Archive for the ‘Operating Systems’ category

Windows 7 Less Vulnerable Without Admin Rights

April 1st, 2010

Is anyone surprised here?

Windows 7 Less Vulnerable Without Admin Rights: “Most Windows 7 vulnerabilities can be mitigated by administrative rights limitations, report from BeyondTrust finds”

(Via DarkReading – All Stories.)

SCO vs. Novell… SCO 0 / Novell +1

March 31st, 2010

Stick a fork in SCO… they are cooked!

http://www.novell.com/prblogs/?p=2153

Decision in the SCO Group vs. Novell Jury trial

March 30th, 2010 by Ian Bruce

Today, the jury in the District Court of Utah trial between SCO Group and Novell issued a verdict.

Novell is very pleased with the jury’s decision confirming Novell’s ownership of the Unix copyrights, which SCO had asserted to own in its attack on Linux. Novell remains committed to promoting Linux, including by defending Linux on the intellectual property front.

This decision is good news for Novell, for Linux, and for the open source community.

So You’ve Fallen For the AntiVirus Scam

October 26th, 2009

This is pretty typical… you’ve received a really nice-looking email stating that there’s a great deal on a new, more powerful anti-virus product for your PC. Who doesn’t want that, right?

This, unfortunately, is a great way to get malware on your machine. How about that… the very idea that you’re trying to protect your PC leads you into a trap you can’t get out of without installing some kind of crap-ware that, at the very least, completely goobers up your machine.

So you’ve clicked the link. What now?

[Screenshot: Picture 4]

Notice… it looks like my browser has disappeared! Oh no! Well, I’d better click Cancel because I don’t know what’s going on here!

[Screenshot: Picture 5]

Well, isn’t that strange? My browser is back, but it now looks like an ordinary Windows Explorer window and it’s “scanning” my PC. Look at all the viruses I have on my PC… right? (A web page cannot scan your disk. What you’re looking at is an animated page styled to look like Explorer, and the “results” are canned; they are the same for every visitor.)

[Screenshot: Picture 6]

Well, actually I am pretty sure I don’t have any viruses. So I am going to click cancel here.

[Screenshot: Picture 7]

I love it when they beg! I will click OK here.

[Screenshot: Picture 8]

Well, how about that! It sent me right back to the “Anti-Virus” scanner. I guess I have no choice but to install, right? WRONG!

[Screenshot: Picture 9]

From the Windows Task Bar (that blue thing at the bottom), right-click with your mouse or trackpad and select Task Manager (or just press Ctrl+Shift+Esc, which opens it directly). This opens a new window.

[Screenshot: Picture 10]

Select the browser (the entry whose title matches the scam window) and click the “End Task” button. This will prompt you to confirm.

[Screenshot: Picture 11]

Go ahead and choose “End Now” to kill this bad boy. Killing the browser from outside is the point: the page decides what its own Cancel, OK and close buttons do, so nothing inside the scam window is safe to click.

So… you may ask, what would happen if I go ahead and install the software the way they want me to? Well, all kinds of fun stuff would happen.

[Screenshot: Picture 15]

First, as you can see, I now have “lots of viruses” on my machine, which they promise to clean… all for only $69. And I can’t “clean” them or update the software without purchasing a license key. Do I dare trust these folks with my credit card??? I think not!

[Screenshot: Picture 18]

Oh, how about that? They’ve changed my hosts file (%SystemRoot%\System32\drivers\etc\hosts, which Windows consults before it ever asks DNS) so that all Google sites point to some server in Poland. Hmmm… can you say “Bulletproof Host”?
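The hosts-file tampering above is easy to check for. The script below is an added example, not code from the original post: it parses a Windows hosts file and separates the two things scareware typically does to it, redirecting search engines to a server it controls and pinning AV-vendor or Windows Update names to loopback so the victim cannot fetch a real cleaner. The watch list is an assumption you should extend for your own environment, and the sample file content is constructed for the example (203.0.113.x is a documentation address range, not a real server).

```python
"""Audit a Windows hosts file for scareware-style hijacks.

Added example, not code from the original post. Rogue AV commonly edits
%SystemRoot%\\System32\\drivers\\etc\\hosts to (a) redirect search engines to
a server it controls and (b) blackhole AV vendor / Windows Update names at
127.0.0.1. The watch list and the sample file below are constructed for
this example; 203.0.113.x is a documentation range, not a real server.
"""
import ipaddress
from pathlib import Path
from typing import Dict, List, Tuple

# Names a scareware install has a motive to tamper with (constructed list;
# extend it with whatever your own environment relies on).
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com",
    "symantec.com", "mcafee.com", "kaspersky.com", "avg.com",
)

# Constructed sample: the first two entries are the stock Windows lines,
# the rest mimic what the post observed plus one legitimate local entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.google.com google.com
203.0.113.45    www.google.co.uk
127.0.0.1       www.symantec.com liveupdate.symantec.com
192.168.1.20    fileserver.corp.example   # NAS in the closet
"""

Entry = Tuple[str, str]  # (ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return (ip, hostname) pairs, one per name; comments and blank lines dropped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries


def is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # malformed address: report it rather than hide it


def is_watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Classify every non-localhost entry.

    redirect  - a watched name sent to a non-loopback address (the Google
                case in the post)
    blackhole - a watched name pinned to loopback (blocks AV/update sites)
    other     - anything else not on loopback; a home box's hosts file is
                normally empty, so these deserve a look too
    """
    report: Dict[str, List[Entry]] = {"redirect": [], "blackhole": [], "other": []}
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if is_watched(name):
            report["blackhole" if is_loopback(ip) else "redirect"].append((ip, name))
        elif not is_loopback(ip):
            report["other"].append((ip, name))
    return report


def audit_file(path: str = r"C:\Windows\System32\drivers\etc\hosts") -> Dict[str, List[Entry]]:
    """Run the audit against a real file (default: the standard Windows path)."""
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for kind, hits in audit_hosts(SAMPLE_HOSTS).items():
        for ip, name in hits:
            print(f"{kind:9} {name:30} -> {ip}")
```

Run `audit_file()` on the infected box (from an account that can read the file) and compare against a clean copy; on a default Windows install the only entries are the two localhost lines, so anything in `redirect`, `blackhole` or `other` is a finding. The check only covers the hosts file; a DNS setting pointed at a rogue resolver produces the same symptom and would not show up here.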

I wonder what else they’re doing. Wanna bet there’s an infostealer and/or keystroke logger on the machine as well? Signs point to yes! As I analyze, I will fill you in.

The point here is:

1. Don’t click on everything you get in email
2. You can bail out of a hostile web session with Task Manager
3. Don’t believe everything your computer tells you
4. Don’t install software you don’t trust
5. Don’t buy something if you don’t want it
6. Not everything is as it seems
7. etc…

More next time…

The Demise of Windows?

August 28th, 2009

Cause of Death… too many security controls?

There was an email I was reading, posted to one of the lists I monitor, that essentially argued that CPU, memory, hard-drive space, and network bandwidth cannot keep up with the number of security controls that will be required to keep a Windows machine from being infected. You can read the email here.

This got me thinking… I can see his point and I can agree with it on some levels, but has exponential growth in unique malware actually been observed beyond simple mutation? First, multiple variants seem to exist of each type of exploit, but at the end of the day they take advantage of a common system weakness, so workarounds, awareness training, and patches are probably more effective than any sort of anti-malware software to begin with. It’s the difference between hanging a sheet over a doorway (AV) and actually closing the door (patching and/or a workaround). The sheet might filter the light, but it’s not really going to stop much from coming in.

Second, aren’t many malware families defending themselves by hardening their own installs, in order to keep other malware from displacing them? If that’s the case, a single malware infection might actually be protective (though hardly desirable… twisted logic here) compared with having no infection to begin with.

Third… one of the ways the AV vendors have been fighting this performance problem is by dropping protection for older forms of malware once the OS vendor (Microsoft, in this case) has shipped the patch. The commentary might be valid if you treated the entire malware landscape as a monolith, with every single form of malware the basis for the next, so that to be protected you had to carry specific instructions for combating every piece of malware ever written (a sort of malware genetic interdependence, which I think is ludicrous). But if the OS and application code is properly patched, and operating systems and applications are configured to do exactly what they are supposed to do, then malware that targets specific vulnerabilities which no longer exist is targeting nothing, and all the protection pieces he says will grind your machine to a halt could, in theory at least, be removed for those solved vulnerabilities.

It’s a simple use-case analysis… apply the right controls for the right kind of environment. For a (simplistic) example: if Windows RPC isn’t reachable on my machine (stand-alone home box, no Client for Microsoft Networks loaded, running no services, no file/print sharing), then why do I need a) patches to fix an RPC buffer overflow, b) protection against the introduction of an RPC attack, and c) signatures to detect the attack on the host (they could be shifted into the network)? One caveat on the example: the RPC service itself can’t be removed from Windows; what you actually control is its exposure, by blocking TCP 135 (and 139/445, which carry RPC over SMB named pipes) at the host firewall and unbinding File and Printer Sharing. So “not enabled” here really means “not reachable”, and that is what you have to verify.

Since the premise that those controls and fixes are expensive from a system-performance standpoint may well be correct, why would I choose to implement them… or at least anything other than, or beyond, a patch or reconfiguration that solves the vulnerability (which, by the way, IS probably interdependent on the installation of other process fixes, patches, etc.… true software interdependence)? If a signature for a particular attack doesn’t exist to begin with, why bother with the framework associated with hosting that signature (an A/V product)? And if the signature is known, shouldn’t we already be taking mitigating steps rather than relying directly on the signature, given the polymorphic nature of malware? If you’ve put all your eggs in the AV basket, you deserve what you get.
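The use-case analysis in the two paragraphs above comes down to one question per advisory: is the vulnerable service actually reachable on this box? The script below is an added example, not code from the original email or post. It parses `netstat -an` output in the Windows format and, for a few services with well-known ports, reports whether each one listens on a network-reachable address, only on loopback, or not at all. The `netstat` sample is constructed (203.0.113.10 is a documentation address), and the service table is an assumption to be extended for your own hosts.

```python
"""Is the vulnerable service actually reachable on this box?

Added example, not code from the original post. Parses `netstat -an`
output (Windows layout; the sample below is constructed) and says, for a
few services with well-known ports, whether each listens on a
network-reachable address, only on loopback, or not at all. A remote RPC
or SMB overflow matters on a host where the port is exposed and much less
on one where it is not, which is the distinction the text draws.
"""
from ipaddress import ip_address
from typing import Dict, List, NamedTuple

# Well-known port assignments (real), used to map listeners to services.
SERVICE_PORTS = {
    "RPC endpoint mapper":    ("TCP", (135,)),
    "SMB file/print sharing": ("TCP", (139, 445)),
    "NetBIOS name service":   ("UDP", (137,)),
    "SQL Server":             ("TCP", (1433,)),
}

# Constructed `netstat -an` output: RPC bound to all interfaces (as it
# always is on Windows), no SMB listener, NetBIOS/UDP open, and a SQL
# Server bound to loopback only. 203.0.113.10 is a documentation address.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49201      203.0.113.10:443       ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


def parse_netstat(text: str) -> List[Listener]:
    """Return every bound socket that could accept traffic from a peer."""
    out: List[Listener] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 2 or cols[0] not in ("TCP", "UDP"):
            continue
        proto, local = cols[0], cols[1]
        # TCP rows carry a State column; only LISTENING sockets accept new
        # connections. UDP rows have no state: every bound socket counts.
        if proto == "TCP" and (len(cols) < 4 or cols[3] != "LISTENING"):
            continue
        addr, port = local.rsplit(":", 1)      # IPv6 is written [::]:port
        out.append(Listener(proto, addr.strip("[]"), int(port)))
    return out


def reachable_from_network(addr: str) -> bool:
    """Wildcard (0.0.0.0 / ::) or an interface address: peers can reach it."""
    return not ip_address(addr).is_loopback


def exposure(netstat_text: str) -> Dict[str, str]:
    """Map each service to 'exposed', 'loopback only' or 'not listening'."""
    listeners = parse_netstat(netstat_text)
    verdict: Dict[str, str] = {}
    for service, (proto, ports) in SERVICE_PORTS.items():
        bound = [s for s in listeners if s.proto == proto and s.port in ports]
        if not bound:
            verdict[service] = "not listening"
        elif any(reachable_from_network(s.addr) for s in bound):
            verdict[service] = "exposed"
        else:
            verdict[service] = "loopback only"
    return verdict


if __name__ == "__main__":
    # On a live box: exposure(subprocess.check_output(["netstat", "-an"], text=True))
    for service, state in exposure(SAMPLE_NETSTAT).items():
        print(f"{service:25} {state}")
```

Two caveats when reading the verdicts. “Exposed” means the socket is bound to a reachable address; the host firewall may still block it, so check the firewall rules before you downgrade a patch. And `netstat -ano` (or `Get-NetTCPConnection -State Listen` on newer PowerShell) adds the owning process, which is what you need to tell a legitimate listener from one the malware opened.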

Similarly… if I run a browser that is configured to be harder to compromise, or if I run in a sandbox or another restricted session type, do I need all of these protections piled on top of each other… especially if the session is virtual or temporary, living only as long as it is used? Probably not, because the risk that I am going to become infected is greatly reduced. If an infection attempt is made while I am running in one of these contained systems, what difference does it make whether it succeeds? Do I even need to be notified that it’s happened? I guess so… so I can close the session and start anew. (Containment limits what an infection can reach, not what it can see: anything typed or opened inside that session was available to it, which is why knowing still matters.)

The author doesn’t state it, but he seems to be driving at an agenda supporting the elimination of Windows from the common desktop. He fails to point out that there is no shortage of Linux and Linux-application vulnerabilities; there are multiple vulnerability announcements for the Linux kernel and applications on the Full-Disclosure (FD) list every week. So what’s the difference? I believe the low rate of malware infection among these systems is directly related to the operating-system security model (non-privileged by default), the fact that the community approach IS used to validate code (which does support one of his premises), and the fact that there just aren’t that many people surfing or interacting with malware delivery systems from Linux machines (~1% of the desktop). There is just no target here. If the situation were reversed and Linux had 90+ percent of the desktop marketplace, I fully believe the problem would be significant as well, though probably not quite as bad, thanks to the default privilege levels and community code review.

The primacy of the privilege factor is even more pronounced when one looks at the kinds of attacks that are, in fact, regularly occurring. Breaking into boxes (anywhere but in TV-Land) doesn’t actually happen much… malware is delivered through social-engineering techniques (mostly via Web 2.0 sites). If you’re socially engineered on a Windows box, you’ve been trained (especially by Vista) to simply click Yes; since you’re an admin, you’re owned. And all the malware protection, patching, and configuration techniques in the world didn’t stop it from happening! If there’s a signature available for the attack, that’s great, but what was the impact to your system; how expensive (resource-wise) was it to have that level of protection in place? Why not simply fix the problem by attacking the root causes, rather than constantly trying to win an arms race by running a signature-based AV product? I guess that’s where I differ in opinion… Windows, with a correct security model (a standard-user account for daily work, so that a UAC prompt demands an administrator’s credentials instead of a reflexive “Continue”), proper patch levels, configuration, and awareness training, can be protected without grinding the system to a halt under 100MB of AV signatures.

$0.02 for the day :-)