Editor 31-May-06 -
Microsoft on Spyware - Give Up
"Nuke the system from orbit"

I spend a huge amount of time now removing adware, spyware, worms and viruses from Windows computers, time that's 100% unproductive and very expensive to the clients. Unfortunately, their computers have become impossible to use without clean-up. Every month these clean-up projects become more difficult as infections become more sophisticated.

The Los Angeles Times had an article a few months ago about people who have had to give up using the Internet because they just can't afford it. Computer stores are charging $300 to $350 for clean-up, and destroy the client's valuable data in the bargain.

While I seldom charge that much and have yet to lose any data, it's still a royal pain for everyone. I will have their computer for more than a day and often all the major programs have to be reinstalled.

Tragically, the clean-up won't last. If kids under 24 have access to the computer it'll be reinfected in about 10 minutes. For a careful adult who's just paid a big clean-up bill it can take hours.

Recent surveys have shown an infection rate of well over 80% for business computers with Internet access. I'd say the infection rate for Internet-connected home computers is about 100%.

What can be done to alleviate this problem? Microsoft says "Nothing". Mike Danseglio, a manager in Microsoft's security group (who suggested "Nuke the system from orbit"), advised businesses to create a scheme where each PC is imaged to, and all data is saved on, servers, so the PC can just be wiped out and reinstalled easily. This solution is not practical for most home and small business users.

Why do we have this problem?

  • The security design of Windows is horrid and impossible to fix even if Microsoft wanted to fix it which they don't really want to do. They made Windows insecure and "tightly integrated" for their own purposes.
  • There's big money in infecting your computer with spyware and adware, from forcing you to click on sites that pay the perpetrator money or from selling information gathered to marketing companies.
  • There's big money in planting spyware on your computer that steals your credit card and bank account information and passwords into sites you visit.
  • There's big money in turning your machine into a zombie under outside control to launch mass email (spam) campaigns.
  • There's big money in turning your machine into a zombie for use in criminal extortion. "I've got 243,000 zombies at my command so pay me $50,000 or I'll launch a DoS (Denial of Service) attack that will put you out of business".
With all this money involved, those who wish to infect your computers can afford highly skilled programmers to create newer and more difficult to remove infections.

Why can't firewalls stop this activity? Because it originates from inside the firewall and looks like legitimate activity to the firewall. While software firewalls can detect and stop some inside activity, they're running on the infected machine and so can be subverted, and they interfere with business networks.

Why can't antivirus and anti-spyware software simply remove this stuff? "Anti" programs are running on the infected machine and can be subverted. Further, "root kits" are being used to hide the infections so that Windows, and programs running on Windows, can't detect them. Infections use multiple watchers: when one copy is removed, a replacement is instantly started, and this now happens even in "Safe Mode". When a removal program makes changes in the Windows registry, the changes are seen and immediately "fixed" by the watchers.
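The watcher behaviour described above leaves a recognizable trace: a killed process that comes straight back, or a deleted autorun entry that is rewritten seconds later. The following is an added example, not code from this column, that flags those patterns in a constructed event log; the process names, the 5-second window and the event format are assumptions made for the example.

```python
# Added example: spot "watcher" behaviour (instant restarts and registry
# reverts) in a simple process/registry event log. Not from the original
# column; event format and names are constructed for illustration.

# Each event is (time_in_seconds, kind, name). Kinds used here:
#   start/stop   - a process was launched / terminated
#   regset/regdel - a registry value was written / deleted
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchst32"
SAMPLE_EVENTS = [  # constructed sample data, not a real capture
    (0.0, "start", "svchst32.exe"),      # hypothetical infection copy A
    (0.2, "start", "wupdmgr32.exe"),     # hypothetical infection copy B
    (0.5, "start", "notepad.exe"),
    (30.0, "stop", "notepad.exe"),       # user closed it; nothing restarts it
    (60.0, "stop", "svchst32.exe"),      # removal tool kills copy A
    (60.4, "start", "svchst32.exe"),     # copy B relaunches it at once
    (61.0, "regdel", RUN_KEY),           # removal tool deletes the autorun entry
    (61.3, "regset", RUN_KEY),           # watcher rewrites it immediately
    (90.0, "stop", "wupdmgr32.exe"),
    (120.0, "start", "wupdmgr32.exe"),   # 30 s later: outside the window
]

WINDOW_SECONDS = 5.0  # assumed threshold for "instantly" undone


def find_watcher_patterns(events, window=WINDOW_SECONDS):
    """Return (restarted_processes, reverted_registry_keys).

    A process is 'restarted' if a start for the same name follows its stop
    within `window` seconds; a key is 'reverted' if a regset for the same
    key follows its regdel within `window` seconds.
    """
    events = sorted(events, key=lambda e: e[0])
    undo_of = {"stop": "start", "regdel": "regset"}
    restarted, reverted = set(), set()
    for i, (t, kind, name) in enumerate(events):
        if kind not in undo_of:
            continue
        for t2, kind2, name2 in events[i + 1:]:
            if t2 - t > window:
                break  # later events are too far away to count as "instant"
            if kind2 == undo_of[kind] and name2 == name:
                (restarted if kind == "stop" else reverted).add(name)
                break
    return sorted(restarted), sorted(reverted)


if __name__ == "__main__":
    procs, keys = find_watcher_patterns(SAMPLE_EVENTS)
    print("processes restarted within window:", procs)
    print("registry keys reverted within window:", keys)
```

Real process-creation and registry auditing (for example from Sysmon or the Windows security log) would replace the constructed list; the matching logic stays the same.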

How does it happen? Generally the infection comes either in an email or from a Web site you visit (the owner of the site may not even be aware an infector has been planted on his site). The infection generally exploits an unpatched flaw in Windows or a program running on Windows (most often Internet Explorer but other programs as well).

To protect your computer from these flaws you must keep up to date with your Microsoft patches, which are usually placed on Microsoft Update on the 11th of each month (there may be delays due to an agreement with Homeland Security). Unfortunately, a brand new Windows XP SP2 computer needs to download and install at least 40 patches, and in actual tests computers were often infected before all those patches could be downloaded.

Another thing you can do is to use Firefox instead of Internet Explorer. It's not entirely foolproof, because some parts of Internet Explorer are still active and, of course, it is still running on Windows, but it's a lot safer. Unfortunately, to get your Microsoft Updates you have to use Internet Explorer and have it set as your default browser.

The real cure is to dump Windows and install Linux, or get Apples. Very few of you are currently willing to do that and many simply can't because specialized software you depend on locks you into Windows.

How do we cope in our office? Simple: we use PMMail for email and Firefox for our Web browser, running on the OS/2 operating system, giving total immunity. We have only one Windows computer, used for customer support and odd jobs, and it's rarely used on the Internet.

I see a time, pretty soon now, when many businesses will have Linux computers for Internet access and no Internet access at all on their Windows computers.

- Andrew Grygus

©Andrew Grygus - Automation Access - www.aaxnet.com - aax@aaxnet.com
All trademarks and trade names are recognized as property of their respective owners