In Test, Windows 7 Vulnerable To 8 Out of 10 Viruses

As Windows 7's market share passes 3.6%, up from 1.9% the day before launch, llManDrakell notes an experiment they did over at Sophos. They installed Windows 7 on a clean machine — with no anti-virus protection — with User Access Control in its default configuration. They threw at it the next 10 virus/worm samples that came in the door. Seven of them ran; UAC stopped only one baddie that had run in the absense of UAC. "Lesson learned? You still need to run anti-virus on Windows 7."

Not suprising

[plague3106]

For one, they watered down UAC. Second, UAC won't do anything if the virus simply attaches itself to your user account, instead of the whole system. UAC is supposed to help keep malware gaining admin rights and infecting your system, not to stop it from running.

Re:Not News!!

[jeffb+(2.718)]

Anyone who uses any computer (including Mac AND Linux) without anti-virus is asking for what they get.

Yep, I've been "asking for what I get", and getting what I ask for, by running Macs without anti-virus for almost 25 years now.

I use Avast Home Edition. It's free (just registration required), fast, and small-footprint.

Yeah, I'll pop that right onto my Macs, especially after reading these five-star reviews. Five reviews with one star each makes five stars, right?

Actually, that is sort of news

[Space+cowboy]

I'm running several macs, both at home and at work, and the only time I've ever run an anti-virus on any of them was at the request of my ISP last month - there was a report of a virus originating from my home IP address. I downloaded and ran the latest ClamAV, and of course there was no virus on the machine, it was a spoofed IP address...

Over the past 5 years, that's the only time I've ever run a virus check. It came up with 0 viruses. I conclude that the likelihood of me getting a virus on a mac is still small compared to my XP box, which every time I run a virus check flags *something* new as wrong/suspicious. Sometimes I can even tell if the something is innocuous or dangerous...

Slashdot likes to say that anecdotal evidence is meaningless (which of course it is), but when a sufficiently large collection of anecdotes all say the same thing, we call that consensus. The general consensus is (I believe) that Macs are a lot less likely to be infected than Windows boxes, so your 'Anyone who uses any computer (including Mac AND Linux) without anti-virus is asking for what they get' statement is in fact news to me.

Simon

MS did by default

[Sycraft-fu]

So in Vista, UAC had only two settings: On and off. When it was on the system functioned with real separate privileges. You had to escalate to perform administrative actions. Ok well people bitched and whined and bitched and whined about that since you had to do it for things like changing file permissions or accessing system control panels. Thus Microsoft relented and watered it down for 7, having two settings in between on and off. It is set to one of those by default. More or less it asks for permissions for a program trying to get admin access, but not a user initiated operation.

Re:MS did by default

[jpmorgan]

Not quite. Microsoft added a cryptographic whitelist of programs that are automatically allowed to elevate. Certain parts of Windows are then allowed to automatically elevate (like file properties dialogs, the control panel, etc...). Since there's no way to distinguish the source of events, NT 6.x also enforces mandatory access controls, and places programs with administrator privileges in a high integrity level, which prevents low integrity processes from interacting with them.

That's why some things still require two steps. The 'first click' causes explorer (or whatever part of Windows you're dealing with) to automatically elevate and switch to a high integrity level. But since that click could have been injected by unprivileged malware, rather than an actual mouse click, the program then requires a 'second click' confirmation. Since it's running at a high integrity level now, that second click can only come from other high privilege programs or drivers. One special case is the UAC settings control panel... that places itself into a high integrity level immediately so that malware can't inject keystrokes to turn off UAC.

Re:Not News!!

[Kohenkatz]

Yeah? Can you point to ONE virus in the wild that has ever bitten any Mac or Linux user?

Yes, I know it's from 2006. But it answers your question: http://www.internetnews.com/dev-news/article.php/3601946

Re:Not News!!

[abigsmurf]

Remote Shell trojan (which despite the name is self replicating and therefore a virus). Designed specifically to be spread by users running trustworthy executables without the need for admin rights. And yes, it did infect a number of systems 'in the wild'

In Test, Kdawson Posted 10 out of 10 FUD Stories

[Sycraft-fu]

Seriously, this guy is almost pathological in his determination to distribute as much FUD as possible about Windows.

Taco: Fire this retard. The stuff he posts is NOT news for nerds. It is thinly veiled, and ineffective, smear pieces. Real stories about OS problems are interesting. Kdawson's FUD isn't.

Re:Not News!!

[Bacon+Bits]

When you have little or no say in what software gets selected for use but are required to maintain local support for the same software as well as maintain the security of the network, it is not a waste of time at all. You do not give users Admin privileges. You give them the permissions they require to do their job and no more. That's basic best practice.

It's really not even that difficult to figure out. Nine times out of ten, the program either wants to write to HKLM\Software\$appname or wants to write to two or three configuration or log files in %programfiles%\$appname. About a quarter of the time (IMX) the documentation contains detailed information about what permissions are necessary. After that it's merely a case of using the various SysInternals monitors to figure out what's causing the problem. Between Xcacls and regini it's not difficult at all to script the changes. I typically maintain a single script which checks for the presence of each application and, if found, applies the necessary permissions changes.

Re:Not News!!

[Animaether]

Exactly.

From GP:

Trojans don't count.

Well there go the vast majority of Windows viruses, too.

In fact, from the test they did...

- didn't run
Troj-Bredo-M
W32/Autorun-ATK
Troj/Banker-EUT

-- Ran
Troj/FakeAV-AFY
Mal/EncPk-KY
Mal/EncPk-KP
Troj/Agent-LIW
Troj/FakeAV-AFX
Troj/Zbot-JN
W32/Autorun-ATC

So 6/10 were definite Trojans (Troj/). I.e. some piece of software saying it's all sorts of good stuff, but in reality is a virus.

Then there's the Autoruns - last I knew, autorun, even on Vista, by default doesn't open a darn thing. So I guess either they changed Autorun settings, or they simply told Windows to run the program (a virus).

Lastly, the Mal/EncPk ones. They're deemed malware because they're packaging and encryption signatures that often get used by malware authors (even though they have legitimate uses, blabla). What do they envelop?
Mal/EncPk-KY: sadly sophos' site doesn't detail, but other sites will tell you that this, too, is a Trojan with Bredolab blargh.
Mal/EncPk-KP: "About this threat: The Trojan arrives as an attachment in fake e-card messages, with text as follows"

So that's 8/10 trojans, and 2/10 that might as well be classified as such unless I'm wholly mistaken about autorun.

Again GP:

provided you're not stupid enough to run an executable from an untrusted source

That's the real issue - and one that applies to any operating system.
Not saying Windows isn't less secure.. on the other hand, I don't remember Microsoft suggesting that UAC was a 100% solution against viruses. Just against those that try to do admin-y things when you yourself aren't running as admin. That's usually the thing people point out with Linux "it can't infect the rest of the system". Well that's great - but that won't stop it from, for example, turning your machine into a spam zombie as long as the user is allowed to send e-mail.

newsflash...

[damn_registrars]

... you can use your preferences to choose which authors you do or do not want to see stories from. If you dislike KDawson's choice of stories so much, you can opt to not display them. Hell, you have a lower UID than I do, and this feature has been available for the entire time I have been a member here. Why you don't know about it is beyond me; why you opt not to use it is even more of a mystery.

Or you can just continue trolling. The choice is yours.

Re:Not News!!

[99BottlesOfBeerInMyF]

The funny thing is the article you cite doesn't mention any virus for Linux or OS X that is in the wild. It talks about malware, which it claims is increasing, but does not list any specific item. It doesn't say if any of the malware is a virus or if any of it is propagating in the wild. You've failed in that regard.

Re:Not News!!

[negRo_slim]

And I would be willing to bet the same could be said for Security Essentials.

Been running AVG for years, but ever since I installed SE it's caught shit in video files before they've even finished downloading. As well as a couple JavaScript attacks from websites I wouldn't think twice about visiting. I can't even remember the last threat AVG found aside from cookies.

Re:May require admin privileges anyway

[jpmorgan]

Windows 7 has a whitelist (based on authenticode signatures) of programs which are allowed to automatically elevate. However, it also has mandatory access controls, which segregates programs into different integrity levels. When UAC elevates a program, it is placed in a high integrity level. Lower integrity levels aren't allowed to inject things like keystrokes into higher integrity levels.

So you are somewhat right, but mostly wrong. Malware could trick a trusted program into bypassing UAC and autoelevating, but after elevation the malware won't be able to interact with the trusted program anymore. And since all the trusted programs require a second user interaction before doing anything after elevation, tricking a part of Windows into auto-elevating doesn't help malware at all.

Re:Not News!!

[tomhudson]

Not really. First, the most it could do is infect your own files, not the system. Second, you would have to run it - it can't spread by itself. Do people running linux run strange executable binaries that people send them? No. It's not like Windows, where reading your email can infect your machine.

But UAC works perfectly fine at frustrating me!

[Tomji]

Just recently had to edit the Host file. (Local DNS file).
Could not save it because of UAC, and didn't get a UAC prompt either, had to give up and disable UAC first.

Re:Firewall?

[LordLimecat]

I thought it was common knowledge that viruses dont need admin to do a large number of things? I could swear this comes up every time arguments about whether linux can get viruses start. Viruses dont need admin to auto run (users can have per-user settings on that), send packets, send email, launch popups, install BHOs, install firefox addons, read files, etc etc etc.

The things "non-admin" stops are the important things, like installing drivers, installing rootkits, installing LSPs, hooking system files, patching system files, etc etc etc. THOSE are all that matters. If you have a computer set up for the family to use with a non admin account (on XP), the point isnt that you think itll prevent them from getting crapware, its that the crapware wont affect other parts of the system (hopefully).

Its also a hell of a lot easier to remove viruses installed with non-admin priveleges-- the difference is night and day. Non admin viruses usually just stick a single entry (maybe 2) in the startup list, and SysInternals Autoruns or HijackThis cleans that in about 15 seconds. Admin-installed viruses tend to take on the order of 15-30 minutes of manual removal, or booting into linux, or running combofix, or some combination of the 3, and if you screw up once and miss a file the whole thing reinstalls.

FWIW Im an IT consultant (part of my job is helpdesk) and I have yet to deal with a nasty virus / rootkit on Vista. XP on the other hand, I've seen viruses that took 45 minutes to remove even with tools like SDFix, the SysInternals suite, and launching ubuntu to manually remove the infected DLLs sorting by date.

Re:Missing the point of the article

[trouser]

Valid point but......the plural of virus is viruses. No need to capitalize trojan either, unless you're referring specifically to The Trojan Horse or the brand of condom.

http://en.wikipedia.org/wiki/Plural_form_of_words_ending_in_-us#Virus

The Mac threat is non-zero but overblown.

[Valdrax]

Hitting Google is apparently easier than doing research. I went through the articles on your "osx+virus+in+the+wild" link, and what I found on the first pages was...

• 4 pages on Leap-A: A Trojan that requires one to give an admin password after opening what's supposed to be an image file. It propagates itself via iChat file transfers, but it still requires an idiot to give a password upon opening a file that shouldn't require one.
• 1 forum post by someone worried about an unidentified Mac virus in the news around the same time as Leap-A.
• 1 page on Inqtana-B: A false positive from an AV package.
• 1 blog post by someone bragging about how there aren't any self-propagating Mac viruses in the wild.
• 1 nigh-incomprehensible wiki article on AV software for Macs.
• 2 articles on Inqtana-A: (See below.)

None of these (except possibly Inqtana-A) would be a threat to semi-competent users, and the only article that isn't from 2006 is the garbled wiki page.

Now if you want some actual research on Mac OS X viruses, you can check a vendor's site:
http://www.sophos.com/security/analyses/viruses-and-spyware/search-results/?search=OSX&action=search&x=0&y=0

Interestingly, what the site won't tell you is that most (if not all) of these viruses are phantom menaces; you have to Google each one yourself for that kind of detail. Many are proof-of-concept never seen in the wild, and most exploit holes already patched in the OS. All are trojans that require serious PEBKAC to run, even the only two known "worms" for the plantform -- Inqtana and Tored.

Inqtana, a virus one that got some notoriety and media attention is an example of all three -- a proof of concept (with an expiration date) that attacked an old hole in the Bluetooth stack and which required victims to consent to accept the download from an infected machine. Tored was an email worm that required you to execute an attachment on a very stupid looking spam email payload. Both are basically glorified trojans -- nothing on par with Conficker.

Now, trojans aren't complete non-issues, but savvy computer users currently have very little to fear from running a Mac w/o AV software since there are currently no self-instantiating viruses for the platform in the wild. Don't download pirated software (and risk something like iWorkS which hides itself in installers for certain programs), and don't trust installers where none should be present.