New IM Worm Installs Own Web Browser

Aquafinality writes "A new IM worm discovered recently takes the novel step of installing its own web browser onto the victims PC. Ironically titled "The Safety Browser", its default settings actually make your PC less secure - switching on pop-ups, changing your home page and hijacking your desktop with a looped music track that plays every time you switch your computer on. It's clear people cannot resist clicking "yes" to anything they're presented with via IM - with this in mind, what on Earth can we do so stop the spread of garbage like the above? To put it another way, will reducing the amount of potential "suckers" out there dissuade the bad guys from coming up with ever-more elaborate ideas such as this latest scam? Or is IM safety a lost cause?"

Again, is it IM's fault?

[yagu]

Once again, fingers pointed at some conduit when the true culprit still seems to be Microsoft's OS. If I were to click the link in gaim, on a linux machine (assume for the sake of argument, this browser is platform independent and would work on a linux box)?

Probably not, because the typical default access for a linux user is unpriveleged (I've been working intensively in the linux environment, and I'll bet I've not been logged in as a priveleged user (i.e., root) more than two or three times a year during that span). But, an extremely significant percentage (I'll bet it's over 80%) of Windows users continue to be logged in with administrative priveleges -- most without knowing and understanding what that even means.

Until there's a more consistent and pervasive culture (come on Microsoft, help out with this... how about a PSA campaing?, you can afford it) where users have non-administrative logins, there's little to be done. I still see people on older machines where they haven't even bothered to configure users for their older Windows machines... and don't have the slightest concept of partitioned separate logins for distinct different users.

This isn't entirely IM's fault.

(In the meantime, if you're a serious PC user and you want some piece of mind, spring for the extra $500 for your own machine and make it yours and yours only. It's how I've set up friends who use their computers for business/profession who've nearly given up on PC technology what with (shared home) machines popping porn, running slowly, and going Toes Up on them. Sigh.)

Re:Again, is it IM's fault?

[IamTheRealMike]

It's not the fault of IM but it's not Windows' fault either. As pointed out by others, privilege separation does not solve malware. Period, end of story, it achieves nothing. Unsurprising given that it was designed to solve an entirely different problem, back in the days when malware didn't exist.

The key problem here is that a program is able to impersonate a user in such a way that other humans can't tell the difference. People are very reliant on trust cues to guide their decision making and computers routinely present incredibly misleading trust cues. Messages that say they are from a friend but actually are not are just evil, and should not be allowed. In practice this means fixing chat programs so that they can't be controlled by other programs and ensuring the local password is encrypted sufficiently well (or simply not stored at all) that a program can't establish a direct network connection.

Re:Again, is it IM's fault?

[XXIstCenturyBoy]

Because you think that if you install Linux on Joe Somebody's machine, he will not enter the root password when asked for it?

OSes are as secure as the person using it. To think anything else is ridiculous. And that applies to every OSes.

And I'll get modded down for what I am about to say, but people blame MS for everything, saying they can't do things right, that it should be open source, security through transparency and whatever. But right now, no open source distribution out there is secure if used by a technologicaly challenge user. And some of those open source project have been worked on for years... What is MS to do? Open Windows sources and wait 20 years and go trough 20 forking projects for someone to finally get it right? All the while, only knowledgeable people will have a secure OS?

Re:Again, is it IM's fault?

[Dan+Ost]

Unless you're absolutely confident that there are no way for a local user to
escallate their priviledge, you can't trust anything on your machine after
a user account has been compromised.

I've never had a machine compromised (that I know of), but if I did, I'd
reinstall the box, just to be sure.

Re:Again, is it IM's fault?

[Iron+Condor]

Probably not, because the typical default access for a linux user is unpriveleged (I've been working intensively in the linux environment, and I'll bet I've not been logged in as a priveleged user (i.e., root) more than two or three times a year during that span). But, an extremely significant percentage (I'll bet it's over 80%) of Windows users continue to be logged in with administrative priveleges -- most without knowing and understanding what that even means.

Disclaimer: My experience is with VAX and Unix boxes in the eighties, my first Linux kernel was 0.9something but I have used Windows only since 98SE. I never really got to "learn" windows and am much less clear on the internals. On the "how is this supposed to work".

With more than two decades of serious computing behind me, I still do not understand what "Administrative privileges" really means in Windows. Or what it is good for. In U*X everything is a file and thus those magical "privileges" simply boil down to what you can do with a file (including files in /dev, /proc, directories in general, etc). There's a layer of abstraction where I understand that access to this 644 means that I can only read it, but the owner can write to it as well. That's easy.

In windows, it has never been terribly clear to me -- there appears to be some nod in the direction of file permissions, but all I've ever seen of them is that sometimes I have trouble messing with something the wife has been working on -- that kind of thing. Sometimes there's no problem. Sometimes logging in as admin solves some problem that I have but I hesitate to do so since I nevere really know what Windows does behind the scenes that might become a problem if I were to be logged in as Admin.

In the end, the preferred way to do something that I can't do as user is to fire up cygwin and do it from the linux prompt.

And ours is the rare enlightened case where someone took the trouble of setting up user accounts at install time. It was certainly not in the least obvious when and where to set up this kind of thing. I cannot fathom why I would've bothered with it if I hadn't had a Linux backgroud. It's not like XP pops up a screen during install explaining what an Admin is and how he is distinguished from a normal user.

I still see people on older machines where they haven't even bothered to configure users for their older Windows machines... and don't have the slightest concept of partitioned separate logins for distinct different users.

Of course not - why would they? This is my computer, I'm the only one using it, if the kid gets old enough to want to diddle with it I'll buy him his own computer. Why would I be setting up different "users"? I doesn't make sense in the Windows model.

U*X (and VMS and ...) was developed in a networked multi-user context of universities and research labls. Windows was developed to make one computer do one thing for one user. "Multi-user" is an afterthought. Network security is an afterthought. The entire computer-as-an-appliance model of how a computer should behave in Windows just doesn't lend itself to the notion of a "privileged account". You don't have a privileged account in your toaster or your microwave, do you?

Now it gets hairy: If I grant for a moment that there's no such thing as absolute computer security, then all these unsecured windows boxes out there are just the low-hanging fruit. Viruses and worms are only as smart as they need to be to pick those. This is fine with me as it means I merely have to have my fruit hanging higher than everybody else's. My house doesn't have to be absolutely burglar-proof -- just harder to break into than my neighbors. I'll never be perfectly termite-safe, but as long as I'm more termite-safe than my neighbors, they will attract all the termites. You get the picture.

If geeks succeede in training the masses in making their machines "more secure" it only means that the malwa

Re:Again, is it IM's fault?

[Jeremi]

That sounds like a great idea, but how can all that be accomplished without a noticeable performance decrease of nearly everything a user runs inside the guest OS?

I'm not sure how well it would work for games, but other than that, it's simple: given that a VM causes a 5-10% slowdown, just buy a computer that is 5-10% faster. :^) Most users won't notice the difference anyway... and if doing it this way means they can get rid of some or all of their current security-ware cruft, then this might actually result in a net speedup.

Re:Again, is it IM's fault?

[RockRampantly]

Not only that, but:

4) Malware can install a keylogger so that when the user legitimately needs super-user access, the malware steals the password
5) Prompt user for Admin password directly (or in the case of Ubuntu for example, the user's own password to run sudo)
6) Even if the malware can't create its own password prompt, but must use a system default prompt:
"Warning! A program is attempting to gain Administrator level access. This should only be necessary to install programs or perform other maintenance. Click Cancel otherwise."

1 -Malware prompts user for password with message above
2 -Naive user reads message, clicks cancel
3 -Malware prompts user again for password
4 -Ad nauseum
5 -User gives up and enters password

Privilege seperation can be useful for preventing automated system takovers, but where a user is involved (and that user can get super-user access) becomes moot.

Users

[hotsauce]

Lost cause. Next article please.

Re:Users

[Allnighterking]

Let me be the first to point out something..... YOU are a user. Yep So if all users and dumb, and you are a user, then you too are dumb. If you are dumb then your statement looses validity.

In my mind we need to drop the Microsoft/Apple attitude that users = idiot. If you build systems for idiots only idiots will use your system. Generally I've found that the #1 reason users I work with generally do stupid things because I've either, Improperly documented or explained what something did or how it worked, or because I created something that blocked their ability to do their job.

Very often users tend to view the people at help desks as idiots because regardless of problem the reaction and lack of willingness to care are obvious from the start. Even cultural attitudes are ignored in the move to "cater to the idiot who uses our product" In one contry clucking your tounge may be a sign of rapt attention. But in the country the user is in it may be a sign of a smug and condiscending attitude.

In one of the first lessons taught in management classes you will learn that a team of idiots is lead by an idiot. I claim that the same is true here as well. If you have idiots for users it's because you have idiots for techs.

safety

[joe+155]

I think safety is always going to be hard to push on people who don't seem to understand the importance of what you are telling them. I'm sure you'll know from your own experience how hard it is to get even your own parents to take adequate security steps. I don't understand what this virus is doing though surely you would notice a new browser and remove it? certainly not use it...

As for removing the incentive for people to do this I think it will be hard; there will always be a few "suckers" and even 1 in a million can be profitable; so it'll be hard to stop it.

Yes

[IamTheRealMike]

• Block transmission of executables at the server level
• Use something like CoreForce to prevent IM clients executing other programs (and switch "open this file" type actions via a privilege mux or RPC to a higher privileged system service).
• Use operating system level services to prevent any application scripting another, restricting that privilege to accessibility applications.

Re:Yes

[Tony-A]

The users cannot be trusted, so the OS needs to make it impossible to do something stupid.

Hogwash.
A few years of this approach and compromised computers are going for five cents each. (Must be big money in (lots of) very cheap computers)

Trying to make it impossible to do something stupid actually works like this. The apparent burden is shifted from the user (who probably has priorities not easily guessed correctly by the OS) to the OS which can handle a very few cases, and those rather poorly.

"Are you sure?" Sure of what? If the OS asks that general a question (to determine whether to proceed or not), this assumes that the user is competent enough to divine the context in which the question occurs as well as somehow knowing the correct answer. All of this WITHOUT any clue from the OS as to what is going on.
?? This is the OS that is going to make it impossible to do something stupid ??

There are things that can be done to somewhat de-booby-trap the system, and these are useful and should be done. They make things a bit safer. They cannot make things safe. When you get enough accidents, you do things to as cheaply and easily as possible prevent those kinds of accidents from repeating readily.

Sensationalism

[Toby+The+Economist]

> Or is IM safety a lost cause?

The question is sensationalist given the context.

The article describes a particular new threat - all good and well.

However, no information on the distribution of IM attacks is given. We have no idea if they are rare or frequent. How can it then be asked if IM safety is a lost cause? the question is almost orthagonal to the article; one cannot have a meaningful opionion about IM safety in general given only information about the *existance* of a particular, new threat.

IM is a communications tool

[markdavis]

As others have said, and no doubt will continue to say, you will not change the masses' behavior. The problem is not that people will click on things that look interesting, the problem is that the program will execute something presented to it.

There is no reason that *any* instant message client should ever execute other code, privileged or not. That is not the purpose of IM- IM is not a program launcher, it is a tool for communication.

Why Mac/Linux/etc. are no better than Windows

[Burdell]

As long as people will click "yes" to install/run some random bit of software, Mac/Linux/*BSD/etc. are not going to be any better than Windows. These aren't holes in the OS, they are holes in the user. Much of the malware (spam zombies, SSH password scanners, etc.) doesn't need any special privileges to run, so it could run as a normal user.

Something like SELinux may help, but then email/IRC messages can just come with instructions for the chcon command to run (people open encrypted ZIPs with the password in the body already; putting a command to "fix" a download is not that different).

Simple safety options for IM:

[ettlz]

• Don't ever give received files execute permissions on UNIX and Windows systems with NTFS
• On Windows systems, rename .exe files to .exe.unsafe. Refuse to run such files and pop up a stern warning message. If they just rename it, well they get what they deserve.

Re:I know where this is headed

[i_should_be_working]

It's funny 'cause it's true.

I'd like to do a social experiment and write a virus that pops up a window asking the question: "Install Virus?". The options are "No Thanks" and "yeah sure, pwn me". Now, I'm usually an optimist, but I think the results of this study would be depressing.

Re:IM safety?

[The_Abortionist]

I agree with your statement saying that it's hard to prevent people from executing stuff, regardless of the media used to propagate viruses, spyware, etc.

However, I think that it also underlines a serious flaw in the Windows security model. Almost everybody runs with administrator privileges because too many things just don't work otherwise. I hope, but doubt, that Windows Vista will address this issue more than simply provide a few anti-spyware utilities.

Re:It seems there's only one thing we can do.

[jZnat]

And on a more serious note, you could instead make modal dialogue boxes use better buttons than "Yes", "No", "OK", "Cancel", and "Reset". Verbs are good (e.g. "Install", "Remember", and "Unknowingly Submit Social Security Number and Credit Card Numbers to Random Company").

Restricted User-space?

[ShyGuy91284]

UNIX/LINUX place a lot of restrictions on what can be modified by the user, and is part of where their good security comes from. Perhaps if children using AIM weren't logged in under the admin account or one with similar priviledges it would prevent the whole system from being hyjacked, and would just cause that account to need to be deleted. I don't know how much Windows limits user accounts, but if this isn't within the ability of Windows, it's quite sad.

A proposal I've proposed before.

[edunbar93]

How about making a new virus that, immediately after the user does something stupid enough to install it, turns the volume up to the max in windows, and starts looping a wav file that says "MORON ALERT!! W00PWOOPWOOP! MORON ALERT!!" and starts flashing their monitor red and blue, refusing any user input until they type "I have learned today that I should be more careful about the things I click on".

Oh yeah, and it sends itself to everyone in his address book, so that the shame can be shared among others.

Why does EVERYTHING transfer files?

[DaveLV]

Maybe we can't put the genie back into the bottle, but I think the real problem is that every Internet-enabled application these days is bastardized into a file transfer mechanism. IM programs should be for typing messages back and forth between two or more people. Why should IM even have the ability to transfer files?

Re:Why does EVERYTHING transfer files?

[jb.hl.com]

Because it's a convenient feature and a perfect place to have it.

Bob: Did you get those sales figures?
Jim: No...

Bob sends file, job done.

Re:Too Bad...

[Jeremi]

I can't really feel sorry for these people. In my book, if you're dumb enough to run some strange executable, then you deserve what you get.

Maybe so, but the rest of us don't deserve what we get. Even if I'm a careful computer user and never get compromised, I still have to deal with the resulting spam, DDOS attacks, increased IT costs, etc, caused by people who do. Therefore it's in everybody's best interest to make security more idiot-proof -- we can't just say "to hell with the n00bs", because we still have to live on the same Internet as them.

Re:IM safety?

[techno-vampire]

However, I think that it also underlines a serious flaw in the Windows security model. Almost everybody runs with administrator privileges because too many things just don't work otherwise.

I'm no Micro$oft fanboi, but don't blame Bill the Gates for this. Blame lazy deveopers who can't be bothered to Do It Right. They run their bleeding edge machines as Admin and never test to see if their bloatware will run any other way. Not only that, they write programs that need every bit of RAM, every CPU cycle and every possible bit of graphics they have so that when they're finished, you have a program that can only be run on a maxed-out machine as Admin. Last, they look down their noses at you if you complain because you're "too cheap" to buy the hardware needed for their precious program. They don't understand that saying, "It works on my machine!" doesn't cut it if the average user can't afford to match their hardware or wants to keep their copmuter safe by not running as Admin.

My advice is, just say NO to programs requiring Admin and never, under any circumstances, upgrade your hardware just to play the newest game. I'm not a Libratarian, but if enough people follow my advice, the market will, indeed, take care of it.

Unfortunately that does nothing for the clueless

[Sycraft-fu]

Why? Because it becomes just another hoop to jump through. They don't consider the implications behind their action. The computer wants something, they give it what it wants to it'll shut up and let them get back to doing what they want to do.

Admin passwords are useful for knowledgable users because if you do something that shouldn't require admiin, but asks for it you can step back and think why it's asking, and approve or deny it based on more information. However clueless users won't do that, they won't know what should and shouldn't need it, so they'll just blanketly issue the admin password.

I've already witnessed this on other platforms (MacOS) that ask for admin. I was chatting with a guy while he was tinkering with his Mac, it popped up and asked for admin and he said "Huh, that shouldn't need admin"... as he was typing in his admin password (3 letters long). He even recognised that this might be a situation where it wasn't needed (it was actually, nothing harmful) but just gave it the password anyhow.

So while I think the privledge escalation is Vista is a nice try, and certianly something I'll use personally, I think it will ultimately make no difference for normal users. They'll just make it go away whenever it pops up, and they'll do that by giving it the password it wants.

Re:I know where this is headed

[Incadenza]

'Yes' and 'No' buttons are better avoided. 'Yes' and 'No' answers are only answered correctly when both the question and the answers are understood by the user. Which sounds totally silly, but believe me, we humans are totally silly (we are just in a state of denial about that). No to mention that the questions can be silly too.

It is lots better to have answers that have actions in them, like 'Install' and 'Skip', because people understand the implications of these even without understanding the questions. That is what Apple does with Mac OSX. And to be honest, I am kind of shocked that gnome and KDE did not pick this one up. To identify a problem with users brainlessly clicking 'Yes' without bothering to read the questions, and then to 'solve' this problem by switching the position of the buttons, is really bad GUI design. Come on guys, pick up a book on psychology, there's plenty of them around.

So if you want to test, test different GUI schemes. 'Install virus?' with 'Yes' and 'No' options, 'Install virus?' with 'No' and 'Yes' options, 'Install virus?' with 'Install' and 'Cancel' (or maybe 'Skip') options, or maybe even just two buttons, 'Install virus' and 'Keep system clean'. I'm sure neither of these will score 100%, but there sure will be relevant differences between the schemes.

It's just a joke and I'm not trolling

Yes, but I will use any excuse to postpone work.

Re:On behalf of language nazis everywhere...

Ironic DOES NOT mean contradictory! It also doesn't mean improbable, funny, or coincidental.

Ironically, you have defined what irony is not while failing to actually define it.

Re:IM safety?

[techno-vampire]

but the whole thing about not upgrading your hardware was pretty dumb. Don't tell me not to upgrade my hardware.

I think you misunderstood. There's no reason not to upgrade your hardware if you want to, and every reason why you should. However, you shouldn't be forced to upgrade simply because some game won't run properly unless you have the Latest And Greatest of everything. If game deveopers want the biggest market possible, write so that your product will run acceptably on whatever is mainstream at the time. Let them have features that need the best hardware, but don't make it a minimum requirement.

There's one game I play that needs a fairly advanced graphics card to get the best out of it, but there are options to turn off features as needed until it's down to whatever you have can handle. Most of them are simply eye candy anyway. The core of the game is fully functional with none of them enabled. That's the right way to do it, and that's how it should be. The game is FOSS, so the developers aren't getting anything except egoboo from it, but they're still writing for as many people as possible. Why can't commercial developers be as considerate?