Tuesday 1 November 2005

Microsoft Warns of Impossible to Clean Spyware

Slashdot | Microsoft Warns of Impossible to Clean Spyware: "Re:Unpossible to Clean SpyWare?
(Score:4, Interesting)
by Werrismys (764601) on Friday February 18, @09:27PM (#11719168)
'Honestly, VMWare is the best way to use Windows :-)' You could not be more right. I have been advocating VMware before, but for a reason.

I have set up 98SE, 2000Pro, XP environments (clean) under VMware and can easily create a 'clean' environment to test stuff. The snapshot feature is excellent, just snapshot the VM in question and if/when the software fucks up, restore.

The virtual hardware is the same every time. No driver issues. In fact, the current desktop PCs are so fast that it would make sense to run Winblows in them exclusively under VMware... just store the user dirs on server. Get a new PC? Just copy the virtual disks and configuration.

I've been using VMware since its introduction and am currently using the 4 (and 5beta) versions for desktop use. I've had no use for the expensive server version yet since most of the servers are already running Linux... but for those legacy Win32 apps VMware is really a blessing. Even been testing BSDs and SuSE distros with it."
--------------------

Sysinternals.com is a Good site
(Score:5, Informative)
by tristanj (797805) on Wednesday February 23, @09:52AM (#11755734)
Sysinternals has been around a while. These guys really know their stuff when it comes to Windows operating systems.

Here are some good tools of theirs that I use frequently:

Autoruns
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml [sysinternals.com]
Shows a complete list of programs that start up automatically when Windows starts.

Filemon
http://www.sysinternals.com/ntw2k/source/filemon.shtml [sysinternals.com]
Filemon shows all filesystem access, so you can see which files programs are accessing. I have found it very useful in diagnosing software problems and fighting spyware.

Regmon
http://www.sysinternals.com/ntw2k/source/regmon.shtml [sysinternals.com]
Like Filemon, but for registry access. Shows keys being read and created.

Pagedefrag
http://www.sysinternals.com/ntw2k/freeware/pagedefrag.shtml [sysinternals.com]
Defrags the registry hive (most of the registry is stored on disk but is not typically defragmented by many tools) and paging file.

Also many others here:
http://www.sysinternals.com/ntw2k/utilities.shtml [sysinternals.com]

IMHO any Windows admin should have this stuff installed. Many of the utils come with source code.
--------------------

OSX definitely has some positives.
(Score:4, Informative)
by nortcele (186941) on Friday February 18, @04:41PM (#11716422)
OSX is more secure in many ways. For those that know what they are doing... (they usually don't get infected but that's beside the point) you can use the "chflags schg" command as root to lock a file so that it cannot be modified. The flag can only be cleared in single-user mode. Standard Linux distros with ext2/ext3/reiserfs don't have that. I'm not really up to speed on WinXP or 2003, so I don't know if they have a single-user mode (or a real multi-user mode). But OSX can be hardened to where you can be sure the kernel or critical libs cannot be updated.
-----------------------

Re:Argument for Partitioning
(Score:5, Informative)
by slaker (53818) on Friday February 18, @04:15PM (#11716080)
There does exist a tool called "linkd" in the Windows 2003 Server resource kit, which allows you to set mount points via the command line.

So you install a system. Use two partitions. Pull the drive. Install the 2nd drive on a working Windows machine. Copy the "Documents and Settings" to the second partition of the newly installed drive. Then use linkd to create a "Documents and Settings" mount point from one partition to the other.

As a semi-serious builder/hobbyist, when I build a system, I use preconfigured sysprep images where I have already done this (the mount point linkage IS copied by programs like ghost that support NTFS5). I can restore a single partition or the whole disk. Either way. I distribute a restore DVD to my customers that can fix their spyware- and virus-hosed Windows installs without killing all the pictures they took with their digital camera etc.

It took me a bit of fiddling to make sure I have the process right, but for the number of times it's saved me two hours' work, I almost want to cry.
--------------------

Bruce Schneier on the Prototype Detection Tool
(Score:5, Informative)
by Noksagt (69097) on Friday February 18, @04:04PM (#11715927)
Bruce covered the tool in a recent post [schneier.com] on his blog. He says:

This is a really interesting technical report from Microsoft. It describes a clever prototype -- called GhostBuster -- they developed for detecting arbitrary persistent and stealthy software, such as rootkits, Trojans, and software keyloggers. It's a really elegant idea, based on a simple observation: the rootkit must exist on disk to be persistent, but must lie to programs running within the infected OS in order to hide.

Here's how it works: The user has the GhostBuster program on a CD. He sticks the CD in the drive, and from within the (possibly corrupted) OS, the checker program runs: stopping all other user programs, flushing the caches, and then doing a complete checksum of all files on the disk and a scan of any registry keys that could autostart the system, writing out the results to a file on the hard drive.

Then the user is instructed to press the reset button, the CD boots its own OS, and the scan is repeated. Any differences indicate a rootkit or other stealth software, without the need for knowing what particular rootkits are or the proper checksums for the programs installed on disk.

Simple. Clever. Elegant.

In order to fool GhostBuster, the rootkit must 1) detect that such a checking program is running and either not lie to it or change the output as it's written to disk (in the limit this becomes the halting problem for the rootkit designer), 2) integrate into the BIOS rather than the OS (tricky, platform specific, and not always possible), or 3) give up on either being persistent or stealthy. Thus this doesn't eliminate rootkits entirely, but is a pretty mortal blow to persistent rootkits.

Of course, the concept could be adopted for any other operating system as well.

This is a great idea, but there's a huge problem. GhostBuster is only a research prototype, so you can't get a copy. And, even worse, Microsoft has no plans to turn it into a commercial tool.

This is too good an idea to abandon. Microsoft, if you're listening, you should release this tool to the world. Make it public domain. Make it open source, even. It's a great idea, and you deserve credit for coming up with it.

Any other security companies listening? Make and sell one of these. Anyone out there looking for an open source project? Here's a really good one.

Note: I have no idea if Microsoft patented this idea. If they did and they don't release it, shame on them. If they didn't, good for them.

----------------------

Hmm
(Score:5, Informative)
by ctr2sprt (574731) on Friday February 18, @04:17PM (#11716121)
Maybe I'm missing something, but this doesn't seem like anything new. Google for HackerDefender, I'm sure you'll find some relevant links. It intercepts the appropriate system calls to make itself completely invisible: it hides its processes as it's running, it hides the services that start them, etc. I've been seeing it on my employer's Windows servers for quite some time. There are ways to clean it, though they could of course be circumvented as well. The foolproof way to remove it is to boot from a special Windows boot CD and delete the files it uses.

Unless there's something really new and complex going on here, not only is this not new, but IT professionals already have ways of dealing with it. In our case, on a live system with one reboot required. I wouldn't call it minor, certainly (10 minutes of downtime is 10 minutes of downtime), but... hell, if script kiddies have been using this for months and months...

------------------

Already in the wild?
(Score:4, Interesting)
by kilocomp (234607) on Friday February 18, @04:57PM (#11716614)
One of the computers I support had a very nasty piece of spyware. I am not sure if it was exploiting the same things described by Microsoft, but it had the following symptoms:
1. The process would not show up in task manager
2. The related files would not show up in Explorer
3. The related registry keys did not show up in regedit
4. It somehow was being called by Winlogon, so it ran even in safe mode.

The way I detected it was by using several Sysinternals utilities http://www.sysinternals.com/ [sysinternals.com]. I have a script that uses pslist to monitor all processes on the network and this spyware was not smart enough to hide from that. A remote regedit session enabled you to see the related registry files. I had to use BartPE http://www.nu2.nu/pebuilder/ [nu2.nu] to mount the drive and clean out the related files and registry ke
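The cross-view idea behind both the GhostBuster post above and this comment's pslist-versus-Task-Manager comparison, as an added example (not Microsoft's prototype and not any Sysinternals tool): two manifests of the same disk and autostart entries, one recorded inside the running OS and one from a clean boot, are diffed, and whatever only the clean-boot view can see is flagged. All paths, digests and autostart names in it are constructed sample data.

```python
"""Cross-view diff of the kind the GhostBuster post describes: a scan taken
inside the running (possibly rootkitted) OS is compared with a scan of the
same disk taken from a clean boot CD. Added example, not Microsoft's tool;
all paths, digests and autostart entries below are constructed sample data."""
import hashlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(root: Path) -> dict[str, str]:
    """One view: relative path -> digest for every regular file under root.
    Run it once inside the OS and once from the clean boot with the volume mounted."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def cross_view_diff(inside: dict[str, str], clean: dict[str, str]) -> dict[str, list[str]]:
    """Compare two views of the same namespace (file digests or autostart entries)."""
    return {
        # seen only from the clean boot: the classic hidden-file signature
        "hidden": sorted(k for k in clean if k not in inside),
        # present in both views but with different content: the inside view is lying
        "modified": sorted(k for k in clean if k in inside and inside[k] != clean[k]),
        # reported inside but absent from the disk: rare, but worth a look
        "phantom": sorted(k for k in inside if k not in clean),
    }


# Constructed sample views standing in for the two saved scan result files.
INSIDE_FILES = {r"WINDOWS\system32\kernel32.dll": "aa11", r"WINDOWS\explorer.exe": "bb22"}
CLEAN_FILES = {**INSIDE_FILES, r"WINDOWS\system32\drivers\sample_stealth.sys": "cc33"}
INSIDE_RUN = {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
CLEAN_RUN = {**INSIDE_RUN, "sample_entry": r"C:\WINDOWS\system32\drivers\sample_stealth.sys"}


def sample_report() -> dict[str, dict[str, list[str]]]:
    """Diff both namespaces; a real run would load the two saved manifests instead."""
    return {"files": cross_view_diff(INSIDE_FILES, CLEAN_FILES),
            "autostart": cross_view_diff(INSIDE_RUN, CLEAN_RUN)}
```

An empty report from a system that is known to be infected means the stealth software is hiding from the outside view too, which is exactly the BIOS-level or scan-aware case the Schneier post lists.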
----------
Re:Ok...
(Score:5, Informative)
by Zocalo (252965) on Friday February 18, @04:17PM (#11716114)
Actually, most *NIX rootkits have been intercepting system calls to the kernel and replacing common command tools that might be used to detect and remove them for ages. I haven't heard of one that can avoid detection by the likes of Chkrootkit [freshmeat.net] and Rootkit Hunter [freshmeat.net] yet, other than by being brand new of course. Naturally, that doesn't automatically mean that it's impossible to write one though.
--------------------

Reputation Counts
(Score:5, Insightful)
by Ridgelift (228977) on Wednesday February 23, @11:26AM (#11755485)
Mark Russinovich and Bryce Cogswell have been providing invaluable tools for years. Even if Microsoft released a rootkit detection package tomorrow, I would still use Sysinternals' over anything Microsoft provides because "there is no anonymous team of programmers or writers behind Sysinternals" [sysinternals.com]. They put their name on everything they give away and sell.

When it comes to trust, people put their names on things they know are trustworthy. I can't count the number of times I've felt betrayed by Microsoft's products not doing what they're supposed to do, only to discover a flaw in their product that they knew about but didn't tell so as not to affect sales. I also can't count the number of times utilities such as NTFS for DOS [sysinternals.com] have saved my butt in the field.

Way to go Sysinternals.
--------------------

Microsoft BSA
(Score:5, Informative)
by TheFlyingGoat (161967) on Wednesday February 23, @11:19AM (#11755415)
While you're at it, download the Microsoft Baseline Security Tool [microsoft.com]. It's not quite the same, but it's an excellent tool for anyone looking to make their Windows box more secure. It can also scan computers on your network (that you have rights on), so you can easily find all the Windows boxes on your network that aren't up to date on their patches, have Guest accounts enabled, or other bad things.
--------------------

This proves once more...
(Score:4, Interesting)
by Spy der Mann (805235) on Friday February 18, @04:55PM (#11716590)
how flawed this operating system is.

Flaw #1: Any app can make arbitrary changes to the registry.
Flaw #2: Any app can make arbitrary changes to the system files.
Flaw #3: There is no "safe-mode" for core utilities, that would bypass any hijacking of system calls.

Now can anybody explain to me what was the point of having "system, readonly" attributes, if they can just be turned off?

Bill Gates never wanted to admit it. But this is just proof that Windows is nothing but MS-DOS "on steroids".

Till a few days ago, I thought Linux would be the doom of Microsoft, defeating it like David defeated Goliath. But it turns out... Goliath is about to die from a genetic anomaly. His very nature gave him a short lifespan.

Oh joy...
--------
