Malware attack vectors - approaches and setups to block these?

Discussion in 'other security issues & news' started by ssj100, Sep 6, 2009.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You know I don't ever attempt to raise problems. I have questions. Is your 'method' then to only allow certain sites any scripting or content privileges in the browser? And I already know you use the, shall we say, 'obscure' browser Opera to do this with.

    Once you have, I presume, allowed a website to gain your 'trust' by adding it to the list of allowed to run scripts, what provisions do you have in place for 'IF' that website were to ever be compromised?

    What do you do about emails? I open them as plain text always, but there are times I admit when I must follow a link or allow rich context.

    I currently use SRP to reduce my applications that interact online to Basic User.

    So I am wondering, as there are always holes, how you plug them?

    Thanks for any insight you care to share.

    Sul.
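The "internet-facing programs run as Basic User" SRP setup Sully mentions above, as an added example that is not code from the thread: a Software Restriction Policies path rule written straight to the policy registry keys, so the named program starts with a restricted token (Administrators SID and admin privileges removed) even when launched from an admin account. The program path and rule description are assumptions; run it from an elevated PowerShell.

```powershell
# Added example (not from the thread): an SRP path rule that runs one
# internet-facing program at the "Basic User" level. SRP then starts it with a
# restricted token: the Administrators group SID and admin privileges are
# removed, even if the logged-on user is an administrator.
# Assumptions: elevated PowerShell; the program path below is a placeholder.

$Target = 'C:\Program Files\Opera\opera.exe'   # assumed path; use your browser or mail client
$Base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP stores rules under subkeys named by the numeric security level.
$Unrestricted = 262144   # 0x40000
$BasicUser    = 131072   # 0x20000
$Disallowed   = 0

# 1. Policy root. DefaultLevel stays Unrestricted so only explicit rules bite.
#    PolicyScope 0 = enforce for all users, local admins included (the whole
#    point of this setup). TransparentEnabled 1 = check executables, skip DLLs.
New-Item -Path $Base -Force | Out-Null
Set-ItemProperty -Path $Base -Name DefaultLevel        -Type DWord -Value $Unrestricted
Set-ItemProperty -Path $Base -Name PolicyScope         -Type DWord -Value 0
Set-ItemProperty -Path $Base -Name TransparentEnabled  -Type DWord -Value 1
Set-ItemProperty -Path $Base -Name AuthenticodeEnabled -Type DWord -Value 0
Set-ItemProperty -Path $Base -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
    'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
    'SCR','SHS','URL','VB','WSC')

# 2. One GUID-named subkey per rule: ItemData = path, SaferFlags = 0,
#    LastModified = FILETIME. Idempotent: an existing rule for the same path
#    is reused instead of duplicated. Returns the rule key path.
function New-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    $PathsKey = "$Base\$Level\Paths"
    $existing = Get-ChildItem -Path $PathsKey -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).ItemData -eq $Path }
    if ($existing) { return $existing.PSPath }

    $RuleKey = "$PathsKey\{$([guid]::NewGuid())}"
    New-Item -Path $RuleKey -Force | Out-Null
    Set-ItemProperty -Path $RuleKey -Name ItemData     -Type ExpandString -Value $Path
    Set-ItemProperty -Path $RuleKey -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $RuleKey -Name Description  -Type String       -Value $Description
    Set-ItemProperty -Path $RuleKey -Name LastModified -Type QWord        -Value (Get-Date).ToFileTime()
    return $RuleKey
}

$rule = New-SrpPathRule -Level $BasicUser -Path $Target -Description 'Internet-facing app: no admin token'

# 3. Verify: list every path that now starts at the Basic User level.
Get-ChildItem -Path "$Base\$BasicUser\Paths" |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath | Select-Object Description, ItemData }
```

The rule only matches the exact path, so a copy of the program elsewhere starts unrestricted, and a restricted process can still touch everything the user's own account can; it narrows what a compromised browser or mail client gets, it does not replace LUA. New processes pick the rule up on their next start; log off and on if a running copy still holds its full token.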
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @Windchild

    I think more and more about LUA, about how I use my computer, and how LUA is more of a hindrance to me. I understand, I am doing much to my computer rather than just using it like an average novice. For me then, LUA really does pose problems, as 75% of what I do requires admin. But, the more I deal with issues of the day with family and friends, the more I see one very clear fact. In XP, which many still have, the most common complaint is 'I can't install this program'. Using RunAs or SuRun then, I see this problem developing, where this average user who only knows how to surf and save pictures from their camera, they need to install something. So whether SuRun or RunAs, they basically give the OK to do so. I suspect from my limited support of Vista/7, that UAC is basically 'Allowed' in the same manner.

    So, while I can agree more and more, especially for the novice, that LUA poses a good solution, I still see the downfall of LUA/UAC where the novice just assumes they need to install something so they know the admin credentials and fling it around as they please. They don't have the aptitude or the desire really to check into what they are doing, they just want to do it.

    Here is my question, not just limited to you though :) . What is considered protection, when the user themselves elevate anything they desire to admin when needed? What is the backup? If they elevate, root is acquired and the game is over. I struggle with this, and no, I don't believe the time is anywhere near to when the user will decide they must invest the time to gain knowledge.

    Put it this way, with the current state of the economy, I know more and more who are doing things online now. Banking, paying bills, buying, etc. More than ever, my family and friends who only used to surf and such, are turning to more modern means of using the internet. Which of course is only just starting to show itself to me as various problems the more they use it. LUA is a great option for them, but still there exists the last straw. When they do elevate, what is left?

    So I pose this puzzle. And perhaps it is not a puzzle at all, but I have a hard time seeing the solution if it is present, for them. For those Wilder-ites that are into this stuff, it is a different matter completely.

    Sul.
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    The number 1 way I see people's PCs getting infected is through P2P filesharing. This is mainly kids/teenagers, but not exclusively, downloading dreadful pirated mp3s etc. and video files.

    Often they get what they want, but not always what they're looking for lol. A lot of them are running with ActiveX/Scripting/Java etc. etc. running freely. Even if ActiveX isn't, the other stuff nearly always is.

    Whenever I've tried to show them, and their parents, how to configure things better, most find it all very confusing. Plus they just want to surf etc. without any restrictions, even though they now know why they shouldn't!

    I gave up a while back trying to show people how to work with HIPS etc. It was too much for them, and I was just wasting my time.

    Returnil however was received quite well with some people. But due to various serious unresolved problems with it, unfortunately I can't recommend it right now.

    For most people out there in www land, I don't see an immediate solution I'm afraid.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, this 'obscure' browser permits per-site configuration for cookies, content, scripting, etc:

    [Image: wildersSitePref.gif]

    Well, I've only five sites configured for scripting (Wilders being one) and I'm not too worried about these being compromised.

    For that type of exploit you refer to: I've tested this scenario in other threads, where, using a compromised site with an injected script to install a rogue security product, I let the script run which connects out to the malware site which uses a script to download the fake scanner. The script on that site will not run because it hasn't been given prior permission to run scripts.

    My email/newsreader is Forte Agent which is text-based.

    The following-a-link exploit in an email to a bad site with a script would be the same as following a compromised link in a Google search (very common exploit these days): any script on that link just wouldn't run. For an example of what can happen:

    http://www.dslreports.com/forum/r22983647-Antivirus-Pro-2010
    I look at current exploits in the wild and see if I'm covered (holes plugged). That's about it.

    ----
    rich
     
  5. wat0114

    wat0114 Guest

    Exactly what I'm doing completely problem free. I run an XP VBox limited account on a host Vista limited account, and it runs smooth as butter :thumb:

    As for those complaining there are too many restrictions running admin, well, if the majority use their machines like I use mine, they are surfing, opening emails, playing tunes on their media player, watching youtube vids, working with text editors or spreadsheet programs. Very typical stuff. All this is easily done in limited mode, so bs to those saying it's difficult or too restrictive. It wasn't long ago I argued against limited, thinking the same thing as some others that it would be too restrictive (I ran Power user for years), but I was proven wrong; for my needs then and now I can easily function as limited. For someone like Sully and perhaps Rmus who require admin privs most of the time, then sure, it is understandable they run admin, but I'm convinced the majority of home users can run limited. If a program doesn't work properly in limited, then it is the program's issue; poor coding the developer should fix. It's that simple.

    Sorry for the rant but there is no way it is that much hassle to take a few seconds to switch to admin or use Run as.. for the few times admin access is needed. The trade-off for a few extra minutes out of the day for far better security than full-time admin use is well worth it.

    Sorry sun88, I don't buy this one iota. Download software from the trusted site - the developers - and it is 99.999997% guaranteed safe. If there is any doubt, run it sandboxed or in a virtual machine to look at its initial behaviour.
     
    Last edited by a moderator: Sep 7, 2009
  6. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes, this is a valid point. But there's a problem. Most people will have to trust someone. You're likely to trust the tools you use to monitor what other software does on your system. You're likely to trust the OS (or if you don't, then you're already owned by my definition of the word, because everything you run in the system is running on an untrusted base, the OS - the untrusted OS). You're likely to trust quite a few pieces of software. And most certainly no-one in this forum, not even the people who make security software for a living, have completely reverse-engineered every single piece of software they're running and gone through every single line of code to make sure there aren't any malicious surprises in there, waiting for them. If someone has compiled their own OS, have they checked the compiler? Have they checked the compiler that was used to compile that compiler? :D

    Before I get any more tedious, my point is obviously that while we shouldn't carelessly trust everyone, we have to trust quite a lot of sources. For Joe User, meticulously monitoring and analyzing software for possibly suspicious behaviour is absolutely impossible. Joe User has neither the skills nor the time resources to even attempt that. Therefore Joe User just has to trust a lot of folks. Joe User just has to find the right folks to trust, and that isn't as hard as one might think, even for someone with no real skill in computer security, as long as they're capable of logical thinking.


    First, I'd like to state the obvious again. ;) Guys like you and Rmus don't need to run as LUA. I don't need to run as LUA. Many other guys in the forum don't need to run as LUA. Most likely none of us are going to get owned even if we don't run as LUA. In any decent security forums, there are many people who can be reasonably safe without LUA, or without any security software at all. But, many of these people could still benefit from LUA, like I do. Some, of course, really can't do it, due to the things they do to the system all the time. For someone who spends all day tweaking stuff in HKLM and loading drivers and installing software, LUA is a very bad option indeed and it isn't even meant for that sort of use. Admin accounts exist for a reason, after all. In any case running LUA sets a good example to Joe User, who needs LUA a whole big lot more than some wacky forumites such as myself do! Therefore, I will recommend LUA, and I will run LUA, even though I can personally survive without it, and have.

    Now, to your question: "What is considered protection, when the user themselves elevate anything they desire to admin when needed?"

    Sadly, we all know the answer, don't we. If we assume the user is terminally ignorant about security (ignorance is "okay" - I'm ignorant about some things, someone else is ignorant about some other things) and our assumption happens to be correct, then nothing except blacklisting software is left and even that is only a very weak partial solution. HIPS, anti-executables and other similarly advanced security products will not work, because if the user really wants to install something, they bloody well will install it no matter how many warnings or prompts they are given, and if nothing else works, they will turn off the annoying security software. The problem is, the users are used to seeing these products warn about every install, even the known good ones. So, in these cases, either a blacklisting software detects the malicious file and forcefully deletes it before the user can run it and keeps on warning the user about the file being a VIRUS!!!11!! or the blacklisting software doesn't detect it and they get owned. Sometimes the user may actually believe the blacklisting software, because usually the blacklisting software doesn't warn them about every single install, although if the user has seen many false positives, that may be too much to hope and the user will just turn off the AV as well.

    So, yeah, blacklisting is the only thing that's left. It may not be the most fashionable idea in the world, but it's better than nothing. In those cases where I can convince a "I will install anything without a moment's thought" type of user into running LUA, I'll also convince them to run an AV and use a browser that has at least some form of phish/malware site warnings for well-known bad sites.

    Ultimately, we must accept reality. If the user is seriously ignorant, then he is, and nothing can really protect the system. Except not giving him the option to trust new things: don't give him the admin password, don't let him disable security software, and so on, which is typically not an option when it's their computer. Blacklisting, like a decent AV, can sometimes warn the user when they've decided to install something that is actually bad, and sometimes it may save the day, but not always. LUA, HIPS products, anti-executables, whitelisting - these can rather effectively protect the user from the silent, remote code execution type attacks that don't use social engineering, so they are not useless even when the user is ignorant.

    Unfortunate fact of life it is, then, that the user can be the weakest link and frequently is. Security measures like LUA can help protect the user from some things, but can't defeat the full power of human ignorance unleashed.
     
  7. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    What's needed is an attitude of distrust towards the internet.

    That means being suspicious of pop-ups when browsing.
    That means being suspicious of applications they download from the internet.

    Most people on Wilders have that, while the typical PC user does not.
    This would be, say, 50% of security right there.

    However drive-by downloads & phishing cause fear because it seems that they are outside a user's control.
    They are not; you just need to learn a bit about how they work and work against them.
    But they are like the very smart car thief or scam artist; you just need to put a bit of effort into understanding and combating them.
    And it's an inconvenience to combat them.

    I think a lot of the discussion here is focusing on making the second 50% less of an inconvenience to us wilders folk - Which is exactly what I like :)

    But that first 50% would be a great first step even if people didn't bother with the rest of it.
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    You folks know about computers. Me, I know also what it takes to not get infected. And it isn't the Bill of Rights.;)

    Oh, and I am Admin on all machines.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, Windchild, for putting into simple, readable, non-technobabble language what I and I think many others, would like to have said!

    Several comments within the framework of my two "categories" of malware attack vectors:

    1) Remote Code Execution

    (my emphasis)

    2) User chooses to install

    You are saying the user has two choices:

    • trust the source

    • trust the scanner (blacklist)
    (Or use both)

    This in a nutshell is the whole of computer security boiled down to two broad areas. From this point forward, each user takes specific scenarios and decides how to deal with them. Many have already been suggested in this thread.

    As I and noone_particular and others have suggested, policies and procedures are a great first step: dealing with email and attachments; using only vendor sites to update; and so forth. It gets the brain in sync with what the day-to-day actions are. Then, security products specific to the situation can be applied, and we've seen enough examples of this already.

    The big hurdle is "Joe User," as you've stated. Everyone who has contributed to this thread is capable of passing good security information on to less informed people we come in contact with, and that's really all we can do.

    One other comment: we love to give advice in these forums. The most difficult poster to deal with is one who writes, "Rate My Security." How can anyone do that without knowing specifically what the poster's day-to-day computing habits are?

    My favorite example: Earlier this year in another forum, this type of post came, and after much back and forth, with most respondents using the opportunity to list their favorite AV and other stuff, the poster revealed that he had a LAN. Did he have a router? Yes, he had recently purchased one. Had he changed the default password? No. How did he control file sharing? Hadn't given that any thought. It turns out that those ports were open. How were the other workstations on his LAN set up security-wise? And so forth. A can of worms was opened!

    Speaking of worms: the Conficker worm would have a great party with him. Susan Bradley, MVP, was the first (I think) to warn in a Windows Secrets newsletter earlier this year that having a router/firewall didn't automatically protect against Conficker where ports were open for file sharing. Conficker also had a built-in dictionary attack used to install itself along a network by guessing weak passwords by brute force. Hence, the hundreds/thousands of computers on local and corporate networks that became members in the Conficker botnet.

    (This was before the USB version of Conficker emerged. Also of note is that the Remote Procedure Call (RPC) vulnerability in Windows that Conficker had exploited had been patched by Microsoft for two months before Conficker emerged on the scene. What part does patching play in one's security strategy?)

    That's why, as I've stated before, I no longer think it is useful (in most cases) to recommend specific products without knowing details of the user's computing habits.

    ssj100 and Peter2150 have demonstrated the robustness of the Sandbox. Is that solution the best for everyone?

    Setting up LUAs on a multi-user computer may be an ideal solution in that situation. For single-users, maybe so, maybe not. But who can know from a distance? And who can judge?

    I think it has - thanks for starting it!

    ----
    rich
     
  10. sun88

    sun88 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    69
    With say real-time pkgs like, Avira, WinPatrol, DefenseWall, Mamutu, Prevx Edge, etc.
    Occasionally run Malwarebytes, SuperAntiVirus, RootRepeal, etc.
    My point is that you shouldn't just set up a defensive system using SandBoxie. and a firewall, and pretend that you are safe.
    Furthermore, you failed to note that you are most vulnerable to being infected by malware, when you are installing software, not when you are casually surfing the web.
     
  11. SammyJack

    SammyJack Registered Member

    Joined:
    Aug 19, 2009
    Posts:
    129

    Au contraire, I think that point has been made.
    Speaking for myself that is one of my smallest concerns, as nothing but trusted
    (gotta trust someone!!) programs ever make it on to my real system.
    Anything "iffy" is installed in Returnil and if possible Sandboxie within Returnil, allowed to do its thing, and document conversions etc. made by the software are scanned by any of a number of on-demands, saved to the real disc, and the Sandbox emptied, and Returnil booted out of.
    During the time the program is active in the Sandbox its calling out can be easily blocked with Restrict Internet Access.
    If the program will not install in Sandboxie, it is still in Returnil, and its
    on-line ambitions can be thwarted by any two-way firewall.
    The program exes are of course scanned for anything a blacklister can detect.
     
    Last edited: Sep 8, 2009
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    SBIE should be treated the same as SRP or vmWare. They are effective and safe, and to be honest they can be trusted. However, there always exists the exploit. SBIEs popularity sets it as a larger target than the more obscure SRP. But, any tool used to provide security, as it grows in popularity, I would assume it is also thought that breaking it provides some kind of payload for criminals etc.

    So yes ssj100, I think we can trust SBIE, but I have no doubt it is not foolproof. It is only whether tzuk stays on top of any exploits found, and how widespread an exploit could become in a short time. Yet one more reason to applaud those tools that offer lifetime upgrades. This one small thing can make such a great difference. And as active as tzuk is, as popular as SBIE, as many advanced users there are, it would make sense that even when an exploit surfaces, the reaction time to mend the hole will be fast. Thus ensuring further trust of SBIE. If SRP ever finally becomes exploited on any scale, it will depend on M$ to patch the exploit. Those relying on SRP will have to wait for big brother, which may not be too swift.

    Of course, first there has to be an exploit found before anything can happen ;)

    Sul.
     
  13. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I agree with that, certainly. :D The inconvenience to the vast majority of people is very small indeed. Most people that I know don't have any reason to install software daily. They'll spend their time in tasks like writing, email, browsing, media playback and such. They rarely need to switch to admin, and when they do, it only takes a couple of seconds to do. Certainly not too bad - perhaps easier than having to put on seatbelts every time they get in the car which they're perfectly capable of doing.

    And also: LUA can help users find the right mindset. When they're in LUA, it's pretty much like they're driving to work at 50 mph in nice clear weather and with their seatbelts firmly on. They'll keep their eyes open of course, but they shouldn't be too worried. But when they log in as admin, now they've taken off the seatbelts and are driving in pretty poor weather at high speed, and they know this. Nothing to be panicking about if you know how to drive, but you should be very careful and understand the risks. So, there's a very clear distinction between doing everyday tasks and doing administrative tasks that need to be done right or things will go very badly. A distinction that is not there when the user is always admin, because he won't have to do anything to get into "admin-mode", he's already in it.

    Some people that I know (mostly women, perhaps they're just naturally more careful) have even developed a genuine dislike of logging in as admin. :D They find it uncomfortable that when they are admin, any program they run or even their own accidental mouse click could delete important system files or their favourite programs. So what they do is they log in as admin to install something important, and when that's done, they immediately log out and feel better when they're back in LUA. That's not exactly how I would feel, but at least these people are regular, normal users that aren't too sophisticated but still have realized that it's not good to be root all the time and it really is a lot more powerful than you need to be most of the time. :)

    What Rmus said about passing on information to people we come to contact with is certainly good to remember. Ultimately, we can't do much more than that. (Of course, we can also try to pressure software vendors into fixing their vulnerabilities and poor default configurations and such, and help blacklisting companies keep up with the loads of new malware being churned out, like many people in this forum do.) I find it always easier to help someone face-to-face, where you can really see the full details of their computer/network setup and can immediately understand the risks better. Online, you have to depend on what they're saying, and they may not know enough to tell you the right things. Online, you can give general recommendations easily, but anything more specific gets tricky (but not impossible).
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    For those who started computing with WinXP, you may not know that Win2K had "Users" and "Groups." Those I associated with emphasized the benefits of Users versus Administrators as laid out in the Win2K Help File:

    This was certainly useful where several people used the same computer.

    As far as security from malware, again from the Help File:

    Downloading here, of course, refers to remote code execution, for if someone intended to download/install, the user would do so as Administrator. This applies to those who are tricked into installing rogue security products.

    Interestingly, those I associated with at the time didn't think of Users as being a protective measure from malware, since we already had the remote code execution attack vectors taken care of:

    • Drive-by download -- web based attack

    • Floppy Drive/Zip Drive/USB -- autorun.inf

    • Office Documents -- macro virus, etc...
    It was an almost accepted principle that one's security would block malware from sneaking in like that!

    However, in view of the lack of security awareness on the part of so many home users today, running as LUA is certainly to be recommended to protect against the inadvertent mistake or the drive-by download that succeeds because of lack of proper security.


    ----
    rich
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Ahaa now I understand why we sometimes do not understand each other.

    Threat Gates = sources of possible malware
    - USB stick
    - Web browser
    - Shared disk

    Attack vectors = intrusion techniques used by malware.
    - Using uncommon but existing software techniques,
    like direct disk access, injecting DLLs, hooking, etc.
    - Using services or built-in features for other purposes than intended,
    like gaining access through guest account/admin share, remote admin services,
    WAN side pings, spoofing MAC addresses
    - Using exploits (unintended access to code/data/rights through untested/unknown entry/return/error conditions of usually existing OS, services, third party add-ons/services or threat gate related software)
    - and non-technical attacks like using default passwords of management console apps (f.i. of your hardware router) or more complicated social engineering; see for fun http://www.dummies.com/WileyCDA/DummiesTitle/productCd-047005235X,page-1.html


    Cheers Kees
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    And that my friend is exactly what Sandboxie/SafeSpace and DefenseWall/GeSWall do :thumb:

    Why bother with system wide protection when you have covered the threat gates? So a firewall (network level threat gate) with a Sandbox HIPS (application level threat gate) plus an AV (system wide blacklisting) is the best defense approach in terms of pop-ups/user interaction versus solid protection.
     