Defending Against New Rootkits That Beat BSD, Linux, Mac, Vista, AMD and Intel

Great, so that means we’re damned if we upgrade, damned if we don’t. What kind of a messed up future are we going to have here?!?

I assume you mean “shut down and LEAVE IT OFF”

I’ve been wondering if a system already running under a hypervisor like Vmware’s ESX server would be vulnerable to this?

Also: if a machine’s bios were EFI (like the new Macs), couldn’t something like this take such complete control that even booting from CD wouldn’t unlatch it?

Also, I wonder about detection issues: the computer can be a bald faced liar, but the wall clock doesn’t lie. Wouldn’t it be possible to detect a compromised system by code timing? Difficult, I suppose..

@1c3d0g: The road to the future is filled with potholes.

@Tony:

1. Hardware virtualization happens first, even before Ring 0.
2. Short answer: True. Medium answer: Like many deadly rootkits, these are non-permanent. After shutdown, they vanish. The reasoning goes like this: Permanent rootkits must be stored in a place that is ultimately findable. Memory resident rootkits are hard to spot, and leave few or no footprints. If a number of nodes are infected by a rootkit, it can always reinfect any re-started computer, when the node freshly announces itself to the network.
3. Once a rootkit has its hands on all your system levers, it can tell you anything it wants… up to the limit of the programming abilities of its Evil Master.

Not to worry. The same folks who got us into this mess will get us out… I hope.

It’s my understanding that you need to be running as the “root/administrator” user in order for this virus to be effective.

“Rutkowska explained that the security systems in Vista can be sidestepped by using a piece of malicious software she had created and dubbed as Blue Pill. She also admitted that she had to perform the hack in higher privileged administrator mode rather than the lower privileged user account control.”
Taken from From http://www.techtree.com/techtree/jsp/article.jsp?article_id=75054&cat_id=582

That being the case this will only effect Nix admins who use the root account as thier personal login. Can I see a show of hands of who does this on a Nix system? …Crickets chirping… thought not.
My point?
When “Rutkowska says there’s no reason why the Blue Pill can’t take out any x64 roll outs of Linux or BSD either.” We seem to be missing CRUCIAL information. Such as “She also admitted that she had to perform the hack in higher privileged administrator mode rather than the lower privileged user account control.” Details, details…..

This is a grim look on the future of computer security. I’ve started to compile a list of resources and programs to help protect computers against rootkits at http://www.rootkitshield.com/ But now after reading this article, I’m not even sure if there are any good ways to protect against this type of threat.
I suppose an intrusion detection system could detect packets going out to the rootkit creator, but if they have control over the hardware itself with this type of rootkit, then they can probably just run their own OS on the processor without the original OS ever knowing.

In the battle of attackers vs defenders of computer systems it looks like the attackers are ahead once again.

(Warning do not read this is if you always run as root on a Nix system as to avoid frustration. It will only serve to frustrate you more and possibly strike fear into your heart! You have been warned.)

Hello BJ Gillette,
Interesting point, that you make there with the admit to doing… addition to my above comment.

“Thanks to the success of Linux, lots of new and frustrated admins are committing early-Windows administrative gaffes… especially when installing new software.

Don’t kid yourself. The sins of Windows are being visited on Nix.”

I do see the “real world” point you make here and it is a good one.

Here are my thoughts on it.

Current M$ practices are to run by default with admin privileges for many reasons the most well known is for the sake of convenience(install hardware, software etc…). You can try to make current versions of Windows use the more secure Nix type methods but you would be facing a lot of work. So it is fair to say that you would really have to want to secure your system in that way. Since M$ ships its product insecure by default it is safe to say that it is their fault the system runs that way by default. The “SysAdmin” is clearly not responsible for M$ policy and have come to accept the insecure nature of M$ products they are given. In short it is easy to say “it is not the SysAdmins fault”. Their bosses see their point as there is no where for the blame to fall as M$ offers no warranty of any kind on their products.

Said bosses decide that it is time to look to a Nix system as a solution.

Enter the Nix system.
By default it uses a much more secure approach to authentication which to the previously innocent SysAdmin is frustrating. They hate having to remember that pesky root password or type their own password to change system wide settings. So they do as you said above and solve their frustration by just running as the root user all the time and tell no one. Within a short period of time they are fired, do you know why? Because it is now officially their fault that the system broke. They were warned cautioned and told to never run as the root user in every training class, manual, howto and by every consultant that ever talked to them about the Nix based authentication. Unless it was absolutely necessary and only for very short periods. Keep in mind here that there is a vast difference between providing root access to a process that allows for the installation of software or hardware and running exclusively as the root user.

So for the “silent minority” of frustrated and previously blameless M$ SysAdmins that are taking the approach you mentioned with a Nix system I have only these two things to say.

1.) You are going to get caught! It is inevitable.
and
2.) Unemployment sucks man!

BJG: “Here’s a hint”

And how many of those “just happened to be there” guys and gals that can “understand the screen prompts”( did you really write that? WOW) are likely to be running any form of *nix? Hehhehe thought so.

Just about everyone here already understands the nuances of rootkits. But when you’re trying to tell a non-tech what rootkits do, they often give us the open mouthed stare. Check out OmniNerd for an easy primer on rootkit technologies for educating your hard-headed users/supervisors.

http://www.omninerd.com/2005/11/22/articles/43

Hi land0.
Doggone it, land0, you’re getting close to gutting my article for today.

Really? I plead the great minds… defense. hehe

Here’s a hint: Lots of networks in small businesses are run as needed by the guy or gal who can best understand the screen prompts. No matter what happens to their networks, their jobs are 100% secure.

Looking forward to reading this one.

“Undetectable”. “Memory resident”. Um. Presumably, the “blue pill” code is either in memory that can be read by some system-level program, or has made a finite amount of memory unavailable, and, in theory, unaccounted for (by tabulation of total memory allocated to current OS and application functions)? Can someone explain either why that last statement is fallacious, or how the first two claims are not in conflict? Thanks.

“unaccounted for”
Um. Theoretically Blue Pill hypervisor filters everything the o/s sees. Thanks.