Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: Malware and the Web - we need a NEW Approach

17 Nov 2009   #1

Linux CENTOS 7 / various Windows OS'es and servers
Malware and the Web - we need a NEW Approach

Hi all
just a suggestion -- Dinesh won't like this I know as he's so busy testing current AV / security systems - but I think this is the way forward with computer security.

I think we can all basically agree that the REAL problem these days is MALWARE.

Classical viruses whilst a nuisance are relatively easily dealt with and are treated in general via AV software that does a REACTIVE scan -- i.e your computer is scanned at some point in time AFTER a virus has entered your system.

These days for reasonably intelligent users we can rule out viruses being installed by people downloading "questionable software / music etc". If you get a virus from a download then you probably need to tighten up your download strategies. - If you knowingly download "dubious stuff" then it's your own fault anyway.

Malevolent software these days is installed and run almost excusively via MALWARE which classical AV software is (as far as ordinary home users are concerned) powerless to prevent in PROACTIVE mode (that is detection at the time it happens - not via a scan afterwards).

The major threat is in the so called DRIVE BY infections -- this is where you visit a site - could be a quite legal site which has been hijacked without the site owners knowing.

The site executes a rogue script in your browser which - can run anything on your computer at at least the authorisation level that the user running the browser user has - for example it can explore and upload data from your disks quite legitimately -- how would any AV software detect that for example unless you have some real time monitoring of your disks -- this adds a lot of overhead to the OS.

It can pass you to another site and even download porno on to a remote users hard drive without the user knowing -- a court case recently nearly ended up with someone nearly going to jail because of questionable material being discovered on his computer - in spite of the fact he hadn't knowingly downloaded any of it.

Remember at this point in time the script has already been executed, done its business and GONE - so AV software would never be aware of anything untoward taking place on the users computer.

It's totally not feasable to prevent script execution in a browser -- Most of the Internet sites wouldn't work at all.

So we need some way of controlling what scripts actually run in a browser and if necessary AV software should be able to check these functions online without slowing the machine down to debug levels.

A start would be in the BROWSER DESIGN itself. For example if link to a new URL is wanted this should only be done via say the browser calling a Windows API function on the HOST machine to examine the url and then allow or or deny the request. (Rogue IP addresses could be stored in a data area on the Host machine).

Similarly any I/O function - in particular data UPLOAD could also be done via an API call rather than in the browser script.

I'm not an expert in the internals of IE or Firefox but I started doing a little messing about with running some scripts and its amazing what can be done even with a tiny bit of knowledge. You can run almost anything on a remote machine from a browser without the remote machine being aware of anything -- and I'm not even an expert in the whole idea of web programming at all. (Great when you've got a LAN for testing this stuff).

Those sites that offer to fix your registry or look for drivers by checking your machine --- NEVER EVER EVER run these type of apps ONLINE as if any of these sites get hijacked you've just thrown away the keys of the kingdom.

This shows actually how easy it is for a remote site to execute something on your computer - although in these cases the sites are open about what they are doing and usually make you install a small application.

So I'd suggest (it probably won't happen until Windows 8 or later) that the whole scripting part of a browser is re-written so it works ONLY by proper documented interfaces using genuine API calls which can be protected.

The whole idea of "plugins" is also a joke and a loophole again for "nasties". If for example I need to read a PDF document why shouldn't the browser just use an API to start acrobat reader (or your pdf applicatiuon) just like the double click in windows explorer. It shouldn't need a "plug in". A simple Windows API is all that's needed.

OK it might have to start a new window for the pdf document but with multiple / large monitors and decent memory sizes these days what's the problem.

Restricting browser code to basically just calling registered API's would at a single stroke eliminate 99% of current malware.

The biggest threat to your computer is actually via sites that scan your disks looking for data such as bank passwords etc etc rather than in simply infecting them with viruses.

If you must use current AV software then at least choose one that logs ALL sites visited whether you actually see them whilst browsing or not and then rigorously check the logs later.

So until browser code is re-written here's a call to AV software companies -- If you want to stay in business forget about making bigger and bigger databases of known windows .dll's / .exe's and comparing them against typical current viruses but - try and get a handle on the REAL problem -- Browser scripting and Drive by malware with REALTIME (Pro-active) protection.

REACTIVE SCANNING (i.e "After the fact") is totally 100% USELESS in these situations.

Places like the NATO site in Brussels are aware of this and no production systems are connected in any way AT all to the public internet -- even the cabling etc is separate.

To get stuff from a test / dev environment to a QA system and then PROD is a mega hassle -- stuff is first copied on to specially authorized devices which are then scanned by military strength software. Finally after written authorisation and a "Data Quality" review the data can be uploaded to the target machine - but this is done by security personnel sitting at the local machine -- no network is used.


My System SpecsSystem Spec
17 Nov 2009   #2

Windows® 8 Pro (64-bit)

Hi Jimbo, nice post and I agree with what you say. some AV like nod32 and kis 2010 have web scanner to protect users from scripts. Its not 100% effective but atleast they make an effort to stop bad scripts.
My System SpecsSystem Spec
17 Nov 2009   #3

Linux CENTOS 7 / various Windows OS'es and servers

Hi Dinesh

If you have influence with these companies - try and get them to start working on these lines.

I was horrified when I started messing around with scripts to see how easy it was to do all manner of things on remote machines -- and I'm only a beginner in Scripting -- although I do have a bit of experience in OS design -- remember IBB OS /360 / 370 systems -- still a blueprint for OS design.

My System SpecsSystem Spec

17 Nov 2009   #4

Windows 7 Ultimate x64 SP1

Avast Pro has a script blocking module. And if you use a browser like Firefox, the add on No Script is good. I don't think I'd call it a joke.
My System SpecsSystem Spec
17 Nov 2009   #5
Uber Philf

W7 RTM Ultimate x64

Thats some great reading material, really got to me.

I'm not sure, but i think AVG also has a web scanner, i haven't used it in a while (using MSE) but yeah.

I keep an eye on what i visit, and avoid nasty sites.

Thanks for the info Jimbo.
My System SpecsSystem Spec
17 Nov 2009   #6

Windows® 8 Pro (64-bit)

Yeah the NoScript Add-on is a great tiny utility as mentioned by Aaron. I use Noscript & adblock plus with FF.
My System SpecsSystem Spec
17 Nov 2009   #7


Quote   Quote: Originally Posted by jimbo45 View Post
If you get a virus from a download then you probably need to tighten up your download strategies. - If you knowingly download "dubious stuff" then it's your own fault anyway...
What a short-sighted point of view, because when one person is infected that same nasty can spread to other computers they interact with - so the 'hapless user' that's duped into being served a worm or other virals or malware... well, it doesn't take a genius to realise they're not going to be the only user affected!

Everyone who interacts with the same 'hapless user' is equally at risk, so are you saying that it's then also their own fault if they cop a hit? Sheesh... the people you should be criticising are the toerags who author the nasties...
My System SpecsSystem Spec
17 Nov 2009   #8

Linux CENTOS 7 / various Windows OS'es and servers

Hi Qdos

Viral infection spreading usually occurs via E-mail and p2p sites so if you act carefully you shouldn't get anything just because another computer has an infection.

The actual point of the post was basically to say that a lot of classical AV software isn't much good - especially the FREE versions - aginst the newer types of Malware.

By all means install AV software - but please be aware of what it is actually PROTECTING you from and what the limitations are.

Of course if you share a computer with an 8 year old who is downloading loads of stuff from the web then you will need some sort of guard. - But as I also pointed out most AV software is REACTIVE which means by the time you discover there IS a virus on the machine it's too late.

For example you might be downloading a simple mp3 file. Most virus scanning software will look for known .exe / .dll files.

Now even a beginner could encode some binary bytes in the mp3 file (there's always a few artifacts in an mp3 so it won't sound horrible when you try and play it) which would run a small program expanding a compressed virus made up of binary bits embedded at different points of the mp3 file -- rather like the various "codices" alledged to be embedded in the bible.

Virus scans haven't got much of a chance against this type of infection - a little bit of machine code knowledge and a binary file editor is all that's required.

I'm not saying you coud do this in 5 mins but you should get an idea of one way a virus can hide itself from a virus scanner. You certainly can't have a DB containing every MP3 on the planet with all encoding options - so a comparison detecton method is impossible - and the virus writer will ensure the mp3 file has a correct CRS and SHA1.

Reasonably experienced users shouldn't normally ever encounter a Virus.

MALWARE as I said in the post is a TOTALLY different animal and blocking scripts isn't 100% effective if you want to browse the web.

BTW You don't even have to "run the script" if the browser just inserts the machine code and executes it so even a "Script blocker" isn't seriously effective.

Popup blockers just stop "known scripts".

A Malware writer isn't going to make things obvious and easy.

And I agree - of course we should vent anger against the "low-lifes" - but that's a given anyway.

To sum up all the post was trying to say is that most AV software - especially FREE or "Lite" editions are relatively ineffective against these modern types of attacks - so I'm sorry if you mis-interpreted the post.

I'm as interested as the next guy in SAFE, SECURE computer systems - but please don't let us all be lulled into a false sense of security.

No intention was to rubbish anybody - but in no way am I going to pay for a product that doesn't even realld actually do "what it says on the tin".

(And BTW - how does one know that the "Safe" site you've just visited hasn't been hi-jacked -- even IBM and MS get infiltrated from time to time).

Malware 101 -- delete all traces of "alternate" sites visited and delete all traces of the site in the software logs on remote machine. - Not that difficult to do BTW.

One of the best logs which is relatively "tamper proof" is to switch on the hardware log on your router -- simple but often overlooked. Most routers have a "IP address visited" log in them which your malware writer probably won't be able to touch.

My System SpecsSystem Spec
17 Nov 2009   #9

Windows 7 ultimate 32bit OEM 6.1 Build7600

I use Noscript & adblock plus with FF
My System SpecsSystem Spec
17 Nov 2009   #10

Linux CENTOS 7 / various Windows OS'es and servers

Quote   Quote: Originally Posted by neoasr View Post
I use Noscript & adblock plus with FF

Hi there

Won't work 100% of the time -- every time you access web sites with any sort of designs - there's some CSS stuff there -- what about even the W7 site

even this site uses some scripting

for example as a start - code extract just view "Source" in IE.

<!DOCTYPEhtmlPUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" ""> <htmlxmlns="" dir="ltr" lang="en"> <head> <metahttp-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <metaname="generator" content="vBulletin 3.8.4" /> <metaname="verify-v1" content="KYRdS+aaZmSme3ViQqFlpzri2XmKhjPBDxF9Y7X5IO0=" /> <metaname="keywords" content="windows, seven beta, Microsoft, windows 7, Windows 7 Forums, windows 7 tutorials" /> <metaname="description" content="Windows 7 Forums the biggest Windows 7 discussion forum, friendly help and many Windows 7 tutorials that will help you get the most out of Microsofts new Windows 7 Operating System." /> <styletype="text/css" id="vbulletin_css">

Style: 'SF Default'; Style ID: 33

@import url("clientscript/vbulletin_css/style-afbf1b94-00033.css");

</style> <linkrel="stylesheet" type="text/css" href="clientscript/vbulletin_important.css?v=384" /> <styletype="text/css" id="bbcode_css"> <!-- .............................. etc etc.

My System SpecsSystem Spec

 Malware and the Web - we need a NEW Approach

Thread Tools

Similar help and support threads
Thread Forum
Approach for going from XP 32 to Win7 64?
I have a home-built PC that I'm aiming to do some hardware upgrades on during the holidays. I'll be putting in a new MB, processor, memory, and video card, which will change the architecture from 32 bit to 64 bit. The drives and power supply are all less than a year old, so I'm keeping...
Installation & Setup
New approach to pirates?
Right now I'm very sick... It's horrible and my thinking process is very hazy, I was playing a few games on my PSP and it was hard to know what was going on. Anyway, I just read a few articles about piracy from "TorrentFreak" and have thought of a more moral and simple solution to piracy. If a...
Chillout Room
WinLogin Virus - What approach ?
I decided to ask here on this forum, hoping someone had the information I was looking for in regards to AVAST finding a virus in the WinLogin.exe. I'm not quite sure what method to take I know that AVAST can take care of it using some automatic method but I don't want AVAST to take care of it...
System Security

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 03:40.
Twitter Facebook Google+ Seven Forums iOS App Seven Forums Android App