Microsoft Warns of Impossible to Clean Spyware
darkjedi521 writes "The Inquirer has a story that the next generation of Windows spyware and exploits are starting to make use of "kernel rootkits". A paper at Microsoft Research has details on a prototype detection tool. Computerworld has more details, as well." From the article: "Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools..."
Sounds almost malaprop. "It works, I threatened to rip a copy of Ghostbusters II onto my HD and I heard a tiny scream! My spyware aragorn!"
However the paper admits that the only way to be sure that you have killed a kernel rootkit is to completely erase an infected hard drive and reinstall the operating system from scratch.
That sounds rather drastic. How about drilling a hole through it, smashing it with a sledgehammer and throwing it into the Tiber while you're at it? Microsoft seems to be making a stronger case all the time for not exposing a Windows PC to the internet. Maybe it is time to look at a Mac.
Microsoft's XBox Firewire
A feeling of having made the same mistake before: Deja Foobar
A programmer is a machine for converting coffee into code.
Reinstall windows.
Nothing for you to see here. Please move along
Newer rootkits can intercept system calls that are passed to the kernel and filter out queries
Oh joy.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
It was really only a matter of time. I'm surprised that these types of attacks haven't surfaced sooner.
There's a very simple SOP for Windows users that will completely eliminate the need for a fix:
1. Buy new PC
2. DO NOT PLUG IN NETWORK CABLE
3. Image drive to external storage with Ghost or the like
4. Unplug external storage
5. Plug in network cable
6. Connect to Internet. Save any info needed for storage.
7. Unplug network cable
8. Print all info obtained in step 6
9. Plug external storage back in
10. Restore image made in step 3
11. File hardcopies in cabinet
12. Knock back 3 or more shots of your favorite liquor
13. Unplug network cable
14. Return to step 3 for new Internet sessions
What could be simpler?
sigh
And makes it better! Our rootkits can be surreptitiously removed!
I would suspect that worms and viruses would fall into that realm as well?
They are the ones who made it impossible to delete Internet Exploiter after all.
Beep beep.
As in Microsoft admits its OS is full of holes!
If someone says he and his monkey have nothing to hide, they almost certainly do.
"Press [space] to boot from CD and begin Linux installation..."
*press*
Time to move to Linux or maybe the 'MacOS'. The end is near for BillG !!
With handwriting on the wall, I'm surprised more people have not moved to alternatives. I'll just stick with my Macs for Internet use. PCs can't handle it easily enough. Bo
it's called "Windows XP". There are other names. "Millennium" is the worst.
Laws are for people with no friends.
All the more reason to use a *nix-based OS.
Then you can keep /home on a separate partition, /var on a sep...
Oh wait.
I mod down pyramid schemes in sigs.
Well, at least Windows is catching up. We've had rootkits on linux forever! :)
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
Boot a clean kernel from removable, non-writeable media (closed-session CD or write-protected floppy) when doing the rootkit detection. (Some details are left to the reader as an exercise.)
I just wanted to know how you folks handle spyware on your own machines.
... and what the odds are that spyware writers will concentrate on fooling those two in particular as they are so well regarded by most folks I read of.
I run AdAware and Spybot S&D (and AVG for Antivirus) but lately I'm wondering if I'm being complacent
So, any dark horse apps out there I should give a look at?
Kevin
I spent almost two weeks trying to clean the VX2 spyware from a computer that belonged to one of my brothers-in-law... only to learn the only way to kill this p* of s* is to remove the infected hard disk, plug it into another (uninfected) computer and reformat the whole thing. I kid you not.
I stopped providing "free technical support" to my brothers-in-law a short while after that episode. And yes, my machines run Linux or OpenBSD.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
This proves, of course, that Windows is inferior, since 'root kits' have never existed for *nix. Right?
Uninstall Windows.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
The basic problem is that spyware and adware are only combated at a technological level. That is never going to be enough, at least if you want to keep computers somewhat usable. Strict laws and law enforcement about privacy issues are what is needed. It is just plain ridiculous to say that companies are going to regulate themselves.
Most companies may respect your privacy, most people also won't kill people. That doesn't mean you don't need laws and law enforcement!
...rootkits for Linux are also a bitch to find and get rid of. It's only because we have had this risk for longer that we have good tools to find, remove and otherwise manage the risk... but how many Linux users actually do this?
Probably the same five who spool logs to another server as well as write-only tape and run everything in chroot, I suspect.
Click here or here.
Install SP2 before you connect a Windows XP machine to the internet.
The last time I connected a fresh Windows XP RTM box to the internet, it was infected with MS Blaster in 6 minutes.
Windows XP Service Pack 2 on CD FREE
"TK-421, why aren't you at your post?"
I remember attempting to clean systems that had the Linux Rootkit installed on it in the past. Can't trust results of ps, can't trust results of netstat, can't trust anything.
I can't even imagine having this type of situation on a Windows box. There are just so many more places to hide things, and most even technically knowledgeable people wouldn't know what to do if their favorite process list application or network connection lister only shows you what the spyware author wants you to see.
If you can even discern there is a problem, re-formatting is your only hope.
I'm a big tall mofo.
Root kits have been around on *nix machines for quite some time.
Root kits pose the same kind of problems on all systems they get on to; regardless of the system, the only true way to make sure the system is clean is by wiping it and reinstalling from scratch.
Now that being said, it is fairly scary considering the number of people who use computers without a clue about security of any kind and the ease with which Microsoft makes it possible to exploit those users.
Backups are going to be even more important. Disk imaging software is handy to make images and recover.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
What if you only run managed code (Java and .NET)? Couldn't the runtime prevent any overwriting of protected files?
People could run newer programs this way, and legacy native programs would run in a virtual environment like Virtual PC or VMWare.
It was just a matter of time, really. This problem will go away only if people realize they're at risk by running under an admin account and companies (including Microsoft) and independent developers learn to write applications that don't need god-like powers to function. Without user pressure (don't buy or use apps that require admin rights!!) this won't happen.
Windows has had this capability since NT4. I think it's time we started using it.
Bizarro: On Bizarro world people like spyware. People no clean from computer. Go now live to Solomon Grundi.
Solomon Grundi: Errrr! Solomon Grundi say Microsoft full of crap. Solomon Grundi crush Microsoft like piece of paper.
Bizarro: This Legion of Doom reporting. Back to Zonk at Slashdot.
Some would-be Linux turncoat, go code a chkrootkit Windows port.
=)
"God of Rock, thank you for this chance to kick ass. "
As far as I know, rootkits like that have been the norm rather than the exception on Linux and, I think, the BSDs for some time. I don't know about the other UNIXes and UNIX-like OSes (like MacOS/X), but I'd be surprised if it wasn't the case to some extent there too.
It's been widely recognised for a while that if your system is cracked, the only way to be fairly sure you've cleaned it is to reformat it and start again then *carefully* restore data from backups. I don't see how this is news.
Where I work, we've taken the step, as we have *many* identical boxes, of keeping a default system image ghosted and backed up on our *linux* server, because that's the only moderately safe place on the network. We end up rolling out a ghosted image at least twice a week - our jobs would be hell without it.
Yeah, of course. Once you have software installed with root or admin privileges, it can do pretty much anything, and should be treated as such.
Shouldn't the system be designed so that it cannot get on with root/admin privileges without the user's knowledge in the first place?
The underlying problem is Windows' flawed methodology of encouraging people to run as admin (RunAs or other lame workarounds don't count - I have encountered several situations where RunAs doesn't do the job - something as simple as changing the system date/time, for example).
If common sysadmin tasks cannot be accomplished without logging in as Admin, people are going to log on as Admin all the time (why should software installation require changes to the central registry?).
All software installed with root/admin privileges should be treated with caution.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
This is about being unable to clean a compromised environment from within that environment right? Isn't the solution to have your cleaning tool on a live disk?
Big deal! Linux has had this for like... ever now!
;-)
Oh wait...
Have a Happy.
Gee, didn't viruses back in the 80s intercept DOS system calls and block attempts to find them (if something read the file it got the clean version, but the execute-program call got the infected version)? This is why, people, the rule was that you made sure to boot from known clean media before you scanned a system for viruses: you couldn't trust a scan when the malware already had control and could determine what you saw. MS is just realizing that this is still a problem? Someone smack these people with 20-year-old virus summaries.
Wasn't it just posted here at Slashdot within the last 24 hours that Microsoft Windows is so much more secure than Red Hat (Linux)?
It's also possible to use software hardening tools to prevent changes to the kernel (can't remember the exact company, think the name was "Server-Lock", or something like that).
The real answer is layered security, well managed backup and data protection strategies, and the understanding that no networked PC is immune.
Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
Microsoft Researchers = Oxymoron?
Who is more foolish? The fool, or the fool who follows?
hey microsift, check out tripwire, asshats
Microsoft is actually admitting their operating system is so buggy that software without Microsoft's permission can intercept calls to Root..
Is there anyone out there with the Time and Resources to start the Class Action Suit..
We have always known Windows has problems, now Microsoft even admits it..
What would their defence in a class action law suit even be?????
I'm not well educated on the concept or existence of rootkits, but I get the impression that they exist on Linux as well as Windows operating systems. My question to the /. community is: which OS is most easily infected by a rootkit?
Just because something is possible doesn't make it probable. Viruses may or may not be possible on Mac OS X and Linux operating systems, but they are clearly not probable (based on the extremely low number actually found in the wild).
So just how probable are rootkits on the respective operating systems?
With Linux, you can boot from a live CD and validate every file and package on your system.
You can even chroot the system, wipe the boot sector and re-install the kernel.
This might be "impossible" to clean on Windows, but on Linux, it's just really annoying.
"The Windows installer should have a partition editor,"
Check! Windows XP and 2000 both have it.
"It should allow you to easily install Windows on a separate partition from your data."
Just did it last week!
"Then you can keep /home on a separate partition, /var on a sep.."
It's called "Documents and Settings".
how long until
Wouldn't it still be quite possible to scan the system from a non infected source, such as the UBCD4Win? Its a bootable cd, like knoppix and others, but with a light version of windows XP and a ton of cleaning tools. I use it regularly for cleaning spyware and viruses off thoroughly infected systems.
It's able to cope with systems having hundreds of virii and such. If you trust it to remove simpler malware, then ingrained rootkits should be a similar problem for an 'external' system. Not to mention it has all the critical XP system files handy for replacements. A bit easier than the 'nuke it all' approach, which is beginning to sound like 'reboot and see if the problem goes away'.
If your first web page viewed wasn't www.drbizzaro.com to wack off to PrOn, maybe you wouldn't get MS Blaster in da 3 minutes it took ya.
President Bush Supporter
This replaces ntoskrnl.exe?
Why would that be impossible to fix? Wouldn't just using something like Bart's PE or Knoppix and copying an unmolested copy back on to your system work?
I prefer to virus/spyware scan a system from a bootable CD rather than the host OS.
But yes... detection under the hacked kernel would be harder.
These guys have security software that is light years ahead. Start with 'Process Guard'. http://www.diamondcs.com.au/
Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools
This coming from a company who specializes in swiss cheese security? I have a feeling Microsoft is going to turn into one of those companies who produce a massively destructive virus, and sell the cure.
Ok. I got nothing.
"A microprocessor... is a terrible thing to waste." -- GeneralEmergency
Nothing much changes it would seem.
Stick Men
Just reformat.. There its clean.
Sounds almost like a setup "well, you are infected with that damned spyware so you gotta upgrade"
Don't laugh, I have heard of several so-called computer support guys getting extra cash and spare machines this way...
Though today users are getting a bit smarter..
---- Booth was a patriot ----
Unless there's something really new and complex going on here, not only is this not new, but IT professionals already have ways of dealing with it. In our case, on a live system with one reboot required. I wouldn't call it minor, certainly (10 minutes of downtime is 10 minutes of downtime), but... hell, if script kiddies have been using this for months and months...
This is just another blatant plug for why trusted computing is necessary. It seems to be all too common a practice these days. "They've got WMDs!", "Social Security is in a crisis!", "The bad guys can get your computer and there is nothing you can do!" To parrot an overworked phrase except with the middle filled in:
1. Scare public
2. Propose unpalatable solution
3. Profit!!
I'm sick of people threatening and trying to scare me.
In Republican America phones tap you.
Linux.
Not really meant as a joke but A Linux Live-CD with an anti-spyware tool and a full RW version of NTFS seems like a good solution. Boot from the CD and have the anti-spyware tool go through the system and have it remove the malware. If you have a network connection it could even update the spyware tool over the Internet.
Of course Microsoft could make a live cd version of Windows to do the same thing but will they?
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Easy enough I thought, I'll just remove physically the file and the process. But no; the file wasn't ANYWHERE. Yes, I unchecked the "Hide protected system files" checkbox and I was on SHOW HIDDEN FILES, so ALL files were displayed. Heck, a dir /s on the root of the filesystem didn't even work... I thought that it would be possible that the file has another name, renamed itself to that, made its dirty business then renamed itself. I fired up Filemon (from Sysinternal) and sure enough, I see plenty of activity from a process named elitegfk.exe but STILL no sign of the file and/or process. I scanned the registry, and regedit.exe took 2 seconds to complete the scan... !
I was on the verge of reformatting the system when I thought about something: I accessed the laptop through the admin share (\\computer\c$); sure enough, the file was there, sitting quietly sitting in c:\winnt\system32 (Win2k system)...
The spyware prevented its own display through taskmgr, explorer and regedit. Regedt32 didn't work; I got a virtual memory low error when I tried to scan the registry. The ONLY way I could see the file was through Filemon AND through the file sharing...
I'm guessing the next one will palliate those things by attaching themselves to the most common troubleshooting tools like regmon and attaching themselves to the SMB protocol to make sure they can't be displayed through the shares...
This is getting ridiculous. Yes, you'll tell me to switch to Firefox, but we can't; I work in an artistic company with 1000+ PCs and non-tech-savvy users, and tons of internal apps that were developed either with .Net or massive ActiveX and other MS-only stuff, so we can't switch everything to Firefox, and having 2 browsers isn't a viable option either, since most of our users would simply get confused.
Anyway.
Ok, despite the collision weaknesses in some algos, we all know hashes are pretty effective at detecting changed files. So, the next time your antivirus software checks that your system files haven't been modified it might whine about the differences...
And if you really want to be sure, boot from CD to ensure you're not running any kernel process that magically corrects any anomalies.
Sure, it may be inconvenient to check for this but the real problem is that most people *won't* boot from CD to do a virus scan. Some of us will if we need to, though.
Once you're infected, in order to detect or clean, you have to cold boot from known clean media. How to conveniently do this with Windows, I have no idea. (I used to sometimes check clients' machines by booting from an MS-DOS 6.22 floppy and running F-Prot, but it got harder'n'harder to make that work, for a variety of reasons. It eventually got where the only way I knew to reliably do it, was to physically transplant their hard disk to another Windows machine that was known to be ok. As this was usually impractical, expensive, etc, people stopped asking me for help. ;-)
That's one of the reasons I consider the Windows AV market to mainly be snake-oil. In my limited experience with Windows, all the AV products I've seen, were just applications that the user was expected to run while possibly already compromised. It amused me that people paid for that stuff.
If you're relying on a scanner to detect and clean stuff after the fact, it's too late and you have no reasonable expectation of the product actually working. The only workable defense is to not get infected in the first place.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Google for 'mac osx rootkit' turns up about 3000 hits, the top being an osx rootkit.
Ironically, it will probably be the annoyance of pervasive spyware that causes the death of internet privacy: every process stream will be digitally signed and serialized.
We can filter out the bad guys at the cost of definitively identifying you.
Packet sniffer Netstat
-73, de n1ywb
www.n1ywb.com
runas /user:administrator "Control.exe TIMEDATE.CPL" (for the GUI)
runas /user:administrator "time 12:13:14" ... etc
I have been a Windows admin for many years (not by choice, Linux runs at home), but Microsoft has come a loooong way in making sure that you don't have to be logged in as Admin to perform any function. It just takes a little scripting.
Why do these people compile and install trojan software? Don't they do a code review before installation?
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
This is true of any OS where the infection process is running as root/Administrator. If the user is not running their user account as an administrator, Windows' ACLs would stop the rootkit from being installed, similarly to how Linux protects system directories from normal users.
Blaster doesn't work that way dumpkof.
"Kernel Rootkit" != Rootkit. And notice the quotes. (If you don't understand, then you probably weren't meant to)
Yeah, and make that OS a Linux or *BSD* OS! Otherwise, if these rootkits are around, it's rinse and repeat every other day...
Slightly OT story: I was doing tech support for my father-in-law. Due to Windows spyware and instability, I was almost going to give up, with predictable consequences over the mood whenever we visited my wife's family. So I told him I would install Linux on his PC and support him. Since then, the only tech support intervention he has needed was when his HD died. He knows he shouldn't use the root password ever.
Linux: The only way to cut on tech support for family PCs. (Another in-law is a Mac person, never a complaint either!)
It's geek humor, it's weird, it's a free web comic! www.surliness.com
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
MS kernel rootkits are probably coming from the same people who, in their day jobs, write remote administration tools for corporate customers. IT management doesn't want the worker population to know just when they're taking a peek, monitoring use, or snooping around.
Why doesn't Microsoft generate hashes (longish ones would be nice) of all the files it publishes and then offer them as a reference for anyone who has to clean up their system?
The second thing they could do is try and stop people (read: software developers, and themselves) from dumping anything into the SYSTEM32 directory. It's just poor organisation. Nothing to do with technical problems - does Windows have the equivalent of ldconfig or LD_LIBRARY_PATH?
[ Monday is a terrible way to spend one seventh of your life. ]
Hardware-level security. At least, this seems to be the way to push for it. "Prove" that security can't be maintained at the software-level, then push for "Trusted Computing" or some such BS. Right now, it is to MS's advantage to prove that security through software is inherently flawed and impossible, then use that to their advantage in locking out other operating systems with hardware-level components. "Run for your lives!" -> "Run to the MS bunker!"
That would just be paranoia, but how does a user get a rootkit in the first place? Visiting a site with a malformed URL?
Always do right. This will gratify some people and astonish the rest. -- Mark Twain
I would also add a digital signature check to the bootstrap process, so that critical operating system code wouldn't be loaded unless it was signed by Microsoft.
My hovercraft is full of eels
...when you want to use the Internet. You don't even need to possess a hard drive.
Heresy! There's no spyware that a little FORMAT C: can't handle!
Yes UNIX system have had rootkit problems for a long time.
However, how did those rootkits get installed? Typically through holes in services, like FTP server exploits or web server exploits or whatever.
But OSX has none of those running by default. That's right, none. So while in theory possibly you could develop an exploit against, say, Apache on the Mac (the port you'd most likely be able to get to) it wouldn't reach many people at all, and so the user base would have to be quite huge to make it worth the effort to even try.
The other potential vector is user apps like the browser or users simply running a silly program. But there the app has a greater hurdle, as no users on OSX are "root" users and thus are unable to easily install a rootkit. At best you'll get an admin user to possibly type in his password, but that will again affect a lot fewer people as not so many will be willing to type in an admin password just to see blinky the fish swim around on-screen. Compare and contrast with so many Windows users that run Admin because some games require it.
Lastly, let's say a rootkit does get through. Software Update runs on every Mac by default every week, so Apple has a chance to go after it that way. Possibly of course they can intercept what Software Update is doing, but it adds another layer of complexity to what they are doing.
Yes, possibly the same thing can be done on a Mac. Just as someone can break into a car stored in a private garage - but it's a lot less likely than if you leave your car parked on the street in an iffy neighborhood, which is what all Windows boxes are nowadays. With SP2 all they've done is decided to park under the streetlight instead of in the shadows.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. dir /a /s > a:\infected.txt
2. reboot to floppy w/ NTFSDOS on it
3. dir /a /s > a:\reality.txt
4. diff infected.txt reality.txt
Not a bad idea, I thought Microsoft Research did more hardcore stuff though....
He who fights with monsters should see to it that he does not become a monster in the process. --Nietzsche
A "prototype detection tool", useful for detecting prototypes.
The tool immediately concluded that Windows itself is a
prototype, and asked the user to discard the prototype in favor
of something production-quality. Unable to find anything
meeting that description from Microsoft, the user explored other
freedoms.
"Microsoft killed my company, I hold a personal grudge. I don't use Microsoft products and neither should you."-JWZ
There's an OS out there that doesn't allow spyware or viruses to run: OS/400. It has a protected memory scheme that doesn't allow processes to touch other processes, or the 'kernel'. Hm.
EARTH TO MICROSOFT: get rid of the whole incestuous Active-X/Active-Desktop/HTML Control/Security Zones approach to security, and do what every other browser out there does: implement a security model that's default-closed and requires an obvious and intrusive operation (installing a plugin, usually restarting the browser) to grant additional privileges to some component.
.NET, I'll warrant.
Oh, and the same foul-up fairy is lurking in
cron job chkrootkit? oh shiii I forgot we are talking Windows
the very laws of physics and logic make it entirely impossible to create a system that could not be spoofed like this... checksum chains and secure module loading... these types of ideas cannot exist in this universe... we are screwed.. .except microsoft. because you know.
3. Profit Anyway!!!!
yeah I'm kidding... or am I?
Of course, software alone doesn't define the behaviour of the machine: there's also the mighty Registry, and it would be next to impossible to apply TCPA principles there.
Forgive me for my lack of ignorance on the following questions, but if Windows, say in Longhorn, would just stop allowing everything and anyone but admin to install or execute files, wouldn't that solve the spyware problem? Is that actually a hard thing to do?
Wow that's a while for a Windows machine to go uncompromised online. Last I heard, 15 seconds was how long it took.
Blaster is a worm. It exploits a security hole without requiring any user interaction. Even if you don't touch the mouse your computer will still be infected. A correctly configured firewall will block it though.
I'll probably be modded down for this...
...why they made their AntiSpyware software free
Step 1 - Install linux -end
Good Karma, Bad Karma, doesnt matter to me... I'm still going to say whats on my mind!
... through hacking/viruses/spyware/etc - it's all the same - there's only one secure solution. Wipe and start over. A compromised machine can never be clean again, no matter what cleanup tools you run.
Someone was telling me once that IBM's virus cleanup policy a few years ago was reimage. No backup of your machine, just an image. Would you want the risk of something hanging around and leaking sensitive corporate data?
The obvious solution though is to run untrusted apps (Web/mail) in a jail, where they can't touch the rest of the system. Or at least un-integrate them from the OS!
I use Macs to up my productivity, so up yours Microsoft!
Damn.. now I'm going to have that theme song in my head all day.. :->
When there's something weird,
and it don't look good
Who ya gonna call?
MI-CRO-SOFT??! (Wait..)
I am the maverick of Slashdot
Five links deep, I found the original paper. The procedure goes as follows:
1. Scan the hard drive while running the potentially infected kernel.
2. Scan the drive while running from a write protected media running windows PE with a diff tool installed.
3. diff the two results, and the difference is what is being hidden!
Pretty obvious, really. But there's a slight problem with it: you might as well do the whole spyware/virus scan from the CD and be done with it. I mean, it's pretty much just as easy to detect the malware with known signatures as it is with a diff of the file listings. I'd wager that you could accomplish the same thing they're doing with almost any Linux-based live CD.
I Browse at +4 Flamebait
Open Source Sysadmin
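The cross-view diff that the post above (and the earlier "dir /a /s ... diff infected.txt reality.txt" recipe) describes, as an added example that is not code from the Microsoft Research paper or from any poster: it compares a file listing taken inside the possibly rootkitted OS against one taken after booting from read-only media, and reports what the live view hides or misreports. The listing format (path, size, digest, tab-separated), the VOLATILE ignore list and all sample paths and digests are constructed for this example; the hidden file name echoes the elitegfk.exe anecdote in the thread.

```python
"""Cross-view diff of a live-OS file listing against a clean-boot listing.

Added example (not from the paper or the thread). LIVE is what the running,
possibly rootkitted OS reports; CLEAN is what a kernel booted from read-only
media sees. A kernel rootkit that filters directory enumeration produces
files present in CLEAN but absent from LIVE; one that serves a clean copy of
a file it has patched (the old DOS-virus trick) produces digest mismatches.
"""
from dataclasses import dataclass

# Paths that legitimately differ between a live session and a clean boot
# (constructed list; a real run needs an ignore list tuned per OS version).
VOLATILE = {p.casefold() for p in (
    r"c:\pagefile.sys",
    r"c:\winnt\system32\config\system.log",
)}


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    digest: str


def parse_listing(text: str) -> dict[str, Entry]:
    """Parse 'path<TAB>size<TAB>hexdigest' lines into a map keyed by folded path."""
    entries: dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"malformed listing line: {raw!r}")
        path, size, digest = parts
        # NTFS path lookups are case-insensitive, so fold the key.
        entries[path.casefold()] = Entry(path, int(size), digest.lower())
    return entries


def cross_view_diff(live: dict[str, Entry], clean: dict[str, Entry]) -> dict[str, list[str]]:
    """Report what the live view hides, invents, or misreports relative to the clean view."""
    hidden: list[str] = []    # on disk, but filtered out of the live view
    ghost: list[str] = []     # reported live, but not on disk
    tampered: list[str] = []  # visible in both, but live view lies about content
    for key in sorted(set(live) | set(clean)):
        if key in VOLATILE:
            continue
        if key not in live:
            hidden.append(clean[key].path)
        elif key not in clean:
            ghost.append(live[key].path)
        elif (live[key].size, live[key].digest) != (clean[key].size, clean[key].digest):
            tampered.append(clean[key].path)
    return {"hidden": hidden, "ghost": ghost, "tampered": tampered}


def _listing(rows: list[tuple[str, int, str]]) -> str:
    return "\n".join(f"{path}\t{size}\t{digest}" for path, size, digest in rows)


# Constructed sample listings: sizes and digests are made up. The live view
# omits elitegfk.exe entirely and returns the pristine digest for a patched
# kernel32.dll; pagefile.sys differs only because it is volatile.
LIVE_LISTING = _listing([
    (r"c:\pagefile.sys", 402653184, "1111"),
    (r"c:\winnt\system32\ntoskrnl.exe", 1994240, "aaaa"),
    (r"c:\winnt\system32\kernel32.dll", 742912, "bbbb"),
])
CLEAN_LISTING = _listing([
    (r"c:\pagefile.sys", 402653184, "2222"),
    (r"c:\winnt\system32\ntoskrnl.exe", 1994240, "aaaa"),
    (r"c:\winnt\system32\kernel32.dll", 742912, "cccc"),
    (r"c:\winnt\system32\elitegfk.exe", 65536, "dead"),
])


def run_example() -> dict[str, list[str]]:
    """Diff the constructed listings; returns the three finding lists."""
    return cross_view_diff(parse_listing(LIVE_LISTING), parse_listing(CLEAN_LISTING))


if __name__ == "__main__":
    for kind, paths in run_example().items():
        print(f"{kind}: {paths}")
```

Anything in "hidden" or "tampered" is a file the running kernel is lying about, which is the signal the paper's prototype looks for; the ghost and volatile buckets exist because files created or rewritten between the two boots would otherwise be false positives.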
If things this devious can be slipped through the OS, I wonder what other features of the OS can be bypassed or circumvented. Like DRM, Broadcast flag integration, botnets and the like. I guess MS is just covering the A$$ets, and beginning to build a veneer of plausible deniability.
My cat's picked up a Hammer. HEY! Put down that Hammer. Put Down that Hamm...THUNK!
I warned you this was going to happen. http://the16types.info/forums/viewtopic.php?t=155 Actually now you have been warned.
I personally love this new development. I hope these hackers go to town and stay all night. My fondest wish would be that they RUIN microsoft and the vole goes bankrupt!
OSX is more secure in many ways. For those that know what they are doing... (they usually don't get infected but that's beside the point) you can use the "chflags schg" command as root to lock a file so that it cannot be modified. The flag can only be cleared in single-user mode. Standard Linux distros with ext2/ext3/reiserfs don't have that. I'm not real up to speed on WinXP or 2003, so I don't know if they have a single-user mode (or a real multi-user mode). But OSX can be hardened to where you can be sure the kernel or critical libs cannot be updated.
There is a utility that already exists to remove some of the new kernel level Malware utilities out there. It is referred to as LSPFIX. The home website for this is:
http://www.cexx.org/lspfix.htm
This utility allows you to see what network level drivers are loading into the kernel. I've had to use this utility to strip Malware off of several client systems. Be very careful, if you pull out a legitimate network driver, you will permanently damage your network settings.
Go to http://knoppix.org and get a disk and reboot. Voila, no spyware. MS has serious trust issues at this point. The main reason I run Linux instead of Windows is that I just don't trust what Windows is doing and there's no way for me to find out.
Sure, there's Bart's Preinstalled Environment bootable-cd-maker but MS really should release a bootable CD of its OSes, complete with cleanup- and other system-maintenance tools, to the community. Heck, I wouldn't even mind typing in my MS-Windows serial number or inserting a floppy that had a key-holding file copied from my hard disk every time I boot. Heck, I'll even pay $5 for the media and give Microsoft my name and address for a tool this useful.
Knoppix rocks but there are some Windows-maintenance things that are much easier in a Windows-booted environment.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Sounds exactly like something the managers would want.
So, this is kinda cool :) Don't worry about good ol' spyware, your Windows is crapped because invisible stuff running in the background that only we can detect and the solution is to reinstall :) Not that you didn't have to clean install (or re-ghost) your Windows every now and then, but at least now you have an official Microsoft reason for that :)
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
You forgot to start your list by using <ul> for unordered list. Therefore, your bullet points appear outside of your post's margin rather than inside. So, the correct procedure is:
<ul>
<li>bullet point one</li>
<li>bullet point two</li>
<li>bullet point n</li>
</ul>
This has been a public service announcement.
R00tkits will get installed on Macs the same way they get installed on Linux: through a combination of two exploits. First, the hacker uses an exploit to obtain shell access with an unprivileged account. Typical exploits include holes in Samba or CUPS (which OSX also uses), browser bugs (e.g. libpng overflows), holes in various daemons (if you use your OSX as a server), or even simply using a keylogger on a public machine to catch a user's password.
Then, the hacker uses a second exploit to elevate his local shell access to local root. Typical exploits of this nature include thread race conditions in the kernel, the kernel failing to properly sanitize input, or problems when a process is shifted from one kernel security infrastructure to another. The Linux kernel had a number of local root exploits in the past few months. IIRC Apple usually doesn't publish its list of security vulnerabilities (it just puts the fixes on Software Update, without fully explaining what they fix), so I can't comment on the security of the Darwin xnu kernel.
Thus, I would say it's about as easy to install a rootkit on a Linux workstation as on an OSX desktop (and similarly, it's as easy to install a rootkit on a Linux server as on an OSX server). In other words, you need an unpatched system vulnerable to a specific pair of exploits, a clueless admin, and a skilled hacker -- which is not an impossible combination.
I mean, I've been trying to remove "explorer.exe" forever but that damn virus just won't go away.
I might know what I'm talkin' about, but then again, this is Slashdot...
how flawed this operating system is.
Flaw #1: Any app can make arbitrary changes to the registry.
Flaw #2: Any app can make arbitrary changes to the system files.
Flaw #3: There is no "safe-mode" for core utilities, that would bypass any hijacking of system calls.
Now can anybody explain to me what was the point of having "system, readonly" attributes, if they can just be turned off?
Bill Gates never wanted to admit it. But this is just proof that Windows is nothing but MS-DOS "on steroids".
Till a few days ago, I thought Linux would be the doom of Microsoft, defeating it like David defeated Goliath. But it turns out.. Goliath is about to die from a genetic anomaly. His very nature gave him a short lifespan.
Oh joy...
One of the computers I support had a very nasty piece of spyware. I am not sure if it was exploiting the same things described by Microsoft, but it had the following symptoms:
1. The process would not show up in task manager
2. The related files would not show up in Explorer
3. The related registry keys did not show up in regedit
4. It somehow was being called by Winlogon, so it ran even in safe mode.
The way I detected it was by using several Sysinternals utilities http://www.sysinternals.com/. I have a script that uses pslist to monitor all processes on the network and this spyware was not smart enough to hide from that. A remote regedit session enabled you to see the related registry files. I had to use BartPE http://www.nu2.nu/pebuilder/ to mount the drive and clean out the related files and registry keys.
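The detection described in the post above, a process listing taken over the network compared against what the box's own Task Manager showed, is a cross-view diff: enumerate the same objects from inside the suspect system and from a vantage point its hooks do not control, and anything the outside view sees that the inside view omits is being hidden. The Python below is an added example, not code from the poster, from Sysinternals or from Microsoft's tool; the process names, file paths, sizes and the Winlogon Notify subkey in the sample views ("hidden-svc.exe", "hook.sys") are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    """One object reported by some view of the system."""
    kind: str                    # "process", "file" or "regkey"
    name: str                    # image name, file path or registry key path
    size: Optional[int] = None   # file size in bytes; None where not applicable

    def key(self) -> Tuple[str, str]:
        # Windows image names, paths and key names are case-insensitive.
        return (self.kind, self.name.lower())


def cross_view_diff(inside: List[Entry], outside: List[Entry]):
    """Compare what the suspect machine says about itself with a trusted view.

    inside  -- what the box's own tools (Task Manager, Explorer, regedit)
               report; these calls go through whatever APIs are hooked.
    outside -- the same objects enumerated from a vantage point the hooks do
               not control: a remote process listing, a remote registry
               connection, or the disk mounted from a boot CD.

    Returns (hidden, tampered): objects the outside view sees but the inside
    view omits, and objects both views see but describe differently.
    """
    inside_map = {e.key(): e for e in inside}
    outside_map = {e.key(): e for e in outside}

    hidden = [outside_map[k] for k in sorted(outside_map.keys() - inside_map.keys())]
    tampered = [
        (inside_map[k], outside_map[k])
        for k in sorted(inside_map.keys() & outside_map.keys())
        if inside_map[k].size != outside_map[k].size
    ]
    return hidden, tampered


def report(hidden, tampered) -> List[str]:
    """Human-readable lines, one per finding."""
    lines = [f"HIDDEN   {e.kind:8} {e.name}" for e in hidden]
    lines += [
        f"TAMPERED {i.kind:8} {o.name} (inside says {i.size} bytes, outside {o.size})"
        for i, o in tampered
    ]
    return lines


# Constructed sample views (not real telemetry). "hidden-svc.exe", "hook.sys"
# and the Winlogon Notify subkey are placeholder names; the sizes are made up.
OUTSIDE_VIEW = [
    Entry("process", "explorer.exe"),
    Entry("process", "winlogon.exe"),
    Entry("process", "hidden-svc.exe"),
    Entry("file", r"C:\WINDOWS\system32\ntoskrnl.exe", size=2_180_096),
    Entry("file", r"C:\WINDOWS\system32\hidden-svc.exe", size=61_440),
    Entry("file", r"C:\WINDOWS\system32\drivers\hook.sys", size=16_384),
    Entry("regkey", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hidden-svc"),
]
INSIDE_VIEW = [
    Entry("process", "explorer.exe"),
    Entry("process", "winlogon.exe"),
    Entry("file", r"C:\WINDOWS\system32\ntoskrnl.exe", size=2_180_096),
    Entry("file", r"C:\WINDOWS\system32\drivers\hook.sys", size=0),  # size lied about
]

if __name__ == "__main__":
    for line in report(*cross_view_diff(INSIDE_VIEW, OUTSIDE_VIEW)):
        print(line)
```

Two practical points: the two views must be captured as close together in time as possible, since processes that start or exit between the captures show up as false hidden or false missing entries; and a remote listing only works when the hooks stop at the local APIs, so the strongest outside view is the disk mounted from a known-clean boot, which no in-kernel hook on the suspect system can filter.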
I got infected in 30 seconds!
For Microsoft to make a statement such as this could only mean one thing: they intend to push for trusted computing. Watch for them to lobby the government(s) for this:
trusted computing
Enjoy,
It's just the normal noises in here.
It's a supposition, but maybe all this stuff is to stop OS emulators or something like that...
The OS binaries themselves are all digitally signed with MS's cert. Just have the install cd have an option to verify signatures on all binaries. When it comes up with a binary signed by another company, it asks if you trust that company. If a binary comes up without a digital signature, it asks if you trust that binary. The default answer would be no.
pstools
My Linux Command of the Day site : LCOD
Back in that time, there were plenty of DOS viruses that were using "tunneling" techniques to bypass the chain of hooks on interrupt vectors. Still, if it is the same here, that's detectable; you just need to have a detector that is also using the same methods used by the spyware to be the first to intercept calls...
By instilling the fear in the customer's heart, they prepare him for the sacrifices required by the war on terroris^H^H^H^H^H^H^H^Hspyware. Soon, we will all welcome and cheer our savior, the almighty NGSCB! aka Palladium, aka TCPA. No more privacy and control over your own data and communications, but that's the price to pay, my friend. They can put virii IN THE KERNEL if you do not have a big TCPA chip deep in the guts of your PC.
Microsoft "Palladium": A Business Overview
Combining Microsoft Windows Features, Personal Computing Hardware, and Software Applications for Greater Security, Personal Privacy and System Integrity
Sure.
--
Go Debian!
They've had rootkits like this for Unix/Linux for over a decade. I guess we have another good 15 years' worth of bugs to get out of Windows, but then it would look a lot more like Linux. I'm surprised that they feel they need to do that yet. Windows is still way too buggy to require something this sophisticated yet.
Any app can do the same thing in Linux. What's your point?
Perhaps M$ is preparing the field for its future digitally-signed software. Scare tactics (FUD) are shown to be good strategies to increase revenues when releasing new products or fighting out competition.
However, don't worry, no one ever got fired for choosing Microsoft.
If you want to know more about detecting kernel rootkits and cryptographically signed kernel modules, check out this paper by Dino Dai Zovi.
Linux and Solaris admins have been coping with kernel-inserted malware for years. It will be amusing to see if the Windows victims do distinctly better or worse with it.
"But all your emitter and collector are belong to me!"
I love that the Microsoft-recommended solution is to reinstall the
hard drive. How practical will that be to their customers? "Excuse
me, Mrs. Jones/CIO Smith, you apparently have a bug we can't even
see, much less delete. Please use your Windows disks to reformat and
reinstall the OS. You did back up all your data, right? You'll also
have to take time to reinstall it. Hope the bug's not backed up
along with your data, cause like we said, we can't see it once it
runs."
I'm glad I use an open-source kernel (Linux), that I can recompile
and reinstall any time I want. That way, the little beasties that
are described in this article, even if they were re-written for Linux
and somehow got through my firewalls, could be wiped out by
recreating the kernel program. Once I make and install a clean
kernel, it will be allowed to tell me where the beasties are stored
on disk, and then I can delete them.
Microsoft cannot let you recompile the kernel, because they sell
their kernel, and this prevents them from sharing the source code
with you. If they provided a backup kernel with their distribution,
the bug could infect that too. If they let people download a clean
kernel from the web, how would they prevent an infected kernel from
infecting the new kernel as soon as it was downloaded?
With Linux, I can change things enough that the compromised system
can't tell I'm compiling or installing a replacement kernel. (Though
I might also have to recompile and reinstall the boot loader, if it
was compromised. The point is, this can all be automated, and I
would not have to reinstall the hard drive.)
I don't worry about viruses in Linux anyway, since I don't have to
have root/administrator permissions to do my daily work in Unix. The
commands I run on a daily basis don't have the authority to do
anything to hurt my kernel.
This is a variation on an old "who do you trust" problem that Brian
Kernighan came up with while writing C: he compiled a custom compiler
that put a back door in the "login" program. So the back door wasn't
in the login source code. Once he added the same type of code to the
C compiler, it didn't have to be in the C compiler source code
either.
Wasn't this the point of SFC? Interrupt system calls in the kernel in order to prevent people from overwriting key system files? Interrupt the opening of these files for writing or implement some checks in there.
Yet another flawed marketing ploy I guess.
-M
when you see the word 'Linux', drink!
If you're truly paranoid, you can disable loadable modules, thus preventing a kernel-level rootkit module from being loaded.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
The Unquirer has a story that the next generation of Angel Spyware exploits that are starting to make use of "kernel crappiness". A paper at Microsoft Research has details on a tool that spies on your Windows kernel and attempts to fix its bugs. Computerworld has more details, as well." From the article: "Newer Windows Service Patches can intercept system calls that are passed to the kernel by legitimate software and filter out queries generated by malware. This makes Windows completely vulnerable to bugs and to rootkit tools..."
Towards the Singularity.
... and many Linux users seem to prefer logging in as the root exclusively, this is a big potential problem. However, in Mac OS X, the root account is disabled by default to avoid this kind of behavior.
In other news: Bill Gates Promises Action on Spyware & Malware
http://business.newsfactor.com/story.xhtml?story_title=Gates-Promises-Action-on-Spyware--Malware&story_id=1510.46178820&category=business
Serge
i for one welcome our new kernel-mode overlords!
Right Click on the My Documents link on your desktop, select Move and tell it to put it to D:\whereever the hell I feel like it, and it'll ask you if you want to move all of your existing documents to the new folder.
Hit yes, and you're done.
You are exactly the kind of person that ends up with Spyware, Adware, and will get his XP hacked.
A true admin knows that you have to do more than this, including locking down the PC after the install, installing all the necessary patches, etc.
"Is this a joke?" No, it's reality.
http://research.microsoft.com/research/pubs/view.aspx?tr_id=775
Something I've worked with is a VMWare Server. You can serve out a windows image, to linux or whatever else, and make the VMWare image run in a temporary space. I don't remember what the setting is called but it doesn't keep any changes you make, as soon as you kill the session you have to start over.
You can also use this with AFS so that your files are always available to you when you boot the virtual windows.
If you get a problem, just restart the VMWare session. Within minutes you have a brand new windows box (virtual) to play with.
Security is also centralized as the admin only has to update the master image on the server.
I've seen this done. It works great. Or at least it did with Windows 98. I've never seen it done with NT 5+ (2k/XP).
http://research.microsoft.com/sm/strider/spyware/
Bart, of Bart's PE fame, says in the Bart PE FAQ:
Q: Why can't Windows 2000/NT4 be used to build BartPE? Is there a technical reason for this?
A: Yes, that kernel does not support the "/minint" switch and therefore cannot boot from readonly media... Also the layout.inf does not contain required information.
There you have it. NT and 2000 cannot boot from CD (well, maybe they could using a boot-loader-initialized ramdisk hack).
Win95, 98, and ME are all DOS-based kernels, and should be able to boot from CD.
Regrettably, there is little progress in convincing people IE-only sites are a bad thing.
However, centralised administration and lockdown of IE is totally possible. We do it - Internet Zone at High, Trusted Sites locked list, using IEAK and Group Policies to allow only sites we know are kosher and deploying Mozilla as default browser for other sites. (We used to use Mozilla Mail but are moving from IMAP).
Just because you can't replace the door doesn't mean you can't replace the locks. Get Firefox. Get IEAK. Get to know GPEDIT.MSC and POLEDIT.EXE
I used a similar tool called zap on various Unix servers back in 1989-93. It completely wiped all process traces from ps output and even took care of the who and lastlog commands. The tool required root privs but I suspect that these rootkits require WNT/W2K admin privs as well since they write to system directories.
I reimage my computer almost every week. On a sign of virus, key logger, trojan, screen flickering, mouse moving by itself... I reimage my PC, boot with BartPE, use ClamAV + a couple of other antivirus programs to check the hard drives that do contain my data (I don't keep anything good on the system partition - at least). Then zero-fill the system hard drive. THEN I boot into the reimaged system that is clean. Phew...
If I can do it, why can't other people do it? By making an image I avoid having to reactivate windows. That's it.
Your rootkit are belong to us... get it?
Have a good one.
===== "Every head is a different world so don't invade mine you FREAK!" smartSAGA said
Knoppix: learn it, live it, love it.
[o]_O
The usefulness of being able to run, for example, Tripwire from a known clean OS makes me wonder why it isn't standard on KNOPPIX. Does anyone know of a CD distro that offers Tripwire or a similar MD5-based integrity utility standard?
//Information does not want to be free; it wants to breed.
> having 2 browsers isn't a viable option either, since most of our users
> would simply get confused.
Too bad for you. But I could see ActiveX and all that MS tech was crap from day one and never touched the stuff. Others were not so bright. In a free market the bad ideas and those who support/defend them eventually pay the ultimate price for mistakes of this magnitude: being outcompeted by the smarter, more technically agile ones.
Your firm is at a disadvantage now that will grow even worse in the coming years as your employer continues to throw good money after bad by incorrectly taking the advice of idiots like yourself. YOU will become as employable as a CNE and I will not worry at all over your fate since it is clear you have chosen poorly and do not belong in the IT game. The invisible hand of the marketplace will reassign you to a career more suited to your limited vision.
The cluetrain has even made it to the dimwits at the Dept of Homeland Security that using IE is harmful/fatal to the nation's IT infrastructure yet you whine that "we just can't stop using it, learning to click on a different icon would be too hard." Bah.
YOU are the IT dept, it is YOUR duty to select and deploy the Information Technology you know to be the safest and most cost effective. It is the 'artistic types' job to produce the creative output that is the lifeblood of your company, but it is NOT their job to make the technology decisions because they aren't competent to make those decisions anymore than YOU could replace the artists in their jobs. So stop whining and do your f***ing job or else don't come here bitching when your boss finally realizes you aren't and replaces you with someone who will protect the company's assets.
Democrat delenda est
I think the root of the problem is that most Windows systems (unless centrally managed) are usually set up so that normal users are logged in with elevated privileges. If they were logged in without supernatural privileges then the damage done by the spyware, viruses, and trojans would be limited just to your account and files (i.e. the rest of the system, and certainly the kernel, would be unaffected). So, it seems like the best strategy to fight spyware is to end the current practice of using the administrator account. I am sure that Microsoft could even do something to discourage its use.
If the program modifies the Windows kernel in such a way that it is undetectable, couldn't a simple boot CD (running something other than Windows) with a spyware scanner work? Sounds like a potential use of Knoppix, although I'm unaware of any anti-spyware programs for Linux (as spyware is not really a problem on Linux). Something like ClamAV but for spyware would be nice.
I find that totally, and in all other ways, unpossible. You keep using that word. I am not sure it means what you think it means. ;-)
"by comparing clean and suspect versions of Windows and looking for differences"
Note to self: Today I added some extra code to my Kernel Rootkit to return bogus file size.
...userland security tools are utter BS. Why the hell would you buy an "internet security suite" for desktops when you can use a standalone box to secure your network?
Nuff said.
(Assuming that you have good backups of your OpenOffice.org gzipped XML doc files, the source code to your programming projects, etc., etc. regularly backed up to CDRs.)
this was meant as a joke to the gp's login.
Remember kids, using XP is like having unprotected sex with prostitutes. You're going to get infected pretty regularly, so always have lots of penicillin on hand.
See the page at http://www.cybersource.com.au/product/safe_internet_computer/, and look at the pretty S5 slideshow (the screenshots page). It's a Knoppix-based computer (it's branded as a hardware solution) that's been designed to make Windows users feel at home - IceWM with the SilveradoXP theme, OO.o listed as "Word Processor," "Spreadsheet," etc. Users can use the internet safely, and even if something is compromised, it will be gone at reboot. Of course, there are some complications involved with not having any permanent storage, but the system basically works.
Disclaimer: I'm somewhat connected to Cybersource, but I don't have anything to gain from this.
-ReK
md5sum -c reality.md5
reality: FAILED
md5sum: WARNING: 1 of 1 computed checksum did NOT match
And they say that Windows is more secure than Linux. OMFG. This is crap, i simply can't believe it...
Microsoft is more secure then Linux.
irc.enterthegame.com #linux
if there's a way to use Linux rescue CDs to do the same job, i.e. to fix an infected Windows drive? Or simply put, what are Ad-Aware and McAfee's equivalents in Linux? Of course, I mean cleaning Windows, not Linux; guess everybody here understands that. ;-)
If there are such tools in Linux, then maintaining a Windows PC would be as simple as making it dual-boot with a bullet-proof Linux distro, switching it to Linux every night and letting Linux do all the magic. If you need to change anything, just ssh into the box, no matter how far you are from it. No CD burning (of course, Knoppix-like tools are always welcome), no sitting in front of every sick PC and waiting for it to boot; everything is just as elegant as an xterm. How nice would it be!
People who dislike China tend to mention Tiananmen Square a lot, but they always forget the Tank Man is also a Chinese.
It sucks, but the proper way to deal with any sort of intrusion is to reinstall everything. Don't fool yourself into thinking that you can figure out what was done to your system and undo those changes. Be safe, reinstall.
Mac users are just as stupid as everyone else in the world
;-)
Now, now -- if they were that stupid, they'd use Windows.
--R.J.
Electric-Escape.net
...and you wonder why I run Linux. If I can't read the code and compile it, I won't run it.
That does it, I'm switching.
"Microsoft researchers have developed a tool, named "Strider Ghostbuster" that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences."
Oh wow! How innovative! Detecting differences by comparing a known good copy with an infected one.... Wow! I wonder if they've applied for the patent? They've even given it a cute name and everything!
The race isn't always to the swift... but that's the way to bet!
Don't trust any file on kazaa or other p2p. Use a good antivirus that scans files when you download.
Many files are infected.
This is another problem with p2p. There is no way to communicate to people that the software is corrupted.
Catch22.
The problem is, there is no such thing as a bootable Windows CD, so you can't just run your AV software off a clean boot, like they used to do back in DOS days.
Then, again, any of you AV vendors out there care to release a Windows AV system that runs off a bootable CD? I mean, all it has to do is go through the files in the C: filesystem. HINT: recompile (the scanner part of) your product under linux, and package the sucker on a bootable linux CD. Shouldn't take more than 3 days of work, really. The AV software itself can be much simpler than your current full-blown Windows-hosted package, since it doesn't have to run off an infected boot!
You'd have to write the piece of code to mount the goddamn registry though.
Excellent point, unlikely != impossible. Not so long ago it was common wisdom that it was impossible to get a virus from a jpeg!
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
This shows that it's wrong not to fix the underlying errors. The current way of just fixing things as they pop up is just a temporary solution. Microsoft should have spent their money on making Windows more secure instead of just putting a band-aid on top of the steaming pile.
HTTP/1.1 400
Not if you want it to be able to do more than just detect the problems. NTFS write support in Linux is not yet complete.
This post written under Gentoo-linux with an SCO IP license.
1) Make a drive image over the network, mount that image as a filesystem and run viral scan
2) Pull drive, put in 2nd machine and scan.
How do you get a rootkit on windows. It sounds like another unix bashing microsoft stunt. Yeah Rootkits started on Unix....
The reason for re-installation is that you can go and verify every file your package database knows about, but not the ones it doesn't.
Plenty of rootkits go and hide themselves in /dev or out-of-the-way places that your packages never would have touched, so you will fix up your packaged files but I doubt there is a r00tkit-1.1337.i386.rpm you can check against.
Sure, it might just leave some stale binaries or scripts around, but unless you go and validate every inode in your filesystem you can't be sure it isn't just going to open you up to another r00ting again.
And that, kiddies, is why we have backups. (Or at least with Solaris you can jumpstart install/flash it exactly how you want every time).
"If everybody is thinking alike, somebody isn't thinking" - Gen. George S. Patton
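The "validate every inode" point in the post above, and the Tripwire/md5sum -c idea raised earlier in the thread, both come down to a file-integrity baseline: hash the whole tree once from a known-clean boot, keep the manifest off the box, and re-hash later to see what was modified, removed and, the part a package database cannot tell you, added. The Python below is an added example, not code from any poster or from Tripwire; the directory tree, file names and contents it hashes are constructed in a temporary directory so that it runs offline.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# A manifest maps a relative path (forward slashes) to (sha256 hex digest, size).
Manifest = Dict[str, Tuple[str, int]]


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Manifest:
    """Hash every regular file under root, including files no package owns.

    Run this from a trusted environment (a boot CD, or the disk attached to a
    second machine): hashes computed through a hooked kernel describe what the
    rootkit chooses to show, not what is on disk. Timestamps are deliberately
    not recorded, because an intruder can restore them after editing a file."""
    manifest: Manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                     # skip symlinks and special files
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (sha256_file(full), os.path.getsize(full))
    return manifest


def compare_manifests(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Three-way difference between the stored baseline and a fresh scan.

    'modified' is what a package database could also report; 'added' is the
    bucket only a full-tree baseline can fill, since nothing installed those
    files. The baseline must live off the machine it describes."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then simulate a compromise
    that patches a system binary, drops a new driver-like file into a directory
    the baseline already covered, and deletes a log file."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(os.path.join(sysdir, "drivers"))
        with open(os.path.join(sysdir, "kernel.bin"), "wb") as f:
            f.write(b"constructed stand-in for a kernel image")
        with open(os.path.join(root, "setup.log"), "w") as f:
            f.write("install ok\n")
        baseline = build_manifest(root)      # taken while the tree is clean

        # Simulated tampering; every name and payload here is a placeholder.
        with open(os.path.join(sysdir, "kernel.bin"), "ab") as f:
            f.write(b" plus an appended patch")
        with open(os.path.join(sysdir, "drivers", "hidden.sys"), "wb") as f:
            f.write(b"constructed stand-in for a dropped driver")
        os.remove(os.path.join(root, "setup.log"))

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

On a real system the baseline is taken right after installation and patching, before the machine is exposed, and stored on read-only media; the re-check is run from the same clean boot environment, so the comparison never trusts the suspect kernel for either side of the diff.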
I had an incredible thing happen to me.
Upped desktop res to 1600x1200. Fine.
The fonts were too small. Changed them to 'Large' (M$ default). Windoze told me to restart, since such a drastic measure as changing font size clearly requires a reboot.
Still too small... used custom. Big mistake! 155% font size put the Win2000Pro into an endless bluescreen loop. Three hours later I simply backed up all data (using cygwin and tar, since I don't trust M$'s backup) and reinstalled the whole crapola.
Why not just install debian? Simple, this was my gaming box. Nothing important on it. Games and photos.
It's a good thing that not all games rely on the godforsaken Registry(tm). Upon reinstalling, Windoze did these incredible things:
-rearranged all joystick IDs, made me reconfigure all games.
-rearranged some controllers' button IDs, making the reconfiguring of all games even harder.
Seriously. Windows 2000 PROFESSIONAL my ass.
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
Waaay back when I was in university taking an assembly language course, we had to write a program which copied itself to another block of memory (and you had to ensure you didn't overwrite the end-of-program byte, lest you create a worm). For extra credit, the professor (when he took a similar course) had to create programs that lived in cores (memory) and did search and destroy missions on enemy programs of the same kind. These 'core wars', were not allowed from our class, as they tended to be difficult to kill, ate other programs already in memory, and annoyed system administrators as you had to shut the whole system down in order to kill them (purge memory).
system(cmd);
compiled with cygwin with cmd containing firefox + all args passed...
this is no catch-all since most IE-vulnerable software just uses the DLL's but it WILL, when inserted in, say, logon bat for a domain, prevent fucking up the system just because the latest Windows Update decided to add those IE and Outlook icons on the desktop AGAIN.
When working on my Mom's computer, I forgot that she doesn't have a hardware firewall like I do; so in the time between booting up Windows for the first time and downloading Zonealarm, the system had already been wormed.
It's not a coincidence that every other computer I administrate runs GNU/Linux.
and I bet KNOPPIX would have seen it. KNOPPIX CDs are an essential tool today. I carry one with me everywhere I go.
This cannot be possible! Bill Gates has 20 Billion US Dollars! Ask any businessman in the country if Bill has the best technology, and they will tell you "he must have, he has 20 billion dollars!" So what the hell?!? Do you mean to tell me that all those silly Linux nerds with hardly 20 Billion dollars among all of them have better technology than Bill Gates? Impossible! 99 out of every 100 businessmen in America agree, it isn't how much you know about technology that makes it great, it's how much money you have that makes your technology great! Ask those businessmen, and they will set those silly Linux nerds straight about technology, that's for sure!
So you have 1st hand experience with being infected?
This is somewhat serendipitous for Microsoft, now they can provide anti-virus software to protect you from invisible files that could be performing unwanted activities on your computer. Conveniently enough, these affect process listings in such a way that makes them equally undetectable, thus rendering these kinds of virii completely unviewable.
How convenient. Fortunately, the only fix is the Strider Ghostbuster CDROM toolkit which is a new utility that requires media to run and is sold as another product offering from Microsoft.
This is such a scam. These kinds of rootkits have existed in the UNIX world for as long as I can remember, once a box has been sufficiently owned in this fashion the only truly safe measure is a complete reinstall.
btw, if you avoid logging in to your PC as superuser you can provide some reasonable protection from rootkits that masquerade as a trojan app. The other common means is to exploit a security hole to gain root access (e.g. SMTPD runs as root and has a buffer overflow bug, etc.), but your Windows updates are going to protect you from these.... aren't they?
Eric Sarjeant
eric[@]sarjeant.com
I certainly do. That's why I mentioned BSD, then the "other UNIXes and UNIX-like OSes". Perhaps not as clearly worded as it could have been, but I didn't really expect anybody to care.
That said, I'm increasingly of the view that Linux is more of a "real" UNIX system than MacOS X, not in code heritage but in functionality and behaviour. Yes, MacOS X is based on a "true UNIX" codebase
... but what I've seen working with it and what I've read suggests it's really a whole new OS that has a POSIX subsystem based on a UNIX. A nice system, sure, but not really UNIX. This is probably a good thing for most users ;-)
Boot CD checking is slowish. Most files on my system are standard packages. So my config files are the only thing at risk from a complete package compare. With an account clean of scripts and configs.
This is a reinstall except slower. First it compares the files/boot sector with what the default config plus updates should be. Creating a master set of changes that have happened to the system and resetting the system to default plus updates.
It is better if you have a known set of config files.
Note this list can contain extra sections because of missed updates or new updates.
Note this includes looking for non-standard files.
This is very effective.
I take issue with your assumption that 5% of the market share should mean 5% of the attacks/exploits. That makes the assumption that the relationship is linear, something I strongly suspect is inaccurate and certainly wouldn't rely on for predictions of any sort.
Especially since the Linux desktop use base (as opposed to market share) could be anywhere in a very large range. It's rather hard to tell when purchasing stats are only one small part of the matter.
Also, I'd like to note as the admin of a Linux co-located server that it's all too easy to get cracked, though most breaches I've heard about locally seem to have been installs of old distros, combined with a failure to patch the machine before exposing it to the 'net.
My colo hasn't been cracked yet (well, I sure as hell hope not - one can never, sadly, be 100% certain w/o just reformatting it daily) and it's been on the 'net 24/7 with a static IP and a large pipe, running public services that might be attractive to crackers (SSL web server, etc). Paranoia and prompt patching is necessary though.
When it comes to rootkits, one doesn't need a virus for that. A manual or script-kiddie tool exploit can install a rootkit just as easily. My totally unsupported suspicion is that the vast majority of rooted Linux systems are cracked by script-kiddies' scanning and automated exploit tools, not viri or manual attacks.
Yeah it's called Game Guard hah. I'm prob going to have to quit playing LineageII because of it.
A 12-month-old rootkit system does not work on Linux in most cases. Systems of honey pots see to that.
In Windows you still find 6-year-old faults. The Ping of Death buffer overflow has never been used by hackers to get a door yet, but they will sooner or later.
Small holes are problems; fix them and they don't grow into big holes.
Joe User doesn't know about ANY kind of rootkit, even now.
This is the first time Joe Admin has heard of spyware that can't be stopped with his Super Spyware Nuke software.
The point is, before this particular kind of Spybot-proof spyware existed, people believed in the term "anti-spyware", and Microsoft was never forced to contradict them (and maybe have to fix their browser). But just like anti-virus, it can only protect you from known, unsophisticated crap, and this forces people (some people) to notice that switching to AOL doesn't make you nearly as safe as switching to Unix.
Don't thank God, thank a doctor!
How frequent are vulnerabilities in Safari? In IE? In Firefox?
I agree in principle, but it's like saying a Volvo (Mac) costs a bit more and is a bit more secure than a Ford (Windows) when you could get a free tank (Linux) that is, amazingly, faster, more maneuverable, and more fuel-efficient than either the Volvo or the Ford.
Especially when people are stupid enough that I want to bomb them, I know which one I'm taking.
Don't thank God, thank a doctor!
Evolutionary pressure leads to death or evolution.
Microsoft could be headed for death because it's not showing signs of moving to an evolutionary system.
Evolution is the source of Linux's power. Every 6 to 12 months users get to turn over their OS for free. So the turnover reduces the number of older systems to be affected.
This logic that Windows will get harder than Linux is flawed. Over 90% of Linux software is open source, so it is under the control of open source developers, i.e. any one of these developers can fix a problem in any one of these apps that leads to a problem. I.e. open source and spyware don't go together.
Over 90% of Microsoft software is closed source that they have no control over. That is the problem.
If I want spyware, I create a download program with a back door (not using a buffer overflow), release it closed source, get users using it, then exploit. Hmm, users are stuck: either change program or live with it. Open source users get a programmer to remove my spyware and fork my project.
If Linux and Windows positions were reversed, we'd be reading about lots of Linux exploits - not because one OS is inherently more secure than the other (under a good administrator, either can be locked down) - but because you get a lot more bang for your buck in going after the largest number of targets.
This is Microsoft fud.
This is simply not true. The positions are reversed on the web server market; do we see hackers targeting Apache? No, they go after the soft targets IIS or MS SQL Server. The Linux SQL servers are not soft targets.
Please note Linux understands SELinux is added to the system. Linux was the first system to support NX extensions. Linux was the first to support 64 bit. These things are not done because it's simple, but because they are the right thing to do.
The first exploit in the wild that I remember was about 10 years back, called heroin.c. It did pretty simple things like modifying lsmod, rmmod, process tables, etc. These days they are a lot more sophisticated.
If you think that changing to Linux will save you from unrecoverable attacks, keep in mind that the new attacks you will have have been developed over decades.
It's kinda funny, I have a Linux server exposed to the outside and it was being targeted by kiddies.
;-)
I set the firewall rules up, all that stuff. And then I installed a rootkit on it.
Why, you ask? A rootkit offered me better security as I could watch without Being watched.
When the kid overflows your FTP server and has a terminal, what's better to do: watch as some other user, or watch as a super-root and not be anywhere on any name or process list?
Their method is a memory compare of a remote Windows machine. Can't you just pop in the CD-ROM and run a CD-ROM based DIR command, or say compare against CRCs on the CD-ROM? That would be better. I guess when they upgrade your OS, they don't want to upload the new CRCs for the diffs.
It makes me wonder why it takes so long. I guess they have to dodge their own spyware, so nobody will notice. Anyone could detect spyware if somehow you could CRC your entire hard drive, then compare the CRC every night. But only for DLLs, COMs and EXEs; they don't change. And viruses can only occur in executables, not data.
Just say no to license servers!!
Is this done by dll hooking?
Karma: Bad is the liberal way of saying this guy won't drink the Kool-Aid here on Slashdot. I wear my Karma with pride.
I'm a Windows user, but now use Linux exclusively to surf the Internet. My home Windows machine is disconnected from, and will never be re-connected to, the Internet.
I'm looking at the Mac Mini, but not sure if I want to put my family through a third learning curve.
Slashdot entertains. Windows pays the mortgage.
The standard rule applies: once the evil software gets root, you're screwed. If some piece of malware installed itself and ran with administrator privileges, you can't trust that machine to be clean ever again. You can only hope that the malware is unsophisticated enough to let you remove it, which is what Microsoft's tool and others do.
Instead of trying to clean up infected systems after the fact, it would be better for Microsoft to put some real effort into making Windows a system where you can get things done without having to execute code with administrator privileges all the time. You should be able to download some crappy shareware game and *by default* it runs with reduced privileges and no access to files outside its own directory. If you want an application to have access to some other files, you can drag them to its window.
Unfortunately it's much easier just to run everything with full rights all the time (or at least full rights of the invoking user, so even if it can't trash the machine it can trash your own files), and lazily stick with a culture of using executables for everything (e.g. self-unpacking zipfiles).
It's a difficult problem to fix, but Microsoft could make some big improvements if they really wanted to.
-- Ed Avis ed@membled.com
SHA-1 and MD5 hashes of all variants of Win system files. Tripwire the hell out of your box after you nuke it from space.
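The nightly "CRC the executables and compare" idea a few comments up and the "hash all Win system files, then Tripwire the box" suggestion here are the same technique: a baseline manifest of file digests, re-computed later and diffed. The following is an added example written for this thread, not code from Microsoft, Tripwire or any poster. It uses SHA-256 rather than the MD5/SHA-1 named in the comment (an assumption; both of those are no longer collision-resistant), restricts itself by default to the executable extensions the earlier comment singles out (a constructed default list), skips symlinks, and records unreadable files instead of silently dropping them. The `demo()` function builds a tiny constructed fake system directory, takes a baseline, tampers with it, and returns the diff.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Optional

# Constructed default: the "executables that don't change" from the earlier comment.
DEFAULT_EXTS = (".exe", ".dll", ".sys", ".com", ".ocx")


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, exts: Optional[Iterable[str]] = DEFAULT_EXTS) -> Dict[str, str]:
    """Map every matching file under `root` (path relative to root) to its digest.

    Symlinked files and directories are skipped so a redirected link cannot
    stand in for the real file; unreadable files are recorded as 'UNREADABLE'
    so the comparison flags them rather than losing them.
    """
    wanted = tuple(e.lower() for e in exts) if exts else None
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            if wanted and not name.lower().endswith(wanted):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                manifest[rel] = hash_file(full)
            except OSError:
                manifest[rel] = "UNREADABLE"
    return manifest


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Diff two manifests: files that appeared, vanished, or whose digest changed."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo() -> Dict[str, list]:
    """Constructed sample: a fake system32, a baseline, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        originals = {
            "kernel32.dll": b"original kernel32",
            "cmd.exe": b"original cmd",
            "readme.txt": b"notes",  # not an executable: ignored by the default filter
        }
        for name, data in originals.items():
            with open(os.path.join(sysdir, name), "wb") as f:
                f.write(data)
        baseline = build_manifest(root)

        # Simulated tampering: one DLL patched, one new driver dropped, a data file edited.
        with open(os.path.join(sysdir, "kernel32.dll"), "wb") as f:
            f.write(b"patched kernel32")
        with open(os.path.join(sysdir, "rootkit.sys"), "wb") as f:
            f.write(b"new driver")
        with open(os.path.join(sysdir, "readme.txt"), "wb") as f:
            f.write(b"edited notes")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The caveat the thread itself raises applies: a kernel rootkit that filters system calls can hide exactly the files it changed from a scanner running on the infected OS, so the "current" manifest has to be computed with the disk mounted from a trusted environment (the CD-ROM boot the other poster describes), and the baseline has to live off the box. A second caveat is the data-file exemption: a registry hive or a script is data, yet changing it is enough to get code executed at the next boot, so in practice the extension filter should be widened rather than trusted.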
Delete IE, install Firefox and rename it to Internet Explorer. I did it on my mum's PC (a most difficult to please individual) and told her it was a new version; since then no spyware.
www.boznz.com Simple solutions to complex problems.
I have chattr man pages.
And you obviously don't understand them.
The immutable flag can be changed at will by root while in multiuser mode.
Again, *WRONG*.
The immutable flag can be *SET* at will by root, but cannot be *UNSET* unless in single-user mode.
Read and digest my whole comment before coming back with an anonymous "wrong".
I did. How about you understand what the hell you're talking about before nattering on about stuff you *clearly* have no idea about?
What you need to use is something like regdump. I've started to use it to convert Windows settings into Linux settings transparently, but you can use it to make sure nothing modified the registry.
./regdump NTUSER.DAT > backup_profile.reg
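Once two REGEDIT4 dumps exist (one taken from a known-good hive, one from the hive as it is now), "making sure nothing modified the registry" means parsing both and diffing keys and values. This is an added example written for this thread, not part of regdump or the BeeHive project: a small REGEDIT4 parser that handles `[key]` lines, `"name"=data` and `@=data` values, and backslash-continued `hex:` blobs, plus a diff over the result. The two dumps embedded below are constructed samples; the key names, value names and paths in them are assumptions for illustration, not anything from a real machine.

```python
import re
from typing import Dict, List, Tuple

Hive = Dict[str, Dict[str, str]]  # key path -> {value name -> raw value text}

KEY_RE = re.compile(r"^\[(.+)\]$")
# Either a quoted value name (with \" escapes allowed) or @ for the default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_regedit4(text: str) -> Hive:
    """Parse a REGEDIT4 export into {key: {name: raw data}}.

    Value data ending in a backslash continues on the next line (used for hex:
    blobs); continued blobs are stored with their whitespace removed so that
    line wrapping alone never shows up as a change. Blank lines, ';' comments
    and the REGEDIT4 header are ignored; anything else raises.
    """
    hive: Hive = {}
    current = None
    pending = None  # (name, partial data) while a continued value is assembled
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, data = pending
            data += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, data)
            else:
                hive[current][name] = data.replace(" ", "")
                pending = None
            continue
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            hive.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if data.endswith("\\"):
                pending = (name, data.rstrip("\\"))
            else:
                hive[current][name] = data
            continue
        raise ValueError(f"unparseable line: {raw!r}")
    if pending is not None:
        raise ValueError("dump ended inside a continued value")
    return hive


def diff_hives(old: Hive, new: Hive) -> Dict[str, List[Tuple]]:
    """Keys and values that appeared, disappeared or changed between two dumps."""
    report: Dict[str, List[Tuple]] = {
        "keys_added": sorted(set(new) - set(old)),
        "keys_removed": sorted(set(old) - set(new)),
        "values_added": [], "values_removed": [], "values_changed": [],
    }
    for key in sorted(set(old) & set(new)):
        o, n = old[key], new[key]
        report["values_added"] += [(key, v) for v in sorted(set(n) - set(o))]
        report["values_removed"] += [(key, v) for v in sorted(set(o) - set(n))]
        report["values_changed"] += [(key, v, o[v], n[v]) for v in sorted(set(o) & set(n)) if o[v] != n[v]]
    return report


# Constructed sample dumps (raw strings, so the REGEDIT4 backslash escaping survives).
BASELINE_DUMP = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Example\Settings]
@="default"
"Timeout"=dword:0000001e
"Blob"=hex:00,01,02,\
  03,04
"""

CURRENT_DUMP = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Helper"="C:\\Temp\\helper.exe"

[HKEY_CURRENT_USER\Software\Example\Settings]
@="default"
"Timeout"=dword:0000003c
"Blob"=hex:00,01,\
  02,03,04

[HKEY_CURRENT_USER\Software\Example\Persist]
"""


def demo() -> Dict[str, List[Tuple]]:
    """Diff the constructed baseline against the constructed current dump."""
    return diff_hives(parse_regedit4(BASELINE_DUMP), parse_regedit4(CURRENT_DUMP))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

Because regdump reads the hive file directly rather than asking the live registry API, a dump taken with the disk mounted from a trusted boot environment is not subject to the system-call filtering the article describes; the baseline dump still has to be kept somewhere the machine under suspicion cannot reach. The `Blob` value is deliberately re-wrapped between the two dumps to show that the parser reports only real changes.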
If only Microsoft open sourced their registry code so that everyone could compile a fresh, untouched version.
Fresh from the sourceforge.net project BeeHive...
regdump-0.0.1
This is very, very alpha. But hey, it's a start right?
GENERAL NOTES:
The code provided shows a general implementation which can read Microsoft
Windows NT 4.0 and Windows 2000 hive files. (Note: Win2K has a very
different appearance internally (data) but the hive files are same in
their structure.) I decided to make the output marginally useful so the
contents of the hive file are dumped to stdout in REGEDIT4 format so you
can do something like:
thank God the internet isn't a human right.