Posted by air7 1 day ago
Most of the information about Windows malware I get from big computer security companies' research blogs, like:
https://www.trendmicro.com/en_us/research.html
https://www.proofpoint.com/us/blog
https://research.checkpoint.com/
https://blog.talosintelligence.com/
https://www.welivesecurity.com/en/
Microsoft also has a good security research blog: https://www.microsoft.com/en-us/security/blog/
The majority of the research comes down to researching malware's capabilities regarding persistence, anti-VM techniques and anti-debugging techniques.
Here, for example, is a good compilation of malware's anti-debugging and anti-VM techniques:
'Just' hardening the system is not easy.
But installing something like a vmware guest driver is easy, as even a non-technical user can do it following some basic instructions.
Immutable snapshots/offline backups help with those.
Or there is a service running in the context of a service user domain account. Or the password of the local administrator account is identical on all systems, which was very common before LAPS became a thing.
Yes, if you do everything perfectly and always go by best practices, none of this should be relevant, but most people aren't doing everything perfectly all of the time.
To access any of these things, you need local admin permissions. Then you can reuse them to log on to other systems.
Zero days account for a very small amount of exploitation in comparison and by definition are unpatched, so I think the commenter was right to point out the basics.
What? This is an entirely separate concern. If you have a Russian input method installed, malware will terminate to avoid legal repercussions.
I wonder how that works in this era of AI translation.
Not quite the same but I remember there was a Russian shareware author who gave free licenses to Russians.
Simple translation isn’t enough to show cultural proximity. Patterns of speech are different. You can try to use AI to do the entire conversation, but e.g. Claude will refuse to give you exact phrases, since he is correctly assuming it is a social engineering attack.
Popular combinations for texts:
"Прив! Чё как?" - "Hi! How's it going?"
"Дарова, живой?" - "Hey, you alive?"
"Салют! Как сам?" - "Hey! How are you?"
Modern slang (especially among younger people):
"Хай" (Khay) - borrowed from English "hi"
"Йоу" (You) - borrowed from English "yo"
When asked which one it would pick, it goes with "Дарова, как сам?" (Darova, kak sam?) and that already sounds odd in many contexts... unless they still get a whiff you might be an impostor and ask, say, something about school. Good luck getting an LLM to answer in a believable way.
Reminds me of these domain name brokers who get a percentage of the sale amount from you, for their role in "negotiating the best price"
They will ask you to repeat yourself in Albanian if they have any doubts.
How would having one Russian in a company protect them from ransomware? There's no way to make that occurrence detectable to the malware.
Or, for that matter, why would ransomware care about the father of the computer owner?
I don't think there is some special immunity.
However, sometimes foreigners can cause problems. Recently several cyber specialists were convicted after an investigation initiated after a complaint from Joe Biden.
But those weren't as sophisticated, I suppose. They didn't encrypt files. They only displayed an uncloseable window demanding a payment. Sometimes with hilarious phrasing like "thank you for installing this quick access widget for our adult website".
Please don't attack Bulgarians :)
You also need to create a separate account (can just be a local account) that is a full administrator. Make sure you use a different password.
Any time you need to install something or run PowerShell/CMD as admin it will pop up and ask for the separate login of the admin account. This is basically the default of how Linux works (sudo). It's also how any competent professional IT department will run Windows.
If an admin elevation popup happens when you haven't triggered it then you probably know something is wrong. And most malware will not be able to install.
Another benefit is that you can use a relatively normal (but obviously not too short) password for your regular account and then have something much more complicated for the admin login. This is especially great on something like "Grandma's PC" or anyone who is at higher risk of clicking on the wrong thing.
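As an added example (not code from the thread or from any commenter), here is how the setup described above, a daily-driver standard account plus a separate local administrator account that UAC prompts for, can be scripted on Windows 10/11. The account names `daily` and `localadmin` are placeholders, and the script assumes an elevated PowerShell session on a machine that uses local (not domain) accounts.

```powershell
# Added example, not from the thread. Account names are placeholders.
# Run from an elevated PowerShell on a machine using local accounts.

$dailyUser = 'daily'        # the everyday, non-admin account (placeholder)
$adminUser = 'localadmin'   # the separate, elevation-only account (placeholder)

# 1. Create the admin account. The password is typed in, not stored in the script,
#    and should differ from the everyday account's password.
if (-not (Get-LocalUser -Name $adminUser -ErrorAction SilentlyContinue)) {
    $adminPassword = Read-Host -AsSecureString "Password for $adminUser"
    New-LocalUser -Name $adminUser -Password $adminPassword -PasswordNeverExpires `
        -Description 'Elevation-only administrator account' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $adminUser
}

# 2. Demote the everyday account: drop it from Administrators (it stays in Users).
#    Keep this elevated session open until you have confirmed $adminUser can log on.
if (Get-LocalGroupMember -Group 'Administrators' -Member $dailyUser -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $dailyUser
}

# 3. UAC behaviour for standard users. ConsentPromptBehaviorUser:
#    0 = deny elevation silently, 1 = prompt for credentials on the secure desktop,
#    3 = prompt for credentials on the normal desktop (the default).
#    1 gives the sudo-like credential prompt the post describes; the secure desktop
#    keeps user-level code from drawing over or faking the prompt.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uacKey -Name 'EnableLUA'                 -Value 1 -Type DWord
Set-ItemProperty -Path $uacKey -Name 'ConsentPromptBehaviorUser' -Value 1 -Type DWord
Set-ItemProperty -Path $uacKey -Name 'PromptOnSecureDesktop'     -Value 1 -Type DWord

# 4. Verify: only the elevation account (and the built-in Administrator) should remain.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

A change to `EnableLUA` only takes effect after a reboot, so check step 4 before rebooting and log on once as the elevation account afterwards; if that logon fails you still have the everyday account, but no longer an administrator, which is why the demotion in step 2 is best done last.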
Malware can still do a lot without "installation". Running as an unprivileged user, it can still do anything to/with the filesystem that the user would be able to do, and will (on most normal setups) be able to make outbound Internet connections without limitation. In short, these kinds of privileges don't protect against data exfiltration, ransomware operating on the user's important data files, simple vandalism....
I would argue most malware comes down to uneducated users doing the wrong thing - but that's a whole different can of worms :-)
This feels unnecessarily harsh. Those users are the victims of criminal activity. The protective controls could be a lot better.
Windows doesn't offer immutable local file versions to protect against ransomware running as a non-privileged user. It doesn't offer any protection if a single application suddenly starts to overwrite huge amounts of data.
Instead they choose to try and shove OneDrive down our throats as the only answer to ransomware protection.
That just shows that security training is insufficient and admins need to design their systems and networks to account for that fact. Clicking links is part of everybody's job and should not pose a risk to your organization. Enable 2FA for everything exposed to the internet to mitigate phished credentials.
Stop trying to fix the user: https://www.schneier.com/wp-content/uploads/2016/09/Stop-Try...
Having said that, two things worth considering in my case:
1. My laptop is relatively old and, I think, overdue for replacement (8GB RAM, really?)
2. Windows Defender + Airlock + CrowdStrike + Netskope + Nessus seems an expectedly heavy load on a system
"Contrary to what I've said" while you add in an extra third party product that I didn't mention.
Difficult to be effective when it's disabled by default.
>Also restore points?
By using System Restore, you can undo these changes without affecting your personal files
https://support.microsoft.com/en-au/windows/system-restore-a...
Thus System
> Difficult to be effective when it's disabled by default
The initial goalpost was lack of any protection / no alternatives to onedrive
What other "restore point" functionality does Windows offer by default?
> The initial goalpost was lack of any protection / no alternatives to onedrive
The context was "uneducated users"; they're unlikely to know they could enable controlled access.
They're further unlikely to be able to handle the application problems it introduces, such as games having problems saving their state, which is why it's disabled by default.
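Controlled Folder Access, the Defender feature this exchange is about, can be switched on in audit mode first, so the game-save breakage mentioned above shows up in the event log before anything is actually blocked. The script below is an added example and not part of the thread; the folder `D:\Projects` and the game executable path are placeholders, and it assumes an elevated session on a machine where Microsoft Defender Antivirus is the active engine (the cmdlets do nothing useful once a third-party AV has taken over).

```powershell
# Added example, not from the thread. Requires elevated PowerShell and Microsoft
# Defender Antivirus as the active engine. Folder and executable paths are placeholders.

# Current state as a number: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode,
# 3 = BlockDiskModificationOnly, 4 = AuditDiskModificationOnly.
(Get-MpPreference).EnableControlledFolderAccess

# Step 1: audit only. Nothing is blocked yet; would-be blocks are logged as event 1124.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# The default protected folders are the profile libraries (Documents, Pictures, ...).
# Add any other location whose contents you would not want encrypted.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'   # placeholder

# Step 2: after a few days of normal use, list what would have been blocked.
# 1124 = audited (would have blocked), 1123 = blocked (only once enforced).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# Step 3: allow the legitimate writers that showed up (a game's save process, a backup
# tool) by full path, then switch from audit to enforcement.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Games\SomeGame\SomeGame.exe'  # placeholder
Set-MpPreference -EnableControlledFolderAccess Enabled

# Confirm what is now in force.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

The audit events carry the process path and the target file, which is exactly the list of applications that need to be allowed (or replaced) before the setting goes to `Enabled`; anything that is not on that list and still writes into a protected folder once enforced is what the feature is there to stop.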
This method has saved me (my parents) more than a couple of times.
In the early 2000s up thru about 2012 I'd agree with you. Post-Vista malware adapted to UAC and now all malware works well as a normal user. Any data your normal user can access (local or on a remote CIFS server) is fair game for ransomware. Limiting administrator rights doesn't do anything to prevent the malware from getting at your data.
Persistence has moved to per-user, non-Administrator, too. Of course, all the various quasi-malicious customized versions of Chrome that end users inevitably install when they go searching for software to end-run their IT departments operate the same way.
I do think your daily driver Windows users shouldn't have administrator rights. It just isn't going to help much with malware.
I use physically separate boxes for my most sensitive activities (banking, mainly) but you could do nearly as well having separate non-admin Windows logons and compartmentalize your access to data you don't want ransomed. Isolation between different user accounts on Windows is actually fairly good. Just limit the common data the accounts can access.
Personally I've always wanted to use Qubes (and stop using physically separate machines) but I haven't taken the time to learn their contrivances.
Edit: I should have said "quasi-malicious customized versions of Chromium", not Chrome.
You can also run something like applocker and whitelist all the apps you use.
Also instead of separate physical boxes why not just use a VM ?
Users should be running limited user accounts for daily-driver Windows machines.
Having said that, today's attacks are all about the data. It's all about exfil/ransomware/blackmail because there's money to be had there. On an individual home user PC there's no lateral movement or bigger targets to attack.
I hate to invoke xkcd, but it's true: https://xkcd.com/1200/
> You can also run something like applocker and whitelist all the apps you use.
That's a bit overkill for a personal machine and it won't be licensed for AppLocker anyway.
AppLocker is also a gigantic pain-in-the-ass on corporate machines. My experience with configuring AppLocker for anything other than very task-specific computers is that it's a huge and unending ordeal of whitelisting, trying again, whitelisting more, trying again. Wash, rinse, get complaints from end users, repeat.
> Also instead of separate physical boxes why not just use a VM ?
Pragmatism. I have a bunch of extra low-spec laptops laying around. My machines are, for the most part, cast-off Customer garbage. I haven't actually spent money on a reasonable machine since about 2015. >smile<
>Pragmatism. I have a bunch of extra low-spec laptops laying around. My machines are, for the most part, cast-off Customer garbage. I haven't actually spent money on a reasonable machine since about 2015. >smile<
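The whitelisting loop described above (whitelist, try again, get complaints, repeat) is usually shortened by generating rules from what is already installed and running AppLocker in audit-only mode before enforcing anything. The following is an added example and not code from the thread; it assumes an elevated session on a Windows edition that enforces AppLocker, and the two paths under `$checkPaths` are placeholders.

```powershell
# Added example, not from the thread. Assumes elevated PowerShell on an edition
# that enforces AppLocker; the paths in $checkPaths are placeholders.

# 1. Build rules from executables already present in the standard install locations.
#    Publisher rules cover signed binaries; Hash rules catch the unsigned remainder.
$fileInfo = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe -ErrorAction SilentlyContinue
}
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -IgnoreMissingFileInformation

# 2. Audit only: AppLocker logs what it would have blocked (event 8003) without blocking.
foreach ($collection in $policy.RuleCollections) { $collection.EnforcementMode = 'AuditOnly' }

# The Application Identity service must be running for AppLocker to evaluate anything.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -PolicyObject $policy -Merge

# 3. Dry-run specific files against the policy before touching enforcement.
$checkPaths = @(
    "$env:ProgramFiles\SomeVendor\app.exe",          # placeholder: a normally installed app
    "$env:LOCALAPPDATA\SomeVendor\update.exe"        # placeholder: something running out of AppData
)
Test-AppLockerPolicy -PolicyObject $policy -Path $checkPaths -User Everyone -ErrorAction SilentlyContinue |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. After the audit period, review the would-be blocks (8003) and either turn them into
#    rules or leave them blocked, then set EnforcementMode to 'Enabled' and re-apply.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Two design points: the rules are generated from the install directories, not from user profiles, so anything that lives under AppData (the "shadow IT" pattern discussed elsewhere in the thread) is what the audit log surfaces, and `-Merge` adds to rather than replaces the existing local policy, so a second run with extra rules does not wipe the first.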
But you either need to set up a secure tunnel on each one, or lose access any time you are away from home.
Mostly isn't a problem for me. On the off chance I'd need the banking remotely I'd just take it with me. Mostly I don't do the sensitive stuff remotely and I rarely travel anymore.
Like I said in the parent post, I should be using Qubes. I'm just lazy.
"Wave Browser" is the common one that comes to mind immediately. I have several flagged in the "endpoint security" software I support, though.
The workflow is: (1) User wants some software functionality they don't have, (2) they search-engine using keywords like "convert Word to PDF", (3) they find a program that promises to do the thing they want, (4) they download it and click thru any warnings because they "want the thing", and (5) they end up with persistent per-user malware installed in their "AppData" folder.
This is really what any Electron-based app is. It's just Chromium running out of the AppData folder. There's a whole ecosystem of "shadow IT" software that installs out of the AppData folder, meant to end-run IT and central control, that functions great w/o Administrator rights.
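Since the persistence described in these comments lives entirely inside the user's own profile, a non-admin user can audit it without any elevation. The script below is an added example, not code from the thread; it reads the per-user Run keys, the Startup folder, scheduled tasks whose actions point into the profile, and unsigned executables under AppData, and changes nothing.

```powershell
# Added example, not from the thread. Read-only audit of the places a program can
# persist for one user without administrator rights. Nothing is modified or removed.

function Test-InUserProfile {
    # True when a command line or path points into this user's profile (AppData, LocalAppData, Temp).
    param([string]$Command)
    if (-not $Command) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).ToLowerInvariant()
    foreach ($root in @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)) {
        if ($expanded.Contains($root.ToLowerInvariant())) { return $true }
    }
    return $false
}

function Get-UserPersistence {
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($Source, $Name, $Command)
        $findings.Add([pscustomobject]@{
            Source = $Source; Name = $Name; Command = $Command; InProfile = (Test-InUserProfile $Command) })
    }

    # 1. HKCU Run / RunOnce: writable by the user, executed at every logon.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        if (Test-Path $key) {
            $values = Get-ItemProperty -Path $key
            foreach ($p in $values.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') { & $add $key $p.Name $p.Value }
            }
        }
    }

    # 2. The per-user Startup folder.
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
        & $add 'StartupFolder' $f.Name $f.FullName
    }

    # 3. Scheduled tasks whose actions run out of the profile (creating one needs no admin).
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                $cmd = "$($a.Execute) $($a.Arguments)".Trim()
                if (Test-InUserProfile $cmd) { & $add "Task:$($task.TaskPath)" $task.TaskName $cmd }
            }
        }
    }

    # 4. Unsigned executables sitting in AppData, where "shadow IT" installers land.
    $exes = Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Recurse -Depth 3 -Include *.exe -File -ErrorAction SilentlyContinue
    foreach ($exe in $exes) {
        if ((Get-AuthenticodeSignature -FilePath $exe.FullName).Status -ne 'Valid') {
            & $add 'UnsignedAppDataExe' $exe.Name $exe.FullName
        }
    }
    return $findings
}

Get-UserPersistence | Sort-Object InProfile -Descending | Format-Table -AutoSize
```

Run it as the everyday user rather than as an administrator, since that is the profile in question. Entries with `InProfile = True` are the ones to look at (who signed the binary, when it appeared, whether the user remembers installing it); legitimate Electron apps and updaters show up here too, which is the point the comment above makes: the location alone does not separate them from malware.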
https://download-chromium.appspot.com/
It's linked from the main chromium site:
https://www.chromium.org/getting-involved/download-chromium/
Daily driver as limited user should be the Windows default even if it makes usability more confusing.
Nevertheless, when you are on any machine as an intruder and have normal user rights, you can still actively search the machine and network for admin accounts and steal sessions. The ultimate goal is to gain Domain Admin rights.
Besides that, it is not necessary to have admin rights to delete and encrypt data or to run and hide software.
There are also many ways, besides stealing sessions, to gain admin rights, such as through unpatched software, inappropriate user rights, zero-day exploits, and social engineering.
A common way to get users to install malware or ransomware is to bundle it with useful software that the user wants to install.
See also
https://www.sentinelone.com/blog/macos-notlockbit-evolving-r...
and
https://blog.sekoia.io/helldown-ransomware-an-overview-of-th...
However, the feature and culture of software distribution very much make it safer. The overwhelming majority of malware gets distributed over ads from websites or search results. The package managers prominently used by all Linux distros remove that attack vector or at the very least minimize it.
Ofc it does not prevent somebody from still executing random binaries from the internet if they really want to, nothing does.
It feels bad to post a link-only response but I really don't have anything to add to it. On a system used by multiple persons, sure, you help prevent a compromise of your sister's account from immediately impacting mom's and dad's accounts, but that qualification isn't in the comment and probably most computers that HN readers use are single user. Or on a server, dropping privileges speaks for itself. But if you're on a desktop and you do online banking in your browser and also open email attachments on that computer... Not being admin would only help clean up the situation without needing to make a live boot (namely, you could theoretically trust the admin user and switch to that) but this isn't recommended practice anyway if you're not a malware specialist and can make sure it is fully gone. I cannot think of any situation where a single user desktop system benefits from admin privilege separation.
So basically, what the comic conveys
> The best anti malware
Not being admin doesn't prevent malware from running and gaining persistence within your user account...
Stealer frameworks and dropper frameworks have implemented a lot of bypasses. From using other installed programs (lolbins / gtfobins etc) to using embedded scripting engines to do their bidding up until just reusing signed and installed default drivers to execute their payloads. A lot of drivers have sideloading and execution capabilities due to how the $igning process in Microsoft is constructed.
Additionally, nobody needs "root" access to do anything these days; this is just a plain wrong assumption. Most malware will go for your browser profiles, which are readable by your user (duh), so a separate privilege escalation exploit avoiding the user account won't help you there either.
It's much better to sandbox your applications as well as possible. Even just using firejail profiles will go a long way, especially in regards to Electron apps or apps that have remote update and plugin installation capabilities (e.g. Discord, Slack and the like).
Please, drop some malware binaries through ghidra or other tools before you give advice like this. You might be part of survivor's bias without realizing it.
That's not to say there's no value. It's a case of security by obscurity, at best. The Unix security model is much more simplistic than Windows NT. Everybody disables SELinux so there's no meaningful capabilities functionality.
Assuming you actually do run malware, all your user account's data on a Linux machine ends up being just as vulnerable to exfil or ransom as if you're running Windows as a limited user.
That implies you are probably using a RH jobbie. With no working whatsoever, I assert that many more Linux desktops will be rocking AppArmor or no kernel security module.
Oh and no I don't disable SELinux, except as a quick check to see if that is what is causing issues. Obviously I'm not everyone, but I am someone.
On the Linux application hosting front the majority of vendor-supported garbage I have the displeasure of supporting that runs outside of Docker disables SELinux as a matter of course.
Advice advocating disabling selinux is very similar to SFC /SCANNOW or "turn off your anti virus". As soon as you see advice like that you do have to wonder at the motive.
A quick broad-brush approach to troubleshooting is fine and could be considered the first stage before a binary search is used to get to the real problem. So you make things safe first and then you switch off something like selinux. Does that work? If yes, then you switch it back on and then do your search within selinux and perhaps bother with reading logs.
You obviously have to support a lot of cough enterprise ... RH based stuff or perhaps Oracle's sufferings.
If you can, call someone's bluff: Insist on a standard. PCI DSS is involved as soon as a payment card is involved - that will soon sort things out. In the UK, we have Cyber Essentials and the plus form. Non UK Europe also has similar standards. The US will have Freedom versions of any standards and the rest of the world will have theirs.
Go in with standards if you can. As soon as you permanently switch off a security mechanism you have failed (yourself and your customer).
Good luck mate.
Windows is good for work though because if it starts updating during the work day, or breaks, you can do nothing and still get paid. And if it leaks your company data, it is not your problem either.
You can even log in with Steam and get the summary for your exact library, for anyone curious.
curl example.com/easyscript.sh | sudo bash
Decided it was a risk to just be typing the admin password whenever a random popup asked me to, so disabled all snap automatic updates.
...where namespaces provide excellent technology for hiding malware, making Linux one of the best platforms to turn into an evil host.
That ended up being the last straw in a long line of complaints with data privacy and things being forced on me in Windows. Somehow that stupid Bing toolbar would constantly re-enable itself and re-appear on my desktop after every update despite being disabled everywhere I could find a setting for...
The easiest way to make an OS with ideal support on one platform is to only support Apple's hardware instead of the PC cosmos, so I will be interested if Asahi getting the relatively little resources it needs will gradually make it the least waste of time choice to use Linux on Apple hardware.
When you're making the transition from one operating system to another, there is going to be an investment of time. It doesn't matter whether you are moving from Windows to Linux or from Linux to Windows. When it comes to getting things done, each operating system is going to have its own strengths and weaknesses. Our attention is going to be drawn towards the weaknesses of what we are trying out because that is what we are going to spend the most time addressing. Our attention is going to drift away from the weaknesses of what we are familiar with since we have long since learned to circumvent or ignore them.
What I am suggesting is that I would spend as much time learning how to daily drive Windows as you would learning how to daily drive Linux. Unfortunately, I cannot draw upon quips like "Windows is only free if your time is worth nothing" since Windows is not free. I have a copy of Windows 11 Professional that cost significantly more than any given component of the computer it runs on.
Will try out Omarchy just for the fun of it - not that I expect it to become my daily driver.
But - depending on your needs - I think Linux can be on par (for me it is way better, longer battery life, better configuration, better tools, smoother workflows, but YMMV).
I find most things fine in Linux and I'm fairly comfortable with the terminal. However it's the 10% or so of things that are very cumbersome in Linux but instant in Windows/Mac that drive me away.
Example: There is no Google Drive client for Linux. Spend an hour dorking around in rclone and get it set up and working with bidirectional sync. The token still expires weekly and needs to be renewed. Yeah, I get a potential solution is "don't use Google Drive" but the little projects to get my current workflow functioning on Linux, or change my workflow to fit Linux's constraints, end up adding up into a bunch of wasted time.
I am horribly ineffective on Windows even if I am forced to use it. The only reason for me to use it is to play multiplayer games though, and it is the default install on new laptops before installing Linux. So Windows sucks because it does not have what I need, and I see no reasons to change my ways to Windows.
What? Google accounts have been a thing in Gnome for years. You have Google Drive access right in Nautilus.
I also hear good things about ZorinOS as it's built as a full fledged Windows alternative with built-in WINE to run native Windows apps in
You can play with them both at this link without having to install anything:
Much less than I needed to back when I mainly used Windows.
Sure, there's a learning curve. But Windows has a learning curve too, you just already climbed that hill.
On the other hand, the operating system is the means rather than the end to most people. If a person is transitioning from Windows to Linux, they will probably have a substantial number of new programs to learn in the process. That is going to factor into most people's impressions of the operating system as a whole.
One that I immediately can think of is increased support costs due to end users unintentionally changing their keyboard. The shortcuts to change keyboards are usually not too hard to accidentally hit, and most users (especially in the US) would be unfamiliar with what they did or how to change it back.
Also it is 100x more difficult to make a Russian pay for something, including a ransom. So attacking a fellow Russian is a high-risk, low-return move.
No, just using Linux doesn't make you safe.
How much intelligence has Stuxnet gathered?
In one investigation I worked, a threat actor in China socially engineered their way into getting an employee account at a US company created for them. They were so persuasive they also got their account inserted into the approval process as a manager for creating other new employee accounts (at a specific location) in the identity workflow. They did this only for the purpose of siphoning discounts that are available to employees, and they resold those, which resulted in about one million dollars of loss over a period of a couple of years.
https://www.fbi.gov/contact-us/field-offices/elpaso/news/fbi...
Seems like the safest would be standard Russian keyboard layout (or maybe just adding the reg keys mentioned)
Also makes me wonder if installing a specific Chinese keyboard could have the same effect (for Chinese-made ransomware, or maybe even North Korean). Or perhaps they do other checks?