Slashdot Mirror


New Developments From Microsoft Research

prostoalex writes "Information Week magazine runs a brief report from Microsoft Research, showcasing some of the new technologies the company's research division is working on. Among them — a rootkit that eliminates other rootkits, a firewall that blocks the traffic exploiting published vulnerabilities, a system for catching lost e-mail, a honeypot targeted at discovering zero-day exploits, and some anti-phishing applications."


  1. rootkit wars by Toby+The+Economist · · Score: 5, Insightful

    > a rootkit that eliminates other rootkits

    Well, there goes kernel stability.

    I'm really not sure I want a future Norton RootKit Protector installing itself, bugs and all, into my kernel.

    1. Re:rootkit wars by HillBilly · · Score: 5, Funny

      Aww, how could you not trust Norton? It slows the fast changing internet world down to a much better pace! ;)

      --
      "Go into the hall of mirrors and have a bloody hard look at yourself" - HG Nelson
    2. Re:rootkit wars by QuantumG · · Score: 5, Funny

      no, no, no, it's much worse than you think. These rootkits are based on virtualization, they install themselves below the kernel. The kernel runs on these rootkits.

      --
      How we know is more important than what we know.
    3. Re:rootkit wars by ZeroExistenZ · · Score: 2, Funny
      Aww, how could you not trust Norton? It slows the fast changing internet world down to a much better pace! ;)

      It not only creates a seniorweb(tm) as you stated, it's also a security strategy to slow down your PC and use all available memory so you are physically unable to install malware.


      Due to Moore's law, Norton is required to double the memory and processor use at the same rate processors evolve, by adding *more features*.


      I think they've taken the most logical course to build in this security strategy right into the kernel as it has become hard to find additional features to successfully slow down the latest generation of processors.

      --
      I think we can keep recursing like this until someone returns 1
    4. Re:rootkit wars by Anonymous Coward · · Score: 5, Insightful

      Ok, no more BS. First of all, the project is called Strider Ghostbuster. Second, it is not a rootkit itself. The way it works is it lists all the files on your computer, running as a program on the suspect machine. Then you run it from a boot CD, just like Knoppix, and do the same thing. Then when you see files listed on the scan from the CD that weren't on the other list, you know they are hiding themselves from the OS. This is a good idea because it doesn't require signature files or checksums of a known good state.

      Not everything from Microsoft is fucking stupid, but the comments that inevitably follow every single MS story on Slashdot are.

    5. Re:rootkit wars by Bjarke+Roune · · Score: 4, Insightful

      Why is this modded funny? One of the hardest kind of rootkits to detect is ones based on virtualization, and they indeed do run under the kernel, tricking the kernel to believe that the kernel is running on actual hardware when in fact it is running on virtual hardware generated by the rootkit. I do not know if there are any actual, malicious rootkits out there doing this, but they could do it, and it would be very hard to get rid of such a rootkit if it was done properly.

    6. Re:rootkit wars by EvilGrin666 · · Score: 2, Interesting

      Well there is Blue Pill. However there is some doubt within certain circles as to its existence. Plus, even if it does exist and work as the author claims it to, it's only a proof of concept piece of malware.

    7. Re:rootkit wars by geoff+lane · · Score: 3, Funny

      I wrote a shell script that did that years ago. Where can I pick up my Nobel Prize?

    8. Re:rootkit wars by EvanED · · Score: 2, Interesting

      The current PoC can be found by just scanning all memory, and if that could be solved (very difficult)

      It's not as difficult as you think. There's a proof of concept rootkit called Shadow Walker which uses a very clever technique taken from PaX's method for preventing stack and heap execution of code without hardware NX support. It's not perfect -- there are a couple avenues of detection that are hard to "solve" -- but it does go a fair way towards achieving that goal.

      though this needs an external reference timesource since you can't trust the host

      Which means you're subject to network delays and whatnot. This is actually harder than it seems to do well. ;-)

  2. It is good to see by Sinryc · · Score: 3, Interesting

    It really is good to see that Microsoft is trying to do some good things. I mean they ARE the huge company that they are, so it really is good to see that they are trying to do things better. However, a rootkit to change a rootkit does not sound like a good idea... But a firewall like they are talking about does seem pretty interesting. I hope to see good stuff come out. As a Windows user, this is good news for me.

    --
    Yay, I have a sig.
  3. You thought you were safe! by Anonymous Coward · · Score: 2, Funny

    a rootkit that eliminates other rootkits

    Yes, but what about rootkits that eliminate rootkits that eliminate other rootkits? Muhahaha

  4. What the ... ? Lost email? by khasim · · Score: 5, Insightful
    SureMail Microsoft researchers Sharad Agarwal and Venkat Padmanabhan determined that about 1% of all e-mails get lost in e-mail systems. SureMail is a proposed system in which the e-mail client detects when an e-mail has been sent to a recipient's account and alerts that recipient when an e-mail fails to make it to his or her in-box. SureMail would indicate the e-mail's sender but not disclose the missing message's contents.

    How the fuck does email get "lost"? How could that happen? Even a server crash should not cause that.

    Why not, instead, spend the time and money finding the real problem in your email system and fixing that? I handle about 1,500 in-bound messages a day. By their calculations, I should be losing 15 or so, every day. Yet that does not seem to be happening.
    1. Re:What the ... ? Lost email? by dattaway · · Score: 4, Funny

      How the fuck does email get "lost"? How could that happen? Even a server crash should not cause that.

      You don't understand. Microsoft's email servers are more personal than BSD or Linux. Each email is hand scanned and routed. Each packet is individually inspected and if something is wrong, its routed to the appropriate supervisor. There's lots of checks and procedures. This is why Microsoft's mail servers have a more friendly user interface. You get what you pay for.

    2. Re:What the ... ? Lost email? by martin-boundary · · Score: 4, Insightful
      Unlikely. SMTP is designed for reliability. When a server OKs a client DATA submission, it is supposed to accept to route the mail no matter what, even if it might take a week to contact another server. SMTP servers which have been around for a while are plenty reliable, certainly much more than 99%. The relevant RFCs have been around in one form or another for 20 years.

      The most likely causes of lost mail are stupid admins, who either don't know how to set up their mail spools, or run unreliable commercial or homebrew mail filters, in the wrong place and/or with the wrong settings.

    3. Re:What the ... ? Lost email? by Hurricane78 · · Score: 3, Funny

      Yes sir! We use only the finest baby libraries, softly coded and flown from Iraq, cleansed in finest quality Norton scanners, lightly killed, and then sealed in a succulent DRM quintuple secure treble virtualized rootkit envelope and lovingly compiled with Visual Basic.

      Steve Milton Ballmer
      CEO, Microsoft-Whizzo Corp.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    4. Re:What the ... ? Lost email? by Dunbal · · Score: 2, Funny

      How the fuck does email get "lost"? How could that happen? Even a server crash should not cause that.

            Don't worry. I'm sure that if you ask nicely, the NSA/Homeland Security will give you a copy of your email.

      --
      Seven puppies were harmed during the making of this post.
  5. Hacks by Simon80 · · Score: 4, Funny

    a rootkit that eliminates other rootkits
    This just in: Microsoft team A resorts to rooting Windows in order to fix the problems introduced by some 21 man team B somewhere else in the company that they can't get in touch with.
    1. Re:Hacks by rucs_hack · · Score: 2, Insightful

      Excellent, this will amount to a Microsoft tutorial for hackers on how to deploy their stuff whilst simultaneously removing those from competing groups....

  6. Microsoft research is cool by sentientbrendan · · Score: 2, Interesting

    They've put out quite a few interesting experimental languages for the .NET platform.

    In particular f# (ocaml with .NETified classes) looks pretty cool.

    Can anyone in the know comment on how doing research for a company like Microsoft compares to doing CS research at a university? I'd imagine the pay would be somewhat better, but are there other tradeoffs like reduced freedom?

    1. Re:Microsoft research is cool by MicrosoftRepresentit · · Score: 3, Interesting

      Working for MS means more money, more variety in the work you do, better offices, better facilities, better training, better career prospects.

      Don't think doing CS research at uni is like a cross between having a job and being a student, because unless you are very lucky, it isn't; it fucking sucks. It's the worst of both worlds; the shittiness of it all has sucked the life and enthusiasm out of at least three of my friends.

  7. Why wait? Get Snort today. by khasim · · Score: 3, Informative

    Microsoft is re-inventing "intrusion detection" and "packet analysis". Save yourself some stress and deploy Snort today.
    http://www.snort.org/

    1. Re:Why wait? Get Snort today. by gbobeck · · Score: 2, Informative
      but snort does not run on windows, which is sorta their target OS....

      Actually, Snort will run on Windows.

      First, you need to install WinPcap, which is available at http://www.winpcap.org/.

      Next, you will have to download the Snort Windows binary at http://snort.org/dl/binaries/win32/.

      Finally, RTFSnortM and have fun.

      It's not all that hard to get going... I had to do a Snort install on a Windows box in order to work on a project in my Network Security class at Loyola University Chicago.
      --
      Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
    2. Re:Why wait? Get Snort today. by Strolls · · Score: 2, Funny
      It's not all that hard to get going... I had to do a Snort install on a Windows box in order to work on a project in my Network Security class at Loyola University Chicago.
      I'm sure my grandma won't have any problems, then.

      Stroller.

  8. This is just brilliant by NotFamousYet · · Score: 2, Funny

    > a rootkit that eliminates other rootkits

    So being evil installing rootkits is not enough?

    One rootkit to rule them all! :P

  9. Because if you fix the problem, you've fixed it. by khasim · · Score: 2, Insightful
    Why not do both?

    If you fix the problem of "lost" emails, then why run a system to find and alert people to email that is not lost any more?

    If your system is unreliable, adding complexity usually does not make it more reliable. You need to fix the problem at the lowest level possible.

    Since this is Microsoft, they're probably referring to Exchange/Outlook. Exchange is mostly database driven now. If you're losing messages in your database, having someone re-send them is NOT the approach you want to take.

    You have what is known as "database corruption" and that does NOT spontaneously solve itself. You have a serious problem.
  10. The research department is ... by zoftie · · Score: 2, Insightful

    From what I know of Microsoft Research, it is a patent fishing net so that in the future they can sell/control technologies. Basically covering future turf, so that they can control cash flows and maybe make some money on top of it selling the patents. Control in such a way that if a fooling company developing their product would have some nice feature that will partly infringe on the patent, then Microsoft can hurt the company and tell it what to do. And tech is developed far enough to have an idea for a patent, and then dropped. Sort of like slugs sliming up the IP territory.

    I might be wrong, it's been a while.

  11. Re:RootkitDetector Reloaded... by EvanED · · Score: 2, Interesting

    Actually, in a rare turn of events, GhostBuster isn't the reincarnation.

    MSR has been working on GhostBuster for some time, with a white paper released July 2004. That MSR site says that RootkitRevealer was released Feb 22, 2005. This fact is confirmed by archive.org, where the version archived Feb 22 does not contain RR and the one from Feb 23 does. (Not to mention the front page listed it as Feb 22.)

  12. No Legitimate Purpose by Anonymous Coward · · Score: 5, Insightful
    a rootkit that eliminates other rootkits

    There appears to be no legitimate purpose to such research.

    1. A rootkit that eliminates other rootkits can probably also be eliminated, so this research does not really solve a problem.
    2. Rather than perfecting a rootkit, they should be working towards making a rootkit an impossibility in their OS.
    3. If you can write a rootkit, eliminating other rootkits does not appear to be that large of a challenge in the first place.
    4. If you want to eliminate a rootkit, reinstalling the OS seems like a better idea.
    5. There are countless illicit uses of such software.

    Are they developing this rootkit in an effort to develop new security for their OS? I don't get it.

    1. Re:No Legitimate Purpose by EvanED · · Score: 5, Informative

      The article is misleading if not outright wrong; GhostBuster isn't a rootkit itself, it's just a rootkit detection thing very similar to RootkitRevealer. (GhostBuster came first and is more complete.)

      It's closer to anti-virus than it is to a rootkit itself, though the similarities there don't go very far either. AVs almost universally work by signature matching; GB works by comparing registry entries and files against each other by multiple means of acquiring that information in order to find the symptoms of having a rootkit -- missing information. This assumes that the rootkit is imperfect in hiding.

      For instance, this will do a scan of the registry through the standard API calls. But then it will parse the registry hives that are on disk. The assumption is that the rootkit is going to hook the API calls. Hooking the I/O calls is rather more difficult, and it's impossible if you can do a clean boot. (One of the options is to do a diff of a hot scan vs. a known good scan done from a Windows PE boot.)

      There are still things that rootkit authors can do though, specifically NOT hide from GB itself. In the case of RootkitRevealer, this has actually turned into a mini-arms race of itself. Rootkits started not hiding from rreveal.exe or whatever it's called (so that it wouldn't detect diffs), so RootkitRevealer started randomly renaming itself each time it runs. The state of the art on the black hat side is to carry a signature of RootkitRevealer-like programs and do pattern matching in very much the same way that AV does pattern matching to find viruses.

      2. Rather than perfecting a rootkit, they should be working towards making a rootkit an impossibility in their OS.

      If you can run drivers in kernel mode, you can run a rootkit. (Unless you can statically prove everything you let run in kernel space is safe... this may or may not be possible. For what it's worth, my current research is related to model checking drivers.)
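    The cross-view diff that the Strider GhostBuster comment (post 1.4) and the reply above both describe is simple enough to show end to end. The following is an added illustration, not code from the original thread, from Microsoft Research or from Sysinternals: a constructed in-memory "disk", a simulated hooked enumeration API that filters out the rootkit's own paths (and, as the evasion described above, stops hiding when the caller looks like a known scanner), and the diff of the low-level view against the high-level one. Every path, pattern and process name in it is made up for the example; the scanner-name randomisation mirrors what the reply says RootkitRevealer does. The same `cross_view_diff` applies to the clean-boot variant, where the low-level listing comes from an offline boot instead of raw disk parsing.

```python
"""Toy cross-view diff in the style of GhostBuster / RootkitRevealer.

Added example (not the project's own code). The "disk" and the hooking
rootkit are simulated in-process so it runs offline.
"""
import re
import secrets

# Constructed sample on-disk listing: path -> size in bytes.
# Names are invented for the example.
DISK_IMAGE = {
    r"C:\Windows\System32\ntoskrnl.exe": 4_000_000,
    r"C:\Windows\System32\drivers\evil.sys": 12_288,   # rootkit driver
    r"C:\Users\alice\Documents\report.docx": 40_000,
    r"C:\ProgramData\_hx\loader.dll": 8_192,           # rootkit loader
    r"C:\tools\rkscan.exe": 300_000,
}


def raw_disk_view(disk):
    """Low-level view: read the on-disk structures directly, bypassing the
    API the rootkit hooks. Here that is just the dict's key set; on a real
    system it would be the parsed MFT, or a listing taken from a clean boot."""
    return set(disk)


def make_hooked_api(hide_patterns, whitelist_callers=()):
    """Simulate a rootkit that hooks directory enumeration.

    hide_patterns:     regexes for paths the rootkit removes from results.
    whitelist_callers: process names the rootkit deliberately does NOT hide
                       from, so a scanner sees no diff (the evasion EvanED
                       describes for RootkitRevealer).
    Returns api_list(disk, caller_name) -> the filtered high-level view.
    """
    compiled = [re.compile(p, re.I) for p in hide_patterns]
    trusted = {c.lower() for c in whitelist_callers}

    def api_list(disk, caller_name):
        if caller_name.lower() in trusted:
            return set(disk)                       # play dead for the scanner
        return {p for p in disk
                if not any(r.search(p) for r in compiled)}

    return api_list


def cross_view_diff(high_view, low_view):
    """Entries present in the low-level view but absent from the high-level
    (API) view. No signatures or known-good checksums are needed: the
    symptom is missing information, not a recognised byte pattern."""
    return sorted(low_view - high_view)


def random_scanner_name():
    """Counter the 'do not hide from the scanner' trick by running under a
    fresh, unpredictable process name each time."""
    return f"{secrets.token_hex(6)}.exe"


def scan(disk, api_list, scanner_name):
    """Hot scan: high-level view through the (possibly hooked) API versus the
    low-level view, run under the given process name."""
    high = api_list(disk, scanner_name)
    low = raw_disk_view(disk)
    return cross_view_diff(high, low)


if __name__ == "__main__":
    rootkit_api = make_hooked_api(
        [r"evil\.sys$", r"\\_hx\\"],
        whitelist_callers=("RootkitRevealer.exe",),
    )
    print("as RootkitRevealer.exe:", scan(DISK_IMAGE, rootkit_api, "RootkitRevealer.exe"))
    print("as random name:        ", scan(DISK_IMAGE, rootkit_api, random_scanner_name()))
```

    Running it shows the arms race in miniature: the scan under the whitelisted name reports nothing, while the same scan under a random name surfaces both hidden paths. The residual weakness the reply points out remains: a rootkit that fingerprints the scanner's code rather than its file name defeats the renaming, which is why the offline (clean-boot) listing is the stronger low-level view.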

  13. Great, Just what I need by LividBlivet · · Score: 2, Interesting

    Invisible processes battling each other for CPU, RAM, disk space and Internet bandwidth resources. And all I want to do is send some resumes, check the news and email and browse some sites. Ubuntu just got a much larger partition. Screw this crap, seriously.

  14. Re:RootkitDetector Reloaded... by SeaFox · · Score: 2, Funny
    MSR has been working on GhostBuster [microsoft.com] for some time, with a white paper released July 2004.

    So wait, is Microsoft supposed to be the young fit men hunting ghosts or the large, bloated Stay-Puft Marshmallow Man that's unhealthy for the public?
  15. Don't call stop-gap measures research ... by YeeHaW_Jelte · · Score: 4, Insightful

    If this is microsoft innovation, it's not very innovative. All these 'technologies' are basically extra layers of software to fix the bugs in the first layers ... be it security (phishing stuff, adaptive firewalls, etc etc) or losing emails ... which should not happen anyway and we already have basically the same technique they're developing in the mail protocol, namely confirming a received email.

    --
    "The chances of a demonic possession spreading are remote -- relax."
  16. A rootkit to destroy other rootkits... by Opportunist · · Score: 4, Insightful

    Lemme get this straight. A company is working on a rootkit for their own OS. Now, it could be me, but if I didn't sleep through OS programming, as the maker of the OS I already have total control over everything in it (provided my user allows me to have it, which is pretty much a given with MS OSs). Why do I need a rootkit?

    Not to mention that Vista was trumpeted to be the most secure, un-hackable system ever. How do you install a rootkit on it? I thought it is impossible (spare your corrections, I know it is possible no matter what. I just want to get an answer from the guys that keep telling me it is impossible to rootkit Vista).

    So we're now at the "who gets deeper into the system" war. Because one thing is a given, 3 days after the MS rootkit to destroy other rootkits, the rootkit to destroy the MS rootkit is rolling out. Then it's a month 'til patchday and... you know the drill, we already live it.

    There is no technical solution to social problems. As long as people are dumb enough to click everything offered to them while they're running on admin or root privileges, those things will exist and they will work. Now, with Vista finally trying to run on low privileges, the social engineering part will become bigger to get the user to grant more privileges when necessary for the bug to survive, but since pretty much EVERY program will need those for installation, people will hand out those privileges like freebies, because it's customary that a new program needs them.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:A rootkit to destroy other rootkits... by EvanED · · Score: 2, Informative

      I already have total control over everything in it (provided my user allows me to have it, which is pretty much a given with MS OSs). Why do I need a rootkit?

      You don't. It's poor reporting. GhostBuster isn't a rootkit; it's just a rootkit detection program. (Or set of programs.)

  17. Trilion? by EvilMonkeySlayer · · Score: 2, Funny

    That's nothing, I hear Google invested one Gillion dollars.

  18. Re:Norton Ghost or a "dd" solution via Linux by Zwaxy · · Score: 2, Insightful

    OK, so you've got a clean image saved somewhere. Now what?

    How do you detect whether you've been infected, when all you have is an image of an NTFS filesystem?

    And once you are infected, how do you clean up without losing all your user files?

  19. Re:Rootkit issue, not the solution by Duds · · Score: 2, Funny

    Then they'll just come back with a bigger rootkit and eventually a rootkit so big it'll destroy us all.

  20. Microsoft (Research) Acquires new technology! by C0deJunkie · · Score: 3, Informative

    Microsoft Research is developing technology for finding rootkits by using their own deceptive behavior against them. Known as GhostBuster, it relies on analyzing and comparing system information at both a high level--from a Win32 API, for example--and a low level--such as the raw disk information. Any difference in the two views--for example, the low-level view indicating a file not present in the high-level view--makes a compelling case that a rootkit is trying to hide.

    Simply not true!
    I mean, since it is the exact description of how RootkitRevealer works, I suppose (I'm sure) that it is the same product. For those who do not know, Microsoft acquired Sysinternals (maker of RootkitRevealer) a few months ago.

  21. Oh, and talking 'bout honeypots by Opportunist · · Score: 5, Interesting

    The "classic" honeypot is pretty much dead. Nobody uses a 0day against a random machine anymore. At the very least, one tries to avoid certain IPs and IP Ranges that are known to host pots. Whether MS wants to believe it or not, those lists exist. One of my pots has been discovered a while ago and on that machine, I've never had any detections since, except a few scriptkids that don't count.

    Even "detecting" pots that simulate a user's behaviour and look actively for forged sites and such are getting out of usefulness, since a lot of distributors already start hardening their attacks against aggressive farming. Or they require you to go through very detailed steps that a bot cannot reproduce. I've recently had my first captcha-protected exploit (was a porn site, and what user wouldn't solve a captcha to get his pic when he surfed there just for that in the first place?).

    Forget honeypots. Unless you put a human behind that VM it's running on. Automated pots are becoming less and less useful with attackers becoming more and more aware of them. Especially you can dump any kind of "honeypot kit", they are known and their quirks are tested painstakingly before an attack takes place.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Oh, and talking 'bout honeypots by StrawberryFrog · · Score: 2, Interesting

      avoid certain IPs and IP Ranges that are known to host pots ... those lists exist.

      Cool. How can I get my machine on those lists?

      Seriously, this means that an IP range can be "poisoned" by hosting honeypots amid the the real machines in it. And if not, you don't lose either - you have a working honeypot.

      --

      My Karma: ran over your Dogma
      StrawberryFrog

  22. Re:Norton Ghost or a "dd" solution via Linux by WWWWolf · · Score: 2, Interesting
    How do you detect whether you've been infected, when all you have is an image of an NTFS filesystem?

    You make an image of filesystem that consists of out-of-the-box software that is known to be clean. If that's not clean, repeat from the start and keep both eyes open.

    If you still want to check it, you can always mount the image as a local filesystem and use whatever tools you want to check it: mount -t ntfs /data/user-hd-image.img /mnt/loop -o loop,ro and bigassvirusandrootkittest --verbose /mnt/loop =)

    And once you are infected, how do you clean up without losing all your user files?

    You can always keep user files on another partition.

    But usually, if you have the ability to use images like this, you're rich enough to use an actual Network. You don't keep any important user files locally, you have a file server instead. Local hard drive is only for applications and temporary stuff. (And if a virus grabs your OS while in middle of a big project, you keep the Temporary Stuff in a known location so that the tech support guy can easily move it to another drive before reimaging the whole thing. Or, hey, another partition again!)

  23. Microsoft Singularity by krelian · · Score: 2, Interesting
    This is the most interesting project IMO, but will probably never see the light of day. From the Wikipedia article

    Singularity is a Microsoft Research project started in 2003 to build a highly-dependable operating system in which the kernel, device driver, and applications are all written in managed code. The lowest-level x86 interrupt dispatch code is written in assembly language and C. Once this code has done its job, it calls the kernel, whose runtime and garbage collector are written in C# and run in unsafe mode. The hardware abstraction layer is written in C++ and runs in safe mode. There is also some C code to handle debugging. The computer's BIOS is only called during the 16-bit real-mode bootstrap stage; once in 32-bit mode, Singularity never calls the BIOS again, but rather calls device drivers written in C#. During installation, CIL opcodes of the C# kernel are compiled into x86 opcodes using the Bartok research project. Bartok is an optimizing compiler written in C# for translating CIL into x86.

    The Microsoft Singularity page
  24. One rootkit by BarFly143 · · Score: 2, Funny

    One rootkit to rule them all, one rootkit to find them. One rootkit to bring them all and in the kernel bind them.