Othello

Version 1.7

By Erick Engelke

erick@uwaterloo.ca


Othello is a tool to check your Windows XP/2003 system for suspicious services and programs.


Compatibility

Works on Windows XP, Windows 2003 and Vista, but you must run it from an Administrator account.

On Vista, automatically prompts for elevated user privileges.

Basic Operation

When run, this program scans all the active services, user processes and startup programs on your computer and lists those that don't have valid code signatures. Code signing is explained below, but basically it authenticates the software as really coming from someone fairly trustworthy. Files which do not carry a code-signing signature could be valid, but they might be malware; these are the files you must check.

After the data collection phase, the progress bar disappears and the system starts displaying useful information.

A tree appears, listing signed vendors and their applications running on your computer. You can browse through them and look for anything unexpected. Expand the tree to get more details.

When you close the tree’s window, you are left with the main console displaying services and programs which are not signed and thus more suspicious.

Clicking on a service EXE entry displays all the services associated with that EXE, along with the company name and other information claimed by the EXE. Remember, you cannot trust this information: the EXE is not signed, so it could all be misinformation written by hackers.

A good way of thinking about it is this: if the file claims to be from Microsoft or another so-called leading company, it would be rare for that file not to be signed.

Clicking on the EXE name also copies that name to the clipboard, so you can paste it. This is very handy if you then click on Virus Scan File, which brings up the web page of a company that will scan the file with most popular virus scanning engines. Since the filename is on the clipboard, you can just paste it into the filename field, and then you can have the file checked by all the vendors.
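The scan described above (services, user processes and startup programs, filtered down to those without a valid signature) can be reproduced from an elevated PowerShell session. The following is an added example, not Othello's own code; the function names are the example's own, and the Run-key paths are the standard Windows locations. Like Othello, it reports the unsigned file's self-declared company name only as a claim.

```powershell
# Added example, not Othello's code: list the executables behind running
# services, user processes and Run-key startup entries whose Authenticode
# signature is missing or invalid. Run from an elevated PowerShell session.

# Pull the bare .exe path out of a service/startup command line, which may be
# quoted, may carry arguments, and may use %SystemRoot%-style variables.
function Get-ExePathFromCommand([string]$Command) {
    if (-not $Command) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded -match '^"?([^"]+?\.exe)') { return $Matches[1] }
    return $null
}

# Collect path -> list of origins (service name, process, Run-key value),
# so each file on disk is signature-checked only once.
function Get-StartupBinaries {
    $seen = @{}

    function Add-Origin([string]$Path, [string]$Origin) {
        if (-not $Path) { return }
        if (-not $seen.ContainsKey($Path)) { $seen[$Path] = New-Object System.Collections.ArrayList }
        [void]$seen[$Path].Add($Origin)
    }

    # Services: PathName is the full command line of the service host/EXE.
    Get-CimInstance Win32_Service | ForEach-Object {
        Add-Origin (Get-ExePathFromCommand $_.PathName) "service $($_.Name)"
    }

    # Processes: protected/system processes refuse MainModule access; skip them.
    Get-Process | ForEach-Object {
        $p = $null
        try { $p = $_.MainModule.FileName } catch { }
        Add-Origin $p "process $($_.ProcessName) (pid $($_.Id))"
    }

    # Startup programs: the per-machine (64- and 32-bit) and per-user Run keys.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider noise
            Add-Origin (Get-ExePathFromCommand $prop.Value) "startup $key\$($prop.Name)"
        }
    }
    return $seen
}

# Report every collected binary whose signature status is anything but Valid.
function Get-UnsignedStartupBinaries {
    $binaries = Get-StartupBinaries
    foreach ($path in $binaries.Keys) {
        $origins = $binaries[$path] -join '; '
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'FileNotFound'; Signer = $null
                               ClaimedCompany = $null; Origins = $origins }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -eq 'Valid') { continue }
        # VersionInfo is unsigned metadata inside the file: anyone can write
        # "Microsoft Corporation" there, so it is a claim, not a verified fact.
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        [pscustomobject]@{
            Path           = $path
            Status         = $sig.Status          # NotSigned, HashMismatch, NotTrusted, ...
            Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            ClaimedCompany = $company
            Origins        = $origins
        }
    }
}

Get-UnsignedStartupBinaries | Sort-Object Path | Format-Table -AutoSize -Wrap
```

Statuses other than NotSigned deserve a closer look than a plain missing signature: HashMismatch means the file was modified after signing, and NotTrusted means a signature chains to a root the machine does not trust. Many Windows-shipped binaries are signed through security catalogs rather than an embedded signature, so older systems may report such files as NotSigned; confirm with a catalog-aware tool before treating them as suspicious.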

Code Signing

Code signing means the people producing the software have paid money and undergone security checks to ensure they are who they say they are. It's essentially the same process as applying for an SSL site certificate, and just as trustworthy. If you are a small company, it's a pain and an expense, but big companies do it, I do it, and it's a good idea.

The key used to sign the code is a special little secret file protected by a password. Companies hoard this secret like they do access to their bank account. If the secret got out and hackers were to use their signature, they would lose their status, and all products signed by them would lose their privileged status.

More Virus Information

If you are suspicious about a file, submit it to Virus Total to see if anyone has already identified it as malware. Files that aren't flagged may still be malware in a zero-day attack. You may want to disable the service and see if you can live without it.

Othello is itself a signed file; Internet Explorer shows The University of Waterloo as the source.


Copyright Erick Engelke 2006, 2007

Pages updated: February 6, 2007


Changelog

1.7 Feb 6, 2007, now Vista prompts for elevated privileges, usable right off web

1.8 Feb 14, 2007, warns of any signatures where the root CA is unusual – not in the list of stock root CAs shipped with Windows
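The 1.8 check above (a signature whose root CA is not one of the stock roots shipped with Windows) can be approximated in PowerShell by walking the signer's certificate chain to its root and looking that root up in the machine's AuthRoot store, where Windows keeps the Microsoft-distributed third-party roots. This is an added example, not Othello's implementation; the function names and the "Microsoft Root" subject match are the example's own assumptions.

```powershell
# Added example, not Othello's code: flag signed files whose certificate chain
# ends in a root CA that is not one of the roots Windows distributes itself.
# Stock third-party roots live in Cert:\LocalMachine\AuthRoot; a root found
# only elsewhere (enterprise CA, test root, a root a user was tricked into
# installing) is reported for review.

function Get-StockRootThumbprints {
    $stock = @{}
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\AuthRoot) { $stock[$cert.Thumbprint] = $true }
    # Microsoft's own roots sit in the Root store; accept those by subject
    # (assumption: the subject contains "Microsoft Root", as the current ones do).
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\Root) {
        if ($cert.Subject -like '*Microsoft Root*') { $stock[$cert.Thumbprint] = $true }
    }
    return $stock
}

# Return the top certificate of the signer's chain, or $null for unsigned files.
function Get-SignerRootCertificate([string]$Path) {
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if (-not $sig.SignerCertificate) { return $null }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline; we only want the chain's shape
    [void]$chain.Build($sig.SignerCertificate)      # returns $false for expired etc.; elements are still filled
    if ($chain.ChainElements.Count -eq 0) { return $null }
    return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
}

function Test-UnusualSignerRoot {
    param([string[]]$Path)
    $stock = Get-StockRootThumbprints
    foreach ($p in $Path) {
        $root = Get-SignerRootCertificate $p
        if (-not $root) { continue }   # unsigned files are a separate check
        [pscustomobject]@{
            Path           = $p
            RootSubject    = $root.Subject
            RootThumbprint = $root.Thumbprint
            # A chain that could not be completed ends in a non-self-signed cert;
            # that is itself worth noticing.
            SelfSignedRoot = ($root.Subject -eq $root.Issuer)
            StockRoot      = $stock.ContainsKey($root.Thumbprint)
        }
    }
}

# Example run over the executables of the running processes.
$paths = Get-Process | ForEach-Object { try { $_.MainModule.FileName } catch { } } | Sort-Object -Unique
Test-UnusualSignerRoot -Path $paths | Where-Object { -not $_.StockRoot } | Format-Table -AutoSize
```

On a domain-joined machine, binaries signed under the organisation's own PKI will show up here with StockRoot false; that is expected and should be recognised rather than treated as a finding. The rows that matter are self-signed roots nobody in the organisation recognises, and chains that did not complete.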