According to The Register, “Researchers say they’ve devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender. The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it’s executed, swaps it out with a malicious payload.”
I do not see this product there, wonder if they have not tested it…
I guess it’s not there because it’s not vulnerable. The exploit needs the anti-virus driver to hook system service table (and then screw up by not copying arguments from usermode before processing them). SSDT hooking is considered a very very bad practice and Microsoft even actively prohibits this on 64bit systems (compatibility with legacy code is the only reason why it still works on 32bit systems).
I doubt Security Essentials would use SSDT hooking to do it’s job.
IIRC, Microsoft initially banned SSDT hooking for Vista, but Symantec and McAfee went whining to the EU (rather than rewrite their stuff to work without it), so Microsoft undid the ban before RTM. In other words, the EU actually forced Microsoft to make Vista less secure in order to placate Symantec and McAfee. Even the slashdot crew (largely) sided with Microsoft, IIRC. Though some of the usual MS bashers accused Microsoft of banning SSDT hooking in order to elimintate competition to Microsoft One Care.
People feel free to correct the above.
It’s my understanding that MS Security Essentials doesn’t use SSDT hooking, nor did/does MS One Care. But I didn’t think it had been banned altogether for 64bit. I thought McAfee and Symantec were still doing it even for 64bit?
Edited 2010-05-09 22:16 UTC
I don’t know the extent of the hooking on 32-bit in those products (though I have seen some funny bits of code in crashdumps that were apparently known hooks of AV software).
On 64-bit, NT has taken active measures to discourage hooking, and I haven’t encountered anything so far. As far as I undertstand it, MSE does not interact with the OS in an undocumented way.
Good to know they banned it on 64. Was not aware of that. I assumed they’d have to keep it, due to legacy software. I mean you can run 32 bit apps non emulated on 64 bit windows, right? So are those 32 bit apps not usable on 64? Or is there some slight of hand that makes it all magically work together without any security problems?
And this is why a good browser and an ad-blocker is the best anti-virus you can get.
You can strap a face-hugging anti-virus to Windows eating up all your resources, but it can never stop the viruses getting into the machine in the first place. It^aEURTMs just a glorified clean up tool.
And this is why a good browser and an ad-blocker is the best anti-virus you can get.
Uhh… no. No matter how good your browser and adblock are you can still download things. And if you happen to download something with a virus having an adblock and a good browser will not help you in the least.
And damn, I’d love to see you removing viruses from an already-infected system with just a combination of a browser and an adblocker!
No, browser+adblock+scriptblock is good against ONE attack vector, whereas an antivirus tries to protect you against multiple vectors AND can sometimes successfully de-infect an already compromised computer.
Edited 2010-05-09 09:19 UTC
An anti-virus does not close attack vectors for viruses. It cannot patch crappy software. Once the virus is already on the machine and running, then the anti-virus freaks out and does what it can.
And most anti-viruses are useless at cleaning up viruses as well. They^aEURTMre automated, and if they can^aEURTMt deal with it, tough luck to you. Ever seen an anti-virus with manual clean up tools like HiJackThis?
When fixing people^aEURTMs computers, I install Firefox+AdBlock and Microsoft Security Essentials. MSSE is basic, but doesn^aEURTMt eat so much RAM, runs quickly and most importantly gets on with the job without nagging the ever loving crap out of you.
This combination sees a 90%+ drop in infection rates, the rest is up to the user downloading things they shouldn^aEURTMt or just pure bad-luck with a new exploit.
Norton and McAfee aren^aEURTMt worth the bytes they consume. And any anti-virus is as good as useless if you _don^aEURTMt sort your browser out first_.
This is proof that Antivirus is no substitute for your own common sense. Most people get infected by social engineering these days, that or pirated software downloads from bad sources. If you don’t want to get a virus, don’t do stupid stuff on your computer.
Not that simple anymore. How I pine for those days when you could be safe with IE6 with just some common sense.
The two major attack vectors are Flash and PDF. You only have to _view_ a page to be infected. And major websites have let through poisoned adverts on occasions. It^aEURTMs something that could even happen to OSAlert.
Yeah, this is the bad part. You can do a lot to fight Flash attacks by installing adblock and flashblock, but haven’t tried the latter so dunno how inconvenient it is to constantly have to enable flash on sites that use it for navigation.
As for PDFs, I open a lot of them, and with some of them running javascript and god knows what else, I’m not real sure how you go about protecting yourself from these. I mean, if you gotta open them, you gotta open them.
Use a PDF reader that isn’t Adobe.
Do you have any recommendations? I tried Foxit, but it just doesn’t cut it.
http://en.wikipedia.org/wiki/Okular
http://okular.kde.org/images/screenies/okular-backend-pdf-1.png
Bonus feature: you can run it on a secure OS!
Edited 2010-05-10 11:02 UTC
No, common sense isn’t always enough, however what I meant was that most computer users seem to treat their antivirus as a cure-all and don’t even bother to use what common sense they do have. That’s why they get infected even with an antivirus installed. They treat it as a license to act stupid.
I was stroke by the level of naivness of some of the readers here. Some of them seem to say, that ‘the common sense is now enough to save your OS from infections’, or ‘antivirus apps are not sufficient, so we need to get rid off them and trust our common sense and not download from the bad sources’.
The thing is that Windows platform is very popular and is degrading day by day. No matter what you do you won’t be secure, ’cause the problems arise from the different places – social networking sites, news sites, infected flash ads, hidden vulnerabilities and so on. You can replace Adobe Reader with Foxit and it’s OK, but after some time the problem will move into that app, mostly because of Windows platform popularity, bad design and lack of responsible thinking of the MS crew. This war is already lost, especially in a Windows world, although it’s possible for the infections to spread onto other platforms.
Edited 2010-05-09 10:50 UTC
Some of them seem to say, that ‘the common sense is now enough to save your OS from infections’, or ‘antivirus apps are not sufficient, so we need to get rid off them and trust our common sense and not download from the bad sources’.
The thing is that Windows platform is very popular and is degrading day by day. No matter what you do you won’t be secure, ’cause the problems arise from the different places – social networking sites, news sites, infected flash ads, hidden vulnerabilities and so on.
For the common computer user no, common sense ain’t enough. Mostly because they lack common sense altogether.
But for geek audience? It is often plenty much enough. I have 3 PCs here, two of them running WinXP, one of them Linux. Adblock+FlashBlock+NoScript combined with an external firewall has been enough so far, haven’t gotten a single infection for 3 years now.
I’m curious here … how do you know?
In a world where Windows vulnerabilities are actively traded between black-hats who are demonstrably growing ever more clever, experienced and devious year in year out; in a world where there are hundreds of thousands of exploits against windows such that no single detection scheme has any chance at all of detecting them all; in a world where Windows insists on backwards-binary-compatibility that can keep malware an active threat for over 10 years in some cases; and in a world where the very best malware is defined as malware that is NOT detected at all, by anything, how exactly do you know that your Windows machines don’t have an infection?
‘m curious here … how do you know?
In a world where Windows vulnerabilities are actively traded between black-hats who are demonstrably growing ever more clever, experienced and devious year in year out; in a world where there are hundreds of thousands of exploits against windows such that no single detection scheme has any chance at all of detecting them all; in a world where Windows insists on backwards-binary-compatibility that can keep malware an active threat for over 10 years in some cases; and in a world where the very best malware is defined as malware that is NOT detected at all, by anything, how exactly do you know that your Windows machines don’t have an infection?
First of all, almost all malware sooner or later cause instabilities or incompatibilities. I have not noticed anything such except when it has been a hardware issue, and those has been fixed by replacing the hardware
Now secondly, I have my Linux box on 24/7 and it keeps logs of all kinds of suspicious network activities. It has not noticed anything suspicious, there has been no attempts of break-in or anything inside the network, only from the outside.
Also, if I leave the computers on and monitor the network the only data moving there are DHCP-related, with occasional check for updates to software.
I’d say I am pretty confident there are no breaches.
Really, man, you constantly spreading FUD about Windows, while advocating Linux in every other post really gets tiresome. We get it … you like Linux, M$ Window$ $uck$. Now, let it be.
And to add to the discussion. Windows run responsibly is as good as any other OS (UI and security wise) and better overall because it offers you access to a lot more software.
I haven’t said a thing about the MS Window$ thing … what is that exactly? Wouldn’t Microsoft sue them for getting too close to Microsoft’s trademark names?
While that is true (at lest, the point about there being a lot more Windows software available, that at least is true), in the context of this topic it doesn’t help, for two reasons:
(1) Competing Operating Systems have access to a vast range of software in every category, so how does it matter to anyone if there are one hundred viable choices for a given application in Windows, and only ten in Linux?
(2) Windows also allows access to infinitely more malware, thousands of times more malware in actual fact … which is an observation that is getting more back on topic.
Edited 2010-05-09 12:59 UTC
What are you talking about??
Well, that is 10 times the chance you’ll find a good application or one suited to your needs. Sounds good to me.
That is because Windows has way more market-share, not because of Linux’s super duper security.
Please guys, lets not turn this into a flamewar then the fact is both Windows and Linux are adequate for most peoples general purpose computing.
Actually it’s a mixture of all 3:
1/ greater market share so greater incentive to attack
2/ greater security (which Windows is getting better at, but it still has room for improvement)
3/ and better defaults (Windows is getting better at this too)
I’ll elaborate:
1/ this is pretty self explanatory – the more installs, the more incentive to attack
2/ one example jumps to mind: in windows anything with a .EXE (amongst others) executes. This is often how e-mail viruses spread (or rather used to). In Linux files don’t have a right to execute unless you set a permission (much like setting a read-only or read-write permission). So you can’t accidentally execute a Linux app from a webpage, e-mail or so on.
3/ XP was awful for defaulting users with Administration rights – thus giving the computer illiterate full and potentially dangerous access to the entire OS. Where as Ubuntu -which in my opinion is one of the lesser-secure Linux distros and one also squarely aimed at “dumb users” (for want a better term)- sets people up a user. Windows UAC was intended to go some way to evening the score and it is better than nothing, but it’s still not as secure.
However, damning as my post might sound, I do whole-heartedly agree that Windows in the right hands and with the right configuration is secure.
I am talking about your strawman argument. It was you who mentioned Window$, not I. It was you you introduced a silly disparaging term, not I.
I said 100 viable choices, versus 10 viable choices. That means what I meant was that for Linux you could find 10 good applications (of a given purpose) suited to your needs, and say 100 for Windows. The thing is, you only need one.
Also, what good is it to anyone if there is ten times the choice (when you only need pick one) on the system that carries 100 times the risk?
So? Your point?
Regardless of the reasons why the malware situation is like it is, the fact remains that the situation is that you run many times the risk in running Windows.
Imagine that you are in a room, blinfolded, with an air rifle. You are taking a series of randomly-aimed shots (representing your sessions on the Internet, running Windows). There is a beach ball somewhere in the room, representing malware which can compromise an unprotected Windows XP system. After a few hunderd shots, you are going to hit the beach ball.
If you take more shots, you may even hit the volleyball also in the room that represents the malware that can compromise an unprotected Windows 7 system, or the tennis ball that represents the malware that can compromise a protected Windows 7 system.
It is likely to be an eternity, however, before you hit the rice grain that represents active malware that can compromise a Linux system.
Edited 2010-05-09 23:24 UTC
For most people, even if they used Linux, OSX, BSD, VMS, whatever you will still have problems if you get compromised.
First of all the first rootkits were actually developed for Unix, not Windows.
Second, once an application is compromised you can say goodbye to all the data you have on your home directory.
And that is what is actually important, say bye to all your documents, personal photos, bank account info.
Sure in the end your lovely Linux installation will be safe, but your data will be gone, or in the hands of someone out there.
Without common sense everyone is F**** regardless how secure the OS might be.
With common sense I wouldn’t store things like bank account details unencrypted and would make backups of my files, documents and photos.
Edited 2010-05-09 11:51 UTC
Precisely.
Also … with common sense, one wouldn’t install any software for which no-one except the author can tell what is in it. Even if that isn’t always practical, it still makes perfect common sense to keep to an absolute minimum any software for which only the author can see the source.
Edited 2010-05-09 11:57 UTC
Also … with common sense, one wouldn’t install any software for which no-one except the author can tell what is in it. Even if that isn’t always practical, it still makes perfect common sense to keep to an absolute minimum any software for which only the author can see the source.
Bah, and again you’re spouting your twisted half-truths in an effort to promote F/OSS software.
First of all, if the closed-source application is used by enterprises then it is fairly certain there are no hidden malware payloads inside it. They’d notice it, that’s why they have extensive network monitoring software in the first place.
Secondly, both closed-source AND open-source applications have bugs. Being open does not make something immune to such. And bugs can be used for malicious purposes, even in F/OSS applications.
Malware often travels via channels which offer/claim a special “deal” on closed source software, even on closed-source applications as used by enterprises. No individual, or even group of individuals, who is(are) not the author, has(have) even the slightest chance of verifying that they copy they receive is not already infected.
While this is true in and of itself, it does not address any of the points:
In such a world, if one is running Windows, it doesn’t help at all if some open source software has bugs. Besides, as soon as a bug is identified, being open source it is fixed by somebody, most often within days, sometimes within hours.
Edited 2010-05-09 12:46 UTC
Malware often travels via channels which offer/claim a special “deal” on closed source software, even on closed-source applications as used by enterprises. No individual, or even group of individuals, who is(are) not the author, has(have) even the slightest chance of verifying that they copy they receive is not already infected.
So, basically you’re saying that 3rd parties re-package the software and add malware in it? But well, again, open-source or closed-source makes no difference. Hell, I’ve seen even GIMP being sold somewhere, and just as well I’ve seen a few GIMP packages with several malware applications and toolbars in them.
The fact remains that all malware is closed-source. If one simply adopts a policy of installing an absolute minimum of software that is closed source, one effectively makes one’s system such a small target that it won’t be compromised in the first place.
Malware cannot hide “in plain sight” in open source applications.
IIRC the Netsky worm was open-source, which is what lead to all the variants.
Edit: Also it is possible to write some seriously underhanded code in languages such as C. Just sayin’.
Edited 2010-05-09 14:19 UTC
Yes it was open source, but so what? That meant that everybody knew it was malware. This is the whole point.
The point is that software distributed as open source, via distribution repositories, is code that anyone (who did not write the code) can verify, and it is ALSO code that those who did write the code run themselves.
Linus Torvalds runs Linux. Given open source distribution methods, it is possible for you to be assured that you are running the same code as he does. It is also possible to be assured that no-one has put the Netsky worm code inside a package within a repository.
Why?! Do you read the source code from every single application that you install?
Do you think even the package maintainers from your distribution do? Do they understand every single programming language used to develop the applications they package?
Do you think then when someone writes a malware application in open source would make it obvious?
Of course not. Even better it would use some kind of self modifying code with encryption to make it hard to understand what is going on.
Sure with open source it is relatively easy to track down malware, assuming people proof read the source code and have enough knowledge.
Now if the other OS start having the same attention span as Windows, how many people it would take to track down every day, every possible malware popping up in open source repositories?
Now if the other OS start having the same attention span as Windows, how many people it would take to track down every day, every possible malware popping up in open source repositories?
This is where you have misunderstood things: not everyone is given full permission to write to the repositories. You submit a patch, they review it, and only then if it gets accepted it will be written in the repo.
So, if you tried to inject malware inside some popular open-source application you’d have to hack one or another of those accounts who have writing privileges and only then you’d be able to inject the malware payload. And well, all the modern systems like CVS and Bazaar keep track of changes to the code and allow you to roll back to previous states with just one or two commands.
Assuming the repository is not attacked with a man on the middle thus making some users with the required user rights inject the malware code without noticing it.
And this assuming that the application/code is done through the official repositories anyway.
There are lots of open source applications that aren’t available in the distributions official repositories.
With some social engineering it is quite easy to make people install applications or click in certain pages, and then they are owned.
I do use Windows and Linux every day since the 1.0.9 kernel days, so I am not a Linux or open source newbie.
If Linux or Mac OS X become a valuable target, for sure we will face the same set of security issues as Windows does.
Assuming the repository is not attacked with a man on the middle thus making some users with the required user rights inject the malware code without noticing it.
And this assuming that the application/code is done through the official repositories anyway.
There are lots of open source applications that aren’t available in the distributions official repositories.
With some social engineering it is quite easy to make people install applications or click in certain pages, and then they are owned.
Are we talking about source code repositories or binary package repositories here?
As far as I know all the source code traffic is SSL encrypted so it’s pretty hard to actually do any man-in-the-middle there. And binary package repos are cryptographically signed. I know it can be fooled with enough work, but it’s not too easy to do it.
If Linux or Mac OS X become a valuable target, for sure we will face the same set of security issues as Windows does.
I don’t think it would become as bad as it is with Windows, but it’s true that Linux isn’t some sort of impenetrable fortress either; there would be malware and viruses for Linux distros too.
It is quite easy actually to do this. I have a working proof for it, developed for a company some years ago.
You can install a Webserver which allows modules, like Apache or IIS, then develop a proxy module that also handles HTTPS requests.
The webserver decrypts the SSL request and gives the decrypted data to the module for further processing.
In a former company we used this technique to redirect HTTPS requests through an internal network that was only able to do HTTP.
If the motivation is there, there is always a way.
For Mac OSX, sure, it uses closed-source binary distribution just as Windows does. End users have no reliable means of determining that all of software they install is malware-free. This is the very topic of this thread.
Linux users … not entirely correct. Linux users have a chance of making a viable system with no, or at least very little, closed-source software on it. Malware can exist only in closed-source software. The Linux package/repositiory distribution system has an impeccable record over many years for delivering open source software to millions of Linux end users without a single known instance of malware ever being distributed.
Given those facts, Linux is a hugely more difficult target to hit for malware authors.
Edited 2010-05-09 23:38 UTC
These are the wrong questions. For example … it does not matter if I read and understand the source code of applications I use, as long as someone who did not write the code does, and as long as the developers who did write the code also use it as is themselves.
Your whole set of queries is actually answered by a simple observation: In the decade or so that Linux distribution repositories have been operating, for thousands of packages, for tens of distributions, serving millions of users, there has never been a single instance to date on record of an end user’s system getting infected with malware via the open source package repository distribution system.
The practical, real-world performance of this method of distribution of software is: “IMPECCABLE RECORD”.
So the real questions you need to ask yourself are these: “Does it actually work? In using it, can I keep a system malware-free”? The record to date says that the answer is: “Yes indeed, it works beautifully”.
The impeccable record does not prove nothing in terms of security.
It like you saying to me that so far no one robbed your place, so it is very safe.
For me it only means that so far, no one bothered to write such malware to Linux, because it is not important as a platform. There return on investment is still too low.
Just wait when Linux gets even more exposure.
I also do use Linux and install lots of open source applications, but I also know that so far we had luck.
Now you are getting downright silly.
Everyone in the millions of Linux users these past ten years or so, since the beginning of the repository/package managers system of distribution, across dozens of different Linux distributions, has been able to download from amongst thousands of packages, and be completely safe during the entire time … and you count it as of no significance. That is more than a little stupid, it is downright pig ignorant IMO.
Linux already runs most of the Internet infrastructure on the planet, and has a major part of the server market. These millions of machines are all high-value targets.
http://en.wikipedia.org/wiki/Comparison_of_Windows_and_Linux#Market…
33.8% of server revenue for Linux, compared to 7.3% for Windows.
Speaking of high-value targets, Linux runs most of the worlds supercomputers:
http://en.wikipedia.org/wiki/Supercomputer#Operating_systems
http://en.wikipedia.org/wiki/File:Operating_systems_used_on_top_500…
Linux has 88.6% of this market.
Here is a company that runs a million Linux servers:
http://en.wikipedia.org/wiki/Google
Linux is also very strong in embedded systems.
There are probably more CPUs on the planet running Linux than anything else, including Windows (not every machine is a desktop after all).
Exactly how much “exposure” would you want it to get?
Good for you, if true … but what do you want … a medal?
Pfft!
Linux has a huge market share of computing, particularly in respect of high-value machines:
http://www.itpro.co.uk/615985/why-the-london-stock-exchange-went-fo…
http://en.wikipedia.org/wiki/IBM_Roadrunner
http://en.wikipedia.org/wiki/File:Roadrunner_supercomputer_HiRes.jp…
http://en.wikipedia.org/wiki/Jaguar_%28computer%29
http://en.wikipedia.org/wiki/File:JaguarXT5.jpg
Linux software distribution repositories have been running for a decade or more, serving millions upon millions of Linux users, some of them running very-high-value target machines, with not one single instance of malware propagating via that distribution system on record, and YOU (some random poster on the Internet) think it is just down to luck?
Wake up and smell the coffee!
Sheesh!
Edited 2010-05-10 10:50 UTC
Hmm, the first rootkit was believed to be written in 1990 or even earlier. At that time, how could one write a windows rootkit? Or, more precisely, every program written for windows at that time had full privilege, so, who would need a rootkit for windows then?
Exactly, by that I wanted to say that even Unix is not that safe if you know where are the week points.
True. No OS is bullet proof. But that does not mean that windows is as safe as other OS.
Actually, I was not deprecating role of the common sense. I was just saying that is is definitely NOT enough, even for a ‘geek’. It has been already told here, that rootkits tend to stay undetected, so you WON’T notice them by any chance *unless* you do offlne hd scan via external medium.
And once again: of course rootkits come from unix, but it’s Windows that’s being attacked all the time, mostly because of it’s popularity.
BTW user with a common sense doesn’t hold its data in a home directory, but has a backup scheme to ensure data safety. Security is a process, not a product or conviction.
Still you would have the data available on your home, even with backups.
Even if it is not available in your home directory, an owned application would be able to browse all accessible areas from your internal/external/networked drives and look for information.
Remember if an application gets owned, there is nothing the OS can do about it. The worm will have the same process rights as the original application.
Not if the data in question was never stored on the computer to begin with……
True, but hard to avoid for some type of data.
Then again, the safest computer is an unplugged computer.
Just another thing I will have to think about at work now, I wonder when “protection” software will be available for the “anti-virus” product.
I really enjoyed seeing Charlie Miller quote that even running as a limited user in Windows won’t be of any help against this type of attack.
Sigh…..
*nah nah nah nah* this doesn’t exist.
http://www.milw0rm.com/platforms/linux
Says absolutely nothing about what was actually claimed in this thread, which was: (1) There is very, very little malware for Linux, and (2) there is no malware at all distributed via open source repositories.
Those two points, which were actually what was said, remain unrefuted.
yeah and there’s even less for Haiku. so?
It’s another reason to run as limited user, or to use DropMyRights or such (with proper permissions set).
The above exploit will bypass an antivirus or HIPS. But unless there’s something about it I’m missing it does not constitute a privilege elevation, which means that if the attacker is attacking from a limited account then the malicious payload will execute as a limited user. Your realtime AV won’t see it as it executes, but in all likelihood it still won’t work.
(Unless the payload is a privilege elevation exploit, which in turn launches the actual malware. Then you’re screwed.)
Edited 2010-05-10 18:40 UTC
And on Windows 7, privilege elevation is free! http://www.osnews.com/story/21499/Why_Windows_7_s_Default_UAC_Is_In…
Will we have to run every process in their own VM someday ?