Windows Rootkit Wars Escalate

An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in a ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."

number 1 reason to hate sony

I don't hate sony because they installed rootkits on some peoples computers, I hate them because of that incident the word rootkit became popular.

Re:number 1 reason to hate sony

A rootkit is a tool that script kiddies use to break into systems, as opposed to someone with actual skill finding and exploiting weaknesses using their own brain.

No it isn't.
A rootkit is what is installed to give the cracker unimpeded access (provides a backdoor, hides processes, replaces legitimate processes with trojaned ones, keep activity out of system logs) once they have gained entry to a system (usually throgh a known vulnerability.) THeir activity would be hidden from netstat ps, etc.

At least look at Wikipedia [wikipedia.org].

Re:number 1 reason to hate sony

I don't think I've heard anyone use the term to refer to automatic cracking tools, although it wouldn't be completely unreasonable (rootkit == a kit to get root). Actually, it looks like someone edited the entry and simply inserted "; an automated cracking tool" to completely change the definition ;)

Even the ultimate authority on computer terminology, the Urban Dictionary [urbandictionary.com], gets it right:

A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows.

The rootkit concept is the dominant controversial aspect of the 2005 Sony CD copy protection controversy, which has made the previously obscure concept of a rootkit much more widely known in the technology community, and to the general public

Re:number 1 reason to hate sony

A real cracker could write their own rootkit, and it would still be called a rootkit even though that particular rootkit wouldn't be available to anyone but himself.

It's very common for people to write their own tools, and then use them. That doesn't make them a script kiddie.

Let's separate the brainless script kiddies from what a rootkit is. It really doesn't matter who uses a rootkit, how the rootkit was developed, or even the motives of the user of the rootkit. A rootkit is a tool that provides unrestricted access to the system it is deployed on. Regardless of who, how, or why.

Re:number 1 reason to hate sony

I hate them because of that incident the word rootkit became popular.

I know what you mean! Just the other day I was listening to two teenage girls yakking in the mall...

"Oh no you did-uhnt! Girl, you can't be lettin' some loser root your kit like that!"

Whats ADS for?

Was this designed simply an easy way to hide (system?) files in the filesystem
or was it for something different entirely? I remember there being a "chmod +/-h"
in old (perhaps even current, I no longer use it) versions of HP-UX that would hide
files , is this something similar?

Re:Whats ADS for?

It is like a generalized version of the resource and data fork on old MacOS files with similar uses.

Re:Whats ADS for?

"In essence they were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh's file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details."

http://www.securityfocus.com/infocus/1822 [securityfocus.com]

Here's a nice FAQ on that.

http://www.heysoft.de/nt/ntfs-ads.htm [heysoft.de]

There's a lot that can be done with it.

Re:Whats ADS for?

It's much more than a "hidden" attribute on a file.

I fought with the HackerDefender rootkit earlier this year. Best I can tell it got in through a vulnerability in the Finger port of my mail server. It installed itself as a legacy mode device driver. The device driver was set up to hide certain filenames from Windows. Once installed, you COULD NOT SEE the files the rootkit used. The files weren't files marked with the "hidden" attribute, they were simply hidden from Windows at all levels. You COULD NOT SEE the registry entries. You could not see the task in Task Manager. Very evil and took many hours of my time to fix.

Make your own ADS

Go to the command prompt.

echo Text! > text.txt:ADS

Do a DIR and you'll see the size of text.txt is 0 bytes.

The string "Text!" has ended up in an ADS stream called "ADS".

Forever War

rootkit v. counter rootkit
counter counter rootkit v. counter rootkit
counter counter counter rootkit v. counter counter rootkit

An endless cycle of patch, pray, patch, pray, reinstall awaits us.

X|K|Ubuntu, anyone?

Re:Forever War

Nope your saviour is called BartPE. no virus,worm,rootkit on the planet can disable it.

In fact I dont even bother running any Host OS scans when I fix someone's PC anymore, I boot from a BartPE disc, scan it with the antivir and antispyware and clean it up easier and faster than anything else.

Takes me far less time I get it on the first try and it's back to a clean machine for 35 seconds until the owner clicks on things again to reinstall every bit of spyware.

Undetectable?

Since F-Secure detects it, does that imply it's not popular?

if only windows was closed source

If only Windows was closed source, then writing such tools would be difficult. Oh, wait...

Detection

This Russian-created rootkit is smart enough to recognize known anti-rootkit tools and hide from them.

Does this mean that in Soviet Russia, rootkits detect y... Bah, nevermind. Too easy. :P

Re:Detection

In Soviet Russia Vista Rootkits ship before Vista

Security doesn't start at rootkit detection

People, please, stay sensible. First of all, a rootkit has to GET into a system. How it hides, how it vanishes, how it hooks certain parts of the system and how it defeats anti-rootkit tools is moot if it doesn't even GET that far.

Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!

And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unrelyable source without at least checking what it is!

My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.

There is no technical solution for a social problem. I say it time and again. If it's been true ever, it is in the area of malware. Antimalware tools are akin to safety belts and airbags. You have them, and you use them, but that doesn't mean you drive 150 on an icy road, just 'cause, hey, you got safety belts and an airbag, what damage could happen, eh?

Re:Security doesn't start at rootkit detection

And that's what it comes down to. Keep your system updated! Don't click on every moronic spammail you get! Don't run everything you download from an unrelyable source without at least checking what it is!

My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon. The best protection against infection is still a working brain.

Normally I would agree, but what about the fact that there may be legitimate sites out there that have been infected by this rootkit, which will then in turn infect users who have no reason to fear infection? Not every work or trojan is spread via the incompetence of the user -- it only seems that way. Look at the way 180solutions is dumping spyware on unaware MySpace users who click on seemingly legitimate content, including an ad for software to protect children. ALl someone has to do is slip this sucker into some seemingly harmless content and WHAM!

Re:Security doesn't start at rootkit detection

Sony has clearly shown us that even "trusted" sources and "knowing" what you're running can result in unintentional rootkit installation without your knowledge. After all, isn't Sony a "trusted" source and we knew playing their CDs wouldn't be harmful, right?

I bought that CD from a store legitimately. There's no way I'd get a rootkit problem from that, right?

Re:Security doesn't start at rootkit detection

"My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon."

oh, and uh, don't put a store bought Sony music CD in there either. Spam can come in forms besides bright flashing "click me" banners.

Re:Security doesn't start at rootkit detection

What do you mean, "buy music"?

Re:Security doesn't start at rootkit detection

People, please, stay sensible. First of all, a rootkit has to GET into a system.

True, but there are many modes of infection.

Whatever a program may want to do, first of all it has to be started. Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!

So, just because you don't know of any unpatched, remote vulnerabilities being exploited, we should not worry about them? What about local escalations, there are plenty of those outstanding and some people admin multi-user boxes. Finally, it can come in as a trojan. No one has the time to exhaustively check every program they run, if the source is even available. That means you have to trust every program you install. This is asking users to sacrifice usability for security, and that is a classic security blunder.

My prediction would be that you can eliminate about 95% of the most dangerous worms, trojans and spybots currently in the wild if we could just get people to abstain from running every single piece of junk they stumble upon.

My prediction is we can stop 100% of worms, trojans, and spybots by no longer using computers... of course that kind of defeats the purpose.

There is no technical solution for a social problem.

Malware is mostly a technical problem and a computer/human interaction problem. It can be solved with education as a social problem, but only when the previous problems have been fixed. You can't expect users to learn a whole lot of really complex topics in order to perform simple tasks. It is not going to happen. When joe-sixpack runs their computer they expect it to conform to some basic, sensible characteristics and it is failing. This is not the user's fault. This is the fault of the people who designed the system first and then tried to teach the average person a long series of complex topics and ever changing rules. What they should have done was ask the users what the computer should do and then make the computer do that.

It is unreasonable to expect that clicking on an icon that looks just like your picture files will install a program and let someone in Russia start using your computer to send spam. This is a failing of the computer, not the user. The computer should clearly indicate to the user what is a picture and what is a program. Then, it should not let the program do anything the user does not expect and want. If this rootkit arrives in a trojan, disguised as data or a beneficial program like a game, and the user runs it, they still should not have to worry about it because it should be running in a sandbox, by default. When it tries to do something unusual, like patch the core of the OS, the user should be warned in very strong language and given the option of letting the rootkit patch a VM's core OS instead, thereby stopping it from having any effect. It doesn't take a genius to do this, if only people would stop apologizing for how crappily most OS's, especially Windows, deal with this stuff. By blaming the users for this failing you're part of the problem. Stop it.

Re:Security doesn't start at rootkit detection

There is no 100% solution except to cease using the technology. That's a given. But that would be like saying we should stop using cars because accidents happen.

What you advocated, however, was users not running software or opening data they don't trust. For most users, that cuts the functionality of their machine in half. Trust is a sliding scale. And given the relatively mild punishment for trusting too much, most users will chose functionality over security. The job of the OS should be to make sure they never have to make that choice.

There is no technical solution to everything, though. You cannot "fool proof" everything. Would you go around fool-proofing cars or guns? I'd rather expect someone using either to have proper training and knows how to use it, so he is neither harm to himself nor others.

Well, if I can get a gun or car to do exactly what I want without any risk or decrease in functionality, I'm all for it. As for training, the point is that the usability and functionality of the system has to be up to snuff before it can be effective. To bring cars to the equivalent level of functionality as a Windows machine you'd have to have no windshield and the user would have to just be guessing where they are going. Right now users are given basically no information about what is happening. Is that a program or data? What is it doing when I'm running it? Is it sending spam, or running a game? Is it reading my tax returns? No idea.

The analogy of guns is an interesting one. Anyone who has had a traditional education concerning guns has heard that they should always treat the gun as if it is loaded and point it away from anything they don't want to shoot. Why? Why not only point it in a safe direction when it is loaded? There is no danger if the action is open and it is obviously empty. The answer is "conditioning." Nobody can concentrate on one thing all the time. By always treating the gun as loaded users condition themselves through repetition. That way, when they're thinking about something else (like is that a bear in those trees) they unconsciously point their gun in a safe direction and don't accidentally shoot their hunting buddy when they stumble.

The reason this is such an appropriate comparison is because Windows uses conditioning as well. Every time it brings up the same cryptic dialogue box with (OK/Cancel) it conditions users to click "OK" to get their computer to work again. It also conditions them to click "OK" when being warned of a potential threat. It is one of the worst UI choices, ever and a classic example of what not to do. In many cases even reading the dialogue you don't know what each of the buttons will do since "OK" and "Cancel" are not appropriate responses and are not actions. It is the result of programmers ignoring the human component of computer/human interactions when it comes to security.

First and foremost, you are responsible for what comes out of your computer.

I'll accept that I am responsible, but that does not mean no one else is as well. Picture this, the computer sales guy talks a grandmother into buying a computer. She knows nothing about them, but he tells her it is as easy to use as a TV and will let her send e-mail to her grandkids. They install it and hook it up for her. She never patches it and it is not set to do so automatically. It is compromised. It sends spam. Is it her fault she was lied to? Is it her fault she assumed it would behave reasonably instead of doing things all on its own? Yes, but even more than that it is the fault of the salesman and the system designers.

If someone is unfit to use a car, we don't let him use it.

If more than 70% of people are unfit to use most cars on the road, but do just fine with an Audi, maybe we need to rethink our car designs rather than sending everyone back to driver's education.

Likewise, if someone is unfit to use a computer because he cannot follow the most basic rules of common sense, he should not be on t

Re:Security doesn't start at rootkit detection

Sorry to say it bluntly, but I do remember. It's over. It's patched. Currently, there are no unpatched bugs (at least none that I'm aware of) that let you deliver malware straight to a connected computer.

Which does not mean that I'd connect to the 'net without a firewall.

Re:Security doesn't start at rootkit detection

Currently, there are no unpatched bugs (at least none that I'm aware of) that let you deliver malware straight to a connected computer.

Before any of the hundreds of security holes in Windows XP were published, they were still there! If you have paid any attention to security, you would be very confident that there are many remote root, arbitrary code, no-interaction-required holes in Windows RIGHT NOW.

They are no doubt being used. I can think of many ways to build a bot that connects home indetectably to all but the most paranoid and brilliant sysadmin.

Yes, it works in Vista

I think it's somewhat disingenuous to specifically note this rootkit works in Vista. It implies that the security work done in Vista has somehow failed.

Vista has numerous improvements security wise, and almost all of them have to do with prevent a machine from becoming infected to begin with.

, [msdn.com]UAC [msdn.com], Windows Defender [microsoft.com], the improved software firewall [microsoft.com], IE 7+ sandboxing/broker [msdn.com], etc... these are all meant to make it a lot harder for malware to get on the machine to begin with.

As the old security adage goes, if untrusted software is run on your machine, it's not your machine anymore. [microsoft.com]

Re:Yes, it works in Vista

Sorry, that first link should be:

Address space randomization [msdn.com].

Helps if you actually preview before posting. :(

Re:Yes, it works in Vista

About your last link, #4 is wrong. Allowing to upload a program and allowing to run it is a very different thing.

A bad guy can upload files on your web site, if he isn't allowed to run them, you've nothing to fear (except if YOU run them afterwards, of course, but it's covered by #1)

Symantech vs F-Secure

FSecure's posting says that they released a version of their antirootkit software that can defeat this. Date June 21

Symantec says that FSecure's product can't remove this. Date June 29.

Any reason for this discrepency? You'd think they'd continue to moniter what other companies are doing to combat the problem and 8 days would be enough for them to find out about the new release.

Seems to effect

x86 versions only.

Would be interesting to know if there will be or are 64-bit versions of rootkits.

Re:Seems to effect

The desktop 64-bit processors out now are x86 processors, unless I missed the memo that we were all to move to RISC.
You did miss the memo. The AMD and Intel 64 bit processors use an instruction set architecture called "x86_64" (also x64 or AMD64 or EM64T, isn't marketing wonderful?). This instruction set extends the original 32 bit x86 instruction set. Wikipedia has some x86_64 [wikipedia.org] architecture information.

HYPE SELLS

"Rootkit Wars" ??

This isn't a war. This is merely an advance in the sophistication of one rootkit. This happens all the time.

Why is this being called a "war" now?

Maybe because if they called it what it is - "Another Lame Virus Advancement" - nobody would click the link and look at their ads.

What a joke.

By the way, does anyone else find it funny that Symantec and F-Secure have "blogs" now? WTF? Why not just go the whole 9 and create a MySpace profile too?

Detect this....

Did the writers of the rootkit consider that...

"The reason that there is no longer a command-line version is that malware authors have started targetting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior." http://www.sysinternals.com/Utilities/RootkitRevea ler.html [sysinternals.com]

Ooops... 1 step ahead of the hackers yet again.

Vista compatible?

Don't rootkits need to hook into the kernel in some way, and the "some way" in Vista is via signed binaries? Overriding kernel hooks seem to imply that yes, signed binaries are needed as well...

Also, would it be able to hide from a tool like SysInternal's rootkit detector which compares API return values for the registry and filesystem with an actual analysis of the registry files themselves, and a scan of the raw blocks on the disk? (Understands NTFS and FAT, and the registry hive format).

Re:Vista compatible?

It doesn't hook any public APIs, but it does hook some internal ones. Quoth the Symantec link:

Rootkit detectors also check for the integrity of some kernel structures like the Service Descriptor Table, but Rustock.A controls kernel functions by hooking MSR_SYSENTER and other special IRP functions. [2]

If that's not functionality that should require Windows binaries to be signed, I don't know what is.

Howdy Hoo !

Theese things are like the neighbor that just walks in the house, takes a piss, grabs a beer out of the fridge, asks you if you're watching teh game after sitting on the couch next to you.

If they'd put some fucking beer in there now & then it wouldn't be so damn aggrevating.

Good thing I still use Windows 95...

NTFS alternate data stream? It's a good thing I still use Windows 95 that doesn't have any of those fancy shmancy features that can be exploited like that.

Useful tool link

If you're (like me) one of the, umm, fortunate souls who get to clean up rootkit-infested machines regularly, there's a tool you should know about: LADS, for "list alternative data streams"

It can be found buried in this FAQ about the NTFS ADS feature: http://www.heysoft.de/nt/ntfs-ads.htm [heysoft.de]

I haven't tried it yet, but it looks like it should work from a win32 bootdisk (like BARTPE). So you should be able to boot from a clean win32 environment and scan the computer's hard disk to find any files with ADSs. Fortunately, use of this feature within NTFS is not widespread, so malware should stand out pretty obviously.

Have fun!

-R

ADS was also an IIS backdoor

Some of the first info on ADS was revealed when IIS users were notified by Microsoft that the full source code of any ASP URL, e.g.

http://www.mycode.asp

could be downloaded to a browser by appending ":$DATA" to the URL, e.g.,

http://www.mycode.asp:$DATA

Little explanation of ADS or the special ADS keyword "$DATA" was revealed in the Microsoft Security Bulletin MS98-003 [microsoft.com]. At the time I could not fine a full list of ADS keywords or an explanation of ADS on Microsoft's site, merely references to making a filename "canonical" (whatever that meant - no explanation was provided).

Microsoft has been less than forthcoming about ADS, it's function and it's mechanism. ADS has been used in the past to hack into web servers and now appears to be useful for rooting any system with NTFS.

Is ADS a Microsoft backdoor?

Re:ADS was also an IIS backdoor

Is there any legitimate program that uses the ADS? I can see maybe some 68k Macintosh emulators using it, but most of the time those guys just create a virtual drive (a big single file that doesn't use the ADS) instead.

I've known about it for a long time now, but have yet to ever use it myself. I really wish you could disable it entirely if nothing legitmate is going to bother. As it is now, it's just a poor security-by-obscurity mechanism that really has no place in the base OS.

Wait, I take back what I said before. I did find one shareware program that hid it's "I've been installed for this long" counter file in the ADS. Deleting the file reset the counter. :)

Offline rootkit scanner?

Long ago, in the days of MS-DOS, there was a program that was excellent at detecting unknown MS-DOS viruses. Called Integrity Master, for maximum security one ran it from a bootable floppy, scanned files on the hard disk, and stored the file with the scanned signatures on a floppy. It wasn't SHA or MD5 hashes, but at the time it was solid security.

Then, one periodically (once or twice a week, as paranoia sees fit) ran the utility on their machine. If stuff in the MS-DOS directory was changed, it was immediately apparant. Integrity Master also was able to scan for some known viruses as well in addition to keeping a log of changed files.

We need a utility like that for Windows XP and Vista. A bootable CD or DVD that not just can understand NTFS (and NTFS's file compression), but has the necessary software to mount hard disks which are encrypted with BitLocker, PGP, SafeBoot, PointSec, WinMagic, DriveCrypt Plus Pack. The utility should also allow for username/password entry so EFS-protected files can be checked too.

This utility should use a CD or DVD to boot from, mount hard drive volumes, run checks for alternate data streams, system and nonsystem files, and finally the registry, perhaps including the encrypted parts like the SAM. It should not just save hashes of files, but perhaps have some ability to check file signatures as well (like sfc.exe and sigverif.exe do), so an update to Windows via a legitimate way doesn't set off a lot of false positives. Of course, the "manifest" file storing the file hashes on the file system would be stored on a removable USB drive, so the OS on the hard drive never has the ability to touch it.

Because this checking is done offline, a rootkit would be a lot harder to hide (unless it uses a method that the integrity scanner wasn't programmed to detect, like perhaps pointing to unallocated disk space for executable code, or hiding in an EFS-protected file.)

Of course, offline checking isn't perfect, because the machine being scanned has to be totally downed for a good amount of time which can't be done in a 24/7 environment.

There are some hurdles though. Trying to reduce the amount of false positives is one, for example. A novice user presented with a notice that a lot of files were changed likely wouldn't know what was a bad change, and what was normal for system functioning. After that, its decoding files and registry keys. Finally, if a known rootkit database was used, keeping track of how rootkits encrypt their payload, and delivering timely program updates.

i feel left out

i still use FAT32, you insensitive clod!

Meanwhile, MS releases a rootkit of their own...

Microsoft Private Folder 1.0 uses rootkit-like techniques to hide encrypted files from the Win32 API. I wrote a little about it in
my blog [blogspot.com] a few days ago.

Obligatory Star Wars reference

[Yoda]
Begun, the Rootkit Wars have...
[/Yoda]

What's a "Trojan?"

My boss was telling me how he'd spent all morning with the IT manager removing a trojan off of his Windows machine.

I looked up from my iBook and FC5 workstation, looked him in the eye with a face full of innocence, and asked, "What's a 'Trojan?'"

"Well, see, it's like... a 'trojan' is like the Trojan horse; it's a program that comes into your system and ..."

wink

"...why I oughtta slug you!"

It's a good thing the guy's a consummate professional, because I probably deserve to be writing this from the hospital.