Larry Osterman's WebLog

Confessions of an Old Fogey
Blog - Title

Beware of the dancing bunnies.

Beware of the dancing bunnies.

  • Comments 57

I saw a post the other day (I'm not sure where, otherwise I'd cite it) that proclaimed that a properly designed system didn't need any anti-virus or anti-spyware software.

Forgive me, but this comment is about as intellegent as "I can see a worldwide market for 10 computers" or "no properly written program should require more than 128K of RAM" or "no properly designed computer should require a fan".

The reason for this is buried in the subject of this post, it's what I (and others) like to call the "dancing bunnies" problem.

What's the dancing bunnies problem?

It's a description of what happens when a user receives an email message that says "click here to see the dancing bunnies".

The user wants to see the dancing bunnies, so they click there.  It doesn't matter how much you try to disuade them, if they want to see the dancing bunnies, then by gum, they're going to see the dancing bunnies.  It doesn't matter how many technical hurdles you put in their way, if they stop the user from seeing the dancing bunny, then they're going to go and see the dancing bunny.

There are lots of techniques for mitigating the dancing bunny problem.  There's strict privilege separation - users don't have access to any locations that can harm them.  You can prevent users from downloading programs.  You can make the user invoke magic commands to make code executable (chmod +e dancingbunnies).  You can force the user to input a password when they want to access resources.  You can block programs at the firewall.  You can turn off scripting.  You can do lots, and lots of things.

However, at the end of the day, the user still wants to see the dancing bunny, and they'll do whatever's necessary to bypass your carefully constructed barriers in order to see the bunny

We know that user's will do whatever's necessary.  How do we know that?  Well, because at least one virus (one of the Beagle derivatives) propogated via a password encrypted .zip file.  In order to see the contents, the user had to open the zip file and type in the password that was contained in the email.  Users were more than happy to do that, even after years of education, and dozens of technological hurdles.

All because they wanted to see the dancing bunny.

The reason for a platform needing anti-virus and anti-spyware software is that it forms a final line of defense against the dancing bunny problem - at their heart, anti-virus software is software that scans every executable before it's loaded and prevents it from running if it looks like it contain a virus.

As long as the user can run code or scripts, then viruses will exist, and anti-virus software will need to exist to protect users from them.


  • So where can I see the dancing bunnies?
  • I don't know where you can see dancing bunnies, but I know where you can go to see squirrel fishing:

  • Larry, I don't completely disagree with your assertions, but I don't completely agree either.

    From an information security perspective, antivirus is REACTIVE in nature to an existing KNOWN threat in which a signature has been built. Antivirus is a poor substitution for security best practices that can significantly reduce and mitigate risks to UNKNOWN attack vectors. AV definitely plays a part in a defense in depth posture, but if an attacker wants to make dancing bunnies do the mambo on a victim's host, they are going to continue to find ways to do so while we rely on reactive technical safeguards like antivirus and antispyware.

    And as you point out, education isn't going to solve it entirely either. The weakest link in security is the human factor, and if someone wants to watch a bunnie dance... they will figure a way to do so.

    So what IS the right answer? Wish it were cut and dry. Least privilege can play a part here. As could virtualization and application containment. However, in the end a well designed mandatory access control system COULD indeed make for a safer computing environment that wouldn't need antivirus or antispyware. Unfortunately, the desktop landscape is not willing to be confined in such a manner. Hopefully the changing security landscape being introduced through things like LUA and application containment in Longhorn will be able to assist us here. We will have to wait and see.
  • I remember reading that comment, too. I think it was on (surprise, surprise) slashdot, in response to that article about the Channel9 interview with Steve Ballmer.
  • Dancing bunnies, huh. 300% scale wooden horses, huh. A jedi seeks not these things. A properly designed system includes a user who sees right through the dancing bunny, recognizes the Greek warriors inside, and deletes the email from the server without even downloading it.

    Unfortunately, such a user is rarely seen using a modern consumer OS.
  • Will people be able to see dancing bunnies on dumb terminals where only programs chosen by the admins are allowed to run(by registry settings)?
  • So....a properly design system AND a properly designed user? :-)

    Personally, I don't have any anti-anything software on my laptop. Hardware firewalls, text-only mail interface and I run with LUA. So far, so good...

    I don't want no steenking dancing bunnies!
  • Back in the days where no embedding scripting is there the only way to be infected is by running the executables. (I know there's more kinds of infection strategies nowadays, but this remain the most commonly seen "technique".)

    It makes me think that "lack of automation" can sooner or later be advertised as software "feature" as well. :)
  • although I agree that there will always be a need for tools to clean up after a system compromise, the need would be greatly mitigated by use of a capability based security model in addition to an accessibilty model. Perhaps this is what is meant by a properly designed system.
  • skaro:~ james$ touch dancingbunnies
    skaro:~ james$ chmod +e dancingbunnies
    chmod: Invalid file mode: +e
    skaro:~ james$ ./dancingbunnies
    -bash: ./dancingbunnies: Permission denied

    Behold OSX's superior dancingbunnies protection ;)

    Oh, and 'Secrets & Lies' is a fantastic book. Regardless of whether one agrees with the author or not, it should be read by anyone doing any security-related work in I.T.
  • Anonymous: Ok, that's it - dancing pigs... This is what happens when you post late at night...

    Dana, you may very well be right. There are some interesting things being done in this space, however :).

    I also forgot to mention that separation and sandboxing DO work on servers - because administrators are less likely to fall prey to the dancing pigs problem.

    I'm going to keep the post as bunnies even though it's the wrong term of art.

  • So won't the user just disable the anti-virus software to see the dancing bunnies? It seems like just one more technical hurdle.
  • If the operative word is NEED, then I would disagree with you Larry. "a properly designed system didn't NEED any anti-virus or anti-spyware software". Like the other person pointed out, the anti-virus software is just another technical hurdle for the person who wants to see the bunnies. But the issue should be, if I am a responsible user, I should not HAVE TO get anti-virus and anti-spyware software. In that case I completely agree with the statement you find laughable.
  • I think you are mixing up the concept of a "virus" and just a malicious executable. Is your anti-virus program going to scan for _any_ malicious program? Is it going to detect somehow the difference of bunnies.exe erasing a temp file versus erasing an imortant word document? Will it monitor all COM calls to make sure it isn't subtlely communicating with other processes and doing sly things?

    Any well written malicious program will be able to change and mutate, and having a virus-checker isn't going to help much.

    And in any case, I've known people who have had, say, MS Powerpoint or Word do more damage to their files by crashing at inopportune times than any virus has ever harmed them. Should MS Office be flagged as malicious software by anti-virus software?

    Anti-virus and anti-spyware software can be used as a last resort to try to cover-up for a poorly designed OS.. but it should be that, a last resort. The fact that it is needed at all speaks volumes about the quality of the Microsoft operating environment.
Page 1 of 4 (57 items) 1234