Newest Windows OS security threat? Kernel Rootkits.

An article titled Microsoft on ‘rootkits’: Be afraid, be very afraid from the folks over at Computerworld has me seriously thinking it may be time to finally make that switch over to Linux for anything outside of gaming. Microsoft’s own security experts are warning that new breeds of virus and spyware are starting to show up that make use of “kernel rootkits” to hide themselves so well that they are virtually undetectable and near-impossible to remove short of completely formatting the hard drive and reinstalling everything from scratch.

Rootkits have been around for quite awhile and are quite popular with criminals looking to engage in identity theft or make use of your PC to relay SPAM or launch DDOS attacks, but they’ve been relatively easy to detect and remove using many freely available tools for that purpose.

However, kernel rootkits that modify the kernel component of an operating system are becoming more common. Rootkit authors are also making huge strides in their ability to hide their creations, said Danseglio.

In particular, some newer rootkits are able to intercept queries or “system calls” that are passed to the kernel and filter out queries generated by the rootkit software. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer’s memory, or configuration settings in the operating system’s registry, are invisible to administrators and to detection tools, said Danseglio.

One rootkit, called Hacker Defender, released about a year ago, even uses encryption to protect outbound communications and can piggyback on commonly used ports such as TCP Port 135 to communicate with the outside world without interrupting other applications that use that port, he said.

The kernel rootkits are invisible to many detection tools, including antivirus, host and network intrusion-detection sensors and antispyware products, the researchers said. In fact, some of the most powerful tools for detecting the rootkits are designed by rootkit authors, not security companies, they said.

That’s bad. That’s really bad. And unless Microsoft can come up with a reasonable method of dealing with this growing problem then it’s going to be the best argument yet for abandoning Windows like rats from a sinking ship. Currently the only method available from Microsoft is a tool they’ve dubbed “Strider GhostBuster” that will compare a clean version of Windows against a machine that you suspect has been compromised, but the only solution if it has been is to erase your hard drive and reinstall from scratch. That’s not going to be very practical for most folks out there who aren’t professional geeks and it’s not an appetizing prospect for those of us who are.

So what’s the alternative? Well, there’s really only two choices at the moment: Switch to some form of Linux for your PC, which isn’t going to set too well with folks used to the Windows way of doing things, or invest in a new Macintosh, which is also Linux based these days, but a heckuva lot easier for the average Joe to work with.

For Window’s folks thinking of making the jump to Linux there’s one distro that aims to make the transition as smooth as possible: Xandros. Widely regarded as one of the easiest to install and use for Linux novices and designed in such a way as to feel familiar to folks used to using Windows, Xandros holds the promise of making Linux accessible to the average computer user. It still has a learning curve to it, but one that isn’t as steep as many other distros.

For folks who want something that’s potentially even easier to use than Windows XP the folks at Apple are ready to welcome you with open arms. My biggest complaint against the Macintosh has always been that it’s on the expensive side compared to the PC, but for many people the ease of use and the security it brings with it justify the premium Apple asks for it. For people like my parents who can’t afford to spend a whole lot on new Macintosh and already have various PC components on hand there’s the Mac Mini retailing for $499. You get the base unit and that’s it. You supply the monitor, keyboard, and mouse which many PC owners will already have on hand. Considering you can get a complete PC system including those items and often a printer for about the same price it’s still not cheap, but it’s not a bad way to make the switch if you’re looking for the least expensive way to do so. Short of buying used, that is.

So is it time to trash the PC and make the switch to one of the above options? Depends on your personal comfort level and finances, but it’s getting harder to justify the risk that Windows is becoming. Longhorn, which Microsoft promises will be way more secure, is still a good year or two away unless they rush it (they’ve already dropped one of the biggest changes it was going to bring: WindowsFS) and even then there’s no guarantee it’ll address this new threat. Personally, I’m looking at setting my PC up to dual boot and getting my hands dirty in Linux with a new enthusiasm.

20 thoughts on “Newest Windows OS security threat? Kernel Rootkits.

  1. Switching to Linux may not be as painful as you think. Distros have come a long way. A “power-user” friend of mine even used my machine for web-surfing and such a while back for an hour or so, and never realized it wasn’t Windows until I told him.

    Games aren’t as much of a bugaboo as they used to be either, and it’s getting better. A large number of cutting-edge games either run under Linux with Wine or have native Linux versions. Still not all, though, so it’s worth checking about the ones you personally care about.

  2. It should be pointed out that UNIX and Linux rootkits have been around for years.  You can google some of the better-known ones.  Linux kernels in particular are trivial to subvert, because the source-code is readily available and they support loadable modules without even the need for a reboot.  That’s not a criticism of open source, it’s just an observation.  Once someone compromises your machine, there’s never a “guaranteed” way to uncompromise it, other than reinstalling from the ground up—that’s true of any OS.

    And honestly, no sysadmin worth paying would just “clean” an infected system and return it to service.  The point of virus removal software, at least in my mind, is to get a system working well enough to recover any needed data.  Of course, if you’ve put all your data on a separate partition, there’s no need to do even this.  Two words: Norton Ghost.  The only other reason to boot a known-infected PC is to try to figure out how it got infected.

    I suppose this will make me a Microsoft shill in some eyes, but after running XP on 3 home computers for 4 years, I’ve never had a virus, spyware, or any other type of infection.  The plain fact is that if you keep your system updated and don’t install random software off the web, you won’t get virus infections.  All the infected computers I’ve fixed were either:

    1. Bare-naked-open on the internet, plugged into a Cable modem with no IP masquerading or firewall.  Even this isn’t a problem anymore, if you run service pack 2 and don’t disable the built-in firewall software.

    – or –

    2. Owned by someone who doesn’t think twice about installing random software in exchange for promises of dancing babies, better screensavers, free porn, or incredible weight-loss.  Obviously, a lot of this crap is malware.

    It should be emphasized that ANY operating system is vulnerable to #2.  If you give the user the ability to install software, some of them will install malware.  The best you can do is educate users about “what not to do”.  After breaking their systems enough times, the message will sink in.

    Also, one minor quibble: MacOS 10 is based on FreeBSD, not Linux.  The two are related in the sense that they are both UNIX rewrites.  They don’t share a common ancestry, however.

    Now’s the part of my response where I prognosticate.

    Going forward, I expect “real” operating systems like Linux, Windows XP, and MacOS to disappear from most home users’ computers.  Looking at the technologies Microsoft has been pushing in .NET and Longhorn, it’s easy to see where they are going: smart clients running software served by centralized servers.  Ie, everything Java promised but never delivered.  This will be an unbelievable cost-savings to businesses.  Anyone who’s worked in this field for any amount of time knows how much time tech spend fixing or reloading employee computers.  Busineses have been trying to get rid of those techs forever.

    The plain fact is that most people don’t need an “operating system”, whether Windows, MaxOS, or Linux.  In a few years, I expect your “computer” will be a souped-up Xbox with a keyboard and mouse, and Windows, Office, and even Firefox will live on your ISP’s server.  The software license cost will be part of the Broadband bill you pay every month.

  3. I’ve been a PC/windows user for ages.  I started back on Windows 3 and I’ve used all the versions since (save WinME).  I know tons of tricks and I’m definitely the “computer guru” in my family.

    For reasons I really can’t even remember offhand, I decided to get a 15” PowerBook to supplement my regular desktop PC (running WinXP).  At the beginning I got kind of frustrated with OS X because I couldn’t figure out how to do things that I already knew how to do on my PC.

    Over the months, though, I’ve really come to like OS X.  In fact, virtually all of my daily surfing and such are now done on my PowerBook and not on the windows box.  The more I use OS X, the more I like it.

    So, basically, I guess what I’m saying is that OS X is absolutely worth a look, even for die-hard PC users like I was.  Before you know it you’ll probably be hooked like I am.

  4. If you would like to try out Linux without actually installing it on your hard drive, you can download an ISO of one of several distributions on a Live CD. Knoppix and SimplyMepis are two that I have found to be great live CD’s. Mepis, btw, also has a simple option so that if you would like you can then install the version you are looking at onto the hard drive itself – but be aware, you can and probably will overwrite your version of windows if you install. Even without installing it tho, both are good distros that will give you a good idea if you would like Linux or not.

  5. Did you guys read the definition? This has always been a Unix/Linux/VAX problem. Swapping systems isn’t going to make it better. I remember the old days with a simple sendmail bug in VMS (read the Cukoo’s Egg)…ROOT BABY!

    I can write a simple virus for Solaris and email it to a Solaris user and take over his account…or root. if he has root…in a couple of minutes. The OS doesn’t matter.

    I remember writing some code to get a girls middle name on a Solaris system. All I did was poll the user id and when she executed my program, I popped up an interface asking her to verify her middle name to continue access. It worked quite well…

    If 99% of the people use an operating system, the virus/hackers will move to that platform. Linux isn’t more secure than Win32. In fact, I’d say it is less secure because most hackers aren’t focusing there.

    I can promise you this, with an open source OS, there are more people programming. I always put a back door in anything I write. What do you think they are doing?

    Just because Tammy The Housewife with a Dell computer executes an email attachment for a naked picture of Fabio, doesn’t make the OS any less secure. She will do the same thing whether it’s Unix or Win32.

  6. Indeed there are rootkits of a similar nature for Unix/Linux/VAX OSes, but from what I understand in my reading up on the subject they’re not nearly as big a problem as what these new kernel rootkits for Windows are turning out to be. Granted that’s partially due to the smaller market share. Still, it doesn’t necessarily take interaction on the part of a clueless user to have viruses and/or spyware invade their systems these days even for folks who make the effort to keep their systems patched. The opposition has got some very skilled people working for them these days and even Microsoft admits it’s tricky keeping up. It’s one thing to have to deal with a system that you can easily determine has been compromised and another thing entirely when you can’t.

  7. Well, rootkits aren’t as much of a problem for *NIX users as much because most of them simply reinstall from an image instead of trying to “clean” out the infection. Simply load the image, then go see if there’s any patches for that pesky kernel… If only it was that easy with Windows… Even with Norton Ghost it’s never a guarantee that the image restoration will go as planned under Windows… I’ve seen BSOD’s and random crashes in the middle of the process that meant the permanent loss of the data for that machine (they tried swapping hard drives, etc and it ended up just being a bad image or bad media, they could only narrow it down to those two things). With Linux or BSD it’s not so difficult because alot of those kits, etc can’t get installed in the first place due to the program needing root access to begin with to install, which in any standard *NIX environment is not going to happen. In WinXP, Win2k3, etc, it WILL happen quite often because the default account settings are that user accounts have root. This is completely the opposite philosphy of any sane security setup for a system. Until MS gets away from such insecure “default” practices, then of course things such as rootkits will pose a significant threat.

  8. Mainly commenting just to subscribe to this thread… but as an aside I always keep my data on a separate hard drive from my OS.  It’s less agonizing to restage that way.

    I use Windows on most of my machines and have had no virus problems – just like Daryl – but for most users wouldn’t it be nice if their OS booted from a CD and they just used the hard drive for data?

    I mention it because we use BoothBox on our walk-up email stations.  The machines have no floppy or hard drives.  After 5 minutes of inactivity the machine reinitializes the kernel from the CD, which takes about 15 seconds.  To get at the CD drive itself, you’d need a screwdriver, which would be pretty conspicuous because it is mounted inside the machine like a hard drive.

  9. Just like Daryl and DOF, I’ve kept AV, firewall, and spyware apps running, along with keeping patched, and haven’t had trouble.  I think the biggest prob is with a user who’ll run anything for smilies or open any email attachment w/o a second thought.  I usually see those on systems I’ve worked on.

    I worry more about a cracker exploiting an OS/browser hole to load some silent-but-deadly rootkit from a hijacked website than getting snookered by a trojan horse.

    I do the same as DOF, with the second hdd for data.  I’ve gotten to the point that I’m just going external with my extras – when I get a dvd burner, it’s gonna be USB, and I’ll likely do the same when I upgrade my data drive.  Easier than gutting one system to move to another, and it makes the idea of a small footprint box look attractive.  Although, nothing says I work on my own system quite like that beige faced dvd drive in the middle of my black & grey Dell box!

  10. nothing says I work on my own system quite like that beige faced dvd drive in the middle of my black & grey Dell box!

    Two words, Ragman: “spray paint.”  Use a nice bright red and people think you’ve got something really exotic in there.  tongue wink

    Alas, if there were anything really nasty running on my machine, I probably wouldn’t know it until it was too late as I’m hardly a security expert. 

    I have a friend at the National Center for Supercomputing Applications in Urbana, IL who is a security expert, though.  He says that Linux is full of vulnerabilities, but fewer of them are serious.  Not sure why it makes a difference – how many serious vulnerabilities does it take?  A snake only needs one hole.

  11. Ragman, I have a whole list of Case Modding websites that’ll show you the ins and outs of turning your boring old box into a custom hotrod that hides the dusty Pentium II processor you’re running inside it if you’re interested. Case Modding is one of those things I plan to get into big time once I have a house with a garage or other work area to make a mess in. Already got my Dremel up on a shelf just waiting for the day.

    Dave M., thanks for the link. It eases my mind to no small extent that there are people already coming up with tools to help combat this issue. When Microsoft is saying it’s a problem their having trouble dealing with then I tend to get a little worried.

  12. Les, as stated earlier, this isn’t a “new” problem. The Screen Savers had a show about it way back when Leo and Pat were still hosts and the channel was still TechTV.

    Microsoft is saying that they are having problems dealing with it probably because it’s near to impossible to detect that a RootKit was installed. This is true with the Linux side too.

    Detecting them is also tricky, so seeing the SysInternal’s tool is a relief. I’m not sure what was available for detection before that. I believe that the TSS segment showed something, but I don’t remember now.

    The scary part is that removing RK’s are probably a difficult task for even people like us (I suspect that SysAdmin’s don’t have problems with removing them if they have to), let alone people like our parents.

  13. Please don’t switch to the Mac people. I’m enjoying my little paradise over here and don’t want the island run over by old PC users. grin

  14. the only thing about Linux is that it doesn’t support certain hardware such as wireless cards. usually it will support the bigger brands like Belkin, NETGEAR, Linksys, etc. I was use to windows and didn’t want to change to Linux, my brother bugged me about it until i agreed to use “WUBI” to try it out. After a week of playing around, i realized that Linux can do just about anything windows can do and more. I now have taken windows completely off my hard drive and now have the 64 bit version of Ubuntu Hardy Heron. It’s taking time to learn but it’s more secure then windows. If you want to try Linux without loosing windows you can download “WUBI” at http://wubi-installer.org/.

  15. We’ve discussed Linux quite a bit here on SEB. It has its advantages and disadvantages just like any other OS, but it has a ways to go in the user friendly department before it’ll supplant Windows anytime soon.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.