Trojans, Rootkits, and the Culture of Fear


Good article, Jeff. And yes, this is nothing new - George Smith has been pointing out for nearly two decades in the Crypt newsletter how the AV emperor has no clothes and relies on instilling fear (and he should know, being one of the earliest authorities on the subject).


“I have a resident Linux server, which has NEVER had a virus in 9 years”

“I recently had a virus/malware issue”

Well, that’s great. Nothing like being internally inconsistent.

BTW, I have a Windows server, which has NEVER had a virus in 4 years. Not even recently.


I was attempting to make the point that traditional sandboxes didn’t work well, if at all. Sorry if that didn’t come across. I write .NET programs for a living (websites, not WinForms), and looking at the permissions and setup is a real drag if not downright impossible, hence my comment about making it easy for programmers as well as for users.

My point was that network, disk, registry, keyboard, etc. are all resources that need to be protected by the OS. They should not just be given away at the double-click of a mouse. For 90% of software it should be easy to say what it may and may not do in a succinct and easily presentable manner. I don’t care if this breaks old programs. Call it the Windows Secure Desktop Initiative or something catchy. If MS does it right they’ll continue to own the desktop, and every big vendor will scramble with that new upgrade to have a new little logo.

I don’t blame MS, they couldn’t have seen it coming, but for their own future they have to make fixes.

Windows continuing to be an insecure platform will push online applications as a better option, despite their limitations. Gmail and Google Docs never required an install. The future of desktop applications depends on the security of the desktop.


Some reading for the “safe because there are so few of them” camp:


I think we can kill a lot of birds with one stone here…

Am I the only one who doesn’t understand the need to ‘install’ the vast majority of applications? I can understand why we need to install system components. Things like DirectX, the .NET Framework, etc… but why do I need to ‘INSTALL’ games or applications?

If I have a game, I want EVERYTHING I need to run that game in the folder I tell it to. The registry is a huge mess…screw it. Everyone, stop using the registry. I’d rather see a ‘config.xml’ or a ‘config.ini’ than have to spend hours digging around the registry for whatever the application added.

The vast majority of .DLLs and crap that will get copied to the system directory will never be used by anything other than that one game or application and SHOULDN’T be put into the system folders.

When you execute a file, by default, it should ONLY have read/write permission to the folder it is in, and any subfolders.

If I’m running IE and browse to some shady site, IE itself should only be able to access the folder it sits in, and its subfolders. That means ALL of the data related to IE can be found in that folder and its subfolders.

If I install another copy of a Windows OS, I shouldn’t have to ‘reinstall’ any of my games or apps. I should be able to browse to the folder it lives in, run it, and it should work. See, during the install process a bunch of crap is put into little hidden spots of the registry and files are copied all over your HD. Without those files, the game won’t run… so you have to reinstall all of your games. It’s crap.

What I’d like to see is a filesystem-based security system that views individual executable files as ‘users’. Each app, each game, each EVERYTHING you can run has individual permissions that you can look at and modify. By default, it can’t do anything but read and write to its folder and subfolders. If you want IE to be able to put files in C:\MyFiles, then you need to set the permissions of C:\MyFiles to allow IE access to write to it. Any time an application attempts and fails to read or write data that doesn’t belong to it, you’d see an error message. You know what file did it, and what it was trying to get at.

Taking it one step further, using this model, the VAST majority of applications could/would run just fine as long as the appropriate updates were made. The few installs that really should be ‘installed’ in the current sense are mostly well-known MS or other big-name company products. If I go to install the .NET Framework that should be a real install, but MS could certainly give it a ‘stamp’ of approval, just like it does with signed drivers.

If someone gets a ‘HappyBunny.exe’ and they run it, it won’t be able to do much of ANYTHING. It has read/write access to some temp folder under IE. Even if it exploits some sort of buffer overflow, or something along those lines, and can execute code, the IE process only has read/write access to its folder. If the application requests access to other folders, the user would get the error message with an ‘allow/deny’ type choice and then, if they allow, since HappyBunny.exe isn’t digitally signed by MS, they get a big BIG ugly warning saying that there is virtually NO REASON for an application to need more access.

Administrator accounts could grant the programs access to system folders. Regular accounts couldn’t. This would only affect the installs of software that has a legit reason for accessing system files (virtually none). Everything else could be installed from the regular accounts.
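As an added illustration (this is not RobDude’s code, nor anything from the original post), the closest thing stock Windows offers to treating an executable as its own ‘user’ is to literally give it one. The script below creates a dedicated standard account for a single program, grants that account Modify on the program’s folder and on one explicitly chosen extra folder, and launches the program under that identity with runas. The program name, its path, the account name and the extra folder are all assumptions made for the example.

```powershell
# Added example, not from the original post. Approximates a per-executable
# identity on stock Windows: paths, the app name and the account name are
# assumptions chosen for illustration. Run from an elevated PowerShell.
#Requires -RunAsAdministrator
$AppName  = 'HappyBunny'                         # assumed program
$AppExe   = 'C:\Apps\HappyBunny\HappyBunny.exe'  # assumed location (outside Program Files)
$AppUser  = "app_$AppName"                       # standard account whose only job is this app
$ExtraDir = 'C:\MyFiles'                         # the single extra folder we choose to grant

# 1. A standard (non-administrator) local account for this one program.
#    HKCU is per user, so the program's registry writes land in this account's
#    own hive and never touch the interactive user's settings.
if (-not (Get-LocalUser -Name $AppUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $AppUser"
    New-LocalUser -Name $AppUser -Password $pw -PasswordNeverExpires `
        -Description "Sandbox identity for $AppName" | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $AppUser
}

# 2. Explicit grants: Modify on the app's own folder and on $ExtraDir, nothing else.
#    Default NTFS ACLs already stop members of Users from writing under
#    C:\Windows and C:\Program Files, so no extra deny rules are needed there.
function Grant-Modify {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Grant-Modify -Path (Split-Path $AppExe) -Identity $AppUser
Grant-Modify -Path $ExtraDir -Identity $AppUser

# 3. Launch under that identity. runas (needs the Secondary Logon service) prompts
#    for the password; the program receives $AppUser's token, not the logged-on user's.
runas /user:"$env:COMPUTERNAME\$AppUser" $AppExe

# 4. The check a practitioner wants: a write outside the granted folders must fail.
#    Expected result of the echo: "Access is denied."
runas /user:"$env:COMPUTERNAME\$AppUser" "cmd /c echo probe > C:\Windows\probe.txt"
```

Two caveats worth knowing before relying on this: it confines file and registry writes, not network access, and the dedicated account can still read anything the Users group can read. It also gives no interactive allow/deny prompt; failed accesses show up only if you enable object-access auditing on the folders you care about.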


I believe someone has made this comment already, but I gave up on “anti-virus” long ago. I keep full installed (clean) images of all my computers as well as those of most of my direct family.

With compression nowadays and the amazing cheapness of storage, you can have a TB array without much cost. I have a resident Linux server, which has NEVER had a virus in 9 years, hosting the TB array, and when I have issues I simply plug in my recovery USB flash drive, or CD for some of the older computers, and dump the clean image back on my disk. If I am remote I can dial in to my server over the net, or I can just burn it to a DVD. Though the DVD solution is ungodly slow.

I recently had a virus/malware issue, and within 30 minutes or so of realizing there was an issue I was up and running on a newly dumped image. I do keep my documents/hard data stored on the server as well, though, so I don’t have to worry about data loss on the image dump.

I think everyone should use this method, it all but removes virus and malware threats.

Just my two cents.


I like RobDude’s idea; reinstalling Windows should not mean reinstalling every piece of crap I own. The registry is a mess. Can anyone remember off the top of their head where Unreal Tournament 2004 stores its own CD key?

The registry was supposed to be a replacement for ini files, but I think ini files and folder permissions for an app should be what RobDude is suggesting.


That’s bullshit. I always run as administrator and my comps have never been infected.

There is only one lesson: don’t be dumb.


I’m all for spreading the (half-)truth that Linux/OS X are safer…

The more Unix-based users there are, the more software will come out for these platforms.

Everything is a double-edged sword, though. More users means more interest from the malware-creation community.



I have been BEGGING for that very same scheme for years.

It sucks having to reinstall all my apps if I scrub my OS, upgrade my hard drives or change the way my “tear-off” VM is built. Just plain dumb.

The Registry was a big step backwards in usability.


Non-English people have a big advantage against all that spam virus e-mail. As my wife does not understand English, she never opens a mail that is not in French. :)


I applaud the guy who can restore his system from an image in 5 minutes. You must have a smoking fast network to do that, and a small system disk. See, whenever I back up/restore it takes hours and hours, and that’s to a FireWire drive.

See, the problem is:
1 - any data would have to be backed up first. There are many stupid programs that hide data in strange folders.
2 - your disk image would always have to be up to date.
3 - you have to keep multiple images, because what happens if you got a virus, didn’t know, and then made the backup? You’ve just backed up the virus.

You just can’t win. Virtualisation and backups are just band-aids that help but can’t solve the problem.

I just don’t bother with small scale / unknown 3rd party apps anymore because it’s not worth the risk. I stick to well-known vendors and hope for the best.


Another converted Ubuntu user here. Someone mentioned above that the WinNT security model is actually far ahead of the standard UNIX security model - and that’s true. The traditional ext3 filesystem for Linux only allocates nine bits per file for permissions information - stored as three octal numbers. It’s absolutely a holdover from the years when hard drives were measured in tens of MBs.

In contrast, the NT security model has cascading ACLs, arbitrary numbers of groups and users per file, and far more levels of permission than the UNIX read/write/execute bits. SELinux and extended attributes (xattrs) can add the same fine-grained security to Linux, but honestly, most people outside of the security profession don’t use them.

The key difference here is that the WinNT ecosystem has a different culture - a culture of fear, as Jeff said, but also a culture of default-allow. Combine that with the unfortunate integration of IE into the operating system (which is only finally being decoupled in Vista) for political reasons and we have a perfect storm, a malware deluge.

The UNIX culture, however, has a long history of multi-user computers. One of the first things you learn as a new Linux user is about file permissions, and about user accounts. It’s not like this is too hard for users to grasp - permissions are used extensively in things like SharePoint and CMSs, where users understand and like the ability to control access. But since it’s not a part of day-to-day use of the OS, it doesn’t occur to them that files on the hard disk can have the same setup. It’s a shame, because they are, after all, working with a great security model - if they realized it.


I would like to see some answer from the VM proponents to Mr Sandman’s comments about the price of extra windows licenses… we don’t all have MSDN.


There seems to be a lot of spreading of the fear culture here among the comments. From some of the comments you would almost deduce that every Windows installation is riddled with viruses and trojans; perhaps I may humbly suggest you take a basic 101 computer course if that’s your experience.

Also, we have to distinguish between getting a virus warning when visiting a site or receiving an email and the system actually being infected. I have known people that have reinstalled the system when all that happened was that the antivirus alerted when visiting a website, or alerted on a scan that something was in the temporary files cache. It doesn’t mean the machine was infected, but most users seem to think that.

And, like I said previously, how often does this happen, really? Most people don’t get viruses on a daily basis or even on a yearly basis; that’s what it sounds like in this article and in the comments. A user with some common sense who does not download things and stays away from “warez” and those kinds of sites will not get a virus infection just out of the blue. It was a very long time ago that Windows had the kind of bugs where you could get infected just by being on the internet; it just doesn’t happen today. Again, a page or a file in the cache is not an infection.


The more you blog about blogging, the less likely I am to read it. Apparently this has become the meta-blog…


I have a tech-savvy buddy with an interesting strategy. As one with in-demand skills, you’re time limited. His strategy is pretty simple - called Three Strikes.

The first time a family member’s or friend’s computer is infected, he fixes it for free. Whatever it is. Does it require a complete rebuild? Install a proper firewall, anti-scum… whatever it takes.

The second strike is at cost. I don’t know his billing rates.

The third strike calls for a Linux install, also free.

He reports that a cousin is now running Ubuntu, and seems to like it. His Dad has had his second strike.

It doesn’t work for me, though. I have a brother who fixes Windows for a living, and seems content to keep fixing my Dad’s machine.


I don’t know if you are familiar with Winpooch: it is what I would consider the new generation of protection software, and it also comes (coincidence? I think not) from the open source universe. It is pretty much a quick fix, but the only way a long-term fix could be made is if Windows took the direction suggested by RobDude.

From the Winpooch website:

“Winpooch uses the API hooking method. It spies on programs when they are running and gives the user powerful control of their activity. For example, you can forbid a program to write in a system directory or in the registry, or else to connect to the internet. That makes the difference from other anti-spyware using a database of known signatures.”

Quite similar to sandboxing. Too bad it really needs the user’s ability to tell what should be trusted and what not, and it doesn’t at all fix the problem of a trusted, licensed app which has an inner vulnerability that makes it a backdoor for attacks.

But as long as the regular user would even at times ignore virus warnings from current antivirus software, as I have recently seen (mistaking .mp3.exe files for archives), there is absolutely no chance for a safe world without some big changes being made.


INI vs Registry


This is an old blog entry but I thought I’d post a comment anyway.

This is for Windows people that for whatever reason have decided to keep running as admin for convenience’s sake. I am NOT advocating this over running as a simple user on the desktop, but since people do it anyway… there is a way to have your cake and eat it too. Since most vulnerabilities come from running apps that connect to the internet, run those select few apps with simple user privileges on your admin desktop. Here is how:

Get PsTools from Microsoft. A free download; it contains psexec.
For each app, create a batch file invoking psexec with the app as the parameter and -l for limited user mode.
Get a free batch file compiler to compile the batch file into an exe and make it so it doesn’t display the console window.
Replace your app shortcuts with ones pointing to your compiled batch file. Change the icons too. Good candidate programs are your browser, torrent client, eMule, mIRC, MSN, whatever you know accesses the net. Make sure you also go through each program once as admin to take care of all firewall and folder permission issues on the download folders.
You do this once when you set up the machine. Won’t take more than 20-30 mins. After that it’s NO EXTRA HASSLE. You just get a few more cmd and psexec processes in Task Manager.
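Added example, not the commenter’s own scripts: the steps above, done once in PowerShell. Instead of compiling a batch file to hide the console, each shortcut targets psexec.exe directly with the program as its argument and is saved minimized, which gets the same result with fewer moving parts. It ends with the check the procedure itself does not include: launching whoami under the same -l flag to confirm the token really was restricted. The PsExec location and the program list are assumptions; substitute your own.

```powershell
# Added example, not from the original comment. Creates one desktop shortcut per
# network-facing program that launches it through "psexec -l" (restricted token:
# Administrators group stripped; Low integrity on Vista and later). The PsExec
# path and the program list are assumptions. Run once from the admin desktop.
$PsExec = 'C:\Tools\PsTools\psexec.exe'        # assumed location of Sysinternals PsExec
$Apps   = @{                                   # assumed net-facing programs on this box
    'Firefox'  = 'C:\Program Files\Mozilla Firefox\firefox.exe'
    'uTorrent' = 'C:\Program Files\uTorrent\uTorrent.exe'
}
$wsh = New-Object -ComObject WScript.Shell

foreach ($name in $Apps.Keys) {
    $exe = $Apps[$name]
    if (-not (Test-Path $exe)) { Write-Warning "$name not found at $exe"; continue }

    # The shortcut targets psexec itself, so no batch file and no batch compiler
    # are needed. -d makes psexec return immediately so its console closes at
    # once, and WindowStyle 7 (minimized) keeps that brief console out of sight.
    $lnk = $wsh.CreateShortcut("$env:USERPROFILE\Desktop\$name (limited).lnk")
    $lnk.TargetPath       = $PsExec
    $lnk.Arguments        = "-accepteula -l -d `"$exe`""
    $lnk.WorkingDirectory = Split-Path $exe
    $lnk.IconLocation     = "$exe,0"           # keep the program's own icon on the shortcut
    $lnk.WindowStyle      = 7
    $lnk.Save()
}

# Check that -l really restricts the token before trusting the shortcuts.
# In the /groups output, BUILTIN\Administrators should carry the attribute
# "Group used for deny only"; in the /priv output, privileges such as
# SeDebugPrivilege and SeBackupPrivilege that only administrators hold should be gone.
& $PsExec -accepteula -l whoami /groups
& $PsExec -accepteula -l whoami /priv
```

One limitation to keep in mind: the restricted process still runs on the administrator’s interactive desktop, so it is isolated from the filesystem and registry, not from the other windows on that desktop. That gap is what the integrity levels and UIPI introduced with Vista address; on XP it remains open.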