“All too often people talk about the disadvantages of the Windows operating system: it has too many security flaws, it is not properly patched, it is not security oriented… Until the much talked about Vista system finally reaches our computers, there will still be plenty of time to protest. However, with the new malware dynamic, the idea that malware is restricted to specific operating systems is becoming anachronistic. It no longer matters whether the victim is a home-user or a company employee. It is now irrelevant whether the system administrator is just someone who lives round the corner or a highly qualified IT manager.”
Sorry but what has malware to do with stupidity and lack of common sense?! Well.. aside from installing the malware in the first place!
It might be me.. all tired after a long day of work and sports after it.. but since when is plain scam mail equal to Malware?!
Edited 2006-12-15 20:50
Malware is a very vague term. The cases the article describes can be classified as good ol’ phishing, IMHO, and as far as I know, phishing has been OS agnostic since day one.
Actually, the only thing that can really keep you safe in these cases is caution and common sense, and that has nothing to do with OSes.
Calling these techniques malware is a stretch. Most of them can be handled by snail mail and would not even require a computer.
I disagree
If you include in your definition of malware harmful digital information, the author has a point, the code he is talking about runs in software (maybe verysoftware) between the user’s ears. No you couldn’t do this using snail mail because the originator of the scam couldn’t replicate the information quickly enough or cheaply enough to reach sufficient punters – so this is a legitimate computer problem and so worthy of osnews.
I suggest that this problem will help to scupper Vista security.
Inbox – naked lady pics (or similar)
OS – The attachment could contain malicious code or viruses
User – click open
OS- Please add the administrative password if you wish to make these changes to your system
User – adds password
Vista security – poof gone
You think this scenario is unlikely?
No you couldn’t do this using snail mail because the originator of the scam couldn’t replicate the information quickly enough
You use the correct word here, scam. Scams existed before computers, they just didn’t have such a large target base.
If you include in your definition of malware harmful digital information
The clue is in the -ware ending. Traditionally, the computer industry has had: software, freeware, shareware, adware and malware. All of these have one thing in common, they are computer programs.
this problem will help to scupper Vista security
(is not a Non-OS-Dependant Malware)
Of course, but then there is no solution to this problem. End users HAVE to be able to run code on their computer, otherwise the computer is just a piece of furniture.
Luckily, as the computer industry is maturing, user education is increasing. Most people nowadays are aware of the dangers of opening unexpected attachments, A/V scanners are a help, but they will never catch 100% of viruses.
This article, according to its own vernacular, is just a piece of nonware. I’m sure that everyone on this site is aware of 419ers and phishing attacks, why tell us about it again?
No you couldn’t do this using snail mail because the originator of the scam couldn’t replicate the information quickly enough or cheaply enough to reach sufficient punters
Really? I would beg to differ, having worked at a company where we regularly got faxed 419 scams and various MLM scams.
“Inbox – naked lady pics (or similar)
OS – The attachment could contain malicious code or viruses
User – click open
OS- Please add the administrative password if you wish to make these changes to your system
User – adds password
Vista security – poof gone
You think this scenario is unlikely?”
The situation you describe seems typical to me. In other posts, asking for transaction PINs and passwords was mentioned. In my opinion such manner is not to be talked about as “malware” as long as it doesn’t use software other than on the user’s PC, for example, if an attachment is installed to replace a standard program by a faked one so that the user doesn’t recognize it.
From the article: “The solution, as always, involves security suites that include all the features needed to protect users in a single application: from the classic antivirus to firewalls, or e-mail protection both for Windows and Linux. In this way we can keep users safe as well as their computers.”
My dear Mister Fernando de la Cuadra, Panda Software… 🙂 The solution, as always, involves intelligence and the ability of educated judging that include all the features needed to protect users by adult-like thinking. In this way the users can keep themselves safe as well as their computers. It’s not that complicated, is it?
Sounds like the author’s company is trying to break in to the Linux market for security products.
//Sounds like the author’s company is trying to break in to the Linux market for security products.//
What Linux market for security products is this?
I see no evidence anywhere that there is such a market.
There is a market, it may be small but:
Snort, IPTables, Sophos AV, ClamAV, Panda GateDefender etc…
Of course spreading FUD and Doomsday stories is a well known technique for increasing security markets.
Using Dictionary.com:
American Heritage Dictionary
mal·ware
n. Malicious computer software that interferes with normal computer functions or sends personal data about the user to unauthorized parties over the Internet.
Webster’s New Millennium™
Definition: software, such as viruses, intended to damage or disable a computer system; short for malicious software; also written [mal-ware]
The American Heritage Science Dictionary
Software that is written and distributed for malicious purposes, such as impairing or destroying computer systems. Computer viruses are malware.
Also using Answers.com:
Has a long list from TechWeb TechEncyclopedia, Hacker Slang, and Wikipedia – and they all show the same common element in their definitions – CODE! RUNNING CODE!
The article has nothing to do with malware.
Edited 2006-12-15 22:35
Bill Gates has a new pair of glasses.
I am sorry, but what is an article geared at the most basic of computer users doing on a site geared towards people interested in alternative OS’s.
The ‘malware’ mentioned in this article should be redefined as ‘spam’ and the article itself re-published as ‘things that you should look out for in your email’ in the ‘News of the World’ or USA Today and is definitely not worthy of OS News.
Hmmm…
Not sure how to say this… hmmm…
Okay, maybe this’ll do:
I have a dual-boot Fedora Core 6 / Windows XP Pro SP2 machine sitting about five feet left of me.
Both machines run Firefox. Windows has been secured by every means I have discovered ( including a network firewall with active virus scanning ). Fedora Core 6 has had no security modifications, but ( worse ) is set to provide several servers ( ftp, http, loonNet ).
The two systems don’t get equal playtime, Fedora is used about 90% of the time ‘cuz my girl-friend *LOVES* 3dDesktop ( and all the supporting goodness ).
Now, of the two operating systems, only one of those has been afflicted with ailments, Windows ( of course ).
The ailments were drive-by downloads due to the banner networks that are on nearly every site these days. Then, to make things worse, removing the gunk made the system drop into c000021a stop error. Safe Mode inaccessible, replacing winlogon, restoring the registry, nothing at all would fix it without becoming drastic. A repair-install run from the XP CD, re-application of the service packs, and the system was finally running again ( mostly ).
But, before you could count to ten, about five hundred internet explorer windows opened ( damn nice performance, actually ). Of course, that overloads the system now every time, making it unusable.
I had to introduce my girl friend to a few alternatives to office already, so she was able to easily continue working with most of her files from Windows inside Fedora. At that point, my girl friend’s computer became Windows-free, with Fedora gaining a separate hard disk for swap ( if it ever even will (hasn’t yet needed to hit the swap, it seems, according to a few little utils in the system )). They ( my girl and her computer ) are much happier without the annoyances Windows gave them.
The machine works perfect ( for once ), and my girl can do everything she WANTS. She really has almost no requests.. and she is pretty demanding! Well, she does want me to matrix her computer with my computer and the media grid my computer controls. “The media grid” is just a computer-controlled router for A/V. The system provides full operational capabilities without the computer, but the computer can coordinate displays and inputs.
I hope to add some more robustness to that, such as split-screening, display spanning+matrix, and the like, but that is a lot of work I really don’t have time for 🙁
Hmm, back on topic: Windows Vista has a lot to make up for. So far, I see a good 30% make-up as far as in the system usability area… a doubling or so in the security area, a little bit less obtrusive alerts, twice the confusion level, ten times or so hardware usage ( not same as requirements ) and that is about it.
I have no doubt, though, that if Microsoft were to start from the ground-up, with a small team ( say 50 devs, 5 managers, 5 or so GUI artists, and the best of each that MSoft has to offer ), build a non-Windows compatible operating system, using the latest and greatest of technical knowhow and wisdom, could in fact manage to release something almost everyone would want to buy. It would take something very drastic for that to occur, and then you still have to worry about all the file formats, etc., to become truly viable, so a corporation such as Microsoft, will never EVER do such a thing in an honest effort to replace the Windows paradigm ( at least in regards to the whole anyone-can-get-in thing, which they can’t get rid of, otherwise they would lose the ability to have control over the United States government ).
Control? Yes, what else do you call making them buy your products en masse every time you have a new version?
If you can attack Windows well enough, you can take down the U.S. government, lickety-split.
I advocate diversity with common-source. A unique binary format for every app on the system. A common neutral binary will require pre-parsing prior to being able to run on the system. A one-time check on the actions to be performed by that executable to determine whether sand-boxing needs to be deployed.
Read up on sand boxes if you don’t know what they are. Hint: they don’t have any sand in them.
–The loon
It’s common practice to look left and right when you cross a road. About time the average user is properly educated and changes their habits.
MS never sends e-mail with direct update links.
Bank employees don’t send direct e-mail asking you to reset a PIN number.
African princes in need of a bank account don’t exist.
When in doubt, never open unsolicited e-mail.
….that the existence of phishing was news.
And no, phishing isn’t malware, it’s just a plain old scam.
—————-
Non-OS-dependant malware
By Fernando de la Cuadra, Panda Software
….
“The solution, as always, involves security suites that include all the features needed to protect users in a single application: from the classic antivirus to firewalls, or e-mail protection both for Windows and Linux. In this way we can keep users safe as well as their computers.
—————–
WHY READ MORE?
WHY READ MORE?
Exactly. That’s why I always read the comments first before the article, especially those with dubious headlines.
Until someone comes up with a way similar to Apple’s fat binaries (universal binaries) and manages to make it work for Windows, Linux, BSD, Solaris, Windows, etc (and on the different hardware platforms – x86, PPC, SPARC, etc) (which is also not possible because different systems go by the magic number at the beginning of the file), the closest thing to a non-OS-dependent malware would have to be a shell script (which then excludes Windows users). And shell scripts don’t execute themselves, and no user using those systems would be stupid enough to enter the root password for it (though it could take out their home directory instead of asking for a password).
Or, maybe, programs written in interpreted programming languages? It’s easy enough to make a Python program perform a task on any machine with the interpreter. Some PC manufacturers bundle the Python interpreter with new Windows PCs (HP, for instance), so even that is becoming less of an issue for malware writers.
Linux localhost 2.6.18-hardened #1 SMP PREEMPT Sun Dec 17 18:48:46 CET 2006 x86_64 AMD Athlon(tm) 64 Processor 3000+ AuthenticAMD GNU/Linux
PAX+Grsec+xorg+nvidia+dazuko/antivir+rkhunter
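
The comments above about the magic number at the beginning of a file and about interpreted scripts can be illustrated with a small file-type triage routine, of the kind a mail gateway or analyst might run on an attachment. This is an added example, not part of the original thread; the function names and the sample headers are constructed for illustration, and the Mach-O/Java distinction is a heuristic.

```python
import struct

# Thin Mach-O magics, as stored on disk in either byte order (32- and 64-bit).
MACHO_THIN = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
              b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}

def classify_header(data: bytes) -> str:
    """Name the loader/format a file targets, judged only by its leading bytes."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C holds the file offset of the "PE\0\0" signature.
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "PE"
        return "MZ-only"
    if data[:4] in MACHO_THIN:
        return "Mach-O"
    if data[:4] == b"\xca\xfe\xba\xbe" and len(data) >= 8:
        # Universal binaries and Java class files share this magic. Heuristic:
        # the next big-endian word is an architecture count (small) in a
        # universal binary, but minor/major version (major >= 45) in a class file.
        (word,) = struct.unpack_from(">I", data, 4)
        return "Mach-O universal" if word < 45 else "Java class"
    if data[:2] == b"#!":
        # Scripts carry no machine code; the kernel hands them to the named interpreter.
        parts = data[2:].split(b"\n", 1)[0].split()
        return "script (%s)" % (parts[0].decode("ascii", "replace") if parts else "?")
    return "unknown"

def constructed_samples() -> dict:
    """Headers built by hand for this example; none comes from a real file."""
    pe = bytearray(0x84)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe[0x80:0x84] = b"PE\x00\x00"
    return {
        "elf": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
        "pe": bytes(pe),
        "fat": b"\xca\xfe\xba\xbe" + struct.pack(">I", 2),
        "class": b"\xca\xfe\xba\xbe\x00\x00\x00\x32",
        "sh": b"#!/bin/sh\necho hello\n",
        "text": b"plain text with no magic number",
    }

def triage() -> dict:
    return {name: classify_header(blob) for name, blob in constructed_samples().items()}
```

Each native format is recognized by only one family of loaders, while the script and class-file cases run wherever their interpreter or runtime is installed.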