Updated 02-23-2005 Security Risk: *****
Microsoft Warns of New Security Threat
System monitoring programs, called rootkits, may pose a
serious danger to your PC. Paul Roberts, IDG News Service/Pcworld.com Thursday,
February 17, 2005 Microsoft security researchers are warning about a new
generation of powerful system monitoring programs, or "rootkits," that are
almost impossible to detect using current security products and that could pose
a serious risk to corporations and individuals.
The researchers discussed the growing threat posed by kernel
root kits at a session at the RSA Security Conference in San Francisco this
week. The malicious snooping programs are becoming more common and could soon be
used to create a new generation of mass-distributed spyware and worms.
With names like "Hacker Defender," "FU," and "Vanquish," the
programs are the latest generation of remote system monitoring software that has
been around for years, according to Mike Danseglio and Kurt Dillard, both of
Microsoft's Security Solutions Group.
The programs are used by malicious hackers to control, attack,
or ferret information from systems on which the software has been installed and
are typically installed on a machine without the owner's knowledge, either by a
virus or following a successful hack of the computer's defenses, they say.
Running in the Background Once installed, many rootkits simply
run quietly in the background but can easily be spotted by looking for memory
processes that are running on the infected system, monitoring outbound
communications from the machine, or checking for newly installed programs.
However, kernel rootkits, which modify the kernel, or core
request processing, component of an operating system, are becoming more common.
Rootkit authors are also making huge strides in their ability to hide their
creations, says Danseglio.
In particular, some newer rootkits are able to intercept
queries or "system calls" that are passed to the kernel and filter out queries
generated by the rootkit software. The result is that typical signs that a
program is running, such as an executable file name, a named process that uses
some of the computer's memory, or configuration settings in the operating
system's registry, are invisible to administrators and to detection tools, says
Danseglio.
The increasingly sophisticated rootkits and the speed with
which techniques are migrating from rootkits to spyware and viruses may be the
result of influence from organized online criminal groups that value stealthy,
invasive software, says Dillard.
One rootkit, called Hacker Defender, which was released about
one year ago, even uses encryption to protect outbound communications and can
piggyback on commonly used ports such as TCP (Transmission Control Protocol)
port 135 to communicate with the outside world without interrupting other
applications that communicate on that port, he says.
Detection Options The kernel rootkits are invisible to many
detection tools, including antivirus, host, and network intrusion detection
sensors (IDS) and anti-spyware products, the researchers say.
In fact, some of the most powerful tools for detecting the
rootkits are designed by rootkit authors, not security companies, they say.
There are few strategies for detecting kernel rootkits from an
infected system, especially because each rootkit behaves differently and uses
different strategies to hide itself.
It is sometimes possible to spot kernel rootkits by examining
infected systems from another machine on a network, says Dillard. Another
strategy to spot kernel rootkits is to use Windows PE, a stripped-down version
of the Windows XP operating system that can be run from a CD-ROM, to boot a
computer, then comparing the profile of the clean operating system to the
infected system, according to Dillard and Danseglio.
Microsoft researchers have even developed a tool, named
"Strider Ghostbuster" that can detect rootkits by comparing clean and suspect
versions of Windows and looking for differences that may indicate a kernel
rootkit is running, according to a paper published by Microsoft Research.
Still, the only reliable way to remove kernel rootkits is to
completely erase an infected hard drive and reinstall the operating system from
scratch, Danseglio says.
Although rootkits are not unique to Windows, the popular
operating system is a rich target and makes it easy for malicious hackers to
disguise the presence of such programs, according to Jonathan Levin, of
Symantec's @stake division who attended the presentation at RSA.
The operating system's powerful APIs (application programming
interfaces) make it easy to mask behaviors on the system. The company's popular
Internet Explorer Web browser is also a frequent avenue for malicious hackers,
viruses, and worms that could drop a rootkit on a vulnerable Windows system,
Levin says.
Better tools could be built to detect the current crop of
kernel rootkits. However, rootkit authors are adept at spotting new detection
techniques and modifying their programs to slip around them, Danseglio says.
"These people are smart. They're very smart," he says.
FBI Issues Warning About Computer Virus 2/23/2005
WASHINGTON (AP) - The FBI warned Tuesday that a computer virus
is being spread through unsolicited e-mails that purport to come from the FBI.
The e-mails appear to come from an fbi.gov address. They tell
recipients that they have accessed illegal Web sites and that their Internet use
has been monitored by the FBI's "Internet Fraud Complaint Center," the FBI said.
The messages then direct recipients to open an attachment and
answer questions. The computer virus is in the attachment.
"Recipients of this or similar solicitations should know that
the FBI does not engage in the practice of sending unsolicited e-mails to the
public in this manner," the FBI said in a statement.
The bureau is investigating the phony e-mails.
The agency earlier this month shut down fbi.gov accounts, used
to communicate with the public, because of a security breach. A spokeswoman said
the two incidents appear to be unrelated
