No Defense Against Windows Rootkits?
An anonymous reader writes "Spyware bad guys (and also phishing people) started using rootkit technology to stay hidden in a system. The problem is that at the moment the technology to defend a Windows system from these things is very poor. In fact antivirus companies have just started adding basic anti-rootkit technology. So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"
This would be a resounding YES.
And Butler and Hoglund's recent book on rootkits was pretty nice.
fast as fast can be. you'll never catch me.
They have Virtual PC, they could pull it off probably just as well as Apple did for 'Classic', but they won't, and that's why Vista is still going to be bug riddled.
Is the closed source code of Windows preventing us from actively defending our systems?
Yes. We are at the mercy of Microsoft to patch the systems for us. At least with Open Source you have potentially thousands of programmers looking for security holes and reporting those security problems.
Bradley Holt
Short answer is Yes. The closed source of M$ *IS* preventing us from actively defending. AFAIK, M$ feels that they will get around to it or another company will step up to fill in the gap forcing us either way, to purchase yet another piece of software or the uber upgrade. Kinda like the insurance industry.
Joe Consumer: "Do I really need this?"
Co. Thug: "No, not at all. However, you never know when you may have an accident."
Your actions in life will determine your children's future.
Is the closed source code of Windows preventing us from actively defending our systems?
The right question is what is the vendor (Microsoft) doing about it. You purchased a product from a vendor, you should expect them to solve problems with that product or explain how to properly secure it, or just ignore the issue which says something about their product and commitment to support.
Clearly Windows needs to be completely rethought with NO concern for legacy apps.
They tried with Vista, and broke it more.
/* oops I accidentally made a comment, sorry */
rigorously check that no application level software was written to any new calls in advance of the public disclosure of those calls
Yeah, but that still wouldn't help in this case as the administrative tools probably wouldn't count.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
It's also really hard to detect, inform users about, and/or remove rootkits without the user knowing a bit about the inner workings of the system. In a "root/administrator" world, there's no guarantee that a rootkit can be detected anyway, because there's nothing a detection app can look at that a rootkit can't obscure, if it knows what the detection app will be looking for.
Windows has problems that make rootkits easier, but it's not because it's closed-source.
The root of the problem may be the organizational structure of Microsoft. We have the mess that is/was longhorn/vista and the comments that it had to be re-written from the ground up.
The point made in the 'Cathedral and the Bazaar' may be coming to pass. It is impossible to manage very complex systems effectively. It is a question of distributed control vs. top down management. My favorite example is the Soviet Union vs. the US of A. A bureaucracy can't manage something as complex as a whole economy; maybe it can't manage something as complex as Windows.
The bottom line would seem to be that we will see a never-ending stream of problems like the one at hand.
www.catb.org/~esr/writings/cathedral-bazaar/cathe
www.uq.edu.au/news/index.html?article=6618
This may be slightly OT, but I don't see ANY reason why a closed source system that's this vulnerable should be allowed in any Medical/Governmental or Military implementation. Sure, lots of Apps are written ABOVE the OS and thus in control of the branch maintaining them, but damnit, the OS is at the root of the problem here! Makes you understand why trains all across Europe are still kept track of (punny, eh?) by old Digital DECs running VMS or OpenVMS. The whole idea that mindshare of the mainframe is growing old and retiring is going to be an issue, Windows 2000 server is not a replacement for something like VMS.
fak3r.com
I think what they are saying, (not having RTFA), is that if an independent company had access to the source code, they could effectively write a program that would keep a rootkit from happening. NOT that Joe Beerbelly needs the source.
This is PURE EAU DE TROLLETTE
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
> it's also the default user for Windows Services
Not true of NT 5.1 and 5.2 (XP, 2003). Most services run as 'Local Service' or 'Network Service' with differently grained privileges. System is still available for services that require it (including NT's csrss and lsass processes).
Go somewhere random
Oh, and don't forget to mention that you should run tripwire from a known-secure system (a Knoppix CD, for instance) at least once in a while. Indeed, if your system is infested by a good rootkit, it could hide itself so well that it would play back phony, made-to-look-innocent contents of any files that it had infected.
Same goes for lsmod, ps and other tools (it is however very rare that a rootkit is so thorough as to hide itself from all tools. Most often an rpm -q --verify -a finds the nasties). But if you're really paranoid, run your tripwire and rpm --verify from an external system, not from within the one you want to examine.
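The offline integrity check the poster describes, as an added example that is not part of the original thread and not Tripwire's own code: a baseline of SHA-256 hashes is built for every file under a root, stored, and compared against a later snapshot. The point about running it from a clean system amounts to choosing which `root` to pass (for instance the suspect disk mounted read-only under a live CD), since the code never asks the suspect kernel for anything. The files, the tampering and the `demo()` scenario are all constructed in a temporary directory.

```python
"""Added example: a minimal Tripwire-style file integrity check.

Everything here is hypothetical: the sample tree, the "tampering" and
the baseline file are created in a temporary directory by demo().
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Symlinks are skipped so a planted link cannot make the check read
    a file outside the tree.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            baseline[path.relative_to(root).as_posix()] = h.hexdigest()
    return baseline


def save_baseline(baseline, dest):
    """Write the baseline as JSON; in practice keep this copy off the monitored box."""
    with open(dest, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(src):
    with open(src) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify differences between two snapshots as modified, added or removed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a tree, tamper with it, then re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(hash_tree(root), baseline_file)

        # Simulated tampering: a replaced system binary and a new dotfile.
        (root / "bin" / "ps").write_bytes(b"trojaned ps binary")
        (root / "bin" / ".hidden.ko").write_bytes(b"kernel module")

        return compare(load_baseline(baseline_file), hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running it reports `bin/ps` as modified and `bin/.hidden.ko` as added. The comparison is only as trustworthy as the reads behind it, which is exactly why the thread insists on doing them from a system the rootkit does not control.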
"the FU rootkit, which I wrote, is intended to demonstrate. It is not malicious but more proof of a premise."
"I do know that FU is one of the most widely deployed rootkits in the world. [It] seems to be the rootkit of choice for spyware and bot networks right now"
He wrote and distributed a rootkit for Windows; for educational purposes only (!). It becomes one of the most widely used tools to propagate spyware and trojans. Does he bear any moral responsibility for this?
I would answer positively. If I leave a loaded gun lying on the sidewalk and someone picks it up and shoots someone else, I think I may get some bad karma.
From http://www.viruslist.com/en/analysis?pubid=168740859
Currently, malicious code for Windows is more common than for UNIX because Windows is the most widely used operating system. However, if UNIX starts to gain popularity, then the situation will naturally change; new rootkits for UNIX will be written, and new methods of combating them will be developed.
This has been refuted time and again yet the various Windows-friendly analysts continually trot this one out as a rationale for the ( admittedly much improved but still ) relatively weak security design of M$ Windows.
Newsflash for those who didn't get the memo: Windows leads by a huge margin ON THE DESKTOP. On the server side the disparity, if one exists is a completely different story. Also, since there are many open source versions of Unix, such as Linux, *BSD, and Solaris, some of which have been available for more than a decade, it should have been relatively easy for Windows-loving, Unix-hating programmers to have designed the Unix-slaying, self-propagating daemon years ago. To date, the only thing that has come close was the Morris worm way back in the late '80s.
So guys, nice try - your explanation ( or rationale ) is leaking badly. If Windows represents a bigger target, it SUPPOSEDLY has the "advantage" of being closed-source but the open source Unices, which are fewer in number SHOULD be an easier target.
It's time to focus on what the true flaws of each platform are - their relative prevalence is no longer relevant to the discussion ( aka flamefest ).
Pain is merely failure leaving the body
Clearly Windows needs to be completely rethought with NO concern for legacy apps. See also OS X.
But if they did that, why would you use Windows?
If you had to choose between Windows Rewrite, which isn't backwards compatible, Linux, and MacOS X, the appeal of the non Windows solutions is a lot higher than it is now.
From my experience with Windows, my mind boggles at the idea of trying to do something similar on that platform. Seems like every time I run Windows Update, some critical DLL ends up changed, and applications add their own specialized libraries with registry keys overriding the defaults.
Hell, half the time Windows itself doesn't know what it's installed. Every time I have to roll back a box from some semi-major patch, I cringe. I know something is going to break. If its internal system doesn't keep basic track of what's installed and running (how many broken uninstall apps have you seen, which end up with you crawling through the registry trying to disable the damn software?), how the hell can you even know what to scan for?
I don't have the faintest idea of how to go about checking for a Windows rootkit. What could you do? Take a drive image to compare against? That would never fly. Windows hides so many damn system jobs anyway, how the hell would you be able to spot one more?
The bulk of my windows security comes from running Snort upstream on the traffic that comes from the damn box, looking for traffic that ought not be there, and denying outbound from every port except ones I allow explicitly.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
The problem is not well-outlined by that question. In fact, the addition of the idea of closed or open source has nothing to do with it. Is the lack of attention paid to rootkits the source of the problem? Is this just the problem of the month that will be solved soon and replaced by another, bigger problem? The open/closed source question is important, but really doesn't have anything to do with the issue at hand.
Not to bash, but I smell a rat when anyone says that something's foolproof. The very nature of a rootkit is that it interferes at the lowest possible level, therefore if the scanner can read it, the rootkit can modify it (down to tinkering with the disk drive driver if needs be). If push comes to shove, the rootkit can just rewrite parts of the kernel memory to hide itself.
As for the process table hack, it should be pretty easy to move the process forward and back in the process stack (in a critical execution zone to prevent process switching) which would fool even the MS process scanner.
Even more importantly, a failed handshake on a port where netstat doesn't show a process is a near-certain indicator. If you combine the handshake with an actual connection attempt to a remote system, you should be able to detect any active rootkit (a rootkit in a dormant state would still be hidden).
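The cross-view check this post describes, as an added example that is not from the thread or from any vendor's scanner: the host's own listener table (constructed `netstat -ano`-style text) is compared with what a TCP connection probe actually observes, and any port that completes a handshake but has no reported owning process is flagged. The probe is a parameter so the logic can run without touching the network; the `demo()` function uses two real loopback listeners, one of which is deliberately left out of the "netstat" text to stand in for a hooked process table. PIDs, ports and the netstat text are made up.

```python
"""Added example: cross-view detection of a listener the host does not report.

The netstat text, PIDs and loopback listeners are constructed for the
demo; the only real observation is the TCP handshake the probe performs.
"""
import socket
import threading


def parse_netstat_listeners(text):
    """Return {port: pid} for TCP LISTENING rows of `netstat -ano`-style output."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        # Windows layout: Proto, Local Address, Foreign Address, State, PID
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        _host, _, port = fields[1].rpartition(":")  # also handles [::]:135
        listeners[int(port)] = int(fields[4])
    return listeners


def tcp_connect_probe(host, port, timeout=0.2):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_hidden_listeners(netstat_text, ports, host="127.0.0.1", probe=tcp_connect_probe):
    """Ports that accept a connection but are absent from the host's own listener table.

    A dormant implant that is not listening produces no discrepancy here,
    which is the limitation the post itself notes.
    """
    reported = parse_netstat_listeners(netstat_text)
    observed = {p for p in ports if probe(host, p)}
    return sorted(observed - set(reported))


def _serve(sock):
    """Accept and immediately close connections so probes complete their handshake."""
    while True:
        try:
            conn, _ = sock.accept()
        except OSError:
            return
        conn.close()


def demo():
    """Constructed scenario on loopback: two listeners, only one self-reported."""
    socks = []
    for _ in range(2):
        s = socket.socket()
        s.bind(("127.0.0.1", 0))
        s.listen(5)
        threading.Thread(target=_serve, args=(s,), daemon=True).start()
        socks.append(s)
    visible, hidden = (s.getsockname()[1] for s in socks)
    # The host's self-report omits the second listener, as a hooked table would.
    netstat_text = (
        "Proto  Local Address      Foreign Address  State      PID\n"
        f"TCP    127.0.0.1:{visible}  0.0.0.0:0        LISTENING  4242\n"
    )
    try:
        return find_hidden_listeners(netstat_text, [visible, hidden])
    finally:
        for s in socks:
            s.close()


if __name__ == "__main__":
    print("ports answering but unreported:", demo())
```

The same comparison is stronger when the probe runs from another machine, since then neither view is produced by the suspect host's kernel.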
Security is a process and UNIX people traditionally knew what they were doing, if you suddenly have a bunch of clueless clickmonkeys (AKA Windows admins) adopting *nix we will see increased virus and worm activity. Fear!
The trouble is that people do not listen. Unless they do not actually have admin access to the system, the chances are if a box pops up going "You need admin access to install this, if you have it then just shove in a username and password here:" people will do so regardless.
Hell, in XPSP2 it has this big balloon which pops up repeatedly going along the lines of "Listen you pillock, you don't have firewall or automatic updates turned on. You really do need these. Click here and I'll set it all up for you, it's about 3 seconds work!". I know people who, when they have this pointed out to them, go "Oh I never read that, it just keeps popping up".
The only other thing to do with some people is forcibly configure things, which I'm sure we'd all hate. I use Active Directory to force fine-tuned update compliance and firewall settings across my home network, but home users can't even negotiate a simple dialogue going "Here's what you need to do, here's why you need to do it, here's how to do it".
So when IE pops up a convenient dialogue warning about the fact that HotPornDialer32.exe isn't signed and is in fact coming from a website with an invalid certificate, along with a warning about exactly why it's bad to click 'Install', people will do anyway. Perhaps a Firefox-esque forced delay is in order so people can't just click 'OK' without thinking.
How many people can read hex if only you and dead people can read hex?
Why would a rootkit listen for connections?
With the increase in firewalls between internal and external networks, NAT etc. there is hardly any point in making a rootkit to listen for connections.
Much better to make out going connections.
* rootkit'd pc makes connection to IRC server and joins #haxored
* botnet commander sends commands using IRC.
yay! etc.
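The two posts above describe the same control from opposite ends: the earlier one denies outbound traffic from the box except explicitly allowed ports and watches it upstream with Snort, and this one explains why an implant makes outbound connections (IRC command and control) rather than listening. The following is an added example, not code from either poster: an egress allow-list applied to constructed netflow-style records, with the leftovers grouped by source host and a simple repeat-contact count to surface the beaconing pattern. Hosts, ports, timestamps and the policy are all made up.

```python
"""Added example: egress allow-list check and repeat-contact summary over a flow log.

The flow log, addresses and policy below are constructed for the demo.
"""
from collections import defaultdict

# Constructed egress policy: (destination port, protocol) pairs a workstation may use.
ALLOWED = {(53, "udp"), (53, "tcp"), (80, "tcp"), (443, "tcp"), (123, "udp")}

# Constructed flow records: timestamp, src, dst, dport, proto, bytes out.
FLOW_LOG = """\
2005-09-01T10:00:01 10.0.0.12 203.0.113.10 443 tcp 8831
2005-09-01T10:00:05 10.0.0.12 203.0.113.10 80 tcp 2210
2005-09-01T10:00:09 10.0.0.12 198.51.100.7 6667 tcp 412
2005-09-01T10:01:09 10.0.0.12 198.51.100.7 6667 tcp 390
2005-09-01T10:02:09 10.0.0.12 198.51.100.7 6667 tcp 401
2005-09-01T10:00:30 10.0.0.33 203.0.113.53 53 udp 77
2005-09-01T10:00:44 10.0.0.33 192.0.2.99 8443 tcp 5120
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def egress_violations(flows, allowed=ALLOWED):
    """Flows whose (dport, proto) is not on the allow-list: what a default-deny rule would drop."""
    return [f for f in flows if (f["dport"], f["proto"]) not in allowed]


def summarize(violations):
    """Group blocked flows by source host with attempt counts and distinct targets."""
    by_src = defaultdict(list)
    for f in violations:
        by_src[f["src"]].append(f)
    return {
        src: {
            "attempts": len(fs),
            "targets": sorted({(f["dst"], f["dport"]) for f in fs}),
        }
        for src, fs in by_src.items()
    }


def beacon_suspects(violations, min_attempts=3):
    """(src, dst, dport) triples hit repeatedly: the periodic check-in pattern of a controlled host."""
    counts = defaultdict(int)
    for f in violations:
        counts[(f["src"], f["dst"], f["dport"])] += 1
    return sorted(k for k, n in counts.items() if n >= min_attempts)


if __name__ == "__main__":
    blocked = egress_violations(parse_flows(FLOW_LOG))
    for src, info in summarize(blocked).items():
        print(src, info)
    print("repeat contacts:", beacon_suspects(blocked))
```

On the constructed log, 10.0.0.12 is the only host with a repeated blocked destination (three contacts to 198.51.100.7:6667), while 10.0.0.33's single 8443 attempt shows up as a policy hit worth a look but not as a beacon. The summary is what an upstream sensor produces whether or not the host hides the connection from its own tools.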
The top three ways to stop a rootkit are:
* Don't web surf as Administrator.
* Don't run unexpected attachments to emails.
* Don't install software from an untrusted source (i.e. don't pirate software)
These are simple rules.
They were known in 1995.
Ten years later and people still haven't learnt anything.
But I suppose good contraception has been around for 50 years and people don't seem to understand that yet either.
smoking causes cancer.
not doing exercise makes you fat.
quick fixes don't work
ok, I'm done.
- Jesse McNelis
...and that is all I have to say about that.
http://jessta.id.au
I wish Microsoft would but it will never happen. See OS X's market share.
> ..it is easier for the "bad" guys to find the security holes in open source
> software.
Is it? I wonder if this isn't a case where we don't look for proof because we've assumed we know the answer. Certainly, with open source, you can examine the source. But examining complex kernel source code is no trivial task. Given the large amount of practice and study on methods of hacking closed source systems, isn't it possible that having the source doesn't really make it easier after all? That it just offers a method not available on closed source systems?
Sorry, but you're just plain wrong.
"This has been refuted time and again..."
Really? Got an example?
Try this one on for size: Firefox didn't have any security issues until it started becoming popular. The Mac had a few recently too.
Windows SERVERS are not the common target of these root-kits, the DESKTOP is because it IS the most popular.
If Joe Beerbelly used Linux on the desktop, you'd have to take away his ability to install programs to protect him. How usable is the system at that point?
"If Windows represents a bigger target, it SUPPOSEDLY has the "advantage" of being closed-source but the open source Unices, which are fewer in number SHOULD be an easier target."
Hogwash. Why would I target a system that has fewer installs? I need an army of machines to get my spam out or to propagate my virus. *nix can't provide that right now.
I'm not saying that *nix is no good, but the logic that it is a smaller target therefore relatively unchallenged holds true.
Most people run Windows as Administrator. Why is that?
Because a lot of applications WON'T WORK if they're run as normal users. Why is that?
Because the Windows mindset comes from DOS, where there were no restrictions on what an application could do. Anything could put something anywhere it wanted to. So the developers got used to being able to do that.
Suddenly here comes Windows, and suddenly your application can't save settings to the INI file in C:\WINDOWS anymore, because it doesn't have write access to that directory.
The correct thing is to get an upgrade for the app. But you can make it work by just running as an administrator. So they do. And Microsoft is complicit in this by not putting enough pressure on the application developers to fix their apps to not require administrator access.
Does the closed-source nature prevent people from defending against this? Not really. If everyone ran as root in their Linux systems all the time, there would be just as many exploits for Linux.
I believe people will anyway -- they'll just learn that they have to wait a moment before they can click 'OK'... they still won't think. Maybe most of them never will.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Here is another potential problem. MS might come out with an add-on to their OS where it prevents unauthorized (or authorized) installation of this malware....it will do this because they are not digitally signed, and authenticated to the user...the only problem: My friend does not want to use a program (i.e. Photoshop) so he deletes it from his computer and gives me the disk. The disk is registered to his Windows...now I can't install it....or what if I want to rip my DVD movie to my computer (backup)...it won't let me play it.
In the end, the best answer is for people to start using their noodle...protection software can also hinder us.
I mod down so you can mod up. You're welcome.
And that's why you apply a few simple security measures
Why aren't these applied by default?
== Jez ==
Do you miss Firefox? Try Pale Moon.
You said it: "known pathogens".
Now think about "unknown pathogens" for a minute.
Only the paranoid will survive...
Oh well, what the hell...
At the end of the day, operating systems can only identify suspicious behavior. It will always be up to the user to make the final call. If your users can't make good decisions, nothing short of a total system lock-down will help.
This seems like a symptom of a different problem, not really a problem in and of itself. Users become complacent with dialog boxes, systray warnings, etc., because there are no limits or standards regarding when these warnings are issued.
In the same session I can receive the "Take a tour of Windows," "Your firewall is not turned on," "Clean up your desktop icons," and "Your hardware could not be installed" messages, all from the same section of the screen with the same look. Starting immediately after Windows installation users are taught those are 'random message bubbles' that could mean anything. Users just get discouraged when they have to acknowledge that they are sending information across the internet unencrypted, then acknowledge they are entering a secure site, then acknowledge they are leaving a secured site.
Is the closed source code of Windows preventing us from actively defending our systems?
If you can go in to the source code and tinker with it, chances are you don't need any help defending your system in the first place.
Why people feel the need to shove something down other people's throats or evangelically browbeat them is a mystery to me. I'm here to solve people's problems, not make life more difficult. I present the options that are within their budget, explain the distinctions without bias, then let them decide. BTW, since they have made an investment (client buy-in), I've also found they are willing to put more time into learning their systems and learning about protecting themselves. I sometimes think we, the geek community, are our own worst enemy! Sheesh.
"[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go