About | Buy | Forum | Industry Watch | Learning Curve | Products | Search | Twitter | Xnews
Home » Learning Curve

Fighting Malware on Windows

Why it doesn't work. Why it only costs you more money and heartbreak.


Buy It

Try It

Charlie Miller recently reiterated the obvious for the mainstream media: that it's not significantly more difficult to design and implement a secure operating system but it's a Sisyphean feat to try to 'secure' an insecure operating system after the fact.

Take a very accessible example: imagine there's a major system vendor enjoying dominance in the standalone personal computer market when suddenly all of those personal computers aren't personal anymore. Suddenly they're connected to ambiguous networks no one had really given much thought to. Suddenly anyone can get in and do anything they want. What happens now?

That's exactly what happened to Microsoft - and to you if you're a Microsoft user.

Personal computer security - back in the days the machines were 'standalone' - was about guarding physical access. There were no user accounts; anyone capable of accessing and starting up these machines attained full control, could do anything they wanted. Supposed speed bumps like marking files 'read only' changed nothing: the user removes these attributes without difficulty.

Microsoft 'operating systems' weren't designed to be used in a network - they weren't designed to be connected willy nilly to computers anywhere. Take away the need for physical access to gain control of the computer and there were no controls over who could get in, who could do what.

Things were reasonably OK until the 'web revolution' in the mid 1990s and were mostly OK for a while after that - until the 'black hats' fully grasped what a gold mine they had in Windows. Starting on 5 May 2000 things starting taking a turn for the worse. The science of malware burgeoned.

Microsoft calamities do not affect real operating systems designed to work in networked environments. They simply can't happen there. Real operating systems are built in an entirely different way. Security is built from the ground level. No one has to scramble to fight the bad guys after the fact.

The bad guys simply can't get in.

The Microsoft Malware Scramble

All of the cottage industries that have popped up like mushrooms after a rain are premised on one inalienable fact: Windows can't protect itself. Microsoft have a page listing the more prominent vendors in the field.

'We recommend you install security software to help protect your computer from viruses and other security threats', write the vendors of the system who've failed to protect you themselves.

You'll notice Microsoft have added products of their own to the mix. They want in on this lucrative rainmaker market and their revenues have otherwise been hurting of late as more and more people wise up to what they're doing and get off Windows.

Fifteen (15) antivirus vendors; you could spend a small fortune and subscribe to them all and you still wouldn't be secure.

The Virus

The computer virus has always proliferated on PCs. Strictly speaking a virus is a type of malware that attaches itself to 'executable code'. It can grab onto an ordinary program file like a leech or it can also infect a hard drive boot sector (which also contains executable code). The virus makes sure the host code still runs - but it sees its own code runs first - code that searches for way to spread and cause some type of damage.

Computer viruses have never been an issue with Unix systems. Most of the vendors pictured above have long since tried to 'scare' Unix users into buying their rather slipshod products for the various Unix platforms; unsurprisingly no one's taking the bait. Unix systems simply aren't attacked by viruses.

Deep rooted viruses on a Unix computer are theoretically impossible anyway. All sensitive system files are owned by a user account most users will never come into contact with. They're buried inside subdirectories of directories all clamped down as inaccessible and owned by the same unreachable user account. You can run the programs but you can't touch them. You can't get into their directories and do anything at all.

Trojans and the Registry

'Simplicity is the goal of all good design', said Dan Geer who was sacked from his security firm for merely suggesting Microsoft bilked their Windows users. And by simplicity Geer was implying both 'elegance' and 'strength'.

Perhaps it takes a system engineer to appreciate why simplicity is such a cornerstone of good design; perhaps a minute's reflection on the simplicity and strength of the 'pyramid' is all that's needed; whatever: Microsoft systems are the antipode of simplicity. In terms of complexity they dwarf even monster IBM mainframe systems.

It's not necessary to go into detail about how Microsoft screw up so wonderfully but pointing out they have a bad habit of never synthesising ideas, never borrowing from the world of computer engineering at large, always following management's directives to recreate de facto technologies as their own, and always adding on more and more plumber pipe may convey an appreciation for how fouled up things are.

Details of these increasingly complex and unwieldy systems are not always forthcoming; redundancy pops up all over the place; for every update there are new unnecessary nooks and crannies were the 'bad guys' can hide. And there's one particular type of 'bad guy' who needs such nooks and crannies to survive.

The trojan.

The trojan is something that appears to be one thing but in fact does something else. It's going to want to sneak onto your system. And above all it's going to want to stay there. It's not enough to run today; it wants to run tomorrow too. And every day. It must therefore trick the system into starting it on each system startup.

Thanks to the debilitating complexity of Windows there are way too many places a trojan can reside to trick Windows into starting it up.

Trojan Clones

And thanks to some pretty clever APIs brought to Windows by David Cutler the 'bad guys' have further tools at their disposal to stop antivirus and anti-spyware tools from getting rid of them.

The tools David Cutler added to Windows are good tools; almost all systems have similar tools; but they're not great to have around an insecure system like Windows.

What the advanced trojans do - why they're almost impossible to eradicate with the third party software Microsoft recommend: they clone themselves: they create exact copies of themselves and hide in different areas of your system. And once in place they protect each other.

Using tools such as the change notification they can immediately detect when an anti-spyware tool has found a clone out and removed it: a change notification is a notification sent to an application by the file system - it tells the application there's been a change in a particular directory the application wants to monitor.

The file system sends a message to the application as soon as anything happens in the monitored directory; perhaps a file has been renamed; perhaps a file has been added; perhaps a file has been removed. The clone then checks for the existence of its sibling. Should the sibling not be found the clone creates a new copy - which it now hides in yet another unknown location.

The eradication process becomes a never ending game of 'hide and seek' where the trojan and its clones always stay several steps ahead of the anti-spyware tools being used.

You the Windows user don't have a chance.

The Outer Perimeter

Something Windows users regard as commonplace: there are messages dropping into the inbox you must never touch; you can't know in advance what messages are dangerous; but if you inadvertently select one of them your Windows computer can be compromised 'just like that'.

The same holds for what are called 'drive by' attacks: websites so laden with malware that merely visiting them compromises your Windows computer 'just like that'.

Do you seriously think this is how the Internet was meant to work? Perhaps you've never given it any thought before. So do it now. Do you seriously think this is the way these 'advanced technologies' were meant to work?

The fact of the matter is Windows has very little protection at its outer perimeter and none whatsoever inside that 'first line of defence'. Should any of the 'bad guys' make it into your web browser or your inbox it's game over.

Secure computer systems are never made to work like this. They never have been and they never will be.

Charlie Miller recently reiterated the obvious for the mainstream media: that it's not significantly more difficult to design and implement a secure operating system but it's a Sisyphean feat to try to 'secure' an insecure operating system after the fact.

Goodbye to the Ghetto

What's it like for people who've lived their entire lives in a ghetto when they're suddenly invited to visit their friends in a gated community? What happens at dinner time? What happens when they see their upper crust friends take the plates and bowls out of the cupboard and put them directly on the table?

Aren't you supposed to wash those things before you serve food in them? What about the cockroaches running around in the cupboards? How long is it going to take to convince them their friends in the gated community don't have a roach problem?

How long is it going to take to convince Windows users they don't have to restart their computers all the time?

How long is it going to take to convince Windows users there's no Ctrl-Alt-Delete anymore when they leave Windows?

How long is it going to take to convince Windows users they don't need antivirus and anti-spyware when they leave Windows?

See Also
The Technological: Wsnpoem
The Technological: The Malware Ruse
The Technological: They Think It's OK
The Technological: The Microsoft Ghetto

About | Buy | Forum | Industry Watch | Learning Curve | Products | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.