Windows Rootkit Wars Escalate
An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in an ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS-aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."
rootkit v. counter rootkit
counter counter rootkit v. counter rootkit
counter counter counter rootkit v. counter counter rootkit
An endless cycle of patch, pray, patch, pray, reinstall awaits us.
X|K|Ubuntu, anyone?
From what I understand, the government does take computer crime seriously, and does go after virus & rootkit authors. Unless that author happens to be a corporation, in which case it's a-ok.
>possible for a rootkit to go completely undetected on OSX
If it's undetectable how would you know?
People, please, stay sensible. First of all, a rootkit has to GET into a system. How it hides, how it vanishes, how it hooks certain parts of the system and how it defeats anti-rootkit tools is moot if it doesn't even GET that far.
Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!
And that's what it comes down to. Keep your system updated! Don't click on every moronic spam mail you get! Don't run everything you download from an unreliable source without at least checking what it is!
My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.
There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If it wasn't so sad, it would be funny.
Tell me how, please. The things you know about him/her/them/whatever:
A DNS-Server in San Jose.
A host in Kiew.
Code generated in Russia.
Distributed by spambots from around the world.
Now, where do you start looking? Have you ever tried getting some help from authorities in Russia? If not, it's a worthy adventure. At the very least, it gives you enough material to write a very interesting book.
That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
What about developers? Lots of apps -- essentially games -- don't run well in unprivileged environments. I run as an unprivileged user but usually need to use runas when I didn't take the time to adjust brain-dead default program settings. And you can't ask the average user to tweak file and registry permissions. BTW I've seen apps opening data files rw when only ro was needed. How do you avoid security flaws then? Editing the binary to change call parameters isn't an option...
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
About your last link, #4 is wrong. Allowing to upload a program and allowing to run it is a very different thing.
A bad guy can upload files on your web site, if he isn't allowed to run them, you've nothing to fear (except if YOU run them afterwards, of course, but it's covered by #1)
The US government can't even pursue terrorists who kill American citizens without inviting substantial criticism.
Aren't a lot of those terrorists dead? You know, the ones with bombs strapped to them, or the ones who forced planes into buildings. And as regards the living terrorists, the criticism isn't so much directed at their pursuit, but rather the collateral damage in terms of innocent civilian casualties abroad and loss of civil rights at home.
There are always a few people who mention this.
The problem when you do this, it essentially treats you as if you are that user, not just their privileges. It's a pain in the neck when you do this to install a program, and it installs it only to that (Say, the Administrator account) users start menu.
Or if you want to save a document from a program that requires it, you save it to My Documents, right? Go to open it later, open up My Documents in Windows Explorer and wow! It's gone!
(disclaimer: maybe it doesn't work this way in XP, but it certainly did in Win2k when I did take the effort to run as a non-privileged user. XP Home doesn't make it that easy, what with the crippled security options)
A real cracker could write their own rootkit, and it would still be called a rootkit even though that particular rootkit wouldn't be available to anyone but himself.
It's very common for people to write their own tools, and then use them. That doesn't make them a script kiddie.
Let's separate the brainless script kiddies from what a rootkit is. It really doesn't matter who uses a rootkit, how the rootkit was developed, or even the motives of the user of the rootkit. A rootkit is a tool that provides unrestricted access to the system it is deployed on. Regardless of who, how, or why.
Slashdot... where people join together in deliberate ignorance.
Is there any legitimate program that uses the ADS? I can see maybe some 68k Macintosh emulators using it, but most of the time those guys just create a virtual drive (a big single file that doesn't use the ADS) instead.
:)
I've known about it for a long time now, but have yet to ever use it myself. I really wish you could disable it entirely if nothing legitimate is going to bother. As it is now, it's just a poor security-by-obscurity mechanism that really has no place in the base OS.
Wait, I take back what I said before. I did find one shareware program that hid its "I've been installed for this long" counter file in the ADS. Deleting the file reset the counter.
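As an added example that is not part of this thread or of either vendor's analysis, the following PowerShell (3.0 or later, which is where the -Stream parameter appeared) lists every NTFS alternate data stream under a directory other than the ones Windows itself creates routinely, so a counter file like the one described above, or anything else unexpected, shows up for review. The $Root path and the list of "known" stream names are assumptions; adjust both for your environment.

```powershell
# Added example, not from the thread: enumerate non-default NTFS alternate data
# streams under $Root. Assumes a Windows host, PowerShell 3.0+, an NTFS volume.
param(
    # Placeholder starting directory; pick the tree you want to review.
    [string]$Root = "$env:USERPROFILE\Downloads"
)

# Streams a normal Windows system creates legitimately. ':$DATA' is the file's
# main content; 'Zone.Identifier' is the mark-of-the-web added to downloads.
# Anything outside this list is worth a second look (assumed list, extend as needed).
$knownStreams = @(':$DATA', 'Zone.Identifier')

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-Item -Stream * returns one object per stream on the file,
        # including the default :$DATA stream, which is filtered out below.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $knownStreams -notcontains $_.Stream } |
    Select-Object FileName, Stream, Length |
    Sort-Object FileName |
    Format-Table -AutoSize
```

Two caveats that follow from the thread itself: the summary says Rustock blocks even ADS-aware tools from seeing its stream, so a listing produced on the live, possibly compromised system is only as trustworthy as that system's kernel; and a legitimate stream (the shareware counter, Zone.Identifier on a downloaded file) is not evidence of compromise on its own. For a box you actually suspect, the offline approach described later in the thread, booting known-clean media and examining the volume from there, is the one that does not depend on the suspect system's own file system view.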
I read the internet for the articles.
I don't know how or when it changed, but the orthodox approach to virus scanning used to be that you booted a known clean (very likely read-only) system in order to diagnose the possibly-compromised system.
Every time I hear about how some malware uses a rootkit to "hide", I know it simply means that people are using compromised systems to diagnose themselves. That approach is fundamentally flawed. No one should be surprised that it doesn't work, and it shouldn't be news that it doesn't work. We shouldn't be seeing this article on Slashdot in any category other than the humor section.
But we do see it, because it is news (to somebody?) because this unreliable approach to scanning is mainstream. How the hell did that happen?
It happened because the AV companies are selling their products as something that Windows users install rather than boot. But we know and they know that can't work. It's snakeoil and I think selling it is despicable.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.