Windows Rootkits
GuidoJ writes "The Register is running an article by Kevin Poulsen of SecurityFocus Online about rootkits in Windows NT. While rootkits are a well-known issue in Unix and Linux systems, they have rarely been found on compromised Windows machines. According to the article, Windows NT backdoors have always been 'trivial', and they have caused enough havoc already. Imagine what a stealthy rootkit could do!"
rootkit redundant. (Score:5, Interesting)
I too, in the rarity that it's on, run my Windows box as Administrator because, unlike *nix, there's no easy way to become Admin (root) when you need to. You have to log out and log back in, unless they've changed it in recent releases.
Interesting (Score:4, Interesting)
Re:rootkit my ass (Score:5, Interesting)
Imagine a beowulf cluster of rootkits! (Score:5, Interesting)
Having lived through Melissa and ILOVEYOU, I can't imagine it would get much worse than that. The way security is(n't) done in Windows pretty much obviates the need for a rootkit; almost by design, you could say.
People keep talking about the "next" Melissa, but I don't think there will be one -- for basically the same reason there won't be another 4 planes hijacked and crashed into buildings. Microsoft has learned from past mistakes, and Outlook is far far more secure "out of the box" than it once was.
People have learned, too; for example if you buy a new Dell it comes with McAfee Security Center, which gives you antivirus and (hopefully) some basic firewall protection. It took a few good beatdowns, but Joe User is at least aware of the dangers out there. To a degree I think we can thank the spammers; people are less likely to open suspect attachments nowadays because they prolly think it's spam. I'll take the silver lining and be happy.
I'd be far more worried about a rootkit/attack on the Internet itself (e.g. core routers, DNS) than the Next Big Windows Vulnerability. With the increasing trend towards Internet Everything, were I in the mood to break things, I would be hacking DNS and Cisco -- break the mesh and the nodes are useless. Conversely, clueful people weren't affected by SQL Slammer since why would you let your SQL Server talk to the Internet on port 1433 anyway?
You have to think like an admin (Score:3, Interesting)
How to clean boot Windows? (Score:5, Interesting)
It used to be that I would scan someone's system for malware by booting DOS 6.22 (or later, Win98, since it could support some newer, bigger filesystems) and running F-Prot. This eventually became less and less practical. The scanner didn't even fit on a floppy anymore, so I was doing things like clean booting and making a RAM disk, and then unzipping several floppies onto the RAM disk just so I could run a scanner. But eventually people started using NTFS, which my DOS/Win98 boot floppies couldn't read anymore.
I guess I didn't keep up, and I didn't know what the orthodox approach to safe scanning was anymore. Eventually we started telling customers to see someone else about their Windows problems; we just wanted to support our apps and that was it.
Eventually I found out what the so-called "experts" we were referring people to were doing: they would boot the unclean, suspected system, install some Windows-based antivirus program (McAfee, Norton, whatever), and then run it to scan the (possibly) infected system, while it was running in a (possibly) infected state. Holy shit, how stupid can you be? No wonder stuff doesn't get detected.
People were getting huge bills for techs' time too. The amount of waste I saw was staggering, and these were small businesses, not big megacorps.
I guess the only way to reliably scan a Windows system is take the hard disk out and mount it as a secondary drive in a known clean system? Beats me. Just about every other OS can be booted from removable media, but I don't know a way to do that with Windows. Oh well, somebody else's problem.
Except there isn't a "somebody else." The customers call around to try to find someone to help them, and in a city of half a million people, no one can. They ask again a couple of weeks and a few thousand dollars later, more desperate. And I tell 'em the only thing I know will work for sure: Totally wipe the HD and reload your apps.
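The post above argues that the only trustworthy scan is one run from a known-clean system against the suspect disk mounted as a secondary, non-booted volume. The following is an added example, not code from the article or from anyone in this thread, of one thing you can do in that position without any vendor scanner: hash every file on the mounted volume and diff it against a baseline manifest taken while the machine was known good. It assumes you have such a baseline, that the suspect disk is mounted read-only at some path (a drive letter on Windows, a mount point elsewhere), and the `demo()` scenario uses constructed files in a temporary directory standing in for a system volume.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk a mounted volume and record the hash of every regular file.

    Paths are stored relative to the mount point, so a baseline taken at C:\\
    still lines up when the same disk is later mounted as E:\\ or /mnt/suspect.
    Symlinks are skipped so the walk stays on the volume being examined.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            manifest[full.relative_to(root).as_posix()] = sha256_file(full)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished or changed since the baseline.

    Because the hashes come from an offline mount, nothing running on the
    suspect system (driver, hooked API, hidden process) can filter the view.
    """
    baseline_paths, current_paths = set(baseline), set(current)
    return {
        "added": sorted(current_paths - baseline_paths),
        "removed": sorted(baseline_paths - current_paths),
        "modified": sorted(
            p for p in baseline_paths & current_paths if baseline[p] != current[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: a tiny fake system volume in a temp directory.

    A baseline is taken, then one file is altered and one dropped in, the
    way a kit replacing a system DLL and adding a driver would look on disk.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "kernel.bin").write_bytes(b"original kernel image")
        (root / "system32" / "ntdll.bin").write_bytes(b"original ntdll")
        baseline = build_manifest(root)

        # Simulated tampering (constructed for the demo, not real samples).
        (root / "system32" / "ntdll.bin").write_bytes(b"patched ntdll with hook")
        (root / "system32" / "hidden.sys").write_bytes(b"dropped driver")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In real use you would persist the baseline (for example as JSON) on media the suspect machine never touches, and treat every "modified" or "added" entry under the system directories as something to explain before the disk goes back into service. The diff tells you what changed, not whether the change is malicious; the value is that it is computed from a view the running system had no chance to falsify.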
Re:Roots on Windows aren't as l337 (Score:5, Interesting)
Re:How to clean boot Windows? (Score:4, Interesting)
Re:rootkit my ass (Score:1, Interesting)
What use is a firewall then? What are you gonna do, have the firewall block email? Block the web too, thanks to ActiveX controls and "plugins." The only firewall that really protects Windows, is the one where you pull the network cable out of their NIC and disable their floppy drive. (Then, if you want to be sure, pour gasoline on the computer and light a match.)
Windows and networks just don't belong together.
Re:rootkit my ass (Score:3, Interesting)
I like the detection method they used, BSoD (Score:4, Interesting)
Field Day!
And here we thought that unstable interfaces for device drivers were a bug; they're a feature! This would be really useful if a BSoD only indicated intrusion; sadly, it only indicates that your computer is turned on and what module it ran last. Hint to all you LEET HAXORS: make your names dumb like M$ does, rather than "0wned", "R000TED" or any variant of common four-letter words like jerk.
Who says the jerk was responsible for the crash? We know that Windows does that, but we don't know anything about the jerk. Applying the razor, it's best to accept that Windows is still BSoD.
Oh, the list of laughs to be had here goes on and on. Who actually thought that it was impossible to hide applications and files on a system that's designed for DRM? Ha! Those are features. Who would really trust an O$ by a company whose EULA says the company has the right to inspect and delete files at will and without notice? If they can read and delete, you bet they can write. The system is backdoored by design; of course people are going to take advantage of it.
Windows NT isn't a multiuser 'Time Sharing' system (Score:3, Interesting)
You can install Hummingbird Inetd or Interix, or use the built in but anaemic Telnet server that comes with W2K, but since NT's focus is not to be a symmetrical multi-user timesharing system, the default system most people think of as 'NT' isn't that fun to hack into.
Now, I've supported many simultaneous users on an NT box running Interix, but that's the exception. I've wondered for a while how well Apache would run in an Interix subsystem. But it's not interesting enough that I've tried it.
How do you know Bill didn't? (Score:5, Interesting)
With closed source code, how do you know that there isn't a root kit included? There are so many "undocumented features", "easter eggs", flight simulators, etc. included free of charge in Windows, what else is in there that we haven't found yet?
Queen B
Re:How to clean boot Windows? (Score:3, Interesting)
The downside is that every time I need one I have to re-create/burn a CD-R that is garbage as soon as another virus is found and the database is updated (pretty much daily).
I personally like to make it VERY CLEAR what I am running and how I am doing what I am doing when I do bother to help yet another lost Windows user. My parting statement to many has become, "I told you to buy a Mac..."
My going rate for such garbage services is $125/hr.
I also happen to have many "clients" where I work on their Linux machines for
Bill raped 'em, why can't I?
Boot Disk (Score:4, Interesting)
Re:Let's pretend I'm on linux... (Score:1, Interesting)
Re:Tips of using Windows rootkits (Score:3, Interesting)
Darn. I always keep archives of things I think might be important. On a system I had once (some dweeb had Win98 on a T-1), explorer.exe was doing weird stuff to images.excite.com, but there was a hosts delimiter to redirect it to some cable IP addy. I sent a 'kill' command to my setup, which proceeded to undo all I installed. That is one rule I do follow: if something doesn't feel right, drop it like a bad habit, and fast.
I meant that I don't remember the DLL name that was acting up. I googled(tm) and googled(tm) and couldn't find anything.
Exactly. Actually, people usually equate it more to instability than to a trojaned executable. Most just don't have the know-how to protect themselves against us. They see software firewalls, but who doesn't allow iexplore.exe to contact the internet (talking about general users)?
The best security is to surf from a public terminal and transfer only known good stuff. How many of you would use something like BitKeeper and get Linux ISOs? How do you know a trojan wasn't installed into server X or Linux kernel compile 2.4.20z? You usually can trust the main servers. You know that the main developer isn't inserting garbage like this into it..... but what if the ftp server was hacked? What would it take to hack a hole in a server to grant server permissions (eg root)? 10 lines max.
I know there'll be a few that say I have no ethics, but one thing I will not stand for is the hacking of servers which provide GPL-like source programs. Hacking them helps nobody. Not even people like me.
Still, I've been glad to talk with you and the slashdot community. I was expecting a more negative attitude towards me. I'm glad I was wrong.