If you've visited Microsoft's home page recently, you probably noticed that Microsoft is now offering an antispyware tool--Microsoft Windows AntiSpyware (Beta). Microsoft acquired the antispyware tool when the company bought the tool's creator, a small software firm ironically named GIANT Company Software (and I thought I was being arrogant registering bigfirm.com a while back). I stumbled across the tool a few months ago and tried GIANT's 14-day trial. I was impressed because it went beyond the usual, "Oh my gosh, we found 4000 cookies on your system!" scare tactics and offered intelligent advice about the spyware and adware it found on my system. After the trial period ended, I was ready to pay for the program, but Microsoft bought GIANT and is now offering the antispyware tool free. (At least, for now; Mike Nash, Microsoft corporate vice president of the Security Business & Technology Unit, cautioned that the tool might not stay free. (That's another discussion, though.) You can download the tool at http://www.microsoft.com/athome/security/spyware/software/default.mspx.
So far, Microsoft hasn't messed with the functionality that GIANT built into the tool, and I hope it stays that way. But I have a few thoughts about how to make the GIANT product a behemoth. First and foremost, Microsoft's spyware strategy desperately needs a CD-ROM-based, bootable tool. Years ago, I attended a Microsoft security briefing at which a speaker talked about "root kits," something that sounded scary but unlikely to be a threat back then. But that threat has become all too possible now, according to my colleague Mark Russinovich. (Mark tells me do-it-yourself software hacker tools are available that make creating these root kits virtually a point-and-click matter.)
A root kit is a Trojan horse program that sits silently on your computer and does pretty much whatever it wants. Recall that Trojan horses can be programs that launch Distributed Denial of Service (DDoS) attacks, such as the widespread Mydoom virus. Other Trojan horses might be keystroke loggers--programs that record every key you press, including passwords--and ship them over the Internet to a malicious user who seeks to steal your identity and assets. You can find Trojans running on your system in several places: They might show up as a service, as a running program in the Windows Task Manager list, or as an entry in your registry's Run keys. A run-of-the-mill antivirus program can find and eliminate such Trojans.
Root kits are dangerous because they can "stealth" themselves. They modify the basic, low-level parts of the OS, instructing Windows to keep them off its lists of running services and processes and to not display them in the registry. And a simple hard-disk scan won't detect the program files. Because antivirus and antispyware programs must rely on the OS to find running programs, they're powerless to find root kits, much less eliminate them.
Imagine how devastating the effects of a root kit attack could be. What if someone has already built a root kit that spreads quietly and calls no attention to itself--one that waits until some date, such as December 25, 2006, then activates and erases hard disks. How do you defend against this type of attack? You could, I suppose, run a network sniffer such as Ethereal or Microsoft Network Monitor and examine network traces for unexpected network activity, but the volume of traffic on a network segment would make that a Herculean task. No, the way to attack root kits is by exploiting the way that they modify the OS to hide themselves--or at least modify the copy on the hard disk.
What if you could boot a simple OS from a CD-ROM or a USB storage device such as a USB thumb drive? The OS simply needs to be able to contact the Internet to get the latest pattern files and to read and write FAT, FAT32, and NTFS drives so that it can scrub the infected files. Our old DOS systems were vulnerable to stealth viruses, but we could deal with these attacks. We could cold-boot our systems from a write-protected, bootable floppy disk that contained a virus-scanning program. Microsoft has a bootable version of its OS called Microsoft Windows Preinstallation Environment (Windows PE); why not combine it with its new antispyware tool and make a really groundbreaking tool? Of course, if Windows is too big to fit on a CD-ROM or a USB drive, I suppose Linux is always an option ...
