Rootkits and Windows 'security' :: limits of Antivirus
techAdmin
Status: Site Admin
Joined: 26 Sep 2003
Posts: 4127
Location: East Coast, West Coast? I know it's one of them.
Reply Quote
Another fascinating read from emailbattles, this one covers Window's rootkits, which I've been hearing more and more about lately.

Disclaimer, notice:::
Take note here, a rootkit is not a Windows only phenomena. But it is Windows that is easiest to take over due to the incredibly poor built in default security settings Microsoft continues to release it's products with. And the horrible, by design, built in security chasms that give direct access to core operating system functions, like MSIE's active x, that no other operating system has.

The attacks begin... what one rootkit author has to say
:: Quote ::
Hacker Defender project leader holy_father claims,"There is no known public rootkit detector that can reveal the presence of Hacker defender rootkit with this antidetection engine."

He says antivirus companies simply wait to see new virus patterns, then add signature files. holy_father insists commercial vendors,"sell the fake sense of security but they do not bring the real security to your computer."

You may recall for example the recent problems Sony created with their copy protection installing a rootkit on Windows. For those of you wondering just why that was so bad, this type of article should begin to explain the problems. And also why Sony was immediately found guilty, and immediately settled the case, and immediately stopped using that method.

These types of methods are growing increasingly complex in nature, and the antivirus game of protect after the attack happens may have a limited lifespan.

What are rootkits for?
:: Quote ::
What payload? Whatever the attacker chose to hide beneath Golden Hacker Defender's cloak: virus, backdoor, spyware, or you-name-it. The authors of rootkits like Golden Hacker Defender couldn't care less. They just provide the software that disables antivirus scanners... which they detect much like antivirus scanners detect them: with binary signature files.

All versions of Hacker Defender test for Avast!, AVG, Kaspersky, McAfee, NOD32, Norton, Panda, and PC-cillin. Once aboard, most versions trap all your logon info... including administrative services.

This is not good news for anyone trying to maintain a secure windows computer.

What is a rootkit?
:: Quote ::
After a succesful intrusion into a system, usually the intruder will install a so-called "rootkit" to secure further access. Such rootkits are readily available on the internet and are designed to be used even by less experienced users.

Rootkits usually comprise tools to erase traces of the intrusion from audit logs, "backdoors" that allow easy access, once installed, and means to hide the rootkit itself from administrators.... Advanced rootkits will install such modified executables with the same sizes and timestamps as the original ones (which is quite easy - any executable can be padded to a larger size by simply adding random junk at the end)... Linux Kernel Rootkits

Note the keywords here: after a successful intrusion. On windows, this can mean simply connecting to the internet, literally. Or going to a website with Internet Explorer. Or simply VIEWING an infected email. On unix based system it's generally quite a bit more difficult to achieve 'a successful intrusion'. Not impossible, but more difficult.

From the comments section of the emailbattles article:

:: Quote ::
Writing and selling an RK is NOT illegal, it's the other stuff that's tagged onto it by bad people that does the harm. A " pure " RK on its own does no damage, it would just sit there doing nothing. It's just a way to gain part or full hidden access to a computer. In order for something nasty/dodgy to happen, an RK has to come with an attached payload. The RK is just the carrier/hider of something worse.


So it's a tool to do something, but that something is not in and of itself illegal. Sort of like a gun I guess in areas where owning a gun is legal.

How do they avoid detection?
:: Quote ::
Tests for eight antivirus products (Avast!, AVG, Kaspersky, McAfee, NOD32, Norton, Panda, PC-cillin) with the newest upgrades, are always made before the customer receives the final product. The code is always unique for each customer, which means that detection of one customer's product should not affect other customer's products.

If you think about it, simple code scrambling in what is called dangerous or malicious software results in a clean scan report. It is really as easy as changing one byte here and there to fool your expensive antivirus product. emailbattles



How bad is the problem?
:: Quote ::
For the most part, the rootkits are being detected and removed from Windows XP (gold) versions but infection rates on XP SP1 and XP SP2 machines are also high.

The Ispro rootkit, for example, was prevalent on 50 percent of all Windows XP machines without a service pack. About 20 percent of all scans of machines running XP SP1 and SP2 also found the rootkit. eweek.com

20% of machines with XP service pack 2 with rootkits. This is just one type of malware keep in mind. Download the Windows rootkit cleaner. More on removing these things from emailbattles.com.

What to do?
Again from the comments:

:: Quote ::
Disable/Prompt - ActiveX/Active Scripting/Java and don't allow Auto Installs.

A good FW set up for MAX Security.

And if you don't visit dodgy sites etc And/Or click on unknown cr#p on ANY site or in emails you have very little if Anything to fear.


You've read this a hundred times by now, and let's cover the same ground again:

Don't use MSIE or Outlook / Outlook Express
MSIE active x is the number one attack vector for such devices to install themselves on your system.

As has been pointed out to me by others, disabling active x completely is not enough, there have been, and continue to be, exploit after exploit that use for example javascript to switch on active x through other security holes.

The solution is to not use MSIE for any reason, ever, except to run windows update. Firefox, by Mozilla.org, is a great browser, and much more secure than MSIE.

The same goes for email: do not use any Windows program that depends on the MSIE HTML rendering engine to display html emails. That includes Outlook and Outlook Express. Thunderbird email client from mozilla.org set to view all emails in plain text mode is a great product.

Despite promises to fix the security of these issues, major holes continue to show up. Why is this? Because active x is still in existence. Until active x goes, security will never be achieved. MSIE and Outlook products must be rewritten from the ground up. All active x functionality must be removed from the core browser engine, and only be attached as an optional module which can be physically removed from the system.

Since this is not going to happen, you need to stop using MSIE for all web accessing. Noone I know who has fully switched to a non-MS email and browsing package has had any significant issues with spyware, viruses, trojans, or anything else.

But the coming Windows Vista will take care of these security issues, right?
Sadly, no:
:: Quote ::
When asked about the future of rootkits on Vista, Hacker Defender's author replied, "Some kernel methods will still work (like filter drivers), but ... I think that all these protection will affect kernel mode rookits only :) which mean it would be possible to rewrite hxdef - or write somethign similar in user mode - that would really work even on OS with such kernel protection :) This is great, isn't it ?:))"

Turns out, rootkitters are more excited about Vista than you are. emailbattles.com

And on and on it goes. Very nice sequence of articles by emailbattles, that site has been doing some nice work lately. For those of you paying attention, take note of what AV products are NOT mentioned.

Conclusions:
A standard windows user with no hardware firewall like a router, and running any windows without a software firewall, any Windows pre XP SP 2 that is, and who connects to the web, can be assumed to be infected.

Any standard user with ideally a hardware firewall in place but running standard MSIE and Outlook type products can be assumed to probably be infected.

Any user running firewalls and not using MS products to access the web in any way, email or websites, can be assumed to be less at risk, but still vulnerable due to the tendency to fall for social engineering attacks [like, I included the file you wanted; check out this screensaver; check out hot pix of <someone>, and so on...].

The 20% rootkit infection rate for XP SP 2 users is particularly disturbing. Keep in mind that this is only rootkits, not generic spyware or other types of malware, trojans, viruses, etc.

Essentially, only windows power users can hope to avoid infection, or people with power user friends who can train them how to do this. This is because Windows is barely useable if you run it in standard user mode, with restricted permissions. I tried having a client run in this protected mode and her Outlook 2003 would simply not work. That's right, an MS product would not run in that mode. Plus that triggered some other networking issues that took almost 1 year to resolve due to the bugs that were unearthed in the process.

MS is not designed to run in protected user mode, it's been built around running in administrator, full privilege mode. That's the direct opposite of unix based systems like Mac OSX and Linux.
Back to top
vkaryl
Status: Contributor
Joined: 31 Oct 2004
Posts: 273
Location: back of beyond - s. UT, closer to Vegas than SLC
Reply Quote
Interesting. I downloaded the "fix" just to see....

Okay. Now, y'all need to realize I am no neophyte with machines or windows (newish with linux, but that's nothing to do with this.) I have yet to install XP SP2. I've run this machine on XP SP1 ever since it was new (12/2002). I bought a full-version XP Pro after I got this machine, wiped the proprietary cr#p off the drive and installed XP MY way.

I've never done any of the "panic updates" windows insists you need to be "safe". Not one. I've never accessed the 'net with IE. I use IE on my localhost install ONLY - to look at sites I design locally (using XAMPP) before I put them online.

I used to use OE, but over a year ago moved to t'bird, and have been using it in tandem with Firefox and/or Opera (though I really don't like Opera, I mostly just check site display with it). I don't ever download mail to my machine unless I've vetted it first with MailWasher (which I've used since it was 0.5....) I don't click on oddball stuff online, and I use adblockers, popup stoppers, Spybot S&D, and a bunch of layered firewalls, virus programs, etc. I don't have a hardware firewall however, because I don't have broadband, so my "network" machines must connect separately.

I was interested to see if I might have a hidden timebomb - but guess what? Nothing. Ran the rootkit "rooter" on both my desktop and my laptop (same as all the above, except IS XP SP2, and XP Home at that *sigh*), and not one thing popped up. Absolutely clean. According to MS that is.

So I guess I'll go on my merry way. I'm pretty careful, and that's all that's required for me I guess!
Back to top
Display posts from previous:   

All times are GMT - 8 Hours