If you've visited Microsoft's home page recently, you probably noticed that Microsoft is now offering an antispyware tool--Microsoft Windows AntiSpyware (Beta). Microsoft acquired the antispyware tool when the company bought the tool's creator, a small software firm ironically named GIANT Company Software (and I thought I was being arrogant registering bigfirm.com a while back). I stumbled across the tool a few months ago and tried GIANT's 14-day trial. I was impressed because it went beyond the usual "Oh my gosh, we found 4000 cookies on your system!" scare tactics and offered intelligent advice about the spyware and adware it found on my system. After the trial period ended, I was ready to pay for the program, but Microsoft bought GIANT and is now offering the antispyware tool free. (At least, for now; Mike Nash, Microsoft corporate vice president of the Security Business & Technology Unit, cautioned that the tool might not stay free. That's another discussion, though.) You can download the tool at http://www.microsoft.com/athome/security/spyware/software/default.mspx.
So far, Microsoft hasn't messed with the functionality that GIANT built into the tool, and I hope it stays that way. But I have a few thoughts about how to make the GIANT product a behemoth. First and foremost, Microsoft's spyware strategy desperately needs a CD-ROM-based, bootable tool. Years ago, I attended a Microsoft security briefing at which a speaker talked about "root kits," something that sounded scary but unlikely to be a threat back then. But that threat has become all too possible now, according to my colleague Mark Russinovich. (Mark tells me do-it-yourself software hacker tools are available that make creating these root kits virtually a point-and-click matter.)
A root kit is a Trojan horse program that sits silently on your computer and does pretty much whatever it wants. Recall that Trojan horses can be programs that launch Distributed Denial of Service (DDoS) attacks, such as the widespread Mydoom virus. Other Trojan horses might be keystroke loggers--programs that record every key you press, including passwords--and ship them over the Internet to a malicious user who seeks to steal your identity and assets. You can find Trojans running on your system in several places: They might show up as a service, as a running program in the Windows Task Manager list, or as an entry in your registry's Run keys. A run-of-the-mill antivirus program can find and eliminate such Trojans.
Root kits are dangerous because they can "stealth" themselves. They modify the basic, low-level parts of the OS, instructing Windows to keep them off its lists of running services and processes and to not display them in the registry. And a simple hard-disk scan won't detect the program files. Because antivirus and antispyware programs must rely on the OS to find running programs, they're powerless to find root kits, much less eliminate them.
Imagine how devastating the effects of a root kit attack could be. What if someone has already built a root kit that spreads quietly and calls no attention to itself--one that waits until some date, such as December 25, 2006, then activates and erases hard disks? How do you defend against this type of attack? You could, I suppose, run a network sniffer such as Ethereal or Microsoft Network Monitor and examine network traces for unexpected network activity, but the volume of traffic on a network segment would make that a Herculean task. No, the way to attack root kits is to exploit the way they modify the OS to hide themselves--or, at least, the way they modify the copy of the OS on the hard disk.
What if you could boot a simple OS from a CD-ROM or a USB storage device such as a USB thumb drive? The OS simply needs to be able to contact the Internet to get the latest pattern files and to read and write FAT, FAT32, and NTFS drives so that it can scrub the infected files. Our old DOS systems were vulnerable to stealth viruses, but we could deal with these attacks. We could cold-boot our systems from a write-protected, bootable floppy disk that contained a virus-scanning program. Microsoft has a bootable version of its OS called Microsoft Windows Preinstallation Environment (Windows PE); why not combine it with its new antispyware tool and make a really groundbreaking tool? Of course, if Windows is too big to fit on a CD-ROM or a USB drive, I suppose Linux is always an option ...
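The "attack the way they hide" idea above can be made concrete as a cross-view comparison: list the same objects once through the possibly hooked Windows API and once through an independent path (the NTFS volume read from a boot CD, or the kernel's own structures walked directly), and treat anything only the independent path sees as hidden. This is an added illustration, not code from the article or from Microsoft's tool; the two listings, the file and Run-key names and the helper names are constructed for the example.

```python
"""Cross-view comparison: surface objects a rootkit hides from the OS.
Added example, not code from the article or Microsoft's tool; both listings
are constructed. API_VIEW is what the (possibly hooked) Windows API reports,
RAW_VIEW is what an independent path sees (the NTFS volume read from a boot CD,
or the kernel's own structures walked directly)."""
from typing import Dict, Iterable, List, Tuple

RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: the rootkit filtered its own file, process and Run value
# out of the API view; the independent view still shows them.
API_VIEW = {
    "files": [r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\kernel32.dll"],
    "processes": ["svchost.exe", "explorer.exe"],
    "run_keys": [RUN + r"\ctfmon"],
}
RAW_VIEW = {
    "files": [r"c:\windows\system32\SVCHOST.EXE", r"C:\WINDOWS\system32\kernel32.dll",
              r"C:\WINDOWS\system32\drivers\hidden.sys"],
    "processes": ["svchost.exe", "explorer.exe", "hidden.exe"],
    "run_keys": [RUN + r"\ctfmon", RUN + r"\hidden"],
}

def normalize(name: str) -> str:
    """Windows names are case-insensitive; compare them that way."""
    return name.strip().rstrip("\\").lower()

def cross_view_diff(api_view: Dict[str, Iterable[str]],
                    raw_view: Dict[str, Iterable[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Per category: 'hidden' = seen only by the independent view (the rootkit
    signature); 'phantom' = reported only by the API (a hook fabricating entries,
    or just a stale snapshot). Either mismatch deserves a look."""
    report = {}
    for category in sorted(set(api_view) | set(raw_view)):
        api = {normalize(x): x for x in api_view.get(category, [])}
        raw = {normalize(x): x for x in raw_view.get(category, [])}
        report[category] = {
            "hidden": sorted(raw[k] for k in raw.keys() - api.keys()),
            "phantom": sorted(api[k] for k in api.keys() - raw.keys()),
        }
    return report

def suspicious(report: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Flatten the hidden entries to (category, item) pairs for reporting."""
    return [(c, item) for c, d in report.items() for item in d["hidden"]]

if __name__ == "__main__":
    for cat, item in suspicious(cross_view_diff(API_VIEW, RAW_VIEW)):
        print(f"{cat}: hidden from the API view -> {item}")
```

On a real machine the two listings would come from the live API and from the offline volume mounted under the boot CD's OS; a mismatch is the signal, and the offline copy is where the cleanup happens.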
I am assuming that when you discuss the possibility of a DDoS attack, you are assuming that large numbers of computers have these Trojan Horses installed via Root tool kits and will all select the same target at the same time? How will they coordinate? They don't call it distributed for nothing. How will all the routers, servers, and PCs all attack a select target?
Anonymous User January 27, 2005
Hello,
No problem at all to create a bootable Windows XP with all the tools you like with Bart's Builder PE in a breeze ;) JacK
Anonymous User January 28, 2005
Coordination could be as simple as having a list of targets and setting the attacks to occur at a predetermined time (after your malware has a chance to propagate).
Anonymous User February 02, 2005
Certain types of trojans connect to IRC channels and receive instructions to carry out DDoS attacks. This is how many DDoS attacks are coordinated.
Anonymous User February 23, 2005
As far as a bootable CD, I think Knoppix rocks. Combine it with Bitdefender or a similar Linux antivirus, update the virus definitions, and you have a great way of scanning PCs from a bootable CD. The only drawback is that Knoppix can only read NTFS partitions, so it can't delete any files.
stewconsult February 23, 2005
Try rootkit revealer from sysinternals: http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
Anonymous User February 24, 2005
Better than BartPE is the Ultimate Boot CD for Windows: http://www.ubcd4win.com/ UBCD4Win is based on BartPE, but includes a virus scanner that can update itself from the Internet, Ad-Aware, and other tools.
Anonymous User February 24, 2005
BartPE was the originator in adding plugins such as virus, spyware, web browsers...etc. BartPE is amazing.
Anonymous User March 02, 2005