A story about spyware

Slashdot | The 12-minute Windows Heist: "I run a company that provides contract support and administration for small- to medium-sized businesses. We also do some work in the residential sector, but it's not our focus.

In order to test the malware-busting skills of new employees, I would routinely infect a test machine with adware and spyware. I had two methods, based on the two most common scenarios we've encountered:

1. Bored employee surfing pr0n and online casino sites or downloading free screensavers.
2. Teenaged child using P2P apps or browsing sites that offer song lyrics or buddy icons for IM apps.

I would use a stopwatch and time myself, stopping at 15 minutes. For Case 1, I'd search Google for 'casino' or 'sex' and hit those sites. For Case 2, I'd search for 'lyrics' or 'buddy icons' and hit the top ten or fifteen sites listed.

At no time did I ever click 'yes' when prompted to install software. The point was to attract the 'drive-by' malware, the ones that didn't put an entry in 'Add/Remove Programs', the ones that were the hardest to remove (e.g., randomly named polymorphs, malware that sees if one tries to terminate the process or remove a registry key and re-installs, malware that prevents anti-spyware programs from running, etc.).

In fifteen minutes, I can infect an XP box with between 400 and 600 objects (by AdAware's count). That's the result of hitting between 10 and 15 sites. Often, that's enough to inflate the number of running processes from 30 or so to about 60. Pop-ups appear even if IE isn't explicitly running. Case 1 infections often leave the computer in an unusable state, and by unusable state I mean 'tits and ass all over your screen'.

I give a prospective employee two hours to disinfect the computer, though I do cut major slack if it takes longer but they've got the right attitude and methodology. If hired, I show them how to get this down to under an hour (AdAware, Spybot, UBCD, manual cleaning, etc.).

Malware removal is about 30% of our billable hours. Since our contracts with our clients call for a certain amount of hours of service and maintenance each quarter, bug hunting is a distraction from the real work of administration: keeping up to date with patches and software updates, implementing our infrastructure upgrade roadmap, and software support and training. In other words, nearly a third of the time we spend doing productive work for our clients is spent whacking malware that targets Windows PCs.

Finally, we do try to come to terms with the fact that sometimes this is a human resources problem and not a technological problem. In Case 1, Employee X should not be surfing pr0n or playing Texas Hold-em on the job. As contractors, we try to block certain sites at the firewall, though that's a game of whack-a-mole, and we encourage all workstations to have monitors that face a common area (knowing someone can randomly shoulder-surf you is a big deterrent). Case 2, the residential case, is more problematic, since the sites that install drive-by malware are pretty innocent (lyrics, IM buddy icons). Permissions/ACLs would help, but there are so many applications that need admin rights to run that it's a joke. I've steered a few residential customers towards Apple Mac Minis and iMacs and have had no complaints after the fact.

Bottom line: it's a fucking jungle out there."


Anonimiškas sakė…
Tinklaraščio administratorius pašalino šį komentarą.

Populiarūs šio tinklaraščio įrašai