Windows Rootkit Wars Escalate
An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in an ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS-aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."
Re:Whats ADS for? (Score:5, Informative)
Here's a nice FAQ on that. (Score:5, Informative)
There's a lot that can be done with it.
Yes, it works in Vista (Score:3, Informative)
Vista has numerous improvements security-wise, and almost all of them have to do with preventing a machine from becoming infected to begin with.
, [msdn.com]UAC [msdn.com], Windows Defender [microsoft.com], the improved software firewall [microsoft.com], IE 7+ sandboxing/broker [msdn.com], etc... these are all meant to make it a lot harder for malware to get on the machine to begin with.
As the old security adage goes, if untrusted software is run on your machine, it's not your machine anymore. [microsoft.com]
Re:Whats ADS for? (Score:2, Informative)
Re:Yes, it works in Vista (Score:4, Informative)
Address space randomization [msdn.com].
Helps if you actually preview before posting.
Symantech vs F-Secure (Score:5, Informative)
Symantec says that F-Secure's product can't remove this. Date June 29.
Any reason for this discrepancy? You'd think they'd continue to monitor what other companies are doing to combat the problem and 8 days would be enough for them to find out about the new release.
Re:Whats ADS for? (Score:5, Informative)
http://www.securityfocus.com/infocus/1822 [securityfocus.com]
Re:number 1 reason to hate sony (Score:5, Informative)
No it isn't.
A rootkit is what is installed to give the cracker unimpeded access (provides a backdoor, hides processes, replaces legitimate processes with trojaned ones, keeps activity out of system logs) once they have gained entry to a system (usually through a known vulnerability.) Their activity would be hidden from netstat, ps, etc.
At least look at Wikipedia [wikipedia.org].
Detect this.... (Score:3, Informative)
"The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior." http://www.sysinternals.com/Utilities/RootkitReve
Ooops... 1 step ahead of the hackers yet again.
Useful tool link (Score:5, Informative)
It can be found buried in this FAQ about the NTFS ADS feature: http://www.heysoft.de/nt/ntfs-ads.htm [heysoft.de]
I haven't tried it yet, but it looks like it should work from a win32 bootdisk (like BARTPE). So you should be able to boot from a clean win32 environment and scan the computer's hard disk to find any files with ADSs. Fortunately, use of this feature within NTFS is not widespread, so malware should stand out pretty obviously.
Have fun!
-R
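Added example, not code from the thread or from any of the vendors or tools it mentions: a PowerShell scan that lists named NTFS streams beneath a path and cross-checks two user-mode enumerators, the PowerShell file-system provider (Get-Item -Stream, PowerShell 3.0 and later) and cmd.exe's dir /r (Vista and later). A stream reported by one but not the other is worth a closer look. A kernel-level filter of the kind the summary describes can hide a stream from both, which is exactly why the post above suggests running the scan from a clean boot environment such as BartPE. The function names and the scanned path are placeholders I chose.

```powershell
# Added example (not code from the thread, Symantec, F-Secure or Sysinternals).
# Lists NTFS alternate data streams beneath a path and cross-checks two
# user-mode enumerators, so a stream hidden from one API but not the other
# shows up as a mismatch. Assumes PowerShell 3.0+ on Vista or later and an
# NTFS volume. Function names and the example path are placeholders.

function Get-AdsViaProvider {
    param([Parameter(Mandatory)] [string] $FilePath)
    # The file-system provider lists every stream; the unnamed primary stream is ':$DATA'.
    Get-Item -LiteralPath $FilePath -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { [pscustomobject]@{ Stream = $_.Stream; Bytes = [int64] $_.Length } }
}

function Get-AdsViaDir {
    param([Parameter(Mandatory)] [string] $FilePath)
    # cmd.exe's "dir /r" prints one extra line per named stream, for example:
    #                 12 file.txt:hidden:$DATA
    $lines = & cmd.exe /c "dir /r /a `"$FilePath`"" 2>$null
    foreach ($line in $lines) {
        # size (with thousands separators), file name, stream name; ':' cannot occur in either name
        if ($line -match '^\s+([\d,]+)\s+.+?:([^:]+):\$DATA\s*$') {
            [pscustomobject]@{ Stream = $Matches[2]; Bytes = [int64] ($Matches[1] -replace ',', '') }
        }
    }
}

function Find-AlternateDataStreams {
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            $viaProvider = @(Get-AdsViaProvider -FilePath $file | ForEach-Object Stream)
            $viaDir      = @(Get-AdsViaDir      -FilePath $file | ForEach-Object Stream)
            foreach ($name in ($viaProvider + $viaDir | Sort-Object -Unique)) {
                [pscustomobject]@{
                    File         = $file
                    Stream       = $name
                    SeenByPS     = $viaProvider -contains $name
                    SeenByDir    = $viaDir -contains $name
                    # Zone.Identifier is the common benign stream that marks downloaded files
                    LikelyBenign = ($name -eq 'Zone.Identifier')
                }
            }
        }
}

# Usage (placeholder path): report streams that are not the benign download marker,
# or that only one of the two enumerators could see.
Find-AlternateDataStreams -Path 'C:\Windows\System32' |
    Where-Object { -not $_.LikelyBenign -or ($_.SeenByPS -ne $_.SeenByDir) } |
    Format-Table -AutoSize
```

Spawning one cmd.exe per file is slow over a whole volume, so point it at the directories that matter first; from a clean boot disk the scanned path will be the offline system drive rather than C:\Windows.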
ADS was also an IIS backdoor (Score:4, Informative)
Microsoft has been less than forthcoming about ADS, its function and its mechanism. ADS has been used in the past to hack into web servers and now appears to be useful for rooting any system with NTFS.
Is ADS a Microsoft backdoor?
Re:number 1 reason to hate sony (Score:5, Informative)
Even the ultimate authority on computer terminology, the Urban Dictionary [urbandictionary.com], gets it right:
Re:Seems to effect (Score:4, Informative)
You did miss the memo. The AMD and Intel 64 bit processors use an instruction set architecture called "x86_64" (also x64 or AMD64 or EM64T, isn't marketing wonderful?). This instruction set extends the original 32 bit x86 instruction set. Wikipedia has some x86_64 [wikipedia.org] architecture information.
Re:Security doesn't start at rootkit detection (Score:5, Informative)
People, please, stay sensible. First of all, a rootkit has to GET into a system.
True, but there are many modes of infection.
Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!
So, just because you don't know of any unpatched, remote vulnerabilities being exploited, we should not worry about them? What about local escalations, there are plenty of those outstanding and some people admin multi-user boxes. Finally, it can come in as a trojan. No one has the time to exhaustively check every program they run, if the source is even available. That means you have to trust every program you install. This is asking users to sacrifice usability for security, and that is a classic security blunder.
My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon.
My prediction is we can stop 100% of worms, trojans, and spybots by no longer using computers... of course that kind of defeats the purpose.
There is no technical solution for a social problem.
Malware is mostly a technical problem and a computer/human interaction problem. It can be solved with education as a social problem, but only when the previous problems have been fixed. You can't expect users to learn a whole lot of really complex topics in order to perform simple tasks. It is not going to happen. When joe-sixpack runs their computer they expect it to conform to some basic, sensible characteristics and it is failing. This is not the user's fault. This is the fault of the people who designed the system first and then tried to teach the average person a long series of complex topics and ever changing rules. What they should have done was ask the users what the computer should do and then make the computer do that.
It is unreasonable to expect that clicking on an icon that looks just like your picture files will install a program and let someone in Russia start using your computer to send spam. This is a failing of the computer, not the user. The computer should clearly indicate to the user what is a picture and what is a program. Then, it should not let the program do anything the user does not expect and want. If this rootkit arrives in a trojan, disguised as data or a beneficial program like a game, and the user runs it, they still should not have to worry about it because it should be running in a sandbox, by default. When it tries to do something unusual, like patch the core of the OS, the user should be warned in very strong language and given the option of letting the rootkit patch a VM's core OS instead, thereby stopping it from having any effect. It doesn't take a genius to do this, if only people would stop apologizing for how crappily most OS's, especially Windows, deal with this stuff. By blaming the users for this failing you're part of the problem. Stop it.
Re:T-minus 3... 2... 1... (Score:3, Informative)
Odd... On Linux, I don't have any trouble running games or development applications as an unprivileged user. The only time I ever switch to a privileged user is when I'm installing something or reconfiguring the system in some way.
Of course, that usually has more to do with the developers of said applications than the OS itself. Windows is perfectly capable of running applications well under unprivileged user accounts, but the developers of those applications have gotten into the nasty habit of relying on the fact that most Windows users run as Administrator.
Re:Whats ADS for? (Score:3, Informative)
In my opinion, however, once you get a system that badly infected, you should give up and wipe clean. You'll never know if you've successfully closed all the holes, and not even an expensive forensic analysis could guarantee such a thing.
Re:Symantech vs F-Secure (Score:3, Informative)
Re:Offline rootkit scanner? (Score:2, Informative)
My personnal experience... (Score:5, Informative)
- your access rights are correctly set (as in using the GUID "video" to grant access to devices used for graphic acceleration. Most modern distros have this done auto-magically by the setup or have the plug-n-play daemon assign correct rights to newly plugged devices)
- there are small pieces of code that are used to communicate between privileged access and unprivileged access (in other words: once upon a time, you needed to have SETUID on SVGALib to have nice graphics in games under Linux. Nowadays, SDL communicates with drivers and architectures like DRI, which take care to pass messages to a more privileged part which, in turn, will take care of the sensitive steps. In other words: old applications use special extensions and map the framebuffer themselves, if they have enough access rights. New (unprivileged) applications ask the X server (with modern extensions), which itself has the right to access hardware, to map what is needed.)
That means that, with a correctly set up system, I never needed to SUDO before playing anything with mplayer, xine, vlc or whatever else.
I almost never run applications as something other than my user account.
In fact, even installing updates is being slowly replaced with a less privileged process in recent distros (instead of asking the users to start a process as root and install updates themselves under this identity, newer distros have a separate daemon that runs with the minimal necessary privileges and the user only has a small application that passes messages to the update daemon to make the system install patches).
On the other hand, Windows, with its "admin-by-default" accounts, hasn't done anything to prevent misbehaving software. I can understand that Windows 3.x and Windows 9x, with all their DOS tradition behind them, had to be "admin-by-default". But since Microsoft moved to a new architecture, why don't they change the default user profile behaviour? Old apps are run through an emulated API; newer applications break if they can't run in a non-privileged environment.
Old usage needed admin rights. That's normal. What's not normal is that Microsoft perpetuated the bad habit in newer versions of Windows.
Comment removed (Score:2, Informative)
Nitpicking (Score:2, Informative)
I always thought the means to gain access through vulnerabilities were called 'exploits.'
Re:Whats ADS for? (Score:1, Informative)
That's a tremendous over-simplification. (It's also wrong. File types aren't stored in the resource fork; some files don't even have resource forks.) The resource fork contains a database of objects, each of which has a type and an ID. The primary use for resource forks by applications is to store user interface elements. Windows are stored in resources of type WIND, icons were originally stored as type ICON, and dialog boxes are stored as type DLOG. In the Motorola 68k days, the application's executable was stored in CODE resources. Lists of strings are stored in STR# resources, which makes localization a snap--just use a different string list, no recompilation necessary.
Re:Forever War (Score:5, Informative)
In fact I don't even bother running any Host OS scans when I fix someone's PC anymore, I boot from a BartPE disc, scan it with the antivir and antispyware and clean it up easier and faster than anything else.
Takes me far less time, I get it on the first try, and it's back to a clean machine for 35 seconds until the owner clicks on things again to reinstall every bit of spyware.
Re:T-minus 3... 2... 1... (Score:3, Informative)
I routinely play DVDs as my user [you need read access to
I routinely play full screen video games as my user not root, etc, etc, etc.
Your information is out of date and just plain incorrect.
Tom
Re:AV companies are dishonest (Score:3, Informative)
You could shell out the ridiculous price of $400+ for a copy of AVAST's B.A.R.T. CD, I suppose - but then you're stuck with their inferior virus scanning/removal technology. I've generally fared better running the latest AVG on a compromised system's own OS than relying on AVAST to get it clean running from the stripped-down XP that boots from a B.A.R.T. CD.
Personally, I find it amazing that Symantec, of all people, hasn't re-used the "boot from virtual partition into PC-DOS" solution they've already integrated into Ghost Corporate as a way for their AV software to run full scans and cleans?
Re:Forever War (Score:3, Informative)
Also, computers are not Turing machines; they are linearly-bounded automata. Turing machines have infinite memory. In fact, a Turing machine can decide the output of a LBA. In any case, you can of course check to see if an algorithm will work under certain constraints. That's why there's a "System Requirements" part on software boxes.
Sysinternals Rootkit Revealer already scans ADS (Score:2, Informative)
Re:ADS was also an IIS backdoor (Score:3, Informative)
Fortunately, the ADS stream can only be non-critical data because transferring to a single stream filesystem (such as FAT32) would drop the additional stream. I'm not sure if ZIP stores them or not (built in ZIP in XP), but that would be interesting.
Think of it as a named section of a file that can be treated as its own independent file. It's only scary because Explorer, DIR, etc. do not show the named stream content of a file and therefore there's no way to see them without third-party tools. Not real smart of MS, but most people would get confused, they think. They should give me a text box to click, like the box that lets me see extensions and "protected operating system files."
That's not all though, if you want a real trip, go into $WINROOT and try to delete notepad.exe. Just click it and hit delete. Notepad.exe will magically reappear! ADS I can deal with. Of course, there are ways, so now I have the wonderful Notepad2 as my notepad.exe
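Added example, not code from the post: once a named stream has turned up, the next step is to look at it as the independent file body the post describes, without running anything. This reads the stream's bytes through the PowerShell provider (Get-Content -Stream, PowerShell 3.0 and later; the byte-reading switch differs between Windows PowerShell and PowerShell 7, handled below), hashes them, checks for an executable header, and optionally writes the stream out as an ordinary file for offline analysis. Paths and stream names in the usage line are placeholders I chose.

```powershell
# Added example (not code from the thread). Triage one named stream on a file:
# read its bytes as a separate body, hash them, flag a PE ('MZ') header and
# optionally save a copy for offline analysis. Assumes PowerShell 3.0+ on NTFS.
# Paths and stream names in the usage line are placeholders.

function Get-AdsTriage {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [Parameter(Mandatory)] [string] $StreamName,
        [string] $ExportTo          # optional: write the stream out as its own file
    )
    # Windows PowerShell (5.1 and earlier) reads raw bytes with -Encoding Byte,
    # PowerShell 6+ with -AsByteStream; splat whichever applies.
    $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                else                                        { @{ Encoding = 'Byte' } }

    # -ReadCount 0 returns the whole stream as one byte array; an empty stream yields $null
    $bytes = Get-Content -LiteralPath $FilePath -Stream $StreamName -ReadCount 0 @byteArgs
    if ($null -eq $bytes) { $bytes = [byte[]] @() }
    $bytes = [byte[]] $bytes

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $hex    = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''

    # A DOS/PE image starts with 'MZ'; executable content inside an ADS deserves a close look
    $looksLikePe = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)

    if ($ExportTo) {
        # The copy is an ordinary single-stream file, so it survives a move to FAT32
        # (which has no streams, the point made above about losing them on transfer)
        Set-Content -LiteralPath $ExportTo -Value $bytes @byteArgs
    }

    [pscustomobject]@{
        File        = $FilePath
        Stream      = $StreamName
        Bytes       = $bytes.Length
        SHA256      = $hex
        LooksLikePE = $looksLikePe
        ExportedTo  = $ExportTo
    }
}

# Usage (placeholder names):
# Get-AdsTriage -FilePath 'C:\suspect\readme.txt' -StreamName 'hidden' -ExportTo 'C:\triage\readme.txt.hidden.bin'
```

The hash is what you hand to a vendor or compare across machines; the exported copy is what goes to an analyst, and because it is a plain file it can be moved to any filesystem without silently losing the content.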