Windows Rootkits

GuidoJ writes "The Register is running an article by Kevin Poulsen of SecurityFocus Online about rootkits in Windows NT. While rootkits are a well-known issue in Unix and Linux systems, they have rarely been found on compromised Windows machines. According to the article, Windows NT backdoors have always been 'trivial', and they have caused enough havoc already. Imagine what a stealthy rootkit could do!"

And all this time

[antis0c]

I thought Windows WAS a rootkit.

Roots on Windows aren't as l337

[numbski]

What I mean, is that what are you going to do from a windows remote terminal? I mean honestly, it's not that cool to have a windows terminal server session open (presuming that service is even set up), and even though you can telnet into windows, hacking in DOS just isn't 1337 enough. :P

Watch as I type edit and the screen goes blank!

Is this new???

[TopShelf]

I thought this was called "Windows Update"...

This shows that Windows

[ksheka]

...is approaching parity with Linux.

Internet Explorer is a rootkit?

[metamatic]

Sounds to me like IE counts as a root kit. It intercepts the API calls at low level, it can't be uninstalled by normal means, and it uses its "man in the middle" status to hide its secret log files [windows-sucks.com] of all the URLs you visit. Plus, of course, it provides root access via security holes...

Heh...that's one way to decrease install size..

[A_Non_Moose]

quote:
"The stealth driver in my mind is the scary concept," says Mertens. "You can hide an elephant with it."


So the first thing they do is hide the \winnt folder?
.

Let's pretend I'm on linux...

[pr0ntab]

Aha! I compromised a process running as root (for example). What shall I do now? I know, I'll insmod IHAX0REDUGOOD.so after dld'ng it from my xoom.com warez page. Oooh, now I can install zombieslaved and use IHAX0REDUGOOD to prevent anyone from seeing it.

So what about this is more difficult than windows? An API must exist for a driver to be loaded, therefore it can be exploited. The tool that interacts with a user installing a driver uses this API, the rootkit bypasses all possible interaction (and uses its priveledged position to hide its existance)

Re:Internet Explorer is a rootkit?

[ConMotto]

As funny as it soudns, I think it actually does. From the article,

"Also known as "kernel mode Trojans," root kits are far more sophisticated than the usual batch of Windows backdoor programs that irk network administrators today. The difference is the depth at which they control the compromised system."

Silly article, sensationalism and slim facts

[AEton]

Jon Littman wrote an interesting book about Kevin Mitnick entitled The Fugitive Game. In it he partly addresses the situation of an FBI informant and not-so-l33t hax0r, Kevin Poulsen [nerdworldnj.com]. 100 to 1 this is the same l33t hax0r. Way back in the day--1990--Poulsen was described as not very l33t:

Their UNIX expertise was not high....I got the feeling these were guys not used to thinking in terms of multiuser systems, not being alert to the fact that "who"s and "ps"s casually invoked by someone else could expose them.

Now I grant you that 13 years is a lot of time for someone to change and learn to abandon stupid sensational media tactics. But look at the substance of the linked slashdot article : "I wrote a rootkit for Windows, I'm cool, and I ran a script kiddie workshop [blackhat.com]so lots of people can do it! By the way, I screwed up the old code. But the new ones the evil hax0rs will make will be really bad. .. So hire me as a consultant!"...um, yeah, right.

Terminology

[gmuslera]

For what the article say, it is more a BSODkit than anything else.

Re:Is this new???

[Anonvmous Coward]

"I thought this was called "Windows Update"..."

No, it's called Outlook Express.

Not very much of a sysadmin is he?

[JJAnon]

I don't think that cluster had bluescreened since it was put into production two years ago.
.. which is proof that this was the first time he checked on the cluster since it was 'put in production'.

Re:rootkit my ass

[Anonymous Coward]

But why would you do that? Delerious you are! That would be so hard to command.Compare that to a simple telnet session.

Why install a rootkit?

[CoyoteGuy]

Why install a rootkit when there are so many other, much easier vulnerabilities to exploit? I mean, come on... What haxx0r has time to write a rootkit, when they have oodles of options at their fingertips? It's the difference between a script kiddie and a real h@xx0r..

If it were me, I would just find a buffer overflow, and have some fun..

Re:No need to run Windows as an Administrator

[g0hare]

hey, be careful, actually knowing how w2k and xp work could get you banned from slashdot.

Windows Rootkit

[Sgs-Cruz]

A simple windows r00tkit can be found here [nih.gov]. :)

His name is Kevin Poulsen...

[Anonymous Coward]

His name is Kevin Poulsen...

His name is Kevin Poulsen...

His name is Kevin Poulsen...

Re:How do you know Bill didn't?

[Imperator]

With closed source code, how do you know that there isn't a root kit included?

Because China is getting access to the code, and if there's one code review team to make Microsoft trustworthy, it's the Chinese government.

Re:How to clean boot Windows?

[Jmstuckman]

Did you ever try to boot a CD-R on a machine that doesn't support bootable CD's? It's not much fun.

Re:How do you know Bill didn't?

[t0ny]

With closed source code, how do you know that there isn't a root kit included?

I heard that they put code in Windows XP that will drink your last beer, leave the toilet seat up, and sleep with your wife while you are at work.

installing a Windows rootkit

[g4dget]

Is that like pouring a bucket of water into the ocean? Or bringing a boxed lunch to an all-you-can-eat buffet?

The very best line from the article:

[shrikel]

"I'm absolutely, one hundred percent positive that there's probably ten more that we haven't seen publicly,"