Rootkitware... how are regular people supposed to cope?

Ariphaos
Jedi Council Member
Posts: 1739
Joined: 2005-10-21 02:48am
Location: Twin Cities, MN, USA

Rootkitware... how are regular people supposed to cope?

Post by Ariphaos »

...besides get macs or linux?

So my sister put off updating Acrobat reader, and got infected with a rootkit through a pdf file. The rootkit binds itself to the filesystem, and is loaded with the file system - my previous trick of safe-mode-command-prompt no longer works with these, though ComboFix will still deal with them. Of course, since it still thinks it's a critical file, otherwise apparently innocuous edited files and drivers may remain, looking for these... and prevent loading Windows afterwards.

It does not stop there, however. Thanks to Microsoft's 'Kill Linux' efforts, it is possible to ensure that windows XP install discs (at least) simply will not function, through a disturbingly large variety of means. Sometimes it's trivial - you can tell any geek to delete obviously malformed files on the root of the drive... but a broken MBR?

This problem seems fundamental to how Windows currently works. It's not going to go away, and it's not going to get any easier. This is insane.
Give fire to a man, and he will be warm for a day.
Set him on fire, and he will be warm for life.
Beowulf
The Patrician
Posts: 10619
Joined: 2002-07-04 01:18am
Location: 32ULV

Re: Rootkitware... how are regular people supposed to cope?

Post by Beowulf »

Broken MBR? fixmbr

And then you flatten and reinstall, and patch everything back to normalcy.
"preemptive killing of cops might not be such a bad idea from a personal saftey[sic] standpoint..." --Keevan Colton
"There's a word for bias you can't see: Yours." -- William Saletan
Andrew_Fireborn
Jedi Knight
Posts: 799
Joined: 2007-02-12 06:50am

Re: Rootkitware... how are regular people supposed to cope?

Post by Andrew_Fireborn »

... Christ... I already had enough reason to hate PDFs. But that's some seriously strong virality.
Rule one of Existence: Never, under any circumstances, underestimate stupidity. As it will still find ways to surprise you.
Kitsune
Sith Devotee
Posts: 3412
Joined: 2003-04-05 10:52pm
Location: Foxes Den

Re: Rootkitware... how are regular people supposed to cope?

Post by Kitsune »

Does it just go through Adobe or does it go through Foxit as well?
"He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty, he establishes a precedent that will reach to himself."
Thomas Paine

"For the living know that they shall die: but the dead know not any thing, neither have they any more a reward; for the memory of them is forgotten."
Ecclesiastes 9:5 (KJV)
Ariphaos
Jedi Council Member
Posts: 1739
Joined: 2005-10-21 02:48am
Location: Twin Cities, MN, USA

Re: Rootkitware... how are regular people supposed to cope?

Post by Ariphaos »

Beowulf wrote:Broken MBR? fixmbr

And then you flatten and reinstall, and patch everything back to normalcy.
You need to be able to run it. It busted the on-disk recovery console too. If you're going to flatten, it's fairly easy to clear the MBR via Linux, however.
Kitsune wrote:Does it just go through Adobe or does it go through Foxit as well?
I don't believe so, this took advantage of the flaw found in 8.11 and my sister hadn't updated.
Destructionator XIII wrote:Yeah, UNIX certainly doesn't have a problem with rootkits. In fact, it actually is fundamentally impossible for them to even be written, due to its vastly superior modular, orthogonal, stable, and secure design. On top of that, it is powerful and just a beauty to use and code for; it really is the answer to everyone's computer woes.
Something I want to point out over your sarcasm - it was Linux's lack of a microkernel structure that I was pining for throughout this. So I find your discussion of modularity amusing.
Stark wrote:'Rootkitware'? ROFFLE.
It was being used to drive some smitfraud type application, but was operating on an entirely new level above and beyond malware I'd seen before.
Give fire to a man, and he will be warm for a day.
Set him on fire, and he will be warm for life.
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Rootkitware... how are regular people supposed to cope?

Post by Dominus Atheos »

Destructionator XIII wrote:Yeah, UNIX certainly doesn't have a problem with rootkits. In fact, it actually is fundamentally impossible for them to even be written, due to its vastly superior modular, orthogonal, stable, and secure design. On top of that, it is powerful and just a beauty to use and code for; it really is the answer to everyone's computer woes.

Some people are, of course, stuck with Windows and its many faults, so you have to deal with this bullshit, but Linux to the rescue! You can always use a LiveCD to wipe the drive clean, allowing Windows to finally be reinstalled. Obviously, you'll want to keep backups though, which is just a good idea anyway given how riddled with security holes and generally fragile Windows is. If you don't have them, maybe you can retrieve at least some, if not most, of the data using a Linux LiveCD (again) before nuking the drive. There is a LiveCD available somewhere (I forget where; Linux gives you so much freedom to choose that I could never remember all the great options, but they are all free, so just search the web, and if it doesn't work, no big loss, just try another one) that has virus scanners built in. Definitely use one of those on any files recovered from the drive to ensure no malware will slip through to your new Windows install.

After you are back up and running, be sure to keep the backup files around, since we both know it is only a matter of time before the new Windows install will get compromised too, so you'll want to make the recovery process as easy as possible.
Are you being sarcastic? I mean, I know I think all that stuff you just said (about XP anyway), but I was under the impression you thought it was an okay operating system and that Linux was not the answer to everyone's computer woes. :?:

And for the record, I think the answer to everyone's computer woes is either Linux or Vista. This only happened because XP allows everything to run as admin by default, and any operating system that doesn't do this will fix most computer woes, except trojans, since third-party programs are always going to be a weak point in an OS, and if something can convince you to give it admin/root access, it can do anything it wants to your computer.
Stark
Emperor's Hand
Posts: 36169
Joined: 2002-07-03 09:56pm
Location: Brisbane, Australia

Re: Rootkitware... how are regular people supposed to cope?

Post by Stark »

DA, can you go into more detail with how this kind of threat interacts with UAC? I don't have any experience outside of home use with Vista, so I've never really looked at how current threats go splat against the security model.
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Rootkitware... how are regular people supposed to cope?

Post by Dominus Atheos »

Stark wrote:DA, can you go into more detail with how this kind of threat interacts with UAC? I don't have any experience outside of home use with Vista, so I've never really looked at how current threats go splat against the security model.
Sure. All programs under XP run with full administrator access to the entire computer, including system files, and can make any change they want to without the user even being aware. Under Vista, Linux, and Mac all programs run as a normal user, which means they can't make any changes that affect the entire system, only changes that affect that one user. If a program tries to make a change that affects the entire system, UAC and the Linux and Mac versions will stop it and ask the user whether they want to give that program permission to do that.

I don't know if you use Windows at work or ever at school, but any half-way competently set up business system will have all users run as users and only the system administrators have administrator access (thus the names). If you have used one of those systems, you should remember how every time you tried to install a program, change a system setting, or do anything to the c:\Windows directory, the system told you that you were not authorized to do that and to get an administrator if you wanted to do it. It's the exact same principle, except applied by default to every program on the computer.

It's the biggest security improvement to Windows and the biggest reason Mac and Linux were so superior to XP in terms of security. It's mind-bogglingly crazy that all programs under XP had unfettered access to the entire system without any sort of checks whatsoever.
Stark
Emperor's Hand
Posts: 36169
Joined: 2002-07-03 09:56pm
Location: Brisbane, Australia

Re: Rootkitware... how are regular people supposed to cope?

Post by Stark »

Heh. Yeah, I've worked with XP for years; I was curious to see how common XP-defeating exploits (like the primitive pdf thing in the OP) interact with UAC; I'm familiar with how user rights work. :) In a situation like the OP, would it throw up a UAC prompt? If so, that's a giant step forward but there's a good chance people would click on it anyway. I guess the Vista malware might detect it and block it silently, but as I said I don't have any commercial experience with Vista. Once you've UAC-authorised an application for xyz (an install, say) does that give the installer rights to do anything it wants? I'm interested to know what granularity it has.
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Rootkitware... how are regular people supposed to cope?

Post by Dominus Atheos »

Stark wrote:Heh. Yeah, I've worked with XP for years; I was curious to see how common XP-defeating exploits (like the primitive pdf thing in the OP) interact with UAC; I'm familiar with how user rights work. :) In a situation like the OP, would it throw up a UAC prompt?
Yes, it would throw up a UAC prompt in Vista and the equivalent prompt in Linux and Mac.
If so, that's a giant step forward but there's a good chance people would click on it anyway. I guess the Vista malware might detect it and block it silently, but as I said I don't have any commercial experience with Vista. Once you've UAC-authorised an application for xyz (an install, say) does that give the installer rights to do anything it wants? I'm interested to know what granularity it has.
No, unfortunately the security model doesn't have very much granularity. A program is either running with user permissions or admin permissions, and the same is true of Linux and Mac. Basically when Microsoft was working on Windows NT they copied over the security model from Unix that Linux and Mac are based on and Vista inherited that and was the first to apply it by default to every account. It could stand to be a lot more secure, but since it's "as good" as the competition I doubt Microsoft is ever going to do that.
Ariphaos
Jedi Council Member
Posts: 1739
Joined: 2005-10-21 02:48am
Location: Twin Cities, MN, USA

Re: Rootkitware... how are regular people supposed to cope?

Post by Ariphaos »

Stark wrote:Heh. Yeah, I've worked with XP for years; I was curious to see how common XP-defeating exploits (like the primitive pdf thing in the OP) interact with UAC; I'm familiar with how user rights work. :) In a situation like the OP, would it throw up a UAC prompt? If so, that's a giant step forward but there's a good chance people would click on it anyway. I guess the Vista malware might detect it and block it silently, but as I said I don't have any commercial experience with Vista. Once you've UAC-authorised an application for xyz (an install, say) does that give the installer rights to do anything it wants? I'm interested to know what granularity it has.
They either need to rely on the user disabling UAC (how often does that get recommended here?), on convincing the user to allow a bad change, or on somehow finding a way to bypass it.

The problem Microsoft has is a rather disturbing number of hardware and software companies simply do not get how big a problem that first item can become if that gets encouraged.
Give fire to a man, and he will be warm for a day.
Set him on fire, and he will be warm for life.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Rootkitware... how are regular people supposed to cope?

Post by phongn »

Destructionator XIII wrote:Yeah, UNIX certainly doesn't have a problem with rootkits. In fact, it actually is fundamentally impossible for them to even be written, due to its vastly superior modular, orthogonal, stable, and secure design. On top of that, it is powerful and just a beauty to use and code for; it really is the answer to everyone's computer woes.
I hope you are being sarcastic, because nothing you have said is true.
Turin
Jedi Master
Posts: 1066
Joined: 2005-07-22 01:02pm
Location: Philadelphia, PA

Re: Rootkitware... how are regular people supposed to cope?

Post by Turin »

Dominus Atheos wrote:I don't know if you use Windows at work or ever at school, but any half-way competently set up business system will have all users run as users and only the system administrators have administrator access (thus the names).
:wtf: Maybe not with typical office drone software (Office or whatever), but a good deal of higher-end software has to be run as admin in XP. Which means giving power user access to nearly every Tom, Dick and Dumbass in your organization if you're, for example, an architectural or engineering firm.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Rootkitware... how are regular people supposed to cope?

Post by phongn »

Dominus Atheos wrote:No, unfortunately the security model doesn't have very much granularity. A program is either running with user permissions or admin permissions, and the same is true of Linux and Mac. Basically when Microsoft was working on Windows NT they copied over the security model from Unix that Linux and Mac are based on and Vista inherited that and was the first to apply it by default to every account. It could stand to be a lot more secure, but since it's "as good" as the competition I doubt Microsoft is ever going to do that.
That's not true. Processes can be run with fine-grained ACLs under Windows.
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Rootkitware... how are regular people supposed to cope?

Post by Dominus Atheos »

phongn wrote:
Dominus Atheos wrote:No, unfortunately the security model doesn't have very much granularity. A program is either running with user permissions or admin permissions, and the same is true of Linux and Mac. Basically when Microsoft was working on Windows NT they copied over the security model from Unix that Linux and Mac are based on and Vista inherited that and was the first to apply it by default to every account. It could stand to be a lot more secure, but since it's "as good" as the competition I doubt Microsoft is ever going to do that.
That's not true. Processes can be run with fine-grained ACLs under Windows.
Really? I thought when UAC prompts me for something I was giving the program admin access, but you're saying it's just for one action? Is there any way to configure the prompt to tell me which action?
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Rootkitware... how are regular people supposed to cope?

Post by Dominus Atheos »

Turin wrote:
Dominus Atheos wrote:I don't know if you use Windows at work or ever at school, but any half-way competently set up business system will have all users run as users and only the system administrators have administrator access (thus the names).
:wtf: Maybe not with typical office drone software (Office or whatever), but a good deal of higher-end software has to be run as admin in XP. Which means giving power user access to nearly every Tom, Dick and Dumbass in your organization if you're, for example, an architectural or engineering firm.
What programs are you running that require admin access? Here is a list of everything that requires admin access (at least in Vista):
  • Changes to system-wide settings or to files in %SystemRoot% or %ProgramFiles%
  • Installing and uninstalling applications
  • Installing device drivers
  • Installing ActiveX controls
  • Changing settings for Windows Firewall
  • Changing UAC settings
  • Configuring Windows Update
  • Adding or removing user accounts
  • Changing a user’s account type
  • Configuring Parental Controls
  • Running Task Scheduler
  • Restoring backed-up system files
  • Viewing or changing another user’s folders and files
Nothing on that list should be anything any normal program should ever need to do. What are some examples of things that your programs need to do that require admin access?
Stark
Emperor's Hand
Posts: 36169
Joined: 2002-07-03 09:56pm
Location: Brisbane, Australia

Re: Rootkitware... how are regular people supposed to cope?

Post by Stark »

phongn wrote:That's not true. Processes can be run with fine-grained ACLs under Windows.
Is this app-dependent or OS-dependent? I was under the impression that what DA said was the case, i.e. that a given process is either admin or not, similar to rights elevation under Linux. I'm curious to know what kind of spoofing is effective with regard to Vista's UAC (since I believe that fake Vista window virus install thing from a few months back got right past it by authorising something seemingly mundane?).

And yeah, I find everyone who recommended to disable UAC in Vista pretty funny.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Rootkitware... how are regular people supposed to cope?

Post by phongn »

Stark wrote:
phongn wrote:That's not true. Processes can be run with fine-grained ACLs under Windows.
Is this app-dependent or OS-dependent? I was under the impression that what DA said was the case, i.e. that a given process is either admin or not, similar to rights elevation under Linux. I'm curious to know what kind of spoofing is effective with regard to Vista's UAC (since I believe that fake Vista window virus install thing from a few months back got right past it by authorising something seemingly mundane?).
You can assign processes limited, user or administrative rights in XP. User-level rights can also be monkeyed with via Group Policy, so you could have a process under a certain user restricted.
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Rootkitware... how are regular people supposed to cope?

Post by Dominus Atheos »

phongn wrote:
Stark wrote:
phongn wrote:That's not true. Processes can be run with fine-grained ACLs under Windows.
Is this app-dependent or OS-dependent? I was under the impression that what DA said was the case, i.e. that a given process is either admin or not, similar to rights elevation under Linux. I'm curious to know what kind of spoofing is effective with regard to Vista's UAC (since I believe that fake Vista window virus install thing from a few months back got right past it by authorising something seemingly mundane?).
You can assign processes limited, user or administrative rights in XP. User-level rights can also be monkeyed with via Group Policy, so you could have a process under a certain user restricted.
So you can create a new group and run a process under that group and, by doing so, control what actions it can and can't perform, like allowing it to write to Program Files but not the Windows folder? That's pretty neat, and it sure would be nice if Microsoft could configure UAC to check what action the program is trying to perform and just punch a hole in the ACL for that one program for that one action. But it's not like that right now, so in any default-configured Vista box, UAC functions the way I described?
Stark
Emperor's Hand
Posts: 36169
Joined: 2002-07-03 09:56pm
Location: Brisbane, Australia

Re: Rootkitware... how are regular people supposed to cope?

Post by Stark »

That's really what I was asking; if you can elevate a process/app for a single action group (like writing to a folder) but not for other actions (like writing to the MBR). I don't think it's like this now, I believe it's the way DA describes (and the way I believe elevation works in Linux too).
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Re: Rootkitware... how are regular people supposed to cope?

Post by phongn »

Stark wrote:That's really what I was asking; if you can elevate a process/app for a single action group (like writing to a folder) but not for other actions (like writing to the MBR). I don't think it's like this now, I believe it's the way DA describes (and the way I believe elevation works in Linux too).
Elevation is an all-or-nothing affair, but there's more fine-grained process controls available.
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Rootkitware... how are regular people supposed to cope?

Post by Dominus Atheos »

Stark wrote:
phongn wrote:That's not true. Processes can be run with fine-grained ACLs under Windows.
Is this app-dependent or OS-dependent? I was under the impression that what DA said was the case, i.e. that a given process is either admin or not, similar to rights elevation under Linux. I'm curious to know what kind of spoofing is effective with regard to Vista's UAC (since I believe that fake Vista window virus install thing from a few months back got right past it by authorising something seemingly mundane?).
It should be impossible to spoof UAC. Back in XP, when the system asked you "are you sure you want to do this?", programs would put a dialog box in front of the Windows box that said something completely different, and when you clicked the okay button on the spoof box you were actually pressing the "allow this program to do whatever it wants" button on the Windows dialog box. (You probably know this already, but I'm just explaining it for all the people who don't who might be following this discussion.)

In Vista, UAC prompts darken the whole screen and leave nothing on there except the UAC box, so it's impossible to put something in front of it. For some bizarre reason I haven't figured out, Windows 7 will remove this feature, so its UAC boxes may be vulnerable to spoofing.
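An added check, not from anyone in this thread: a PowerShell script that reads the UAC policy values behind two points raised above, users being told to disable UAC, and the darkened screen (the Secure Desktop) that stops other windows from being drawn over the consent prompt. The registry path and value names are the standard UAC policy locations; the finding text and the function names are mine.

```powershell
# Added example (not from the thread): report the UAC policy settings that decide
# whether elevation prompts at all and whether the prompt is drawn on the Secure
# Desktop (the darkened screen). Registry path and value names are the standard
# UAC policy locations; a value that is not set means the Windows default applies.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns the DWORD value, or $null when the value is not present.
    $item = Get-ItemProperty -Path $UacPolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-UacPolicy {
    $findings = @()

    # EnableLUA=0 switches UAC off entirely: administrators' programs get the
    # full token with no prompt, which is the XP behaviour the thread complains about.
    $enableLua = Get-UacPolicyValue -Name 'EnableLUA'
    if ($enableLua -eq 0) {
        $findings += 'EnableLUA=0: UAC is disabled; programs run by an administrator get full rights silently.'
    }

    # ConsentPromptBehaviorAdmin=0 elevates administrators without asking.
    $adminPrompt = Get-UacPolicyValue -Name 'ConsentPromptBehaviorAdmin'
    if ($adminPrompt -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0: administrators are elevated without any prompt.'
    }

    # PromptOnSecureDesktop=0 shows the prompt on the normal desktop, where
    # another window can be placed over it (the overlay trick described above).
    $secureDesktop = Get-UacPolicyValue -Name 'PromptOnSecureDesktop'
    if ($secureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: the prompt is not isolated on the Secure Desktop.'
    }

    # Is this shell itself running with the full administrator token? With UAC on,
    # a non-elevated shell of an administrator has the Administrators group
    # marked deny-only, so this check returns $false until elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesktop
        ThisShellIsElevated        = $elevated
        Findings                   = $findings
    }
}

$report = Test-UacPolicy
$report | Format-List
if ($report.Findings.Count -eq 0) {
    Write-Output 'No weak UAC settings found: UAC is on and prompts are on the Secure Desktop.'
}
```

Reading these values needs no elevation, so the script can be run from a standard user's shell; the ThisShellIsElevated field then also shows whether the session holding it has the full administrator token.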
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Rootkitware... how are regular people supposed to cope?

Post by Dominus Atheos »

phongn wrote:
Stark wrote:That's really what I was asking; if you can elevate a process/app for a single action group (like writing to a folder) but not for other actions (like writing to the MBR). I don't think it's like this now, I believe it's the way DA describes (and the way I believe elevation works in Linux too).
Elevation is an all-or-nothing affair, but there's more fine-grained process controls available.
So if I'm understanding you right, you can launch a program with specific actions it can and can't do (like writing to a folder but not to the MBR) but if it needs elevation for any reason, the only thing you can do is give it full system-wide access?
Stark
Emperor's Hand
Posts: 36169
Joined: 2002-07-03 09:56pm
Location: Brisbane, Australia

Re: Rootkitware... how are regular people supposed to cope?

Post by Stark »

I imagine the thinking was that UAC would be too complex for most people if it had grades of request and too annoying if it was per-action; people already think it's so annoying they'll turn it off, after all.