Invisible Processes

Adahn

Vista should not make it possible for a process to stay invisible;

Either improve the Task Manager, fix the base process-enumeration APIs, or
drop any mention of "security" from the hype.
 
Zack Whittaker (R2 Mentor)

I totally agree with you - the one way I tell if a virus or malware is on a
system is to check in Task Manager. You can normally spot them because of
the way they act, low RAM usage but higher CPU usage and the name of the
process in general, and if the Task Manager continues to be the way it is
and hide processes, it'll be harder and harder to track things like viruses.

You see, OK Vista has Defender installed and running by default, but that
only picks up the lower-end-of-the-scale-malware, spyware and stuff. However
if you have an actual virus, there'll be no way of getting rid of it unless
you have an anti-virus installed... it just makes more sense to have
everything show up so I totally agree with you.

--
Zack Whittaker
Microsoft Beta (Windows Server R2 Beta Mentor)
» ZackNET Enterprises: www.zacknet.co.uk
» MSBlog on ResDev: http://msblog.resdev.net
» ZackNET Forum: www.zacknet.co.uk/forum
» VistaBase: www.zacknet.co.uk/vistabase
» This mailing is provided "as is" with no warranties, and confers no
rights. All opinions expressed are those of myself unless stated so, and not
of my employer, best friend, mother or cat. Let's be clear on that one!


 
Guest

"You can normally spot them because of the way they act, low RAM usage but
higher CPU usage and the name of the process in general, and if the Task
Manager continues to be the way it is and hide processes, it'll be harder
and harder to track things like viruses."

So much for Vista being "security"...
 
Soumik Sarkar

I am not sure what you mean. If you are talking about the ability of
malware to infect the kernel to hide itself, then 64-bit XP and Vista have
what is called PatchGuard. This prevents malware (actually anybody for
that matter) from hooking any of the kernel tables like SSDT and IDT and
also the in-memory image of the kernel. This will make it very hard for
malware to hide itself.

Soumik.
 
Adahn

Thanks Zack, help get this issue out to MS will you, here's the details;


I never paid much thought to "root-kits" and the like until I decided to try
Maple Story (www.mapleglobal.com) under build 5270, as it had previously
resulted in BSODs and worse under 5219.

Now, during installation or the first-run, Windows Defender reports a new
service: \system32\npptNT2.sys

even if you elect to Block it, once the game runs you can find no traces of
it in any system monitoring tool...


Now this raises several issues;

1: It's all good that the Defender picked it up, but shouldn't it be handled
at the core/kernel level, to make it impossible for a process to stay
invisible?

2: If we're too aggressive in blocking such behavior, it'll obviously break
the program and prevent it from running at all, of course, but with all that
talk of Virtualisation and whatnot in Vista, shouldn't the OS be able to
just "lie" and assure the process that it has been hidden?

3: As an online game that uses live cash transactions, Maple Story has every
right to prevent hacking in any ways that it can, but what's to keep
malicious apps, or even Microsoft themselves for that matter, to inject
invisible processes into your system?

4: If, as others have mentioned on these forums, third-party tools are able
to detect and report invisible apps, why not Task Manager itself?
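Point 4 above is the observation that drives most practical hidden-process detection: a component that wants to stay invisible has to intercept every enumeration path, so pulling the same inventory through several independent paths and diffing them surfaces anything one path reports and another does not. The PowerShell script below is an added example and is not code from this thread or from any of its posters; it assumes a Windows host with PowerShell 5.1 or later, uses only standard cmdlets and tools (Get-Process, Get-CimInstance, tasklist, driverquery), and takes the driver name npptNT2 from the post above purely as the name to look up.

```powershell
# Added example: cross-view enumeration of processes and kernel drivers.
# Three process views and two driver views are collected independently and
# compared; anything missing from a view is reported with the view's name.

function Get-ProcessViews {
    # View 1: Get-Process (System.Diagnostics.Process enumeration)
    $ps  = @(Get-Process | ForEach-Object { [int]$_.Id })
    # View 2: the CIM/WMI Win32_Process provider
    $cim = @(Get-CimInstance -ClassName Win32_Process | ForEach-Object { [int]$_.ProcessId })
    # View 3: tasklist.exe CSV output (columns: image, PID, session name, session #, memory)
    $tl  = @(tasklist /FO CSV /NH |
             ConvertFrom-Csv -Header Image,PID,Session,SessionNum,Mem |
             ForEach-Object { [int]$_.PID })
    @{ GetProcess = $ps; CIM = $cim; Tasklist = $tl }
}

function Get-DriverViews {
    # View 1: CIM Win32_SystemDriver (the service control manager's driver list)
    $cim = @(Get-CimInstance -ClassName Win32_SystemDriver |
             ForEach-Object { $_.Name.ToLowerInvariant() })
    # View 2: driverquery.exe CSV output (columns: module, display name, type, link date)
    $dq  = @(driverquery /FO CSV /NH |
             ConvertFrom-Csv -Header Module,Display,Type,LinkDate |
             ForEach-Object { $_.Module.ToLowerInvariant() })
    @{ CIM = $cim; DriverQuery = $dq }
}

function Compare-Views {
    # Emits one record per item that is absent from at least one of the views.
    param([Parameter(Mandatory)][hashtable]$Views)
    $all = $Views.Values | ForEach-Object { $_ } | Sort-Object -Unique
    foreach ($item in $all) {
        $missing = @($Views.Keys | Where-Object { $Views[$_] -notcontains $item })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{ Item = $item; MissingFrom = ($missing -join ', ') }
        }
    }
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several spellings; normalise to a file path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''              # strip the NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # "\SystemRoot\..." form
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # "system32\drivers\x.sys" form
    return $p
}

function Test-DriverOnDisk {
    # Reports whether the SCM knows a driver by this name and whether its image file exists.
    param([Parameter(Mandatory)][string]$Name)
    $drv = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.Name -ieq $Name }
    if (-not $drv) {
        return [pscustomobject]@{ Name = $Name; Registered = $false; State = $null; Path = $null; OnDisk = $null }
    }
    $path = Resolve-DriverPath -PathName $drv.PathName
    [pscustomobject]@{
        Name       = $drv.Name
        Registered = $true
        State      = $drv.State
        Path       = $path
        OnDisk     = [bool]($path -and (Test-Path -LiteralPath $path))
    }
}

# Two rounds a second apart: a PID missing in only one round is a process that
# started or exited between snapshots, which is the normal race, not hiding.
$first  = @(Compare-Views -Views (Get-ProcessViews))
Start-Sleep -Seconds 1
$second = @(Compare-Views -Views (Get-ProcessViews))
$persistent = $first | Where-Object { $second.Item -contains $_.Item }

"Processes absent from some view in both rounds:"
$persistent | Format-Table -AutoSize

"Drivers absent from some view:"
Compare-Views -Views (Get-DriverViews) | Format-Table -AutoSize

"Driver named in the thread (name taken from the post above):"
Test-DriverOnDisk -Name 'npptNT2' | Format-List
```

The process views are genuinely independent front ends (a .NET enumeration, the WMI provider, and a console tool), so a persistent disagreement between them is worth investigating; the two driver views both ultimately ask the service control manager, so they can only disagree on presentation, and a driver loaded outside the SCM will be missing from both. None of this needs administrator rights for names and IDs, but a hider that sits below every user-mode path, which is what the PatchGuard discussion in this thread is about, will by construction look consistent to all of them; in that case the comparison has to be made against a view taken from outside the running system.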
 
Alun Jones

"Howard" said:
I just want to add that rootkits cannot be installed on x64 systems.

Never mistake "has not" for "cannot".

As pointed out by Microsoft Research in their "Virtual Rootkit" paper (my take
is at http://msmvps.com/blogs/alunj/archive/2006/03/14/86313.aspx), you can
always insert a rootkit between the BIOS and the OS. Since any non-quantum
computer can be emulated by any other non-quantum computer to any degree of
accuracy, there is always a way to do this, as long as you can get the darn
thing past the requirement of needing administrative access.

Sadly, buying an x64 processor doesn't get rid of the most frequent cause of
inadvertent running-as-admin, also known as Layer 8 of the OSI stack. Yes,
while your processor may have doubled in bits, the person running it is still
the same two-bit hack he's always been, and will gladly give up his
administrator password in return for a chance at a glimpse of the dancing
pigs.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
 
Howard

http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx

Alun Jones said:
"Howard" said:
I just want to add that rootkits cannot be installed on x64 systems.

Never mistake "has not" for "cannot".

As pointed out by Microsoft Research in their "Virtual Rootkit" paper (my
take is at http://msmvps.com/blogs/alunj/archive/2006/03/14/86313.aspx), you
can always insert a rootkit between the BIOS and the OS. Since any
non-quantum computer can be emulated by any other non-quantum computer to
any degree of accuracy, there is always a way to do this, as long as you can
get the darn thing past the requirement of needing administrative access.

Sadly, buying an x64 processor doesn't get rid of the most frequent cause of
inadvertent running-as-admin, also known as Layer 8 of the OSI stack. Yes,
while your processor may have doubled in bits, the person running it is
still the same two-bit hack he's always been, and will gladly give up his
administrator password in return for a chance at a glimpse of the dancing
pigs.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | (e-mail address removed).
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
 
Adahn

while your processor may have doubled in bits, the person running it is
still the same two-bit hack he's always been, and will gladly give up his
administrator password in return for a chance at a glimpse of the dancing
pigs.

LOL?!??
 
Guest

Wonderful. How about we all post a random link to some page at Microsoft -
or are you suggesting that this page either supports or debunks my
statements? If that's what you intended, perhaps you can give some
explanation?

Alun.
~~~~

Howard said:
http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx

Alun Jones said:
"Howard" said:
I just want to add that rootkits cannot be installed on x64 systems.

Never mistake "has not" for "cannot".

As pointed out by Microsoft Research in their "Virtual Rootkit" paper (my
take is at http://msmvps.com/blogs/alunj/archive/2006/03/14/86313.aspx), you
can always insert a rootkit between the BIOS and the OS. Since any
non-quantum computer can be emulated by any other non-quantum computer to
any degree of accuracy, there is always a way to do this, as long as you can
get the darn thing past the requirement of needing administrative access.

Sadly, buying an x64 processor doesn't get rid of the most frequent cause of
inadvertent running-as-admin, also known as Layer 8 of the OSI stack. Yes,
while your processor may have doubled in bits, the person running it is
still the same two-bit hack he's always been, and will gladly give up his
administrator password in return for a chance at a glimpse of the dancing
pigs.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | (e-mail address removed).
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
 
Howard

Ok. I should have been more careful not to use that word. I agree no system
is 100% secure.
From what I understand most rootkits are patches to the kernel. Disabling
that feature in x64 operating systems makes them more secure and less
vulnerable to existing malware.

Just curious, how are quantum computers different? They are still designed
by humans and prone to have mistakes.

Howard

Alun Jones said:
Wonderful. How about we all post a random link to some page at
Microsoft - or are you suggesting that this page either supports or debunks
my statements? If that's what you intended, perhaps you can give some
explanation?

Alun.
~~~~

Howard said:
http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx

Alun Jones said:
I just want to add that rootkits cannot be installed on x64 systems.

Never mistake "has not" for "cannot".

As pointed out by Microsoft Research in their "Virtual Rootkit" paper (my
take is at http://msmvps.com/blogs/alunj/archive/2006/03/14/86313.aspx), you
can always insert a rootkit between the BIOS and the OS. Since any
non-quantum computer can be emulated by any other non-quantum computer to
any degree of accuracy, there is always a way to do this, as long as you can
get the darn thing past the requirement of needing administrative access.

Sadly, buying an x64 processor doesn't get rid of the most frequent cause of
inadvertent running-as-admin, also known as Layer 8 of the OSI stack. Yes,
while your processor may have doubled in bits, the person running it is
still the same two-bit hack he's always been, and will gladly give up his
administrator password in return for a chance at a glimpse of the dancing
pigs.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | (e-mail address removed).
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
 
Adahn

Just curious, how are quantum computers different? They are still designed
by humans and prone to have mistakes.

and they tend to come up with "42" as the answer to most stuff, for some
strange reason
 
Pierre Szwarc

But, they come up with the answer even when they're not turned on... (sorry,
I can't locate the link, but it's *not* a joke)
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"Adahn" <administrator@localhost> wrote in message %[email protected]...
| > Just curious, how are quantum computers different? They are still
| > designed by humans and prone to have mistakes.
|
| and they tend to come up with "42" as the answer to most stuff, for some
| strange reason
|
 
Zack Whittaker (R2 Mentor)

LOL - it's because in the book "The Hitchhiker's Guide to the Universe"...
long story short, these guys on a separate planet wanted to know "the answer
to life, the universe and everything". However, the computer took a few
million years to work it out...

"You're not going to like it... there wasn't much to go on, but the answer
I've come up with... is 42."

Also to prove the point, Google has this also:
http://www.google.co.uk/search?hl=en&q=the+answer+to+life,+the+universe+and+everything&meta=

--
Zack Whittaker
» ZackNET Enterprises: www.zacknet.co.uk
» MSBlog on ResDev: www.msblog.org
» Vista Knowledge Base: www.vistabase.co.uk
» This mailing is provided "as is" with no warranties, and confers no
rights.
All opinions expressed are those of myself unless stated so, and not of my
employer, best friend, Gandhi, my mother or my cat. Glad we cleared that up!


 
Pierre Szwarc

Thanks for all the fish, but I did spot the reference <g> However, the fact
that an Italian team did manage to get results out of a quantum computer
that wasn't turned on remains... I even remember the remark from one of the
researchers, "you get fewer mistakes from a computer that's not running"
<lol>
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"Zack Whittaker (R2 Mentor)" <[email protected]> wrote in message
news: (e-mail address removed)...
| LOL - it's because in the book "The Hitchhiker's Guide to the Universe"...
| long story short, these guys on a separate planet wanted to know "the
| answer to life, the universe and everything". However, the computer took a
| few million years to work it out...
|
| "You're not going to like it... there wasn't much to go on, but the answer
| I've come up with... is 42."
|
| Also to prove the point, Google has this also:
| http://www.google.co.uk/search?hl=en&q=the+answer+to+life,+the+universe+and+everything&meta=
|
 
Adahn

Thanks for all the fish said:
fact that an Italian team did manage to get results out of a quantum
computer that wasn't turned on remains... I even remember the remark from
one of the researchers, "you get fewer mistakes from a computer that's not
running" <lol>

Good.. first invisible processes now undead computers

just adopt some stylized pentagram in place of the Windows Flag and we can
have the sequel to Fear.com
 
