Windows Rootkit Wars Escalate
An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in an ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."
rootkit v. counter rootkit
counter counter rootkit v. counter rootkit
counter counter counter rootkit v. counter counter rootkit
An endless cycle of patch, pray, patch, pray, reinstall awaits us.
X|K|Ubuntu, anyone?
Well it wouldn't happen in other OSes because NTFS is a closed proprietary standard. :-)
That and people, listen, stop running Windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
Tom
Someday, I'll have a real sig.
Since F-Secure detects it, does that imply it's not popular?
From what I understand, the government does take computer crime seriously, and does go after virus & rootkit authors. Unless that author happens to be a corporation, in which case it's a-ok.
It is like a generalized version of the resource and data fork on old MacOS files with similar uses.
I hate them because, after that incident, the word rootkit became popular.
I know what you mean! Just the other day I was listening to two teenage girls yakking in the mall...
"Oh no you did-uhnt! Girl, you can't be lettin' some loser root your kit like that!"
Don't disappoint your bird dog. Go to the range.
If only Windows was closed source, then writing such tools would be difficult. Oh, wait...
>possible for a rootkit to go completely undetected on OSX
If it's undetectable how would you know?
http://www.heysoft.de/nt/ntfs-ads.htm
There's a lot that can be done with it.
This Russian-created rootkit is smart enough to recognize known anti-rootkit tools and hide from them.
:P
Does this mean that in Soviet Russia, rootkits detect y... Bah, nevermind. Too easy.
Slashdot: come for the pedantry, stay for the condescension.
People, please, stay sensible. First of all, a rootkit has to GET into a system. How it hides, how it vanishes, how it hooks certain parts of the system and how it defeats anti-rootkit tools is moot if it doesn't even GET that far.
Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!
And that's what it comes down to. Keep your system updated! Don't click on every moronic spam mail you get! Don't run everything you download from an unreliable source without at least checking what it is!
My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.
There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I think it's somewhat disingenuous to specifically note this rootkit works in Vista. It implies that the security work done in Vista has somehow failed.
Vista has numerous improvements security-wise, and almost all of them have to do with preventing a machine from becoming infected to begin with.
, UAC, Windows Defender, the improved software firewall, IE 7+ sandboxing/broker, etc... these are all meant to make it a lot harder for malware to get on the machine to begin with.
As the old security adage goes, if untrusted software is run on your machine, it's not your machine anymore.
If it wasn't so sad, it would be funny.
Tell me how, please. The things you know about him/her/them/whatever:
A DNS-Server in San Jose.
A host in Kiew.
Code generated in Russia.
Distributed by spambots from around the world.
Now, where do you start looking? Have you ever tried getting some help from authorities in Russia? If not, it's a worthy adventure. At the very least, it gives you enough material to write a very interesting book.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
ADS is used in Windows as part of everyday usage. The "Summary" tab that you see when you view any file's properties is stored in ADS. Also, I believe (vague memory here) that when you download something in Internet Explorer and try to run the file, the flag for that annoying "You got this from the Internet, are you sure you want to run it?" is stored in ADS.
That and people, listen, stop running Windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
What about developers? Lots of apps -- essentially games -- don't run well in unprivileged environments. I run as an unprivileged user but usually need to use runas when I didn't take the time to adjust brain-dead default program settings. And you can't ask the average user to tweak file and registry permissions. BTW I've seen apps opening data files rw when only ro was needed. How do you avoid security flaws then? Editing the binary to change call parameters isn't an option...
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Since F-Secure detects it since June 21st, does it imply this is old news?
or did they make sure it could install?
* Winners compare their achievements to their goals, losers compare theirs to that of others.
FSecure's posting says that they released a version of their antirootkit software that can defeat this. Date June 21
Symantec says that FSecure's product can't remove this. Date June 29.
Any reason for this discrepancy? You'd think they'd continue to monitor what other companies are doing to combat the problem and 8 days would be enough for them to find out about the new release.
Well.. maybe. Or Maybe not. But Definitely not sort of.
"In essence they were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh's file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details."
http://www.securityfocus.com/infocus/1822
Web 2.0 == Giant Blogspam Circle Jerk
A rootkit is a tool that script kiddies use to break into systems, as opposed to someone with actual skill finding and exploiting weaknesses using their own brain.
No it isn't.
A rootkit is what is installed to give the cracker unimpeded access (provides a backdoor, hides processes, replaces legitimate processes with trojaned ones, keeps activity out of system logs) once they have gained entry to a system (usually through a known vulnerability.) Their activity would be hidden from netstat, ps, etc.
At least look at Wikipedia.
music lover since 1969
The US government can't even pursue terrorists who kill American citizens without inviting substantial criticism.
Aren't a lot of those terrorists dead? You know, the ones with bombs strapped to them, or the ones who forced planes into buildings. And as regards the living terrorists, the criticism isn't so much directed at their pursuit, but rather the collateral damage in terms of innocent civilian casualties abroad and loss of civil rights at home.
Did the writers of the rootkit consider that...
"The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior." http://www.sysinternals.com/Utilities/RootkitReve
Ooops... 1 step ahead of the hackers yet again.
Don't rootkits need to hook into the kernel in some way, and the "some way" in Vista is via signed binaries? Overriding kernel hooks seems to imply that yes, signed binaries are needed as well...
Also, would it be able to hide from a tool like SysInternal's rootkit detector which compares API return values for the registry and filesystem with an actual analysis of the registry files themselves, and a scan of the raw blocks on the disk? (Understands NTFS and FAT, and the registry hive format).
These things are like the neighbor that just walks in the house, takes a piss, grabs a beer out of the fridge, asks you if you're watching the game after sitting on the couch next to you.
If they'd put some fucking beer in there now & then it wouldn't be so damn aggravating.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
NTFS alternate data stream? It's a good thing I still use Windows 95 that doesn't have any of those fancy shmancy features that can be exploited like that.
If you're (like me) one of the, umm, fortunate souls who get to clean up rootkit-infested machines regularly, there's a tool you should know about: LADS, for "list alternative data streams"
It can be found buried in this FAQ about the NTFS ADS feature: http://www.heysoft.de/nt/ntfs-ads.htm
I haven't tried it yet, but it looks like it should work from a win32 bootdisk (like BARTPE). So you should be able to boot from a clean win32 environment and scan the computer's hard disk to find any files with ADSs. Fortunately, use of this feature within NTFS is not widespread, so malware should stand out pretty obviously.
Have fun!
-R
Microsoft has been less than forthcoming about ADS, its function and its mechanism. ADS has been used in the past to hack into web servers and now appears to be useful for rooting any system with NTFS.
Is ADS a Microsoft backdoor?
Even the ultimate authority on computer terminology, the Urban Dictionary, gets it right:
It's much more than a "hidden" attribute on a file.
I fought with the HackerDefender rootkit earlier this year. Best I can tell it got in through a vulnerability in the Finger port of my mail server. It installed itself as a legacy mode device driver. The device driver was set up to hide certain filenames from Windows. Once installed, you COULD NOT SEE the files the rootkit used. The files weren't files marked with the "hidden" attribute, they were simply hidden from Windows at all levels. You COULD NOT SEE the registry entries. You could not see the task in Task Manager. Very evil and took many hours of my time to fix.
Long ago, in the days of MS-DOS, there was a program that was excellent at detecting unknown MS-DOS viruses. Called Integrity Master, for maximum security one ran it from a bootable floppy, scanned files on the hard disk, and stored the file with the scanned signatures on a floppy. It wasn't SHA or MD5 hashes, but at the time it was solid security.
Then, one periodically (once or twice a week, as paranoia sees fit) ran the utility on their machine. If stuff in the MS-DOS directory was changed, it was immediately apparent. Integrity Master also was able to scan for some known viruses in addition to keeping a log of changed files.
We need a utility like that for Windows XP and Vista. A bootable CD or DVD that not just can understand NTFS (and NTFS's file compression), but has the necessary software to mount hard disks which are encrypted with BitLocker, PGP, SafeBoot, PointSec, WinMagic, DriveCrypt Plus Pack. The utility should also allow for username/password entry so EFS-protected files can be checked too.
This utility should use a CD or DVD to boot from, mount hard drive volumes, run checks for alternate data streams, system and nonsystem files, and finally the registry, perhaps including the encrypted parts like the SAM. It should not just save hashes of files, but perhaps have some ability to check file signatures as well (like sfc.exe and sigverif.exe do), so an update to Windows via a legitimate way doesn't set off a lot of false positives. Of course, the "manifest" file storing the file hashes on the file system would be stored on a removable USB drive, so the OS on the hard drive never has the ability to touch it.
Because this checking is done offline, a rootkit would be a lot harder to hide (unless it uses a method that the integrity scanner wasn't programmed to detect, like perhaps pointing to unallocated disk space for executable code, or hiding in an EFS-protected file.)
Of course, offline checking isn't perfect, because the machine being scanned has to be totally downed for a good amount of time which can't be done in a 24/7 environment.
There are some hurdles though. Trying to reduce the amount of false positives is one, for example. A novice user presented with a notice that a lot of files were changed likely wouldn't know what was a bad change, and what was normal for system functioning. After that, it's decoding files and registry keys. Finally, if a known rootkit database was used, keeping track of how rootkits encrypt their payload, and delivering timely program updates.
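The offline manifest workflow described above, as an added example rather than any existing tool: build a SHA-256 manifest of the mounted system volume from clean boot media, keep the manifest on removable media, and on a later boot report files that were added, removed or modified, recording the Authenticode status of modified files so legitimately updated signed binaries can be told apart from the rest. It assumes PowerShell 4.0 or later (Get-FileHash); the drive letters in the usage lines are placeholders, and the signature check only sees embedded signatures, so catalog-signed Windows files read as NotSigned when examined offline.

```powershell
# Added example: offline integrity manifest in the spirit of the workflow
# described above. Not an existing tool. Run from clean boot media against the
# mounted system volume; keep the manifest where the installed OS cannot reach it.

function Get-FileRecords {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) {
                [pscustomobject]@{ Path = $_.FullName; SHA256 = $h.Hash; Length = $_.Length }
            }
        }
}

function New-IntegrityManifest {
    param([string]$Root, [string]$ManifestPath)
    Get-FileRecords -Root $Root | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Compare-IntegrityManifest {
    param([string]$Root, [string]$ManifestPath)
    $baseline = @{}
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object { $baseline[$_.Path] = $_.SHA256 }
    $seen = @{}
    Get-FileRecords -Root $Root | ForEach-Object {
        $seen[$_.Path] = $true
        if (-not $baseline.ContainsKey($_.Path)) {
            [pscustomobject]@{ Change = 'added'; Path = $_.Path; Signature = '' }
        } elseif ($baseline[$_.Path] -ne $_.SHA256) {
            # Embedded Authenticode signature only; catalog-signed files read as
            # NotSigned when the volume is examined offline.
            $sig = (Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue).Status
            [pscustomobject]@{ Change = 'modified'; Path = $_.Path; Signature = "$sig" }
        }
    }
    foreach ($p in $baseline.Keys) {
        if (-not $seen.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'removed'; Path = $p; Signature = '' }
        }
    }
}

# Usage; drive letters are placeholders (the system volume is usually not C:
# when booted from rescue media, and the manifest lives on removable media).
# New-IntegrityManifest -Root 'D:\Windows' -ManifestPath 'E:\baseline.csv'
# Compare-IntegrityManifest -Root 'D:\Windows' -ManifestPath 'E:\baseline.csv' |
#     Sort-Object Change, Path | Format-Table -AutoSize
```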
The desktop 64-bit processors out now are x86 processors, unless I missed the memo that we were all to move to RISC.
You did miss the memo. The AMD and Intel 64 bit processors use an instruction set architecture called "x86_64" (also x64 or AMD64 or EM64T, isn't marketing wonderful?). This instruction set extends the original 32 bit x86 instruction set. Wikipedia has some x86_64 architecture information.
isomerica.net | Foonetic IRC
[Yoda]
Begun, the Rootkit Wars have...
[/Yoda]
Odd... On Linux, I don't have any trouble running games or development applications as an unprivileged user. The only time I ever switch to a privileged user is when I'm installing something or reconfiguring the system in some way.
Of course, that usually has more to do with the developers of said applications than the OS itself. Windows is perfectly capable of running applications well under unprivileged user accounts, but the developers of those applications have gotten into the nasty habit of relying on the fact that most Windows users run as Administrator.
There are always a few people who mention this.
The problem when you do this is that it essentially treats you as if you are that user, not just with their privileges. It's a pain in the neck when you do this to install a program, and it installs it only to that (say, the Administrator account) user's start menu.
Or if you want to save a document from a program that requires it, you save it to My Documents, right? Go to open it later, open up My Documents in Windows Explorer and wow! It's gone!
(disclaimer: maybe it doesn't work this way in XP, but it certainly did in Win2k when I did take the effort to run as a non-privileged user. XP Home doesn't make it that easy, what with the crippled security options)
It's only capable of hiding itself if it is in the running environment. One solution is to boot from known-good, read-only media. Then you can search for known rootkit signatures.
In my opinion, however, once you get a system that badly infected, you should give up and wipe clean. You'll never know if you've successfully closed all the holes, and not even an expensive forensic analysis could guarantee such a thing.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
My personal experience so far with Linux is that most of the time, you won't need full root access, if:
- your access rights are correctly set (as in using the GUID "video" to grant access to devices used for graphic acceleration. Most modern distros have this done auto-magically by the setup or have the plug-n-play daemon assign correct rights to newly plugged devices)
- there are small pieces of code that are used to communicate between privileged access and unprivileged access (in other words: once upon a time, you needed to have SETUID on SVGALib to have nice graphics in games under Linux. Nowadays, SDL communicates with drivers and architectures like DRI, which take care to pass messages to a more privileged part which, in turn, will take care of the sensitive steps. (In other words: old applications use special extensions and map the framebuffer themselves, if they have enough access rights. New (unprivileged) applications ask the X Server (with modern extensions), which itself has the right to access hardware, to map what is needed.)
That means that, with a correctly set up system, I never needed to SUDO before playing anything with mplayer, xine, vlc or whatever else.
I almost never run applications as something other than my user account.
In fact, even installing updates is slowly being replaced with a less privileged process in recent distros (instead of asking the user to start a process as root and install updates himself under this identity, newer distros have a separate daemon that runs with the minimal necessary privileges, and the user only has a small application that passes messages to the update daemon to make the system install patches).
On the other hand, Windows, with its "admin-by-default" accounts, hasn't done anything to prevent misbehaving software. I can understand that Windows 3.x and Windows 9x, with all their DOS tradition behind them, had to be "admin-by-default". But since Microsoft moved to a new architecture, why don't they change the default user profile behaviour? Old apps are run through an emulated API; newer applications break if they can't run in a non-privileged environment.
Old usage needed admin rights. That's normal. What's not normal is that Microsoft perpetuated the bad habit in newer versions of Windows.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
My boss was telling me how he'd spent all morning with the IT manager removing a trojan off of his Windows machine.
..."
I looked up from my iBook and FC5 workstation, looked him in the eye with a face full of innocence, and asked, "What's a 'Trojan?'"
"Well, see, it's like... a 'trojan' is like the Trojan horse; it's a program that comes into your system and
wink
"...why I oughtta slug you!"
It's a good thing the guy's a consummate professional, because I probably deserve to be writing this from the hospital.
"It's a pain in the neck when you do this to install a program, and it installs it only to that (Say, the Administrator account) users start menu.
Or if you want to save a document from a program that requires it, you save it to My Documents, right? Go to open it later, open up My Documents in Windows Explorer and wow! It's gone!"
1) Click on my sig
2) Go to the useful tools section and grab one of the "sudo" type programs. Sudo WN is my favorite. The sudo tools solve the problems you mentioned above.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
This is just nitpicking, but from my understanding a rootkit consists of tools implemented _once the system is compromised_ to maintain root status and hide the compromise.
I always thought the means to gain access through vulnerabilities were called 'exploits.'
A real cracker could write their own rootkit, and it would still be called a rootkit even though that particular rootkit wouldn't be available to anyone but himself.
It's very common for people to write their own tools, and then use them. That doesn't make them a script kiddie.
Let's separate the brainless script kiddies from what a rootkit is. It really doesn't matter who uses a rootkit, how the rootkit was developed, or even the motives of the user of the rootkit. A rootkit is a tool that provides unrestricted access to the system it is deployed on. Regardless of who, how, or why.
Slashdot.. where people join together in deliberate ignorance.
All bullshit. The RTC requires root to setup ... ONCE [ideally at startup]... then any user can use it.
I routinely play DVDs as my user [you need read access to /dev/dvd]; it's called group management.
I routinely play full screen video games as my user not root, etc, etc, etc.
Your information is out of date and just plain incorrect.
Tom
Someday, I'll have a real sig.
Every time a security issue is posted, we get this advice about using an unprivileged user. It is, however, far from the end-all of security issues - even running as a normal luser, a program can hide from that user. And it has access to all of that users data. One advance would be rigid separation between applications; Microsoft currently considers the desktop the "security boundary", and doesn't do much to isolate applications. Applications are also written carelessly with regards to buffer overflows in local input vectors, such as textboxes. Therefore, anything on the desktop has pretty much access to anything else running there, given some light hacking.
Allowing per-application access control is kludgily achieved by running apps as another user; this is counter-intuitive in today's world, where there is a 1:1 relationship between logged in users and computers. Separating applications, and assigning access rights with some granularity, is really difficult. But if web-apps don't take over the world, one would need another leap in separation, like protected mode was to real mode.
Go to the command prompt.
echo Text! > text.txt:ADS
Do a DIR and you'll see the size of text.txt is 0 bytes.
The string "Text!" has ended up in an ADS stream called "ADS".
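Windows itself writes a few streams in everyday use, so a sweep for alternate data streams is most useful when it filters those out and reports what is left; the script below is an added example, not code from the thread or from any tool mentioned in it. It walks a directory tree with PowerShell's Get-Item -Stream and lists every named stream that is not on an expected list, and, as the thread points out, it should be run against a volume mounted from a clean boot environment, since a rootkit on the live system can blind stream-aware tools. It assumes PowerShell 3.0 or later on an NTFS volume, and the expected-stream list is an assumption to extend for your environment.

```powershell
# Added example: sweep a directory tree for NTFS alternate data streams that
# Windows does not normally create. Not code from the thread or from LADS.
param(
    [string]$Root = '.',
    # Assumed list of expected stream names: ':$DATA' is the unnamed main data
    # stream every file has; Zone.Identifier is the "downloaded from the
    # Internet" mark mentioned in the thread. Extend this for your environment.
    [string[]]$Expected = @(':$DATA', 'Zone.Identifier')
)

$findings = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns one record per stream on the file (Stream, Length).
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $Expected -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }

if ($findings) {
    $findings | Sort-Object File, Stream | Format-Table -AutoSize
} else {
    "No unexpected alternate data streams under $Root"
}
```

The echo demo above shows up in this report as a stream named ADS on text.txt; Get-Content -LiteralPath <file> -Stream <name> displays a reported stream's contents.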
Cue the Mac OS-X / *Nix / *BSD zealotry.
Psh, my graphing calculator is much more secure than any of those. No security exploits, ever.
Stupidity is like nuclear power, it can be used for good or evil. And you don't want to get any on you.
I don't know how or when it changed, but the orthodox approach to virus scanning used to be that you booted a known clean (very likely read-only) system in order to diagnose the possibly-compromised system.
Every time I hear about how some malware uses a rootkit to "hide", I know it simply means that people are using compromised systems to diagnose themselves. That approach is fundamentally flawed. No one should be surprised that it doesn't work, and it shouldn't be news that it doesn't work. We shouldn't be seeing this article on Slashdot in any category other than the humor section.
But we do see it, because it is news (to somebody?) because this unreliable approach to scanning is mainstream. How the hell did that happen?
It happened because the AV companies are selling their products as something that Windows users install rather than boot. But we know and they know that can't work. It's snake oil and I think selling it is despicable.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
even running as a normal luser, a program can hide from that user.
Yes, but the program cannot make itself run automatically at bootup as this would require changing files which are owned by root.
So basically it will die at next reboot. It might be able to start when that same user logs in, but this can be fixed by forcing all config changes to come from root (Admin or whatever).
It also means that if I scan for this software as root there isn't a thing it can do to avoid detection.
Although this is written with my Linux hat on, I also happen to develop software for Windows and can see no reason that the same principles cannot be applied to Windows.
Apart from one: it would cost MS a fortune to rewrite Office, and they would lose the edge which Office has over the competition (all the private hooks into the OS it uses which they don't publicise to other developers).
I don't read
TCP/IP addresses are often hex-encoded in compiled code, so doing a text search for xxx.xxx.xxx.xxx probably wouldn't be useful anyway...
As long as MS brings up and touts security, particularly in the context of proprietary software, the comment is valid, even if humorous.
And it's free! http://www.sysinternals.com/Utilities/RootkitRevealer.html
Short answer: yes.
Further, even if the elaborate cloaking schemes are followed, there must be communication back to the new pwner of the machine.
Anecdotal evidence: I once set up a Linux machine behind a firewall, couldn't get to the Internet, but it could be seen from the Internet. Turns out there wasn't any requirement for it to see the Internet, so I checked "done" and moved on. This was a one-off deal.
Got a call a month later: "login isn't working". Of course the machine was for dozens of desktop machines that logged in to run custom Universe scripts, so no one could do his/her work. So I go out there and notice that the network cables have been rearranged to go around the firewall. And there were quite a few email messages spooled up and going nowhere.
Asked about the cable. "Oh. I tried that because I couldn't get to the Internet."
"From this machine?"
"Yeah."
"Why did you want to get to the Internet from the Universe server?"
"I wanted to surf the net while I was waiting for this other install thing that I was doing to finish."
OK, so the machine is naked on the Internet, and login's broken. It takes the password, then another login prompt. Found a rootkit. Reinstalled the O/S, restored Universe from backups, put the machine back behind the firewall.
Oh, the spooled-up email messages? Email to the rootkit installer. Even if the machine was pwned, s/he never found out. After poking around for a while, I discovered that it was a poorly implemented rootkit, e.g., the replacement for /bin/login dumped core when it couldn't send the captured passwords back home.
"Press to test."
(click)
"Release to detonate."
I was pretty much with you until #5. Don't boot from read/write media? What exactly do you want me to boot from? Telling people not to boot from their hard disk is pretty radical. And even my Deb CD is really a CD-R - which is, you know, writeable.
#6 is even more out there. Unplug from the network? Being as how you're posting to Slashdot, obviously you're not taking your own advice. What am I missing here?
I think you need to get your tinfoil hat adjusted.
Sean