Stealth rootkit could make our lives a misery - bit-tech.net Forums

WilHarris · 18th Jul 2006, 10:01

http://www.bit-tech.net/news/2006/07...ives_a_misery/

Firehed · 18th Jul 2006, 10:51

Oh joy. Luckily I've been using my Mac almost exclusively the past few days, and hope to get a Mini so I can be just about fully switched over when not gaming.

Of course, just avoiding the thing in the first place fixes the problem before it starts. It still requires you to do something stupid (though the list of stupid things grows by the day; thanks Sony!)

EvilRusk · 18th Jul 2006, 10:57

Yippee!

Well just yesterday I finished setting up Ubuntu 6.06 on my PC, so I will be using windows only for games from tomorrow. Ubuntu is getting really nice now.

Could this kind of process "molestation" by a rootkit be covered by using some kind of process hash-check (md5 etc etc)? That way if the rootkit interfered with another process, the hash-check would fail and alert the user of infection. The rootkit would then have to alter the hash-checker to work. You could even have a hash-check-checker and a hash-check-checker-checker and the hash-check arms race would be on!

Admittedly hash-checkers/process guards are rather complex for the average user, but this is the kind of security that really ought to be built into an operating system. I'd be disappointed if Vista didn't include a higher level of process protection.

As an aside you have a typo on the front page link for the article ("environmeny").

rupbert · 18th Jul 2006, 11:08

I understand rootkits, how they evade dectection etc. however I'm not quite sure how they 'get' onto a machine.

Is it too naive to think that I will never get a rootkit using a hardware and software firewall and anti-virus?

mmorgue · 18th Jul 2006, 13:24

I'm a bit confused as to how this happens. What i mean is, the means by which a rootkit "infects" a system -- are there any normal operations that do <whatever> it is this rootkit does? If there isn't, would that not be a failure in the Windows OS? To prevent code of that low level to infiltrate into core kernal operations?

EvilRusk · 18th Jul 2006, 15:19

http://www.securityfocus.com/infocus/1850

Quote:

Windows does not protect memory in kernel mode from other threads running in kernel mode

Things like drivers, game copy protection (eg starforce) and other low level programs run with kernel mode privileges.

It seems rootkits exist because of a flaw in the design of windows. Essentially the rootkit uses an exploit in windows or some other software with "kernel mode" access to install itself. This is one of the big worries about starforce. There is an exploit in starforce whereby using some simple code (that could be hidden in a malformed webpage etc etc), starforce will grant any process "kernel mode" or "ring 0" privileges.

Because windows does not properly protect kernel processes, any software that installs a driver (even antivirus/firewalls) is potentially a security risk unless exploits are fixed rapidly by the company that produces that software.

Unless there is a major overhaul in the design of windows this will continue to be a problem.

eddtox · 18th Jul 2006, 17:49

Quote:

Originally Posted by EvilRusk

http://www.securityfocus.com/infocus/1850

Things like drivers, game copy protection (eg starforce) and other low level programs run with kernel mode privileges.

It seems rootkits exist because of a flaw in the design of windows. Essentially the rootkit uses an exploit in windows or some other software with "kernel mode" access to install itself. This is one of the big worries about starforce. There is an exploit in starforce whereby using some simple code (that could be hidden in a malformed webpage etc etc), starforce will grant any process "kernel mode" or "ring 0" privileges.

Because windows does not properly protect kernel processes, any software that installs a driver (even antivirus/firewalls) is potentially a security risk unless exploits are fixed rapidly by the company that produces that software.

Unless there is a major overhaul in the design of windows this will continue to be a problem.

Better stop bashing Windows, or Glider will be along soon to tell you how great it is.

On a more serious note, this could be a huge problem in years to come. I can think of certaion companies [cough-sony-cough] which wouldn't shy away from using this sort of technology..

-ed out

DXR_13KE · 18th Jul 2006, 20:13

fcuk you sony for starting this.
[/rant]

i realy hope microsoft patches this up. i am going to switch to linux anyway, and use windoze only for games.

Ab$olut · 19th Jul 2006, 02:04

looks like linux for me too as I have finally packed in gaming I think anyway more into my music and just wasting time on youtube/google vids

dibbs · 19th Jul 2006, 03:51

well, i guess we could all switch to linux, hope for a windows to linux emulator for games, and everyone boycott the ps3...

but thats an ideal world scenario
what will really happen is

everyone will keep running linux for day to day and windows for games, and people will still pay out the ass and buy into sony's new george foreman grill...

reality sucks...

Buzzons · 19th Jul 2006, 17:14

This kind of issue wont (so says MSDN blogs) be an issue in Vista, they are protecting Ring 0 apps/ access.

Secondly, to get a root kit onto your machine you just use the latest 0day that has not been patched yet and that requies no input from you at all, be it a FF/IE/Office/XP/any other software exploit (does not need to be an MS bit of code) -- Symantec and Mcafee have both had issues of their code allowing this kind of behaviour to happen in the last few months.

Thirdy, for all you linux fanboys -- root kits existed on Linux BEFORE they did on windows, it is EASIER to rootkit a linux box than it is a windows box as you can hide it within the kernel source code and the like making it even harder to find.

Fouthly - for those that like Macs, there are about 10 "0-day" (more like 0-year) exploits that allow other users to gain remote admin rights on your PC that apple refuse / cant be assed to patch. Your safer on windows than on Mac OSX.

A dedicated hardware firewall may, and i stress, may help you protect your self against a root kit, but it depends on a) your firewall is set up (does it monitor both in and outbound traffic?) and b) how the root kit communicates, as it can piggy back on legitamit HTTP requets or within other packets that the firewall may not notice as a "bad" packet.

Software firewalls / avs just fail when it comes to root kits so they are totaly useless for finding / protecting your self from them.

To be fair, if you run in user mode on windows, a root kit cant install its self, only admin accounts can access ring0 so if you run with Guest rights or user Rights it will be more secure, of course you can use privalige esscalation, but you can do that in linux as well so *shrug* you are nieve if you think you are safer running Mac OSX or Linux when it comes to these things.

18th Jul 2006, 10:01	#1
WilHarris Just another nobody Join Date: Jun 2001 Location: Oxford Posts: 2,671	Stealth rootkit could make our lives a misery http://www.bit-tech.net/news/2006/07...ives_a_misery/

18th Jul 2006, 10:51	#2
Firehed Why not? I own a domain to match. Join Date: Feb 2004 Location: An hour north of Boston Posts: 12,576	Oh joy. Luckily I've been using my Mac almost exclusively the past few days, and hope to get a Mini so I can be just about fully switched over when not gaming. Of course, just avoiding the thing in the first place fixes the problem before it starts. It still requires you to do something stupid (though the list of stupid things grows by the day; thanks Sony!) __________________ hire me @ eric-stern.com - web developer and php ninja pics @ my smugmug :: Twitter @firehed :: blog @ firehed.net 40D\|580EXII\|285HV\|AB800\|70-200f/4LIS\|17-50f/2.8\|150f/2.8Macro\|50f/1.8 MacPro @ 8x2.8GHz, 10GB FBDDR2, 3TB HD :: MBP @ 2x2.2GHz, 4GB DDR2, 320GB HD

18th Jul 2006, 20:13	#8
DXR_13KE Madeira's banana is the best!!! Join Date: Sep 2005 Location: Madeira ; Portugal Posts: 6,469	fcuk you sony for starting this. [/rant] i realy hope microsoft patches this up. i am going to switch to linux anyway, and use windoze only for games. __________________ *Renegade X - 0.40 Release!* <---- CLICK!

19th Jul 2006, 02:04	#9
Ab$olut Supermodder Join Date: Dec 2004 Location: mansfield notts Posts: 584	looks like linux for me too as I have finally packed in gaming I think anyway more into my music and just wasting time on youtube/google vids __________________ http://www.dameet.co.uk 3000+ 64 venice : XFX 6800gs 256mb : 2gb cosair value ram : 120Gb maxtor : 400w silver power psu

19th Jul 2006, 03:51	#10
dibbs What's a Dremel? Join Date: Jul 2006 Location: indiana Posts: 5	poop well, i guess we could all switch to linux, hope for a windows to linux emulator for games, and everyone boycott the ps3... but thats an ideal world scenario what will really happen is everyone will keep running linux for day to day and windows for games, and people will still pay out the ass and buy into sony's new george foreman grill... reality sucks...

18th Jul 2006, 10:57	#3
EvilRusk 69 Dude!! Join Date: Jan 2006 Location: Arrg Yarrg Posts: 69	Yippee! Well just yesterday I finished setting up Ubuntu 6.06 on my PC, so I will be using windows only for games from tomorrow. Ubuntu is getting really nice now. Could this kind of process "molestation" by a rootkit be covered by using some kind of process hash-check (md5 etc etc)? That way if the rootkit interfered with another process, the hash-check would fail and alert the user of infection. The rootkit would then have to alter the hash-checker to work. You could even have a hash-check-checker and a hash-check-checker-checker and the hash-check arms race would be on! Admittedly hash-checkers/process guards are rather complex for the average user, but this is the kind of security that really ought to be built into an operating system. I'd be disappointed if Vista didn't include a higher level of process protection. As an aside you have a typo on the front page link for the article ("environmeny").

18th Jul 2006, 11:08	#4
rupbert Hypermodder Join Date: Jul 2002 Location: Northern Ireland Posts: 799	I understand rootkits, how they evade dectection etc. however I'm not quite sure how they 'get' onto a machine. Is it too naive to think that I will never get a rootkit using a hardware and software firewall and anti-virus?

18th Jul 2006, 13:24	#5
mmorgue Supermodder Join Date: Feb 2005 Location: Mos Eisley, in the bar... Posts: 378	I'm a bit confused as to how this happens. What i mean is, the means by which a rootkit "infects" a system -- are there any normal operations that do <whatever> it is this rootkit does? If there isn't, would that not be a failure in the Windows OS? To prevent code of that low level to infiltrate into core kernal operations?

19th Jul 2006, 17:14	#11
Buzzons Mod Master Join Date: Jul 2005 Posts: 2,086	This kind of issue wont (so says MSDN blogs) be an issue in Vista, they are protecting Ring 0 apps/ access. Secondly, to get a root kit onto your machine you just use the latest 0day that has not been patched yet and that requies no input from you at all, be it a FF/IE/Office/XP/any other software exploit (does not need to be an MS bit of code) -- Symantec and Mcafee have both had issues of their code allowing this kind of behaviour to happen in the last few months. Thirdy, for all you linux fanboys -- root kits existed on Linux BEFORE they did on windows, it is EASIER to rootkit a linux box than it is a windows box as you can hide it within the kernel source code and the like making it even harder to find. Fouthly - for those that like Macs, there are about 10 "0-day" (more like 0-year) exploits that allow other users to gain remote admin rights on your PC that apple refuse / cant be assed to patch. Your safer on windows than on Mac OSX. A dedicated hardware firewall may, and i stress, may help you protect your self against a root kit, but it depends on a) your firewall is set up (does it monitor both in and outbound traffic?) and b) how the root kit communicates, as it can piggy back on legitamit HTTP requets or within other packets that the firewall may not notice as a "bad" packet. Software firewalls / avs just fail when it comes to root kits so they are totaly useless for finding / protecting your self from them. To be fair, if you run in user mode on windows, a root kit cant install its self, only admin accounts can access ring0 so if you run with Guest rights or user Rights it will be more secure, of course you can use privalige esscalation, but you can do that in linux as well so shrug you are nieve if you think you are safer running Mac OSX or Linux when it comes to these things.