Slashdot Mirror


Microsoft Warns of Impossible to Clean Spyware

darkjedi521 writes "The Inquirer has a story that the next generation of Windows spyware and exploits are starting to make use of "kernel rootkits". A paper at Microsoft Research has details on a prototype detection tool. Computerworld has more details, as well." From the article: "Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools..."


  1. Unpossible to Clean SpyWare? by ackthpt · · Score: 3, Interesting
    Microsoft researchers have developed a tool, named "Strider Ghostbuster" that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences.

    Sounds almost malaprop. "It works, I threatened to rip a copy of Ghostbusters II onto my HD and I heard a tiny scream! My spyware aragorn!"

    However the paper admits that the only way to be sure that you have killed a kernel rootkit is to completely erase an infected hard drive and reinstall the operating system from scratch.

    That sounds rather drastic. How about drilling a hole through it, smashing it with a sledgehammer and throwing it into the Tiber while you're at it? Microsoft seems to be making a stronger case all the time for not exposing a Windows PC to the internet. Maybe it is time to look at a Mac.

    Microsoft's XBox Firewire

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Unpossible to Clean SpyWare? by timeOday · · Score: 5, Insightful

      I agree it's extreme. They should offer a downloadable bootable CD that verifies the checksums of all system files.

    2. Re:Unpossible to Clean SpyWare? by temojen · · Score: 4, Insightful

      Except that's the recommended course of action for a rooted UNIX/Linux/BSD machine too (along with figuring out how it was rooted, plugging the hole, and preserving any evidence).

    3. Re:Unpossible to Clean SpyWare? by Qzukk · · Score: 5, Insightful

      Maybe it is time to look at a Mac.

      Kernel-level rootkits have plagued Unixes (including Linux) for a long time. Fortunately on Linux most suck, and can be detected with chkrootkit (yet how many out there that aren't detectable...), and (this is true for windows as well) any of them can be found simply by inspecting the drive from a known clean boot media.

      Removing rootkits (kernel level or not) from any OS requires either guruhood, an exact knowledge of which rootkit(s) was used and what files they trojan (as well as a clean source to restore those files from), or a reformat-reinstall-restore (data only) from backups.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    4. Re:Unpossible to Clean SpyWare? by Intocabile · · Score: 2, Funny

      My brother, having discovered online porn, has all but ruined an old 233 with spyware. Spybot Search and Destroy could get rid of a lot of it so I'm thinking he found some of this new stuff. He claimed Firefox doesn't work anymore but this is probably due to the spyware. Anyway I'm going to reinstall Windows and show him the wonders of Usenet.

      P.S. What is the best current Linux distribution for slow computers with plenty of RAM?

    5. Re:Unpossible to Clean SpyWare? by ackthpt · · Score: 5, Insightful
      I agree it's extreme. They should offer a downloadable bootable CD that verifies the checksums of all system files.

      Not likely, as you and I may have XP Developer Edition, but where are you in your patches? Hmm?

      Seems the best way to handle this is to run all browser processes at a very low security level.

      --

      A feeling of having made the same mistake before: Deja Foobar
    6. Re:Unpossible to Clean SpyWare? by CaptKilljoy · · Score: 4, Insightful

      That sounds rather drastic.

      Um, dude, a rootkit for *any* OS that hides itself by intercepting kernel calls is effectively uneradicable except by total reinstall. How the hell would a Mac save you from that?

    7. Re:Unpossible to Clean SpyWare? by JudgeFurious · · Score: 2, Insightful

      Long past time actually. Come on over to the Mac side. Everybody, seriously, there's plenty of room over here.

      --
      Appended to the end of comments you post. 120 chars.
    8. Re:Unpossible to Clean SpyWare? by Master+Bait · · Score: 2, Insightful

      If we were all excellent system admins, we would have an md5 sum of each kernel and each pertinent file in /etc and each binary in the /sbin and /bin directories. I don't but it would probably be a good idea.

      --
      "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
      --Tom Schulman
    9. Re:Unpossible to Clean SpyWare? by Rei · · Score: 2, Funny

      I get this mental image of a lone mac user sitting in a huge empty stadium, shouting "Echo!!!"... "Hey, is anybody else here?"... "I promise, we're all having a great time, come on over!"

      --
      "Well, then fire it up and show me what this..." (sigh) ... "coccoon can do."
    10. Re:Unpossible to Clean SpyWare? by dillon_rinker · · Score: 4, Insightful

      Of course, there are standardized tools to generate md5 sums of files. A good rootkit, before replacing a file, determines the md5 checksum of the file. Then, when the easily-detectable standardized tools ask for the checksum, the rootkit intercepts the request and feeds the tool garbage. Of course, there are countermeasures you can take, but they will tend to become standardized, leading to counter-counter-measures.

      What it boils down to is GIGO. If you don't trust the code running on your system, you can't trust ANY result reported by the system. The only solution is to force the system to run code you trust - ie boot to a floppy or CD.

    11. Re:Unpossible to Clean SpyWare? by pbranes · · Score: 5, Informative
      One of my job functions at the university where I'm employed is to fix student computers. 95% of the calls we receive are spyware/virus related. We have stopped trying to disinfect Windows from inside the operating system because it is pointless - there is no way to clean everything off from within the operating system. What we do is boot off of BartPE bootable CD, connect to the network, update the virus scanner & adaware, and clean off the hard drive. Then we proceed to boot the computer into windows to finish the final clean-up.

      So, it surprises me that a report about this kind of ad-ware/viruses is just now coming out because we have been dealing with impossible-to-remove software for at least a year now. Fortunately the only way to defeat a BartPE scan is to install a BIOS virus - and almost nobody does that any more. :-)

    12. Re:Unpossible to Clean SpyWare? by null+etc. · · Score: 2, Funny

      I prefer to have read-only filesystems. That way, every reboot guarantees a clean system.

    13. Re:Unpossible to Clean SpyWare? by 4of12 · · Score: 3, Insightful

      The only problem being that Joe User won't think of downloading until the first sign of trouble. Which could mean that he's running \/\/1nd0z3 already, which means any downloaded CD image from that point in time forward can be made to appear bona fide.

      A bootable CD with a checksum or digital signature checker ought to come with the system.

      --
      "Provided by the management for your protection."
    14. Re:Unpossible to Clean SpyWare? by Zocalo · · Score: 3, Insightful
      They should offer a downloadable bootable CD that verifies the checksums of all system files.

      At first glance, it even seems like it would be fairly trivial to build one yourself assuming that you can maintain a clean set of files to generate checksums from. Once you have the files you can use the live distro and checksumming tool of your choice to do the comparisons and replace suspect files accordingly. However...

      The obvious problem is going to be dealing with DLL hell, especially if you want to include third party DLLs in your scanning tool. There are dozens of legitimate versions of some DLLs out there, especially for widely deployed things like the exploitable GDI DLLs that were at the centre of a "critical" patch a few months ago. Best of all, some apps are coded to require specific versions of those files and refuse to work with other versions. Yes, that's appallingly broken and terrible design, but it does happen, and checking the embedded DLL version number is no help - what's to stop a rootkit replacing a DLL with a version with an unused version number? How would you deal with an unknown version of a critical DLL in a known shared file directory for a third party vendor that wouldn't confuse a typical user? Ignore it, and risk missing a rootkit? Delete it, and risk breaking an application (providing an option to restore it being an obvious safety net)? Or give the user a choice they probably won't understand between the two previous options?

      --
      UNIX? They're not even circumcised! Savages!
    15. Re:Unpossible to Clean SpyWare? by greed · · Score: 3, Informative
      A number of packaging utilities (mainly those not used on consumer-targeted OSes like Mac OS X and Windows) track checksums, sizes and permissions of installed files. At least, those that the packager indicates are expected to be non-mutable after install--so, typically, the contents of /usr, but not /etc or /var.

      The downside is, the repository of known sizes and checksums is stored on local disk. The upside is they are also recorded, in a fairly easy to retrieve form, on the original install media, and the updates are recorded with each patch file also.

      So a good sysadmin doesn't have to track all that, because a good system already did it for him. A good sysadmin would want to make sure there's a way to get into the system from known-good media and access the checksum database from alternate media. Instead of trying to rebuild the DB from install media, it could be just as good to back up the DB when the system is in a known good state. (Just after clean install; before each update, verify the system from clean boot and an offline copy of the checksum db, and so on.)

      On AIX, use "lppchk", Solaris has "pkgchk", and RPM-based Linuxes have "rpm --verify".

      OK, I lied about Mac OS X, though I don't know of any way to verify the information. 'lsbom' will list the information from a bill of materials file, and these are kept in /Library/Receipts/$PackageName. Disk Utility's "Repair Permissions" uses at least part of the information; maybe I'll intentionally screw up a system file and see if it reports a size verification or checksum failure on it.

      Now, of course, anything you put on a system which doesn't use the system package manager won't be recorded in the system package database. So you can't find out it is there, or validate it, or anything.

      From my recollections of working with InstallShield a few years ago, it does not track this kind of information at all. I could be wrong about this, it's been quite a while--NT 4.0 was still new!
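      As an added illustration of the "rpm --verify" approach greed describes (my own script, not part of the post or of rpm itself): it parses the lines rpm -V prints and triages them, so that a sweep of a volume mounted from rescue media can be read top-down. It assumes the output came from something like `rpm -Va --root /mnt/suspect` using the offline copy of the package database greed recommends; the sample output below is constructed, and the helper names are mine.

```python
import re

# Positional flag letters in the first column of `rpm -V` output, per rpm(8):
# S size, M mode, 5 digest, D device, L symlink target, U user, G group,
# T mtime, P capabilities.  '.' means unchanged, '?' means the test could
# not be run for that attribute.
FLAG_ORDER = "SM5DLUGTP"
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device",
                "L": "symlink target", "U": "owner", "G": "group",
                "T": "mtime", "P": "capabilities"}
ATTRIBUTES = set("cdglr")          # second column: config, doc, ghost, license, readme
CONTENT_FLAGS = set("SM5DLUGP")    # anything except mtime counts as a real change

def parse_verify_line(line: str):
    """Return None for blank lines, otherwise a dict describing one rpm -V line."""
    line = line.strip()
    if not line:
        return None
    first, _, rest = line.partition(" ")
    rest = rest.strip()
    attr = None
    if len(rest) > 2 and rest[0] in ATTRIBUTES and rest[1] == " ":
        attr, rest = rest[0], rest[2:].strip()
    rec = {"path": rest, "attr": attr, "missing": False,
           "changed": set(), "untested": set()}
    if first == "missing":
        rec["missing"] = True
        return rec
    if not re.fullmatch(r"[SM5DLUGTP.?]{8,9}", first):
        raise ValueError(f"unrecognised rpm -V line: {line!r}")
    for pos, ch in enumerate(first):
        if ch == "?":
            rec["untested"].add(FLAG_ORDER[pos])
        elif ch != ".":
            rec["changed"].add(ch)
    return rec

def triage(lines) -> list:
    """Map each reported file to (severity, path, reason).  An edited config
    file is expected; a size/digest/mode change on a packaged binary is not."""
    findings = []
    for line in lines:
        rec = parse_verify_line(line)
        if rec is None:
            continue
        path, changed = rec["path"], rec["changed"]
        if rec["missing"]:
            findings.append(("high", path, "packaged file is missing"))
        elif changed & CONTENT_FLAGS:
            if rec["attr"] == "c" and changed <= {"S", "5", "T"}:
                findings.append(("info", path, "config file edited (content only)"))
            else:
                what = ", ".join(FLAG_MEANING[f] for f in FLAG_ORDER
                                 if f in changed & CONTENT_FLAGS)
                findings.append(("high", path, f"changed: {what}"))
        elif rec["untested"]:
            findings.append(("medium", path, "could not be verified"))
        elif changed:
            findings.append(("low", path, "mtime only"))
    return findings

# Constructed sample in the shape of `rpm -Va` output (not captured from a real host).
SAMPLE_OUTPUT = """\
S.5....T.    /bin/ls
..5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
.......T.    /usr/share/man/man1/ls.1.gz
missing      /sbin/ifconfig
..?......    /usr/lib/libfoo.so.1
"""

def triage_sample() -> dict:
    """Severity per path for the constructed sample."""
    return {path: severity for severity, path, _ in triage(SAMPLE_OUTPUT.splitlines())}

if __name__ == "__main__":
    for severity, path, reason in triage(SAMPLE_OUTPUT.splitlines()):
        print(f"{severity:6} {path:32} {reason}")
```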

    16. Re:Unpossible to Clean SpyWare? by nacturation · · Score: 3, Interesting

      Not likely, as you and I may have XP Developer Edition, but where are you in your patches? Hmm?

      And what's hard about that? It's exceedingly unlikely that any particular version of any Windows system file will have the same MD5 checksum as a trojaned version. Plus, if you know that patch X contains this list of files with this list of checksums, you can determine what patchlevel it has. It's not easy to do as it takes some intelligent coding, but it's far from impossible. Or just go the lazy way -- based on the different versions of each file Microsoft has released, you will know that the file is either good (because of all the patched versions Microsoft has released, its MD5 checksum matches one) or the file is bad (because its checksum doesn't match one released by Microsoft).

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    17. Re:Unpossible to Clean SpyWare? by Rosco+P.+Coltrane · · Score: 4, Informative

      I prefer to have read-only filesystems. That way, every reboot guarantees a clean system.

      You think it's a joke, but actually I do almost exactly that: for the few times I actually do need to use Windows, chiefly to use AutoCAD, I boot Win98 in VMWare and set it to always return to the hard-disk snapshot it booted with. That way, I can get as many xyz-wares on the Windows box, it'll always come back pristine the next time I restart it. And whenever I need to install something new, or change something in the Windows install, I do it carefully and take a new snapshot when I'm happy with it.

      Honestly, VMWare is the best way to use Windows :-)

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    18. Re:Unpossible to Clean SpyWare? by Anonymous Coward · · Score: 5, Funny

      Macs are magic! Don't you read Slashdot?

    19. Re:Unpossible to Clean SpyWare? by node+3 · · Score: 4, Informative

      Argh! This is one of the most blatantly obvious mistakes that always get modded up on Slashdot.

      Yes, absolutely every general purpose OS can be rooted, spywared, hacked, or otherwise compromised.

      By analogy, anything can kill you, poison can kill you, water can kill you, a bullet can kill you and a butterfly can kill you. Being possible is not the same as being probable.

      In the binary, off/on, sense, security can theoretically be compromised. But we don't live in theory, we live in practice. There are no known kernel exploits for Mac OS X, there is no known spyware, there are no known viruses, there have been a handful of OS X specific exploits that require the user to run a program (and generally ask you to supply an admin password), and have all been "proof of concepts". The bulk of OS X security updates have been for Open Source/Unix apps, which are all turned off by default, and have never been reported as actually exploited.

      It's virtually impossible to just randomly get rooted, trojaned, hit by a virus, or otherwise find your Mac is pwn3d. On Windows, you need to be fairly diligent, and even then you can't be sure.

      You gotta ask yourself why this is. The answer isn't just "Windows is more common" (although that is a part of it). Windows is inherently flawed from a security standpoint. Mac OS X is inherently secure (relatively speaking). That doesn't mean it's impossible to hack a Mac, but it does mean that the risks are fewer, and are far more easily mitigated.

      When someone says, "Windows is malware-ridden, I'm switching to a Mac" (sometimes a toothless threat, sometimes not), the response, "but it's possible to write a rootkit for Mac OS X too," is not a counter-argument. It's, at best, a warning that someday that Mac might possibly, but not very likely, get a virus or something... maybe, probably not though.

    20. Re:Unpossible to Clean SpyWare? by nacturation · · Score: 5, Insightful

      And when that day comes, I will be amazed at the greatness of the hackers. Given the complexity required just to find a trivial collision in MD5, the Earth will likely be destroyed in WWIII long before someone managed to get a complex trojan to generate the same hash value. But even still, it's easy to work around that -- just calculate hash values using several different hash algorithms. Given the odds of successfully finding a collision which matches, say, both MD5 and SHA-1, the universe will have long imploded by then.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    21. Re:Unpossible to Clean SpyWare? by temojen · · Score: 2, Interesting

      You used to be able to get hard drives with a read-only jumper. Too bad they don't seem to make them anymore. It'd be cool to have that jumper hooked up to a keyed lock.

    22. Re:Unpossible to Clean SpyWare? by Macgruder · · Score: 5, Informative

      I've been using BartPE for a year now. The initial basic setup is very easy. It's also easy to customize it to add in your applications. Well, it's easy to add it into BartPE (loadable .inf files), but sometimes you have to do a LOT of digging into Windows and the specific application to determine WHAT you need to add to said .inf.

      My BartPE disk has Ad-Aware SE, and I use SFX to make a self-extracting executable of Spybot. For AV stuff, I use the McAfee GUI plugin for their command line scanner, and Sysclean (by the same folks that make PC-cillin). Also McAfee's Stinger is loaded, too.

      I put it on a CD-RW, and once a week d/l the updates, then use the Bart PEBuilder program to rebuild an ISO, and burn that to a CD-RW.

      Virus scans, spyware files... all are gone without having to boot into the compromised OS. Registry cleaning requires you to boot into the OS, but once the files are gone, that makes it a lot easier to clean.

      It's not 100%, but it vastly improves the chances of fixing the system, with minimal time (30 mins a week to get the updates, 20 mins of actual work running the Bart disk to clean a system).

      --
      I'm not crazy, I'm actively irresponsible.
    23. Re:Unpossible to Clean SpyWare? by Filmwatcher888 · · Score: 2, Informative

      Ad-aware and BartPE won't detect spyware that's rewritten your crypt32.dll or dllhost.exe to the same size and header. The only thing would be an antivirus tool that does hash checks with known good DLLs.

      And that's not available yet. Think of all the different systems with different versions of DLLs. This is going to get ugly.
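      As an added example (my own code, not from any poster or from Microsoft) of the hash check Filmwatcher888 asks for, built the way Zocalo and nacturation describe it: the manifest holds one digest pair per legitimate release of each file, so the several versions of a DLL created by "DLL hell" are all accepted, and a file is "good" only if both its MD5 and SHA-1 match the same release (nacturation's two-algorithm suggestion). Files on a known path that match no release are "bad", files the manifest has never heard of are "unknown" (the rootkit-adds-its-own-files case), and manifest entries absent from disk are "missing". The helper names, paths and file contents are constructed for the demo; the walk is meant to run over a volume mounted from clean boot media.

```python
import hashlib
import tempfile
from pathlib import Path

def digests(data: bytes) -> tuple:
    """Both digests must match a release, so a collision in one algorithm alone is not enough."""
    return (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest())

def build_manifest(known_good_versions: dict) -> dict:
    """known_good_versions maps a relative path to the bytes of every legitimate
    release of that file (RTM, SP1, SP2 ...); the manifest keeps one digest pair
    per release, which is how multiple valid versions of a DLL are tolerated."""
    return {path: {digests(v) for v in versions}
            for path, versions in known_good_versions.items()}

def classify_file(relpath: str, data: bytes, manifest: dict) -> str:
    if relpath not in manifest:
        return "unknown"      # no record at all: a rootkit's own file, or a third-party add-on
    if digests(data) in manifest[relpath]:
        return "good"         # matches one of the released versions
    return "bad"              # known path, but content matches no release

def verify_tree(root: Path, manifest: dict) -> dict:
    """Walk a volume mounted from clean boot media (so the kernel doing the
    reading is trusted) and classify every file; manifest entries with no
    file on disk are reported as missing."""
    results = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            results[rel] = classify_file(rel, path.read_bytes(), manifest)
    for rel in manifest:
        results.setdefault(rel, "missing")
    return results

def demo() -> dict:
    """Constructed scenario (hypothetical contents, not real Microsoft files):
    two legitimate crypt32.dll builds, one dllhost.exe build, one gdi32.dll
    build; the 'disk' has a good crypt32, a patched dllhost, an extra driver
    nobody packaged, and no gdi32 at all."""
    known = {
        "WINDOWS/system32/crypt32.dll": [b"crypt32 build A", b"crypt32 build B (SP2)"],
        "WINDOWS/system32/dllhost.exe": [b"dllhost build A"],
        "WINDOWS/system32/gdi32.dll": [b"gdi32 build A"],
    }
    manifest = build_manifest(known)
    on_disk = {
        "WINDOWS/system32/crypt32.dll": b"crypt32 build B (SP2)",
        "WINDOWS/system32/dllhost.exe": b"dllhost build A but patched",
        "WINDOWS/system32/drivers/hidden.sys": b"not from any known package",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in on_disk.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return verify_tree(root, manifest)

if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:8} {rel}")
```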

    24. Re:Unpossible to Clean SpyWare? by sploo22 · · Score: 2, Insightful

      The only solution is to force the system to run code you trust - ie boot to a floppy or CD.

      I'm probably being paranoid, but how long till we start seeing rootkits that flash your BIOS?

      --
      Karma: Segmentation fault (tried to dereference a null post)
    25. Re:Unpossible to Clean SpyWare? by ad0gg · · Score: 2, Interesting

      That's where Palladium comes in, kernel calls can get intercepted. When the BIOS and CPU are both secured, only signed code is executed. No more problems. Love it or hate it, it's an administrator's dream to have that level of control on servers. I know it's a double-edged sword and that it can also be used for DRM and limiting access, I wouldn't want it on a consumer box but it makes perfect sense for the business world.

      --

      Have you ever been to a Turkish prison?

    26. Re:Unpossible to Clean SpyWare? by Slack3r78 · · Score: 2, Informative

      It's by far the best solution I know of. And yes, there are several rather large plugin repositories with setups for 3rd party software. There's an Ad-aware plugin built in, but I'd recommend you search the forums for the plugin with RunScanner, which will let you scan the host computer's registry as well. But to fully answer your question, the build I personally use includes AdAware, McAfee CLI, Ghost 8, Partition Magic, a defragger and a number of other tools. It can be made to do just about anything you'd like.

      I work for a small repair shop, and cleaning AV/Spyware has become 60% of our business in the past year; we've been using Bart since around Aug 2003, and it's been an absolutely indispensable tool in that time. Machines that we would have simply reloaded in the past can oftentimes be saved by virtue of being able to run scans from outside the host system.

    27. Re:Unpossible to Clean SpyWare? by Slack3r78 · · Score: 3, Informative

      Check the 911 forums (Bart links them from the Nu2 site) for modified Ad-Aware plugin that uses RunScanner. It'll let you scan the host system's registry from within Bart. I've added it to my latest builds this week, and it's been a great time saver and seems to work well.

      I'd link you myself, but I'm stuck on dial up at the moment. :)

    28. Re:Unpossible to Clean SpyWare? by lachlan76 · · Score: 3, Insightful

      It would be fine if the ADMINISTRATOR had the ability to sign code for Palladium.

    29. Re:Unpossible to Clean SpyWare? by plopez · · Score: 2, Insightful

      You may be trolling but I'll bite.

      If there is a right way and a wrong way to use something, you make using it the wrong way very very difficult. You put in fail safes and safeties. True, any fail safe or safety can be circumvented, but you want to make it annoying and difficult to do so.

      There are entire research topics in industrial design about making the user do the right thing. In airplanes, power plants, submarines etc. That a company with ~$50 billion in cash will not invest in designing their product to make use of this research, and when there are more secure models readily available (various unices, VMS, MVS etc.), is just negligent, IMO.

      An analogy might be a car with the brake hooked up to the accelerator. If you had to push on the accelerator 'just right' to stop the car (otherwise it speeds up!) then it is not your fault if you have an accident. It is the car company's fault for a faulty design.

      --
      putting the 'B' in LGBTQ+
    30. Re:Unpossible to Clean SpyWare? by IamTheRealMike · · Score: 3, Insightful
      There are no known kernel exploits for Mac OS X, there is no known spyware, there are no known viruses, there have been a handful of OS X specific exploits that require the user to run a program (and generally ask you to supply an admin password), and have all been "proof of concepts". The bulk of OS X security updates have been for Open Source/Unix apps, which are all turned off by default, and have never been reported as actually exploited.

      That's because the open source apps have all their exploits reported as separate incidents, with incident IDs and so on. Apple (and Microsoft) slipstream security fixes into other patches all the time and just don't report them.

      For Microsoft this technique is no longer useful because hackers reverse engineer the patches to determine the security flaws.

    31. Re:Unpossible to Clean SpyWare? by Werrismys · · Score: 4, Interesting
      "Honestly, VMWare is the best way to use Windows :-)" You could not be more right. I have been advocating VMware before, but for a reason.

      I have set up 98SE, 2000Pro, XP environments (clean) under VMware and can easily create a 'clean' environment to test stuff. The snapshot feature is excellent, just snapshot the VM in question and if/when the software fucks up, restore.

      The virtual hardware is the same every time. No driver issues. In fact, the current desktop PCs are so fast that it would make sense to run Winblows in them exclusively under VMware.. just store the user dirs on server. Get a new PC? Just copy the virtual disks and configuration.

      I've been using VMware since its introduction and am currently using the 4 (and 5beta) versions for desktop use. I've had no use for the expensive server version yet since most of the servers are already running Linux.. but for those legacy Win32 apps VMware is really a blessing. Even been testing BSD's and SuSE distros with it.

      --
      'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
    32. Re:Unpossible to Clean SpyWare? by Sven+The+Space+Monke · · Score: 3, Informative

      If you want to build a BartPE disk, check out The Ultimate Boot CD for Windows. It's a massive collection of plugins and drivers for BartPE. Adaware, HijackThis, McAfee, defraggers, etc. Here's a list of apps it comes with.

      Hands down, bar none, the best place to start your BartPE plugin collection.

      --
      A man who can't pronounce "nuclear arsenal" shouldn't have one -sig ends here.
    33. Re:Unpossible to Clean SpyWare? by mgv · · Score: 2, Interesting

      And what's hard about that? It's exceedingly unlikely that any particular version of any Windows system file will have the same MD5 checksum as a trojaned version. Plus, if you know that patch X contains this list of files with this list of checksums, you can determine what patchlevel it has. It's not easy to do as it takes some intelligent coding, but it's far from impossible. Or just go the lazy way -- based on the different versions of each file Microsoft has released, you will know that the file is either good (because of all the patched versions Microsoft has released, its MD5 checksum matches one) or the file is bad (because its checksum doesn't match one released by Microsoft).

      Actually, it's a little harder than this.

      Because the rootkits don't need to touch the windows files, just add their own ones, which could be anywhere. If they can find any hook into the OS on bootup, it can be made to load up. There is no reason to delete any existing OS file. Part of what a rootkit can do is run files but tell anyone that asks that they are running another (untampered) file, which is probably in the normal location with the normal file name.

      What this means is that every detection live-CD will have to have the equivalent of an antivirus program with a list of all the exploits that have been detected to date.

      Otherwise it finds a normal looking kernel and associated files, but which happen to get rooted at a later stage in the bootup, using an exploit that wasn't recorded or understood at the time the CD was pressed.

      To eliminate this sort of problem you may well need to do a file sweep against all files on the filesystem, comparing them against known exploits, off a bootable CD. It certainly won't be an easy or quick task, and would probably require a connection to a network or the internet to download the up to date checksums (much like an AV program).

      Michael

      --
      There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
  2. Impossible commands... by inertia187 · · Score: 3, Funny
    Wow, Microsoft must think this command is impossible:
    A:\> format C: /AUTOTEST
    --
    A programmer is a machine for converting coffee into code.
  3. Nothing is impossible to clean by Neil+Blender · · Score: 2, Insightful

    Reinstall windows.

    1. Re:Nothing is impossible to clean by ackthpt · · Score: 5, Insightful
      Reinstall windows.

      Funny how many people seem to take this lightly. The way I see it:

      Reinstall Windows

      Reinstall all Software, including some pesky registrations

      Update all drivers to where you were beforehand

      Put back all your customizations, default settings, etc.

      Yeah, not impossible, but makes a boot to the head sound appealing.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Nothing is impossible to clean by Oriumpor · · Score: 2, Insightful

      Be careful, rootkits have a nasty tendency to leave hooks. Shutting down your PC might result in your bios being flashed to 0000000000000000000000.

      But then again, that's not the goal of spyware companies, not that they'll be the ones you *really* have to worry about.

    3. Re:Nothing is impossible to clean by ThatDamnMurphyGuy · · Score: 3, Insightful

      > Yeah, not impossible, but makes a boot to the head sound appealing.

      Well, you can make a custom XP CD slipstreamed with SP2 including all of your drivers and programs that get installed automatically.

      It's not quick, and it's not for Mom and Pop, but once it's done, reinstalling is a breeze and the time spent pays off the first time you use it.

    4. Re:Nothing is impossible to clean by mrchaotica · · Score: 2, Funny

      So unplug the power, since your data is already useless anyway.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    5. Re:Nothing is impossible to clean by mboverload · · Score: 2, Insightful

      I don't know where you live, but around here a user can hit the next button 50 times.

    6. Re:Nothing is impossible to clean by tehshen · · Score: 2, Interesting

      XP is the only Windows I have installed (I was too young/naïve to do any others) so I have no experience with others, sorry.

      I bought this computer from Dell (before bathing in holy water and peeling all the stickers off, so it's OK) and didn't get a rescue CD - just loads of driver and application CDs. Besides, if this impossible-to-clean spyware is what it says it is, just using a rescue CD to recover system files is just a long shot.

      Also, those of us clever enough to have ghost images of their computers will probably also be clever enough not to get targeted by this spyware in the first case (by not using IE or Windows, or whatnot). Recommending disk imaging tools to novices would most likely scare them.

      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
    7. Re:Nothing is impossible to clean by truesaer · · Score: 4, Insightful
      The installation for Windows XP is so damn tricky that the common Windows user wouldn't have a hope in hell of completing it.


      Is this a joke? You boot off the CD and then the most complicated thing you have to do from there is choose your timezone. You don't have to know anything to install Windows XP...

    8. Re:Nothing is impossible to clean by Vicegrip · · Score: 3, Insightful

      OH BS... unless XP has the drivers you need bundled with it, you aren't connecting to a network, and you're only planning on using solitaire and not gaming, there's a lot of work to do to get a system installed right. Oh, hope the user doesn't start with a pre SP1 install.. connecting to the network will be really fun then.

      --
      Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
  4. This isn't really a problem by ChuckleBug · · Score: 4, Funny

    There's a very simple SOP for Windows users that will completely eliminate the need for a fix:

    1. Buy new PC
    2. DO NOT PLUG IN NETWORK CABLE
    3. Image drive to external storage with Ghost or the like
    4. Unplug external storage
    5. Plug in network cable
    6. Connect to Internet. Save any info needed for storage.
    7. Unplug network cable
    8. Print all info obtained in step 6
    9. Plug external storage back in
    10. Restore image made in step 3
    11. File hardcopies in cabinet
    12. Knock back 3 or more shots of your favorite liquor
    13. Unplug network cable
    14. Return to step 3 for new Internet sessions

    What could be simpler?

    1. Re:This isn't really a problem by clueless+idiot · · Score: 2, Insightful

      I would amend this. Add:

      4. a. Install hardware NAT firewall

      These cost, what, $40 now. This will help you survive long enough to download patches.

    2. Re:This isn't really a problem by Zebano · · Score: 2, Insightful

      That sounds very similar to what I do for my wife's computer:

      1. Buy new PC
      2. DO NOT PLUG IN NETWORK CABLE
      3. Image drive to external storage with Ghost or the like
      4. Unplug external storage
      5. Plug in network cable
      6. Let her play around for about 2 weeks
      7. Restore image made in step 3
      8. Goto 4

      --
      You hate your job? There's a support group for that. It's called "everybody" and they meet at the bar. -Drew Carey.
    3. Re:This isn't really a problem by b1t+r0t · · Score: 2, Funny
      What could be simpler?

      1. Buy new PC
      2. DO NOT PLUG IN NETWORK CABLE

      3. PROFIT!

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    4. Re:This isn't really a problem by Spetiam · · Score: 4, Informative

      Deep Freeze is much simpler.

    5. Re:This isn't really a problem by JQuick · · Score: 3, Interesting

      What could be simpler?

      Either install a non-Windows OS on your existing hardware or buy a Mac. Linux, any BSD, or Macos X are simpler choices. BSD or Linux are harder in the short run but require less on-going maintenance once the user is settled in. Macos X requires changing both hardware and software, but is likely to be an easier transition for most users.

      Whether you like it or not, the Wintel platform is no longer a very good choice for the average computer user, and has become a quite unpleasant environment for most people.

    6. Re:This isn't really a problem by ChuckleBug · · Score: 3, Funny

      Yeah. You got me. I typoed "unplug" when I meant "plug in." You win. I'm deeply ashamed. I wish you a wonderful weekend celebrating your decisive victory here today. Kudos.

    7. Re:This isn't really a problem by codemachine · · Score: 2, Informative

      It will prevent some worms from spreading, which does allow for safe online updates. On our campus network, an unpatched machine lasts an average of 20 minutes before being infected, so you can't ever take the risk of installing service packs online unless you're behind NAT.

      But you are correct that it does not help prevent spyware and other viruses that come in through IE, email, and infected executables. Since most spyware either comes with commercial software, or installs itself through IE and ActiveX, NAT does nothing at all there.

    8. Re:This isn't really a problem by phyruxus · · Score: 2, Funny
      That looks like a cool product. When I read the page you linked, I saw "Completely invulnerable to hacking", and I thought "h4w h4w h4w", just like that, with numbers and in italics.

      Sorry, I've been channeling Steven Wright since Wednesday. Which is really strange because he's not dead. And may be why I'm not funny when I do it.

      --
      "A witty saying proves nothing." ~Voltaire
      "d'Oh!" ~Homer
    9. Re:This isn't really a problem by uberdave · · Score: 4, Funny
      1. Knock back 3 or more shots of your favorite liquor
      2. Buy new PC
      3. DO NOT PLUG IN NETWORK CABLE
      4. Image drive to external storage with Ghost or the like
      5. Come to the realization that you don't have external storage
      6. Knock back 3 more shots of your favorite liquor
      7. Buy some external storage
      8. Plug in network cable
      9. Connect to Internet. Save any info needed for storage
      10. Unplug network cable
      11. Print all info obtained
      12. Plug external storage back in
      13. What the...?! Where did this spyware come from?
      14. Realize you screwed up the install
      15. Knock back 3 or more shots of your favorite liquor
      16. Search for the install disks
      17. Realize that the computer didn't come with Windows CD
      18. Knock back 3 or more shots of your favorite liquor
      19. Screw it! Download Gentoo
  5. They should know by Realistic_Dragon · · Score: 5, Funny

    They are the ones who made it impossible to delete Internet Exploiter after all.

    --
    Beep beep.
    1. Re:They should know by solafide · · Score: 2, Informative

      Or Inept Explorer? It's time to OPERAte! And/or catch fire!

    2. Re:They should know by Oriumpor · · Score: 3, Interesting
      Just cause you can't do something doesn't mean it's impossible:

      thishouseisclear.bat
      echo doh>c:\progra~1\Intern~1\iexplore.exe.new
      attrib +r +a +s +h c:\progra~1\Intern~1\iexplore.exe.new
      move c:\progra~1\Intern~1\iexplore.exe c:\progra~1\Intern~1\iexplore.bak
      echo doh >c:\progra~1\Intern~1\iexplore.exe
      attrib +r +a +s +h c:\progra~1\Intern~1\iexplore.exe
      Moments later the fixit wizard will more than likely pop up, hit cancel, and yes. Voila.
    3. Re:They should know by Queer+Boy · · Score: 2, Funny
      Now, hold onto yourselves...there's one more thing.

      A terrible spyware is in your system. So much rage, so much betrayal. I've never seen anything like it. I don't know what hovers over your kernel but it was strong enough to punch a hole in your security and take control away from you. It keeps system calls very close to it and away from the kernel. It lies to you...it does things only a geek can understand. It has been using your system to infect others. To your kernel, it simply is another system component, to us, it is the beast. Now let's go get your restore CD.

      --
      Not since Marie-Antoinette played milkmaid has looking simple and honest been so fake and complicated.
  6. Argument for Partitioning by generationxyu · · Score: 2, Interesting
    The Windows installer should have a partition editor, and some information about partitioning. It should allow you to easily install Windows on a separate partition from your data.

    Then you can keep /home on a separate partition, /var on a sep...

    Oh wait.

    --
    I mod down pyramid schemes in sigs.
    1. Re:Argument for Partitioning by nmx · · Score: 2

      The Windows installer should have a partition editor, and some information about partitioning. It should allow you to easily install Windows on a separate partition from your data.

      It does. A rudimentary one, but nevertheless.
      --
      "Well kids, you tried your best, and you failed. The lesson is, never try."
    2. Re:Argument for Partitioning by slaker · · Score: 4, Informative

      There does exist a tool called "linkd" in the Windows 2003 Server resource kit, which allows you to set mount points via the command line.

      So you install a system. Use two partitions. Pull the drive. Install 2nd drive on working Windows machine. Copy the "Documents and Settings" to the second partition of the newly installed drive. Then use linkd to create a "Documents and Settings" mount point from one partition to the other.

      As a semi-serious builder/hobbyist, when I build a system, I use preconfigured sysprep images where I have already done this (the mount point linkage IS copied by programs like ghost that support NTFS5). I can restore a single partition or the whole disk. Either way. I distribute a restore DVD to my customers that can fix their spyware- and virus-hosed Windows installs without killing all the pictures they took with their digital camera etc.

      It took me a bit of fiddling to make sure I have the process right, but for the number of times it's saved me two hours' work, I almost want to cry.

      --
      I wanna decide who lives and who dies - Crow T. Robot, MST3K
  7. Still behind the times by SeanTobin · · Score: 4, Funny

    Well, at least Windows is catching up. We've had rootkits on linux forever! :)

    --
    Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
    1. Re:Still behind the times by Rhys · · Score: 2, Insightful

      Thank god your average linux account can't go modify the kernel, unlike your average windows account! Maybe now they'll have to finish catching up.

      --
      Slashdot Patriotism: We Support our Dupes!
  8. Just do what UNIX people do by temojen · · Score: 3, Funny

    Boot a clean kernel from removable, non-writeable media (closed-session CD or write-protected floppy) when doing the rootkit detection. (some details are left to the reader as an exercise)

  9. I am not surprised... by Noryungi · · Score: 2, Insightful

    I spent almost two weeks trying to clean the VX2 spyware from a computer that belonged to one of my brothers in law... only to learn the only way to kill this p* of s* is to remove the infected hard disk, plug it into another (uninfected) computer and reformat the whole thing. I kid you not.

    I stopped providing "free technical support" to my brothers in law a short while after that episode. And yes, my machines run Linux or OpenBSD.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:I am not surprised... by jdog1016 · · Score: 2, Insightful

      I recommend just telling everyone you know to go buy a Mac. Problem solved--no more technical support needed from me.

  10. No, the correct procedure is: by mrchaotica · · Score: 2, Insightful

    Uninstall Windows.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  11. Don't get too smug... by Realistic_Dragon · · Score: 3, Insightful

    ...rootkits for Linux are also a bitch to find and get rid of. It's only because we have had this risk for longer that we have good tools to find, remove and otherwise manage the risk... but how many Linux users actually do this?

    Probably the same five who spool logs to another server as well as write-only tape and run everything in chroot I suspect.

    --
    Beep beep.
    1. Re:Don't get too smug... by ThisIsFred · · Score: 2, Insightful

      Right on. If you haven't checked every bit in storage yourself (impossible), then consider the machine tainted. Check/backup your data, then reinstall.

      --
      Fred

      "A fool and his freedom are soon parted"
      -RMS
    2. Re:Don't get too smug... by stratjakt · · Score: 2, Interesting

      No, they typically pick up on the nfs legacy of running everything as "nobody/nobody", because it's a pain in the ass to add a user/group for every service you run, and most admins (and distros) are lazy.

      If it's a webserver, they just let everything (apache, squid, proftpd, etc) run as apache/apache because most "web gurus" are too lazy/incompetent to figure out the permission problems when some mod or web app won't work.

      Go read some howtos, see how often they recommend doing a "chmod -R 755 /etc/x" and "chown -R nobody:nobody /etc/x". Granted, many linux howtos floating around on the web are written by people with only the basic knowledge of the topic at hand.

      At any rate, once you've configured all your servers to run as "nobody", all of a sudden the "nobody" account has access to a whole lot of important configuration files. That is, your "unprivileged" account "nobody" or "apache" winds up with pretty much all the rights you need to install your rootkit.

      So who needs to be "root" if the "nobody" account has access to all your important shit like your /etc/pam.d, all your .conf files, etc?

      --
      I don't need no instructions to know how to rock!!!!
  12. Bruce Schneier on the Prototype Detection Tool by Noksagt · · Score: 5, Informative
    Bruce covered the tool in a recent post on his blog. He says:
    This is a really interesting technical report from Microsoft. It describes a clever prototype -- called GhostBuster -- they developed for detecting arbitrary persistent and stealthy software, such as rootkits, Trojans, and software keyloggers. It's a really elegant idea, based on a simple observation: the rootkit must exist on disk to be persistent, but must lie to programs running within the infected OS in order to hide.

    Here's how it works: The user has the GhostBuster program on a CD. He sticks the CD in the drive, and from within the (possibly corrupted) OS, the checker program runs: stopping all other user programs, flushing the caches, and then doing a complete checksum of all files on the disk and a scan of any registry keys that could autostart the system, writing out the results to a file on the hard drive.

    Then the user is instructed to press the reset button, the CD boots its own OS, and the scan is repeated. Any differences indicate a rootkit or other stealth software, without the need for knowing what particular rootkits are or the proper checksums for the programs installed on disk.

    Simple. Clever. Elegant.

    In order to fool GhostBuster, the rootkit must 1) detect that such a checking program is running and either not lie to it or change the output as it's written to disk (in the limit this becomes the halting problem for the rootkit designer), 2) integrate into the BIOS rather than the OS (tricky, platform specific, and not always possible), or 3) give up on either being persistent or stealthy. Thus this doesn't eliminate rootkits entirely, but is a pretty mortal blow to persistent rootkits.

    Of course, the concept could be adopted for any other operating system as well.

    This is a great idea, but there's a huge problem. GhostBuster is only a research prototype, so you can't get a copy. And, even worse, Microsoft has no plans to turn it into a commercial tool.

    This is too good an idea to abandon. Microsoft, if you're listening, you should release this tool to the world. Make it public domain. Make it open source, even. It's a great idea, and you deserve credit for coming up with it.

    Any other security companies listening? Make and sell one of these. Anyone out there looking for an open source project? Here's a really good one.

    Note: I have no idea if Microsoft patented this idea. If they did and they don't release it, shame on them. If they didn't, good for them.
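    The cross-view diff Schneier describes, as an added example in Python that is not GhostBuster's code: the in-OS scan is simulated by a filter standing in for a subverted file API, the clean-boot scan reads the disk directly, and the same comparison works for any other snapshot (autostart registry keys, for instance). All file names and contents are constructed.

```python
"""Cross-view diff detection (added example, not Microsoft's GhostBuster code)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional

# A "view" stands in for the file API the scanner talks to. The clean-boot
# view is the truth; a rootkit-subverted view may hide an entry (return None)
# or present a digest that does not match what is really on disk.
View = Callable[[str, str], Optional[str]]


def sha256_file(path: Path) -> str:
    """Checksum one file in chunks so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, view: Optional[View] = None) -> Dict[str, str]:
    """Return {relative path: sha256} for every file under root.

    With view=None this is the clean-boot scan. With a view, each (path, true
    digest) pair is passed through it, which is how a lying in-OS scan is
    simulated here: a real rootkit would instead be filtering directory
    listings and file reads underneath this code.
    """
    root = Path(root)
    report: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            digest = sha256_file(p)
            if view is not None:
                shown = view(rel, digest)
                if shown is None:      # hidden from the in-OS scan
                    continue
                digest = shown
            report[rel] = digest
    return report


def cross_view_diff(inside: Dict[str, str], outside: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the in-OS view with the clean-boot view of the same snapshot.

    No signature database and no known-good checksums are needed: the only
    thing being tested is whether the running OS told the truth about disk.
      hidden   - on disk, but invisible from inside (classic rootkit hiding)
      ghost    - visible inside, but not on disk (fabricated entries)
      modified - visible both ways, but the contents reported differ
    """
    hidden = sorted(set(outside) - set(inside))
    ghost = sorted(set(inside) - set(outside))
    modified = sorted(p for p in set(inside) & set(outside) if inside[p] != outside[p])
    return {"hidden": hidden, "ghost": ghost, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Build a constructed 'system32' with one hidden driver and one trojaned
    DLL, scan it both ways and return the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sysdir = root / "system32"
        sysdir.mkdir()
        (sysdir / "kernel32.dll").write_bytes(b"constructed clean library")
        (sysdir / "svchost.dll").write_bytes(b"constructed trojaned library")
        (sysdir / "rk.sys").write_bytes(b"constructed rootkit driver")

        # What the trojaned file looked like before it was replaced; the
        # rootkit serves this content to readers so checksums appear clean.
        original_svchost = hashlib.sha256(b"constructed original library").hexdigest()

        def rootkit_view(rel: str, true_digest: str) -> Optional[str]:
            if rel.endswith("rk.sys"):
                return None                 # driver hidden from listings
            if rel.endswith("svchost.dll"):
                return original_svchost     # reads redirected to clean bytes
            return true_digest              # everything else shown honestly

        inside = scan_tree(root, rootkit_view)   # scan from the running OS
        outside = scan_tree(root)                # scan after booting clean media
        return cross_view_diff(inside, outside)


if __name__ == "__main__":
    print(demo())
```

    The inside scan's results must reach the clean boot untampered; Schneier's point 1 is exactly that the rootkit could rewrite that results file, so in practice the inside report should be written somewhere the rootkit does not control (or at least hashed and the hash noted by hand before rebooting).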
    1. Re:Bruce Schneier on the Prototype Detection Tool by scheme · · Score: 2, Informative
      Innovative it is not. The Linux recipe for this is to boot using knoppix, chroot to the main system, run tripwire/aide/chkrootkit/etc. and see if anything gets flagged.

      The difference is that you don't need to run the MS program on a regular basis in order to build the database. The MS program will create 2 md5 databases and compare them to see if you've been infected. Although you could do that with tripwire, that really isn't what it was designed for.

      --
      "When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
    2. Re:Bruce Schneier on the Prototype Detection Tool by John+Allsup · · Score: 2, Informative

      This reminds me of the old fix for the Dir II virus. The fix was: zip up all the files on your hard disk, boot from a clean floppy and unzip them all.

      --
      John_Chalisque
  13. Impossible to clean now by totallygeek · · Score: 2, Insightful
    The obscure registry and asinine DLL structure, coupled with incomplete process lists and poorly-defined startup parameters make most spyware impossible to scrape off a system to date.

    1. Re:Impossible to clean now by ThisIsFred · · Score: 2, Informative

      Not really. You can easily spot all the hooks in the IE registry entries. If you're too confused by the registry, get "HijackThis". There are only four places an autostart entry could be (just repeated in the user half of the registry), probably two less places in an XP system. Fake drivers load in one of two places, as do fake DLLs. I'd say use system file checker too, but it's too stupid to realize the difference between a corrupted file and a legitimately patched one.

      It's not rocket science, but what makes it a tremendous pain is Microsoft's lack of useful command line utilities. I'm not talking about how they left out utilities for importing DS objects or copying files with rights intact, I mean registry editing tools. What MS needs is a utility to make a boot disk that's *NOT* DOS based (doesn't run in real mode), and has NTFS support. ...Plus a command-line registry editor, or maybe something like the EDIT.COM command.

      --
      Fred

      "A fool and his freedom are soon parted"
      -RMS
  14. Re:You're infected! Not me. by Master+Bait · · Score: 4, Interesting

    In the old pre OS X days, most Mac viruses were INITs (AKA Extensions) which are rewritten system calls. I remember a virus from the olden days which was an INIT that spread through a DiskInsertionEvent.

    --
    "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
    --Tom Schulman
  15. Here's the link to a free SP2 CD from Microsoft by xTK-421x · · Score: 4, Informative

    Install SP2 before you connect a Windows XP machine to the internet.

    The last time I connected a fresh Windows XP RTM box to the internet, it was infected with MS Blaster in 6 minutes.

    Windows XP Service Pack 2 on CD FREE

    --
    "TK-421, why aren't you at your post?"
    1. Re:Here's the link to a free SP2 CD from Microsoft by LurkerXXX · · Score: 2, Informative
      The firewall is included in default XP, just not turned on.

      Next time just do the install, turn on the firewall, then plug in the ethernet cable.

      Then go download the latest service-packs/patches.

  16. Windows is catching up to Linux! by bigtallmofo · · Score: 2, Insightful

    I remember attempting to clean systems that had the Linux Rootkit installed on it in the past. Can't trust results of ps, can't trust results of netstat, can't trust anything.

    I can't even imagine having this type of situation on a Windows box. There's just so many more places to hide things and most even technically knowledgeable people wouldn't know what to do if their favorite process list application or network connection lister only shows you what the spyware author wants you to see.

    If you can even discern there is a problem, re-formatting is your only hope.

    --
    I'm a big tall mofo.
  17. Re:Further proof by jonbryce · · Score: 4, Informative

    Can you install a linux rootkit by viewing a web page in Mozilla / Konqueror?

  18. Admin = Screwed by The+Bungi · · Score: 2, Interesting
    As long as people are logged in as admins when they install that REALLY COOL KAZAA CLONE they downloaded from a server in ROMANIA, they're screwed. Just like root on Unix, the admin can do just about anything (though some things are more difficult because of ACLs).

    It was just a matter of time, really. This problem will go away only if people realize they're at risk by running under an admin account and companies (including Microsoft) and independent developers learn to write applications that don't need god-like powers to function. Without user pressure (don't buy or use apps that require admin rights!!) this won't happen.

    Windows has had this capability since NT4. I think it's time we started using it.

    1. Re:Admin = Screwed by The+Bungi · · Score: 2, Insightful
      Not all of them, no. The Windows installer has the capability to do certain things under different accounts. And how is that different from any other operating system? If only due to the need to write to normally protected directories (Program Files | /usr/bin or whatever).

      It would be no different from having to drop down to root and do a make install or some such.

  19. Dark horse anti-spyware apps: by mrchaotica · · Score: 4, Funny
    • Linux
    • Mac OS X
    • BSD
    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  20. This is the Legion of Doom Reporting by wazzzup · · Score: 2, Funny

    Microsoft Warns of Impossible to Clean Spyware

    Bizarro: On Bizarro world people like spyware. People no clean from computer. Go now live to Solomon Grundi.

    Solomon Grundi: Errrr! Solomon Grundi say Microsoft full of crap. Solomon Grundi crush Microsoft like piece of paper.

    Bizzaro: This Legion of Doom reporting. Back to Zonk at Slashdot.

  21. Rootkit cleaning by Craig+Ringer · · Score: 3, Insightful

    As far as I know, rootkits like that have been the norm rather than the exception on Linux and, I think, the BSDs for some time. I don't know about the other UNIXes and UNIX-like OSes (like MacOS/X), but I'd be surprised if it wasn't the case to some extent there too.

    It's been widely recognised for a while that if your system is cracked, the only way to be fairly sure you've cleaned it is to reformat it and start again then *carefully* restore data from backups. I don't see how this is news.

  22. Re:You're infected! Not me. by Kpt+Kill · · Score: 5, Insightful

    You're telling me that when joe user installs his linux version of kazaa and it pops up the message, you must install with root... enter password... Linux, Solaris, Mac, anything will be immune to the malware? I think not. Users don't read popups. If they are prompted for root... they will type it in.
    I've even seen macromedia flash boxes pop up to alert you that IE has blocked their ActiveX script, and the user should do the following steps to install the plugin. And people do.

  23. Sounds familiar... by madaxe42 · · Score: 2, Interesting

    Where I work, we've taken the step, as we have *many* identical boxes, of keeping a default system image ghosted and backed up on our *linux* server, because that's the only moderately safe place on the network. We end up rolling out a ghosted image at least twice a week - our jobs would be hell without it.

  24. So? by ViceClown · · Score: 3, Funny

    Big deal! Linux has had this for like... ever now!

    Oh wait... ;-)

    --
    Have a Happy.
  25. recovering from kernel mode rootkits is hard... by mrhandstand · · Score: 2, Informative
    but not impossible. In layman's terms it means you can't trust the OS to provide your user space applications with correct data. Boot into an alternative OS (Knoppix), and you can then run cleanup tools.

    It's also possible to use software hardening tools to prevent changes to the kernel (can't remember the exact company, think the name was "Server-Lock", or something like that).

    The real answer is layered security, well managed backup and data protection strategies, and the understanding that no networked PC is immune.

    --
    Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
  26. It's recommended, but not 100% necessary. by khasim · · Score: 5, Insightful

    With Linux, you can boot from a live CD and validate every file and package on your system.

    You can even chroot the system, wipe the boot sector and re-install the kernel.

    This might be "impossible" to clean on Windows, but on Linux, it's just really annoying.

    1. Re:It's recommended, but not 100% necessary. by hankwang · · Score: 5, Informative
      You keep a LiveCD with MD5 hashes for the current versions of all of your binaries?

      Step 1: Take your Fedora or whatever installation CDs with all the original RPM files.

      Step 2: Issue the command: rpm -Vp *.rpm

      Step 3: All files that have a "5" in front of them have a wrong MD5 checksum.
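      A parser for the rpm -V output those three steps produce, as an added example that is not from hankwang's post: it decodes the flag columns rpm prints (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P capabilities), handles "missing" lines, and triages digest changes on non-config files; the sample output is constructed. Run rpm itself from the live CD, not the suspect install, since the rpm binary on disk is as untrustworthy as anything else there.

```python
"""Decode `rpm -Vp *.rpm` output (added example; the flag letters are rpm's,
the parser and triage rule are mine)."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Column letters rpm prints when an attribute no longer matches the package.
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}

# "S.5....T.  c /etc/ssh/sshd_config": 8 or 9 flag columns ('.' = unchanged,
# '?' = could not be tested), an optional file-type letter (c config, d doc,
# g ghost, l license, r readme), then the path.
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")


@dataclass
class VerifyEntry:
    path: str
    changed: FrozenSet[str] = field(default_factory=frozenset)
    attr: str = ""          # 'c' for a config file, '' for ordinary files
    missing: bool = False


def parse_rpm_verify(output: str) -> List[VerifyEntry]:
    """Turn rpm -V text into structured entries; unknown lines raise."""
    entries: List[VerifyEntry] = []
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Unsatisfied dependencies"):
            continue
        m = MISSING_RE.match(line)
        if m:
            entries.append(VerifyEntry(m.group("path"), attr=m.group("attr") or "", missing=True))
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rpm -V line: {line!r}")
        changed = frozenset(FLAG_MEANING[c] for c in m.group("flags") if c in FLAG_MEANING)
        entries.append(VerifyEntry(m.group("path"), changed, m.group("attr") or ""))
    return entries


def triage(entries: List[VerifyEntry]) -> List[str]:
    """Paths worth a closer look: non-config files whose digest changed or
    that are gone. Edited config files are expected; a changed /bin/ls is
    not, and a missing netstat is exactly what a rootkit install looks like."""
    return sorted(
        e.path for e in entries
        if (e.missing or "digest" in e.changed) and e.attr != "c"
    )


# Constructed sample of what `rpm -Vp` might print on a tampered system.
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /bin/ls
.......T.    /usr/lib/libz.so.1
missing      /usr/bin/netstat
.M.......    /usr/sbin/sshd
"""

if __name__ == "__main__":
    for path in triage(parse_rpm_verify(SAMPLE_OUTPUT)):
        print("CHECK:", path)
```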

    2. Re:It's recommended, but not 100% necessary. by temojen · · Score: 4, Informative

      That's why patching local privilege escalation bugs is important.

  27. Non infected scanner? by Kelerain · · Score: 2, Informative

    Wouldn't it still be quite possible to scan the system from a non infected source, such as the UBCD4Win? It's a bootable CD, like knoppix and others, but with a light version of windows XP and a ton of cleaning tools. I use it regularly for cleaning spyware and viruses off thoroughly infected systems.

    It's able to cope with systems having hundreds of virii and such. If you trust it to remove simpler malware, then ingrained rootkits should be a similar problem, for an 'external' system. Not to mention it has all the critical XP system files handy for replacements. A bit easier than the 'nuke it all' approach, which is beginning to sound like 'reboot and see if the problem goes away'.

  28. In defense of Microsoft.... by GeneralEmergency · · Score: 2, Funny

    ...Uhhh. Errrr. Ummmm.

    Ok. I got nothing.

    --
    "A microprocessor... is a terrible thing to waste." --
    GeneralEmergency
    1. Re:In defense of Microsoft.... by mrseigen · · Score: 2, Informative

      At least they're bright enough to rip off tripwire, instead of some other rootkit detector.

  29. Re:Ok... by Zocalo · · Score: 5, Informative

    Actually, most *NIX rootkits have been intercepting system calls to the kernel and replacing common command tools that might be used to detect and remove them for ages. I haven't heard of one that can avoid detection by the likes of Chkrootkit and Rootkit Hunter yet, other than by being brand new of course. Naturally, that doesn't automatically mean that it's impossible to write one though.

    --
    UNIX? They're not even circumcised! Savages!
  30. Hmm by ctr2sprt · · Score: 4, Informative
    Maybe I'm missing something, but this doesn't seem like anything new. Google for HackerDefender, I'm sure you'll find some relevant links. It intercepts the appropriate system calls to make itself completely invisible: it hides its processes as it's running, it hides the services that start them, etc. I've been seeing it on my employer's Windows servers for quite some time. There are ways to clean it, though they could of course be circumvented as well. The foolproof way to remove it is to boot from a special Windows boot CD and delete the files it uses.

    Unless there's something really new and complex going on here, not only is this not new, but IT professionals already have ways of dealing with it. In our case, on a live system with one reboot required. I wouldn't call it minor, certainly (10 minutes of downtime is 10 minutes of downtime), but... hell, if script kiddies have been using this for months and months...

  31. Happened to me 2 days ago. by LePrince · · Score: 5, Interesting
    I was at work, and I'm the only person in our helpdesk to "de-spywarise" the company's PC (I'm the only 2nd level tech analyst). I got a laptop yesterday that was infected with numerous spywares. After removing most of them with HijackThis, Spybot, CWShredder, there was a rogue entry to a file named "elitegfk.exe" in the registry that, as soon as I removed it, came back.

    Easy enough I thought, I'll just remove physically the file and the process. But no; the file wasn't ANYWHERE. Yes, I unchecked the "Hide protected system files" checkbox and I was on SHOW HIDDEN FILES, so ALL files were displayed. Heck, a dir /s on the root of the filesystem didn't even work... I thought that it would be possible that the file has another name, renamed itself to that, made its dirty business then renamed itself. I fired up Filemon (from Sysinternal) and sure enough, I see plenty of activity from a process named elitegfk.exe but STILL no sign of the file and/or process. I scanned the registry, and regedit.exe took 2 seconds to complete the scan... !

    I was on the verge of reformatting the system when I thought about something: I accessed the laptop through the admin share (\\computer\c$); sure enough, the file was there, sitting quietly in c:\winnt\system32 (Win2k system)...

    The spyware prevented its own display through taskmgr, explorer and regedit. Regedt32 didn't work, I got a virtual memory low error when I tried to scan the registry. The ONLY way I could see the file was through Filemon AND through the file sharing...

    I'm guessing the next one will palliate those things by attaching itself to the most common troubleshooting tools like regmon and to the SMB protocol to make sure it can't be displayed through the shares...

    This is getting ridiculous. Yes, you'll tell me to switch to Firefox, but we can't; I work in an artistic company with 1000+ PCs and non-tech-savvy users, and tons of internal apps that were developed either with .Net or massive ActiveX and other MS-only stuff, so we can't switch everything to Firefox, and having 2 browsers isn't a viable option either, since most of our users would simply get confused.

    Anyway.

    1. Re:Happened to me 2 days ago. by rokzy · · Score: 3, Insightful

      you keep using that word ("can't"). I don't think it means what you think it means.

      of course you could switch browsers etc. what you mean is that it is more work than you are willing to do.

      just a nitpick on an otherwise interesting story.

      but I think it's an important nitpick because things can't keep going the way they are. with all the spam, spyware, viruses etc. there is going to come a point when businesses can't afford to have stupid employees running crap software.

      there ARE alternatives available for EVERYONE. adapting will be harder for some than others, but when the options become adapt or die, those using words like "can't" will find themselves on the wrong side of the evolutionary process.

    2. Re:Happened to me 2 days ago. by Lew+Pitcher · · Score: 4, Insightful

      You say

      This is getting ridiculous. Yes, you'll tell me to switch to Firefox, but we can't; I work in an artistic company with 1000+ PCs and non-tech-savvy users, and tons of internal apps that were developed either with .Net or massive ActiveX and other MS-only stuff, so we can't switch everything to Firefox, and having 2 browsers isn't a viable option either, since most of our users would simply get confused.
      and I say "That's the price of committing your business to proprietary software and interfaces that are someone else's profit centre."

      I know that this doesn't help you in your situation, but it does serve as a cautionary note for those who are not yet in that position, but are considering a move to proprietary software.

      Cheer up, though. Once the cost of supporting such a fragile situation exceeds the cost of migrating to a saner environment, you can put the case forth to move to a more secure, more open platform.

      Until then, you have my deepest sympathies.

      --

      "values of beta will give rise to dom!"

    3. Re:Happened to me 2 days ago. by argent · · Score: 2, Interesting

      tons of internal apps that were developed either with .Net or massive ActiveX and other MS-only stuff,

      You know, if Microsoft ever does get a clue and fix the real security holes that let these spyware apps in in the first place, you'll have to rewrite all that stuff... because there's no way to fix Windows properly without changing the API.

      Bite the bullet already.

  32. No Clean Boot? by Sloppy · · Score: 2, Insightful
    This is new?! It has always been orthodox antivirus doctrine, that you cannot count on being able to reliably clean a compromised system, while you are running that compromised system.

    Once you're infected, in order to detect or clean, you have to cold boot from known clean media. How to conveniently do this with Windows, I have no idea. (I used to sometimes check clients' machines by booting from an MS-DOS 6.22 floppy and running F-Prot, but it got harder'n'harder to make that work, for a variety of reasons. It eventually got where the only way I knew to reliably do it, was to physically transplant their hard disk to another Windows machine that was known to be ok. As this was usually impractical, expensive, etc, people stopped asking me for help. ;-)

    That's one of the reasons I consider the Windows AV market to mainly be snake-oil. In my limited experience with Windows, all the AV products I've seen, were just applications that the user was expected to run while possibly already compromised. It amused me that people paid for that stuff.

    If you're relying on a scanner to detect and clean stuff after the fact, it's too late and you have no reasonable expectation of the product actually working. The only workable defense is to not get infected in the first place.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  33. Thin edge of the wedge... by spywarearcata.com · · Score: 2, Interesting

    Ironically, it will probably be the annoyance of pervasive spyware that causes the death of internet privacy: every process stream will be digitally signed and serialized.

    We can filter out the bad guys at the cost of definitively identifying you.

  34. Sheesh! by Thud457 · · Score: 3, Funny

    Why do these people compile and install trojan software? Don't they do a code review before installation?

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  35. Re:Further proof by CaptKilljoy · · Score: 4, Informative

    I don't think a *nix kernel rootkit has ever existed, where a program can modify the kernel and is impossible to remove.

    It would have taken all of 30 seconds to google in advance:
    http://www.google.com/search?hl=en&q=unix+rootkit+kernel&btnG=Google+Search

    --A closed mouth gathers no foot.

  36. Security Levels by Detritus · · Score: 2, Interesting
    It might help if Microsoft took an idea from BSD and made it possible to write-protect critical system files. That way, even if Joe PornMonger downloads worms and viruses while logged in as Administrator, the software would not be able to corrupt the operating system.

    I would also add a digital signature check to the bootstrap process, so that critical operating system code wouldn't be loaded unless it was signed by Microsoft.

    --
    Mea navis aericumbens anguillis abundat
    1. Re:Security Levels by tehshen · · Score: 2, Insightful

      What about critical system updates? They often need to write to these critical system files. They would be protected against Joe PornMonger's worms and viruses as well as the updates. As he is always running as Administrator, there's no way to tell if it is a worm or an update agent requesting write-access to the files.

      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
    2. Re:Security Levels by Detritus · · Score: 2, Informative

      The advantage of the BSD scheme is that even if the box gets rooted there are files that even root can't mess with. They get locked down after the system is switched into multiuser mode. The only way to modify/delete the files is to reboot the system.

      --
      Mea navis aericumbens anguillis abundat
  37. Boot from Knoppix CD by spywarearcata.com · · Score: 2, Interesting

    ...when you want to use the Internet. You don't even need to possess a hard drive.

    1. Re:Boot from Knoppix CD by mwilliamson · · Score: 2, Insightful

      Yes, I agree that detecting an exploited kernel can never be reliably done while using the exploited kernel itself. (one more argument exemplifying the futility of the trusted computing base / DRM...but I digress) I think that Knoppix + NTFS (either the r/o GNU one or Captive NTFS + clean dll's) would make a good foundation for a detection/removal tool.

  38. Impossible? by Digital+Avatar · · Score: 2, Insightful

    Heresy! There's no spyware that a little FORMAT C: can't handle!

  39. Not nearly the same problem by SuperKendall · · Score: 3, Insightful

    Yes, UNIX systems have had rootkit problems for a long time.

    However, how did those rootkits get installed? Typically through holes in services, like FTP server exploits or web server exploits or whatever.

    But OSX has none of those running by default. That's right, none. So while in theory possibly you could develop an exploit against, say, Apache on the Mac (the port you'd most likely be able to get to) it wouldn't reach many people at all, and so the user base would have to be quite huge to make it worth the effort to even try.

    The other potential vector is user apps like the browser or users simply running a silly program. But there the app has a greater hurdle, as no users on OSX are "root" users and thus are unable to easily install a rootkit. At best you'll get an admin user to possibly type in his password, but that will again affect a lot less people as not so many will be willing to type in an admin password just to see blinky the fish swim around on-screen. Compare and contrast with so many Windows users that run Admin because some games require it.

    Lastly, let's say a rootkit does get through. Software Update runs on every Mac by default every week, so Apple has a chance to go after it that way. Possibly of course they can intercept what Software Update is doing, but it adds another layer of complexity to what they are doing.

    Yes, possibly the same thing can be done on a Mac. Just as someone can break into a car stored in a private garage - but it's a lot less likely than if you leave your car parked on the street in an iffy neighborhood, which is what all Windows boxes are nowadays. With SP2 all they've done is decided to park under the streetlight instead of in the shadows.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  40. Re:Further proof by TheRaven64 · · Score: 2, Informative

    Maybe not right now, but there have been a few arbitrary code execution vulnerabilities in Mozilla. If someone happened to visit a web site that made use of one of these vulnerabilities, then they could get something nasty installed. If they were running as root, then there's nothing stopping this from doing all sorts of kernel level things. If not, then it could just put trojaned copies of su and sudo somewhere on the user's path and wait for them to type in a password required for root access (meanwhile, harvesting data from the user's account, for example by polling X for copies of events).

    --
    I am TheRaven on Soylent News
  41. Universal spyware solution! by L1nux_L0ser83 · · Score: 3, Insightful

    Step 1 - Install linux -end

    --
    Good Karma, Bad Karma, doesn't matter to me... I'm still going to say what's on my mind!
  42. GHOSTBUSTERS! by d_jedi · · Score: 4, Funny

    Damn.. now I'm going to have that theme song in my head all day.. :->


    When there's something weird,
    and it don't look good
    Who ya gonna call?
    MI-CRO-SOFT??! (Wait..)

    --
    I am the maverick of Slashdot
  43. Re:Once a machine is compromized... by myov · · Score: 2, Interesting

    Hate to reply to my own post, but one of my clients/suppliers has two machines with a KVM at each desk. One for external (web/mail), the other for internal tasks (accounting/etc). Two separate networks that do not talk. Only one has internet.

    In theory, nothing should take down the internal systems.

    --
    I use Macs to up my productivity, so up yours Microsoft!
  44. OSX definitely has some positives. by nortcele · · Score: 3, Informative

    OSX is more secure in many ways. For those that know what they are doing... (they usually don't get infected but that's beside the point) you can use the "chflags schg" command as root to lock a file so that it cannot be modified. The flag can only be cleared in single-user mode. Standard linux distros with ext2/ext3/reiserfs don't have that. I'm not real up to speed on WinXP or 2003, so I don't know if they have a single user mode (or a real multi-user mode). But OSX can be hardened to where you can be sure the kernel or critical libs cannot be updated.

    1. Re:OSX definitely has some positives. by nortcele · · Score: 2, Informative

      I have chattr man pages. The immutable flag can be changed at will by root while in multiuser mode. Not secure. Period. Read and digest my whole comment before coming back with an anonymous "wrong".

  45. MS needs to release a bootable CD version by davidwr · · Score: 3, Insightful

    Sure, there's Bart's Preinstalled Environment bootable-cd-maker but MS really should release a bootable CD of its OSes, complete with cleanup- and other system-maintenance tools, to the community. Heck, I wouldn't even mind typing in my MS-Windows serial number or inserting a floppy that had a key-holding file copied from my hard disk every time I boot. Heck, I'll even pay $5 for the media and give Microsoft my name and address for a tool this useful.

    Knoppix rocks but there are some Windows-maintenance things that are much easier in a Windows-booted environment.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  46. Yes, it is the same problem by tetromino · · Score: 5, Insightful

    R00tkits will get installed on Macs the same way they get installed on Linux: through a combination of two exploits. First, the hacker uses an exploit to obtain shell access with an unprivileged account. Typical exploits include holes in Samba or CUPS (which OSX also uses), browser bugs (e.g. libpng overflows), holes in various daemons (if you use your OSX as a server), or even simply using a keylogger on a public machine to catch a user's password.

    Then, the hacker uses a second exploit to elevate his local shell access to local root. Typical exploits of this nature include thread race conditions in the kernel, the kernel failing to properly sanitize input, or problems when a process is shifted from one kernel security infrastructure to another. The Linux kernel had a number of local root exploits in the past few months. IIRC Apple usually doesn't publish its list of security vulnerabilities (it just puts the fixes on Software Update, without fully explaining what they fix), so I can't comment on the security of the darwin xnu kernel.

    Thus, I would say it's about as easy to install a rootkit on a Linux workstation as on an OSX desktop (and similarly, it's as easy to install a rootkit on a Linux server as on an OSX server). In other words, you need an unpatched system vulnerable to a specific pair of exploits, a clueless admin, and a skilled hacker -- which is not an impossible combination.

    1. Re:Yes, it is the same problem by LurkerXXX · · Score: 2, Informative
      Ever seen a group of average mac users working on OSX? (average, not nix type folks)

      I've never seen one fail to type in the admin password as soon as prompted, no hesitation, no questions asked. I don't think it's going to be hard to start generating lots of self-hacked machines once OSX gets more market share and becomes a more viable target for the spread of little nasty things.

    2. Re:Yes, it is the same problem by aardvarkjoe · · Score: 2, Informative
      That means physical access to the machine, does it not?

      It does not, though I will admit that the "local" / "remote" names are rather confusing. A local exploit is one that is run by a user that has access to the system; that includes somebody who logs into a regular user account via telnet or ssh. A remote exploit is one that is run from outside the system. In this case, what is described is a remote exploit to get user-level access, followed by a local root exploit to get root access. Both can be done via the network.
      --
      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  47. Re:Ease of rootkitting on Windows vs. other by ratboy666 · · Score: 2, Interesting

    A rootkit can be installed on any OS that can be rooted in the first place. To root a box requires two things:

    An attack vector that gives access

    A method to escalate to root.

    On Windows, typically, user runs as "admin", which means only the first need be found. Any convenient buffer overflow will do.

    On Unix, typically, services are not run as "root", meaning local privilege escalations are useful. (suid programs, etc.)

    In general, it's easier with Windows.

    HOWEVER, the art of writing the rest of the rootkit is better understood under Unix -- the common services are clearly documented. Under Windows, the rootkit author needs to expend more work in the kit itself. Before Windows, PC-DOS rootkits were quite common.

    As to "probable"? If you find *any* trojan software that has *ever* had root, it's over. Same for viruses. Note that it's very difficult to determine if root was ever acquired, as this means the software can have made itself invisible.

    So, the machine must be booted from clean (unwritable) media to find any "spyware", "viruses", etc. The rest of the discussion doesn't matter. A clean boot is needed. (and, even this is hard -- now that BIOS is flashable, the kit could hide there instead; which is why I DON'T like flashable BIOS, and favour a simple bootloader).

    YMMV
    Ratboy
    (and, yes, I *have* been rootkitted; now I am just a paranoid)

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  48. I know, right? by catdevnull · · Score: 2, Funny

    I mean, I've been trying to remove "explorer.exe" forever but that damn virus just won't go away.

    --

    I might know what I'm talkin' about, but then again, this is Slashdot...
  49. This proves once more... by Spy+der+Mann · · Score: 3, Interesting

    how flawed this operating system is.

    Flaw #1: Any app can make arbitrary changes to the registry.
    Flaw #2: Any app can make arbitrary changes to the system files.
    Flaw #3: There is no "safe-mode" for core utilities, that would bypass any hijacking of system calls.

    Now can anybody explain to me what was the point of having "system, readonly" attributes, if they can just be turned off?

    Bill Gates never wanted to admit it. But this is just proof that Windows is nothing but MS-DOS "on steroids".

    Till a few days ago, I thought Linux would be the doom of Microsoft, defeating it like David defeated Goliath. But it turns out.. Goliath is about to die from a genetic anomaly. His very nature gave him a short lifespan.

    Oh joy...

    1. Re:This proves once more... by ucblockhead · · Score: 3, Insightful

      Uh....only apps running as administrator can do these things.

      --
      The cake is a pie
    2. Re:This proves once more... by salvorHardin · · Score: 2, Informative
      And the local user account setup during initial XP configuration is a member of which group by default?

      Step forward, LOCALHOST\Administrators!

      Also.. on a Linux system, not only does it ask you to create a root account/password, but distros like Debian, Mandrake, SuSe, Red Hat/FC, hell, even Linspire advise you strongly not to use the root account, and some give you a nice 'bomb' wallpaper in X to warn you when you're logged in as root. It's also difficult (or in some cases impossible) to not create a standard user account during initial Linux configuration.

      With regards to Safe Mode, yes, there is one in XP, which helps out greatly with removing trojans/adware/viruses/AOL, but in the case of a Kernel rootkit, it isn't going to help. With Linux, you can have several Kernels, and choose which one to load at boot time. You can tell init what gets run at different runlevels. Also, working in the favour of Linux (and to a lesser extent, Apple Macs) is the market share of desktops. There's no percentage in writing this stuff for such a minority userbase, especially when the people on the other end are likely to be clueful enough to know 'why all these popups are suddenly appearing'.

    3. Re:This proves once more... by nick8325 · · Score: 2, Interesting

      Sort of. I like L4 a lot :-).

      Except that (please correct me if I'm wrong) I think that L4Linux runs all drivers in the same process as the Linux kernel. So the kernel is not protected from interference from the drivers. Of course, this was done to make it easier to put Linux on top of L4, which is fair enough, so.

      As the "kernel" is running in user mode rather than kernel mode, there can be memory protection. But doing this (especially with Linux drivers' liking for playing with kernel data structures) would, I think, be nearly as hard as turning Linux into a multi-server microkernel anyway.

      So the Linux kernel could still be compromised in L4Linux. Then anything spawned by the Linux kernel could be compromised. The driver could map new pages into any Linux process to run arbitrary code.

      In this case processes which were not spawned by the Linux kernel and which did not trust any Linux processes would be unaffected. They could possibly check for exploits. It still wouldn't be easy, though, with filesystem drivers running in the Linux kernel (h4x0red ;-)), and this process couldn't be started by a Linux process after the bad driver had been loaded.

      The driver could also overwrite this process on disk. So upon reboot, a bad kernelkit-checker is loaded. The checker will need to get it right every time before the system is rebooted, with an untrusted file system. I think that hard isn't a strong enough word :-)

      If the driver was run as a separate process, then it couldn't destroy everything like this without using buffer overruns and suchlike. It can only destroy things in its own address space. With the whole Linux kernel and drivers in one process, that advantage of microkernels almost disappears.

  50. Already in the wild? by kilocomp · · Score: 4, Interesting

    One of the computers I support had a very nasty piece of spyware. I am not sure if it was exploiting the same things described by Microsoft, but it had the following symptoms:
    1. The process would not show up in task manager
    2. The related files would not show up in Explorer
    3. The related registry keys did not show up in regedit
    4. It somehow was being called by Winlogon, so it ran even in safe mode.

    The way I detected it was by using several Sysinternals utilities http://www.sysinternals.com/. I have a script that uses pslist to monitor all processes on the network and this spyware was not smart enough to hide from that. A remote regedit session enabled you to see the related registry files. I had to use BartPE http://www.nu2.nu/pebuilder/ to mount the drive and clean out the related files and registry keys.

  51. Beware of trusted computing by NullProg · · Score: 4, Insightful

    For Microsoft to make a statement such as this could only mean one thing, they intend to push for trusted computing. Watch for them to lobby the government(s) for this:

    trusted computing

    Enjoy,

    --
    It's just the normal noises in here.
    1. Re:Beware of trusted computing by dustmite · · Score: 4, Informative

      Yes, the "push" has begun ... "this is why computers should only run software from 'trusted', 'licensed' software vendors, and only on 'trusted', 'licensed' hardware", they will say ... the ultimate industry lockout to new potential competitors. And the sad thing is the excuse is a flawed premise; the current widespread and rapidly increasing malware problems are primarily because Windows is such a mess internally. Windows is imploding. And they must have known it was going to happen, over a year ago already, when they suddenly decided to start this massive new focus on security .. they knew their security sucked, they saw this coming, and now they're doing two things: (a) trying to patch Windows fast enough to prevent a total implosion and sudden mass exodus from the platform, and (b) try to capitalise on all the spyware and viruses to push 'trusted' computing platforms in order to gain control of the platform to create artificial barriers to entry for new small competitors.

  52. MSDOS Viruses... by Anonymous Coward · · Score: 2, Informative

    Back in that time, there were plenty of DOS viruses that were using "tunneling" techniques to bypass the chain of hooks on interrupt vectors. Still, if it is the same here, that's detectable; you just need to have a detector that is also using the same methods used by the spywares to be the first to intercept calls...

  53. Alternatively.... by NerveGas · · Score: 2, Informative
    If you're truly paranoid, you can disable loadable modules, thus preventing a kernel-level rootkit module from being loaded.

    steve

    --
    Oh, you're not stuck, you're just unable to let go of the onion rings.
  54. Re:Further proof by Serapth · · Score: 2, Insightful

    I knew someone was going to say this :)

    The person who runs something as root, is the same user that doesn't understand what root is. AKA, the typical windows user. If the linux on the desktop dream ever comes true, you would be AMAZED at how many users are going to just use the first username/password in the system.

    Not to mention, how long until they run into a problem ( like say... trying to play certain games ) that says... "You must be root to do blah blah." From that moment on, Joe user uses root for everything.

    If we could ship every copy of XP, with a few years of technical competency, there would be a hell of a lot less spyware/virii/worms and trojans floating around out there!

  55. predictable by xmp_phrack · · Score: 2, Funny

    i for one welcome our new kernel-mode overlords!

  56. ...from within the OS. by abb3w · · Score: 2, Informative
    Of course, there are standardized tools to generate md5 sums of files. A good rootkit, before replacing a file, determines the md5 checksum of the file. Then, when the easily-detectable standardized tools ask for the checksum, the rootkit intercepts the request and feeds the tool garbage.

    ...provided of course that the system is running. If you have booted the system from a separate known-clean read-only disk-- like, say, a KNOPPIX CD from a USB CD-ROM drive, the poor rootkit is essentially defenseless.

    The usefulness of being able to run, for example, Tripwire from a known clean OS makes me wonder why it isn't standard on KNOPPIX. Does anyone know of a CD distro that offers Tripwire or similar MD5 based integrity utility standard?

    --
    //Information does not want to be free; it wants to breed.
  57. Re:Further proof by Spy+Hunter · · Score: 2, Insightful

    I will probably be moderated down for this, but: likely yes. Mozilla has a few crash bugs; Konqueror has more. It is quite likely that some of those bugs are exploitable; then just use a Linux kernel privilege-escalation exploit (of which there are also many) to instantly become root. Voila; r00ted Linux system in two easy steps. Just because nobody bothers to do it (Konqueror's market share is necessarily even smaller than the Linux desktop market; it doesn't even come close to Mozilla's measly percentage) doesn't mean it's impossible.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  58. Don't let users login as either administrators by guacamole · · Score: 3, Insightful

    I think the root of the problem is that most Windows systems (unless centrally managed) are usually set up so that normal users are logged in with elevated privileges. If they were logged in without supernatural privileges then the damage done by the spyware, viruses, and trojans would be limited just to your account and files (e.g. the rest of the system, and certainly the kernel, would be unaffected). So, it seems like the best strategy to fight spyware is to end the current practice of using the administrator account. I am sure that Microsoft could even do something to discourage its use.

    1. Re:Don't let users login as either administrators by shis-ka-bob · · Score: 2, Informative

      I'm with you. I only allow 'users' to surf the web. The only time an 'admin' account is allowed on the net is to connect to Microsoft and install software.

      --
      Think global, act loco
  59. Not the only way by Metasquares · · Score: 2, Interesting

    If the program modifies the Windows kernel in such a way that it is undetectable, couldn't a simple boot CD (running something other than Windows) with a spyware scanner work? Sounds like a potential use of Knoppix, although I'm unaware of any anti-spyware programs for Linux (as spyware is not really a problem on Linux). Something like ClamAV but for spyware would be nice.

  60. Microsoft being innovative again? by Eric+Damron · · Score: 2, Funny

    "Microsoft researchers have developed a tool, named "Strider Ghostbuster" that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences."

    Oh wow! How innovative! Detecting differences by comparing a known good copy with an infected one.... Wow! I wonder if they've applied for the Patent? They've even given it a cute name and everything!

    --
    The race isn't always to the swift... but that's the way to bet!
  61. That only checks what you know by asaul · · Score: 2, Informative

    The reason for re-installation is that you can go and verify every file your package database knows about, but not the ones it doesn't.

    Plenty of rootkits go and hide themselves in /dev or out of the way places that your packages never would have touched, so you will fix up your packaged files but I doubt there is a r00tkit-1.1337.i386.rpm you can check against.

    Sure, it might just leave some stale binaries or scripts around, but unless you go and validate every inode in your filesystem you can't be sure it isn't just going to open you up to another r00ting again.

    And that, kiddies, is why we have backups. (Or at least with Solaris you can jumpstart install/flash it exactly how you want every time).

    --
    "If everybody is thinking alike, somebody isn't thinking" - Gen. George S. Patton
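Comments 56 and 61 above both come down to the same offline check: hash the tree from a clean boot and compare against a baseline, and report files the baseline has never seen rather than only the ones it knows about. The following Tripwire-style checker is an added example written for this page, not code from any poster or from Microsoft's Strider tool; it uses SHA-256 instead of MD5, and the "system tree", trojaned binary and dropped file in `demo()` are all constructed in a temporary directory.

```python
# Added example (not from any Slashdot poster or from Strider Ghostbuster):
# a minimal Tripwire-style integrity check meant to be run from known-clean
# boot media against a mounted, suspect filesystem. It reports three things:
# files whose digest changed, files that vanished, and files the baseline never
# saw at all (comment 61's point: a package database cannot vouch for those).
import hashlib
import os
import tempfile


def _sha256(path):
    """Digest a file in chunks so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path) to its SHA-256.
    Only run this against a tree you already trust, from trusted media."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            manifest[os.path.relpath(full, root)] = _sha256(full)
    return manifest


def verify(root, manifest):
    """Compare the tree at root against a baseline manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unknown": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: baseline a fake system tree, then simulate a
    compromise (trojaned ps, a file dropped under /dev where no package
    looks, a deleted config) and verify. Paths and contents are made up."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("bin/ls", b"original ls binary (constructed)")
        write("bin/ps", b"original ps binary (constructed)")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        baseline = build_manifest(root)

        write("bin/ps", b"trojaned ps (constructed)")
        write("dev/.hidden/r00tkit", b"constructed placeholder payload")
        os.remove(os.path.join(root, "etc/hosts"))
        return verify(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In real use the baseline manifest must itself live on read-only media: a manifest stored on the suspect disk is just one more file the rootkit can rewrite, which is the weakness comment 56 describes.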