Re: Hidden Applications and rootkits for Windows

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 02/28/05

  • Next message: Brian Bergin: "Re: Firescrolling [Firefox 1.0]" 
    Date:         Mon, 28 Feb 2005 15:18:04 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Compendium of responses;

    Quite a few people (Jason DePriest being first) pointed out the recently released RootkitRevealer from Sysinternals;

    http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

    Together with a few glowing reports, there was this message from Bill Sanderson;
    -----
    I have to say, however, that the tool has some limitations. I don't find it usable on machines with Services for Macintosh installed and in use, and I'm told that there is an antivirus product which will have a similar effect--both balloon the number of entries found from a few hundred or less, to hundreds of thousands
    -----

    A number of other people (Daniel Weatherly being first) pointed out that Microsoft Research was already working on something;

    http://research.microsoft.com/rootkit/

    -----
    Matt Tisdel added this story;

    My brother was called into a company to deal with the following use of a Windows rootkit:

    The worm was spread by a password protected .zip file that a user, God bless him, was convinced to open. (Although, it can also spread through ActiveX) The worm installs itself, emails everyone in the address book, sits dormant on the workstation until a Domain Admin logs in, then it spreads itself across the network. In this case the Domain Controllers were easily compromised and DNS pretty much quit working. I believe that many of the detrimental effects of this version of the worm were a by-product of the worm ceaselessly downloading torrents of spyware.

    So, in this case, 3 normal precautions would have prevented or impeded the problem at 2 different levels.

    1. No one logs in as a Domain Admin
    2. No attachments; or at least follow basic precautions (If you aren't expecting an attachment from the person, don't open it)
    3. If Windows XP SP2 had been installed would at least have a chance of stopping the ActiveX infection method.
    -----

    Cheers,
    Russ - NTBugtraq Editor 

    --
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
  • Next message: Brian Bergin: "Re: Firescrolling [Firefox 1.0]"