Slashdot Mirror


Microsoft Warns of Impossible to Clean Spyware

darkjedi521 writes "The Inquirer has a story that the next generation of Windows spyware and exploits are starting to make use of "kernel rootkits". A paper at Microsoft Research has details on a prototype detection tool. Computerworld has more details, as well." From the article: "Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools..."

27 of 813 comments

  1. Unpossible to Clean SpyWare? by ackthpt · · Score: 3, Interesting
    Microsoft researchers have developed a tool, named "Strider Ghostbuster" that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences.

    Sounds almost malaprop. "It works, I threatened to rip a copy of Ghostbusters II onto my HD and I heard a tiny scream! My spyware aragorn!"

    However the paper admits that the only way to be sure that you have killed a kernel rootkit is to completely erase an infected hard drive and reinstall the operating system from scratch.

    That sounds rather drastic. How about drilling a hole through it, smashing it with a sledgehammer and throwing it into the Tiber while you're at it? Microsoft seems to be making a stronger case all the time for not exposing a Windows PC to the internet. Maybe it is time to look at a Mac.

    Microsoft's XBox Firewire

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Unpossible to Clean SpyWare? by nacturation · · Score: 3, Interesting

      Not likely, as you and I may have XP Developer Edition, but where are you in your patches? Hmm?

      And what's hard about that? It's exceedingly unlikely that any particular version of any Windows system file will have the same MD5 checksum as a trojaned version. Plus, if you know that patch X contains this list of files with this list of checksums, you can determine what patchlevel it has. It's not easy to do as it takes some intelligent coding, but it's far from impossible. Or just go the lazy way -- based on the different versions of each file Microsoft has released, you will know that the file is either good (because of all the patched versions Microsoft has released, its MD5 checksum matches one) or the file is bad (because its checksum doesn't match one released by Microsoft).

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
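The checksum approach nacturation describes, and mgv's reply below that a kit need not touch any existing file, as an added example that is not part of the original thread. The release history, patch names and file contents are constructed stand-ins, not real Windows binaries or real Microsoft checksums; SHA-256 is used instead of the MD5 mentioned above because MD5 collisions are practical. A file whose name the catalogue has never seen gets a separate "unknown" verdict, which is the gap mgv points at: the catalogue can only vouch for files it lists.

```python
import hashlib
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Digest used for the catalogue (SHA-256 rather than MD5: see lead-in)."""
    return hashlib.sha256(data).hexdigest()


# Constructed release history (hypothetical patch levels and file contents):
# patch name -> {filename: bytes shipped at that patch level}.
RELEASES = {
    "RTM": {"ntoskrnl.exe": b"kernel build 2195 rtm", "kernel32.dll": b"kernel32 build 2195"},
    "SP3": {"ntoskrnl.exe": b"kernel build 2195 sp3", "kernel32.dll": b"kernel32 build 2195"},
    "SP4": {"ntoskrnl.exe": b"kernel build 2195 sp4", "kernel32.dll": b"kernel32 build 2195 sp4"},
}


def build_catalogue(releases):
    """filename -> {digest: set of patch levels that shipped exactly that digest}."""
    catalogue = {}
    for patch, files in releases.items():
        for name, content in files.items():
            catalogue.setdefault(name, {}).setdefault(sha256_bytes(content), set()).add(patch)
    return catalogue


def classify_file(catalogue, name, content):
    """'good'    : digest matches some released version of that filename
       'bad'     : filename is known, digest matches no released version
       'unknown' : the catalogue has no entry for the name at all, so it
                   cannot judge the file (a kit that only drops new files
                   lands here, not in 'bad')."""
    known = catalogue.get(name)
    if known is None:
        return "unknown", set()
    digest = sha256_bytes(content)
    if digest in known:
        return "good", known[digest]
    return "bad", set()


def assess_system(catalogue, observed):
    """observed: filename -> bytes found on the suspect machine.
    Returns per-file verdicts plus the set of patch levels consistent with
    every 'good' file (the intersection of their patch sets), which is the
    'what patchlevel is it at' inference from the comment above."""
    verdicts = {}
    candidates = None
    for name, content in observed.items():
        verdict, patches = classify_file(catalogue, name, content)
        verdicts[name] = verdict
        if verdict == "good":
            candidates = set(patches) if candidates is None else candidates & patches
    return verdicts, candidates if candidates is not None else set()


def scan_directory(catalogue, directory):
    """Hash every regular file below `directory` and assess the set.
    Files are keyed by bare name, matching the catalogue's keying."""
    observed = {p.name: p.read_bytes() for p in Path(directory).rglob("*") if p.is_file()}
    return assess_system(catalogue, observed)


if __name__ == "__main__":
    cat = build_catalogue(RELEASES)
    suspect = {                                                          # constructed
        "ntoskrnl.exe": b"kernel build 2195 sp4 + patched syscall table",  # tampered
        "kernel32.dll": b"kernel32 build 2195 sp4",                        # pristine SP4
        "elitegfk.exe": b"dropped by the kit",                             # not catalogued
    }
    verdicts, level = assess_system(cat, suspect)
    print(verdicts)  # {'ntoskrnl.exe': 'bad', 'kernel32.dll': 'good', 'elitegfk.exe': 'unknown'}
    print(level)     # {'SP4'}
```

Run from clean boot media against a mounted disk; run from inside the suspect OS, the hashes come back through the same hooked file reads the kit controls.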
    2. Re:Unpossible to Clean SpyWare? by temojen · · Score: 2, Interesting

      You used to be able to get hard drives with a read-only jumper. Too bad they don't seem to make them anymore. It'd be cool to have that jumper hooked up to a keyed lock.

    3. Re:Unpossible to Clean SpyWare? by ad0gg · · Score: 2, Interesting

      That's where Palladium comes in: kernel calls can get intercepted. When the BIOS and CPU are both secured, only signed code is executed. No more problems. Love it or hate it, it's an administrator's dream to have that level of control on servers. I know it's a double-edged sword and that it can also be used for DRM and limiting access; I wouldn't want it on a consumer box, but it makes perfect sense for the business world.

      --

      Have you ever been to a turkish prison?

    4. Re:Unpossible to Clean SpyWare? by Werrismys · · Score: 4, Interesting
      "Honestly, VMWare is the best way to use Windows :-)" You could not be more right. I have been advocating VMware before, but for a reason.

      I have set up 98SE, 2000Pro, XP environments (clean) under VMware and can easily create a 'clean' environment to test stuff. The snapshot feature is excellent, just snapshot the VM in question and if/when the software fucks up, restore.

      The virtual hardware is the same every time. No driver issues. In fact, the current desktop PC's are so fast that it would make sense to run Winblows in them exclusively under VMware.. just store the user dirs on server. Get a new PC? Just copy the virtual disks and configuration.

      I've been using VMware since its introduction and am currently using the 4 (and 5beta) versions for desktop use. I've had no use for the expensive server version yet since most of the servers are already running Linux.. but for those legacy Win32 apps VMware is really a blessing. Even been testing BSD's and SuSE distros with it.

      --
      'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
    5. Re:Unpossible to Clean SpyWare? by mgv · · Score: 2, Interesting

      And what's hard about that? It's exceedingly unlikely that any particular version of any Windows system file will have the same MD5 checksum as a trojaned version. Plus, if you know that patch X contains this list of files with this list of checksums, you can determine what patchlevel it has. It's not easy to do as it takes some intelligent coding, but it's far from impossible. Or just go the lazy way -- based on the different versions of each file Microsoft has released, you will know that the file is either good (because of all the patched versions Microsoft has released, its MD5 checksum matches one) or the file is bad (because its checksum doesn't match one released by Microsoft).

      Actually, it's a little harder than this.

      Because the rootkits don't need to touch the Windows files, just add their own ones, which could be anywhere. If they can find any hook into the OS on bootup, it can be made to load up. There is no reason to delete any existing OS file. Part of what a rootkit can do is run files but tell anyone that asks that they are running another (untampered) file, which is probably in the normal location with the normal file name.

      What this means is that every detection live-CD will have to have the equivalent of an antivirus program with a list of all the exploits that have been detected to date.

      Otherwise it finds a normal looking kernel and associated files, but which happen to get rooted at a later stage in the bootup, using an exploit that wasn't recorded or understood at the time the CD was pressed.

      To eliminate this sort of problem you may well need to do a file sweep against all files on the filesystem, comparing them against known exploits, off a bootable CD. It certainly won't be an easy or quick task, and would probably require a connection to a network or the internet to download the up to date checksums (much like an AV program).

      Michael

      --
      There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
  2. Argument for Partitioning by generationxyu · · Score: 2, Interesting
    The Windows installer should have a partition editor, and some information about partitioning. It should allow you to easily install Windows on a separate partition from your data.

    Then you can keep /home on a separate partition, /var on a sep...

    Oh wait.

    --
    I mod down pyramid schemes in sigs.
  3. Re:You're infected! Not me. by Master+Bait · · Score: 4, Interesting

    In the old pre OS X days, most Mac viruses were INITs (AKA Extensions) which are rewritten system calls. I remember a virus from the olden days which was an INIT that spread through a DiskInsertionEvent.

    --
    "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
    --Tom Schulman
  4. Admin = Screwed by The+Bungi · · Score: 2, Interesting
    As long as people are logged in as admins when they install that REALLY COOL KAZAA CLONE they downloaded from a server in ROMANIA, they're screwed. Just like root on Unix, the admin can do just about anything (though some things are more difficult because of ACLs).

    It was just a matter of time, really. This problem will go away only if people realize they're at risk by running under an admin account and companies (including Microsoft) and independent developers learn to write applications that don't need god-like powers to function. Without user pressure (don't buy or use apps that require admin rights!!) this won't happen.

    Windows has had this capability since NT4. I think it's time we started using it.

  5. Sounds familiar... by madaxe42 · · Score: 2, Interesting

    Where I work, we've taken the step, as we have *many* identical boxes, of keeping a default system image ghosted and backed up on our *linux* server, because that's the only moderately safe place on the network. We end up rolling out a ghosted image at least twice a week - our jobs would be hell without it.

  6. Re:This isn't really a problem by JQuick · · Score: 3, Interesting

    What could be simpler?


    Either install a non-Windows OS on your existing hardware or buy a Mac. Linux, any BSD, or Macos X are simpler choices. BSD or Linux are harder in the short run but require less on-going maintenance once the user is settled in. Macos X requires changing both hardware and software, but is likely to be an easier transition for most users.

    Whether you like it or not, the Wintel platform is no longer a very good choice for the average computer user, and has become a quite unpleasant environment for most people.

  7. Happened to me 2 days ago. by LePrince · · Score: 5, Interesting
    I was at work, and I'm the only person in our helpdesk to "de-spywarise" the company's PCs (I'm the only 2nd level tech analyst). I got a laptop yesterday that was infected with numerous pieces of spyware. After removing most of them with HijackThis, Spybot, CWShredder, there was a rogue entry to a file named "elitegfk.exe" in the registry that, as soon as I removed it, came back.

    Easy enough, I thought, I'll just physically remove the file and the process. But no; the file wasn't ANYWHERE. Yes, I unchecked the "Hide protected system files" checkbox and I was on SHOW HIDDEN FILES, so ALL files were displayed. Heck, a dir /s on the root of the filesystem didn't even work... I thought that it would be possible that the file had another name, renamed itself to that, did its dirty business, then renamed itself. I fired up Filemon (from Sysinternals) and sure enough, I saw plenty of activity from a process named elitegfk.exe but STILL no sign of the file and/or process. I scanned the registry, and regedit.exe took 2 seconds to complete the scan... !

    I was on the verge of reformatting the system when I thought about something: I accessed the laptop through the admin share (\\computer\c$); sure enough, the file was there, sitting quietly in c:\winnt\system32 (Win2k system)...

    The spyware prevented its own display through taskmgr, explorer and regedit. Regedt32 didn't work; I got a virtual memory low error when I tried to scan the registry. The ONLY way I could see the file was through Filemon AND through the file sharing...

    I'm guessing the next one will palliate those things by attaching itself to the most common troubleshooting tools like regmon and attaching itself to the SMB protocol to make sure it can't be displayed through the shares...

    This is getting ridiculous. Yes, you'll tell me to switch to Firefox, but we can't; I work in an artistic company with 1000+ PCs and non-tech-savvy users, and tons of internal apps that were developed either with .Net or massive ActiveX and other MS-only stuff, so we can't switch everything to Firefox, and having 2 browsers isn't a viable option either, since most of our users would simply get confused.

    Anyway.

    1. Re:Happened to me 2 days ago. by argent · · Score: 2, Interesting

      tons of internal apps that were developed either with .Net or massive ActiveX and other MS-only stuff,

      You know, if Microsoft ever does get a clue and fix the real security holes that let these spyware apps in in the first place, you'll have to rewrite all that stuff... because there's no way to fix Windows properly without changing the API.

      Bite the bullet already.

  8. Thin edge of the wedge... by spywarearcata.com · · Score: 2, Interesting

    Ironically, it will probably be the annoyance of pervasive spyware that causes the death of internet privacy: every process stream will be digitally signed and serialized.

    We can filter out the bad guys at the cost of definitively identifying you.

  9. never been an issue by Anonymous Coward · · Score: 1, Interesting

    runas /user:administrator "Control.exe TIMEDATE.CPL" For The GUI

    runas /user:administrator "time 12:13:14" ... etc

    I have been a Windows admin for many years (not by choice, Linux runs at home), but Microsoft has come a loooong way making sure that you don't have to be logged in as Admin to perform any function. Just takes a little scripting.

  10. Re:Nothing is impossible to clean by tehshen · · Score: 2, Interesting

    XP is the only Windows I have installed (I was too young/naïve to do any others) so I have no experience with others, sorry.

    I bought this computer from Dell (before bathing in holy water and peeling all the stickers off, so it's OK) and didn't get a rescue CD - just loads of driver and application CDs. Besides, if this impossible-to-clean spyware is what it says it is, just using a rescue CD to recover system files is just a long shot.

    Also, those of us clever enough to have ghost images of their computers will probably also be clever enough not to get targeted by this spyware in the first place (by not using IE or Windows, or whatnot). Recommending disk imaging tools to novices would most likely scare them.

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.
  11. Security Levels by Detritus · · Score: 2, Interesting
    It might help if Microsoft took an idea from BSD and made it possible to write-protect critical system files. That way, even if Joe PornMonger downloads worms and viruses while logged in as Administrator, the software would not be able to corrupt the operating system.

    I would also add a digital signature check to the bootstrap process, so that critical operating system code wouldn't be loaded unless it was signed by Microsoft.

    --
    Mea navis aericumbens anguillis abundat
  12. Boot from Knoppix CD by spywarearcata.com · · Score: 2, Interesting

    ...when you want to use the Internet. You don't even need to possess a hard drive.

  13. Re:They should know by Oriumpor · · Score: 3, Interesting
    Just 'cause you can't do something doesn't mean it's impossible:

    thishouseisclear.bat
    rem Park the real IE binary and leave a read-only, hidden, system-flagged dummy in its place
    echo doh>c:\progra~1\Intern~1\iexplore.exe.new
    attrib +r +a +s +h c:\progra~1\Intern~1\iexplore.exe.new
    move c:\progra~1\Intern~1\iexplore.exe c:\progra~1\Intern~1\iexplore.bak
    echo doh >c:\progra~1\Intern~1\iexplore.exe
    attrib +r +a +s +h c:\progra~1\Intern~1\iexplore.exe
    Moments later the fixit wizard will more than likely pop up, hit cancel, and yes. Voila.
  14. Re:Once a machine is compromized... by myov · · Score: 2, Interesting

    Hate to reply to my own post, but one of my clients/suppliers has two machines with a KVM at each desk. One for external (web/mail), the other for internal tasks (accounting/etc). Two separate networks that do not talk. Only one has internet.

    In theory, nothing should take down the internal systems.

    --
    I use Macs to up my productivity, so up yours Microsoft!
  15. Re:Ease of rootkitting on Windows vs. other by ratboy666 · · Score: 2, Interesting

    A rootkit can be installed on any OS that can be rooted in the first place. To root a box requires two things:

    An attack vector that gives access

    A method to escalate to root.

    On Windows, typically, user runs as "admin", which means only the first need be found. Any convenient buffer overflow will do.

    On Unix, typically, services are not run as "root", meaning local privilege escalations are useful. (suid programs, etc.)

    In general, it's easier with Windows.

    HOWEVER, the art of writing the rest of the rootkit is better understood under Unix -- the common services are clearly documented. Under Windows, the rootkit author needs to expend more work in the kit itself. Before Windows, PC-DOS rootkits were quite common.

    As to "probable"? If you find *any* trojan software that has *ever* had root, it's over. Same for viruses. Note that it's very difficult to determine if root was ever acquired, as this means the software can have made itself invisible.

    So, the machine must be booted from clean (unwritable) media to find any "spyware", "viruses", etc. The rest of the discussion doesn't matter. A clean boot is needed. (and, even this is hard -- now that BIOS is flashable, the kit could hide there instead; which is why I DON'T like flashable BIOS, and favour a simple bootloader).

    YMMV
    Ratboy
    (and, yes, I *have* been rootkitted; now I am just a paranoid)

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  16. This proves once more... by Spy+der+Mann · · Score: 3, Interesting

    how flawed this operating system is.

    Flaw #1: Any app can make arbitrary changes to the registry.
    Flaw #2: Any app can make arbitrary changes to the system files.
    Flaw #3: There is no "safe-mode" for core utilities, that would bypass any hijacking of system calls.

    Now can anybody explain to me what was the point of having "system, readonly" attributes, if they can just be turned off?

    Bill Gates never wanted to admit it. But this is just proof that Windows is nothing but MS-DOS "on steroids".

    Till a few days ago, I thought Linux would be the doom of Microsoft, defeating it like David defeated Goliath. But it turns out.. Goliath is about to die from a genetic anomaly. His very nature gave him a short lifespan.

    Oh joy...

    1. Re:This proves once more... by nick8325 · · Score: 2, Interesting

      Sort of. I like L4 a lot :-).

      Except that (please correct me if I'm wrong) I think that L4Linux runs all drivers in the same process as the Linux kernel. So the kernel is not protected from interference from the drivers. Of course, this was done to make it easier to put Linux on top of L4, which is fair enough, so.

      As the "kernel" is running in user mode rather than kernel mode, there can be memory protection. But doing this (especially with Linux drivers' liking for playing with kernel data structures) would, I think, be nearly as hard as turning Linux into a multi-server microkernel anyway.

      So the Linux kernel could still be compromised in L4Linux. Then anything spawned by the Linux kernel could be compromised. The driver could map new pages into any Linux process to run arbitrary code.

      In this case processes which were not spawned by the Linux kernel and which did not trust any Linux processes would be unaffected. They could possibly check for exploits. It still wouldn't be easy, though, with filesystem drivers running in the Linux kernel (h4x0red ;-)), and this process couldn't be started by a Linux process after the bad driver had been loaded.

      The driver could also overwrite this process on disk. So upon reboot, a bad kernelkit-checker is loaded. The checker will need to get it right every time before the system is rebooted, with an untrusted file system. I think that hard isn't a strong enough word :-)

      If the driver was run as a separate process, then it couldn't destroy everything like this without using buffer overruns and suchlike. It can only destroy things in its own address space. With the whole Linux kernel and drivers in one process, that advantage of microkernels almost disappears.

  17. Re:Don't get too smug... by stratjakt · · Score: 2, Interesting

    No, they typically pick up on the nfs legacy of running everything as "nobody/nobody", because it's a pain in the ass to add a user/group for every service you run, and most admins (and distros) are lazy.

    If it's a webserver, they just let everything (apache, squid, proftpd, etc) run as apache/apache because most "web gurus" are too lazy/incompetent to figure out permission problems when some mod or web app won't work.

    Go read some howtos, see how often they recommend doing a "chmod -R 755 /etc/x" and "chown -R nobody:nobody /etc/x". Granted, many linux howtos floating around on the web are written by people with only the basic knowledge of the topic at hand.

    At any rate, once you've configured all your servers to run as "nobody", all of a sudden the "nobody" account has access to a whole lot of important configuration files. That is, your "unprivileged" account "nobody" or "apache" winds up with pretty much all the rights you need to install your rootkit.

    So who needs to be "root" if the "nobody" account has access to all your important shit like your /etc/pam.d, all your .conf files, etc?

    --
    I don't need no instructions to know how to rock!!!!
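The failure stratjakt describes (a service account that ends up owning, or being in the group of, files under /etc after a "chown -R nobody:nobody" style howto) turned into a check, as an added example that is not part of the original thread. Python is used rather than shell so the Unix permission logic itself is visible and testable; the file entries, owners and accounts are constructed records standing in for os.stat()/pwd/grp output, and the paths are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    """Constructed stand-in for an os.stat() result with owner/group resolved to names."""
    path: str
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o644


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset  # every group the account is a member of


def can_write(entry: FileEntry, account: Account) -> bool:
    """Unix discretionary access check for the write bit.
    root always wins; otherwise exactly one class applies, in order
    owner -> group -> other. The classes are exclusive: the owner of a
    0o466 file cannot write even though group and other can."""
    if account.name == "root":
        return True
    if account.name == entry.owner:
        return bool(entry.mode & 0o200)
    if entry.group in account.groups:
        return bool(entry.mode & 0o020)
    return bool(entry.mode & 0o002)


def audit_service_write_access(entries, service_accounts, protected_prefixes=("/etc/",)):
    """(path, account) pairs where a service account can modify a file under a
    protected prefix. For a correctly configured host this list is empty."""
    hits = []
    for entry in entries:
        if not entry.path.startswith(protected_prefixes):
            continue
        for account in service_accounts:
            if can_write(entry, account):
                hits.append((entry.path, account.name))
    return sorted(hits)


# Constructed sample: /etc/pam.d was handed to nobody by a howto, httpd.conf to apache.
SAMPLE_ENTRIES = [
    FileEntry("/etc/pam.d/login", "nobody", "nobody", 0o644),
    FileEntry("/etc/httpd/conf/httpd.conf", "apache", "apache", 0o664),
    FileEntry("/etc/passwd", "root", "root", 0o644),
    FileEntry("/etc/ssl/private/server.key", "root", "root", 0o600),
    FileEntry("/var/www/html/index.html", "apache", "apache", 0o644),  # outside /etc, ignored
]
SERVICE_ACCOUNTS = [
    Account("nobody", frozenset({"nobody"})),
    Account("apache", frozenset({"apache"})),
]


def demo():
    return audit_service_write_access(SAMPLE_ENTRIES, SERVICE_ACCOUNTS)


if __name__ == "__main__":
    for path, who in demo():
        print(f"{who} can write {path}")
```

On a live host the same check is fed with os.stat() plus pwd.getpwuid()/grp.getgrgid() lookups per file; the point of the audit is that "not root" says nothing about what the account can reach.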
  18. Already in the wild? by kilocomp · · Score: 4, Interesting

    One of the computers I support had a very nasty piece of spyware. I am not sure if it was exploiting the same things described by Microsoft, but it had the following symptoms:
    1. The process would not show up in task manager
    2. The related files would not show up in Explorer
    3. The related registry keys did not show up in regedit
    4. It somehow was being called by Winlogon, so it ran even in safe mode.

    The way I detected it was by using several Sysinternals utilities http://www.sysinternals.com/. I have a script that uses pslist to monitor all processes on the network and this spyware was not smart enough to hide from that. A remote regedit session enabled you to see the related registry files. I had to use BartPE http://www.nu2.nu/pebuilder/ to mount the drive and clean out the related files and registry keys.

    1. Re:Already in the wild? by Anonymous Coward · · Score: 1, Interesting

      This is undoubtedly a case of kernel-level hooking (i.e. a rootkit) simply because you say the hidden values were visible over the network using a remote registry editor. Undoubtedly the hidden files would have been visible on a network share, as Windows uses separate channels for many of the remote counterparts to basic system functions (registry, files, etc.) that most rootkit writers do not bother to hook.

      -rk
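The detection pattern running through this thread (Strider Ghostbuster's comparison of two views of the same machine, LePrince seeing the file only via the admin share, kilocomp seeing the process only via pslist over the network and the keys only via remote regedit) is a cross-view difference: enumerate the machine through the hooked, in-band interfaces and again through an independent channel, and anything the independent channel reports that the in-band view omits is a candidate hidden object. This is an added example, not code from the thread, the paper or Sysinternals; the three views are constructed data. It generalises one step beyond the thread by requiring two out-of-band passes to agree before an item counts as hidden, which suppresses churn (a process that exited, a temp file that was deleted) that would otherwise be reported as a hidden item.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class View:
    """One enumeration of the machine; `source` is a label only."""
    source: str
    processes: frozenset
    files: frozenset
    registry: frozenset


CATEGORIES = ("processes", "files", "registry")


def cross_view_diff(inside: View, outside_first: View, outside_second: View) -> dict:
    """Items both out-of-band passes agree exist but the in-band view omits.
    Returns {category: sorted hidden items}; an empty dict means no discrepancy."""
    findings = {}
    for category in CATEGORIES:
        stable = getattr(outside_first, category) & getattr(outside_second, category)
        hidden = stable - getattr(inside, category)
        if hidden:
            findings[category] = sorted(hidden)
    return findings


RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SYS32 = r"c:\winnt\system32"

# Constructed views modelled on the symptoms reported in this thread.
INSIDE = View(
    source="local Task Manager / Explorer / regedit (hooked)",
    processes=frozenset({"winlogon.exe", "explorer.exe", "svchost.exe"}),
    files=frozenset({SYS32 + r"\kernel32.dll", SYS32 + r"\winlogon.exe"}),
    registry=frozenset({RUN + r"\ctfmon"}),
)
OUTSIDE_A = View(
    source="pslist over the network + admin share + remote registry, pass 1",
    processes=frozenset({"winlogon.exe", "explorer.exe", "svchost.exe", "elitegfk.exe", "setup_tmp.exe"}),
    files=frozenset({SYS32 + r"\kernel32.dll", SYS32 + r"\winlogon.exe", SYS32 + r"\elitegfk.exe", r"c:\temp\install.log"}),
    registry=frozenset({RUN + r"\ctfmon", RUN + r"\elitegfk"}),
)
OUTSIDE_B = View(
    source="same channels, pass 2 a minute later (setup_tmp.exe exited, install.log deleted)",
    processes=frozenset({"winlogon.exe", "explorer.exe", "svchost.exe", "elitegfk.exe"}),
    files=frozenset({SYS32 + r"\kernel32.dll", SYS32 + r"\winlogon.exe", SYS32 + r"\elitegfk.exe"}),
    registry=frozenset({RUN + r"\ctfmon", RUN + r"\elitegfk"}),
)


def demo() -> dict:
    return cross_view_diff(INSIDE, OUTSIDE_A, OUTSIDE_B)


if __name__ == "__main__":
    for category, items in demo().items():
        for item in items:
            print(f"hidden {category[:-2]}: {item}")
```

The value of the remote channel is only that the kit did not hook it; rk's point above is the caveat, since a kit that also hooks the SMB and remote-registry paths makes the two views agree, which is why the offline BartPE mount kilocomp used is the stronger outside view.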

  19. Not the only way by Metasquares · · Score: 2, Interesting

    If the program modifies the Windows kernel in such a way that it is undetectable, couldn't a simple boot CD (running something other than Windows) with a spyware scanner work? Sounds like a potential use of Knoppix, although I'm unaware of any anti-spyware programs for Linux (as spyware is not really a problem on Linux). Something like ClamAV but for spyware would be nice.