Slashdot Mirror


User: jayloden

jayloden's activity in the archive.

Stories: 0
Comments: 213

Comments · 213

  1. Re:And a fun way to get free warze. on Fun Things To Do With Your Honeypot System · Score: 1

    Even better, use Joanna Rutkowska's Red Pill technique, which effectively identifies a VM in a single instruction based on the address of the IDTR.

  2. Re:cashiers are better on Law of Unintended Consequences Strikes Grocers · Score: 2, Interesting

    I used to work as a cashier at a grocery store, and I've worked as a cashier in a department store as well. I'd like to think that I was a pretty good one (fast and efficient), too. Unfortunately, I can attest to the fact that this does not imbue one with any inherent speed at the self-checkout lane.

    It's a question of familiarity. When I was a cashier, by the end of the first day or two of training, I was pretty familiar with the setup; I was using it all day. You start scanning as fast as it will go, hitting the buttons, and looking ahead at what you're about to scan so you can be prepared for produce etc. Self-checkout, on the other hand, is a whole different ballgame.

    Every one of those self-checkout lanes is a different setup, and I'm just not familiar with it. That means I have to take a few extra seconds to read the screen for each item, fight with the bagging scale, etc. Add that up over your typical checkout and it means it just takes longer than standing in line. *But* - and here's why these things are still successful at all - it's not the length of time it takes to get out of the store. It's the length of time it takes for something to start happening. I guarantee that if you had one person start self-checkout immediately and another wait in line, even if the person who waited in line was done first, they'd feel like they were there longer. It's instant gratification, something is happening right away, regardless of whether it's more or less efficient.

  3. Re:Anti-virus Programs Aren't Up to Snuff on Why Popular Anti-Virus Apps 'Don't Work' · Score: 1

    Heh...I was reading the comments since this particular article is of some interest to me, and ran across your comment. I'm the author of AIMFix, so obviously your post stuck out ;)

    I see this stuff all the time; the majority of the people I see with IM worm infections are running either Symantec or McAfee antivirus suites, with the occasional Trend Micro or PC-cillin user. It's not a lack of antivirus protection that's getting people in trouble. It's a combination of factors:

    a) malware writers are getting smarter - lately the majority of the virus links involve either MySpace or Facebook as an enticement to click
    b) recent code tends to include rootkit technology in bits and pieces, and install as kernel-level drivers and services instead of user-mode processes
    c) the AV companies aren't keeping up; not even close.

    I spend a lot of time keeping AIMFix up to date, sometimes several updates a day. It's a console application still, mostly because I'd rather use my coding time to fight the malware functionality than on making a GUI for Windows. When I started AIMFix I knew nothing about C++ programming, and all I wanted to do was automate the process of killing processes and deleting files. Then I had to include registry keys. Then there were new ways of hiding, such as installing as part of Userinit or Winlogon. Hell, some of these worms even look for and terminate any copies of AIMFix (that was pretty flattering :).

    Lately everything is kernel level or has a kernel-level component at least. I've seen maybe one user-mode worm in the past few months. I imagine that before long the rootkit technology will advance even further, and eventually I won't be able to fight it with a user-mode application at all anymore. In a way it's been the main impetus for me to learn more programming skills and delve much deeper into Windows than I ever wanted to.

    I typically use Linux or BSD whenever humanly possible, and at the moment AIMFix is cross-compiled on my Linux box. For the time being I can get away with this because AIMFix doesn't need a kernel driver or other components that aren't possible to cross-compile, but I'm sure that before long I'll have no choice but to develop exclusively on Windows.

    The evolution of malicious code is happening much faster than the anti-malware community for a number of reasons, not the least of which being how much easier it always is to destroy than to protect. Try knocking a house down with a bulldozer versus stopping someone with a bulldozer from knocking down a house ;) I'm not really sure there is any solution to the problem, but if there is, it's definitely not signature and reaction-based protection like we have today; it will be in either hypervisor virtualization technology and/or proactive heuristics.

    -Jay

    P.S. Glad AIMFix was able to help :)

  4. Re:Post megapack on AOL Tries New Tactic to Keep Customers · Score: 3, Insightful

    I hear you on this one. I've worked customer service and collections on the phone to pay my bills as a college student. When I was on the phone with a customer, I would be as polite as humanly possible and do my job as best I could. After all, these are generally people with a problem, since they hadn't paid their bill for one reason or another.

    The people who were calm and polite in return got their problem(s) resolved immediately. People who started yelling before I even finished introducing myself ended up arguing for 30 minutes. I'd finally get them to calm down and work with me, the problem would get resolved, and then they'd end up apologizing to me for yelling at me. It's a lot easier to be polite in the first place, and make someone actually want to help you.

  5. Re:Dirty hands...or natural skin oil problems... on Heat, Whine, and Now Yellow MacBooks · Score: 1

    I have the same problem on my Dell laptop that I was given by the company I work for, and I've only had it since midway through February. After maybe two months of use the thing had already completely discolored where my hands rest on the palmrest.

    By contrast, I have an IBM laptop with a lightly textured plastic top (instead of a smooth palmrest) which I've owned for something like a year and it hasn't discolored or shown any signs of wear at all.

    Frankly I think the bottom line is that anything smooth plastic is going to get worn down, and if it's white, it's going to look dirty too. It's not rocket science or necessarily bad manufacture, it's just a fact of life/chemistry/physics. Admittedly, it wouldn't be the first thing I'd have thought of when picking out a laptop, but after my experience with Dell I'll certainly be thinking about it now. I don't blame Apple per se, but I can definitely sympathize with people who buy a stylish new piece of gear and watch it turn nasty. I bought one of the black video iPods and it sucked watching it collect scratches across the face, but that's also a fact of life with something you carry around constantly...

  6. Re:A new-economy zombie on Illumio to Launch Social Network Advice Software · Score: 1

    Yep, and they've been around since 1997 doing exactly this kind of stuff...sounds to me like they think they have something that's been profitable for them.

    When you're in business to sell or make money from software, it's not about doing something new, it's about doing something profitable. Do I give a hoot about stuff like this? No...but that just means I'm not the target audience. User-generated content and buzzwords seem to have worked for MySpace, with a 500 million dollar purchase price.

    The idea might not be "sexy" to the geek audience, but I'll bet it's working really well for them financially ;)

  7. Re:Smarter cars on Self-Parking Cars Coming To U.S. · Score: 2, Insightful

    Maybe it's just me, but it seems to me like driving a vehicle with a manual transmission actually causes you to be a better driver in some respects.

    a) You can't eat/talk on a phone/shave/apply makeup etc nearly as easily when one hand is needed to shift. Obviously this isn't as true on the highway, but definitely for in-town driving.

    b) You can't zone out and totally ignore the road, unless you like the roar of an engine banging against the rev limiter nonstop...

    c) When you drive a manual transmission, you tend not to pull right up to the ass end of the car in front of you, because you realize that they just might need an inch or two to roll back as they leave from a full stop.

    d) Have you ever tried driving in stop-and-go traffic with a stick shift? I am convinced that traffic conditions would be immensely better if everyone had to drive with a clutch, because it makes you insane constantly working the clutch, gas, and brake back and forth to move forward 6 inches at a time, so you're going to either make sure it's worth it, or not cause the situation in the first place. Conversely, with an automatic, it's just releasing the brake a little and then applying it again.

    e) Paying attention to your car, your speed, and the road around you in general is easier and more likely if every few moments you need to shift gears.

    I started driving an automatic transmission and moved to a manual later, and the first thing I noticed was how much more involved I became with my driving. Similarly, when I drive other people's cars or rental cars for extended periods of time, I notice small differences in my own driving. So maybe it's just me, but it certainly seems like the smarter the car is, the less the driver has to work, and the less the driver pays attention.

    For some reason I'm reminded of the story of the RV that crashed on the highway, and the investigation turned up that the driver had turned on Cruise Control and went in back to make himself a sandwich...

  8. Re:Am I wrong on Hackers Serving Rootkits with Bagles · Score: 2, Informative

    No, it's definitely not just you. I work with [removing] IM-based viruses as a hobby project, and there has been a clear shift from simple executable file viruses to full rootkits. Along the way I've seen everything from loading with the shell or userinit to winlogon to bogus kernel drivers.

    It's my personal (and professional) opinion that this is likely to become the norm. I give it another year or two before the majority of malware is all rootkit-based. It's far too easy to incorporate rootkit technology, and far too difficult to remove. It seems only a natural step in malware evolution.

    I recommend Rootkits: Subverting the Windows Kernel for further reading on the subject. The first two chapters were enough to convince me that rootkits are a more than viable path for malware to take. Perhaps more importantly, no matter what the security companies put into their software, once the system has been compromised, there is no way to trust the running system, period. The only way to verifiably clean a rootkit-infected system is to take it offline and scan it from a known clean (read-only) media.
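The last point in the comment above, that a compromised running system cannot be trusted and must be checked offline from known-clean media, is easy to state and rarely shown. The following is an added example, not code from the comment or from AIMFix: it builds a manifest of file hashes from a trusted image, builds a second manifest from the suspect disk (which in practice you would mount read-only after booting clean media, so nothing from the suspect system executes), and diffs the two. The directory trees here are constructed in temporary directories so the example runs stand-alone; the file names and contents are made up.

```python
"""Offline integrity check against a known-good manifest (added example, not from the post)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path, '/' separators) to its SHA-256.
    Run this once on a trusted image, and again on the suspect disk mounted read-only
    from clean boot media, so no code from the suspect system is executing."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and specials are not content to compare
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Files present only on the suspect disk, missing from it, or with changed content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a clean tree, and the same tree after a hypothetical infection
    that patched userinit.exe and dropped a second svchost.exe outside system32."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            _write(root, "Windows/system32/svchost.exe", b"genuine svchost image (constructed)")
            _write(root, "Windows/system32/userinit.exe", b"genuine userinit image (constructed)")
        _write(suspect, "Windows/system32/userinit.exe", b"patched userinit image (constructed)")
        _write(suspect, "Windows/svchost.exe", b"worm copy named like svchost (constructed)")
        return compare_manifests(build_manifest(clean), build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The manifest is only as trustworthy as the image it came from and the media it is stored on; keep it with the boot media, not on the machine being checked. Hashing the whole tree is slow on a real system volume, but it is the one comparison a kernel-level rootkit on the suspect system cannot influence, because that kernel is not running.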

  9. Re:I could easily believe that. on Scaremongering over Spyware? · Score: 1

    Back when I still did Windows support at a help desk level, we had one virus that came out that was infecting anywhere from 20,000 to 50,000 files and up. (I think it was a MyDoom variant?) The thing would make copy after copy of itself, infect files, all kinds of crap. We'd scan the computers with McAfee and it'd sit there just constantly finding more files.

    It used to be almost fun fixing all the computers back then, because I was good at it and I could get just about anything cleaned up. Now these things are turning into these nasty rootkit-based nightmares that make me oh so glad I'm not in that business anymore. I've since moved to a completely Linux-based platform for everything I do and I no longer do desktop support (although I do maintain an antivirus tool). I can't imagine how much it would suck to be still back at the support center; I'm sure they'd just end up reformatting everything. Granted, it's not impossible to clean these new variants, but at a certain point you:
    a) Go beyond the technical capabilities of the student workers at the help desk to fix
    b) Go beyond a reasonable time limit to get this computer fixed so you can move on to the fifty other computers in the queue
    c) Give up in frustration

  10. Re:Years of waiting... on GnuCash 1.9.0 Released · Score: 2, Interesting

    Ever try compiling it, particularly on Slackware? I liked GnuCash when I tried it last, but trying to install it can be a real pain in the ass if you don't have a package for it available. Converting it to GTK in this instance was more than a cosmetic change; it was probably to get away from GnuCash's heavy dependencies on legacy libs and make future code changes more portable.

  11. Re:REALLY, REALLY important /sarcasm on Startup Prepares Cracker Attack Emulator · Score: 1

    The experts hired to do that can get quite creative, so of course the software is going to have to be quite good to get companies to consider replacing their experts [...]

    ...or just cheaper.

  12. Re:Yay for viruses! on 20 Years of Computer Viruses · Score: 1

    Funny coincidence! I'm getting married in November, and I met my fiancee because of my work with AIMFix antivirus tool for IM viruses. If she hadn't gotten an IM virus, we would never have met and I wouldn't be getting married in Hawaii :)

  13. and it will only get worse on Instant-Messaging Attacks On the Rise · Score: 1

    I've been dealing with AIM viruses since 2003 (I run AIMFix, an IM-specific virus removal tool), and I've watched them grow exponentially. On top of that, the attack methods have become infinitely more sophisticated. Where it used to be a userland executable, usually an exe, it moved to .pif and .scr files. It started with the usual "Run" entry in the registry, then started to mess around with the shell settings, winlogon settings, services, and legacy win.ini items. The latest variants are actually including code from various rootkits (mostly the FU rootkit) to hide themselves from memory and the registry.

    My prediction is that these will only grow worse as time goes on. It's far too easy to include even more sophisticated rootkit technology in with the worm code, IM is getting ever more popular, and it's effective, plain and simple. Something about the IM format makes it both easy to mimic real "conversation" ("hey, check out these pics of me drunk at New Years!"), and somehow less suspicious than similar messages sent via email.

    As far as I'm concerned, rootkits are going to become the norm for Windows worms/viruses within a year or two. Why bother with a simple executable that's easy to find and kill when you could make your code invisible to the running system? Frankly, I have no idea what the next step becomes for those of us writing anti-virus tools and cleaning programs. Bootable CDs that can verify the system? I don't pretend to have the answer just yet, but I can say with confidence that we'll be seeing more of this as time goes on, and I sincerely hope that the AV companies can step up to the plate in time.
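The comment above traces the worms' persistence from the Run key to the Winlogon Shell and Userinit values. Those locations can be audited from a regedit text export, which is also what you would have after pulling the hive from a disk mounted offline. The following is an added example, not code from the comment or from AIMFix: a small parser for the .reg export format, plus a check that Userinit holds nothing but the genuine userinit.exe and Shell nothing but explorer.exe, with an inventory of Run/RunOnce entries for review. The sample export is constructed, and the expected Winlogon defaults encoded here are an assumption for an XP-era default install.

```python
"""Audit Windows autostart points in a .reg export (added example; not AIMFix code)."""


def _read_quoted(s, start=0):
    """s[start] is an opening quote; return (unescaped text, index after the closing quote).
    The .reg format escapes backslash and double quote with a backslash."""
    buf, i = [], start + 1
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i + 1])
            i += 2
            continue
        if c == '"':
            return "".join(buf), i + 1
        buf.append(c)
        i += 1
    raise ValueError("unterminated string in .reg line: " + s)


def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: data}}.
    Strings are unescaped, dword values become ints, hex blobs are kept as raw text."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):  # hex data continued on the next line
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.strip())
    hives, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")):
            if line.startswith("@"):  # the key's default value
                name, rest = "", line[1:]
            else:
                name, end = _read_quoted(line)
                rest = line[end:]
            if not rest.startswith("="):
                continue
            data = rest[1:]
            if data.startswith('"'):
                value = _read_quoted(data)[0]
            elif data.lower().startswith("dword:"):
                value = int(data[6:], 16)
            else:
                value = data
            hives[current][name] = value
    return hives


WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def _values(hives, key):
    """Case-insensitive key lookup; registry paths are not case-sensitive."""
    for k, v in hives.items():
        if k.lower() == key.lower():
            return v
    return {}


def audit_autostarts(hives):
    """Return Winlogon tampering plus an inventory of Run/RunOnce entries for review.
    Assumed defaults: Userinit is a comma-separated list holding only
    <SystemRoot>\\system32\\userinit.exe, and Shell is explorer.exe."""
    tampered = []
    wl = _values(hives, WINLOGON)
    for part in str(wl.get("Userinit", "")).split(","):
        part = part.strip()
        if part and not part.lower().endswith(r"\system32\userinit.exe"):
            tampered.append(("Userinit", part))
    for part in str(wl.get("Shell", "")).split(","):
        part = part.strip()
        if part and part.lower() != "explorer.exe":
            tampered.append(("Shell", part))
    run_entries = [(key, name, str(cmd))
                   for key in RUN_KEYS for name, cmd in _values(hives, key).items()]
    return {"tampered": tampered, "run_entries": run_entries}


# Constructed export; the second Userinit component is the kind of addition a worm
# makes so that its copy starts with every logon.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"taskmgr"="C:\\WINDOWS\\taskmgr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"""


def demo():
    return audit_autostarts(parse_reg(SAMPLE_REG))


if __name__ == "__main__":
    result = demo()
    for what, part in result["tampered"]:
        print(f"Winlogon\\{what} has an unexpected component: {part}")
    for key, name, cmd in result["run_entries"]:
        print(f"{key}: {name} = {cmd}")
```

Services and win.ini run=/load= lines, which the comment also mentions, are not covered here; services live under HKLM\SYSTEM\CurrentControlSet\Services and can be walked with the same parser, while win.ini is a plain INI file. Reading the export from an offline hive rather than the live system matters for the same reason as any other rootkit check: a kernel-level component can hide keys from the running registry API.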

  14. "pulling facts from black holes" on Slowly Pulling Facts from Black Holes · Score: 1

    Wait...I'm confused. Is this another John Dvorak article, or what?

  15. Re:I'm sorry... WHAT?! on Microsoft Challenges Linux's Legacy Claims · Score: 1

    I completely concur here. If you compare running Linux with a full GUI/DE like KDE or Gnome, I'd say it's pretty comparable to Windows as far as memory and CPU requirements go. However, what Linux is great at is flexibility.

    You can take an old Pentium box, throw 50MB of the Linux kernel and associated utilities, and make a perfectly serviceable firewall/router out of it. I know plenty of people out there running Pentium II machines as web servers and home file servers. Hell, I did it myself at one point. The only reason this is a viable use for these machines is because you have the flexibility to hack apart the open source software into nice convenient, small footprint packages.

    For example, I had a Pentium III machine that I used to host my first ever website. It was perfectly capable of running Windows, and I originally hosted my site on Windows 2000 Server. During this time I first started using Linux, and decided to move my hosting to Linux. I reformatted the machine with Mandrake Linux, ran it with no GUI, and watched my page serving time drop dramatically. It's not magic or anything particularly mystical about Linux, it's just a lot less overhead when there's no GUI and DE running constantly.

    When people ask why I use Linux, the main reason I give is flexibility. I can do *anything* with my Linux system. I have never really poked around the source code to my OS or most of the utilities, but the fact that anyone can means that there are lots of things available to me simply because some hobbyist with free time and good coding skills did.

  16. Re:RootKit Revealer on Windows XP Flaw 'Extremely Serious' · Score: 1

    Actually, RootkitRevealer doesn't scan for known rootkits...it scans for common signs of a rootkit in general (hidden registry keys or inconsistent data, for instance). That's not to say you're wrong, but I just wanted to point out that RootkitRevealer is a little more clever than just scanning for known rootkits :)

  17. Re:Why does /. report so much on Windows flaws? on Exploit Released for Unpatched Windows Flaw · Score: 1

    http://linux.slashdot.org/article.pl?sid=05/11/08/140203&tid=220&tid=106

    I'm no Microsoft fan, but Linux and Unix boxen aren't invulnerable.

  18. Re:Morons on Symantec Confirms AV Library Flaw, Promises Patch · Score: 2, Insightful

    Tell me about it. No more ability to scan in Safe Mode, no ability to run at all if the IE security settings are jacked up, and if mshtml is exploited, then Symantec's products are screwed.

    Whose brilliant idea was it to make an HTML GUI for a *security* product using libraries from the system that are easily compromised by unrelated events (IE security levels)?

    Right around the time they started with that was when I stopped recommending their products and started recommending AntiVir.

  19. reminds me of a joke... on Competing to Work for Microsoft · Score: 4, Funny

    "it's like competing in the special olympics. Even if you win, you're still retarded"

    NOTE: the above is a *joke*. If you do not have a sense of humor, please ignore this comment and move on.

  20. doesn't crash FF 1.0.7 on Kubuntu Linux on Unpatched Firefox 1.5 Exploit Made Public · Score: 1

    I'm running Firefox 1.0.7 on Kubuntu (Breezy Badger) and it doesn't crash here. It definitely hung for a good long while on the next startup while it tried to parse the history file, but it did eventually start up normally.

  21. Re:This is old school on New Worm Chats with Users on AIM · Score: 2, Insightful

    Sure...and they could also put a big fat warning symbol next to URLs that end in executables and tell people "this is a program!" before they download it.

    They could probably even set up filters to prevent blacklisted urls from even being transmitted. Hell, with AOL's money and power it's highly likely they could get most of the virus sites shut down much faster than you or I can.

    But if there's one thing I've learned in the years I've been fighting the IM virus battle, it's that AOL doesn't do a damn thing until it's so huge that they *have* to do something, or the media gets involved enough to make it an issue. I deal with this crap every single day. I create definitions for new virus variants for my AIMFix software, answer hundreds of emails from (usually virus infected) users, and analyze various bits and pieces of the malware themselves. Hell, I've even tracked the authors down to their home address & phone in a couple of cases. It's not like AOL couldn't take care of all of this if they really wanted to. Hell, they could even just pay me to do it full time - I work cheap ;) But the honest truth is that they don't care unless they have to. When it comes to the scale of priorities, welfare of the users hardly even registers for AOL. What matters is revenue, and unless the virus(es) directly impact revenue, they could care less.

    It's often frustrating to me that a relatively minor investment on the part of AOL (and other parties, I might add) could make my life a lot less busy and make the life of a virus writer that much more difficult. It's hard to see dozens of people email me in one weekend because they had their passwords stolen and their account hijacked, or hear from thousands of frustrated and upset people whose computer is suddenly a mess of spyware and ads. I can't even imagine what it'd be like to have your screen name sending out IMs to all of your friends, infecting them with the very same unpleasantness while you sit there helpless. Sure, much of that can be attributed to the end user, but AOL sits in a position to help save a lot of these people from themselves and they just aren't interested.

    -Jay

  22. Re:AIMFix removes these on New Worm Chats with Users on AIM · Score: 3, Informative

    Dammit slashdot...that link was supposed to be http://jayloden.com/aimfix.htm

    If you want the binary only: http://jayloden.com/AIMFix.exe

  23. AIMFix removes these on New Worm Chats with Users on AIM · Score: 2, Insightful

    I wrote and maintain a free AIM / IM specific antivirus tool called AIMFix that removes these two worms in several variations. I've been working with this stuff since 2003 (AIMFix is used by dozens of Universities as part of official cleaning procedure and recommendations, see the users page for details). In particular, these two worms have been eating all of my free time for the last three or four days with several variants and some new behavior (installing as services only, rather than registry keys all over the place, etc). They're also hiding as Windows filenames, but in different directories, like C:\Windows\svchost.exe (instead of system32), C:\Windows\taskmgr.exe, etc.

    It is so incredibly weird seeing these stories in the media. I've been so deep into researching them and writing updates to AIMFix to keep abreast of everything that it comes as a total surprise to see a media outlet cover them. I've gotten countless emails from people who got hit by these two worms, and I've become quite familiar with the symptoms over the past few days, yet at the same time I'm uniquely ignorant of the rest of the story (the AI aspect, etc) because I only end up dealing with the nitty gritty that happens on the symptoms and removal level. Go figure.

    -Jay
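The worms described in the comment above hide behind genuine Windows file names dropped in the wrong directory (C:\Windows\svchost.exe instead of system32). That pattern is mechanically checkable: given a list of paths from a file-system walk or from process image paths, flag any known system-binary name that sits outside its expected directory, and any name one edit away from a known one (swapped letters, a digit for a letter). The following is an added example, not code from the comment or from AIMFix. The table of expected locations is an assumption for a default install and should be extended from a known-good machine; the path listing is constructed.

```python
"""Flag system-binary names in the wrong directory, or look-alike names (added example)."""
import ntpath

# Where these binaries live on a default install, relative to the system drive, lowercase.
# The table is an assumption for the example (XP-era names, plus the 32-bit copies that
# 64-bit Windows keeps under SysWOW64); extend it from a known-good machine.
EXPECTED_DIRS = {
    "svchost.exe":  {r"windows\system32", r"windows\syswow64"},
    "taskmgr.exe":  {r"windows\system32", r"windows\syswow64"},
    "userinit.exe": {r"windows\system32"},
    "winlogon.exe": {r"windows\system32"},
    "lsass.exe":    {r"windows\system32"},
    "csrss.exe":    {r"windows\system32"},
    "explorer.exe": {r"windows"},
}


def split_path(path):
    """(directory, basename), lowercased, drive letter removed, '/' treated as '\\'."""
    rest = ntpath.splitdrive(path.replace("/", "\\").lower())[1].lstrip("\\")
    return ntpath.split(rest)


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition as one
    edit, so scvhost.exe (swapped letters) and svch0st.exe (digit for letter) are both 1
    away from svchost.exe."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, rows[-2][j - 2] + 1)
            cur.append(d)
        rows.append(cur)
    return rows[-1][-1]


def classify(path, expected=EXPECTED_DIRS):
    """None if the path looks legitimate, otherwise a short reason."""
    directory, base = split_path(path)
    if base in expected:
        if directory in expected[base]:
            return None
        return f"{base} outside its expected directory (found in \\{directory})"
    for known in expected:
        if osa_distance(base, known) == 1:
            return f"look-alike of {known}"
    return None


def find_masquerades(paths, expected=EXPECTED_DIRS):
    """[(path, reason)] for every suspicious entry, in input order."""
    results = []
    for p in paths:
        reason = classify(p, expected)
        if reason:
            results.append((p, reason))
    return results


# Constructed listing, as a file-system walk or a process list might produce it.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\svchost.exe",
    r"C:\WINDOWS\taskmgr.exe",
    r"C:\WINDOWS\system32\scvhost.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\Program Files\Messenger\msmsgs.exe",
]

if __name__ == "__main__":
    for path, reason in find_masquerades(SAMPLE_PATHS):
        print(f"{path}: {reason}")
```

The wrong-directory check is exact and cheap; the look-alike check is a heuristic and will produce false positives on a large listing, so treat its hits as candidates for a hash or signature check rather than as verdicts. Neither check helps against a rootkit that hides the file from the directory walk in the first place, which is why the listing is best taken from a disk mounted offline.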

  24. Re:chkconfig vs update-rc.d on Talking With Debian's Branden Robinson · Score: 2, Interesting

    Glad to see I'm not the only one interested in this. I actually looked at writing a clone tool for Debian based systems for both chkconfig and the "service" command from RedHat. I got as far as creating the service clone: http://jayloden.com/service_clone.htm but I didn't get to the chkconfig yet. Now that you've reminded me I may have to mess around with this again.

    I haven't played with the tools the other replies mentioned (though I plan to now), so I can't comment on them, but it's definitely not a bad idea to clone the RedHat toolset, since it allows familiar ground for a lot of people used to RH environments, and I think chkconfig is reasonably intuitive and easy to use, to boot.

    -Jay

  25. Re:Screw Symantec on Microsoft Launches Anti-Virus Public Beta · Score: 2

    Glad to see I'm not the only one who feels that way about Symantec nowadays. I used to be a big Norton AV champion, and then one day they just kinda started to go downhill. I don't think I've seen a virus removed by Norton anytime in the past two years, just a warning that says it can't clean the file or quarantine it and a big "your system is infected" message. Now that you can't run AV scans with Norton in Safe Mode anymore, it's pretty much useless. It's always sad to see a good product turn to crap like that.