Microsoft has won a court-issued take-down order against scores of domains associated with controlling the spam-spewing Waledac botnet. The software giant's order allows the temporary cut-off of traffic to 277 Internet domains that form command and control nodes for the network of compromised machines. Infected (zombie) machines …
Educating Users Would Be Better Idea
If Microsoft actually had a clue about PC security they would educate users about *not* running their PC in Administrator mode, except to install software, configure network and printers etc.
This should be both explicitly told the user at install time and it should be communicated in TV spots. Then there should be something like "safewindows.com" with a couple of educational videos for end users.
But hey, that is much tooooo complicated for the stupidos running windowze.
Like here you mean?
great in principle. I have so many programs that I reject on our domain because they wont run as a normal user.
educating users would be better Idea
Except relying on the average user to not do something is bound to fail. A simpler solution that would defeat most/all malware infections is to set the Microsoft Word Viewer as the default and make normal.dot read-only per user. Oh, and lastly not using Internet Explorer, or Outlook ...
Far too many applications either won't run properly when run under a 'standard user' account or won't run at all. Many more won't install, won't update, won't do certain basic tasks. Microsoft has no control over this. I set up my father's system (WinXP) with a 'standard' account and hid away the admin account; before six months were up he was so pissed at the way things worked (or, rather, didn't work) that he insisted that I give him admin privs on what was, after all, his computer. Six months after that, he was so pissed at what were sufficiently clear to even a very non-technical 77-year-old retiree were serious security problems with Windows that he junked it and got a Mac instead... which he runs from a 'standard' account, not an admin account, 'cause that actually can be made to work properly there. This is in large part because the apps he runs on the Mac (many of them written by the same people as those he'd run on Windows) do _not_ misbehave nearly as badly when not granted admin privs at all times.
And, oh, Tuxers, go suck on an ice cube, he didn't even consider running Linux 'cause the apps he runs don't work there. Period. End of story. And no, he's not about to learn how to write replacements for 'em himself, and I'm not gonna do it either. The apps in question include certain popular word-processing, spreadsheet, and associated other productivity apps, certain personal-finance and tax-prep apps, and a whole bunch of entertainment apps, many of which later not only are both Mac and Windows compatible and are_ NOT_ available for Linux, but the Mac and Windows versions ship on the same damn disc. And which he spends literal hours playing, so he simply is not going to consider a system that doesn't support them. And, no, I can't understand why a simple game would need admin privs in Windows, either. Especially when that same game doesn't need admin privs in Mac OS X.
Nine times out of ten those pesky "only an admin can run it" programs WILL run if you give the user modify permissions to that specific program's Program Files Folder. No other privileges required.
Of course that really irritates the 'I was using this program as an excuse to get admin rights on my box and install what I like" crowd.............
I get sick and tired of having to work out applications which require admin rights because of bad design - it really hacks me off.
Most of these applications will work as non admin but you will possibly need to change registry permissions on branches or folder permissions but it takes time to work it all out - Process Monitor is a big help for this though.
Microsoft should make user accounts to default to user level only and make it differcult to setup administrator accounts and make warning appear like if running a standard application as admin (i.e. like Gnome and KDE applications do under Linux).
They should also make a application which will monitor an application to check for it's folder and registry usage (you can do this with Process Monitor and filtering by application but it's a real pain if you're setting up a new PC with multiple applications like this).
I don't think Microsoft are always to blame for the security of Windows; it just users are lazy and use Admin for everything.
are said programs microsoft products?
As much as I love pointing out every mistake MS makes, they really has no control over what ISVs write (hence being an "Independnt" Software Vendor).
I suppose they could take an iphone-like approach where every bit of software has to be approved, and get a microsoft-approved cryptographic-signiture. you'd have to by everything from the microsoft store... They could even get HW vendors to include a chip (let's call it a "Trusted Platform Management" chip) so the hardware would only run signed code.
hmm... anyone else think this might get antitrust regulators on them? RMS would have a heartattack!
"And, no, I can't understand why a simple game would need admin privs in Windows, either. Especially when that same game doesn't need admin privs in Mac OS X"
Game developers are the worst cowboys in the industry.
Back in the DOS days some games would require that you boot from their disk to run - which was just asking to be infected by old school boot-sector viruses.
Points to the real problem
"he didn't even consider running Linux 'cause the apps he runs don't work there."
The real problem here, as ever, are the users. I often get the 'I don't care about the dangers just make it work' ran t from people I am trying to help. To me this is the same as crying toddlers in shops screaming 'but mummy I want the shiny things' . Users have been trained by clever marketing to think that the occasional virus infection and the cost of clean-up/re install/replacement is part of the cost of owning a computers. They don't see it as such as bad thing. I find it amazing how many people say that they have nipped out to PC world and bought a new computer because the old one was old and had slowed down so much. It's like people think computers wear out as they get older.
If you told people that in order to use a particular brand of in car entertainment system they could no longer lock their car doors they might think twice about having it installed. On the other hand they might just think 'but I want the shiny things , the man in the shop told me it would do everything I want'.
"Microsoft's enforcement action is welcome, but it treats only the symptoms - and not the root cause - of the botnet epidemic."
Yep. We all know the cause... MS themselves and their sloppy OS.
The first poster started by saying "If Microsoft actually had a clue about PC security..." which I think sums up the problem nicely.
If the IP originates in Asia, BLOCK IT.
How many times do we have to read the word "China" in these articles before network administrators get the clue and start blocking traffic based on geography? Just how many company networks really need to serve traffic from China? Heck, most could probably safely block any non-US traffic with no impact on their business.
They will get none of the email coming from their own factories. Wouldn't get much done that way. I've got two words for you, 'global' 'economy'.
Please be sure to let the general public know if you ever implement such a strategy, so that those of us who have friends, family, or business in India, the Philippines, South Korea, or Japan can avoid you.
I hate to admit it
...but AC has a point. If I put a rule on our main firewall that drops all inbound traffic NOT from the USA and ALSO drops all outbound traffic to anywhere EXCEPT the USA (and the UK for The Reg of course), my network and users would have ZERO impact. Unless of course there's a search result piping me to a bot drone "web server" punting malware. Since Google or their ilk don't provide search results from their "anywhere in the world" datacenters /directly/, shouldn't be an issue. Now, to look up the IP ranges provided to US-based carriers....
"Heck, most could probably safely block any non-US traffic with no impact on their business."
Well that's right because we're so backwards over here in Europe that we have no idea what this internet thing even is.
More tea anyone?
must have a title
Block - Asia (excluding Japan, maybe South Korea), Eastern Europe, Africa, Central and South America
Then , of course, you can selectively block and unblock more specific areas.
Block The Register?
Time for a change?
Isn't it time (or rather well overdue?!) for some kind of replacement for good old SMTP mail with security provisions built in to stop, or at least cut down a lot, of the spam scum??
Re: Time for a change?
> Isn't it time ... for some kind of replacement for ... SMTP ?
SMTP delivers what you tell it to deliver. So would a replacement. Having spam delivered securely would do more harm than good, because people might be that much more inclined to believe that they really, truly had won the lottery.
A different question: how long before this botnet reconfigures to use a new set of domain names? Hours, days or weeks?
The reason everyone runs their copies of windows in an admin account, I'm afraid to say, is down to the plethora of poorly designed software that still besieges the windows platform today.
It all snowballed when MS merged their corporate and home windows platforms, replacing the frankly disgusting 95/98/ME with the NT kernel in XP.
MS naively assumed that the 3rd party market would slowly come round, and start writing their software in adherance of the windows security model, but to this day Adobe, Mozilla, Apple and Google still routinely flout the model, forcing users to run as admins.
This is the reason they introduced the UAC in vista, to highlight how often even the biggest name mainstream products break these rules.
Until the rest of the software industry read a couple of technet articles start start writing their code correctly people will continue to blindly 'allow' on the UAC, because Mozilla et al have conditioned them to do so every time it tries to update itself.
Sadly MS still provide the option to turn UAC off entirely.
"Adobe, Mozilla, Apple and Google still routinely flout the model, forcing users to run as admins"
What utter tosh. Maybe some crap force you to do it but I can at least vouch for these companies. Our XP Windows network is locked down completely and no users have admin rights. All software from Adobe, Mozilla, Apple and Google run perfectly in limited user mode where installed.
the windows security model ?
> MS naively assumed that the 3rd party market would slowly come round, and start writing their software in adherance of the windows security model, but to this day Adobe, Mozilla, Apple and Google still routinely flout the model, forcing users to run as admins.
Do you have any citation or evidence for that statement. The writers of the software use standard calls to the Windows API, it's not their fault it's as full of holes as Swiss Cheese. An unterminated string should not bring the entire 'windows security model ' to its knees ...
@Psymon: Get your facts right
You can get around most of the problems with the old "right-click and run as administrator" ploy which MS don't educate people enough about. I suppose it costs too much money to print a small booklet "Getting started with..." </sarcasm>
Not Mozilla. Once installed you don't need to be admin for it to update
I don't use Google apps. Apple requires the right-click treatment.
Out of your list, only Adobe are sinners, with that bloody awful system for updating Flash. Oh, and add Microsoft, since they require an Administrator account to run Windows Update.
Are you sure about these?
Adobe and Firefox; never had a issue with either though (I mean running them - updating is possibly different story though).
If you want to test applications; download Process Monitor (direct link http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx), logon as admin account and watch said application (you will possibly want to filter by "process name") - you can show network/registry/file access and it's quite good but it's made by Mark Russinovich and Bryce Cogswell of System Internals fame).
We've also renamed administrator account via GP, changed password and removed all users from administrator account (but we are still working thought this).
It is possible to work around this; I'm sure businesses do or will in time but it means documenting all of said applications and making a proper process control. We were forced to by a government agency (I work in public sector; the same type of public sector which you guys/gals slag off!).
"but to this day Adobe, Mozilla, Apple and Google still routinely flout the model, forcing users to run as admins."
What are you talking about ?? I use an non-privileged account on NT, XP and now on VISTA for more than ten years now. With all sorts of regular stuff like Firefox, IE, OpenOffice, Ultraedit, VC++, cygwin and the SW I developed on my own. Never had problems with viruses.
It *really* is an issue of education.
MS could really help the situation by making installation a bit more complex (asking for two passwords and rejecting if it is the same for admin/normal) *and* educating the user about this very issue of the dangers of root access. AFAIK Apple routinely installs a root and a normal user. They have no virus issues.
MS dumbs down the proper NT tech in XP and later to the Win95 security model.
Also, SW which, for no good reason, needs admin privileges should be labeled as a "security threat" in a dialog box every time the user starts it.
Apple - root, admin and user
Apple include a root account in Mac OS X, but this is effectively an invisible account to both administrators and users, requiring it to be activated as it doesn't run by default.
An admin account can install software, create/delete users and effectively manage a Mac day to day without impediment, but can't get down to system level stuff that requires root access. A password is required to install software or make changes that affect other users.
A user account requires an Admin user name and password to install software, and to make changes that affect other users.
Microsoft, by failing to enforce proper privilege separation in Windows, are complicit in the Botnet's existence in the first place.
The trouble is, there's so much "legitimate" software out there -- mostly developed by self-taught "programmers" using pirate copies of Visual Studio -- that relies for its normal operation on exactly the same sloppy security practices used by malware, and would be royally broken by properly-enforced security.
My spam folder looked a bit light today.
Re : Educating Users Would Be Better Idea
I agree, educating users to use more secure operating systems is a good idea.
Except that you can't
Educating users, or anyone else, about anything, is impossible. They don't want to know and you can't make them, so there.
Well, technically, Windows is no longer insecure by design. One feature inherited from VAX/VMS is access control lists; which, if the truth be told, afford even finer-grained control over security than the world's favourite Unix-like systems.
However, a lot of existing -- and legitimate -- Windows software simply expects to get the free run of the machine, thus requiring users to disable the very security features that would prevent malware from doing its nasty stuff.
To fix it all would be highly non-trivial. A lot of it is custom software written for businesses, either under contract or by staff who are no longer with them; and nobody ever thought to ask for the Source Code. That means a total, ground-up rewrite.
And if all the software a business uses has to be rewritten from scratch, then some awkward questions will need to be asked. Such as: Why didn't the manager overseeing the firm's custom software project demand the Source Code at the time? and: Given that there is really no alternative save for the entire application layer to be rewritten, need the underlying OS really still be Microsoft Windows?
The only way to avoid this nightmare and maintain security will be to run each individual application on top of its own private copy of Windows inside its own private VM, with only as much access to "the outside world" -- including the local filesystem -- as it absolutely needs. And that's not nearly as unfeasible as it sounds, what with processors sprouting ever more cores and more gigahertz.
It just means that code that is well-enough behaved to be allowed to run natively under a secure-by-design OS will run blisteringly fast, on hardware that is well-enough spec'ed for totally-sandboxed code to run just tolerably.
Shoot the "root cause"
"Microsoft's enforcement action is welcome, but it treats only the symptoms - and not the root cause - of the botnet epidemic."
The root cause of the epidemic is the criminal. Hunt them down, shoot them dead, and then no more "epidemic." The other epidemic is a networked PC on every desk, all running the same OS and chipset (there is no difference between AMD and Intel; there is a difference between x86, PA-RISC, Power, Alpha, SPARC, etc.), operated by people with no clue.
...in Dubai recently by any chance?
In related news....
.... Microsoft have been given the go-ahead by a US jugde to oversee the takedown of all domains associated with a rogue application going by the name of "Open Office". Microsoft sucessfully demonstrated to the court that Open Office has now managed to somehow, despite their best efforts, replace MS Office on over 11 million US desktops despite having no commercial distribution network or support mechanism.
An MS lawyer was quoted as saying "Open Office is a malicious program that is specifically targetting users of older, more unsecure versions of MS Office. Once [Open Office] is installed these older versions are then quickly underused, and in some cases removed completely. This cannot be allowed. This software is denying the users of older versions of our software the benefits and cost savings from being able to upgrade to the latest version of MS Office at our current competitive pricing schemes".
A n email that was leaked following the hearing, from a Verisign employee to Microsoft shows that other domains might be included in future court cases: "Ubuntu.com seems to be getting quite a bit of bandwidth spikes at the moment, might be worth monitoring" it read.
How about better spam fighting tools for US?
I'd like to be a better Samaritan--if only someone would give me better tools. You'd think the email people would be glad to offload some of their burden to other people. It might not kill the spammers (slowly, please), but at least I'd feel better if I had an option to do something about it. I'm thinking of something like SpamCop, but with more iterations and better analysis, and built right into my email system for me to confirm the proposed countermeasures and hopefully to earn recognition as a 'spam fighter first class'.
I dream of being the spammers' worse nightmare.
2 fold problem
1) Development environments which don't *warn* developers what does actually *needs* admin privileges, so they can *decide* to move those insecure functions to one risky module, or replace them with higher security versions.
2)Users whose system is set up with Admin privileges, and who don't know there are higher security options.
This will continue as long as developers (especially on Windows) persist in expecting the users apps to have *full* privileges on their hardware. BTW this is not just a hacker thing. IIRC versions of at least 1 of the NHS hospital management systems would not *run* on desktops with only user privileges. This in an environment where security is *supposedly* a concern.
Although I think a name-and-shame website might be a good idea.
Thumbs up to MS for doing it. But I do wonder what proportion of the scam generating machines on the Net are running Windows.
@ Not really, Danny 14
"great in principle. I have so many programs that I reject on our domain because they wont run as a normal user."
Really? we're a college running a mix of Windows xp desktops and server 2003 Citrix boxes. We use old naff 9x era education software for some things, loads of current apps, google earth, paint.net etc and an MIS product based on .NET that uses SQL server back end. I've found VERY few apps that can't run as a basic user, a few NTFS permissions tweeks to files and reg entries here and there gets almost anything running.
You just need to learn to use Process Monitor and you'll be there in no time ;)
Focusing on the wrong thing
Hey, I like a good solid round of Microsoft thrashing as much as the next guy, and don't get me wrong, I think Microsoft's approach to security is a bit like putting a high-security Medeco lock on a glass door, but...
If I become the king of the world and start calling the shots, one of the things I'd do is to make ISPs more responsible for handling their share of the problem.
It'd go a long way if ISPs, rather than simply pulling the plug on malware sites and being done with it, were required to freeze the contents of such sites and drop an email to law enforcement. Not asking them to do any more than that--just click a few buttons--and I realize that a lot of the sites (and malcreants) are outside the range of Western law, but it'd help.
Laws making ISPs financially responsible for knowingly hosting malware, with the presence of at least one complaint email to the ISP's abuse@ address constituting prima facie evidence of knowingly hosting malware, would remove the financial incentive to host such malware. It's surprising how many ISPs, even right here in the US, will respond to "you are hosting virus downloaders" with "yeah, so?"
The C&C traffic for many botnets is well understood. ISPs can do filtering and deep packet inspection to look for P2P traffic but they can't do anything about botnet command and control traffic? You hear that sound? It's the sound of the world's smallest fiddle playing in sympathy for the poor overburdened ISPs that have plenty of time to play lap dog for the RIAA by searching for college kids downloading the latest Metallica track but can't do anything about large-scale organized crime activity on their networks.
This kind of crime is economic crime. There are a surprisingly large number of ISPs, many of them located in the US, that benefit economically in direct and indirect ways by facilitating that crime. A bit of economic liability would probably do a lot to make the problem evaporate.
User mode/Admin mode?
I will personally return as 'unfit for purpose' and claim my money back on ANY 'normal' program which requires Admin privileges to run.
I don't care what it says on the box about fitness for a specific purpose.
If that means returning half a dozen A3 Flatbed scanners, a DVD copier or any other every expensive HW because the accompanying SW sucks unleaded gasoline... So be it.
(Those are examples of stuff we've returned at the office because it can't be used with normal user accounts)
And I will DEFINITELY NOT add 'change' rights to the program files folder, or any subfolder in it.
There is even a *reason* to block C&C traffic
C&C traffic is guaranteed *not* to contribute to an ISP's revenue generating bandwidth.
Slowed machines discourage users from viewing complex (but possibly more profitable) web sites because (although they are unaware of this) their PC is spewing out crap 24/7 as they can't wait for site to load.
Just a thought.
The legal power the judge assumed here borders on a separation of powers Constitutional violation. The judge essentially gave Microsoft the authority to declare war on these computers. There are also some striking similarities to the law enforcement process of obtaining a search warrant, except Microsoft isn't a police force! I won't go into detail, but if you are interested in a more detailed legal analysis, check out the link below:
- Vid Hubble 'scope scans 200000 ton CHUNKY CRUMBLE ENIGMA
- Google offers up its own Googlers in cloud channel chumship trawl
- Bugger the jetpack, where's my 21st-century Psion?
- Interview Global Warming IS REAL, argues sceptic mathematician - it just isn't THERMAGEDDON
- Apple to grieving sons: NO, you cannot have access to your dead mum's iPad