Linked by Thom Holwerda on Tue 4th Apr 2006 18:53 UTC
Privacy, Security, Encryption In a rare discussion on the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation. "When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit."
That's what I do.
by AxXium on Tue 4th Apr 2006 19:08 UTC
AxXium
Member since:
2005-12-30

I repair PC's as a hobby and a way to earn extra money.

Well with having and supporting children, there is no such thing as extra money, hehe.

But I agree with the article.

It can be a rather complex and daunting task to remove malware.

We all know that several malware removal applications often have their own quirks and I have seen one app that removed them all.

Normally I would have to use at least 3 different malware removal apps to be assured that 99% of the malware has been removed.

Sometimes it's just better to start from a clean state.

Especially if Grandma's Norton antivirus subscription ran out two years ago, lol.

Wiping the HDD clean is the only sure way, other than installing Linux that is.

Reply Score: 5

RE: That's what I do.
by abraxas on Tue 4th Apr 2006 19:16 UTC in reply to "That's what I do."
abraxas Member since:
2005-07-07

> Normally I would have to use at least 3 different malware removal apps to be assured that 99% of the malware has been removed.
>
> Sometimes it's just better to start from a clean state.


While this is very true it's pretty sad. There is rarely ever a time that one antispyware program will remove all threats, and even when you use three or four programs to get as much crap as you can out, you are still sometimes left with an unusable system. I think that is unacceptable. It's so easy to completely swamp a Windows PC in spyware that I think it borders on negligent on the part of Microsoft.

Reply Score: 4

RE[2]: That's what I do.
by Tom K on Tue 4th Apr 2006 19:46 UTC in reply to "RE: That's what I do."
Tom K Member since:
2005-07-06

How is this Microsoft's fault?

There are no impossible-to-detect rootkits for Linux? ;-)

Reply Score: 0

RE[3]: That's what I do.
by JoeBuck on Tue 4th Apr 2006 19:59 UTC in reply to "RE[2]: That's what I do."
JoeBuck Member since:
2006-01-11

OK, let's assume that you suspect that your Linux system has an "undetectable rootkit". You just boot up a live CD version of Linux, which bypasses the cloaking, and you can detect any tampered-with files. On a package-based system (whether based on RPMs like Red Hat or .deb files like Debian or Ubuntu), you can either verify that none of the system files have been tampered with or replace those that are.

This kind of thing isn't possible on a Windows system because there's too much undocumented cruft to reliably distinguish between what should be there and what should not be, and there isn't a Windows equivalent of the live CD (which cannot be tampered with because it is on a read-only device).

Reply Score: 2

RE[4]: That's what I do.
by BluenoseJake on Tue 4th Apr 2006 20:09 UTC in reply to "RE[3]: That's what I do."
BluenoseJake Member since:
2005-08-11

There are several "live" CD products available for Windows, the most common one being WinPE, the basis for Bart's WinPE CD. It is a free product that runs a bare Windows environment, customizable with whatever software you want to install. I run one with McAfee and Norton, Firefox, Ad-Aware and Spybot; this setup will clean just about any system, just like a live CD. So it is possible on Windows, and not that hard to get going either.

Reply Score: 3

RE[4]: That's what I do.
by Tom K on Tue 4th Apr 2006 21:17 UTC in reply to "RE[3]: That's what I do."
Tom K Member since:
2005-07-06

Why do posts with incorrect statements get modded up? It boggles the mind.

A skilled Windows admin can very well detect what has been tampered with, and what hasn't, given a Windows live CD (of which there are a few).

Reply Score: 0

RE[5]: That's what I do.
by rattaro on Tue 4th Apr 2006 23:02 UTC in reply to "RE[3]: That's what I do."
rattaro Member since:
2005-08-22

>A skilled Windows admin can very well detect what has been tampered with, and what hasn't, given a Windows live CD (of which there are a few).

You must know more than Mike Danseglio, as he says it's better to reinstall, just in case you didn't RTFA.

Reply Score: 1

RE[6]: That's what I do.
by Celerate on Wed 5th Apr 2006 02:43 UTC in reply to "RE[5]: That's what I do."
Celerate Member since:
2005-06-29

And there's a good reason for that: even the most experienced sysadmins don't know every single system file in Windows, despite what the owner of the comment you quoted said. They change constantly, and even comparing checksums isn't much good when you have to get system updates.

If there were some kind of online DB with valid files and their checksums offered by Microsoft, then software running off a secure live CD could check. Having a list locally wouldn't help because it could easily be modified by malware. Other than that there really is no way to be completely sure on Windows.

I'm not even sure Linux has anything that can be used to verify system file integrity, unless packages contain checksum information that can be pulled for each individual file worth checking. Linux is only safer because it's more secure by design; rootkits would require root access, and on an up-to-date system that's usually something that can only be gotten from the admin.

Reply Score: 1

RE[3]: That's what I do.
by archiesteel on Tue 4th Apr 2006 21:09 UTC in reply to "RE[2]: That's what I do."
archiesteel Member since:
2005-07-02

> There are no impossible-to-detect rootkits for Linux?

Prove there are.

Reply Score: 1

RE[4]: That's what I do.
by Tom K on Tue 4th Apr 2006 21:22 UTC in reply to "RE[3]: That's what I do."
Tom K Member since:
2005-07-06

Here's one that came up as one of the first results on Google: http://www.sans.org/y2k/t0rn.htm

Don't be blindly faithful towards Linux. As long as a Linux system is rooted, anything could be done to it that would be very difficult or impossible to detect -- it all depends on the skills and tools available to the attacker.

Once a system has been suspected infiltrated, the only safe option is to do a complete re-install.

Reply Score: 1

RE[5]: That's what I do.
by archiesteel on Tue 4th Apr 2006 21:33 UTC in reply to "RE[4]: That's what I do."
archiesteel Member since:
2005-07-02

> Here's one that came up as one of the first results on Google: http://www.sans.org/y2k/t0rn.htm

Uh, no. You said "impossible-to-detect" rootkits, yet rkhunter detects it, and even on the page you linked to the author indicates several ways to detect it (though rkhunter is still the easiest).

> Don't be blindly faithful towards Linux. As long as a Linux system is root'ed, anything could be done to it that would be very difficult or impossible to detect -- it all depends on the skills and tools available to the attacker.

I'm not blindly faithful towards Linux, which is why I regularly use rkhunter to scan my boxes. And I know very well what a rootkit can do (hey, even Windows has rootkits now!).

In fact, I do believe I know a lot more about Linux security - and probably Windows security as well - than you do. And my experience tells me that the Malware Problem is 1000x worse on Windows, despite what anti-Linux posters such as you would (unsuccessfully) try make us believe.

Malware on Linux is possible, but it won't be a real issue until Linux gains more marketshare, and it will never be as severe as it is for Win2K/XP today.

Edited 2006-04-04 21:41

Reply Score: 2

RE[6]: That's what I do.
by sappyvcv on Tue 4th Apr 2006 22:37 UTC in reply to "RE[5]: That's what I do."
sappyvcv Member since:
2005-07-06

There are no "impossible to detect" rootkits for Windows either. So what's your point?

Reply Score: 1

RE[6]: That's what I do.
by Tom K on Tue 4th Apr 2006 22:39 UTC in reply to "RE[5]: That's what I do."
Tom K Member since:
2005-07-06

I'm not disputing that malware is a problem on the Windows platform. What I'm disputing is people who claim that it is Microsoft's fault. The only fault of Microsoft in the case of malware on Windows is that they have a huge share of the market, and by default make users Administrators.

There is nothing about the design of the platform itself that makes it more susceptible to malware -- just user practice.

Reply Score: 1

RE[5]: That's what I do.
by SEJeff on Wed 5th Apr 2006 00:18 UTC in reply to "RE[4]: That's what I do."
SEJeff Member since:
2005-11-05

Red Hat 6.1, wow, that is modern. Now let's see you try that on a modern Red Hat version like, say, RHEL4 or Fedora Core 5.... hmmmmm, I don't think it would be so easy.

Security Features in newer redhat distros:
1.) Exec-shield kernel module to help prevent buffer overflows and utilizing the NX (No Execute) instruction on newer CPUs. (XP SP2 shipped a similar feature to the NX part but not as featureful as exec-shield.)
2.) Packages compiled with a hardened compiler using something called FORTIFY_SOURCE to also prevent buffer overflows.
3.) Extra checks in the C libraries to prevent buffer overflows *yet again*.
4.) SELinux Mandatory Access Control preventing compromised system daemons from doing much harm whatsoever.
5.) Checksums of every single file installed with rpm can be verified by doing 'rpm -V packagename'. It is easy to tamper with files; it is extremely difficult to tamper with the rpm database.

I won't even get into firewalls...

This is called proactive security my friend and it is designed to never give hackers a chance. The Microsoft school of security is "reactive" and involves patch patch patch.

Don't be blindly faithful against things you don't really know about and you think google will teach you.

Reply Score: 1
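The check that JoeBuck, Celerate and SEJeff are arguing about above (verify a suspect disk from a read-only boot medium, keep the list of good checksums where the suspect system could never have written to it, and compare against it the way 'rpm -V' compares against the package database), as one worked script. This is an added example, not code from any post in this thread or from any distribution: it assumes you have booted a live CD, mounted the suspect disk read-only at a hypothetical /mnt/suspect, have a known-good copy of the same install (install media, or a clean twin machine, mounted at a hypothetical /mnt/known-good) to build the baseline from, and store the baseline manifest on the live medium or a USB stick, not on the suspect disk. The function names and paths are invented for the example; the tools it calls (find, sort, sha256sum, awk, comm) are standard GNU coreutils/findutils.

```sh
#!/bin/sh
# Added example (not from the thread): offline file-integrity check of a
# suspect system, run from a trusted live environment.
#
# Assumed workflow (paths are hypothetical):
#   1. Boot a read-only live CD and mount the suspect disk read-only:
#        mount -o ro /dev/sda1 /mnt/suspect
#   2. Keep the baseline manifest OFF the suspect disk (live medium, USB
#      stick, another host); a list stored locally could have been rewritten.
#   3. sh integrity.sh make   /mnt/known-good > baseline.sha256
#      sh integrity.sh verify baseline.sha256 /mnt/suspect

# make_manifest DIR
#   Print "<sha256>  ./relative/path" for every regular file under DIR,
#   in byte order so two manifests can be compared line by line.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum )
}

# verify_tree MANIFEST SUSPECT_DIR
#   Report MODIFIED (hash differs), MISSING (in manifest, not on disk) and
#   UNEXPECTED (on disk, not in manifest) files. Returns 0 only if all clean.
verify_tree() {
    manifest=$1
    suspect=$2
    # sha256sum -c is run from inside SUSPECT_DIR, so the manifest path
    # must be absolute.
    case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac
    base_paths=$(mktemp) || return 2
    disk_paths=$(mktemp) || return 2

    findings=$(
        # sha256sum -c prints "<path>: FAILED" for changed content and
        # "<path>: FAILED open or read" for files it cannot open.
        ( cd "$suspect" && sha256sum -c --quiet "$manifest" 2>/dev/null ) |
            sed -n -e 's/^\(.*\): FAILED open or read$/MISSING    \1/p' \
                   -e 's/^\(.*\): FAILED$/MODIFIED   \1/p'

        # Files present on disk but absent from the baseline: a dropped
        # binary or kernel module shows up here even if no known file changed.
        awk '{ sub(/^[^ ]+  /, ""); print }' "$manifest" | LC_ALL=C sort > "$base_paths"
        ( cd "$suspect" && find . -type f ) | LC_ALL=C sort > "$disk_paths"
        LC_ALL=C comm -13 "$base_paths" "$disk_paths" | sed 's/^/UNEXPECTED /'
    )
    rm -f "$base_paths" "$disk_paths"

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Command-line entry point; does nothing when sourced without arguments.
case "${1:-}" in
    make)   [ "$#" -eq 2 ] && make_manifest "$2" ;;
    verify) [ "$#" -eq 3 ] && verify_tree "$2" "$3" ;;
esac
```

Because this runs under the live CD's own kernel, a kernel-mode rootkit on the suspect disk is not executing and cannot filter what find and sha256sum see, which is the whole point of JoeBuck's live-CD argument. What it cannot tell you: whether the baseline itself was clean, whether a file reported as MODIFIED (a config file, say) changed for a legitimate reason, or what lives outside the filesystem (boot sector, firmware); on an NTFS volume mounted under Linux, find also does not walk alternate data streams. On a Red Hat or Debian system, 'rpm -Va --root /mnt/suspect' or 'debsums -r /mnt/suspect' does the same comparison against the package database, i.e. SEJeff's 'rpm -V' run from outside the suspect system, with the caveat that the package database they trust lives on the suspect disk too. For a Windows volume there is no such package database, so the baseline has to come from a known-good clone of the same build, which is Celerate's point.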

RE[4]: That's what I do.
by TheMonoTone on Wed 5th Apr 2006 03:14 UTC in reply to "RE[3]: That's what I do."
TheMonoTone Member since:
2006-01-01

catch 22 anyone?

Reply Score: 1

RE[2]: That's what I do.
by ma_d on Tue 4th Apr 2006 20:31 UTC in reply to "RE: That's what I do."
ma_d Member since:
2005-06-29

As a programmer, the concept of cleaning utilities on a computer baffles, confuses, and irritates me.

Seriously, I will never understand how people can use all these utilities and not be bothered.

Reply Score: 1

RE[3]: That's what I do.
by sequethin on Tue 4th Apr 2006 20:41 UTC in reply to "RE[2]: That's what I do."
sequethin Member since:
2005-07-06

it's become so commonplace that there's probably more malware pretending to be a cleaning util than anything else. The days of bonzi buddy are gone, long live "free super pc fix it doctor spyware remover tool"

Reply Score: 2

RE[3]: That's what I do.
by abraxas on Tue 4th Apr 2006 20:43 UTC in reply to "RE: That's what I do."
abraxas Member since:
2005-07-07

> There are no impossible-to-detect rootkits for Linux? ;-)

Show me one Linux PC swamped with malware. Point me in the direction of Linux malware that installs itself into startup. Please show me the magic of making files executable in linux without chmod. After you accomplish that maybe, just maybe I will concede that Microsoft has nothing to do with the malware problems Windows users face today.

Reply Score: 2

RE[4]: That's what I do.
by linuxh8r on Tue 4th Apr 2006 20:56 UTC in reply to "RE[3]: That's what I do."
linuxh8r Member since:
2006-01-09

A) There is no start up in Linux.
B) Did MS write the malware? NO.

That would be like saying it's Boeing's fault that a 747 got hijacked.

Think dude!

Reply Score: 1

RE[5]: That's what I do.
by dylansmrjones on Tue 4th Apr 2006 21:06 UTC in reply to "RE[4]: That's what I do."
dylansmrjones Member since:
2005-10-02

Well, MS _did_ write the malware, sort of. They decided not to care about security at a time when security at home was very new and obviously needed (1997).

MS has for years failed to try to raise the security level. Only _after_ XP was released has MS begun a somewhat decent policy on security. But it's still a joke compared with other OSes (apart from hobby OSes in early development).

Yes, Microsoft is at fault for creating insecure systems which are very difficult to secure.

Reply Score: 1

RE[5]: That's what I do.
by Jarsto on Wed 5th Apr 2006 07:24 UTC in reply to "RE[4]: That's what I do."
Jarsto Member since:
2005-10-06

"That would be like saying it's Boeing's fault that a 747 got hijacked."

I think I actually would say that if Boeing didn't provide a sturdy door between the cabin (IE ActiveX) and the cockpit (system ActiveX).

Reply Score: 1

RE[5]: That's what I do.
by abraxas on Wed 5th Apr 2006 00:13 UTC in reply to "RE[3]: That's what I do."
abraxas Member since:
2005-07-07

> A) There is no start up in Linux.

You are clueless. It's called INIT.

> B) Did MS write the malware? NO.

That's why I said negligence. Look up the definition.

> That would be like saying it's Boeing's fault that a 747 got hijacked.

No it's nothing like that. Actually that might even be the worst analogy I have ever heard.

Reply Score: 1

"nuking the systems from orbit"
by vitae on Tue 4th Apr 2006 19:12 UTC
vitae
Member since:
2006-02-20

Wow, what a statement ;)

Reply Score: 1

Welll DUH!
by JLF65 on Tue 4th Apr 2006 19:12 UTC
JLF65
Member since:
2005-07-06

This is what I've been telling people for a long time. Even when you CAN clean up a system, it's usually easier and faster to nuke it and start over. After the first dozen reinstalls, you find that reinstalling is much easier than cleaning.

A few pointers to help make it easier and quicker: put all the latest apps you normally install (Firefox, firewall, office apps, etc) on a CDR. Keep it up to date. Most of the MS security updates also have the option of downloading to be run off the drive instead of updating directly across the net. Save those to another CDR as you update your Windows system. Then you don't have to download them all again when you reinstall.

Reply Score: 2

RE: Welll DUH!
by kamper on Tue 4th Apr 2006 19:19 UTC in reply to "Welll DUH!"
kamper Member since:
2005-08-20

> A few pointers to help make it easier and quicker: put all the latest apps you normally install (Firefox, firewall, office apps, etc) on a CDR. Keep it up to date. Most of the MS security updates also have the option of downloading to be run off the drive instead of updating directly across the net. Save those to another CDR as you update your Windows system. Then you don't have to download them all again when you reinstall.

A far faster way to do it is to set the system up the way you want it, then image it and use that to restore later.

Reply Score: 4

RE[2]: Welll DUH!
by jfryman on Tue 4th Apr 2006 20:58 UTC in reply to "RE: Welll DUH!"
jfryman Member since:
2005-07-06

The only problem I have with that is patch management.

Take for example XP. Let's say that when XP was first released, a system was setup and imaged for backup. Things run smooth until today... a good run of about five years or so.

The image is restored, and within minutes a working computer is brought back to order... only to be infested within minutes of the exploits running around on the Internet.

So, with images, how does one manage patches? Even with XP SP1, there are plenty of patches that need to be installed to bring a computer up-to-date, and without them... the first plug into a network connection could bring the machine down quickly.

I'm sure there are solutions for those who know how to accomplish such things... but what about for Grandma and Grandpa? Even with an image and instructions on how to use it.... they restore an unpatched image and it's game over before it begins.

Reply Score: 1

its the only way to be sure.
by TezKAh on Tue 4th Apr 2006 19:14 UTC
TezKAh
Member since:
2005-07-06

I found it highly amusing that I was advising a friend who got a virus that McAfee (haha yeah, I know...) couldn't fix (he actually got to the point where he couldn't run / uninstall the program) to simply format (nuke it from orbit... it's the only way to be sure).


Lo and behold, even Microsoft advises to do that...


Hope vista is better with this, but I've "switched" already. ;)

Reply Score: 1

Not as far fetched as it seems.
by kadymae on Tue 4th Apr 2006 19:24 UTC
kadymae
Member since:
2005-08-02

Where I work, the public use computers are set to re-image the C: drive every time a person logs out.

Yes, that means a hella-long boot cycle, but damn'd if it hasn't nipped our problems in the bud.

Reply Score: 1

eMagius Member since:
2005-07-06

We just use DeepFreeze here. If the users can't make persistent changes, they can't screw things up.

Reply Score: 2

What a relief!
by alcibiades on Tue 4th Apr 2006 19:31 UTC
alcibiades
Member since:
2005-10-12

It's what I always tell people - if spyware is detected, the only solution is reinstalling from scratch, but I always felt like a paranoid maniac, or at least, I felt this is what the world thought I was being. So to have it confirmed by the official MS security guy is an enormous relief. Now I can say, MS says.... so let's go.

If you go into any computer workshop around here, you will find PCs on benches running anti spyware stuff. The shops, if you mention Linux to them or give them a live CD, look at you as if you were an idiot. If you suggest maybe they can't be sure they have cleaned them, and it takes too much time, and reinstalling would be simpler, just stop talking to you. Obviously someone who knows nothing.

Good to have ones conclusions confirmed once in a while.

Reply Score: 1

RE: What a relief!
by Kancept on Tue 4th Apr 2006 20:53 UTC in reply to "What a relief!"
Kancept Member since:
2006-01-09

I ran a shop for over 7 years here. We used Linux and other OSes in the back end. The reason we look at you like that is that most of us charge hourly. I generally pull the HD, slap it on another Windows system and disinfect from there, so that their filesystem isn't "live". It gets done, usually fairly well, and it sucks up enough time that we made our money without having the customer think it was so simple.

And before you tear into that, usually if a job was done too fast, clients would think we were lying to them about the repair being needed and not want to pay. You have to find the right balance in your area of too fast vs. gouging.

Customers are fickle and not loyal for the most part, and you have to find the happy medium.

It's also not good form to walk into a repair shop and tell them they should try something. With all the machines on the benches being automated for repair for the most part these days, what do you think we do all day? Right, we surf the web, read up on things, and tinker with our own systems. Most shops aren't a bunch of n00bs with Adaware and spybot.

I now help a library part time and we have DeepFreeze on all their public systems. Every evening when they close, the systems undo anything automatically. All persistent images, nothing gets changed. Works great. The new version allows a writeable area, which should be fine for most home users once they set up their systems how they want.

Edited 2006-04-04 20:57

Reply Score: 2

RE[2]: What a relief!
by alcibiades on Wed 5th Apr 2006 06:42 UTC in reply to "RE: What a relief!"
alcibiades Member since:
2005-10-12

"It's also not good form to walk into a repair shop and tell them they should try something."

No I agree. They are friends actually, and I don't make a general practice of it! But they are a lot less sophisticated than you guys sound. Like most around here, they just load spybot and so on, and then run them on the machines themselves. So you see a couple machines on the bench with each several hundred items detected. You can't know you have cleaned them. And when they come back, well, there never was, could not be, any guarantee. As for Deep Freeze, don't think they have heard of it.

It's not just the infections, it's the hospitals and surgeries as well!

Reply Score: 1

RE[2]: What a relief!
by aGNUstic on Wed 5th Apr 2006 12:54 UTC in reply to "RE: What a relief!"
aGNUstic Member since:
2005-07-28

Kancept,

I would have to agree with you on the DeepFreeze. At my work as former lab supervisor at a community college I used deep freeze on all the 125 (5 labs) computers in my area.

It may have been a pain in the @rse to work with in its early version, but it helped keep my systems clean and ready to go at every reboot.

The online, Internet-capable labs were always being ripped by one virus or another, malware, surf-by downloads, changed desktops (some not appropriate from one class to another, generally the back rows where hard-core porn addicts sit and surf), etc. After a reboot, DeepFreeze put it back to the clean-and-pristine settings. I was the first to use it there with a 120-user license and then the institution bought a campus-wide license and put it on their online terminals.

Too bad Micros has not really listened. A third-party company had to step up and create a solution for Micros's rock-solid software. Using DeepFreeze allowed me to get back to doing what a Linux and MS systems administrator should do: working with people and servers.

Reply Score: 1

This is SOP for all systems
by anonymous-bert on Tue 4th Apr 2006 19:32 UTC
anonymous-bert
Member since:
2006-02-16

Not just Windows.

Reply Score: 1

RE: This is SOP for all systems
by Peragrin on Tue 4th Apr 2006 21:41 UTC in reply to "This is SOP for all systems"
Peragrin Member since:
2006-01-05

Really? Show me one *nix based system where a single downloaded movie can force a complete reinstall of the system? The only case where this is even considered an acceptable solution is if you have had a rootkit installed.

It generally takes a skilled cracker to get a rootkit installed, unlike Windows, where you can automate the entire thing through an IRC bot and an image file.

If Windows had a default secure file system and default secure separate user accounts, well over half of their problems would dry up. I am still hoping Vista brings us those two very simple ideas, but I have a feeling that they will be cut so it can get out the door.

Reply Score: 2

sappyvcv Member since:
2005-07-06

What's not secure about NTFS?

Reply Score: 1

What about Joe User?
by moleskine on Tue 4th Apr 2006 19:42 UTC
moleskine
Member since:
2005-11-05

He is right if you get a really nasty infection. OTOH this is also classic Microsoft stuff. They have created a nasty problem, but apparently it is the rest of the IT industry's responsibility to clear it up, not so much Microsoft's. The small matter of how much of their monopoly profits are ploughed back into tackling malware isn't mentioned.

In the meantime, the flaks and fudders suggest just shell out for Vista and malware will be last year's problem. Corporates with IT managers may be able to use Ghost, auto-installers, etc., to get back running but for the home user this is not a happy state of affairs to put it mildly.

Reply Score: 2

HP already does this
by JoeBuck on Tue 4th Apr 2006 19:51 UTC
JoeBuck
Member since:
2006-01-11

HP's PCs come with a recovery partition, and a mechanism to restore the system to its state as-shipped just by holding F10 down on boot.

Of course, any security updates have to be re-installed, along with any apps not supplied by HP, and all user files are lost.

Reply Score: 1

RE: HP already does this
by aGNUstic on Tue 4th Apr 2006 20:23 UTC in reply to "HP already does this"
aGNUstic Member since:
2005-07-28

"HP's PCs come with a recovery partition, and a mechanism to restore the system to its state as-shipped just by holding F10 down on boot."

I removed the MS "license" plate, the MS badge "of shame", and the HP "MS recovery" partition. I haven't had a single issue with my computer since then.

Reply Score: 2

Is it possible to reinstall?
by rattaro on Tue 4th Apr 2006 19:52 UTC
rattaro
Member since:
2005-08-22

New computers with XP preinstalled don't include extra copies of XP. Are the restore discs adequate to solve this problem? I did not see this addressed in the article, but I think it's by far the most important question.

Reply Score: 1

Inevitable.
by Shaman on Tue 4th Apr 2006 19:59 UTC
Shaman
Member since:
2005-11-15

When you have an OS as hacked-together as Windows (I cringe at what Vista has under it now with all its rewrites, delays and Ballmer cracking the whip), it's inevitable. You can patch the barn, but the mice will always find their way in.

Reply Score: 1

RE: Inevitable.
by CuriosityKills on Tue 4th Apr 2006 20:22 UTC in reply to "Inevitable."
CuriosityKills Member since:
2005-07-10

Care to point out what is hacked together in Windows? From a kernel point of view, Windows XP (NT based systems) has one of the best-designed kernels.

Do you really think Linux can handle these Viruses?

Think of a typical scenario:

A user is running as a normal user (not as admin in windows or root in Linux). They visit a website and get this message of free access to pr0n by installing their software. Linux will prompt the user to type the root password and then install the software. Windows XP will fail installation and user will go to admin account and install it.

At the end, user installed the spyware. I don't see where is the protection?

When i think of protection, digital signing installations can be a way but then again people will cry wolf on that (if microsoft do that). I initially hated their decision to only allow signed drivers on Vista 64-bit but looking at people like you, i think it is a good decision. That is the only way to <STRIKE> prevent </STRIKE> protect casual users.

Do you have any alternative better idea? If yes, enlighten us, if not, then do yourself a favor, stop bit*hing about Microsoft for no reason.

Edited 2006-04-04 20:30

Reply Score: 1

RE[2]: Inevitable.
by graigsmith on Wed 5th Apr 2006 02:40 UTC in reply to "RE: Inevitable."
graigsmith Member since:
2006-04-05

"A user is running as a normal user (not as admin in windows or root in Linux). They visit a website and get this message of free access to pr0n by installing their software. Linux will prompt the user to type the root password and then install the software. Windows XP will fail installation and user will go to admin account and install it. "

I don't think this could ever happen in Ubuntu, because anything that gets downloaded cannot run. The ability to run is a permission in Linux, and downloaded files simply cannot just run. Plus Firefox could not install anything but more plugins; it wouldn't be allowed to play with system permissions, as all that is sandboxed.

The reason why it works in Internet Explorer is because ActiveX can actually install more than plugins.

Reply Score: 3

RE[3]: Inevitable.
by CuriosityKills on Wed 5th Apr 2006 07:12 UTC in reply to "RE[2]: Inevitable."
CuriosityKills Member since:
2005-07-10

You chose to totally ignore all the information I had in my last post. If you can't run the downloaded binary then the user will make it executable and run it. ActiveX doesn't get installed automatically. The user has to click Yes and accept it to run.

The malware author insists users run as admin to install it, and since users know they can only install as admin, they will do it.

Driver signing and some similar methods to validate a binary seem the only way out.

Reply Score: 1

RE[4]: Inevitable.
by Ookaze on Wed 5th Apr 2006 09:51 UTC in reply to "RE[3]: Inevitable."
Ookaze Member since:
2005-11-14

> If you can't run the downloaded binary then the user will make it an executable and run it

Most won't because they won't know how to do it, but Murphy's law is still there, so it could happen.
This is social engineering though, and has nothing to do with the load of malware that installs itself without user intervention on Windows.

> ActiveX don't get installed automatically. User has to click Yes and accept it to run

Have you never seen an average user on Windows or what? They are so sick of dialogs popping up they don't understand, that they automatically validate any of them without reading. So your "click Yes" is no issue to malware writers.

> The malware author insist users on running as admin to install it and since users know they can only install as admin, they will do it

Users already run as admin on Windows, as Windows is unusable if you are not admin.

Reply Score: 1

RE[2]: Inevitable.
by Finalzone on Wed 5th Apr 2006 07:02 UTC in reply to "RE: Inevitable."
Finalzone Member since:
2005-07-06

> Care to point out what is hacked together in Windows? From a Kernel point of view, Windows XP (NT based systems) have one of the most well designed kernel.
>
> Do you really think Linux can handle these Viruses?


Obviously you need to learn about the permission system on Linux/*nix. Given the diversity of the distros, virus writers have a hard time targeting the kernel.

> A user is running as a normal user (not as admin in windows or root in Linux). They visit a website and get this message of free access to pr0n by installing their software. Linux will prompt the user to type the root password and then install the software. Windows XP will fail installation and user will go to admin account and install it.
>
> At the end, user installed the spyware. I don't see where is the protection?


No matter the OS, that user deserved it, as they shouldn't even download software from a suspicious website. No OS can protect users from their own stupidity.
On a distro like Fedora, this spyware is virtually useless because of extra layers of security like NoExec and SELinux.

Reply Score: 1

This just in...
by sequethin on Tue 4th Apr 2006 20:18 UTC
sequethin
Member since:
2005-07-06

you have to reinstall windows once a year regardless of whether or not it has malware, just to keep it from going senile...

Reply Score: 2

RE: This just in...
by linuxh8r on Tue 4th Apr 2006 20:26 UTC in reply to "This just in..."
linuxh8r Member since:
2006-01-09

That's funny, I've never re-installed Windows. I have Win 2K running on an old K6 since the year 2001. If you're re-installing that often you need to go back to school and learn how to use/set up computers.

Although, with the last kernel upgrade of Linux (non-udev to udev) it totally borked my machine. Yes, I could've done brain surgery to make it work but it was easier to re-install.

Reply Score: 0

RE[2]: This just in...
by sequethin on Tue 4th Apr 2006 20:37 UTC in reply to "RE: This just in..."
sequethin Member since:
2005-07-06

I was half-joking, but if you google for "reinstall windows once a year" (with the quotes) you get things like "Many experienced users reinstall Windows once a year". I also read that in Maximum PC magazine, which is not necessarily an authoritative resource... but it's a great mag and I believe what they say most of the time.

I actually don't have problems with my windows system at home but it's a dual-boot system that has freebsd running most of the time so I guess your 5 year old windows install is a better testament to the fact that miracles can indeed happen... ;)

Reply Score: 2

RE[3]: This just in...
by linuxh8r on Tue 4th Apr 2006 21:01 UTC in reply to "RE[2]: This just in..."
linuxh8r Member since:
2006-01-09

It's not a miracle if it happened twice (yours and mine) ;) .

Reply Score: 0

RE[2]: This just in...
by thabrain on Tue 4th Apr 2006 22:09 UTC in reply to "RE: This just in..."
thabrain Member since:
2005-06-29

Your analysis is based upon experiential information that does not coincide with established empirical data.

In other words, just because your individual experience did not get the result does not mean that everyone else's PCs were set up incorrectly.

Your experience is an exception, not a hard-and-fast rule.

Reply Score: 2

RE: This just in...
by ma_d on Tue 4th Apr 2006 20:34 UTC in reply to "This just in..."
ma_d Member since:
2005-06-29

My one install finally bit the dust when I switched to an ATI card, from nvidia.
It'd been slowing since, but that was about 3 years.

Reply Score: 1

Angel--Fr@gzill@
Member since:
2005-12-23

!!!

Well the guy is right, but, I am not sure he is going to be promoted inside Ms!

!!!

Edited 2006-04-04 20:30

Reply Score: 1

OT: Test
by CuriosityKills on Tue 4th Apr 2006 20:31 UTC
CuriosityKills
Member since:
2005-07-10

<STRIKE> Testing strike </STRIKE>

OSNews Staff: Why don't you let us use STRIKE tag?

Edited 2006-04-04 20:32

Reply Score: 0

Required
by jfryman on Tue 4th Apr 2006 20:39 UTC
jfryman
Member since:
2005-07-06

As the attacks are becoming more and more sophisticated, it is becoming more and more difficult to remove 100% of the threat.

If 100% is not removed, then there is the possibility that some rogue trojan or rootkit is hiding in some NTFS data stream that was overlooked, and within minutes/hours/days... whatever the timeframe for the wakeup to occur, the system is back to where it was prior to the 'cleanup'.

Only a full wipe can *guarantee* a clean system; otherwise you're just taking chances.... even the best guys may miss something, and that is exactly what the attackers are banking on.

Reply Score: 1

RE[5]: That's what I do.
by Shaman on Tue 4th Apr 2006 20:52 UTC
Shaman
Member since:
2005-11-15

>you have to reinstall windows once a year regardless
>of whether or not it has malware, just to keep it
>from going senile...

Not entirely true, but for many people it is. For those of us who leave all the eye-candy features turned on, add virus checking, shareware utilities, etc. and try out plenty of software (often warez, for Joe Average), Windows doesn't last. It starts slowing down and finally begins to malfunction. It's true, I've seen it on machines owned by friends and family who can't seem to leave well enough alone. I blame the registry and DLL confusion.

Doubt I'm telling anyone anything new here.

Credit where credit is due, though. I keep my Windows systems very clean, leave a large amount of space, provide lots of memory and don't leave software that I don't intend to use installed. And, I don't use a virus checker, because I don't use Outbreak and Exploder, nor do I use warez or any shareware doodads which almost always end up cluttering my workspace. End result? I have fewer problems and better performance in my Windows experience than anyone I know. Of course, I only use it to run the occasional Galactic Civilizations II game or maybe a little Homeworld II... and load Firefox now and then.

Reply Score: 2

Bad idea
by miro on Tue 4th Apr 2006 21:38 UTC
miro
Member since:
2005-07-13

The Linux way of installing apps is to get them from a trusted, possibly signed repository. ActiveX was a bad idea, just as the Open button on the malware.exe download dialog. What I hope to see is a "save as" dialog running in a separate process. This way apps only have to have read and write access to a config file (maybe a directory), using fast IPC to the "save as" process to open/save other files.

Browser: Opera/8.01 (J2ME/MIDP; Opera Mini/1.2.3214; en; U; ssr)

Reply Score: 2

RE[7]: That's what I do.
by archiesteel on Tue 4th Apr 2006 23:15 UTC
archiesteel
Member since:
2005-07-02

I'm not the one who brought up "impossible-to-detect" rootkits, sappy. If you want to play your usual role as MS apologist, at least make sure you've followed the conversation before butting in.

Reply Score: 1

RE[7]: That's what I do.
by archiesteel on Tue 4th Apr 2006 23:19 UTC
archiesteel
Member since:
2005-07-02

There is nothing about the design of the platform itself that makes it more susceptible to malware -- just user practice.

False on two counts. There are at least two design flaws that make the platform more susceptible to malware:

a) making files executable through a file extension
b) the deep integration of IE into the OS

Fortunately, b) is finally being dropped. a) still remains, though.

Anyway, I'll repeat the usual: if popularity is what makes Windows more vulnerable, then why are MS apologists in favor of its continued dominance? Wouldn't Linux gaining a larger market share make Windows more secure?

I have yet to receive a single good answer from all the anti-Linux posters and MS apologists out there.

Reply Score: 3

RE[8]: That's what I do.
by TheMonoTone on Wed 5th Apr 2006 03:16 UTC in reply to "RE[7]: That's what I do."
TheMonoTone Member since:
2006-01-01

You're missing c) the system is near useless as anything but an administrator-level account

Reply Score: 2

RE[8]: That's what I do.
by CuriosityKills on Wed 5th Apr 2006 07:15 UTC in reply to "RE[7]: That's what I do."
CuriosityKills Member since:
2005-07-10

Archiesteel:

How does making files runnable by extension make it more vulnerable? In Redhat, a user can download an RPM and the package manager will prompt for the root password to install it. What exactly is your point? Or are you going to point me to a different (out of 100s) Linux distro?

Deep IE integration into the OS, OK, what exactly is deep integration into the OS? IE is a user-land component; it is not integrated into the kernel or something. Again you are simply trying to mislead people due to your strong Linux bias, it seems.

Reply Score: 0

RE[9]: That's what I do.
by Ookaze on Wed 5th Apr 2006 09:58 UTC in reply to "RE[8]: That's what I do."
Ookaze Member since:
2005-11-14

How does making files runnable by extension make it more vulnerable?

Have you never heard of mail viruses? These things are only possible because of that "feature".
That's why only Windows is plagued by them.

In Redhat, a user can download an RPM and the package manager will prompt for the root password to install it

Yes, and then the package manager will complain about the package not being signed. Even worse, RH is already ahead, and the default SELinux installation will prevent the rootkit from doing any harm, or at least will make life hard for the malware.

Deep IE integration into the OS, OK, what exactly is deep integration into the OS? IE is a user-land component; it is not integrated into the kernel or something. Again you are simply trying to mislead people due to your strong Linux bias, it seems

In simple terms for you to understand: deep IE integration in the system is when a browser like IE, which works with untrusted data, can manipulate low-level OS things like modifying files or formatting the disk.

Reply Score: 1

Linux security vs Windows Security
by SEJeff on Wed 5th Apr 2006 00:06 UTC
SEJeff
Member since:
2005-11-05

I really do hate to say this as I will sound like a fanboi saying it, but I don't get any viruses on Linux. My parents don't get any viruses on their 3 linux computers. My buddy doesn't get any viruses on his linux computer.

None of those machines run antivirus or antispyware software, just a simple firewall with no open ports. XP is a mess, even with SP2; I see machines hopelessly infected with spyware and it sickens me.

Once Vista is (finally) released and more secure, then Linux will have a bit more of a competitor. In the meantime, there isn't much of a comparison.

Reply Score: 1

CuriosityKills Member since:
2005-07-10

SEJeff, honestly, do you think viruses don't exist on Linux because it's more secure?

I thought people write viruses to cause big impact. What would they get by trying to infect <5% of total desktops, and that too when 90% of them are run by tech-savvy people?

Think...a lil bit more please.

Reply Score: 0

Jarsto Member since:
2005-10-06

"I thought people write viruses to cause big impact. What would they get by trying to infect <5% of total desktops, and that too when 90% of them are run by tech-savvy people?"

What would they get by trying to infect Google?

Reply Score: 1

CuriosityKills Member since:
2005-07-10

What was the last time Windows 2k3 Servers were infected remotely?

Edited 2006-04-05 07:54

Reply Score: 1

Jarsto Member since:
2005-10-06

"What was the last time Windows 2k3 Servers were infected remotely?"

In a test situation with unpatched servers not that long ago:
http://www.osnews.com/story.php?news_id=13929
http://www.techworld.com/security/news/index.cfm?NewsID=5535

In real life with competent admins I wouldn't know. I think some worms were capable of doing it, at least before patches were released, whether they actually did is more than I can say. The point I was making however is that there are high-profile Linux targets out there.

Reply Score: 2

Ookaze Member since:
2005-11-14

SEJeff, honestly, do you think viruses don't exist on Linux because it's more secure?

I can assert it. Look for "Linux virus howto" to get some clue.

I thought people write viruses to cause big impact. What would they get by trying to infect <5% of total desktops, and that too when 90% of them are run by tech-savvy people?
Think...a lil bit more please

And what would people get by writing so many viruses for IIS, infecting <21% of web servers when 90% of them are run by tech-savvy people?
Think ... a lil bit more please.

Reply Score: 2

SEJeff Member since:
2005-11-05

Are you honestly that ignorant of the facts, or are you just trolling? <5% of desktops is an irrelevant figure as there are quite a few Linux servers on the internet. It's funny how most of the exploits you see are for crappy PHP software or web applications instead of Apache. Can the same be said for IIS?

I listed a number of reasons *why* Linux is more secure. The only comparable feature XP has is that it uses the NX (No eXecute) bit on newer CPUs. I listed 6 reasons why Linux is more secure and XP only has one of those. I didn't get into default users being administrators OR firewalls whatsoever, so that could be a few more. Linux is more secure because security was built in from the start, not bolted on as an afterthought. Linux spawns from the ideas of Unix/Minix with full multiuser, security, and networking. Windows spawns from DOS: single user, no security, and (initially) no networking.

Linux is more secure because it is built on a more solid foundation.

Maybe *you* should think a lil bit more please?

Reply Score: 2

Only possible 8-10 times with WinXP?
by Darkelve on Wed 5th Apr 2006 07:41 UTC
Darkelve
Member since:
2006-02-06

Isn't it so that the Windows XP CD-Rom only allows for eight to ten reinstalls? Something to do with copy protection if I remember.

That would seriously, erm... 'compromise' the usefulness of this solution for a lot of people.

Reply Score: 1

Really, is this so unexpected???
by mcrbids on Wed 5th Apr 2006 07:56 UTC
mcrbids
Member since:
2005-10-25

Once a *nix system has been rooted, the only way to be *SURE* you are clean is to wipe and reload.

Sure, you could remote the drive in rescue mode or something to remove cloaking, but even then, are you *sure* you found everything?

Really?

If you just answered yes twice, then you are naive, and I'm glad you aren't admin to any of my systems. Yes, Unix/Linux tools are far superior, and yes, they are much, much more secure. Oh, and yes, the reliability is legendary. No, I don't have problems with viruses. I've kicked out black hats on more than one occasion, and generally had good results.

But, once you are rooted, the best thing to do is to prepare a replacement ASAP. It's not just the system files - *ANY* script or file on the system is potentially untrustable, and all it takes is a *single* file out of place, and you're potentially right back at square one.

Reply Score: 2

Drive Organization
by fishpond on Wed 5th Apr 2006 12:18 UTC
fishpond
Member since:
2006-03-27

Reinstalling an image to a windows boot drive is definitely the best way to ensure a clean system.
However, the effort required to set up a Windows environment such that all user related files are stored on a partition other than the boot drive is quite remarkable and hardly feasible with just the OS-supplied tools.
Large companies with dedicated IT support staff usually do this, for small companies it's quite an investment and it does not happen for home environments unless there's someone with relevant IT skill and quite a bit of time. Also because, without an additional disk imaging solution, the OS reinstall forces reinstall of all SW packages as well.
If Microsoft really sees things as stated in the article, I'd expect an installation procedure offering by default to clearly distribute OS/user settings, files and directories over two different partitions.

Reply Score: 1

RE[9]: That's what I do.
by archiesteel on Wed 5th Apr 2006 16:11 UTC
archiesteel
Member since:
2005-07-02

I was going to reply to your personal-attack-disguised-as-an-argument, but Ookaze already did.

If you don't understand how having the right file extension makes the system more vulnerable, then you obviously know little about computer security.

As far as deep integration into the OS, well, if it wasn't before, why is MS claiming that IE7 will no longer be?

I am not trying to mislead anyone, I was simply highlighting the Windows design flaws that have had an impact on security. It is true that I have a pro-Linux bias, but I use both OSes equally, and apart from these security liabilities (and the fact that it is proprietary) I think that Windows is a fine OS. Unlike you, it seems I am able to be objective about these issues...

Reply Score: 1

archiesteel
Member since:
2005-07-02

Virus propagation is easier in Windows because e-mail attachments can be made executable by affixing the right file extension. Since Windows hides file extensions by default, a naive or distracted user can double-click on an attachment without realizing that they've just installed a trojan. This isn't possible on *nix systems.

That said, if you really believe that popularity is the only factor why Windows has 1000x the number of viruses Linux has, then you should really be advocating that more people use Linux. Following your logic, by decreasing Windows' market share, you will make it more secure. Don't you agree?

One fact is indisputable: malware isn't a real problem for Linux as we speak, and it is a crippling problem for Windows. So if you want to be secure, switch to Linux now. When the OS becomes more popular and possibly more virus-prone, you can always switch back to Windows, which will have become more secure by then (always according to your logic).

Reply Score: 1
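The hidden-extension point above ("report.pdf.exe" displayed as "report.pdf") is something a mail gateway or a user-side check can catch mechanically. As an added example, not code from the poster or from any real product, the following mimics Explorer's default of hiding the last known suffix and flags attachments whose real suffix is executable; the suffix lists and sample names are constructed for the illustration.

```python
import os
from typing import NamedTuple, Optional

# Suffixes Windows runs directly on double-click (a short constructed list, not exhaustive).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Suffixes a user expects on a harmless attachment (constructed list).
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".xls", ".jpg", ".png", ".txt", ".zip"}

class Finding(NamedTuple):
    name: str          # the real file name
    displayed_as: str  # what Explorer shows with "hide extensions for known types" on
    reason: str

def as_displayed(name: str) -> str:
    """Mimic Explorer's default: only the LAST suffix is hidden, and only if it is a known type."""
    stem, ext = os.path.splitext(name)
    return stem if ext.lower() in EXECUTABLE_SUFFIXES | DOCUMENT_SUFFIXES else name

def check_attachment(name: str) -> Optional[Finding]:
    """Flag attachments whose real type is executable; None means nothing to report."""
    stem, ext = os.path.splitext(name)
    if ext.lower() not in EXECUTABLE_SUFFIXES:
        return None
    # Strip trailing padding so "photo.jpg      .scr" is recognised as a double extension.
    inner = os.path.splitext(stem.rstrip())[1].lower()
    if inner in DOCUMENT_SUFFIXES:
        reason = f"executable disguised as {inner} document"
    else:
        reason = "executable attachment"
    return Finding(name, as_displayed(name), reason)

def scan_attachments(names) -> list:
    """Run check_attachment over a batch of names and keep only the hits."""
    return [f for f in (check_attachment(n) for n in names) if f is not None]

# Constructed sample attachment names, not taken from any real message.
SAMPLE = [
    "quarterly_report.pdf",
    "quarterly_report.pdf.exe",
    "holiday photo.jpg      .scr",
    "notes.txt",
    "patch.bat",
]

if __name__ == "__main__":
    for f in scan_attachments(SAMPLE):
        print(f"{f.name!r} is shown as {f.displayed_as!r}: {f.reason}")
```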