If you make your machine look like a malware execution sandbox, a lot of malware will terminate to avoid being analyzed. This is just part of the cat and mouse game.
Yea sophisticated malware checks how many CPU cores PC has, how much hard drive space, some even check hardware temperature or if any debuggers are present. Windows malware got pretty sophisticated in the last 30 years.
> If you make your machine look like a malware execution sandbox, a lot of malware will terminate to avoid being analyzed. This is just part of the cat and mouse game.
What? This is an entirely separate concern. If you have a Russian input method installed, malware will terminate to avoid legal repercussions.
There is evidence that this will worked for ransomware like Patya and for groups like Fancy Bear or Cozy Bear and Conti. Mostly because the Russia gov. unofficial guaranties immunity if the target is not Russian.
Also, if you identify as Russian or write Russian in the chats or mails to them, they will de-crypt your systems for free.
It's not that simple, I think. There are many Russians everywhere, and probably they work at victim companies too, so just being Russian won't be enough, if ransom could be in the millions. You'll have to convince them that the company is Russian-owned, or that your father works in FSB, or whatever.
I think the reason why they don't want to attack Russians is because the victim would file a complaint to police, and police will have no choice but to start an investigation. And foreigners won't cause any problems in this sense.
I don't think there is some special immunity.
However, sometimes foreigners can cause problems. Recently several cyber specialists were convicted after investigation initiated after complaint from Joe Biden.
As a Russian who removed "winlockers" from so many of my not-so-tech-literate schoolmates' computers in the late 00s, I disagree :D
But those weren't as sophisticated, I suppose. They didn't encrypt files. They only displayed an uncloseable window demanding a payment. Sometimes with hilarious phrasing like "thank you for installing this quick access widget for our adult website".
The best anti malware on any version of windows has always been to make your default account you use everyday a non admin account.
You also need to create a separate account (can just be a local account) that is a full administrator. Make sure you use a different password.
Anytime you need to install something or run powershell/CMD as admin it will popup and ask for the separate login of the admin account. This is basically the default of how Linux works (sudo). It's also how any competent professional IT department will run windows.
If an admin elevation popup happens when you haven't triggered it then you probably know something is wrong. And most malware will not be able to install.
Another benefit is that you can use a relatively normal (but obviously not too short) password for your regular account and then have something much more complicated for the admin login. This is especially great on something like "Grandmas PC" or anyone who is at higher risk of clicking on the wrong thing.
> If an admin elevation popup happens when you haven't triggered it then you probably know something is wrong. And most malware will not be able to install.
Malware can still do a lot without "installation". Running as an unprivileged user, it can still do anything to/with the filesystem that the user would be able to do, and will (on most normal setups) be able to make outbound Internet connections without limitation. In short, these kinds of privileges don't protect against data exfiltration, ransomware operating on the user's important data files, simple vandalism....
> The best anti malware on any version of windows has always been to make your default account you use everyday a non admin account.
In the early 2000s up thru about 2012 I'd agree with you. Post-Vista malware adapted to UAC and now all malware works well as a normal user. Any data your normal user can access (local or on a remote CIFS server) is fair game for ransomware. Limiting administrator rights doesn't do anything to prevent the malware from getting at your data.
Persistence has moved to per-user, non-Administrator, too. Of course, all the various quasi-malicious customized versions of Chrome that end users inevitably install when they go searching for software to end-run their IT departments operates the same way.
I do think your daily driver Windows users shouldn't have administrator rights. It just isn't going to help much with malware.
I use physically separate boxes for my most sensitive activities (banking, mainly) but you could do nearly as well having separate non-admin Windows logons and compartmentalize your access to data you don't want ransomed. Isolation between different user accounts on Windows is actually fairly good. Just limit the common data the accounts can access.
Personally I've always wanted to use Qubes (and stop using physically separate machines) but I haven't taken them time to learn their contrivances.
Edit: I should have said "quasi-malicious customized versions of Chromium", not Chrome.
Usually, private individuals are not the target of ransomware attacks by organized criminals. Companies often have to pay a lot more money to get their data back. The Petya ransomware is a good example of this.
Nevertheless, when you are on any machine as an intruder and have normal user rights, you can still actively search the machine and network for admin accounts and steal sessions. The ultimate goal is to gain Domain Admin rights.
Besides that, it is not necessary to have admin rights to delete and encrypt data or to run and hide software.
There are also many ways, besides stealing sessions, to gain admin rights, such as through unpatched software, inappropriate user rights, zero-day exploits, and social engineering.
A common way to get users to install malware or ransomware is to bundle it with useful software that the user wants to install.
Unfortunately a lot of modern software triggers UAC popups now. Games (for anticheat and/or network connectivity), development tools (for network connectivity or debugging), updaters for stuff that live-updates like Electron apps, etc.
Its easy to reinstall the OS. Its a lot more damaging if you lose your childs birthday photos, tax documents and anything you actually care about. This is where the entire PC security fiasco breaks down, since I want my docs directory protected FROM any system installed app/driver. I want an OS that asks for permission when accessing doc directory.
It feels bad to post a link-only response but I really don't have anything to add to it. On a system used by multiple persons, sure, you help prevent that a compromise on sister's account immediately impacts mom's and dad's accounts, but that qualification isn't in the comment and probably most computers that HN readers use are single user. Or on a server, dropping privileges speaks for itself. But if you're on a desktop and you do online banking in your browser and also open email attachments on that computer... Not being admin would only help clean up the situation without needing to make a live boot (namely, you could theoretically trust the admin user and switch to that) but this isn't recommended practice anyway if you're not a malware specialist and can make sure it is fully gone. I cannot think of any situation where a single user desktop system benefits from admin privilege separation
So basically, what the comic conveys
> The best anti malware
Not being admin doesn't prevent malware from running and gaining persistence within your user account...
This is good advice, but it will not protect you against any malware that has been written in the last 10 years.
Stealer frameworks and dropper frameworks have implemented a lot of bypasses. From using other installed programs (lolbins / gtfobins etc) to using embedded scripting engines to do their bidding up until just reusing signed and installed default drivers to execute their payloads. A lot of drivers have sideloading and execution capabilities due to how the $igning process in Microsoft is constructed.
Additionally, nobody needs "root" access to do anything these days, this is just plain wrong assumption. Most malware will go for your browser profiles which are readable by your user (duh), so a separate privilege escalation exploit avoiding user account won't help you there either.
It's much better to sandbox your applications as good as possible. Even just using firejail profiles will go a long way, especially in regards to electron apps or apps that have remote update and plugin installation capabilities (e.g. discord, slack and the like).
Please, drop some malware binaries through ghidra or other tools before you give advice like this. You might be part of survivor's bias without realizing it.
> But is there really a downside to taking this simple, free, prophylactic approach? None that I can see
One that I immediately can think of is increased support costs due to end users unintentionally changing their keyboard. The shortcuts to change keyboards are usually not too hard to accidentally hit, and most users (especially in the US) would be unfamiliar with what they did or how to change it back.
It has always been this way and will continue to be. Russia along with north korea consider ransomware to be legitimate economic activity. It's part of their hybrid warfare strategy.
Yes, absolutely. This is mostly a legal/enforcement decision. If you avoid Russian authorities, they avoid you. Also Russia is nowhere near as fertile ground as the US. There are plenty of low paid entry level office workers in the US who will gladly update their AP payment information for business email compromise (BEC). $2.77 billion lost to BEC in 2024, the most lucrative category. Total losses in the US were $16 billion from 859,532 complaints.
One investigation I worked a threat actor in China socially engineered their way into getting an employee account in a US company created for them. They were so persuasive they also got their account inserted into the approval process as a manager for creating other new employee accounts (at a specific location) in the identity workflow. They did this only for the purpose of siphoning discounts that are available to employees, and they resold those which resulted in about one million dollars loss over a period of a couple of years.
As an aside, can anyone comment on how we can estimate the source of a cyber attack with any confidence? People and groups say "oh we know it's russians because of the methods used, they're known methods by russian groups". But if these methods are so clearly indicators of a certain group or certain national origin, then wouldn't it be effortless to then mimic those same methods to make it appear it's those groups when it's not?
It feels like if you had a battleship with a Russian flag and it fired on a US ship and ran way and wasn't caught, it'd be silly to be like "oh it's definitely the Russians 100%" because of the flag when it could have been a literal false flag. And there is a ton of political motivation to do false flags these days.
As someone using a Russian keyboard, I still got my fair share of viruses back in the day, before I knew the basics of cybersecurity. I wonder how prevalent that actually is in the grand scheme of things, or if it's overblown in the article.
I think it is to do with the targeted/campaign attacks. Ordinary spread of viruses in some rar files are generic enough. Otherwise if you are an outfit working from CIS countries it is just a logical due diligence not to become a target of their internal security people. For instance if you create a botnet and rent it, then some other group might do proper damage using it; it is safer to just host it outside.
I would find the why more interesting. Is there a common library virtually all ransomware uses? Are virtually all ransomware copy pastes of each other? Is there a popular forum post detailing the trick?
There are lots of malware families. Russian hackers, scammers, and such are basically celebrated in Russia for attacking the west. But they get in big trouble if they screw anything up inside Russia. Hence, the "safety mechanism" here.
I wonder if Ukraine has been removed from the exclusion list since then. A quick Google search says that the keyboards layouts are different from Russian keyboards.
And other CIS countries. It turns out if the authorities don't prosecute computer criminals and wire fraudsters unless there's a domestic victim, they will run amok.
Just add those two keys into your registry: https://github.com/Unit221B/Russian
For persistance install the russian keyboard driver, and switch back to your original.
That's a funny way to combat Russian made malware but I think Russian malware checks which keyboard language you are currently using and not which ones are in total present on your OS.
The Internet is by definition universal. Autonomous Systems make their own routing decisions. We cannot cut them off the Internet any more than we can cut off their sea access. If we were to do so (analogous to a naval blockade) you'd have succeeded in only cutting off civilians. Government sponsored or tolerated criminals would still ply their trade like in N Korea.
I wonder what DeekSeek agents would do if they discovered at some future time that USA and China are in a kinetic War. Because we don't have the ability to analyze hidden motivations in model weights, it's impossible to predict, although it seems like it would be easy to do at least basic testing (in a sandbox) to seek if it takes any unexpected actions or tries to get data from any unexpected URLs thru agents.
You can't simply ask the AI what it would do in that case, because it will have been trained to deny that it has any harmful plans, and indeed it may not "know", which is a type of attack I've called "Hypnosis Threat Vector". An AI Agent can be trained to be harmful, and not have any way of even self introspecting what it's "Trigger Words" are. The Trigger Words could indeed be some news headline that only China knows how to inject into the news cycle, causing many agents to notice them and then "wake up" to preform what they're "hypnotized" to do.
ttul|8 months ago
mrkramer|8 months ago
Melatonic|8 months ago
ronsor|8 months ago
general1726|8 months ago
rzzzt|8 months ago
thaumasiotes|8 months ago
What? This is an entirely separate concern. If you have a Russian input method installed, malware will terminate to avoid legal repercussions.
tempodox|8 months ago
exiguus|8 months ago
userbinator|8 months ago
I wonder how that works in this era of AI translation.
Not quite the same but I remember there was a Russian shareware author who gave free licenses to Russians.
atemerev|8 months ago
mdhb|8 months ago
codedokode|8 months ago
I don't think there is some special immunity.
However, sometimes foreigners can cause problems. Recently several cyber specialists were convicted after investigation initiated after complaint from Joe Biden.
grishka|8 months ago
But those weren't as sophisticated, I suppose. They didn't encrypt files. They only displayed an uncloseable window demanding a payment. Sometimes with hilarious phrasing like "thank you for installing this quick access widget for our adult website".
I_am_tiberius|8 months ago
Shorel|8 months ago
Please don't attack Bulgarians :)
johannes1234321|8 months ago
unknown|8 months ago
[deleted]
Melatonic|8 months ago
You also need to create a separate account (can just be a local account) that is a full administrator. Make sure you use a different password.
Anytime you need to install something or run powershell/CMD as admin it will popup and ask for the separate login of the admin account. This is basically the default of how Linux works (sudo). It's also how any competent professional IT department will run windows.
If an admin elevation popup happens when you haven't triggered it then you probably know something is wrong. And most malware will not be able to install.
Another benefit is that you can use a relatively normal (but obviously not too short) password for your regular account and then have something much more complicated for the admin login. This is especially great on something like "Grandmas PC" or anyone who is at higher risk of clicking on the wrong thing.
zahlman|8 months ago
Malware can still do a lot without "installation". Running as an unprivileged user, it can still do anything to/with the filesystem that the user would be able to do, and will (on most normal setups) be able to make outbound Internet connections without limitation. In short, these kinds of privileges don't protect against data exfiltration, ransomware operating on the user's important data files, simple vandalism....
EvanAnderson|8 months ago
In the early 2000s up thru about 2012 I'd agree with you. Post-Vista malware adapted to UAC and now all malware works well as a normal user. Any data your normal user can access (local or on a remote CIFS server) is fair game for ransomware. Limiting administrator rights doesn't do anything to prevent the malware from getting at your data.
Persistence has moved to per-user, non-Administrator, too. Of course, all the various quasi-malicious customized versions of Chrome that end users inevitably install when they go searching for software to end-run their IT departments operates the same way.
I do think your daily driver Windows users shouldn't have administrator rights. It just isn't going to help much with malware.
I use physically separate boxes for my most sensitive activities (banking, mainly) but you could do nearly as well having separate non-admin Windows logons and compartmentalize your access to data you don't want ransomed. Isolation between different user accounts on Windows is actually fairly good. Just limit the common data the accounts can access.
Personally I've always wanted to use Qubes (and stop using physically separate machines) but I haven't taken them time to learn their contrivances.
Edit: I should have said "quasi-malicious customized versions of Chromium", not Chrome.
noisem4ker|8 months ago
exiguus|8 months ago
Nevertheless, when you are on any machine as an intruder and have normal user rights, you can still actively search the machine and network for admin accounts and steal sessions. The ultimate goal is to gain Domain Admin rights.
Besides that, it is not necessary to have admin rights to delete and encrypt data or to run and hide software.
There are also many ways, besides stealing sessions, to gain admin rights, such as through unpatched software, inappropriate user rights, zero-day exploits, and social engineering.
A common way to get users to install malware or ransomware is to bundle it with useful software that the user wants to install.
eestrada|8 months ago
kevingadd|8 months ago
smallstepforman|8 months ago
Aachen|8 months ago
It feels bad to post a link-only response but I really don't have anything to add to it. On a system used by multiple persons, sure, you help prevent that a compromise on sister's account immediately impacts mom's and dad's accounts, but that qualification isn't in the comment and probably most computers that HN readers use are single user. Or on a server, dropping privileges speaks for itself. But if you're on a desktop and you do online banking in your browser and also open email attachments on that computer... Not being admin would only help clean up the situation without needing to make a live boot (namely, you could theoretically trust the admin user and switch to that) but this isn't recommended practice anyway if you're not a malware specialist and can make sure it is fully gone. I cannot think of any situation where a single user desktop system benefits from admin privilege separation
So basically, what the comic conveys
> The best anti malware
Not being admin doesn't prevent malware from running and gaining persistence within your user account...
udev4096|8 months ago
cookiengineer|8 months ago
Stealer frameworks and dropper frameworks have implemented a lot of bypasses. From using other installed programs (lolbins / gtfobins etc) to using embedded scripting engines to do their bidding up until just reusing signed and installed default drivers to execute their payloads. A lot of drivers have sideloading and execution capabilities due to how the $igning process in Microsoft is constructed.
Additionally, nobody needs "root" access to do anything these days, this is just plain wrong assumption. Most malware will go for your browser profiles which are readable by your user (duh), so a separate privilege escalation exploit avoiding user account won't help you there either.
It's much better to sandbox your applications as good as possible. Even just using firejail profiles will go a long way, especially in regards to electron apps or apps that have remote update and plugin installation capabilities (e.g. discord, slack and the like).
Please, drop some malware binaries through ghidra or other tools before you give advice like this. You might be part of survivor's bias without realizing it.
unknown|8 months ago
[deleted]
Phurist|8 months ago
kube-system|8 months ago
One that I immediately can think of is increased support costs due to end users unintentionally changing their keyboard. The shortcuts to change keyboards are usually not too hard to accidentally hit, and most users (especially in the US) would be unfamiliar with what they did or how to change it back.
fred_is_fred|8 months ago
pogue|8 months ago
throwaway48476|8 months ago
Hilift|8 months ago
One investigation I worked a threat actor in China socially engineered their way into getting an employee account in a US company created for them. They were so persuasive they also got their account inserted into the approval process as a manager for creating other new employee accounts (at a specific location) in the identity workflow. They did this only for the purpose of siphoning discounts that are available to employees, and they resold those which resulted in about one million dollars loss over a period of a couple of years.
https://www.fbi.gov/contact-us/field-offices/elpaso/news/fbi...
93po|8 months ago
It feels like if you had a battleship with a Russian flag and it fired on a US ship and ran way and wasn't caught, it'd be silly to be like "oh it's definitely the Russians 100%" because of the flag when it could have been a literal false flag. And there is a ton of political motivation to do false flags these days.
KnuthIsGod|8 months ago
v5v3|8 months ago
kgeist|8 months ago
sublimefire|8 months ago
charcircuit|8 months ago
chisleu|8 months ago
v5v3|8 months ago
gmargari|8 months ago
e_y_|8 months ago
fracus|8 months ago
adastra22|8 months ago
supertrope|8 months ago
rurban|8 months ago
mrkramer|8 months ago
amelius|8 months ago
zzo38computer|8 months ago
Razengan|8 months ago
culebron21|8 months ago
lenerdenator|8 months ago
unknown|8 months ago
[deleted]
gazatunnelrats|8 months ago
[deleted]
jekwoooooe|8 months ago
[deleted]
supertrope|8 months ago
skeezyboy|8 months ago
quantadev|8 months ago
You can't simply ask the AI what it would do in that case, because it will have been trained to deny that it has any harmful plans, and indeed it may not "know", which is a type of attack I've called "Hypnosis Threat Vector". An AI Agent can be trained to be harmful, and not have any way of even self introspecting what it's "Trigger Words" are. The Trigger Words could indeed be some news headline that only China knows how to inject into the news cycle, causing many agents to notice them and then "wake up" to preform what they're "hypnotized" to do.