Microsoft Warns of Impossible to Clean Spyware

darkjedi521 writes "The Inquirer has a story that the next generation of Windows spyware and exploits are starting to make use of "kernel rootkits". A paper at Microsoft Research has details on a prototype detection tool. Computerworld has more details, as well." From the article: "Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools..."

Bruce Schneier on the Prototype Detection Tool

[Noksagt]

Bruce covered the tool in a recent post on his blog. He says:

This is a really interesting technical report from Microsoft. It describes a clever prototype -- called GhostBuster -- they developed for detecting arbitrary persistent and stealthy software, such as rootkits, Trojans, and software keyloggers. It's a really elegent idea, based on a simple observation: the rootkit must exist on disk to be persistent, but must lie to programs running within the infected OS in order to hide.

Here's how it works: The user has the GhostBuster program on a CD. He sticks the CD in the drive, and from within the (possibly corrupted) OS, the checker program runs: stopping all other user programs, flushing the caches, and then doing a complete checksum of all files on the disk and a scan of any registry keys that could autostart the system, writing out the results to a file on the hard drive.

Then the user is instructed to press the reset button, the CD boots its own OS, and the scan is repeated. Any differences indicate a rootkit or other stealth software, without the need for knowing what particular rootkits are or the proper checksums for the programs installed on disk.

Simple. Clever. Elegant.

In order to fool GhostBuster, the rootkit must 1) detect that such a checking program is running and either not lie to it or change the output as it's written to disk (in the limit this becomes the halting problem for the rootkit designer), 2) integrate into the BIOS rather than the OS (tricky, platform specific, and not always possible), or 3) give up on either being persistent or stealthy. Thus this doesn't eliminate rootkits entirely, but is a pretty mortal blow to persistent rootkits.

Of course, the concept could be adopted for any other operating system as well.

This is a great idea, but there's a huge problem. GhostBuster is only a research prototype, so you can't get a copy. And, even worse, Microsoft has no plans to turn it into a commercial tool.

This is too good an idea to abandon. Microsoft, if you're listening, you should release this tool to the world. Make it public domain. Make it open source, even. It's a great idea, and you deserve credit for coming up with it.

Any other security companies listening? Make and sell one of these. Anyone out there looking for an open source project? Here's a really good one.

Note: I have no idea if Microsoft patented this idea. If they did and they don't release it, shame on them. If they didn't, good for them.

Re:Ok...

[Zocalo]

Actually, most *NIX rootkits have been intercepting system calls to the kernel and replacing common command tools that might be used to detect and remove them for ages. I haven't heard of one that can avoid detection by the likes of Chkrootkit and Rootkit Hunter yet, other than by being brand new of course. Naturally, that doesn't automatically mean that it's impossible to write one though.

Re:Unpossible to Clean SpyWare?

[pbranes]

One of my job functions at the university where I'm employed is to fix student computers. 95% of the calls we receive are spyware/virus related. We have stopped trying to disinfect Windows from inside the operating system because it is pointless - there is no way to clean everything off from within the operating system. What we do is boot off of BartPE bootable CD, connect to the network, update the virus scanner & adaware, and clean off the hard drive. Then we proceed to boot the computer into windows to finish the final clean-up.

So, it surprises me that a report about this kind of ad-ware/viruses is just now coming out because we have been dealing with impossible-to-remove software for at least a year now. Fortunately the only way to defeat a BartPE scan is to install a BIOS virus - and almost nobody does that any more. :-)

Re:It's recommended, but not 100% necessary.

[hankwang]

You keep a LiveCD with MD5 hashes for the current versions of all of your binaries?

Step 1: Take you Fedora or whatever installation cd's with all the original RPM files.

Step 2: Issue the command: rpm -Vp *.rpm

Step 3: All files that have a "5" in front of them have a wrong MD5 checksum.

Re:Unpossible to Clean SpyWare?

[Macgruder]

I've been using BartPE for a year now. The inital basic setup is very easy. It's also easy to customize it to add in your applications. Well, it's easy to add it into BartPE (loadable .inf files) , but sometimes you have to do a LOT of digging into Windows and the specific application to determine WHAT you need to add to said .inf.

My BartPE disk has Ad-Aware SE, and I use SFX to make self-extracting executable of Spybot. For AV stuff, I use Mcafee GUI plugin for their command line scanner, and Sysclean (by the same folks that make pc-cillin). Also Mcafee's Stinger is loaded, too.

I put it on a CD-RW, and once a week d/l the updates, then use the Bart PEBuilder program to rebuild an ISO, and burn that to a CD-RW.

Virus scans, spyware files... all are gone without having to boot into the compromised OS. Registry cleaning requires you to boot into the OS, but once the files are gone, that makes it a lot easier to clean.

It's not 100%, but it vastly improves the chances of fixing the system, with minimal time (30 mins a week to get the updates, 20 mins of actual work running the Bart disk to clean a system)