Microsoft Says Recovery from Malware Becoming Impossible

benburch Donating Member (1000+ posts) Tue Apr-04-06 02:12 PM
Original message
Microsoft Says Recovery from Malware Becoming Impossible
http://www.eweek.com/article2/0,1895,1945808,00.asp

Microsoft Says Recovery from Malware Becoming Impossible
By Ryan Naraine
April 4, 2006

LAKE BUENA VISTA, Fla.—In a rare discussion on the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.

Offensive rootkits, which are used to hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

---------

Microsoft admits that its operating systems are such trash that they cannot even begin to secure them!

THIS is why you need to move to either Linux or MacOS X as your operating system, and do so ASAP.

mattclearing Donating Member (1000+ posts) Tue Apr-04-06 02:16 PM
Response to Original message
1. Word. Mac mini starts at $599. Let the PC/Mac flamewar begin...
:popcorn:

Xeric Donating Member (586 posts) Tue Apr-04-06 02:19 PM
Response to Reply #1
2. Linux!
I'm putting a word in for Linux. I've converted my formerly Microsoft PCs to Fedora Core Linux. Cheaper than buying a Mac.

mattclearing Donating Member (1000+ posts) Tue Apr-04-06 02:20 PM
Response to Reply #2
5. I've tried Red Hat. It was alright.
I'm more interested in media production, though, and no PC is going to challenge a Mac on that, no matter what it's running.

meegbear Donating Member (1000+ posts) Tue Apr-04-06 02:20 PM
Response to Reply #1
6. Macs SUCK! Linux BLOWS!
How's that?

johnfunk Donating Member (1000+ posts) Tue Apr-04-06 02:29 PM
Response to Reply #6
10. Well done, if I may say so...
... but Bill Gates' bugware sucks stale shit!

Okay, I take it back... it sucks the finest, freshest shit available!

meegbear Donating Member (1000+ posts) Tue Apr-04-06 02:30 PM
Response to Reply #10
12. Ahhhhh .....
your mother wears army boots.

benburch Donating Member (1000+ posts) Tue Apr-04-06 04:25 PM
Response to Reply #6
47. Not only do Macs Suck, they SWALLOW.
:evilgrin:

Why do you think we love them so much?

meegbear Donating Member (1000+ posts) Tue Apr-04-06 04:38 PM
Response to Reply #47
55. Manly, yes, but I like them too!
I have a Mac at home (typing this on it now) and have done Mac development. Do Java development and my shop is Windows, but we all want Macs.

I think the PC/Mac thing gets out of hand; but I think it is bad when a system can get that badly infected with malware, you gotta blow it away.

Kablooie Donating Member (1000+ posts) Wed Apr-05-06 11:36 AM
Response to Reply #6
71. Sounds like the kind of erudite observation I expect from a Freeper.

BlueEyedSon Donating Member (1000+ posts) Tue Apr-04-06 02:22 PM
Response to Reply #1
7. If it's not water cooled, it's not a computer

NYC Donating Member (1000+ posts) Tue Apr-04-06 02:44 PM
Response to Reply #1
20. Yes, but the MacBookPro I wanted
was $2,500 + tax. Therefore, I didn't get it. :(

guruoo Donating Member (1000+ posts) Tue Apr-04-06 02:57 PM
Response to Reply #20
25. Before I saw your post ...

alfredo Donating Member (1000+ posts) Wed Apr-05-06 04:44 PM
Response to Reply #20
87. The iBooks should be out soon. I'm going with the $799
Mac Mini. I'm going to load it up with RAM and get a KVM switch so I don't have to get a new monitor. My old G4 will dual boot OSX and Linux.

guruoo Donating Member (1000+ posts) Tue Apr-04-06 02:52 PM
Response to Reply #1
23. osx86

mattclearing Donating Member (1000+ posts) Tue Apr-04-06 02:59 PM
Response to Reply #23
27. What a waste that will be.
Like watching HDTV on an old television.

guruoo Donating Member (1000+ posts) Tue Apr-04-06 03:05 PM
Response to Reply #27
28. Naaaa...
It suits its intended purpose just fine.

davidwparker Donating Member (1000+ posts) Tue Apr-04-06 02:19 PM
Response to Original message
3. Agreed. Typing this in on a Powerbook running OS X Tiger.
Never heard of this particular MS problem, but it couldn't have happened to a more deserving company.

Chrisduhfur Donating Member (163 posts) Tue Apr-04-06 02:19 PM
Response to Original message
4. hahahahaha
And what OS are you running right now? I run both Linux and MS machines and I would hate to see how the average user would get along with Linux. Sure it's a lot easier now to get up and running but there are still a lot of 'gotchas' with it. Besides, if everyone dumped Windows and switched to Linux (or MacOS) then you would simply end up having more and more malware developed for those systems since that is what everyone is using. If you think that Linux is more secure than Windows just because it's Linux then I suggest you take a look at the number of security notices that get released.

Occulus Donating Member (1000+ posts) Tue Apr-04-06 03:28 PM
Response to Reply #4
33. There's a problem with that logic
Linux is open source. People all over the world work to fix problems. Yes, there are lots of security alerts- but the source is available for anyone at all to plug the hole. Micro$oft doesn't allow that.

I truly do think if Micro$oft were to open its source the bugs would get fixed faster. It's akin to buying a car with the hood welded shut, and those would never sell.

Businesses need to start demanding Windows source code, and threaten a move to open source until it happens.

benburch Donating Member (1000+ posts) Tue Apr-04-06 04:35 PM
Response to Reply #4
53. I run OSX as my primary OS, Linux for all my servers, and W2K...
...mostly so I can play Microsoft Train Simulator. But I also use it to record a show or two when the two main recording Macs are occupied.

I have used Linux as a Desktop in the past and loved it. And it has only improved since then. I especially love AbiWord which is a great WP that can open and save MS Word format files.

Poll_Blind Donating Member (1000+ posts) Tue Apr-04-06 02:26 PM
Response to Original message
8. Microsoft is softly pimping their new OS, Vista, with this statement.
Microsoft Vista is much more rights-driven than even the NT/2k/XP model. Users, like on a *nix system, will not have "administrator" rights which means they will exist in a sort of rights-sandbox.

Microsoft will do everything over the next few years to convince you that even the secure models of NT/2k/XP have failed due to malware. In reality, feature-rich (read "bells and whistles") operating systems produced by Microsoft itself have been exploited more and more easily by hackers willing to test the security parameters that Microsoft will not.

Hackers do not "break" programs. Poorly coded/structured programs, like an old barn, provide a great deal of cubbyholes in which all sorts of vermin can invest themselves.

In 5 years, Microsoft will be saying the same thing again after having claimed victory.

By producing a product which is secure (say, NT) then introducing numerous "features" (Windows XP) which have not been properly tested or designed, Microsoft invites the destruction of one paradigm so that they may sell you another.

PB

wain Donating Member (803 posts) Tue Apr-04-06 02:27 PM
Response to Original message
9. Then, how long is the rebuild good for?
The potential is that the freshly rebuilt machine will almost immediately become re-infected.

So, the logical answer becomes leave it alone or change operating systems. Or continually rebuild!

:popcorn:

benburch Donating Member (1000+ posts) Tue Apr-04-06 04:52 PM
Response to Reply #9
57. An unfirewalled W-98 on broadband usually cannot survive long...
They did a test where they were unable to get the security patches downloaded and installed before it was compromised.

Mind you W-98 is ancient and the worst of all systems that were Internet ready.

slackmaster Donating Member (1000+ posts) Tue Apr-04-06 05:22 PM
Response to Reply #57
60. OTOH a Windows for Workgroups 3.11 machine won't get hit
Because nobody is looking for them.

I've heard an unpatched Windows 98 machine in default configuration will get hit within about 20 seconds.

benburch Donating Member (1000+ posts) Tue Apr-04-06 05:40 PM
Response to Reply #60
63. Didn't you need to add WinSock to that to make it online? nt

slackmaster Donating Member (1000+ posts) Tue Apr-04-06 06:56 PM
Response to Reply #63
65. Yes, there was a plethora of different Winsock.dlls in those dark days
Microsoft had one version.

CompuServe shipped a different one.

Third-party providers (e.g. Chameleon, Wollongong, etc.) each had their own

And on and on and on, and you could run only one at a time.

NashVegas Donating Member (1000+ posts) Tue Apr-04-06 02:29 PM
Response to Original message
11. It's In Our Company Handbook You Can Get Fired for Unapproved DLs
Our email is as screened as it gets, but once every year or two, something gets through.

As far as web downloads go, we sign a paper that says we acknowledge what's in my header.

benburch Donating Member (1000+ posts) Tue Apr-04-06 04:24 PM
Response to Reply #11
46. All you need to be rootkitted is visit the wrong web site!
Or insert a music CD.

Or somebody with an infected bluetooth device could simply pass within range.

You don't need to take any affirmative action like downloading something.

lcbart Donating Member (93 posts) Tue Apr-04-06 02:31 PM
Response to Original message
13. Ummm why not badmouth the Malware instead of MS?
If you really believe that these guys wouldn't find a way to infest LINUX or MAC O/s if they were running on 95% of the desktops in the world - I think as a FORMER hacker you're wrong.

NVMojo Donating Member (1000+ posts) Tue Apr-04-06 02:41 PM
Response to Reply #13
17. Icbart, thanks for posting this. This is the real point. Criminals will
always find a way.

Poll_Blind Donating Member (1000+ posts) Tue Apr-04-06 02:41 PM
Response to Reply #13
18. Yes, what ignorant and ungrateful peasants we must be to badmouth MS...
As a former hacker, I would assume then that you understood that an open-source operating system is able to evolve against threats much more quickly and completely than an in-house one. More so, that Microsoft is made of many departments each fighting for funding and doing little to understand the overall integration of their product. They are chiefly concerned with their marketshare in the OS, not running as efficiently and safely as possible.

PB

lcbart Donating Member (93 posts) Tue Apr-04-06 02:49 PM
Response to Reply #18
22. I understand that.
I also understand that these scum don't spend their time trying to attack operating systems where they won't get the most bang for their bucks.

I have had my own issues with MS. I never said it was perfect.

But give these guys an open source O/S and I bet they stay three steps ahead of the people trying to keep it safe. Defending an Operating system is playing catch-up, and always has been.

Poll_Blind Donating Member (1000+ posts) Tue Apr-04-06 03:07 PM
Response to Reply #22
29. "But give these guys an open source O/S..."
Sir, they have the source code for the open-source operating systems in question. To boot, these operating systems are responsible for the safe running of enormous financial institutions all the way up to spacecraft.

And yet they keep on turning unperturbed by the disturbances of the upper deep. They are not perfect, but far less flawed than the material produced by Microsoft.

PB

lcbart Donating Member (93 posts) Tue Apr-04-06 03:21 PM
Response to Reply #29
31. Their targets are neither Fin. Institutions nor Spacecraft
Their targets are the average user surfing the net for porn, paying their bills online, and sending pictures of the new kitty to Aunt Edna.

The object is to spread as quickly and quietly as possible.

You speak eloquently about operating systems so I assume you know that this malware isn't coming from teenage hackers looking for props from their buddies. This is a business for these scum sucking weasels. They know that attacking a large financial institution will bring down the LEO on their heads. But, operating the way they do, they know it'll take a long time for most 'users' to find their leechware.

Poll_Blind Donating Member (1000+ posts) Tue Apr-04-06 03:52 PM
Response to Reply #31
37. "The object is to spread as quickly and quietly as possible.", I agree.
Microsoft operating systems famously help them achieve that goal. Much, much more so than if the clients would have a secure operating system. If I do not respond to further replies please understand that I am not shirking your conversation- I have appointments in a few hours and will be leaving soon.

PB

slackmaster Donating Member (1000+ posts) Tue Apr-04-06 03:46 PM
Response to Reply #13
36. Yes, make examples of a few malware criminals
Long sentences in federal pound-me-in-the-ass prison!

benburch Donating Member (1000+ posts) Tue Apr-04-06 04:27 PM
Response to Reply #13
48. As a 35 year systems internals guy...
I think it is unlikely that you will find a way to do to Linux or MacOS X what is done routinely and daily to Windows.

Occulus Donating Member (1000+ posts) Wed Apr-05-06 11:44 AM
Response to Reply #48
72. I agree, but could you give a few reasons why?
In your expert opinion. I think there are some who need to understand why it would be harder to pull off.

benburch Donating Member (1000+ posts) Wed Apr-05-06 12:21 PM
Response to Reply #72
79. Because the open source code base gets looked at by so many eyes.
Edited on Wed Apr-05-06 12:23 PM by benburch
Microsoft has a code base they guard jealously, and which few people see all of. Worse, even they do not know what much of the code is supposed to do! (I know this from many conference calls with them while working on a USB WinModem driver a few years ago.) There is basically no way to validate all of that code against stack overrun attacks or to insert code to do bounds and range checking because they are mortally afraid of breaking it and so breaking software that people already own and expect to have run. And they would break software because that software often depends on the bugs, intentionally or not, in order to do what it does! See, the lack of support from Microsoft for developers on obscure features means that people explore the code's operation for themselves, and if they find a way to use it and make happen what they want, they do it. This has the effect of locking-in mistakes in the code in such a way that fixing them makes everything break. And Microsoft often patches things by masking a bad behavior. They don't remove the offending code, which they don't understand, they just layer some code ahead of it (a head patch) or behind it (a tail patch) to fixup the mess that they need to fix up, and simply cannot be sure that they have made it work except in the one case of the bug report they are working on at the time. This is why Microsoft so often has to patch patches.

MacOS 1-9 was in a similar bind. People could and did explore the code for themselves and would make use of unpublished features!

Linux, BSD, and Darwin (the BSD-derived Microkernel OS upon which MacOS X is based) are open source code. Anybody can look at the code. Anybody can contact the developers of the code. And anybody can submit a bug fix with the expectation that it will be in the next release if it makes sense to the maintainers. And the code is criticized extensively by developers and so gets stronger with each release. There is not a single line of code in any of those that is not understood and which cannot be changed if an exploitable hole is found. Moreover, patches for holes come more quickly from such a process than they ever could for the Microsoft code base.

Even the Mac OS GUI API, Cocoa, and its little brother, Carbon, are far more open than the MS code base. And they have APIs where undocumented features are discouraged and where the developers are trained not to depend on them. And they do not need to depend on any of that because Apple is responsive to developers in the construction of those APIs, so nobody needs to grope in the dark to get something done. And because the APIs are clean, the underlying code can be changed at will as long as it passes the qualifying tests for the API without breaking any user applications, and so any hole that is discovered can be closed quickly and efficiently.

Renew Deal Donating Member (1000+ posts) Tue Apr-04-06 02:37 PM
Response to Original message
14. I have a better idea.
Run your systems with limited rights and then use a kick ass anti-virus program. That will go a lot further.

satireV Donating Member (497 posts) Tue Apr-04-06 02:37 PM
Response to Original message
15. Here is what will happen
1. A Penguin Head will drop his OS bomb into the channel.
2. His fellow Penguin thralls will jump on the bandwagon and spew venom against Bill Gates and MS.
3. A couple of MS people will clearly demonstrate the fallacious gratuitous assertions by the Penguin Heads. (Note this is not saying they demonstrate that one OS is safer, more secure, or better than the other, just that the Penguin Head argument is illogical and irrational.)
4. The Penguin Heads will whine about how bad Windows is.
5. The MS supporters will defend the Windows product.


Finally the Penguin heads will claim they are being assaulted and will DEMAND that no one discuss the issue with them and then think they have won the OS war.


Sounds like FreepTards doesn't it.

Jose Diablo Donating Member (1000+ posts) Tue Apr-04-06 02:58 PM
Response to Reply #15
26. LOL
:toast:

Linux is not immune, nor are Macs. One thing about MS though, you sure can get a lot of software packages with the OS and from what I have experienced, every piece of hardware I have ever had, you could get a driver. I cannot say this is true with Linux or Apple.

Truth is, I am kinda partial to FreeBSD. But any OS can be hacked.

skids Donating Member (1000+ posts) Tue Apr-04-06 03:58 PM
Response to Reply #26
40. Same argument applies.

The "if everyone used Linux" argument works not only for viruses, but drivers as well.

Any OS can be hacked, sure -- but there's a difference between having your user account hacked and the whole damn system. So far, I've found that OpenSource Developers have been taking privilege elevation holes nice and seriously, whereas Win32 privilege levels are really just a novelty item in the first place.

That said there's plenty of very badly written and poorly maintained OpenSource. Of course, that too might change with a larger desktop user-base.

Viva_La_Revolution Donating Member (1000+ posts) Tue Apr-04-06 02:40 PM
Response to Original message
16. They're just realizing this?
Between all the kids in the house, and the roomie who likes to collect malware, I do a complete scrub at least once every 6 months. Sometimes it's just easier.

Strange though, I haven't had to do mine in over 3 years. knock wood

bananas Donating Member (1000+ posts) Tue Apr-04-06 02:42 PM
Response to Original message
19. link from that article "Are virtual machine rootkits the next big threat?"
http://www.eweek.com/article2/0,1895,1936666,00.asp

VM Rootkits: The Next Big Threat
By Ryan Naraine
March 10, 2006

Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system.

The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.

Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system, according to documentation seen by eWEEK.

The prototype, which will be presented at the IEEE Symposium on Security and Privacy later in 2006, is the brainchild of Microsoft's Cybersecurity and Systems Management Research Group, the Redmond, Wash., unit responsible for the Strider GhostBuster anti-rootkit scanner and the Strider HoneyMonkey exploit detection patrol.

<snip>
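
Both articles quoted in this thread describe malware that filters what software inside the infected system is able to see. One defensive consequence is a cross-view check: list the disk once from the running OS and once from trusted boot media, then diff the two views. This is an added example, not code from the articles or from anyone in the thread; the file names, the `zz_hidden_` prefix and `simulated_live_view` are constructed for the demo.

```python
"""Cross-view diff: what the running OS reports vs. an offline scan of the same disk."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, NamedTuple


class Entry(NamedTuple):
    size: int
    sha256: str


def build_manifest(root: str) -> Dict[str, Entry]:
    """Record size and SHA-256 of every regular file under root.

    Collect it twice for the same volume: once from the running OS, once from
    trusted boot media with the disk mounted read-only.
    """
    manifest: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest, size = hashlib.sha256(), 0
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                        size += len(chunk)
            except OSError:
                continue  # unreadable from this view, so it surfaces in the diff
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = Entry(size, digest.hexdigest())
    return manifest


def cross_view_diff(inside: Dict[str, Entry], outside: Dict[str, Entry],
                    volatile: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Compare the live-OS manifest (inside) with the offline one (outside).

    hidden  : on disk, but not reported by the live OS
    altered : reported by both views with different content
    phantom : reported by the live OS only
    Paths under a `volatile` prefix are skipped; they change between any two scans.
    """
    prefixes = tuple(volatile)

    def keep(path: str) -> bool:
        return not path.startswith(prefixes)

    return {
        "hidden": sorted(p for p in outside.keys() - inside.keys() if keep(p)),
        "altered": sorted(p for p in inside.keys() & outside.keys()
                          if keep(p) and inside[p] != outside[p]),
        "phantom": sorted(p for p in inside.keys() - outside.keys() if keep(p)),
    }


def simulated_live_view(manifest: Dict[str, Entry], prefix: str) -> Dict[str, Entry]:
    """Constructed stand-in for a hooked OS: omits files whose name starts with prefix."""
    return {p: e for p, e in manifest.items()
            if not os.path.basename(p).startswith(prefix)}


def demo(volatile: Iterable[str] = ("windows/temp/",)) -> Dict[str, List[str]]:
    """Build a small constructed 'disk', derive both views and diff them."""
    files = {  # constructed sample content
        "windows/system32/kernel32.dll": b"legit library bytes",
        "windows/system32/drivers/zz_hidden_filter.sys": b"constructed hidden driver",
        "windows/temp/session.log": b"log line 1\n",
        "users/alice/report.doc": b"quarterly report",
    }
    with tempfile.TemporaryDirectory() as disk:
        for rel, data in files.items():
            path = os.path.join(disk, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        outside = build_manifest(disk)                      # offline, trusted view
        inside = simulated_live_view(outside, "zz_hidden_")  # what the live OS reports
    # A log that grew between the two scans: legitimate churn, not hiding.
    grown = b"log line 1\nlog line 2\n"
    inside["windows/temp/session.log"] = Entry(len(grown), hashlib.sha256(grown).hexdigest())
    return cross_view_diff(inside, outside, volatile)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A clean diff only shows that nothing on disk was hidden between these two views; it is not proof that the machine is clean.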
 
benburch Donating Member (1000+ posts) Tue Apr-04-06 04:29 PM
Response to Reply #19
50. I'll bet you a giant Hershey Bar...
that this "proof of concept" needs to be installed by somebody with root privilege.

Chrisduhfur Donating Member (163 posts) Tue Apr-04-06 04:39 PM
Response to Reply #50
56. Why is that relevant?
They were demonstrating what is possible. Elevating your permission levels is not something that is impossible. All it takes is a poorly patched system or a newly found exploit for the need of having SU privileges to become a non-issue.

benburch Donating Member (1000+ posts) Tue Apr-04-06 05:09 PM
Response to Reply #56
59. To infect Linux, you need to find that root-granting hole.
I invite you to try.

Occulus Donating Member (1000+ posts) Wed Apr-05-06 11:49 AM
Response to Reply #59
75. exactly
It's amazing how many exclusively-Micro$oft users don't fully understand the idea of "root access".

But then, Window$ has been noted in the past for that concept's conspicuous absence from its OS, so that shouldn't really be a surprise.

Megahurtz Donating Member (1000+ posts) Tue Apr-04-06 02:46 PM
Response to Original message
21. Yeah Microsucks!
I've had a DLL hijack on my machine and The Hack kept coming back,
even after I did a full system restore.
With extra security tactics, I think that I have eliminated it for good,
but then again now after reading this I'm not sure, I think I'll doublecheck!:dilemma:

superconnected Donating Member (1000+ posts) Tue Apr-04-06 02:53 PM
Response to Original message
24. If everyone moved to linux - opensource, the spyware would
Edited on Tue Apr-04-06 02:54 PM by superconnected
be written for linux. Same for the Mac.

What needs to happen is to quit diverting funds to profiteering Bush friends in Iraq and start foreign politicking for globally arresting the giant spyware rings.

DubyaSux Donating Member (366 posts) Tue Apr-04-06 03:14 PM
Response to Original message
30. I make a living programming...
...and all the stuff Microsoft puts in to make my life easier, makes my life easier. For example, I rely on using VBA for many Excel issues and many of the third party programmable controller programs I use to program manufacturing equipment support VBA. Unfortunately, these tools are hijacked by lowlife assholes to damage our computers, but Bill Gates gets the blame. And while he gets blamed for what these lowlifes do, he's given more money to medical and AIDS research than entire countries. Even with this, he is hated only slightly less than George W. Bush.

If you don't want rootkits because of what some assholes do, format your partition as FAT32. Rootkits only work on NTFS systems.

If Apple had the market share Microsoft does, Steve Jobs would be the asshole.

truebrit71 Donating Member (1000+ posts) Tue Apr-04-06 03:25 PM
Response to Reply #30
32. Okay, let's pretend I'm a computer idiot...
What does "format your partition as FAT32" mean, and how does one do that?

DubyaSux Donating Member (366 posts) Tue Apr-04-06 04:16 PM
Response to Reply #32
43. It's easy....
....if you're going to reformat your hard drive (as suggested), when you install NT and greater (Windows 2000, XP, etc), you have a choice to format the partition as FAT32 or NTFS. If you choose FAT32, you get 2 bonuses (I'm sure there are more, but this is off the top of my head). One, rootkits won't work. Two, if you boot to a floppy, you can read your hard drive's contents.

On the down side, you have crappier/non-existent security, a slower system, limited file sizes, and limited clusters to name a few. In my opinion, it's better to keep NTFS so you can have object permissions and make sure you have a great anti-virus program with a solid firewall.

Believe me, as everyone has stated - there is nothing that is being done in Microsoft operating systems that can't be done on any other OS. Microsoft just happens to be the biggest and easiest target to affect the masses. While Microsoft could stand to improve in many areas, blaming Microsoft for the actions of idiots is like blaming the car when a drunk uses a car and gets into an accident.

Microsoft does not put those features in to make it easy to kill your computer. They do it so people like me can use those features to create better software cheaper and allow you to lock down your systems as loose or tight as you want.

The same people complaining about malware damage probably use the least amount of security settings available because it's more convenient than acknowledging pop-ups that warn you your system is vulnerable with some actions.

Tesha Donating Member (1000+ posts) Wed Apr-05-06 10:36 AM
Response to Reply #43
68. People who say this have no idea what they are talking about.
> Believe me, as everyone has stated - there is nothing
> that is being done in Microsoft operating systems that
> can't be done on any other OS.

People who say this have no idea what they are talking about.
There actually *ARE* secure operating systems out there;
Microsoft just doesn't happen to make any of them and
for reasons of compatibility with older software, isn't
liable to make any of them soon.

Hints:

o VMS, especially with the DoD extensions.

o MVS.

o And yes, most commercial Unix systems (and that includes
MacOS/X). Probably Linux, too.

There are good, technical reasons why these systems are
all far more secure than any version of Windows.

Tesha

DubyaSux Donating Member (366 posts) Wed Apr-05-06 11:28 AM
Response to Reply #68
69. Whatever...
....you've used thin client systems as a basis for your statement. That's an apple/oranges comparison. And I'm calling bullshit on your Linux/Mac claim.

But since I'm only offering an opinion on this matter based on my experience, I could care less if you erase MS from your hard drive and go with some cryptic system you can't do shit on. Nobody has to justify their hatred of Microsoft with me. Have at it - you have plenty of company.

Tesha Donating Member (1000+ posts) Wed Apr-05-06 11:46 AM
Response to Reply #69
73. Sorry, you should have been more specific.
Sorry, you're the one who said there were no secure operating
systems. And, BTW, VMS was perfectly capable of running on the
desktop or in individual workstations, not just with "thin
clients".

So is Unix.

And you can call bullshit all you like, but the sad truth is
that either Linux or MacOS/X are far more secure than the
Windows presentation layer of Windows. The underlying NT
underpinnings of Windows may be secure, but in order to be
backwards compatible to ancient, crappy programs, Microsoft
made the upper layers of the system a Swiss cheese. Plus,
the ported presentation layer code was badly designed,
badly implemented, and badly tested.


> some cryptic system you can't do shit on.

Please, try not to prove your ignorance.

Tesha

Mithras61 Donating Member (1000+ posts) Wed Apr-05-06 11:55 AM
Response to Reply #43
77. About your bonuses...
> If you choose FAT32, you get 2 bonuses (I'm sure there are more, but this off the top of my head). One, rootkits won't work. Two, if you boot to a floppy, you can read your hard drive's contents.


I'd like to add a couple cautionary notes here:

1) FAT32 does not support any sort of file/folder security. If you are using multiple Windows accounts (as are supported in Windows NT/2000/2003/XP) FAT32 does not provide any way to secure files owned by other users. If you do use FAT32, you probably should not store any sensitive data on that partition.

2) If you format the partition as NTFS, you can run the recovery console (in Windows 2000/2003/XP) and get access to your files from a CD. The recovery console can also be installed on the hard drive and provide access to the files from the command line (provided that you have a physical disk type that is supported natively by these Windows versions). This will allow you to perform a wide variety of tasks including copying files that will fit on a floppy to that drive.

As far as root kits working or not on NTFS systems, a system that is properly configured (that is, accounts with appropriate restrictions are being used) will not allow a root kit to install since a User doesn't have installation rights. The simple answer is (as always) DON'T use an Administrator account as your primary login to the system, since it has privileges & rights that you don't need 98% of the time or more. Create accounts that are User or Power User and use them instead. Most of the Windows viruses will not be significantly hampered by this, since they currently use VBScript or other scripting engines that are enabled by default (ease of use, remember?) but this will stop malware that requires installation at Administrator level to be able to work.
 
DubyaSux Donating Member (366 posts) Send PM | Profile | Ignore Wed Apr-05-06 01:09 PM
Response to Reply #77
83. All you say is true...
...and all very good points.

For the record, I did state security with FAT32 was a problem in a following statement and recommended NTFS as such. As you correctly stated, simply properly securing your system would alleviate almost all security problems.

 
savemefromdumbya Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 03:42 PM
Response to Reply #30
34. McAfee
When I looked at McAfee anti virus it has a keylogging type of component which can read your email (it is hidden).
 
Chrisduhfur Donating Member (163 posts) Send PM | Profile | Ignore Tue Apr-04-06 04:32 PM
Response to Reply #30
52. Hmmm not following this
Why would a rootkit only work on an NTFS partition? Perhaps have a different definition of what a rootkit is, I dunno but I am not following you.
 
DubyaSux Donating Member (366 posts) Send PM | Profile | Ignore Tue Apr-04-06 07:30 PM
Response to Reply #52
66. Because a rootkit...
Edited on Tue Apr-04-06 07:44 PM by DubyaSux
....requires using Alternate Data Streams - only available with NTFS. A rootkit is embedded in another file with the use of Alternate Data Streams. That's what makes it so stealthy. Once you know where it is (usually known by the creator and a file that can be safely assumed to be on the computer), you can manage it just like any other type of file.

And why does Alternate Data Streams exist? Ironically, to provide compatibility with HFS, or the old Macintosh Hierarchical File System.
 
Chrisduhfur Donating Member (163 posts) Send PM | Profile | Ignore Wed Apr-05-06 07:08 AM
Response to Reply #66
67. I'm aware of ADS.
Edited on Wed Apr-05-06 07:08 AM by Chrisduhfur
But why do you say that those are required for a rootkit? If a rootkit simply relied on ADS to hide its existence then it's not that sophisticated of one.
Printer Friendly | Permalink |  | Top
 
Lars39 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Apr-05-06 11:31 AM
Response to Reply #30
70. Bill Gates didn't get philanthropical until he was in the hot seat.
The man sat on millions for way too long.
 
slackmaster Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 03:42 PM
Response to Original message
35. 12+ years as a Windows (and other OS) System Administrator here
Edited on Tue Apr-04-06 03:44 PM by slackmaster
I've worked with literally hundreds of Windows machines including desktops, laptops, high-performance workstations, and servers and never had to reinstall the OS because of any kind of virus, malware, etc.

> Microsoft admits that its operating systems are such trash that they cannot even begin to secure them!

All you really have to do to secure a Windows system is practice safe computing.

:boring:
 
skids Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 03:52 PM
Response to Original message
38. And even that may not do it...

...since so many systems come with a ton of BIOS PROM with the protection jumpers left off, which an advanced virus can infest and have control of your PC milliseconds after you hit the on button, hard drive or no.

 
dave29 Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 03:58 PM
Response to Original message
39. I'm thinking... Atari
I'm series.
 
skids Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 04:00 PM
Response to Reply #39
41. Just run linux/BSD on an oddball CPU.

Alphas/Sparcs aren't oddball enough, though. Ya gotta go for MIPS or somesuch.
 
benburch Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 05:52 PM
Response to Reply #41
64. PDP-8 Linux!
Yes, I am joking.
 
Tesha Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Apr-05-06 11:48 AM
Response to Reply #64
74. You know, it's a crazy idea, but it just might work!
Edited on Wed Apr-05-06 11:52 AM by Tesha

/ Define two symbols for I/O Transfer (IOT) instructions
/
TSF = 6041              / Teleprinter Skip-on-Flag
TLS = 6046              / Teleprinter Load Sequence (Clear flag and print from AC)
/
/ (Many PDP-8 assemblers contained these very basic IOTs predefined)


        *200            / Assemble the following code starting at location 0200
                        / (the beginning of Page 1 in Field 0)

START,  CLA CLL         / Clear the AC and the Link bit
        TAD (DATA-1)    / Point AC just *BEFORE* the data (accounting for later pre-increment behavior)
        DCA 10          / Put that into one of ten auto-pre-increment memory locations
LOOP,   TSF             / Test the printer "ready" flag, skip if ready
        JMP .-1         / Jump back if not yet ready
        TAD I 10        / Pre-increment mem location 10, fetch indirect to get the next character of our message
        SNA             / Skip on non-zero AC
        HLT             / Else halt at end of message
        TLS             / Clear the printer "ready" flag and output character contained in the AC
        CLA CLL         / Clear AC for the next loop
        JMP LOOP        / Jump back for the next character

DATA,   "H              / A well-known message
        "e              /
        "l              / NOTE:
        "l              /
        "o              / Strings in PAL-8 and PAL-III were "sixbit"
        ",              / To use ASCII, we'll have to spell that out, character by character
        "               /
        "w              /
        "o              /
        "r              /
        "l              /
        "d              /
        "!              /
        015             /
        012             /
        0               / Mark the end of our .ASCIZ string ('cause .ASCIZ hadn't been invented yet!)


(Sorry about the goofy formatting, but DU strips the spaces on output)
 
benburch Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Apr-05-06 12:03 PM
Response to Reply #74
78. Thanks for that!
I was a PDP-8/PDP-15 guy back in the day.
 
Tesha Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Apr-05-06 12:34 PM
Response to Reply #78
81. My pleasure! Glad you enjoyed it! (NT)
 
neuvocat Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 04:08 PM
Response to Original message
42. And yet a few weeks ago
Microsoft was on its high horse lecturing Apple about how to go about practicing proper security on its OS X machines. How interesting.

 
DainBramaged Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 04:18 PM
Response to Original message
44. You CAN solve the problem by keeping employees
from surfing the internet and doing their jobs. And one question. If Linenuts is so great, why don't schools use it?

Corporate is not going to change now, the investment in MS is too high. Get over it.
 
meisje Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 04:24 PM
Response to Original message
45. I'll stick with my TRS-80
 
benburch Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 04:31 PM
Response to Reply #45
51. My Apple ][e is better!
Edited on Tue Apr-04-06 04:31 PM by benburch
 
GregW Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 05:32 PM
Response to Reply #51
62. But my Sinclair ZX-80 is smaller...
 
RebelOne Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Apr-05-06 01:35 PM
Response to Reply #51
85. Had one of those. My first computer.
I thought it was really state of the art.
 
Canuckistanian Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 04:37 PM
Response to Reply #45
54. Does it cost much to feed the gerbil that powers it?
Or do you have to shovel coal into it somehow?
 
Canuckistanian Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 04:28 PM
Response to Original message
49. That's it, then. I'm switching to Linux.
And I'll start recommending it to my boss for our critical systems.

Thanks for the heads-up, Bill!
 
Tesha Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Apr-05-06 11:54 AM
Response to Reply #49
76. You'd be smart to do so. LAMP powers most of the web!
You'd be smart to do so.

Many mission critical systems that were based on proprietary
Unixes are now switching over to Linux.

And LAMP powers most of the web!

Tesha
 
Pavulon Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 04:58 PM
Response to Original message
58. Microsoft Just
made VirtualServer free. It will run on XP pro.

So you can install a VS machine, make an image of it, and then just surf from it. If it gets wasted just reload its image. Takes seconds.
 
high density Donating Member (1000+ posts) Send PM | Profile | Ignore Tue Apr-04-06 05:25 PM
Response to Original message
61. Or people could ditch Internet Explorer and Outlook Express
Edited on Tue Apr-04-06 05:29 PM by high density
for Mozilla. And run a firewall and free virus scanner. I know you're a Mac fan and you just love to yell "the sky is falling" every time there's some anti-Windows article out there, but to be honest it's getting quite stale. Linux is fun for a hobby machine (DVR software like MythTV is awesome) but in many real world business and home applications it just doesn't fit the bill. If you like Macs, go right ahead and buy them. The fact is that any computer that has been "rootkitted" (no matter what OS) is probably going to need its hard drive completely wiped.
 
sakabatou Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Apr-05-06 12:30 PM
Response to Original message
80. One just has to be safe with downloads and attachments
And their computer can be relatively clean. Relatively.
 
formercia Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Apr-05-06 01:03 PM
Response to Original message
82. I use FreeBSD
it works for me.
 
benburch Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Apr-05-06 01:23 PM
Response to Reply #82
84. Love FreeBSD!
Only reason I do not use it instead of Linux for my servers is that the server providing company only supports Linux.

And as Linux Is Good Enough (tm) that is what I do.
 
formercia Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Apr-05-06 04:25 PM
Response to Reply #84
86. Good enough for Apple, good enough for me. :) n/t
 