Malware Scanner Finds 5% of Windows PCs Infected

BogenDorpher writes "According to statistics generated by Microsoft's new free malware scanning and scrubbing tool, Safety Scanner, one in every twenty Windows PCs are infected with malware. Microsoft's Safety Scanner was downloaded 420,000 times in just one week of availability and it cleaned up malware or signs of exploitation from more than 20,000 Windows PCs, according to statistics generated by Microsoft's Malware Protection Center. This resulted in an infection rate of nearly 5%." That seems an awfully low number, based on how quickly Windows machines are scanned for plunder after going online; though it's a few years old, here's a report that suggests (as of 2007, at least) a grace period of less than 10 seconds. That was just one instance, and an intentionally vulnerable machine, but have improvements in security software software, and in Windows itself, made things so much better since then?

Security has improved

Most of the malware now is either socially engineered or exploiting third party software (Flash and PDF, I'm looking at you!). Frankly, every OS is vulnerable to those two and finally even Apple noted they're starting to get that problem on Macs.

Re:Security has improved

[stanlyb]

Facebook? Twitter? Google even?

Re:Security has improved

[Securityemo]

How would you know? A sufficiently full-featured 0day exploit/rootkit payload could have compromised the system without you ever noticing, exchanging information with the outside world using data steganographically encoded into banner ad traffic at the network driver level. Better break out the kernel debugger. :D

Re:Security has improved

[SuricouRaven]

It used to be true, back before everyone used a home router that acted as a firewall. I remember a couple of times years back when I installed Windows XP, connected up the cable/ADSL modem to get a service pack in, and the system was infected before the service pack had finished downloading. Back then infection was often via exploting the many explotable services windows runs, which was only possible when there was no firewall (The Windows one wasn't enabled by default back then, and in any case makes exceptions for those exploitable services!). Today, as most users have a firewall even if they don't know what one is, the main vector is the web - either malicious websites, or exploits served up as ad-banners.

Re:Security has improved

[Samantha+Wright]

And also herd immunity: you're less likely to get infected if everyone else is exempt from being capable of infecting you. Firewalling routers really don't get enough love for their role in reducing the internet's trash density.

Re:Security has improved

[hairyfeet]

Bingo! As someone who fixes these things every week while there are still plenty of Adobe exploits I've noticed since Win 7 came out they simply haven't been using OS exploits like they used to, now they run social engineering because it is always easier to take control if the user helps you and by appealing to their greed, desire, or fear it really ain't hard to get them to go along.

The big attack vectors i'm seeing day after day, in no particular order, is: 1.- The "you want teh hot lesbos? you need to run our Iz_not_Viruz_iz_codec.exe to play teh vidz!" 2.- The "ZOMg you got teh viruz! To fix run our Iz_not_Viruz_iz_cleanerz.exe to get rid of it ZOMG!" 3.-The "Use the new Limewire (Iz_not_Viruz_iz_Limewirez) to download teh latest Titney_Spearz.mp3.exe tunez today!" and 4.-"Hey my BFF sent me a funny cat video! It says I should run Iz_not_Viruz_iz_LOLCatz to see teh kittiez!"

As you will notice with ALL of the above you simply don't have to bother with an exploit for ANY of those, as the user IS the exploit and is the weakest link. The last major "WTF?" that MSFT had, the "Hey lets run everybody as admin!" officially died with Vista and since 7 doesn't bug the crap out of folks with "Cancel/allow?" boxes every three seconds UAC has been left on and along with low rights mode in IE and Chromium based is doing a good job, as we saw by the numbers released the other week where there are only 4 per 1000 7 machines infected VS 14 for XP.

But as long as you have people willing to ignore or even turn off their AV (as I had the other week with a customer and the "Iz_Not_Bug_Iz_Limewire") because a malware writer waved a cookie in front of them then frankly I don't see what else can be done besides what MSFT is already doing with the free MSRT and MSE. And as we have seen with first MacDefender and now MacGuard (which doesn't even need the password anymore) on OSX and the nasty Android trojan apps it doesn't matter whether you are on an alternative OS or not, all that matters is whether or not the bad guys want in bad enough to do the work and whether you have any users who'll run "Iz_Not_Bug_Iz" style apps. sadly I've found that WAAAY too many are more than happy to do just that.

Re:Security has improved

[mcgrew]

It's improved, yes, but is still abysmal. If a bug is found in Mac or Linux, patches are put out as quickly as possible. MS waits for "patch tuesday" at the earliest. The latest IE hole affecting all versions won't be patched until August.

MS doesn't care about security itself, it only cares about the perception. And yes, Macromedia and Adobe are as bad or even worse.

Re:Security has improved

[BlueScreenO'Life]

Windows pre-xp sp2 (when it started shipping with a firewall), directly connected to the net with no hardware firewall or router in between, would get pwned by Sasser in... 30 seconds? Nay, more like 10 seconds.

Re:Security has improved

[makomk]

Standard Microsoft reputation management response to malware discussions.

Have you read the discussions here on /. and elsewhere about the latest Mac OS X malware? Apparently it's all the user's fault for deliberately installing malicious software and anyone blaming Apple in any way is spreading FUD.

The day Microsoft stops trying to deflect blame with this tired old furphy, and starts taking Human Factors science seriously, is the day Windows starts becoming secure.

They've at least put some effort into this since the XP era. At this point, they're probably a lot better than Apple, who still seem to think that letting untrusted websites automatically download and launch installer packages, and then giving the site significant control over what the installation prompt says, is a good idea.

Re:Security has improved

[Opportunist]

It was true, back in the time when XP had a remotely exploitable security hole (pre-SP2). Connect a XP-SP1 machine to the net without a router or something else blocking incoming connections and it will be hijacked in less than 30 seconds.

But the meme should have died no later than XP-SP3...

Re:Security has improved

[Opportunist]

Now, now, now... a bit less melodrama please.

While possible, most malware these days is no better than the average business software: It does what's necessary to get the job done, and nothing above. In other words, while possible to do what you describe, the overhead would be enormous. Most malware is happy when it has every base covered that keeps it out of the view of a normal on-access scanner, it will have a few rootkit-like tricks up its sleeve, but nobody (as far as I can see) bothered to mask traffic or go for crafty 0day exploits.

If you can get X infections with Y effort and X+n (nX) infections with Y*2 effort, Y effort will be taken. Simple as that. Unless they're spearfishing and want to infect a certain machine (and trust me, your porn collection is not interesting enough to warrant that), they're going for the low hanging fruit of the unsuspecting victim.

Re:Security has improved

[Opportunist]

While the vector you describe gains momentum, the main vector is still the user: Click here for dancing bunnies and a nude pic of $hot_celebrity.

Re:Security has improved

[hairyfeet]

McGrew there is actually a REASON for patch Tuesday and that is because everyone was having a shitfit that the patches would come willy nilly! With Patch Tuesday it makes it MUCH easier to plan for updates in a corporate environment, and since Windows rules the business world by a HUGE margin you can't expect them to fuck over such a large client base just because Mcgrew wants updates quicker.

That said if you show even tiniest bit of common sense .then your risk of infection is practically zip which my customers that have been running 8 years on the same XP install and simply having me come over to do an occasional memory upgrade can attest, so whether patches come out on Tuesday or the week after tomorrow really shouldn't matter! Watch how easy it is to have a nice clean running Windows from first install..

1.-Install Wndows. 2.- Run WSUS Offline from a flash, which if you've checked the little checkbox will have all the SPs, .NET, and all the patches in one nice easy to run place. 3.- Install Comodo Dragon from the same flash, so they'll have a nice browser that uses low rights mode and sandboxing and so you won't have to worry about IE, after installing go ahead and add ABP for Chrome which kills ad based malware dead. While you are at it you can install any third party software that doesn't need constant updating, I install LibreOffice, Win 7 Codec pack (which is great as it lets you burn just about any format in WinDVD maker, which folks just love) and Media Player Classic Home Cinema 4.- Go to Ninite to install the third party software that needs to be fresh, depending on the user. I usually install Flash, Foxit PDF Reader, any messenger program they use, along with Irfanview, Picasa, Avast Free, Malwarebytes, along with CCleaner and Defraggler. For burning I carry Ashampoo on the flash as folks like its layout better than CDBurnerXP. As this finishes up I usually add WinUtilities, which automates registry cleaning and the dumping of temp files along with tossing broken shortcuts. For the finale add Filehippo Update checker which only takes up 300Kb and will let them know when there are third party updates like flash, so they aren't using an old vulnerable solution.

And that's it! Notice how nothing there is more complex than going "clicky clicky" and doesn't cost you a dime? And a machine you've followed these simple steps with will be fine for anything short of user stupidity, which NO OS can keep the stupid from doing dumb shit, like running "Iz_Not_Viruz_Porn_Codecs!" trying to see teh tittiez. But a machine done this way, while sensibly having Automatic Updates set to Automatic (duh!) will give you years of trouble free service, while having all the third party software updated without the user having to constantly check for patches and with both Comodo dragon AND Avast doing sandboxing, as well as dragon running low rights mode, means web bugs really aren't going anywhere. With just a tiny bit of preparation and common sense (don't run email attachments, if they want free porn tell them to go to myfreepaysite.com which has like 5000 DVDs of porn for free, if they insist on having P2P Gnucleus or Emule with P2P shield running in Avast, no making kids accounts admin) your Windows machine will run trouble free for years, just as my customers after I'm through only need to come to me for hardware upgrades.

Re:Security has improved

[Opportunist]

Windows is as secure as any system out there. There is exactly only one reason left why Windows is still the most attacked system out there: Market share. Simple as that.

Malware is a business. It's not the pimple faced geeks of the 80s who want to stroke their e-peen and gain nerdpoints with their peers. It's business. And businesses develop software for the biggest market, it's as simple as that. Wait for MacOS to gain share and watch the malware come.

Because it does not matter anymore how secure a system is, the main attack vector is the user. And if your user is disabling any and all security a system might offer for the promise of lolcats, a crack or porn while at the same time he doesn't get suspicious why those lolcats or porn needs system level privileges, you, as the maker of the system, cannot keep him from getting infected, unless you take away his ability to install what he deems correct. Which in turn opens another attack vector: "Install this to open your system and make it do what you want (noooo, this ain't a trojan...)".

Re:Security has improved

[jcwayne]

Ahh... don't you just love smell of a fresh straw-man in the morning.

Re:Security has improved

[IHawkMike]

I'll just add that Patch Tuesday isn't only for convenience.

Often times security holes are fixed for exploits that aren't even in the wild, but have been discovered by the internal teams. Any time a security patch is released, the exploit becomes known since it's then trivial to compare the fix to the original and reverse-engineer the exploit. Releasing security fixes as they are ready would be akin to releasing exploits several times per month.

Patch Tuesday is simpler to manage for large corporations, and overall a more secure approach.

Re:Security has improved

[BlueScreenO'Life]

Huh? I'm certainly not the one pulling a strawman.

I'm just pointing out there was a time when unfirewalled Windows would get infected in a matter of seconds. It's relevant since GP used past tenses (...never taken any precautions... never had a computer compromised... ) without a time frame.

Re:Security has improved

[catmistake]

As someone who fixes these things every week

I used to be like you, IT wiz, WinAdmin, Security Expert really felt like I was on top of things. But then something just hit me last week, and I realized I've been wasting my life with this... its endless and impossible. idk how anyone really believes only 5% of windows installs are infected... that's ridiculous. I'd say it's more like 5% of windows installs are not infected. Anyhoo... I've given up that impossible fight. Now I'm desalinating the entire ocean. Hey... at least its possible.

Re:Security has improved

[AliasMarlowe]

It used to be true, back before everyone used a home router that acted as a firewall. I remember a couple of times years back when I installed Windows XP, connected up the cable/ADSL modem to get a service pack in, and the system was infected before the service pack had finished downloading.

The one that did it for me was installing XP service pack 2, in late 2004. It would download, then fail on installation and wipe itself out. This meant each attempt required a new download which was a bit tedious; I had an uncapped 3Mbps cable link, but it was annoyingly time-consuming. After complaining via email and telephone to Microsoft, I actually got a human who called me a few days later and spoke fairly good English (by her accent, I suspect she was from India).

The mind-boggling thing she told me was that to install XP SP2, I would have to disable all firewalls in the PC and router, before starting the SP installation (this included the download). Since I was incredulous, we discussed the issue further and she recommended uninstalling the firewall package in the PC but merely disabling the router firewall. At the time, I was receiving several evil packets per second, with all sorts of routing redirect requests and weird port scans. I doubt if the machine would have survived the couple of hours needed for the service pack to install, including mandatory reboots. As it was, I merely disabled the firewall software in the PC, and left the firewall enabled in the router, and the SP2 was able to install itself.

That was the day I decided to start trying out Linux live CDs. It was not long before XP was replaced by Warty Warthog on that laptop. I still use the laptop, which now runs the LXDE flavor of Lucid Lynx.

Re:Security has improved

[SuricouRaven]

The more common workaround is to download the network-deploy version.

Re:Security has improved

[AliasMarlowe]

Ahh... don't you just love smell of a fresh straw-man in the morning.

Are you deliberately denying reality or just giving us a personal demonstration of the Dunning-Kruger effect?

Did you even check the links in TFS? Here's the one from Information Week in 2007 which describes one such experiment. The unpatched XP PC stayed clean for all of 8 seconds connected without firewalls to the internet. Then Sasser and other bad stuff started installing itself on the PC. GP's assertion is valid - an unpatched XP PC can be compromised in less than 10 seconds without a firewall.

Re:Security has improved

[Opportunist]

Please go ahead and try it. Install XP SP1 on a machine, hook it up to an unprotected internet connection and watch the "miracle" happen. Granted, today the amount of infected machines trying to spread their load will have dwindled, but I guess there should still be enough about to ensure an infection within less than a minute.

There is no "botnet" scanning connections. It's simply that this particular nuisance broadcasts a request into its subnet and a few (afaik) randomly chosen subnets, permanently, nonstop. If it gets a reply from a machine that can be infected, it starts sending its payload. There's no need to "scan".

Re:Security has improved

[cavreader]

You are correct the user is the biggest threat vector going but I don't seen anything software developers can do to make a system 100% secure no matter what the user does. Super secure systems like Linux SE are usually not as user friendly as some of the popular desktop operating systems. As hard as people work to secure systems there are people working just as hard to make them unsecured so maybe this battle will be decided in the future but for now people will just have to accept some risk.

Re:Security has improved

[dotgain]

Firewalling routers really don't get enough love for their role in reducing the internet's trash density.

They do, but the minute someone makes the connection between NAT and security the dead rise and chant repeatedly "NAT is not security".

Re:Security has improved

[Samantha+Wright]

They do, but the minute someone makes the connection between NAT and security the dead rise and chant repeatedly "NAT is not security".

What a silly thing to say. NAT is security in the same sense that switching your grandmother to Firefox with an IE theme is security. Not all security measures are about actually preventing breaches. Who are these dead, and are they weakest to silver bullets, garlic, or MBAs?

(I'll concede that maybe we need another word for it, though.)

Re:Security has improved

[dotgain]

Believe me, some people really hate NAT. I was going to provide a list of the common arguments against it, but it's pointing-fingers-and-yelling-"Strawman" day here on /. today, so I'm actually going to have to wait for one of them to come along.

Re:Security has improved

[AngryDeuce]

As hard as people work to secure systems there are people working just as hard to make them unsecured so maybe this battle will be decided in the future but for now people will just have to accept some risk.

QFT. Look at all the wide open home networks out there, even today. I had my phone set to chime when it connected to an open network and the next day driving through my neighborhood I had to turn the damn thing off it was going off so much.

Re:Security has improved

[Opportunist]

The system developers cannot do anything to protect the system from the user, or at least they should not because the only way to do that is to take the "ownership" of the system out of the user's hands, not unlike what certain vendors for specialized hardware (readers or cellphones) do. I would definitely NOT want something like that on my computer.

No system can be made secure if the user disables and opens all security means for the promise of porn or warez. Even if it was Linux SE, the user would simply do what is in his power to aid the malware in its infection.

And as long as users do that, there is no way to secure the system. Simple as that.

Re:Security has improved

[Douglas+Goodall]

I have to disagree with you. Sure your machine may be behind a firewall, and because of that it is probably using NAT services to access the Internet at large. But doing so, your machine probably accesses high profile servers and services that are often infeted themselves.

Re:Security has improved

[ozmanjusri]

Windows is as secure as any system out there.

Bullshit. Try infecting my Live Linux distro.

There's plenty more Microsoft should be doing. All you apologists are achieving is delaying the inevitable.

Re:Security has improved

[goarilla]

Not only that but by default javascript is setup in modern browsers to give focus and raise javascript windows,
making killing the browser the only viable solution.

Re:Security has improved

[Opportunist]

There's plenty more MS should do, agreed. Amongst them is forcing 3rd party software writers to accept that Windows can finally distinguish between user and system space. Sadly a lot of software would cease to work if they did so nobody really wants that.

The core problem remains, though, that users still do disable all security if the software asks for it. And that's independent of the system used. So infecting your Linux box is probably not any easier or harder than infecting my Windows box. Because I guess we both would not grant root/admin access to something promising us dancing lolcats.

Well, actually you're right in one aspect, that there is more malware for Windows. Which is, as stated before, simply due to its market share. You also have a lot more people who know about the quirks and shortcomings of Windows, also because there are simply more people working on Windows security, including me. Again, simply a matter of market share and job opportunity. There's simply a lot more companies looking for people who can get their Windows environment secure than companies looking for Linux security gurus.

Actually, I'd wager if you forced everyone using Windows now to switch to Linux, you'd end up with more compromised machines. The dancing pigs clickers would get infected in either system. The security conscious people would be free of infections on either system. What's probably changing is those people who have half a clue and know now what to watch out for in Windows, how to spot something fishy, who'd have no "personal" defense knowledge in the Linux environment. They don't know what sources for software are secure, what to watch out for when installing software, what behaviour to expect from software and most of all, what requests for permissions are nothing this particular piece of software should ask for.

Re:Security has improved

[DaveV1.0]

And, doctors used to use leaches to bleed their patients, dentists didn't use anesthetics. prostitution was legal around most of the U.S., Apple had a dying market share, Linux was a pain in the ass to install.

And, I have had the exact same experience as the GP commenter. I installed and upgraded WinXP without a firewall and didn't get infected.

Re:Security has improved

[DaveV1.0]

Yeah, I did that less than two years ago. Guess what happened. No infection.

Re:Security has improved

[DaveV1.0]

This is why we need to stop forcing the browser to do things it is not suited to sooner, rather than later.

There fixed that for you. The only reason for Flash, JavaScript, etc. is to make the browser do things for which it isn't really suited. It is just laziness and cheapness: Why write a proper UI when I can just slap a web interface on it?"

Really, that mentality is leading the charge in the return to centralized computing and turning PCs into dumb terminals.

Re:Security has improved

[mcgrew]

That's true, but these days there are probably more home computers than work computers. There's no reason patches can't be rolled out when available, PLUS a comprehensive patch tuesday patch for the corporates.

Businesses, especially larger ones, are in far less danger of malware than individuals. Businesses have IT staff, most Windows users are completely ignorant (at least the ones I know in meatspace). The most dangerous ones are pretty damned ignorant, yet think they know everything. One guy I know in particular is especially bad about that. The rest don't care until their home PC is so virus-ridden that it won't even work any more, and few of them have backups or even Windows install CDs. Not that they could install Windows if they tried.

For me personally, patch tuesday is in fact a good thing, since I only use Windows at work and don't have to deal with Windows patches at all. But I'm in the minority; most home PCs run Windows, and I'd bet that for almost every PC on a work desk there's another Windows PC at home.

But then, few home users are MS's customers; computer manufacturers and businesses are. So it's understandable that MS would neglect the home PCs; they have no reason to care.

As to lack of common sense, I think rather it;s ignorance and apathy. You can't educate someone who doesn't want to learn, or who thinks they already know.

And yes, no OS is immune from an ignorant user. You can trojan anyone's box who you can fool into trusting you. I doubt even my Linux box is immune; I know I've been fooled IRL enough times (especially by women), although it would be a bit harder to fool me online.

Somehow..

[taosk8r]

I think this is more likely to have proven that the McAfee tool is crap.

Malwarebytes is pretty good, and I've heard Bullguard can sometimes get stuff that cannot.

Re:Somehow..

[dwywit]

Combofix FTW. Although it wouldn't remove a "Windows Risks Prevention" I encountered last week. It took rkill, a registry patch, and MBAM to remove it for good.
 
This was a machine "protected" by Bullguard.

Re:Somehow..

[Pseudonym+Authority]

I prefer to use Common Sense 2012 edition, and not download that hot_sex_underage.avi.exe on LimeWire or winrar-pro-full-crack-keygen.exe from The Pirate Bay, use Foxit Reader\Sumatra for casual PDF reading, and enable loading plugins on demand for Opera.

Re:Somehow..

[networkzombie]

It is never that simple. Do you have Adobe Flash installed on your Windows computer? If yes, then you are vulnerable. When you enable a plug-in for Opera, do you verify that all of the ads on that site you are visiting are from reliable sources? Doubleclick, Dailymail, Yahoo, Fastclick, and Google ads have all served up malware at least one time. Do you check the HTML code for the site to make sure they were not hacked to serve up malware? Google is still scrambling to clean their images search function. Never underestimate the people who write malware for money. They have unlimited resources and are beyond the reach of authorities (Ukraine, Russia). The only safe computer is one sealed in cement at the bottom of a lake. Confidence is your enemy. Reliable backups are your friend.

Re:Somehow..

[SuricouRaven]

I'm a bit of an expert. Professional IT technician, confident in using all versions of windows, linux and OSX. I code. I've done a bit of cracking myself - nothing major, but I know how exploits work. I'm careful. I don't get dodgy executable code from disreputable sites. I've got a good firewall, a squid proxy configured with a long blacklist of ad-servers.

I still got infected yesterday with the loathed fake-antivirus (The author is actually known, but in Ukraine). Sneaky thing managed to trick me by taking the filename SkypeUpdate.exe - so when it popped up with the permission request from windows, I just thought it was Skype running another update and clicked ok.

Took me twenty minutes to kill the thing. Finding and deleting the executable was easy enough, but it has the niftily evil trick of making itsself the default file association for .exe files... thus making it impossible to run them. In the end I had to use a command prompt to launch firefox and notepad, find a .reg file online that would reset the associations, paste it into notepad and use that to fix the association. I'm still not sure I found all the damage.

Re:Somehow..

[wesleyjconnor]

What browser are you using 'bit of an expert'? I haven't run antivirus for 10 years and i've never been infected, I torrent things daily and i've seen some of the seediest burrows of the web. Navigating the web is a sixth sense grown over years of use, same as any skill. You know a good torrent just by looking at it, you know a dodgy website as the first image loads. You have been doing this so long you don't even SEE the ads in a page. Amateur hour is over.

Re:Somehow..

[hawkinspeter]

That sounds like the problem is with windows not having proper package management. On linux, you'd be getting the updates through the package manager, so you'd immediately know that SkypeUpdate.exe was fake.

Do you run firefox with adblock and noscript? That's probably the best way to defeat 99.9% of accidental infections.

Re:Somehow..

[SuricouRaven]

Not quite. I run firefox, but no adblock - instead I use the squid proxy and it's blacklist, which I update every time I see some ads slip through. In this case my defences were compromised: I was away from home, using a public wifi hotspot, and thus running proxy-less.

Re:Somehow..

[StayFrosty]

When encountering the .exe file association thing I usually make a copy of regedit32.exe and name it regedit32.com or regedit32.bat. Since execution is based on the 3 letter extension the program will run fine. Then I can fix the file association problem. You can do this for combofix or whatever as well to get it to run as well.

Re:Somehow..

[MysteriousPreacher]

...do you verify that all of the ads on that site you are visiting are from reliable sources? Doubleclick, Dailymail...

This may indeed be the one situation in which The Daily Mail could be considered a reliable source.

Re:Somehow..

[St.Creed]

I was bitten last year because a major website for my profession ran a twitter feed and someone managed to inject malicious code into that, and Chrome happily executed it, I just saw my PDFreader start up, then close again (thank you, Adobe). And I was infected right there.

Using my PC as springboard the hackers managed to plant another infected php-file on one of the sites I run. Good fun all around and it took me a while to find and clean everything. I've since switched to a non-standard PDF-reader that doesn't execute javascript.

Sometimes you're just SOL.

Re:Somehow..

[BlueScreenO'Life]

I don't know if the dialog popped out of thin air or as a result of a drive-by download from some random site, but a file called "SkypeUpdate.exe" downloaded from anywhere but the official Skype site sounds every bit as dodgy as "jessica-alba-topless-hot-lesbian-sex-hd-video.exe" to me.

Of those who actually asked for help

[betterunixthanunix]

So a significant number of computers that downloaded the malware removal tool had malware on them. How is that surprising? Unless the installation of this tool is uniformly distributed amongst Windows users, which TFA is not entirely clear on...

Re:Of those who actually asked for help

[kvvbassboy]

What? I would say that it's the other way around. I would guess that the actual infection rates are higher. I bet that many of the people who didn't download this tool are probably the same people who are running an expired version of McAfee on their Windows XP without any Service Packs applied.

Just recently, my parents were complaining about how their computer was behaving very slow and strangely. The number of malware, crapware and toolbars I had to uninstall via remote desktop using Teamspeak (we live on different continents) was enormous. Lol!

Re:Of those who actually asked for help

[nobodie]

Ditto, or they are running a malware anti-virus or one that is so lame that it only catches 1990s viruses (like 360 in China, the crappiest piece of av shit i have ever seen.) It is clearly only the people who have the good sense to actually pay attention to good av or anti mal stuff that would be people trying this out as first users.

Re:Of those who actually asked for help

[rjbradlow]

Just recently, my parents were complaining about how their computer was behaving very slow and strangely. The number of malware, crapware and toolbars I had to uninstall via remote desktop using Teamspeak (we live on different continents) was enormous. Lol!

In my experience for customers whose machines are that far gone, or in most cases for that matter the best practice of removing all those nasties is to just back up all of the users important data, scan it to remove any sources of infection, wipe the drive and start with a fresh install. Then after all the updates and 3rd party installs are complete, install a ghost imaging service like Norton Ghost, and make a complete known good backup of the entire system which can restore it back to the same state the next time they are infected. Of course several snap shots can be made along the way as new software is installed. The beauty of this method is that the snapshots are stored on external media and not susceptible to infection provided that the external device is not left connected Or is optical CD/R or DVD/R. This practice is best served with a data backup plan as well, using an external storage device for the personal files that don't make it into a snapshot in time... i.e. are in-between a snapshot and infection. Though this method is time consuming, it is only so once and you will pull out less hair looking for all the crap you missed. Comparatively, the time to remove all infections and hope you got them all, then have a pissed customer when something shows right back up say from a root kit, this solution is best for absolute peace of mind and happy customers that will praise you to their friends on how much money you saved them in the long run. Now prepare for more customers. Final mention; I realize you are on another continent so naturally you would have to have someone with some savvy on the receiving end of your instruction to complete this for the customers who would be overwhelmed by the process. In this cat and mouse game of security, it is always the mice who win unless the cats get smart and realize that the mice will always get the cheese, so clone it and allow for those losses.

Re:Of those who actually asked for help

[rjbradlow]

P.S. Another option is to install Linux, say Ubuntu and VirtualBox OSE where the same method I described earlier applies except this time all software is free and you have a host system that can be another firewall and look into the filesystem of any given flavor of Winblows in the case if a dual boot scenario. Though it might seem a scary suggestion, it is only scary for those who have never played with the software for fear of the unknown and vicious erroneous rumors about Linux... Again from the ignorant.

. Ubuntu and VitualBox are very straightforward and easy to install and set up. The same as a Winblows install with the added benefits of a huge community support system. Eventually, those who become comfortable with Linux, completely ditch Winblows. For those who don't want to see what is happening at boot time, Linux can be configuration to boot quietly, auto login, and run your Winblows VM at startup.

Laziness grows on people, it begins in cobwebs and ends in chains.

The end of the article notes...

[Sir_Sri]

"Safety Scanner, which replaced an older online-only tool, uses the same technology and detection signatures as Microsoft's free consumer-grade Security Essentials antivirus program and its Forefront Endpoint Protection product for enterprises."

considering that by now everyone should run SOME anti virus, of which MSE is a legally free option, and that something which uses MSE's signature database finds 5% of machines have been compromised I don't think says much about computer security as a whole. Obviously there are a lot of users who *still* don't have anti virus software, which isn't really news. But MS can't exactly go including free anti virus in their OS without screams of anti trust.

Re:The end of the article notes...

[Samantha+Wright]

Well. First you'd need some malware that actually runs on XP x64...

Re:The end of the article notes...

[tibit]

It isn't?!

Re:The end of the article notes...

[lowlymarine]

Well at least that would finally make SOMETHING that runs on XP x64.

Re:The end of the article notes...

[Sir_Sri]

There are programs that run on XP64 that don't work on XP32 or 7-32/64?

Even then, XPx64 isn't exactly accounting for that 5% of installed that have been compromised.

I think kaspersky and the paid version of AVG both supported XP 64 at one point. Whether or not you could find anything that does anymore is another matter.

Re:The end of the article notes...

[Osgeld]

hey now, notepad does just fine on xp 64

Re:The end of the article notes...

[FoolishOwl]

No, it's a separate download. Fortunately, it's free.

Microsoft Security Essentials

Re:The end of the article notes...

[FoolishOwl]

It's a pity, as this is the sort of software that really should be considered an indispensable part of the operating system. At least in older versions of Windows, the security flaws were arguably design flaws in the basic operating system, and therefore the operating system publisher's responsibility to repair.

I've been pretty happy with MSE, which works smoothly and unobtrusively. I've had many headaches with McAfee, Symantec, and Kaspersky; I generally distrust the anti-virus companies.

Re:The end of the article notes...

[Sir_Sri]

I haven't gotten a virus in the 15 or so years I've been using a computer. But I don't see why I shouldn't have insurance on my house- sure it probably won't burn down. Even if that only effects 1/1000 people. But it can be a real pain to actually fix a virus infected machine and preserve all the data on it. Oh, and did I mention anti virus is free? When you had to pay for it, or had long, painful downloads that was another matter. When it's free, legal, and no noticeable performance hit what is the harm done to you by having it?

Yes.

[artor3]

That was just one instance, and an intentionally vulnerable machine [four years ago], but have improvements in security software software, and in Windows itself, made things so much better since then?

Yes.

Is it really surprising that computers with service packs, hot fixes, virus scanners, and firewalls are significantly more secure than those without?

Of course, it's also worth noting that the real infection rate is probably at least a little bit higher. The people who don't download this particular scanner are the same ones who wouldn't download the aforementioned service packets, hot fixes, virus scanners, and firewalls. The unanswered, and perhaps unanswerable, question is how many such people are out there.

Re:Yes.

[jhoegl]

I find that saying an unprotected computer connected to the internet does not follow todays current norm.
People have routers, or windows firewall (default), or both.
To say a windows machine is vulnerable today is ignorant of the knowledge of hacking.
As long as they have a firewall and dont open ports, they should be fine.

Basic hacking requirement... you have to have an open port and a service on that port that has an exploit of some type.
This is why website hacks, browser exploits, emails to get people to click, and social engineering are so important to hackers. Most people already have protection against direct attacks.

Re:Yes.

[Penguinoflight]

Don't forget about those who have viruses but the malware removal tool was unable to either detect or remove them. If you can't churn out a virus that can beat the standard set by microsoft you're in the wrong business.

Re:Yes.

Exactly, it wasn't AV that killed worms, it was the NAT routers which became standard PC equipment for non-techies between ~2002-2004.

On the LAN side Windows can still be pwned as easily as before, you basically have instant shell access to any networked Windows machines.

Re:Yes.

[geniice]

Not really. Malware aims a low hanging fruit and people taking active steps to protect their system are in all probability not worth the hassle (and downloading a onetime scanner is pretty active). The tool is also new so malwear writers probably haven't reacted to any great extent yet.

Re:Yes.

On the other hand, don't forget about those who simply install AV because they suspect they have a virus. It's like saying 25% of people have an STD because 2000/8000 people who attended an STD clinic have one.

The information isn't even new either. Lets break it down into useful stats and consider how many of those users were using UAC, and which OS they were using. It wouldn't surprise me if most infections were still on Windows XP

Re:Yes.

[jhoegl]

Why was I modded down?

Re:Yes.

[TheLink]

There's already a better paradigm on some phones. Basically the application declares upfront want sort of sandbox/permissions it needs to run. And if that is OK according to the system's settings, the OS will run the app while enforcing the sandbox.

Because the permissions are declared explicitly, it should be much easier for an "expert", or even someone with "common sense" to certify that the sandbox makes sense for the app, and maybe even digitally sign the app and its request.

So an organization (or "The Family Admin") can lock down a computer system so that only apps that request "safe sandbox templates" can run or install.

And the nerds like us, can set our systems up so that we can choose to run an app with a sandbox template of our choice (e.g. guest sandbox - looks like a new machine, no data about you available, no changes affect your "real system", once you're done with the program, it's gone).

I proposed something like this to Ubuntu and SuSE years ago: https://bugs.launchpad.net/ubuntu/+bug/156693
https://bugzilla.novell.com/show_bug.cgi?id=308760

That said, people are still going to type in their passwords and send them to the wrong places- the sandbox stuff won't prevent it. I'm not sure of a good way to prevent this. Maybe the OS/browser could keep hashes of the user's passwords and if something typed matches a known password hash but might be sent to an unexpected site/context it can warn the user (are you sure you want to send your "Bank" password to Elbonia?"). Problem is some bank sites use fancy schemes for users to enter their passwords involving onscreen keyboards with some rearranged keys etc.

Re:Yes.

[gl4ss]

well, the scanner is a reactive solution. of course you can make a program that will do all a virus would, it's a personal computer so there's no going around that, it's a rented entertainment device otherwise, so someone has to classify them as such or to classify a patter that would fit.

Re:Yes.

[St.Creed]

Sandboxing is a great concept and lots of people have proposed it. If I could restrict a program's access to just its own homedirectory and a designated datastorage location that would already be an amazing improvement.

Re:Yes.

[Opportunist]

I'd wager the former, these people usually know how to circumvent new security features before they hit the street if they meddle with their business.

The question is always, how much impact will a new security tool have on their business. If it's only a few "clued" people they use, they usually don't bother to find a way around it. If you look at contemporary malware and know a bit about security, it's actually boring. No "0day", no sophisticated self encryption, nothing really new and exciting. It's business software, often based on ancient exploits (if any exploits are used at all, the usual vector is the user), rather boring hiding techniques and you suspiciously see the same rootkit routine in all of them, just modified enough to foil scanners.

Re:Yes.

[recoiledsnake]

On the LAN side Windows can still be pwned as easily as before, you basically have instant shell access to any networked Windows machines.

[citation needed], even if it is with the default firewall turned off, for Vista and Windows 7.

datum

[tverbeek]

I fixed one this afternoon: my parent's WinXP computer. Adjust your stats accordingly.

That's Nothing!

According to Mac Defender, 100% of all Macs are infested with malware.

Meanwhile....

[PessimysticRaven]

Every new Hotmail account comes complete with no less than 10 emails promising 'bigGer Pen1s 4 hur plezures!" within the first thirty seconds of initial login.

Bad sampling techniques ...

[MacTO]

Maybe the number is accurate, maybe it isn't. But the one thing that strikes me is that this is not an entirely random survey since there are too many factors that can affect the sampling. Examples: people who do not update their software (including but not limited to this scanner) are probably more likely to have an infected machine, making the number low. Yet institutional PCs that are professionally managed (and are likely to use third party solutions) are probably less likely less likely to be infected, making the number high. So that 5%, as good or as bad as it may sound to you, is actually just a number thrown around by the marketing department.

Re:Bad sampling techniques ...

[PessimysticRaven]

Best I can tell, this is only really polling the people that CHOOSE to report it. So, yes, to second that, bad form on reporting. Shocking, I know.

Re:Bad sampling techniques ...

[tokul]

Maybe the number is accurate, maybe it isn't.

Of cause it is not accurate. Windows itself is a malware.

Re:How many are Macs?

[tverbeek]

Pretty much, yeah.

Exactly

[Giant+Electronic+Bra]

All this really 'proves' is that 95% of the people who are smart enough to download a free AV program didn't have an infection. Lets see, who uses those? Oh, I know! People who take precautions... When do they do it? BEFORE they get infected, lol.

While it is an interesting datapoint to hobknob about, this actually says ZILCH about Windows infection rate, except it probably can't possibly be LESS than 5%.

Re:Exactly

You can't draw that conclusion, either. You say that the people who download virus scanners are the smart ones who take precautions. That makes sense. But another big group that downloads virus scanners is the people who have reason to believe they have a virus. For all we know, 5% could be artificially LARGE because of that.

We just can't draw these sorts of conclusions from this study.

Re:Exactly

[dhavleak]

All this really 'proves' is that 95% of the people who are smart enough to download a free AV program....

This is a malware removal tool for people who already think they have a virus. See the Microsoft Safety Scanner main page. The very first words on that page are Do you think your PC has a virus? Not to mention it expires 10 days after download. Clearly not an AV for 'smart' people.

....except it probably can't possibly be LESS than 5%

Considering MSS is for people who think they already have a virus, I think the only conclusion you can draw is that slashdot headlines are some of the most worthless pieces of shit on the internet (and that's saying soemthing)

Re:Exactly

[Urza9814]

Except for people like myself, who always disable Windows updates (because they tend to break things as often as they fix them) and already have sufficient protection through other programs. People who know what they're doing aren't going to be downloading this tool. So it's going to be the smart people but not the really smart people I guess. The less smart people will probably have viruses, the more smart people will probably not, so who knows if it's higher or lower in reality.

Re:Exactly

[AmiMoJo]

That is why Microsoft includes the Malicious Software Removal Tool in the monthly updates. Vista and 7 both ship with Windows Defender installed, but it doesn't seem to do much... Security Essentials is now an optional update though, and hopefully will become a recommended (i.e. installed by default) one in the near future because it is actually pretty good.

But yeah, stats from the MSRT would be more interesting.

Re:Exactly

[VGPowerlord]

All this really 'proves' is that 95% of the people who are smart enough to download a free AV program....

This is a malware removal tool for people who already think they have a virus. See the Microsoft Safety Scanner main page. The very first words on that page are Do you think your PC has a virus? Not to mention it expires 10 days after download. Clearly not an AV for 'smart' people.

It's not a AV at all... it's a tool to do a one-time scan and removal of certain forms of Malware.

Microsoft Security Essentials is the full AV program, as the page you linked to even points out.

Re:Exactly

[yuhong]

Windows Defender is for spyware I think.

"as of 2007"

[QuasiSteve]

Honestly? "as of 2007"? In computer terms, that's several lifetimes.

Not only that, but just because the news article linked to has 2007 at the top, doesn't mean the findings were from 2007. The news article in which the author "just read an incredible scary article" links to said incredible scary article - http://news.bbc.co.uk/2/hi/programmes/click_online/4423733.stm - from 2005. So not only was the news article writer 2 years behind the times, you're now suggesting that we should believe that you find it incredulous that things may have improved in 6 years' time?

In that time Windows 7 and Vista have been released - both with far better security models out of the box. Even Windows XP saw a reasonable update with SP3.

Then again, by April 2005, SP2 was also distributed and guess what it enabled by default? Windows Firewall. The worm in the original article, Sasser, would not have gotten very far.

Then again, Sasser would not even have been on the system if they bothered to install the update that fixed the hole that Sasser would eventually exploit.

It's just not a very convincing example to begin with, and certainly not one you should be citing 6 years later.

Re:"as of 2007"

[Deathlizard]

On the one hand, pulling out the dead horse that is "X seconds to XP infection" and beating on it in 2011 is a new low. Even for Slashdot. On the other hand, I wouldn't be caught dead with Windows XP in this day and age even with all the patches.

Malware authors know the insides of XP so well that you have to do so many things to make a secure windows XP build that it isn't worth the time, Especially since you can install Win 7 64bit and its pretty much secure out of the box. It's much harder to root due to UAC (when turned up to full) and 64bit driver protection, it's got limited malware protection from Defender out of the box and it can run IE9, which has a lot more features in stopping malware from downloading payloads or even getting a payload in the first place if TPL's and file reputation are used. Also the system restore actually works so most non rootkit damage can be rolled back reliably.

As for the safety scanner Microsoft has, If you're running that scanner, chances are you think your system is infected. I'd be more concerned that it's that low, which tells me that the scanner is missing key virus infections. Actually my experience with it, it missed a key infection on a virus laden PC. (to be fair, it was rootkitted). MS seriously needs to release a bootable scanner similar to their system sweeper found in the Diagnostics and recovery Toolset (which found the rootkit that safety scanner missed). That and actually make a tool that reliably removes Alureon (AKA TDSS)

Re:"as of 2007"

[VortexCortex]

In that time Windows 7 and Vista have been released - both with far better security models out of the box. Even Windows XP saw a reasonable update with SP3.

With great new code-bases comes great vulnerability.

I just "removed" (and by remove I mean re-format re-flash BIOS and reinstall Windows) a bit of malware (Banker Rootkit Variant) that exploits a Java vulnerability via applet (JRE was up to date, but the old exploitable versions are still there, and can be targeted -- remove them now), then installs a rootkit via kernel driver -- Somehow miraculously bypassing the fact that drivers must be signed on 64bit MS OSes -- Oh, it's not that special it just disabled UAC first via the registry (ran a .reg -- Yes, seriously, WTF MS), then enabled "debugging mode" which disables the signed driver checks (I know, right?), then it installs a new root certificate authority in the web browser and updates the hosts file so that when you connect to several banking websites it can intercept the traffic with no security warnings in the browser -- Hint: always view the cert before you enter you credentials.

You can tell me that the brand spanking new batch of code is "more secure" than some other batch of code only after they've both been in use for the same period of time, and I can compare the numbers. "More Secure" can not be claimed until it is proven.

IMHO, Why throw out XP64/32? (sp3 is basically just an update roll up, not a whole new codebase -- 1045 days left, BTW) They were finally getting a lot of the bugs hammered out. If we did that with Linux / Unix every couple of years they would be a security clusterfuck too. (scares me that Torvalds is thinking of retiring the 2.6 kernel to move to 2.8 or 3.0...)

Re:"as of 2007"

[mgblst]

I count every install of Vista as an infection.

Re:"as of 2007"

[yuhong]

Yep, I think it is well known now that installing XP RTM and connecting it directly to the Internet without patching is not safe.

Re:"as of 2007"

Not sure about Vista's PE2, but 7's PE3 has a firewall. That would eliminate how XP was infected before the installation was completed, which was still a problem in 2007.

Of course, the submitter is lumping Win* together in the commentary.

The problem was that during the first version of XP's installation, it would bring up the TCP stack before firewalling the system. This was fixed with the release of Service Pack 1, but if you install from an original CD you will of course still be vulnerable.

And that's assuming that you're connected directly to the internet, as opposed to connecting through a router running NAT on its internal firewall. If you have a router, it's already a non-issue. IF you're that worried about it, download the XP service pack 3 installer and burn it to disc and quit using that ancient original version. It'll also be a lot faster since you don't have to patch through 3 service packs and all the hotfixes and updates.

Re:"as of 2007"

[Lonewolf666]

While we're on the topic of being vulnerable installing from original CDs, it is a really good idea to install security fixes from an offline patch collection first. I use WSUS Offline Update (http://www.wsusoffline.net/), which will download the patches from Microsoft for you and prepare an ISO for burning (or a directory for USB stick if you prefer). There may be other, similar tools but WSUS is working fine for me.
The workflow is as follows:
1) Use WSUS Offline Update on a clean computer to prepare the patch collection. Include Service Packs. Burn to DVD or copy to USB stick.
2) DISCONNECT computer where XP is to be installed from the internet.
3) Install from CD, whatever XP version you have handy.
4) Run WSUS Offline Update from DVD or USB stick. This will handle the upgrade to the latest SP and essential post-SP patches. Don't forget to reboot afterwards.
5) Now your machine is reasonably safe to go online.
As a final touch, you may want to use Windows auto-update now to get the very latest patches and the less critical ones, as the maintainer of WSUS Offline Update does limit his selection to the important stuff.
Personally, I don't run Windows auto-update anymore since Microsoft started to install unwanted Firefox add-ons that way. Instead, I rely exclusively on WSUS Offline Update, so far with good results.

Re:"as of 2007"

[Sigma+7]

p.s. this is why anyone with half a clue disables any and all browser plugins.

Wishful thinking.

The common setting you see in browsers is an all-or-nothing deal, which constrains you to visiting text only sites until you open the menu to open a preferences menu to change the setting (that affects all plugins rather than just untrusted ones.)

It took Google Chrome several attempts to get it right. First, they added plugin blocking in some menu. Then they added a button in the address bar that allows unblocking plugins. Then, the bug where that button unblocked plugins for multiple tabs/windows was fixed. Finally, they added a right-click menu to unblock individual plugins (which helped, since that first button only allowed one click).

Firefox support for blocking plugins is miles behind a non-updated version of Opera. In Opera, there's actually a menu item that disables plugins, and it's not too deep either. While the latest version doesn't allow unblocking individual plugins, it's still easy to unblock if necessary.

Oh, and if an extension implements what should be core browser functionality, then maybe it should be added to the browser instead of forcing extension authors to do the work.

Re:"as of 2007"

[VortexCortex]

Thank you for your assumptions, I see you think it was I who infected the machine -- you are wrong in this assumption. I was "removing" the malware for another party, who I agree could have been more diligent, but they shouldn't have to be so. It should require a password or large warning confirmation to disable UAC, but it didn't.

PS --The desktop background, was not changed, and in any event the user would not know what it meant, besides the fact that it was obscured by the maximized browser window, so wouldn't be seen anyhow.

Re:"as of 2007"

[VortexCortex]

Forgive the reply to myself, I found an article about a variant of this exploit you may read it yourself.

The linked article says it targets Brazilian banks, but the variant I took apart targeted US banks, and was discovered on a machine belonging to a Texan. The exploit article shows clearly how easy it would be to use a hex editor to change the certs & payload and re-purpose the malware easily, or possibly add it to an attack toolkit.

Also note to the one who downmodded my original comment: "overrated" does not mean "uncomfortably true".

Re:"as of 2007"

[godefroi]

Personally, I don't run Windows auto-update anymore since Microsoft started to install unwanted Firefox add-ons that way. Instead, I rely exclusively on WSUS Offline Update, so far with good results.

Meanwhile, the rest of us moved on to versions of Windows that don't use browser-based update systems at all.

Re:"as of 2007"

[Lonewolf666]

I doubt that Firefox plugins for Microsoft Silverlight and ActiveX were needed for Windows Update, because it can always use the Internet Explorer engine. If it needs a browser at all (Wikipedia says otherwise).
The whole thing looks more like an attempt to get wider support for Microsoft's internet technologies, by adding them to Firefox via plugin. Without notifying the user. Bad move, which got them a higher place on my shit list (now they are in shouting distance of Apple and Sony again).

Re:"as of 2007"

[godefroi]

What I'm trying to say is, they (MS) gave up on it. Years ago. Vista was released in 2006, so by then, at least, it was clear to Microsoft that the browser-based update system was more trouble than it was worth. If you insist on continuing to use XP, then you ought to stop complaining about things that even Microsoft admits were bad ideas.

Or.. "Scanner finds 95% Windows PCs not infected"?

[NotQuiteReal]

Same thing, right?

I don't know anyone who actually runs this.

[osssmkatz]

While I am glad that the online safety scanner can now clean infections, and will probably consider it in the future, it isn't a very widely used tool because of the windows live branding, rather than as a Microsoft product. Trend Micro Housecall has been around for longer. I wish more antivirus's would scan for lack of service packs or security vulnerabilities.

information is insufficient

[belmolis]

We don't have enough information to estimate the infection rate. For one thing, we don't know how good the scanner is. If it misses a lot malware, the infection rate may be much higher. We also don't know what kind of sample the downloads comprise. If only people who think they have an infection are downloading it, then the sample is biased high and the real infection rate may be much lower. Since it only detected infections in 5% of cases, either the scanner is very bad or people are downloading it as a precaution, not once they think they have an infection. If they're downloading it as a precaution, that probably means they are particularly security conscious, in which case the sample is probably biased toward a low infection rate. Overall, it looks like without more information the percentage of machines found to be infected by this scanner tells us very little.

Re:information is insufficient

[Anubis+IV]

Well said! I was about to make similar comments, but I see that you already did so, and far better than I would have. My first thought was that this was an indication that people who are security conscious still have an infection rate of 5%, but it could easily go other ways, depending on the biases, such as the ones you mentioned.

NAT to the rescue!

[ka9dgx]

The IP6 folks hate NAT, but it's the only thing that's saving personal computing at the moment. Because random inbound connections don't has through NAT devices, any home PC behind one is MUCH safer than one directly on the internet. It sucks in terms of the end to end utility of the internet, but it's the tradeoff most users are willing to make for reasonable safety.

Re:NAT to the rescue!

[WuphonsReach]

Outbound-only IP6 firewalls will offer the same level of security as NAT. With a few other advantages as well.

What will remain to be seen is whether the firewall devices can be:

- Properly configured or come with sane defaults.
- Fail in a safe manner rather then suddenly just allowing every connection through.
- Can't be switched to completely transparent by attack software.

It will be interesting in a few years as IPv6 finally takes off. I think the 3rd option is going to be the interesting one. In a IPv4 NAT'd network, the attacker has to (a) know the internal IPs and (b) add an inbound port forward to the NAT device. In the IPv6 firewall scenario, because the devices inside the network already have routeable addresses, if they can open up the firewall then they win.

The saving grace will probably be the sheer size of the address pool in a local network. Unless you sniff the traffic (or look at DNS or ARP), knowledge of active IP addresses is hard to come by via scanning. Scanning a 2^64 range for active hosts will take a few years, which will slow down any worms that attempt to spread in that manner.

A few years, as in enumerating 2^64 addresses and processing 1 million per second means you need about 585,000 years. There are ways to fine that down such as only searching the list of valid MAC addresses, which cuts the size down to 2^40 to 2^48. And you could fine that down even more by only looking for popular MAC addresses, which would probably make it 2^36 to 2^40 roughly. Scanning 2^32 @ 1 million / second takes about 80 minutes, 2^36 is 19 hours, 2^40 is 305 hours. Of course, attempting to scan 1 million hosts per second would bury most boxes and would probably require 10Gbps to pull off.

Compare that to today's networks where the local network segment usually only has 256 to 4096 possible addresses. Multiple orders of magnitude easier to scan.

Re:NAT to the rescue!

NAT is NOT security. If you want security, the most basic setup is called a stateful firewall. You may want to read about it.

http://en.wikipedia.org/wiki/Stateful_firewall

Even better, close down all services that you do not need listening. Application level firewall is another good idea.

If your security is NAT alone, then it's a sad state of affairs. NAT masks security, nothing more..

PS. For the all NAT-lovers, there exists an IPv6-NAT too. So saying that IPv6 == cannot have NAT is wrong. On Linux, steteful firewall is a prerequisite for NAT capability anyway.

Re:NAT to the rescue!

[VortexCortex]

I wonder if all these dropped unsolicited packets I'm seeing bounce off my firewall/NAT are what's causing my bandwidth usage measurements to be so much less than my ISPs capped bandwidth meter is showing... As for "end to end" blockages -- If you don't know how to port-forward, enable UPnP -- everything supports it these days, even ports of old games like Doom. However, being behind an ISPs NAT is unbearable -- that's why ip6 is needed, so that we don't end up behind an un-configurable ISP NAT router.

Even after the IP6 transition, I'll still use my firewall PC to block unsolicited packets, scan for malware, logging, access restrictions/time limits, etc. Besides, It's a part of the atmosphere... flayed and mounted on Lexan hanging from my wall (with lots of carefully routed wires and a few pretty lights that blink intermittently) -- I find wallputers more interesting/functional at than most paintings, plus it's easier to clean, takes up less space and promotes a cozy cyber-punk feel. Guests always ask "What's that?!" "Never seen a firewall?" I say. (It also helps weed out the geek girls from the uninteresting variety -- the latter never approve of "the lab" aka home office/electronics workshop, with 8 wallputers).

P.S. Just because NAT implies stateful firewall, doesn't mean you can't have the benefit of a firewall sans NAT.

Re:NAT to the rescue!

[ka9dgx]

I know that NAT doesn't help security against an advanced persistent threat, but it does scrape off the top 99% of all attacks, which is a big plus.

A stateful firewall can scape off another 99%

Locking down each service with AppArmor can scrape off another 99%

Which means you'll still have no effective security against an advanced persistent threat... you'll only be stopping 99.9999%, not all of it.

Capability based security might give you another 99%, which is good, but not enough.

Re:NAT to the rescue!

[0123456]

As for "end to end" blockages -- If you don't know how to port-forward, enable UPnP -- everything supports it these days, even ports of old games like Doom.

Never, ever, ever enable UPnP if you care about security. Allowing random applications to open up random ports is just asking to be pwned.

Re:NAT to the rescue!

[FrootLoops]

but it's the tradeoff most users are willing to make for reasonable safety.

I'd bet almost nobody consciously chooses NAT for security. They choose it because the numbers are running out, pure and simple.

Re:NAT to the rescue!

[skastrik]

Collections of active IP addresses will be readily available tomorrow, just as rainbow tables and collections of active email addresses are today.

The saving grace will probably be the sheer size of the address pool in a local network. Unless you sniff the traffic (or look at DNS or ARP), knowledge of active IP addresses is hard to come by via scanning. Scanning a 2^64 range for active hosts will take a few years, which will slow down any worms that attempt to spread in that manner.

Re:NAT to the rescue!

[GravityStar]

Explain this to me; why is UPnP so insecure? UPnP can only be switched on by a random application if that application has access to the LAN. That application is then _already_ running locally on one of the machines on the network. It can _already_ connect to random machines/ports. If that application now wants to exploit a vulnerability on one of the machines connected to the LAN, it can do it directly, no need to configure any port forwarding to let yet something else in.

I haven't yet read any realistic argumentation on why UPnP is dangerous (and I looked!). Mainly just FUD. The only security issue I can see is that _after_ the baddies take over your PC, they can open up ports.

Re:NAT to the rescue!

[GravityStar]

Besides, It's a part of the atmosphere... flayed and mounted on Lexan hanging from my wall (with lots of carefully routed wires and a few pretty lights that blink intermittently) -- I find wallputers more interesting/functional at than most paintings, plus it's easier to clean, takes up less space and promotes a cozy cyber-punk feel.

Your ideas are intriguing to me and I wish to subscribe to your newsletter.

Re:NAT to the rescue!

[WuphonsReach]

Collections of active IP addresses will be readily available tomorrow, just as rainbow tables and collections of active email addresses are today.

That depends. I suggest reading RFC 5157.

Machines that serve up public services (web servers, FTP, or anything that appears in a public DNS record) will still be heavily attacked. But machines configured via DHCP (where the assigned addresses are not sequential) or which are using the privacy addresses will be harder to find through guessing.

And in the case of the privacy addresses, those are typically only good for a few days. So the collected address list will not be much good for those end-users machines.

Would worms like Sasser have gotten as far if the search space was 1/1000th as sparse as it currently is? What if we could move that even two more orders of magnitude to only 1 in 100,000 addresses having active machines on the local network? Contrast that to probably at least a 30-50% utilization on current IPv4 networks.

Re:NAT to the rescue!

[Opportunist]

NAT is not security, but it's as close to security as many people will get.

Sure, there are FAR superior ways. But let's aim low, because that's what malware writers do, too. And as long as enough people can be infected even though NAT would kill the attack vector, NAT is a security feature. This will change when too many people use it and the attack vector ceases to work, but 'til then, it's a simple way for people to gain at least a bit of security.

Re:NAT to the rescue!

[goarilla]

Because instead of you the router admin opening up ports and tracking/knowing of what's open.
You're now relying on applications to open up ports and close them properly again (or the system - don't know how upnp is implemented).
Suddenly you have a lot of port forward entries (old unused ?) for stuff like Bittorrent, Limewire and other p2p software
Plus malware that does get into one of your client machines will be able to use your network for hosting eg; compromise one client own an entire network for further distribution.

Not serious

[lucm]

> though it's a few years old, here's a report that suggests (as of 2007, at least) a grace period of less than 10 seconds.

These numbers mean nothing. Just like statistics about domestic abuse ("1 women in 3 is victim of abuse"), that kind of thing cannot be measured so someone comes up with a pseudo-scientific number and everybody keeps repeating this stuff ad nauseam like Rush Limbaugh on election week.

Individual malware is having way too much exposure in the media for its actual damage. In an era where legitimate companies such as Facebook or Google are cornering the market on privacy violation and shameless data-mining, nobody gives a sh*t about Uncle Joe's private information. Credit card numbers are traded by the thousands and it is not cost-effective to try to harvest valuable information from individual PC - financial institutions and service providers (PSN!) are a much better target.

The name of the game is now large-scale deployment and a botnet that does not protect its nodes does not live long enough to justify an article on Wikipedia. Actually for home users I would even argue that being part of a botnet can be a good thing - the operators know what malware is serious and they have a financial stake in maintaining a healthy network of zombies; they will keep the basement wannabes away. On a global scale they are the one with the best interest for home PC security - much more than most PC owner themselves. It's like joining a gang when you go to jail for a long time - be part of the swarm and the odds that you end up becoming a silent farter are much lower.

The name "Safety Scanner" sounds like Malware

[Salvo]

Even if it isn't actually MalWare, the name "Safety Scanner" is as suspect as "Windows Recovery" or "MAC Defender".
I would have thought Microsoft's marketing department (arguably one of the greatest marketing departments in Info Tech), could have come up with something less dodgy than "Safety Scanner".

Maybe the people who were inclined to download and install "Safety Scanner" are the same people who are inclined to download and install "Windows Recovery". Making the estimate of 5% high.

Conversely, maybe the people using "Safety Scanner" were more conscientious about Computer Security and were seeking out extra protection. Making the estimate of 5% low.

Many still stuck in 2007

[dbIII]

"as of 2007"? In computer terms, that's several lifetimes.

Wrong.
There are plenty of MS Windows XP machines that have not been patched since 2007. Also how many Microsoft based machines have you seen with spreadsheets etc newer than MS Office 2003?

Malware? Scareware?

[sillivalley]

Ran this thing on a server that lives in the closet. It complained that my custom hosts file was very suspicious. It also didn't like the VNC client.

So this machine was infested with malware? I don't think so!

Yet another scareware scanner!

Re:Malware? Scareware?

[QuasiSteve]

It complained that my custom hosts file was very suspicious.

And it is. I mean, don't you think that the line
65.55.175.254 www.google.com
is suspicious?

It also didn't like the VNC client.

As well it shouldn't. Do you recall installing a VNC client? I don't recall you installing a VNC client. So why is there a VNC client on your system?

So this machine was infested with malware? I don't think so!

Yet another scareware scanner!

No, just a scanner that does what it's supposed to.. report irregularities.

Just because a lot of the virus/malware scanners in the world believe Unlocker is malware, or Snadboy's Revelation is a hacker's tool, or any compressed executable that it doesn't want to bother unpacking is by default suspicious, doesn't make these cases so; but it's still a Good Thing they're reported so that you know about them and you can decide what to do about it.

It would be a Bad Thing if it then subsequently decided to quarantine them automatically without notice for my own protection.

And if would be a Very Bad Thing if it were actually scareware of the type that marks all of your folders as Hidden, says there's a problem with the harddisk, and here's a company you can pay $50 to fix the harddisk (which won't remove all sorts of other crap that was running. As far as I can tell, the payload was delivered through a JAVA exploit. Lovely. I re-imaged their machine, at least this one kept proper backups! (see comment history for context)). That's a proper scareware product, along with the many online popups (should you see them) that appear to scan your system and find all sorts of viruses in files that don't even exist on your machine, including porn-suggesting filenames (so you're less likely to approach somebody about this), and you can pay them $50 to remove the viruses.

To equate this scanner - whatever your beef with it is - with actual scareware, is ludicrous.

Re:Malware? Scareware?

[Blakey+Rat]

VNC can legitimately be used as spyware in the classic sense. When someone remotely logs in, the local computer shows no indication that activity is being observed by someone else. (Contrast with Microsoft's Remote Desktop, where logging in remotely kicks the local user off and locks their screen.)

It's exactly the kind of thing this tool is supposed to be scanning for. What makes you think it's a false report? The scanner has no way of knowing whether you installed it, or someone else did behind your back.

10 seconds, back in 2007...not true now, though.

[Shoten]

One big thing has happened since 2007: Windows has started shipping with the Windows Firewall turned on by default and blocking inbound requests. Since network-spreading worms were the primary contagion factor back in 2007, this made a huge impact all by itself. Also, the growing prevalence of dynamic NAT in households (usually from the wireless routers that everyone has these days) also contributes to this.

Observation gives the indication

[dbIII]

it does not mean that the XP machines have gone unpatched since 2007.

No, what does tell me and should tell you is simple observation. Many XP machines in homes do not have automatic updates turned on and have never been updated after the day they were purchased. There are also a vast number of cracked copies of XP out there which have never been updated because the users are worried that an attempt to download updates will identify their XP as copies instead of purchased software.

Re:Observation gives the indication

[seanvaandering]

I was in that boat as well - and yes, a bootlegged copy of XP Pro was "good enough" - but after M$ decided to add WGA to the required security updates, everyone with half a brain knew where this was going, and I never updated again. Eventually, I reported my copy to Microsoft as illegal and got a shiny new product key for the discount price of $199 which was cheaper than going to the store and buying an OEM version (so it pays to pirate?).

The WGA update I can confirm does validate product keys (it is what forced me to upgrade), and essentially cripples the OS with a nice message that states the copy of windows is illegal and only allows you access to purchase a new product key.

Of course this was back in 2009ish or so, so I don't remember quite everything, but old article is old.

Re:Observation gives the indication

[dbIII]

What has changed recently is the XP validation doesn't work without SP3 and IE8 which doesn't come with it - thus the honest that have actually purchased XP are punished and have to muck about in safe mode with no networking to install those from burnt CDROM (or USB if they have the right driver) before they can validate and actually use the thing they paid for. No three days or three hours or three minutes grace either - you cannot use it long enough to actually download the stuff to get validation to work if networking is turned on. Those who pirate do not have to put up with such bullshit apparently. I've had to deal with a pile of such systems which have been infected by malware that wouldn't get onto a patched system - of course I've also had malware problems with machines that DO have all the current updates on MS Win7 as well.

Re:Observation gives the indication

[yuhong]

FYI, at least nowadays that WGA notification update require acceptance of an EULA even if automatically installed. I know because I have seen it.

10 seconds - a load of horse manure!

[Retron]

Those "Windows machines get attacked in 10 seconds" type things are utter rubbish. It was quoted at a recent security conference I went to and I interrupted the speaker about it as it's a blatantly false claim.

I have an unpatched Windows 2000 machine behind a cheap Netgear router. It's never once been attacked and it sits on the Internet 24/7 sending weather data to an FTP site. It doesn't get used for anything else and it's been up for four years now. The hard drive is too small to install the service packs (the machine is a P133 from 1996).

Furthermore, I don't know what ISP these people are using but I get a couple of port scans a day (at most) coming into my router. I'm on a static IP too.

It's my opinion that the 10-second claim (or 4 minutes, as in the one I heard at that security conference) was made up by a security vendor in order to hawk their products. The claim has then been spread over the years, Chinese Whispers style, until it's accepted as a truth.

Re:10 seconds - a load of horse manure!

[metrix007]

You seem like a tool. The 10 second thing was accurate for a long time, even if it was an average. What kind of tool interupts a speaker instead of asking a question at the end?

Re:10 seconds - a load of horse manure!

[Retron]

LOL, cheers for that troll reply. I put my hand up rather than blurting it out, as the speaker said when they started that if you had a comment or observation to make then you should put your hand up and he'd ask you to share it with the others (if it sounds school-like, it was a schools security conferenec).

The 10 second thing has never been true in general - at least not since 1995, which is when I first went online. The only change I've seen over the years is that rather than a single probe at a port you might now get several at once.

Note that I'm not saying that security is irrelevant, as it's clearly very important. I just have an issue with that utterly rubbish "A Windows machine gets probed within x seconds/minutes" line. It's simply not true and never has been. (Well, unless x is 604800 or something!)

Re:10 seconds - a load of horse manure!

[yuhong]

I have an unpatched Windows 2000 machine behind a cheap Netgear router.

That is because it is behind a router that is an NAT, blocking the attack.

Re:10 seconds - a load of horse manure!

[jim_kaiser]

LOL, cheers for that troll reply. I put my hand up rather than blurting it out, as the speaker said when they started that if you had a comment or observation to make then you should put your hand up and he'd ask you to share it with the others (if it sounds school-like, it was a schools security conferenec). The 10 second thing has never been true in general - at least not since 1995, which is when I first went online. The only change I've seen over the years is that rather than a single probe at a port you might now get several at once. Note that I'm not saying that security is irrelevant, as it's clearly very important. I just have an issue with that utterly rubbish "A Windows machine gets probed within x seconds/minutes" line. It's simply not true and never has been. (Well, unless x is 604800 or something!)

Dude... get your facts right. Maybe your closet server is on a safe network already. My experience at my university around 2004, before some of the major SP's, was exactly in line with the 10 seconds rule. All you needed was to plug the network in and lo and behold, before you could think about updating your AV definitions! The only way was to make a CD of latest AV. Those were the days, when running a Windows machine was impossible without an AV and a firewall like Zone Alarm. Remember Zone Alarm?

Re:10 seconds - a load of horse manure!

[maxwell+demon]

I have an unpatched Windows 2000 machine behind a cheap Netgear router.

I highlighted the relevant poar for you.

No,. your Windows computer isn't on the internet. It is on the LAN. The LAN is connected to the internet. And it does NAT on the border. There simply is no way your computer could be accessed from outside.

Re:10 seconds - a load of horse manure!

[Opportunist]

10-20 seconds was a pretty accurate infection frame for an unpatched Windows XP-SP1 machine directly connected to the internet in 2007. I've tried it myself. And considering how frequently people update their machines, I'm still convinced hooking a WinXP-SP1 machine to the net unfiltered will result in an infection within seconds.

It is NOT true for newer OSs or XP with SP2 or higher. So technically, what he got wrong was the time. A windows machine got infected in 10 seconds. It's not true anymore (for more contemporary systems).

Next time if you interrupt a speaker, at least get your facts right. Yes, it's no LONGER correct, but claiming he's spilling bull makes you look like an idiot, especially in the presence of people who probably know that he is correct, at least if he just stepped out of a time machine.

Re:10 seconds - a load of horse manure!

[Osgeld]

the one and only time its happened to me was with a brand new first print of windows XP home, I installed it got on dial up (yea thats how long ago) and before I even got to the windows update page ... BAM!

but of course now if I dare install that cd on a computer its instantly followed up with a sp3.exe on another cd and its half updated before it even gets network drivers that of course is connected to a firewalled router

Re:10 seconds - a load of horse manure!

[mjwx]

It's my opinion that the 10-second claim (or 4 minutes, as in the one I heard at that security conference) was made up by a security vendor in order to hawk their products. The claim has then been spread over the years, Chinese Whispers style, until it's accepted as a truth.

The 10 second claim was for an unfirewalled XP machine pre-SP2 directly connected to the internet.

Under those conditions, it was accurate. Now days, you get a Win 7 machine, even if it's stock Win 7 with no SP (actually pretty hard to find now) you still have a firewall not to mention the fact most people now attach their computers to the internet via NAT on a firewalled router. So since that claim, security has improved a great deal. So much so, most malware is user installed these days.

Re:10 seconds - a load of horse manure!

[Retron]

Or how about 3. The box isn't hacked, hasn't been hacked and isn't likely to be hacked. Here, have a look at the processes list:

http://i53.tinypic.com/95q7ow.jpg

Note that I don't use it for browsing the Web, email or anything other than running that weather station program.

Re:How many are Macs?

[Hylandr]

It's interesting to note that the number of infected pc's is exactly 5% of the computers that had that tool installed. Not 5% of all machines as the article implies.

Slow night on slashdot?

- Dan.

Ignoring 3rd party crapware

[Khyber]

These are likely not so bad without exposure to Adobe and Java.

Let us be honest for once.

Re:Ignoring 3rd party crapware

[WuphonsReach]

These are likely not so bad without exposure to Adobe and Java.

Let us be honest for once.

And Flash and Javascript.

(And the biggest issue with PDF, Flash and Java plugins are that they use a non-standard update mechanism instead of being built into Windows Updates. And both Oracle and Adobe are horrid about trying to install add-ons like browser toolbars, or constantly changing their update methods. Which leads to users never updating these key pieces of software, thus getting pwn'd a few years down the road.)

Re:Ignoring 3rd party crapware

[Blakey+Rat]

(Flash is Adobe.)

The biggest issue with Flash's updater is that it doesn't even attempt to check for an update until the computer is rebooted. I'm sure this works for a lot of people, but I basically never reboot my computers-- god knows how many unpatched Flash vulnerabilities I have! Hell, it may be zero. I won't know until I reboot.

It's actually safer to run Chrome, which has its own internal copy of Flash and an updater that... actually works correctly. Of course, then even the problem is you still need the Adobe Flash plugin for applications like Steam that have embedded browsers, so you really lose either way.

I can't speak for Java, since I make it a point to never run Java after getting a particularly nasty virus from it several years back.

But at this point, I wager Flash and Java are responsible for three times the viruses of any Microsoft technology. People need to stop the Microsoft bashing on security, and start giving shit to the real culprits in a Windows 7 world.

Information insufficiency

[Asmahuq]

I think lack of information can make a biased output about infection rate. So infected rate that is proved by this scanner gives us a little part of whole scenario. http://www.pranon.com/

Wonder how many wine users are infected

[G3ckoG33k]

Wonder how many wine (www.winehq.org) users are infected, as users.

http://wiki.winehq.org/FAQ#head-3cb8f054b33a63be30f98a1b6225d74e305a0459

http://www.google.com/search?q=wine+virus

Re:Wonder how many wine users are infected

[Opportunist]

Funny enough, quite a bit of malware does actually run on Wine. Tells you something about its compatibility. ;)

100%!

[purpledinoz]

I would argue that 100% of Windows machines are loaded with malware, called Windows.

Re:100%!

[Opportunist]

Windows is no malware.

Malware usually gets updated near instantly the moment its maker encounters a problem with it.

Re:Response to previous comment elsewhere

[kevinmenzel]

Because there is a guaranteed timeline for how long the product will remain serviced, and that was available knowledge when you bought the damn prodcut. AND it was EXTENDED past the original announced date.

Stop complaining about XP security. The Windows model has and likely always will be a series of paid upgrades in order to gain not only the latest features but also the latest security updates after a certain point. It's not like that was a recent change to their business model, that's how it's always been. Since Windows 1.0. So I mean, really, do suck it up.

Re:Response to previous comment elsewhere

First, they've made XP more secure. Compare SP3 with vanilla XP.

Second, Microsoft runs a business. If you're looking for a system developed under a cooperation model, there are many open source systems available for you to choose, although there are good reasons why almost nobody wants any of them on their desktops.

MSRT Installations

[RobbieCrash]

Though it doesn't name it in TFA, I'm betting that this also has something to do with the Malicious Software Removal Tool that is a part of normal Windows updates. This is downloaded and installed and run by default if you let Windows Update do its thing without manually configuring which update to install and which to ignore.

When this is run, and it detects known malware, it reports the infection and the full version (Major release, SP number, and updates that are installed) to Microsoft and attempts to remove it.

Since it's run in quiet mode at installation, I'm inclined to believe that this 5% number is pretty reliable on Windows 7 machines, somewhat reliable on Vista machines, and of marginal reliability in regards to XP boxes. Due to the nature of Windows Update settings on those OS', ranging from On by default in Vista and 7, to on if you made it so in XP.

As a sysadmin that helps look after over 10,000 desktops and close to 500 servers, I'm even more inclined to believe that 5% is accurate. Compared to what I was seeing 5 years ago, Malware is /much/ less common now. Despite the fact that it's craftier. Windows users, while still apt to click on everything that they're asked to click on, have a harder time wrecking their systems due to the security subsystem changes that have been made in Vista and 7.

Is Windows secure? Fuck no. Is it infinitely better than it was when XP came out? Unquestionably, and anyone that disagrees with that is too busy trolling Microsoft to see that they have made significant improvements.

Re:MSRT Installations

[benjymouse]

Though it doesn't name it in TFA, I'm betting that this also has something to do with the Malicious Software Removal Tool that is a part of normal Windows updates. This is downloaded and installed and run by default if you let Windows Update do its thing without manually configuring which update to install and which to ignore.

If you had bothered to read just the first 2 paragraphs of the computerworld article linked to you would have noticed this:

Microsoft cited that statistic and others from data generated by its new Safety Scanner, a free malware scanning and scrubbing tool that re-launched May 12.

And if you follow the link to the actual software, Microsoft Safety Scanner, this is the introduction:

Microsoft Safety Scanner

Do you think your PC has a virus?

The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.

Note: The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again.

The Microsoft Safety Scanner is not a replacement for using an antivirus software program that provides ongoing protection.

So no, this is *not* based on reporting back from MSRT. This is reporting from a tool which is labelled as a diagnostics one-off tool (works for 10 days) for users who think that their computers *may* be infected. Drawing any conclusion about infection rates from a self selected population is stupid if not outright dishonest. Timothy who wrote the hit-paragraph about the time2pwn of an unpatched XP box is most certainly being deliberately dishonest as a slashdot editor should be able to display a minimum of common consideration.

As usual the headlines are skewed by editors trying to drum up clicks and thus advertising revenue. The *text* of the original article is actually fair to the point that this is a self-selection and never claims what is in the headline. The CW editor obviously took a little liberty on the title. The title used at the front page and on slashdot is even more skewed with no basis at all, not in the article and not in reality.

67MB ?

[Hamsterdan]

And only valid for 10 days. No updates, have to re-download the whole thing to have the new definitions. It's *bigger* than most AV software...

What the heck MS ????

Re:67MB ?

[benjymouse]

And only valid for 10 days. No updates, have to re-download the whole thing to have the new definitions. It's *bigger* than most AV software...

What the heck MS ????

Maybe it was not intended to be "AV software"? From the front page of Microsoft Safety Scanner (emphasis mine):

The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.

...

The Microsoft Safety Scanner is not a replacement for using an antivirus software program that provides ongoing protection.

For real-time protection that helps to guard your home or small business PCs against viruses, spyware, and other malicious software, download Microsoft Security Essentials.

Re:67MB ?

[gl4ss]

well it's nowadays "microsoft security essentials".

it's pretty clearly named.

Re:67MB ?

[WuphonsReach]

Maybe it was not intended to be "AV software"? From the front page of Microsoft Safety Scanner (emphasis mine):

Equivalent tools from other sources do the job in about 1/8th the size.

(MBAM clocks in at around a 7.5MB download, and the database updates are only a few megabytes.)

Re:67MB ?

[Hamsterdan]

"Maybe it was not intended to be "AV software"? From the front page of Microsoft Safety Scanner (emphasis mine):

The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software."

I know that...

But we're talking about 67MB! That's way bigger than most removal tools out there. It's bigger than MBAM + Rootkit buster + Spybot + A-squared, you get the point...

Heck, it's bigger than some bootable rescue CDs.

really?

[cntThnkofAname]

Only 5%?

I think they inverted the figure

[Fallingwater]

No way in hell just 5% are infected. In fact, the opposite is probably closer to the truth. I fix PCs as an occasional job, and not one Windows computer I've had to fix was completely malware-free. That's not to say 100% are infected, but the uninfected ones are probably owned by nerds who don't come to me to get them fixed, so I can't give a proper statistic. Still, the 5% figure is completely unrealistic.

Re:I think they inverted the figure

[Opportunist]

Also a flawed sample. Who calls you to repair their machine? People who have a problem with it and cannot fix it themselves. This means that you have customers who are not too computer savvy who actually SEE a problem in their machine. The chance that malware is the root or at least a contributing factor is quite high, don't you think?

Mod Parent "Funny"

[nukenerd]

Actually for home users I would even argue that being part of a botnet can be a good thing - the operators know what malware is serious and they have a financial stake in maintaining a healthy network of zombies

My title says it all.

I finally gave up....

[xandercash]

Although most viruses and malware are easy to avoid for the "informed user" the "naive user" is still a humongous target. I could NOT keep malware and viruses and unwanted Firefox toolbars off my kid's computer. I lectured them and told them how to avoid most of them (don't install things without asking me), took away their admin rights, etc. It did no good, the stuff kept appearing, even though we've tried both AVG and Norton. I think most of them are appearing because my daughter likes to Google Image search for cute puppy pictures. It makes me wonder if the malware distributing population has figured out kids are the best conduit to getting their apps on your computer. So now they're using Linux. Took them 10 minutes to figure out where everything was. Plus the machine is much faster without an antivirus running and checking everything they do.

Re:I finally gave up....

[cvtan]

I have to agree with the kid-conduit idea. I let my granddaughter on my machine for 30 minutes and I spent the rest of the day trying to undo all the garbage she clicked on.

Re:I finally gave up....

[unencode200x]

My 14-year old at the time would constantly get an XP machine infected. I bought a Vista PC (now upgraded to 7), turned on UAC, put MSE, set it to auto-update, and gave him a limited user account. He calls me when he wants to install a game and no problems since (about 2 years ago). Did the same thing for my mom and dad, no problems since...

Its backwards

[nurb432]

5% of windows machines are NOT infected with something.

I don't use an anti-virus on Windows

[transporter_ii]

I don't run an anti-virus because it slows the PC down. I have a good system worked out. I have a KVM switch with Windows on one PC and Linux on the other PC. I use Windows for my programs that won't run on Linux, and Linux to get on the Net with. I keep the amount of important stuff to a minimum on Windows, so I can reinstall easily if needed.

My windows runs very fast even on a PC with mediocre specs, and I go for years without trouble on it, though I won't say I have never had any viruses.

Now my kids, they can touch a Windows machine and, between facebook and free mp3 downloaders, have a virus on it in five minutes. I cringe when I see them on my windows machine.

Re:I don't use an anti-virus on Windows

[donaldm]

I don't run any anti virus software on my MS Win XP virtual machine. If anything goes wrong I can reinstall in about 10 minutes. Backups take about the same time, however I rarely use MS Windows since Fedora does everything I need and that includes my work environment. The predominate thing I use MS Windows for is iTunes since my wife has an iPhone and on occasion she wants a personalised ring tone. Even when I use my Virtual MS Windows I rarely use IE and if I do it is only to download tools that are Microsoft centric that are on rare occasions essential for my work

Re:I don't use an anti-virus on Windows

[FoolishOwl]

The poster had a computer so old it noticeably slows down with a virus scanner installed. Odds are, it's running Windows XP or something older, which gives everyone admin access by default.

Re:I don't use an anti-virus on Windows

[Sir_Sri]

what would be the performance hit of avast or MSE, in whatever quantitative metric you have used to determine that it slows your PC down too much.

selection bias

[thePowerOfGrayskull]

The sample is of necessity limited to users who knew about this tool and downloaded it. I suspect that group to be more security aware than most, and more likely to have a clean system to start with.

Re:Not if you hardcoded it into HOSTS yourself

[QuasiSteve]

Your entire post, which seems to be entirely about the hosts file, can be summarized by your summary:

P.S.=> Yes - Sure: Malware can use them to IT'S advantage, but then again, so can you!

All one needs to do is swap your statement and it should be obvious why malware scanners report these things;
P.S.=> Yes - Sure: You can use them to YOUR advantage, but then again, so can malware!

Malware scanners are incapable of knowing whether it was you, or a disgruntled employee, or a piece of malware, or the alignment of the planets that adjusted the hosts file.
All it can do is report that it was modified, and then let you decide what to do about it.

Now, I haven't run Microsoft's specific tool to see how it handles these things, but every scanner I've used lets you choose what to do, including the option to ignore the changes / whitelisting the file.

If you know that you made the modifications it's reporting about, then all you have to do is tell it so. On the other hand, if changes are made to it that you are not aware of, would you really want a malware scanner to just ignore it?

That's like a security researcher complaining that their anti-virus complains about the 1,287 infected files in their "%userdocs%\VirusResearch\Archives\" folder and suggesting that the virus scanner is crap because it can't tell that clearly the viruses are supposed to be there.

Windows XP + DOCSIS 2

[Nemo's+Night+Sky]

Almost a decade ago I watched as a blaster variant compromised a XP machine BEFORE THE INSTALL HAD COMPLETED. Microsoft in their infinite wisdom thought it would be cool to enable remote procedure call before you even get a desktop up. (I guess unattended setup scripts weren't enough?) Had to re-install disconnected, patch it, then setup networking. I had no machine at the time to make a patched install disc. None of that would have been a problem if I could have installed my firewall software before windows starting RPC.

How to build a Windows machine in 10 seconds?

[ZipK]

If the grace period from going on line to infection is only 10 seconds, how does one build a Windows machine that is secured with the latest patches - given that you need to be on line to get the patches from Microsoft?

Re:How to build a Windows machine in 10 seconds?

[Osgeld]

well that is only valid for XP with less than service pack 2, MIcrosoft makes it pretty easy you download the 300 or so MB windows XP service pack 3 redistributeable and burn that to a CD

install SP3 before getting on the internet, though again this is only required if your using a like first print of XP, like my copy of XP Home I bought at k-mart back in 2002 or something

Re:How to build a Windows machine in 10 seconds?

[yuhong]

Parent was talking about worms that automatically spread.

Re:You missed my point: So, I'll quote it again

[QuasiSteve]

Ah - just a case of mistaken intention, then :)

No, the hosts file in itself, and editing thereof, is (or, well, can be) perfectly fine for the reasons you cited and many more. But it's also fine that malware scanners may opt to report anything they think looks suspicious. But you're about to address that, so.. on to that.

( Editing the quotes for formatting purposes )

"if changes are made to it that you are not aware of, would you really want a malware scanner to just ignore it?"

In my case? I actually COULD! How/Why??

Well, because I long ago designed a system (first in MS SQL, then in Borland Delphi, & lately in PyThon) that updates my HOSTS file with valid security data vs. bad sites (and my hardcoded favorites too) every 15 minutes from 15 reputable respected sites for that online...

But if you designed this system - or even if you didn't design it, but at least run it intentionally - doesn't that explicitly make you aware of the changes being made? You might not know the exact changes, but you know that there's a program running that could change the content of the hosts file every 15 minutes.
My point was with regard to modifications that you're not aware of.
Now, the hosts file handling, at least under Windows, is such that there's no explicit trail of what process wrote what to it, making it difficult to differentiate your program's changes from those of a piece of malware, so in your case you'd tell the malware scanner to just ignore the hosts file; at your own risk, but you clearly understand any risks involved there (given that your app helps to mitigate such risks).

Your next section is a bit disorderly, but as far as I can tell, you're saying that malware scanners could check the content of the hosts file to perform, for example, checks that a certain host actually meets the given IP address - and if that is the case, there is no problem, and it should ignore that entry.

But then you, quite correctly, point out that DNS server records might be incorrect. Or your DNS server settings were changed. Or a TCP/IP stack injection simply returns whatever the scanner wants to hear but when e.g. iexplore.exe (just to name a browser process) asks for it, servers up the malicious website.

So rather than just implicitly trust added IP/name combination on the basis that they appear to be correct at the time of the scan, it's better to alert the user that there's a value there that's not normally in it OR wasn't in there the last time the scan was run.

Note that the above is for on-demand scanners. Any 'active' scanner (the background running things) could just monitor process access to the file and then alert the user if some process is trying to write data to it, report the data, report the process, etc.

Now, you do make one more point:

MOST folks won't check into it (& many antivirus + antispyware and even HOSTS file population for security sites have checkers for this) to see if the site actually IS bad - they'll just "fry it".

The question is... is that a bad thing?

To simplify things a bit - perhaps oversimplify - there's 3 groups of people who would get hit by a warning regarding the hosts file having entries that aren't there originally / since the last scan.

Group 1: The people who did not edit the hosts file themselves nor installed a program - such as yours - that modifies the hosts file for them.
In these cases, I'd argue that any removal of lines in the hosts file is less harmful than leaving them in, as the user clearly doesn't know why the entries are in there in the first place.

Group 2: The people who did not edit the hosts file themselves, but installed a program - such as yours - that modifies the hosts file for them.
In these cases, although it may not be desirable for the modifications to be undone - it stands to reason that the program that made the modifications will redo the mo

Re:Response to previous comment elsewhere

[kevinmenzel]

It's clearly not a defective product. It's insecure, yes, but those insecurities are "by design" - in that at some point, some coder coded something in such a way that was insecure. Complaining that this is "defective" in terms of consumer law seems folly - the claim "100% secure" was never made, so not being 100% secure is not a defect, it is merely an aspect of the product. My car is not 100% soundproof. I can hear the wind as I drive, I can hear the sound of my tires on the road, I can hear other cars pass by, and if someone is playing loud music in another car, I can hear that. My ideal car might provide a quieter experience - there are cars on the market that do provide a quieter experience - but I bought my car as is. If my car was found to be substantially less sound proof than all other cars exactly the same as mine, then this would be a defective car, however that is not the case. Windows XP is not perfect. But Windows XP is perfectly Windows XP. Heck, there have even been FREE improvements - so WIndows XP now is better than XP was. But as a customer, I don't expect them to keep improving XP forever because they never said they would. Rather, they have done what is expected as per their business model - they released new versions which cost money. Just like the new version of my model of car is a quiter ride, but in order to gain that benefit, I have to buy the new car. Yes, Microsoft relies on copyright law in order to force you to pay for their product - but copyright law is substantially older than Microsoft as a business, and thus it seems natural that their business model would take copyright law in to account. But frankly, after they stop improving a product, they aren't exactly disabling that product, are they. I mean, Windows XP still activates, and it still runs - and there is no indication that this will cease to be, or that the facility to activate the product will at some point cease. Obviosly, if the product purchased failed to activate - and thus failed to actually perform the task of operating the system, then you would have a damn good consumer case in my mind in terms of owning a defective product. If you want to change the situation from a legal perspective, you need to convince a heck of a lot of people to agree with you - and then convince all of them to take action on that topic, enacting change through the democratic/legal process. But realise that - GIVEN the CURRENT LEGAL REALITY - Microsoft ending patch support for Windows XP - leaving in a state that is not 100% secure (albeit more secure than when released, is EXPECTED, and they are CLEARLY not in the wrong.

Two things

[DaveV1.0]

First, the conclusion in the summary is wrong.

According to statistics generated by Microsoft's new free malware scanning and scrubbing tool, Safety Scanner, one in every twenty Windows PCs are infected with malware.

No, the statistics show that 1 in ever 20 PCs using Safety Scanner is infected. It says nothing of the larger population of Windows PCs. It also does not address systems running some other security program along with Safety Scanner.

Second, the statistics suffer from selection bias. The sample used is not necessarily, and probably isn't, a representative sample of Windows PCs, so the statistics are not really valid.