Windows Rootkits 344
GuidoJ writes "The Register is running an article by Kevin Poulsen of SecurityFocus Online about rootkits in Windows NT. While rootkits are a well-known issue in Unix and Linux systems, they have rarely been found on compromised Windows machines. According to the article, Windows NT backdoors have always been 'trivial', and they have caused enough havoc already. Imagine what a stealthy rootkit could do!"
And all this time (Score:5, Funny)
How do you know Bill didn't? (Score:5, Interesting)
With closed source code, how do you know that there isn't a root kit included? There are so many "undocumented features", "easter eggs", flight simulators, etc. included free of charge in Windows, what else is in there that we haven't found yet?
Queen B
Re:How do you know Bill didn't? (Score:5, Funny)
Re:And all this time (Score:2, Troll)
That said though, MS is a company run by criminals, with a long history of criminal actions. And they've tried to get open source software, the software I and many other users use to make a living, outlawed in the US, or at the least, banned for government use. They're essentially trying to FUD everyone here out of business and mandate use of their software.
I think it's fair to expect that they're going to get a bad rap, here of all places. Microsofties come here, to the site most identified with open source ideals, and expect that we should kiss the ass of the company doing the most to ruin our way of life. How stupid are they? Even if MS doesn't suck *right now* they suck for all of the things they have done in the past.
This is my long way of saying that I totally agree. Fuck off to the MS forums where you belong, you trolls. You'll get absolutely no respect here for osculating the posterior of billy boy and steve "Developers, Developer, Developers" ballmer.
Roots on Windows aren't as l337 (Score:2, Funny)
Watch as I type edit and the screen goes blank!
Re:Roots on Windows aren't as l337 (Score:2)
Of course, if the admin was so kind to put a C or Bourne shell + Cygwin on the NT box, heck, you can do whatever you want.
Re:Roots on Windows aren't as l337 (Score:2)
Re:Roots on Windows aren't as l337 (Score:2)
Thanks.
Re:Roots on Windows aren't as l337 (Score:2, Informative)
http://lists.isb.sdnpk.org/pipermail/comp-list/
Re:Roots on Windows aren't as l337 (Score:4, Informative)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contr
In the client, just append a ":" to the hostname/ip.
Re:Roots on Windows aren't as l337 (Score:5, Insightful)
Re:Roots on Windows aren't as l337 (Score:5, Interesting)
Re:Roots on Windows aren't as l337 (Score:2, Informative)
Point of clarification: W2K Professional does not have terminal services available to it, although Server and Advanced Server both do. WXP has it tho, and it's nice and easy to use.
Re:Roots on Windows aren't as l337 (Score:2)
Re:Roots on Windows aren't as l337 (Score:2)
You are aware that %systemroot%\system32\edit.com is a text-mode app, right?
cmd.exe is rather limited in what it can do...but it wouldn't take much to FTP a Cygwin install from someplace and fire that up. You might also manually install VNC (copy the files where they need to go and insert the necessary registry entries) and take over the desktop.
Rootkits in brief (Score:5, Informative)
http://www.oreillynet.com/pub/a/linux/2001/12/14/
Understanding Rootkits
by Oktay Altunergil
12/14/2001
A rootkit is a collection of tools an intruder brings along to a victim computer after gaining initial access. A rootkit generally contains network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities such as ps, netstat, ifconfig, and killall. Although the intruders still need to break into a victim system before they can install their rootkits, the ease-of-use and the amount of destruction they cause make rootkits a big threat for system administrators.
The main purpose of a rootkit is to allow intruders to come back to the compromised system later and access it without being detected. A rootkit makes this very easy by installing a backdoor remote-access daemon, such as a modified version of telnetd or sshd. These will often run on a different port than the one that these daemons listen on by default.
Most rootkits also come with modified system binaries that replace the existing ones on the target system. At a minimum, core binaries such as ps, w, who, netstat, ls, find, and other binaries that can be used in monitoring server activity, are replaced so intruders and the processes they run are invisible to an unsuspecting system administrator.
Because most rootkits will mimic the creation dates and file sizes of the original system binaries while replacing them with infected versions, keeping records of these file statistics is not sufficient. Thus, the best way to make an inventory of system file information that can be used to identify suspicious activities on the server is to calculate the cryptographic checksums of these files and store this information in a safe location, such as on a CD.
Third-party tools such as Tripwire or AIDE make this process much easier and more robust by automating the calculation of these file signatures.
Here's a quick explanation of Tripwire from the organization's web site:
"Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc."
Obviously this process has to be repeated as you introduce more software and other files into your system. You can also use the RPM signatures on RPM-based systems such as Red Hat and SuSE to compare the current MD5 signatures of your files to those in the RPM installation database. Unfortunately, the RPM application itself and the local RPM database cannot be trusted to provide accurate information because intruders can potentially infect them too.
Some rootkits may also contain sniffer or keylogger applications that are used to gather passwords for other systems and listen to traffic for sensitive information. To do this, the rootkits set the PROMISCUOUS mode on the target machine's network interface card (NIC). In normal operation, a network interface card only listens to traffic that is specifically addressed to itself and traffic that is coming through the broadcast address that everyone listens to.
On a "non-promiscuous" network adapter, the packets that are addressed to other network interfaces are silently discarded without even looking at the actual data in them. However, when using directly connected computers or a network that uses basic, non-switching HUBs, your interface actually can listen to all traffic if it's in PROMISCUOUS mode.
If an intruder listens to this traffic on a relatively large network, the results may be catastrophic. To protect the whole network even when one of the machines is broken into, using direct cable connections and basic HUBs should be avoided. Switching-hubs and other more advanced networking equipment do not broadcast traffic to all the machines on the network, but only send it to the machine that is supposed to receive it, effectively protecting all the other machines on the network.
Because the first thing a system administrator does to monitor unusual activity is to check the system log files, it is very common for a rootkit to include a utility to modify the system logs. In some extreme cases, rootkits disable logging altogether and discard all existing logs. Usually if the intruders intend to use the server for an extended period of time as a launch base for future intrusion activity, they will only remove those portions of logs that can reveal their presence. Because the absence of log files or stopped logging activity is a sign of suspicious activity itself, only attackers who have adopted the hit-and-run style will choose to blindly discard all logs.
One method administrators can use to maintain logs about an intrusion attempt -- successful or otherwise -- is to devise a system that detects network anomalies and alerts the system administrators by sending them notification email messages and/or log files. Obviously, the network intrusion detection and periodic log-file transfer methods cannot be trusted after the intruder gains access to the machine.
Arguably the most severe threat to system security that can be caused by a rootkit comes from those that deploy LKM (Loadable Kernel Module) trojans. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel on the fly -- without requiring a kernel recompilation. Although the benefits of using LKMs are universally recognized, they are also subject to abuse by intruders who use the kernel module-loading mechanism for malicious purposes. Even if you reboot a system that is infected by an LKM Trojan, the LKM process will reload it during boot-up just like any other kernel module. Loadable Kernel Modules are used by many operating systems including Linux, Solaris, and FreeBSD.
According to SANS, "Kernel [LKM] rootkits do not replace system binaries, they subvert them through the kernel. For example, ps may get process information from
Although it is thought to be possible to cryptographically sign kernel modules, the best mode of prevention against this security threat is to compile all functionality statically into the kernel and disable the LKM functionality -- especially on a server system which is not likely to need additional kernel functionality at a later time.
Knark, Adore, and Rtkit are just a few of many LKM rootkits available today.
The only way to avoid rootkit installations on your system is to stop them before they enter your system. Remember that a rootkit is not designed to help an intruder gain access to a system. A rootkit is designed to make the intruders feel at home and allow them to work silently on your system without being disturbed. To install a rootkit, an intruder still must gain unauthorized access to your server using traditional methods, such as exploiting known vulnerabilities or even practicing social engineering to get the password information from a well-meaning person who happens to have it.
To avoid future headaches, you should always install firewalls on your machines that are accessible via some type of a network, apply all published patches to your software, and disable any services that are not absolutely necessary. Coupling these practices with strong passwords and secure protocols, such as SSL and SSH where applicable, you can be sure that your system will never be compromised.
Well
In my next article, I'll discuss some of the tools that are at your disposal in your quest to detect the existence of a rootkit on your system. I will also talk about what you can do to clean up a rootkit after you discover it.
Oktay Altunergil works full time as a Unix Administrator and PHP Programmer.
oreillynet.com Copyright © 2003 O'Reilly & Associates, Inc.
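The article's advice to keep cryptographic checksums of core binaries, rather than sizes and dates a rootkit can mimic, is easy to see in code. The following is an added example, not the article's or Tripwire's code: a minimal baseline-and-compare tool in the spirit of Tripwire/AIDE, run against a constructed temporary directory in which one fake "ps" binary is replaced by a same-length file with its mtime restored. File names, contents and the baseline path are all constructed for the demo.

```python
# Added example: a minimal file-integrity baseline showing why a digest catches a
# trojaned binary whose size and mtime were mimicked. Paths are constructed in a
# temporary directory; nothing here touches real system binaries.
import hashlib
import json
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record size, mtime and digest for each path."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                       "sha256": hash_file(p)}
    return baseline


def save_baseline(baseline, out_path):
    # In practice write this to read-only media (the article suggests a CD): a
    # baseline kept on the monitored host can be altered along with the binaries.
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)


def compare(baseline, current_paths):
    """Return {path: finding} for anything that differs from the baseline."""
    findings = {}
    for p, rec in baseline.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        st = os.stat(p)
        if hash_file(p) != rec["sha256"]:
            # Matching size and mtime is exactly the trick the article warns
            # about; only the digest exposes the swap.
            if st.st_size == rec["size"] and st.st_mtime_ns == rec["mtime_ns"]:
                findings[p] = "content changed, size/mtime preserved"
            else:
                findings[p] = "content changed"
    for p in current_paths:
        if p not in baseline:
            findings[p] = "not in baseline"
    return findings


def demo():
    """Constructed scenario: two fake binaries, one replaced by a same-size file."""
    d = tempfile.mkdtemp()
    ps, ls = os.path.join(d, "ps"), os.path.join(d, "ls")
    with open(ps, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/true\n")
    with open(ls, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/false\n")
    baseline_file = os.path.join(d, "baseline.json")
    save_baseline(build_baseline([ps, ls]), baseline_file)

    # Simulate the replacement: same byte length, then mtime restored.
    before = os.stat(ps)
    with open(ps, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/evil\n")
    os.utime(ps, ns=(before.st_atime_ns, before.st_mtime_ns))

    findings = compare(load_baseline(baseline_file), [ps, ls])
    return {os.path.basename(k): v for k, v in findings.items()}


if __name__ == "__main__":
    print(demo())
```

Running the demo reports only "ps", and reports it as changed with size and mtime preserved; a check based on the stat fields alone would have stayed silent. The same caveat the article gives for RPM applies here: the hashing tool and the baseline are only trustworthy if the intruder could not reach them, so run the comparison from clean media rather than from the suspect host.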
rootkit my ass (Score:2, Insightful)
Re:rootkit my ass (Score:5, Interesting)
Re:rootkit my ass (Score:2)
You have to think like an admin (Score:3, Interesting)
Re:rootkit my ass (Score:3, Interesting)
Re:rootkit my ass (Score:3, Funny)
Re:rootkit my ass (Score:4, Insightful)
I have seen many firewalls allowing everything outgoing; even servers that had no reason to connect to the internet had access to the outside. Sure it might be easier to run that "Windows Update" but still.
Look at Phrack and so on (Score:3, Informative)
The main issue is that although NT has quite good privilege separation and 2K even better (both better than a non-security enhanced Unix), 90% of the apps don't use this. That means once you're in, you have the machine.
Re:rootkit my ass (Score:2)
Is this new??? (Score:4, Funny)
Re:Is this new??? (Score:2)
I hate it when my cheap anti-MS jokes gets modded as interesting or insightful.
I can't tell if the moderator was sarcastically moderating or not, heh.
This shows that Windows (Score:4, Funny)
rootkit redundant. (Score:5, Interesting)
I too, in the rarity that it's on, run my Windows box as Administrator because, unlike *nix, there's no easy way to become Admin (root) when you need to. You have to logout and log back in, unless they've changed it in recent releases.
Re:rootkit redundant. (Score:5, Informative)
Re:rootkit redundant. (Score:5, Informative)
Just to clear up a few things: "Run as" is not in Windows NT 4.0 (or below I would assume). In Windows 2000, you Shift-right_click to get "Run As" as an option. You cannot run another copy of Explorer.exe with it (and so you cannot access the control panel as administrator using this trick). Windows XP's fast user switching is better in this regard- no need to close programs to do something as administrator, but still not as nice as nix. Windows NT Resource kit has a command line SU utility, but I've never used it.
Re:rootkit redundant. (Score:5, Informative)
Jouster
Re:rootkit redundant. (Score:3, Informative)
wrong, and wrong
First, you can. Kill explorer.exe from the task manager, and then rerun it as Administrator: you'll get the Administrator's taskbar, desktop, etc.
Second, you don't need to. You can run the command prompt as Administrator, and launch all the commands you need from there, including control panel applets and MMC snap-ins (you learn soon which has what filename). Or you can start Internet Explorer (iexplore.exe) as Administrator, instead - when browsing local folders, it will turn into an Explorer workalike, with just some UI problems (it won't be able to receive update notifications, not even from itself, so you'll need to refresh directory listings manually with F5)
Re:rootkit redundant. (Score:4, Informative)
But what you say is also true. I too run an account that's a member of Administrators because it's too much trouble to become all-powerful when needed.
It's kinda funny now that I'm thinking of it. You have to be an admin to install a printer, but any old account can delete the printer driver files. Nice.
Re:rootkit redundant. (Score:5, Insightful)
But what you say is also true. I too run an account that's a member of Administrators because it's too much trouble to become all-powerful when needed.
It's kinda funny now that I'm thinking of it. You have to be an admin to install a printer, but any old account can delete the printer driver files. Nice.
Not if you've spent some time locking down the box, and designing and implementing security properly. Users can't delete anything they don't have write access to.
Now, out of the box, WinXP and its predecessors install by default in a very insecure state. That I take issue with, but there's nothing stopping you from fixing that.
If you have your
And if you run as administrator all the time, that's just like always logging in as root.
Too many people like to dump on Windows security, but very few have ever even bothered to try and set it up properly.
After the filesystem permissions are properly set, the local and domain policies in place and checked, the services audited for necessity and security, then what's left is a legitimate fault with Windows.
Re:rootkit redundant. (Score:2)
http://www.nsa.gov/snac/
Re:rootkit redundant. (Score:2)
It doesn't help that, as you noted, the default Windows install is horribly insecure. You could proceed to lock it down...but that would be like having to go through a fresh install of $RANDOM_LINUX_DISTRO and chmod go-w the contents of entire directories to lock it up. A default install ought to be reasonably secure...it doesn't necessarily need to be hardened against all present and future exploits, but making the factory install as wide open as the goatse.cx guy isn't the brightest idea in the world.
I find it easier to just not allow Win32 boxen to connect directly to the Internet. They're all firewalled behind systems running Linux (usually). That doesn't guard against local users hosing their systems, but since this is a software-coding shop, most of our people are smart enough to not do something like that. It's not like we have some old biddy flipping the power switch on/off all day between bouts of tinkering with some Excel spreadsheet.
No no no (Score:5, Insightful)
Well I would have to disagree. Let's peel the onion back one layer - why on earth would anyone have to change the default filesystem permissions?
The reason is that windows has no concept, and never did, of partitioning user data from system data. In any unix, the filesystem is sensibly laid out such that removing write access to huge swathes of it does absolutely nothing to hinder its usability. Not so in windows, everything's mixed together in one big steaming mess. Instead of simple read access, we have confusing messages from explorer telling users "OH MY GOD! You shouldn't look at the files in this directory, it can cause obesity, nausea, jet-like diarrhea and insanity - but click here if you really really want to see them ..." or some other such nonsense. W2K isn't much better, but at least it's less obnoxious.
Secondly - and this is more of a cultural issue which flows naturally from the above situation - this isn't even realistic. I used to do this, locking users out of c:\ and \system32\ etc., but I would find that we had all these boneheaded programs we had to run which needed to write to various parts of the filesystem for no apparent reason other than ignorance. This problem is so rife with windows developers that locking users out of pieces of the filesystem is almost useless, because you wind up not being able to do it anyway.
Re:rootkit redundant. (Score:2)
There is a nice little command runas that lets you 'su' to another user.
Also, in XP, runas is a right-click option on executable desktop and start menu items.
runas - Re:rootkit redundant. (Score:5, Informative)
C:\>runas
RUNAS USAGE:
RUNAS [/profile] [/env] [/netonly]
program command line for EXE. See below for examples
Examples:
> runas
> runas
> runas
NOTE: Enter user's password only when prompted.
NOTE: USER@DOMAIN is not compatible with
Re:rootkit redundant. (Score:2)
> Administrator anyway
I don't, just like everybody with a clue.
> there's no easy way to become Admin (root) when
> you need to
err. why don't you try this at home
C:\>runas
Yes, with some effort you can have a secure win2K.
J.
Re:rootkit redundant. (Score:2)
To do file management, including changing permissions and the like, you can use DOS (the command prompt can be run with RunAs). You can run the "cacls" command from the command prompt to change permissions, and I assume you know how to move files, make directories, etc.
Re:rootkit redundant. (Score:2, Insightful)
Yeah. MS has "caught on", somewhat. 2000 will sometimes prompt you (esp when inserting a CD and it thinks you want to install something) if you want to run as administrator when it detects that you need higher privs to run something. But it doesn't always work.
I've noticed this with things like installing patches for installed apps (like Adobe Acrobat, for instance). Acrobat will periodically check for updates and then ask if you want to install and download. I got tired of hitting the 'no, ask me later' button so I went ahead said yes. It finished downloading and then stopped saying I had to log in as 'administrator' to install the update. Would have been nice if it had said so in the first place or gave me an option to use 'runas'.
I've tried to get out of the habit of running with an administrator priv account. I don't need administrator very much for day-to-day stuff at work (they deliver the machines with owner's domain account in the administrator's group by default), but it is a pain to have to log out and back in to be able to install something.
Re:rootkit redundant. (Score:2)
Interesting (Score:4, Interesting)
Re:Interesting (Score:2)
2. you're a MS basher
Look, I think my posts have been *very* moderate. I like Linux, and I think the Microsoft has, in the past, been anticompetitive. I also think that proprietary software is doomed and that Windows shows the fundamental flaws of this approach even though it is not bad software compared to most commercial software out there.
Look, if it is that hard to bring secure software to the masses via proprietary development practices-- if Microsoft can't afford to do it-- then this is a case against a business model, not against a company in particular.
3. you have a hotmail account listed in slashdot
therefore...
4. you're a hypocrite.
Hmmm.... I was not about to cancel my hotmail account just because they *finally* after many tries migrated from *BSD and Qmail...... I had a hotmail account then and I still have one. Why should I make everyone change their address listings for me?
Old news (Score:3, Insightful)
Internet Explorer is a rootkit? (Score:5, Funny)
Re:Internet Explorer is a rootkit? (Score:2, Funny)
"Also known as "kernel mode Trojans," root kits are far more sophisticated than the usual batch of Windows backdoor programs that irk network administrators today. The difference is the depth at which they control the compromised system."
Re:Internet Explorer is a rootkit? (Score:2)
In other words, it is all done in userspace. But it still catches microsoft with their pants down; why would they go to that much trouble to hide your browsing history from yourself?
The really worrying part (Score:3, Insightful)
But then I guess that it's possible precisely because MS have made it simple to manage, and thus simple to mis-manage.
Of course, the best way to defeat this kind of trojan is simply to use a firewall and block the ports being used to remotely configure the hidden driver. So then, the worrying part is not the trojan itself, but the competency of the average user...
Let's pretend I'm on linux... (Score:2, Funny)
So what about this is more difficult than windows? An API must exist for a driver to be loaded, therefore it can be exploited. The tool that interacts with a user installing a driver uses this API; the rootkit bypasses all possible interaction (and uses its privileged position to hide its existence).
Re:Let's pretend I'm on linux... (Score:3, Informative)
Also, since Linux is a file based config OS, it's gonna be a damn sight easier to remove a rootkit than it would be with Win32. Having had experience (trying to) remove undesirable VXDs and so forth from Windows systems, if the driver in question is resident Windows itself tries very hard not to let you remove it, and there's no easy way to edit the registry without booting fully into the OS.
Re:Boot into safe mode (Score:2)
The recovery console is only any good if the trojan isn't masquerading as some other, normally innocent device driver or service. If, for instance (not giving anyone ideas, BTW
Re:Let's pretend I'm on linux... (Score:2)
There's also the argument that the kind of people who hang around in #linux are the same 13 year old kids who hang on efnet because they want to be l337.
There are many millions more ppl using Windows than Linux, and statistically speaking the percentage of those using Windows for non-user level purposes will be much lower than the same for Linux. Besides, if the average 13 year old's Linux system gets 0wned, it's 1) quite likely to be by another 13 year old script kiddie, and 2) they probably won't notice anyway.
there's more you can do (network wise) with a few small shell scripts in linux, than you could in windows.
This is true, if we're talking about things you can do 'out of the box'. On the other hand, using a console and file upload permissions on an NT/2k/XP system, you can progressively open ports for remote sessions, access network shares, and pretty much do anything (eventually) you'd do locally.
Re:The really worrying part (Score:2)
Of course at kernel level you could listen for any single packet of data, or even a non-IP ethernet frame etc, and possibly establish a full outgoing tcp connection with whoever is in control of your machine.
Re:The really worrying part (Score:2)
The only ports open through my firewall are those needed for web services on my server, and those ports are already opened by the server daemons themselves. If any other app tried to open the port, they'd fail seeing as it was already open for another service.
The best way to defeat this kind of trojan is to prevent it from being installed
My apologies for this unadulterated sarcasm but, uh, duh? No, I really like my machine being compromised by some bastard cracker idiot. Please mister cracker, come and render my computer useless!
I'm done now.
Re:The really worrying part (Score:2)
I was referring to inbound ports. Unless of course, the trojan contacted the cracker rather than vice-versa, which is entirely possible but would mean the cracker's IP would have to remain static and thus quite traceable.
Without knowing your capacity as a user I can't speak for you, but I regularly check on the apps (using netstat) that have ports open, and if I see something I shouldn't, I check it out.
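The habit described in this thread, checking with netstat which programs hold open ports, can be made repeatable. The following is an added example, not code from any poster: it parses the format of `netstat -ano` output (the constructed SAMPLE below, with made-up addresses and PIDs), flags listeners whose port is not on an allowlist, and then, covering the case raised above where the trojan calls out to the cracker instead of waiting for inbound connections, flags established outbound connections owned by the same PID as an unexpected listener.

```python
# Added example: parse netstat -ano style output and compare it to an allowlist.
# SAMPLE is constructed for the demo; the addresses, ports and PIDs are invented.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1244
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1244
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2460
  TCP    [::]:443               [::]:0                 LISTENING       1244
  TCP    10.0.0.5:80            10.0.0.9:51322         ESTABLISHED     1244
  TCP    10.0.0.5:49213         203.0.113.7:6667       ESTABLISHED     2460
  UDP    0.0.0.0:123            *:*                                    1008
"""


def split_addr(addr):
    """'10.0.0.5:80' -> ('10.0.0.5', 80); '[::]:443' -> ('[::]', 443); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn each TCP/UDP line into a dict; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[0], fields[1], fields[2]
        # UDP lines carry no State column, so the PID is the 4th field there.
        state = fields[3] if len(fields) == 5 else None
        pid = int(fields[-1])
        host, port = split_addr(local)
        records.append({"proto": proto, "local_host": host, "local_port": port,
                        "foreign": foreign, "state": state, "pid": pid})
    return records


def unexpected_listeners(records, allowed_ports):
    """Sockets accepting traffic (TCP LISTENING, or any UDP bind) on ports not allowed."""
    out = []
    for r in records:
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and r["local_port"] not in allowed_ports:
            out.append((r["proto"], r["local_port"], r["pid"]))
    return out


def suspicious_outbound(records, allowed_ports):
    """ESTABLISHED connections owned by a PID that also holds an unexpected listener."""
    bad_pids = {pid for _, _, pid in unexpected_listeners(records, allowed_ports)}
    return [(r["proto"], r["foreign"], r["pid"]) for r in records
            if r["state"] == "ESTABLISHED" and r["pid"] in bad_pids]


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE)
    allowed = {80, 443, 3389, 123}
    print("unexpected listeners:", unexpected_listeners(recs, allowed))
    print("outbound from those PIDs:", suspicious_outbound(recs, allowed))
```

On the sample, the web server and remote desktop listeners pass, the listener on 31337 is flagged, and the established connection to 203.0.113.7 is flagged because it belongs to the same PID. Pair this with the article's caveat: if a kernel-mode rootkit is filtering what netstat sees, the output itself is no longer trustworthy, so the same check is worth running from a different vantage point such as a firewall log.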
Re:The really worrying part (Score:2)
Hey, you're not the guy writing these things, are you...?
Re:The really worrying part (Score:2)
Good thing I've got one then
I had the same thought, and for that reason I do all my admin remotely through my laptop. With a firewall behind my ADSL, and one on each of my PCs, it seems unlikely that both machines would become vulnerable before I got a handle on the problem.
Re:You can't in Win XP, unless the driver is signe (Score:2)
It's daft about Lexmark (I've had the same calls!) especially when they're clearly going to make a packet from print cartridges in the future...
Heh...that's one way to decrease install size.. (Score:4, Funny)
"The stealth driver in my mind is the scary concept," says Mertens. "You can hide an elephant with it."
So the first thing they do is hide the \winnt folder?
Imagine a beowulf cluster of rootkits! (Score:5, Interesting)
Having lived thru Melissa and ILOVEYOU, I can't imagine it would get much worse than that. The way security is(n't) done in Windows pretty much obviates the need for a rootkit, almost by design you could say.
People keep talking about the "next" Melissa, but I don't think there will be one -- for basically the same reason there won't be another 4 planes hijacked and crashed into buildings. Microsoft has learned from past mistakes, and Outlook is far far more secure "out of the box" than it once was.
People have learned, too; for example if you buy a new Dell it comes with McAfee Security Center, which gives you antivirus and (hopefully) some basic firewall protection. It took a few good beatdowns, but Joe User is at least aware of the dangers out there. To a degree I think we can thank the spammers; people are less likely to open suspect attachments nowadays because they prolly think it's spam. I'll take the silver lining and be happy.
I'd be far more worried about a rootkit/attack on the Internet itself (e.g. core routers, DNS) than the Next Big Windows Vulnerability. With the increasing trend towards Internet Everything, were I in the mood to break things, I would be hacking DNS and Cisco -- break the mesh and the nodes are useless. Conversely, clueful people weren't affected by SQL Slammer since why would you let your SQL Server talk to the Internet on port 1433 anyway?
Re:Imagine a beowulf cluster of rootkits! (Score:2)
New versions, yes. Old versions like Outlook 97/2000, which are some of the most common email clients in the world, are not. There is also no automatic feature built into Office 2K or below which can apply security updates. If you're not savvy enough (most aren't) to be able to find and use the Office update site, you're a sitting duck.
It's a fact that most Windows users run Windows 98 and a version of Office before XP. Broadband is also more common than ever. It will be a few more years before MS Windows gives up its role as the biggest danger to the Internet, and viruses like Melissa and ILoveYou are hardly a thing of the past.
rootkit detection tool (Score:4, Informative)
http://www.chkrootkit.org [chkrootkit.org]
I like the detection method they used, BSoD (Score:4, Interesting)
Field Day!
And here we thought that unstable interfaces for device drivers were a bug; they are a feature! This would be really useful if a BSoD only indicated intrusion; sadly it only indicates that your computer is turned on and what module it ran last. Hint to all you LEET HAXORS, make your names dumb like M$ does, rather than "0wned", "R000TED" or any variant of common four letter words like jerk.
Who says the ierk was responsible for the crash? We know that Windows does that, but we don't know anything about the ierk? Applying the razor, it's best to accept that Windows is still BSoD.
Oh the list of laughs to be had here go on and on. Who actually thought that it was impossible to hide applications and files on a system that's designed for DRM? Ha! those are features. Who would really trust an O$ by a company who's EULA says the company has the right to inspect and delete files at will and without notice? If they can read and delete, you bet they can write. The system is backdoored by design, of course people are going to take advantage of it.
Silly article, sensationalism and slim facts (Score:2, Funny)
Jon Littman wrote an interesting book about Kevin Mitnick entitled The Fugitive Game. In it he partly addresses the situation of an FBI informant and not-so-l33t hax0r, Kevin Poulsen [nerdworldnj.com]. 100 to 1 this is the same l33t hax0r. Way back in the day--1990--Poulsen was described as not very l33t:
Now I grant you that 13 years is a lot of time for someone to change and learn to abandon stupid sensational media tactics. But look at the substance of the linked slashdot article : "I wrote a rootkit for Windows, I'm cool, and I ran a script kiddie workshop [blackhat.com]so lots of people can do it! By the way, I screwed up the old code. But the new ones the evil hax0rs will make will be really bad. .. So hire me as a consultant!"...um, yeah, right.
Re:Silly article, sensationalism and slim facts (Score:2)
How to clean boot Windows? (Score:5, Interesting)
It used to be that I would scan someone's system for malware by booting DOS 6.22 (or later, Win98 since it could support some newer, bigger filesystem) and run F-Prot. This eventually became less and less practical. The scanner didn't even fit on a floppy anymore, so I was doing things like clean booting and making a RAM disk, and then unzipping several floppies onto the RAM disk just so I could run a scanner. But eventually people started using NTFS, which my DOS/Win98 boot floppies couldn't read anymore.
I guess I didn't keep up, and I didn't know what the orthodox approach to safe scanning was anymore. Eventually we started telling customers to see someone else about their Windows problems; we just wanted to support our apps and that was it.
Eventually I found out what the so-called "experts" we were referring people to were doing: they would boot the unclean, suspected system, and install some Windows-based antivirus program (McAfee, Norton, whatever), and then run it to scan the (possibly) infected system, while it was running in a (possibly) infected state. Holy shit, how stupid can you be? No wonder stuff doesn't get detected.
People were getting huge bills for techs' time too. The amount of waste I saw was staggering, and these were small businesses, not big megacorps.
I guess the only way to reliably scan a Windows system is take the hard disk out and mount it as a secondary drive in a known clean system? Beats me. Just about every other OS can be booted from removable media, but I don't know a way to do that with Windows. Oh well, somebody else's problem.
Except there isn't a "somebody else." The customers call around to try to find someone to help them, and in a city of half a million people, no one can. They ask again a couple of weeks and a few thousand dollars later, more desperate. And I tell 'em the only thing I know will work for sure: Totally wipe the HD and reload your apps.
Re:How to clean boot Windows? (Score:4, Interesting)
Re:How to clean boot Windows? (Score:4, Informative)
Pretty simple.
Re:How to clean boot Windows? (Score:2, Informative)
Re:How to clean boot Windows? (Score:4, Insightful)
Re:How to clean boot Windows? (Score:2)
Despite their increasingly sophisticated design, the current crop of Windows root kits are generally not completely undetectable, and Slanret is no exception. Because it relies on a device driver, booting in "safe mode" will disable its cloaking mechanism, rendering its files visible.
Somebody read the article, read his comment, and said, "what great insight this man must have! Similar to my own exceptional insight. I must mod him up, which is in a way like modding myself up. I am so kewl. Mod, mod".
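The quoted article says the rootkit's driver does not load in safe mode, so files it hides become visible again. One way a defender can turn that into a check is a cross-view diff: capture a recursive file listing in a normal boot and again in safe mode, then compare. This is an added example, not code from the article or the thread; the listing format (path, tab, size) and every entry in it are constructed sample data, and the path names are placeholders, not real rootkit file names.

```python
"""Cross-view diff of two directory listings (added example, not from the thread).

Capture a recursive listing in a normal boot and in safe mode (for instance
`dir /s /b /a` redirected to a file, with sizes added), then diff them:
anything present only in the safe-mode view is a hiding candidate, and a file
whose reported size differs between views is worth hashing from clean media.
Listing format here (path<TAB>size) and all entries are constructed.
"""
from typing import Dict, List, Tuple


def parse_listing(text: str) -> Dict[str, int]:
    """Parse 'path<TAB>size' lines; NTFS paths are compared case-insensitively."""
    entries: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, size = line.rsplit("\t", 1)
        entries[path.lower()] = int(size)
    return entries


def cross_view_diff(normal: Dict[str, int], safe: Dict[str, int]) -> Tuple[List[str], List[str]]:
    """Return (hidden, size_mismatch).

    hidden: paths the safe-mode view shows but the normal view does not.
    size_mismatch: paths present in both views with different reported sizes.
    """
    hidden = sorted(p for p in safe if p not in normal)
    mismatch = sorted(p for p in safe if p in normal and safe[p] != normal[p])
    return hidden, mismatch


# Constructed sample views: the normal-boot view is missing two entries and
# under-reports one size, the safe-mode view shows everything on disk.
NORMAL_VIEW = """\
c:\\winnt\\system32\\ntoskrnl.exe\t1234567
c:\\winnt\\system32\\kernel32.dll\t987654
c:\\winnt\\explorer.exe\t345678
"""

SAFE_VIEW = """\
c:\\winnt\\system32\\ntoskrnl.exe\t1234567
c:\\winnt\\system32\\kernel32.dll\t987654
c:\\winnt\\explorer.exe\t345690
c:\\winnt\\system32\\drivers\\example_hidden.sys\t22016
c:\\winnt\\system32\\example_hidden\\config.txt\t140
"""


def analyze() -> Tuple[List[str], List[str]]:
    """Run the diff over the constructed sample views."""
    return cross_view_diff(parse_listing(NORMAL_VIEW), parse_listing(SAFE_VIEW))


if __name__ == "__main__":
    hidden, changed = analyze()
    print("present only in safe-mode view:", hidden)
    print("size differs between views:", changed)
```

Hidden entries are only candidates: a legitimately installed file between the two captures would show up the same way, so confirm by hashing the flagged files against known-good copies before drawing conclusions.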
Re:How to clean boot Windows? (Score:2)
One I remember from a while back was stealth.c, which you couldn't detect once it got into memory. It intercepted calls to memory and didn't return anything related to it. It was stored on the boot sector of your HD, and if you loaded an OS from the HD, even in Safe Mode, you were SOL.
Re:How to clean boot Windows? (Score:3, Interesting)
The downside is every time I need one I have to re-create/burn a CDR that is garbage as soon as another virus is found and the database is updated (pretty much daily).
I personally like to make it VERY CLEAR what I am running and how I am doing what I am doing when I do bother to help yet another lost Windows user. My parting statement to many has become, "I told you to buy a Mac..."
My going rate for such garbage services is $125/hr.
I also happen to have many "clients" where I work on their Linux machines for
Bill raped 'em, why can't I?
Boot Disk (Score:4, Interesting)
Re:How to clean boot Windows? (Score:2)
Here's the link: www.heise.de [heise.de]
It seems the trick is to load the registry to a ramdisk, and subst the ramdisk drive letter. Rather elegant use of an old dos command.
Also good for keeping people from loading/adding/deleting programs.
Re:How to clean boot Windows? (Score:2, Informative)
The link is in German and requires a lot of click-through until you hit the download. An easier location to get KNOPPIX is the ftp server, e.g. this one:
ftp://ftp.tu-chemnitz.de/pub/linux/knoppix/
You find KNOPPIX on many big Linux distro mirrors, so go to your favourite one..
Marc
Re:How to clean boot Windows? (Score:2)
With Windows apps writing to portions of the boot sector, wiping the HD and starting clean might not work anymore in the not too distant future.
And here's how you fix that little problem:
Re:How to clean boot Windows? (Score:2)
Jouster
Re:How to clean boot Windows? (Score:2, Funny)
Imagine how many out there are already compromised (Score:5, Insightful)
And given this, I wonder how many windows machines are already compromised?
I read this article a couple of days ago on bugtraq and they were speculating that with one known kit in existence, there are probably ten more they don't know about. They literally stumbled onto this one by accident.
Imagine these sleeping beauties (well, beasts) all just waiting for the signal...
Terminology (Score:4, Funny)
Tips of using Windows rootkits (Score:5, Informative)
1: We use packers and unpackers to protect all of our payloads, along with standard de-ICEing as to make casual debuggers simply crash. Look at some of the cracking group trainers as to understand how we hide stuff.
2: Sometimes, we put utilities on the machine (like grep, ps, kill) that normally aren't on Windows machines, however the Interix package makes a garbage DOS shell verrry usable
3: We hit many of the files, such as ntoskrnl, explorer, and others that are run many times per session. What's better is if you can offload the code to a common library.
4: If you target a Windows 2k or XP platform, make sure to install the payload inside a system file and its backup. If you don't, Windows will overwrite your trojaned package with the known good one. With the bad in the cab, you'll be guaranteed a hole. Sometimes, however, the packages cause problems with Windows updates. If that kind of thing happens, it usually causes a bluescreen.
5: A smart cracker will program the trojaned executable to check a web page on the net (say geocities) and parse the html for commands to do. This way, you have no direct 'link' to the rooted system, and somebody else takes the rap. Using an anonymizing proxy is highly recommended.
I've had no experience in writing a kernel-level NT driver, but from what I hear from my pals, it's a bitch to do right. I mostly do packages/integration with known software. You'd be amazed how many kid black hats think Netbus, Sub7 or Back Orifice is the way you do such things. You just do NOT WANT TO TOUCH THIS CODE, as damn near every anti-virus software will alert the user. That equals a re-Ghost (which is a good reason to infect the main Ghost image...),
I'll hang around a little while if there's any questions.
Ja ne..
Re:Tips of using Windows rootkits (Score:3, Insightful)
I had a box that would not do Windows Update. The complaining dll had a very recent modification date. So I cracked it open in CYGWIN and diffed it against a copy off the Win2K CD (this dll had not changed from default because the luser -- not me -- had never run Windows Update. D'oh.) Hrm. Then I extracted the DLL from the CABs on the drive and rebooted. Same problem. Diffed the CAB-extracted file with the one on the CD. Guess what. This was my first experience with a win2k rootkit. I forget what it was called, but a rebuild was in order. Man was it slick. I've seen rootkits on Linux, BSD and Solaris, but damn was this smooth with the packing it into the CABs. I wish I knew what it was up to.
Re:Tips of using Windows rootkits (Score:3, Interesting)
Darn. I always keep archives of things I think might be important. On a system I had once (some dweeb had win98 on a t-1), explorer.exe was doing weird stuff to images.excite.com, but there was a hosts delimiter to redirect it to some cable IP addy. I sent a 'kill' command to my setup which proceeded to undo all I installed. That is one rule I do follow.. if something doesn't feel right, drop it like a bad habit, and fast.
I meant that I don't remember the DLL name that was acting up. I googled(tm) and googled(tm) and couldn't find anything.
Exactly. Actually, people usually put it down more to instability than to a trojaned executable. Most just don't have the know-how to protect themselves against us. They see software firewalls, but who doesn't allow iexplore.exe to contact the internet (talking about general users)?
The best security is to surf from a public terminal and transfer only known good stuff. How many of you would use something like Bitkeeper and get Linux ISOs? How do you know a trojan wasn't installed into server X or Linux kernel compile 2.4.20z? You usually can trust the main servers. You know that the main developer isn't inserting garbage like this into it..... but what if the ftp server was hacked? What would it take to hack a hole in a server to grant server permissions (eg root)? 10 lines max.
I know there'll be a few that say I have no ethics, but one thing I will not stand by is the hacking of servers which provide GPL-like source programs. Hacking them helps nobody. Not even people like me.
Still, it's been nice to talk with you and the slashdot community. I was expecting a more negative attitude towards me. I'm glad I was wrong.
Why bother? (Score:5, Insightful)
The article confuses two issues - programs that acquire administrator privileges (trivial) and programs that run in kernel mode (possible, but why bother?). Which are they talking about?
Once Palladium is deployed, attacks that reside below the operating system will be possible. Once the attack is in "secure storage", anti-virus tools won't be able to find it or remove it. Now that will be l33t.
I wonder about the call for signed drivers... (Score:3, Insightful)
As far as a university machine goes, it's more than trivial to use MS Office's VBA to control a machine with hand written code to edit the filesystem and even make simple shells, even if the machine has had its cmd.exe/command.com 'removed'...
Perhaps this is just a way to force everyone to support signed drivers and let MS control yet another aspect of the PC industry. There is little other reason to draw attention to the well known fact of widely available Windows kits.
Not very much of a sysadmin is he? (Score:5, Funny)
No need to run Windows as an Administrator (Score:5, Insightful)
We're all familiar with sudo for Linux. There's an equivalent for Windows. There's a program called "runas" and it's included with Windows 2000 and XP.
You can do runas
You can read the docs on runas by going to http://support.microsoft.com/default.aspx?scid=kb
Re:No need to run Windows as an Administrator (Score:2)
Which is kind of a pain if you're trying to include runas in a script.
Re:No need to run Windows as an Administrator (Score:2, Funny)
Photo Viewer? Photo Editor? (Score:2)
Windows NT isn't a multiuser 'Time Sharing' system (Score:3, Interesting)
You can install Hummingbird Inetd or Interix, or use the built in but anaemic Telnet server that comes with W2K, but since NT's focus is not to be a symmetrical multi-user timesharing system, the default system most people think of as 'NT' isn't that fun to hack into.
Now, I've supported many simultaneous users on an NT box running Interix, but that's the exception. I've wondered for awhile how well Apache would run in an Interix subsystem. But it's not interesting enough that I've tried it.
Why install a rootkit? (Score:3, Funny)
If it were me, I would just find a buffer overflow, and have some fun..
Windows Rootkit (Score:3, Funny)
installing a Windows rootkit (Score:3, Funny)
The very best line from the article: (Score:4, Funny)
Re:Duh... (Score:3, Insightful)
as a side note, don't I know you?