
Softpanorama Malware Defense Strategy

Dr. Nikolai Bezroukov.

Version 4.1 (November, 2012)

Note: This is copyrighted unpublished work. All rights reserved.

Introduction

Several problems with the current PC infrastructure make malware a serious threat:

  1. There is a substantial revenue stream for malware that makes it possible to attract and employ talent for creating this type of software. Prosecution of malware authors is spotty. Several types of malware are profitable, sometimes very profitable, as is the case with fake antivirus programs like XP Antivirus 2012, which are essentially sophisticated extortion programs. Fake data recovery scareware goes even further down this extortion path: it imitates a failure of the C drive (with all your never backed-up data ;-) and asks for money to recover it. With that money malware authors can hire, and do hire, professional programmers. And
     
  2. Google and other search providers that sell AdWords or similar search phrases can be exploited as a steady source of "hit and run" targets. Google can be used (and is used) as a major channel for spreading malware: malware authors can buy Google keywords and get their sites placed pretty high in certain searches. They can also exploit rare searches for specific products. It makes sense to mark Google as a dangerous site in Internet Explorer, but unfortunately this is not enough, as IE does not use inheritance and will open a site reached from a restricted site as a normal Internet site. Generally this part of IE looks as if it was designed by really clueless people. And in view of the importance of those controls you can even suspect foul play on the part of Microsoft. That's why using your own Web proxy is so important.
     
  3. Misallocation of capital: money spent on commercial antivirus/antimalware software, which funds antimalware vendors, would be better spent on backup software to raise the quality of those offerings, taking into account that free high-quality AV offerings exist (such as Microsoft Security Essentials, AVG, Avast! Home or Avira Antivir Personal). Cable Internet providers often also supply free products to their customers. Anyone who thinks that free offerings are inferior to commercial ones is deeply mistaken: the number of vendors in the field makes the situation similar to that of the early XX century, when anyone with a bathtub and some chemicals could mix and sell drugs, and claim fantastic cures. These “innovators” raked in profits by skillfully marketing lousy products because customers were poorly equipped to tell the difference between effective and ineffective treatments. For example, Microsoft's free antivirus is competitive with Symantec antivirus (in the sense that both are bad ;-). As a bonus it does not contain so many extra Trojan components, components that make Symantec products closer to malware ;-).
     
  4. Windows XP and Windows 7 are a mess: an almost impenetrable, badly organized forest of folders with at least two dozen types of system and executable files. There is an ability to sign executables, but it is not used in XP. In this sense the Microsoft program loader is junk. Only a company with Microsoft's money and huge talented workforce can debug this mess (wasting the talent of the people employed in the process ;-), but one step left or one step right and you have an unusable system. Rigorously patching Windows using automated installation of patches does not substantially increase your level of protection, as malware authors are always one step ahead and also use holes in applications (especially Adobe products). Still those products do help to protect you from older malware (but not always -- for example Fake Data Recovery). And that is an important property in view of the method of defense advocated below, as such software has a better chance of finding old spyware in backups than new spyware that has just infected your computer.
     
  5. The Windows registry is an even bigger mess, with opportunities to launch Trojan programs from several dozen places, including creating your own "language" with a keyboard driver that intercepts all your keystrokes. Even for a specialist it is difficult to analyze the registry to determine what was changed recently if you suspect the presence of malware on your computer.
     
  6. IE, the favorite target for malware authors, remains vulnerable to exploits despite frequent patching and new versions (the current is version 11). It is the browser with a high number of zero-day exploits simply due to its market share (which dropped dramatically in 2013, but is still close to 35%, while Firefox and Google Chrome are at 25% each). If it is used as the primary browser, it should be used at least with the "medium-high" or, better, the high security setting (which prohibits loading unsigned ActiveX controls). Alternative browsers like Firefox can be used for sites that are not rendered correctly with this setting. But despite those common-sense measures the danger of being infected with malware during browsing remains pretty high, as the convenience of browsing usually outweighs other considerations (and it is very inconvenient to browse most sites in IE with medium-high or high settings, as they typically use some scripts, which simply will not run in this case, depriving you of part of the content).
     
  7. Many Web sites, such as personal blogs, are infected with malware, and visiting them can infect your PC.
     
  8. In some cases commercial software behaves similarly to malware, transmitting a stream of data to the "mothership".

Several of the factors listed above make "disinfecting" Windows a fool's errand. Generally only a full reinstallation guarantees that you completely get rid of a complex piece of malware -- often an antivirus program deletes part of the beast and the remaining part can download the missing parts. Also, anti-virus programs that scan the hard drive for offenders are always one step behind malware authors. At the same time, non-scanning approaches to malware defense remain under the radar, as antivirus companies now represent a powerful lobby that is hostile to the spread of any technology that can undermine their revenue stream. Symantec's suit against Microsoft is a pretty typical reaction to such threats:

"Symantec, like a lot of security vendors, is afraid that if Microsoft catches up on security they'll win the market by default," said Plato. "I think it shows, once again, that Symantec doesn't have technology that stands on its own merits and they have to sue their way to profitability."

Anti-virus companies also often use questionable tactics to win customers (Forbes, Jan 11, 2012):

Security firms often warn users about “scareware”: malicious software that performs fake antivirus scans and then demands the user pay for a cleanup. Now a lawsuit claims that the world’s top antivirus firm, Symantec, is itself a scareware scammer.

James Gross, a resident of Washington State, filed what he intends to be a class action lawsuit against Symantec in a Northern District California court Tuesday. Gross claims that Symantec defrauds consumers by running fake scans on their machines, with results designed to bully users into upgrading to a paid version of the company’s software.

Among alternative approaches are:

  1. Microsoft SteadyState technology (it existed in XP and was dropped in Windows 7, although it can be emulated with native capabilities of Windows 7)
  2. Disposable image based defense. It exists in two major flavors

Let's discuss them one by one.

Microsoft SteadyState technology

In the past Microsoft partially tried to address the problem by creating the so-called "Microsoft Shared Computer Toolkit", which was later renamed Windows SteadyState. It provides a high level of security for public computers and can (and should) be used with home PCs, especially multiuser PCs. Microsoft discontinued SteadyState in 2010. As of December 2010, SteadyState is no longer available for download. Support for Windows SteadyState was available until June 30, 2011 through the Microsoft Support website. There is no upgrade to Windows Vista (see Microsoft decision puts public libraries at risk by Yardena Arar, April 2010). Although SteadyState is discontinued, it is still possible to prepare a shared computer using Windows 7 native features and support tools. Microsoft has published the guidance Creating a Steady State by Using Microsoft Technologies for implementing Steady State in Windows 7.

People who manage public computers face daunting security and anti-malware threats. Microsoft acknowledged this fact when it introduced Windows SteadyState, an add-on for Windows XP and, later, Vista.

SteadyState essentially resets a computer whenever a user signs off, thus protecting his or her identity and data. It lets administrators restrict how users can interact with the computer — administrators can, for example, block access to programs, Web sites, the Control Panel, and disk drives.

SteadyState can also set time limits on user sessions and import user accounts (so that once you’ve set up an account on one PC, you don’t have to start from scratch on the others you manage). And when a user logs off, a feature called Windows Disk Protection erases all changes, ensuring a consistent user interface.

However, not only is SteadyState incompatible with Win7, Microsoft says it has no plans to introduce a Windows 7-compatible version. That’s leaving some IT managers scrambling for replacement technology and others vowing not to upgrade to Windows 7 at all.

.... SteadyState is descended from the Public Access Computer security software developed in the early 2000s by the Bill and Melinda Gates Foundation. It was part of the foundation’s ongoing drive to put computers into schools and libraries. In 2005, Microsoft picked up the torch with the release of the Shared Computer Toolkit and then followed with SteadyState in 2007 for Windows XP.

As Microsoft’s statement on SteadyState suggests, there are other tools available for managing shared computers. At least one forum poster said he was able to install SteadyState on Win7 systems by using the new operating system’s Vista or XP compatibility mode. But at this time, it’s not known whether all features — particularly Windows Disk Protection — will work.

Third-party solutions, such as Faronics’ Deep Freeze, don’t appeal to cash-strapped educational institutions, which are already spending considerable money upgrading to Windows 7. Faronics does offer libraries and non-profits discounted volume licensing rates that lower the $45 price to about $30 for each PC.

...

IT consultant Michael Jurayj of Saint Paul, Minn.-based House Calls Technologies thinks he can re-create some of SteadyState’s features in Win7, but he’s not happy about it. Jurayj wrote in an e-mail:

“I can probably lock it down through the Group Policy editor and the Registry, but it will be more labor intensive and therefore more expensive [for customers]. Unfortunately, it will not be as elegant and because of the expense will be less likely to be used.”

As a result, Jurayj said, he’s thinking of offering his customers the option of rolling their machines back to Windows Vista so they can use SteadyState.

But there is a simpler way to get 90% of the protection provided by SteadyState and similar tools with none of the inconveniences that are a natural part of such tools (first of all, the difficulty of changing the configuration).

Disposable VM images

Disposable VM images are another approach. It can be used in Windows 7 Professional, which allows creating a Windows XP compatibility VM. VMware can also be used for this purpose.

Ghost-style bootable drive image based defense

You can eliminate arbitrarily complex infections by restoring a "clean" state from a backup image. Please note that a full disk backup to an image does not differ much in run time from a full AV scan of the hard drive. In both cases almost the full content of the drive is read. But despite the similar run time, the backup gives you the opportunity to restore this state of Windows anytime you want. As such it is the better option. Please understand that the only difference between a backup and an AV scan of the hard drive is that the AV program does not send the data it reads to another drive and skips some files. Otherwise the number of bytes read from the hard drive and the total time required are comparable.


The stupidity of the idea of the "best AV scanner"

Typically, an additional hidden agenda behind the frantic Internet search by a user with an infected PC for a cure for a particular malware infection is the very popular idea that it is possible to find "the best anti-malware scanner". See for example Top Spyware Scanners.

In reality the idea of a perfect cure for malware is very similar to the search for the Philosopher's stone, the mysterious substance that can turn lead into gold. This is actually a pretty apt analogy, as an infected computer is as close to a brick of lead as one can get. The problem of converting lead to gold remains intractable.

Malware is a generic term that encompasses a tremendous variety of products, and each approach to combating it faces limitations on certain types of malware. Also, the geographical distribution of various strains of malware is not uniform; in other words, malware is local to a particular geographical area. Only a tiny percentage becomes global. So while there definitely can be a best AV for a particular type of malware in a given period of time (until all the others get the sample and catch up), there is no, and cannot be, "generic" best AV. The scanning approach is by definition a solution mired in the past, as there is always a lag between the signature database and the state of things "in the wild". Also, signature databases are universal while malware distribution has distinct regional features (see also Overview of VB’97). All those claims are just PR designed for really stupid users.

For example, a plain-vanilla signature-based scanner will fail on rootkit-based malware. It will also fail if the malware is too new and was not included in the installed version of its signature database (the lag is typically at least a week since detection, sometimes more, even for the most money-rich AV vendors such as Microsoft, McAfee and Symantec, who can afford farms of lab computers specifically for infections and automatic signature creation tools). For all this period it will happily report "no infections found".

Also, some types of malware install additional drivers or components on the computer which can provide for the recovery of deleted components on the next reboot. If such a component is missed, the malware scanner can successfully delete the malware processes and some files that constitute the Trojan, but this disinfected state will last only until the next reboot.

Some malware uses random names to make it more difficult to find and delete the registry entries that launch it after it started. This list can go on and on. Malware authors have now started to dust off the bag of tricks invented by DOS virus writers.

Only changes in Windows architecture can provide lasting malware defense effects, and the last thing Microsoft wants is a break in compatibility. In this sense the most secure version of Windows is Windows 8 that runs on tablets with non-Intel CPUs. Moreover, a frantic search for an anti-malware program that can remove a particular infection subjects PC users to additional dangers. Not all anti-malware vendors play fair. The recent proliferation of fake antivirus products is one example of the trend. In January 2006, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product. On December 4, 2006, the Washington attorney general announced that Secure Computer had paid $1 million to settle with the state. That means that they have that amount of money. See also People of the State of New York v. Direct Revenue, LLC.

The truth is that there is no perfect antispyware/antivirus program and there cannot be such a thing. This is a variant of the classic "shell vs. armor" story. Malware authors quickly adapt to the capabilities of existing tools when writing new versions or a new generation of malware based on more deeply analyzed vulnerabilities of Windows and the most popular applications. Now states have joined the game, and part of the "state-sponsored" malware has got into the wild.

But even without helpful state-sponsored malware, malware authors have access to funds, as a substantial part of malware is now about money (via direct or indirect extortion). And due to the typical return on investment they do have the motivation to achieve their goals. To get an idea of the technical complexity of spyware, please read the description of Conficker (see Conficker-analysis). All this suggests that scanner-based protection is far from being the best way to protect a PC from spyware. It is valuable as a generic detection tool, as sooner or later popular spyware will get into the signature database. But that can take a month or more if you are unlucky. Enterprise users can submit samples and get a modified signature database in a day or so, but that service costs money.

My claim is that a better (or equal ;-) level of protection is achievable using image-based restores of the C-drive. That means that it is preferable to limit yourself to a free antivirus/antispyware program, like the offerings from Microsoft (Microsoft Security Essentials), AVG Free, Avast! Home or Avira Antivir Personal, and invest money into creating a fast backup infrastructure for system partition images.

An image-based restore of the C-drive takes less than a couple of hours and, unlike AV-based disinfection, is a 100% reliable disinfection method.

The key value of AV/antispyware scanners is not immediate disinfection, but alerting you to the problem "after the fact" in case you missed it. All those tools are usually one step behind spyware writers. This is a generic weakness of AV/antispyware scanners and nothing can be done about it. They are always fighting the last war.

So buying some commercial AV/antispyware program, for example Norton Antivirus 2010 from Symantec for $20 (which is actually $60 if you have three computers at home; see NORTON ANTIVIRUS 2010 1U/3PC), is not a wise move. While it might be better on some spyware, it is definitely worse than Microsoft's Security Essentials in some areas. Historically the Norton Antivirus home edition used to cause so many problems on Windows that it could be classified as a Trojan horse in its own right, no less dangerous than most adware ;-).

Generally, the fewer AV/antispyware programs are running on your PC, the more stably it works. So the free one from Microsoft is more than enough. At least Microsoft's software is less likely to interfere with the stability of the OS. The less known and smaller the AV company is, the less money it has for testing and the higher the danger of side effects on your OS configuration. There is no free lunch -- yes, smaller companies are more nimble and often provide better quality of disinfection. But they can crash the OS or interfere with some applications.

Softpanorama Strategy: Up-to-date image of the C-drive as an effective antispyware tool

Money spent on commercial AV would be better spent on creating a fast image-based backup subsystem and on 1 or 2 TB USB drives. This amount of space permits creating images on a weekly basis (or even daily if you move your data folder to another partition) and keeping them for several months. In this case you can restore your computer in case of trouble in approximately three to four hours instead of three to four days, and you can resume your work in an hour or so, saving countless hours on the phone with the vendor or researching the subject on the Internet (which can actually lead to additional infections ;-).

A SATA or iSATA connection to the backup drive permits backing up or restoring 30 GB of data on the C partition (which is the typical size of data on the C partition in Windows XP) in approximately 15 min. USB 2.0 takes approximately twice as long, but you can still fully restore a 30 GB image in less than an hour. USB 3.0 is close to iSATA.

An additional step in this pretty simple but very effective anti-spyware strategy involves splitting your hard drive into two partitions and storing some of your user folders (Documents and Settings in Windows XP) and private data on the second partition, which you should back up daily using Acronis image or a similar Ghost-based backup tool. For those who store a lot of media on this drive, this makes creating the image of the system partition quicker, as it has a smaller size. For those who do not store much data on the C: partition this step can be omitted. But those are tactical issues. The key strategic idea here is using image-based fast restore instead of an AV/antispyware program. That presupposes rigid discipline in making backups, so it is also beneficial for all other problems and computer crashes not connected with spyware. So the strategy has positive side effects, allowing you to protect your vital data better (actually much better than usual).
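An added example (not from the original page) of the bookkeeping this strategy needs: a manifest that records a SHA-256 hash for each C-drive image, picks the newest intact image taken before a suspected infection, and prunes the oldest images to fit the backup partition. The manifest layout, the function names and the sample files are assumptions made for illustration; the imaging itself is left to Acronis or a similar tool.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta


def sha256_file(path, chunk=1 << 20):
    """Hash an image file in chunks so multi-gigabyte images never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_image(manifest, path, taken_at):
    """Add one image to the manifest right after the imaging tool finishes."""
    manifest.append({
        "path": path,
        "taken_at": taken_at.isoformat(),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
    })
    manifest.sort(key=lambda e: datetime.fromisoformat(e["taken_at"]))
    return manifest


def is_intact(entry):
    """True if the file still exists and matches the hash recorded at backup time."""
    return (os.path.isfile(entry["path"])
            and os.path.getsize(entry["path"]) == entry["size"]
            and sha256_file(entry["path"]) == entry["sha256"])


def pick_restore_image(manifest, suspected_infection):
    """Return the newest intact image taken strictly before the suspected infection.

    Images taken at or after that time may already contain the malware, and
    images that fail verification were damaged or altered on the backup drive.
    """
    for entry in reversed(manifest):  # newest first
        taken = datetime.fromisoformat(entry["taken_at"])
        if taken < suspected_infection and is_intact(entry):
            return entry
    return None


def prune(manifest, capacity_bytes, keep_min=2):
    """Drop the oldest images until the set fits the backup partition.

    Returns (kept, dropped). Never goes below keep_min images, so there is
    always more than one restore point to fall back on.
    """
    kept, dropped = list(manifest), []
    while len(kept) > keep_min and sum(e["size"] for e in kept) > capacity_bytes:
        dropped.append(kept.pop(0))
    return kept, dropped


def demo():
    """Constructed data: three tiny stand-in 'images' taken one week apart."""
    folder = tempfile.mkdtemp()
    t0 = datetime(2012, 11, 4, 2, 0)
    manifest = []
    for week in range(3):
        path = os.path.join(folder, f"c-drive-week{week}.img")
        with open(path, "wb") as f:
            f.write(f"constructed image {week}".encode() * 1000)
        record_image(manifest, path, t0 + timedelta(weeks=week))
    # Simulate damage to the week-1 image on the backup drive.
    with open(manifest[1]["path"], "r+b") as f:
        f.write(b"X")
    # Infection suspected three days after the week-1 image was taken:
    # week 2 is too new, week 1 fails verification, so week 0 is chosen.
    choice = pick_restore_image(manifest, t0 + timedelta(weeks=1, days=3))
    return os.path.basename(choice["path"])


if __name__ == "__main__":
    print(demo())
```

Keeping several months of weekly images matters here because the newest image is not always the right one to restore: it may postdate the infection or fail verification.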

While many simpler variants are possible, in the variant described below we will assume that one of the following devices is used as backup storage:

To make recovery faster and less labor-consuming, this backup drive can be split into two partitions: a small one for booting the OS (~ 60GB) and a second one for backup images. Two drives can also be used. The idea is to be able to boot the OS with all its components from the partition on the second drive. Summarizing, we need to have:

  1. The small (60-120G) partition (or drive). It will be used for restoring the image that you have, so that the disk can be booted into Windows and you can continue work almost immediately, without frantic efforts to restore the internal C-drive (efforts that can often lead to important data being destroyed, multiplying the damage from the infection). Using a second drive is especially convenient for laptop users. In this case you can buy a drive identical to or slightly bigger than the one in your laptop. If your hard drive crashes you can replace it with the backup drive without waiting for delivery of a new drive. Crashes happen more often on laptops because they are usually abused much more than desktops.
  2. The second, large partition (or the second drive). It will be used exclusively for storing images of the C-partition and regular backups of user data. It should be large (at least 1 TB, or better 2 TB).


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.


Last modified: May 08, 2017