"Rootkit" spyware ..be very very afraid..

[MikeHunt]

RSA: Microsoft on 'rootkits': Be afraid, be very afraid

Rootkits are a new generation of powerful system-monitoring programs


FEBRUARY 17, 2005 (IDG NEWS SERVICE) - Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals.

The researchers discussed the growing threat posed by kernel rootkits at a session at the RSA Security Conference in San Francisco this week. The malicious snooping programs are becoming more common and could soon be used to create a new generation of mass-distributed spyware and worms.

With names like "Hacker Defender," "FU" and "Vanquish," the programs are the latest generation of remote system-monitoring software that has been around for years, according to Mike Danseglio and Kurt Dillard, both of Microsoft's Security Solutions Group.

The programs are used by malicious hackers to control, attack or ferret information from systems on which the software has been installed, typically without the owner's knowledge, either by a virus or after a successful hack of the computer's defenses, they said. Once installed, many rootkits run quietly in the background but can easily be spotted by looking for memory processes that are running on the infected system, monitoring outbound communications from the machine, or checking for newly installed programs.

However, kernel rootkits that modify the kernel component of an operating system are becoming more common. Rootkit authors are also making huge strides in their ability to hide their creations, said Danseglio.

In particular, some newer rootkits are able to intercept queries or "system calls" that are passed to the kernel and filter out queries generated by the rootkit software. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer's memory, or configuration settings in the operating system's registry, are invisible to administrators and to detection tools, said Danseglio.

The increasingly sophisticated rootkits and the speed with which techniques are migrating from rootkits to spyware and viruses may be the result of influence from organized online criminal groups that value stealthy, invasive software, said Dillard

One rootkit, called Hacker Defender, released about a year ago, even uses encryption to protect outbound communications and can piggyback on commonly used ports such as TCP Port 135 to communicate with the outside world without interrupting other applications that use that port, he said.

The kernel rootkits are invisible to many detection tools, including antivirus, host and network intrusion-detection sensors and antispyware products, the researchers said. In fact, some of the most powerful tools for detecting the rootkits are designed by rootkit authors, not security companies, they said.

There are few strategies for detecting kernel rootkits on an infected system, especially because each rootkit behaves differently and uses different strategies to hide itself.

It is sometimes possible to spot kernel rootkits by examining infected systems from another machine on a network, said Dillard. Another strategy to spot kernel rootkits is to use Windows PE, a stripped-down version of the Windows XP operating system that can be run from a CD-ROM, to boot a computer and then compare the profile of the clean operating system to the infected system, according to Dillard and Danseglio.

Microsoft researchers have developed a tool called Strider GhostBuster that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences that may indicate that a kernel rootkit is running, according to a paper published by Microsoft Research.

The only reliable way to remove kernel rootkits is to completely erase an infected hard drive and reinstall the operating system from scratch, Danseglio said.

Although rootkits are not unique to Windows, the popular operating system is a rich target and makes it easy for malicious hackers to disguise the presence of such programs, according to Jonathan Levin of Symantec Corp.'s @stake division, who attended the presentation at the RSA conference.

The operating system's powerful application programming interfaces make it easy to mask behaviors on the system. Microsoft's Internet Explorer Web browser is also a frequent avenue for malicious hackers, viruses and worms that could drop a rootkit on a vulnerable Windows system, Levin said.

Better tools could be built to detect the current crop of kernel rootkits. However, rootkit authors are adept at spotting new detection techniques and modifying their programs to slip around them, Danseglio said. "These people are smart. They're very smart," he said.

http://www.computerworld.com/printth...,99843,00.html

[.:sp00ky:.]

"These people are smart. They're very smart," he said."

These people need to get girl/boyfriends maybe go out for some fresh air,because anyone who spends all their free time making viruses with names like "Hacker Defender," "FU" and "Vanquish," and think in some way their been"cool" need to get a life.

[ratbag]

viruses spyware hacker attacks only make software and pc security better by exposing holes and vunerabilities

[SLACKDADDY]

To all hackers out there, you have my respect for your talent (but not for the way you go about showing it). If you want to feel the real power of love and notoriety, please please please put your creative energies into a powerful, efficient, secure and anonymous P2P program......man, talk about the world beating a path to your door!!!!!!!!!!!!!!!!!!! What are you guys waiting for???!!! You think Napster is/was a household word, yours would be next if not bigger!

[mcovey]

I have chkrootkit run on my server every night, plus I trust my hardware/software firewall combo.

On my windows desktop .. I could care less it almost never boots :P

[Auggie2k]

I hope all those peoples who make the spyware computers blow up! its so bloody annoying! stop it please?

[infringer]

Interesting you know strange I almost wonder if microsoft themselves are not using this as a part of there DRM funny I have a brand new hdd that all of a sudden went currupt out of the clear blue and the files on that drive where music and video copywrighted files so to speak but all legitly owned this is not the first time this has happend mind you it is an external drive and I am not the only one who has had this happen upon formatting the drive I did a full surface scan with 0 bad sectors or 0 file system errors...

I wonder if they aint dabbling in the remote monitoring of stuff like this... This has happen twice now in my quest to back up all of my media CDs and DVDs alike to external hard drive I find it quite annoying more then anything else who wants to repititiously back up there media to hdd... The drive was brand new retail and the Date on the drive was NOV 04 and the other one was roughly the same when it came to age and exactly the same drive I find it kinda amusing...

I almost wonder if Microsoft isnt using there own monitoring system with there Operating System...

I just find it all to funny that Microsoft is complaining about this or warning people about this yet doing nothing about it... And Microsoft floated through there antitrust case... And Microsoft is going all big on the DRM... And Microsoft is the OS I was running I very much am beginning to hate Microsoft more and more every day if they keep down the road there headed you can bet more and more folks will be investing in linux stock.

The MPAA/RIAA stated that they clearly have software which will remotely wipe your drive clean...

I also heard that there is a way to flag your BIOS for this to happen which was devolped by none other then big ole corperate white collared Microsoft...

Its sad its privacy no more.

Get out your guns (DVD/CDBURNERS) and start fireing away. I have enough stuff to back up to DVDR

Mr. Gates of all people has room to speak about piracy with his operating system basically starting as a mix and mush of stolen ideas... Some people make it in the game we call life doing everything wrong and getting away with it and others well... Lemme tell you Bill Gates is one of them statistics not a financial statistic but a part of an even bigger statistic... The statistic of people who "make it big and then forget were they came from."

Lemme tell you what Mr. Gates you just keep right on forgetting where you came from and all the support of the people that purchase your OS will forget about you as well.

-infringer-