Blog

  • Windows Vista’s Built-in Rootkit

    Windows Vista has an especially annoying implementation of file permissions. As I’ve ranted on before, Administrator accounts within Vista aren’t really like the “root” accounts of *nix systems. The main difference lies with the fact that Administrators in Vista do not have outright permissions to access all files on the hard drive.**

    This poor implementation of the permissions structure can be exploited by malware to make files that are undetectable to Anti-Virus products. Let’s go through the following demo to show you just how this works:

[Screenshot: virus0.jpg]

    First off, I downloaded the eicar malware test file from here. It’s a file that’s detected by pretty much all anti-virus products out there.

[Screenshot: virus2.jpg]

I then ran the free version of AVG. AVG detected, and removed, the suspicious piece of malware. This is what’s supposed to happen. Now let’s bring in the Windows Vista Rootkit Deluxe, a.k.a. Windows permissions.

This time I created a new account in Windows Vista, with user-level permissions. While the account type I chose is largely irrelevant, it does highlight that programs don’t need to run with admin-level permissions to make this rootkit work. And new accounts can be created with ease in Vista when you start from an administrator account, which nearly all Vista home users do. A program only has to run a script with the command:

    net user testaccnt /ADD

Now, running as the user testaccnt, I downloaded the eicar file again, only this time I used the file’s permissions to deny access to every account but my own. This included denying access to the main Administrator account.

[Screenshot: virus4.jpg]

And what happened? Because every account except the dummy one had been denied read/write access to the file, when I ran AVG as any account but that dummy account, it didn’t detect the viral file.

[Screenshot: virus5.jpg]

Admins can’t delete the file manually through Explorer either (below, left). That dummy account, however, can (below, right). In fact, the easiest way for admins to delete the file is to use the CLI tool cacls and re-assign the file’s permissions to match those of other “normal” files. The admin can then use the del command or Explorer to rid themselves of the file.

[Screenshots: virus6.jpg (left), virus8.jpg (right)]

There you have it folks: a program can create a dummy account and use it, together with Windows permissions, to hide itself from anti-malware products. For all intents and purposes, that’s a rootkit, included with every copy of Windows Vista out there. Because this is all permissions-related, I have a sneaking suspicion that anti-rootkit software won’t pick this up either.

    AVG’s Anti-Virus program has been confirmed, via this demo, to be susceptible to this kind of trickery. I have not tested the susceptibility of other anti-malware products.
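As an added example that is not from the original post, the following PowerShell script audits a directory tree for the exact pattern described above: files whose DACL carries an explicit Deny entry against Administrators or SYSTEM, or whose ACL an administrator cannot even read (which is what an explicit full-control Deny produces). Assumptions: PowerShell 2.0 or later, a scan root of C:\Users, and the built-in takeown.exe and icacls.exe (the latter replaced cacls on Vista) for the optional cleanup.

```powershell
# Added example, not from the original post. Run from an elevated administrator prompt.
param(
    [string]$Path = 'C:\Users',   # assumed scan root; adjust as needed
    [switch]$Fix                  # when set, take ownership and reset each hit's ACL
)

# Identities a defender expects to always retain read access to user files.
$protected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Find-DenyAdminFiles {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            try {
                $acl = Get-Acl -Path $file.FullName -ErrorAction Stop
            } catch {
                # A Deny covering READ_CONTROL hides even the ACL from an admin;
                # an administrator being unable to read a user file's ACL is itself the tell.
                New-Object PSObject -Property @{
                    Path = $file.FullName; Owner = '(unreadable)'
                    Denied = 'ACL unreadable: ' + $_.Exception.Message }
                return
            }
            # Normal user files inherit Allow entries; explicit Deny entries against
            # Administrators or SYSTEM are what the dummy-account trick leaves behind.
            $suspect = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and
                $protected -contains $_.IdentityReference.Value }
            if ($suspect) {
                New-Object PSObject -Property @{
                    Path = $file.FullName; Owner = $acl.Owner
                    Denied = ($suspect | ForEach-Object {
                        "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; ' }
            }
        }
}

$hits = @(Find-DenyAdminFiles -Root $Path)
$hits | Format-Table Path, Owner, Denied -AutoSize

if ($Fix) {
    foreach ($hit in $hits) {
        # Admins keep SeTakeOwnershipPrivilege even when denied on the file, so take
        # ownership first, then reset the DACL to inherited defaults so AV and Explorer work.
        & takeown.exe /F $hit.Path | Out-Null
        & icacls.exe $hit.Path /reset | Out-Null
    }
}
```

Once the ACL is reset, the file can be rescanned by the anti-virus product or deleted with del, as the post describes.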

**jabzor points out: ‘System’ vs ‘Admin’; users run as admin or less, while services and especially AV will run as ‘nt authority\system’ or ‘nt authority\networkservice’ unless they specify a custom account. Administrators can change the permissions to any file they want with ‘cacls’, a handy built-in CLI tool I use all the time, similar to chmod for Windows but more powerful.

    Greetz: DanielG (pointed me to Eicar), jabzor, Murd0c, droops, slick0, StankDawg, RightCoast, BinRev, GameRadio (C4 & Kobar).

  • The No-Win situation of Modern Internet Piracy

First of all, I’d like to clarify that as it pertains to this argument, I refer to piracy as the notion of listening to, watching or installing content without compensating those who developed the work.

What I’d like to introduce to this argument is the idea of “access.” Today, we have a situation whereby people have much more access than their financial means permit. This in turn means that people are exposed to much more art, much more entertainment, and much more creative software than would otherwise be possible.

Therein lies the flaw of the current anti-piracy pursuits. Either the industry is expecting people to reduce their access – expose themselves to less music, avoid using creative software – or it is expecting people to pay more. Both of these are inherently unrealistic goals.

And so it seems like the only reasonable expectation is more access for the same amount of money. Now with music, you might explain this away as a redistribution of funds. The same amount of money goes in, but what changes is how many people get it. In doing so, however, you are devaluing the worth of these items.

    To make the point more clear: think of Adobe Premiere. This is a very expensive piece of software, for which there is no decent free/cheap alternative. What this means is that if people don’t have it, or some equivalent, then they can’t do video editing. It’s simply outside their means. However, if you expect them to sell it for less, then you’re hurting Adobe’s bottom line. It will hinder their ability to produce future software, just as illicitly downloading music would hurt a band’s ability to make more music.

For Adobe, that $1000 price point represents maximum profitability. Though more people would purchase it if it were $59, those numbers would still represent less profit than the $1000 mark. The reason, of course, is that all these professional companies can afford to pay the $1000, and that offsets the gains from appealing to the interests of students and the general populace. A hit to that bottom line, however, will ultimately hurt Adobe and thus the economy.

So no matter what happens, it’s a lose-lose situation. As it stands, the war on piracy is the industry trying to cut off that access to match what it was in the pre-filesharing days. Cut off kids from listening to Led Zeppelin for the first time; and cut off amateurs from dipping their toes in the world of computer-aided creativity. It’s too easy to say that those companies “should adapt to the Internet age”, because if you’re going that route, then you’re excusing this economically harmful activity.

    There is no easy way out. More access for less money is not a reasonable expectation. If you go that route, you hurt the economy – and thus culture. If you don’t go that route, you’re cutting off access – and thus culture.

It should be noted that this question of access is somewhat of an unfair conundrum to hand down to the industry – for without the prevalence of this kind of piracy, it wouldn’t exist at all. The question now becomes whether it should be ignored entirely, now that it is here. Does that even matter, given the irrelevance of this kind of argument in the face of those who reduced spending due to piracy?

    Thus concludes the ramblings of a disgruntled student.

  • Warner Bros. cancels screenings in Canada

    TORONTO (Hollywood Reporter) – In a pre-emptive strike against movie piracy originating from Canada, Warner Bros. Pictures said Monday it will cancel preview screenings of its movies north of the border.

    Frustrated with unauthorized camcording of its new releases in Canadian cinemas, the studio said it will immediately halt all “promotional and word-of-mouth screenings” of upcoming releases.

    Source. While drastic, let’s see who is hurt by this:

    Canadian Movie Critics: They don’t get to preview films in advance, in order to release reviews in time for the movie’s actual theatrical release.

Film’s Financial Interests: In this I include the cast, the director, the crew, etc. Simply said: films with no [positive] reviews make less money than films with positive reviews. They are in essence being used as pawns to arm-twist the Canadian government into enacting legislation it allegedly already has.

    Consumer: Well, they don’t get reviews from the papers. At which point some will turn to the Internet. So there’s little consumer collateral, but the message sent is clear: enact legislation.

    It’s a drastic move. Do I think it will work? To enact legislation: yes. To curb camcording in Canada: no. Nevertheless, if it’s already illegal, I don’t see anything wrong with making it illegal again. After all, what is there to lose by enacting such legislation?

    I will, however, raise hell if they try to push through a DMCA equivalent along with this anti-camcording bill.

I’m sure the directors will appreciate their films being sacrificed as tools to arm-twist the government into enacting [arguably] ineffective legislation.

  • Free Speech?

    It’s interesting how the digital world forces questions time and time again of what constitutes free speech. Take the following:

    02 F9 1C 02 9D 75 E3 52 D7 41 56 C5 63 56 88 C0

    Suffice to say that that string of text has sparked take-down notices across the Internet. Threats of lawsuits are everywhere over this, and yet, it isn’t hate speech. It isn’t the reproduction of a copyrighted work. It’s not even really a trade secret. It is, however, an important piece of the puzzle in decrypting the new high-definition DVD discs. There’s one of these strings in every high-def player out there, but no one is supposed to be able to identify it, much less publicly disclose it.

    What do you think? Should it be permissible to utter that string on the Internet? Does it have to do with context?

  • Beautiful lecture on Journalism

    June Callwood was one of the great Canadians of the twentieth century. She passed away April 14th, 2007. She was a journalist by trade, and a wonderful donor of her time, having co-founded over 50 organizations dedicated to helping those in need.  In 2002, she gave a lecture on journalism and ethics, and I very much recommend that you give it a listen.

    It applies not just to journalists, but anyone who reads papers, and writes their own ideas to share to people. You can listen to it here:

    http://podcast.cbc.ca/mp3/ideas_20070423_2085.mp3