Windows Rootkit Wars Escalate 342
An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in a ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."
Whats ADS for? (Score:2, Interesting)
or was it for something different entirely? I remember there being a "chmod +/-h"
in old (perhaps even current, I no longer use it) versions of HP-UX that would hide
files , is this something similar?
Re:Whats ADS for? (Score:5, Informative)
Re:Whats ADS for? (Score:5, Informative)
http://www.securityfocus.com/infocus/1822 [securityfocus.com]
Here's a nice FAQ on that. (Score:5, Informative)
There's a lot that can be done with it.
Re:Whats ADS for? (Score:2, Informative)
Re:Whats ADS for? (Score:4, Interesting)
I fought with the HackerDefender rootkit earlier this year. Best I can tell it got in through a vulnerability in the Finger port of my mail server. It installed itself as a legacy mode device driver. The device driver was set up to hide certain filenames from Windows. Once installed, you COULD NOT SEE the files the rootkit used. The files weren't files marked with the "hidden" attribute, they were simply hidden from Windows at all levels. You COULD NOT SEE the registry entries. You could not see the task in Task Manager. Very evil and took many hours of my time to fix.
Re:Whats ADS for? (Score:3, Informative)
In my opinion, however, once you get a system that badly infected, you should give up and wipe clean. You'll never know if you've succesfully closed all the holes, and not even an expensive forensic analysis could guarantee such a thing.
Make your own ADS (Score:4, Interesting)
Go to the command prompt.
echo Text! > text.txt:ADS
Do a DIR and you'll see the size of text.txt is 0 bytes.
The string "Text!" has ended up in an ADS stream called "ADS".
Forever War (Score:4, Insightful)
counter counter rootkit v. counter rootkit
counter counter counter rootkit v. counter counter rootkit
An endless cycle of patch, pray, patch, pray, reinstall awaits us.
X|K|Ubuntu, anyone?
Re:Forever War (Score:3, Funny)
while (!os_written_in_typesafe_language) {
counter_rootkit(create_rootkit(true));
}
. . .
catch (NoSuchRootkitPossibleException ex) {
}
Re:Forever War (Score:2)
Re:Forever War (Score:3, Informative)
Re:Forever War (Score:2)
Re:Forever War (Score:5, Informative)
In fact I dont even bother running any Host OS scans when I fix someone's PC anymore, I boot from a BartPE disc, scan it with the antivir and antispyware and clean it up easier and faster than anything else.
Takes me far less time I get it on the first try and it's back to a clean machine for 35 seconds until the owner clicks on things again to reinstall every bit of spyware.
Undetectable? (Score:3, Insightful)
Re:Undetectable? And old news too (Score:2, Insightful)
if only windows was closed source (Score:5, Funny)
Detection (Score:5, Funny)
Does this mean that in Soviet Russia, rootkits detect y... Bah, nevermind. Too easy.
Re:Detection (Score:5, Funny)
Security doesn't start at rootkit detection (Score:5, Insightful)
Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!
And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unrelyable source without at least checking what it is!
My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.
There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?
Re:Security doesn't start at rootkit detection (Score:5, Insightful)
Normally I would agree, but what about the fact that there may be legitimate sites out there that have been infected by this rootkit, which will then in turn infect users who have no reason to fear infection? Not every work or trojan is spread via the incompetence of the user -- it only seems that way. Look at the way 180solutions is dumping spyware on unaware MySpace users who click on seemingly legitimate content, including an ad for software to protect children. ALl someone has to do is slip this sucker into some seemingly harmless content and WHAM!
Re:Security doesn't start at rootkit detection (Score:2)
Re:Security doesn't start at rootkit detection (Score:2)
Well, that's the very definition of a trojan.
Re:Security doesn't start at rootkit detection (Score:5, Insightful)
I bought that CD from a store legitimately. There's no way I'd get a rootkit problem from that, right?
Re:Security doesn't start at rootkit detection (Score:5, Insightful)
oh, and uh, don't put a store bought Sony music CD in there either. Spam can come in forms besides bright flashing "click me" banners.
Re:Security doesn't start at rootkit detection (Score:4, Funny)
Re:Security doesn't start at rootkit detection (Score:3, Insightful)
Oh, [secunia.com] really? [blogspot.com]
Not to mention that if they have to implement double-digits worth of patches a month [vnunet.com] you have to suspect that there are, indeed, unknown (by the public) security holes to be found, and which may have already been found by blackhats.
Antimalware tools are akin to snake oil and herbal remedies. No sane system should need that kind of overhead, and I've said i
Re:Security doesn't start at rootkit detection (Score:2)
This is the situation we find ourselves in on most popular OS and broswers. There are no simple ways to remotely install software without at least the user indirectly knowing about it. This is an improvement. As you say, it is now a social problem where someone has to click a link on some spam email. So it is a socail problem. Note, however, that it might be better if the user had to click a link, ac
Re:Security doesn't start at rootkit detection (Score:5, Informative)
People, please, stay sensible. First of all, a rootkit has to GET into a system.
True, but there are many modes of infection.
Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!
So, just because you don't know of any unpatched, remote vulnerabilities being exploited, we should not worry about them? What about local escalations, there are plenty of those outstanding and some people admin multi-user boxes. Finally, it can come in as a trojan. No one has the time to exhaustively check every program they run, if the source is even available. That means you have to trust every program you install. This is asking users to sacrifice usability for security, and that is a classic security blunder.
My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon.
My prediction is we can stop 100% of worms, trojans, and spybots by no longer using computers... of course that kind of defeats the purpose.
There is no technical solution for a social problem.
Malware is mostly a technical problem and a computer/human interaction problem. It can be solved with education as a social problem, but only when the previous problems have been fixed. You can't expect users to learn a whole lot of really complex topics in order to perform simple tasks. It is not going to happen. When joe-sixpack runs their computer they expect it to conform to some basic, sensible characteristics and it is failing. This is not the user's fault. This is the fault of the people who designed the system first and then tried to teach the average person a long series of complex topics and ever changing rules. What they should have done was ask the users what the computer should do and then make the computer do that.
It is unreasonable to expect that clicking on an icon that looks just like your picture files will install a program and let someone in Russia start using your computer to send spam. This is a failing of the computer, not the user. The computer should clearly indicate to the user what is a picture and what is a program. Then, it should not let the program do anything the user does not expect and want. If this rootkit arrives in a trojan, disguised as data or a beneficial program like a game, and the user runs it, they still should not have to worry about it because it should be running in a sandbox, by default. When it tries to do something unusual, like patch the core of the OS, the user should be warned in very strong language and given the option of letting the rootkit patch a VM's core OS instead, thereby stopping it from having any effect. It doesn't take a genius to do this, if only people would stop apologizing for how crappily most OS's, especially Windows, deal with this stuff. By blaming the users for this failing you're part of the problem. Stop it.
Re:Security doesn't start at rootkit detection (Score:5, Interesting)
There is no 100% solution except to cease using the technology. That's a given. But that would be like saying we should stop using cars because accidents happen.
What you advocated, however, was users not running software or opening data they don't trust. For most users, that cuts the functionality of their machine in half. Trust is a sliding scale. And given the relatively mild punishment for trusting too much, most users will chose functionality over security. The job of the OS should be to make sure they never have to make that choice.
There is no technical solution to everything, though. You cannot "fool proof" everything. Would you go around fool-proofing cars or guns? I'd rather expect someone using either to have proper training and knows how to use it, so he is neither harm to himself nor others.
Well, if I can get a gun or car to do exactly what I want without any risk or decrease in functionality, I'm all for it. As for training, the point is that the usability and functionality of the system has to be up to snuff before it can be effective. To bring cars to the equivalent level of functionality as a Windows machine you'd have to have no windshield and the user would have to just be guessing where they are going. Right now users are given basically no information about what is happening. Is that a program or data? What is it doing when I'm running it? Is it sending spam, or running a game? Is it reading my tax returns? No idea.
The analogy of guns is an interesting one. Anyone who has had a traditional education concerning guns has heard that they should always treat the gun as if it is loaded and point it away from anything they don't want to shoot. Why? Why not only point it in a safe direction when it is loaded? There is no danger if the action is open and it is obviously empty. The answer is "conditioning." Nobody can concentrate on one thing all the time. By always treating the gun as loaded users condition themselves through repetition. That way, when they're thinking about something else (like is that a bear in those trees) they unconsciously point their gun in a safe direction and don't accidentally shoot their hunting buddy when they stumble.
The reason this is such an appropriate comparison is because Windows uses conditioning as well. Every time it brings up the same cryptic dialogue box with (OK/Cancel) it conditions users to click "OK" to get their computer to work again. It also conditions them to click "OK" when being warned of a potential threat. It is one of the worst UI choices, ever and a classic example of what not to do. In many cases even reading the dialogue you don't know what each of the buttons will do since "OK" and "Cancel" are not appropriate responses and are not actions. It is the result of programmers ignoring the human component of computer/human interactions when it comes to security.
First and foremost, you are responsible for what comes out of your computer.
I'll accept that I am responsible, but that does not mean no one else is as well. Picture this, the computer sales guy talks a grandmother into buying a computer. She knows nothing about them, but he tells her it is as easy to use as a TV and will let her send e-mail to her grandkids. They install it and hook it up for her. She never patches it and it is not set to do so automatically. It is compromised. It sends spam. Is it her fault she was lied to? Is it her fault she assumed it would behave reasonably instead of doing things all on its own? Yes, but even more than that it is the fault of the salesman and the system designers.
If someone is unfit to use a car, we don't let him use it.
If more than 70% of people are unfit to use most cars on the road, but do just fine with an Audi, maybe we need to rethink our car designs rather than sending everyone back to driver's education.
Likewise, if someone is unfit to use a computer because he cannot follow the most basic rules of common sense, he should not be on t
Re:Security doesn't start at rootkit detection (Score:3, Insightful)
Condoms (a technical solution) MITIGATES a social problem (teen pregnancy, STD's). They don't SOLVE these problems, because a Condom is only something like 99% effective (the 1% being people who don't use them properly).
So, assuming one's social problem is going out and seeking the services of a prostitute - use of condoms by said prostitute means that 99% of your prostitues won't have an STD (except crab lice - prefer those who shave). The world is bette
Re:Security doesn't start at rootkit detection (Score:4, Insightful)
Which does not mean that I'd connect to the 'net without a firewall.
Attack vector (Score:2)
So what that means is that there are unpatched holes, and since we don't know where they are you don't know a likley attack vector that such a rootkit might try and be deployed by.
Don't connect to the net without a firewall? Heck, given you can't know anything you are doing over the network is not an attac
Re:Security doesn't start at rootkit detection (Score:5, Interesting)
Before any of the hundreds of security holes in Windows XP were published, they were still there! If you have paid any attention to security, you would be very confident that there are many remote root, arbitrary code, no-interaction-required holes in Windows RIGHT NOW.
They are no doubt being used. I can think of many ways to build a bot that connects home indetectably to all but the most paranoid and brilliant sysadmin.
Yes, it works in Vista (Score:3, Informative)
Vista has numerous improvements security wise, and almost all of them have to do with prevent a machine from becoming infected to begin with.
, [msdn.com]UAC [msdn.com], Windows Defender [microsoft.com], the improved software firewall [microsoft.com], IE 7+ sandboxing/broker [msdn.com], etc... these are all meant to make it a lot harder for malware to get on the machine to begin with.
As the old security adage goes, if untrusted software is run on your machine, it's not your machine anymore. [microsoft.com]
Re:Yes, it works in Vista (Score:4, Informative)
Address space randomization [msdn.com].
Helps if you actually preview before posting.
Works in but did it install itself? (Score:3, Insightful)
Re:Yes, it works in Vista (Score:4, Insightful)
A bad guy can upload files on your web site, if he isn't allowed to run them, you've nothing to fear (except if YOU run them afterwards, of course, but it's covered by #1)
Re:Yes, it works in Vista (Score:2)
Re:Yes, it works in Vista (Score:2)
Getting around this is simply a matter of coding for it.
The Address Space Randomization, however, would make this very, very hard.
Re:Yes, it works in Vista (Score:3, Insightful)
You do realize that every time you use "M$" fewer and fewer people could care any less about what you have to say, right?
I'll be happy to stop using it when M$ stops putting their marketing keys on millions of general purpose PC keyboards.
"M$" is just a handy reminder that Microsoft is still taxing the world $40,000,000,000+ per year for a dozen programs mostly written more than a decade ago with most of the most difficult bits, the device drivers, being written by third parties.
You attribute Micro
Symantech vs F-Secure (Score:5, Informative)
Symantec says that FSecure's product can't remove this. Date June 29.
Any reason for this discrepency? You'd think they'd continue to moniter what other companies are doing to combat the problem and 8 days would be enough for them to find out about the new release.
Re:Symantech vs F-Secure (Score:2)
Re:Symantech vs F-Secure (Score:3, Informative)
Seems to effect (Score:2, Interesting)
Would be interesting to know if there will be or are 64-bit versions of rootkits.
Re:Seems to effect (Score:2)
Re:Seems to effect (Score:4, Informative)
You did miss the memo. The AMD and Intel 64 bit processors use an instruction set architecture called "x86_64" (also x64 or AMD64 or EM64T, isn't marketing wonderful?). This instruction set extends the original 32 bit x86 instruction set. Wikipedia has some x86_64 [wikipedia.org] architecture information.
Detect this.... (Score:3, Informative)
"The reason that there is no longer a command-line version is that malware authors have started targetting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior." http://www.sysinternals.com/Utilities/RootkitReve
Ooops... 1 step ahead of the hackers yet again.
Vista compatible? (Score:4, Interesting)
Also, would it be able to hide from a tool like SysInternal's rootkit detector which compares API return values for the registry and filesystem with an actual analysis of the registry files themselves, and a scan of the raw blocks on the disk? (Understands NTFS and FAT, and the registry hive format).
Re:Vista compatible? (Score:2, Interesting)
Re:Vista compatible? (Score:5, Interesting)
If that's not functionality that should require Windows binaries to be signed, I don't know what is.
Howdy Hoo ! (Score:2, Funny)
If they'd put some fucking beer in there now & then it wouldn't be so damn aggrevating.
Good thing I still use Windows 95... (Score:3, Funny)
Useful tool link (Score:5, Informative)
It can be found buried in this FAQ about the NTFS ADS feature: http://www.heysoft.de/nt/ntfs-ads.htm [heysoft.de]
I haven't tried it yet, but it looks like it should work from a win32 bootdisk (like BARTPE). So you should be able to boot from a clean win32 environment and scan the computer's hard disk to find any files with ADSs. Fortunately, use of this feature within NTFS is not widespread, so malware should stand out pretty obviously.
Have fun!
-R
ADS was also an IIS backdoor (Score:4, Informative)
Microsoft has been less than forthcoming about ADS, it's function and it's mechanism. ADS has been used in the past to hack into web servers and now appears to be useful for rooting any system with NTFS.
Is ADS a Microsoft backdoor?
Re:ADS was also an IIS backdoor (Score:3, Interesting)
Given that Microsoft has the keys to the front door (windows security update for example), why would they need a backdoor?
I'm undecided as to whether alternative stream was a good idea with poor implementation (and bad documentation), or just a bad idea.
Re:ADS was also an IIS backdoor (Score:4, Insightful)
I've known about it for a long time now, but have yet to ever use it myself. I really wish you could disable it entirely if nothing legitmate is going to bother. As it is now, it's just a poor security-by-obscurity mechanism that really has no place in the base OS.
Wait, I take back what I said before. I did find one shareware program that hid it's "I've been installed for this long" counter file in the ADS. Deleting the file reset the counter.
Re:ADS was also an IIS backdoor (Score:3, Informative)
Fortunately, the ADS stream can only be non-critical data because transferring to a single stream filesystem (such as FAT32) would drop the additional stream. I'm not sure if ZIP stores them or not (built in ZIP in XP), but that would be interesting.
Think of it as a named section of a fil
Re:ADS was also an IIS backdoor (Score:3, Insightful)
Escaping from a chroot jail (Score:2)
Otherwise, a hacker could just "cd
Re:ADS was also an IIS backdoor (Score:3, Interesting)
I was actually suprised that Microsoft didn't take advantage of streams more often than they do. It would be
Re:ADS was also an IIS backdoor (Score:2)
That exploit just worked by tricking IIS's extension parser - It would normally treat an ASP specially rather than as a plain file. Because the file would obviously have read permission set, specifying that name just returns the file itself the same way IIS would return any other not-special file.
The DATA stream just specifies the basic unnamed default stream containing what we would normally think of as the file itself. All NTF
Offline rootkit scanner? (Score:4, Interesting)
Then, one periodically (once or twice a week, as paranoia sees fit) ran the utility on their machine. If stuff in the MS-DOS directory was changed, it was immediately apparant. Integrity Master also was able to scan for some known viruses as well in addition to keeping a log of changed files.
We need a utility like that for Windows XP and Vista. A bootable CD or DVD that not just can understand NTFS (and NTFS's file compression), but has the necessary software to mount hard disks which are encrypted with BitLocker, PGP, SafeBoot, PointSec, WinMagic, DriveCrypt Plus Pack. The utility should also allow for username/password entry so EFS-protected files can be checked too.
This utility should use a CD or DVD to boot from, mount hard drive volumes, run checks for alternate data streams, system and nonsystem files, and finally the registry, perhaps including the encrypted parts like the SAM. It should not just save hashes of files, but perhaps have some ability to check file signatures as well (like sfc.exe and sigverif.exe do), so an update to Windows via a legitimate way doesn't set off a lot of false positives. Of course, the "manifest" file storing the file hashes on the file system would be stored on a removable USB drive, so the OS on the hard drive never has the ability to touch it.
Because this checking is done offline, a rootkit would be a lot harder to hide (unless it uses a method that the integrity scanner wasn't programmed to detect, like perhaps pointing to unallocated disk space for executable code, or hiding in an EFS-protected file.)
Of course, offline checking isn't perfect, because the machine being scanned has to be totally downed for a good amount of time which can't be done in a 24/7 environment.
There are some hurdles though. Trying to reduce the amount of false positives is one, for example. A novice user presented with a notice that a lot of files were changed likely wouldn't know what was a bad change, and what was normal for system functioning. After that, its decoding files and registry keys. Finally, if a known rootkit database was used, keeping track of how rootkits encrypt their payload, and delivering timely program updates.
Meanwhile, MS releases a rootkit of their own... (Score:2, Offtopic)
my blog [blogspot.com] a few days ago.
Obligatory Star Wars reference (Score:5, Funny)
Begun, the Rootkit Wars have...
[/Yoda]
What's a "Trojan?" (Score:3, Funny)
I looked up from my iBook and FC5 workstation, looked him in the eye with a face full of innocence, and asked, "What's a 'Trojan?'"
"Well, see, it's like... a 'trojan' is like the Trojan horse; it's a program that comes into your system and
wink
"...why I oughtta slug you!"
It's a good thing the guy's a consummate professional, because I probably deserve to be writing this from the hospital.
AV companies are dishonest (Score:5, Insightful)
I don't know how or when it changed, but the orthodox approach to virus scanning used to be that you booted a known clean (very likely read-only) system in order to diagnose the possibly-compromised system.
Every time I hear about how some malware uses a rootkit to "hide", I know it simply means that people are using compromised systems to diagnose themselves. That approach is fundamentally flawed. No one should be surprised that it doesn't work, and it shouldn't be news that it doesn't work. We shouldn't be seeing this article on Slashdot in any category other than the humor section.
But we do see it, because it is news (to somebody?) because this unreliable approach to scanning is mainstream. How the hell did that happen?
It happened because the AV companies are selling their products as something that Windows users install rather than boot. But we know and they know that can't work. It's snakeoil and I think selling it is despicable.
Re:AV companies are dishonest (Score:3, Informative)
You could shell out the ridiculous price of $400+ for a copy of AVAST's B.A.R.T. CD, I suppose - but then you're stuck with their inferior virus scanning/removal technology. I've generally fared better running the latest AVG on a compromised system's own OS than relying on AVAST to get it clean runni
Re:T-minus 3... 2... 1... (Score:3, Interesting)
That and people, listen, stop running windows as root. Make yourself a less privileged user and learn to work in a non-root environment!!!
Tom
Re:T-minus 3... 2... 1... (Score:5, Insightful)
What about developers ? Lots of apps -- essentially games -- don't run well in unprivileged environments. I run as unprivileged user but usually need to use runas when I didn't took the time to adjust braindead defaults program settings. And you can't ask the average user to tweak file and register permissions. BTW I've seen apps opening data files rw when only ro was needed. How do you avoid security flaws then ? Editing binary to change call parameters isn't an option...
Re:T-minus 3... 2... 1... (Score:2)
I seem to recall Word [used to?] writing files in the \windows\system32 dir....
Tom
Re:T-minus 3... 2... 1... (Score:2)
Run As (Score:2)
But the real solution is to complain to your software vendors.
Re:Run As (Score:5, Insightful)
The problem when you do this, it essentially treats you as if you are that user, not just their privileges. It's a pain in the neck when you do this to install a program, and it installs it only to that (Say, the Administrator account) users start menu.
Or if you want to save a document from a program that requires it, you save it to My Documents, right? Go to open it later, open up My Documents in Windows Explorer and wow! It's gone!
(disclaimer: maybe it doesn't work this way in XP, but it certainly did in Win2k when I did take the effort to run as non-privileged user. XP Home doesn't make it that easy, what with the crippled security optons)
Re:T-minus 3... 2... 1... (Score:3, Informative)
Odd... On Linux, I don't have any trouble running games or development applications as an unprivileged user. The only time I ever switch to a privileged user is when I'm installing something or reconfiguring the system in some way.
Of course, that usually has more to do with the developers of said applications than the OS itself. Windows is perfectly capable of running applications well under unprivileg
My personnal experience... (Score:5, Informative)
- your access rights are correctly set (as in using the GUID "video" to grand access to devices used for graphic acceleration. Most modern distro have this done auto-magically by the setup or have the plug-n-play daemon assign correct rights to newly plugged devices)
- there are small piece of code that are used to communicate between priviledged acces and un privilidged access (in other words : once upon a time, you needed to have SETUID on SVGALib to have nice graphics in games under Linux. Nowadays, SDL communicates with drivers and architectures like DRI, which take car to pass messages to a more priviledged part which, in turn, will take care of the sensitive steps. (In other words : Old applications - use special extension and map framebuffer themeselfs, if enough access rights. New (unpriviledged) applications - ask the X Server (with modern extension) which itselfs has the right to access hardware to map what is needed.
That means that, with a correctly setup system, I never needed to SUDO before playing anything with mplayer, xine, vlc or whatever else.
I almost never run application as something different as my user account.
In fact, even installing update is being slowly replaced with a less priviledged process in recent distro (instead of asking the users to star a process as root and installing updates himself under this identity, newer distro have a separate demon that runs with the minimal necessary privileges and the user only has a small application that passes messages to the update daemon to make the system install patches).
On the other hand, Windows, with its "admin-by-default" accounts hasn't done anything to prevent misbehavioured software. I can understand that Windows 3.x and Windows 9x, with all their DOS tradition behind them had to be "admin-by-default". But since Microsoft moved to a new architecture, why don't they change the default user profile behaviour ? Old APPs are run thrue an emulated API, newer application break if they can't run in a non-priviledged environnement.
Old usage needed admin rights. That's normal. What's not normal is that Microsoft perpatuated the bad habbit in newer versions of Windows.
Re:T-minus 3... 2... 1... (Score:3, Informative)
I routinely play DVDs as my user [you need read access to
I routinely play full screen video games as my user not root, etc, etc, etc.
Your information is out of date and just plain incorrect.
Tom
Re:T-minus 3... 2... 1... (Score:2, Funny)
Better late than never though I suppose . . . . .
Re:T-minus 3... 2... 1... (Score:3, Interesting)
Psh, my graphing calculator is much more secure than any of those. No security exploits, ever.
Re:T-minus 3... 2... 1... (Score:2)
Re:T-minus 3... 2... 1... (Score:3, Insightful)
If it's undetectable how would you know?
Re:T-minus 3... 2... 1... (Score:2)
Oh, by the way -- if there were an undetectable rootkit on OS X, how would one go about finding it?
Re:T-minus 3... 2... 1... (Score:2)
You're foot touched the hot lava!
Re:T-minus 3... 2... 1... (Score:2)
Re:Enough is enough (Score:5, Insightful)
Ha, ha, ha (Score:4, Insightful)
tell me how, please. The things you know about him/her/them/whatever:
A DNS-Server in San Jose.
A host in Kiew.
Code generated in Russia.
Distributed by spambots from around the world.
Now, where do you start looking? Have you ever tried getting some help from authorities in Russia? If not, it's a worthy adventure. At the very least, it gives you enough material to write a very interesting book.
Re:Are you kidding? (Score:2)
Re:Are you kidding? (Score:2)
And as other people have said, the government is going after hackers.
Re:Are you kidding? (Score:5, Insightful)
Aren't a lot of those terrorists dead? You know, the ones with bombs strapped to them, or the ones who forced planes into buildings. And as regards the living terrorists, the criticism isn't so much directed at their pursuit, but rather the collateral damage in terms of innocent civilian casualties abroad and loss of civil rights at home.
Re:number 1 reason to hate sony (Score:5, Funny)
I know what you mean! Just the other day I was listening to two teenage girls yakking in the mall...
"Oh no you did-uhnt! Girl, you can't be lettin' some loser root your kit like that!"
Re:number 1 reason to hate sony (Score:2)
Re:number 1 reason to hate sony (Score:2)
If nothing else, it raised the awareness that there is a problem. Which also proves that nobody is useless, everyone can at least serve as a bad example.
Re:number 1 reason to hate sony (Score:5, Informative)
No it isn't.
A rootkit is what is installed to give the cracker unimpeded access (provides a backdoor, hides processes, replaces legitimate processes with trojaned ones, keep activity out of system logs) once they have gained entry to a system (usually throgh a known vulnerability.) THeir activity would be hidden from netstat ps, etc.
At least look at Wikipedia [wikipedia.org].
Re:number 1 reason to hate sony (Score:2)
Re:number 1 reason to hate sony (Score:5, Informative)
Even the ultimate authority on computer terminology, the Urban Dictionary [urbandictionary.com], gets it right:
Re:number 1 reason to hate sony (Score:2)
Maybe the word isn't as universal as we thought
Re:number 1 reason to hate sony (Score:5, Insightful)
It's very common for people to write their own tools, and then use them. That doesn't make them a script kiddie.
Let's separate the brainless script kiddies from what a rootkit is. It really doesn't matter who uses a rootkit, how the rootkit was developed, or even the motives of the user of the rootkit. A rootkit is a tool that provides unrestricted access to the system it is deployed on. Regardless of who, how, or why.
Hey! (Score:2)
Hey Hey! Hate the game! Not the playa'! 'Sama 'n Sony got serious game.
Re:Could you thwart an undetectable rootkit anyway (Score:2)
Are you serious? (Score:3, Insightful)
#6 is even more out there. Unplug from the network? Being as how you're posting to Slashdot, obviously you're not taking your own advice. What am I missing here?
I think you need to get your tinfoil hat adjusted.
Sean