Slashdot Mirror


No Defense Against Windows Rootkits?

An anonymous reader writes "Spyware bad guys (and also phishing people) started using rootkits technology to stay hidden in a system. The problem is that at the moment the technology to defend a Windows system from these things is very poor. In fact antivirus companies have just started adding basic anti-rootkits technology. So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"

15 of 510 comments

  1. You have to wonder... by ellem · Score: 3, Interesting

    Who has the chops to run through 800,000,000 lines of code to do the fixing of this OS?

    I mean even if you find the problem can you honestly say you'd be sure you wouldn't leave Notepad.exe broken by making your changes?

    Clearly Windows needs to be completely rethought with NO concern for legacy apps. See also OS X.

    --
    This .sig is fake but accurate.
  2. Windows Rootkit detection Tool by republican+gourd · Score: 5, Interesting

    Shameless plug: I've written a script that should be able to help find any rootkits that are listening on TCP/UDP on Windows.

    Here's the link

    What it does is attempt to handshake with itself on every available tcp or udp port. If the handshake fails, that is an indicator that somebody else is already camping out on that port.

    Source is GPL, feedback is always welcome.
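    The bind-probe idea described in this comment, written up as an added example (not the poster's GPL script): every port in a range is offered to bind(), and any port the kernel refuses but which is missing from the listener list the OS reports (the `reported_ports` argument, which the caller would fill from netstat or the Windows API; the `demo()` scenario and its decoy socket are constructed here) is flagged as a hidden listener.

    ```python
    import errno
    import socket


    def probe_busy_tcp_ports(ports, host="127.0.0.1"):
        """Try to bind() each TCP port and return the set that is already taken.

        The kernel's own bind() check is not affected by user-land API hooking,
        so EADDRINUSE means *something* owns the port, whether or not the
        system's enumeration tools admit it.  EACCES (privileged port, not
        running as admin/root) is deliberately not counted as busy.
        """
        busy = set()
        for port in ports:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                sock.bind((host, port))
            except OSError as exc:
                if exc.errno == errno.EADDRINUSE:
                    busy.add(port)
            finally:
                sock.close()
        return busy


    def hidden_listeners(busy_ports, reported_ports):
        """Ports the kernel says are taken but the OS's listener list omits."""
        return set(busy_ports) - set(reported_ports)


    def demo():
        """Constructed scenario: a plain listening socket stands in for a hidden
        listener, and an empty list stands in for a (hooked) netstat report."""
        decoy = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        decoy.bind(("127.0.0.1", 0))        # let the OS pick a free port
        decoy.listen(1)
        port = decoy.getsockname()[1]
        try:
            busy = probe_busy_tcp_ports(range(port, port + 3))
            return port, busy, hidden_listeners(busy, reported_ports=[])
        finally:
            decoy.close()


    if __name__ == "__main__":
        port, busy, hidden = demo()
        print(f"decoy on {port}; busy={sorted(busy)}; hidden={sorted(hidden)}")
    ```

    A full sweep of 1-65535 takes a while and, as the comment notes, the same bind-refusal logic applies to UDP; on a live system the interesting output is the difference set, not the raw busy list.
    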

  3. And now for something completely repetitive... by menorikey · Score: 3, Interesting

    This topic has been beaten to death a thousand and one times before but the reality still holds true: as long as a company holds the source of their software to their chest, you simply have to rely on them to provide the security for said software. By doing so you create the equivalent of a single point of failure that has to be addressed solely by the holding company, and as a result, you are subject to the "hurry up and wait" syndrome that accompanies it. That's when it comes back to "suck it up or don't use it," which carries all the arguments of "we don't have a choice" or "switching isn't an alternative for us."

    --
    This sig is six words long.
  4. Re:It works both ways, but it's worse for MS by Qzukk · Score: 4, Interesting

    In 2.6 you use the kernel capabilities to load the appropriate modules at boot time, then strip the kernel of the ability to load any others. Adds a little more work for getting that module loaded. Throw in more stuff (verifying the module list from read-only media before loading any modules) and you can get pretty well defended against this kind of thing.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  5. Re:The Answer by insomniac8400 · Score: 3, Interesting

    But the reverse is true, you could have people going through finding exploits and using them without reporting them. Closed source is safer.

  6. Re:I fear not your rootkits! by Tony+Hoyle · Score: 5, Interesting

    System (more accurately LocalSystem) can't access network resources.

    So there is *something* that they can't do.

    Try

    at (now plus a minute) /interactive cmd.exe

    voila! Interactive system shell!

  7. Unacceptable for national defense by keraneuology · Score: 5, Interesting

    Since Bill Gates became the 2nd largest stockholder in Newport News Shipbuilding and guaranteed that the Ronald Reagan class of aircraft carrier will be Windows 2000 based, how does the Navy deal with this issue? Or have they addressed it at all? The last thing we need is for just one person in that population-5,000 floating city with malicious intentions to pop a rootkit into the mess that is navigation, fire control or general operations.

    So we are left with two options:

    a) Windows 2000 is impervious to rootkits, either off the shelf or through modifications unavailable to the general public

    b) The US Navy is running an unsecurable OS for the most advanced surface ships in the world - with nuclear reactors to boot.

    --
    If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
  8. Bastille Windows? by Fiver- · Score: 3, Interesting

    Is there any product for Windows like Bastille Linux that would help a user lock down any vulnerabilities in their system like file shares, unnecessary accounts, open ports, unnecessary services, IE settings, etc?

    If not, there should be.

  9. I'm not sure admin is such a big deal by Dink+Paisy · Score: 4, Interesting

    The problem is that a lot of this stuff is installed voluntarily. If P2PFreeMovies.exe and BritaneySperesNaked!!!.exe say they need admin access to install, people will just type the password in. Better use of capabilities and code signing would help, and, unlike mainstream Linux, Windows actually has an advanced security model that would allow this.

    But the fundamental problem is that if someone wants to install this garbage, the only way you can really stop them is by taking control of their computer away from them. I'm not sure that even Microsoft is willing to go that far yet, and I'm not sure I would want them to, anyway.

    --

    Whoever corrects a mocker invites insult;
    whoever rebukes a wicked man incurs abuse.
    --Proverbs 9:7
    1. Re:I'm not sure admin is such a big deal by eyeball · Score: 4, Interesting

      Here is another potential problem. MS might come out with an add-on to their OS where it prevents unauthorized (or authorized) installation of these malwares... it will do this because they are not digitally signed, and authenticated to the user... the only problem: My friend does not want to use a program (i.e. Photoshop) so he deletes it from his computer and gives me the disk. The disk is registered to his Windows... now I can't install it... or what if I want to rip my DVD movie to my computer (backup)... it won't let me play it.


      From everything I've read, it seems MS is working on the goal of windows eventually running only applications signed by them, the same way XBox is supposed to only run games they sign. There are so many things wrong with that besides the examples you mentioned:

      - Who signs the apps? Microsoft?
      - How do they determine which are legit and which aren't?
      - Who is held responsible if a legit company
      - How much will they charge?
      - Will the costs of signing push shareware & freeware programmers out of the market?
      - Will the signed applications expire?
      - What happens if I sell my computer? Are the licenses still tied to it?
      - Will they also keep competitors out of the market too?
      - What happens when everyone's guard is down, and someone figures out a way to code-sign a worm.

      Just to scratch the surface. Worst case scenario, future PCs will cease to run Linux or any other alternative OS.

      My real fear is that MS and/or Intel lobbyists convince the government to pass a law mandating that computers only run signed code. As a matter of fact, I'm surprised they've waited this long.

      --

      _______
      2B1ASK1
  10. Re:SysInternals' by ZyBex · Score: 4, Interesting

    I recently cleaned a machine infected with a rootkit that was NOT detected with Rootkit Revealer. The virus loaded itself via the HKLM/Soft/MS/Windows/Run key, as usual, but it didn't show on regedit nor elsewhere, and the Rootkit Revealer did not detect the "missing" key. The only way to see and remove it was to boot with a WinPE CD.

    Fortunately these rootkits can usually be detected by their side-effects, like the slowness and the internet activity... but you have to be suspicious that something's going on.

  11. Re:What rootkits? by ThaFooz · Score: 4, Interesting

    I work with spyware infected systems every day, and I have never found a "rootkit" on one

    The issue is that they're extremely difficult to detect. What heuristics do you use that the major AV companies are not aware of?

    The most effective method that I have found to get rid of spyware on an infected system, by the way, is to boot from a live Windows bootable CD to delete all the crappy spyware directories...

    I'm sure that works reasonably well, but once a system is compromised, you never really know for sure. I find that the only surefire method, which incidentally often takes less time, is to wipe the drive and start fresh. The type of user that is going to get spyware probably doesn't have a complicated setup or do more than write documents and use iTunes, and backing up is as simple as looking for *.doc, *.xls, *.ppt, *.mp*, *.mov, *.wmv, and *.avi.

  12. Re:Wrong question! by Jarnis · Score: 3, Interesting

    Purchased...?

    Warez jokes aside, most common non-corporate Windows copies are OEM copies. OEM = no support from Microsoft. You get your pile of bytes that might or might not work, and you get some patches at the whim of MS. You get no support unless you pay thru the nose per incident.

    Sure, you can call your OEM supplier - however, they have no access to the source, and generally just tell you to reinstall the thing and immediately tell you your system is unsupported if you actually install something other than the supplied bundled software on your system.

  13. "Windows for Warships": old old news by toby · Score: 5, Interesting

    Is the closed source code of Windows preventing us from actively defending our systems?

    Does this question really need to be asked any longer?

    Has this story teleported us all back to the year 2000? Hit the reset button? Is Slashdot's new motto "No hugging, no learning"?

    b) The US Navy is running an unsecurable OS for the most advanced surface ships in the world - with nuclear reactors to boot.

    I thought this was common knowledge. I didn't really expect a "pro-business" administration to do anything about it, did you? It's actually one of the few things that makes the rest of us feel safer.

    Britain has the same problem, by the way:

    The Royal Navy's new, state-of-the-art destroyer has been fitted with combat management software that can be hacked into, crashes easily and is vulnerable to viruses, according to one of the system's designers who was fired after raising his concerns. ... he told Channel 4 news that "the use of Windows For Warships puts the ship and her crew at risk, and the defence of the realm".

    There are also plans to install a similar Microsoft Windows-based computerised command system on Britain's nuclear submarines. Wilson said: "It is inconceivable that we could allow the possible accidental release of nuclear missiles. The people who survived such an exchange, if any, would certainly regard such a thing as a crime against humanity. And I can't help feeling that even planning to deploy such systems on Windows, with its unreliability and lack of security, is itself some sort of crime in international law."

    Also see The Register which quotes an upbeat Armed Forces Minister:

    Fabricant had asked if there had been an external review of the Type 45 decision, and from Ingram's answer we can perhaps infer 'No'. He then asked for a cost comparison between Unix and Windows 2000 as the CMS OS, and Ingram simply said: "The cost of implementing an operating system for the Combat Management System in the Type 45 is a matter for the prime contractor, BAE Systems, and their sub-contractor. The Department does not have, or require, visibility of costs at that level of detail."

    Fabricant also asked what systems had been put in place to cope with a failure, and what steps had been taken to ensure the Win2k CMS in the Type 45 was reliable. Aside from affirming that Win2k was "the lowest risk choice" and that BAE was on top of "residual risks" (Are these cookies? Spyware?), Ingram said: "The system design has built-in redundancy, with automatic, and transparent, switch-over to a back-up system if the primary system has a problem. This would provide continuity of operation and ensure that no data was lost. The system design also ensures that comprehensive hardware mechanisms will be in place to avoid any other safety or technical issues."

    Perhaps the Minister can now explain why his desktop PC doesn't even run properly.

    Les Hatton gives his opinion at IT Week:

    ... the Royal Navy is all set to go to sea with Windows on warships. Am I alone in thinking that this has to be one of the most terminally stupid IT decisions of the century?

    ...this was first attempted in the mid-1990s. There was a wonderful description of the then-latest generation of a US missile cruiser, the USS Yorktown, having to be frequently rebooted because its underlying network of computers running Windows NT crashed somewhat inconveniently. Apparently the design meant that critical systems such as steering could be lost in mid-battle.

    So here we are again. This time the dec

    --
    you had me at #!
  14. Re:It works both ways, but it's worse for MS by Anonymous Coward · Score: 3, Interesting

    It's fairly easy to put a module in Linux using /proc/kmem even if modules are disabled.