Malicious Bots Hide Using Rootkit Code

Discussion in 'malware problems & news' started by ronjor, May 18, 2005.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    Story
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Always interesting news, amigo, even if kids and teens could become a little bit paranoid. ;)

    I don't totally agree with some points of view in the article, especially the opinion that rootkits are undetectable.

    Hacker Defender free edition is well known to many security software products (see the image with the NOD32 trial version) and easy to remove.

    Detection is really difficult with the golden version.
    But even in this case, it's possible to detect its hidden TCP connections with a protocol analyzer or an advanced sniffer.

    I don't believe in invisible malware: the perfect rootkit is ... Windows itself!
    On the other hand, rootkit writers are exploiting some methods using "Ring 0" or the motherboard.

    In this case, with the "cat and mouse" game: to be continued...

    A Microsoft researcher has "written" a tutorial demystifying rootkits.

    It's not technical and there is an illustration with HRDF (how to detect and remove).
    It's a video, and RealPlayer (Mozilla/Firefox) or Windows Media Player (IE) is necessary (about 50 min.).

    Just follow the next link and create an account:

    http://www.w2knews.com//rd/rd.cfm?id=050425ED-Rootkit_WC

    The article mentioned anti-detection methods, and in this case classical AVs/ATs have to improve their technology against the new generation of threats:

    http://www.viruslist.com/en/analysis?pubid=162454316


    Regards
     

    Attached Files:
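The point made in the post above, that a rootkit's hidden TCP connections still show up to a sniffer outside the host, is the cross-view technique. The following is an added example and is not code from the thread or from any product named in it; it diffs a (possibly hooked) netstat listing against flows recorded off-host. The netstat text, the sniffer flows, the host address 192.168.1.20 and the port-5002 session are all constructed for the demo.

```python
"""Cross-view detection of TCP connections a rootkit hides from netstat.

Added example, not from the thread or from any product named in it.  A
user-mode rootkit hooks the APIs that netstat-style tools call and filters
its own sockets out of the listing; a sniffer outside the host (a span port,
a tap, or a second machine running a protocol analyzer) still sees the
packets.  Diffing the two views reports every flow on the wire that the
host's own listing does not account for.  All inputs below are constructed.
"""
import re
from typing import NamedTuple, Optional


class Conn(NamedTuple):
    local: tuple             # (ip, port) on the monitored host
    remote: Optional[tuple]  # (ip, port) of the peer, or None for a listener


# Constructed: what `netstat -an` on the (possibly hooked) host reports.
HOST_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    192.168.1.20:1043      64.233.161.99:80       ESTABLISHED
TCP    192.168.1.20:1044      192.168.1.1:445        TIME_WAIT
"""

# Constructed: flows a sniffer recorded for the same host as
# (src ip, src port, dst ip, dst port).  The last two carry a session on
# port 5002 that the host never listed.
SNIFFER_FLOWS = [
    ("192.168.1.20", 1043, "64.233.161.99", 80),
    ("64.233.161.99", 80, "192.168.1.20", 1043),
    ("192.168.1.20", 1044, "192.168.1.1", 445),
    ("10.0.0.7", 2781, "192.168.1.20", 5002),
    ("192.168.1.20", 5002, "10.0.0.7", 2781),
]

NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)", re.M)


def parse_netstat(text: str, host_ip: str) -> set:
    """Socket table as the host reports it.  Wildcard listeners (0.0.0.0:port)
    are normalised to the host's address with remote=None."""
    conns = set()
    for lip, lport, rip, rport, state in NETSTAT_LINE.findall(text):
        if lip in ("0.0.0.0", "*"):
            lip = host_ip
        if state == "LISTENING":
            conns.add(Conn((lip, int(lport)), None))
        else:
            conns.add(Conn((lip, int(lport)), (rip, int(rport))))
    return conns


def flows_to_conns(flows, host_ip: str) -> set:
    """Fold both packet directions of a flow into one (local, remote) pair."""
    conns = set()
    for sip, sport, dip, dport in flows:
        if sip == host_ip:
            conns.add(Conn((sip, sport), (dip, dport)))
        elif dip == host_ip:
            conns.add(Conn((dip, dport), (sip, sport)))
        # traffic not involving the monitored host is ignored
    return conns


def find_hidden(netstat_text: str, flows, host_ip: str) -> list:
    """Connections seen on the wire that the host neither lists as
    established nor explains with a listening socket on that port."""
    host_view = parse_netstat(netstat_text, host_ip)
    hidden = []
    for conn in sorted(flows_to_conns(flows, host_ip)):
        if conn in host_view:
            continue
        if Conn(conn.local, None) in host_view:  # inbound to a known listener
            continue
        hidden.append(conn)
    return hidden


if __name__ == "__main__":
    for c in find_hidden(HOST_NETSTAT, SNIFFER_FLOWS, "192.168.1.20"):
        print("hidden: %s:%d <-> %s:%d" % (c.local + c.remote))
```

Two caveats a practitioner would keep in mind: the wire view has to come from outside the host, because a sniffer running on the rootkitted machine reads through the same hooked stack it is trying to check; and a hidden connection is only visible while it carries packets, so the capture has to span enough time to catch the backdoor talking.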

  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi kareldjag,

    Ring-0 is no real threat; assuming Current Privilege Level (CPL), it still has to write to memory and therefore a simple restore via an image, ShadowUser, or Deep Freeze takes care of the problem.

    The EEPROM memory on the motherboard is another issue: not explained anywhere (maybe you have a source) is how the rootkit becomes embedded into the chip. Purchasing the card or board from the manufacturer or a reputable dealer would preclude having a rootkit pre-embedded.

    If a trojan or other software program attempts to install it, that could easily be prevented by an anti-executable program. You mentioned in another thread that a script could easily disable an anti-executable program (you mentioned PG), which would prevent it from starting at reboot by removing it from the Run keys. Well, not all such programs start from the Run keys. Anyway, this is no issue if running Deep Freeze or something similar, because anything that the script changed would be undone on reboot.

    Besides, what are the chances of that happening, really? Maybe you can shed more light on this.

    Actually, with the proper set up there is no need to play that game...

    Regards,

    -rich
     
  4. controler

    controler Guest

    Hi

    EEPROM (electrically erasable programmable read-only memory) refers to the memory on your video card, which has been talked about for a long time in the rootkit community (rootkit.com).

    The two memories talked about on the motherboard are your RAM, which is erased each time you reboot, and your BIOS, which does not get erased on reboot.
    BIOS viruses have been around since the dawn of computers. AVs used to catch most of them. This is why I preach reflashing your BIOS before you reformat, to be extra sure ;)

    Hope this helps in your search.

    P.S. One thing about reflashing your BIOS: a lot of computer manufacturers still make you create and use a floppy disk to perform this action. In the old days, motherboard manufacturers made you move a jumper on the motherboard to flash the BIOS. Nice feature, since you or any other program could not write to the BIOS without moving the jumper. A lot of companies have done away with the jumper. This way they have fewer tech calls on poorly flashed BIOSes, which usually made the motherboard useless.

    controler
     
  5. Rmus

    Thanks - some good info there - I searched that site some time ago but didn't catch specifics on eeprom.

    There are two references to a driver that would load executable code onto the chip.

    Would the installation/running of this driver be stopped by an anti-executable program, such as ProcessGuard or FreezeX (now called anti-executable)?

    -rich
     
  6. controler


    Rmus

    I have not tried FreezeX but am sure PG would block the driver.

    controler
     
  7. Rmus

    Thanks, controler - it seems to me, then, that the most secure setup to defend against a rootkit (or any other trojan, really) is

    1) some type of anti-executable program

    2) some type of lockdown program, such as ShadowUser or Deep Freeze.

    I see no reason (except for the fun of it) to bother with scanning/detecting for rootkits with the above in place.

    -rich
     
  8. controler


    The main thing is that your system was fresh when you installed ShadowUser & FreezeX. ;)
    I don't know if FreezeX stops new driver installs etc. like PG does, but I would think that important. The theory is that while in shadow mode you still need protection, even if all is back to normal after reboot. The one thing I don't like is an option in ShadowUser to reboot & save all changes. I think this could cause some nasty things to happen if a person wasn't careful. ShadowUser allows the user to either shut down ShadowUser, saving all changes, and/or reboot saving all changes.
    Then there is the commit button.
    Anyway, you still need protection while in shadow mode, which includes a software firewall or a good router which includes a firewall.

    controler
     
  9. Rmus

    Yes, it does. See

    http://www.faronics.com/html/AntiExecStd.asp

    I too had reservations about it and decided on Deep Freeze.

    Agreed!


    -rich
     
  10. controler


    I have not tried Deep Freeze yet. I shall take a peek at it.

    Have you seen posts anywhere that compare the two?

    controler
     
  11. Rmus

    See below.

    EDIT: should add in keeping with the topic of the article Ronjor mentioned, that using one of the anti-executables mentioned in above posts, and a lock-down program as described here, precludes the need for worrying about detection: the rootkit just doesn't run or execute, and is removed on reboot.
    ------

    Give some careful thought to Deep Freeze - it was designed with public computers in mind - libraries, schools - where changes to the system - new programs, etc - are not often made. This Enterprise version installs a "Thawed" Partition for users to store data files, etc. But C:\ is absolutely bulletproof. I learned about DF, at the school where I work, and was thoroughly impressed.

    The home (Standard) edition does not have the Thawed drive, so you need two or more partitions with at least one not frozen. Since C:\ will be locked down, nothing can write to it. This means you have to do some remapping in case you use IE, OE, etc. (Not a problem here, since I don't use those.) The same applies if you use My Documents, etc., but this remapping is now pretty easily done with TweakUI.

    So, there is a bit of inconvenience, which is why ShadowUser appeals to a lot of people, with its "Commit" function, etc.

    But for me, I felt that DF was more robust and secure (it doesn't work on the virtual image principle that SU does -- see article below) - it's "driver operates at a lower level" (words of DF support in answer to my question about the differences).

    So, as with any product, users need to give careful thought and trial to products. I'm not speaking to you, of course, but mention this in general as a way of saying that I no longer recommend that someone purchase product A instead of B - I gladly will say that I am happy with a product and why, but prefer to list 2 or 3 for users to compare.

    There are just too many differences in users' systems, computing habits, needs, etc.

    About trial - DF *strongly* recommends their free 60 day evaluation before purchasing.

    Please report back your experiences.

    regards,

    -rich

    A little ShadowUser story.
    https://www.wilderssecurity.com/showthread.php?t=64145

    Deep Freeze Experiences
    https://www.wilderssecurity.com/showthread.php?t=60158

    ShadowUser Virtual Volumes
    http://www.shadowstor.com/solutions/secure/VirtualVolumesExplained/

    Deep Freeze FAQ
    http://www.faronics.net/faq/index.php?sid=35795&lang=en&action=show&cat=382256

    Has anybody tried Deepfreeze?
    http://www.dslreports.com/forum/remark,10677993
     
    Last edited: May 23, 2005
  12. controler


    Rmus

    At present I am running Firefox from a RAM disk through ShadowUser.
    Works sweet. I hope to try out the home version of Deep Freeze since that is where common users will be.
    I don't know when I will get to it since it is the height of the fishing season here.
    We need to have our priorities :D

    Deep Freeze sounds a bit complicated for home users, doesn't it?
    Maybe I could get a license for the full version.

    controler
     
  13. Rmus

    Yes - I've put it on just two systems (besides mine).

    I assume you mean the Enterprise version - I never inquired directly, but took at face value from their site that it came in licenses of 10 only for institutions.

    But of course!

    If you do try it, I'd be interested in your comments. (probably should start a new thread)

    regards,

    -rich
     

    Attached Files:

  14. kareldjag

    Hi,

    Thanks for the replies, I thought I was alone in being interested in the subject ;) .

    F-Secure's team have also commented on the news:
    http://www.f-secure.com/weblog/#00000559

    If rootkits evolve to be able to gain access and hide themselves in the flash memory of video cards or in EEPROM devices, then that's not really the most important thing. A piece of code can be stored and run and executed from the video processor in order to patch the kernel memory.

    But in this case again, the cat and mouse game is not obsolete at all: the security industry (software or hardware) will take advantage of these rootkit possibilities as mercantile and advertising arguments for their new products.

    The first question with any malware (like rootkits) is not "which line of defense and software must be deployed".
    The first question is "how can malware (and in this case, rootkits) enter, gain access and infect a system".

    Rootkits always take advantage of privilege escalation, vulnerable systems (not well configured and hardened) and the user's mistakes.

    Taking time to harden Windows is as important as choosing its line of defense (services, TCP/IP parameters, rights and privileges etc.).
    On a hardened system, with very limited privileges (never run as an admin) and an educated user, the challenge will be more difficult for the attacker.

    As always, know your enemy and you'll be able to defeat/vanquish ;) it.
    This sentence has been true since the mammoth era.

    This kind of method (software attack against a hardware area) is not new.
    In the past, the CIH virus already used it:
    http://www.hardwaresecrets.com/article/40


    About attacks against hardware, there is for example a PDF paper (a little bit technical) from Princeton University, and I attached the more interesting part.
    The full paper: http://videos.dac.com/41st/papers/46_1.pdf

    Countermeasures exist and will always exist against any rootkit method.
    We have discussed hardware security in another thread.
    AMD will provide AV technology:
    http://prnewswire.com/broadcast/12076/press.shtml

    Microsoft already has Integrity Flow (and GhostRider) in its projects.
    And LONGHORN will integrate hardware security features:
    http://www.microsoft.com/resources/ngscb/default.mspx

    And ATI, NVidia, Asus and other hardware manufacturers will surely integrate security features in their products.

    Finally, there's no reason to be afraid: the invisible malware is not ready to be born (since it integrates into a system as an external piece of code, it will be detected).

    Just quickly a few other points.

    Controler, I confirm that ProcessGuard prevents rootkit installations on a clean system (see the image).

    Rmus,

    -about VB scripts: there are many things that we can do with a .vbs: run an application as a service, disable a startup entry etc.

    But it's not an issue if Windows Script Host has been disabled.
    For the ones who don't know if WSH is enabled on their computer:
    Click on the next link, unzip the file and run the .vbs.
    A pop-up will appear to notify you of the answer.
    http://www.jastek.net/dnl/nowsh.zip

    If WSH is enabled, then just follow the instructions in the help file, or here:
    http://www.sarc.com/avcenter/venc/data/win.script.hosting.html

    -Regarding virtual drive technologies like Deep Freeze/ShadowUser, I don't doubt that they're really effective.
    But if they were the ultimate solution against rootkits and any malware and attack, then the brothers Network/Computer Associates and uncle Symantec could just stop their business now.

    You're protected after the reboot, but very vulnerable during the session.
    Just a scenario: an attacker can prepare a special rootkit package to put in a P2P area, like Hacker Defender gold version + undetected keylogger + another stealth backdoor + some photos, MPEG and WAV files.
    The zip package is called "britneyinbikini" and the .exe directly installs the rootkit and launches the keylogger and the other backdoor.
    Then, after the kid/teen has run the .exe, if the kid's mother takes the computer for banking and shopping online, the harm and the worst is done.
    After the reboot, the computer is perhaps clean, but it's too late.

    Regards
     

    Attached Files:

    Last edited: May 24, 2005
  15. kareldjag

    Here is an extract about software attacks on hardware:
     

    Attached Files:

  16. Rmus

    OK, I have to start from scratch. The security here is (in addition to a firewall):

    1) FreezeX (now named Anti-executable)

    2) Disable WSH (some use Wormguard which blocks scripts from running)

    3) Deep Freeze

    FreezeX (or similar product, ProcessGuard) will not let any .exe run that is not on the system's "white list." In your scenario above, the "britneyinbikini" will *not* install, so there is no vulnerability during the session.

    Yes, the advertising arguments are very persuasive indeed. After rootkits pass, something else will spring out of the woodwork.

    It's no coincidence that MS is now in the anti-virus business. Would that they put as much effort into producing a more robust security model for Windows and their other software.

    Because the programs mentioned above work from a "white list" there is no need to update anything, unlike an anti-virus program. Hence, no cat-and-mouse game.

    Well, this has been recognized by many (including myself) who do not feel the need to use any anti-virus, anti-ad, anti-_________ (fill in the blank) and have been perfectly secure for years.

    While scanning/detecting for malware, analyzing hijack logs, etc., may be fun for some people, it's a waste of time for the home user who just wants to have a nice computing/surfing experience and not worry about it.

    One correction above: Unlike ShadowUser, Deep Freeze does not employ virtual drive technology. Their driver works at a lower level.

    Regards,

    -rich
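The "white list" model described in the post above, and the script hole kareldjag raised two posts earlier, can both be shown in a few dozen lines. What follows is an added example and is not code from FreezeX, ProcessGuard or anything else named in this thread. It keys the list on SHA-256 of the image's bytes rather than its name, so a dropper renamed to notepad.exe is still refused and the real notepad copied to another name still passes, and it shows why an allowlisted wscript.exe is a problem: the .vbs it is handed is never checked. The file contents, the names (notepad.exe, wscript.exe, britneyinbikini.*) and the INTERPRETERS policy are all constructed for the demo.

```python
"""Hash-keyed execution allowlist, and the hole scripts leave in it.

Added example; it is not code from FreezeX, ProcessGuard or anything else
named in this thread.  An anti-executable tool lets an image run only if it
is on the system's white list.  Keying that list on SHA-256 of the file
contents (rather than its name) means a trojan renamed to notepad.exe is
still refused, while the real notepad copied to another name still passes.
It also shows the point raised about scripts: once an interpreter such as
wscript.exe is on the list, the .vbs it is handed never gets checked, which
is why disabling WSH (or leaving the interpreter off the list) matters.
Every file and launch request here is constructed in a temporary directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed policy: images that run other people's code on their behalf.
INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe"}


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths) -> set:
    """Snapshot of the trusted images, taken while the system is clean."""
    return {sha256_file(p) for p in paths}


def decide(image, argv, allowlist) -> tuple:
    """Return (verdict, reason) for a launch of `image` with arguments `argv`."""
    if sha256_file(image) not in allowlist:
        return ("deny", "image hash not on white list")
    name = Path(image).name.lower()
    if name in INTERPRETERS and argv:
        # The interpreter is trusted; the payload it will run was never hashed.
        return ("allow", "interpreter on white list; payload %r not checked" % argv[0])
    return ("allow", "image hash on white list")


def demo() -> dict:
    """Exercise the four cases discussed above; returns verdicts by case name."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        notepad = d / "notepad.exe"
        notepad.write_bytes(b"MZ constructed notepad image")
        wscript = d / "wscript.exe"
        wscript.write_bytes(b"MZ constructed script host image")
        allowlist = build_allowlist([notepad, wscript])

        # A dropper given a trusted name: same name, different bytes.
        sub = d / "download"
        sub.mkdir()
        renamed_trojan = sub / "notepad.exe"
        renamed_trojan.write_bytes(b"MZ constructed britneyinbikini dropper")

        # The real notepad under another name: different name, same bytes.
        renamed_good = shutil.copy(notepad, d / "calc.exe")

        # A script handed to the trusted script host.
        payload = d / "britneyinbikini.vbs"
        payload.write_text("' constructed payload\n")

        results = {
            "renamed_trojan": decide(renamed_trojan, [], allowlist),
            "renamed_good": decide(renamed_good, [], allowlist),
            "script_via_wscript": decide(wscript, [str(payload)], allowlist),
            # WSH removed from the list: the launch is refused outright.
            "script_wsh_removed": decide(
                wscript, [str(payload)], allowlist - {sha256_file(wscript)}),
        }
    return results


if __name__ == "__main__":
    for case, (verdict, why) in demo().items():
        print("%-20s %-5s %s" % (case, verdict, why))
```

The "script_via_wscript" case is the one to look at: the verdict is "allow" and the reason says the payload was not checked, which is exactly the session-time gap an anti-executable on its own leaves open and why item 2 in the list above (disable WSH, or block scripts) sits beside it.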
     
  17. controler


    RMUS

    How do you uninstall Deep Freeze?


    controler
     
  18. Isn't the real issue that most common users can be easily infected with a rootkit and they'll probably never know about it? Not whether you guys with all your extra super heavy duty layered protection could ever possibly be infected (highly unlikely).

    I don't know many people who have even heard about a rootkit or Process Guard / Deep Freeze, and most could care less about the programs. How many average computer users are really going to take the time to learn to use even more security programs besides their AV and Firewall?

    We really need to have something better built into Windows if the average user is ever going to find out about it. Like a combination of Process Guard and Deep Freeze like technology built right into Windows and easy to use and figure out.

    I know, I know what you're all thinking: M$ will just screw it all up, but in reality that's probably the only way most people will ever hear of this stuff and benefit from it.
     
  20. Rmus

    Hard to argue with this and your other comments, Uncle S. I can speak only for myself and others whom I've helped set up a system.

    Once everything is in place, it's easier really, because unlike AV programs, there is nothing to update. You never have to "clean" your system- that's done automatically at every reboot

    You are too logical, Uncle S. :D

    This, of course, should have been put into the planning stages 1 day after Win95 was released.

    Personally, I don't think it will ever happen because there is just too much money to be made in the prevention industry. Why else did Microsoft get into the AV business?

    Regarding rootkits - if people understand that it is just a trojan of a different breed, then the fear factor stays low.

    In my case, I don't even mention names of viruses and other malware in setting up home systems for friends and family - I just install the programs and show them how they work and they get on with their computing. It really boils down to how you approach and teach the basics of security. As mentioned many times on these forums, many people don't consider security until they find a virus, etc., then they frantically shop around for a product, and the cat and mouse game begins. But we are getting a bit off topic here - might be nice to start a thread on the basics of security.

    regards,

    -rich
     
  21. controler


    Oh oh, I guess I should have done a lot more reading before installing Deep Freeze.

    I should NOT have chosen the workstation version. This one IS for schools, etc. & NOT a common home user.

    Even my workstation install didn't go well. The first thing that happened was I lost my internet connection & was forced to shut down Look 'n' Stop to get reconnected.

    Second thing I noticed was a very slow system until after about three reboots.

    Next I wanted to see how uninstall went after just 10 min.

    There is no uninstall in Add/Remove.

    Here is a quote from their site in answer to "How do I uninstall Deep Freeze?"


    "Thaw Deep Freeze using the Boot Control tab and restart the workstation."


    Where is this boot tab? I sure cannot find it yet LOL

    Left or right clicking on the tray icon does nothing.
    I know it is early & am on first cup of java but geez.

    I am sure the workstation version is great for schools etc. or even a parent that doesn't want things messed up, but I know already it is not for me.

    Now where is the BOOT TAB? so I can remove it. Otherwise I need to reformat again.

    controler
     
  22. controler


    Rmus, I will be fishing off & on all of June. Usually on weekends.
    I spend a lot of time in motel rooms, as where I am this week. I had some extra time & thought I would see what Deep Freeze was all about.

    It does have some OK protection. I never tried to shut it down with DSC's tool as of yet. I will mess a bit more this evening.

    controler
     
  23. Rmus

    o_O Please Explain...

    -rich
     
  24. kareldjag

    Hi,

    Rmus,

    "Virtual drive technology" is just an expression to designate solutions like Deep Freeze, Drive Vaccine, ShadowUser etc.
    But it seems that the pro version can use virtual zones.

    As I said, and I repeat it again: even with Deep Freeze, you're still vulnerable during a session.

    Now OK, you've added PG to your setup:

    The kid's mother is banking and doing shopping online.

    With web application attacks, any data stored in the browser can be intercepted, modified and stolen on the fly and in real time (cookies, passwords, bookmarks).
    Man in the Middle is an attack used in phishing:
    the attacker just has to redirect the session to a fake https web site, and then there's no need to use a keylogger but just a sniffer to record any password.

    We can't ignore the impact of phishing, especially in the USA.
    And the methods have become more and more sophisticated; here is a recent example: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=194

    And with PG + Deep Freeze + AntiExe., you're still vulnerable to many attacks (see the image) like TCP hijacking, DNS/ARP cache poisoning, DoS/DDoS/DDORS, buffer overflows, Java exploits and so on.

    If rootkits are not the ultimate malware, Deep Freeze is not the ultimate defense: with or without Deep Freeze, there's NO 100% secure system in a Windows home or Unix corporate environment.

    And just remember a simple theory:

    1-A software is composed of pieces of code,
    2-but a piece of code can be broken;
    3-Deep Freeze is a software,
    4-then Deep Freeze can be broken.

    I have nothing against those solutions: I defend prevention software, but as always, each solution has its own limits.
    I'll give it a try and I'll see.

    Regarding rootkits, they're more of a problem in a corporate environment.
    And they're also more common and well known (papers and specialists) on Unix systems, since many years.

    Here's an example of a setup to prevent Windows rootkits:

    -Harden Windows as well as possible,
    -Install a classical defense (firewall + AV + AT + AS + web filter),
    -Choose a HIPS (host intrusion prevention system) which can automatically block driver/device installations (ProcessGuard, System Safety Monitor, Securitask 2005),
    -Protect your registry (RegRun, RegDefend etc.),
    -Choose a powerful firewall application to control activities on your system and to be able to detect suspect ones (SafenSec, AntiHook, AntiExe, SSM...),
    -Install a strong integrity protection to prevent any change on the system (solutions like Deep Freeze, Viguard, XIntegrity etc.),
    -Stay aware and well informed about threats and attacks.

    This setup will not prevent all possible attacks, but the majority of malware: spyware, viruses, worms, trojans, backdoors and also rootkits.

    Regards
     

    Attached Files:

  25. Rmus

    Hello kareldjag,

    Pro version of which above? I specifically asked DF this, and they replied that unlike ShadowUser, DF does not use a virtual zone.

    You'll have to be more specific about how this works. How is this data stolen?

    1) Since I'm not using IE how does a web application attack know where cookies are stored?

    2) on passwords: if not using IE, how would a web attack know where pw are stored? Anyway, the only 2 secure sites where I use a pw, verification is required, so the pw by itself is of no use.

    3) No bookmarks here - I use a global history directory (Not IE so I doubt a web app attack could get to them) Anyway, of what value are someone's bookmarks?

    This is just silly. Anyone who doesn't keep a custom address list in their HTTPS firewall rule is negligent. There is no way here that my firewall will permit any surreptitious connection to another HTTPS site.

    OK, you've got me here - I tried enlarging your image but can't make it out.

    I can speak to DNS cache poisoning - aka pharming - the customized HTTPS firewall rule takes care of port 443 attempts. Port 80 (regular browser surfing) can be monitored manually to check the IP address if something seems suspicious.

    Java exploit is of no concern here, since it is disabled.

    If some of the others you mention here work on scripts, with WSH disabled, that is some prevention.

    All Deep Freeze claims is that anything written to disk while in the frozen state is discarded. Anti-executable and anti-script programs prevent any trojans, etc, from running that happen to sneak in during the session.

    At present, the only possibility of breaking it is for someone to gain physical access to your computer and bypass your bios protection.

    No doubt a clever person may find another way at some point... But if we used that as criteria for choosing a program, we would never dare choose anything!

    Can't argue with this setup! If you can convince everyone to adopt a similar setup, cyberspace would be a safer place to visit!

    You should send this setup to the author of the article ronjor listed at the top of this thread!

    regards,

    -rich
     