Unless you’ve been sleeping under a rock, you know that rootkits are bundles of code that act as invisible cloaks for other software. When doing its job properly, a rootkit allows the cloaked software to operate without interference or detection by users, managers, or protective software, including antivirus, antispyware and rootkit detectors.
It is critical to note that rootkits irrevocably change your operating system. As top rootkit author Greg Hoglund says, a rootkit “inserts backdoors into existing programs, and patches or breaks the existing security system.”
For this reason, rootkits are often deployed for projects most users don’t appreciate, like trojans, viruses, spyware and Digital Rights Management (a la Sony BMG). As an operating system that enjoys a huge audience, Microsoft Windows is a giant target. And the best rootkit for Windows?
Rootkit.com lists Hacker Defender as “the most popular and widespread rootkit today.” Hacker Defender’s creator, holy_father (hf), offers several versions of the Hacker Defender rootkit. All are aimed at all versions of Windows NT, XP, 2000 and 2003. hf has graciously agreed to answer a number of questions about rootkits and Windows security for Email Battles readers. We have edited his comments only as required to form a bridge between his understanding of English and yours. The hope from both sides: You will better understand the how-and-why of rootkits, and how to protect yourself from them.
While Hacker Defender does not subvert Windows 95, 98 or Millennium, hf offers plenty of insight into those products:
Since we know the NT architecture, we don’t want to waste time with something like 9x/ME. These systems are useless. There is no reason to use them any more. But rootkits for these systems exist. They are downloadable on the net. We are just not interested in these systems because there is no reason.
We can’t force security companies to try to secure 9x/ME boxes when we know it is impossible unless they implement the NT kernel again. That’s the reason we are coding NT rootkits - because we know it is possible to secure an NT box and so we want companies to do it.
Nevertheless, a lot of companies are still using Windows 98 and Windows Millennium (ME). Is it possible to protect 98 and ME from rootkits? The response is not encouraging:
Simple to answer - No it is not possible. But of course, that is not 100% true. I’ll try to explain. Unlike the NT kernel, Windows 98, ME (95 too) implements no security. There is nothing like process protection, or even kernel protection.
Your application that runs in usermode can directly access kernel structures and code.
That’s why these 9x and ME systems crash a lot. They are unstable because, if there is a bug in any userland application, it may damage other processes or even kernel memory, directly without any special code. You can write a tiny application - like three lines of code - to rewrite all kernel memory and this is a 100% OS crash.
Now, why is this not 100% true?
You can always implement the code that will make NT from your 9x systems.
If you understand that, you also know that it is not very smart to do. A much much cheaper way is to get some “real” OS - with standard protection mechanisms, security etc., like NT OS or *nix OS or many others.
There is no reason to use Windows 9x/ME in today’s world because of this. There is no security. And if one tries to implement security there, he would just try to implement whole NT kernel again.
Upshot: If you absolutely must use Windows 95, 98 or Millennium, keep them as far away from the Internet as possible.
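To make hf’s point about kernel protection concrete, here is an added example that is not from the article, from hf, or from the Hacker Defender project: a small C probe, written for Linux/x86-64 as a stand-in for any OS that enforces the user/kernel boundary the way NT and *nix do. It attempts a single user-mode store to a kernel-space address and reports whether the OS trapped it. The address constants are assumed canonical kernel addresses for x86-64 and 32-bit x86, and the SIGSEGV/SIGBUS handling is the standard sigsetjmp/siglongjmp recovery pattern. On a system with no such boundary, which is what hf describes for 9x/ME, the store would simply go through and corrupt kernel memory instead of being caught; the probe only confirms that the boundary holds, it does nothing to a kernel that enforces it.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Recovery point used by the fault handler to unwind out of the bad store. */
static sigjmp_buf recover;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(recover, 1);   /* back to sigsetjmp() with a non-zero value */
}

/* Try one user-mode write into the kernel half of the address space.
 * Returns 1 if the OS trapped the access (protected kernel, as on NT or
 * Linux), 0 if the write completed (no user/kernel boundary at all). */
int kernel_write_is_trapped(void) {
    /* Assumed canonical kernel-space addresses; constructed for this probe. */
#if UINTPTR_MAX > 0xffffffffUL
    uintptr_t addr = (uintptr_t)0xffffffff81000000ULL;  /* x86-64 kernel text region */
#else
    uintptr_t addr = (uintptr_t)0xc0000000UL;           /* 32-bit x86 kernel base */
#endif
    volatile uint32_t *p = (volatile uint32_t *)addr;
    volatile int trapped = 0;
    struct sigaction sa, old_segv, old_bus;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms raise SIGBUS instead */

    if (sigsetjmp(recover, 1) == 0) {
        *p = 0;          /* on a protected kernel this store never completes */
        trapped = 0;
    } else {
        trapped = 1;     /* we arrived here via the fault handler */
    }

    /* Restore the previous handlers so the rest of the process is unaffected. */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return trapped;
}

int main(void) {
    printf("user-mode write to kernel memory %s\n",
           kernel_write_is_trapped()
               ? "was trapped: the OS enforces a user/kernel boundary"
               : "succeeded: no kernel protection on this system");
    return 0;
}
```

The design choice worth noting is that the write is made through a `volatile` pointer, so the compiler cannot optimise the store away and the probe really does exercise the page-fault path; the result is returned from a function rather than only printed, so it can be checked programmatically.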
13 comments
September 11th, 2006 at 6:28 am
Pingback from A (now open) letter to Nick Francesco « Limulus
December 13th, 2005 at 4:18 pm
ME_user
I’m still using ME, and I haven’t had any problems with rootkits.
December 13th, 2005 at 4:22 pm
m$h8tr
Dude, you can be riddled with rootkits, and NOT EVEN KNOW IT! If you’re still running ME, you’re screwed.
December 13th, 2005 at 10:42 pm
VnutZ
Honestly, if you’re running an older version of windows, you’re likely completely ‘owned’ by automated hacking programs across the Internet. To better understand why you have no idea you were hacked, read OmniNerd’s article on how rootkits work:
http://www.omninerd.com/2005/11/22/articles/43
December 14th, 2005 at 1:11 am
98 user
Actually, I’ve stopped using 98 only last year, because it could no longer efficiently support my new rig. It’s damn secure. While the whole world worried about Blaster and Sasser, I was completely unaffected. Just keep a Firewall up, an alternative browser on and safe computing practices. Remember… 9x/ME’s own security weakness can be used against rootkits too… there’s no way a rootkit can completely wrest control from me. Ran it for close to 6 years without incident, clean as a whistle. Because unlike dimwits who run just any piece of code they find, I make sure I know what I’m doing.
December 14th, 2005 at 9:36 am
Big Red
My laptop’s running ME. Have had problems with it for several years. It locks up a lot, which usually leads to its being powered down improperly. Of course, scandisk then comes up automatically upon re-boot. Scandisk typically fails mid-process, saying another Windows program or other program is getting in the way. Thanks for the article. It just may be that the problem is a rootkit issue.
December 14th, 2005 at 11:22 am
Sum Yung Gai
This is why I use GNU/Linux and OpenBSD. The only time I’ve ever gotten owned on one of those boxes was when I was negligent and ran an old, vulnerable version of SSH (v1.2.27) back in the year 2000. I deserved what I got that time. Since then, I’ve learned my lesson and never been owned again on GNU/Linux or BSD.
However, I got seriously owned with a Windows NT 4.0 box running Exchange Server 5.5 in the year 2003. Yes, I had all the patches. It was replaced with a GNU/Linux box running postfix and courier-imap, and it’s proven bulletproof to this point.
December 15th, 2005 at 12:25 pm
m$h8tr
SpannerITWks, you wouldn’t even know if you were secure. holy_father is one of the world’s top experts on this stuff, and he’s telling you that it’s not possible to secure Win 95/98/ME. You’d be wise to listen.
December 15th, 2005 at 12:41 pm
SpannerITWks
m$h8tr
How could you possibly know if I am Secure or not? You can’t, nor can anybody else! You or they do NOT know the precautions I have taken, and continue to do as and when.
Maybe you aren’t aware that I have communicated with HF on several occasions on different topics. My previous comments were NOT directed at HF, but generally to people reading who may think that NT/XP etc are safe. They might be safer outa the box in “Some” areas than 98 etc, but we’ve all seen how they still get penetrated Daily, but I Don’t!
I do read his stuff, and others too, and I acknowledge he is gifted and I DO have respect for him. I understand his modus operandi in giving the “Security + Software” people a kick up the ass to tighten things up, and that’s a Good thing. What people do with his RK’s is up to them, not HF.
He has previously said that his main focus and expertise is Rootkits on NT etc systems. I, like him, only recently discovered the RK for 98 posted on hxdef!
Only I know if I allow anything in to my PC or not from wherever, and I’m Very careful what I do and where I choose to surf. Sometimes I take calculated risks on purpose to see if my defences stand up. So far they have, I’m pleased to say.
Others using non NT etc systems might not be so lucky, for the reasons I gave earlier as well.
But it’s very interesting to note that week after week after week, I keep on seeing scores of people in many forums, and that I know, who get infected with all sorts of crap, including RK’s, that are running XP etc PC’s.
As well as tightening things up as I mentioned before, here’s something else you can do that’s Proven to help protect. It’s an Excellent App that works on ALL Win OS’s including 98.
-
BOClean enables you to:
Destroy trojans and remove registry entries
Detects and destroys malicious spyware
Detects and destroys malicious *ROOTKITS*
Disconnect the threat without disconnecting you
Generate optional report and safe copy of evidence
Automatically sweep and detect in the background
Both Updates and Upgrades FREE of charge
http://www.nsclean.com/boclean.html
-
Regards,
Spanner
December 15th, 2005 at 12:45 pm
SpannerITWks
So 98SE can’t be secured hey, says who? They probably haven’t tried, and more than likely are talking about a - Straight outa the Box - scenario. In which case of course I would agree.
Disabling ALL sorts of Completely unneeded services etc etc goes a Very long way to securing things, also on XP etc!
Throw in a few very good Security Apps too, properly configured and you’re laughing, well I am anyway lol.
Next we’ll be hearing that IE can’t be made VERY secure, but it can be and IS 4 me and plenty of others.
Maybe some people aren’t aware of the NTFS partition/s on XP etc with all those ADS Streams that nasties Can + Do hide in. Try looking through All those when you have some spare time!
The main vector for intrusions of any kind on ANY system is the user. Clicking on this n that etc and visiting dodgy sites and DL stuff they aren’t certain of or where it Really came from with crap inside etc etc.
If you get your system sorted whatever flavour it might be, then it’s Sorted. Bearing in mind the above.
I don’t suffer Any uninvited intrusions, so I’m living proof it can be done.
Spanner
December 22nd, 2005 at 5:33 am
George
I use win 98 and win xp and with 98 I never had problems.
George ( george@balcanicsoft.com )
January 17th, 2006 at 2:53 am
Federico Bianchi
DOS-based systems are plain hopeless from a security point of view (no proper protection by design, dumb file system, etc.). They have one real advantage over any NT-based OS, though: a functional emergency mode - plain old DOS - where you can work everything out with little or no hassle. I wish I had a really *workable* repair console built in SMSS.EXE to be triggered at reboot when necessary via the menu prompt.
January 27th, 2006 at 4:15 pm
win9x
Such BS.