Malware scanners fail
Train users to minimize the risk
A recent spate of virus-ridden computers has left me feeling philosophical about the state of desktop management. Fortunately for me, these computers were not part of my corporate network; instead they were personal computers or servers maintained by other systems administrators. The cases come from all over: family, friends, that nice shopkeep with the excellent wonton soup, or a friend of a friend in over his head with a server he maintains for charity.
If you’re a sysadmin you’ve probably noticed the rate of serious infections is on the rise. Not piddly little spambots or keyloggers, but sophisticated rootkits that sneak in through gods only know what vector, establish themselves and then start downloading friends. Regardless of the anti-malware (AM) protection you have in place, these little gems blow right past it. If you are fantastically lucky, the attack kit that the malware downloads after getting its bearings will be clumsy enough that your AM software will actually let out a plaintive bleat, right before it is cruelly and finally silenced by the elegant and sophisticated attacker. More often than not, however, the malware will install completely silently. You don’t notice it’s there until it has connected to a command and control server and been ordered to download something annoying onto your computer. The favourite bits of accompanying downloadable malware at the moment are fraudulent anti-virus or “encrypt your data unless you pay” scams.
Malware isn’t solely a Windows phenomenon either; I have recently spent my time rebuilding a set of Macs after the infamous “someone who is most definitely not me” opened (and executed) some accursed e-mail attachment. In the past two weeks alone I have been presented with no less than five Linux systems, all of which had been systematically rooted and converted into command and control nodes for botnets. The past month has seen Windows 2000 through 7, OSX Tiger and Snow Leopard, RHEL 4, and Ubuntu 8.04 all pass through my bench. Every one of them so thoroughly compromised that rebuilding the systems was just quicker.
Because of the cross-platform nature of these attacks, I think it important to set aside the nerdrage operating system jihads that form when we start talking about malware infections and systems being rooted. I want to talk about general systems security here; malware and patch management. One of three factors (or a combination thereof) led to the demise of each of these systems. “Fundamental software design flaws” are simply not among them. In this article I want to tackle the first and most pressing of these: inadequate user knowledge.
It’s easy to rag on “stupid users.” Forums very quickly fill up with commenters preaching “some people shouldn’t be allowed on the internet.” Others shrug off inadequate user knowledge as some form of Darwinism that is anyone’s fault or responsibility other than our own. I challenge this notion; I will instead point the finger of blame at myself, and at every single one of you reading this article. If you are reading this article, then you have more than the average Joe’s knowledge of computers. Chances are very high that you are a programmer, systems administrator, IT management or a power user. We are the people in the know about computer security. If we don’t spread our knowledge, how can we expect users to ever learn?
The first and most important thing to teach our many and varied users is to stop using default configuration browsers. I don’t care if it’s IE, Chrome, Firefox, Safari, Opera or even Bolt. If you can’t throw NoScript (or an equivalent) on there, jettison it right now. Remember the part where the AM scanners are all fairly worthless? Even with the most sophisticated AM scanners on the market, a single cross-site scripting attack or infected Flash ad and you are hooped. In my experience, NoScript is something even the densest among us can learn if the individual teaching it has the time and patience to explain how it works. (Admittedly, you may possibly be explaining its function to certain users several times.) This one single tool can virtually eliminate two of the most common attack vectors with a 15-minute usage lesson, and for this reason alone needs to be first on the list.
Next up is PDF readers. Why anyone thought it was a good idea that PDFs be even a tenth as complicated as they are is absolutely beyond me. Regardless, infected PDFs have displaced infected office files as the “new black.” There are some simple and important solutions to this problem. The first is to disable as many of the plug-ins and add-ons in your PDF reader software as you feel you can get away with. Adobe Reader is by far the worst, but even Foxit or PDF-XChange can be vulnerable. If at all possible, switch to one of the two alternatives, and then disable their extra features.
If your users run Firefox, consider a plug-in called “Web Of Trust” (WOT). It essentially allows users from across the web to “rank” sites for trustworthiness, vendor reliability, privacy and child safety. It conveys this information through coloured circles next to links on a webpage, as well as an icon by your address bar. The system can of course be gamed; if Anonymous decides to alter the rating of a website that irks them, then they certainly have the manpower to do so. The point isn’t so much that WOT be one hundred percent reliable, but rather that its constant presence causes users to think about the fact that some websites may not be good places to go. The constant subtle reminder that there are in fact reasons to think about a website before visiting it has in my experience had the cumulative effect of raising user website paranoia. If nothing else, you’ll find they stay away from links with “red circles”, and this can do nothing but help keep their infection rate down.
As sadly worthless as AM scanners generally are, it is still absolutely vital to keep them around. They won’t block the latest and the greatest, but they do tend to pick up the many forms of malware that have been around long enough to be classified. Even the freebies like ClamWin or Microsoft Security Essentials generally make a noise before they are nuked, and the more sophisticated ones can take quite a pummelling before the malware eventually wins. My advice regarding AM scanners is twofold: first and foremost, have more than one. You need a resident scanner, preferably something with some teeth (ESET, Symantec, BitDefender, etc.). These full-blown suites come with hooks into your e-mail software, your browser, and usually incorporate a fairly robust application-specific firewall. You also need some non-resident scanners that you can fire up after the primary has bought the farm. Malwarebytes’ Anti-Malware is top of my list, with Trend Micro’s HouseCall a close second. A quick GooBing will bring up numerous other alternatives.
The second bit of AM scanner related advice is that the user needs to be trained in their use. AM scanners are not fire-and-forget missiles; you need to keep an eye on them, otherwise one day they will be silently killed by some new piece of malware and you won’t even have noticed.
The difference between various pieces of security software is critical as well. It is a rare user who understands the difference between an AM scanner and a firewall. When connected to the internet, it is critical to keep your shields up. The number of users I see running systems naked to the net (no firewall or even a home router) is absolutely appalling. Microsoft did a good thing incorporating a firewall into XP SP2, and by the time Windows 7 rolled around it was robust and reasonably impenetrable. The problem is that users have no clue how to use it. I’ll lay some of the blame for that one on Microsoft’s shoulders; it most certainly isn’t the most intuitive interface in the world. The rest needs to be shared by the users themselves, and those who should have trained them in the basics of their computer’s security. If our users disable their firewalls because they “get in the way,” then a user training intervention is absolutely required.
There are other things users need to know, but which probably aren’t going to get through. “Don’t open attachments from strangers” is always good advice, but those infected attachments can come from trusted friends and colleagues as well. “If you get infected, pull the network cable out and call for help” would probably also be high on my list, but then how can they use myface or catch up on twitter? I don’t have the answers to these ones, except to say that each user must be handled differently; their reasons for disobeying common sense need to be addressed individually. They aren’t going to read a website telling them all about security, but you’d be surprised how much stock they put in a five minute conversation with the nerd working the counter at Futureshop.
Though I have covered a few points above, I have saved the most important user training item for last. If you don’t remember any suggestions from this article then I want you to remember this one; teach your users not to run as the superuser. Modern operating systems can be run at hybrid privilege levels. Each task executes as an unprivileged task, but the option to run it as the superuser is little more than a right-click away.
Now I’m an old luddite; I simply abhor change for change’s sake. I need a strong reason to embrace anything new, and I want you all to know I love my Windows XP. It has been a faithful old friend for a very long time, but ladies and gentlemen...its time has come. Mac OSX, Linux and Windows 7 all can be run as non-privileged users. Each of these operating systems has a mature and robust method for escalating tasks that require administrative privilege to run. XP does not. With XP, you are running as administrator or you are not. As such, depending on how poorly behaved the programs your users run are, the case can be made in XP that you actually “need” to run as administrator. If this is truly the case then it is time to bite the bullet, and upgrade to Windows 7 or Linux. There is just no longer an excuse for an ordinary user to ever be running as the superuser.
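One way to check two of the points above on a Unix-like desktop, as an added example that is not part of the original article: it reads a process listing and flags internet-facing applications running as uid 0, and a resident scanner that is no longer running. The process names, the sample listing and the function names are assumptions chosen for illustration.

```python
import os

# Constructed sample of `ps -eo uid,user,comm` output (not from a real host).
SAMPLE_PS = """\
  UID USER     COMMAND
    0 root     systemd
    0 root     firefox
 1000 alice    firefox
 1000 alice    acroread
    0 root     /usr/local/bin/acroread
  115 clamav   freshclam
 1000 alice    bash
"""

# Assumed process names; replace with the software actually deployed.
INTERNET_FACING = {"firefox", "chrome", "opera", "acroread"}
RESIDENT_SCANNERS = {"clamd"}


def parse_ps(text):
    """Yield (uid, user, process name) for each data row of the listing."""
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # header, blank or malformed line
        # Some platforms print a full path in COMMAND; keep the base name.
        yield int(parts[0]), parts[1], os.path.basename(parts[2].strip()).lower()


def audit(text, risky=INTERNET_FACING, scanners=RESIDENT_SCANNERS):
    """Return findings: risky apps running as uid 0, and scanners not running."""
    procs = list(parse_ps(text))
    findings = [
        f"PRIVILEGED: {name} is running as uid 0 ({user})"
        for uid, user, name in procs
        if uid == 0 and name in risky
    ]
    running = {name for _, _, name in procs}
    findings += [
        f"SCANNER-DOWN: resident scanner '{name}' is not running"
        for name in sorted(scanners - running)
    ]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PS):
        print(finding)
```

Run from a scheduled job against live `ps` output, an empty result means no listed application is running as the superuser and every expected scanner process is still alive.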
As important as user training is, there are two other very important factors to discuss in relation to malware and patch management. The first is patch management itself, both at an operating system level and an application level. The last and possibly most heartbreaking reason for system compromise is misconfiguration. Misconfiguration is something that I consider largely a server problem, but desktop administrators need to bear this burden as well. My next article will explore both of these, and try to uncover what we as systems administrators can do to harden the desktops in our care.