Coffeehouse Thread

7 posts


Why design Windows (or any OS) like this

  • Heywood_J

    The other day there was an announcement about some new malware:

    "Backdoor.Rustock.B is a back door Trojan horse that allows a compromised computer to be used as a covert proxy. It uses advanced rootkit techniques to hide any files and registry subkeys it creates."

    As I was reading about the program, I started thinking "why would any OS allow programs to do this?"  For example:

    * Uses NTFS Alternate Data Stream to hide its driver (creates hidden alternate data streams)
    * Creates a hidden device service  %Windir%\System32:lzx32.sys
    * Uses advanced Rootkit techniques to hide the registry subkeys it creates and to prevent access to the alternate data streams file.
    * Removes its entries from many kernel structures including the Services Control Manager, Object manager, and the loaded module list, to prevent detection.


    Hidden services?  Hidden registry keys?  Hidden data streams?

    Forgive me for being naive, but I don't get it.  Why would any OS allow these sort of things?  Why does any legitimate program need to hide anything?


  • blowdart

    Heywood_J wrote:


    Hidden services?  Hidden registry keys?  Hidden data streams?

    Forgive me for being naive, but I don't get it.  Why would any OS allow these sort of things?  Why does any legitimate program need to hide anything?


    Hidden data streams are great for storing meta data in, where you don't need it embedded in the actual data itself.

  • figuerres

    Heywood_J wrote:
    The other day there was an announcement about some new malware:

    "Backdoor.Rustock.B is a back door Trojan horse that allows a compromised computer to be used as a covert proxy. It uses advanced rootkit techniques to hide any files and registry subkeys it creates."

    As I was reading about the program, I started thinking "why would any OS allow programs to do this?"  For example:

    * Uses NTFS Alternate Data Stream to hide its driver (creates hidden alternate data streams)
    * Creates a hidden device service  %Windir%\System32:lzx32.sys
    * Uses advanced Rootkit techniques to hide the registry subkeys it creates and to prevent access to the alternate data streams file.
    * Removes its entries from many kernel structures including the Services Control Manager, Object manager, and the loaded module list, to prevent detection.


    Hidden services?  Hidden registry keys?  Hidden data streams?

    Forgive me for being naive, but I don't get it.  Why would any OS allow these sort of things?  Why does any legitimate program need to hide anything?

    don't blame the OS....

    they took things that were built to help and abused them.

    I am not sure what is meant by some of this but...

    files and the "Multiple streams" stuff is very handy for many things.
    they are not "Hidden" per se, just not shown as separate files.

    and the registry -- I think, like files, it has ACLs so you can keep users from mucking with keys that the system needs...
    I have had to modify registry ACLs a few times to fix a problem. if you do not have read permissions on a sub-key then you can't read it.
    if it's used by a driver to store data whose alteration would create system problems, then why not?

    so they are just abusing the system.... the problem is that once something gets elevated permissions (rootkit etc...) then it can hose things so many ways.... we need to keep the rootkits from working first, then see if we can detect other things and halt them.

    another reason for usermode drivers: fewer places to get to elevated code privileges.
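As an added example (not code from the thread or from any of its posters), the following PowerShell shows both sides of the point figuerres and blowdart make: a named stream is a legitimate place for metadata, and because it is merely not listed alongside ordinary files, a defender can enumerate it. The function name and the sample file are constructed for this illustration; it assumes an NTFS volume and Windows PowerShell 3.0 or later.

```powershell
# Enumerate NTFS alternate data streams under a path, skipping the default ::$DATA stream.
# Well-known legitimate streams (e.g. Zone.Identifier, the browser "mark of the web") are
# common; an unexpected stream hanging off a system directory deserves a closer look.
function Get-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        [switch]$Recurse
    )
    # Include the root item itself: a stream can be attached to a directory as well as a file.
    $items = @(Get-Item -LiteralPath $Path -Force)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }
    foreach ($item in $items) {
        # -Stream * lists every named stream; ':$DATA' is the ordinary file content.
        Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [PSCustomObject]@{
                    Path        = $item.FullName
                    Stream      = $_.Stream
                    Length      = $_.Length
                    IsDirectory = $item.PSIsContainer
                }
            }
    }
}

# Legitimate use: keep metadata in a named stream instead of inside the file's own data.
# (constructed sample file and stream name)
$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $demo -Value 'ordinary file content'
Set-Content -LiteralPath $demo -Stream 'author' -Value 'constructed sample metadata'
Get-AlternateDataStream -Path $demo | Format-Table -AutoSize
Get-Content -LiteralPath $demo -Stream 'author'
Remove-Item -LiteralPath $demo

# Defender's sweep of the directory the thread mentions: streams on System32 itself
# and on the files directly inside it. Add -Recurse for a full (slower) walk.
Get-AlternateDataStream -Path "$env:WINDIR\System32" | Format-Table -AutoSize
```

The sweep only sees what the filesystem reports, so it complements rather than replaces the kernel-level integrity checks the later posts in this thread discuss.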

  • shreyasonline

    No matter what type of system you build, it can be abused. Nothing is perfect.

    Let's consider an example: a bench in a garden meant for relaxing. A malicious person can stand on the bench with muddy boots and make the bench dirty. Now, will you say why build a bench like this, which allows you to stand on it with your dirty boots?

    The feature which rootkits use is also used by your anti-virus software, your firewall, or a disk defragmenter tool (which can defrag files which are being read simultaneously by another program).

    Shreyas Zare

  • julianbenjamin

    The Macintosh file system has multiple data streams per file as well.  But so far, that hasn't gotten abused, as it's not a majority.  Windows machines are the majority.

    Like the others said, it's not a question of why build a system like this.  Everything has the potential of being abused.  Why build fast cars when people die everyday from accidents?

  • DoomBringer

    Hidden reg keys?  If it's in the registry, I can find it.

  • eddwo

    The "hidden" registry keys, processes and services are not using a feature of the OS to hide themselves, they are modifying the internals of the OS so that it lies to itself and to the user.

    No OS is designed to allow itself to be rootkitted, but once you allow 3rd party code to execute in kernel mode, all the security procedures built in become moot.

    An OS is just code sitting in memory, and when you execute some code with enough permissions, all memory locations become accessible. A malicious program can make the OS believe that the files it wants to hide simply don't exist.

    The only protection against something like this is a system like the NGSCB that allows the kernel to prove to itself that it hasn't been modified in any way from a known state at boot.
