WinFixer, SystemDoctor: Social Engineering at its worst?

Discussion in 'other security issues & news' started by Rmus, Apr 26, 2007.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    While phishing and similar Social Engineering techniques get the most press, WinFixer should also be included as a Social Engineering problem - one of cybersecurity - as much as a malware problem.

    From Wikipedia
    http://en.wikipedia.org/wiki/WinFixer
    http://www.symantec.com/security_response/writeup.jsp?docid=2005-120121-2151-99
    Social engineering (security)
    http://en.wikipedia.org/wiki/Social_engineering_(computer_security)
    The popularizaton of this term is credited to reformed computer criminal and security consultant Kevin Mitnick.

    Links to recent blogs posted here highlight the on-going efforts to stop this sordid mess at its source, and these efforts are to be commended:

    http://msmvps.com/blogs/spywaresucks/archive/2007/04/22/857830.aspx
    However, efforts to dry up the source of such activity will never succeed, as long as there a demand - whether artificial or real. As one solution succeeds, the perpetrators will find another means of supply, and the cat-and-mouse game will continue.

    Surprisingly - or maybe not - there isn't much suggested about how we users can effectively fight the problem. One approach:

    http://www.revenews.com/wayneporter.../getting_the_fix_on_winfixer_aol_network_now/
    This still avoids the problem: why do people succumb to these things? What if you don't want to spend your time fiddling with Hosts files? What if you support advertising on web sites? Not everyone blocks ads. The real solution involves becoming informed so that you can make intelligent decisions: not all adverts are created equal.

    Compare this approach:

    Why is Cyber Security a Problem?
    http://www.us-cert.gov/cas/tips/ST04-001.html
    Social engineering-How the way we think makes us more vulnerable
    http://www.microsoft.com/uk/businesscentral/newsletters/bulletins/social-engineering.mspx
    The lure of WinFixer and related products begins with a notice that appears on your screen warning you that your computer may be infected, and you should immediately stop everything and check it out. Unless you understand how your computer works, how you do get infected, and question how this notice appeared, then you are liable to take the bait. The above Wikipedia article has some screen shots of these messages/dialog boxes.

    Early last year this type of exploit was brought to my attention. Someone phoned who had recently received computer instruction from an acquaintence of mine, who was out of town, hence, I received the call, as I participated in discussions of security strategy with her. She was worried that her computer might be in a bad state because of a message that just suddenly appeared on her screen. Now, she knew how computers got infected, and couldn't imagine what this message meant. I asked her to leave the computer as is, and I sent a friend over to check it out. Piecing everything together revealed that she had searched for some home shopping sites, and going to one redirected her to a type of site referred to in the above spywaresucks blogs.

    Sometime later, I found a similar scam involving RegClean. Here is an excerpt from a later test:

    RegClean Exploit

    This type of remote code execution is similar to a WinFixer typical infection:

    http://en.wikipedia.org/wiki/WinFixer#Typical_Infection
    Now, this person was not technically savvy. I doubt she knew what a rootkit is, or kernel mode, or hook. She watched her computer being assembled at a local shop, knew the components. She knew basically how a computer worked, learned security basics and understands the attack points which malware use, and was confident in her security set up. So, she questioned the alert: She used her brain. She was not "confused into believing [her] PC is infected with viruses, spyware and/or other forms of malware."

    http://msmvps.com/blogs/spywaresucks/archive/2007/04/25/877948.aspx
    I would suggest that the number of potential infectees is directly proportional to the number of uninformed people who don't know enough about their computer, probably have no security strategy, and therefore have no confidence in their ability to make wise decisions.

    So, how can more people become informed? Well, it's back to the same problem of How do you reach people? Everyone *you* can help is one less "potential infectee" out there.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hello,

    I am amazed how these things work.

    I have never ever ever ever once clicked on an ad - just like I have never ever been convinced to buy anything based on a TV commercial. I simply do not see ads. I'm blind to them.

    Besides, stupid ad scams only work for IE users, which almost makes it okay ... You have to suffer for the choices you make ...

    How can we help? Unfortunately, this does not work. Most people simply plainly refuse to be helped. Even when they have a serious problem, you help them only temporarily. They quickly resume the ugly habits they have learned and those cannot be unlearned.

    It really does not matter who they are or what their education is. Most people are inert. I know some quite brilliant people that when you mention words like Firefox, their eyes glaze. They simply cannot cope with this new information. Norton, Explorer, Outlook are forever engraved in their brains.

    Education can only work with new generations - properly. The existing generations will struggle, just like the radio generation did when the TV popped.

    Think about VCRs - so simple - yet most people can't handle them, even though they have been around for 30 years. And it will take at least half that much before people get to treat the Internet as a default rather than something new and revolutionary, as it was only 5-6 years ago.

    Most of the us, the geeks, don't even begin to comprehend how far and alienated the computers are from the common chum.

    Money is a good way to teach people. They need to get scammed - that way they will learn. Or licensing. An Internet license. Just like a driving license.

    Good will? Willingness to learn? Those are select few. Those people will heed the advice and actually try to change and improve.

    The only real way to make people learn is a revolution. But it won't be happening in the politically correct word of powerpoint presentations where every little bugger with a suit, a tie, a laser pointer, and 320 lines of code that install a toolbar is all of a sudden a promising startup CEO.

    If people started throwing molotovs at offices of the businesses that rip them off, there would be far less scams. But today, everyone is immune in their little glass cubicle, enjoying the vagueness of Internet laws and 20-year legislation constipations that take for each case.

    Of course, there will never be a law against these, because they generate money for people who generate ads - hand in hand they go, like a merry couple.

    Real solution: community computer-oriented solutions - Linux.

    Mrk
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Mrk -

    If everyone did that, our economy would have to be restructured. Advertisements are one way of bringing information about products to the public. I use advertising in my work, as do many people. Scams and abuse of advertising flourish because people are tricked. The two ways of fighting this are covered in my post. I choose to emphasize the way that focusses on helping people defend against the trickery and not succumb to the "laws in human logic known as cognitive biases." (what a great phrase!)

    Most = what %age of your survey? Will your sampling hold up under statistical scrutiny?

    This has not been my experience at all, and I'm sorry your experiences have led to your conclusion.

    Again, this has not been my experience. The idea that "you can't teach an old dog new tricks" may apply to dogs, but with respect to human beings, it isn't necessarily so. Excepting for senility or some other mental factor, I've found that the "older" generation is quite capable of understanding the basics of computing. My most striking example was my 83-year old stepmother, who, upon being widowed, found herself in the postion of having to take care of the computer herself.

    Older people, children, and all in-between age groups -- each requires a different approach; it's one of the challenges of teaching -- to adapt and develop different strategies.

    Granted, some people seem to be "unteachable" but I've not found that to be related to age, rather, to obstinancy.

    I would venture to say there are more than just a select few. You are correct in using the word "willingness" because you can't force someone to want to learn.

    I'm not sure what you mean by "community" but if it includes the idea of "grass-roots" then this is an effective way of reaching people. I've been a grass-roots person all of my life, computing is just one aspect of it. A good example: a friend in my group has an acquaintance back east somewhere who volunteers her Saturdays to help children in an orphanage learn computing skills. She arranged for some used computers to be donated. Another person goes weekends to a retirement center and gives computing instruction. In social groups, I've discovered in general conversations that many people are not sure of themselves with certain things in computing, but don't want to say so. Once they feel comfortable in admitting this, they become very receptive to being helped. So, community - small groups of people - is very effective in reaching people.

    This type of action will never result in permanent solutions. History has shown that you can kill people, but not ideas. Once offices are destroyed, others will just spring up someplace else. A good analogy is the drug trade, where drastic measures taken in Colombia are just forcing the activities to move to other areas.

    The real solution: reduce the demand and the supply follows suit.

    You might not get much argument here!

    Now, this is simply not correct. Any browser can redirect. I've encountered this many times in following up these things using Opera. It's true that it take IE to trigger the remote code executions, but the page itself is still in front of of the person, who then has to make a decision, as in the example I gave in my first post.

    Besides, ad scams come in email, often just a message enticing the user to reply for a free gift, or whatever. Or all of that money in Nigeria. Or that free laptop. I'm not talking about the remote-triggering in email attachments, just the simple response to a message.

    Well, you are convincing at times. But as the Emperor said to Mozart in Amadeus, "You do not persuade" -- that helping people become more intelligent and competent computer users isn't worthwhile or fruitful.

    The alternatives are not very encouraging.


    regards,

    -rich
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Hello,

    I did not say that helping people is not worthwhile or fruitful - otherwise, for instance, I would not be running my website - or would have loaded with crap ads.

    Helping is good - and making a difference, no matter how small - ever better. I appreciate your enthusiasm and optimism, but the computer world is far from the enlightened image they wish to sell us.

    It's just another projection of humanity - and unfortunately, it does not portray well. Humans are greedy and lazy things and will only do what's necessary to survive. Internet does not feature high in the survival chain, leaving most people on the fast-and-easy track.

    Many people will learn - and wish to learn. Young people are relatively easy to convince. But people in their 30s or 40s, those for those Internet was not a default when growing up - and yet they figure they are hip and cool - are the worst population. Very obstinate. I'm talking about hundreds of people of all kinds I have met at different work places.

    And it's not that they don't listen to advice. They do. They just forget it 10 minutes later. Or block out after 3 sentences. Call me naive, but I just don't get it.

    I know people who are older or old and can handle any new information with grace and wisdom. But again, they do not represent the worldwide - in the parts where a computer is not a luxury - cross of the population.

    Simply put, you have those will listen and those won't. The second kind are hopeless. They will always do what they think is the right way - be it surfing the net or pouring 'mineral' water instead of the anti-freeze coolant into the engine radiator or having 5 kids but no money to support them...

    Regarding the experience (and bitterness):
    I have successfully reformed dozens of people and made even dozens of converts to Linux. I'm very happy and feel proud of these achievements. But against them stands a titanic of ... hediots ...

    I still believe a major fault lies in the capitalistic image of the successful business that allows scam industries to thrive so blatantly.

    Think about it. Example. Someone puts ads/malware on your machine. You lost 2 years of work. You sue. The case prolongs for 7 years. In the end, the judge wiggles a finger at the naughty scammer and punishes him with 3 weeks of community service. The scammer repents, says he's sorry and reforms, and after 3 years opens another company, which now delivers the same content, only now they do it under slogans of consumerism and such. Big companies take notice of the rising little star and invite him to meetings, where they sip San Pelegrino, smoothen their ties and chuckle over charts. And all of a sudden, they are all big shots.

    Alternative, the citizen gets angry, Molotovs the offices. Goes to jail for three years. A typical Hollywood-style scenario. Poor businessman attacked by angry mob - all because he tried to get his piece of the dream.

    But it all begins with the feeling of impunity. The evildoer knows that digital crime is only a white crime. It's nothing compared to honest criminals who rob stores and houses. So he and his pals will do it again and again and again and no one will care except the victims.

    The common man will get cankered for downloading 3 dollars worth of a song. But the big shots scamming thousands of people will only get more money. At worst, they will go through a bit of a trial, an article somewhere on the net, a settlement deal worth 0.01% of what they stole, and a chance to repeat it under a different name 6 months later.

    Ads/malware/social engineering are an extension of a concept. If these people were exposed to the same kind of threat or punishment that "physical" criminals are, they would think 54 times over what they do. And they certainly would not have offices all along the sunny coat of California, driving Lexuses and whatnots.

    Solution is to hijack the user outside the circle of money grabbing. Once that happens, all of the ugly faces will simply evaporate, be they MPIA, RIAA, Sony, Gator, Shmator, or any other.

    Mrk
     
  5. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    This is a sad thead. :(
    Both of you are expressing frustration and disappointment and helping in any way you can; there seems to be a groundswell slowly gaining some momentum of awareness of the various forms of exploits around but 'we' are -still- chasing rather than leading.

    It's such a big topic it's hard to grapple with.
    Repeated expressions of despair.

    Around the world we have become conditioned to accept advertising for everything and this is a ruthless extension of same and goes into the realms of brainwashing. Most peeps fail to exercise any critical analysis of what they see and often what they do. The mainstream media manipulates us to a different but equally savage level.

    As to Winfixer I was talking to some friends at work when one of them mentioned this problem: I was amazed to find that of the group I was working with on that day that about 25% of them had either seen or clicked on the dl.!! :mad:

    I went ahead and organised some little impromptu seminars for anyone at work to come to and take them through Winfixer and the like.
    Seemed to go quite well: most people had the usual unpatched M$ and ood AV. :blink:

    I would hope that employers would offer some "Security 1.01" courses in house: may save them a lot of trouble.

    Windows will be around for a long time to come.
    Many potential users get scared of Macs or just steered away to M$ by their local retailer.
    Linux is still a bit complex for the bulk of consumers.

    Just have to hold the line as best as possible.
    Thanks for the great links above: will incorporate them into my little talks.

    Something is getting through here: latest surveys in Oceania show 25% of users on FF
     
Loading...
Thread Status:
Not open for further replies.