Vista's UAC--The Rootkit Killer

Discussion in 'other security issues & news' started by midway40, May 25, 2008.

Thread Status:
Not open for further replies.
  1. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    Vista's despised UAC nails rootkit tests--PC World
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Hardware, that is a very scary development. As long as it's on my hard disk I can clean it, but not the rest of my hardware.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    As executables, rootkits can be easily prevented from installing by remote code execution, as can any unauthorized executable. This type of prevention has long been available for anyone with HIPS or other such software with execution protection.

    It's commendable that Microsoft has built such protection into the Operating System.


    ----
    rich
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    As long as the installer of rootkits is an executable, I don't see any problem.
    The only thing I read about rootkits in articles is the scary part; they never explain the very beginning of a rootkit. I don't even know what a rootkit installer looks like.
    If rootkits target hardware, how is an AV going to remove them?
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Eric, you are about 6 years behind. Many, many proofs and PoCs are out there for hardware rootkits. I understand the view of traditional software rooties, but their resistance won't cure the true problem of hardware vulnerability.
    It does not make sense to play down the story: you would need this... and that... I know some freaks who worked in the hardware biz; they laugh about it and say it is easy to create hardware rootkits, even for a wider range of products.

    Simplest and very effective way: browser exploit, the browser crashes while you are surfing a web site, and during the crash the VGA card becomes rooted.
     
    Last edited: May 26, 2008
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Very interesting!

    Can you detail how this occurs? Especially the method by which the rootkit code is attached to the vga card.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If you know so much about it, how can I protect myself against rootkits?
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    This is one opinion: hardware rootkits are difficult to create
    http://forum.sysinternals.com/forum_posts.asp?TID=14366&PN=3

    This is another opinion: hardware rootkits are easy to create
    For me to find out who is closest to the truth. Yes, I know: everybody thinks he is right.
    I'd better throw a coin in the air. :D
     
  11. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I would also like to know how this occurs regarding adding code to the device driver code, assuming that it isn't already implanted from the factory.

    /C.
     
    Last edited: May 26, 2008
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am curious about Shadow Walker, nice name. :) Is this a PoC? If so, is it available in compiled form etc.? How is its detection when active and while trying to load etc.?

    Is it superior to Rustock C, D etc.?

    Thanks
     
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Here is some info for you:
    Protection, detection?
    and finally:
    If the exploit gains admin privileges it could even work in restricted accounts.

    Advantages?
     
    Last edited: May 26, 2008
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Please explain

    1) how the browser becomes owned by exploit: what type of exploit? which browser?

    2) details of how this exploit reflashes the graphics card: how does it know which graphics card the computer has? Can all graphics cards be reflashed by the same code?
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Add me to the list of those who want to hear about the magical way a generic rootkit exploits a generic browser and flashes a generic GPU.

    There's a difference between installing a driver for a graphics card that your OS can see and use AND writing directly to the device itself...

    Mrk
     
  16. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I need to get in on this as well. I personally have no knowledge and specifics as to how it's done, but hey, just because you can't see it doesn't mean it doesn't exist.
    The idea alone should raise concerns for anyone that cares about security for their computer(s). Think about rogue ex-workers that may have worked for such companies that create GPUs, motherboards, HDs etc. I'm sure they have enough knowledge to know what it would take to do exactly what SystemJunkie has stated. Ideas are scary, more so if they can actually be done and it goes against one's beliefs etc. For all I know, companies will be mandated (if they're not doing it already) to have their stuff rooted just because of past worldly events... ¿ :doubt:
    To have a computer that behaves as it should even though it could be rigged for spying, but hey, who cares as long as you're not doing anything stupid, right? Personally I think Vista by design was designed specifically for monitoring of the general public. I guess now that everyone's happy with SP3 and feels that it's all cool since their machines behave as they should... LOL, you'd better think about that deeply... bad apples everywhere... anything is possible. :D
     
    Last edited: May 27, 2008
  17. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    As for UAC, XP may be run as a limited user, which will block the same kind of stuff that Vista's UAC blocks, but usually without offering a prompt. That does make it harder to use because some things just fail to happen with no explanation. However, it makes it much harder to give an inappropriate approval to a prompt, as no such choice is offered. It could actually be said that UAC subjects the user to pop-up fatigue, thus resulting in inappropriate approvals. Of course the same could be said of most HIPS and "leak proof" firewalls.

    As for hardware rootkits, this sounds like the usual paranoid BS that gets spread around here.
     
  18. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    UAC is only effective when you understand what it is. A lot of people think it is just a nag "Are you sure you want to do this?" prompt, so they either turn it off or mindlessly click OK.

    Let's say one of these users goes to a wallpaper site to find a certain wallpaper searched on Google. Right when the page loads, all of a sudden the screen goes black and a UAC prompt pops up. This person would probably think "oh crap, there's that annoying UAC again--I want my Fuzzy Bunny wallpaper!" and click OK without thinking about why a wallpaper site wants elevated privileges to begin with. And then after they get zapped with all kinds of malware they moan and groan, saying that Vista is no more secure than XP.

    For years now people have been complaining of the insecurity of Windows and when they finally get a secure one they turn the most important security feature off. Go figure.

    [BTW, the above scenario is based on a real event. I encountered this last week on a wallpaper site though I was not looking for fuzzy bunnies, lol]
     
  19. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    That won't stop them from being ITW.

    No, UAC is effective by default. Automatic downloader installation is blocked by default. Nobody would allow an unexpected executable from nowhere, so UAC is effective from the ground up for usual, old-school malware.
     