Trojans, Rootkits, and the Culture of Fear

Felix, I could buy a PC better than the Mac mini at a lower price.

As virus removal specialists we often run into new viruses before the AV companies know about them. The new rootkit versions are a nightmare unless you have a signature for what the infection looks like and detect it by booting off an alternative operating system using a live CD (e.g. BART, Linux Live, attaching the hard drive to a third-party machine …). We are dealing with this by using a home-brew application that recognizes known good files (using hash algorithms and file info) and then checking out the unknowns and adding them to our database. As always, the old-fashioned boot-from-an-alternative-disk method is still the best for removing viruses and malware (alternate data streams, however, can be a pain).

Our best detection / validation method is to watch traffic from a supposedly clean machine on the firewall. It soon gives itself away by sending spam (which we block), going to weird sites and other strange behaviour.

While virtualisation is a good answer it also requires truckloads more resources and cost than the average user can handle. It is also adding another piece of technology to defeat an issue which shouldn’t exist.

I am not a Linux bigot or a Mac fanatic, but those systems don't get infected like Windows. IE is the main bugbear here and it is not going away. As long as Microsoft keep adding functionality as part of their operating system's kernel functions, or integrated into the kernel, we are stuffed.

Using Mozilla Firefox, Safari or Opera reduced most spyware infections by 95%. Disabling ActiveX reduces your chances of catching spyware further. Using Thunderbird, Eudora, Lotus Notes, etc. for email reduces your chances of an infection to almost zip; then disable Messenger, SSDP and other unneeded services from running and you have a very hardened system.

We surf all over the net with no problems. Our PCs use less than 100 MB of RAM on startup and we don't get virused. We also have admin rights on our PCs but removing those may make us more secure. However, two solid years of surfing all over the net chasing rubbish and we are still safe.

The issue is not admin rights, it is hardened machines with the excess crud turned off and safe programs (patched as required) running in place of insecure apps. My 2c worth
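The comment above describes a home-brew tool that recognizes known good files by hash and file info and sets the unknowns aside for inspection. The following is an added example of that triage approach, not the commenter's tool: it builds a known-good database from a clean reference tree, then walks a suspect tree and sorts each file into known, unknown (content not in the database, so it must be checked out), or renamed (known content under a different name, which is worth a second look). All file names and contents are constructed for the demo; SHA-256 stands in for whatever "hash algorithms" the original tool used.

```python
"""Known-good file triage by content hash (constructed example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_database(clean_paths):
    """Map sha256 -> (expected file name, size) from files taken off clean media."""
    database = {}
    for path in clean_paths:
        path = Path(path)
        database[sha256_file(path)] = (path.name, path.stat().st_size)
    return database


def triage(suspect_root, database):
    """Classify every file under suspect_root against the known-good database."""
    report = {"known": [], "unknown": [], "renamed": []}
    for path in sorted(Path(suspect_root).rglob("*")):
        if not path.is_file():
            continue
        entry = database.get(sha256_file(path))
        if entry is None:
            # Content never seen on clean media: candidate for manual inspection,
            # and for promotion into the database once it is confirmed benign.
            report["unknown"].append(str(path))
        elif entry[0] != path.name:
            # Same bytes as a known-good file but carrying a different name.
            report["renamed"].append(str(path))
        else:
            report["known"].append(str(path))
    return report


def demo():
    """Build a clean tree and a suspect tree in a temp dir and triage the latter."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        suspect = Path(tmp) / "suspect"
        clean.mkdir()
        suspect.mkdir()
        # Constructed stand-ins for pristine system binaries.
        (clean / "notepad.exe").write_bytes(b"GOOD-NOTEPAD")
        (clean / "calc.exe").write_bytes(b"GOOD-CALC")
        database = build_database([clean / "notepad.exe", clean / "calc.exe"])
        # Suspect machine: one untouched file, one modified, one renamed copy.
        (suspect / "notepad.exe").write_bytes(b"GOOD-NOTEPAD")
        (suspect / "calc.exe").write_bytes(b"GOOD-CALC-PATCHED")
        (suspect / "svchost.exe").write_bytes(b"GOOD-NOTEPAD")
        report = triage(suspect, database)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(bucket, names)
```

The database is keyed by content hash rather than by name, which is the point: a modified `calc.exe` lands in "unknown" no matter what it is called, and a copy of a good binary dropped under another name is reported separately instead of silently passing as known.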
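The same commenter's best validation method is watching a supposedly clean machine's traffic at the firewall until it gives itself away by sending spam. As an added example (not the commenter's setup), the script below parses a few constructed firewall log lines in a simple `SRC=... DST=... PROTO=... DPT=...` layout and flags internal hosts that open outbound SMTP (TCP/25) connections to many distinct destinations, ignoring the organisation's own mail relay. The log format, addresses, relay address and threshold are all assumptions made for the demo.

```python
"""Flag hosts that fan out outbound SMTP connections (constructed example)."""
import re
from collections import defaultdict

# Assumed log layout; adapt the pattern to whatever the firewall actually writes.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)

# Constructed sample: .10 talks to the company relay and a web site;
# .20 sprays mail at six different hosts in a few seconds.
SAMPLE_LOG = """\
2006-03-02T10:00:01 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP DPT=25
2006-03-02T10:00:02 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP DPT=80
2006-03-02T10:00:03 SRC=192.168.1.20 DST=203.0.113.11 PROTO=TCP DPT=25
2006-03-02T10:00:03 SRC=192.168.1.20 DST=203.0.113.12 PROTO=TCP DPT=25
2006-03-02T10:00:04 SRC=192.168.1.20 DST=203.0.113.13 PROTO=TCP DPT=25
2006-03-02T10:00:04 SRC=192.168.1.20 DST=203.0.113.14 PROTO=TCP DPT=25
2006-03-02T10:00:05 SRC=192.168.1.20 DST=203.0.113.15 PROTO=TCP DPT=25
2006-03-02T10:00:05 SRC=192.168.1.20 DST=203.0.113.15 PROTO=TCP DPT=25
2006-03-02T10:00:06 SRC=192.168.1.20 DST=203.0.113.16 PROTO=TCP DPT=25
2006-03-02T10:00:07 SRC=192.168.1.20 DST=198.51.100.9 PROTO=UDP DPT=53
this line is deliberately malformed and must be skipped, not crash the parser
"""

# Assumed: the only host that should ever talk SMTP to the outside.
COMPANY_RELAY = frozenset({"203.0.113.5"})


def parse_log(text):
    """Return (records, skipped_count); malformed lines are counted, not fatal."""
    records, skipped = [], 0
    for line in text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            skipped += 1
            continue
        record = match.groupdict()
        record["dpt"] = int(record["dpt"])
        records.append(record)
    return records, skipped


def smtp_fanout(records, relays=frozenset(), threshold=5):
    """Map src -> number of distinct non-relay SMTP destinations, for hosts at or above threshold."""
    destinations = defaultdict(set)
    for rec in records:
        if rec["proto"] == "TCP" and rec["dpt"] == 25 and rec["dst"] not in relays:
            destinations[rec["src"]].add(rec["dst"])
    # Distinct destinations, not raw connection count: a retry to one host is not fan-out.
    return {src: len(dsts) for src, dsts in destinations.items() if len(dsts) >= threshold}


def run_demo():
    """Parse the constructed sample and return (flagged hosts, skipped line count)."""
    records, skipped = parse_log(SAMPLE_LOG)
    return smtp_fanout(records, relays=COMPANY_RELAY), skipped


if __name__ == "__main__":
    flagged, skipped = run_demo()
    print("skipped malformed lines:", skipped)
    for host, count in flagged.items():
        print(f"{host} opened SMTP to {count} distinct hosts: likely spam bot")
```

Counting distinct destinations per source is what separates a spam bot from a workstation retrying its own mail server; the relay allowlist keeps legitimate client-to-relay traffic from inflating the count, and the parser tolerates junk lines so one bad entry does not stop the sweep.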

I am an IT administrator for a middle-sized company and I think putting your PC in a limited user role will not stop the more advanced rootkits, worms, trojans, etc. I recently encountered newer evils that create admin accounts on your PC and then run amok. They are also kind enough to assign their own passwords for the admin account, and by the time you discover the horrible issue at hand (could be only seconds) the only cure is a wipe and a reinstall. They think of everything an experienced IT person would do to remove them and prevent you from doing anything short of watching it happen. Linux and Apple systems are not “safe”, they are just less of a target because they have fewer users. Personally, I think virtual OSes and web browsers may be the way to go in the future; until then keep your eyes peeled, because it just keeps getting worse.

I’ve been running on Jeff’s advice here for quite some time and I could say that it’s been the best advice I’ve ever taken for my home machines.

There was a time when running Spybot SD would reveal malware appearing and reappearing every day; since the switch to limited accounts I would run Spybot once every month, sometimes once every three or so months and no new malware would crop up anymore.

kingbee:

Because

a) I develop in Visual Studio
b) I play too many Windows games
c) I can’t afford a Mac

Linux/Mac Advocates:
I too agree with what you’re saying; but I see problems with either OS being a solution:

  1. Businesses that are serious about security tend to firewall and lock down everything right down to the kitchen sink. Windows is fairly safe in this environment, especially with email, browsing, and running privileges restricted. This is usually an adjusted running cost already in the budget, I’ve found, so there is no real gain here. Linux conversion is usually too high a cost for MIS (the OS is usually a small percentage of its real cost; sure, Linux is free, but training support staff isn’t).
  2. The people that really need to be protected from themselves are home users, and - as happens in my own household - most people using the home PC are interested only in things Linux can’t offer. For one, installation of any new software is painful (although this is a lot better recently if Ubuntu is anything to go by, it’s still not straightforward enough to know if you have all required components). For another, the “good” games are all Windows only (i.e., anything recent, including non-mainstream games like 90% of all kids’ games).

You forgot one thing: use a NAT router. Most Windows services still run as the local system, so even if you don’t run as Administrator, passive infections are still a risk. NAT pretty much eliminates that.

The last thing you want is for your system to be compromised while you’re downloading all the security patches!