
New Alureon Rootkit Takes Malware To New Level

CmdrTaco posted more than 2 years ago | from the boot-the-root dept.


Trailrunner7 writes "A new version of the venerable Alureon malware has appeared, and this one includes some odd behavior designed to prevent analysis and detection by antimalware systems. However, this isn't the typical evasion algorithm, as it uses some unusual encryption and decryption routines to make life much more difficult for analysts and users whose machines have been infected. Alureon is a well-known and oft-researched malware family that has some rootkit-like capabilities in some of its variations. The newest version of the malware exhibits some behavior that researchers haven't seen before and which make it more problematic for antimalware software to detect it and for experts to break down its components."


135 comments

A silly question (3, Insightful)

countertrolling (1585477) | more than 2 years ago | (#36140762)

Why can't the system be installed on ROM? At the very least, it will boot clean every time...

Re:A silly question (-1, Troll)

x*yy*x (2058140) | more than 2 years ago | (#36140778)

And all the users programs will be gone on next reboot?

Re:A silly question (2)

Penguinisto (415985) | more than 2 years ago | (#36142310)

Dude - he was probably referring to the OS, not the apps.

Uncle (below) answered it adequately - that the OS would reboot with a 'pristine' state - including the same flaws it had before. While this would frustrate some forms of trojan or malware, it certainly wouldn't even begin to stop it all.

You can do something similar with virtual machinery, but the pristine VM could get corrupted too... becomes a chicken/egg question if the user isn't too awful computer-savvy.

Now someone with some sysadmin mojo could use it to good effect (oh? that website infected my VM? Well, time to clone off another from the virgin copy, test it out to be sure, and just avoid that site - maybe notify the site owner...) But normal users? Nuh-uh. They'll just get re-infected again 6 or 7 times out of ten.

Re:A silly question (1)

Yvan256 (722131) | more than 2 years ago | (#36143436)

But if the system could check itself in real-time, it could compare the running copy with the ROM (supposedly clean) copy and "reboot" the bad parts while the user is continuing what he's doing.

Re:A silly question (2)

drolli (522659) | more than 2 years ago | (#36140810)

Because then security leaks can't be fixed? I suggest at least some switch to update the software. On the other hand that could be achieved with any USB stick with a write protect switch.

Re:A silly question (3, Insightful)

datapharmer (1099455) | more than 2 years ago | (#36140936)

EEPROM can be... this is essentially what coreboot is.

Re:A silly question (5, Insightful)

drsmithy (35869) | more than 2 years ago | (#36141512)

EEPROM can be... this is essentially what coreboot is.

If the end user can do it, the end user can be convinced to do it by malware.

Re:A silly question (4, Insightful)

countertrolling (1585477) | more than 2 years ago | (#36140944)

On the other hand that could be achieved with any USB stick with a write protect switch.

That would be the proper procedure that I would find perfectly acceptable, but all the present day USB sticks with write protect do it with software. It's not like the floppies that made it physically impossible to write by literally turning off the ability to write. It's one of the giant steps backwards that the industry has made.. intentionally? I don't know, but my suspicions run high.

Re:A silly question (1)

_0xd0ad (1974778) | more than 2 years ago | (#36141008)

It's not like the floppies that made it physically impossible to write by literally turning off the ability to write.

Which floppies were those?

Re:A silly question (1)

Peristaltic (650487) | more than 2 years ago | (#36141078)

You don't remember the notch in the side of the disk? Notch = RW, cover the notch with tape = RO

Re:A silly question (1)

ashidosan (1790808) | more than 2 years ago | (#36141430)

Yes, I can see how a tab far outside the physical storage media would physically prevent the write heads from touching the floppy (which, I think, was the point GP was trying to make).

Re:A silly question (1)

countertrolling (1585477) | more than 2 years ago | (#36141510)

No. It uses a normally open microswitch that would cut off all power to the write circuit. It was more failsafe than a nuclear powerplant..

Re:A silly question (1)

_0xd0ad (1974778) | more than 2 years ago | (#36141554)

Well and good until somebody hacks a floppy drive to bypass it.

Re:A silly question (2)

Technician (215283) | more than 2 years ago | (#36141688)

I did that because when I worked in repair I needed working copies (they get damaged) that would not lose the tape. You can buy disks without the notch so there is no protect to fall off. To prevent accidents, the switch I put in the drive was a reed switch. It required knowledge of the switch as well as the pocket screwdriver with the magnet in the end to turn on the hidden write switch while writing another working copy of the diagnostic floppy disks.

None of the floppies in the field service kit had a write enable notch. It makes no sense taking one customer's infection and giving it to someone else. The modern replacement is a burned DVD instead of a thumb drive. Use read only media for any of your service materials. No exceptions.

Re:A silly question (2)

macs4all (973270) | more than 2 years ago | (#36142306)

I did that because when I worked in repair I needed working copies (they get damaged) that would not lose the tape. You can buy disks without the notch so there is no protect to fall off. To prevent accidents, the switch I put in the drive was a reed switch. It required knowledge of the switch as well as the pocket screwdriver with the magnet in the end to turn on the hidden write switch while writing another working copy of the diagnostic floppy disks.

None of the floppies in the field service kit had a write enable notch. It makes no sense taking one customer's infection and giving it to someone else. The modern replacement is a burned DVD instead of a thumb drive. Use read only media for any of your service materials. No exceptions.

Yeah, the 8 inch floppies actually got it right. They had a Write ENABLE sticker. If the Notch was NOT covered over, then the disk was automatically Write Protected. The rationale was that a sticker can NEVER "fall ON". I would imagine that whatever evil engineer inverted that logic did it because he was either pressured to, or was tired of digging around to find write-enable stickers...

Re:A silly question (1)

_0xd0ad (1974778) | more than 2 years ago | (#36142970)

If the Notch was NOT covered over, then the disk was automatically Write Protected. The rationale was that a sticker can NEVER "fall ON". I would imagine that whatever evil engineer inverted that logic did it because he was either pressured to, or was tired of digging around to find write-enable stickers...

More likely they wanted a way to "write-protect" a disk in such a way that the user couldn't* make the disk writable again. Yep, that's right... DRM.

*Except with a hole-punch.

Re:A silly question (2)

macs4all (973270) | more than 2 years ago | (#36142240)

Well and good until somebody hacks a floppy drive to bypass it.

You don't understand hardware so good, do you?

The W/P switch in old floppy drives wasn't a "request not to write"; it actually disabled the HARDWARE enable input to the WRITE CURRENT driver in the R/W head. The only way it could fail was if the microswitch that read the "tab" (or the optical sensor in the 3.5 inch version) failed; or, if you had an Apple ][ disk drive, if static zapped the 74LS125 on the 5.25 Shugart drive's board (a somewhat common, VERY nasty problem, which resulted in the write/erase current being turned on PERMANENTLY!).

No amount of SOFTWARE could defeat the HARDWARE W/P switch. And if you are talking about a USER "hacking" their OWN drive to defeat that (a common mod was to install a switch on the front of the drive to provide "no-tab" Normal, Protect Always, and No Protect operation), then that particular user has done so with the understanding that they have VOLUNTARILY placed themselves at greater risk. Different situation completely than with a "Please Write Protect Me" SOFTWARE scheme, as with the USB sticks.

On a related note, I can't understand why someone can't actually provide HARDWARE write protect on a USB stick, unless the integration has gotten so high that the controller and memory are actually within the same IC package (and if the designer of that chip wanted it, they could STILL bring a HARDWARE enable out to the world, not just a port pin read by the controller).

Re:A silly question (1)

_0xd0ad (1974778) | more than 2 years ago | (#36142836)

I understand perfectly. Perhaps YOU do not understand.

The W/P switch in old floppy disks was just a "request not to write" because, although the floppy drives themselves (if they were correctly engineered) implemented this in such a way that the write hardware was actually disabled if that latch couldn't close, there is absolutely nothing preventing the floppy disk from being written if the floppy drive doesn't care whether the write-protect tab is closed.

The floppy drive might have made it physically impossible to write to a floppy if the write-protect switch/tab on the floppy was opened, but the floppy itself did not. Stick that floppy in a drive that has been hacked to not care about the write protect switch, and you will find that it is not "physically" impossible to change the contents of that floppy.

Re:A silly question (1)

_0xd0ad (1974778) | more than 2 years ago | (#36143008)

Never mind. Your point is a fair one: for a typical user's floppy disk drive, no malware would be able to propagate itself over a write-protected floppy disk.

However I don't see that it's a terribly significant point since they'd probably be putting a write-enabled floppy into the drive pretty often anyway.

Re:A silly question (5, Informative)

tlhIngan (30335) | more than 2 years ago | (#36141172)

That would be the proper procedure that I would find perfectly acceptable, but all the present day USB sticks with write protect do it with software. It's not like the floppies that made it physically impossible to write by literally turning off the ability to write. It's one of the giant steps backwards that the industry has made.. intentionally? I don't know, but my suspicions run high.

A floppy drive is easy - a floppy drive is just some motors in a cage - the floppy controller resides on the motherboard and tells those motors how to operate. The write protect switch can easily disable the floppy drive's write amplifier.

Something like a hard drive is hard - you can't disable the read/write line to the (PATA) drive, because you have to write to the registers in order for it to work. It's why forensic labs have drive write blockers - they pass through everything except the write commands - these things require intelligence in order to perform their tasks.

Ditto USB drives - you can't disable writing to the NAND flash chips itself, because you have to write to them in order to read from them (as well as do things like identify the capacity and such), so the controller has to have intelligence to handle ignoring write commands from the USB host (and even then some drives still do wear levelling and garbage collection on the raw media - so you need lots of firmware hooks to disable that, too).

The problem is, there's no way to physically make it impossible to write. Some flash chips it was possible - you protected it by disabling the high-voltage programming power source - without that voltage, programming would be problematic. But these days, the charge circuits to do that are built into the silicon so the manufacturers don't have to spend the extra dollar on external power supply circuits and PCB routing, because the intent for writable nonvolatile memory was being able to write to them.

Making a write-protect switch these days is difficult and often requires extra circuits in order to have the necessary intelligence to block write commands and not all writes (which disables normal read operations as well).
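The write-blocker point in the comment above, as an added illustration (this is not code from any forensic product or from the thread): a toy policy that parses SCSI command descriptor blocks, passes the commands a host needs just to identify and read a drive, and denies anything that modifies the medium, defaulting to deny for opcodes it does not know. The opcode values are the standard SCSI ones; the command session at the bottom is constructed for the example.

```python
"""Toy forensic write-blocker policy for SCSI (and USB mass-storage) commands.

Added illustration, not code from any product in the thread. It models the
point made above: a block device cannot be made read-only by cutting one
wire, because the host must keep sending commands (INQUIRY, READ CAPACITY,
READ) to use the device at all. A blocker therefore needs enough logic to
parse each Command Descriptor Block (CDB) and pass only non-modifying ones.
Opcode values are the standard SCSI opcodes; the session below is constructed.
"""

# Non-modifying commands a blocker passes through (first CDB byte -> name).
ALLOW = {
    0x00: "TEST UNIT READY",
    0x03: "REQUEST SENSE",
    0x08: "READ(6)",
    0x12: "INQUIRY",
    0x1A: "MODE SENSE(6)",
    0x25: "READ CAPACITY(10)",
    0x28: "READ(10)",
    0x2F: "VERIFY(10)",
    0x5A: "MODE SENSE(10)",
    0x88: "READ(16)",
    0xA8: "READ(12)",
}

# Commands that change the medium or device state; these must be rejected.
DENY = {
    0x04: "FORMAT UNIT",
    0x0A: "WRITE(6)",
    0x15: "MODE SELECT(6)",
    0x2A: "WRITE(10)",
    0x35: "SYNCHRONIZE CACHE(10)",
    0x41: "WRITE SAME(10)",
    0x42: "UNMAP",
    0x55: "MODE SELECT(10)",
    0x8A: "WRITE(16)",
    0xAA: "WRITE(12)",
}


def decide(cdb: bytes):
    """Return (verdict, command name) for one CDB.

    Anything not on the allow-list is denied, including vendor-specific and
    unknown opcodes: a blocker that fails open is not a blocker.
    """
    if not cdb:
        return ("DENY", "EMPTY CDB")
    op = cdb[0]
    if op in ALLOW:
        return ("ALLOW", ALLOW[op])
    return ("DENY", DENY.get(op, f"UNKNOWN 0x{op:02X}"))


def lba_of(cdb: bytes):
    """Logical block address from a 10-byte READ/WRITE CDB (bytes 2..5,
    big-endian), or None. Included to show that the CDB has structure the
    blocker must parse; there is no single 'write' line to cut."""
    if len(cdb) >= 10 and cdb[0] in (0x28, 0x2A):
        return int.from_bytes(cdb[2:6], "big")
    return None


def filter_session(cdbs):
    """Run a command sequence through the policy.

    Returns ([(verdict, name, lba), ...], number of denied commands).
    """
    records, denied = [], 0
    for cdb in cdbs:
        verdict, name = decide(cdb)
        if verdict == "DENY":
            denied += 1
        records.append((verdict, name, lba_of(cdb)))
    return records, denied


# Constructed session: the commands a host issues to bring up a drive and
# read its first sector, then an attempt to overwrite that sector (where a
# bootkit would live), flush the cache, and finally a vendor-specific opcode.
SESSION = [
    bytes([0x12, 0, 0, 0, 36, 0]),                  # INQUIRY, 36 bytes
    bytes([0x00, 0, 0, 0, 0, 0]),                   # TEST UNIT READY
    bytes([0x25, 0, 0, 0, 0, 0, 0, 0, 0, 0]),       # READ CAPACITY(10)
    bytes([0x28, 0, 0, 0, 0, 0, 0, 0, 1, 0]),       # READ(10)  LBA 0, 1 block
    bytes([0x2A, 0, 0, 0, 0, 0, 0, 0, 1, 0]),       # WRITE(10) LBA 0, 1 block
    bytes([0x35, 0, 0, 0, 0, 0, 0, 0, 0, 0]),       # SYNCHRONIZE CACHE(10)
    bytes([0xC0, 0, 0, 0, 0, 0]),                   # vendor-specific: unknown
]

if __name__ == "__main__":
    recs, n = filter_session(SESSION)
    for verdict, name, lba in recs:
        suffix = f"  lba={lba}" if lba is not None else ""
        print(f"{verdict:5} {name}{suffix}")
    print(f"{n} command(s) denied")
```

Two caveats a practitioner would add. A real blocker also has to deny the ATA PASS-THROUGH opcodes (0xA1 and 0x85), since a host can tunnel raw ATA writes through them, and it must cope with the transport (USB bulk-only, SATA) rather than bare CDBs. And, exactly as the comment says, none of this touches writes the drive's own firmware makes for wear levelling or garbage collection; those happen below the host's view and are why a blocked drive still does not give you bit-for-bit stability of the raw flash.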

Re:A silly question (1)

geekprime (969454) | more than 2 years ago | (#36141338)

Then how do SD cards handle the write protect switch they have? And by the way, all my SD to USB adapters handle the write protect switch just fine (so there's your protected media).
It's obviously not impossible or not done before, I even have an old 128m PNY stick with a WP switch built right in.

Re:A silly question (1)

obarthelemy (160321) | more than 2 years ago | (#36141548)

Apparently, it's handled in software or firmware on the host's side. There's feedback on the forums of people who've hacked it hardware style (short it, cover it)... I'm too lazy to keep looking for a software hack.

Good question though. The answer is: it's not very trustworthy, as the host has to politely refrain from writing, instead of it being the device to becomes physically un-writable.

Re:A silly question (4, Interesting)

v1 (525388) | more than 2 years ago | (#36141670)

I would have found that hard to believe before having seen it in action myself.

My camera uses an SD card of course, but it can use that open source camera software too. But to use it, you have to write it to a new card, and then turn on the write protect switch or the camera won't boot it. Once the new software is booted, it can save pictures to the card. Good proof that the write protect on the SD card is more of a "suggestion" than a "switch".

Re:A silly question (0)

Anonymous Coward | more than 2 years ago | (#36142464)

All RawNAND chips have a WP (write protect) signal that does exactly what you are asking for.

Note that it is not really useful in a USB drive since you have to rewrite all data starting to go bad. WP signal enabled == eventual data rot.

Re:A silly question (1)

macs4all (973270) | more than 2 years ago | (#36142548)

A floppy drive is easy - a floppy drive is just some motors in a cage - the floppy controller resides on the motherboard and tells those motors how to operate

My guess is that you've never actually SEEN a floppy drive.

Even the most hardware efficient floppy drive of all time, the Disk ][ drive electronics designed by Steve Wozniak for use with the Apple ][, used something like 8 TTL and analog chips on the floppy drive itself, plus some transistors, resistors, capacitors, an inductor, and a few other components. This is IN the drive itself. This connected via a 20-pin (IIRC) ribbon cable to a peripheral card in the computer with 5 more chips on it, including a pair of TTL ROMS that formed a really clever state machine that did the actual GCC "nibble" encoding/decoding. While it is true that the CPU in the Apple ][ controlled the stepper motor for the head movement (and maybe the spindle motor, too. Can't recall) more or less directly, and was responsible for the actual timing of the reading and writing of the "nibbles"; but the actual laying down and picking up of those nibbles on the disk surface was actually all done by the peripheral card and the electronics in the drive enclosure. So, your assertion that the floppy drive is but a box-full-o-motors is demonstrably false [apple2history.org] .

And as I said, that was the MOST hardware-efficient floppy design of all time. The reference designs by Shugart had a TON of electronics inside the floppy drive itself, and ANOTHER TWO TONS of the most bizarre conglomeration of digital and analog hardware mankind has ever seen on the "interface" card in the computer. I have no idea what the CPU in the host had to do after all this; but I assure you, that NO floppy has EVER been "just a box with motors". Period. You are simply talking out of your ass.

Re:A silly question (1)

countertrolling (1585477) | more than 2 years ago | (#36142580)

Then the only thing left is a live CD or DVD in a read only drive.. And that's ok also, even if a bit slow.. There's usually enough RAM to load the entire system in there if you need the speed, but that opens up a small vulnerability right there... At least there's a choice.

Re:A silly question (2)

tlhIngan (30335) | more than 2 years ago | (#36141062)

Because then security leaks cant be fixed? I suggest at least some switch to update the software. On the other hand that could be achieved with any USB stick with a write protect switch.

If software can turn off "write protect" then you don't have anything. Period. Because anything legit software can do, malware can do. If it can do an update of the ROM image, then malware can as well (and there was a virus that overwrote or attempted to overwrite the BIOS).

If you make it harder by requiring the user flip a switch, you'll find after the first update that 75% of the people didn't bother updating. After the second, 95% of the switches will be in the "allow write" position as people get lazy. (It will asymptotically approach 100%). If you make it so they have to flip the switch back to write-protect mode in order to boot, well, you'll asymptotically reach 100% of people who don't bother updating because it's too troublesome.

Re:A silly question (5, Informative)

improfane (855034) | more than 2 years ago | (#36140812)

Malicious software can still be malicious while in memory, send spam, botnet etc. A running exploit of a readonly system is just as compromised as a running writable one, until you turn it off of course. You would never be able to patch it unless you patch the ROM or receive memory patches.

Re:A silly question (2)

postbigbang (761081) | more than 2 years ago | (#36140938)

No.

A kernel launched from write-protected, hence read-only memory, is going to be the same every time. Subsequent loads can infect a kernel that sits in writeable memory, where malware can do its work. ROMs just are not changeable, unless they're of a genre that permits this, like electrically-erasable programmable read-only memory, or EEROMs, which usually take an electrical charge or specific freqs of light to allow change.

My problem with this kit is that we would probably prosecute someone that makes malaria or HIV or even the common cold viruses more difficult to cure. Yes, tools need to be made to discover how to secure system more thoroughly, but we're not instilling diligence on the parts of OS makers and sysadmins to stop the problems we have now.

Re:A silly question (1)

improfane (855034) | more than 2 years ago | (#36141148)

You are implying that a kernel booted from write-protected media is impossible to infect while running. This is not true.

No kernel is impervious to attack while running.

Re:A silly question (1)

postbigbang (761081) | more than 2 years ago | (#36141254)

I'm implying only that when initially read from ROM, it's as clean as it was written. Certainly any kernel can be subsequently infected, given current techniques. I know of no kernel that can't be rooted, given various techniques, and possibly a soldering iron+.

Re:A silly question (2)

_0xd0ad (1974778) | more than 2 years ago | (#36141662)

The point is that the ROM doesn't need to be infected. The system has to load into RAM to actually run, and if you can't patch the OS (easily or at all) you can't fix things like remotely-exploitable buffer underruns.

Then you just end up with malware that network-boots: as soon as you fire up your pristine kernel and connect it to the network, one of the other infected machines on the network re-infects it and the malware is free to do whatever it wants in user-space (send spam, data-mine, participate in a DDOS, and try to spread itself to the other computers on the network). If you can't patch the hole that's being used as an infection vector, you're basically SOL.

Re:A silly question (0)

Anonymous Coward | more than 2 years ago | (#36141926)

Well, it would be possible to build computers that can make ROM, RAM, a hard disk or any combination thereof read-only by flipping a mechanical switch, so the user needs to switch to "update" mode for OS updates and installation of other critical system software. This and better firmware could make computers more secure to some extent.

However, manufacturers have no particular interest in making computers more secure. They haven't even an interest in making them usable - see e.g. nonsensical keyboard layouts and screen sizes, extremely low keyboard quality of laptops, glaring screens, etc. - because they figure that customers care for other things.

Re:A silly question (1)

_0xd0ad (1974778) | more than 2 years ago | (#36142002)

A simple mechanical switch the only thing standing between a determined user and his/her screensavers/wallpaper/cursor pack?

*shudder*

Re:A silly question (2)

CarsonChittom (2025388) | more than 2 years ago | (#36140854)

Amigas sort of did this [wikipedia.org] , apparently.

Re:A silly question (1)

kelemvor4 (1980226) | more than 2 years ago | (#36140894)

It was a total pain in the ass. You had to replace a chip in the Amiga to upgrade your OS. Not something I relish the idea of returning to anytime soon.

Not really. (3, Informative)

Viewsonic (584922) | more than 2 years ago | (#36140950)

Only for major major updates, and it wasn't a pain in the ass. You unplugged the chip and stuck the new one in. Back then it was pretty common for users to hack their Amigas anyways, so it wasn't that big of a deal to open her up and swap it in. The pain in the ass was expanding the chip memory by soldering lines to a new socket. I was 12 when I had to do this for my Amiga 500. Worked fine.

Re:Not really. (1)

kelemvor4 (1980226) | more than 2 years ago | (#36141080)

Other systems at the time were updated by sticking a floppy in the drive and either booting directly from the new disk, or copying files to your hard drive (if you had one). Some users were comfortable replacing the chip themselves but many ended up having to go pay a computer shop to do the upgrade for them.

Amigas had some features that were totally ahead of their time, but imo this is more of a design flaw than a feature to be reincarnated in new systems. Commodore apparently recognized this as well, since they created the ability to use disk based kickstart on the 3000.

Re:Not really. (1)

mcavic (2007672) | more than 2 years ago | (#36141204)

I never owned an Amiga, but the Commodore 64 and 128 never needed OS updates. Software was written better in those days.

Re:Not really. (2)

obarthelemy (160321) | more than 2 years ago | (#36141656)

I'll bite

1- above all, there was a lot less of it. Win7 is rumored to be about 50 million lines of code. I can't find the C64's rom size, but it's at least 2 orders of magnitude less.
2- there were no security issues requiring frequent updates. the C64 was not connected to the internet, and the basic OS was in ROM, so any security holes remained un-exploited
3- nobody cared about bugs, especially since the OS did so little anyway. I never had the money for a C64, but my ZX Spectrum had plenty of bugs.
4- I remember very well that the C64 sorely needed an OS update to its floppy disc functions :-p

Re:Not really. (3, Informative)

Tx (96709) | more than 2 years ago | (#36141228)

Kickstart was more of a BIOS-equivalent than an OS. You couldn't do anything with Kickstart by itself, kickstart booted the actual OS (Workbench). Some RiscOS machines OTOH did boot a reasonably advanced GUI OS from ROM, in fact if I'm not mistaken there are some such still in production.

Re:Not really. (2)

equex (747231) | more than 2 years ago | (#36141460)

I had a couple of RiscOS fanatics for friends (I was in the Commodore camp), and afaik they had a 2MB ROM to boot from, which included memory protected processes ('modules') and a configurable desktop environment, a taskbar/taskmanager hybrid as well as an assembler/BASIC editor/assembler and some other tools. Also grandparent must be trolling, since those OSes were so incredibly small and uncomplicated that it should in fact be possible to write them with zero bugs whatsoever.

Re:A silly question (1)

Anonymous Coward | more than 2 years ago | (#36141112)

Why not?

An OS chip would be significantly better than the terrible mess we have now.
This way it creates a logical separation of OS and user space, too.
It would force OS developers to rethink what an executable can do with respect to the OS.

Not to mention that it is much easier to do now due to SSDs being seriously cheap to produce in the sizes that are required. (even for the awfully stupid sizes of Vis7a)

I already put my OS on a separate partition as it is. The whole Program Files directory is a symlink to another one.
As are all the other main directory paths.
Makes it much easier to deal with OS crap to have things separate.
Meanwhile Microsoft doesn't give a damn about organization and don't even adhere to their own standard user directory format by installing their crapware directly in it instead of application data sub-directories.

The OS doesn't need to be fully read-only, some parts can be write-enabled, but are only write-enabled by passing through the OS first and not just direct-access for anything.
This plus custom hardware on the chips could allow them to be slightly more secure by making it harder to see key files used for decryption.
Of course, this now goes in to the whole trusted computing mess that is happening just now and would end up being used for DRM shit, so nobody will want that.

Re:A silly question (1)

hedwards (940851) | more than 2 years ago | (#36141272)

If that's what you want to do, it's not that hard to do. SATA to SD Adapter [soarland.com] Just set the card as read only and then only change it to read write when you need to do an upgrade. Or since it's and SD card you may as well just image the firmware to the card from a different computer.

Re:A silly question (1)

Skuld-Chan (302449) | more than 2 years ago | (#36142408)

As someone who tearfully sold off the last of my Amiga hardware (an A4000 with a BPPC 233 604 board and my Amiga 1200) the entire Amiga OS really wasn't in ROM - it was really just the stuff to bootstrap the OS, libraries to handle mouse/keyboard io and dialogue boxes and windows. 3.1 had workbench.library in rom too, but I'm really not sure why.

The vast majority of the OS was still on disk ;).

In other words: the ENTIRE OS wasn't restored every time you switched the thing on which is what the parent wants.

In fact Amiga viruses were really quite nasty (since the OS had no memory management/protection, no security layer what-so-ever, and all the systemlibraries and kernel were EASILY patchable). More than one bypassed the floppy write protect (granted this was rumor) by patching trackdisk.device.

Re:A silly question (2)

grumbel (592662) | more than 2 years ago | (#36141006)

A more interesting question would be why systems are still so shitty at even basic self verification. A Linux might verify a packages signature on install, but after that, there is absolutely no oversight about what is happening to that package. On a regular dist-upgrade it can't even properly tell apart which config files have been touched by the user and which have been automatically generated.

This is not even an especially hard problem to solve, instead of dumping everything into a single directory tree, dump all packages into a read-only tree and save all the changes to that tree into a completely separate directory tree that is mounted on top of the other one via some kind of unionfs. This wouldn't just be good for security, it would also make a users life much easier, as changes and hacks that divert from the vanilla system would be instantly visible.

Re:A silly question (1)

tlhIngan (30335) | more than 2 years ago | (#36141256)

A more interesting question would be why systems are still so shitty at even basic self verification. A Linux might verify a packages signature on install, but after that, there is absolutely no oversight about what is happening to that package. On a regular dist-upgrade it can't even properly tell apart which config files have been touched by the user and which have been automatically generated.

This is not even an especially hard problem to solve, instead of dumping everything into a single directory tree, dump all packages into a read-only tree and save all the changes to that tree into a completely separate directory tree that is mounted on top of the other one via some kind of unionfs. This wouldn't just be good for security, it would also make a users life much easier, as changes and hacks that divert from the vanilla system would be instantly visible.

And how do you propose that the "pristine" packages below it are updated without giving malware the same privileges or ability to update those packages with infected versions?

Trusted binaries (which defeats the entire purpose and puts us back into Apple Jailbreaking)? Signed packages (ditto)? And if you propose having users manage the certificates by installing them, remember that malware can do the same to bypass any sort of signing mechanism.

The unfortunate truth is, the only way to ensure it is trusted boot and a trust chain, which was the whole point of TCPA, which was something people rallied against.

Sadly, the end result is there isn't any way to have the openness of a PC without having the diligence of being able to maintain it properly. And Steve Jobs' truck analogy might be right - people will always need trucks (PCs), but sometimes, they just want a little runabout to do their things (post-PC devices - smartphones, tablets, etc. that are locked down and "just work"). Of course, there may be room for something in-between the walled garden of Apple and the wide-open free-for-all that is Android, but it's not quite there yet (even though Android makes it "hard", alternative app stores that serve up pirated apps and malware simultaneously are unfortunately, popular).

Re:A silly question (2)

grumbel (592662) | more than 2 years ago | (#36141984)

And how do you propose that the "pristine" packages below it are updated without giving malware the same priviledges or ability to update those packages with infected versions?

Packages and their updates have a proper signature from your distributor, malware doesn't. The point here isn't so much to create the one true final solution to computer security, but to have some robust tracking of origin of a package and its containing files, on top of that you could then build a whitelist, WoT or whatever to improve things even further. As of right now there really isn't much of a built-in form of tracking for what an application does to your system or how it was modified.

Sadly, the end result is there isn't any way to have the openness of a PC without having the dilligence of being able to maintain it properly.

Quite the opposite, a proper secure system would be much more open than our current PCs, as it would allow users to mess around with their system, run any app they want and all of that without having the fear of breaking anything, as the system would be able to keep track of all the changes and undo them if needed.

The OLPC for example has that (in theory at least, the real world implementation is still incomplete). You can essentially set up the thing so that it shows you what applications other people in your friends list are running. If you want to copy that application you just click on it and the system will copy the app over and run it on your system, all in a secure manner, as applications are run in isolation without full system access. If you want to modify it, you click the "show source" button and hack away; again, the thing keeps track of your modifications and can undo them when needed.

Re:A silly question (1)

hedwards (940851) | more than 2 years ago | (#36141296)

If that's what you want, you can always just use tripwire with the various related data stored on a separate disk.

Re:A silly question (5, Interesting)

hairyfeet (841228) | more than 2 years ago | (#36141070)

Because then all they have to do is figure out a buffer overflow for the default browser and you can't patch it so you're boned? As a PC repairman my question would be this....why bother? Do you have ANY idea how many unpatched XP boxes are out there? Boxes with NO AV, or the same trialware Norton crap it came with in 05, loaded up with P2P crap or running "Razr1911 Pro SP2 Corp" that has WU turned off to keep from getting WGA'd? If the number was less than 60 million frankly I'd be amazed.

So I don't see why they are bothering with this now when they have so much low hanging fruit left, unless they are planning on using it for a spear phishing attack. The time to be releasing something like this would be about 6 months before XP EOL, when the amount of unpatched "Razr1911 Windows 7 all versions pre-activated" will be much higher, although even then most likely all the updates will be turned off (already seeing that BTW, as MSFT figured out how to kill the Razr1911 OEM hack on the RTM version so pirates are just killing WU like they did with XP) so again hacking will be easy.

As a guy that cleans them for a living I can tell you infecting a Windows box simply isn't that hard, not because MSFT built a bad OS (I'd argue that properly patched an XP or 7 box is actually pretty solid) but because there are so many pirated versions, boxes controlled by people that will happily click on any email attachment, or download "Hot_Lesbos.avi.exe" and run it without a second thought.

Hell Limewire has been dead for a couple of years yet I still see new boxes infected with malware calling itself "the new Limewire" because simply ripping off the old Limewire icons is enough to get the clueless to happily turn off any security that attempts to stop them installing it so they can snatch the latest pop crap. Social engineering with literally millions of clueless users makes it butt simple to infect masses of boxes with just a little carrot at the end of a stick. This seems like a hell of a lot more work than required unless they have some corporate target in mind.

Re:A silly question (2)

countertrolling (1585477) | more than 2 years ago | (#36141282)

You're missing part of the discussion where a disk or USB stick with true physical write protection will mitigate the problem considerably. I don't really care what the 'clueless' do. If they want to hose their systems, that's just more business for you and me. I just want something to protect myself. Word of mouth will catch on in due time... For now, I make images of fresh installs to save myself and clients a great deal of time. What used to take two hours is fixed in less than 15 minutes. Booting into a live CD allows me to recoup their docs and stuff before I do the restore.

Re:A silly question (1)

PPH (736903) | more than 2 years ago | (#36141714)

Social engineering with literally millions of clueless users makes it butt simple to infect masses of boxes with just a little carrot at the end of a stick.

And I'm happy with that. It's like the story of the two campers trying to outrun the bear. One says it's hopeless. Bears are too fast. The other says, "I don't have to outrun the bear. I just have to outrun you." As long as there are millions of clueless users out there as low hanging fruit, those of us with more secure (not perfect, just better) systems and a clue about not surfing for pr0n as root will dodge the bear.

And if they start coming after Linux systems, I'll just switch to something nobody uses so nobody will target it.

BSD.

Ducking and running .....

Re:A silly question (0)

Anonymous Coward | more than 2 years ago | (#36141826)

Have you tried OS/2 - eComStation lately???

Try it http://www.ecomstation.com/

Blaming MSFT or "clueless users" is pointless. (1)

Anonymous Coward | more than 2 years ago | (#36141886)

I also happen to be a PC technician, and I find it tiresome to hear people tirade about how bad Windows is, or how "clueless" users are. Software vulnerabilities are a fact of life, and it's unrealistic to expect average users to tell a fake warning from a real one when they can look pretty much identical.

Here's a car analogy. If I paint a phony detour sign that looks exactly like a real detour sign, stick it up in the middle of a road, and traffic starts diverting down a street of my choice, does that make the drivers stupid or "clueless"?

Even with the best available antivirus software and every available patch, 0-day drive-by exploits will come along, and people will get burned. My approach is to assume that problems will occur, and focus on how to quickly and easily recover from such incidents.

Re:A silly question (1)

blair1q (305137) | more than 2 years ago | (#36142574)

So I don't see why they are bothering with this now when they have so much low hanging fruit left

Because the low hanging fruit aren't the high-value targets, and the high-value targets are still susceptible to a small number of exploits.

Re:A silly question (0)

Anonymous Coward | more than 2 years ago | (#36143226)

Among other duties, I also clean up malware for a living. I can agree that I often work on unpatched boxes with no security software, but very frequently I see the same class of malware on patched and/or "protected" computers. Most of the computers that I have to work with get infected because of "free smiles", office chain letters, bad advice, porn, and general preying on trust and fear; in almost no cases is pirated software involved.

Re:A silly question (1)

Chemisor (97276) | more than 2 years ago | (#36141178)

If your motherboard has a TPM chip, you could set up a trusted boot sequence, ensuring that the OS is unmodified. You can then make the OS execute only signed executables, making any modifications to installed software impossible. Malware would also be prevented from running.
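A toy version of the trust chain the parent describes, added here as an example (not code from the thread, nor from any TPM vendor): each boot stage is hashed into a PCR-like register with the TPM extend rule before the next stage runs, and the final register value is compared against the value recorded for the known-good install. Component names, blobs and the "known-good" value are constructed for the example.

```python
"""Toy model of a TPM-measured trusted boot chain (added example, not from the thread).

Each stage is measured (hashed) into a PCR-like register using the TPM extend rule
    PCR = SHA256(PCR || SHA256(component))
so the final PCR depends on every component and on their order. Secrets sealed to
the known-good PCR (or a remote attestation check) only succeed if nothing changed.
"""
import hashlib
from typing import Iterable, List, Tuple

PCR_SIZE = 32  # SHA-256 digest length; a TPM 2.0 SHA-256 PCR bank is also 32 bytes


def measure(component: bytes) -> bytes:
    """Digest of one boot component (firmware blob, bootloader, kernel, ...)."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the register can only be advanced, never written directly."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain: Iterable[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Measure every stage in order; return the final PCR and an event log of (name, digest)."""
    pcr = b"\x00" * PCR_SIZE  # PCRs reset to all-zero at power-on
    log: List[Tuple[str, str]] = []
    for name, blob in chain:
        digest = measure(blob)
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def verify_boot(chain: Iterable[Tuple[str, bytes]], expected_pcr: bytes) -> bool:
    """True only if every stage, in the expected order, is byte-for-byte unmodified."""
    pcr, _ = measured_boot(chain)
    return pcr == expected_pcr


# Constructed sample chains: a pristine boot and the same boot with a modified bootloader.
GOOD_CHAIN = [
    ("firmware", b"FIRMWARE v1.0 (constructed)"),
    ("bootloader", b"BOOTLOADER v2.3 (constructed)"),
    ("kernel", b"KERNEL 3.x (constructed)"),
]
# Recorded once while the system was known clean; this is what secrets would be sealed to.
EXPECTED_PCR, _ = measured_boot(GOOD_CHAIN)

TAMPERED_CHAIN = [
    ("firmware", b"FIRMWARE v1.0 (constructed)"),
    ("bootloader", b"BOOTLOADER v2.3 (constructed) + hook"),  # any change anywhere breaks the chain
    ("kernel", b"KERNEL 3.x (constructed)"),
]

if __name__ == "__main__":
    print("pristine boot verifies:", verify_boot(GOOD_CHAIN, EXPECTED_PCR))
    print("tampered boot verifies:", verify_boot(TAMPERED_CHAIN, EXPECTED_PCR))
```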

Re:A silly question (1)

macs4all (973270) | more than 2 years ago | (#36142866)

If your motherboard has a TPM chip, you could set up a trusted boot sequence, ensuring that the OS is unmodified. You can then make the OS execute only signed executables, making any modifications to installed software impossible. Malware would also be prevented from running.

And even putting all the useability issues aside, just how many Slashdotters do you think would be capable of accomplishing the above? Now, expand that to the general population. How many now?

Why can't the system be installed on ROM (0)

Anonymous Coward | more than 2 years ago | (#36141226)

Because the current model of downloading active scripts and running them locally would be broken. As well, there would be no method for remote upgrading, bug patching, I mean installing service packs.

Re:A silly question (0)

Anonymous Coward | more than 2 years ago | (#36143354)

The Commodore Amiga did this. To upgrade the OS (to a new version) you had to change chips. This wasn't a bad thing IMO. But, the problem comes when it boots and "patches" known issues in the OS. A virus could hide there. Of course, you can simply NOT load the patches... but depending on the virus, the damage may be done.

Great... (0)

Anonymous Coward | more than 2 years ago | (#36140790)

Oh great, malware coders have learned how to do math. We're boned.

Seal Team 6 (0)

sycodon (149926) | more than 2 years ago | (#36140998)

Why can't someone go all Seal Team 6 on these coders' asses?

I'm sure their Moms could use the basement for something better than hosting these losers.

Re:Seal Team 6 (0)

Anonymous Coward | more than 2 years ago | (#36141184)

This is Disney. You're sued.

Re:Seal Team 6 (2)

AlecC (512609) | more than 2 years ago | (#36141280)

You think this is saddos in their Mom's basement? Hacked machines and botnets are big business nowadays. This is the "Russian Mafia" or equivalent, paying big money for infected machines.

Worthless Summary (5, Insightful)

OverlordQ (264228) | more than 2 years ago | (#36140806)

A new version of the venerable Alureon malware has appeared, and this one includes some odd behavior designed to prevent analysis and detection by antimalware systems. However, this isn't the typical evasion algorithm, as it uses some unusual encryption and decryption routines to make life much more difficult for analysts and users whose machines have been infected. Alureon is a well-known and oft-researched malware family that has some rootkit-like capabilities in some of its variations. The newest version of the malware exhibits some behavior that researchers haven't seen before and which make it more problematic for antimalware software to detect it and for experts to break down its components.

A new version of well-known Alureon is out which has odd things to make it hard to analyze. It's odd, and is not normal and makes it hard to analyze. It's well known and is a rootkit. The new version is odd and makes it hard to analyze.

We got that after the first sentence, how about actually providing some fscking detail.

Re:Worthless Summary (1)

Anonymous Coward | more than 2 years ago | (#36140898)

We got that after the first sentence, how about actually providing some fscking detail.

You mean like:

it uses some unusual encryption and decryption routines to make life much more difficult

and

Alureon is a well-known and oft-researched malware family that has some rootkit-like capabilities in some of its variations.

I guess for more details you'd have to RTFA?

Better Summary: (1)

circletimessquare (444983) | more than 2 years ago | (#36140912)

Something is happening that is new, but we can't describe how or why it is new. We're like Roy Scheider in Jaws: "You're going to need a bigger boat." And you're like Robert Shaw: you just get to work trying to catch the thing. Even though it is big, it's bad, it's silent, it runs deep, you don't have the tools to properly track, capture, kill or otherwise defeat the thing, and you will be dead in 15 minutes at the end of the movie anyway. So just run around and panic. Because rootkits are scary, and strange new exotic rootkits are scarier. Your best bet is to strap on your scuba gear and go hide on the ocean bottom and pee while the real men take care of business. Oh, almost forgot: "Boo!"

Re:Better Summary: (1)

YaHooL (1745114) | more than 2 years ago | (#36142098)

Something is happening that is new, but we can't describe how or why it is new.

Reminds me of "Winter 2008's smash hit" (literally). The Conficker.B worm [wikipedia.org] featured a mysterious payload hashing which turned out to be the first known "production" use of MD6 [wikipedia.org].

Re:Worthless Summary (1)

steelfood (895457) | more than 2 years ago | (#36141104)

I guess it's now too much to expect the editors to choose decent summaries, much less do any actual editing of said summaries.

Re:Worthless Summary (2, Funny)

Anonymous Coward | more than 2 years ago | (#36141114)

Tautology makes things true. You didn't know tautology makes things true? Well, it's true; tautology makes things true.

Re:Worthless Summary (1)

Anonymous Coward | more than 2 years ago | (#36141522)

I think this is what I scraped off my niece's computer a few weeks ago. She's one of those "I'll click on anything!" types. I did notice a lot of 'free' games, Limewire (thought that was odd because I thought it was dead) and about 9 'virus scanners/protectors', along with the one that tells you that you've got a virus and wants a credit card to enable the 'full version' that will remove them...

It had disabled Microsoft Security Essentials, all Windows updates, and when you tried to run a browser instance it would put up a pop-up asking if it could enable 'advanced virus protection'. I never tried saying yes, but if you said no and then went to any antivirus or antimalware web site, it'd jump to a screen saying that you aren't protected and can't go there.

Even rebooting in safe mode didn't disable it. I ended up booting into system repair, rolling back to the oldest (about a month old) system checkpoint, rebooting and inserting a CD I'd burned with Win7 SP1, Malwarebytes and Security Essentials. I ran Malwarebytes, it found 200-something infections and removed them. I installed Security Essentials and it reported and killed 5-6 items over the next 10 minutes without running a scan, just gave me a little lower-right-corner status icon popup saying it found and killed something. Ran the service pack install. Re-ran a Malwarebytes run and a Security Essentials run and both came up clean. Seems to be good since. But this article's use of the word 'rootkit' makes me concerned that it's still buried deep in there somewhere.

Re:Worthless Summary (1)

Catnaps (2044938) | more than 2 years ago | (#36142032)

You'll be wanting this then: http://www.gmer.net/ [gmer.net] Anyone who's removing spyware on a daily basis should be using this as well as MBAM etc. It's not perfect (what is?) but I've found a few rootkits with it.

Make up your mind (5, Informative)

ledow (319597) | more than 2 years ago | (#36140860)

Summary says: "The newest version of the malware exhibits some behavior that researchers haven't seen before"

The article says: "In 1999, a new virus, Win32/Crypto, was discovered... Today, in 2011, variants of Win32/Alureon are bringing this old-school technique back to life... Another interesting tidbit is that an initial version of this obfuscator first arrived in our lab in the first half of 2009."

That's kinda stretching the definition of "haven't seen before", which may be true in a technical sense (because they haven't seen THIS EXACT MALWARE before, but they've certainly seen lots like it).

Re:Make up your mind (1)

YaHooL (1745114) | more than 2 years ago | (#36141704)

"In 1999, a new virus, Win32/Crypto, was discovered... Today, in 2011, variants of Win32/Alureon are bringing this old-school technique back to life..."

Now I understand.
As a tribute to the 1999 Win32/Crypto, the summary of this article has been formulated like the virus-hoax chain-mails of that era.

Re:Make up your mind (0)

Anonymous Coward | more than 2 years ago | (#36142874)

Easy to explain:
In the late 90s, people still wrote viruses - computer programs that piggybacked onto other programs. They were often written directly in assembly language and this offered them many more tricks on how to evade detection, like encryption, hiding its entry point, and many other techniques.

But classic file viruses basically died with the advent of installation programs (files stopped being shared by simply copying). Instead they were replaced by worms and trojans. Worms and trojans are standalone executable files and hence often written in high level languages like C or whatever. As a result some of those classic techniques largely fell by the wayside.

Seems that this malware brought back one of the old tricks of the old file viruses.
Viruses have been encrypting themselves for ages - since long before the internet, but what made Win32/Crypto different is it didn't store its decryption key, opting instead to brute force its own key. This has the effect that it is difficult for scanners to decrypt it - emulation is slower than running code, and hence costly decryption routines could cause some virus scanners to report a clean file prematurely.

The fact this particular technique is back is interesting, but no big deal or cause for concern.
If this is the extent to which malware writers have used old tricks... we can be truly thankful they haven't re-discovered the more advanced techniques yet.
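The scanner-side consequence of the trick described above, as an added example that is not part of the thread and not any AV product's code: a constructed sample carries an XOR-encrypted body under a 16-bit key that is either stored beside the body (classic encrypted virus) or not stored at all, so the stub has to search the key space until a known marker decrypts. A toy emulator with a fixed step budget is run over both; the point is the verdict it should return when the budget runs out inside that loop. Marker, key, body and budgets are all constructed.

```python
"""Toy scanner emulator versus a stub that brute-forces its own key (added example).

Constructed model of the Win32/Crypto-style trick: a stored key costs the
emulator one decryption step, a searched key costs up to 2**KEY_BITS steps, and
a fixed emulation budget runs out long before the plaintext appears. The
defensible verdict at that point is 'inconclusive', not 'clean'.
"""
from typing import Optional, Tuple

MARKER = b"PAYLOAD:"   # constructed plaintext prefix the stub uses to recognise the right key
KEY_BITS = 16          # toy key space; the real stubs relied on the search being slow under emulation


def xor_bytes(data: bytes, key: int) -> bytes:
    """Two-byte repeating XOR; constructed stand-in for the real decryption routine."""
    k = key.to_bytes(2, "big")
    return bytes(b ^ k[i % 2] for i, b in enumerate(data))


def make_sample(body: bytes, key: int, store_key: bool) -> dict:
    """Encrypted MARKER+body, plus the key only for the classic (stored-key) variant."""
    return {"body": xor_bytes(MARKER + body, key), "key": key if store_key else None}


def emulate(sample: dict, budget: int) -> Tuple[str, int, Optional[bytes]]:
    """Toy emulator: one decryption attempt costs one step.

    Returns (verdict, steps_used, plaintext). Verdicts: 'decrypted', 'inconclusive'
    (budget exhausted inside the decryptor loop) or 'no-key' (search space done).
    """
    steps = 0
    candidates = [sample["key"]] if sample["key"] is not None else range(1 << KEY_BITS)
    for key in candidates:
        if steps >= budget:
            # Budget ran out while still in a decryptor loop. Reporting 'clean' here is
            # the premature-clean failure the parent describes; escalate or flag instead.
            return "inconclusive", steps, None
        steps += 1
        if xor_bytes(sample["body"][:len(MARKER)], key) == MARKER:
            plain = xor_bytes(sample["body"], key)
            return "decrypted", steps, plain[len(MARKER):]
    return "no-key", steps, None


# Constructed samples: same body and key, with and without the key stored in the sample.
BODY = b"constructed payload bytes"
KEY = 0xBEEF
CLASSIC = make_sample(BODY, KEY, store_key=True)
KEY_SEARCH = make_sample(BODY, KEY, store_key=False)

if __name__ == "__main__":
    for name, sample in (("classic", CLASSIC), ("key-search", KEY_SEARCH)):
        for budget in (1_000, 1 << KEY_BITS):
            verdict, steps, _ = emulate(sample, budget)
            print(f"{name:10s} budget={budget:6d}: {verdict} after {steps} step(s)")
```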

Or rather (1)

drb226 (1938360) | more than 2 years ago | (#36140878)

New Alureon Rootkit Takes Malware To Same Level As Before, but With More Obscurity.

Once you have root access, is there really "another level" to take it to?

Re:Or rather (1)

Anonymous Coward | more than 2 years ago | (#36141036)

Another level? Sure...

POKE 59458,62

Re:Or rather (0)

Anonymous Coward | more than 2 years ago | (#36141094)

Gaining root is relatively trivial. Remaining un-noticed is much more difficult - a rootkit that can prevent detection for longer is certainly another level. It's not just about what you can do with the user's machine, it's about how long you can keep doing it.

Re:Or rather (1)

AJH16 (940784) | more than 2 years ago | (#36141102)

Yes, because you can make it harder to detect the running patterns. My understanding of the article is basically that it encrypts its own execution path so that the individual sections of code can't be followed until they run. They also avoid actually storing the key in the executable, making it difficult to detect the running code as it will not match patterns as easily. It's an old technique being applied to a newer system, but it is interesting since it is a step up in complexity of an already complex system.

Don't worry, Microsoft is on it (3, Informative)

digitaldc (879047) | more than 2 years ago | (#36140928)

"We're closely monitoring Alureon to ensure that our users are always protected. In fact, Alureon has been part of the Microsoft Malicious Software Removal Tool (MSRT) since April 2007."

I am putting my full faith and hope into the Microsoft security team to eliminate it with their latest Malicious Software Removal Tool.
I have given up on being paranoid about viruses, and I am much happier now!

Re:Don't worry, Microsoft is on it (1)

maxwell demon (590494) | more than 2 years ago | (#36141190)

Hmmm ... they don't say "a defence against Alureon has been part ..." but "Alureon has been part ..."
Maybe it's not a good idea to install their MSRT, after all :-)

Re:Don't worry, Microsoft is on it (1)

digitaldc (879047) | more than 2 years ago | (#36141320)

Yeah, Microsoft just decided to give up and hack their own machines in order to fix them...permanently.

Re:Don't worry, Microsoft is on it (0)

Anonymous Coward | more than 2 years ago | (#36141756)

It's too bad that, when Alureon (or TDSS) has infected your bootloader, it blocks access to the Windows Update servers.

Why whitelist it at all? (0)

Anonymous Coward | more than 2 years ago | (#36140958)

this one includes some odd behavior designed to prevent analysis and detection by antimalware systems.

If some software is hard to analyze, at some point shouldn't you just give up on trying to figure it out, and elect to never install it? I'd remove this from whitelist consideration and move on to a competitor, long before I'd bother with the trouble of sorting out such a mess.

Some software just isn't worth auditing. If they didn't even try to make it readable, fuck 'em. If you need to run a malware app, there's plenty out there to choose from, which don't fight you. Let Alureon languish in obscurity until they remove their tangledness.

Re:Why whitelist it at all? (2)

maxwell demon (590494) | more than 2 years ago | (#36141096)

The problem with this is that DRM software is also intentionally hard to analyse. And for a commercial OS vendor it's not a good idea to disallow DRM on installed software.

Where's Sony (0)

Anonymous Coward | more than 2 years ago | (#36140992)

Where's Sony's involvement in all of this?

Rootkits, malware, must be Sony.

I've heard of this. (1)

xerxesVII (707232) | more than 2 years ago | (#36141274)

I hear that the new version has some behaviors that make it harder to detect and also more difficult to analyze.

Is the open internet on its way out? (1)

AlphaOmegaLeague (2115370) | more than 2 years ago | (#36142984)

My impression is that the internet ecosystem is becoming so lethal that standalone boxes (especially windows) are on their way out. Even hosted blogs and web sites have a hard time defending against the constant onslaught of spam and exploits. Are we in the last days of the open internet, before moving to a more closed environment where only large server clouds will be able to survive?