New IM Worm Installs Own Web Browser
Posted by CmdrTaco on Sun May 21, 2006 10:21 AM
from the safety-first-everyone dept.
Aquafinality writes "A new IM worm discovered recently takes the novel step of installing its own web browser onto the victim's PC. Ironically titled "The Safety Browser", its default settings actually make your PC less secure - switching on pop-ups, changing your home page and hijacking your desktop with a looped music track that plays every time you switch your computer on.
It's clear people cannot resist clicking "yes" to anything they're presented with via IM - with this in mind, what on Earth can we do to stop the spread of garbage like the above? To put it another way, will reducing the amount of potential "suckers" out there dissuade the bad guys from coming up with ever-more elaborate ideas such as this latest scam? Or is IM safety a lost cause?"
IM safety? (Score:5, Interesting)
It's very hard to stop people executing something that's sent to them by someone they know - but for other vector methods, perhaps people should consider an IM client that doesn't [securityfocus.com] include [cert.org] activeX [computerworld.co.nz]
Anyway, mildly interesting, the worm makes no attempt to hide itself with a "You are beaten, it is useless to resist" desktop wallpaper (!) and music on startup (from TFA): Worse still, music starts to blare out of your PC. Not just any old music - bad music. Bad looped music, with screeching guitars and awful drum n' bass beats.
But not to worry XP SP2 users, you're protected.... again from TFA: snigger....
Unfortunately that does nothing for the clueless (Score:5, Insightful)
Admin passwords are useful for knowledgeable users because if you do something that shouldn't require admin, but asks for it, you can step back and think why it's asking, and approve or deny it based on more information. However clueless users won't do that, they won't know what should and shouldn't need it, so they'll just blanketly issue the admin password.
I've already witnessed this on other platforms (MacOS) that ask for admin. I was chatting with a guy while he was tinkering with his Mac, it popped up and asked for admin and he said "Huh, that shouldn't need admin"... as he was typing in his admin password (3 letters long). He even recognised that this might be a situation where it wasn't needed (it was actually, nothing harmful) but just gave it the password anyhow.
So while I think the privilege escalation in Vista is a nice try, and certainly something I'll use personally, I think it will ultimately make no difference for normal users. They'll just make it go away whenever it pops up, and they'll do that by giving it the password it wants.
Re:IM safety? (Score:5, Insightful)
I'm no Micro$oft fanboi, but don't blame Bill the Gates for this. Blame lazy developers who can't be bothered to Do It Right. They run their bleeding edge machines as Admin and never test to see if their bloatware will run any other way. Not only that, they write programs that need every bit of RAM, every CPU cycle and every possible bit of graphics they have so that when they're finished, you have a program that can only be run on a maxed-out machine as Admin. Last, they look down their noses at you if you complain because you're "too cheap" to buy the hardware needed for their precious program. They don't understand that saying, "It works on my machine!" doesn't cut it if the average user can't afford to match their hardware or wants to keep their computer safe by not running as Admin.
My advice is, just say NO to programs requiring Admin and never, under any circumstances, upgrade your hardware just to play the newest game. I'm not a Libertarian, but if enough people follow my advice, the market will, indeed, take care of it.
Again, is it IM's fault? (Score:3, Insightful)
Once again, fingers pointed at some conduit when the true culprit still seems to be Microsoft's OS. If I were to click the link in gaim, on a linux machine (assume for the sake of argument, this browser is platform independent and would work on a linux box)?
Probably not, because the typical default access for a linux user is unprivileged (I've been working intensively in the linux environment, and I'll bet I've not been logged in as a privileged user (i.e., root) more than two or three times a year during that span). But, an extremely significant percentage (I'll bet it's over 80%) of Windows users continue to be logged in with administrative privileges -- most without knowing and understanding what that even means.
Until there's a more consistent and pervasive culture (come on Microsoft, help out with this... how about a PSA campaign? you can afford it) where users have non-administrative logins, there's little to be done. I still see people on older machines where they haven't even bothered to configure users for their older Windows machines... and don't have the slightest concept of partitioned separate logins for distinct different users.
This isn't entirely IM's fault.
(In the meantime, if you're a serious PC user and you want some peace of mind, spring for the extra $500 for your own machine and make it yours and yours only. It's how I've set up friends who use their computers for business/profession who've nearly given up on PC technology what with (shared home) machines popping porn, running slowly, and going Toes Up on them. Sigh.)
Re:Again, is it IM's fault? (Score:5, Interesting)
Probably not, because the typical default access for a linux user is unprivileged (I've been working intensively in the linux environment, and I'll bet I've not been logged in as a privileged user (i.e., root) more than two or three times a year during that span).
I'm not sure how long user privilege separation is going to continue to be the great protection it is now, once the majority of desktop users have it. Consider a single user desktop with privilege separation (linux, vista (supposedly) or os x):
1) Malware downloaded & executed by dumb user.
2) Malware sets itself to start at that user's privileges when the user logs in.
3) Malware can do many things at malware level at least when user is logged in (including periodically checking its update server for local privilege escalation exploits it can run).
We're about to enter an age of smarter malware, that takes its time getting root, and keeps a low profile (maybe a little keylogging here or there) until it does... you read it here first
Re:Again, is it IM's fault? (Score:4, Insightful)
4) Malware can install a keylogger so that when the user legitimately needs super-user access, the malware steals the password
5) Prompt user for Admin password directly (or in the case of Ubuntu for example, the user's own password to run sudo)
6) Even if the malware can't create its own password prompt, but must use a system default prompt:
"Warning! A program is attempting to gain Administrator level access. This should only be necessary to install programs or perform other maintenance. Click Cancel otherwise."
1 - Malware prompts user for password with message above
2 - Naive user reads message, clicks cancel
3 - Malware prompts user again for password
4 - Ad nauseam
5 - User gives up and enters password
Privilege separation can be useful for preventing automated system takeovers, but where a user is involved (and that user can get super-user access) it becomes moot.
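The two comments above describe the same chain from the defender's side: step 2 (malware registers itself to start with the user's privileges) is the one thing the attacker cannot avoid leaving on disk while waiting for a prompt, a keylogged password or a local exploit. The script below is an added example, not code from the thread or from any product, that triages a list of per-user autostart entries for that footprint. The writable-directory prefixes, the list of system binary names, the severity scheme and the five sample entries are all constructed assumptions; on a real machine you would feed in what you read out of HKCU\...\Run, the Startup folder, ~/.config/autostart or ~/Library/LaunchAgents.

```python
"""
Triage of per-user autostart entries for low-privilege persistence.
Added example, not code from the thread or from any product.  The directory
lists, system-name list, severity scheme and sample entries are assumptions
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AutostartEntry:
    source: str    # where the entry lives (registry value, .desktop file, plist)
    command: str   # the command line as stored there
    platform: str  # "windows" or "posix"


# Prefixes an unprivileged user can write to without any elevation prompt
# (assumption; tune for the image you are checking).
USER_WRITABLE = {
    "windows": ("c:\\users\\", "c:\\programdata\\"),
    "posix": ("/home/", "/Users/", "/tmp/", "/var/tmp/"),
}
# Where the genuine copies of well-known system binaries live.
SYSTEM_DIRS = {
    "windows": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "posix": ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/"),
}
# Names malware borrows so it blends into a process list.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe",
                "winlogon.exe", "kworker", "systemd", "sshd"}


def executable_path(command: str) -> str:
    """First token of a stored command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def _norm(path: str, platform: str) -> str:
    # Windows paths are case-insensitive and accept either separator.
    return path.replace("/", "\\").lower() if platform == "windows" else path


def assess(entry: AutostartEntry):
    """Return (severity, reasons) or None if nothing about the entry looks off."""
    exe = executable_path(entry.command)
    if not exe:
        return None
    sep = "\\" if entry.platform == "windows" else "/"
    norm = _norm(exe, entry.platform)
    parts = [p for p in norm.split(sep) if p]
    reasons = []
    if norm.startswith(USER_WRITABLE[entry.platform]):
        reasons.append("target in user-writable directory")
    if parts and parts[-1] in SYSTEM_NAMES and not norm.startswith(SYSTEM_DIRS[entry.platform]):
        reasons.append("system binary name outside system directory")
    if any(p.startswith(".") for p in parts[:-1]):
        reasons.append("hidden dot-directory in path")
    if not reasons:
        return None
    if "system binary name outside system directory" in reasons:
        severity = "high"
    elif len(reasons) > 1:
        severity = "medium"
    else:
        severity = "low"
    return severity, reasons


def triage(entries):
    """[(source, exe, severity, reasons)] for every entry assess() flags."""
    out = []
    for e in entries:
        verdict = assess(e)
        if verdict:
            out.append((e.source, executable_path(e.command), verdict[0], verdict[1]))
    return out


# Constructed sample, not taken from any real machine.
SAMPLE_ENTRIES = [
    AutostartEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                   r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
                   "windows"),
    AutostartEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SafetyBrowser",
                   r'"C:\Users\alice\AppData\Roaming\sb\svchost.exe" -q', "windows"),
    AutostartEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
                   r"C:\Windows\System32\SecurityHealthSystray.exe", "windows"),
    AutostartEntry("~/.config/autostart/update.desktop",
                   "/home/alice/.cache/.x/update --daemon", "posix"),
    AutostartEntry("/etc/xdg/autostart/gnome-keyring.desktop",
                   "/usr/bin/gnome-keyring-daemon --start", "posix"),
]

if __name__ == "__main__":
    for source, exe, severity, reasons in triage(SAMPLE_ENTRIES):
        print(f"[{severity}] {source}\n    {exe}\n    {'; '.join(reasons)}")
```

The first sample entry is the caveat: a per-user install of a legitimate program lives in exactly the same user-writable place as the malware and gets a "low" hit. A user-writable autostart target is a triage input, not a verdict; what distinguishes the second and fourth entries is the borrowed system name and the hidden dot-directories, which are the sort of thing a hash or signer check, not a path check, settles in the end.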
Re:Again, is it IM's fault? (Score:5, Interesting)
I think using virtual machines as sandboxes could go a long way towards improving security also. Imagine a distro with a super-locked-down secure OS that only ever runs a single app, which is a virtual machine app (VMWare, Xen, whatever). The user does everything inside this virtual machine's guest OS, and never installs or runs any other software on the host OS.
With that setup, it would be easy to "checkpoint" the state of the system and restore it whenever things have gone wrong (due to malware, user mistakes, whatever). (A clever diff-based mechanism might be able to make OS-state saves/restores fast enough to be done automatically in the background, say once a day). Even if the guest OS was completely compromised by malware, it would still be impossible for the malware to prevent the user from using the (uncorrupted) host OS to "rewind" the computer back to before the infection occurred. The host OS could also keep an audit trail of what happened when inside the guest OS, to help the user find out where things went wrong.
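The checkpoint-and-rewind design in the comment above rests on two properties: the store that history lives in is out of the guest's reach, and the diff between two checkpoints is itself the audit trail. The script below is an added example, not code from the thread or from any VM product, showing the "clever diff-based mechanism" in miniature on a directory tree rather than a whole VM image. Content-addressed blobs mean an unchanged file costs nothing on the second snapshot, the diff lists what appeared, changed and vanished, and rewind restores the tree byte for byte. The tree layout, the store location and the simulated infection are constructed for the demo; ownership, timestamps and empty directories are deliberately ignored.

```python
"""
Checkpoint, diff and rewind for a directory tree, content-addressed.
Added example, not from the thread: a toy of the diff-based checkpoint the
comment imagines, on a guest's file tree instead of a whole VM.  The blob
store and manifests live outside the protected tree (a sibling directory
here; the host's disk in the comment's design), so a compromise of the tree
cannot rewrite its own history.  Files only, for brevity.
"""
import hashlib
import json
import os
import shutil
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(tree):
    """Yield (relative_path, absolute_path) for every regular file under tree."""
    for root, _dirs, files in os.walk(tree):
        for name in files:
            full = os.path.join(root, name)
            yield os.path.relpath(full, tree).replace(os.sep, "/"), full


class Checkpoints:
    def __init__(self, store_dir):
        self.blobs = os.path.join(store_dir, "blobs")
        self.manifests = os.path.join(store_dir, "manifests")
        os.makedirs(self.blobs, exist_ok=True)
        os.makedirs(self.manifests, exist_ok=True)

    def snapshot(self, tree, label):
        """Record {relpath: sha256}; copy only blobs not already stored (dedup)."""
        manifest = {}
        for rel, full in _walk(tree):
            digest = _sha256(full)
            blob = os.path.join(self.blobs, digest)
            if not os.path.exists(blob):
                shutil.copy2(full, blob)
            manifest[rel] = digest
        with open(os.path.join(self.manifests, label + ".json"), "w") as f:
            json.dump(manifest, f, indent=2, sort_keys=True)
        return manifest

    def load(self, label):
        with open(os.path.join(self.manifests, label + ".json")) as f:
            return json.load(f)

    @staticmethod
    def diff(old, new):
        """Audit trail between two manifests: what appeared, changed, vanished."""
        return {
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
        }

    def rewind(self, tree, label):
        """Make tree match the labelled manifest: drop intruders, restore originals."""
        target = self.load(label)
        for rel, full in list(_walk(tree)):
            if rel not in target:
                os.remove(full)
        for rel, digest in target.items():
            full = os.path.join(tree, *rel.split("/"))
            if not os.path.exists(full) or _sha256(full) != digest:
                os.makedirs(os.path.dirname(full), exist_ok=True)
                shutil.copy2(os.path.join(self.blobs, digest), full)
        return target


def demo():
    """Clean snapshot -> simulated infection -> diff -> rewind; returns what happened."""
    with tempfile.TemporaryDirectory() as root:
        tree = os.path.join(root, "guest")
        # Constructed guest contents, not from any real system.
        files = {"etc/hosts": b"127.0.0.1 localhost\n",
                 "docs/notes.txt": b"quarterly numbers\n",
                 "bin/browser": b"#!/bin/sh\necho firefox\n"}
        for rel, data in files.items():
            full = os.path.join(tree, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        cp = Checkpoints(os.path.join(root, "host-store"))
        clean = cp.snapshot(tree, "clean")

        # Constructed "infection": hosts hijacked, a dropper added, a file destroyed.
        with open(os.path.join(tree, "etc", "hosts"), "ab") as f:
            f.write(b"0.0.0.0 update.example.com\n")
        os.makedirs(os.path.join(tree, "safety_browser"))
        with open(os.path.join(tree, "safety_browser", "sb.exe"), "wb") as f:
            f.write(b"MZ...\n")
        os.remove(os.path.join(tree, "docs", "notes.txt"))
        infected = cp.snapshot(tree, "infected")

        trail = Checkpoints.diff(clean, infected)
        cp.rewind(tree, "clean")
        restored = {rel: _sha256(full) for rel, full in _walk(tree)} == clean
        return {"diff": trail, "restored": restored}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the "infected" snapshot is taken before the rewind, so the dropper's bytes are preserved in the store as evidence even though they are gone from the tree. The part a real implementation has to get right is the one the comment points at: the store must be reachable from the host and not from the guest, or the malware simply snapshots over history.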
Re:Again, is it IM's fault? (Score:4, Insightful)
I'm not sure how well it would work for games, but other than that, it's simple: given that a VM causes a 5-10% slowdown, just buy a computer that is 5-10% faster.
Re:Again, is it IM's fault? (Score:3, Insightful)
The key problem here is that a program is able to impersonate a user in such a way that other humans can't tell the difference. People are very reliant on trust cues to guide their decision making and computers r
Re:Again, is it IM's fault? (Score:4, Insightful)
Disclaimer: My experience is with VAX and Unix boxes in the eighties, my first Linux kernel was 0.9something but I have used Windows only since 98SE. I never really got to "learn" windows and am much less clear on the internals. On the "how is this supposed to work".
With more than two decades of serious computing behind me, I still do not understand what "Administrative privileges" really means in Windows. Or what it is good for. In U*X everything is a file and thus those magical "privileges" simply boil down to what you can do with a file (including files in /dev, /proc, directories in general, etc). There's a layer of abstraction where I understand that access to this 644 means that I can only read it, but the owner can write to it as well. That's easy.
In windows, it has never been terribly clear to me -- there appears to be some nod in the direction of file permissions, but all I've ever seen of them is that sometimes I have trouble messing with something the wife has been working on -- that kind of thing. Sometimes there's no problem. Sometimes logging in as admin solves some problem that I have but I hesitate to do so since I never really know what Windows does behind the scenes that might become a problem if I were to be logged in as Admin.
In the end, the preferred way to do something that I can't do as user is to fire up cygwin and do it from the linux prompt.
And ours is the rare enlightened case where someone took the trouble of setting up user accounts at install time. It was certainly not in the least obvious when and where to set up this kind of thing. I cannot fathom why I would've bothered with it if I hadn't had a Linux background. It's not like XP pops up a screen during install explaining what an Admin is and how he is distinguished from a normal user.
I still see people on older machines where they haven't even bothered to configure users for their older Windows machines... and don't have the slightest concept of partitioned separate logins for distinct different users.
Of course not - why would they? This is my computer, I'm the only one using it, if the kid gets old enough to want to diddle with it I'll buy him his own computer. Why would I be setting up different "users"? It doesn't make sense in the Windows model.
U*X (and VMS and ...) was developed in a networked multi-user context of universities and research labs. Windows was developed to make one computer do one thing for one user. "Multi-user" is an afterthought. Network security is an afterthought. The entire computer-as-an-appliance model of how a computer should behave in Windows just doesn't lend itself to the notion of a "privileged account". You don't have a privileged account in your toaster or your microwave, do you?
Now it gets hairy: If I grant for a moment that there's no such thing as absolute computer security, then all these unsecured windows boxes out there are just the low-hanging fruit. Viruses and worms are only as smart as they need to be to pick those. This is fine with me as it means I merely have to have my fruit hanging higher than everybody else's. My house doesn't have to be absolutely burglar-proof -- just harder to break into than my neighbors. I'll never be perfectly termite-safe, but as long as I'm more termite-safe than my neighbors, they will attract all the termites. You get the picture.
If geeks succeed in training the masses in making their machines "more secure" it only means that the malwa
Re:Again, is it IM's fault? (Score:3, Insightful)
An OS is only as secure as the person using it. To think anything else is ridiculous. And that applies to every OS.
And I'll get modded down for what I am about to say, but people blame MS for everything, saying they can't do things right, that it should be open source, security through transparency and whatever. But right now, no open source distribution out there is secure if used by
Re:Again, is it IM's fault? (Score:3, Insightful)
escalate their privilege, you can't trust anything on your machine after a user account has been compromised.
I've never had a machine compromised (that I know of), but if I did, I'd reinstall the box, just to be sure.
safety (Score:5, Insightful)
As for removing the incentive for people to do this I think it will be hard; there will always be a few "suckers" and even 1 in a million can be profitable; so it'll be hard to stop it.
Re:Yes (Score:3, Insightful)
Hogwash.
A few years of this approach and compromised computers are going for five cents each. (Must be big money in (lots of) very cheap computers)
Trying to make it impossible to do something stupid actually works like this. The apparent burden is shifted from the user (who probably has priorities not easily guessed correctly by the OS) to the OS which can handle a very few cases, and those rather poorly.
"Are you sure?
Sensationalism (Score:4, Insightful)
The question is sensationalist given the context.
The article describes a particular new threat - all good and well.
However, no information on the distribution of IM attacks is given. We have no idea if they are rare or frequent. How can it then be asked if IM safety is a lost cause? The question is almost orthogonal to the article; one cannot have a meaningful opinion about IM safety in general given only information about the *existence* of a particular, new threat.
IM is a communications tool (Score:5, Insightful)
There is no reason that *any* instant message client should ever execute other code, privileged or not. That is not the purpose of IM- IM is not a program launcher, it is a tool for communication.
Geeks want to know (Score:5, Funny)
does the browser pass the Acid2 test?
I know where this is headed (Score:5, Interesting)
You KNOW they will. That's the level of what we're talking about.
For one thing people have become accustomed to random stuff showing up on updates and upgrades. The remote operator will simply launch a splashscreen that says "A gift from Microsoft for your loyalty!" and people will go nuts. For another thing, there is a good deal of evidence accumulated over the many years of this malware war that the users who are keeping malware authors in business are total noobs. Many are developmentally disabled, or are children, or are computer phobes who avert their eyes when the machine "does something odd". Some are simply dumb as cabbages. They click "yeah sure, pwn me" on every dialog box because they are functioning as part of the attached peripherals and NOT an intelligent user.
No, I'm not bitter. I'm not being sarcastic. I've woken to the reality. This is our world, and we white hats are just a little slow on the uptake is all. What this suggests about computer ownership (like maybe you need an operator's license, as required with radio broadcasting, if you are going to traffic in the public sphere) is probably the next frontier of the discussion, that's all.
Re:I know where this is headed (Score:5, Insightful)
I'd like to do a social experiment and write a virus that pops up a window asking the question: "Install Virus?". The options are "No Thanks" and "yeah sure, pwn me". Now, I'm usually an optimist, but I think the results of this study would be depressing.
Trusted Computing (Score:3, Interesting)
1. An OS with a solid configurable TC implementation.
2. A knowledgeable computer user sets up the OS for the executable-running IM user.
3. The OS is configured to only run applications from certain vendors (Mozilla, StarOffice, Microsoft?).
I would love to have TC for my sister's computer. She has never had the need to run any applications besides the ones I have installed.
Or is this already possible with any OS? The ability to specify a list of allowed executables and the inability of a user application to change the list.
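The comment above asks for two things: a list of allowed executables, and a guarantee that nothing running as the user can edit that list. The script below is an added example, not code from the thread or from any operating system, sketching that mechanism in user space on POSIX: each allowed binary is pinned by path and SHA-256, and the policy file is refused outright if it is not owned by the administrator or is writable by group or others. The administrator uid, the file names and the "trojanised" modification are assumptions constructed for the demo, which uses the current uid as the administrator so that it runs self-contained.

```python
"""
Hash-pinned executable allowlist with a policy the user cannot edit.
Added example, not code from the thread or from any OS.  Assumptions:
POSIX; the policy file is written by an administrator account (root in
practice) and must not be writable by group or others; every launch is
routed through check_launch() before exec.  demo() uses the current uid
as the "administrator" so the run is self-contained.
"""
import hashlib
import json
import os
import stat
import tempfile


class PolicyError(Exception):
    """The allowlist itself cannot be trusted (wrong owner or user-writable)."""


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_policy(policy_path, allowed_paths):
    """Administrator side: pin the current hash of each allowed binary."""
    pinned = {os.path.realpath(p): sha256_of(p) for p in allowed_paths}
    with open(policy_path, "w", encoding="utf-8") as f:
        json.dump(pinned, f, indent=2, sort_keys=True)
    os.chmod(policy_path, 0o644)   # readable by all, writable only by the owner


def load_policy(policy_path, admin_uid):
    """Read {realpath: sha256}; refuse if an unprivileged user could have edited it."""
    st = os.stat(policy_path)
    if st.st_uid != admin_uid:
        raise PolicyError("policy owned by uid %d, expected %d" % (st.st_uid, admin_uid))
    if stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        raise PolicyError("policy is writable by group or others")
    with open(policy_path, "r", encoding="utf-8") as f:
        return {p: d.lower() for p, d in json.load(f).items()}


def check_launch(exe_path, policy):
    """(allowed, reason): listed by resolved path AND unchanged since pinning."""
    real = os.path.realpath(exe_path)      # a symlink named 'firefox' does not help
    expected = policy.get(real)
    if expected is None:
        return False, real + ": not in allowlist"
    actual = sha256_of(real)
    if actual != expected:
        return False, real + ": hash changed since pinning (replaced or patched?)"
    return True, real + ": allowed"


def demo():
    """Exercise every verdict in a temp dir; returns {case: bool} for the reader/test."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for real binaries.
        firefox = os.path.join(d, "firefox")
        sb = os.path.join(d, "safety-browser")
        for p in (firefox, sb):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho " + os.path.basename(p).encode() + b"\n")
        pol = os.path.join(d, "allow.json")
        write_policy(pol, [firefox])
        admin = os.getuid()                 # demo only; root in a real deployment
        policy = load_policy(pol, admin)
        results["listed_allowed"] = check_launch(firefox, policy)[0]
        results["unlisted_denied"] = not check_launch(sb, policy)[0]
        with open(firefox, "ab") as f:      # in-place replacement of an allowed binary
            f.write(b"# trojanised\n")
        results["tampered_denied"] = not check_launch(firefox, policy)[0]
        try:
            load_policy(pol, admin + 1)
            results["wrong_owner_refused"] = False
        except PolicyError:
            results["wrong_owner_refused"] = True
        os.chmod(pol, 0o666)                # what a user-editable policy looks like
        try:
            load_policy(pol, admin)
            results["writable_policy_refused"] = False
        except PolicyError:
            results["writable_policy_refused"] = True
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-24s %s" % (case, "ok" if ok else "FAIL"))
```

Two caveats a practitioner would add. A check like this in user space only binds a cooperative program: malware running as the user can skip it, so to constrain an uncooperative user the decision has to be made by the loader or kernel, which is what a "fairly low level" implementation means. And pinning by hash means every legitimate update of an allowed binary needs the administrator to re-pin it, which is the maintenance cost of an allowlist rather than a vendor (signer) list.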
Re:Trusted Computing (Score:3, Informative)
It infuriates me, but it wouldn't even be noticed by the sort of people who catch this "worm" (surely actually a virus, as the user is required to run it him/herself?).
I don't know how it's done, but it seems to be at a fairly low level (doesn't just apply to
Re:Trusted Computing (Score:3, Informative)
I can think of at least [wikipedia.org] two [apple.com]
Isn't gonna happen. (Score:5, Funny)
When you try to make everything idiot-proof, you just raise the quality of the remaining idiots.
My quarter to two in the morning idea (Score:5, Funny)
Give out odd numbered IP addresses to Linux users, and even numbered addresses to Windows Users.
Then Linux computers just turn off access from even numbered source addresses.
Problem solved.
Ok - time for bed.
Why Mac/Linux/etc. are no better than Windows (Score:3, Insightful)
Something like SELinux may help, but then email/IRC messages can just come with instructions for the chcon command to run (people open encrypted ZIPs with the password in the body already; putting a command to "fix" a download is not that different).
Disable automatic execution even with a dialog. (Score:3, Informative)
I've never had the same person come to me twice with "I've downloaded and opened a file and I'm infected." Give people even a small bre
Do the Safety Browse (Score:5, Funny)
we can leave your friends behind
'Cause your friends don't browse and if they don't browse
Well they're no friends of mine
I say, we can browse where we want to,
catch a virus we will never find
And we can act like we come from out of this OS
Leave the real one far behind,
Well... (Score:5, Funny)
Clearly there isn't enough evolutionary pressure on the herd. What the good guys need to do is build computers that explode when the user does something stupid.
-Grey [wellingtongrey.net]
How is this an "IM" worm? (Score:3, Interesting)
Perhaps re-examining the actual exploit rather than the delivery medium as the cause would be a good way to head in the right direction in my opinion.
A proposal I've proposed before. (Score:3, Insightful)
Oh yeah, and it sends itself to everyone in his address book, so that the shame can be shared among others.
Why does EVERYTHING transfer files? (Score:5, Insightful)
Re:Why does EVERYTHING transfer files? (Score:5, Insightful)
Bob: Did you get those sales figures?
Jim: No...
Bob sends file, job done.
make a friendly worm... (Score:5, Interesting)
"hi, your computer is obviously insecure - may I install
[] firefox
[] thunderbird
[] AVG free (Antivirus)
[] hijackthis
[] and one of the following freeware firewalls: [insert firewalls here]
for you? - P.S. I'll install the software from official mirrors, no faked, phishing software - if I wanted to harm you, I could have done this already
[No] [Yes]
may I also interest you in
[] OpenOffice
[] miranda
[] bsplayer
[]
[No] [Yes]
May I recommend myself to your friends?
[No] [Yes]
thank you for your interest
I'll remove myself from your system now. goodbye!
[OK]
I think most people that stick with MS software do this because they have no clue how to install alternative software (seriously - my family has used PCs for 14 years now and still they call me and ask me how to install this and that software) so make a "worm" that assists you in making your PC more secure (and shows you that you need it at the same time); maybe put in links to small, easy-to-understand "getting started" sites...
Call me a glutton for punishment (Score:5, Funny)
Does anyone have a link to the really bad music this worm subjects its victims to? Hearing it would seriously enhance my sense of schadenfreude...
--Joe
Re:Call me a glutton for punishment (Score:4, Informative)
It's been done before (Score:3, Interesting)
The solution.. (Score:3, Funny)
Unfortunately we can't do that yet, so the problem remains unsolvable.
I have a solution! (Score:3, Funny)
A slightly lower-tech implementation has worked for me. When my friends ask me to fix their computer for the 30 billionth time after they infected it, I smack them in the back of the head and tell them not to be a moron, and then send them on to pay the Geek Squad to deal with their problems.
Where these people used to be reinfecting themselves on a weekly basis, they seem to have stopped now, so a combination of physical and wallet pain seems to be the best motivation to not be a retard.
Re:Too Bad... (Score:5, Insightful)
Maybe so, but the rest of us don't deserve what we get. Even if I'm a careful computer user and never get compromised, I still have to deal with the resulting spam, DDOS attacks, increased IT costs, etc, caused by people who do. Therefore it's in everybody's best interest to make security more idiot-proof -- we can't just say "to hell with the n00bs", because we still have to live on the same Internet as them.
Re:Users (Score:5, Insightful)
In my mind we need to drop the Microsoft/Apple attitude that users = idiot. If you build systems for idiots only idiots will use your system. Generally I've found that the #1 reason users I work with do stupid things is because I've either improperly documented or explained what something did or how it worked, or because I created something that blocked their ability to do their job.
Very often users tend to view the people at help desks as idiots because regardless of problem the reaction and lack of willingness to care are obvious from the start. Even cultural attitudes are ignored in the move to "cater to the idiot who uses our product". In one country clucking your tongue may be a sign of rapt attention. But in the country the user is in it may be a sign of a smug and condescending attitude.
In one of the first lessons taught in management classes you will learn that a team of idiots is led by an idiot. I claim that the same is true here as well. If you have idiots for users it's because you have idiots for techs.