New Rootkit Bypasses Windows Code-Signing Security
Trailrunner7 writes "In recent versions of Windows, specifically Vista and Windows 7, Microsoft has introduced a number of new security features designed to prevent malicious code from running. But attackers are continually finding new ways around those protections, and the latest example is a rootkit that can bypass the Windows driver-signing protection."
Re:Well, DUH... (Score:4, Interesting)
Give me "trusted computing" where I control the keys and decide what software is "trusted" and I'd be fine w/ it.
The problem is, 99% of our society cannot properly decide whether software should be trusted or not, and even with more granular controls and proper feedback from the OS a lot of malware will slip through.
I don't think this is an unsolvable problem. I like the iPhone App store model to some extent. A company with professionals should be vetting software and should be telling users what software should and should not be able to run. But the iPhone App store fails in many ways as well.
First, there should not be one company deciding. We should harness the free market and build a system that takes inputs from whatever security feeds users subscribe to and weight those security feeds based upon the end user's preferences. Also, we should be able to override the choices for any given case. If we really want to run some software but our security feeds think it is malware, we should be able to do it. Heck, there are valid reasons, such as research, for wanting to run malware. It should just be a very advanced setting that makes it perfectly clear to the end user that they're handing complete control of their device to some other party, forever.
I'm convinced we could leverage the benefits of both an iPhone app store approach and a traditional package manager approach. I fear, however, that none of the companies in a position to actually make a good system and push it to end users is going to be motivated to do so. Apple will wait for others, and Microsoft sees the way they could leverage their monopoly using an iApp store of their own. Canonical has laid the groundwork, but only as far as copying Apple and incorporating it into their package manager. They're not much for making revolutionary new technologies, nor are they in much position to push it and, lastly, unless they're aiming at the ultra-secure market, their users are currently least in the need of beefing up security.
Re:Not for -your- security (Score:3, Interesting)
Of course, but the primary role of that lock down was to protect their DRM'd subsystems
In other words, the protection is there in order to prevent malicious code from stopping?
Re:Well, DUH... (Score:4, Interesting)
A company with professionals should be vetting software and should be telling users what software should and should not be able to run.
IMO, the software should be saying what type of sandbox it wants upfront. From a finite manageable set of sandbox templates.
The software could also instead request a custom sandbox, but a "custom sandbox and app pair" needs to be signed by a trusted party. Either the OS vendor, or someone else with their cert installed (e.g. Corporate IT).
I proposed something like this to Ubuntu: https://bugs.launchpad.net/ubuntu/+bug/156693
Rather than solve something harder than the halting problem (you often don't have the full inputs to the program), you just get the programmers to declare upfront what access the programs need, and if declared OK, the OS enforces the sandboxes.
Re:Wow. Master Boot Record infectors. (Score:3, Interesting)
It does more than infect the MBR. It creates a virtual file system and encrypts its payload into that. This makes it undetectable by most antivirus software. Microsoft's Security Essentials DOES detect it, but it CAN'T remove it, at least as of a couple weeks ago when I first encountered the rootkit. You need to boot with your Windows CD (leaving most people that have a recovery partition in the cold) and fix the boot record.
Re:Hope it just leaks lots of data (Score:4, Interesting)
Re:Not a "New" Rootkit (Score:3, Interesting)
I have a box infected with this and thought I had removed it. After running the utility you linked I found out its MBR is still infected though, so thanks for the link, but it's not able to 'cure' the infection.
Some solutions on the Kaspersky forum suggest rewriting the MBR which I will attempt now.
I traced the initial infection back to a vulnerable Flash installation, which locks certain Flash files so they cannot be updated anymore after infection, keeping you vulnerable to future infections.
Re:Well, DUH... (Score:3, Interesting)
IMO, the software should be saying what type of sandbox it wants upfront. From a finite manageable set of sandbox templates.
Agreed. It greatly lessens the work for auditors, as they only have to figure out what you're doing with the services/access and then decide if that is actually appropriate. I'd also mention that adding official services and protocols (such as an update service, a secure registration/purchasing service, a service for ad streaming to supported apps, etc.) results in fewer apps needing to roll their own services for these purposes and further simplifies security auditing.
Re:Well, DUH... (Score:3, Interesting)
Even this is not quite true. There are two different levels of signing: ownership signing and WHQL signing. Ownership signing establishes who the driver came from; unless a driver is ownership signed, 64-bit versions of Windows will flat-out refuse to install it (unless you boot with signature enforcement disabled), and it is what TFA is referencing. WHQL signing is a second layer where MS signs off on the driver; without a WHQL signature, Windows will throw up a scary warning advising you that the driver is not WHQL signed and that you should not install it, but it will still let you install the driver if you choose to. The only other non-WHQL limitation is that Windows won't use the driver automatically for newly installed devices.
In any case, drivers ultimately do not need to pass WHQL to be used. Ownership signing is sufficient to allow installation; however, any serious vendor is going to want WHQL approval to avoid the scary warning.
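A file-level audit of the two signing levels described above, as an added example that is not code from the thread: it uses Get-AuthenticodeSignature to sort the drivers in System32\drivers into unsigned, signed by some vendor (ownership signing), or WHQL-signed. The rule that WHQL signatures carry a "Microsoft Windows Hardware Compatibility Publisher" signer is my assumption, and the script inspects driver files on disk only, not the boot record the rootkit in the story modifies.

```powershell
# Added example, not from the thread. Classifies each driver file by signing level.
# Assumption (mine): WHQL-signed drivers carry a Microsoft signer whose subject
# contains "Windows Hardware Compatibility Publisher"; any other file with a valid
# Authenticode chain counts as ownership-signed only. Microsoft's own in-box
# drivers (signer "Microsoft Windows") therefore also land in OwnershipOnly.
function Get-DriverSignatureLevel {
    param([Parameter(Mandatory)][string]$Path)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $level = switch ($sig.Status) {
        'Valid' {
            if ($subject -match 'Windows Hardware Compatibility Publisher') { 'WHQL' }
            else { 'OwnershipOnly' }
        }
        'NotSigned' { 'Unsigned' }
        default     { "Invalid:$($sig.Status)" }   # e.g. HashMismatch, NotTrusted
    }

    [pscustomobject]@{
        Driver        = Split-Path -Path $Path -Leaf
        Level         = $level
        Status        = $sig.Status
        SignatureType = $sig.SignatureType   # Authenticode or Catalog (PowerShell 3.0+)
        Signer        = $subject
    }
}

# Summarise the driver store, then list anything unsigned or with a broken
# signature: those are the files 64-bit enforcement would refuse to load.
# Valid ownership-signed drivers without WHQL are normal for third-party hardware.
$results = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys -File |
    ForEach-Object { Get-DriverSignatureLevel -Path $_.FullName }

$results | Group-Object -Property Level | Select-Object Name, Count | Format-Table -AutoSize
$results | Where-Object { $_.Level -notin 'WHQL', 'OwnershipOnly' } |
    Format-Table Driver, Status, Signer -AutoSize
```

Most in-box drivers are catalog-signed rather than carrying an embedded signature, which is why the SignatureType column is worth keeping when reading the output on newer Windows versions.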