Archive for the 'Microsoft' Category

Microsoft Blocks Vista Rootkit Exploit

Monday, October 9th, 2006

Rootkit researcher Joanna Rutkowska has revealed that Microsoft has blocked the method that she used to install her Bluepill Rootkit.

On her blog Joanna wrote “It quickly turned out that our exploit doesn’t work anymore! The reason: Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights.”

She then goes on to say that when she first demonstrated her method at the Black Hat conference recently she gave three ways for Microsoft to fix the problem. Microsoft chose the option easiest for them, which was to block raw disk access from user mode. This choice has far-reaching effects on software companies that provide disk editor software. These companies will now need a digitally signed driver to get raw disk access. This also means that an attacker could “borrow” the driver from the disk editing software and use it to bypass the block Microsoft has put in place.

The other two options Joanna gave were to encrypt the pagefile and to disable kernel mode paging. The option Microsoft took does not make the problem go away; it just adds another layer for an attacker to get through.

Well done Microsoft, you have just made the attackers’ work a bit harder, and you have also made some of them look at signed drivers a bit more closely and added more information to their malicious arsenal.

Keep Safe

regards
Steo
www.antirootkit.com

Microsoft buys out Winternals founded by Mark Russinovich

Tuesday, July 18th, 2006

Microsoft has bought Winternals Software which was founded by Mark Russinovich. The software company which produces systems recovery and data protection solutions was founded in 1996 by Mark Russinovich and Bryce Cogswell.

The acquisition also includes the popular website Sysinternals.com which has over 10000 registered users. The future plans for the company have not been announced but Microsoft said it was looking for ways to integrate Winternals software with its own, “Microsoft is evaluating how the Winternals products and technologies can be integrated within Microsoft offerings to maximize customer value.”

Mark will keep his blog going and will head a team of researchers who can develop the software further. Mark is well known for publicizing the Sony rootkit fiasco last year.

“I’ve had my eye on Mark for some time,” said Jim Allchin, co-president of the Platforms & Services Division at Microsoft. “The work he and Bryce have completed in system recovery and data protection illustrates the depth of thinking and skill they will bring to future versions of Windows. The addition of their deep kernel-level expertise to our existing strong talent will help provide us with the edge we need to continue to raise the quality and functionality bar for Windows on both the client and the server.”

All his followers will wish Mark well, and hopefully he might be able to turn the security profile of Microsoft around somewhat.

Keep Safe

regards
Steo
www.antirootkit.com

New Zero Day Attack Targets Word Users with Rootkit

Monday, May 22nd, 2006

New malware attacks have been targeting several versions of Microsoft Word, according to Symantec and many other anti-virus companies. A Trojan horse is sent in a specially crafted Word document which takes advantage of a previously unknown Word vulnerability to infect users’ PCs. The Trojan horse allows a remote intruder to gain access to and control over the computer. It also hides any files or processes that it uses to avoid being found. Sophos has determined that it hooks the following APIs:

Kernel32.dll: FindFirstFileW, FindNextFileW, Module32NewW
Psapi.dll: EnumProcessModules, GetModuleFileNameW
Advapi32.dll: EnumServicesStatusA, EnumServicesStatusW, RegEnumKeyA, RegEnumKeyExA, RegEnumKeyExW, RegEnumKeyW, RegEnumValueA, RegEnumValueExA, RegEnumValueExW, RegEnumValueW, RegQueryValueExA, RegQueryValueExW, RegSetValueExA, RegSetValueExW

Sophos has called the Trojan Troj/Oscor-B, but it is better known to users as W32/Ginwui.A or Backdoor.Ginwui.
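As an added illustration (not code from the original post or from Sophos), this is the check an anti-rootkit scanner makes against a list like the one above: compare each watched export's entry bytes in the process with the on-disk DLL, and when they differ decode where the patched entry jumps and which module owns that address. Module names, addresses and bytes below are constructed; a real scanner would read them from the live process and the DLL file.

```python
import struct

# APIs the trojan was reported to hook (the Sophos list above).
HOOKED_APIS = {
    "Kernel32.dll": ["FindFirstFileW", "FindNextFileW", "Module32NewW"],
    "Psapi.dll": ["EnumProcessModules", "GetModuleFileNameW"],
    "Advapi32.dll": ["EnumServicesStatusA", "EnumServicesStatusW", "RegEnumKeyA",
                     "RegEnumKeyExA", "RegEnumKeyExW", "RegEnumKeyW", "RegEnumValueA",
                     "RegEnumValueExA", "RegEnumValueExW", "RegEnumValueW", "RegQueryValueExA",
                     "RegQueryValueExW", "RegSetValueExA", "RegSetValueExW"],
}

def classify_prologue(addr, mem, disk):
    # Compare entry bytes in memory with the on-disk copy; decode common x86 stubs.
    if mem[:len(disk)] == disk:
        return "clean", None
    if len(mem) >= 5 and mem[0] == 0xE9:                      # JMP rel32
        return "inline-jmp", addr + 5 + struct.unpack_from("<i", mem, 1)[0]
    if len(mem) >= 2 and mem[0] == 0xEB:                      # short JMP rel8
        return "inline-jmp", addr + 2 + struct.unpack_from("<b", mem, 1)[0]
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:   # PUSH imm32; RET
        return "push-ret", struct.unpack_from("<I", mem, 1)[0]
    return "patched", None                                    # unrecognised stub

def scan_exports(exports, modules):
    """exports: {(dll, func): (addr, mem_bytes, disk_bytes)}; modules: {name: (base, size)}.
    Returns (dll, func, verdict, target, target_module) for every patched entry of a
    watched API; a trampoline that leaves the exporting DLL is the tell-tale of a hook."""
    findings = []
    for (dll, func), (addr, mem, disk) in exports.items():
        verdict, target = classify_prologue(addr, mem, disk)
        if func not in HOOKED_APIS.get(dll, ()) or verdict == "clean":
            continue
        dest = None if target is None else next(
            (n for n, (b, s) in modules.items() if b <= target < b + s), None)
        findings.append((dll, func, verdict, target, dest))
    return findings

# Constructed snapshot (hypothetical addresses): two entries rewritten to jump into an unnamed module, one intact.
CLEAN = bytes.fromhex("8bff558bec")      # mov edi,edi; push ebp; mov ebp,esp
MODULES = {"Kernel32.dll": (0x7C800000, 0xF6000), "Advapi32.dll": (0x77DD0000, 0x9B000),
           "<unnamed>": (0x10000000, 0x10000)}

def sample_exports():
    addr = 0x77DD1234
    jmp = b"\xe9" + struct.pack("<i", 0x10001000 - (addr + 5))
    push_ret = b"\x68" + struct.pack("<I", 0x10002000) + b"\xc3"
    return {("Advapi32.dll", "RegEnumValueW"): (addr, jmp, CLEAN),
            ("Advapi32.dll", "RegQueryValueExW"): (0x77DD2000, CLEAN, CLEAN),
            ("Kernel32.dll", "FindNextFileW"): (0x7C801000, push_ret, CLEAN)}
```

Legitimate hot-patching also rewrites entry bytes, so the module that owns the jump target, not the mere mismatch, is what separates a hook from a benign patch.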

The person or people who wrote the Trojan had exclusive knowledge of a vulnerability in MS Word and sent specially crafted Word documents to email addresses belonging to a particular company in Asia. The object was to retrieve information from the computers that were affected.

This seems to be a new direction malware writers are taking, and it is worth a lot of money to the hackers and others who are constantly trying to find vulnerabilities in software that are unknown to everyone else. This lets them attack the software with only a small chance of being found out in the initial stages. Apparently there is big money being paid for exclusive knowledge of holes in software.

A complete list of affected Word versions is available here: http://xforce.iss.net/xforce/xfdb/26556

The one lesson for everyone with regard to this infection is to beware of attachments from anyone you are not familiar with.

Keep Safe

regards
Steo
www.antirootkit.com

Microsoft says wipe your drive to remove Rootkits

Wednesday, April 5th, 2006

Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference that in order to remove rootkits users will have to wipe their hard drive and reinstall the operating system.

When a rootkit is installed on a PC it hides itself, its files, running programs and network traffic from the user and from the user’s anti-virus and anti-spyware scanners. A rootkit can be detected by looking into the kernel areas that rootkits can use. Once a rootkit is found it can be removed, but the files, etc. that it was hiding may not be easily found. To this end, the only way for users to know that the rootkit and the files it was hiding are completely gone is to wipe the drive.

This may be overkill, as most “in the wild” rootkits hide variants of existing malware and viruses. Once the rootkit is removed, the underlying malware can be caught by any decent anti-virus or anti-spyware scanner. Wiping a hard drive and reinstalling the operating system is not going to be an easy task for the majority of computer users, and these users are the very ones who will get hit by rootkits.

Keep Safe

regards
Steo
www.antirootkit.com

Microsoft demonstrates Virtual Machine Rootkit - SubVirt

Sunday, March 12th, 2006

Researchers at Microsoft Research and the University of Michigan have demonstrated that rootkits can be hidden within a Virtual Machine environment.

The researchers came up with proof-of-concept code called SubVirt that loads a Virtual Machine Monitor (VMM) containing other malware of use to criminals, such as keyloggers. The VMM is installed under an existing operating system using vulnerabilities in that operating system. When the PC is booted it loads the VMM, which in turn loads the user’s normal operating system, whether it be XP, Linux, etc. The user will not know the VMM is loaded as there will be no telltale signs. The VMM does not use much processing power or memory and will not present any information to the normal OS.

“Any code running within an attack OS is effectively invisible. The ability to run invisible malicious services in an attack OS gives intruders the freedom to use user-mode code with less fear of detection,” the researchers said.

Existing anti-rootkit tools commonly rely on comparing file system and API discrepancies to check for the presence of rootkits, a technique that wouldn’t be able to unearth virtual machine malware. The researchers hope their work will help security firms adapt their technology in order to combat the new class of threat.

Keep Safe

regards
Steo
www.antirootkit.com

Microsoft Takes Another Anti-Rootkit Step

Tuesday, January 24th, 2006

eweek.com has reported that Microsoft has implemented tighter security measures in the 64-bit version of its new operating system, Vista. Kernel mode drivers will be required to be digitally signed in order to be used. Microsoft will require all drivers to have a PIC (Publisher Identity Certificate), which is based on a VeriSign certificate. This is an important step for Microsoft to take and will help to stop many rootkits from taking hold. This implementation will not stop all rootkits from running, as a rootkit author may go and acquire a PIC for themselves, and thus the rootkit can be installed legitimately.

This will not stop usermode rootkits that do not need to hook into the kernel, although I’m sure Microsoft will have something up their sleeve with regard to users running malicious code in user land.

This is one good step that Microsoft are taking in the fight against rootkits. It shows that Microsoft are serious about rootkits, and I am sure that there will be other features in Vista that will make it rootkit unfriendly.

Keep Safe

regards
Steo
www.antirootkit.com