
The 10 faces of computer malware

The complexity of today's IT environment makes it easy for computer malware to exist, even flourish. Being informed about what's out there is a good first step to avoid problems.

With all the different terms and definitions in use, trying to figure out what's what when it comes to computer malware can be difficult. To start things off, let's define some key terms we'll use throughout the article:

  • Malware: Malicious software that's specifically developed to infiltrate or cause damage to computer systems without the owners' knowledge or permission.
  • Malcode: Malicious programming code that's introduced during the development stage of a software application; it is commonly referred to as the malware's payload.
  • Anti-malware: Any program that combats malware, whether through real-time protection or through detection and removal of existing malware. Antivirus and anti-spyware applications and malware scanners are examples of anti-malware.

It's important to remember that like its biological counterpart, malware's number one goal is reproduction. Damaging a computer system, destroying data, or stealing sensitive information are all secondary objectives.

Keeping the above definitions in mind, let's take a look at 10 types of malware.

Note: This article originally appeared as an entry in our IT Security blog. It is also available as a PowerPoint presentation and as a PDF document in our Downloads Library.

1: The infamous computer virus

A computer virus is malware that's capable of infecting a computer but has to rely on some other means to propagate. A true virus can spread from the infected computer to a non-infected computer only by attaching to some form of executable code that's passed between them. For example, a virus could be hidden in a PDF file attached to an e-mail message. Most viruses consist of the following three parts:

  • Replicator: When the host program is activated, so is the virus, and the viral malcode's first priority is to propagate.
  • Concealer: The computer virus can employ one of several methods to hide from anti-malware.
  • Payload: The malcode payload of a virus can be purposed to do just about anything, from disabling computer functions to destroying data.

Some examples of computer viruses currently in the wild are W32.Sens.A, W32.Sality.AM, and W32.Dizan.F. Most quality antivirus software will remove a computer virus once the application has its signature file.

2: The ever-popular computer worm

Computer worms are more sophisticated than viruses, being able to replicate without user intervention. If the malware uses networks (such as the Internet) to propagate, it's a worm rather than a virus. The main components of a worm are:

  • Penetration tool: Malcode that leverages vulnerabilities on the victim computer to gain access.
  • Installer: The penetration tool gets the computer worm past the initial defense mechanism. At that point, the installer takes over and transfers the main body of malcode to the victim.
  • Discovery tool: Once settled in, the worm uses several methods to discover other computers on the network, including e-mail addresses, host lists, and DNS queries.
  • Scanner: The worm uses a scanner to determine if any of the newly found target computers are vulnerable to the exploits available in its penetration tool.
  • Payload: Malcode that resides on each victim's computer. This could be anything from a remote access application to a key logger used to capture user names and passwords.

This category of malware is unfortunately the most prolific, starting with the Morris worm in 1988 and continuing today with the Conficker worm. Most computer worms can be removed by using malware scanners, such as MBAM or GMER.

3: The unknown backdoor

Backdoors are similar to the remote access programs many of us use all the time. They're considered malware when installed without permission, which is exactly what an attacker wants to do, by using the following methods:

  • One installation method is to exploit vulnerabilities on the target computer.
  • Another approach is to trick the user into installing the backdoor through social engineering.

Once installed, backdoors allow attackers complete remote control of the computer under attack. SubSeven, NetBus, Deep Throat, Back Orifice, and Bionet are backdoors that have gained notoriety. Malware scanners, like MBAM and GMER, are usually successful at removing backdoors.

4: The secretive Trojan horse

It's difficult to come up with a better definition for Trojan horse malware than Ed Skoudis and Lenny Zeltser did in their book Malware: Fighting Malicious Code:

"A trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality."

Trojan horse malware cloaks the destructive payload during installation and program execution, preventing anti-malware from recognizing the malcode. Some of the concealment techniques include:

  • Renaming the malware to resemble files that are normally present.
  • Corrupting installed anti-malware to not respond when malware is located.
  • Using polymorphic code to alter the malware's signature faster than the defensive software can retrieve new signature files.

Vundo is a prime example; it creates popup advertising for rogue anti-spyware programs, degrades system performance, and interferes with Web browsing. Typically, a malware scanner installed on a LiveCD is required to detect and remove it.
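Sections 1 and 4 both turn on the same mechanism: an antivirus product recognizes a sample once it has a signature for it, and polymorphic code defeats that by changing the bytes the signature looks for. The following is an added example, not code from the article or from any antivirus vendor, of a minimal signature scanner over constructed samples. It shows a whole-file hash signature, an exact byte-pattern signature, and a wildcard pattern of the kind many signature formats support, and then runs all three against a known sample and two constructed variants to make the detection gap visible.

```python
"""
Added example (not from the original article): a minimal signature-based
scanner, illustrating why anti-malware that depends on signature files is
reactive and how a changed byte (polymorphic code, section 4) slips past a
fixed pattern. Every sample and signature here is constructed for the demo.
"""
import hashlib
import re

# Constructed "signature file". Byte patterns are written as hex tokens;
# '??' stands for any single byte, as in many real signature formats.
SIGNATURES = {
    "hash": {},  # sha256 hex digest -> detection name (filled in below)
    "patterns": {
        "Demo.Exact": "4d 5a 90 00 de ad be ef",
        "Demo.Wildcard": "4d 5a 90 00 ?? ?? be ef",
    },
}


def pattern_to_regex(hex_pattern: str) -> re.Pattern:
    """Turn 'aa bb ?? cc' into a compiled bytes regex; '??' matches any byte."""
    parts = []
    for tok in hex_pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, signatures: dict) -> list[str]:
    """Return the names of every signature that matches `data`, hash first."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in signatures["hash"]:
        hits.append(signatures["hash"][digest])
    for name, pattern in signatures["patterns"].items():
        if pattern_to_regex(pattern).search(data):
            hits.append(name)
    return hits


# Constructed samples: a fake MZ header (4d 5a 90 00) followed by a marker.
SAMPLE_A = b"MZ\x90\x00" + b"\xde\xad\xbe\xef" + b"payload"  # the known sample
SAMPLE_B = b"MZ\x90\x00" + b"\xca\xfe\xbe\xef" + b"payload"  # two bytes changed
SAMPLE_C = b"MZ\x90\x00" + b"\xca\xfe\xca\xfe" + b"payload"  # four bytes changed

# The hash entry is computed from SAMPLE_A so the demo stays self-consistent.
SIGNATURES["hash"][hashlib.sha256(SAMPLE_A).hexdigest()] = "Demo.KnownHash"


def demo() -> dict[str, list[str]]:
    """Scan all three samples and return {sample name: detections}."""
    return {
        "A (known)": scan(SAMPLE_A, SIGNATURES),
        "B (2 bytes changed)": scan(SAMPLE_B, SIGNATURES),
        "C (4 bytes changed)": scan(SAMPLE_C, SIGNATURES),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:22s} -> {hits or 'no detection'}")
```

The known sample trips all three signatures. Changing two bytes is enough to defeat both the hash and the exact pattern, and only the looser wildcard pattern still fires; changing four bytes defeats everything in the signature file. That is the whole argument behind the article's point that signature-based anti-malware is reactive: the vendor must see the variant before a signature for it can exist, and a scanner that has not yet received the updated signature file reports nothing.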

5: Adware/spyware: more than an annoyance

  • Adware is software that creates popup advertisements without your permission. Adware usually gets installed by being a component of free software. Besides being irritating, adware can significantly decrease computer performance.
  • Spyware is software that collects information from your computer without your knowledge. Free software is notorious for having spyware as a payload, so reading the user agreement is important. The Sony BMG CD copy protection scandal is probably the most notable example of spyware.

Most quality anti-spyware programs will quickly find unwanted adware/spyware and remove it from the computer. It's also not a bad idea to regularly remove temp files, cookies, and browsing history from the Web browser program as preventative maintenance.

Malware stew

Up until now, all the malware discussed has distinctive characteristics, making each type easy to define. Unfortunately, that's not the case with the next categories. Malware developers have figured out how to combine the best features from different types of malware in an attempt to improve their success ratio.

Rootkits are an example of this, integrating a Trojan horse and a backdoor into one package. When they're used in this combination, an attacker can gain access to a computer remotely without raising any suspicion. Rootkits are one of the more important combined threats, so let's take a deeper look at them.

Rootkits: Completely different

Rootkits are in a class all their own, choosing to modify the existing operating system instead of adding software at the application level, like most malware. That's significant, because it makes detection by anti-malware much more difficult.

There are several types of rootkits, but three make up the vast majority of those seen in the wild: user-mode, kernel-mode, and firmware rootkits. User-mode and kernel-mode may need some explanation:

  • User-mode: Code has restricted access to software and hardware resources on the computer. Most of the code running on your computer will execute in user mode. Due to the restricted access, crashes in user-mode are recoverable.
  • Kernel-mode: Code has unrestricted access to all software and hardware resources on the computer. Kernel mode is generally reserved for the most trusted functions of the operating system. Crashes in kernel-mode aren't recoverable.

6: User-mode rootkits

It's now understood that user-mode rootkits run on a computer with the same privileges reserved for administrators. This means that:

  • User-mode rootkits can alter processes, files, system drivers, network ports, and even system services.
  • User-mode rootkits remain installed by copying required files to the computer's hard drive, automatically launching with every system boot.

Hacker Defender is one example of a user-mode rootkit. Luckily, Mark Russinovich's well-known application RootkitRevealer can detect it, as well as most other user-mode rootkits.

7: Kernel-mode rootkits

Since rootkits running in user-mode can be found and removed, rootkit designers changed their thinking and developed kernel-mode rootkits. Kernel-mode means the rootkit is installed at the same level as the operating system and rootkit detection software. This allows the rootkit to manipulate the operating system to a point where the operating system can no longer be trusted.

Instability is the one downfall of a kernel-mode rootkit, typically leading to unexplained crashes or blue screens. At that point, it might be a good idea to try GMER. It's one of a few trusted rootkit removal tools that has a chance against kernel-mode rootkits, like Rustock.

8: Firmware rootkits

Firmware rootkits are the next step up in sophistication, with rootkit developers figuring out how to store rootkit malcode in firmware. The altered firmware could be anything from microprocessor code to PCI expansion card firmware. This means that:

  • When the computer is shut down, the rootkit writes the current malcode to the specified firmware.
  • When the computer restarts, the rootkit reinstalls itself from that firmware.

Even if a removal program finds and eliminates the firmware rootkit, the next time the computer starts, the firmware rootkit is right back in business.

9: Malicious mobile code

In relative anonymity, malicious mobile code is fast becoming the most effective way to get malware installed on a computer. Mobile code is software that's:

  • Obtained from remote servers.
  • Transferred across a network.
  • Downloaded and executed on a local system.

Examples of mobile code include JavaScript, VBScript, ActiveX controls, and Flash animations. The primary idea behind mobile code is active content, which is easy to recognize. It's the dynamic page content that makes Web browsing an interactive experience.

What makes mobile code malicious? Installing it without the owner's permission or misleading the user as to what the software does. To make matters worse, it's usually the first step of a combined attack, similar to the penetration tool used by Trojan horse malware. After that, the attacker can install additional malware.

The best way to combat malicious mobile code is to make sure that the operating system and all ancillary software are up to date.

10: Blended threat

Malware is considered a blended threat when it seeks to maximize damage and propagate efficiently by combining several pieces of single-intentioned malcode. Blended threats deserve special mention, as security experts grudgingly admit they're the best at what they do. A blended threat typically can:

  • Exploit several known vulnerabilities or even create vulnerabilities.
  • Incorporate alternate methods for replicating.
  • Automate code execution, which eliminates user interaction.

Blended threat malware, for example, may send an HTML e-mail message containing an embedded Trojan horse along with a PDF attachment containing a different type of Trojan horse. Some of the more famous blended threats are Nimda, CodeRed, and Bugbear. Removing blended threat malware from a computer may take several pieces of anti-malware, as well as using malware scanners installed on a LiveCD.

Final thoughts

Is it even possible to reduce the harmful effect malware causes? Here are a few final thoughts on that subject:

  • Malware isn't going away any time soon, especially now that it's evident that money, lots of money, can be made from its use.
  • Since all anti-malware applications are reactionary, they are destined to fail.
  • Developers who create operating system and application software need to show zero tolerance for software vulnerabilities.
  • Everyone who uses computers needs to take more ownership in learning how to react to the ever-changing malware environment.
  • It can't be stressed enough: Please be sure to keep operating system and application software up to date.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

150 comments
denberg

Excellent article, compulsive reading, thank you!

sdavidson

I use Macrium Reflect frequently to make images of my C: drive. This has worked for me in the past because if I get a virus, I simply restore from an image dated before I got infected. Is this a good strategy in your opinion (in addition to using an anti-virus program of course)? It sounds like this would not help me if infected by a firmware rootkit.

fred.stumpp

Since computers are integral to various health and safety systems, it is only a matter of time before malware causes death and disaster. Attack the problem at the source - tell your elected officials you want to see government take a more aggressive stand in identifying and prosecuting hackers. We need punishments proportional to the maliciousness and potential danger posed by these criminals.

El Machete

Wow! I have never read an article so precise and to the point. Very informative for sure. I should have read this before I started fighting malware for the last two days on a client's computer.

ipl_001

Congrats on this very useful document! It is very important to educate as many people as possible on the Web and you do well: the better the level of knowledge, the more secure the Web will be for everyone... For everyone as dangers also come from "computer illiterate" people. Thanks again Michael! WTG

rwboyd

I thank you and my customers thank you. Next time a client asks the difference between a virus, a worm etc. I'll just refer them to this article.

roger

Clear and right on target. That's the best, readable description of malware I've seen, and you didn't pull any punches. Especially appreciate your comments on the reactionary character of anti-malware. Great job.

CharlieSpencer

but I'm glad it resurfaced. Excellent refresher, Michael.

rpr.nospam

A good first step to avoid problems with malware is not using Microsoft Windows :-) The first mistake that an average user of a MS Windows system does is logging in with a user account that has administrative rights on the system. That way every piece of junk that user runs from an e-mail message or from the Internet also has administrative rights to do whatever it likes on the system. In the Windows NT family of PC operating systems and beyond the standard installation procedure should have included creation of two user accounts: the admin account and a normal ("restricted") user account (without administrative rights). The users must have been taught to use the admin account only for administrative tasks (system wide settings and software installation), and to use a normal user account for regular log in to Windows. IMHO, this is really not a difficult demand to the users as everybody knows that a car has a gas and a brake pedal. That way users would be saved from a huge number of problems with malware, while the application developers would be forced to write applications in a better way (even today I can see that programmers write application software that doesn't run properly if run by a normal user in Windows).

lcarniato

A really well written summary !! While impossible to be "all inclusive" this article gives the fundamentals and beyond. Great Job, Thank You !!

Capt_Skippy

Nice breakdown. Now if only end users will learn and stop clicking every pop up they see :/

bitdoctor

[Preface: WHY is TechRepublic JUST NOW sending me this article when, clearly, it was written back in MAY?! EXCELLENT article, overall, BTW!] Regarding definitions: For example: when did "worm" get re-defined? A virus can propagate across the Internet - that never has been in question. Originally, "worm" meant, exclusively (or almost exclusively), "Malicious code that is propagated via email." Worms can happen via Outlook/Exchange or SMTP on the LAN, WAN or Internet. It's just bothersome that these terms seem to be so fuzzy and often re-defined on a whim. We need SANS or some accepted security organization to decide on a 'standard, universally-accepted' definition. The trojan definition looks pretty close to a universally-accepted definition; and you're spot-on on the rootkit definition as well. You mention 'rootkits,' and yet you don't mention the Sony (wasn't it Sony) rootkit that got distributed via their claim of trying to protect their music - instead, you mention the Sony thing in one of the previous slides - my understanding is that it was indeed, a rootkit - and that's a HUGE distinction - to be aware that, if you played one of their music CDs, you got a rootkit installed, without your knowledge, to collect information you never agreed to (CD label aside). And, in more than one place, within the slides, you mention LiveCD, assuming the reader knows what that is, yet you never once mention what is a "LiveCD;" is it a CD that is not "dead?" Please always remember to define and clarify such things, rather than assuming the reader "knows." (I do know, because I've been in the industry some 25 years, but the point is valid - not all of us are Microsoft/Windows-centric; myself, I am 'multi-platform/multi-o/s). Regards, Jeff Mason

Rondil

These tips are meant for home users. Tip #1 Never type in account numbers while running Windows. I would be willing to bet that 80-90 percent of computers out there have some form of spyware loaded. Always assume your PC is infected. Tip #2. When surfing the Internet always do it from a limited account. To make it happen go to Control Panel then User Accounts. Click on Create a new account then name it. Click next then give the account limited permissions. Then click create account. From what I have been told rootkits cannot be installed while you are running in a limited account. Tip #3 When you want to buy something over the Internet figure out how much money you need and then go to your bank and buy a gift card. My bank sells them for 2 bucks. You must log onto their web site and register it. Use it to make your purchase then log back on and find out how much is left. Burn up any left over money the next time you go to the grocery store. If a hacker gets your card number he gets nothing. https://www.harlandclarkegiftcard.com/ Tip #4 Be very careful using torrent programs. Every time I use one my PC gets loaded with spyware. Porn torrents are especially bad for containing malware. Tip #5 The next time you reinstall Windows do the following. Disconnect your machine from the Internet during install. Make sure you install your firewall and anti-spyware before you connect up. Download your updates, drivers and install your favorite apps. As soon as you have your machine set up the way you like it make a hard drive image. Norton Ghost, Acronis True Image or DriveImage XML are three good programs for this. Store it on an external hard drive. Now when your PC gets all screwed up just reformat and write the image back on. Problem solved. Bet your PC runs a lot faster too. Tip #6 If you're running Firefox, and you should, make sure you have the status bar on. Click View and make sure that Status bar has a check mark. I'm running Firefox 2 so they may have moved it in version 3. The status bar lets you see where a link is going to when you hover over it. A web programmer can hide this info but I will never click on a link that is hidden. Also talk to your kids about why they should be careful clicking on links and how to tell what they are clicking on. Tip #7 Install a hosts file on your PC. You can get one at http://www.mvps.org/winhelp2002/hos... A hosts file forces all bad web addresses to go to your loopback address instead of the bad web site. It also blocks connections to many advertising web sites. So when you visit a web page a lot of the ads won't show up. You will see an error message on the web page where the ad would have been. The page will still load fine. Your web access will speed up a little since you won't be wasting bandwidth on ads. Tip #8 Turn off autorun for thumb drives etc. That way when a buddy shows up with some kewl pictures on his drive he doesn't load his trojans while he's there. Just google "turn off autorun usb" for how to do it. Tip #9. If you want to do banking over the Internet never use Windows. Instead download a copy of Linux and burn it to a CD. Get one that will boot from the CD like Ubuntu. To the best of my knowledge when it gets burnt to a CD-R nothing can ever be changed on the CD. Make sure your PC is set to boot to CD/DVD drive first and boot Linux. It will be a little slow but there is virtually a 0 percent chance of any infection being present. When you're done banking pop the CD out and reboot back to Windows. It may be a hassle but imagine the hassle if some asshat gets access to your bank account. Tip #10. Keep temp files cleaned out as malware often gets stored there. Get a copy of Crap Cleaner and make it easy on yourself. Get it at www.ccleaner.com

dixon

...that I've ever read a better treatment of the subject anywhere. Very clear, concise, thorough, accurate and altogether very well written.

seanferd

That's a really good descriptive list. Makes me want to fire up a printer with a full tray of paper...

melekali

...succinct and excellent summary, Michael. I applaud you.

wmiori

Thank you very much for Mr. Kassner's Tech Republic article of May 12. I am not an IT person, but I try to learn these matters because they affect family, friends, and co-workers. This article was the most comprehensive view of the issue I have seen and the kind of information I would gladly share with my co-workers (who are secretaries like myself). Although we are not IT professionals, we have to deal with security threats as well. Mr. Kassner's article would make a tremendous overview for the kind of information we need. Thank you again and please keep up the good work. Bill Miori

casternj

is everyone still using BART PE with MBAM, GMER and other utilities

capeterson67

or as close to it as you are going to get? I use Faronics' "Deep Freeze". It makes any changes to a "frozen" volume impossible. All you need to do is restart the PC and the system boots up in the same exact state it was in before any changes were made. To accommodate the obvious need for end-users to save files and data, I will either partition the drive at system prep and leave the logical drive unfrozen for file storage and retrieval or I will map and assign a network location for end-users to store their materials. Drives can be unfrozen when updates are necessary for required functionality. I use this strategy for most of my larger customers who simply cannot lose time to malware threats to their IT infrastructure. I also service several public libraries and this approach is invaluable when dealing with public use computers.

Michael Kassner

That the article is of help. It was a labor of love to be sure.

Michael Kassner

It was fun. Being a generalist, I learned a great deal as well.

Neon Samurai

Using Windows is not always by choice. Be it a work provided machine, specialized software need or simply thinking that what came installed by the computer shop is all there is, it's not always possible to choose a different platform. I wish it was and the only real clinchers these days are poorly designed hardware and specialized software needs which will always dictate the OS under them (AutoCAD, Adobe, big name games). Using a regular user and a separate admin account is a great idea on any platform. On Windows, it keeps the user from breaking their own system. A regular user account can still install software though which remains a problem. Skype is a benign example but it means malicious software can do the same thing. Being able to put the home directories on a separate partition and have it mount non-executable would help that somewhat. There is also the issue of poor privilege separation. Malware needs only to take the extra step of breaking out of the user account to run things as administrator. We'll have to see how Win7 holds up though UAC allowing software to disable it defeats its purpose. Admin and regular user have been more clearly separated at least and Active Directory has more control over workstations through group policy.

Michael Kassner

You have me curious, what additions are you thinking about? I'd love to hear them.

JCitizen

I still say my in-depth defenses will give any malcoder a run for his money. My clients insist on banking and shopping online, I give them the same advice you do to try and scare them off the web shopping scene, but no cigar. So I am forced to add additional defensive layers in addition to, or supplemental to, your strategy. They know full well the risks after I give them my anti-pep talk. Some of them switch to phone shopping after that. Most give up online banking entirely.

SubgeniusD

That's not practical for frequent shoppers. I would've added Tip #3 - PayPal - get it, use it. I also consider Google Checkout a secure fund transfer resource. I have not entered a credit card number on-line for a couple years now. If the site does not have PayPal I use the contact form and tell them why they just lost my business. My PayPal account is connected to a checking account that I monitor with a "balance alert" if it goes over or under pre-set thresholds. Over and I transfer to secure savings acct. So if I ever do get hacked the damage will be tolerable and I'll know about it right away by a low balance alert. Tip #9 - This is 2009 and you don't need to carry a Linux cd around anymore. All major distros boot off thumb drives and most have "light" or "mini" versions for basic functionality. And while you're at it why boot back into Windows when you can easily do almost everything in Linux these days? I'm not a zealot - have Win 7 RC on Virtual Box on this machine. Tip #11 - Always keep your browser updated. As Windows gets harder to penetrate, malware writers are concentrating on browser exploits like "man in the middle" - and these are OS independent. If you're interested (and you should be) these guys give great weekly presentations on these and related security topics: http://www.pauldotcom.com/

Michael Kassner

I appreciate your comments. It was a tough one as I had to understand it to write it.

TechTeach_z

but I'll save some trees and just forward a link to some people who NEED to read this...thank you!

PurpleSkys

very well written..makes me want to get some paper myself

f.stephens

Thanks Michael. It was very well written and for a non-IT Pro to be able to understand is great. I am a retired general security specialist who has a smattering of IT security background. Keep up the good work. Frank

bitdoctor

No, a "regular user" (non-privileged) cannot install anything - you must be at least a 'power user.' We are talking Windows XP Professional & Vista Business and those types of platforms (as long as you have "properly tightened them down"). I use both UNIX/Linux and Windows and, believe me - ANY O/S that is not properly secured can be compromised - it's one of the things I test for (and against) - as part of standard security setups. MOST Windows breaches are due to sheer stupidity on the part of the person managing the servers, workstations and network. With XP Home, ANYTHING is possible and there is no 'separation.' With XP Pro and higher, there is all the granular, discrete separation you need (especially with AD and Group Policies and security templates and the list goes on) - with full ability to restrict 'precisely' what someone can or cannot do; what prompts and tabs they are allowed to even see - and "breaking out" to admin level is not as simple as you make it sound - as long as patches are up-to-date. Granted someone will find a new "buffer overflow" from time to time, which may allow privilege escalation, but that's more rare now than it was even one year ago, and even MS is getting better at preventing privilege escalation in such situations. And again, ANY o/s where you can have 'root' or 'admin' level will allow you to enable/disable any feature you desire - so your UAC example is a moot point - If I am an 'admin,' I can do as I please - on UNIX/Linux or on Windows - makes no difference. On UNIX/Linux, I can (as root) disable whatever 'security feature' I want - XP/Vista is no different - or, as a quote: "With admin/root privileges, comes great responsibility." ANYBODY on UNIX/Linux or Windows, can (as an admin) circumvent ANY feature they desire. UAC only allows software to disable it, IF you are at the admin level. On Vista HOME and XP HOME - you are ALWAYS at the 'admin level.'

JCitizen

sell this as a 50 pack of pamphlets, I'd gladly buy it to hand out to all my clients, and then some. I could give out a hundred at the local college for sure! I'd do it, just for the philanthropy of it. You should get your dues for this hard work! Sorry I never saw this till now.

Michael Kassner

It was a fun research project. Had to make it simple so I could understand.

Michael Kassner

My next one is in the works and called 10 ways to detect malware.

Neon Samurai

And that would also be the further information that I can now go off and read. As I said, Skype itself is not a real concern for us but the proof of concept that it can be done is. Application specific blocks are a pain as they are reactive rather than an effective general block proactively put in place. Bit of a pain that it's not the default behavior induced by joining an AD but if there is a way to address it, that's almost as good. Now I'm off to do some reading.

bitdoctor

Then you don't have your XP Pro sufficiently tightened down. To be honest, the information is freely available - just do Google and visit some of the top tech sites (even, heaven forbid, Microsoft's own site ;-) Yes, even locally, standalone XP stations can be tightened (without even using group policies - using 'local security policies' as needed) so that NOBODY but an 'admin' can install things - it takes a bit of effort, but it can be done. And, yes, even group policy via 2003 Server DC's is sufficient as well - when pushing to XP Pro workstations, to tighten workstations all the way from "Kiosk mode" (sort of "locked-down-to-the-max") to lesser secure modes. In the GPO console, you can set these policies domain-wide, or via specific machines and so forth - it really is quite granular. Again, all the docs are available on-line, with tips for disabling menu items, disabling 'program install ability,' etc. Just off-hand: http://www.tech-archive.net/Archive/WinXP/microsoft.public.windowsxp.general/2007-03/msg01858.html http://forums.techguy.org/windows-nt-2000-xp/104580-how-disable-any-all-software.html And, as some articles point out, you sometimes have to find the specific installer related to the app and/or the specific app files themselves and, once you know that info, you can then put in custom policies to block those specific apps - you can even get creative enough that, even if the user tries to rename the installer or the app, you can still block it - you would likely have to know what type of app Skype is - is it Java/Javascript-based; is it VB-based; etc. - Internet-based/ActiveX, Javascript and VB/VBscript are somewhat different issues - as you might imagine - some apps can get installed via browser, and may need to get blocked via IE policy as well as back-end 'app-blocking' policy. It's all there - you just have to 'dig' a bit, and make sure you close all the holes and cover all the bases.
As for UAC - thanks - I wasn't aware of a bug where it can be disabled via user-mode - but I've avoided Vista like the plague, for the most part, except where I am 'forced' to support it.

Neon Samurai

This is on WinXP Pro SP3 authenticating against a domain server. If installed as administrator, Skype will install to the Program Files directory and be available to all users. If installed as a regular user, it will only be available to that user by installing to their own Local Settings directory. I've had two regular users do this on their own and had our Windows support people confirm the issue on test systems. Skype is less of an issue for us but the fact that it can be done by software causes me some concern. The comment was not comparing OSes or suggesting any OS couldn't be configured to be less secure. Of course any OS can be left wide open through configuration or lack of it. No amount of blinky lights and black boxes can protect any OS from the user or poor administration. WinXP Home is a much worse case; I agree there. It's insecure by design. Worse privilege separation, poor user management, user names displayed as icons by default, crippled networking support. It's just bad in general and far below the scope of a security discussion. My only complaint with WinXP and group policy is that it's all wide open by default. One has to go through it and enable all the security features. My last foray back into the guts of Windows was last week's list of services that should be disabled. If you've got the group policy version of BlackViper.com then I'd be very interested to read that. The local policy settings that are displayed though not enabled are great for some things and rather limited for others. Again, it's WinXP Pro meant for business use, sold with business class hardware and left wide open so I'm the lucky security geek that gets to go through it before discussing new policy changes with the support team that will do the implementation. For a regular user, breaking into another account is going to take some effort. For malware coming in through the browser it's easier depending on the browser, and IE has done a good deal to mitigate this.
Malware on the system outside the browser has a much greater advantage. Patching is definitely critical but a lacking habit among many home users and a delayed practice in most businesses as they have to run it on the test machines first. Neither patching issue is unique to Windows of course. As for a user willing to put a little effort in: locally stored LM hashes break easily, CIFS/SMB cleartext protocol is an issue for network traffic, pass-the-hash can borrow tickets from other connected users so a regular user. But, like I said, this is WinXP and MS is getting better so we'll have to see how Win7 holds up when it comes out. Of course programs with root/admin rights can do much more than lower privileged ones; that's not even a remote question. Offhand, has MS fixed this behavior in Win7 yet: http://www.darknet.org.uk/2009/02/windows-7-uac-vulnerable-user-mode-program-can-disable-user-access-control/ I would love my understanding of UAC to be a moot point if you have updated information on that. Also, if you do have group policy setting tips I'd be interested in reading more on that. I'd like to get more control through group policy over which services are enabled, what permissions users have, general local system config settings and such. I'm limited to Win2003 Server at the moment though I hear Win2008 Server provides much more control through the domain controller.
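Added example (editor's note, not code from bitdoctor or Neon Samurai). bitdoctor's post above says a standalone XP Pro box can be locked down with local security policy so that nobody but an admin can install software, and Neon Samurai's post shows why that matters here: run as a regular user, the Skype installer simply writes into the user's own Local Settings tree, where no admin right is needed. The script below does the one thing that closes that particular hole on XP Pro / Server 2003 clients: it registers Software Restriction Policy (SRP) "Disallowed" path rules for the user-writable profile directories, scoped to everyone except local administrators, by writing the same registry keys secpol.msc writes. The registry layout it relies on (the CodeIdentifiers key, subkey 0 for Disallowed rules, ItemData/SaferFlags per rule, PolicyScope 1 meaning "all users except local administrators") is my reading of how SRP stores its rules; verify it in secpol.msc after running, and push the same rules from the 2003 DC with a GPO once they behave on a test machine.

```powershell
# Added example, not code from either post. Registers SRP path rules so nothing
# executes from the per-user profile tree a non-admin install lands in.
# Run from an elevated PowerShell on the XP Pro / 2003 test box.
#
# Assumed SRP registry layout (check against secpol.msc > Software Restriction
# Policies before relying on it):
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
#     DefaultLevel        0x40000 = Unrestricted (kept; we add deny rules)
#     PolicyScope         1       = all users except local administrators
#     TransparentEnabled  1       = enforce on executables, not DLLs
#     0\Paths\{GUID}      one Disallowed path rule (ItemData, SaferFlags, ...)
#   Subkey 0 holds Disallowed rules, subkey 262144 (0x40000) Unrestricted ones.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Create the policy container if SRP has never been enabled on this machine.
if (-not (Test-Path $base)) {
    New-Item -Path $base -Force | Out-Null
}
Set-ItemProperty -Path $base -Name DefaultLevel       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $base -Name PolicyScope        -Value 1       -Type DWord
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1       -Type DWord

# Per-user locations a non-admin installer can write to on XP. Environment
# variables are expanded for the logging-on user when the rule is evaluated,
# so one rule covers every account. A folder rule matches the folder and
# everything beneath it, which is what catches ...\Application Data\Skype.
$denyPaths = @(
    '%USERPROFILE%\Local Settings',   # Application Data, Temp, Temporary Internet Files
    '%USERPROFILE%\Application Data'  # roaming half of the profile, just as writable
)

foreach ($p in $denyPaths) {
    $ruleKey = Join-Path $base ('0\Paths\' + [guid]::NewGuid().ToString('B').ToUpper())
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $p -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0  -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value 'Deny execution from user-writable profile dirs' -PropertyType String | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord | Out-Null
}

# SRP is read at logon and process creation; refresh and print what is now denied.
gpupdate /force | Out-Null
Get-ChildItem (Join-Path $base '0\Paths') | ForEach-Object {
    '{0,-40} Disallowed' -f (Get-ItemProperty $_.PSPath).ItemData
}
```

Two caveats a practitioner will want. First, a path rule only stops binaries from running out of those directories; it does not stop the user from copying a renamed installer somewhere that is still allowed. bitdoctor's "even if renamed" case is a hash rule, and since SRP stores the hash in a binary format I would create that one through secpol.msc (New Hash Rule, point it at skype.exe or its installer) rather than by hand in the registry. Second, the classic SRP bypasses are user-writable folders under otherwise-allowed trees (for example the Tasks and Temp directories under %WINDIR%), so either add Disallowed rules for those too or, better, set DefaultLevel to Disallowed and whitelist %WINDIR% and %PROGRAMFILES% explicitly; test it with a non-admin account before it goes domain-wide.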

JCitizen

I'll do my durn best!! Ha! :) You know rat poison is soooo under-rated. It keeps me alive! :O

seanferd

Stay oot the durn ospital! I wish you good health. And good reading. :)

PurpleSkys

...stay out of the hospital that is...feel better soon

JCitizen

all of your fine articles; if I can stay outta the hospital long enough! :(