Windows Rootkit Wars Escalate
An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in an ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS-aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."
rootkit v. counter rootkit
counter counter rootkit v. counter rootkit
counter counter counter rootkit v. counter counter rootkit
An endless cycle of patch, pray, patch, pray, reinstall awaits us.
X|K|Ubuntu, anyone?
Since F-Secure detects it, does that imply it's not popular?
From what I understand, the government does take computer crime seriously, and does go after virus & rootkit authors. Unless that author happens to be a corporation, in which case it's a-ok.
>possible for a rootkit to go completely undetected on OSX
If it's undetectable how would you know?
People, please, stay sensible. First of all, a rootkit has to GET into a system. How it hides, how it vanishes, how it hooks certain parts of the system and how it defeats anti-rootkit tools is moot if it doesn't even GET that far.
Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!
And that's what it comes down to. Keep your system updated! Don't click on every moronic spam mail you get! Don't run everything you download from an unreliable source without at least checking what it is!
My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.
There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Since when does the government "go after" people who break in to homes? Even busting people who don't mow their lawns is a higher priority.
If it wasn't so sad, it would be funny.
Tell me how, please. The things you know about him/her/them/whatever:
A DNS-Server in San Jose.
A host in Kiew.
Code generated in Russia.
Distributed by spambots from around the world.
Now, where do you start looking? Have you ever tried getting some help from authorities in Russia? If not, it's a worthy adventure. At the very least, it gives you enough material to write a very interesting book.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That and people, listen, stop running Windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
What about developers? Lots of apps -- essentially games -- don't run well in unprivileged environments. I run as an unprivileged user but usually need to use runas when I didn't take the time to adjust braindead default program settings. And you can't ask the average user to tweak file and registry permissions. BTW I've seen apps opening data files rw when only ro was needed. How do you avoid security flaws then? Editing the binary to change call parameters isn't an option...
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Since F-Secure detects it since June 21st, does it imply this is old news?
or did they make sure it could install?
* Winners compare their achievements to their goals, losers compare theirs to that of others.
About your last link, #4 is wrong. Allowing someone to upload a program and allowing them to run it are very different things.
If a bad guy can upload files to your web site but isn't allowed to run them, you've nothing to fear (except if YOU run them afterwards, of course, but that's covered by #1).
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
The US government can't even pursue terrorists who kill American citizens without inviting substantial criticism.
Aren't a lot of those terrorists dead? You know, the ones with bombs strapped to them, or the ones who forced planes into buildings. And as regards the living terrorists, the criticism isn't so much directed at their pursuit, but rather the collateral damage in terms of innocent civilian casualties abroad and loss of civil rights at home.
Why? Afraid someone will see your porn collection? Seriously, housebreaking should be ignored by the law as much as computer cracking should. The police never "find" who done it when your house is robbed; 99% of the time they never even find your stuff. If you are lucky a cop sees the crime happening and stops it while it's in progress. It's a waste of time for them, that's how they feel about it. The government should force everyone to handle their own security.
Poof! No more problem.
Oh, wait, yes, the lame whiners who currently complain that they can't keep their computer secure will bitch because they can't seem to work a deadbolt and what is a lock anyway? Saying the government should handle computer security is like saying that an officer of the law should be stationed at your house to lock your doors for you and take the car keys out of your ignition.
No, security should be entirely in the private realm.
As UN*X systems have a single file system root, one has to ask: are relative paths a UN*X backdoor?
There are always a few people who mention this.
The problem when you do this is that it essentially treats you as if you are that user, not just with their privileges. It's a pain in the neck when you do this to install a program, and it installs it only to that user's (say, the Administrator account's) start menu.
Or if you want to save a document from a program that requires it, you save it to My Documents, right? Go to open it later, open up My Documents in Windows Explorer and wow! It's gone!
(disclaimer: maybe it doesn't work this way in XP, but it certainly did in Win2k when I did take the effort to run as a non-privileged user. XP Home doesn't make it that easy, what with the crippled security options)
A real cracker could write their own rootkit, and it would still be called a rootkit even though that particular rootkit wouldn't be available to anyone but himself.
It's very common for people to write their own tools, and then use them. That doesn't make them a script kiddie.
Let's separate the brainless script kiddies from what a rootkit is. It really doesn't matter who uses a rootkit, how the rootkit was developed, or even the motives of the user of the rootkit. A rootkit is a tool that provides unrestricted access to the system it is deployed on. Regardless of who, how, or why.
Slashdot.. where people join together in deliberate ignorance.
Is there any legitimate program that uses the ADS? I can see maybe some 68k Macintosh emulators using it, but most of the time those guys just create a virtual drive (a big single file that doesn't use the ADS) instead.
:)
I've known about it for a long time now, but have yet to ever use it myself. I really wish you could disable it entirely if nothing legitimate is going to bother. As it is now, it's just a poor security-by-obscurity mechanism that really has no place in the base OS.
Wait, I take back what I said before. I did find one shareware program that hid its "I've been installed for this long" counter file in the ADS. Deleting the file reset the counter.
I read the internet for the articles.
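The summary and the ADS discussion above both turn on what an NTFS alternate data stream looks like to the tools that do and don't know about it. The script below is an added example, not from any post in this thread or from the Rustock analyses it links: it walks a directory tree with PowerShell's own stream support and lists every stream other than the default `:$DATA` one, so an administrator can see what is riding along on files, including the shareware counter file described above or a browser's `Zone.Identifier` marker. `$Root` is a placeholder path, and the `$knownBenign` list is an assumption of this example. As the thread goes on to point out, a kernel-mode rootkit that hooks stream enumeration will hide from this check as well, which is exactly why the check belongs on a system booted from known-clean media.

```powershell
# Added example: enumerate NTFS alternate data streams under a directory
# and report every stream other than the default ':$DATA'.
# Assumes PowerShell 3.0 or later on an NTFS volume; $Root is a placeholder.
param(
    [string]$Root = 'C:\Users\Public'   # placeholder; point at the tree to audit
)

# Streams that ordinary software is known to create. They are flagged as benign
# for context, not hidden: Zone.Identifier is the "downloaded from the Internet"
# marker that browsers and Windows write. This list is an assumption of the example.
$knownBenign = @('Zone.Identifier')

function Get-AlternateStreams {
    param([string]$Path)

    # -Force includes hidden and system files; -File skips directories
    # (directories can carry streams too, so audit those separately if needed).
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one object per stream, including the default ':$DATA'.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Benign = ($knownBenign -contains $_.Stream)
                    }
                }
        }
}

# Unknown streams first, then the recognised ones, so the interesting rows are on top.
Get-AlternateStreams -Path $Root |
    Sort-Object Benign, File |
    Format-Table -AutoSize
```

To inspect a stream the script reports, `Get-Content -LiteralPath 'C:\path\file.txt' -Stream 'name'` reads it, and `Remove-Item -LiteralPath 'C:\path\file.txt' -Stream 'name'` removes only that stream and leaves the file's main data intact. The script runs entirely through the Win32 file APIs, so treat an empty result on a suspect machine as "nothing visible from this boot", not as "nothing there".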
Every time a security issue is posted, we get this advice about using an unprivileged user. It is, however, far from the end-all of security issues - even running as a normal luser, a program can hide from that user. And it has access to all of that user's data. One advance would be rigid separation between applications; Microsoft currently considers the desktop the "security boundary", and doesn't do much to isolate applications. Applications are also written carelessly with regard to buffer overflows in local input vectors, such as textboxes. Therefore, anything on the desktop has pretty much access to anything else running there, given some light hacking.
Allowing per-application access control is kludgily achieved by running apps as another user; this is counter-intuitive in today's world, where there is a 1:1 relationship between logged in users and computers. Separating applications, and assigning access rights with some granularity, is really difficult. But if web-apps don't take over the world, one would need another leap in separation, like protected mode was to real mode.
I don't know how or when it changed, but the orthodox approach to virus scanning used to be that you booted a known clean (very likely read-only) system in order to diagnose the possibly-compromised system.
Every time I hear about how some malware uses a rootkit to "hide", I know it simply means that people are using compromised systems to diagnose themselves. That approach is fundamentally flawed. No one should be surprised that it doesn't work, and it shouldn't be news that it doesn't work. We shouldn't be seeing this article on Slashdot in any category other than the humor section.
But we do see it, because it is news (to somebody?) because this unreliable approach to scanning is mainstream. How the hell did that happen?
It happened because the AV companies are selling their products as something that Windows users install rather than boot. But we know and they know that can't work. It's snakeoil and I think selling it is despicable.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I was pretty much with you until #5. Don't boot from read/write media? What exactly do you want me to boot from? Telling people not to boot from their hard disk is pretty radical. And even my Deb CD is really a CD-R - which is, you know, writeable.
#6 is even more out there. Unplug from the network? Being as how you're posting to Slashdot, obviously you're not taking your own advice. What am I missing here?
I think you need to get your tinfoil hat adjusted.
Sean
You do realize that every time you use "M$" fewer and fewer people could care any less about what you have to say, right?
I'll be happy to stop using it when M$ stops putting their marketing keys on millions of general purpose PC keyboards.
"M$" is just a handy reminder that Microsoft is still taxing the world $40,000,000,000+ per year for a dozen programs mostly written more than a decade ago with most of the most difficult bits, the device drivers, being written by third parties.
You attribute Microsoft's actions to greed... guess what, THEY ARE A FOR PROFIT COMPANY. Greed is another word for the desire for profits.
Yep, and being paid justifies any action. At least in M$' eyes. Some companies are more ethical.
The decisions Microsoft made were the correct ones AT THE TIME they made them.
I've already reminded you that both the problems and the solutions were well understood long before M$ came along. M$ chose not to implement them.
In 1992, when Microsoft began what would become Windows 95, they didn't see the Internet coming.
Floppy based computer viruses were widespread by 1988, 4 years before. Similar security problems with similar solutions. M$ chose not to implement them.
By the time they realized that the net posed a security risk it was far too late to redesign Windows and have any hope of making real money on what was then one of the most expensive software projects in history.
The expense would've been much the same whether or not they'd implemented security features, the security risks were well understood by everybody at that time. M$ chose to ignore them.
You speak of "virtual machines" and claim that these were feasible on 386 hardware. First of all, you really must be delusional.
No delusions. I was referring to virtual machines in the more general sense of virtual memory with a cooperating OS. Something well understood long before then with the 80386 designed to support it. The 80286 was supposed to support it too but because of a major design mistake it wasn't practical.
Virtual machines are becoming popular today because hardware is finally at a point where the performance is acceptable.
So emm386 and unix V using virtual memory paging were just a figment of my imagination? Virtualisation can also be done at software level, redirecting file opens, block writes and the like.
Do you honestly believe this was the case 12 or 15 years ago?
Yes. Virtualisation is taking off again now (it was common on other boxes decades ago) because there is a market need for it. It's just another layer isolating OS services from the hardware.
Second, I think you are dramatically underestimating the scope of creating an embedded virtual machine in the OS to run legacy applications. Even if Microsoft were to accomplish this, it would be at the expense of new features and improvements that customers demand.
False dichotomy. This is not an all or nothing situation. There is much that M$ could've done to improve the situation without trying to emulate every bit of their own OS. They chose not to.
You specifically said that Microsoft has claimed that users running as admin was never a problem, but your only support is the fact they use the terms "enterprise ready" or "internet ready".
So what does "enterprise ready" or "internet ready" mean to you? That it comes with a Twinkie?
Give me a break. Next you'll claim that anybody who criticizes the President wants terrorists to destroy America. You and I both know that in no way means that Microsoft thinks it's not a problem,
M$' actions speak louder than words. They think admin by default is not a problem and have done so for decades.
not to mention the fact that it is ENTIRELY possible to run XP without admin privs if you don't mind legacy apps often brea