Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows Rootkit Wars Escalate

Posted by ryuzaki0 on from the most-secure-version-of-windows-ever dept.

An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in a ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."

8 of 342 comments (clear)

  1. if only windows was closed source by Anonymous Coward · · Score: 5, Funny

    If only Windows was closed source, then writing such tools would be difficult. Oh, wait...

  2. Security doesn't start at rootkit detection by Opportunist · · Score: 5, Insightful

    People, please, stay sensible. First of all, a rootkit has to GET into a system. How it hides, how it vanishes, how it hooks certain parts of the system and how it defeats anti-rootkit tools is moot if it doesn't even GET that far.

    Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!

    And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unrelyable source without at least checking what it is!

    My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.

    There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Security doesn't start at rootkit detection by Jaysu · · Score: 5, Insightful

      "My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon."

      oh, and uh, don't put a store bought Sony music CD in there either. Spam can come in forms besides bright flashing "click me" banners.

      --
      It has been said that 63% of all statistics are made up
    2. Re:Security doesn't start at rootkit detection by Evil+Shabazz · · Score: 5, Insightful

      Sony has clearly shown us that even "trusted" sources and "knowing" what you're running can result in unintentional rootkit installation without your knowledge. After all, isn't Sony a "trusted" source and we knew playing their CDs wouldn't be harmful, right?

      I bought that CD from a store legitimately. There's no way I'd get a rootkit problem from that, right?

      --
      Down with the career politician! SUPPORT TERM LIMITS
  3. Re:number 1 reason to hate sony by djdavetrouble · · Score: 5, Informative

    A rootkit is a tool that script kiddies use to break into systems, as opposed to someone with actual skill finding and exploiting weaknesses using their own brain.

    No it isn't.
    A rootkit is what is installed to give the cracker unimpeded access (provides a backdoor, hides processes, replaces legitimate processes with trojaned ones, keep activity out of system logs) once they have gained entry to a system (usually throgh a known vulnerability.) THeir activity would be hidden from netstat ps, etc.

    At least look at Wikipedia.

    --
    music lover since 1969
  4. Re:Vista compatible? by Short+Circuit · · Score: 5, Interesting
    It doesn't hook any public APIs, but it does hook some internal ones. Quoth the Symantec link:
    Rootkit detectors also check for the integrity of some kernel structures like the Service Descriptor Table, but Rustock.A controls kernel functions by hooking MSR_SYSENTER and other special IRP functions. [2]


    If that's not functionality that should require Windows binaries to be signed, I don't know what is.
    --
    tasks(723) drafts(105) languages(484) examples(29106)
  5. Obligatory Star Wars reference by Shadowland · · Score: 5, Funny

    [Yoda]
    Begun, the Rootkit Wars have...
    [/Yoda]

  6. Re:Forever War by Lumpy · · Score: 5, Informative

    Nope your saviour is called BartPE. no virus,worm,rootkit on the planet can disable it.

    In fact I dont even bother running any Host OS scans when I fix someone's PC anymore, I boot from a BartPE disc, scan it with the antivir and antispyware and clean it up easier and faster than anything else.

    Takes me far less time I get it on the first try and it's back to a clean machine for 35 seconds until the owner clicks on things again to reinstall every bit of spyware.

    --
    Do not look at laser with remaining good eye.