Re: Root toolkits on Windows

Vanguard
Date: 03/31/05


Date: Thu, 31 Mar 2005 11:36:27 -0600


"Michael Pelletier" <mjpelletier@mjpelletier.com> wrote in message
news:JfL2e.34722$AN1.6527@fed1read03...
> winged wrote:
>
>> Tony Lawrence wrote:
>>> Michael Pelletier wrote:
>>>
>>>> I ran across this article and thought it was interesting
>>>>
>>>> http://www.computerworld.com/printthis/2005/0,4814,99843,00.html
>>>>
>>>> Michael
>>>>
>>>
>>> Yes, and there are people who say it's been going on much longer
>>> than most people think and that there are more infected machines
>>> than you might think: http://www.aplawrence.com/Words2005/2005_03_23.html
>>>
>>
>> While you can not see these root kits easily you can see ones like
>> hacker defender and vanguard (and others) by using this tool from
>> system internals.

Hopefully he meant the "Vanquish" rootkit since I'm not proliferating
any of this high-level OS programming code (yeah, I wish I was that
smart to understand that level of programming).

>> http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
>>
>> If you have an older version of this program you may want to upgrade
>> to the current version (ver 1.32). The whole concept of using a root
>> kit is to hide one's activity from the victim.
>
> The ones the article is referencing are about hiding itself from
> detection (antivirus, etc). The problem with it is 1) Antivirus
> software gets its information, indirectly, from the Windows kernel.
> Now, here is the problem. If the kernel has been compromised and the
> virus is getting info from the compromised kernel it really makes
> anti-virus software a total joke....

Hence the continued need for AV software that can run from a bootable
floppy or CD so the suspect OS is not actually running when it is being
scanned.

>> Root kits can be useful to use for monitoring systems without "users"
>> knowledge. Legalities of doing so depend on network policies and who
>> owns the asset and the network.
>
> Sure, but these applications are designed, and installed, for
> malicious purposes...
>
>> Hiding this stuff using alternate data streams and other methods can
>> be problematic,
>
> Not if you leech onto the NT Kernel. You have to remember that in
> Windows they restrict any sort of direct access. Once it is installed
> the only way to detect it is to pull the system disk and scan it from
> an uncompromised system. This makes it a pain in the ass just to check
> since the system will be down.

Microsoft has its Strider Ghostbuster rootkit detection utility coming
out later (http://research.microsoft.com/rootkit/), which purportedly
works similarly to Sysinternals' RootkitRevealer except that it does an
in-the-box scan compared with an out-of-the-box scan (the Sysinternals
tool only does an in-the-box scan and compare). Any anti-virus programs
that claim rootkit detection (beyond just using signatures, which may
not be detectable under a compromised OS) will also be required to
create bootable media to provide an out-of-the-box scan.

The only real protection is boundary protection; i.e., never let it in
in the first place. Once in, it may be smart and corrosive enough to
prevent detection and even entangle itself so badly that removal will
result in corrupting the OS, and only out-of-the-box scanning would even
detect it.

-- 
____________________________________________________________
Post your replies to the newsgroup.  Share with others.
E-mail reply: Remove "NIXTHIS" and add "#VS811" to Subject.
____________________________________________________________
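An added illustration of the "scan and compare" approach discussed in the post above (my own example, not code from Sysinternals, Microsoft Research, or anyone in this thread): the cross-view diff that RootkitRevealer-style tools perform. The two views are constructed in-line so the block runs offline; in a real tool the API view comes from FindFirstFile/RegEnumKeyEx on the running system, and the raw view from parsing the NTFS MFT and registry hives directly (in-the-box) or from scanning the disk after booting clean media (out-of-the-box). The same comparison logic serves both cases. The file names, sizes, hashes, the "hidden.sys" driver, the "hidden" service key and the differing explorer.exe image are made-up sample data, not indicators of any real rootkit.

```python
"""Cross-view rootkit detection: enumerate the same namespace twice, once
through the Win32 API (which a kernel rootkit can filter) and once from a
lower-level or offline source, then report every discrepancy.  Sample data
below is constructed for illustration."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Entry:
    """One object seen by a scan: a file path or a registry key path."""
    path: str
    size: int = 0        # bytes; 0 for registry keys
    sha256: str = ""     # hex digest of file content; "" when not hashed


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str            # "hidden_from_api" | "api_only" | "content_mismatch"
    detail: str


def _index(view: Iterable[Entry]) -> Dict[str, Entry]:
    # NTFS paths and registry keys are case-insensitive: normalise the key,
    # but keep the original Entry so reports show the path as seen on disk.
    return {e.path.lower(): e for e in view}


def cross_view_diff(api_view: Iterable[Entry], raw_view: Iterable[Entry],
                    ignore_prefixes: Tuple[str, ...] = ()) -> List[Finding]:
    """Compare the high-level (API) view with the low-level (raw) view.

    ignore_prefixes suppresses known-volatile locations (scanner scratch
    files, pagefile).  Keep it short: anything excluded here is exactly
    where a rootkit would choose to live."""
    api, raw = _index(api_view), _index(raw_view)
    skip = tuple(p.lower() for p in ignore_prefixes)
    findings: List[Finding] = []
    for key in sorted(set(api) | set(raw)):
        if skip and key.startswith(skip):
            continue
        if key not in api:
            # The classic rootkit symptom: the object exists on disk / in the
            # hive but the API enumeration never returned it.
            findings.append(Finding(raw[key].path, "hidden_from_api",
                            "present in raw scan, missing from API enumeration"))
        elif key not in raw:
            # Usually a file created and deleted between the two passes, or
            # an API-level virtual object; low severity but worth listing.
            findings.append(Finding(api[key].path, "api_only",
                            "returned by API, absent from raw scan"))
        else:
            a, r = api[key], raw[key]
            if a.size != r.size or (a.sha256 and r.sha256 and a.sha256 != r.sha256):
                # Same name in both views but different bytes: a hooked read
                # path is serving a clean copy while the modified file sits on disk.
                findings.append(Finding(r.path, "content_mismatch",
                                f"api size={a.size} sha256={a.sha256[:12]}; "
                                f"raw size={r.size} sha256={r.sha256[:12]}"))
    return findings


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample views (not real files or real rootkit artefacts).
API_VIEW = [
    Entry(r"C:\Windows\explorer.exe", 1032192, _h(b"constructed clean explorer.exe")),
    Entry(r"C:\Windows\System32\drivers\ntfs.sys", 574976, _h(b"constructed ntfs.sys")),
    Entry(r"C:\Temp\scan.tmp", 12, _h(b"scanner scratch file")),  # made by the scanner itself
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\Ntfs"),
]
RAW_VIEW = [
    Entry(r"C:\Windows\explorer.exe", 1032192, _h(b"constructed trojaned explorer.exe")),
    Entry(r"C:\Windows\System32\drivers\ntfs.sys", 574976, _h(b"constructed ntfs.sys")),
    Entry(r"C:\Windows\System32\drivers\hidden.sys", 24576, _h(b"constructed driver")),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\Ntfs"),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\hidden"),
]


def scan_report(api_view=API_VIEW, raw_view=RAW_VIEW,
                ignore_prefixes: Tuple[str, ...] = ()) -> Dict[str, List[str]]:
    """Group findings by kind, paths sorted, for easy assertion or printing."""
    findings = cross_view_diff(api_view, raw_view, ignore_prefixes)
    kinds = ("hidden_from_api", "api_only", "content_mismatch")
    return {k: sorted(f.path for f in findings if f.kind == k) for k in kinds}


if __name__ == "__main__":
    for kind, paths in scan_report().items():
        for p in paths:
            print(f"{kind:16} {p}")
```

The point of the third category is the one the thread keeps circling: a rootkit that hooks the read path can hand the AV scanner a clean copy of a file while the trojaned image is what actually runs, so signatures alone prove nothing from inside the box. Only a view that bypasses the hooked kernel (raw structure parsing, or a scan from boot media) exposes that mismatch.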

