Attack of the "trojan/rootkit/virus"

| Because they call this "rootkit" both a "trojan" and a "virus". It just
| seemed to me that it can't very well be both.


OK :-)
 
That's fine for most purposes, but there comes a time when one needs to
know what exactly a malware program [is/does].

Most experts label non self-replicating malware programs as trojans and
self-replicating ones as viruses (or worms).

I am quite used to the "Virus found" alerts stating a trojan was found -
that's not what I'm finding here - I'm finding technical details
suggesting that this malware trojan is viral.

In the first case

1) it infects programs (code injection into processes named 'explorer')
2) it copies itself to an NTFS volume (as a file or as an ADS to a
directory)

As these functions seem disjoint (and non-recursive), I think it falls
short of being viral.

In the second case

"The rootkit was classified as Virus.Win32.Rustock.a, since Rustock is
in fact a fully functional file virus that operates in kernel mode."

I've even seen some write-ups that claim that it is "polymorphic"
because it is variously encrypted when it lands on new hardware. True in
the sense that it may be self-responsible for its many different forms,
but I'm more used to polymorphic being a label of spreading mode for
viruses and not for being variously encrypted using some hardware
constant as a decryption key.

As an aside not related to this malware, I'm also wondering about the
oxymoronic "user mode rootkit" - if it is a user mode entity, what does
"root" have to do with it?
 
I can accept it as being a rabbit jumping from service to service once
installed on the system.
 
FromTheRafters said:
As an aside not related to this malware, I'm also wondering about the
oxymoronic "user mode rootkit" - if it is a user mode entity, what does
"root" have to do with it?

I attended a conference a few months ago that had a talk about non
admin user virus issues. Even if not admin, the CEO of a company
still has access to critical data and info. If the CEO were to get a virus
or malware the results for that company or user could be devastating.

Simply removing admin privs from everyone is not necessarily the
end all answer. So when I hear about "user mode rootkit", it makes
me wonder if that would be similar.

--
 
From: "The Central Scrutinizer" <[email protected]>



| I attended a conference a few months ago that had a talk about non
| admin user virus issues. Even if not admin, the CEO of a company
| still has access to critical data and info. If the CEO were to get a virus
| or malware the results for that company or user could be devastating.

| Simply removing admin privs from everyone is not necessarily the
| end all answer. So when I hear about "user mode rootkit", it makes
| me wonder if that would be similar.

| --

You are correct that "Simply removing admin privs from everyone is not necessarily the end all
answer." when you take into consideration the exploitation/vulnerability vector in terms
of buffer overflow conditions and an elevation of privileges.

However, it does reduce the capacity to be infected to some degree.
 
The Central Scrutinizer said:
I attended a conference a few months ago that had a talk about non
admin user virus issues. Even if not admin, the CEO of a company
still has access to critical data and info. If the CEO were to get a
virus
or malware the results for that company or user could be devastating.

Running as a limited rights user only makes it more difficult for
malware to be sticky. Since the malware has the rights of the user,
there is still much that it *can* do.
Simply removing admin privs from everyone is not necessarily the
end all answer. So when I hear about "user mode rootkit", it makes
me wonder if that would be similar.

There are no "end all" answers, only measures that can be taken to
reduce impact.

The "root" in rootkit is the *nix term for the higher privilege account.
The "kit" refers to a set of modified programs (tools and utilities)
that a user with root privileges could use to replace the ones on the
target system (to hide nefarious activities from the victim). The
attacker needed to have root privileges in order to implement the kit.

Now, both "root" and "kit" no longer apply to what is actually happening
in a user mode rootkit scenario. Granted, it is the Windows equivalent
of a similar purpose, to hide certain information (about nefarious
activities) from the user.
 
From: "FromTheRafters" <[email protected]>


| Running as a limited rights user only makes it more difficult for
| malware to be sticky. Since the malware has the rights of the user,
| there is still much that it *can* do.

| There are no "end all" answers, only measures that can be taken to
| reduce impact.

| The "root" in rootkit is the *nix term for the higher privilege account.
| The "kit" refers to a set of modified programs (tools and utilities)
| that a user with root privileges could use to replace the ones on the
| target system (to hide nefarious activities from the victim). The
| attacker needed to have root privileges in order to implement the kit.

| Now, both "root" and "kit" no longer apply to what is actually happening
| in a user mode rootkit scenario. Granted, it is the Windows equivalent
| of a similar purpose, to hide certain information (about nefarious
| activities) from the user.


A little something by Marco Giuliani of Prevx on the most prevalent RootKit threat
http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
 
David H. Lipman said:
From: "FromTheRafters" <[email protected]>



| Running as a limited rights user only makes it more difficult for
| malware to be sticky. Since the malware has the rights of the user,
| there is still much that it *can* do.


| There are no "end all" answers, only measures that can be taken to
| reduce impact.

| The "root" in rootkit is the *nix term for the higher privilege account.
| The "kit" refers to a set of modified programs (tools and utilities)
| that a user with root privileges could use to replace the ones on the
| target system (to hide nefarious activities from the victim). The
| attacker needed to have root privileges in order to implement the kit.

| Now, both "root" and "kit" no longer apply to what is actually happening
| in a user mode rootkit scenario. Granted, it is the Windows equivalent
| of a similar purpose, to hide certain information (about nefarious
| activities) from the user.


A little something by Marco Giuliani of Prevx on the most prevalent
RootKit threat
http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html

Thanks David.

That's one stealthy sucker.

...let's just hope that no wormable exploit comes along that gets admin
rights.
 