Slashdot Mirror

← Back to Stories (view on slashdot.org)

Russinovich Says, Expect Vista Malware

Posted by kdawson on from the UAC-be-damned dept.

Hypertwist writes "Despite all the anti-malware roadblocks built into Windows Vista, Microsoft technical fellow Mark Russinovich is lowering the security expectations, warning that viruses, password-stealing Trojans, and rootkits will continue to thrive as malware authors adapt to the new operating system. Even in a standard user world, he stressed that malware can still read all the user's data; can still hide with user-mode rootkits; and can still control which applications (anti-virus scanners) the user can access. From the article: '"We'll see malware developing its own elevation techniques," Russinovich said. He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.'

26 of 193 comments (clear)

  1. Actually by Anonymous Coward · · Score: 5, Funny

    I'm really quite surprised by this.

    1. Re:Actually by SEMW · · Score: 4, Interesting

      Actually, I'm really quite surprised by this. Quite surprised by what, that programs running in user-mode can still access the current user's data and programs in their home folder? Hardly news.

      (I was slightly confused by the statement that programs "can still hide with user-mode rootkits", though -- surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself? I thought the whole point of a rootkit was that it allows malicious programs to maintain root (i.e. highest privilege) access undetected, which would make "user-mode rootkit" a bit of a contradiction in terms, unless I'm misunderstanding somewhere...?)

      (And whilst I'm posting, "...a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file"? If it's a prompt that will give a malicious program elevated rights when the user clicks 'allow', what part of it is fake? Surely a fake/spoofed dialogue box wouldn't *actually* be able to grant elevated rights (pretty much by definition); and the text in the *real* elevation prompts can't be changed, since they run in 'secure desktop' sandbox mode, no?)
      --
      What's purple and commutes? An Abelian grape.
    2. Re:Actually by lpw · · Score: 3, Interesting

      Providing a truly secure OS is antithetical to the Windoze Nature, i.e., that of an OS for dummies. Maintaining a secure system takes time, know-how, and sometimes even reading some fucking manual. But Microsoft's "operating systems" are intended for the PC, a platform where the majority of users are not willing to make that investment. Eventually, once the novelty of MS Paint wears off, a user needs to install another application in order to actually accomplish something useful on the PC. Because MS necessarily assumes that the user is a brain-dead clod, a simple scheme like the allow-or-deny elevation masquerade is necessary (and, of course, the user can be easily duped into installing malware). Anything more sophisticated, and the appeal (and usability) of Windoze to the masses suffers, because it's no longer "user friendly." After all, if grandma needs to dick around with file and process permissions, why not just install Linux? No version of Windoze will be a truly secure system until its user base becomes better educated, which is a requirement that Microsoft will never enforce to protect their bottom line.

    3. Re:Actually by 313373_bot · · Score: 3, Interesting

      What if Microsoft wrote a new OS, and no one bothered writing applications for it, not even malware? Despite all ineffective security and bad design decisions, the prevalence of viruses, trojans and spyware on previous Windows versions were (and are) in part due to their sizable market share. If Vista Me II isn't being attacked like old Windows, is it because it's so more secure, or is it because no one cares? Only time will tell, but I can't take of my mind the image of a mighty tree falling in the middle of a forest, with no one to hear it.

      --
      ^[:q!
    4. Re:Actually by Fhqwhgadss · · Score: 4, Interesting
      surely if a rootkit is running with LUA privs, it wouldn't be able to hide itself?

      Too bad there are lazy software companies pulling this kind of shit. The developer's link to this piece of shit "patch" is listed under the headline "Convekta's products are compatible with Windows Vista !!!" (just disable the single most important security feature of the OS). I'd bet that over half of all Vista boxes will have LUA disabled within 12 months of installation. What do you have then? A new OS with the security enhancements removed and untested code running in "every user is a superuser" mode, just like XP without the 6 years of bugfixes. Don't tell me XP has limited accounts; using XP under a limited account takes more effort than using Linux ever did.

      The only thing keeping the malware writers away from Vista so far is its piss-poor market penetration, not its security enhancements.

      --
      How does a 7-person democracy cut a pie? Into 4 pieces.
    5. Re:Actually by ady1 · · Score: 3, Funny

      mighty tree falling in the middle of a forest, with no one to hear it. Surely you can examine the logs later on.
  2. Well, no shit by hairykrishna · · Score: 4, Funny

    In similar news, despite a wide variety of new content, online pornography remains disproportionately popular.

    --
    "Physics is to math as sex is to masturbation." -R. Feynman
  3. Vista malware by psaunders · · Score: 5, Funny

    Russinovich Says, Expect Vista Malware Old news. Vista has been available for months now.
    --
    Karma police, arrest this man. He talks in math. He buzzes like a fridge. He's like a detuned radio.
  4. Smilies by yotto · · Score: 4, Funny

    So you're telling me I shouldn't have installed these smilies? Here, let me try a typical smiley face. :-@*&^^^ NO CARRIER

    --
    Pulp Audio Weekly - Geek News and Reviews
  5. And ... ? by khasim · · Score: 5, Interesting

    So now you know that Vista can be compromised ... what are you doing about it?

    Where's the clean boot disk that I can use to scan a Vista box? How do I validate all the files on it?

    What is your answer to AFTER the box has been cracked?

    1. Re:And ... ? by WrongSizeGlass · · Score: 3, Funny

      What is your answer to AFTER the box has been cracked? I've found that super glue works pretty well, bu nothing is as good as blue duct tape. Blue duct tape rules.
    2. Re:And ... ? by QuantumG · · Score: 4, Insightful

      I love the way people say "you need to reinstall" .. as if you're going to do better building the box to be secure this time.

      --
      How we know is more important than what we know.
  6. Duh! by Cervantes · · Score: 4, Funny

    From the "No fucking shit, sherlock" file...

    Malware writers will write malware for the latest OS? And they'll try and find ways around the blocks? And in the millions of lines of code, they'll find a weakness and succeed? Holy shit, I never would have guessed!!

    Seriously, sometimes when I read Slashdot, a small part of my brain cries out in pain, and then is silent forever.

    --
    If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
    1. Re:Duh! by Workaphobia · · Score: 4, Funny

      > "Seriously, sometimes when I read Slashdot, a small part of my brain cries out in pain, and then is silent forever."

      This was only the first in a sequence of articles, the next being "Hackers can break into unsecured wireless routers."

      The Jedis are going to feel this one.

      --
      Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
  7. Hey, Russinovich by Ranger · · Score: 3, Insightful

    Vista is Malware!

    --
    "You'll get nothing, and you'll like it!"
  8. Standard plug-in joke #3: by Black+Parrot · · Score: 4, Funny

    In Russinovich, malware attacks Vista.

    --
    Sheesh, evil *and* a jerk. -- Jade
  9. An Expected Approach by gooman · · Score: 5, Insightful

    He demonstrated a social engineering attack scenario where a fake elevation prompt can be used to trick users into clicking "allow" to give elevated rights to a malicious file.

    That is the scenario I have been envisioning since I first installed RC1. Microsoft is conditioning users to agree to about anything by having so many intrusive pop-ups. People just want to get on with their computing experience. Maybe they will read the warning a few times at first, but after a short while they just respond without reading because that is how they get to the next step. Of course malware writers will use this method, it is almost as if Microsoft has given them a gift.

    --
    "Kittens give Morbo gas!"
  10. Not necessarily. by khasim · · Score: 5, Interesting

    I can boot with a LiveCD and mount the hard drive so that NONE of its files are being run.

    Then I simply match each and every file on the hard drive to the package that it should have come from and validate the md5 checksum.

    Any file that is NOT accounted is suspect and can be individually evaluated. Most of them should be data files that are not executable.

    Remember, in Linux, everything is a file and the boot process is very clearly defined. If something is running on your machine, you can find what it is and why it is running.

    Any system that REQUIRES a complete tear down after ANY vulnerability is exploited is NOT a well designed system. There has to be a way to validate each section of the system.

  11. Unix-style permissions are not enough. by earthbound+kid · · Score: 5, Interesting

    People sometimes talk like strong enforcement of Unix-style permissions is sufficient to provide local security. I find that argument totally unconvincing. Yes, it's nice to have the confidence that with modern OSes like Linux, OS X, and (probably) Vista I won't end up like the old Windows where you have to reformat a disk to try to clear the deeply dug in roots of some spyware crap from the system, but there's still the pretty damn big issue of all my data. Namely, having to reinstall the OS would be a pain, and I'm glad I don't have to waste an hour doing it, but losing all my data (documents, photos, music, and to a lesser extent application preferences) would be devastating. The data on my PowerBook is my life, and the reassurance that at least I don't have to reinstall OS X would be cold comfort at best. True, I do make a monthly backup onto an external drive that is normally unplugged (and thus out of range of rm *ing attacks), but probably most users don't follow this practice. Besides, a subtler virus could just silently corrupt my data over a period of months, so that I don't notice what's going on until my backups are no longer any good!

    There is a solution to the problem, but it requires a deep rooted change in how things are done. What I propose is that we shift from permissions by user to permissions by application. Right now, any app that my user launches can erase any of my files. That's ridiculous! Much more logical would be allowing me to decide which subset of my files each app can user and how. So, for example, I would let FireFox write downloads to my desktop and its preferences and caches to subfolders of the Library, but I wouldn't want it to be able to erase any of my other files under any circumstances. In fact, most of the time I don't even want FireFox to be able to read my local files, but I'd be willing to put in a password to let it do on a time limited basis so during uploads and the like.

    Basically, what I'm proposing amounts to sandboxing every app. This may seem harsh, but why not do it? What's the advantage of letting any app destroy any of my files? Make them at least beg me for permission first, I say!

    So, that's what's on my wishlist for the future of OS level security.

  12. User Mode Rootkits? by WiseWeasel · · Score: 5, Insightful

    From the summary:
    "malware... can still hide with user-mode rootkits"

    Did that strike anyone else as odd? User mode rootkits... wouldn't that be "userkits", or just trojans/viruses/malware? If it doesn't have root access, I don't think you can call it a rootkit.

    --
    "I like systems, their application excepted", George Sand (French)
  13. pfffft.. by Jose · · Score: 5, Funny

    malware tends to only be available for popular OS's! I am sure that Vista will remain safe from such attacks.

    --
    The basic sleazeware produced in a drunken fury by a bunch of UCBerkeley grad students was still the core of BIND. --PV
  14. Read what I had posted, okay? by khasim · · Score: 4, Insightful

    In reality though in any reasonable system quite a number of configuration files have been modified, and the users have stuff in their home directories that does not directly come from any installation CD that could be used for at least a user-level exploit (which makes a root exploit dramatically easier).

    I had already addressed that.

    I had said:
    "Any file that is NOT accounted is suspect and can be individually evaluated. Most of them should be data files that are not executable."

    Again, you should be able to automatically validate the system files, then you manually check the others. Those others include the config files, user files and so on.

    In such a system it is generally quite a bit less work actually to do a reinstall and reconfiguration than combing all the files with the kind of comb you need to catch all things evil.

    If that were correct than your newly installed box would be cracked as soon as those user files were restored.

    And, yes, they will need to be restored.

    So, in EITHER case those files will have to checked for "all things evil".

    But in my scenario, the box is validated FASTER and you can identify the files that were added/replaced.

    More importantly, you can validate whether the box WAS compromised.

    It's like trying to find the proverbial needle in the haystack, except that the needles have been deliberately hidden and you don't know how many there are - and if you miss one, you lose.

    I take it that you don't work on Linux boxes much.

    There are a finite number of files on the box. And EVERYTHING is a file.

    The more of them that you can automatically validate, the smaller the number of files that you have to search through. This isn't magic. It's something called "Computer Science".

    In your scenario, you rebuild the box, restore the users' files ... and you've just been compromised again.
  15. So, why weren't they saying this BEFORE release? by dpbsmith · · Score: 5, Insightful

    Funny how it's all happy-talk before release, and it's only afterwards that they start to "lower expectations."

    Remind me again, what was supposed to be so good about Vista? Oh, yeah, all the stuff like WinFS that somehow never happened.

    And when people pointed that out, the answer was "but the really important thing is security, which Vista does have."

    --

    "How to Do Nothing," kids activities, back in print!

  16. But the website said to answer yes by noidentity · · Score: 5, Informative

    I was trying to print some online coupons recently and special software had to be installed. On the installation instructions, it said to run the intstaller than answer "yes" to the question it asked (obviously whether it should be allowed to modify system files). What's the use of OS security if users regularly install software which requires admin access? (due to some kind of Digital Restrictions Management scheme of course)

  17. Security through obscurity by EmbeddedJanitor · · Score: 4, Funny

    Well, to hack/infect/trojan a Vista system you first have to find one. Considering the high switchback rate to XP that's going to be harder than previously expected.

    --
    Engineering is the art of compromise.
  18. Not surprising, but.... by adachan · · Score: 3, Insightful

    I have yet to be convinced that Vista itself isn't actually malware. Here is my reasoning:

    1. Usually malware comes bundled with something that I am interested in actually using. I was kind of interested in trying the aero interface of Vista, so I installed it. After doing that I noticed weird things with my computer (lockups, hard drives failing to read and write) -- a sure sign of malware.

    2. After installing Vista, my system tends to be slower. This is a clear indication of malware being on my system.

    2. Strange windows keep popping up telling me messages I am not interested in. This tends to happen also when malware is installed on a computer.

    There are several other issues, but these are the main ones. I looked at some websites describing malware, and according to security experts, these are key factors indicating that its highly likely I have some malware on my computer. I think I will have to get rid of Vista becasue not only will it eventually allow for malware to run inside of it, in fact, it IS malware!!!