Fog Creek Software
Discussion Board




Personal computer security - worse than ever

Last night I helped someone 'fix' their 'broken' computer.  As with the other eight or nine people I've helped in the past year or so, this one was loaded with all sorts of trojans.  This one busted the computer so bad, they were unable to connect to their Hotmail or run secure connections (mixed blessing, considering the possibility of keyloggers/form scrapers).

Among the nastier features:

-undetected by AdAware AND Spybot S&D, and yes, I got the updates for both products, and ran multiple times.

-it disabled the ability to run Windows Update, by somehow denying permission to install the Windows Update-related ActiveX control.

-would close MSCONFIG if I tried to run it.  I didn't try REGEDIT, but I assume that the same would happen (I've seen this before).

-broke the IE6SP1 installation (which I sneakily downloaded without windowsupdate, yay for me), so IE-related security updates are broken.

-two processes that load each other, so the Windows Task Manager can't necessarily close them both without a rousing game of Process Whack-A-Mole (hint: HUMANS ALWAYS LOSE).

-If it is installed under Services, then it is cleverly named.  Most trojans don't bother to hide themselves and simply name themselves "r00tar11113043etc", or leave out any sort of description, but this ... well, so far I haven't found it, so it's either not there, or cleverly hidden.


This is a Windows XP laptop machine 'always-on' the internet via DSL.  I have borrowed it to try and figure out what it's doing, and the next thing I'll run is an AVG antivirus scan, or maybe one of the free webscans, then maybe AVG.  Whatever.

The point is, that I have never seen machines as hosed as in the last year.  Used to be, if someone had a problem with their machine, it was some sort of hardware error or a conflict or a "oops I deleted C:\WIN95" error.

Now, it seems like EVERY non-tech-aware person's machine is just swimming in unauthorized processes.  And I'm not only talking about your Gators and your HotBar users.  One friend got his internet cut off because his machine was used as a spam-relay box.  I cleaned out the computer and told him to call tech support to get it back up and running--

--and a lot of you are thinking, "Who are these people that install all this crap?"  I honestly don't believe that all of these trojans come from clicking "yes" on everything, or running "FunScreensaver.Exe" attachments.  I believe that these worms/trojans/whatevers are actively rooting your systems, so the only thing you need to do to infect your machine is to simply turn it on.

And the severity of it--my 'clients' were going to sell their computer because it is now 'too slow'.  Even the XP laptop purchased in 2002, 'too slow'.  Old viruses used to a) completely hose your computer, or b) do nothing at all.  New viruses do unbelievably frightening things, but NEVER break your computer.

And the worst part of all this is that without fail, there's an outdated Norton/McAfee virus scanner running in the background too, gleefully oblivious to all.  People THINK they're protected, but the fact is, they're several layers away from protection.  Not only will the antivirus software packages NOT protect you from the hottest new viruses (virii, whatever), they will also NOT protect you from OS vulnerabilities, IE vulnerabilities, and general stupidity/PEBKAC vulnerabilities.


I think someone could make a killing bundling a firewall, spyware remover, antivirus, and 'MSIE security add-on'.  If they could sell these as recovery kits for $50-$100, with ... maybe a two-year subscription included, and if they actually fixed the machines' problems on install (maybe even make it a bootable CD), then you would have an excellent deal.  Because trust me, EVERYONE, and I mean absolutely EVERY PERSON, needs this product.  People need a 'general security product' for Windows, that just HANDLES it.


One parting thought: what is the use of virus scanners anymore?  They don't detect worms automatically, they don't (usually) provide a firewall, they absolutely don't deal with spyware, they don't remind you to UPDATE YOUR PATCHES ALREADY, IDIOTS whenever a new security vulnerability/fix is published, they don't seem to do anything.  Except rake in an increasingly-large pile of money, and provide (false) security for the poor sods who don't know what's going on.

pds
Wednesday, March 31, 2004

Two processes that watch out for each other?  Sounds like the Friar Tuck/Robin Hood hack that the Motorola fellows pulled a while back.

http://www.jargon.net/jargonfile/t/TheMeaningofHack.html

About halfway down the page.  Search for 'Back in the' to get to the beginning of the story.

Andrew Hurst
Wednesday, March 31, 2004

Dear pds,

The problem is basically that people don't update their virus definitions. Often this happens because the bundled copy of Norton is a ninety-day trial version. When it runs out they don't realize they've got to pay.

I've never had a virus on any of my personal machines that has not been caught by the anti-virus; I use AVG but the same would be true of any other package.

A combination of Zone Alarm, AVG and automatic Windows updates would do all that you require, and be completely free. Throw in a copy of Ad-Aware and Spam Bayes (new version 0.9 now out - works for Outlook or any other client) and you have a pretty complete package that hasn't cost you a penny.

Stephen Jones
Wednesday, March 31, 2004

The number of viruses and trojans I get in the mail has increased exponentially.  I remember it was a big deal when I would get one and it would be a bunch of fun to dissect and analyze it.  Now I get dozens a day.  I bet it will get worse before it gets better.

Bill Rushmore
Wednesday, March 31, 2004

It's also the case that you'll get a single trojan and then people will use that to install other trojans.

I think the problem is more-or-less:
1) We are in the midst of a Cambrian explosion of malicious programming.  People are exploring new and different ways to flick off a good percentage of the world with one fell swoop and/or make illegal profits.  There's a lot of stuff going around and people don't have ingrained defensive responses like they did for other things (an example of this is the way one fills out a check to make sure that people can't easily alter the written-out amount or numerical amount on the check).
2) People don't *want* to take their computer in for yearly service, but they also can't be relied upon to maintain it themselves.
3) ISPs don't have the money to spend the time to cut off users who are clearly infected/spamming/etc nor do they have the time to help people disinfect their machines.
4) Because we are in the Cambrian explosion, and there's incentive to do so, vulnerabilities are being found at an accelerated rate.
5) Monoculture and widespread adoption of high speed internet makes your target clear -- Unprotected Windows machines on DSL/Cable connections.
6) A longstanding tradition of disclaiming liability for software, and no good way to phase in product liability without causing software prices to skyrocket and the computer market to collapse.
7) Boundaries of what's allowable to do are being discovered by people breaking them.
8) No consistent legal framework and very little social framework remaining to build rules and formalities and structures around.  Attempts at legal frameworks have been poorly constructed (DMCA, CAN-SPAM, CDA, etc)
9) Most of the solutions that come to mind quickly either create new problems or just don't work.
10) Machines are more connected than ever before, therefore giving more available machines to connect to and infect.

Flamebait Sr.
Wednesday, March 31, 2004

>>"so the only thing you need to do to infect your machine is to simply turn it on."

Really?  So how is it that I've had a cable modem that's connected to the internet 24/7 since 1999 and my total number of viruses/trojans/adware/spyware for the past 5 years is exactly ZERO.

Windows has plenty of flaws, but the biggest computer security problem continues to be clueless moron users.

My Cousin Vinniwashtharam
Wednesday, March 31, 2004

My Cousin:

I bet it's a question of the network. I watched an XP Home system blastered in under five minutes (fresh install) on a busy campus network.

And then there's the obvious one of: how are you sure it's zero, really sure? Some of the latest ones do some really nasty things, and are invisible to slightly out of date AV systems.

Mike Swieton
Wednesday, March 31, 2004

My cousin, most of the users are clueless moron users.

Petruk
Wednesday, March 31, 2004

"My cousin, most of the users are clueless moron users."

Then, perhaps we need another OS, even simpler than Windows, because it's clear that, unlike advertised, Windows is not the OS that even your granny can use without a hitch :)

Paulo Caetano
Thursday, April 01, 2004


Thanks again, Microsoft.

doorab
Thursday, April 01, 2004

" Even the XP laptop purchased in 2002, 'too slow'."

Actually, the only thing that makes my Win2K workstation too slow is the anti-virus.

I particularly love it when he checks inside archive files, e.g.
- When I make the mistake of pressing arrow down in Explorer, and pass by a zip or jar file. Everything stops, while the AV gets 90%+ CPU.
- When I launch a java app. The first 2 min (approx.) are just the AV at 90%+ CPU. I imagine it must be going through every jar the app is loading.

Paulo Caetano
Thursday, April 01, 2004

Do you mind if MS bundles good anti virus, pop-up blockers, ad-aware like software, better firewall than currently available in XP? I mean there is one group of setup called "Security" which already includes all of the above, with enough protection available even in "Standard" setup? I think at least it can reduce the risks, since it's already there for the stupid common users to use even without them knowing its availability :)

Kimberley
Thursday, April 01, 2004

I don't mind what security software they bundle - all they have to do is stick it somewhere clearly separate and allow OEMs to swap them for other suppliers' equivalents.  I suspect it's the last bit that would be an issue.

a cynic writes...
Thursday, April 01, 2004

""Who are these people that install all this crap?"  I honestly don't believe that all of these trojans come from clicking "yes" on everything, or running "FunScreensaver.Exe" attachments."

Well, you'd be surprised. In my experience 95%+ of people
a> do not bother with installing patches
b> fall for every single social engineering trick in the book, including opening every attachment, even when the whole mail is in Chinese and they couldn't read one single character of it "just to see what it is".

I have been running Windows NT/2K/XP/2K3 on broadband on many machines for several years without virus scanners or any form of anti-trojan/spyware. Common sense is still the best protection.

Just me (Sir to you)
Thursday, April 01, 2004

"Do you mind if MS bundles good anti virus, pop-up blockers, ad-aware like software, better firewall than currently available in XP?"

I would prefer something different: Force every vendor to document each process their products launch, and the associated DLLs.

Then, I'd only need a simple interface that shows each process, with its attached DLLs, and the ability to shoot processes/unload DLLs to my heart's content. Shoot down whatever is not documented, and see what happens.

Yes, I realize this solution would be useful to only 0.0005% of the user universe. :)

Paulo Caetano
Thursday, April 01, 2004

"The problem is basically that people don't update their virus definitions"

Who cares about anti-virus software. I don't. Look, it's looking out for YESTERDAY'S problems mostly. Sure it's the most up to date, but how up to date IS that? I can write a custom virus just for you sir, and it won't detect it. It also goes NOWHERE NEAR the root cause.

fw
Thursday, April 01, 2004

I got a whole lab of 50 machines infected with MSBlast just because I connected the master machine to the college network for five minutes to transfer the programs.

The culprit appears to be the switches which are infected but according to the sysadmin can't be cleaned of the virus because Marconi no longer supports them.

With new machines you are often in a Catch 22 situation. You connect them to the internet to download the latest anti-virus definitions or security patches and the machines get infected before the download has finished, or even before the download has started.

Stephen Jones
Thursday, April 01, 2004

Stephen,

might it help to use TCP/IP filtering to just let in port 80 traffic until the time you are fully patched?

Just me (Sir to you)
Thursday, April 01, 2004

Rules of the Internet:

1. All email is either spam or malicious

2. All packets are probes or attacks

3. All hosts are compromised and/or owned

...with a few minor exceptions!

Max Hadley
Thursday, April 01, 2004

What I would do with a new machine is install all the patches from a CD or network share. Most users wouldn't.

With MSBlast it was simply carelessness. I hadn't realized it was still on the network. I'm not the network admin, and of course all the machines I use are patched. As the students' machines were not connected to the outside network, and the students have no access to the floppy or CD or USB drives, and as the link machine had no email client and only copied a set of files that had already been virus checked, I thought I was safe :)

Stephen Jones
Thursday, April 01, 2004

Funny you should mention this. A couple of months ago, I noticed that I had cleaned up about a dozen or so computers from the "Friends-and-Family" network. We were getting a lot of calls from clients, and employees at client sites, asking us to look at their home computers for the same reasons. In the last year we've probably done a dozen or more of these for clients and their employees. I asked around the office and every single employee had been through the whole cleanup effort on at least two or three computers for their family (Aunt Betty, Cousin Ed, Grandma ...)

We started noticing a pattern here, and we're guessing that there's some money to be made.

Informally, we decided to look into offering the cleanup of these infected PCs as a service along with our normal business. We've been cleaning clients' home computers ever since. Then we got the bright idea that we could sell this service to the general public. We're working on that right now. It's still in the prototyping phase, and we're launching a pilot "trial" offering on it some time this month to see what it's going to take to make this fly, and, more importantly, if we can actually make money on the thing.

I think that there's a lot of money to be made in our local area based on the number of computers we've cleaned up over the last year or so. The problem is going to be to find potential customers. For (I'd assume) everyone here, the service is about useless. We're all technical enough to keep our machines patched, firewalled, scanned and, in general, keep them clean. Our target market is Grandma and Uncle Al -- those who have computers, but not a clue about how to keep them up to date.

The prototype web page can be found at http://www.pcprotectionservice.com

I'm open for suggestions. We've never targeted the general public, home users, consumer market. If you get a chance, take a look at the site and let me know your thoughts. We're going live with the pilot launch this month and if it looks like it can turn a profit, we'll be trying to market the thing in our local area.

Any constructive criticism of the idea, or the web site, is welcome. Thanks for your input.

Sgt. Sausage
Thursday, April 01, 2004

It has come to my attention that there is an issue with the site mentioned in my previous post: http://www.pcprotectionservice.com

As such, the site has been taken off line.

Public apologies to the individual involved -- you know who you are.

Sgt. Sausage
Thursday, April 01, 2004

First, an update:

The infected XP laptop's internet explorer component is hosed.  So step two is reinstall everything.  I tried uninstalling/reinstalling internet explorer, and no dice.  It refuses to install several components, so I am just going to reinstall XP from scratch.  Starting about now.


Last night I spent at a DIFFERENT friend's house, fixing his two DSL-connected computers.  Same problems.  A third computer sits permanently disconnected from the internet because the owner doesn't want it 'screwed up'.  Anyway, the combination of (safe mode+MSCONFIG)/AVG/Spybot S&D fixed the computers, and it turns out that AVG detected some 60 infected files on one of the machines.  Might I add, this is the first time I've seen an antivirus program detect *anything* in literally eight years.  Naturally, Spybot found several more items AVG did not detect.

Maybe now you can understand why I have no respect for the Symantecs and the McAfees.  I agree with someone above who mentioned that antiviruses no longer solve a problem.  They solve a particular subset of the 'security' problem, but don't do any sort of good job on securing your computer as a whole.  People don't care if their software blocks viruses (virii) or worms or trojans or even blocks the Gator installation that came bundled in the Kazaa install.  They just want their computer to work, and they want the 'security' program to keep their computer working.  So the entire concept of an antivirus program is antiquated--viruses in the early 90's just happened to be the only security threat to your computer.  Now we need the antivirus software companies to step up and actually provide a solution.  But, again, they're too busy counting their money and creating awful UIs to bother.

Even if their solution in XP is to programmatically manage the XP firewall component, that's fine.  Or to just buy one of the spyware removal programs and loosely integrate that into their product.  That's fine.  And if they manually let their users know when a Windows critical update has been released, or just install the Windows Critical Update Notification tool for their users, that's fine.  They just need to take care of all the security hazards, not draw the line at 'virus-blocking' and ignore the more important hazards.  But again, they're probably too busy with all the money they're making right now.




Best of luck to you 'Sgt. Sausage' and your business endeavors, because this is a solution to an increasingly-prevalent problem.

pds
Thursday, April 01, 2004

Most of these products aren't even detected by a nightly updated Symantec (and probably not by others -- this is the only one I have experience with)!

It's very strange, it can't possibly be that much work to add signatures for known spyware as well? Wouldn't the market economy have seen to this a long time ago? Or do I dare to suspect that there are more ... complicated economic interests at work here?

Jonas B.
Thursday, April 01, 2004

Anti-virus programs detect worms and trojans. The reason they don't detect spyware is that spyware is doing nothing untoward.

Tracking cookies are not a security threat even though you dislike them. Many of the other spyware programs have been installed by the user when he decided to install adware on his machine. Writs would be spawning quicker than copies of Blaster if the programs were classed as viruses.

And I can't understand the mentality of some of the posters here attacking the use of anti-virus suites. Here they are cursing at having to clean up all these infected machines, and yet not one of these infected machines had an updated anti-virus running.

Stephen Jones
Thursday, April 01, 2004

Maybe you missed the part where I mentioned that SpyBot caught a full range of junk that AVG missed just moments before?  Like the Golden Casino popup that was the dude's primary concern.  Not a virus, but what is classified as 'spyware'.

Oh, and he was running Norton Antivirus, running outdated virus definitions, like the other nine people.  Most of them had the false impression they were secure because they were 'running an antivirus'.

And I didn't say that antivirus programs should start classifying spyware as viruses and removing them--that's your own invention.  They need to incorporate spyware removal tools into their protection suite.


So again, I will state that:

a) Antivirus suites no longer serve their unwritten purpose, general computer security;

b) AV suites give an illusion of security that doesn't exist, on many different levels (expired subscriptions, ignored spyware, does not keep up with security patches, etc).

c) I have an irrational hatred for the AV companies, mostly built off of many multiple, negative, personal experiences and a few fantastically traumatic experiences, but at least partially built off of imagined fantasies and hot air.  Just so you know.

pds
Friday, April 02, 2004

The Golden Casino pop-up is a nuisance but not a security threat!

The big companies do offer full firewall and anti-virus suites. They probably prefer to leave Spyware and Spam blocking out because of the fear of being sued.

The problem with firewalls, spyware and spam blockers is that they all need tuning. On the other hand an anti-virus that runs all the time and automatically updates itself can be left to itself; it will find two or three false positives a year, and that is on all the machines in the world and not just one individual machine.

Join the two features in one suite and you run the risk they don't run the anti-virus because of problems running the others.

The economics of home computing is changing. In the past the main cost was hardware, and for the non-tech savvy the cost of installing and repairing that hardware. Now that cost is only a little more than the cost of software, and what is beginning to be needed is tech support to configure security and other software.

Stephen Jones
Friday, April 02, 2004

"On the other hand an anti-virus that runs all the time and automatically updates itself can be left to itself"

Except, of course, when you're installing software. There's often the warning - turn off your AV or horrible things will happen :)

These days, I believe the firewall has assumed the primary role of protection that the AV had a few years ago.

Paulo Caetano
Friday, April 02, 2004

I agree with Paulo. AV now is more on the curative side than preventive.

Ali
Friday, April 02, 2004

Firewalls won't protect you from viruses in email attachments, or on CDs or pen drives.

Firewalls have become more important because updated anti-virus protection works.

Stephen Jones
Friday, April 02, 2004

"Firewalls have become more important because updated anti-virus protection works"

I'm not saying you're wrong, but I believe the most important reason why firewalls have become more important isn't that AV works, but rather that a good firewall can:
1. Prevent the infection, if it comes via port scanning + vulnerability exploit. The firewall is useless against e-mail viruses (but so is the AV, until it's updated with the virus signature).
2. Contain the infection, if it spreads via an unauthorized port.
3. Prevent the payload, if it uses an unauthorized port.

This always works. No update needed. As you said, it needs tuning, but once tuned, you almost forget it's there.

E.g., my wife's net PC became infected with MSBlaster. It never had a chance, because when Zone Alarm asked if I wanted to allow it to access the internet, I just said no. As Ali said, it's preventive. No need to wait for an update to a signature file, or whatever.

Of course, I cleaned the system with the AV, but I had to wait until the virus list was updated.

Paulo Caetano
Friday, April 02, 2004
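The three jobs Paulo gives a tuned personal firewall (stop the inbound exploit, contain the spread, block the payload channel), together with the earlier suggestion from "Just me" of letting nothing in until a fresh install is fully patched, can be modelled as a small first-match policy evaluator. This is an added example, not code from the thread or from Zone Alarm or any other product mentioned in it. The rule sets, the program name worm.exe and the sample connections are constructed; the port numbers are illustrative, and a personal firewall's "allow this program?" prompt is modelled as a default deny, which is what "I just said no" amounts to.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    """One connection attempt as a host firewall sees it."""
    direction: str  # "in": a remote host connects to us; "out": a local program connects out
    proto: str      # "tcp" or "udp"
    port: int       # local listening port for "in", remote port for "out"
    app: str        # image name of the local process that owns the socket


@dataclass(frozen=True)
class Rule:
    """One rule; a field left as None is a wildcard."""
    action: str               # "allow" or "deny"
    direction: str
    proto: Optional[str] = None
    port: Optional[int] = None
    app: Optional[str] = None

    def matches(self, c: Conn) -> bool:
        return (self.direction == c.direction
                and self.proto in (None, c.proto)
                and self.port in (None, c.port)
                and self.app in (None, c.app))


class Firewall:
    """First matching rule wins; unmatched traffic gets the default action.
    The "allow this program?" prompt of a personal firewall is modelled as
    the default deny (assumption: the user answers no, as Paulo did)."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, c: Conn) -> str:
        for r in self.rules:
            if r.matches(c):
                return r.action
        return self.default


# Constructed policies; none of these is a real product's rule set.
WIDE_OPEN = Firewall([], default="allow")     # the unprotected machines in the thread

FRESH_INSTALL = Firewall([                    # "Just me": nothing in, and out only what
    Rule("allow", "out", "tcp", 80, "iexplore.exe"),    # the patch download itself needs
    Rule("allow", "out", "tcp", 443, "iexplore.exe"),   # (Windows Update ran through IE)
])

TUNED = Firewall([                            # Paulo: inbound closed, outbound per program
    Rule("allow", "out", "tcp", 80, "iexplore.exe"),
    Rule("allow", "out", "tcp", 443, "iexplore.exe"),
    Rule("allow", "out", "tcp", 25, "outlook.exe"),
    Rule("allow", "out", "tcp", 110, "outlook.exe"),
])

# Constructed traffic: the stages of a network worm (the image name "worm.exe"
# is made up) next to two legitimate connections.  Ports are illustrative:
# 135 is the Windows RPC port Blaster exploited, 69 is TFTP.
SAMPLE_TRAFFIC: List[Tuple[str, Conn]] = [
    ("exploit of a listening service", Conn("in", "tcp", 135, "svchost.exe")),
    ("spread to other hosts",          Conn("out", "tcp", 135, "worm.exe")),
    ("payload fetch",                  Conn("out", "udp", 69, "worm.exe")),
    ("web browsing",                   Conn("out", "tcp", 80, "iexplore.exe")),
    # An e-mail virus rides an allowed connection: the blind spot Paulo notes,
    # where only an up-to-date AV (or the user) can catch it.
    ("mail download with attachment",  Conn("out", "tcp", 110, "outlook.exe")),
]


def blocked(fw: Firewall) -> List[str]:
    """Labels of the sample connections this policy denies."""
    return [label for label, c in SAMPLE_TRAFFIC if fw.decide(c) == "deny"]


if __name__ == "__main__":
    for name, fw in [("wide open", WIDE_OPEN), ("fresh install", FRESH_INSTALL), ("tuned", TUNED)]:
        print(f"{name:14s} blocks: {blocked(fw)}")
```

Running the block prints which sample stages each policy stops. The comparison makes Paulo's point in code: the tuned policy denies all three worm stages without any signature and without an update, while the mail download passes, so the attachment case still depends on the anti-virus. The fresh-install policy is stricter still and is only meant to last until the patches are on.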

Hey, who's using my name? I've had to cycle through 3 names already on JOS!

Ali
Tuesday, April 06, 2004
