Slashdot Mirror


Microsoft Warns of Impossible to Clean Spyware

darkjedi521 writes "The Inquirer has a story that the next generation of Windows spyware and exploits are starting to make use of "kernel rootkits". A paper at Microsoft Research has details on a prototype detection tool. Computerworld has more details, as well." From the article: "Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools..."

49 of 813 comments

  1. Bruce Schneier on the Prototype Detection Tool by Noksagt · · Score: 5, Informative
    Bruce covered the tool in a recent post on his blog. He says:
    This is a really interesting technical report from Microsoft. It describes a clever prototype -- called GhostBuster -- they developed for detecting arbitrary persistent and stealthy software, such as rootkits, Trojans, and software keyloggers. It's a really elegant idea, based on a simple observation: the rootkit must exist on disk to be persistent, but must lie to programs running within the infected OS in order to hide.

    Here's how it works: The user has the GhostBuster program on a CD. He sticks the CD in the drive, and from within the (possibly corrupted) OS, the checker program runs: stopping all other user programs, flushing the caches, and then doing a complete checksum of all files on the disk and a scan of any registry keys that could autostart the system, writing out the results to a file on the hard drive.

    Then the user is instructed to press the reset button, the CD boots its own OS, and the scan is repeated. Any differences indicate a rootkit or other stealth software, without the need for knowing what particular rootkits are or the proper checksums for the programs installed on disk.

    Simple. Clever. Elegant.

    In order to fool GhostBuster, the rootkit must 1) detect that such a checking program is running and either not lie to it or change the output as it's written to disk (in the limit this becomes the halting problem for the rootkit designer), 2) integrate into the BIOS rather than the OS (tricky, platform specific, and not always possible), or 3) give up on either being persistent or stealthy. Thus this doesn't eliminate rootkits entirely, but is a pretty mortal blow to persistent rootkits.

    Of course, the concept could be adopted for any other operating system as well.

    This is a great idea, but there's a huge problem. GhostBuster is only a research prototype, so you can't get a copy. And, even worse, Microsoft has no plans to turn it into a commercial tool.

    This is too good an idea to abandon. Microsoft, if you're listening, you should release this tool to the world. Make it public domain. Make it open source, even. It's a great idea, and you deserve credit for coming up with it.

    Any other security companies listening? Make and sell one of these. Anyone out there looking for an open source project? Here's a really good one.

    Note: I have no idea if Microsoft patented this idea. If they did and they don't release it, shame on them. If they didn't, good for them.
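The two-scan-then-diff procedure Bruce describes, as an added example in Python that is not Microsoft's GhostBuster code. The "inside" view is simulated with a constructed hide predicate and a constructed fake hash standing in for a rootkit's hooked system calls; the example covers files only, not the autostart registry keys the real tool also scans.

```python
"""Cross-view file-system diff in the spirit of the GhostBuster idea:
hash every file as seen from inside the running OS, hash again from a
clean boot, and report the differences.  Added example, not Microsoft's
prototype; the 'inside' view is simulated with a constructed hide-list
and a constructed fake hash standing in for a rootkit's hooked calls."""
import hashlib
import os
import shutil
import tempfile


def scan_tree(root, hide=None, fake_hashes=None):
    """Return {relative path: sha256 hex} for every regular file under root.

    hide:        optional predicate on a file/dir name; names it accepts are
                 left out of the view (emulates a rootkit filtering listings).
    fake_hashes: optional {relpath: hash} substituted for the real digest
                 (emulates a rootkit serving the original bytes to readers).
    The clean-boot scan passes neither, so it sees the disk as it really is.
    """
    view = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if hide:
            dirnames[:] = [d for d in dirnames if not hide(d)]
            filenames = [f for f in filenames if not hide(f)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            if fake_hashes and rel in fake_hashes:
                digest = fake_hashes[rel]
            view[rel] = digest
    return view


def cross_view_diff(inside, outside):
    """Compare the two views.  Anything the clean boot found that the running
    OS did not report, or reported with a different digest, is suspicious."""
    hidden = sorted(set(outside) - set(inside))
    phantom = sorted(set(inside) - set(outside))     # reported but not on disk
    mismatched = sorted(p for p in inside
                        if p in outside and inside[p] != outside[p])
    return {"hidden": hidden, "phantom": phantom, "mismatched": mismatched}


def run_demo():
    """Build a throwaway tree with a hidden rootkit file and a trojaned 'ps'
    whose inside-view hash is faked, run both scans, and return the diff."""
    root = tempfile.mkdtemp(prefix="xview_")
    try:
        # Constructed sample tree standing in for a small system install.
        files = {"bin/ls": b"ls v1\n", "bin/ps": b"ps v1\n",
                 "etc/passwd": b"root:x:0:0::/root:/bin/sh\n"}
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        clean_ps_hash = hashlib.sha256(files["bin/ps"]).hexdigest()

        # Constructed infection: a hidden file plus a replaced ps on disk.
        with open(os.path.join(root, "bin", ".rk_hide"), "wb") as fh:
            fh.write(b"rootkit payload\n")
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"ps trojan\n")

        # Inside view: the 'OS' hides .rk* names and lies about ps's digest.
        inside = scan_tree(root, hide=lambda n: n.startswith(".rk"),
                           fake_hashes={"bin/ps": clean_ps_hash})
        # Outside view: the same disk scanned from a clean boot, no hooks.
        outside = scan_tree(root)
        return cross_view_diff(inside, outside)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```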
    1. Re:Bruce Schneier on the Prototype Detection Tool by scheme · · Score: 2, Informative
      Innovative it is not. The Linux recipe for this is to boot using knoppix, chroot to the main system, run tripwire/aide/chkrootkit/etc. and see if anything gets flagged.

      The difference is that you don't need to run the ms program on a regular basis in order to build the database. The MS program will create 2 md5 databases and compare them to see if you've been infected. Although you could do that with tripwire, that really isn't what it was designed for.

      --
      "When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
    2. Re:Bruce Schneier on the Prototype Detection Tool by John+Allsup · · Score: 2, Informative

      This reminds me of the old fix for the Dir II virus. The fix was: zip up all the files on your hard disk, boot from a clean floppy and unzip them all.

      --
      John_Chalisque
  2. Here's the link to a free SP2 CD from Microsoft by xTK-421x · · Score: 4, Informative

    Install SP2 before you connect a Windows XP machine to the internet.

    The last time I connected a fresh Windows XP RTM box to the internet, it was infected with MS Blaster in 6 minutes.

    Windows XP Service Pack 2 on CD FREE

    --
    "TK-421, why aren't you at your post?"
    1. Re:Here's the link to a free SP2 CD from Microsoft by LurkerXXX · · Score: 2, Informative
      The firewall is included in default XP, just not turned on.

      Next time just do the install, turn on the firewall, then plug in the ethernet cable.

      Then go download the latest service-packs/patches.

  3. Re:Further proof by jonbryce · · Score: 4, Informative

    Can you install a linux rootkit by viewing a web page in Mozilla / Konqueror?

  4. Re:This isn't really a problem by Spetiam · · Score: 4, Informative

    Deep Freeze is much simpler.

  5. recovering from kernel mode rootkits is hard... by mrhandstand · · Score: 2, Informative
    but not impossible. In layman's terms it means you can't trust the OS to provide your user space applications with correct data. Boot into an alternative OS (Knoppix), and you can then run cleanup tools.

    It's also possible to use software hardening tools to prevent changes to the kernel (can't remember the exact company, think the name was "Server-Lock", or something like that).

    The real answer is layered security, well managed backup and data protection strategies, and the understanding that no networked PC is immune.

    --
    Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
  6. Non infected scanner? by Kelerain · · Score: 2, Informative

    Wouldn't it still be quite possible to scan the system from a non infected source, such as the UBCD4Win? It's a bootable CD, like knoppix and others, but with a light version of windows XP and a ton of cleaning tools. I use it regularly for cleaning spyware and viruses off thoroughly infected systems.

    It's able to cope with systems having hundreds of virii and such. If you trust it to remove simpler malware, then ingrained rootkits should be a similar problem, for an 'external' system. Not to mention it has all the critical XP system files handy for replacements. A bit easier than the 'nuke it all' approach, which is beginning to sound like 'reboot and see if the problem goes away'.

  7. Re:Argument for Partitioning by slaker · · Score: 4, Informative

    There does exist a tool called "linkd" in the Windows 2003 Server resource kit, which allows you to set mount points via the command line.

    So you install a system. Use two partitions. Pull the drive. Install 2nd drive on working windows machine. Copy the "Documents and Settings" to the second partition of the newly installed drive. Then use linkd to create a "Documents and Settings" mount point from one partition to the other.

    As a semi-serious builder/hobbyist, when I build a system, I use preconfigured sysprep images where I have already done this (the mount point linkage IS copied by programs like ghost that support NTFS5). I can restore a single partition or the whole disk. Either way. I distribute a restore DVD to my customers that can fix their spyware- and virus-hosed Windows installs without killing all the pictures they took with their digital camera etc.

    It took me a bit of fiddling to make sure I have the process right, but for the number of times it's saved me two hours' work, I almost want to cry.

    --
    -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
  8. Re:They should know by solafide · · Score: 2, Informative

    Or Inept Explorer? It's time to OPERAte! And/or catch fire!

  9. Re:Ok... by Zocalo · · Score: 5, Informative

    Actually, most *NIX rootkits have been intercepting system calls to the kernel and replacing common command tools that might be used to detect and remove them for ages. I haven't heard of one that can avoid detection by the likes of Chkrootkit and Rootkit Hunter yet, other than by being brand new of course. Naturally, that doesn't automatically mean that it's impossible to write one though.

    --
    UNIX? They're not even circumcised! Savages!
  10. Hmm by ctr2sprt · · Score: 4, Informative
    Maybe I'm missing something, but this doesn't seem like anything new. Google for HackerDefender, I'm sure you'll find some relevant links. It intercepts the appropriate system calls to make itself completely invisible: it hides its processes as it's running, it hides the services that start them, etc. I've been seeing it on my employer's Windows servers for quite some time. There are ways to clean it, though they could of course be circumvented as well. The foolproof way to remove it is to boot from a special Windows boot CD and delete the files it uses.

    Unless there's something really new and complex going on here, not only is this not new, but IT professionals already have ways of dealing with it. In our case, on a live system with one reboot required. I wouldn't call it minor, certainly (10 minutes of downtime is 10 minutes of downtime), but... hell, if script kiddies have been using this for months and months...

  11. Re:This isn't really a problem by codemachine · · Score: 2, Informative

    It will prevent some worms from spreading, which does allow for safe online updates. On our campus network, an unpatched machine lasts an average of 20 minutes before being infected, so you can't ever take the risk of installing service packs online unless you're behind NAT.

    But you are correct that it does not help prevent spyware and other viruses that come in through IE, email, and infected executables. Since most spyware either comes with commercial software, or installs itself through IE and ActiveX, NAT does nothing at all there.

  12. Re:Further proof by CaptKilljoy · · Score: 4, Informative

    I don't think a *nix kernel rootkit has ever existed, where a program can modify the kernel and is impossible to remove.

    It would have taken all of 30 seconds to google in advance:
    http://www.google.com/search?hl=en&q=unix+rootkit+kernel&btnG=Google+Search

    --A closed mouth gathers no foot.

  13. Re:Unpossible to Clean SpyWare? by pbranes · · Score: 5, Informative
    One of my job functions at the university where I'm employed is to fix student computers. 95% of the calls we receive are spyware/virus related. We have stopped trying to disinfect Windows from inside the operating system because it is pointless - there is no way to clean everything off from within the operating system. What we do is boot off of BartPE bootable CD, connect to the network, update the virus scanner & adaware, and clean off the hard drive. Then we proceed to boot the computer into windows to finish the final clean-up.

    So, it surprises me that a report about this kind of ad-ware/viruses is just now coming out because we have been dealing with impossible-to-remove software for at least a year now. Fortunately the only way to defeat a BartPE scan is to install a BIOS virus - and almost nobody does that any more. :-)

  14. Re:I am not surprised... by Anonymous Coward · · Score: 1, Informative

    VX2 is a pain in the ass but it can be removed without a format. You just need a number of tools and pretty good knowledge of the registry to pull it off.

    vx2finder
    dllcompare
    killbox

    hijackthis is helpful also and lspfix in case you screw up the lsp with hijackthis

    you also need to remove all registry notify operations that occur on explorer or task manager startup

    Yeah, I know, too late now.

  15. Re:Further proof by TheRaven64 · · Score: 2, Informative

    Maybe not right now, but there have been a few arbitrary code execution vulnerabilities in Mozilla. If someone happened to visit a web site that made use of one of these vulnerabilities, then they could get something nasty installed. If they were running as root, then there's nothing stopping this from doing all sorts of kernel level things. If not, then it could just put trojaned copies of su and sudo somewhere on the user's path and wait for them to type in a password required for root access (meanwhile, harvesting data from the user's account, for example by polling X for copies of events).

    --
    I am TheRaven on Soylent News
  16. Long time by shadowsurfr1 · · Score: 1, Informative

    Wow that's a while for a Windows machine to go uncompromised online. Last I heard, 15 seconds was how long it took.

  17. Re:Argument for Partitioning by Anonymous Coward · · Score: 1, Informative

    linkd isn't even needed at all... the docs&settings path is stored in the registry. change it, and you're set.

  18. Re:Unpossible to Clean SpyWare? by greed · · Score: 3, Informative
    A number of packaging utilities (mainly those not used on consumer-targeted OSes like Mac OS X and Windows) track checksums, sizes and permissions of installed files. At least, those that the packager indicates are expected to be non-mutable after install--so, typically, the contents of /usr, but not /etc or /var.

    The downside is, the repository of known sizes and checksums is stored on local disk. The upside is they are also recorded, in a fairly easy to retrieve form, on the original install media and the updates are recorded with each patch file also.

    So a good sysadmin doesn't have to track all that, because a good system already did it for him. A good sysadmin would want to make sure there's a way to get into the system from known-good media and access the checksum database from alternate media. Instead of trying to rebuild the DB from install media, it could be just as good to back up the DB when the system is in a known good state. (Just after clean install; before each update, verify the system from clean boot and an offline copy of the checksum db, and so on.)

    On AIX, use "lppchk", Solaris has "pkgchk", and RPM-based Linuxes have "rpm --verify".

    OK, I lied about Mac OS X, though I don't know of any way to verify the information. 'lsbom' will list the information from a bill of materials file, and these are kept in /Library/Receipts/$PackageName. Disk Utility's "Repair Permissions" uses at least part of the information; maybe I'll intentionally screw up a system file and see if it reports a size verification or checksum failure on it.

    Now, of course, anything you put on a system which doesn't use the system package manager won't be recorded in the system package database. So you can't find out it is there, or validate it, or anything.

    From my recollections of working with InstallShield a few years ago, it does not track this kind of information at all. I could be wrong about this, it's been quite a while--NT 4.0 was still new!

  19. Re:In defense of Microsoft.... by mrseigen · · Score: 2, Informative

    At least they're bright enough to rip off tripwire, instead of some other rootkit detector.

  20. OSX definitely has some positives. by nortcele · · Score: 3, Informative

    OSX is more secure in many ways. For those that know what they are doing... (they usually don't get infected but that's beside the point) you can use the "chflags schg " command as root to lock a file so that it cannot be modified. The flag can only be cleared in single-user mode. Standard linux distros with ext2/ext3/reiserfs don't have that. I'm not real up to speed on WinXP or 2003, so I don't know if they have a single user mode (or a real multi-user mode ). But OSX can be hardened to where you can be sure the kernel or critical libs cannot be updated.

    1. Re:OSX definitely has some positives. by Anonymous Coward · · Score: 1, Informative

      Standard linux distros with ext2/ext3/reiserfs don't have that.

      Wrong. Note that they're talking about Slackware 3.2, which has been around since about 1997.

    2. Re:OSX definitely has some positives. by nortcele · · Score: 2, Informative

      I have chattr man pages. The immutable flag can be changed at will by root while in multiuser mode. Not secure. Period. Read and digest my whole comment before coming back with an anonymous "wrong".

  21. Re:Unpossible to Clean SpyWare? by Rosco+P.+Coltrane · · Score: 4, Informative

    I prefer to have read-only filesystems. That way, every reboot guarantees a clean system.

    You think it's a joke, but actually I do almost exactly that: for the few times I actually do need to use Windows, chiefly to use AutoCAD, I boot Win98 in VMWare and set it to always return to the hard-disk snapshot it booted with. That way, I can get as many xyz-wares on the Windows box, it'll always come back pristine the next time I restart it. And whenever I need to install something new, or change something in the Windows install, I do it carefully and take a new snapshot when I'm happy with it.

    Honestly, VMWare is the best way to use Windows :-)

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  22. Re:Impossible to clean now by ThisIsFred · · Score: 2, Informative

    Not really. You can easily spot all the hooks in the IE registry entries. If you're too confused by the registry, get "HijackThis". There are only four places an autostart entry could be (just repeated in the user half of the registry), probably two less places in an XP system. Fake drivers load in one of two places, as do fake DLLs. I'd say use system file checker too, but it's too stupid to realize the difference between a corrupted file and a legitimately patched one.

    It's not rocket science, but what makes it a tremendous pain is Microsoft's lack of useful command line utilities. I'm not talking about how they left out utilities for importing DS objects or copying files with rights intact, I mean registry editing tools. What MS needs is a utility to make a boot disk that's *NOT* DOS based (doesn't run in real mode), and has NTFS support. ...Plus a command-line registry editor, or maybe something like the EDIT.COM command.

    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS
  23. Re:Unpossible to Clean SpyWare? by node+3 · · Score: 4, Informative

    Argh! This is one of the most blatantly obvious mistakes that always get modded up on Slashdot.

    Yes, absolutely every general purpose OS can be rooted, spywared, hacked, or otherwise compromised.

    By analogy, anything can kill you, poison can kill you, water can kill you, a bullet can kill you and a butterfly can kill you. Being possible is not the same as being probable.

    In the binary, off/on, sense, security can theoretically be compromised. But we don't live in theory, we live in practice. There are no known kernel exploits for Mac OS X, there is no known spyware, there are no known viruses, there have been a handful of OS X specific exploits that require the user to run a program (and generally ask you to supply an admin password), and have all been "proof of concepts". The bulk of OS X security updates have been for Open Source/Unix apps, which are all turned off by default, and have never been reported as actually exploited.

    It's virtually impossible to just randomly get rooted, trojaned, hit by a virus, or otherwise find your Mac is pwn3d. On Windows, you need to be fairly diligent, and even then you can't be sure.

    You gotta ask yourself why this is. The answer isn't just "Windows is more common" (although that is a part of it). Windows is inherently flawed from a security standpoint. Mac OS X is inherently secure (relatively speaking). That doesn't mean it's impossible to hack a Mac, but it does mean that the risks are fewer, and are far more easily mitigated.

    When someone says, "Windows is malware-ridden, I'm switching to a Mac" (sometimes a toothless threat, sometimes not), the response, "but it's possible to write a rootkit for Mac OS X too," is not a counter-argument. It's, at best, a warning that someday that Mac might possibly, but not very likely, get a virus or something... maybe, probably not though.

  24. Re:It's recommended, but not 100% necessary. by hankwang · · Score: 5, Informative
    You keep a LiveCD with MD5 hashes for the current versions of all of your binaries?

    Step 1: Take your Fedora or whatever installation CDs with all the original RPM files.

    Step 2: Issue the command: rpm -Vp *.rpm

    Step 3: All files that have a "5" in front of them have a wrong MD5 checksum.
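A decoder for the `rpm -V` / `rpm -Vp` report that greed's package-database post and the three steps above rely on, as an added example (not rpm's own code). The sample report is constructed, not captured from a real system; the status-column letters follow the rpm(8) man page, and the triage rule is hankwang's: a "5" (digest mismatch) on a non-config file is the alarm.

```python
"""Decode `rpm -V` output and triage it.  Added example, not rpm's own
code; SAMPLE_OUTPUT below is constructed, not captured from a real system."""
import re

# Each report line is a status string (one column per test, '.' = passed,
# '?' = could not be tested) or the word 'missing', optional whitespace,
# an optional attribute letter (c = %config, d = %doc, g = %ghost,
# l = %license, r = %readme), then the path.  Older rpm emitted 8 columns.
LINE_RE = re.compile(r"^(missing|[S.?M5DLUGTP]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")

# Column order and meaning as documented in rpm(8); '5' is the digest test.
ORDER = "SM5DLUGTP"
TESTS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}


def parse_verify_output(text):
    """Return one dict per report line: path, attr, missing, failed, untestable."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised rpm -V line: %r" % line)
        status, attr, path = m.groups()
        entry = {"path": path, "attr": attr, "missing": status == "missing",
                 "failed": set(), "untestable": set()}
        if not entry["missing"]:
            for i, ch in enumerate(status):
                name = TESTS[ORDER[i]]
                if ch == "?":
                    entry["untestable"].add(name)
                elif ch != ".":
                    entry["failed"].add(name)
        entries.append(entry)
    return entries


def triage(text):
    """Apply the rule of thumb from the posts: a digest mismatch on a
    non-config file is the alarm, config files are expected to drift,
    missing files matter, and untestable files need a second look."""
    report = {"modified_binaries": [], "modified_config": [],
              "missing": [], "untestable": []}
    for e in parse_verify_output(text):
        if e["missing"]:
            report["missing"].append(e["path"])
        elif "digest" in e["failed"]:
            key = "modified_config" if e["attr"] == "c" else "modified_binaries"
            report[key].append(e["path"])
        if e["untestable"]:
            report["untestable"].append(e["path"])
    return report


# Constructed sample report (not from a real system).
SAMPLE_OUTPUT = """\
..5....T.    /usr/bin/ls
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/ps
missing     /usr/sbin/sshd
??.......    /root/.bashrc
"""

if __name__ == "__main__":
    for key, paths in triage(SAMPLE_OUTPUT).items():
        print(key, paths)
```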

  25. MSDOS Viruses... by Anonymous Coward · · Score: 2, Informative

    Back in that time, there were plenty of dos viruses that were using "tunneling" techniques to bypass the chain of hooks on interrupt vectors. Still, if it is the same here, that's detectable; You just need to have a detector that is also using the same methods used by the spywares to be the first to intercept calls...

  26. Re:It's recommended, but not 100% necessary. by temojen · · Score: 4, Informative

    That's why patching local privilege escalation bugs is important.

  27. Alternatively.... by NerveGas · · Score: 2, Informative


    If you're truly paranoid, you can disable loadable modules, thus preventing a kernel-level rootkit module from being loaded.

    steve

    --
    Oh, you're not stuck, you're just unable to let go of the onion rings.
  28. Re:Unpossible to Clean SpyWare? by Macgruder · · Score: 5, Informative

    I've been using BartPE for a year now. The initial basic setup is very easy. It's also easy to customize it to add in your applications. Well, it's easy to add it into BartPE (loadable .inf files), but sometimes you have to do a LOT of digging into Windows and the specific application to determine WHAT you need to add to said .inf.

    My BartPE disk has Ad-Aware SE, and I use SFX to make a self-extracting executable of Spybot. For AV stuff, I use the McAfee GUI plugin for their command line scanner, and Sysclean (by the same folks that make pc-cillin). Also McAfee's Stinger is loaded, too.

    I put it on a CD-RW, and once a week d/l the updates, then use the Bart PEBuilder program to rebuild an ISO, and burn that to a CD-RW.

    Virus scans, spyware files... all are gone without having to boot into the compromised OS. Registry cleaning requires you to boot into the OS, but once the files are gone, that makes it a lot easier to clean.

    It's not 100%, but it vastly improves the chances of fixing the system, with minimal time (30 mins a week to get the updates, 20 mins of actual work running the Bart disk to clean a system).

    --
    I'm not crazy, I'm actively irresponsible.
  29. Re:Unpossible to Clean SpyWare? by Filmwatcher888 · · Score: 2, Informative

    Ad-aware and BartPE won't detect spyware that's rewritten your crypt32.dll or dllhost.exe to the same size and header. The only thing would be an antivirus tool that does hash checks with known good DLLs.

    And that's not available yet. Think of all the different systems with different versions of DLLs. This is going to get ugly.

  30. Link to project site by Anonymous Coward · · Score: 1, Informative
  31. ...from within the OS. by abb3w · · Score: 2, Informative
    Of course, there are standardized tools to generate md5 sums of files. A good rootkit, before replacing a file, determines the md5 checksum of the file. Then, when the easily-detectable standardized tools ask for the checksum, the rootkit intercepts the request and feeds the tool garbage.

    ...provided of course that the system is running. If you have booted the system from a separate known-clean read-only disk-- like, say, a KNOPPIX CD from a USB CD-ROM drive, the poor rootkit is essentially defenseless.

    The usefulness of being able to run, for example, Tripwire from a known clean OS makes me wonder why it isn't standard on KNOPPIX. Does anyone know of a CD distro that offers Tripwire or similar MD5 based integrity utility standard?

    --
    //Information does not want to be free; it wants to breed.
  32. Re:Still behind the times by Anonymous Coward · · Score: 1, Informative

    No it isn't. If you don't know what the hell you're talking about, please don't post.

    Yes, I'm new here.

  33. Re:Unpossible to Clean SpyWare? by Slack3r78 · · Score: 2, Informative

    It's by far the best solution I know of. And yes, there are several rather large plugin repositories with setups for 3rd party software. There's an Ad-aware plugin built in, but I'd recommend you search the forums for the plugin with RunScanner, which will let you scan the host computer's registry as well. But to fully answer your question, the build I personally use includes AdAware, McAfee CLI, Ghost 8, Partition Magic, a defragger and a number of other tools. It can be made to do just about anything you'd like.

    I work for a small repair shop, and cleaning AV/Spyware has become 60% of our business in the past year, we've been using Bart since around Aug 2003, and it's been an absolutely indispensable tool in that time. Machines that we would have simply reloaded in the past can often times be saved by virtue of being able to run scans from outside the host system.

  34. Re:Security Levels by Detritus · · Score: 2, Informative

    The advantage of the BSD scheme is that even if the box gets rooted there are files that even root can't mess with. They get locked down after the system is switched into multiuser mode. The only way to modify/delete the files is to reboot the system.

    --
    Mea navis aericumbens anguillis abundat
  35. Re:Unpossible to Clean SpyWare? by Slack3r78 · · Score: 3, Informative

    Check the 911 forums (Bart links them from the Nu2 site) for modified Ad-Aware plugin that uses RunScanner. It'll let you scan the host system's registry from within Bart. I've added it to my latest builds this week, and it's been a great time saver and seems to work well.

    I'd link you myself, but I'm stuck on dial up at the moment. :)

  36. Re:This proves once more... by salvorHardin · · Score: 2, Informative
    And the local user account setup during initial XP configuration is a member of which group by default?

    Step forward, LOCALHOST\Administrators!

    Also.. on a Linux system, not only does it ask you to create a root account/password, but distros like Debian, Mandrake, SuSe, Red Hat/FC, hell, even Linspire advise you strongly not to use the root account, and some give you a nice 'bomb' wallpaper in X to warn you when you're logged in as root. It's also difficult (or in some cases impossible) to not create a standard user account during initial Linux configuration.

    With regards to Safe Mode, yes, there is one in XP, which helps out greatly with removing trojans/adware/viruses/AOL, but in the case of a Kernel rootkit, it isn't going to help. With Linux, you can have several Kernels, and choose which one to load at boot time. You can tell init what gets run at different runlevels. Also, working in the favour of Linux (and to a lesser extent, Apple Macs) is the market share of desktops. There's no percentage in writing this stuff for such a minority userbase, especially when the people on the other end are likely to be clueful enough to know 'why all these popups are suddenly appearing'.

  37. Re:Beware of trusted computing by dustmite · · Score: 4, Informative

    Yes, the "push" has begun ... "this is why computers should only run software from 'trusted', 'licensed' software vendors, and only on 'trusted', 'licensed' hardware", they will say ... the ultimate industry lockout to new potential competitors. And the sad thing is the excuse is a flawed premise; the current widespread and rapidly increasing malware problems are primarily because Windows is such a mess internally. Windows is imploding. And they must have known it was going to happen, over a year ago already, when they suddenly decided to start this massive new focus on security .. they knew their security sucked, they saw this coming, and now they're doing two things: (a) trying to patch Windows fast enough to prevent a total implosion and sudden mass exodus from the platform, and (b) try to capitalise on all the spyware and viruses to push 'trusted' computing platforms in order to gain control of the platform to create artificial barriers to entry for new small competitors.

  38. Re:Yes, it is the same problem by LurkerXXX · · Score: 2, Informative
    Ever seen a group of average mac users working on OSX? (average, not nix type folks)

    I've never seen one fail to type in the admin password as soon as prompted, no hesitation, no questions asked. I don't think it's going to be hard to start generating lots of self-hacked machines once OSX gets more market share and becomes a more viable target for the spread of little nasty things.

  39. Re:Still behind the times by Anonymous Coward · · Score: 1, Informative

    wrong, it's what is installed after gaining root to take control of the system, leave backdoors for access, and patch certain utilities so it's hard to find (like ls, ps, etc)

  40. Re:Yes, it is the same problem by aardvarkjoe · · Score: 2, Informative
    That means physical access to the machine, does it not?

    It does not, though I will admit that the "local" / "remote" names are rather confusing. A local exploit is one that is run by a user that has access to the system; that includes somebody who logs into a regular user account via telnet or ssh. A remote exploit is one that is run from outside the system. In this case, what is described is a remote exploit to get user-level access, followed by a local root exploit to get root access. Both can be done via the network.
    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  41. That only checks what you know by asaul · · Score: 2, Informative

    The reason for re-installation is that you can go and verify every file your package database knows about, but not the ones it doesn't.

    Plenty of rootkits go and hide themselves in /dev or out of the way places that your packages never would have touched, so you will fix up your packaged files but I doubt there is a r00tkit-1.1337.i386.rpm you can check against.

    Sure, it might just leave some stale binaries or scripts around, but unless you go and validate every inode in your filesystem you can't be sure it isn't just going to open you up to another r00ting again.

    And that, kiddies, is why we have backups. (Or at least with Solaris you can jumpstart install/flash it exactly how you want every time).

    --
    "If everybody is thinking alike, somebody isn't thinking" - Gen. George S. Patton
  42. Re:Unpossible to Clean SpyWare? by Sven+The+Space+Monke · · Score: 3, Informative

    If you want to build a BartPE disk, check out The Ultimate Boot CD for Windows. It's a massive collection of plugins and drivers for BartPE. Adaware, HijackThis, McAfee, defraggers, etc. Here's a list of apps it comes with.

    Hands down, bar none, the best place to start your BartPE plugin collection.

    --
    A man who can't pronounce "nuclear arsenal" shouldn't have one -sig ends here.
  43. Re:Don't let users login as either administrators by shis-ka-bob · · Score: 2, Informative

    I'm with you. I only allow 'users' to surf the web. The only time an 'admin' account is allowed on the net is to connect to microsoft and install software.

    --
    Think global, act loco
  44. Re:It's recommended, but not 100% necessary. by Anonymous Coward · · Score: 1, Informative
    Quick and dirty thing I use:

    Makes a list of md5sums:
    #!/bin/sh
    # Directories whose contents should not change between checks.
    places="/bin /sbin /usr/bin /usr/sbin /usr/pkg/bin /usr/pkg/sbin /usr/X11R6/bin /usr/libexec /usr/X11R6/libexec /usr/pkg/libexec /usr/pkg/etc /libexec /etc"
    basedir="/media/usb/"
    tmpdir="/tmp/"
    # The first line of the list records which directories were scanned,
    # so the check script below can reuse the same list.
    echo $places > "$tmpdir"ids.tmp
    for i in $places
    do
      echo checking $i
      find $i \! -type d -exec md5 {} \; >> "$tmpdir"ids.tmp
    done
    # Store the compressed list on the (removable) USB drive, replacing the old one.
    gzip < "$tmpdir"ids.tmp > "$basedir"ids.new
    mv "$basedir"ids.new "$basedir"ids
    rm "$tmpdir"ids.tmp
    Check the sums: (Same procedure as above, then diffs the results with the old file)
    #!/bin/sh
    basedir="/media/usb/"
    tmpdir="/media/tmp/"
    # Reuse the directory list stored on the first line of the saved sums.
    places=`gunzip < "$basedir"ids | head -n 1`
    echo $places > "$tmpdir"idscheck.tmp
    for i in $places
    do
      echo checking $i
      # md5 `find "$i"/* 2>/dev/null` >> "$tmpdir"idscheck.tmp
      find $i \! -type d -exec md5 {} \; >> "$tmpdir"idscheck.tmp
    done
    # Lines starting with < come from the saved list, > from the fresh scan.
    gunzip < "$basedir"ids | diff -s - "$tmpdir"idscheck.tmp | grep '[<>]' | sed 's/ MD5 / /g' | sort -k 2
    rm "$tmpdir"idscheck.tmp
    Run this as root (sudo), obviously. With NetBSD's md5 and diff, the output looks like this:
    ...
    <this file changed SUM34DF7723ab7e6
    >this file changed SUM8f72ab2737d11
    ...
    <this file was deleted SUM...
    ...
    >this is a new file SUM...
    I thought about compiling a statically linked find and md5 and putting those on the USB drive but... meh. Good enough for a desktop.