
McAfee quarantines svchost.exe on millions of WinXP machines worldwide - andreyf
http://andreyf.tumblr.com/post/538652366/hacker-attack
======
tumblen
Crazy to think about the consequences of a mistake like this. This was sent by
a friend to an email list I'm on:

"Well, consider this community hospital fubared.

IT dudes running around pulling out their hair. If it wasn't affecting patient
care it would be a humorous scene, but I can't check X-rays, or labs or
anything. Took out a horrendously bloody gallbladder this morning, and I can't
tell (labwise) if she's still bleeding...not good."

~~~
billybob
Wow. Kinda makes me wonder if we should be using general-purpose computers for
so many things. The anti-virus is kind of a major single point of failure for
machines that need to do just a few specific things.

~~~
cookiecaper
I don't think we need to move to special machines, we just need to move to
sensibility in choices. Why do these need to be running Windows? Even if
they're running Windows, why do they need an antivirus? Are you letting people
on attachments from their email or browse the internet on the same box that
you're using to read X-rays and other medical imagery? Kind of weird to do
that, right?

I need to think about how to exploit this to promote the installation of *nix-based
systems and get people to hire my company to do it.

~~~
niels_olson
Doc here: do you run a subversion client or an IDE on the same machine you
check email or browse the web with? kind of weird to do that, right?

I'm all for *nix-based systems. Please, oh please, convince these people to go
to *nix and web apps (that aren't slaved to IE: eg, AHLTA, or Fuji's Synapse
imaging software). I will give you their numbers.

~~~
cookiecaper
I actually freelance with a group that is making a web app for viewing medical
imagery. Has a Flex-based frontend, though.

I guess I don't understand the use case -- I had assumed that the computers
needed to tell if a patient was bleeding or not were connected to a machine
that did some kind of image-taking or internal measurement, and that that
machine was the stationary "is patient bleeding machine" computer. Do doctors
generally perform analyses like that one on personal computers or normal
workstations? I guess I just got a false impression from medical dramas or
something.

~~~
jonknee
What if the doctor reading the scan is in another city/country? That's
becoming increasingly more common.

Though on the AV front it doesn't make sense to have all of your
organization's computers running critical software to update at the same time
(no matter what software, it just happened to be the anti-virus this time).

------
thaumaturgy
I don't have time to counter all the misinformation here. Just a couple quick
points:

\- McAfee has been crap for a long time now; they're not much better than
Norton's products from the last few years.

\- Corporate networks are running McAfee because McAfee (and TrendMicro, and
other garbage a/v vendors) provide incentives to VARs, consultants, resellers,
etc.

\- However, this is a far cry from "all antivirus is bad". There are plenty of
good products available, some of them are free, and they don't have serious
negative impacts on system performance. The on-demand catch rating of some of
these products exceeds 97% in independent lab testing, which is pretty damn
good.

\- If you use a company computer, and you have disabled antivirus on your
system because you don't like it, you are putting not just your _company's_
computer, but your company's _network_ at risk. In most "serious" companies,
this would be grounds for termination, and I don't blame them. I would also
like to emphasize that the workstation you use belongs to your employer, not
you.

\- I don't care how smart you think you are, if you're running Windows, you're
at risk. Even current versions of Firefox are vulnerable to remote exploits,
and we've been seeing a hell of an uptick recently in website infections. That
blog that you've been visiting for years might try to hit your computer with
something nasty tomorrow, and you'll never even notice. For that matter, a lot
of website administrators don't realize they have a problem for a long time.

\- Rootkits are getting very quiet and very sneaky. I think we're starting to
see a trend where computers are coming in with a couple of different
infections: one is a recent rogue antivirus infection which drives the user to
get help, and the other is an older rootkit that's been running quietly in the
background for a while.

You guys should know better.

~~~
tsally
Speaking as someone who knows something about these things, it is clear that
you are not as informed as you are making yourself out to be. There are two
reasons why I say that. (1) Your knowledge of the AV industry is outdated.
McAfee has actually been trending upwards in recent years. (2) A 97% detection
rate is obviously bullshit. If any product achieved a detection rate anywhere
close to that number, the false positive count would be through the roof. As
this incident makes clear, the cost of a false positive can be astronomically
high. Again, any AV product advertising or claiming 97% detection is bullshit.
Any AV engine can achieve that number if it accepts an unrealistic number of
false positives. The fact that you even quoted that number makes me question
your qualifications for giving advice about AV.

For non technical people reading this thread, the general sentiment of other
commentators is correct. Most AV is garbage. It will protect you from about a
1/3 of what is out there at the cost of computer performance. Make an educated
decision about whether to run it at home or not. On your corporate network, do
whatever your security guy tells you to do.

~~~
thaumaturgy
Not that I'm all that interested in getting into a pissing contest with Some
Guy From The Internet, but:

1\. I've been doing virus and malware cleanups for people since -- well, since
1995 or so, at least.

2\. I've recently begun presenting seminars on basics for novice computer
users.

3\. I was among the first to clean up the rather nasty kbiwkm rootkit a while
back. One of my clients was infected with it before there had been an a/v
response, and before anything could be learned about it anywhere.

4\. I've recently begun to get contacted internationally (well, from Canadian
individuals, anyway) to clean up websites infected with various sorts of nasty
bugs.

5\. Most importantly, I follow the results and reports from av-comparatives.org
religiously; they're not affiliated with any particular
antivirus vendor, product, or group, their tests appear to be very thorough,
their methods appear to be fairly rigorous, and they provide reasonable
results for a number of different metrics related to antivirus products, all
in a regularly-released report that's quite readable.

6\. I started a company three years ago to address the various flaws that I
saw in the I.T. industry, one of which was the number of people that got hit
with viruses over and over again. I have a very, very low rate of repeat virus
cleanups for my clients, many of whom are novices that are particularly
susceptible to multiple computer virus vectors. You might feel like being
snarky and saying that I never hear back from them because they don't care for
the service, but then again, I'm currently experiencing my third straight year
of 300% growth, and most of my "marketing" comes from word-of-mouth.

But, I don't have a blog, so of course I'm not an expert. Carry on.

edit: ohbtw, two of today's systems that were infected with rogue antivirus
also had up-to-date and active McAfee installations, which isn't at all
unusual. But, yeah, you're right, it's much better now than it used to be.

~~~
tsally
First, congratulations on your success with your business. 300% growth over
multiple years is very impressive. Second, I didn't mean to be negative or
snarky (I can be abrasive sometimes, so sorry about that). It's just that no
one experiences detection rates that high in the real world. If AV actually
worked that well, it would be incredible. I'd be the first person to publicize
it.

In regards to AV Comparatives, I responded to why their tests aren't relevant
in the real world here: <http://news.ycombinator.com/item?id=1284321>. The
bottom line is that detection rates as high as 97% are generally regarded by
industry experts as inflated (John Viega says in one of his books that some
people estimate actual detection rates to be around 30%). AV companies
themselves would never use that number as a part of their marketing campaigns.
You'll note that on the product pages of the AV products tested, the numbers
aren't listed. If a 99.6% detection rate was actually valid, don't you think
it would be displayed in large and bold letters on the product page?

I'm not saying people shouldn't run AV, but we need to be honest about the
actual capabilities of these products. Even if actual detection is only 30%,
30% is better than 0%.

------
azim
The fact that you're here means your computer is working, but just in case
anyone you know needs the instructions to disable McAfee:

Boot the affected client into Windows Safe Mode with Networking (Hit F8 During
the system boot phase.)

Disable the McAfee McShield service by opening the Registry Editor
(regedit.exe), and set the McAfee McShield service to the Disabled startup
type: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\McShield\Start=4.

Once you've rebooted into normal mode you can roll back definitions from the
McAfee GUI.

------
mrcharles
Just another nail in the coffin of the usefulness of AV systems. And good
riddance.

My work computer actually has McAfee on it, which I've disabled through the
registry. Don't like how slow it makes my computer.

Education, people! It's better than buying useless feel-good software.

~~~
billybob
I think it's interesting to consider computer viruses and biological pathogens
in terms of "optimum harmfulness."

A cold virus's best strategy, for example, is to keep you awake coughing so
your immune system is weak, make you sneeze and cough and have a runny nose so
you spread germs, etc. But it shouldn't kill you, especially not before you
pass it on. I've heard (did I read it in Guns, Germs and Steel?) that
syphilis used to be more deadly, but that it got milder as an adaptive
strategy.

Likewise, computer viruses probably have a pain threshold they shouldn't pass.
If they can do their masters' bidding without hacking you off so bad that you
format the computer, they'll be more successful.

Possibly unwarranted conclusion: computer viruses are now widespread precisely
because they're Not That Bad.

So, are they worse than antivirus software? A lot of non-geeks may be asking
themselves that question today. "Dang, we got a virus one time, but it didn't
keep the computer from BOOTing!"

McAfee has just demonstrated a computer autoimmune disease.

~~~
thaumaturgy
Well, first off, I have bad news for you: the more recent rootkits we've been
seeing are doing exactly this. They are very quiet, very sneaky, very hard to
remove, and they just _love_ it when you purchase items online.

As far as whether viruses or antivirus software are worse to deal with --
well, I have three systems in the shop so far today for virus infections that
were so bad that it rendered the computer unusable. One woman told me she
broke down and cried because her brand new laptop got infected yesterday and
quit working just before she was supposed to do online college course work.

Running without A/V software is exceptionally stupid at this point, even if
you think you're smarter than everyone else.

~~~
smutticus
The last computer virus I got was the Stoned virus on a DOS 6.2 machine
sometime around 1989-90.

And I never run anti-virus software. At home I have Windows, OS X and Linux
boxen and not in 20 years have I had a computer virus.

It's really all about usage patterns more than anything else.

~~~
msbarnett
If you haven't run av in 20 years, one wonders what you base the claim of not
having had a virus in 20 years on.

~~~
kentosi
The comment probably should've been rephrased as "i haven't been hampered by
any virus in 20 years".

------
jswinghammer
I don't understand why people install antivirus software on their machines. I
read once that their catch rate is something like 20-30% which strikes me as
no better than 0% for all the good it does most of their customers. It just
seems to slow down computers a lot and yield little benefit other than
protection for the IT staff when things go wrong.

I could make antivirus software that does nothing and probably make people
happier by virtue of the fact that I'm not taking their system's resources.

~~~
mattmaroon
You read Hacker News, which means you probably know more about computers than
at least 99% of the population, and far more than 98%. Seriously, consider
that.

Take something you don't know about. For me it's cars. If prevailing wisdom
was that unless you bought some $40 item for your car, it could easily be
stolen, you'd probably buy it right?

This is what people are told: Windows is insecure and anyone with a clue can
just steal your credit card number. I know that if I just don't install crap
from the internet, and have a reasonable firewall, I'm not going to get a
virus. I haven't had antivirus in over a decade, though I've run some web-
based ones on occasion to check, and have never had a problem. I know that,
and you know that. My dad (who is much closer to the other 98% of the
population) doesn't know that.

(As for corporate use, you answered your own question. IT staff installs it
for no reason other than to be able to prove to their boss that it isn't their
fault when stuff goes wrong. )

~~~
Periodic
For the IT staff, the fact that your computer slows down is an externality; it
is not their problem. If the anti-virus can catch a few viruses and doesn't
result in many help-desk tickets, then it makes their lives easier. Cleaning
up a virus is a tedious task, as even a simple re-imaging can take a while,
and that's if you can use a standard image.

They also don't know how smart their users are. Some of them are great, and
might read HN, but others will go download any game or smiley pack they can
find.

If IT staff were paid based on how smoothly the computers run, they might have
a different opinion. Their current goal is usually just to make sure it runs
at all.

~~~
furyg3
> Their current goal is usually just to make sure it runs at all.

Indeed. I'm the lead of the "IT Staff" at a small non-profit (~70 users)
running mostly on second-hand desktops. Two-thirds of our staff is unpaid,
usually interns who are here a few days a week for 3 months, and then they're
gone and someone new takes their place. Training proper computer behavior is
hard.

So... we run A/V (not McAfee), because we have to. We also lock down the
systems hard, not because I think that's a nice thing to do to your users, but
because we have to. Imaging all these different desktop models is difficult,
and we have very limited resources for doing re-imaging/re-installs/virus
cleaning/whatever.

My goal is to enable you to sit down at your computer and be able to perform
your job. A 20% performance hit on all computers is worth it if it means that
20% of the computers _aren't_ down for maintenance. :)

~~~
watmough
There are a couple of ways to address the virus problem besides installing
anti-virus on Windows.

Here's a few things I'd consider if I wanted to run an office with minimal
computer support:

\- run the LTS Ubuntu instead of Windows

\- maybe run OS X, on Mac Minis if buying new hardware

\- install one Windows terminal server for critical Windows-only software

\- lock down firewall to permit only whitelisted web-sites

\- run locally hosted (I believe this is possible) Google Docs as office software

Windows virus problems, people surfing Facebook, porn, you-tube, Twitter etc.,
will suck away time in an office if you don't get some kind of a handle on it.
I hate offices where stuff is super locked-down, but put in charge, I'd want
to screw things down pretty tight.

Obviously developers, salespeople might be somewhat of an exception... it's a
hard call to make.

------
andreyf
Err, might be a good idea for an admin to change the URL to a more credible
source, like <http://isc.sans.org/diary.html?storyid=8656>

Or at least: [http://www.engadget.com/2010/04/21/mcafee-update--shutting-d...](http://www.engadget.com/2010/04/21/mcafee-update--shutting-down-xp-machines/)

------
postfuturist
<http://xkcd.com/694/>

------
dsplittgerber
If I were a trader, I'd short McAfee right now. This probably means lots of
settlements.

EDIT: This could actually be a profitable venture. Someone with at least
basic HN-type knowledge and a daytrading account could make serious money.
Finance professionals most probably have no idea how important specific IT
news is during the day. One should be able to trade ahead of consensus pretty
easily.

~~~
cynicalkane
You'd be making a trade based on how the market responds to news. Just because
you care about this news doesn't mean the market will. Unless the settlements
are enormous, the market never will.

~~~
andreyf
_Unless the settlements are enormous, the market never will._

Or if they lose big clients. My wife tells me all computers in PWC's NYC
office are out.

~~~
spamizbad
Shame on PWC for not upgrading to Vista or Windows 7. A firm that large should
have more foresight in IT planning.

~~~
iron_ball
I can't tell if that's sarcasm or not.

------
Jd
Anyone think that this might be an ingenious hack by a "virus" writer? Instead
of targeting the computer, target the manufacturer that makes the code that is
supposedly protecting the computer. If so, I'll bet all it took was one line
in one list of malicious files.

No one may have thought to protect those back doors...

------
alecco
Some virus guy wrote about the problem of the economic model of major
antivirus vendors. Corporate profit interests go against making a decent
long-lasting antivirus and instead benefit from incremental constant updates.
That's why they mostly avoid behavioral analysis and localhost security
checks. Instead they just use brute force pattern matching and constant
updates.

A subscription model is detrimental to users' security. But try to explain
that to your PHB who reads websites and magazines making money on
advertisements from the industry.

------
jules
I had this same problem with AVG on my parents' PC some time ago: it deleted
an essential system file, making the computer unable to boot even in safe
mode. I then did what they said that I should do, thereby fucking Windows up
completely. Luckily I was able to recover important files via Ubuntu.

------
Hexstream
"- Don't worry, Skynet will take care of the virus in no time.

\- Skynet _IS_ the virus!!!"

------
Qz
The anti-virus scam strikes again!

------
Daniel_Newby
Why does AV software not have a secure checksum-based whitelist? It is not as
if Microsoft keeps the important system files secret.

~~~
jxcole
For that matter, why didn't they test this on at least one machine before
releasing it? Is it not standard to have a release process that includes
testing?

~~~
adamsmith
Not to mention incremental roll outs, which would have caught this problem
before it hit every win xp machine.
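
The two safeguards raised in this subthread, a checksum whitelist of known-good system files and a pre-release test of new definitions against that corpus, sketched as an added Python example (not McAfee's code; the scanner, the byte-pattern signature and the sample files are all constructed here to illustrate the idea):

```python
import hashlib
import os
import tempfile

def sha256_of_file(path, chunk=65536):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_whitelist(paths):
    """Known-good set: hashes of the OS vendor's shipped binaries (constructed here)."""
    return {sha256_of_file(p) for p in paths}

def signature_hits(path, sig):
    """Toy byte-pattern signature; stands in for a real engine's detection logic."""
    with open(path, "rb") as f:
        return sig in f.read()

def decide(path, sig, whitelist):
    """Scanner verdict: 'clean', 'quarantine', or 'whitelisted' (hit suppressed)."""
    if not signature_hits(path, sig):
        return "clean"
    if sha256_of_file(path) in whitelist:
        return "whitelisted"  # signature fired on a known-good file: keep it, log it
    return "quarantine"

def release_check(sig, known_good_paths):
    """Pre-release gate: a definition that fires on any known-good file must not ship."""
    return not any(signature_hits(p, sig) for p in known_good_paths)

def demo():
    """Constructed scenario: an over-broad signature that overlaps a legitimate system file."""
    d = tempfile.mkdtemp()
    def write(name, data):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        return p
    svchost = write("svchost.exe", b"MZ legit host process ... C0FFEE ... end")
    trojan = write("svchost_trojaned.exe", b"MZ legit host process ... C0FFEE ... dropper")
    malware = write("dropper.bin", b"junk C0FFEE junk")
    bad_sig = b"C0FFEE"  # too short: the pattern also occurs in the legitimate binary
    whitelist = build_whitelist([svchost])
    return {
        "system": decide(svchost, bad_sig, whitelist),    # hash matches: not quarantined
        "trojan": decide(trojan, bad_sig, whitelist),     # modified copy: hash differs, quarantined
        "malware": decide(malware, bad_sig, whitelist),   # quarantined
        "ship": release_check(bad_sig, [svchost]),        # False: definition fails the gate
    }

if __name__ == "__main__":
    print(demo())
```

Because the whitelist is keyed on the full file hash, a trojanized copy of the same binary is not protected by it; the whitelist only suppresses hits on files identical to what the vendor shipped.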

------
dfranke
So they've finally identified Windows as a virus? About damned time.

