Coffeehouse Thread

8 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

RATware

Back to Forum: Coffeehouse
  • billh

    Yay. 2006: Year of the "Rootkit" and Year of "Ratware". Well, like we didn't figure this one was coming.

    http://www.msnbc.msn.com/id/9898957/

    The article wrote:
    Forget phish. It's rats that are about to cause the most trouble for Internet users.

    Clever computer criminals have recently become much more sophisticated in their attacks against online banks, experts say. The Internet is now awash in programs called "remote access Trojans," or RATs, that feed on online banking passwords.

    Trojan horse programs have traditionally sneaked their way onto computers by posing as desirable free software, such as electronic greeting cards or file-sharing programs. The malicious programs are hidden, and like the Greek soldiers hidden in the famous wooden horse, jump out to attack once they're safely inside. But others are pushed onto computers without any interaction at all, through various software vulnerabilities. In that case, consumers would likely have no way of knowing their machine has been subdued.

    These new remote-access Trojans are designed specifically to lurk in the background, waiting until the unsuspecting user types the name of a well-known bank into a Web browser. Then, the program springs into action, copying every keystroke. The data is sent back to the criminal, who now can raid the online bank.


  • mot256

    Hi,

    You could say South Africa has "been there past that"...
    Crime? Well it's Africa.
    Look at www.absa.co.za or www.standardbank.co.za and you will see that we already have a solution for those problems here...

    mot256

  • borosen

    billh wrote:

    Yay. 2006: Year of the "Rootkit" and Year of "Ratware". Well, like we didn't figure this one was coming.

    Regarding this Rootkit feature:

    Why does the operating system support this feature?

    (i.e. hiding files, drivers etc)

  • W3bbo

    borosen wrote:
    billh wrote:

    Yay. 2006: Year of the "Rootkit" and Year of "Ratware". Well, like we didn't figure this one was coming.

    Regarding this Rootkit feature:

    Why does the operating system support this feature?


    Because it was a good idea at the time. ;)

    But "Driver viruses" are nothing new though.

  • Mike Dimmick

    borosen wrote:
    Why does the operating system support this feature?

    (i.e. hiding files, drivers etc)



    The OS supports loading drivers into kernel mode (obviously). Once loaded that driver can do anything to the running OS image - including hooking the system service table, which is where the entry points to all kernel mode APIs live. A driver can hook the directory listing API (NtQueryDirectoryObject?) and simply not return all of the results, thus hiding files. This avenue is allegedly blocked on x64 versions of Windows which supposedly don't allow the system service table to be modified.

    You can also use DLL injection techniques to load a DLL into every process on the computer (that the current user has access to). That DLL can hook FindFirstFile(Ex) and FindNextFile (rewrite the import address table) so that the files don't show up in directory listings. There are a variety of methods - they all use mechanisms that are intended to support debugging, or extension of the platform in the case of Windows Hooks. The Import Address Table has to be writable so that the loader can actually hook up the imported functions.

    I think by now Microsoft could remove the AppInit_DLLs registry key. Its original purpose was to allow additional controls (window classes) to be made available to every process, but I think every control library requires you to link to and initialise it (e.g. InitCommonControlsEx). However, that still leaves the CreateRemoteThread and Windows Hooks avenues open. Both serve a useful purpose and I'm not sure how they could be constrained and yet keep compatibility. Even if you could constrain some of the APIs (e.g. make CreateRemoteThread fail unless the calling process is debugging the process that the thread will be created in) the rootkits will simply follow the path that remains open (e.g. debug all processes running as this user).
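An added example, not from any poster in this thread, that audits the AppInit_DLLs avenue Mike describes from a defender's side: it lists every DLL registered to be injected into user-mode processes and whether it is signed. It assumes the 64-bit Wow6432Node mirror and the LoadAppInit_DLLs / RequireSignedAppInit_DLLs values, which Windows added after this thread, exist on the machine being audited; on older systems those two columns simply come back empty.

```powershell
# Added example: audit the AppInit_DLLs injection list (not code from the thread).
# Run from an elevated PowerShell prompt on the machine being checked.

function Get-AppInitDllAudit {
    # Native key plus the 32-bit mirror used by 32-bit processes on x64 Windows.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    $system32 = [Environment]::GetFolderPath('System')

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key

        # LoadAppInit_DLLs = 1 means the list is actually loaded into every
        # process that links user32.dll; RequireSignedAppInit_DLLs = 1 means
        # unsigned entries are skipped. Both values post-date this thread.
        $loadEnabled   = $props.LoadAppInit_DLLs
        $requireSigned = $props.RequireSignedAppInit_DLLs

        # The list itself is space- or comma-separated; a bare file name is
        # resolved from System32, so normalise to a full path before checking.
        $entries = ([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ }
        if (-not $entries) {
            [pscustomobject]@{ Key = $key; Dll = '<empty>'; LoadEnabled = $loadEnabled
                               RequireSigned = $requireSigned; Signature = 'n/a' }
            continue
        }
        foreach ($entry in $entries) {
            $path = [Environment]::ExpandEnvironmentVariables($entry)
            if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $system32 $path }
            $status = if (Test-Path $path) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'FileMissing' }
            [pscustomobject]@{ Key = $key; Dll = $path; LoadEnabled = $loadEnabled
                               RequireSigned = $requireSigned; Signature = $status }
        }
    }
}

# Any non-empty list deserves a look; an unsigned or missing DLL with
# LoadEnabled = 1 is the weak configuration a rootkit would rely on.
Get-AppInitDllAudit | Format-Table -AutoSize
```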

  • borosen

    Thanks Mike.

    Too bad, it seems as we have to cope with these 'features' for some time to come...

  • Charles

    We'll dig into what Vista will bring to the table in this regard. Clearly, things need to be able to run in kernel mode without being signed entities from Microsoft. Compatibility is crucial and we can't go breaking applications. Hard problem. Keep in mind that you as a user are the first defense (the code has to get on your system, after all). Please remember to be very wary of installing any software that you don't completely trust (This is where Sony deserves a kick in the pants with respect to them knowingly hacking their own customers...).

    We are innovating security in Windows.

    C

  • W3bbo

    Charles wrote:
    We'll dig into what Vista will bring to the table in this regard. Clearly, things need to be able to run in kernel mode without being signed entities from Microsoft. Compatibility is crucial and we can't go breaking applications. Hard problem. Keep in mind that you as a user are the first defense (the code has to get on your system, after all). Please remember to be very wary of installing any software that you don't completely trust (This is where Sony deserves a kick in the pants with respect to them hacking their own customers...).

    We are innovating security in Windows.

    C


    How about a special warning dialog that shows whenever any kind of kernel-mode software is installed?

    Maybe with a link to a web-page with a lookup code so you can check the latest updates.

    And how about letting the users turn off Autoplay/Autorun fully, without having to meddle with Group Policy (thus blocking Windows XP Home Ed. users from stopping it from running in the first place)?
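An added example, not from W3bbo or anyone else in the thread, showing the registry route to what he asks for: the NoDriveTypeAutoRun policy value can be read and set directly, with no Group Policy editor involved, so it works on editions without gpedit such as XP Home. The bit-to-drive-type mapping is the documented one; the default value shown is the XP default.

```powershell
# Added example: decode and harden the Autorun policy mask (not code from the thread).
# Each bit in NoDriveTypeAutoRun disables Autorun for one drive type.
# The HKLM copy of the same value, if present, overrides the per-user one.

$AutoRunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DriveTypeBits = [ordered]@{
    0x01 = 'Unknown'; 0x02 = 'No root directory'; 0x04 = 'Removable'
    0x08 = 'Fixed';   0x10 = 'Network';           0x20 = 'CD-ROM'
    0x40 = 'RAM disk'; 0x80 = 'Reserved'
}

function Get-AutoRunPolicy {
    # Missing value means the OS default applies (0x95 on XP: Unknown,
    # Removable, Network and Reserved disabled; CD-ROM and Fixed still run).
    $mask = 0x95
    if (Test-Path $AutoRunKey) {
        $v = (Get-ItemProperty -Path $AutoRunKey).NoDriveTypeAutoRun
        if ($null -ne $v) { $mask = [int]$v }
    }
    foreach ($bit in $DriveTypeBits.Keys) {
        [pscustomobject]@{
            DriveType       = $DriveTypeBits[$bit]
            AutorunDisabled = (($mask -band $bit) -ne 0)
        }
    }
}

function Disable-AutoRunForAllDrives {
    # 0xFF sets every bit, i.e. Autorun off for every drive type.
    if (-not (Test-Path $AutoRunKey)) { New-Item -Path $AutoRunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

Get-AutoRunPolicy | Format-Table -AutoSize   # before
Disable-AutoRunForAllDrives
Get-AutoRunPolicy | Format-Table -AutoSize   # after: all rows True
```

Explorer reads the value at logon, so sign out and back in (or restart Explorer) before testing with a CD that carries an autorun.inf.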
