Thursday, August 12, 2004

On hard disk erasures and calling home

Hethu says something interesting:

"If a program is running under Admin privileges, you can do very little to stop it, be it Linux or Windows; simply 'calling home' is just too polite. It can simply format your hard disk, how much worse can it be?"

And I promised to explain why the reality is different from possibilities.

First, it suffices to point out that we have almost never heard of any hard-disk-erasing viruses so far, except for hoaxes. Why is this the case? I think we can all guess: a mass destructive act like virus spreading can be an act of glory; it's a fight of a kid against the world - big corporations, governments etc. All the recently successful viruses we know of put entire networks down and attacked Microsoft, but none of them really harmed individual computers to a considerable extent. I think this is because it takes the joy of the fight away - like killing civilians in combat. On the other hand, think about the community perception: when Bush drops bombs on Iraq it's war, but if an American sprays graffiti on an Iraqi car, it's vandalism. The latter does negligible damage compared to the former, but is more disrespected. You don't see a police officer slap a president's face for bombing.

You see the difference: virus writers generally stay outta 'civilian' casualties. That's the 1337 way of fighting. I don't want to prove this conjecture; reality is more proof than necessary. You can also read "A virus is not always the product of a sick mind" and "Perusing The Virus Author Mentality" for better discussions.

In short, the script kiddies don't really want to erase hard disks; the effect of that is something they don't really like. And think: if the kid is smart enough, he'd realise that erasing the hard disk actually reduces the chance of the virus getting spread. The longer you keep the machine running, the more machines you can infect. The first goal of any virus writer is to thwart the security and to spread, rather than to do real damage to individuals.

Second: who can say it's only the script kiddies who are out there?

If this is not the case yet, it will be in the near future. Think of a virus as an email address collector: we all know how the recent viruses used people's address books to spread. What if, instead of just spreading, the virus called home and handed over the list of email addresses, along with the name of the address book's owner? A spammer at home will be really happy: first, you get a load of real, shiny email addresses instead of the junk you scrape from the web; then, you have the name of at least one of their friends - the owner of the address book - so you can make your spam look as if it originated from him. This will make the spam difficult to block, and will entice the recipient to open it.

If I'm the spammer who would like a virus like that, would I consider erasing the hard disk? Never.

Third: spyware. We have talked enough about spyware; it all works because calling home is possible. And Hethu would agree that spyware is evil. You don't have to accept it just because it's better than hard disk erasure; it is better, but that's a different story altogether. We don't want to get our hard disks erased; we don't want to get our email addresses stolen, our credit cards forged, or our identities robbed either. Just because the possibility exists that someone can kill you, you don't say the police should give up catching robbers and pickpockets.

Then a bit about Firewalls.

First, a firewall is a firewall is a firewall. Detecting viruses is the task of a virus scanner; you can get a virus through email or a removable disk and there's nothing a firewall can do about that. Actually, that's how most viruses come into desktop PCs. And if a firewall gives up saying 'uh oh, now there's a virus in the machine, which can even erase the HDD, so what's the use of my hard work protecting the network?' then it's just silly. Let the virus scanner do its work and you mind your own work, which is gatekeeping the network.

Second, all those spyware programs and viruses do not need admin rights, which are needed for HDD formatting. So:

  1. If MS assumes that the majority of users log in as admin (and we assume that all viruses erase HDDs), that's stupid, because they then have to accept that their firewall is useless: it can simply be shut off.
  2. If it says most people do not have admin rights, then a virus infection is NOT the end of the story. It's just a matter of protecting the network until someone detects the infection and cleans it up.

Think - most recent viruses used outgoing SMTP to spread. If you had stopped the outgoing connections at the first infected computer, none of these viruses would have spread. The same holds for viruses like SQL Slammer, which do not use SMTP to spread. Even for viruses like MSBlast, the correct thing would have been to stop the outgoing call in the first place. In the typical case, one infected PC infects more than one other (that's why the growth looks exponential), so it's wiser to stop the attack at the donor end. I have seen so many times how people spread viruses, how networks got jammed, how websites and SQL servers went down, ALL because outgoing connections were possible from the personal computers of unsuspecting people.
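To illustrate the outbound-blocking argument, here is an added example (not from the original post) that scans a constructed firewall connection log for workstations opening direct SMTP connections to many hosts instead of going through the site's mail relay, which is exactly the "donor end" behaviour of a mass-mailing virus. The log format, the relay address and the threshold are all assumptions.

```python
from collections import defaultdict

# Constructed outbound-connection log from a perimeter firewall (not real data):
# "<time> <src_ip> <dst_ip> <dst_port> <action>", one line per connection.
SAMPLE_LOG = """\
09:00:01 10.0.0.12 10.0.0.5 25 ALLOW
09:00:05 10.0.0.12 198.51.100.7 443 ALLOW
09:00:06 10.0.0.31 203.0.113.10 25 ALLOW
09:00:06 10.0.0.31 203.0.113.11 25 ALLOW
09:00:07 10.0.0.31 203.0.113.12 25 ALLOW
09:00:07 10.0.0.31 203.0.113.13 25 ALLOW
09:00:08 10.0.0.31 198.51.100.7 80 ALLOW
09:00:09 10.0.0.44 203.0.113.20 25 ALLOW
09:00:10 10.0.0.44 203.0.113.21 25 ALLOW
"""

MAIL_RELAY = "10.0.0.5"   # assumed: the one host workstations may talk SMTP to
SMTP_PORT = 25
THRESHOLD = 3             # distinct non-relay SMTP peers before a host is flagged


def parse_log(text):
    """Yield (src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue
        _time, src, dst, port, _action = fields
        yield src, dst, int(port)


def smtp_peers_by_source(events, relay=MAIL_RELAY):
    """Map each source IP to the set of non-relay hosts it contacted on TCP/25."""
    peers = defaultdict(set)
    for src, dst, port in events:
        if port == SMTP_PORT and dst != relay:
            peers[src].add(dst)
    return peers


def flag_smtp_spreaders(text, relay=MAIL_RELAY, threshold=THRESHOLD):
    """Return source IPs whose direct SMTP fan-out looks like a mass-mailer."""
    peers = smtp_peers_by_source(parse_log(text), relay)
    return sorted(src for src, hosts in peers.items() if len(hosts) >= threshold)


if __name__ == "__main__":
    for host in flag_smtp_spreaders(SAMPLE_LOG):
        print(f"block outbound TCP/25 from {host}: direct SMTP fan-out")
```

A workstation that only ever talks to the relay never appears in the result, so the same logic can back an egress rule that allows TCP/25 to the relay alone.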

'Nuff zed.

3 Comments:

Hethu Nanayakkara said...

I repeat:
If an application has Admin privileges, there's no way you can stop it from formatting your hard disk.

You took that literally and went on and on with an obvious FYI lesson. Yes, no one would do that, but you completely missed the point. *sigh*

Let me put it in simple words:
No matter what-on-earth kind of firewall or whatever-you-call-it solution you have on your machine, any spyware/virus can easily turn it off if you run with Admin privileges. Simple as that.

There is no workaround to stop this. If Windows allows the Admin - the real-blooded-human-admin to turn off the Firewall, so can a program.

You said:
"If MS assumes that majority of the users log-in as admin it's stupid because they have to accept that their firewall is just useless..."

Who's stupid? MS for creating a firewall or the users who run as Admins?

Einstein said once: "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." And I'm afraid he's right...

It's sad to see that you have become just another whiner without giving a Solution to the problem.

6:43 PM  
Hethu Nanayakkara said...

If you are still pondering:

If a program is running under Admin privileges, you can do very little to stop it; it can format your hard drive (the ultimate) and everything else imaginable in between: turn off all Firewalls and Security Checks, disable Antivirus software, reset the registry or uninstall all anti-spyware apps, etc. There is absolutely no stopping it.

So I still don't see your point in your original post: Better than nothing, but not good enough.

7:31 PM  
Gandalf said...

My point has been (and is) that outbound blocking is something that must have been done, regardless of the *possibility* that a user *may* run with system privileges, and the virus *may* turn off the firewall and so on. I just tried to explain that (and why) most outgoing callers do not necessarily do that. Even with admin rights, spyware will most probably stay away from firewall tampering, to keep its legitimate mask on.

And what about all the computers that run *without* admin privileges?

By the way, not ALL the processes are admin-terminatable. Local Security Authentication Server for instance is a system process, and admin cannot terminate it either by task manager or by programs - except for a few bugs MS had there which allowed sasser to exploit windows systems.

You say:
>> Who's stupid? MS for creating a firewall or the users who runs as Admins?

Creating a firewall is a good thing. Running as admin is possibly stupid in case one doesn't know what one does. What about assuming that all users run as admins? Let's break it down:

There are two possibilities: the virus always (with admin rights or not) terminates the firewall, or it does NOT.

In the first case, having a firewall only protects the machine against attacks that come as inbound connections: well, this is still good, and I didn't say it's *bad*; I just said it's not good *enough* for a firewall, and why it is not.

In the latter case, we miss a lot of functionality that must have been there. I detailed possible evils of outbound connections in my post. Giving a pistol to kill an elephant is still better than giving nothing, but I prefer a double-barrel shotgun.

Having said that, I stress my view again: MS is NICE to give a firewall - but it's just better-than-nothing. Not as good as it could have been.

8:48 AM  
