New Windows Rootkit

[iago]

http://it.slashdot.org/article.pl?sid=06/07/13/1456217&from=rss

The cool part is that it uses NTFS' Alternate Data Streams.  ADS' are a poorly documented/mostly unknown feature of NTFS which lets you hide a file within another file such that it can't be spotted with most tools. 

Additionally, the rootkit blocks ADS-reading, making it impossible to even detect that the ADS stream exists. 

[Warrior]

Lol that's genius.

[Newby]

Hooray for M%body%#039;s poor documentation that allows a rootkit to succeed!

Didn't you show us how to use ADS at one point in time, iago?

[Ergot]

So... if you don't use NTFS, are you safe?

[Newby]

So... if you don't use NTFS, are you safe?

That's actually what I wondered. I told my dad that, and he laughed at me.

I wonder why... FAT32 sucks and Windows refuses to format a partition as FAT32 if it's <32 GB in size (iirc that's the size, I know FAT16 was 2/4gb, so eh?) so eh? I doubt any WinXP users are using FAT32...

[Ergot]

So... if you don't use NTFS, are you safe?

That's actually what I wondered. I told my dad that, and he laughed at me.

I wonder why... FAT32 sucks and Windows refuses to format a partition as FAT32 if it's <32 GB in size (iirc that's the size, I know FAT16 was 2/4gb, so eh?) so eh? I doubt any WinXP users are using FAT32...

! I do...

[iago]

Hooray for M%body%#039;s poor documentation that allows a rootkit to succeed!

Didn't you show us how to use ADS at one point in time, iago?

Yeah, I was going to link to it but didn't feel like finding it. 

So... if you don't use NTFS, are you safe?

You're safe from that rootkit, yeah.

[MyndFyre]

It's really a neat plan of attack, but it's still susceptible to the fact that you have to be a moron downloading shit and be a privileged user to do it:

Mailbot.AZ is usually installed to the system by a separate dropper component, detected as Trojan-Dropper.Win32.Small.ape. When the dropper is executed, it drops the rootkit driver to %TEMP%\pe386.sys and runs it. After installation, the dropper deletes itself from the system.

You need to be a privileged user to run drivers, yes?

[iago]

Of course you have to be a privileged user.  Of course, on Windows almost everybody is. 

[MyndFyre]

Ergot:

If the file system does not support Alternate Data Streams, the driver is installed to:

%SystemRoot%\System32\Drivers\pe386.sys

No, you're not safe without NTFS.


Also interesting:

Executes from dynamically allocated memory

so NX should prevent execution.

[Warrior]

Vista should stop this if you arn't priviledged then? If anything Microsoft just rehauls that section of NTFS, releases a patch, and boom. Rootkit gone.

[iago]

Also interesting:

Executes from dynamically allocated memory

so NX should prevent execution.

I've never actually seen NX used.  However, depending on how it's programmed, it might be able to mark the pages as executable before using them, which I think is possible if you are running code as administrator. 

[Quik]

Hooray for M%body%#039;s poor documentation that allows a rootkit to succeed!

Didn't you show us how to use ADS at one point in time, iago?

Yeah, I was going to link to it but didn't feel like finding it. 

I've referenced it semi-frequently for testing purposes. I like it, it's a neat little trick, and I was sure this would happen eventually.

http://www.x86labs.org:81/forum/index.php/topic,22.0.html

BTW: in an effort to not bump that old topic, I'll say it here.

I've never tried deleting the original, but I would imagine it woulnd't work.

Wrong, not only does it still work after you've deleted the file and emptied the recycle bin, but the txt (example in that original post) size will not enlarge.

[Blaze]

I currently use this trick to store cdkeys so nobody can see them. 

[AntiVirus]

Okay, I am a newb.. But how do you get these "hidden" files out of the hidden folder if you can't see them?

 

[iago]

Okay, I am a newb.. But how do you get these "hidden" files out of the hidden folder if you can't see them?

 

You access them differently, I think it's by putting a colon after the filename.  Something like "innocentfile.txt:virus.exe".  I explained it more in Hiding Files in NTFS, which happened to be the 22nd thread on the forum (and it's in the wrong category now! :-o!)

[AntiVirus]

Mmk.. I'll look around and try it out a bit.  Thanks.

[Newby]

There IS documentation for NTFS ADS! lol. One freakin' page. Wow.