Can you think of one trojan that's ever spread inside a device driver?
Uh yes. Tons of rootkits run kernel-mode code and hook into the kernel to hide themselves.
FU and Apropos spread inside of device drivers? Fascinating. Wait, no they don't. Huh. They're spread in adware like everything else.
By the way, tons of rootkits also run on library or application level and are also impossible to detect, given that it's polymorphic code (among other intelligent authoring choices like hiding from the task manager), not kernel mode, that masks a good trojan from detection.
As for the theory "they'll just pay a few hundred dollars and get their kernel-mode malware signed", I don't think it's borne out in practice. As far as I can tell, the only revocations they've had to do were with the ATi security hole and with Atsiv. Perhaps the fact that you need to provide proof of a business with a physical address to get a signing certificate is sufficient incentive to make malware authors stick to user-mode.
Right. The same criminals who manage to get fake ATM machines installed around Europe and sell human beings in Canada are really going to be stumped if they have to come up with a few hundred bucks and 'proof' of a physical business. You know the Russian mafia drives computer crime these days, right? We've known that for five years. Not that they'll have to... wait, this sounds familiar... aha!
Not that they'll have to, they'll stick to user-mode software.
The whole point is that user-mode rootkits are easier to detect than kernel-mode rootkits, and that the driver signing requirement has largely kept out kernel-mode malware. Do you have any evidence at all of the criminal malware-signing ring you claim is so inevitable?
And really, you're claiming that you can hide a user-mode rootkit just as well as a kernel-mode rootkit? The common opinion of security experts is that you can't (see here, here and here).
Some choice quotes:
Kernel mode rootkits involve system hooking or modification in kernel space. Kernel space is generally off-limits to standard authorized (or unauthorized) users. One must have the appropriate rights in order to view or modify kernel memory. The kernel is an ideal place for system hooking because it is at the lowest level and thus, is the most reliable and robust method of system hooking.
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
I assume you have some sort of paper or something to back your point up?
http://www.ecommercetimes.com/story/31679.html
RandomEngy on
Profile -> Signature Settings -> Hide signatures always. Then you don't have to read this worthless text anymore.
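The passage quoted in the post above describes a kernel-mode rootkit unlinking its own process from the kernel's active-process list so that Task Manager or Process Explorer, which walk that list, no longer show it. The standard defender's answer is cross-view detection: enumerate processes through two independent mechanisms and flag any PID that one view reports and the other does not. The following is an added example, written for this discussion rather than taken from the thread or the articles it links; all function names are its own, and the two concrete views it uses are Linux/POSIX-specific (the /proc listing that `ps` walks, and a kill(pid, 0) probe that asks the kernel about each PID directly), which is an assumption of the example rather than something the thread, which is about Windows, states. The comparison logic itself is view-agnostic, so on Windows the same diff could be fed by a snapshot-based process list versus a brute-force handle-open probe.

```python
"""Cross-view process detection (added example; not code from the thread or the
articles it links).

View A walks a list (the /proc directory), which is exactly what a list-unlinking
rootkit defeats. View B asks the kernel about every PID individually with
kill(pid, 0), which does not depend on that list. A PID present in B but absent
from A is the classic signature of a hidden process.

Edge case handled below: on Linux, kill(tid, 0) also succeeds for thread IDs, and
/proc/<tid> is reachable even though it is not listed by readdir, so a naive diff
reports every thread of every process as "hidden". The Tgid field of
/proc/<pid>/status distinguishes a thread of a visible process from a real
candidate.
"""
import os
from typing import Callable, Iterable, Optional, Set


def pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """View A: every numeric entry under /proc is a visible process."""
    try:
        return {int(n) for n in os.listdir(proc_root) if n.isdigit()}
    except OSError:
        return set()


def pids_from_signal_probe(max_pid: int) -> Set[int]:
    """View B: kill(pid, 0) delivers no signal but reports whether pid exists.
    ProcessLookupError (ESRCH) = no such process; PermissionError (EPERM) =
    exists but belongs to another user, which still counts as existing."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
        else:
            found.add(pid)
    return found


def thread_group_leader(pid: int, proc_root: str = "/proc") -> Optional[int]:
    """Tgid from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"{proc_root}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None


def suspicious_pids(list_view: Iterable[int], probe_view: Iterable[int],
                    tgid_fn: Callable[[int], Optional[int]] = lambda p: None) -> Set[int]:
    """PIDs the direct probe sees but the list walk does not, minus PIDs that are
    merely threads of a process the list walk *does* show."""
    listed = set(list_view)
    hidden: Set[int] = set()
    for pid in set(probe_view) - listed:
        leader = tgid_fn(pid)
        if leader is not None and leader != pid and leader in listed:
            continue  # a thread of a visible process, not a hidden process
        hidden.add(pid)
    return hidden


def stable_suspicious_pids(list_fn: Callable[[], Set[int]], probe_fn: Callable[[], Set[int]],
                           tgid_fn: Callable[[int], Optional[int]], rounds: int = 2) -> Set[int]:
    """Processes start and exit between snapshots, so one diff is noisy.
    Only report PIDs that stay probe-only across every round."""
    result: Optional[Set[int]] = None
    for _ in range(rounds):
        hidden = suspicious_pids(list_fn(), probe_fn(), tgid_fn)
        result = hidden if result is None else result & hidden
    return result or set()


def pid_max(default: int = 32768) -> int:
    """Upper bound for the brute-force probe, from the kernel if available."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


if __name__ == "__main__":
    # Constructed demo data: the list walk is missing PID 1337, which the probe still sees.
    walked = {1, 2, 100, 2500}
    probed = {1, 2, 100, 1337, 2500}
    print("constructed case, hidden:", suspicious_pids(walked, probed))

    # Live check on this host; an empty set is the expected result on a clean system.
    limit = min(pid_max(), 65536)  # cap the brute-force range to keep the run short
    live = stable_suspicious_pids(pids_from_proc, lambda: pids_from_signal_probe(limit),
                                  thread_group_leader)
    print("live check, hidden:", live)
```

The probe view is only as independent as the mechanism behind it: a kernel-mode rootkit that also hooks the signal path or /proc lookups can make both views agree, which is the point the thread's "harder to detect" side is making. Cross-view checks raise the bar for user-mode hiding and for simple list unlinking; they are not proof of a clean kernel.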
I assume you have, finally, even one example of a third party driver that's a vector for malware? You know, such drivers being the topic of conversation?
By the way, user level rootkits can mask themselves just as effectively from the task manager, and, again, it's polymorphic code that makes them hard to detect. Actually in most ways kernel level trojans are easier to detect (if you're aware of the symptoms) by BSODs from the massive instability they tend to introduce into operating systems.
I suggest that we've come to an obvious impasse: you consider the trade off of lost third party drivers to be worth whatever security improvement comes of driver signing, and I don't. If nothing else, it seems we agree on that much. And we've certainly managed to derail the thread sufficiently.
Take it easy,
Erik
Yeah, I'm sure organized crime has some ties to malware. What I asked you for was evidence that they are mass-forging certificates and using them to sign malware. Which is the only thing that's relevant. I did google "signed malware" and could only find 3 isolated examples which were all revoked quickly.
And yes, user-mode malware does have ways to mask itself. The whole point is that kernel-mode malware has more tools at its disposal and can do a better job. I've linked to multiple security experts who say as much. You've just been making vague references and waving your hands. And if it's well written it won't create the BSODs. But hey, I guess assuming malware writers don't know what they're doing is an effective enough defense?
Also, drivers being a vector for malware here is completely irrelevant. What is relevant is their ability to include the driver in their payload to get access to the kernel. Just because it isn't spread by device drivers doesn't mean there are no security gains from requiring kernel-mode drivers to be signed.
Anyway, I don't think you understand the tradeoff fully quite yet. If you better understand the other side maybe you can simply disagree with their decision rather than rage at them for taking away your precious device freedoms.
Sorry. I'm sure it's only still here because flame wars don't pull other people in on this sub-forum as much as they do in the majors. I'll cease and desist, as being disruptive is something I only try to do while being simultaneously helpful.
I know IPX is outdated and worthless, but the games relying on it are pretty fun. I guess I can just accept the situation that Mac users have put up with for years, which is that we'll just need to keep old computers around to run old stuff.
That said, it seems like there ought to be some way to wrap an IPX game in TCP/IP or something.
also SEMANTICS!!!
*Edit: actually, this isn't even my problem (though it will be when I build a new PC) it's just a friend had a Vista 64 machine and wanted to play some Diablo multi with me.
Erm, if you actually take a look in your own three links, they also say the 'vague hand waving' information that you don't like hearing from me. And I understand the issue just fine, I also just happen to know that the vast majority of malware, bad or not, is user-mode, and that kernel mode malware's only advantage against detection is against kernel-level malware detectors.
And why would organized crime have to mass forge certificates? You have the worst reading comprehension in the world. I specifically said they wouldn't have to, as the great majority of trojans are user-mode, but would be able to if they wanted to, as these things are hardly written by pimple-faced kids in the basement anymore.
Allowing custom drivers would be as easy as a scary warning when an installer is trying to insert unsigned kernel mode code.
Anyway, I don't think you understand the tradeoff fully quite yet.
That's cool. I think you're a generally misinformed idiot who's changed his arguments every third post or so, not that you had much choice in the matter. I said first, and maintain, that a user's system is a user's system, and they should be able to run anything they want on it.
Peace.
Except it's hand-waving by security experts.
And I changed my argument once, in light of new information, and was up front about it. Information that you weren't even able to find. You could stand to do the same thing instead of steadfastly denying the obvious despite all facts.
Also this is how the "crime" thing went:
You: It's super-easy to sign a piece of malware, they'd just do it so often it would offer no benefits at all.
Me: I have not seen any evidence of mass forged certificates for malware.
You: It's totally easy for them to mass forge certificates, organized crime has all these links to malware, they'd do it in a flash.
Me: But they haven't.
You: But organized crime wouldn't have to mass forge certificates, stupid!
You're backtracking from arguments and acting like you never made them at all. You try to reinforce this alternate reality by insulting me for responding to them.
You also keep on bringing up irrelevant arguments. Most malware is user-mode. Great. However my point wasn't that kernel-mode malware comprised the majority of malware, it was that it can be harder to detect and remove. And so preventing kernel-mode malware would be a good thing for security. You said it yourself "...and that kernel mode malware's only advantage against detection is against kernel-level malware detectors." Yeah, malware that's able to make itself completely undetectable, even from kernel-level malware detection, isn't anything to be concerned about?
Zxerol (Registered User, regular; signature: "for the smaller pieces, my shovel wouldn't do so i took off my boot and used my shoe")
edited August 2008
....... Yeah, so LoneIgadzra, if your friend doesn't want to backrev to XP or dual-boot, I'd say install a virtual machine (VirtualPC is free from your good friends at MS), slap XP on it, and be done with the business. Not entirely ideal, but fuck it, it'll work.
Most trojans also just run in user mode and hijack the registry on start-up. Is Microsoft going to revoke the certificate on visual basic because it's used to write so many trojans? I wonder. Can you think of one trojan that's ever spread inside a device driver?
Take a look. Guess I'm not the only one who came to the DRM conclusion. Given Microsoft's forays into digital delivery (MS's political stance in the last five years, too) this seems pretty sensible. Being the OS that's considered 'safe' for content delivery would do a lot for their desktop market share as digital movie/tv show/music delivery gets more popular.
Anyways, malware is big business, and even if it took several hundred dollars spent on a certificate to write it, the organized crime that backs Big Bad Malware would happily pay. They make millions off it. Not that they'll have to, they'll stick to user-mode software.
You: It's super-easy to sign a piece of malware, they'd just do it so often it would offer no benefits at all.
Me: I have not seen any evidence of mass forged certificates for malware.
You: It's totally easy for them to mass forge certificates, organized crime has all these links to malware, they'd do it in a flash.
Me: But they haven't.
You: But organized crime wouldn't have to mass forge certificates, stupid!
Yeah, what I wrote sounds a whole lot like your version. As much fun as it is to watch you make shit up I'd rather just let this thread die.
"Anyways, malware is big business, and even if it took several hundred dollars spent on a certificate to write it, the organized crime that backs Big Bad Malware would happily pay."
does sound a lot like
"It's totally easy for them to mass forge certificates, organized crime has all these links to malware, they'd do it in a flash."
What else were you trying to say? And if your answer is "it would force them to user-mode malware," that's exactly my point.
P.S. Feel free to let the thread die at any time.
I realize this thread has gone wildly off topic, but if the OP is still looking for an answer for his original problem I recommend VirtualBox. It is free and allows you to virtualize a machine inside your machine. So you could virtualize 2000 inside of Vista and put it on an IPX network (I assume; I have never done so myself).
Only downside with this plan is you need a copy of whatever OS you want to virtualize.
Microsoft Virtual PC 2007 is free. I would honestly recommend just running Tiny XP or 98SE in virtual. Since a lot of the old games were actually designed to run in 98SE.