Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×

Windows Rootkit Wars Escalate 342

An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in a ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."
This discussion has been archived. No new comments can be posted.

Windows Rootkit Wars Escalate

Comments Filter:
  • Whats ADS for? (Score:2, Interesting)

    by Viol8 ( 599362 )
    Was this designed simply an easy way to hide (system?) files in the filesystem
    or was it for something different entirely? I remember there being a "chmod +/-h"
    in old (perhaps even current, I no longer use it) versions of HP-UX that would hide
    files , is this something similar?
    • Re:Whats ADS for? (Score:5, Informative)

      by baywulf ( 214371 ) on Thursday July 13, 2006 @10:50AM (#15712943)
      It is like a generalized version of the resource and data fork on old MacOS files with similar uses.
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday July 13, 2006 @10:54AM (#15712971)
      http://www.heysoft.de/nt/ntfs-ads.htm [heysoft.de]

      There's a lot that can be done with it.
    • Re:Whats ADS for? (Score:2, Informative)

      by staticdaze ( 597246 )
      ADS is used in Windows as part of everyday usage. The "Summary" tab that you see when you view any file's properties is stored in ADS. Also, I believe (vague memory here) that when you download something in Internet explorer and try to run the file, the flag for that annoying "You got this from the Internet, are you sure you want to run it?" is stored in ADS.
    • Re:Whats ADS for? (Score:4, Interesting)

      by Control-Z ( 321144 ) on Thursday July 13, 2006 @11:41AM (#15713266)
      It's much more than a "hidden" attribute on a file.

      I fought with the HackerDefender rootkit earlier this year. Best I can tell it got in through a vulnerability in the Finger port of my mail server. It installed itself as a legacy mode device driver. The device driver was set up to hide certain filenames from Windows. Once installed, you COULD NOT SEE the files the rootkit used. The files weren't files marked with the "hidden" attribute, they were simply hidden from Windows at all levels. You COULD NOT SEE the registry entries. You could not see the task in Task Manager. Very evil and took many hours of my time to fix.

    • Make your own ADS (Score:4, Interesting)

      by The MAZZTer ( 911996 ) <megazzt AT gmail DOT com> on Thursday July 13, 2006 @01:16PM (#15713810) Homepage

      Go to the command prompt.

      echo Text! > text.txt:ADS

      Do a DIR and you'll see the size of text.txt is 0 bytes.

      The string "Text!" has ended up in an ADS stream called "ADS".

  • Forever War (Score:4, Insightful)

    by Kream ( 78601 ) <hoipolloi&gmail,com> on Thursday July 13, 2006 @10:47AM (#15712916)
    rootkit v. counter rootkit
    counter counter rootkit v. counter rootkit
    counter counter counter rootkit v. counter counter rootkit

    An endless cycle of patch, pray, patch, pray, reinstall awaits us.

    X|K|Ubuntu, anyone?
    • Here let me codify that:

      while (!os_written_in_typesafe_language) {
            counter_rootkit(create_rootkit(true));
      }
      . . .
      catch (NoSuchRootkitPossibleException ex) {
      // what's that you say?
      }
      • Is there any particular reason you believe that writing an OS in a typesafe language would make rootkits impossible? Or are you implying something else?
    • Starting to sound like our missile defense system. First a missile, then an anti-missile missile. Then an anti-anti-missile missile, and so forth. I feel safer already. If Star Wars can keep the homeland safe, then surely a better rootkit from symantec (or sony!) can keep me safe from these rootkits!
    • Re:Forever War (Score:5, Informative)

      by Lumpy ( 12016 ) on Thursday July 13, 2006 @12:56PM (#15713679) Homepage
      Nope your saviour is called BartPE. no virus,worm,rootkit on the planet can disable it.

      In fact I dont even bother running any Host OS scans when I fix someone's PC anymore, I boot from a BartPE disc, scan it with the antivir and antispyware and clean it up easier and faster than anything else.

      Takes me far less time I get it on the first try and it's back to a clean machine for 35 seconds until the owner clicks on things again to reinstall every bit of spyware.
  • Undetectable? (Score:3, Insightful)

    by PIPBoy3000 ( 619296 ) on Thursday July 13, 2006 @10:48AM (#15712926)
    Since F-Secure detects it, does that imply it's not popular?
  • by Anonymous Coward on Thursday July 13, 2006 @10:51AM (#15712946)
    If only Windows was closed source, then writing such tools would be difficult. Oh, wait...
  • Detection (Score:5, Funny)

    by kirkb ( 158552 ) on Thursday July 13, 2006 @10:54AM (#15712972) Homepage
    This Russian-created rootkit is smart enough to recognize known anti-rootkit tools and hide from them.

    Does this mean that in Soviet Russia, rootkits detect y... Bah, nevermind. Too easy. :P
  • by Opportunist ( 166417 ) on Thursday July 13, 2006 @10:55AM (#15712974)
    People, please, stay sensible. First of all, a rootkit has to GET into a system. How it hides, how it vanishes, how it hooks certain parts of the system and how it defeats anti-rootkit tools is moot if it doesn't even GET that far.

    Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!

    And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unrelyable source without at least checking what it is!

    My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.

    There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?
    • And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unrelyable source without at least checking what it is!

      My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.

      Normally I would agree, but what about the fact that there may be legitimate sites out there that have been infected by this rootkit, which will then in turn infect users who have no reason to fear infection? Not every work or trojan is spread via the incompetence of the user -- it only seems that way. Look at the way 180solutions is dumping spyware on unaware MySpace users who click on seemingly legitimate content, including an ad for software to protect children. ALl someone has to do is slip this sucker into some seemingly harmless content and WHAM!

    • by Jaysu ( 952981 ) on Thursday July 13, 2006 @11:19AM (#15713121)
      "My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon."

      oh, and uh, don't put a store bought Sony music CD in there either. Spam can come in forms besides bright flashing "click me" banners.
    • Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!

      Oh, [secunia.com] really? [blogspot.com]

      Not to mention that if they have to implement double-digits worth of patches a month [vnunet.com] you have to suspect that there are, indeed, unknown (by the public) security holes to be found, and which may have already been found by blackhats.

      Antimalware tools are akin to snake oil and herbal remedies. No sane system should need that kind of overhead, and I've said i
    • Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of

      This is the situation we find ourselves in on most popular OS and broswers. There are no simple ways to remotely install software without at least the user indirectly knowing about it. This is an improvement. As you say, it is now a social problem where someone has to click a link on some spam email. So it is a socail problem. Note, however, that it might be better if the user had to click a link, ac

    • by 99BottlesOfBeerInMyF ( 813746 ) on Thursday July 13, 2006 @11:57AM (#15713361)

      People, please, stay sensible. First of all, a rootkit has to GET into a system.

      True, but there are many modes of infection.

      Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!

      So, just because you don't know of any unpatched, remote vulnerabilities being exploited, we should not worry about them? What about local escalations, there are plenty of those outstanding and some people admin multi-user boxes. Finally, it can come in as a trojan. No one has the time to exhaustively check every program they run, if the source is even available. That means you have to trust every program you install. This is asking users to sacrifice usability for security, and that is a classic security blunder.

      My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon.

      My prediction is we can stop 100% of worms, trojans, and spybots by no longer using computers... of course that kind of defeats the purpose.

      There is no technical solution for a social problem.

      Malware is mostly a technical problem and a computer/human interaction problem. It can be solved with education as a social problem, but only when the previous problems have been fixed. You can't expect users to learn a whole lot of really complex topics in order to perform simple tasks. It is not going to happen. When joe-sixpack runs their computer they expect it to conform to some basic, sensible characteristics and it is failing. This is not the user's fault. This is the fault of the people who designed the system first and then tried to teach the average person a long series of complex topics and ever changing rules. What they should have done was ask the users what the computer should do and then make the computer do that.

      It is unreasonable to expect that clicking on an icon that looks just like your picture files will install a program and let someone in Russia start using your computer to send spam. This is a failing of the computer, not the user. The computer should clearly indicate to the user what is a picture and what is a program. Then, it should not let the program do anything the user does not expect and want. If this rootkit arrives in a trojan, disguised as data or a beneficial program like a game, and the user runs it, they still should not have to worry about it because it should be running in a sandbox, by default. When it tries to do something unusual, like patch the core of the OS, the user should be warned in very strong language and given the option of letting the rootkit patch a VM's core OS instead, thereby stopping it from having any effect. It doesn't take a genius to do this, if only people would stop apologizing for how crappily most OS's, especially Windows, deal with this stuff. By blaming the users for this failing you're part of the problem. Stop it.

    • There is no technical solution for a social problem.

      Condoms (a technical solution) MITIGATES a social problem (teen pregnancy, STD's). They don't SOLVE these problems, because a Condom is only something like 99% effective (the 1% being people who don't use them properly).

      So, assuming one's social problem is going out and seeking the services of a prostitute - use of condoms by said prostitute means that 99% of your prostitues won't have an STD (except crab lice - prefer those who shave). The world is bette
  • by ThinkFr33ly ( 902481 ) on Thursday July 13, 2006 @10:58AM (#15712994)
    I think it's somewhat disingenuous to specifically note this rootkit works in Vista. It implies that the security work done in Vista has somehow failed.

    Vista has numerous improvements security wise, and almost all of them have to do with prevent a machine from becoming infected to begin with.

    , [msdn.com]UAC [msdn.com], Windows Defender [microsoft.com], the improved software firewall [microsoft.com], IE 7+ sandboxing/broker [msdn.com], etc... these are all meant to make it a lot harder for malware to get on the machine to begin with.

    As the old security adage goes, if untrusted software is run on your machine, it's not your machine anymore. [microsoft.com]
  • by Bill, Shooter of Bul ( 629286 ) on Thursday July 13, 2006 @11:05AM (#15713037) Journal
    FSecure's posting says that they released a version of their antirootkit software that can defeat this. Date June 21

    Symantec says that FSecure's product can't remove this. Date June 29.

    Any reason for this discrepency? You'd think they'd continue to moniter what other companies are doing to combat the problem and 8 days would be enough for them to find out about the new release.
    • The Symantec article may be referring to some research they were doing over the course of a week or two, or the fact that they're looking at Rustock.B may mean that it's a new variant that again deals with F-Secure's detection.
    • by ALecs ( 118703 )
      F-Secure's blog says Blacklight can detect this kit - but can't remove it. The instructions for removing it involve booting from recovery console and using some arcance incantatio of the copy command to splat garbage over the ADS. I'd call that "cannot remove this virus".
  • Seems to effect (Score:2, Interesting)

    by Utopia ( 149375 )
    x86 versions only.

    Would be interesting to know if there will be or are 64-bit versions of rootkits.
    • You mean 32-bit, right? The desktop 64-bit processors out now are x86 processors, unless I missed the memo that we were all to move to RISC.
      • Re:Seems to effect (Score:4, Informative)

        by spinfire ( 148920 ) <dpn@isomerica.net> on Thursday July 13, 2006 @11:56AM (#15713355) Homepage
        The desktop 64-bit processors out now are x86 processors, unless I missed the memo that we were all to move to RISC.
        You did miss the memo. The AMD and Intel 64 bit processors use an instruction set architecture called "x86_64" (also x64 or AMD64 or EM64T, isn't marketing wonderful?). This instruction set extends the original 32 bit x86 instruction set. Wikipedia has some x86_64 [wikipedia.org] architecture information.
  • Detect this.... (Score:3, Informative)

    by mdsc1 ( 988693 ) on Thursday July 13, 2006 @11:14AM (#15713084)
    Did the writers of the rootkit consider that...

    "The reason that there is no longer a command-line version is that malware authors have started targetting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior." http://www.sysinternals.com/Utilities/RootkitRevea ler.html [sysinternals.com]

    Ooops... 1 step ahead of the hackers yet again.
  • Vista compatible? (Score:4, Interesting)

    by tlhIngan ( 30335 ) <slashdot.worf@net> on Thursday July 13, 2006 @11:17AM (#15713107)
    Don't rootkits need to hook into the kernel in some way, and the "some way" in Vista is via signed binaries? Overriding kernel hooks seem to imply that yes, signed binaries are needed as well...

    Also, would it be able to hide from a tool like SysInternal's rootkit detector which compares API return values for the registry and filesystem with an actual analysis of the registry files themselves, and a scan of the raw blocks on the disk? (Understands NTFS and FAT, and the registry hive format).
  • Howdy Hoo ! (Score:2, Funny)

    by Joebert ( 946227 )
    Theese things are like the neighbor that just walks in the house, takes a piss, grabs a beer out of the fridge, asks you if you're watching teh game after sitting on the couch next to you.

    If they'd put some fucking beer in there now & then it wouldn't be so damn aggrevating.
  • by linebackn ( 131821 ) on Thursday July 13, 2006 @11:22AM (#15713140)
    NTFS alternate data stream? It's a good thing I still use Windows 95 that doesn't have any of those fancy shmancy features that can be exploited like that.
  • Useful tool link (Score:5, Informative)

    by RebornData ( 25811 ) on Thursday July 13, 2006 @11:22AM (#15713142)
    If you're (like me) one of the, umm, fortunate souls who get to clean up rootkit-infested machines regularly, there's a tool you should know about: LADS, for "list alternative data streams"

    It can be found buried in this FAQ about the NTFS ADS feature: http://www.heysoft.de/nt/ntfs-ads.htm [heysoft.de]

    I haven't tried it yet, but it looks like it should work from a win32 bootdisk (like BARTPE). So you should be able to boot from a clean win32 environment and scan the computer's hard disk to find any files with ADSs. Fortunately, use of this feature within NTFS is not widespread, so malware should stand out pretty obviously.

    Have fun!

    -R
  • by goat_roperdillo ( 984552 ) on Thursday July 13, 2006 @11:27AM (#15713174)
    Some of the first info on ADS was revealed when IIS users were notified by Microsoft that the full source code of any ASP URL, e.g.
    http://www.mycode.asp
    could be downloaded to a browser by appending ":$DATA" to the URL, e.g.,
    http://www.mycode.asp:$DATA
    Little explanation of ADS or the special ADS keyword "$DATA" was revealed in the Microsoft Security Bulletin MS98-003 [microsoft.com]. At the time I could not fine a full list of ADS keywords or an explanation of ADS on Microsoft's site, merely references to making a filename "canonical" (whatever that meant - no explanation was provided).

    Microsoft has been less than forthcoming about ADS, it's function and it's mechanism. ADS has been used in the past to hack into web servers and now appears to be useful for rooting any system with NTFS.

    Is ADS a Microsoft backdoor?

    • Is ADS a Microsoft backdoor?

      Given that Microsoft has the keys to the front door (windows security update for example), why would they need a backdoor?

      I'm undecided as to whether alternative stream was a good idea with poor implementation (and bad documentation), or just a bad idea.

      • by jandrese ( 485 ) <kensama@vt.edu> on Thursday July 13, 2006 @01:03PM (#15713721) Homepage Journal
        Is there any legitimate program that uses the ADS? I can see maybe some 68k Macintosh emulators using it, but most of the time those guys just create a virtual drive (a big single file that doesn't use the ADS) instead.

        I've known about it for a long time now, but have yet to ever use it myself. I really wish you could disable it entirely if nothing legitmate is going to bother. As it is now, it's just a poor security-by-obscurity mechanism that really has no place in the base OS.

        Wait, I take back what I said before. I did find one shareware program that hid it's "I've been installed for this long" counter file in the ADS. Deleting the file reset the counter. :)
        • The OS uses it to store summary and author information. The content indexer would use it to store a thumbnail image. It's a little weird because if you don't know about it, you always assumed that one file was "one file".

          Fortunately, the ADS stream can only be non-critical data because transferring to a single stream filesystem (such as FAT32) would drop the additional stream. I'm not sure if ZIP stores them or not (built in ZIP in XP), but that would be interesting.

          Think of it as a named section of a fil
    • There is no full list of "keywords" for the same reason there is no complete list of file name extensions, any program can choose their own. The only special thing about $DATA is that this is (generally) the default mapping. The IIS bug had little to do with ADS per se, but more to do with how you detect what file a reference goes to, and what you do by default. A possible similar bug would be using the case insensitiveness of the file system, if there was a bug not realizing this in the server. Other bugs
      • I think this is the equivalent situation. When you chroot, it changes the root of the file system, "/", but IIRC it doesn't change any open directory handles. In particular, it doesn't change the current working directory. So you should always follow a chroot with "cd /" or equivalent. If you have other open directories, you also have to deal with those.

        Otherwise, a hacker could just "cd .." and they're out of your jail.
    • Actually, NTFS streams were pretty well discussed when they came out back in 1994. They have been there since Windows NT 3.1. They are similiar to the old macintosh's data and resource forks, and I believe Microsoft implemented it so that they could support Macintosh files when acting as a file server (or perhaps they were considering building a Macintosh compatability box on top of the NT kernel).

      I was actually suprised that Microsoft didn't take advantage of streams more often than they do. It would be
    • Little explanation of ADS or the special ADS keyword "$DATA" was revealed

      That exploit just worked by tricking IIS's extension parser - It would normally treat an ASP specially rather than as a plain file. Because the file would obviously have read permission set, specifying that name just returns the file itself the same way IIS would return any other not-special file.

      The DATA stream just specifies the basic unnamed default stream containing what we would normally think of as the file itself. All NTF
  • by dfloyd888 ( 672421 ) * on Thursday July 13, 2006 @11:45AM (#15713299)
    Long ago, in the days of MS-DOS, there was a program that was excellent at detecting unknown MS-DOS viruses. Called Integrity Master, for maximum security one ran it from a bootable floppy, scanned files on the hard disk, and stored the file with the scanned signatures on a floppy. It wasn't SHA or MD5 hashes, but at the time it was solid security.

    Then, one periodically (once or twice a week, as paranoia sees fit) ran the utility on their machine. If stuff in the MS-DOS directory was changed, it was immediately apparant. Integrity Master also was able to scan for some known viruses as well in addition to keeping a log of changed files.

    We need a utility like that for Windows XP and Vista. A bootable CD or DVD that not just can understand NTFS (and NTFS's file compression), but has the necessary software to mount hard disks which are encrypted with BitLocker, PGP, SafeBoot, PointSec, WinMagic, DriveCrypt Plus Pack. The utility should also allow for username/password entry so EFS-protected files can be checked too.

    This utility should use a CD or DVD to boot from, mount hard drive volumes, run checks for alternate data streams, system and nonsystem files, and finally the registry, perhaps including the encrypted parts like the SAM. It should not just save hashes of files, but perhaps have some ability to check file signatures as well (like sfc.exe and sigverif.exe do), so an update to Windows via a legitimate way doesn't set off a lot of false positives. Of course, the "manifest" file storing the file hashes on the file system would be stored on a removable USB drive, so the OS on the hard drive never has the ability to touch it.

    Because this checking is done offline, a rootkit would be a lot harder to hide (unless it uses a method that the integrity scanner wasn't programmed to detect, like perhaps pointing to unallocated disk space for executable code, or hiding in an EFS-protected file.)

    Of course, offline checking isn't perfect, because the machine being scanned has to be totally downed for a good amount of time which can't be done in a 24/7 environment.

    There are some hurdles though. Trying to reduce the amount of false positives is one, for example. A novice user presented with a notice that a lot of files were changed likely wouldn't know what was a bad change, and what was normal for system functioning. After that, its decoding files and registry keys. Finally, if a known rootkit database was used, keeping track of how rootkits encrypt their payload, and delivering timely program updates.
  • Microsoft Private Folder 1.0 uses rootkit-like techniques to hide encrypted files from the Win32 API. I wrote a little about it in
    my blog [blogspot.com] a few days ago.

  • by Shadowland ( 574647 ) on Thursday July 13, 2006 @12:05PM (#15713406)
    [Yoda]
    Begun, the Rootkit Wars have...
    [/Yoda]
  • by Rimbo ( 139781 ) <[rimbosity] [at] [sbcglobal.net]> on Thursday July 13, 2006 @12:38PM (#15713566) Homepage Journal
    My boss was telling me how he'd spent all morning with the IT manager removing a trojan off of his Windows machine.

    I looked up from my iBook and FC5 workstation, looked him in the eye with a face full of innocence, and asked, "What's a 'Trojan?'"

    "Well, see, it's like... a 'trojan' is like the Trojan horse; it's a program that comes into your system and ..."

    wink

    "...why I oughtta slug you!"

    It's a good thing the guy's a consummate professional, because I probably deserve to be writing this from the hospital.
  • by Sloppy ( 14984 ) on Thursday July 13, 2006 @01:39PM (#15713947) Homepage Journal

    I don't know how or when it changed, but the orthodox approach to virus scanning used to be that you booted a known clean (very likely read-only) system in order to diagnose the possibly-compromised system.

    Every time I hear about how some malware uses a rootkit to "hide", I know it simply means that people are using compromised systems to diagnose themselves. That approach is fundamentally flawed. No one should be surprised that it doesn't work, and it shouldn't be news that it doesn't work. We shouldn't be seeing this article on Slashdot in any category other than the humor section.

    But we do see it, because it is news (to somebody?) because this unreliable approach to scanning is mainstream. How the hell did that happen?

    It happened because the AV companies are selling their products as something that Windows users install rather than boot. But we know and they know that can't work. It's snakeoil and I think selling it is despicable.

    • Sure.... but they also leave few real alternatives. So far, the most useful "boot from alternate OS to virus scan/clean" solutions are illegal, pirated boot CDs like "Hiren's" that make the rounds on the net.

      You could shell out the ridiculous price of $400+ for a copy of AVAST's B.A.R.T. CD, I suppose - but then you're stuck with their inferior virus scanning/removal technology. I've generally fared better running the latest AVG on a compromised system's own OS than relying on AVAST to get it clean runni

"There is no statute of limitations on stupidity." -- Randomly produced by a computer program called Markov3.

Working...