Re: Windows Messenger Pop-up spam

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2004-12-07 Kevin Davis wrote:
> > > Disabling unneeded services is not an adequate protection from
> > > malware.
> >
> > It is an adequate protection from malware that tries to attack
> > services.
>
> Which is a subset of all malware.  Probably a small subset.

It's the very same subset that's addressed by packet filters.

> The goal is to protect from all malware.

Yes. But Personal Firewalls are not The Way(tm).

> > > There are tons of malware - in fact probably the majority that set
> > > up their own "server" once it infects the target system.
> >
> > If malware is already running on the system, the box is 0wned and
> > schould be rebuilt.
>
> Of course some type of cleaning is required if malware gets on the
> box. Making a blanket statement that the box needs to be totally
> rebuilt at the slightest infection of spyware is extreme - at least
> for the home user.

It's by no means extreme. In fact, in most cases it's the only way to
restore a known good state. *Especially* for the home user, because he
is unable to see if it's safe to simply remove the spyware or not.

> The point of the discussion was what is effective in repelling malware
> attacks and vulnerable conditions.  You suggest that turning off all
> services and keeping your system patched is all that is needed.

No. It is all that's needed to protect against inbound attacks. Other
malware needs to be addressed by other means, like e.g. working with
least privilege, using mail clients that won't silently execute
attachments, keeping the system patched. And of course NOT manually
execute suspicious software (like something inside encrypted Zip
archives, where the password came with the same mail as the archive).

> That's really quite ridiculous considering the various types of attack
> vectors that are being used - malware can get on your system in the
> form of BHO in your browser.

Really? How do Browser Helper Objects get installed with Firefox?

> Malware can get on your system by opening email.

Of course. However, Thunderbird doesn't tend to execute attachments
automatically like other well-known mail or groupware clients.

> Malware can get on your system using IM, IRC,

That's why you keep your software up-to-date. A virus scanner may help
within its limitations.

> or unknowlingly downloading some cool program and it being a trojan.

Nothing will protect a user from willingly installing software that
turns out to be malware.

> You can patch and turn off all the services you want and this won't
> keep the malware away - for the typical user.

Again, I did not say that shutting down all services was able to do
that. However, I *did* say that PFWs neither would be able to do it in a
way the user can rely on.

> And doing what you suggest will most likely set up the condition that
> when such malware gets on the box, the user will literally have almost
> no chance of finding out.  At least with a firewall and AV software,
> there's a decent chance that it will be discovered.

There is a chance, yes, but not more. Maybe we're using different
definitions, but in my book "security" doesn't spell "take your
chances".

> > > That's where personal firewalls help.
> >
> > No.
>
> Yes.

*sigh*

No. See below why that is.

> > > A new, unknown process is trying to get out to the net - the
> > > firewall will catch this and alert the user.
> >
> > The firewall may possibly catch this and alert the user. Or the
> > malware may simply sneak around the firewall. Or disable it. You
> > can't rely on PFWs to control outbound traffic.
>
> You never rely on anything 100%.  It is possible that the malware will
> do as you say.  But with your advice, it won't have to sneak around
> anything and will have a low probability of being discovered.

It takes 25 lines of code to get around every single Personal Firewall
in the whole friggin' world when Internet Explorer is allowed to access
the Internet. To include other browsers would take about 25 more lines
per browser. How does a Personal Firewall detect the system's web
browser accessing the Internet? Except for not?

> > > 2. Get your systems behind a firewall (a personal firewall if a home
> > > user).
> >
> > Firewall on a router: very well. Personal Firewall: most likely not.
> > Yes, there are some exceptions, but their number is few.
> >
> > > 3.  Get your system behind a router.
> >
> > Local networks of any kind: of course. A single home computer: maybe,
> > but not a must.
> >
> > > 4.  Harden system by turning off uneeded services.
> >
> > That would be my second step. No services -> nothing to exploit. I
> > would consider using a Personal Firewall *only* if for some reason a
> > service can't be disabled or bound to a specific interface.
>
> Again, you can't always turn off all services.  Probably not even most
> of the time.

If we're talking about standalone systems: what reasonable cases do you
see where services can't be turned off completely? To be more precise: I
don't mean to turn off *all* services, but *remove* all services from
the external interface. As for systems on a local network: of course you
would use a packet filtering router there. But where do you need a
Personal Firewall in either of these scenarios? In fact, by adding
*more* code and *more* complexity a Personal Firewall may create *new*
security breaches. The Witty worm already proved this concept wrong.

> > > 5.  Employ the use of virus and spyware scanners\blockers
> >
> > Virus scanners may be useful.
>
> Why would you think so?  You seem to be claiming that using your
> method would grant you immunity from such things.

Where did I put up that claim? The method I described is supposed to
prevent inbound attacks. Virus scanning is a completely different story.

> > However, one should be aware of their limitations, since each virus
> > scanner is just as good or bad as its virus definitions.
>
> That goes without saying.

Probably on this list, but unfortunately not Out There(tm).

> > As for spyware scanners/blockers: I usually prefer to not install
> > spyware in the first place. Avoiding IE/OE helps. Much.
>
> People also generally prefer not to install viruses.  It would be nice
> if there was always a dialog popping up asking you if you wanted to
> install this virus or malware.

No. It would be nice if people started *thinking* before installing
$SHINY_NEW_TOY. Yes, I'm dreaming here.

> You have to be realistic.

That's why I consider virus scanners acceptable.

> You need to think in terms of users who aren't as savvy as you.  You
> are putting absolutley no outbound checks in place.

Those checks are useless if the malware isn't as braindead as Personal
Firewalls are. Like I said above: it takes 25 LoC to sneak around them.
*All* of them.

> Of course avoiding IE and such helps, but that's a personal choice.

Not really. IE has continued having that many critical bugs, that
noone in his right mind could possibly accept the risk of using IE.

> In general practice, until the alternatives to OE\IE become the
> dominant players, people are going to use IE and OE.

That doesn't make it less braindead.

> You can attempt to get people to use other things but don't count on
> it.  Even if they do, having no outbound checks is really quite weak
> security.  Even if there's only a 50% chance that something gets
> caught, it's worth it.

Again, we seem to use different definitions of the term "security". I
would rather *prevent* the installation of malware instead of just
*detecting* its presence when it's already too late.

> > > The small, inexpensive SOHO routers only block inbound traffic. If a
> > > user gets some malware on their system, this helps them not.
> >
> > Neither does a PFW. Once malware is running on your system, you're
> > toast. Period. Even Microsoft finally did understand that [1].
>
> What is better - having an owned box and knowing it or having an owned
> box and having no clue?

Having a box that is *not* owned?

> And no, you're not toast if *any* malware is running on your box.  In
> some (maybe many) cases, that may be true, but if I get a trivial
> spyware program installed, that does not require me to trash the box.

What makes you think, that *only* that trivial spyware sneaked around
your measures? Not detecting malware is by no means a guarantee for the
absence of malware.

> In a corporate setting where there are canned images and plentiful
> network data storage to mitigate potential loss, that may be the most
> expedient solutions.  Not necessarily the case at home.

Like I already said: *especially* for the home user it's the *only*
solution. Because he lacks the knowledge to judge whether simply
cleaning the system may suffice or not.

> > > > If there's no LAN but just a single host with Internet connection,
> > > > then why does the box need to provide any services at all? IMnsHO.
> > >
> > > You can't make a blanket statement like this for all cases.  In some
> > > cases this would be true, in others not.
> > >
> > > Lets take the Messenger service, for instance.  Some people should
> > > *not* turn off the Messenger service.  Why?  Maybe they are running
> > > one of the several virus scanning products that use the Messenger
> > > service to alert the user of a virus problem.
> >
> > Any AV software that uses the messenger service for notifying the
> > (local) user should be trashed *immediately*, because of major
> > incompetence of the vendor.
>
> I agree but that approach doesn't always leave one with many choices.
> That's just one example.  There are tons of software packages that
> install their own services - many of which are network related
> services.

Can't agree with that from my experience. Most software I had to deal
with, doesn't.

> For instance, most AV software installs an automatic updating service.
> Sure you can turn it off, but the typical user will never remember to
> update their AV signatures.

There is AV software that does automatic updates without opening ports
to the public. Like it or not, opening ports for automatic updates ist
just stupid. End of story.

> Which is worse - having that service running or having it turned off
> and AV software with 2 year old signatures?

The service is not the problem. A service does not necessarily have to
open ports to carry out its tasks.

> > I still fail to see *any* good reason why a single computer (no LAN)
> > should *not* have all services disabled.
>
> Do an experiment.  Take a box and install Windows XP on it and disable
> ALL of the services.  Use the box for a few months as your primary box
> for doing everything including getting on the net. 

BTDT. Works.

Regards
Ansgar Wiechers
-- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin