Jim Lawrence
accessd at shaw.ca
Sat May 23 12:44:15 CDT 2009
I must admit that my knowledge is not totally first hand. A fellow who works predominantly with Servers and Linux type systems in particular, but also works with Windows products gave me his understanding of the relationship. On those Linux/Unix systems, unless you as an operator, you specifically enter the root/administrator password, before an application can have access to any root functions. Even then the Kernel and core functions are locked down completely. Windows has an odd layered system, in which, if certain applications, request it, they get access to the 'system' layer, which is only slightly below full administration rights. From there any app, offending or otherwise has access to root directories like the 'windows' and sub-system and to the registry. Maybe there are restrictions but a rogue application can do incredible damage from this position. Finally, if the rogue app ever achieves root access it can go directly after the Windows kernel. The Windows system layer was created with the best of intensions, to allow easy updates, confirmation of licensing and attempting to separate the user from any of the complex back-end processes. One of Windows strengths and weaknesses is in its design and its corporate nature. Windows is a proprietary product much of its functionality is hidden so when a problem with the OS occurs there is only one source for the final solution. Much of the designing efforts are spent at guaranteeing that the product is not pirated or copied, that all advancements are carefully copywrited and that it has complete control over its creation and direction. At 17 billions dollar in receipts last year, it is a very viable corporate entity but it can not be all seeing and given the expanding complexity of the computer world the company has less ability to set trends or direction. The Linux world is a very loose group of products. It is more like a cottage industry than a company where it is estimated that 3 to 4 million people work on its evolving design. The product is mostly open-source so hiding a process (or some kind of virus) is nearly impossible. Most of the new inventions in the computer industry have their source from this pool. It is estimated that the profits from this industry are somewhere at 10 Trillion world wide and growing at a phenomenal rate. Comparing the two paradigms show a stark contrast. One is a tightly controlled corporate entity and the other is wild capitalistic/socialistic frontier where only the best survive and wild innovation is rampant. Both entities have there place and I utilize both in every day business but I spend as much time removing Windows viruses as I spend doing other system support. The job is system support is made doubly complex when a system failure can be either deliberate or a setup issue... you can never know which or it could be both. Jim -----Original Message----- From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Rocky Smolin Sent: Friday, May 22, 2009 9:08 PM To: 'Discussion of Hardware and Software issues' Subject: Re: [dba-Tech] Virus trying to get in... Why would it never happen on a Linux/BSD system? Because they're not targeting it? OR because Linux/BSD doesn't have vulnerabilities to viruses or Trojans? Rocky -----Original Message----- From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence Sent: Friday, May 22, 2009 8:27 PM To: 'Discussion of Hardware and Software issues' Subject: [dba-Tech] Virus trying to get in... Hi All: Has anyone experienced the 'Spyware Protect 2009' trojan/virus? It had started on a client's site but according to the following link it was not fully installed: http://www.xp-vista.com/spyware-removal/spyware-protect-2009-removal A client sort of caught it part way through the insertion process along with the oline protection software, 'Windows OneCare' and the installation did not complete. The core of 'Spyware Protect 2009' app would keep prompting to be installed. (Something like a vampire that will not come in unless invited?) Hopefully I have got rid of it as the prompting app is a thing called sysguard.exe, hidden, read-protected and stashed in the Windows directory (It has to be deleted from the command prompt when in 'safe mode') and it is activated through a standard entry in the registry: HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run/Sysguard.exe How the code got in I have no idea, though one site suggested it may have come through some codec pacted in a graphic file. The original source is supposed to be out of Russia but it is appearing up everwhere. Considering the desktop was running run-time-protection, windows firewall, had all the current updates, the client was running it only in user mode and it switched to running at 'system' level; it just goes to show weak the system and all the protection really is... this would never happen on a Linix/BSD system. Sorry to sound grumpy but it took two hours to uncover and remove and I was late for supper... and the client was very grumpy while I had to stay cool and calm. Jim _______________________________________________ dba-Tech mailing list dba-Tech at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-tech Website: http://www.databaseadvisors.com _______________________________________________ dba-Tech mailing list dba-Tech at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-tech Website: http://www.databaseadvisors.com