Slashdot Mirror
No Defense Against Windows Rootkits?
An anonymous reader writes "Spyware bad guys (and also phishing people) started using rootkits technology to stay hidden in a system. The problem is that at the moment the technology to defend a Windows system from these things is very poor. In fact antivirus companies have just started adding basic anti-rootkits technology. So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"
This would be a resounding YES.
And Butler and Hoglund's recent book on rootkits was pretty nice.
fast as fast can be. you'll never catch me.
Because Windows has no root!
No, seriously, I don't know the answer to this. :-)
-Rob
Biblical fiscal responsibility
Who has the chops to run through 800,000,000 lines of code to do the fixing of this OS?
I mean even if you find the problem can you honestly say you'd be sure you wouldn't leave Notepad.exe broken by making your changes?
Clearly Windows needs to be completely re thought with NO concern for legacy apps. See also OS X.
This
Is the closed source code of Windows preventing us from actively defending our systems?
Yes. We are at the mercy of Microsoft to patch the systems for us. At least with Open Source you have potentially thousands of programmers looking for security holes and reporting those security problems.
Bradley Holt
Shameless plug: I've written a script that should be able to help find any rootkits that are listening on tcp/udp on windows.
Heres the link
What it does is attempt to handshake with itself on every available tcp or udp port. If the handshake fails, that is an indicator that somebody else is already camping out on that port.
Source is GPL, feedback is always welcome.
Short answer is Yes. The closed source of M$ *IS* preventing us from actively defending. AFAIK, M$ feels that they will get around to it or another company will step up to fill in the gap forcing us either way, to purchase yet another piece of software or the uber upgrade. Kinda like the insurance industry.
Joe Consumer: "Do I really need this?"
Co. Thug: "No, not at all. However, you never know when you may have an accident."
Your actions in life will determine your children's future.
.. RootkitRevealer is your friend.
This topic has been beaten to death a thousand and one times before but the reality still holds true: as long as a company holds the source of their software to their chest, you simply have to rely on them to provide the security for said software. By doing so you create the equivalent of a single point of failure that has to be addressed solely by the holding company, and as a result, you are subject to the "hurry up and wait" syndrome that accompanies it. That's when it comes back to "suck it up or don't use it," which carries all the arguments of "we don't have a choice" or "switching isn't an alternative for us."
This sig is six words long.
Let us not forget the wonders of ActiveX controls not to mention IE's ability to install items with out authentication. As far as that is concerned ANY installer should have to be authenticated as an ADMINISTRATOR before the install can proceed. I think this small step would curb many of the issues with spyware, adware, toolbars, etc.
Is the closed source code of Windows preventing us from actively defending our systems?
The right question is what is the vendor (Microsoft) doing about it. You purchased a product from a vendor, you should expect them to solve problems with that product or explain how to properly secure it, or just ignore the issue which says something about their product and commitment to support.
Strider Ghostbuster,, a Microsoft developed technique for detecting all persistant and stealthy rootkits .
Just convince Microsoft to make it available.
There is also SysInternal's Rootkit Revealer, which although not quite as general, is still hard to fool.
Test your net with Netalyzr
If the API were opened up not only would it have made it possible for someone to do a work-alike competitor to Gates's natural horizontal and vertical monopoly, it would have made open analysis of the potential security holes practical so that insurance companies could get into the business of software quality assurance -- which would have dramatically raised the quality of software professinals and computer security.
Seastead this.
I administer a network with about 50 workstations. We run Windows2000 with Symantec Anti-Virus Corporate (aka Norton). Symantec registered an internal attack by a root kit only two weeks ago. This stuff is in the wild now!
So we are left with two options:
a) Windows 2000 is impervious to rootkits, either off the shelf or through modifications unavailable to the general public
b) The US Navy is running an unsecurable OS for the most advanced surface ships in the world - with nuclear reactors to boot.
If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
YES!!!!!!! that is all...
If carrots got you drunk, rabbits would be fucked up. - Comedian Mitch Hedberg R.I.P. 03/30/68-2/24/05
It's also really hard to detect, inform users about, and/or remove rootkits without the user knowing a bit about the inner workings of the system. In a "root/administrator" world, there's no guarantee that a rootkit can be detected anyway, because there's nothing a detection app can look at that a rootkit can't obscure, if it knows what the detection app will be looking for.
Windows has problems that make rootkits easier, but it's not because it's closed-source.
The root of the problem may be the organizational structure of Microsoft. We have the mess that is/was longhorn/vista and the comments that it had to be re-written from the ground up.
d ral-bazaar/
The point made in the 'Cathedral and the Bazaar' may be coming to pass. It is impossible to manage very complex systems effectively. It is a question of distributed control vs. top down management. My favorite example is the Soviet Union vs. the US of A. A bureaucracy can't manage something as complex as a whole economy; maybe it can't manage something as complex as Windows.
The bottom line would seem to be that we will see a never-ending stream of problems like the one at hand.
www.catb.org/~esr/writings/cathedral-bazaar/cathe
www.uq.edu.au/news/index.html?article=6618
Yes, Microsoft has a Shared Source program. I'm not 100% sure of the exact requirements to join the Shared Source program (you could look it up on their website I'm sure) but the requirements are fairly hefty. You have to sign some pretty thorough NDAs, of course. To the best of my knowledge, an individual acting by themself rarely gets access, although I'm pretty sure that several book authors got access to Windows source. Companies can gain access, but they normally have to pay for the priveledge (if you recall the Win2k source code getting lose a year or so back, that was on account of a company that had purchased a liscense to the code losing it). A large number of Universities have access to the code, as do governments and government contractors.
Is there any product for Windows like Bastille Linux that would help a user lock down any vulnerabilities in their system like file shares, unnecessary accounts, open ports, unnecessary services, IE settings, etc?
If not, there should be.
1. Buy a Mac! and be a little bit paranoid about security.
/. grade paranoid), but is doable.
2. Use Linux and be paranoid about security.
3. Buy a tinfoil hat.
4. Build a beowulf cluster of Linux enabled devices: an iPod, two toasters, one 'smart' fridge, and one spoon -anything runs Linux these days-.
5. Build your own OS!
Or you can keep on using Windows and trusting AV companies and its flawed model of "ok, we'll release the fix AFTER enough people have been screwed".
I don't think that the design of Windows, where changing an int to a float in the library that displays Clippy can crash MSN Messenger, would allow for easy fixes, regardless of closed or open source code.
You can actively defend your system anyway. It takes time and money (e.g. self-made hardware firewall with parts bought from the tinfoil-hat store, if you want to be
Disclosure: I'm stupid
But the fundamental problem is that if someone wants to install this garbage, the only way you can really stop them is by taking control of their computer away from them. I'm not sure that even Microsoft is willing to go that far yet, and I'm not sure I would want them to, anyway.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
The availablitiy of the source code has nothing to do with it. Joe Beerbelly is not going to be looking at the source code of his operating system. You'd be lucky if he understands that a thing called an operating system exists and has something called source code associated with it.
If your solution is to fix it yourself, you've already lost. It needs to be fixed by the *official* software vendor so that the changes can be pushed automatically to all the Beerbellies and Flabbyasses out there.
And besides, even for those who can understand the source code, it's not like the changes required are simple. If you DO manage to understand the system enough to make some usefull changes, a vendor will not just blindly accept them. They will themselves have to review the changes and completely understand them anyways. So why not do it themselves the first time? And to the person spending all that time doing the vendors work for them, do you not have a life or a job or something?
Okay class, let's review.
When you perform any operation on a file system object - getting the contents of a file, size, modification date, etc - you're, after all the layers of indirection, making a system call to the executive. Most real rootkits on Windows NT derivatives are kernel rootkits - that is they modify core system calls to hide themselves and perform nefarious activies - you can't really detect them with something as naive as a file content check.
This may be slighty OT, but I don't see ANY reason why a closed source system that's this vulnurable should be allowed in any Medical/Govermental or Military implementation. Sure, lot's of Apps are written ABOVE the OS and thus in control of the branch maintaining them, but damnit, the OS is at the root of the problem here! Makes you understand why trains all across Europe are still kept track of (punny, eh?) by old Digital DEC's running VMS or OpenVMS. The whole idea that mindshare of the mainframe is growing old and retiring is going to be an issue, Windows 2000 server is not a replacement for something like VMS.
fak3r.com
What if we as a community just put a 12 month moratorium on backfilling MS crappy code and the crappy job they do designing and then maintaining it. What if we simply let it go to shit and let MS deal with the consequences. Sometimes I feel like an ennabler for a crazy codependent cranked out asshole. What if we just said NO -it's your fundamental problem, you fix it. Maybe MS stock would go down, maybe not. Maybe some really important systems would fizzle up in flames. Who fucking cares? I say call them on their bluff and stop pretending that they're not sucking off OUR work and OUR integrity.
1. Get pair of scissors
2. Cut Ethernet Cable
3. Windows is now secure from attacks via the internet!
Oh, and don't forget to mention that you should run tripwire from a known-secure system (a Knoppix CD, for instance) at least once in a while. Indeed, if your system is infested by a good rootkit, it could itself so well that it would play back a phony, made to look innocent contents of any files that it had infected.
Same goes for lsmod, ps and other tools (it is however very rare that a rootkit is so thorough as to hide itself from all tools. Most often an rpm -q --verify -a finds the nasties). But if you're really paranoid, run your tripwire and rpm --verify from an external system, not from within the one you want to examine.
I work with spyware infected systems every day, and I have never found a "rootkit" on one
The issuse is that they're extremely difficult to detect. What heuristics do you use that that the major AV companies are not aware of?
The most effective method that I have found to get rid of spyware on an infected system, by the way, is to boot from a live Windows bootable CD to delete all the crappy spyware directories...
I'm sure that works reasonably well, but once a system is comprimised, you never really know for sure. I find that the only surefire method, which incidentally often takes less time, is to wipe the drive and start fresh. The type of user that is going to get spyware probably doesn't have a complicated setup or do more than write documents and use iTunes, and backing up is as simple as looking for *.doc, *.xls, *.ppt, *.mp*, *.mov, *.wmv, and *.avi.
"the FU rootkit, which I wrote, is intended to demonstrate. It is not malicious but more proof of a premise."
"I do know that FU is one of the most widely deployed rootkits in the world. [It] seems to be the rootkit of choice for spyware and bot networks right now"
He wrote and distributed a rootkit for windows; for educational purposes only (!). It becomes one of the most widely used tools to propagate spyware and trojans. Does he bear any moral responsibilty for this?
I would answer positively. If I leave a loaded gun lying on the sidewalk and someone picks it up and shoots someone else, I think I may get some bad karma.
From http://www.viruslist.com/en/analysis?pubid=1687408 59
Currently, malicious code for Windows is more common than for UNIX because Windows is the most widely used operating system. However, if UNIX starts to gain popularity, then the situation will naturally change; new rootkits for UNIX will be written, and new methods of combating them will be developed.
This has been refuted time and again yet the various Windows-friendly analyst continually trot this one out as a rationale for the ( admittedly much improved but still ) relatively weak security design of M$ Windows.
Newsflash for those who didn't get the memo: Windows leads by a huge margin ON THE DESKTOP. On the server side the disparity, if one exists is a completely different story. Also, since there are many open source versions of Unix, such as Linux, *BSD, and Solaris, some of which have been available for more than a decade, it should have been relatively easy for Windows-loving, Unix-hating programmers to have designed the Unix-slaying, self-propagating daemon years ago. To date, the only thing that has come close was the Morris worm way back in the late '80s.
So guys, nice try - your explanation ( or rationale ) is leaking badly. If Windows represent a bigger target, it SUPPOSEDLY has the "advantage" of being closed-source but the open source Unices, which are fewer in number SHOULD be an easier target.
It's time to focus on what the true flaws of each platform are - their relative prevalence is no longer relevant to the discussion ( aka flamefest ).
Pain is merely failure leaving the body
Is the closed source code of Windows preventing us from actively defending our systems?
Windows being closed source in no way prevents me from defending my system. I just insert my Gentoo install disk and reboot.
``It's well known that the *nix operating system model is more secure by default, through good design.''
Is it the Windows design that is insecure, or the implementations? Of course, that begs the question if there actually _is_ a Windows design to speak of. Well, what is there in the APIs that Microsoft publishes that is necessarily insecure, and what is there in the Unix APIs that is necessarily insecure?
I can answer parts of the Unix side; the fact that software needs to be all-powerful to do a single privileged operation (such an binding to a port below 1024). Functions like tmpnam(3), which generate predictable filenames.
Things like the general lack of bounds checking (leading to buffer overflows) are implementation issues, and could be overcome by using better programming languages.
Please correct me if I got my facts wrong.
He did mention "normally unconnected read-only media". So you not only put your checksums on these, but also a minimal rescue system, which you boot whenever you want to check integrity of your main system (on Linux, such a system might be a Knoppix CD, for instance...).
Granted, on Windows, this might be a tad more difficult, as the Windows rescue CD's may not be usable enough to run checksumming utilities...
Ok, but Knoppix does support NTFS so just use a Knoppix CD to check your windows checksums. But then another problem on windows is that lots of files do change even during normal operations, so it's difficult to distinguish those changes performed by a rootkit from the innocent changes performed by the system itself because "the mouse has moved"...
To reiterate: The name of the game is reduced user permissions. The biggest problem with windows security (second biggest?) is that non doman users are Administrator by default. This means that any vulnerability can be exploited to install files where they should not be.
/windows or /program files, or write global registry keys.
Reduced user permissions (aka: creating a user account with permissions of "User") means that the user cannot install files to
Lets review: Administrator/root accounts have good authentication measures and are not used for everyday use. User accounts have limited ability to foobar your system, and ARE used for everyday work.
Unless you run Knoppix/ubuntu from CD/DVD, in which case just reboot.
The problem is not well-outlined by that question. In fact, the addition of the idea of closed or open source has nothing to do with it. Is the lack of attention paid to rootkits the source of the problem? Is this just the problem of the month that will be solved soon and replaced by another, bigger problem? The open/closed source question is important, but really doesn't have anything to do with the issue at hand.
Yes, taking the system offline with a "rescue disk" and comparing cryptographically-secure checksums against known good values does work. That's the standard for rootkit detection.
However, it's hella inconvenient, on many servers, to boot to a "rescue disk". Do you have any:
- servers that cannot tolerate the downtime required to scan?
- servers at remote locations where you can't insert bootable media easily (CDROM, floppy, etc.)?
- servers or workstations that just don't have bootable media capabilities (headless/PXE boot systems, anything w/o CDROM and floppy drives)?
So while it's a theoretical solution, it's also a shitty solution in practice. How many administrators are going to take the time to take ALL of their servers offline for this kind of review? None, that's right. Because none of their managers are going to be willing to tolerate that kind of expense, effort, man time, and downtime in order to check for something that they can't even understand.
Perhaps you should put the bong down now....
An old-timer with old-timey ideas.
Does this question really need to be asked any longer?
Has this story teleported us all back to the year 2000? Hit the reset button? Is Slashdot's new motto "No hugging, no learning"?
I thought this was common knowledge. I didn't really expect a "pro-business" administration to do anything about it, did you? It's actually one of the few things that makes the rest of us feel safer.
Britain has the same problem, by the way:
Also see The Register which quotes an upbeat Armed Forces Minister:
Perhaps the Minister can now explain why his desktop PC doesn't even run properly.
Les Hatton gives his opinion at IT Week:
you had me at #!
The trouble is that people do not listen. Unless they do not actually have admin access to the system, the chances are if a box pops up going "You need admin access to install this, if you have it then just shove in a username and password here:" people will do so regardless.
Hell, in XPSP2 it has this big balloon which pops up repeatedly going along the lines of "Listen you pillock, you don't have firewall or automatic updates turned on. You really do need these. Click here and I'll set it all up for you, it's about 3 seconds work!". I know people who, when have this pointed out to them, go "Oh I never read that, it just keeps popping up".
The only other thing to do with some people is forcibly configure things, which I'm sure we'd all hate. I use Active Directory to force fine-tuned update compliance and firewall settings across my home network, but home users can't even negotiate a simple dialogue going "Here's what you need to do, here's why you need to do it, here's how to do it".
So when IE pops up a convenient dialogue warning about the fact that HotPornDialer32.exe isn't signed and is in fact coming from a website with an invalid certificate, along with a warning about exactly why it's bad to click 'Install', people will do anyway. Perhaps a Firefox-esque forced delay is in order so people can't just click 'OK' without thinking.
How many people can read hex if only you and dead people can read hex?
> ..it is easier for the "bad" guys to find the security holes in open source
> software.
Is it? I wonder if this isn't a case where we don't look for proof becuase we've assumed we know the answer. Certainly, with open source, you can examine the source. But examining complex kernel source code is no trivial task. Given the large amount of practice and study on methods of hacking closed source systems, isn't is possible that this having the source doesn't really make it easier after all? That it just offers a method not available on closed source systems?
Sorry, but you're just plain wrong.
"This has been refuted time and again..."
Really? Got an example?
Try this one on for size: Firefox didn't have an security issues until it started becoming popular. The Mac had a few recently too.
Windows SERVERS are not the common target of these root-kits, the DESKTOP is because it IS the most popular.
If Joe Beerbelly used Linux on the desktop, you'd have to take away his ability to install programs to protect him. How useable is the system at that point?
"If Windows represent a bigger target, it SUPPOSEDLY has the "advantage" of being closed-source but the open source Unices, which are fewer in number SHOULD be an easier target."
Hogwash. Why would i target a system that fewer installs? I need an army of machines to get my spam out or to propagate my virus. *nix can't provide that right now.
I'm not saying that *nix is no good, but the logic that it is a smaller target therefore relatively unchallenged holds true.
I've had to deal with a highly infested windows system a few times. There are a lot of ways to deal with it; my favorite is reformat and hand them Mepis (or another easy distro) but some people can't handle that. I had one system in particular I couldn't completely clean up, I had logged in safe mode and cleaned, but there was still something (with no services or processes I could see running) going on. So I grabbed this Rootkit Revealer and it found my problems. It was a cinch to log in under dos and get rid of the problems (although in retrospect I could have used Knoppix or another LiveCD.
So there are good Windows rootkit revealers, you just have to look for them.
Most people run Windows as Administrator. Why is that?
Because a lot of applications WON'T WORK if they're run as normal users. Why is that?
Because the Windows mindset comes from DOS, where there were no restrictions on what an application could do. Anything could put something anywhere it wanted to. So the developers got used to being able to do that.
Suddenly here comes Windows, and suddenly your application can't save settings to the INI file in C:\WINDOWS anymore, because it doesn't have write access to that directory.
The correct thing is to get an upgrade for the app. But you can make it work by just running as an administrator. So they do. And Microsoft is complicit in this by not putting enough pressure on the application developers to fix their apps to not require administrator access.
Does the closed-source nature prevent people from defending against this? Not really. If everyone ran as root in their Linux systems all the time, there would be just as many exploits for Linux.
"That design being ?"
For one, better user accounts and software that doesn't require root access to run (Windows is just getting there now). For another, better separation of executables making it very easy to lock out system binaries while still giving access to applications (sbin and bin). Let's not forget that with XP Home, Windows still defaults everyone to being an administrator. I think even Pro does that for the first user created.
"On the server-side - and particularly the non-Windows server side - the single biggest vulnerability and attack vector - the user(s) - have a substantially different profile."
Maybe, but we're not always talking about social engineering. There are plenty of real software vulnerabilities. Social engineering must be dealt with by proper training.
"This is before even getting to the simple fact that unix has had 20 years more to harden itself from attackers."
Are you conceding that Unix is more secure, but using this as an excuse? Even if it's a valid excuse, it still means Unix is more secure, which is all that's important.
"Targets are not only chosen because they're easy, but also because they're useful."
I'd say that huge databases of credit card numbers and other personal information is very useful. I reckon that Unix servers are probably the most useful to break into since they're run by banks and the government as well as large corporations. Some turd's desktop is ok at sending spam, but the big hackers would be after the big servers.
The global economy is a great thing until you feel it locally.
I believe people will anyway -- they'll just learn that they have to wait a moment before they can click 'OK'... they still won't think. Maybe most of them never will.
..... My other computer is YOUR computer.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
How do you get around the stuff that likes root to be r-w, like /etc/mtab? I know it's frequently suggested to replace this with a symlink to /proc/mounts, but I also understand that some software doesn't like this. There is also some other stuff that likes to write into /etc, like /etc/dhcpcd/dhcpcd-eth0.info.
The living have better things to do than to continue hating the dead.
rootkit revealer.
The main problem when trying to get rid or detect rootkits on Windows XP/Server 2003 is that the "Safe Mode" is not at all safe at all.
By the time the system has booted far enough to get into "Safe Mode" it's already loaded so many DLL's, including the obfucating rootkit ones, that there's no way of accessing the filesystem to see the malware.
Now, if Microsoft had added a single-tasking, statically linked command line emergency system which would allow you to just manipulate an NTFS filesystem this would be the greatest step forward in rootkit/malware removal.
Alternatively, "Safe Mode" should load only those DLL's which are hard coded into the kernel to load, along with signatures and checksums to make sure (as much as you can) that those files haven't been tampered with.
As it is, the only way I've found of de-rootkitting machine is using Knoppix 3.6 and captive-NTFS!
Agrajag: "Oh no, not again!"
Actually, if fewer people ran 2K/XP as admin, there'd be a lot fewer problems with viruses and trojans - many (most?) are unable to install using "normal means" (ie: through a browsers or email client) using non-admin accounts.
I've given some serious thought to doing that myself, but I've never been hit badly enough to worry about it.
That said, some of the new rootkits are very, very good and kind of frightening. Do a bit of investigating at some of the hacker websites (like the guy who wrote the trojan which was used at Valve for the famous HL2 theft), and you'll see how sophisticated they've become since that very early version that was relatively easy to detect compared to what's out now...
For the newest trojans, aside from actually physically booting windows from a clean source (ie: bootable clean CD-ROM that can check file signatures and such), these new trojans are undetectable by even the most current scanning software (including scanning tools from sysinternals and such). They hook the OS early enough, and at such a low-level that they're completely invisible when you're running the OS itself.
N.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
This seems like a symptom of a different problem, not really a problem in and of itself. Users become complacent with dialog boxes, systray warnings, etc, because there are no limits or standards regarding when these warnings are issued.
In the same session I can recieve the "Take a tour of windows," "Your firewall is not turned on," "Clean up your desktop icons," and "Your hardware could not be installed" messages, all from the same section of the screen with the same look. Starting immediately after Windows installation users are taught those are 'random message bubbles' that could mean anything. Users just get discouraged when they have to acknowledge that they are sending information across the internet unencrypted, then acknowledge they are entering a secure site, then acknowledge they are leaving a secured site.
Is the closed source code of Windows preventing us from actively defending our systems?"
If you can go in to the source code and tinker with it, chances are you don't need any help defending your system in the first place.
The anti-spyware product SpyCatcher 2006 (free as in beer version) will detect rootkits when they are being run. It also uses some rootkit technology to foritfy itself from spyware trying to detect anti-spyware products.
--NerdMachine
This has probably already been said but I'm pissed and am having a casual browse before bedtime....
Sysinternals
If you must use Windows these fine folk are well worth a visit (should be mandatory...)
Sky subscribers are morons. They pay to be advertised at !
Why people feel the need to shove something down other people's throats or evangelically browbeat them is a mystery to me. I'm here to solve people's problems, not make life more difficult. I present the options that are within their budget, explain the distinctions without bias, then let them decide. BTW, since they have made an investment (client buy-in), I've also found they are willing to put more time into learning their systems and learning about protecting themselves. I sometimes think we, the geek community, are our own worst enemy! Sheesh.
"[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go