Slashdot Mirror


Microsoft Warns of Impossible to Clean Spyware

darkjedi521 writes "The Inquirer has a story that the next generation of Windows spyware and exploits is starting to make use of "kernel rootkits". A paper at Microsoft Research has details on a prototype detection tool. Computerworld has more details, as well." From the article: "Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools..."

14 of 813 comments

  1. Re:Unpossible to Clean SpyWare? by timeOday · Score: 5, Insightful

    I agree it's extreme. They should offer a downloadable bootable CD that verifies the checksums of all system files.

  2. Re:Nothing is impossible to clean by ackthpt · Score: 5, Insightful

    Reinstall windows.

    Funny how many people seem to take this lightly. The way I see it:

    Reinstall Windows

    Reinstall all Software, include some pesky registrations

    Update all drivers to where you were before hand

    Put back all your customizations, default settings, etc.

    Yeah, not impossible, but makes a boot to the head sound appealing.

    --

    A feeling of having made the same mistake before: Deja Foobar
  3. Re:Unpossible to Clean SpyWare? by temojen · Score: 4, Insightful

    Except that's the recommended course of action for a rooted UNIX/Linux/BSD machine too (along with figuring out how it was rooted, plugging the hole, and preserving any evidence).

  4. Re:Unpossible to Clean SpyWare? by Qzukk · Score: 5, Insightful

    Maybe it is time to look at a Mac.

    Kernel-level rootkits have plagued Unixes (including Linux) for a long time. Fortunately on Linux most suck, and can be detected with chkrootkit (yet how many are out there that aren't detectable...), and (this is true for Windows as well) any of them can be found simply by inspecting the drive from known clean boot media.

    Removing rootkits (kernel level or not) from any OS requires either guruhood, an exact knowledge of which rootkit(s) were used and what files they trojan (as well as a clean source to restore those files from), or a reformat, reinstall, and restore (data only) from backups.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  5. Re:Unpossible to Clean SpyWare? by ackthpt · Score: 5, Insightful

    I agree it's extreme. They should offer a downloadable bootable CD that verifies the checksums of all system files.

    Not likely, as you and I may have XP Developer Edition, but where are you in your patches? Hmm?

    Seems the best way to handle this is to run all browser processes at a very low security level.

    --

    A feeling of having made the same mistake before: Deja Foobar
  6. Re:You're infected! Not me. by Kpt Kill · Score: 5, Insightful

    You're telling me that when Joe User installs his Linux version of Kazaa and it pops up the message "you must install as root... enter password...", Linux, Solaris, Mac, anything will be immune to the malware? I think not. Users don't read popups. If they are prompted for root... they will type it in.
    I've even seen Macromedia Flash boxes pop up to alert you that IE has blocked their ActiveX script, and that the user should do the following steps to install the plugin. And people do.

  7. Re:Unpossible to Clean SpyWare? by CaptKilljoy · Score: 4, Insightful

    That sounds rather drastic.

    Um, dude, a rootkit for *any* OS that hides itself by intercepting kernel calls is effectively uneradicable except by total reinstall. How the hell would a Mac save you from that?

  8. It's recommended, but not 100% necessary. by khasim · Score: 5, Insightful

    With Linux, you can boot from a live CD and validate every file and package on your system.

    You can even chroot the system, wipe the boot sector and re-install the kernel.

    This might be "impossible" to clean on Windows, but on Linux, it's just really annoying.

  9. Re:Unpossible to Clean SpyWare? by dillon_rinker · Score: 4, Insightful

    Of course, there are standardized tools to generate md5 sums of files. A good rootkit, before replacing a file, determines the md5 checksum of the file. Then, when the easily-detectable standardized tools ask for the checksum, the rootkit intercepts the request and feeds the tool garbage. Of course, there are countermeasures you can take, but they will tend to become standardized, leading to counter-counter-measures.

    What it boils down to is GIGO. If you don't trust the code running on your system, you can't trust ANY result reported by the system. The only solution is to force the system to run code you trust - i.e. boot to a floppy or CD.
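
    The scenario in comments 1, 8 and 9 (a rootkit that answers on-host checksum requests with the pre-trojan hash, so only a check run from trusted boot media sees the disk as it really is) can be modelled end to end. The block below is an added example written for this page, not code from the thread or from any real rootkit: the "rootkit" is a toy read hook that caches a file's clean bytes and serves them to anything hashing that path, and the system root, file contents and the `HashHidingRootkit`, `build_manifest` and `verify` names are all constructed for the illustration. The baseline manifest stands in for the vendor-signed checksum list a bootable verification CD would carry, and records two digests per file.

```python
"""Offline vs. on-host integrity checking against a hash-hiding rootkit.

Added example; not from the original thread. The 'rootkit' is a toy model
of the behaviour comment 9 describes: before trojaning a file it remembers
the clean bytes and serves those to any on-host tool that reads the path,
so the tool computes the expected hash. Reading the raw disk from trusted
boot media bypasses the hook and exposes the change.
"""
import hashlib
import tempfile
from pathlib import Path

ALGOS = ("sha256", "sha1")  # record more than one digest per file


def digest_bytes(data: bytes) -> dict:
    """Digests of one file's bytes under every algorithm in ALGOS."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def build_manifest(root: Path, read=None) -> dict:
    """Map each regular file under root (relative, POSIX-style) to its digests.

    `read` is the function used to fetch a file's bytes. The default reads
    the disk directly, which is what a check from clean boot media does;
    an on-host checker on a rooted box gets whatever the kernel hands it.
    """
    read = read or (lambda p: p.read_bytes())
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = digest_bytes(read(p))
    return manifest


def verify(root: Path, baseline: dict, read=None) -> list:
    """Relative paths whose digests differ from the baseline or are missing."""
    current = build_manifest(root, read)
    return [rel for rel, expected in baseline.items() if current.get(rel) != expected]


class HashHidingRootkit:
    """Constructed stand-in for a kernel read hook; not real malware."""

    def __init__(self):
        self._clean = {}  # resolved path -> bytes as they were before trojaning

    def trojan(self, path: Path, payload: bytes) -> None:
        # Remember the clean bytes, then overwrite the file on disk.
        self._clean[path.resolve()] = path.read_bytes()
        path.write_bytes(payload)

    def hooked_read(self, path: Path) -> bytes:
        # What an on-host tool sees: clean bytes for trojaned files, real
        # bytes for everything else, so the hook itself looks innocuous.
        return self._clean.get(path.resolve(), path.read_bytes())


def demo() -> dict:
    """Build a constructed system root, trojan one binary, run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"ELF clean ls")      # constructed
        (root / "bin" / "ps").write_bytes(b"ELF clean ps")      # constructed
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")

        baseline = build_manifest(root)  # taken while the system was known clean

        rk = HashHidingRootkit()
        rk.trojan(root / "bin" / "ps", b"ELF trojaned ps")

        return {
            # On the rooted host: every read goes through the hook, nothing found.
            "online": verify(root, baseline, read=rk.hooked_read),
            # From trusted boot media: raw disk bytes, the trojaned file shows up.
            "offline": verify(root, baseline),
        }


if __name__ == "__main__":
    print(demo())
```

    The online pass returns an empty list and the offline pass returns `['bin/ps']`. The point is the one comment 9 makes: the checker's logic is identical in both runs; what changes is whether the bytes it hashes came from the real disk or from code the attacker controls.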

  10. Re:Happened to me 2 days ago. by Lew Pitcher · Score: 4, Insightful

    You say

    This is getting ridiculous. Yes, you'll tell me to switch to Firefox, but we can't; I work in an artistic company with 1000+ PCs and non-tech-savvy users, and tons of internal apps that were developed either with .Net or massive ActiveX and other MS-only stuff, so we can't switch everything to Firefox, and having 2 browsers isn't a viable option either, since most of our users would simply get confused.
    and I say "That's the price of committing your business to proprietary software and interfaces that are someone else's profit centre."

    I know that this doesn't help you in your situation, but it does serve as a cautionary note for those who are not yet in that position, but are considering a move to proprietary software.

    Cheer up, though. Once the cost of supporting such a fragile situation exceeds the cost of migrating to a saner environment, you can put the case forth to move to a more secure, more open platform.

    Until then, you have my deepest sympathies.

    --

    "values of beta will give rise to dom!"

  11. Yes, it is the same problem by tetromino · Score: 5, Insightful

    R00tkits will get installed on Macs the same way they get installed on Linux: through a combination of two exploits. First, the hacker uses an exploit to obtain shell access with an unprivileged account. Typical exploits include holes in Samba or CUPS (which OSX also uses), browser bugs (e.g. libpng overflows), holes in various daemons (if you use your OSX as a server), or even simply using a keylogger on a public machine to catch a user's password.

    Then, the hacker uses a second exploit to elevate his local shell access to local root. Typical exploits of this nature include thread race conditions in the kernel, the kernel failing to properly sanitize input, or problems when a process is shifted from one kernel security infrastructure to another. The Linux kernel had a number of local root exploits in the past few months. IIRC Apple usually doesn't publish its list of security vulnerabilities (it just puts the fixes on Software Update, without fully explaining what they fix), so I can't comment on the security of the Darwin XNU kernel.

    Thus, I would say it's about as easy to install a rootkit on a Linux workstation as on an OSX desktop (and similarly, it's as easy to install a rootkit on a Linux server as on an OSX server). In other words, you need an unpatched system vulnerable to a specific pair of exploits, a clueless admin, and a skilled hacker -- which is not an impossible combination.

  12. Re:Unpossible to Clean SpyWare? by nacturation · Score: 5, Insightful

    And when that day comes, I will be amazed at the greatness of the hackers. Given the complexity required just to find a trivial collision in MD5, the Earth will likely be destroyed in WWIII long before someone managed to get a complex trojan to generate the same hash value. But even still, it's easy to work around that -- just calculate hash values using several different hash algorithms. Given the odds of successfully finding a collision which matches, say, both MD5 and SHA-1, the universe will have long imploded by then.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  13. Beware of trusted computing by NullProg · Score: 4, Insightful

    For Microsoft to make a statement such as this could only mean one thing: they intend to push for trusted computing. Watch for them to lobby the government(s) for this:

    trusted computing

    Enjoy,

    --
    It's just the normal noises in here.
  14. Re:Nothing is impossible to clean by truesaer · Score: 4, Insightful

    The installation for Windows XP is so damn tricky that the common Windows user wouldn't have a hope in hell of completing it.

    Is this a joke? You boot off the CD and then the most complicated thing you have to do from there is choose your timezone. You don't have to know anything to install Windows XP...