svenfaw, Feb 28, 2015.

  1. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    136
    [This is an early release. As it does not give detailed guidance on possible remediation actions, it is mostly for advanced users]

    How do you determine, out of the hundreds of root certificates a typical Windows system trusts, which ones are actually supposed to be there and which ones have been added "behind your back"?

    RCC is a tool that quickly inspects the root certificates trusted by Windows and Mozilla Firefox, and pinpoints possible issues. For instance, it is able to detect funky root certificates installed by Superfish or other unknown threats.

    RCC does not require admin rights.
    It is compatible with Windows 7 and later (clients) and Windows 2008 and later (servers).
    Please note that RCC currently uses a (non-elevated) PowerShell command to enumerate the system certificate root store.

    Available from: http://trax.x10.mx/apps.html

    This console version requires no installation - just unzip and run.

    Edit: A graphical version and more features will probably follow.
    Here's a screenshot of a very early preview (no release available yet):
     
    Last edited: Nov 29, 2015
  2. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Does this compare one's root CA to some DB?
     
  3. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    136
    That's correct. It's checking against the Microsoft Root Certificate Program list (available at http://download.microsoft.com/download/1/5/7/157B29AB-F890-464A-995A-C87945B28E5A/Windows Root Certificate Program Members - Sept 2014.pdf.)

    RCC performs this check fully offline. It does not need an internet connection as it ships with its own copy of this list. In a future release you will be able to use a custom list in plaintext format.
     
  4. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Thanks for the quick reply, seems useful.
    I'll test it later.
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    977
    Location:
    Paris
    Sven - Although I'm sure your motives are noble, do you really think it is a good idea to directly link to a PowerShell script and say RunMe?

    Also, the Microsoft Root Certificate Program list leaves a bunch of (older) Symantec Certificates off, so users should be prepared.
     
  6. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    136
    The tool does start a PowerShell instance to enumerate the certificate root store. This step completes in a few seconds and is a Microsoft-documented way of doing so.

    On the security implications of that: PowerShell does not have any extra privileges compared to a regular executable. However, for people running a HIPS, starting a background PowerShell process can trigger a pop-up, depending on your settings. I will mention this in the OP.

    Does this answer your concern, or were you pointing out the fact that there is no website yet?

    About Symantec (and surely many other) root certificates: At this time, this tool simply highlights non-MCP certificates. This, of course, does not automatically imply that they are malicious. At this stage, it is entirely up to the user to evaluate the implications, if any.
     
    Last edited: Feb 28, 2015
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,767
    Location:
    Outer space
    Will future versions also check Firefox's Root Store?
    RCC did detect the Qustodio root cert, but output is messed up:
    rcc.png
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    533
    Location:
    UK
    Thank you!....Very useful.
     
  9. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    136
    The plan is to check 3 root stores eventually: OS, Firefox and Java.
    The output you are getting is strange indeed. Are you running an international version of Windows?

    And if possible, could you run and post the output of the following PowerShell command on your system?
    What it does is display a CSV-formatted list of your root certs.

    (gci -r cert:\localmachine\root | Select thumbprint, subject | sort thumbprint -Unique | convertto-csv)
     
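The offline check described in post 3 (compare the root store against a reference list) and the enumeration command in post 9 can be combined as below. This is an added example, not RCC's code and not written by anyone in the thread; the plaintext list format, the function names `Read-ThumbprintList` and `Find-UnlistedRoot`, and the sample thumbprints and subjects are assumptions constructed for illustration.

```powershell
# Added example, not RCC's code. Assumed list format: one SHA-1 thumbprint per
# line, optional ':' or space separators, '#' starts a comment.
function Read-ThumbprintList {
    param([string[]]$Lines)
    $allowed = @{}   # keys of a PowerShell hashtable literal compare case-insensitively
    foreach ($line in $Lines) {
        # Strip comments, then whitespace and ':' separators.
        $t = ($line -replace '#.*$', '') -replace '[\s:]', ''
        if ($t -match '^[0-9a-f]{40}$') { $allowed[$t] = $true }
        elseif ($t) { Write-Warning "Ignoring malformed list entry: $line" }
    }
    return $allowed
}

# Return the certificates whose thumbprint is absent from the reference list.
function Find-UnlistedRoot {
    param($Certificates, [hashtable]$Allowed)
    $Certificates |
        Sort-Object Thumbprint -Unique |
        Where-Object { -not $Allowed.ContainsKey($_.Thumbprint) } |
        Select-Object Thumbprint, Subject
}

# Constructed sample data: placeholder thumbprints, not real certificates.
$sampleList = @(
    '# reference list (constructed)',
    ('a' * 40),
    'not-a-thumbprint'
)
$sampleCerts = @(
    (New-Object PSObject -Property @{ Thumbprint = ('A' * 40); Subject = 'CN=Listed Example Root' }),
    (New-Object PSObject -Property @{ Thumbprint = ('B' * 40); Subject = 'CN=Unlisted Example Root' })
)

$allowed = Read-ThumbprintList -Lines $sampleList
Find-UnlistedRoot -Certificates $sampleCerts -Allowed $allowed | Format-Table -AutoSize

# Against the real store, using the same provider path as the command above
# (the list file name is a placeholder):
# $allowed = Read-ThumbprintList -Lines (Get-Content .\reference-thumbprints.txt)
# Find-UnlistedRoot -Certificates (Get-ChildItem -Recurse Cert:\LocalMachine\Root) -Allowed $allowed
```

As post 6 points out, a certificate missing from the reference list is only a candidate for review, not proof of a malicious root.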
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,767
    Location:
    Outer space
    No, just the English version.
    I'm not familiar with PowerShell, how can I enter this command?
    I started PowerShell, went to the path that contains the RCC executable and entered:
    ".\rcc.exe --gci -r cert:\localmachine\root | Select thumbprint, subject | sort thumbprint -Unique | convertto-csv"
    But not much happened.
     
  11. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    136
    Easiest way is: Win+R, type "powershell_ise"
    Once this is open, just paste the above command then press F5 or enter.
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,767
    Location:
    Outer space
    Thanks, here is the output:
     
  13. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    136
    OK, I think I have identified the problem and just fixed it in the latest version (1.24). Could you try to download it again (see URL in the first post) and see if the output is better?
     
  14. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Nice little program. I found a few CAs that needed to go away, and a few I did not recognize, and could not identify.
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,767
    Location:
    Outer space
    Yes :)
    Untitled.png
     
  16. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    136
    I would like to announce that a new release is available. :)

    Changes in version 1.28:
    - optimized scanning algorithm (resulting in faster scan and lower CPU usage)
    - fixed missing 1st character in some certificate names
    - updated built-in Microsoft signature DB
    - even smaller executable size

    Please remember that this is still an early release.

    See OP for the download link.
     
    Last edited: Mar 8, 2015
  17. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    It correctly detected ClockWorkMod's cert which I installed to backup Android.
    Great tool, thanks!
     
  18. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    136
    Astonishingly, it seems that Firefox does not verify the integrity of its built-in CA root store upon starting. RCC will be performing this check in the next version.
     
  19. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Yup. So Fx is far from immune against a Superfish-like attack, at least so far.
     
  20. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Thanks, keep up the good work!
     
  21. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    533
    Location:
    UK
    Looking forward to the updated version for Fx.
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,767
    Location:
    Outer space
    Indeed, nice work :)
     
  23. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    136
    RCC will now also scan the Firefox CA store if it detects any.
    As this is the very first release with this capability, there may be some issues with detections or performance. Thanks for your feedback!


    136.png
     


    Last edited: Mar 24, 2015
  24. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Cheers for that. Would it be a minor modification for the program to also scan Palemoon (a Firefox derivative)?

    Also it might be worth updating the hashes listed in your opening post :)
     
  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    I just ran this on XP, mistakenly... since it is meant for Windows 7 and later...

    ScreenShot_RCC_02.gif
     