Slashdot Mirror

← Back to Stories (view on slashdot.org)

No Defense Against Windows Rootkits?

Posted by CmdrTaco on from the bend-over-and-take-it dept.

An anonymous reader writes "Spyware bad guys (and also phishing people) started using rootkits technology to stay hidden in a system. The problem is that at the moment the technology to defend a Windows system from these things is very poor. In fact antivirus companies have just started adding basic anti-rootkits technology. So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"

6 of 510 comments (clear)

  1. SysInternals' by wumpus188 · · Score: 5, Informative

    .. RootkitRevealer is your friend.

  2. MS(ux) for a few reasons, this is just one of them by jeremy111 · · Score: 5, Informative

    Let us not forget the wonders of ActiveX controls not to mention IE's ability to install items with out authentication. As far as that is concerned ANY installer should have to be authenticated as an ADMINISTRATOR before the install can proceed. I think this small step would curb many of the issues with spyware, adware, toolbars, etc.

  3. Re:I fear not your rootkits! by AKAImBatman · · Score: 5, Informative

    Right. We should rename them, "SystemKits".

    (For those who don't get it, "System" is a login with higher privleges than even Administrator. There's nothing that System can't do. Just to brighten up your day, it's also the default user for Windows Services. Feel safe yet?)

    --
    Javascript + Nintendo DSi = DSiCade
  4. Strider ghostbuster... by nweaver · · Score: 5, Informative

    Strider Ghostbuster,, a Microsoft developed technique for detecting all persistant and stealthy rootkits .

    Just convince Microsoft to make it available.

    There is also SysInternal's Rootkit Revealer, which although not quite as general, is still hard to fool.

    --
    Test your net with Netalyzr
  5. Re:It works both ways, but it's worse for MS by EvilMonkeySlayer · · Score: 5, Informative

    Yep, all servers i've built which use Linux which are accessible from the outside do not have loadable module support enabled at all.
    It prevents a large swathe if not all rootkits from running.
    This is one of the areas where I think Linux (and open source software in general) has closed source software beat, you can easilly customise the kernel to your own particular situation in which the machine will be running. Being able to have your own custom built kernel with stuff like grsecurity etc is invaluable.

  6. Re:It works both ways, but it's worse for MS by Anonymous Coward · · Score: 5, Informative

    Yes, you can, and it's even recommended.

    Other steps you can take are :
    -not having dev tools installed on your servers (quite often source root kits require them)
    -keeping copies of /bin and /usr/bin on some ro media (either a CD or on a seperate server mounted ro), and checking them ageinst you're working copies regularly.
    -running chkrootkit :-)
    -Mount / ro. You need to set up seperate space for /tmp and /var (not to mention /home) but this will defeat 99% of the automated root kits, of course, if the attacker gets in personnally, all bets are off...