Basic Computer Security/Why some computers still get sick

Why Some Computers Still Get Sick

Malware has existed for nearly as long as Unix. One of the earliest and best-known examples was a back door into the superuser account, described by Ken Thompson in his 1984 Turing Award lecture "Reflections on Trusting Trust" (Fred Cohen's work of the same period is the separate early research that defined and demonstrated the computer virus). Thompson's back door let a fixed password bypass the normal check in the login program. The unique thing about it was that it lived in the C compiler rather than in login's source: the compiler recognised when it was compiling login and inserted the back door, and recognised when it was compiling itself and re-inserted the code that did the inserting, so that you could not build a clean UNIX from clean source with that compiler.

You would think that by now most forms of malware would have been found and defended against. That assumes two things: that the people doing the defending are competent and honest, and that nobody is inventing new ways of building malware. Neither assumption is realistic. There is no reason to believe that those hired to defend against malware in one environment will do so for another, and there is reason for mistrust, because every defensive component is itself code that can have bugs: the security professional who fixes one type of invasion is often laying the seeds for the next.

Consider the compiler. You would think that Ken Thompson's "Reflections on Trusting Trust" would have us look hard at the compiler and eliminate all chance of its being used as a vehicle for malware. Instead, every major compiler toolchain ships a standard library whose oldest string and input functions, such as gets() and strcpy(), place no bound on what they write, and those functions remain one of the commonest vehicles for breaking the software built with the compiler.
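As an added example (not code from the original page), here is that pattern in C: an unbounded strcpy() into a fixed buffer, the bounded replacement that refuses over-long input rather than overflowing, and a helper that exposes the trap in the usual "safe" alternative, strncpy(), which writes no terminator when the input fills the buffer. The 16-byte field size, the function names and the sample strings are this example's own assumptions.

```c
/* Added example: the classic unbounded-copy bug from the C standard library,
 * next to a bounded version that reports failure instead of overflowing, and
 * a helper exposing the strncpy() terminator trap. NAME_LEN, the function
 * names and the sample inputs are this example's own assumptions. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed fixed-size field, e.g. a username */

/* Vulnerable pattern. strcpy() copies until it finds a NUL in src, so any src
 * of NAME_LEN bytes or more writes past the end of dst (undefined behaviour;
 * on a stack buffer this is the classic stack smash). Kept here only for
 * contrast: never call it with input an outsider controls. */
void copy_name_unbounded(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form. Measure src without scanning past NAME_LEN bytes, refuse
 * anything that does not fit together with its terminator, and leave dst
 * untouched on failure so the caller can never use a half-written buffer.
 * Returns 0 on success, -1 if src is too long. */
int copy_name_bounded(char dst[NAME_LEN], const char *src)
{
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0')
        n++;
    if (n == NAME_LEN)          /* NAME_LEN or more bytes: no room for the NUL */
        return -1;
    memcpy(dst, src, n + 1);    /* n bytes plus the terminator */
    return 0;
}

/* strncpy() is often recommended as the "safe" replacement, but when src has
 * at least as many bytes as the limit it writes no terminator at all, and a
 * later strlen() or printf("%s") reads off the end of dst.
 * Returns 1 if dst ends up NUL-terminated, 0 if it does not. */
int strncpy_leaves_terminator(const char *src)
{
    char dst[NAME_LEN];
    memset(dst, 'X', sizeof dst);            /* make a missing NUL observable */
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

int main(void)
{
    char name[NAME_LEN] = "";
    const char *short_input = "alice";                                    /* constructed */
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes, constructed */

    /* The unbounded copy works on benign input, which is exactly why the bug survives review. */
    copy_name_unbounded(name, short_input);
    printf("unbounded copy of \"%s\": \"%s\"\n", short_input, name);

    printf("bounded copy of 40 x 'A': %d\n", copy_name_bounded(name, long_input));
    printf("buffer after rejected copy: \"%s\"\n", name);   /* still "alice" */

    printf("strncpy terminated for \"%s\": %d\n", short_input,
           strncpy_leaves_terminator(short_input));
    printf("strncpy terminated for 16 bytes: %d\n",
           strncpy_leaves_terminator("1234567890123456"));
    return 0;
}
```

The design choice worth noting is that the bounded version refuses input instead of truncating it: silent truncation turns a username or path into a different, possibly privileged, one, which is its own class of bug.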

How about virus defenders? One virus-scanner vendor actually hired virus writers to test its software, and that particular scanner has been a target for attackers ever since. Why? It turns out there is an industry that gathers information on attempts to defend against malware and tries to foil them, just as there is an industry that gathers information on malware and tries to defend against it. These two industries are in constant conflict, and nations often underwrite the attackers. Every step you take to protect yourself is countered by the next generation of malware.

Worse, some of the worst malware is not a virus at all, but software that perverts the design of the system in order to embed its own version of a feature that, under other conditions, might be valuable or attractive. Today everyone has heard of pop-up blockers, but few realise that the reason we need them is that someone at Microsoft had the bright idea of spawning a secondary window to show an advertisement whenever a user signed on to MSN. The malware mavens worked out how to abuse the mechanism, and suddenly people faced a flurry of windows they had to close before they could read the page underneath. The mavens did not care whether the advertisements were tasteful, so many of them were for porn sites. When enough little old ladies and parents complained, the pop-up blocker was developed. Note that in quite a few cases pop-ups still get through; just last week I had 61 tabs for a single site pop up in my browser. The difference is that blockers generally allow a new window only when it is opened in response to a user action, so instead of opening with the page, the windows now wait until the user clicks a link or button whose handler has been hijacked.

Since most of the time you do not know where the HTML of the page you are browsing actually came from (the site itself, an advertising network, a third-party script), this type of malware can be fitted in anywhere an outsider can write to the page source. Once Microsoft had spread the idea, pop-up blockers were required and doomed to fail, because there were other ways around the problem, some of which Microsoft built into its own operating systems.

Consider the wonderful idea Microsoft had of redirecting you to the update site when you were behind on updates and signed on to MSN. What is this but a more radical form of pop-up? Funny that pop-up blockers don't help in this regard, isn't it? Microsoft continues to build automatic pop-up-like software that gets past pop-up blockers. Should we be surprised if the malware industry learns from it how to bypass the blocker and put an advertisement for a site on your screen? Do you think the virus writers are any less smart? One problem that I have always seen with virus checkers is that once you have found the virus, it has already dropped its payload, except of course in cases where the file is not executed until the virus checker has scanned it. On-access scanning of that kind more or less eliminates known viruses (as long as they can be detected early enough) that arrive over e-mail, but it does not cover other forms of transmission, and it can do nothing about a sample the checker has no signature for.

Even if we could detect all viruses, there are still trojan horses: malware that masquerades as a valuable or useful application while also serving as the delivery vehicle for some other malware. With hundreds of sources of software on the internet, it is not surprising that many infections are based on trojans. As a result the virus checker has to detect the trojan as well, before it drops its payload. This would be a lot easier if dynamic link libraries were better protected; instead, infections often seat themselves in the system libraries by replacing a library with a copy that presents itself as a newer version, which the system accepts as an update.

Even the vaunted Registry in Microsoft products is vulnerable to insertion of malware, simply because it hides part of the start-up process in a database: an entry there (the Run and RunOnce keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER are the conventional spots) can launch a malware utility every time the computer restarts, and a user who does not know the software has installed itself cannot always defend against it.

Microsoft wanted to hide the complexity of start-up in a database that stored all the details, and in the end just gave malware another place to hide.

Advocates of the UNIX and Linux operating systems claim that they don't have viruses, but in fact some of the first and most notable self-propagating programs were found on UNIX machines. What those systems did was tighten up networking to the point where it is virtually impossible for someone to install a network-delivered program without either a degree in network software or an installation error. It doesn't help if you need a degree to install software on your free operating system.