Slashdot Mirror
Microsoft Warns of Impossible to Clean Spyware
darkjedi521 writes "The Inquirer has a story that the next generation of Windows spyware and exploits are starting to make use of "kernel rootkits". A paper at Microsoft Research has details on a prototype detection tool. Computerworld has more details, as well." From the article: "Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools..."
There's a very simple SOP for Windows users that will completely eliminate the need for a fix:
1. Buy new PC
2. DO NOT PLUG IN NETWORK CABLE
3. Image drive to external storage wth Ghost or the like
4. Unplug external storage
5. Plug in network cable
6. Connect to Internet. Save any info needed for storage.
7. Unplug network cable
8. Print all info obtained in step 6
9. Plug external storage back in
10. Restore image made in step 3
11. File hardcopies in cabinet
12. Knock back 3 or more shots of your favorite liquor
13. Unplug network cable
14. Return to step 3 for new Internet sessions
What could be simpler?
They are the ones who made it impossible to delete Internet Exploiter after all.
Beep beep.
Well, at least Windows is catching up. We've had rootkits on linux forever! :)
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
I agree it's extreme. They should offer a downloadable bootable CD that verifies the checksums of all system files.
In the old pre OS X days, most Mac viruses were INITs (AKA Extensions) which are rewritten system calls. I remember a virus from the olden days which was an INIT that spread through a DiskInsertionEvent.
"Only in their dreams can men truly be free 'twas always thus, and always thus will be."
--Tom Schulman
Funny how many people seem to take this lightly. The way I see it:
Reinstall Windows
Reinstall all Software, include some pesky registrations
Update all drivers to where you were before hand
Put back all your customizations, default settings, etc.
Yeah, not impossible, but makes a boot to the head sound appealing.
A feeling of having made the same mistake before: Deja Foobar
Install SP2 before you connect a Windows XP machine to the internet.
The last time I connected a fresh Windows XP RTM box to the internet, it was infected with MS Blaster in 6 minutes.
Windows XP Service Pack 2 on CD FREE
"TK-421, why aren't you at your post?"
Except that's the recommended course of action for a rooted UNIX/Linux/BSD machine too (along with figuring out how it was rooted, plugging the hole, and preserving any evidence).
Maybe it is time to look at a Mac.
Kernel-level rootkits have plagued Unixes (including Linux) for a long time. Fortunately on Linux most suck, and can be detected with chkrootkit (yet how many out there that aren't detectable...), and (this is true for windows as well) any of them can be found simply by inspecting the drive from a known clean boot media.
Removing rootkits (kernel level or not) from any OS requires either guruhood, an exact knowledge of which rootkit(s) was used and what files they trojan (as well as a clean source to restore those files from), or a reformat-reinstall-restore(dataonly)frombackups.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Can you install a linux rootkit by viewing a web page in Mozilla / Konqueror?
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Not likely, as you and I may have XP Developer Edition, but where are you in your patches? Hmm?
Seems the best way to handle this is to run all browser processes at a very low security level.
A feeling of having made the same mistake before: Deja Foobar
You're telling me that when joe user installs his linux version of kazaa and it pops up the message, you must install with root... enter password... linux solaris, mac, anything will be immune to the malware? I think not. Users dont read popups. If they are prompted for root... they will type it in.
Ive even seen macromedia flash boxes pop up to alert you that IE has blocked their activeX script, and the user should do the following steps to install the plugin. And people do.
That sounds rather drastic.
Um, dude, a rootkit for *any* OS that hides itself by intercepting kernel calls is effectively uneradicable except by total reinstall. How the hell would a Mac save you from that?
With Linux, you can boot from a live CD and validate every file and package on your system.
You can even chroot the system, wipe the boot sector and re-install the kernel.
This might be "impossible" to clean on Windows, but on Linux, it's just really annoying.
There does exist a tool called "linkd" in the Windows 2003 Server resource kit, which allows you to set mount points via the command line.
So you install a system. Use two partitions. Pull the drive. Install 2nd drive on working windows machin. Copy the "Documents and Settings" to the second partition of the newly installed drive. Then use linkd to create a "Documents and Settings" mount point from one partition to the other.
As a semi-serious builder/hobbyist, when I build a system, I use preconfigured sysprep images where I have already done this (the mount point linkage IS copied by programs like ghost that support NTFS5). I can restore a single partition or the whole disk. Either way. I distribute a restore DVD to my customers that can fix their spyware- and virus-hosed Windows installs without killing all the pictures they took with their digital camera etc.
It took me a bit of fiddling to make sure I have the process right, but for the number of times it's saved me two hours' work, I almost want to cry.
-- I wanna decide who lives and who dies - Crow T. Robot, MST3K
Actually, most *NIX rootkits have been intercepting system calls to the kernel and replacing common command tools that might be used to detect and remove them for ages. I haven't heard of one that can avoid detection by the likes of Chkrootkit and Rootkit Hunter yet, other than by being brand new of course. Naturally, that doesn't automatically mean that it's impossible to write one though.
UNIX? They're not even circumcised! Savages!
Unless there's something really new and complex going on here, not only is this not new, but IT professionals already have ways of dealing with it. In our case, on a live system with one reboot required. I wouldn't call it minor, certainly (10 minutes of downtime is 10 minutes of downtime), but... hell, if script kiddies have been using this for months and months...
Easy enough I thought, I'll just remove physically the file and the process. But no; the file wasn't ANYWHERE. Yes, I unchecked the "Hide protected system files" checkbox and I was on SHOW HIDDEN FILES, so ALL files were displayed. Heck, a dir /s on the root of the filesystem didn't even work... I thought that it would be possible that the file has another name, renamed itself to that, made its dirty business then renamed itself. I fired up Filemon (from Sysinternal) and sure enough, I see plenty of activity from a process named elitegfk.exe but STILL no sign of the file and/or process. I scanned the registry, and regedit.exe took 2 seconds to complete the scan... !
I was on the verge of reformatting the system when I thought about something: I accessed the laptop through the admin share (\\computer\c$); sure enough, the file was there, sitting quietly sitting in c:\winnt\system32 (Win2k system)...
The spyware prevented its own display through taskmgr, explorer and regedit. Regedt32 didn'T work, I got a virtual memory low error when I tried to scan the registry. The ONLY way I could see the file was through Filemon AND through the file sharing...
I'm guessing next one will palliate to those things by attaching themselves to the most common troubleshootings tools like regmon and attach themselves to the SMB protocol to make sure they can't be displayed through the shares...
This is getting ridiculous. Yes, you'll tell me to switch to Firefox, but we can't; I work in an artistic company with 1000+ PC and non-tech-savyy users, and tons of internal apps that were developped either with .Net or massive ACtiveX and other MS-only stuff, so we can't switch everything to Firefox, and having 2 browsers isn't a viable option either, since most of our users would simply get confused.
Anyway.
I don't think a *nix kernel rootkit has ever existed, where a program can modify the kernel and is impossible to remove.
+ kernel&btnG=Google+Search
It would have taken all of 30 seconds to google in advance:
http://www.google.com/search?hl=en&q=unix+rootkit
--A closed mouth gathers no foot.
Of course, there are standardized tools to generate md5 sums of files. A good rootkit, before replacing a file, determines the md5 checksum of the file. Then, when then easily-detectable standardized tools ask for the checksum, the rootkit intercepts the request and feeds the tool garbage. Of course, there are countermeasures you can take, but they will tend become standardized, leading to counter-counter-measures.
What it boils down to is GIGO. If you don't trust to code running on your system, you can't trust ANY result reported by the system. The only solution is to force the system to run code you trust - ie boot to a floppy or CD.
So, it surprises me that a report about this kind of ad-ware/viruses is just now coming out because we have been dealing with impossible-to-remove software for at least a year now. Fortunately the only way to defeat a BartPE scan is to install a BIOS virus - and almost nobody does that any more. :-)
Damn.. now I'm going to have that theme song in my head all day.. :->
When there's something weird,
and it don't look good
Who ya gonna call?
MI-CRO-SOFT??! (Wait..)
I am the maverick of Slashdot
I prefer to have read-only filesystems. That way, every reboot guarantees a clean system.
:-)
You think it's a joke, but actually I do almost exactly that: for the few times I actually do need to use Windows, chiefly to use AutoCAD, I boot Win98 in VMWare and set it to always return to the hard-disk snapshot it booted with. That way, I can get as many xyz-wares on the Windows box, it'll always come back pristine the next time I restart it. And whenever I need to install something new, or change something in the Windows install, I do it carefully and take a new snapshot when I'm happy with it.
Honestly, VMWare is the best way to use Windows
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Macs are magic! Don't you read Slashdot?
R00tkits will get installed on Macs the same way they get installed on Linux: through a combination of two exploits. First, the hacker uses an exploit to obtain shell access with an unprivileged account Typical exploits include holes in Samba or CUPS (which OSX also uses), browser bugs (e.g. libpng overflows), holes in various daemons (if you use your OSX as a server), or even simply using a keylogger on a public machine to catch a user's password.
Then, the hacker uses a second exploit to elevate his local shell access to local root. Typical exploits of this nature include thread race conditions in the kernel, the kernel failing to properly sanitize input, or problems when a process is shifted from one kernel security infrastructure to another. The Linux kernel had a number of local root exploits in the past few months. IIRC Apple usually doesn't publish its list of security vulnerabilities (it just puts the fixes on Sofware Update, without fully explaining what they fix), so I can't comment on the security of the darwin xnu kernel.
Thus, I would say it's about as easy to install a rootkit on a Linux workstation as on an OSX desktop (and similarly, it's as easy to install a rootkit on a Linux server as on an OSX server). In other words, you need an unpatched system vulnerable to a specific pair of exploits, a clueless admin, and a skilled hacker -- which is not an impossible combination.
One of the computers I support had a very nasty piece of spyware. I am not sure if it was exploiting the same things described by Microsoft, but it had the following symptoms:
1. The process would not show up in task manager
2. The related files would not show up in Explorer
3. The related registry keys did not show up in regedit
4. It some how was being called by Winlogin, so it ran even in safe mode.
The way I detected it was by using several Sysinternals utilities http://www.sysinternals.com/. I have a script that uses pslist to monitor all processes on the network and this spyware was not smart enough to hide from that. A remote regedit session enabled you to see the related registry files. I had to use BartPE http://www.nu2.nu/pebuilder/ to mount the drive and clean out the related files and registry keys.
Argh! This is one of the most blatantly obvious mistakes that always get modded up on Slashdot.
Yes, absolutely every general purpose OS can be rooted, spywared, hacked, or otherwise compromised.
By analogy, anything can kill you, poison can kill you, water can kill you, a bullet can kill you and a butterfly can kill you. Being possible is not the same as being probable.
In the binary, off/on, sense, security can theoretically be compromised. But we don't live in theory, we live in practice. There are no known kernel exploits for Mac OS X, there is no known spyware, there are no known viruses, there have been a handful of OS X specific exploits that require the user to run a program (and generally ask you to supply an admin password), and have all been "proof of concepts". The bulk of OS X security updates have been for Open Source/Unix apps, which are all turned off by default, and have never been reported as actually exploited.
It's virtually impossible to just randomly get rooted, trojaned, hit by a virus, or otherwise find your Mac is pwn3d. On Windows, you need to be fairly diligent, and even then you can't be sure.
You gotta ask yourself why this is. The answer isn't just "Windows is more common" (although that is a part of it. Windows is inherently flawed from a security standpoint. Mac OS X is inherently secure (relatively speaking). That doesn't mean it's impossible to hack a Mac, but it does mean that the risks are fewer, and are far more easily mitigated.
When someone says, "Windows is malware-ridden, I'm switching to a Mac" (sometimes a toothless threat, sometimes not), the response, "but it's possible to write a rootkit for Mac OS X too," is not a counter-argument. It's, at best, a warning that someday that Mac might possibly, but not very likely, get a virus or something... maybe, probably not though.
And when that day comes, I will be amazed at the greatness of the hackers. Given the complexity required just to find a trivial collision in MD5, the Earth will likely be destroyed in WWIII long before someone managed to get a complex trojan to generate the same hash value. But even still, it's easy to work around that -- just calculate hash values using several different hash algorithms. Given the odds of successfully finding a collision which matches, say, both MD5 and SHA-1, the universe will have long imploded by then.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
For microsoft to make a statment such as this could only mean one thing, they intend to push for trusted computing. Watch for them to lobby the government(s) for this:
trusted computing
Enjoy,
It's just the normal noises in here.
Is this a joke? You boot off the CD and then the most complicated thing you have to do from there is choose your timezone. You don't have to know anything to install Windows XP...
I've been using BartPE for a year now. The inital basic setup is very easy. It's also easy to customize it to add in your applications. Well, it's easy to add it into BartPE (loadable .inf files) , but sometimes you have to do a LOT of digging into Windows and the specific application to determine WHAT you need to add to said .inf.
My BartPE disk has Ad-Aware SE, and I use SFX to make self-extracting executable of Spybot. For AV stuff, I use Mcafee GUI plugin for their command line scanner, and Sysclean (by the same folks that make pc-cillin). Also Mcafee's Stinger is loaded, too.
I put it on a CD-RW, and once a week d/l the updates, then use the Bart PEBuilder program to rebuild an ISO, and burn that to a CD-RW.
Virus scans, spyware files... all are gone without having to boot into the compromised OS. Registry cleaning requires you to boot into the OS, but once the files are gone, that makes it a lot easier to clean.
It's not 100%, but it vastly improves the chances of fixing the system, with minimal time (30 mins a week to get the updates, 20 mins of actual work running the Bart disk to clean a system)
I'm not crazy,I'm actively irresponsible.
I have set up 98SE, 2000Pro, XP environments (clean) under VMware and can easily create a 'clean' environment to test stuff. The snapshot feature is excellent, just snapshot the VM in question and if/when the software fucks up, restore.
The virtual hardware is the same every time. No driver issues. In fact, the current desktop PC's are so fast that it would make sense to run Winblows in them exclusively under VMware.. just store the user dirs on server. Get a new PC? Just copy the virtual disks and configuration.
I've been using VMware since its introduction and am currently using the 4 (and 5beta) versions for desktop use. I've had no use for the expensive server version yet since most of the servers are already running Linux.. but for those legacy Win32 apps VMware is really a blessing. Even been testing BSD's and SuSE distros with it.
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack