
Softpanorama Bulletin
Vol 25, No.04 (April, 2013)



Architectural approaches for increasing Windows resistance against malware

Dr. Nikolai Bezroukov

Version 0.95


Copyright 2012-2013, Dr. Nikolai Bezroukov. This is a copyrighted unpublished work. All rights reserved.



Introduction

Strategically, Windows is a very complex system and, as a result of this complexity, a very insecure one with almost zero integrity checking, because security was never a Microsoft development priority. And generally speaking it should not be Microsoft's top priority, as they are in the consumer market, not the Pentagon software development market (although they are now definitely a target of some Pentagon efforts ;-). That consumer nature of Windows is reflected in its architecture, which does not segregate well between "system" components and "application" components (although Authenticode does help a lot).

Windows historically started as a GUI on top of DOS, a single-user OS for an isolated PC. That heritage is strongly reflected in modern Windows architecture, because it structured user expectations even after Windows was completely rewritten as Windows NT. Unlike Unix, which from the beginning was a multiuser system and needed to pay great attention to separating user and application activities from system activities, Windows has no such separation. Typically Windows users are logged in as administrators, and an application can install whatever it wishes on the system with almost zero control. At the same time, modern Windows provides a reasonably comfortable environment in user mode too, and this is used in enterprise deployments of Windows.

The fact that Windows became the dominant consumer OS with over 80% of the market changed the game completely. Any "monoculture" of this magnitude attracts attackers like honey attracts flies. Moreover, Windows is now used far beyond its scope of applicability (for example in computers which control industrial processes -- SCADA devices). Also, despite being in essence a consumer OS, Windows is now widely used by governments, which theoretically should use something like Trusted Solaris. And recently we face government-sponsored attempts to write information-stealing Trojans for Windows, as if regular cyber criminals were not enough (see, for example, the description of Flame).

It goes without saying that for a consumer-oriented OS, enough money and research can produce devilish exploits that will penetrate even a fully patched Windows XP or Windows 7 installation like a knife through butter. And it is naive to think that this situation can be changed. That means that Windows is now, and will be in the foreseeable future, an easy target for determined and well-funded attackers.

A good thing about determined and well-funded attackers is that they are pretty selective in their targets and probably will never try to get into the computer of a regular Joe User. They go after bigger fish. But a bad thing is that the methods they use are now in the open and will be gradually adopted by lower-level cyber criminals, first of all by those who specialize in stealing financial information. That means that regular consumers should now pay special attention to this type of activity and preferably use a special PC for it (which is just a minor inconvenience). An old laptop with a reinstalled minimal Windows installation is a good first platform for doing financial transactions and taxes. This PC should not be used for anything else.

There are several major things that you need to be aware of, based on fundamental architectural weaknesses of Windows:

This problem of "chronic Windows insecurity" became more noticeable in the last couple of years and actually drives people from Windows to Apple. If not all, then most defections of Windows users to Apple are driven by the perception that Windows became "a can of worms". And I think this information should get to Microsoft brass. There is hope that Microsoft will gradually improve Windows, but if they do not take well-publicized and effective measures, the situation can deteriorate for them despite the best efforts of Microsoft engineers. The problem is that many really effective antimalware measures break compatibility and as such are hugely undesirable from other points of view... Others go against the nature of Windows as a consumer system (for example, signing with Authenticode of all executables that can run with root privileges).


I suspect that as of 2012 malware became a strategic threat to Microsoft's dominant position and revenues in the consumer market. Windows insecurity (the inability of Microsoft to stop recurrent infections of user PCs by architectural methods) has now become the selling point of alternative OSes, first of all Apple OS X. The most typical explanation of people who switched to Apple has nothing to do with the interface or slick design. It is "I am tired of fighting malware/viruses in Windows" and "Apple has MS Office, and that is almost all I need; and it does not have viruses". The latter is not true, but even if people just believe that Apple is more secure against viruses than Windows, that will generate migrations. Apple also greatly benefits from "security by obscurity", as it currently represents just 3% of the market or so.

Gradual erosion of Windows' position is also happening due to the growing share of Android device sales, which with a stylus represent a more viable alternative to the PC than before (see, for example, the Samsung Galaxy Note 10.1 with S-pen as a typical representative of this class of tablets). Currently Android's position in the tablet market, unlike the desktop, is weak, but that might change, as version 4.2 represents a more competitive platform for tablets than previous versions of Android. Microsoft's attempt to capture part of the tablet market, while admirable, distracts its attention from security problems. The forte of Windows 8 is its touch interface, which gives it the opportunity to compete neck and neck with the iPad and Android tablets, not so much greater security.

Architectural problems of Windows

This is a big and complex topic, and we will just scratch the surface here. The key idea behind writing this section is to show that you just can't secure Windows, no matter what you try. It is insecure by design. First of all I would like to say that Microsoft is a great software development organization that brought to the world such masterpieces of software as MS Word 6 for DOS, Visual C++ 6.0, Excel 2003, FrontPage 2003, and many more, which are used and will be used for many, many years after those versions were discontinued by Microsoft.

Most of Microsoft's strategic goals, until recently, were not well aligned with security. Now the train, unfortunately, has left the station, as the architecture of Windows is by and large fixed, and changing it will break compatibility with products valuable to consumers and also deprive of revenue dozens of security companies, which now control Microsoft in more ways than you can think of (as the Symantec lawsuit has shown). Simply put, finding security exploits in Windows and, especially, protecting users from them became a quite big and extremely profitable business. Using them to exploit PC users also became quite a profitable business, as the revenue of fake antivirus companies can attest. In such a situation any single company, even one as big as Microsoft, will be outnumbered and outgunned and will find itself on the losing side. To a certain extent that was an unavoidable development due to the huge success of the Microsoft OS in the consumer market, where they essentially wiped out all the competition. Monocultures are always attacked more successfully.

Microsoft did demonstrate some courage under fire and managed to change the situation for the better with Windows XP SP3 after a set of network worms and, especially, in Windows 7, where signing of executables was at last (better late than never) extended to the key files. Windows 7 also attempts to mitigate the "universal admin mode" under which Windows is typically used, via UAC. But here, like in other attempts to beef up Windows security, they forgot to test the social engineering side of the equation. One of the questionable benefits of UAC is that it has conditioned people to believe that as long as the screen background is grayed out they can trust whatever is on the screen. As XP Antivirus Pro scareware demonstrated, this is not a reasonable assumption (Anatomy of a malware scam). The latest worms also represent a kick in the chin for Microsoft, and Windows 8 has some additional measures that help protect it better from attacks. But it does not change the whole grim situation with Windows security, where users need to pay a "security tax" just to use their PCs.

But in 2011 and 2012 Microsoft found itself under a barrage of heavy artillery with such monsters as Flame and Duqu. That completely changed the picture again and brought to the forefront the architectural problems of Windows, which are many. Unfortunately, some of the security flaws of Windows are unsolvable within the current compatibility framework.

Problematic Microsoft Decisions in Windows Design

Microsoft made several decisions in Windows design that were very bad for security (should we call them blunders?). They were partially dictated by the desire to make Windows more user friendly. Among those we can mention the following (no attempt was made to create an authoritative list here):

For a long time Microsoft just did not pay any attention to security at all and was primarily concerned with the growth of market share (and then maintaining its dominant position) and compatibility issues. It essentially created and nourished the huge antivirus industry that now sucks a lot of money from consumers (this is a real Microsoft tax).

But truth be told, Microsoft does not exist in a vacuum. And other software development companies are much worse. Some popular applications running under Windows, such as Adobe products, often represent a far greater threat than the Microsoft OS or any of Microsoft's applications. Also, as for applications, I am not sure that flaws in IE design were a less important contributor to the current explosion of Windows malware than Windows OS problems in and by themselves.

Overcomplexity

Microsoft generally can be considered the king of software complexity. It used complexity as a way to weed out competition and created such masterpieces as Excel, FrontPage, Word and several other "all-singing, all-dancing" applications. The fact that they are still able to debug Excel is a testament to Microsoft's unique abilities. But at the OS level this infatuation with overcomplexity comes back and bites them. And recently it bit really hard ;-)

A typical Windows XP installation has over 300 drivers in C:\WINDOWS\system32\drivers\ and more than 2000 files in C:\WINDOWS\system32. The methods for determining from where and when a particular driver or executable came are rudimentary. The methods for determining whether a particular driver or executable belongs to Windows or not are even more so, outside of signed executables.
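Signed executables are the one reliable handle mentioned above, so it is worth seeing how far they get you. The following PowerShell script is an added example (not code from the original article) that inventories the Authenticode status of every driver in the drivers directory and lists those not validly signed by an expected publisher. It assumes Windows 7 or later with PowerShell 2 or later, and the list of expected signers is an assumption to be adjusted for the hardware in the machine.

```powershell
# Added example, not from the original article: inventory the Authenticode status
# of kernel drivers so that a driver not signed by Microsoft (or a hardware partner
# you have added to the list) stands out. Assumes Windows 7+ with PowerShell 2+.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Signers that count as "expected" on this machine. Assumption: extend with your
# hardware vendors (Intel, NVIDIA, ...); anything else is reported for review.
$expectedSigners = @('Microsoft Windows', 'Microsoft Corporation')

$report = Get-ChildItem -Path $driverDir -Filter '*.sys' | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    # Keep only the CN= part of the certificate subject for readability
    $cn = if ($subject -match 'CN=([^,]+)') { $Matches[1] } else { $subject }
    New-Object PSObject -Property @{
        File     = $_.Name
        Status   = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer   = $cn
        Modified = $_.LastWriteTime
        Expected = ($sig.Status -eq 'Valid') -and ($expectedSigners -contains $cn)
    }
}

# Summary by signature status, then the list that deserves a closer look,
# newest modification first (a recently changed driver is the usual suspect)
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { -not $_.Expected } |
    Sort-Object Modified -Descending |
    Format-Table File, Status, Signer, Modified -AutoSize
```

One caveat a practitioner should know: on Windows 7 many inbox drivers carry no embedded signature and are instead signed through catalog (.cat) files, and Get-AuthenticodeSignature of that era reports them as NotSigned, so the NotSigned bucket will be large and mostly benign there; newer Windows versions consult the catalog and the bucket shrinks. Sysinternals sigcheck (sigcheck -u -e over the same directory) does check catalogs and is a good cross-check for anything this script flags.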

Registry

The idea of the registry as a database specialized for configuration settings was a great one. But the implementation did not have a clear architectural blueprint and degenerated into a mess. The key here, in my opinion, is understanding that the registry should be more like a specialized virtual filesystem with timestamps for all elements and protection from unauthorized access on various levels (including using an immutable attribute). To me it is a classic example of "the road to hell is paved with good intentions".

Microsoft wanted to replace the mess that text configuration files represented and in the process created an even bigger mess. The level of architectural thinking in the registry design is so low that now it is impossible to correct it without massive compatibility problems.

Now the Windows registry, with its innumerable ways of launching executables, is a perfect hiding place for malware: an impenetrable maze of hives where you can hide an elephant, not just a single malware executable.
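To make the "maze of hives" a little less impenetrable, here is an added PowerShell example (not from the original article) that walks the most common registry autostart locations, resolves each command line to the executable it launches, and reports whether that file exists and who signed it. The key list is a deliberately short assumption, not an exhaustive catalogue of launch points (Sysinternals Autoruns covers far more); it assumes Windows 7 or later with PowerShell 2 or later.

```powershell
# Added example, not from the original article: inventory Run/RunOnce autostart
# entries and check the executable behind each one. Assumes Windows 7+ with
# PowerShell 2+. The key list is an assumption and is far from complete.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a command line such as
#   "C:\Program Files\Vendor\updater.exe" /silent     or     C:\tool.exe -x
function Get-ExecutableFromCommand([string]$command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(\S+\.exe)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$entries = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSChildName etc. as bookkeeping; skip them
        if ($prop.Name -like 'PS*') { continue }
        $exe    = Get-ExecutableFromCommand $prop.Value
        $status = 'missing'; $signer = ''
        if (Test-Path -LiteralPath $exe) {
            $sig    = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) {
                $signer = ($sig.SignerCertificate.Subject -split ',')[0] -replace '^CN=', ''
            }
        }
        New-Object PSObject -Property @{
            Key = $key; Name = $prop.Name; Executable = $exe
            Status = $status; Signer = $signer
        }
    }
}

$entries | Sort-Object Status | Format-Table Name, Status, Signer, Executable -AutoSize
```

Entries whose executable is "missing" are usually leftovers of uninstalled software, but a NotSigned entry pointing into a Temp or AppData directory is exactly the kind of thing the registry lets hide; compare the list against a known-good snapshot taken right after installation rather than reading it cold.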

Still, a couple of changes in the direction of making it more filesystem-like can make it more secure:

Structure of Windows directories

The structure of Windows system directories is also pretty chaotic. Application programs write their files God knows where. There are at least half a dozen Temp directories, which are not automatically cleaned on shutdown. That prevents designating certain directories as read-only, as is possible in Unix when mounting partitions. But that, of course, cuts the user-friendliness of Windows, as any update of the drive becomes a more complex procedure that requires a reboot into safe mode. By extension, Windows Update would also become limited to safe mode, which, as recent malware has shown, can be a good thing to do.

In view of the tremendous complexity of Windows, there should be a clear, iron distinction between system directories (Microsoft and its trusted partners providing drivers, like Intel and Nvidia) and "application" directories in the filesystem. No Symantec or McAfee junk should ever pollute system directories ;-). That "exile" should also be extended to third-party drivers and DLLs. And it goes without saying that no application program should be able to write to system directories.

Windows has one interesting attribute that can be enhanced -- the so-called system attribute. For example, the system attribute should be used as a lock (maybe with a physical button on the computer case) that allows changing critical files and directories. Once set, nobody should be able to remove it in normal mode, only in safe mode. That change actually can be implemented by a binary patch to Windows and used in secure environments along with other measures. The system attribute can play the role that the "immutable" attribute plays in Unix; it should be automatically assigned to signed executables, and in the Professional edition and higher it should be changeable only in safe mode.

A situation where any malware can install drivers, as is the case in Windows XP, is just very bad architecture. And when IE does not automatically use a "sandbox" for running unsigned ActiveX, that is also very bad architecture.

File attributes

The visibility of attributes of files and folders in Windows without special tools is ridiculously low. That creates massive opportunities for abuse.
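The command line makes those attributes visible with no special tools at all. The script below is an added PowerShell example (not from the original article) that reports the Hidden, System and ReadOnly bits of every file under a directory and then lists executables carrying both Hidden and System inside the user profile, where nothing legitimate should normally hide that way. It assumes Windows 7 or later with PowerShell 2 or later; the choice of the user profile as the search root is an assumption.

```powershell
# Added example, not from the original article: make file attributes visible.
# Explorer hides files carrying the Hidden or System attribute by default, so an
# executable marked Hidden+System in a profile or temp directory is invisible to
# a casual look. Assumes Windows 7+ with PowerShell 2+.

function Get-AttributeReport {
    param([string]$Path)
    # -Force includes Hidden and System files that Get-ChildItem otherwise skips
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $a = $_.Attributes
            New-Object PSObject -Property @{
                Path     = $_.FullName
                Hidden   = (($a -band [IO.FileAttributes]::Hidden)   -ne 0)
                System   = (($a -band [IO.FileAttributes]::System)   -ne 0)
                ReadOnly = (($a -band [IO.FileAttributes]::ReadOnly) -ne 0)
                Modified = $_.LastWriteTime
                IsExe    = ($_.Extension -match '^\.(exe|dll|sys|scr|com|cpl)$')
            }
        }
}

# Assumption: the user's own profile (including AppData and Temp) should not
# contain executables that are both Hidden and System.
$suspects = Get-AttributeReport -Path $env:USERPROFILE |
    Where-Object { $_.IsExe -and $_.Hidden -and $_.System }

$suspects | Sort-Object Modified -Descending |
    Format-Table Modified, Hidden, System, ReadOnly, Path -AutoSize
```

The classic attrib command shows the same information as single letters (R, H, S, A) in front of each file name, and attrib -s -h <file> clears the bits; the script's advantage is that it can be pointed at a whole tree and filtered, which is what turns an invisible attribute into a usable signal.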

Mess with private updaters

Yet another problem is the Windows update process, which each and every software producer implements independently, and that creates a large network of covert channels into your system. Each updater can be malicious and represent a hidden channel via which malware is delivered to the computer. Historically this was already the case with Microsoft Update.

Why can't Microsoft enforce a single update mechanism for all software packages? Why should Adobe, a company that I disrespect and don't trust, have its updater on my system? Why should Symantec have another one? Google, with its history of collecting excessive information about users' browsing behavior, another one (and pretty difficult to remove ;-). Mozilla yet another one. And so on.

And how difficult is it to compromise one of the several dozen updaters installed, some of which are really just dirty hacks?

I think that the update process is the soft underbelly of Windows and as such should be especially protected. Maybe it should be performed in a special mode, distinct from normal operation. The fact that Windows Update is running as a regular process behind the user's back is an architectural weakness that has already been exploited and will be exploited in the future.

One way to "castrate" all this swarm of Windows updaters is to block the target IPs with which they communicate. The best way to do this is to use a private IP space with a proxy. Non-proxied protocols in this case will simply die out, and proxied ones can be tightly controlled. You can also block specific processes from using TCP/IP, which is a simpler
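The per-process variant can be done with the built-in firewall, which supports outbound rules keyed on the program path. The script below is an added PowerShell example (not from the original article) that creates a blocking outbound rule for each updater in a list and then shows the rules it created. It uses netsh, which exists on XP SP2, Vista and 7 (the New-NetFirewallRule cmdlets only appeared in Windows 8), must be run from an elevated prompt, and the updater paths are placeholders that have to be replaced with the binaries actually present on the machine.

```powershell
# Added example, not from the original article: deny a list of third-party
# updater executables network access with per-program outbound firewall rules.
# Uses netsh (XP SP2 / Vista / 7 and later); run from an elevated prompt.
# The paths below are placeholders, an assumption to be replaced with the
# updater binaries actually installed on the machine.

$updaters = @(
    'C:\Program Files (x86)\PLACEHOLDER_VENDOR_A\updater.exe',
    'C:\Program Files\PLACEHOLDER_VENDOR_B\UpdateService.exe'
)

function Block-ProgramOutbound([string]$Program) {
    # Rule names without spaces keep the netsh command line simple
    $name = 'NoUpdate-' + (Split-Path $Program -Leaf)
    # Delete any earlier rule of the same name so re-running the script is idempotent
    netsh advfirewall firewall delete rule name="$name" | Out-Null
    netsh advfirewall firewall add rule name="$name" dir=out action=block `
        program="$Program" enable=yes profile=any | Out-Null
    return $name
}

$created = foreach ($p in $updaters) {
    if (Test-Path -LiteralPath $p) { Block-ProgramOutbound $p }
    else { Write-Warning "not found, skipped: $p" }
}

# Verify: list only the rules this script owns
netsh advfirewall firewall show rule name=all dir=out |
    Select-String -Pattern 'Rule Name:\s+NoUpdate-'
```

Two practical notes: a program rule binds to the path, so an updater that re-launches itself through a helper service (or a different path after its own upgrade) needs its own entry, and an outbound block does not stop a scheduler from launching the binary, it only makes the network call fail, so pair it with the scheduler inventory of the next section. The proxy approach in the text is complementary: it catches everything this per-program list forgets.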

Mess with private schedulers

A similar situation exists with private schedulers. Almost each large software vendor has one and installs it (for the obvious reason of controlling its update process). Backup program vendors like Acronis have one. Antivirus vendors have another one. And so on.
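Vendor schedulers that go through the Windows Task Scheduler rather than their own service can at least be enumerated. This added PowerShell example (not from the original article) queries schtasks in verbose CSV form and keeps the tasks whose action lives outside the Windows directory, which is where vendor updaters and schedulers tend to sit. It uses schtasks.exe, present since XP (the Get-ScheduledTask cmdlet exists only from Windows 8 on), and assumes an English Windows, since the CSV column names are localized.

```powershell
# Added example, not from the original article: list scheduled tasks whose action
# runs something outside the Windows directory. Uses schtasks.exe (XP and later);
# assumes English column headers, which are localized on non-English Windows.

$rows = schtasks /query /fo CSV /v | ConvertFrom-Csv

# In verbose mode schtasks repeats the header line for every task folder;
# those repeats come through ConvertFrom-Csv as rows whose TaskName is "TaskName".
$rows = $rows | Where-Object { $_.TaskName -ne 'TaskName' }

# Actions may be quoted and may use %SystemRoot% or %windir% instead of a literal path
$systemPattern = '^"?(' + [regex]::Escape($env:SystemRoot) + '|%SystemRoot%|%windir%)'

$thirdParty = $rows | Where-Object {
    $_.'Task To Run' -and
    $_.'Task To Run' -ne 'N/A' -and
    $_.'Task To Run' -notmatch $systemPattern
} | Select-Object TaskName, 'Task To Run', 'Run As User', 'Scheduled Task State', 'Next Run Time'

$thirdParty | Sort-Object TaskName -Unique | Format-Table -AutoSize
```

Tasks that run as SYSTEM from a path under Program Files are the vendor updaters and schedulers the text complains about; a task running as SYSTEM from a user-writable location such as AppData or Temp is worth a much closer look. Tasks implemented as COM handlers show no path in the Task To Run column and need to be examined separately.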

Dominant tradition of using Administrative account for regular work

Another negative factor is a strong, dominant tradition of using the administrator account for browsing the Internet and reading email on consumer PCs. Again, Microsoft took some steps to mitigate this "tradition" in Windows 7 (by introducing User Account Control (UAC)), but they are not very successful. This horrible "tradition" is way too strong to overcome, and it makes Windows even more vulnerable than it should be. Web browsers and their plugins run with the user's credentials, and if you are not an administrator, malware has much less "open space" to exploit. But typically only in a corporate environment can you see users who do not have administrator access to the desktop. This policy is enforced centrally and makes Web browsing much more secure.

Dual role of AV and security vendors as useful services providers and as ambulance chasers or worse

Each AV company on the market tries to cover the whole field. And fails miserably. There is no specialization among AV companies. Each of them claims to be the latest and greatest in everything. This is not true. The reality is that many Trojans in the wild are not detected by those companies for six months after the first infection, for a year, or never if the infection scope is local and the company mainly operates on a different territory. They now rely more and more on automatic creation of signatures, and malware authors know that and take countermeasures.

So when choosing an AV product it is important to understand that in a sense you are choosing from junk. It might work against more or less trivial threats. But if the Trojan that infected your PC is complex, you might not be lucky. McAfee, Symantec and Microsoft Security Essentials all list obvious Trojans as healthy files, even if customers sent them samples several months before. Here is one telling example. There are cases of infection that manifest themselves (among other possible scenarios) with four files on the Desktop:

-r-x------+ 1 nnb None 28365 Dec 9 2010 geraam.exe
-r-x------+ 1 nnb None 53121 Dec 9 2010 kiaqas.exe
-r-x------+ 1 nnb None 57217 Dec 9 2010 mssvig.exe
-r-x------+ 1 nnb None 53121 Dec 9 2010 stdlas.exe
Those files (and respectively the PC infection) have been known since September 2012 or even earlier. But if you scan those files with a bunch of commercial antivirus products, none will be able to disinfect them. A couple will warn you about the generic threat that those files represent. But that is about it. Here are the results for the file, obtained 2012-12-02:
Antivirus Result Update
Agnitum Suspicious!SA 20121201
AhnLab-V3 Spyware/Win32.Zbot 20121202
AntiVir TR/Crypt.XPACK.Gen 20121202
Antiy-AVL - 20121202
Avast Win32:Virtu-C 20121202
AVG Win32/Heri 20121202
BitDefender Gen:Variant.Symmi.6097 20121202
ByteHero - 20121130
CAT-QuickHeal - 20121201
ClamAV - 20121202
Commtouch - 20121201
Comodo UnclassifiedMalware 20121202
DrWeb Trojan.Siggen4.22099 20121202
Emsisoft Virus.Win32.Suspic.AMN (A) 20121202
eSafe - 20121202
ESET-NOD32 a variant of Win32/Kryptik.ANIX 20121202
F-Prot - 20121201
F-Secure Gen:Variant.Symmi.6097 20121202
Fortinet W32/Suspic 20121202
GData Gen:Variant.Symmi.6097 20121202
Ikarus Virus.Win32.Heri 20121202
Jiangmin - 20121202
K7AntiVirus Riskware 20121130
Kaspersky Virus.Win32.Suspic.gen 20121202
Kingsoft Win32.AutoInfector.a.(kcloud) 20121119
Malwarebytes Trojan.SpyEyes 20121202
McAfee Generic.dx!bfzg 20121202
McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.J 20121202
Microsoft - 20121202
MicroWorld-eScan Gen:Variant.Symmi.6097 20121202
NANO-Antivirus Trojan.Win32.Siggen4.yjqnv 20121202
Norman W32/Troj_Generic.EJKWZ 20121202
nProtect - 20121202
Panda Trj/OCJ.A 20121202
PCTools - 20121202
Rising - 20121130
Sophos - 20121202
SUPERAntiSpyware - 20121202
Symantec Suspicious.MH690.A 20121202
TheHacker - 20121202
TotalDefense - 20121202
TrendMicro TROJ_SPNR.06JB12 20121202
TrendMicro-HouseCall TROJ_SPNR.06JB12 20121202
VBA32 Malware-Cryptor.General.3 20121130
VIPRE Trojan.Win32.Generic!BT 20121202
ViRobot - 20121202

In reality this is a password-stealing Trojan that belongs to the Win32-Zbot family.

In other words, the insecurity of Windows feeds multiple security companies which often produce useless or harmful products or try to sell marginally useful services. And in the case of fake anti-virus vendors, harmful services bundled with extortion. As Dan Schrader, the chief security analyst at Trend Micro, aptly said: "Anti-virus companies have always been seen as ambulance chasers, and sometimes, it's true..." But the truth is that sometimes they overstep this role. Theoretically those companies should produce services and goods that are of value to PC users. The problem comes with the profit motivation here, because for some of those people there is no such thing as enough. For example:

One wrong click and your PC is unusable situation with Windows

One wrong click and your PC is unusable. Or, if your favorite site was broken into and became a malware distributor, just a visit to this site. And the recent racket performed by worms designed for financial gain is far from the work of amateurs; it is quite sophisticated. If you analyze the July 2012 version of the "Data Recovery" scareware, or the version of another fake called "Security Shield" launched in the second half of 2012, as well as various versions of Win32:Sirefef, a family of malware that controls the infected computer's Internet activities by redirecting requested URLs to different ones, you will feel real anger toward Microsoft and other software vendors (Adobe recently became a favorite target of malware authors with its pathetic Acrobat and insecure Flash, as they provide ready backdoors for those who want to penetrate your computer; it looks like Adobe is patching Acrobat each week).

Microsoft is under pressure with shrinking market share, and they can't switch to total signing of executables, as this will destroy the industry they created (AV vendors), which became powerful enough to control Microsoft's technical direction so that it does not hurt their profits. They tried to tighten the screws in Windows 7, but the security industry fought back (with Symantec suing them -- this company is really the most greedy and nasty of all AV vendors) and won. Like with the financial industry, you, the user, are a lucrative franchise that can be milked by both malware vendors and AV vendors. Squeezed from both sides.

Recently a quite prominent position was achieved by a new type of malware called scareware (which is as close to extortionware as one can get ;-). The main purpose of this scam is financial gain via some sort of implicit threat to the user. It became a real problem for Windows users, but also exists for Apple OS X.

The number of users who paid those extortionists is probably in the millions, so we can talk about hundreds of millions or even a billion dollars of criminal revenue. This is not profit at the level of narcobarons' revenue, but it is not small change either. XP Antivirus 2008 was a remarkably successful fraud scheme that brought its authors around 100 million dollars.

On February 10, 2010 the United States District Court for the District of Maryland entered a default judgment and order for permanent injunction against Jain, Sundin and Innovative Marketing, Inc. that imposed a judgment of more than $163 million. Subsequently, on May 26, 2010, Jain, Sundin and Reno were indicted by a federal grand jury for the United States District Court, Northern District of Illinois for wire fraud, conspiracy to commit computer fraud and computer fraud. The indictment alleges that from December 2006 to October 2008, Jain and Sundin placed false advertisements on the websites of legitimate companies. Currently both Jain and Sundin are fugitives and the FBI is offering a $20,000 reward for information that leads to their arrest.[18]

That means that against new high-volume, fast-spreading exploits written by professional programmers, AV software is always late. As Jesper M. Johansson noted in his 2008 whitepaper Anatomy of a malware scam, devoted to the XP Antivirus 2008 and 2012 scams:

This type of malware is very, very disturbing. One can only wonder how many users have been duped into installing ineffective security software, and what happened to their private information and credit card data when they paid for it. The presence of such software, and the overall very high quality of the ruse it presents, is frightening. More than likely, thousands of people have been fooled. In fact, this type of deception has been around for several years now, and it would not still be here if it did not work well.

This should serve as a dire warning to all: be extremely careful what you trust, and question everything that looks even remotely suspicious. For example, no website can run an anti-malware scan on your computer simply by your visiting the site. Any site that purports to do so is almost certainly run by criminal gangs.

Using PCs for committing financial crimes, including the creation of armies of zombie computers that are remotely controlled by the "master" of a particular zombie network and used for spamming and other purposes, makes the elimination of malware really difficult, as it is now created not by malevolent amateurs but by highly paid professionals who deeply analyze the internals of Windows. That limits the usefulness of security companies like McAfee, Kaspersky, etc., as their opponents now work at the same or a higher level of technological sophistication than they do. Other approaches are needed. At the same time, to abandon Windows based on its insecurity is an overreaction. Linux is probably more secure as installed, but the relative absence of high-profile exploits is mainly connected to the fact that on the desktop it is a niche OS. Android might change that, and there is already a mess with Android security... Also, in a way, if you can access Facebook from a device you do not need malware. You already have it ;-)

Another type of malware is called Remote Access Trojans (RATs). Malware belonging to this category can be part of any other type of malware, but most often it is found together with data-stealing Trojans.

Facing this new generation of cyber-criminals, even former IT security professionals like myself feel insecure and start viewing their own PC as a snooping device that is constantly on. You start feeling like the main hero of The Conversation (1974), the famous film by Frank Coppola. This is how I feel about the PC :-).


Social sites are another problem. Some of them, like Facebook, are essentially private-information-collecting agencies masquerading as social sites. Facebook and other services are collecting so much information on their users that (as the famous Onion spoof suggests) they actually outdid the three-letter agencies. In any case, you can say goodbye to privacy. It is the privacy of a crowded street with video cameras every ten yards. Not all people can close their Facebook accounts, as for many (not me) they represent an essential service, a new reincarnation of AOL. Even if you don't have a Facebook account, Facebook can collect (based on your IP) the list of sites that you visited if the site has a "Like" button.

That means that there is a need to create a special architecture to make our PCs more secure. Architectural approaches to increasing security are the most promising because they fundamentally change the environment in which malware operates. And the law of evolution is that the more specialized an organism is and the more adapted to the current environment it becomes, the more disruptive even small changes in the environment are to it. This is perfectly true of malware, which is highly specialized software that makes several implicit assumptions about the way the PC operates.

Architectural methods of increasing Windows malware protection level

While the fundamental weaknesses of Windows as a consumer system make infections inevitable, there are steps that increase the level of Windows "malware resistance" and cut the time and effort for returning the system to normal (listed in order of increasing complexity). Some useful methods of working with Windows that really increase security are difficult to acquire, and I failed and returned to my good old ways multiple times. Please remember that something like Flame can be installed on your computer any time you visit an unknown web site or open an email with attachments, and there is no way to prevent it even if you have all the AV in the world installed on your PC with the most recent signatures and other bells and whistles. That should also serve as a motivation, as nobody wants to be a hapless victim. To fight invaders is a basic human instinct. And we should defend our territory and make the life of cyber criminals more difficult to the extent we can without unduly harming our own productivity.

Adopt dual (Tandem) computer mode

Currently computers are so cheap that using two to increase security is a no-brainer. One computer should be dedicated to "sensitive transactions and information", such as tax forms and access to your financial records. The other should be used for everything else. They can share a file system via a network-attached drive. Never use the same computer for browsing the Web and reading email and for working with confidential information, such as preparation of your tax forms and bank and investment sites. Use "tandem computing", with one "disposable" computer used for browsing and webmail.

That means running your applications on a "trusted computer" and the Web browser and email on the second computer (which can be either virtual -- easy to implement on Windows 7 Pro -- or "real") with the "disposable" image.

No matter whether you implement the "disposable computer" using a real computer or a virtual image, you should never store any confidential documents on it or access your financial and other important sites from it. The second, "sensitive information", computer should generally have the minimal number of applications necessary for work installed and should be shut down when you are not using it. With towers, you can put the "disposable" computer on your left side and your "trusted" computer on the right side and label them "Secure" and "For Web browsing". Then you need to learn the discipline of using each for particular tasks. The first step is to delete non-relevant bookmarks from each computer.

You can access the "disposable" computer from the trusted one using Windows Remote Desktop, but not vice versa. Those who know Linux well can also use a Linux machine (in this case you can use VNC), which provides a higher level of protection because Linux is much less popular than Windows and is rarely targeted by malware authors. As such it is safer for Web browsing. When you enable Remote Desktop, by default anyone who belongs to the local Administrators group on the machine can log on to it remotely using Remote Desktop Connection. The same arrangement can be used at your workplace, for example
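The "trusted to disposable, never the other way" rule has to be enforced on the disposable machine itself, because by default every local administrator may connect. This added PowerShell example (not from the original article) enables Remote Desktop on the disposable computer, grants it to one dedicated non-administrator account, and replaces the built-in Remote Desktop firewall rule with one that accepts connections only from the trusted computer's address. It assumes Windows 7 Professional or later, an elevated prompt, and that the address and account name are placeholders; the account must already exist and must not be a member of Administrators.

```powershell
# Added example, not from the original article: restrict Remote Desktop on the
# "disposable" computer to one dedicated account and one source address.
# Assumes Windows 7 Pro+ and an elevated prompt. Both values below are
# placeholders (assumptions) to be replaced with your own.

$trustedPc  = '192.0.2.10'     # placeholder: fixed LAN address of the trusted computer
$rdpAccount = 'rdp-browse'     # placeholder: existing non-administrator local account

# 1. Allow Remote Desktop connections (0 = allow) and require Network Level
#    Authentication so credentials are checked before a session is built.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# 2. Members of "Remote Desktop Users" can log on remotely without being admins.
#    Administrators always can, which is why the account used here must not be one.
net localgroup "Remote Desktop Users" $rdpAccount /add | Out-Null

# 3. Disable the stock Remote Desktop rule group (open to any source) and add a
#    single inbound rule scoped to the trusted computer. Re-runnable: the old
#    scoped rule is deleted before it is re-created.
$ruleName = 'RDP-from-trusted-PC-only'
netsh advfirewall firewall set rule group="remote desktop" new enable=no | Out-Null
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$trustedPc profile=any | Out-Null

# 4. Show the resulting state for a quick visual check
Get-ItemProperty -Path $ts -Name fDenyTSConnections | Select-Object fDenyTSConnections
net localgroup "Remote Desktop Users"
netsh advfirewall firewall show rule name="$ruleName"
```

On the trusted computer the complementary step is the opposite one: leave Remote Desktop disabled (fDenyTSConnections = 1, the default) and keep the "Remote Desktop" firewall group disabled, so that nothing on the disposable side can ever initiate a session toward the machine that holds the sensitive data. With a Linux disposable machine and VNC the same idea applies: bind the VNC server to the trusted computer's address only.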

With current prices, an additional new desktop sets you back $300 (a Dell Inspiron 660s is $299 with an Intel G465 CPU and 2 GB of memory: adequate for browsing and watching video). And a used one is just $150. Actually $150 is just a three-year subscription to an AV package such as McAfee or Symantec that provides only illusory protection, while the second PC provides you real protection from malware with less hassle. Again, you can connect to it using Windows Remote Desktop. One advantage of the setup with two identical laptops that I discovered is that you have an extra battery and can take it on a long airplane trip. For example, a Dell E6320 lasts approximately 5 hours on one battery, which is not enough for flights from the USA to Europe, but two batteries accommodate a 9-hour flight just fine. And for laptops an additional battery is usually quite expensive and can cost as much as $130.

On a laptop a virtual machine can be used, and Windows 7 Pro is perfect for that. One trick that helps is to set IE security to High in the administrative account of your "fortress" laptop. That generally makes browsing intolerable enough to push you to switch to another account to see the sites ;-).

You can "specialize" the Windows installation on your "insecure" computer by using the methods developed for protecting public computers. In XP and Vista you can use Windows Disk Protection (which requires freeing some space on the hard drive by shrinking the C partition) or some similar approach ("Install and forget" in Acronis). You can also emulate this mode on Windows 7. In this case changes made during the session are discarded on reboot, which provides excellent protection against persistent malware, protection unachievable with traditional AV tools. Note what it does not do: anything you type or store during the session itself is still exposed; the guarantee is only that the machine starts clean next time.

But there is a better and simpler way to protect the "insecure" half of the tandem: just use a virtual machine on the second computer. A lot of dangerous malware detects the presence of a VM and simply refuses to run, suspecting that it has landed in an AV lab environment, which is exactly the behaviour we want. Do not count on this alone, though (the note below puts it at one sample in six); the primary benefit of the VM remains the ability to roll back to a clean snapshot. Here is a pretty telling note by a user with the nickname pbust, made on February 22, 2012 in Wilders Security Forums:

Approximately 1 out of every 6 malware samples we receive every day in 3rd level PandaLabs (called "critical malware" = most dangerous) is VM-aware and will either not run or run differently in a VM or sandbox environment. There are also readily available tools to runtime-pack or crypt malware with detection of VM, Norman sandbox, Anubis, CWSandbox, etc.

Windows 7 Professional and Ultimate allow running a second Windows instance (so-called Windows XP Mode), which can be used for this purpose even on a single laptop, giving you a more secure environment within a single portable computer. With a virtual image it is easy to discard all changes made to the Windows configuration: you just overwrite the image with a backup. Windows XP Mode is highly integrated with Windows 7, offering seamless operation (MICROSOFT VIRTUALISATION TEAM, 2009). That allows laptop users to benefit from the "dual computer" configuration and get strong protection from spyware, as the browser and email client run in a separate, disposable Windows XP SP3 instance (virtual image). Keep in mind that the integration features (shared clipboard, drives and printers) are exactly the channels through which a compromised guest can reach the host, so turn off the ones you do not need, and that Windows XP SP3 stopped receiving security updates in April 2014, which makes reverting to a clean image after every session all the more important. The additional Windows XP SP3 installation is a free download for Windows 7 Professional, Enterprise and Ultimate owners.

Another important advantage of Windows XP Mode is that it can be implemented on a single laptop, so you enjoy "tandem computing" in a completely portable way. With a real second computer this mode can be enhanced with a separate third-party firewall (for example, a custom Linux box).

See also Managing Remote Desktop and Windows Disk Protection for more information.

Never re-use passwords on different sites

Take special measures so that compromise of your account on one site, for example LinkedIn or Gmail, does not cascade into compromise of your more important accounts. Remove the opportunity to exploit your other accounts, especially financial ones, with a password stolen from a social site by individualizing passwords with, say, two letters that reflect the site. For example, you can use am.camry.le12 for your Amazon account and eb.camry.le12 for your eBay account. Or a.camry.le12.n and e.camry.le12.y. The weakness of such a visible tag is that anyone who sees one of these passwords can guess the pattern for the others, so at least place and choose the tag in a way that is not obvious. Don't worry too much about all this buzz about weak passwords. Passwords should be easily memorizable first, as the number of attempts to break them by brute force is very limited in most circumstances (online guessing is throttled; the picture changes only when a site's password database leaks and can be attacked offline). There are also other, more sophisticated ways to implement this idea. Have a master list of all your passwords and keep it in handwritten paper form in a safe, or on an SD card inserted in one of your old, disconnected phones that can read SD cards (an old BlackBerry phone is perfect for this purpose).
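One of the "more sophisticated ways" mentioned above is to stop pasting the site tag into the password and instead feed it into a keyed hash of a single memorable master phrase. The script below is an added example written for this page, not the author's own scheme: the function names (normalize_site, derive_site_password), the PBKDF2 salt string and the 100,000-iteration count are this example's own choices. A leaked eBay password then reveals nothing about the Amazon one, because the tag is mixed in through HMAC rather than visible in the result, while the user still memorizes only one phrase.

```python
import hashlib
import hmac
import string
import unicodedata

# Added example for this page; normalize_site/derive_site_password and the salt
# below are this example's own names and constants, not from the original article.

ALPHABET = string.ascii_letters + string.digits   # letters and digits only: accepted everywhere
SYMBOLS = "!@#$%&*?"                              # one of these is appended for "complexity" rules


def normalize_site(site: str) -> str:
    """Reduce a site label to its bare host so that 'https://WWW.Amazon.com/gp'
    and 'amazon.com' derive the same password."""
    s = unicodedata.normalize("NFKC", site).strip().lower()
    for prefix in ("https://", "http://", "www."):
        if s.startswith(prefix):
            s = s[len(prefix):]
    return s.split("/", 1)[0]


def derive_site_password(master: str, site: str, counter: int = 1, length: int = 16) -> str:
    """Deterministically derive a per-site password from one memorable master phrase.

    The site tag enters a keyed hash instead of being pasted into the password, so
    seeing one site's password tells an attacker nothing about the others.
    `counter` rotates a single site's password without changing the master."""
    if not 4 <= length <= 34:
        raise ValueError("length must be between 4 and 34")
    # Stretch the master phrase once so that an attacker who obtains a derived
    # password cannot cheaply brute-force the master offline.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              b"softpanorama-site-pw-v1", 100_000)   # assumed salt label
    label = f"{normalize_site(site)}#{counter}".encode("utf-8")
    digest = hmac.new(key, label, hashlib.sha256).digest()
    # Map digest bytes to letters/digits (the small modulo bias is irrelevant at this
    # length), then append one digit and one symbol so typical site rules are satisfied.
    body = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[: length - 2])
    return body + str(digest[-1] % 10) + SYMBOLS[digest[-2] % len(SYMBOLS)]


if __name__ == "__main__":
    master = "camry le12"   # constructed master phrase for the demonstration only
    for site in ("amazon.com", "https://www.eBay.com/signin"):
        print(f"{normalize_site(site):12s} {derive_site_password(master, site)}")
```

Because the derivation is deterministic, the "master list" the author recommends shrinks to the master phrase plus the counter for any site whose password you had to rotate; everything else can be recomputed. The trade-off is that losing the master phrase loses every derived password at once, so the paper copy in the safe is still needed.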

Use your backups strategically to enhance your security

Backups can be used strategically, not just as backups but also as a powerful security technology. See Softpanorama Spyware removal strategy for a detailed explanation of the ideas behind this strategy and the steps needed to adapt it to malware defense.

The key idea here is that a good disk-imaging ("ghosting") program is worth a dozen anti-spyware and anti-virus tools. That does not mean they are useless. Microsoft Security Essentials (renamed Windows Defender in Windows 8) is a good free AV tool that is well integrated with Windows and well tested for compatibility, so ignoring it is unwise.

But even for a company with huge resources like Microsoft it is very difficult to cleanly uninstall sophisticated malware that was designed with one or several mechanisms for recreating itself if some part survives the cleanup. Also, the malware that infected your computer is just one of hundreds of instances for Microsoft and is mostly processed automatically to create signatures, so this approach has obvious limitations for sophisticated spyware that checks the environment in which it operates.

But by restoring an image you can defeat even the most sophisticated spyware. The only precaution is that you should keep multiple (for example daily) backups, as the point of infection can be quite remote in time from the point of detection. It also makes sense to perform a full backup of drive C before installing any new program. A Windows 7 64-bit system partition is around 60 GB (without user data); a Windows XP system partition is typically 50 GB or less (if user data are stored on a different partition). Backing up such a partition takes less than an hour, a minuscule amount of time compared with the time usually spent restoring a Windows system after an infection (two or three days are common). You can do it daily or weekly, but in any case this way you always have several previous versions that may not be infected. A full C-partition backup also provides a baseline that lets you understand what changes an installation made to your system. Add a registry snapshot (less than 200 MB) and you are well equipped to resist even the most sophisticated malware. Unlike an AV program, which depends on the recency and quality of its database, this approach works without needing to understand what the malware is about: it simply returns you to the status quo. The one class of malware it does not cover is anything living outside the partition, such as an MBR bootkit or a firmware implant; restoring a whole-disk image (MBR included) rather than only the C partition closes the first of those gaps.

Adopt a separate user data partition setup

Splitting the "system" hard drive into a smaller C (System) partition (say 80-120 GB) that contains just the OS files and a larger Data partition with user data is very simple to accomplish in Windows 7; see Adopt a "separate user data partition" setup: dual partition Windows configuration.

Windows 7 can shrink the system partition on the fly, so freeing space in the typical "whole hard drive is the C partition" configuration is just a click away. This step shrinks the "system" partition, which in turn makes restoring the OS from backup much easier (as user data live on a separate partition) and makes your personal data more secure and more easily recoverable. On desktops, instead of shrinking the system partition and creating a new one for data, it is easy to install a second hard drive. This approach is also possible on laptops with a replaceable media bay, for example Dell Latitude laptops: you can simply replace the DVD drive with a second hard drive and use a USB DVD drive when needed.

This setup also makes the Softpanorama Spyware removal strategy easier to use, as the amount of data you need to back up on the C partition is much smaller than when the whole hard drive is one huge C partition.

Limit use of the administrative account to a minimum and use separate accounts for key tasks

Cyber criminals are generally conditioned to "single account" PCs, and even if they obtain admin privileges by exploiting some Windows hole they generally limit their information-gathering to the compromised account (keylogging is a different matter, as it works across all accounts). Be clear that this is obscurity rather than a real barrier: an attacker with admin rights can read every profile on the machine, so the separation only helps against malware that does not bother to look.

For example, create an account, say taxi, for doing your taxes: log in to it and install Intuit or TaxCut only for it. That makes your financial information more secure, especially if, after submitting your taxes, you make an encrypted archive of the data directory and delete the actual files. Taxes and other once-a-year reports can be neatly separated by using different accounts, which also helps you organize your files.

Differentiate the security of accounts by setting IE security for the Internet zone to High on those accounts that matter.

Note that sharing applications between accounts is more difficult. For example, Cygwin has difficulties if you use it simultaneously from an Administrator account and from a regular user account, as directories created while logged in as Administrator are not writable from a regular account.

But even if you do not go to extremes, modest separation of your activities between different accounts does help. Switching to a different account is actually quick, less than 10 seconds, so it is not prohibitive in time or effort. But it requires discipline that is difficult to acquire for users who never used Unix and got used to a "single account" environment to such an extent that "single account usage" is almost synonymous with Windows. BTW, Windows 7 provides much better protection from malware for regular user accounts than for the administrator account (or any account with admin privileges).

Windows 8 takes more steps toward converting Windows into a more secure "appliance for browsing the Web, emailing and shopping", so it might be better for entry-level users than Windows 7. Not so for advanced users, as it tries to hide all command-line-related Windows capabilities, and that really hurts.

Using a non-privileged account is very important for Google searches: according to Blue Coat Security Lab, users are four times as likely to be infected by compromised search results as by spam emails. The only alternative to switching to a "surfer" account is to use the High security setting for the Internet zone and the regular Medium setting for the Trusted zone (you need to replicate your favorites in the Trusted zone and keep them in sync). But that mangles many Web sites that depend on JavaScript.

Unfortunately, the dominant culture of Windows usage is to use the all-powerful admin account for everything. Only some large enterprises limit their users to proper "less powerful" accounts, as they can afford to administer PCs with dedicated staff and are more interested in unification and security of corporate data than in user productivity. This recommendation is typically ignored by users, but it requires very little discipline, as most users do not install anything often.

Never store important data in folders belonging to the home directory tree of the account you use to browse the Web. If confidential data are not in use, pack them with an archiver using password protection. Create self-extracting archives so that if your archiver becomes incompatible with an old backup format you still have access to the data. Most modern archivers such as RAR, 7-Zip and WinZip can encrypt archives with a user-supplied password; make sure the archiver uses AES (7-Zip and WinZip offer AES-256, while the legacy ZipCrypto scheme is weak) and, in 7-Zip, enable file-name encryption as well so the archive listing is not readable. You do not need a complex password for this, but you need to save it in paper form so that it is never lost. This is a simple and reasonably reliable way to protect your financial data.

Always use a different account for tax preparation and bank access than for browsing and reading email. Encrypt your financial data with Zip, 7-Zip or a similar archiver, so that the unencrypted state is limited to the periods when you are actually working with them. There is no sense in giving up financial data such as IRS returns that are typically stored on the same computer and in the same account you use for browsing the Web. That is plain negligence: why would you want to hand all that data to the first jerk who manages to install malware on your computer?

Practice a "separation of duties" policy. When browsing unknown sites, run IE only under a regular user account that cannot write to the machine-wide parts of the registry (HKLM) or to Program Files (use the "switch user" option; it is really fast). Never do "leisure" browsing from an account with admin privileges. Create yet another account and use it only for financial transactions, never for browsing the Web. Starting with Windows Vista, Microsoft introduced User Account Control (UAC), which, when enabled, lets users run with least privilege even in an administrator account: the full admin token is used only after an explicit consent prompt. This limits the possibility of attacks by malware and other threats that require administrative privileges to run.

You can configure UAC on your computer to meet your preferences:

For your "secure" accounts make IE less malware-friendly by setting the High security level for the Internet zone

IE's sandbox (Protected Mode, which runs tab processes at low integrity, and Enhanced Protected Mode in IE 10) is weaker than Chrome's, but IE 10 is generally a secure browser. So malware authors attack you mainly via plug-ins and applications such as Adobe Reader (fake PDF files) or Flash (fake Flash files). Ideally the whole browser should run in a disposable VM. Also, IE as the dominant browser is attacked more often. But you can still make IE 9 and 10 (but not IE 8, which should never be used; on XP please use Chrome or Firefox) less malware-friendly. The problem with this recommendation is that it is easier said than done.

Anyway, there are three steps that can be implemented to make your Web browser less of a "gateway for malware":

Again, a much better way to secure the browser is to run it in a VM, as is possible with Windows 7 Professional and above using the Windows XP Mode box, or (for desktops) on a separate "disposable" computer that is re-imaged each night.

Keep a set of "trusted" images and periodically (in the extreme case, at each reboot) re-image your computer from the trusted image

This method is often used in university labs and has proved quite efficient for malware protection. It is an especially effective defense against RATs (remote access Trojans), which convert your PC into a remotely controlled zombie. Despite all the security programs you have installed, RATs can exist on your computer for months if not years. That means that if you store confidential information on your computer it is vital to re-image it when you start some important or confidential activity. In the modern world, doing something confidential on a "dirty" image is neither confidential nor prudent.

On most PCs the set of installed applications nowadays is quite static, and this makes creating a so-called "trusted image" much simpler. If you update your trusted image in parallel with the main computer, you can restore it when you are infected or need to perform some highly secure activity like filing your annual tax return (it goes without saying that your tax return should be copied from the hard drive to USB drives and a backup CD-ROM; do not leave highly confidential data like your tax return on your primary computer). You can also use a separate computer for highly confidential activities. Many households have such computers collecting dust in the closet. Re-image it once a year (for tax preparation) or each time you need to do something that needs additional security. Do not use it for Internet browsing.

You can use the "brute force" approach and restore the image using a Ghost-like program (for example Acronis True Image) or a Linux live CD and Partimage. If your laptop has an SSD this method is pretty fast, with a restore taking less than 20 minutes. In this case the "window of opportunity" for malware is the period between re-imagings of the computer. Moreover, as the image is static, you are better equipped to scan the registry, the system folders and the Users folder for new executables that entered the system.

This method is suitable mainly for advanced Windows users and IT professionals.

Using a Web proxy

This is a typical method used in enterprise environments for protecting users, but it is relatively easy to implement at home too. If you use a second physical computer running Linux for the browser, this is a natural thing to do and a very worthwhile enhancement. The key advantage is that all your Web transactions are logged and can be analyzed to see who is telegraphing information from your computer; you will be surprised how many vendors do that. If you have a box with a Web proxy (real or virtual) you can point your Web browsers at it, and your ability to block sites by various criteria is then extended by the capabilities of the proxy. That permits blocking snoopy sites such as Facebook, which has polluted a tremendous number of sites with its "Like" button, and the copycats of this idea from Google. For a home office and small firms Squid is a free and very good Web proxy that I highly recommend. For larger firms appliances like Blue Coat are typically used. This method protects you from many threats as well as from the excessive attention of Facebook and other information-collecting monsters. It also moves the definition of "trusted sites" to the proxy level. In a corporate environment it also hides which internal host made a request, as all requests come from a single IP address. Note that for HTTPS the proxy sees only the host name in the CONNECT request, not the URL or the content, unless you also set up TLS interception. This method requires some Linux qualification and the desire to learn Squid or another Web proxy's configuration.
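The two things the paragraph above asks of the proxy, telling you who is telegraphing data out and blocking snoopy domains, can be checked directly against Squid's access.log. The script below is an added example for this page, not Squid's own tooling or the author's: it parses Squid's default ("native") log format, tallies per client and destination how many requests were uploads (POST/PUT) or opaque CONNECT tunnels, and applies a dstdomain-style block list using Squid's rule that a leading dot matches the domain and all its subdomains. The log lines, IP addresses and host names in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Added example for this page. Function names and the sample log below are this
# example's own constructions, not from the original article or from Squid.

# Squid native access.log format:
# timestamp elapsed client result/status bytes method url ident hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)/(?P<status>\d+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)"
    r"\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample: one browsing client and one that only fetched a cached image.
SAMPLE_LOG = """\
1363372800.123    245 192.168.1.10 TCP_MISS/200 4523 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1363372801.456     87 192.168.1.10 TCP_MISS/200 612 GET http://static.ak.facebook.com/connect/like.js - DIRECT/203.0.113.5 application/x-javascript
1363372802.001      0 192.168.1.10 TCP_DENIED/403 3612 GET http://www.facebook.com/plugins/like.php?href=example - HIER_NONE/- text/html
1363372803.789    900 192.168.1.10 TCP_MISS/200 211 POST http://telemetry.vendor-example.com/v1/upload - DIRECT/198.51.100.7 application/json
1363372804.222   1200 192.168.1.10 TCP_TUNNEL/200 8200 CONNECT updates.vendor-example.com:443 - DIRECT/198.51.100.8 -
1363372805.500     12 192.168.1.11 TCP_HIT/200 1040 GET http://www.example.com/logo.png - NONE/- image/png
"""


def parse_line(line):
    """Return the fields of one native-format line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec


def host_of(method, url):
    """CONNECT requests log 'host:port' rather than a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def matches_dstdomain(host, pattern):
    """Squid 'dstdomain' semantics: '.facebook.com' matches facebook.com and every
    subdomain; a pattern without a leading dot matches exactly."""
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def summarize(lines, blocked_patterns=()):
    """Per (client, host): request count, uploads, tunnels, denials, bytes returned,
    and whether the block list would catch it."""
    stats = defaultdict(lambda: {"requests": 0, "posts": 0, "tunnels": 0,
                                 "denied": 0, "bytes": 0, "would_block": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["method"], rec["url"])
        s = stats[(rec["client"], host)]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["method"] in ("POST", "PUT"):
            s["posts"] += 1                      # data leaving the client
        if rec["method"] == "CONNECT":
            s["tunnels"] += 1                    # opaque TLS: proxy sees only the host
        if rec["result"].endswith("DENIED") or rec["status"] == 403:
            s["denied"] += 1
        s["would_block"] = any(matches_dstdomain(host, p) for p in blocked_patterns)
    return dict(stats)


def suspicious_destinations(stats):
    """Destinations that received uploads or tunnels: where data actually went out."""
    return sorted(key for key, s in stats.items() if s["posts"] or s["tunnels"])


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines(), blocked_patterns=[".facebook.com"])
    for (client, host), s in sorted(stats.items()):
        flag = "BLOCK" if s["would_block"] else ""
        print(f"{client:14s} {host:32s} req={s['requests']} up={s['posts']} "
              f"tun={s['tunnels']} denied={s['denied']} {flag}")
    print("data left to:", suspicious_destinations(stats))
```

In the constructed sample the static.ak.facebook.com fetch got through (TCP_MISS/200) while the later like.php request was denied; would_block marks the first one as something the ".facebook.com" rule covers, which is how you confirm a new ACL before adding it to squid.conf. The CONNECT row shows the HTTPS limit mentioned above: the log records the host and the byte count, nothing more.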

Using "on the fly" integrity checking and/or baseline checking of the registry and critical directories

With current laptops with 4 GB of memory, SSD drives and 3 GHz dual-core CPUs, and even more powerful desktops, scanning the hard drive does not consume many resources, and if it is artificially throttled it is not even noticeable. The simplest way is to run a periodic scan, say once an hour, and compare critical directories and critical parts of the registry with a baseline. This method detects critical configuration changes within a certain amount of time after they occur, although not "on the fly". As such it is a valuable method of protecting yourself from data-stealing Trojans, a dangerous class of malware created with the criminal intent to defraud you of your assets. Two conditions make it trustworthy: the baseline and the scanner itself must live somewhere the malware cannot rewrite (read-only media or another machine), and a scan run from inside a possibly infected OS can be fooled by a rootkit, so the decisive check is done offline from a live CD or from the reference computer. This method requires a higher level of qualification than a regular user has, so it is mostly suitable for advanced users and corporate environments. It also requires quite a bit of discipline in maintaining the baseline and in installing/upgrading applications and the OS on your reference computer first (which can be the same computer with a swapped hard drive) before installing them on your main workhorse computer.

Installation of new applications and OS upgrades should first be done on a reference computer on which there is no user activity. An individual user can create such a reference computer by buying a second hard drive identical to the one installed in the desktop/laptop for the system image and swapping it in each time software needs to be installed. Without a maintained reference image it is difficult to spot an infection of your primary computer. In addition, the existence of a reference image simplifies verifying that nobody ran anything beyond what is installed on the computer. This is the way images are created in corporate environments. Usually this method requires support personnel who are at least part-time responsible for maintaining the reference image, and it is difficult for an individual user to implement. But it is the only method that lets you protect yourself from a compromise introduced by an insider with physical access to the computer, for example a corporate spy who tries to install some programs on your computer. Modern PCs also let you set a boot password, making booting your computer without credentials much more difficult, and some laptops can use smart cards for boot authentication (Dell Latitude is one example). A boot password does nothing against someone who removes the drive and reads it elsewhere; only full-disk encryption (BitLocker on Windows 7 Ultimate/Enterprise) covers that case.
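The periodic baseline comparison described above, and the "what did anybody run or install beyond the reference image" question of the last paragraph, come down to the same tool: record size and SHA-256 of every file of interest under a few roots, store that record somewhere the machine cannot alter, and later diff it. The script below is an added example written for this page, not the author's tool: the function names, the default list of executable suffixes and the JSON baseline layout are this example's own choices. Run the first pass on the reference image (or right after re-imaging), keep the JSON on read-only media, and run later passes hourly or from a live CD; the registry half is covered by exporting the autostart keys with reg export into a directory that is scanned with suffixes=None.

```python
import hashlib
import json
import sys
from pathlib import Path

# Added example for this page. Function names, the suffix list and the JSON layout are
# this example's own assumptions, not from the original article.

# File types a newly planted component is most likely to use; pass suffixes=None to hash everything.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx",
                       ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(roots, suffixes=EXECUTABLE_SUFFIXES):
    """Map 'root|relative path' -> {size, sha256} for files under each root.
    Keying by root lets one baseline cover several trees (System32, Users, ...)."""
    result = {}
    for root in roots:
        root = Path(root)
        for p in sorted(root.rglob("*")):
            if not p.is_file():
                continue
            if suffixes is not None and p.suffix.lower() not in suffixes:
                continue
            try:
                result[f"{root}|{p.relative_to(root).as_posix()}"] = {
                    "size": p.stat().st_size, "sha256": sha256_of(p)}
            except OSError:
                continue   # locked or unreadable (pagefile, hiberfil): skip, do not abort the scan
    return result


def compare(baseline, current):
    """The three kinds of change that matter: planted, deleted, and patched-in-place files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current)
                      if baseline[k]["sha256"] != current[k]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed self-check: build a tiny tree, take a baseline, then patch, delete and plant files."""
    import tempfile
    root = Path(tempfile.mkdtemp(prefix="baseline-demo-"))
    (root / "a.exe").write_bytes(b"MZ original")
    (root / "b.dll").write_bytes(b"MZ library")
    (root / "notes.txt").write_text("not an executable: ignored by the default filter")
    base = snapshot([root])
    (root / "a.exe").write_bytes(b"MZ patched")      # modified in place
    (root / "b.dll").unlink()                        # removed
    (root / "c.sys").write_bytes(b"MZ new driver")   # planted
    diff = compare(base, snapshot([root]))
    return {kind: [k.split("|", 1)[1] for k in keys] for kind, keys in diff.items()}


if __name__ == "__main__":
    # Usage: baseline.py BASELINE.json ROOT [ROOT ...]
    # First run records the baseline; later runs report what changed since then.
    if len(sys.argv) < 3:
        print(demo())
        sys.exit(0)
    baseline_file, roots = sys.argv[1], sys.argv[2:]
    current = snapshot(roots)
    if not Path(baseline_file).exists():
        save_baseline(current, baseline_file)
        print(f"baseline of {len(current)} files written to {baseline_file}")
    else:
        for kind, names in compare(load_baseline(baseline_file), current).items():
            for name in names:
                print(f"{kind:9s} {name}")
```

A "modified" entry on a file the reference image has not changed, or an "added" executable under a user profile, is exactly the signal the paragraph above is after; the absence of any entry between two passes taken with the machine offline is what lets you say the image is still the trusted one.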

Firewalling your network and controlling traffic to the Internet

This lets you log every rejected connection and so provides "on the fly" information about which components of the PC are trying to communicate with the outside world without your permission and outside your control. It only works if the firewall's default policy for outbound traffic is deny, with explicit allows for the few services you actually use; with the usual "allow all outbound" default there is nothing to log. Typically this setup requires a high level of qualification and is support-intensive, so it is limited to large corporate environments. Although I saw them in some computer enthusiasts' home networks.

Using your own caching DNS server

Running your own caching DNS server that resolves only the names you explicitly allow (rather than forwarding every query to your ISP) stops many attacks cold, because after infection the malware is unable to find its way back to the "mothership". It can still do damage, such as deleting or modifying information on the computer, and it does nothing against malware that uses hard-coded IP addresses; the firewall must also block direct outbound DNS (port 53) from the clients, or the malware simply asks another resolver. Several major corporations use this approach to protect their internal networks (not just the DMZ but the whole internal network). This is a major undertaking and requires good knowledge of DNS and analysis of typical activity on the computer.

Conclusions

There are two general recommendations:

The steps described above can be foiled by a determined attacker, but they do increase the "malware resistance" of Windows and decrease the time it takes to return a Windows setup to normal after an infection, without investing in expensive tools or hardware. The methods presented should not be applied indiscriminately; select those that best suit your needs. You will be better off if you create your own "protection set" depending on the specifics of your situation. For example, people who know Linux well can put more emphasis on using Linux for Web browsing and media consumption. It is also easier to implement the networking components of malware defense, such as a caching DNS server and a Web proxy (Squid), on Linux.

I hope that this flexible approach will be useful for those who want to follow a "semi-independent" path of securing their own Windows installation and not be completely dependent on security companies.



Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: October, 11, 2015