Author Topic: New Windows Rootkit  (Read 6697 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
New Windows Rootkit
« on: July 13, 2006, 12:51:40 pm »
http://it.slashdot.org/article.pl?sid=06/07/13/1456217&from=rss

The cool part is that it uses NTFS' Alternate Data Streams.  ADS' are a poorly documented/mostly unknown feature of NTFS which lets you hide a file within another file such that it can't be spotted with most tools. 

Additionally, the rootkit blocks ADS-reading, making it impossible to even detect that the ADS stream exists. 

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: New Windows Rootkit
« Reply #1 on: July 13, 2006, 12:57:15 pm »
Lol that's genius.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: New Windows Rootkit
« Reply #2 on: July 13, 2006, 01:01:27 pm »
Hooray for M%body%#039;s poor documentation that allows a rootkit to succeed! :D

Didn't you show us how to use ADS at one point in time, iago?
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
    • View Profile
Re: New Windows Rootkit
« Reply #3 on: July 13, 2006, 01:26:14 pm »
So... if you don't use NTFS, are you safe?
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: New Windows Rootkit
« Reply #4 on: July 13, 2006, 01:29:12 pm »
So... if you don't use NTFS, are you safe?

That's actually what I wondered. I told my dad that, and he laughed at me.

I wonder why... FAT32 sucks and Windows refuses to format a partition as FAT32 if it's <32 GB in size (iirc that's the size, I know FAT16 was 2/4gb, so eh?) so eh? I doubt any WinXP users are using FAT32...
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
    • View Profile
Re: New Windows Rootkit
« Reply #5 on: July 13, 2006, 01:36:43 pm »
So... if you don't use NTFS, are you safe?

That's actually what I wondered. I told my dad that, and he laughed at me.

I wonder why... FAT32 sucks and Windows refuses to format a partition as FAT32 if it's <32 GB in size (iirc that's the size, I know FAT16 was 2/4gb, so eh?) so eh? I doubt any WinXP users are using FAT32...
:(! I do...
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: New Windows Rootkit
« Reply #6 on: July 13, 2006, 01:54:12 pm »
Hooray for M%body%#039;s poor documentation that allows a rootkit to succeed! :D

Didn't you show us how to use ADS at one point in time, iago?
Yeah, I was going to link to it but didn't feel like finding it. 

So... if you don't use NTFS, are you safe?
You're safe from that rootkit, yeah.

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: New Windows Rootkit
« Reply #7 on: July 13, 2006, 08:21:37 pm »
It's really a neat plan of attack, but it's still susceptible to the fact that you have to be a moron downloading shit and be a privileged user to do it:
Quote
Mailbot.AZ is usually installed to the system by a separate dropper component, detected as Trojan-Dropper.Win32.Small.ape. When the dropper is executed, it drops the rootkit driver to %TEMP%\pe386.sys and runs it. After installation, the dropper deletes itself from the system.

You need to be a privileged user to run drivers, yes?
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: New Windows Rootkit
« Reply #8 on: July 13, 2006, 08:22:41 pm »
Of course you have to be a privileged user.  Of course, on Windows almost everybody is. 

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: New Windows Rootkit
« Reply #9 on: July 13, 2006, 08:23:50 pm »
Ergot:
Quote
If the file system does not support Alternate Data Streams, the driver is installed to:

%SystemRoot%\System32\Drivers\pe386.sys
No, you're not safe without NTFS.


Also interesting:
Quote
Executes from dynamically allocated memory
so NX should prevent execution.
« Last Edit: July 13, 2006, 08:26:19 pm by MyndFyre[x86] »
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: New Windows Rootkit
« Reply #10 on: July 13, 2006, 09:03:35 pm »
Vista should stop this if you arn't priviledged then? If anything Microsoft just rehauls that section of NTFS, releases a patch, and boom. Rootkit gone.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: New Windows Rootkit
« Reply #11 on: July 13, 2006, 10:12:54 pm »
Also interesting:
Quote
Executes from dynamically allocated memory
so NX should prevent execution.

I've never actually seen NX used.  However, depending on how it's programmed, it might be able to mark the pages as executable before using them, which I think is possible if you are running code as administrator. 

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: New Windows Rootkit
« Reply #12 on: July 14, 2006, 12:45:39 am »
Hooray for M%body%#039;s poor documentation that allows a rootkit to succeed! :D

Didn't you show us how to use ADS at one point in time, iago?
Yeah, I was going to link to it but didn't feel like finding it. 

I've referenced it semi-frequently for testing purposes. I like it, it's a neat little trick, and I was sure this would happen eventually.

http://www.x86labs.org:81/forum/index.php/topic,22.0.html

BTW: in an effort to not bump that old topic, I'll say it here.

I've never tried deleting the original, but I would imagine it woulnd't work.

Wrong, not only does it still work after you've deleted the file and emptied the recycle bin, but the txt (example in that original post) size will not enlarge.
« Last Edit: July 14, 2006, 12:47:38 am by Quik »
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: New Windows Rootkit
« Reply #13 on: July 19, 2006, 11:24:57 am »
I currently use this trick to store cdkeys so nobody can see them.  :)
And like a fool I believed myself, and thought I was somebody else...

Offline AntiVirus

  • Legendary
  • x86
  • Hero Member
  • *****
  • Posts: 2521
  • Best
    • View Profile
Re: New Windows Rootkit
« Reply #14 on: July 20, 2006, 03:02:58 am »
Okay, I am a newb.. But how do you get these "hidden" files out of the hidden folder if you can't see them?

 ??? :-[
The once grove of splendor,
Aforetime crowned by lilac and lily,
Lay now forevermore slender;
And all winds that liven
Silhouette a lone existence;
A leafless oak grasping at eternity.


"They say that I must learn to kill before I can feel safe, but I rather kill myself then turn into their slave."
- The Rasmus

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: New Windows Rootkit
« Reply #15 on: July 20, 2006, 09:25:18 am »
Okay, I am a newb.. But how do you get these "hidden" files out of the hidden folder if you can't see them?

 ??? :-[
You access them differently, I think it's by putting a colon after the filename.  Something like "innocentfile.txt:virus.exe".  I explained it more in Hiding Files in NTFS, which happened to be the 22nd thread on the forum (and it's in the wrong category now! :-o!)

Offline AntiVirus

  • Legendary
  • x86
  • Hero Member
  • *****
  • Posts: 2521
  • Best
    • View Profile
Re: New Windows Rootkit
« Reply #16 on: July 20, 2006, 01:45:42 pm »
Mmk.. I'll look around and try it out a bit.  Thanks.
The once grove of splendor,
Aforetime crowned by lilac and lily,
Lay now forevermore slender;
And all winds that liven
Silhouette a lone existence;
A leafless oak grasping at eternity.


"They say that I must learn to kill before I can feel safe, but I rather kill myself then turn into their slave."
- The Rasmus

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: New Windows Rootkit
« Reply #17 on: July 27, 2006, 03:40:18 pm »
There IS documentation for NTFS ADS! lol. One freakin' page. Wow.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT.