
Windows Rootkit Wars Escalate

timothy posted about 8 years ago | from the most-secure-version-of-windows-ever dept.


An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in an ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."

342 comments

FIRST POST! (-1, Offtopic)

Anonymous Coward | about 8 years ago | (#15712893)

from a machine with a rootkid installed... 0wned!

T-minus 3... 2... 1... (-1, Flamebait)

Recovering Hater (833107) | about 8 years ago | (#15712901)

Cue the Mac OS-X / *Nix / *BSD zealotry.

Re:T-minus 3... 2... 1... (2, Interesting)

tomstdenis (446163) | about 8 years ago | (#15712920)

Well it wouldn't happen in other OSes because NTFS is a closed proprietary standard. :-)

That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!

Tom

Re:T-minus 3... 2... 1... (4, Insightful)

alexhs (877055) | about 8 years ago | (#15713022)

That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!

What about developers? Lots of apps -- essentially games -- don't run well in unprivileged environments. I run as an unprivileged user but usually need to use runas when I didn't take the time to adjust braindead default program settings. And you can't ask the average user to tweak file and registry permissions. BTW I've seen apps opening data files rw when only ro was needed. How do you avoid security flaws then? Editing the binary to change call parameters isn't an option...

Re:T-minus 3... 2... 1... (1)

tomstdenis (446163) | about 8 years ago | (#15713071)

All valid points.

I seem to recall Word [used to?] writing files in the \windows\system32 dir....

Tom

Re:T-minus 3... 2... 1... (1)

quantum bit (225091) | about 8 years ago | (#15713091)

This was definitely fixed in Word 2000, not sure about 97. Stupid MS org chart tool still tried to do that though.

Re:T-minus 3... 2... 1... (-1, Troll)

not already in use (972294) | about 8 years ago | (#15712928)

And go! Aww crap, the windows apologists beat me to the punch. Whether or not it's possible for a rootkit to go completely undetected on OSX, there's no denying that it hasn't happened yet, and thus, I don't have to deal with it. Not fanboy speak, just reality.

Re:T-minus 3... 2... 1... (1)

failure-man (870605) | about 8 years ago | (#15712965)

There's something wrong with your statement. Look for it. Something about "no denying." ;)

Re:T-minus 3... 2... 1... (3, Insightful)

Anonymous Coward | about 8 years ago | (#15712967)

>possible for a rootkit to go completely undetected on OSX

If it's undetectable how would you know?

Re:T-minus 3... 2... 1... (1)

YU Nicks NE Way (129084) | about 8 years ago | (#15713055)

The parent is either the best troll I've ever read, or the stupidest piece of fanboy fiction ever propagated. I'm hoping it's a troll, because, if it is, it needs to be held up to all attempted trollers as the standard to which they should aspire.

Oh, by the way -- if there were an undetectable rootkit on OS X, how would one go about finding it?

Re:T-minus 3... 2... 1... (0)

Anonymous Coward | about 8 years ago | (#15713072)

How did we find out about this undetectable windows rootkit?

Re:T-minus 3... 2... 1... (1)

Philip K Dickhead (906971) | about 8 years ago | (#15713281)

How did we find out about this undetectable windows rootkit?
Xray-glasses. They can see the invisible ink. Windows is anything-proof!

You're foot touched the hot lava!

Re:T-minus 3... 2... 1... (1)

dfghjk (711126) | about 8 years ago | (#15713225)

The parent isn't an apology in any way, and how is anything related to OSX remotely relevant? As the parent said, any issue with Windows will be viewed as an opportunity to evangelize macs! Nicely done.

Re:T-minus 3... 2... 1... (1, Funny)

failure-man (870605) | about 8 years ago | (#15712944)

Yeah! We've had rootkits since . . . . . well, about as long as we've had root! Your retarded spawn of DOS and an art school is late to the party.
 
Better late than never though I suppose . . . . .

Enough is enough (0, Troll)

Le Marteau (206396) | about 8 years ago | (#15712907)

Breaking into a computer should be considered as serious as breaking into one's home. Enough of the "kids will be kids" stuff, and let's have our government go after the zombie masters as the scum that they are: invaders into our lives and our stuff.

Re:Enough is enough (3, Funny)

AssCork (769414) | about 8 years ago | (#15712932)

The Government's resources are currently tied up chasing 'terrorists' and holding the world's oil supply hostage. Please wait your turn. Your post has been noted and the next available Government Agent will be dispatched as soon as they are free. Thanks.

Re:Enough is enough (4, Insightful)

SoCalChris (573049) | about 8 years ago | (#15712933)

From what I understand, the government does take computer crime seriously, and does go after virus & rootkit authors. Unless that author happens to be a corporation, in which case it's a-ok.

Are you kidding? (-1, Troll)

JonTurner (178845) | about 8 years ago | (#15712963)

>>let's have our government go after the zombie masters as the scum that they are: invaders into our lives and our stuff.

Good luck with that. The US government can't even pursue terrorists who kill American citizens without inviting substantial criticism. If they can't arrest cold-blooded killers you think they're going to be able to round up computer geeks?

Maybe the UN can take care of this. (trying to suppress a chuckle)

Re:Are you kidding? (1)

failure-man (870605) | about 8 years ago | (#15712983)

I think the criticism probably stems from the fact that they're so bad at catching them and cause so much "collateral damage" . . . . . .

Re:Are you kidding? (1)

kalirion (728907) | about 8 years ago | (#15712990)

I think you misunderstood the GP. He is not saying we should pick up everyone who at some point had a drink with the third cousin, twice removed, of a hacker, and throw them on a CIA plane to be boiled in Uzbekistan without any semblance of due process.

And as other people have said, the government is going after hackers.

Re:Are you kidding? (4, Insightful)

miskatonic alumnus (668722) | about 8 years ago | (#15713082)

The US government can't even pursue terrorists who kill American citizens without inviting substantial criticism.

Aren't a lot of those terrorists dead? You know, the ones with bombs strapped to them, or the ones who forced planes into buildings. And as regards the living terrorists, the criticism isn't so much directed at their pursuit, but rather the collateral damage in terms of innocent civilian casualties abroad and loss of civil rights at home.

Re:Are you kidding? (0)

Anonymous Coward | about 8 years ago | (#15713135)

Please,

Ass pyramids, paper bags, and barking dogs are not torture.

Seeing Ms. England nude, however, you got me on that one.

Re:Are you kidding? (0)

Anonymous Coward | about 8 years ago | (#15713187)

Really? Who was criticizing the US government for going into Afghanistan?

Ohhh, you are talking about criticisms on the war in IRAQ. The place that didn't attack us. The place with no weapons of mass destruction.

Idiot neocon.

Re:Are you kidding? (1)

Kylere (846597) | about 8 years ago | (#15713213)

You must be kidding, our government since before Clinton wastes its resources handling trifling issues and ignoring the terrorist threats as much as possible.

Re:Are you kidding? (1)

plague3106 (71849) | about 8 years ago | (#15713257)

Except that when Gore was VP one of his recommendations was a no-fly list that went ignored by the FAA. There's an article on CNN on TWA 800 today, which shows they were the first to think it was terrorism, and started looking into how to deal with it.

Re:Are you kidding? (0)

Anonymous Coward | about 8 years ago | (#15713244)

The US government can't even pursue terrorists who kill American citizens without inviting substantial criticism

Please correct me if I'm wrong, but I do not recall criticism of attacking the al Qaeda training camps in Afghanistan. The criticism started once we invaded a non-related, anti-al Qaeda nation under the false pretense of an impending WMD attack.

Re:Enough is enough (1, Insightful)

Anonymous Coward | about 8 years ago | (#15712992)

Since when does the government "go after" people who break in to homes? Even busting people who don't mow their lawns is a higher priority.

Ha, ha, ha (3, Insightful)

Opportunist (166417) | about 8 years ago | (#15713000)

If it wasn't so sad, it would be funny.

tell me how, please. The things you know about him/her/them/whatever:

A DNS-Server in San Jose.
A host in Kiew.
Code generated in Russia.
Distributed by spambots from around the world.

Now, where do you start looking? Have you ever tried getting some help from authorities in Russia? If not, it's a worthy adventure. At the very least, it gives you enough material to write a very interesting book.

Re:Enough is enough (1, Insightful)

Anonymous Coward | about 8 years ago | (#15713313)

Why? Afraid someone will see your porn collection? Seriously, house breaking should be ignored by the law as much as computer cracking should. The police never "find" who done it when your house is robbed, 99% of the time they never even find your stuff. If you are lucky a cop sees the crime happening and stops it while it's in progress. It's a waste of time for them, that's how they feel about it. The government should force everyone to handle their own security.

Poof! No more problem.

Oh, wait, yes, the lame whiners who currently complain that they can't keep their computer secure will bitch because they can't seem to work a deadbolt and what is a lock anyway? Saying the government should handle computer security is like saying that an officer of the law should be stationed at your house to lock your doors for you and take the car keys out of your ignition.

No, security should be entirely in the private realm.

number 1 reason to hate sony (1, Interesting)

Data Link Layer (743774) | about 8 years ago | (#15712909)

I don't hate sony because they installed rootkits on some people's computers, I hate them because of that incident the word rootkit became popular.

Re:number 1 reason to hate sony (0)

eln (21727) | about 8 years ago | (#15712941)

"rootkit" has been a popular term to describe a package like this for decades. A rootkit is a tool that script kiddies use to break into systems, as opposed to someone with actual skill finding and exploiting weaknesses using their own brain.

Re:number 1 reason to hate sony (5, Informative)

djdavetrouble (442175) | about 8 years ago | (#15713079)

A rootkit is a tool that script kiddies use to break into systems, as opposed to someone with actual skill finding and exploiting weaknesses using their own brain.

No it isn't.
A rootkit is what is installed to give the cracker unimpeded access (provides a backdoor, hides processes, replaces legitimate processes with trojaned ones, keeps activity out of system logs) once they have gained entry to a system (usually through a known vulnerability.) Their activity would be hidden from netstat, ps, etc.

At least look at Wikipedia [wikipedia.org] .

Re:number 1 reason to hate sony (1)

eln (21727) | about 8 years ago | (#15713126)

Actually, it's both [retrologic.com] .

Re:number 1 reason to hate sony (4, Informative)

mobby_6kl (668092) | about 8 years ago | (#15713193)

I don't think I've heard anyone use the term to refer to automatic cracking tools, although it wouldn't be completely unreasonable (rootkit == a kit to get root). Actually, it looks like someone edited the entry and simply inserted "; an automated cracking tool" to completely change the definition ;)

Even the ultimate authority on computer terminology, the Urban Dictionary [urbandictionary.com] , gets it right:

A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows.

The rootkit concept is the dominant controversial aspect of the 2005 Sony CD copy protection controversy, which has made the previously obscure concept of a rootkit much more widely known in the technology community, and to the general public

Re:number 1 reason to hate sony (1)

eln (21727) | about 8 years ago | (#15713218)

Interesting. I've heard it used many times that way. In my understanding of the word, a rootkit is a collection of scripts that will both crack root and install backdoors and other protections to help you maintain root once you're in. I don't know that I've ever heard it applied only to the tools you use once you're already in.

Maybe the word isn't as universal as we thought ;).

Re:number 1 reason to hate sony (4, Funny)

ScentCone (795499) | about 8 years ago | (#15712945)

I hate them because of that incident the word rootkit became popular.

I know what you mean! Just the other day I was listening to two teenage girls yakking in the mall...

"Oh no you did-uhnt! Girl, you can't be lettin' some loser root your kit like that!"

Re:number 1 reason to hate sony (1)

SomeoneGotMyNick (200685) | about 8 years ago | (#15713059)

Gee, I would have thought rootkit would have been the term used for a hair dye touchup product.

Re:number 1 reason to hate sony (1)

treeves (963993) | about 8 years ago | (#15713274)

Probably the P intended a different meaning - one that would be clear had he/she (yeah, right!) written two sentences instead of a run-on sentence (i.e. "I hate them. Because of that incident. . . )
- Grammar Nazi sympathizer

Re:number 1 reason to hate sony (1)

punkr0x (945364) | about 8 years ago | (#15712958)

That's like saying you hate Osama Bin Ladin for making the word "terrorism" popular! Hate Sony/Osama for their actions, hate Slashdot/the NSA for popularizing the word.

Hey! (1)

Philip K Dickhead (906971) | about 8 years ago | (#15713317)

That's like saying you hate Osama Bin Ladin for making the word "terrorism" popular! Hate Sony/Osama for their actions, hate Slashdot/the NSA for popularizing the word.


Hey Hey! Hate the game! Not the playa'! 'Sama 'n Sony got serious game.

Re:number 1 reason to hate sony (0)

Anonymous Coward | about 8 years ago | (#15712960)

it was popular way before that.
I don't think sony made any difference.

Re:number 1 reason to hate sony (1)

Opportunist (166417) | about 8 years ago | (#15713018)

Actually, that's something I like about them (as much as I hate Sony, for ... various reasons, let's not get there). They managed to get the term "rootkit" into everyone's head, even people who didn't even know what "root" meant when applied to a computer.

If nothing else, it raised the awareness that there is a problem. Which also proves that nobody is useless, everyone can at least serve as a bad example.

Re:number 1 reason to hate sony (1)

AcidLacedPenguiN (835552) | about 8 years ago | (#15713021)

Personally, I'd much rather have a rootbeer. Or maybe just a regular beer.

Whats ADS for? (1, Interesting)

Viol8 (599362) | about 8 years ago | (#15712912)

Was this designed simply as an easy way to hide (system?) files in the filesystem, or was it for something different entirely? I remember there being a "chmod +/-h" in old (perhaps even current, I no longer use it) versions of HP-UX that would hide files; is this something similar?

Re:Whats ADS for? (4, Informative)

baywulf (214371) | about 8 years ago | (#15712943)

It is like a generalized version of the resource and data fork on old MacOS files with similar uses.

Re:Whats ADS for? (4, Informative)

MrNougat (927651) | about 8 years ago | (#15713063)

"In essence they were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh's file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details."

http://www.securityfocus.com/infocus/1822 [securityfocus.com]

Here's a nice FAQ on that. (4, Informative)

khasim (1285) | about 8 years ago | (#15712971)

http://www.heysoft.de/nt/ntfs-ads.htm [heysoft.de]

There's a lot that can be done with it.

Re:Whats ADS for? (1)

ben there... (946946) | about 8 years ago | (#15712977)

I'm guessing, but I think ADS could be used to store a thumbnail with a movie file, or a transcript, or other types of metadata.

Not that it ever has been used for anything significant like that.

Re:Whats ADS for? (2, Informative)

staticdaze (597246) | about 8 years ago | (#15713009)

ADS is used in Windows as part of everyday usage. The "Summary" tab that you see when you view any file's properties is stored in ADS. Also, I believe (vague memory here) that when you download something in Internet explorer and try to run the file, the flag for that annoying "You got this from the Internet, are you sure you want to run it?" is stored in ADS.
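Since the thread asks what ADS is for and the summary's point is that the rootkit hides inside a stream that normal enumeration does not show, here is an added example (not from any poster in this thread) of what a defender can do on a clean box: walk a directory tree and list every named stream that is not the file's default data stream. It assumes PowerShell 3.0 or later, where the FileSystem provider's Get-Item and Get-Content accept a -Stream parameter. The stream name Zone.Identifier is the real name of the "downloaded from the Internet" marker the comment above describes; the other names in the script are constructed for the example.

```powershell
# Added example: enumerate NTFS alternate data streams under a directory and
# report any stream that is not the unnamed default data stream (':$DATA').
# Assumes PowerShell 3.0+ (-Stream support on Get-Item / Get-Content).
param(
    [string]$Path = ".",
    [switch]$ShowZoneIdentifier   # also list the routine Zone.Identifier streams
)

# Streams Windows writes as part of normal use; anything else deserves a look.
$routineStreams = @('Zone.Identifier')

function Get-UnexpectedStreams {
    param([string]$Root, [bool]$IncludeRoutine)

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # Get-Item -Stream * returns one object per stream, including ':$DATA'.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $isRoutine = $routineStreams -contains $_.Stream
                    if ($isRoutine -and -not $IncludeRoutine) { return }
                    $note = 'review: unexpected named stream'
                    if ($isRoutine) { $note = 'routine Windows stream' }
                    [pscustomobject]@{
                        File   = $file
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Note   = $note
                    }
                }
        }
}

# Read the content of one named stream, e.g. the Zone.Identifier marker, which
# for a file saved by a browser typically contains "[ZoneTransfer]" and "ZoneId=3".
function Read-Stream {
    param([string]$File, [string]$StreamName)
    Get-Content -LiteralPath $File -Stream $StreamName -ErrorAction Stop
}

Get-UnexpectedStreams -Root $Path -IncludeRoutine:$ShowZoneIdentifier |
    Sort-Object File, Stream |
    Format-Table -AutoSize
```

Run it as `.\Find-Ads.ps1 -Path C:\Users -ShowZoneIdentifier` (file name is the example's own choice) to see the routine marker streams as well; without the switch only streams that Windows does not normally create are listed. The caveat the summary itself makes applies: this script asks the running kernel for the stream list, so a driver that filters stream enumeration (which is exactly what the article says Rustock does) will hide from it too. A listing taken from the infected system is only a first pass; a trustworthy one is taken with the disk mounted from known-good boot media, as WhiteWolf666 argues further down the thread.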

Re:Whats ADS for? (3, Interesting)

Control-Z (321144) | about 8 years ago | (#15713266)

It's much more than a "hidden" attribute on a file.

I fought with the HackerDefender rootkit earlier this year. Best I can tell it got in through a vulnerability in the Finger port of my mail server. It installed itself as a legacy mode device driver. The device driver was set up to hide certain filenames from Windows. Once installed, you COULD NOT SEE the files the rootkit used. The files weren't files marked with the "hidden" attribute, they were simply hidden from Windows at all levels. You COULD NOT SEE the registry entries. You could not see the task in Task Manager. Very evil and took many hours of my time to fix.

Forever War (4, Insightful)

Kream (78601) | about 8 years ago | (#15712916)

rootkit v. counter rootkit
counter counter rootkit v. counter rootkit
counter counter counter rootkit v. counter counter rootkit

An endless cycle of patch, pray, patch, pray, reinstall awaits us.

X|K|Ubuntu, anyone?

Re:Forever War (0)

rowama (907743) | about 8 years ago | (#15713015)

Until the rootkit named "Roadblock" emerges, then the war is over ...
Oh wait, this is not about Robot Wars. Sorry.

Re:Forever War (2, Funny)

0xABADC0DA (867955) | about 8 years ago | (#15713119)

Here let me codify that:

while (!os_written_in_typesafe_language) {
      counter_rootkit(create_rootkit(true));
}
. . .
catch (NoSuchRootkitPossibleException ex) {
// what's that you say?
}

Re:Forever War (1)

Tim Browse (9263) | about 8 years ago | (#15713314)

Is there any particular reason you believe that writing an OS in a typesafe language would make rootkits impossible? Or are you implying something else?

So which... (0)

Anonymous Coward | about 8 years ago | (#15712917)

So which CDs does this one come on? When can I expect a class action suit to get me a few free downloads from it?

Undetectable? (2, Insightful)

PIPBoy3000 (619296) | about 8 years ago | (#15712926)

Since F-Secure detects it, does that imply it's not popular?

Re:Undetectable? And old news too (2, Insightful)

tradeoph (691427) | about 8 years ago | (#15713029)

Since F-Secure detects it since June 21st, does it imply this is old news?

if only windows was closed source (5, Funny)

Anonymous Coward | about 8 years ago | (#15712946)

If only Windows was closed source, then writing such tools would be difficult. Oh, wait...

Detection (4, Funny)

kirkb (158552) | about 8 years ago | (#15712972)

This Russian-created rootkit is smart enough to recognize known anti-rootkit tools and hide from them.

Does this mean that in Soviet Russia, rootkits detect y... Bah, nevermind. Too easy. :P

Security doesn't start at rootkit detection (5, Insightful)

Opportunist (166417) | about 8 years ago | (#15712974)

People, please, stay sensible. First of all, a rootkit has to GET into a system. How it hides, how it vanishes, how it hooks certain parts of the system and how it defeats anti-rootkit tools is moot if it doesn't even GET that far.

Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!

And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unreliable source without at least checking what it is!

My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.

There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?

Re:Security doesn't start at rootkit detection (0, Troll)

Bryansix (761547) | about 8 years ago | (#15713002)

While you are correct about 99% of infections, about 1% come from just connecting to the internet. Remember that there was a time when MS did not have a patch out and you could get a virus just by being online. In addition holes in IE allow machines to be infected simply by surfing onto legitimate websites that have been compromised on the backend.

Re:Security doesn't start at rootkit detection (3, Insightful)

Opportunist (166417) | about 8 years ago | (#15713052)

Sorry to say it bluntly, but I do remember. It's over. It's patched. Currently, there are no unpatched bugs (at least none that I'm aware of) that let you deliver malware straight to a connected computer.

Which does not mean that I'd connect to the 'net without a firewall.

Re:Security doesn't start at rootkit detection (0)

Anonymous Coward | about 8 years ago | (#15713182)

If you are online with windows without a
1) Firewall
2) AV program (up to date and all)
3) Decently secure web browser (and secure/up to date remote accessing programs in general)

Then it's your own damn fault.

Re:Security doesn't start at rootkit detection (4, Insightful)

Billosaur (927319) | about 8 years ago | (#15713087)

And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unreliable source without at least checking what it is!

My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.

Normally I would agree, but what about the fact that there may be legitimate sites out there that have been infected by this rootkit, which will then in turn infect users who have no reason to fear infection? Not every worm or trojan is spread via the incompetence of the user -- it only seems that way. Look at the way 180solutions is dumping spyware on unaware MySpace users who click on seemingly legitimate content, including an ad for software to protect children. All someone has to do is slip this sucker into some seemingly harmless content and WHAM!

Re:Security doesn't start at rootkit detection (1)

Opportunist (166417) | about 8 years ago | (#15713271)

I'd put that under "clicking every kind of useless crap". :)

Re:Security doesn't start at rootkit detection (5, Insightful)

Jaysu (952981) | about 8 years ago | (#15713121)

"My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon."

oh, and uh, don't put a store bought Sony music CD in there either. Spam can come in forms besides bright flashing "click me" banners.

Re:Security doesn't start at rootkit detection (3, Funny)

Opportunist (166417) | about 8 years ago | (#15713288)

What do you mean, "buy music"?

Re:Security doesn't start at rootkit detection (2, Insightful)

WhiteWolf666 (145211) | about 8 years ago | (#15713285)

Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!

Oh, [secunia.com] really? [blogspot.com]

Not to mention that if they have to implement double-digits worth of patches a month [vnunet.com] you have to suspect that there are, indeed, unknown (by the public) security holes to be found, and which may have already been found by blackhats.

Antimalware tools are akin to snake oil and herbal remedies. No sane system should need that kind of overhead, and I've said it before: once you're infected, the only way of going back to a "known clean" configuration is a wipe and restore from "known good" media, or a complete checksum of binary signatures from a read-only known-good boot medium. The only thing antimalware does is make you feel safe, much like the Windows Security Center logo. Once your system is infected, a good root-kit is unremovable, and even garden variety uncommon malware may not be detected by the popular virus scanners; this is exactly what happened to Valve with the Half-Life 2 code theft. Someone designed a custom worm to penetrate their network and e-mail out important corporate files, and they got away with it.

Re:Security doesn't start at rootkit detection (1)

fermion (181285) | about 8 years ago | (#15713312)

Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of

This is the situation we find ourselves in on most popular OS and browsers. There are no simple ways to remotely install software without at least the user indirectly knowing about it. This is an improvement. As you say, it is now a social problem where someone has to click a link on some spam email. So it is a social problem. Note, however, that it might be better if the user had to click a link, accept a box that accepted the download, and then another that accepted the install. This seems to be what MS Vista does, and we will see how that goes.

All that aside, the notion that there is no existing problem does not mean that there will not be a future problem. After all, the past problems have largely been caused by well meaning developers trying to gain a market advantage, often by making the user a more attractive target for advertisers or otherwise making it easier to extract money or time from the user. Though we have reached a reasonable medium at the moment, there is every reason to believe this stasis will be broken at some point in future, probably in 6-12 months, and a significant opportunity will present itself. When that opportunity does present itself, this rootkit will be ready.

Yes, it works in Vista (3, Informative)

ThinkFr33ly (902481) | about 8 years ago | (#15712994)

I think it's somewhat disingenuous to specifically note this rootkit works in Vista. It implies that the security work done in Vista has somehow failed.

Vista has numerous improvements security wise, and almost all of them have to do with preventing a machine from becoming infected to begin with.

, [msdn.com] UAC [msdn.com] , Windows Defender [microsoft.com] , the improved software firewall [microsoft.com] , IE 7+ sandboxing/broker [msdn.com] , etc... these are all meant to make it a lot harder for malware to get on the machine to begin with.

As the old security adage goes, if untrusted software is run on your machine, it's not your machine anymore. [microsoft.com]

Re:Yes, it works in Vista (3, Informative)

ThinkFr33ly (902481) | about 8 years ago | (#15713011)

Sorry, that first link should be:

Address space randomization [msdn.com] .

Helps if you actually preview before posting. :(

Works in but did it install itself? (2, Insightful)

Shivetya (243324) | about 8 years ago | (#15713031)

or did they make sure it could install?

Re:Yes, it works in Vista (3, Insightful)

alexhs (877055) | about 8 years ago | (#15713080)

About your last link, #4 is wrong. Allowing to upload a program and allowing to run it is a very different thing.

A bad guy can upload files on your web site, if he isn't allowed to run them, you've nothing to fear (except if YOU run them afterwards, of course, but it's covered by #1)

Re:Yes, it works in Vista (1)

figleaf (672550) | about 8 years ago | (#15713131)

You forgot to mention the changes in x64 versions of Windows which have made them impervious to rootkits so far.

Re:Yes, it works in Vista (1)

ThinkFr33ly (902481) | about 8 years ago | (#15713180)

I'm not sure that's true (I think I remember hearing about an x64 proof of concept root kit), but even if that is true it's just because the layout of OS components in memory has changed.

Getting around this is simply a matter of coding for it.

The Address Space Randomization, however, would make this very, very hard.

Re:Yes, it works in Vista (0)

Anonymous Coward | about 8 years ago | (#15713310)

it has nothing to do with layouts.

Symantech vs F-Secure (4, Informative)

Bill, Shooter of Bul (629286) | about 8 years ago | (#15713037)

FSecure's posting says that they released a version of their antirootkit software that can defeat this. Date June 21

Symantec says that FSecure's product can't remove this. Date June 29.

Any reason for this discrepancy? You'd think they'd continue to monitor what other companies are doing to combat the problem and 8 days would be enough for them to find out about the new release.

Re:Symantech vs F-Secure (1)

Fencepost (107992) | about 8 years ago | (#15713223)

The Symantec article may be referring to some research they were doing over the course of a week or two, or the fact that they're looking at Rustock.B may mean that it's a new variant that again deals with F-Secure's detection.

Could you thwart an undetectable rootkit anyway? (0)

Anonymous Coward | about 8 years ago | (#15713073)

To be useful to its creators, a rootkit has to do something. That something usually involves communication on the internet. So, could you find a rootkit by looking for tcp addresses by text searching the whole hard drive? Could you thwart it by detecting an attempt to communicate with certain addresses?

Re:Could you thwart an undetectable rootkit anyway (1)

Khyber (864651) | about 8 years ago | (#15713157)

not easy as long as ADS exists.

Seems to effect (1, Interesting)

Utopia (149375) | about 8 years ago | (#15713078)

x86 versions only.

Would be interesting to know if there will be or are 64-bit versions of rootkits.

Re:Seems to affect (1)

LordKaT (619540) | about 8 years ago | (#15713264)

You mean 32-bit, right? The desktop 64-bit processors out now are x86 processors, unless I missed the memo that we were all to move to RISC.

HYPE SELLS (1, Funny)

majest!k (836921) | about 8 years ago | (#15713081)

"Rootkit Wars" ??

This isn't a war. This is merely an advance in the sophistication of one rootkit. This happens all the time.

Why is this being called a "war" now?

Maybe because if they called it what it is - "Another Lame Virus Advancement" - nobody would click the link and look at their ads.

What a joke.

By the way, does anyone else find it funny that Symantec and F-Secure have "blogs" now? WTF? Why not just go the whole 9 and create a MySpace profile too?

Detect this.... (3, Informative)

mdsc1 (988693) | about 8 years ago | (#15713084)

Did the writers of the rootkit consider that...

"The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior." http://www.sysinternals.com/Utilities/RootkitRevealer.html [sysinternals.com]

Ooops... 1 step ahead of the hackers yet again.

Re:Detect this.... (0)

Anonymous Coward | about 8 years ago | (#15713181)

Yes, but the rootkit scans the exe file for strings within it. What you've quoted merely says that the executing thread is renamed randomly - it would still contain its own name (i.e. "rootkit revealer" or similar) within the file/image, and will therefore be detected and hidden from.

Re:Detect this.... (1)

mdsc1 (988693) | about 8 years ago | (#15713268)

Thus why if you follow the directions with older versions of the program, you rename the .exe as well.

VM immunity? (0)

Anonymous Coward | about 8 years ago | (#15713106)

Does a VM offer immunity to rootkits?

If the VM'd instance is subverted, does the underlying OS become exposed?

Thanks,
-Alajando

Vista compatible? (3, Interesting)

tlhIngan (30335) | about 8 years ago | (#15713107)

Don't rootkits need to hook into the kernel in some way, and the "some way" in Vista is via signed binaries? Overriding kernel hooks seems to imply that yes, signed binaries are needed as well...

Also, would it be able to hide from a tool like Sysinternals' rootkit detector, which compares API return values for the registry and filesystem with an actual analysis of the registry files themselves, and a scan of the raw blocks on the disk? (It understands NTFS and FAT, and the registry hive format.)

Re:Vista compatible? (2, Interesting)

j00r0m4nc3r (959816) | about 8 years ago | (#15713168)

Apparently it runs as a kernel-mode driver, and does not hook any APIs or run any processes or threads...

Re:Vista compatible? (5, Interesting)

Short Circuit (52384) | about 8 years ago | (#15713254)

It doesn't hook any public APIs, but it does hook some internal ones. Quoth the Symantec link:
    Rootkit detectors also check for the integrity of some kernel structures like the Service Descriptor Table, but Rustock.A controls kernel functions by hooking MSR_SYSENTER and other special IRP functions. [2]

If that's not functionality that should require Windows binaries to be signed, I don't know what is.

Howdy Hoo ! (2, Funny)

Joebert (946227) | about 8 years ago | (#15713122)

These things are like the neighbor that just walks in the house, takes a piss, grabs a beer out of the fridge, and asks you if you're watching the game after sitting on the couch next to you.

If they'd put some fucking beer in there now & then it wouldn't be so damn aggravating.

Re:Howdy Hoo ! (1)

robophobe (892079) | about 8 years ago | (#15713211)

Wow, you met my mother-in-law!

Re:Howdy Hoo ! (1)

Joebert (946227) | about 8 years ago | (#15713240)

Your mother-in-law writes rootkits ?

Good thing I still use Windows 95... (2, Funny)

linebackn (131821) | about 8 years ago | (#15713140)

NTFS alternate data stream? It's a good thing I still use Windows 95 that doesn't have any of those fancy shmancy features that can be exploited like that.

Useful tool link (4, Informative)

RebornData (25811) | about 8 years ago | (#15713142)

If you're (like me) one of the, umm, fortunate souls who get to clean up rootkit-infested machines regularly, there's a tool you should know about: LADS, for "list alternative data streams"

It can be found buried in this FAQ about the NTFS ADS feature: http://www.heysoft.de/nt/ntfs-ads.htm [heysoft.de]

I haven't tried it yet, but it looks like it should work from a win32 bootdisk (like BARTPE). So you should be able to boot from a clean win32 environment and scan the computer's hard disk to find any files with ADSs. Fortunately, use of this feature within NTFS is not widespread, so malware should stand out pretty obviously.

Have fun!

-R

ADS was also an IIS backdoor (4, Informative)

goat_roperdillo (984552) | about 8 years ago | (#15713174)

Some of the first info on ADS was revealed when IIS users were notified by Microsoft that the full source code of any ASP URL, e.g.
http://www.mycode.asp
could be downloaded to a browser by appending ":$DATA" to the URL, e.g.,
http://www.mycode.asp:$DATA
Little explanation of ADS or the special ADS keyword "$DATA" was revealed in the Microsoft Security Bulletin MS98-003 [microsoft.com]. At the time I could not find a full list of ADS keywords or an explanation of ADS on Microsoft's site, merely references to making a filename "canonical" (whatever that meant - no explanation was provided).

Microsoft has been less than forthcoming about ADS, its function and its mechanism. ADS has been used in the past to hack into web servers and now appears to be useful for rooting any system with NTFS.

Is ADS a Microsoft backdoor?

Re:ADS was also an IIS backdoor (2, Interesting)

whitehatlurker (867714) | about 8 years ago | (#15713296)

Is ADS a Microsoft backdoor?

Given that Microsoft has the keys to the front door (windows security update for example), why would they need a backdoor?

I'm undecided as to whether alternative stream was a good idea with poor implementation (and bad documentation), or just a bad idea.

what about DOS (0)

Anonymous Coward | about 8 years ago | (#15713214)

Does it show in DOS?

Offline rootkit scanner? (4, Interesting)

dfloyd888 (672421) | about 8 years ago | (#15713299)

Long ago, in the days of MS-DOS, there was a program that was excellent at detecting unknown MS-DOS viruses. Called Integrity Master, for maximum security one ran it from a bootable floppy, scanned files on the hard disk, and stored the file with the scanned signatures on a floppy. It wasn't SHA or MD5 hashes, but at the time it was solid security.

Then, one periodically (once or twice a week, as paranoia sees fit) ran the utility on their machine. If stuff in the MS-DOS directory was changed, it was immediately apparent. Integrity Master also was able to scan for some known viruses as well in addition to keeping a log of changed files.

We need a utility like that for Windows XP and Vista. A bootable CD or DVD that not just can understand NTFS (and NTFS's file compression), but has the necessary software to mount hard disks which are encrypted with BitLocker, PGP, SafeBoot, PointSec, WinMagic, DriveCrypt Plus Pack. The utility should also allow for username/password entry so EFS-protected files can be checked too.

This utility should use a CD or DVD to boot from, mount hard drive volumes, run checks for alternate data streams, system and nonsystem files, and finally the registry, perhaps including the encrypted parts like the SAM. It should not just save hashes of files, but perhaps have some ability to check file signatures as well (like sfc.exe and sigverif.exe do), so an update to Windows via a legitimate way doesn't set off a lot of false positives. Of course, the "manifest" file storing the file hashes on the file system would be stored on a removable USB drive, so the OS on the hard drive never has the ability to touch it.

Because this checking is done offline, a rootkit would be a lot harder to hide (unless it uses a method that the integrity scanner wasn't programmed to detect, like perhaps pointing to unallocated disk space for executable code, or hiding in an EFS-protected file.)

Of course, offline checking isn't perfect, because the machine being scanned has to be totally downed for a good amount of time which can't be done in a 24/7 environment.

There are some hurdles, though. Trying to reduce the amount of false positives is one, for example. A novice user presented with a notice that a lot of files were changed likely wouldn't know what was a bad change, and what was normal for system functioning. After that, it's decoding files and registry keys. Finally, if a known rootkit database was used, keeping track of how rootkits encrypt their payload, and delivering timely program updates.
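An added example, in Python, of the baseline-and-compare core of the offline checker described in this post (not code from the post, Integrity Master, or any product it names): hash a mounted tree from a clean boot environment, keep the manifest off-volume, and on a later pass classify changes, treating a change whose new hash is on a trusted list as a legitimate update rather than tampering. The directory layout, file contents and names in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

HASH = "sha256"  # Integrity Master predates SHA/MD5 (per the post); SHA-256 here

def file_digest(path: Path) -> str:
    """Stream the file through the hash so large system files fit in memory."""
    h = hashlib.new(HASH)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by path relative to root.
    The returned manifest belongs on removable media the scanned OS never mounts."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(root).as_posix()] = file_digest(p)
    return manifest

def compare(baseline: dict, current: dict, known_good=frozenset()) -> dict:
    """Classify differences. A changed file whose new digest is in known_good
    (hashes published with a legitimate update) is reported as 'updated', not
    'modified', which is the false-positive reduction the post asks for."""
    changed = [p for p in baseline.keys() & current.keys() if baseline[p] != current[p]]
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "updated": sorted(p for p in changed if current[p] in known_good),
        "modified": sorted(p for p in changed if current[p] not in known_good),
    }

def demo() -> dict:
    """Constructed scenario: baseline, then a legitimate patch, a tamper, and a new driver."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32" / "drivers").mkdir(parents=True)
        (root / "system32" / "ntoskrnl.exe").write_bytes(b"kernel v1")
        (root / "system32" / "drivers" / "disk.sys").write_bytes(b"disk driver")
        baseline = build_manifest(root)  # would be saved to the USB manifest here
        (root / "system32" / "ntoskrnl.exe").write_bytes(b"kernel v2")         # patch
        (root / "system32" / "drivers" / "disk.sys").write_bytes(b"hooked")    # tamper
        (root / "system32" / "drivers" / "newdrv.sys").write_bytes(b"dropped")  # new file
        known_good = {hashlib.sha256(b"kernel v2").hexdigest()}  # vendor-published hash
        return compare(baseline, build_manifest(root), known_good)
```

Checking alternate data streams and the registry hives would sit on top of the same manifest idea; this block covers only the file-hash layer.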