Slashdot Mirror


Microsoft Warns of Impossible to Clean Spyware

darkjedi521 writes "The Inquirer has a story that the next generation of Windows spyware and exploits are starting to make use of "kernel rootkits". A paper at Microsoft Research has details on a prototype detection tool. Computerworld has more details, as well." From the article: "Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools..."

19 of 813 comments

  1. Bruce Schneier on the Prototype Detection Tool by Noksagt · · Score: 5, Informative
    Bruce covered the tool in a recent post on his blog. He says:
    This is a really interesting technical report from Microsoft. It describes a clever prototype -- called GhostBuster -- they developed for detecting arbitrary persistent and stealthy software, such as rootkits, Trojans, and software keyloggers. It's a really elegant idea, based on a simple observation: the rootkit must exist on disk to be persistent, but must lie to programs running within the infected OS in order to hide.

    Here's how it works: The user has the GhostBuster program on a CD. He sticks the CD in the drive, and from within the (possibly corrupted) OS, the checker program runs: stopping all other user programs, flushing the caches, and then doing a complete checksum of all files on the disk and a scan of any registry keys that could autostart the system, writing out the results to a file on the hard drive.

    Then the user is instructed to press the reset button, the CD boots its own OS, and the scan is repeated. Any differences indicate a rootkit or other stealth software, without the need for knowing what particular rootkits are or the proper checksums for the programs installed on disk.

    Simple. Clever. Elegant.

    In order to fool GhostBuster, the rootkit must 1) detect that such a checking program is running and either not lie to it or change the output as it's written to disk (in the limit this becomes the halting problem for the rootkit designer), 2) integrate into the BIOS rather than the OS (tricky, platform specific, and not always possible), or 3) give up on either being persistent or stealthy. Thus this doesn't eliminate rootkits entirely, but is a pretty mortal blow to persistent rootkits.

    Of course, the concept could be adopted for any other operating system as well.

    This is a great idea, but there's a huge problem. GhostBuster is only a research prototype, so you can't get a copy. And, even worse, Microsoft has no plans to turn it into a commercial tool.

    This is too good an idea to abandon. Microsoft, if you're listening, you should release this tool to the world. Make it public domain. Make it open source, even. It's a great idea, and you deserve credit for coming up with it.

    Any other security companies listening? Make and sell one of these. Anyone out there looking for an open source project? Here's a really good one.

    Note: I have no idea if Microsoft patented this idea. If they did and they don't release it, shame on them. If they didn't, good for them.
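
    The cross-view comparison Schneier describes, as an added example (not GhostBuster's code and not from the post): the same checksum routine produces both views, the clean-boot view is taken as ground truth, and anything the in-OS view hides, invents or misreports shows up in the diff. The directory tree, file names and the doctored in-OS view are constructed for the demo.

```python
import hashlib
import os
import tempfile

def scan_tree(root):
    """Checksum every regular file under root: {relative path: sha256 hex}.
    The same routine runs from inside the suspect OS and again from the clean boot."""
    view = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            view[os.path.relpath(full, root)] = digest.hexdigest()
    return view

def cross_view_diff(inside_view, outside_view):
    """Differences between the in-OS view and the clean-boot view.
    hidden:  on disk but not reported from inside (the classic hiding case)
    phantom: reported from inside but absent on disk
    changed: same path, different checksum (lying about contents)"""
    hidden = sorted(set(outside_view) - set(inside_view))
    phantom = sorted(set(inside_view) - set(outside_view))
    changed = sorted(p for p in inside_view
                     if p in outside_view and inside_view[p] != outside_view[p])
    return {"hidden": hidden, "phantom": phantom, "changed": changed}

def demo():
    """Constructed scenario: a small tree whose in-OS view is doctored the way a
    file-hiding rootkit would doctor it (one file dropped, one file's contents faked)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        for rel, data in {"system32/kernel.dll": b"legit kernel bits",
                          "system32/rootkit.sys": b"hidden driver",
                          "boot.ini": b"[boot loader]"}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        outside = scan_tree(root)                      # honest view: clean boot
        inside = dict(outside)                         # in-OS view, then doctored:
        del inside[os.path.join("system32", "rootkit.sys")]                # hidden file
        inside["boot.ini"] = hashlib.sha256(b"clean-looking").hexdigest()  # faked contents
        return cross_view_diff(inside, outside)

if __name__ == "__main__":
    print(demo())
```
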
  2. Here's the link to a free SP2 CD from Microsoft by xTK-421x · · Score: 4, Informative

    Install SP2 before you connect a Windows XP machine to the internet.

    The last time I connected a fresh Windows XP RTM box to the internet, it was infected with MS Blaster in 6 minutes.

    Windows XP Service Pack 2 on CD FREE

    --
    "TK-421, why aren't you at your post?"
  3. Re:Further proof by jonbryce · · Score: 4, Informative

    Can you install a linux rootkit by viewing a web page in Mozilla / Konqueror?

  4. Re:This isn't really a problem by Spetiam · · Score: 4, Informative

    Deep Freeze is much simpler.

  5. Re:Argument for Partitioning by slaker · · Score: 4, Informative

    There does exist a tool called "linkd" in the Windows 2003 Server resource kit, which allows you to set mount points via the command line.

    So you install a system. Use two partitions. Pull the drive. Install the 2nd drive on a working Windows machine. Copy the "Documents and Settings" to the second partition of the newly installed drive. Then use linkd to create a "Documents and Settings" mount point from one partition to the other.

    As a semi-serious builder/hobbyist, when I build a system, I use preconfigured sysprep images where I have already done this (the mount point linkage IS copied by programs like ghost that support NTFS5). I can restore a single partition or the whole disk. Either way. I distribute a restore DVD to my customers that can fix their spyware- and virus-hosed Windows installs without killing all the pictures they took with their digital camera etc.

    It took me a bit of fiddling to make sure I have the process right, but for the number of times it's saved me two hours' work, I almost want to cry.

    --
    -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
  6. Re:Ok... by Zocalo · · Score: 5, Informative

    Actually, most *NIX rootkits have been intercepting system calls to the kernel and replacing common command tools that might be used to detect and remove them for ages. I haven't heard of one that can avoid detection by the likes of Chkrootkit and Rootkit Hunter yet, other than by being brand new of course. Naturally, that doesn't automatically mean that it's impossible to write one though.

    --
    UNIX? They're not even circumcised! Savages!
  7. Hmm by ctr2sprt · · Score: 4, Informative
    Maybe I'm missing something, but this doesn't seem like anything new. Google for HackerDefender, I'm sure you'll find some relevant links. It intercepts the appropriate system calls to make itself completely invisible: it hides its processes as it's running, it hides the services that start them, etc. I've been seeing it on my employer's Windows servers for quite some time. There are ways to clean it, though they could of course be circumvented as well. The foolproof way to remove it is to boot from a special Windows boot CD and delete the files it uses.

    Unless there's something really new and complex going on here, not only is this not new, but IT professionals already have ways of dealing with it. In our case, on a live system with one reboot required. I wouldn't call it minor, certainly (10 minutes of downtime is 10 minutes of downtime), but... hell, if script kiddies have been using this for months and months...

  8. Re:Further proof by CaptKilljoy · · Score: 4, Informative

    I don't think a *nix kernel rootkit has ever existed, where a program can modify the kernel and is impossible to remove.

    It would have taken all of 30 seconds to google in advance:
    http://www.google.com/search?hl=en&q=unix+rootkit+kernel&btnG=Google+Search

    --A closed mouth gathers no foot.

  9. Re:Unpossible to Clean SpyWare? by pbranes · · Score: 5, Informative
    One of my job functions at the university where I'm employed is to fix student computers. 95% of the calls we receive are spyware/virus related. We have stopped trying to disinfect Windows from inside the operating system because it is pointless - there is no way to clean everything off from within the operating system. What we do is boot off of a BartPE bootable CD, connect to the network, update the virus scanner & Ad-Aware, and clean off the hard drive. Then we proceed to boot the computer into Windows to finish the final clean-up.

    So, it surprises me that a report about this kind of ad-ware/viruses is just now coming out because we have been dealing with impossible-to-remove software for at least a year now. Fortunately the only way to defeat a BartPE scan is to install a BIOS virus - and almost nobody does that any more. :-)

  10. Re:Unpossible to Clean SpyWare? by greed · · Score: 3, Informative
    A number of packaging utilities (mainly those not used on consumer-targeted OSes like Mac OS X and Windows) track checksums, sizes and permissions of installed files. At least, those that the packager indicates are expected to be non-mutable after install--so, typically, the contents of /usr, but not /etc or /var.

    The downside is, the repository of known sizes and checksums is stored on local disk. The upside is they are also recorded, in a fairly easy to retrieve form, on the original install media, and the updates are recorded with each patch file also.

    So a good sysadmin doesn't have to track all that, because a good system already did it for him. A good sysadmin would want to make sure there's a way to get into the system from known-good media and access the checksum database from alternate media. Instead of trying to rebuild the DB from install media, it could be just as good to back up the DB when the system is in a known good state. (Just after clean install; before each update, verify the system from clean boot and an offline copy of the checksum db, and so on.)

    On AIX, use "lppchk", Solaris has "pkgchk", and RPM-based Linuxes have "rpm --verify".

    OK, I lied about Mac OS X, though I don't know of any way to verify the information. 'lsbom' will list the information from a bill of materials file, and these are kept in /Library/Receipts/$PackageName. Disk Utility's "Repair Permissions" uses at least part of the information; maybe I'll intentionally screw up a system file and see if it reports a size verification or checksum failure on it.

    Now, of course, anything you put on a system which doesn't use the system package manager won't be recorded in the system package database. So you can't find out it is there, or validate it, or anything.

    From my recollections of working with InstallShield a few years ago, it does not track this kind of information at all. I could be wrong about this, it's been quite a while--NT 4.0 was still new!

  11. OSX definitely has some positives. by nortcele · · Score: 3, Informative

    OSX is more secure in many ways. For those that know what they are doing... (they usually don't get infected but that's beside the point) you can use the "chflags schg" command as root to lock a file so that it cannot be modified. The flag can only be cleared in single-user mode. Standard Linux distros with ext2/ext3/reiserfs don't have that. I'm not really up to speed on WinXP or 2003, so I don't know if they have a single user mode (or a real multi-user mode). But OSX can be hardened to where you can be sure the kernel or critical libs cannot be updated.

  12. Re:Unpossible to Clean SpyWare? by Rosco+P.+Coltrane · · Score: 4, Informative

    I prefer to have read-only filesystems. That way, every reboot guarantees a clean system.

    You think it's a joke, but actually I do almost exactly that: for the few times I actually do need to use Windows, chiefly to use AutoCAD, I boot Win98 in VMWare and set it to always return to the hard-disk snapshot it booted with. That way, I can get as many xyz-wares on the Windows box, it'll always come back pristine the next time I restart it. And whenever I need to install something new, or change something in the Windows install, I do it carefully and take a new snapshot when I'm happy with it.

    Honestly, VMWare is the best way to use Windows :-)

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  13. Re:Unpossible to Clean SpyWare? by node+3 · · Score: 4, Informative

    Argh! This is one of the most blatantly obvious mistakes that always get modded up on Slashdot.

    Yes, absolutely every general purpose OS can be rooted, spywared, hacked, or otherwise compromised.

    By analogy, anything can kill you, poison can kill you, water can kill you, a bullet can kill you and a butterfly can kill you. Being possible is not the same as being probable.

    In the binary, off/on, sense, security can theoretically be compromised. But we don't live in theory, we live in practice. There are no known kernel exploits for Mac OS X, there is no known spyware, there are no known viruses, there have been a handful of OS X specific exploits that require the user to run a program (and generally ask you to supply an admin password), and have all been "proof of concepts". The bulk of OS X security updates have been for Open Source/Unix apps, which are all turned off by default, and have never been reported as actually exploited.

    It's virtually impossible to just randomly get rooted, trojaned, hit by a virus, or otherwise find your Mac is pwn3d. On Windows, you need to be fairly diligent, and even then you can't be sure.

    You gotta ask yourself why this is. The answer isn't just "Windows is more common" (although that is a part of it). Windows is inherently flawed from a security standpoint. Mac OS X is inherently secure (relatively speaking). That doesn't mean it's impossible to hack a Mac, but it does mean that the risks are fewer, and are far more easily mitigated.

    When someone says, "Windows is malware-ridden, I'm switching to a Mac" (sometimes a toothless threat, sometimes not), the response, "but it's possible to write a rootkit for Mac OS X too," is not a counter-argument. It's, at best, a warning that someday that Mac might possibly, but not very likely, get a virus or something... maybe, probably not though.

  14. Re:It's recommended, but not 100% necessary. by hankwang · · Score: 5, Informative
    You keep a LiveCD with MD5 hashes for the current versions of all of your binaries?

    Step 1: Take your Fedora or whatever installation CDs with all the original RPM files.

    Step 2: Issue the command: rpm -Vp *.rpm

    Step 3: All files that have a "5" in front of them have a wrong MD5 checksum.
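
    An added example (not from the comment) that reads the report lines rpm -V / rpm -Vp print and pulls out the entries whose "5" column is set or that are missing entirely, skipping config and documentation files, which legitimately change after install. The column meanings are rpm 4.x's 8/9-column form; the sample report is constructed, not captured from a real system.

```python
# Column letters printed by rpm -V / rpm -Vp (rpm 4.x; a '.' means that test passed).
FLAG_MEANINGS = {
    "S": "size differs", "M": "mode differs", "5": "MD5/digest differs",
    "D": "device major/minor differs", "L": "symlink target differs",
    "U": "user differs", "G": "group differs", "T": "mtime differs",
    "P": "capabilities differ",
}
# Optional one-letter file attribute printed between the flags and the path.
ATTR_MARKERS = {"c": "config", "d": "documentation", "g": "ghost",
                "l": "license", "r": "readme"}

def parse_rpm_verify(output):
    """Parse rpm -V report lines into dicts: path, missing, flags, attr, reasons."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "missing":          # file absent from disk entirely
            missing, flags = True, ""
        else:
            missing, flags = False, parts[0].replace(".", "")
        rest = parts[1:]
        attr = None
        if rest and rest[0] in ATTR_MARKERS:
            attr = ATTR_MARKERS[rest[0]]
            rest = rest[1:]
        reasons = ["file missing"] if missing else [FLAG_MEANINGS.get(f, f) for f in flags]
        entries.append({"path": " ".join(rest), "missing": missing,
                        "flags": flags, "attr": attr, "reasons": reasons})
    return entries

def suspicious_binaries(output):
    """Paths whose contents changed ('5') or are missing, skipping config and
    documentation files, which are expected to differ from the package."""
    return [e["path"] for e in parse_rpm_verify(output)
            if ("5" in e["flags"] or e["missing"])
            and e["attr"] not in ("config", "documentation")]

# Constructed sample report (not real rpm output from any system).
SAMPLE_OUTPUT = """\
S.5....T.    /bin/ls
S.5....T.  c /etc/login.defs
.M.......    /usr/bin/passwd
missing      /sbin/ifconfig
..5....T.  d /usr/share/doc/foo/README
"""

if __name__ == "__main__":
    print(suspicious_binaries(SAMPLE_OUTPUT))
```
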

  15. Re:It's recommended, but not 100% necessary. by temojen · · Score: 4, Informative

    That's why patching local privilege escalation bugs is important.

  16. Re:Unpossible to Clean SpyWare? by Macgruder · · Score: 5, Informative

    I've been using BartPE for a year now. The initial basic setup is very easy. It's also easy to customize it to add in your applications. Well, it's easy to add it into BartPE (loadable .inf files), but sometimes you have to do a LOT of digging into Windows and the specific application to determine WHAT you need to add to said .inf.

    My BartPE disk has Ad-Aware SE, and I use SFX to make a self-extracting executable of Spybot. For AV stuff, I use the McAfee GUI plugin for their command line scanner, and Sysclean (by the same folks that make PC-cillin). Also McAfee's Stinger is loaded, too.

    I put it on a CD-RW, and once a week d/l the updates, then use the Bart PEBuilder program to rebuild an ISO, and burn that to a CD-RW.

    Virus scans, spyware files... all are gone without having to boot into the compromised OS. Registry cleaning requires you to boot into the OS, but once the files are gone, that makes it a lot easier to clean.

    It's not 100%, but it vastly improves the chances of fixing the system, with minimal time (30 mins a week to get the updates, 20 mins of actual work running the Bart disk to clean a system).

    --
    I'm not crazy, I'm actively irresponsible.
  17. Re:Unpossible to Clean SpyWare? by Slack3r78 · · Score: 3, Informative

    Check the 911 forums (Bart links them from the Nu2 site) for a modified Ad-Aware plugin that uses RunScanner. It'll let you scan the host system's registry from within Bart. I've added it to my latest builds this week, and it's been a great time saver and seems to work well.

    I'd link you myself, but I'm stuck on dial up at the moment. :)

  18. Re:Beware of trusted computing by dustmite · · Score: 4, Informative

    Yes, the "push" has begun ... "this is why computers should only run software from 'trusted', 'licensed' software vendors, and only on 'trusted', 'licensed' hardware", they will say ... the ultimate industry lockout to new potential competitors. And the sad thing is the excuse is a flawed premise; the current widespread and rapidly increasing malware problems are primarily because Windows is such a mess internally. Windows is imploding. And they must have known it was going to happen, over a year ago already, when they suddenly decided to start this massive new focus on security .. they knew their security sucked, they saw this coming, and now they're doing two things: (a) trying to patch Windows fast enough to prevent a total implosion and sudden mass exodus from the platform, and (b) trying to capitalise on all the spyware and viruses to push 'trusted' computing platforms in order to gain control of the platform to create artificial barriers to entry for new small competitors.

  19. Re:Unpossible to Clean SpyWare? by Sven+The+Space+Monke · · Score: 3, Informative

    If you want to build a BartPE disk, check out The Ultimate Boot CD for Windows. It's a massive collection of plugins and drivers for BartPE. Ad-Aware, HijackThis, McAfee, defraggers, etc. Here's a list of apps it comes with.

    Hands down, bar none, the best place to start your BartPE plugin collection.

    --
    A man who can't pronounce "nuclear arsenal" shouldn't have one -sig ends here.