Discussion in 'other security issues & news' started by midway40, May 25, 2008.
Vista's despised UAC nails rootkit tests--PC World
Hardware, that is a very scary development. As long as it's on my hard disk I can clean it, but not the rest of my hardware.
As an executable, rootkits can be easily prevented from installing by remote code execution as can any unauthorized executable. This type of prevention has been long available for anyone with HIPS or other such software with execution protection.
It's commendable that Microsoft has built such protection into the Operating System.
As long as the installer of a rootkit is an executable, I don't see any problem.
The only thing I read about rootkits in articles is the scary part; they never explain the very beginning of a rootkit. I don't even know what a rootkit installer looks like.
If rootkits target hardware, how is an AV going to remove them?
See here for some thoughts about hardware rootkits, the 3rd & 4th posts down, by a_d_13 & EP_X0FF:
Thank you very much, scary stuff. If I ever get some of these rootkits, I wouldn't even notice.
Eric, you are about 6 years behind. Many, many proofs and PoCs are out there for hardware rootkits. I understand the view of traditional software rootkits, but their resistance won't cure the true problem of hardware vulnerability.
It does not make sense to play down the story: you would need this... and that... I know some freaks who worked in the hardware biz; they laugh about it and say it is easy to create hardware rootkits, even for a wider range of products.
Simplest and very effective way: browser exploit, the browser crashes while you are surfing a web site, and during the crash the VGA card becomes rooted.
Can you detail how this occurs? Especially the method by which the rootkit code is attached to the VGA card.
If you know so much about it, how can I protect myself against rootkits?
This is one opinion: hardware rootkits are difficult to create.
This is another opinion: hardware rootkits are easy to create.
For me to find out who is closest to the truth. Yes, I know: everybody thinks he is right.
I'd better throw a coin in the air.
I would also like to know how this occurs regarding adding code to the device driver code, assuming it isn't already implanted from the factory.
I am curious about Shadow Walker, nice name. Is this a PoC? If so, is it available in compiled form, etc.? How is its detection when active and while trying to load, etc.?
Is it superior to Rustock C, D, etc.?
Here is some info for you:
If the exploit gains admin privileges, it could even work in restricted accounts.
1) How the browser becomes owned by the exploit: what type of exploit? Which browser?
2) Details of how this exploit reflashes the graphics card: how does it know which graphics card the computer has? Can all graphics cards be reflashed by the same code?
Add me to the list of those who want to hear about the magical way a generic rootkit exploits a generic browser and flashes a generic GPU.
There's a difference between installing a driver for a graphics card that your OS can see and use AND writing directly to the device itself...
I need to get in on this as well. I personally have no knowledge and specifics as to how it's done, but hey, just because you can't see it doesn't mean it doesn't exist.
The idea alone should raise concerns for anyone that cares about security for their computer(s). Think about rogue ex-workers that may have worked for such companies that create GPUs, motherboards, HDs, etc. I'm sure they have enough knowledge to know what it would take to do exactly what systemjunkie has stated. Ideas are scary, more so if they can actually be done, and it goes against one's beliefs, etc. For all I know, companies will be mandated (if they're not doing it already) to have their stuff rooted just because of past worldly events...
To have a computer that behaves as it should, even though it could be rigged for spying... but hey, who cares as long as you're not doing anything stupid, right? Personally, I think Vista by design was designed specifically for monitoring the general public. I guess now that everyone's happy with SP3 and feels that it's all cool since their machines behave as they should... LOL, you'd better think about that deeply... bad apples everywhere... anything is possible.
As for UAC, XP may be run as a limited user, which will block the same kind of stuff that Vista's UAC blocks, but usually without offering a prompt. That does make it harder to use because some things just fail to happen with no explanation. However, it makes it much harder to give an inappropriate approval to a prompt, as no such choice is offered. It could actually be said that UAC subjects the user to pop-up fatigue, thus resulting in inappropriate approvals. Of course, the same could be said of most HIPS and "leak proof" firewalls.
As for hardware rootkits, this sounds like the usual paranoid BS that gets spread around here.
UAC is only effective when you understand what it is. A lot of people think it is just a nag "Are you sure you want to do this?" prompt, so they either turn it off or mindlessly click OK.
Let's say one of these users goes to a wallpaper site to find a certain wallpaper they searched for on Google. Right when the page loads, all of a sudden the screen goes black and a UAC prompt pops up. This person would probably think "oh crap, there's that annoying UAC again--I want my Fuzzy Bunny wallpaper!" and click OK without thinking about why a wallpaper site would want elevated privileges to begin with. And then, after they get zapped with all kinds of malware, they moan and groan saying that Vista is no more secure than XP.
For years now people have been complaining of the insecurity of Windows and when they finally get a secure one they turn the most important security feature off. Go figure.
[BTW, the above scenario is based on a real event. I encountered this last week on a wallpaper site, though I was not looking for fuzzy bunnies, lol]
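As an added example, not code from the thread: a read-only PowerShell audit of the three registry values that decide whether the prompt described above appears at all, whether administrators are elevated silently, and whether it is drawn on the secure desktop (the moment the screen goes black). The value meanings are the documented Vista/Windows 7 ones; on XP the values simply don't exist and are reported as missing.

```powershell
# Added example (not from the thread). Read-only audit of the UAC policy values
# discussed above. Value meanings are the documented Vista/Windows 7 ones.
function Get-UacAudit {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Each check: value name, values considered acceptable, and what the weak state means.
    $checks = @(
        @{ Name = 'EnableLUA'
           Good = @(1)
           Weak = 'UAC is off; nothing prompts before an installer runs with full rights' },
        @{ Name = 'ConsentPromptBehaviorAdmin'
           Good = @(1, 2, 3, 4, 5)
           Weak = '0 = administrators are elevated silently, so there is no prompt to refuse' },
        @{ Name = 'PromptOnSecureDesktop'
           Good = @(1)
           Weak = 'prompt is drawn on the normal desktop, where a page or window can cover or mimic it' }
    )

    foreach ($c in $checks) {
        $value = $null
        if ($props -ne $null) { $value = $props.($c.Name) }   # dynamic property lookup

        if ($value -eq $null) {
            $status = 'MISSING'   # no UAC on this OS (XP), or the policy value was never written
            $note   = 'value not present; OS default is in effect'
        } elseif ($c.Good -contains [int]$value) {
            $status = 'OK'
            $note   = ''
        } else {
            $status = 'WEAK'
            $note   = $c.Weak
        }

        [PSCustomObject]@{ Setting = $c.Name; Value = $value; Status = $status; Note = $note }
    }
}

Get-UacAudit | Format-Table -AutoSize
```

Reading the key needs no elevation, so this runs from a standard account; only an elevated process can change these values, so a WEAK result means someone with admin rights chose it.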
That won't stop them from being ITW.
No, UAC is effective by default. Automatic downloader installation is blocked by default. Nobody would allow an unexpected executable from nowhere, so UAC is effective from the ground up for usual, old-school malware.