Quote:
Originally Posted by Perineum: Too many people who I know that are careful seem to have been hit by this.
What does everyone else think of this theory?
Malware can be installed on systems with or without any user interactions.
With "drive-bys" where a victim only has to "land" at a malicious site, all you need is to get them to click on a link, which is fairly easy to do with social networking and URL shortening. However, in order for a malicious site to install code without user interaction/knowledge, it usually has to exploit some software vulnerabilities.
People know to keep Windows updated, but many malicious sites now exploit Flash, Acrobat and Java vulnerabilities to get their junk installed, and many people neglect those and other plug-ins (though later versions of Firefox will check some of them).
For malware installations that require user interactions, it may vary from a few clicks to manually downloading a file and then installing it.
Most browsers will give pop-up warnings for potentially dangerous scripts/actions; however, badly coded webpages or vulns on the servers may allow hiding of those pop-ups and clickjacking of any user action. So a victim may think s/he was simply closing a "site survey" pop-up.
Manually downloading and installing something may seem inexcusable, but there may be extenuating circumstances; remember how long it took to get people to stop executing email attachments.
Many people still think that they can only get infected by going to porn, warez and other "risky" sites, but as you know nowadays most web-borne malware is installed from compromised legitimate sites. The list of well known sites that had been compromised in the past is long and includes ASUS and NY Times. Many of those were from malvertisements (which may require the user to click on the ad) but users associate it with the landing site.
Secondly, people are told how easily Windows can get infected and how essential it is to have an up-to-date antivirus. Now imagine a user visiting a legitimate site s/he has been to before and suddenly there's this pop-up saying his/her system is infected and they need to download and run this file -- which their AV says is clean -- to remove the virus.
I can certainly understand why some people will download, run and even pay those FakeAVs.
As for defending against these threats, IMO most important is user education, making sure the system is patched up-to-date and using a restricted user account for day-to-day computing.
With antivirus, effectiveness against such web-borne malware varies greatly -- HTTP traffic needs to be scanned before it reaches the browser but some AVs still only scan files during disk I/O. Even if HTTP traffic is scanned, it's easy to bypass the signature detection engine by encoding scripts (some are generated dynamically) and updating the malicious payloads quicker than the AV vendors can update signatures.
AV/suites that include behaviour blockers (BB)/HIPS are much better equipped to deal with such threats; I personally don't recommend any AV that doesn't include them, but they are not foolproof either (since most require user interaction) and have not been as extensively tested as signature detection -- so there's no way to tell if the BB/HIPS in any of the AVs is as good as advertised.
Firewalls are not a good choice against this kind of attack. An inbound firewall doesn't block them. An outbound firewall may catch some components, but HIPS and BB are better and have less potential to cause conflicts.
Blocking scripts and Flash is great if you can live with blocking them on ALL sites; otherwise, while it does lessen the overall exposure, there's no way to tell if a legitimate site on which scripting and Flash are permitted by rule/user has been compromised.
And I never thought I'd say this, but with Vista and W7, IE is actually a fairly secure browser because it runs in "protected mode" and has much less privilege than Firefox and Opera. Chrome is pretty good too in that respect but then there's the privacy thing.
However, all the technology above is useless if the user finds it annoying (UAC gets disabled in many systems), doesn't know the security apps' limitations and is convinced that they need to install that piece of software.
As for cleaning up, the only practical way to *guarantee* that an infected system is clean is to nuke and reinstall. However, that's usually not practical. Normally with FakeAV what you see is what you get, but that doesn't mean the bad guys won't/haven't changed their tactics and piggybacked other stuff with it. In addition to basic removal I would recommend at least changing any password that's stored in the browser, and for the paranoid run AV scans from a Linux boot disc.
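The point above about scanning HTTP traffic and signature engines being beaten by encoded scripts, as an added example that is not part of the thread: a toy scanner that matches a constructed marker string on the raw response body, then again after peeling off percent-encoding, backslash-x escapes and String.fromCharCode(), and counts decoder-style calls as a behavioural hint. Everything here (the marker, the example.invalid URL, the sample bodies) is constructed for illustration.

```python
"""Why a signature engine that scans HTTP bodies misses an encoded script,
and how decoding common encodings before matching recovers the hit.
Added example, not code from the thread; every input is constructed and
the 'signature' is a harmless marker string, not a real detection rule."""
import re
from urllib.parse import quote, unquote

# Constructed signature: the cleartext fragment the engine is looking for.
SIGNATURE = "document.write('<iframe src=\"http://example.invalid/\">"

# Decoder-style calls: their presence alone is worth a heuristic flag.
DECODER_PATTERN = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")
CHARCODE_PATTERN = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")


def normalize(script: str, rounds: int = 3) -> str:
    """Peel off layers of percent-encoding, backslash-x escapes and fromCharCode()."""
    for _ in range(rounds):
        before = script
        script = unquote(script)                                     # %3C -> <
        script = re.sub(r"\\x([0-9a-fA-F]{2})",
                        lambda m: chr(int(m.group(1), 16)), script)  # \x3c -> <
        script = CHARCODE_PATTERN.sub(                               # fromCharCode(60,...) -> '<...'
            lambda m: "'" + "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()) + "'",
            script)
        if script == before:   # nothing left to decode
            break
    return script


def scan_response(body: str) -> dict:
    """Signature match on the raw vs. normalized body, plus a decoder-call count."""
    return {
        "raw_signature_hit": SIGNATURE in body,
        "normalized_signature_hit": SIGNATURE in normalize(body),
        "decoder_calls": len(DECODER_PATTERN.findall(body)),
    }


# Constructed HTTP bodies: the same script in cleartext and in two encodings
# that the browser unpacks at run time but a raw byte signature never sees.
PLAIN_BODY = "<script>" + SIGNATURE + "')</script>"
ENCODED_BODY = "<script>eval(unescape('" + quote(SIGNATURE, safe="") + "'))</script>"
CHARCODE_BODY = ("<script>eval(String.fromCharCode("
                 + ",".join(str(ord(c)) for c in SIGNATURE) + "))</script>")

if __name__ == "__main__":
    for name, body in [("plain", PLAIN_BODY), ("percent", ENCODED_BODY), ("charcode", CHARCODE_BODY)]:
        print(name, scan_response(body))
```

The raw match only fires on the cleartext body, while the decoded match fires on all three; the decoder count is the kind of signal a behaviour blocker acts on regardless of how the payload is wrapped.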