New IM Worm Installs Own Web Browser 479
Aquafinality writes "A new IM worm discovered recently takes the novel step of installing its own web browser onto the victim's PC. Ironically titled "The Safety Browser", its default settings actually make your PC less secure - switching on pop-ups, changing your home page and hijacking your desktop with a looped music track that plays every time you switch your computer on.
It's clear people cannot resist clicking "yes" to anything they're presented with via IM - with this in mind, what on Earth can we do to stop the spread of garbage like the above? To put it another way, will reducing the amount of potential "suckers" out there dissuade the bad guys from coming up with ever-more elaborate ideas such as this latest scam? Or is IM safety a lost cause?"
Re:Trusted Computing (Score:3, Informative)
It infuriates me, but it wouldn't even be noticed by the sort of people who catch this "worm" (surely actually a virus, as the user is required to run it him/herself?).
I don't know how it's done, but it seems to be at a fairly low level (doesn't just apply to starting things with Explorer but instead gives the same error even if you try to launch things from office macros, batch files, etc.). If something like this were built into Windows (the machines at school have a lot of RM stuff in them, so I suspect it isn't a Windows feature), it would at least protect idiots that have bright friends and family to set stuff up for them. It's much simpler than TC, and the admin can log in (with a separate password you wouldn't even have to give your sister) and install things as normal, even if MS doesn't like it.
Re:Trusted Computing (Score:3, Informative)
I can think of at least [wikipedia.org] two [apple.com]
Disable automatic execution even with a dialog. (Score:3, Informative)
I've never had the same person come to me twice with "I've downloaded and opened a file and I'm infected." Give people even a small breathing space to think about what they're doing, without that reflex "gotta push a button" effect, and social engineering is MUCH harder.
So...
You can solve this for most people simply by not including a mechanism for running untrusted content. Don't pop up a dialog box asking "What do you want to do with this application you just downloaded? (Open) (Show) (Ignore)". Don't even ask "The file you just asked to open is an application? (Infect Me) (Cancel)". Just don't put the user in the position of deciding, right then, what to do with the file. Ever.
Firefox: get rid of the XPI install-from-web stuff. Let the user download the XPI and open it explicitly.
Apple: Don't "open safe files after downloading"... there are no "safe files".
Microsoft: get rid of ActiveX and security zones and for god's sake don't try and make
All of the above: If it's a file you've got a safe application for... a *safe application*, not a *safe file*... open it explicitly IN THAT APPLICATION. Don't go "this is a ZIP file so I'll open it in whatever random program the user has for opening archives". Keep a database of safe programs to use on untrusted content like you keep a database of plugins people have explicitly installed. This would resolve SO MANY security issues... damnit.
(don't treat archives as "safe files", but that's another rant)
(in fact there's a lot of ranting [scarydevil.com] I could add here...)
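The "database of safe programs" idea from the comment above, sketched as an added example (not code from the original post or from any of the products it names): the handler decides by sniffed content, not the attacker-chosen filename, maps each type to one vetted viewer, and has no "run it" branch at all. Executables, archives and unknown types are quarantined rather than offered to the user. The viewer paths and the allow-list are hypothetical.

```python
import os

# Hypothetical allow-list: content type -> the one vetted viewer that may open it.
# Anything not listed (executables, archives, scripts, unknown types) is never
# opened, and the user is never asked to choose "run anyway".
SAFE_VIEWERS = {
    "image/png": "/usr/bin/image-viewer",    # constructed paths
    "image/jpeg": "/usr/bin/image-viewer",
    "application/pdf": "/usr/bin/pdf-viewer",
    "text/plain": "/usr/bin/text-editor",
}

# Magic-byte signatures: decide by content, because the filename and its
# extension are controlled by whoever sent the file.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),   # PE executable, never a "safe file"
    (b"PK\x03\x04", "application/zip"),    # archive: not a "safe file" either
    (b"#!", "text/x-script"),
]


def sniff_type(data: bytes) -> str:
    """Classify the file by its leading bytes; printable-only data is plain text."""
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text/plain"
    return "application/octet-stream"


def handle_download(filename: str, data: bytes) -> tuple:
    """Return ("open", viewer_path) or ("quarantine", reason). There is no
    ("run", ...) outcome: downloaded content is opened in a viewer or not at all."""
    mime = sniff_type(data)
    viewer = SAFE_VIEWERS.get(mime)
    if viewer is None:
        return ("quarantine", f"{os.path.basename(filename)}: no vetted viewer for {mime}")
    return ("open", viewer)


if __name__ == "__main__":
    # Constructed samples: a real JPEG header and a PE header disguised as a picture.
    print(handle_download("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(handle_download("SafetyBrowser.jpg", b"MZ\x90\x00" + b"\x00" * 16))
```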
Re:IM safety? (Score:4, Informative)
Re:I know where this is headed (Score:2, Informative)
You mean, welcome to MSN plus [msgplus.net] install, would you like us to bundle adware with this program to really annoy you?
[yes] [no]
Re:Why does EVERYTHING transfer files? (Score:3, Informative)
Users need a way to transfer files to each other. What they should do is run an actual server for this, but they are told they should not, so every end user program gets a file transfer protocol tacked on - users can't be expected to say "yeah, get the file from http://my.ip.address:8080/foo [my.ip.address]", so they're given a way to transfer directly.
Re:Call me a glutton for punishment (Score:4, Informative)
Re:Again, is it IM's fault? (Score:3, Informative)
Yes, it is. There are many things an "Administrator" cannot do.
It can force ownership upon itself when it's not able to automatically override.
This is a different thing to "not being bound by ACLs".
The unix 'root' user effectively bypasses the entire unix security system. That is, security restrictions simply are not applied if UID=0. The Administrator user can (and does) not do this. Indeed, no account in Windows can do this, as it has no concept of a "superuser".