Slashdot Mirror


Microsoft Warns of Impossible to Clean Spyware

darkjedi521 writes "The Inquirer has a story that the next generation of Windows spyware and exploits are starting to make use of "kernel rootkits". A paper at Microsoft Research has details on a prototype detection tool. Computerworld has more details, as well." From the article: "Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools..."

9 of 813 comments

  1. Unpossible to Clean SpyWare? by ackthpt · · Score: 3, Interesting
    Microsoft researchers have developed a tool, named "Strider Ghostbuster" that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences.

    Sounds almost malaprop. "It works, I threatened to rip a copy of Ghostbusters II onto my HD and I heard a tiny scream! My spyware aragorn!"

    However the paper admits that the only way to be sure that you have killed a kernel rootkit is to completely erase an infected hard drive and reinstall the operating system from scratch.

    That sounds rather drastic. How about drilling a hole through it, smashing it with a sledgehammer and throwing it into the Tiber while you're at it? Microsoft seems to be making a stronger case all the time for not exposing a Windows PC to the internet. Maybe it is time to look at a Mac.

    Microsoft's XBox Firewire

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Unpossible to Clean SpyWare? by nacturation · · Score: 3, Interesting

      Not likely, as you and I may have XP Developer Edition, but where are you in your patches? Hmm?

      And what's hard about that? It's exceedingly unlikely that any particular version of any Windows system file will have the same MD5 checksum as a trojaned version. Plus, if you know that patch X contains this list of files with this list of checksums, you can determine what patchlevel it has. It's not easy to do as it takes some intelligent coding, but it's far from impossible. Or just go the lazy way -- based on the different versions of each file Microsoft has released, you will know that the file is either good (because of all the patched versions Microsoft has released, its MD5 checksum matches one) or the file is bad (because its checksum doesn't match one released by Microsoft).

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
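
An added example, not code from nacturation or from Microsoft's tool, of the check the comment above describes: hash each system file and compare against every version the vendor has ever shipped, so a file is "good" (matches some released build, which also tells you the patch level), "bad" (a known system file whose hash matches nothing released) or "unknown" (not a vendor file at all). The release table, file contents and patch labels below are constructed for illustration; a real manifest would be built from Microsoft's own release catalogue. SHA-256 is used instead of the MD5 the comment mentions.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the vendor's release history: for each system file,
# every version that has shipped, keyed by the patch that shipped it. The byte
# strings are made up; a real manifest would come from the vendor catalogue.
SAMPLE_RELEASES = {
    "ntoskrnl.exe": {
        "SP3": b"ntoskrnl build 2195.5438 (constructed)",
        "SP4": b"ntoskrnl build 2195.6717 (constructed)",
    },
    "kernel32.dll": {
        "SP4": b"kernel32 sp4 (constructed)",
        "KB835732": b"kernel32 kb835732 (constructed)",
    },
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(releases):
    """Invert {file: {patch: bytes}} into {file: {hash: patch}} for direct lookup."""
    return {
        name.lower(): {sha256_bytes(content): patch for patch, content in versions.items()}
        for name, versions in releases.items()
    }


MANIFEST = build_manifest(SAMPLE_RELEASES)


def classify(path, manifest):
    """Return (verdict, patch): 'good' if the hash matches any shipped version,
    'bad' if the name is a known system file but the hash matches none of them
    (trojaned or corrupted), 'unknown' if the name is not in the manifest."""
    name = os.path.basename(path).lower()
    if name not in manifest:
        return ("unknown", None)
    patch = manifest[name].get(sha256_file(path))
    return ("good", patch) if patch else ("bad", None)


def scan_directory(directory, manifest):
    """Classify every regular file in directory; results keyed by lower-cased name."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name.lower()] = classify(path, manifest)
    return results


def patch_levels_seen(results):
    """Patches implied by the good files: the 'what patchlevel is it' answer."""
    return sorted({patch for verdict, patch in results.values() if verdict == "good"})


def demo():
    """Lay down a constructed system32 holding a pristine file, a tampered one
    and a stranger, then scan it against the manifest."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "ntoskrnl.exe": SAMPLE_RELEASES["ntoskrnl.exe"]["SP4"],
            # one appended byte: a legitimately patched file with a modification
            "kernel32.dll": SAMPLE_RELEASES["kernel32.dll"]["KB835732"] + b"\x90",
            "elitegfk.exe": b"nothing the vendor ever shipped (constructed)",
        }
        for name, content in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        return scan_directory(d, MANIFEST)


if __name__ == "__main__":
    for name, (verdict, patch) in demo().items():
        print(f"{name:14} {verdict:8} {patch or ''}")
```

The caveat the rest of this thread turns on: a kernel rootkit that filters file reads can hand the hashing tool the original bytes while the modified copy is what actually executes, so a manifest check is only as good as the vantage point it runs from. Run it against the disk from outside the suspect OS (an admin share from another host, or a boot CD), not from the infected kernel's own file API.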
    2. Re:Unpossible to Clean SpyWare? by Werrismys · · Score: 4, Interesting
      "Honestly, VMWare is the best way to use Windows :-)" You could not be more right. I have advocated VMware before, but for a reason.

      I have set up 98SE, 2000Pro, XP environments (clean) under VMware and can easily create a 'clean' environment to test stuff. The snapshot feature is excellent, just snapshot the VM in question and if/when the software fucks up, restore.

      The virtual hardware is the same every time. No driver issues. In fact, current desktop PCs are so fast that it would make sense to run Winblows in them exclusively under VMware.. just store the user dirs on a server. Get a new PC? Just copy the virtual disks and configuration.

      I've been using VMware since its introduction and am currently using version 4 (and the 5 beta) for desktop use. I've had no use for the expensive server version yet since most of the servers are already running Linux.. but for those legacy Win32 apps VMware is really a blessing. I've even been testing BSDs and SuSE distros with it.

      --
      'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
  2. Re:You're infected! Not me. by Master+Bait · · Score: 4, Interesting

    In the old pre-OS X days, most Mac viruses were INITs (AKA Extensions), which are rewritten system calls. I remember a virus from the olden days which was an INIT that spread through a DiskInsertionEvent.

    --
    "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
    --Tom Schulman
  3. Re:This isn't really a problem by JQuick · · Score: 3, Interesting

    What could be simpler?

    Either install a non-Windows OS on your existing hardware or buy a Mac. Linux, any BSD, or Mac OS X are simpler choices. BSD or Linux are harder in the short run but require less ongoing maintenance once the user is settled in. Mac OS X requires changing both hardware and software, but is likely to be an easier transition for most users.

    Whether you like it or not, the Wintel platform is no longer a very good choice for the average computer user, and has become a quite unpleasant environment for most people.

  4. Happened to me 2 days ago. by LePrince · · Score: 5, Interesting
    I was at work, and I'm the only person in our helpdesk who "de-spywarises" the company's PCs (I'm the only 2nd level tech analyst). I got a laptop yesterday that was infected with numerous pieces of spyware. After removing most of them with HijackThis, Spybot, and CWShredder, there was a rogue entry in the registry for a file named "elitegfk.exe" that, as soon as I removed it, came back.

    Easy enough, I thought, I'll just physically remove the file and the process. But no; the file wasn't ANYWHERE. Yes, I unchecked the "Hide protected system files" checkbox and I was on SHOW HIDDEN FILES, so ALL files were displayed. Heck, a dir /s on the root of the filesystem didn't even work... I thought it was possible that the file had another name, renamed itself to that, did its dirty business, then renamed itself back. I fired up Filemon (from Sysinternals) and sure enough, I saw plenty of activity from a process named elitegfk.exe but STILL no sign of the file and/or process. I scanned the registry, and regedit.exe took 2 seconds to complete the scan...!

    I was on the verge of reformatting the system when I thought of something: I accessed the laptop through the admin share (\\computer\c$); sure enough, the file was there, sitting quietly in c:\winnt\system32 (Win2k system)...

    The spyware prevented its own display through taskmgr, explorer and regedit. Regedt32 didn't work; I got a "virtual memory low" error when I tried to scan the registry. The ONLY way I could see the file was through Filemon AND through the file share...

    I'm guessing the next one will get around those things by attaching itself to the most common troubleshooting tools like regmon, and attaching itself to the SMB protocol to make sure it can't be displayed through the shares...

    This is getting ridiculous. Yes, you'll tell me to switch to Firefox, but we can't; I work in an artistic company with 1000+ PCs and non-tech-savvy users, and tons of internal apps that were developed either with .Net or massive ActiveX and other MS-only stuff, so we can't switch everything to Firefox, and having 2 browsers isn't a viable option either, since most of our users would simply get confused.

    Anyway.

  5. Re:They should know by Oriumpor · · Score: 3, Interesting
    Just cause you can't do something doesn't mean it's impossible:

    thishouseisclear.bat
    @echo off
    REM Park the real iexplore.exe under another name and leave a dummy in its
    REM place, so IE can no longer launch. The 8.3 short paths are the usual
    REM ones for C:\Program Files\Internet Explorer; check with dir /x.
    echo doh>c:\progra~1\Intern~1\iexplore.exe.new
    attrib +r +a +s +h c:\progra~1\Intern~1\iexplore.exe.new
    move c:\progra~1\Intern~1\iexplore.exe c:\progra~1\Intern~1\iexplore.bak
    echo doh>c:\progra~1\Intern~1\iexplore.exe
    attrib +r +a +s +h c:\progra~1\Intern~1\iexplore.exe
    Moments later the fixit wizard will more than likely pop up; hit cancel, and yes. Voila.
  6. This proves once more... by Spy+der+Mann · · Score: 3, Interesting

    how flawed this operating system is.

    Flaw #1: Any app can make arbitrary changes to the registry.
    Flaw #2: Any app can make arbitrary changes to the system files.
    Flaw #3: There is no "safe-mode" for core utilities, that would bypass any hijacking of system calls.

    Now can anybody explain to me what was the point of having "system, readonly" attributes, if they can just be turned off?

    Bill Gates never wanted to admit it. But this is just proof that Windows is nothing but MS-DOS "on steroids".

    Till a few days ago, I thought Linux would be the doom of Microsoft, defeating it like David defeated Goliath. But it turns out.. Goliath is about to die from a genetic anomaly. His very nature gave him a short lifespan.

    Oh joy...

  7. Already in the wild? by kilocomp · · Score: 4, Interesting

    One of the computers I support had a very nasty piece of spyware. I am not sure if it was exploiting the same things described by Microsoft, but it had the following symptoms:
    1. The process would not show up in task manager
    2. The related files would not show up in Explorer
    3. The related registry keys did not show up in regedit
    4. It somehow was being called by Winlogon, so it ran even in safe mode.

    The way I detected it was by using several Sysinternals utilities http://www.sysinternals.com/. I have a script that uses pslist to monitor all processes on the network and this spyware was not smart enough to hide from that. A remote regedit session enabled you to see the related registry files. I had to use BartPE http://www.nu2.nu/pebuilder/ to mount the drive and clean out the related files and registry keys.
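
Both LePrince's post (the file invisible to Explorer, dir and regedit but visible over \\computer\c$) and kilocomp's (the process missing from Task Manager but present in a remote pslist, the keys missing from regedit but visible from a remote registry session) are the same detection technique, the cross-view diff the story summary attributes to Strider GhostBuster: enumerate the same namespace from inside the suspect system and from a vantage point the rootkit does not control, and anything that appears only outside is what the rootkit is hiding. The following is an added example, not code from either poster or from Microsoft; the listings are constructed so that the inside view is missing exactly the kind of entry the two posts describe.

```python
# Cross-view diff: compare one namespace (files, processes, registry values) as
# enumerated from inside the suspect system against the same namespace as seen
# from a vantage point the rootkit does not control. Added example; all listings
# below are constructed.


def cross_view_diff(inside, outside):
    """inside, outside: {name: attribute} as each vantage point reports it
    (size for files, pid for processes, data for registry values).
    Names compare case-insensitively, as Windows does."""
    i = {k.lower(): v for k, v in inside.items()}
    o = {k.lower(): v for k, v in outside.items()}
    return {
        # seen from outside but filtered from the in-box API: the rootkit's footprint
        "hidden": sorted(set(o) - set(i)),
        # reported inside only: a transient entry or a decoy; worth a look, not proof
        "inside_only": sorted(set(i) - set(o)),
        # same name, different attribute: a swapped binary or a patched value
        "mismatch": sorted(k for k in set(i) & set(o) if i[k] != o[k]),
    }


def suspicious(diff):
    """True when the in-box view is missing or misreporting something."""
    return bool(diff["hidden"] or diff["mismatch"])


def demo():
    """Constructed views of a Win2k box hiding one executable, as the two posts
    describe: inside = the infected machine's own tools, outside = another host."""
    # files: 'dir /a c:\winnt\system32' on the box vs the same directory over \\host\c$
    files_inside = {"ntoskrnl.exe": 1_700_000, "kernel32.dll": 742_000, "regedit.exe": 72_000}
    files_outside = {**files_inside, "elitegfk.exe": 53_248}
    # processes: local taskmgr vs pslist run from another machine (name -> pid)
    procs_inside = {"winlogon.exe": 220, "explorer.exe": 1024, "iexplore.exe": 1380}
    procs_outside = {**procs_inside, "elitegfk.exe": 1428}
    # registry: the Run key as local regedit shows it vs a remote registry connection
    run_inside = {"Synchronization Manager": "mobsync.exe /logon"}
    run_outside = {**run_inside, "elitegfk": r"c:\winnt\system32\elitegfk.exe"}
    return {
        "files": cross_view_diff(files_inside, files_outside),
        "processes": cross_view_diff(procs_inside, procs_outside),
        "run_keys": cross_view_diff(run_inside, run_outside),
    }


if __name__ == "__main__":
    for namespace, diff in demo().items():
        flag = "SUSPICIOUS" if suspicious(diff) else "clean"
        print(f"{namespace:10} {flag:10} hidden={diff['hidden']} mismatch={diff['mismatch']}")
```

The whole method rests on the outside view being genuinely outside: an SMB share read by another host, a remote registry connection, a pslist from another machine, or an offline boot such as the BartPE disc kilocomp used. Two listings taken through the infected kernel's own APIs will agree with each other and find nothing, and a rootkit that also hooks the server side of SMB, as LePrince speculates the next generation will, defeats the share-based view and leaves offline media as the only trustworthy vantage point.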