Slashdot Mirror


New Rootkit Bypasses Windows Code-Signing Security

Trailrunner7 writes "In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection."

27 of 160 comments

  1. Well, DUH... by adjuster · · Score: 2, Insightful

    Without "trusted" hardware the user will always be able to override software "protections" designed to prevent arbitrary code execution. This is just another "leapfrog" in this arms race. Give me "trusted computing" where I control the keys and decide what software is "trusted" and I'd be fine w/ it. Otherwise, I'll take the current situation on personal computers because, at least, I can run arbitrary software. ("Don't turn my PC into an iPhone, bro!")

    --
    The Attitude Adjuster, I hate me, you can too.
    1. Re:Well, DUH... by tompaulco · · Score: 4, Informative

      Code signing is just a money making scheme for Microsoft cleverly disguised as a protective measure for us users. Smaller projects can not afford to have their code digitally signed by Microsoft. People have been writing workarounds for this involving spoofing the driver as being in TEST mode, but this is a hassle for the end user.

      --
      If you are not allowed to question your government then the government has answered your question.
    2. Re:Well, DUH... by 99BottlesOfBeerInMyF · · Score: 3, Interesting

      Give me "trusted computing" where I control the keys and decide what software is "trusted" and I'd be fine w/ it.

      The problem is, 99% of our society cannot properly decide whether software should be trusted or not, and even with more granular controls and proper feedback from the OS a lot of malware will slip through.

      I don't think this is an unsolvable problem. I like the iPhone App store model to some extent. A company with professionals should be vetting software and should be telling users what software should and should not be able to run. But the iPhone App store fails in many ways as well.

      First, there should not be one company deciding. We should harness the free market and build a system that takes inputs from whatever security feeds users subscribe to and weight those security feeds based upon the end user's preferences. Also, we should be able to override the choices for any given case. If we really want to run some software but our security feeds think it is malware, we should be able to do it. Heck, there are valid reasons, such as research, for wanting to run malware. It should just be a very advanced setting that makes it perfectly clear to the end user that they're handing complete control of their device to some other party, forever.

      I'm convinced we could leverage the benefits of both an iPhone app store approach and a traditional package manager approach. I fear, however, that none of the companies in a position to actually make a good system and push it to end users is going to be motivated to do so. Apple will wait for others, and Microsoft sees the way they could leverage their monopoly using an iApp store of their own. Canonical has laid the groundwork, but only as far as copying Apple and incorporating it into their package manager. They're not much for making revolutionary new technologies, nor are they in much position to push it and, lastly, unless they're aiming at the ultra-secure market, their users are currently least in the need of beefing up security.

    3. Re:Well, DUH... by TheLink · · Score: 3, Interesting

      A company with professionals should be vetting software and should be telling users what software should and should not be able to run.

      IMO, the software should be saying what type of sandbox it wants upfront. From a finite manageable set of sandbox templates.

      The software could also instead request a custom sandbox, but a "custom sandbox and app pair" needs to be signed by a trusted party. Either the OS vendor, or someone else with their cert installed (e.g. Corporate IT).

      I proposed something like this to Ubuntu: https://bugs.launchpad.net/ubuntu/+bug/156693

      Rather than solve something harder than the halting problem (you often don't have the full inputs to the program), you just get the programmers to declare upfront what access the programs need, and if declared OK, the OS enforces the sandboxes.

    4. Re:Well, DUH... by TemporalBeing · · Score: 2, Insightful

      Give me "trusted computing" where I control the keys and decide what software is "trusted" and I'd be fine w/ it.

      The problem is, 99% of our society cannot properly decide whether software should be trusted or not, and even with more granular controls and proper feedback from the OS a lot of malware will slip through.

      I don't think this is an unsolvable problem.

      But how that 99% of society wants to use the computer should not (and cannot necessarily) be dictated by even the 1%, as the 1% will not know every edge case for how the 99% wants to use the computer. Thereby, "trusted" computing in that model is 100% flawed, and you then have to build in backdoors - like the registry key that can disable requiring a signed driver so developers can test their drivers - so that the 99% can all do what they want/need to on the computer.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    5. Re:Well, DUH... by Applekid · · Score: 2, Informative

      Code signing is just a money making scheme for Microsoft cleverly disguised as a protective measure for us users. Smaller projects can not afford to have their code digitally signed by Microsoft. People have been writing workarounds for this involving spoofing the driver as being in TEST mode, but this is a hassle for the end user.

      Um, code signing can be by any trusted authority. You need not pay Microsoft for user code.

      Drivers are another story. They need to pass WHQL, but that's no big deal because it's already paid through the licensing fees collected if you want to put a Windows logo on your product certifying it's compatible with Windows. Naturally, if it's going to have the logo on the box, Microsoft wants to make sure your crappy driver doesn't cause problems that will be blamed on Windows.

      Installing unsigned drivers in testing mode is a pain in a live environment for the same very good reason you don't want to perform crash testing on a live motorway.

      --
      More Twoson than Cupertino
    6. Re:Well, DUH... by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      IMO, the software should be saying what type of sandbox it wants upfront. From a finite manageable set of sandbox templates.

      Agreed. It greatly lessens the work for auditors as they only have to figure out what you're doing with the services/access and then decide if that is actually appropriate. I'd also mention adding official services and protocols (such as an update service, a secure registration/purchasing service, a service for ad streaming to supported apps, etc.) results in fewer apps needing to roll their own services for these purposes and further simplifies security auditing.

    7. Re:Well, DUH... by rsmith-mac · · Score: 2, Interesting

      Drivers are another story. They need to pass WHQL

      Even this is not quite true. There are 2 different levels of signing: Ownership signing, and WHQL signing. Ownership signing establishes who the driver came from; unless a driver is ownership signed, 64bit versions of Windows will flat-out refuse to install it (unless you boot with signature enforcement disabled) and is what TFA is referencing. WHQL signing is a second layer where MS signs off on the driver; without a WHQL signature, Windows will throw up a scary warning advising you that the driver is not WHQL signed and that you should not install it, but it will still let you install the driver if you choose to. The only other non-WHQL limitation is that Windows won't use the driver automatically for newly installed devices.

      In any case, drivers ultimately do not need to pass WHQL to be used. Ownership signing is sufficient to allow installation, however any serious vendor is going to want WHQL approval to avoid the scary warning.

  2. But can TDL4 bypass Safe Mode? by digitaldc · · Score: 4, Funny

    Safe Mode is all I run nowadays.
    I am just too scared to 'Start Windows Normally'

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:But can TDL4 bypass Safe Mode? by Monkeedude1212 · · Score: 4, Funny

      It's weird, when I tried the "Last Known Good" configuration it booted up Windows 98!

  3. Not for -your- security by Microlith · · Score: 2, Insightful

    In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running.

    Of course, but the primary role of that lock down was to protect their DRM'd subsystems, which can be accessed by drivers running in kernel space, not to protect end-users from malicious driver code. Those were vicious but by far a minority, and it hasn't improved the situation on Windows Vista x64 / Windows 7 in the slightest.

    But hey, now Microsoft gets to bill everyone $250 for each driver release!

    1. Re:Not for -your- security by K. S. Kyosuke · · Score: 2, Interesting

      Of course, but the primary role of that lock down was to protect their DRM'd subsystems

      In other words, the protection is there in order to prevent malicious code from stopping?

      --
      Ezekiel 23:20
    2. Re:Not for -your- security by clodney · · Score: 3, Insightful

      In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running.

      Of course, but the primary role of that lock down was to protect their DRM'd subsystems, which can be accessed by drivers running in kernel space, not to protect end-users from malicious driver code.

      Question for you - what benefit does Microsoft gain from enforcing DRM? They are not the copyright holders of music and movies, so they have no direct loss if pirating of content leads to reduced sales of music and movies.

      Seems to me that if MS's own self-interest is considered they would put their effort into preventing piracy of their own software, and not worry about the DRM systems.

      Windows Vista and 7 do indeed include DRM subsystems, but since I can't see how MS's self-interest is involved in maintaining them, I think it is likely that these are things that the content holders demanded from them before they would grant MS the necessary licenses to produce players, or enter into partnerships to promote such content.

      Either way, seems to me that MS is at most a reluctant partner in such schemes, and don't really care if DRM gets hacked. But driver signing and anti-malware do generate negative customer feedback, so I believe they take those things more seriously.

  4. Infecting the MBR requires admin rights by gad_zuki! · · Score: 3, Insightful

    or physical access. At that point anything goes. Why bother with screwing with code signing tricks when you can just run whatever code you like.

    1. Re:Infecting the MBR requires admin rights by BLKMGK · · Score: 2, Insightful

      Nope, I don't think so. If you attempt to load up an unsigned driver on 64bit Win7 or Vista 64 and do not specifically go through the F key function to turn on the mode that disables signed drivers - at every single boot - you will get a nasty text message that HALTS the boot process, shows you the name of the unsigned driver, and shows you the registry key that called it (as I recall, been awhile).

      Unsigned drivers on 64bit Windows are NOT the same as the unsigned code box you're talking about. Attempts to load unsigned drivers on the OS that requires it halt the boot process. You can go into a mode to load them - which I think even has visual indicators - or use a test cert - indicators here too I believe - but it's most certainly not the trivial thing to get around you've just described, sorry.

      --
      Build it, Drive it, Improve it! Hybridz.org
    2. Re:Infecting the MBR requires admin rights by gad_zuki! · · Score: 2, Informative

      You are correct. Here are the peerguardian people talking about this. When running 64-bit, signing is required; on 32-bit it is not.

      http://www.raymond.cc/blog/archives/2009/08/24/loading-unsigned-drivers-in-windows-7-and-vista-64-bit-x64/

  5. Re:Wow. Master Boot Record infectors. by PatPending · · Score: 2, Informative

    Old sk00l. When was the last MBR infector seen in the wild? 2002? Most of this class are from the DOS era, fercryingoutloud.

    From the second paragraph of the fine article (emphasis added):

    TDSS has been causing serious trouble for users for more than two years now, and is an example of a particularly pernicious type of rootkit that infects the master boot record of a PC. This type of malware often is referred to as a bootkit and can be extremely difficult to remove once it's detected. The older versions of TDSS--TDL1, TDL2 and TDL3--are detected by most antimalware suites now, but it's TDL4 that's the most problematic right now.

    --
    What one fool can do, another can. (Ancient Simian Proverb)
  6. Not a "New" Rootkit by Avohir · · Score: 5, Informative

    This is a new version of a ~2 year old rootkit, also known as TDSS, and the company responsible for this particular parasite is a Russian outfit known as Dogma Millions. Eset did a good writeup on the older version here. This newer version is actually even more interesting than the article indicates. It's intelligent enough to send tools like MBRCheck off to look at a backup of the MBR so that they'll erroneously return a "clean" verdict while the system remains infected. The best bet for removal is TDSSKiller by Kaspersky (the company that wrote the blog entry).

    --
    To err is human, to really foul up requires a computer
    1. Re:Not a "New" Rootkit by Ziekheid · · Score: 2, Interesting

      I have a box infected with this and thought I had removed it. After running the utility you linked I found out its MBR is still infected though, so thanks for the link, but it's not able to 'cure' the infection.
      Some solutions on the Kaspersky forum suggest rewriting the MBR which I will attempt now.

      I traced the initial infection back to a vulnerable Flash installation which locks certain flash files so they can not be updated anymore after infection keeping you vulnerable for future infections.

    2. Re:Not a "New" Rootkit by iMouse · · Score: 2, Informative

      The MBR isn't the only point of infection. TDSS also patches legitimate system files, resulting in reinfection of the MBR if the infected files on the drive are not taken care of first.

  7. Acceptable and Proper Slashdot Vocabulary by h00manist · · Score: 2, Funny

    Welcome to Eleven Thousandth Slash Dot Dot Org's and Cambridge International Language Forum! We shall henceforth debate the propriety of linguistic terms to be used by ourselves, and other participants of the public at large, within the realm of our debate on all matters relating to the technical world - including those of impact in non-technically-literate circles of society. We will here discuss the proper use of verbs and nouns, adverbs and adjectives, phrasal verbs and colloquial terms, and vote on their acceptability to be assembled into a properly approved vocabulary for use on this most honourable forum in all of geekdom, Slashdot! Our first items approved on the agenda today -

    Acceptable vocabulary for use within Slashdot fora

    boxen, facetious plural of box (by analogy to oxen as the plural form of ox), particularly in computer hacker slang with respect to the term 'box' for a computer

    Non-acceptable vocabulary for use within Slashdot fora

    Virii is in fact an INCORRECT pluralization of "virus", however, some retard keeps resubmitting it as the plural form. 1 4m k00l, 1 c4n wr173 l33tz0r 'virii' 1n v15u4l b451c 5cr1p7.. ph33r m3h.

    Further submissions for today's Slashdot Approved Vocabulary vote?

    --
    Build your own energy sources from scratch. http://otherpower.com/
    1. Re:Acceptable and Proper Slashdot Vocabulary by hairyfeet · · Score: 5, Insightful

      I don't know, that is kinda like arguing you are the tallest midget as BOTH are major levels of stupid.

      As for TFA, as long as Windows is the #1 desktop deployed it will always be a target, but frankly as a PC repairman I can say there is so much low hanging fruit with home users most won't even need this trick. All they have to do is pop up on a website "ZOMG DUDE, You got teh Viruz!! Turn off yur broken AV and run this ZOMG quick!!!" and you'd be surprised how many will do JUST that. I have literally sat beside a user and said "Do NOT open a password protected zip file it IS a virus!" and had them go "My BFF Kim sent this! stop being paranoid!" and watched dumbfounded as they proceeded to do EXACTLY what the instructions said and pwned themselves.

      While I'm sure the malware kits will all add this to make guys like me have to work harder to get rid of it (in actuality it is pretty much nuke and reinstall anymore) to actually infect many home users all you have to do is the above or the ever easy "You need this codec to watch our FREE Lesbian pron!". I swear guys fall for THAT one damned near every time. I actually had to hunt down a decent virus free porn site just to send my "must click teh prons!" users to just to keep them from constantly reinfecting their machines.

      So Linux guys be DAMNED GLAD you don't have those home users and there will hopefully NEVER be a "year of the Linux desktop" because a week later the net will be flooded with "Porn_Codec.sh" and "Happy_Puppy.scr.sh" with helpful instructions on how to run them that the users WILL follow. Stupid is as Stupid Does.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  8. Re:Wow. Master Boot Record infectors. by sexconker · · Score: 2, Insightful

    Why does everything have to be a kit?
    Rootkit. Okay.
    Bootkit. I see what you did there.

    Would a WoW hack that steals/sells your loot be a lootkit?

    Would a viral advertising campaign that gets a bunch of douches to seek out 1930s era fashion for their high school proms be a zoot kit?

    Would naughty chimney sweeps toss packages of dirt, grime, and grease down your chimney and call it a soot kit?

    Is whatever drug / "treatment" the government uses on every former agent who goes public with stories about aliens called a coot kit?

    Are those wooden owls you put out to scare other birds away from your crops a hoot kit?

    Is the point of this post completely inconsequential, making the post a moot kit?

  9. Re:Wow. Master Boot Record infectors. by HermMunster · · Score: 2, Interesting

    It does more than infect the MBR. It creates a virtual file system and encrypts its payload into that. This makes it undetectable by most antivirus software. Microsoft's Security Essentials DOES detect it, but it CAN'T remove it, at least as of a couple weeks ago when I first encountered the rootkit. You need to boot with your Windows CD (leaving most people that have a recovery partition in the cold) and fix the boot record.

    --
    You can lead a man with reason but you can't make him think.
  10. Re:Hope it just leaks lots of data by afidel · · Score: 3, Interesting

    Actually, the best use is to install drivers that bypass DRM.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  11. Once and for all... by WaroDaBeast · · Score: 2, Informative

    The nominative plural ending for Latin nouns following the second declension is -i, so if virus was a masculine noun, which it is not ("n." means it's neutral), it would then take an i, which would give "viri." But since "virus" is neutral, its plural is "vira," so next time you wanna brag about how well you know Latin — without sounding like a fool —, say that instead.

    Or you can say "viruses" if you feel like speaking English. My €0.02.


    P.S.: The only time you get that double i in the nominative plural is when you inflect a second declension masculine noun that ends in -ius, such as "filius."

    --
    "The body may heal, but the mind is not always so resilient." -- Deus Ex: Human Revolution
  12. Re:The driver signing is mainly for DRM by Myria · · Score: 2, Informative

    Vista and 7's driver signing requirement is mainly for DRM purposes.

    No, the driver signing requirement is for quality control purposes. 60% of Windows crashes used to be driver-related. Now, Microsoft actually requires a proof of correctness, using their Static Driver Verifier, before a driver is signed.

    You're talking about the Windows Hardware Quality Labs signature, not the kernel-mode driver signing requirement in 64-bit Vista and 7. A WHQL signature is not required in order to have a driver load, a kernel-mode driver signature is. Microsoft only does their quality testing with drivers submitted to WHQL; an appropriate VeriSign certificate is enough to get the driver to load, without any quality checking on the part of Microsoft.

    It is the kernel-mode driver signing requirement that this rootkit bypasses, not the WHQL signature.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
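A defender-side check for the distinction rsmith-mac and Myria draw above (ownership/kernel-mode signing versus WHQL, and the boot options that weaken enforcement): this is an added example, not code from the thread, from Microsoft or from any tool the comments name. It assumes an elevated Windows PowerShell session on Vista/7 x64 or later and uses only the stock Get-WmiObject and Get-AuthenticodeSignature cmdlets plus bcdedit.

```powershell
# Added example (not from the thread): list running kernel drivers whose
# Authenticode signature does not verify, and report whether the current boot
# entry has test signing or integrity checks turned off.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several spellings; normalise them.
    param([string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''                        # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                # expand \SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"     # bare relative form
    if (-not (Test-Path -LiteralPath $p)) { return $null }
    return $p
}

function Get-DriverSignatureReport {
    # Only drivers that are currently loaded matter for this check.
    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not $path) {
                [pscustomobject]@{ Name = $_.Name; Path = $_.PathName; Status = 'PathNotResolved'; Signer = $null }
                return
            }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

function Get-SigningEnforcementState {
    # "testsigning Yes" or "nointegritychecks Yes" on the current boot entry means
    # this machine loads drivers a stock Vista/7 x64 install would refuse.
    $out = & bcdedit /enum '{current}' 2>$null
    [pscustomobject]@{
        TestSigning       = [bool]($out -match '^\s*testsigning\s+Yes')
        NoIntegrityChecks = [bool]($out -match '^\s*nointegritychecks\s+Yes')
    }
}

# Anything other than Valid deserves a look: unsigned, tampered, or unresolved path.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table Name, Status, Signer, Path -AutoSize

Get-SigningEnforcementState | Format-List
```

Get-AuthenticodeSignature checks the file against the user-mode trust store, so a Valid result is necessary but not sufficient for the kernel loader to accept the driver, and the Signer subject is the only hint here of who signed it (a vendor certificate versus a Microsoft WHQL publisher).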