Alun Jones wrote:
> "William" <starrwarz@g_~-clothes-~_m~more_clothes~ail.com> wrote in message
> news:70Vkh.40916$wc5.11798@newssvr25.news.prodigy.net...
> > On 12/28/2006 10:10 AM, something possessed Alun Jones to write:
> >> "William" <starrwarz@g_~-clothes-~_m~more_clothes~ail.com> wrote in
> >> message news:5Qnkh.7472$yC5.5798@newssvr27.news.prodigy.net...
> >>> Not necessarily. If you're just using it to illegally download music
> >>> and videos (not program executables), and you're careful about how you
> >>> play these (I wouldn't rely on Windows to launch them, for example, but
> >>> load them in Winamp, and don't let Winamp connect to Internet), then
> >>> you're more or less safe.
> >>
> >> Right, because Winamp has never had any vulnerabilities that can be
> >> exploited by badly formatted data.
> >
> > I didn't recommend Winamp because it was invulnerable, but simply because
> > it's not integrated into the OS, so that if it goes bad, the whole OS
> > doesn't suffer.
>
> It does if you're running as an administrator account.
>
> Windows (as with all computer systems I'm aware of) cannot distinguish
> between the user, and programs run on that user's behalf. If you, the user,
> run Winamp, and it loads a data file that causes execution through
> exploiting a buffer overflow, the malware inside of that data file can do
> absolutely anything to the system that you can do, with the exception of
> anything that requires your actual physical presence.
>
> So, if you're running as an administrator, it doesn't matter if you're
> loading exploits into a program that's labeled "part of the OS", or one
> that's labeled "third party shovelware", the exploit can do what it chooses.
>
> The answer, then, is to run as a restricted user account. I do it all the
> time - and when I do, my Internet Explorer runs as a restricted user account
> too. Exploits in the apps I use can still do anything I can do, but the
> damage is limited to my personal data, not the entire OS.
>
> You can even run as an administrator while forcing IE to run as a restricted
> user! [Search for "SAFER" and "SRP" and "Internet Explorer" for some
> articles, or see
> http://blogs.msdn.com/michael_howard...1/363985.aspx]
>
> Note, though, that once you've downloaded and run a piece of malware,
> whether it's an EXE or a buffer-overflowing MP3, that malware can do
> everything you can do as a user.
>
> > Additionally, while exploits may exist in Winamp when accessing
> > questionable media locally stored, In order for any real damage to be done
> > (i.e. a trojan downloader), Winamp would need to access the Internet (or
> > maybe that wretched program Internet Explorer).
>
> Uh... no. Remember, Winamp - and any exploit it loads, as far as the
> operating system is concerned, _is_ you.
>
> It can start another program, it can inject itself into another program
> you're already running, or it can combine the two.
>
> > A good Firewall (like Kerio) should be able to prevent this from
> > happening.
>
> No, no it won't. Again, if you've told Kerio, or whatever, to allow _any_
> program to access the outside world, that program can be compromised by code
> you've run under any other program. So, your Winamp exploit can infect your
> Internet Explorer in memory (not on disk, unless you have rights to that),
> and pretend to be Internet Explorer in order to download its exploit - or,
> quite honestly, it can simply start up IE to fetch the rest of its code.
>
> But why would it need to do even that?
>
> How big are the media files you're "sharing"? Way bigger than most damaging
> code I could imagine. If you're downloading a video, or anything more than a
> few seconds of sound, you won't notice the increase in size that you get by
> adding some kind of malware.
>
> >>
> >> Oh. No, wait, actually it has. Several times.
> >>
> >> This is why the trend lately is to attack applications, rather than
> >> operating systems - the operating system vendors are getting much better
> >> at tracking and fixing problems, but many application vendors still have
> >> their heads in the sand - and so do many users.
> > [snip]
> > I understand your sentiment. Clearly, you support Microsoft, and that's
> > fine. I don't agree with that sentiment, but everyone is entitled to
> > their own opinion.
>
> A => Z. Welcome to today's edition of "Jumping to Conclusions".
>
> >> In the abstract sense, there is no dividing line between code and data -
> >> data tells code where to go, and so acts as pseudo-code, in many cases.
> > Again, requires Internet access to download the trojan. Media itself
> > cannot contain the final executable code that infests a system with
> > malware, all it can do is exploit vulnerabilities that allow the said
> > malware to be installed.
>
> If you believe that, you've got a long way to go. There really is no other
> way to say it, but to note that you are completely wrong in that assertion.
> Media itself can quite comfortably contain the exploit and whatever code is
> going to execute after the exploit has taken over control of your system.
>
> >>> Also, more than likely, the P2P proggie you used had its own malware
> >>> (like Navaccel or something like that).
> >>
> >> Don't make the mistake of assuming that I'm talking about my own
> >> experiences with P2P - I've simply seen too many machines infected where
> >> the source of infection is traced to an overactive P2P exchanger.
> > Which is why if someone is going to use P2P, they should be advised (as
> > I'm trying to do) on how to use it safely. I'm not condoning such action,
> > but it's kind of analogous to making sure your teenager has protection, you
> > don't want them to have to use it until they've matured, but they do, then
> > it'll be there for them.
>
> Best protection against catching malware from P2P is a membership at
> Blockbuster, or a Netflix subscription.
>
> Get your movies, and your tunes, from reputable sources who have a little
> skin in the game should you get infected through them.
>
> >>> Finally, some P2P proggies (such as Bittorrent) can be used safely (like
> >>> for downloading Linux distros), since even though you're downloading
> >>> from other computers, the tracker is administered by the Linux
> >>> Distribution and, to my knowledge, it's not possible yet to alter a file
> >>> or set of files once the tracker has already been posted without posting
> >>> a new torrent tracker.
> >>
> >> I'm glad you put me at ease there - after all, the main Linux distros
> >> have never been altered maliciously by hackers.
> >>
> >> Oh, wait, they have, haven't they.
> >> http://www.linuxinsider.com/story/32240.html
> >
> > What's this got to do with altering a bittorrent stream? The results
> > would have been the same whether bittorrent was used to download the distro
> > or if it was downloaded from the server. In fact, in this case, the
> > bittorrent tracker probably would have been the safer bet, since it was
> > the server (and not the torrent) that was hacked.
>
> The point is that you can only trust checksummed streams as much as you can
> trust the person who created the file and the checksum in the first place.
> Since most "sharing" of illegally copied material is done by people who
> would like to remain anonymous, you're relying on trusting someone whom you
> can't identify, and whose reputation (and reason for maintaining that
> reputation) is unverifiable.
>
> >> Cleaning a virus or trojan infection is only going to be effective if you
> >> can plug whatever hole they got in through - whether it's a hole in your
> >> behaviour, or in your apps, or in your OS. Even flattening and restoring
> >> just means that the attacker gets another chance to try the same thing at
> >> you, but this time on a system that's less cluttered with the debris of
> >> other previous attacks.
> >
> > Agreed with you here. So, with that, I hope that if the OP ultimately
> > decides to continue P2P, that he/she does so safely.
>
> That requires only loading files with hashes generated by trusted
> authorities. ("Authority" here means anyone with the right to say what is,
> or isn't, a valid copy of a file.)
>
> Downloading stolen movies and songs is not going to be safe. Not ever.
>
> Alun.
> ~~~~
Let's not assume the malware came through P2P. This stuff is all over
the Internet.
Raffi
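Alun's point that a checksum is only as trustworthy as whoever published it (and the hacked-server story behind the linuxinsider link) can be shown concretely. The following is an added example, not code from anyone in this thread; the ISO bytes, mirror contents and SHA256SUMS layout are constructed for illustration.

```python
import hashlib
from typing import Dict

# Constructed sample data: an honest image and a copy with something appended.
HONEST_ISO = b"genuine-linux-distro-image-bytes"
TAMPERED_ISO = b"genuine-linux-distro-image-bytes+injected-payload"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_checksum_file(files: Dict[str, bytes]) -> str:
    # Same layout as a typical SHA256SUMS file: "<hex>  <name>" per line.
    return "".join(f"{sha256_hex(d)}  {n}\n" for n, d in files.items())


def parse_checksum_file(text: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(maxsplit=1)
        out[name.strip()] = digest.lower()
    return out


def verify(name: str, data: bytes, checksum_text: str) -> bool:
    # True only if the list names the file and its digest matches the bytes.
    expected = parse_checksum_file(checksum_text).get(name)
    return expected is not None and expected == sha256_hex(data)


# The checksum list as published by the distribution itself (trusted authority).
PUBLISHER_SUMS = make_checksum_file({"distro.iso": HONEST_ISO})

# A mirror whose server was compromised: the attacker replaced the ISO and
# regenerated the SHA256SUMS served next to it, so the two agree with each other.
COMPROMISED_MIRROR = {
    "distro.iso": TAMPERED_ISO,
    "SHA256SUMS": make_checksum_file({"distro.iso": TAMPERED_ISO}),
}


def check_against_same_mirror() -> bool:
    # Checksum fetched from the same server as the file: passes despite tampering,
    # because whoever altered the file also wrote the checksum.
    return verify("distro.iso", COMPROMISED_MIRROR["distro.iso"],
                  COMPROMISED_MIRROR["SHA256SUMS"])


def check_against_publisher() -> bool:
    # Checksum obtained out of band from the authority: the tampered file fails.
    return verify("distro.iso", COMPROMISED_MIRROR["distro.iso"], PUBLISHER_SUMS)
```

The two checks show the same file passing or failing depending only on where the checksum came from, which is exactly the trust question the thread is arguing about.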