
RSA: Microsoft on 'rootkits': Be afraid, be very afraid

This topic is archived.

Walt Starr Donating Member (1000+ posts) Fri Feb-18-05 03:54 PM
Original message
RSA: Microsoft on 'rootkits': Be afraid, be very afraid
Rootkits are a new generation of powerful system-monitoring programs

News Story by Paul Roberts

FEBRUARY 17, 2005 (IDG NEWS SERVICE) - Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals.
The researchers discussed the growing threat posed by kernel rootkits at a session at the RSA Security Conference in San Francisco this week. The malicious snooping programs are becoming more common and could soon be used to create a new generation of mass-distributed spyware and worms.

With names like "Hacker Defender," "FU" and "Vanquish," the programs are the latest generation of remote system-monitoring software that has been around for years, according to Mike Danseglio and Kurt Dillard, both of Microsoft's Security Solutions Group.

<snip>

http://www.computerworld.com/securitytopics/security/story/0,10801,99843,00.html

nothingshocksmeanymore Donating Member (1000+ posts) Fri Feb-18-05 03:56 PM
Response to Original message
1. Tell me again, daddy...why are monopolies more efficient?

benburch Donating Member (1000+ posts) Fri Feb-18-05 03:56 PM
Response to Original message
2. This is why you need to have a Macintosh.
Microsoft is not only insecure, but they have put special insecurity hooks into it for law enforcement use.

VegasWolf Donating Member (1000+ posts) Fri Feb-18-05 04:06 PM
Response to Reply #2
4. Do you seriously believe that Apple hasn't? n/t

benburch Donating Member (1000+ posts) Fri Feb-18-05 04:12 PM
Response to Reply #4
8. I know for fact they have not.
Darwin (which is what MacOS X really is) is open source. I have read through much of it. As have many others.

VegasWolf Donating Member (1000+ posts) Fri Feb-18-05 04:15 PM
Response to Reply #8
9. No you don't, because there are Apple proprietary modules that
are not part of the open source and not listed in Darwin.

benburch Donating Member (1000+ posts) Fri Feb-18-05 04:27 PM
Response to Reply #9
13. I've been in those too...
While debugging... I've seen nothing strange there. (Yes, I read Power-PC machine language.)

But then again, I have not looked at all of them. But I know that many others have looked at all parts of the system whether open source or not - and nobody has spoken up yet with anything hinky.

paper chase guy Donating Member (322 posts) Sun Feb-20-05 11:47 PM
Response to Reply #13
71. Right. You can read PPC machine language.
Ever see any blondes or redheads while stepping through looking for security holes?

purduejake Donating Member (1000+ posts) Fri Feb-18-05 04:07 PM
Response to Reply #2
5. or linux...
if you can figure it out.

VegasWolf Donating Member (1000+ posts) Fri Feb-18-05 04:16 PM
Response to Reply #5
10. Yes, both Mac and Linux could be corrupted, but there are not enough
users to make it worthwhile.

benburch Donating Member (1000+ posts) Fri Feb-18-05 04:28 PM
Response to Reply #10
14. OK, you try.
Let me know when you succeed.

VegasWolf Donating Member (1000+ posts) Fri Feb-18-05 05:47 PM
Response to Reply #14
27. Huh! Do you really know anything about OS's. Have you ever
worked on a large software project. Do you have an advanced degree in Comp Sci. How in the world could you even claim that? I have
all of the above. Large systems can be broke. BTW, what do
you think of that Order n2 algorithm Mac uses for page faults,
pretty cheezy huh!

bpilgrim Donating Member (1000+ posts) Fri Feb-18-05 05:55 PM
Response to Reply #27
35. i work for an enterprise networking company and M$ keeps everyone busy
vs mac and unix

November 24: mi2g Intelligence Unit (London) reports that Mac OS X and BSD Unix are the "world's safest and most secure 24-7 online computing environments". Their conclusion? ...

"More and more smart individuals, government agencies and corporations are shifting towards Apple and BSD environments in 2004," according to DK Matai, Executive Chairman, mi2g. "For how long can the truth remain hidden that the great emperors of the software industry are wearing no clothes fit for the fluid environment in which computing takes place, where new threats manifest every hour of every day. There is an accelerating paradigm shift visible in 2004 and busy professionals have spotted the benefits of Apple and BSD because they don't have the time to cope with umpteen flavours of Linux or to wait for Microsoft's Longhorn when Windows XP has proved to be a stumbling block in some well chronicled instances."

more...
http://www.mi2g.com/cgi/mi2g/press/021104.php


see also...
http://XvsXP.com - for the best comparison and discussion of the two os's by experts and users... test your knowledge there ;->

peace

VegasWolf Donating Member (1000+ posts) Fri Feb-18-05 08:00 PM
Response to Reply #35
46. Yes, and I was part of the IBM design team and there when MAC
stole the windowing and mouse concepts from Xerox Palo Alto PARC.
MAC is an okay system, but no system is impermeable to design flaws.
If there were more than a few Mac users, then it would be worth hacking.

Have fun.

benburch Donating Member (1000+ posts) Fri Feb-18-05 08:16 PM
Response to Reply #46
52. And as a part of the 13% of net users who use macs...
I am happy to be on a platform the skript kiddi3z don't understand well enough to even try to attack.

Even if windows were exactly as popular as the mac, though, the skript kidz would go after windows... For the same reason that burglars will go after the house with an open window before the one with the steel bars next door. Sure, you can break into a house with steel bars, but why would you spend the time and effort to do that when you can step right into the one next door???

VegasWolf Donating Member (1000+ posts) Fri Feb-18-05 10:19 PM
Response to Reply #52
58. I think that you are mistaking steel bars for a simple
lack of interest by the hacker community. :)

benburch Donating Member (1000+ posts) Fri Feb-18-05 11:17 PM
Response to Reply #58
59. Like I say...
If you think it is so easy, let's see you do it?

ikri Donating Member (1000+ posts) Sat Feb-19-05 06:33 PM
Response to Reply #52
65. 13%???
where on earth did you get this figure?

The latest browser and OS statistics from w3schools (a pretty reliable non-partisan source) have the percentage of Mac users at 2.9%. It's one hell of a stretch to go from 2.9% to 13%

benburch Donating Member (1000+ posts) Sun Feb-20-05 08:06 AM
Response to Reply #65
66. Based on web logs for several sites I administer.
12.95% of all hits come from Macs! (And none of these are Macintosh oriented sites!)

jmowreader Donating Member (1000+ posts) Sun Feb-20-05 09:58 PM
Response to Reply #46
68. Apple's windowing system isn't quite like PARC's
The biggest innovation the Mac had over the Xerox Star was overlapping windows. On a Star, windows can't overlap; on a Mac, they've always been able to.

Cooley Hurd Donating Member (1000+ posts) Sun Feb-20-05 08:20 AM
Response to Reply #35
67. Our SCO-Unix/Linux servers have been problem free...
...however, our WinNT/2K/XP workstations have been lambasted by spyware, trojans and viruses. I spend most of my day cleaning them up...

boredofeducation Donating Member (194 posts) Sun Feb-20-05 11:22 PM
Response to Reply #67
69. I hope you aren't the Company IT person
I surely hope you are not the company IT person. If you are, you should be fired for allowing that crap to get installed in the first place.

benburch Donating Member (1000+ posts) Fri Feb-18-05 07:52 PM
Response to Reply #27
44. Only a little experience... Just since 1972.
Edited on Fri Feb-18-05 08:00 PM by benburch
I've written complete operating systems, and done device drivers and low-level code for almost any system you can name, and lots and lots of embedded systems.

VegasWolf Donating Member (1000+ posts) Fri Feb-18-05 08:02 PM
Response to Reply #44
47. Good! I was only doing it from 81 when IBM released the PC! I was
Edited on Fri Feb-18-05 08:04 PM by VegasWolf
part of the design team that decided in their infinite wisdom
that no user would ever need more than 640K. Mac is an okay
system, but no one wants to do matrix inversions on it.


benburch Donating Member (1000+ posts) Fri Feb-18-05 08:12 PM
Response to Reply #47
51. Actually, I've done quite a bit of computing engine type stuff on a Mac...
But I agree, if all you want is raw compute power, an Athlon running Linux is cheaper per floating point operation completed.

However, almost every math library ever developed for Linux or BSD installs really easily on the mac, and that is in fact how I use this one I am typing on.

I also use an eMac and an ancient iMac as real-time MP-3 transcoders. They work great.

And if you look at the transforms Photoshop does, they are very compute intensive, and I know very, very few graphics professionals who prefer any system other than a Mac for that.

Occulus Donating Member (1000+ posts) Mon Feb-21-05 01:03 AM
Response to Reply #47
76. Oh, I hope you were opposed to that decision......
Sounds like you were...

Since you were on that team (or say you were), I'm curious and always have been about this: what made them decide that nobody would ever need more than 640K? What was the reasoning behind the decision?

That little misstep caused me a bit of frustration back in the day.....

Tandalayo_Scheisskopf Donating Member (1000+ posts) Sat Feb-19-05 12:26 AM
Response to Reply #44
60. Really? Amiga too?
Wish you wrote more. We AmigaHeads really could have used some more drivers. :D

benburch Donating Member (1000+ posts) Sat Feb-19-05 02:16 AM
Response to Reply #60
61. Oh, long ago...
We looked at making an Amiga based set-top box when I worked at Zenith. But we couldn't get them to sell us the rights.

Tandalayo_Scheisskopf Donating Member (1000+ posts) Sat Feb-19-05 05:35 PM
Response to Reply #61
63. Oh man, the stories...
I can tell, regarding the lost opportunities of Commodore.

Remember: I used to work with, and am good friends with Dave Haynie. He has a million stories about Commodore and their ineptitude.

Occulus Donating Member (1000+ posts) Mon Feb-21-05 01:04 AM
Response to Reply #61
77. I still have my C64
Edited on Mon Feb-21-05 01:05 AM by kgfnally
and it still works, amazingly enough.

Or maybe not so amazingly- that's a durable little box!

on edit: CCS64 is a neat little emulator. I can use all my old C64 software again :D

paper chase guy Donating Member (322 posts) Sun Feb-20-05 11:52 PM
Response to Reply #27
73. order n2 algorithm for page faults...
I'm loving the BS you guys are making up here. :)

paper chase guy Donating Member (322 posts) Sun Feb-20-05 11:50 PM
Response to Reply #10
72. Okay...
Yeah, let's ignore the 70% or so (according to netcraft) of webservers that run apache, most of which are probably not running windows.

Cause who would ever want to hack a webserver, right?

LinuxInsurgent Donating Member (475 posts) Fri Feb-18-05 04:45 PM
Response to Reply #5
16. Linux is easy...
go with MandrakeLinux 10.1 or Suse Linux Pro 9.2

I'm still a newbie to Linux (I don't even know how to compile programs...only install via RPMs)

And I'm using it fine...and it comes bundled with all the software I'll ever need. I think I've only downloaded 3 software programs that didn't come with the three FREE CDS (available in ISO format online).

I use Mandrake...used to use Suse, which is great, but my Suse didn't have support for the GNOME desktop...so I switched to Mandrake to try it out (Suse supports GNOME, but you got to install it yourself...hard.)

I'm using Linux right now...and I'm safe from 90% of all viruses, and spyware...

More reason to free yourself...use open-source OS.

benburch Donating Member (1000+ posts) Fri Feb-18-05 08:04 PM
Response to Reply #16
48. I'm a Debian fellow, myself.
But I used to do only Slackware...

Occulus Donating Member (1000+ posts) Mon Feb-21-05 01:09 AM
Response to Reply #48
78. I've used
RedHat, Debian, Mandrake, Slack, and Fedora/RedHat. For some reason, I always get a kernel panic on install with Mandrake on this machine. No idea why; it just does. not. install. Period.

Which is strange, because it's the only distro I've ever NOT been able to at least get running with most if not all my hardware working as well.

Question: why doesn't ATI support their hardware well enough in linux to have it working properly after installing only ONE package, without editing XF86Config-4? I never had to patch my NV drivers.... twice.

Yeah, I had to apply a patch for my ATI driver to work, then I had to patch the patch. Ridiculous.

Walt Starr Donating Member (1000+ posts) Fri Feb-18-05 04:07 PM
Response to Reply #2
6. ANY OS will be vulnerable to this sort of technology
ANY OS. ANY Architecture. It's ALL vulnerable.

LinuxInsurgent Donating Member (475 posts) Fri Feb-18-05 04:47 PM
Response to Reply #6
17. only...
if the programmers develop versions of this "rootkits" for different OS, different architectures, etc.

And if they do program rootkits for Linux computers..the Linux developers will develop protections against those "rootkits"...whereas Windows users will be at the mercy of the "protections" offered by the creators of the "rootkits".

There's nothing they can think of that the open-source developers can't develop a block to.

Walt Starr Donating Member (1000+ posts) Fri Feb-18-05 05:22 PM
Response to Reply #17
24. They are already out there
Look to asset management packages, system monitoring packages, etc. etc. etc.

To play in that marketspace, the packages MUST work and play with all platforms and that means all platforms come with these vulnerabilities.

VegasWolf Donating Member (1000+ posts) Fri Feb-18-05 05:48 PM
Response to Reply #24
28. Yes, any nondeterministic plugin module can cause problems. n/t

LinuxInsurgent Donating Member (475 posts) Fri Feb-18-05 06:38 PM
Response to Reply #28
42. yes...
but Linux developers can just easily develop easily-distributable BLOCKS against this...

Linux developers include a large community of non-corporate, freedom-minded individuals.

There is no major threat to the security of Linux/Unix system users that, when it comes out, cannot be analyzed and protected against.

I'm not scared of these Toolkits...there's ALWAYS gonna be a programmer in the world that will develop software components to the OS that will protect it from this...

Take a look at Linux (and even Windows) anti-SPAM, anti-spyware, and anti-virus programs. Someone's always developing software to secure the computer.

Feron Donating Member (1000+ posts) Fri Feb-18-05 06:17 PM
Response to Reply #6
40. I agree.
Linux and OSX are already vulnerable to rootkits, however the services commonly used for infection are usually turned off. Before even thinking about connecting to the net you need to turn off unneeded services and install a firewall. That's just common sense.

Obscurity != Security

Here's a funny Mac parody:
http://www.happynowhere.net/mac_parody.php

I'm not a Redmond fangirl, however the Mac fanboy preaching gets old. I enjoyed Linux when I used it briefly, but installing programs is a pain (dependency hell anyone?).





ananda Donating Member (1000+ posts) Fri Feb-18-05 04:00 PM
Response to Original message
3. sheesh
Argghh.
What next!

Sue

Placebo Donating Member (1000+ posts) Fri Feb-18-05 04:11 PM
Response to Original message
7. Get a Mac
www.apple.com

You'll be so happy, I promise. Look at me, I'm happy! :D

VegasWolf Donating Member (1000+ posts) Fri Feb-18-05 04:17 PM
Response to Reply #7
11. You must not have very complex computing needs then ! n/t

deacon2 Donating Member (396 posts) Fri Feb-18-05 05:43 PM
Response to Reply #11
26. Oh please
Have Wintel and Mac machines. What can I do on a Wintel that I can't on a Mac with OSX? At least on the Mac I can open and read ALL the files from the Wintel machine. The only real world difference is that Wintel OS such as XP is security swiss cheese. And yes, the Mac can be infiltrated. But it is a much smaller target because of market share so less people devote time to screwing them up. Where did people get the idea that a computer that demands that you pay most of your attention to its needs rather than your own is more productive and "complex." Truly baffling to me.

VegasWolf Donating Member (1000+ posts) Fri Feb-18-05 05:50 PM
Response to Reply #26
29. You can open any file on WinTel machines, all you have to do is
know how. Macs are just a toy!

lockdown Donating Member (576 posts) Fri Feb-18-05 08:25 PM
Response to Reply #29
54. Windows is a toy
But then I don't have an advanced comp sci degree so what do I know. :D

tkmorris Donating Member (1000+ posts) Fri Feb-18-05 04:18 PM
Response to Reply #7
12. Getting a Mac
Getting a Mac to make yourself secure against this type of thing will make you feel better perhaps, but won't REALLY accomplish anything because they are vulnerable too.

In short, a Mac would just be a, well, a placebo :)

bpilgrim Donating Member (1000+ posts) Fri Feb-18-05 04:41 PM
Response to Reply #12
15. that's not true...
November 24: mi2g Intelligence Unit (London) reports that Mac OS X and BSD Unix are the "world's safest and most secure 24-7 online computing environments". Their conclusion? ...

"More and more smart individuals, government agencies and corporations are shifting towards Apple and BSD environments in 2004," according to DK Matai, Executive Chairman, mi2g. "For how long can the truth remain hidden that the great emperors of the software industry are wearing no clothes fit for the fluid environment in which computing takes place, where new threats manifest every hour of every day. There is an accelerating paradigm shift visible in 2004 and busy professionals have spotted the benefits of Apple and BSD because they don't have the time to cope with umpteen flavours of Linux or to wait for Microsoft's Longhorn when Windows XP has proved to be a stumbling block in some well chronicled instances."

more...
http://www.mi2g.com/cgi/mi2g/press/021104.php

see also to learn more about the differences between the os's...
http://XvsXP.com

peace

LinuxInsurgent Donating Member (475 posts) Fri Feb-18-05 04:56 PM
Response to Reply #15
19. i've read reports contradicting that...
and saying that the MacOSX, for all its BSD-Unix roots, is still vulnerable.

http://www.computerweekly.com/articles/article.asp?liArticleID=131513&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1

All systems are vulnerable..but consistently, Unix and Linux systems are the most secure (with the FreeBSD and other BSD flavors beating out the Linux on security, but only for a little).

If you're running Linux or Unix...you're relatively safer than Windows or MacOSX

bpilgrim Donating Member (1000+ posts) Fri Feb-18-05 05:04 PM
Response to Reply #19
20. we are talking about degrees
Edited on Fri Feb-18-05 05:17 PM by bpilgrim
not absolutes

http://XvsXP.com - learn & discuss the differences with experts and users, an excellent resource for those wanting to get to the nitty gritty.

peace

Walt Starr Donating Member (1000+ posts) Fri Feb-18-05 05:25 PM
Response to Reply #15
25. No platform is 100% secure if connected to the internet
More secure does not equate 100% secure and all platforms are vulnerable to this technology.

bpilgrim Donating Member (1000+ posts) Fri Feb-18-05 05:51 PM
Response to Reply #25
30. i NEVER said %100
November 24: mi2g Intelligence Unit (London) reports that Mac OS X and BSD Unix are the "world's safest and most secure 24-7 online computing environments". Their conclusion? ...

"More and more smart individuals, government agencies and corporations are shifting towards Apple and BSD environments in 2004," according to DK Matai, Executive Chairman, mi2g. "For how long can the truth remain hidden that the great emperors of the software industry are wearing no clothes fit for the fluid environment in which computing takes place, where new threats manifest every hour of every day. There is an accelerating paradigm shift visible in 2004 and busy professionals have spotted the benefits of Apple and BSD because they don't have the time to cope with umpteen flavours of Linux or to wait for Microsoft's Longhorn when Windows XP has proved to be a stumbling block in some well chronicled instances."

more...
http://www.mi2g.com/cgi/mi2g/press/021104.php


see also...
http://XvsXP.com - for the best comparison and discussion of the two os's by experts and users

peace

ikri Donating Member (1000+ posts) Sat Feb-19-05 06:31 PM
Response to Reply #30
64. Mi2g are NOT a good source
Mi2g are seen by many many people as an absolute joke. If they issued a press release reporting sunny weather, I'd get an umbrella.

I've been involved in network security audits in the past & I can say with certainty that security never comes from the OS or software. Security, or conversely, insecurity is a human issue.

A well secured Windows system will be as hard to break into as a well secured Linux/BSD/Mac/anything system. An insecure system is insecure regardless of whether it is Windows or any other OS.

I've seen Mac and Linux systems that could be broken into in under a minute, just as I've seen Windows systems that are equally as insecure. I've also seen Windows systems that can't be hacked into, just as I've seen similar Mac and Linux systems.

The moment that you start to believe that your computer is safe simply because it's a Mac or it's Linux or it's not Windows is the moment that your secure system becomes insecure.

VegasWolf Donating Member (1000+ posts) Fri Feb-18-05 05:51 PM
Response to Reply #15
31. God, people still hyping BSD Unix, that is so 70's. n/t

bpilgrim Donating Member (1000+ posts) Fri Feb-18-05 05:59 PM
Response to Reply #31
37. Hackers Meet Soldiers - (DARPA) partially funds the Canadian-based OpenBSD
by George Peter Staplin and Cameron Laird
03/13/2003

OpenBSD is widely recognized as "one of those other OSes"--an operating system available, like Linux, without licensing fee, but with its own character distinct from any other OS. Only recently, though, have people begun to learn that the US Defense Advanced Research Projects Agency (DARPA) partially funds the Canadian-based OpenBSD project. Why is the US military paying ideology-driven foreign hackers? What's the effect on development of the OS?

Focused on Security

Independent Alberta-based kernel hacker Theo de Raadt is the creator, overseer, and taskmaster of the OpenBSD project. Security has been a consistent strength of his professional career. While centered in Canada, the OpenBSD advanced operating system team De Raadt leads includes members from around the world.

OpenBSD has focused on security, reliability, and quality since its launch over 7 years ago. The team follows such standards as POSIX, ANSI, and most of X/Open. Since 1996, formal audits of the base system's source code have further buttressed its reputation for security. Thousands of companies, including Adobe and Network Security Technologies, Inc., use OpenBSD, although many of them keep their choice private for security reasons.

Security and Audits

"Security" and "audit" mean something different to OS programmers than they do in civilian life. Security refers to everything done to protect a system. This certainly concerns "AAA" (authentication, authorization, and accounting) as ways to keep "bad guys" from wreaking havoc, but also involves a variety of expedients, from "Are you sure?" buttons to log files, which protect users from their own mistakes.

An audit is an attested review of quality and integrity performed by an independent professional. OpenBSD reviewers carefully study individual programs and parts of programs, to verify that nothing can go wrong. "Go wrong" here means, for example, that the program doesn't burn its CPU or launch missiles if a user (perhaps accidentally) enters a longer data-field than expected.

Military Contracts

DARPA has funded OpenBSD through a program known as Composable High Assurance Trusted Systems (CHATS). The University of Pennsylvania oversees the specific proposal behind this grant, called Portable Open Source Security Elements (POSSE). The grant money has allowed De Raadt to hire former part-time volunteers as full-time employees. This staffing accelerated development and provided time for the team to report on its research by writing academic papers.

more...
http://www.onlamp.com/pub/a/bsd/2003/03/13/darpabsd.html?page=last&x-order=date

peace

LinuxInsurgent Donating Member (475 posts) Fri Feb-18-05 06:17 PM
Response to Reply #31
41. hahah...
Edited on Fri Feb-18-05 06:19 PM by LinuxInsurgent
you obviously have not read up on FreeBSD 5.3 and comparisons to Linux...

I've tried installing FreeBSD 5.3 and Freesbie 1.1 (same system, but easier install).

I had problems with installation..it's not user friendly.

But...all articles i read give BSD the top rating for security and server-side applications...it's in Desktop stuff that it does not shine...(although, if you are a techie...you could run any slick Linux-available Desktop and the same software...and make it an equally strong computer).

If you know what you are doing, you can make FreeBSD be more desktop-useful than Windows...while having the most stable, secure environment around..

If you don't have the knowledge (I don't), go with a Linux flavor...which will give you roughly equal security and stability...with a little easier user-friendly performance. I recommend Mandrake 10.1 and Suse 9.2 Pro for newbies.

Whatever you do...don't stay with Microsoft...I use Windows 2000 Service Pack 4 as a dual-boot on my computer ONLY for gaming...everything else, Mandrake Linux 10.1

LinuxInsurgent Donating Member (475 posts) Fri Feb-18-05 04:50 PM
Response to Reply #12
18. Macs
are just a piece of hardware....like SPARC, Intelx86 and other computers. It's what is running on them that matters.

If you want security on Macs, run a PowerPC Linux on it...MacOSX has a Unix-derived BSD running the low-level stuff, but it's still vulnerable to attacks to the MAC GUI. Run a Linux or Unix or other open-source, secure OS on the PowerPC, G3, G4, and G5, and you'll be a lot safer.

Basically...if you want security, look for a Linux or Unix-derived system for your architecture...they're the most secure environments at this moment...whether you go with a BSD flavor or Linux distribution is your choice...but both are infinitely safer than regular Windows (for x86s) or MacOS (for MAC).

Placebo Donating Member (1000+ posts) Fri Feb-18-05 05:04 PM
Response to Reply #18
21. Lies, lies, lies...
all lies! :nuke:

bpilgrim Donating Member (1000+ posts) Fri Feb-18-05 05:13 PM
Response to Reply #18
22. BSD, which apple is built on, is 1 of the most secure OS's on the planet
Edited on Fri Feb-18-05 05:51 PM by bpilgrim
http://www.mi2g.com/cgi/mi2g/press/021104.php

November 24: mi2g Intelligence Unit (London) reports that Mac OS X and BSD Unix are the "world's safest and most secure 24-7 online computing environments". Their conclusion? ...

"More and more smart individuals, government agencies and corporations are shifting towards Apple and BSD environments in 2004," according to DK Matai, Executive Chairman, mi2g. "For how long can the truth remain hidden that the great emperors of the software industry are wearing no clothes fit for the fluid environment in which computing takes place, where new threats manifest every hour of every day. There is an accelerating paradigm shift visible in 2004 and busy professionals have spotted the benefits of Apple and BSD because they don't have the time to cope with umpteen flavours of Linux or to wait for Microsoft's Longhorn when Windows XP has proved to be a stumbling block in some well chronicled instances."

see also...
http://XvsXP.com

unix/linux is still too geeky for MOST users and that is why macs make an excellent choice.

more...
http://images.apple.com/macmini

peace
Printer Friendly | Permalink |  | Top
 
VegasWolf Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Feb-18-05 05:53 PM
Response to Reply #22
32. Sure, BSD was great in the 70's, they didn't even have thread support
until the 90's. Go figure.
Printer Friendly | Permalink |  | Top
 
bpilgrim Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Feb-18-05 05:56 PM
Response to Reply #32
36. lol - you just revealed your LOUD ignorance
Monday, July 09, 2001

NAI Labs Partners With DARPA to Secure Open Source Operating System

$1.2 Million Contract to Enhance Operating System Security Services

NAI Labs, the advanced research group within PGP Security, a division of Network Associates, Inc., announced a $1.2 million contract awarded by the U.S. Navy's Space and Warfare Systems Command to develop security extensions to the Open Source FreeBSD operating system. This work, which is funded under the Defense Advanced Research Projects Agency (DARPA), will be done in partnership with members of the FreeBSD developer community, assuring tight system integration and rapid technology transfer. The project will be led by NAI Labs Research Scientist Robert Watson, and NAI Labs Chief Scientist Lee Badger. The work will be done in part by sub-contractors from the FreeBSD development community, including Kirk McKusick, Poul-Henning Kamp, Jonathan Lemon, and Eivind Eklund. The $1.2 million will be paid over the life of an 18-month contract.

Today's evolving military and business processes increasingly rely on Open Source systems to power network infrastructure, network services, file and database servers, and workstation environments. Unfortunately, these systems have traditionally lacked advanced security features, such as Mandatory Access Control, required for secure environments. Likewise, other advanced security techniques developed by the security research community have often failed to transition to off-the-shelf systems.

more...
http://opensource.nailabs.com/news/20010709-cboss.html

bone up

peace
Printer Friendly | Permalink |  | Top
 
VegasWolf Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Feb-18-05 08:05 PM
Response to Reply #36
49. Don't know much about computing history do you? What you
Edited on Fri Feb-18-05 08:12 PM by VegasWolf
say doesn't detract from the fact that the so-called Berkeley
Unix code did not even have thread support until the late 90's.
I know, we had to build our own thread support. DARPA is for
anything free, then they steal it and modify it under government secrecy. Let's see, what else didn't UNIX have until the late 90's,
I know, dynamic link library support. Doh!!!
Printer Friendly | Permalink |  | Top
 
paper chase guy Donating Member (322 posts) Send PM | Profile | Ignore Mon Feb-21-05 12:27 AM
Response to Reply #49
75. uh, right.
no thread support. They've been in various flavors of Unix (especially BSD) since the idea evolved.

http://www.serpentine.com/~bos/os-faq/FAQ-1.html#The-history-of-threads

I think you must be confusing the idea of threads with the idea of no pre-emptive multitasking in previous Mac operating systems before X.

Or maybe you're just thinking of POSIX threads in particular. But that would have been more late 80s/early 90s.

Printer Friendly | Permalink |  | Top
 
benburch Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Feb-18-05 05:16 PM
Response to Reply #18
23. Simply not the truth.
If you think that MacOS X is so vulnerable, let's see you compromise it. I don't think you can do it. How many viruses do you think there have EVER been for ANY version of MacOS?

I already know of several unpatched exploits for current Windows OSs, and thousands of distinct bits of malware over the life of the product.

Windows is quite simply rotten, and I speak as somebody who has developed very complex device driver code for Windows!
Printer Friendly | Permalink |  | Top
 
LinuxInsurgent Donating Member (475 posts) Send PM | Profile | Ignore Fri Feb-18-05 06:13 PM
Response to Reply #23
39. I use Linux
I've read extensively on this...

FreeBSD and other BSD's are the most secure systems...Linux comes after them...after Linux, MacOSX, and after MacOS, Windows.

That's the order, security wise...bottom line, Unix and Unix-derived systems (Linux, MacOSX) are the most secure in the world...MacOSX is less secure than Linux because of the Macintosh GUI software...but its BSD roots (Darwin) give it a measure of stability and security that is miles ahead of previous MacOS systems, and Windows.

http://www.ntcompatible.com/thread27777-1.html

Don't get me wrong...I'd run MacOSX over Windows any day...it's a great OS, and it correctly is moving the BSD-type systems toward mainstream, GUI desktop use...

But Linux beats it...and so does the purer BSDs.

Best way to find out...try Linux for Macs...and try MacOS...decide which one you like.

Printer Friendly | Permalink |  | Top
 
benburch Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Feb-18-05 07:58 PM
Response to Reply #39
45. I've been using Linux since '96
And I've run MkLinux and Yellow Dog Linux on a number of macs.

And I've had systems attacked.

The Mac and Linux are totally on a par with each other in that regard.
Printer Friendly | Permalink |  | Top
 
VegasWolf Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Feb-18-05 08:07 PM
Response to Reply #23
50. I developed device driver code for windows in the late 80's, and
I was at IBM. It's not that bad. Took me 600 lines
of C to write "Hello World" on the first IBM Windowing OS.
Printer Friendly | Permalink |  | Top
 
benburch Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Feb-18-05 08:19 PM
Response to Reply #50
53. You haven't seen how bad it's gotten then.
I could tell you stories about writing Win-Modem drivers for US Robotics/3Com and the things we found inside Windows-98 and Win-2K that would make you ill.
Printer Friendly | Permalink |  | Top
 
VegasWolf Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Feb-18-05 05:54 PM
Response to Reply #18
34. are nice little toys ! n/t
Printer Friendly | Permalink |  | Top
 
mpmusicny Donating Member (15 posts) Send PM | Profile | Ignore Fri Feb-18-05 06:06 PM
Response to Reply #33
38. The last virus...
the last virus i remember hitting a mac was sometime around 1992 (seriously). i as a musician know hundreds of mac owners, and i don't know one who even bothers with virus protection, spyware protection, popup protection, you name it, because it's not something that bothers us. Perhaps the biggest security problem we have is our lack of knowledge about security, because it's such a non-issue.

As for the comment about the mac being a toy, it's laughable, delusional rubbish. i love seeing the faces of PC based friends when they watch me put Panther through its paces - now that's real shock and awe...
Printer Friendly | Permalink |  | Top
 
mordarlar Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Feb-18-05 06:49 PM
Response to Original message
43. And how is this legal? A corporation SPYING on my PERSONAL comp?
Someone please explain this to me. I know they all create bugs to do this but this thing with Microsoft seems to be more blatant.

It is like going to buy a new kitchen table and the furniture salesman being allowed to enter your home anytime he wants. There must be something i am not getting. IS THIS LEGAL?
Printer Friendly | Permalink |  | Top
 
many a good man Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Feb-18-05 09:24 PM
Response to Original message
55. "almost impossible to detect"
Rubbish! If it has to send its traps back out onto the wire it can be detected. Not that it would probably even get past my firewall. Shouldn't be too hard for AV/security software to manage.
Printer Friendly | Permalink |  | Top
 
Lauri Donating Member (63 posts) Send PM | Profile | Ignore Fri Feb-18-05 10:12 PM
Response to Reply #55
56. Actually it is very difficult to detect
Unfortunately, I have personal experience with Hacker Defender on a network and worked with MS tech support for some time to understand what was going on. Ultimately the recommendation was to format and reinstall from scratch to ensure all traces were gone.

This was early last year and I had never heard of rootkits at the time. This network had a firewall, antivirus software and many other defenses but it still got put on there somehow (weak passwords? - ex employee?) It loaded at the kernel level and appeared to be legitimate services and it hid certain files and folders from the system itself. It was only when we were in the process of doing some upgrades that we discovered something very strange was going on.

It was very frustrating and nothing that we had ever seen before. It was extremely difficult to find any information on and nerve-wracking to research on the Internet because it brought us to many sites that were booby-trapped in their own way.

If you do research this subject, be careful.

Printer Friendly | Permalink |  | Top
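An added illustration for the reply above, not part of the original post or of any tool named in the thread: when files and folders are hidden from the running system, one way to expose them is a cross-view comparison between what the live OS lists and what the same volume shows when read from trusted boot media. The listing format, file names and timestamps below are constructed for the example, and the two inventories are assumed to have been collected by other means.

```python
from datetime import datetime

# Constructed sample inventories, one "path|ISO-mtime" per line. LIVE is what the
# running (possibly compromised) OS reported; OFFLINE is the same volume listed
# after booting from trusted media. All file names here are made up.
LIVE_TAKEN = "2005-02-18T22:00:00"
LIVE = r"""
C:\WINDOWS\system32\svchost.exe|2004-08-04T12:00:00
C:\WINDOWS\system32\drivers\tcpip.sys|2004-08-04T12:00:00
c:\temp\report.doc|2005-02-18T21:10:00
"""
OFFLINE = r"""
C:\WINDOWS\system32\svchost.exe|2004-08-04T12:00:00
C:\WINDOWS\system32\drivers\tcpip.sys|2004-08-04T12:00:00
C:\Temp\report.doc|2005-02-18T21:10:00
C:\WINDOWS\system32\drivers\example_hidden.sys|2005-01-10T03:14:00
C:\WINDOWS\system32\example_hidden.ini|2005-01-10T03:14:00
C:\Temp\setup.log|2005-02-18T22:30:00
"""

def parse_listing(text):
    """Map a case-folded path to (path as listed, mtime)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, stamp = line.rpartition("|")
        # Windows path lookups are case-insensitive by default, so compare folded.
        key = path.replace("/", "\\").rstrip("\\").casefold()
        entries[key] = (path, datetime.fromisoformat(stamp))
    return entries

def cross_view(live_text, offline_text, live_taken):
    """Sort files the offline view has but the live view lacks into two buckets."""
    live, offline = parse_listing(live_text), parse_listing(offline_text)
    cutoff = datetime.fromisoformat(live_taken)
    result = {"hidden": [], "review": []}
    for key in sorted(offline.keys() - live.keys()):
        path, mtime = offline[key]
        # Older than the live snapshot: the live OS should have listed it.
        # Newer: may be ordinary churn, but mtimes can be forged, so keep it for review.
        result["hidden" if mtime <= cutoff else "review"].append(path)
    return result

if __name__ == "__main__":
    for bucket, paths in cross_view(LIVE, OFFLINE, LIVE_TAKEN).items():
        for p in paths:
            print(bucket, p)
```

The comparison is only as trustworthy as the offline listing, which is why it has to come from media the suspect system never had a chance to modify.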
 
VegasWolf Donating Member (1000+ posts) Send PM | Profile | Ignore Fri Feb-18-05 10:13 PM
Response to Reply #55
57. Exactly, I wouldn't run any computer on any system connected to
the internet, ie, supporting IIOP and HTTP, without virus
protection. Who knows, virus writers may get around to the
neglected Mac community if more users show up, but that's highly
unlikely.
Printer Friendly | Permalink |  | Top
 
William Seger Donating Member (1000+ posts) Send PM | Profile | Ignore Sat Feb-19-05 04:00 PM
Response to Original message
62. I'm not a security expert, but...
Edited on Sat Feb-19-05 04:04 PM by William Seger
... it seems to me that all of these hacks, regardless of the target OS, are targeted at one fundamental weakness: that OSs need to allow "trusted users" to modify the OS itself. But this is in addition to -- and significantly different from -- allowing users to install applications. The most significant difference in security that I see between Unix and Windows is that Windows makes little if any distinction between the two. Since you can't do much on Windows without having "administrative privileges," hackers have found easy access through broken Windows to modify the OS when a "trusted user" simply opens an e-mail attachment or visits a website. But patching the holes as they're discovered isn't really doing anything about the underlying problem.

Unix-based OSs are safer because users don't normally run under accounts that are allowed to modify the OS and core utilities. The tradeoff is that Unix users need to deal with geeky sysadmin stuff in those cases where they do need those privileges. And although it's harder to do, these OSs are still vulnerable when hackers can find any way to impersonate a "trusted user."

I think the root of the problem (pun intended) is in trying to deal with security using "artificial intelligence" -- i.e. rule-based security policies -- instead of allowing users to exercise some real intelligence on a case-by-case basis.

I'd be perfectly happy with Windows security if there was just some way to define a set of core resources that couldn't be modified without my explicit permission. I think I could deal with having a window pop up and say, "Hey, I've got a program here that wants to put some stuff on your OS directory, make a tiny little change to the program you use to see what's on your OS directory, replace the program you use to access the Internet, set a program to run every time you start up, make a few changes to Registry entries that really belong to the OS and other applications, and start up a server on one of your IP addresses. Is that OK with you?"

Printer Friendly | Permalink |  | Top
 
boredofeducation Donating Member (194 posts) Send PM | Profile | Ignore Sun Feb-20-05 11:25 PM
Response to Original message
70. Another Exciting MAC VS. Windows Vs Linux Vs. Commodore Debate
Another one of them debates where everyone thinks they are right and the opposing viewpoint is wrong...

Just like a political debate!
Printer Friendly | Permalink |  | Top
 
paper chase guy Donating Member (322 posts) Send PM | Profile | Ignore Sun Feb-20-05 11:57 PM
Response to Reply #70
74. Bah, GNU/Hurd Uber Alles.
A guy I know has a good phrase for discussions like these: "Sir, it's just a computer." :)
Printer Friendly | Permalink |  | Top
 