Microsoft sees huge success combatting "autorun" malware

Discussion in 'Apple, Inc and Tech Industry' started by neiltc13, Jun 18, 2011.

  1. neiltc13 macrumors 68040

    neiltc13

    Joined:
    May 27, 2006
    #1
    (MSRT = Malicious Software Removal Tool)

    http://blogs.technet.com/b/mmpc/archive/2011/06/14/autorun-abusing-malware-where-are-they-now.aspx

    http://www.engadget.com/2011/06/18/microsoft-to-malware-your-autorunning-days-on-windows-are-numbe/

    ----

    Looks like they stubbed out one of the main ways things like this can spread. I haven't had a problem with malware or viruses at all on Windows 7.
     
  2. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #2
    Autorun is abused to provide an easy vector to execute malicious code without having to initially exploit a vulnerable process in memory.

    All the malware vectors related to autorun were eliminated except in relation to USB, which looks to be finally fixed.

    Unfortunately, most malware, such as browser exploits, achieves code execution by exploiting processes in memory as opposed to abusing autorun.

    This fix will not impact malware that does not propagate via USB.
     
  3. roadbloc macrumors G3

    roadbloc

    Joined:
    Aug 24, 2009
    Location:
    UK
    #3
    That is very impressive. Grats to Microsoft, they've done a great job here.
     
  4. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #4
    I read that article and was quite impressed myself.

    I think MS has turned the corner on malware and is starting to have a fully robust OS that has few vulnerabilities.
     
  5. Peteman100 macrumors 6502

    Joined:
    Apr 28, 2011
    Location:
    Berkeley, CA
    #5
    I think we can all agree that less malware is better for everyone.
     
  6. munkery, Jun 19, 2011
    Last edited: Jun 19, 2011

    munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #6
    In reality, Autorun ceased to be a big issue with the release of Windows versions that use UAC, although it still affected Windows XP, which does dominate in market share.

    Prior to UAC, Autorun allowed the installation of malware to the system level in the typical Windows XP setup without requiring user interaction (other than inserting USB in this case) or exploitation of a process in memory.

    Discretionary access controls implemented with UAC prevent system level access via autorun. Of course, autorun could have been used prior to this fix to deliver a payload that achieved privilege escalation to the system level. But, those payloads can also be delivered via other vectors, such as browser exploits.

    This achievement in the battle of MS against malware is not very newsworthy.
     
  7. neiltc13 thread starter macrumors 68040

    neiltc13

    Joined:
    May 27, 2006
    #7
    It is newsworthy because it provides real figures that show that even a small change can make a huge difference.
     
  8. PlaceofDis macrumors Core

    Joined:
    Jan 6, 2004
    #8
    Agreed, and good work on Microsoft's part. Any, and every, step in combating malware is a positive one.

    Let's hope that we can one day get to the point where we don't have to worry about malware on our computers.
     
  9. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #9
    The graphs are biased in that the data presented only shows a small subset of the types of infections that target Windows systems, to make it appear like MS has made a big impact on malware infecting the platform. This is not a "huge difference" in terms of the bigger picture.

    This type of malware would never have been such a big issue if MS had used a better default implementation of discretionary access controls in Windows XP in the first place.

    So, are we really going to give MS props for fixing an issue that could have been mostly prevented prior to the release of Windows XP?
     
  10. KingCrimson macrumors 65816

    Joined:
    Mar 12, 2011
    #10
    Is OS X immune to all malware?
     
  11. PlaceofDis macrumors Core

    Joined:
    Jan 6, 2004
    #11
    Hindsight is 20/20. They finally worked out a way to fix one way that malware has spread, while keeping the functionality that they wanted. As far as I can tell, at least. No one, and nothing, is perfect.
     
  12. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #12
    No OS will be immune to all malware.

    Malware that the user actively installs via an installer will never be eliminated from any OS.

    Malware that exploits processes in memory will exist as long as methods exist to bypass security mitigations that prevent this type of exploitation.

    Malware that can be prevented with a better default implementation of DAC shouldn't occur in the first place. It's not like knowledge of how to do so was not available at the time Windows XP was released.

    Wow, it only took 10 years!
     
  13. *LTD*, Jun 19, 2011
    Last edited: Jun 19, 2011

    *LTD* macrumors G4

    *LTD*

    Joined:
    Feb 5, 2009
    Location:
    Canada
    #13
    OS X is immune to every single instance of Windows viruses and Windows malware in existence.

    There is currently no way to remotely infect (a destructive, spreading virus) even a vanilla OS X installation. This has been the case for OS X's entire existence, and has always been the case for xNIX systems.

    All we have for OS X that has been in the wild is around 2-3 trojans since 2001. That's it. Apparently we get a new one every two years or so. OS X isn't really immune to those specifically.
     
  14. roadbloc macrumors G3

    roadbloc

    Joined:
    Aug 24, 2009
    Location:
    UK
    #14
    You do realise that the first virus was for UNIX? :rolleyes:
     
  15. Jagardn macrumors 6502a

    Joined:
    Apr 18, 2011
    #15
    Although true, Microsoft is just learning how to avoid it now. :rolleyes:
     
  16. Rodimus Prime macrumors G4

    Rodimus Prime

    Joined:
    Oct 9, 2006
    #16
    Just like Windows is immune to every single instance of OS X malware, and we do not need to go back any farther than Mac Defender to prove OS X is not immune to malware. Also, you do not get one every 2 years. It's just that every few years a new one makes the news and spreads really fast in the wild. Most malware, just like the Windows malware, has very few installs and never really makes the news. Mac Defender just spread pretty far and wide.

    Technically speaking, what is being spread by this Autorun is a trojan if you want to go by definitions, and on Vista and Windows 7 it required you, the user, clicking yes to it installing.
     
  17. *LTD* macrumors G4

    *LTD*

    Joined:
    Feb 5, 2009
    Location:
    Canada
    #17
    It was a proof-of-concept.
     
  18. SandynJosh macrumors 68000

    Joined:
    Oct 26, 2006
    #18
    My thoughts exactly!

    MS wanted to have the same plug-and-play functionality that MacOS has enjoyed for a long time; they just did some serious foot dragging in figuring out how to get there.
     
  19. roadbloc macrumors G3

    roadbloc

    Joined:
    Aug 24, 2009
    Location:
    UK
    #19
    And that changes anything how? And what about the rest? There have been more UNIX strains. Why do you think there is a 'virscan' command in IBM's AIX?
     
  20. *LTD* macrumors G4

    *LTD*

    Joined:
    Feb 5, 2009
    Location:
    Canada
    #20
    Same reason there's antivirus software for Macs.
     
  21. KingCrimson macrumors 65816

    Joined:
    Mar 12, 2011
    #21
    So basically what you're saying is if you click "NO" you'll never get a trojan on Windows 7?
     
  22. Rodimus Prime macrumors G4

    Rodimus Prime

    Joined:
    Oct 9, 2006
    #22
    Yep. That is exactly what I am saying. Windows 7 account controls force you to say yes or no. Admins get just a yes or no question. Non-admins get a box that says enter admin user name and password.
     
  23. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #23
    Admin accounts in Windows 7 should still be password protected for two reasons:

    1) The API in Windows 7 that encrypts user data related to protected storage incorporates the user's password into the encryption key to strengthen the encryption. If no password is set, then the encryption algorithms applied to the user account are not as strong.

    2) UAC authentication can be stolen via spoofed windows in admin accounts where a unique identifier (the user account password) is not required for successful UAC authentication. UAC prompts that do not ask for a password are less secure due to the potential to be spoofed.

    Also, UAC itself, regardless of whether a password is required, has not shown itself to be very robust. UAC bypass vulnerabilities are common.

    Within the list of public and unpatched zero-days linked below, there is an example of a "win32k.sys" vulnerability that could potentially be exploited to bypass UAC. It has been known for 318 days and counting.

    http://www.vupen.com/english/zerodays/

    Below is a guide to help turn that vulnerability into an exploit.

    http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/

    This following link shows all the "win32k.sys" vulnerabilities that have been found so far in just this year.

    http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+2011
     
  24. Rodimus Prime macrumors G4

    Rodimus Prime

    Joined:
    Oct 9, 2006
    #24

    I believe admin accounts in Windows 7 require a password (not 100% sure, as my account always has a password).
    It's just that you do not have to enter a password if you are logged in as an admin.
    Now, on my computer my admin accounts have always had a password and I always have 2 admin accounts: one that I use and one that is called zBackup. It is exactly that, an admin account created but never used. It is there just in case I do something stupid and screw up my settings on my primary.
     
  25. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #25
    The admin accounts in Windows 7 do not require a password by default, and having the admin account in Windows 7 password-protected at login only solves issue #1 but not issue #2.

    UAC must require password authentication to prevent issue #2.

    No account type prevents against UAC being bypassed via exploitation.
     
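A defender-side check of the two settings this thread argues about, written as an added example (it is not from the thread or from Microsoft): it reads the Autorun policy bitmask and the UAC elevation-prompt policy and reports whether removable-drive Autorun is disabled and whether elevation demands an admin password, which is what post #25 says UAC must do. The registry paths and value names are the standard Windows policy keys; the script assumes Windows 7 or later and is best run from an elevated PowerShell session.

```powershell
# Added example, not part of the original thread: audit Autorun and UAC prompt policy.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the built-in default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# --- Autorun policy --------------------------------------------------------------
# NoDriveTypeAutoRun is a bitmask of drive types for which Autorun is disabled.
# 0xFF (255) disables Autorun for every drive type, including removable (USB) drives.
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun  = Get-PolicyValue $explorer 'NoDriveTypeAutoRun'
$usbBit   = 0x04   # DRIVE_REMOVABLE bit of the mask
if ($null -eq $autorun) {
    Write-Output 'NoDriveTypeAutoRun        : not set (built-in default applies)'
} else {
    $usbOff = (($autorun -band $usbBit) -ne 0)
    Write-Output ('NoDriveTypeAutoRun        : 0x{0:X2}  removable-drive Autorun disabled: {1}' -f $autorun, $usbOff)
}

# --- UAC elevation prompt for administrators -------------------------------------
$system  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua     = Get-PolicyValue $system 'EnableLUA'
$consent = Get-PolicyValue $system 'ConsentPromptBehaviorAdmin'
$secure  = Get-PolicyValue $system 'PromptOnSecureDesktop'

# Meanings of ConsentPromptBehaviorAdmin, from the security policy
# "User Account Control: Behavior of the elevation prompt for administrators".
$meaning = @{
    0 = 'Elevate without prompting (UAC effectively off for admins)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}
Write-Output ('EnableLUA                 : {0}' -f $lua)
Write-Output ('ConsentPromptBehaviorAdmin: {0}  {1}' -f $consent, $meaning[[int]$consent])
Write-Output ('PromptOnSecureDesktop     : {0}' -f $secure)

# Only the two "credentials" modes (1 and 3) make an admin type a password, which is
# the mitigation for spoofed consent windows described in the thread. A consent-only
# prompt (2, 4, 5) can be accepted with a single click and asks for nothing unique.
$needsPassword = @(1, 3) -contains [int]$consent
Write-Output ('Elevation requires password: {0}' -f $needsPassword)
if (-not $needsPassword) {
    Write-Output 'Hardening: set ConsentPromptBehaviorAdmin to 1 (credentials on secure desktop).'
}
```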
