Slashdot Mirror
Windows Rootkit Wars Escalate
An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in a ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."
rootkit v. counter rootkit
counter counter rootkit v. counter rootkit
counter counter counter rootkit v. counter counter rootkit
An endless cycle of patch, pray, patch, pray, reinstall awaits us.
X|K|Ubuntu, anyone?
From what I understand, the goverment does take computer crime seriously, and does go after virus & rootkit authors. Unless that author happens to be a corporation, in which case it's a-ok.
It is like a generalized version of the resource and data fork on old MacOS files with similar uses.
I hate them because of that incident the word rootkit became popular.
I know what you mean! Just the other day I was listening to two teenage girls yakking in the mall...
"Oh no you did-uhnt! Girl, you can't be lettin' some loser root your kit like that!"
Don't disappoint your bird dog. Go to the range.
If only Windows was closed source, then writing such tools would be difficult. Oh, wait...
http://www.heysoft.de/nt/ntfs-ads.htm
There's a lot that can be done with it.
This Russian-created rootkit is smart enough to recognize known anti-rootkit tools and hide from them.
:P
Does this mean that in Soviet Russia, rootkits detect y... Bah, nevermind. Too easy.
Slashdot: come for the pedantry, stay for the condescension.
People, please, stay sensible. First of all, a rootkit has to GET into a system. How it hides, how it vanishes, how it hooks certain parts of the system and how it defeats anti-rootkit tools is moot if it doesn't even GET that far.
Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!
And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unrelyable source without at least checking what it is!
My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.
There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
What about developers ? Lots of apps -- essentially games -- don't run well in unprivileged environments. I run as unprivileged user but usually need to use runas when I didn't took the time to adjust braindead defaults program settings. And you can't ask the average user to tweak file and register permissions. BTW I've seen apps opening data files rw when only ro was needed. How do you avoid security flaws then ? Editing binary to change call parameters isn't an option...
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
FSecure's posting says that they released a version of their antirootkit software that can defeat this. Date June 21
Symantec says that FSecure's product can't remove this. Date June 29.
Any reason for this discrepency? You'd think they'd continue to moniter what other companies are doing to combat the problem and 8 days would be enough for them to find out about the new release.
Well.. maybe. Or Maybe not. But Definitely not sort of.
"In essence they were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh's file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details."
http://www.securityfocus.com/infocus/1822
Web 2.0 == Giant Blogspam Circle Jerk
A rootkit is a tool that script kiddies use to break into systems, as opposed to someone with actual skill finding and exploiting weaknesses using their own brain.
No it isn't.
A rootkit is what is installed to give the cracker unimpeded access (provides a backdoor, hides processes, replaces legitimate processes with trojaned ones, keep activity out of system logs) once they have gained entry to a system (usually throgh a known vulnerability.) THeir activity would be hidden from netstat ps, etc.
At least look at Wikipedia.
music lover since 1969
The US government can't even persue terrorists who kill American citizens without inviting substantial criticism.
Aren't a lot of those terrorists dead? You know, the ones with bombs strapped to them, or the ones who forced planes into buildings. And as regards the living terrorists, the criticism isn't so much directed at their pursuit, but rather the collateral damage in terms of innocent civilian casualties abroad and loss of civil rights at home.
If you're (like me) one of the, umm, fortunate souls who get to clean up rootkit-infested machines regularly, there's a tool you should know about: LADS, for "list alternative data streams"
It can be found buried in this FAQ about the NTFS ADS feature: http://www.heysoft.de/nt/ntfs-ads.htm
I haven't tried it yet, but it looks like it should work from a win32 bootdisk (like BARTPE). So you should be able to boot from a clean win32 environment and scan the computer's hard disk to find any files with ADSs. Fortunately, use of this feature within NTFS is not widespread, so malware should stand out pretty obviously.
Have fun!
-R
Microsoft has been less than forthcoming about ADS, it's function and it's mechanism. ADS has been used in the past to hack into web servers and now appears to be useful for rooting any system with NTFS.
Is ADS a Microsoft backdoor?
Even the ultimate authority on computer terminology, the Urban Dictionary, gets it right:
If that's not functionality that should require Windows binaries to be signed, I don't know what is.
tasks(723) drafts(105) languages(484) examples(29106)
Long ago, in the days of MS-DOS, there was a program that was excellent at detecting unknown MS-DOS viruses. Called Integrity Master, for maximum security one ran it from a bootable floppy, scanned files on the hard disk, and stored the file with the scanned signatures on a floppy. It wasn't SHA or MD5 hashes, but at the time it was solid security.
Then, one periodically (once or twice a week, as paranoia sees fit) ran the utility on their machine. If stuff in the MS-DOS directory was changed, it was immediately apparant. Integrity Master also was able to scan for some known viruses as well in addition to keeping a log of changed files.
We need a utility like that for Windows XP and Vista. A bootable CD or DVD that not just can understand NTFS (and NTFS's file compression), but has the necessary software to mount hard disks which are encrypted with BitLocker, PGP, SafeBoot, PointSec, WinMagic, DriveCrypt Plus Pack. The utility should also allow for username/password entry so EFS-protected files can be checked too.
This utility should use a CD or DVD to boot from, mount hard drive volumes, run checks for alternate data streams, system and nonsystem files, and finally the registry, perhaps including the encrypted parts like the SAM. It should not just save hashes of files, but perhaps have some ability to check file signatures as well (like sfc.exe and sigverif.exe do), so an update to Windows via a legitimate way doesn't set off a lot of false positives. Of course, the "manifest" file storing the file hashes on the file system would be stored on a removable USB drive, so the OS on the hard drive never has the ability to touch it.
Because this checking is done offline, a rootkit would be a lot harder to hide (unless it uses a method that the integrity scanner wasn't programmed to detect, like perhaps pointing to unallocated disk space for executable code, or hiding in an EFS-protected file.)
Of course, offline checking isn't perfect, because the machine being scanned has to be totally downed for a good amount of time which can't be done in a 24/7 environment.
There are some hurdles though. Trying to reduce the amount of false positives is one, for example. A novice user presented with a notice that a lot of files were changed likely wouldn't know what was a bad change, and what was normal for system functioning. After that, its decoding files and registry keys. Finally, if a known rootkit database was used, keeping track of how rootkits encrypt their payload, and delivering timely program updates.
[Yoda]
Begun, the Rootkit Wars have...
[/Yoda]
There's always a few people mention this.
The problem when you do this, it essentially treats you as if you are that user, not just their privileges. It's a pain in the neck when you do this to install a program, and it installs it only to that (Say, the Administrator account) users start menu.
Or if you want to save a document from a program that requires it, you save it to My Documents, right? Go to open it later, open up My Documents in Windows Explorer and wow! It's gone!
(disclaimer: maybe it doesn't work this way in XP, but it certainly did in Win2k when I did take the effort to run as non-privileged user. XP Home doesn't make it that easy, what with the crippled security optons)
My personnal experience this far with Linux is that most of the time, you won't need full root access, if :
- your access rights are correctly set (as in using the GUID "video" to grand access to devices used for graphic acceleration. Most modern distro have this done auto-magically by the setup or have the plug-n-play daemon assign correct rights to newly plugged devices)
- there are small piece of code that are used to communicate between priviledged acces and un privilidged access (in other words : once upon a time, you needed to have SETUID on SVGALib to have nice graphics in games under Linux. Nowadays, SDL communicates with drivers and architectures like DRI, which take car to pass messages to a more priviledged part which, in turn, will take care of the sensitive steps. (In other words : Old applications - use special extension and map framebuffer themeselfs, if enough access rights. New (unpriviledged) applications - ask the X Server (with modern extension) which itselfs has the right to access hardware to map what is needed.
That means that, with a correctly setup system, I never needed to SUDO before playing anything with mplayer, xine, vlc or whatever else.
I almost never run application as something different as my user account.
In fact, even installing update is being slowly replaced with a less priviledged process in recent distro (instead of asking the users to star a process as root and installing updates himself under this identity, newer distro have a separate demon that runs with the minimal necessary privileges and the user only has a small application that passes messages to the update daemon to make the system install patches).
On the other hand, Windows, with its "admin-by-default" accounts hasn't done anything to prevent misbehavioured software. I can understand that Windows 3.x and Windows 9x, with all their DOS tradition behind them had to be "admin-by-default". But since Microsoft moved to a new architecture, why don't they change the default user profile behaviour ? Old APPs are run thrue an emulated API, newer application break if they can't run in a non-priviledged environnement.
Old usage needed admin rights. That's normal. What's not normal is that Microsoft perpatuated the bad habbit in newer versions of Windows.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
A real cracker could write their own rootkit, and it would still be called a rootkit even though that particular rootkit wouldn't be available to anyone but himself.
It's very common for people to write their own tools, and then use them. That doesn't make them a script kiddie.
Let's separate the brainless script kiddies from what a rootkit is. It really doesn't matter who uses a rootkit, how the rootkit was developed, or even the motives of the user of the rootkit. A rootkit is a tool that provides unrestricted access to the system it is deployed on. Regardless of who, how, or why.
Slashdot.. where people join together in deliberate ignorance.
I don't know how or when it changed, but the orthodox approach to virus scanning used to be that you booted a known clean (very likely read-only) system in order to diagnose the possibly-compromised system.
Every time I hear about how some malware uses a rootkit to "hide", I know it simply means that people are using compromised systems to diagnose themselves. That approach is fundamentally flawed. No one should be surprised that it doesn't work, and it shouldn't be news that it doesn't work. We shouldn't be seeing this article on Slashdot in any category other than the humor section.
But we do see it, because it is news (to somebody?) because this unreliable approach to scanning is mainstream. How the hell did that happen?
It happened because the AV companies are selling their products as something that Windows users install rather than boot. But we know and they know that can't work. It's snakeoil and I think selling it is despicable.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.