New Rootkit Bypasses Windows Code-Signing Security
Trailrunner7 writes "In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection."
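An added example, not from the linked article or anyone in this thread: a PowerShell inventory of the signing state of the kernel drivers currently running, plus the boot flags (test signing, no integrity checks) that legitimately relax driver-signature enforcement. It only reports what the OS exposes from inside the running system; it does not claim to detect the rootkit the article describes, and, as a later comment notes, a rootkit that intercepts disk reads can hand any on-box checker a clean copy of whatever it asks for. The cmdlets used are standard Windows PowerShell; run from an elevated prompt.

```powershell
# Added example (not code from the article or the thread). Requires an
# elevated Windows PowerShell prompt (bcdedit and raw driver paths need admin).
#
# Caveat: a "clean" result here is necessary, not sufficient. A rootkit that
# hooks disk I/O can satisfy these checks; a scan from clean boot media is the
# real test.

function Get-DriverSignatureReport {
    # Win32_SystemDriver lists kernel drivers known to the Service Control
    # Manager. PathName is the image on disk, not the image loaded in memory.
    Get-WmiObject Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }

        # Normalise the NT-style path forms the SCM sometimes stores.
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $_.Name; Path = $path; Status = 'FileMissing'; Signer = $null }
            return
        }

        # Get-AuthenticodeSignature verifies an embedded signature. On newer
        # Windows it also consults the catalog store, so inbox drivers verify;
        # on Windows 7 era systems catalog-signed inbox drivers may report
        # NotSigned, so cross-check those with Sysinternals 'sigcheck -c'.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            Status = $sig.Status.ToString()
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

function Get-BootSigningFlags {
    # bcdedit prints text; look for the two flags that weaken signing enforcement.
    $bcd = bcdedit /enum "{current}" 2>$null
    [pscustomobject]@{
        TestSigning       = [bool]($bcd -match '^\s*testsigning\s+Yes')
        NoIntegrityChecks = [bool]($bcd -match '^\s*nointegritychecks\s+Yes')
    }
}

$flags = Get-BootSigningFlags
"Boot flags: testsigning=$($flags.TestSigning) nointegritychecks=$($flags.NoIntegrityChecks)"

# Anything other than 'Valid' deserves a look: unsigned, tampered, or missing.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table Name, Status, Signer, Path -AutoSize
```

A driver showing `HashMismatch` means the file on disk no longer matches its signature; `NotSigned` on a third-party driver on a 64-bit system, or either boot flag set to `Yes`, is worth explaining before trusting the box.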
Safe Mode is all I run nowadays.
I am just too scared to 'Start Windows Normally'
He who knows best knows how little he knows. - Thomas Jefferson
Code signing is just a money-making scheme for Microsoft cleverly disguised as a protective measure for us users. Smaller projects cannot afford to have their code digitally signed by Microsoft. People have been writing workarounds for this involving spoofing the driver as being in TEST mode, but this is a hassle for the end user.
If you are not allowed to question your government then the government has answered your question.
or physical access. At that point anything goes. Why bother with screwing with code signing tricks when you can just run whatever code you like.
Give me "trusted computing" where I control the keys and decide what software is "trusted" and I'd be fine w/ it.
The problem is, 99% of our society cannot properly decide whether software should be trusted or not, and even with more granular controls and proper feedback from the OS a lot of malware will slip through.
I don't think this is an unsolvable problem. I like the iPhone App store model to some extent. A company with professionals should be vetting software and should be telling users what software should and should not be able to run. But the iPhone App store fails in many ways as well.
First, there should not be one company deciding. We should harness the free market and build a system that takes inputs from whatever security feeds users subscribe to and weight those security feeds based upon the end user's preferences. Also, we should be able to override the choices for any given case. If we really want to run some software but our security feeds think it is malware, we should be able to do it. Heck, there are valid reasons, such as research, for wanting to run malware. It should just be a very advanced setting that makes it perfectly clear to the end user that they're handing complete control of their device to some other party, forever.
I'm convinced we could leverage the benefits of both an iPhone app store approach and a traditional package manager approach. I fear, however, that none of the companies in a position to actually make a good system and push it to end users is going to be motivated to do so. Apple will wait for others, and Microsoft sees the way they could leverage their monopoly using an iApp store of their own. Canonical has laid the groundwork, but only as far as copying Apple and incorporating it into their package manager. They're not much for making revolutionary new technologies, nor are they in much position to push it and, lastly, unless they're aiming at the ultra-secure market, their users are currently least in the need of beefing up security.
This is a new version of a ~2 year old rootkit, also known as TDSS, and the company responsible for this particular parasite is a Russian outfit known as Dogma Millions. Eset did a good writeup on the older version here. This newer version is actually even more interesting than the article indicates. It's intelligent enough to send tools like MBRCheck off to look at a backup of the MBR so that they'll erroneously return a "clean" verdict while the system remains infected. The best bet for removal is TDSSKiller by Kaspersky (the company that wrote the blog entry).
To err is human, to really foul up requires a computer
A company with professionals should be vetting software and should be telling users what software should and should not be able to run.
IMO, the software should be saying what type of sandbox it wants upfront. From a finite manageable set of sandbox templates.
The software could also instead request a custom sandbox, but a "custom sandbox and app pair" need to be signed by a trusted party. Either the OS vendor, or someone else with their cert installed (e.g. Corporate IT).
I proposed something like this to Ubuntu: https://bugs.launchpad.net/ubuntu/+bug/156693
Rather than solve something harder than the halting problem (you often don't have the full inputs to the program), you just get the programmers to declare upfront what access the programs need, and if declared OK, the OS enforces the sandboxes.
Of course, but the primary role of that lock down was to protect their DRM'd subsystems, which can be accessed by drivers running in kernel space, not to protect end-users from malicious driver code.
Question for you - what benefit does Microsoft gain from enforcing DRM? They are not the copyright holders of music and movies, so they have no direct loss if pirating of content leads to reduced sales of music and movies.
Seems to me that if MS's own self-interest is considered, they would put their effort into preventing piracy of their own software, and not worry about the DRM systems.
Windows Vista and 7 do indeed include DRM subsystems, but since I can't see how MS's self-interest is involved in maintaining them, I think it is likely that these are things that the content holders demanded from them before they would grant MS the necessary licenses to produce players, or enter into partnerships to promote such content.
Either way, seems to me that MS is at most a reluctant partner in such schemes, and don't really care if DRM gets hacked. But driver signing and anti-malware do generate negative customer feedback, so I believe they take those things more seriously.
Actually, the best use is to install drivers that bypass DRM.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I don't know, that is kinda like arguing you are the tallest midget as BOTH are major levels of stupid.
As for TFA, as long as Windows is the #1 desktop deployed it will always be a target, but frankly as a PC repairman I can say there is so much low hanging fruit with home users most won't even need this trick. All they have to do is pop up on a website "ZOMG DUDE, You got teh Viruz!! Turn off yur broken AV and run this ZOMG quick!!!" and you'd be surprised how many will do JUST that. I have literally sat beside a user and said "Do NOT open a password protected zip file it IS a virus!" and had them go "My BFF Kim sent this! stop being paranoid!" and watched dumbfounded as they proceeded to do EXACTLY what the instructions said and pwned themselves.
While I'm sure the malware kits will all add this to make guys like me have to work harder to get rid of it (in actuality it is pretty much nuke and reinstall anymore) to actually infect many home users all you have to do is the above or the ever easy "You need this codec to watch our FREE Lesbian pron!". I swear guys fall for THAT one damned near every time. I actually had to hunt down a decent virus free porn site just to send my "must click teh prons!" users to just to keep them from constantly reinfecting their machines.
So Linux guys be DAMNED GLAD you don't have those home users and there will hopefully NEVER be a "year of the Linux desktop" because a week later the net will be flooded with "Porn_Codec.sh" and "Happy_Puppy.scr.sh" with helpful instructions on how to run them that the users WILL follow. Stupid is as Stupid Does.
ACs don't waste your time replying, your posts are never seen by me.