DaveDude (No Fear) join:1999-09-01 New Jersey |
RSA: Microsoft on 'rootkits': Be afraid, be very » www.computerworld.com/se ··· ,00.html
FEBRUARY 17, 2005 (IDG NEWS SERVICE) - Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals. The researchers discussed the growing threat posed by kernel rootkits at a session at the RSA Security Conference in San Francisco this week. The malicious snooping programs are becoming more common and could soon be used to create a new generation of mass-distributed spyware and worms. |
|
Steve (I know your IP address)
join:2001-03-10 Tustin, CA |
Steve
2005-Feb-18 4:52 pm
Re: RSA: Microsoft on 'rootkits': Be afraid, be very
The best reason I know of to run as a limited user...
And the rootkit guys at Microsoft Research are the toppest of notch. |
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV |
I have tested several root kits and several DLL injection Trojans; none seem to work with debug disabled. I never use limited accounts, only Admin accounts; I just don't allow debug privilege. |
|
astirusty Premium Member join:2000-12-23 Henderson, NV |
to DaveDude
I am really surprised MS does already have a program available to detect Windows rootkit-ed systems. Surely a program that does a CRC of system files and compares the file name and CRC data to a list of file names and CRC signatures stored in database could detect this kind of tampering? |
|
B04 Premium Member join:2000-10-28 |
to Vampirefo
Uh, couldn't those administrative accounts simply grant themselves debug privilege? Excuse my ignorance, please.
-- B
|
Steve (I know your IP address)
join:2001-03-10 Tustin, CA |
Steve
2005-Feb-18 5:06 pm
said by B04: Uh, couldn't those administrative accounts simply grant themselves debug privilege? Excuse my ignorance, please.
It looks to me like you understand things perfectly well.
said by astirusty: Surely a program that does a CRC of system files and compares the file name and CRC data to a list of file names and CRC signatures stored in database could detect this kind of tampering?
The whole idea of a rootkit is that the OS itself cannot be trusted. When your program runs to collect the CRC of (say) KERNEL32.DLL, the rootkit will just lie to you about the answer. Once your OS is compromised, there are nearly no questions you can ask that give an answer you can rely on.
Steve |
|
B04 Premium Member join:2000-10-28 |
B04
Premium Member
2005-Feb-18 5:09 pm
Sure, but it's relatively easy to do the CRC with an off-line boot disk, no? Of course, keeping it up to date across service packs and NOT across rootkit infections would be the tricky part...
-- B |
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV 1 edit |
to B04
said by B04: Uh, couldn't those administrative accounts simply grant themselves debug privilege? Excuse my ignorance, please. -- B
Of course not, no more than a firewall could just one day decide to let anything in or out. |
|
astirusty Premium Member join:2000-12-23 Henderson, NV 2 edits |
to Steve
said by Steve: The whole idea of a rootkit is that the OS itself cannot be trusted. When your program runs to collect the CRC of (say) KERNEL32.DLL, the rootkit will just lie to you about the answer.
Yes, I know. However, a rootkit will have a hard time lying about what the correct CRC value to return is. I guess the rootkit could incorporate the same database and pass that back.... However, the rootkit would have to recognize the process doing the CRC and then figure out where to load the CRC value at in the process. Nevertheless, the program could be made to run standalone from a boot CD - like BartPE. |
|
Steve (I know your IP address)
join:2001-03-10 Tustin, CA |
Steve
2005-Feb-18 5:19 pm
said by astirusty: However a rootkit will have a hard time lying about what the correct CRC value to return is. I guess the rootkit could incorporate the same database and pass that back....
What it has no trouble lying about is hiding the rootkit files itself: while enumerating a directory, it just conveniently forgets to return that such and such files exist.
said by astirusty: Nevertheless, the program could be made to run standalone from a boot CD - like BartPE.
Yes, this is pretty much the approach that people use. Once the rootkit bits execute, you're done.
Steve |
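The offline check astirusty and B04 describe, and that Steve confirms as the usual approach, comes down to a manifest of known-good file hashes that is compared against the disk from a boot medium the rootkit never ran on. The following is an added example, not code from the thread or from any of the posters; the manifest format (a JSON map of relative path to hash), the function names, and the tiny stand-in file tree are all constructed here. It uses SHA-256 rather than the CRC discussed above, since a CRC can be forged at will, and it reports three things a live system could lie about: files whose contents changed, files that vanished, and files the baseline never saw.

```python
import hashlib
import json
import os
import tempfile

# Baseline format assumed here (not from the thread): {"relative/path": "sha256 hex"},
# recorded from a known-good install and carried on the boot medium.
# SHA-256 replaces the CRC the thread discusses: a CRC is trivial to forge,
# a cryptographic hash is not.

def sha256_of(path):
    """Hash one file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Walk a tree and record the hash of every regular file, keyed by /-separated relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest

def compare_to_baseline(root, baseline):
    """Report changed, missing and unexpected files relative to the baseline.
    Only meaningful when run from a trusted environment (a boot CD): on a live
    compromised system the directory walk and the file reads themselves can be lied to."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed scenario: a tiny stand-in for a system tree, baselined, then tampered with."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "system32"))
    originals = {
        "system32/kernel32.dll": b"stand-in for the real kernel32",
        "system32/ntdll.dll": b"stand-in for the real ntdll",
        "boot.ini": b"[boot loader]",
    }
    for rel, data in originals.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    # Round-trip through JSON, as the baseline would be stored on the boot medium.
    baseline = json.loads(json.dumps(build_manifest(root)))
    # Simulate what an intruder leaves behind: a patched library, an extra file, a deleted file.
    with open(os.path.join(root, "system32/kernel32.dll"), "wb") as f:
        f.write(b"patched kernel32")
    with open(os.path.join(root, "system32/extra.sys"), "wb") as f:
        f.write(b"file the baseline never saw")
    os.remove(os.path.join(root, "boot.ini"))
    return compare_to_baseline(root, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "unexpected" bucket is the one that answers Steve's point about hidden files: a rootkit that omits its own files from a live directory listing cannot omit them from a walk done by a system it is not running on, so the same tree scanned offline shows files the live system never admitted to. B04's maintenance problem stands: the manifest has to be regenerated after every legitimate update, from a state you trust.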
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV 2 edits |
said by Steve: Once the rootkit bits execute, you're done. Steve
Boot into safe mode and remove it. |
|
Steve (I know your IP address)
join:2001-03-10 Tustin, CA |
Steve
2005-Feb-18 5:22 pm
said by Vampirefo:Boot into safe mode and remove it. Safe mode does not guarantee that your rootkit bits won't execute - if the OS is compromised, you're toast. |
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV |
Do you know of one single root kit that can beat safe mode? I know of zero.
Please post name I will infect this pc and show you it can't beat safe mode. |
|
Steve (I know your IP address)
join:2001-03-10 Tustin, CA |
Steve
2005-Feb-18 5:26 pm
said by Vampirefo:Do you know of one single root kit that can beat safe mode? I know of zero. I am speaking about how operating systems work in general, not how any particular rootkit works. Safe mode can't even beat all the user-mode badware, so it's impossible to believe that rootkits are somehow always beaten by safe mode. |
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV |
Debug is not loaded in safe mode; root kit defeated, end of story. |
|
astirusty Premium Member join:2000-12-23 Henderson, NV |
to Steve
said by Steve: What it has no trouble lying about is hiding the rootkit files itself: while enumerating a directory, it just conveniently forgets to return that such and such files exist. Yes, a very valid point. |
|
Steve (I know your IP address)
join:2001-03-10 Tustin, CA |
to Vampirefo
said by Vampirefo:Debug is not loaded in safe mode root kit defeated end of story. I have just been informed reliably by a source at Microsoft that your notion needs a "reality check": Safe mode is no protection from anything. I've also been informed that an administrator probably cannot directly re-enable his debug privilege, but installing a trivial service running as LocalSystem can accomplish the same thing. |
|
PageTurner |
to Vampirefo
Re: RSA: Microsoft on 'root kit': Be afraid, be very
So if one goes into tools-internet options-advanced and unchecks debugging they are safe from a root kit?
Or is it necessary to change other settings also? |
|
Steve (I know your IP address)
join:2001-03-10 Tustin, CA |
Steve
2005-Feb-18 5:42 pm
said by PageTurner:So if one goes into tools-internet options-advanced and unchecks debugging they are safe from a root kit? Absolutely not. This may stop some kinds, but absolutely not all kinds. |
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV 1 edit |
to Steve
Re: RSA: Microsoft on 'rootkits': Be afraid, be very
said by Steve: I've also been informed that an administrator probably cannot directly re-enable his debug privilege, but installing a trivial service running as LocalSystem can accomplish the same thing.
Not without the admin password. |
|
Steve (I know your IP address)
join:2001-03-10 Tustin, CA |
Steve
2005-Feb-18 5:45 pm
said by Vampirefo: Not without the admin password. If you run some malware as the administrator, it can install a service without knowing that password. If you're talking about running as a non-admin user, then that's a different story. |
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV |
to Steve
said by Steve: said by Vampirefo: Debug is not loaded in safe mode root kit defeated end of story. I have just been informed reliably by a source at Microsoft that your notion needs a "reality check": Safe mode is no protection from anything.
No reality check needed. Root kits are easy to find and remove. I can do it in safe mode or via network; MS guy needs to put down the crack pipe and sniff some coffee. |
|
Steve (I know your IP address)
join:2001-03-10 Tustin, CA |
Steve
2005-Feb-18 5:54 pm
Vampirefo, you are positively on drugs. All a rootkit has to do is add itself to the list of drivers started in safe mode, and it runs then too. » www.rootkit.com/board.ph ··· isp=3067
You are the only person on the planet who thinks that root kits are "easy" to remove. |
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV |
I see the whole picture now MS created Strider GhostBuster and wants to scare people into getting it. |
|
Vampirefo 3 edits |
to Steve
said by Steve: Vampirefo, you are positively on drugs. All a rootkit has to do is add itself to the list of drivers started in safe mode, and it runs then too. » www.rootkit.com/board.ph ··· isp=3067 You are the only person on the planet who thinks that root kits are "easy" to remove.
This again requires debug privilege. MS guy and others are only giving you part of the story: no rootkit can work without debug privilege. Ask your MS guy to give you the name of just one rootkit that works without debug privilege; I would love to see how smart the guy you are talking to really is. |
|
Vampirefo |
Here is a rootkit detector don't tell your MS guy, he wont be able to scare the children any more. » www.securityfocus.com/ar ··· 1/350233 |
|
Steve (I know your IP address)
join:2001-03-10 Tustin, CA 1 edit |
to Vampirefo
said by Vampirefo: This again requires debug privilege, MS guy and others are only giving you part of the story no rootkit can work without debug privilege.
I have checked with multiple people who know about this, and every one says not only that you're wrong, but that you're spectacularly wrong. I know firsthand that one does not require debug privilege to install something into that registry key, nor to install a LocalSystem service or driver. You are badly confused about what "debug privilege" means and how it's only one of many vectors for system infection. Do not listen to him about rootkits. He's seriously mistaken.
said by a colleague on this matter: Ask him: Administrators can modify the OS -- how would you explain that you can upgrade the OS as an admin? Thus, if you can install a different OS, what's to stop you from installing *anything* else, or modifying the OS for that sake? And WTF does "Debug isn't loaded" mean? Sorry, this was just too fun to pass up
Just very, very badly mistaken. |
|
psloss Premium Member join:2002-02-24 |
to Vampirefo
said by Vampirefo: said by Steve: I've also been informed that an administrator probably cannot directly re-enable his debug privilege, but installing a trivial service running as LocalSystem can accomplish the same thing. Not without the admin password.
If you're running as admin, you already have sufficient rights to go:
OpenSCManager
CreateService("set_sedebugprivilege", etc)
OpenService("set_sedebugprivilege")
StartService
Philip Sloss |
|
dave Premium Member join:2000-05-04 not in ohio |
to DaveDude
'Safe mode' is not a security option. The purpose of safe mode is to allow you to recover from buggy software (typically drivers) that prevents the system from being brought up normally.
Want something to still run in safe mode? Then add it to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot.
I haven't tried this, but I imagine all you do is add a key named Minimal\MyRootKit and you're all set. |
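From the defender's side, dave's post turns into a concrete check: anything listed under that SafeBoot key will start in safe mode, so an entry that is not in a known-good list is worth a look. The following is an added example, not code from the thread or from any poster; it parses the text of a `reg export` of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot and diffs the entries under Minimal and Network against a known-good export. Both exports below are constructed for the example (the entry names are illustrative, and the MyRootKit name is dave's own hypothetical), and the function names are assumptions. For Steve's reason, the suspect export should come from a trusted environment (for instance the SYSTEM hive loaded from an offline boot), since a live compromised system can misreport its own registry.

```python
import re

# Key path from dave's post; group 1 is the boot list (Minimal or Network),
# group 2 the entry name directly beneath it.
SAFEBOOT_ENTRY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)\\([^\]]+)\]$",
    re.IGNORECASE,
)

def parse_safeboot_export(reg_text):
    """Return {(list_name, entry_name): default_value} from the text of a .reg export.
    Only entries directly under the Minimal and Network subkeys of SafeBoot are kept;
    the default value (the @= line) is what the loader uses to decide driver vs service."""
    entries = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SAFEBOOT_ENTRY.match(line)
        if m:
            current = (m.group(1).capitalize(), m.group(2))
            entries[current] = None  # the @= line, if any, follows
            continue
        if line.startswith("["):
            current = None  # some other key; its values are not ours
        elif current is not None and line.startswith("@="):
            entries[current] = line[2:].strip().strip('"')
    return entries

def diff_safeboot(known_good_text, suspect_text):
    """Entries the suspect export has that the known-good one lacks, and vice versa."""
    good = parse_safeboot_export(known_good_text)
    suspect = parse_safeboot_export(suspect_text)
    return {
        "added": sorted((k, suspect[k]) for k in suspect if k not in good),
        "removed": sorted(k for k in good if k not in suspect),
    }

# Constructed exports, not taken from any real machine.
KNOWN_GOOD = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog]
@="Service"
"""

# Same machine later, with the extra entry dave imagined.
SUSPECT = KNOWN_GOOD + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MyRootKit]
@="Driver"
"""

def demo():
    """Diff the two constructed exports; the added entry is the one to investigate."""
    return diff_safeboot(KNOWN_GOOD, SUSPECT)

if __name__ == "__main__":
    for (boot_list, name), kind in demo()["added"]:
        print(f"unexpected safe-mode entry: {boot_list}\\{name} ({kind})")
```

The diff only names entries; the next step is to resolve each added name to its driver or service binary and verify that file against a trusted hash, which is the same offline-manifest problem the thread covers earlier. Treating safe mode as a recovery aid rather than a security boundary, as dave says, is the point: this check is how you find out whether that boundary has been quietly extended.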
|
Steve (I know your IP address)
join:2001-03-10 Tustin, CA |
Steve
2005-Feb-18 8:14 pm
said by dave:I haven't tried this, but I imagine all you do is add a key named Minimal\MyRootKit and you're all set. But you forgot about the "debug bit"! |
|