2004-06-23
"Spyware" isn't harmless software when it starts hijacking your browser, downloading updates, and displaying adult porn images to small children.
When Spyware Crosses the Line
2004-06-24
Anonymous (1 reply)
It's the parents' fault!
2004-06-28
Anonymous (3 replies)
Just because B. Gates gives you IE doesn't mean you have to use it!
2004-06-29
Use Netscape Duh! (1 reply)
Just because B. Gates gives you IE doesn't mean you have to use it!
2004-06-30
grizzlyAIN'T@cascocastle.com
Spyware in the Consumer and Corporate Desktop: A Security Engineer's Reply
2004-07-02
Mary B. Winfield, Platinum Precision Software Inc.

Firstly, with the removal of 0dayz exploits: using safe mode alone used to be the solution. Now, however, due to the level of shell integration seen in some of these spyware programs, it is no longer safe to load explorer.exe. Instead, boot to safe mode with command prompt and load Ad-Aware from there. Even with old definitions by comparison to the newer exploit (in the case of spyware that is known but has auto-updated itself), Ad-Aware can often still remove the file so long as it is not in use (thus no explorer.exe).
Secondly, protecting against future infection. I was also impressed at the bold statement to move away from Internet Explorer; however, there are some features I find in IE which just cannot be delivered elsewhere. Speed is one such feature (I have had my head near bitten clean off for saying that, but it is true: Internet Explorer loads fast and processes pages more progressively than most browsers (yes, it cheats, as half of it is loaded already)). Feature argument or not, some people just don't want to move away from the MS browser, and in this case we need to theorise how to lock it down. My first suggestion is to pay careful attention to the settings in Tools->Advanced. I have seen many administrators laugh and chuckle when this is suggested, and the only suitable answer is REREAD! Install on Demand can be switched off, and this is highly recommended if you want a more secure system. As usual with removing a feature, you need to remedy other side effects, so go and get Flash, Shockwave, SVG and maybe full Java so that your users can still see these formats. You could turn off third-party browser extensions; that will stop any spyware from hijacking the browser, however, you lose third-party browser extensions. ActiveX settings, well... It is true to say that there exist sites which use ActiveX productively, but this is not enough to solve our problem. What can be done? Group Policy - that's right. ActiveX has the ability to be signed and should be; settings should be customised to cull unsigned ActiveX and still be dubious of even signed ActiveX. If Install on Demand is switched off, this combination is effective against most of the spyware installers to date. On several desktops I have default security settings, a version of Norton with Ad-Aware scanning regularly. Install on Demand is off, and third-party extensions are on due to the use of the Google Toolbar (which has popup blocking; just make sure you disable script debugging also).
Famous last words of a security guy: "it's been hard as nails so far". This system is not impervious, but that having been said, it's pretty good. We have tested it against several of the recent hijacking trojans too, and it stood up to the test. If combined with a deep-inspection firewall this can be very strong.
Stronger still - what? It can be done, although it's not graceful. What about running your internet browsing off the desktop? A server running internet browsing can be quite a productive strategy, and can help maintain the solidarity of your desktop environments. This is costly, however, especially in large corporations. An alternative to using a server is to use a guest account to run all copies of Internet Explorer. This is a nasty idea though, as where do file dialogs start when saving? Under a different user context, that's right. Well, this can all be solved with a little bit of scripting and some reg hacks, but it's not ideal. All recommendations point to simply using another browser, but hopefully this is some food for thought on the possibility of not doing so.
Enjoyed your article,
Thanks,
raggi.
Mantissa 51.
Link to this comment: http://www.securityfocus.com/comments/columns/250/26968#26968
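The comment above recommends locking down ActiveX in Internet Explorer (cull unsigned controls, stay suspicious of signed ones) and weighs turning third-party browser extensions off. Below is an added audit script, not code from the commenter or from SecurityFocus, that reads a `reg export` dump of the Internet zone (zone 3) and the IE Main key and flags each ActiveX action that is more permissive than a hardened baseline. The zone action codes (1001, 1004, 1200, 1201) and the 0/1/3 value meanings are documented IE security-zone settings; the baseline itself and the SAMPLE_REG text are assumptions constructed for this example.

```python
"""Audit Internet Explorer security-zone settings from a `reg export` (.reg) dump.

Added example, not part of the original comment.  It parses the subset of the
.reg format that `reg export` writes for the Internet zone (zone 3) and the
IE "Main" key, then reports each ActiveX action that is more permissive than
a hardened baseline modelled on the comment above: cull unsigned ActiveX,
prompt on signed ActiveX.  SAMPLE_REG below is constructed sample text, not a
dump from any real host.
"""
import re

# IE security-zone action codes (per-zone DWORD values) and their meaning.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
# Action values: 0 = enable, 1 = prompt, 3 = disable.
VALUE_NAMES = {0: "enable", 1: "prompt", 3: "disable"}
# Hardened baseline this example assumes (not IE's shipped defaults):
# unsigned and unsafe-for-scripting controls disabled, everything else prompts.
BASELINE = {"1001": 1, "1004": 3, "1200": 1, "1201": 3}

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Parse [key] headers plus dword and string values into {key: {name: value}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _STRING_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def audit(keys):
    """Compare zone-3 ActiveX actions against BASELINE.

    Returns {"findings": [(description, current, recommended), ...],
             "browser_extensions": "yes" | "no" | None}.
    A lower action value is more permissive, so current < baseline is a finding.
    An action absent from the export is reported as "not set" so the admin
    checks it explicitly rather than trusting whatever default applies.
    """
    findings = []
    zone = keys.get(ZONE3_KEY, {})
    for code, desc in ACTIONS.items():
        wanted = BASELINE[code]
        if code not in zone:
            findings.append((desc, "not set", VALUE_NAMES[wanted]))
        elif zone[code] < wanted:
            current = VALUE_NAMES.get(zone[code], str(zone[code]))
            findings.append((desc, current, VALUE_NAMES[wanted]))
    # Informational only: the comment keeps extensions on for the Google Toolbar.
    ext = keys.get(MAIN_KEY, {}).get("Enable Browser Extensions")
    return {"findings": findings, "browser_extensions": ext}


# Constructed sample export: a desktop that still allows unsigned ActiveX downloads.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="yes"
"""

if __name__ == "__main__":
    report = audit(parse_reg(SAMPLE_REG))
    for desc, current, wanted in report["findings"]:
        print(f"WEAK: {desc}: {current} (recommended: {wanted})")
    print(f"Third-party browser extensions enabled: {report['browser_extensions']}")
```

On a real host, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg` writes UTF-16 with a BOM, so open the file with `encoding="utf-16"` before passing its text to `parse_reg`. Enforcing the same values through Group Policy, as the comment suggests, keeps users from quietly loosening them again.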