Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 3. Windows Technologies

3.2 New Windows Versions

Both Windows ME and Windows 2000 contain features and components helpful for diagnosing and preventing malicious mobile code. This section of the chapter will cover only the new features related to malicious mobile code security.

3.2.1 Windows ME

Windows Millennium Edition was released on September 14, 2000, as the last version of the 9x platform. It is designed for home users, and isn't as reliable or secure as Windows NT. Containing a slew of new multimedia enhancements, it sports a user desktop and TCP/IP stack borrowed from Windows 2000.

3.2.1.1 System restore

A new System Restore feature backs up important system files every 10 hours, by default, and can be used to restore earlier system states in the event of system corruption. It attempts to replace damaged system and program files without overwriting user data and personal settings. It compresses and stores files changed in the Windows or Program Files folders for later restoration purposes. The System Restore wizard (Start → Programs → Accessories → System Tools → System Restore) can be used to automate recovery from many malicious code attacks, instead of the manual methods we rely on in the older versions.

For good or bad, Microsoft removed the ability to boot to MS-DOS from the Startup menu. Fortunately, the Windows ME startup disk will allow a boot to DOS when such access is needed.

3.2.1.2 System file protection

Windows ME and 2000 have new mechanisms that, although not built specifically to defeat malicious mobile code, can prevent many types from spreading. Called System File Protection (SFP) in Windows ME and Windows File Protection (WFP) in 2000, the mechanism can prevent many system programs and crucial .DLL files from being replaced, modified, or deleted. If a virus or Trojan attempts to mess with a protected file, the original file is restored. And although both file protection versions (I collectively identify them as xFP) achieve nearly the same goals, they use different mechanisms. Windows 2000 protects all .SYS, .EXE, .DLL, .OCX, and .TTF files installed from the original Windows 2000 CD-ROM. Windows ME protects files listed in FILELIST.XML (and also listed in SFPDB.SFP). Both programs store digital signatures of each protected file in separate catalog files to be used when a file modification is noted. xFP runs in the background and springs into action whenever a monitored folder gets updated because of a file modification. Windows ME uses VXDMON.VxD and STMGR.EXE to do the monitoring, and Windows 2000 uses WINLOGON.EXE. xFP then finds the changed file, determines whether it is supposed to protect it or not, and if so, looks at a catalog file containing digital signatures to see if the changed file is approved. New files, if digitally signed from previously approved sources, are allowed to stay. Otherwise, xFP will grab a stored copy of the original file (stored in %SystemRoot%\System32\Dllcache, DriverCache\I386, or \RESTORE, from the network if installed from there, or from the original install disk) and replace the unapproved file.

By default, xFP activity does not result in messages being sent to the screen to alert the user. In some cases, when a large number of protected files have been modified, the user will notice a substantial temporary slowdown while the original files are being restored. In Windows ME, SFP changes and attempts are logged to SPLOG.TXT, and in Windows 2000, most WFP actions are sent to the System Log in the Event Viewer.

Windows 98, with the command-line utility System File Checker (SFC.EXE), was the first Windows version to attempt to protect important system files. It does not run in the background automatically protecting files and is not robust enough to be an effective MMC deterrent. Although also available in Windows 2000, SFC is not normally needed to protect or restore files.
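
The check-and-restore cycle just described can be modelled in a few dozen lines. The following is an added example, not code from the book, from Windows ME/2000, or from Microsoft: it builds a constructed System32 folder with a Dllcache copy beside it, tampers with three protected files (an unapproved replacement, a deletion, and a legitimate update from an approved source), then runs one xFP-style pass. Real xFP verifies Authenticode signatures held in catalog files; this model substitutes a set of SHA-256 digests of approved versions for those signatures, and every directory, file name and file content is constructed for the demonstration.

```python
"""Model of the xFP (SFP/WFP) check-and-restore cycle.

Added example: not code from the book or from Microsoft. SHA-256 digests of
approved versions stand in for the catalog signatures; all paths and file
contents below are constructed.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Digest of a file on disk; stands in for the catalog signature check."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def check_and_restore(system_dir, cache_dir, catalog):
    """Scan every protected file; put back any missing or unapproved one.

    catalog maps a protected file name to the set of approved digests
    (several, when a signed update from an approved source exists).
    Returns (status, name, reason) tuples in the spirit of SPLOG.TXT or the
    System Log entries mentioned in the text.
    """
    log = []
    for name, approved in catalog.items():
        live = os.path.join(system_dir, name)
        cached = os.path.join(cache_dir, name)
        if os.path.exists(live) and sha256_of(live) in approved:
            log.append(("ok", name, ""))          # approved version, leave it
            continue
        reason = "missing" if not os.path.exists(live) else "unapproved"
        if not os.path.exists(cached):
            log.append(("fail", name, reason))    # nothing to restore from
            continue
        shutil.copyfile(cached, live)             # the Dllcache copy wins
        log.append(("restored", name, reason))
    return log


def build_scenario():
    """Construct a fake System32 plus Dllcache, then tamper with it."""
    root = tempfile.mkdtemp(prefix="xfp_demo_")
    system_dir = os.path.join(root, "System32")
    cache_dir = os.path.join(system_dir, "Dllcache")
    os.makedirs(cache_dir)
    originals = {  # constructed stand-ins for protected system files
        "KERNEL32.DLL": b"original kernel32 v1",
        "USER32.DLL": b"original user32 v1",
        "ADVAPI32.DLL": b"original advapi32 v1",
    }
    for name, data in originals.items():
        for folder in (system_dir, cache_dir):
            with open(os.path.join(folder, name), "wb") as f:
                f.write(data)
    # Catalog: v1 of everything is approved; a signed v2 of USER32 is too.
    user32_v2 = b"original user32 v2 (signed update)"
    catalog = {n: {hashlib.sha256(data).hexdigest()} for n, data in originals.items()}
    catalog["USER32.DLL"].add(hashlib.sha256(user32_v2).hexdigest())
    # Three changes a monitor would see: an unapproved replacement, a
    # deletion, and a legitimate update from an approved source.
    with open(os.path.join(system_dir, "KERNEL32.DLL"), "wb") as f:
        f.write(b"unapproved replacement")
    os.remove(os.path.join(system_dir, "ADVAPI32.DLL"))
    with open(os.path.join(system_dir, "USER32.DLL"), "wb") as f:
        f.write(user32_v2)
    return root, system_dir, cache_dir, catalog


def run_demo():
    """Build the scenario, run one xFP pass, report the log and final state."""
    root, system_dir, cache_dir, catalog = build_scenario()
    try:
        log = check_and_restore(system_dir, cache_dir, catalog)
        all_approved = all(
            sha256_of(os.path.join(system_dir, n)) in a for n, a in catalog.items()
        )
        return log, all_approved
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    log, clean = run_demo()
    for status, name, reason in log:
        print(f"{status:<8} {name} {reason}".rstrip())
    print("all protected files approved:", clean)
```

The USER32 case is the one worth noticing: a changed file is left alone only because its digest is in the approved set, which is the model's equivalent of "digitally signed from a previously approved source". Anything else that differs from the catalog, including a deleted file, is overwritten from the cache.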

3.2.2 Windows 2000

Microsoft released Windows 2000 (originally called Windows NT 5.0) in 1999. Although there are at least four different flavors, 2000 Professional is the replacement for Windows NT Workstation, and 2000 Server is the upgraded version of NT Server. Unlike Windows ME, which only contained a sprinkling of new security features, Windows 2000 is chock full of them. Some old features have been given additional strengthening, while many new ones give greater protection. However, as with any software product with enhanced functionality, there are new areas that might be inviting to malicious hackers.

First, some of Windows NT's standard features have been toughened:

  • The registry is protected with tougher default permissions to prevent nonadministrators from modifying the registry inappropriately.

  • Default file and volume permissions have been tightened to prevent regular users from modifying the operating system or shared applications. NT 4.0 had the same ability, but in 2000 the default settings are more secure.

There are lots of new features, too.

  • Windows 2000 attempts to break the limited domain trust model of previous NT versions with its new X.500-style Active Directory service. Novell Netware has had a similar directory service called Novell Directory Service (NDS) for many years. This change will probably result in larger and larger trust relationships, which MMC will take advantage of.

  • Although the underlying SAM security database is still used in NT native mode, users and groups can now access objects stored across many domains using the Active Directory database. Enterprise Administrators and Universal Groups allow access to objects directory-wide. This, of course, means that compromises of universal objects can allow farther-reaching system damage.

  • Windows 2000 comes with the Security Configuration tool to analyze, configure, and maintain the security policy of every 2000 PC within the enterprise. This tool was known as Security Configuration Editor in Windows NT 4.0, but could only manage the local computer it was installed on. The improved version comes with several predefined security policy templates that can easily be applied across your organization.

  • Windows 2000 has a much needed Safe mode, which, like Windows 9x, allows a minimized system to be loaded for troubleshooting and repair. To access the Windows 2000 Advanced Options menu where you can select different levels of Safe mode, hit F8 during bootup. Although there is no official MS-DOS boot mode, there is a Safe mode with Command Prompt that loads Windows 2000 in a minimal state with CMD.EXE (VDM) as the default shell. Whenever Windows 2000 is started in Safe mode, a log file is recorded tracing the success and failure of different device drivers during bootup. NTBTLOG.TXT can be found in the root directory and used to troubleshoot bootup problems.

  • Driver Signing is included in Windows 2000 (and in Windows 98) to alert users if unapproved drivers are attempting to load. Approved drivers are tested by a Microsoft lab for compatibility and given a digital signature (actually an accumulation of all the drivers needed for a particular install are signed as one digitally signed driver package). Approved drivers with a valid signature are installed without user interference. If an unapproved driver is attempting to install, Windows 2000 will alert the user and allow the process to be completed or blocked.

  • Along with the Windows File Protection mechanisms, viruses masquerading as drivers should be detected and blocked. A File Signature Verification tool (SIGVERIF.EXE) has been included to allow users to discover which files do and don't have valid digital signatures. System File Checker (SFC) is an extension of the Windows File Protection component. SFC.EXE is a command-line utility that can be used to scan all protected files and verify their versions. Most .SYS, .DLL, .EXE, .TTF, .FON, and .OCX files installed by Windows 2000 are protected. An unrelated tool, Driver Verifier (VERIFIER.EXE), can be called to display all installed drivers and expose errors in kernel-mode drivers.

  • Windows 2000 uses industry standard security in the form of Kerberos, IPSec (Internet Protocol Security), Point-to-Point Tunneling Protocol, and PKI (Public Key Infrastructure) to protect data sent between two machines from being captured.

  • Locally, the Encrypting File System (EFS) is used to encrypt files belonging to a particular user. Each file on a Windows 2000 NTFS volume can be set with the EFS attribute. The file is stored in an encrypted state and decrypted on the fly when requested by a user or application with the appropriate security. If a hacker or malicious mobile program copies EFS-protected data to an unauthorized location, there is a stronger likelihood that the data will be unreadable. Unfortunately, if the hacker is using your security rights to view the data, 2000 decrypts the data as if it were you. Also, encrypted files copied across the network or to FAT volumes will not be encrypted. So a hacker can copy your file to a new location that doesn't support EFS, and Windows NT will decrypt the destination copy.

  • If Windows Installer detects a bad install or uninstall, it will attempt to fix the damage. For example, if two Windows application .DLLs share the same name, the Windows Installer will make sure they get installed to separate directories, and make sure the correct one gets called by the application that installed it. Again, this feature could play a role in disabling some known Trojans and viruses.

  • Disk Quotas allows administrators to limit how much disk space a user can utilize. In previous versions of Windows NT, Trojans could create thousands of fake files with the single purpose of using up all of Windows NT's disk space and forcing a crash. Disk Quotas have the potential to limit how much space a Trojan of that type could fill up.
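
The NTBTLOG.TXT boot log mentioned under Safe mode is worth more than a glance after a suspected infection. Below is an added example, not code from the book or from Microsoft, that parses the "Loaded driver" and "Did not load driver" lines the log consists of and flags any driver loaded from outside the usual system directories. The sample log is constructed to resemble a Windows 2000 boot log, and the expected-location list is an assumption of this example rather than anything Windows enforces.

```python
"""Triage helper for NTBTLOG.TXT, the Safe-mode boot log described above.

Added example: not code from the book or from Microsoft. The sample log is
constructed; the "expected directories" heuristic is an assumption.
"""
import re

# Constructed sample resembling a Windows 2000 boot log; real logs are longer.
SAMPLE_NTBTLOG = """\
Microsoft (R) Windows 2000 (R) Version 5.0 (Build 2195)
 3 14 2001 08:02:11.500
Loaded driver \\WINNT\\System32\\ntoskrnl.exe
Loaded driver \\WINNT\\System32\\hal.dll
Loaded driver \\WINNT\\System32\\Drivers\\ACPI.sys
Did not load driver \\SystemRoot\\System32\\DRIVERS\\i8042prt.sys
Loaded driver \\SystemRoot\\System32\\DRIVERS\\Mup.sys
Loaded driver \\WINNT\\Temp\\svchost.sys
Did not load driver \\SystemRoot\\System32\\DRIVERS\\Ndisuio.sys
"""

# One log line: the verdict, a space, then the driver path.
LINE_RE = re.compile(r"^(Loaded driver|Did not load driver) (\S+)\s*$")

# Directories boot-time drivers normally come from (assumption of this example).
EXPECTED_DIRS = ("\\winnt\\system32\\", "\\systemroot\\system32\\")


def parse_ntbtlog(text):
    """Return (loaded, failed) lists of driver paths, in log order."""
    loaded, failed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and date lines carry no driver
        (loaded if m.group(1) == "Loaded driver" else failed).append(m.group(2))
    return loaded, failed


def unusual_locations(paths):
    """Drivers loaded from outside the expected system directories."""
    return [p for p in paths if not p.lower().startswith(EXPECTED_DIRS)]


def triage(text):
    """Summarise a boot log: what loaded, what failed, what looks out of place."""
    loaded, failed = parse_ntbtlog(text)
    return {"loaded": loaded, "failed": failed, "unusual": unusual_locations(loaded)}


if __name__ == "__main__":
    report = triage(SAMPLE_NTBTLOG)
    print("drivers loaded:", len(report["loaded"]))
    for path in report["failed"]:
        print("did not load:", path)
    for path in report["unusual"]:
        print("loaded from unusual location:", path)
```

Failed loads point at the bootup problems the text has in mind; a driver that loaded from a temp or user-writable folder is the kind of entry a reader checking for a virus masquerading as a driver would want surfaced, which is why the example lists the two separately.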

3.2.2.1 Potentially abused components

Some Windows 2000 enhancements, while providing greater functionality, also seem ripe for exploitation:

  • For years, Windows NT security experts have recommended that administrative types NOT use administrator-privileged accounts as their normal user accounts. Doing so gives malicious code a better chance of operating with better file access permissions. The experts recommended that administrative users have two accounts -- one for administrative tasks, the other for normal user tasks. But the 30 seconds it takes each time to log on and out of a Windows NT system repeatedly during the day was a barrier to most companies implementing this advice.

  • Windows 2000 has a Run As feature, which allows a user to launch another process with the credentials of another user (i.e., administrator). You can start a new process using Start → Run → RUNAS /user:<machine_name>\Administrator CMD, where machine_name is the name of the local computer. A console window will appear asking for the secondary user's password. Any programs started in this context will operate under the secondary logon's security context. Alternatively, you can right-click a program icon while holding down the right Shift key, select Run As, and then fill in the Run program as other user prompts. While a great utility for administrators, it's not hard to see that malicious code might be able to exploit this new feature to gain otherwise inaccessible privileges.

  • The Advanced Configuration and Power Interface (ACPI) lets laptop users put their machines into hibernating mode (remember HIBERFIL.SYS) to save laptop batteries. Several Trojans used the similar feature set in Windows 9x to close down applications without giving users the chance to save their modified data. While hibernating systems don't usually lose unsaved data, there are instances where a premature shutdown can. This level of interface to hardware is sure to open up a new type of exploit.

  • Distributed File System (DFS) allows multiple hard drives on different machines (including on some non-NT computers) to host a single Windows NT logical volume. It can be used to store files across multiple servers or to redirect drive shares to other servers. Besides allowing malicious mobile code easy access to files on multiple file servers, it significantly complicates file and data recovery in the event of volume or file corruption. Special tape backup software is needed to back up and restore DFS volumes.

  • Windows 2000 supports Offline Files and Folders. Mobile users can download files to their local systems, work on them as if they were still located on the workstation or file server, and then upload the modified files back to their original locations upon redocking. The Synchronization Manager compares and updates offline folders and files when appropriate. Malicious code may be able to manipulate this feature to send files remotely or upload malicious code to the server (whereas it might have been otherwise blocked by default).

  • AutoComplete is a feature Internet Explorer users are familiar with. As with previous versions, AutoComplete uses previously selected or typed entries as a way to guess what might be typed in a particular future situation. For example, typing in a partial URL in the browser allowed IE to present the full URL tag so the user could just hit the Enter key if headed to the same place. AutoComplete has stronger integration in Windows 2000, added to features like Run (Windows 9x has had this for a while), Windows Explorer, and Map Network Drive. Malicious programs can use the cached AutoComplete responses to track user preferences and passwords, and gain access to new resources. Trojans have been built that exploit cached choices from AutoComplete, and more use means more chances for maliciousness.

  • The Microsoft Management Console (MMC) is Microsoft's way of providing a somewhat centralized administrative tool for managing system resources. Different management tools, called Snap-Ins, can be added to extend the functionality of the MMC. The different configurations of MMC, and its current snap-ins, can be saved and recalled to customize a default administrative tool set. It has already been demonstrated that malicious code can use the saved MMC configuration files to gain higher security access or cause damage.

3.2.3 Future Windows Versions

As we go to press, Microsoft is working on their next generation Windows release, Windows XP™. According to Microsoft, the "XP" stands for experience. The desktop versions (Home Edition and Professional) should be out by the end of 2001. Among other things, it sports a more-graphical interface utilizing new, integrated, HTML-based skins (skins are covered in Chapter 8). The new look is familiar enough that most Windows users should have no trouble adapting. Occupying nearly 1 GB of disk space, Windows XP is the first version for consumers that combines the 9x and 2000 codebases and gets rid of DOS.

Analysts say Windows XP will provide advanced protection against malicious mobile code using a yet unannounced digital signing initiative. Internet Explorer, Office 2000, Windows 98, ME, and 2000, all use digital signatures in varying ways for authentication and security (covered in detail in Chapter 11), but exactly what will be used on Windows XP has not been released. Here are some Windows XP technologies that have been revealed in beta testing:

  • XP will allow on-the-fly switching between different users without requiring a logoff or reboot.

  • Windows XP will be enabled with Microsoft's Passport™ authentication technology (used with HotMail and MSN today) so that when a user logs on, she will also be automatically authenticated to any Passport-enabled web site or service. There is no separate secondary logon.

  • The Professional version includes a built-in feature that will allow XP users to take remote control of other XP workstations using Windows Terminal Server technology.

  • Windows XP incorporates system restore points as introduced in Windows ME. A restore point is automatically made after every driver update.

The version after Windows XP will be Microsoft's first operating system to be built around their .NET strategy (discussed in Chapter 15). Each new version of Windows attempts to close the cracks exposed by previous bouts with malicious code, and ends up adding new ones.


ISBN: 156592682X
Year: 2001
Pages: 176