Slashdot Mirror


No Defense Against Windows Rootkits?

An anonymous reader writes "Spyware bad guys (and also phishing people) have started using rootkit technology to stay hidden in a system. The problem is that at the moment the technology to defend a Windows system from these things is very poor. In fact, antivirus companies have only just started adding basic anti-rootkit technology. So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"

15 of 510 comments

  1. It works both ways, but it's worse for MS by SilverspurG · · Score: 5, Insightful
    The problem is that at the moment the technology to defend a Windows system from these things is really poor.
    While it's less common on our beloved Linux platform it's pretty tough to defend against here, too. If someone can make use of a Firefox hole, couple it with a root exploit, and put a kmod in /lib/modules, it's all over. With the 2.6 kernel seeing an explosion in `lsmod`, I can no longer verify each and every module Debian loads as easily as I could in the 2.4 series.
    Does Windows source code unavailability prevent us from actively defending our systems?
    This would be a resounding YES.

    And Butler and Hoglund's recent book on rootkits was pretty nice. :)
    --
    fast as fast can be. you'll never catch me.
    1. Re:It works both ways, but it's worse for MS by EvilMonkeySlayer · · Score: 5, Informative

      Yep, all servers I've built which use Linux and which are accessible from the outside do not have loadable module support enabled at all.
      It prevents a large swathe of, if not all, rootkits from running.
      This is one of the areas where I think Linux (and open source software in general) has closed source software beat: you can easily customise the kernel to your own particular situation in which the machine will be running. Being able to have your own custom-built kernel with stuff like grsecurity etc. is invaluable.

    2. Re:It works both ways, but it's worse for MS by Anonymous Coward · · Score: 5, Informative

      Yes, you can, and it's even recommended.

      Other steps you can take are :
      -not having dev tools installed on your servers (quite often source rootkits require them)
      -keeping copies of /bin and /usr/bin on some ro media (either a CD or on a separate server mounted ro), and checking them against your working copies regularly.
      -running chkrootkit :-)
      -Mount / ro. You need to set up separate space for /tmp and /var (not to mention /home) but this will defeat 99% of the automated rootkits; of course, if the attacker gets in personally, all bets are off...
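
The "keep a read-only copy and check it against the working one" step above, as an added example in Python (mine, not the commenter's; the commenter posted no code). It hashes every regular file under a trusted tree and under the live tree and reports what was modified, removed or added. The directory names and the trojaned-`ps` scenario in `demo()` are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root.

    Symlinks are skipped so a kit cannot satisfy the check by pointing a link at
    the pristine copy while the real binary lives elsewhere."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[str(path.relative_to(root))] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Diff two hash maps: baseline comes from the ro media, current from the live host."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: a pristine copy and a live /bin after a kit replaced ps,
    removed netstat and dropped a new binary. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        ro_copy, live = Path(tmp, "ro_copy"), Path(tmp, "live_bin")
        for d in (ro_copy, live):
            d.mkdir()
            (d / "ls").write_bytes(b"ls-binary-bytes")          # constructed contents
            (d / "ps").write_bytes(b"ps-binary-bytes")
            (d / "netstat").write_bytes(b"netstat-binary-bytes")
        (live / "ps").write_bytes(b"trojaned-ps")                # swapped binary
        (live / "netstat").unlink()                              # removed binary
        (live / ".sshd_backdoor").write_bytes(b"backdoor-bytes") # new file
        return compare(hash_tree(ro_copy), hash_tree(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the comparison from the read-only host, or from a rescue boot, rather than on the suspect machine itself: a kernel-level kit can lie to open() and read() on the compromised host, so hashing the live tree through a compromised kernel only catches the lazier kits. Store the baseline hashes on the same ro media as the copies.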

  2. I fear not your rootkits! by tsalaroth · · Score: 5, Funny

    Because Windows has no root!

    1. Re:I fear not your rootkits! by AKAImBatman · · Score: 5, Informative

      Right. We should rename them, "SystemKits".

      (For those who don't get it, "System" is a login with higher privileges than even Administrator. There's nothing that System can't do. Just to brighten up your day, it's also the default user for Windows Services. Feel safe yet?)

    2. Re:I fear not your rootkits! by Tony+Hoyle · · Score: 5, Interesting

      System (more accurately LocalSystem) can't access network resources.

      So there is *something* that they can't do.

      Try

      at (now plus a minute) /interactive cmd.exe

      voila! Interactive system shell!

  3. Windows Rootkit detection Tool by republican+gourd · · Score: 5, Interesting

    Shameless plug: I've written a script that should be able to help find any rootkits that are listening on tcp/udp on windows.

    Here's the link

    What it does is attempt to handshake with itself on every available tcp or udp port. If the handshake fails, that is an indicator that somebody else is already camping out on that port.

    Source is GPL, feedback is always welcome.

  4. SysInternals' by wumpus188 · · Score: 5, Informative

    .. RootkitRevealer is your friend.

  5. MS(ux) for a few reasons, this is just one of them by jeremy111 · · Score: 5, Informative

    Let us not forget the wonders of ActiveX controls, not to mention IE's ability to install items without authentication. As far as that is concerned ANY installer should have to be authenticated as an ADMINISTRATOR before the install can proceed. I think this small step would curb many of the issues with spyware, adware, toolbars, etc.

  6. Strider ghostbuster... by nweaver · · Score: 5, Informative

    Strider GhostBuster, a Microsoft-developed technique for detecting all persistent and stealthy rootkits.

    Just convince Microsoft to make it available.

    There is also SysInternal's Rootkit Revealer, which although not quite as general, is still hard to fool.

    --
    Test your net with Netalyzr
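
Both tools mentioned above work by taking the same inventory two ways and diffing the views: RootkitRevealer compares what the Windows API reports for the file system and registry with what a raw read of the volume and hives shows, and GhostBuster compares the "inside the box" view with one taken from outside. As an added example (mine, not either tool's code and not Windows), here is the same cross-view idea applied to process IDs on a Linux or other POSIX host: the inside view is what /proc (or `ps`) lists, the outside view is asking the kernel about every candidate ID with kill(pid, 0). An ID the kernel says exists but the listing omits is what a process-hiding kit produces. The `99998` fallback ceiling where pid_max is not exposed is an assumption.

```python
import os
import subprocess
from pathlib import Path

PROC = Path("/proc")


def listed_ids():
    """Inside view: every process (and, on Linux, every thread) the normal
    enumeration interface admits to. Thread IDs are included because kill(2)
    accepts a TID, so leaving them out would flag every thread as hidden."""
    if PROC.is_dir():
        ids = set()
        for entry in PROC.iterdir():
            if not entry.name.isdigit():
                continue
            ids.add(int(entry.name))
            try:
                ids.update(int(t.name) for t in (entry / "task").iterdir())
            except OSError:
                pass  # the process exited while we were walking it
        return ids
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def probed_ids(candidates):
    """Outside view: ask the kernel about each ID directly with signal 0.
    ESRCH means no such process; EPERM means it exists but is not ours."""
    if os.name != "posix":
        raise NotImplementedError("os.kill(pid, 0) is a POSIX existence check only")
    alive = set()
    for pid in candidates:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def max_pid():
    """Upper bound for the brute-force range."""
    try:
        return int((PROC / "sys/kernel/pid_max").read_text())
    except OSError:
        return 99998  # assumed ceiling where pid_max is not exposed


def cross_view_diff(listed_before, probed, listed_after):
    """IDs the kernel says exist but neither listing shows. Two listings bracket
    the probe so processes born or dying mid-scan are not reported as hidden."""
    return sorted(probed - listed_before - listed_after)


def find_hidden(limit=None):
    """Run the full cross-view comparison over 1..limit and return hidden IDs."""
    limit = limit or max_pid()
    before = listed_ids()
    probed = probed_ids(range(1, limit + 1))
    after = listed_ids()
    return cross_view_diff(before, probed, after)


def self_check():
    """Sanity check on our own PID: it must appear in both views."""
    me = os.getpid()
    return {"own_pid_listed": me in listed_ids(),
            "own_pid_probed": me in probed_ids([me])}


if __name__ == "__main__":
    print(self_check())
    print("exist but not listed:", find_hidden())
```

The usual limits of a cross-view detector apply here too: a kit that hooks the kernel's own signal delivery can lie to the outside view as well, and inside a PID namespace (a container) the host's processes answer ESRCH, so a clean result only speaks for the namespace you ran it in.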
  7. Unacceptable for national defense by keraneuology · · Score: 5, Interesting
    Since Bill Gates became the 2nd largest stockholder in Newport News Shipbuilding and guaranteed that the Ronald Reagan class of aircraft carrier will be Windows 2000 based, how does the Navy deal with this issue? Or have they addressed it at all? The last thing we need is for just one person in that population-5,000 floating city with malicious intentions to pop a rootkit into the mess that is navigation, fire control or general operations.

    So we are left with two options:

    a) Windows 2000 is impervious to rootkits, either off the shelf or through modifications unavailable to the general public

    b) The US Navy is running an unsecurable OS for the most advanced surface ships in the world - with nuclear reactors to boot.

    --
    If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
  8. Rootkit Responsibility by acvh · · Score: 5, Insightful

    "the FU rootkit, which I wrote, is intended to demonstrate. It is not malicious but more proof of a premise."

    "I do know that FU is one of the most widely deployed rootkits in the world. [It] seems to be the rootkit of choice for spyware and bot networks right now"

    He wrote and distributed a rootkit for Windows; for educational purposes only (!). It becomes one of the most widely used tools to propagate spyware and trojans. Does he bear any moral responsibility for this?

    I would answer positively. If I leave a loaded gun lying on the sidewalk and someone picks it up and shoots someone else, I think I may get some bad karma.

  9. They keep flogging this outdated line of reasoning by haruchai · · Score: 5, Insightful

    From http://www.viruslist.com/en/analysis?pubid=168740859

    Currently, malicious code for Windows is more common than for UNIX because Windows is the most widely used operating system. However, if UNIX starts to gain popularity, then the situation will naturally change; new rootkits for UNIX will be written, and new methods of combating them will be developed.

    This has been refuted time and again, yet the various Windows-friendly analysts continually trot this one out as a rationale for the (admittedly much improved but still) relatively weak security design of M$ Windows.

    Newsflash for those who didn't get the memo: Windows leads by a huge margin ON THE DESKTOP. On the server side the disparity, if one exists, is a completely different story. Also, since there are many open source versions of Unix, such as Linux, *BSD, and Solaris, some of which have been available for more than a decade, it should have been relatively easy for Windows-loving, Unix-hating programmers to have designed the Unix-slaying, self-propagating daemon years ago. To date, the only thing that has come close was the Morris worm way back in the late '80s.

    So guys, nice try - your explanation (or rationale) is leaking badly. If Windows represents a bigger target, it SUPPOSEDLY has the "advantage" of being closed-source, but the open source Unices, which are fewer in number, SHOULD be an easier target.

    It's time to focus on what the true flaws of each platform are - their relative prevalence is no longer relevant to the discussion ( aka flamefest ).

    --
    Pain is merely failure leaving the body
  10. "Windows for Warships": old old news by toby · · Score: 5, Interesting

    Is the closed source code of Windows preventing us from actively defending our systems?

    Does this question really need to be asked any longer?

    Has this story teleported us all back to the year 2000? Hit the reset button? Is Slashdot's new motto "No hugging, no learning"?

    b) The US Navy is running an unsecurable OS for the most advanced surface ships in the world - with nuclear reactors to boot.

    I thought this was common knowledge. I didn't really expect a "pro-business" administration to do anything about it, did you? It's actually one of the few things that makes the rest of us feel safer.

    Britain has the same problem, by the way:

    The Royal Navy's new, state-of-the-art destroyer has been fitted with combat management software that can be hacked into, crashes easily and is vulnerable to viruses, according to one of the system's designers who was fired after raising his concerns. ... he told Channel 4 news that "the use of Windows For Warships puts the ship and her crew at risk, and the defence of the realm".

    There are also plans to install a similar Microsoft Windows-based computerised command system on Britain's nuclear submarines. Wilson said: "It is inconceivable that we could allow the possible accidental release of nuclear missiles. The people who survived such an exchange, if any, would certainly regard such a thing as a crime against humanity. And I can't help feeling that even planning to deploy such systems on Windows, with its unreliability and lack of security, is itself some sort of crime in international law."

    Also see The Register which quotes an upbeat Armed Forces Minister:

    Fabricant had asked if there had been an external review of the Type 45 decision, and from Ingram's answer we can perhaps infer 'No'. He then asked for a cost comparison between Unix and Windows 2000 as the CMS OS, and Ingram simply said: "The cost of implementing an operating system for the Combat Management System in the Type 45 is a matter for the prime contractor, BAE Systems, and their sub-contractor. The Department does not have, or require, visibility of costs at that level of detail."

    Fabricant also asked what systems had been put in place to cope with a failure, and what steps had been taken to ensure the Win2k CMS in the Type 45 was reliable. Aside from affirming that Win2k was "the lowest risk choice" and that BAE was on top of "residual risks" (Are these cookies? Spyware?), Ingram said: "The system design has built-in redundancy, with automatic, and transparent, switch-over to a back-up system if the primary system has a problem. This would provide continuity of operation and ensure that no data was lost. The system design also ensures that comprehensive hardware mechanisms will be in place to avoid any other safety or technical issues."

    Perhaps the Minister can now explain why his desktop PC doesn't even run properly.

    Les Hatton gives his opinion at IT Week:

    ... the Royal Navy is all set to go to sea with Windows on warships. Am I alone in thinking that this has to be one of the most terminally stupid IT decisions of the century?

    ...this was first attempted in the mid-1990s. There was a wonderful description of the then-latest generation of a US missile cruiser, the USS Yorktown, having to be frequently rebooted because its underlying network of computers running Windows NT crashed somewhat inconveniently. Apparently the design meant that critical systems such as steering could be lost in mid-battle.

    So here we are again. This time the dec

    --
    you had me at #!
  11. Re:MS(ux) for a few reasons, this is just one of t by jacksonj04 · · Score: 5, Insightful

    The trouble is that people do not listen. Unless they do not actually have admin access to the system, the chances are if a box pops up going "You need admin access to install this, if you have it then just shove in a username and password here:" people will do so regardless.

    Hell, in XPSP2 it has this big balloon which pops up repeatedly going along the lines of "Listen you pillock, you don't have firewall or automatic updates turned on. You really do need these. Click here and I'll set it all up for you, it's about 3 seconds work!". I know people who, when have this pointed out to them, go "Oh I never read that, it just keeps popping up".

    The only other thing to do with some people is forcibly configure things, which I'm sure we'd all hate. I use Active Directory to force fine-tuned update compliance and firewall settings across my home network, but home users can't even negotiate a simple dialogue going "Here's what you need to do, here's why you need to do it, here's how to do it".

    So when IE pops up a convenient dialogue warning about the fact that HotPornDialer32.exe isn't signed and is in fact coming from a website with an invalid certificate, along with a warning about exactly why it's bad to click 'Install', people will do anyway. Perhaps a Firefox-esque forced delay is in order so people can't just click 'OK' without thinking.

    --
    How many people can read hex if only you and dead people can read hex?