Windows Rootkits
GuidoJ writes "The Register is running an article by Kevin Poulsen of SecurityFocus Online about rootkits in Windows NT. While rootkits are a well-known issue in Unix and Linux systems, they have rarely been found on compromised Windows machines. According to the article, Windows NT backdoors have always been 'trivial', and they have caused enough havoc already. Imagine what a stealthy rootkit could do!"
What I mean is, what are you going to do from a Windows remote terminal? You don't necessarily have to set up a shell; you could install port scanners, eggdrop bots and DDoS tools. Even though it's Windows, you don't want to get hacked, for a lot of the same reasons you don't want any computer with internet access to become compromised.
And given this, I wonder how many windows machines are already compromised?
I read this article a couple of days ago on Bugtraq, and they were speculating that with one known kit in existence, there are probably ten more they don't know about. They literally stumbled onto this one by accident.
Imagine these sleeping beauties (well beasts) all just waiting for the signal...
Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
There's no need to run as Administrator. Pretty much any user account can mess up a Windows system pretty bad, even the Guest account.
/bin directories set up as ugo+rwx, then I can screw around with your printers too. This doesn't mean that Linux is "insecure".
But what you say is also true. I too run an account that's a member of Administrators because it's too much trouble to become all-powerful when needed.
It's kinda funny now that I'm thinking of it. You have to be an admin to install a printer, but any old account can delete the printer driver files. Nice.
Not if you've spent some time locking down the box, and designing and implementing security properly. Users can't delete anything they don't have write access to.
Now, out of the box, WinXP and its predecessors install by default in a very insecure state. That I take issue with, but there's nothing stopping you from fixing that.
If you have your
And if you run as administrator all the time, that's just like always logging in as root.
Too many people like to dump on Windows security, but very few have ever even bothered to try and set it up properly.
After the filesystem permissions are properly set, the local and domain policies in place and checked, the services audited for necessity and security, then what's left is a legitimate fault with Windows.
I don't need no instructions to know how to rock!!!!
There's no reason to run Windows as an Administrator except in unique circumstances. I still don't understand why people run as an administrator.
We're all familiar with sudo for Linux. There's an equivalent for Windows. There's a program called "runas" and it's included with Windows 2000 and XP.
You can do runas /user:administrator cmd to get a DOS prompt with Admin privs.. and then do whatever you want.
You can read the docs on runas by going to http://support.microsoft.com/default.aspx?scid=kb;en-us;294676
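As an added illustration of the runas approach described in the post above (this is not the poster's script, and not part of the original thread), the batch file below first checks whether the current shell already has Administrators membership and only starts a second, privileged prompt with runas when it does not. It assumes the built-in account is named Administrator and that the whoami command is available (it is built in from Windows Vista onward; on 2000/XP it came with the resource kit or support tools).

```batch
@echo off
rem Added example, not from the thread. Checks for Administrators membership
rem before reaching for runas, so the privileged prompt is only opened when
rem it is actually needed (the "sudo"-style workflow the post describes).

rem whoami /groups lists the SIDs in the current token. S-1-5-32-544 is the
rem well-known SID of the local Administrators group, so matching it tells us
rem whether this shell already carries that group.
whoami /groups | find "S-1-5-32-544" >nul
if %errorlevel%==0 (
    echo Already running with Administrators membership; no runas needed.
    goto :eof
)

rem Not an admin: open one separate prompt with the Administrator account.
rem runas prompts for the password interactively; everything typed into the
rem new window runs with admin rights, while this window stays unprivileged.
rem "Administrator" is an assumption; substitute the local admin account name.
echo Starting an administrative prompt with runas...
runas /user:Administrator "cmd /k title Admin prompt"
```

Running the day-to-day account unprivileged and opening a second prompt only for administrative tasks keeps the blast radius of a compromised browser or mail client to that account's own files, which is the same reasoning as not logging in as root on Unix.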
Well I would have to disagree. Let's peel the onion back one layer - why on earth would anyone have to change the default filesystem permissions?
The reason is that Windows has no concept, and never did, of partitioning user data from system data. In any Unix, the filesystem is sensibly laid out such that removing write access to huge swathes of it does absolutely nothing to hinder its usability. Not so in Windows; everything's mixed together in one big steaming mess. Instead of simple read access, we have confusing messages from Explorer telling users "OH MY GOD! You shouldn't look at the files in this directory, it can cause obesity, nausea, jet-like diarrhea and insanity - but click here if you really really want to see them ..." or some other such nonsense. W2K isn't much better, but at least it's less obnoxious.
Secondly - and this is more of a cultural issue which flows naturally from the above situation - this isn't even realistic. I used to do this, locking users out of c:\ and \system32\ etc., but I would find that we had all these boneheaded programs we had to run which needed to write to various parts of the filesystem for no apparent reason other than ignorance. This problem is so rife with Windows developers that locking users out of pieces of the filesystem is almost useless, because you wind up not being able to do it anyway.