Going commando on the internet

Contrary to popular belief, Microsoft is NOT a PC, nor is a PC Microsoft. Most of us have learned what we know from friends, family and acquaintances, all of whom have asked the same question, one based on an assumption: “What version of Windows are you using?”

Given the dominance of Microsoft in the marketplace, it’s an understandable assumption that everyone else uses Windows too. The idea that anything else can exist does not even cross many users’ minds, so the things that are almost exclusive to Windows are seen as “PC” issues, rather than being given the accurate label of “Microsoft” issues.

I’ve recently switched from Windows XP Pro to Mandriva Linux 2007 and am having to relearn and adapt, misconceptions and all. It feels odd, but liberating… it also allows your PC to be more productive in doing what YOU want it to do. When you have to bolt on lots of programs just to keep your PC working, they take up resources which could be used to help you do what you want to do.

The most obvious of these is the “PC virus” (I include all malicious code like Trojans, keyloggers etc. in this category). These are targeted at MICROSOFT flaws; they do not affect Linux, UNIX or Apple Mac users. The paranoid mindset of having a good anti-virus program constantly updated, with regular scans, is not needed outside a Windows operating system… it is hard to retrain your mind to accept that you don’t need it outside Windows. I can dance happily through the wilderness of the internet with no anti-virus, and be confident of being totally safe. It is the PC equivalent of going commando in a field of thorns.

The programmers of malicious code want to hit as many users as possible with as little customization of their work as possible. They know that most users will use Windows, and that many of those will use the built-in Windows programs like Internet Explorer or Outlook Express. They also know that many users don’t keep their PCs updated, or have no anti-virus or firewall protection… they are ripe for exploitation.

To infect a PC they have to get their code to execute (run) on the user’s PC… somehow. Most attempts arrive either in unsolicited email (spam) or on an innocent-looking website which runs a script to download the file and run it. With some setups the user is like a moth in a hurricane; with others they don’t even notice the draft.

Malicious code is written for WINDOWS PCs and as such is in a WINDOWS format. The hackers know that a normal user in Windows has ADMINISTRATION rights. This means that the code will run and change whatever it likes without you seeing ANYTHING, or being asked for anything. Microsoft sees this approach to security as “we don’t want to keep interrupting the users to ask permission for something, so we give permission as standard”… it’s an “ease of use” idea. It’s also a hacker’s dream.

I’ll run through the website infection comparison next. In these Windows examples, whether or not you’re hit, and how badly, depends on what versions of different things you have and whether they’re patched up to the minute. Internet Explorer 6 has different holes to Internet Explorer 7; Windows Vista may have a security hole in its Outlook Express that Windows XP Pro didn’t. Your AVG may not have detected the virus you’re being hit with yet, where McAfee may have, and fitted a patch… if you have it updated.

There are so many combinations which alter the steps below… but ALL Windows versions have some common threads. This is by no means a complete list, but a taster to give you the idea. These programs are the ones targeted by hackers, along with the operating system itself. They seek out and exploit security flaws in THESE programs… of which there are ALWAYS more found, quicker than they can be patched.

  1. They ALL have Internet Explorer

  2. They ALL have Windows Explorer

  3. They ALL have Outlook Express

  4. They ALL have Windows Media Player

  5. They ALL have Windows Messenger

  6. They ALL have a C: drive with the Windows and Programs folders

Windows with Internet Explorer.

  1. The download script on the infected website runs, and Internet Explorer acts on it without any questions asked. The script tells the user’s PC to download the infected file, and then execute (run) it once downloaded.

  2. The file executes as instructed, and installs itself into the heart of the system (usually C:\Windows\System32\ or C:\Programs\), overwriting safe files like iexplore.exe (Internet Explorer) with an infected version.

  3. Your anti-virus program (assuming it’s up to date and running) lets you know the file is infected (in most cases… and often AFTER it’s infected) and offers to start a scan to remove it. Avast (free for home use) is a notable exception here, in that it spots the infected file and gives you the option to disconnect from the website… something ALL anti-virus programs should do in my opinion.

  4. The sequence of installation steps can be invisible to the user, or it can show as a changed home page which you cannot undo, or a flood of pop-ups when you browse, or a shortcut you can’t delete… or no sign at all.

Windows with a decent browser like Firefox (with the NoScript extension).

  1. The download script tries to run, but is stopped by the NoScript extension. It needs to be allowed to run. Sometimes this does not stop them, but 99% of the time it will.

  2. Since many websites use many scripts (most of which are benign), it’s easy to allow a script without knowing it’s dangerous… so we’ll assume you have allowed one by mistake.

  3. A download confirmation window pops up asking you to accept “iexplore.exe”. This would be a red alert for me… you cancel it. No doubt it will keep trying if you stay on the page… but we’ll assume you have accepted by accident.

  4. Your anti-virus program (assuming it’s up to date and running) lets you know the file is infected (in most cases… and often AFTER it’s infected) and offers to start a scan to remove it.

  5. The infected file downloads and executes as instructed by its creator… and installs like the steps above. Notice the safeguard steps between visiting and being infected?

Linux / UNIX with any browser (they are all designed with security in mind), but for this example we’ll assume Firefox (again with the NoScript extension).

  1. The download script tries to run, but is stopped by the NoScript extension. It needs to be allowed to run. Sometimes this does not stop them, but 99% of the time it will.

  2. Since many websites use many scripts (most of which are benign), it’s easy to allow a script without knowing it’s dangerous… so we’ll assume you have allowed one by mistake.

  3. A download confirmation window pops up asking you to accept “iexplore.exe”. This would be a red alert for me… you cancel it. No doubt it will keep trying if you stay on the page… but we’ll assume you have accepted by accident.

  4. The infected file downloads and tries to execute as instructed by its creator… and a box pops up on your PC asking you what to do with this bizarre .exe or .dll file. These are WINDOWS formats. They are useless on a Linux / UNIX or Apple Mac PC.

  5. Let’s assume you have an emulator like WINE or Cedega which tricks your Windows software into thinking it’s running on a Windows PC. It knows what an .exe and a .dll are… and won’t ask. If you don’t have an emulator there will be no C: drive, as this is a WINDOWS file system, which means no Windows\System32\ or Programs\ folders.

  6. ALL system administration needs ROOT access. Any time you try to install or uninstall a program you need to enter the ROOT password; without that… it can do nothing. But for this, let’s assume that when the root password was asked for you gave it… again, that’d be a red flag for me if it popped up without my initiating it.

  7. The infected program executes as it’s programmed to do… only to find that all the extra files it relies on to worm its way into your PC don’t exist… and that the emulators have to be intentionally run.

Since malicious code is written for Windows, and is usually in .exe or .dll format, there are several hoops it has to jump through before it can run. For me, an infected site only ever gets to step 2… or if it’s very sneaky and I’m exhausted, it may occasionally get to step 3. Writing malicious code for Linux / UNIX or Apple Macs is simply not worth a hacker’s time and hassle.

  1. There are hundreds of distributions with different configurations of programs… which would mean writing LOTS of different versions of the code, along with a script to detect which operating system a visitor is using… so they can be sent the right version. Linux allows you to disable or limit your net footprint… so this can be misleading.

  2. ALL Linux / UNIX systems require ROOT access to install, and have many safety steps between the website and the user’s PC. The default user account is a USER, not a ROOT one, with limited rights on the system.

  3. Linux packages (programs) come with all different file extensions, and are handled in different ways by different distributions. I need .rpm files, someone on Ubuntu needs .deb (NONE do .exe or .dll unless through an emulator). Many require compiling on the user’s PC, which requires a little command line interaction.

  4. Most Linux users have taken some measures to learn about their PC, and learn to interact with it more. This means they are often better educated in spotting malicious code attempts on websites… so they won’t accept the infected file in the first place.

  5. Linux / UNIX is a community-based setup, which means that it’s built and maintained by the people. Those people find flaws very quickly, and also work very quickly to patch the system. Often a security hole in your PC will be fixed before you knew it was there… hours, or at the most, days later.
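The two hurdles in steps 4 and 6 of the Linux sequence above (a Windows-format file that the native system won’t run, and a system directory an ordinary user can’t write to) can be checked from a shell. This is an added example, not code from the original post; the sample files are constructed in a temp directory and nothing in them is executed.

```shell
#!/bin/sh
# Added example, not part of the original post. It checks the two hurdles the
# post describes on Linux: a downloaded file carries a Windows PE header that
# the native loader will not run, and system directories are not writable
# without root. Sample files are constructed in a temp directory; none is run.

# Print the container format of a file from its first four bytes (the "magic"):
# pe, elf, script or unknown.
classify_file() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        4d5a*)    echo pe ;;       # "MZ": Windows/DOS executable (.exe/.dll)
        7f454c46) echo elf ;;      # "\x7fELF": native Linux/UNIX binary
        2321*)    echo script ;;   # "#!": interpreter script
        *)        echo unknown ;;
    esac
}

# Succeed (0) if the current user can write into the given directory, i.e. an
# installer could drop files there without asking for the root password.
system_dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample: a fake "iexplore.exe" starting with the MZ header.
    printf 'MZ\220\003\001' > "$tmp/iexplore.exe"
    # Constructed sample: a fake native binary starting with the ELF header.
    printf '\177ELF\002\001\001' > "$tmp/native"
    for f in "$tmp/iexplore.exe" "$tmp/native"; do
        printf '%s: %s\n' "$f" "$(classify_file "$f")"
    done
    if system_dir_writable /usr/bin; then
        echo "/usr/bin is writable: this shell is running as root"
    else
        echo "/usr/bin is not writable: installing there needs the root password"
    fi
    rm -rf "$tmp"
}

demo
```

Run as an ordinary user the second line reports that /usr/bin is not writable, which is the ROOT password prompt of step 6 seen from the file system’s side.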
