Slashdot Mirror


Russinovich Says, Expect Vista Malware

Hypertwist writes "Despite all the anti-malware roadblocks built into Windows Vista, Microsoft technical fellow Mark Russinovich is lowering the security expectations, warning that viruses, password-stealing Trojans, and rootkits will continue to thrive as malware authors adapt to the new operating system. Even in a standard user world, he stressed that malware can still read all the user's data; can still hide with user-mode rootkits; and can still control which applications (anti-virus scanners) the user can access. From the article: '"We'll see malware developing its own elevation techniques," Russinovich said. He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'

5 of 193 comments

  1. An Expected Approach by gooman · Score: 5, Insightful

    He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.

    That is the scenario I have been envisioning since I first installed RC1. Microsoft is conditioning users to agree to about anything by having so many intrusive pop-ups. People just want to get on with their computing experience. Maybe they will read the warning a few times at first, but after a short while they just respond without reading because that is how they get to the next step. Of course malware writers will use this method, it is almost as if Microsoft has given them a gift.

    --
    "Kittens give Morbo gas!"
  2. Re:And ... ? by QuantumG · Score: 4, Insightful

    I love the way people say "you need to reinstall" .. as if you're going to do better building the box to be secure this time.

    --
    How we know is more important than what we know.
  3. User Mode Rootkits? by WiseWeasel · Score: 5, Insightful

    From the summary:
    "malware... can still hide with user-mode rootkits"

    Did that strike anyone else as odd? User mode rootkits... wouldn't that be "userkits", or just trojans/viruses/malware? If it doesn't have root access, I don't think you can call it a rootkit.

    --
    "I like systems, their application excepted", George Sand (French)
  4. Read what I had posted, okay? by khasim · Score: 4, Insightful

    In reality though in any reasonable system quite a number of configuration files have been modified, and the users have stuff in their home directories that does not directly come from any installation CD that could be used for at least a user-level exploit (which makes a root exploit dramatically easier).

    I had already addressed that.

    I had said:
    "Any file that is NOT accounted is suspect and can be individually evaluated. Most of them should be data files that are not executable."

    Again, you should be able to automatically validate the system files, then you manually check the others. Those others include the config files, user files and so on.

    In such a system it is generally quite a bit less work actually to do a reinstall and reconfiguration than combing all the files with the kind of comb you need to catch all things evil.

    If that were correct then your newly installed box would be cracked as soon as those user files were restored.

    And, yes, they will need to be restored.

    So, in EITHER case those files will have to be checked for "all things evil".

    But in my scenario, the box is validated FASTER and you can identify the files that were added/replaced.

    More importantly, you can validate whether the box WAS compromised.

    It's like trying to find the proverbial needle in the haystack, except that the needles have been deliberately hidden and you don't know how many there are - and if you miss one, you lose.

    I take it that you don't work on Linux boxes much.

    There are a finite number of files on the box. And EVERYTHING is a file.

    The more of them that you can automatically validate, the smaller the number of files that you have to search through. This isn't magic. It's something called "Computer Science".

    In your scenario, you rebuild the box, restore the users' files ... and you've just been compromised again.
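    The validation procedure khasim describes above (automatically check every file you have a known-good hash for, then hand the unaccounted remainder to a human, executables first), as an added example that is not part of the thread and not any poster's code. It assumes a manifest mapping relative path to SHA-256, a stand-in for what a package manager's verify mode records, and it constructs a throwaway sample tree in a temporary directory containing a replaced binary, a deleted file, a user data file and a stray executable; none of those paths or contents come from the thread.

```python
"""Validate a file tree against a known-good hash manifest.

Added example, not code from the Slashdot thread. Every file with a
recorded hash is checked automatically; whatever is left over is listed
for manual review, split into executables and plain data so the
reviewer can start with the files that can actually run.
"""
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def validate_tree(root, manifest):
    """Compare the tree under `root` with `manifest` ({relative_path: sha256}).

    Returns a dict of sorted lists: ok, modified, missing,
    unaccounted_exec, unaccounted_data.
    """
    report = {"ok": [], "modified": [], "missing": [],
              "unaccounted_exec": [], "unaccounted_data": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel in manifest:
                # Known file: the hash decides, no human needed.
                bucket = "ok" if sha256_of(full) == manifest[rel] else "modified"
            else:
                # Unknown file: route executables to the front of the review queue.
                mode = os.lstat(full).st_mode
                bucket = "unaccounted_exec" if mode & stat.S_IXUSR else "unaccounted_data"
            report[bucket].append(rel)
    # Anything recorded in the manifest but absent from disk.
    report["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in report.items()}


def build_demo_tree():
    """Construct a small sample tree and matching manifest (constructed data)."""
    root = tempfile.mkdtemp(prefix="validate_demo_")

    def write(rel, data, executable=False):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        if executable:
            os.chmod(path, 0o755)

    # Hashes recorded when the box was built (hypothetical "system" files).
    ls_bytes = b"#!/bin/sh\necho ls\n"
    ps_bytes = b"#!/bin/sh\necho ps\n"
    manifest = {
        "bin/ls": hashlib.sha256(ls_bytes).hexdigest(),
        "bin/ps": hashlib.sha256(ps_bytes).hexdigest(),
        "etc/issue": hashlib.sha256(b"Demo Linux\n").hexdigest(),
    }
    write("bin/ls", ls_bytes, executable=True)
    # bin/ps has been replaced on disk: its content no longer matches.
    write("bin/ps", ps_bytes + b"echo extra\n", executable=True)
    # etc/issue is deliberately not written, so it shows up as missing.
    # User files with no manifest entry: one data file, one executable.
    write("home/alice/notes.txt", b"buy milk\n")
    write("home/alice/.cache/helper", b"#!/bin/sh\n", executable=True)
    return root, manifest


def demo():
    """Build the constructed tree and return its validation report."""
    root, manifest = build_demo_tree()
    return validate_tree(root, manifest)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

    On a real system the manifest would come from the package database rather than be built by hand, and the point of the split is the one khasim makes: the more files the hash check accounts for, the shorter the list a person has to read.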
  5. So, why weren't they saying this BEFORE release? by dpbsmith · Score: 5, Insightful

    Funny how it's all happy-talk before release, and it's only afterwards that they start to "lower expectations."

    Remind me again, what was supposed to be so good about Vista? Oh, yeah, all the stuff like WinFS that somehow never happened.

    And when people pointed that out, the answer was "but the really important thing is security, which Vista does have."