Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows Rootkit Wars Escalate

Posted by ryuzaki0 on from the most-secure-version-of-windows-ever dept.

An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in a ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."

3 of 342 comments (clear)

  1. Security doesn't start at rootkit detection by Opportunist · · Score: 5, Insightful

    People, please, stay sensible. First of all, a rootkit has to GET into a system. How it hides, how it vanishes, how it hooks certain parts of the system and how it defeats anti-rootkit tools is moot if it doesn't even GET that far.

    Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!

    And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unrelyable source without at least checking what it is!

    My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.

    There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Security doesn't start at rootkit detection by Jaysu · · Score: 5, Insightful

      "My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon."

      oh, and uh, don't put a store bought Sony music CD in there either. Spam can come in forms besides bright flashing "click me" banners.

      --
      It has been said that 63% of all statistics are made up
    2. Re:Security doesn't start at rootkit detection by Evil+Shabazz · · Score: 5, Insightful

      Sony has clearly shown us that even "trusted" sources and "knowing" what you're running can result in unintentional rootkit installation without your knowledge. After all, isn't Sony a "trusted" source and we knew playing their CDs wouldn't be harmful, right?

      I bought that CD from a store legitimately. There's no way I'd get a rootkit problem from that, right?

      --
      Down with the career politician! SUPPORT TERM LIMITS