How Windows Gets Infected With Malware
Orome1 writes "Since up to 85% of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits, CSIS has actively collected real-time data from them for a period of three months. The purpose of their study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third-party software are at risk. They monitored more than 50 different exploit kits on 44 unique servers / IP addresses. The statistical material covers all in all more than half a million user exposures, out of which as many as 31.3% were infected with the virus/malware due to missing security updates."
Salient point is that, fully updated and patched installs let 70% of the infections through.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Understandably... Given the zoo of updaters you get by installing just a handful of applications, I too disable them, except for Windows Update itself. (Well, I used to; I still have an XP copy somewhere on an old laptop, but I migrated fully to Linux years ago.) However, doing that and running as a Limited User pretty much took care of not being infected. Not using the system browser also helped.
As I understand, these days infection most often occurs over Adobe Flash, Adobe Reader, Internet Explorer, in that order.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
A window can get infected? Lies I tell you!
Having to work for a living is the root of all evil.
The Java JRE issue is confusing. If the problem is with Java and its specs, it should be platform independent. So is it the Windows implementation that is at fault? I don't know.
Update early. Update often.
Uh, Linux geek since 1999.
I guess don't use Java, Adobe Reader, Flash or IE, and you should kill 90% of the possibilities.
Looking at the graphs and statistics, I ended up wishing they'd factored in usage share, to make the numbers more meaningful.
I mean, if (say) 70% of users used XP and 30% of users use Win7, then seeing 70% of the exploits on XP and 30% of the exploits on Win7 doesn't tell you much other than that there's an exploit that is the same across them. It does NOT mean that XP is more vulnerable than Win7. Ditto the breakdown by browsers. Without usage share factored in, the numbers can be misleading in either direction.
- Spryguy
There are three kinds of people in this world: those that can count and those that can't
Simply Click HERE! ;)
How much is your data worth? Back it up now.
How Windows [machines] get infected.
I didn't have trouble parsing that; possibly if you turned the brainpower spent making snarky responses to reading comprehension you wouldn't have had the issue either.
User's patches not up-to-date. User got infected.
The applications the malware targets are unsurprisingly the same-ol-same-ol. Windows, Java, IE, Adobe.
Perhaps the real questions should be:
- Why is patching so ineffective?
- Why is patch frequency not decreasing over time (these are *very* mature applications) ?
Join the Slashcott! Feb 10 thru Feb 17!
IE is the default browser on more systems than anything else. And even if Firefox is installed, the API calls on windows for http downloads use the IE engine, unless you go to some trouble.
Unfortunately I run into areas where I am unable to upgrade the JRE due to incompatibilities with newer versions. For instance, in dealing with a Dell DRAC, the old Chassis says it'll support 1.4_5 something or other or newer. The problem is with the exact version it works fine but upgrading JRE on my system causes it to fail and refuse to start up the console java app. So I have a Windows laptop at my desk that is kept at that specific version of the JRE so I can continue to access the chassis until it's replaced. It's just one example but it's one I have to deal with on a periodic basis.
[John]
Shit better not happen!
They need to incorporate the option of turning on automatic, silent upgrades like Google Chrome has - many end users don't recognize the "Hey I've got an update" balloons on their machines, and just ignore them until they wind up several versions out of date. Also, Adobe needs to cut out this "reboot required" nonsense for Adobe Reader. Not everyone is able to reboot machines at a drop of a hat, and it's annoying to have to schedule a reboot on a server for a program that didn't require a reboot for installation and is only used once every few months. (I seriously update Adobe more than I use it on many machines.)
Occasionally living proof of the Ballmer peak.
Grammars be important, their how we speech proper. Kapeesh?
What talk bout. We no talk that here.
which is totally what she said
It looks like they were mainly studying browser-based attacks; the CVEs I looked up all had to do with browser code injection, along those lines.
They go on to state that 85% of virus infections (do they mean malware / spyware?) are caused by drive-by attacks (website exploits).
I'm not sure of, and am too lazy to look up, the actual figures, but I would dedicate that 85% to email-based attacks: not Nigerian scams, but infected attachments, embedded code, etc.
Oh well, I'm demoting the scope of these statistics to browsers only...
and also state that I believe Windows gets infected buckets more by email-based attacks for many reasons, including the ease of guessing email addresses on a domain, as well as user trust that whoever is sending them the email knows their email so they may know them, etc...
http://www.net-security.org/images/articles/102011-infection.jpg
Avoid Java, Flash, Acrobat and Internet Explorer and you avoid around 95+% of the entry points. IOW it does not seem to be Opera or Mozilla which is vulnerable, but the added cruft plug-in.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
There were multiple Windows machines being discussed. "Gets" is only appropriate for the singular case, so the usage of the plural "get" was correct.
Pedantic fail.
TL;DR:
The majority of infections are (in order): JRE, Acrobat Reader, Flash, and a minority are actual browser exploits and/or Quicktime exploits. No word on the versions but I expect that they are all well-known and long-patched holes.
Part of the reason I run with Java disabled, Flashblock installed, etc.
Natural != (nontoxic || beneficial)
Unless you force users to update software before continuing to use it, they will nearly always pick the "remind me later" option. Updates to packages like these need to be automatic and enforced for all but the most managed of users, or this problem will just go on forever.
If this issue affected only the individual users, it would be one thing. But the fact that clicking "remind me later" has a disastrous effect across society means that you can't just rely on people to do the smart thing. They won't. They'll do the quick, easy thing.
One might wonder how you ever manage to read headlines if you can't grasp the concept of implied words. It's not exactly uncommon for a headline to drop words, nouns and verbs alike.
Why, Msn.com has the headline "Dust storms, Bear attacks, more". Oh noes! There's no verb in those sentences! WHAT are the dust storms doing? Or perhaps the dust is currently storming, and it's the object of the attacks and storms that we are missing? However will we decode this headline? And what is the bear attacking?
Really folks, if you can't get this, Slashdot is probably not the site for you.
"With this study CSIS has received confirmation that our security program Heimdal is addressing a market not adequately covered by a proper patch routine or policy for this area."
The article never equates user exposures with infections.
(so it isn't clear if that other 70% actually result in infections...)
Nerd rage is the funniest rage.
I call BS - many Linux repositories package and provide Adobe and Oracle software all the time, without issue, and without "extra toolbars and such" being installed when you use their packages. Are you really really sure that MS isn't imposing a requirement that Adobe and Oracle find unacceptable? (go ahead, call me cynical) Or possibly that MS won't allow the licenses under which such packages are provided?
"Ahh! I see you're in that indeterminate Schrodinger state where - oh, uh
http://secunia.com/vulnerability_scanning/personal/
I'm sure it's not unique, but I like that it does keep track of third-party programs and services - especially the seemingly purpose-built attack vector: Flash.
"Storms" and "attacks" are both verbs. The dust is storming, the bear is attacking. There was an s missing from the headline. It's a Slashdot meme to make jokes about the poor editorial quality. You need to relax and get over it.
Perhaps. I was trying to give MS the benefit of the doubt, as my colleague typically does. I guess it could be just laziness on MS' part.
Not correct. You might be able to make the case for "attacks" being a verb, but ONLY if it is referring to a single bear doing the attacking. If it is referring to several incidents, it would be "bear-attack", plural-- that is "bear attacks" (noun).
Dust storm, however, is a noun, and I have never heard the usage that would indicate the dust was storming something-- you would have to think the dust was breaching the walls of something, which is a bit of a stretch.
From the context (being a headline, the use of what appears to be a plural combined with the word "more"), it seems obvious that they are referring to several incidents involving dust storms, and several incidents involving bear attacks.
No, it's called shitty application developers that don't want to leverage the tools Microsoft provides for securing their applications.
I've gotten arguments from developers who SWEAR they can do it better--and by better, I mean "I should be able to put my application anywhere on the system and the system shouldn't be exploitable by any bugs in my code."
I shit you not, we argued over this for a while.
Microsoft provides developers every tool they need to make a Windows application that can operate on least privilege but they REFUSE to use it.
There are many holes that have been overlooked by developers; however, education of the end user is just as important.
Mike W
My friends & family run $OS with the browser running in an isolated user account, works quite well
So do most Windows users. Luckily for the virus makers, it's pretty easy to pester the user with a zillion gksudo / consent.exe prompts requesting elevation: all it takes is clicking "allow" if you don't have a password set, and it's all over.
I'm not surprised you haven't found any root-kits.
(+1, Disagree)
Find out how Windows gets infected with Malware by downloading this exclusive EXE *FOR FREE*.
/me sips his coffee and ponders a new sig...
The old vulnerabilities of planting an ActiveX control, tricking an RPC, or targeting a buffer overflow in Windows XP or IE 6 are long gone.
IE 9 on Windows 7 and IE 10 on Windows 8 are among the most secure web browsers out there. No, seriously.
It is compiled with VC 2010 and has crazy ASLR, DEP (data execution prevention), and even checks exception handling at compile time to make sure it is not abused. Even if you could figure out how to do a buffer overrun and poke some bad instructions into RAM, its addressing is all randomized, so targeting the kernel or a particular DLL to execute is all but impossible. This is especially true under Windows 7, where the whole system has a scrambled layer of RAM addresses that is always changing. It is a bitch to do now.
Even IE 8, which is not a modern browser by today's standards (still mediocre), is OK security-wise when patched compared to its horrible past siblings IE 6 and IE 7.
Modern IE is not IE 6 or IE 7 by a long shot. As I.T. professionals you need to learn newer things. It does not make sense to target Windows or IE vulnerabilities because by the time the cracker finishes the trojan, MS will likely fix it via a Windows update.
Flash, however, is compiled by Adobe with no such security checks at compile time! Doh. Even worse, many users still have 2-year-old Flash 9 that is never auto-updated. You can run bad JavaScript in PDFs that cross-sites to a bad site and a whole lot of other nasties. I use Foxit and it even caught a PDF that did just that, and it had XSS cross-site scripting protection. Thank God.
Flash is never updated, does not have the resources MS has, and Oracle doesn't give a shit about Java and refuses to patch security glitches. RMI by its very nature is there to allow foreign natively compiled code, so no crazy hacks are needed.
The solution? Ban Flash at work, and set up IE to use Java for selected intranet sites only, in a protected zone. It is very easy to set up and any administrator at work should always do that. YouTube is not business-productive anyway and is the only real reason to use Flash. ;-) You can ban these with Chrome and I assume Firefox as well, but you can't do particular sites like IE can. MS put them there for a reason.
Do these steps and your support load will go down by at least 50% at work. Guarantee it.
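One way to script the lockdown that post describes (Flash blocked, Java allowed only for named intranet sites in the Local intranet zone). This is an added example, not the commenter's own configuration; it assumes the standard IE zone registry layout (Zones\1 = Local intranet, Zones\3 = Internet, value 1C00 = Java permissions), the well-known Flash Player ActiveX CLSID, and constructed sample host names.

```powershell
# Added example: restrict Java to named intranet hosts and kill the Flash ActiveX control.
# Assumptions: Zones\3 = Internet, Zones\1 = Local intranet; DWORD 1C00 = Java permissions
# (0x00000000 = disable Java, 0x00010000 = high safety); ZoneMap\Domains maps hosts to zones.
# Run from an elevated PowerShell, since the kill bit lives under HKLM.
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$intranetHosts = @('portal.corp.example', 'hr.corp.example')   # constructed sample hosts

# 1. Java off in the Internet zone, high-safety Java in the Local intranet zone.
Set-ItemProperty -Path "$zones\3" -Name '1C00' -Type DWord -Value 0x00000000
Set-ItemProperty -Path "$zones\1" -Name '1C00' -Type DWord -Value 0x00010000

# 2. Map each approved host into the Local intranet zone (DWORD 1) for HTTPS only,
#    so Java applets are reachable from those sites and nowhere else.
foreach ($h in $intranetHosts) {
    $key = Join-Path $zoneMap $h
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'https' -Type DWord -Value 1
}

# 3. Set the ActiveX kill bit (Compatibility Flags = 0x400) on the Flash Player CLSID,
#    which makes IE refuse to instantiate the control regardless of zone.
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$killBit = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
New-Item -Path $killBit -Force | Out-Null
Set-ItemProperty -Path $killBit -Name 'Compatibility Flags' -Type DWord -Value 0x400

# 4. Read the settings back so the change can be audited or checked by a login script.
Get-ItemProperty -Path "$zones\3" -Name '1C00'
Get-ItemProperty -Path "$zones\1" -Name '1C00'
Get-ItemProperty -Path $killBit -Name 'Compatibility Flags'
```

In a domain, the same values are normally pushed through Group Policy (Internet Explorer zone and site-to-zone assignment settings) rather than per-user registry writes, but the keys being set are the same.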
http://saveie6.com/
3% of successful infections used a feature that nobody I know about has ever used (beyond accidentally pressing F1).
Just goes to show that even the most benign features could potentially harbor a security risk if the programmers didn't do their job right, regardless of operating system.
All those pie charts are kind of useless unless they normalize them for percent of installed base... Oh, IE makes up the largest number of browser infections? Maybe because IE makes up the largest number of browser users. Windows 2000 gets far less malware than Windows Vista? Probably not actually more secure... just has far fewer users anymore.
The tendency for infection is correlated to how popular the OS is, goes the oft-repeated idea.
For relative infectibility, I quote the "exposed to malware" numbers from the article. They make it a little ambiguous whether this means actual infections. And for relative popularity between Windows OSs, I quote from the Wikipedia article on Windows (with some averaging).
"Exposed To Malware":
- XP - 41%
- Vista - 38%
- 7 - 16%
(Relative) Install Base:
There appears to be a large discrepancy between these numbers. Any explanations? On the face of it, it looks like it is not true that popularity of OS correlates highly with infection rate.
So do most windows users.
I dispute that, and assert that most home users run using the default Admin account that was automatically created by the manufacturer.
"I don't know, therefore Aliens" Wafflebox1
Anyway, several years ago $DAUGHTER was headed off to University and it was time for her to take responsibility for her own computer, so we went shopping at Fry's and she got the usual mobo, PSU, HDD, video, etc. for the case I bought her. She and $HERSELF (not her mother but ...) then built the box and, following the online instructions, did a Stage One installation of Gentoo.
Worked like a champ for four years, she kept it up and all w/o my needing to hold her hand (not that I object to holding her hand, even now.) She only replaced it because a laptop suited her needs better in grad school. So she wiped a new ThinkPad down to bare metal and installed Ubuntu. Here we are four years later and she's doing her dissertation on that ThinkPad, still no help required from Dad.
And before anyone asks:
* No, she's not a CS or other tech major. Sociology, actually.
* She already has a boyfriend and he's about 6'4" of professional outdoorsman.
Lacking <sarcasm> tags,
Someone didn't pay attention to the Vista and Win7 changes. As in Ubuntu default installs, the user has admin "capabilities", but they are dropped most of the time. To actually use them, you must click through a UAC prompt that is functionally identical to gksudo.
Someone didn't pay attention to the Vista and Win7 changes.
The only non-XP Windows systems I've seen in the past 5 years is the Win7 Starter on my wife's (brand new) netbook.
Other than that, we're pure Linux at home and XP at work, so there was nothing to not pay attention to (if that makes any sense).
Ah, well perhaps you shouldn't have commented on Vista and Windows 7. You see, WinXP market share is under 38%, so my comment about "most Windows users" was accurate.
Incidentally, 7 really is worth the upgrade; don't judge it based on Starter, which really is awful and is usually put on devices that should never have run Windows to begin with.
perhaps you shouldn't have commented on Vista and Windows 7
Point *slightly* taken.
7 really is worth the upgrade; don't judge it based on Starter, which really is awful and is usually put on devices that should never have run Windows to begin with.
I'm not going to pay an extra $100 on a $250 computer. When/if my wife comes upon its limitations (so far she hasn't) then we'll discuss what to do.
Yes, I don't think I would spend the money if it were that much. But if you can snag a $30 student upgrade, it's worth it, and if you are getting a new computer, you might as well go for 7. The new GUI is much better (as in, it improves productivity), cross-GPU-vendor multi-monitor is supported, and there's heaps of other goodies. To be sure, there are annoyances, but all in all I think 7 was a good direction.
Now if only they hadn't thrown that all out for the mess that is Windows 8.....
But if you can snag a $30 student upgrade, it's worth it
Guess we're not upgrading... :)
cross-GPU-vendor multi-monitor is supported, and there's heaps of other goodies.
It's a netbook, for Christ's sake.
Now if only they hadn't thrown that all out for the mess that is Windows 8.....
I know the feeling. I've held our desktops back to Ubuntu 10.04 and 10.10 because my wife hates change and I hate (1) change for change's sake and (2) pandering to mythical Linux newbies.
Designing and building trails for the Forest Service, for one. As in, spending more time hiking with a pack and sleeping in a tent than under a roof. In between doing things by hand rather than with power tools because the tools are too hard to get to where the work needs to be done.
Apparently you can't answer easy, simple questions. I realize that you're posting as AC, but could you provide me with the state that you live in so that I can direct you to your state's Department of Developmental Services, so that they can help you learn the art of responding to easy questions? With any luck, they can team you up with a second grader who can teach you how to respond to sentences that end with question marks: "?".