Russinovich Says, Expect Vista Malware
Hypertwist writes "Despite all the anti-malware roadblocks built into Windows Vista, Microsoft technical fellow Mark Russinovich is lowering the security expectations, warning that viruses, password-stealing Trojans, and rootkits will continue to thrive as malware authors adapt to the new operating system. Even in a standard user world, he stressed that malware can still read all the user's data; can still hide with user-mode rootkits; and can still control which applications (anti-virus scanners) the user can access. From the article: '"We'll see malware developing its own elevation techniques," Russinovich said. He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'"
With companies like ask.com (who run smileycentral, a well-known spyware site) nothing will change.
Just click on setup.exe and you can have this fantastic free screensaver, be the envy of your friends!
Vista is Malware!
"You'll get nothing, and you'll like it!"
He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.
That is the scenario I have been envisioning since I first installed RC1. Microsoft is conditioning users to agree to about anything by having so many intrusive pop-ups. People just want to get on with their computing experience. Maybe they will read the warning a few times at first, but after a short while they just respond without reading because that is how they get to the next step. Of course malware writers will use this method, it is almost as if Microsoft has given them a gift.
"Kittens give Morbo gas!"
I love the way people say "you need to reinstall" .. as if you're going to do better building the box to be secure this time.
How we know is more important than what we know.
but...but.....
vista is supposed to be completely secure.......
Feelings of betrayal over buying a whole new PC to run this POS OS are setting in. Allow or deny?
From the summary:
"malware... can still hide with user-mode rootkits"
Did that strike anyone else as odd? User mode rootkits... wouldn't that be "userkits", or just trojans/viruses/malware? If it doesn't have root access, I don't think you can call it a rootkit.
"I like systems, their application excepted", George Sand (French)
Well, you had better, because if you don't, you'll have to go through the same again. Many people learn from their mistakes, fortunately. Reasonable security even on Windows is not that hard, if you take the steps before the compromise.
> "Quite surprised by what, that programs running in user-mode can still access the current user's data and programs in their home folder? Hardly news."
The GP was being extremely sarcastic. I'm sure most of the people who read this summary, or even just the title, thought "Duh" and wondered why an expert like Russinovich didn't have anything more insightful to say.
> "surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself?"
Well it wouldn't be able to hide itself from the root, but I don't see why it couldn't hide itself from other limited user apps.
> "If it's a prompt that will give a malicious program elevated rights when the user clicks 'allow', what part of it is fake?"
The fake part would be the premise under which it is requesting additional rights. Maybe it's masquerading in the dialog as a service the user already has.
I like the quote from the article: "Elevations are a convenience and not a security boundary".
Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
I had already addressed that.
I had said:
"Any file that is NOT accounted is suspect and can be individually evaluated. Most of them should be data files that are not executable."
Again, you should be able to automatically validate the system files, then you manually check the others. Those others include the config files, user files and so on.
If that were correct then your newly installed box would be cracked as soon as those user files were restored.
And, yes, they will need to be restored.
So, in EITHER case those files will have to be checked for "all things evil".
But in my scenario, the box is validated FASTER and you can identify the files that were added/replaced.
More importantly, you can validate whether the box WAS compromised.
I take it that you don't work on Linux boxes much.
There are a finite number of files on the box. And EVERYTHING is a file.
The more of them that you can automatically validate, the smaller the number of files that you have to search through. This isn't magic. It's something called "Computer Science".
In your scenario, you rebuild the box, restore the users' files
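The approach argued for in the post above (automatically validate every file you can against a known-good manifest, then hand-check only the unaccounted ones, and treat unaccounted executables as the first suspects) can be sketched as a small integrity checker. This is an added example, not code from the poster or from any product; the directory layout, file contents, tampering steps and the "looks executable" suffix list are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as "executable" when triaging unaccounted files (constructed list for the demo).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".ps1", ".vbs"}


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(baseline, current):
    """Split the current tree into validated / modified / added files and list removed ones.

    The baseline must come from a trusted source (vendor manifest, or a snapshot taken
    before the machine was exposed); a manifest taken from a possibly compromised box
    only proves the box agrees with itself.
    """
    validated = sorted(f for f, d in current.items() if baseline.get(f) == d)
    modified = sorted(f for f, d in current.items() if f in baseline and baseline[f] != d)
    added = sorted(f for f in current if f not in baseline)
    removed = sorted(f for f in baseline if f not in current)
    return {"validated": validated, "modified": modified, "added": added, "removed": removed}


def suspect_executables(report):
    """Unaccounted files that look executable are the ones to examine by hand first."""
    return [f for f in report["added"] + report["modified"]
            if Path(f).suffix.lower() in EXECUTABLE_SUFFIXES]


def build_tree(root, files):
    """Write a dict of relative path -> bytes under root (helper for the constructed scenario)."""
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Constructed scenario: snapshot a clean tree, tamper with it, and diff against the snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = {
            "bin/app.exe": b"MZ-clean-app",
            "bin/helper.dll": b"MZ-clean-helper",
            "etc/app.conf": b"verbose=0\n",
            "docs/readme.txt": b"hello\n",
        }
        build_tree(tmp, clean)
        baseline = hash_tree(tmp)  # the "known good" manifest, taken before the compromise

        # Simulated compromise: a library is replaced, a new binary is dropped,
        # a config file is edited and a document disappears.
        build_tree(tmp, {
            "bin/helper.dll": b"MZ-replaced-helper",
            "bin/update.exe": b"MZ-dropped-binary",
            "etc/app.conf": b"verbose=0\nproxy=changed\n",
        })
        (Path(tmp) / "docs/readme.txt").unlink()

        report = compare_to_baseline(baseline, hash_tree(tmp))
        return report, suspect_executables(report)


if __name__ == "__main__":
    report, suspects = run_demo()
    for kind in ("validated", "modified", "added", "removed"):
        print(f"{kind:>9}: {report[kind]}")
    print(f" suspects: {suspects}")
```

Everything in `validated` drops out of the manual review automatically; the practitioner is left with the modified and added files, and within those the executable-looking ones come first. The data files still need a look, as the reply in the thread points out, but the set to look at is finite and known rather than "the whole disk".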
Funny how it's all happy-talk before release, and it's only afterwards that they start to "lower expectations."
Remind me again, what was supposed to be so good about Vista? Oh, yeah, all the stuff like WinFS that somehow never happened.
And when people pointed that out, the answer was "but the really important thing is security, which Vista does have."
"How to Do Nothing," kids activities, back in print!
Let's put this simply. You're right, permissions by user isn't enough. But if we set permissions by app, eventually, Windows users will become accustomed to clicking "Accept" to every app permission that occurs, creating the same state we're in now. Do I read all of the XP pop-ups? Yes, I do, as well as all my Spybot pop-ups, as I don't want a random BHO installed on my system. Does everyone read those pop-ups? Hell no!!! And that's the reason why I have to clean out my girlfriend's computer on a monthly basis. I can't expect her and children to read every pop-up and understand what's going on. As any sysadmin knows, it comes down to the average user. We can try to educate them as much as possible, but until they do learn, we have to have some permissions-based system so that we can try to keep average users out of their computer enough to stop zombied boxen from happening everywhere. Am I trying to educate my girlfriend? Yes, but it's not a simple process.
"The only constant in the universe is change." - Unknown author
By definition, the user base of Windose will always wallow in mediocrity. Microsoft needs to take responsibility for this, if it wants to dominate the OS marketplace.
"Wants to dominate"? What _have_ they been doing then?
I think that MS missed their opportunity to make Vista really secure. They could have developed a brand new API, and sandboxed the old API in a virtual machine environment, to maintain backwards compatibility.
Way, way too many negative tradeoffs. 99% of software would not be native and its functionality would suffer significantly.
Then publish decent standards for building applications, particularly with respect to file permissions, drivers etc, so developers can genuinely create robust applications that don't require administrative privileges to run.
What's wrong with the current ones, that have been around for more than a decade? Hell, what's wrong with just good old common sense and decent developer practices?
No developer has had any excuse for releasing software that needlessly requires Administrator privileges for at least 8-9 years. None.
Enforce the standards by making them mandatory for using the OS installation mechanism. Enforce proper use of the correct installation mechanisms by disabling rogue installation hacks with system updates (i.e. deliberately break third party vendor's software if it's crap).
Oh yeah. Microsoft deliberately breaking third party software. I can just imagine how well that will go over, given the flak they cop when they _accidentally_ break some random piece of software.
Good plan you've got there, tiger. If you were lucky, you might have even managed to get all of it spoken in a product design meeting without being laughed out of the room.
This isn't the open source world where developers can just go around breaking shit willy-nilly to make end users conform to some arbitrary plan for the hell of it (despite many people here insisting to the contrary).
I have yet to be convinced that Vista itself isn't actually malware. Here is my reasoning:
1. Usually malware comes bundled with something that I am interested in actually using. I was kind of interested in trying the aero interface of Vista, so I installed it. After doing that I noticed weird things with my computer (lockups, hard drives failing to read and write) -- a sure sign of malware.
2. After installing Vista, my system tends to be slower. This is a clear indication of malware being on my system.
3. Strange windows keep popping up telling me messages I am not interested in. This tends to happen also when malware is installed on a computer.
There are several other issues, but these are the main ones. I looked at some websites describing malware, and according to security experts, these are key factors indicating that it's highly likely I have some malware on my computer. I think I will have to get rid of Vista because not only will it eventually allow for malware to run inside of it, in fact, it IS malware!!!
You might not know how an internal combustion engine works, but you have certainly trained to use a car and have a license.
Even if you know almost nothing about your car, you certainly know when something is wrong with your engine. I've seen people do things with computers that would roughly be equivalent to driving with the engine on fire. Not only do people not bother to learn the most basic things about computers, they also ignore any problems they see and keep going like nothing is happening.
Using a computer is definitely harder than using an engine, since it can do many more things. Yet people use them without even basic training or maintenance.
GPG 0x1B479C78