
Windows Rootkits

michael posted more than 11 years ago | from the every-box-should-have-one dept.

Security 344

GuidoJ writes "The Register is running an article by Kevin Poulsen of SecurityFocus Online about rootkits in Windows NT. While rootkits are a well-known issue in Unix and Linux systems, they have rarely been found on compromised Windows machines. According to the article, Windows NT backdoors have always been 'trivial', and they have caused enough havoc already. Imagine what a stealthy rootkit could do!"


344 comments

First post! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5462394)

First Post!!!!

Re:First post! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5462449)

welcome to gheydot. A winner is you!

Re:First post! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5462566)

5cr1p+ k1dd13s 5h0u1d gr4b 4 r00+ !

So Does Finally Getting The First Post... (1)

Shturmovik (632314) | more than 11 years ago | (#5462528)

...make up for the fact that you'll never ever have sex? For your sake, we hope so.

Re:So Does Finally Getting The First Post... (0)

Anonymous Coward | more than 11 years ago | (#5462591)

...make up for the fact that you'll never ever have sex? For your sake, we hope so.

No, getting first post twice in a row makes up for it!

I'd Give That A Try... (1)

Shturmovik (632314) | more than 11 years ago | (#5462657)

...but my life would get in the way.

Re:I'd Give That A Try... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5462737)

...but my life would get in the way.

Which is doing mostly what? Reading slashdot?

Yeah, It Turns My Wife On. (0, Offtopic)

Shturmovik (632314) | more than 11 years ago | (#5462783)

She's under my desk right now. Oh no wait, that's the dog...

Re:Yeah, It Turns My Wife On. (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5462887)

The complete text of all the world's great works of literature, collected all into one place :

ABCDEFGHIJKLMNOPQRSTUVWXYZ

Clearly I am the smartest man in the world!

NAKED AND PETRIFIED RICHARD STALLMAN!!!!!! (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5462660)

With hot grits down his pants!!!

first post (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5462401)

oh yeah

imagine... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5462419)

what anal penetrators would do so hetrosexual men community!

And all this time (5, Funny)

antis0c (133550) | more than 11 years ago | (#5462426)

I thought Windows WAS a rootkit.

Re:And all this time (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#5462483)

And I thought Windows machines were BORN compromised.

Re:And all this time (1, Troll)

Johnny O (22313) | more than 11 years ago | (#5462725)

Re:And all this time (Score:0)
by Anonymous Coward on Friday March 07, @04:21PM (#5462483)

And I thought Windows machines were BORN compromised.
----
ROTFLMAO

I eat (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5462428)

jizz.

First post! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5462430)

In Soviet Russia we can only imagine what a beowulf cluster of these could do to YOU!

Roots on Windows aren't as l337 (2, Funny)

numbski (515011) | more than 11 years ago | (#5462433)

What I mean, is that what are you going to do from a windows remote terminal? I mean honestly, it's not that cool to have a windows terminal server session open (presuming that service is even set up), and even though you can telnet into windows, hacking in DOS just isn't 1337 enough. :P

Watch as I type edit and the screen goes blank!

Re:Roots on Windows aren't as l337 (1)

CoolVibe (11466) | more than 11 years ago | (#5462481)

And what about being able to execute windows scripting host scripts? If you _really_ want to, you can do almost anything from the console prompt in NT, but you'd have to work for it.

Of course, if the admin was so kind as to put a C or Bourne shell + cygwin on the NT box, heck, you can do whatever you want.

Re:Roots on Windows aren't as l337 (1)

B3ryllium (571199) | more than 11 years ago | (#5462495)

What if you root remote desktop connection, or whatever terminal services calls it? Full GUI access. This is why I changed the port for it :) It was damn hard to find out how, though.

Re:Roots on Windows aren't as l337 (1)

secolactico (519805) | more than 11 years ago | (#5462688)

Would you mind telling us how is it done? Or point us to a reference url?

Thanks.

Re:Roots on Windows aren't as l337 (2, Informative)

muletool (234921) | more than 11 years ago | (#5462801)

Heres some info for Win2k

http://lists.isb.sdnpk.org/pipermail/comp-list/2001-December/000558.html

Re:Roots on Windows aren't as l337 (4, Insightful)

slugo3 (31204) | more than 11 years ago | (#5462516)

"What I mean, is that what are you going to do from a windows remote terminal" - you don't necessarily have to set up a shell; you could install port scanners, eggdrop bots and ddos tools. Even though it's windows, you don't want to get hacked for a lot of the same reasons you don't want any computer with internet access to become compromised.

Re:Roots on Windows aren't as l337 (4, Interesting)

j_kenpo (571930) | more than 11 years ago | (#5462723)

A windows command prompt is only the beginning of the fun. Once there, you can install a hidden VNC server and get your remote desktop, as outlined in "Hacking Exposed" 2nd and 3rd editions in the section under Windows NT and Windows 2000. Also, if it is a Win2k box, you can enable the terminal service and run something like RT client or in linux Rdesktop to get a remote desktop. There are other things you can do with a command prompt too, such as install any other trojan along the lines of BO, or Sub7 for remote control havoc, not to mention things like run irc bots, zombies, or be really lame and set up crappy things like DDOS nodes. Or if you feel like cheating at SETI, you can set up a remote SETI client, or as some people saw, there was a virus/trojan that ran around and set up a Distributed.net client. Those are just basic examples of what you can do, and if there were a good Root kit for Windows, you could hide those processes. In truth, you could do all the same things you could do with a Windows root kit that can be done with a Unix one, only it just wouldn't be as cool for some reason.

When will I see red stories from the future? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5462439)

I wanna see my futuristic stories!

Rootkits in brief (5, Informative)

Anonymous Coward | more than 11 years ago | (#5462455)

Published on The O'Reilly Network (http://www.oreillynet.com/)
http://www.oreillynet.com/pub/a/linux/2001/12/14/rootkit.html
Understanding Rootkits
by Oktay Altunergil
12/14/2001

A rootkit is a collection of tools an intruder brings along to a victim computer after gaining initial access. A rootkit generally contains network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities such as ps, netstat, ifconfig, and killall. Although the intruders still need to break into a victim system before they can install their rootkits, the ease-of-use and the amount of destruction they cause make rootkits a big threat for system administrators.

The main purpose of a rootkit is to allow intruders to come back to the compromised system later and access it without being detected. A rootkit makes this very easy by installing a backdoor remote-access daemon, such as a modified version of telnetd or sshd. These will often run on a different port than the one that these daemons listen on by default.

Most rootkits also come with modified system binaries that replace the existing ones on the target system. At a minimum, core binaries such as ps, w, who, netstat, ls, find, and other binaries that can be used in monitoring server activity, are replaced so intruders and the processes they run are invisible to an unsuspecting system administrator.

Because most rootkits will mimic the creation dates and file sizes of the original system binaries while replacing them with infected versions, keeping records of these file statistics is not sufficient. Thus, the best way to make an inventory of system file information that can be used to identify suspicious activities on the server is to calculate the cryptographic checksums of these files and store this information in a safe location, such as on a CD.

Third-party tools such as Tripwire or AIDE make this process much easier and more robust by automating the calculation of these file signatures.

Here's a quick explanation of Tripwire from the organization's web site:

"Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc."

Obviously this process has to be repeated as you introduce more software and other files into your system. You can also use the RPM signatures on RPM-based systems such as Red Hat and SuSE to compare the current MD5 signatures of your files to those in the RPM installation database. Unfortunately, the RPM application itself and the local RPM database cannot be trusted to provide accurate information because intruders can potentially infect them too.

Some rootkits may also contain sniffer or keylogger applications that are used to gather passwords for other systems and listen to traffic for sensitive information. To do this, the rootkits set the PROMISCUOUS mode on the target machine's network interface card (NIC). In normal operation, a network interface card only listens to traffic that is specifically addressed to itself and traffic that is coming through the broadcast address that everyone listens to.

On a "non-promiscuous" network adapter, the packets that are addressed to other network interfaces are silently discarded without even looking at the actual data in them. However, when using directly connected computers or a network that uses basic, non-switching HUBs, your interface actually can listen to all traffic if it's in PROMISCUOUS mode.

If an intruder listens to this traffic on a relatively large network, the results may be catastrophic. To protect the whole network even when one of the machines is broken into, using direct cable connections and basic HUBs should be avoided. Switching-hubs and other more advanced networking equipment do not broadcast traffic to all the machines on the network, but only send it to the machine that is supposed to receive it, effectively protecting all the other machines on the network.

Because the first thing a system administrator does to monitor unusual activity is to check the system log files, it is very common for a rootkit to include a utility to modify the system logs. In some extreme cases, rootkits disable logging all together and discard all existing logs. Usually if the intruders intend to use the server for an extended period of time as a launch base for future intrusion activity, they will only remove those portions of logs that can reveal their presence. Because the absence of log files or stopped logging activity is a sign of suspicious activity itself, only attackers who have adopted the hit-and-run style will choose to blindly discard all logs.

One method administrators can use to maintain logs about an intrusion attempt -- successful or otherwise -- is to devise a system that detects network anomalies and alerts the system administrators by sending them notification email messages and/or log files. Obviously, the network intrusion detection and periodic log-file transfer methods cannot be trusted after the intruder gains access to the machine.


Arguably the most severe threat to system security that can be caused by a rootkit comes from those that deploy LKM (Loadable Kernel Module) trojans. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel on the fly -- without requiring a kernel recompilation. Although the benefits of using LKMs are universally recognized, they are also subject to abuse by intruders who use the kernel module-loading mechanism for malicious purposes. Even if you reboot a system that is infected by an LKM Trojan, the LKM process will reload it during boot-up just like any other kernel module. Loadable Kernel Modules are used by many operating systems including Linux, Solaris, and FreeBSD.
According to SANS, "Kernel [LKM] rootkits do not replace system binaries, they subvert them through the kernel. For example, ps may get process information from /proc (procfs). A kernel rootkit may subvert the kernel to hide specific processes from procfs so ps or even a known good copy from vendor media will report false information."

Although it is thought to be possible to cryptographically sign kernel modules, the best mode of prevention against this security threat is to compile all functionality statically into the kernel and disable the LKM functionality -- especially on a server system which is not likely to need additional kernel functionality at a later time.

Knark, Adore, and Rtkit are just a few of many LKM rootkits available today.

The only way to avoid rootkit installations on your system is to stop them before they enter your system. Remember that a rootkit is not designed to help an intruder gain access to a system. A rootkit is designed to make the intruders feel at home and allow them work silently on your system without being disturbed. To install a rootkit, an intruder still must gain unauthorized access to your server using traditional methods, such as exploiting known vulnerabilities or even practicing social engineering to get the password information from a well-meaning person who happens to have it.

To avoid future headaches, you should always install firewalls on your machines that are accessible via some type of a network, apply all published patches to your software, and disable any services that are not absolutely necessary. Coupling these practices with strong passwords and secure protocols, such as SSL and SSH where applicable, you can be sure that your system will never be compromised.

Well ... not exactly. Even if you make the maximum effort possible to secure your system, given enough exposure, it is still very likely that someone will break into your system and install a rootkit or two.

In my next article, I'll discuss some of the tools that are at your disposal in your quest to detect the existence of a rootkit on your system. I will also talk about what you can do to clean up a rootkit after you discover it.

Oktay Altunergil works full time as a Unix Administrator and PHP Programmer.

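The checksum inventory that the quoted O'Reilly article recommends, as an added example that is not part of the article or of the thread: it builds a SHA-256 baseline of a directory of stand-in "binaries" (a constructed temp directory, not real system files), then shows why size and mtime records are not enough, by replacing one file with a same-size copy that keeps the original timestamps. A stat-only comparison reports nothing; the hash comparison catches it.

```python
"""File-integrity baseline for system binaries (added example, not code from
the O'Reilly article or the Slashdot thread). Demonstrates the article's point
that a replacement binary which preserves size and timestamps passes a stat
check but fails a cryptographic checksum check. All file names and contents
below are constructed for the demo."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record size, mtime and SHA-256 for every regular file under root.
    In real use the result is written to a safe, read-only location
    (the article's CD); here it is kept as a JSON string."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            rel = os.path.relpath(path, root)
            baseline[rel] = {"size": st.st_size,
                             "mtime": st.st_mtime,
                             "sha256": sha256_file(path)}
    return baseline


def verify(root, baseline, use_hash=True):
    """Compare the live tree against a stored baseline.
    use_hash=False reproduces the weak size/mtime check the article warns
    about. Returns (changed, missing, new) as sorted lists of relative paths."""
    current = build_baseline(root)
    changed = []
    for rel, rec in baseline.items():
        cur = current.get(rel)
        if cur is None:
            continue  # reported under 'missing' below
        if use_hash:
            if cur["sha256"] != rec["sha256"]:
                changed.append(rel)
        elif cur["size"] != rec["size"] or abs(cur["mtime"] - rec["mtime"]) > 1e-6:
            changed.append(rel)
    missing = sorted(set(baseline) - set(current))
    new = sorted(set(current) - set(baseline))
    return sorted(changed), missing, new


def replace_preserving_stat(path, payload):
    """Simulate the behaviour the article describes: overwrite a file with a
    same-size replacement and copy the original timestamps back onto it."""
    st = os.stat(path)
    if len(payload) != st.st_size:
        raise ValueError("demo payload must match the original size")
    with open(path, "wb") as f:
        f.write(payload)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Build a baseline over constructed stand-in binaries, tamper with 'ps'
    while keeping its size and mtime, and return what each check reports."""
    root = tempfile.mkdtemp(prefix="fakebin-")
    try:
        originals = {"ps": b"ORIGINAL-ps-binary\n",
                     "netstat": b"ORIGINAL-netstat-bin\n",
                     "ls": b"ORIGINAL-ls-binary\n"}
        for name, data in originals.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        stored = json.dumps(build_baseline(root))  # stand-in for the off-host copy

        # Same length as the original (19 bytes), timestamps restored afterwards.
        replace_preserving_stat(os.path.join(root, "ps"), b"TROJANED-ps-binary\n")

        stat_changed, _, _ = verify(root, json.loads(stored), use_hash=False)
        hash_changed, _, _ = verify(root, json.loads(stored), use_hash=True)
        return {"stat": stat_changed, "hash": hash_changed}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The same caveat the article makes applies here: run the verifier from known-good media, since a copy of the checker living on the compromised host can be replaced like any other binary.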

Re:Rootkits in brief (0)

Anonymous Coward | more than 11 years ago | (#5462727)

Isn't violating copyright like that, er, just asking for trouble? IANAL, but that could get someone into deep bother...

Re:Rootkits in brief (0)

Anonymous Coward | more than 11 years ago | (#5462897)

Who in trouble? Slashdot is the one publishing it.

rootkit my ass (2, Insightful)

B3ryllium (571199) | more than 11 years ago | (#5462457)

Can't a decent firewall counter 90% of rootkits?

Re:rootkit my ass (5, Interesting)

Angry White Guy (521337) | more than 11 years ago | (#5462538)

There are ways to get around that. Make the compromised machine initiate all the communications, and you can punch a hole through all but the most determined firewalls. That's why irc bots are so popular.

Re:rootkit my ass (1)

B3ryllium (571199) | more than 11 years ago | (#5462593)

yeah, that's one way - although I suppose some Nazi system admins can even find ways to prevent that :)

You have to think like an admin (3, Interesting)

Angry White Guy (521337) | more than 11 years ago | (#5462649)

From trusted ports to trusted ports works for most firewalls. Another way is to control by e-mail. You could even make it look like DNS queries if you wanted. The trick is not getting caught on the way in. Once in, there's not a lot holding you back.

Re:You have to think like an admin (1, Informative)

Anonymous Coward | more than 11 years ago | (#5462851)

I've even read about stealthy ddos type applications that take their targeting and control info from remote hosts via specially encoded ICMP packets. Unless you expect them, the firewall may just think someone is doing a ping or traceroute.

Re:rootkit my ass (2, Interesting)

Elwood P Dowd (16933) | more than 11 years ago | (#5462863)

Not only that, you could easily make the rootkit query a webpage for instructions. It could check slashdot for posts by an anonymous coward with a certain set of keywords. If you are rooted, and your attacker has 10 ounces of creativity, a firewall will offer you zero protection. The firewall is there to make it more difficult to get rooted in the first place.

Re:rootkit my ass (1, Insightful)

handybundler (232934) | more than 11 years ago | (#5462604)

But the remaining 10% is obviously far more dangerous than 9/10 of the people who can't pass a firewall.

Re:rootkit my ass (1)

B3ryllium (571199) | more than 11 years ago | (#5462685)

Yeah, but at least they earned their status. ;-) I'd rather get cracked by Kevin Mitnick than by Joe Blow l33t h4x0R d00dZ. (Not to say that Mitnick could or would crack me, just as an example of ... prestige ... :)

Re:rootkit my ass (0)

robtm (199348) | more than 11 years ago | (#5462780)

"Can't a decent firewall counter 90% of rootkits?"

Well, then I guess that it is the other 10% that is the problem.

Re:rootkit my ass (1, Interesting)

Anonymous Coward | more than 11 years ago | (#5462822)

The Windows world runs very poorly designed apps, that are based on the idea of "active content." They can get compromised just by loading a spreadsheet. It's not like you have to connect to some port and buffer-overflow something. Just email the user a rootkit inside a trojan horse, and they'll run it.

What use is a firewall then? What are you gonna do, have the firewall block email? Block the web too, thanks to ActiveX controls and "plugins." The only firewall that really protects Windows, is the one where you pull the network cable out of their NIC and disable their floppy drive. (Then, if you want to be sure, pour gasoline on the computer and light a match.)

Windows and networks just don't belong together.

rootkit redundant. (5, Interesting)

aePrime (469226) | more than 11 years ago | (#5462467)

Well, as most Windows users run their boxes as Administrator anyway, a rootkit can almost be any program that's run with malicious intent.

I too, in the rarity that it's on, run my Windows box as Administrator because, unlike *nix, there's no easy way to become Admin (root) when you need to. You have to logout and log back in, unless they've changed it in recent releases.

Re:rootkit redundant. (5, Informative)

BagOBones (574735) | more than 11 years ago | (#5462559)

It's called Run As. It should be in every NT version of windows and it's in the Right Click menu (I think you have to hold Shift or Ctrl some times). Lets you try and run an app as any user you know the login to.

Re:rootkit redundant. (0)

Anonymous Coward | more than 11 years ago | (#5462568)

open up cmd.exe and type 'runas /?'

Re:rootkit redundant. (3, Informative)

glenebob (414078) | more than 11 years ago | (#5462569)

There's no need to run as Administrator. Pretty much any user account can mess up a Windows system pretty bad, even the Guest account.

But what you say is also true. I too run an account that's a member of Administrators because it's too much trouble to become all-powerful when needed.

It's kinda funny now that I'm thinking of it. You have to be an admin to install a printer, but any old account can delete the printer driver files. Nice.

Re:rootkit redundant. (5, Insightful)

stratjakt (596332) | more than 11 years ago | (#5462856)

There's no need to run as Administrator. Pretty much any user account can mess up a Windows system pretty bad, even the Guest account.

But what you say is also true. I too run an account that's a member of Administrators because it's too much trouble to become all-powerful when needed.

It's kinda funny now that I'm thinking of it. You have to be an admin to install a printer, but any old account can delete the printer driver files. Nice.


Not if you've spent some time locking down the box, and designing and implementing security properly. Users can't delete anything they don't have write access to.

Now, out of the box, WinXP and its predecessors install by default in a very insecure state. That I take issue with, but there's nothing stopping you from fixing that.

If you have your /bin directories set up as ugo+rwx then I can screw around with your printers too. This doesn't mean that linux is "insecure".

And if you run as administrator all the time, that's just like always logging in as root.

Too many people like to dump on Windows security, but very few have ever even bothered to try and set it up properly.

After the filesystem permissions are properly set, the local and domain policies in place and checked, the services audited for necessity and security, then what's left is a legitimate fault with Windows.

Re:rootkit redundant. (0)

Anonymous Coward | more than 11 years ago | (#5462583)

remote desktop to localhost also.. Runas

Very hard indeed, n00b

It's called runas in XP (1)

spells (203251) | more than 11 years ago | (#5462586)

Type runas at a command prompt for the options. Also you can right click on any icon to launch an app using runas.

Re:It's called runas in XP (1)

Fishstick (150821) | more than 11 years ago | (#5462911)

> Also you can right click on any ico

Hmm, not _any_ icon, apparently.

I just tried it on w2k pro here and it does work on .exe files (shift->right-click).

I did the same thing on a .pl file and the option didn't appear so it seems likely that win only will provide that option on right-click for some filetypes.

Thanks for the tip, tho. I didn't know about using runas from explorer.

2000 got better (1)

Angry White Guy (521337) | more than 11 years ago | (#5462587)

It's still not as friendly as *nix, but MS has caught on. They have added some support for installing programs as other users, and running programs as other users, but it's still not all there.

Re:rootkit redundant. (1)

ReverendRyan (582497) | more than 11 years ago | (#5462623)

Actually, in 2k at least, if you create a shortcut to whatever program you want to run as administrator then check the "run as different user" checkbox on the general tab of the properties, you can run any program as any user from any user. (except control panels)

There is also the "runas" command if you're at the shell. IIRC, the format is something like runas \u:(DOMAIN)/(USER) (PROGRAM) but it's been a while since I was on an NT box...

Re:rootkit redundant. (1)

deranged unix nut (20524) | more than 11 years ago | (#5462631)

BTW, you don't need to run as Administrator.

There is a nice little command runas that lets you 'su' to another user.

Also, in XP, runas is a right-click option on executable desktop and start menu items.

Re:rootkit redundant. (1)

emcron (455054) | more than 11 years ago | (#5462671)

On my XP box I log in as a limited user so as not to expose all administrative capability when it's not needed. It is very simple to execute a process as admin when needed: WinXP incorporates a "Run as" command (simply right-click the app) where you simply supply the admin password and *only* that program is granted admin capability, leaving the rest of the system still under the limited user restrictions.

runas - Re:rootkit redundant. (5, Informative)

Malc (1751) | more than 11 years ago | (#5462759)

That's not true - I do it all the time using "runas". I use it mostly to launch MMC with the permissions I need to access IIS on a test web server. I also occasionally use it to run Explorer with elevated permissions to save me effort accessing administrative shares. I think it's supposed to be one of the ways to install applications that require administrative permissions, although I'm not sure on that.

C:\>runas /?
RUNAS USAGE:

RUNAS [/profile] [/env] [/netonly] /user:<UserName> program

/profile if the user's profile needs to be loaded
/env to use current environment instead of user's.
/netonly use if the credentials specified are for remote access only.
/user <UserName> should be in form USER@DOMAIN or DOMAIN\USER
program command line for EXE. See below for examples

Examples:
> runas /profile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

NOTE: Enter user's password only when prompted.
NOTE: USER@DOMAIN is not compatible with /netonly.

Re:rootkit redundant. (0)

Anonymous Coward | more than 11 years ago | (#5462918)

I'm pretty sure in XP you can just right-click on an application and select "run as" to run a program with administrator rights.

Interesting (3, Interesting)

einhverfr (238914) | more than 11 years ago | (#5462468)

I suspect that too many of the Windoze h4x0rz are too lazy or incompetent to really put in a root-kit. It is possible (imagine if a backdoor installs a .vxd) and this could be devastating (of course driver signing might help).

Old news (3, Insightful)

kUnGf00m45t3r (628515) | more than 11 years ago | (#5462469)

Here's where the article was originally posted on March 5th: http://www.securityfocus.com/news/2879

his name (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5462492)

his name, was Kevin Poulsen

See, people just don't get it (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#5462498)

Microsoft, as its standard practice, has been incorporating the rootkit into the OS for years! They're just trying to make our lives easier.

Pardon? (0)

Anonymous Coward | more than 11 years ago | (#5462499)

they have rarely been found on compromised Windows machines.

Says who? Maybe windows admins were even slower than I thought.

I guess if you can't even install a patch...

TROLL!

Internet Explorer is a rootkit? (5, Funny)

metamatic (202216) | more than 11 years ago | (#5462511)

Sounds to me like IE counts as a root kit. It intercepts the API calls at low level, it can't be uninstalled by normal means, and it uses its "man in the middle" status to hide its secret log files [windows-sucks.com] of all the URLs you visit. Plus, of course, it provides root access via security holes...

Re:Internet Explorer is a rootkit? (2, Funny)

ConMotto (586959) | more than 11 years ago | (#5462676)

As funny as it sounds, I think it actually does. From the article,

"Also known as "kernel mode Trojans," root kits are far more sophisticated than the usual batch of Windows backdoor programs that irk network administrators today. The difference is the depth at which they control the compromised system."

The really worrying part (3, Insightful)

djkitsch (576853) | more than 11 years ago | (#5462522)

The bit that really concerns me is that it's possible at all, to install a device driver without the user's consent that can directly mediate between the hardware layer and the kernel -

But then I guess that it's possible precisely because MS have made it simple to manage, and thus simple to mis-manage.

Of course, the best way to defeat this kind of trojan is simply to use a firewall and block the ports being used to remotely configure the hidden driver. So then, the worrying part is not the trojan itself, but the competency of the average user...

Let's pretend I'm on linux... (2, Funny)

pr0ntab (632466) | more than 11 years ago | (#5462639)

Aha! I compromised a process running as root (for example). What shall I do now? I know, I'll insmod IHAX0REDUGOOD.so after dld'ng it from my xoom.com warez page. Oooh, now I can install zombieslaved and use IHAX0REDUGOOD to prevent anyone from seeing it.

So what about this is more difficult than windows? An API must exist for a driver to be loaded, therefore it can be exploited. The tool that interacts with a user installing a driver uses this API; the rootkit bypasses all possible interaction (and uses its privileged position to hide its existence).

Re:Let's pretend I'm on linux... (2, Informative)

djkitsch (576853) | more than 11 years ago | (#5462785)

My point was not that it's easier to do on Windows than on Linux (it's not), but that the average Linux user is a lot more likely to already have 'locked down' their system than the average Windows user, not to mention is more likely to have the skills to remove it.

Also, since Linux is a file based config OS, it's gonna be a damn sight easier to remove a rootkit than it would be with Win32. Having had experience (trying to) remove undesirable VXDs and so forth from Windows systems, if the driver in question is resident Windows itself tries very hard not to let you remove it, and there's no easy way to edit the registry without booting fully into the OS.

Re:Let's pretend I'm on linux... (1)

stratjakt (596332) | more than 11 years ago | (#5462920)

>> the average Linux user is a lot more likely to already have 'locked down' their system than the average Windows user, not to mention is more likely to have the skills to remove it.

I doubt that.

The average linux user is a 13 year old who downloaded Red Hat because he wants to be l337.

Go to #linux on efnet, grab IPs at random from the kids in the pack (heck try the mods too), and see how many you can log into with root/root or root/(blank).

Linux rootkits are more popular, IMO, because there's more you can do (network wise) with a few small shell scripts in linux, than you could in windows.

Re:The really worrying part (1)

Angry White Guy (521337) | more than 11 years ago | (#5462848)

That does not defeat the rootkit, that only makes you feel better. How about one that can get through your firewall. Maybe cycle through all ports until it can make communication? Hide with the rest of the traffic?

The best way to defeat this kind of trojan is to prevent it from being installed.

Heh...that's one way to decrease install size.. (4, Funny)

A_Non_Moose (413034) | more than 11 years ago | (#5462542)

quote:
"The stealth driver in my mind is the scary concept," says Mertens. "You can hide an elephant with it."

So the first thing they do is hide the \winnt folder?

Duh... (1)

HungWeiLo (250320) | more than 11 years ago | (#5462581)

Aren't all users Administrators with full Read/Write/Change priv's already? (Rootkit == Score: -1 Redundant)

Re:Duh... (2, Insightful)

The Evil Couch (621105) | more than 11 years ago | (#5462883)

yes and no. on win 9X systems (to include ME), yes. however, on NT based systems, not everyone is administrator. for home users, nearly everyone runs as admin, though. for network use, none of my users get much in the way of permissions, and I don't know a lot of windows sys-admins that give their users permissions much higher than bare minimum.

as a side note, don't I know you?

Imagine a beowulf cluster of rootkits! (5, Interesting)

Qrlx (258924) | more than 11 years ago | (#5462592)

But seriously, I'm asked to "Imagine what a stealthy rootkit could do!"

Having lived thru Melissa and ILOVEYOU, I can't imagine it would get much worse than that. The way security is(n't) done in Windows pretty much obviates the need for a rootkit, almost by design you could say.

People keep talking about the "next" Melissa, but I don't think there will be one -- for basically the same reason there won't be another 4 planes hijacked and crashed into buildings. Microsoft has learned from past mistakes, and Outlook is far far more secure "out of the box" than it once was.

People have learned, too; for example if you buy a new Dell it comes with McAfee Security Center, which gives you antivirus and (hopefully) some basic firewall protection. It took a few good beatdowns, but Joe User is at least aware of the dangers out there. To a degree I think we can thank the spammers; people are less likely to open suspect attachments nowadays because they prolly think it's spam. I'll take the silver lining and be happy.

I'd be far more worried about a rootkit/attack on the Internet itself (e.g. core routers, DNS) than the Next Big Windows Vulnerability. With the increasing trend towards Internet Everything, were I in the mood to break things, I would be hacking DNS and Cisco -- break the mesh and the nodes are useless. Conversely, clueful people weren't affected by SQL Slammer since why would you let your SQL Server talk to the Internet on port 1433 anyway?

Windows sucks... (-1)

Anonymous Coward | more than 11 years ago | (#5462644)

ass

Silly article, sensationalism and slim facts (2, Funny)

AEton (654737) | more than 11 years ago | (#5462695)

Jon Littman wrote an interesting book about Kevin Mitnick entitled The Fugitive Game. In it he partly addresses the situation of an FBI informant and not-so-l33t hax0r, Kevin Poulsen [nerdworldnj.com]. 100 to 1 this is the same l33t hax0r. Way back in the day--1990--Poulsen was described as not very l33t:

Their UNIX expertise was not high....I got the feeling these were guys not used to thinking in terms of multiuser systems, not being alert to the fact that "who"s and "ps"s casually invoked by someone else could expose them.

Now I grant you that 13 years is a lot of time for someone to change and learn to abandon stupid sensational media tactics. But look at the substance of the linked slashdot article: "I wrote a rootkit for Windows, I'm cool, and I ran a script kiddie workshop [blackhat.com] so lots of people can do it! By the way, I screwed up the old code. But the new ones the evil hax0rs will make will be really bad. .. So hire me as a consultant!"...um, yeah, right.

How to clean boot Windows? (5, Interesting)

Anonymous Coward | more than 11 years ago | (#5462701)

One of the annoying things about Windows, is that there doesn't seem to be any simple way to "clean boot" it off a floppy or CD.

It used to be that I would scan someone's system for malware by booting DOS6.22 (or later, Win98 since it could support some newer, bigger filesystem) and run F-Prot. This eventually became less and less practical. The scanner didn't even fit on a floppy anymore, so I was doing things like clean booting and making a RAM disk, and then unzipping several floppies onto the RAM disk just so I could run a scanner. But eventually people started using NTFS, which my DOS/Win98 boot floppies couldn't read anymore.

I guess I didn't keep up, and I didn't know what the orthodox approach to safe scanning was anymore. Eventually we started telling customers to see someone else about their Windows problems; we just wanted to support our apps and that was it.

Eventually I found out what the so-called "experts" we were referring people to were doing: they would boot the unclean, suspected system, and install some Windows-based antivirus program (McAfee, Norton, whatever), and then run it to scan the (possibly) infected system, while it was running in a (possibly) infected state. Holy shit, how stupid can you be? No wonder stuff doesn't get detected.

People were getting huge bills for techs' time too. The amount of waste I saw was staggering, and these were small businesses, not big megacorps.

I guess the only way to reliably scan a Windows system is take the hard disk out and mount it as a secondary drive in a known clean system? Beats me. Just about every other OS can be booted from removable media, but I don't know a way to do that with Windows. Oh well, somebody else's problem.

Except there isn't a "somebody else." The customers call around to try to find someone to help them, and in a city of half a million people, no one can. They ask again a couple of weeks and a few thousand dollars later, more desperate. And I tell 'em the only thing I know will work for sure: Totally wipe the HD and reload your apps.

Re:How to clean boot Windows? (3, Interesting)

j_kenpo (571930) | more than 11 years ago | (#5462821)

I'd have to agree with this. With the exception of the Emergency Recovery Console, in Win2k and WinXP, there isn't really a safe way that I can think of to clean out an infected Windows box the same way as the old Dos days (or even up to WinME). In Unix you could at least boot off a floppy or CD like Knoppix and mount the drive in some form of a safe manner. I've heard that there is supposedly a way to do this with Windows, but since I have no real desire to go back to Windows nor do I support Windows, I don't know the legitimacy of that statement nor have I checked. If a Win2k or winXP system is partitioned for FAT32, you could still boot off a floppy and run, but like you said, NTFS is a bitch. If there's some sort of corruption of the boot sector or fat table, mounting it secondary in another system would be suspect, and I have seen viruses that disable virus scanners (or at least attempt to) so installing one after the fact is only partially reliable, if at all. Anyone have any ideas on this?

Re:How to clean boot Windows? (3, Informative)

jd142 (129673) | more than 11 years ago | (#5462868)

Boot from a Linux floppy/cdrom or Windows cd. Boot to console, mount your drives as ro and scan them. Then if you find something, boot into safe mode and remove the offending files.

Pretty simple.
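For the procedure jd142 describes (boot clean media, mount the Windows disk read-only, scan it), here is an added example, not from the thread, of the offline integrity check a defender can run against that mounted volume: it hashes the tree and diffs it against a manifest taken from a known-good install. The function names, the manifest format and the /mnt/win mount point are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: offline integrity check of a Windows
# volume mounted read-only (e.g. mount -o ro,noexec,nodev) after booting from
# clean Linux media. The baseline manifest is assumed to have been produced
# by hash_tree on a known-good install of the same Windows version and
# service pack.

# hash_tree ROOT: one "sha256  ./relative/path" line per regular file.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# compare_manifest BASELINE CURRENT: report files whose hash differs from the
# baseline (MODIFIED), files with no baseline entry (ADDED) and baseline
# files that are gone (MISSING). The hash is the first 64 chars of each
# sha256sum line and the path starts at column 67, so paths with spaces
# ("Program Files") are handled.
compare_manifest() {
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }
        NR == FNR { base[p] = h; next }           # first file: baseline
        {
            if (!(p in base))        print "ADDED    " p
            else if (base[p] != h)   print "MODIFIED " p
            seen[p] = 1
        }
        END { for (p in base) if (!(p in seen)) print "MISSING  " p }
    ' "$1" "$2"
}

# check_volume MOUNTPOINT BASELINE: hash the mounted volume, diff it against
# the baseline, print the findings and return 1 if anything changed.
check_volume() {
    cur=$(mktemp) || return 2
    hash_tree "$1" > "$cur"
    findings=$(compare_manifest "$2" "$cur" | sort)
    rm -f "$cur"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage from the rescue shell (volume already mounted read-only):
#   check_volume /mnt/win /media/floppy/win2k-baseline.sha256
```

A trojaned system file and its copy in the backup cache both show up as MODIFIED, and a dropped library shows up as ADDED, without the suspect OS ever having been booted.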

Re:How to clean boot Windows? (1)

Jmstuckman (561420) | more than 11 years ago | (#5462919)

Knowing this probably doesn't help you now, but when F-PROT for DOS became too big to fit on a boot floppy, an option appeared to split the F-PROT files into two disks. It still works this way -- put program files on one disk, data files on the other, and the scanner will prompt you to swap disks when needed.


Re:How to clean boot Windows? (0)

Anonymous Coward | more than 11 years ago | (#5462923)

With Windows apps writing to portions of the boot sector, wiping the HD and starting clean might not work anymore in the not too distant future.

Imagine how many out there are already compromised (4, Insightful)

terraformer (617565) | more than 11 years ago | (#5462718)

According to the article, Windows NT backdoors have always been 'trivial'...

And given this, I wonder how many windows machines are already compromised?
I read this article a couple of days ago on bugtraq and they were speculating that with one known kit in existence, there are probably ten more they don't know about. They literally stumbled onto this one by accident.

Imagine these sleeping beauties (well beasts) all just waiting for the signal...

You mean windows isn't secure? (1)

zerus (108592) | more than 11 years ago | (#5462730)

What is this about rootkits and windows? Microsoft makes the most secure software don't they? I'm being facetious of course. This seems like old news for some reason, maybe it's seeing the light of day because of the slammer worm that kicked the shiznit out of so many servers. Chalk it up to the backlash effect if you ask me

Tips of using Windows rootkits (5, Informative)

Anonymous Coward | more than 11 years ago | (#5462814)

I'm a black hat and have had my hand in the creation of them a few times. You've got to realise that you have to target a default installation of windows given a certain platform. Here's some of my tips of how we go about infecting Windows computers so they are 'easier' for us to use..

1: We use packers and unpackers to protect all of our payloads, along with standard de-ICEing as to make casual debuggers simply crash. Look at some of the cracking group trainers as to understand how we hide stuff.

2: Sometimes, we put utilities on the machine (like grep, ps, kill) that normally aren't on Windows machines, however the Interix package makes a garbage DOS shell verrry usable ;-)

3: We hit many of the files, such as ntoskern, explorer, and others that are run many times per session. What's better is if you can offload the code to a common library.

4: If you target a Windows 2k or XP platform, make sure to install the payload inside a system file and its backup. If you don't, windows will overwrite your trojaned package with the known good one. With the bad in the cab, you'll be guaranteed a hole. Sometimes, however, the packages cause problems with windows updates. If that kind of thing happens, it usually causes a bluescreen.

5: A smart cracker will program the trojaned executable to check a web page on the net (say geocities) and parse the html for commands to do. This way, you have no direct 'link' to the rooted system, and somebody else takes the rap. Using an anonymizing proxy is highly recommended.

I've had no experience in writing a kernel-level NT driver, but from what I hear from my pals, it's a bitch to do right. I mostly do packages/integration with known software. You'd be amazed how many kid black hats think Netbus, Sub7 or Backoriface is the way you do such things. You just do NOT WANT TO TOUCH THIS CODE, as damn near every anti-virus software will alert the user. That equals a re-Ghost (which is a good reason to infect the main ghost image...).

I'll hang around a little while if there's any questions.

Ja ne..

What about spyware??? (0)

Anonymous Coward | more than 11 years ago | (#5462815)

Windows users, tend to run lots of exe's downloaded from the internet. Virtual girls, mail attachments, jokes, demos, ...

Can't one of these hack into the system and install a daemon which listens on a TCP port for commands? And can't one of these commands be to update the trojan?

At least in linux, you can't override system files if you are not root. On the other hand, all Windows users use their computer as root.

That's already "rootkit".

Why bother? (5, Insightful)

Anonymous Coward | more than 11 years ago | (#5462817)

Nobody bothered with NT rootkits for years because individual users had enough privileges that it wasn't worth the trouble. As long as you can write the registry as an ordinary user, you're in.

The article confuses two issues - programs that acquire administrator privileges (trivial) and programs that run in kernel mode (possible, but why bother)? Which are they talking about?

Once Palladium is deployed, attacks that reside below the operating system will be possible. Once the attack is in "secure storage", anti-virus tools won't be able to find it or remove it. Now that will be l33t.

I wonder about the call for signed drivers... (3, Insightful)

Anonymous Coward | more than 11 years ago | (#5462826)

Windows root kits have been available for years. I don't even remember how long ago it was I gave up complaining about their use on the machines on campus. =)

As far as a university machine goes, it's more than trivial to use MS Office's VBA to control a machine with hand written code to edit the filesystem and even make simple shells even if the machine has had its cmd.exe/command.com 'removed'...

Perhaps this is just a way to force everyone into supporting signed drivers and letting MS control yet another aspect of the PC industry. There is little other reason to draw attention to the well known fact of widely available windows kits.

Not very much of a sysadmin is he? (4, Funny)

JJAnon (180699) | more than 11 years ago | (#5462836)

I don't think that cluster had bluescreened since it was put into production two years ago.
.. which is proof that this was the first time he checked on the cluster since it was 'put in production'.