No Defense Against Windows Rootkits?

An anonymous reader writes "Spyware bad guys (and also phishing people) started using rootkits technology to stay hidden in a system. The problem is that at the moment the technology to defend a Windows system from these things is very poor. In fact antivirus companies have just started adding basic anti-rootkits technology. So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"

Windows Rootkit detection Tool

[republican+gourd]

Shameless plug: I've written a script that should be able to help find any rootkits that are listening on tcp/udp on windows.

Heres the link

What it does is attempt to handshake with itself on every available tcp or udp port. If the handshake fails, that is an indicator that somebody else is already camping out on that port.

Source is GPL, feedback is always welcome.

Re:It works both ways, but it's worse for MS

[Qzukk]

In 2.6 you use the kernel capabilites to load the appropriate modules at boot time, then strip the kernel of the ability to load any others. Adds a little more work for getting that module loaded. Throw in more stuff (verifying the module list from read-only media before loading any modules) and you can get pretty well defended against this kind of thing.

Re:I fear not your rootkits!

[Tony+Hoyle]

System (more accurately LocalSystem) can't access network resources.

So there is *something* that they can't do.

Try

at (now plus a minute) /interactive cmd.exe

voila! Interactive system shell!

Unacceptable for national defense

[keraneuology]

Since Bill Gates became the 2nd largest stockholder in Newport News Shipbuilding and guaranteed that the Ronald Reagan class of aircraft carrier will be Windows 2000 based, how does the Navy deal with this issue? Or have they addressed it at all? The last thing we need is for just one person in that population 5,000 floating city with malicious intentions to pop a rootkit into the mess that is navigation, fire control or general operations.

So we are left with two options:

a) Windows 2000 is impervious to rootkits, either off the shelf or through modifications unavailable to the general public

b) The US Navy is running an unsecurable OS for the most advanced surface ships in the world - with nuclear reactors to boot.

I'm not sure admin is such a big deal

[Dink+Paisy]

The problem is that a lot of this stuff is installed voluntarily. If P2PFreeMovies.exe and BritaneySperesNaked!!!.exe say they need admin access to install, people will just type the password in. Better use of capabilities and code signing would help, and, unlike mainstream Linux, Windows actually has an advanced security model that would allow this.

But the fundamental problem is that if someone wants to install this garbage, the only way you can really stop them is by taking control of their computer away from them. I'm not sure that even Microsoft is willing to go that far yet, and I'm not sure I would want them to, anyway.

Re:I'm not sure admin is such a big deal

[eyeball]

Here is another potential problem. MS might come out with an add-on to their OS where it prevents unauthorized (or authorized) installation of these malwares....it will do this because they are not digitally signed, and authenticated to the user...the only problem: My friend does not want to use a program (i.e. photoshop) so he deletes it from his computer and gives me the disk. The disk is registered to his windows...now I can't install it....or what if I want to rip my DvD movie to my computer (backup)...it won't let me play it.

From everything I've read, it seems MS is working on the goal of windows eventually running only applications signed by them, the same way XBox is supposed to only run games they sign. There are so many things wrong with that besides the examples you mentioned:

- Who signs the apps? Microsoft?
- How do they determine which are legit and which arent?
- Who is held responsible if a legit company
- How much will they charge?
- Will the costs of signing push shareware & freeware programmers out of the market?
- Will the signed applications expire?
- What happens if I sell my computer? Are the licenses still tied to it?
- Will they also keep compeditors out of the market too
- What happens when everyone's guard is down, and someone figures out a way to code-sign a worm.

Just to scratch the surface. Worst case scenario, future PCs will cease to run Linux or any other alternative OS.

My real fear is that MS and/or Intel lobbyists convince the government to pass a law mandating that computers only run signed code. As a matter of fact, I'm surprised they've waited this long.

Re:SysInternals'

[ZyBex]

I recently cleaned a machine infected with a rootkit that was NOT detected with Rootkit Revealer. The virus loaded itself via the HKLM/Soft/MS/Windows/Run key, as usual, but it didn't show on regedit nor elsewhere, and the Rootkit Revealer did not detect the "missing" key. The only way to see and remove it was to boot with a WinPE CD.

Fortunately these rootkits can usually be detected by their side-effects, like the slowness and the internet activity... but you have to be suspitious that something's going on.

Re:What rootkits?

[ThaFooz]

I work with spyware infected systems every day, and I have never found a "rootkit" on one

The issuse is that they're extremely difficult to detect. What heuristics do you use that that the major AV companies are not aware of?

The most effective method that I have found to get rid of spyware on an infected system, by the way, is to boot from a live Windows bootable CD to delete all the crappy spyware directories...

I'm sure that works reasonably well, but once a system is comprimised, you never really know for sure. I find that the only surefire method, which incidentally often takes less time, is to wipe the drive and start fresh. The type of user that is going to get spyware probably doesn't have a complicated setup or do more than write documents and use iTunes, and backing up is as simple as looking for *.doc, *.xls, *.ppt, *.mp*, *.mov, *.wmv, and *.avi.

"Windows for Warships": old old news

[toby]

Is the closed source code of Windows preventing us from actively defending our systems?

Does this question really need to be asked any longer?

Has this story teleported us all back to the year 2000? Hit the reset button? Is Slashdot's new motto "No hugging, no learning"?

b) The US Navy is running an unsecurable OS for the most advanced surface ships in the world - with nuclear reactors to boot.

I thought this was common knowledge. I didn't really expect a "pro-business" administration to do anything about it, did you? It's actually one of the few things that makes the rest of us feel safer.

Britain has the same problem, by the way:

The Royal Navy's new, state-of-the-art destroyer has been fitted with combat management software that can be hacked into, crashes easily and is vulnerable to viruses, according to one of the system's designers who was fired after raising his concerns. ... he told Channel 4 news that "the use of Windows For Warships puts the ship and her crew at risk, and the defence of the realm".

There are also plans to install a similar Microsoft Windows-based computerised command system on Britain's nuclear submarines. Wilson said: "It is inconceivable that we could allow the possible accidental release of nuclear missiles. The people who survived such an exchange, if any, would certainly regard such a thing as a crime against humanity. And I can't help feeling that even planning to deploy such systems on Windows, with its unreliability and lack of security, is itself some sort of crime in international law."

Also see The Register which quotes an upbeat Armed Forces Minister:

Fabricant had asked if there had been an external review of the Type 45 decision, and from Ingram's answer we can perhaps infer 'No'. He then asked for a cost comparison between Unix and Windows 2000 as the CMS OS, and Ingram simply said: "The cost of implementing an operating system for the Combat Management System in the Type 45 is a matter for the prime contractor, BAE Systems, and their sub-contractor. The Department does not have, or require, visibility of costs at that level of detail."

Fabricant also asked what systems had been put in place to cope with a failure, and what steps had been taken to ensure the Win2k CMS in the Type 45 was reliable. Aside from affirming that Win2k was "the lowest risk choice" and that BAE was on top of "residual risks" (Are these cookies? Spyware?), Ingram said: "The system design has built-in redundancy, with automatic, and transparent, switch-over to a back-up system if the primary system has a problem. This would provide continuity of operation and ensure that no data was lost. The system design also ensures that comprehensive hardware mechanisms will be in place to avoid any other safety or technical issues."

Perhaps the Minister can now explain why his desktop PC doesn't even run properly.

Les Hatton gives his opinion at IT Week:

... the Royal Navy is all set to go to sea with Windows on warships. Am I alone in thinking that this has to be one of the most terminally stupid IT decisions of the century?

...this was first attempted in the mid-1990s. There was a wonderful description of the then-latest generation of a US missile cruiser, the USS Yorktown, having to be frequently rebooted because its underlying network of computers running Windows NT crashed somewhat inconveniently. Apparently the design meant that critical systems such as steering could be lost in mid-battle.

So here we are again. This time the dec