The vast, barren wasteland of desktop security

Discussion in 'malware problems & news' started by Gullible Jones, Jun 29, 2016.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    It's been a while since I've seen serious malware problems. On my home network, ad blockers and outbound packet filtering seem to take care of most of it. It's security by statistics, not by good engineering, but it does work (for now).

    But. A couple weeks ago, I spoke with a relative who often has computer problems. I'll call her Edna. She's quite intelligent, but also a perpetual computer novice, and lives in an area largely bereft of competent IT people. Usually she brings her laptop to Best Buy or such, and the people there wreck it even further through stupidity. Or, in some cases, just flatly take advantage of her without fixing anything - deliberately installing stuff she doesn't need so they can bill her, etc.

    The original problem might be an accidental misconfiguration, or a driver problem, or (frequently) that the hard disk needs aggressive defragmenting, because NTFS doesn't do its chores like a good little filesystem. Whenever I visit Edna, I try to fit in some maintenance on the laptop in order to stay ahead of such things.

    So, when I talked with her on the phone earlier, and she was complaining the system had auto-updated to Windows 10 and had lost settings and stuff, I thought: "Okay, this is more of the usual, and maybe some weirdness from the forced Win10 upgrade."

    Nope. Turned out there were 3-4 different varieties of malware on the machine, comprising 200+ files. One of these was a fake browser - a Chrome knockoff that usurped the position of default browser, and aggressively spammed popups everywhere she browsed.

    She had not, as far as she recalled, installed any of this stuff deliberately. Most of it she didn't even know was on the machine. From some of the files I found, poking around, it looked like it had been installed automatically by malware droppers.

    I ran a scan with MBAM, which, to its vast credit, actually flagged most of the rubbish. I also scanned with Hitman Pro, which maybe unsurprisingly flagged absolutely nothing. The remaining stuff I disabled with Sysinternals tools, then manually deleted the files.

    Kudos to the folks at MalwareBytes for actually keeping up with the times. Everyone else? Get your freaking act together.

    But, get this:

    This was Windows 10, 64 bit, with all the latest updates.
    UAC/MIAC was enabled across the board.
    SmartScreen was enabled.
    She was browsing with Google Chrome (the real deal), also up to date.
    Defender/MSE/whatever was running and up to date, though the malware had partly disabled it.

    So... She had Microsoft's best OS with its best access control, best reputation heuristics, an antivirus engine etc. etc. Plus Google's best browser that uses Microsoft's best access control etc. And everything was up to date. And she got hit by an effective drive-by install anyway, at least once; and at least one instance of malware acquired the admin privileges needed to tamper with MSE. Completely in spite of all the exploit mitigation and access control measures.

    I've seen similar Win7 and Win10 setups not get malware, with much more risky and aggressive use patterns. Know what the difference is? They have ad blockers. Ads don't get rendered, there's no malware exposure in the first place.

    Pathetic, isn't it?

    As part of the cleanup, I installed uBlock Origin in Chrome (the real Chrome). I would have liked to wipe and reinstall; but the laptop was upgraded from Win7. Restoring from the recovery partition, and going through the entire upgrade process again, probably would have taken a week.

    And, my conclusions:

    1. Ad companies are far too greedy.
    2. The Windows desktop platform is a bad joke.
    3. Software companies do not serve the interests of their customers.
    4. Also: water is wet, cats are cute, and cyanide compounds are highly toxic.
    5. Computing isn't doomed, its doomsday already happened.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Even if she didn't install anything herself, was she the only one who used the computer during that period? Pardon me, but I highly doubt the malware droppers installed themselves when she visited some website...
     
  3. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,237
    Agreed.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,867
    Location:
    Australia
    ... And I would have considered a fresh clean Win10 install.
     
  5. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    I could not agree more Gullible Jones! Do you see how irritating it is when this stuff gets on the machine? Imagine cleaning up that stuff for 11-16 years... although I hardly ever have to do it anymore, it is still frustrating when I do have to do it. Now you know why I am determined to end malware ;). If she needs a free VS Pro license, please let me know (support@voodooshield.com)... it would be a good test, you did say she was a novice after all ;).
     
  6. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    217
    @Gullible Jones :

    I highly doubt this story.

    Like @J_L mentions - with the setup you list, no way will anything just jump out of the browser and install itself.

    What has happened here is just another case of light social engineering. Light because this is nothing more than a user that has downloaded PUAs/PUPs and installed them, whenever the advertised words were appealing enough.

    Reset Windows 10 completely without keeping any programs or settings.
    Then activate PUA detection in Windows Defender.
    Then install a good adblocker.

    Easy and quick solution.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,054
    Sometimes this procedure is neither easy nor quick. I find image restore much easier and also quicker.
     
  8. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    217
    Restoring an image will always be faster.

    But since we hear about a user that needs to bring the PC to a shop in order to have a driver installed, then the chances of that user having a clean and working image to restore from are probably very, very, very small.

    A full reset will take an hour on new hardware and a few hours on older hardware.

    So yes, easy and quick solution that will get the users back in working condition without worries and without the user having to bring PC anywhere.
     
  9. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    Please do not take this wrong, but are you seriously suggesting that this is all that needs to be done, and her computer will never be infected again?

    If that is the case, our work is done, we can all pack up and go home!

    You said that you highly doubt this story... dude, it happens ALL OF THE TIME!!! Even when you add a good antivirus to the mix. I cannot count the number of times that a client has looked at me dead in the eyes and said "I have antivirus software, how did I get a virus?".

    And the answer is not restoring the image or reinstalling the OS... you cannot do that each time the computer is infected, it is a major pain.

    The answer is properly protecting the computer in the first place, with an effective solution.

    To me, I would think the conversation should turn to the various security software options that would work best for Edna, that would actually prevent this from ever happening again to her. Remember... it is not just her computer that is at risk. If this continues, she could end up spending several thousands of dollars and 5-7 years fixing an identity theft issue.

    I know there is a lot of great security software on the market. If Edna wanted to play it safe and add 1-2 more layers of protection, what would you recommend in addition to what you have already recommended?
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    I do IT support and unfortunately see this scenario on a regular basis. I have no doubt your friend didn't install any of the malware deliberately and didn't know what was on the machine or how it got there. The problem is most of the time users inadvertently give consent by clicking on a bogus pop-up or not opting out of PUPs, etc. Many people who are otherwise competent in their lives do not behave intelligently when using computers. They don't read the screens, can't follow directions, can't discern BS, etc; they are rendered helpless, and no matter how much security is implemented by Microsoft or anyone else it can't compensate for this.
     
  11. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    Absolutely!!! So what do we do to fix this issue?
     
  12. Bowhunter26

    Bowhunter26 Registered Member

    Joined:
    Jun 22, 2016
    Posts:
    33
    Location:
    Arkansas, USA
    +1 VoodooShield :thumb:
     
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    No one seems to have brought up the fact that all of this could have easily happened prior to the user installing Windows 10; the OP has made an assumption that this happened after Windows 10. The way the OP has worded the story does not corroborate that theory.

    Also, did you wipe the laptop when it was purchased or is it still loaded with crapware that could have caused this?
     
  14. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    217
    Please don't take this the wrong way either, but stories like the one in the opening post are more fiction than fact.

    No way did those PUPs silently bypass every bit of native security in Windows 10 and breach Chrome as well, and simply drop onto system out of the blue.

    As to your question of if I would add 1-2 layers more, then what I suggested earlier ??

    No, I wouldn't.

    The PUPs/PUAs that were on the user's system were without a doubt downloaded and installed by the user. Either directly or through bundled installers.

    Activating PUA detection would have blocked those.

    I see no value in adding bells and whistles on top of what I suggested earlier.

    Personally I utilize every bit of native security available in Windows 10 and only add an adblocker and an exploit blocker.
    The adblocker has become necessary because of the horrible state the web is in nowadays.
    The exploit blocker I only install on those of my systems where I still have a few legacy programs that can benefit from it.
     
  15. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    Dude, I see it with my own eyes... I have been living that life since 1999, and it is extremely frustrating. People who work in the industry and see this on a daily basis know the truth.

    That is why 5 years ago, at 3am in the morning, I realized that the best way out of the malware epidemic is to lock the computer when it is at risk.

    Go to Best Buy / Geek squad, or any Mom and Pop computer shop, and ask them how bad the malware situation is. They will tell you.

    The three biggest reasons (IMHO) that malware has reached epidemic proportions are that people either bury their head in the sand, they are complacent, or they do not want to be bothered with effective security software.
     
  16. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    217
    Lots of water under the bridge since back then. :)

    And on Windows 10, which this thread is about, the situation is quite different from earlier OS editions.
     
  17. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    I fully admit that the Windows 10 security mechanisms are better than ever. But just remember, this happens with every single release, then a year or two later, the malware authors have essentially full access. I remember thinking how great Windows Defender was in Windows 8... how long did that last ;).

    Have you seen this? https://www.virusbulletin.com/testing/vb100/latest-rap-quadrant/

    83% Reactive Detection
    66% Proactive Detection

    Do you ever go skydiving? In the next year or two, I hope to open a parachute startup, it would be a great business to be in. If you ever need a parachute, let me know, I will give you a discount on the ones that have a failure rate of 17-34%.
     
  18. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    217
    Are you sure that is the tangent line this thread should follow ??

    Old test charts ??

    Other tests show WD with a 99.8% detection rate.
    Then there are facts like all those tests being done without SmartScreen.
    Another fact is that the internet-facing programs used in those tests are anything except UWP apps, in order to have even a tiny attack vector left.

    As for your skydiving suggestions - I have two friends who are both certified instructors. One with 15 years experience, the other 19 years experience. Both military background.
    I think I'm covered in case I feel an urge to jump out of airplanes. :)
     
  19. Appaloosa

    Appaloosa Registered Member

    Joined:
    May 13, 2016
    Posts:
    18
    Myself I wouldn't be so worried about how it arrived but why windows security was ignoring it. I have had enough little quirks with windows default security that I just can't trust it. But I'm not going to elaborate because the insinuation of being a liar would put my blood pressure through the roof. Even partially disabled it should have been throwing a fit, even if it was just about being partially disabled.
     
  20. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    That was the latest VB RAP Quadrant. Do you ever run malware tests on your own?

    Here is what I was talking about earlier when I was basically suggesting that Windows Security's efficacy is cyclical:

    http://www.howtogeek.com/173291/goo...w-recommends-you-use-a-third-party-antivirus/
     
  21. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    217
    1 : That article is a falsum.
    It has been discussed countless times here at Wilders and everywhere else on the internet.

    The article twisted Microsoft's words into the opposite of what Microsoft actually said.

    However - ever since that false article was published online, tons of third-party security vendors have linked to it in an attempt to badmouth Windows native security and in an attempt to make themselves look smart.

    So I don't think you should use that link as proof of anything.

    If you want the proper version of the story then here are a few links for you :

    https://blogs.technet.microsoft.com/mmpc/2013/10/09/our-commitment-to-microsoft-antimalware/

    https://askleo.com/do-i-need-to-stop-using-microsoft-security-essentials/

    2 : This thread is about Windows 10 security.

    The security improvements in Windows 10 are huge when compared to every earlier Windows edition.

    Tons of regular posters here on Wilders including myself post links to official Microsoft postings about Windows 10 native security on a regular basis.

    So I don't understand why you are bringing in anything related to earlier OS editions ??

    3 : You and I got into this thread for different reasons.
    I (and several others) posted about what was plausible in opening post and what was definitely not plausible.
    You posted from a marketing point of view with suggestions about using your application.

    Since you noticed that if the user followed my advice, your application would not be needed, you responded to my post.

    20 posts or so later - here we are. :)

    Perhaps it's time that the two of us just agree that we see two different solutions for the original poster :

    You would really, really like the user to use your application.

    I think the user should simply enable a security feature already present in Windows 10.
     
  22. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    In all fairness, even Microsoft disagrees with you "In an interview with Dennis Protection Labs, Holly Stewart, the senior program manager of the Microsoft Malware Protection Center, said that Microsoft Security Essentials was just a “baseline” that’s designed to “always be on the bottom” of antivirus tests. She said Microsoft sees MSE as a first layer of protection and advises Windows users to use a third-party antivirus instead."

    I am not here to market, I am here to find bugs in VS and to discuss malware. If I wanted to do marketing, I would join Spiceworks. Less than 1% of our sales come from Wilders and giving one person one free license to VS is not going to affect VS one way or another. I am just truly tired of people getting malware, and I know from experience what it takes to stop malware.

    Users can either listen to people who have experienced the malware epidemic first hand, and take their advice. Or they can listen to someone who obviously has not been on the front line, battling this fight for 16 years... it is up to them.
     
  23. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    217
    Just because you link to the same incorrect article on two different sites, still doesn't make it true.

    As already explained - that article you link to is a falsum.
    When it was first posted, several other sites copied it and posted the same false claims.

    You have now found two copies with zero value.

    If you want the correct version, then I already supplied you with two links in my post just above yours.

    But I can repeat them if you want :

    https://blogs.technet.microsoft.com/mmpc/2013/10/09/our-commitment-to-microsoft-antimalware/

    https://askleo.com/do-i-need-to-stop-using-microsoft-security-essentials/

    Or search Wilders. They have been posted so many times.

    :)
     
  24. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    Okay, you convinced me with your two links that contained massive amounts of hard data to support your argument.

    The OP completely fabricated his story, people are simply never infected with malware anymore, and all of the hacking scandals (that were a direct result of malware) never happened... it was all make believe.

    There is no reason to lock your computer when it is at risk anymore, so we can all pack up and go home.

    The malware crisis is solved! When people ask me what security software I recommend, I will just say "Windows".
     
  25. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    I want to change the debate a little to clarify this point. It came to my attention recently that Windows Defender's PUA detection is available to Windows 10 home and small business environments if a particular registry key is added to the system. Whilst we can argue the efficacy of such detections, I wonder how many general home users know how to activate Windows Defender's PUA detection to get this additional protection. Sure, there are blogs and websites that explain how to do this, but by default there is no way of being aware that there is an opportunity to add this because it was only enabled for Microsoft Enterprise customers.

    If everything I have said is correct, I'm surprised PUA detection isn't on by default for home users in particular as PUA installations would appear to be more of a problem in home environments judging by posts we often see here on Wilders and elsewhere, such as the one at the start of this thread.
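    Martin_C's second step in post 6 (activate PUA detection in Windows Defender) and TonyW's point above that on Windows 10 Home this was only reachable through a registry value can be carried out from PowerShell. The script below is an added example by the editor, not code from any poster or from Microsoft. It assumes the policy value Microsoft documented for Windows 10 at the time, MpEnablePus under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine, and the Defender cmdlets Get-MpComputerStatus / Get-MpPreference that ship with Windows 10; it must be run from an elevated prompt.

```powershell
# Added example (not from the thread): enable Windows Defender PUA detection on a
# Windows 10 machine with no management policy, then verify Defender's health.
# Assumption: the policy value is MpEnablePus (REG_DWORD, 1 = enabled) under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine, as Microsoft
# documented for Windows 10 builds of 2015/2016. Run from an elevated PowerShell.

#Requires -RunAsAdministrator

$enginePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'

function Enable-DefenderPua {
    # The policy key is absent on a fresh Home install; create it before writing.
    if (-not (Test-Path -Path $enginePolicy)) {
        New-Item -Path $enginePolicy -Force | Out-Null
    }
    New-ItemProperty -Path $enginePolicy -Name 'MpEnablePus' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function Test-DefenderPua {
    # Returns $true only when the value exists and is exactly 1.
    $v = Get-ItemProperty -Path $enginePolicy -Name 'MpEnablePus' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.MpEnablePus -eq 1)
}

function Get-DefenderHealth {
    # The OP found Defender "partly disabled" by the malware. These four properties
    # are the quick check for that state: real-time protection switched off, or
    # signatures many days old, both mean the engine is not actually defending.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeDays   = $s.AntivirusSignatureAge
        PuaPolicyValueSet  = Test-DefenderPua
    }
}

Enable-DefenderPua
Get-DefenderHealth | Format-List
```

    On newer Windows 10 builds the same setting is also exposed through the Defender cmdlets (Get-MpPreference shows a PUAProtection property and Set-MpPreference -PUAProtection Enabled sets it); the registry value is the route that applies to the 2016-era Home builds the thread is about. A RealTimeProtection value of False or a SignatureAgeDays in the tens after running this is the "partly disabled" condition Appaloosa and the OP describe, and is worth investigating before trusting any scan result.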
     