Re: No Defense Against Windows Rootkits?

From: nemo_outis (abc_at_xyz.com)
Date: 09/29/05


Date: 29 Sep 2005 02:12:31 GMT

Imhotep <Imhotep@nospam.net> wrote in
news:_YednWF3VdbaoKbeRVn-3w@adelphia.com:

> nemo_outis wrote:
>
>> Imhotep <Imhotep@nospam.net> wrote in
>> news:KfCdnRIjyucGg6beRVn-jQ@adelphia.com:
>>
>>> "Spyware bad guys (and also phishing people) started using rootkits
>>> technology to stay hidden in a system. The problem is that at the
>>> moment the technology to defend a Windows system from these things
>>> is very poor. In fact antivirus companies have just started adding
>>> basic anti-rootkits technology. So the problem is serious, and well
>>> outlined by this question: Is the closed source code of Windows
>>> preventing us from actively defending our systems?"
>>>
>>>
>>> http://www.viruslist.com/en/analysis?pubid=168740859
>>>
>>>
>>> Imhotep
>>>
>>
>>
>> IMHO (although I'm hardly humble) the question of open-source is
>> largely irrelevant to the issue of rootkits. FWIW (doncha love
>> acronyms?) the concept of rootkits was imported to Windows from the
>> *nix world.
>
> Ah...ok...not sure what that has to do with the article but, yes, you
> are correct, rootkits were first developed on UNIX...again not sure
> what that has to do with the article or what the hell FWIW means....

Perhaps I misread your post - did you not frame the central question in
terms of Windows being closed-source?

But, no, I see I did NOT misread your post - that is indeed how you
framed the question. And the point of my response was that framing the
problem that way is unhelpful - a red herring, in fact. Open- or closed-
source has very little to do with the problem of rootkits - or with
solutions.

In fact, rootkits are common on many of the open-source *nices (and have
"migrated" to closed-source Windows only relatively recently). The
*nices are where rootkits first came to prominence, emphasizing my point
that open- or closed-source is hardly the central aspect.

So what part of my point did you find confusing or unclear?

Incidentally, FWIW means "for what it's worth." I would have expected
an old-timer to be familiar with acronyms and buzzwords, but, if not, let
me refer you to, for instance:

http://kb.iu.edu/data/adkc.html

>> Unix or Windows rootkits operate at the level of binaries. Where the
>> binaries come from (open- or closed-source) is immaterial.
>
> Ah...ok...again not sure what that has to do with the article or what
> point you are trying to make...

Again, my point is that open- or closed-source is not the key aspect. A
rootkit compromises the OS at the executable binaries level and NOT at
the source-code level.


>> Regards,
>>
>> PS Full HD OTFE encryption provides a large measure of protection
>> (although not complete protection) against rootkits and other
>> malware.
>
> Another is *not* running user's accounts with any privileges...which
> is one of the easiest (well, if you use UNIX/Linux/BSD) things you can
> do.
>
>> PPS The only complete protection (passing over hardware tampering
>> such as compromised BIOSs) is something like hash-checking essential
>> files after booting from a known-good CD.
>
> Sure but that would be a real pain-in-the-ass to do every time you
> boot. Also, if you do not reboot frequently that measure becomes
> useless (i.e. you need to reboot with a CD with the saved file hashes to
> detect a break-in after the fact)

There are a number of protections that can be applied against rootkits:
before, during, or after the fact.

Windows, whatever its other deficiencies, has rich and sophisticated
permissions, policies, and control mechanisms - every bit the match of
the *nices. While I concede unhesitatingly that most users don't use
them and often run naked in admin mode, that is not an inherent flaw of
the OS.

Next: If you do not have constant control and custody of the machine,
there is a significant risk that someone can manually install a rootkit,
no matter what permission mechanisms the OS invokes when running. Full
OTFE HD encryption is a significant protection against this major class
of risk any time the system is not running! The alternative is
validating everything from known-good sources before each boot (or just
taking your chances, I suppose).

Regards,
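The hash-checking approach the two posters argue about, as an added example that is not part of the original thread: a manifest of file digests taken while the system is trusted, then re-checked later (ideally from known-good boot media so a running rootkit cannot mask the changes). The file names under the temporary directory are constructed for the demo.

```python
# Added example, not code from the thread: an offline integrity check of the
# kind described above. A manifest of SHA-256 digests is taken while the
# system is trusted; later the same tree is re-hashed and compared against it.
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map every regular file under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def verify_manifest(root, baseline):
    """Compare the tree under root with a saved baseline; return sorted lists
    of modified, missing and new files so nothing is silently overlooked."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed scenario (hypothetical names): baseline two files, alter one, add one."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "system32", "drivers")
        os.makedirs(drivers)
        ntdll = os.path.join(root, "system32", "ntdll.dll")
        with open(ntdll, "wb") as f:
            f.write(b"known-good ntdll")
        with open(os.path.join(drivers, "disk.sys"), "wb") as f:
            f.write(b"known-good disk driver")
        baseline = build_manifest(root)  # taken while the system is trusted
        with open(ntdll, "wb") as f:      # simulated tampering after the fact
            f.write(b"patched ntdll")
        with open(os.path.join(drivers, "hidden.sys"), "wb") as f:
            f.write(b"unexpected driver")
        return verify_manifest(root, baseline)
```

The baseline itself must live on read-only media, not on the disk being checked, or it can be rewritten along with the files it describes.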


