Google’s Malware Detection: Worthless at Best
Dangerous at worst.
Google has rolled out a new feature where it attempts to inform people that they think they are browsing from malware infected PCs. It’s a noble idea, and I don’t want to rag on them too much, but it is also a terrible idea. Most of the time I would say something like ‘at least someone is trying.’ But I can’t with this one. There so many problems with the idea in general, and their advice is so unbelievably wrong it borders on malicious.
How It Works
When you do a search on Google.com, Google will look at the IP address of the incoming web request, and compare it to a list of IP address that known malicious proxies use. If it’s on that list, your results page will show a banner that says something like: “Your computer appears to be infected” and then link you to their wonderfully ignorant help page: http://www.google.com/support/websearch/bin/answer.py?answer=1182191
When you do a search on Google, your web browser is sending a request to Google’s servers. When Google receives this request, one of the fields in it is your computers IP address – think of it as a return address on an envelope. Malware is able to modify your machine so that every web request you make is routed to one of their “proxy” servers. Once the request hits their server, they can read it, modify it, or do whatever, and then forward it on to the site you were trying to reach. Now, when that site gets the request (Google in this case) the return address isn’t your computer, but instead the malware’s proxy. Google will do the search, send the page to the proxy, and the proxy will send it back to you. You likely have no idea that this proxy is siphoning your requests and watching everything you do. I made a slideshow demonstrating the concept:
So what Google is attempting to do here is look at the IP address of the request and if it is from a known malicious proxy, include this malware warning banner at the top of the results.
What’s Wrong With it?
Look at the “Malware Response” part of the slides, see how the response also gets routed through the malware proxy? That proxy is able to edit the page that Google sends back and is in complete control of the content. They could replace the banner to say “You’re computer is infected with malware, click here to download antivirus software” and then link them to a fake anti-virus Trojan that could extort money. Every link on this page could be modified to point to more Trojans: http://www.google.com/support/websearch/bin/answer.py?answer=8091. How many users are going to think that this fake anti virus program is legitimate now that Google is pointing them there? This just shows a complete lack of technical understand by Google, and advice from a source like that is always the worst type of advice.
What Should They Have Done?
Nothing. There is absolutely nothing a remote website can do if your computer has been modified by malware. A remote site cannot even accurately warn you you are infected because the proxy can just remove the warning before the page reaches your machine. All of the advice given here to fix your machine once it is infected is as worthless as snake oil. The only thing you can do to remove malware from an already infected machine is to reformat it and start over. If you are lucky and have a backup that you trust, you could try reverting to that.
Please, please, please, please please do not click on any banner or link that tells you that your computer is infected. This has been common advice to battle fake antivirus Trojans for a while now, but apparently Google wasn’t listening.
Out of Azure
I’m losing my Azure subscription at the end of the month. As Microsoft employees, we can get MSDN accounts for personal use. These were regular retail MSDN Ultimate accounts, which starting last year included a single Azure instance (running 24 hours a day for a month) and an Azure storage account. In August our accounts are changing to a special type of account on for Microsoft employees that has everything the old account had, except for the free Azure subscription.
I’m kind of sad about it because I was enjoying writing in Azure and learning a bit about it, but my site gets close to zero regular readers, and Azure is a little expensive for a site that can’t generate any sort of revenue. I can’t complain though, having a year of the service gave me a great chance to learn how to write and run a service there and I learned a lot. I plan to write up a fairly detailed post mortem someday.
So, this all means that I am moving the site back to WordPress. To celebrate this, I’ve picked out a new theme that a hate a little bit less than the old one. I’ll also be moving my posts from the Azure bin to this site, so you’ll see a bunch of new posts in the RSS.
System Center App Controller
Friends and family have asked me “what do you work on?” a few times, and for various reasons I always give a pretty terrible answer. One of the reasons why that is hard to answer for me is because the product I work on is brand new, and until this recently wasn’t announced. In fact, it didn’t even have a name until Tuesday. These type of products are tough to talk about because they are constantly changing and evolving before they get locked down and announced.
On Tuesday, we were formally introduced as System Center App Controller at Microsoft’s Worldwide Partner Conference. It was demod during Satya Nadella’s(President of Server and Tools Business) keynote presentation. You an watch it all here: http://digitalwpc.com/Videos/VisionKeynoteVideos/2/SatyaNadella. He gives about five minutes of background context, and then the demonstration starts.
Put simply, App Controller is a management portal that allows an App Owner to manage and deploy Services and Virtual Machines in Windows Azure and System Center Virtual Machine Manager 2012. This bridges the gap between the public cloud service (Azure) and an internal private cloud infrastructure (VMM) and lets the App Owner work in both of these environments at the same time, with a unified experience. Here are some screenshot from the web:
The demo in the keynote really did a great job explaining what this is all about and showing off some of the cool features, so I hope you take the time to watch it.
Public Wi-Fi Dangers with Android Phones
Turns out there is a nasty vulnerability affecting pretty much every Android phone out there. Since it involves connecting to public Wi-Fi networks it seems like a good follow post to one of my previous post.
Here’s how it goes: When you connect to a site like Facebook for the first time, you exchange your credentials with the site and in return the site generates a unique session ID. After the credential exchange, all you need is your session ‘token’ to authenticate with the site. This token is only valid for a period of time (configured by the site, some are 30 minutes, 2 weeks, some never expire). This allows you revisit the site and remain logged in with out entering your credentials every time. Android phones are set by default to automatically reconnect to Wi-Fi networks that they have already connected to. Once connected, the apps on the phone automatically connect to their corresponding web service, either exchanging session tokens or real usernames and passwords.
Here is what an attacker can do: If a person has connected their phone to a common public Wi-Fi hotspot, say Starbuck’s Wi-Fi, whose SSID just happens to be “Starbucks” then the next time their phone sees a network named “Starbucks” it will automatically connect to it. All an attacker has to do is set up a malicious hotspot near a real one, name it the same thing, and wait for the phone to come into range of the network and automatically connect. Once connected, they can grab session tokens and then they can operate on that site as that user, as well as eavesdrop on what is being sent to the service.
Since most sites only use SSL for logging in, your user name and password for the service is protected. However, there is a pretty good chance that the site does not use SSL for the rest of the session and simply sends the session token in plain text. The problem is that Android will reuse the session tokens generated while the phone was connected to the previous trusted Wi-Fi network, mean that your session ID is free game for anyone to use.
Best way to mitigate this is to shut off the option to automatically connect to networks that the phone has already connected to.
Much more detail here: http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html
Secure Mobile Browsing
I’ve written, and rewritten this post about three times already, and I’m tired of thinking about it. I’m just going to write out whatever comes to mind on the subject and just post it as is.
This started as a conversation with wife about the safety of mobile banking. We were driving away from our credit union and I wanted to check to see if a transaction had posted yet, so I pulled out my smart phone and browsed to the credit union’s site and checked. She told me that she has reservations about browsing sensitive (banking, email, etc.) on a smart phone.
With this post I intend to explain what happens when you browse the mobile web and hopefully put to rest some fears.
Websites can be connected to in two different ways: unencrypted (HTTP) or encrypted (HTTPS). Most sites will use a hybrid approach and use HTTPS for the login or checkout page, and then HTTP for the rest of the site. Banks however, should use HTTPS 100% of the time. I blogged a while back about HTTPS, so I’m just going to paste what I wrote then here:
[With HTTPS] the goal is to establish a unique encryption session between your computer and the server, so that eavesdroppers aren’t able to steal your valuable information as it gets sent along the line. This is accomplished by using the Secure Socket Layer (SSL) protocol. SSL uses public-key cryptography to securely establish a session (symmetric) key that is used to protect the subsequent data. This is how it works:
Client (you and your browser) connects to a server over https:// (port 443)
Server sends you it’s public certificate – This certificate contains the server’s public key .
Client generates a random number, encrypts it with the server’s certificate and sends it – This number is the premaster key
Server takes the premaster key along with some other random numbers that were exchanged and generates the session key
Now that you and the server have agreed on the same key all the data sent from this point forward will be encrypted.
So we can now settle on the fact that if the site you are browsing to is using HTTPS, then no one can eavesdrop and steal any of your info. This is true whether you are browsing from your home computer, work computer, mobile phone connected to 3G, or mobile phone connected to an open Wi-Fi network.
So, why do some people say it is unsafe? There is an added risk of phishing attacks when you are browsing on a network you don’t trust (unsecured open Wi-Fi). Since all the traffic from your phone to the website will have to travel through this router that you don’t trust, the attacker could send you to a page that looks just like your bank’s page, at which you will log in, get some sort of error, and then be redirected to the real page. You will probably think that you typed your password wrong, try again, get through, and never think twice about it again.
So that is the only reason why you shouldn’t do any sensitive browsing on an open Wi-Fi network. All other networks are safe, provided the site uses HTTPS. If it doesn’t, it doesn’t matter if you trust the network or not, everyone can see everything you do.
Would love some questions if anything is unclear and I will do a follow-up.
Spear Phishing
What it is, how to avoid it, and why everyone is talking about it right now.
http://recyclebin.novielli.org/blog/posts/2011/4/Spear%20Phishing
Blog update
Here’s what has been going on:
Tried to write my own blog engine. Motivation was to learn more about web dev, specifically MVC2 and Windows Azure. End result was a somewhat decent tool and some good learnings. I’ll post about it more here in the next few posts.
Working on a WP7 app as a side project at work. Can’t talk about the app spefically, but I do plan on writing some WP7 dev related posts.
Kinect is awesome. That is all.
Enhanced Mitigation Experience Toolkit
I learned about this tool at Microsoft’s Bluehat 2010 conference this year. A blurb from their website explains it as
“EMET provides users with the ability to deploy security mitigation technologies to arbitrary applications. This helps prevent vulnerabilities in those applications (especially line of business and 3rd party apps) from successfully being exploited. By deploying these mitigation technologies on legacy products, the tool can also help customers manage risk while they are in the process of transitioning over to modern, more secure products. In addition, it makes it easy for customers to test mitigations against any software and provide feedback on their experience to the vendor.”
EMET allows you to set certain security mitigation techniques into programs that are unable to write these techniques into the code. You could have a legacy application that is no longer being developed, an executable that is currently being exploited that you would like to harden, or just any particularly risky program that you want to sure up.
Here is a screen shot:
My current configuration:
I decided to pick all internet face application (Messenger, Mesh, IE) and a few of the more highly targeted programs (Adobe Reader, Office) and enable all of the security mitigations that EMET can provide.
It’s a neat little tool, and it works really well. I have not noticed any performance impact.
IE9 Taskbar Integration
IE9 – http://www.beautyoftheweb.com/ – has an awesome new feature that lets you pin websites to the Windows 7 task bar. You simply drag the tab down to the bar and it gets pinned and starts to function more like a regular application. With just a little bit of markup, web developers and add tasks to their jumplist, and give an overlay tile to show up to the date information.
Here is a screen shot of Twitter pinned to the taskbar:
To the left is LinkedIn, and Amazon is to the right. The other two icons are Live Writer and Live Photogallery. As you can see, web pages look just like normal applications.
Also, when you pin an website, the colors and header of IE change to match the branding colors of the site. It’s as if IE steps out of the way, and lets the website own the entire experience.
WordPress.com has jumped in on this and added taskbar and jumplist integration for every WordPress.com blog. Go ahead and drag The Recycle Bin to your taskbar and see for yourself!
SDET Interview Follow Up Post
I’ve received enough emails and comments about my Microsoft SDET interview post that I should probably respond to them. Most of the comments are people asking for solutions to the problems. I really don’t like simply giving out the answers to problems since I don’t think it helps anyone to just have the answer. The main point I was trying to get at in my original post is that getting the answer correct isn’t necessarily important as long as you show critical thinking and problem solving skills. Apparently I didn’t really get that point across very well.
Since you all have asked so many times and they won’t really do you any good anyway, here are the answers to some of the problems.
Actually, I have a better thought about this. The reality is that the answers to the questions don’t matter at all. Interviewers really don’t care if you get the question right, all they care about it is how you think about problems. Unless you are interviewing for a specific task in which you need to be an expert in that field, then simply knowing answers off the top of your head will do you no good.
So let’s close this and move on. I have lots of other things I want to post about instead.
Pulling Me Back
It’s been well over a year and a half since I posted to this blog but I keep getting new comments added to it! I tried moving to different domains and blogging services, but nothing really stuck and I just wasn’t writing very much anyway. I’ve been kicking around a lot of ideas in my head lately and writing them in a notebook, so I feel like I’ve got a lot of content now that I can start writing into posts. I wanted to try and reinvent things and start anew on a different site, but then I check the stats here and realized that I am still getting hundreds of hits a day, thousands not too long ago. So, I guess I won’t change what’s working, and I’ll start writing to this place again. Look out for more posts coming soon.
Back to spaces
In typical fashion, I am moving this blog again. I completely screwed up my BlogEngine.net install the other day while trying to update it. It aggravated me an awful lot, and then I realized that I just don’t care enough to be messing with this all the time. I also am starting a migration away from a self-hosted server (6 year old laptop sitting in the closet) to a real “cloud" hosted set up. I run two sites off of this box, one being this blog, the other being a web portal that my family is supposed to be able to use to keep in touch and stuff. I’m going to be moving the family site over to Windows Azure, and I was planning on hosting this blog there, but then again, I remembered how little time I have for this stuff and how this blog really shouldn’t require any time outside of writing. So, back to Spaces. I’ll let the Windows Live guys worry about keeping the blog working, and in the meantime I’ll just write.
Upcoming topics:
Windows Azure: what it is, what I’ve learned, and what it all means
Emerging Computing Trends: I’m going to take a look at what the near future of computing my look like (ultra portable, mobile, cloud)
What it is and how it works: to augment the series on future trends, I’m going to take a look at the past and the current technologies that make up our computing lives and try to explain them to people that use them everyday but have always wanted to know how or why they work the way they do. Some example of this would be email – I’ll take a look at how it started, the underlying protocols (smtp, imap, pop) and how it’s changed (Exchange, webmail), and maybe venture a guess as to where it is going.
Alright, thanks for sticking with me through all the ridiculous changes. Maybe this will be the final resting place for the Bin.
Oh, and if you are bookmarking this, I having picked a URL in Live Spaces yet so it is just my cid.spaces.live.com. That will change, so don’t bookmark it. I am redirecting my domain name here so you can bookmark that instead: http://recyclebin.novielli.org
Privoxy
The AdBlock guys did some interesting analysis on exactly how much bandwidth, space, and recourses web advertisement are taking up and wrote about it in this blog post [adblockplus.org]. They develop an ad-blocking plug-in for Firefox, so they definitely have a one-sided opinion on the issue. It’s interesting either way to see just how much these ads “cost” you. Add this post together with the one from here a while back about malware coming in though advertisements, and it makes you want to block them all the more.
On top of plug-ins for your browser there is another (arguably better) way to block ads, and that is a web filtering proxy. A proxy is simply a filter that sits in between your internet browser and the web and can help you control what you receive or send out. I’m current running Privoxy, an open source local proxy and absolutely love it. It is really simply to use – just install it, and set your browsers connection to use a proxy at 127.0.0.1 port 8118. Its a quick and dirty way to block advertisements for any browser on your system with use browser plug-ins.
Junk “Journalism”
I love it when a article gets posted that is so clearly and obviously wrong to everyone reading it that the page fills up with comments fixing all the writer’s mistakes. The part I love most about it is that it reveals all the lazy and incompetent writers out there, since there will be an endless amount of “new” stories that are just working off of the one junky blog post.
Example: Windows 7 versions announced. Engadget got this story completely wrong. They editorialized, added a biased slant, and manufactured some nerd rage to completely distort the announcement. To be clear – consumers will have two versions of Windows 7 to decide from (Home Premium, and Professional). All other SKUs will not be available for consumers to purchase. One of the versions is only available in developing countries at a very discounted price. Another will be only installed by OEMs, marketed for netbooks (no, you aren’t limited to running just three apps at a time ::rolls eyes::). The other (Enterprise) is for businesses that need volume licensing (not you Engadget). Also, no prices have been announced for any version of Windows7, so putting Vista equivalent prices next to the new versions is inaccurate, leads to confusions, and is just plain dumb.
I can’t for the life of me figure out what the problem with multiple SKUs is. The Windows OS has over a billion customers, and not all of them have the exact same needs. What is the alternative? Offer just one version and the listen to everyone complain about paying for features that don’t want?? Plus, I thought these were intelligent, tech minded people – they can’t read a check list and decide what version they want (pick 1 out of 2, ZOMG!!11!!) I guess the part that confuses me the most, is that people actually read that site, and take it seriously…
Here’s the facts for this story
http://www.microsoft.com/presspass/features/2009/feb09/02-03Win7SKU-QA.mspx
[UPDATE]
Slashdot gets it wrong too – but I think they do it on purpose…
Teaser Feeds
It really bothers me when websites truncate their posts in RSS feeds and only show you little snippets of the story. It defeats the purpose of RSS – and renders my offline reader useless. I can understand why they do it; they want to get page views and ad impressions, and most of the time the post isn’t that interesting so I skip it. But really, does the Whitehouse.gov RSS feed have to do it too?
Cold News
January 15th came and went – and we all still have a job. Twitter flurried, experts predicted, and news trucks descended on campus like vultures on a kill, but in the end, everyone was duped. Internet rumors can be nasty beasts, but one with the widespread implications on peoples lives and a local economy like this one, really should be scrutinized a bit more before it’s believed. I almost feel bad for the Q13Fox guy who had to stand outside in the cold at 6m trying to get his story, or the KOMO4 people, disappointed I’m sure that they don’t have a video of a mass of despondent souls walking out of their offices a final time on their way to the dole line. I almost feel bad for them, but really, I don’t. They all too eagerly play into the game, fuel the rumors, and revel in the thought of having a bad situation to stick their cameras in. I don’t know what’s going to happen tomorrow, I don’t know if there will be layoffs or not, but I do know that if I get a pink slip not a single one of those “journalists” will be getting their sound bite from me.
ActiveX Redux
Google has decided to throw away years of progress in Web security, JIT interpreters, and general common sense and implemented a weak rehash of the ActiveX control. Dubbed Native Client, this new plug-in architecture will allow websites to deliver raw x86 code to users in an attempt to “create richer and more dynamic browser-based applications.”
First of all, there is nothing browser-based about running native code. The browser is simply the distribution medium for your native application. Is Google admitting that AJAX and browser applications aren’t all they’re cracked up to be?
In all the hilarious irony however, we shouldn’t lose sight of how awfully bad this idea really is. I mean, it’s just a terrible idea. Pushing raw machine code down the pipes is not a reasonable solution to the problem. We tried this with ActiveX – it’s been a mess. Sure, they’ve put some thought to security – a thinly veiled ‘sandbox’ that statically analyzes the bytes for any “dangerous commands” before it executes. Yeah, I’m sure no one is going to find a way around that….
Really, it’s ideas like this that guarantee that anti-virus vendors will always have a job…
This Week in MalWare
There have been several interesting malware stories in the news this week.
There’s a new worm circulating the social network called Koobface. Basically, you get a message from on of your friends that says something along the lines of, “I found this video with you in it, check it out,” and then you click on the link and the website tells you to update your Flash player. Of course, this isn’t an update to Flash, but rather a worm that steals passwords and account information. McAfee’s Avert Labs has a good piece of advice that everyone should follow to stay safe on the web:
Do not follow any unexpected hyperlinks you receive over the Web, Email, or IM, even if they are received from someone you know. It’s best to ask for confirmation from the sender; that they intentionally sent such a link.
On the other end of hyperlinks, it’s best to install software and updates from the source (such as adobe.com in this case) rather than trusting the content from a third-party website.
FireFOX
There’s also a new trojan that is specifically targeting the Firefox add-ons system and masquerading as a legitimate extension called Greasemonkey. The trojan gets installed through traditional means (codecs, flash update, etc) and installs into the add-ons and extensions folder. Once it’s been installed, it runs as a normal add on would, and watches what websites get visited. It looks for about 100 different sites, ranging from gaming to banking sites. Once it finds a site that it knows, it records the user name and password and reports back to the attacker. The piece of malware takes advantage of what I believe is a major design flaw in Firefox; any extension has complete access to everything the browser gets. This is a major reason way IT departments are reluctant to deploy FF on their networks. You really need to be careful when you are installing extensions, and make sure that they from a trusted source. If browsing a local intranet page with confidential information, it is a best practice to either use a clean FF with no add-ons, or Internet Explorer.
OSX
Thirdly, Apple found itself in the malware spotlight after someone found an old support article in which the company recommended running anti-virus software on OSX. This sort opinion sort of flies in the face of their advertising campaign that says that OSX is immune to viruses due to it’s superior architecture. The controversy really started to mount with Apple quietly pulled that article from their support database and did a complete 180 on the issue. I think Apple is doing it’s users a disservice by acting so defiant about the issue. Suggesting that it’s users protect themselves with a modern anti-virus client which does more than just protect against viruses (it helps mitigate damage from trojans, phishing scams, and general data loss) does not mean that their product is flawed, or somehow inferior, it just means they care about their users. Throughout all of this debate though, people seemed to lose sight of the real reason why OSX users should have AV clients on their machines – they can still receive and forward Windows viruses! So please, if you’re on a shared open network, be courteous, and run an AV client.
Here are some of the links
http://blog.trendmicro.com/cyber-crimainals-target-firefox-users/
Full Disclosure
It’s been about a month since Microsoft released MS08-067 – which I posted about here. Since the patch was released, malware writers have scrapped together a worm that is spreading through the internet, swelling the ranks of their already impressive botnet. How does this happen? Wasn’t the bug fixed? Well, let’s take a look at what happened. First, the hole in the system stayed hidden for years – no one knew it existed, not MS security, hackers, or the all-knowing Slashdotters. This is not necessarily a bad thing – because a vulnerability that no one knows about isn’t really a vulnerability at the time, right? It isn’t once the bug was discovered and disclosed that we started having a problem. In this case, the turnaround was fairly quick. MS reacted appropriately and released an out-of-band update and pushed out a lot of press about how imperative it is that people update their machines. The problem is, not everybody is going to update their machine. These people are exceptionally vulnerable right now because in sending out a patch, Microsoft not only told everyone about the bug, but practically sent exploit code to the bad guys. You see, a patch is like the inverse of an exploit – and hackers can take these files and analyze them to figure out exactly what component of the system is vulnerable. There is a time span of mere hours between a patch release and the first sighting of in-the-wild exploitation.
So, my question is, what are we supposed to do? These bugs are going to exists. All operating systems will have a bug like this. Don’t believe the drivel that gets spouted about how Windows is architecturally inferior to all other systems, therefore it is the only one to have these problems. Programmers and testers are human, they make mistakes. The question here is, how do you deal with these bugs once their found. Obviously, you have to disclose them. People need to be made aware of the situation. But once you tell people about the bug, and patch it, then some people are more at risk than they were before. I guess you could take comfort in the fact that less people are at risk (those who patched) but maybe, the overall risk has increased – because now there is a worm spreading. So, do we need a less informative way to disclose the information – just tell people to update without saying what the problem really is? Well, that won’t work either, because really, all the important information is found in the binary patch that gets sent out from Windows Update. Bad guys have a Windows box too, and they get the update. OK – encrypt the patch? Won’t work, they’ll just diff their machines – it might slow them down a couple of hours, but that’s about it. So, I’m at a loss, I guess I have to accept the fact that patches will lead to full disclosure, which will lead to exploitation. I guess we just have to hope that people update their systems when they’re asked to. But, I hate this conclusion – most cause of that H word… maybe we can make updates work they do in video games land – force you to update before it will allow you to connect to the internet again. Any ideas?
Critical Update
Please update your Windows machine now if you haven’t already. Microsoft released an out-of-band update to patch a critical hole that is present in all versions of Windows. Vista and Server 2k8 users are at a slightly less risk since “the vulnerable code path is only accessible to authenticated users” – but still, if you haven’t updated, do it now! This is not an everyday type of vulnerability, but rather a widespread wormable hole that has serious implications if it remains unpatched.
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
