New Malware Report Hits Vista's Security Image

An anonymous reader recommends a Computerworld article on a new report from Australian security vendor PC Tools. The company released figures on malware detection by its ThreatFire product, and in its user base 27% of Vista machines were compromised by at least one instance of malware. From the article: "In total, Vista suffered 121,380 instances of malware from its 190,000 user base, a rate of malware detection per system [that] is proportionally lower than that of XP, which saw 1,319,144 malware infections from a user base of 1,297,828 machines, but it indicates a problem that is worse than Microsoft has been admitting to." Microsoft hasn't responded yet to this report.
  • by J_DarkElf ( 602111 ) on Tuesday May 20, 2008 @06:01AM (#23472888) Journal
    No need to slam Vista (or Windows in general) -- the problem is combining a dumb user with /any/ OS he can get admin rights on.

    No matter how good your antivirus/antispyware/OS, once an idiot user figures out that by closing a certain app or clicking "yes" somewhere he can run the funny application he got by e-mail, he will do so, and the system is potentially infected.
  • by Skrynesaver ( 994435 ) on Tuesday May 20, 2008 @06:06AM (#23472922) Homepage

    Malware is not defined anywhere in the article.
    While incomplete it did say that:

    PC Tools has publicized details of some of the malware types it has found on Vista systems during its scans, including three pages of variants based on Trojan.Agent, a few of which were described as serious.
    Not a definition of what they classed as malware, but 3 pages of Trojans would seem to indicate that they found something, no?
  • by joelstobart ( 1238490 ) on Tuesday May 20, 2008 @06:19AM (#23472988)
    Seriously,

    27% of all the machines were owned by a marketing company. It's sunk in.

    Sudo copied Windows - hmmmm ... "Sudo was originally written by Bob Coggeshall and Cliff Spencer "around 1980" at the Department of Computer Science at SUNY/Buffalo".

    As for the virus remark - It's more difficult to write Linux viruses. User level permissions are more rigorous. The browsers don't have ActiveX. People who use Linux tend to know what a firewall is; and don't click yes in reply to "would you like to install" dialogues so much.

  • Re:PR != Security (Score:5, Informative)

    by Kalriath ( 849904 ) * on Tuesday May 20, 2008 @06:19AM (#23472990)

    Vista has one and only one major security-impacting feature - The "Train users to always click yes" interface to privilege escalation. And I feel confident saying that very, very few of us consider that a "good" thing.
    Get users on Linux, and we'll be seeing the "Train users to always click yes (or in CLI mode, prefix with "sudo")" approach to privilege escalation.

    Wait, that sounds familiar. Oh, wow! Both my post and yours are virtually identical!

    Seriously, people bash UAC, but it's pretty much identical to sudo.
  • by Dekortage ( 697532 ) on Tuesday May 20, 2008 @07:54AM (#23473496) Homepage

    To quote TFA:

    "It is important to highlight that all systems used in the research pool were at the very least running PC Tool's ThreatFire and that because the technology is behavioral-based, the data refers to threats that actually executed and triggered our behavioral detection on the client machine", said PC Tools' CEO, Simon Clausen.

    I don't use ThreatFire, but "behavioral-based" and "threats that actually executed" doesn't sound like a cookie. They could mean it, but it doesn't sound like it.

  • by Anonymous Coward on Tuesday May 20, 2008 @08:31AM (#23473752)
    ThreatFire, which is what did the analysis in the survey, does not detect cookies as it's behavior-based, it only detects "real" malware that executes (i.e. it runs as an application, which cookies don't) and does something "bad".
  • Re:Vista and UAC .. (Score:3, Informative)

    by Colonel Korn ( 1258968 ) on Tuesday May 20, 2008 @09:31AM (#23474392)
    They're called cookies, not malware.

    Yes, Threatfire labels tracking cookies as malware, and yes, that means this story means nothing. I'm not a fan of tracking cookies, but they're not a big deal to most people.
  • Re:Vista and UAC .. (Score:3, Informative)

    by Colonel Korn ( 1258968 ) on Tuesday May 20, 2008 @09:36AM (#23474478)
    Threatfire considers tracking cookies, like the ones from Google (aka Doubleclick) to be a 2 on a scale of 1 to 5 in terms of severity of malware. This is a junk article and really shouldn't have been posted.
  • Re:PR != Security (Score:3, Informative)

    by Jugalator ( 259273 ) on Tuesday May 20, 2008 @11:06AM (#23475890) Journal
    Indeed, but if we're comparing a Windows UI feature, we should perhaps compare it to a UI feature of a Linux desktop distribution, not command lines, because the command line is already widely regarded as a barrier to entry for the users Windows is geared for.

    And if doing this, the approach becomes virtually identical. Well, one difference being that I have to actually *enter* the password in e.g. Ubuntu if doing an "administrative task", while I don't have to do this and just click through under UAC if I'm an admin. However, even UAC requires an entered password if you're a non-admin. The UI will change depending on the Windows user type.
  • by Dr_Barnowl ( 709838 ) on Tuesday May 20, 2008 @11:08AM (#23475916)

    Microsoft decided that for their systems, a compromise between level 2 and level 1 was necessary.
    In addition, .NET contains Code-Access-Security (CAS) mechanisms that let you get all the way up to level 6.

    4 : .NET APIs are marked with permissions, and .NET assemblies can declare which permissions they need to run. System policy can restrict which applications even get to run, and allow some applications to run with restricted function.

    5 : A sandbox is slightly different but can be considered to be a special case of 4 (or a virtual machine, or however else you implement it). Again, .NET will allow you to configure access : to printers, sockets, domains, DNS, environment, files, UI, storage, the registry, threading, calls to unmanaged code, printers, the event log, performance counters, database client libraries, and the data execution protection features of modern CPUs.

    6 : .NET can base its CAS policy on assemblies being signed.

    Level 7 I consider to be a special case of level 6 ; where only the people building the OS install have valid signing keys.

    ALAS

    Firstly, this litany only applies to .NET managed code.
    Secondly, .NET comes configured out-of-the-box to allow all code executed from a source on the local machine full trust.

    Go to the back of the class, Bill [ranum.com]

    To be fair, I don't think most malware writers implement their babies in .NET, not least because not all users have it installed by default, even if it is a Windows Update. But it has a great code security model, marred fatally by its default configuration.

    If it had a dialogue that appeared when you ran software for the first time, asking you for trust parameters, and particularly drawing attention to the lack of a cryptographic signature from a certificate itself signed by a trusted party, it might make some users think twice about running all the insidious crapware they install just for a few emoticons or screensavers.
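    As an added illustration of the declarative and imperative Code Access Security mechanisms this comment describes (example code, not from the page, PC Tools or Microsoft), assuming a .NET Framework 2.0-3.5 runtime where CAS policy is enforced and constructed sample paths under C:\Data:

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Assembly-level permission request (honoured by .NET Framework 2.0-3.5 CAS policy):
// the assembly declares the minimum it needs; policy that grants less refuses to load it.
[assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution = true)]

public static class CasDemo
{
    // Constructed sample paths for this demonstration (hypothetical, not from the page).
    private const string DataDir = @"C:\Data";
    private const string OutFile = @"C:\Data\report.txt";

    // Declarative demand: every caller up the stack must hold write access to OutFile,
    // otherwise the runtime throws SecurityException before the method body runs.
    [FileIOPermission(SecurityAction.Demand, Write = OutFile)]
    public static void WriteReport(string text)
    {
        File.WriteAllText(OutFile, text);
    }

    // Runs WriteReport under a stack-frame restriction. PermitOnly shrinks the effective
    // grant for this frame to read-only on DataDir, so even a full-trust assembly (the
    // out-of-the-box local-machine default the comment complains about) fails the demand.
    public static bool TryWriteRestricted(string text)
    {
        var readOnly = new FileIOPermission(FileIOPermissionAccess.Read, DataDir);
        readOnly.PermitOnly();
        try
        {
            WriteReport(text);
            return true;   // only reachable if the write demand passed the stack walk
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Blocked by CAS: " + ex.Message);
            return false;
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    public static void Main()
    {
        Directory.CreateDirectory(DataDir);
        WriteReport("unrestricted call");                  // succeeds under default full trust
        Console.WriteLine(TryWriteRestricted("restricted")); // prints False: PermitOnly wins
    }
}
```

    The point the comment makes is visible in Main: nothing in the default policy stops the first call, and only a restriction the code applies to itself (or policy an administrator configures) narrows what a local assembly may do.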
  • by Sancho ( 17056 ) * on Tuesday May 20, 2008 @11:30AM (#23476280) Homepage
    No, he really wasn't.

    gksu, which acts more or less like a GUI front-end to su, dims the background when you use it. I don't know if it's a configurable option, or how long it's been doing that, but I first noticed it a little while after Vista started dimming the screen on UAC prompts. That's what the GGP was referring to.

    gksudo:
    Dims screen, asks for permission to perform administrative operation, asks for password.

    UAC:
    Dims screen, asks for permission to perform administrative operation, asks for password if you are not administrator.

    The comparison is obvious, and while sudo itself was written before permissions were even a twinkle in Mr. Gates' eyes, gksudo's current behavior does emulate Vista's.
  • Re:PR != Security (Score:3, Informative)

    by dhavleak ( 912889 ) on Tuesday May 20, 2008 @11:35AM (#23476382)

    Except that forcing people to enter their *Admin* password to escalate their privileges also forces them to stop and think "hmmm does this program REALLY need that type of access?"
    Sudo and UAC both grey out the entire desktop, and pop a system modal dialog that prevents you from doing anything else until you respond to it. If that's not enough to tell the user something big is happening, the password part isn't going to help either.

    Additionally if the person is not an admin for that machine, they won't be able to install the software without someone's help, ideally an individual who took the time to NOT give them an admin account for just this reason... so they wouldn't install malware by mistake.
    Right, and that's exactly how it works for UAC as well. If you're not an admin, your only option for installing something that requires admin access is calling an admin to help out. You won't get a UAC prompt (you have to do what's known as an 'over-the-shoulder' elevation instead, which requires the admin to enter their user/pass to "run as admin").

    SUDO doesn't work if it is turned into an obligatory prompt dialogue that people just click through mindlessly.
    The reports of UACs annoying-ness are greatly exaggerated. As a Vista user since around launch date I can tell you I'm not used to seeing a UAC prompt at all. Patch Tuesday and Firefox updates are probably the only time I see them -- and that's exactly the way it should be.
