World's most advanced rootkit penetrates 64-bit Windows

A notorious rootkit that for years has ravaged 32-bit versions of Windows has begun claiming 64-bit versions of the Microsoft operating system as well. The ability of TDL, aka Alureon, to infect 64-bit versions of Windows 7 is something of a coup for its creators, because Microsoft endowed the OS with enhanced security …

COMMENTS

This topic is closed for new posts.
  1. JaitcH
    Pint

    The reason we give MS a break is because ...

    they don't pretend to be a fault-free culture unlike a certain California guy we know who is residing, virtually, in his cloud cuckoo land in North Carolina.

    Next play is Microsoft's.

    The US should locate these guys and give them senior positions in their cyber offensive group.

    1. ThomH

      You fell for semantics

      All Jobs has ever said is that Macs don't have any viruses since OS X. And he hasn't said that in a while. It's the people with vested interests who have extrapolated this to argue that the OS has no security holes.

      Apple last released a security update on the 12th, admitting to the need for 100+ security patches. That was the seventh security update this year.

      Generally the argument tends to be one side claiming the OS is uncrackable, the other arguing that it's just that nobody can be bothered cracking it. The reality is probably in between. See the fantastic run of 64-bit Windows for evidence that mere market share does not determine the number of successful attacks; see the existence of a few bits of known Mac malware, all of them based on social engineering, for evidence that the OS at least isn't a Windows 95 knockover.

    2. Anonymous Coward
      Linux

      The reason we give MS a break ?

      > The reason we give MS a break is because ... they don't pretend to by a fault free culture

      Wha' ???????????????????????????????

      1. Anonymous Coward
        FAIL

        21st century vocabulary

        "Wha' ???????????????????????????????"

        Care to elaborate, kid?

        1. Anonymous Coward
          Headmaster

          Surprised

          AC may indeed care to elaborate, but in the meantime I would second his surprise at the stated reason for giving Microsoft a break.

          Just admitting to one's mistakes, on its own, is worthless. MS products are good, as is their support; that's why they got where they are and why so few have chosen the alternatives*.

          *(I have no worthwhile ideas as to who is the closest to perfection).

  2. jake Silver badge

    An MBR virus? You have got to be kidding me ...

    ... the late '70s called, they want their malware back.

    On the other hand, it's quite telling that MS code is still vulnerable to such ...

    1. Tzael

      Re: An MBR virus?

      Yeah I was smiling when I read the article, thinking back to my misspent youth of capturing, walling and analysing various viruses. Back then it was the norm to infect master boot records for floppies, and later the same methods were applied to hard drives.

      At least the MBR is a fairly painless thing to disinfect in most cases. There may be a few problems for people with multiple operating systems installed, but if someone's technically minded enough to be able to manage the installation of multiple operating systems then they're going to be competent enough to resolve an infected MBR :)

      1. Michael 77
        Paris Hilton

        @ Tzael

        "... if someone's technically minded enough to be able to manage the installation of multiple operating systems then they're going to be competent enough to resolve an infected MBR :) ..."

        Oh yes, especially while a root-kit is active.

        Sure.

        1. George Marian
          Go

          Sure...

          Just pop in an appropriate bootable CD and issue the necessary commands.

  3. J. Cook Silver badge
    Coat

    Heh. The wheel of Reincarnation keeps turning.

    Sure it's an exceptionally sophisticated rootkit, but using the MBR? That's old skool, and there's no skool like the old skool. :D

    Mine's the one that has "Damn you kids, get off my lawn" embroidered on the back.

  4. This post has been deleted by its author

    1. Eddie Johnson
      Badgers

      ROM Boot could work...

      ROM Boot could work... if the software development model wasn't based on going to market with alpha code, then releasing a never-ending series of patches to almost get it up to release level just in time for it to be end-of-lifed in favour of the shiny new alpha release.

      In some ways I think the internet has destroyed software quality because it made it too easy for developers to release known buggy or nonfunctional code. How many times have you purchased software, delivered on a CD, and had it fail to install, only to be directed to download something different? One of QuickBooks' recent releases was like this - they were shipping CDs that didn't work, then forcing people to make 600M downloads.

  5. Anonymous Coward
    Grenade

    No surprise

    Driver signing was just a scheme to coerce hardware manufacturers to pay micro$oft money. Anybody who thought it was actually a useful security measure is hopelessly naive.

  6. TeeCee Gold badge
    Alert

    The important (and missing) bit.

    How the hell does it write to the MBR and does it throw a "Do you want to allow this?" UAC message when this happens? If not, there's your security hole right there. If it does, then we're back to getting the user to say yes to the "please pwn my box" message and no OS is proof against that.

    Of course it can bypass driver signing if it has access in the boot process. Rooting the bootloader so you can change the OS boot parameters will give you the keys to the kingdom on just about any OS. That's not a vuln, but how it got that access in the first place might be.

    Incidentally, what happens if your machine was built by someone with more than two brain cells and has its BIOS MBR write protection on in normal operation...?

    1. Ian Yates

      BIOS MBR write-protection

      I haven't used this in years.

      I enabled it on an XP machine that had been running fine for months, and it destroyed the MBR on boot.

      Recovered the data and did a fresh install, but the MBR protection destroyed it a second time.

      Living by the "fool me once" code, I've never bothered again; maybe I should. I assume either XP didn't like it or my BIOS had a fault.

      Perhaps I'll ghost my boot drive and give it a shot... I'd say "it can't hurt", but see above.

    2. Anonymous Coward
      FAIL

      MBR Virus protection...

      An excellent way to trash your hard disk from Win95 onwards. I really have no idea why this option has persisted. The MBR is accessed and altered by the OS from time to time, by updates and other things. For instance, installing the MS Recovery Console will mess with it. Something oft done to recover dead systems. Disabling MBR access then toasts the machine in a spectacular manner and requires another 10 minutes screwing with the install CD (which most people don't have).

  7. Paul Crawford Silver badge
    Unhappy

    Whatever happened to MBR write protection?

    Once upon a time, boys and girls, virus writers used to use the Master Boot Record as a common way of infecting systems. In my day, often as a bootable floppy that might be accidentally left in the A: drive. What you run at start-up can trounce almost any protection the OS has (as demonstrated here).

    So the motherboards started to have MBR write-protection that you needed to disable if you are updating the OS or partition tables, and that made it a whole lot harder to do.

    Then it vanished. Why?

    This rootkit is an example of just how hard, if not impossible, it is to have a useful general-purpose computer that can't be hacked by a malicious boot loader. MS' Windows 7 may be the choice target today, but the underlying techniques apply to all OS, even my beloved penguin.

    I really wish there was a physical switch to enable/disable such access, then only when it *really* needed to be modified would your 1st stage boot loader be so vulnerable.

    1. max allan

      Mainly because it was useless...

      I had MBR protection turned on and did several tests changing the MBR, none of them were blocked.

      I think BIOS writers realised it was useless and dropped it.

  8. BristolBachelor Gold badge
    WTF?

    LoadIntegrityCheckPolicy

    So MS added protection to 64 bit and then gave it a registry key called 'LoadIntegrityCheckPolicy' that roughly translates as 'IWantMyWindowsInsecureRapeAndPillageMe' and that malware can set to enable loading other malware?

    1. Peter Kay

      It's a boot time only parameter

      All drivers have to be signed on 64 bit Windows, but if you're doing driver development it's possible to press F8 on each boot and disable the signing requirement. There are options like DSEO to sign individual drivers and remove this restriction.

      Until a rootkit can compromise a system with UAC set to its highest level (password on any admin level change) and without the user clicking on something to allow admin privilege, frankly I'm not impressed.

      If they've got user level code to hack the MBR, then it's still not hacking the OS, but questions need to be asked about why that's possible.

      1. CD001

        which

        ----

        Until a rootkit can compromise a system with UAC set to its highest level (password on any admin level change) and without the user clicking on something to allow admin privilege...

        ----

        Which this one can't :)

  9. Anonymous Coward
    Anonymous Coward

    Linux waffle yawn dribble...

    go to

    www.google.com

    click in search box.

    Type Linux Rootkit

    Hit return or click on the search button.

    1. The BigYin

      Umm...

      ...no one mentioned Linux.

      If one knows the root password (or equivalent) in *any* OS and one says "Yeah, sure, do what you want to my system Mr. Malware" then that OS install is pretty much pwned.

      Having signed/trusted repositories lessens the risk but does not remove it completely; people can add new repos, and repos themselves can accidentally host nasties (either through naïvety or actions of a malicious party).

      What people need to do, is get out of the habit of downloading "SuperFunHappyTimes" from website X and installing it without thinking first. People also need to be suspicious of installs that ask for elevated privileges, this should not be required for end-user software (and if it is required, then there is something wrong with the OS design).

      And now, just to keep you happy: "This would never happen on Linux as Linux is much better, users more tech savvy and less likely to install random crap from dodgy websites."

      1. Ian Yates

        UAC

        "elevated privileges, this should not be required for end-user software (and if it is required, then there is something wrong with the OS design)"

        Completely agree.

        I think Win7 has a pretty decent balance in this respect - I haven't found many apps that require elevation when they shouldn't. Mass Effect was the last oddity, that springs to mind.

        However, I was playing with some USB debuggers the other day, so I had UAC messages every few minutes for install/start/debug/etc., and ended up clicking the accept button without even - this made me pause because I suddenly realised that I had no idea if I'd accepted it for the app I was even using...

        I think the UAC screen needs two changes:

        1) Drop the stupid fade effect on the rest of the desktop. It adds an annoying black-screen pause while I wait for my (high-spec) PC to display it. Or is this on purpose? Just seems pointless and annoying to me.

        2) In contrast to point 1, either have a two-step process (an "I accept" checkbox to enable the "OK" button), or a couple of seconds countdown on the button (a la Firefox's addon confirmation).

        The difference is that I can be reading the info on the app requesting elevated privileges while I wait.

        /rant

        1. CD001

          This is a title, this is only a title...

          ----

          elevated privileges, this should not be required for end-user software (and if it is required, then there is something wrong with the OS design)

          ----

          Sort of ... it's only legacy apps/games that I've found that require elevated privileges to run on Windows 7. This was a flaw with every previous version of Windows and it's only because Win7 is supporting them that it's continued into 7 - so it's not entirely the fault of the current OS more that it's supporting apps that used this flaw in previous incarnations of Windows. Still, I always get the UAC prompt when it happens.

          ----

          1) Drop the stupid fade effect on the rest of the desktop. It adds an annoying black-screen pause while I wait for my (high-spec) PC to display it. Or is this on purpose? Just seems pointless and annoying to me.

          ----

          You know you can turn it off yourself right?

          1. corrodedmonkee

            that's...

            The first thing I do when I reinstall Windows. I realised I don't mind UAC. I just hate the fade in effect.

          2. Ian Yates
            Thumb Up

            I didn't know

            but I do now. Cheers, all!

            Peter Kay raises an interesting point, though.

            I'll see if the benefits outweigh the risks.

        2. Fuzzysteve

          use local policies

          You can disable the fade effect if you want. It's known as the secure desktop (as it takes control, rather than just popping a box).

          Just fire up mmc, load the group policy object editor snap in, and go to computer configuration->windows settings->security settings->local policies->security options.

          The policy is User account control : switch to secure desktop[...]

          Course, there's probably a security implication.

          1. Peter Kay

            Insecure desktops can have keystrokes intercepted, etc

            The problem with the historical design of Windows is that it's difficult to fully isolate one application from another, in terms of window message, keystroke and mouse interception. Secure desktop manages this.

            http://blogs.msdn.com/b/uac/archive/2006/05/03/589561.aspx

          2. Anonymous Coward
            Gates Halo

            Or you could....

            go to User Accounts under Control Panel and adjust the slider in the UAC section to not show fade......

        3. Goat Jam
          FAIL

          3rd option

          "either have a two-step process (an "I accept" checkbox to enable the "OK" button), or a couple of seconds countdown on the button (a la Firefox's addon confirmation)."

          do what *nix does and make the user move their hand away from the mouse and enter a password for a privileged user in order to proceed.

          Hopefully the fact that the normal clicking frenzy that overcomes Joe Public whenever UAC pops up is interrupted for a moment will provide enough time for the brain to engage and more rational behaviour will ensue.

          Fail is for Microsoft for simply training their idiot users to just keep clicking the annoying boxes until they stop.

          1. CD001

            You can...

            ----

            do what *nix does and make the user move their hand away from the mouse and enter a password for a privileged user in order to proceed.

            ----

            You can do that as well - set up an admin account with a password but don't use it. Log in on a limited privileges account and whenever UAC requires admin rights you need to enter the admin password... much like *nix.

            The only real problem is, again, legacy apps that'll make you enter the admin password every time you boot them up (it's not much of a faff if you're only having to enter the password when there's a software install/upgrade).

            You only get the UAC prompt with an "OK" click-box if you're already logged in as an admin; it's a bit like running as a pseudo-admin really since you'll still need to grant access to programs via the UAC prompt on a per-instance basis.

            Unlike previous incarnations of Windows - it seems that with Win7 (much like *nix and OSX) the user really is the weakest link - and boy are there some weak links using Windows ;)

          2. Anonymous Coward
            Anonymous Coward

            @Goat Jam

            You can get UAC to ask for a password, I used to have it setup for this, but as I pay attention to my UAC box I thought it was a bit overkill.

            It's not setup by default, though.

  10. Dave Cradle

    Heh.

    So if your machine is already compromised to the point they can change the MBR (which any half decent AV should spot and prevent) then they can run this admittedly very clever bit of code on your machine.

    Pisser if you're infected, but easy to prevent.

  11. Anomalous Cowherd Silver badge

    What the?

    How the fuck can unprivileged code still write to the MBR? In 2010?

    Given this was the attack vector of choice back in the mid-80s, surely it would have occurred to someone to close this by now.

    1. Aaron 10
      Headmaster

      History...

      "Those who don't know history are bound to repeat it..."

      I'll stick with my EFI-BIOS system, thank you.

  12. Paul_Murphy
    Linux

    Yes they are clever bunnies.

    However I would like a clue as to how to detect this, so I can go ahead and install a linux distro instead.

    ttfn

    1. CD001

      Read

      Read the article from Prevx perhaps?

      Since this rootkit won't work unless you give it privileges to start with it can still be stopped by properly using UAC - not really any different to *nix - just that you don't get (m)any "if you would like to pwn your system please su this virus" type things on *nix ... and, generally speaking, *nix users aren't clueless enough to su something unwittingly.

  13. EXAFLOPS'R'US
    Alert

    Back to the 90s

    I remember back when boot-sector viruses were the norm. Over the last 2 decades, this changed to infected EXEs, then email worms, then drive-by malware and then hidden services and rootkits. Over that time traditional antivirus vendors seem to have forgotten about boot sectors and MBRs and focused purely on file-level detection. Whoops. Round we go again. Considering how easy it is to compare the boot region with a known good example, or indeed a previous backup of the current boot region, it's damn negligent for the current generation of antivirus applications not to check for this!

    I've personally had to clean TDL4 from a few clients' machines in the last few weeks - I have to say it's extremely impressive in its sophistication. Additionally, most of the TDL4 specific removal tools and my favourite ComboFix, which 'clean' the MBR, only replace the first chunk of the MBR and not the whole code, causing Vista, in particular, to go into a 0x0000008E endless loop on boot up. The fix for this seems to be to use 'Testdisk' to write a new MBR, which kills the boot process completely, then using the Vista CD, repair startup option to create a fresh boot-region.
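The boot-region comparison described in the post above, as an added example that is not from the thread or from any of the tools it names: it parses a 512-byte MBR, hashes the bootstrap code separately from the disk signature and partition table, and reports which region differs from a stored baseline, so a legitimate partition change is not confused with a rewritten boot loader. The sample MBR bytes are constructed for the demonstration; on a real machine the 512 bytes would be read (read-only) from the raw disk device while booted from rescue media, and the baseline taken when the machine was known to be clean.

```python
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOTCODE_LEN = 440       # bootstrap code area, before the disk signature
DISK_SIG_OFF = 440       # 4-byte disk signature followed by 2 bytes of padding
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA marks a valid MBR


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries; empty (type 0) entries are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3 bytes CHS start, type, 3 bytes CHS end, LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def fingerprint(mbr: bytes) -> dict:
    """Hash each region separately so the report can say *what* changed."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    return {
        "bootcode": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "disk_sig": mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": hashlib.sha256(mbr[PART_TABLE_OFF:BOOT_SIG_OFF]).hexdigest(),
        "boot_sig_ok": mbr[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def audit_mbr(current: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a stored baseline; empty list means no change."""
    now = fingerprint(current)
    findings = []
    if not now["boot_sig_ok"]:
        findings.append("boot signature 0x55AA missing: MBR clobbered or not bootable")
    if now["bootcode"] != baseline["bootcode"]:
        findings.append("bootstrap code changed: possible bootkit (or a boot-loader reinstall)")
    if now["partitions"] != baseline["partitions"]:
        findings.append("partition table changed: review entries before trusting this disk")
    if now["disk_sig"] != baseline["disk_sig"]:
        findings.append("disk signature changed: Windows BCD entries may no longer match")
    return findings


def build_sample_mbr(bootcode_seed: bytes) -> bytes:
    """Constructed, structurally valid MBR: pseudo-random boot code, one NTFS-type partition."""
    code = (hashlib.sha256(bootcode_seed).digest() * 14)[:BOOTCODE_LEN]
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    # Bootable (0x80), type 0x07, LBA start 2048, 204800 sectors; remaining 3 entries empty.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    table = entry + b"\x00" * 48
    return code + disk_sig + table + b"\x55\xaa"


def simulate_bootcode_tamper(mbr: bytes) -> bytes:
    """Constructed tampered copy: bootstrap bytes altered, partition table left intact."""
    patched = bytearray(mbr)
    patched[0:17] = b"TAMPERED-BOOTCODE"
    return bytes(patched)


GOOD_MBR = build_sample_mbr(b"known-good bootstrap")   # constructed baseline image
BASELINE = fingerprint(GOOD_MBR)                        # what you would store offline

if __name__ == "__main__":
    for label, blob in (("clean", GOOD_MBR), ("tampered", simulate_bootcode_tamper(GOOD_MBR))):
        print(label, parse_partitions(blob), audit_mbr(blob, BASELINE) or "no change")
```

Because the partition-table hash is separate, a disk-management change shows up as a partition finding while an untouched table plus changed boot code is the pattern a bootkit leaves.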

    1. Anonymous Coward
      Anonymous Coward

      Avira has rootkit checks in it, even in the Personal version!

      As above.

      Sysinternals also provide a rootkit scanner.

  14. Tigra 07
    Welcome

    No Tit Required

    That's almost scary to think about.

    Still, it's always the same people in these botnets.

    Careful internet browsing, scanning downloads from trusted places and running antivirus should really be taught in school.

    Or infected people should be blocked from the internet.

  15. Real Ale is Best
    Linux

    "Once installed it is undetectable by most antimalware programs."

    So which ones is it detectable by?!

    Not that I care ;-)

    1. Nigel 11
      Boffin

      Detectable by ...

      A rootkit on the hard disk can be detected by a scanner that is not handicapped by operating from within the compromised O/S. One that boots off a CD or DVD for example. Theoretically, a perfect rootkit cannot be detected from inside by any means once the O/S it infects has booted.

      Freeware: get one of the Linux rescue kits such as Trinity Rescue Kit or Recovery Is Possible. Shut down Windows, boot, update the ClamAV definitions off the net, and scan your hard disk. The commercial AV vendors ought to encourage offline scanning, but maybe it presents problems in how they protect their revenue stream.

    2. Anonymous Coward
      Alert

      Those I know of...

      Combofix will get it > Vista64; as far as I know it still doesn't like 7.

      Avast will get it assuming it's not been nobbled already (drive installed in another well-protected PC).

      Bullguard (and thus probably Bitdefender) gets it.

      Malwarebytes gets it but misses the MBR infection, how bloody useful

      SpybotSD misses it totally as does Adaware as of time of writing.

      The usual suspects (McCrappe, NotOn) miss it totally

      We've gone from rarely seeing Alureon to seeing it on a daily basis in the space of two weeks :(

      Anon as I'm already in trouble with Symantec

  16. Ken Hagan Gold badge
    Dead Vulture

    Nothing to see here

    From the linked Prevx blog...

    "The dropper is using a non conventional - though well known - way to patch the drive's master boot record. It opens a handle to PhysicalDrive0 and then overwrites the MBR by using SCSI commands."

    So if malware is already running with administrative privileges, it can write whatever it likes to your hard-drive and thereafter hide its presence.

    Who knew?

  17. N2

    No surprises

    Same old shit (from Microsoft) different day

    Yawn.

  18. Owen Carter
    WTF?

    Oh sodding great..

    I got severely foobaa'd by the f****ing driver signing policy recently; left me swearing and staring at the totally wonky hoops you need to jump through to bypass this and get some useful (but unsigned) drivers onto my Win7/64 box.

    'At least' I consoled myself 'MS is finally getting really serious about security'.. (but only while they could charge people for signing the drivers).

    MuHaHaHaHa face slapped now.

  19. max allan

    UAC : waste of space

    As far as I can tell UAC is completely useless.

    "A program would like to make changes to your computer, do you want to allow it?"

    What changes, where, why, etc....

    There are a lot of apps that are borked by UAC and need to be "run as administrator" to work properly (like inability to create files even in areas you can create files in without being administrator)

    And a lot of apps that require UAC confirmation when really they shouldn't need it.

    So you get in the habit of pressing "Yes" because if you don't, you don't get to run 90% of what you want.

    Next question, why does the MBR actually affect Windows? Surely you can replace the MBR with something else like lilo or grub and I wouldn't expect that to affect Windows' policy on deciding whether to allow unsigned drivers FFS.

    Sounds like an easy fix/preventative would be to install lilo/grub and make sure that you see their boot screen before you get into Windows. If the MBR is changed then you wouldn't see them unless it's really f-ing clever.

    1. CD001

      *sighs*

      ----

      There are a lot of apps that are borked by UAC and need to be "run as administrator" to work properly

      ----

      Name 1.

      I can only name 1 on my Windows 7 box - it's a game, an MMO that's more than 13 years old and only when running the legacy client.

      Granted the UAC prompt isn't the most informative prompt ever - but UAC is a good thing.

      1. Peter Kay

        Development environments

        From Microsoft, no less. Try Visual Studio 2005 - full or express. It is (or was) recommended that it runs as admin. Ditto Visual Studio 6, and unsurprisingly several games.

        No surprise there, as coding standards a few years back were frankly pathetic, until they started to be enforced.

      2. Ty Cobb
        Thumb Down

        No Title required

        MapPoint 2006 only wants to be run by the Administrator

    2. The Fuzzy Wotnot
      Unhappy

      Bang on

      ' So you get in the habit of pressing "Yes" because if you don't, you don't get to run 90% of what you want. '

      There's the money shot! That is the Achilles heel of UAC: people get in the habit of clicking Y and that's what kills a pretty good idea.

    3. Tom 13

      Agreed that I'd like to know what program wants to make changes.

      But given that even Trend et al don't provide that info, I suspect that something about the way the OS works requires truly clever people to provide that bit of info.

      As for the Run As bit, are you running Vista or Win 7? I had issues with Vista, but none so far with Win 7. This to some extent mitigates the habituation training issue.

      MBR issues are with us always. LILO and GRUB would only obfuscate the issue, not resolve it. If Windows grants access via direct SCSI commands, the malware can overwrite either of those too. What is needed is a reliable control for access to writing the MBR. A DIP switch or jumper on the MB can guarantee that restriction, but are a PITA for maintenance, and as indicated previously there are times when a necessary patch will update the MBR. Next best choice is the BIOS. Apparently the BIOS boys never got this to work correctly previously. Even if they did, with the current crop of updatable BIOSes I'm not sure how effective it will be.

    4. Anonymous Coward
      Pint

      ha

      And it is exactly that reason people get infected or screw their system then blame it on MS.

      Seriously, how many times does that pop up, really? Unless you're a super geek or someone insistent on poking around in the system then it really doesn't happen that often. If you have a crap old program, force it to install in a different location that has had its security levels reduced; that will get around most issues of UAC. I have a wee folder tucked away for just such programs / games, and it works wonders. UAC isn't a pain, it's there for the masses, everyday Joe and Jane who don't know shit. MS can't do any more; it can't pull a hand out of your TFT and slap you around the face with a kipper shouting you are about to install some really dodgy crap here DON'T DO IT!

      Vista's UAC wasn't too bad but 7 I think has nailed it. People need education now; the tools are there, so stop moaning how bad MS is and go do something about it. Go and teach the old guy next door what's right and wrong, help that "noob" on the forums asking daft questions, because unless us techno peeps teach folk what's right and wrong they will remain ignorant of dangers until it bites them in the arse.

  20. phuzz Silver badge
    Stop

    GPT

    So, I'm guessing this wouldn't work on a GPT disk (although of course you need to be booting from UEFI to use GPT on a boot disk).

  21. Tom 7

    People learn from their mistakes

    MS has Alzheimer's

  22. dcrole
    Boffin

    Total Security = 0 Flexibility

    There always has to be a balance between security and flexibility. Just as the only 100% foolproof way to protect yourself from network attack is to shut down all network connectivity, the only 100% secure computer platform is one that cannot execute any code that was not pre-installed and verified as being secure.

    As soon as you want a general purpose computer, you immediately have to allow a certain level of risk. The question with any computer platform is does it make the right trade-offs between usability and security.

  23. Blubster
    Happy

    @CD001

    "Name 1."

    HP USB Disk Storage Format Tool

    1. Tom 13

      That's not an app that's a tool and one which ought to require elevated access privileges.

      Okay, what it really sounds like is a nasty virus that needs to be removed from your system ASAP, but I gave you the benefit of the doubt. Not something I'm frequently of the mind to do.

  24. LawLessLessLaw
    Boffin

    MBR writing is due to MS DRM my friends

    A windows PC doesn't fill the MBR so "clever" apps have been using it as a private scratch space :

    http://www.chiark.greenend.org.uk/ucgi/~cjwatson/blosxom/debian/2010-08-28-windows-applications-making-grub2-unbootable.html

    including but not limited to HP ProtectTools, PC Angel, Adobe Flexnet

    http://linux.slashdot.org/story/10/08/28/2112208/Some-Windows-Apps-Make-GRUB-2-Unbootable?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+slashdot%2FeqWf+%28Slashdot%3A+Slashdot%29

    1. Nigel 11
      Unhappy

      Sigh

      I've known for a long time that a system set up to dual-boot using Grub from the MBR will randomly stop working and need re-GRUBbing from a stand-alone Linux CD or USB. I'd always assumed it was MS borking the MBR because they thought they owned it and didn't check. Or maybe malware.

      The way that avoids this (using XP) is BOOTPART http://www.winimage.com/bootpart.htm, and install GRUB into the first sector of the linux partition instead of the MBR. Then you can boot Linux via Windows MBR and BOOT.INI. Some day I'll find out how to do the equivalent with Windows 7 (or has MS made it impossible to boot Linux via the MS boot loader? Wouldn't surprise me).

  25. Psymon
    Gates Halo

    UAC violations

    Having managed a few networks in my time, I've dealt with windows boxes and related security issues on various levels, and nothing was more telling than when dealing with locked-down user accounts.

    Most readers on this site will be accustomed to small-to-medium Windows networks where most users are granted a modicum of trust and rights over their own personal systems, but when you have environments like schools, prisons and call centres, where it is policy to "lock it down 'til it squeaks", you start to see some of the dirty habits of software you previously considered respectable.

    Once you've locked down a winXP system, it is nigh impossible to infect it. Buffer overflow code executions fail when they attempt restricted actions. Process user elevations never happened because policies specify a whitelist of trusted locations locally and externally that executables can be run from.

    We never had a problem with the students' desktops (the teachers' laptops on the other hand...)

    Secure, that is, until you start having to punch dirty great holes in your own security to get shoddily designed bits of software working.

    Firefox is a classic example. Its self-update system breaks several fundamental rules of the Windows environment, the most obvious of which is attempting to write back to its own program folder.

    This should never happen. The updating component should have been installed as a local service.

    What really irks me is that these aren't brand new rules that you could forgive people struggling to catch up with. The NT family were designed from the get-go so that in everyday use you run as a limited user, but there are still too many lazy coders out there who take shortcuts that compromise the whole system's security, forcing you to run as root.

    The UAC isn't intended as a direct security measure. It's there to embarrass the coders into writing their software in compliance with the platform they are developing it for. Just think of it as a big FAIL sticker on the 3rd party software every time you see it.

    1. Anonymous Coward
      Anonymous Coward

      ha

      I like that, MS should change the message on UAC

      "Windows has detected that running this poorly designed malware/software may result in the installation of 100 separate viruses that will take over every aspect of your computer and may well try to force you to buy some equally virus-ridden "anti virus" software. Are you sure you want to allow this to run?"

  26. K. Adams
    Alert

    "... uses low-level instructions to disable debuggers, making it hard ... to do reconnaissance."

    That hidden hardware debug mode on AMD processors may come in handy, after all...

    -- http://www.theregister.co.uk/2010/11/15/amd_secret_debugger/

  27. Giles Jones Gold badge

    Why the surprise?

    If someone wants to break into something they will. Windows and Linux servers are priority one as there's a lot at stake, fraud, stealing data and so on.

    The news is good and bad, good because people can patch up. Bad because there's a window of opportunity for the hackers. Many vulnerabilities are usually exposed by security researchers, not the hackers, as soon as the security researchers blab about the bug it will get exploited.

  28. ender

    Re: UAC violations

    > The NT family were designed from the get-go so that in everyday use you run as a limited user but there are still too many lazy coders out there who take shortcuts that compromise the whole system's security, forcing you to run as root.

    Problem with NT's design is that until Vista you were encouraged to run as admin.

    1. Anonymous Coward
      Anonymous Coward

      @ender

      "...Problem with NT's design is that until Vista you were encouraged to run as admin..."

      You really weren't, if you went on any MS courses, or spoke to anyone at MS they'd tell you not to run as admin, just because your pre-installed version of Windows came with an admin level account, didn't mean that MS encouraged this.

  29. Anonymous Coward
    Anonymous Coward

    Memory lane

    This brings back some memories: proper viruses that would quite happily spread via floppy disks to every computer in the building, then flash your BIOS with unusable data on a set date.

    ah those were the days!

  30. Wombat

    Well, I'm safe ...

    ... my user name is administrator and my password is passw**d.

  31. James O'Brien
    Paris Hilton

    Question here

    For those of us running Win7x64 using a GPT in place of the MBR option how does this affect this? Curious because while MBR has been and continues to be the standard for drives currently on the market it would be nice to know if something like this is possible with it. Cheerio.

  32. Anonymous Coward
    Anonymous Coward

    Now what would be fun is...

    The folk who came up with the rootkit work out how Microsoft boinked SD cards in Wp7 so the system couldn't be reset/cleaned etc.

  33. Pat 4

    Got that

    I had a fight with a computer infected with that very nasty bit last week. Took me forever to remove it. In the end the only thing that worked was Combofix.

    Nothing else even detected it.

    Very nasty thing.

  34. bugalugs

    ASCII see it

    1010111 1100101 0100111 1110010 1100101 dotdotdot

    1000110 1110101 1100011 1101011 1101010 1100100 0101100

    1000001 1000111 1000001 1001001 1001110 0100001(!)

    1100001 1110011 __1110101 1110011 1110101 1100001 1101100 !(0100001)

    <|:^(

  35. cmaurand

    active X is still a problem

    no matter how many bits it runs.
