OT: Computer attacks EVAN!!



Tin Falcon
03-02-2007, 11:21 AM
Evan or any other expert.
I installed/updated Norton AV yesterday. Since that time I have been getting alerts that my computer has been attacked and the threat has been blocked.
1) How can a neophyte find out where these attacks are coming from? The numerical computer address is given in the security report.
2) Can/should this be reported to anyone?
3) Is there anything that I, the operator, can do to prevent this?
I know: not to be connected unless using online services, and to update AV/security software. I just have a single computer that is connected via dial-up.
4) Any ideas/suggestions?
Tin

Evan
03-02-2007, 11:30 AM
Is there anything that I, the operator, can do to prevent this?

Sure, it's easy. Uninstall Norton and install AVG. Problem solved.

http://free.grisoft.com/doc/1

pcarpenter
03-02-2007, 11:32 AM
There are so many "script kiddies" out there doing port scans all the time looking for vulnerabilities that you will have to consider this a regular occurance.

I am guessing you installed their firewall and *that* is what is giving you all these notices. If that is the case, you may want to turn down the warning threshold somewhat...ie...maybe log these attempts, but not have every one generate an on-screen warning.

Without more details, its a bit hard to know if these attempts are real exploit attempts or mere port scans which happen all the time....and are the reason to use a firewall. Its even worse if you have broadband service where the attacks/scans can happen even faster :D

Paul
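A way to act on Paul's advice (log the attempts, only look closely at the ones that single out a service) is to triage the blocked-connection entries by source rather than alert on each one. This is an added example for this thread, not code from Norton or from any poster; the log format below is constructed for the example and is not Norton's real report format.

```python
"""Triage 'attack blocked' firewall entries: separate background port scans
from repeated attempts against one service.

Added example; the log format (time, source IP, destination port, action)
is constructed for illustration and is not Norton's real report format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of blocked inbound connection attempts (not a real log).
SAMPLE_LOG = """\
2007-03-02 09:01:03 src=203.0.113.7 dport=135 action=blocked
2007-03-02 09:01:03 src=203.0.113.7 dport=139 action=blocked
2007-03-02 09:01:04 src=203.0.113.7 dport=445 action=blocked
2007-03-02 09:01:04 src=203.0.113.7 dport=1025 action=blocked
2007-03-02 09:01:05 src=203.0.113.7 dport=1433 action=blocked
2007-03-02 09:01:05 src=203.0.113.7 dport=3389 action=blocked
2007-03-02 09:10:11 src=198.51.100.20 dport=445 action=blocked
2007-03-02 09:12:40 src=198.51.100.20 dport=445 action=blocked
2007-03-02 09:15:02 src=198.51.100.20 dport=445 action=blocked
2007-03-02 09:17:33 src=198.51.100.20 dport=445 action=blocked
2007-03-02 09:30:00 src=192.0.2.55 dport=80 action=blocked
"""

SCAN_PORTS = 5                    # distinct ports from one source within SCAN_WINDOW
SCAN_WINDOW = timedelta(minutes=2)
REPEAT_HITS = 3                   # same port from one source within REPEAT_WINDOW
REPEAT_WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Parse one constructed log line into (timestamp, src_ip, dport); None if not a block."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[2:])
    if fields.get("action") != "blocked":
        return None
    return ts, fields["src"], int(fields["dport"])


def classify_source(events):
    """Label one source's (timestamp, port) events: 'port-scan', 'repeated-probe' or 'single'."""
    events = sorted(events)
    # Sliding window: many distinct ports in a short time is scanner noise.
    for i, (t0, _) in enumerate(events):
        ports = {p for t, p in events[i:] if t - t0 <= SCAN_WINDOW}
        if len(ports) >= SCAN_PORTS:
            return "port-scan"
    # The same port hit repeatedly means one service is being singled out.
    for i, (t0, p0) in enumerate(events):
        hits = sum(1 for t, p in events[i:] if p == p0 and t - t0 <= REPEAT_WINDOW)
        if hits >= REPEAT_HITS:
            return "repeated-probe"
    return "single"


def triage(log_text):
    """Group blocked attempts by source and return {src_ip: (label, count)}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dport = parsed
            by_src[src].append((ts, dport))
    return {src: (classify_source(ev), len(ev)) for src, ev in by_src.items()}


if __name__ == "__main__":
    for src, (label, n) in sorted(triage(SAMPLE_LOG).items()):
        # Scans get a one-line tally; repeated probes are the ones worth a look.
        print(f"{src:16} {label:15} {n} blocked attempts")
```

The source address is all the report gives you; the label tells you whether it is worth more than a tally.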

Evan
03-02-2007, 11:40 AM
Take Norton off. Norton antivirus is a giant pig and resource hog. It installs unneeded "features" and can slow down even the fastest machine. You don't need another firewall, XP already has a stateful inspection firewall. Norton also hasn't been very secure lately and several critical vulnerabilities have been discovered repeatedly that in some cases run through their entire product line.

It also costs money, which AVG for home use doesn't. AVG also works better and puts much less load on the machine except when it is actually doing a scan.

Peter N
03-02-2007, 12:57 PM
Evan , I appreciate that you probably know more about PC's than me, but why does everyone hate Norton AV so much?

I have the AV software (but not the other Norton bloatware packages) installed on 2 PC's at work and 3 at home, and have been happy with it for 5-6 years now.

It works very well for me and my kids, seems to work very well for blocking viruses, and once you've done a tweak to get rid of the admittedly annoying security centre popup from the system tray it runs pretty seamlessly and doesn't slow any of the PC's down to an extent that anyone would notice.

I've no affiliation obviously, but just wonder why people seem to pan it all the time.

Peter

Fueler
03-02-2007, 01:02 PM
Dump Norton. Use AVG.

Evan
03-02-2007, 01:07 PM
but why does everyone hate Norton AV so much?

Because it deserves it. The latest version of the Norton security suite runs about 14 different processes in the background. Aside from what I have already mentioned it also has a nasty habit of not uninstalling correctly. Symantec also has a reputation of making it difficult or even impossible in the past to renew your subscription in order to force you to upgrade. It also doesn't catch everything. Although no antivirus software can, Norton seems worse in that regard.

Even just Norton Antivirus alone is enough to bring an older computer to its knees whereas AVG has no appreciable negative effect.

SGW
03-02-2007, 01:24 PM
I'm using Norton Antivirus on my computer right now. I just checked the process list, and it shows the NAV processes using 0% CPU time. In 10+ years of use at home and 10+ use on my PCs at work (mandated by the company), I have NEVER noticed that NAV is "a pig."

(Now, this is just Norton Antivirus. I don't know about their "Security Suite," most features of which I have no interest in.)

Peter N
03-02-2007, 01:33 PM
But is much of that subjective, or experience?

I'm not really trying to defend it, but it does do the job it is supposed to. All my connections are always-on ADSL, and no virus has crashed any of the systems since installing the software. We re-subscribe every year via the software interface and it takes about 2 minutes, although the versions we are using are 2004-2006 rather than 2007.
Ok this costs me 150 a year for all 5, but has proved its worth IMO.

None of the PC's are new (all but one are Dell btw), 2 are 6 year old 8200's and all the systems have at least 1GB of RAM, some RDRAM some SD.
I run very processor and memory intensive CAD models in Solidworks with the AV in the background

So what I am doing that makes my experience different, or am I just the lucky 'one'?

Peter

Evan
03-02-2007, 01:35 PM
The older versions of Norton weren't bad. It didn't become really bad until after the 2002 version. A lot depends on the user settings. Most users never alter the default settings which are to check everything every time it is even glanced at by the OS. That's plain dumb but it's a cover your ass legal thing. All AV software really needs to do is guard the gate.

Wirecutter
03-02-2007, 01:46 PM
Well you can count me as one of those that enthusiastically hates Norton. It's a resource hog, it does things behind my back (that it doesn't need to be doing), it's expensive, it nags me, it doesn't work correctly, and it is, like a virus, difficult to completely get rid of. I have a 2 year old computer that, when Norton "does something", gets so bogged down that it can't even keep the mouse cursor position up to date.

Symantec has become the Microsoft of the AV business in all the worst ways.

-Mark

madman
03-02-2007, 02:59 PM
I used to use AVG, updated religiously. Then two days into a new Pentium 4 system, major virus problem, complete format. AVG didn't stop it. Now I've been using new (bought it) Norton and have had no problems. If I'm gaming I just turn it off and at the update periods I leave it alone. No problems. But then I'm in the shop a lot and not always in front of the evil computer.

BadDog
03-02-2007, 03:54 PM
Likewise, add me to the dump Norton camp, along with McAfee and most of the rest, though Norton seems the worst. Me, I've been running with NO AV for over a year on multiple machines with not so much as a single virus, worm, spy, or mal-ware intrusion. And this is on Windows XP and IE with a simple router based firewall (all the Windows crap is turned off). But you gotta know what you're doing and I wouldn't recommend it for most...

Evan
03-02-2007, 04:57 PM
But you gotta know what you're doing and I wouldn't recommend it for most...
Agree. I don't use AV software either except on my mail server. It is also set to filter out all executable file types. Never had a virus get through it yet.

In case anyone wonders what I use on the mail server it is F-Prot for DOS.

J Tiers
03-02-2007, 06:04 PM
jah.... Norton is bad, McAfee is at least as bad.


For every "Norton worked when AVG failed" story, there are (my WAG) 2 dozen "Norton didn't work" or "Norton was worse than the viruses" stories.

McAfee spent the last 30 days of its 1 year run popping up a message to renew, LITERALLY EVERY 40 SECONDS!

I shot it in the head, and have never gone back.

Norton/Symantec at work...... capable of taking a 3 GHz machine down to the "AT crawl" all by itself. If it's scanning, forget doing ANYTHING else, unless you bring lunch and dinner. Regardless of what you set priority to.

AVG has worked very well, even when people have clicked on virus-laden messages by mistake.....

cuemaker
03-02-2007, 06:53 PM
Well, I haven't had any virus checker on this computer for the 1.5 yrs that I have had it since I built it. I do occasionally run Spy Sweeper and a registry mechanic program.

I just downloaded the AVG virus checker, updated it and did a full scan of my computer.

Not one single issue was found.

So to say "I have used Norton/AVG for years without any issues" may not exactly say anything for the products themselves. Sometimes maybe we are lucky. I certainly will let the AVG program run in the background because some protection is better than none and I don't need to press my luck anymore.

Is the spyware program worth using and keeping in my tray also? Or is Spy Sweeper good enough?

Thanks

aostling
03-02-2007, 07:18 PM
Sure, it's easy. Uninstall Norton and install AVG. Problem solved.

http://free.grisoft.com/doc/1

Or, get a Mac.

I went to high school with Peter Norton (in Seattle). I wonder if even HE uses NAV these days.

Mike W
03-02-2007, 07:33 PM
I use Trend Micro and don't have any problems. I renewed it for 2 years and the cost was about $34.

rohart
03-02-2007, 08:20 PM
I always thought his heart wasn't really in it for several months before he sold out, wasn't it to Informix first, in the early nineties? Commander was his only real brilliance. I made my editor on those lines.

Pity there was never a market for multiple DOS windows, macros etc. I've never found a sensible way to windofy it along the lines of Salamander, which I don't think cuts the mustard. Too unwieldy, when it's slickness you're after in the first place.

madman
04-16-2007, 08:22 PM
It's the WORST program out there. They don't know what they are doing and I'm amazed they are even in business today. Dullards, they should learn to flip burgers cause that's where they're headin real fast.

wmgeorge
04-16-2007, 08:55 PM
I agree with Evan. The OLD Norton was great, the OLD PC Tools was great (we are talking 5-10 years ago); now it's exactly what Evan describes... it is an oink oink, take it off.



The older versions of Norton weren't bad. It didn't become really bad until after the 2002 version. A lot depends on the user settings. Most users never alter the default settings which are to check everything every time it is even glanced at by the OS. That's plain dumb but it's a cover your ass legal thing. All AV software really needs to do is guard the gate.

CCWKen
04-16-2007, 09:12 PM
Add me on the "Norton is crap" list. Besides being a pig and worthless, it's the most hacked AV software in the World. It has to run so many processes to keep itself from being hacked. It's so busy testing itself, nothing else runs. I'd say within a week, you'll find a virus on your system.

Dump it and get AntiVir!

wierdscience
04-16-2007, 09:22 PM
I have found what works best for me is to have all my AV programs stored safely away on CD in the CD rack until needed.

I find that running Adaware and Spybot S&D takes care of most problems I have.

studentjim
04-16-2007, 09:45 PM
I used NAV all the time until they tried to screw me out of a rebate two years in a row. Sent them an email saying they could keep the rebate and I would keep my money at renewal time. Had my rebate within three weeks but I use avast antivirus now. No more NAV

speedsport
04-16-2007, 10:10 PM
I had Norton AV installed just long enough to see that it was trying to move in and take over, DUMP!, downloaded and installed AVG and haven't looked back.

cybor462
04-16-2007, 10:33 PM
Well well young men...... I have Norton and I feel it is the best bang for the buck! So do not even try to dump on it. It must be because you guys are not secure enough to use it.

Ok now that I p*ssed you all off I can say SLOW DOWN,COOL OFF.;)

Really, I use Norton and so far it does a good job. It has caught a few virus/bugs but not many as I scan all the time and keep fairly high security on my system.

And Oh did I tell you I do not go to porn sites. You pervs out there that do:D get most of that stuff from those sites.

Now now it is not that I do not like the fair sensual bods of great looking naked babes!:cool:
It is just not worth all the trouble with adware/spyware/virus and the like.

So maybe you need to revise the dump on Norton by saying or adding the disclaimer;

Do not use Norton if you're babe hunting online on porn sites. The software gets too excited and fails to perform (he he) see I gots humor, and then allows attacks on your system. May just be getting you ready for when the wife finds out where you be surfin!:eek:

ckelloug
04-16-2007, 10:34 PM
Norton scored nearly last in the tests run by Virus Bulletin, a trade journal of the antivirus industry. AVG and F-Prot are both much better at detecting and cleaning viruses according to the Virus Bulletin test as are almost *ALL* other antivirus programs except perhaps for McAfee.

F-Prot is a pay product but it's 20 bucks a year for personal use and that license applies to 5 computers you own personally. I found it many years ago cleaning up an outbreak of the Monkey virus. They have a free trial version and a free DOS version so when somebody calls you and you need another AV program besides AVG and ClamAV, it's handy.

Evan
04-17-2007, 01:56 AM
I use the DOS version of F-Prot to check all the mail on my mail server. The mail handler hands every e-mail to a DOS shell and F-Prot checks it and hands it back with a flag set or not set. F-Prot DOS can't be attacked by any of the usual windows bugs as it doesn't depend on Windows at all. It has never missed a virus yet. It's very fast too.

cybor462
04-17-2007, 10:09 AM
I use the DOS version of F-Prot to check all the mail on my mail server. The mail handler hands every e-mail to a DOS shell and F-Prot checks it and hands it back with a flag set or not set. F-Prot DOS can't be attacked by any of the usual windows bugs as it doesn't depend on Windows at all. It has never missed a virus yet. It's very fast too.
Could that be used in a DOS shell within Windows or would that be defeating the purpose of keeping it outside the Windows environment?

Maybe I need to make a change.

Swarf&Sparks
04-17-2007, 10:27 AM
Damn!
Misleading headline
"Computer attacks EVAN!!"

I know he's retired but I doubt there's a computer on the planet that would dare attack Evan. :eek:

ckelloug
04-17-2007, 10:59 AM
Evan would just sic his "Guard-PDP-11" on it and any computer that would dare attack Evan would be sent yelping into the sunset.

tattoomike68
04-17-2007, 12:32 PM
Your first line in security is a router.

I don't even use antivirus or a firewall, for over 3 years now.

sch
04-17-2007, 04:27 PM
FWIW the computer mags were really down on Norton, in the time frame Evan mentions, '02 et seq, but reviews of the most recent version, being sold right now, have been much more favorable. Bloatware is a term that has been applied but IIRC that has been toned down a bit in the most recent version. Essentially all the commercially available firewall/AV programs have moved to the subscription model, though freeware versions of several exist, but not of the complete packages. So you have to get a firewall here, AV there, antispam and antispybot elsewhere. Windows firewall is an in blocker only. Commercial firewalls are in and out blockers, reducing the ease with which a computer can be converted to a zombie. If anything gets past the Windows FW it does nothing to block outflow.

J Tiers
04-17-2007, 08:16 PM
Well, I haven't had any virus checker on this computer for the 1.5 yrs that I have had it since I built it. I do occasionally run Spy Sweeper and a registry mechanic program.

I just downloaded the AVG virus checker, updated it and did a full scan of my computer.

Not one single issue was found.

So to say "I have used Norton/AVG for years without any issues" may not exactly say anything for the products themselves. Sometimes maybe we are lucky. I certainly will let the AVG program run in the background because some protection is better than none and I don't need to press my luck anymore.


I have found what works best for me is to have all my AV programs stored safely away on CD in the CD rack until needed.

I find that running Adaware and Spybot S&D takes care of most problems I have.

Good luck, kiddies.....! You are very trusting and credulous, watch out that someone doesn't lure you with a nice piece of candy......

I recently took 30+ adware and 314 viruses off a friend's computer. With AVG, by the way, that and Spybot and Adaware. They had NO AV stuff on at all.

He and his wife used it for business only, and it had slowed to a crawl, barely able to work, and unable to do anything on the 'net.

The viruses etc had apparently deleted the XP firewall, and had set up blocks to prevent web access to AVG, ZoneAlarm, and other AV sites.

So much for the "I'm all right, Jack" school of computer maintenance.

Peter Sanders
04-17-2007, 10:43 PM
Hi

After reading the others' comments, I would like to add my own. I have been in the computer industry since 1975, so I do have some experience.


Evan or any other expert.
I installed/updated Norton AV yesterday. Since that time I have been getting alerts that my computer has been attacked and the threat has been blocked.

This is something that (nowadays) is happening ALL the time as computers are searching for other computers that they can attack or otherwise compromise.

It HAS been going on "behind the scenes" on your pc for a long time, it's just that now NAV is showing you the instances.


1) How can a neophyte find out where these attacks are coming from? The numerical computer address is given in the security report.

In my experience, via my own pc, they mostly came from Taiwan or China, though they can be from ANYWHERE worldwide. I turned off these warnings after ensuring that they were all being blocked by my Firewall/AV program.


2) Can/should this be reported to anyone?

Not really, it would be a waste of your time trying to isolate the pc and then trying to find out the user - forget the idea.


3) Is there anything that I, the operator, can do to prevent this?

No, you cannot prevent the attempts, though of course you DO want to prevent any security breach.

With broadband a good router with an inbuilt firewall is the first step.


I know: not to be connected unless using online services, and to update AV/security software. I just have a single computer that is connected via dial-up.

If you are on dialup then you need a software firewall and AV.


4) Any ideas/suggestions?

My preference and STRONG recommendation is the TrendMicro Internet Security Suite (TIS). It is IMHO the BEST Firewall/AV out there. Many of the products including NAV do the job though in varying degrees of capability.

Norton Anti Virus (NAV) though good, is well known to be a resource hog. This is true of many versions. The VERY early NAV were ok, though they did not catch many of the viruses at the time.

BTW the standard Windows firewall is not the best at its job. It *IS* better than nothing at all, but there are many BETTER products out there of which TIS is the best.

Ignore the comments about being ok without AV. Yes we can all take the risk but why bother when it is now relatively simple to take good preventative measures. Those that have been without AV have been lucky and most likely on broadband with an inbuilt firewall.

Just blocking EXE files may not prevent attacks. Viruses have been known to be included in many more file types including IMAGES!
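Evan's mail-server setup (earlier in the thread: every message handed to a scanner, with all executable file types filtered out) and Peter Sanders' caveat that blocking EXE files alone is not enough can be shown together in one attachment gate. This is an added example for this thread, not Evan's actual configuration and not F-Prot code; the scanner hand-off is assumed to follow this gate, and the message and its attachments are constructed test data.

```python
"""Attachment gate for an inbound mail filter.

Added example; not Evan's mail-server code and no F-Prot involved (the scanner
hand-off is assumed to come after this gate). It implements the 'filter out
executable file types' step and shows why an extension check alone is not
enough: a renamed executable is caught by its MZ header, while a genuine image
passes this gate and still depends on the scanner and a patched image parser.
"""
import os
from email import policy
from email.message import EmailMessage
from email import message_from_bytes

# Extensions Windows runs directly; illustrative, not an exhaustive list.
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Content signatures checked regardless of the file name the sender chose.
EXEC_MAGIC = b"MZ"              # DOS/Windows PE executables start with "MZ"
JPEG_MAGIC = b"\xff\xd8\xff"    # JPEG start-of-image marker


def classify_attachment(filename, payload):
    """Return a verdict for one attachment from its name and its leading bytes."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXEC_EXTENSIONS:
        return "blocked:executable-extension"
    if payload.startswith(EXEC_MAGIC):
        # Name claims image/document, bytes say executable: block it anyway.
        return "blocked:executable-content"
    if payload.startswith(JPEG_MAGIC):
        # A real JPEG cannot be judged safe by its header alone; it passes this
        # gate and must still be handed to the virus scanner.
        return "pass:image-needs-scan"
    return "pass"


def attachment_verdicts(raw_message):
    """Parse a raw RFC 5322 message and classify every attachment in order."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True)   # bytes, transfer-encoding undone
        verdicts.append((name, classify_attachment(name, data)))
    return verdicts


def build_sample_message():
    """Construct a sample message with four attachments (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "tin@example.com"
    msg["Subject"] = "invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("plain text notes", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00fake-program", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    # The same executable bytes renamed to look like a photo.
    msg.add_attachment(b"MZ\x90\x00fake-program", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"\xff\xd8\xff\xe0fake-jpeg-data", maintype="image",
                       subtype="jpeg", filename="real.jpg")
    return bytes(msg)


if __name__ == "__main__":
    for name, verdict in attachment_verdicts(build_sample_message()):
        print(f"{name:12} {verdict}")
```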

cybor462
04-17-2007, 10:49 PM
Just started a well needed adware/spyware scan. Geez I am now paranoid.

BadDog
04-18-2007, 01:51 PM
In general, I agree on most points.

Ignore the comments about being ok without AV. Yes we can all take the risk but why bother when it is now relatively simple to take good preventative measures. Those that have been without AV have been lucky and most likely on broadband with an inbuilt firewall.
Not necessarily true. For the average user, yeah; but you can actually be much safer with no AV if you know what you're doing. The only protection I have in place is a simple router with firewall closing down almost all ports. But my OS, email, browser, etc. are all reconfigured from defaults, defaults which are the actual root of the problem. And it has nothing to do with being "lucky" as I have intentionally tried to infect this computer and did not succeed.



Just blocking EXE files may not prevent attacks. Viruses have been known to be included in many more file types including IMAGES!
Absolutely true. You can get a "virus" from many unexpected sources including data files if the system that processes them has vulnerabilities. The use of JPG images as a propagation vector had to do with the fact that the processing system had a defect that allowed you to take the input (what was supposed to be just) data, but was actually just binary code like you would find in an exe, and then set IP (a register, but IP stands for instruction pointer) to that address to begin execution of the data as code. Obviously this applies to anything, but with the prevalence of JPGs on the web, obviously this was a huge issue. BTW, technically, this was a trojan, not a virus.

One other thing to consider, there are online "AV tools" which proclaim great things, they even give you a free on-line scan, or even a free tool to download. Some are honest attempts at providing a useful product/service teaser using a valid advertising technique. But others are just scams that may report HUNDREDS of virus/spy-ware/mal-ware/trojan/etc. infections, SO YOU BETTER BUY OUR FULL FEATURED PRODUCT RIGHT AWAY SO WE CAN CLEAN THESE FOR YOU!!!! Likewise, such a tool might claim to be detecting attacks when there are none as a means of making the user confident in their purpose AND more likely to jump on that subscription plan! For the Novice, these can seem very valid and scary, and the real is difficult to separate from the fiction. This probably does not apply to the current issue since it seems to be related to NAV, which like any "big name" would have too much to lose to stoop to that level, but something to think about.

Evan
04-18-2007, 02:44 PM
Known as "The JPEG of DEATH".

The very latest vulnerability is a "zero day" exploit that takes advantage of a bug in the animated cursor routines in user.dll. All versions of Windows are affected and it allows complete owning of your box. Make sure you do your update and if you aren't keen on Windows update there is a third party patch that I am more impressed with as the only change it makes is to restrict the allowable source of animated cursor files to the system directory.

Get the patch here: http://research.eeye.com/html/alerts/zeroday/20070328.html

Note that this vulnerability is called a zero day vulnerability because it was discovered and exploited by the hackers first. That means there were zero days to react to the threat and patch systems. There are thousands of malicious websites using this exploit and merely visiting the site will take over your machine. It can also be e-mailed.

Evan
04-18-2007, 02:49 PM
This probably does not apply to the current issue since it seems to be related to NAV, which like any "big name" would have too much to lose to stoop to that level, but something to think about.
I don't think they are above reporting every single ping as an "attack".


Evan would just sic his "Guard-PDP-11" on it and any computer that would dare attack Evan would be sent yelping into the sunset.
Heh. That was much more modern than the first machine I programmed.

http://vts.bc.ca/pics/g15.jpg

All vacuum tubes.

BadDog
04-18-2007, 03:22 PM
The very latest vulnerability is a "zero day" exploit that takes advantage of a bug in the animated cursor routines in user.dll. All versions of Windows are affected and it allows complete owning of your box. Make sure you do your update and if you aren't keen on Windows update there is a third party patch that I am more impressed with as the only change it makes is to restrict the allowable source of animated cursor files to the system directory.

Also note that this threat is not significant if you do not run as admin. The worst it can do is crash the app that tried to display it...

Evan
04-18-2007, 05:20 PM
The word is that there are unpatched privilege escalation vulnerabilities, including in Vista. Once it has any amount of control it can escalate to system privilege because .ani file execution is a system function.

From the link I posted:



Impact:
Arbitrary code execution under the context of the logged in user
A web browser remote code execution vulnerability has a very high impact since the source of the malicious payload can be any site on the Internet. An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials. Exploitation impact can vary from the reported trojan installation to full system compromise by coupling this attack with a privilege escalation vulnerability to acquire SYSTEM access.

cuemaker
04-18-2007, 07:05 PM
Good luck, kiddies.....! You are very trusting and credulous, watch out that someone doesn't lure you with a nice piece of candy......

I recently took 30+ adware and 314 viruses off a friend's computer. With AVG, by the way, that and spybot and adaware.They had NO Av stuff on at all.

He and his wife used it for business only, and it had slowed to a crawl, barely able to work, and unable to do anything on the 'net.

The viruses etc had apparently deleted the XP firewall, and had set up blocks to prevent web access to AVG, Zonealarm, and other AV sites.

So much for the "I'm all right, Jack" school of computer maintenance.

Well, let me be a little more thorough in my comment. I have had a personal computer connected to the Internet since 1991. I currently have 3 connected to the net, my work puter, wife's and a laptop for the kids. I have built my own except the laptop. The laptop was wiped clean with a fresh install of XP when I got it. I have never, ever had a program like AVG, Norton or McAfee running. I have done spyware stuff etc but don't remember when I started that.
Only virus I ever remember having to deal with was Yankee Doodle(1993?).

Since that post of mine, I now have AVG running and it scans all 3 every nite. Not one single issue reported.

About 2 weekends ago, I checked my in-laws'. They have had that puter for about 5 yrs. Up till recently they had an adult son living with them (and he isn't bright whatsoever) who loved to cruise porn. Only issues they had were pop-ups that deeply pissed off my religious in-laws. So it was my job to remove that stuff. I ran AVG, Spybot, a registry mechanic and cleaned up some stupid program stuff. Only issues were stuff like "Tangent?"sp? and the like for adware. Removed. No virus stuff.

That is the sum of my personal experience.

BadDog
04-18-2007, 08:36 PM
Evan:
Yes, there is always a risk of a privilege escalation vulnerability being exploited.

But the reality is, something WAY over 99% of these "attacks" (of whatever flavor, trojan, virus, whatever...) are actually very "dumb" and clumsy when you get down to it. Just finding examples in the wild of exploits using these escalation vulnerabilities on Windows is exceedingly rare. On the other hand, black-hats attempting to escalate privileges on other platforms, such as various *NIX flavors, is pretty common because the native culture teaches users to NOT use admin/root except specifically where required. Thus, to do anything of consequence, you MUST find a way to escalate. And this was true all the way back to the days of hacking Mainframes. This is completely inverted in the Windows culture which tries to ignore the admin/user issues altogether by having everyone run as admin (Vista being the first real attempt to change that).

Consider the following:
1) In general, escalation is not required for most Windows instances. Any code a user executes is already running as admin! So return on effort to implement an exploit of one or more escalation vulnerabilities is very small.
2) Escalation vulnerabilities are among the highest priority fixes. So they get fixed ASAP with the resulting patches pushed aggressively to those affected. This means to have a decent increase in total compromised systems, you have a very narrow window of opportunity to maximize return. Beyond that, you need to implement multiple exploits to catch enough of those who did not apply the patch in order to make it at all worthwhile.
3) The most desirable targets are those with "always on" connections, and the vast majority of these are novice users (or not) with cable/DSL who also tend to leave Auto Update turned on. So window of opportunity for significant payback of an escalation exploit is, again, relatively small.
4) Identifying and utilizing escalation vulnerabilities usually requires a greater level of skill and understanding than most exploits exhibit. Triggering a kernel mode transition (the most common path of/to escalation) AND getting your code to run IN that context is much, MUCH harder than just getting your code to run.

So, adding these escalation exploits to a given attack increases its size and complexity for something that won't improve results for the vast majority of systems. Most are either already admin OR patched if not. Even the most diligent of hackers will quickly work this out for themselves and opt for a single, relatively simple exploit that they have discovered (via information sharing or through their own experimentation/examination) that will still net over 99% of what the extra work would have gotten them.

I've worked with "ex-hackors" in the past, and as usual, the Hollywood version (or Slashdot) could not be further from the truth. Most Windows "HaX0rZ" :rolleyes: are anything BUT a diligent and brilliant computer elite, intimately familiar with both computer software AND hardware. Rather they are most often more like the childish prankster who delights in stuffing a potato in your exhaust for kicks because he read it on a web site, even though he doesn't understand anything relevant about cars or IC engines much less why it might work (or not) in a given scenario. Not a great analogy, but it was the best I could come up with on short notice. There are exceptions obviously, but even the exceptions, particularly being that they are the smartest of the bunch, are not prone to doing the extra work for small gain. These "best of the bunch" are also often in it only for the prestige and/or challenge. Because of the perceived vulnerabilities in Windows, the majority of which are due to the culture of never even closing the door, much less locking it, there is no prestige even if you DID find and implement a supremely elegant hack. As a result, many of these higher caliber hackers will tend to gravitate to hacking non-Windows systems for the added prestige and generally show complete contempt and disdain for Windows hackors.

Now, if the Windows culture changes, due to education or measures like those introduced into Vista (neither are likely given the whining over UAC in Vista), then escalation will become part of the required toolkit for hacking on Windows. But until then, simple economics and human nature will make it a very small concern.

Evan
04-18-2007, 10:23 PM
BadDog,

There is another element in the equation today that didn't apply just a few years ago. Money. Many of the people hacking Windows systems are doing it for plain old cold cash. They build bot nets and then sell them for cash to criminally minded people, often located in the former East Bloc countries to use for extortion, porn distribution and identity theft. Many of the "hackers" are simply programmers from those countries who have fallen on hard times with the reduction in defense spending and related jobs.

In this case this attack was well orchestrated. Many web sites have been hacked to present the vuln to visitors and many more have been set up with harmless appearing themes (not just porn) to catch more fish (over 2000 sites so far). On top of that there has been a major coordinated "spam run" featuring links in the spam that direct users to these sites.

This isn't the work of a frustrated nerd who can't get laid. This is a professional job.



A second group in Eastern Europe, which has been known to use other vulnerabilities in Microsoft's software to install malicious software on machines, "have also added the .ani attacks to their arsenal," Websense said. Those attacks are directed at servers and users in the U.S.

The motivation of the Eastern European group appears to be collecting banking details using form-grabbing software or keyloggers, Websense said. The group has also been known to try to use exploits to install bogus anti-spyware programs.


http://www.tmcnet.com/usubmit/2007/04/10/2473510.htm

BadDog
04-18-2007, 10:55 PM
I'll agree with that assessment 100%. And you're right, that statement about relative ability of hackors was based on past experience, not recent changes. Things are always changing in this field. But even when you mix in the economics of down on their luck "real" programmers with non-trivial skill sets (including some post boomers in the US), the return on investment still doesn't support the cost/value of rights escalation attacks. When you can compromise 1000 computers without the effort, or 1002 (and it may not net any increase at all) with more than twice the work, why bother?

I'm not saying there is no profit motivation to hack Windows, that would be WAY off base. I'm just saying there is no motivation for trying to exploit escalation vulnerabilities that may exist. They are too hard to find, too hard to implement when you do, and soon after they are first exploited, they are identified and become super high priority for a fix as well as instantly slashdotted so people are looking for the fix. Simple Trojans and primitive social engineering of users running as "admin" is still FAR and away the leading contributor to successful "attacks". And that won't change until the culture changes. Nothing MS or aftermarket AV can do will make much difference until then. To think otherwise is like expecting cops to stop crime. They *might* stop it once in a while if they happen to be in the right place and recognize that it's happening, but generally they are just attempting to clean up the mess. Hmm, still not an ideal analogy, but much better than my last I think... ;)