Deathlizard's Journal: Mythbusting Computer Security

I constantly see a ton of posts on Slashdot talk about security issues regarding their PC's. Most of these posts drive me up a wall because most of them seem to not understand how easy it is to infect a computer. Since I've gotten sick of posting the reasons every time a security issue comes up, I'm going to maintain them in this journal entry.

Myth #1: My machine is secure because it's running (Insert OS other than Windows here. Usually Linux or OSX)
First off, I'm not defending Windows. Windows XP with the default setup is bad. Really bad. But it's not the fault of the OS as much as it's the fault of the developers putting Convenience over Security. At least they are wising up with Vista.

First, understand that viruses are much different today then they were just 5 years ago let alone 10. 10 years ago and through the dos/win9x period, there was one basic type of virus. This type of virus had the potential to do massive damage to the entire operating system, and totally FUBAR the PC. For the interest of this article, we'll call it a Deep Penetrating virus or Deep Virus.

Now in today's world, you have multiple user accounts and user permission operating systems becoming mainstream in the PC world. Particularly the WinNT variants, Linux, OSX, ETC. These operating systems can be affected by two different types of viruses, The Deep Penetrating Virus like DOS usually had to deal with and the Shallow Penetrating Virus. The shallow virus is simply a virus that infects the user account of the person that is currently logged in and executing it.

Now generally speaking, most well set up OS's will give the user only user access. (Instead of XP's stupid give everyone Admin mode.) This user sandboxing allows only a shallow virus to infect a PC. A shallow virus cannot do as much damage as a deep virus, because a shallow virus cannot natively get access to the critical operating system's files, but that's where the fun begins. You see, all it takes is a local exploit that escalates user privileges and BAM, that harmless shallow virus is now a deep virus destroying everything on your drive. Also, if there is no local exploit that the shallow virus can use to escalate it's privileges, it can still do network wide damage using the access it does have such as DOS pinging someone, or spamming, or do spyware/adware banner popping, ETC. The only difference is that it only does it when that particular user is on instead of all the time.

Now, let's introduce the law of Stupidity into this equation...
The Law of Stupidity: 99% of computer users don't know what they are really doing.

Which brings us to John Q Ignoramus here. Now John is an idiot so his computer admin at work locks his work machine down. John gets an e-mail that says that if he open's this file, it will show him the Pam and Tommy Lee video. Since John really wants to see this file for some reason, he opens it, but nothing happens, so he just goes on his way, but in the computer itself it actually executed and infected his user account so it will start every time he logs in. Now every time he logs in, its going to SPAM everyone in his address book mailing list about Pam and Tommy Lee or just plain stock SPAM, or it'll just send his address book mailing list to someone to SPAM them for him, or better yet, wait until it gets orders from some black hat to ping somecompany.com all day because the black hat stubbed his toe on his staircase and is looking for revenge, or download another program to take advantage of a recent exploit and delete everything on the hard drive including the OS. I'm sure your imagination could take over from here. Hopefully the admin realizes whats going on when he looks at whats sucking 90% of the company's bandwidth, because John wont care until it starts affecting him personally.

Now I know what all of you OSX guys are saying, so I'll address that next.

Myth #2: My OS is Secure because I run as a User account and any administrator privilege prompts for my Admin account, and I know better then to put that in

You might, but what about John above? Let's say he's now at home running the same setup as above except he knows his admin password for his machine. (After all he owns it.) Now, since his computer at work is a POS in his mind, surely his high end PC will run the Pam and Tommy Lee video! So he runs it and instead of nothing happening, it prompting him for his Admin Password, well I'll just type that in and my Pam and Tommy Sex dreams will come true! Bam!! His box is now the Black Hat's box, and you can turn your Imagination back on again. Also, just as before he is going to do nothing about it until he can't use the computer anymore because it's spamming and DOSsing all day instead of looking at the pretty girls on the interwebs.

Now, let's introduce the happy fun world of Social Engineering. If there's one thing you should look into, read up anything you can find on Kevin Mitnik. This guy practically invented the term Social Engineering. He also went to Jail for a few years because of it. Now in a nutshell, Social Engineering is the art of fooling/Annoying someone into doing something that benefits you. This is by far the most powerful tool in the Virus Writer's arsenal. I've actually been fooled by it once while studying a file I absolutely knew was a virus. How you ask? They simply made the icon for the Executable file a Folder icon. Since I had to unzip the virus out of the zip file the virus was in, my subconscious brain immediately thought folder and clicked on it thinking subconsciously it was a folder created by the zip software with the virus in it. As soon as I did it I almost immediately realized what I did and was shocked and infected the VM with a virus. Now if someone who Knows what they are doing can get tricked by something as a simple icon change, imagine poor John.

Basically, all the black hat would need to do it make a shallow/deep virus hybrid that infects his user account and prompt you for the admin account every 5 minutes or so. Eventually, John will get so annoyed at the prompt that he will either put the password in hoping that it will stop the endless prompting, or make a mistake and put it in when he really wanted to put the password in for something else. Bam! Black hat 0wnage!

And, just for the sake of argument, the above applies if it takes a lot of steps to get a program to execute after you download it. you could have 20 complex steps involved and John will go through all 20 steps if he really wants to see Pam doing the naughty dance. (This also explains why Vista still gets infected.)

Myth #3: My machine will never get spyware, because I use (Insert Browser other than IE here. Usually Firefox)
This is my personal favorite. Yes IE is bad (more on why below) and Firefox is seriously whipping its tail, but if you truly believe that a new browser will solve all your spyware problem your seriously mistaken.

First, why is IE so bad? One word: ActiveX. Microsoft in its infinite wisdom decided that it needed the answer to Java and it needed it YESTERDAY!!! OMG!!! If we don't compete with Java, the Java Box Sun's pushing will catch on, and rivers will run red with blood, and the antichrist will rise from the ashes of hell, ETC!!! So MS decided that the best (IE: Fastest) way to compete with Java was to make a whiz bang way to basically make it easier to install executable code on your machine with no sandboxing or execution security whatsoever. So your probably asking "Then how does it protect users from malicious code?" where someone at MS raises their hand (probably some embodiment of a PHB) and says "Why, we make them digitally sign the program of course, because nobody will want to make a virus for ActiveX if they need to buy a digital signature!" well, that works fine and dandy until Virus Inc. walks in, buys a digital signature and proceeds to revolve their business around spamming you to death. So simply put, if MS made ActiveX properly and forced it to be confined to a sandbox like Java did it never would have ever been as big a problem as it is today, but MS didn't look as security when they designed ActiveX, they looked at what customers (IE:PHB) wanted that Java wasn't delivering, which was speed at the time. So someone at MS got the bright idea to run native code instead of run-time code, and BAM! ActiveX.

Now comes problem 2, which is single user windows. Windows9x ran as administrator (Root) at all times regardless of who's logged in, so when you ran a executable file under windows, it could do anything from show a spreadsheet to format your Hard drive. Java since it was sand-boxed couldn't do this without prompting you like crazy that you were probably doing something stupid right now if a program was trying to do something malicious (not that John wouldn't just allow it anyway if it had anything to do with Pam). Even under 2000/XP, by default your running as Administrator because they decided that running all those legacy programs was more important than security, so the problem still exists today.

How could MS fix it? well they could emulate the core OS run-time for activeX programs (or any executable called by IE for that matter) so that it's completely separate from the primary OS so anything that is run under it is effectively sand-boxed, or they could enforce permissions on the next OS release. (Which will somewhat fix it. See Myth #1) It looks like for vista their choosing option 2, although IMHO they should remove all native legacy support from vista and VM anything legacy in a kernel-space designed specifically for the legacy application, but that's another story.

So why are other browsers so secure when it comes to Spyware? Simple: they don't support ActiveX. By not supporting ActiveX they avoid one of the big Spyware conduits, but that's not the only way you get spyware. Don't believe me? Ok, using your Third Party Browser, download Kazaa (or just about any P2P app these days it seems) from their web site and then tell me you can't get spyware from a third party browser. I've seen spyware in so many installers it's practically an epidemic. Hell, Even AOL's Instant Messenger is jumping on the Bundle Bandwagon and throwing weatherbug adware around for fun. It's got to the point that most file sites are actively testing all of the installers they get for spyware intrusion and delisting them if they find spyware in them. So basically, that Rico Suave Theme you downloaded has more than just Rico in it. It's probably got coolwwwsearch, SaveNow and god only knows what else.

And it doesn't stop there. Some of these Virus Inc's are trying out Firefox extensions and Java on for size. At least the Mozilla Group is keeping them at bay but for how long?

Myth #4: IE is insecure because it's merged into the OS/runs in Ring 0
IE doesn't and never ran in kernel space. It ran in and as the Windows Shell. It's the same thing KDE does with Konqueror in Linux. Where this myth came from I'll never know. My guess is some evil manipulating Clown out of one of those horror movies.

Now, not to say that there wasn't a problem with the way Microsoft did shell integration. They used to allow folders to have HTML files (namely folder.htt) to change the look of each folder. This was Really Stupid and some viruses used to use it as a way in by exploiting IE. Fortunatly in the latest Service packs of 2000/XP they disabled this "feature" (although they did not remove it. In theory a virus could turn it on for you, and another virus could infect using what the first virus turned on.) Also keep in mind that you could turn web page view off on the older shells and this problem immediatly goes away.

But even with the above problem, the shell integration didn't increase the risk. Case in point? Windows NT. It has it's own file browser shell and you can install IE on it and it can run inside the Explorer shell without integrating it as the Explorer shell, and you'll get the exact same exploits that windows NT would get if you Installed IE as a fully integrated explorer/IE shell. Even the folder.htt exploits would run on a non-integrated IE.

So what increased the risk then? Simple. IE4 Security Zone implementation. Seriously, IE3 was the most secure browser MS has ever made, Why? because there was only one single security zone and it was set to High, also the ActiveX component in IE3 did not do auto install. If MS stayed with this simple security model none of this would have ever been a problem, but in IE4, they decided that HTML on your machine or on your local network is safe. This was another Really Stupid move, and it's been going on for so long that IE7 Might be the browser that finally fixes this stupidity once and for all by setting all the zones except restricted sites to medium security by default. Don't get me wrong. the Zone Idea is a sound one, and programs such as SpywareBlaster use security zones effectively, but if MS implemented it right in the first place there would be a lot less virii out there.

As for exploits, Myth #3 covers a lot of them, and code exploits can and will happen in Every Browser, Including Netscape, Opera, Firefox and even Konqueror. The difference here is that these guys write simpler and more manageable code, which results in faster turnaround time for patches. That's the Real advantage the other browsers have over IE, that and they didn't make stupid mistakes like Security Zones and ActiveX.

Myth #5: Windows XP can never be secured because of all the Security Holes
I'm calling BS on this one, and I'll tell you why. I work for a Small Private College. We have a laptop program for students as well as maintain some computer labs with desktops. The labs have had the same Operating system (XP) on them for over two years under heavy usage and not one of them ever had spyware/viruses or any of the other happy fun "screw your box" exploits that seem to plague every laptop 15 minutes after we hand it to a student. Why? Because we protect the Lab PC's that's why, and not with some exotic "erase the drive every time" solution like Clean Slate or the Shared Computer Toolkit. All we use is the built in security protections and policies to protect the PC's from what would basically be described as PC hell. On the laptops, the Students have admin access and can have a field day installing every porn and P2P Program they find, and they get spyware filled almost immediately. I seriously had a Laptop come in and it scored 17079 on Adaware. I've yet to see adaware score anything above 50 cookies on any of the lab boxes because they can't install anything on them.

How easy is it, well it's not if you never did it, and theres a lot of steps you have to go through but basically all you have to do is 2 things
-Remove the idiotic CREATOR OWNER permissions on the C:\, C:\program files, and C:\windows folders. Turn off simple file sharing to see the permissions right.
-Make user accounts for everyone using the PC or get a domain to handle the user part.
-Not really necessary, but gpedit.msc is your friend as well if you're really dedicated.

For people that are starting out, the shared computer toolkit (the Configuration part. Not the Hard drive protection part) can help you with a lot of the basic security settings if your a novice to securing your machine, but is not necessary to secure XP if your familar with the above steps I mentioned. Oh, and another thing. Stay away from the stupid Networking Wizard. Whoever thought that having the shared documents folder automaticially open wide with read and write permissions when you run this should be shot dead, then hanged, then the corpse should be Burned while the body is still swinging on the rope and the ashes secured in order to keep the stupid sealed away for all eternity. I swear they made this feature so the Nimda virus could live forever.

You do those simple things, and XP is hard to crack. Not impossible by any means (it can still take a shallow virus hit but you can minimize the impact further by giving all users guest permissions so their profile gets deleted, or by using a mandatory user profile), but it's pretty solid. It only sucks out of the box because Microsoft wanted it to.

Myth #6: Open source software is more secure then closed source software, so I don't need to protect myself
Open source code tends to be higher quality code and has faster patch turnaround times. I won't dispute that. But that doesn't mean that it's totally secure. People make mistakes. Mistakes could go on for years undetected until that mistake turns into a major exploit.

A perfect example of this is the Linux kernel itself. It's been in development for years, been looked at by hundreds if not thousands of people, and they're Still finding security exploits in it. Is it's Linus's fault, or the programmers, or the OSS model in general? No. Mistakes happen, patches come out, and all is well.

Now don't get me wrong, Linux Vs the NT kernel is like night and day. There could be hundreds of NT kernel exploits that we or even Microsoft don't know about. Would it be less if NT was open source? Most likely, but I can make a safe bet that it would never be to the point where we could say, "Well we're finished, this kernel has absolutely no security holes in it whatsoever!" for either NT or Linux.

Although Open source can be more secure than closed source, no software should be considered totally 100% secure. That's why you should always plan for the worst case scenario when it comes to software and not rely on a single security point of failure. Spending the time to layer security measures Always Pays off in the end no matter what OS you use.

Myth #7: There are no Linux/OSX Viruses
There are viruses for Linux and OSX, not near the amount windows has, but they definetly exist.

The reason there isn't more is because of three things
-Smarter people running them
-Better security practices in the OS
-Small Market Share

First off, users of these systems, Especially Linux tend to be higher on the computer scale than the majority. I'd say there somewhere in the top 10% of knowledgeable computer users. Thats still somewhat dangerous, but nowhere near the 90-99% moron zone you'll find most in the Windows world hang in. This alone shrugs off some of the real simple Social Engineering scams right off the bat.

Second is that the security models were put into these OS'es from day one. This is really easy when you don't have huge market share and don't care about compatibility, like Apple when they chucked OS9 for OSX but got a better system out of it, or Linux which came from a background that has had 30+ years of security refinement. Microsoft doesn't want to go down the "chuck all the software out the window" road even though it would benefit them greatly, so their stuck with less secure legacy code, which attracts virus writers because it's easier to exploit.

Third is their Market Share. Lets say you write software for Virus Inc. Are you going to attack the OS with A)2% B)8% or C)90% market share. I remember a time when my SAT coach said to answer C if your not sure what the answer is, so I'm going with C. Notice that Firefox is starting to get a bullseye on it? thats because it's Browser Market Share is growing rapidly, and it's starting to attract some Black Hats. the same goes with OS's as well.

Keep in mind, that although it's harder to infect these OS's and they have far less viruses, they still have a couple, and it's only going to get worse over time so it makes sense to be prepared then to be sorry when you get hit hard.

Myth #8: There are 180000+ windows viruses
This is another favorite one of mine. OSX and Linux guys love waving this myth around. This semi-myth comes from your friendly neighborhood virus vendor.

You see, there are a lot of viruses for windows, mostly because of the way MS makes it easy to exploit their OS as well as its OS dominance over other operating systems, but a good portion of that 180000 number is over inflated. For example, a lot of those viruses are variants of the same virus. And examples of these are the netsky and beagle variants. Beagle has got something around 70+ variants and netsky is around 50+. Most of these variants do the same thing as their predecessors but are updated slightly to infect more PC's. Even if a source virus has a single byte change, (for example changing a string in a virus from "screw MS" to "screw M$") it's classified as a variant of that source virus. Most AV firms count each variant as its own separate virus as well as other programs such as jokes and spyware. That's why Mcafee detects 178000+ viruses and Symantec, who only counts viruses and not variants, counts 72000+. Why do AV vendors do this? To say that they detect more than their competitor, I Mean what would you buy, the virus scanner that detects 72000 viruses or the virus scanner that detects 180000 viruses?

Now, 72000+ is a lot smaller but even that number is somewhat inflated. Why? Because Symantec never removes legacy viruses from their databases, (and they shouldn't) but you must understand that a virus circa 1990 has a very slim (to none) chance of infecting a Windows XP PC today and doing any kind of damage. First off, With NTFS replacing FAT as the default partition used by windows today, most boot sector viruses simply cannot attach to NTFS and do any damage to it because they are obsolete and don't know how to cause damage to NTFS. (or how to even read the hard drive correctly for that matter) Also, windows XP and Office 2003 are a lot different than its previous incarnations of DOS, Windows, and Office. Many viruses written for DOS, Windows 95/98 and Office 97 will not work in XP or office 2003 since Microsoft has patched the holes the older viruses used to exploit, also dropping this number considerably. Removing Office (or not having it in the first place) from your PC also removes any Macro virus threat that exploits Office to spread. Basically, that count is based on every virus that Symantec has found over the entire course of the PC, from Brain in 1986 to the latest Beagle today.

Now, even though you could possibly cut that 72000+ viruses in half and made it as low as 36000+ infect capable viruses for windows XP, (I honestly don't know the real number. Symantec could possibly tell you) that number is still very high vs. Other Operating systems that did security over convenience, but it sure isn't 180000+

Myth #9: Microsoft should focus on patching their OS instead of releasing a Free Antivirus product
This is a more recent myth that OSX/Linux people have been waving around since MS announced that they would release a free antivirus suite, and it has a simple answer.

You can't patch stupid.

Sounds simple right, or sounds like an insult that Bill Clinton would say during the 92 campaign. Anyway, the point is that the computer is only as secure as the person in front of the PC, and if the user (most likely) falls within that "Law of Stupidity" I mentioned in Myth #1, then it's a disaster waiting to happen.

Let's say for the sake of argument that you have a magic "Fix" button that would immediately remove every single bug from every software line of code on your PC. So you push this Fix button and BAM! You system is bug free. No bugs, no exploits, no problem right? Well, let's give the magic button to John Q Ignoramus here and see what happens. He presses the button, removes all bugs from his system, sees a trojan horse masquarading as a Pam and Tommy lee video program taunting him from his favorite web site, downloads and runs the program and all of a sudden he's sending spam! Wait a second! That's not supposed to happen! The Linux guy told me so!

What?! The Linux guy said I should have secured the PC first? Well here's the magic "Secure" button that secures your PC to a user level! So first press the fix button to get rid of that nasty spam thing, then press the secure button to secure it down! Now John a simple user on his exploit free magic PC. He then sees the Pam and Tommy lee video program on the desktop, and clicks on his dream of Pam's desire. Oops! He's sending spam again!! How you ask? because it's one of those shallow Viruses I was talking about in Myth #1. It's running within his user account and doesn't need any privilege escalation to spam.

Hold it! The Linux guy screams! His system still isn't secure enough! Fine. It's time we turn that security button up to max security!! At this point, the only thing John can do is run legitimate programs that were originally installed by an IT professional in his user account, and every other executable is denied! So John sees the Pam and Tommy video clicks on it and "access denied!" the Linux guy was right! M$ is out to take our money and destroy every other OS on earth! But Wait!! This is John's computer! There is no IT Nazi trying to keep the man down by knocking John's door down and dragging him away from the keyboard every time he tries to fulfill his Pamela fantasy! He has a way to install programs on his own PC!! So he simply follows the procedure to install the Pam and Tommy lee video program and his PC is spamtastic again. Linux guy foiled again!

I guess we could try the DRM button now but I doubt the Linux guy would be for that, considering he thinks that DRM is a tool by "The Ballmer" to force Linux freedom fighters away from fertile PC ground, But I hear the OSX guy is all for it. Either way, it's not like Virus Inc. couldn't get it digitally signed.

Now I know that the Max Security example even invalidates AV software, since John would just click ignore to watch bosoms fly, but the point of the above was to illustrate that you can't patch stupid. How do I know? Because Vista's UAC was an attempt by Microsoft to patch Stupid. What did most people do with Vista's UAC? They either turn it off or immediately hit allow without a second thought. Windows 7 makes it prompt less but it still does nothing because to UAC, every program is bad, and people get indoctrinated with the prompt to the point that they never read it anymore. So much for patching stupid.

So how does AV software help if they just click ignore anyways. Well, first off you get rid of ignore. Make it so you HAVE to deal with it by either quarantine or disinfection with quarantine for backup. That way, if it's a virus, problem solved and if it's a false positive, you can restore it from quarantine.

Second, it's a prompt that you will not see every day, since it only appears when a virus is detected. People tend to read things that are less frequent than others. If you see a prompt once a month vs. a prompt 10 times a day, you'll probably pay more attention to the once a month one.

Third and most important, AV software has the potential to retroactively fix mistakes. If you did click on a 0 day virus that your AV software missed, chances are that within a week or less, your AV scanner will say you have a virus even though it allowed you to run it before. Nothing else short of an IT guy looking at your process list once a month can do this, although I'm assuming that your AV software can detect the file in the first place.

Basically, it all comes down to layering security to protect someone from themselves. That's why I believe that Antivirus software should be included in all operating systems free of charge.

More as I think of them...

What virus do you know of for OS X?

[DisownedSky]

Just curious. I haven;t heard of or run into one.

Re:What virus do you know of for OS X?

[Deathlizard]

Most of them are simple viruses, and were handled by patches or never in the wild (Laboratory).

Mas OS in general never attracted a huge virus crowd, even pre OSX there were I think less than 1000 viruses in the entire history of the Macintosh. This could change soon, especially with the new Intel Macs. If someone figures out a way to install windows on a mac, they will start selling tons of them, and OS X market share will rise since most people who bought it will at least try to dual boot OS X and Windows

Re:What virus do you know of for OS X?

[DisownedSky]

OK, I didn't do thorough research, but I have found several web sources claiming that there are currently zero (0) OS X viruses in the wild. For example: http://www.pure-mac.com/virus.html [pure-mac.com].

Re:What virus do you know of for OS X?

[Deathlizard]

And you won't find one, because most of them are trojan horses, and for some reason Mac users don't call them viruses.

http://www.thexlab.com/faqs/malspyware.html/ [thexlab.com] has a list of them. Sony had a rootkit for OS X. There was a script that torched everyhing in a users account. One completely disabled all security measures and spread like Nimda did with windows by copying to all open network shares. And yes, they are all low risk because they execute as shallow viruses. (except the Sony one, that probably requir