Tuesday, September 05, 2006

Autofool

Do you use any Windows XP version?

You most probably are vulnerable to a very simple attack that may make your life miserable.

1) Have you heard of the "Sony Rootkit Scandal"?

2) Do you know what the "autorun" feature is?

3) Do you always do your normal work in windows in a restricted user account?

If your three answers are negative, you belong to the highest risk group of autorun infections. If it serves of any consolation, it seems that your high risk group is majoritary.

Last year, a very smart guy at "Sysinternals.com", Mark Russinovich, discovered that Sony basicly put a malicious trojan horse software in audio cds. That malicious software automatically ran if the victim put the audio CD in a computer drive to play it. If the user had administrative privileges, then the virus corrupted the operating system configuration and sent over the internet some private information about the system that we, the public, still don't know exactly what it was. All of this supposedly with the intention of restricting the number of CD copies the user could do in the computer. The rootkit also was designed in such a way that if the victim deleted the rootkit files, then the system would be rendered unusable. That is, using the excuse of preventing piracy Sony hijacked the computers of its customers.

The very successful spread of this attack tells us the following, besides that Microsoft Windows sucks and that Sony doesn't have any kind of ethics:

  1. You can not rely on antivirus. A trojan horse as the Sony rootkit is trivial to detect by any antivirus. But they don't detect it:
    1. First, because if the design of windows security is brain-damaged, the "security" software design is brute force stupidity:
      1. The Sony Rootkit goes on to modify operating system drivers, and all kinds of delicate configurations, and on top of Windows itself not even noticing the user, the antivirus, that supposedly adds extra checks also keeps mum
      2. The SW that is doing the configuration changes is running off removable media, which should tag it as non-trustable
      3. The changes themselves are no simple "configuration change" but a "diservice pack", an antivirus should understand that this is not peanuts.
    2. Second, cry and weep, because Symantec itself, the maker of "Norton Antivirus" installs its own rootkit that hides files and messes with the system, supposedly to "protect" the users from their own folly [more details]. This mess can and has been exploited by viruses. Thus, this "security guard" company makes holes in your computer security but forgets to tell the guards to check them.
    3. Third, The existence of viruses is actually a subject in the highest interest of antivirus providers. The more paranoid and ignorant the users are, the greater profits they make. What I am saying is that the attitude of "security software providers" is to tell their users/customers: "Be as ignorant as you have always been; we will magically solve the problem for you, provided that you give us handsome money". As you may see in this article, that attitude only leads to user/consumers abused by triplicate: By Microsoft, that provides them an inherently faulty and insecure Operating System, and also puts pressure on the customers to use antivirus (see the "security notification" in XP SP2 that complaints that the computer doesn't has an antivirus); they are abused by the Antivirus providers that take money providing worthless, if not worse, software, which is not subject to any accountability of efficacy; and of course, by the hackers/crackers themselves.
    4. There are rumours that some Antivirus providers discovered the Sony rootkit, but after contacting Sony, they thought that it was Ok. This rumor, in other words, means that the antivirus companies do not simply protect your computers, but they may decide which companies' softwares are allowed to hijack them.
  2. Demonstrates that far too many users run day to day tasks such as listening to music in accounts with far too excessive administrative priviledges
  3. Demonstrates that the "autorun" feature is a grave security concern.
In Windows, there are no other ways, but to sometimes use an "Administrator" account to do otherwise mundane tasks. Some SW for Windows abusively requests the user to have administrative rights. Why? If it is for installation, most probably to install some form of a rootkit; that is, to hijack the computer. If it asks for administrative rights for day-to-day usage, then most probably the software does a task that the operating system does or should do, that reflects, either bad Windows design, that the application is not well designed to request from the Operating System the services it requires, or that the application doesn't want to use Operating System services, perhaps because the application has something to hide from the auditing tools of the O.S. services. Although this may be argued as "consensual"

In any case, my advise is to strongly prefer software that can be installed and run in very restricted accounts over software that requires too many privileges. If you like that software, then you may install it "System-Wide" using the administrative account. That kind of software exists, and tends to be Open Source. If it is Open Source, try to enjoy compiling it yourself. Then, you know that if some day you want a feature, in the worst case scenario you will very probably be able to hire someone to program it for you.

Second: TURN OFF THE AUTORUN. Right now, there are some guys developing the concept of malware that picks up the private information such as passwords and credit card numbers from a system with the autorun enabled in which a simple USB flash drive is inserted. If the user, on top of having the autorun enabled also has administrative priviledges, then the computer may get infected for good. Microsoft is so negligent about security, that XP doesn't provide any User Interface applet to completely disable the autorun, there is no reliable way other than doing it through the registry:

"NoDriveTypeAutoRun" registry key, I here reproduce the values for convenience:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value Meaning

0x1

Disables Autoplay on drives of unknown type.

0x4

Disables Autoplay on removable drives.

0x8

Disables Autoplay on fixed drives.

0x10

Disables Autoplay on network drives.

0x20

Disables Autoplay on CD-ROM drives.

0x40

Disables Autoplay on RAM drives.

0x80

Disables Autoplay on drives of unknown type.

0xFF

Disables Autoplay on all types of drives.

[note: This information is official documentation of Windows 2000, probably applies identically to XP]
Autorun
AutoRunAlwaysDisable
NoDriveAutoRun (in HKLM)
NoDriveAutoRun (in HKCU)
NoDriveTypeAutoRun (in HKLM)

If you are not an "administrator", you are still vulnerable, because the program may lift all the data that your user account is able to read, including *your* passwords or credit card numbers...

If you look on the internet about how to disable the many autorun features, you will come across many tools such as TweakUI that do this kind of system tweaks hiding the complexities of managing the registry. Well, if you think it is acceptable to use "TweakUI" or any of its equivalents without caring to research how it is done without any tool, then you haven't get the principal idea of this post: You can not become dependent on software that you don't know exactly how it works, what it does, what it doesn't; you can not remain ignorant about the security problems that Windows has. It is very similar to do your own Due Dilligence about the stockmarket to get interested in the security of your computer.

Windows Operating Systems must be approached by you with a lot of distrust for your own sake.

Let's say that you follow the advise of rather than relying on antivirus, antispam filters, antispyware, antiworms, popup blockers; you opt to research how the computers get infected, and how it is possible to prevent the infections: Then you not only get out of the vicious cycle of malware -> paranoia -> expense -> anti-malware -> false sense of security -> malware; then you start to really understand that most antimalware is complete bullshit; that Windows sucks so much that one really has to try to use alternatives such as Mac OS X, Linux, Solaris, or any other reasonable Operating System, that tools such as Virtualization are not geek ways to lose time, you learn how to really take control of nearly indomitable Windows Operating Systems; and above all you liberate yourself from lots of frustrations, making your computing experience more enjoyable and productive.

8 comments:

howling2929 said...

To disable autorun, from a GUI application, instead of using the registry editing detailed, you may pickup the TweakUI PowerToy from Microsoft Website, or the very good (and free) TweakAll application at http://www.codeforge.co.uk (since this is a downloads page, I do not want to make this a clickable link).

If you do not want to completely disable Autorun, you may press (and keep pressed) the shift key when you insert suspect media.

Windows XP is, as far as MS OSes go, the one which makes it it easier for you to change user from normal to admin and back, so there are not many excuses to run in admin mode any more......

Eddie said...

What is the matter, Howling?

I said int he article that anyone who uses a closed source application to fiddle with security settings didn't get the idea of this article, because that someone remains as ignorant and as dependent on utility or antivirus providers as it was. The thesis here is that security can only be attained through information and learning, not installing applications that who knows what they do.

howling2929 said...

Dear Chi & audience:

Here you see one of the things were me and Chi differ. I have been turning off Autorun since Win95. First using registry tricks. So, when GUI tools to do it appeared, that was like a godsend to me.

Chi said: «security can only be attained through information and learning»

Once one learns about the problem and what it means, and its implications, it does not matter if the corrective actions are taken by means of a GUI tool or registry hacks.

I knew full well how to change the oil or a hose in my car (before I sold it, here I do not need a car)... nonetheless, I was willing to pay a trusted repairman to do it, so I do not end up covered in dirty grease, and could do other things more important to me, like visit my family and friends, or getting accepted in my MBA.

Same with this, once one understands what the security problem is, if one gets a Trusted Application (either because you try it, or someone you trust recomends it) to do it for you, so be it.

The key learning point, IMHO is not "do not rely on applications" but rather Undestand the problems, its impliations, and the avalible solutions then, implement the solutions any way you see fit.

So audience, now you know what when Chi said we were contrarian in some points, he was telling the truth...

Eddie said...

Howling, you didn't understand the article at all.

If you are to trust the provider of TweakAll the security of your computer, you may as well trust that Sony is not going to put such a damaging root kit in your computer. You must have received several orders of magnitude more recommendations about Sony.

Your argument doesn't hold. One of these days TweakAll will bury a rootkit and you will not notice until you are a victim, as those poor fellows who had viruses due to the "Norton Protect" —what an irony!

howling2929 said...

I will make one remark here, but I guess we shoul move this to mail or IM.

MacOS has a lot of propiertary code (the presentation layers, as well as the comaptibility with older code), so does Parallell, also VMWare, which you have been recomending a lot as of late.

There is WAY TO MUCH closed source code still out there. So, in the end, both in computing and in relationships, you have to trust someone, even if later on, they break your heart. Otherwise, is only Linux, plan vanilla BSD or solaris and Xen for you, my friend. you can live a decent life like that, but you will miss many good things with no garantee to be spared of the bad.

I do not realy on TweakAll for my security, I realy on TweakAll to diable the Autoplay that I know is a security problem. I do not relay on my antivirus and antispyware for my security, y realy in safe computing practices for my security which include runing an antivirus and antispyware. We SHOULD be combating ignorance and the false sense of security, but we should NOT b combating the use of applications.

Chears and ejoy the three sides of the coin post.

Eddie said...

No, we should not turn private the debate thread on trusting closed source.

This blog is *not* to agree with me, on the contrary, this blog is to *disagree* exactly the way you are doing, bringing good contrarian stuff.

On the subject of Autorun, I still think that TweakAll has a small "usefulness/required-trust" ratio; and learning to "regedit" the autorun teaches:
1) Windows sucks
2) Registry manipulation
3) Better autorun security
4) How to get by without "keep your ignorance" utilities.

It is not like you describe "to grease your hands", it is like learning to cook beef steaks.

Ah!, I forgot: The user-session switching mechanism of XP sucks big time. What you need is a session within a session, to enable important stuff such as copy and paste, so that both sessions can cooperate. the "su" mechanism in Unix is so practical because just as applications need occasional kernel services, a regular user occasionally needs to elevate its privilege level.

I wish there were a control in the Windows User Interface where you could choose your level of privileges dynamically, without having to log-off/log-in

howling2929 said...

Ok, now we are finaly converging! You speak of a ratio of "usefulness/required-trust". The thing is that each and every person makes the calculation on his or hers very own!!!

I started using TweakAll because of recomendations from trusted sources, and because it solved many of my problems (at that time) at once (memory fragmentation and more Tweaking in Win9x than was possible with TweakUI). I started in version 2, and over a 4+ years timespan, am now in version 3; therefore the ussefullness to trust ratio is very high for me. But of course, the ratio for your own needs may be different.

You are able to do a code audit of many open source tools, many people in the audience may not be. And even then, when did you do your last code audit? Have you audited your copy of firefox? Compiled from source? what about the patches?

And even lookng at the code may not be enough. Look at this clasic paper "Reflections on Trusting Trust" from Ken Thopmson (His accpentace speech for an ACM award):

http://www.acm.org/classics/sep95/

The concluding bit: "The moral is obvious. You can't trust code that you did not totally create yourself. [...] No amount of source-level verification or scrutiny will protect you from using untrusted code"

So, OpenSource, while better than closed, is not the panacea you may think it is. As I said, you have to trust someone.

Help the people learn what the problem is, the implications, the possible solutions, but leave the implementation of the solutions up to them.

And my man, I guess that you will agree with me that doing scripts or programming is like cooking steak, blindly entering Microsfot recomended registry keys (because, lest face it, you did not discovered those entries yourself ;-)) is like cleaning up the grill afterwards!

By the way ¿who do you know that "0x20 Disables Autoplay on CD-ROM drives" is really that and not "Disable autorun in all CD-ROM except those comming from our parthers"? You do not know! Therefore, if the one doing the change to the registry to 0x20 is oneself through regedit (which may revert or disable the change, you do not know) or oneself through some little program is, in the end, inconsequential..... (as long as we are doing the change explicitly because we understand the problem and its implications, and not by proxy, pushing a big flashy button that says "Make my machine more secure!!!!!")

And yes, the change user feature in XP is still a piece of turd compared to Unix´s "su". But is still way better than the Win2k or Win9x alternatives!

Eddie said...

You are not taking into account that the benefits of Open Source SW regarding secuirty are not all preventive, such as Thompson dismisses, but disuasive. If my FOSS does a misdeed, and it is detected, it won't take long until the exact offending lines of code are identified and then it will be possible to know exactly who is fooling around and exactly what is the danger