The Perils of FUI: Fake User Interface

I wrote about it 4 months ago: http://cranked.me/2008/04/zomg-viruses.html

Please don’t forget comments that look like part of official messages from your blogging engine, from an authentic blogging engine domain, and look like ‘Please see ‘here’’.

The solution? Use a safe operating system. Your sister/mom/dad/granny will not be able to break anything if they run under their own account with stripped rights.

When I was looking into OpenID I noticed that MyOpenID (https://www.myopenid.com/) has an anti-spoofing feature where you upload a custom image which is displayed on every page once you are logged in. This allows you to (hopefully) spot if the web page isn’t from the correct source.

Applied to this problem, by making your UI unique in some way, you should be able to spot when a user interface element is fake.

The giveaway of boxes where you have to click OK or Yes is also zero for the vast majority of computer users, educated or not. There are so many boxes to click OK/Yes in your daily routine that people just don’t read them.

When the confirmations for ‘Are you sure you want to close Word’ and ‘Do you want to install this nefarious executable’ look identical save for the words, people are going to click OK almost every time.

The reason for this unexpected behavior is that we have learned to decide what we want BEFORE the box pops up. When we click the X, we have already decided that yes, we want Word closed, so we click OK. When we click on the FUI virus scanner, we have already decided that yes, we want to proceed and remove the virus. We aren’t going to consider clicking Abort on a box that we expect to lead to the removal of the virus, and because of that we don’t read it.

The solution to the problem is, of course, to make the user actively do something that forces him to consciously recognize that he has to make a serious decision. If instead of a Yes/No box there was a text field, where the user had to enter ‘yes i really want to install this suspicious file’, I’d expect the number of people who still want to see the dancing bunny to go down considerably.

2 Ciaran: NoScript won’t help in the case of non-tech-savvy users. They will just use IE because Firefox doesn’t show pages correctly.

On resizing and hiding Firefox windows:

http://goodblimey.com/archives/2004/06/05/stop-browser-resizing-in-firefox/

In the end, though, nothing is ever 100% secure, and it doesn’t need to be. Viruses aren’t actually the major threat people perceive them to be. While yes, they do make your PC slower, so does the new Office you installed, and while yes, they send your clicks to nefarious advertising companies, my mum just really doesn’t care.

Excuse me …
Viruses are big business today. Having a virus-infested PC these days means in most cases that you are now part of a botnet, sending spam and contributing to DDoS attacks against whomever the controller wants. In essence, your PC is no longer yours. It won’t be long until we see ransom asked to have your PC functioning again.

Viruses are a very grave threat these days, not to the infected PC but to everyone else. That is why most viruses are so harmless to the PC they infect. It is beneficial for them that the PC remains functioning and operational.

I get these on my Mac and giggle at the idea that my Windows directory is infected on it. You’d think they’d do some basic OS filtering…

Eleven words: NoScript is tedious if you already know what you are doing.

@Martin Probst,

I think you are correct that this should be an uncommon operation (downloading and executing code from a website). However, the reality (and maybe the problem) is that it is not.

As an admin, I am installing things constantly, but that is not much of a problem. Except the problem is, when I see my not-too-web-savvy friends on the web, they are constantly downloading things (I mean constantly). Even more than I am. Regular users constantly download and execute things—that’s why they use the internet. They get music, screensavers, games, videos, demos, and whatever else says ‘download me!’

People are generally just clicking on whatever looks like fun, and honestly they might not even really care if it breaks something in the OS. It’s not like they have to fix it.

So, I would have to agree, the solution would be to make it so they can’t install things if they do not understand the implications—but would they use a computer then?

Why won’t it let me do this!?

Not have the windows for programs and documents use the same UI.

2 Craptaculus: go visit a site that starts with ‘g00d-stuff’ and ends with ‘.com’ without NoScript and tell us how the fact that you know what you are doing helps.

Similarly to what J. Stoever was saying about not using the default GUI, one approach to the problem is to undermine the attacker’s ability to spoof the GUI by using a different GUI than the attacker expects. As a Linux user, whenever I see these sorts of things pop up on my desktop, I just slough it off because I know those Windows-style widgets and mock Windows apps don’t belong on my XFCE desktop.

It’s not enough just to break the homogeneity of the UI though, as the user may still be duped. If you’re using an entirely different OS than the attacker expects, then even if you download the payload it isn’t going to do the attacker much good.

I have to say, I disagree that Microsoft’s security model would make any impact on this type of hack.

This FUI is making you think it is one of the good guys and therefore even if by default you weren’t in as an Administrator, you would want to be in order to get this virus checker to work, right?

The only way around this problem is to educate all internet users that what they see isn’t always real. More importantly, if you have specifically asked for something, don’t do it. Any recommendations by any website should be considered completely unreliable.

Obviously this isn’t an easy thing to do and, as always, us techs will continue to get calls from friends and families asking us to unravel the horrendous state their home PCs have gotten into.

One thing I’ve started doing is installing a temporary virtual PC onto friends’ computers. If you want to browse the web, use this. A small lesson to explain that everything will be gone as soon as they shut down, and they’re as safe as houses.

Robin

@ Aaron G: What will you do once your dad comes with an infected machine and tells you that the website didn’t contain bad spelling/grammar, random capitalization, exclamation marks or the word ‘FREE’?

I bet a bottle of Jack Daniel’s there exists at least one malware site with perfect grammar and no phrases like ‘Your may have Spyware!’

Lynx

Poor English is also usually a dead give-away.
‘Your may have Spyware!’

I’m not so sure about that. The latest versions of McAfee have some blatant spelling and grammatical errors in the installers of their Dutch software :)

Best regards,

Onno

The FUI looks convincing but I think the file download dialog should give it away for most people.

I don’t know, Kalle. You think users are actually reading and understanding the file download dialog, much less the warning?

Well, I hope most people do. But of course there will always be people who don’t know what they are doing. But I’m not sure there is anything that could protect them… ;)

My mother uses FF3 with NoScript :)

Keep in mind that sometimes the faking of thick clients is intentional and not with bad intentions at all…

More and more web pages try to offer the full package.
Part of the experience is showing a full interface with elements the user already knows from other software.
So any technique that disables/scans for those elements is out of the question.

A great way to block about 80% of the threats is to block all EXEs. Your average grandma has no need for anything executable on the PC. If she wants something installed for a particular purpose, she’ll be on your phone anyway because the step-by-step wizard is too hard.

Also, browse with Opera ;)

@Lee Many people who don’t have English as their first language (or even second language) will not notice mistakes in grammar or spelling. Also, as Jeff already pointed out, many (most?) users don’t actually read the contents of the dialogs.

Although some people will always be tricked, I think many problems can be avoided by following two simple rules:

  1. Always read the message text.
  2. Never agree (i.e. click Yes) to something you don’t fully understand.

This will work most of the time, as long as the dialogs themselves haven’t been hijacked or faked (i.e. in Jeff’s example, both the JavaScript dialog and the download dialog are genuine, so just clicking Cancel and No would prevent infection).