Slashdot Mirror


Microsoft Warns of Impossible to Clean Spyware

darkjedi521 writes "The Inquirer has a story that the next generation of Windows spyware and exploits are starting to make use of 'kernel rootkits'. A paper at Microsoft Research has details on a prototype detection tool. Computerworld has more details, as well." From the article: "Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools..."


  1. Nothing is impossible to clean by Neil+Blender · · Score: 2, Insightful

    Reinstall windows.

    1. Re:Nothing is impossible to clean by ackthpt · · Score: 5, Insightful
      > Reinstall windows.

      Funny how many people seem to take this lightly. The way I see it:

      Reinstall Windows

      Reinstall all software, including some pesky registrations

      Update all drivers to where you were beforehand

      Put back all your customizations, default settings, etc.

      Yeah, not impossible, but makes a boot to the head sound appealing.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Nothing is impossible to clean by tehshen · · Score: 1, Insightful

      That would never be a suggestion from Microsoft. The installation for Windows XP is so damn tricky that the common Windows user wouldn't have a hope in hell of completing it. Why do I need to download six floppy disks? What's a partition? Why does it take an age for it to detect RAM?

      Also they would have to deal with the new install blues - You have 30 days to activate Windows! Take a tour of Windows XP! Have you signed up for your MSN Passport? Please install some drivers or stuff will be broken! Not to mention the software they got preinstalled won't be there.

      I'm not sure what Microsoft can do - reinstalling is simply not an option for people who expect it to "just work".

      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
    3. Re:Nothing is impossible to clean by Oriumpor · · Score: 2, Insightful

      Be careful, rootkits have a nasty tendency to leave hooks. Shutting down your PC might result in your bios being flashed to 0000000000000000000000.

      But then again, that's not the goal of spyware companies, not that they'll be the ones you *really* have to worry about.

    4. Re:Nothing is impossible to clean by ThatDamnMurphyGuy · · Score: 3, Insightful

      > Yeah, not impossible, but makes a boot to the head sound appealing.

      Well, you can make a custom XP CD slipstreamed with SP2 including all of your drivers and programs that get installed automatically.

      It's not quick, and it's not for Mom and Pop, but once it's done, reinstalling is a breeze and the time spent pays off the first time you use it.

    5. Re:Nothing is impossible to clean by mboverload · · Score: 2, Insightful

      I don't know where you live, but around here a user can hit the next button 50 times.

    6. Re:Nothing is impossible to clean by truesaer · · Score: 4, Insightful
      > The installation for Windows XP is so damn tricky that the common Windows user wouldn't have a hope in hell of completing it.


      Is this a joke? You boot off the CD and then the most complicated thing you have to do from there is choose your timezone. You don't have to know anything to install Windows XP...

    7. Re:Nothing is impossible to clean by Vicegrip · · Score: 3, Insightful

      OH BS... unless XP has the drivers you need bundled with it, you aren't connecting to a network, and you're only planning on using solitaire and not gaming, there's a lot of work to do to get a system installed right. Oh, hope the user doesn't start with a pre-SP1 install.. connecting to the network will be really fun then.

      --
      Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
  2. Re:This isn't really a problem by clueless+idiot · · Score: 2, Insightful

    I would amend this. Add:

    4. a. Install hardware NAT firewall

    These cost, what, $40 now. This will help you survive long enough to download patches.

  3. I am not surprised... by Noryungi · · Score: 2, Insightful

    I spent almost two weeks trying to clean the VX2 spyware from a computer that belonged to one of my brothers in law... only to learn the only way to kill this p* of s* is to remove the infected hard disk, plug it into another (uninfected) computer and reformat the whole thing. I kid you not.

    I stopped providing "free technical support" to my brothers in law a short while after that episode. And yes, my machines run Linux or OpenBSD.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:I am not surprised... by jdog1016 · · Score: 2, Insightful

      I recommend just telling everyone you know to go buy a Mac. Problem solved--no more technical support needed from me.

  4. No, the correct procedure is: by mrchaotica · · Score: 2, Insightful

    Uninstall Windows.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  5. Re:Unpossible to Clean SpyWare? by timeOday · · Score: 5, Insightful

    I agree it's extreme. They should offer a downloadable bootable CD that verifies the checksums of all system files.

  6. Don't get too smug... by Realistic_Dragon · · Score: 3, Insightful

    ...rootkits for Linux are also a bitch to find and get rid of. It's only because we have had this risk for longer that we have good tools to find, remove and otherwise manage the risk... but how many Linux users actually do this?

    Probably the same five who spool logs to another server as well as write-only tape and run everything in chroot, I suspect.

    --
    Beep beep.
    1. Re:Don't get too smug... by ThisIsFred · · Score: 2, Insightful

      Right on. If you haven't checked every bit in storage yourself (impossible), then consider the machine tainted. Check/backup your data, then reinstall.

      --
      Fred

      "A fool and his freedom are soon parted"
      -RMS
  7. Impossible to clean now by totallygeek · · Score: 2, Insightful
    The obscure registry and asinine DLL structure, coupled with incomplete process lists and poorly-defined startup parameters, make most spyware impossible to scrape off a system to date.

  8. Windows is catching up to Linux! by bigtallmofo · · Score: 2, Insightful

    I remember attempting to clean systems that had the Linux Rootkit installed on them in the past. Can't trust results of ps, can't trust results of netstat, can't trust anything.

    I can't even imagine having this type of situation on a Windows box. There are just so many more places to hide things, and most even technically knowledgeable people wouldn't know what to do if their favorite process list application or network connection lister only shows you what the spyware author wants you to see.

    If you can even discern there is a problem, re-formatting is your only hope.

    --
    I'm a big tall mofo.
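A defender's first online check for the situation described above (a ps whose output can't be trusted) is a cross-view diff: enumerate processes through two independent paths and look for what one view reports and the other omits. This is an added example in Python for Linux, not code from the thread or from the Microsoft Research tool; it assumes /proc and a ps binary are available, and it can only catch a rootkit that filters one view but not the other, so a clean offline boot remains the reliable test.

```python
import os
import subprocess
import time


def pids_from_proc():
    """Low-level view: every numeric directory name under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """High-level view: the PIDs the ps tool is willing to report."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(low_level, high_level):
    """PIDs present in the low-level view but absent from the high-level one."""
    return sorted(low_level - high_level)


def stable_hidden_pids(samples=3, pause=0.2, low=pids_from_proc, high=pids_from_ps):
    """Repeat the diff and keep only the PIDs hidden in every sample.

    A process that exits between the two enumerations shows up as a one-off
    discrepancy; a process hidden by a filtering rootkit stays hidden across
    all samples. `low` and `high` are injectable so the logic can be driven
    by constructed views (see demo()).
    """
    surviving = None
    for _ in range(samples):
        diff = set(hidden_pids(low(), high()))
        surviving = diff if surviving is None else surviving & diff
        if not surviving:
            break
        time.sleep(pause)
    return sorted(surviving)


def demo():
    """Constructed views (not real data): /proc shows pid 4242 that the
    hooked ps view omits, plus a short-lived pid 5001 that only the first
    sample catches and that must therefore be discarded."""
    proc_samples = iter([{1, 2, 100, 4242, 5001},
                         {1, 2, 100, 4242},
                         {1, 2, 100, 4242}])
    ps_samples = iter([{1, 2, 100}, {1, 2, 100}, {1, 2, 100}])
    return stable_hidden_pids(samples=3, pause=0,
                              low=lambda: next(proc_samples),
                              high=lambda: next(ps_samples))


if __name__ == "__main__":
    print("constructed views, hidden:", demo())
    print("this host, hidden:", stable_hidden_pids())
```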
  9. Re:Unpossible to Clean SpyWare? by temojen · · Score: 4, Insightful

    Except that's the recommended course of action for a rooted UNIX/Linux/BSD machine too (along with figuring out how it was rooted, plugging the hole, and preserving any evidence).

  10. Re:Unpossible to Clean SpyWare? by Qzukk · · Score: 5, Insightful

    Maybe it is time to look at a Mac.

    Kernel-level rootkits have plagued Unixes (including Linux) for a long time. Fortunately on Linux most suck, and can be detected with chkrootkit (yet how many out there that aren't detectable...), and (this is true for windows as well) any of them can be found simply by inspecting the drive from a known clean boot media.

    Removing rootkits (kernel level or not) from any OS requires either guruhood, an exact knowledge of which rootkit(s) was used and what files they trojan (as well as a clean source to restore those files from), or a reformat-reinstall-restore(dataonly)frombackups.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  11. Re:This isn't really a problem by Zebano · · Score: 2, Insightful

    That sounds very similar to what I do for my wife's computer:

    1. Buy new PC
    2. DO NOT PLUG IN NETWORK CABLE
    3. Image drive to external storage with Ghost or the like
    4. Unplug external storage
    5. Plug in network cable
    6. Let her play around for about 2 weeks
    7. Restore image made in step 3
    8. Goto 4

    --
    You hate your job? There's a support group for that. It's called "everybody" and they meet at the bar. -Drew Carey.
  12. Re:Unpossible to Clean SpyWare? by ackthpt · · Score: 5, Insightful
    > I agree it's extreme. They should offer a downloadable bootable CD that verifies the checksums of all system files.

    Not likely, as you and I may have XP Developer Edition, but where are you in your patches? Hmm?

    Seems the best way to handle this is to run all browser processes at a very low security level.

    --

    A feeling of having made the same mistake before: Deja Foobar
  13. Rootkit cleaning by Craig+Ringer · · Score: 3, Insightful

    As far as I know, rootkits like that have been the norm rather than the exception on Linux and, I think, the BSDs for some time. I don't know about the other UNIXes and UNIX-like OSes (like MacOS/X), but I'd be surprised if it wasn't the case to some extent there too.

    It's been widely recognised for a while that if your system is cracked, the only way to be fairly sure you've cleaned it is to reformat it and start again then *carefully* restore data from backups. I don't see how this is news.

  14. Re:You're infected! Not me. by Kpt+Kill · · Score: 5, Insightful

    You're telling me that when Joe User installs his Linux version of Kazaa and it pops up the message, you must install with root... enter password... Linux, Solaris, Mac, anything will be immune to the malware? I think not. Users don't read popups. If they are prompted for root... they will type it in.
    I've even seen Macromedia Flash boxes pop up to alert you that IE has blocked their ActiveX script, and the user should do the following steps to install the plugin. And people do.

  15. Re:Still behind the times by Rhys · · Score: 2, Insightful

    Thank god your average linux account can't go modify the kernel, unlike your average windows account! Maybe now they'll have to finish catching up.

    --
    Slashdot Patriotism: We Support our Dupes!
  16. Re:Unpossible to Clean SpyWare? by CaptKilljoy · · Score: 4, Insightful

    That sounds rather drastic.

    Um, dude, a rootkit for *any* OS that hides itself by intercepting kernel calls is effectively uneradicable except by total reinstall. How the hell would a Mac save you from that?

  17. Re:Unpossible to Clean SpyWare? by JudgeFurious · · Score: 2, Insightful

    Long past time actually. Come on over to the Mac side. Everybody seriously, there's plenty of room over here.

    --
    Appended to the end of comments you post. 120 chars.
  18. It's recommended, but not 100% necessary. by khasim · · Score: 5, Insightful

    With Linux, you can boot from a live CD and validate every file and package on your system.

    You can even chroot the system, wipe the boot sector and re-install the kernel.

    This might be "impossible" to clean on Windows, but on Linux, it's just really annoying.

    1. Re:It's recommended, but not 100% necessary. by Anonymous Coward · · Score: 0, Insightful
      > With Linux, you can boot from a live CD and validate every file and package on your system
      You keep a LiveCD with MD5 hashes for the current versions of all of your binaries? Have you looked at the number of entries in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin...

      How about /lib, /usr/lib, /usr/local/lib, /var/lib?

      Dumbass.
      > but on Linux, it's just really annoying
      If you've been rooted, dd if=/dev/zero of=/dev/hdX bs=512 count=1024, then reinstall from known good media.
  19. Re:Unpossible to Clean SpyWare? by Master+Bait · · Score: 2, Insightful

    If we were all excellent system admins, we would have an md5 sum of each kernel and each pertinent file in /etc and each binary in the /sbin and /bin directories. I don't but it would probably be a good idea.

    --
    "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
    --Tom Schulman
  20. No Clean Boot? by Sloppy · · Score: 2, Insightful
    This is new?! It has always been orthodox antivirus doctrine that you cannot count on being able to reliably clean a compromised system while you are running that compromised system.

    Once you're infected, in order to detect or clean, you have to cold boot from known clean media. How to conveniently do this with Windows, I have no idea. (I used to sometimes check clients' machines by booting from an MS-DOS 6.22 floppy and running F-Prot, but it got harder'n'harder to make that work, for a variety of reasons. It eventually got where the only way I knew to reliably do it, was to physically transplant their hard disk to another Windows machine that was known to be ok. As this was usually impractical, expensive, etc, people stopped asking me for help. ;-)

    That's one of the reasons I consider the Windows AV market to mainly be snake-oil. In my limited experience with Windows, all the AV products I've seen, were just applications that the user was expected to run while possibly already compromised. It amused me that people paid for that stuff.

    If you're relying on a scanner to detect and clean stuff after the fact, it's too late and you have no reasonable expectation of the product actually working. The only workable defense is to not get infected in the first place.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  21. Re:Admin = Screwed by The+Bungi · · Score: 2, Insightful
    Not all of them, no. The Windows installer has the capability to do certain things under different accounts. And how is that different from any other operating system? If only due to the need to write to normally protected directories (Program Files | /usr/bin or whatever).

    It would be no different from having to drop down to root and do a make install or some such.

  22. Impossible? by Digital+Avatar · · Score: 2, Insightful

    Heresy! There's no spyware that a little FORMAT C: can't handle!

  23. Re:Unpossible to Clean SpyWare? by dillon_rinker · · Score: 4, Insightful

    Of course, there are standardized tools to generate md5 sums of files. A good rootkit, before replacing a file, determines the md5 checksum of the file. Then, when the easily-detectable standardized tools ask for the checksum, the rootkit intercepts the request and feeds the tool garbage. Of course, there are countermeasures you can take, but they will tend to become standardized, leading to counter-counter-measures.

    What it boils down to is GIGO. If you don't trust the code running on your system, you can't trust ANY result reported by the system. The only solution is to force the system to run code you trust - i.e. boot to a floppy or CD.

  24. Not nearly the same problem by SuperKendall · · Score: 3, Insightful

    Yes, UNIX systems have had rootkit problems for a long time.

    However, how did those rootkits get installed? Typically through holes in services, like FTP server exploits or web server exploits or whatever.

    But OSX has none of those running by default. That's right, none. So while in theory possibly you could develop an exploit against, say, Apache on the Mac (the port you'd most likely be able to get to) it wouldn't reach many people at all, and so the user base would have to be quite huge to make it worth the effort to even try.

    The other potential vector is user apps like the browser or users simply running a silly program. But there the app has a greater hurdle, as no users on OSX are "root" users and thus are unable to easily install a rootkit. At best you'll get an admin user to possibly type in his password, but that will again affect a lot less people as not so many will be willing to type in an admin password just to see Blinky the fish swim around on-screen. Compare and contrast with so many Windows users that run Admin because some games require it.

    Lastly, let's say a rootkit does get through. Software Update runs on every Mac by default every week, so Apple has a chance to go after it that way. Possibly of course they can intercept what Software Update is doing, but it adds another layer of complexity to what they are doing.

    Yes, possibly the same thing can be done on a Mac. Just as someone can break into a car stored in a private garage - but it's a lot less likely than if you leave your car parked on the street in an iffy neighborhood, which is what all Windows boxes are nowadays. With SP2 all they've done is decided to park under the streetlight instead of in the shadows.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  25. Re:Boot from Knoppix CD by mwilliamson · · Score: 2, Insightful

    Yes, I agree that detecting an exploited kernel can never be reliably done while using the exploited kernel itself. (one more argument exemplifying the futility of the trusted computing base / DRM...but I digress) I think that Knoppix + NTFS (either the r/o GNU one or Captive NTFS + clean dll's) would make a good foundation for a detection/removal tool.

  26. Re:Unpossible to Clean SpyWare? by 4of12 · · Score: 3, Insightful

    The only problem being that Joe User won't think of downloading until the first sign of trouble. Which could mean that he's running \/\/1nd0z3 already, which means any downloaded CD image from that point in time forward can be made to appear bona fide.

    A bootable CD with a checksum or digital signature checker ought to come with the system.

    --
    "Provided by the management for your protection."
  27. Re:Happened to me 2 days ago. by rokzy · · Score: 3, Insightful

    you keep using that word ("can't"). I don't think it means what you think it means.

    of course you could switch browsers etc. what you mean is that it is more work than you are willing to do.

    just a nitpick on an otherwise interesting story.

    but I think it's an important nitpick because things can't keep going the way they are. with all the spam, spyware, viruses etc. there is going to come a point when businesses can't afford to have stupid employees running crap software.

    there ARE alternatives available for EVERYONE. adapting will be harder for some than others, but when the options become adapt or die, those using words like "can't" will find themselves on the wrong side of the evolutionary process.

  28. Re:Unpossible to Clean SpyWare? by Zocalo · · Score: 3, Insightful
    > They should offer a downloadable bootable CD that verifies the checksums of all system files.

    At first glance, it even seems like it would be fairly trivial to build one yourself assuming that you can maintain a clean set of files to generate checksums from. Once you have the files you can use the live distro and checksumming tool of your choice to do the comparisons and replace suspect files accordingly. However...

    The obvious problem is going to be dealing with DLL hell, especially if you want to include third party DLLs in your scanning tool. There are dozens of legitimate versions of some DLLs out there, especially for widely deployed things like the exploitable GDI DLLs that were at the centre of a "critical" patch a few months ago. Best of all, some apps are coded to require specific versions of those files and refuse to work with other versions. Yes, that's appallingly broken and terrible design, but it does happen, and checking the embedded DLL version number is no help - what's to stop a rootkit replacing a DLL with a version with an unused version number? How would you deal with an unknown version of a critical DLL in a known shared file directory for a third party vendor in a way that wouldn't confuse a typical user? Ignore it, and risk missing a rootkit? Delete it, and risk breaking an application (providing an option to restore it being an obvious safety net)? Or give the user a choice they probably won't understand between the two previous options?

    --
    UNIX? They're not even circumcised! Savages!
  29. Universal spyware solution! by L1nux_L0ser83 · · Score: 3, Insightful

    Step 1 - Install linux -end

    --
    Good Karma, Bad Karma, doesnt matter to me... I'm still going to say whats on my mind!
  30. Re:Happened to me 2 days ago. by Lew+Pitcher · · Score: 4, Insightful

    You say

    > This is getting ridiculous. Yes, you'll tell me to switch to Firefox, but we can't; I work in an artistic company with 1000+ PC and non-tech-savyy users, and tons of internal apps that were developped either with .Net or massive ACtiveX and other MS-only stuff, so we can't switch everything to Firefox, and having 2 browsers isn't a viable option either, since most of our users would simply get confused.

    and I say "That's the price of committing your business to proprietary software and interfaces that are someone else's profit centre."

    I know that this doesn't help you in your situation, but it does serve as a cautionary note for those who are not yet in that position, but are considering a move to proprietary software.

    Cheer up, though. Once the cost of supporting such a fragile situation exceeds the cost of migrating to a saner environment, you can put the case forth to move to a more secure, more open platform.

    Until then, you have my deepest sympathies.

    --

    "values of beta will give rise to dom!"

  31. Re:Security Levels by tehshen · · Score: 2, Insightful

    What about critical system updates? They often need to write to these critical system files. They would be protected against Joe PornMonger's worms and viruses as well as the updates. As he is always running as Administrator, there's no way to tell if it is a worm or an update agent requesting write-access to the files.

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.
  32. MS needs to release a bootable CD version by davidwr · · Score: 3, Insightful

    Sure, there's Bart's Preinstalled Environment bootable-cd-maker but MS really should release a bootable CD of its OSes, complete with cleanup- and other system-maintenance tools, to the community. Heck, I wouldn't even mind typing in my MS-Windows serial number or inserting a floppy that had a key-holding file copied from my hard disk every time I boot. Heck, I'll even pay $5 for the media and give Microsoft my name and address for a tool this useful.

    Knoppix rocks but there are some Windows-maintenance things that are much easier in a Windows-booted environment.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  33. Yes, it is the same problem by tetromino · · Score: 5, Insightful

    R00tkits will get installed on Macs the same way they get installed on Linux: through a combination of two exploits. First, the hacker uses an exploit to obtain shell access with an unprivileged account. Typical exploits include holes in Samba or CUPS (which OSX also uses), browser bugs (e.g. libpng overflows), holes in various daemons (if you use your OSX as a server), or even simply using a keylogger on a public machine to catch a user's password.

    Then, the hacker uses a second exploit to elevate his local shell access to local root. Typical exploits of this nature include thread race conditions in the kernel, the kernel failing to properly sanitize input, or problems when a process is shifted from one kernel security infrastructure to another. The Linux kernel had a number of local root exploits in the past few months. IIRC Apple usually doesn't publish its list of security vulnerabilities (it just puts the fixes on Software Update, without fully explaining what they fix), so I can't comment on the security of the darwin xnu kernel.

    Thus, I would say it's about as easy to install a rootkit on a Linux workstation as on an OSX desktop (and similarly, it's as easy to install a rootkit on a Linux server as on an OSX server). In other words, you need an unpatched system vulnerable to a specific pair of exploits, a clueless admin, and a skilled hacker -- which is not an impossible combination.

  34. Re:Unpossible to Clean SpyWare? by nacturation · · Score: 5, Insightful

    And when that day comes, I will be amazed at the greatness of the hackers. Given the complexity required just to find a trivial collision in MD5, the Earth will likely be destroyed in WWIII long before someone managed to get a complex trojan to generate the same hash value. But even still, it's easy to work around that -- just calculate hash values using several different hash algorithms. Given the odds of successfully finding a collision which matches, say, both MD5 and SHA-1, the universe will have long imploded by then.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
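The bootable checksum-verifying CD that timeOday, khasim and Zocalo discuss above, hashing every file with several algorithms as nacturation suggests, comes down to two steps: build a baseline from a known-good tree and keep it off the machine, then compare the suspect disk against it from clean boot media. This is an added example in Python, not a tool from the thread or from Microsoft; sha256 is an assumption beyond the two algorithms the thread names, and the demo's file names and contents are constructed.

```python
import hashlib
import os
import shutil
import tempfile

# Several independent algorithms per file: a replacement would have to collide
# under every one of them at once (sha256 is an assumption beyond the thread).
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 16


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for one file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_baseline(root):
    """Walk a tree and record size plus hashes for every regular file.

    Keys are paths relative to root with forward slashes. Symlinks are skipped
    so a planted link cannot make a good file stand in for a bad one.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), **hash_file(full)}
    return baseline


def verify_tree(root, baseline):
    """Compare a (possibly tampered) tree against a baseline built elsewhere.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}. Any
    disagreement in size or in any one digest counts as modified. Only
    meaningful when run from clean boot media against a read-only mount.
    """
    current = build_baseline(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in baseline.items():
        actual = current.get(rel)
        if actual is None:
            report["missing"].append(rel)
        elif any(actual[field] != expected[field] for field in expected):
            report["modified"].append(rel)
    report["unexpected"] = [rel for rel in current if rel not in baseline]
    for key in report:
        report[key].sort()
    return report


def _write(root, rel, data):
    with open(os.path.join(root, *rel.split("/")), "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a known-good tree and a tampered copy of it."""
    work = tempfile.mkdtemp()
    try:
        good = os.path.join(work, "good")
        os.makedirs(os.path.join(good, "system32"))
        _write(good, "system32/kernel.dll", b"original kernel code")
        _write(good, "system32/net.dll", b"original network code")
        _write(good, "boot.ini", b"[boot loader]\n")
        baseline = build_baseline(good)   # in practice saved off the machine

        tampered = os.path.join(work, "tampered")
        shutil.copytree(good, tampered)
        # Same length as the original, so a size-only check would pass it.
        _write(tampered, "system32/kernel.dll", b"HOOKED kernel code!!")
        os.remove(os.path.join(tampered, "boot.ini"))
        _write(tampered, "system32/hide.sys", b"dropped driver")
        return verify_tree(tampered, baseline)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```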
  35. Beware of trusted computing by NullProg · · Score: 4, Insightful

    For Microsoft to make a statement such as this could only mean one thing: they intend to push for trusted computing. Watch for them to lobby the government(s) for this:

    trusted computing

    Enjoy,

    --
    It's just the normal noises in here.
  36. Linux is the same way by Anonymous Coward · · Score: 1, Insightful

    Any app can do the same thing in Linux. What's your point?

  37. Re:Further proof by Serapth · · Score: 2, Insightful

    I knew someone was going to say this :)

    The person who runs something as root is the same user that doesn't understand what root is. AKA, the typical Windows user. If the Linux on the desktop dream ever comes true, you would be AMAZED at how many users are going to just use the first username/password in the system.

    Not to mention, how long until they run into a problem ( like say... trying to play certain games ) that says... "You must be root to do blah blah." From that moment on, Joe User uses root for everything.

    If we could ship every copy of XP with a few years of technical competency, there would be a hell of a lot less spyware/virii/worms and trojans floating around out there!

  38. Re:This proves once more... by ucblockhead · · Score: 3, Insightful

    Uh....only apps running as administrator can do these things.

    --
    The cake is a pie
  39. Re:Unpossible to Clean SpyWare? by sploo22 · · Score: 2, Insightful

    > The only solution is to force the system to run code you trust - ie boot to a floppy or CD.

    I'm probably being paranoid, but how long till we start seeing rootkits that flash your BIOS?

    --
    Karma: Segmentation fault (tried to dereference a null post)
  40. Re:Unpossible to Clean SpyWare? by Anonymous Coward · · Score: 1, Insightful
    > Of course, some program could always modify a file, and then fiddle around with bits until the MD5 was the same.

    This is non-trivial for executable files, especially when retaining code executability and constant file size (although a clever rootkit lies about file sizes, too). If you figure out how to do this for arbitrary files in a tractable computation time, be sure to include it in your application to the NSA.

  41. Re:Further proof by Spy+Hunter · · Score: 2, Insightful

    I will probably be moderated down for this, but: likely yes. Mozilla has a few crash bugs; Konqueror has more. It is quite likely that some of those bugs are exploitable; then just use a Linux kernel privilege-escalation exploit (of which there are also many) to instantly become root. Voila; r00ted Linux system in two easy steps. Just because nobody bothers to do it (Konqueror's market share is necessarily even smaller than the Linux desktop market; it doesn't even come close to Mozilla's measly percentage) doesn't mean it's impossible.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  42. Don't let users login as either administrators by guacamole · · Score: 3, Insightful

    I think the root of the problem is that most Windows systems (unless centrally managed) are usually set up so that normal users are logged in with elevated privileges. If they were logged in without supernatural privileges, then the damage done by the spyware, viruses, and trojans would be limited just to your account and files (e.g. the rest of the system, and certainly the kernel, would be unaffected). So, it seems like the best strategy to fight spyware is to end the current practice of using the administrator account. I am sure that Microsoft could even do something to discourage its use.

  43. Re:Unpossible to Clean SpyWare? by lachlan76 · · Score: 3, Insightful

    It would be fine if the ADMINISTRATOR had the ability to sign code for Palladium.

  44. Re:Unpossible to Clean SpyWare? by Anonymous Coward · · Score: 1, Insightful

    I disabled Firefox's extension thing and run a firewall on my Linux box. Is that because Linux is inherently flawed?

  45. Re:Unpossible to Clean SpyWare? by plopez · · Score: 2, Insightful

    You may be trolling but I'll bite.

    If there is a right way and a wrong way to use something, you make using it the wrong way very very difficult. You put in fail safes and safeties. True, any fail safe or safety can be circumvented, but you want to make it annoying and difficult to do so.

    There are entire research topics in industrial design about making the user do the right thing. In airplanes, power plants, submarines etc. That a company with ~$50 billion in cash will not invest in designing their product to make use of this research, and when there are more secure models readily available (various unices, VMS, MVS etc.), is just negligent, IMO.

    An analogy might be a car with the brake hooked up to the accelerator. If you had to push on the accelerator 'just right' to stop the car (otherwise it speeds up!) then it is not your fault if you have an accident. It is the car company's fault for a faulty design.

    --
    putting the 'B' in LGBTQ+
  46. Re:Unpossible to Clean SpyWare? by IamTheRealMike · · Score: 3, Insightful
    > There are no known kernel exploits for Mac OS X, there is no known spyware, there are no known viruses, there have been a handful of OS X specific exploits that require the user to run a program (and generally ask you to supply an admin password), and have all been "proof of concepts". The bulk of OS X security updates have been for Open Source/Unix apps, which are all turned off by default, and have never been reported as actually exploited.

    That's because the open source apps have all their exploits reported as separate incidents, with incident IDs and so on. Apple (and Microsoft) slipstream security fixes into other patches all the time and just don't report them.

    For Microsoft this technique is no longer useful because hackers reverse engineer the patches to determine the security flaws.

  47. ...and you wonder why... by Anonymous Coward · · Score: 1, Insightful

    ...and you wonder why I run Linux. If I can't read the code and compile it, I won't run it.