Surfing With The Queen Of Faerie
There have been a couple of recent posts in which I have eschewed dropping link credits because of the astonishingly bad nature of the net neighborhood I’d have been sending you to, with a link. Apparently my last aside about this alarmed Dr. Whiplash, when I wrote:
I found it at another one of those Russian sites where the malware-installing popups are particularly aggressive. My ice is good, your ice may not be so good, and they aren’t exactly the original photographers in any case, so my sense that I ought to link-credit them is outweighed by my sense that I ought not to give them the chance to trick you into installing their bot-net software irreversibly into your registry.
Rhetorical excess on my part? Probably. But mostly defensible, I think. Dr. Whiplash asked, fairly enough, in a comment:
Bacchus, I’ve been reading your blog long enough to know that you are WAY more computer-savvy than I am, and in fact, are one of the wisest, most experienced, ‘puter/net sherpas that I know of. Therefore, on behalf of those of us in that small segment of interwebs-challenged folk in your blog family, could you please take a moment to tell us a bit more about the bot-net danger? I’m completely in the dark here…
Also, being as you are not one known generally to mince words… did you really mean irreversibly? My computer is only protected to just a SLIGHTLY above average level, and now you’ve got me afraid of doing some of the normal porn-surfing that I enjoy (branching off on some of your links), that can get pretty far away from the original source sometimes.
Flattery aside, it was a fair set of questions, and by the time I’d answered them, I realized I’d written a blog post that deserved not to be buried in the comments. So, I’m promoting the bulk of my answer to this post.
First of all, I don’t mean to be a fear-monger. And my info may be somewhat out of date. I’m not a tech guy, I’m just a guy who spends way too many hours every day at his computer.
I’m running a current and automatically updated version of a comprehensive security package from Norton on an old but updated version of Windows. I’m pretty secure, but from time to time, stuff slips through.
Generally, if I make no human errors, nothing seriously bad can happen; the security packages are pretty good these days if you let them keep themselves up to date. Typically you have to consent to some sort of very unwise install for the worst of what happens below to occur; but some of the popups can be very misleading/persuasive if you aren’t viewing them with top-level skepticism.
The threats range from annoying pop-ups and pop-unders of those robot ads pretending to be girls wanting to chat with you that won’t go away, all the way to a comprehensive spyware root kit that installs itself so thoroughly (with encrypted hooks in your registry and auto-restarting processes that hunter-kill anything that looks like a new anti-spyware process starting up) that it is very very very difficult to uninstall. I won’t say “impossible” – the one time I got one of these, it took me three hellish days, but I succeeded. However, I know other serious computer users who claim they were defeated and had to “nuke it from orbit, it was the only way to be sure” – which is to say, reformat their hard drives and start over. And I know many, many people who are not “power user” types whose mode of death for the last computer they owned was “It got all junked up with popups and stuff so it wouldn’t boot any more, I stuffed it in the closet.”
The bot-net thing is a particular payload that comes with the worst of these root kits; it hasn’t ever happened to me. That’s a set of software instructions that gets on your computer and connects to the net and waits for further instructions; essentially, it makes your computer into a low-level criminal zombie machine. Then when some cracker needs 10,000 or a million computers to carry out a denial of service attack or to break some password at a bank that only allows three guesses from any one IP address, he just rents 10,000 or a million infected zombie machines from the guy who “owns” the infested zombie network that includes your machine.
Google has a concept of “bad neighborhoods” on the net when it comes to this stuff, and so do I. You can usually tell you’ve entered a bad net neighborhood before the popups ever start popping up, just by the types of ads on display and the confusing ways they are mixed in with the links you are looking for. (A good way to see this is to pick a recent-release movie and google it in concert with “free download” or “torrent” – proceed at your own risk! – for skilled professionals only, drivers on closed track, do not attempt at home.)
When you are in a bad net neighborhood and the popups and popunders are accumulating at the fringes of your browsing experience like wolves around a dying moose, the basic rule is like when visiting fairyland: “Don’t eat the food, don’t drink the wine, and don’t agree to nuthin’.” Kill every window you didn’t ask for with the x the OS provides, making very sure you aren’t being fooled by an imposter; and if that’s not possible, kill the browsing session with {ctrl-alt-del}. If that’s not possible, power down your box, as gently as possible but as firmly as necessary. The “yes/no” boxes and variants on them are never safe, because they can be jiggered behind the scenes so that whatever you think you are clicking on, you actually clicked on the overlay for the button that gave permission to install the root kit.
From long experience of talking about this sort of thing, I can predict that it may be followed by comments from people using (1) operating systems other than windows; (2) non-standard browsers; (3) specialized browser plugins; or (4) other specialized security software. These people will explain how they never have such problems. Some of them will be trying to be genuinely helpful; more will be displaying smug superiority. All will be missing the point with respect to me personally; if I depart too much from the basic-windows standard-browser mainstream that most of my readers will always be living in, I’ll lose the ability to detect when I’m in one of those bad neighborhoods. And that would be bad.
So, as a simple question, what browser do you use as a matter of course?
(I personally use Chrome because I’m a Software Developer and I like its separate process model. But I’m currently using Firefox because it can be had as a portable and makes it easy to keep my not-so-want-friends/family/coworkers-to-know-I-write-smut browsing distinct from my regular browsing.)
Mostly Firefox. I stuck with Internet Explorer far longer than I wanted to because it’s still by far the majority browser that my readers use, but I finally decided that I deserved something a little bit more standards-compliant and user-friendly. And the reader numbers were climbing high enough to make it not totally crazy. I do also keep Internet Explorer and Safari for Windows handy to do sanity checks on certain pages that I create or visit.
Great post! Thank you.
One caveat, however. It is the fashion these days for ne’er-do-wells to throw in a pop-up window which realistically and convincingly spoofs the sort of warning window that an anti-virus program or browser like Firefox puts up when your computer is under attack. There are many versions of this malware out there and the latest of them are designed so that clicking on anything at all (even the standard Windows “x” button in the upper right corner of the window) will launch the installation of the malware.
The only safe way to deal with this situation is to press CTRL+ALT+DEL, choose START TASK MANAGER from the menu, find any and all programs on the APPLICATION tab that you do not recognize, highlight it (them), and click the END TASK button. If in doubt (there won’t be that many applications in use unless one is hopelessly multi-tasked) kill ’em all. Then close your browser. And start over. AND avoid that neighborhood in the future.
There’s a relatively simple solution to this risk. Get a copy of Virtualbox (free from Oracle, formerly Sun) at http://www.virt...x.org. Install it and create a virtual machine running a second copy of Windows. Once Windows and whatever web-browsing (and photo viewing) utilities are installed, shut down the virtual machine and take a snapshot of it – this is a built-in feature of Virtualbox, well documented in the manual.
When you want to go down the nastier side of the web, or think you might be lured there, or just feel paranoid, do your surfing in the virtual machine. When you’re done, roll it back to the snapshot. Any changes that malware has made to the system will be undone completely – it’s like having a time machine. It’s done at a low enough level that current malware, as far as I know, can’t do anything to avoid it, partly because the VM is physically powered down during the process. Doesn’t matter how many clever tricks it uses to keep running if the plug is pulled and the hard disk is forcibly returned to a previous state.
You can also do it the other way – create a VM where you only go to known safe sites, that you can do your banking and other sensitive stuff in. You don’t necessarily need to snapshot this one, at least if you want to keep bookmarks and so forth, but if you create both kinds then please don’t get them mixed up!!
You can use VMware or Parallels to do this as well, but they’re not free – Virtualbox is.
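The snapshot-and-rollback workflow the comment above describes can be driven from VirtualBox’s command-line tool, VBoxManage, instead of the GUI. The script below is an added example, not code from the commenter or from the VirtualBox project; it assumes a guest VM named “DirtyBrowser” and a snapshot named “clean” (both hypothetical names, overridable through the environment), and that VBoxManage is on the PATH. The point it enforces is the one the comment makes: the guest is always hard-powered-off before the disk is rolled back, so nothing running inside it gets a say.

```shell
#!/bin/sh
# Disposable browsing VM helper (added example; not from the thread above).
# Assumed names: VM "DirtyBrowser", snapshot "clean". Override via environment.
VM_NAME="${VM_NAME:-DirtyBrowser}"
SNAP_NAME="${SNAP_NAME:-clean}"
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"

# Print the VM's current state as VirtualBox reports it
# ("running", "poweroff", "saved", ...).
vm_state() {
    "$VBOXMANAGE" showvminfo "$VM_NAME" --machinereadable \
        | sed -n 's/^VMState="\(.*\)"$/\1/p'
}

# Hard power-off: the equivalent of pulling the plug. Nothing inside the
# guest gets a chance to object, which is the point when the guest may be
# compromised.
force_poweroff() {
    case "$(vm_state)" in
        poweroff) ;;   # already off, nothing to do
        *) "$VBOXMANAGE" controlvm "$VM_NAME" poweroff ;;
    esac
}

# Record the known-good state. Refuses to run while the VM is up, because a
# snapshot of a live guest would preserve whatever happens to be running in
# it; shut the guest down cleanly from inside first, then call this.
take_clean_snapshot() {
    if [ "$(vm_state)" != "poweroff" ]; then
        echo "refusing to snapshot a VM that is not powered off" >&2
        return 1
    fi
    "$VBOXMANAGE" snapshot "$VM_NAME" take "$SNAP_NAME"
}

# Throw away everything that happened since the clean snapshot. The restore
# is only attempted after the guest is off, as VirtualBox requires.
reset_to_clean() {
    force_poweroff
    "$VBOXMANAGE" snapshot "$VM_NAME" restore "$SNAP_NAME"
}

# Start a fresh session. It resets first, so leftovers from a previous
# session never carry over even if the user forgot to reset last time.
start_dirty_session() {
    reset_to_clean
    "$VBOXMANAGE" startvm "$VM_NAME" --type gui
}

# Command dispatch: ./dirtyvm.sh init|start|reset
case "${1:-}" in
    init)  take_clean_snapshot ;;   # once, right after installing the guest
    start) start_dirty_session ;;   # before surfing
    reset) reset_to_clean ;;        # after surfing
esac
```

Run `init` once after the guest OS and browser are installed and shut down, then `start` before each risky session and `reset` afterwards. Keeping the reset inside `start` means the rollback happens even when the user skips the `reset` step, which is the failure mode to expect from the audience the post is written for.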
What the above poster says- you can be completely safe with little effort from within Windows, as long as you keep your browser sandboxed.
“relatively simple solution” … “little effort”
Orpheus, Jordan: You’re obviously not talking to the people I’m trying to help. Successfully sandboxing my browser would be a stretch for me. For the users of average skill I’m trying to advise and protect with this article, you might as well have said “Take a spork and a left-handed canticle, walk briskly to the moon, and do what comes naturally. Easy peasy!”
I know you meant well, but: nearly useless advice, due to the mismatch between where you’re at and where the target audience is.
Bacchus – If your target audience’s “average skill” is as low as you figure (and I do agree) then one thing they can do even as an unskilled user is be “entirely legit”. I.e., legal registered OS, legal registered antivirus software, legal copies of any applications they use and a common browser that is well supported. Then they need to get all the automatic update stuff turned on and KEEP all those legal programs current.
I have found that many users in my circle of friends and family got into trouble when they tried to get something for nothing – this applies to pirated OS updates which would not update, pirated copies of apps and games some buddy gave them, “free” antivirus or malware removal stuff they found somewhere etc. Also where they go on the net gets dangerous when they go looking for stuff they don’t want to pay for (my wife got us infected once looking for free stuff for teachers).
A porn site trying to sell you a membership is unlikely to give you VD, but “free stuff” – especially if you know the same stuff is for sale at legitimate sites is a sure sign you are gonna get more than you (didn’t) pay for.
I was amused by your reference to ice. It takes me back to my youthful reading.
So maybe someone needs to sell a “Bombproof Browsing Package”, basically a Linux VM that boots straight into Firefox and then gets snapshotted back to a known state every time it’s shut down. Do you think there’s a market for that kind of thing?
There might be a need for a product with that functionality, but I’m not sure there’s a market for it. Again, it’s the problem that people who understand the problem well enough to know they need it probably don’t need it, or can find ways to accomplish the same thing for free, or to avoid the problem entirely.
Which is not to say you couldn’t sell a ton of packages through fear-based marketing to people who don’t understand what they are buying. Lot of money in that game. But, you know… fear-based marketing.
Bacchus, I’ve gotta thank you for taking the time to answer my questions.
Also, my intuition had been telling me that what I read in the second paragraph of Peter Grimm’s comment (#7.) was true….
I don’t think that most of the porn sites (that are trying to sell me something) are quite as suspect as the torrent/rapid-share downloads of free books that my girlfriend collects. She thinks it’s the other way around, but I’m awfully suspicious of the motivations of some people offering you stuff for free, that often takes a lot of time for them to prepare for someone else…
I knew that becoming a zombie computer was a hazard, but I never thought of guys actually renting out zombie networks for brief attacks. To my way of thinking, that’s a very plausible motivation.
I’ve always worried about those random boxes where you are asked out of the blue to vote on which actress is sexier, or which candidate would make a better President, or “whose nose is this?” People who can’t resist voicing an opinion, are at a major risk when they click on an answer, no?
Once again, the Erosblog Institute of Higher Education has improved my everyday life…
A lot of the interactive poll banners are just trying to suck you in to “sticky” interactions where they can suck up some of your consumer info; but in a sufficiently bad neighborhood, of course, any click is dangerous and they’ll use any ruse to get the click.
I definitely agree that hunting for free stuff gets people in trouble, but this is a carefully nuanced statement. It’s the search phase that’s typically dangerous; the predators use our greed against us, since we’ll typically take more risks when we’re trying to get “something for nothing” than we would during a commercial transaction. So when you go searching for free stuff, you’ll encounter a lot of bogus search results junked up with hostile code that’s out to eat your computer’s BRAINZ!
The nuance, though, is that those junked-up search results are essentially parasitic; the folks trying to junk up your computer are acting as parasites. The host in this analogy would be the pirate/file-sharing community. Whatever other moral failings you care to lay at the feet of the pirates, I don’t think they are actually putting all that work into preparing and distributing files in order to junk them up again with spyware; it’s my impression they hate the spyware assholes just as much as the rest of us do.