Well, as I rebooted, scanned, repaired, etc. my venerable Dell 8100, I had some time to reflect on some of the especially nasty methods these things use to stay alive, and the part that I played in our infection.
One method these nasties use is to add entries in your HOSTS file. Now HOSTS is one of the various means your computer uses to translate human-readable internet addresses (like say, www.theonion.com) into machine-understandable numbers ("ip addresses") like 66.216.104.235:80. This is just a text file, and on an XP system, it lives at c:\windows\system32\drivers\etc\hosts.
So if a nasty wants to prevent you from say, being able to get to the Windows update website, or the Norton Antivirus site, it can just add a simple line of text like this to your hosts file:
127.0.0.1 www.windowsupdate.com
(or whatever the proper host name is for windows update). That ip address--127.0.0.1 is a special one--it means "this computer right here that I'm sitting at--the local host." (So if you're ever out and you see a pasty looking guy with a t-shirt that says "there's no place like 127.0.0.1", the joke is that that ip address is for 'home'. Ha ha--now you're in on the joke.)
Anyway, that address is pretty much always reachable, but unless you happen to be running a web server on your machine, which will answer to the various URLs that start with www.windowsupdate.com, you'll never get anything but a 'page not found' error when you try to surf to anything starting with 'www.windowsupdate.com'. Ingenious! Nasty!
[Incidentally, you can also make your own good use of this file, by adding entries for known scummy domains, by pointing them to 127.0.0.1. Here's a good hosts file, maintained by one of Microsoft's MVPs. You see way fewer ads while browsing too. Recommended.]
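As an added illustration (not code from the original post), here is a small audit script that parses a hosts file the way the resolver reads it and flags the hijack described above: a security-update or antivirus domain pinned to loopback. The sample file contents and the list of protected domain suffixes are constructed for the example.

```python
import ipaddress

# Constructed sample of a hosts file (not a real capture): normal entries,
# a legitimate ad-blocking entry, and a planted hijack of the update site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.windowsupdate.com   # planted by malware
0.0.0.0         ads.example-tracker.test
192.168.1.10    fileserver.local
"""

# Assumed list of services that must never be redirected to a dead address.
PROTECTED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com", "symantec.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are skipped,
    and one line may map several names to the same address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_sinkhole(ip):
    """True if the address sends traffic nowhere useful: loopback or 0.0.0.0."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """Hostnames of protected services that are pinned to a sinkhole address."""
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or not is_sinkhole(ip):
            continue
        if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(find_hijacks(SAMPLE_HOSTS))
```

On a real XP box you would feed it the contents of c:\windows\system32\drivers\etc\hosts instead of the sample string; the deliberate ad-blocking entry is left alone because it matches no protected suffix.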
One other thing these scummy programs do is masquerade as protected windows operating system files. Windows has a very nice feature that prevents users from shooting themselves in the foot called Windows File Protection. This prevents users (and software installs) from removing or altering certain especially crucial operating system files. Unless the user (or software install) jumps through some hoops. The way it works is that the file delete, or overwrite appears to work, but then quick-like-a-bunny, behind the scenes, windows takes a shiny fresh version of the file from a hidden cache of pristine system files, and puts the file back the way it was.
This is a very nice thing for users (and software installs) that don't know what they're doing. It makes it just about impossible to hose a machine by monkeying with OS files. (Ask me about the time I hosed I think it was 4 laptops with my VB6 FTP client install... Oy. Bad Roy.). But spyware knows how to jump through the hoops & get their versions of these protected files onto your computer. And naturally, they don't just replace the one that's actually operating, they replace the one in the hidden cache of (formerly) pristine system files. So now windows file protection works for them, not for you. You can scan, detect the infection, and 'delete' the file (ha ha!) and then WFP comes in and helpfully 'corrects' this mistake you have made. Oy oy oy.
Sooooo... What do these two nasty methods have in common? Well, in order for them to work, they have to be run by someone with Administrator privileges on the machine. Administrators are Lord, God, King of the system--they can do pretty much any dang thing they want on the box.
And since windows evolved in an environment where there was only ever one person using a PC at a time, and that person had to be physically present in front of the machine, could put their hands on it & smash it to 1,000 pieces if they really wanted to, the windows world is still sort of getting the hang of the idea that not everybody should have Ultimate Supreme Grand Pooh-Bah access to the machine at all times. Specifically, software written for windows will frequently just assume that every user has admin privileges. This is a huge blind spot for developers (myself included) since they normally run with administrator privileges.
So, I think to myself--this is what I did to contribute to our infection. Both Laurel and I were running w/admin privs. This was the thing I could change that would ensure (or close to it) that we will never be infected again. And so I have downgraded both of our accounts (although I am still in the 'Debugger Users' group, which I suppose I should throw off, as I'm not really doing any development on this machine).
And so we are. And for the most part, things are going well. The one exception is the software that came with our Kodak EasyShare camera. This thing gives us a warning when we startup about how it will only work for a user with Admin privileges. And it looks like this is true--we can open the software and use it, but unless we log in interactively as a user w/admin privs (so 'Run as' does not work, alas!) the computer does not recognize when the camera is attached, and will not download new pictures. Damnation.
I even put this question to the Kodak support staff:
After getting hit by spyware I do not wish to run routinely with Administrator rights. How can I use the easyshare software with 'regular user' privileges? Thanks! -Roy

To which they helpfully replied:

We can guarantee the full functionality of the Kodak Easyshare Software only under administrator's privileges and we can only give support under these privileges.

Bastards.