[News] Super-Trojan Rootkit attacks BIOS/CMOS/NVRAM





baba_yu
2005-02-21, 11:36 PM
Microsoft says rootkit software poses a serious security threat to users


[eNews] Security researchers at Microsoft have warned that a new generation of powerful system-monitoring software known as "rootkits" is almost impossible to detect with current security products and poses a serious security risk to businesses and individuals.


  At a session during the RSA Security Conference, the researchers discussed the growing threat posed by kernel-level tools. This kind of malicious monitoring software has become increasingly common and may soon be used to build spyware and worms capable of spreading on a large scale.


  According to Mike and Dillard of Microsoft's security solutions group, programs named "Hacker Defender", "FU" and "Vanquish" are the latest remote system-monitoring software, and such tools have existed for several years. Hackers use them to control and attack systems or to steal data from them, and they are usually installed without the user's knowledge.


  Once installed, many rootkits simply run "quietly" in the background, and they can easily be found by inspecting the processes in memory on the infected system. However, kernel-level rootkits that modify the kernel are becoming more common. Mike said that the ability of rootkit authors to make their software invisible has also advanced rapidly. In particular, some new rootkits can intercept the system calls passed to the kernel and filter out any query for items generated by the rootkit, so that the typical signs of running software, such as executable file names, processes occupying memory and registry changes, cannot be seen by system administrators or scanning tools.


  Both the increasing sophistication of rootkit software and techniques and the speed at which rootkits are being turned into spyware may be linked to organized crime. Dillard said that one rootkit called "Hacker Defender", released a year ago, can even encrypt its communication with the outside world and talk to the outside over TCP port 135 without interfering with other applications that use the same port.


  The researchers said that kernel-level rootkits are invisible to many security products, including antivirus, network intrusion detection sensors and anti-spyware products. They said that some of the most powerful rootkit detection tools have been written by rootkit authors rather than by security vendors. There are few ways to find a rootkit on an infected system, especially since every rootkit behaves differently and the stealth methods vary widely.


  Dillard said that a rootkit can sometimes be found by comparing the infected system with another system on the network. Another way to find a kernel-level rootkit is to boot the computer from a Windows PE CD, a stripped-down version of Windows XP. According to a paper published by Microsoft Research, Microsoft has been developing a tool called "Strider Ghostbuster" that detects whether a rootkit is running by comparing an infected Windows PC with a clean one. Mike said the most reliable way to remove a kernel-level rootkit is to format the hard disk and reinstall the operating system.


  According to Jonathan of Symantec's @stake division, although rootkits are not unique to Windows, the popularity of Windows has made it the target of rootkit authors. The powerful Windows API makes it very easy to hide system activity. In addition, Microsoft's bug-ridden IE may also become the channel through which rootkits get onto Windows.


  Mike said that better scanning tools can find the existing kernel-level rootkits, but rootkit authors are quickly adapting to new detection techniques and modifying their software to evade detection. "These people are very smart," he said.
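The two detection approaches the article mentions (comparing the infected machine against another view of the same objects, and the Strider Ghostbuster cross-view idea) reduce to the same algorithm: enumerate files, processes and registry keys once through the APIs a rootkit can filter, once from a vantage point it cannot filter, and report what only the trusted view shows. The following is an added example of that cross-view diff; it is not code from the article, from Microsoft Research or from any of the tools named above. The scan data is constructed, the trusted process listing is assumed to come from a raw walk of kernel structures on the same running machine (an offline Windows PE boot would have no process view at all), and the object and process names are assumptions.

```python
"""Cross-view diff: report objects that a trusted enumeration sees but the
inside-the-box APIs do not ("hidden"), plus the reverse ("ghosts").

Added example; not code from the article or from Strider Ghostbuster.
All listings are constructed sample data; names are assumptions.
"""
import ntpath

KINDS = ("file", "process", "registry")


def normalize(kind, item):
    """Windows paths and registry keys compare case-insensitively and may
    be listed with either slash; process entries are (pid, image name)."""
    if kind == "process":
        pid, image = item
        return (pid, image.lower())
    # ntpath.normcase works on any platform: it folds '/' to '\\' and lowercases
    return ntpath.normcase(item).rstrip("\\")


def cross_view_diff(inside, trusted, allow_transient=frozenset()):
    """inside / trusted: dict kind -> set of items from the two vantage points.

    Returns (hidden, ghosts), each a dict kind -> sorted list of the original
    items. A process that starts or exits between the two enumerations is
    noise, not a rootkit (the scanner's own process is the classic case), so
    the caller may pass image names to ignore in the process comparison.
    """
    allow = {name.lower() for name in allow_transient}
    hidden, ghosts = {}, {}
    for kind in KINDS:
        a = {normalize(kind, x): x for x in inside.get(kind, ())}
        b = {normalize(kind, x): x for x in trusted.get(kind, ())}
        only_trusted = {k for k in b if k not in a}
        only_inside = {k for k in a if k not in b}
        if kind == "process":
            only_trusted = {k for k in only_trusted if k[1] not in allow}
            only_inside = {k for k in only_inside if k[1] not in allow}
        hidden[kind] = sorted(b[k] for k in only_trusted)
        ghosts[kind] = sorted(a[k] for k in only_inside)
    return hidden, ghosts


# Constructed sample scans. INSIDE is what Task Manager / FindFirstFile /
# RegEnumKey style APIs report on the suspect machine; TRUSTED is the same
# machine seen from a vantage point the hooks cannot filter.
INSIDE = {
    "file": {r"C:\Windows\System32\ntoskrnl.exe",
             r"C:\Windows\System32\drivers\tcpip.sys"},
    "process": {(4, "System"), (612, "winlogon.exe"), (1440, "scanner.exe")},
    "registry": {r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"},
}
TRUSTED = {
    "file": {r"c:\windows\system32\ntoskrnl.exe",
             r"C:/Windows/System32/drivers/tcpip.sys",
             r"C:\Windows\System32\drivers\hidden_driver.sys"},   # assumed name
    "process": {(4, "System"), (612, "winlogon.exe"),
                (2004, "hidden_svc.exe"),                           # assumed name
                (2300, "cmd.exe")},                                  # started after INSIDE scan
    "registry": {r"hklm\system\currentcontrolset\services\tcpip",
                 r"HKLM\SYSTEM\CurrentControlSet\Services\hidden_svc"},
}


def report(hidden, ghosts):
    """Flatten the diff into one finding per line for a human to read."""
    lines = []
    for kind in KINDS:
        lines += [f"HIDDEN {kind}: {item}" for item in hidden[kind]]
        lines += [f"GHOST  {kind}: {item}" for item in ghosts[kind]]
    return lines


if __name__ == "__main__":
    h, g = cross_view_diff(INSIDE, TRUSTED, allow_transient={"scanner.exe", "cmd.exe"})
    print("\n".join(report(h, g)) or "no discrepancies")
```

Each discrepancy still has to be triaged by hand: a file that only the offline view lists may simply have been created after the live scan, so take the two enumerations as close together in time as possible and treat the output as leads, not verdicts. The same comparison against a second, known-clean machine on the network only works for objects that should be identical on both (system binaries, service keys), which is why the per-machine inside/outside pairing is the more useful form.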


Super-Trojan Rootkit

In recent years there have been some problems with viruses writing data to the BIOS/CMOS/NVRAM.
One of them was:
http://www.symantec.com/avcenter/venc/data/cih.html

But that was destroying data there, not placing a trojan/rootkit or other program there.

Another thing is that in newer CMOS/BIOS/NVRAM it is possible to 'swap'
drives in there.
If you have (just an example) an ASUS P4P800 motherboard and 2 IDE disks, let's say one of 80GB and one of 120GB, you can choose which one is to be your first 'physical' disk.
And you can (ALSO) choose which of your disks will be the boot disk at the next startup.
It is nothing new; back in the old days we already wrote assembler programs with 'debug' to change your CMOS/BIOS/NVRAM settings.
I assume this is still possible, but again it is about changing data in there,
not storing a program there.

On SUN Microsystems (Solaris/Unix) hardware I still (often) write programs that change (and store) DATA in NVRAM.

Confused? I hope you're not ...



Devinco: Hi tuatara,
What if you use something like Partition Magic 8 to delete the partitions?


Sometimes, YES, this can solve the problem, but if the table is really corrupted,
then PM8 doesn't know what kind of partition it is. It knows that it is not FAT, FAT32, FAT64, NTFS, JFS, VFS, EXT FS, EXT2 FS, EXT3 FS, and if it is BeOS, MAC-OS, QNX, Reiser etc. etc.
it cannot.



Quote:
I think if you look back on my old postings you will see me almost always mentioning for you to reflash your BIOS, FDISK, then reformat.
Some people can't just wipe their hard drives because of critical info, but they can still reflash their BIOS.


Of course... but for a novice this can be dangerous; if the 'reflash' is stopped
halfway it can be the end of a motherboard's life.


Quote:
I have seen a few hard drives that would not work unless they were low-level formatted first, then formatted normally.


That is true; if the partition table is corrupted this can solve the problem,
but with a low-level format there is another problem, and that is that a low-level format has to be done with a tool that belongs to the disk
(BRAND and disk model must be correct).

If you are performing a low-level format with the wrong tool,
e.g. the tool from old BIOSes/NVRAMs or freeware tools, this can mean
that your hard disk will be broken after this.
(In the worst case ...)

If you know what you are doing this isn't a problem;
we even open broken disks here in our lab ...
That is also something I would NOT recommend for a novice
unless you want to throw it in the bin anyway.

Are you saying that using a hard drive and partition eraser utility like Killdisk can (in the worst case) break my HD?


No, because I have never seen that product, so I don't know ...
What I was referring to is that if you have a low-level format program for
the wrong disk it can (worst case) break your disk.

This is why:
In the early days, your computer 'knew' how many heads, cylinders, tracks, sectors etc. your hard disk had.
Because otherwise it couldn't find its data.

In those days, a system admin could write data on the platter and at the location he
would like to use.
B.t.w. # platters = (# heads / 2).
This (writing to a precise location on the disk) was done for performance reasons.

But later on, the growing disk sizes became a problem
for lots of BIOS/CMOS/NVRAMs (on the mainboards).
They did not support those.
There was a maximum number of cylinders of 520, for example.

So disk makers started making disks which 'fooled' the NVRAM/CMOS/BIOS and OS.
The disk informed the OS etc. that it had more heads than it really had.
Well-known example, on a disk label was written:
"520 Cylinders 64 Heads 63 Sectors", but it really (physically) had 16 heads! and many more cylinders than were supported.
This way you could have a disk with more MBs in your system.

The only problem was/is that the disk ITSELF must translate this.
Under the hood it works with a different number of heads etc. than your PC thinks.

So the physical number of heads and the organization of sectors on the medium are not of concern to the high level of the operating system. The OS doesn't have to know.

Now if you low-level format a disk, it wants to physically write to your disk,
just as the sysadmin did. To make this possible the disk maker has to create a program that works around this translation; if not, the heads can be moved to a position that in some cases (I have seen this lots of times with older disks)
physically crashed the disk.

I suspect that most modern disks don't physically crash anymore,
but it still is not a good idea to low-level format a Seagate disk with
a low-level format tool from Fujitsu or so.

BTW a normal format (and partition removal) on most OSes, WIN95/98/ME (rm -fr /, filesystem removal etc.), doesn't remove any USER data (it is just like removing the index of a book).
If you look directly at the data it is still there.
(For the insiders: yes ... there are still people that don't know this.)
Even if you write a 1 on each bit, and a zero after that, most data
can still be restored in a lab.

said the oldtimer ....
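The geometry argument in the post above (a label that says 520 cylinders, 64 heads, 63 sectors for a drive that physically has 16 heads) can be worked through in code. The following is an added example to illustrate that post; it is not code from the post or from any drive vendor. The physical head and sector counts, and the simple linear mapping between the label geometry and the physical one, are assumptions for illustration: a real drive's firmware also remaps zones, spare sectors and defects in ways it does not publish, which is exactly why only the manufacturer's own tool can address the platters safely.

```python
"""CHS translation: what the host is told versus what the drive has.

Added example for the post above, not the poster's or any vendor's code.
The physical geometry (16 heads, 63 sectors) and the linear LBA mapping are
assumptions; real firmware translation is not published.
"""
from dataclasses import dataclass

SECTOR_BYTES = 512


@dataclass(frozen=True)
class Geometry:
    cylinders: int
    heads: int
    sectors: int  # sectors per track, numbered from 1 (0 is reserved)

    @property
    def total_sectors(self):
        return self.cylinders * self.heads * self.sectors

    def capacity_mib(self):
        return self.total_sectors * SECTOR_BYTES / 2 ** 20

    def contains(self, c, h, s):
        return 0 <= c < self.cylinders and 0 <= h < self.heads and 1 <= s <= self.sectors

    def to_lba(self, c, h, s):
        """Classic CHS -> LBA. Raising here is the same failure a tool that
        uses the wrong geometry runs into: an address the drive cannot reach."""
        if not self.contains(c, h, s):
            raise ValueError(f"CHS ({c},{h},{s}) lies outside {self}")
        return (c * self.heads + h) * self.sectors + (s - 1)

    def from_lba(self, lba):
        if not 0 <= lba < self.total_sectors:
            raise ValueError(f"LBA {lba} lies outside {self}")
        c, rem = divmod(lba, self.heads * self.sectors)
        h, s = divmod(rem, self.sectors)
        return (c, h, s + 1)


def physical_geometry(label, physical_heads, physical_sectors):
    """The drive must present the same capacity it advertises, so with fewer
    real heads it needs correspondingly more real cylinders."""
    per_cylinder = physical_heads * physical_sectors
    cyl, rem = divmod(label.total_sectors, per_cylinder)
    return Geometry(cyl + (1 if rem else 0), physical_heads, physical_sectors)


def translate(label, physical, c, h, s):
    """What the drive firmware does with a CHS request from the host: treat it
    as a position in the advertised geometry, then lay it out on the real
    platters. (Assumed linear mapping; real firmware also remaps defects.)"""
    return physical.from_lba(label.to_lba(c, h, s))


def naive_seek(physical, c, h, s):
    """What a low-level tool that bypasses translation would try: drive the
    actuator to the host's cylinder/head numbers directly. For head numbers
    the drive does not have this raises instead of moving the heads."""
    return physical.to_lba(c, h, s)


# The label geometry quoted in the post and the assumed physical geometry.
LABEL = Geometry(cylinders=520, heads=64, sectors=63)
PHYSICAL = physical_geometry(LABEL, physical_heads=16, physical_sectors=63)

if __name__ == "__main__":
    print(f"label {LABEL}: {LABEL.capacity_mib():.2f} MiB")
    print(f"physical {PHYSICAL}: {PHYSICAL.capacity_mib():.2f} MiB")
    for chs in [(0, 0, 1), (1, 0, 1), (519, 63, 63)]:
        print(f"host CHS {chs} -> platter CHS {translate(LABEL, PHYSICAL, *chs)}")
    chs = (519, 63, 63)
    print(f"naive seek to {chs} on the real drive:",
          "ok" if PHYSICAL.contains(*chs) else "head 63 does not exist")
```

The last line is the whole point of the post: a host address such as cylinder 519, head 63 is perfectly valid in the advertised geometry and maps to a real place on the platters (cylinder 2079, head 15) once the firmware translates it, but a tool that tries to position heads by those numbers directly is asking for a head the drive does not have, and a tool built for a different model will translate to the wrong place even when the numbers are in range.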