RSA: Microsoft on 'rootkits': Be afraid, be very afraid

Patrick, not to deminish your alert to us but I think eventually all computers and software will implode into a black hole and we will revive a quaint old system of communicating by quill and paper delivered by horseback. IMHO I think it would be a great world again where we could all slow down and talk to folks but, of course, we would still drive our Prii. :roll:

 

Sorry, bacterium.

 

Nothing new about Rootkits, they have existed in one form or another for a *very* long time. With a RTOS, you're usually aware of what threads and processes are running so you can spot anything that doesn't belong.

However, folks now expect a pretty GUI and a brainless way of interfacing with their computer. Once you turn a gadget like a computer into an appliance, all bets are off.

For example with Windows XP Pro, click on Start, All Programs, Accessories, System Tools, and System Information. Expand Software Environment and click on Running Tasks.

With my machine, I see that 43 processes are running. I know what most of them are for, though several are a mystery as I cannot find them at MSDN.

The Rootkit can effectively hide any process you want to hide from the above procedure, and more cleaver Rootkit processes can even encrypt their processes.

You could very effectively hide a keystroke logger into this hidden Rootkit to gather credit card numbers or other personal information. So if folks wonder why I'm paranoid about Identity Theft, it's because I know just how easy it is to pull off.

 

Never mind Rootkit, Let's not forget if you have a High Speed Internet connection, you can use something like Etherpeek or Snort to snoop out all the users on your domain and/or subnet.

 

I make it a point to never use tools that probe outside my firewall. Any day now, RoadRunner will probably announce that as a reason to cancel service. Or worse, forget to announce but cancel anyway...

 

Tony, u might want to consider the 250,000 pieces of mail that the post office loses EVERY DAY. there is also mail theft which has gained huge popularity around here.

a few things that help... always drop mail directly into a secured mailbox. never send mail from your home.

obtw... that does seem like a lot of mail lost, but realize that it still amounts to better than a 99.9% delivery rate... not bad

 

:lol:

Geez I missed that the first time through.

You the man Tony!

 

Good point. Here in Canada, Shaw Cable does in fact state it is their policy to immediately suspend your cable internet service *if* they catch you running any snoopware.

That's a big *if*

An easy way around that is to use your favorite airsnort to find an unsecured WiFi and then use *that* connection to run snort or etherpeek. Another way around that is to make a point of *not* trying to resolve the DNS numbers you snort up.

 

Well, I tried the Revealer. It claimed there was a Data Mismatch with my American Power Conversion UPS monitor. Then the UPS gave a beep and powered down.

I think I'll wait for a better written Rootkit snooper.

 

well that leaves me out. i live in an older apartment complex and there is no way i'll run my computer without my UPS

 

David:

Tell me about it. I'm sure you're well aware of what happens when Windows XP has the power yanked. Takes awhile for the tools to clean up the resultant mess. I'm glad I didn't have anything important running when I did that little science experiment.

 

Just a quick note that the fine folks at sysinternals have released a free Windows rootkit scanning program:

Rootkit Revealer

It's a fairly ingenious scanner that combines a high-level scan (what windows "sees"), with a very low-level scan (that bypasses APIs that are hooked by rootkits), and shows any differences. It will display a few things that are hidden by default in windows to protect users and such, but it's pretty handy to check for other things that try and worm their way in.

A rather cunning program from some very smart programmers.

Dave

 

<div class='quotetop'>QUOTE(DaveG\";p=\"67203)</div>

Just too bad it didn't work when I tried it. See my post above. It thought my American Power Conversion UPS monitor was bad, then the UPS powered down, leaving a mess for me when I booted everything back up.

 

I only use APC Smart UPS XR's. One is for my security system at the condo and another is for the same duty at the hobby farm. I have a reconditioned Matrix at the hobby farm for my home theater. Lastly, another Smart UPS for the computer.

I'm running PowerChute Business Edition for Windows XP.

 

i cant really emphasize how important having a UPS is. power problems are the root of many many seemingly weird computer issues.

for nearly everyone, its one of the best investments one can make.