Hackers Serving Rootkits with Bagles

Posted by CowboyNeal on Fri Mar 31, 2006 06:08 AM
from the worm-in-the-apple dept.
Iran Contra writes "Security researchers at F-Secure in Finland have discovered a rootkit component in the Bagle worm that loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners. Bagle started out as a simple e-mail-borne executable, and the addition of rootkit capabilities shows how far ahead of the cat-and-mouse game the attackers are."

Related Stories

[+] Developers: Undetectable Rootkits Through Virtualization? 237 comments
techmuse writes "eWeek has an article about a prototype rootkit that is implemented using a virtual machine hypervisor running on top of AMD's Pacifica virtualization implementation. The idea is that the target OS, or software running on it, would not be able to detect the rootkit, because the OS would be running virtualized on top of the rootkit. The prototype is supposed to be demonstrated at the Syscan conference and the Black Hat Briefings over the next month."
[+] Ask Slashdot: A Closed Off System? 177 comments
AnarkiNet wonders: "In an age of malware which installs itself via browsers, rootkits installing themselves from audio cds, and loads of other shady things happening on your computer, would a 'Closed OS' be successful? The idea is an operating system (open or closed source), which allows no third party software to be installed, ever. Yes, not even your own coded programs would run unless they existed in the OS-maker-managed database of programs that could be installed. Some people might be aghast at this idea but I feel that it could be highly useful for example in the corporate setting where there would be no need for a secretary to have anything on his/her computer other than the programs available from the OS-maker. For now, let's not worry if people can 'get around' the system. If each program that made up the collection of allowed programs was 'up to scratch' and had 'everything you need', would you really have an issue with being unable to install a different program that did the same thing?"
This discussion has been archived. No new comments can be posted.
  • Am I wrong (Score:5, Insightful)

    by 3.5 stripes (578410) on Friday March 31 2006, @06:12AM (#15032717)
    Or is it just me who's been reading about rootkits and keyloggers now becoming standard payloads in worms/virus/web exploits?

    In the end, they're just another piece of cut and paste code for script kiddies.
    • No, it's definitely not just you. I work with [removing] IM-based viruses as a hobby project, and there has been a clear shift from simple executable file viruses to full rootkits. Along the way I've seen everything from loading with the shell or userinit to winlogon to bogus kernel drivers.

      It's my personal (and professional) opinion that this is likely to become the norm. I give it another year or two before the majority of malware is all rootkit-based. It's far too easy to incorporate rootkit technology,
  • by totalbasscase (907682) on Friday March 31 2006, @06:14AM (#15032721)
    Next time on Slashdot: "Bagle.GE authors sued by Sony for rootkit copyright infringement!" Honestly though, maybe we should all just start carrying around rootkits on our USB keys. Plug it into your aunt's computer, and she'll never forget your birthday again (even if she wanted to).
    • of course you have to execute a file on the drive manually, since USB drives don't subscribe to the autoplay mentality :p

      Your joking has revealed an interesting point though - would it be possible to patent rootkit technology now, or some really restrictive DRM, so that when corporations/the government get around to developing software that wants to restrict our every move, it's already been done/patented? :D I'm not aware of all the intricacies of copyright law and prior art etc, and I'm aware if a gov
      • Funny, anytime I plug my USB key into my computer, WinXP asks me if I want to do something with it.

        I'm sure if you dropped an autoplay.inf file on the root of the drive, Windows could be tricked into executing it.
        • there's quite a difference between asking you if you want to view the folders on the drive, open in media player etc, and automatically running code without your permission.
  • The evolving virus (Score:5, Interesting)

    by ndogg (158021) <<the.rhorn> <at> <gmail.com>> on Friday March 31 2006, @06:19AM (#15032733) Homepage Journal
    I keep waiting for a virus based on genetic algorithms. I'm certain that it's only a matter of time.
    • The older DAV and co viruses from the late '90s were polymorphic and changed their code from time to time.

      In fact, as far as underlying technology goes, the current viruses have regressed back to simple non-polymorphic code. Not entirely surprising considering that they are written in a high-level language nowadays. If you look at the recent crop there is anything including Delphi and VB used to write them, with some EXE compression applied at the end to get the size down to a reasonable value.
    • by january (906774) on Friday March 31 2006, @06:43AM (#15032780)
      Agree. This will be a breakthrough, and if anything is a mystery -- then the question, why it hasn't already happened.

      Evolving computer programs -- not simple genetic algorithms, but programs that actually "thrive" on CPU time and memory, and compete for these resources -- have been already used to experimentally investigate evolution. Note that there is a serious difference between a genetic algorithm and a truly evolving program. In the former case, the fitness function is precisely defined by the programmer. In the latter, the fitness is just what it is in living organisms -- ability to pass on the genes, or code.

      Check out the web page -- http://www.msu.edu/~lenski/ [msu.edu] -- of Richard Lenski, experimental evolutionist (bacteria in a test tube + computer); you will find a nice article on in silico evolution on his web page. The guy has 4 Nature and 2 Science publications only on the topic of digital evolution.

      January

      j.
      • by aug24 (38229) on Friday March 31 2006, @07:09AM (#15032825) Homepage
        The thing about genetic algorithms to date is that they have only been permitted to evolve within parameters. Evolving better weightings for poker playing bots for example. This is a highly successful technique, analogous to the way the human brain sets itself up - highly structured programming (physical brain) with variable parameters (experience).

        If you allow the code itself to evolve (typically achieved with Lisp or similar cos of the convenient tree structure of the code) then the likelihood is that you can write a better program than will evolve anyway, because so many of the evolved programs are utterly useless. This, of course, is the argument for Intelligent Design, except that the planet really does have unlimited time, and there aren't anti-virus companies constantly trying to sterilise the planet (as far as we know! ;-)

        Finally, most genetic algorithms require 'sex' type recombination to (randomly and hopefully) whittle away the useless code that has accumulated. This might be a little hard to implement in a cloaking virus - the one thing they don't want is to have any kind of signal that they are there!

        All in all, I'll be surprised to see a truly genetic algorithm virus ever. The closest we might see are self tuning ones - eg ones that spot the user is using the machine and back off their spamming activities so that they aren't obvious.

        J.
        • by zerocool^ (112121) on Friday March 31 2006, @10:11AM (#15033476) Homepage Journal

          If you're talking polymorphic characteristics (in viruses or animals), the phrase you're looking for is Heterozygous Advantage [wikipedia.org]. Yes, I do live with a woman who is going to vet school and who has a degree in animal science.

          In computer terms, it's going to be hard for random code variations to produce a useful new code segment on their own, for exactly the reasons you describe - there needs to be "sex", or a merging of two codebases, in order to produce surrogate code.

          In terms of animals, however, if I may step on my pro-evolution soapbox... This is what all those people at the Institute for Creation Research and Answers in Genesis never talk about. The natural tendency in animals (at least, and probably in other kingdoms) is for the offspring of a non-homogeneous pairing to be *better* than either of the parents. No joke, this is the way it works. Not all the time, but more often than not.

          For example, my wife is pretty firmly against the homogenization of the beef industry onto black angus for meat and holstein for milk. The reason being, if you breed nothing but black angus to black angus, you're going to get black angus, which is good, but it will never get better than its parents. If you're breeding black angus and charolais, however, the genetic tendency is that the offspring most of the time will possess the best characteristics of both parents (breeding and birthing ease with black angus, better meat with charolais).

          Anyway, I have to go fix a dead UPS.

          ~Will
          • Thanks for that, interesting.

            I'd propose a small correction to what you say: the natural tendency of sexual reproduction is to produce creatures that are either (a) inviable, which typically miscarry, or (b) similar, or (c) better. This would be analogous to receiving two lots of bad code, one of each, or two lots of good code respectively.

            AIUI a surprising number of the offspring of higher animals 'spontaneously' abort without the parent necessarily even knowing about it.

            Cheers,
            Justin.
    • by Illserve (56215) on Friday March 31 2006, @08:03AM (#15032921)
      It's hard to see why genetic algorithms are an inherently good way to design computer virii. The fitness landscape is not well suited to GAs, it's too rugged. GAs need a particular structure of problem to function well, one in which every change produces an incremental benefit or impairment.

      Changing which registry key a worm modifies, or what files a virus affects, will cause wildly varying effects, 99.9999% of which will cause either no discernible effect, or blue screen the system. This is not a good setup for the GA to figure out what works best.

      So despite the similarity in name and function with biological viruses, computer virii (and worms, trojans etc) are not really evolvable, but need to be engineered.

  • This has been written about before on the F-Secure security blog [f-secure.com]. There's also a nice pic of what all the different parts of Bagle look like [f-secure.com] and how they interact.
  • by january (906774) on Friday March 31 2006, @06:30AM (#15032762)
    It definitely isn't, trust me. I'm a ...biologist.

    I mean the picture, of course: http://images.slashdot.org/topics/topicworms.gif [slashdot.org] -- it is an insect larva, not a worm. To be more specific -- probably a butterfly caterpillar.

    You want to see a worm? Here -> http://www.desc.med.vu.nl/NL-taxi/ICE/C_elegans1.jpg [med.vu.nl] is a nice picture of C. elegans, The Model Worm (r).

    January
  • by jtcedinburgh (626412) on Friday March 31 2006, @06:39AM (#15032776)
    Mark me OffTopic if you will (it's Friday and I'm feeling brave, so I'll take that risk), but when I first read this, I read it as:

    "Hackers Serving Rootkits with Bagels"

    ...and I started to think how cool a hacker café would be... then I got to wondering what else you might be able to order at a hacker café:

    Trojan Muffins (secret filling might bring surprise!)
    DDoS Donuts (very tasty, but eat too many and they gang up on you)
    L33t Latté (quintuple espresso with a single shot of milk)
    Keylogger Cakes (be careful, they're watching)

    ...and so on (I shall spare you the rest).

    Ah well, as they say in these parts 'ah'll get me coat'...
    • Trojan Muffins (secret filling might bring surprise!)
      DDoS Donuts (very tasty, but eat too many and they gang up on you)
      L33t Latté (quintuple espresso with a single shot of milk)
      Keylogger Cakes (be careful, they're watching)


      I think ThinkGeek just found their newest product line.
  • SysInternals' free program RootkitRevealer [sysinternals.com] is the best way I know to reveal the presence of rootkits.

    In general, any program SysInternals provides is the best in its field, I've found.

    Try the just updated (March 7, 2006) version of Autoruns [sysinternals.com] to find nasty stuff running under Windows.

    --
    Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. citizens pay to kill Iraqis. Improvement?
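The two technical threads above, the reply noting that current rootkits persist through the Winlogon Shell/Userinit values and bogus kernel drivers, and the recommendation of RootkitRevealer and Autoruns, share one defensive idea: compare what the documented Windows API reports against an independent, lower-level read of the same data, and flag anything present in one view but not the other. The script below is an added example written for this page; it is not code from Slashdot, F-Secure or Sysinternals. Because a hooked API and a raw hive read are not available offline, both views and the Winlogon registry export are constructed in-line, and the names `hidden_loader.exe` and `hidden_run_value` are placeholders, not real Bagle artifacts.

```python
"""Cross-view rootkit check on constructed data (added example).

RootkitRevealer-style logic: an item visible to a raw read of the kernel
process list or the on-disk registry hive, but missing from the API view
a user-mode scanner gets, is a candidate for something being hidden.
A second check parses a Winlogon key export and reports any program
appended to the Shell or Userinit values beyond the expected defaults.
"""
import re
from typing import Dict, Iterable, List

# Constructed snapshots of one machine seen two ways. The "api" view stands
# for EnumProcesses / RegEnumKeyEx output, which a kernel-mode hook can
# filter; the "raw" view stands for a kernel walk of the process list and a
# direct parse of the hive file, which such hooks do not cover.
API_PROCESSES = {"System", "smss.exe", "winlogon.exe", "explorer.exe", "outlook.exe"}
RAW_PROCESSES = API_PROCESSES | {"hidden_loader.exe"}        # placeholder name

API_RUN_VALUES = {"MSMSGS", "SoundMan"}
RAW_RUN_VALUES = API_RUN_VALUES | {"hidden_run_value"}       # placeholder name

# Constructed .reg-style export of the Winlogon key. The Userinit value has a
# hypothetical extra loader appended after the legitimate userinit.exe entry.
WINLOGON_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\hidden_loader.exe,"
'''

# Defaults for a Windows XP install, lower-cased for comparison.
EXPECTED_WINLOGON = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> Dict[str, List[str]]:
    """Return items the API view omits ("hidden") and items only the API
    reports ("phantom"). Hidden items are the classic rootkit indicator."""
    api, raw = set(api_view), set(raw_view)
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}


def parse_reg_values(export: str) -> Dict[str, str]:
    """Parse "name"="value" lines from a .reg export, unescaping backslashes."""
    values: Dict[str, str] = {}
    for match in re.finditer(r'^"([^"]+)"="(.*)"$', export, re.MULTILINE):
        values[match.group(1)] = match.group(2).replace("\\\\", "\\")
    return values


def unexpected_winlogon_entries(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Split each comma-separated Winlogon value and report any program that
    is not in the expected set; a loader chained after userinit.exe shows up here."""
    findings: Dict[str, List[str]] = {}
    for name, allowed in EXPECTED_WINLOGON.items():
        entries = [e.strip().lower() for e in values.get(name, "").split(",") if e.strip()]
        extra = [e for e in entries if e not in allowed]
        if extra:
            findings[name] = extra
    return findings


def run_scan() -> Dict[str, object]:
    """Combine both checks into one report over the constructed snapshots."""
    return {
        "processes": cross_view_diff(API_PROCESSES, RAW_PROCESSES),
        "run_values": cross_view_diff(API_RUN_VALUES, RAW_RUN_VALUES),
        "winlogon": unexpected_winlogon_entries(parse_reg_values(WINLOGON_EXPORT)),
    }


if __name__ == "__main__":
    for section, result in run_scan().items():
        print(f"{section}: {result}")
```

The diff is deliberately symmetric: "phantom" entries (in the API view but absent from the raw read) are usually benign timing artifacts, since processes start and stop between the two enumerations, which is why RootkitRevealer-style tools run the two reads as close together as possible and let the analyst judge the residue rather than raising an alarm on every difference.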
  • by ScrewTivo (458228) on Friday March 31 2006, @07:42AM (#15032892) Homepage
    I got so tired of explaining it over and over. Ultimate Spyware/Virus Blocker [blogspot.com]. If you think there is something I need to add or remove then please leave a comment.

    My friend is opening up a coffee shop that will have an ap. I will make some copies of Ubuntu for the customers to use.

    Now where do I find a dentist for the rootkit I received when I didn't take my own advice :)

  • by digitaldc (879047) * on Friday March 31 2006, @08:24AM (#15032955)
    Your O/S locks with Bagels, sir.
  • by antdude (79039) on Friday March 31 2006, @10:30AM (#15033617) Homepage Journal
    ... who doesn't want free yummy bagles to eat? Oh, you mean the computer types... [grin]
  • by billcopc (196330) <vrillco@yahoo.com> on Friday March 31 2006, @11:20AM (#15033992) Homepage
    Years.. no, decades ago, everyone was scared shitless of boot sector viruses. Today it's rootkits. This isn't rocket science, it's about friggin time these things hit the mainstream. It's obvious that today's software relies on many layers of abstraction provided by the OS. Infiltrate one of those layers and you've fooled the entire system. It's no different than the men with wires going to their ears saying "You didn't see anything, move along", except your software's too dumb to see that the man is lying. There is no ultimate solution to this, software is software and no matter how well you try to secure the OS, all it takes is a little patch to disable all your security. The closest thing to a secure OS would be some sort of read-only boot device, and I really mean READ-ONLY, not just "mount -o ro". Boot off the DVD-Rom.. even then, just one glitch in the programming could open up the whole system to in-memory patching.

    What we CAN do to relieve this plague is take away the motivation behind viruses. They don't exist just for fun, they serve a purpose.. DDoS is a lucrative racket. If we can somehow make an infected PC less valuable to the attacker, to the point where it's not even worth infecting, the virus threat will slow down to a crawl. Why don't we have more Linux viruses ? Because it's a high-risk, low-potential target. If Microsoft could accomplish the same level of security with the average Windows PC, virus authors would have to go out and get real friggin jobs for once.
      • I can't believe you responded to that! Although it did make me laugh... most of the points were hilarious, especially about "no databases for linux as powerful as MS Access"! I'd love to know what people like Oracle & Sun (PostgreSQL) would say about that.