Malware will thrive, even with Vista’s UAC

[quote]Despite all the anti-malware roadblocks built into Windows Vista, a senior Microsoft official is lowering the security expectations, warning that viruses, password-stealing Trojans and rootkits will continue to thrive as malware authors adapt to the new operating system…[/quote]
http://blogs.zdnet.com/security/?p=175

They just had it coming. They said Vista was safer too many times, while hackers were already playing with the betas. Besides, Vista wasn’t ready for prime time anyway.

Hi malware fighters,

Explaining Mark’s words: he is only commenting on the workings of UAC. It is not to be taken in a wider context. That UAC does not mean a security ‘boundary’ but is more of an ‘awareness’ thingie for users and developers alike (and what if you rename executables?) was known for quite some time.
Mark says malware can also enter your machine with normal ‘user’ rights. And that is his way of saying that with Vista we cannot sit and lean back where security is concerned.
The real security issues in Vista do make the difference. Here you hear the same credos over and over again: prevention, correction, protection.
“So when the malware sh*t hits the fan, try to protect as best as you can.”

polonus

Unfortunately I have now seen some Vista systems with malware. I believe that some people will click OK to anything, so it is still reliant on the keyboard interface.

Hi essexboy,

The only way to secure these users is to take their keyboard away.

polonus

Never a truer word spoken in jest ;D :smiley: my old mate.

We’ve already had one here. Couldn’t get any of the usual tools to run …

Very true, and it is often seen in the acceptance of firewall pop-up permission requests, as they don’t know what is a genuine connection. Some block all requests, screwing with their ability to use the internet, and others accept everything. Finding a happy balance for some is difficult.

There are currently very few tools that run on Vista, so it is manual removal, oh joy. I have just finished one of those. Avast deleted 300 files; I then deleted a further 400 plus 5 rootkits. OK, it was a honeypot and I wasn’t allowed to use tools, but it was hard, with a very steep learning curve.

How do you find them without the tools? Especially the rootkits.

Hi mauserme,

That is why the technical descriptions of malware are so very important. I learned most about the inner workings of malware through the descriptions from Sophos. A lot of the bigger vendors now do not attach the malware description, only a minor description of the kind of malware and its workings, which is a pity really. For analyzing malware and appropriate cleansing routines it is vital to know the files, the processes, and whatever changed in the registry. For DLLs and processes there is ample information inside online databanks.
I think the special “Hogwart” tools will be adapted for Vista as well, just a matter of time. But you see CCleaner has to adapt to the restructuring, as do ATF Cleaner, the BFU scripts, the lot, same as forensics. M$ still has this streak to it that is called “security through obscurity”: change the way files are organized a bit, make it harder for malware and cleansers alike, and call this enhanced security… It is like in the days of the old Roman Empire - this policy worked until the pagans found out they had to look for the right messengers to churn their heels a bit better to get to the vital information. There is nothing new under the sun really.

polonus

[quote]How do you find them without the tools? Especially the rootkits.[/quote]
By using a lot of analysis scans: Silent Runners, DSS, WinPFind, regsearch, etc. It is hard work, but you do learn a lot about the inner workings of the registry. By tools I meant anti-spyware scans, SDFix, HaxFix, ComboFix, etc. I was allowed to use Avenger; that is scary.

The first boot scan with Avast gave this:

Number of searched folders: 803
Number of tested files: 18051
Number of infected files: 247

The second added another 62