Benefit of 64-bit OS?

Discussion in 'other anti-malware software' started by firzen771, Jul 23, 2009.

Thread Status:
Not open for further replies.
  1. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Great! Hooks, per-process driver manipulations, screen grabbing filters are on the way?
     
  2. Ade 1

    Ade 1 Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    471
    Location:
    In The Bath
    Jeez - one person asks a simple question and world war 3 starts.....
     
  3. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    hmm maybe, but it's informative at least :)
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yes it is informative so I hope the thread doesn't get locked. It's good to hear security vendors' issues with 64 bit. I guess at the end of the day the only way to find out how secure 64bit security products really are is to test them with all the testing tools and malware we have available.
     
  5. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    Thanks for your detailed reply. Much appreciated.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It's clear that developers have different opinions regarding what is sufficient system access. I'm not a coder so I might not get all the terms right, but I'd like to ask both Ilya Rabinovich and the PrevX moderator this question. Using Microsoft's "officially sanctioned" methods, is it possible to see all that is running at kernel level, rootkits, low level processes, etc or can activities (legit or otherwise) still remain hidden from security apps such as yours?
    That doesn't hold true. Malware coders can use methods that work some of the time. Security apps have to work all of the time. A malware coder isn't that concerned if their code causes occasional crashes or damage in certain situations, not acceptable for a security app. The most a malware coder stands to lose is a few victims. For a security app vendor, the cost is much higher, customers, their reputation, and possibly their livelihood.
     
    Last edited: Jul 25, 2009
  7. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    If I understand your question right, with using kernel API it is possible to write a full-featured rootkit under the x64 so-called "platform". The only real protection here is driver code signing. And yes, malicious code running at kernel level can bypass any security software. On the other hand, any kernel-level malicious code can be sanitized.
     
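    Ilya's point above rests on driver code signing being the one real gate on x64. As an added illustration from the defender's side (not code from the thread or from any vendor named in it), this PowerShell snippet lists the currently loaded kernel drivers whose Authenticode signature does not verify, so a user can see which drivers on their box are not covered by that gate. It assumes Windows with PowerShell 3 or later; on older releases many Microsoft drivers are catalog-signed and may show as NotSigned, so the output is a triage list, not a verdict.

```powershell
# Added example, not from the thread: report loaded kernel drivers whose
# Authenticode signature does not verify as Valid.
function Get-UnverifiedDriver {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the kernel-style path forms the class can return
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Anything listed here is loaded in the kernel without a signature that
# verifies on this machine and deserves a closer look.
Get-UnverifiedDriver | Format-Table -AutoSize
```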
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Leaving Microsoft's built in defenses out of the discussion for the moment, can I assume that security software cannot "see" everything running at kernel level using the methods Microsoft has provided?
     
  9. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    On another forum over a year ago, I suggested that SSL Certs could very possibly be forged/faked leading to all sorts of skullduggery. I got shot down in flames by so called " experts " and MSVP's etc saying it was impossible blah blah blah. Well it happened, and is happening.

    So if those clever baddies can do that, then I've every reason to presume they and/or others could very well forge/fake driver code signing too. Which would lead to all manner of problems no doubt.

    I know someone who can write RK's for Vista, and also says 7 is no biggy either.

    The ave Jo doesn't really need 64 Bit, or for that matter 3/4 GHz PC's !
     
  10. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    What doesn't hold true, that they shouldn't or will not adapt to the new environment? Malware coders used unorthodox methods before just as some security developers did. Time to get innovative again....malware authors will
     
  11. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Wrong direction. Security software can't see what is going at application level without user-mode hooks. And this is the real security issue.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    OK. There are problems with monitoring application level activities. How much ability does security software have to monitor kernel level activity on a 64 bit system?
     
  13. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    In fact, different types of security software require different levels of control abilities.
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm having a hard time finding the right way to ask this question. One more time. I realize that your software doesn't run on 64 bit, just like my preference, SSM does not. Leaving the built in protection of 64 bit systems out of the equation and referring to HIPS software such as yours or SSM, are the means provided by MS sufficient for apps like yours to monitor what happens at a kernel level? Did MS provide the means to observe all kernel level processes? Assuming a rootkit could defeat patchguard and their driver signing (or was allowed by it), would that process (and its activities) be visible using the access that MS provided, or can processes (legitimate or otherwise) run hidden because of the design of the OS and the amount of system access MS is giving?
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, if you have kernel-level access, you can run hidden processes and hide files and registry keys.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is what I was referring to in laymans terms


    Here is where the confusion starts. From a user perspective I would say great: somebody checks whether a company is legitimate, no legitimate company, no signed driver, no kernel hooks. Period great

    Next some security vendors started to argue that one could bypass the patchguard, MS should allow security vendors (here is the joking deal: only a few limited trustworthy vendors like Norton/McAfee, Kaspersky etc, the known AV solution providers), because security should be layered per sé. There was another argument: who is going to save the OS when its protection is bypassed: exactly a third party. While MS argued by allowing no third party to the kernel, they would not have that problem anyway.

    Then some PoC on parts of the chain started to arise (the chain of events needed to bypass the patchguard). The arguments (for a layman like me) sounded the same as Joanna Rutkowska's Blue Pill. When she was challenged by an anti-rootkit company to prove it she asked U$ 384,000 to enter the competition :thumbd: and backed off).

    So the probability of bypassing the rootkit, for me is still in the phase "the moon is yellow, the moon is round, so it must be a giant Gouda cheese". Some arguments are true, but the conclusion is far fetched.

    What it really boils down to is (for me): how likely is it that a malicious vendor would acquire driver accreditation (a signed driver)? I know you can get a security certificate real easy without the issuers really checking (Comodo does f.i.). How easy is that for driver signing?


    Second question I have is: why are especially the smaller companies (Ilya, Tzuk, Xioalin) so pissed off on this issue?

    Could somebody elaborate on this?
     
    Last edited: Jul 26, 2009
  17. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Sorry if I am a bit out of the subject, but it looks important to me.

    The normal way to use any OS should be to use it under LUA. So for me the real question is:
    Is it possible to imagine a malware able to install in kernel level in a LUA environment, without user interaction (social engineering or user giving credential through admin account password provision)? Does it already exist? The question is valid for 32bit OS as well.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Lucy,

    It is not possible with 'Patchguard' on x64, nor without user consent on x32
     
  19. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, that is only a security issue if one is trusting his security to third-party security vendors. Some people do that. Some people don't. In the Windows world, a lot of people do. In the Unix world, very few do. And there isn't any reason why folks in the Windows world should not follow the example of Unix in this case. MS is trying to boost the security of the actual operating system. Not a bad goal, as I see it. And they are making things harder for malware authors - not impossible, true, but harder. If that makes things harder also for security vendors, that's life - security vendors are using many of the same technical methods as malware authors to do their thing, and how is the OS to know whether it's malware or legit security software doing it. Nobody likes it when people make their job harder.


    I'm not a security vendor, but I do have a theory. The smaller companies building various kinds of special security software, like HIPS products or rollback products, have a very limited market. Most computer users have no idea such products and companies even exist, and no desire at all to use those products. These companies have to market to a special audience, such as the kind of people who read forums like this one, who will then pass on recommendations to other people. If Microsoft does something that makes forumites believe Windows can be secured pretty easily without complicated third-party software, said forumites will stop buying and recommending the wares of these small security vendors. And obviously the small security vendors lose business. And nobody likes that. Further, the changes MS is making do make it more difficult for the small vendors to do their thing, so it will be more difficult for the companies to provide service to their loyal customers. And then, I figure, there's also that some of these people use their own security software and are pissed off that they can't really do that on certain new MS operating systems, without significant changes to their own software. Maybe they don't trust MS. :D But then, I don't think anyone should be using an operating system they don't trust, from a company they don't trust. That is just stupid, and there's no way to secure an untrusted OS by piling third-party security software on it.


    Of course it is possible. It's possible in most any OS, in Windows and in Linux, for example. Only that it requires a privilege escalation vulnerability - an unpatched one. Without privilege escalation vulnerabilities, it cannot be done. I don't know of any ITW malware that has done something like this, either. There's not much point to it right now - social engineering is a much easier way to attack systems. In a targeted attack, something like that might actually be used, maybe - probably not, though, as social engineering is still easier.

    No security system is 100 %. And it doesn't need to be. Just close enough to make attacks very unlikely to succeed and easy to detect.

    How it could happen: code a malware executable that runs standalone at first, writing itself into a browser cache or %Temp% folder, but not trying to write anywhere where limited users cannot (easy). In that malware executable, include the code to exploit the privilege escalation vulnerability right away when the malware executable gets started. Further, include code that then installs a kernel mode rootkit after privileges have been escalated to admin or system. You can then include whatever code you really wanted: spam/DDoS bots, keylogging, whatever to be run after the rootkit is installed and it can hide this stuff. Then dump this malware exe as the payload of some drive-by download attack on the web. And that's it. Of course, even this attack would be stopped by simple execution prevention - unless the attacker knew of some flaw in the execution prevention software and could exploit that, as well.

    But really, you're exactly right that we should be discussing things from the limited user perspective. That should be the norm, and MS is moving to that direction. Of course, it's a lot easier for security vendors to sell their stuff if everyone runs as admin, so some of them don't like the idea of limited user accounts all that much.
     
    Last edited: Jul 26, 2009
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    True, true. I am now cancelling my holiday airflight ticket, because I would not survive the trip, there is a chance the plane will crash

    True, true. I am not taking the free space on the parking lot, just before the entrance of the supermarket, my car's power steering might fail and I will cause an accident. Better to drive another 500 meters, so I can park all alone in a free area.

    Windchild you are right, but imagine how life would look like when I would take all these 'facts' as reality in life

    Regards Kees
     
  21. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Kees1958

    Ave vue un cuppa ? lol

    Windchild

    Lots of good points ! Another reason vendors are so pi**ed is because they have to pay $ to MS for driver signing, and many of these mainly only known to forumites ( good word lol ) don't make much, or ANY, $ in the first place.

    MS should waive the fee for such nice peeps, or vastly reduce it. That would be very understanding of them, showing that they don't want to trample on everyone ! How much chance of that though o_O
     
  22. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    It would look exactly like it looks now: business as usual. Really, there's no point in denying reality. I can happily board an airplane knowing it might crash. I can happily recommend limited user accounts, and in the same post state that they are not invulnerable in any way to user mode malware or privilege escalation attacks. So what? Life is like that. There is always a certain amount of insecurity and uncertainty, random chance, if you will. Luck. Karma. Whatever, man, we have to roll with it. ;) Just because something might happen and is possible, does not mean we have to get all stressed out and up because of it. I don't. You don't have to be the fastest guy when you're being chased by a bear - just be faster than someone else. :D

    There is chance that the plane will crash. But how likely is it? How many times have you been in an airplane before, without it crashing? How often do other people do it? Pretty darn often. Actually, crashes are very rare. So why worry, even though they are possible? You shouldn't deny the possibility if it exists, and it does. Just accept that it's a small risk that you can't avoid, and continue living your life. And enjoy your holiday. You're almost certain to survive it. :)
     
    Last edited: Jul 26, 2009
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Windchild,

    Something got lost in translation, did not realise that using Dunglish (Dutch to English 1-on-1 translation) would mean the opposite; facts of life. :D

    Ahh well we agree, live by the facts of life (hopefully correct now), not by the fears of life.

    By the way: although we have no bears or lions in Holland, the saying in Dutch is exactly the same only it is a lion who is chasing.


    Stevie,

    Not quite sure whether I understand it properly, so

    a) Yes I got a cup of my own brewing

    b) No, I only drink tea when I am ill, otherwise prefer coffee

    c) I have no chappa, just need a shower
     
  24. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Kees1958

    You guessed right first time. It's from an old Brooke Bond tea commercial in the UK on tv with the chimps I've seen on some rerun show of them. If you're not from the UK you probably haven't seen it.

    Just found it on YouTube for you, I think it's quite funny, see what you think

    http://www.youtube.com/watch?v=UenzNJztr4g
     
  25. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Thank you for the French. I got it :cool:

    Basically, except for vulnerabilities, there is no way to install at root in a LUA.

    Fair enough. This means to me that a security product, whose primary target should be to increase the global security of the computer, has to work either on protecting the OS from such vulnerabilities, or alerting on social engineered attacks, or stop user mode attacks.

    One example:
    DW 32 bits (and 64 bits) is great at protection against vulnerabilities as its defense mechanism is policy based and doesn't depend on credentials.
    DW 32 bits (but not 64 bits) is great at protecting against user mode attacks for the very same reason, and as long as DW covers the attack scenario.
    DW does nothing about social engineering. A dedicated tool (already existing on windows OS by default through IE) is therefore necessary.

    I therefore understand Ilya's point of view, as it seems at least one scenario is no more accessible and he feels like he can't perform his task correctly. Whether or not this is true is a question of specialists. I will let PrevxHelp or anyone else discuss it.
     