Soooo...
...it's an executable that loads malware. Mmm never seen that before.
What's that? You have to download it, run it, agree to the security warning and click ok...wow, now that's clever.
Security watchers have discovered a Trojan that uses built-in Windows functionality to overwrite security software and compromise systems. The malware - which poses as an antivirus update - uses Windows input method editor (IME) to inject a system, technology that normally creates a means for users to enter characters not …
would, I hope, recognise or at least be suspicious of a real malware threat as soon as we happened upon it. It's easy, we've been doing IT for years right? From 1st line support to management perhaps.
Nowadays most computer users are consumers, and with UI development as it stands, the use of computers is no longer restricted to those with the benefit of intelligence.
Exploiting this user base is easy. Ooh look a shiny thing, Ooh look a free thing, Ooh look my computer is telling me I need to upgrade my AV. The abstraction between software and machine is not as great to the user. So they don't see software written by an unknown asking to upgrade the system. They see the computer itself asking to be upgraded.
We tend to think users are stupid. Well, some are, but mostly they just know jack about computers.
...and the atrocious state of UI development from a certain vendor.
I get those "untrusted!!!1!" popups on bloody everything, and they don't give me, computer professional, any useful information whatsoever. Can't blame non-professionals for ignoring warnings when the professionals do so too, on the exact same "information" provided.
This just goes to show that plastering yet another bloody popup with some useless warning is not a fix for a steaming heap of manure posing as "design" underneath the UI. But then, if that's all you can come up with, then that's all your customers get.
It is entirely possible to come up with more sensible approaches, it's just that this vendor has steadfastly not done so, for this reason or another. I, computer professional, long ago decided not to use any of this vendors products ever again, and yes, I've foregone jobs for it. To me the reduction of loss of sanity was more than worth it. That choice may not be available to everyone, but I contend that it's available to more people than usually thought.
Windows, by virtue of the fact it's meant to be easy to use for computer illiterates, is more prone to these sorts of attacks.
The same vulnerability exists for any OS, i.e. you run something you shouldn't, it infiltrates your system and you're screwed. The difference is your average *nix user is smart enough to know what to run and what not to.
Windows security is actually pretty good. I can happily put my hand on my heart and say I have never had a virus, trojan or other malware infection on a single Windows, Linux or Mac desktop or server system I've been responsible for.
The problem with Windows comes when non-tech savvy users run their user account with Administrator privileges. This would be my biggest gripe about Windows default security.
What does concern me about this story is the fact that the IME component of Windows can disable the AV protection. While attacking one component to get access to another is nothing new or specific to Windows, if it can do this when the IME is running as a limited user then that *is* a big security hole.
I strongly suspect it can't. As you point out earlier, nearly all these attacks rely on being able to get admin on the box - I achieved more in preventing virus outbreaks when I killed off user admin rights at my place than I've ever done by installing AV software.
The biggest idiots in this whole game are system admins who use various application compatibility excuses to give users local admin. It's the only way these big outbreaks that take organisations down can really occur. It's an admin's job to find a way to make the software work - or to have the balls to say "this is a crock of shit, is badly written, and is incompatible with our security policies" if it really is impossible. Not to use the "chmod 777" approach... By default, only the local Administrator account and the Domain Admins group have Administrators membership on a domain PC, and you should keep it that way.
If management insist on an "admin privs or your job" approach, then send, print and keep an email detailing the risks, so when the shit hits the fan you can point out that you told them so.
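Added example (not from the thread above, nor from any vendor): a PowerShell script that audits the local Administrators group against the default membership the comment describes, the built-in local Administrator account and Domain Admins, and reports (or, with -Remove, strips) anything else. It matches on well-known RIDs (500 for the built-in Administrator, 512 for Domain Admins) rather than names, so a renamed Administrator account is still recognised. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, a domain-joined machine, and an elevated session; the -Remove switch and the output format are my own choices for illustration.

```powershell
# Added example: audit the local Administrators group against the default
# membership (built-in Administrator + Domain Admins) and flag extra members.
# Assumes Microsoft.PowerShell.LocalAccounts (Windows PowerShell 5.1+),
# a domain-joined PC and an elevated prompt. Run with -Remove to actually
# strip the extras; without it the script only reports.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Decide whether a group member is one of the two defaults, using the
# well-known relative identifiers rather than display names.
function Test-DefaultAdminMember {
    param([Parameter(Mandatory)] $Member)

    $rid = ($Member.SID.Value -split '-')[-1]
    switch ($Member.PrincipalSource) {
        'Local'           { return ($rid -eq '500') }  # built-in Administrator
        'ActiveDirectory' { return ($rid -eq '512') }  # Domain Admins
        default           { return $false }
    }
}

$members = Get-LocalGroupMember -Group 'Administrators'
$extra   = $members | Where-Object { -not (Test-DefaultAdminMember -Member $_) }

if (-not $extra) {
    Write-Host "Administrators group on $env:COMPUTERNAME contains only the defaults."
    return
}

Write-Host "Non-default members of Administrators on $env:COMPUTERNAME:"
$extra | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

if ($Remove) {
    foreach ($m in $extra) {
        # -WhatIf / -Confirm are honoured via SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
        }
    }
}
```

Run it without -Remove first, or with `-Remove -WhatIf`, so you can see which accounts (typically day-to-day user accounts added for "application compatibility") would be demoted before changing anything. The script deliberately does not touch the two default principals, so it can be run repeatedly from a logon script or configuration-management job without locking administrators out.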
Totally agree. I was thinking more of a home/SOHO environment, but in a corporate IT environment some sys admins need to grow a pair and do their jobs properly. They're responsible for security after all.
*Some* people genuinely need access to admin privileges occasionally, but if a person has "Sales" or "Marketing" in their job title they should instantly be demoted to a standard user.
I remember a funny incident around 2001/2 at a company that we'll just call "Grande Bloo" when an entire campus network was brought to a standstill by a virus because one sales person removed the antivirus and firewall from his laptop because he wanted more space for presentations! As quick as the sys admins removed it from one infected server it sprang up on two or three others and spammed the entire network.
"The trojan can install itself as an IME, then it kills any running antivirus processes and deletes the installed antivirus executable files. The original executable file of this trojan disguises itself as an antivirus update package."
Which product/s? Any/all or specific vendors'?
Paris 'cos she's brand aware ....