Tuesday, August 23, 2011

Why malware works

I've just returned from a late night session at one of my clients. 

It all started with an email from a user at the site informing me that another user was having issues with their PC running slowly and not allowing their email client to function.

Most of my client sites are small offices with fewer than 10 users, so reporting issues to me is an informal process.  So while I got the report about the other user, I also had a few requests from the user who sent the email.

Turns out the other user's problems were related to a rather nasty piece of malware (TDS4 rootkit) that did all those nasty things that rootkits tend to do. 

It was polymorphic, so it evaded the virus scanner...
It denied access to Task Manager and loaded the CPU to 100% with constant attempts to download more malware...
And finally it tried to open random nefarious web pages.

I've been dealing with this kind of issue a lot lately, but usually it's the XP 2012 Fake AV that fools users into installing the malware, then digs itself in, destroys the user profile and in some cases downloads more malware, allowing the infected PC to become part of a torrent-serving botnet.

I had just cleaned up both the reporting user's and the other user's PC 3 weeks before.  They knew what happened and why.  They were given an admonition against trusting anything they didn't already use on a regular basis and shown what it was that caused the problem I had to fix.

So I got the obligatory nodding of the head and promise that they'd be more vigilant because after all security is everyone's responsibility right?

Well, I guess I should just accept that it's just my responsibility.  You'd think I'd learn after almost 20 years...

The sad fact is that users couldn't care less about the damage a malicious trojan or entrenched rootkit can do to their PC.  After all, that's what you're there for, and they expect you'll fix it before they're back from lunch.  The next killer app that promises endless coupons or installs a cute dancing cow on their desktop will quickly nullify every attempt to counter such social engineering.  It's not unlike a speeding driver who, when caught, blames the car for his actions because it goes too fast.

Not the best analogy, I know...

So the battle against social engineering is lost.  It must be, because we've been droning on about responsible use of computers for decades now and our advice is still largely ignored, or at least quickly forgotten.

So now we have to take preemptive action.  That usually involves the installation of a layered protection system consisting of not just Anti-Virus but also anti-malware software to save the user from themselves. 

At my client sites I currently use Sophos for Anti-Virus and Malwarebytes for malware protection. I find it a good combination of security software that keeps a small footprint and doesn't fight with itself when doing its job.  This part is important.  Avoid bloated packages that get in the way of workflow and perform only marginally.

I'm not afraid to say openly that I find most Symantec and McAfee products to be absolutely useless when it comes to malware and rootkits.  Worse, if the consumer versions end up in a business setting, they become almost completely ineffective and are sure to cause user complaints as these lumbering giants steal system resources and needlessly get in the way of every mouse click.

The KISS principle is very relevant here.  Stick with products that do the one thing they do well and don't try to be anything else.  I used to recommend AVAST! until it contracted the Symantec bloat disease and became an ineffective security solution. 

If you find yourself at an infected user's PC searching the Internet for another software package to do what you thought you had already paid for, it's a good indicator that it's time for a change.  Sounds obvious, but it's surprising how much an IT department will put up with just because they have a history with one vendor.

In some cases a user will figure out how to shut off the security software if they feel it's too intrusive.  Try to avoid that scenario if possible.  Unfortunately, if your clients are still using Windows XP and have legacy software, then you'll have a hard time keeping them out of the settings, since there are still far too many applications that require administrator privileges.  Since an Administrator account trumps all else, any PC with a user running as local administrator is at risk.  Expect some type of security issue at some point in this case.
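The practical first step against that risk is knowing which accounts actually hold local administrator rights on each PC, so that an admin user is something you decided on rather than something you discover during a cleanup. The script below is an added example, not code from the original post, and it assumes Windows PowerShell 2.0 or later with the WinNT ADSI provider (present on XP/2003-era machines and later). The allow-list names (`Administrator`, `Domain Admins`) are assumptions; adjust them to the accounts your site expects to find in the group.

```powershell
# Added example (not from the original post): audit membership of the local
# Administrators group and flag any member that is not on an expected list.
# Assumes the WinNT ADSI provider; the allow-list below is an assumption.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Accounts you expect to find in Administrators; anything else is flagged.
    [string[]]$Allowed = @('Administrator', 'Domain Admins')
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    # Bind to the local Administrators group on the target machine.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Invoke 'Members' and read each member's name and class (User or Group).
    $group.psbase.Invoke('Members') | ForEach-Object {
        $name  = $_.GetType().InvokeMember('Name',  'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class', 'GetProperty', $null, $_, $null)
        New-Object PSObject -Property @{ Name = $name; Class = $class }
    }
}

$members = Get-LocalAdminMembers -Computer $ComputerName
foreach ($m in $members) {
    # Anything not on the allow-list is a day-to-day user with admin rights
    # (or an unexpected group) and should be reviewed.
    $status = if ($Allowed -contains $m.Name) { 'expected' } else { 'REVIEW' }
    "{0,-8} {1,-6} {2}" -f $status, $m.Class, $m.Name
}
```

Run it on each PC (or pass `-ComputerName` for a remote machine you can reach over the WinNT provider) and compare the `REVIEW` lines against the legacy applications that genuinely need elevated rights; every remaining entry is a candidate for demotion to a standard user account.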

In spite of all your efforts to deploy the perfect security suite, you're bound to get complaints from users that they can't get their favorite site to work anymore. What they don't tell you is that it's the same site that almost destroyed their PC on their last visit. They'll scowl and complain regardless of the evidence, or they'll claim the security software interferes with their work.

Unless their work is collecting coupons or evaluating dancing cow version 2.3.2, I honestly couldn't care less.  I'm not draconian, I just don't want to bankrupt my client fixing the same problem over and over again.  It's boring and hurts your credibility in the long run.

This is where communication comes in.  You have to let your clients (the ones who sign your check) know what's going on and why you're doing it.  Explain to them the implications for their business and stress the costs involved, including: lost productivity, lost data and, of course, the cost of having you waste more time fixing the same problem.

The only way to fight entrenched bad habits is irrefutable evidence that it's costing your client/business money.  Nobody in their right mind is going to argue with your logic, especially if they sign your checks.
