The Insecurity of Security Software
H316 writes "BusinessWeek is reporting that, despite a number of software products meant to safeguard Windows PCs from harm, a rising number of them endanger their hosts because of poor design and flaws. From the article: 'A new Yankee Group report, to be released June 20, shows the number of vulnerabilities found in security products increasing sharply for the third straight year -- and for the first time surpassing those found in all Microsoft products.'"
Yeah, don't know if this has changed, but on one of my machines my "virus" protection software absolutely needed Internet Explorer, and would override my default browser setting to use IE for any of its "transactions"... Considering the history and track record of IE and my long ago decision to eschew any use of IE this was upsetting to say the least. I cancelled my subscription, sent a letter, and re-upped with a different vendor. To this day, I've never gone back to check to see if this vendor has "fixed" their approach, though I never got any response to my letter. (I choose not to name names, it isn't necessarily about "them"... I find this to be a somewhat absurd universe that an entire industry has grown up around an OS stillborn in the context of capable security (not perfect, just capable!)) Heavy sigh...
Not to worry, though, maybe an industry will spring up around the security software industry... providing us with meta-security software...! (even heavier sigh.)
Aside: (but related), I wonder, has anyone ever investigated, researched, done any benchmarks about how many/what percentage of CPU cycles are allocated just for virus checking (and other security checks)?
"If you put chocolate sprinkles on shit, all you have is shit with sprinkles on top."
The point being, the software that runs on top of any OS can only be as secure as the OS itself.
"Teleporting Rodents with D-Cell Battery Displacement" theory -- IgnoramusMaximus (692000)
Anyone here actually trust Yankee Group anymore? Remember this? http://linux.slashdot.org/article.pl?sid=05/04/05/007214&tid=163&tid=187&tid=109&tid=98&tid=106
Well, it turned out that the study was funded by a Windows house: http://filtered.typepad.com/markjones/2004/04/about_face_on_y.html "The survey was funded and carried out by Sunbelt Software, a vendor of Windows utilities, which publicised the survey through a mailing list called W2Knews, which bills itself as "The world's first and largest e-zine designed for NT/2000 System Admins and Power Users"."
So who funded this report?
It's painfully obvious that for any applications requiring real security, you just plain shouldn't use a PC. I got ragged on a lot by my coworkers, but I always recommended an OpenVMS (on Alpha or real VAX) solution. Funnily enough, that stopped after their PC based solutions running Windows 2003 Server were cracked on a weekly basis. And that was on one of our smaller, less known websites. Our major web sites, which we run off of our OpenVMS cluster, remain completely secure.
Indeed, VMS offers the best combination of security through security and security through obscurity. The system itself is inherently rock-solid, stable and secure. Combined with the fact that most script kiddie crackers, and even some of the more seasoned pros, lack basic VMS knowledge, you're looking at very reliable systems from a security standpoint. The chance of becoming the victim of crackery is very minor.
Cyric Zndovzny at your service.
I've avoided anti-virus programs far as I can recall. I use them, but I don't like to run them in real time or pay too much for them.
The basic problem with them is that they're just more complex code on top of already complex code, trying to fix problems that are mainly caused by that complexity in the first place.
The result is a much slower computer that the anti-virus software inadvertently affects the way a virus would.
Stopping programs, and causing something not to work correctly.
All virus programs are basically parasites, anti-virus programs are just bigger parasites far as I'm concerned.
They have their place, but they should be simple, free and not be the answer for security. When they are not, they're themselves a risk.
Nobody knows the trouble I've seen, nobody knows how the trouble has seen me, even I sometimes wonder why I write these lines
But it is the security firms that promote this idea that if you run their software, your box is "bullet proof". The truth is that these companies are mercenary, and would say just about anything to get people to buy the latest version and then subscribe to updates. I'm not a tinfoil hat type, but there are some who have said such companies have no interest at all in reduction of threats, because it results in lower sales.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
I'm sure it's just a coincidence that the Yankee Group, who are not exactly known for their impartiality, have released a report saying that 3rd party security apps (read that, AV, firewall, and spyware blockers) are insecure just as Microsoft gets ready to take their spyware software out of beta and unveil their antivirus software. Riiiight.
Yes, my only tool is a hammer. And you're starting to look like a nail.
"Aside: (but related), I wonder, has anyone ever investigated, researched, done any benchmarks about how many/what percentage of CPU cycles are allocated just for virus checking (and other security checks)?"
On a related note - aren't some of those cpu-cycle-eating virus scan options rather redundant? (Serious question) if you've enabled on-the-fly virus scanning of reads/writes from/to the disk, aren't the other options - incoming email scans, for instance - unnecessary? I guess I'm wondering which "added protections" are driven by marketing rather than actual need.
#DeleteChrome
The software can't detect the virus on your machine until it's scanned for it. It can't scan for it until it knows the signature. It can't know the signature until it gets an update from the company. The company can't include the signature in their update until somebody discovers the virus in the first place and reports it. By the time somebody discovers it, it was already there, got to your hard drive, infected it, and left. Buh bye!
The only security is do-it-yourself security. Learn to think like a cyberterrorist, and you will defend yourself from cyberterrorists. Don't just go to the store and buy one of the books marketed to people like you. Those things are always 90% hot air, and only incidentally contain anything useful.
I mean visit the "underground" websites, join the clubs, fake being what they are (they're all fakes anyway, so they'd never make you.) while you learn what they do, learn about TCP/IP, learn Visual Basic and Javascript and other favorite cracker languages, and most importantly, learn what's on your own hard drive. You should be able to do a low-level grovel through your entire directory tree, read every file, and not have a single byte of that data surprise you. Get some kind of tool for tracing processes and threads. You can keep one open all the time, and with practice, you can get to name every process, daemon, and socket before the system is about to use it. Get a hex editor and learn how to read hex - it's the easiest thing in the world, and the editor even helpfully translates text codes into words for you in a side column. You should at least be able to tell what first few numbers start which kinds of files.
I've never relied on a third party for security, and I never will. I've used security software occasionally, and without fail it eventually breaks down. For one thing, security software is usually the first thing targeted and disabled.
Learn or Burn!
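The "know what's on your own hard drive" advice above (read every file, know which first bytes start which kinds of files) can be turned into a small audit script. This is an added example, not code from the comment: it walks a directory tree, identifies each file by its leading bytes instead of trusting its extension, and flags the two that disagree. The MAGIC and EXPECTED tables are a short hand-picked subset (an assumption, not a complete signature list), and the sample tree is constructed in a temp directory so the script runs offline.

```python
"""Identify files by magic bytes and flag extension/content mismatches.

Added example, not code from the original comment. MAGIC and EXPECTED
are deliberately short, hand-picked tables (assumptions). The sample
tree is constructed from a few fake byte strings, not real binaries.
"""
import os
import tempfile

# (magic bytes, offset, label) -- hand-picked subset of common formats
MAGIC = [
    (b"MZ", 0, "pe-exe"),               # DOS/Windows PE executable stub
    (b"\x7fELF", 0, "elf"),
    (b"%PDF-", 0, "pdf"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"PK\x03\x04", 0, "zip"),          # also docx/xlsx/jar containers
    (b"GIF8", 0, "gif"),
]

# Which content labels are legitimate for a given extension (assumed map)
EXPECTED = {
    ".exe": {"pe-exe"}, ".dll": {"pe-exe"}, ".scr": {"pe-exe"},
    ".pdf": {"pdf"}, ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".zip": {"zip"}, ".docx": {"zip"}, ".jar": {"zip"}, ".gif": {"gif"},
}


def identify(data: bytes) -> str:
    """Return a content label from the leading bytes, or 'unknown'."""
    for magic, offset, label in MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return label
    # Printable ASCII plus tab/CR/LF in the first 512 bytes: call it text
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data[:512]):
        return "text"
    return "unknown"


def audit_tree(root: str):
    """Walk root; return sorted [(relpath, ext, label, mismatch)]."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(512)
            label = identify(head)
            ext = os.path.splitext(name)[1].lower()
            # Mismatch: we know what this extension should hold, and it is not that
            mismatch = ext in EXPECTED and label not in EXPECTED[ext]
            results.append((os.path.relpath(path, root), ext, label, mismatch))
    return sorted(results)


def build_sample_tree() -> str:
    """Constructed sample files (fake headers, not real binaries) in a temp dir."""
    root = tempfile.mkdtemp(prefix="magic_audit_")
    samples = {
        "notes.txt": b"plain text notes\n",
        "report.pdf": b"%PDF-1.4\n%constructed\n",
        "taskmgr.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,         # executable posing as a photo
        "invoice.zip": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # PNG with a .zip extension
        "bin/mystery": b"\x7fELF\x02\x01\x01" + b"\x00" * 9, # no extension at all
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, ext, label, bad in audit_tree(build_sample_tree()):
        flag = "MISMATCH " if bad else "         "
        print(f"{flag}{rel:14s} ext={ext or '-':6s} content={label}")
```

The interesting lines are the ones the extension alone would never show you: an "MZ" header behind a .jpg, and an image behind a .zip. Reading 512 bytes is enough for every entry in this table; real signature databases check more offsets and more formats, but the shape of the check is the same.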
When Microsoft turned on the automated bug reporting in XP the biggest reported cause of crashes was video drivers. But second to that was security software. Virus scanners and the like. Security software has a tendency to dig deep into the system and then crash. Virus scanners will install low-level file system filters to intercept activity, and then have a buffer overflow, bringing the whole system down with it.
Of course, since this was found out, Microsoft has been holding security software conferences and getting vendors to fix their shit. And Longhorn tries to more actively fix the problem by sandboxing kernel file system filters, among other things.
I loaded a thirty-day trial version of TDS-3 on her machine and found there were only a couple trojans left.
One of them was that goddamn crap that names a file "t?skmgr.exe" - so that you can't delete it from the XP Recovery Console because stupid Microsoft won't let the RC delete command run wildcards (for "security" reasons, right?), and you can't SEE it in Explorer because it looks just like taskmgr.exe, so you can only tell which one it is by looking at where they appear in the file listing. Then they make it a hidden, system and read-only file and of course it's in use by a process, so Windows won't let you touch it.
Bart's PE and Knoppix couldn't help me with this one.
Acting on a tip from the Net, I loaded Winfile, the old Windows NT file manager, and managed to rename it, move it to another directory, so it couldn't be run, and after rebooting into safe mode, I could delete it.
The other trojan was the one that originally was driving me nuts. I forget how I finally got rid of that one.
There was still at least one spyware somewhere, so I loaded HijackThis on and got rid of some more crap.
And finally I found a "Security Agent" from "CastleCops" which was actually a trojan. The service was running but the rest of it had already been cleaned, so I disabled the service.
Plus I went into the Registry and clobbered everything I could find that wasn't a known user, Microsoft or Dell installed program. I think I cleaned out a lot of spyware keys that even all the other antispyware programs didn't find.
Then I checked the client's account status and found she was running as Administrator, so I switched her to limited. That caused TDS-3 to stop working under her account (apparently it needs not only Admin status to install, but to run, no surprise given what it does). I got confused by XP's stupid "tri-mode flag" technique of labeling all file folders faux "read-only" into thinking somehow the disk was screwed, but I finally determined that was not the case. So she's back to running as Administrator until I can tell her to create a new account (because I don't know what's been installed by her as Administrator so I don't think it's safe to just change her back to limited - something other than TDS-3 might break) and move her desktop icons over to the new profile.
She seems to be clean now - no system error messages, no popups, and the system seems stable.
It only took me another eight hours - mostly because I don't have a Bart's PE and Knoppix that's REALLY loaded with anti-trojan, AV, spyware and other tools. That's my next project - buff up my bootable tools so I can access ANY file ANYWHERE and kill it.
I get my hands on the asshole wrote that "PurityScan" adware trojan, I'm gonna nail his knees to the floor with railroad spikes - so he stays put while I really do some damage to him.
Somebody needs to start scanning Web sites where this crap comes from, report the assholes to the law, and get the lot thrown in jail. NONE of this stuff came in through email because my client uses Web mail exclusively. That means it came from Web sites. So why not set up a Web scanner that visits suspicious Web sites, downloads this crap into a sandbox, logs everything as evidence, then publishes it as a blacklist - a "reverse honeypot"?
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
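The "t?skmgr.exe" trick described above works because a name that renders like taskmgr.exe is not the same bytes as taskmgr.exe, and a directory listing hides the difference. An added example, not the commenter's tooling: it takes a list of filenames, reduces each to a comparable skeleton (NFKC normalisation, a few look-alike characters mapped to ASCII, case folded, spaces and control characters stripped) and reports names that collide with a known system binary without being identical to it, plus any name carrying non-ASCII or control characters. KNOWN and CONFUSABLES are short hand-picked tables, and SAMPLE_LISTING is constructed; none of it is a complete confusables database.

```python
"""Spot look-alike executable names in a directory listing.

Added example, not code from the original comment. KNOWN and
CONFUSABLES are hand-picked subsets (assumptions); SAMPLE_LISTING is a
constructed directory listing, not a real capture.
"""
import unicodedata

# System binaries worth impersonating (hand-picked subset)
KNOWN = {"taskmgr.exe", "svchost.exe", "explorer.exe",
         "lsass.exe", "winlogon.exe", "csrss.exe"}

# Characters that render like ASCII letters (hand-picked subset)
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic/Ukrainian i
    "\u0131": "i",  # Latin dotless i
    "\u0261": "g",  # Latin small script g
    "0": "o",       # digit-for-letter swaps
    "1": "l",
}


def skeleton(name: str) -> str:
    """Reduce a filename to a comparable form: NFKC, confusables -> ASCII,
    lower-case, with separator/control/format characters dropped."""
    out = []
    for ch in unicodedata.normalize("NFKC", name):
        ch = CONFUSABLES.get(ch, ch)
        # Categories C* (control, format, unassigned) and Z* (separators)
        if unicodedata.category(ch)[0] in ("C", "Z"):
            continue
        out.append(ch.lower())
    return "".join(out)


def suspicious_chars(name: str) -> bool:
    """True if the name holds any non-ASCII or control/format character."""
    return any(ord(c) > 126 or unicodedata.category(c)[0] == "C" for c in name)


def find_lookalikes(names):
    """Return {name: reason} for names that impersonate a KNOWN binary
    or carry characters that should never appear in a system file name."""
    findings = {}
    skel_known = {skeleton(k): k for k in KNOWN}
    for name in names:
        if name.lower() in KNOWN:
            continue  # the genuine article
        target = skel_known.get(skeleton(name))
        if target:
            findings[name] = f"lookalike of {target}"
        elif suspicious_chars(name):
            findings[name] = "non-ASCII or control character in name"
    return findings


# Constructed listing standing in for a System32 directory
SAMPLE_LISTING = [
    "taskmgr.exe",           # genuine
    "t\u0430skmgr.exe",      # Cyrillic 'a' in place of Latin 'a'
    "svch0st.exe",           # digit zero for 'o'
    "explorer.exe",          # genuine
    "expl\u043erer.exe ",    # Cyrillic 'o' plus a trailing space
    "notepad.exe",           # not in KNOWN and clean: ignored
    "r\u0435adme.txt",       # odd character, no KNOWN collision
]

if __name__ == "__main__":
    for name, reason in find_lookalikes(SAMPLE_LISTING).items():
        codepoints = " ".join(f"U+{ord(c):04X}" for c in name)
        print(f"{name!r}: {reason}  [{codepoints}]")
```

Printing the code points next to the name is what makes the finding actionable: it is the one representation in which "t?skmgr.exe" and taskmgr.exe cannot be confused, and it tells you exactly which byte to match when you go to rename or delete the file.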
1) "Doctors" (in the usual sense of physicians) don't find cures. MD PhDs, biologists, etc. do.
2) When someone does find a cure or a treatment, that person rarely makes any extra money either way. We actual researchers have no motivation to aim for the best financial solution. It's insulting to see someone taking Chris Rock's _joke_ seriously.
3) Despite my objections to the medical case, I think that this behavior is much more believable in the realm of software.
My system slowed to a crawl. I do a lot of CAD design, and the responsiveness of my system is very important to me, as I do a lot of independent work and I am working on my own time, not paid by the hour like a lot of corporate stuff.
So, I nixed the constant scanning, as well as the routes viruses routinely come in ( javascript, Microsoft Outlook, unverified but suspected plug-ins such as RealPlayer, etc. ). Yes, I still run ZoneLabs firewall which lets me know if some site I hit upon is likely to be hostile by the relentless torrent of port connection attempts some unleash on me. Or if I hit upon business sites which require me to enable JavaScript or use some proprietary technology for them, I regard them with the same distrust they would regard me with if I asked them to leave the till of their cash register open, don a blindfold, and trust me not to rummage through their cash. I am fully aware they are asking me to open channels which are used as viral conduits into my machine.
I do like to run integrity monitors from time to time to see if any of my core files have changed, as I still run old DOS/WIN95 installations, and it is simple enough to lock down a few core files and processes, as WIN95 was coded in a day where acceptance of new technology was highly dependent upon understanding of how it worked.
All of my debugging tools (SoftICE, WDASM, IDA ) work great with the old code - if I have any rough edges with anything, it's easy enough to open up and fix. That's something I flat can not do with today's technologies, whose security lies in keeping people like me ignorant of the inner workings of critical computational infrastructures so that someone else can produce code I can neither alter nor verify the true intents of. My own take is the latter code is made mostly for corporations who settle disputes with negotiators and litigation, not a debugger.
If people only knew how their stuff worked, we would not need antivirals.
But then, IP protection would not be possible either.
As a people, we must decide which is more important to our survival - seeing to it our needs are met by fully comprehending how our stuff works, or seeing to it that others have a right to keep the rest of us ignorant, and trust them to "do the right thing".
We are heading down a slippery slope these days.
You think the DOS attacks against servers are bad? Just wait for the next wave of viruses which are not designed to snoop, but to alter the machine just enough so its hyper-security software detects the hiccup and uses its full authority to deny obeyance to its own legal rightful owners...
I see the day coming when some huge corporation gets locked out of its own database by some trivial little data manipulator function over some expiring authorization code embedded by some little no-name contractor several years ago... The database is locked. Strong hardware security locks prevent bypass. The contractor died. How do you handle a problem like this through legal means? Sue God to have Him resurrect the dead programmer so he can reauthorize the code?
Or, as one old wise man told me, "Trust, but verify".
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
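The integrity monitor mentioned above ("lock down a few core files and processes" and check whether they have changed) is simple enough to write in a screenful. This is an added example, not the commenter's own tool: it records a SHA-256, size and permission-bits baseline for every file under a watched root, then diffs a later snapshot against it and reports what was modified, added or removed. The demo() function builds a constructed tree of three fake "core files" in a temp directory and tampers with it so the diff has something to show; nothing here touches a real system directory.

```python
"""Minimal file integrity monitor: baseline, then compare.

Added example, not code from the original comment. The watched tree and
the tampering in demo() are constructed in temp directories.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """{relative path: {sha256, size, mode}} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            snap[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,   # permission bits only
            }
    return snap


def save_baseline(snap: dict, path: str) -> None:
    """Write the baseline as JSON. Keep this off the monitored host or on
    read-only media; a baseline the attacker can rewrite proves nothing."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; any change to hash, size or mode counts as modified."""
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Build a constructed 'core files' tree, baseline it, tamper, return the diff."""
    root = tempfile.mkdtemp(prefix="fim_root_")
    for rel, data in {
        "command.com": b"MZ constructed original\n",
        "win.ini": b"[windows]\nload=\nrun=\n",
        "autoexec.bat": b"@echo off\n",
    }.items():
        _write(os.path.join(root, rel), data)

    baseline_path = os.path.join(tempfile.mkdtemp(prefix="fim_base_"), "baseline.json")
    save_baseline(snapshot(root), baseline_path)

    # Simulated tampering: patch one core file, drop in a new one, delete another
    _write(os.path.join(root, "command.com"), b"MZ constructed PATCHED\n")
    _write(os.path.join(root, "vxd.386"), b"new unknown driver\n")
    os.remove(os.path.join(root, "autoexec.bat"))

    return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Two points the code makes that the prose does not: the baseline has to live somewhere the running system cannot rewrite, or the comparison is theatre; and the monitor only tells you that a file changed, not whether the change was yours, so it is a tripwire to run after every deliberate update, not a replacement for knowing what you installed.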
As I've been saying before, it's not just that they're insecure too, it's that it's a pain even when working as intended. In fact, it's often worse not just than Windows being vulnerable, but actually worse than being virused.
They're slow for a start. At work we've tried copying the same large directory full of many small source files to a file server, once with Norton Antivirus running on the workstation and once without. Without it takes tens of seconds. With it, it takes slightly over 40 minutes.
And we're talking pretty good workstations. I hate to think of the poor bugger running it at home on some Cyrix 300+ box. (Yes, there are quite a few of those still in use.) I believe being virused and spywared six ways to Sunday wouldn't slow their machine as much.
But wait, it goes downhill from there.
At one point I wanted to install Windows 2000 on a new machine. As fate would have it, I didn't have a firewall on a CD, and didn't know yet about the IPSec filtering built into Windows itself. (Yeah, noob.) So I decide to make a sacrificial install, let it get virused (took 10 seconds flat) while I download a firewall, then format and reinstall.
But then I get curious, and after blocking the ports, I try to play with the virus. The saddest part? Installing Norton didn't even recognize it. The almost as sad part? It slowed down the machine more than the virus did.
And then it goes even more downhill, e.g., McAfee. Ooer. Now that was a festering piece of crap.
1. Probably the "least" of problems: the ActiveX updater requires IE to run, but it's too stupid to actually launch IE. It launches whatever default browser is currently configured, e.g., Mozilla or Opera, and then can't update. So basically if you installed Mozilla or Opera on someone's computer to protect them from IE exploits, they won't be able to update McAfee. Stupid.
2. At one point, after an update, I ended up with _two_ versions of it running at the same time. Presumably because the original installation was on the "D:" drive, while the stupid updater installed the new version to the default directory on "C:". So then I had both running at the same time (and slowing down the machine accordingly.)
It's just sad, folks. You know that a piece of software is written by retarded monkeys when it can't even remember a simple setting like the install directory.
3. Their "privacy" part, and the fashionable rushing to proclaim _any_ cookies as "spyware", basically made it impossible to use any web site that requires login.
4. When uninstalling it, point 2 struck again. It only uninstalled one of the versions, and left the other running. With no obvious uninstaller entry, or any other recourse than to manually edit the registry and manually delete files. (Did I mention "coded by clueless monkeys" yet?)
And so on.
And then there's the occasional over-reacting oddball, like G-Data, which (among other nuisances) quarantined all versions of mIRC I had downloaded or installed, for no reason other than IRC being in their opinion a security risk. Not a discovered vulnerability in it, not a virus, just an opinion that IRC is bad. Right. So does that mean they'll quarantine IE and Outlook Express soon too, or? Disable the TCP/IP stack because that's where viruses come from? Or?
Or, G-Data again, which still can't keep their code and data segments separated, so it won't run with the NX (no execute) bit protection in XP. Riiight. So a security product can't deal with the Windows security option that prevents buffer overflow attacks. I'm impressed.
I dunno, it's an industry that I find outright sad. Now I can understand a corporate intranet blog site, or something else that doesn't really matter, being coded by cheap monkeys off the street and designed by marketroids purely for buzzwords' sake. ("Oooh, let's _pretend_ we save them from spyware too.") But from an industry whose self-proclaimed goal is to make Windows secure, they have no excuse for doing such a half-arsed job.
A polar bear is a cartesian bear after a coordinate transform.