Windows Rootkit Wars Escalate 342
An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in a ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."
number 1 reason to hate sony (Score:1, Interesting)
Whats ADS for? (Score:2, Interesting)
or was it for something different entirely? I remember there being a "chmod +/-h"
in old (perhaps even current, I no longer use it) versions of HP-UX that would hide
files , is this something similar?
Re:T-minus 3... 2... 1... (Score:3, Interesting)
That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
Tom
Seems to effect (Score:2, Interesting)
Would be interesting to know if there will be or are 64-bit versions of rootkits.
Vista compatible? (Score:4, Interesting)
Also, would it be able to hide from a tool like SysInternal's rootkit detector which compares API return values for the registry and filesystem with an actual analysis of the registry files themselves, and a scan of the raw blocks on the disk? (Understands NTFS and FAT, and the registry hive format).
Re:Vista compatible? (Score:2, Interesting)
Re:Vista compatible? (Score:5, Interesting)
If that's not functionality that should require Windows binaries to be signed, I don't know what is.
Re:Whats ADS for? (Score:4, Interesting)
I fought with the HackerDefender rootkit earlier this year. Best I can tell it got in through a vulnerability in the Finger port of my mail server. It installed itself as a legacy mode device driver. The device driver was set up to hide certain filenames from Windows. Once installed, you COULD NOT SEE the files the rootkit used. The files weren't files marked with the "hidden" attribute, they were simply hidden from Windows at all levels. You COULD NOT SEE the registry entries. You could not see the task in Task Manager. Very evil and took many hours of my time to fix.
Re:ADS was also an IIS backdoor (Score:3, Interesting)
Given that Microsoft has the keys to the front door (windows security update for example), why would they need a backdoor?
I'm undecided as to whether alternative stream was a good idea with poor implementation (and bad documentation), or just a bad idea.
Offline rootkit scanner? (Score:4, Interesting)
Then, one periodically (once or twice a week, as paranoia sees fit) ran the utility on their machine. If stuff in the MS-DOS directory was changed, it was immediately apparant. Integrity Master also was able to scan for some known viruses as well in addition to keeping a log of changed files.
We need a utility like that for Windows XP and Vista. A bootable CD or DVD that not just can understand NTFS (and NTFS's file compression), but has the necessary software to mount hard disks which are encrypted with BitLocker, PGP, SafeBoot, PointSec, WinMagic, DriveCrypt Plus Pack. The utility should also allow for username/password entry so EFS-protected files can be checked too.
This utility should use a CD or DVD to boot from, mount hard drive volumes, run checks for alternate data streams, system and nonsystem files, and finally the registry, perhaps including the encrypted parts like the SAM. It should not just save hashes of files, but perhaps have some ability to check file signatures as well (like sfc.exe and sigverif.exe do), so an update to Windows via a legitimate way doesn't set off a lot of false positives. Of course, the "manifest" file storing the file hashes on the file system would be stored on a removable USB drive, so the OS on the hard drive never has the ability to touch it.
Because this checking is done offline, a rootkit would be a lot harder to hide (unless it uses a method that the integrity scanner wasn't programmed to detect, like perhaps pointing to unallocated disk space for executable code, or hiding in an EFS-protected file.)
Of course, offline checking isn't perfect, because the machine being scanned has to be totally downed for a good amount of time which can't be done in a 24/7 environment.
There are some hurdles though. Trying to reduce the amount of false positives is one, for example. A novice user presented with a notice that a lot of files were changed likely wouldn't know what was a bad change, and what was normal for system functioning. After that, its decoding files and registry keys. Finally, if a known rootkit database was used, keeping track of how rootkits encrypt their payload, and delivering timely program updates.
Re:ADS was also an IIS backdoor (Score:3, Interesting)
I was actually suprised that Microsoft didn't take advantage of streams more often than they do. It would be a nice place to have put file meta-data (Like MP3 tags, creator, summary, etc), or image thumbnails (instead of thumbs.db). They probably wanted to support FAT32, and Windows 9x which is why they didn't.
It's hardly a backdoor, it was a pretty big deal and a feature Microsoft made a pretty big deal of when it arrived. NTFS also supports another hardly used feature known as sparse files where you can allocate space within a file that doesn't actually take any disk space. Useful for some record/database applications. It also supports junction points as well, allowing you to map a drive into a folder (Similiar to linux's symbolic links).
Where do you go for the "alternate" news (Score:2, Interesting)
There was also fravia and other nice pages where you cold get that information but now I am not "on the song" anymore, can anyone enlighten me please?
Re:Security doesn't start at rootkit detection (Score:5, Interesting)
Before any of the hundreds of security holes in Windows XP were published, they were still there! If you have paid any attention to security, you would be very confident that there are many remote root, arbitrary code, no-interaction-required holes in Windows RIGHT NOW.
They are no doubt being used. I can think of many ways to build a bot that connects home indetectably to all but the most paranoid and brilliant sysadmin.
Make your own ADS (Score:4, Interesting)
Go to the command prompt.
echo Text! > text.txt:ADS
Do a DIR and you'll see the size of text.txt is 0 bytes.
The string "Text!" has ended up in an ADS stream called "ADS".
Re:T-minus 3... 2... 1... (Score:3, Interesting)
Psh, my graphing calculator is much more secure than any of those. No security exploits, ever.
Re:Security doesn't start at rootkit detection (Score:5, Interesting)
There is no 100% solution except to cease using the technology. That's a given. But that would be like saying we should stop using cars because accidents happen.
What you advocated, however, was users not running software or opening data they don't trust. For most users, that cuts the functionality of their machine in half. Trust is a sliding scale. And given the relatively mild punishment for trusting too much, most users will chose functionality over security. The job of the OS should be to make sure they never have to make that choice.
There is no technical solution to everything, though. You cannot "fool proof" everything. Would you go around fool-proofing cars or guns? I'd rather expect someone using either to have proper training and knows how to use it, so he is neither harm to himself nor others.
Well, if I can get a gun or car to do exactly what I want without any risk or decrease in functionality, I'm all for it. As for training, the point is that the usability and functionality of the system has to be up to snuff before it can be effective. To bring cars to the equivalent level of functionality as a Windows machine you'd have to have no windshield and the user would have to just be guessing where they are going. Right now users are given basically no information about what is happening. Is that a program or data? What is it doing when I'm running it? Is it sending spam, or running a game? Is it reading my tax returns? No idea.
The analogy of guns is an interesting one. Anyone who has had a traditional education concerning guns has heard that they should always treat the gun as if it is loaded and point it away from anything they don't want to shoot. Why? Why not only point it in a safe direction when it is loaded? There is no danger if the action is open and it is obviously empty. The answer is "conditioning." Nobody can concentrate on one thing all the time. By always treating the gun as loaded users condition themselves through repetition. That way, when they're thinking about something else (like is that a bear in those trees) they unconsciously point their gun in a safe direction and don't accidentally shoot their hunting buddy when they stumble.
The reason this is such an appropriate comparison is because Windows uses conditioning as well. Every time it brings up the same cryptic dialogue box with (OK/Cancel) it conditions users to click "OK" to get their computer to work again. It also conditions them to click "OK" when being warned of a potential threat. It is one of the worst UI choices, ever and a classic example of what not to do. In many cases even reading the dialogue you don't know what each of the buttons will do since "OK" and "Cancel" are not appropriate responses and are not actions. It is the result of programmers ignoring the human component of computer/human interactions when it comes to security.
First and foremost, you are responsible for what comes out of your computer.
I'll accept that I am responsible, but that does not mean no one else is as well. Picture this, the computer sales guy talks a grandmother into buying a computer. She knows nothing about them, but he tells her it is as easy to use as a TV and will let her send e-mail to her grandkids. They install it and hook it up for her. She never patches it and it is not set to do so automatically. It is compromised. It sends spam. Is it her fault she was lied to? Is it her fault she assumed it would behave reasonably instead of doing things all on its own? Yes, but even more than that it is the fault of the salesman and the system designers.
If someone is unfit to use a car, we don't let him use it.
If more than 70% of people are unfit to use most cars on the road, but do just fine with an Audi, maybe we need to rethink our car designs rather than sending everyone back to driver's education.
Likewise, if someone is unfit to use a computer because he cannot follow the most basic rules of common sense, he should not be on t
Re:T-minus 3... 2... 1... (Score:2, Interesting)
Yes, but the program cannot make itself run automatically at bootup as this would require changing files which are owned by root
So basically it will die at next reboot. It might be able to start when that same user logs in, but this can be fixed by forcing all config changes to come from root (Admin or whatever)
It also means that if I scan for this software as root there isnt a thing it can do to avoid detection.
Although this is written with my linux hat on I also happen to develop software for windows and can see no reason that the same principles cannot be applied to windows.
Apart from one, it would cost MS a fortune to rewrite office, and they would lose the edge which office has over the competition (all the private hooks into the OS it uses which they dont publicise to other developers)
Re:Could you thwart an undetectable rootkit anyway (Score:2, Interesting)
Re:Security doesn't start at rootkit detection (Score:2, Interesting)
Re:Could you thwart an undetectable rootkit anyway (Score:2, Interesting)
Anecdotal evidence: I once set up a Linux machine behind a firewall, couldn't get to the Internet, but it could be seen from the Internet. Turns out there wasn't any requirement for it to see the Internet, so I checked "done" and moved on. This was a one-off deal.
Got a call a month later: "login isn't working". Of course the machine was for dozens of desktop machines that logged in to run custom Universe scripts, so no one could do his/her work. So I go out there and notice that the network cables have been rearranged to go around the firewall. And there were quite a few email messages spooled up and going nowhere.
Asked about the cable. "Oh. I tried that because I couldn't get to the Internet."
"From this machine?"
"Yeah."
"Why did you want to get to the Internet from the Universe server?"
"I wanted to surf the net while I was waiting for this other install thing that I was doing to finish."
OK, so the machine is naked on the Internet, and login's broken. It takes the password, then another login prompt. Found a rootkit. Reinstalled the O/S, restored Universe from backups, put the machine back behind the firewall.
Oh, the spooled-up email messages? Email to the rootkit installer. Even if the machine was pwned, s/he never found out. After poking around for a while, I discovered that it was a poorly implemented rootkit, e.g., the replacement for
Further, even if the elaborate cloaking schemes are followed, there must be communication back to the new pwner of the machine.