
difficulty of detecting rootkits

Posted Oct 28, 2004 1:02 UTC (Thu) by mbp (guest, #2737)
In reply to: Steve Ballmer's "executive letter" by jwb
Parent article: Steve Ballmer's "executive letter"

Well, yes and no. I've looked at about five machines with rootkits installed in the last couple of years. In every case it was possible to detect the rootkit while the machine was still running, with a bit of intelligent analysis. (Yes, I did tell the owners to reinstall from trusted media.) In theory there are rootkits which by playing kernel tricks can be absolutely undetectable, but the ones I've observed in the wild are not quite that good. Somebody who does security full time might have much better numbers.

The big difference is that by rebooting from any of a number of live CDs you can get Linux back to an absolutely trusted state, from which detecting a rootkit is reasonably easy. This is harder on Windows for several reasons:

* the recovery console is text only, but many useful programs require a GUI

* NT recovery will (by default) not access the disks unless it can read the SAM database and check the administrator password. (Surely one of the most idiotic features ever, given the person is physically on the console and could boot Linux to look at the disks anyhow.)

Given the chance of trying to recover a rooted Linux machine or a rooted Windows machine I'd choose Linux.

(I barely use Windows these days so I may be wrong.)
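The trusted-media approach mbp describes, as an added example that is not part of the thread: boot from known-good media, mount the suspect disk, and compare its files against a manifest recorded while the system was trusted. The code, file names and contents below are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Offline integrity check: compare a mounted (suspect) root filesystem against a
# manifest recorded while the system was trusted. Run from live-CD media, the
# suspect kernel is not executing, so it cannot hide files or lie about contents.

def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # only hash real file contents, not link targets
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare_manifests(baseline, suspect):
    """Classify paths as modified (hash differs), added (not in baseline) or missing."""
    return {
        "modified": sorted(p for p in baseline if p in suspect and baseline[p] != suspect[p]),
        "added": sorted(p for p in suspect if p not in baseline),
        "missing": sorted(p for p in baseline if p not in suspect),
    }

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample: a trusted tree and a suspect copy with one binary replaced,
    one file added and one file removed. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as suspect:
        for root in (trusted, suspect):
            write(root, "bin/ps", b"unchanged ps binary (constructed)")
        write(trusted, "bin/ls", b"original ls binary (constructed)")
        write(suspect, "bin/ls", b"ls binary with different contents (constructed)")
        write(suspect, "lib/.extra", b"file present only on the suspect disk (constructed)")
        write(trusted, "etc/only_in_baseline", b"file missing from the suspect disk (constructed)")
        return compare_manifests(build_manifest(trusted), build_manifest(suspect))

if __name__ == "__main__":
    print(demo())  # {'modified': ['bin/ls'], 'added': ['lib/.extra'], 'missing': ['etc/only_in_baseline']}
```

In practice the baseline comes from package metadata or a manifest stored off the machine; a manifest kept on the suspect disk could have been altered along with the files it describes.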



difficulty of detecting rootkits

Posted Oct 28, 2004 3:01 UTC (Thu) by bojan (subscriber, #14302)

> * NT recovery will (by default) not access the disks unless it can read the SAM database and check the administrator password. (Surely one of the most idiotic features ever, given the person is physically on the console and could boot Linux to look at the disks anyhow.)

Yeah, there is that one. There is also the thing with LocalSystem having more privileges than Administrator. Basically, the system is designed to not trust the very person that is supposed to be in charge of it (eh?). And yet, to bypass that is trivial - just run a service as LocalSystem that leaves a shell open. Not to mention the fact that many services actually already run as LocalSystem, therefore being completely exposed anyway.

Then there is the explanation as to why the graphics drivers should run in the kernel. Here is the summary. In the old NT 3.51, if the graphical subsystem died (which ran in userland), although the kernel stayed up, there was no way to do anything with the system (one needs a GUI to do things on NT). So, the "logical" solution was to put the GUI into the kernel and gain some speed instead. Hello? How about making the system in a way that it can be used WITHOUT the GUI? But no, that would look too much like Unix :-)

And it goes on and on...

difficulty of detecting rootkits

Posted Oct 28, 2004 15:17 UTC (Thu) by mmarq (guest, #2332)

> Given the chance of trying to recover a rooted Linux machine or a rooted Windows machine I'd choose Linux.
>
> (I barely use Windows these days so I may be wrong.)

If you understand by a rootkit the immense quantity of "Trojan" software out there, and growing, it would not be very smart to let it rest in the care of a single anti-virus/anti-trojan program... it is already a *false security*.

I'm not a real expert in the field, I can only talk about my experience, and it seems to me that the question is not which rootkit/trojan 'tends to be' more elaborate, a Windows or a Linux one, because since Linux is much more difficult to penetrate it *must* have a more elaborate rootkit and so a 'trending' more difficult removal...

The question would be: Are you willing to face a 'potential Linux rootkit' incident every year, growing perhaps to 2 or 3 incidents a year in the next couple of years, or are you willing to face a 'potential Windows rootkit' incident every month, growing perhaps to an incident every week in the next couple of years??... (it's exponential)

The answer is: 'Support Service Providers', you need to *Get Serious*!

difficulty of detecting rootkits

Posted Oct 29, 2004 1:56 UTC (Fri) by jtc (guest, #6246)

There's some useful information in your post. I'm sure Microsoft would appreciate it if you posted it in their comments/feedback section of the article. Oops! It looks like they don't have a feedback section. [I guess they're rather like the Bush administration: "We don't need any stinkin' feedback."]
