New Directions in Malware

Kaspersky Labs reports on extortion scams using malware:

We've reported more than once on cases where remote malicious users have moved away from the stealth use of infected computers (stealing data from them, using them as part of zombie networks etc) to direct blackmail, demanding payment from victims. At the moment, this method is used in two main ways: encrypting user data and corrupting system information.

Users quickly understand that something has happened to their data. They are then told that they should send a specific sum to an e-payment account maintained by the remote malicious user, whether it be EGold, Webmoney or whatever. The ransom demanded varies significantly depending on the amount of money available to the victim. We know of cases where the malicious users have demanded $50, and of cases where they have demanded more than $2,000. The first such blackmail case was in 1989, and now this method is again gaining in popularity.

In 2005, the most striking examples of this type of cybercrime were carried out using the Trojans GpCode and Krotten. The first of these encrypts user data; the second restricts itself to making a number of modifications to the victim machine's system registry, causing it to cease functioning.

Among other worms, the article discusses the GpCode.ac worm, which encrypts data using 56-bit RSA (no, that's not a typo). The whole article is interesting reading.

Posted on April 26, 2006 at 1:07 PM • 58 Comments

Comments

AGApril 26, 2006 1:51 PM

Nasty business... I need to spend more on my home security setup. At least back up the pictures of the fam to a flash drive.

George WApril 26, 2006 2:01 PM

> they should send a specific sum
> to an e-payment account maintained
> by the remote malicious user

Doesn't that leave a trail? Should somebody go catch the bad guys?

McGavinApril 26, 2006 2:08 PM

>Doesn't that leave a trail? Should >somebody go catch the bad guys?

If the demanded sum is low enough (~$100), then is it really worth the effort?

DragonhunterApril 26, 2006 2:11 PM

And if the trail (as I suspect it does) crosses international boundaries...well, that makes jurisdiction and enforcement all the tougher.

miguelitoApril 26, 2006 2:14 PM

>If the demanded sum is low enough (~$100), then is it really worth the effort?

You're joking, right? Does persecution of criminal acts need to be sustainable nowadays?

ArchangelApril 26, 2006 2:16 PM

I hate to sound like a smug bastard, but I love being a Linux user at times like this. I *don't* need to spend more money on my home security setup, at least as far as remote access to my computer is concerned. I just need to RTM and make sure my system is closed to remote access attempts.

And just try running Windows malware on it!

Not that that solves the problem for Joe User whose home computer happens to run Windows, and is probably not patched up completely, and who just clicks OK on nuisance windows so they will let him go about his business. Even a fully patched Windows install will run malware programs and let them talk, and is built around privelige escalation as a way of life.

Joe doesn't know Windows is the problem; he doesn't know there are alternatives. Windows is just his computer, the way it always works. Lamentable.

ArchangelApril 26, 2006 2:18 PM

... more to the point, Joe probably doesn't figure he needs to spend the money on an AntiVirus program, and if he does, hasn't got a clue about firewall configurations, let alone an IDS. He configures them so they don't interfere with his work.

McGavinApril 26, 2006 2:27 PM

>>If the demanded sum is low enough (~$100), then is it really worth the effort?

>You're joking, right? Does persecution of criminal acts need to be sustainable nowadays?

Is somebody going to do the work for free? Does your local police department have the time and expertise to do this investigation considering the amount of money? The FBI may have the expertise, but does it care about your $100 problem? Who is going to pursue the investigation from your organization (or household)? Is that time spent worth less than $100?

McGavinApril 26, 2006 2:31 PM

@Archangel

If there were as many Linux boxes "on desktops" as Windows boxes, then Linux would be just as vulnerable to this attack.

Right now, Linux users aren't as juicy a target as Windows users. That is what is protecting you.

ArchangelApril 26, 2006 2:32 PM

Simpler solution, though it requires keeping good backups -- the data isn't being stolen, it's just being compressed, encrypted and locked on the local filesystem. You should be able to wipe and restore the OS and data. Besides, isn't reinstall part of the Microsoft SOP for keeping your system running at its best?

Also, from the article:
"As for what should be done if the data has already been encrypted – the examples above show that antivirus companies are able to help here, and in a relatively short space of time. Users should not give in to blackmail, as any money paid to virus writers will simply encourage them to continue to write and release new variants."

kurt wismerApril 26, 2006 2:32 PM

Archangel,

not to put too fine a point on it, but this type of malware has nothing to do with remote ACCESS, they're ordinary data manipulating trojans... you can be just as susceptible to those under linux as you can under windows...

ArchangelApril 26, 2006 2:39 PM

@McGavin

I knew it was coming. Old, old saw, no teeth. This is not a volume-based problem. Even not considering the superiority of the tools available for network security, *for free*, in Linux, unices are less vulnerable on the whole. Unless it can root-escalate, code which can affect user data is generally contained. Sysadmin can nuke the partition. It can't get permission to write to dangerous things on a properly updated system, unlike Windows. Unless you run unsigned, untrusted binaries as root (i.e. are an idiot), base unix privelige protection is functional. We fix root escalations very, very quickly.

Second: try getting a trojan onto my system in the first place. Make me compile it and run it, or make someone I trust (e.g. Pat Volkerding) compile it and give it to me.

kurt wismerApril 26, 2006 2:48 PM

Archangel

>It can't get permission to write to dangerous things on a properly updated system

in this case it doesn't need to - it's making user data inaccessible... it's not about compromising the whole machine, just blocking access to something that's valuable...

>Make me compile it and run it

not all malware needs to be compiled...

Pat CahalanApril 26, 2006 2:49 PM

@ Archangel

If you're so confident in your machine's security, what's your IP address? :)

Malware is not unique to Windows. Witness the recent upswing of Mac OS X vulnerabilities, which is essentially FreeBSD.

Market presence is indeed a factor in the prevalence of malware. Hackers target the popular target.

FWIW, I'm OS-agnostic... I think they all stink (albeit in different ways).

AnonymousApril 26, 2006 3:01 PM

Pat, they all do stink, in different ways. If kurt can hack the site, he can find my IP address. If he can crack my machine and encrypt my data so that I have to wipe and reinstall, he wins this round. It is possible. It's just hard enough. I can mask the scent of my smelly OS. Can you? Can Joe User? How easily?

If he can find a good way to make me run code on my machine without it coming from a trusted source or me checksumming it and compiling it, more power to him.

OS X is only nominally FreeBSD at this point. Its vulnerabilities don't tend to be core BSD issues, from what I've seen.

Hackers target the easy market; crime is just as subject to market pressure as other activities. Popularity is not, however the primary factor in the equation, much as it does relate to monoculture and stagnation. The overwhelming popularity of the LAMP stack does not make exploits of Apache easier.

BrianApril 26, 2006 3:05 PM

@McGavin

> The FBI may have the expertise, but does
> it care about your $100 problem? Who is
> going to pursue the investigation from your
> organization (or household)? Is that time
> spent worth less than $100?

It might be worthwhile if that $100 is multiplied by lots of infected computers and lots of extortion attempts.

Joe BuckApril 26, 2006 3:08 PM

Archangel, I'll tell you mine: 192.168.2.{2,3,4}
for the three computers at our house. Good luck.

For those in the know about IP addresses, you'll see Archangel's problem immediately. :-)

It is true that market presence is a factor in the prevalence of malware, but it isn't the only factor; privilege separation usually has to be bypassed on Windows XP to get most programs to run. For example, my daughter wanted to play a Windows game, so I booted up one of our machines under Windows. I quicky found that, to make the game run, I had to make my six-year-old an administrator! This kind of thing does not occur on a MacOS or Linux box.

Furthermore, in an effort to defeat Netscape and Real, Microsoft deeply embedded their browser and media player into the deepest parts of their kernel, and the result is a security nightmare.

miguelitoApril 26, 2006 3:09 PM

@McGavin

> Is somebody going to do the work for free?

In normal societies there organisms called law enforcement agencies, which typically don't cost the victims anything. These agencies typically track down and arrest people who commit criminal acts, like, say, cyber crime and blackmail. They then hand those people to other organisms called criminal courts, which, typically, try and punish the offenders. The victim is not involved in this process, financially or otherwise.

kurt wismerApril 26, 2006 3:09 PM

Anonymous

> If he can find a good way to make me run code on my machine

while it may be difficult to get any particular person (especially any person who reads this site) to run code, there are plenty of people out there who are not nearly so careful and that doesn't really have anything to do with what operating system they happen to be running...

look at how many hoops one would have to go through to get that first mac osx worm to run, and it was still found in the wild...

ArchangelApril 26, 2006 3:15 PM

Wow, Joe Buck, you're practically my next door neighbor! I happen to be sitting at 192.168.1.64. :) Of course, you could also try the buzzer at my other door, 127.0.0.1.

AnonymousApril 26, 2006 3:29 PM

Kurt:

There's one really important aspect to the security of most Linux distributions. That's the package repository. Shortly put, Linux users are used to having a bunch of verified-safe packages that they can install, and these usually fulfill all the major functions they need.

So yes, it really is an issue of remote access. That or somehow embedding the virus into media of some sort, taking advantage of a buffer overflow, and so on.

McGavinApril 26, 2006 3:42 PM

@miguelito

>In normal societies there organisms called law enforcement agencies, which typically don't cost the victims anything.


Law enforcement agencies have limited resources. They may or may not have personel with expertise in cyber crime. So, if requested dollar amount is low, and the agency doesn't have the expertise or money to do the investigation, or you don't give your own resources toward investigation (yes, the victim has to spend resources on the investigation), then you are out of luck.

Now, you did point out the exception where a single law enforcement agency is able to connect the dots and go after an attacker who is repeatedly making attacks. But if the victims are simply eating the ransom, then each small extortion will go unreported and the dots will go unconnected.

@miguelitoApril 26, 2006 3:52 PM

> Law enforcement agencies have limited resources.

True. That's why you should file charges, at any rate. If statistics show an increasing trend in this type of crime, the corresponding resources will be increased to allow the agencies to connect the dots.

AnonymousApril 26, 2006 4:09 PM

> > Law enforcement agencies have limited resources.

> True. That's why you should file charges, at any rate. If statistics show an increasing
> trend in this type of crime, the corresponding resources will
> be increased to allow the agencies to connect the dots.

Interestingly enough, some guy named Bruce Schneier has written a few good books on the topic. Like all security, it's about tradeoffs. It may be worth going after, it may not be. Should we move manpower away from investigating murders, rapes, and grand larceny? Possibly, if there are enough of these. My guess is that it's getting disproportionate press because it's "new and cool."

kurt wismerApril 26, 2006 4:19 PM

Anonymous

you're continuing to make unwarranted assumptions about how linux users think and behave... just because you and the people you know are used to only running code that comes from well known software repositories that doesn't mean everyone is so careful... this is especially true for fresh converts from the windows world...

ChrisApril 26, 2006 4:28 PM

From the article, it seems that each of these viruses uses a hard-coded or easy-to-determine key for the encryption. One virus is mentioned as having the path to a commonly-used IDE as its key, encoded as a string resource in the virus code. The author probably hoped anyone analyzing the file would dismiss this string as an unrelated compilation artifact. So far they've tried security through obscurity and wild gesticulation without much success.

At present, it looks as though VXers are struggling with the same problems that are associated with DRM -- you have to give both the ciphertext and the key material to the very people you're trying to protect your content from. In the long run, this is an untenable position.

Kaspersky Labs seems to think the danger is that eventually the virus writers will actually use strong-enough encryption that they won't be able to effectively brute force the keys. This isn't the scenario that should worry them, or us, as they will always be able to attack the virus's implementation and recover the key material that way. It may take a little longer to develop a recovery tool but it will continue to be possible.

The nightmare is when VXers implement a robust key-distribution mechanism (or hijack someone else's) and the victim has no access to key material until they pay up. This of course presents a number of obstacles, not least is that your victim isn't exactly going to cooperate with you during the key exchange. Anyone who can solve these problems isn't going to be using 56-bit RSA, that's for sure.

Constructing a robust PKI is hard for professionals; I'm not worried about an amateur without formal training solving this in his basement any time soon.

PS: For simplicity I'm referring to all classes of malware as "viruses" because I'm being lazy. :)

BrandonApril 26, 2006 4:55 PM

I'm not the least bit sorry for anyone looking blindly to big bother for protection. Adults have the ability to make a reasonable effort. Crude lazyness is well, a nonoptimum defense strategy.

Matthew SkalaApril 26, 2006 4:59 PM

If the malware authors used RSA, or some similar public-key cryptosystem, with a random session key and sufficiently long public key included in the virus/trojan, than they could make it effectively impossible to break the encryption through reverse engineering. The malware would *not* contain sufficient information to decrypt the files. The victim would have to send the encrypted session key back to the malware author to be decrypted with the undistributed secret key. Properly implemented, it would work. It's only a matter of time until a malware author does properly implement it.

Possession of the secret key would be highly incriminating. The smart malware author would distribute copies anonymously to a bunch of people who are above suspicion as soon as possible; they wouldn't be able to continue the scam once those copies got to the anti-malware vendors, but they could keep making money until then and it would reduce the amount of time they'd have the exposure of possessing a secret that only evil people possess.

Nobby NutsApril 26, 2006 5:30 PM

@Archangel

You're suffering under a misapprehension, because you're looking at your Linux computer from a system administrator's point of view. If you are the computer's non-root user, all the interesting and valuable data almost certainly resides in your home directory tree, accessable to you. If your Firefox browser can be persuaded to install software executable by you, with access premissions to your home directory, and to run it, you're as vulnerable as a Windows user. How much harder do you think it is to persuade a Linux firefox to execute "rm -r ~/*" than a Windows one to execute "del /s" or whatever the flag is?

Windows' default administrator access just makes it easier for a cracker to screw up the *entire* machine. Both ways, you lose your personal data, and the result is the same.

kurt wismerApril 26, 2006 5:56 PM

as far as malware using public key cryptosystems effectively - as far as i know the av vendors were not able to crack the pk cryptosystem that hybris used to authenticate it's plugin updates... and that was several years ago now...

i wouldn't be so quick to assume there aren't any bad guys out there capable of implementing something that's strong - it's just that the majority of the talent-pool is pretty shallow... that's why we keep seeing things like gpcode...

Dean HardingApril 26, 2006 6:21 PM

> it's just that the majority of the talent-pool is pretty shallow

Actually, I'd say it's more that they don't *need* to create something stronger. As long as they can make money with a simple program like gpcode, then there's no need to do anything more sophisticated.

It's the same reason we still see those nigerian email scams - as long as people still fall for it, they'll keep doing it like that. No need to think of more devious scams.

WooApril 26, 2006 8:20 PM

Oh, the funny Linux advocats arise again.. with the same wrong assumptions as ever ;)
If you put the same dumb user in front of a Linux box that you here are assuming in front of the Windows box, he will do the same stupid mistakes. When I send someone a mail with "Run me, I'm funny" and a binary attached, he will run it. The program will destroy the user data equally nicely on Linux as it will on Windows. The only difference is - on Linux the OS itself might survive through privilege protection. But what does it matter? The lost user data is the valuable matter, not the core OS; and this user data is accessible to any program this user runs.
On the contrary - at least FAT based disks allow for a chance of restoration if the virus is dumb enough not to correctly wipe the original data after encryption.. ever tried to undelete/un-unlink anything on Ext2/3/razorfs/whatever?
Of course, would I want to write such a virus for Linux, I'd have to be concerned about the minimum common denominator in regards to what system/libraries etc I use. This might be the only case where the gross incompatibilities among the hundreds of Linuxes actually is good for something. Not that virus writers wouldn't find a way around that problem, if the target market would be interesting enough..

Doctor JekyllApril 26, 2006 9:07 PM

>>Doesn't that leave a trail? Should >somebody
>> go catch the bad guys?
>
> If the demanded sum is low enough (~$100),
> then is it really worth the effort?

It is if I get to kill a scammer deep in the woods.

Mitch P.April 26, 2006 10:23 PM

If the GpCode.ac work is indeed using 56 bit RSA, maybe this is a case for some practical cryptanalysis. (I'm assuming that 56 bits is the size of the modulous.. or whatever the product of the two primes is called.) Factoring a 56 bit number to recover the decryption key should be easy enough. If this can be packaged up nicely, then it can be distributed to all those who have fallen victim, so they can recover the data.

-- Mitch

Dan LewisApril 27, 2006 12:38 AM

Wikipedia has it that when DES came out, 56 bits was "thought to be sufficient". So there is some historical significance to the number.

In 1996-1998, RSA Security set up four challenges to crack 56-bit DES. The winners took the following lengths of time to crack: 96 days, 41 days, 56 hours, and 22 hours 15 minutes.

I don't know how many seconds it takes to brute-force 56-bit RSA, but I fear the day criminals wise up and really do some damage.

Mitch P.April 27, 2006 1:19 AM

@Dan Lewis

I recognized the 56-bit length as being the same as a DES key (actually, in the original spec, the key length is 64 bits, but 8 of them are "checksum" bits that aren't used in the algorithm, and no standard is specified as to how they're used to verify the key.)

But it's a mistake to equate symmetric and asymmetric keys of the same length. While most good symmetric ciphers require on the order of 2^(N-1) brute force guesses for an N-bit key (DES is a less secure algorithm, because of quirks in the algorithm, a simplistic attack can be mounted in 2^54 or 2^(N-2), but a more sophisticated differential attack can break the cipher more quickly.

However to break an N-bit asymmetric RSA key, you need only calculate the euler totient function for the modulus. This can be shown to be computationally equivilent to calculaing the prime factorization of the modulus, which a trivial attack can get in 2^(N/2) tries, and a more sophisticated algorithm (like a multiple polynomial quadratic residue sieve)will recover the factorization in far less time, though still an exponential in some function of n. I think an average desktop machine should be able to do it in a few minutes to a few hours at most.

-- Mitch

Bruce SchneierApril 27, 2006 3:32 AM

"I don't know how many seconds it takes to brute-force 56-bit RSA, but I fear the day criminals wise up and really do some damage."

I don't know either. My guess is a few milliseconds, but I could be off either way by a several orders of magnitude.

Don't confuse symmetric cryptography -- DES, AES, Blowfish -- with public-key cryptography: RSA, Diffie-Hellman. The key length requirements for the two types of cryptography have nothing to do with each other.

I don't think anyone seriously proposes RSA with less than a 1024-bit key anymore, and lots of people use 2048-bit keys. And AES is more than secure enough with a 128-bit key.

Apples. Oranges.

Bruce SchneierApril 27, 2006 3:41 AM

"Actually, I'd say it's more that they don't *need* to create something stronger. As long as they can make money with a simple program like gpcode, then there's no need to do anything more sophisticated."

Exactly. This is a primary difference between a hacker threat and a criminal threat. In the hacker world, style counts. New ideas, new tricks, new techniques -- these are all prized. In the criminal world, all that matters is success. There is no reason for a criminal to innovate any more than he has to succeed. There are lots of reasons for a hacker to.

Bruce SchneierApril 27, 2006 3:42 AM

"You're joking, right? Does persecution of criminal acts need to be sustainable nowadays?"

This has always been true. Low-value crimes just don't get the same police attention as high-value crimes. I don't think this is a bad thing; resources are limited and we have to prioritize somehow.

Thomas SprinkmeierApril 27, 2006 4:03 AM

@Woo
"""Oh, the funny Linux advocats arise again.. with the same wrong assumptions as ever ;)"""

You rightly point out that nuking the user data can be almost as annoying to the user as nuking the entire box.

But you're assuming it's a single-user, single-OS box.

My box (and I suspect a growing number of other boxes out there) is multi-user multi-boot. Malware running as superuser can not only nuke all the user data, it can do it for all the OS's installed. Much nastier than wiping out one user's data on one OS.

AlexApril 27, 2006 8:08 AM

Criminal threats differ from hacker threats in that quantity counts. Much better 1,000 x$100 thefts from the slow & tasty sheep than one beautiful effort to rob the tiger, when you might get eaten into the bargain.

If Osama bin Laden had been a criminal threat, he would have blackmailed/extorted 2,700 people over a period of years and probably no-one would have known his name.

Clive RobinsonApril 27, 2006 8:26 AM

Would help if I remember to put my name in the box...

For the above Cryptovirology links

Clive RobinsonApril 27, 2006 8:49 AM

Aside from the "My OS is Better than yor OS" arguments.

You need to think about what malware can do to your machine,

1, Remove Data.
2, Modify Data.
3, Add Data.

Each of thes offers an oportunity for crime, the first being the obvious stealing of confidential information for either sale to a competitor or for the purposes of blackmail.

The second is mainly what this blog entry has been about so far.

However the third is a little more worrying, effectivly you get fitted up, be it with a selected Payload, say pornograhy or somebody elses confidential data.

The criminal can then either blackmail you or inform on you, either way not nice you end up with a significant problem.

As an example, imagine the malware eitehr makes a "hidden" directory on your machine or it uses your browser cache area to start downloading the Payload (say Porn from sites unrelated to the criminal) a bit at a time, but only when it sees you using the keyboard.

If after a while the malware deletes it's self and cleans up, you then have the interesting situation of having your machine with undesirable material on it and not being able to say how it got there.

Even a forensic examination is very very likley to point the finger at you. Kiss good by to your job etc especially if the Payload content is it's self illegal, in which case you may end up kissing something all together worse...

Now imagine if you will I being the criminal sell this as a service to those wishing to get promotion by removing the opossition how much do you think I could charge....

Crack meApril 27, 2006 8:56 AM

> If you're so confident in your machine's security, what's your IP address? :)

127.0.0.1, try me!

alienApril 27, 2006 9:45 AM

> You're joking, right? Does persecution of
> criminal acts need to be sustainable nowadays?

Of course. Law enforcement around the world tends to have very limited funding, and they cannot afford to chase $100 crimes when there are $100,000 crimes vying for attention. The scale of the crime is a motivational barrier, if you will, or a factor that much play a role in investigators triaging which cases need attention immediately.

It sucks, but thats the real world for ya.

AnonymousApril 27, 2006 10:23 AM

@Woo
"When I send someone a mail with 'Run me, I'm funny' and a binary attached, he will run it."

He would have to chmod it first. He can't simply doubleclick on it like in Windows and Mac (?)

1915bondApril 27, 2006 11:05 AM

@Clive

Plausibly spooky. In reverse, maybe some group could use such discovery techniques to out real criminals (read creeps with illegal pR0n). A public "wall of shame" site would be a nice touch.

EvanApril 27, 2006 2:20 PM

@Clive,

Hey thanks. Several papers in the link I gave were Young & Yung, but the research section on cryptovirology.com has some much more recent stuff.

Ever since I read their 1996 paper I've been hoping people wouldn't figure out that they could use the MS Crypto API.

With regard to 56-bit RSA, I just remembered something. Back in high school, they taught RSA in the 4th-year Core Plus program. You weren't supposed to write a program to do it, so it's possible someone just thought 56-bits was more than enough, since, as Bruce mentioned, it's too large to do by hand.

Usually I get pissed when people don't know how to use Google, but sometimes it really works to our advantage...

WooApril 27, 2006 7:21 PM

@Thomas Sprinkmeier: Well, there's a slight difference between you and the average user. Especially if one talks about office PCs, as that's where the real money lies most of the time. The average PC runs one OS (be it Windows or Linux) and has one user (people at most companies have their fixed workplace, and I doubt many families at home have user accounts for each person.). So, the chance is high that most of the valuable user data is actually accessible to user-run programs to destruct.
I'd even say people would be much more pissed off if such a virus hit them on Linux, because "this Linux thing is said to be so secure". They don't factor their own faults into that equation.

@the Anonymous with the chmod argument: if THAT is the only barrier, it's a very weak one. Some of the latest virii came in .zip files and the people could even be convinced to unzip them before running. Not to mention, there is at least one widespread mail client that u+x the files automatically if delivered as mime-type executable/octet-stream (or whatever the name was).

ThomasApril 27, 2006 10:41 PM

@Woo,

I'll be the first to admit I'm not normal^Waverage :-)

In your business scenario though, valuable files _should_ be on a server, so the root-vs-user compromise is still relevant (especially if the malware spreads from the workstation to the server).

Valuable files at an office _should_ be backed up, fewer home systems are. While office files are perhaps more valuable, a home user may be more likely to have no option but to pay up.

averrosApril 27, 2006 11:33 PM

@migueIito:

> In normal societies there organisms called
> law enforcement agencies, which typically
> don't cost the victims anything.

In normal societieties people get education instead of brainwashing and know that law enforecement agencies do cost the victims - a lot. The payments to these agencies are called "taxes". Oh, and they do not protect citizens (if they did, they could've been held liable for failures to do so) - they protect the "social order", i.e. the power of those who are in the power. Incidentally that means suppressing petty crime, so the populace do not get all worked out and demand heads of the rulers, but also means not suppressing the crime too well, so the populace would be more willing to pay up.

wmApril 28, 2006 4:09 AM

One defence (against a subset of possible vulnerabilities) would be to run your web browser as a different user from your normal login -- a user with its own account and no permissions to write to anywhere else. This would stop any attack that came in through the browser from doing anything other than wipe or subvert stuff you'd previously downloaded (assuming no privilege escalation vulnerabilities...).

You could manually copy downloaded files from that account into your own account (logged in as yourself) without needing to trust anything other than the "copy" command, which can't have been subverted without root access.

Running a completely unprivileged browser like this should be trivial under Linux/MacOS X (even while logged in as your normal account in other windows) -- does MS Windows allow you to start up apps with a different owner to the current user?

I guess you'd need to give the browser access to your X server, so it may be able to hose your display, but it shouldn't be able to do any damage that a reboot won't fix.

kurt wismerApril 28, 2006 6:55 AM

"does MS Windows allow you to start up apps with a different owner to the current user?"

well, there is the runas (run as) command...

JungsonnApril 29, 2006 2:16 AM

"If the demanded sum is low enough (~$100), then is it really worth the effort?"

Ha... here comes the law of big numbers, if they infect 60.000 pc's with it * $100 right? and consider this: some people are willing to pay this, if the fee stays low. Its to little money to go to the police and start investigating each case. So it's pretty smart. So if they infect a little over 100.000 pc's, the're basicly done.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..