Slashdot Mirror


New Developments From Microsoft Research

prostoalex writes "Information Week magazine runs a brief report from Microsoft Research, showcasing some of the new technologies the company's research division is working on. Among them — a rootkit that eliminates other rootkits, a firewall that blocks the traffic exploiting published vulnerabilities, a system for catching lost e-mail, a honeypot targeted at discovering zero-day exploits, and some anti-phishing applications."

14 of 206 comments

  1. It is good to see by Sinryc · · Score: 3, Interesting

    It really is good to see that Microsoft is trying to do some good things. I mean they ARE the huge company that they are, so it really is good to see that they are trying to do things better. However, a rootkit to change a rootkit does not sound like a good idea... But a firewall like they are talking about does seem pretty interesting. I hope to see good stuff come out. As a Windows user, this is good news for me.

    --
    Yay, I have a sig.
  2. Microsoft research is cool by sentientbrendan · · Score: 2, Interesting

    They've put out quite a few interesting experimental languages for the .NET platform.

    In particular f# (ocaml with .NETified classes) looks pretty cool.

    Can anyone in the know comment on how doing research for a company like microsoft compares to doing CS research at a university? I'd imagine the pay would be somewhat better, but are there other tradeoffs like reduced freedom?

    1. Re:Microsoft research is cool by MicrosoftRepresentit · · Score: 3, Interesting

      Working for MS means more money, more variety in the work you do, better offices, better facilities, better training, better career prospects.

      Don't think doing CS research at uni is like a cross between having a job and being a student, because unless you are very lucky, it isn't, it fucking sucks. It's the worst of both worlds; the shittiness of it all has sucked the life and enthusiasm out of at least three of my friends.

  3. Re:RootkitDetector Reloaded... by EvanED · · Score: 2, Interesting

    Actually, in a rare turn of events, GhostBuster isn't the reincarnation.

    MSR has been working on GhostBuster for some time, with a white paper released July 2004. That MSR site says that RootkitRevealer was released Feb 22, 2005. This fact is confirmed by archive.org, where the version archived Feb 22 does not contain RR and the one from Feb 23 does. (Not to mention the front page listed it as Feb 22.)

  4. Great, Just what I need by LividBlivet · · Score: 2, Interesting

    Invisible processes battling each other for CPU, RAM, disk space and Internet bandwidth resources. And all I want to do is send some resumes, check the news and email and browse some sites. Ubuntu just got a much larger partition. Screw this crap, seriously.

  5. Re:What the ... ? Lost email? by Sique · · Score: 1, Interesting

    Congratulations! You just found the proof that on an unreliable channel you can't have a 100% reliable communication. You can improve the reliability, but you can't make it perfect.

    The type of proof you were using is called "infinite regress".

    --
    .sig: Sique *sigh*
  6. Oh, and talking 'bout honeypots by Opportunist · · Score: 5, Interesting

    The "classic" honeypot is pretty much dead. Nobody uses a 0day against a random machine anymore. At the very least, one tries to avoid certain IPs and IP ranges that are known to host pots. Whether MS wants to believe it or not, those lists exist. One of my pots was discovered a while ago, and on that machine I've never had any detections since, except a few scriptkids that don't count.

    Even "detecting" pots that simulate a user's behaviour and look actively for forged sites and such are getting out of usefulness, since a lot of distributors already start hardening their attacks against aggressive farming. Or they require you to go through very detailed steps that a bot cannot reproduce. I've recently had my first captcha-protected exploit (was a porn site, and what user wouldn't solve a captcha to get his pic when he surfed there just for that in the first place?).

    Forget honeypots. Unless you put a human behind that VM it's running on. Automated pots are becoming less and less useful with attackers becoming more and more aware of them. Especially you can dump any kind of "honeypot kit", they are known and their quirks are tested painstakingly before an attack takes place.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Oh, and talking 'bout honeypots by StrawberryFrog · · Score: 2, Interesting

      avoid certain IPs and IP Ranges that are known to host pots ... those lists exist.

      Cool. How can I get my machine on those lists?

      Seriously, this means that an IP range can be "poisoned" by hosting honeypots amid the real machines in it. And if not, you don't lose either - you have a working honeypot.

      --
      My Karma: ran over your Dogma
      StrawberryFrog

  7. Re:rootkit wars by EvilGrin666 · · Score: 2, Interesting

    Well, there is Blue Pill. However, there is some doubt within certain circles as to its existence. Plus, even if it does exist and work as the author claims it to, it's only a proof-of-concept piece of malware.

  8. Re:Norton Ghost or a "dd" solution via Linux by WWWWolf · · Score: 2, Interesting

    How do you detect whether you've been infected, when all you have is an image of an NTFS filesystem?

    You make an image of filesystem that consists of out-of-the-box software that is known to be clean. If that's not clean, repeat from the start and keep both eyes open.

    If you still want to check it, you can always mount the image as a local filesystem and use whatever tools you want to check it: mount -t ntfs /data/user-hd-image.img /mnt/loop -o loop,ro and bigassvirusandrootkittest --verbose /mnt/loop =)

    And once you are infected, how do you clean up without losing all your user files?

    You can always keep user files on another partition.

    But usually, if you have the ability to use images like this, you're rich enough to use an actual network. You don't keep any important user files locally; you have a file server instead. The local hard drive is only for applications and temporary stuff. (And if a virus grabs your OS while in the middle of a big project, you keep the Temporary Stuff in a known location so that the tech support guy can easily move it to another drive before reimaging the whole thing. Or, hey, another partition again!)
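    The check the post describes, comparing a mounted image against a known-clean one, as an added example that is not part of WWWWolf's post: it assumes both trees are already mounted or extracted (the post's read-only loop mount needs root and appears only as a comment) and reports files that were added, removed or changed relative to the clean baseline.

```shell
# Added example (not from the post above): compare a candidate filesystem tree
# against a known-clean baseline, the way the post suggests checking a mounted
# image. Both trees are assumed to be already mounted or extracted; the post's
# read-only loop mount needs root and is only shown here as a comment:
#   mount -t ntfs /data/user-hd-image.img /mnt/loop -o loop,ro

manifest() {
    # One "sha256  ./relative/path" line per regular file under $1.
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

compare_tree() {
    # Usage: compare_tree BASELINE_DIR CANDIDATE_DIR
    # Prints ADDED / REMOVED / MODIFIED <path> lines, sorted.
    # Returns 0 when the trees match, 1 when any difference is found.
    b=$(mktemp) c=$(mktemp)
    manifest "$1" > "$b"
    manifest "$2" > "$c"
    diffs=$(awk '
        # Path is everything after the two-space separator, so spaces survive.
        { h = $1; p = substr($0, index($0, "  ") + 2) }
        FILENAME == ARGV[1] { base[p] = h; next }
        { cand[p] = h }
        END {
            for (p in cand) if (!(p in base)) print "ADDED " p
            for (p in base) {
                if (!(p in cand)) print "REMOVED " p
                else if (base[p] != cand[p]) print "MODIFIED " p
            }
        }' "$b" "$c" | sort)
    rm -f "$b" "$c"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}
```

    Run it as `compare_tree /mnt/clean /mnt/loop`; an ADDED or MODIFIED binary is the lead to investigate, while the baseline itself should be rebuilt from original media rather than from a machine that has ever been online.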

  9. Re:rootkit wars by Anonymous Coward · · Score: 1, Interesting

    I believe it exists and works; however, it's overrated and definitely not "100% undetectable" as claimed. The current PoC can be found by just scanning all memory, and if that could be solved (very difficult) you can always time the execution of certain expensive-to-virtualise instructions, though this needs an external reference timesource since you can't trust the host. Also, virtualisation can be disabled at the BIOS / EFI level. So it's a threat, but not quite the apocalyptic scenario some have claimed.

  10. Microsoft Singularity by krelian · · Score: 2, Interesting

    This is the most interesting project IMO, but will probably never see the light of day. From the Wikipedia article:

    Singularity is a Microsoft Research project started in 2003 to build a highly-dependable operating system in which the kernel, device driver, and applications are all written in managed code. The lowest-level x86 interrupt dispatch code is written in assembly language and C. Once this code has done its job, it calls the kernel, whose runtime and garbage collector are written in C# and run in unsafe mode. The hardware abstraction layer is written in C++ and runs in safe mode. There is also some C code to handle debugging. The computer's BIOS is only called during the 16-bit real-mode bootstrap stage; once in 32-bit mode, Singularity never calls the BIOS again, but rather calls device drivers written in C#. During installation, CIL opcodes of the C# kernel are compiled into x86 opcodes using the Bartok research project. Bartok is an optimizing compiler written in C# for translating CIL into x86.

    The Microsoft Singularity page

  11. Re:What the ... ? Lost email? by Anonymous Coward · · Score: 1, Interesting

    you must not be using exchange :-) we've been tracking exchange silently dropping mail (even between users on the same server!) for at least a year; microsoft has not yet been able to provide even an explanation let alone a fix.

  12. Re:rootkit wars by EvanED · · Score: 2, Interesting

    The current PoC can be found by just scanning all memory, and if that could be solved (very difficult)

    It's not as difficult as you think. There's a proof-of-concept rootkit called Shadow Walker which uses a very clever technique taken from PaX's method for preventing stack and heap execution of code without hardware NX support. It's not perfect -- there are a couple of avenues of detection that are hard to "solve" -- but it does go a fair way towards achieving that goal.

    though this needs an external reference timesource since you can't trust the host

    Which means you're subject to network delays and whatnot. This is actually harder than it seems to do well. ;-)