Security

Windows Rootkits

GuidoJ writes "The Register is running an article by Kevin Poulsen of SecurityFocus Online about rootkits in Windows NT. While rootkits are a well-known issue in Unix and Linux systems, they have rarely been found on compromised Windows machines. According to the article, Windows NT backdoors have always been 'trivial', and they have caused enough havoc already. Imagine what a stealthy rootkit could do!"

  • rootkit redundant. (Score:5, Interesting)

    by aePrime ( 469226 ) on Friday March 07, 2003 @05:21PM (#5462467)
    Well, as most Windows users run their boxes as Administrator anyway, a rootkit can almost be any program that's run with malicious intent.

    I too, in the rarity that it's on, run my Windows box as Administrator because, unlike *nix, there's no easy way to become Admin (root) when you need to. You have to log out and log back in, unless they've changed it in recent releases.
  • Interesting (Score:4, Interesting)

    by einhverfr ( 238914 ) <chris.travers@g m a i l.com> on Friday March 07, 2003 @05:21PM (#5462468) Homepage Journal
    I suspect that too many of the Windoze h4x0rz are too lazy or incompetent to really put in a root-kit. It is possible (imagine if a backdoor installs a .vxd) and this could be devastating (of course driver signing might help).
  • Re:rootkit my ass (Score:5, Interesting)

    by Angry White Guy ( 521337 ) <CaptainBurly[AT]goodbadmovies.com> on Friday March 07, 2003 @05:26PM (#5462538)
    There are ways to get around that. Make the compromised machine initiate all the communications, and you can punch a hole through all but the most determined firewalls. That's why irc bots are so popular.
  • by Qrlx ( 258924 ) on Friday March 07, 2003 @05:29PM (#5462592) Homepage Journal
    But seriously, I'm asked to "Imagine what a stealthy rootkit could do!"

    Having lived thru Melissa and ILOVEYOU, I can't imagine it would get much worse than that. The way security is(n't) done in Windows pretty much obviates the need for a rootkit, almost by design you could say.

    People keep talking about the "next" Melissa, but I don't think there will be one -- for basically the same reason there won't be another 4 planes hijacked and crashed into buildings. Microsoft has learned from past mistakes, and Outlook is far far more secure "out of the box" than it once was.

    People have learned, too; for example if you buy a new Dell it comes with McAfee Security Center, which gives you antivirus and (hopefully) some basic firewall protection. It took a few good beatdowns, but Joe User is at least aware of the dangers out there. To a degree I think we can thank the spammers; people are less likely to open suspect attachments nowadays because they prolly think it's spam. I'll take the silver lining and be happy.

    I'd be far more worried about a rootkit/attack on the Internet itself (e.g. core routers, DNS) than the Next Big Windows Vulnerability. With the increasing trend towards Internet Everything, were I in the mood to break things, I would be hacking DNS and Cisco -- break the mesh and the nodes are useless. Conversely, clueful people weren't affected by SQL Slammer since why would you let your SQL Server talk to the Internet on port 1433 anyway?
  • by Angry White Guy ( 521337 ) <CaptainBurly[AT]goodbadmovies.com> on Friday March 07, 2003 @05:33PM (#5462649)
    From trusted ports to trusted ports work for most firewalls. Another way is to control by e-mail. You could even make it look like DNS queries if you wanted. The trick is not getting caught on the way in. Once in, there's not a lot holding you back.
  • by Anonymous Coward on Friday March 07, 2003 @05:36PM (#5462701)
    One of the annoying things about Windows, is that there doesn't seem to be any simple way to "clean boot" it off a floppy or CD.

    It used to be that I would scan someone's system for malware by booting DOS 6.22 (or later, Win98 since it could support some newer, bigger filesystems) and run F-Prot. This eventually became less and less practical. The scanner didn't even fit on a floppy anymore, so I was doing things like clean booting and making a RAM disk, and then unzipping several floppies onto the RAM disk just so I could run a scanner. But eventually people started using NTFS, which my DOS/Win98 boot floppies couldn't read anymore.

    I guess I didn't keep up, and I didn't know what the orthodox approach to safe scanning was anymore. Eventually we started telling customers to see someone else about their Windows problems; we just wanted to support our apps and that was it.

    Eventually I found out what the so-called "experts" we were referring people to were doing: they would boot the unclean, suspected system, and install some Windows-based antivirus program (McAfee, Norton, whatever), and then run it to scan the (possibly) infected system, while it was running in a (possibly) infected state. Holy shit, how stupid can you be? No wonder stuff doesn't get detected.

    People were getting huge bills for techs' time too. The amount of waste I saw was staggering, and these were small businesses, not big megacorps.

    I guess the only way to reliably scan a Windows system is to take the hard disk out and mount it as a secondary drive in a known clean system? Beats me. Just about every other OS can be booted from removable media, but I don't know a way to do that with Windows. Oh well, somebody else's problem.

    Except there isn't a "somebody else." The customers call around to try to find someone to help them, and in a city of half a million people, no one can. They ask again a couple of weeks and a few thousand dollars later, more desperate. And I tell 'em the only thing I know will work for sure: Totally wipe the HD and reload your apps.

  • by j_kenpo ( 571930 ) on Friday March 07, 2003 @05:38PM (#5462723)
    A Windows command prompt is only the beginning of the fun. Once there, you can install a hidden VNC server and get your remote desktop, as outlined in "Hacking Exposed" 2nd and 3rd editions in the section under Windows NT and Windows 2000. Also, if it is a Win2k box, you can enable the terminal service and run something like RT client or in Linux rdesktop to get a remote desktop. There are other things you can do with a command prompt too, such as install any other trojan along the lines of BO, or Sub7 for remote control havoc, not to mention things like run irc bots, zombies, or be really lame and set up crappy things like DDOS nodes. Or if you feel like cheating at SETI, you can set up a remote SETI client, or as some people saw, there was a virus/trojan that ran around and set up a Distributed.net client. Those are just basic examples of what you can do, and if there were a good root kit for Windows, you could hide those processes. In truth, you could do all the same things with a Windows root kit that can be done with a Unix one, only it just wouldn't be as cool for some reason.
  • by j_kenpo ( 571930 ) on Friday March 07, 2003 @05:47PM (#5462821)
    I'd have to agree with this. With the exception of the Emergency Recovery Console in Win2k and WinXP, there isn't really a safe way that I can think of to clean out an infected Windows box the same way as in the old DOS days (or even up to WinME). In Unix you could at least boot off a floppy or CD like Knoppix and mount the drive in some form of a safe manner. I've heard that there is supposedly a way to do this with Windows, but since I have no real desire to go back to Windows, nor do I support Windows, I don't know the legitimacy of that statement nor have I checked. If a Win2k or WinXP system is partitioned for FAT32, you could still boot off a floppy and run, but like you said, NTFS is a bitch. If there's some sort of corruption of the boot sector or FAT table, mounting it secondary in another system would be suspect, and I have seen viruses that disable virus scanners (or at least attempt to), so installing one after the fact is only partially reliable, if at all. Anyone have any ideas on this?
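The two comments above (the Anonymous Coward on clean booting, and j_kenpo asking for ideas) come down to one technique: stop trusting the suspect OS, attach its disk to a known-clean system, and inspect it from there. The script below is an added example, not code posted by anyone in this thread. It hashes every regular file on an offline-mounted volume and diffs the result against a manifest recorded while the system was trusted, so a rootkit that hides files from the live system's own APIs has nothing to hook. The directory layout, file names and contents in `demo()` are constructed for the example; the baseline would in practice come from a hash manifest you took before the incident, or from vendor-published file hashes.

```python
"""Offline integrity check of a suspect volume against a known-good manifest.

Run from a clean system with the suspect disk mounted read-only. Walks the
volume, hashes every regular file, and reports files added, changed or
removed relative to a baseline manifest taken while the system was trusted.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # only hash real file content, not links or devices
            rel = full.relative_to(root).as_posix()
            manifest[rel] = hash_file(full)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests: files added, changed or removed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "changed": changed, "removed": removed}


def demo() -> dict:
    """Constructed scenario: record a trusted baseline, then tamper with the volume."""
    with tempfile.TemporaryDirectory() as tmp:
        vol = Path(tmp) / "volume"  # stands in for the offline-mounted disk
        sys32 = vol / "WINNT" / "system32"
        sys32.mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"trusted kernel32 bytes")
        (sys32 / "ntoskrnl.exe").write_bytes(b"trusted ntoskrnl bytes")
        (vol / "WINNT" / "notepad.exe").write_bytes(b"trusted notepad bytes")
        baseline = hash_tree(vol)

        # Tampering, constructed for the demo: one system file patched,
        # one new driver dropped, one file deleted.
        (sys32 / "kernel32.dll").write_bytes(b"patched kernel32 bytes")
        (sys32 / "drivers").mkdir()
        (sys32 / "drivers" / "hidden.sys").write_bytes(b"dropped driver")
        (vol / "WINNT" / "notepad.exe").unlink()
        current = hash_tree(vol)
    return compare(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

Two caveats for real use: `os.walk` sees only the primary data stream of each file, so NTFS alternate data streams need a tool that enumerates them separately, and a diff is only as good as its baseline, so the manifest must be stored off the suspect machine.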
  • Re:rootkit my ass (Score:1, Interesting)

    by Anonymous Coward on Friday March 07, 2003 @05:47PM (#5462822)
    The Windows world runs very poorly designed apps that are based on the idea of "active content." They can get compromised just by loading a spreadsheet. It's not like you have to connect to some port and buffer-overflow something. Just email the user a rootkit inside a trojan horse, and they'll run it.

    What use is a firewall then? What are you gonna do, have the firewall block email? Block the web too, thanks to ActiveX controls and "plugins." The only firewall that really protects Windows, is the one where you pull the network cable out of their NIC and disable their floppy drive. (Then, if you want to be sure, pour gasoline on the computer and light a match.)

    Windows and networks just don't belong together.

  • Re:rootkit my ass (Score:3, Interesting)

    by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Friday March 07, 2003 @05:51PM (#5462863) Journal
    Not only that, you could easily make the rootkit query a webpage for instructions. It could check slashdot for posts by an anonymous coward with a certain set of keywords. If you are rooted, and your attacker has 10 ounces of creativity, a firewall will offer you zero protection. The firewall is there to make it more difficult to get rooted in the first place.
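Angry White Guy's two comments and Elwood's describe the attacker's side of the firewall problem: the compromised host initiates every connection, so a firewall that allows outbound traffic lets it through. The defender's counterpart is to look at what the firewall allowed out. The script below is an added example, not code from this thread: it parses allowed outbound connections from firewall log lines, groups them by source, destination and port, and flags groups that connect many times at suspiciously regular intervals, which is how a timer-driven callback differs from a person browsing. The log format and the sample lines are constructed for the example; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, not real hosts.

```python
"""Spot periodic outbound 'beaconing' in allowed-connection firewall logs.

Groups allowed outbound connections by (source, destination, port, proto)
and flags groups whose inter-connection gaps are numerous and unusually
regular. Log format and sample lines are constructed for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ALLOW (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one host calls an IRC port every minute, another browses.
SAMPLE_LOG = """\
2003-03-07 17:21:03 ALLOW TCP 192.168.1.23:1034 -> 203.0.113.9:6667
2003-03-07 17:21:05 ALLOW TCP 192.168.1.40:1201 -> 198.51.100.7:80
2003-03-07 17:22:03 ALLOW TCP 192.168.1.23:1035 -> 203.0.113.9:6667
2003-03-07 17:22:41 ALLOW TCP 192.168.1.40:1202 -> 198.51.100.22:80
2003-03-07 17:23:03 ALLOW TCP 192.168.1.23:1036 -> 203.0.113.9:6667
2003-03-07 17:23:58 ALLOW UDP 192.168.1.40:1203 -> 198.51.100.53:53
2003-03-07 17:24:04 ALLOW TCP 192.168.1.23:1037 -> 203.0.113.9:6667
2003-03-07 17:25:03 ALLOW TCP 192.168.1.23:1038 -> 203.0.113.9:6667
2003-03-07 17:25:27 ALLOW TCP 192.168.1.40:1204 -> 198.51.100.7:80
2003-03-07 17:26:03 ALLOW TCP 192.168.1.23:1039 -> 203.0.113.9:6667
2003-03-07 17:31:10 ALLOW TCP 192.168.1.40:1205 -> 198.51.100.7:80
"""


def parse_log(text: str) -> dict:
    """Group allowed connections by (src, dst, dport, proto) -> sorted timestamps."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; real tooling would count these
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["src"], m["dst"], int(m["dport"]), m["proto"])
        groups[key].append(ts)
    for stamps in groups.values():
        stamps.sort()
    return groups


def find_beacons(groups: dict, min_connections: int = 5, max_cv: float = 0.1) -> list:
    """Flag groups with at least min_connections whose gap spread is small.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between successive connections: bursty human browsing scores high, a
    timer-driven callback scores near zero.
    """
    hits = []
    for (src, dst, dport, proto), stamps in groups.items():
        if len(stamps) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # everything in the same second is a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "proto": proto,
                         "count": len(stamps), "mean_interval": mean, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']}/{hit['proto']} "
              f"{hit['count']} connections, every {hit['mean_interval']:.0f}s "
              f"(cv {hit['cv']:.3f})")
```

The thresholds are a starting point, not a rule: a beacon with randomised sleep will raise the coefficient of variation, so in practice you would also look at destination reputation and at hosts that talk to a single destination far more often than their peers. The point the comments make still stands: this catches the callback only after the host is compromised, which is why the firewall's job is to make compromise harder in the first place.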
  • by Erris ( 531066 ) on Friday March 07, 2003 @06:03PM (#5463016) Homepage Journal
    ... the mysterious crashes were actually a lucky break -- they gave away the presence of an until-then unknown tool that can render an intruder nearly undetectable on a hacked system. Now dubbed "Slanret", "IERK, ..."

    Field Day!

    And here we thought that unstable interfaces for device drivers were a bug; they are a feature! This would be really useful if a BSoD only indicated intrusion; sadly it only indicates that your computer is turned on and what module it ran last. Hint to all you LEET HAXORS: make your names dumb like M$ does, rather than "0wned", "R000TED" or any variant of common four letter words like jerk.

    Who says the ierk was responsible for the crash? We know that Windows does that, but we don't know anything about the ierk. Applying the razor, it's best to accept that Windows is still BSoD.

    Oh, the list of laughs to be had here goes on and on. Who actually thought that it was impossible to hide applications and files on a system that's designed for DRM? Ha! Those are features. Who would really trust an O$ by a company whose EULA says the company has the right to inspect and delete files at will and without notice? If they can read and delete, you bet they can write. The system is backdoored by design; of course people are going to take advantage of it.

  • by SN74S181 ( 581549 ) on Friday March 07, 2003 @06:24PM (#5463230)
    Since Windows NT isn't a multiuser timesharing system, the power of 'root', in particular remotely, isn't that great. The remote login and remote administration tools for NT are patched on kludges.

    You can install Hummingbird Inetd or Interix, or use the built-in but anaemic Telnet server that comes with W2K, but since NT's focus is not to be a symmetrical multi-user timesharing system, the default system most people think of as 'NT' isn't that fun to hack into.

    Now, I've supported many simultaneous users on an NT box running Interix, but that's the exception. I've wondered for awhile how well Apache would run in an Interix subsystem. But it's not interesting enough that I've tried it.
  • by queenb**ch ( 446380 ) on Friday March 07, 2003 @06:30PM (#5463281) Homepage Journal

    With closed source code, how do you know that there isn't a root kit included? There are so many "undocumented features", "easter eggs", flight simulators, etc. included free of charge in Windows, what else is in there that we haven't found yet?

    Queen B

  • by krray ( 605395 ) on Friday March 07, 2003 @06:38PM (#5463361)
    Create a bootable Linux CD with whatever you need on there. I happen to throw on McAfee's UVSCAN Linux-based scan software and go.

    The downside is every time I need one I have to re-create/burn a CDR that is garbage as soon as another virus is found and the database is updated (pretty much daily).

    I personally like to make it VERY CLEAR what I am running and how I am doing what I am doing when I do bother to help yet another lost Windows user. My parting statement to many has become, "I told you to buy a Mac..."

    My going rate for such garbage services is $125/hr.
    I also happen to have many "clients" where I work on their Linux machines for ... free. Because I *ENJOY* it.

    Bill raped 'em, why can't I?
  • Boot Disk (Score:4, Interesting)

    by hendridm ( 302246 ) on Friday March 07, 2003 @06:46PM (#5463439) Homepage
    You could always create an NTFS Boot Disk [ntfs.com] to scan a suspect system. If you want write access, you'll need a boot disk capable of writing data [sysinternals.com] though. Haven't seen a free read/write solution yet...
  • by Anonymous Coward on Friday March 07, 2003 @07:42PM (#5463861)
    Well, /dev/kmem for one. You need grsecurity to patch that out.
  • by Anonymous Coward on Saturday March 08, 2003 @12:47AM (#5465449)
    +Sorry. It's all long gone.

    Darn. I always keep archives of things I think might be important. On a system I had once (some dweeb had win98 on a t-1), explorer.exe was doing weird stuff to images.excite.com, but there was a hosts delimiter to redirect it to some cable IP addy. I sent a 'kill' command to my setup which proceeded to undo all I installed. That is one rule I do follow.. if something doesn't feel right, drop it like a bad habit, and fast.

    +I meant that I don't remember the DLL name that was acting up. I googled(tm) and googled(tm) and couldn't find anything.

    Exactly. Actually, people usually equate more to instability than to trojaned executables. Most just don't have the know-how to protect themselves against us. They see software firewalls, but who doesn't allow iexplore.exe to contact the internet (talking about general users)?

    The best security is to surf from a public terminal and transfer only known good stuff. How many of you would use something like Bitkeeper and get Linux ISOs? How do you know a trojan wasn't installed into server X or Linux kernel compile 2.4.20z? You usually can trust the main servers. You know that the main developer isn't inserting garbage like this into it..... but what if the ftp server was hacked? What would it take to hack a hole in a server to grant server permissions (eg root)? 10 lines max.

    I know there'll be a few that say I have no ethics, but one thing I will not stand by is the hacking of servers which provide GPL-like source programs. Hacking them helps nobody. Not even people like me.

    Still, it's been good talking with you and the slashdot community. I was expecting a more negative attitude towards me. I'm glad I was wrong :-)
