World's most advanced rootkit penetrates 64-bit Windows

This topic is closed for new posts.

Development environments

From Microsoft, no less. Try Visual Studio 2005 - full or express. It is (or was) recommended that it runs as admin. Ditto Visual Studio 6, and unsurprisingly several games.

No surprise there, as coding standards a few years back were frankly pathetic, until they started to be enforced.

1
0

Agreed that I'd like to know what program wants to make changes.

But given that even Trend et al don't provide that info, I suspect that something about the way the OS works requires truly clever people to provide that bit of info.

As for the Run As bit, are you running Vista or Win 7? I had issues with Vista, but none so far with Win 7. This to some extent mitigates the habituation training issue.

MBR issues are with us always. LILO and GRUB would only obfuscate the issue, not resolve it. If Windows grants access via direct SCSI commands, the malware can overwrite either of those too. What is needed is a reliable control for access to writing the MBR. A DIP switch or jumper on the MB can guarantee that restriction, but are a PITA for maintenance, and as indicated previously there are times when a necessary patch will update the MBR. Next best choice is the BIOS. Apparently the BIOS boys never got this to work correctly previously. Even if they did, with the current crop of updatable BIOSes I'm not sure how effective it will be.

1
0
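The post above asks for a reliable control on who writes the MBR. Absent a hardware switch, the practical defence is detection: record a hash of the boot-code region of sector 0 on a known-clean machine and compare it on every boot or scan, while keeping an eye on the partition table and the 0x55AA signature. The following is an added example written for this thread, not code from the article or from any commenter; the sector it audits is constructed inline (a ten-byte stub standing in for real boot code) rather than read from a disk, and it also flags the 0xEE "protective MBR" entry that a GPT disk carries in the same sector.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot loader code a bootkit overwrites
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"        # mandatory signature at bytes 510..511
GPT_PROTECTIVE_TYPE = 0xEE    # partition type of the protective MBR on a GPT disk


def parse_partition_table(sector):
    """Decode the four classic MBR partition entries from a 512-byte sector."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(sector, baseline_boot_hash=None):
    """Audit one boot sector: signature, boot-code hash against a known-good baseline, partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    boot_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    partitions = parse_partition_table(sector)
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "boot_code_sha256": boot_hash,
        # None on the first (baseline-recording) run, otherwise a plain changed/unchanged verdict
        "boot_code_changed": None if baseline_boot_hash is None else boot_hash != baseline_boot_hash,
        "gpt_protective": any(p["type"] == GPT_PROTECTIVE_TYPE for p in partitions),
        "partitions": partitions,
    }


def build_sample_mbr(part_type=0x07):
    """Constructed test sector (not from a real disk): tiny boot stub, one partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    stub = bytes.fromhex("fa33c08ed0bc007c8bf0")  # a few x86 bytes standing in for boot code
    sector[:len(stub)] = stub
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", part_type, b"\x00\x00\x00", 2048, 1_000_000)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def tamper_boot_code(sector):
    """Simulate what the baseline must catch: boot-code bytes replaced, table and signature left intact."""
    t = bytearray(sector)
    t[0:8] = b"\x90" * 8
    return bytes(t)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = check_mbr(good)["boot_code_sha256"]   # record this once on a known-clean system
    print(check_mbr(tamper_boot_code(good), baseline))
```

On a live system the 512 bytes would come from the raw device (`\\.\PhysicalDrive0` on Windows with an elevated prompt, `/dev/sda` on Linux); the baseline hash has to be stored somewhere the same malware cannot rewrite, and a legitimate boot-loader update will of course change it too, so the verdict is "changed, go and look", not "infected".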
Thumb Down

No Title required

MapPoint 2006 requires only wants to be run by the Administrator

0
0
Pint

ha

And it is exactly for that reason people get infected or screw their system, then blame it on MS.

Seriously, how many times does that pop up, really? Unless you're a super geek or someone insistent on poking around in the system, it really doesn't happen that often. If you have a crap old program, force it to install in a different location that has had its security levels reduced; that will get around most issues of UAC. I have a wee folder tucked away for just such programs / games, and it works wonders. UAC isn't a pain, it's there for the masses, everyday Joe and Jane who don't know shit. MS can't do any more, it can't pull a hand out of your TFT and slap you around the face with a kipper shouting "you are about to install some really dodgy crap here, DON'T DO IT!"

Vista's UAC wasn't too bad, but 7 I think has nailed it. People need education now; the tools are there, so stop moaning about how bad MS is and go do something about it. Go and teach the old guy next door what's right and wrong, help that "noob" on the forums asking daft questions, because unless us techno peeps teach folk what's right and wrong they will remain ignorant of dangers until it bites them in the arse.

2
1
Silver badge
Stop

GPT

So, I'm guessing this wouldn't work on a GPT disk (although of course you need to be booting from UEFI to use GPT on a boot disk).

0
0
Silver badge

People learn from their mistakes

MS has Alzheimer's

2
0
Boffin

Total Security = 0 Flexibility

There always has to be a balance between security and flexibility. Just as the only 100% foolproof way to protect yourself from network attack is to shut down all network connectivity, the only 100% secure computer platform is one that cannot execute any code that was not pre-installed and verified as being secure.

As soon as you want a general purpose computer, you immediately have to allow a certain level of risk. The question with any computer platform is does it make the right trade-offs between usability and security.

1
0
Happy

@CD001

"Name 1."

HP USB Disk Storage Format Tool

1
0

That's not an app, that's a tool, and one which ought to require elevated access privileges.

Okay, what it really sounds like is a nasty virus that needs to be removed from your system ASAP, but I gave you the benefit of the doubt. Not something I'm frequently of the mind to do.

0
0
Boffin

MBR writing is due to MS DRM my friends

A windows PC doesn't fill the MBR so "clever" apps have been using it as a private scratch space :

http://www.chiark.greenend.org.uk/ucgi/~cjwatson/blosxom/debian/2010-08-28-windows-applications-making-grub2-unbootable.html

including but not limited to HP ProtectTools, PC Angel, Adobe Flexnet

http://linux.slashdot.org/story/10/08/28/2112208/Some-Windows-Apps-Make-GRUB-2-Unbootable?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+slashdot%2FeqWf+%28Slashdot%3A+Slashdot%29

2
0
Unhappy

Sigh

I've known for a long time that a system set up to dual-boot using GRUB from the MBR will randomly stop working and need re-GRUBbing from a stand-alone Linux CD or USB. I'd always assumed it was MS borking the MBR because they thought they owned it and didn't check. Or maybe malware.

The way that avoids this (using XP) is BOOTPART http://www.winimage.com/bootpart.htm, and install GRUB into the first sector of the linux partition instead of the MBR. Then you can boot Linux via Windows MBR and BOOT.INI. Some day I'll find out how to do the equivalent with Windows 7 (or has MS made it impossible to boot Linux via the MS boot loader? Wouldn't surprise me).

0
0
Gates Halo

UAC violations

Having managed a few networks in my time, I've dealt with windows boxes and related security issues on various levels, and nothing was more telling than when dealing with locked-down user accounts.

Most readers on this site will be accustomed to small-to-medium Windows networks where most users are granted a modicum of trust and rights over their own personal systems, but it is when you have environments like schools, prisons and call centres, where it is policy to "lock it down 'til it squeaks", that you start to see some of the dirty habits of software you previously considered respectable.

Once you've locked down a winXP system, it is nigh impossible to infect it. Buffer overflow code executions fail when they attempt restricted actions. Process user elevations never happened because policies specify a whitelist of trusted locations locally and externally that executables can be run from.

We never had a problem with the students' desktops (the teachers' laptops, on the other hand...)

Secure, that is, until you start having to punch dirty great holes in your own security to get shoddily designed bits of software working.

Firefox is a classic example. Its self-update system breaks several fundamental rules of the Windows environment, the most obvious of which is attempting to write back to its own program folder.

This should never happen. The updating component should have been installed as a local service.

What really irks me is that these aren't brand new rules that you could forgive people struggling to catch up with. The NT family were designed from the get-go so that in everyday use you run as a limited user, but there are still too many lazy coders out there who take shortcuts that compromise the whole system's security, forcing you to run as root.

The UAC isn't intended as a direct security measure. It's there to embarrass the coders into writing their software in compliance with the platform they are developing it for. Just think of it as a big FAIL sticker on the 3rd party software every time you see it.

7
0
Anonymous Coward

ha

I like that, MS should change the message on UAC

"Windows has detected that running this poorly designed malware/software may result in the installation of 100 separate viruses that will take over every aspect of your computer and may well try to force you to buy some equally virus-ridden "anti virus" software. Are you sure you want to allow this to run?"

1
0
Alert

"... uses low-level instructions to disable debuggers, making it hard ... to do reconnaissance."

That hidden hardware debug mode on AMD processors may come in handy, after all...

-- http://www.theregister.co.uk/2010/11/15/amd_secret_debugger/

0
0
Gold badge

Why the surprise?

If someone wants to break into something they will. Windows and Linux servers are priority one as there's a lot at stake, fraud, stealing data and so on.

The news is good and bad, good because people can patch up. Bad because there's a window of opportunity for the hackers. Many vulnerabilities are usually exposed by security researchers, not the hackers, as soon as the security researchers blab about the bug it will get exploited.

0
1

Re: UAC violations

> The NT family were designed from the get-go so that in everyday use you run as a limited user but there are still too many lazy coders out there who take shortcuts that compromise the whole system's security, forcing you to run as root.

Problem with NT's design is that until Vista you were encouraged to run as admin.

1
2
Anonymous Coward

@ender

"...Problem with NT's design is that until Vista you were encouraged to run as admin..."

You really weren't, if you went on any MS courses, or spoke to anyone at MS they'd tell you not to run as admin, just because your pre-installed version of Windows came with an admin level account, didn't mean that MS encouraged this.

1
2
Anonymous Coward

Memory lane

This brings back some memories: proper viruses that would quite happily spread via floppy disks to every computer in the building, then flash your BIOS with unusable data on a set date.

ah those were the days!

0
0

Well, I'm safe ...

... my user name is administrator and my password is passw**d.

2
0
Paris Hilton

Question here

For those of us running Win7 x64 using GPT in place of the MBR option, how does this affect this? Curious because, while MBR has been and continues to be the standard for drives currently on the market, it would be nice to know if something like this is possible with it. Cheerio.

0
0
Anonymous Coward

Now what would be fun is...

The folk who came up with the rootkit work out how Microsoft boinked SD cards in Wp7 so the system couldn't be reset/cleaned etc.

0
0

Got that

I had a fight with a computer infected with that very nasty bit last week. Took me forever to remove it. In the end the only thing that worked was Combofix.

Nothing else even detected it.

Very nasty thing.

0
0

ASCII see it

1010111 1100101 0100111 1110010 1100101 dotdotdot

1000110 1110101 1100011 1101011 1101010 1100100 0101100

1000001 1000111 1000001 1001001 1001110 0100001(!)

1100001 1110011 __1110101 1110011 1110101 1100001 1101100 !(0100001)

<|:^(

0
0

active X is still a problem

no matter how many bits it runs.

0
0


The Register - Independent news and views for the tech community. Part of Situation Publishing