Hackers Serving Rootkits with Bagles
Iran Contra writes "Security researchers at F-Secure in Finland have discovered a rootkit component in the Bagle worm that loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners. Bagle started out as a simple e-mail borne executable and the addition of rootkit capabilities shows how far ahead of the cat-and-mouse game the attackers are."
Or is it just me who's been reading about rootkits and keyloggers now becoming standard payloads in worms/virus/web exploits?
In the end, they're just another piece of cut and paste code for script kiddies.
He tried to kill me with a forklift!
Next time on Slashdot: "Bagle.GE authors sued by Sony for rootkit copyright infringement!" Honestly though, maybe we should all just start carrying around rootkits on our USB keys. Plug it into your aunt's computer, and she'll never forget your birthday again (even if she wanted to).
Fragging my father since 2004
I keep waiting for a virus based on genetic algorithms. I'm certain that it's only a matter of time.
// file: mice.h
#include "frickin_lasers.h"
It's a Windows security alert! I call dupe! After all the WMF flaws, this latest IE exploit and Vista delays, what else is there on /.?
"Sure there's porn and piracy on the Web but there's probably a downside too."
This has been written about before on the F-Secure security blog. There's also a nice pic of what all the different parts of Bagle look like and how they interact.
WARNING: May contain traces of nut
It definitely isn't, trust me. I'm a ...biologist.
j pg is a nice picture of C.elegans, The Model Worm (r).
I mean the picture, of course: http://images.slashdot.org/topics/topicworms.gif -- it is an insect larva, not a worm. To be more specific -- probably a butterfly caterpillar.
You want to see a worm? Here -> http://www.desc.med.vu.nl/NL-taxi/ICE/C_elegans1.
Mark me OffTopic if you will (it's Friday and I'm feeling brave, so I'll take that risk), but when I first read this, I read it as:
"Hackers Serving Rootkits with Bagels"
...and I started to think how cool a hacker café would be... then I got to wondering what else you might be able to order at a hacker café:
Trojan Muffins (secret filling might bring surprise!)
DDoS Donuts (very tasty, but eat too many and they gang up on you)
L33t Latté (quintuple espresso with a single shot of milk)
Keylogger Cakes (be careful, they're watching)
...and so on (I shall spare you the rest).
Ah well, as they say in these parts 'ah'll get me coat'...
Polly wants a "Cracker"
Thank you. I was about to have to do that.
Polly gets a "Bagle" instead. Polly is annoyed!
Look out!! He's got a chair!!!
May the Maths Be with you!
SysInternals' free program RootkitRevealer is the best way I know to reveal the presence of rootkits.
In general, any program SysInternals provides is the best in its field, I've found.
Try the just updated (March 7, 2006) version of Autoruns to find nasty stuff running under Windows.
--
Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. citizens pay to kill Iraqis. Improvement?
birdie num num
I got so tired of explaining it over and over. Ultimate Spyware/Virus Blocker. If you think there is something I need to add or remove then please leave a comment.
:)
My friend is opening up a coffee shop that will have an AP. I will make some copies of Ubuntu for the customers to use.
Now where do I find a dentist for the rootkit I received when I didn't take my own advice?
Gizmos Gagets For Ninjas
No matter how nasty worms get a user still has to execute them for his/her PC to become infected -- and even then with a decent setup there's still the possibility/probability of a correctly-setup anti-virus prog checking the message between the user's click(s) and the execution of the malware.
So, malware makers are not so much "ahead of the game" as "still reliant on the problem that exists between the keyboard and the chair."
My sig is too lon
I can't believe you responded to that! Although it did make me laugh... most of the points were hilarious, especially about "no databases for linux as powerfull as MS Access"! I'd love to know what people like Oracle & Sun(PostgreSQL) would say about that.
Time is an illusion. Lunchtime doubly so. - Douglas Adams
I'd like to disagree, but with the growing prominence of organized crime, highly profitable spam, and so on, I can't. I'm mildly surprised that one of the bigger organizations hasn't gone out and found someone who can do what they need and has few scruples about doing it when the money is right.
I can only assume that it's not worth doing - i.e. systems to crack are in such plentiful supply already that there's just no need to bother with real effort.
airplanes into buildings, bomb innocent people, or any such violent destructive buillshit; who cares if he does hate MS?
Saturday is April 1. Slashdot will be shut down. Sorry for the inconvenience.
Your O/S locks with Bagels, sir.
He who knows best knows how little he knows. - Thomas Jefferson
"no databases for linux as powerfull as MS Access"! there is an MS Access for linux now? ;) If so, are Ballmer's kids allowed to use it or not?
molmod.com - computing tips from a molecular modeling
Us canucks are way ahead of the rest of the world...;-)
:-)
True leaders in operating systems and bagels...;-)
There is indeed already a linux caffee...in Toronto, Canada!
http://www.linuxcaffe.ca/
pretty much all of those fall into two categories.. "wrong" and "craftily worded"
the ones in the second category all start with "you can't admit that" - they are craftily worded because they are technically true: I won't admit to things that are blatantly false
A guilty conscience means at least you've got one.
11. You cannot admit that linux sucks when it comes for gaming/home entertainment or education.
/runs back to WoW
I play World of Warcraft on Linux... does that count?
Mac users typically know very little about windows or linux, and yet they still claim they use the "best" operating system?
The Mac equation is a minimal set of software options and guaranteed interoperability. It's idiot-proof. That's what people like about it.
It's also IMHO what sucks about it.
I have a Mac, I have a PC and I have an okay Linux box.
The Mac is for sure the sexiest, but it's option-poor. Mac users feel free to flame away, but if you can't back it up with a logical comparison, then you've only furthered my point.
------ The best brain training is now totally free : )
The troll is weak with this one.
"Made up/misattributed quote that makes me look smart. I am on
Search Results for: Bagle.GE produced zero results
I don't know where this myth comes from, but you only need to look at Microsoft's own security bulletins to see that this just isn't the case. Unchecked buffers resulting in buffer overflows mean that a cracker can install and run any code he likes, without you ever knowing about it.
For example, here is an excerpt:
Websense researchers found that the rigged site exploits the unpatched createTextRange vulnerability to download and install a keystroke logger without any user action. Worse than that, the bad guy doesn't need to install a virus, so your virus checker probably won't notice. And even spyware scanners will only work if the bad guy uses code that the AdAware guys and their friends know about.
This, my friends, is why everyone is switching to Firefox.
Hey, who needs a sig? Not me!! Oh wait...
... who doesn't want free yummy bagles to eat? Oh, you mean the computer types... [grin]
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
1. I definitely don't ignore flaws in GNU/Linux software, I run promptly off and patch them. As for Windows flaws, I find them quite interesting because they're usually not just a regular typo kind of flaw but something more deep in the architecture, the kind that I want to learn to avoid as a budding computer programmer. Plus I'm a Windows sysadmin and so these will quite possibly affect me personally.
2. I've actually never yelled anything on Slashdot (by yelling, I'm assuming you mean typing with caps on).
3. I have one penis, that is enough. Thank you.
4. I don't hate Windows, it's more of a strong distaste, like the feeling I have for asparagus. Also, you'll never see me spending money on Windows emulation software. I've played with Wine to get IE to work in Linux, but that is because I'm a web developer and I need to test stuff, not because I enjoy that travesty.
5. I'm not quite sure what this means, but I have it on good authority that several large businesses use it on their desktops. NASA is one example, IBM is moving there, and I think European companies have a disproportionately large number of deployments.
6. I don't know any Linux user who would be ashamed that people don't know what Linux is. It's a bug, but we're working on it. https://launchpad.net/malone/bugs/1
7. Somebody else already spoke to this.
8. Are kids masochists for playing with Legos for hours on end? I do this because I enjoy it. If you don't, there are many distros that do not require that sort of thing.
9. Funny, I saw an article in NewsForge about a professional publisher that used about half Linux, half Windows.
10. I know nothing about video editing, don't really care either.
11. Depends on what you mean. For the 'gamer' types (you know who you are) that is true. It's the main reason I still have a copy of Windows. For most people I don't think that's too much of an issue. As for educational software, there's plenty for Linux.
12. I actually find this more true of Windows users than Linux users.
13. These lunatics are probably smarter than you or I will ever be. And I don't think anyone here has a problem with clicking. It's just really inefficient for some tasks.
14. Yes, and your statement was incredibly factual. Pot, meet kettle.
15. I'm deeply confused what 'gentoo', 'lgx', and 'rpm' have to do with teenagers.
16. I'm actually quite happy with win32codecs.
17. No, I'm starting to think your post should have been modded Funny.
18. I'm not much of an office user, but OpenOffice works quite fine for me. I love the PDF export option, and its equation writing capabilities suit me well as a math student. Sure it has a few issues, but I like it better than MS Office.
19. I've never had problems with recording in Gnome. It's incredibly easy too.
20. I have a CD-RW, DVD R/RW and it can read and write both CDs and DVDs fine in Linux.
21. I didn't need any 3rd party software to use X. To get good graphics acceleration I needed the non-free fglrx driver. But the same would be true in Windows.
22. I'm not a Usenet user. But I do find emails from Outlook users with their tiny blue fonts annoying so I can sympathise.
23. Did I miss something? What happened to IBM, Red Hat, Novell, HP, and several other large companies?
24. That's fine with me. I'll continue to give my money to the companies that stay.
25. I'm not an authority on the issue. But I've heard that the Windows one would be better off to be non-existent too.
26. I've set up Windows about 150 times now. It takes about 3-5 hours to get the computer into a state where it is ready to use (this includes patching, and installing important software like a real web browser, office software, a firewall, AV, etc). An Ubuntu install is about 1 hour.
27. All my USB stuff Just Works(tm). Same with my brother's, and anyone else I've seen.
28. I used linux before I knew s
While I agree with you, you're correct in your assessment, I think you give the little maggot too much credit. I feel that the only way this schweinehund could have gotten something this thought out is from somebody else. Possibly M$-originated FUD?
Assuming that programmers use logic as I do in my programming, why make these things? If you're out to prove something, why not make a useful program that gets noticed merely because of how great it is as it helps people do something, rather than something harmful and invasive?
No matter how hard I try to figure out the reasoning behind creating such devices of invasion, the more confused I get. The only thing that it sounds like is that since they can't physically bully people around they figure they'll do it cyberally(?). If it's a point they're trying to prove, besides the fact that they are complete jackasses, then I do believe it has been lost in the translation. I'd much rather be known for creating something terribly awesome, not awesomely terrible.
I, for one, would rather be infamous, than famous.
It's already happened, but not through the intentional use of genetic algorithms. Back in the late 1980's, there was a virus on MSDos that was dirt simple: it would attach itself to two other
Enter natural selection.
As with any repeated copying process, errors eventually creep in. Most of them, of course, undoubtedly caused the virus to fail. But by the early to mid 1990's, there were at least two variants that were seen in the wild that 1) were clearly the result of copying errors, and 2) increased the spread of the virus.
Friday the 13th/Benign did not delete files; thus, it would not suffer a population collapse every seven months or so as did the original.
Friday the 13th/Promiscuous was a sub-type of benign that would reinfect files that had already been infected (thus possibly displacing a non-promiscuous version). This made it slightly easier for users to detect, but gave it a competitive advantage over its rivals.
I think the main reason we don't see this happening with newer viruses is that they are much more complicated and there are more mechanisms in place to prevent copying errors, both of which would drive down the rate at which useful mutations appear.
--MarkusQ
Sorry, but both are historically valid descriptors.
//Information does not want to be free; it wants to breed.
Years.. no, decades ago, everyone was scared shitless of boot sector viruses. Today it's rootkits. This isn't rocket science, it's about friggin time these things hit the mainstream. It's obvious that today's software relies on many layers of abstraction provided by the OS. Infiltrate one of those layers and you've fooled the entire system. It's no different than the men with wires going to their ears saying "You didn't see anything, move along", except your software's too dumb to see that the man is lying. There is no ultimate solution to this, software is software and no matter how well you try to secure the OS, all it takes is a little patch to disable all your security. The closest thing to a secure OS would be some sort of read-only boot device, and I really mean READ-ONLY, not just "mount -o ro". Boot off the DVD-Rom.. even then, just one glitch in the programming could open up the whole system to in-memory patching.
What we CAN do to relieve this plague is take away the motivation behind viruses. They don't exist just for fun, they serve a purpose.. DDoS is a lucrative racket. If we can somehow make an infected PC less valuable to the attacker, to the point where it's not even worth infecting, the virus threat will slow down to a crawl. Why don't we have more Linux viruses ? Because it's a high-risk, low-potential target. If Microsoft could accomplish the same level of security with the average Windows PC, virus authors would have to go out and get real friggin jobs for once.
-Billco, Fnarg.com
Is what you eat. Bagle is l33t.
1. I don't dance.
2. I only yell troll when they are unsubstantiated "facts".
3. I have all the support I need. I can even buy commercial support if I don't. I also have the option to have Dell or IBM support any system they ship with Linux installed. That's as much as they do for Windows as well.
4. I don't emulate, I run a dedicated win2k server almost once a month to do menial tasks.
5. Concede, unless you want to count Pixar, DreamWorks, and countless other rendering studios that use Maya on Red Hat while using Xserves.
6. Concede.
7. Mac and Linux both use CUPS. It isn't that difficult to transfer drivers. Try again.
8. I don't look at scripts. Never had to, all of my hardware works just as is (granted I only do basic stuff: DVD burning (no ripping, see #4), DVD erasing, watching movies, listening to music, surfing the net).
9. I believe Jon "Maddog" Hall would disagree. All of his books are done with TeX or LaTeX.
10. See #5. I don't know about live action, it's not my area of interest. From what I hear, Mac is the way to go for that.
11. My idea of a riveting game is Frozen Bubble. But I concede on games only for this point. I contest the rest of #11.
12. I have no problems understanding Windows, I'm just too cheap to buy it.
13. Haven't used KDE, CDE, or Gnome lately, have you?
14. Pure bull intended to incite fury.
15. Troubled teenagers, no.... then they'd be pns, psy, or other such diatribe. Just shows a penchant for unintelligible acronyms.
16. I have had no problems playing WMVs. Also, I have a win2k system.
17. Access is a front end. The database is SQL. We have DB2, MySQL, PostgreSQL, Oracle. We don't have a pretty front end, we only have serious databases. You can do everything from pure SQL on the database server that Access installs and uses without ever opening up the Access application.
18. I personally have no need to pay 400 for a word processor. OpenOffice, WordPerfect, DOS editor work for my purposes. I have never needed to use VB script.
19. NeroLinux is OK, I like K3b. Both will do DVD-/+RW DL.
20. I don't know about DVD-RAM. How popular is that format? See #19.
21. All of Linux, except the kernel, is 3rd party. Don't see why that is bad as long as it is a quality offering. Why does 3rd party even matter when quality should be the main judging point?
22. I have yet to personally kill a file domain, and I will call BS when I see it, regardless of the OS it was typed on.
23. Almost non-existent, only Novell, Red Hat, and IBM will support most anybody. Dell will support their customers. I believe there are others as well; does Canonical offer support?
24. Companies are switching both directions. Many are leaving Windows because of virus problems, others are leaving Linux because of dependency hell. This statement chose to ignore one side of the argument in order to make an argument. This was pure bias.
25. Terminal Services. That is Microsoft's name for VNC. Please check again for VNC options in Linux. I know X.org has a client. OpenVNC is another option. Please research your FUD before you spout it. OpenVNC is compatible with Windows Terminal Server I believe.
26. Setting up servers is quicker, but I have never had a Windows install take a couple of minutes. My fastest OS install was a very minimal Linux install. Point is basically substantiated, but misleading at the same time.
27. Have you run a modern Linux distro? I have had no problems using my USB minidisk drive as a removable HD, my USB HDs, my thumbdrives, my USB burners, USB modems, USB NICs, and I only have USB printers. Not a problem since kernel 2.6 came out.
28. Anyone is a moron if they take Slashdot as gospel. Always do your own research.
29. Attack the site when you cannot attack the OS? You are sinking to the level of those you are flaming.
30. Strongly disagree. My sister has no clue, but is running Linux (I set it up and taught her how to use the net).
31. Linux can crash. Just run anything from ATI. Windows still crashes too.
Stop signs are only Suggestions
> no matter how hard I try to figure out the reasoning behind creating such devices of invasion, the more confused I get. The only thing that it sounds like is that since they can't physically bully people around they figure they'll do it cyberally(?). If its a point they're trying to prove, besides the fact that they are complete jackasses, then I do believe it has been lost in the translation. I'd much rather be known for creating something terribly awesome, not awesomely terrible.
Some people enjoy creating, others enjoy disrupting. Defacements, viruses, trolls... just different ways of doing the same thing.
Sheesh, evil *and* a jerk. -- Jade
"being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word hacker to describe crackers; this irritates real hackers no end." Great esr quote from http://www.catb.org/~esr/faqs/hacker-howto.html.
There is also a history of slashdotters complaining about the use of "Hacker" instead of "Cracker" whenever the term Hacker is used (sometimes regardless of the context). Hence the taking the piss out of such slashdotters...
Don't take the above poster too seriously. He doesn't.
Or do you just work there?
The trick to malware writing in DOS is to hide from DOS. We do that by placing malware in some unclaimed memory and rapidly changing it to keep malware scanners from pattern matching the malware.
Windows changed that. Malware needs to be recognized by Windows in some form, or else it's not going to get its messages and it's not going to be able to access the wonderful WinAPI, which will give it more power and make it smaller. There's no point in a spy changing their clothing to disguise themselves if they always have to wear a nametag.
Rootkits are the obvious solution to this problem, because they allow a program to be recognized by Windows and hide from programs using Windows to attempt to recognize it. We're only seeing rootkits now because it's getting harder to disguise malware by giving it a nondescript name.
~~~
Click here, you know you wanna!
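The hide-from-the-API mechanism the comment above describes, and the service-table (SSDT) hooking mentioned elsewhere in the thread, modelled as an added example that is not code from the original thread, from F-Secure or from Bagle: a constructed dispatch table stands in for the kernel's service table, a hook filters the rootkit's own process out of enumeration results, and a cross-view check of the kind RootkitRevealer performs (API view versus raw data) exposes the discrepancy. All process names, pids and function names are constructed; nothing here touches Windows.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model, not Windows code: a dispatch table (standing in for the
 * kernel's SSDT) serves process enumeration, a Bagle-style hook filters the
 * rootkit's own process out of it, and a cross-view check compares the hooked
 * API view with a raw read of the same data. */
#define MAX_PROCS 16
#define HIDDEN_TAG "bagle"     /* constructed: substring the hook filters out */
#define SVC_ENUM_PROCS 0

typedef struct { int pid; char name[32]; } proc_t;
/* Ground truth: the kernel's own process list (constructed sample data). */
static const proc_t kernel_procs[] = {
    {    4, "System" },
    {  512, "explorer.exe" },
    {  700, "bagle_loader.exe" },   /* constructed: the process being hidden */
    { 1024, "firefox.exe" },
};
#define N_KERNEL (sizeof kernel_procs / sizeof kernel_procs[0])
typedef size_t (*enum_fn)(proc_t *out, size_t max);
/* The genuine service: copies the kernel list out unchanged. */
static size_t real_enum_procs(proc_t *out, size_t max) {
    size_t n = N_KERNEL < max ? N_KERNEL : max;
    memcpy(out, kernel_procs, n * sizeof *out);
    return n;
}
/* Dispatch table that API calls go through; the rootkit overwrites this slot. */
static enum_fn svc_table[1] = { real_enum_procs };
/* Rootkit hook: run the real service, then drop entries matching the tag. */
static size_t hooked_enum_procs(proc_t *out, size_t max) {
    size_t n = real_enum_procs(out, max), kept = 0;
    for (size_t i = 0; i < n; i++)
        if (strstr(out[i].name, HIDDEN_TAG) == NULL)
            out[kept++] = out[i];
    return kept;
}
/* Integrity check: does the table slot still point at the known service? */
int table_entry_tampered(void) { return svc_table[SVC_ENUM_PROCS] != real_enum_procs; }
/* Install (on=1) or remove (on=0) the hook; returns the tamper flag afterwards. */
int set_hook(int on) {
    svc_table[SVC_ENUM_PROCS] = on ? hooked_enum_procs : real_enum_procs;
    return table_entry_tampered();
}
/* What a scanner using the normal API sees: whatever the table now points at. */
size_t api_view(proc_t *out, size_t max) { return svc_table[SVC_ENUM_PROCS](out, max); }

/* Cross-view check: every pid in the raw view must also appear in the API view.
 * Returns the number of discrepancies; their pids go to hidden[] (pass NULL
 * with max_hidden == 0 when only the count is wanted). */
size_t cross_view_check(int *hidden, size_t max_hidden) {
    proc_t api[MAX_PROCS], raw[MAX_PROCS];
    size_t n_api = api_view(api, MAX_PROCS);
    size_t n_raw = real_enum_procs(raw, MAX_PROCS);   /* bypasses the table */
    size_t found = 0;
    for (size_t i = 0; i < n_raw; i++) {
        int seen = 0;
        for (size_t j = 0; j < n_api && !seen; j++)
            seen = (api[j].pid == raw[i].pid);
        if (seen) continue;
        if (found < max_hidden) hidden[found] = raw[i].pid;
        found++;
    }
    return found;
}

int main(void) {
    int hidden[MAX_PROCS];
    printf("clean: %zu hidden\n", cross_view_check(hidden, MAX_PROCS));
    set_hook(1);
    size_t n = cross_view_check(hidden, MAX_PROCS);
    printf("hooked: %zu hidden, table tampered=%d\n", n, table_entry_tampered());
    for (size_t i = 0; i < n; i++) printf("  pid %d missing from API view\n", hidden[i]);
    set_hook(0);
    return 0;
}
```

The two checks fail in different situations: the cross-view diff catches the hidden process whatever the hook looks like, while the table integrity check only works if the detector has a trustworthy record of what the slot should contain.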
I think the only way to get ahead of these rootkits is to make the OS its own rootkit. That is, caging: executing the apps in virtual WinXP environments and letting them modify their own registry entries.
I think I saw some virtualization software out there, but I don't remember well.
I thought it was funny as well.
Not sure why the GP was modded Offtopic, Funny would have been better.
It's apparent to this user that the AC poster is obviously a closet Linux zealot.
As far as which OS is better, I'm on the fence. I like Linux for the control over the OS it offers, and I like Windows because I can play my games, about all it's good for.
I am Bennett Haselton! I am Bennett Haselton!
Issue 55 had a piece that described the SSDT hooking that Bagle now employs. I'm pretty sure someone identified Bagle's use of this prior to McAfee but I can't put my finger on the source.
lol jews did rootkit
It'll probably just result in them holding it against you. Especially if you let them lose their photos and such.
Hard to tell what the solution is. You could pretend to not know anything about Windows to get them off your back, but then they'll probably look down on you for that and get the impression that there's nothing wrong with Windows. Perhaps the best option would be to set up a Linux dual boot, and let Windows go to hell. The malfunctioning copy of Windows would act as a reminder of what they'd have to deal with all the time if you hadn't installed Linux for them, so maybe they might actually be grateful for it.
This is a great marketing opportunity for security vendors to create bootable-CD-based anti-malware programs:
Boot with CD, dial modem if necessary, log-into or set up new subscription to anti-malware vendor, do a remote-based malware scan/repair and bring hard-disk's-definitions up-to-date, and reboot clean.
If people did this once a week, in addition to 24x7 monitoring, these nasties would have a lot harder time surviving.
How to tell if you are a misguided Windows Admin:
Linux does not boot into a GUI - it doesn't need one in order to function! Neither does a linux or unix admin!
Access is an easy and powerful database - yes, if you want to store your recipes in it, and make certain that no more than one user accesses them at one time! If you are looking for more than that, Access is useless!
Setting up servers on Windows takes a couple of minutes while on Linux, good luck playing with configuration scripts - yes, Linux requires slightly higher brain function than simply sending a signal to your finger to click the mouse button!
Commercial support in Linux is almost non-existent - you obviously have never worked with a commercial version such as RedHat or SuSE. They have support, believe me, my company pays for it.
Wading through cryptic scripts written by lunatics - yes, the Windows registry is much less cryptic (insert sarcasm here)!
One more thought for you... Linux does NOT integrate non-removable, non-essential components such as a web browser (IE), email client (Outlook Express), and Media Player into a server operating system, requiring constant patches and hotfixes to fix security holes in the code that you could drive a truck through!