Windows Rootkit Wars Escalate
An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in an ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS-aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."
It is like a generalized version of the resource and data fork on old MacOS files with similar uses.
http://www.heysoft.de/nt/ntfs-ads.htm
There's a lot that can be done with it.
I think it's somewhat disingenuous to specifically note this rootkit works in Vista. It implies that the security work done in Vista has somehow failed.
Vista has numerous improvements security-wise, and almost all of them have to do with preventing a machine from becoming infected to begin with.
UAC, Windows Defender, the improved software firewall, IE 7+ sandboxing/broker, etc... these are all meant to make it a lot harder for malware to get on the machine to begin with.
As the old security adage goes, if untrusted software is run on your machine, it's not your machine anymore.
ADS is used in Windows as part of everyday usage. The "Summary" tab that you see when you view any file's properties is stored in ADS. Also, I believe (vague memory here) that when you download something in Internet Explorer and try to run the file, the flag for that annoying "You got this from the Internet, are you sure you want to run it?" is stored in ADS.
FSecure's posting says that they released a version of their antirootkit software that can defeat this. Date June 21
Symantec says that FSecure's product can't remove this. Date June 29.
Any reason for this discrepancy? You'd think they'd continue to monitor what other companies are doing to combat the problem, and 8 days would be enough for them to find out about the new release.
Well.. maybe. Or Maybe not. But Definitely not sort of.
"In essence they were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh's file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details."
http://www.securityfocus.com/infocus/1822
Web 2.0 == Giant Blogspam Circle Jerk
A rootkit is a tool that script kiddies use to break into systems, as opposed to someone with actual skill finding and exploiting weaknesses using their own brain.
No it isn't.
A rootkit is what is installed to give the cracker unimpeded access (provides a backdoor, hides processes, replaces legitimate processes with trojaned ones, keeps activity out of system logs) once they have gained entry to a system (usually through a known vulnerability). Their activity would be hidden from netstat, ps, etc.
At least look at Wikipedia.
music lover since 1969
Did the writers of the rootkit consider that...
"The reason that there is no longer a command-line version is that malware authors have started targetting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior." http://www.sysinternals.com/Utilities/RootkitRevealer.html
Ooops... 1 step ahead of the hackers yet again.
If you're (like me) one of the, umm, fortunate souls who get to clean up rootkit-infested machines regularly, there's a tool you should know about: LADS, for "list alternative data streams"
It can be found buried in this FAQ about the NTFS ADS feature: http://www.heysoft.de/nt/ntfs-ads.htm
I haven't tried it yet, but it looks like it should work from a win32 bootdisk (like BARTPE). So you should be able to boot from a clean win32 environment and scan the computer's hard disk to find any files with ADSs. Fortunately, use of this feature within NTFS is not widespread, so malware should stand out pretty obviously.
Have fun!
-R
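As an added example (not code from the thread, from LADS, or from the heysoft FAQ linked above), here is a PowerShell script that does the same job the poster describes: walk a volume and report every file that carries a named alternate data stream, so that unexpected streams stand out. It assumes Windows PowerShell 3.0 or later (the -Stream parameter of Get-Item and Get-Content), and that the volume being scanned is mounted from a clean boot environment such as a BartPE-style disc, since a running rootkit can filter stream enumeration on the live system. The Zone.Identifier stream it reads is the real "downloaded from the Internet" marker that the earlier comment refers to; the sample paths in the usage lines are made up.

```powershell
# Added example: enumerate NTFS alternate data streams on an offline volume.
# Not code from the thread or from the LADS tool; assumes PowerShell 3.0+.
# Run it against a volume mounted from known-good boot media, not the
# infected system's own OS, because a live rootkit can hide streams.

function Get-AdsFindings {
    param(
        [Parameter(Mandatory = $true)][string]$Root,   # e.g. 'D:\' (offline volume, assumed)
        [string[]]$Ignore = @('Zone.Identifier')       # benign mark-of-the-web stream, skipped by default
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * lists every $DATA stream of the file; the unnamed
            # default stream shows up as ':$DATA', everything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and ($Ignore -notcontains $_.Stream) } |
                ForEach-Object {
                    $stream = $_
                    # Peek at the first line of the stream: an 'MZ' prefix means a PE image
                    # is parked in the stream, which is how a rootkit would stash a driver.
                    $head = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                                        -TotalCount 1 -ErrorAction SilentlyContinue
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $stream.Stream
                        Bytes       = $stream.Length
                        LooksLikePE = ($null -ne $head -and "$head".StartsWith('MZ'))
                    }
                }
        }
}

function Get-ZoneId {
    # Reads the Zone.Identifier stream that Internet Explorer writes on downloaded
    # files and returns its ZoneId (3 = Internet zone), or $null if there is none.
    param([Parameter(Mandatory = $true)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)$') { return [int]$Matches[1] }
    }
    return $null
}

# Usage (paths are constructed placeholders):
# Get-AdsFindings -Root 'D:\' | Export-Csv -NoTypeInformation -Path 'C:\triage\ads-findings.csv'
# Get-ZoneId -Path 'D:\Users\someone\Downloads\setup.exe'
```

Reviewing the CSV by hand is usually quick because, as the poster notes, legitimate use of named streams is rare; a stream whose first bytes are "MZ" sitting on an unrelated file is the kind of finding worth hashing and submitting for analysis before the volume is wiped.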
Microsoft has been less than forthcoming about ADS, its function and its mechanism. ADS has been used in the past to hack into web servers and now appears to be useful for rooting any system with NTFS.
Is ADS a Microsoft backdoor?
Even the ultimate authority on computer terminology, the Urban Dictionary, gets it right:
The desktop 64-bit processors out now are x86 processors, unless I missed the memo that we were all to move to RISC.
You did miss the memo. The AMD and Intel 64 bit processors use an instruction set architecture called "x86_64" (also x64 or AMD64 or EM64T, isn't marketing wonderful?). This instruction set extends the original 32 bit x86 instruction set. Wikipedia has some x86_64 architecture information.
isomerica.net | Foonetic IRC
People, please, stay sensible. First of all, a rootkit has to GET into a system.
True, but there are many modes of infection.
Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!
So, just because you don't know of any unpatched, remote vulnerabilities being exploited, we should not worry about them? What about local escalations, there are plenty of those outstanding and some people admin multi-user boxes. Finally, it can come in as a trojan. No one has the time to exhaustively check every program they run, if the source is even available. That means you have to trust every program you install. This is asking users to sacrifice usability for security, and that is a classic security blunder.
My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon.
My prediction is we can stop 100% of worms, trojans, and spybots by no longer using computers... of course that kind of defeats the purpose.
There is no technical solution for a social problem.
Malware is mostly a technical problem and a computer/human interaction problem. It can be solved with education as a social problem, but only when the previous problems have been fixed. You can't expect users to learn a whole lot of really complex topics in order to perform simple tasks. It is not going to happen. When joe-sixpack runs their computer they expect it to conform to some basic, sensible characteristics and it is failing. This is not the user's fault. This is the fault of the people who designed the system first and then tried to teach the average person a long series of complex topics and ever changing rules. What they should have done was ask the users what the computer should do and then make the computer do that.
It is unreasonable to expect that clicking on an icon that looks just like your picture files will install a program and let someone in Russia start using your computer to send spam. This is a failing of the computer, not the user. The computer should clearly indicate to the user what is a picture and what is a program. Then, it should not let the program do anything the user does not expect and want. If this rootkit arrives in a trojan, disguised as data or a beneficial program like a game, and the user runs it, they still should not have to worry about it because it should be running in a sandbox, by default. When it tries to do something unusual, like patch the core of the OS, the user should be warned in very strong language and given the option of letting the rootkit patch a VM's core OS instead, thereby stopping it from having any effect. It doesn't take a genius to do this, if only people would stop apologizing for how crappily most OS's, especially Windows, deal with this stuff. By blaming the users for this failing you're part of the problem. Stop it.
Odd... On Linux, I don't have any trouble running games or development applications as an unprivileged user. The only time I ever switch to a privileged user is when I'm installing something or reconfiguring the system in some way.
Of course, that usually has more to do with the developers of said applications than the OS itself. Windows is perfectly capable of running applications well under unprivileged user accounts, but the developers of those applications have gotten into the nasty habit of relying on the fact that most Windows users run as Administrator.
It's only capable of hiding itself if it is in the running environment. One solution is to boot from known-good, read-only media. Then you can search for known rootkit signatures.
In my opinion, however, once you get a system that badly infected, you should give up and wipe clean. You'll never know if you've successfully closed all the holes, and not even an expensive forensic analysis could guarantee such a thing.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
I don't know if Knoppix sees ADSs, but that's what I use to scan Windows boxes. I like to use HijackThis (Windows exe file) to quickly find ADS and other rootkit nastiness.
EOF
My personal experience so far with Linux is that most of the time, you won't need full root access, if:
- your access rights are correctly set (as in using the GUID "video" to grant access to devices used for graphic acceleration. Most modern distros have this done auto-magically by the setup or have the plug-n-play daemon assign correct rights to newly plugged devices)
- there are small pieces of code that are used to communicate between privileged access and unprivileged access (in other words: once upon a time, you needed to have SETUID on SVGALib to have nice graphics in games under Linux. Nowadays, SDL communicates with drivers and architectures like DRI, which take care to pass messages to a more privileged part which, in turn, will take care of the sensitive steps. In other words: old applications use a special extension and map the framebuffer themselves, if they have enough access rights. New (unprivileged) applications ask the X Server (with a modern extension), which itself has the right to access hardware, to map what is needed.)
That means that, with a correctly set up system, I never needed to sudo before playing anything with mplayer, xine, vlc or whatever else.
I almost never run applications as something different from my user account.
In fact, even installing updates is slowly being replaced with a less privileged process in recent distros (instead of asking the user to start a process as root and install updates himself under this identity, newer distros have a separate daemon that runs with the minimal necessary privileges and the user only has a small application that passes messages to the update daemon to make the system install patches).
On the other hand, Windows, with its "admin-by-default" accounts, hasn't done anything to prevent misbehaving software. I can understand that Windows 3.x and Windows 9x, with all their DOS tradition behind them, had to be "admin-by-default". But since Microsoft moved to a new architecture, why don't they change the default user profile behaviour? Old apps are run through an emulated API; newer applications break if they can't run in a non-privileged environment.
Old usage needed admin rights. That's normal. What's not normal is that Microsoft perpetuated the bad habit in newer versions of Windows.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
"It's a pain in the neck when you do this to install a program, and it installs it only to that (Say, the Administrator account) users start menu.
Or if you want to save a document from a program that requires it, you save it to My Documents, right? Go to open it later, open up My Documents in Windows Explorer and wow! It's gone!"
1) Click on my sig
2) Go to the useful tools section and grab one of the "sudo" type programs. Sudo WN is my favorite. The sudo tools solve the problems you mentioned above.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
This is just nitpicking, but from my understanding a rootkit consists of tools implemented _once the system is compromised_ to maintain root status and hide the compromise.
I always thought the means to gain access through vulnerabilities were called 'exploits.'
the resource fork is to identify file type and other pertinent details
That's a tremendous over-simplification. (It's also wrong. File types aren't stored in the resource fork; some files don't even have resource forks.) The resource fork contains a database of objects, each of which has a type and an ID. The primary use for resource forks by applications is to store user interface elements. Windows are stored in resources of type WIND, icons were originally stored as type ICON, and dialog boxes are stored as type DLOG. In the Motorola 68k days, the application's executable was stored in CODE resources. Lists of strings are stored in STR# resources, which makes localization a snap--just use a different string list, no recompilation necessary.
Nope, your saviour is called BartPE. No virus, worm or rootkit on the planet can disable it.
In fact I don't even bother running any host OS scans when I fix someone's PC anymore. I boot from a BartPE disc, scan it with the antivirus and antispyware and clean it up easier and faster than anything else.
Takes me far less time, I get it on the first try, and it's back to a clean machine for 35 seconds until the owner clicks on things again to reinstall every bit of spyware.
Do not look at laser with remaining good eye.
All bullshit. The RTC requires root to set up ... ONCE [ideally at startup]... then any user can use it.
I routinely play DVDs as my user [you need read access to /dev/dvd]; it's called group management.
I routinely play full screen video games as my user not root, etc, etc, etc.
Your information is out of date and just plain incorrect.
Tom
Someday, I'll have a real sig.
Sure.... but they also leave few real alternatives. So far, the most useful "boot from alternate OS to virus scan/clean" solutions are illegal, pirated boot CDs like "Hiren's" that make the rounds on the net.
You could shell out the ridiculous price of $400+ for a copy of AVAST's B.A.R.T. CD, I suppose - but then you're stuck with their inferior virus scanning/removal technology. I've generally fared better running the latest AVG on a compromised system's own OS than relying on AVAST to get it clean running from the stripped-down XP that boots from a B.A.R.T. CD.
Personally, I find it amazing that Symantec, of all people, hasn't re-used the "boot from virtual partition into PC-DOS" solution they've already integrated into Ghost Corporate as a way for their AV software to run full scans and cleans?
The halting problem has to do with a Turing machine running another Turing machine and deciding its output. What he's talking about is proving what algorithms can even run under certain conditions. That is a different problem entirely. One Turing machine most assuredly can run another one; it's just impossible to guarantee that it will return every time. This is what makes the halting problem impossible. You can run a Turing machine in another one, but there are two ways a Turing machine can reject an input. It can either decide it (return a NO) or it can enter an infinite loop. The parent machine has no way of knowing if the child machine is in such a loop or if it just happens to be a very long computation, so it just sits there and lets the child run. This is the difference between a Turing-decidable language and a Turing-recognizable one. In the parent poster's scenario, you only need to check recognizability, not decidability.
Also, computers are not Turing machines; they are linearly-bounded automata. Turing machines have infinite memory. In fact, a Turing machine can decide the output of a LBA. In any case, you can of course check to see if an algorithm will work under certain constraints. That's why there's a "System Requirements" part on software boxes.
And it's free! http://www.sysinternals.com/Utilities/RootkitRevealer.html