Larry Osterman's WebLog

Confessions of an Old Fogey

Beware of the dancing bunnies.

I saw a post the other day (I'm not sure where, otherwise I'd cite it) that proclaimed that a properly designed system didn't need any anti-virus or anti-spyware software.

Forgive me, but this comment is about as intelligent as "I can see a worldwide market for 10 computers" or "no properly written program should require more than 128K of RAM" or "no properly designed computer should require a fan".

The reason for this is buried in the subject of this post: it's what I (and others) like to call the "dancing bunnies" problem.

What's the dancing bunnies problem?

It's a description of what happens when a user receives an email message that says "click here to see the dancing bunnies".

The user wants to see the dancing bunnies, so they click there.  It doesn't matter how much you try to dissuade them, if they want to see the dancing bunnies, then by gum, they're going to see the dancing bunnies.  It doesn't matter how many technical hurdles you put in their way, if they stop the user from seeing the dancing bunny, then they're going to go and see the dancing bunny.

There are lots of techniques for mitigating the dancing bunny problem.  There's strict privilege separation - users don't have access to any locations that can harm them.  You can prevent users from downloading programs.  You can make the user invoke magic commands to make code executable (chmod +e dancingbunnies).  You can force the user to input a password when they want to access resources.  You can block programs at the firewall.  You can turn off scripting.  You can do lots, and lots of things.

However, at the end of the day, the user still wants to see the dancing bunny, and they'll do whatever's necessary to bypass your carefully constructed barriers in order to see the bunny.

We know that users will do whatever's necessary.  How do we know that?  Well, because at least one virus (one of the Beagle derivatives) propagated via a password-encrypted .zip file.  In order to see the contents, the user had to open the zip file and type in the password that was contained in the email.  Users were more than happy to do that, even after years of education, and dozens of technological hurdles.

All because they wanted to see the dancing bunny.

The reason for a platform needing anti-virus and anti-spyware software is that it forms a final line of defense against the dancing bunny problem - at its heart, anti-virus software is software that scans every executable before it's loaded and prevents it from running if it looks like it contains a virus.

As long as the user can run code or scripts, then viruses will exist, and anti-virus software will need to exist to protect users from them.
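As an added illustration (not code from Larry's post), here is a mail-gateway check for the Beagle pattern described above: an attached .zip whose local file headers carry the encryption bit, paired with a body that hands the reader the password. The ZIP bytes, the lure text and the password regex are constructed assumptions, not samples from the real worm.

```python
import re
import struct
from email import message_from_string, policy
from email.message import EmailMessage

ZIP_LOCAL_SIG = b"PK\x03\x04"  # ZIP local file header signature
# Body phrases like "the password is 'showmethebunnies'" (assumed pattern)
PASSWORD_RE = re.compile(r"password\W+(?:is\W+)?['\"]?(\w+)", re.IGNORECASE)


def zip_is_password_protected(data: bytes) -> bool:
    """True if any local file header has bit 0 ('encrypted') set in its flag."""
    pos = 0
    while True:
        pos = data.find(ZIP_LOCAL_SIG, pos)
        if pos < 0 or len(data) < pos + 30:
            return False
        flag, = struct.unpack_from("<H", data, pos + 6)  # flag field at offset 6
        if flag & 0x0001:
            return True  # no decompression, no password needed to tell
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        pos += 30 + name_len + extra_len  # skip to the next header


def flag_beagle_style_mail(raw: str) -> dict:
    """Flag a mail carrying an encrypted .zip plus the password in its body."""
    msg = message_from_string(raw, policy=policy.default)
    body, encrypted_zip = "", False
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_maintype() == "text" and not name:
            body += part.get_payload(decode=True).decode("utf-8", "replace")
        elif name.endswith(".zip") or part.get_content_type() == "application/zip":
            encrypted_zip |= zip_is_password_protected(part.get_payload(decode=True))
    m = PASSWORD_RE.search(body)
    return {"encrypted_zip": encrypted_zip,
            "password_in_body": m.group(1) if m else None,
            "suspicious": bool(encrypted_zip and m)}


def build_sample_mail(protected: bool) -> str:
    """Constructed sample: one ZIP header (no real payload), bit 0 set or clear."""
    name = b"bunnies.exe"
    header = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_SIG, 20, int(protected),
                         0, 0, 0, 0, 0, 0, len(name), 0)
    msg = EmailMessage()
    msg["Subject"] = "dancing bunnies"
    msg.set_content("Click here to see the dancing bunnies! "
                    "The password is showmethebunnies")
    msg.add_attachment(header + name, maintype="application",
                       subtype="zip", filename="bunnies.zip")
    return msg.as_string()
```

The header check is cheap enough to run on every attachment at the gateway, and it needs neither the password nor a signature for the payload inside the archive.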


  • > Why should code being executed by the web browser (or a process spawned by
    > the web browser) such as in your example be allowed to write to the registry
    > or to the hard drive? If the user wants something to affect the state of
    > their computer then it's perfectly fine to get the user to do one step of extra work

    But that's actually the point. It doesn't matter if the browser executed the code directly, or whether the user's gone through 100 steps to get the code to execute: if you *can* go through (any number of) steps to execute code, then the possibility of malicious code will always be there.

    Now, obviously Anti-virus software is just another step (I mean after all, the email could say "to see the dancing bunnies, turn off your anti-virus, use the password 'showmethebunnies' to unzip the attachment, and run 'sucker.exe'" and you'd *still* get people infected.) But the point is that anti-virus software is not a sign of a badly-designed operating system. It's just another line of defense, another hurdle, that malicious software developers have to jump over.

    The problem is somewhat confounded by the number of legitimate software installers which tell you to "disable your anti-virus software" to install the product. All you're doing there is conditioning your users to disable their AV whenever they install something...
  • Ben Bryant,

    "You are avoiding the real issue which is that the OS network services and common applications like Outlook are the entry points for malicious things that get in despite normal responsible use."

    You're going to have to clarify that statement a bit more. What "normal responsible" use of Outlook causes a machine to get infected?

    You don't get infected with an e-mail virus unless you actually run the infected attachment. Outlook doesn't run it for you. You have to do that yourself.

    In fact, by default, Outlook will block most "dangerous" attachment types such as EXEs.
  • I've read all those posts suggesting that the solution to the malware problem is to add hurdles so the user cannot run the malware without confirming they want to in any number of ways. You've all absolutely missed the reason that antivirus software is a better solution than anything you've suggested.
    The "solutions" suggested here all pose hurdles to the user for legitimate use as well as when malware is involved. Those hurdles are likely to cause:
    a) first frustration
    b) second an automatic, undiscerning, mechanical response after the hurdle is seen a few times - eventually offering no protection at all
    Antivirus software is superior. It offers little interference during legitimate use. The user is more likely to be surprised and take notice of warnings when they occur. The warnings can be worded in a very strong way because they're only displayed when it is incredibly likely that malware is involved. The user is usually not presented with any way to bypass the protection because it is almost certain that malware is present.
  • > What's the dancing bunnies problem?
    > It's a description of what happens when a
    > user receives an email message that says
    > "click here to see the dancing bunnies".

    That is indeed a big problem. But an equally big problem is when a user receives an email message that tells Outlook Express "automatically click here without waiting for the user" and Outlook Express obeys. Or Internet Explorer, or whoever.

    Wednesday, July 13, 2005 1:43 PM by vince
    > And in any case, I've known people who have
    > had, say, MS Powerpoint or Word do more
    > damage to their files by crashing at
    > inopportune times than any virus has ever
    > harmed them.

    Yup. And even Windows 95 without crashing, and Windows 2000 during boot, and most likely Windows 2003 during boot but fortunately I caught that one just in time. Even a former employer who granted ownership of every Word document in the company to Ethan Fromme lost fewer files than that.

    Wednesday, July 13, 2005 8:31 PM by Amit Joshi
    > Here's a free version of a software product
    > for end users using Windows Desktops that
    > uses virtualization to solve end user
    > problem of dancing bunnies

    That page doesn't mention anything being free for end users, and they do demand (maybe not enforce, I didn't try it, but they do demand) a business e-mail address not a personal e-mail address.

    By the way, do you know if their product is really so effective that every Windows Update will be disabled? They seem to be promising that, but I don't have a chance to check.

    By the way, speaking of Windows Update, there's another reason why users have been trained to click for dancing bunnies.
  • [quoted]
    http://www.greenborder.com/downloads/tdThankyou.html
    [/quoted]

    I viewed the page with lynx and didn't find anything interesting. But the idea of disabling DEP troubles me. :P

    Good security related programs should be designed to work with (at least with those that do not offer the same functions) other security related software so as to add additional protection against attacks.

    What the web site suggests sounds to me analogous to being told by a stranger to go naked on a street. :)
  • Larry Osterman said:
    > Who said anything about the web browser? The user received an email that said: Save this java file on your hard disk and run it. When the security popup comes up, be sure to click "yes" or you won't see the bunny. On some machines, you'll need to disable the firewall, to do that, you do this.

    There has to become a point where the user realises that they are having to jump through too many hoops and what they are doing is wrong. Maybe I'm being too optimistic and there will be a day of carnage when someone spams these types of people saying "flicking the voltage level switch on the back of your computer will double its performance." Maybe evolution taking effect to remove these people from the computer equivalent of the gene pool?

    I still hold that any child processes of an internet application (web browser, email client, news reader, whatever) should be run with reduced privileges.
  • "There has to become a point where the user realises that they are having to jump through too many hoops and what they are doing is wrong"

    Not if every time they install anything they have to jump through those same hoops.

    This is why virus scanners work so well, they only put an obstacle in the way when something is wrong. This greatly increases the chances that the dialog will make the user stop and think. Combined with a general awareness that computer viruses exist and are a bad thing, it's a very effective technique.

    "I still hold that any child processes of an internet application (web browser, email client, news reader, whatever) should be run with reduced privileges."

    Where does that end though? The user will just be given instructions to save the file to disk and double click it (or whatever your favourite OS metaphor is.) If they think they want to run it, nothing is going to stop them trying. The only cure is to educate people not to want to run things and that's the hardest problem to solve.
  • I'm a security geek. I spend a lot of my time educating administrators and developers on the "dancing bunnies" problem: a bad guy will always execute arbitrary code on a box inside the enclave. Period, done, dot, no questions, always.

    I'm glad you get it.

    But what about the next step down that path, Larry? Consider the sysadmin of a large corporation, whose networks contain data sensitive enough to warrant an intelligent, determined attacker. Banks, credit card companies, governments, etc. There's no virus signature or spyware definition for his code. What is he to do?

    Yes - there are tons of technologies to help further harden the network and make the job more difficult. But the bottom line remains: some bad guy has a rootkit running on my network, I don't know about it, and there are no real tools to find it. Heaven help me if the user had admin access and the rootkit is taking active hiding measures vice the passive, plain-sight techniques popular with spyware.

    We need a serious culture change in the security technologies we provide to the sysadmins. Those guys have no chance, and once a bad guy has got his bunnies in the door, he's not coming out.

    J.J.

  • Never underestimate the ingenuity of complete fools.
  • "Consider the sysadmin of a large corporation, whose networks contain data sensitive enough to warrant an intelligent, determined attacker. Banks, credit card companies, governments, etc. There's no virus signature or spyware definition for his code. What is he to do?"
    a) lock down workstation configuration (including Software Restriction Policies)
    b) use Windows DRM
    It's really not that hard (especially with MS software)
  • What annoys me is when people get all flustered when an Anti-Virus program finds something. All I can say is "Aren't you glad it found it before it could do any damage?".
    But they don't see it that way. To them, the message is a frightening annoyance.

    BTW: I've never had a virus since XP came out and I have no clue where most of the spyware comes from that I have to clean off people's systems.

    I guess it wouldn't be a good marketing move for MS to say "Look, we never get this junk on OUR computers and we're using the same OS as you. I guess the problem must be you, not the OS".

    THAT would go over well ;)
  • Except they do get it on their computers.
    http://www.proudlyserving.com/archives/2004/11/all_my_base_are.html

  • The argument I'm hearing here is that the only security vulnerability that Outlook, and by extension I suppose Outlook Express, has is that users open attachments. This is so obviously not true that I am worried that the people making it are on Microsoft supplied drugs. This is the implication of the blog post, but it is also a statement made by various commenters. This is so much bull, do I actually have to compile a list of links here to various Outlook vulnerabilities over the years that did not require anyone to open any attachment?

  • How about this list, boy so many vulnerabilities.

    http://www.google.com/search?hl=en&lr=&c2coff=1&q=outlook+vulnerability++site%3Akb.cert.org&btnG=Search
  • Vince,
    As regards CPU fans, Intel didn't trust OEMs to calculate the correct heatsink, so they supplied fans with the CPUs so it didn't matter.