Trojans, Rootkits, and the Culture of Fear

Scott Wasson at The Tech Report notes that two of his family members fell victim to the eCard email exploit that has been making the rounds lately:

This is a companion discussion topic for the original blog entry at:
1 Like

I just recently switched to running a limited account on my home machine. I find it very helpful to have a copy of Process Explorer running as administrator at all times.

It requires two “logins” on boot (limited user, then run-as-admin for Process Explorer), but it means I can run other apps as admin from Process Explorer without going through the windows run-as mess. Also, if any services start acting the bollocks, you can kill them easily.

If you can trust your users to act responsibly (e.g. they won’t spawn Internet Explorer as admin), it’s definitely something to consider.

While tradition anti-virus is ineffective, they big AV players are slow to move to more effective solutions such as whitelisting. I believe there was several startups creating whitelisting AV, many of which were quickly bought up by the more traditional AV companies.

I got sick and tired of all of the security mess with Windows, so I recently switched to Ubuntu for my laptop (mainly just used for browsing). I’ve been quite pleased so far.

I liked this article for the most part, but I think what you said about the conflict of interest between anti-virus software makers and virus vulnerability is not reasonable. That’s like saying that auto mechanics want your car to break and doctors want you to get sick. This may be true to an extent but I would certainly not say that it is the status quo.

About a week after you wrote your article on ‘How to clean up a spyware infection’ I downloaded a file which I thought contained a virus but I was willing to risk it anyway. As I figured, I’ve never had a virus in my 15 years of computing, and virii are annoying at best.

How I was wrong! It did contain a virus. It launched IE7 in the background and continued to download virus after virus after virus. I d/c from the net to install antivirus/removal tools, which were all closed on the install screens.

Using your methods from How to clean up a spyware infection, I battled the virus for 4 days. Finally removing it. After doing some reading, I determined the virus was a vundoo infection which has been around for a couple of years constantly updating its form. No anti-virus vendor detects it. That’s insane!

I’ve since removed any monitoring anti-virus software and will instead rely on myself no longer being an idiot. I’ll use spyware scanners at regular intervals, monitor my services and processes, rootkit revealers, and good old fashioned google to deal with any virii that come my way.

For the less technical minded, I pity you if you happen to run into a virus such as this.

The past 2 times I got hit by worms (once last year, once this), none of my installed AV softwares (SAV, AVG Free on different computers) picked it up. One of them was W32.OlderData, and it wasn’t until a couple months later that information on it (technical details, removal) was available Symantec’s AV database.

It maybe due to geographical differences that here in Singapore, we face a different subset of viruses and malware, but it goes to show that traditional AV have no place in the current world where a kid living in basement is able to come up with something new everyday.

Even herustics detection doesn’t work as well, the number of false positives you get with those…

Upon reading your earlier spyware post I recently changed both my daughters (9 yo) and my computer to non-admin. Now whenever my daughter needs to do something admin related like repaier her IP address, or install software, she knows to switch to admin, fix it, and switch back. The admin password is her own name because, as I said to her, “it’s your machine”.

I figure that this is an excellent opportunity for her to learn about some key issues facing computer users and she is becoming surprising savvy - she uses context menus and keyboard shortcuts - something that will stand her in good stead in the future.

You shouldn’t have to “switch users” to install something that requires administrator privileges. If you right-click an executable file, there is a “Run as…” option that will let you select a different account to run the program as.

You can use this to run most things as a standard, non-privileged user, and resort to using the administrator privileges only when strictly necessary.

Then again, this feature might only be available on XP Pro, or via a setting in the group policy editor. Unfortunately I don’t have an XP Home installation to compare right now.

(it might seem like “right-clicking” and managing multiple accounts is too complicated, but the technical bar has already, in my opinion, been set high enough by the user knowing of and seeking ways to avoid spyware infestations.)

I use Linux for all my tasks and development. It’s always running. I occasionally will boot into Win for a game or two of Civilization 4, but then immediately switch back after I’m done. Kind of a learning curve if you’ve never used it before, but after my 2-3 years of experience with Linux, most Distros contain the same concepts, thus switching from one to another becomes routine in terms of system administration.

If I desperately want a program that runs only on Windows, first I check Wine and see if it emulates… if it doesn’t I then debate whether I truly need it. I check for an alternative that runs on Linux and then I check if there’s any drivers for running on Linux. If all else fails I will cautiously install it on Windows, such as Visual Studio or just use its alternative on Linux - Netbeans. I never use VS, simply because I’m never in Windows… don’t get me wrong, I like VS.

Aside from that, after using Fedora, Kubuntu and now regular Ubuntu for my desktop/server machine, and Ubuntu for my laptop for about 2 years I have not had to deal with viruses or spyware. It’s funny to me when someone at work will say something about updating virus or spyware definitions… I feel like I have been kept out of the loop as I haven’t done that in 2 years. :slight_smile:

My brother got a nasty rootkit on his laptop that had never been connected to the internet, without “just doing anything stupid.” How? He bought a Switchfoot CD and put it in the hard drive (and doesn’t run as administrator), and hadn’t turned autorun off. I spent 3 days trying to get rid of the Sony BMG rootkit, and deleted the files, but then on rebooting, it bluescreened.

How do you protect against this kind of thing?

That’s like saying that auto mechanics want your car to break and
doctors want you to get sick.

The difference here is that, all things being equal, cars will ALWAYS break down eventually, and you will always get sick or have an accident where you will need a doctor. If the threat of viruses were negated we would never need AV software – which is why the AV companies will always be in support of some sort of fear.

I once got a virus on my Linux box. But that’s because I was stupid.

I had an extremely limited account called “guest” (with password “guest”) so that my college roommate could cleanly shut down the computer during a thunderstorm. Since there was no way to log in remotely, it wasn’t a security issue.

Some months later, I installed the OpenSSH package. It was configured to allow anyone but root to log in remotely, and sooner or later a worm found its way in and tried to crack root. I noticed the excess network traffic, found a suspicious file in /tmp, destroyed it (and a couple of processes), then added the AllowUsers directive to /etc/ssh/sshd_config.

It didn’t cause any damage, and I haven’t had any trouble since then. Yay for privilege separation, boo for bad default configuration!

it’s really hard to contain any infections. as the technology evolves, so as the threats…
i’m aware of those infections that mutate in order to be not detected and all those sneaky tactics.
in my opinion, the best way to prevent such attacks is to give them the taste of their own medicine, a.k.a fight fire with more fire… xD

That is something that Debian based operating systems did marvelously, you had to ‘sudo’ EVERYTHING. It was bloody tiresome, but I kid you not, /I/ alone was responsible for crashing that machine XD.

The best advice i ever game my parents about computers was to switch to osx. for security and surfing the web its the best advice you can give anyone who does not know how to jump through the security hoops windows forces you into.

I believe the best anti-virus you can get is the one where you are not connected to the internet. If it’s sensitive enough that a compromise would ruin your day, keep that data offline.

I had a virus recently, nothing dangerous, but annoying, and it was caused through my use of internet exploder. I went to the all-knowing google and did a simple search, deleted the virus, and everything was good. I am a safe surfer, I use Firefox, the AdBlock, NoScript, and other plugins, am behind a router, and am not connected to internet when I don’t need to be.

I still don’t even have an anti-virus, for reasons stated above, they can’t catch everything, it’s all just a false sense of security. They don’t offer enough to make up for how much they cripple my system.

Why users don’t switch to Linux, and why running Windows in Admin mode is default:

  1. “Some months later, I installed the OpenSSH package. It was configured to allow anyone but root to log in remotely, and sooner or later a worm found its way in and tried to crack root. I noticed the excess network traffic, found a suspicious file in /tmp, destroyed it (and a couple of processes), then added the AllowUsers directive to /etc/ssh/sshd_config.”

  2. If you try to find instructions for copying a user profile from an admin account to a standard user account in Vista - you won’t. Nobody is revealing this deeply hidden secret. You must not only set up your desktop from scratch, but find and copy all of your customization templates - e.g., in MS Word. Golly, this is fun! Thanks, Microsoft.

I tried to take Jeff’s advice and use a limited user account on my new laptop, but I install / use a lot of programs and many of them simply will not play nice with a limited account, and constantly having to “Run as Administrator” gets old really really really fast. I am not a computer novice but I view my OS as nothing more than a device that allows me to use as wide a variety of software as I possibly can. That’s why I won’t use Vista while compatibility problems persist and why I decided not to even bother with a limited account - the hassle of having to use the nuclear option of a reformat / reinstall is less in my view than the death by a thousand cuts of trying to battle uncooperative program and typing in the admin password hundreds and hundreds of times.

Ouch… Man, using a Windows box continues to resemble living in a sewage filled back-alley. Why not just get a Mac or Linux box and jettison Windows permanently? The Windows security architecture is just outrageously broken from the ground up and no amount of patching or band-aid UI effects like Vista’s UAC will ever fix it. Unless your typical end user has some absolutely unavoidable business reasons for sticking with Windows, the vast majority of end users would be served much better by switching to an operating system that actually has an effective security model.