Slashdot Mirror


User: patricm

patricm's activity in the archive.


Comments · 2

  1. Re:Maybe He Just Married a Moron on Why Does Windows Still Suck? · · Score: 1

    I am currently running knoppix from a cd, that's my general preference as well. Which should be a viable option for windows by the way, a highly usable live cd version of windows would be a great boon to a number of people, one of the many things our friends in redmond haven't pursued. Comparing apples to apples, there is no way to run as a non-root user in windows, if you have access to the drive you have access pretty much, that is, you can't keep a user from running software that causes registry entries, and thus there is no security model, as the windows registry is pretty much the holy grail of owning the windows box. I have the option of removing software with which there are known security issues but no patches available on an installed linux system, you have that option as well, as long as there isn't a microsoft line of bs about it being an integral part of the OS. So if you have a windows box and there's an IE vulnerability you have no supported option for removing IE, and if redmond has decided they aren't going to fix it, you're out of luck. I suppose you could simply implement a policy that IE is never used, although this relegates you to manually managing updates, as IE is the automated tool for Windows updates. Let's get away from "infected", let's use "should be treated as compromised", in my experience these machines are "infected" but let's implement a policy of "treating a machine as compromised" that has been a situation where someone with malicious intent could have run arbitrary code. I think that your average linux box has a life expectancy about 1000 times as long as your windows box, before it should be "treated as compromised" under such a policy. We can even wait for evidence, we won't "treat as compromised" the windows box until we have a registry change we can't explain, or a logfile entry that we don't know what is. Or unexplained network traffic from the box.

    As to how the hijacking occurred, I suspect that there was a vulnerability in IE that was still unpatched after windows updates had been run, and that one or more of the four manufacturers' websites I went to had compromised webservers, probably related to under-patched IIS installations. This machine was running no services and was NATted a couple of times, including running by itself on the second NATted subnet. Unless I was the stupid user, doing something stupid by running windows updates and downloading hardware drivers, there was no stupid user intervention on this install. Sitting far away across the Internet, I am better equipped to determine than anyone trusting in the security of an unpatched windows box with no anti-virus protection of the status of that box, if he believes he's "clean as a whistle". I've seen Windows compromised repeatedly by people using it without having done anything particularly "stupid". Blaming the user seems to be the windows model of security, but I find this to only be reasonable if you agree that windows is insecure if you "USE" it, and thus all the problems are the "USE"rs fault. I tend to believe that I know what I am doing and I don't find Windows to be "perfectly" anything, particularly usable. I am guessing that you have not tried avast's BART product, as I suggested to the original poster, if you'll give it a try, I think you'll find otherwise unknown but quite verifiable malware running on your machine as well. http://avast.com/eng/buy_avast_bart_cd_vi.html

  2. Re:Maybe He Just Married a Moron on Why Does Windows Still Suck? · · Score: 1

    "...no lieutenant your men are already dead." Why don't you run over to avast.com and get their bart cd (because your compromised OS isn't a viable platform for detection) and run a scan and let us know how many different forms of verifiable infection are found. Maybe not being a moron to you is cutting the cable on your internet connection, but outside of that, your windows box is infected, period. I have seen clean windows 2000 installs with their browsers hijacked, after all available updates were run before 4 manufacturers' sites were reached to download drivers. Maybe I'm a moron too, but I don't think so, I think you are simply unaware that your "clean as a whistle" pc is 0wned.