alt.computer.security

#1
09-28-2005, 10:52 PM
Imhotep
No Defense Against Windows Rootkits?

"Spyware bad guys (and also phishing people) started using rootkits
technology to stay hidden in a system. The problem is that at the moment
the technology to defend a Windows system from these things is very poor.
In fact antivirus companies have just started adding basic anti-rootkits
technology. So the problem is serious, and well outlined by this question:
Is the closed source code of Windows preventing us from actively defending
our systems?"


http://www.viruslist.com/en/analysis?pubid=168740859


Imhotep

#2
09-28-2005, 11:10 PM
Hairy One Kenobi
Re: No Defense Against Windows Rootkits?

"Imhotep" <Imhotep@nospam.net> wrote in message
news:KfCdnRIjyucGg6beRVn-jQ@adelphia.com...
> Is the closed source code of Windows preventing us from actively defending
> our systems?"


> http://www.viruslist.com/en/analysis?pubid=168740859


No.

(But only if you bother reading the article, as opposed to an unattributed
"source").

Bad data in = bad data out ;o)

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!



#3
09-28-2005, 11:25 PM
nemo_outis
Re: No Defense Against Windows Rootkits?

Imhotep <Imhotep@nospam.net> wrote in
news:KfCdnRIjyucGg6beRVn-jQ@adelphia.com:

> "Spyware bad guys (and also phishing people) started using rootkits
> technology to stay hidden in a system. The problem is that at the
> moment the technology to defend a Windows system from these things is
> very poor. In fact antivirus companies have just started adding basic
> anti-rootkits technology. So the problem is serious, and well outlined
> by this question: Is the closed source code of Windows preventing us
> from actively defending our systems?"
>
>
> http://www.viruslist.com/en/analysis?pubid=168740859
>
>
> Imhotep
>



IMHO (although I'm hardly humble) the question of open-source is largely
irrelevant to the issue of rootkits. FWIW (doncha love acronyms?) the
concept of rootkits was imported to Windows from the *nix world.

Unix or Windows rootkits operate at the level of binaries. Where the
binaries come from (open- or closed-source) is immaterial.

Regards,

PS Full HD OTFE encryption provides a large measure of protection
(although not complete protection) against rootkits and other malware.

PPS The only complete protection (passing over hardware tampering such as
compromised BIOSs) is something like hash-checking essential files after
booting from a known-good CD.



#4
09-29-2005, 01:03 AM
Imhotep
Re: No Defense Against Windows Rootkits?

nemo_outis wrote:

> Imhotep <Imhotep@nospam.net> wrote in
> news:KfCdnRIjyucGg6beRVn-jQ@adelphia.com:
>
>> "Spyware bad guys (and also phishing people) started using rootkits
>> technology to stay hidden in a system. The problem is that at the
>> moment the technology to defend a Windows system from these things is
>> very poor. In fact antivirus companies have just started adding basic
>> anti-rootkits technology. So the problem is serious, and well outlined
>> by this question: Is the closed source code of Windows preventing us
>> from actively defending our systems?"
>>
>>
>> http://www.viruslist.com/en/analysis?pubid=168740859
>>
>>
>> Imhotep
>>

>
>
> IMHO (although I'm hardly humble) the question of open-source is largely
> irrelevant to the issue of rootkits. FWIW (doncha love acronyms?) the
> concept of rootkits was imported to Windows from the *nix world.


Ah...ok...not sure what that has to do with the article but, yes, you are
correct, rootkits were first developed on UNIX...again not sure what that
has to do with the article or what the hell FWIW means....

> Unix or Windows rootkits operate at the level of binaries. Where the
> binaries come from (open- or closed-source) is immaterial.


Ah...ok...again not sure what that has to do with the article or what point
you are trying to make...


> Regards,
>
> PS Full HD OTFE encryption provides a large measure of protection
> (although not complete protection) against rootkits and other malware.


Another is *not* running users' accounts with any privileges...which is one
of the easiest (well, if you use UNIX/Linux/BSD) things you can do.

> PPS The only complete protection (passing over hardware tampering such as
> compromised BIOSs) is something like hash-checking essential files after
> booting from a known-good CD.


Sure, but that would be a real pain-in-the-*** to do every time you boot.
Also, if you do not reboot frequently, that measure becomes useless (i.e. you
need to reboot with a CD with the saved file hashes to detect a break-in
after the fact).

Im

#5
09-29-2005, 01:04 AM
speeder
Re: No Defense Against Windows Rootkits?

On 28 Sep 2005 23:25:59 GMT, "nemo_outis" <abc@xyz.com> wrote:

>PPS The only complete protection (passing over hardware tampering such as
>compromised BIOSs) is something like hash-checking essential files after
>booting from a known-good CD.


Something like Tripwire? What would be the equivalent for Windows?

#6
09-29-2005, 01:05 AM
Imhotep
Re: No Defense Against Windows Rootkits?

Hairy One Kenobi wrote:

> "Imhotep" <Imhotep@nospam.net> wrote in message
> news:KfCdnRIjyucGg6beRVn-jQ@adelphia.com...
>> Is the closed source code of Windows preventing us from actively
>> defending our systems?"

>
>> http://www.viruslist.com/en/analysis?pubid=168740859

>
> No.
>
> (But only if you bother reading the article, as opposed to an unattributed
> "source").
>
> Bad data in = bad data out ;o)
>


The "" generally means it is a quote from some source...if you do not like
his/her comments write them. ;-O

Im

#7
09-29-2005, 01:27 AM
Imhotep
Re: No Defense Against Windows Rootkits?

speeder wrote:

> On 28 Sep 2005 23:25:59 GMT, "nemo_outis" <abc@xyz.com> wrote:
>
>>PPS The only complete protection (passing over hardware tampering such as
>>compromised BIOSs) is something like hash-checking essential files after
>>booting from a known-good CD.

>
> Something like Tripwire? What would be the equivalent for Windows?


The problem that exists is this. An application is generally requesting
(using) a kernel API in some way-shape-or-form. In other words, the
application is not looking directly at the file on the disk. So,
if a rootkit is installed, and you are running a security app like Tripwire
on the same infected machine, then it really is useless (you're asking the
rootkit if the system is infected). That is why the other poster said
"...booting from known-good cd".

Im
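The hash-checking-from-known-good-media approach described in the PPS quoted above and in this post, as an added example (not code from the thread, from Tripwire, or from any poster): a small Tripwire-style baseline-and-verify script in Python. The directory layout, file names and file contents are constructed for the demo; the baseline store stands in for the write-protected CD, and the verifier is assumed to run from that trusted environment rather than on the live, possibly rootkitted system.

```python
"""Tripwire-style baseline-and-verify of "essential files".

Added example, not code from the thread or from Tripwire. It builds a
SHA-256 baseline of every regular file under a root directory and later
compares the live tree against it, reporting modified, missing and new
files. As the thread points out, the result is only trustworthy when the
baseline is stored on, and the verifier runs from, media the running
system cannot alter: a kernel-level rootkit on the live machine can lie
to any program that reads files through the OS API.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries need little memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to hash and size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with a saved baseline; lists are sorted for stable output."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current
                           and current[k]["sha256"] != baseline[k]["sha256"]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    # In real use dest lives on write-protected media (CD, locked USB stick);
    # a baseline kept on the monitored disk can be rewritten by the rootkit.
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake system directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"          # constructed stand-in, not a real system dir
        root.mkdir()
        (root / "userinit.exe").write_bytes(b"clean userinit stub")   # constructed content
        (root / "ntoskrnl.exe").write_bytes(b"clean kernel stub")     # constructed content
        (root / "drivers").mkdir()
        (root / "drivers" / "disk.sys").write_bytes(b"clean driver stub")

        store = Path(tmp) / "baseline.json"   # stands in for the known-good CD
        save_baseline(build_baseline(root), store)

        # Simulate what the thread describes happening between reboots: a
        # replaced userinit.exe, a dropped driver, and a removed file.
        (root / "userinit.exe").write_bytes(b"clean userinit stub" + b"\x90")
        (root / "drivers" / "rootkit.sys").write_bytes(b"new driver stub")
        (root / "drivers" / "disk.sys").unlink()

        return verify(root, load_baseline(store))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9s} {files}")
```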

#8
09-29-2005, 02:04 AM
Jim Byrd
Re: No Defense Against Windows Rootkits?

Hi Imhotep - FYI, just in case you were unaware of it. The following is
from my Blog, addy in my Signature below:


"Either run on-line at the first link or download (thus saving for future
use) and run the Microsoft Malicious Software Removal Tool, here:

http://www.microsoft.com/security/ma...e/default.mspx and here:
http://www.microsoft.com/security/ma.../families.mspx

This tool addresses a number of the worst virus and worm families/variants
including a number of the Hacker Defender rootkits. It is updated on the
second Tuesday of the month and should be re-downloaded and re-run then each
time as well as when you suspect problems."


--
Regards, Jim Byrd, MS-MVP
My Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/

"Imhotep" <Imhotep@nospam.net> wrote in message
news:nLednRXK2Ppz36beRVn-rA@adelphia.com
> speeder wrote:
>
>> On 28 Sep 2005 23:25:59 GMT, "nemo_outis" <abc@xyz.com> wrote:
>>
>>> PPS The only complete protection (passing over hardware tampering such as
>>> compromised BIOSs) is something like hash-checking essential files after
>>> booting from a known-good CD.

>>
>> Something like Tripwire? What would be the equivalent for Windows?

>
> The problem that exists is this. An application is generally requesting
> (using) a kernel API in some way-shape-or-form. In other words, the
> application is not looking directly at the file on the disk. So,
> if a rootkit is installed, and you are running a security app like Tripwire
> on the same infected machine, then it really is useless (you're asking the
> rootkit if the system is infected). That is why the other poster said
> "...booting from known-good cd".
>
> Im




#9
09-29-2005, 02:12 AM
nemo_outis
Re: No Defense Against Windows Rootkits?

Imhotep <Imhotep@nospam.net> wrote in
news:_YednWF3VdbaoKbeRVn-3w@adelphia.com:

> nemo_outis wrote:
>
>> Imhotep <Imhotep@nospam.net> wrote in
>> news:KfCdnRIjyucGg6beRVn-jQ@adelphia.com:
>>
>>> "Spyware bad guys (and also phishing people) started using rootkits
>>> technology to stay hidden in a system. The problem is that at the
>>> moment the technology to defend a Windows system from these things
>>> is very poor. In fact antivirus companies have just started adding
>>> basic anti-rootkits technology. So the problem is serious, and well
>>> outlined by this question: Is the closed source code of Windows
>>> preventing us from actively defending our systems?"
>>>
>>>
>>> http://www.viruslist.com/en/analysis?pubid=168740859
>>>
>>>
>>> Imhotep
>>>

>>
>>
>> IMHO (although I'm hardly humble) the question of open-source is
>> largely irrelevant to the issue of rootkits. FWIW (doncha love
>> acronyms?) the concept of rootkits was imported to Windows from the
>> *nix world.

>
> Ah...ok...not sure what that has to do with the article but, yes, you
> are correct rootkits were first developed on UNIX...again not sure
> what that has to do with the article or what the hell FWIW means....



Perhaps I misread your post - did you not frame the central question in
terms of Windows being closed-source?

But, no, I see I did NOT misread your post - that is indeed how you
framed the question. And the point of my response was that framing the
problem that way is unhelpful - a red herring, in fact. Open- or closed-
source has very little to do with the problem of rootkits - or with
solutions.

In fact, rootkits are common on many of the open-source *nices (and have
"migrated" to closed-source Windows only relatively recently). The
*nices are where rootkits first came to prominence, emphasizing my point
that open- or closed-source is hardly the central aspect.

So what part of my point did you find confusing or unclear?



Incidentally, FWIW means "for what it's worth." I would have expected
an old-timer to be familiar with acronyms and buzzwords, but, if not, let
me refer you to, for instance:

http://kb.iu.edu/data/adkc.html



>> Unix or Windows rootkits operate at the level of binaries. Where the
>> binaries come from (open- or closed-source) is immaterial.

>
> Ah...ok...again not sure what that has to do with the article or what
> point your are trying to make...



Again, my point is that open- or closed-source is not the key aspect. A
rootkit compromises the OS at the executable binaries level and NOT at
the source-code level.




>> Regards,
>>
>> PS Full HD OTFE encryption provides a large measure of protection
>> (although not complete protection) against rootkits and other
>> malware.

>
> Another is *not* running user's accounts with any privileges...which
> is one of the easiest (well, if you use UNIX/Linux/BSD) things you can
> do.
>
>> PPS The only complete protection (passing over hardware tampering
>> such as compromised BIOSs) is something like hash-checking essential
>> files after booting from a known-good CD.

>
> Sure, but that would be a real pain-in-the-*** to do every time you
> boot. Also, if you do not reboot frequently, that measure becomes
> useless (i.e. you need to reboot with a CD with the saved file hashes to
> detect a break-in after the fact).



There are a number of protections that can be applied against rootkits:
before, during, or after the fact.

Windows, whatever its other deficiencies, has rich and sophisticated
permissions, policies, and control mechanisms - every bit the match of
the *nices. While I concede unhesitatingly that most users don't use
them and often run naked in admin mode, that is not an inherent flaw of
the OS.

Next: If you do not have constant control and custody of the machine,
there is a significant risk that someone can manually install a rootkit,
no matter what permission mechanisms the OS invokes when running. Full
OTFE HD encryption is a significant protection against this major class
of risk any time the system is not running! The alternative is
validating everything from known-good sources before each boot (or just
taking your chances, I suppose).

Regards,



#10
09-29-2005, 02:22 AM
Imhotep
Re: No Defense Against Windows Rootkits?

Jim Byrd wrote:

> Hi Imhotep - FYI, just in case you were unaware of it. The following is
> from my Blog, addy in my Signature below:
>
>
> "Either run on-line at the first link or download (thus saving for future
> use) and run the Microsoft Malicious Software Removal Tool, here:
>
> http://www.microsoft.com/security/ma...e/default.mspx and here:
> http://www.microsoft.com/security/ma.../families.mspx
>
> This tool addresses a number of the worst virus and worm families/variants
> including a number of the Hacker Defender rootkits. It is updated on the
> second Tuesday of the month and should be re-downloaded and re-run then
> each time as well as when you suspect problems."
>
>


Thanks for the info. I do not use Windows but, I am sure it will help other
people here. Do you mind if I cut and paste your links for the next "virus
help" question? :-)

Im

#11
09-29-2005, 02:52 AM
lloyd.frombriz@caramail.com
Re: No Defense Against Windows Rootkits?

Re: the M$RT, FYI it claimed to have completely cleaned Win32/Gael.a,
but when I rebooted it had *not* cleaned
c:\windows\system32\userinit.exe, which then proceeded to re-infect the
whole machine. Re-booting in safe mode with command prompt, and
killing the userinit process, it was possible to copy a clean userinit
from write-protected flashdisk (floppy works too) right over the
infected one. Haven't had any dramas since *fingers crossed*.


#12
09-29-2005, 03:58 AM
Jim Byrd
Re: No Defense Against Windows Rootkits?

Hi Imhotep - Not at all - the principal purpose of that Blog is to help
people with malware issues. However, there are a number of other virus and
trojan related tools identified therein as well, and I do try to keep it
updated, so I would suggest that you point them to the whole Blog rather
than (or at least in addition to) just the MSRT links, if that's what you
meant. :)

--
Regards, Jim Byrd, MS-MVP
My Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/

"Imhotep" <Imhotep@nospam.net> wrote in message
news:L8CdnXrWi4tP0qbeRVn-tw@adelphia.com
> Jim Byrd wrote:
>
>> Hi Imhotep - FYI, just in case you were unaware of it. The following is
>> from my Blog, addy in my Signature below:
>>
>>
>> "Either run on-line at the first link or download (thus saving for future
>> use) and run the Microsoft Malicious Software Removal Tool, here:
>>
>> http://www.microsoft.com/security/ma...e/default.mspx and here:
>> http://www.microsoft.com/security/ma.../families.mspx
>>
>> This tool addresses a number of the worst virus and worm families/variants
>> including a number of the Hacker Defender rootkits. It is updated on the
>> second Tuesday of the month and should be re-downloaded and re-run then
>> each time as well as when you suspect problems."
>>
>>

>
> Thanks for the info. I do not use Windows but, I am sure it will help other
> people here. Do you mind if I cut and paste your links for the next "virus
> help" question? :-)
>
> Im




#13
09-29-2005, 04:14 AM
Imhotep
Re: No Defense Against Windows Rootkits?

Jim Byrd wrote:

> Hi Imhotep - Not at all - the principal purpose of that Blog is to help
> people with malware issues. However, there are a number of other virus
> and trojan related tools identified therein as well, and I do try to keep
> it updated, so I would suggest that you point them to the whole Blog
> rather than (or at least in addition to) just the MSRT links, if that's
> what you
> meant. :)
>


You use adelphia? Are you in Florida?

Im

#14
09-29-2005, 05:00 AM
Imhotep
Re: No Defense Against Windows Rootkits?

<snip>
>
> Perhaps I misread your post - did you not frame the central question in
> terms of Windows being closed-source?
>
> But, no, I see I did NOT misread your post - that is indeed how you
> framed the question. And the point of my response was that framing the
> problem that way is unhelpful - a red herring, in fact. Open- or closed-
> source has very little to do with the problem of rootkits - or with
> solutions.


Do you generally quote yourself? Neither do I. That was the introduction of
the story where I first came across the article...hence the quotes.

"Spyware bad guys (and also phishing people) started using rootkits
technology to stay hidden in a system. The problem is that at the moment
the technology to defend a Windows system from these things is very poor.
In fact antivirus companies have just started adding basic anti-rootkits
technology. So the problem is serious, and well outlined by this question:
Is the closed source code of Windows preventing us from actively defending
our systems?"

Although, I do believe in the merit of open source and open standards over
proprietary source and standards...


> In fact, rootkits are common on many of the open-source *nices (and have
> "migrated" to closed-source Windows only relatively recently). The
> *nices are where rootkits first came to prominence, emphasizing my point
> that open- or closed-source is hardly the central aspect.


No idea how this topic became an open source vs proprietary source
discussion...

Yes, rootkits first hit Unixes about 10 years ago when Windows 95 was just
new...now they are being used against Windows. Now, using *that* as a
justification for "...emphasizing my point that open- or closed-source is
hardly the central aspect" is weak at best.

> So what part of my point did you find confusing or unclear?


I understand your point, I just don't agree with it. There are many more
things to consider when comparing open standards/open source to proprietary
source/proprietary standards than just the history of rootkits...

>
>
> Incidentally, FWIW means "for what it's worth." I would have expected
> an old-timer to be familiar with acronyms and buzzwords, but, if not, let
> me refer you to, for instance:


Nah, I am not a member of the acronym fad group. I'll just spell it out,
thank you.

> http://kb.iu.edu/data/adkc.html
>
>
>
>>> Unix or Windows rootkits operate at the level of binaries. Where the
>>> binaries come from (open- or closed-source) is immaterial.

>>
>> Ah...ok...again not sure what that has to do with the article or what
>> point your are trying to make...

>
>
> Again, my point is that open- or closed-source is not the key aspect. A
> rootkit compromises the OS at the executable binaries level and NOT at
> the source-code level.


All binaries are "born" from source :-)

>
>
>
>
>>> Regards,
>>>
>>> PS Full HD OTFE encryption provides a large measure of protection
>>> (although not complete protection) against rootkits and other
>>> malware.

>>
>> Another is *not* running user's accounts with any privileges...which
>> is one of the easiest (well, if you use UNIX/Linux/BSD) things you can
>> do.
>>
>>> PPS The only complete protection (passing over hardware tampering
>>> such as compromised BIOSs) is something like hash-checking essential
>>> files after booting from a known-good CD.

>>
>> Sure, but that would be a real pain-in-the-*** to do every time you
>> boot. Also, if you do not reboot frequently, that measure becomes
>> useless (i.e. you need to reboot with a CD with the saved file hashes to
>> detect a break-in after the fact).

>
>
> There are a number of protections that can be applied against rootkits:
> before, during, or after the fact.
>
> Windows, whatever its other deficiencies, has rich and sophisticated
> permissions, policies, and control mechanisms - every bit the match of
> the *nices. While I concede unhesitatingly that most users don't use
> them and often run naked in admin mode, that is not an inherent flaw of
> the OS.


Honestly, I will take FreeBSD over MS whatever every time.

One of the more serious problems with Windows was how it, and third-party
software, did not address non-privileged users very well. This has resulted
in people running their accounts with local admin privs. Would you surf the
Internet logged in as admin? Why would you surf the web in *your*
account with admin privs since, really, they are the same account with
respect to system privileges....

The other problem with Microsoft is, frankly, they are too busy with other
projects to really make quality software. They are too busy, trying to
maintain too many markets and have become reliant on the attitude of "what
else are you going to run on your desktop?" This arrogance has caused them
to lose touch with their customer's needs.

> Next: If you do not have constant control and custody of the machine,
> there is a significant risk that someone can manually install a rootkit,
> no matter what permission mechanisms the OS invokes when running. Full
> OTFE HD encryption is a significant protection against this major class
> of risk any time the system is not running! The alternative is
> validating everything from known-good sources before each boot (or just
> taking your chances, I suppose).
>
> Regards,


Im

#15
09-29-2005, 05:20 AM
nemo_outis
Re: No Defense Against Windows Rootkits?

Imhotep <Imhotep@nospam.net> wrote in
news:D4idnWCZ0tGe6KbeRVn-jg@adelphia.com:

> <snip>
>>
>> Perhaps I misread your post - did you not frame the central question
>> in terms of Windows being closed-source?
>>
>> But, no, I see I did NOT misread your post - that is indeed how you
>> framed the question. And the point of my response was that framing
>> the problem that way is unhelpful - a red herring, in fact. Open- or
>> closed- source has very little to do with the problem of rootkits -
>> or with solutions.

>
> Do you generally quote yourself? Neither do I. That was the
> introduction of the story where I first came across the
> article...hence the quotes.




Perhaps that was the intro where you first came across the story but there
was NO such quote in the url you cited:

http://www.viruslist.com/en/analysis?pubid=168740859

Regards,


#16
09-29-2005, 07:40 AM
Jim Byrd
Re: No Defense Against Windows Rootkits?

Nope, Anaheim, CA :)

--
Regards, Jim Byrd, MS-MVP
My Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/

"Imhotep" <Imhotep@nospam.net> wrote in message
news:sNWdnfv1EOez96beRVn-sA@adelphia.com
> Jim Byrd wrote:
>
>> Hi Imhotep - Not at all - the principal purpose of that Blog is to help
>> people with malware issues. However, there are a number of other virus
>> and trojan related tools identified therein as well, and I do try to keep
>> it updated, so I would suggest that you point them to the whole Blog
>> rather than (or at least in addition to) just the MSRT links, if that's
>> what you
>> meant. :)
>>

>
> You use adelphia? Are you in Florida?
>
> Im




#17
09-29-2005, 10:44 AM
Hairy One Kenobi
Re: No Defense Against Windows Rootkits?

"Imhotep" <Imhotep@nospam.net> wrote in message
news:_YednWB3VdZloKbeRVn-3w@adelphia.com...
> Hairy One Kenobi wrote:
>
> > "Imhotep" <Imhotep@nospam.net> wrote in message
> > news:KfCdnRIjyucGg6beRVn-jQ@adelphia.com...
> >> Is the closed source code of Windows preventing us from actively
> >> defending our systems?"

> >
> >> http://www.viruslist.com/en/analysis?pubid=168740859

> >
> > No.
> >
> > (But only if you bother reading the article, as opposed to an unattributed
> > "source").
> >
> > Bad data in = bad data out ;o)
> >

>
> The "" generally means it is a quote from some source...if you do not like
> his/her comments write them. ;-O


The convention is that anything quoted is, indeed, written in quotes. And
then a link provided to the article *quoted*.

AFAIK, it has never been convention to post a quote and then cite something
completely unrelated... and, as has been pointed out, the article is utterly at
odds with its "intro", except when viewed through the most rose-tinted of
spectacles ;o)

Incidentally (I'm being lazy, and only posting the once) the argument
between elevated vs. non-elevated privileges is also a little spurious. Yes,
running "naked" admin can get you a whole host of additional vectors, but it
is utterly irrelevant to the actual installation of a rootkit.

To use the inevitable car analogy, it's the nail in your tyre that causes
the puncture, not which route you chose to drive back from work.

Pedant, moi? :o)

H1K



#18
09-29-2005, 02:46 PM
nemo_outis
Re: No Defense Against Windows Rootkits?

"Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in
news:sAP_e.2893$9l4.314@newsfe4-win.ntli.net:

>
> Pedant, moi? :o)
>
> H1K




After being chided for ending a sentence with a preposition, Churchill
responded dryly, "That is the sort of arrant pedantry up with which I shall
not put."

Regards,


#19
09-30-2005, 01:17 AM
Winged
Re: No Defense Against Windows Rootkits?

speeder wrote:
> On 28 Sep 2005 23:25:59 GMT, "nemo_outis" <abc@xyz.com> wrote:
>
>
>>PPS The only complete protection (passing over hardware tampering such as
>>compromised BIOSs) is something like hash-checking essential files after
>>booting from a known-good CD.

>
>
> Something like Tripwire? What would be the equivalent for Windows?

Tripwire

#20
09-30-2005, 03:23 AM
Jim Byrd
Re: No Defense Against Windows Rootkits?

An additional FYI, courtesy of MVP Steve Winograd:


The beta version of F-Secure BlackLight rootkit remover, which had been
set to expire on October 1, has been extended to January 1. You can
download the new version here:

http://www.f-secure.com/blacklight/try.shtml


--
Regards, Jim Byrd, MS-MVP
My Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/

"Jim Byrd" <jrbyrd@spamlessadelphia.net> wrote in message
news:YtednWy_l_411qbeRVn-tA@adelphia.com
> Hi Imhotep - FYI, just in case you were unaware of it. The following is
> from my Blog, addy in my Signature below:
>
>
> "Either run on-line at the first link or download (thus saving for future
> use) and run the Microsoft Malicious Software Removal Tool, here:
>
> http://www.microsoft.com/security/ma...e/default.mspx and here:
> http://www.microsoft.com/security/ma.../families.mspx
>
> This tool addresses a number of the worst virus and worm families/variants
> including a number of the Hacker Defender rootkits. It is updated on the
> second Tuesday of the month and should be re-downloaded and re-run then each
> time as well as when you suspect problems."
>
>
>
> "Imhotep" <Imhotep@nospam.net> wrote in message
> news:nLednRXK2Ppz36beRVn-rA@adelphia.com
>> speeder wrote:
>>
>>> On 28 Sep 2005 23:25:59 GMT, "nemo_outis" <abc@xyz.com> wrote:
>>>
>>>> PPS The only complete protection (passing over hardware tampering such as
>>>> compromised BIOSs) is something like hash-checking essential files after
>>>> booting from a known-good CD.
>>>
>>> Something like Tripwire? What would be the equivalent for Windows?

>>
>> The problem that exists is this. An application is generally requesting
>> (using) a kernel API in some way-shape-or-form. In other words, the
>> application is not looking directly at the file on the disk. So,
>> if a rootkit is installed, and you are running a security app like Tripwire
>> on the same infected machine, then it really is useless (you're asking the
>> rootkit if the system is infected). That is why the other poster said
>> "...booting from known-good cd".
>>
>> Im




#21
10-02-2005, 11:28 PM
lloyd.frombriz@caramail.com
Re: No Defense Against Windows Rootkits?

Kewl, thanks for that! :-)

