Windows Rootkit Wars Escalate

An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in a ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."

Forever War

[Kream]

rootkit v. counter rootkit
counter counter rootkit v. counter rootkit
counter counter counter rootkit v. counter counter rootkit

An endless cycle of patch, pray, patch, pray, reinstall awaits us.

X|K|Ubuntu, anyone?

Re:Forever War

[Lumpy]

Nope your saviour is called BartPE. no virus,worm,rootkit on the planet can disable it.

In fact I dont even bother running any Host OS scans when I fix someone's PC anymore, I boot from a BartPE disc, scan it with the antivir and antispyware and clean it up easier and faster than anything else.

Takes me far less time I get it on the first try and it's back to a clean machine for 35 seconds until the owner clicks on things again to reinstall every bit of spyware.

Re:Enough is enough

[SoCalChris]

From what I understand, the goverment does take computer crime seriously, and does go after virus & rootkit authors. Unless that author happens to be a corporation, in which case it's a-ok.

Re:Whats ADS for?

[baywulf]

It is like a generalized version of the resource and data fork on old MacOS files with similar uses.

Re:number 1 reason to hate sony

[ScentCone]

I hate them because of that incident the word rootkit became popular.

I know what you mean! Just the other day I was listening to two teenage girls yakking in the mall...

"Oh no you did-uhnt! Girl, you can't be lettin' some loser root your kit like that!"

if only windows was closed source

If only Windows was closed source, then writing such tools would be difficult. Oh, wait...

Re:T-minus 3... 2... 1...

>possible for a rootkit to go completely undetected on OSX

If it's undetectable how would you know?

Here's a nice FAQ on that.

[khasim]

http://www.heysoft.de/nt/ntfs-ads.htm

There's a lot that can be done with it.

Detection

[kirkb]

This Russian-created rootkit is smart enough to recognize known anti-rootkit tools and hide from them.

Does this mean that in Soviet Russia, rootkits detect y... Bah, nevermind. Too easy. :P

Re:Detection

[monopole]

In Soviet Russia Vista Rootkits ship before Vista

Security doesn't start at rootkit detection

[Opportunist]

People, please, stay sensible. First of all, a rootkit has to GET into a system. How it hides, how it vanishes, how it hooks certain parts of the system and how it defeats anti-rootkit tools is moot if it doesn't even GET that far.

Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!

And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unrelyable source without at least checking what it is!

My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.

There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?

Re:Security doesn't start at rootkit detection

[Opportunist]

Sorry to say it bluntly, but I do remember. It's over. It's patched. Currently, there are no unpatched bugs (at least none that I'm aware of) that let you deliver malware straight to a connected computer.

Which does not mean that I'd connect to the 'net without a firewall.

Re:Security doesn't start at rootkit detection

[Billosaur]

And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unrelyable source without at least checking what it is!

My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.

Normally I would agree, but what about the fact that there may be legitimate sites out there that have been infected by this rootkit, which will then in turn infect users who have no reason to fear infection? Not every work or trojan is spread via the incompetence of the user -- it only seems that way. Look at the way 180solutions is dumping spyware on unaware MySpace users who click on seemingly legitimate content, including an ad for software to protect children. ALl someone has to do is slip this sucker into some seemingly harmless content and WHAM!

Re:Security doesn't start at rootkit detection

[Jaysu]

"My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon."

oh, and uh, don't put a store bought Sony music CD in there either. Spam can come in forms besides bright flashing "click me" banners.

Re:Security doesn't start at rootkit detection

[Opportunist]

What do you mean, "buy music"?

Re:Security doesn't start at rootkit detection

[99BottlesOfBeerInMyF]

People, please, stay sensible. First of all, a rootkit has to GET into a system.

True, but there are many modes of infection.

Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!

So, just because you don't know of any unpatched, remote vulnerabilities being exploited, we should not worry about them? What about local escalations, there are plenty of those outstanding and some people admin multi-user boxes. Finally, it can come in as a trojan. No one has the time to exhaustively check every program they run, if the source is even available. That means you have to trust every program you install. This is asking users to sacrifice usability for security, and that is a classic security blunder.

My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon.

My prediction is we can stop 100% of worms, trojans, and spybots by no longer using computers... of course that kind of defeats the purpose.

There is no technical solution for a social problem.

Malware is mostly a technical problem and a computer/human interaction problem. It can be solved with education as a social problem, but only when the previous problems have been fixed. You can't expect users to learn a whole lot of really complex topics in order to perform simple tasks. It is not going to happen. When joe-sixpack runs their computer they expect it to conform to some basic, sensible characteristics and it is failing. This is not the user's fault. This is the fault of the people who designed the system first and then tried to teach the average person a long series of complex topics and ever changing rules. What they should have done was ask the users what the computer should do and then make the computer do that.

It is unreasonable to expect that clicking on an icon that looks just like your picture files will install a program and let someone in Russia start using your computer to send spam. This is a failing of the computer, not the user. The computer should clearly indicate to the user what is a picture and what is a program. Then, it should not let the program do anything the user does not expect and want. If this rootkit arrives in a trojan, disguised as data or a beneficial program like a game, and the user runs it, they still should not have to worry about it because it should be running in a sandbox, by default. When it tries to do something unusual, like patch the core of the OS, the user should be warned in very strong language and given the option of letting the rootkit patch a VM's core OS instead, thereby stopping it from having any effect. It doesn't take a genius to do this, if only people would stop apologizing for how crappily most OS's, especially Windows, deal with this stuff. By blaming the users for this failing you're part of the problem. Stop it.

Re:Security doesn't start at rootkit detection

[Evil+Shabazz]

Sony has clearly shown us that even "trusted" sources and "knowing" what you're running can result in unintentional rootkit installation without your knowledge. After all, isn't Sony a "trusted" source and we knew playing their CDs wouldn't be harmful, right?

I bought that CD from a store legitimately. There's no way I'd get a rootkit problem from that, right?

Re:Security doesn't start at rootkit detection

[Lord+Ender]

Currently, there are no unpatched bugs (at least none that I'm aware of) that let you deliver malware straight to a connected computer.

Before any of the hundreds of security holes in Windows XP were published, they were still there! If you have paid any attention to security, you would be very confident that there are many remote root, arbitrary code, no-interaction-required holes in Windows RIGHT NOW.

They are no doubt being used. I can think of many ways to build a bot that connects home indetectably to all but the most paranoid and brilliant sysadmin.

Re:Security doesn't start at rootkit detection

[99BottlesOfBeerInMyF]

There is no 100% solution except to cease using the technology. That's a given. But that would be like saying we should stop using cars because accidents happen.

What you advocated, however, was users not running software or opening data they don't trust. For most users, that cuts the functionality of their machine in half. Trust is a sliding scale. And given the relatively mild punishment for trusting too much, most users will chose functionality over security. The job of the OS should be to make sure they never have to make that choice.

There is no technical solution to everything, though. You cannot "fool proof" everything. Would you go around fool-proofing cars or guns? I'd rather expect someone using either to have proper training and knows how to use it, so he is neither harm to himself nor others.

Well, if I can get a gun or car to do exactly what I want without any risk or decrease in functionality, I'm all for it. As for training, the point is that the usability and functionality of the system has to be up to snuff before it can be effective. To bring cars to the equivalent level of functionality as a Windows machine you'd have to have no windshield and the user would have to just be guessing where they are going. Right now users are given basically no information about what is happening. Is that a program or data? What is it doing when I'm running it? Is it sending spam, or running a game? Is it reading my tax returns? No idea.

The analogy of guns is an interesting one. Anyone who has had a traditional education concerning guns has heard that they should always treat the gun as if it is loaded and point it away from anything they don't want to shoot. Why? Why not only point it in a safe direction when it is loaded? There is no danger if the action is open and it is obviously empty. The answer is "conditioning." Nobody can concentrate on one thing all the time. By always treating the gun as loaded users condition themselves through repetition. That way, when they're thinking about something else (like is that a bear in those trees) they unconsciously point their gun in a safe direction and don't accidentally shoot their hunting buddy when they stumble.

The reason this is such an appropriate comparison is because Windows uses conditioning as well. Every time it brings up the same cryptic dialogue box with (OK/Cancel) it conditions users to click "OK" to get their computer to work again. It also conditions them to click "OK" when being warned of a potential threat. It is one of the worst UI choices, ever and a classic example of what not to do. In many cases even reading the dialogue you don't know what each of the buttons will do since "OK" and "Cancel" are not appropriate responses and are not actions. It is the result of programmers ignoring the human component of computer/human interactions when it comes to security.

First and foremost, you are responsible for what comes out of your computer.

I'll accept that I am responsible, but that does not mean no one else is as well. Picture this, the computer sales guy talks a grandmother into buying a computer. She knows nothing about them, but he tells her it is as easy to use as a TV and will let her send e-mail to her grandkids. They install it and hook it up for her. She never patches it and it is not set to do so automatically. It is compromised. It sends spam. Is it her fault she was lied to? Is it her fault she assumed it would behave reasonably instead of doing things all on its own? Yes, but even more than that it is the fault of the salesman and the system designers.

If someone is unfit to use a car, we don't let him use it.

If more than 70% of people are unfit to use most cars on the road, but do just fine with an Audi, maybe we need to rethink our car designs rather than sending everyone back to driver's education.

Likewise, if someone is unfit to use a computer because he cannot follow the most basic rules of common sense, he should not be on t

Yes, it works in Vista

[ThinkFr33ly]

I think it's somewhat disingenuous to specifically note this rootkit works in Vista. It implies that the security work done in Vista has somehow failed.

Vista has numerous improvements security wise, and almost all of them have to do with prevent a machine from becoming infected to begin with.

, UAC, Windows Defender, the improved software firewall, IE 7+ sandboxing/broker, etc... these are all meant to make it a lot harder for malware to get on the machine to begin with.

As the old security adage goes, if untrusted software is run on your machine, it's not your machine anymore.

Re:Yes, it works in Vista

[ThinkFr33ly]

Sorry, that first link should be:

Address space randomization.

Helps if you actually preview before posting. :(

Re:Yes, it works in Vista

[alexhs]

About your last link, #4 is wrong. Allowing to upload a program and allowing to run it is a very different thing.

A bad guy can upload files on your web site, if he isn't allowed to run them, you've nothing to fear (except if YOU run them afterwards, of course, but it's covered by #1)

Ha, ha, ha

[Opportunist]

If it wasn't so sad, it would be funny.

tell me how, please. The things you know about him/her/them/whatever:

A DNS-Server in San Jose.
A host in Kiew.
Code generated in Russia.
Distributed by spambots from around the world.

Now, where do you start looking? Have you ever tried getting some help from authorities in Russia? If not, it's a worthy adventure. At the very least, it gives you enough material to write a very interesting book.

Re:T-minus 3... 2... 1...

[alexhs]

That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!

What about developers ? Lots of apps -- essentially games -- don't run well in unprivileged environments. I run as unprivileged user but usually need to use runas when I didn't took the time to adjust braindead defaults program settings. And you can't ask the average user to tweak file and register permissions. BTW I've seen apps opening data files rw when only ro was needed. How do you avoid security flaws then ? Editing binary to change call parameters isn't an option...

Symantech vs F-Secure

[Bill,+Shooter+of+Bul]

FSecure's posting says that they released a version of their antirootkit software that can defeat this. Date June 21

Symantec says that FSecure's product can't remove this. Date June 29.

Any reason for this discrepency? You'd think they'd continue to moniter what other companies are doing to combat the problem and 8 days would be enough for them to find out about the new release.

Re:Whats ADS for?

[MrNougat]

"In essence they were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh's file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details."

http://www.securityfocus.com/infocus/1822

Re:number 1 reason to hate sony

[djdavetrouble]

A rootkit is a tool that script kiddies use to break into systems, as opposed to someone with actual skill finding and exploiting weaknesses using their own brain.

No it isn't.
A rootkit is what is installed to give the cracker unimpeded access (provides a backdoor, hides processes, replaces legitimate processes with trojaned ones, keep activity out of system logs) once they have gained entry to a system (usually throgh a known vulnerability.) THeir activity would be hidden from netstat ps, etc.

At least look at Wikipedia.

Re:Are you kidding?

[miskatonic+alumnus]

The US government can't even persue terrorists who kill American citizens without inviting substantial criticism.

Aren't a lot of those terrorists dead? You know, the ones with bombs strapped to them, or the ones who forced planes into buildings. And as regards the living terrorists, the criticism isn't so much directed at their pursuit, but rather the collateral damage in terms of innocent civilian casualties abroad and loss of civil rights at home.

Detect this....

[mdsc1]

Did the writers of the rootkit consider that...

"The reason that there is no longer a command-line version is that malware authors have started targetting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior." http://www.sysinternals.com/Utilities/RootkitRevea ler.html

Ooops... 1 step ahead of the hackers yet again.

Vista compatible?

[tlhIngan]

Don't rootkits need to hook into the kernel in some way, and the "some way" in Vista is via signed binaries? Overriding kernel hooks seem to imply that yes, signed binaries are needed as well...

Also, would it be able to hide from a tool like SysInternal's rootkit detector which compares API return values for the registry and filesystem with an actual analysis of the registry files themselves, and a scan of the raw blocks on the disk? (Understands NTFS and FAT, and the registry hive format).

Re:Vista compatible?

[Short+Circuit]

It doesn't hook any public APIs, but it does hook some internal ones. Quoth the Symantec link:

Rootkit detectors also check for the integrity of some kernel structures like the Service Descriptor Table, but Rustock.A controls kernel functions by hooking MSR_SYSENTER and other special IRP functions. [2]

If that's not functionality that should require Windows binaries to be signed, I don't know what is.

Useful tool link

[RebornData]

If you're (like me) one of the, umm, fortunate souls who get to clean up rootkit-infested machines regularly, there's a tool you should know about: LADS, for "list alternative data streams"

It can be found buried in this FAQ about the NTFS ADS feature: http://www.heysoft.de/nt/ntfs-ads.htm

I haven't tried it yet, but it looks like it should work from a win32 bootdisk (like BARTPE). So you should be able to boot from a clean win32 environment and scan the computer's hard disk to find any files with ADSs. Fortunately, use of this feature within NTFS is not widespread, so malware should stand out pretty obviously.

Have fun!

-R

ADS was also an IIS backdoor

[goat_roperdillo]

Some of the first info on ADS was revealed when IIS users were notified by Microsoft that the full source code of any ASP URL, e.g.

http://www.mycode.asp

could be downloaded to a browser by appending ":$DATA" to the URL, e.g.,

http://www.mycode.asp:$DATA

Little explanation of ADS or the special ADS keyword "$DATA" was revealed in the Microsoft Security Bulletin MS98-003. At the time I could not fine a full list of ADS keywords or an explanation of ADS on Microsoft's site, merely references to making a filename "canonical" (whatever that meant - no explanation was provided).

Microsoft has been less than forthcoming about ADS, it's function and it's mechanism. ADS has been used in the past to hack into web servers and now appears to be useful for rooting any system with NTFS.

Is ADS a Microsoft backdoor?

Re:ADS was also an IIS backdoor

[KingMotley]

Actually, NTFS streams were pretty well discussed when they came out back in 1994. They have been there since Windows NT 3.1. They are similiar to the old macintosh's data and resource forks, and I believe Microsoft implemented it so that they could support Macintosh files when acting as a file server (or perhaps they were considering building a Macintosh compatability box on top of the NT kernel).

I was actually suprised that Microsoft didn't take advantage of streams more often than they do. It would be a nice place to have put file meta-data (Like MP3 tags, creator, summary, etc), or image thumbnails (instead of thumbs.db). They probably wanted to support FAT32, and Windows 9x which is why they didn't.

It's hardly a backdoor, it was a pretty big deal and a feature Microsoft made a pretty big deal of when it arrived. NTFS also supports another hardly used feature known as sparse files where you can allocate space within a file that doesn't actually take any disk space. Useful for some record/database applications. It also supports junction points as well, allowing you to map a drive into a folder (Similiar to linux's symbolic links).

Re:ADS was also an IIS backdoor

[jandrese]

Is there any legitimate program that uses the ADS? I can see maybe some 68k Macintosh emulators using it, but most of the time those guys just create a virtual drive (a big single file that doesn't use the ADS) instead.

I've known about it for a long time now, but have yet to ever use it myself. I really wish you could disable it entirely if nothing legitmate is going to bother. As it is now, it's just a poor security-by-obscurity mechanism that really has no place in the base OS.

Wait, I take back what I said before. I did find one shareware program that hid it's "I've been installed for this long" counter file in the ADS. Deleting the file reset the counter. :)

Re:number 1 reason to hate sony

[mobby_6kl]

I don't think I've heard anyone use the term to refer to automatic cracking tools, although it wouldn't be completely unreasonable (rootkit == a kit to get root). Actually, it looks like someone edited the entry and simply inserted "; an automated cracking tool" to completely change the definition ;)

Even the ultimate authority on computer terminology, the Urban Dictionary, gets it right:

A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows.

The rootkit concept is the dominant controversial aspect of the 2005 Sony CD copy protection controversy, which has made the previously obscure concept of a rootkit much more widely known in the technology community, and to the general public

Re:Whats ADS for?

[Control-Z]

It's much more than a "hidden" attribute on a file.

I fought with the HackerDefender rootkit earlier this year. Best I can tell it got in through a vulnerability in the Finger port of my mail server. It installed itself as a legacy mode device driver. The device driver was set up to hide certain filenames from Windows. Once installed, you COULD NOT SEE the files the rootkit used. The files weren't files marked with the "hidden" attribute, they were simply hidden from Windows at all levels. You COULD NOT SEE the registry entries. You could not see the task in Task Manager. Very evil and took many hours of my time to fix.

Offline rootkit scanner?

[dfloyd888]

Long ago, in the days of MS-DOS, there was a program that was excellent at detecting unknown MS-DOS viruses. Called Integrity Master, for maximum security one ran it from a bootable floppy, scanned files on the hard disk, and stored the file with the scanned signatures on a floppy. It wasn't SHA or MD5 hashes, but at the time it was solid security.

Then, one periodically (once or twice a week, as paranoia sees fit) ran the utility on their machine. If stuff in the MS-DOS directory was changed, it was immediately apparant. Integrity Master also was able to scan for some known viruses as well in addition to keeping a log of changed files.

We need a utility like that for Windows XP and Vista. A bootable CD or DVD that not just can understand NTFS (and NTFS's file compression), but has the necessary software to mount hard disks which are encrypted with BitLocker, PGP, SafeBoot, PointSec, WinMagic, DriveCrypt Plus Pack. The utility should also allow for username/password entry so EFS-protected files can be checked too.

This utility should use a CD or DVD to boot from, mount hard drive volumes, run checks for alternate data streams, system and nonsystem files, and finally the registry, perhaps including the encrypted parts like the SAM. It should not just save hashes of files, but perhaps have some ability to check file signatures as well (like sfc.exe and sigverif.exe do), so an update to Windows via a legitimate way doesn't set off a lot of false positives. Of course, the "manifest" file storing the file hashes on the file system would be stored on a removable USB drive, so the OS on the hard drive never has the ability to touch it.

Because this checking is done offline, a rootkit would be a lot harder to hide (unless it uses a method that the integrity scanner wasn't programmed to detect, like perhaps pointing to unallocated disk space for executable code, or hiding in an EFS-protected file.)

Of course, offline checking isn't perfect, because the machine being scanned has to be totally downed for a good amount of time which can't be done in a 24/7 environment.

There are some hurdles though. Trying to reduce the amount of false positives is one, for example. A novice user presented with a notice that a lot of files were changed likely wouldn't know what was a bad change, and what was normal for system functioning. After that, its decoding files and registry keys. Finally, if a known rootkit database was used, keeping track of how rootkits encrypt their payload, and delivering timely program updates.

Re:Seems to effect

[spinfire]

The desktop 64-bit processors out now are x86 processors, unless I missed the memo that we were all to move to RISC.
You did miss the memo. The AMD and Intel 64 bit processors use an instruction set architecture called "x86_64" (also x64 or AMD64 or EM64T, isn't marketing wonderful?). This instruction set extends the original 32 bit x86 instruction set. Wikipedia has some x86_64 architecture information.

Obligatory Star Wars reference

[Shadowland]

[Yoda]
Begun, the Rootkit Wars have...
[/Yoda]

Re:Run As

[creepynut]

There's always a few people mention this.

The problem when you do this, it essentially treats you as if you are that user, not just their privileges. It's a pain in the neck when you do this to install a program, and it installs it only to that (Say, the Administrator account) users start menu.

Or if you want to save a document from a program that requires it, you save it to My Documents, right? Go to open it later, open up My Documents in Windows Explorer and wow! It's gone!

(disclaimer: maybe it doesn't work this way in XP, but it certainly did in Win2k when I did take the effort to run as non-privileged user. XP Home doesn't make it that easy, what with the crippled security optons)

My personnal experience...

[DrYak]

My personnal experience this far with Linux is that most of the time, you won't need full root access, if :
- your access rights are correctly set (as in using the GUID "video" to grand access to devices used for graphic acceleration. Most modern distro have this done auto-magically by the setup or have the plug-n-play daemon assign correct rights to newly plugged devices)
- there are small piece of code that are used to communicate between priviledged acces and un privilidged access (in other words : once upon a time, you needed to have SETUID on SVGALib to have nice graphics in games under Linux. Nowadays, SDL communicates with drivers and architectures like DRI, which take car to pass messages to a more priviledged part which, in turn, will take care of the sensitive steps. (In other words : Old applications - use special extension and map framebuffer themeselfs, if enough access rights. New (unpriviledged) applications - ask the X Server (with modern extension) which itselfs has the right to access hardware to map what is needed.

That means that, with a correctly setup system, I never needed to SUDO before playing anything with mplayer, xine, vlc or whatever else.
I almost never run application as something different as my user account.
In fact, even installing update is being slowly replaced with a less priviledged process in recent distro (instead of asking the users to star a process as root and installing updates himself under this identity, newer distro have a separate demon that runs with the minimal necessary privileges and the user only has a small application that passes messages to the update daemon to make the system install patches).

On the other hand, Windows, with its "admin-by-default" accounts hasn't done anything to prevent misbehavioured software. I can understand that Windows 3.x and Windows 9x, with all their DOS tradition behind them had to be "admin-by-default". But since Microsoft moved to a new architecture, why don't they change the default user profile behaviour ? Old APPs are run thrue an emulated API, newer application break if they can't run in a non-priviledged environnement.

Old usage needed admin rights. That's normal. What's not normal is that Microsoft perpatuated the bad habbit in newer versions of Windows.

Re:number 1 reason to hate sony

[ScottLindner]

A real cracker could write their own rootkit, and it would still be called a rootkit even though that particular rootkit wouldn't be available to anyone but himself.

It's very common for people to write their own tools, and then use them. That doesn't make them a script kiddie.

Let's separate the brainless script kiddies from what a rootkit is. It really doesn't matter who uses a rootkit, how the rootkit was developed, or even the motives of the user of the rootkit. A rootkit is a tool that provides unrestricted access to the system it is deployed on. Regardless of who, how, or why.

Make your own ADS

[The+MAZZTer]

Go to the command prompt.

echo Text! > text.txt:ADS

Do a DIR and you'll see the size of text.txt is 0 bytes.

The string "Text!" has ended up in an ADS stream called "ADS".

AV companies are dishonest

[Sloppy]

I don't know how or when it changed, but the orthodox approach to virus scanning used to be that you booted a known clean (very likely read-only) system in order to diagnose the possibly-compromised system.

Every time I hear about how some malware uses a rootkit to "hide", I know it simply means that people are using compromised systems to diagnose themselves. That approach is fundamentally flawed. No one should be surprised that it doesn't work, and it shouldn't be news that it doesn't work. We shouldn't be seeing this article on Slashdot in any category other than the humor section.

But we do see it, because it is news (to somebody?) because this unreliable approach to scanning is mainstream. How the hell did that happen?

It happened because the AV companies are selling their products as something that Windows users install rather than boot. But we know and they know that can't work. It's snakeoil and I think selling it is despicable.