Slashdot Mirror
Windows Rootkit Wars Escalate
An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in a ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."
Breaking into a computer should be considered as serious as breaking into one's home. Enough of the "kids will be kids" stuff, and lets have our government go after the zombie masters as the scum that they are: invaders into our lives and our stuff.
Mod down people who tell people how to mod in their sigs
I don't hate sony because they installed rootkits on some peoples computers, I hate them because of that incident the word rootkit became popular.
Was this designed simply an easy way to hide (system?) files in the filesystem
or was it for something different entirely? I remember there being a "chmod +/-h"
in old (perhaps even current, I no longer use it) versions of HP-UX that would hide
files , is this something similar?
rootkit v. counter rootkit
counter counter rootkit v. counter rootkit
counter counter counter rootkit v. counter counter rootkit
An endless cycle of patch, pray, patch, pray, reinstall awaits us.
X|K|Ubuntu, anyone?
So which CD's does this one come on? When can I expect a class action suit to get me a few free downloads from it?
Well it wouldn't happen in other OSes because NTFS is closed proprietary standard. :-)
That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
Tom
Someday, I'll have a real sig.
Since F-Secure detects it, does that imply it's not popular?
Yeah! We've had rootkits since . . . . . well, about as long as we've had root! Your retarded spawn of DOS and an art school is late to the party.
Better late than never though I suppose . . . . .
If only Windows was closed source, then writing such tools would be difficult. Oh, wait...
There's something wrong with your statement. Look for it. Something about "no denying." ;)
>possible for a rootkit to go completely undetected on OSX
If it's undetectable how would you know?
http://www.heysoft.de/nt/ntfs-ads.htm
There's a lot that can be done with it.
This Russian-created rootkit is smart enough to recognize known anti-rootkit tools and hide from them.
:P
Does this mean that in Soviet Russia, rootkits detect y... Bah, nevermind. Too easy.
Slashdot: come for the pedantry, stay for the condescension.
People, please, stay sensible. First of all, a rootkit has to GET into a system. How it hides, how it vanishes, how it hooks certain parts of the system and how it defeats anti-rootkit tools is moot if it doesn't even GET that far.
Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!
And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unrelyable source without at least checking what it is!
My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.
There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I think the criticism probably stems from the fact that they're so bad at catching them and cause so much "collateral damage" . . . . . .
I think you misunderstood the GP. He is not saying we should pick up everyone who at some point had a drink with the third cousin, twice removed, of a hacker, and throw them on a CIA plane to be boiled in Uzbekistan without any semblance of due process.
And as other people have said, the government is going after hackers.
I think it's somewhat disingenuous to specifically note this rootkit works in Vista. It implies that the security work done in Vista has somehow failed.
Vista has numerous improvements security wise, and almost all of them have to do with prevent a machine from becoming infected to begin with.
, UAC, Windows Defender, the improved software firewall, IE 7+ sandboxing/broker, etc... these are all meant to make it a lot harder for malware to get on the machine to begin with.
As the old security adage goes, if untrusted software is run on your machine, it's not your machine anymore.
If it wasn't so sad, it would be funny.
tell me how, please. The things you know about him/her/them/whatever:
A DNS-Server in San Jose.
A host in Kiew.
Code generated in Russia.
Distributed by spambots from around the world.
Now, where do you start looking? Have you ever tried getting some help from authorities in Russia? If not, it's a worthy adventure. At the very least, it gives you enough material to write a very interesting book.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
What about developers ? Lots of apps -- essentially games -- don't run well in unprivileged environments. I run as unprivileged user but usually need to use runas when I didn't took the time to adjust braindead defaults program settings. And you can't ask the average user to tweak file and register permissions. BTW I've seen apps opening data files rw when only ro was needed. How do you avoid security flaws then ? Editing binary to change call parameters isn't an option...
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Since F-Secure detects it since June 21st, does it imply this is old news?
or did they make sure it could install?
* Winners compare their achievements to their goals, losers compare theirs to that of others.
FSecure's posting says that they released a version of their antirootkit software that can defeat this. Date June 21
Symantec says that FSecure's product can't remove this. Date June 29.
Any reason for this discrepency? You'd think they'd continue to moniter what other companies are doing to combat the problem and 8 days would be enough for them to find out about the new release.
Well.. maybe. Or Maybe not. But Definitely not sort of.
The parent is either the best troll I've ever read, or the stupidest piece of fanboy fiction ever propagated. I'm hoping it's a troll, because, if it is, it needs to be held up to all attempted trollers as the standard to which they should aspire.
Oh, by the way -- if there were an undetectable rootkit on OS X, how would one go about finding it?
All valid points.
I seem to recall Word [used to?] writing files in the \windows\system32 dir....
Tom
Someday, I'll have a real sig.
How did we find out about this undetectable windows rootkit?
To be useful to its creators, a rootkit has to do something. That something usually involves communication on the internet. So, could you find a rootkit by looking for tcp addresses by text searching the whole hard drive? Could you thwart it by detecting an attempt to communicate with certain addresses?
x86 versions only.
Would be interesting to know if there will be or are 64-bit versions of rootkits.
"Rootkit Wars" ??
This isn't a war. This is merely an advance in the sophistication of one rootkit. This happens all the time.
Why is this being called a "war" now?
Maybe because if they called it what it is - "Another Lame Virus Advancement" - nobody would click the link and look at their ads.
What a joke.
By the way, does anyone else find it funny that Symantec and F-Secure have "blogs" now? WTF? Why not just go the whole 9 and create a MySpace profile too?
smattawichu
The US government can't even persue terrorists who kill American citizens without inviting substantial criticism.
Aren't a lot of those terrorists dead? You know, the ones with bombs strapped to them, or the ones who forced planes into buildings. And as regards the living terrorists, the criticism isn't so much directed at their pursuit, but rather the collateral damage in terms of innocent civilian casualties abroad and loss of civil rights at home.
Did the writers of the rootkit consider that...
a ler.html
"The reason that there is no longer a command-line version is that malware authors have started targetting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior." http://www.sysinternals.com/Utilities/RootkitReve
Ooops... 1 step ahead of the hackers yet again.
This was definitely fixed in Word 2000, not sure about 97. Stupid MS org chart tool still tried to do that though.
Does a VM offer immunity to rootkits?
If the VM'd instance is subverted, does the underlying OS become exposed?
Thanks,
-Alajando
Don't rootkits need to hook into the kernel in some way, and the "some way" in Vista is via signed binaries? Overriding kernel hooks seem to imply that yes, signed binaries are needed as well...
Also, would it be able to hide from a tool like SysInternal's rootkit detector which compares API return values for the registry and filesystem with an actual analysis of the registry files themselves, and a scan of the raw blocks on the disk? (Understands NTFS and FAT, and the registry hive format).
Theese things are like the neighbor that just walks in the house, takes a piss, grabs a beer out of the fridge, asks you if you're watching teh game after sitting on the couch next to you.
If they'd put some fucking beer in there now & then it wouldn't be so damn aggrevating.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Please,
Ass pyramids, paper bags, and barking dogs are not torture.
Seeing Ms. England nude, however, you got me on that one.
NTFS alternate data stream? It's a good thing I still use Windows 95 that doesn't have any of those fancy shmancy features that can be exploited like that.
If you're (like me) one of the, umm, fortunate souls who get to clean up rootkit-infested machines regularly, there's a tool you should know about: LADS, for "list alternative data streams"
It can be found buried in this FAQ about the NTFS ADS feature: http://www.heysoft.de/nt/ntfs-ads.htm
I haven't tried it yet, but it looks like it should work from a win32 bootdisk (like BARTPE). So you should be able to boot from a clean win32 environment and scan the computer's hard disk to find any files with ADSs. Fortunately, use of this feature within NTFS is not widespread, so malware should stand out pretty obviously.
Have fun!
-R
not easy as long as ADS exists.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Microsoft has been less than forthcoming about ADS, it's function and it's mechanism. ADS has been used in the past to hack into web servers and now appears to be useful for rooting any system with NTFS.
Is ADS a Microsoft backdoor?
Really? Who was criticizing the US government for going into Afghanistan?
Ohhh, you are talking about criticisms on the war in IRAQ. The place that didn't attack us. The place with no weapons of mass distruction.
Idiot neocon.
You must be kidding, our government since before Clinton wastes its resources handling trifling issues and ignoring the terrorist threats as much as possible.
does it show in DOS ?
the parent isn't an apology in any way, and how is anything related to OSX remotely relevant? As the parent said, any issue with Windows will be viewed as an opportunity to evangelize macs1. Nicely done.
please correct me if i'm wrong, but i do not recall criticism of attacking the al qaeda training camps in afghanistan. the criticism started once we invaded a non-related, anti-al qaeda nation under the false pretense of an impending wmd attack.
Except that when Gore was VP one of his recommendations was a no-fly list that went ignored by the FAA. There's an article on CNN on TWA 800 today, which shows they were the first to think it was terrorism, and started looking into how to deal with it.
You're foot touched the hot lava!
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Long ago, in the days of MS-DOS, there was a program that was excellent at detecting unknown MS-DOS viruses. Called Integrity Master, for maximum security one ran it from a bootable floppy, scanned files on the hard disk, and stored the file with the scanned signatures on a floppy. It wasn't SHA or MD5 hashes, but at the time it was solid security.
Then, one periodically (once or twice a week, as paranoia sees fit) ran the utility on their machine. If stuff in the MS-DOS directory was changed, it was immediately apparant. Integrity Master also was able to scan for some known viruses as well in addition to keeping a log of changed files.
We need a utility like that for Windows XP and Vista. A bootable CD or DVD that not just can understand NTFS (and NTFS's file compression), but has the necessary software to mount hard disks which are encrypted with BitLocker, PGP, SafeBoot, PointSec, WinMagic, DriveCrypt Plus Pack. The utility should also allow for username/password entry so EFS-protected files can be checked too.
This utility should use a CD or DVD to boot from, mount hard drive volumes, run checks for alternate data streams, system and nonsystem files, and finally the registry, perhaps including the encrypted parts like the SAM. It should not just save hashes of files, but perhaps have some ability to check file signatures as well (like sfc.exe and sigverif.exe do), so an update to Windows via a legitimate way doesn't set off a lot of false positives. Of course, the "manifest" file storing the file hashes on the file system would be stored on a removable USB drive, so the OS on the hard drive never has the ability to touch it.
Because this checking is done offline, a rootkit would be a lot harder to hide (unless it uses a method that the integrity scanner wasn't programmed to detect, like perhaps pointing to unallocated disk space for executable code, or hiding in an EFS-protected file.)
Of course, offline checking isn't perfect, because the machine being scanned has to be totally downed for a good amount of time which can't be done in a 24/7 environment.
There are some hurdles though. Trying to reduce the amount of false positives is one, for example. A novice user presented with a notice that a lot of files were changed likely wouldn't know what was a bad change, and what was normal for system functioning. After that, its decoding files and registry keys. Finally, if a known rootkit database was used, keeping track of how rootkits encrypt their payload, and delivering timely program updates.
Hey Hey! Hate the game! Not the playa'! 'Sama 'n Sony got serious game.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
i still use FAT32, you insensitive clod!
Back in grad school, someone accidentally erased every user file on our group's Mac. Including my thesis! Unerasing was a nightmare (our mac "guru" wasn't much help). We got the data back, but none of it had the correct data fork associated with it. Everything got treated as an ascii text file.
I spit on your grave, OS7!
The world is made by those who show up for the job.
Microsoft Private Folder 1.0 uses rootkit-like techniques to hide encrypted files from the Win32 API. I wrote a little about it in
my blog a few days ago.
Sorry to say it bluntly, but I do remember. It's over. It's patched. Currently, there are no unpatched bugs (at least none that I'm aware of) that let you deliver malware straight to a connected computer.
So what that means is that there are unpatched holes, and since we don't know where they are you don't know a likley attack vector that such a rootkit might try and be deployed by.
Don't connect to the net without a firewall? Heck, given you can't know anything you are doing over the network is not an attack vector you might as well just shut down the network connection altogether.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
Too bad that Windows and most of the nixes have had at least one privilege escalation exploit present at any given time. Not to mention that to install software (for all users), one has to be root. A rootkit only needs to be embedded in an installer.
I think this is the equivalent situation. When you chroot, it changes the root of the file system, "/", but IIRC it doesn't change any open directory handles. In particular, it doesn't change the current working directory. So you should always follow a chroot with "cd /" or equivalent. If you have other open directories, you also have to deal with those.
.." and they're out of your jail.
Otherwise, a hacker could just "cd
[Yoda]
Begun, the Rootkit Wars have...
[/Yoda]
In *most* instances, you can use the built-in "Run As" feature to fun games/etc that need special permissions.
But the real solution is to complain to your software vendors.
and from the mplayer docs:
andand
This is just one app. Consider my 5c donated.
+5, Truth
Odd... On Linux, I don't have any trouble running games or development applications as an unprivileged user. The only time I ever switch to a privileged user is when I'm installing something or reconfiguring the system in some way.
Of course, that usually has more to do with the developers of said applications than the OS itself. Windows is perfectly capable of running applications well under unprivileged user accounts, but the developers of those applications have gotten into the nasty habit of relying on the fact that most Windows users run as Administrator.
I have a legitimate question. What site can you visit to get the rootkit or discuss information about it?, When I was in university I usually went to neworder.box.sk to all my hacker/cracker needs, also the russian password crackers sites and crackstore to name a few.
There was also fravia and other nice pages where you cold get that information but now I am not "on the song" anymore, can anyone enlighten me please?
Ubuntu is an African word meaning 'I can't configure Debian'
These guys confirm it
+5, Truth
Well you used to have to run games as setuid root because of limitations of SVGAlib. But that was like 10 years ago.
“Common sense is not so common.” — Voltaire
This should change with Vista, since all users in Vista are limited users. If you belong to the Administrators group, your programs will not run with Administrative permissions unless you use runas. Programs that know they need higher permissions will cause a password prompt to appear asking for administrative permissions (no password needed if you are an admin, but you still get the prompt).
So any developers who have been lazy about this will get a rude awakening with Vista. The typical application should only need admin privileges to install. Since the devs will be getting the prompts too, hopefully they fix all of the annoyances themselves.
Actually, most older games will work under a limited account if you give all users read/write permissions to the directory "C:\Program Files\Game Directory". This is true of most older software.
While there is naturally a security risk in giving all users the ability to write to files that will also be run by privileged users, there are so few viruses on the loose that attempt to infect old games and Win9x apps that I wouldn't worry about it.
Every game I've seen released since mid-2001 has had no problem running on a limited account. The only possible exception I can think of is MMORPGs that require patching before connecting to the server. User preferences and savegames are now saved in the %userprofile%\My Documents\My Games\Name of Game folder.
If you're playing 90s-era games and apps, you have to duplicate the environment they were assumed to run under. The simple measure of adjusting filesystem permissions and setting OS emulation for the executable accounts for the vast majority of older games that I've tried. You have to be an administrator to do it, but once it's done it works under any account.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
...just as any issue with a Mac not have game #x available is viewed as an opportunity to evangelize windows. Mac users have to listen to this drivel constantly from windows users. It's annoying coming from either direction. Use the tool that suits YOU and don't deride others for their choice of OS. btw, I think your 2nd last sentence should've read: "As the parent said, any issue with Windows will be viewed as an opportunity to evangelize linux"
I chose to end my comments, not with a rim shot, but a long decaying F#7sus4
>What about developers?
Stop going to porn and warez sites on you dev box.
in UNIX, a root is only for adding users or changing special permissions globally. All others get a special copy of the same and the games that you run can change them at will.
UNIX apps being statically bound come with their own libraries, and hence you do not need to share anything.
Windows comes ONLY with shareware stuff (NOT shareware), so that all applications depend on that copy for everything.
"Doing what i can, with what i have." ~ Burt Gummer
My personnal experience this far with Linux is that most of the time, you won't need full root access, if :
- your access rights are correctly set (as in using the GUID "video" to grand access to devices used for graphic acceleration. Most modern distro have this done auto-magically by the setup or have the plug-n-play daemon assign correct rights to newly plugged devices)
- there are small piece of code that are used to communicate between priviledged acces and un privilidged access (in other words : once upon a time, you needed to have SETUID on SVGALib to have nice graphics in games under Linux. Nowadays, SDL communicates with drivers and architectures like DRI, which take car to pass messages to a more priviledged part which, in turn, will take care of the sensitive steps. (In other words : Old applications - use special extension and map framebuffer themeselfs, if enough access rights. New (unpriviledged) applications - ask the X Server (with modern extension) which itselfs has the right to access hardware to map what is needed.
That means that, with a correctly setup system, I never needed to SUDO before playing anything with mplayer, xine, vlc or whatever else.
I almost never run application as something different as my user account.
In fact, even installing update is being slowly replaced with a less priviledged process in recent distro (instead of asking the users to star a process as root and installing updates himself under this identity, newer distro have a separate demon that runs with the minimal necessary privileges and the user only has a small application that passes messages to the update daemon to make the system install patches).
On the other hand, Windows, with its "admin-by-default" accounts hasn't done anything to prevent misbehavioured software. I can understand that Windows 3.x and Windows 9x, with all their DOS tradition behind them had to be "admin-by-default". But since Microsoft moved to a new architecture, why don't they change the default user profile behaviour ? Old APPs are run thrue an emulated API, newer application break if they can't run in a non-priviledged environnement.
Old usage needed admin rights. That's normal. What's not normal is that Microsoft perpatuated the bad habbit in newer versions of Windows.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
My boss was telling me how he'd spent all morning with the IT manager removing a trojan off of his Windows machine.
..."
I looked up from my iBook and FC5 workstation, looked him in the eye with a face full of innocence, and asked, "What's a 'Trojan?'"
"Well, see, it's like... a 'trojan' is like the Trojan horse; it's a program that comes into your system and
wink
"...why I oughtta slug you!"
It's a good thing the guy's a consummate professional, because I probably deserve to be writing this from the hospital.
"...just as any issue with a Mac not have game #x available is viewed as an opportunity to evangelize windows."
Irrelevant. Besides I'm not the original poster of this nor have I evangelized windows.
"Use the tool that suits YOU and don't deride others for their choice of OS."
Didn't deride anybody. That was the mac fanboy...
"I think your 2nd last sentence should've read: "As the parent said, any issue with Windows will be viewed as an opportunity to evangelize linux""
No, it was mac evangelism.
This is just nitpicking, but from my understanding a rootkit consists of tools implemented _once the system is comprimised_ to maintain root status and hide the comprimisation.
I always thought the means to gain access through vulnerabilities were called 'exploits.'
It makes you wonder about development cycles when people are producing malware for software that's not even been released yet. Is this a negative-day vulnerability? (and how does one quantify it when MS isn't yet saying when Vista's going to hit the market?)
Nostalgia's not what it used to be.
All bullshit. The RTC requires root to setup ... ONCE [ideally at startup]... then any user can use it.
/dev/dvd] it's called group management.
I routinely play DVDs as my user [you need read access to
I routinely play full screen video games as my user not root, etc, etc, etc.
Your information is out of date and just plain incorrect.
Tom
Someday, I'll have a real sig.
Every time a security issue is posted, we get this advice about using an unprivileged user. It is, however, far from the end-all of security issues - even running as a normal luser, a program can hide from that user. And it has access to all of that users data. One advance would be rigid separation between applications; Microsoft currently considers the desktop the "security boundary", and doesn't do much to isolate applications. Applications are also written carelessly with regards to buffer overflows in local input vectors, such as textboxes. Therefore, anything on the desktop has pretty much access to anything else running there, given some light hacking.
Allowing per-application access control is kludgily achieved by running apps as another user; this is counter-intuitive in todays world, where there is an 1:1 relationship between logged in users and computers. Separating applications, and assigning access rights with some granularity, is really difficult. But if web-apps don't take over the world, one would need another leap in separation, like protected mode was to real mode.
"All others get a special copy of the same and the games that you run can change them at will.
UNIX apps being statically bound come with their own libraries, and hence you do not need to share anything.
Windows comes ONLY with shareware stuff (NOT shareware), so that all applications depend on that copy for everything."
Wrong.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Go to the command prompt.
echo Text! > text.txt:ADS
Do a DIR and you'll see the size of text.txt is 0 bytes.
The string "Text!" has ended up in an ADS stream called "ADS".
1) Malware installs itself in a 'good oddball location' (you'll see why a bit later)
2) Malware runs (on startup) and monitors the running processes as close to real time as possible
3) Malware has built in it the CRCs (likely MD5s) of known AV filescanners
THE RACE IS ON!!!
The malware has to find the AV filescanner, CRC/MD5 it and if identified, kill the AV process (if able to) and delete/muckup the AV filescanner at its leisure(?) BEFORE the AV scanner can find it, kill it, and delete it in return.
The only way around that would be to update/release the AV scanner faster than the malware authors can 'do their thing'. I don't think using some sort of 'runtime opcode munging' to change the EXE CRC at runtime will help as a mass-release software title (if possible).
Nope, to stop this kind of malware calls for 'personalized' AV with CRCs unique to the machine it is installed on before the software is obtained to install in the first place. Provided the OS maker(s) is trustworthy, such AV software should be the first program obtained and installed on the computer after the operating system.
Part of this also depends on where the attacker can upload/download files to or from. If he can upload a new file in a location that automatically runs (say a crontab entry on a 'nix system), or he can download your password info, then you're still in trouble.
I've heard a few stories of sites being compromised because a script incorrectly allowed a variable that wasn't tainted as a filename.
Cue the Mac OS-X / *Nix / *BSD zealotry.
Psh, my graphing calculator is much more secure than any of those. No security exploits, ever.
Stupidity is like nuclear power, it can be used for good or evil. And you don't want to get any on you.
Works in Vista, too!
I know this cannot be true since Microsoft Says Vista Most Secure OS Ever.
Mod funny, you dumbshits!
http://www.eecs.umich.edu/virtual/papers/king06.pd f
Belief is the currency of delusion.
I don't know how or when it changed, but the orthodox approach to virus scanning used to be that you booted a known clean (very likely read-only) system in order to diagnose the possibly-compromised system.
Every time I hear about how some malware uses a rootkit to "hide", I know it simply means that people are using compromised systems to diagnose themselves. That approach is fundamentally flawed. No one should be surprised that it doesn't work, and it shouldn't be news that it doesn't work. We shouldn't be seeing this article on Slashdot in any category other than the humor section.
But we do see it, because it is news (to somebody?) because this unreliable approach to scanning is mainstream. How the hell did that happen?
It happened because the AV companies are selling their products as something that Windows users install rather than boot. But we know and they know that can't work. It's snakeoil and I think selling it is despicable.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
welcome our first widely known Vista exploit!
Lets fire up your windows update gentlemen! You didnt really believe the buzz this time round?
This is my Trace Bustah, Bustah... Bustah!!!
Thank you The Big HitNihilism means nothing to the dancing peasants
even running as a normal luser, a program can hide from that user.
Yes, but the program cannot make itself run automatically at bootup as this would require changing files which are owned by root
So basically it will die at next reboot. It might be able to start when that same user logs in, but this can be fixed by forcing all config changes to come from root (Admin or whatever)
It also means that if I scan for this software as root there isnt a thing it can do to avoid detection.
Although this is written with my linux hat on I also happen to develop software for windows and can see no reason that the same principles cannot be applied to windows.
Apart from one, it would cost MS a fortune to rewrite office, and they would lose the edge which office has over the competition (all the private hooks into the OS it uses which they dont publicise to other developers)
I dont read
TCP/IP addresses are often hex-encoded in compiled code, so doing a text search for xxx.xxx.xxx.xxx probably wouldn't be useful anyway...
>Oh, by the way -- if there were an undetectable rootkit on OS X, how would one go about finding it?
Yes, I know your being flip.
The answer is by partitioning off "bad boot blocks" that are above the OS boot code and inserting load commands for network protocols that over-ride your soon to be loaded preferences, "Playmems" in Graphics card memory space, font worlds.
That's all you get for now
Anonymous Coward
It looked wrong even as I wrote it. now I remember.
The world is made by those who show up for the job.
It actually wasn't AQ but an Iranian backed group. No Al-Z either. But everything else yu say is true.
Never by hatred has hatred been appeased, only by kindness - the Buddha
As long as MS brings up and touts security, particulalry in the context of proprietary software, the comment is valid, even if humorous.
I'm not sure what your point is... because it seems to me you're just giving me a good example of good programming. You just need to emphasize other parts of the text : ...when available... ...That's why we don't use the kernel's filesystem driver at all...
For the last one you would need a larger excerpt with other video output methods.
RTC : allows Real-Time synchronisation. Used when available because Linux isn't a realtime OS. Would be pointless on, say, QNX. Usage of "virtualized functionnality" like standard timers works fine for almost everybody, you usually don't need hacks accessing hardware directly.
DVD : You don't get any benefit running as root because they aren't using kernel's filesystem driver. "Greping" for root in mplayer doc isn't an excuse to not read and understand what's written... There's probably a reason why you need to run as root to get the same functionnality directly from linux kernel, but I'm to lazy to search the thread talking about it at lkml.
It wouldn't be portable anyway.
DGA : Thanks, I didn't know about that -vo method. My unofficial debian mplayer package is compiled with 31 output methods, some work under X, some in a xterm, some on a console, some with files, some with particular hardware (like Matrox video cards). DGA works under X, but as mplayer doc states, you need root access. Why not use -vo xv then ? It works flawlessly on my Radeon card. It doesn't work on an older Mach64, in that case I need -vo x11 (-vo dga doesn't work either with that card).
All limitions you're citing are because of attempts to talk directly to hardware, and each time you have other options that are working as well.
Bad programming would have assumed that you were root and disallowing to run if RTC wouldn't have been available, for exemple.
So ?
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
And it's free! http://www.sysinternals.com/Utilities/RootkitRevea ler.html
How is it even found to be loaded in the first place?
Works in Vista, too!
Maybe Vista needs that new file system after all. Too many places to hide stuff in the current NTFS. FAT32 anyone?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I always hear about these new awesome r0x0r your s0x rootkits. That rootkit called HackDefender I believe it was that was all over the news wouldn't even install properly under a limited account..
Blame the user, not the software.
Communication with the rootkit author does not necessarily need to be a straightforward matter. I have seen concepts of a rootkit sending data by querying DNS servers controlled by the author and piecing data together by taking the first character from the domain being looked up.
dns -> google.com
dns -> overture.com
dns -> dnsstuff.com
A password of god was just transmitted.
A very crafty kit would build up this list by first by watching legitimate traffic on the network, so viewing raw traffic would not throw up any immediate red flags. Data can be hidden in many places. Just my 2 cents.
"Konnichiwa", said the boneless horror.
he/she wrote it.
I think the practice of booting from a known clean system ended with Windows NT. In the DOS and Windows 9x days, it was easy to make your own boot floppy, copy a virus scanner onto it, and stash it away in case of emergencies. Also, back then, rebooting was an everyday occurrence anyway.
With Windows NT and its successors, it became cumbersome to make an emergency boot disk -- you needed the original install CD to write to several floppies, and the emergency boot process took an eternity. The virus scanner would have to be burned onto a CD (not everyone had a CD burner) or written to a memory stick (which some BIOSes don't know how to boot from). Of course, the virus scanner could be distributed on pressed CDs, but there would still be a problem with keeping the virus definitions up to date.
So basically, the practice of clean-booting died for the same reasons that the floppy did.
There is no OS that is 100% secure. Security is important, but if your expectation is for complete security, you will live a dissapointed life. The weak link in most computer networks is human. If it was programmed by humans, there will be a flaw that can be exploited. If there isn't a flaw in the programming, social engineering works fine to discover passwords that get you past the security
Maybe not 100% secure, but there are commercial OS's that are orders of magnitude more secure than Windows. Why do people like you continue to post statements that make it sound like the current situation with Windows is the best we can hope for and we should not expect MS to improve the security of their OS?
There was a time when MS told developers that the only guaranteed writable dir was the windows dir, since your app could be running on a network installation of windows (where everything was on a network drive, but a tiny secondary windows dir would be created on the local machine so that settings (i.e. INI files) could still be per user).
But that was > 10 years ago, before they created the Windows registry and told developers to switch to using that. I'd hate to think how many components are not even looked at let alone updated with each "new version" of Office.
Attention zealots and haters: 00100 00100
"An endless cycle of patch, pray, patch, pray, reinstall awaits us."
Patch available here for current & future rootkits: http://www.apple.com/macosx/
"Mac users pummelled by angry infectees. See the aftermath, tonight at 10:00."
...just as any issue with a Mac not have game #x available is viewed as an opportunity to evangelize windows.
Exactly the first thing I thought as reading dfghjk's comment.
The last of the retarded spawn of DOS was Windows ME. RIP.
Windows NT and 2K are more like the retarded spawn of VMS. They rock.
And XP and Vista are the retarded spawn of VMS and an art school.
You can all complain about the security issues and how evil it is all you want but you have to admire the technology and the thought that goes into advanced viruses/trojans/worms/rootkits. This particular one is polymorphic and stealthed. Those are two traits that can be very difficult to implement into a program of any type. The original write obviously put alot of effort into creating this program, testing it on different configurations and then releasing it.
.com infector that was 800bytes or so long. I never released it into the wild, so why did i write you ask? I wrote it because i could, because i wanted to see if i could and when i'd finished i'd learned a hell of alot about x86 assembly. My point is, that we shouldn't all think rootkits/viruses are inheretly evil, they are like guns, they guns don't kill people, people do.
/me dons flame proof armour!
Yes i admire it for it's traits and i think they should teach virus writing etc in University, the algorithms for self-replication, stealth and polymorphism are very cool, and no self respecting programmer should NOT know how they work and at least how to implement them at a basic level.
This reminds me of weapons of war like cruise missles, their only purpose is to destroy things, but the technology they implement to do it is pretty freaking awesome!
And yes before you ask i once did write a virus. It was a DOS
Imagine if you will a virus that spreads like wildwire, but this virus was an anti-virus program that used peer-to-peer networking to download updates and eradicated all other virus/anti-virus programs out there. In the end you have one virus and it kills everything bad for you? Remind you of anything? Yep, the human body. We have benifical viruses/bacteria in our body. They are allowed to replicate and infect others so i believe the stigmata against these technological wonders needs to stop.
PS. I have nothing for disdain for script kiddies and those who use automated virus generators, if you are going to infect someones computer and disrupt their work, at least have enough balls to write it yourself.
I don't need to test my programs.. I have an error correcting modem.
Short answer: yes.
/bin/login dumped core when it couldn't send the captured passwords back home.
Anecdotal evidence: I once set up a Linux machine behind a firewall, couldn't get to the Internet, but it could be seen from the Internet. Turns out there wasn't any requirement for it to see the Internet, so I checked "done" and moved on. This was a one-off deal.
Got a call a month later: "login isn't working". Of course the machine was for dozens of desktop machines that logged in to run custom Universe scripts, so no one could do his/her work. So I go out there and notice that the network cables have been rearranged to go around the firewall. And there were quite a few email messages spooled up and going nowhere.
Asked about the cable. "Oh. I tried that because I couldn't get to the Internet."
"From this machine?"
"Yeah."
"Why did you want to get to the Internet from the Universe server?"
"I wanted to surf the net while I was waiting for this other install thing that I was doing to finish."
OK, so the machine is naked on the Internet, and login's broken. It takes the password, then another login prompt. Found a rootkit. Reinstalled the O/S, restored Universe from backups, put the machine back behind the firewall.
Oh, the spooled-up email messages? Email to the rootkit installer. Even if the machine was pwned, s/he never found out. After poking around for a while, I discovered that it was a poorly implemented rootkit, e.g., the replacement for
Further, even if the elaborate cloaking schemes are followed, there must be communication back to the new pwner of the machine.
"Press to test."
(click)
"Release to detonate."
What al Zaquari was running isn't an actual AQ-operated group either. It's a fucking PR stunt naming it the same thing.
If corporations are people, aren't stockholders guilty of slavery?
What I find troubling is how blaze Windoze users are about it all. They get upset that their machine won't work once it is totally bogged down with spyware, but they don't care about the fact that some asshats were monitoring their every move on their machines for many weeks/months/years even.
Oh well, what the hell...
... in capitalist America, even Duke Nukem Forever ships before Vista.
Sean
I was pretty much with you until #5. Don't boot from read/write media? What exactly do you want me to boot from? Telling people not to boot from their hard disk is pretty radical. And even my Deb CD is really a CD-R - which is, you know, writeable.
#6 is even more out there. Unplug from the network? Being as how you're posting to Slashdot, obviously you're not taking your own advice. What am I missing here?
I think you need to get your tinfoil hat adjusted.
Sean
"What about developers?"
.NET came along, you could pretty much guarantee you were doing COM programming of some kind.
.NET allows you to do this as you don't _have_ to install your stuff to the GAC, and you don't need to write to any privileged locations to be able to get stuff done. You should just be able to play in your hom^H^H^HDocuments and Settings folder and do everything from there.
That is the main cause of problems with windows. In order to develop on windows before
In order to develop and test COM components, you need to be able to install them so they can be picked up by CoCreateInstance() and its brethren.
In order to install COM components, you need to write to the HKEY_LOCAL_MACHINE/[something I can't remember]/Classes registry key, which rightly requires Administrator priveliges.
Therefore, in order to develop COM components - i.e. in order to do any serious Windows development - you _needed_ to run as roo^H^H^HAdministrator.
The trouble is, if you're running as Administrator, you don't notice if you end up doing other things that also require Administrator privs. Like writing to other parts of HKLM, or the Program Files (or even System32) folder. None of that fails on your system, as you're Admin, so you never pick up on it.
Your code goes to testing. In order to install your COM components, the testers need to at least install as Administrator. If they forget to test as a limited user, they'll never notice that either.
You ship. Now everyone who uses your program needs to run as Admin. Think they'll change which account they're logged into just to run your program? Nope - they'll just give themselves Admin privs all the time.
In order to fix this, developers _need_ to be able to write, compile, install and run the programs they're developing as non-Administrators. Fortunately,
Why doesn't the gene pool have a life guard?
If you have to use Windows, Rootkits are another reason to zero the hard drive regularly. But if you don't have to, another reason to buy a mac or UPGRADE to Linux.
\
..you run XP from a FAT32 partition? (But might have NTFS partitions)
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
dun dun dun the plot continues.
"I thought what I'd do was I'd pretend I was one of those deaf-mutes" ~ Laughing Man - GITS:SAC
Tangent, yes. But...
/linux noob
//working on that
///Farker
At my previous position BartPE was a godsend. If you do physical Windows support, and you aren't aware of this, I strongly urge you to take a peek: http://www.nu2.nu/pebuilder/
Think Win98 boot floppy on crack. Boots off CD/DVD, does PnP, has network support, the ability to add virus scanners & other nifty tools.
There are Linux boot CDs that do more/less/theSame, but if you're like me and (/gasp) not familiar with Linux then this can be a powerful tool.
i'm pretty sure on both windows and linux a normal user can make stuff run when they login pretty easilly and on many linux installs they can probablly even use cron to schedule it to happen soon after startup.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Most desktops are only used by one person. Starting from that users "Startup" folder (or equivalent) is effectively the same thing as starting at system boot.
So basically it will die at next reboot. It might be able to start when that same user logs in, but this can be fixed by forcing all config changes to come from root (Admin or whatever)
A solution completely unworkable for the majority of desktop PCs.
Apart from one, it would cost MS a fortune to rewrite office, and they would lose the edge which office has over the competition (all the private hooks into the OS it uses which they dont publicise to other developers)
I see the good old "hidden APIs" myth still exists, despite the complete and utter lack of any actual evidence supporting it.
Tell us, just what "advantages" do you think these supposed "private hooks" engender to a *word processor* or *spreadsheet* program ?
Or you could just use "Run As" for those times you need to actually install a COM component.
The trouble is, if you're running as Administrator, you don't notice if you end up doing other things that also require Administrator privs. Like writing to other parts of HKLM, or the Program Files (or even System32) folder. None of that fails on your system, as you're Admin, so you never pick up on it.
This is not an excuse for fundamentally bad development practices. If you're storing run-time or per-user data in system areas, you're either lazy or incompentent. "But it works for me" is not justification for doing something even a first-year software engineering student should be able to tell you is the wrong way to do it.
Your code goes to testing. In order to install your COM components, the testers need to at least install as Administrator. If they forget to test as a limited user, they'll never notice that either.
Nor is it an excuse for poor testing procedures.
No developer has had any reasonable excuse for not writing LUA-friendly Windows software for ~7-8 years. Arguably, it's more like ~10 years, since NT4 was released, but I'm prepared to cut some slack.
Bah, don't get me started on the security on my abacus.
The first idea that pops into my head, is that users should use Windows under copyright (which allows Fair Use) instead of licensing it. Then they can legally make a clean boot disk.
But I guess the idea of using software under copyright is controversial, and some people still want to license Windows. Ok, whatever. One thing these users could maybe do, is run Windows under virtualization (which MS has recently started to license for "free") and then scan the guest system from a well-protected host OS.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.