Slashdot Mirror
No Defense Against Windows Rootkits?
An anonymous reader writes "Spyware bad guys (and also phishing people) started using rootkits technology to stay hidden in a system. The problem is that at the moment the technology to defend a Windows system from these things is very poor. In fact antivirus companies have just started adding basic anti-rootkits technology. So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"
This would be a resounding YES.
And Butler and Hoglund's recent book on rootkits was pretty nice.
fast as fast can be. you'll never catch me.
Is the closed source code of Windows preventing us from actively defending our systems?
The right question is what is the vendor (Microsoft) doing about it. You purchased a product from a vendor, you should expect them to solve problems with that product or explain how to properly secure it, or just ignore the issue which says something about their product and commitment to support.
Potentially != Actually.
How long was the plain text password in Firebird before it was caught? A year and a half? And that's not even something subtle as some buffer overflows, or that double free in zlib.
The root of the problem may be the organizational structure of Microsoft. We have the mess that is/was longhorn/vista and the comments that it had to be re-written from the ground up.
d ral-bazaar/
The point made in the 'Cathedral and the Bazaar' may be coming to pass. It is impossible to manage very complex systems effectively. It is a question of distributed control vs. top down management. My favorite example is the Soviet Union vs. the US of A. A bureaucracy can't manage something as complex as a whole economy; maybe it can't manage something as complex as Windows.
The bottom line would seem to be that we will see a never-ending stream of problems like the one at hand.
www.catb.org/~esr/writings/cathedral-bazaar/cathe
www.uq.edu.au/news/index.html?article=6618
"the FU rootkit, which I wrote, is intended to demonstrate. It is not malicious but more proof of a premise."
"I do know that FU is one of the most widely deployed rootkits in the world. [It] seems to be the rootkit of choice for spyware and bot networks right now"
He wrote and distributed a rootkit for windows; for educational purposes only (!). It becomes one of the most widely used tools to propagate spyware and trojans. Does he bear any moral responsibilty for this?
I would answer positively. If I leave a loaded gun lying on the sidewalk and someone picks it up and shoots someone else, I think I may get some bad karma.
From http://www.viruslist.com/en/analysis?pubid=1687408 59
Currently, malicious code for Windows is more common than for UNIX because Windows is the most widely used operating system. However, if UNIX starts to gain popularity, then the situation will naturally change; new rootkits for UNIX will be written, and new methods of combating them will be developed.
This has been refuted time and again yet the various Windows-friendly analyst continually trot this one out as a rationale for the ( admittedly much improved but still ) relatively weak security design of M$ Windows.
Newsflash for those who didn't get the memo: Windows leads by a huge margin ON THE DESKTOP. On the server side the disparity, if one exists is a completely different story. Also, since there are many open source versions of Unix, such as Linux, *BSD, and Solaris, some of which have been available for more than a decade, it should have been relatively easy for Windows-loving, Unix-hating programmers to have designed the Unix-slaying, self-propagating daemon years ago. To date, the only thing that has come close was the Morris worm way back in the late '80s.
So guys, nice try - your explanation ( or rationale ) is leaking badly. If Windows represent a bigger target, it SUPPOSEDLY has the "advantage" of being closed-source but the open source Unices, which are fewer in number SHOULD be an easier target.
It's time to focus on what the true flaws of each platform are - their relative prevalence is no longer relevant to the discussion ( aka flamefest ).
Pain is merely failure leaving the body
From my experience with windows, my mind boggles at the idea of trying to do something similar on that platform. Seems like every time I run windows update, some critical DLL ends up changed, and applications add their own specialized librarys with registry keys overriding the defaults.
Hell, half the time windows itself doesn't know what its installed. Every time I have to rollback a box from some semi-major patch, I cringe. I know something is going to break. If it's internal system doesn't keep basic track of what's installed and running (how many broken uninstall apps have you seen, which end up with you crawling through the registry trying to disable the damn software?), how the hell can you even know what to scan for?
I don't have the faintest idea of how to go about checking for a windows rootkit. What could you do? Take a drive image to compare against? That would never fly. Windows hides so many damn system jobs anyway, how the hell would you be able to spot one more?
The bulk of my windows security comes from running Snort upstream on the traffic that comes from the damn box, looking for traffic that ought not be there, and denying outbound from every port except ones I allow explicitly.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
The trouble is that people do not listen. Unless they do not actually have admin access to the system, the chances are if a box pops up going "You need admin access to install this, if you have it then just shove in a username and password here:" people will do so regardless.
Hell, in XPSP2 it has this big balloon which pops up repeatedly going along the lines of "Listen you pillock, you don't have firewall or automatic updates turned on. You really do need these. Click here and I'll set it all up for you, it's about 3 seconds work!". I know people who, when have this pointed out to them, go "Oh I never read that, it just keeps popping up".
The only other thing to do with some people is forcibly configure things, which I'm sure we'd all hate. I use Active Directory to force fine-tuned update compliance and firewall settings across my home network, but home users can't even negotiate a simple dialogue going "Here's what you need to do, here's why you need to do it, here's how to do it".
So when IE pops up a convenient dialogue warning about the fact that HotPornDialer32.exe isn't signed and is in fact coming from a website with an invalid certificate, along with a warning about exactly why it's bad to click 'Install', people will do anyway. Perhaps a Firefox-esque forced delay is in order so people can't just click 'OK' without thinking.
How many people can read hex if only you and dead people can read hex?
Here is another potential problem. MS might come out with an add-on to their OS where it prevents unauthorized (or authorized) installation of these malwares....it will do this because they are not digitally signed, and authenticated to the user...the only problem: My friend does not want to use a program (i.e. photoshop) so he deletes it from his computer and gives me the disk. The disk is registered to his windows...now I can't install it....or what if I want to rip my DvD movie to my computer (backup)...it won't let me play it.
In the end, the best answer is for people to start using their noodle...protection software can also hinder us.
I mod down so you can mod up. Your welcome.
At the end of the day, operating systems can only identify suspicious behavior. It will always be up to the user to make the final call. If your users can't make good decisions, nothing short of a total system lock-down will help.