Originally posted by: Markbnj
That's the problem with these bastards. Since effective enforcement is not being done on an international scale, we all end up with machines that are armoured like an M1 tank. From what I hear you have to explicitly tell Vista it is ok every time you take some action that requires higher privs. That's going to be frustrating as hell.
Personally, I think the international community should get together, track some of these guys down, and put them away for 20. A few of those and you'll chase them into the remote corners of the 3rd world, and then we can slap firewalls around those countries.... or something.
Trouble is that there is no such thing as an 'international community'. The closest you get is the UN which is full of third world countries' governments trying to push everybody around in an attempt to hide their own 'crimes against humanity' and try to get 'human aid' to help finance and feed whatever petty internal war they have going on at the time and a few big players playing games to keep themselves at the top.
I doubt they could give a crap less about anything as pedestrian as 'computer security'.
People have to be out for themselves and work to protect themselves. It's the same as it ever was and probably ever will be. You're responsible for your own security. Laws and law enforcement haven't stopped criminals from being a-holes yet.
---------
As far as not-being-able-to-recover from malware.
In Unix-land the only tried-and-true way to recover from a successful root exploit is to wipe the machine and start over. That's why you aren't going to see a big market for things like anti-malware and anti-virus stuff in 'enterprise' unix stuff.
What you'll see is a lot of tools and items to detect a successful attack.. Like Tripwire being used to detect any system files and drivers that may have been tampered with. (which requires taking the machine down to check.. Modified kernels and kernel drivers put into place by hackers will provide false information about files/filesizes/file checksums to fool the most sophisticated sorts of file scanners) or IDS systems like Snort that assist in monitoring network traffic for any sort of suspicious activity.
However you won't find much in the way of tools to recover from a successful attack. It's actually very pointless. With a kernel-module rootkit you can't trust your own OS. You can't trust any tools to detect backdoors.. Even if you installed them after the fact on a machine that you have off the network. You will never be sure what sort of things the hackers did or anything like that. You will never be sure what sort of system files they modified or anything like that.
So it's actually a lot easier, a lot faster, and a hell of a lot cheaper (for businesses) to simply format and reinstall.
It's been like this for years and years.
With the introduction of Windows 2000 Microsoft had reached a level of security that is about the same level of sophistication found in most Unix boxes at the time. So then hackers began using techniques used to compromise unix systems on Windows. Things like driver-based rootkits and such started popping up.
The idea is that after you hack a machine you install the rootkit. It loads a driver up, or you modify an existing driver or whatnot, that then goes and modifies how the system kernel behaves so that you can avoid detection from things like anti-malware or anti-virus. Then you have modified system binaries and hidden tools that help you do whatever you want to do.. Like setting up an IRC channel, or an FTP server, or a vehicle to launch other attacks.
In fact early on the ONLY way people knew these things were going on was that some of the driver-level rootkits people were using had a bug(s) in them that caused BSOD and caused mysterious backtraces and such. Nowadays, of course, these things are more sophisticated.
And Sony's DRM rootkit blunder has popularized the use of rootkits to subvert windows computers so now every script kiddie in the world knows how these things work and more professional crackers (that is programmers who make livings on hacking secure computers) now provide well-tested tools to them to accomplish things like having armies of script kiddies (unknowingly) inserting backdoors into computers around the world with no legal risk to themselves.
The new abilities of Pacifica from AMD and VT from Intel have opened up a new avenue for new and more sophisticated rootkits.
With these items it will be possible for a hacker to slip a Virtual Machine hypervisor underneath an operating system. That is they create a rootkit that then operates UNDERNEATH a system kernel. This is even more effective and more difficult to detect than before.
This is because these items will create a virtual machine environment for your Operating System to run in. No kernel drivers to cause BSOD. No modified system binaries to alert checksumming programs on a machine that is taken down. No need to do anything like that. It's also operating system independent. The same thing will work for Windows XP as it does Linux as it does OpenBSD as it will for Windows Vista.
It's even possible that uninstalling and reinstalling an OS won't wipe it out.
Microsoft, working with the University of Michigan, has created several proof-of-concept viruses/rootkits that exploit VM environments to hide themselves. Details are outlined in this pdf.
http://www.eecs.umich.edu/virtual/papers/king06.pdf
The major barrier is that you have to reboot the machine to get the VM-based rootkits to 'lift' your operating system into their VM environment. This isn't that difficult if you think about it. With linux you'd just install the vm and wait for the administrator to do a kernel update. With desktop windows you'd just have to wait around for a security update or install it as a virus in another program like a shareware item. They'd bring up the dialog 'Please reboot now' and you'd reboot and then the damage is done.
That's what TPM (trusted platform module) is designed to provide a means to counteract. It's designed to create a hook into the hardware that can't be virtualized so that there will be a way to check the checksums of any hypervisor running your system (like Xen or VMware server editions) and the kernels as well as most other things.
So using that it should provide a means to allow a way to detect even VM-based rootkits.
Unfortunately it's also going to be used for DRM. This provides a HUGE financial incentive for all sorts of people to crack hardware-based TPM for a whole variety of reasons. It may be used to prevent people from installing Linux on computers.. like MS did with the first Xbox's DRM stuff (although obviously it didn't use TPM). Software pirates will want to hack it and they have all sorts of money and sophisticated tools to reverse engineer hardware. Then you have professional hackers that will need to figure out ways around it to keep compromised machines hidden from those machines' administrators. And since it's a hardware-based item it's not like you're going to be able to download a patch to fix any flaws with it.
In computer security an ounce of prevention is worth 3 tons of cure...
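The measured-boot mechanism the post credits TPM with, as an added example that is not part of the post or of any TPM vendor's code: each boot stage is hashed into a PCR with a one-way extend before it runs, so a hypervisor slipped in under the kernel changes the final PCR even though nothing inside the guest OS was touched. The stage bytes, the rogue hypervisor stage and the SHA-256 extend rule are constructed stand-ins (a TPM 2.0 SHA-256 bank is assumed; TPM 1.2 uses SHA-1).

```python
import hashlib
from typing import Iterable, List, Tuple

# Constructed sample boot chain: (stage name, bytes the stage consists of).
# Real firmware measures the actual binaries; these are placeholders.
CLEAN_CHAIN = [
    ("firmware", b"vendor-firmware-v1"),
    ("bootloader", b"bootloader-image"),
    ("kernel", b"kernel-image-unmodified"),
]

# The same components with a hypervisor stage inserted beneath the kernel,
# modelling the VM-based rootkit scenario. The kernel bytes are unchanged.
SUBVERTED_CHAIN = CLEAN_CHAIN[:2] + [("hypervisor", b"rogue-vmm-image")] + CLEAN_CHAIN[2:]


def measure(data: bytes) -> bytes:
    """Digest of one boot stage, computed by the stage that loads it."""
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new = H(old || digest). One-way and order-dependent, so a
    component that runs later cannot rewind or forge earlier measurements."""
    return hashlib.sha256(pcr + digest).digest()


def boot_and_measure(chain: Iterable[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Simulate measured boot: extend the PCR with every stage, in boot order.
    Returns the final PCR and an event log of (stage, digest hex)."""
    pcr = bytes(32)  # PCR is all zeros at power-on
    log: List[Tuple[str, str]] = []
    for name, data in chain:
        digest = measure(data)
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def attest(chain: Iterable[Tuple[str, bytes]], golden_pcr: bytes) -> bool:
    """Verifier side: the reported PCR must equal the known-good value."""
    pcr, _ = boot_and_measure(chain)
    return pcr == golden_pcr


# Known-good value recorded from a trusted build of the clean chain.
GOLDEN_PCR, _ = boot_and_measure(CLEAN_CHAIN)

if __name__ == "__main__":
    print("clean boot attests:", attest(CLEAN_CHAIN, GOLDEN_PCR))          # True
    print("subverted boot attests:", attest(SUBVERTED_CHAIN, GOLDEN_PCR))  # False
```

The event log alone is not proof (the rootkit could rewrite it); it is the PCR value held in hardware that the verifier compares.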