Follow-Up: Why Microsoft Can't Stop Root Kits

I'm glad so many of you liked my commentary about root kits last month. (You can read the article at the URL below.) Root kits are basically Trojan horse programs that run on your network but that you can't find because they "stealth" or hide themselves. Windows Task Manager, Windows Explorer, antivirus programs, and other applications can't detect the presence of these stealthed programs. Root kits stealth themselves by modifying the part of the OS that reports about the running processes. The root kit then stays invisible with the help of these modified OS components. In my commentary, I argued that to combat root kits, antivirus vendors need to somehow distribute their scanners on a bootable CD-ROM that could read NTFS drives as well as start up an IP stack and download an up-to-date pattern file from the antivirus vendor site.

Many of you wrote asking whether I had heard about "BartPE." Yes, I've heard about Bart Lagerweij's BartPE. He's figured out which files to burn onto a CD-ROM to create a fairly complete, self-contained copy of Windows Server 2003 or Windows 2000. You'll immediately see the value of a BartPE CD-ROM that you can boot from and run enough of the OS to repair your system. But that's not what I'm looking for. I don't want a bootable Windows CD-ROM. I just want a bootable CD-ROM that contains an antivirus scanner and cleaner that gets its pattern files from the Internet. I suppose a BartPE CD-ROM in combination with a trip to the Web site where you'll find Trend Micro's free ActiveX scanner would do the job, but I don't want to abuse Trend Micro's hospitality.

But why are root kits possible? Is it because of some sloppiness on the part of Microsoft's OS architects? Another evil Redmondian plot? Nope, not this time.

The only way that a program running on almost any OS can get a list of the running processes (e.g., user applications, drivers, services, OS components) is by asking the OS for that list. That was true with the first mainframe OS I ever ran (IBM OS/360), it's true for the Windows NT family, and as far as I know, it's true for all offshoots of the UNIX/Linux family. Windows systems include a small number of APIs--hooks into the OS--and any application that tries to find out which processes are running depends on these APIs. The APIs are nothing more than a set of programs on the computer's hard disk. Now suppose a malicious user wants to write some kind of malware--perhaps a program that erases your hard disk or supports a Distributed Denial of Service (DDoS) attack--but doesn't want your antivirus software to be able to detect it. The attacker could rewrite those programs so that they wouldn't report the existence of certain processes (i.e., the accompanying malware) and replace the program files on your hard disk with the modified versions. He or she could then install the malware, cause it to start automatically on your computer every day, and wham! Not only do you have something nasty running on your system, you don't know it. The point I'm making is that an OS is nothing more than software, and you can write software to do anything you want, including ignoring certain processes. A malicious user could also modify Windows Explorer to not show a given file or modify regedit to not show certain registry keys. Please understand that I'm simplifying here a bit; the typical bad guy might not actually modify those files but would instead install some kind of filter on them to accomplish the same goals.
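Because a stealthed process is filtered out of the list the OS reports but is still scheduled and still owns a process ID, the standard defensive answer is "cross-view" detection: collect the process table two different ways and diff the results. The following is an added example (not from the original article) of that check. The process table and the `hooked_listing` function that models a modified listing API are constructed for illustration; the live collectors at the bottom use Linux's `/proc` and `kill(pid, 0)`, and the same idea maps onto the Windows process-enumeration APIs.

```python
"""Cross-view process detection (added example; constructed data, not the article's code).

A process-hiding root kit filters the list that the OS hands to Task Manager,
but the hidden process is still scheduled and still owns a PID. Collecting the
process table two different ways, one through the usual listing API and one
through a lower-level probe, and diffing the two exposes what was filtered out.
"""
import os
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    kind: str  # "hidden": alive but unreported; "phantom": reported but not alive


def cross_view_diff(reported, alive):
    """Diff two views of the process table; an empty list means the views agree."""
    reported, alive = set(reported), set(alive)
    hidden = [Finding(p, "hidden") for p in sorted(alive - reported)]
    phantom = [Finding(p, "phantom") for p in sorted(reported - alive)]
    return hidden + phantom


# ---- constructed model of a hooked listing API (hypothetical PIDs and names) ----
TRUE_TABLE = {1: "init", 412: "sshd", 833: "explorer", 1207: "rk_backdoor", 1311: "antivirus"}


def hooked_listing(true_table, hide):
    """Models a modified process-list API: the real table minus the names the root kit hides."""
    return [pid for pid, name in true_table.items() if name not in hide]


def demo():
    """Run the detector against the constructed table with 'rk_backdoor' filtered out."""
    reported = hooked_listing(TRUE_TABLE, hide={"rk_backdoor"})
    return cross_view_diff(reported, TRUE_TABLE)


# ---- live collectors for Linux; the same two-view idea applies to Windows ----
def listed_pids():
    """High-level view: what a directory listing of /proc (the 'ps' view) reports."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def listed_tids():
    """Thread IDs of listed processes; kill() answers for these too, so they are not hidden PIDs."""
    tids = set()
    for pid in listed_pids():
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # process exited while we looked
    return tids


def probed_pids(max_pid=None):
    """Low-level view: every PID that answers kill(pid, 0), whether or not /proc lists it."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)  # signal 0: existence check only, nothing is delivered
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # EPERM still means the PID exists
        alive.add(pid)
    return alive


if __name__ == "__main__":
    print("constructed table:", demo())
    if sys.platform.startswith("linux"):
        listed = listed_pids()
        # thread IDs answer kill() as well, so drop them before calling anything "hidden"
        alive = listed | (probed_pids() - listed_tids())
        print("live system:", cross_view_diff(listed, alive))
```

A live run takes a few seconds because it probes every PID up to `pid_max`. Processes that start or exit between the two collections show up as one-off findings, so a real detector repeats the comparison and only reports PIDs that are hidden on every pass. The model also shows the limit of the technique: a root kit that hooks the lower-level probe as well as the listing API defeats it, which is why the article's bootable-CD scanner, running outside the possibly-modified OS, is the stronger position.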

How does an attacker install these filters and programs on your system? Can't Microsoft change the OS to protect us from this threat? Again, no. Installing these stealthing filters or programs on an OS is no different than installing a patch or a new feature. This malware is installed because a user opens an email attachment, runs a program, or agrees to install an ActiveX control. Or it's installed through a worm that can run code on an infected computer. Except for the last case, these OS modifications are acceptable to the OS because they're installed by someone with administrative powers. That's the important part of the point: Installing malware is possible because most of us have full administrative powers on our computers.
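Since a stealthing filter lands on disk the same way a patch does, the offline scanner the article asks for comes down to one check: compare the OS files on disk against a known-good baseline, from outside the OS whose file APIs may already be lying. The following is an added example (not from the original article) of such a baseline comparison. The directory layout and file contents are constructed sample data written into a temporary directory, so the block runs anywhere.

```python
"""Baseline integrity check for on-disk OS components (added example; constructed sample data).

Build a baseline of file hashes while the system is known to be clean, keep it
off the machine, then compare the disk against it from a trusted boot. A
replaced process-enumeration library or a new filter driver shows up as a
modified or added file, regardless of what the running OS would report.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large DLLs and drivers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative, POSIX-style path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_to_baseline(baseline, root):
    """Re-hash root and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: a trojaned process-API library and a new filter driver."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sys32 = root / "system32"
        sys32.mkdir()
        # constructed stand-ins for real OS files; the bytes are placeholders, not real code
        (sys32 / "ntdll.dll").write_bytes(b"constructed: original loader code")
        (sys32 / "psapi.dll").write_bytes(b"constructed: original process API")
        baseline = build_baseline(root)

        # what an administrator-level install of a root kit leaves behind (constructed)
        (sys32 / "psapi.dll").write_bytes(b"constructed: filtered process API")
        (sys32 / "drivers").mkdir()
        (sys32 / "drivers" / "stealth.sys").write_bytes(b"constructed: filter driver")
        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files or '-'}")
```

Two points the code does not enforce but a real deployment must: the baseline has to be stored somewhere the machine being checked cannot reach, and the comparison has to run from media the suspect OS did not boot, exactly as the article's bootable CD-ROM would, because a filter installed with administrative rights can just as easily hide a changed file from a checker running on the infected system.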

In the current Windows culture, users spend most of their time logged on as a local administrator. Until users either hand over administrative powers to IT staff or spend most of their time logged on as a local user with the ability to shift to administrative powers via the RunAs command, attackers will be able to use Trojans, root kits, and the like to install bad stuff on our systems. (Ask any UNIX/Linux expert whether it's a good idea to spend the whole day logged in as an administrator, and you'll get a look of horror.)

So, in the end, Microsoft can do little to reduce the threat of Trojans and root kits. As with so many security problems, this isn't a silicon-based problem--it's a carbon-based one. With time and culture change, it'll go away.
