
Windows Rootkits (344 comments)

GuidoJ writes "The Register is running an article by Kevin Poulsen of SecurityFocus Online about rootkits in Windows NT. While rootkits are a well-known issue in Unix and Linux systems, they have rarely been found on compromised Windows machines. According to the article, Windows NT backdoors have always been 'trivial', and they have caused enough havoc already. Imagine what a stealthy rootkit could do!"
This discussion has been archived. No new comments can be posted.

  • rootkit my ass (Score:2, Insightful)

    by B3ryllium ( 571199 ) on Friday March 07, 2003 @05:20PM (#5462457)
    Can't a decent firewall counter 90% of rootkits?
  • Old news (Score:3, Insightful)

    by kUnGf00m45t3r ( 628515 ) on Friday March 07, 2003 @05:21PM (#5462469)
    Here's where the article was originally posted on March 5th: http://www.securityfocus.com/news/2879
  • by slugo3 ( 31204 ) on Friday March 07, 2003 @05:24PM (#5462516)
    What I mean is, what are you going to do from a Windows remote terminal? You don't necessarily have to set up a shell; you could install port scanners, eggdrop bots and DDoS tools. Even though it's Windows, you don't want to get hacked for a lot of the same reasons you don't want any computer with internet access to become compromised.
  • by djkitsch ( 576853 ) on Friday March 07, 2003 @05:24PM (#5462522)
    The bit that really concerns me is that it's possible at all, to install a device driver without the user's consent that can directly mediate between the hardware layer and the kernel -

    But then I guess that it's possible precisely because MS have made it simple to manage, and thus simple to mis-manage.

    Of course, the best way to defeat this kind of trojan is simply to use a firewall and block the ports being used to remotely configure the hidden driver. So then, the worrying part is not the trojan itself, but the competency of the average user...
  • Re:rootkit my ass (Score:1, Insightful)

    by handybundler ( 232934 ) on Friday March 07, 2003 @05:29PM (#5462604)
    But the remaining 10% is obviously far more dangerous than 9/10 of the people who can't pass a firewall.
  • According to the article, Windows NT backdoors have always been 'trivial'...

    And given this, I wonder how many windows machines are already compromised?
    I read this article a couple of days on bugtraq and they were speculating that with one known kit in existence, there are probably ten more they don't know about. They literally stumbled onto this one by accident.

    Imagine these sleeping beauties (well beasts) all just waiting for the signal...

  • Why bother? (Score:5, Insightful)

    by Anonymous Coward on Friday March 07, 2003 @05:46PM (#5462817)
    Nobody bothered with NT rootkits for years because individual users had enough privileges that it wasn't worth the trouble. As long as you can write the registry as an ordinary user, you're in.

    The article confuses two issues - programs that acquire administrator privileges (trivial) and programs that run in kernel mode (possible, but why bother)? Which are they talking about?

    Once Palladium is deployed, attacks that reside below the operating system will be possible. Once the attack is in "secure storage", anti-virus tools won't be able to find it or remove it. Now that will be l33t.

  • by Anonymous Coward on Friday March 07, 2003 @05:47PM (#5462826)
    Windows root kits have been available for years. I don't even remember how long ago it was I gave up complaining about their use on the machines on campus. =)

    As far as a university machine goes, it's more than trivial to use MS Office's VBA to control a machine with hand-written code to edit the filesystem and even make simple shells, even if the machine has had its cmd.exe/command.com 'removed'...

    Perhaps this is just a way to force everyone into supporting signed drivers and letting MS control yet another aspect of the PC industry. There is little other reason to draw attention to the well-known fact of widely available Windows kits.
    by stratjakt ( 596332 ) on Friday March 07, 2003 @05:50PM (#5462856)
    There's no need to run as Administrator. Pretty much any user account can mess up a Windows system pretty bad, even the Guest account.

    But what you say is also true. I too run an account that's a member of Administrators because it's too much trouble to become all-powerful when needed.

    It's kinda funny now that I'm thinking of it. You have to be an admin to install a printer, but any old account can delete the printer driver files. Nice.


    Not if you've spent some time locking down the box, and designing and implementing security properly. Users can't delete anything they don't have write access to.

    Now, out of the box, WinXP and its predecessors install by default in a very insecure state. That I take issue with, but there's nothing stopping you from fixing that.

    If you have your /bin directories set up as ugo+rwx then I can screw around with your printers too. This doesn't mean that Linux is "insecure".

    And if you run as administrator all the time, that's just like always logging in as root.

    Too many people like to dump on Windows security, but very few have ever even bothered to try and set it up properly.

    After the filesystem permissions are properly set, the local and domain policies in place and checked, the services audited for necessity and security, then what's left is a legitimate fault with Windows.
  • Re:Duh... (Score:3, Insightful)

    by The Evil Couch ( 621105 ) on Friday March 07, 2003 @05:52PM (#5462883)
    yes and no. on win 9X systems (to include ME), yes. however, on NT based systems, not everyone is administrator. for home users, nearly everyone runs as admin, though. for network use, none of my users get much in the way of permissions, and I don't know a lot of windows sys-admins that give their users permissions much higher than bare minimum.

    as a side note, don't I know you?
    by Fishstick ( 150821 ) on Friday March 07, 2003 @06:08PM (#5463085)

    RUNAS USAGE:

    RUNAS [/profile] [/env] [/netonly] /user: program

        /profile    if the user's profile needs to be loaded
        /env        to use current environment instead of user's.
        /netonly    use if the credentials specified are for remote access only.
        /user       should be in form USER@DOMAIN or DOMAIN\USER
        program     command line for EXE. See below for examples

    Examples:
    > runas /profile /user:mymachine\administrator cmd
    > runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
    > runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

    NOTE: Enter user's password only when prompted.
    NOTE: USER@DOMAIN is not compatible with /netonly.


    Yeah. MS has "caught on", somewhat. 2000 will sometimes prompt you (esp when inserting a CD and it thinks you want to install something) if you want to run as administrator when it detects that you need higher privs to run something. But it doesn't always work.

    I've noticed this with things like installing patches for installed apps (like Adobe Acrobat, for instance). Acrobat will periodically check for updates and then ask if you want to install and download. I got tired of hitting the 'no, ask me later' button so I went ahead said yes. It finished downloading and then stopped saying I had to log in as 'administrator' to install the update. Would have been nice if it had said so in the first place or gave me an option to use 'runas'.

    I've tried to get out of the habit of running with an administrator priv account. I don't need administrator very much for day-to-day stuff at work (they deliver the machines with owner's domain account in the administrator's group by default), but it is a pain to have to log out and back in to be able to install something.
  • Re:rootkit my ass (Score:4, Insightful)

    by Openadvocate ( 573093 ) on Friday March 07, 2003 @06:12PM (#5463118)
    Depends on how it's configured, and is an excellent example of why doing NAT on your router does not equal firewalling.
    I have seen many firewalls allowing everything outgoing; even servers that had no reason to connect to the internet had access to the outside. Sure, it might be easier to run that "Windows Update", but still.
  • by mintech ( 93916 ) on Friday March 07, 2003 @06:17PM (#5463158)
    There's no reason to run Windows as an Administrator except in unique circumstances. I still don't understand why people run as an administrator.

    We're all familiar with sudo for Linux. There's an equivalent for Windows. There's a program called "runas" and it's included with Windows 2000 and XP.

    You can do runas /user:administrator cmd to get a dos prompt with Admin privs.. and then do whatever you want.

    You can read the docs on runas by going to http://support.microsoft.com/default.aspx?scid=kb;en-us;294676
  • by Anonymous Coward on Friday March 07, 2003 @06:24PM (#5463226)
    And you're going to check all your source code for Windows??? Try...

    If you have an account on a local machine, there's a very simple way to 'root' a windows nt box. Almost always, the yutz of the admin has the antivirus stuff running as Administrator or system (yes, I've seen that one on 1 system). There's a simple way to take any gui program and run code through it.

    Either my bootable business card or my floppy will provide that exe. Remotely, it's harder to gain 'root' elevation but many MS services are prime candidates. And no, IIS is a small fish, as admins usually DO secure it down now.

    And about your Linux kernel modules garbage.... If you have 1 breach in root, you're screwed. It isn't that hard to dump lspci and compile your goodies in locally. Any SMART Linux admin will not have any tools for software development. I'd even rip out all text editors and network diagnostic tools. I'd make it a hell for a hacker who __thinks__ they have it easy. Depending on the situation, I might even include the NSA Linux patch.

    Have you ever seen a truly locked down, but usable system? Tis not something you want to play with.....
  • by sludg-o ( 120354 ) on Friday March 07, 2003 @06:32PM (#5463304)
    How did this get modded insightful? If the root kit modifies core system binaries (which is exactly the M.O. of most root kits), then it would still get loaded in safe mode.
    by The Ape With No Name ( 213531 ) on Friday March 07, 2003 @07:53PM (#5463928)
    4: If you target a Windows 2k or XP platform, make sure to install the payload inside a system file and its backup. If you don't, Windows will overwrite your trojaned package with the known good one. With the bad in the cab, you'll be guaranteed a hole. Sometimes, however, the packages cause problems with Windows updates. If that kind of thing happens, it usually causes a bluescreen.

    I had a box that would not do Windows Update. The complaining DLL had a very recent modification date. So I cracked it open in CYGWIN and diffed it against a copy off the Win2K CD (this DLL had not changed from default because the luser -- not me -- had never run Windows Update. D'oh.) Hrm. Then I extracted the DLL from the CABs on the drive and rebooted. Same problem. Diffed the CAB-extracted file with the one on the CD. Guess what. This was my first experience with a Win2K rootkit. I forget what it was called, but a rebuild was in order. Man was it slick. I've seen rootkits on Linux, BSD and Solaris, but damn was this smooth with the packing it into the CABs. I wish I knew what it was up to.
  • by Anonymous Coward on Friday March 07, 2003 @10:12PM (#5464792)
    Umm, it's a package that 'we' install on systems for nice Unix-like capability for Win2K boxes. Out of the box, a Win2K command interpreter just sucks. There's not much you can do, other than copy, move, and garbage. 'Internix' is a package, somewhat like busybox for Windows. It provides all the main GNU tool functionality with tools like chmod and chown modified for _basic_ Windows operation. Trust me, it's an alpha package at best.

    And don't bother looking for it either. It can be compiled separately, but how it's usually installed is by the usual... Pack it into another big program (sometimes word.exe is chosen) and have it check for a /command switch. Then it goes into console mode. The only way you'd find it is by using the same technique as the guy who used Cygwin and diffed his DLLs.

    Also, you may want to pay special attention to the font directory. Interesting stuff can happen in those subdirectories.
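The detection technique both of the posts above describe (diffing the live system files against a known-good copy taken from the install CD, rather than trusting the on-disk CAB/dllcache backup, which the rootkit may also have replaced) can be automated. The following is an added example, not code from the thread or from any product; it builds two small constructed directory trees to stand in for the live system32 and the CD copy, and reports modified, unexpected and missing files by SHA-256.

```python
"""Compare a live system directory against a known-good reference copy
(e.g. files extracted from the install CD) and report files whose hashes
differ. Added example for this thread; the sample trees are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large DLLs are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def diff_trees(live: Path, reference: Path) -> dict:
    """Classify live files against the reference: tampered, dropped, removed."""
    live_h, ref_h = hash_tree(live), hash_tree(reference)
    return {
        "modified": sorted(n for n in live_h if n in ref_h and live_h[n] != ref_h[n]),
        "unexpected": sorted(n for n in live_h if n not in ref_h),  # e.g. a dropped driver
        "missing": sorted(n for n in ref_h if n not in live_h),
    }


def demo() -> dict:
    """Build two constructed trees, tamper with the 'live' one, and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        live, ref = Path(tmp) / "system32", Path(tmp) / "cd_copy"
        for root in (live, ref):
            root.mkdir()
            (root / "kernel32.dll").write_bytes(b"good kernel32 image")
            (root / "user32.dll").write_bytes(b"good user32 image")
        # Simulate a trojaned DLL and an extra hidden driver on the live box.
        (live / "user32.dll").write_bytes(b"good user32 image" + b"\x90" * 8)
        (live / "drivers").mkdir()
        (live / "drivers" / "hidden.sys").write_bytes(b"not on the CD")
        return diff_trees(live, ref)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Run it against a real box from clean boot media (the Cygwin-on-the-live-system approach in the thread works only if the kernel is not yet lying about file contents), and point the reference at the CD, since the on-disk CABs may themselves be the tampered copy the first post describes.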
  • No no no (Score:5, Insightful)

    by wobblie ( 191824 ) on Friday March 07, 2003 @10:20PM (#5464834)

    Well I would have to disagree. Let's peel the onion back one layer - why on earth would anyone have to change the default filesystem permissions?

    The reason is that Windows has no concept, and never did, of partitioning user data from system data. In any Unix, the filesystem is sensibly laid out such that removing write access to huge swathes of it does absolutely nothing to hinder its usability. Not so in Windows; everything's mixed together in one big steaming mess. Instead of simple read access, we have confusing messages from Explorer telling users "OH MY GOD! You shouldn't look at the files in this directory, it can cause obesity, nausea, jet-like diarrhea and insanity - but click here if you really really want to see them ..." or some other such nonsense. W2K isn't much better, but at least it's less obnoxious.

    Secondly - and this is more of a cultural issue which flows naturally from the above situation - this isn't even realistic. I used to do this, locking users out of c:\ and \system32\ etc., but I would find that we had all these boneheaded programs we had to run which needed to write to various parts of the filesystem for no apparent reason other than ignorance. This problem is so rife with Windows developers that locking users out of pieces of the filesystem is almost useless, because you wind up not being able to do it anyway.
