What do I do when Windows XP ends?
11-05-2014, 23:18 | #16
Inactive | Join Date: Jun 2008 | Location: Leeds, West Yorkshire | Age: 47 | Posts: 13,995
Re: What do I do when Windows XP ends?
Quote (Originally Posted by heero_yuy): Nothing like checking on running tasks and also who has hooked what API is there.
What exactly do you use to show you what is playing with APIs?
It sounds impressive, but I'm not entirely sure how software running in ring 3 would be able to monitor the actions of software running in ring 0, or what Process Monitor is going to tell you beyond the fact that a system call was made; it will report back whatever the rootkit is providing.
AVG and other things use the same system calls the rootkit has hooked and will have the exact same issues.
I'm actually asking the question as I genuinely have no idea how you would be able to detect rerouted system calls from user space, or what use looking at running tasks would be.
12-05-2014, 12:30 | #17
Inactive | Join Date: Jun 2008 | Location: Leeds, West Yorkshire | Age: 47 | Posts: 13,995
Re: What do I do when Windows XP ends?
Okay. When I have some time I'll rootkit a VM and see what that program spots then probably start another thread in the security section.
It would be good to see what it actually does. If it's just monitoring the IATs of processes and their calls to Windows APIs through their IAT, it'll be none the wiser from a decent rootkit: the rootkit will rewrite the destination of the call in RAM and then redirect to the original API.
If the rootkit is playing games in ring 0 with the IDT, SSDT and copying its own handlers to DLLs, you're probably hosed whichever way.
EDIT: Just to be clear, I don't recommend anyone do what I'm going to on a real machine. Dynamic analysis of nasty files does involve running them, which means all your bases will belong to the nastiness maker.
These programs are useful to watch things that aren't trying hard to hide themselves, you can get a good idea of their behaviour for sure. I use Process Monitor quite a bit when reverse engineering Windows binaries to get a high level view of what a program is doing.
Probably a bit late but you may have found https://www.coursera.org/course/malsoftware interesting.
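The IAT check described above (is each import slot still pointing into the DLL that exports the function, or has it been rewritten to land somewhere else first?) can be modelled in a few lines. This is an added example, not code from the thread or from any of the tools mentioned; the module bases and slot values are constructed sample data (XP-era kernel32/advapi32 bases plus a hypothetical injected DLL), and it deliberately generalises to any import table rather than one specific binary. It only sees user-mode IAT rewrites: inline patches inside the API body, and the ring 0 IDT/SSDT games mentioned above, are invisible to it.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    """A loaded module as seen in the process address space (name, base, size)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class IatEntry:
    """One import slot: which DLL/function was imported and what the slot now holds."""
    dll: str
    func: str
    slot_value: int


def find_iat_hooks(entries: Iterable[IatEntry],
                   modules: Iterable[Module]) -> List[Tuple[IatEntry, str]]:
    """Flag IAT slots whose pointer does not land inside the module that exports the import.

    A user-mode hook rewrites the slot so the call lands in the hook first, which then
    forwards to the original API; the slot therefore points into an injected DLL or into
    private memory instead of the exporting module. Forwarded exports (kernel32 forwarding
    to ntdll, for example) are a known source of false positives and would need an
    allowlist in a real tool.
    """
    modules = list(modules)
    by_name = {m.name.lower(): m for m in modules}
    findings: List[Tuple[IatEntry, str]] = []
    for entry in entries:
        owner: Optional[Module] = by_name.get(entry.dll.lower())
        if owner is None:
            findings.append((entry, "exporting module not present in module list"))
            continue
        if owner.contains(entry.slot_value):
            continue  # slot still points into the DLL that exports the function
        landing = next((m.name for m in modules if m.contains(entry.slot_value)), None)
        where = landing if landing else "unmapped or private memory"
        findings.append((entry, f"slot points into {where}, not {owner.name}"))
    return findings


# Constructed sample: XP-era kernel32/advapi32 bases plus a hypothetical injected module.
SAMPLE_MODULES = [
    Module("kernel32.dll", 0x7C800000, 0xF6000),
    Module("advapi32.dll", 0x77DD0000, 0x9B000),
    Module("injected_hook.dll", 0x10000000, 0x20000),  # hypothetical injected DLL
]

SAMPLE_IAT = [
    IatEntry("kernel32.dll", "CreateFileW", 0x7C810CD9),     # inside kernel32: fine
    IatEntry("kernel32.dll", "FindFirstFileW", 0x10001234),  # rewritten to injected DLL
    IatEntry("advapi32.dll", "RegEnumKeyExW", 0x00350000),   # rewritten to private memory
    IatEntry("advapi32.dll", "RegOpenKeyExW", 0x77DD6A1B),   # inside advapi32: fine
]


def demo() -> List[str]:
    """Return the flagged imports with the reason, for the constructed sample."""
    return [f"{e.dll}!{e.func}: {why}"
            for e, why in find_iat_hooks(SAMPLE_IAT, SAMPLE_MODULES)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a live process the module list and slot values would come from a debugger or the process's own memory; the range check itself is what the "is it playing with APIs" tools do, and its blind spots are exactly the ones the thread lists.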
12-05-2014, 12:58 | #18
Inactive | Join Date: Jun 2008 | Location: Leeds, West Yorkshire | Age: 47 | Posts: 13,995
Re: What do I do when Windows XP ends?
Quote (Originally Posted by heero_yuy): I bow to your greater knowledge here. Could be an interesting exercise.
Hah don't bow to my knowledge on this stuff, I'm just an enthusiastic amateur.
12-05-2014, 14:37 | #19
CF's Worst Nightmare | Join Date: May 2012 | Location: Probably outside the M25 | Services: Sky Fibre Unlimited 40/10 | Posts: 3,473
Re: What do I do when Windows XP ends?
API monitor and Process Explorer (good old sysinternals, now MS) may allow you to spot some of the simple viri but usually rootkits send back false information to the API calls they use. Detecting a proper rootkit through looking at processes and memory is nigh on impossible, you have to rely on what is written to disk.
Programs that try to detect if you have a rootkit installed usually do things like use the Windows API functions to get directory listings on all folders (which rootkits often intercept and return a listing minus their own files) or registry entries, and then use raw disk reads to see if the results are the same. Many rootkits like TDSS look out for certain programs being run and will intercept many rootkit-killer type programs, but changing the executable name is enough to bypass that.
Obviously the best way to detect a rootkit is to boot from a CD, stopping the rootkit loading up and hiding itself, which is what would happen with a normal boot. If you can't do this, I suggest using something like Combofix from the Bleeping Computer website, which works very well.
Persistent BIOS rootkits have had a few proof of concepts and they are the ultimate really, as there is no way to find those. At present there is no way to install these except by tricking a user into doing it themselves, although I wouldn't put it past the three and four letter agencies to be able to do it without user interaction.
As large corporations will continue to get XP support for some time, I expect someone will start releasing the patches they get to the general public.
Post added at 13:37 (previous post was at 13:13)
Quote (Originally Posted by Ignitionnet): Okay. When I have some time I'll rootkit a VM and see what that program spots then probably start another thread in the security section.
Keep in mind some rootkits are virtual machine aware and can break out to the main machine using vulnerabilities in the software. Most of the issues are patched in later versions but there is always the possibility of there being a new unknown vector for them to take advantage of.
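The cross-view technique described in the post above (list a tree through the API, list it again through a path the rootkit does not control, report what the API view is missing) is the part of a rootkit scanner that is easy to show in code. The following is an added example, not code from the thread or from any named scanner. It simulates the hooked API with a filtering `os.listdir` wrapper and uses an unfiltered `os.listdir` in place of raw disk (MFT) reads, so it runs on a constructed temp directory on any OS; the hook simulation, the `$rk_` marker and the sample tree are all constructed. The detector itself is general: hand it any two listing functions over the same tree (a registry enumerator versus a raw hive parser works the same way).

```python
import os
import tempfile
from typing import Callable, Iterable, List, Tuple

ListFn = Callable[[str], Iterable[str]]


def cross_view_diff(root: str, api_list: ListFn, raw_list: ListFn) -> Tuple[List[str], List[str]]:
    """Walk the tree using the trusted (raw) view and compare each directory to the API view.

    Returns (hidden, spurious): entries present only in the raw view (hidden from the
    API, the classic rootkit sign) and entries present only in the API view. The walk
    follows the raw view so that hidden directories are still descended into.
    """
    hidden: List[str] = []
    spurious: List[str] = []
    stack = [root]
    while stack:
        directory = stack.pop()
        raw = set(raw_list(directory))
        api = set(api_list(directory))
        hidden.extend(os.path.join(directory, n) for n in sorted(raw - api))
        spurious.extend(os.path.join(directory, n) for n in sorted(api - raw))
        for name in sorted(raw):
            path = os.path.join(directory, name)
            if os.path.isdir(path) and not os.path.islink(path):
                stack.append(path)
    return hidden, spurious


HIDDEN_PREFIX = "$rk_"  # constructed marker for the names the simulated hook filters out


def hooked_listdir(path: str) -> List[str]:
    """Stand-in for a hooked FindFirstFile/FindNextFile: returns the listing minus marked names."""
    return [n for n in os.listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def build_sample_tree() -> str:
    """Create a small constructed tree in a temp dir, including entries the hook would hide."""
    root = tempfile.mkdtemp(prefix="crossview_")
    files = [
        "Windows/system32/kernel32.dll",
        "Windows/system32/$rk_hook.dll",
        "Windows/$rk_drivers/$rk_fs.sys",
        "boot.ini",
    ]
    for rel in files:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"placeholder")  # constructed content, not a real binary
    return root


def demo() -> Tuple[List[str], List[str]]:
    """Run the detector over the sample tree; return relative, slash-separated paths."""
    root = build_sample_tree()
    hidden, spurious = cross_view_diff(root, hooked_listdir, os.listdir)

    def rel(p: str) -> str:
        return os.path.relpath(p, root).replace(os.sep, "/")

    return [rel(p) for p in hidden], [rel(p) for p in spurious]


if __name__ == "__main__":
    hidden_paths, _ = demo()
    for p in hidden_paths:
        print("hidden from API view:", p)
```

The caveat from the post carries over: the "raw" side is only as trustworthy as the path it takes to the disk, so a rootkit hooking below the file system driver defeats it, which is why booting from separate media remains the reliable option.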
12-05-2014, 17:29 | #20
cf.mega poster | Join Date: Aug 2004 | Posts: 11,207
Re: What do I do when Windows XP ends?
Just use some super obscure VM that is not binary compatible with the host like Oracle VM (and I mean Oracle VM on Solaris, not Virtualbox). :P
12-05-2014, 17:42 | #21
Haggis Hunting | Join Date: Mar 2010 | Location: Over there | Posts: 1,096
Re: What do I do when Windows XP ends?
Something that seems to be getting overlooked in the forgetting "to run Windows Update for a few months (or years)" comparisons is that when software stops being supported efforts to compromise it ramp up rather significantly.
12-05-2014, 18:26 | #22
CF's Worst Nightmare | Join Date: May 2012 | Location: Probably outside the M25 | Services: Sky Fibre Unlimited 40/10 | Posts: 3,473
Re: What do I do when Windows XP ends?
17% of home users' computers are still using XP according to a report I saw today. One in six is not a good amount. Add on top what anti-virus vendors are saying in another thread I started and you can see this will get messy.
12-05-2014, 18:32 | #23
Inactive | Join Date: Jun 2008 | Location: Leeds, West Yorkshire | Age: 47 | Posts: 13,995
Re: What do I do when Windows XP ends?
Quote (Originally Posted by Qtx): Keep in mind some rootkits are virtual machine aware and can break out to the main machine using vulnerabilities in the software. Most of the issues are patched in later versions but there is always the possibility of there being a new unknown vector for them to take advantage of.
Won't be of any use to the rootkit if it does. It's not going to be in a Windows hypervisor.
12-05-2014, 18:51 | #24
CF's Worst Nightmare | Join Date: May 2012 | Location: Probably outside the M25 | Services: Sky Fibre Unlimited 40/10 | Posts: 3,473
Re: What do I do when Windows XP ends?
Quote (Originally Posted by Ignitionnet): Won't be of any use to the rootkit if it does. It's not going to be in a Windows hypervisor.
Windows hypervisor has been broken by exploits on numerous occasions. There was this one a few months back, but that was the host accessing the guest. Although the idea behind hypervisors is great for protection, they can have their own problems too.
From 2012, quote:
A newly disclosed vulnerability that affects multiple virtualization products could allow an attacker to obtain administrative-level rights in the hypervisor and run arbitrary code or access any account of their choosing.
That warning arrived Tuesday in the form of a security advisory released by the U.S. Computer Emergency Readiness Team (US-CERT). "Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack," it read. "The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape."
12-05-2014, 19:29 | #25
cf.mega poster | Join Date: Jun 2003 | Location: Kairdiff-by-the-sea | Age: 69 | Services: TVXL BBXL Superhub 2ac (wired) 1Tb Tivo | Posts: 10,322
Re: What do I do when Windows XP ends?
12-05-2014, 19:43 | #26
Inactive | Join Date: Jun 2008 | Location: Leeds, West Yorkshire | Age: 47 | Posts: 13,995
Re: What do I do when Windows XP ends?
Quote (Originally Posted by Qtx): Windows hypervisor has been broken by exploits on numerous occasions. There was this one a few months back, but that was the host accessing the guest. Although the idea behind hypervisors is great for protection, they can have their own problems too. From 2012
Unsure if you read it, but I said that it won't be running inside a Windows hypervisor. I'm not using a hypervisor for security but because you need a hypervisor to run VMs on.
It'll actually be running on a dedicated ESXi host, whose other guest OSes are a couple of proprietary Linux-based VMs along with a very cut down proprietary Linux OS and a ridiculously basic Linux OS that does nothing but emulate a WAN.
Even if a nasty is able to log into one of the *nix VMs as root, it just gets that one machine. That host has access neither to the Internet nor to the rest of my LAN, as it sits in an isolated 'DMZ' VLAN which has no routing outside of the VLAN and no access to its first hop router besides DHCP and DNS.
Better not to mix the home network and the lab network.
12-05-2014, 21:51 | #27
cf.mega poster | Join Date: Aug 2004 | Posts: 11,207
Re: What do I do when Windows XP ends?
Doesn't ESXi (or was it ESX) run on top of a modified RHEL core?
12-05-2014, 22:50 | #28
Inactive | Join Date: Jun 2008 | Location: Leeds, West Yorkshire | Age: 47 | Posts: 13,995
Re: What do I do when Windows XP ends?
ESXi uses its own kernel. It has a ton of similarities to RHEL, etc., but uses its own kernel and has a very small selection of libraries available. Any exploit would need to be compiled specifically for ESXi.
To actually do anything would require a rootkit that runs on Windows, uses a red pill to detect the hypervisor, then breaks out of its VM by exploiting ESXi, which would require various statically linked libraries and/or payloads which it can't download as it doesn't have Internet access, and manages to take control of ESXi.
Something that does all that would be absolutely state of the art and likely way beyond my capability to analyse anyway. I'm not going to be downloading mysterious malware to test, but recognised Windows PE only samples.
12-05-2014, 22:56 | #29
CF's Worst Nightmare | Join Date: May 2012 | Location: Probably outside the M25 | Services: Sky Fibre Unlimited 40/10 | Posts: 3,473
Re: What do I do when Windows XP ends?
Yeah, I was just giving that as an interesting example. ESX/ESXi has had its fair share of exploits too, but I'm not aware of any infections that make use of them. If it was connected to the net (I saw your box wasn't) then it could still be possible for an outside attacker to elevate themselves to full control of the box rather than the one virtual machine, if you run the old versions or a new exploit is found. All manual work though.
Was just making the point that hypervisors were not 100% foolproof like they are supposed to be.
Was thinking of getting a microserver to run ESXi on and just have lots of servers on it as VMs running all at the same time.
12-05-2014, 23:13 | #30
Inactive | Join Date: Jun 2008 | Location: Leeds, West Yorkshire | Age: 47 | Posts: 13,995
Re: What do I do when Windows XP ends?
Fortunately none of those are for ESXi 5.5 so I'm probably all good for now.
Hypervisors are like everything else, if there's a vector there're probably bugs.
Post added at 22:13 (previous post was at 22:09)
Quote (Originally Posted by Qtx): Was thinking of getting a microserver to run ESXi on and just have lots of servers on it as VMs running all at the same time.
Sadly due to memory requirements I use a full server for ESXi. My microserver is actually on my home network and does more mundane duties.