cio.com — Security researchers have discovered a new type of rootkit they believe will greatly increase the difficulty of detecting and removing malicious code. Other factors that help make Rustock invisible are that it has no process, instead running inside the driver and in kernel threads. It doesn’t hook into any native API, and controls kernel functions.
Jul 15, 2006
yourtechsupport, Jul 15, 2006
They could make one, but it would be part of a subscription service. "Windows Colon Cleanser".
Closed Account, Jul 15, 2006
I'll say it just one more time... The reason this works is because Windows, since the beginning of time, has allowed ring zero access to any application that wants it. Microsoft has got to know full well that this is the most serious security hole that there can possibly be (because you learn that kind of thing in any operating system class worth its weight--don't tell me no one at Microsoft understands this)--and they've not done a damn thing in all these years to fix it.
terc, Jul 15, 2006
@BillDoE Wow, someone that can handle someone disagreeing with them (even if apparently this was completely unfounded, just some clarification). BillDoE added to friends.
morningcoder, Jul 15, 2006
After noticing some suspicious network traffic initiated by some Windows Explorer extension in my firewall log, I have rebuilt my whole machine and removed my wife's account from the admin group. Now every other day she will complain that a program that used to work is now broken, and I have to spend half an hour or so with Regmon and Filemon from Mark Russinovich (sysinternals.com) to manually find out what registry keys and files/directories her programs need access to and grant her account rights to access them. If one more thing breaks, I'm installing Linux on her machine.
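One way to apply the fix morningcoder describes without putting the account back in Administrators, as an added example that is not part of the thread: grant the standard user account rights only on the specific folder and registry key the program needs. The user name, folder and registry key below are placeholder assumptions; the real ones come from what Regmon/Filemon show being denied.

```powershell
# Added example: least-privilege remediation for a legacy app that breaks
# when run from a non-admin account. Grants Modify on one folder and
# write rights on one registry key to a single user, nothing more.
# All three values are placeholders (assumed), not from the thread.
function Grant-LeastPrivilegeAccess {
    param(
        [string]$User   = "$env:COMPUTERNAME\wife",            # assumed account
        [string]$Folder = 'C:\Program Files\LegacyApp\Data',   # assumed path
        [string]$RegKey = 'HKLM:\SOFTWARE\LegacyApp'           # assumed key
    )

    # Filesystem: Modify (read/write/delete inside the tree), inherited by
    # subfolders and files; deliberately not FullControl.
    $acl  = Get-Acl -Path $Folder
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $User, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl

    # Registry: enough to read the key and write values/subkeys under it;
    # again not FullControl, so the user cannot change the key's own ACL.
    $racl  = Get-Acl -Path $RegKey
    $rrule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $User, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow'
    $racl.AddAccessRule($rrule)
    Set-Acl -Path $RegKey -AclObject $racl

    # Show exactly what the user ended up with, so the grant can be reviewed.
    foreach ($p in @($Folder, $RegKey)) {
        (Get-Acl -Path $p).Access |
            Where-Object { $_.IdentityReference.Value -eq $User } |
            Select-Object @{n='Path';e={$p}}, IdentityReference,
                          FileSystemRights, RegistryRights, InheritanceFlags
    }
}

# Run from an elevated prompt; the output lists the two grants just made.
Grant-LeastPrivilegeAccess
```

Running the program again under the standard account while Filemon/Regmon are watching confirms whether these two grants were all it needed, or whether another denied path still has to be added.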
monsieurevil, Jul 16, 2006
Who in the mainstream OS world doesn't allow ring 0 access to system? Multics, Linux, UNIX, Windows - all do...
Closed Account, Jul 17, 2006
"According to researchers, other factors that help make Rustock invisible are that it has no process, instead running inside the driver and in kernel threads. It doesn’t hook into any native API, and controls kernel functions via special IRP functions." If an OS gives that much power to an ordinary end user, then the basic design is seriously flawed (as if we didn't know this before). The very fact that most Windows users run with admin rights only compounds this problem. Access control was something Microsoft didn't really "get" (just like they didn't really get TCP/IP networking - remember Winsock on Win3.1/95 and the other kludges), and it was non-existent during the Windows 3.x, 95, 98 days. What we have now, as a result, is a hodgepodge of access control mess compounded by a huge number of applications which require all sorts of access permission changes, so the user gets sick of it and runs as admin.