Hackers Serving Rootkits with Bagles
Iran Contra writes "Security researchers at F-Secure in Finland have discovered a rootkit component in the Bagle worm that loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners. Bagle started out as a simple e-mail-borne executable, and the addition of rootkit capabilities shows how far ahead of the cat-and-mouse game the attackers are."
I AM A FISH!
Oy vey!
P.S. FIRST PSOTS!
AKA a nazi fanatic loser.
....
...etc.
1. You rejuvenate and dance when you hear a windows flaw exposed, but you conveniently ignore the thousands of security flaws exposed in linux.
2. You yell loudly TROLL! at any person's post or at any person you see posting facts that you do not want to hear about your oh so cool linux.
3. You know it's a classic case of penis envy, you don't have all the support, software and hardware available for linux and you have to let that anger out somewhere, but you don't have the brains to admit it.
4. You hate windows, hate Microsoft, but race to emulate windows, have programs to run office from within linux, and spend $300 on a Windows emulator, only Windows fools.
5. You cannot admit that you don't have professional usage of Linux outside server markets.
6. You cannot admit that most of the Joe Users out there, when told that there is linux, will respond, "What is that?"
7. You cannot admit that there are no professional printing capabilities in linux.
8. You cannot admit that you are a masochist (otherwise why would someone spend hours playing with scripts, and recompiling programs that are available for Windows?)
9. You cannot admit that there is no professional desktop publishing done on Linux.
10. You cannot admit that no one in their right mind would do professional video editing in Linux.
11. You cannot admit that linux sucks when it comes for gaming/home entertainment or education.
12. You have problems in understanding Windows, and you will blame your own incompetence on Microsoft.
13. You have problems in pointing and clicking, but have no problems in wading through cryptic scripts written by lunatics.
14. Nothing will get past that shit that fills your head, you will not admit to any facts.
15. You can't admit that the naming of linux components, packages, and others is weird and fits profiles of troubled teenagers: gentoo, lgx, rpm.
16. You feel angered because you were left out by Microsoft's Media technologies, they support Mac, Sun SPARC, but not linux.
17. You feel inferior deep inside but unable to admit it, you don't have a database as easy and powerful as Access.
18. You cannot tell that not a single office package outside Microsoft's is worth looking at or bothering with.
19. You don't know that your CD recorder software sucks.
20. You don't have DVD-RAM, DVD-R, DVD-RW support in your pathetic OS.
21. While the rest of the world moves on, you're stuck in a stone age technology that needs third party software to boot into GUI.
22. You act out of prejudice, you killfile domains and users of specific news readers while you ignore the bullshit that your fellow linux losers post.
23. You don't know commercial support in Linux is almost non-existent.
24. You miss the fact that companies are leaving linux because of the chaos, and the cheap linux losers who are unwilling to pay and support hard work: Corel, gaming companies, etc.
25. You are unaware that linux has no terminal services (there is a lame one that no one uses), and commercial support for it is not happening.
26. You are unaware that setting up servers on Windows takes a couple of minutes while on linux, good luck playing with configuration scripts.
27. You cannot admit that support for USB on linux is laughable at best.
28. You think that Linux is better because slashdot told you so.
29. You spend countless hours flaming people because they post their opinions about your oh so cool linux and your attitude, instead of researching things for yourself and understanding facts in order not to look this stupid.
30. You think that anyone who uses linux has a clue.
31. You think that linux cannot crash.
32. You think that everyone is interested in your conspiracy theories about Microsoft (or should I say M$ in order for you teenagers to understand?), and how they destroyed linux.
33. You keep ignoring the fact that thousands of linux servers get hacked every year, but it takes one Windows server hacked to get you and your fellow linux idiots to dance and celebrate.
Or is it just me who's been reading about rootkits and keyloggers now becoming standard payloads in worms/virus/web exploits?
In the end, they're just another piece of cut and paste code for script kiddies.
He tried to kill me with a forklift!
Next time on Slashdot: "Bagle.GE authors sued by Sony for rootkit copyright infringement!" Honestly though, maybe we should all just start carrying around rootkits on our USB keys. Plug it into your aunt's computer, and she'll never forget your birthday again (even if she wanted to).
Fragging my father since 2004
I keep waiting for a virus based on genetic algorithms. I'm certain that it's only a matter of time.
// file: mice.h
#include "frickin_lasers.h"
It's a Windows security alert! I call dupe! After all the WMF flaws, this latest IE exploit and Vista delays, what else is there on /.?
"Sure there's porn and piracy on the Web but there's probably a downside too."
This has been written about before on the F-Secure security blog. There's also a nice pic of what all the different parts of Bagle look like and how they interact.
WARNING: May contain traces of nut
It definitely isn't, trust me. I'm a ...biologist.
jpg is a nice picture of C. elegans, The Model Worm (r).
I mean the picture, of course: http://images.slashdot.org/topics/topicworms.gif -- it is an insect larva, not a worm. To be more specific -- probably a butterfly caterpillar.
You want to see a worm? Here -> http://www.desc.med.vu.nl/NL-taxi/ICE/C_elegans1.
All together now...
"It's Cracker, not Hacker!"
Don't take the above poster too seriously. He doesn't.
Mark me OffTopic if you will (it's Friday and I'm feeling brave, so I'll take that risk), but when I first read this, I read it as:
"Hackers Serving Rootkits with Bagels"
...and I started to think how cool a hacker café would be... then I got to wondering what else you might be able to order at a hacker café:
Trojan Muffins (secret filling might bring a surprise!)
DDoS Donuts (very tasty, but eat too many and they gang up on you)
L33t Latté (quintuple espresso with a single shot of milk)
Keylogger Cakes (be careful, they're watching)
...and so on (I shall spare you the rest).
Ah well, as they say in these parts 'ah'll get me coat'...
... because it doesn't allow loading of non-GPL binary drivers.
Wow! I thought 'Slashdot Admins Crapflood Their Own Website Day' was starting early this year in an attempt to actually catch people off guard, but this story is real.
SysInternals' free program RootkitRevealer is the best way I know to reveal the presence of rootkits.
In general, any program SysInternals provides is the best in its field, I've found.
Try the just-updated (March 7, 2006) version of Autoruns to find nasty stuff running under Windows.
--
Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. citizens pay to kill Iraqis. Improvement?
Why the FUCK doesn't Einstein's have onion bagels? That's the best god damn flavor for god's sake.
I got so tired of explaining it over and over. Ultimate Spyware/Virus Blocker. If you think there is something I need to add or remove then please leave a comment.
:)
My friend is opening up a coffee shop that will have an ap. I will make some copies of Ubuntu for the customers to use.
Now where do I find a dentist for the rootkit I received when I didn't take my own advice?
Gizmos Gagets For Ninjas
No matter how nasty worms get a user still has to execute them for his/her PC to become infected -- and even then with a decent setup there's still the possibility/probability of a correctly-setup anti-virus prog checking the message between the user's click(s) and the execution of the malware.
So, malware makers are not so much "ahead of the game" as "still reliant on the problem that exists between the keyboard and the chair."
My sig is too lon
I'd like to disagree, but with the growing prominence of organized crime, highly profitable spam, and so on, I can't. I'm mildly surprised that one of the bigger organizations hasn't gone out and found someone who can do what they need and has few scruples about doing it when the money is right.
I can only assume that it's not worth doing - ie systems to crack are in such plentiful supply already that there's just no need to bother with real effort.
airplanes into buildings, bomb innocent people, or any such violent destructive bullshit; who cares if he does hate MS?
Saturday is April 1. Slashdot will be shut down. Sorry for the inconvenience.
Your O/S locks with Bagels, sir.
He who knows best knows how little he knows. - Thomas Jefferson
Us canucks are way ahead of the rest of the world...;-)
:-)
True leaders in operating systems and bagels...;-)
There is indeed already a Linux caffe... in Toronto, Canada!
http://www.linuxcaffe.ca/
You call these bagels?!
Mac users typically know very little about windows or linux, and yet they still claim they use the "best" operating system?
The Mac equation is a minimal set of software options and guaranteed interoperability. It's idiot-proof. That's what people like about it.
It's also, IMHO, what sucks about it.
I have a mac, I have a pc and I have an okay linux box.
The mac is for sure the sexiest, but it's option-poor. Mac users feel free to flame away, but if you can't back it up with a logical comparison, then you've only furthered my point.
------ The best brain training is now totally free : )
Search Results for: Bagle.GE produced zero results
I don't know where this myth comes from, but you only need to look at Microsoft's own security bulletins to see that this just isn't the case. Unchecked buffers resulting in buffer overflows mean that a cracker can install and run any code he likes, without you ever knowing about it.
For example, here is an excerpt:
"Websense researchers found that the rigged site exploits the unpatched createTextRange vulnerability to download and install a keystroke logger without any user action."
Worse than that, the bad guy doesn't need to install a virus, so your virus checker probably won't notice. And even spyware scanners will only work if the bad guy uses code that the AdAware guys and their friends know about.
This, my friends, is why everyone is switching to Firefox.
Hey, who needs a sig? Not me!! Oh wait...
... who doesn't want free yummy bagles to eat? Oh, you mean the computer types... [grin]
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
1. I definitely don't ignore flaws in GNU/Linux software, I run promptly off and patch them. As for Windows flaws, I find them quite interesting because they're usually not just a regular typo kind of flaw but something deeper in the architecture, the kind that I want to learn to avoid as a budding computer programmer. Plus I'm a Windows sysadmin and so these will quite possibly affect me personally.
2. I've actually never yelled anything on slashdot ( by yelling, I'm assuming you mean typing with caps on)
3. I have one penis, that is enough. Thank you.
4. I don't hate windows, it's more of a strong distaste, like the feeling I have for asparagus. Also, you'll never see me spending money on windows emulation software. I've played with Wine to get IE to work in Linux, but that is because I'm a web developer and I need to test stuff, not because I enjoy that travesty.
5. I'm not quite sure what this means, but I have it on good authority that several large businesses use it on their desktops. NASA is one example, IBM is moving there, and I think European companies have a disproportionately large number of deployments.
6. I don't know any linux user who would be ashamed that people don't know what linux is. It's a bug, but we're working on it. https://launchpad.net/malone/bugs/1
7. Somebody else already spoke to this.
8. Are kids masochists for playing with Legos for hours on end? I do this because I enjoy it. If you don't, there are many distros that do not require that sort of thing.
9. Funny, I saw an article in newsforge about a professional publisher that used about half linux, half windows.
10. I know nothing about video editing, don't really care either.
11. Depends on what you mean. For the 'gamer' types (you know who you are) that is true. It's the main reason I still have a copy of windows. For most people I don't think that's too much of an issue. As for educational software, there's plenty for Linux.
12. I actually find this more true of windows users than linux users.
13. These lunatics are probably smarter than you or I will ever be. And I don't think anyone here has a problem with clicking. It's just really inefficient for some tasks.
14. Yes, and your statement was incredibly factual. Pot, meet kettle.
15. I'm deeply confused what 'gentoo', 'lgx', and 'rpm' have to do with teenagers.
16. I'm actually quite happy with win32codecs.
17. No, I'm starting to think your post should have been modded funny.
18. I'm not much of an office user, but OpenOffice works quite fine for me. I love the pdf export option, and its equation writing capabilities suit me well as a math student. Sure it has a few issues, but I like it better than MS Office.
19. I've never had problems with recording in Gnome. It's incredibly easy too.
20. I have a CD-RW, DVD R/RW and it can read and write both CDs and DVDs fine in linux.
21. I didn't need any 3rd party software to use X. To get good graphic acceleration I needed the non-free fglrx driver. But the same would be true in Windows.
22. I'm not a usenet user. But I do find emails from Outlook users with their tiny blue fonts annoying so I can sympathise.
23. Did I miss something? What happened to IBM, Redhat, Novell, HP, and several other large companies?
24. That's fine with me. I'll continue to give my money to the companies that stay.
25. I'm not an authority on the issue. But I've heard that the Windows one would be better off to be non-existent too.
26. I've set up Windows about 150 times now. It takes about 3-5 hours to get the computer into a state where it is ready to use (this includes patching, and installing important software like a real web browser, office software, a firewall, AV, etc). An Ubuntu install is about 1 hour.
27. All my usb stuff Just Works(tm). Same with my brother's, and anyone else I've seen.
28. I used linux before I knew s
assuming that programmers use logic as I do in my programming, why make these things? if you're out to prove something why not make a useful program that gets noticed merely because of how great it is as it helps people do something, rather than something harmful and invasive.
no matter how hard I try to figure out the reasoning behind creating such devices of invasion, the more confused I get. The only thing that it sounds like is that since they can't physically bully people around they figure they'll do it cyberally(?). If it's a point they're trying to prove, besides the fact that they are complete jackasses, then I do believe it has been lost in the translation. I'd much rather be known for creating something terribly awesome, not awesomely terrible.
I, for one, would rather be infamous, than famous.
It's already happened, but not through the intentional use of genetic algorithms. Back in the late 1980's, there was a virus on MSDos that was dirt simple: it would attach itself to two other
Enter natural selection.
As with any repeated copying process, errors eventually creep in. Most of them, of course, undoubtedly caused the virus to fail. But by the early to mid 1990's, there were at least two variants that were seen in the wild that 1) were clearly the result of copying errors, and 2) increased the spread of the virus.
Friday the 13th/Benign did not delete files; thus, it would not suffer a population collapse every seven months or so as did the original.
Friday the 13th/Promiscuous was a sub-type of benign that would reinfect files that had already been infected (thus possibly displacing a non-promiscuous version). This made it slightly easier for users to detect, but gave it a competitive advantage over its rivals.
I think the main reason we don't see this happening with newer viruses is that they are much more complicated and there are more mechanisms in place to prevent copying errors, both of which would drive down the rate at which useful mutations appear.
--MarkusQ
Sorry, but both are historically valid descriptors.
//Information does not want to be free; it wants to breed.
Years.. no, decades ago, everyone was scared shitless of boot sector viruses. Today it's rootkits. This isn't rocket science, it's about friggin time these things hit the mainstream. It's obvious that today's software relies on many layers of abstraction provided by the OS. Infiltrate one of those layers and you've fooled the entire system. It's no different than the men with wires going to their ears saying "You didn't see anything, move along", except your software's too dumb to see that the man is lying. There is no ultimate solution to this, software is software and no matter how well you try to secure the OS, all it takes is a little patch to disable all your security. The closest thing to a secure OS would be some sort of read-only boot device, and I really mean READ-ONLY, not just "mount -o ro". Boot off the DVD-Rom.. even then, just one glitch in the programming could open up the whole system to in-memory patching.
What we CAN do to relieve this plague is take away the motivation behind viruses. They don't exist just for fun, they serve a purpose.. DDoS is a lucrative racket. If we can somehow make an infected PC less valuable to the attacker, to the point where it's not even worth infecting, the virus threat will slow down to a crawl. Why don't we have more Linux viruses? Because it's a high-risk, low-potential target. If Microsoft could accomplish the same level of security with the average Windows PC, virus authors would have to go out and get real friggin jobs for once.
-Billco, Fnarg.com
Is what you eat. Bagle is l33t.
> no matter how hard I try to figure out the reasoning behind creating such devices of invasion, the more confused I get. The only thing that it sounds like is that since they can't physically bully people around they figure they'll do it cyberally(?). If it's a point they're trying to prove, besides the fact that they are complete jackasses, then I do believe it has been lost in the translation. I'd much rather be known for creating something terribly awesome, not awesomely terrible.
Some people enjoy creating, others enjoy disrupting. Defacements, viruses, trolls... just different ways of doing the same thing.
Sheesh, evil *and* a jerk. -- Jade
"being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word hacker to describe crackers; this irritates real hackers no end." Great esr quote from http://www.catb.org/~esr/faqs/hacker-howto.html.
There is also a history of slashdotters complaining about the use of "Hacker" instead of "Cracker" whenever the term Hacker is used (sometimes regardless of the context). Hence the taking the piss out of such slashdotters...
Don't take the above poster too seriously. He doesn't.
Or do you just work there?
The trick to malware writing in DOS is to hide from DOS. We do that by placing malware in some unclaimed memory and rapidly change it to keep malware scanners from pattern matching the malware.
Windows changed that. Malware needs to be recognized by Windows, in some form, or else it's not going to get its messages and it's not going to be able to access the wonderful WinAPI, which will give it more power and make it smaller. There's no point in a spy changing their clothing to disguise themselves if they always have to wear a nametag.
Rootkits are the obvious solution to this problem, because they allow a program to be recognized by Windows and hide from programs using Windows to attempt to recognize it. We're only seeing rootkits now because it's getting harder to disguise malware by giving it a nondescript name.
~~~
Click here, you know you wanna!
I think the only way to get ahead of these rootkits is to make the OS its own rootkit. That is, caging: executing the apps in virtual WinXP environments and letting them modify their own registry entries.
I think I saw a virtualization software out there, but I don't remember well.
Issue 55 had a piece that described the SSDT hooking that Bagle now employs. I'm pretty sure someone identified Bagle's use of this prior to McAfee but I can't put my finger on the source.
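Added example, not code from Bagle, F-Secure, McAfee or any other tool named in this thread: the defender-side check anti-rootkit scanners apply to the SSDT hooking mentioned here and to the "hide from programs using Windows" trick described in the post above. Every System Service Descriptor Table slot should resolve into the kernel image; a slot that resolves into another driver, or into no loaded module at all, is flagged. The module list, slot names, addresses and the driver name hidesvc.sys are constructed sample data.

```python
"""SSDT hook check over a constructed kernel snapshot (illustrative example,
not code from Bagle or from any anti-rootkit vendor). A kernel rootkit that
hooks the System Service Descriptor Table redirects a system-call slot, such
as the ones scanners use to enumerate processes or registry keys, to its own
driver so those calls return filtered results. Every slot should resolve into
the kernel image; a slot resolving anywhere else is the classic red flag."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KERNEL_IMAGE = "ntoskrnl.exe"  # every SSDT slot is expected to point into this image

@dataclass(frozen=True)
class Module:
    """A loaded kernel module: image name, load base and size in bytes."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# (slot index, service name, target address, owning module name or None)
Finding = Tuple[int, str, int, Optional[str]]

def resolve_module(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the loaded module whose image range covers addr, if any."""
    return next((m for m in modules if m.contains(addr)), None)

def find_ssdt_hooks(ssdt: List[int], modules: List[Module],
                    names: Dict[int, str]) -> List[Finding]:
    """Flag SSDT slots that do not resolve into the kernel image.
    A target inside another driver means that driver hooked the service; a
    target inside no listed module points at code hiding its module entry."""
    findings: List[Finding] = []
    for idx, addr in enumerate(ssdt):
        owner = resolve_module(addr, modules)
        if owner is not None and owner.name.lower() == KERNEL_IMAGE:
            continue  # expected: slot still points at the kernel's own handler
        findings.append((idx, names.get(idx, f"service_{idx}"), addr,
                         owner.name if owner else None))
    return findings

# Constructed sample snapshot: 32-bit style addresses; the hooking driver name
# is hypothetical, only the kernel and HAL image names are real.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F5000),
    Module("hal.dll", 0x806EC000, 0x20000),
    Module("hidesvc.sys", 0xF8A2C000, 0x3000),  # hypothetical rootkit driver
]
SERVICE_NAMES = {0: "NtCreateFile", 1: "NtOpenKey", 2: "NtEnumerateKey",
                 3: "NtQuerySystemInformation", 4: "NtOpenProcess"}
SSDT = [
    0x8057A1C0,  # NtCreateFile: inside ntoskrnl, clean
    0x80569F30,  # NtOpenKey: clean
    0xF8A2C410,  # NtEnumerateKey: redirected into hidesvc.sys (hides registry keys)
    0xF8A2C7A0,  # NtQuerySystemInformation: redirected (hides processes)
    0x7FFE0300,  # NtOpenProcess: points into no listed module at all
]

if __name__ == "__main__":
    for idx, name, addr, owner in find_ssdt_hooks(SSDT, MODULES, SERVICE_NAMES):
        print(f"SSDT[{idx:#04x}] {name:<26} -> {addr:#010x} in {owner or '<no loaded module>'}")
```

On a live system the module list and table come from the kernel (for instance a driver or a raw memory image), not from literals; the comparison logic is the same.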
It'll probably just result in them holding it against you. Especially if you let them lose their photos and such.
Hard to tell what the solution is. You could pretend to not know anything about windows to get them off your back, but then they'll probably look down on you for that and get the impression that there's nothing wrong with windows. Perhaps the best option would be to set up a linux dual boot, and let windows go to hell. The malfunctioning copy of windows would act as a reminder of what they'd have to deal with all the time if you hadn't installed linux for them, so maybe they might actually be grateful for it.
This is a great marketing opportunity for security vendors to create bootable-CD-based anti-malware programs:
Boot with CD, dial modem if necessary, log into or set up a new subscription to the anti-malware vendor, do a remote-based malware scan/repair and bring the hard disk's definitions up to date, and reboot clean.
If people did this once a week, in addition to 24x7 monitoring, these nasties would have a lot harder time surviving.