Windows Rootkits 344
GuidoJ writes "The Register is running an article by Kevin Poulsen of SecurityFocus Online about rootkits in Windows NT. While rootkits are a well-known issue in Unix and Linux systems, they have rarely been found on compromised Windows machines. According to the article, Windows NT backdoors have always been 'trivial', and they have caused enough havoc already. Imagine what a stealthy rootkit could do!"
rootkit my ass (Score:2, Insightful)
Old news (Score:3, Insightful)
Re:Roots on Windows aren't as l337 (Score:5, Insightful)
The really worrying part (Score:3, Insightful)
But then I guess that it's possible precisely because MS have made it simple to manage, and thus simple to mis-manage.
Of course, the best way to defeat this kind of trojan is simply to use a firewall and block the ports being used to remotly configure the hidden driver. So then, the worrying part is not the trojan itself, but the competancy of the average user...
Re:rootkit my ass (Score:1, Insightful)
Imagine how many out there are already compromised (Score:5, Insightful)
And given this, I wonder how many windows machines are already compromised?
I read this article a couple of days on bugtraq and they were speculating that with one known kit in existence, there are probably ten more they don't know about. They literally stumbled onto this one by accident.
Imagine these sleeping beauties (well beasts) all just waiting for the signal...
Why bother? (Score:5, Insightful)
The article confuses two issues - programs that acquire administrator privileges (trivial) and programs that run in kernel mode (possible, but why bother)? Which are they talking about?
Once Palladium is deployed, attacks that reside below the operating system will be possible. Once the attack is in "secure storage", anti-virus tools won't be able to find it or remove it. Now that will be l33t.
I wonder about the call for signed drivers... (Score:3, Insightful)
As far as a university machine goes, it's more than trival to use MS Office's VBA to control a machine with hand written code to edit the filesystem and even make simple shells even if the machine has had it's cmd.exe/command.com 'removed'...
Perhaps this is just a way to force everyone to supporting signed drivers and letting MS control yet another aspect of the PC industry. There is little other reason to draw attention to the well known fact of widely avalible windows kits.
Re:rootkit redundant. (Score:5, Insightful)
But what you say is also true. I too run an account that's a member of Administrators because it's too much trouble to become all-powerful when needed.
It's kinda funny now that I'm thinking of it. You have to be an admin to install a printer, but any old account can delete the printer driver files. Nice.
Not if you've spent some time locking down the box, and designing and implementing security properly. Users cant delete anything they dont have write access too.
Now, out of the box, WinXP and its predecessors install by default in a very insecure state. That I take issue with, but there's nothing stopping you from fixing that.
If you have your
And if you run as administrator all the time, that's just like always logging in as root.
Too many people like to dump on Windows security, but very few have ever even bothered to try and set it up properly.
After the filesystem permissions are properly set, the local and domain policies in place and checked, the services audited for necessity and security, then what's left is a legitimate fault with Windows.
Re:Duh... (Score:3, Insightful)
as a side note, don't I know you?
Re:rootkit redundant. (Score:2, Insightful)
Yeah. MS has "caught on", somewhat. 2000 will sometimes prompt you (esp when inserting a CD and it thinks you want to install something) if you want to run as administrator when it detects that you need higher privs to run something. But it doesn't always work.
I've noticed this with things like installing patches for installed apps (like Adobe Acrobat, for instance). Acrobat will periodically check for updates and then ask if you want to install and download. I got tired of hitting the 'no, ask me later' button so I went ahead said yes. It finished downloading and then stopped saying I had to log in as 'administrator' to install the update. Would have been nice if it had said so in the first place or gave me an option to use 'runas'.
I've tried to get out of the habit of running with an administrator priv account. I don't need administrator very much for day-to-day stuff at work (they deliver the machines with owner's domain account in the administrator's group by default), but it is a pain to have to log out and back in to be able to install something.
Re:rootkit my ass (Score:4, Insightful)
I have seen may firewalls allowing everything outgoing, even for servers that had no reason to connect to the internet had access to the outside. Sure it might be easier to run that "Windows Update" but still.
No need to run Windows as an Administrator (Score:5, Insightful)
We're all familiar with sudo for linux. There's an equivalent for Windows. Theres a program called "runas" and its included with Windows 2000 and XP.
You can do runas
You can read the docs on runas by going to http://support.microsoft.com/default.aspx?scid=kb
Re:A system with a rootkit has... (Score:1, Insightful)
If you have an account on a local machine, there's a very simple way to 'root' a windows nt box. Almost always, the yutz of the admin has the antivirus stuff running as Administrator or system (yes, I've seen that one on 1 system). There's a simple way to take any gui program and run code through it.
Either my bootable business card or my floppy will provide that exe. Remotely, it's harder to gain 'root' elevation but many MS services are prime candidates. And no, IIS is a small fish, as admins usually DO secure it down now.
And about your Linux kernel modules garbage.... If you have 1 breach in root, you're screwed. It isnt that hard to dump lspci and compile your goodies in locally. Any SMART Linux admin will not have any tools for software development. I'd even rip out all text editors and network diagnostic tools. I'd make it a hell for a hacker who __thinks__ they have it easy. Depending on the situation, I might even include NSA linux patch.
Have you ever seen a truly locked down, but usable system? Tis not something you want to play with.....
Re:How to clean boot Windows? (Score:4, Insightful)
Re:Tips of using Windows rootkits (Score:3, Insightful)
I had on a box that would not do windows update. The complaining dll had a very recent modification date. So I cracked it open in CYGWIN and diffed it against a copy off the Win2K cd (this dll had not changed from default because the luser -- not me -- had never run WindowsUpdate. D'oh.) Hrm. Then I extracted the DLL from the CABS on the drive and rebooted. Same problem. Diffed the CAB extracted file with the one on the CD. Guess what. This was my first experience with a win2k rootkit. I forget what it was called, but a rebuild was in order. Man was it slick. I've seen rootkits on linux, BSD and solaris, but damn was this smooth with the packing it into the CABS. I wish I knew what it was up to.
Re:Tips of using Windows rootkits (Score:1, Insightful)
And dont bother looking for it either. It can be compiled seperately, but how it's usually installed is by the usual... Pack it to another big program (sometimes word.exe is chosen) and have it check for a
Also, you may want to pay special attention to the font directory. Interesting stuff can happen in those subdirectories.
No no no (Score:5, Insightful)
Well I would have to disagree. Let's peel the onion back one layer - why on earth would anyone have to change the default filesystem permissions?
The reason is that windows has no concept, and never did, of paritioning user data from system data. In any unix, the filesystem is sensibly laid out such that removing write access to huge swathes of it do absolutely nothing to hinder it's usability. Not so in windows, everything's mixed together in one big steaming mess. Instead of simple read access, we have confusing messages from explorer telling users "OH MY GOD! You shouldn't look at the files in this directory, it can cause obesity, nausea, jet-like diarrhea and insanity - but click here if you really really want to see them ..." or some other such nonsense. W2K isn't much better, but at least it's less obnoxious.
Secondly - and this is mroe of a cultural issue which flows naturally from the above situation - this isn't even realistic. I used to do this, locking users out of c:\ and \system32\ etc., but I would find that we had all these boneheaded programs we had to run which needed to write to various parts of the filesystem for no apparent reason other than ignorance. This problem is so rife with windows developers that locking users out of peices of the filesystem is almost useless, because you wind up not being able to do it anyway.