No Defense Against Windows Rootkits?

Discussion in 'Computer Security' started by Imhotep, Sep 28, 2005.

  1. Imhotep

    Imhotep Guest

    "Spyware bad guys (and also phishing people) started using rootkits
    technology to stay hidden in a system. The problem is that at the moment
    the technology to defend a Windows system from these things is very poor.
    In fact antivirus companies have just started adding basic anti-rootkits
    technology. So the problem is serious, and well outlined by this question:
    Is the closed source code of Windows preventing us from actively defending
    our systems?"


    http://www.viruslist.com/en/analysis?pubid=168740859


    Imhotep
     
    Imhotep, Sep 28, 2005
    #1

  2. No.

    (But only if you bother reading the article, as opposed to an unattributed
    "source").

    Bad data in = bad data out ;o)

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Sep 29, 2005
    #2

  3. nemo_outis Guest


    IMHO (although I'm hardly humble) the question of open-source is largely
    irrelevant to the issue of rootkits. FWIW (doncha love acronyms?) the
    concept of rootkits was imported to Windows from the *nix world.

    Unix or Windows rootkits operate at the level of binaries. Where the
    binaries come from (open- or closed-source) is immaterial.

    Regards,

    PS Full HD OTFE encryption provides a large measure of protection
    (although not complete protection) against rootkits and other malware.

    PPS The only complete protection (passing over hardware tampering such as
    compromised BIOSs) is something like hash-checking essential files after
    booting from a known-good CD.
     
    nemo_outis, Sep 29, 2005
    #3
  4. Imhotep

    Imhotep Guest

    Ah...ok...not sure what that has to do with the article but, yes, you are
    correct, rootkits were first developed on UNIX...again not sure what that
    has to do with the article or what the hell FWIW means....
    Ah...ok...again not sure what that has to do with the article or what point
    you are trying to make...

    Another is *not* running users' accounts with any privileges...which is one
    of the easiest (well, if you use UNIX/Linux/BSD) things you can do.
    Sure, but that would be a real pain-in-the-ass to do every time you boot.
    Also, if you do not reboot frequently that measure becomes useless (i.e. you
    need to reboot with a CD with the saved file hashes to detect a break-in
    after the fact).

    Im
     
    Imhotep, Sep 29, 2005
    #4
  5. speeder Guest

    Something like Tripwire? What would be the equivalent for Windows?
     
    speeder, Sep 29, 2005
    #5
  6. Imhotep

    Imhotep Guest

    The "" generally means it is a quote from some source...if you do not like
    his/her comments write them. ;-O

    Im
     
    Imhotep, Sep 29, 2005
    #6
  7. Imhotep

    Imhotep Guest

    The problem that exists is this. An application is generally requesting
    (using) a kernel API in some way-shape-or-form. In other words the
    application is not looking directly at the file on the disk. So,
    if a rootkit is installed, and you are running a security app like Tripwire
    on the same infected machine, then it really is useless (you're asking the
    rootkit if the system is infected). That is why the other poster said
    "...booting from known-good cd".

    Im
     
    Imhotep, Sep 29, 2005
    #7
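The offline hash check that nemo_outis describes in #3, speeder asks about in #5 and Imhotep explains the need for in #7, as an added example; this is not code from the thread and not Tripwire's code. It assumes the hypothetical procedure of booting from a known-good CD or USB, mounting the suspect system volume read-only, hashing the tracked binaries from that clean environment, and keeping the resulting baseline on write-protected media; the file names in `demo()` are constructed stand-ins, not real Windows binaries.

```python
"""Tripwire-style integrity baseline, meant to run from a known-good boot medium.

Added example for this thread, not code from the thread or from Tripwire.
Hypothetical usage: boot a clean CD/USB, mount the suspect system volume
read-only, run build_baseline() on it and keep the baseline on write-protected
media; later, boot clean again and run compare() against a fresh scan.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not read into memory at once
BINARY_SUFFIXES = (".exe", ".dll", ".sys")  # assumption: the file types worth tracking


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=BINARY_SUFFIXES) -> dict:
    """Map each tracked file (path relative to root) to its SHA-256 and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or p.suffix.lower() not in suffixes:
                continue
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files that appeared, and files that vanished."""
    modified = sorted(k for k in baseline if k in current
                      and baseline[k]["sha256"] != current[k]["sha256"])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario (fake files, not real Windows binaries): baseline a
    directory, then alter it the way a rootkit install might, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"
        root.mkdir()
        (root / "userinit.exe").write_bytes(b"MZ clean userinit")
        (root / "ntdll.dll").write_bytes(b"MZ ntdll")
        (root / "olddrv.sys").write_bytes(b"MZ driver that will be removed")
        (root / "notes.txt").write_bytes(b"not a binary, so not tracked")
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Changes on disk: one binary trojaned, one new driver dropped, one driver deleted.
        (root / "userinit.exe").write_bytes(b"MZ clean userinit" + b"\x90\x90 injected")
        (root / "unknown.sys").write_bytes(b"MZ new hidden driver")
        (root / "olddrv.sys").unlink()

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Because the scan runs from clean media against the mounted volume, the hashes reflect what is actually on disk rather than what a hooked kernel on the infected machine would report, which is the point made in #7. The baseline has to be taken before compromise and stored off the suspect machine, and, as noted in #4, a change is only noticed at the next clean boot. On Windows the same hashing can be done natively from a clean boot environment with PowerShell's Get-FileHash cmdlet; firmware-level tampering, which nemo_outis sets aside in #3, is outside what any file hash check can see.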
  8. Jim Byrd Guest

    Hi Imhotep - FYI, just in case you were unaware of it. The following is
    from my Blog, addy in my Signature below:


    "Either run on-line at the first link or download (thus saving for future
    use) and run the Microsoft Malicious Software Removal Tool, here:

    http://www.microsoft.com/security/malwareremove/default.mspx and here:
    http://www.microsoft.com/security/malwareremove/families.mspx

    This tool addresses a number of the worst virus and worm families/variants
    including a number of the Hacker Defender rootkits. It is updated on the
    second Tuesday of the month and should be re-downloaded and re-run then each
    time as well as when you suspect problems."
     
    Jim Byrd, Sep 29, 2005
    #8
  9. nemo_outis Guest


    Perhaps I misread your post - did you not frame the central question in
    terms of Windows being closed-source?

    But, no, I see I did NOT misread your post - that is indeed how you
    framed the question. And the point of my response was that framing the
    problem that way is unhelpful - a red herring, in fact. Open- or closed-
    source has very little to do with the problem of rootkits - or with
    solutions.

    In fact, rootkits are common on many of the open-source *nices (and have
    "migrated" to closed-source Windows only relatively recently). The
    *nices are where rootkits first came to prominence, emphasizing my point
    that open- or closed-source is hardly the central aspect.

    So what part of my point did you find confusing or unclear?



    Incidentally, FWIW means "for what it's worth." I would have expected
    an old-timer to be familiar with acronyms and buzzwords, but, if not, let
    me refer you to, for instance:

    http://kb.iu.edu/data/adkc.html



    Again, my point is that open- or closed-source is not the key aspect. A
    rootkit compromises the OS at the executable binaries level and NOT at
    the source-code level.




    There are a number of protections that can be applied against rootkits:
    before, during, or after the fact.

    Windows, whatever its other deficiencies, has rich and sophisticated
    permissions, policies, and control mechanisms - every bit the match of
    the *nices. While I concede unhesitatingly that most users don't use
    them and often run naked in admin mode, that is not an inherent flaw of
    the OS.

    Next: If you do not have constant control and custody of the machine,
    there is a significant risk that someone can manually install a rootkit,
    no matter what permission mechanisms the OS invokes when running. Full
    OTFE HD encryption is a significant protection against this major class
    of risk any time the system is not running! The alternative is
    validating everything from known-good sources before each boot (or just
    taking your chances, I suppose).

    Regards,
     
    nemo_outis, Sep 29, 2005
    #9
  10. Imhotep

    Imhotep Guest

    Thanks for the info. I do not use Windows but, I am sure it will help other
    people here. Do you mind if I cut and paste your links for the next "virus
    help" question? :)

    Im
     
    Imhotep, Sep 29, 2005
    #10
  11. Re: the M$RT, FYI it claimed to have completely cleaned Win32/Gael.a,
    but when I rebooted it had *not* cleaned
    c:\windows\system32\userinit.exe, which then proceeded to re-infect the
    whole machine. Re-booting in safe mode with command prompt, and
    killing the userinit process, it was possible to copy a clean userinit
    from write-protected flashdisk (floppy works too) right over the
    infected one. Haven't had any dramas since *fingers crossed*.
     
    lloyd.frombriz, Sep 29, 2005
    #11
  12. Jim Byrd Guest

    Hi Imhotep - Not at all - the principal purpose of that Blog is to help
    people with malware issues. However, there are a number of other virus and
    trojan related tools identified therein as well, and I do try to keep it
    updated, so I would suggest that you point them to the whole Blog rather
    than (or at least in addition to) just the MSRT links, if that's what you
    meant. :)
     
    Jim Byrd, Sep 29, 2005
    #12
  13. Imhotep

    Imhotep Guest

    You use adelphia? Are you in Florida?

    Im
     
    Imhotep, Sep 29, 2005
    #13
  14. Imhotep

    Imhotep Guest

    Do you generally quote yourself? Neither do I. That was the introduction of
    the story where I first came across the article...hence the quotes.

    "Spyware bad guys (and also phishing people) started using rootkits
    technology to stay hidden in a system. The problem is that at the moment
    the technology to defend a Windows system from these things is very poor.
    In fact antivirus companies have just started adding basic anti-rootkits
    technology. So the problem is serious, and well outlined by this question:
    Is the closed source code of Windows preventing us from actively defending
    our systems?"

    Although, I do believe in the merit of open source and open standards over
    proprietary source and standards...

    No idea how this topic became an open source vs proprietary source
    discussion...

    Yes, rootkits first hit unixes about 10 years ago when windows 95 was just
    new...now they are being used against Windows. Now, using *that* as a
    justification for "...emphasizing my point that open- or closed-source is
    hardly the central aspect" is weak at best.
    I understand your point, I just don't agree with it. There are many more
    things to consider when comparing open standards/open source to proprietary
    source/proprietary standards than just the history of rootkits...
    Nah, I am not a member of the acronym fad group. I'll just spell it out,
    thank you.
    All binaries are "born" from source :)
    Honestly, I will take FreeBSD over MS whatever every time.

    One of the more serious problems with Windows was how it, and third party
    software, did not address non-privileged users very well. This has resulted
    in people running their accounts with local admin privs. Would you surf
    the Internet logged in as admin? Why would you surf the web in *your*
    account with admin privs since, really, they are the same account with
    respect to system privileges....

    The other problem with Microsoft is, frankly, they are too busy with other
    projects to really make quality software. They are too busy, trying to
    maintain too many markets, and have become reliant on the attitude of "what
    else are you going to run on your desktop?" This arrogance has caused them
    to lose touch with their customers' needs.

    Im
     
    Imhotep, Sep 29, 2005
    #14
  15. nemo_outis Guest



    Perhaps that was the intro where you first came across the story but there
    was NO such quote in the url you cited:

    http://www.viruslist.com/en/analysis?pubid=168740859

    Regards,
     
    nemo_outis, Sep 29, 2005
    #15
  16. Jim Byrd Guest

    Nope, Anaheim, CA :)
     
    Jim Byrd, Sep 29, 2005
    #16
  17. The convention is that anything quoted is, indeed, written in quotes. And
    then a link provided to the article *quoted*.

    AFAIK, it has never been convention to post a quote and then cite something
    completely unrelated... and, as has been pointed out, the article is utterly at
    odds with its "intro", except when viewed through the most rose-tinted of
    spectacles ;o)

    Incidentally (I'm being lazy, and only posting the once) the argument
    between elevated vs. non-elevated privileges is also a little spurious. Yes,
    running "naked" admin can get you a whole host of additional vectors, but it
    is utterly irrelevant to the actual installation of a rootkit.

    To use the inevitable car analogy, it's the nail in your tyre that causes
    the puncture, not which route you chose to drive back from work.

    Pedant, moi? :o)

    H1K
     
    Hairy One Kenobi, Sep 29, 2005
    #17
  18. nemo_outis Guest



    After being chided for ending a sentence with a preposition, Churchill
    responded dryly, "That is the sort of arrant pedantry up with which I shall
    not put."

    Regards,
     
    nemo_outis, Sep 29, 2005
    #18
  19. Winged Guest

    Tripwire
     
    Winged, Sep 30, 2005
    #19
  20. Jim Byrd Guest

    An additional FYI, courtesy of MVP Steve Winograd:


    The beta version of F-Secure BlackLight rootkit remover, which had been
    set to expire on October 1, has been extended to January 1. You can
    download the new version here:

    http://www.f-secure.com/blacklight/try.shtml
     
    Jim Byrd, Sep 30, 2005
    #20