Windows Rootkit Wars Escalate
An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in an ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."
I don't hate Sony because they installed rootkits on some people's computers; I hate them because after that incident the word rootkit became popular.
Was this designed simply as an easy way to hide (system?) files in the filesystem or was it for something different entirely? I remember there being a "chmod +/-h" in old (perhaps even current, I no longer use it) versions of HP-UX that would hide files, is this something similar?
rootkit v. counter rootkit
counter counter rootkit v. counter rootkit
counter counter counter rootkit v. counter counter rootkit
An endless cycle of patch, pray, patch, pray, reinstall awaits us.
X|K|Ubuntu, anyone?
Well it wouldn't happen in other OSes because NTFS is a closed proprietary standard. :-)
That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
Tom
Someday, I'll have a real sig.
Since F-Secure detects it, does that imply it's not popular?
The Government's resources are currently tied up chasing 'terrorists' and holding the world's oil supply hostage. Please wait your turn. Your post has been noted and the next available Government Agent will be dispatched as soon as they are free. Thanks.
The following replies are posted by unwashed nerds.
From what I understand, the government does take computer crime seriously, and does go after virus & rootkit authors. Unless that author happens to be a corporation, in which case it's a-ok.
Yeah! We've had rootkits since . . . . . well, about as long as we've had root! Your retarded spawn of DOS and an art school is late to the party.
Better late than never though I suppose . . . . .
If only Windows was closed source, then writing such tools would be difficult. Oh, wait...
There's something wrong with your statement. Look for it. Something about "no denying." ;)
>possible for a rootkit to go completely undetected on OSX
If it's undetectable how would you know?
http://www.heysoft.de/nt/ntfs-ads.htm
There's a lot that can be done with it.
This Russian-created rootkit is smart enough to recognize known anti-rootkit tools and hide from them.
:P
Does this mean that in Soviet Russia, rootkits detect y... Bah, nevermind. Too easy.
Slashdot: come for the pedantry, stay for the condescension.
People, please, stay sensible. First of all, a rootkit has to GET into a system. How it hides, how it vanishes, how it hooks certain parts of the system and how it defeats anti-rootkit tools is moot if it doesn't even GET that far.
Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!
And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unreliable source without at least checking what it is!
My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.
There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I think the criticism probably stems from the fact that they're so bad at catching them and cause so much "collateral damage" . . . . . .
I think you misunderstood the GP. He is not saying we should pick up everyone who at some point had a drink with the third cousin, twice removed, of a hacker, and throw them on a CIA plane to be boiled in Uzbekistan without any semblance of due process.
And as other people have said, the government is going after hackers.
Since when does the government "go after" people who break in to homes? Even busting people who don't mow their lawns is a higher priority.
I think it's somewhat disingenuous to specifically note this rootkit works in Vista. It implies that the security work done in Vista has somehow failed.
Vista has numerous improvements security wise, and almost all of them have to do with preventing a machine from becoming infected to begin with.
UAC, Windows Defender, the improved software firewall, IE 7+ sandboxing/broker, etc... these are all meant to make it a lot harder for malware to get on the machine to begin with.
As the old security adage goes, if untrusted software is run on your machine, it's not your machine anymore.
If it wasn't so sad, it would be funny.
tell me how, please. The things you know about him/her/them/whatever:
A DNS-Server in San Jose.
A host in Kiew.
Code generated in Russia.
Distributed by spambots from around the world.
Now, where do you start looking? Have you ever tried getting some help from authorities in Russia? If not, it's a worthy adventure. At the very least, it gives you enough material to write a very interesting book.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
What about developers? Lots of apps -- essentially games -- don't run well in unprivileged environments. I run as an unprivileged user but usually need to use runas when I didn't take the time to adjust braindead default program settings. And you can't ask the average user to tweak file and registry permissions. BTW I've seen apps opening data files rw when only ro was needed. How do you avoid security flaws then? Editing binaries to change call parameters isn't an option...
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Since F-Secure detects it since June 21st, does it imply this is old news?
or did they make sure it could install?
* Winners compare their achievements to their goals, losers compare theirs to that of others.
FSecure's posting says that they released a version of their antirootkit software that can defeat this. Date June 21
Symantec says that FSecure's product can't remove this. Date June 29.
Any reason for this discrepancy? You'd think they'd continue to monitor what other companies are doing to combat the problem and 8 days would be enough for them to find out about the new release.
Well.. maybe. Or Maybe not. But Definitely not sort of.
The parent is either the best troll I've ever read, or the stupidest piece of fanboy fiction ever propagated. I'm hoping it's a troll, because, if it is, it needs to be held up to all attempted trollers as the standard to which they should aspire.
Oh, by the way -- if there were an undetectable rootkit on OS X, how would one go about finding it?
All valid points.
I seem to recall Word [used to?] writing files in the \windows\system32 dir....
Tom
Someday, I'll have a real sig.
x86 versions only.
Would be interesting to know if there will be or are 64-bit versions of rootkits.
"Rootkit Wars" ??
This isn't a war. This is merely an advance in the sophistication of one rootkit. This happens all the time.
Why is this being called a "war" now?
Maybe because if they called it what it is - "Another Lame Virus Advancement" - nobody would click the link and look at their ads.
What a joke.
By the way, does anyone else find it funny that Symantec and F-Secure have "blogs" now? WTF? Why not just go the whole 9 and create a MySpace profile too?
smattawichu
The US government can't even pursue terrorists who kill American citizens without inviting substantial criticism.
Aren't a lot of those terrorists dead? You know, the ones with bombs strapped to them, or the ones who forced planes into buildings. And as regards the living terrorists, the criticism isn't so much directed at their pursuit, but rather the collateral damage in terms of innocent civilian casualties abroad and loss of civil rights at home.
Did the writers of the rootkit consider that...
"The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior." http://www.sysinternals.com/Utilities/RootkitReve
Ooops... 1 step ahead of the hackers yet again.
This was definitely fixed in Word 2000, not sure about 97. Stupid MS org chart tool still tried to do that though.
Don't rootkits need to hook into the kernel in some way, and the "some way" in Vista is via signed binaries? Overriding kernel hooks seems to imply that yes, signed binaries are needed as well...
Also, would it be able to hide from a tool like Sysinternals' rootkit detector which compares API return values for the registry and filesystem with an actual analysis of the registry files themselves, and a scan of the raw blocks on the disk? (Understands NTFS and FAT, and the registry hive format).
These things are like the neighbor that just walks in the house, takes a piss, grabs a beer out of the fridge, asks you if you're watching teh game after sitting on the couch next to you.
If they'd put some fucking beer in there now & then it wouldn't be so damn aggravating.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
NTFS alternate data stream? It's a good thing I still use Windows 95 that doesn't have any of those fancy shmancy features that can be exploited like that.
If you're (like me) one of the, umm, fortunate souls who get to clean up rootkit-infested machines regularly, there's a tool you should know about: LADS, for "list alternative data streams"
It can be found buried in this FAQ about the NTFS ADS feature: http://www.heysoft.de/nt/ntfs-ads.htm
I haven't tried it yet, but it looks like it should work from a win32 bootdisk (like BARTPE). So you should be able to boot from a clean win32 environment and scan the computer's hard disk to find any files with ADSs. Fortunately, use of this feature within NTFS is not widespread, so malware should stand out pretty obviously.
Have fun!
-R
not easy as long as ADS exists.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Microsoft has been less than forthcoming about ADS, its function and its mechanism. ADS has been used in the past to hack into web servers and now appears to be useful for rooting any system with NTFS.
Is ADS a Microsoft backdoor?
You must be kidding, our government since before Clinton wastes its resources handling trifling issues and ignoring the terrorist threats as much as possible.
the parent isn't an apology in any way, and how is anything related to OSX remotely relevant? As the parent said, any issue with Windows will be viewed as an opportunity to evangelize macs. Nicely done.
Except that when Gore was VP one of his recommendations was a no-fly list that went ignored by the FAA. There's an article on CNN on TWA 800 today, which shows they were the first to think it was terrorism, and started looking into how to deal with it.
Your foot touched the hot lava!
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Long ago, in the days of MS-DOS, there was a program that was excellent at detecting unknown MS-DOS viruses. Called Integrity Master, for maximum security one ran it from a bootable floppy, scanned files on the hard disk, and stored the file with the scanned signatures on a floppy. It wasn't SHA or MD5 hashes, but at the time it was solid security.
Then, one periodically (once or twice a week, as paranoia sees fit) ran the utility on their machine. If stuff in the MS-DOS directory was changed, it was immediately apparent. Integrity Master also was able to scan for some known viruses as well in addition to keeping a log of changed files.
We need a utility like that for Windows XP and Vista. A bootable CD or DVD that not just can understand NTFS (and NTFS's file compression), but has the necessary software to mount hard disks which are encrypted with BitLocker, PGP, SafeBoot, PointSec, WinMagic, DriveCrypt Plus Pack. The utility should also allow for username/password entry so EFS-protected files can be checked too.
This utility should use a CD or DVD to boot from, mount hard drive volumes, run checks for alternate data streams, system and nonsystem files, and finally the registry, perhaps including the encrypted parts like the SAM. It should not just save hashes of files, but perhaps have some ability to check file signatures as well (like sfc.exe and sigverif.exe do), so an update to Windows via a legitimate way doesn't set off a lot of false positives. Of course, the "manifest" file storing the file hashes on the file system would be stored on a removable USB drive, so the OS on the hard drive never has the ability to touch it.
Because this checking is done offline, a rootkit would be a lot harder to hide (unless it uses a method that the integrity scanner wasn't programmed to detect, like perhaps pointing to unallocated disk space for executable code, or hiding in an EFS-protected file.)
Of course, offline checking isn't perfect, because the machine being scanned has to be totally downed for a good amount of time which can't be done in a 24/7 environment.
There are some hurdles though. Trying to reduce the amount of false positives is one, for example. A novice user presented with a notice that a lot of files were changed likely wouldn't know what was a bad change, and what was normal for system functioning. After that, it's decoding files and registry keys. Finally, if a known rootkit database was used, keeping track of how rootkits encrypt their payload, and delivering timely program updates.
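The offline manifest check the post above describes, written out as a small Python tool. This is an added example for the thread, not Integrity Master or any shipping product: it hashes a directory tree with SHA-256 into a manifest meant to be kept on removable media rather than the scanned disk, diffs a later run against it, and accepts an allow-list of known-good hashes as a hypothetical stand-in for the sfc/sigverif-style signature check the poster wants, so a legitimate update shows up as "updated" instead of "changed". The sample tree built by demo_run() is constructed in a temporary directory; names such as system32/kernel.bin are made up for the demonstration.

```python
"""Offline file-integrity manifest in the spirit of the post above.

Added example for this thread, not Integrity Master or any shipping
product. Run it from a clean boot environment against the mounted target
disk and keep the manifest on removable media, never on the scanned volume.
The known-good hash set is a hypothetical stand-in for signature checks.
"""
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, streamed so large binaries need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its hash.

    Symlinks are skipped so a link pointing outside the tree cannot make an
    unrelated file look like part of the baseline."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare_manifests(baseline, current, known_good=frozenset()):
    """Classify every path as added / removed / changed / updated.

    A changed file whose new hash is in known_good (hashes published for a
    legitimate update) is 'updated', not 'changed': the false-positive
    reduction the post asks for."""
    report = {"added": [], "removed": [], "changed": [], "updated": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        elif old != new:
            report["updated" if new in known_good else "changed"].append(rel)
    return report


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(content)


def demo_run():
    """Constructed scenario in a temp dir: baseline a tiny tree, then apply
    one legitimate update, one tampered driver, one deleted file and one
    planted file, and return the comparison report."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        _write(root, "system32/kernel.bin", b"kernel v1")
        _write(root, "system32/driver.sys", b"driver")
        _write(root, "notes.txt", b"hello")
        baseline = build_manifest(root)

        new_kernel = b"kernel v2"                              # vendor update
        _write(root, "system32/kernel.bin", new_kernel)
        _write(root, "system32/driver.sys", b"driver+payload")  # tampering
        os.remove(os.path.join(root, "notes.txt"))
        _write(root, "system32/implant.sys", b"planted")
        current = build_manifest(root)

        vendor_hashes = {hashlib.sha256(new_kernel).hexdigest()}
        return compare_manifests(baseline, current, vendor_hashes)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo_run().items():
        print(f"{kind:8s} {paths}")
```

Because the hashing runs from media the target OS never executed, a kernel-resident rootkit gets no chance to filter what the scanner reads; the remaining blind spots are exactly the ones the post lists, such as code parked in unallocated space or inside EFS-protected files the scanner cannot open.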
Why? Afraid someone will see your porn collection? Seriously, house breaking should be ignored by the law as much as computer cracking should. The police never "find" who done it when your house is robbed, 99% of the time they never even find your stuff. If you are lucky a cop sees the crime happening and stops it while it's in progress. It's a waste of time for them, that's how they feel about it. The government should force everyone to handle their own security.
Poof! No more problem.
Oh, wait, yes, the lame whiners who currently complain that they can't keep their computer secure will bitch because they can't seem to work a deadbolt and what is a lock anyway? Saying the government should handle computer security is like saying that an officer of the law should be stationed at your house to lock your doors for you and take the car keys out of your ignition.
No, security should be entirely in the private realm.
Hey Hey! Hate the game! Not the playa'! 'Sama 'n Sony got serious game.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
i still use FAT32, you insensitive clod!
Back in grad school, someone accidentally erased every user file on our group's Mac. Including my thesis! Unerasing was a nightmare (our mac "guru" wasn't much help). We got the data back, but none of it had the correct data fork associated with it. Everything got treated as an ascii text file.
I spit on your grave, OS7!
The world is made by those who show up for the job.
Microsoft Private Folder 1.0 uses rootkit-like techniques to hide encrypted files from the Win32 API. I wrote a little about it in my blog a few days ago.
Alajandro, I'd think most rootkits would be contained within that virtual machine. They typically insert themselves into the core/kernel of the OS such that the OS cannot see it, its actions, its files, etc. Hope that helps. -dj
Sorry to say it bluntly, but I do remember. It's over. It's patched. Currently, there are no unpatched bugs (at least none that I'm aware of) that let you deliver malware straight to a connected computer.
So what that means is that there are unpatched holes, and since we don't know where they are you don't know a likely attack vector that such a rootkit might try and be deployed by.
Don't connect to the net without a firewall? Heck, given you can't know anything you are doing over the network is not an attack vector you might as well just shut down the network connection altogether.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
Too bad that Windows and most of the nixes have had at least one privilege escalation exploit present at any given time. Not to mention that to install software (for all users), one has to be root. A rootkit only needs to be embedded in an installer.
I think this is the equivalent situation. When you chroot, it changes the root of the file system, "/", but IIRC it doesn't change any open directory handles. In particular, it doesn't change the current working directory. So you should always follow a chroot with "cd /" or equivalent. If you have other open directories, you also have to deal with those.
Otherwise, a hacker could just "cd .." and they're out of your jail.
[Yoda]
Begun, the Rootkit Wars have...
[/Yoda]
In *most* instances, you can use the built-in "Run As" feature to run games/etc that need special permissions.
But the real solution is to complain to your software vendors.
and from the mplayer docs:
This is just one app. Consider my 5c donated.
+5, Truth
Odd... On Linux, I don't have any trouble running games or development applications as an unprivileged user. The only time I ever switch to a privileged user is when I'm installing something or reconfiguring the system in some way.
Of course, that usually has more to do with the developers of said applications than the OS itself. Windows is perfectly capable of running applications well under unprivileged user accounts, but the developers of those applications have gotten into the nasty habit of relying on the fact that most Windows users run as Administrator.
I have a legitimate question. What site can you visit to get the rootkit or discuss information about it? When I was in university I usually went to neworder.box.sk for all my hacker/cracker needs, also the russian password crackers sites and crackstore to name a few.
There was also fravia and other nice pages where you could get that information but now I am not "on the song" anymore, can anyone enlighten me please?
Ubuntu is an African word meaning 'I can't configure Debian'
These guys confirm it
+5, Truth
Well you used to have to run games as setuid root because of limitations of SVGAlib. But that was like 10 years ago.
“Common sense is not so common.” — Voltaire
This should change with Vista, since all users in Vista are limited users. If you belong to the Administrators group, your programs will not run with Administrative permissions unless you use runas. Programs that know they need higher permissions will cause a password prompt to appear asking for administrative permissions (no password needed if you are an admin, but you still get the prompt).
So any developers who have been lazy about this will get a rude awakening with Vista. The typical application should only need admin privileges to install. Since the devs will be getting the prompts too, hopefully they fix all of the annoyances themselves.
Actually, most older games will work under a limited account if you give all users read/write permissions to the directory "C:\Program Files\Game Directory". This is true of most older software.
While there is naturally a security risk in giving all users the ability to write to files that will also be run by privileged users, there are so few viruses on the loose that attempt to infect old games and Win9x apps that I wouldn't worry about it.
Every game I've seen released since mid-2001 has had no problem running on a limited account. The only possible exception I can think of is MMORPGs that require patching before connecting to the server. User preferences and savegames are now saved in the %userprofile%\My Documents\My Games\Name of Game folder.
If you're playing 90s-era games and apps, you have to duplicate the environment they were assumed to run under. The simple measure of adjusting filesystem permissions and setting OS emulation for the executable accounts for the vast majority of older games that I've tried. You have to be an administrator to do it, but once it's done it works under any account.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
...just as any issue with a Mac not having game #x available is viewed as an opportunity to evangelize windows. Mac users have to listen to this drivel constantly from windows users. It's annoying coming from either direction. Use the tool that suits YOU and don't deride others for their choice of OS. btw, I think your 2nd last sentence should've read: "As the parent said, any issue with Windows will be viewed as an opportunity to evangelize linux"
I chose to end my comments, not with a rim shot, but a long decaying F#7sus4
in UNIX, a root is only for adding users or changing special permissions globally. All others get a special copy of the same and the games that you run can change them at will.
UNIX apps being statically bound come with their own libraries, and hence you do not need to share anything.
Windows comes ONLY with shareware stuff (NOT shareware), so that all applications depend on that copy for everything.
"Doing what i can, with what i have." ~ Burt Gummer
My personal experience so far with Linux is that most of the time, you won't need full root access, if:
- your access rights are correctly set (as in using the GUID "video" to grant access to devices used for graphic acceleration. Most modern distros have this done auto-magically by the setup or have the plug-n-play daemon assign correct rights to newly plugged devices)
- there are small pieces of code that are used to communicate between privileged access and unprivileged access (in other words: once upon a time, you needed to have SETUID on SVGALib to have nice graphics in games under Linux. Nowadays, SDL communicates with drivers and architectures like DRI, which take care to pass messages to a more privileged part which, in turn, will take care of the sensitive steps. (In other words: Old applications - use special extension and map framebuffer themselves, if enough access rights. New (unprivileged) applications - ask the X Server (with modern extension) which itself has the right to access hardware to map what is needed.)
That means that, with a correctly set up system, I never needed to SUDO before playing anything with mplayer, xine, vlc or whatever else.
I almost never run applications as something different from my user account.
In fact, even installing updates is being slowly replaced with a less privileged process in recent distros (instead of asking the user to start a process as root and install updates himself under this identity, newer distros have a separate daemon that runs with the minimal necessary privileges and the user only has a small application that passes messages to the update daemon to make the system install patches).
On the other hand, Windows, with its "admin-by-default" accounts, hasn't done anything to prevent misbehaving software. I can understand that Windows 3.x and Windows 9x, with all their DOS tradition behind them, had to be "admin-by-default". But since Microsoft moved to a new architecture, why don't they change the default user profile behaviour? Old apps are run through an emulated API, newer applications break if they can't run in a non-privileged environment.
Old usage needed admin rights. That's normal. What's not normal is that Microsoft perpetuated the bad habit in newer versions of Windows.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
My boss was telling me how he'd spent all morning with the IT manager removing a trojan off of his Windows machine.
I looked up from my iBook and FC5 workstation, looked him in the eye with a face full of innocence, and asked, "What's a 'Trojan?'"
"Well, see, it's like... a 'trojan' is like the Trojan horse; it's a program that comes into your system and..."
wink
"...why I oughtta slug you!"
It's a good thing the guy's a consummate professional, because I probably deserve to be writing this from the hospital.
"...just as any issue with a Mac not have game #x available is viewed as an opportunity to evangelize windows."
Irrelevant. Besides I'm not the original poster of this nor have I evangelized windows.
"Use the tool that suits YOU and don't deride others for their choice of OS."
Didn't deride anybody. That was the mac fanboy...
"I think your 2nd last sentence should've read: "As the parent said, any issue with Windows will be viewed as an opportunity to evangelize linux""
No, it was mac evangelism.
This is just nitpicking, but from my understanding a rootkit consists of tools implemented _once the system is compromised_ to maintain root status and hide the compromise.
I always thought the means to gain access through vulnerabilities were called 'exploits.'
Read this paper: SubVirt: Implementing malware with virtual machines (and my blog if it won't print for you). VMWare/Virtual PC won't necessarily prevent rookits from infecting the host OS (though to date I haven't heard of any VM Rootkits).. just a matter of time, most likely.
Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
It makes you wonder about development cycles when people are producing malware for software that's not even been released yet. Is this a negative-day vulnerability? (and how does one quantify it when MS isn't yet saying when Vista's going to hit the market?)
Nostalgia's not what it used to be.
To put this in a different way... Security is an illusion, maybe even a delusion. There will never be a time when any of us is 100% secure. There is no OS that is 100% secure. Security is important, but if your expectation is for complete security, you will live a disappointed life. The weak link in most computer networks is human. If it was programmed by humans, there will be a flaw that can be exploited. If there isn't a flaw in the programming, social engineering works fine to discover passwords that get you past the security.
The government does not exist to prevent someone from making a dumb mistake. It should convict those who take advantage of someone's dumb mistake. Most rootkits/spyware are installed by the owner of the PC when visiting illegal or semi-legal sites, such as pr0n/gambling/file sharing. Whether or not these sites should exist is beside the point. If you go for a walk through a "bad" neighborhood with no protection at 3AM and get mugged, yes they should convict the mugger, but you chose to go through a dangerous area at a dangerous time.
Because the government is made up of human beings, it is flawed. Legislation can fix some problems, but with the complex legalese that is used in most laws it is as easy to circumvent a poorly written law as it is to circumvent poorly written code. You just have to know what you are doing.
So take reasonable precautions, but don't expect your precautions to amount to much if you are making poor decisions.
I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
All bullshit. The RTC requires root to setup ... ONCE [ideally at startup]... then any user can use it.
I routinely play DVDs as my user [you need read access to /dev/dvd] it's called group management.
I routinely play full screen video games as my user not root, etc, etc, etc.
Your information is out of date and just plain incorrect.
Tom
Someday, I'll have a real sig.
Every time a security issue is posted, we get this advice about using an unprivileged user. It is, however, far from the end-all of security issues - even running as a normal luser, a program can hide from that user. And it has access to all of that users data. One advance would be rigid separation between applications; Microsoft currently considers the desktop the "security boundary", and doesn't do much to isolate applications. Applications are also written carelessly with regards to buffer overflows in local input vectors, such as textboxes. Therefore, anything on the desktop has pretty much access to anything else running there, given some light hacking.
Allowing per-application access control is kludgily achieved by running apps as another user; this is counter-intuitive in today's world, where there is a 1:1 relationship between logged in users and computers. Separating applications, and assigning access rights with some granularity, is really difficult. But if web-apps don't take over the world, one would need another leap in separation, like protected mode was to real mode.
"All others get a special copy of the same and the games that you run can change them at will.
UNIX apps being statically bound come with their own libraries, and hence you do not need to share anything.
Windows comes ONLY with shareware stuff (NOT shareware), so that all applications depend on that copy for everything."
Wrong.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Go to the command prompt.
echo Text! > text.txt:ADS
Do a DIR and you'll see the size of text.txt is 0 bytes.
The string "Text!" has ended up in an ADS stream called "ADS".
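An added example (not the thread's code, nor the LADS tool linked earlier in the thread) that does from Python what the echo/DIR test above shows by hand and what LADS does for a whole disk: it asks NTFS for every stream attached to a file through the Win32 FindFirstStreamW/FindNextStreamW calls via ctypes and reports the named ones, which DIR leaves out of both the listing and the size. The Win32 part only runs on Windows against an NTFS volume; parse_stream_name() is plain string handling. The function names and the hits dictionary are mine.

```python
"""List the NTFS alternate data streams attached to a file.

Added example for this thread; not the LADS tool and not code from the
posts above. Assumptions: Windows, an NTFS volume, Python 3 with ctypes.
FindFirstStreamW / FindNextStreamW / FindClose are real kernel32 exports;
everything else (function names, the hits dict) is mine.
"""
import ctypes
import os
import sys

MAX_PATH = 260
FIND_STREAM_INFO_STANDARD = 0      # the only InfoLevel the API defines
ERROR_HANDLE_EOF = 38              # "no more streams"
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout from the Win32 headers: a LARGE_INTEGER size followed by the
    # stream name, which the API returns in the form ":name:$DATA".
    _fields_ = [
        ("StreamSize", ctypes.c_int64),
        ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36)),
    ]


def parse_stream_name(raw):
    """Split ':ADS:$DATA' into ('ADS', '$DATA').

    The unnamed default stream (the bytes DIR reports) comes back from the
    API as '::$DATA', so its name is the empty string.
    """
    if not raw.startswith(":"):
        raise ValueError(f"unexpected stream name {raw!r}")
    name, _, stream_type = raw[1:].partition(":")
    return name, (stream_type or "$DATA")


def list_streams(path):
    """Return [(name, type, size_in_bytes), ...] for every stream on path."""
    if sys.platform != "win32":
        raise OSError("alternate data streams are a Win32/NTFS feature")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD,
                                  ctypes.byref(data), 0)
    if handle is None or handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            name, stream_type = parse_stream_name(data.cStreamName)
            streams.append((name, stream_type, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                err = ctypes.get_last_error()
                if err == ERROR_HANDLE_EOF:
                    break
                raise ctypes.WinError(err)
    finally:
        k32.FindClose(handle)
    return streams


def named_streams(streams):
    """Keep only named streams: the ones DIR, Explorer and the file size omit."""
    return [s for s in streams if s[0] != ""]


def find_files_with_ads(root):
    """Walk root (e.g. a disk mounted from a clean boot CD) and map each
    file that carries a named stream to its list of streams."""
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                extra = named_streams(list_streams(path))
            except OSError:
                continue  # not NTFS, not Windows, or the file went away
            if extra:
                hits[path] = extra
    return hits


if __name__ == "__main__":
    # After the thread's "echo Text! > text.txt:ADS", this prints the 'ADS'
    # stream that DIR's 0-byte size gives no hint of.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, extra in find_files_with_ads(target).items():
        for name, stream_type, size in extra:
            print(f"{path}:{name}:{stream_type}  {size} bytes")
```

As the LADS post above suggests, the scan is only trustworthy when the suspect OS is not running: run it from a clean boot environment against the mounted disk, so whatever hooks the live kernel's directory enumeration has no say in what FindFirstStreamW returns.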
1) Malware installs itself in a 'good oddball location' (you'll see why a bit later)
2) Malware runs (on startup) and monitors the running processes as close to real time as possible
3) Malware has built in it the CRCs (likely MD5s) of known AV filescanners
THE RACE IS ON!!!
The malware has to find the AV filescanner, CRC/MD5 it and if identified, kill the AV process (if able to) and delete/muckup the AV filescanner at its leisure(?) BEFORE the AV scanner can find it, kill it, and delete it in return.
The only way around that would be to update/release the AV scanner faster than the malware authors can 'do their thing'. I don't think using some sort of 'runtime opcode munging' to change the EXE CRC at runtime will help as a mass-release software title (if possible).
Nope, to stop this kind of malware calls for 'personalized' AV with CRCs unique to the machine it is installed on before the software is obtained to install in the first place. Provided the OS maker(s) is trustworthy, such AV software should be the first program obtained and installed on the computer after the operating system.
Part of this also depends on where the attacker can upload/download files to or from. If he can upload a new file in a location that automatically runs (say a crontab entry on a 'nix system), or he can download your password info, then you're still in trouble.
I've heard a few stories of sites being compromised because a script incorrectly allowed a variable that wasn't tainted as a filename.
Cue the Mac OS-X / *Nix / *BSD zealotry.
Psh, my graphing calculator is much more secure than any of those. No security exploits, ever.
Stupidity is like nuclear power, it can be used for good or evil. And you don't want to get any on you.
Works in Vista, too!
I know this cannot be true since Microsoft Says Vista Most Secure OS Ever.
http://www.eecs.umich.edu/virtual/papers/king06.pdf
Belief is the currency of delusion.
I don't know how or when it changed, but the orthodox approach to virus scanning used to be that you booted a known clean (very likely read-only) system in order to diagnose the possibly-compromised system.
Every time I hear about how some malware uses a rootkit to "hide", I know it simply means that people are using compromised systems to diagnose themselves. That approach is fundamentally flawed. No one should be surprised that it doesn't work, and it shouldn't be news that it doesn't work. We shouldn't be seeing this article on Slashdot in any category other than the humor section.
But we do see it, because it is news (to somebody?) because this unreliable approach to scanning is mainstream. How the hell did that happen?
It happened because the AV companies are selling their products as something that Windows users install rather than boot. But we know and they know that can't work. It's snakeoil and I think selling it is despicable.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
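The "boot something known clean and inspect the suspect disk from there" approach the post describes comes down to comparing what is on the disk against a record taken when the system was trustworthy. As an added illustration (not code from the original post), here is a minimal baseline-and-compare run over a constructed fake root: the watched file list, the temporary tree and the "trojaned" login are all made up for the demo; on a real job the baseline comes from install media or a fresh install, and the check runs from a separate clean boot with the suspect filesystem merely mounted, so nothing on it ever executes.

```python
"""Offline file-integrity check against a baseline taken on a clean system.

Added example, not from the original thread. The watched list, the
temporary directory tree and the tampering in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile

# Illustrative set of binaries a login-replacing rootkit typically swaps.
WATCHED = ["bin/login", "bin/ps", "bin/ls", "sbin/init"]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, relpaths):
    """Record size and SHA-256 of each watched file under `root`."""
    base = {}
    for rel in relpaths:
        p = os.path.join(root, rel)
        if os.path.isfile(p):
            base[rel] = {"size": os.path.getsize(p), "sha256": sha256_of(p)}
    return base


def check(root, baseline):
    """Compare a mounted filesystem at `root` against `baseline`.

    Returns {'modified': [...], 'missing': [...], 'ok': [...]} with paths
    in sorted order. Size is checked first only to skip hashing when the
    file obviously changed; the hash is what actually decides.
    """
    report = {"modified": [], "missing": [], "ok": []}
    for rel, rec in sorted(baseline.items()):
        p = os.path.join(root, rel)
        if not os.path.isfile(p):
            report["missing"].append(rel)
        elif os.path.getsize(p) != rec["size"] or sha256_of(p) != rec["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline a fake root, then tamper with it."""
    root = tempfile.mkdtemp(prefix="cleanboot-")
    for rel in WATCHED:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"ELF stand-in for " + rel.encode())

    # The manifest must live off the suspect disk; it is only as trustworthy
    # as wherever it is stored.
    manifest = json.dumps(build_baseline(root, WATCHED))

    # Simulated rootkit: replace login with a password-capturing version
    # and remove ps so the operator cannot see its processes.
    with open(os.path.join(root, "bin/login"), "ab") as f:
        f.write(b"\n# mail captured passwords home\n")
    os.remove(os.path.join(root, "bin/ps"))

    return check(root, json.loads(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Package managers already ship a vendor manifest for this (rpm -V, debsums on Debian); the same rule applies to them: run them against the suspect disk from a clean boot, not from the suspect system, or the rootkit gets to answer the question about itself.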
welcome our first widely known Vista exploit!
Let's fire up your Windows Update, gentlemen! You didn't really believe the buzz this time round?
The weak link in most computer networks is human. If it was programmed by humans, there will be a flaw that can be exploited.
Most compromises are the result of automated exploits with no user interaction. Sure a human made the OS being exploited, but that does not make it a human failing, just a failing in the OS.
Most rootkits/spyware are installed by the owner of the PC when visiting illegal or semi-legal sites, such as pr0n/gambling/file sharing.
Since when is porn semi-legal?
If you go for a walk through a "bad" neighborhood with no protection at 3AM and get mugged, yes they should convict the mugger, but you chose to go through a dangerous area at a dangerous time.
"Bad" neighborhood exist mostly because the police do not equitably enforce the law and the laws themselves are not equitable. The fact the some neighborhoods have more danger to the average pedestrian than others is often because police resources are improperly allocated by the wealthy. Whether I'm in a poor neighborhood because that is the only place I can afford to live, or a wealthy neighborhood, should not make any difference to the police or their behaviors and no more blame should be placed upon me.
So take reasonable precautions, but don't expect your precautions to amount to much if you are making poor decisions.
Most people who are infected with malware are infected without ever doing anything and don't even know it happened. That is not their fault nearly as much as it is the fault of the OS designers who touted their OS as "super secure" even though it is less secure than pretty much every other one out there. They were lied to and are still being lied to. Stop blaming the victims.
even running as a normal luser, a program can hide from that user.
Yes, but the program cannot make itself run automatically at bootup as this would require changing files which are owned by root
So basically it will die at next reboot. It might be able to start when that same user logs in, but this can be fixed by forcing all config changes to come from root (Admin or whatever)
It also means that if I scan for this software as root there isn't a thing it can do to avoid detection.
Although this is written with my Linux hat on I also happen to develop software for Windows and can see no reason that the same principles cannot be applied to Windows.
Apart from one, it would cost MS a fortune to rewrite Office, and they would lose the edge which Office has over the competition (all the private hooks into the OS it uses which they don't publicise to other developers)
I don't read
TCP/IP addresses are often hex-encoded in compiled code, so doing a text search for xxx.xxx.xxx.xxx probably wouldn't be useful anyway...
It looked wrong even as I wrote it. now I remember.
The world is made by those who show up for the job.
It actually wasn't AQ but an Iranian backed group. No Al-Z either. But everything else you say is true.
Never by hatred has hatred been appeased, only by kindness - the Buddha
"Most compromises are the result of automated exploits with no user interaction."
Actually most malware are viruses that can only spread via human interaction - opening emails, running scripts, going to phishing sites or other means of social engineering. Worms are the only automated means of spreading malware and they are a fraction of the problem, much rarer than virus and script-based malware.
Never by hatred has hatred been appeased, only by kindness - the Buddha
Actually most malware are viruses that can only spread via human interaction
True.
Worms are the only automated means of spreading malware and they are a fraction of the problem, much rarer than virus and script-based malware.
False.
Most malware is not automated, however, most infections are caused by automated malware. Worms are fewer in number, but spread much more quickly and widely. Counting the number of infections caused by worms and the number caused by malware involving human interaction yields the former as having a greater impact according to the majority of studies I've read.
As long as MS brings up and touts security, particularly in the context of proprietary software, the comment is valid, even if humorous.
I'm not sure what your point is... because it seems to me you're just giving me a good example of good programming. You just need to emphasize other parts of the text : ...when available... ...That's why we don't use the kernel's filesystem driver at all...
For the last one you would need a larger excerpt with other video output methods.
RTC : allows Real-Time synchronisation. Used when available because Linux isn't a realtime OS. Would be pointless on, say, QNX. Usage of "virtualized functionality" like standard timers works fine for almost everybody, you usually don't need hacks accessing hardware directly.
DVD : You don't get any benefit running as root because they aren't using the kernel's filesystem driver. "Grepping" for root in the mplayer doc isn't an excuse to not read and understand what's written... There's probably a reason why you need to run as root to get the same functionality directly from the Linux kernel, but I'm too lazy to search for the thread talking about it on lkml.
It wouldn't be portable anyway.
DGA : Thanks, I didn't know about that -vo method. My unofficial debian mplayer package is compiled with 31 output methods, some work under X, some in a xterm, some on a console, some with files, some with particular hardware (like Matrox video cards). DGA works under X, but as mplayer doc states, you need root access. Why not use -vo xv then ? It works flawlessly on my Radeon card. It doesn't work on an older Mach64, in that case I need -vo x11 (-vo dga doesn't work either with that card).
All limitations you're citing are because of attempts to talk directly to hardware, and each time you have other options that work as well.
Bad programming would have assumed that you were root and refused to run if RTC wasn't available, for example.
So ?
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
And it's free! http://www.sysinternals.com/Utilities/RootkitRevealer.html
How is it even found to be loaded in the first place?
Works in Vista, too!
Maybe Vista needs that new file system after all. Too many places to hide stuff in the current NTFS. FAT32 anyone?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I always hear about these new awesome r0x0r your s0x rootkits. That rootkit called HackDefender I believe it was that was all over the news wouldn't even install properly under a limited account..
Blame the user, not the software.
Communication with the rootkit author does not necessarily need to be a straightforward matter. I have seen concepts of a rootkit sending data by querying DNS servers controlled by the author and piecing data together by taking the first character from the domain being looked up.
dns -> google.com
dns -> overture.com
dns -> dnsstuff.com
A password of god was just transmitted.
A very crafty kit would build up this list by first watching legitimate traffic on the network, so viewing raw traffic would not throw up any immediate red flags. Data can be hidden in many places. Just my 2 cents.
"Konnichiwa", said the boneless horror.
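The scheme in the comment above encodes one character per query by choosing which harmless-looking domain to resolve, and the attacker's server reads off the first letter of each name. The following added example (not code from the original comment) implements both ends plus the view a defender gets from a resolver query log. The domain list stands in for names the implant would have harvested from real traffic, and the log lines are constructed to imitate BIND's query-log format; neither is taken from a real network.

```python
"""First-character DNS covert channel: the implant leaks one character per
query by picking which legitimate domain to look up, and the attacker's
nameserver recovers the message from the first letter of each name.

Added example, not from the original comment. OBSERVED_DOMAINS and
SAMPLE_LOG are constructed; the log format imitates BIND's query log.
"""
import re
from collections import defaultdict
from itertools import cycle

# Stand-in for names the implant harvested from genuine LAN traffic.
OBSERVED_DOMAINS = [
    "google.com", "overture.com", "dnsstuff.com", "slashdot.org",
    "debian.org", "openbsd.org", "apple.com", "mozilla.org",
]


def build_codebook(domains):
    """Map each leading character to a rotating iterator over the domains
    that start with it, so repeated characters do not repeat one name."""
    book = defaultdict(list)
    for d in domains:
        book[d[0].lower()].append(d)
    return {c: cycle(ds) for c, ds in book.items()}


def encode(secret, domains=OBSERVED_DOMAINS):
    """Return the sequence of names the implant would look up for `secret`.

    Characters with no harvested domain cannot be sent; a real kit would
    fall back to a larger alphabet or a different encoding.
    """
    book = build_codebook(domains)
    out = []
    for ch in secret.lower():
        if ch not in book:
            raise ValueError("no harvested domain starts with %r" % ch)
        out.append(next(book[ch]))
    return out


def decode(queries):
    """What the attacker-controlled nameserver reconstructs."""
    return "".join(q[0].lower() for q in queries)


QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>[^\s]+) IN ")


def first_char_streams(log_text):
    """Per-client first-letter stream from a BIND-style query log.

    This is the most a passive observer can do with the names alone: every
    one of them is something the network resolves legitimately anyway.
    """
    streams = defaultdict(str)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            streams[m.group("client")] += m.group("qname")[0].lower()
    return dict(streams)


# Constructed resolver log: one infected client leaking "god", one clean one.
SAMPLE_LOG = "\n".join(
    "01-Jan-2007 10:00:%02d.000 client %s#%d: query: %s IN A +"
    % (i, client, 40000 + i, q)
    for i, (client, q) in enumerate(
        [("10.0.0.5", d) for d in encode("god")] + [("10.0.0.9", "debian.org")]
    )
)

if __name__ == "__main__":
    print(encode("god"))
    print(first_char_streams(SAMPLE_LOG))
```

The channel only works if the implant can send its queries to a server the attacker controls; a lookup for google.com handed to the corporate resolver goes to Google's nameservers, not the attacker's. Blocking outbound port 53 from workstations except to the internal resolver closes this particular variant, and the one-character-per-query capacity is what makes it noisy enough to spot once you look at per-client query volume.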
he/she wrote it.
I think the practice of booting from a known clean system ended with Windows NT. In the DOS and Windows 9x days, it was easy to make your own boot floppy, copy a virus scanner onto it, and stash it away in case of emergencies. Also, back then, rebooting was an everyday occurrence anyway.
With Windows NT and its successors, it became cumbersome to make an emergency boot disk -- you needed the original install CD to write to several floppies, and the emergency boot process took an eternity. The virus scanner would have to be burned onto a CD (not everyone had a CD burner) or written to a memory stick (which some BIOSes don't know how to boot from). Of course, the virus scanner could be distributed on pressed CDs, but there would still be a problem with keeping the virus definitions up to date.
So basically, the practice of clean-booting died for the same reasons that the floppy did.
There is no OS that is 100% secure. Security is important, but if your expectation is for complete security, you will live a disappointed life. The weak link in most computer networks is human. If it was programmed by humans, there will be a flaw that can be exploited. If there isn't a flaw in the programming, social engineering works fine to discover passwords that get you past the security.
Maybe not 100% secure, but there are commercial OS's that are orders of magnitude more secure than Windows. Why do people like you continue to post statements that make it sound like the current situation with Windows is the best we can hope for and we should not expect MS to improve the security of their OS?
There was a time when MS told developers that the only guaranteed writable dir was the windows dir, since your app could be running on a network installation of windows (where everything was on a network drive, but a tiny secondary windows dir would be created on the local machine so that settings (i.e. INI files) could still be per user).
But that was > 10 years ago, before they created the Windows registry and told developers to switch to using that. I'd hate to think how many components are not even looked at let alone updated with each "new version" of Office.
Attention zealots and haters: 00100 00100
"An endless cycle of patch, pray, patch, pray, reinstall awaits us."
Patch available here for current & future rootkits: http://www.apple.com/macosx/
"Most compromises are the result of automated exploits with no user interaction. Sure a human made the OS being exploited, but that does not make it a human failing, just a failing in the OS."
Exploits and security holes don't cause themselves. Any failing of the OS is caused by the person/persons who programmed it.
"Since when is porn semi-legal?"
There is some porn that is legal, and some that is not. Some that comes from human slavery and some that doesn't.
""Bad" neighborhood exist mostly because the police do not equitably enforce the law and the laws themselves are not equitable. The fact the some neighborhoods have more danger to the average pedestrian than others is often because police resources are improperly allocated by the wealthy. Whether I'm in a poor neighborhood because that is the only place I can afford to live, or a wealthy neighborhood, should not make any difference to the police or their behaviors and no more blame should be placed upon me."
Not disagreeing with you on the cause, but I am not talking about living in a "bad" neighborhood and going home there. I am using an inadequate metaphor to point out that the end user has decisions to make, and that there are consequences to those decisions. If you go to sites that are notorious for containing spyware/viruses/malware without protection your machine will be infected. That's the way it is. If you don't go to those kinds of sites you have a much lower chance of getting seriously infected.
"Most people who are infected with malware are infected without ever doing anything and don't even know it happened. That is not their fault nearly as much as it is the fault of the OS designers who touted their OS as "super secure" even though it is less secure than pretty much every other one out there. They were lied to and are still being lied to. Stop blaming the victims."
The above does not meet with my experience in this. I run the tech bench at an ISP. I can tell what kind of sites people have been visiting based on the malware that is detected on their pc. It's that simple. I do not think that OS manufacturers are without blame, but I think that there is enough blame to go around. If you want to know how I would arrange blame, it would be in three tiers:
1) The people who write malicious code.
2) The companies that don't fix all their bugs as quickly as security holes are detected or are not forthright about the security implications of use of their product.
3) The people who intentionally visit areas of the web that are KNOWN to contain more security risks than others.
I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
"Mac users pummelled by angry infectees. See the aftermath, tonight at 10:00."
...just as any issue with a Mac not having game #x available is viewed as an opportunity to evangelize Windows.
Exactly the first thing I thought as reading dfghjk's comment.
Further, even if the elaborate cloaking schemes are followed, there must be communication back to the new pwner of the machine.
Short answer: yes.
Anecdotal evidence: I once set up a Linux machine behind a firewall, couldn't get to the Internet, but it could be seen from the Internet. Turns out there wasn't any requirement for it to see the Internet, so I checked "done" and moved on. This was a one-off deal.
Got a call a month later: "login isn't working". Of course the machine was for dozens of desktop machines that logged in to run custom Universe scripts, so no one could do his/her work. So I go out there and notice that the network cables have been rearranged to go around the firewall. And there were quite a few email messages spooled up and going nowhere.
Asked about the cable. "Oh. I tried that because I couldn't get to the Internet."
"From this machine?"
"Yeah."
"Why did you want to get to the Internet from the Universe server?"
"I wanted to surf the net while I was waiting for this other install thing that I was doing to finish."
OK, so the machine is naked on the Internet, and login's broken. It takes the password, then another login prompt. Found a rootkit. Reinstalled the O/S, restored Universe from backups, put the machine back behind the firewall.
Oh, the spooled-up email messages? Email to the rootkit installer. Even if the machine was pwned, s/he never found out. After poking around for a while, I discovered that it was a poorly implemented rootkit, e.g., the replacement for /bin/login dumped core when it couldn't send the captured passwords back home.
"Press to test."
(click)
"Release to detonate."
What al Zaquari was running isn't an actual AQ-operated group either. It's a fucking PR stunt naming it the same thing.
If corporations are people, aren't stockholders guilty of slavery?
What I find troubling is how blasé Windoze users are about it all. They get upset that their machine won't work once it is totally bogged down with spyware, but they don't care about the fact that some asshats were monitoring their every move on their machines for many weeks/months/years even.
Oh well, what the hell...
Exploits and security holes don't cause themselves. Any failing of the OS is caused by the person/persons who programmed it.
If you want to look at it that way, fine, but then all problems are caused by human error, if only the error of perceiving them as errors. The point is, the end user is not responsible for them, in most cases.
There is some porn that is legal, and some that is not. Some that comes from human slavery and some that doesn't.
Porn in the US is a fairly regulated industry. Asserting that a significant amount of it is illegal, without any evidence is empty rhetoric.
Not disagreeing with you on the cause, but I am not talking about living in a "bad" neighborhood and going home there. I am using an inadequate metaphor to point out that the end user has decisions to make, and that there are consequences to those decisions.
Perhaps you should be a little more conservative with your metaphors. Your metaphor was dangerously close to some arrogant, aristocratic racism I hear regularly. In any case, I've yet to see a correlation between people who merely visit sites and who become infected with malware and certainly nothing to demonstrate causality.
The above does not meet with my experience in this. I run the tech bench at an ISP. I can tell what kind of sites people have been visiting based on the malware that is detected on their pc. It's that simple.
Most malware (by infection number) does not spread through Websites at all. Of that which does, a good portion is posted on public forums and on cracked servers of all kinds. I'm looking at the infected host list for an entire class A right now as well as a list of the DNS request history for them. The vast majority has no correlation at all because most infections do not spread from a particular kind of Website. The only correlation I know of is particular sites that trick people into installing some sort of malware, often spyware.
The people who intentionally visit areas of the web that are KNOWN to contain more security risks than others.
It is this last group I disagree with. First, I'm not sure I believe there is such an "area of the Web." Second, I certainly haven't seen evidence of it. Third, assuming such a thing exists, it certainly is not common knowledge.
... in capitalist America, even Duke Nukem Forever ships before Vista.
Sean
I was pretty much with you until #5. Don't boot from read/write media? What exactly do you want me to boot from? Telling people not to boot from their hard disk is pretty radical. And even my Deb CD is really a CD-R - which is, you know, writeable.
#6 is even more out there. Unplug from the network? Being as how you're posting to Slashdot, obviously you're not taking your own advice. What am I missing here?
I think you need to get your tinfoil hat adjusted.
Sean
"Porn in the US is a fairly regulated industry. Asserting that a significant amount of it is illegal, without any evidence is empty rhetoric."
The first part of your statement is the key "Porn in the US" http://search.bbc.co.uk/cgi-bin/search/results.pl?scope=all&edition=i&q=Slavery+%2B+pornography
are a list of articles from the BBC on slavery and pornography. Most of which occur outside of the US.
"Perhaps you should be a little more conservative with your metaphors. Your metaphor was dangerously close to some arrogant, aristocratic racism I hear regularly. In any case, I've yet to see a correlation between people who merely visit sites and who become infected with malware and certainly nothing to demonstrate causality."
I grew up in some of the worst neighborhoods of NY and Philly, you don't have to tell me about racism or as they say in Philly Zipcodeism where job apps from certain zipcodes get thrown out unlooked at.
My experience with the malware issue is that of an ISP cleaning machines that are infected with malware. the correlations that I have seen are porn - spambots, gambling - trojans/keyloggers, gamecheat/filesharing - trojans/toolbars.
"Most malware (by infection number) does not spread through Websites at all. Of that which does, a good portion is posted on public forums and on cracked servers of all kinds. I'm looking at the infected host list for an entire class A right now as well as a list of the DNS request history for them. The vast majority has no correlation at all because most infections do not spread from a particular kind of Website. The only correlation I know of is particular sites that trick people into installing some sort of malware, often spyware."
The first thing I would like to know is where your data is coming from and which time period you are using for your data. According to a Symantec white paper http://securityresponse.symantec.com/avcenter/reference/techniques.of.adware.and.spyware.pdf "Most adware and spyware programs are obtained initially by BROWSING THE WEB or along with some unrelated ad-supported software. The programs are rarely installed from a conspicuous website, but rather through social engineering banner ads, drive-by-downloads, and through peer-to-peer networks with misleading filenames. Some adware and spyware programs are even installed by exploiting software vulnerabilities." (Caps added) from p8 of the above whitepaper. Trojans, which now make up a vast majority of infected PCs, do indeed come from risky surfing.
I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
"What about developers?"
That is the main cause of problems with Windows. In order to develop on Windows before .NET came along, you could pretty much guarantee you were doing COM programming of some kind.
In order to develop and test COM components, you need to be able to install them so they can be picked up by CoCreateInstance() and its brethren.
In order to install COM components, you need to write to the HKEY_LOCAL_MACHINE/[something I can't remember]/Classes registry key, which rightly requires Administrator privileges.
Therefore, in order to develop COM components - i.e. in order to do any serious Windows development - you _needed_ to run as roo^H^H^HAdministrator.
The trouble is, if you're running as Administrator, you don't notice if you end up doing other things that also require Administrator privs. Like writing to other parts of HKLM, or the Program Files (or even System32) folder. None of that fails on your system, as you're Admin, so you never pick up on it.
Your code goes to testing. In order to install your COM components, the testers need to at least install as Administrator. If they forget to test as a limited user, they'll never notice that either.
You ship. Now everyone who uses your program needs to run as Admin. Think they'll change which account they're logged into just to run your program? Nope - they'll just give themselves Admin privs all the time.
In order to fix this, developers _need_ to be able to write, compile, install and run the programs they're developing as non-Administrators. Fortunately, .NET allows you to do this as you don't _have_ to install your stuff to the GAC, and you don't need to write to any privileged locations to be able to get stuff done. You should just be able to play in your hom^H^H^HDocuments and Settings folder and do everything from there.
Why doesn't the gene pool have a life guard?
If you have to use Windows, Rootkits are another reason to zero the hard drive regularly. But if you don't have to, another reason to buy a mac or UPGRADE to Linux.
..you run XP from a FAT32 partition? (But might have NTFS partitions)
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
dun dun dun the plot continues.
"I thought what I'd do was I'd pretend I was one of those deaf-mutes" ~ Laughing Man - GITS:SAC
Tangent, yes. But...
/linux noob
//working on that
///Farker
At my previous position BartPE was a godsend. If you do physical Windows support, and you aren't aware of this, I strongly urge you to take a peek: http://www.nu2.nu/pebuilder/
Think Win98 boot floppy on crack. Boots off CD/DVD, does PnP, has network support, the ability to add virus scanners & other nifty tools.
There are Linux boot CDs that do more/less/theSame, but if you're like me and (/gasp) not familiar with Linux then this can be a powerful tool.
I'm pretty sure on both Windows and Linux a normal user can make stuff run when they log in pretty easily, and on many Linux installs they can probably even use cron to schedule it to happen soon after startup.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
Most desktops are only used by one person. Starting from that users "Startup" folder (or equivalent) is effectively the same thing as starting at system boot.
So basically it will die at next reboot. It might be able to start when that same user logs in, but this can be fixed by forcing all config changes to come from root (Admin or whatever)
A solution completely unworkable for the majority of desktop PCs.
Apart from one, it would cost MS a fortune to rewrite office, and they would lose the edge which office has over the competition (all the private hooks into the OS it uses which they dont publicise to other developers)
I see the good old "hidden APIs" myth still exists, despite the complete and utter lack of any actual evidence supporting it.
Tell us, just what "advantages" do you think these supposed "private hooks" engender to a *word processor* or *spreadsheet* program ?
Or you could just use "Run As" for those times you need to actually install a COM component.
The trouble is, if you're running as Administrator, you don't notice if you end up doing other things that also require Administrator privs. Like writing to other parts of HKLM, or the Program Files (or even System32) folder. None of that fails on your system, as you're Admin, so you never pick up on it.
This is not an excuse for fundamentally bad development practices. If you're storing run-time or per-user data in system areas, you're either lazy or incompetent. "But it works for me" is not justification for doing something even a first-year software engineering student should be able to tell you is the wrong way to do it.
Your code goes to testing. In order to install your COM components, the testers need to at least install as Administrator. If they forget to test as a limited user, they'll never notice that either.
Nor is it an excuse for poor testing procedures.
No developer has had any reasonable excuse for not writing LUA-friendly Windows software for ~7-8 years. Arguably, it's more like ~10 years, since NT4 was released, but I'm prepared to cut some slack.
the correlations that I have seen are porn - spambots, gambling - trojans/keyloggers, gamecheat/filesharing - trojans/toolbars.
Trojans and keyloggers are mostly the same thing. Spambots by number are almost completely installed by automated worms. In fact, I don't think I've ever seen a spamnet or botnet where anyone bothered to use trojans for anything, except perhaps grabbing a new control channel. Keyloggers and other data mining trojans are rarely spread by worms directly, but then again they still make up an insignificant portion of malware right now.
The first thing I would like to know is where your data is coming from and which time period you are using for your data.
The data I mentioned seeing myself, is coming from a class A network's malware and traffic monitoring system (I can't reveal which one due to my NDA). I'd like to throw in a disclaimer here. I read a lot of network security information, whitepapers, reports, etc. and work in the field, but I am not a professional security expert. I make my living in other ways and don't want you to get the mistaken impression that because I have this info I'm some sort of expert.
As to the time period, this holds true for general trends. Looking at today, this month, or this year shows no real difference, although my DNS data does not go back an entire year.
"Most adware and spyware programs are obtained initially by BROWSING THE WEB or along with some unrelated ad-supported software."
This is probably true, but adware and spyware still do not account for the majority of malware, by infection number. Botnet armies tens of thousands of members strong used for DDoS and spamming are not uncommon. I don't think any type of malware that requires human interaction of any sort is likely to ever catch up to them for sheer numbers.
The programs are rarely installed from a conspicuous website, but rather through social engineering banner ads, drive-by-downloads, and through peer-to-peer networks with misleading filenames.
Even this subset of malware contains a significant exception. P2P networks are not the Web.
Trojans, which now make up a vast majority of infected pc's do indeed come from risky surfing.
Trojans do not make up the majority of infections. The comment you quote is somewhat misleading in the way it is phrased, but if you read carefully you'll see it does not say that they are. I get a security brief every day that lists the major infections and new threats. Trojans appear in the new threats, but I can only remember one that ever appeared as a major infection. I'm willing to believe that you can increase your risk by going to certain sites, sites that can be classified into distinct categories, but in general no matter where you surf, the majority of your malware infections will have no correlation. Whether or not you use your computer or just leave it sitting idle and connected to the internet will make no significant difference to the number of infections.
The first idea that pops into my head, is that users should use Windows under copyright (which allows Fair Use) instead of licensing it. Then they can legally make a clean boot disk.
But I guess the idea of using software under copyright is controversial, and some people still want to license Windows. Ok, whatever. One thing these users could maybe do, is run Windows under virtualization (which MS has recently started to license for "free") and then scan the guest system from a well-protected host OS.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Where did I defend script kiddies?