Softpanorama


Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80, October 2013



Chapter 3: Architectural Methods of Malware Defense

Architectural methods of increasing Windows malware protection level

The architectural steps that help to increase Windows security are listed below, in order of increasing complexity and return on investment:

  1. Predominant use of a non-privileged account for Web browsing and mail. Windows has no standard component like su or sudo in Unix for changing privileges "on the fly" (runas and, since Vista, the UAC elevation prompt are the closest equivalents), but you can log in as administrator in a separate session, for example via VNC. Malware that runs under a standard user account is far better contained by Windows than malware that runs under an account with admin privileges. Unfortunately the dominant culture of Windows usage is to use the all-powerful admin account for everything. Only some large enterprises restrict their users to proper "less powerful" accounts, as they can afford to administer PCs with separate dedicated staff and are more interested in standardization and the security of corporate data than in the productivity of individual users.
     
  2. Using a separate "user data" partition: the dual-partition Windows configuration. Splitting the "system" hard drive into a smaller C: partition (say 100-120 GB) and a larger data partition is a very simple step in Windows 7 (which can shrink the system partition on the fly from Disk Management) and a logical one: it makes restoration of your OS from backup much easier (as user data live on a separate partition) and makes your personal data more secure and more easily recoverable. On desktops, instead of shrinking the system partition and creating a new one for data, it is easy to install a second hard drive. This approach is also possible on laptops with a replaceable media bay, for example Dell Latitude laptops: you can simply replace the DVD drive with a second hard drive and use a USB DVD drive when needed.

    Not only does this simple step make both backup and reinstallation of Windows much simpler, it also permits using the Softpanorama spyware removal strategy. The key idea behind this strategy is that a good disk imaging program is worth a dozen anti-spyware and anti-virus tools. That does not mean they are useless. Microsoft Security Essentials is a good free AV tool that is well integrated with Windows and well tested for compatibility, so ignoring it is unwise; the same applies to Windows Defender, which is also adequate, as most modern malware are worms or Trojans rather than viruses if we use the strict definition of a computer virus. But even for a company with huge resources like Microsoft it is very difficult to cleanly uninstall sophisticated malware that was designed with one or several mechanisms for recreating itself if some part survives the cleanup. By restoring an image you can defeat even the most sophisticated spyware. The only precaution is that you need multiple (for example daily) backups, as the point of infection can be quite remote in time from the point of detection. It also makes sense to perform a full backup of drive C: before installing any new program. A Windows 7 64-bit system partition without user data typically occupies around 60 GB; a Windows XP system partition is typically 50 GB or less (if user data are stored on a different partition). Backing up a partition of that size takes less than an hour, a minuscule amount of time compared with the time usually spent restoring a Windows system after an infection (two or three days are common). You can do it daily or weekly, but in any case this way you always have several previous versions, some of which may not be infected. A full C: partition backup also provides a baseline that lets you understand what changes an installation performed on your system.

    Add to this a registry snapshot (less than 200 MB) and you are well equipped to resist even the most sophisticated malware. Unlike an AV program, which depends on the recency and quality of its signature database, this approach works without needing to understand what the malware does: it simply returns you to the status quo. One caveat: a partition image does not cover firmware, and whether it includes the boot sector depends on the imaging tool, so check what your tool restores.
     
  3. Dual-browser arrangement and periodic cleaning of cookies. Using two browsers instead of one can dramatically increase your protection from Web exploits. For example, you can use IE with the Internet zone set to High security (which allows no scripts to be executed) for the open Web and Firefox for trusted sites only. You can also set IE to delete its temporary files when you close the browser (it does this automatically in InPrivate browsing mode, which should be used as the most secure way to access "grey" sites). This makes it more challenging for malware authors to infect IE8 or IE9: malware authors typically target a "typical setup" and are keen to exploit some third-party application full of security holes (the standard Trojan horses of all PCs: Adobe Acrobat/Reader and the Flash plug-in ;-). Using IE in High security mode also partially cuts off "snoopers" like Facebook, since their scripts do not run; blocking third-party cookies in the Privacy settings cuts them off further.
     
  4. Eliminating the most odious snoopers from your software. The line at which software that performs snooping can be classified as malware is very fuzzy. In addition to Facebook, which is an information collection site masquerading as a social site, many legitimate sites and programs now have snooping components and periodically connect to a "mothership" to transmit some information from your computer. So the line between spyware and legitimate programs gradually becomes more and more fuzzy. For example, programs developed by Google (the Google toolbar, Chrome, etc.) also have a huge appetite for collecting information about your browsing activities, especially if you are logged in as a Google user, so that the activity can be associated with your account. With Google+ it looks like Google's business model is not that different from Facebook's, and that is why they promote Google+ as if there were no tomorrow. That means that as a browser or email software developer Google is much less attractive than as the author of a search engine.

    Periodic cleaning of cookies also helps to preserve your privacy and should be scheduled as a weekly activity. It is also possible to preserve just selected cookies for sites you trust, as cookies are often used to simplify authentication to a site. At least this shows all those jerks who collect information about you who is in control :-). This requires some discipline but can be implemented by all Windows users. A stronger version of this defense uses the browser on a second (possibly virtual) PC (see below).
     
  5. Running a "trusted computer" on one machine and the Web browser on a second computer (virtual or "real") with a "disposable" image. The best way to create a "disposable computer" on a real PC is to use Remote Desktop from your main machine to the second computer. The second machine can be a Linux machine (in this case you can use VNC). When you enable Remote Desktop on a Windows machine, by default anyone who belongs to the local Administrators group on that machine can log on to it remotely using Remote Desktop Connection (other accounts must be added to the Remote Desktop Users group). If you are a power user, the other way to achieve this is to run Windows Disk Protection (part of Windows SteadyState) on XP or emulate it on Windows 7. Windows 7 Professional, Enterprise and Ultimate allow running a second Windows instance (so-called XP Mode) which can be used for this purpose. This requires the qualification to set up the second computer as a "disposable image computer" and to use Remote Desktop. See also Managing Remote Desktop and Windows Disk Protection for more information.
     
  6. Periodic (say weekly) prophylactic reimaging of your computer from a trusted image. This method is often used in university labs and has proved to be quite efficient for malware protection, especially against RATs (remote access Trojans), which convert your PC into a remotely controlled zombie. On most PCs the set of installed applications nowadays is quite static, and this fact makes creating a so-called "trusted image" much simpler. If you update your trusted image in parallel with the main computer, then restoring it takes little effort when you are infected or need to perform some highly secure activity like filing your annual tax return (it goes without saying that your tax return should be copied from the hard drive to a USB drive and a backup CD-ROM; do not leave highly confidential data like your tax return on your primary computer). You can also use a separate computer for highly confidential activities. Many households have such computers collecting dust in the closet. Reimage it once a year (for tax preparation) or each time you need to do something that needs additional security, and do not use it for Internet browsing.

    You can use the "brute force" approach and restore the image using a Ghost-like program (for example Acronis True Image) or a Linux live CD and Partimage. If your laptop has an SSD this method is pretty fast, with a restore taking less than 20 minutes. In this case the "window of opportunity" for malware is the period between re-imagings of the computer. Moreover, as the image is static, you are better equipped to scan the registry, the system folders and the Users folder for new executables that have entered the system. Note that reimaging C: does not touch the data partition, so executables dropped there survive the reimaging and must be caught by that scan.

    This method is suitable mainly for advanced Windows users and IT professionals.
     

  7. Using a Web proxy. This is the typical method used in enterprise environments for protecting users. If you have a box with a Web proxy (either real or virtual) you can point your Web browsers to it, and this does much more to increase your security than is possible just by using two browsers in different security modes. For a home office and small firms Squid can be used; larger firms typically use appliances like Blue Coat. This method can protect you from many threats as well as from the excessive attention of Facebook and other information-collecting monsters. It also moves the definition of "trusted sites" to the proxy level. In a corporate environment it also serves as an anonymizer of sorts, as all requests come from a single IP address. This method requires some Linux qualification and the desire to learn Squid or other Web proxy configuration. Keep in mind that a proxy only sees traffic that is sent to it: malware that ignores the browser's proxy settings goes around it unless direct outbound access to ports 80 and 443 is blocked at the firewall (see item 10).
     
  8. Tandem computing: one disposable computer, possibly firewalled from the trusted computer. Use two computers with a common Samba share: one disposable, recreated from an image on each reboot and used for insecure services like Web browsing, and one "trusted" that has no Web browser installed. The disposable computer can be either Linux or Windows (Linux means that you will be limited to Firefox as your primary and only browser). All Web browsing is done only via the disposable computer, to which you connect either via Windows Remote Desktop or VNC. This arrangement can be enhanced with a firewall. The disposable computer can be either a physical computer or a virtual instance. Windows 7 Professional and higher allow running Windows XP (XP Mode), which can be your "disposable system"; this permits using this configuration on laptops. The shared folder is the one channel between the two machines, so keep what crosses it to data files and treat anything arriving from the disposable side as untrusted. This method requires a good understanding of networking and the ability to configure Samba, Remote Desktop or VNC.
     
  9. Introducing "on the fly" integrity checking and/or baseline checking of the registry and critical directories. With current laptops with SSD drives and 3 GHz dual-core CPUs, scanning the hard drive does not consume many resources, and if it is artificially slowed down it is not even noticeable. The simplest way is to compare critical directories and critical parts of the registry with a baseline. This is the only method that detects critical configuration changes as soon as they occur, "in real time". But this method requires quite a bit of discipline in maintaining the baseline and in installing or upgrading applications and the OS on your computer. Typically installation of applications and upgrades of the OS should be done on a reference computer on which there is no user activity. An individual user can create such a reference computer by buying a second hard drive identical to the one installed in the desktop/laptop for the system image, and swapping it in each time software needs to be installed. Without maintaining a reference image it is difficult to spot an infection of your primary computer. In addition, the existence of a reference image simplifies verification that nobody ran anything beyond what is installed on the computer. This is the way images are created in corporate environments. The check itself should run from a trusted environment (for example a Linux live CD with the Windows partition mounted), since a kernel-level rootkit can hide its files from a scanner running inside the infected OS.

    Usually this method requires the existence of support personnel who are at least part-time responsible for the maintenance of the reference image, so it is difficult to implement for an individual user. But this is the only method that allows you to protect yourself from a compromise introduced by an insider who has physical access to the computer, for example a corporate spy who tries to install some programs on your computer. (In modern PCs you can also set a boot password, making booting your computer without credentials much more difficult. Some laptops also have the capability to use smart cards for boot authentication; Dell Latitude is one example.)
     
  10. Firewalling your network, controlling traffic to the Internet via a Web proxy and network address translation. This allows logging of all rejected connections and as such provides "on the fly" information about components of the PC that are trying to communicate with the outside world without your permission and outside your control. Typically such a setup requires a high level of qualification and is support-intensive, so it is limited to large corporate environments, although I have seen it in some computer enthusiasts' home networks.
     
  11. Use of your own DNS root servers. Running your own internal DNS root (a resolver that knows only your internal zones and cannot resolve Internet names) stops many attacks cold, as after infection the malware will not be able to figure out how to communicate back to its "mothership". It can still do damage like deleting or modifying information on the computer, and it can still reach any server it addresses by a hard-coded IP address, which is why this step is combined with the firewall of item 10. Several major corporations use this approach for protecting internal networks (not just the DMZ but the whole internal network). This is a major undertaking and requires good knowledge of DNS and analysis of typical activity on the computer.
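Item 7 above says a proxy moves the definition of "trusted sites" to the proxy level and cuts off snoopers for every machine behind it, and item 8 gives the disposable machine looser rules than the trusted one. The squid.conf fragment below is added here as an example of that policy and is not from the original notes or from the Squid project. It assumes Squid 3.x on a Linux box listening on port 3128, a home LAN of 192.168.1.0/24, the disposable browsing machine at 192.168.1.50, and two domain lists in /etc/squid/ (one dstdomain entry per line, such as ".microsoft.com" or ".facebook.com"); all of these addresses and file names are assumptions.

```squid
# Added example squid.conf policy fragment (assumed addresses and file names).
http_port 3128

acl localnet src 192.168.1.0/24          # assumed home LAN
acl disposable src 192.168.1.50          # assumed disposable browsing machine
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# "Trusted sites" and "snoopers" are defined once, here, not in each browser.
acl trusted dstdomain "/etc/squid/trusted.txt"
acl snoopers dstdomain "/etc/squid/snoopers.txt"

# Weak setting seen on many home proxies: the proxy caches and logs but
# enforces nothing, so it adds no protection at all.
#   http_access allow localnet

# Corrected policy. Rules are evaluated top to bottom, first match wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny snoopers                # nobody on the LAN reaches these
http_access allow localnet trusted       # trusted machines: trusted sites only
http_access allow disposable             # the disposable box may browse "grey" sites
http_access deny all                     # everything else is refused and logged
                                         # (TCP_DENIED lines in access.log)

# Make all requests look like they come from the proxy itself.
forwarded_for delete
via off
```

After editing, check the syntax with `squid -k parse` and apply it with `squid -k reconfigure`. The TCP_DENIED lines in access.log are the interesting part: on a trusted machine they show which programs tried to reach sites you never approved.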
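Items 6 and 9 above describe comparing the system folders and the Users folder against a static baseline and looking for executables that were not there before. The script below is added here as a worked example of the file-system half of that check; it is not from the original notes. It hashes every file under a directory tree, saves the baseline as JSON, and on a later run reports added, removed and modified files, flagging the ones Windows would run or load as code. The registry half is not covered (export the hives with `reg export` and diff the resulting text files the same way). The `demo()` function builds a constructed temporary tree with invented file names; the suffix list, the command-line syntax and the baseline file name are assumptions.

```python
"""Baseline integrity check for a directory tree (added example, not from the original notes).

Usage:
    python baseline.py snapshot <root> <baseline.json>   # record the trusted state
    python baseline.py compare  <root> <baseline.json>   # report what changed since
"""
from __future__ import annotations

import hashlib
import json
import sys
import tempfile
from pathlib import Path

# File types Windows runs or loads as code (assumed list; extend as needed).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx",
                       ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, dict]:
    """Map every regular file under root (relative path, '/' separators) to size and hash."""
    state: dict[str, dict] = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            state[rel] = {"size": path.stat().st_size, "sha256": sha256_of(path)}
        except OSError as exc:  # locked or unreadable file: record it, do not abort the scan
            state[rel] = {"error": str(exc)}
    return state


def save_baseline(state: dict[str, dict], file: Path) -> None:
    file.write_text(json.dumps(state, indent=1, sort_keys=True))


def load_baseline(file: Path) -> dict[str, dict]:
    return json.loads(file.read_text())


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Diff two snapshots; 'new_executables' is the subset to look at first."""
    old_paths, new_paths = set(baseline), set(current)
    added = sorted(new_paths - old_paths)
    removed = sorted(old_paths - new_paths)
    modified = sorted(p for p in old_paths & new_paths
                      if baseline[p].get("sha256") != current[p].get("sha256"))
    new_executables = sorted(p for p in added + modified
                             if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES)
    return {"added": added, "removed": removed,
            "modified": modified, "new_executables": new_executables}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, simulate an infection, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows" / "System32").mkdir(parents=True)
        (root / "Program Files" / "App").mkdir(parents=True)
        (root / "Windows/System32/kernel32.dll").write_bytes(b"original dll")
        (root / "Program Files/App/app.exe").write_bytes(b"app v1")
        (root / "Program Files/App/readme.txt").write_bytes(b"docs")
        baseline = snapshot(root)
        # Changes a dropper typically makes: a new binary with a look-alike name and
        # a patched system DLL, plus benign noise (a log written, a file deleted).
        (root / "Windows/System32/svchosts.exe").write_bytes(b"dropper")
        (root / "Windows/System32/kernel32.dll").write_bytes(b"trojanized dll")
        (root / "Program Files/App/app.log").write_bytes(b"benign log")
        (root / "Program Files/App/readme.txt").unlink()
        return compare(baseline, snapshot(root))


def main(argv: list[str]) -> int:
    if len(argv) != 4 or argv[1] not in ("snapshot", "compare"):
        print(__doc__)
        return 2
    mode, root, baseline_file = argv[1], Path(argv[2]), Path(argv[3])
    if mode == "snapshot":
        save_baseline(snapshot(root), baseline_file)
        return 0
    report = compare(load_baseline(baseline_file), snapshot(root))
    for key, paths in report.items():
        for p in paths:
            print(f"{key}: {p}")
    return 1 if report["new_executables"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Take the snapshot on the reference computer (or from the live CD with the Windows partition mounted), keep the JSON file off the scanned machine, and re-snapshot after each approved update; otherwise Windows Update turns every run into noise. A scanner run inside a compromised OS can be fooled by a rootkit, which is why the trusted environment matters more than the script.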





Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Last modified: March 12, 2019