Slashdot Mirror


New Alureon Rootkit Takes Malware To New Level

Trailrunner7 writes "A new version of the venerable Alureon malware has appeared, and this one includes some odd behavior designed to prevent analysis and detection by antimalware systems. However, this isn't the typical evasion algorithm, as it uses some unusual encryption and decryption routines to make life much more difficult for analysts and users whose machines have been infected. Alureon is a well-known and oft-researched malware family that has some rootkit-like capabilities in some of its variations. The newest version of the malware exhibits some behavior that researchers haven't seen before and which make it more problematic for antimalware software to detect it and for experts to break down its components."

135 comments

  1. A silly question by countertrolling · · Score: 3, Insightful

    Why can't the system be installed on ROM? At the very least, it will boot clean every time...

    --
    For justice, we must go to Don Corleone
    1. Re:A silly question by drolli · · Score: 2

      Because then security leaks cant be fixed? I suggest at least some switch to update the software. On the other hand that could be achieved with any USB stick with a write protect switch.

    2. Re:A silly question by improfane · · Score: 5, Informative

      Malicious software can still be malicious while in memory, send spam, botnet etc. A running exploit of a readonly system is just as compromised as a running writable one, until you turn it off of course. You would never be able to patch it unless you patch the ROM or receive memory patches.

      --
      Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
    3. Re:A silly question by kelemvor4 · · Score: 1

      It was a total pain in the ass. You had to replace a chip in the Amiga to upgrade your OS. Not something I relish the idea of returning to anytime soon.

    4. Re:A silly question by datapharmer · · Score: 3, Insightful

      EEPROM can be... this is essentially what coreboot is.

      --
      Get a web developer
    5. Re:A silly question by postbigbang · · Score: 2

      No.

      A kernel launched from write-protected, hence read-only memory, is going to be the same every time. Subsequent loads can infect a kernel that sits in writeable memory, where malware can do its work. ROMs just are not changeable, unless they're of a genre that permits this, like electrically-erasable programmable read only memory, or EEROMs, which usually take an electrical charge or specific freqs of light to allow change.

      My problem with this kit is that we would probably prosecute someone that makes malaria or HIV or even the common cold viruses more difficult to cure. Yes, tools need to be made to discover how to secure systems more thoroughly, but we're not instilling diligence on the parts of OS makers and sysadmins to stop the problems we have now.

      --
      ---- Teach Peace. It's Cheaper Than War.
    6. Re:A silly question by countertrolling · · Score: 4, Insightful

      On the other hand that could be achieved with any USB stick with a write protect switch.

      That would be the proper procedure that I would find perfectly acceptable, but all the present day USB sticks with write protect do it with software. It's not like the floppies that made it physically impossible to write by literally turning off the ability to write. It's one of the giant steps backwards that the industry has made.. intentionally? I don't know, but my suspicions run high.

      --
      For justice, we must go to Don Corleone
    7. Re:A silly question by grumbel · · Score: 2

      A more interesting question would be why systems are still so shitty at even basic self verification. A Linux might verify a packages signature on install, but after that, there is absolutely no oversight about what is happening to that package. On a regular dist-upgrade it can't even properly tell apart which config files have been touched by the user and which have been automatically generated.

      This is not even an especially hard problem to solve, instead of dumping everything into a single directory tree, dump all packages into a read-only tree and save all the changes to that tree into a completely separate directory tree that is mounted on top of the other one via some kind of unionfs. This wouldn't just be good for security, it would also make a user's life much easier, as changes and hacks that divert from the vanilla system would be instantly visible.

    8. Re:A silly question by _0xd0ad · · Score: 1

      It's not like the floppies that made it physically impossible to write by literally turning off the ability to write.

      Which floppies were those?

    9. Re:A silly question by tlhIngan · · Score: 2

      Because then security leaks cant be fixed? I suggest at least some switch to update the software. On the other hand that could be achieved with any USB stick with a write protect switch.

      If software can turn off "write protect" then you don't have anything. Period. Because anything legit software can do, malware can do. If it can do an update of the ROM image, then malware can as well (and there was a virus that overwrote or attempted to overwrite the BIOS).

      If you make it harder by requiring the user flip a switch, you'll find after the first update that 75% of the people didn't bother updating. After the second, 95% of the switches will be in the "allow write" position as people get lazy. (It will asymptotically approach 100%). If you make it so they have to flip the switch back to write-protect mode in order to boot, well, you'll asymptotically reach 100% of people who don't bother updating because it's too troublesome.

    10. Re:A silly question by hairyfeet · · Score: 5, Interesting

      Because then all they have to do is figure out a buffer overflow for the default browser and you can't patch it so you're boned? As a PC repairman my question would be this....why bother? Do you have ANY idea how many unpatched XP boxes are out there? Boxes with NO AV, or the same trialware Norton crap it came with in 05, loaded up with P2P crap or running "Razr1911 Pro SP2 Corp" that has WU turned off to keep from getting WGA'd? If the number was less than 60 million frankly I'd be amazed.

      So I don't see why they are bothering with this now when they have so much low hanging fruit left, unless they are planning on using it for a spear phishing attack. The time to be releasing something like this would be about 6 months before XP EOL, when the amount of unpatched "Razr1911 Windows 7 all versions pre-activated" will be much higher, although even then most likely all the updates will be turned off (already seeing that BTW, as MSFT figured out how to kill the Razr1911 OEM hack on the RTM version so pirates are just killing WU like they did with XP) so again hacking will be easy.

      As a guy that cleans them for a living I can tell you infecting a Windows box simply isn't that hard, not because MSFT built a bad OS (I'd argue that properly patched an XP or 7 box is actually pretty solid) but because there are so many pirated versions, boxes controlled by people that will happily click on any email attachment, or download "Hot_Lesbos.avi.exe" and run it without a second thought.

      Hell Limewire has been dead for a couple of years yet I still see new boxes infected with malware calling itself "the new Limewire" because simply ripping off the old Limewire icons is enough to get the clueless to happily turn off any security that attempts to stop them installing it so they can snatch the latest pop crap. Social engineering with literally millions of clueless users makes it butt simple to infect masses of boxes with just a little carrot at the end of a stick. This seems like a hell of a lot more work than required unless they have some corporate target in mind.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    11. Re:A silly question by Peristaltic · · Score: 1

      You don't remember the notch in the side of the disk? Notch = RW, cover the notch with tape = RO

    12. Re:A silly question by Anonymous Coward · · Score: 1

      Why not?

      An OS chip would be significantly better than the terrible mess we have now.
      This way it creates a logical separation of OS and user space, too.
      It would force OS developers to rethink what an executable can do with respect to the OS.

      Not to mention that it is much easier to do now due to SSDs being seriously cheap to produce in the sizes that are required. (even for the awfully stupid sizes of Vis7a)

      I already put my OS on a separate partition as it is. The whole Program Files directory is a symlink to another one.
      As are all the other main directory paths.
      Makes it much easier to deal with OS crap to have things separate.
      Meanwhile Microsoft doesn't give a damn about organization and don't even adhere to their own standard user directory format by installing their crapware directly in it instead of application data sub-directories.

      The OS doesn't need to be fully read-only, some parts can be write-enabled, but are only write-enabled by passing through the OS first and not just direct-access for anything.
      This plus custom hardware on the chips could allow them to be slightly more secure by making it harder to see key files used for decryption.
      Of course, this now goes in to the whole trusted computing mess that is happening just now and would end up being used for DRM shit, so nobody will want that.

    13. Re:A silly question by improfane · · Score: 1

      You are implying that a kernel booted from write-protected media is impossible to infect while running. This is not true.

      No kernel is impervious to attack while running.

      --
      Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
    14. Re:A silly question by tlhIngan · · Score: 5, Informative

      That would be the proper procedure that I would find perfectly acceptable, but all the present day USB sticks with write protect do it with software. It's not like the floppies that made it physically impossible to write by literally turning off the ability to write. It's one of the giant steps backwards that the industry has made.. intentionally? I don't know, but my suspicions run high.

      A floppy drive is easy - a floppy drive is just some motors in a cage - the floppy controller resides on the motherboard and tells those motors how to operate. The write protect switch can easily disable the floppy drive's write amplifier.

      Something like a hard drive is hard - you can't disable the read/write line to the (PATA) drive, because you have to write to the registers in order for it to work. It's why forensic labs have drive write blockers - they pass through everything except the write commands - these things require intelligence in order to perform their tasks.

      Ditto USB drives - you can't disable writing to the NAND flash chips itself, because you have to write to them in order to read from them (as well as do things like identify the capacity and such), so the controller has to have intelligence to handle ignoring write commands from the USB host (and even then some drives still do wear levelling and garbage collection on the raw media - so you need lots of firmware hooks to disable that, too).

      The problem is, there's no way to physically make it impossible to write. Some flash chips it was possible - you protected it by disabling the high-voltage programming power source - without that voltage, programming would be problematic. But these days, the charge circuits to do that are built into the silicon so the manufacturers don't have to spend the extra dollar on external power supply circuits and PCB routing, because the intent for writable nonvolatile memory was being able to write to them.

      Making a write-protect switch these days is difficult and often requires extra circuits in order to have the necessary intelligence to block write commands and not all writes (which disables normal read operations as well).

    15. Re:A silly question by Chemisor · · Score: 1

      If your motherboard has a TPM chip, you could set up a trusted boot sequence, ensuring that the OS is unmodified. You can then make the OS execute only signed executables, making any modifications to installed software impossible. Malware would also be prevented from running.

    16. Re:A silly question by postbigbang · · Score: 1

      I'm implying only that when initially read from ROM, it's as clean as it was written. Certainly any kernel can be subsequently infected, given current techniques. I know of no kernel that can't be rooted, given various techniques, and possibly a soldering iron+.

      --
      ---- Teach Peace. It's Cheaper Than War.
    17. Re:A silly question by tlhIngan · · Score: 1

      A more interesting question would be why systems are still so shitty at even basic self verification. A Linux might verify a packages signature on install, but after that, there is absolutely no oversight about what is happening to that package. On a regular dist-upgrade it can't even properly tell apart which config files have been touched by the user and which have been automatically generated.

      This is not even an especially hard problem to solve, instead of dumping everything into a single directory tree, dump all packages into a read-only tree and save all the changes to that tree into a completely separate directory tree that is mounted on top of the other one via some kind of unionfs. This wouldn't just be good for security, it would also make a user's life much easier, as changes and hacks that divert from the vanilla system would be instantly visible.

      And how do you propose that the "pristine" packages below it are updated without giving malware the same privileges or ability to update those packages with infected versions?

      Trusted binaries (which defeats the entire purpose and puts us back into Apple Jailbreaking)? Signed packages (ditto)? And if you propose having users manage the certificates by installing them, remember that malware can do the same to bypass any sort of signing mechanism.

      The unfortunate truth is, the only way to ensure it is trusted boot and a trust chain, which was the whole point of TCPA, which was something people rallied against.

      Sadly, the end result is there isn't any way to have the openness of a PC without having the diligence of being able to maintain it properly. And Steve Jobs' truck analogy might be right - people will always need trucks (PCs), but sometimes, they just want a little runabout to do their things (post-PC devices - smartphones, tablets, etc. that are locked down and "just work"). Of course, there may be room for something in-between the walled garden of Apple and the wide-open free-for-all that is Android, but it's not quite there yet (even though Android makes it "hard", alternative app stores that serve up pirated apps and malware simultaneously are unfortunately, popular).
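The "trusted boot sequence" Chemisor proposes and the "trusted boot and a trust chain" tlhIngan refers to both rest on the TPM's PCR-extend operation. The following is an added example written for this page, not code from Slashdot, from Alureon research, or from any real firmware or TPM stack; the boot images are constructed byte strings and the "sealing" is a straight PCR comparison standing in for a TPM sealed object. It shows why a patched kernel image, or stages measured out of order, yield a different PCR than the provisioned one, so a disk key sealed to the clean value would not be released:

```python
"""Measured-boot chain: models the TPM PCR-extend logic behind "trusted
boot" in the thread above. Added example; not code from Slashdot, Alureon
research, or any real firmware or TPM stack."""
import hashlib
import hmac
from typing import Dict, List, Tuple

PCR_SIZE = 32  # one register of a SHA-256 PCR bank

# Constructed stand-ins for the firmware, bootloader, and kernel images.
CLEAN_BOOT_CHAIN: List[Tuple[str, bytes]] = [
    ("firmware", b"constructed firmware image v1.0"),
    ("bootloader", b"constructed bootloader stage 2"),
    ("kernel", b"constructed kernel image 3.x"),
]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || measurement). One-way and order-sensitive,
    so a later stage cannot erase an earlier tampered measurement."""
    return sha256(pcr + measurement)


def measure_chain(chain: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Dict[str, str]]]:
    """Each stage hashes the next image and extends it into the PCR before
    handing over control. Returns the final PCR and a TCG-style event log."""
    pcr = bytes(PCR_SIZE)  # PCRs reset to zero at power-on
    log: List[Dict[str, str]] = []
    for name, image in chain:
        digest = sha256(image)
        pcr = pcr_extend(pcr, digest)
        log.append({"component": name, "sha256": digest.hex()})
    return pcr, log


def replay_event_log(log: List[Dict[str, str]]) -> bytes:
    """Verifier side: recompute the PCR from the logged digests. A log that
    does not replay to the quoted PCR has been falsified."""
    pcr = bytes(PCR_SIZE)
    for entry in log:
        pcr = pcr_extend(pcr, bytes.fromhex(entry["sha256"]))
    return pcr


def unseal_allowed(sealed_to_pcr: bytes, current_pcr: bytes) -> bool:
    """A secret (e.g. a disk key) sealed to a PCR value is released only
    when the current PCR matches it exactly."""
    return hmac.compare_digest(sealed_to_pcr, current_pcr)


def demo_boot_outcomes() -> Dict[str, bool]:
    """Provision against the clean chain, then boot clean, with a patched
    kernel, and with stages measured out of order."""
    golden_pcr, log = measure_chain(CLEAN_BOOT_CHAIN)

    tampered = list(CLEAN_BOOT_CHAIN)
    tampered[2] = ("kernel", CLEAN_BOOT_CHAIN[2][1] + b" + bootkit patch")
    tampered_pcr, _ = measure_chain(tampered)

    reordered = [CLEAN_BOOT_CHAIN[1], CLEAN_BOOT_CHAIN[0], CLEAN_BOOT_CHAIN[2]]
    reordered_pcr, _ = measure_chain(reordered)

    return {
        "clean_unseals": unseal_allowed(golden_pcr, golden_pcr),
        "tampered_unseals": unseal_allowed(golden_pcr, tampered_pcr),
        "reordered_unseals": unseal_allowed(golden_pcr, reordered_pcr),
        "log_replays_to_golden": replay_event_log(log) == golden_pcr,
    }


if __name__ == "__main__":
    for outcome, ok in demo_boot_outcomes().items():
        print(f"{outcome}: {ok}")
```

Two caveats a practitioner would add: the PCR only reflects what was measured at boot, so this catches a modified on-disk kernel or bootloader but says nothing about the in-memory infection improfane describes later in the thread; and whoever can reprovision the "golden" value (the user, or malware acting as the user) can bless a tampered chain, which is the point drsmithy makes about coreboot.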

    18. Re:A silly question by hedwards · · Score: 1

      If that's what you want to do, it's not that hard to do. SATA to SD Adapter Just set the card as read only and then only change it to read write when you need to do an upgrade. Or since it's an SD card you may as well just image the firmware to the card from a different computer.

    19. Re:A silly question by countertrolling · · Score: 2

      You're missing part of the discussion where a disk or USB stick with true physical write protection will mitigate the problem considerably.. I don't really care what the 'clueless' do. If they want to hose their systems, that's just more business for you and me. I just want something to protect myself. Word of mouth will catch on in due time... For now, I make images of fresh installs to save myself and clients a great deal of time.. What used to take two hours is fixed in less than 15 minutes. Booting into a live CD allows me to recoup their docs and stuff before I do the restore.

      --
      For justice, we must go to Don Corleone
    20. Re:A silly question by hedwards · · Score: 1

      If that's what you want, you can always just use tripwire with the various related data stored on a separate disk.
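grumbel's complaint that nothing tracks what happens to a package after its signature is checked at install, and hedwards' answer (tripwire with its database kept on a separate disk), describe the same mechanism: a signed baseline of installed files, re-checked later. The following is an added example illustrating that mechanism, not tripwire's code or anything from the thread; the directory tree and the "trojaned" changes are constructed in a temporary directory, and the baseline key is a constant only so it runs stand-alone (the point of hedwards' separate disk is that the key and baseline are not reachable from the running system):

```python
"""Installed-file baseline check in the spirit of tripwire / the read-only
package tree discussed above. Added example; not code from tripwire, a
distribution, or the thread."""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumption: in real use this key and the signed baseline live on offline
# media. A constant here only so the example runs stand-alone.
BASELINE_KEY = b"constructed-demo-key-keep-offline"


def _file_record(path: Path) -> Dict[str, str]:
    """Hash file contents (or a symlink's target) plus mode and size."""
    st = path.lstat()
    if stat.S_ISLNK(st.st_mode):
        digest = hashlib.sha256(os.readlink(path).encode()).hexdigest()
    else:
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"sha256": digest, "mode": oct(stat.S_IMODE(st.st_mode)), "size": str(st.st_size)}


def build_manifest(root: Path) -> Dict[str, Dict[str, str]]:
    """Baseline of every regular file and symlink under root, keyed by
    relative POSIX path, in sorted order so the serialisation is stable."""
    manifest: Dict[str, Dict[str, str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() or p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = _file_record(p)
    return manifest


def sign_manifest(manifest: Dict[str, Dict[str, str]]) -> str:
    """HMAC over the canonical JSON, so the baseline itself cannot be
    quietly edited to match a tampered tree."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest()


def verify_manifest_signature(manifest: Dict[str, Dict[str, str]], tag: str) -> bool:
    return hmac.compare_digest(sign_manifest(manifest), tag)


def diff_against_baseline(root: Path, manifest: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Classify every divergence from the baseline."""
    current = build_manifest(root)
    result: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for rel, rec in manifest.items():
        if rel not in current:
            result["removed"].append(rel)
        elif current[rel] != rec:
            result["modified"].append(rel)
    for rel in current:
        if rel not in manifest:
            result["added"].append(rel)
    return result


def demo() -> Dict[str, object]:
    """Build a baseline over a constructed tree, then tamper with it in
    three ways plus an attempt to doctor the baseline itself."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed sample binary")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        manifest = build_manifest(root)
        tag = sign_manifest(manifest)

        # Constructed post-install tampering: replaced binary, new
        # persistence file, deleted config.
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed trojaned copy")
        (root / "etc" / "rc.local").write_text("/tmp/.x &\n")
        (root / "etc" / "hosts").unlink()

        # Attacker "fixes" the baseline to match the replaced binary.
        forged = json.loads(json.dumps(manifest))
        forged["bin/ls"] = _file_record(root / "bin" / "ls")

        return {
            "signature_valid": verify_manifest_signature(manifest, tag),
            "forged_manifest_detected": not verify_manifest_signature(forged, tag),
            "changes": diff_against_baseline(root, manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

This only detects divergence; it does not say which changes were legitimate, which is why grumbel wants the package manager to record origin in the first place, and it is only as trustworthy as the baseline store: if the signed manifest and key sit on the same writable disk as the system, malware with root can regenerate both, which is tlhIngan's objection.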

    21. Re:A silly question by geekprime · · Score: 1

      Then how do sd cards handle the write protect switch they have and by the way, all my sd to usb adapters handle the write protect switch just fine (so there's your protected media)
      It's obviously not impossible or not done before, I even have an old 128m pny stick with a wp switch built right in.

    22. Re:A silly question by ashidosan · · Score: 1

      Yes, I can see how a tab far outside the physical storage media would physically prevent the write heads from touching the floppy (which, I think, was the point GP was trying to make).

    23. Re:A silly question by countertrolling · · Score: 1

      No. It uses a normally open microswitch that would cut off all power to the write circuit. It was more failsafe than a nuclear powerplant..

      --
      For justice, we must go to Don Corleone
    24. Re:A silly question by drsmithy · · Score: 5, Insightful

      EEPROM can be... this is essentially what coreboot is.

      If the end user can do it, the end user can be convinced to do it by malware.

    25. Re:A silly question by obarthelemy · · Score: 1

      Apparently, it's handled in software or firmware on the host's side. There's feedback on the forums of people who've hacked it hardware style (short it, cover it)... I'm too lazy to keep looking for a software hack.

      Good question though. The answer is: it's not very trustworthy, as the host has to politely refrain from writing, instead of it being the device that becomes physically un-writable.

      --
      The Cloud - because you don't care if your apps and data are up in the air.
    26. Re:A silly question by Muad'Dave · · Score: 1

      That reminds me of a bit in one of the control registers on the original IBM PC/AT motherboard. Its function: Mask the non-maskable interrupt. That's kinda like dreaming the impossible dream, isn't it?

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    27. Re:A silly question by _0xd0ad · · Score: 1

      Well and good until somebody hacks a floppy drive to bypass it.

    28. Re:A silly question by dwandy · · Score: 1
      1. not because MSFT built a bad OS
      2. download "Hot_Lesbos.avi.exe" and run it

      I'd argue the second makes lie of the first.

      --
      If you think imaginary property and real property are the same, when does your house become public domain?
    29. Re:A silly question by _0xd0ad · · Score: 2

      The point is that the ROM doesn't need to be infected. The system has to load into RAM to actually run, and if you can't patch the OS (easily or at all) you can't fix things like remotely-exploitable buffer underruns.

      Then you just end up with malware that network-boots: as soon as you fire up your pristine kernel and connect it to the network, one of the other infected machines on the network re-infects it and the malware is free to do whatever it wants in user-space (send spam, data-mine, participate in a DDOS, and try to spread itself to the other computers on the network). If you can't patch the hole that's being used as an infection vector, you're basically SOL.

    30. Re:A silly question by v1 · · Score: 4, Interesting

      I would have found that hard to believe before having seen it in action myself.

      My camera uses an SD card of course, but it can use that open source camera software too. But to use it, you have to write it to a new card, and then turn on the write protect switch or the camera won't boot it. Once the new software is booted, it can save pictures to the card. Good proof that the write protect on the SD card is more of a "suggestion" than a "switch".

      --
      I work for the Department of Redundancy Department.
    31. Re:A silly question by Technician · · Score: 2

      I did that because when I worked in repair I needed working copies (they get damaged) that would not lose the tape. You can buy disks without the notch so there is no protect to fall off. To prevent accidents, the switch I put in the drive was a reed switch. It required knowledge of the switch as well as the pocket screwdriver with the magnet in the end to turn on the hidden write switch while writing another working copy of the diagnostic floppy disks.

      None of the floppies in the field service kit had a write enable notch. It makes no sense taking one customer's infection and giving it to someone else. The modern replacement is a burned DVD instead of a thumb drive. Use read only media for any of your service materials. No exceptions.

      --
      The truth shall set you free!
    32. Re:A silly question by PPH · · Score: 1

      Social engineering with literally millions of clueless users makes it butt simple to infect masses of boxes with just a little carrot at the end of a stick.

      And I'm happy with that. It's like the story of the two campers trying to outrun the bear. One says it's hopeless. Bears are too fast. The other says, "I don't have to outrun the bear. I just have to outrun you." As long as there are millions of clueless users out there as low hanging fruit, us people with more secure (not perfect, just better) systems and a clue about not surfing for pr0n as root will dodge the bear.

      And if they start coming after Linux systems, I'll just switch to something nobody uses so nobody will target it.

      BSD.

      Ducking and running .....

      --
      Have gnu, will travel.
    33. Re:A silly question by Anonymous Coward · · Score: 0

      Have you tried OS/2 - eComStation lately???

      Try it http://www.ecomstation.com/

    34. Re:A silly question by Anonymous Coward · · Score: 0

      Well, it would be possible to build computers that can make ROM, RAM, a hard disk or any combination thereof read-only by flipping a mechanical switch, so the user needs to switch to "update" mode for OS updates and installation of other critical system software. This and better firmware could make computers more secure to some extent.

      However, manufacturers have no particular interest in making computers more secure. They haven't even an interest in making them usable - see e.g. nonsensical keyboard layouts and screen sizes, extremely low keyboard quality of laptops, glaring screens, etc. - because they figure that customers care for other things.

    35. Re:A silly question by grumbel · · Score: 2

      And how do you propose that the "pristine" packages below it are updated without giving malware the same privileges or ability to update those packages with infected versions?

      Packages and their updates have a proper signature from your distributor, malware doesn't. The point here isn't so much to create the one true final solution to computer security, but to have some robust tracking of origin of a package and its containing files, on top of that you could then build a whitelist, WoT or whatever to improve things even further. As of right now there really isn't much of a built-in form of tracking for what an application does to your system or how it was modified.

      Sadly, the end result is there isn't any way to have the openness of a PC without having the diligence of being able to maintain it properly.

      Quite the opposite, a proper secure system would be much more open than our current PCs, as it would allow users to mess around with their system, run any app they want and all of that without having the fear of breaking anything, as the system would be able to keep track of all the changes and undo them if needed.

      The OLPC for example has that (in theory at least, real world implementation is still incomplete). You can essentially setup the thing so that it shows you what applications other people in your friends list are running. If you want to copy that application you just click on it and the system will copy the app over and run it on your system, all in a secure manner, as applications are run in isolation without full system access. If you want to modify it, you click the "show source" button and hack away, again, the thing keeps track of your modifications and can undo them when needed.

    36. Re:A silly question by GameboyRMH · · Score: 1

      Good to know 8-(

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    37. Re:A silly question by _0xd0ad · · Score: 1

      A simple mechanical switch the only thing standing between a determined user and his/her screensavers/wallpaper/cursor pack?

      *shudder*

    38. Re:A silly question by dougisfunny · · Score: 1

      So properly authorized programs shouldn't be able to make any changes on a system?

      http://www.smbc-comics.com/index.php?db=comics&id=2237#comic

      --
      This is not the funny you're looking for.
    39. Re:A silly question by macs4all · · Score: 2

      Well and good until somebody hacks a floppy drive to bypass it.

      You don't understand hardware so good, do you?

      The W/P switch in old floppy drives wasn't a "request not to write"; it actually disabled the HARDWARE enable input to the WRITE CURRENT driver in the R/W head. The only way it could fail was if the microswitch that read the "tab" (or the optical sensor in the 3.5 inch version) failed; or, if you had an Apple ][ disk drive, if static zapped the 74LS125 on the 5.25 Shugart drive's board (a somewhat common, VERY nasty problem, which resulted in the write/erase current being turned on PERMANENTLY!).

      No amount of SOFTWARE could defeat the HARDWARE W/P switch. And if you are talking about a USER "hacking" their OWN drive to defeat that (a common mod was to install a switch on the front of the drive to provide "no-tab" Normal, Protect Always, and No Protect operation), then that particular user has done so with the understanding that they have VOLUNTARILY placed themselves at greater risk. Different situation completely than with a "Please Write Protect Me" SOFTWARE scheme, as with the USB sticks.

      On a related note, I can't understand why someone can't actually provide HARDWARE write protect on a USB stick, unless the integration has gotten so high that the controller and memory are actually within the same IC package (and if the designer of that chip wanted it, they could STILL bring a HARDWARE enable out to the world, not just a port pin read by the controller).

    40. Re:A silly question by macs4all · · Score: 2

      I did that because when I worked in repair I needed working copies (they get damaged) that would not lose the tape. You can buy disks without the notch so there is no protect to fall off. To prevent accidents, the switch I put in the drive was a reed switch. It required knowledge of the switch as well as the pocket screwdriver with the magnet in the end to turn on the hidden write switch while writing another working copy of the diagnostic floppy disks.

      None of the floppies in the field service kit had a write enable notch. It makes no sense taking one customer's infection and giving it to someone else. The modern replacement is a burned DVD instead of a thumb drive. Use read only media for any of your service materials. No exceptions.

      Yeah, the 8 inch floppies actually got it right. They had a Write ENABLE sticker. If the Notch was NOT covered over, then the disk was automatically Write Protected. The rationale was that a sticker can NEVER "fall ON". I would imagine that whatever evil engineer inverted that logic did it because he was either pressured to, or was tired of digging around to find write-enable stickers...

    41. Re:A silly question by Penguinisto · · Score: 2

      Dude - he was probably referring to the OS, not the apps.

      Uncle (below) answered it adequately - that the OS would reboot with a 'pristine' state - including the same flaws it had before. While this would frustrate some forms of trojan or malware, it certainly wouldn't even begin to stop it all.

      You can do something similar with virtual machinery, but the pristine VM could get corrupted too... becomes a chicken/egg question if the user isn't too awful computer-savvy.

      Now someone with some sysadmin mojo could use it to good effect (oh? that website infected my VM? Well, time to clone off another from the virgin copy, test it out to be sure, and just avoid that site - maybe notify the site owner...) But normal users? Nuh-uh. They'll just get re-infected again 6 or 7 times out of ten.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    42. Re:A silly question by Penguinisto · · Score: 1

      Yup - and the 3.5" ones had a little slider that did the exact same thing.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    43. Re:A silly question by v1 · · Score: 1

      ya, "secure digital" my ass. Secure for them maybe, not secure for me

      --
      I work for the Department of Redundancy Department.
    44. Re:A silly question by Skuld-Chan · · Score: 1

      As someone who tearfully sold off the last of my Amiga hardware (an A4000 with a BPPC 233 604 board and my Amiga 1200) the entire Amiga OS really wasn't in ROM - it was really just the stuff to bootstrap the OS, libraries to handle mouse/keyboard io and dialogue boxes and windows. 3.1 had workbench.library in rom too, but I'm really not sure why.

      The vast majority of the OS was still on disk ;).

      In other words: the ENTIRE OS wasn't restored every time you switched the thing on which is what the parent wants.

      In fact Amiga viruses were really quite nasty (since the OS had no memory management/protection, no security layer what-so-ever, and all the systemlibraries and kernel were EASILY patchable). More than one bypassed the floppy write protect (granted this was rumor) by patching trackdisk.device.

    45. Re:A silly question by Anonymous Coward · · Score: 0

      All RawNAND chips have a WP (write protect) signal that does exactly what you are asking for.

      Note that it is not really useful in a USB drive since you have to rewrite all data starting to go bad. WP signal enabled == eventual data rot.

    46. Re:A silly question by macs4all · · Score: 1

      A floppy drive is easy - a floppy drive is just some motors in a cage - the floppy controller resides on the motherboard and tells those motors how to operate

      My guess is that you've never actually SEEN a floppy drive.

      Even the most hardware efficient floppy drive of all time, the Disk ][ drive electronics designed by Steve Wozniak for use with the Apple ][, used something like 8 TTL and analog chips on the floppy drive itself, plus some transistors, resistors, capacitors, an inductor, and a few other components. This is IN the drive itself. This connected via a 20-pin (IIRC) ribbon cable to a peripheral card in the computer with 5 more chips on it, including a pair of TTL ROMS that formed a really clever state machine that did the actual GCC "nibble" encoding/decoding. While it is true that the CPU in the Apple ][ controlled the stepper motor for the head movement (and maybe the spindle motor, too. Can't recall) more or less directly, and was responsible for the actual timing of the reading and writing of the "nibbles"; but the actual laying down and picking up of those nibbles on the disk surface was actually all done by the peripheral card and the electronics in the drive enclosure. So, your assertion that the floppy drive is but a box-full-o-motors is demonstrably false.

      And as I said, that was the MOST hardware-efficient floppy design of all time. The reference designs by Shugart had a TON of electronics inside the floppy drive itself, and ANOTHER TWO TONS of the most bizarre conglomeration of digital and analog hardware mankind has ever seen on the "interface" card in the computer. I have no idea what the CPU in the host had to do after all this; but I assure you, that NO floppy has EVER been "just a box with motors". Period. You are simply talking out of your ass.

    47. Re:A silly question by blair1q · · Score: 1

      So I don't see why they are bothering with this now when they have so much low hanging fruit left.

      Because the low hanging fruit aren't the high-value targets, and the high-value targets are still susceptible to a small number of exploits.

    48. Re:A silly question by countertrolling · · Score: 1

      Then the only thing left is a live CD or DVD in a read only drive.. And that's ok also, even if a bit slow.. There's usually enough RAM to load the entire system in there if you need the speed, but that opens up a small vulnerability right there... At least there's a choice.

      --
      For justice, we must go to Don Corleone
    49. Re:A silly question by _0xd0ad · · Score: 1

      I understand perfectly. Perhaps YOU do not understand.

      The W/P switch in old floppy disks was just a "request not to write" because, although the floppy drives themselves (if they were correctly engineered) implemented this in such a way that the write hardware was actually disabled if that latch couldn't close, there is absolutely nothing preventing the floppy disk from being written if the floppy drive doesn't care whether the write-protect tab is closed.

      The floppy drive might have made it physically impossible to write to a floppy if the write-protect switch/tab on the floppy was opened, but the floppy itself did not. Stick that floppy in a drive that has been hacked to not care about the write protect switch, and you will find that it is not "physically" impossible to change the contents of that floppy.

    50. Re:A silly question by macs4all · · Score: 1

      If your motherboard has a TPM chip, you could set up a trusted boot sequence, ensuring that the OS is unmodified. You can then make the OS execute only signed executables, making any modifications to installed software impossible. Malware would also be prevented from running.

      And even putting all the usability issues aside, just how many Slashdotters do you think would be capable of accomplishing the above? Now, expand that to the general population. How many now?

    51. Re:A silly question by Tenebrousedge · · Score: 1

      Please consider using <em> or <strong> tags instead of capitalization. Your post was otherwise excellent.

      --
      Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
    52. Re:A silly question by _0xd0ad · · Score: 1

      If the Notch was NOT covered over, then the disk was automatically Write Protected. The rationale was that a sticker can NEVER "fall ON". I would imagine that whatever evil engineer inverted that logic did it because he was either pressured to, or was tired of digging around to find write-enable stickers...

      More likely they wanted a way to "write-protect" a disk in such a way that the user couldn't* make the disk writable again. Yep, that's right... DRM.

      *Except with a hole-punch.

    53. Re:A silly question by cforciea · · Score: 1

      Malware probably isn't going to make a hardware mod to your floppy drive.

    54. Re:A silly question by _0xd0ad · · Score: 1

      Never mind. Your point is a fair one: for a typical user's floppy disk drive, no malware would be able to propagate itself over a write-protected floppy disk.

      However, I don't see that it's a terribly significant point since they'd probably be putting a write-enabled floppy into the drive pretty often anyway.

    55. Re:A silly question by Anonymous Coward · · Score: 0

      RPM does this. http://www.rpm.org/max-rpm/ch-rpm-verify.html - Chapter 6. Using RPM to Verify Installed Packages.

    56. Re:A silly question by Anonymous Coward · · Score: 0

      Among other duties, I also clean up malware for a living. I can agree that I often work on unpatched boxes with no security software, but very frequently I see the same class of malware on patched and/or "protected" computers. Most of the computers that I have to work with get infected because of "free smiles", office chain letters, bad advice, porn, and general preying on trust and fear; in almost no cases is pirated software involved.

    57. Re:A silly question by Anonymous Coward · · Score: 0

      The Commodore Amiga did this. To upgrade the OS (to a new version) you had to change chips. This wasn't a bad thing IMO. But, the problem comes when it boots and "patches" known issues in the OS. A virus could hide there. Of course, you can simply NOT load the patches... but depending on the virus, the damage may be done.

    58. Re:A silly question by Yvan256 · · Score: 1

      But if the system could check itself in real-time, it could compare the running copy with the ROM (supposedly clean) copy and "reboot" the bad parts while the user is continuing what he's doing.

    59. Re:A silly question by Anonymous Coward · · Score: 0

      Okay, so on my Linux box I have to mark the file as executable first, true...

      "5 best new Linux games you haven't seen yet", throw up a couple of dev-looking pages, and own some Linux users.

    60. Re:A silly question by Anonymous Coward · · Score: 0

      Your comments about the Win 7 OEM "hack" being killed by MS are completely false. Therefore, the rest of your post is fucked. I've been running that for years and I've been able to install any and all Windows Updates including the WGA updates (which MS helpfully deselects by default).

      What the fuck do you have against Razr1911? They don't put malware in their shit. If you're finding malware in it, then you should stop using torrents and get your releases off Usenet and check the md5 hash.

      Again, the Lenovo OEM Win 7 "hack" works just fine to this day and you can install any update you want while using it.

      You sound like a fucking amateur.

    61. Re:A silly question by pwizard2 · · Score: 1

      On a related note, I can't understand why someone can't actually provide HARDWARE write protect on a USB stick.

      It's been done. I still have an early-generation Memorex USB stick from 2002 that has a physical write-protect switch on it. (basically a little recessed switch on the back much like the one on SD cards) When the switch is set to read-only, it works consistently across all operating systems so it's definitely a hardware lock, not software. The stick is of such durable construction and so reliable that I still use it today even though it is very low capacity by modern standards. (128 MB)

      The next stick I bought didn't have hardware write protect and I haven't seen the feature since.

      --
      "It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
    62. Re:A silly question by Anonymous Coward · · Score: 0

      Sure, but that notch did NOT make it impossible to write to the disk. It just informed the drive that it *shouldn't* be written to.

    63. Re:A silly question by Anonymous Coward · · Score: 0

      WOW, talking about reading fail. Hey, dufus: how do you think they wrote to commercial disks that had no notch at all?

    64. Re:A silly question by WuphonsReach · · Score: 1

      And even the old floppy disks relied solely on the good behavior of the host system not to write to the disk.

      Sure, there was the notch that you either filled in or opened up, and there might have been circuitry inside the drive to detect that and actually prevent writes. But an attacker could have easily covered the lens (in 3.5" drives) or rewired the circuits on the drive (on 5.25" drives). Now, those two attacks require the complicity of the user - but now it might just be a JUMP instruction in the device driver that can easily be overwritten by malware.

      --
      Wolde you bothe eate your cake, and have your cake?
    65. Re:A silly question by Kingrames · · Score: 1

      I always try to visualize it from both sides - as many times as a floppy was made secure that way - it could just as easily be made insecure - those AOL floppies could be made read-write by literally cutting a hole where the floppy was sealed read-only.

      They probably couldn't find a feasible way of including a physical switch ON the USB side of the device, though that would be pretty sweet.

      And then there's the convenience versus security aspect of it - I can remember plenty of stories of aspiring astronomers and photographers who can't seem to get their telescopes/cameras working because the lens cap is on. It doesn't take but a few seconds or minutes to miss something huge.

      --
      If you can read this, I forgot to post anonymously.
    66. Re:A silly question by WuphonsReach · · Score: 1

      Or FSVS, if you're willing to store extra copies of the actual binaries. (With the bonus that now all of your config files are version controlled and you can easily do a diff to see what changed.)

      --
      Wolde you bothe eate your cake, and have your cake?
    67. Re:A silly question by Wingnut64 · · Score: 1

      On a related note, I can't understand why someone can't actually provide HARDWARE write protect on a USB stick.

      If you're looking for one I've been using one of these:
      http://www.newegg.com/Product/Product.aspx?Item=N82E16820709013&cm_re=kanguru_flashblu_ii-_-20-709-013-_-Product

      Running a persistent Linux OS off of it, and the hardware write protect switch is nice as Windows tries to helpfully format anything that's not FAT/NTFS. Of course I've gotten kernel panics more than once booting off this when I forget to turn it back, as it fails to remount the root filesystem R/W...

      --
      echo 'Header append X-HD-DVD "0x09f911029d74e35bd84156c5635688c0"' >> /etc/apache2/httpd.conf
    68. Re:A silly question by WorBlux · · Score: 1

      Yes, it's fairly simple. Say the ROM has a remote vulnerability and the malware is complex enough to recognize a RO primary partition. Say it injects an alias for shutdown into the environment when it detects a RO root partition. When a shutdown command is issued, because of the alias it also sends a packet to a C&C server saying, hey you need to exploit me again. The C&C can then try to reinfect directly, or command another computer on the LAN to do so when it detects the computer has booted up again.

    69. Re:A silly question by couchslug · · Score: 1

      Linux runs quite nicely from live CD/DVD and live distros have been practical (Demolinux) since circa 1999.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    70. Re:A silly question by postbigbang · · Score: 1

      What you describe is an "autostart" or re-infection at startup. If a path can be found to infect once, it can often be utilized again. Once an infection "sticks" in this way, I've seen malware do random port pings on subnets it finds.

      --
      ---- Teach Peace. It's Cheaper Than War.
    71. Re:A silly question by hairyfeet · · Score: 1

      Sorry, but you're full of shit, AC, and I have NOTHING against old Razr1911; as a matter of fact I often use his "XP Mini Pro" with my own keys for low RAM boxes. Hell of a lot better than WinFLP.

      But if anyone doesn't believe me, here is a little test: download the "Windows 7 X86-X64 all versions" .ISO. That is the RTM version BTW. Now let it patch to SP1... I'll wait... uh oh! Did you just get WGA'd? Yes you did. Of course you can kill it in about 25 seconds with "WGAKiller All Versions.exe", but that doesn't change the fact MSFT has blacklisted the OEM RTM keys that were used in the original hack.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    72. Re:A silly question by macs4all · · Score: 1

      Please consider using <em> or <strong> tags instead of capitalization. Your post was otherwise excellent.

      Sorry. Just a lazy habit. It interrupts my train of thought too much to use those clumsy HTML tags.

      But, thanks for the props on the content!

    73. Re:A silly question by BlueScreenO'Life · · Score: 1

      I also miss the days of BASIC on ROM!

    74. Re:A silly question by macs4all · · Score: 1

      Some people will just argue and argue no matter the fact that they are demonstrably full of it.

      Unfortunately, Slashdot seems to attract those types, like flies to a steaming dungpile.

    75. Re:A silly question by macs4all · · Score: 1

      WOW, talking about reading fail. Hey, dufus: how do you think they wrote to commercial disks that had no notch at all?

      First, the preferred spelling is "Doofus", dufus.

      Second, it is YOU that has the reading comprehension issue, not I.

      I was talking about regular CONSUMER drives; not the specially-modified DUPLICATOR drives.

      Oh, never mind. You won't understand the difference anyway...

    76. Re:A silly question by _0xd0ad · · Score: 1

      I apologize. I misunderstood the initial premise. We're both correct. Ok?

      No, no amount of software hocus-pocus by any malware author will magically make an un-modded floppy drive able to start writing to write-protected disks, per your point. Correct.

      And neither will a write-protect notch "physically" prevent a modded floppy drive from writing to the disk, per my point, also correct.

    77. Re:A silly question by AmiMoJo · · Score: 1

      There is another option. Have the ROM only run signed code, or rather privileged signed code. That way a virus can't replace critical parts of the system (rootkit). If you do it right you could even allow signed code to update the ROM itself, at the risk of being screwed if your signing key is leaked.

      Not all that practical on a general purpose PC because of the need to sign every OS but games consoles have used this system since the original XBOX, or maybe even on the PS2 (can't remember now). Actually the Dreamcast had it as well but it was poorly implemented.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Great... by Anonymous Coward · · Score: 0

    Oh great, malware coders have learned how to do math. We're boned.

  3. Worthless Summary by OverlordQ · · Score: 5, Insightful

    A new version of the venerable Alureon malware has appeared, and this one includes some odd behavior designed to prevent analysis and detection by antimalware systems. However, this isn't the typical evasion algorithm, as it uses some unusual encryption and decryption routines to make life much more difficult for analysts and users whose machines have been infected. Alureon is a well-known and oft-researched malware family that has some rootkit-like capabilities in some of its variations. The newest version of the malware exhibits some behavior that researchers haven't seen before and which make it more problematic for antimalware software to detect it and for experts to break down its components.

    A new version of well-known Alureon is out which has odd things to make it hard to analyze. It's odd, and is not normal, and makes it hard to analyze. It's well known and is a rootkit. The new version is odd and makes it hard to analyze.

    We got that after the first sentence, how about actually providing some fscking detail.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Worthless Summary by zill · · Score: 2

      A new version of the malware contains new features? Does the president know about this yet?

    2. Re:Worthless Summary by equex · · Score: 2

      Yes, and he said
      shut..

      down...

      EVERYTHING

      --
      Can I light a sig ?
    3. Re:Worthless Summary by Anonymous Coward · · Score: 1

      We got that after the first sentence, how about actually providing some fscking detail.

      You mean like:

      it uses some unusual encryption and decryption routines to make life much more difficult

      and

      Alureon is a well-known and oft-researched malware family that has some rootkit-like capabilities in some of its variations.

      I guess for more details you'd have to RTFA?

    4. Re:Worthless Summary by steelfood · · Score: 1

      I guess it's now too much to expect the editors to choose decent summaries, much less do any actual editing of said summaries.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    5. Re:Worthless Summary by Anonymous Coward · · Score: 2, Funny

      Tautology makes things true. You didn't know tautology makes things true? Well, it's true; tautology makes things true.

    6. Re:Worthless Summary by Anonymous Coward · · Score: 1

      I think this is what I scraped off my niece's computer a few weeks ago. She's one of those "I'll click on anything!" types. I did notice a lot of 'free' games, LimeWire (thought that was odd because I thought it was dead) and about 9 'virus scanners/protectors', along with the one that tells you that you've got a virus and wants a credit card to enable the 'full version' that will remove them...

      It had disabled Microsoft Security Essentials, all Windows updates, and when you tried to run a browser instance it would put up a pop-up asking if it could enable 'advanced virus protection'. I never tried saying yes, but if you said no and then went to any antivirus or antimalware web site, it'd jump to a screen saying that you aren't protected and can't go there.

      Even rebooting in safe mode didn't disable it. I ended up booting into system repair, rolling back to the oldest (about a month old) system checkpoint, rebooting and inserting a CD I'd burned with Win7 SP1, Malwarebytes and Security Essentials. I ran Malwarebytes, it found 200-something infections and removed them. I installed Security Essentials and it reported and killed 5-6 items over the next 10 minutes without running a scan, just gave me a little lower-right-corner status icon popup saying it found and killed something. Ran the service pack install. Re-ran a Malwarebytes run and a Security Essentials run and both came up clean. Seems to be good since. But this article's use of the word 'rootkit' makes me concerned that it's still buried deep in there somewhere.

    7. Re:Worthless Summary by Catnaps · · Score: 1

      You'll be wanting this then: http://www.gmer.net/ Anyone who's removing spyware on a daily basis should be using this as well as MBAM etc. It's not perfect (what is?) but I've found a few rootkits with it.

    8. Re:Worthless Summary by Anonymous Coward · · Score: 0

      Heh heh. The Internet? Waz that? That them there place with the girls who take them tops off? Boy when I ran the Texas Rangers I got to see lots of boobies. Then my wife ran over and killed that guy. Sok, I knew this guy named Karl and another named Dick who told what to do.

      Heh heh, I let a terrorist attack happen on American soil, I took office even thou I lost the election, did I mention my wife killed someone with her car? Heh heh, oh and I oversaw the signing of the most 'executive orders' ever. My wetback and my chink took the fall for most of the stuff I did heh.

      Mah daddy might have had to have withdrawn from Iraq but I showed them damn. What? The 9/11 commission said that Saddam had nothing to do with 9/11? Well tell talk radio and Fox News to crank up our PR machine louder dammit! I need another vacation.

      Heh heh heh...heh heh...daddy said I tarnished our family name. But I did mostly everything Karl and Dick told me. And theys smart! Now people say I not only started unnecessary wars but tanked the economy in the process. Did I mention my wife killed someone?

      Heh heh heh heh heh, now I did maybe engage in 'speculation' when I said that Iraq had WMDs. But Dick and God, heh heh heh heh heh heh heh heh I did mention God talks to me too, told me it was ok that what mattered was that we thought we were right. God told me, and my wife killed someone.

      Heh heh heh heh heh heh heh heh heh heh heh heh, I served 2 terms. That means I did good right? Ray-gun served two terms. I'm just like him. Heh...oh hell why did I ever get off the sauce.

    9. Re:Worthless Summary by Anonymous Coward · · Score: 0

      Heh, modded down eh? That is ok. That damn libural media needs people like you! I mean heh, we need people like you to fight the damn liburl media!

      Lib-arul. Lib a rul. When you say them apart it sounds funny! Heh, heh heh heh heh!

    10. Re:Worthless Summary by pookemon · · Score: 1

      Presumably it has self modifying and self replicating code - just like the summary for TFA.

      I assume it has code that can modify itself and self replicate just like the summary for TFA.

      Sheesh...

      --
      dnuof eruc rof aixelsid
  4. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  5. Make up your mind by ledow · · Score: 5, Informative

    Summary says: "The newest version of the malware exhibits some behavior that researchers haven't seen before"

    The article says: "In 1999, a new virus, Win32/Crypto, was discovered... Today, in 2011, variants of Win32/Alureon are bringing this old-school technique back to life... Another interesting tidbit is that an initial version of this obfuscator first arrived in our lab in the first half of 2009."

    That's kinda stretching the definition of "haven't seen before", which may be true in a technical sense (because they haven't seen THIS EXACT MALWARE before, but they've certainly seen lots like it).

    1. Re:Make up your mind by YaHooL · · Score: 1

      "In 1999, a new virus, Win32/Crypto, was discovered... Today, in 2011, variants of Win32/Alureon are bringing this old-school technique back to life..."

      Now I understand.
      As a tribute to the 1999 Win32/Crypto, the summary of this article has been formulated like the virus-hoax chain-mails of that era.

    2. Re:Make up your mind by Anonymous Coward · · Score: 0

      Easy to explain:
      In the late 90s, people still wrote viruses - computer programs that piggybacked onto other programs. They were often written directly in assembly language, and this offered them many more tricks on how to evade detection, like encryption, hiding its entry point, and many other techniques.

      But classic file viruses basically died with the advent of installation programs (files stopped being shared by simply copying). Instead they were replaced by worms and trojans. Worms and trojans are stand-alone executable files and hence often written in high level languages like C or whatever. As a result some of those classic techniques largely fell by the wayside.

      Seems that this malware brought back one of the old tricks of the old file viruses.
      Viruses have been encrypting themselves for ages - long since before the internet, but what made Win32/Crypto different is it didn't store its decryption key, opting instead to brute force its own key. This has the effect that it is difficult for scanners to decrypt it - emulation is slower than running code, and hence costly decryption routines could cause some virus scanners to report a clean file prematurely.

      The fact this particular technique is back is interesting, but no big deal or cause for concern.
      If this is the extent that malware writers have used old tricks to... we can be truly thankful they haven't re-discovered the more advanced techniques yet.

  6. Or rather by drb226 · · Score: 1

    New Alureon Rootkit Takes Malware To Same Level As Before, but With More Obscurity.

    Once you have root access, is there really "another level" to take it to?

    1. Re:Or rather by Anonymous Coward · · Score: 1

      Another level? Sure...

      POKE 59458,62

    2. Re:Or rather by Anonymous Coward · · Score: 0

      Gaining root is relatively trivial. Remaining un-noticed is much more difficult - a rootkit that can prevent detection for longer is certainly another level. It's not just about what you can do with the user's machine, it's about how long you can keep doing it.

    3. Re:Or rather by AJH16 · · Score: 1

      Yes, because you can make it harder to detect the running patterns. My understanding of the article is basically that it encrypts its own execution path so that the individual sections of code can't be followed until they run. They also avoid actually storing the key in the executable, making it difficult to detect the running code as it will not match patterns as easily. It's an old technique being applied to a newer system, but it is interesting since it is a step up in complexity of an already complex system.

      --
      AJ Henderson
  7. Better Summary: by circletimessquare · · Score: 1

    Something is happening that is new, but we can't describe how or why it is new. We're like Roy Scheider in Jaws: "You're going to need a bigger boat." And you're like Robert Shaw: you just get to work trying to catch the thing. Even though it is big, it's bad, it's silent, it runs deep, you don't have the tools to properly track, capture, kill or otherwise defeat the thing, and you will be dead in 15 minutes at the end of the movie anyway. So just run around and panic. Because rootkits are scary, and strange new exotic rootkits are scarier. Your best bet is to strap on your scuba gear and go hide on the ocean bottom and pee while the real men take care of business. Oh, almost forgot: "Boo!"

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:Better Summary: by YaHooL · · Score: 1

      "Something is happening that is new, but we can't describe how or why it is new."

      Reminds me of "Winter 2008's smash hit" (literally). The Conficker.B worm featured a mysterious payload hashing which turned out to be the first known "production" use of MD6.

  8. Don't worry, Microsoft is on it by digitaldc · · Score: 3, Informative

    "We're closely monitoring Alureon to ensure that our users are always protected. In fact, Alureon has been part of the Microsoft Malicious Software Removal Tool (MSRT) since April 2007."

    I am putting my full faith and hope in to the Microsoft security team to eliminate it with their latest Malicious Software Removal tool.
    I have given up on being paranoid about viruses, and I am much happier now!

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:Don't worry, Microsoft is on it by maxwell+demon · · Score: 1

      Hmmm ... they don't say "a defence against Alureon has been part ..." but "Alureon has been part ..."
      Maybe it's not a good idea to install their MSRT, after all :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Don't worry, Microsoft is on it by digitaldc · · Score: 1

      Yeah, Microsoft just decided to give up and hack their own machines in order to fix them...permanently.

      --
      He who knows best knows how little he knows. - Thomas Jefferson
    3. Re:Don't worry, Microsoft is on it by Anonymous Coward · · Score: 0

      It's too bad that, when Alureon (or TDSS) has infected your bootloader, it blocks access to the Windows Update servers.

    4. Re:Don't worry, Microsoft is on it by freddieb · · Score: 1

      The last time I had a Windows virus it was Alureon. Every time I cleaned the drive, it was fine until I reinstalled MSRT. Then it appeared. Finally, I replaced the drive and installed Nortons and have not had another problem. I found only one tool that would actually remove it and it was free from Kaspersky Labs (TDSSKiller).

    5. Re:Don't worry, Microsoft is on it by pookemon · · Score: 1

      Pffft - now you're infected with Nortons.

      --
      dnuof eruc rof aixelsid
  9. Not really. by Viewsonic · · Score: 3, Informative

    Only for major major updates, and it wasn't a pain in the ass. You unplugged the chip and stuck the new one in. Back then it was pretty common for users to hack their Amigas anyways, so it wasn't that big of a deal to open her up and swap it in. The pain in the ass was expanding the chip memory by soldering lines to a new socket. I was 12 when I had to do this for my Amiga 500. Worked fine.

    1. Re:Not really. by kelemvor4 · · Score: 1

      Other systems at the time were updated by sticking a floppy in the drive and either booting directly from the new disk, or copying files to your hard drive (if you had one). Some users were comfortable replacing the chip themselves but many ended up having to go pay a computer shop to do the upgrade for them.

      Amigas had some features that were totally ahead of their time, but IMO this is more of a design flaw than a feature to be reincarnated in new systems. Commodore apparently recognized this as well, since they created the ability to use disk based kickstart on the 3000.

    2. Re:Not really. by mcavic · · Score: 1

      I never owned an Amiga, but the Commodore 64 and 128 never needed OS updates. Software was written better in those days.

    3. Re:Not really. by Tx · · Score: 3, Informative

      Kickstart was more of a BIOS-equivalent than an OS. You couldn't do anything with Kickstart by itself, kickstart booted the actual OS (Workbench). Some RiscOS machines OTOH did boot a reasonably advanced GUI OS from ROM, in fact if I'm not mistaken there are some such still in production.

      --
      Oh no... it's the future.
    4. Re:Not really. by equex · · Score: 2

      I had a couple of RiscOS fanatics for friends (I was in the Commodore camp), and AFAIK they had a 2MB ROM to boot from, which included memory protected processes ('modules') and a configurable desktop environment, a taskbar/taskmanager hybrid as well as an assembler/BASIC editor/assembler and some other tools. Also grandparent must be trolling, since those OSes were so incredibly small and uncomplicated that it should in fact be possible to write them with zero bugs whatsoever.

      --
      Can I light a sig ?
    5. Re:Not really. by obarthelemy · · Score: 2

      I'll bite.

      1- Above all, there was a lot less of it. Win7 is rumored to be about 50 million lines of code. I can't find the C64's ROM size, but it's at least 2 orders of magnitude less.
      2- There were no security issues requiring frequent updates. The C64 was not connected to the internet, and the basic OS was in ROM, so any security holes remained un-exploited.
      3- Nobody cared about bugs, especially since the OS did so little anyway. I never had the money for a C64, but my ZX Spectrum had plenty of bugs.
      4- I remember very well that the C64 sorely needed an OS update to its floppy disc functions :-p

      --
      The Cloud - because you don't care if your apps and data are up in the air.
    6. Re:Not really. by thoromyr · · Score: 1

      Kickstart as a "BIOS-equivalent"? I don't know of any BIOS that supports windowing, where you have terminal windows and common commands available to you, including the ability to launch new terminal windows. On the other hand I don't remember configuring drives or boot order from KickStart. On an Amiga, KickStart may not have been a full system, but it was not like a BIOS either.

    7. Re:Not really. by Tx · · Score: 1

      Again, I think you're confused. You boot up an Amiga without a disk or hard drive in, and it shows you a disk icon and waits for something to boot from. What you're describing is Workbench (the terminal windows are CLI windows in Amiga-speak) and you need a disk to boot it. You can make a boot disk to boot to a CLI without booting a full Workbench, but you don't boot to a CLI from Kickstart alone. At least, not with Kickstart 2 or 3 machines - I had an A600 and an A1200, and I'm pretty sure Kickstart 1.3 in the A500's was the same.

      --
      Oh no... it's the future.
    8. Re:Not really. by petteyg359 · · Score: 1

      1 - That's an excuse, not a reason.
      2 - Ever heard of CompuServe? How about QuantumLink? Lucasfilm's Habitat? Not only were they "online", but there were also basic "MMO" entertainment programs.
      3 - Maybe that explains why nobody used version numbers on programs back then. Wait.. they did? Oh, I guess they must have cared after all.
      4 - You could (and still can) buy replacement chips for the computer and drive, and an optional replacement cable, to make the drive much faster. Even the original hardware could be improved with plain software "speed loaders".

    9. Re:Not really. by thoromyr · · Score: 1

      You are seriously confused, and don't know how an Amiga worked. The Workbench was a full-blown GUI, not a mostly-there GUI. Having a shell window without a desktop is *not* Workbench. The A1000 (and later the A3000) differed in that they had some of the information on a kickstart floppy rather than in ROM which *did* require a floppy to boot (I think the A3000 was able to read its kickstart from a hard drive, but to be honest I don't remember).

      But, hey, I'm sure I can't convince you. One thing the Amiga always had going for it were users who were blind to anything they didn't want to believe. But if you care to read you might try http://en.wikipedia.org/wiki/AmigaOS#Kickstart The wikipedia entry says "full windowing environment" which is a bit of an exaggeration (it allowed close, move, resize and front back window operations and redrew window contents). Then there's http://www.amigahistory.co.uk/earlystart.html which shows the initial screen. Sure, you have to hold down both mouse buttons on boot to access it or you get the "insert disk" message -- but you already knew that, right?

  10. Why whitelist it at all? by Anonymous Coward · · Score: 0

    this one includes some odd behavior designed to prevent analysis and detection by antimalware systems.

    If some software is hard to analyze, at some point shouldn't you just give up on trying to figure it out, and elect to never install it? I'd remove this from whitelist consideration and move on to a competitor, long before I'd bother with the trouble of sorting out such a mess.

    Some software just isn't worth auditing. If they didn't even try to make it readable, fuck 'em. If you need to run a malware app, there's plenty out there to choose from, which don't fight you. Let Alureon languish in obscurity until they remove their tangledness.

    1. Re:Why whitelist it at all? by maxwell+demon · · Score: 2

      The problem with this is that DRM software is also intentionally hard to analyse. And for a commercial OS vendor it's not a good idea to disallow DRM on installed software.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  11. Where's Sony by Anonymous Coward · · Score: 0
    Where's Sony's involvement in all of this?

    Rootkits, malware, must be Sony.

  12. Seal Team 6 by sycodon · · Score: 0

    Why can't someone go all Seal Team 6 on these coder's asses?

    I'm sure their Moms could use the basement for something better than hosting these losers.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    1. Re:Seal Team 6 by Anonymous Coward · · Score: 0

      This is Disney. You're sued.

    2. Re:Seal Team 6 by AlecC · · Score: 2

      You think this is saddos in their Mom's basement? Hacked machines and botnets are big business nowadays. This is the "Russian Mafia" or equivalent, paying big money for infected machines.

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    3. Re:Seal Team 6 by sycodon · · Score: 1

      Down modded by said mouth breathing, mother's basement dwelling losers.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  13. Why can't the system be installed on ROM by Anonymous Coward · · Score: 0

    Because the current model of downloading active scripts and running them locally would be broken. As well as there would be no method for remote upgrading, bug patching, I mean installing service packs..

  14. I've heard of this. by xerxesVII · · Score: 1

    I hear that the new version has some behaviors that make it harder to detect and also more difficult to analyze.

    --
    "We shall grapple with the ineffable, and see if we may not eff it after all." - Douglas Adams
  15. Blaming MSFT or "clueless users" is pointless. by Anonymous Coward · · Score: 1

    I also happen to be a PC technician, and I find it tiresome to hear people tirade about how bad Windows is, or how "clueless" users are. Software vulnerabilities are a fact of life, and it's unrealistic to expect average users to tell a fake warning from a real one when they can look pretty much identical.

    Here's a car analogy. If I paint a phony detour sign that looks exactly like a real detour sign, stick it up in the middle of a road, and traffic starts diverting down a street of my choice, does that make the drivers stupid or "clueless"?

    Even with the best available antivirus software and every available patch, 0-day drive-by exploits will come along, and people will get burned. My approach is to assume that problems will occur, and focus on how to quickly and easily recover from such incidents.

  16. Is the open internet on its way out? by AlphaOmegaLeague · · Score: 1

    My impression is that the internet ecosystem is becoming so lethal that standalone boxes (especially windows) are on their way out. Even hosted blogs and web sites have a hard time defending against the constant onslaught of spam and exploits. Are we in the last days of the open internet, before moving to a more closed environment where only large server clouds will be able to survive?

    1. Re:Is the open internet on its way out? by yahwotqa · · Score: 1

      Nah. It just means that there will be less servers run by clueless people.

    2. Re:Is the open internet on its way out? by Anonymous Coward · · Score: 0

      This has always been a problem. If we ever go into a Closed Internet, I doubt it will be due to "spam and exploits".

  17. A signature by any name would identify as such. by VortexCortex · · Score: 2
    So, the malware has executable payload chunks that are encrypted and spread around (locations obscured) that must be decrypted prior to execution of said payload.

    I get that this makes it a little bit harder to figure out what the program is about to do (hint: allow it to decode, breakpoint & step), but isn't the point to simply identify that the malware is present? Unless the malware is capable of executing encrypted code on the chip, the code that decrypts the remaining payload code must be stored in plain machine code.

    The machine code that initiates the brute force will be identifiable, and a signature can be made. Nothing to see here folks. The shitty encryption system doesn't even use asymmetric keys, and the very fact that it only takes 255 tries for it to brute-force one of its "chunks" is laughable. I mean -- I wrote better cipher systems when I was 12... Are they trying to avoid breaching US encryption export laws?!

    Who cares how good it is at hiding its payload if the code that decodes the payload has a fingerprint...

    P.S. What really scares the shit out of me is new processor tech that enables public key crypto at the machine instruction level. Not only will the "good" guys use it to "protect" their code from their user's prying eyes, the malware writers will use this to actually design code that has no fingerprints. Each copy will be indistinguishable from pseudo random noise -- So much for "signatures" at that point.

    P.P.S. Once you know malware has executed on the system, it's time for a full wipe, BIOS re-flash, and OS re-install -- There is no "removing" malware.

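The comment above argues that a chunk hidden under one of only 255 keys gives an analyst no real trouble. The following is an added example in Go (not from the comment, and not Alureon's actual routine) that models the chunk encoding as single-byte XOR, recovers a chunk by trying the 255 keys, and locates chunks scattered through a larger image once their header is known; xorChunk, RecoverChunk, FindChunks and Hit are assumed names, and the sample blob is constructed.

```go
package main

import (
	"bytes"
	"fmt"
)

// xorChunk is the single-byte XOR that "255 tries" implies; the same routine encodes and
// decodes. Key 0 would leave a chunk in the clear, so the analyst only needs keys 1..255.
func xorChunk(chunk []byte, key byte) []byte {
	out := make([]byte, len(chunk))
	for i, b := range chunk {
		out[i] = b ^ key
	}
	return out
}

// RecoverChunk tries every key and accepts the first plaintext that starts with a
// header the analyst expects (e.g. "MZ\x90\x00" for a Windows executable).
func RecoverChunk(enc, header []byte) (key byte, plain []byte, ok bool) {
	for k := 1; k <= 255; k++ {
		if cand := xorChunk(enc, byte(k)); bytes.HasPrefix(cand, header) {
			return byte(k), cand, true
		}
	}
	return 0, nil, false
}

// Hit records where a chunk was found in a larger image and the key that reveals it.
type Hit struct {
	Offset int
	Key    byte
}

// FindChunks locates chunks hidden at unknown offsets. A known header makes the key fall
// out directly (key = blob[off] ^ header[0]); the remaining header bytes confirm the guess.
func FindChunks(blob, header []byte) []Hit {
	var hits []Hit
	for off := 0; off+len(header) <= len(blob); off++ {
		k := blob[off] ^ header[0]
		if bytes.Equal(xorChunk(blob[off:off+len(header)], k), header) {
			hits = append(hits, Hit{off, k})
		}
	}
	return hits
}

func main() {
	hdr := []byte("MZ\x90\x00") // constructed sample: two PE-like chunks under different keys
	blob := append(make([]byte, 16), xorChunk([]byte("MZ\x90\x00payload A"), 0x5A)...)
	blob = append(blob, xorChunk([]byte("MZ\x90\x00payload B"), 0x13)...)
	fmt.Printf("%+v\n", FindChunks(blob, hdr))
}
```
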
  18. Systems in ROM do work... by Anonymous Coward · · Score: 0

    It's pathetic to see all these people with kinda old /. IDs writing that a system in ROM can't work because an exploit against the system in ROM would then work every time.

    You guys are lame, so lame to comment such bullshit and it's saddening to see monkeys with + modpoints wasting them on that bullshittycrap.

    Crypto can solve this and this is *precisely* the problem Google solved with their Chromebook. Now, of course, Google may have fuxx0red the implementation, but the maths behind the concept are sound.

    What you don't get is that the system in ROM makes sure that the computer, at *every single reboot*, will look for cryptographically signed updates.

    If an attacker manages to break crypto, then the world at large is fucked up and botnets will be the least of our concerns.

    So we consider the math behind the crypto is sound and, using logic, here's what we have: we have a system that, at every reboot, will look for valid (cryptographically signed) updates. If a legit update is found, it is installed.

    What does this mean? It means that unless the "r00t spl0it" can fuck up your entire chain, at one point the computer *shall* find a correct, valid update. And the spl0it *cannot* modify the ROM and it *cannot* forever prevent legit updates from being found by the system in ROM.

    And what shall that update contain? At one point a security patch owning the "r00t spl0it".

    Now how hard is that to understand? How come this sh!t has been known for ages and actually implemented in the Google Chromebook and you still get r*tards here saying that "a r00t spl0it shall 0wn your ROM system every time"? WTFF? How hard is, say, "minimal system in ROM writing only cryptographically signed updates to EEPROM" to understand?

    Instead of knee-jerking and bowing to malware authors as if they were going to write an uber-malware, you should start applauding people, like those working at Google, looking for solutions.

    Once again: Google may have fuxx0red this particular implementation (I don't know all the details), but that f*cking sh!t is totally doable.

    Say a f*cking EEPROM checked from a ROM: if the EEPROM doesn't contain data cryptographically signed with a FUCKING key FUCKING written in ROM, then it gets erased, on every reboot. So the spl0it can write to the EEPROM? Big fucking no-deal: that corrupted EEPROM *shall* be erased on the next reboot. At one point on reboot the system in ROM *shall* find a motherfucking security patch patching the r00t spl0it.

    How f*cking hard is that to f*cking understand you f*cking r*tards?

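The ROM-plus-signed-EEPROM scheme the comment above describes, as an added example in Go (not the commenter's code and not Chromebook's actual implementation): the ROM holds only a public key, an EEPROM image that fails verification is erased on every boot, and any validly signed update found is installed. Image, ROM, Sign and Boot are assumed names; the version comparison is an added anti-rollback rule the comment does not mention, and the fixed key seed is constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Image is an update as it sits in EEPROM: version, payload, vendor signature over both.
type Image struct {
	Version uint32
	Payload []byte
	Sig     []byte
}
// signedBytes is what the vendor signs: version prefix plus payload, so an old
// signed payload cannot be re-labelled with a newer version number.
func signedBytes(v uint32, payload []byte) []byte {
	b := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(b, v)
	return append(b, payload...)
}
// Sign is the vendor side; the private key never reaches the device.
func Sign(priv ed25519.PrivateKey, v uint32, payload []byte) *Image {
	return &Image{v, payload, ed25519.Sign(priv, signedBytes(v, payload))}
}
// ROM models the immutable boot code: it holds only the vendor's public key.
type ROM struct{ Pub ed25519.PublicKey }
// Valid reports whether img carries a genuine vendor signature.
func (r ROM) Valid(img *Image) bool {
	return img != nil && ed25519.Verify(r.Pub, signedBytes(img.Version, img.Payload), img.Sig)
}
// Boot is the per-reboot routine from the comment: erase an EEPROM image that fails to
// verify, then install any valid update. The u.Version check is an added anti-rollback rule.
func (r ROM) Boot(eeprom *Image, updates []*Image) *Image {
	if !r.Valid(eeprom) {
		eeprom = nil // tampered or corrupt: wiped on every boot
	}
	for _, u := range updates {
		if r.Valid(u) && (eeprom == nil || u.Version > eeprom.Version) {
			eeprom = u
		}
	}
	return eeprom // nil means nothing bootable until a valid update arrives
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, 32)) // fixed seed so the demo is deterministic
	rom := ROM{priv.Public().(ed25519.PublicKey)}
	tampered := &Image{1, []byte("fw v1 + rootkit"), Sign(priv, 1, []byte("fw v1")).Sig}
	fmt.Println("boots version", rom.Boot(tampered, []*Image{Sign(priv, 2, []byte("fw v2"))}).Version)
}
```
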
  19. They are using redundancy. by Anonymous Coward · · Score: 0

    -- In the malware?
    -- No, in the summary!
    -- Bwahahahaha!

  20. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion