DaveDude
Member, join:1999-09-01, New Jersey

RSA: Microsoft on 'rootkits': Be afraid, be very

»www.computerworld.com/se ··· ,00.html

FEBRUARY 17, 2005 (IDG NEWS SERVICE) - Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals.

The researchers discussed the growing threat posed by kernel rootkits at a session at the RSA Security Conference in San Francisco this week. The malicious snooping programs are becoming more common and could soon be used to create a new generation of mass-distributed spyware and worms.

Steve
join:2001-03-10, Tustin, CA

The best reason I know of to run as a limited user...

And the rootkit guys at Microsoft Research are the toppest of notch.

Vampirefo
Premium Member, join:2000-12-11, Huntington, WV

I have tested several root kits and several DLL injection Trojans; none seem to work with debug disabled. I never use limited accounts, only Admin accounts; I just don't allow debug privilege.

astirusty to DaveDude
Premium Member, join:2000-12-23, Henderson, NV

I am really surprised MS does already have a program available to detect Windows rootkit-ed systems.

Surely a program that does a CRC of system files and compares the file name and CRC data to a list of file names and CRC signatures stored in a database could detect this kind of tampering?

B04 to Vampirefo
Premium Member, join:2000-10-28

Uh, couldn't those administrative accounts simply grant themselves debug privilege? Excuse my ignorance, please.

-- B

Steve
join:2001-03-10, Tustin, CA

said by B04:
Uh, couldn't those administrative accounts simply grant themselves debug privilege? Excuse my ignorance, please.

It looks to me like you understand things perfectly well.

said by astirusty:
Surely a program that does a CRC of system files and compares the file name and CRC data to a list of file names and CRC signatures stored in a database could detect this kind of tampering?

The whole idea of a rootkit is that the OS itself cannot be trusted. When your program runs to collect the CRC of (say) KERNEL32.DLL, the rootkit will just lie to you about the answer.

Once your OS is compromised, there are nearly no questions you can ask that give an answer you can rely on.

Steve

B04
Premium Member, join:2000-10-28

Sure, but it's relatively easy to do the CRC with an off-line boot disk, no? Of course, keeping it up to date across service packs and NOT across rootkit infections would be the tricky part...

-- B

Vampirefo to B04
Premium Member, join:2000-12-11, Huntington, WV

said by B04:
Uh, couldn't those administrative accounts simply grant themselves debug privilege? Excuse my ignorance, please.

Of course not, no more than a firewall could just one day decide to let anything in or out.

astirusty to Steve
Premium Member, join:2000-12-23, Henderson, NV

said by Steve:
The whole idea of a rootkit is that the OS itself cannot be trusted. When your program runs to collect the CRC of (say) KERNEL32.DLL, the rootkit will just lie to you about the answer.

Yes, I know. However a rootkit will have a hard time lying about what the correct CRC value to return is. I guess the rootkit could incorporate the same database and pass that back.... However the rootkit would have to recognize the process doing the CRC and then figure out where to load the CRC value at in the process.

Nevertheless, the program could be made to run standalone from a boot CD - like BartPE.

Steve
join:2001-03-10, Tustin, CA

said by astirusty:
However a rootkit will have a hard time lying about what the correct CRC value to return is. I guess the rootkit could incorporate the same database and pass that back....

What it has no trouble lying about is hiding the rootkit files themselves: while enumerating a directory, it just conveniently forgets to return that such and such files exist.

said by astirusty:
Nevertheless, the program could be made to run standalone from a boot CD - like BartPE.

Yes, this is pretty much the approach that people use. Once the rootkit bits execute, you're done.

Steve
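
Worked example of the offline check that astirusty, B04 and Steve converge on above: boot from trusted media, mount the suspect disk, hash its files and diff them against a baseline recorded from a known-good install. This is an added example, not code from the thread or from any product it mentions; it uses SHA-256 rather than a CRC (a CRC is a checksum, not a collision-resistant hash, so a patched file can be made to keep its CRC), and the directory tree, file names and file contents inside demo() are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of one file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root.

    Keys are lower-cased because Windows paths are case-insensitive; symlinks
    are skipped so a link cannot stand in for the file it points at.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(root).as_posix().lower()] = hash_file(p)
    return manifest


def save_manifest(manifest, path):
    """Write the baseline; in practice it lives on read-only media (the boot CD)."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Return (modified, added, missing): each a sorted list of relative paths."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    return modified, added, missing


def demo():
    """Constructed scenario: baseline a two-file 'system32', then tamper with it offline."""
    with tempfile.TemporaryDirectory() as disk, tempfile.TemporaryDirectory() as media:
        sys32 = Path(disk) / "windows" / "system32"
        sys32.mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"constructed clean kernel32 contents")
        (sys32 / "ntdll.dll").write_bytes(b"constructed clean ntdll contents")
        save_manifest(build_manifest(disk), Path(media) / "baseline.json")

        # What an infection might leave behind: one patched system DLL and one
        # extra driver file. Scanned from outside the OS, neither can hide.
        (sys32 / "kernel32.dll").write_bytes(b"constructed clean kernel32 contents\x90")
        (sys32 / "drivers").mkdir()
        (sys32 / "drivers" / "hidden.sys").write_bytes(b"constructed driver not in baseline")

        baseline = load_manifest(Path(media) / "baseline.json")
        return compare(baseline, build_manifest(disk))


if __name__ == "__main__":
    modified, added, missing = demo()
    print("modified:", modified)
    print("added:", added)
    print("missing:", missing)
```

Because the scan runs from the boot CD, none of the suspect OS's code (and so none of the directory-listing or file-read hooks Steve describes) is executing, which is why the extra driver file turns up as "added" instead of being hidden. B04's caveat still applies: the baseline is only rebuilt from trusted media or a trusted update, never from the machine under examination, or an infection gets baked into it.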

Vampirefo
Premium Member, join:2000-12-11, Huntington, WV

said by Steve:
Once the rootkit bits execute, you're done.

Boot into safe mode and remove it.

Steve
join:2001-03-10, Tustin, CA

said by Vampirefo:
Boot into safe mode and remove it.

Safe mode does not guarantee that your rootkit bits won't execute - if the OS is compromised, you're toast.

Vampirefo
Premium Member, join:2000-12-11, Huntington, WV

Do you know of one single root kit that can beat safe mode? I know of zero.

Please post a name; I will infect this PC and show you it can't beat safe mode.

Steve
join:2001-03-10, Tustin, CA

said by Vampirefo:
Do you know of one single root kit that can beat safe mode? I know of zero.

I am speaking about how operating systems work in general, not how any particular rootkit works.

Safe mode can't even beat all the user-mode badware, so it's impossible to believe that rootkits are somehow always beaten by safe mode.

Vampirefo
Premium Member, join:2000-12-11, Huntington, WV

Debug is not loaded in safe mode; root kit defeated, end of story.

astirusty to Steve
Premium Member, join:2000-12-23, Henderson, NV

said by Steve:
What it has no trouble lying about is hiding the rootkit files themselves: while enumerating a directory, it just conveniently forgets to return that such and such files exist.

Yes, a very valid point.

Steve to Vampirefo
join:2001-03-10, Tustin, CA

said by Vampirefo:
Debug is not loaded in safe mode; root kit defeated, end of story.

I have just been informed reliably by a source at Microsoft that your notion needs a "reality check": Safe mode is no protection from anything.

I've also been informed that an administrator probably cannot directly re-enable his debug privilege, but installing a trivial service running as LocalSystem can accomplish the same thing.

PageTurner to Vampirefo
Premium Member, join:2004-08-16, US

So if one goes into tools-internet options-advanced and unchecks debugging they are safe from a root kit?

Or is it necessary to change other settings also?

Steve
join:2001-03-10, Tustin, CA

said by PageTurner:
So if one goes into tools-internet options-advanced and unchecks debugging they are safe from a root kit?

Absolutely not.

This may stop some kinds, but absolutely not all kinds.

Vampirefo to Steve
Premium Member, join:2000-12-11, Huntington, WV

said by Steve:
I've also been informed that an administrator probably cannot directly re-enable his debug privilege, but installing a trivial service running as LocalSystem can accomplish the same thing.

Not without the admin password.

Steve
join:2001-03-10, Tustin, CA

said by Vampirefo:
Not without the admin password.

If you run some malware as the administrator, it can install a service without knowing that password.

If you're talking about running as a non-admin user, then that's a different story.

Vampirefo to Steve
Premium Member, join:2000-12-11, Huntington, WV

said by Steve:
said by Vampirefo:
Debug is not loaded in safe mode; root kit defeated, end of story.

I have just been informed reliably by a source at Microsoft that your notion needs a "reality check": Safe mode is no protection from anything.

No reality check needed; rootkits are easy to find and remove.

I can do it in safe mode or via network; the MS guy needs to put down the crack pipe and sniff some coffee.

Steve
join:2001-03-10, Tustin, CA

Vampirefo, you are positively on drugs.

All a rootkit has to do is add itself to the list of drivers started in safe mode, and it runs then too.

»www.rootkit.com/board.ph ··· isp=3067

You are the only person on the planet who thinks that root kits are "easy" to remove.

Vampirefo
Premium Member, join:2000-12-11, Huntington, WV

I see the whole picture now: MS created Strider GhostBuster and wants to scare people into getting it.

Vampirefo to Steve
Premium Member, join:2000-12-11, Huntington, WV

said by Steve:
Vampirefo, you are positively on drugs.

All a rootkit has to do is add itself to the list of drivers started in safe mode, and it runs then too.

»www.rootkit.com/board.ph ··· isp=3067

You are the only person on the planet who thinks that root kits are "easy" to remove.

This again requires debug privilege. The MS guy and others are only giving you part of the story: no rootkit can work without debug privilege.

Ask your MS guy to give you the name of just one rootkit that works without debug privilege, I would love to see how smart the guy you are talking to really is.

Vampirefo
Premium Member, join:2000-12-11, Huntington, WV

Here is a rootkit detector; don't tell your MS guy, he won't be able to scare the children any more. »www.securityfocus.com/ar ··· 1/350233

Steve to Vampirefo
join:2001-03-10, Tustin, CA

said by Vampirefo:
This again requires debug privilege. The MS guy and others are only giving you part of the story: no rootkit can work without debug privilege.

I have checked with multiple people who know about this, and every one says not only that you're wrong, but that you're spectacularly wrong. I know firsthand that one does not require debug privilege to install something into that registry key, nor to install a LocalSystem service or driver.

You are badly confused about what "debug privilege" means and how it's only one of many vectors for system infection.

Do not listen to him about rootkits. He's seriously mistaken.
said by a colleague on this matter:

Ask him:

Administrators can modify the OS -- how would you explain that you can upgrade the OS as an admin?

Thus, if you can install a different OS, what's to stop you from installing *anything* else, or modifying the OS for that sake?

And WTF does "Debug isn't loaded" mean?

Sorry, this was just too fun to pass up

Just very, very badly mistaken.

psloss to Vampirefo
Premium Member, join:2002-02-24

said by Vampirefo:
said by Steve:
I've also been informed that an administrator probably cannot directly re-enable his debug privilege, but installing a trivial service running as LocalSystem can accomplish the same thing.

Not without the admin password.

If you're running as admin, you already have sufficient rights to go:

OpenSCManager
CreateService("set_sedebugprivilege", etc)
OpenService("set_sedebugprivilege")
StartService

Philip Sloss

dave to DaveDude
Premium Member, join:2000-05-04, not in ohio

'Safe mode' is not a security option. The purpose of safe mode is to allow you to recover from buggy software (typically drivers) that prevents the system from being brought up normally.

Want something to still run in safe mode? Then add it to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot.

I haven't tried this, but I imagine all you do is add a key named Minimal\MyRootKit and you're all set.
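
As an added example, not code from the thread, here is the defender's side of the SafeBoot lists dave describes: parse two regedit .reg exports of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot, one saved from a clean build and one taken from the suspect machine (ideally with its SYSTEM hive loaded from the boot CD rather than read through the running OS, for the reason Steve gives earlier), and report any Minimal or Network entry the clean build does not have. Both .reg samples are constructed for the demo; the entry names in them are illustrative, and MyRootKit is the placeholder name from dave's post.

```python
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Constructed .reg export of a clean machine's SafeBoot key (names illustrative).
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"
"""

# Constructed suspect export: the baseline plus the subkey dave's post describes.
SUSPECT_REG = BASELINE_REG + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MyRootKit]
@="Driver"
"""


def parse_safeboot(reg_text):
    """Return {"Minimal": {name: kind}, "Network": {name: kind}} from a .reg export.

    'kind' is the subkey's default value ("Driver", "Service" or "Driver Group"),
    or None when the export carries no default value for that subkey.
    """
    lists = {"Minimal": {}, "Network": {}}
    prefix = SAFEBOOT.lower() + "\\"
    current = None  # (list name, entry name) while inside an entry subkey
    for raw in reg_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = None
            key = m.group(1)
            if key.lower().startswith(prefix):
                parts = key[len(prefix):].split("\\")
                # Only direct children of Minimal / Network are boot-list entries.
                if len(parts) == 2 and parts[0] in lists:
                    current = (parts[0], parts[1])
                    lists[parts[0]].setdefault(parts[1], None)
            continue
        d = DEFAULT_RE.match(line)
        if d and current:
            lists[current[0]][current[1]] = d.group(1)
    return lists


def unexpected_entries(baseline, current):
    """Entries present on the suspect machine but absent from the clean baseline.

    Names compare case-insensitively, as the registry does. The result maps
    each list to a sorted list of (name, kind) tuples.
    """
    out = {}
    for listname in ("Minimal", "Network"):
        known = {name.lower() for name in baseline[listname]}
        out[listname] = sorted(
            (name, kind) for name, kind in current[listname].items()
            if name.lower() not in known
        )
    return out


def demo():
    return unexpected_entries(parse_safeboot(BASELINE_REG), parse_safeboot(SUSPECT_REG))


if __name__ == "__main__":
    for listname, entries in demo().items():
        for name, kind in entries:
            print(f"SafeBoot\\{listname}\\{name} ({kind}) is not in the baseline")
```

The comparison is deliberately a diff against a known-good export rather than a fixed allowlist, because the contents of these lists vary between Windows versions and service packs; the same caveat as for the file baseline applies, namely that the clean export has to come from trusted media, not from the machine being checked.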

Steve
join:2001-03-10, Tustin, CA

said by dave:
I haven't tried this, but I imagine all you do is add a key named Minimal\MyRootKit and you're all set.

But you forgot about the "debug bit"!