
Rootkits: Subverting the Windows Kernel

timothy posted more than 9 years ago | from the only-for-bad-people dept.


nazarijo (Jose Nazario) writes "A group of people out there, let's call them 'elite hacker d00ds,' are able to skillfully craft Windows rootkits that evade almost any known detection system. Some people want to know how this is done, be they aspiring elite hackers, security professionals who have to try and find these rootkits, or just interested parties. If you're one of them, Greg Hoglund and James Butler's new book, Rootkits: Subverting the Windows Kernel, is for you. It's focused like a laser on how to defeat detection at various levels in the Windows OS once you're in." Read on for the rest of Nazario's review.

Some may wonder if Hoglund and Butler are being irresponsible by writing a book that shows you how to bypass detection. If you look closely, however, you'll see that all of the methods they outline are detectable by current rootkit-revealing mechanisms. And they also show you how to detect many new rootkits in the process. I consider this book to be a responsible contribution to the community, professionals and amateurs alike, in the finest tradition of full disclosure.

The book is organized into three major sections, even if it's not explicitly marked as such. The first section serves as an introduction to the topic and some of the high-level concepts you'll need to know about Windows, control mechanisms, and where you can introduce your code. The second part is a highly technical tour of the techniques used to hook your rootkit in and hide it, and the third section is really one chapter covering detection of rootkits.

The first few chapters, which serve to introduce the topic, get technical right away. Chapter 2, for example, shows you some basic mechanisms for hooking in your rootkit. If you're getting lost at this point, you'll probably want to augment your reading with a Win32 internals book. The resources listed by the authors, though, are great. By this point you can also see that the writing is clear and the examples contribute perfectly to the topic. Hardware hooking basics are covered in chapter 3, which should give you some indication of the book's pace (quick!).

By the time you get to chapter 4 and its discussion of how to hook into both userland and the kernel, you're getting at some very valuable material. Although the book focuses on kernel hooking, a brief description of userland hooking is provided. Chapter 5 covers runtime patching, a black art that's not well known. This is almost worth the full price of admission, but the material gets even better.

In chapters 6-9 you get into some serious deep voodoo and dark arts. In these chapters you'll learn the basics of direct kernel object manipulation, layered device drivers (which can save you a lot of work), hardware manipulation, and network handling. All of these are techniques used by rootkit authors to varying degrees and effect, so you should become familiar with them. The code examples are clear and functional, and you'll learn enough to write a basic rootkit in only about 150 pages. Simple keyboard sniffers and covert channels are described in the code examples. Useful stuff.

I can't say I found many errors or nits in the book. There are some problems at times getting the code formatting just right, and what appear to be a few stray characters here and there, but nothing too obvious to me. Then again, I'm not a Windows kernel programmer, so I don't feel qualified to comment on the correctness of the code.

In the finest tradition of using a blog and dynamic website to assist your readers, the authors have set up rootkit.com, which nicely supplements their book. Most of the resources they mention in the book are available here, as well as a great array of contributors and evolving techniques. Without the book the site is still useful, but together they're a great combination. Too many books lose their value once you read them, and some books stay with you because you're having difficulty understanding the authors. Rootkits will stay near you while you develop your skills because it's a lot of material in a small space, and although it's very clearly written, there is a deep amount of material to digest. You'll be working with this one for a while.

My only major wish for this book is for it to have covered detection more significantly. One chapter covers how to detect rootkits, and although you may be able to look for some specific telltale signs of rootkits depending on how they were introduced, a more complete coverage of this approach would have made the book even more worthwhile.

Rootkits is an invaluable contribution to the wider understanding of advanced attack and hacker techniques. Previously, much of this material was known to only a handful of people, and assembling your own knowledge base was difficult. Hoglund and Butler write clearly, use great code examples, and deliver an excellent book on a highly technical and specialized topic. If you're interested in learning how to write your own rootkit or detect someone else's rootkit on your system, you should definitely start with this book.


You can purchase Rootkits: Subverting the Windows Kernel from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


381 comments


First... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13332056)

...Post!

Suck it, bitchez!

Re:First... (-1, Flamebait)

Eric604 (798298) | more than 9 years ago | (#13332150)

YES! In their face!@

Frosty Piss? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13332062)

Why do fireworks die?

31337 (-1, Troll)

mix_master_mike (540678) | more than 9 years ago | (#13332065)

Woah windows rooting, how hardcore is that. 1337 1337 1337.

Re:31337 (0, Troll)

Rosco P. Coltrane (209368) | more than 9 years ago | (#13332098)

Duh... You can't make a book about, say, subverting the NetBSD kernel. You have to have something to write to make a book you know.

It is an interesting book (3, Interesting)

confusion (14388) | more than 9 years ago | (#13332071)

Hopefully the hax0rs are not the only ones reading this. There are some valuable lessons for MS and security providers.

Jerry
http://www.cyvin.org/ [cyvin.org]

Re:It is an interesting book (1)

Iriel (810009) | more than 9 years ago | (#13332112)

So how many years do you think it will be until Microsoft cares about it? ;) </toungeincheek)

Re:It is an interesting book (3, Insightful)

ryanr (30917) | more than 9 years ago | (#13332236)

What do you think Microsoft is going to do about it? If someone has system access there isn't anything to be done about them moving in with a rootkit.

Oh wait, did you mean you want Palladium? Microsoft is way ahead of you, then.

Fat bloated kernels (4, Interesting)

drgonzo59 (747139) | more than 9 years ago | (#13332269)

The lesson in this article should also be that there is something wrong with the Windows kernel if whole books can be written about how to make rootkits for it. The same can go for the Linux kernel. (Yeah that's right, I bashed _the_ penguin on the head, mod me down!)

Kernels are so big and bloated that there is almost a 100% chance of there being some exploitable hole in them. If the "good hackers" discover it, it will be patched; if the "bad hackers" discover it, they will make rootkits.

A lot of the code that is not tested and buggy is in the drivers, and I don't understand why current operating systems still have drivers that are run in the kernel instead of in user space. The machines are fast enough to switch contexts between the display, mouse, sound, disk and communication with the ports. The kernel should be very small and only implement the security policies and handle communications between devices. If the hacker manages to exploit a hole in the display driver, the driver will not crash the system. These are called secure microkernels or separation kernels. I think the present 4GHz machines can handle a 10% slowdown at the expense of, say, 80% improved security. In 18 months, the speed will double anyway ;)

Check out this [nist.gov] paper from NIST that talks about this. Also, more general info about it here [acumeninfo.com]

Re:Fat bloated kernels (5, Informative)

arkanes (521690) | more than 9 years ago | (#13332458)

You can make a rootkit for any OS, even a minimal microkernel, unless your OS runs out of ROM or there's similar hardware-level measures in place. A rootkit is the end result of an exploit, not an exploit itself - the tricky part is getting sufficient access to install a rootkit.

Re:Fat bloated kernels (1)

drgonzo59 (747139) | more than 9 years ago | (#13332485)

You are right, I was just thinking that a small (couple of thousand lines) open source microkernel will have far fewer exploits than a kernel that is a million lines together with drivers and everything else that can run in kernel space.

Re:Fat bloated kernels (1)

TheRealMindChild (743925) | more than 9 years ago | (#13332477)

I don't understand why current operating systems still have drivers that are run in the kernel instead of in user space

Two words: Context Switches

Re:Fat bloated kernels (1)

SharpFang (651121) | more than 9 years ago | (#13332484)

Andy? Andrew Tanenbaum? I didn't know you read Slashdot. By the way, I thought Linus had already explained that matter to you!

(no, 20% efficiency/speed lost is NOT an acceptable loss)

Re:Fat bloated kernels (1)

LnxAddct (679316) | more than 9 years ago | (#13332497)

OMG! Andrew Tanenbaum reads slashdot! Now all we need is for Linus to step up again and we can recreate 1992!
Regards,
Steve

P.S. Hi Andy!

A pundit comment (0)

Anonymous Coward | more than 9 years ago | (#13332397)

Lasers don't focus, they naturally produce a beam of light in which all the photons are travelling in approximately the same direction.

just fyi.

invaluable for something, anyway (-1, Troll)

elvisinmyhead (547182) | more than 9 years ago | (#13332073)

Rootkits is an invaluable contribution in the wider understanding of advanced attack and hacker techniques

heh, heh, yeah...

My opinion (5, Interesting)

Umbral Blot (737704) | more than 9 years ago | (#13332080)

I own this book and I thought it was great. I am not a rootkit creator, but I am working with drivers, and the information this book gives is great for a driver developer. This book is very straightforward and understandable, even for someone with little driver experience, unlike many resources for driver developers. Also it gives actual source code to illustrate concepts, unlike many books which spend too much time covering concepts and too little getting those concepts to do actual work for you.

Great! (not) (-1, Troll)

Spy der Mann (805235) | more than 9 years ago | (#13332084)

More tools for hackers who love to spread SPAM and viruses using our computers, yay! (/sarcasm)

>:(

Re:Great! (not) (2, Insightful)

Anonymous Coward | more than 9 years ago | (#13332127)

It is nice to see that you took the time to post a knee-jerk response, but could not be bothered to read the first paragraph of the article.

Some may wonder if Hoglund and Butler are being irresponsible by writing a book that shows you how to bypass detection. If you look closely, however, you'll see that all of the methods they outline are detectable by current rootkit revealing mechanisms. And they also show you how to detect many new rootkits in the process. I consider this book to be a responsible contribution to the community, professionals and amateurs alike, in the finest tradition full disclosure.

Re:Great! (not) (0)

Anonymous Coward | more than 9 years ago | (#13332179)

oh my god dude its crackers man CRACKERS are the bad ones, hackers are us angelic coders that do the world nothing but good. Oh my god why don't you understand me its just like at school when everyone made fun of me for being different they just didnt understand whaaaaaaaaaaaaaaaaa listen to me! hear me!

Re:Great! (not) (0, Troll)

superpulpsicle (533373) | more than 9 years ago | (#13332216)

But.... crackers get no attention. Hackers cause malicious attacks, they are the ones changing the world above politics and corporate BS.

If it wasn't for these spyware/adwares/hacks, there would have never been a need for firefox. That's just 1 tiny example.

Hey, (0, Flamebait)

TransEurope (889206) | more than 9 years ago | (#13332213)

do we really want the Internet to become a place of a higher order and full control?
I think a little bit of chaos and anarchy is a really good thing.
And warzones are producing really well-paid jobs ;)

Re:Great! (not) (3, Insightful)

jurt1235 (834677) | more than 9 years ago | (#13332382)

If you are running MS Windows, is it then really your computer? Look closely at the licensing, it might reveal some things in the really small print......

Ok, you got moderated as a troll, this should really score good!

I wonder... (2, Insightful)

squoozer (730327) | more than 9 years ago | (#13332089)

...how long it will be before someone tries to ban books like this?

Re:I wonder... (1, Troll)

varmittang (849469) | more than 9 years ago | (#13332164)

I don't know, how long do you think it will take to reach Hillary Clinton.

Re:I wonder... (3, Funny)

TripMaster Monkey (862126) | more than 9 years ago | (#13332184)


If hacker knowledge is outlawed, only outlaws will have hacker knowledge.

Re:I wonder... (2, Interesting)

ndansmith (582590) | more than 9 years ago | (#13332247)

If they are not banned outright, don't be surprised if your FBI file is augmented when you check this book out from the library.

Re:I wonder... (0)

Anonymous Coward | more than 9 years ago | (#13332274)

Yeah didn't the patriot act include getting library records about what books you check out?

Re:I wonder... (1)

computational super (740265) | more than 9 years ago | (#13332296)

Hehe - the first thing I thought when I read the review was, "I wonder if I can buy it at Barnes & Noble... with cash?"

Re:I wonder... (4, Funny)

failure-man (870605) | more than 9 years ago | (#13332369)

Cash is suspicious. Use a gift card that you bought with cash at a different store. And use a disguise. Nothing's less suspicious than a guy in a trenchcoat buying a book with blackhat potential with a gift card . . . . . . .

Re:I wonder... (1)

meringuoid (568297) | more than 9 years ago | (#13332302)

...how long it will be before someone tries to ban books like this?

How long does it take to say 'terrorists'?

That, plus about thirty seconds.

It will never happen. (1)

WindBourne (631190) | more than 9 years ago | (#13332319)

Instead, when you buy the book, the FBI/DOJ will be studying who you are. Use cash.

Obligatory spelling/capitalization gripe (0)

Anonymous Coward | more than 9 years ago | (#13332095)

Okay, so after glancing at the first two paragraphs, I had immediately caught three typos/spelling errors/capitalization problems. ARGH.

Re:Obligatory spelling/capitalization gripe (4, Funny)

SlayerofGods (682938) | more than 9 years ago | (#13332122)

Yah I saw them too. Everyone knows it's not 'elite hacker' but rather 'l33t hax0r'
Damn editors.

Re:Obligatory spelling/capitalization gripe (5, Funny)

anandamide (86527) | more than 9 years ago | (#13332221)

Okay, so after glancing at the first two paragraphs, I had immediately caught three typos/spelling errors/capitalization problems. ARGH.


Sorry, that's spelled 'ARGV'.

Re:Obligatory spelling/capitalization gripe (1, Informative)

Chosen Reject (842143) | more than 9 years ago | (#13332273)

security professionals who have to try and find these rootkits

This one bothers me. How does one go about just trying without trying anything in specific. It's like humming with your mouth open!

It's "try to find".

Re:Obligatory spelling/capitalization gripe (-1, Troll)

tivoKlr (659818) | more than 9 years ago | (#13332307)

Well woop the freakin' doo.

I'm so sick of the damn spelling police and the CONTINUOUS off topic spelling and dupe commentary...(not that this is on topic or anything.)

Re:Obligatory spelling/capitalization gripe (1, Funny)

Stanistani (808333) | more than 9 years ago | (#13332479)

>Well woop the freakin' doo.

That's "whoop de"...

*slides under rug*

rootkits... (1)

ph4te (901242) | more than 9 years ago | (#13332104)

All natural bandaids!

Rootkit Sleuthing IRL (5, Informative)

chota (577760) | more than 9 years ago | (#13332107)

Here's a story of some peeps from Microsoft Product Support Services who got a call about a weird crash in Exchange; tracked it down with the debugger, and found a pretty well-hidden rootkit. In fact, it would've remained hidden if it didn't have a bug in it!

Don't believe everything the debugger is telling you!!! (aka Rootkit) [msdn.com]

Re:Rootkit Sleuthing IRL (1)

ndykman (659315) | more than 9 years ago | (#13332327)

Great link. Pretty impressive work to solve an Exchange crash, and it's a good example of how to use kernel/user debuggers to solve complex crashes. I'd like to hear more stories like that one. You could learn a lot.

It just goes to show, you never can really tell what's really going on without some real effort.

Re:Rootkit Sleuthing IRL (2, Interesting)

Monstard (855195) | more than 9 years ago | (#13332422)

Wow, I read up on rootkits. Amazing. And hacker defender reads like a manifesto on hacking PCs.

As a Mac user I keep hearing about how much more secure Macs are than PCs, and sort of believe that. But in reality, what is the true security of a Mac vs. a PC? I mean, I *want* to believe I have the more secure system, but complacency is the surest way to hack a system. So, anybody know the real deal?

If a Mac hacker was as motivated as any PC hacker, could a rootkit like hacker defender be installed just as easily on a Mac?

We've got to stop them! (3, Funny)

The Woodworker (723841) | more than 9 years ago | (#13332109)

DMCA...no, that won't work. How about PATRIOT ACT! Yeah, those damn terrorists and their first amendment.

Re:We've got to stop them! (1, Insightful)

Anonymous Coward | more than 9 years ago | (#13332170)

Nah, the Patriot Act by itself won't work. I know, let's bri^h^h^hlobby congress to revive the CBDTPA, and let's have them call it something else so the sheeple won't know any difference. When we get that, we will use it along with the patriot act to exe^h^h^hhunt down those tourists.

Sincerely

George W. Bush
President of Hali^h^h^h^h The United States of America

Richard Cheney
Vice President of Hali^h^h^h^h The United States of America

Bill Ga^h^h^h^h^h^h^h

Re: (0)

Anonymous Coward | more than 9 years ago | (#13332478)

Use sparingly, please. The effect just isn't the same when you beat it to death like that.

Re:We've got to stop them! (1)

xmorg (718633) | more than 9 years ago | (#13332343)

I agree with The Woodworker. These are terrorists, and need to go to Guantanamo. You can hit them with DMCA and Patriot Act charges.

easy stuff (0)

Anonymous Coward | more than 9 years ago | (#13332110)

making windows rootkits is almost as easy as making linux rootkits, almost.

Don't tell girls you're going to root their box (5, Funny)

Anonymous Coward | more than 9 years ago | (#13332114)

I was chatting up this chick in a bar last night and I said, "Yeah, I could root your box in about five seconds," and she slapped me! I thought that would impress the chixxors!

Root a box (2, Informative)

totallygeek (263191) | more than 9 years ago | (#13332166)

In Australia, to root something is to have sexual intercourse with it. So, chatting with some chick about rooting her box may get you a slap. You should buy her a drink first.


Where I learned this [imdb.com] . Well, about the rooting, not about the smoothing over chicks.

She wasn't impressed with my 3.5" floppy, either (1)

spun (1352) | more than 9 years ago | (#13332399)

She said I couldn't root her box because my hard drive was too small and I didn't have enough RAM. Then she said that all her ports were closed unless I had a fat pipe. Chicks these days, they want top of the line hardware, let me tell you.

Re:Don't tell girls you're going to root their box (1)

game kid (805301) | more than 9 years ago | (#13332461)

You should have specified a more reasonable timeout period.

Like, about four minutes. ;)

hmm.. (0)

Anonymous Coward | more than 9 years ago | (#13332115)

So that's why I get all these blue screens of death... I must have a root kit installed on my machine.. oh wait..

Hmmmm (2, Funny)

chriso11 (254041) | more than 9 years ago | (#13332116)

I keep thinking I need this book just to secure my own PCs and also help out friends...

You have to love the windows environment.

Although good for security experts, (0, Flamebait)

Tolkien (664315) | more than 9 years ago | (#13332117)

I'll bet /. anything that this book is going to start churning out script kiddies.

Re:Although good for security experts, (2, Interesting)

g0bshiTe (596213) | more than 9 years ago | (#13332295)

I doubt it would do them much good, I suppose you would have to have more technical knowledge than the average script kiddie to make effective use of this title.

Not to mention know how to read.

I need this (1)

SLASHAttitude (569660) | more than 9 years ago | (#13332123)

This is something I have been interested in for some time. I can not wait to get this book and give it a once over.

Subversion enough? (1)

gmac63 (12603) | more than 9 years ago | (#13332124)


I thought merely installing Windows was subversion enough. Am I wrong?

-Security d00d

The great thing about this book (1)

Rosco P. Coltrane (209368) | more than 9 years ago | (#13332133)

It's also a useful tool for advocates who try to convince people to switch from Windows to another OS (no, not just Linux), the argument being "look, you wonder if Windows is insecure? how about a whole friggin book, with an ISBN and all, about how to do nasty things in Windows despite A/V software and anti-spywares!"

Re:The great thing about this book (3, Insightful)

defile (1059) | more than 9 years ago | (#13332177)

It's also a useful tool for advocates who try to convince people to switch from Windows to another OS (no, not just Linux), the argument being "look, you wonder if Windows is insecure? how about a whole friggin book, with an ISBN and all, about how to do nasty things in Windows despite A/V software and anti-spywares!"

Which OS were you talking about? I could swear the ones you might name have hacking books written about them too.

Re:The great thing about this book (1)

dioscaido (541037) | more than 9 years ago | (#13332285)

Yeah, thank god it is so much more difficult to write root kits of unix/linux/osx!!LOL!1!one! :)

Re:The great thing about this book (3, Insightful)

LurkerXXX (667952) | more than 9 years ago | (#13332351)

Yeah, it'd be terrible to use an OS with rootkits available for it.

Instead of windows they could switch to Linux or a *BSD or [rootkit.nl] MacOS [secretweaponlabs.com] .

Oh wait, almost all OS's out there right now have rootkits for them.

Re:The great thing about this book (1)

Cheapy (809643) | more than 9 years ago | (#13332400)

You seem to forget that rootkits were originally a Unix thing. You know, a kit that would replace 'netstat', 'w', and other commands with modified versions so the regular users wouldn't notice any illegal activity.

Does this still work? (3, Informative)

meditation_dude (907877) | more than 9 years ago | (#13332159)

I remember people had Linux boot disks for changing the Windows NT admin password. But does this kind of thing still work for Windows XP and the server editions? I wonder if Microsoft will take this info and use it in Windows Vista to counteract rooting.

Re:Does this still work? (3, Funny)

TripMaster Monkey (862126) | more than 9 years ago | (#13332224)


But does this kind of thing still work for Windows XP and the server editions?

Short answer: yes.
Long answer: hell yes.

There is no such thing as security if you have physical access to the box. Period.

Re:Does this still work? (2)

morgan_greywolf (835522) | more than 9 years ago | (#13332310)

There is no such thing as security if you have physical access to the box. Period.

Exactly. You could boot from alternate media, swap hard drives, or heck, you could even just put the system hard drive(s) in your pocket. That's why locking down desktops is basically pointless for anyone that knows what they're doing.

Re:Does this still work? (3, Funny)

SharpFang (651121) | more than 9 years ago | (#13332502)

You can always booby-trap the case.

Re:Does this still work? (3, Insightful)

RetroGeek (206522) | more than 9 years ago | (#13332455)

There is no such thing as security if you have physical access to the box. Period.

Which is why you need disk encryptors. The entire disk is encrypted. Go ahead, access it outside the OS environment. All you get is random bits.

Yes, you can try to brute force the password, but that takes many, many CPU cycles, and much time.

Google it [google.com]

Re:Does this still work? (1)

pandrijeczko (588093) | more than 9 years ago | (#13332292)

Using a Linux boot disk means you can forget about the NT admin password anyway - just mount the Windows NTFS partition onto the Linux filesystem and you can take off any information you want...

Incidentally, you can do this with just about any OS, even another Linux box - it's the fact that Linux can recognise just about any partition type there is (with the correct kernel/modules in place) that makes this work.

Re:Does this still work? (1)

emidln (806452) | more than 9 years ago | (#13332418)

ahem, *cough*, encryption, *cough*

This is why on systems that demand physical security in an insecure location we use loopback encryption. Welcome to 1999!

Re:Does this still work? (0)

Anonymous Coward | more than 9 years ago | (#13332340)

Windows doesn't have much to say about security before it has started. Even Linux, etc. are vulnerable to this sort of attack.

You can lock these things out by disabling booting from anything but the hard drive in BIOS and password protecting it. (at least for Windows, iirc you can just add parameters at the bootloader prompt to get into linux)

Of course if an attacker can open up the machine and reset BIOS, they pretty much physically "own" it to begin with.

Re:Does this still work? (2, Informative)

Grantmillie (899785) | more than 9 years ago | (#13332434)

One thing I just recently learned, along the same lines, when trying to recover files from a drive with a bad boot sector: Windows security for protecting profile-specific data (my documents etc.) can just as easily be hacked using nothing more than Windows. All you have to do is load the drive on another Windows machine; when you try to view the files and you get an "access denied" message, merely go through the advanced security settings on the folder and there is the option to apply your own security settings directly over the old ones. Bam, easy access.

Wow (3, Interesting)

ryanr (30917) | more than 9 years ago | (#13332174)

I don't think I've ever seen Jose be so complimentary about a book before. Nice job, guys. I have the book as well, and I like what I've seen so far, but I haven't read enough yet to comment meaningfully.

I will point out though that the rootkit.com site has been around for a few years now, and obviously predates the book. In fact, I hope the book will explain in greater detail a lot of the technical topics from the site that are often only presented via code.

"Greg", not "Grog" (1, Informative)

Anonymous Coward | more than 9 years ago | (#13332183)

That's GREG HOGLUND. Not 'Grog Hegland'!

Sheesh, it's even written down on the front cover of the book that you supposedly have in front of you while reviewing it!

w00t (3, Funny)

vga_init (589198) | more than 9 years ago | (#13332191)

r0x0rz j00r b0x0rz, d00d

Re:w00t (1)

j_cavera (758777) | more than 9 years ago | (#13332218)

Probably the first time in Slashdot's history that that comment is actually on topic...

d00d! ill be l33t h4xx0r!! (0)

filesiteguy (695431) | more than 9 years ago | (#13332197)

So if I'm reading this correctly, I can break into a Windows workstation?

I won't need a Knoppix CD?

I should try this on my workstation...

...oh, wait. I run Linux. Nevermind.

What I like is that people are becoming more aware of the vulnerabilities in these systems, which include Windows NT/XP/Vista (a single-user system subverted to multi-use) and Linux/Unix/Mac (which are multi-user to begin with.)

Re:d00d! ill be l33t h4xx0r!! (1)

meringuoid (568297) | more than 9 years ago | (#13332284)

I should try this on my workstation... oh, wait. I run Linux. Nevermind.

Good for you. For any panicking Windows users - move to UNIX and never worry about rootkits ever again!

Really, go ahead. You can trust me ;-)

Linux is NOT UNIX! (1, Interesting)

Anonymous Coward | more than 9 years ago | (#13332391)

Linux isn't the only kernel, *cough* (UNIX Clone) that has or can have rootkits, other UNIX(tm) variants too - including FreeBSD and somewhat possible on OpenBSD; but Linux being the most common for such in-securities by clueless admins running clueless windows-like/wannabe Linux distros. Odd that they call this a 'rootkit' for MS Windows though, doesn't make sense as there is no 'root' user by default in MS Windows.

-Linux, for those who hate MS.

-*BSD, for those who love UNIX.

Re:d00d! ill be l33t h4xx0r!! (0)

Anonymous Coward | more than 9 years ago | (#13332408)

And if you aren't running encrypted file systems on your Linux workstation, I can break into it if I have a Knoppix CD or otherwise have physical access. What's your point? You think there has never been a rootkit out for Linux? Riight.

Re:d00d! ill be l33t h4xx0r!! (1, Informative)

Anonymous Coward | more than 9 years ago | (#13332419)

which include Windows NT/XP/Vista (a single-user system subverted to multi-use)

just as sort of a postscript here, that is absolutely false

Easy. (0)

Anonymous Coward | more than 9 years ago | (#13332252)

How to subvert the Windows kernel? Just run it.

Spiff (1)

RenegadeRunner (907473) | more than 9 years ago | (#13332260)

Wanna check the book out myself, given such a good response. I share several others' sentiments in believing it will be put to good use for the sake of security and everyone's welfare, but let's be real: script kiddies eat this stuff up.

Re:Spiff (1)

rel4x (783238) | more than 9 years ago | (#13332453)

hmm...while I share your general dislike for the people that would use this information in a less than responsible fashion, I feel the need to point out that Script Kiddies are probably not going to be toying with layered device drivers...their only draw would be code samples, and those are EVERYWHERE already. These people would probably be a bit more skilled.

Shameless plug (3, Interesting)

republican gourd (879711) | more than 9 years ago | (#13332291)

Since it's vaguely on topic, and I'd like feedback if I can get it, here is some shameless whoring for a Free rootkit detection program I wrote:

Here's the URL [elifulkerson.com]

This is a multithreaded script that establishes socket connections between the threads and tries to pass a keyphrase between them. The assumption is that even if Windows is compromised, a successful TCP connection will indicate that the port is really not in use, regardless of what netstat says. Unless a rootkit is slick enough to make multiple programs share a port regardless of SO_REUSEADDR, this should catch it. The drawback, unfortunately, is that it can take a significant amount of time to scan 65,000 odd ports in this manner. Anyway, it's GPL, so have at it.
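The cross-check this post describes, as an added example and not the poster's own tool: a completed TCP handshake is taken as ground truth for "something is listening", and that result is diffed against what a (possibly subverted) netstat listing reports. The netstat text below is constructed, the probe is restricted to localhost, and the scan is sequential rather than threaded to keep the logic visible.

```python
import re
import socket

# Constructed sample "netstat -an" output (not captured from a real host).
# A rootkit that filters netstat's output would simply omit the row for
# the port it wants to hide; the network stack still completes the handshake.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
"""

# Matches both Windows "LISTENING" and Unix "LISTEN" rows.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTEN", re.MULTILINE)


def reported_listeners(netstat_text):
    """Ports the (possibly lying) userland tool claims are listening."""
    return {int(p) for p in LISTEN_RE.findall(netstat_text)}


def really_listening(port, host="127.0.0.1", timeout=0.2):
    """Ground truth from the kernel's TCP stack: connect_ex() returning 0
    means a listener accepted the handshake, whatever netstat printed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def hidden_listeners(ports, netstat_text):
    """Ports that accept a connection but are absent from netstat output.
    These are the candidates for a port-hiding rootkit."""
    reported = reported_listeners(netstat_text)
    return {p for p in ports if really_listening(p) and p not in reported}


if __name__ == "__main__":
    # Demo: a real listener on an ephemeral port that the constructed
    # netstat text never mentions is flagged as hidden; port 1 (closed) is not.
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        print("hidden:", hidden_listeners([port, 1], SAMPLE_NETSTAT))
```

A full scan walks all 65,535 ports the same way, which is where the poster's threading and the long runtime come from.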

The need for ROM kernels (5, Interesting)

G4from128k (686170) | more than 9 years ago | (#13332293)

The core problem with detecting a rootkit is that the detection software would seem to need to run inside the infected codespace. Unless the detector is 100% self-contained (e.g., involves NO calls to OS API during the detection process) the detector is itself detectable and defeatable by a skilled rootkit. Since invoking any software on a running system means calling APIs of that system (to read the executable, spawn a new process, etc.) and those APIs are not trustworthy on a rooted system, detection seems like a tricky problem.

The solution is either to boot the detector from its own media (inconvenient if you want to scan your system for rootkits on any regular basis) or to create a ROM core to the OS that is totally incorruptible. To be safe, this core needs to be not patchable or modifiable by any software running outside the ROM.

The point is that no computer can trust code fragments stored on writable media. The only way to really secure a system is with hardware (i.e., functionality embedded in a chip) or ROM-based software.

Moving to ROM isn't without its challenges. The writers of the code will actually need to be very good at their jobs because they won't be able to fix the problem later with a simple patch. But maybe the core of an OS should be this way -- based on very well-written code that does not need patching.

Re:The need for ROM kernels (5, Insightful)

Animats (122034) | more than 9 years ago | (#13332433)

A secure microkernel is quite possible, but, as Ballmer once said, "If we stopped adding features to Windows, it would become a commodity, like a BIOS. And Microsoft is not in the BIOS business".

ROM Microkernels, but they won't help (1)

jfengel (409917) | more than 9 years ago | (#13332493)

There is a middle path, where perhaps the ROM can be modified only with very particular acknowledgement from the user. Say, the mod has to be burned onto a CD and booted, and before overwriting itself the existing ROM asks, "Are you 100% sure you got this from a reliable source?" It could even check the Net to check the signature, if it had sufficient IP stack built in.

This works best with microkernel architecture, which lets out Linux and Windows but OS X could conceivably go there. (And Windows actually could do it as well, since it is built around a kind of overblown microkernel.)

But still, the protected kernel isn't really the problem. You can't really hard-code detection software into it because there are always new rootkits that would require mods to the protected kernel. I just showed that it could be done, but it would be deliberately awkward, and so there's plenty of time for a new flaw to be exploited.

It would make it easier to clean the infection off your system without reinstalling, but if you're wiping out everything above the microkernel, you're effectively reinstalling anyway. During a regular reinstall, the BIOS acts as the micro-microkernel. So it's all the same.

Re:The need for ROM kernels (1)

coolsva (786215) | more than 9 years ago | (#13332499)

Read recently that in the XBox, there is some 512 bytes of code in the ROM (well hidden) that can authenticate the boot code; this way I'm sure a future version of Windows can be sure that it is started without any rootkit exploits (ROM boot code refuses to execute an exploited OS).

And with it I can hack the gibson in 3 seconds ... (2, Funny)

PalmKiller (174161) | more than 9 years ago | (#13332322)

oh nevermind

tunbgir7 (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13332335)

I'll have oofended users. Surprise and 3istraction

Rootkit Revealer (1)

IHawkMike (564552) | more than 9 years ago | (#13332341)

You can get a great tool for detecting rootkits as well as a nice little explanation of them here [sysinternals.com] .

Re:Rootkit Revealer (1)

IHawkMike (564552) | more than 9 years ago | (#13332381)

The L got left off the URL. Sorry. Try again [sysinternals.com]

No Obligatory Snipery? (3, Funny)

sadomikeyism (677964) | more than 9 years ago | (#13332345)

Where is the "I for one welcome our rootkit overlords"? Or the "ALL YOUR ROOT ARE BELONG TO US"?

Rootkit revealer (4, Informative)

markh1967 (315861) | more than 9 years ago | (#13332361)

If you run Windows and want to check if your system has a rootkit installed try running Rootkit revealer [sysinternals.com] .

It scans all files and registry entries at a high and low level then compares the two to see which files and registry entries were hidden to the high level scan.

predictions? (2, Insightful)

dioscaido (541037) | more than 9 years ago | (#13332377)

How many readers won't know what a root kit is, and declare 'ha, see! windowze is insecure, glad I run [alternate]'? :}

Why are you reviewing this book? (0, Troll)

slavemowgli (585321) | more than 9 years ago | (#13332387)

I'm not a Windows kernel programmer, so I don't feel qualified to comment on the correctness of the code.

Um... then why are you reviewing this book? Shouldn't you be at least somewhat familiar with the topic it covers? Saying that you didn't find any errors or omissions is akin to someone like me reviewing a book on - say - how to do brain surgery and concluding that it's good because I couldn't find any downsides.

When you don't know anything about the topic in question, then it's not surprising that you don't find anything that's wrong with the book. But it also means that your review is, basically, worthless.

Aw... Windows is growing up... [sniff] (1)

bersl2 (689221) | more than 9 years ago | (#13332438)

I have been waiting for the day that Windows rootkits will start compromising the various detection utilities as well, such that the only way to remove the kits is to run read-only from a trusted environment. Then they will all discover how deep the rabbit hole goes. Or something like that.

This is not a troll, because I think that is a sign of forthcoming higher maturity.

Dupe (1)

wardle (206858) | more than 9 years ago | (#13332442)

see this article [slashdot.org] !

Is this a response to that "Ask Slashdot" article?

P.S. This is a joke.

legal (1)

Khashishi (775369) | more than 9 years ago | (#13332481)

Is this book legal?

Sample chapter here (1)

Karamchand (607798) | more than 9 years ago | (#13332482)

Try before you buy and check out the book's sample chapter, Leave No Trace [awprofessional.com] now!