"Rootkits" Emerge as New Threat on Windows
by Arie Slob
Hello Windows users,
Security researchers are warning Microsoft users that so-called "rootkits" - powerful system-monitoring programs - are posing an increased security risk to computer users.
On UNIX (type) systems rootkits have been around for years, but the latest versions of the most popular ones - with names such as "Hacker Defender", "Vanquish" and "FU" - are now more then capable of "infecting" Windows computers.
On Windows the name "rootkit" isn't really appropriate if we look at the definition of it from the UNIX world. A rootkit on the UNIX platform generally describes a collection of tools to obtain or maintain root access using stealth techniques.
If we look how specific tools from a rootkit are used in UNIX, we have tools to "obtain root", usually done by elevation of privilege. Next come the tools to get & maintain permanent access to the machine, and last but not least, tools to hide the presence of these tools.
"Translated" to the Windows platform, the tools to gain root access would be accomplished by an 'exploit tool' on Windows, exploiting known vulnerabilities on (un-patched) systems. Maintain access would be accomplished by installing a backdoor on the Windows System.
The tools that do the "hiding" on UNIX systems typically do this by replacing system binaries such as 'ps', 'find', 'top', 'netstat' and/or others. But replacing binaries on Windows is much harder, and on NT-based systems (Windows 2000 / Windows XP), nearly impossible to achieve because of Windows File Protection (WPF).
So on Windows, the 'rootkit' is a separate tool, which does the 'hiding'. It can hide nearly anything you want: files, folders, user accounts, processes, registry entries, network connections.
To get a 'rootkit' on a Windows machine requires the system to be compromised first. This could be done by most modern malware/spyware/adware, and that is what seems to be happening more & more.
Once installed on a target machine, these programs are then used to control, or find (sensitive) information from the systems they are installed on. Many of the new rootkits will run quietly in the background on infected systems. Some of these can be easily detected, but the more advanced rootkits (kernel rootkits for example) have the ability to hide themselves from the operating system.
These rootkits are invisible to most of the current detection tools such as anti-virus, network intrusion-detection and antispyware products.
How to guard against backdoors & rootkits
As explained, today's rootkits require a system to be compromised. It is very uncommon for a system to be targeted for any other reason than because it was vulnerable. So your main line of defense is to stay current on all patches available for your operating system.
Having an up-to-date anti-virus scanner installed should also help in many cases.
Looking at running services or processes on your machine would also be a good practice to do on a routine basis. On larger networks, host scanning can provide useful information to the system administrator. An application such as TCPView will allow you to locate which applications have open ports on your system.
Another Sysinternals tool called Process Explorer can be of help in identifying which program has a particular file or directory open. It shows you information about which handles, DLLs and processes that have been opened or are loaded.
Microsoft researchers have developed a new tool called Strider GhostBuster, which can detect rootkits by comparing clean & suspected versions of Windows. Technology from Strider GhostBuster may be incorporated into Microsoft products in the future. Personally, I think this would make a good addition to Microsoft's Windows AntiSpyware product!
Today, several tools to detect the presence of rootkits are available:
It looks as thought we will see an explosion of 'rootkit infections' throughout 2005. This seems to be the new industry crime rings are turning to, as (email) spam becomes less profitable.
On the MSR Strider Project Web site, Microsoft researchers also list some simple steps you can take to detect some of today's "ghostware".
Give your comments on this article.
Microsoft Windows Security Bulletin Summary for April, 2005
The security updates for April 2005 include several high-priority updates for Microsoft Windows and Microsoft Internet Explorer, a component of Windows.
Severity Rating: Critical
Severity Rating: Important
Microsoft also published an MSN Messenger update, an Office Word update, and an Exchange update.
Recent Support BBS Postings
Poll: What improvements do you want Microsoft to make to Windows?
Windows Virtual Memory Too Low - Windows XP
Wireless Network with Hardware Firewall - Networking
Goodbye to Privacy - General Discussions
Booting from USB External Hard Drive - Hardware
Microsoft Windows Malicious Software Removal Tool
The Microsoft Windows Malicious Software Removal Tool checks Windows XP, Windows 2000, and Windows Server 2003 computers for and helps remove infections by specific, prevalent malicious software-including Blaster, Sasser, and Mydoom.
Recommend This Newsletter!
Do you enjoy reading this Newsletter? Why not tell your friend(s) about it?
Recommend this Newsletter!
April 12, 2005 Enterprise Update Scan Tool
Microsoft has released a new tool designed to help enterprises detect updates provided with the Microsoft Security Bulletins released April 12, 2005. This tool is a command line scanning tool built for the sole purpose of helping customers determine systems that may need security updates provided with the released bulletins. Users of this tool should have experience in deploying software to corporate environments and with using command line tools. More information on this tool can be found in the readme.rtf documentation packaged with the tool download.
Download [723 KB]
Foxit PDF Reader for Windows
View and print your PDF files almost instantly with Foxit PDF Reader, a FREE download of less than 1 MB, far smaller than the bloated Adobe Acrobat Reader.
Download [862 KB]
Windows TechFile: Troubleshooting Windows Explorer Errors
I get messages from people having problems with Windows Explorer crashes on a regular basis. Mostly they go something like this: "When I right-click a file in Windows Explorer, I get a message that Windows Explorer has encountered a problem and needs to close" or "When I try to browse through the folders on my computer, I receive an error message that Windows Explorer needs to close."
Read Full Article
Windows XP Tip: Adjust Internet Time Synchronization
Windows XP has the capability to automatically synchronize the clock on your system with an Internet time server. By default, only two servers are provided: time.windows.com and time.nist.gov.
Read Full Article
Tell a friend about this Newsletter!
Need Help with Windows? Ask your questions here!
Our Web Sites
Rose City Software