No Defense Against Windows Rootkits?
An anonymous reader writes "Spyware bad guys (and also phishing people) have started using rootkit technology to stay hidden in a system. The problem is that at the moment the technology to defend a Windows system from these things is very poor. In fact antivirus companies have just started adding basic anti-rootkit technology. So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"
Who has the chops to run through 800,000,000 lines of code to do the fixing of this OS?
I mean even if you find the problem can you honestly say you'd be sure you wouldn't leave Notepad.exe broken by making your changes?
Clearly Windows needs to be completely rethought with NO concern for legacy apps. See also OS X.
This
Shameless plug: I've written a script that should be able to help find any rootkits that are listening on tcp/udp on windows.
Here's the link
What it does is attempt to handshake with itself on every available tcp or udp port. If the handshake fails, that is an indicator that somebody else is already camping out on that port.
Source is GPL, feedback is always welcome.
This topic has been beaten to death a thousand and one times before but the reality still holds true: as long as a company holds the source of their software to their chest, you simply have to rely on them to provide the security for said software. By doing so you create the equivalent of a single point of failure that has to be addressed solely by the holding company, and as a result, you are subject to the "hurry up and wait" syndrome that accompanies it. That's when it comes back to "suck it up or don't use it," which carries all the arguments of "we don't have a choice" or "switching isn't an alternative for us."
This sig is six words long.
With the source code for Linux, we can easily add signatures and verification to the module loading system. So that wouldn't be an issue.
In 2.6 you use the kernel capabilities to load the appropriate modules at boot time, then strip the kernel of the ability to load any others. Adds a little more work for getting that module loaded. Throw in more stuff (verifying the module list from read-only media before loading any modules) and you can get pretty well defended against this kind of thing.
If I have been able to see further than others, it is because I bought a pair of binoculars.
If the API were opened up, not only would it have made it possible for someone to do a work-alike competitor to Gates's natural horizontal and vertical monopoly, it would have made open analysis of the potential security holes practical so that insurance companies could get into the business of software quality assurance -- which would have dramatically raised the quality of software professionals and computer security.
Seastead this.
But the reverse is true, you could have people going through finding exploits and using them without reporting them. Closed source is safer.
System (more accurately LocalSystem) can't access network resources.
/interactive cmd.exe
So there is *something* that they can't do.
Try
at (now plus a minute)
voila! Interactive system shell!
1. By having a standalone system to boot and being able to set the media to read only (via an electrical switch on the disk). This is the original method.
2. Bootable CD-ROM (equivalent to #1)
3. Volume analysis tools (similar to tripwire, with the program AND reference data on CD-ROM). A single scan could then be done carefully, if on-line; or better, when in single user mode.
Combining #3 and #2 gives you a very good check against a validated reference.
The important thing is to be SURE your reference is valid by building it from trusted sources (known good binaries from vendors, or inspecting and compiling the programs yourself).
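The tripwire-style check from option #3, as an added example that is not part of the original post: build a hash manifest from a trusted tree, keep that manifest on read-only media, and later classify every file as modified, missing or added. The paths, file contents and the tampering steps in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """SHA-256 of every regular file under root, keyed by POSIX relative path.
    The reference copy belongs on read-only media, as the post recommends."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_manifest(root, reference):
    """Compare the live tree with the trusted reference and classify each change."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in reference if p in current and current[p] != reference[p]),
        "missing": sorted(p for p in reference if p not in current),
        "added": sorted(p for p in current if p not in reference),
    }


def demo():
    """Constructed scenario: build a reference, then simulate a rootkit
    replacing one binary, deleting another and dropping a new file."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root, "bin")
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"constructed: original ls")
        (bin_dir / "ps").write_bytes(b"constructed: original ps")
        reference = build_manifest(root)          # this is what goes on the CD-ROM
        (bin_dir / "ls").write_bytes(b"constructed: trojaned ls")
        (bin_dir / "ps").unlink()
        (bin_dir / ".rk").write_bytes(b"constructed: dropped file")
        return verify_manifest(root, reference)
```

The scan only means something when the checker and the manifest are loaded from the trusted media, not from the disk being examined.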
So we are left with two options:
a) Windows 2000 is impervious to rootkits, either off the shelf or through modifications unavailable to the general public
b) The US Navy is running an unsecurable OS for the most advanced surface ships in the world - with nuclear reactors to boot.
If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
Is there any product for Windows like Bastille Linux that would help a user lock down any vulnerabilities in their system like file shares, unnecessary accounts, open ports, unnecessary services, IE settings, etc?
If not, there should be.
But the fundamental problem is that if someone wants to install this garbage, the only way you can really stop them is by taking control of their computer away from them. I'm not sure that even Microsoft is willing to go that far yet, and I'm not sure I would want them to, anyway.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
I recently cleaned a machine infected with a rootkit that was NOT detected with Rootkit Revealer. The virus loaded itself via the HKLM/Soft/MS/Windows/Run key, as usual, but it didn't show on regedit nor elsewhere, and the Rootkit Revealer did not detect the "missing" key. The only way to see and remove it was to boot with a WinPE CD.
Fortunately these rootkits can usually be detected by their side-effects, like the slowness and the internet activity... but you have to be suspicious that something's going on.
The availability of the source code has nothing to do with it. Joe Beerbelly is not going to be looking at the source code of his operating system. You'd be lucky if he understands that a thing called an operating system exists and has something called source code associated with it.
If your solution is to fix it yourself, you've already lost. It needs to be fixed by the *official* software vendor so that the changes can be pushed automatically to all the Beerbellies and Flabbyasses out there.
And besides, even for those who can understand the source code, it's not like the changes required are simple. If you DO manage to understand the system enough to make some useful changes, a vendor will not just blindly accept them. They will themselves have to review the changes and completely understand them anyway. So why not do it themselves the first time? And to the person spending all that time doing the vendor's work for them, do you not have a life or a job or something?
I work with spyware infected systems every day, and I have never found a "rootkit" on one
The issue is that they're extremely difficult to detect. What heuristics do you use that the major AV companies are not aware of?
The most effective method that I have found to get rid of spyware on an infected system, by the way, is to boot from a live Windows bootable CD to delete all the crappy spyware directories...
I'm sure that works reasonably well, but once a system is compromised, you never really know for sure. I find that the only surefire method, which incidentally often takes less time, is to wipe the drive and start fresh. The type of user that is going to get spyware probably doesn't have a complicated setup or do more than write documents and use iTunes, and backing up is as simple as looking for *.doc, *.xls, *.ppt, *.mp*, *.mov, *.wmv, and *.avi.
Purchased...?
Warez jokes aside, most common non-corporate windows are OEM copies. OEM = no support from microsoft. You get your pile of bytes that might or might not work, and you get some patches at the whim of MS. You get no support unless you pay thru the nose per incident.
Sure, you can call your OEM supplier - however, they have no access to the source, and generally just tell you to reinstall the thing and immediately tell you your system is unsupported if you actually install something other than the supplied bundled software on your system.
Uhmmm, actually you are only aware of it since two weeks ago. How long the attacks have been going on, or whether or not you are already infected with a rootkit, is unknown. A rootkit that isn't used much, except to find and download the CEO's email once a month, may go undetected for a long time.
Oh well, what the hell...
This is how rootkits are at least detected:
A rootkit has the ability to change the inputs and outputs of the overlaying OS API's. It does not however have the ability to change the I/O's of direct hardware access. Simple solution to detect rootkits is to do an API call for file directory (dir, ls, whatever), and compare it side-by-side to a direct hardware request for a file directory.
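The cross-view idea in this post (API listing versus a lower-level listing) and the port self-handshake script described earlier, as an added example that is not part of either post. The directory listings are constructed sample data; the port check is real: it opens a loopback listener, then bind-probes the port and compares the result with a (constructed, empty) list of what a subverted API supposedly reports.

```python
import errno
import socket


def cross_view_diff(api_view, raw_view):
    """Entries present in only one view. A rootkit that filters what the OS API
    returns shows up as 'hidden' (in the raw view, missing from the API view)."""
    api, raw = set(api_view), set(raw_view)
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}


def probe_ports(ports, host="127.0.0.1"):
    """Bind-probe: a port is 'in use' if bind() fails with EADDRINUSE, whether or
    not any tool lists the process holding it."""
    in_use = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            try:
                s.bind((host, port))
            except OSError as exc:
                if exc.errno != errno.EADDRINUSE:
                    raise  # e.g. EACCES on a privileged port: inspect by hand
                in_use.add(port)
    return in_use


def demo():
    """Constructed scenario: a directory listing the API view has filtered, and a
    real loopback listener that the 'API view' of open ports omits."""
    # 1. Directory cross-view: both listings are constructed sample data.
    api_listing = ["cmd.exe", "notepad.exe"]
    raw_listing = ["cmd.exe", "notepad.exe", "rk_driver.sys"]
    files = cross_view_diff(api_listing, raw_listing)

    # 2. Port cross-view: the listener stands in for a hidden service.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        claimed_by_api = []  # constructed: what a subverted API call reports
        ports = cross_view_diff(claimed_by_api, probe_ports([port]))
    return {"files": files, "ports": ports, "port": port}
```

Any entry in "hidden" is a discrepancy to investigate from trusted media, not proof of a rootkit on its own; a raw listing taken through the same subverted kernel can be filtered too.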
Frink: Nice try floyd, but you were designed for scrubbing, and scrubbing is what you shall do.
The logic of this statement is grating on my nerves but I can't seem to identify the fallacy. Malicious users can reverse engineer the closed source, find vulnerabilities that the company does not and just exploit them. Closed source is safer iff you can't reverse engineer it, otherwise it's just an extra step. So the conclusion is false.
Denying the Antecedent
Any argument of the following form is invalid:
If A then B
Not A
Therefore, Not B
Your argument:
If source is open hackers can easily find exploits. Not open implies hackers cannot easily find exploits.
So that's why there are so many linux virii and worms...whether the assertion is true or not is not supported by your argument.
A people that values its privileges above its principles soon loses both. Dwight D. Eisenhower
No, I don't have time to deal with the source code for any OS, let alone figure out how to defend it against attacks. I suspect the vast majority of “us” don't have time for it either.
Open Sauce zealots can look elsewhere for emotional support.
Does this question really need to be asked any longer?
Has this story teleported us all back to the year 2000? Hit the reset button? Is Slashdot's new motto "No hugging, no learning"?
I thought this was common knowledge. I didn't really expect a "pro-business" administration to do anything about it, did you? It's actually one of the few things that makes the rest of us feel safer.
Britain has the same problem, by the way:
Also see The Register which quotes an upbeat Armed Forces Minister:
Perhaps the Minister can now explain why his desktop PC doesn't even run properly.
Les Hatton gives his opinion at IT Week:
you had me at #!
It's fairly easy to put a module in Linux using /proc/kmem even if modules are disabled.
I ran into the same exact problem recently. Excellent karma, heavy participation, and prevented from posting at work due to being downmodded "too many" times. I have stopped subscribing, stopped moderating, stopped metamoderating.
Ironically, the word ironically is often used incorrectly.
How do you get around the stuff that likes root to be r-w, like /etc/mtab? I know it's frequently suggested to replace this with a symlink to /proc/mounts, but I also understand that some software doesn't like this. There is also some other stuff that likes to write into /etc, like /etc/dhcpcd/dhcpcd-eth0.info.
The living have better things to do than to continue hating the dead.
Metamoderating is a joke. I did it about twenty times. It has no effect whatsoever on anything. I think, nowadays /. is run by a small group of control freaks. I didn't mind it when you had to wait 4 or 5 minutes between posts but now it's so long that I lose interest in the discussions.
I got the same thing on a post that got upmodded almost as many times as it got downmodded. I had the misfortune of posting something controversial near the top of the list and got something like 10 mods down and 9 mods up, so the net downmod on the post was about 10%, but because the total *number* of downmods was above a threshold, I got put in the penalty box. I couldn't get the penalty lifted by communicating with /.'s staff folks either.
Before that day, I always thought the people bitching about the moderation system were just whining, but now I'm convinced there are aspects of it that are completely capricious.
Trouble making decisions? Just flip for it.
I have the solution for the inept family members. If they demand to run Windows then in order to get free IT support from me they have to let me install trustnoexe on their machine. I set it up via a VNC session after they start the VNC server by an icon on their desktop.
Yes, they can no longer install software themselves. But no spyware or viruses can get past it as they are not on the approved-to-run list.
Is it a PITA for the computer owner? Yes. But they will accept it if they want free help from me. It works great for most of my family, and typically most people do not install software often, if at all, after they get it set up to run the way they want.
Do not look at laser with remaining good eye.
Does he bear any moral responsibility for this? I would answer positively. If I leave a loaded gun lying on the sidewalk and someone picks it up and shoots someone else, I think I may get some bad karma.
karma != responsibility
Share and Enjoy!
This has probably already been said but I'm pissed and am having a casual browse before bedtime....
Sysinternals
If you must use Windows these fine folk are well worth a visit (should be mandatory...)
Sky subscribers are morons. They pay to be advertised at!