Oli Warner About Contact Oli on Twitter Subscribe

Viral Insurance Racket

Friday, 8 December 2006 antivirus security

The fear of infection is power over users.

We’ve all seen the films. A mobster goes to see the restaurant owner and offers to sell him insurance against nasty accidents happening to him that might ruin his livelihood. If he doesn’t pay, his business gets burnt to the ground, flooded or blown up. The typical mob tactic for funding organised crime. If there’s nothing to sell, make something to sell.

This is mirrored in today’s politics. Following World War II, politicians offered beautiful images of hope and glory but when they couldn’t deliver that, we quickly found ourselves presented with a gloomy picture of death and destruction saying: “it could be a lot worse… especially if you [say we cannot reinterpret the Geneva convention/vote for the other people]”. I’m not saying there isn’t a problem; just playing on public fears to get more power is not going to solve anything.

Around the same time as terrorism from unknown threats was creeping into our everyday lives, another threat has come at us: viruses, spyware, Trojan horses, backdoors, spyware, adware, malware, pop-ups and malicious software. Year on year we are reminded from left right and centre that there are fifty billion malicious programs for each computer user in the world with thousands more coming out every day; that the viruses could destroy all our work (and families); that adware and spyware can steal our credit card numbers and bank details just before we’re all declared bankrupt; that our machines can be made slaves, filling the pockets of spammers.

I have no problem with the statement that any of those could happen. I could have a seizure, crash my car into a fuel-tanker and kill a hundred people. I could wake up tomorrow and forget how to breathe. A million worse things could happen to me but if I worried about every single threat to my existence, I would get nothing done. In fact the worrying would become the prime threat to my living. The fact is there are many better ways of addressing the problems of “what-if” than trying to build a wall around yourself, especially when that wall, however tall, is only one set of bricks thick.

How do we get malware?

Historically viruses were something that wormed their way around a computer, installing themselves in so many places, making them impossible to remove before their payload was delivered. “A payload”, I hear you ask… That’s the whole point of the virus. Almost every virus ever written has been more than a “because it can” affair. There have been ones focused on destroying as much data as possible, ones that aim to spread out across networks and infect other computers and more and more today, money is involved and there’s no cash in anarchy.

The problem with the argument at hand is in order for me to contract any one of these nasty ailments, I have to actively find and activate said nasty. Most spyware is installed by a user being too stupid to tell that “debbie_does_dallas.avi.exe” is an executable and not a video file. Other programs like that come through illegitimate download sources, such as fake sites pretending to offer the user something (be that a program, a crack or porn) when in fact they’re just pushing out something loaded with crap. Some is targeted in that a person makes something especially for one person but that’s very rare and still usually requires that someone to do the “deed” of opening it without question.

A heavy part of why people fall victim to malware is also down to the way people run Windows. It’s not neccessarily their fault, it’s how things are setup by default. When you install Windows, you are asked to make a user and that’s it. What it doesn’t tell you is that the user is running with administrative permissions which, in turn, means anything the user does and anything the programs that the user runs do can read, write and edit anything on the computer. So when a user gets hold of something bad and runs it, all the default system security in place stands for precisely nothing. I’ll come back to this later on when I make my suggestions.

The last “big” entry hole is exploits. An exploit is a method of drawing behaviour that was not designed from a targeted application. A recent example of this is in the Windows Vector Mark-up Language. Almost none of you will recognise it but it’s a tool Windows can use to draw a picture to screen from a basic text-syntax, a lot like Scalable Vector Graphics. There was a sequence of characters you could put in a VML document that would break the functionality of the VML engine so bad that any further code would be executed by the system. In short, if someone puts code to load Calculator in a VML doc after the exploit code and you opened this document, calculator would load. Loading calc is a tame example. Most commonly it orders your PC to download and install some spyware or adware to make the writer some money.

This particular exploit was only found when people started noticing things installing themselves but most potential exploitable holes are caught by programmers or security techs and the developers of the application are notified. Any application that can receive external data can be exploited. Who is to blame for exploits? The programmers are partially to blame because they left security holes in their code but some applications are too complex to catch all the bugs on the first pass.

How Does An Antiviral Application Help?

An antiviral application works by monitoring all the files that are running on your computer, all the files that are being read/written/edited and occasional all the other files in big batch scans. It compares the internal data of every file against a massive database of every known virus. The antiviral companies build these databases up from viruses they find around the world and each time your antiviral application updates it gets more of these definitions so it can protect you against more nasties.

When an antivirus detects a file matching a definition, it moves it away from the eyes of the user and the computer, commonly known as quarantine; a holding area where you can decide whether to annihilate it or try to remove the virus.

As such, an antivirus can only protect you against programs or files that you download. It cannot protect you from exploits forcing their way into your computer. I repeat: you can have 15 antiviral applications running but if you visit a site that is targeting an exploitable hole on your computer, it will execute. Just as if you’re hosting a web server or database for a large multinational. If there’s an exploit available, no antivirus can stop someone exploiting it.

Some of the newer antiviral packages offer “script” scanning to stop downloaded exploits coming in but these won’t protect your web, database server or any accessible Windows services.

Common Sense 2.0

I do not run a traditional antivirus application. As I noted on my recent round-ups on What Slows Windows Down and What Really Slows Windows Down, antiviral programs were the heftiest of the bunch. Scratch that. They obliterated the performance of the testing machine. This is because they need to monitor every file on your computer and as soon as one is read or edited, it needs to check to make sure that there’s nothing bad about to happen. It’s a noble idea, but it means you take your shiny, speedy new computer and attach ball and chain.

I use my own intuition, paired with slightly more secure software. It doesn’t limit what I do with my computer – far from it – just helps me avoid being in the situation where I need an antivirus in the first place.

Secure your browser

Firefox is the first thing. A massive amount of bad things come in through Internet Explorer. This is mainly down to how Microsoft coupled IE with the operating system, so tightly bound, that it’s a bit like looking for a hole in a sieve. Most of it stems from how a library called ActiveX will allow websites to execute code on your computer. It is only supposed to allow limited access to your computer, but it is still up to users to choose what to install or not and a lot of users will just do what the computer tells them to. Sad but true. And with running the computer as an administrator, this gives the application unlimited roaming ability.

Besides stopping support for such a dangerous entry point, Firefox is open source. This means that the code behind the program is freely accessible to anyone so when a bug is reported anyone can look to fixing it. Paired with its large user base, bugs get fixed extremely fast.

Secure Google

Even with Firefox people can still download and install bad things, thinking that they are good things. This brings me onto my second application of choice: McAfee SiteAdvisor. SiteAdvisor is a browser plug-in that sits at the bottom of the screen and tells you if the site you’re on (or the site you’re about to go to from Google) is good and clean or if they’re giving out adware, scamming you or link to sites that do that sort of thing.

They automatically scan all their files given for download plus they use user-reviews of each site to give its rating as either green orange or red. It’s so simple a child could use it.

I should state now that these sorts of things aren’t going to detect the very latest things spamming up Google. Detecting the ones that don’t want to be found by SiteAdvisor will take Common Sense.

So here I am. Protected against browser exploits by a fairly unexploitable browser and protected against accidentally downloading badness from SiteAdvisor. I could do other things to enhance my protection though, without the need for an antivirus.

Secure how things run

I could stop running my programs from the administrator account. This is probably one of the simplest things to do right now. I suggest testing this out by making a new account on your computer and giving it “user” status. From that level a virus has very little option for installing itself in the foundations of the operating system (unless it exploits its way through, giving itself administrator permissions, which can happen).

Some things “need” to be run as administrator, like games but this is no reason not for running as a user instead of administrator. You can right-click the executable (or shortcut) and use Run-As to load any application as the system administrator. It’s also quite import to make sure any of your administrator accounts have passwords on to stop any potential baddy being able to break through.

Secure your computer

Another option is to use another, more secure operating system. The way Windows works is one of the key features that makes it insecure. Linux is another piece open source software, made by thousands of voluntary contributors over many, many years. It’s based on a UNIX model of executing things which is very secure. It runs on the same premise of running your things as a user with little system control and asks you for your administrative (root) password when it needs to make system changes. Things can still be exploited but because they’re a) open source, they’re more likely to be fixed faster and b) running as a low-permission user, they cannot affect the whole system like something running as administrator could.

Secure your inbox

Email is another key entry point for viruses. I know more than enough people to count on my fingers (in binary) that have caught something after opening an email and going “I wonder what this is?” Yes, I know they’re all incompetent fools but it is very easy to do. Therefore, as much as it pains me to say this, you might benefit from an antivirus solution. However, not one that runs all the time. Several of the smaller (and free) antivirus programs can be set and used exclusively in batch mode where external applications can ask them to scan the a file. With things like this you can set your email application to send all attachments to the AV before they hit your inbox and the only time you lose CPU/RAM is when you get an attachment.

Along the same lines, you can leave a shortcut on your desktop to the AV and drag files you’ve just downloaded and aren’t sure about onto it, meaning you never have to guess but you also never have to have your computer held captive.

Stopping Exploits

Having a direct connection to the internet is one of the easiest ways to get your Windows machine exploited. By that I mean it doesn’t go through a network before it hits the internet. The BBC did a test using an unpatched honeypot (a machine available on the internet to catch people trying to break into it) and in 1 evening, 50 people had tried to get in. I’m not entirely sure what they counted in that but I was slightly surprised that the number was so low.

Scanning for exploitable computers is really easy. *AHEM* I’m not saying I have done it, but I’m also not saying I don’t know people that have. Too many negatives. All it comes down to, is scanning every computer on the internet. Luckily for those people looking for exploitable computers, the internet is organised by IP addresses, meaning you only need to select a range eg: 212.74.*.* and run from 0-255 for each “*”. When it takes less than a second per IP, it’s easy to see why so many people get hacked.

They’re scanning for services to exploit. This is very different from the user-level exploit (like the recent VML one) in that it works against servers, be those web servers, mail servers, ftp servers, VNC servers, anything. People check for what has an unfixed exploit using one of many popular “security” sites and then go out and ask the internet (via the scanning method I just mentioned) who’s running that version of that product.

Once they find a computer running something exploitable, they can run their exploit code on it and install whatever they like. They now own that computer.

The only real way to protect yourself against this completely is by not hosting a server on the internet. That’s often not an option. Bringing this back to Windows for a second, I should say that Windows hosts multiple services, that are built-in to its networking stack. You do not want to be giving access to these over the internet, but that’s the default behaviour.

There is one way to protect yourself from a lot of these things though. A router that uses NAT routing, commonly referred to as a firewall. This is, in essence, another computer which manages your connection to the internet. By default, it only allows outbound (that is from your computer(s) to the internet) connections and their replies. This stops “scanners” being able to question your computer for details or them trying to connect to a service and exploiting it. You can open holes in the firewall to allow servers to be reached, if you need them accessible.

If you need to host something, just make sure you keep on top of it. Don’t install something and think “that’s it”. You need to keep updating it on a regular basis otherwise you’ll find your servers being used against you.

Another method of allowing controlled access to servers is using a Virtual Private Network. This is another server (so, yes, it can be exploited too) which allows access to an internal network using access controls. This adds another stepping stone that hackers have to overcome before they can start exploiting services.

Conclusion

Antivirus organisations spreading fear about how the internet is turning into one huge virus need to hush up now. There will always be people who are technologically retarded

There is no reason for an antivirus to be a “standard” application that we all install. People that need it can have it but those that don’t, clearly don’t. Why do you need to be told to donate your CPU to look for malicious files that aren’t there?

What happens if you get something? Unless it’s being obvious, you probably won’t notice until it does something that is obvious… The likelihood of it doing something obvious is good, though. Most viruses end up sending as much spam or loading as many adverts as possible that they’re hard to miss.

I do run an online virus scan every month or so and still no viruses after a few years without an AV. But that’s me. I’m sure, as most people will comment on, lots of people cannot be trusted without an AV: kids, grandparents, hobbits and squirrels are all the most likely people to just accept that the nasty site is telling them that they “need to install a video codec” before the free screensavers can be downloaded. If you’re managing a computer for someone like this, regardless of there being an AV, they should definitely be set to user level. People like that can do too much damage by themselves, regardless of a virus.

If you are going to use an antivirus, make sure you know what you’re letting yourself in for. Make sure you’re using one that isn’t going to rape the performance of your computer. There’s no point in having the AV if you cannot use the PC anymore.