Home > Windows > Microsoft Warns of Impossible to Clean Spyware Microsoft Warns of Impossible to Clean Spyware Eugenia Loli 2005-02-18 Windows 36 Comments Here’s a story that the next generation of Windows spyware and exploits are starting to make use of “kernel rootkits”. A paper at Microsoft Research has details on a prototype detection tool. About The Author Eugenia Loli Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker. Follow me on Twitter @EugeniaLoli 36 Comments 2005-02-18 8:18 pm Anonymous What a nice surprise for the friday evening. But surely it must be possible with hash codes to find if any file has been tampered with? 2005-02-18 8:41 pm Anonymous Windows, Linux, and Unix all have rootkits. Yes, you can find the changed files with hashes. But not from the infected system. You need to boot from trusted media, such as a live CD-ROM, which won’t lie to you like the compromised system will. Read-only media shine for this sort of task. Best practice is to image the disk for forensics, if desired, then format and reinstall the OS. Attempting to remove the compromised files is usually more work than a reinstall, and you always to ask yourself if you really got all of the compromised files. Restore the configuration files and data from backups. You do keep backups, don’t you? 2005-02-18 8:44 pm Anonymous Say someone surfs to a website I control. I use a security exploit in the operating system or browser to install my rootkit on the client OS so that it cannot be removed, and did not see the install. Now the user is under my thumb when they go to their home page, I display my ads on other people sites. When they go to ebay.com, I will instead redirect them to on of my affiliate sites instead. So you have to ask yourself, why is the FBI not at my door? The only real thing that separates my actions from writing a worm, is that my code does not self replicate. So there you have it, I am going to pwn one of the governments computers and upload my rootkit, and when they kick down my door I will say. “Sorry, you made a mistake, the code I hacked your system to upload does not self replicate, and further more it even displays ads.” 2005-02-18 9:16 pm Anonymous Root-kits have been around a while for *nix admins so this is no new struggle for admins out there. The main problem I see with Windows is it lacks multi-layered security. Once you get in with admin access the whole system is pretty much yours. Even worse getting “admin” on Windows isn’t hard either. I guess it’s time for the developers at Redmond to discover read-only filesystems, automated integrity checking and process jails. 2005-02-18 9:18 pm Anonymous For me as a programmer, nothing is impossible;) 2005-02-18 9:19 pm Anonymous Actually you can do all you want but to an extent. But I agree totally – the other problem ofcourse is that everything is a black box. As long as they keep it this way, it will always be vulnerable to these problems. 2005-02-18 9:31 pm Anonymous MSFT is only a blackbox to legitmate programmers. I wonder if the crackers out there have written another windows API book, that tells of all the ‘hidden’ features of windows. The rate at which new viruses are released I do wonder. 2005-02-18 9:32 pm Anonymous It starts with good av and firewall and setting up your system to a base user for everything except admim. While things may be near impossible to clean they are not impossible to stop before they infect your system. 2005-02-18 9:35 pm Anonymous Imagine a linux/unix system infected the same type of rootkit. You wont be able to clean this system neither, a reinstall solves the problem here also. 2005-02-18 9:42 pm Anonymous With all due respect, getting good binaries may prove a little more difficult than suggested. MS has a tendancy to release hundereds of patchs and eventually merges them as a Service Pack. Now you have to use the origianl media plus various SP. Well, using SP might not be that bad, it really gets difficult when MS starts releasing several small patchs and then comparing those files. Since MS stopped producing SP’s for NT, 2000, that leads the admins a whole lot of digging for the smaller patches. Keep in mind that this is the base install, things get even more complicated when additional software is installed. There has to be easier way. 1) Would MS publish hashs for their files? 2) Would they produce a scan for the base install as well as their patched software? 3) Not likely…. They servers would be over run by the average user…. Just guessing on this point… Just rambling potential solutions….. or just rambling…. 2005-02-18 9:43 pm Anonymous this is drive by downloads through IE (which every neophyte windows user has a problem with) 2005-02-18 9:56 pm Anonymous I read a couple of the articles mentioned in the Slashdot report. The implications for the security industry are not good. If one of these kernel root kits is installed via drive by download, or via e-mail attachment then several things change. 1) If one of the tasks of the root kit is spyware, then anti-spyware programs will not detect it. The root kit will intercept any system calls that might aid in detection. Spyware is already difficult to remove; now detection will be just as hard, if not harder. 2) The same applies to anti-virus vendors. Scanning from an infected OS will not do much good. 3) This implies an escalation in the employed scanning methods. Microsoft has developed a preliminary system called Ghostbuster that runs and scans first under Windows, then from a self booting CD. It then compares the results of the scans to each other to determine if there is anything amiss. If there is, good luck cleaning the system. Further complications: Every time there are updates to Windows, a new CD would have to be burned (assuming you have a clean system). This goes beyond the ability of the average user. A desktop system should not be vulnerable to this garbage. Root kits were typically installed via flaws in servers. Desktop software typically wasn’t vulnerable to this kind of stuff. Now it is, and Windows’ emphasis on tight integration, coupled with most users running as an administrator makes for a particularly lethal combination. Never was an OS redesign so badly needed. 2005-02-18 9:57 pm Anonymous Imagine a linux/unix system infected the same type of rootkit. You wont be able to clean this system neither, a reinstall solves the problem here also. You’re right, read the FreeBSD security list sometime. Every so often someone comes and ask how to clean their machine that got hacked, and the answer is always, “Format and reinstall from backups”. 2005-02-18 10:13 pm Anonymous Hacker Defender – NT root kit http://hxdef.czweb.org/ Go hackers against M$ evil empire ! 2005-02-18 10:18 pm Anonymous >Imagine a linux/unix system infected the same type of rootkit. >You wont be able to clean this system neither, a reinstall solves the problem here also. As long as you can identify the compromised file(s), you only have to delete them and re copy from your install media. Same can probably be done on Windows, although the registry probably makes it little more challenging to clean. The real problem are not the rootkit approach, but the ease which spyware are able to install on windows in the first place. The layered security in Linux/unix does have it’s use. And there are several ways to increase it too. The day I see the first reliable reports of this kind of attacks on Linux I’ll start mounting the /bin partitions read only. 2005-02-18 10:30 pm Anonymous With all due respect, getting good binaries may prove a little more difficult than suggested. you don’t seem to understand. it’s a diff. you take a look at the system when mounted from a clean OS e.g. Windows PE, then take a look at the system when mounted from the infected OS. then analyze the difference. the MS tool is simply a sophisticated version of md5sum, Bart’s PE, and other free tools. this is an ancient forensics method. rootkits are old (~1999 for kernel-mode Windows kits), but mass use rootkit technologies by spyware coders is rather new. it’s simply an arms race. the rootkit coder modifies his kit to evade current detection tools, then the countermeasures are improved until they detect the kit. rootkit.com is replete with examples of this. 2005-02-18 10:40 pm Anonymous There has to be easier way. well MS can do this pretty easily. they have Windows Preinstallation Environment, their upcoming antivirus and current spyware detector, and various checksumming and analysis tools. there are also ways to check for rootkits from within the infected OS e.g. raw registry editor, raw process viewer, hook detector, etc. howerver, if you can afford to reboot and use a clean boot CD, that’s a much better method. even advanced methods like EPA (execution path analysis) can be circumvented by a really good rootkit. 2005-02-18 10:48 pm Anonymous “With all due respect, getting good binaries may prove a little more difficult than suggested.” I archive all patches and software installed on any Windows system. Re-installation is painful, but possible. If I did it once, then I can do it again with the same files. I don’t bother to archive updates that are handled by repositories for my Linux systems. Reinstall from CD, then run ‘apt-get update && apt-get upgrade’ or similar should get me back where I was. Third party or local stuff is archived, same as the Windows stuff. I’m sure that others will have suggestions on how to simplify reinstalling Windows. The idea of comparing the checksums created running on the compromised system with those running from CD-ROM is clever. It sounds like it should find compromised executables that try to hide themselves. But those aren’t the only dangers from a compromised system. Configuration changes can make standard programs dangerous. No matter how much it takes to reinstall, it may be easier than tracking down ALL of the results of a compromise. 2005-02-18 10:54 pm Anonymous This qualifies as a virus not as adware The defence I can think of is to have a third-party app – presumably supplied as part of an antivirus suite – compare windows file hashes to a record.. or better – to a live online database of file version hashes. 2005-02-18 11:16 pm Anonymous But those aren’t the only dangers from a compromised system. so true. the assumption is that the kernel-mode kits can’t hide because they try to hide i.e. they can be found by diffing techniques. this MS method would need to be combined with old school methods to find ring 3 kits, simple backdoors, etc. 2005-02-19 1:04 am Anonymous In response, OpenSource proponents were quick to remind that Linux innovated this concept much earlier than Microsoft even thought about it. As usual, Linux innovation precedes corprorate proprietary crapware: very good rootkits for Linux were known before this century. The February 2005 news published in different Internet news sites: a pro-opensource software development Web site was running infected by the “automated rootkit” (what the heck it is? – they called it that way) for a year before they realized their main server does not belong to them 100%. So, if Microsoft tries to patent the concept of impossible to clean spyware, IBM will provide (with the help of OpenSource in general and Linux in particular) examples of a prior art. In related news: FreeBSD groups claim that Linux stole idea of rootkits from FreeBSD and GPL-ed it because BSD license allows it. Regardless of FreeBSD/Linux priority, Microsoft comes distant third (at least) in that definitely impressive innovation race. As usual. 2005-02-19 1:06 am Anonymous Spyware that deals with working around Windows security is in violation of the DMCA. Any spyware/adware write who employs these methods will be sued into oblivion. 2005-02-19 2:23 am Anonymous I belive the techincalterm is “trojan”. 2005-02-19 4:10 am Anonymous Please allow me to adapt your usual defense whenever the problem of Windows malware is brought up: “My Linux system have never been infected by a rootkit, therefore this is not a real security problem and I don’t need to take any specific steps to secure my system…” Sounds familiar? For the record, I do use an anti-rootkit tool for Linux/BSD/*nix called rkhunter. It’s pretty good, and updated regularly. http://www.rootkit.nl/ 2005-02-19 5:02 am Anonymous As a limited user your copy of IE should have no access to the kernel files… So..RUN AS A USER. Maybe not a full solution, but it’s got to help. 2005-02-19 6:44 am Anonymous Computer Viruses are probably called so because of their similarity to biological Viruses, i.e. they spread through a vector and have similar statistical models for infection and die-off. Originally the difference between a Worm and a Virus was that a Worm auto-propagated (spread) whereas a Virus needed some user intervention to infect, such as opening a file or attachment. Since the increase in the number of computers permanently connected to the Internet and Microsoft’s creation of software systems that allow for easy auto-propagation, most viruses now use auto-propagation and thus should properly be called worm/viruses. There are however still some viruses that require user interactions to infect. Spyware is a more like a legal term. Spyware is a program that without the users consent tells other people/programs what that person is doing. 2005-02-19 8:15 am Anonymous Oh dear, Rootkits! /me reaches for the power button 2005-02-19 8:28 am Anonymous TIP: You can pretty much anything while being a limited user in you own home folder,that is if the developer hasn’t messed up one or another.Furthermore you can encrypt that newly created folder,let’s say c:Documents and SettingsOpera,and all files within and still have a full functional browser. Have at least one limited user account ready.Set the following registry keys to read only (deny write) for this particular limited user.(needless to say you ought to mack a backup first of you registry state) SoftwareMicrosoftWindowsCurrentVersionRun SoftwareMicrosoftWindowsCurrentVersionRunOnce SoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Folders SoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders SoftwareMicrosoftWindowsNTCurrentVersionWindows C:Documents and Settings<user>StartmenuProgramsStartup CDocuments and Settings<All users>StartmenuProgramsStartup 2005-02-19 10:26 am Anonymous useing tripwire? atleast in the *nix world this nice app can tell you of any changes to the system. allso, did not norton come with a “immunize” feature that more or less logged the checksum of major system files? any changes and the alarm goes off. heh, i have spybots teatimer running so that when a change to specific parts of the registry happens it will alert me and ask if the change should be allowed or denied. problem with these kinds of apps is that they need user feedback and therefor the user must understand the question. in this age of thinking as if the computer is a advanced typewriter and vcr i dont think we get far in the user understanding part. only way to solve this without educating the mases (and i tell you, if they dont want to be educated you will have a hard time doing so) is to create a true immunesystem for the computer. able to detect, id and remove bad code automaticly without the user knowing. the question then becomes, how do we tell the bad code from the advanced code? basicly the computer have become in fact to powerfull. we need a new kind of system where ever memory address is locked down, where you cant patch files by inserting new code inside the old binarys. can this be done and still give the user what he wants? 2005-02-19 11:48 am Anonymous @Jim Thats right, all breaches into a computer system to install any kind of software – replicant or non-replicant should be treated the same. Still there has been spyware that then goes and probes other machines to assist in further attacks. Computer security is currently handled quite hipocritical by the authorities (most likely due to heavy lobbying rather than anything else) and this just continues everyone’s problem (except those making large amounts of money from it, which then spends this money on further lobbying, cycle continuing). 2005-02-19 4:12 pm Anonymous “Spyware that deals with working around Windows security is in violation of the DMCA. Any spyware/adware write who employs these methods will be sued into oblivion.” Only if he lives in the USA. What if he lives in Belarus or Cambodia? 2005-02-19 6:09 pm Anonymous Take it easy, man. BTW, I never used that “line of defence” you attribute to me. I know that malware exists for Windows, and even gave you my personal experience of how a corporation with over 5,000 desktops could be forced to spend a lot of money for basic security measures- just because they did it after they were infected twice. If they did it before, like I secured my personal desktop which remained not infected- their losses from malware would be $0. You dismissed that as my personal experince- and suddenly what, you spread lies about me? That is so low, even zealot like you could comperehend how low it is. 2005-02-19 7:18 pm Anonymous Aren’t you the one that said that you have never been infected by malware, even though you don’t have anti-virus software? I’m pretty sure you did, but I could be wrong. If you haven’t, then accept my apologies. I simply reacting to your trollish diatribe about Linux “paving the way” for Windows rootkits. When you try to inflame people by posting provocative stuff, don’t be surprised if you get burned. You dismissed that as my personal experince- and suddenly what, you spread lies about me? Well, you know, you spread lies about me first (saying that I had insulted you when I hadn’t, saying I’m a zealot when I’m not), so now we’re even! 2005-02-20 1:08 am Anonymous you take a look at the system when mounted from a clean OS e.g. Windows PE, then take a look at the system when mounted from the infected OS. then analyze the difference. This won’t work. The system when mounted with the infected OS can be desined to give you the same results by tricking you. 2005-02-20 7:42 am Anonymous you don’t seem to understand. it’s a diff. you take a look at the system when mounted from a clean OS e.g. Windows PE, then take a look at the system when mounted from the infected OS. then analyze the difference. the MS tool is simply a sophisticated version of md5sum, Bart’s PE, and other free tools. this is an ancient forensics method. ______________________________________________________________ The problem is making sure you have the same levle of patchs, IE: the infected environment vs clean os environment. Here is the crux of the issue. Correct me if I am wrong but both images must match: Clean OS | Infected OS | Base system | Base System Applications | Applications Then your preform a differnce between the 2 said bases. Anying that doesn’t exist could be a problem. Now what happens when you have several patches for either OS or Application. Now you have to keep track of every patch for the OS and Application and have an environment created so that you can preform the Diff. Keep in mind that not all machies have the same software installed. True one PE environment can be used for several machines but there are going to be quite a few that do not correspond to the standard image / patch level / application in question. Now that involves creating custome CD’s for every machine that is at a different level with respect to patches for: 1) Base 2) Application How much of your time are you willing to devote to the creation of CD images for scans. You may have MS issue patches once or twice a month. That is one to two images right there. Ok 2 images right there. What happens if you have a thousand machies and have about 50 or so that do not correspond to the company standard due to applications or base install. Now to be able to do the diff’s on said machines, that would be any where from 50 to 100 images that are being created for the purpose of diff’ng. How long would it take to create 100 images and do the diff’ng on thoes machies? 2005-02-21 7:35 am Anonymous I guess this is why most people here doesn’t use Windows anymore.