Slashdot Mirror


Microsoft Warns of Impossible to Clean Spyware

darkjedi521 writes "The Inquirer has a story that the next generation of Windows spyware and exploits are starting to make use of "kernel rootkits". A paper at Microsoft Research has details on a prototype detection tool. Computerworld has more details, as well." From the article: "Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools..."

16 of 813 comments

  1. They should know by Realistic_Dragon · · Score: 5, Funny

    They are the ones who made it impossible to delete Internet Exploiter after all.

    --
    Beep beep.
  2. Re:Unpossible to Clean SpyWare? by timeOday · · Score: 5, Insightful

    I agree it's extreme. They should offer a downloadable bootable CD that verifies the checksums of all system files.

  3. Bruce Schneier on the Prototype Detection Tool by Noksagt · · Score: 5, Informative
    Bruce covered the tool in a recent post on his blog. He says:
    This is a really interesting technical report from Microsoft. It describes a clever prototype -- called GhostBuster -- they developed for detecting arbitrary persistent and stealthy software, such as rootkits, Trojans, and software keyloggers. It's a really elegant idea, based on a simple observation: the rootkit must exist on disk to be persistent, but must lie to programs running within the infected OS in order to hide.

    Here's how it works: The user has the GhostBuster program on a CD. He sticks the CD in the drive, and from within the (possibly corrupted) OS, the checker program runs: stopping all other user programs, flushing the caches, and then doing a complete checksum of all files on the disk and a scan of any registry keys that could autostart the system, writing out the results to a file on the hard drive.

    Then the user is instructed to press the reset button, the CD boots its own OS, and the scan is repeated. Any differences indicate a rootkit or other stealth software, without the need for knowing what particular rootkits are or the proper checksums for the programs installed on disk.

    Simple. Clever. Elegant.

    In order to fool GhostBuster, the rootkit must 1) detect that such a checking program is running and either not lie to it or change the output as it's written to disk (in the limit this becomes the halting problem for the rootkit designer), 2) integrate into the BIOS rather than the OS (tricky, platform specific, and not always possible), or 3) give up on either being persistent or stealthy. Thus this doesn't eliminate rootkits entirely, but is a pretty mortal blow to persistent rootkits.

    Of course, the concept could be adopted for any other operating system as well.

    This is a great idea, but there's a huge problem. GhostBuster is only a research prototype, so you can't get a copy. And, even worse, Microsoft has no plans to turn it into a commercial tool.

    This is too good an idea to abandon. Microsoft, if you're listening, you should release this tool to the world. Make it public domain. Make it open source, even. It's a great idea, and you deserve credit for coming up with it.

    Any other security companies listening? Make and sell one of these. Anyone out there looking for an open source project? Here's a really good one.

    Note: I have no idea if Microsoft patented this idea. If they did and they don't release it, shame on them. If they didn't, good for them.
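
The two-pass comparison Schneier describes above, written out as an added example (my code, not Microsoft's GhostBuster and not from the thread). It hashes a tree twice, once from inside the running OS and once after booting clean media with the same disk mounted, and reports what the in-OS view hid or misreported. The `demo()` scenario, the file names in it and the `system32` tree are constructed for illustration; SHA-256 stands in for whatever checksum the prototype used. The registry autostart scan the prototype also performed is not covered here, only files.

```python
"""Cross-view diff in the spirit of the GhostBuster technique described above.

Added example, not Microsoft's code. The same tree is hashed twice: once
from inside the (possibly lying) OS and once after booting clean media and
mounting the disk. Paths present only in the clean view were being hidden;
hashes that differ mean the running OS served altered bytes.
"""
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map every regular file below root (path relative to root) to its SHA-256.

    Symlinks and special files are skipped; the tree is walked in sorted
    order so two runs over the same disk produce identical output.
    """
    view = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            view[rel] = digest.hexdigest()
    return view


def save_snapshot(view, path):
    """Write a snapshot as sorted JSON so the two runs are directly comparable."""
    with open(path, "w") as fh:
        json.dump(view, fh, indent=1, sort_keys=True)


def load_snapshot(path):
    with open(path) as fh:
        return json.load(fh)


def cross_view_diff(inside, outside):
    """Compare the in-OS view with the clean-boot view.

    hidden   : on disk, but the running OS did not show it
    phantom  : shown by the running OS, but not on disk
    modified : both views list it, but the bytes differ
    """
    hidden = sorted(p for p in outside if p not in inside)
    phantom = sorted(p for p in inside if p not in outside)
    modified = sorted(p for p in inside.keys() & outside.keys()
                      if inside[p] != outside[p])
    return {"hidden": hidden, "phantom": phantom, "modified": modified}


def demo():
    """Constructed scenario (not real malware): a hidden driver and a patched DLL.

    The clean-boot view is a real snapshot of a temporary tree; the in-OS
    view is derived from it the way a hooking rootkit would present it:
    its own file is filtered out and the patched DLL reads back clean.
    """
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        files = {
            "ntoskrnl.exe": b"kernel image",
            "hal.dll": b"hal with a patched export table",
            "rk.sys": b"rootkit driver",
        }
        for name, data in files.items():
            with open(os.path.join(sysdir, name), "wb") as fh:
                fh.write(data)
        outside = snapshot(root)

    inside = dict(outside)
    del inside["system32/rk.sys"]                      # hidden from the OS
    inside["system32/hal.dll"] = hashlib.sha256(b"original hal").hexdigest()
    return cross_view_diff(inside, outside)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the inside run calls `save_snapshot(snapshot(r"C:\\"), "inside.json")` before the reboot and the clean-boot run loads that file and diffs it against a fresh `snapshot()` of the mounted disk. Schneier's first escape route applies to this file: it is written under the possibly hostile OS, so prefer removable media for it and treat an empty or truncated `inside.json` as a finding in itself. Expect a few legitimate entries under `modified` and `phantom` on a live system (page file, event logs, registry hives), which is why the prototype stops other programs and flushes caches before the first pass.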
  4. Re:Nothing is impossible to clean by ackthpt · · Score: 5, Insightful
    Reinstall windows.

    Funny how many people seem to take this lightly. The way I see it:

    Reinstall Windows

    Reinstall all Software, include some pesky registrations

    Update all drivers to where you were before hand

    Put back all your customizations, default settings, etc.

    Yeah, not impossible, but makes a boot to the head sound appealing.

    --

    A feeling of having made the same mistake before: Deja Foobar
  5. Re:Unpossible to Clean SpyWare? by Qzukk · · Score: 5, Insightful

    Maybe it is time to look at a Mac.

    Kernel-level rootkits have plagued Unixes (including Linux) for a long time. Fortunately on Linux most suck, and can be detected with chkrootkit (yet how many out there that aren't detectable...), and (this is true for windows as well) any of them can be found simply by inspecting the drive from a known clean boot media.

    Removing rootkits (kernel level or not) from any OS requires either guruhood, an exact knowledge of which rootkit(s) was used and what files they trojan (as well as a clean source to restore those files from), or a reformat-reinstall-restore(dataonly)frombackups.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  6. Re:Unpossible to Clean SpyWare? by ackthpt · · Score: 5, Insightful
    I agree it's extreme. They should offer a downloadable bootable CD that verifies the checksums of all system files.

    Not likely, as you and I may have XP Developer Edition, but where are you in your patches? Hmm?

    Seems the best way to handle this is to run all browser processes at a very low security level.

    --

    A feeling of having made the same mistake before: Deja Foobar
  7. Re:You're infected! Not me. by Kpt+Kill · · Score: 5, Insightful

    You're telling me that when Joe User installs his Linux version of Kazaa and it pops up the message "you must install with root... enter password...", Linux, Solaris, Mac, anything will be immune to the malware? I think not. Users don't read popups. If they are prompted for root... they will type it in.
    I've even seen Macromedia Flash boxes pop up to alert you that IE has blocked their ActiveX script, and the user should do the following steps to install the plugin. And people do.

  8. It's recommended, but not 100% necessary. by khasim · · Score: 5, Insightful

    With Linux, you can boot from a live CD and validate every file and package on your system.

    You can even chroot the system, wipe the boot sector and re-install the kernel.

    This might be "impossible" to clean on Windows, but on Linux, it's just really annoying.

    1. Re:It's recommended, but not 100% necessary. by hankwang · · Score: 5, Informative
      You keep a LiveCD with MD5 hashes for the current versions of all of your binaries?

      Step 1: Take your Fedora or whatever installation CDs with all the original RPM files.

      Step 2: Issue the command: rpm -Vp *.rpm

      Step 3: All files that have a "5" in front of them have a wrong MD5 checksum.

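Reading `rpm -V` output by eye gets old on a large system, so here is an added example (my code, not from the thread) that parses it and pulls out the lines a rootkit hunt cares about. The format is the one rpm(8) documents: each failing file gets a flag string in which every position is `.` for a test that passed and a letter for one that failed (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, plus P capabilities on newer rpm), then an optional file-type letter (c config, d documentation, g ghost, l license, r readme) and the path; files that are gone entirely print as `missing`, and a `?` marks a test rpm could not run. The sample output below is constructed; the paths in it are illustrative, not a report from any real machine.

```python
"""Parse `rpm -V` / `rpm -Vp` output and flag digest mismatches and missing files.

Added example, not from the thread. Config files are skipped because they
are expected to differ; mode- or mtime-only changes are ignored here since
they say nothing about the bytes of a binary.
"""
import re

# Flag string (8 chars on older rpm, 9 with the P column), optional
# file-type letter, then the path.
FLAG_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$"
)
MISSING_LINE = re.compile(r"^missing\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$")

# Constructed sample of what `rpm -Vp *.rpm` might print on a tampered box.
SAMPLE_OUTPUT = """\
S.5....T.    /bin/ls
S.5....T.    /bin/ps
.......T.    /usr/bin/top
S.5....T.  c /etc/ssh/sshd_config
missing      /sbin/ifconfig
.M.......    /usr/sbin/sshd
..?......    /usr/lib/libfoo.so
"""


def parse_rpm_verify(text):
    """Return one dict per reported file: path, ftype, failed tests, flags."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = MISSING_LINE.match(line)
        if m:
            entries.append({"path": m["path"], "ftype": m["ftype"],
                            "failed": set(), "missing": True,
                            "digest_unknown": False})
            continue
        m = FLAG_LINE.match(line)
        if m:
            flags = m["flags"]
            entries.append({"path": m["path"], "ftype": m["ftype"],
                            "failed": {c for c in flags if c not in ".?"},
                            "missing": False,
                            # position 3 (index 2) is the digest test
                            "digest_unknown": flags[2] == "?"})
        # Anything else (e.g. "Unsatisfied dependencies") is not a file line.
    return entries


def suspicious(entries):
    """Paths to look at first: non-config files that are missing, whose
    digest changed, or whose digest rpm could not even compute."""
    hits = []
    for e in entries:
        if e["ftype"] == "c":
            continue
        if e["missing"] or "5" in e["failed"] or e["digest_unknown"]:
            hits.append(e["path"])
    return hits


if __name__ == "__main__":
    for path in suspicious(parse_rpm_verify(SAMPLE_OUTPUT)):
        print(path)
```

To produce real input, boot the live CD, mount the suspect root somewhere such as `/mnt/suspect`, and run `rpm --root /mnt/suspect -Vp /path/to/RPMS/*.rpm > verify.txt` (`--root` is rpm's option for operating on another file-system tree; the paths here are assumptions for the example), then feed `verify.txt` to `parse_rpm_verify`. Verifying against the original RPM files with `-Vp` rather than the installed database with `-Va` is the point of hankwang's step 2: the database on the suspect disk may itself have been edited.
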
  9. Re:Ok... by Zocalo · · Score: 5, Informative

    Actually, most *NIX rootkits have been intercepting system calls to the kernel and replacing common command tools that might be used to detect and remove them for ages. I haven't heard of one that can avoid detection by the likes of Chkrootkit and Rootkit Hunter yet, other than by being brand new of course. Naturally, that doesn't automatically mean that it's impossible to write one though.

    --
    UNIX? They're not even circumcised! Savages!
  10. Happened to me 2 days ago. by LePrince · · Score: 5, Interesting
    I was at work, and I'm the only person in our helpdesk to "de-spywarise" the company's PC (I'm the only 2nd level tech analyst). I got a laptop yesterday that was infected with numerous spywares. After removing most of them with HijackThis, Spybot, CWShredder, there was a rogue entry to a file named "elitegfk.exe" in the registry that, as soon as I removed it, came back.

    Easy enough I thought, I'll just remove physically the file and the process. But no; the file wasn't ANYWHERE. Yes, I unchecked the "Hide protected system files" checkbox and I was on SHOW HIDDEN FILES, so ALL files were displayed. Heck, a dir /s on the root of the filesystem didn't even work... I thought that it would be possible that the file has another name, renamed itself to that, made its dirty business then renamed itself. I fired up Filemon (from Sysinternal) and sure enough, I see plenty of activity from a process named elitegfk.exe but STILL no sign of the file and/or process. I scanned the registry, and regedit.exe took 2 seconds to complete the scan... !

    I was on the verge of reformatting the system when I thought about something: I accessed the laptop through the admin share (\\computer\c$); sure enough, the file was there, sitting quietly in c:\winnt\system32 (Win2k system)...

    The spyware prevented its own display through taskmgr, explorer and regedit. Regedt32 didn't work, I got a virtual memory low error when I tried to scan the registry. The ONLY way I could see the file was through Filemon AND through the file sharing...

    I'm guessing the next one will palliate those things by attaching themselves to the most common troubleshooting tools like regmon and attach themselves to the SMB protocol to make sure they can't be displayed through the shares...

    This is getting ridiculous. Yes, you'll tell me to switch to Firefox, but we can't; I work in an artistic company with 1000+ PCs and non-tech-savvy users, and tons of internal apps that were developed either with .Net or massive ActiveX and other MS-only stuff, so we can't switch everything to Firefox, and having 2 browsers isn't a viable option either, since most of our users would simply get confused.

    Anyway.

  11. Re:Unpossible to Clean SpyWare? by pbranes · · Score: 5, Informative
    One of my job functions at the university where I'm employed is to fix student computers. 95% of the calls we receive are spyware/virus related. We have stopped trying to disinfect Windows from inside the operating system because it is pointless - there is no way to clean everything off from within the operating system. What we do is boot off of BartPE bootable CD, connect to the network, update the virus scanner & adaware, and clean off the hard drive. Then we proceed to boot the computer into windows to finish the final clean-up.

    So, it surprises me that a report about this kind of ad-ware/viruses is just now coming out because we have been dealing with impossible-to-remove software for at least a year now. Fortunately the only way to defeat a BartPE scan is to install a BIOS virus - and almost nobody does that any more. :-)

  12. Re:Unpossible to Clean SpyWare? by Anonymous Coward · · Score: 5, Funny

    Macs are magic! Don't you read Slashdot?

  13. Yes, it is the same problem by tetromino · · Score: 5, Insightful

    R00tkits will get installed on Macs the same way they get installed on Linux: through a combination of two exploits. First, the hacker uses an exploit to obtain shell access with an unprivileged account. Typical exploits include holes in Samba or CUPS (which OSX also uses), browser bugs (e.g. libpng overflows), holes in various daemons (if you use your OSX as a server), or even simply using a keylogger on a public machine to catch a user's password.

    Then, the hacker uses a second exploit to elevate his local shell access to local root. Typical exploits of this nature include thread race conditions in the kernel, the kernel failing to properly sanitize input, or problems when a process is shifted from one kernel security infrastructure to another. The Linux kernel had a number of local root exploits in the past few months. IIRC Apple usually doesn't publish its list of security vulnerabilities (it just puts the fixes on Software Update, without fully explaining what they fix), so I can't comment on the security of the Darwin xnu kernel.

    Thus, I would say it's about as easy to install a rootkit on a Linux workstation as on an OSX desktop (and similarly, it's as easy to install a rootkit on a Linux server as on an OSX server). In other words, you need an unpatched system vulnerable to a specific pair of exploits, a clueless admin, and a skilled hacker -- which is not an impossible combination.

  14. Re:Unpossible to Clean SpyWare? by nacturation · · Score: 5, Insightful

    And when that day comes, I will be amazed at the greatness of the hackers. Given the complexity required just to find a trivial collision in MD5, the Earth will likely be destroyed in WWIII long before someone manages to get a complex trojan to generate the same hash value. But even still, it's easy to work around that -- just calculate hash values using several different hash algorithms. Given the odds of successfully finding a collision which matches, say, both MD5 and SHA-1, the universe will have long imploded by then.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  15. Re:Unpossible to Clean SpyWare? by Macgruder · · Score: 5, Informative

    I've been using BartPE for a year now. The initial basic setup is very easy. It's also easy to customize it to add in your applications. Well, it's easy to add it into BartPE (loadable .inf files), but sometimes you have to do a LOT of digging into Windows and the specific application to determine WHAT you need to add to said .inf.

    My BartPE disk has Ad-Aware SE, and I use SFX to make self-extracting executable of Spybot. For AV stuff, I use Mcafee GUI plugin for their command line scanner, and Sysclean (by the same folks that make pc-cillin). Also Mcafee's Stinger is loaded, too.

    I put it on a CD-RW, and once a week d/l the updates, then use the Bart PEBuilder program to rebuild an ISO, and burn that to a CD-RW.

    Virus scans, spyware files... all are gone without having to boot into the compromised OS. Registry cleaning requires you to boot into the OS, but once the files are gone, that makes it a lot easier to clean.

    It's not 100%, but it vastly improves the chances of fixing the system, with minimal time (30 mins a week to get the updates, 20 mins of actual work running the Bart disk to clean a system)

    --
    I'm not crazy, I'm actively irresponsible.