Slashdot Mirror
Windows Rootkits
GuidoJ writes "The Register is running an article by Kevin Poulsen of SecurityFocus Online about rootkits in Windows NT. While rootkits are a well-known issue in Unix and Linux systems, they have rarely been found on compromised Windows machines. According to the article, Windows NT backdoors have always been 'trivial', and they have caused enough havoc already. Imagine what a stealthy rootkit could do!"
Can't a decent firewall counter 90% of rootkits?
What I mean, is that what are you going to do from a windows remote terminal you don't necessarily have to set up a shell, you could install port scanners, eggdrop bots and ddos tools. even though its windows you dont want to get hacked for a lot of the same reasons you dont want any computer with internet access to become compromised.
The bit that really concerns me is that it's possible at all, to install a device driver without the user's consent that can directly mediate between the hardware layer and the kernel -
But then I guess that it's possible precisely because MS have made it simple to manage, and thus simple to mis-manage.
Of course, the best way to defeat this kind of trojan is simply to use a firewall and block the ports being used to remotly configure the hidden driver. So then, the worrying part is not the trojan itself, but the competancy of the average user...
sig:- (wit >= sarcasm)
And given this, I wonder how many windows machines are already compromised?
I read this article a couple of days on bugtraq and they were speculating that with one known kit in existence, there are probably ten more they don't know about. They literally stumbled onto this one by accident.
Imagine these sleeping beauties (well beasts) all just waiting for the signal...
Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
There's no need to run as Administrator. Pretty much any user account can mess up a Windows system pretty bad, even the Guest account.
/bin directories set up as uog+rwx then I can screw around with your printers too. This doesnt mean that linux is "insecure".
But what you say is also true. I too run an account that's a member of Administrators because it's too much trouble to become all-powerful when needed.
It's kinda funny now that I'm thinking of it. You have to be an admin to install a printer, but any old account can delete the printer driver files. Nice.
Not if you've spent some time locking down the box, and designing and implementing security properly. Users cant delete anything they dont have write access too.
Now, out of the box, WinXP and its predecessors install by default in a very insecure state. That I take issue with, but there's nothing stopping you from fixing that.
If you have your
And if you run as administrator all the time, that's just like always logging in as root.
Too many people like to dump on Windows security, but very few have ever even bothered to try and set it up properly.
After the filesystem permissions are properly set, the local and domain policies in place and checked, the services audited for necessity and security, then what's left is a legitimate fault with Windows.
I don't need no instructions to know how to rock!!!!
yes and no. on win 9X systems (to include ME), yes. however, on NT based systems, not everyone is administrator. for home users, nearly everyone runs as admin, though. for network use, none of my users get much in the way of permissions, and I don't know a lot of windows sys-admins that give their users permissions much higher than bare minimum.
as a side note, don't I know you?
The World's Worst Webcomic!
Yeah. MS has "caught on", somewhat. 2000 will sometimes prompt you (esp when inserting a CD and it thinks you want to install something) if you want to run as administrator when it detects that you need higher privs to run something. But it doesn't always work.
I've noticed this with things like installing patches for installed apps (like Adobe Acrobat, for instance). Acrobat will periodically check for updates and then ask if you want to install and download. I got tired of hitting the 'no, ask me later' button so I went ahead said yes. It finished downloading and then stopped saying I had to log in as 'administrator' to install the update. Would have been nice if it had said so in the first place or gave me an option to use 'runas'.
I've tried to get out of the habit of running with an administrator priv account. I don't need administrator very much for day-to-day stuff at work (they deliver the machines with owner's domain account in the administrator's group by default), but it is a pain to have to log out and back in to be able to install something.
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
Theres no reason to run Windows as an Administrator except in unique circumstances. I still dont understand why people run as an administrator.
/user:administrator cmd to get a dos prompt with Admin privs.. and then do whatever you want.
; en-us;294676
We're all familiar with sudo for linux. There's an equivalent for Windows. Theres a program called "runas" and its included with Windows 2000 and XP.
You can do runas
You can read the docs on runas by going to http://support.microsoft.com/default.aspx?scid=kb
And you're going to check all your source code for Windows??? Try...
If you have an account on a local machine, there's a very simple way to 'root' a windows nt box. Almost always, the yutz of the admin has the antivirus stuff running as Administrator or system (yes, I've seen that one on 1 system). There's a simple way to take any gui program and run code through it.
Either my bootable business card or my floppy will provide that exe. Remotely, it's harder to gain 'root' elevation but many MS services are prime candidates. And no, IIS is a small fish, as admins usually DO secure it down now.
And about your Linux kernel modules garbage.... If you have 1 breach in root, you're screwed. It isnt that hard to dump lspci and compile your goodies in locally. Any SMART Linux admin will not have any tools for software development. I'd even rip out all text editors and network diagnostic tools. I'd make it a hell for a hacker who __thinks__ they have it easy. Depending on the situation, I might even include NSA linux patch.
Have you ever seen a truly locked down, but usable system? Tis not something you want to play with.....
How did this get modded insightful? If the root kit modifies core system binaries (which is exactly the M.O. of most root kits), then it would still get loaded in safe mode.
4: If you target a Windows 2k or XP platform, make sure to install the payload inside a system file and its backup. If you dont, windows will overwrite your trjaned package with the known good one. With the bad in the cab, you'll be guaranteed a hole. Sometimes, however, the packages cause problems with windows updates. If that kind of thing happens, it usually causes a bluescreen.
I had on a box that would not do windows update. The complaining dll had a very recent modification date. So I cracked it open in CYGWIN and diffed it against a copy off the Win2K cd (this dll had not changed from default because the luser -- not me -- had never run WindowsUpdate. D'oh.) Hrm. Then I extracted the DLL from the CABS on the drive and rebooted. Same problem. Diffed the CAB extracted file with the one on the CD. Guess what. This was my first experience with a win2k rootkit. I forget what it was called, but a rebuild was in order. Man was it slick. I've seen rootkits on linux, BSD and solaris, but damn was this smooth with the packing it into the CABS. I wish I knew what it was up to.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
Umm, it's a package that 'we' install on systems for nice unix-like capibility for Win2K boxes. Out of the box, a Win2K command interepter just sucks. There' snot much you can do, other than copy, move, and garbage. 'Internix' is a package, somewhat like busybox for Windows. It provides all the main gnu tool functionality with tools like chmod and chown modified for _basic_ windows operation. Trust me, it's an alpha package at best.
/command switch. Then it goes into console mode. The only way you'd find it is by using the same technique as the guy who used Cygwin and diffed his dll's.
And dont bother looking for it either. It can be compiled seperately, but how it's usually installed is by the usual... Pack it to another big program (sometimes word.exe is chosen) and have it check for a
Also, you may want to pay special attention to the font directory. Interesting stuff can happen in those subdirectories.
Well I would have to disagree. Let's peel the onion back one layer - why on earth would anyone have to change the default filesystem permissions?
The reason is that windows has no concept, and never did, of paritioning user data from system data. In any unix, the filesystem is sensibly laid out such that removing write access to huge swathes of it do absolutely nothing to hinder it's usability. Not so in windows, everything's mixed together in one big steaming mess. Instead of simple read access, we have confusing messages from explorer telling users "OH MY GOD! You shouldn't look at the files in this directory, it can cause obesity, nausea, jet-like diarrhea and insanity - but click here if you really really want to see them ..." or some other such nonsense. W2K isn't much better, but at least it's less obnoxious.
Secondly - and this is mroe of a cultural issue which flows naturally from the above situation - this isn't even realistic. I used to do this, locking users out of c:\ and \system32\ etc., but I would find that we had all these boneheaded programs we had to run which needed to write to various parts of the filesystem for no apparent reason other than ignorance. This problem is so rife with windows developers that locking users out of peices of the filesystem is almost useless, because you wind up not being able to do it anyway.