
New IM Worm Installs Own Web Browser

Aquafinality writes "A new IM worm discovered recently takes the novel step of installing its own web browser onto the victim's PC. Ironically titled "The Safety Browser", its default settings actually make your PC less secure - switching on pop-ups, changing your home page and hijacking your desktop with a looped music track that plays every time you switch your computer on. It's clear people cannot resist clicking "yes" to anything they're presented with via IM - with this in mind, what on Earth can we do to stop the spread of garbage like the above? To put it another way, will reducing the amount of potential "suckers" out there dissuade the bad guys from coming up with ever-more elaborate ideas such as this latest scam? Or is IM safety a lost cause?"
This discussion has been archived. No new comments can be posted.

  • Re:Trusted Computing (Score:3, Informative)

    by bcmm ( 768152 ) on Sunday May 21, 2006 @11:53AM (#15376043)
    They have some interesting locked-down Windows boxes at my sixth form. You can't write to the C drive (obviously), and you can't run executables from your own network folder, or from USB sticks, or in fact from anywhere you have write access to.
     
    It infuriates me, but it wouldn't even be noticed by the sort of people who catch this "worm" (surely actually a virus, as the user is required to run it him/herself?).
    I don't know how it's done, but it seems to be at a fairly low level (doesn't just apply to starting things with Explorer but instead gives the same error even if you try to launch things from office macros, batch files, etc.). If something like this were built into Windows (the machines at school have a lot of RM stuff in them, so I suspect it isn't a Windows feature), it would at least protect idiots that have bright friends and family to set stuff up for them. It's much simpler than TC, and the admin can log in (with a separate password you wouldn't even have to give your sister) and install things as normal, even if MS doesn't like it.
  • Re:Trusted Computing (Score:3, Informative)

    by sqlrob ( 173498 ) on Sunday May 21, 2006 @11:55AM (#15376049)
    Or is this already possible with any OS? The ability to specify a list of allowed executables and the disability for a user application to change the list.

    I can think of at least [wikipedia.org] two [apple.com]
  • In my 20 years of system administration I have often had people come to me and say "Peter, I just clicked the wrong button and my computer's acting funny." I've less often had people say "Peter, I downloaded a file to the desktop and opened it and my computer's acting funny." I've had several people say "Peter, I just clicked the wrong button AGAIN and I think I'm infected."

    I've never had the same person come to me twice with "I've downloaded and opened a file and I'm infected." Give people even a small breathing space to think about what they're doing, without that reflex "gotta push a button" effect, and social engineering is MUCH harder.

    So...

    You can solve this for most people simply by not including a mechanism for running untrusted content. Don't pop up a dialog box asking "What do you want to do with this application you just downloaded? (Open) (Show) (Ignore)". Don't even ask "The file you just asked to open is an application? (Infect Me) (Cancel)". Just don't put the user in the position of deciding, right then, what to do with the file. Ever.

    Firefox: get rid of the XPI install-from-web stuff. Let the user download the XPI and open it explicitly.

    Apple: Don't "open safe files after downloading"... there are no "safe files".

    Microsoft: get rid of ActiveX and security zones and for god's sake don't try and make .NET-in-the-browser into the next Active Desktop disaster.

    All of the above: If it's a file you've got a safe application for... a *safe application*, not a *safe file*... open it explicitly IN THAT APPLICATION. Don't go "this is a ZIP file so I'll open it in whatever random program the user has for opening archives". Keep a database of safe programs to use on untrusted content like you keep a database of plugins people have explicitly installed. This would resolve SO MANY security issues... damnit.

    (don't treat archives as "safe files", but that's another rant)

    (in fact there's a lot of ranting [scarydevil.com] I could add here...)
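
An added example, not part of the comment above or of any browser's code: a sketch of the "database of safe programs" idea, where a finished download is routed by its sniffed content to an explicitly approved viewer or is simply saved, with no prompt and no execute path. The magic-number table, the handler names and `route_download` are all constructed for illustration.

```python
from pathlib import PurePosixPath

# Constructed magic-number table: leading bytes -> content kind.
MAGIC = [
    (b"MZ", "executable"),            # Windows PE
    (b"\x7fELF", "executable"),       # ELF
    (b"PK\x03\x04", "archive"),       # ZIP container (also XPI, JAR)
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# What the file extension claims the content is.
EXT_KIND = {".exe": "executable", ".zip": "archive", ".xpi": "archive",
            ".pdf": "pdf", ".png": "png"}

# Hypothetical database of applications the user explicitly approved for
# untrusted content. Keyed by content kind; archives and executables are
# deliberately absent, so they can never be opened automatically.
SAFE_HANDLERS = {"pdf": "sandboxed-pdf-viewer", "png": "image-viewer"}


def sniff(head: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def route_download(filename: str, head: bytes) -> tuple:
    """Return (action, detail); action is 'open-in' or 'save-only'.

    There is no 'execute' and no 'ask the user' outcome: the decision is
    never handed to a reflexive click.
    """
    actual = sniff(head)
    claimed = EXT_KIND.get(PurePosixPath(filename).suffix.lower(), "unknown")
    if actual != claimed:
        # A name that lies about its content is never opened.
        return ("save-only", f"extension claims {claimed}, content is {actual}")
    handler = SAFE_HANDLERS.get(actual)
    if handler is None:
        return ("save-only", f"no approved handler for {actual}")
    return ("open-in", handler)
```
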
  • Re:IM safety? (Score:4, Informative)

    by jacksonj04 ( 800021 ) <nick@nickjackson.me> on Sunday May 21, 2006 @12:35PM (#15376212) Homepage
    If you get hold of the CTP, you'll find that Vista actually does this. If something needs to prod around with something which should need admin (Registry, system folder etc) then you will be prompted for your admin password. Even if you're logged in with an admin account, it will ask you again.
  • by Simon Donkers ( 950228 ) <info@NOSPaM.simondonkers.com> on Sunday May 21, 2006 @01:46PM (#15376494) Homepage
    I'd like to do a social experiment and write a virus that pops up a window asking the question: "Install Virus?". The options are "No Thanks" and "yeah sure, pwn me". Now, I'm usually an optimist, but I think the results of this study would be depressing.

    You mean, welcome to MSN plus [msgplus.net] install, would you like us to bundle adware with this program to really annoy you?
    [yes] [no]
  • by m50d ( 797211 ) on Sunday May 21, 2006 @02:25PM (#15376613) Homepage Journal
    Because there is a perception that users should not be running servers. In particular, typical users are told "you need a firewall", which would block any webserver they actually managed to set up. KDE has a very nice system tray webserver, but how many distributions have iptables set up so it's inaccessible? Not to mention how many people are behind NAT these days.

    Users need a way to transfer files to each other. What they should do is run an actual server for this, but they are told they should not, so every end user program gets a file transfer protocol tacked on - users can't be expected to say "yeah, get the file from http://my.ip.address:8080/foo", so they're given a way to transfer directly.

  • by Bambi Dee ( 611786 ) on Sunday May 21, 2006 @02:41PM (#15376666)
    Try demoplanet.tv, the homepage shown in the article. That might just be it.
  • by drsmithy ( 35869 ) <drsmithy@nOSPAm.gmail.com> on Sunday May 21, 2006 @11:11PM (#15378063)
    Umm ... the local Windows Administrator account (or any account in the local "Administrators Group") is not bound by ACLs.

    Yes, it is. There are many things an "Administrator" cannot do.

    It can force ownership upon itself when it's not able to automatically override.

    This is a different thing to "not being bound by ACLs".

    The unix 'root' user effectively bypasses the entire unix security system. That is, security restrictions simply are not applied if UID=0. The Administrator user can (and does) not do this. Indeed, no account in Windows can do this, as it has no concept of a "superuser".
