No Defense Against Windows Rootkits?

"Spyware bad guys (and also phishing people) started using rootkits
technology to stay hidden in a system. The problem is that at the moment
the technology to defend a Windows system from these things is very poor.
In fact antivirus companies have just started adding basic anti-rootkits
technology. So the problem is serious, and well outlined by this question:
Is the closed source code of Windows preventing us from actively defending
our systems?"


http://www.viruslist.com/en/analysis?pubid=168740859


Imhotep

 

No.

(But only if you bother reading the article, as opposed to an unattributed
"source").

Bad data in = bad data out ;o)

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

 

IMHO (although I'm hardly humble) the question of open-source is largely
irrelevant to the issue of rootkits. FWIW (doncha love acronyms?) the
concept of rootkits was imported to Windows from the *nix world.

Unix or Windows rootkits operate at the level of binaries. Where the
binaries come from (open- or closed-source) is immaterial.

Regards,

PS Full HD OTFE encryption provides a large measure of protection
(although not complete protection) against rootkits and other malware.

PPS The only complete protection (passing over hardware tampering such as
compromised BIOSs) is something like hash-checking essential files after
booting from a known-good CD.

 

Ah...ok...not sure what that has to do with the article but, yes, you are
correct rootkits were first developed on UNIX...again not sure what that
has to do with the article or what the hell FWIW means....

Ah...ok...again not sure what that has to do with the article or what point
your are trying to make...

Another is *not* running user's accounts with any privileges...which is one
of the easiest (well, if you use UNIX/Linux/BSD) things you can do.

Sure but that would be a real pain-in-the-ass to do everytime you boot.
Also, if you do not reboot frequently that measure becomes useless (ie you
need to reboot with a cd with the saved file hashes to detect a break in
after the fact)

Im

 

Something like Tripwire? What would be the equivalent for Windows?

 

The "" generally means it is a quote from some source...if you do not like
his/her comments write them. ;-O

Im

 

The problem that exists is this. An application is generally requesting
(using) a kernel API in some way-shape-or-from. In other words the
application is not looking directly at the file directly on the disk. So,
if a rootkit is installed, and you are running a security app like Tripwire
on the same infected machine, then it really is useless (your asking the
rootkit if the system is infected). That is why the other posted said
"...booting from known-good cd".

Im

 

Hi Imhotep - FYI, just in case you were unaware of it. The following is
from my Blog, addy in my Signature below:


"Either run on-line at the first link or download (thus saving for future
use) and run the Microsoft Malicious Software Removal Tool, here:

http://www.microsoft.com/security/malwareremove/default.mspx and here:
http://www.microsoft.com/security/malwareremove/families.mspx

This tool addresses a number of the worst virus and worm families/variants
including a number of the Hacker Defender rootkits. It is updated on the
second Tuesday of the month and should be re-downloaded and re-run then each
time as well as when you suspect problems."

 

Perhaps I misread your post - did you not frame the central question in
terms of Windows being closed-source?

But, no, I see I did NOT misread your post - that is indeed how you
framed the question. And the point of my response was that framing the
problem that way is unhelpful - a red herring, in fact. Open- or closed-
source has very little to do with the problem of rootkits - or with
solutions.

In fact, rootkits are common on many of the open-source *nices (and have
"migrated" to closed-source Windows only relatively recently). The
*nices are where rootkits first came to prominence, emphasizing my point
that open- or closed-source is hardly the central aspect.

So what part of my point did you find confusing or unclear?



Incidentally, FWIW means "for what it's worth." I would have expected
an old-timer to be familiar with acronyms and buzzwords, but, if not, let
me refer you to, for instance:

http://kb.iu.edu/data/adkc.html

Again, my point is that open- or closed-source is not the key aspect. A
rootkit compromises the OS at the executable binaries level and NOT at
the source-code level.

There are a number of protections that can be applied against rootkits:
before, during, or after the fact.

Windows, whatever its other deficiencies, has rich and sophisticated
permissions, policies, and control mechanisms - every bit the match of
the *nices. While I concede unhesitatingly that most users don't use
them and often run naked in admin mode, that is not an inherent flaw of
the OS.

Next: If you do not have constant control and custody of the machine,
there is a significant risk that someone can manually install a rootkit,
no matter what permission mechanisms the OS invokes when running. Full
OTFE HD encryptiuon is a significant protection against this major class
of risk any time the system is not running! The alternative is
validating everything from known-good sources before each boot (or just
taking your chances, I suppose).

Regards,

 

Thanks for the info. I do not use Windows but, I am sure it will help other
people here. Do you mind if I cut and paste your links for the next "virus
help" question?

Im

 

Re; the M$RT, FYI it claimed to have completely cleaned Win32/Gael.a,
but when I rebooted it had *not* cleaned
c:\windows\system32\userinit.exe, which then proceeded to re-infect the
whole machine. Re-booting in safe mode with command prompt, and
killing the userinit process, it was possible to copy a clean userinit
from write-protected flashdisk (floppy works too) right over the
infected one. Haven't had any dramas since *fingers crossed*.

 

Hi Imhotep - Not at all - the principle purpose of that Blog is to help
people with malware issues. However, there are a number of other virus and
trojan related tools identified therein as well, and I do try to keep it
updated, so I would suggest that you point them to the whole Blog rather
than (or at least in addition to) just the MSRT links, if that's what you
meant.

 

You use adelphia? Are you in Florida?

Im

 

Do you generally quote yourself? Neither do I. That was the introduction of
the story where I first came across the article...hence the quotes.

"Spyware bad guys (and also phishing people) started using rootkits
technology to stay hidden in a system. The problem is that at the moment
the technology to defend a Windows system from these things is very poor.
In fact antivirus companies have just started adding basic anti-rootkits
technology. So the problem is serious, and well outlined by this question:
Is the closed source code of Windows preventing us from actively defending
our systems?"

Although, I do believe in the merit of open source and open standards over
proprietary source and standards...

Now idea how this topic became an open source vs proprietary source
discussion...

Yes, rootkits first hit unixes about 10 years ago when windows 95 was just
new...now they are being used against Windows. Now, using *that* as a
justification for "...emphasizing my point that open- or closed-source is
hardly the central aspect" is weak at best.

I understand your point, I just don't agree with it. There are many more
things to consider when comparing open standards/open source to proprietary
source/proprietary standards than just the history of rootkits...

Nah, I am not a member of the acronym fad group. I'll just spell it out,
thank you.

All binaries are "born" from source

Honestly, I will take FreeBSD over MS whatever everytime.

One of the more serious problems with Windows was how it, and third party
software, did not address non privileged users very well. This has resulted
in people running their accounts with local admin privs. Would you surf the
the Internet logged in as admin? Why would you surf the web in *your*
account with admin privs since, really, they are the same account with
respect to system privileges....

The other problem with Microsoft is, frankly, they are too busy with other
projects to really make quality software. They are too busy, trying to
maintain too many markets and have become reliant on the attitude of "what
else are you going to run on your desktop?" This arrogance has caused them
to lose touch with their customer's needs.

Im

 

Perhaps that was the intro where you first came across the story but there
was NO such quote in the url you cited:

http://www.viruslist.com/en/analysis?pubid=168740859

Regards,

 

Nope, Anaheim, CA

 

The convention is that anything quoted is, indeed, written in quotes. And
then a link provided to the article *quoted*.

AFAIK, it has never been convention to post a quote and then cite something
completely unrelated... and, has been pointed out, the article is utterly at
odds with its "intro", except when viewed through the most rose-tinted of
spectacles ;o)

Incidentally (I'm being lazy, and only posting the once) the argument
between elevated vs. non-elevated privileges is also a little spurious. Yes,
running "naked" admin can get you a whole host of additional vectors, but it
is utterly irrelevant to the actual installation of a rootkit.

To use the inevitable car analogy, it's the nail in your tyre that causes
the puncture, not which route you chose to drive back from work.

Pedant, moi? )

H1K

 

After being chided for ending a sentence with a preposition, Churchill
responded dryly, "That is the sort of arrant pedantry up with which I shall
not put."

Regards,

 

Tripwire

 

An additional FYI, courtesy of MVP Steve Winograd:


The beta version of F-Secure BlackLight rootkit remover, which had been
set to expire on October 1, has been extended to January 1. You can
download the new version here:

http://www.f-secure.com/blacklight/try.shtml