Imagine that a user goes looking around for a new browser. They’ve downloaded Firefox and Chrome but they’re just not satisfied. So they come across a website advertising a “cool new browser” and download it. The website says “Because the browser is new and makes lots of connections to the internet your antivirus may pick it up. Don’t worry, this is simply a false positive, we’re fully accredited and you can see that we’ve signed the installer.”
The user runs the .exe, a little prompt saying “This software is signed but we don’t recognize the cert” comes up and asks for Admin. Makes sense, most programs ask for admin when installing.
They install it, a browser installs (let’s say a reskinned Firefox) but so does a malicious payload that embeds itself into the system.
No exploits were used, purely social engineering.
Most people would blame the user here. They should have known better, they should have double checked, they should have kept an AV up to date, blah blah blah.
This is stupid. Users are not capable of ‘knowing better’ nor should they be required to in order to use a system in a secure manner. We create advanced heuristics, which analyze malware on a code level and correlate it with past malware, and we still only ever catch something like 50% of the malware without unruly false positives. Stop treating humans like they can analyze code better than an advanced heuristics engine.
Security necessarily has to be handled at the lowest possible level, i.e. hardware or kernel. There is no getting around that. You can have superfluous layers and exercise your common sense but it’s easily bypassed (click here to find out why everyone is vulnerable) and in the end security absolutely has to come from the OS.
In this case Windows should have either detected the payload reliably or prevented the rootkit payload from installing. It should have done something.
Thankfully Microsoft has implemented things like PatchGuard and Secure Boot that limit malware without truly limiting the user, so had this user installed it on a 64-bit UEFI system the malware would have been limited to Admin and couldn’t have bypassed too many security systems.
No, I am not advocating a walled garden. That approach doesn’t work, it limits the user not the software. Limiting the user isn’t good because we always find a way around it and we simply won’t use the product.
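Two things in this story are checkable by the machine rather than by the user: whether the installer’s signature actually chains to a root Windows trusts (rather than merely being “signed”, as in the prompt above), and whether Secure Boot is enforcing signed boot code on this system. The script below is an added example written for this post, not code from the original or from Microsoft; the installer path is a placeholder, and the Secure Boot check assumes an elevated prompt on a UEFI machine.

```powershell
# Added example (not part of the original post).
# Part 1: distinguish "has a signature" from "signature chains to a trusted root".
$installer = 'C:\Users\Public\Downloads\cool-new-browser-setup.exe'  # placeholder path

$sig = Get-AuthenticodeSignature -FilePath $installer

# SignatureStatus values seen in practice:
#   Valid        : signature intact and chain ends at a trusted root
#   NotSigned    : no Authenticode signature at all
#   NotTrusted   : signed, but the chain does not end at a trusted root
#   HashMismatch : file was modified after it was signed
switch ($sig.Status) {
    'Valid'     { Write-Output "Trusted signature from: $($sig.SignerCertificate.Subject)" }
    'NotSigned' { Write-Output 'Installer is not signed.' }
    default     { Write-Output "Signature present but NOT trusted ($($sig.Status)): $($sig.StatusMessage)" }
}

# A Valid status only proves who signed the file, not that it is safe.
# Print the chain so the signer and its issuing CA can be reviewed.
if ($sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($sig.SignerCertificate)   # Build returns $false if untrusted
    $chain.ChainElements | ForEach-Object { "  chain: $($_.Certificate.Subject)" }
}

# Part 2: is the platform enforcing signed boot components?
try {
    if (Confirm-SecureBootUEFI) {
        Write-Output 'Secure Boot is enabled: unsigned boot-time code will be refused.'
    } else {
        Write-Output 'Secure Boot is disabled: boot-time code is not verified.'
    }
} catch [System.PlatformNotSupportedException] {
    Write-Output 'Legacy BIOS boot: Secure Boot is not available on this machine.'
} catch {
    Write-Output "Could not query Secure Boot (run elevated): $($_.Exception.Message)"
}
```

The point of the first half is that the “we don’t recognize the cert” prompt in the story corresponds to a `NotTrusted` status, which a policy (or an admin) can act on without asking the user to judge anything; the second half is how you confirm the boot-level protection the paragraph above relies on is actually switched on.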
To reiterate: nearly everyone gets the question of “who is to blame?” wrong. I’ve seen so few people ‘get it’ and they’ve all been (perhaps coincidentally) security researchers. The answer is always “the operating system” or “The OS and the AV” or whatever but the user should never be blamed and anyone who resorts to what amounts to victim blaming probably just doesn’t understand what security is about.