Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vista Designed to Make Malware Easy

Posted by CmdrTaco on from the it-wasn't-that-hard-in-xp-either dept.

SlinkySausage writes "Trojan horses masquerading as 'cracks for Vista' are starting to appear on pirate boards. More worrying though, Microsoft has confirmed that Vista's image-based install process is designed to allow third-party software to be slipstreamed into the installation DVD. Great for corporate deployment of Vista with software pre-installed, but also a huge benefit for malware writers, who can distribute Vista images with deeply-rooted malware."

13 of 311 comments (clear)

  1. So? by Nemetroid · · Score: 5, Insightful

    Pirates risk getting malware with their downloaded Vista. Is this a problem?

    1. Re:So? by 6Yankee · · Score: 5, Insightful

      Yes.

      What about everyone else on the Internet who gets DDoSed or spammed by this malware? Last time I checked, I was on the Internet - for me, therefore, this is a problem.

    2. Re:So? by molnarcs · · Score: 5, Interesting
      This article is troll, especially the "designed to make malware easy" part. This has nothing to do with design - it is an option that I'm quite surprised Microsoft didn't take away from Vista (if they did, you'll have an article complaining about it).

      Slipstreaming is essentially remastering Vista (and XP-s) ISOs to include the latest patches/service packs, i.e. in case of XP, this allows you to have a windows install that won't get you rooted in 5 minutes after you go online (with SP2). You can also include drivers or basically anything you have installed. In other words, you can install win XP, firefox, ffmpeg codecs, a viruscanner, openoffice, etc., and then you can make a custom ISO that would install windows XP and all that software in one go! This is good if you maintain a number of PCs in a comp. lab.

      This feature makes life of sysadmins a lot easier, and I'm glad MS didn't take this away - I wouldn't be surprised if the control freaks did. To turn this into a "Vista designed to make malware easy headline" is simply trolling, and article should be tagged troll accordingly. Especially since almost all operating systems have this ability (to remaster the ISOs to include updates/security fixes and 3rd party programs. Basically this is what linux distributions are about).

    3. Re:So? by ribond · · Score: 5, Insightful
      the bar for insightful drops ever lower.

      This is another FUD piece. Vista makes it more difficult to modify the installation sources. In XP and previous os's the installation sources were just a pile of binaries. Anyone with write access to the source could take out one thing and add another...

      With Vista the OS is already built and closed up inside of an image file... to review:

      in vista in order to "exploit" this "vulnerability" you need to have write access to the installation sources and the tools and knowledge to rebuild the share (the image format is not "zip", you need a certain understanding of the process to make this go).

      in XP you just need access to the shares.

      And in what way is this different from any other thing that you'll ever install on your computer?

    4. Re:So? by alienw · · Score: 5, Insightful

      Actually, what is really amusing is that people who pirate their software tend to be knowledgeable enough to avoid getting viruses and tend to know how to remove them. On the other hand, many people who BUY software tend to be clueless and an easy target for malware writers. Despite software industry propaganda, it is practically unheard of for pirated software to be infected with viruses or spyware (unlike most legal downloads). While I am sure many of the "vista cracks" posted on message boards are indeed trojans, perfectly cracked images are probably already starting to become available from more reputable sources... But hey, I'm sticking with Ubuntu -- it's a better system and it doesn't cost $200.

  2. This is idiotic by readams · · Score: 5, Insightful

    This article is just dumb. You can make custom Linux images with custom software also. If you download a random Vista ISO and install it, you deserve what you get, just like you would if you download a random Linux ISO.

    1. Re:This is idiotic by lowe0 · · Score: 5, Informative

      Say what? Any official source for Vista ISOs (MSDN and the like) include MD5 sums.

      Now, if you're downloading the software illicitly, you deserve a compromised copy.

  3. Corporate deployment by RonnyJ · · Score: 5, Insightful
    Great for corporate deployment of Vista with software pre-installed, but also a huge benefit for malware writers, who can distribute Vista images with deeply-rooted malware.
    Given that the former is much, much more likely, how about an article entitled 'Vista Designed to Make Corporate Deployment Easy' ?
  4. Pile of FUD by jb.hl.com · · Score: 5, Insightful

    What, the, fuck?

    So you can customise the install disc yourself and slipstream software into it? Surely that's been possible with every single distro of Linux for the last few years or so now? Could put malware into a custom Ubuntu CD, couldn't you? Not a new thing.

    More to the point, unless you download your version of Vista from some obscure warez site, it's very unlikely to have malware slipstreamed into it; UNLESS YOU PUT IT IN YOURSELF.

    Just because something has the capability to have malware put into it does not make it bad. This is a stupid fuss being made of nothing. I'd say I expect better from Slashdot, but considering the number of Microsoft/Zune/Vista bashing troll articles that are getting posted these days I'd be lying.

    --
    By summer it was all gone...now shesmovedon. --
  5. Designed to panic by Z0mb1eman · · Score: 5, Insightful
    The amount of spin in this story is making me dizzy.

    Getting malware when downloading a crack is always a possibility, yes.

    However, this entire story smells of FUD - this is one of the oldest arguments software vendors use to scare people away from pirated software - "All pirated software has viruses in it! Don't use it, it'll make your computer blow up! Make sure your copy is legit!" It's a valid argument, and they have every right to defend their products from piracy, but I suspect it is often overstated.

    Then take this article's headline - "Vista Designed to Make Malware Easy". We've gone from fact (one Vista crack was found - and caught by people downloading it - with malware in it), to speculation during an interview, to an entire Slashdot headline. Good good. The relevant part from the interview:


    Dan Warne: I know that I have a cynical journalist's mind, but isn't that a bit of a risk for malware to be injected into Vista install DVDs, given that those apps are executed before logon?

    John Pritchard: Yes, well I would certainly recommend when people are looking at any content they make sure they have the approved and hologrammed DVDs to make sure they're dealing with the genuine product, to get away from not knowing where the source comes from. But if they have got control of the unattend and built it themselves then hopefully they know what they are putting on it.


    Finally, if the above headline is correct, then how is it different from "Linux Designed to Make Malware Easy"? Anyone can bundle a rootkit with a Linux distro and put a torrent of it up somewhere. Heck, it's even easier, since Linux is free and open to start with. The bottom line is, if you're not getting your software from a trusted source, then you have no reason to trust it.

    I'm gonna go lie down for a bit until the spinning stops.
    --
    ClutterMe.com - easiest site creation on the Net. Just click and type.
  6. Re:How did this end up on the main page? by synthe · · Score: 5, Informative

    The SHA-1 hash is available on any official downloads (Vista, Office 2007, etc) from Microsoft. That includes TechNet, MSDN, and Connect (Beta testers) download links. For reference, b71e04564ca22e4d9928e59298eff87cf62b382b is the SHA-1 hash from the TechNet Plus download of Vista x86 (one DVD includes all versions except Enterprise).

  7. Re:Sympathy? by antifoidulus · · Score: 5, Insightful

    The fact that that got modded up is proof that slashdot is in the the throes of groupthink. I don't run windows, I use Linux at work. I'm not a "microsoft shill" but the groupthink on this site is getting REALLY old. Want a story accepted? Just go on a psuedo-intellectual rant that contains the words "open source", bash Microsoft, or mention the RIAA. Guess what, the world of technology is MUCH wider than that, and most of the stories on slashdot have little to no real consequence. But stories of real consequence rarely to never actually get discussed at slashdot because they don't conform to the groupthink.

    Microsoft has issues, but this isn't one of them. Not to mention the language the submitter used is unabashedly anti-microsoft. Articles like this just go to show that slashdot editors will accept ANYTHING that remotely supports their groupthink. An users like yourself just gobble it up while denying there is any groupthink going on.

    --
    Monstar L
  8. Re:It *IS* their problem by SausageOfDoom · · Score: 5, Insightful

    No, you are incorrect. I am not pro-MS, I am not anti-linux, I am just a pragmatist. I was, in fact, speaking from personal experience, although with generic friend-of-a-friend OAPs as opposed to ones I am related to.

    Yes, she will probably find it just as easy as a Microsoft OS - but it will be different. It will be different to her, and different to anyone else she might ask for help, and that's the problem.

    In the past I have been quite eager to suggest to people to install Knoppix (and later Ubuntu) when I got called in because their hard drives failed or when Windows ME/XP got so clogged with malware that they couldn't do simple tasks such as open the filer. However, it became a nightmare to support them - by the time I was at university I'd be getting called several times a week with one problem or another. But I couldn't send them to someone else - there wasn't anybody else who had linux experience.

    You say that she would need no extra help from now on. Have you ever actually met an old person? They're not like us. They're slow. They're senile. They're virtually dead. It's a miracle they can remember how to turn the machine on in the first place. Even if you write them out detailed bullet-point instructions with screenshots (which I've tried) they still manage to get it wrong. This happens with Windows, it happens with Linux. Sure, I've come across a few who have taken to computers and haven't needed any help past the first few days, but in my experience the majority will always need someone to hold their hand. Hell, that bit's not just limited to OAPs, most people I meet over 50 seem to have that same problem.

    In your rush to flame me as an MS fanboy, you seem to have completely missed the key point in my original post - sure, little Johnny might be able to train her up in how to use it, but she will always have problems and questions. She will always want to learn how to do something new with her expensive toy, she will always want to fiddle with things, and she will always get confused. She will always need help. And by installing an OS that most people don't have experience of, he'd just be tying himself into supporting her until she dies.

    I love Linux, I run my business on top of it, I tell my friends to use it. Software compatability is a minor issue, re-training is a minor issue. But when it comes to installing it for someone else, the deal-breaker is that there is no wide-spread support readily available for them yet, so I'm stuck helping them until they die, or until I reinstall Windows and can palm them off onto someone else.