Trojans, Rootkits, and the Culture of Fear

It’s funny when I see my bro’s XP laptop. There are always all these SpySweepers and AV programs with their little tray icons. They are always updating something and asking if they should run again. What a waste of resources and time!

When I first switched to Linux I specifically remember feeling the freedom of not having to deal with all that mess. But I also like the feeling of scanning my system and finding everything to be alright. So I filled that void with rkhunter.

I do the following:

  1. I run Mac OS X and do a full, bootable backup once a week on two alternating external hard disks. I do incremental backups of documents daily. The firewall is on, and I run Little Snitch, but I do not run a Mac antivirus application.

  2. All Windows stuff runs under Parallels. Whenever I install something, I make a copy of the image. That way, if something goes wrong, I can just go back to a known clean version. I do run an antivirus app under Windows, but do not actually expect it to do much good.

  3. I never store actual documents on the Windows image, but always write them to the Mac’s hd so I can back it up, and so it can’t be messed with if Windows gets infected.

In other words, I do some stuff to prevent an infection, but more importantly, I make sure that I can quickly go back to a working version of all of my stuff if something goes wrong. Best case, I throw away the Windows image and make a new copy of the last known working version. Worst case, I boot from the external HD, clone it back onto my Mac, and copy back any files changed since the last full backup.

I do not expect to be able to get rid of the virus once it’s on my system.

Cue the “OS X is more secure because it’s a smaller target” cries.

Wait, am I the first? W00t!

So how does running in a virtual machine protect your data if the virtual machine is compromised? It just makes it easier to restore the machine to an uncompromised state.

“If you try to find instructions for copying a user profile from an admin account to a standard user account in Vista - you won’t.”

Actually, last I tried (granted, in 2000 and XP) it was just a matter of going to the user account in the administrator console and removing him from the “Admin” group. Has that changed in Vista? Does this not do what I think it does in 2k/XP?

“This is partially the fault of Windows software developers who fail to test as standard user.”

I disagree. If “run as admin” (right-click on the installer and do so, or get prompted for the admin prompt when you just run it, however Vista does it) behave differently than logging out, logging in as an admin, and then running it: there’s a bug in Window’s prompted privilege escalation.

Yes, I would love for most software to be able to install without admin access. Perhaps that’s what you meant. However, it is definitely Microsoft’s fault that full-login and “sudo” logins behave differently in some (relatively large) percentage of installers.

“I think virtualization is the only rational way to protect users from themselves-- and that’s why virtualization is the next great frontier for computer security.”

I think, were “sudo” to work properly in Windows, and standard user to be fully effective (I have no evidence that it is not; however, like OS X, it is such a severe minority of the universe that we won’t know how secure it really is until it gains more traction), that you’d have a lot easier time getting users to use that effectively than to get them to use a VM properly.

As you noted, the “safety” of the VM is that your important data is not exposed in it. So, you can download and install an application, try it out, and decide if it’s useful. This works great if you don’t want to “try out” this application using any of your “real” data. But, that’s what a large number of people will want to do. So, their “real” data goes on a “shared” drive which is then available to the “walled” VM and the standard OS (which might itself be a VM), and, suddenly, there’s no data security. Then, the only “security” the VM allows is the granularity of applications installed in it (only install a few apps in the VM and the virus can only spread to a few apps and you have less to reinstall afterward), but your data is just as likely to be published for credit card number sifting or encrypted and held ransom.

All of which is to say: no matter what you put in front of users, they will find a way to foil it.

“Linux/OSX is more secure than Windows” argument is just wrong. Windows, obviously, is a bigger target. Like, at least an order of magnitude bigger. Plus, it’s the place where all the vulnerable users are. So malware writers naturally prefer to spend their time attacking windows – it’s just good business sense for them to invest time into that platform.

I’ve since removed any monitoring anti-virus software and will instead rely on myself no longer being an idiot

This approach doesn’t scale, even with a sample size of 1 :slight_smile:

Sandboxing - it’s mostly the answer. And not done the way .net’s access permissions work

Actually I don’t think traditional .NET/Java sandboxes work very well, because they’re hard for developers to understand:

http://www.codinghorror.com/blog/archives/000820.html

how does running in a virtual machine protect your data if the virtual machine is compromised?

Presumably most of your data is outside the VM, and thus in a parallel universe that’s unreachable from inside the VM.

However, this relies on a scarcity: the mechanic’s time. The antivirus software developer does not have an analogous scarcity, so for him it really is a conflict of interest.

The more credible and fearsome the threats, the more money the antivirus vendor stands to make. Software licenses are like printing money, almost literally. It’s just unfortunate when what you’re selling is fear.

No one ever develops or tests their software outside an admin account, not even Microsoft.

And isn’t this the real problem? The way admin has been so thoroughly and completely institutionalized in Windows? Vista has a band-aid, but I don’t think it’s enough.

“Linux/OSX is more secure than Windows” argument is just wrong.

It’s not wrong in the sense that RUNNING AS ADMIN HAS BEEN INSTITUTIONALIZED IN WINDOWS.

Running as an admin will always make you much more vulnerable by default.

This won’t change until Microsoft ships an OS where running as a standard, limited user is the default policy.

  • Make a habit of reading email through a web mail interface instead of a desktop mail program. It’s much safer.

  • AV’s are still good. Just because they don’t catch everything, doesn’t mean they are useless. At least they would have blocked the attachment that caused the problem in the first place or warn you before clicking that attachment as in “This might contain a virus… are you sure?” type of warning.

  • If I download an executable which I suspect, I run it in Sandboxie (free from sandboxie.com). This way I know what files it’s reading and writing in the sandbox. Using a VM doesn’t help me much if the program is doing something invisible in the background. I see ‘run it in a VM’ advice all the time but what if the program ran fine and it installed an invisible lurking trojan which wakes up after a week and, say, after a few days of using it in the VM, you decide it was safe to install in your OS, how did the VM protect you in this scenario?

A previous poster stated that perhaps it should be illegal to distribute malware, and maybe this is the route that needs to be taken. How do we catch these people who knows thats not my area of expertise, but maybe it’ll help.

If people are writing new viruses every day hows my shitty McAfee av suite going to pick those up. I rely on my firewall and my router to keep the bad guys out.

A lot of people here are making the intelligent argument that this problem is OS independent. With so many non-tech savvy users running windows it makes more sense to attack windows than linux or OSX or insert awesome operating system here because of the sheer number of users.

So until this becomes a non issue figure out what works for you, do your best to educate your loved ones, and use your head when downloading or opening files from the scary interweb.

Anti-virus software on a pc is like drinking stagnant pond water THEN ingesting the chlorine (horribly visual comparison, but think about tap water). It can’t act appropriately to protect users from viruses. The best way is to stop them at the source.(i.e put the chlorine in before distribution.)

Unfortunately, attacking malware-creators poses an issue, there is no solid line separating malware from legitimate software.

An example of the fuzzy line is the WhenUSaveNow program, it has popups, but the user HAS to AGREE to install said program, the program fully notifies what it does to the user, but I consider it malware.

Let’s say we define what’s malware and what’s not, then we might end up with another McDonald’s hot-coffee-warning, bull crap lawsuit.

I am taking a large risk as Admin, but the alternative is too inconvenient for me, it all depends on what the user has to lose.

Geek Squad lives off of the ignorance of the average user, the same way AV progs do. Ignorance is not bliss, it hits your wallet.

You asked, “how do you protect users from themselves?”

My first answer is education. A lot of intelligent people are scared of machines for good reason …they know that they don’t really know how to protect themselves.

Josh (comment #5) said, “I’ve since removed any monitoring anti-virus software and will instead rely on myself no longer being an idiot.”. wtg

Having a comfortable relationship with computers for 25 years (even though I’m a non-techie), I’ve gotten to the point where I can explain all my cautious habits and even verbalize why things just don’t feel right and raise my antennae sometimes, but not fully enough to really teach others beyond ‘helpful tips’ which isn’t really enough.

Vera

I agree that running as Administrator is at the heart of the virus (trojan/malware) epidemic. The extra hassle that is needed to install a new program is perfectly acceptable, it provides a suitable hindrance to inadvertently installing a new program.

Unfortunately, many applications and devices require and/or assume administrator privileges. This is increasing the exposure on Windows NT and is not something that other operating systems have allowed (Mac OSX, Linux, etc.).

I think it would help if computers were viewed more as an appliance, where they perform a specific set of tasks and don’t mutate frequently. It is a device for word processing, email, web browsing, etc. but is not intended to be updated with the latest goofy screensaver app.

Look at it this way – how many people change out the upholstery in their car?

In the meantime, if you can run as a regular user rather than Administrator you will have some protection from inflicting irreparable damage to your os.

I must respectfully disagree with Eric.

I am a developer; I’m constantly installing and uninstalling programs. The average user might not need to do this, but I absolutely HATE running as non-administrator on anything except Linux, which gives me the handy su command.

Computers are not appliances from my point of view; they’re user-centric tools.

What good would a table saw be if you couldn’t change blades relatively easily to cut tile instead of wood, or replace them in case of breakage?

What good would a hammer be if you had to stop hammering and enter a password giving it permission to pound the next nail in?

On the other hand, I can definitely see the inverse of this. Normal users won’t have to install/uninstall many programs nearly as frequently as I do, in the same way as the average homeowner won’t be doing rough-in construction in their garage. If I’m going to be doing this level of work, hopefully I can be trusted not to entirely screw up my computer.

What I would really like in a permissions system is the ability to define what my programs should and shouldn’t be allowed to do–ON MY TERMS.

Most of the programs I install (text editors, for instance) have absolutely NO NEED to access the Windows folder–and if one of them tries, I want to know about it!

What really needs to be done is to give users the ability to tell the OS what programs can and cannot perform specific actions, both at install time and at any time afterwards. Installing a trojan isn’t that big of a deal if your operating system refuses to let it access the filesystem or use any network connections.

Microsoft likes it a lot when you buy a new computer every year. They won’t fix anything.

kingbee,

Windows has a significantly more advanced security model than OS X and Linux only recently caught up when ACLs showed up there. The Windows security model is more akin to SELinux. The only issue is that tightening down the machine leads to compatibility and usability issues.

And there really is nothing stopping anyone from making precisely the same attacks as have been made against Windows on Linux or Mac OS X. If you download a program and run it, the OS really has no choice but to follow your directives. The program then just does what it wants: parties over your data, opens ports to the outside world, joins botnets, emails your friends. Neither MacOS nor Linux are likely to be completely free of Escalation of Privilege issues, and in both cases the program could piggyback onto other legitimate requests for the root account to truly worm its way into your system. The trojan horse attack that Jeff describes is simply not a reflection of the security of the OS. It’s more about the security-consciousness of the user and the generally hostile climate on the internet.

If there were serious legal consequences to distributing malware (i.e. jail time) and serious pursuit of those who make this software, perhaps we could clean up the internet so that it is safe for our wives, parents, and children. Windows apps will improve slowly (we can accelerate this slightly by vocally refusing to buy apps that do not run correctly on Vista under low rights), but that is not the real source of the danger, and the world will still be bad because people’s low-rights accounts will be the new target.

It seems to me anyone who is complaining that running windows as a normal user like Linux does, isn’t getting the point. They aren’t doing it like linux. Does a normal user do installs in Linux? Use admin to install. If you are logged in as a user and want to install use the runas command, or in some instances there is even a menu option for runas if you right-click on the desired file. Same goes for trying to run a program that needs to be run as admin. Just because that one program needs admin access does that mean everything you use during that time has to have admin access.

Windows has a command line the more you use it the better off you’ll be and as a note runas is like sudo.

example uses:
runas /user:administrator cmd
runas /user:administrator c:\where ever\photoshop.exe

To find out more options just type runas w/o and parameters.
if you need a link to keep you from typing make that command a batch file.

Running as an admin will always make you much more vulnerable by default.

Only because so many pieces of Windows malware assume that you’re running as admin currently. I think if there was some mass change in the average computer user to using low-privilege accounts you’ll find that malware writers are quite able to cope with running in userland and/or tricking the user into providing credentials. The exact methods will change, but I think the overall picture will remain largely the same. Certainly, running as non-admin is good advice for an individual in the present, but it’s by no means a solution for the overall problem.

Virtualization presents some interesting possibilities, but it will be interesting to see how well users will tolerate the inconvenience of shuffling files to and from the sandboxed environment and it still doesn’t deal with the problem of people installing a “nifty screensaver”.

I’m slowly coming to the conclusion that desktop security (for the home user, enterprise is a different story) is an intractable problem on a general purpose computer. Limited purpose appliances have potential, but seem to be unlikely to be accepted on the market (they certainly haven’t been accepted in the past).

I gave up on Windows years ago - that was the easy bit. Getting my family and friends to move away from Windows is proving to be much harder.

Perhaps I should wait until after they have spent hundreds of s having their machines de-scumware’d and suggest they by a Mac to save money !!

I run as a limited user and I do have the odd badly-written program that requires write access to its own folder or some other idiocy. All I do is switch to admin and give my user account write access to just those folders that the program requires to run properly. Never had a problem since.

Installers are another thing entirely. No one ever develops or tests their software outside an admin account, not even Microsoft. Even Firefox and Thunderbird cannot handle the concept of a non-admin user when it comes to updates.

@nksingh: I guess that you have highlighted the fact that the real issues are non-technical. OS X and Linux seem safer in practice with less sophisticated tech because developers and users have a different set of cultural expectations. If Microsoft absolutely committed themselves to the idea of a environment that is safe by default now it would break existing software and irritate core constituencies, so they have to somehow change how people think with incremental changes to their products. I don’t envy them their position.

It’s worrying that Microsoft has entered the AV market - as Jeff says there is an inherent conflict of interest there.