Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

No Defense Against Windows Rootkits? 510

An anonymous reader writes "Spyware bad guys (and also phishing people) started using rootkits technology to stay hidden in a system. The problem is that at the moment the technology to defend a Windows system from these things is very poor. In fact antivirus companies have just started adding basic anti-rootkits technology. So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"
This discussion has been archived. No new comments can be posted.

No Defense Against Windows Rootkits?

Comments Filter:
  • by SilverspurG ( 844751 ) * on Wednesday September 28, 2005 @10:28AM (#13667182) Homepage Journal
    The problem is that at the moment the technology to defend a Windows system from this things is really poor.
    While it's less common on our beloved Linux platform it's pretty tough to defend against here, too. If someone can make use of a Firefox hole, couple it with a root exploit, and put a kmod in /lib/modules, it's all over. With the 2.6 kernel seeing an explosion in `lsmod`, I can no longer verify each and every module Debian loads so easily as I could in the 2.4 series.
    does Windows source code unavailability prevent us to actively defend our systems?
    This would be a resounding YES.

    And Butler and Hoglund's recent book on rootkits was pretty nice. :)
    • by jeremy111 ( 95134 ) on Wednesday September 28, 2005 @10:34AM (#13667248) Homepage
      Let us not forget the wonders of ActiveX controls not to mention IE's ability to install items with out authentication. As far as that is concerned ANY installer should have to be authenticated as an ADMINISTRATOR before the install can proceed. I think this small step would curb many of the issues with spyware, adware, toolbars, etc.
      • by Dink Paisy ( 823325 ) on Wednesday September 28, 2005 @10:49AM (#13667400) Homepage
        The problem is that a lot of this stuff is installed voluntarily. If P2PFreeMovies.exe and BritaneySperesNaked!!!.exe say they need admin access to install, people will just type the password in. Better use of capabilities and code signing would help, and, unlike mainstream Linux, Windows actually has an advanced security model that would allow this.

        But the fundamental problem is that if someone wants to install this garbage, the only way you can really stop them is by taking control of their computer away from them. I'm not sure that even Microsoft is willing to go that far yet, and I'm not sure I would want them to, anyway.

        • the only way you can really stop them is by taking control of their computer away from them. I'm not sure that even Microsoft is willing to go that far yet, and I'm not sure I would want them to, anyway.
          Are you kidding? Microsoft is the single entity that's pushing hardest for exactly that! That's what their whole "Trusted Computing" thing is for, you know.
        • by AviLazar ( 741826 ) on Wednesday September 28, 2005 @12:52PM (#13668509) Journal
          Here is another potential problem. MS might come out with an add-on to their OS where it prevents unauthorized (or authorized) installation of these malwares....it will do this because they are not digitally signed, and authenticated to the user...the only problem: My friend does not want to use a program (i.e. photoshop) so he deletes it from his computer and gives me the disk. The disk is registered to his windows...now I can't install it....or what if I want to rip my DvD movie to my computer (backup)...it won't let me play it.

          In the end, the best answer is for people to start using their noodle...protection software can also hinder us.
          • by Antique Geekmeister ( 740220 ) on Wednesday September 28, 2005 @02:45PM (#13669447)
            This is already in development. It's the Trusted Computing initiative, formerly known as Palladium, and it's a very big security effort. The benefit of its features are high: on-board high-speed encryption and authentication, easily available to users. The danger is also high: this is supposed to integrate with Dirital Rights Management and provide hardware level control of access to DVD writers, hard drives, boot loaders, system kernels, and secure operations called from withing software. That means that unless you can get the autohrization and the money to buy a highly authorized key from, say, the Microsoft key provisioning service, you will have difficulty writing and especially publishing open source tools that access those features.
          • by eyeball ( 17206 ) on Wednesday September 28, 2005 @04:05PM (#13670287) Journal
            Here is another potential problem. MS might come out with an add-on to their OS where it prevents unauthorized (or authorized) installation of these malwares....it will do this because they are not digitally signed, and authenticated to the user...the only problem: My friend does not want to use a program (i.e. photoshop) so he deletes it from his computer and gives me the disk. The disk is registered to his windows...now I can't install it....or what if I want to rip my DvD movie to my computer (backup)...it won't let me play it.


            From everything I've read, it seems MS is working on the goal of windows eventually running only applications signed by them, the same way XBox is supposed to only run games they sign. There are so many things wrong with that besides the examples you mentioned:

            - Who signs the apps? Microsoft?
            - How do they determine which are legit and which arent?
            - Who is held responsible if a legit company
            - How much will they charge?
            - Will the costs of signing push shareware & freeware programmers out of the market?
            - Will the signed applications expire?
            - What happens if I sell my computer? Are the licenses still tied to it?
            - Will they also keep compeditors out of the market too
            - What happens when everyone's guard is down, and someone figures out a way to code-sign a worm.

            Just to scratch the surface. Worst case scenario, future PCs will cease to run Linux or any other alternative OS.

            My real fear is that MS and/or Intel lobbyists convince the government to pass a law mandating that computers only run signed code. As a matter of fact, I'm surprised they've waited this long.

        • by Durandal64 ( 658649 ) on Wednesday September 28, 2005 @01:37PM (#13668913)
          The problem is that a lot of this stuff is installed voluntarily. If P2PFreeMovies.exe and BritaneySperesNaked!!!.exe say they need admin access to install, people will just type the password in. Better use of capabilities and code signing would help, and, unlike mainstream Linux, Windows actually has an advanced security model that would allow this.
          This is true, but there is only so much the operating system can do for the user. Windows, Mac OS X, Linux et al are not psychic. All they can do is warn users of the potential hazards of running untrusted software and create certain reasonable barriers to entry for installation programs. On the former, Windows, when configured properly, does a pretty good job of it. On the latter, it's abysmal. Windows Vista is embracing the idea of lesser privileges and a `sudo'-like authentication model, so things are looking better for it. An XP administrator is completely at the mercy of any malicious executable if he double-clicks it.

          At the end of the day, operating systems can only identify suspicious behavior. It will always be up to the user to make the final call. If your users can't make good decisions, nothing short of a total system lock-down will help.
      • by jacksonj04 ( 800021 ) <nick@nickjackson.me> on Wednesday September 28, 2005 @11:33AM (#13667827) Homepage
        The trouble is that people do not listen. Unless they do not actually have admin access to the system, the chances are if a box pops up going "You need admin access to install this, if you have it then just shove in a username and password here:" people will do so regardless.

        Hell, in XPSP2 it has this big balloon which pops up repeatedly going along the lines of "Listen you pillock, you don't have firewall or automatic updates turned on. You really do need these. Click here and I'll set it all up for you, it's about 3 seconds work!". I know people who, when have this pointed out to them, go "Oh I never read that, it just keeps popping up".

        The only other thing to do with some people is forcibly configure things, which I'm sure we'd all hate. I use Active Directory to force fine-tuned update compliance and firewall settings across my home network, but home users can't even negotiate a simple dialogue going "Here's what you need to do, here's why you need to do it, here's how to do it".

        So when IE pops up a convenient dialogue warning about the fact that HotPornDialer32.exe isn't signed and is in fact coming from a website with an invalid certificate, along with a warning about exactly why it's bad to click 'Install', people will do anyway. Perhaps a Firefox-esque forced delay is in order so people can't just click 'OK' without thinking.
        • Perhaps a Firefox-esque forced delay is in order so people can't just click 'OK' without thinking.

          I believe people will anyway -- they'll just learn that they have to wait a moment before they can click 'OK'... they still won't think. Maybe most of them never will.

        • This seems like a symptom of a different problem, not really a problem in and of itself. Users become complacent with dialog boxes, systray warnings, etc, because there are no limits or standards regarding when these warnings are issued.

          In the same session I can recieve the "Take a tour of windows," "Your firewall is not turned on," "Clean up your desktop icons," and "Your hardware could not be installed" messages, all from the same section of the screen with the same look. Starting immediately after Wind
    • by tomjen ( 839882 ) on Wednesday September 28, 2005 @10:36AM (#13667269)
      I was thinking, could you not just recompile the kernel without suport for loadable modules?
      I mean, if i ran a server i would do that.
      • by EvilMonkeySlayer ( 826044 ) on Wednesday September 28, 2005 @10:46AM (#13667360) Journal
        Yep, all servers i've built which use Linux which are accessible from the outside do not have loadable module support enabled at all.
        It prevents a large swathe if not all rootkits from running.
        This is one of the areas where I think Linux (and open source software in general) has closed source software beat, you can easilly customise the kernel to your own particular situation in which the machine will be running. Being able to have your own custom built kernel with stuff like grsecurity etc is invaluable.
      • by Anonymous Coward on Wednesday September 28, 2005 @10:46AM (#13667370)
        Yes, you can, and it's even recommended.

        Other steps you can take are :
        -not having dev tools installed on your servers (quite often source root kits require them)
        -keeping copies of /bin and /usr/bin on some ro media (either a CD or on a seperate server mounted ro), and checking them ageinst you're working copies regularly.
        -running chkrootkit :-)
        -Mount / ro. You need to set up seperate space for /tmp and /var (not to mention /home) but this will defeat 99% of the automated root kits, of course, if the attacker gets in personnally, all bets are off...

        • I was going to post my copy of /etc/fstab with comments to follow-up your post, but the stupid /. lameness filter wouldn't let me. It complained of too many "junk" characters, even after I removed all of the comments and forward slashes. I'm sick to death of this /. crap - it's getting in the way of this being a forum where one can actively participate. The other ignorant thing getting on my nerves is the "feature" preventing posting too quickly. Yesterday it told me that it was an hour and 26 minutes s
        • Read-only root (Score:3, Interesting)

          by dpilot ( 134227 )
          How do you get around the stuff that likes root to be r-w, like /etc/mtab? I know it's frequently suggested to replace this with a symlink to /proc/mounts, but I also understand that some software doesn't like this. There is also some other stuff that likes to write into /etc, like /etc/dhcpcd/dhcpcd-eth0.info.
        • by schon ( 31600 ) on Wednesday September 28, 2005 @12:27PM (#13668321)
          Great advice... some other things you can do:

          mount /tmp and /var with the noexec option - if you have developers who don't understand security, this can save your bacon. (someone used a hole in a PHP script to upload and execute a file to /var/tmp - the upload happened, the execute didn't. I ended up with a copy of the rootkit (fairly new at the time) as well as how he got in, which was shown to the web developer responsible in an attempt to get him to take security more seriously.)

          use a separate account for each daemon (some distros I've seen run apache as 'nobody', for example - don't use 'nobody', create a separate user for each daemon) This prevents your daemons from overwriting each others data, and allows the following:

          use --uid-owner and/or --gid-owner in iptables to restrict your daemons from opening *outgoing* connections, or listening on random ports. If one of your daemons is compromised, it makes it harder for an attacker to connect to take over complete control.

          Never have executables or data owned by the same user that the daemon runs as. I've seen this done mostly on game servers (the docs recommend running the game as 'unreal', and have all the game files owned by 'unreal') but some others (squidGuard comes to mind) also recommend (or even require!!?!?) having data files owned by the daemon. If there was a hole in the daemon, an attacker could theoretically use it to gain higher priveleges (such as the UID of the account used to start the daemon - frequently root) the next time the daemon is started.
      • by quantum bit ( 225091 ) on Wednesday September 28, 2005 @11:16AM (#13667664) Journal
        Or, if you're running BSD, set kern.securelevel to 1 or 2.

        That will prevent loading new kernel modules (so you can still load them early in the boot process), cut off access to things like /dev/mem, and if you set it to 2, disable access to raw disk devices.
    • by Qzukk ( 229616 ) on Wednesday September 28, 2005 @10:37AM (#13667279) Journal
      In 2.6 you use the kernel capabilites to load the appropriate modules at boot time, then strip the kernel of the ability to load any others. Adds a little more work for getting that module loaded. Throw in more stuff (verifying the module list from read-only media before loading any modules) and you can get pretty well defended against this kind of thing.

    • That would be why all the security manuals for linux recommend disabling module loading. Not that even this would prevent you from modifying the kernel, it just makes it harder.
  • by tsalaroth ( 798327 ) <tsal@arikel.net> on Wednesday September 28, 2005 @10:28AM (#13667186) Homepage Journal
    Because Windows has no root!
    • by AKAImBatman ( 238306 ) * <akaimbatman@gmaiBLUEl.com minus berry> on Wednesday September 28, 2005 @10:35AM (#13667253) Homepage Journal
      Right. We should rename them, "SystemKits".

      (For those who don't get it, "System" is a login with higher privleges than even Administrator. There's nothing that System can't do. Just to brighten up your day, it's also the default user for Windows Services. Feel safe yet?)
      • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Wednesday September 28, 2005 @10:40AM (#13667305) Homepage
        System (more accurately LocalSystem) can't access network resources.

        So there is *something* that they can't do.

        Try

        at (now plus a minute) /interactive cmd.exe

        voila! Interactive system shell!
        • by Anonymous Coward
          > System (more accurately LocalSystem) can't access network resources.

          Hahaha, I see you have little understanding of Windows.

          System can load device drivers, and access ring 0.
          System can do anything it wants, including working with any and all network connections already running, and grabbing any kerberos tokens present on the machine.

          I grant you, it would take writing actual code.

          Maybe you meant, System cannot access network resources as long as System doesn't do anything bad.

          But, of course, if we assume
      • > it's also the default user for Windows Services

        Not true of NT 5.1 and 5.2 (XP, 2003). Most services run as 'Local Service' or 'Network Service' with differently grained privileges. System is still available for services that require it (including NT's crss and lsass processes).

      • by kiwimate ( 458274 ) on Wednesday September 28, 2005 @11:35AM (#13667847) Journal
        And that's why you apply a few simple security measures, such as denying LocalSystem access to CMD.EXE and other powerful utilities via NTFS permissions. You can do this to bring LocalSystem down to a level lower than Administrator, and virtually nothing breaks if you do it with a little bit of forethought. Yes, it takes a little bit of work to do the initial planning, but once it's done you script it and bingo. And there are plenty of examples on websites of sample lockdowns plus the scripts (using XCACLS.EXE, typically). Take those examples and customize them to your environment as needed -- you've saved yourself a whole load of the initial work.

        You can open up these permissions on a system-by-system basis if really necessary, or even better just set applications that support it to use named service accounts. Cuts out a huge number of vulnerabilities.

        You can secure a Windows system, and it's really pretty easy to do a lot of these things. You just have to know a bit of what you're doing and be prepared to put in the work. That's the biggest flaw in most MS administration shops: people who shouldn't be admins get lulled into a false sense of security because there's a pretty GUI and they don't understand what's going on behind the scenes.
      • There's nothing that System can't do.

        Oh yeah? Delete a file when there's a read-lock on it. :o)

        for those who don't get it, this is a fundamental problem with Windows - a file that's locked can't be modified or deleted. It's why you have to reboot after installing a service pack, or sometimes removing a virus.
    • by El_Muerte_TDS ( 592157 ) on Wednesday September 28, 2005 @10:53AM (#13667451) Homepage
      Crap, I renamed the user "Administrator" to "root"
  • by lpangelrob ( 714473 ) on Wednesday September 28, 2005 @10:29AM (#13667188)
    They've been dealing with rootkits seemingly forever. How did they manage?

    No, seriously, I don't know the answer to this. :-)

    • by Sam Nitzberg ( 242911 ) on Wednesday September 28, 2005 @10:39AM (#13667292)
      " They've been dealing with rootkits seemingly forever. How did they manage?"

      tripwire - there's a commercial version available, and I've used the free version. Creates checksums to compare your system against...

      A brief description here... (with download and install instructions)

      http://www.cert.org/security-improvement/implement ations/i002.02.html [cert.org]

      Sam
      http:/// [http] www . iamsam . com
      • Knoppix CD (Score:4, Insightful)

        by ArsenneLupin ( 766289 ) on Wednesday September 28, 2005 @10:59AM (#13667509)
        ... tripwire ...

        Oh, and don't forget to mention that you should run tripwire from a known-secure system (a Knoppix CD, for instance) at least once in a while. Indeed, if your system is infested by a good rootkit, it could itself so well that it would play back a phony, made to look innocent contents of any files that it had infected.

        Same goes for lsmod, ps and other tools (it is however very rare that a rootkit is so thorough as to hide itself from all tools. Most often an rpm -q --verify -a finds the nasties). But if you're really paranoid, run your tripwire and rpm --verify from an external system, not from within the one you want to examine.

      • by SatanicPuppy ( 611928 ) <Satanicpuppy@nosPAm.gmail.com> on Wednesday September 28, 2005 @11:17AM (#13667679) Journal
        From my experience with windows, my mind boggles at the idea of trying to do something similar on that platform. Seems like every time I run windows update, some critical DLL ends up changed, and applications add their own specialized librarys with registry keys overriding the defaults.

        Hell, half the time windows itself doesn't know what its installed. Every time I have to rollback a box from some semi-major patch, I cringe. I know something is going to break. If it's internal system doesn't keep basic track of what's installed and running (how many broken uninstall apps have you seen, which end up with you crawling through the registry trying to disable the damn software?), how the hell can you even know what to scan for?

        I don't have the faintest idea of how to go about checking for a windows rootkit. What could you do? Take a drive image to compare against? That would never fly. Windows hides so many damn system jobs anyway, how the hell would you be able to spot one more?

        The bulk of my windows security comes from running Snort upstream on the traffic that comes from the damn box, looking for traffic that ought not be there, and denying outbound from every port except ones I allow explicitly.
    • by DrSkwid ( 118965 ) on Wednesday September 28, 2005 @11:08AM (#13667597) Journal
      The Unix folk - Ritchie [wikipedia.org], Pike [wikipedia.org] et al ditched Unix and root years ago and made a new system plan9 [bell-labs.com] (though Ritchie was, by his own admission, more a famous name than an architect in plan9 - though he did do the compiler)

      Spending years being not-free as in beer, plan9 languished during the Linux FOSS years until belatedly being opened up for version 3

      Then Lucent lost loads of $$ in the dot-com crash and wound down Bell Labs (such as taking out every other light bulb) and the staff retired or left (mostly to Google)

      as Rob Pike said "Not only is UNIX dead, it's starting to smell really bad." - circa 1991

    • This is how rootkits are at least detected:

      A rootkit has the ability to change the inputs and outputs of the overlaying OS API's. It does not however have the ability to change the I/O's of direct hardware access. Simple solution to detect rootkits is to do an API call for file directory (dir, ls, whatever), and compare it side-by-side to a direct hardware request for a file directory.
      • "Simple solution to detect rootkits is to do an API call for file directory (dir, ls, whatever), and compare it side-by-side to a direct hardware request for a file directory."

        That's cute, except you're assumiung your active memory is safe. So long as I'm running in memory, I don't even need to hook the API calls to fake return data. Jamie Butler demonstrated a technique at this year's DEFCON for hiding an active in-memory rootkit using the TLBs built into modern processors. Good luck on that one.

        Unless you
  • by ellem ( 147712 ) * <ellem52@g3.14159mail.com minus pi> on Wednesday September 28, 2005 @10:29AM (#13667190) Homepage Journal
    Who has the chops to run through 800,000,000 lines of code to do the fixing of this OS?

    I mean even if you find the problem can you honestly say you'd be sure you wouldn't leave Notepad.exe broken by making your changes?

    Clearly Windows needs to be completely re thought with NO concern for legacy apps. See also OS X.
    • Clearly Windows needs to be completely re thought with NO concern for legacy apps.

      They tried with Vista, and broke it more.
    • Clearly Windows needs to be completely re thought with NO concern for legacy apps. See also OS X.

      But if they did that, why would you use Windows?

      If you had to choose between Windows Rewrite, which isn't backwards compatible, Linux, and MacOS X, the appeal of the non Windows solutions is a lot higher than it is now.
    • by Luscious868 ( 679143 ) on Wednesday September 28, 2005 @11:35AM (#13667852)
      Clearly Windows needs to be completely re thought with NO concern for legacy apps. See also OS X.

      I wish Microsoft would but it will never happen. See OS X's market share.

  • The Answer (Score:3, Insightful)

    by mysqlrocks ( 783488 ) on Wednesday September 28, 2005 @10:31AM (#13667206) Homepage Journal
    Is the closed source code of Windows preventing us from actively defending our systems?

    Yes. We are at the mercy of Microsoft to patch the systems for us. At least with Open Source you have potentially thousands of programmers looking for security holes and reporting those security problems.
    • Re:The Answer (Score:5, Insightful)

      by sqlrob ( 173498 ) on Wednesday September 28, 2005 @10:37AM (#13667283)
      Potentially != Actually.

      How long was the plain text password in Firebird before it was caught? A year and a half? And that's not even something subtle as some buffer overflows, or that double free in zlib.

    • Re:The Answer (Score:3, Interesting)

      But the reverse is true, you could have people going through finding exploits and using them without reporting them. Closed source is safer.
      • Re:The Answer (Score:3, Insightful)

        by mysqlrocks ( 783488 )
        You make a good point. Yes, it is easier for the "bad" guys to find the security holes in open source software. This comes down to a question of trust. Do you trust that there are more "good" guys looking for security holes then "bad" guys? If so, then the "good" guys will catch the security problems before the "bad" guys the majority of the time. Speaking of trust, do you trust closed source software vendors to find and fix their security holes? If given the choice to fix a security hole that only they kno
        • > ..it is easier for the "bad" guys to find the security holes in open source
          > software.

          Is it? I wonder if this isn't a case where we don't look for proof becuase we've assumed we know the answer. Certainly, with open source, you can examine the source. But examining complex kernel source code is no trivial task. Given the large amount of practice and study on methods of hacking closed source systems, isn't is possible that this having the source doesn't really make it easier after all? That it just
  • by republican gourd ( 879711 ) on Wednesday September 28, 2005 @10:32AM (#13667219)

    Shameless plug: I've written a script that should be able to help find any rootkits that are listening on tcp/udp on windows.

    Heres the link [elifulkerson.com]

    What it does is attempt to handshake with itself on every available tcp or udp port. If the handshake fails, that is an indicator that somebody else is already camping out on that port.

    Source is GPL, feedback is always welcome.

    • OK so how is this different from netstat -an?

      Listening on a port != rootkit. Windows listens on dozens of ports - some of which you can't switch off without crippling the system.

      Mine's fairly locked down, and listens on:

      TCP: 135,139,445,1025
      UDP: 445,500,1026,1137,1138,1251,1900,2419,2420,3273,32 74,3275,3276,4500

      And that's just the ones listening on 0.0.0.0...

      • OK so how is this different from netstat -an?

        Netstat (and ps, and ls, ...) is often doctored by the rootkit so as to not show itself running.

        The trick described would find still rootkits which hide by doctoring those common system utilities. It won't probably find kernel-module based rootkits that specifically look for that trick, but those are rare.

        Listening on a port != rootkit.

        But listening on a port where no currently activated legitimate service should be listening may be.

        And that's just the one

        • Even more importantly, a failed handshake on a port where netstat doesn't show a process is a near-certain indicator. If you combine with handshake with an actual connection attempt to a remote system, you should be able to detect any active rootkit (a rootkit in a dormant state would still be hidden).
  • by atgrim ( 103715 )
    Short answer is Yes. The closed source of M$ *IS* preventing us from actively defending. AFAIK, M$ feels that they will get around to it or another company will step up to fill in the gap forcing us either way, to purchase yet another piece of software or the uber upgrade. Kinda like the insurance industry.

    Joe Consumer: "Do I really need this?"

    Co. Thug: "No, not at all. However, you never know when you may have an accident."
  • I have a question for the Windows developers out there...

    Does Microsoft over share their code with developers?

    While I am aware that MS does not legally publish their source code to Windows I do recall at one point that Microsoft did share some sections with a focus group of developers. It would only make sense that MS would share code with the big anti-virus firms in order to ensure a better product for their customers.

    But I could be wrong about them sharing source with anyone.
    • by bushidocoder ( 550265 ) on Wednesday September 28, 2005 @10:46AM (#13667361) Homepage
      Yes, Microsoft has a Shared Source program. I'm not 100% sure of the exact requirements to join the Shared Source program (you could look it up on their website I'm sure) but the requirements are fairly hefty. You have to sign some pretty thorough NDAs, of course. To the best of my knowledge, an individual acting by themself rarely gets access, although I'm pretty sure that several book authors got access to Windows source. Companies can gain access, but they normally have to pay for the priveledge (if you recall the Win2k source code getting lose a year or so back, that was on account of a company that had purchased a liscense to the code losing it). A large number of Universities have access to the code, as do governments and government contractors.
  • SysInternals' (Score:5, Informative)

    by wumpus188 ( 657540 ) on Wednesday September 28, 2005 @10:33AM (#13667238)
    .. RootkitRevealer [sysinternals.com] is your friend.
    • Re:SysInternals' (Score:4, Interesting)

      by ZyBex ( 793975 ) on Wednesday September 28, 2005 @10:50AM (#13667420)
      I recently cleaned a machine infected with a rootkit that was NOT detected with Rootkit Revealer. The virus loaded itself via the HKLM/Soft/MS/Windows/Run key, as usual, but it didn't show on regedit nor elsewhere, and the Rootkit Revealer did not detect the "missing" key. The only way to see and remove it was to boot with a WinPE CD.

      Fortunately these rootkits can usually be detected by their side-effects, like the slowness and the internet activity... but you have to be suspitious that something's going on.
      • I think the best way to detect a rootkit is to simply put something between it and the internet that can log net traffic, say a router or somesuch.. course, you'd have to make sure the router hasn't been exploited too... :)

        Oh, here's a useful tip for people.. there is a cheaper alternative to WinPE.. BartPE [nu2.nu], it requires Windows XP to build the bootable cd but in terms of usefulness it's a nice little life saver.
        Can also be extended with Ultimate Boot CD (UBCD) [ubcd4win.com].
  • by menorikey ( 915085 ) on Wednesday September 28, 2005 @10:33AM (#13667240)
    This topic has been beaten to death a thousand and one times before but the reality still holds true: as long as a company holds the source of their software to their chest, you simply have to rely on them to provide the security for said software. By doing so you create the equivalent of a single point of failure that has to be addressed solely by the holding company, and as a result, you are subject to the "hurry up and wait" syndrome that accompanies it. That's when it comes back to "suck it up or don't use it," which carries all the arguments of "we don't have a choice" or "switching isn't an alternative for us."
  • Wrong question! (Score:5, Insightful)

    by Ingolfke ( 515826 ) on Wednesday September 28, 2005 @10:35AM (#13667268) Journal
    Is the closed source code of Windows preventing us from actively defending our systems?

    The right question is what is the vendor (Microsoft) doing about it. You purchased a product from a vendor, you should expect them to solve problems with that product or explain how to properly secure it, or just ignore the issue which says something about their product and commitment to support.
    • Re:Wrong question! (Score:4, Interesting)

      by Jarnis ( 266190 ) on Wednesday September 28, 2005 @11:01AM (#13667526)
      Purchased...?

      Warez jokes aside, most common non-corporate windows are OEM copies. OEM = no support from microsoft. You get your pile of bytes that might or might not work, and you get some patches at the whim of MS. You get no support unless you pay thru the nose per incident.

      Sure, you can call your OEM supplier - however, they have no access to the source, and generally just tell you to reinstall the thing and immediately tell your system is unsupported if you actually install something other than the supplied bundled software on your system.
  • by nweaver ( 113078 ) on Wednesday September 28, 2005 @10:37AM (#13667284) Homepage
    Strider Ghostbuster, [microsoft.com], a Microsoft developed technique for detecting all persistant and stealthy rootkits .

    Just convince Microsoft to make it available.

    There is also SysInternal's Rootkit Revealer [sysinternals.com], which although not quite as general, is still hard to fool.
  • under attack (Score:4, Informative)

    by andrewzx1 ( 832134 ) on Wednesday September 28, 2005 @10:39AM (#13667298) Homepage Journal
    I administer a network with about 50 workstations. We run Windows2000 with Symantec Anti-Virus Corporate (aka Norton). Symantec registered an internal attack by a root kit only two weeks ago. This stuff is in the wild now!
    • Re:under attack (Score:3, Interesting)

      by HermanAB ( 661181 )
      Uhmmm, actually you are only aware of it since two weeks ago. How long the attacks have been going on, or whether or not you are already infected with a rootkit, is unknown. A rootkit that isn't used much, except to find and download the CEO's email once a month, may go undetected for a long time.
  • by keraneuology ( 760918 ) on Wednesday September 28, 2005 @10:42AM (#13667329) Journal
    Since Bill Gates became the 2nd largest stockholder in Newport News Shipbuilding and guaranteed that the Ronald Reagan class of aircraft carrier will be Windows 2000 based, how does the Navy deal with this issue? Or have they addressed it at all? The last thing we need is for just one person in that population 5,000 floating city with malicious intentions to pop a rootkit into the mess that is navigation, fire control or general operations.

    So we are left with two options:

    a) Windows 2000 is impervious to rootkits, either off the shelf or through modifications unavailable to the general public

    b) The US Navy is running an unsecurable OS for the most advanced surface ships in the world - with nuclear reactors to boot.

    • by toby ( 759 ) * on Wednesday September 28, 2005 @11:27AM (#13667760) Homepage Journal

      Is the closed source code of Windows preventing us from actively defending our systems?

      Does this question really need to be asked any longer?

      Has this story teleported us all back to the year 2000? Hit the reset button? Is Slashdot's new motto "No hugging, no learning"?

      b) The US Navy is running an unsecurable OS for the most advanced surface ships in the world - with nuclear reactors to boot.

      I thought this was common knowledge. I didn't really expect a "pro-business" administration to do anything about it, did you? It's actually one of the few things that makes the rest of us feel safer.

      Britain has the same problem [ncl.ac.uk], by the way:

      The Royal Navy's new, state-of-the-art destroyer has been fitted with combat management software that can be hacked into, crashes easily and is vulnerable to viruses, according to one of the system's designers who was fired after raising his concerns. ... he told Channel 4 news that "the use of Windows For Warships puts the ship and her crew at risk, and the defence of the realm".

      There are also plans to install a similar Microsoft Windows-based computerised command system on Britain's nuclear submarines. Wilson said: "It is inconceivable that we could allow the possible accidental release of nuclear missiles. The people who survived such an exchange, if any, would certainly regard such a thing as a crime against humanity. And I can't help feeling that even planning to deploy such systems on Windows, with its unreliability and lack of security, is itself some sort of crime in international law."

      Also see The Register [theregister.co.uk] which quotes an upbeat Armed Forces Minister:

      Fabricant had asked if there had been an external review of the Type 45 decision, and from Ingram's answer we can perhaps infer 'No'. He then asked for a cost comparison between Unix and Windows 2000 as the CMS OS, and Ingram simply said: "The cost of implementing an operating system for the Combat Management System in the Type 45 is a matter for the prime contractor, BAE Systems, and their sub-contractor. The Department does not have, or require, visibility of costs at that level of detail."

      Fabricant also asked what systems had been put in place to cope with a failure, and what steps had been taken to ensure the Win2k CMS in the Type 45 was reliable. Aside from affirming that Win2k was "the lowest risk choice" and that BAE was on top of "residual risks" (Are these cookies? Spyware?), Ingram said: "The system design has built-in redundancy, with automatic, and transparent, switch-over to a back-up system if the primary system has a problem. This would provide continuity of operation and ensure that no data was lost. The system design also ensures that comprehensive hardware mechanisms will be in place to avoid any other safety or technical issues."

      Perhaps the Minister can now explain why his desktop PC doesn't even run properly.

      Les Hatton gives his opinion [vnunet.com] at IT Week:

      ... the Royal Navy is all set to go to sea with Windows on warships. Am I alone in thinking that this has to be one of the most terminally stupid IT decisions of the century?

      ...this was first attempted in the mid-1990s. There was a wonderful description of the then-latest generation of a US missile cruiser, the USS Yorktown, having to be frequently rebooted because its underlying network of computers running Windows NT crashed somewhat inconveniently. Apparently the design meant that critical systems such as steering could be lost in mid-battle.

      So here we are again. This time the dec

  • The big picture (Score:4, Insightful)

    by Anonymous Coward on Wednesday September 28, 2005 @10:44AM (#13667349)
    The root of the problem may be the organizational structure of Microsoft. We have the mess that is/was longhorn/vista and the comments that it had to be re-written from the ground up.

    The point made in the 'Cathedral and the Bazaar' may be coming to pass. It is impossible to manage very complex systems effectively. It is a question of distributed control vs. top down management. My favorite example is the Soviet Union vs. the US of A. A bureaucracy can't manage something as complex as a whole economy; maybe it can't manage something as complex as Windows.

    The bottom line would seem to be that we will see a never-ending stream of problems like the one at hand.

    www.catb.org/~esr/writings/cathedral-bazaar/cathed ral-bazaar/
    www.uq.edu.au/news/index.html?article=6618
  • Bastille Windows? (Score:4, Interesting)

    by Fiver- ( 169605 ) on Wednesday September 28, 2005 @10:48AM (#13667392)
    Is there any product for Windows like Bastille Linux that would help a user lock down any vulnerabilities in their system like file shares, unnecessary accounts, open ports, unnecessary services, IE settings, etc?

    If not, there should be.
    • Re:Bastille Windows? (Score:3, Informative)

      by E-Rock ( 84950 )
      I'm not familiar with Bastille but the Security Configuration Wizard included with W2k3 SP1 does a lot of this. It will help you by identifying services that you can disable, modify the registry to secure the machine and will help build your firewall rules for the things you want to have runnning.

      It's not perfect, but it provides a good starting point and can roll back the changes you make. It also creates an XML file with the changes it recommends if you want to simply review it and make any changes your
  • by AnonymousYellowBelly ( 913452 ) on Wednesday September 28, 2005 @10:49AM (#13667397)
    1. Buy a Mac! and be a little bit paranoid about security.
    2. Use Linux and be paranoid about security.
    3. Buy a tinfoil hat.
    4. Build a beowulf cluster of Linux enabled devices: an iPod, two toasters, one 'smart' fridge, and one spoon -anything runs Linux these days-.
    5. Build your own OS!

    Or you can keep on using Windows and trusting AV companies and its flawed model of "ok, we'll release the fix AFTER enough people have been screwed".

    I don't think that the design of Windows, where changing an int to a float in the library that displays Clippy can crash MSN Messenger, would allow for easy fixes, regardless of closed or open source code.

    You can actively defend your system anyway. It takes time and money (e.g. self-made hardware firewall with parts bought from the tinfoil-hat store, if you want to be /. grade paranoid), but is doable.

  • source code (Score:3, Interesting)

    by merdark ( 550117 ) on Wednesday September 28, 2005 @10:50AM (#13667423)
    The availablitiy of the source code has nothing to do with it. Joe Beerbelly is not going to be looking at the source code of his operating system. You'd be lucky if he understands that a thing called an operating system exists and has something called source code associated with it.

    If your solution is to fix it yourself, you've already lost. It needs to be fixed by the *official* software vendor so that the changes can be pushed automatically to all the Beerbellies and Flabbyasses out there.

    And besides, even for those who can understand the source code, it's not like the changes required are simple. If you DO manage to understand the system enough to make some usefull changes, a vendor will not just blindly accept them. They will themselves have to review the changes and completely understand them anyways. So why not do it themselves the first time? And to the person spending all that time doing the vendors work for them, do you not have a life or a job or something?
  • by fak3r ( 917687 ) on Wednesday September 28, 2005 @10:53AM (#13667455) Homepage
    This may be slighty OT, but I don't see ANY reason why a closed source system that's this vulnurable should be allowed in any Medical/Govermental or Military implementation. Sure, lot's of Apps are written ABOVE the OS and thus in control of the branch maintaining them, but damnit, the OS is at the root of the problem here! Makes you understand why trains all across Europe are still kept track of (punny, eh?) by old Digital DEC's running VMS or OpenVMS. The whole idea that mindshare of the mainframe is growing old and retiring is going to be an issue, Windows 2000 server is not a replacement for something like VMS.
  • by gelfling ( 6534 ) on Wednesday September 28, 2005 @10:56AM (#13667478) Homepage Journal
    What if we as a community just put a 12 month moratorium on backfilling MS crappy code and the crappy job they do designing and then maintaining it. What if we simply let it go to shit and let MS deal with the consequences. Sometimes I feel like an ennabler for a crazy codependent cranked out asshole. What if we just said NO -it's your fundamental problem, you fix it. Maybe MS stock would go down, maybe not. Maybe some really important systems would fizzle up in flames. Who fucking cares? I say call them on their bluff and stop pretending that they're not sucking off OUR work and OUR integrity.
  • by acvh ( 120205 ) <geek@msci[ ]s.com ['gar' in gap]> on Wednesday September 28, 2005 @11:00AM (#13667515) Homepage
    "the FU rootkit, which I wrote, is intended to demonstrate. It is not malicious but more proof of a premise."

    "I do know that FU is one of the most widely deployed rootkits in the world. [It] seems to be the rootkit of choice for spyware and bot networks right now"

    He wrote and distributed a rootkit for windows; for educational purposes only (!). It becomes one of the most widely used tools to propagate spyware and trojans. Does he bear any moral responsibilty for this?

    I would answer positively. If I leave a loaded gun lying on the sidewalk and someone picks it up and shoots someone else, I think I may get some bad karma.
    • If he didn't write this rootkit and made it available, someone elase would. And worse, someone else could not publish the rootkit, so the good guys have a chance of improvening the system*, they could just sell it on the black market.

      Blamming him because people use the rootkit is advocating security trhought obscurity.

      * Not that MS will do that, but this is MS problem.

    • Does he bear any moral responsibilty for this? I would answer positively. If I leave a loaded gun lying on the sidewalk and someone picks it up and shoots someone else, I think I may get some bad karma.

      karma != responsibility

  • by haruchai ( 17472 ) on Wednesday September 28, 2005 @11:02AM (#13667532)
    From http://www.viruslist.com/en/analysis?pubid=1687408 59 [viruslist.com]

    Currently, malicious code for Windows is more common than for UNIX because Windows is the most widely used operating system. However, if UNIX starts to gain popularity, then the situation will naturally change; new rootkits for UNIX will be written, and new methods of combating them will be developed.

    This has been refuted time and again yet the various Windows-friendly analyst continually trot this one out as a rationale for the ( admittedly much improved but still ) relatively weak security design of M$ Windows.

    Newsflash for those who didn't get the memo: Windows leads by a huge margin ON THE DESKTOP. On the server side the disparity, if one exists is a completely different story. Also, since there are many open source versions of Unix, such as Linux, *BSD, and Solaris, some of which have been available for more than a decade, it should have been relatively easy for Windows-loving, Unix-hating programmers to have designed the Unix-slaying, self-propagating daemon years ago. To date, the only thing that has come close was the Morris worm way back in the late '80s.

    So guys, nice try - your explanation ( or rationale ) is leaking badly. If Windows represent a bigger target, it SUPPOSEDLY has the "advantage" of being closed-source but the open source Unices, which are fewer in number SHOULD be an easier target.

    It's time to focus on what the true flaws of each platform are - their relative prevalence is no longer relevant to the discussion ( aka flamefest ).
    • Sorry, but you're just plain wrong.

      "This has been refuted time and again..."

      Really? Got an example?

      Try this one on for size: Firefox didn't have an security issues until it started becoming popular. The Mac had a few recently too.

      Windows SERVERS are not the common target of these root-kits, the DESKTOP is because it IS the most popular.

      If Joe Beerbelly used Linux on the desktop, you'd have to take away his ability to install programs to protect him. How useable is the system at that point?

      "If Wi

  • Nah (Score:3, Funny)

    by Aumaden ( 598628 ) <Devon.C.Miller@g[ ]l.com ['mai' in gap]> on Wednesday September 28, 2005 @11:05AM (#13667552) Journal
    Is the closed source code of Windows preventing us from actively defending our systems?

    Windows being closed source in no way prevents me from defending my system. I just insert my Gentoo install disk and reboot.
  • Not well-outlined (Score:3, Insightful)

    by eander315 ( 448340 ) on Wednesday September 28, 2005 @11:20AM (#13667699)
    So the problem is serious, and well outlined by this question: Is the closed source code of Windows preventing us from actively defending our systems?"

    The problem is not well-outlined by that question. In fact, the addition of the idea of closed or open source has nothing to do with it. Is the lack of attention paid to rootkits the source of the problem? Is this just the problem of the month that will be solved soon and replaced by another, bigger problem? The open/closed source question is important, but really doesn't have anything to do with the issue at hand.

  • The problem is... (Score:3, Insightful)

    by JoeD ( 12073 ) on Wednesday September 28, 2005 @11:52AM (#13667999) Homepage
    Most people run Windows as Administrator. Why is that?

    Because a lot of applications WON'T WORK if they're run as normal users. Why is that?

    Because the Windows mindset comes from DOS, where there were no restrictions on what an application could do. Anything could put something anywhere it wanted to. So the developers got used to being able to do that.

    Suddenly here comes Windows, and suddenly your application can't save settings to the INI file in C:\WINDOWS anymore, because it doesn't have write access to that directory.

    The correct thing is to get an upgrade for the app. But you can make it work by just running as an administrator. So they do. And Microsoft is complicit in this by not putting enough pressure on the application developers to fix their apps to not require administrator access.

    Does the closed-source nature prevent people from defending against this? Not really. If everyone ran as root in their Linux systems all the time, there would be just as many exploits for Linux.
  • by 8127972 ( 73495 ) on Wednesday September 28, 2005 @12:16PM (#13668209)
    ..... My other computer is YOUR computer.
  • by e40 ( 448424 ) on Wednesday September 28, 2005 @12:29PM (#13668334) Journal
    rootkit revealer [sysinternals.com].
  • by MROD ( 101561 ) on Wednesday September 28, 2005 @12:36PM (#13668393) Homepage
    The main problem when trying to get rid or detect rootkits on Windows XP/Server 2003 is that the "Safe Mode" is not at all safe at all.

    By the time the system has booted far enough to get into "Safe Mode" it's already loaded so many DLL's, including the obfucating rootkit ones, that there's no way of accessing the filesystem to see the malware.

    Now, if Microsoft had added a single-tasking, statically linked command line emergency system which would allow you to just manipulate an NTFS filesystem this would be the greatest step forward in rootkit/malware removal.

    Alternatively, "Safe Mode" should load only those DLL's which are hard coded into the kernel to load, along with signatures and checksums to make sure (as much as you can) that those files haven't been tampered with.

    As it is, the only way I've found of de-rootkitting machine is using Knoppix 3.6 and captive-NTFS!
  • Bad question (Score:3, Insightful)

    by jasonmicron ( 807603 ) on Wednesday September 28, 2005 @02:09PM (#13669177)
    Is the closed source code of Windows preventing us from actively defending our systems?"

    If you can go in to the source code and tinker with it, chances are you don't need any help defending your system in the first place.
  • by TractorBarry ( 788340 ) on Wednesday September 28, 2005 @06:12PM (#13671528) Homepage
    This has probably already been said but I'm pissed and am having a casual browse before bedtime....

    Sysinternals [sysinternals.com]

    If you must use Windows these fine folk are well worth a visit (should be mandatory...)

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...