Beware of the dancing bunnies.


I saw a post the other day (I’m not sure where, otherwise I’d cite it) that proclaimed that a properly designed system didn’t need any anti-virus or anti-spyware software.

Forgive me, but this comment is about as intelligent as “I can see a worldwide market for 10 computers” or “no properly written program should require more than 128K of RAM” or “no properly designed computer should require a fan”.

The reason for this is buried in the subject of this post: it’s what I (and others) like to call the “dancing bunnies” problem.

What’s the dancing bunnies problem?

It’s a description of what happens when a user receives an email message that says “click here to see the dancing bunnies”.

The user wants to see the dancing bunnies, so they click there.  It doesn’t matter how much you try to dissuade them, if they want to see the dancing bunnies, then by gum, they’re going to see the dancing bunnies.  It doesn’t matter how many technical hurdles you put in their way, if they stop the user from seeing the dancing bunny, then they’re going to go and see the dancing bunny.

There are lots of techniques for mitigating the dancing bunny problem.  There’s strict privilege separation – users don’t have access to any locations that can harm them.  You can prevent users from downloading programs.  You can make the user invoke magic commands to make code executable (chmod +e dancingbunnies).  You can force the user to input a password when they want to access resources.  You can block programs at the firewall.  You can turn off scripting.  You can do lots and lots of things.

However, at the end of the day, the user still wants to see the dancing bunny, and they’ll do whatever’s necessary to bypass your carefully constructed barriers in order to see the bunny.

We know that users will do whatever’s necessary.  How do we know that?  Well, because at least one virus (one of the Beagle derivatives) propagated via a password-encrypted .zip file.  In order to see the contents, the user had to open the zip file and type in the password that was contained in the email.  Users were more than happy to do that, even after years of education, and dozens of technological hurdles.

All because they wanted to see the dancing bunny.

The reason for a platform needing anti-virus and anti-spyware software is that it forms a final line of defense against the dancing bunny problem – at its heart, anti-virus software is software that scans every executable before it’s loaded and prevents it from running if it looks like it contains a virus.

As long as the user can run code or scripts, then viruses will exist, and anti-virus software will need to exist to protect users from them.
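The two mechanisms the post leans on, a scanner that inspects an executable before it is allowed to run, and the password-encrypted zip trick that hid the Beagle payload from such scanners, can be shown together in a few dozen lines. The code below is an added illustration, not code from the post or from any real anti-virus product: the byte-pattern signature database, the "Test.Bunny.A" name and the marker string are constructed for the example, and the archive is hand-built with struct because Python's zipfile module cannot write encrypted entries (the encryption flag is set directly in the headers; the contents are only inspected, never decrypted).

```python
import io
import struct
import zipfile
import zlib
from dataclasses import dataclass, field

# Constructed, hypothetical signature database. A real scanner holds millions
# of patterns; this marker is not a real malware signature.
SIGNATURES = {
    b"DANCING-BUNNIES-MARKER-v1": "Test.Bunny.A",
}


@dataclass
class Verdict:
    allow: bool
    reasons: list = field(default_factory=list)


def scan_bytes(data: bytes, label: str = "<file>") -> Verdict:
    """Pre-execution check of one file body against known byte patterns.

    This is the reactive part of anti-virus: only patterns already in the
    database are caught, which is exactly the limitation the comments raise.
    """
    hits = [name for pattern, name in SIGNATURES.items() if pattern in data]
    if hits:
        return Verdict(False, [f"{label}: matched {', '.join(hits)}"])
    return Verdict(True, [f"{label}: clean"])


def scan_zip(blob: bytes) -> Verdict:
    """Scan every entry of an archive, failing closed on entries it cannot read.

    General-purpose flag bit 0 marks an entry as encrypted. Without the
    password the scanner cannot see the bytes, so the only safe verdict is to
    block (or quarantine) rather than wave the attachment through.
    """
    verdict = Verdict(True)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                verdict.allow = False
                verdict.reasons.append(f"{info.filename}: encrypted, unscannable")
                continue
            inner = scan_bytes(zf.read(info), info.filename)
            verdict.allow = verdict.allow and inner.allow
            verdict.reasons.extend(inner.reasons)
    return verdict


def build_zip(entries, encrypted: bool = False) -> bytes:
    """Hand-build a stored (uncompressed) zip so the sample runs offline.

    entries: list of (name, data) byte pairs. When encrypted=True the
    encryption flag is set in both the local and central headers; the data is
    left as plaintext because it is never read back.
    """
    flags = 0x1 if encrypted else 0x0
    local, central = b"", b""
    for name, data in entries:
        crc = zlib.crc32(data)
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                             crc, len(data), len(data), len(name), 0) + name + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               0, 0, 0, crc, len(data), len(data), len(name),
                               0, 0, 0, 0, 0, offset) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def demo():
    """Same constructed 'executable' shipped plain and inside an encrypted zip."""
    payload = b"MZ\x90\x00 constructed sample body DANCING-BUNNIES-MARKER-v1"
    plain = build_zip([(b"bunnies.exe", payload)])
    locked = build_zip([(b"bunnies.exe", payload)], encrypted=True)
    return scan_zip(plain), scan_zip(locked)


if __name__ == "__main__":
    for v in demo():
        print("allow" if v.allow else "block", v.reasons)
```

The plain archive is blocked because the marker is found; the encrypted one is blocked for a different reason, namely that nothing inside it could be examined. A scanner that instead reports "clean" on an unreadable entry is the gap the Beagle variant walked through, and the same fail-closed rule is why mail gateways commonly quarantine password-protected attachments outright.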


Comments (57)

  1. Anonymous says:

    So where can I see the dancing bunnies?

  2. Anonymous says:

    I don’t know where you can see dancing bunnies, but I know where you can go to see squirrel fishing:

    http://www.utacm.org/gallery/?pid=3946&cid=176

    🙂

  3. Anonymous says:

    Larry, I don’t completely disagree with your assertions, but I don’t completely agree either.

    From an information security perspective, antivirus is REACTIVE in nature to an existing KNOWN threat in which a signature has been built. Antivirus is a poor substitution for security best practices that can significantly reduce and mitigate risks to UNKNOWN attack vectors. AV definitely plays a part in a defense in depth posture, but if an attacker wants to make dancing bunnies do the mambo on a victim’s host, they are going to continue to find ways to do so while we rely on reactive technical safeguards like antivirus and antispyware.

    And as you point out, education isn’t going to solve it entirely either. The weakest link in security is the human factor, and if someone wants to watch a bunny dance… they will figure a way to do so.

    So what IS the right answer? Wish it were cut and dry. Least privilege can play a part here. As could virtualization and application containment. However, in the end a well designed mandatory access control system COULD indeed make for a safer computing environment that wouldn’t need antivirus or antispyware. Unfortunately, the desktop landscape is not willing to be confined in such a manner. Hopefully the changing security landscape being introduced through things like LUA and application containment in Longhorn will be able to assist us here. We will have to wait and see.

  4. Dean Harding says:

    I remember reading that comment, too. I think it was on (surprise, surprise) slashdot, in response to that article about the Channel9 interview with Steve Ballmer.

  5. Anonymous says:

    Dancing bunnies, huh. 300% scale wooden horses, huh. A jedi seeks not these things. A properly designed system includes a user who sees right through the dancing bunny, recognizes the Greek warriors inside, and deletes the email from the server without even downloading it.

    Unfortunately, such a user is rarely seen using a modern consumer OS.

  6. Anonymous says:

    Will people be able to see dancing bunnies on dumb terminals where only programs chosen by the admins are allowed to run (by registry settings)?

  7. Anonymous says:

    So….a properly designed system AND a properly designed user? 🙂

    Personally, I don’t have any anti-anything software on my laptop. Hardware firewalls, text-only mail interface and I run with LUA. So far, so good…

    I don’t want no steenking dancing bunnies!

  8. Anonymous says:

    Back in the days when there was no embedded scripting, the only way to be infected was by running the executables. (I know there are more kinds of infection strategies nowadays, but this remains the most commonly seen "technique".)

    It makes me think that "lack of automation" can sooner or later be advertised as software "feature" as well. 🙂

  9. Anonymous says:

    Although I agree that there will always be a need for tools to clean up after a system compromise, the need would be greatly mitigated by use of a capability-based security model in addition to an accessibility model. Perhaps this is what is meant by a properly designed system.

  10. Anonymous says:

    skaro:~ james$ touch dancingbunnies

    skaro:~ james$ chmod +e dancingbunnies

    chmod: Invalid file mode: +e

    skaro:~ james$ ./dancingbunnies

    -bash: ./dancingbunnies: Permission denied

    Behold OSX’s superior dancingbunnies protection 😉

  11. Anonymous says:

    http://en.wikipedia.org/wiki/Dancing_pigs

    Oh, and ‘Secrets & Lies’ is a fantastic book. Regardless of whether one agrees with the author or not, it should be read by anyone doing any security-related work in I.T.

  12. Anonymous: Ok, that’s it – dancing pigs… This is what happens when you post late at night…

    Dana, you may very well be right. There are some interesting things being done in this space, however :).

    I also forgot to mention that separation and sandboxing DO work on servers – because administrators are less likely to fall prey to the dancing pigs problem.

    I’m going to keep the post as bunnies even though it’s the wrong term of art.

  13. Anonymous says:

    So won’t the user just disable the anti-virus software to see the dancing bunnies? It seems like just one more technical hurdle.

  14. Anonymous says:

    If the operative word is NEED, then I would disagree with you Larry. "a properly designed system didn’t NEED any anti-virus or anti-spyware software". Like the other person pointed out, the anti-virus software is just another technical hurdle for the person who wants to see the bunnies. But the issue should be, if I am a responsible user, I should not HAVE TO get anti-virus and anti-spyware software. In that case I completely agree with the statement you find laughable.

  15. Anonymous says:

    I think you are mixing up the concept of a "virus" and just a malicious executable. Is your anti-virus program going to scan for _any_ malicious program? Is it going to detect somehow the difference of bunnies.exe erasing a temp file versus erasing an important Word document? Will it monitor all COM calls to make sure it isn’t subtly communicating with other processes and doing sly things?

    Any well written malicious program will be able to change and mutate, and having a virus-checker isn’t going to help much.

    And in any case, I’ve known people who have had, say, MS Powerpoint or Word do more damage to their files by crashing at inopportune times than any virus has ever harmed them. Should MS Office be flagged as malicious software by anti-virus software?

    Anti-virus and anti-spyware software can be used as a last resort to try to cover-up for a poorly designed OS.. but it should be that, a last resort. The fact that it is needed at all speaks volumes about the quality of the Microsoft operating environment.

  16. Vince, as long as users are allowed to add code to the machine, then you’re going to need anti-virus and/or anti-spyware.

    There is no PC operating system currently available that can protect users from malicious content that they download. You can lock a machine down to the point where users can’t install executable content (on Windows, OSX and *nix), but then the machine isn’t a PC anymore, it’s a computing resource 100% managed by an IT department.

    If users can download and run executable content, then malicious software will continue to exist.

    I’m not saying that virus scanners aren’t another hurdle. But they are a necessary hurdle. So is running with restricted rights, and proper admin/user privilege separation, and sandboxing, and…

  17. Universalis says:

    " but then the machine isn’t a PC anymore, it’s a computing resource 100% managed by an IT department."

    On this definition most people who have PCs don’t need PCs. Many of us would happily accept the occasional visit from (or to) the computer therapist if that meant we were proof against viruses or anything else that makes the system bagadap.

  18. Anonymous says:

    Larry, anti-V and anti-S cannot protect against or repair all of the ills caused by any executable you put on your machine. You are avoiding the real issue which is that the OS network services and common applications like Outlook are the entry points for malicious things that get in despite normal responsible use. No one expects someone to repair or protect against the most overt dancing bunny example, they simply want a system that does not usher the bad guys in through the back door.

  19. Anonymous says:

    I still think you are misusing the term "virus". Viruses are self-propagating, and in general don’t involve users intentionally downloading and executing code.

    The users I have to support who run Windows (mainly my family members) in general _don’t_ download random EXE files off the internet, nor save them from e-mail. Yet they do need to run anti-virus and anti-spyware programs. Why? Mainly due to Internet Explorer bugs.

    I think it is perfectly reasonable to make it _extremely_ difficult to install executable programs as a user. Yes, people will complain, but then let them enable it and face the risk. Just because a minority likes to complain is not a good reason to put _all_ users at risk out of the box.

    Relying on anti-virus software to protect you from malicious binaries is just a losing proposition.

  20. Anonymous says:

    "I saw a post the other day (I’m not sure where, otherwise I’d cite it) that proclaimed that a properly designed system didn’t need any anti-virus or anti-spyware software."

    This is correct. Windows is not correctly designed. Neither is Unix, nor Apples.

    A correct design exists and is practical, but it’s fundamentally different from everything we know in practice, and people aren’t very good at thinking that far outside of the box.

  21. Anonymous says:

    Unrelated to the previous posts, but why do you list "no properly designed computer should require a fan" as an unintelligent comment?

    I consider one of the biggest failings of modern desktops is the fact that they waste so much energy that they require fans.

    Hopefully we will soon move back to a world w/o fans. In fact I think computers should have _no_ moving parts. Much higher reliability. Thankfully the vast majority of computers in the world today don’t have fans, only desktops and servers do, so there is hope.

  22. Anonymous says:

    One of the problems with more intelligent users is that they merely fall prey to cleverer bunnies.

    Recently, I happened to get a PayPal scam email while I was bored, and opened it (in my text-mode email program), and couldn’t see an obvious scam about it — it was a "You just paid $650 for this vulgar thing, here’s your receipt", with no obvious "click here if this is a mistake" link. This raised my curiosity, and so I saved the source of the email to a file, and pawed through it, and discovered that all the usual "About paypal" and such links in it were fake. Hmm. Wonder what they’ve got at the back end of those, then? So I went to the root of the site, first, and discovered an apparently legitimate orthopedic shoe company. The actual link involved very odd subdirectories, though — I’m guessing the shoe company’s server had been hacked — so then I tried the actual link, to see what it was, and how plausible a fake it was. It came up blank.

    And my anti-virus program popped up to say, "This file that just got dumped in your browser’s file cache? It’s got this exploit in it…."

    Oops.

    Luckily it was an exploit for a different browser than the one I use, but still. A dancing bunny, disguised in plain obvious sight. And I fell for it.

    (And, Larry, I have to say that I like the term "dancing bunny" a lot better, so I’m glad you kept it.)

  23. Vince, I was hoping someone would notice that one 🙂

    It comes from an industry luminary who designed a computer with this design philosophy. Unfortunately, the tolerances for this computer were such that putting a piece of paper on top of the computer would cause it to melt down.

    Low power consumption and low heat are wonderful goals. But to say that a computer is flawed because it has a fan…

  24. Anonymous says:

    Larry, your post is crazy. Why should code being executed by the web browser (or a process spawned by the web browser) such as in your example be allowed to write to the registry or to the hard drive?

    If the user wants something to affect the state of their computer then it’s perfectly fine to get the user to do one step of extra work (i.e. browse to the folder where the executable was downloaded to and run it) as it is not something very often.

    The user has every right to expect the code to show the dancing bunnies, but not to overwrite random files on their hard drive.

  25. Anonymous says:

    LarryOsterman said: Low power consumption and low heat are wonderful goals. But to say that a computer is flawed because it has a fan…

    Very strange example. I agree that a properly designed machine should not burn up if thermal constraints are overloaded, but how does this in any way say that machines must have fans? I agree with the luminary. Any machine with a continuously operating fan is poorly designed.

    My primary machine is a G3 600MHz iBook running Linux. Except in _extreme_ cases (ambient room temperature above 90 degrees and running a CPU-intensive task) the fan in it does not come on. The machine is completely silent except for the hard-drive noise. It is great. Contrast that to most of the Windows machines I’ve had the misfortune of using; often even when idle the fans on them are so loud you have to crank up the soundcard volume if you want to listen to music. Poor design.

  26. But your ibook has a fan. In the eyes of that luminary, it’s a flawed design. It should be able to handle all normal use without it.

    Rob: Who said anything about the web browser? The user received an email that said: Save this java file on your hard disk and run it. When the security popup comes up, be sure to click "yes" or you won’t see the bunny. On some machines, you’ll need to disable the firewall, to do that, you do this.

    And they quite happily do that, and install the root kit.

  27. Anonymous says:

    Dear Reader of this Blog:

    To see dancing bunnies, go to Home Depot and buy a sledgehammer. First smash your computer case with the hammer a few times, then smash yourself on the head with it. If you do it properly, you’ll see dancing bunnies!

  28. Anonymous says:

    Now you are just being ridiculous. If Apple wanted, they could have created my iBook without a fan, and had it do CPU throttling or some other heat mitigation measure. It was probably a bit more cost effective to have an emergency fan. You are quoting this visionary out of context. Was s/he against the noise of the fan? Against moving parts? Did it look ugly in a clear case?

    I also too think it is a bit of a failure that my iBook has to have a fan, but am willing to live with the fact because I need it so rarely.

    Just because something is not easy with current technology does not make it laughably ridiculous to call for its elimination.

    If I really must have fan-free computing I’ll fire up my Apple IIe or my old Cyrix 486 box which both survive just fine with passive cooling.

  29. Roger, read this script. Look what it says. It says, "Rabbit gets klunked, rabbit sees *stars*." Not birds, STARS.

    It’s not dancing bunnies, it’s dancing STARS.

    It’s my understanding that the visionary in question believed that passive cooling should be sufficient for all computers.

  30. Anonymous says:

    Here’s a free version of a software product for end users using Windows desktops that uses virtualization to solve the end user problem of dancing bunnies

    http://www.greenborder.com/downloads/tdThankyou.html

  31. Dean Harding says:

    > Why should code being executed by the web browser (or a process spawned by

    > the web browser) such as in your example be allowed to write to the registry

    > or to the hard drive? If the user wants something to affect the state of

    > their computer then it’s perfectly fine to get the user to do one step of extra work

    But that’s actually the point. It doesn’t matter if the browser executed the code directly, or whether the user’s gone through 100 steps to get the code to execute: if the you *can* go through (any number of) steps to execute code, then the possibility of malicious code will always be there.

    Now, obviously Anti-virus software is just another step (I mean after all, the email could say "to see the dancing bunnies, turn off your anti-virus, use the password ‘showmethebunnies’ to unzip the attachment, and run ‘sucker.exe’" and you’d *still* get people infected.) But the point is that anti-virus software is not a sign of a badly-designed operating system. It’s just another line of defense, another hurdle, that malicious software developers have to jump over.

    The problem is somewhat confounded by the number of legitimate software installers which tell you to "disable your anti-virus software" to install the product. All you’re doing there is conditioning your users to disable their AV whenever they install something…

  32. msemack says:

    Ben Bryant,

    "You are avoiding the real issue which is that the OS network services and common applications like Outlook are the entry points for malicious things that get in despite normal responsible use."

    You’re going to have to clarify that statement a bit more. What "normal responsible" use of Outlook causes a machine to get infected?

    You don’t get infected with an e-mail virus unless you actually run the infected attachment. Outlook doesn’t run it for you. You have to do that yourself.

    In fact, by default, Outlook will block most "dangerous" attachment types such as EXEs.

  33. Anonymous says:

    I’ve read all those posts suggesting that the solution to the malware problem is to add hurdles so the user cannot run the malware without confirming they want to in any number of ways. You’ve all absolutely missed the reason that antivirus software is a better solution than anything you’ve suggested.

    The "solutions" suggested here all pose hurdles to the user for legitimate use as well as when malware is involved. Those hurdles are likely to cause:

    a) first frustration

    b) second an automatic, undiscerning, mechanical response after the hurdle is seen a few times – eventually offering no protection at all

    Antivirus software is superior. It offers little interference during legitimate use. The user is more likely to be surprised and take notice of warnings when they occur. The warnings can be worded in a very strong way because they’re only displayed when it is incredibly likely that malware is involved. The user is usually not presented with any way to bypass the protection because it is almost certain that malware is present.

  34. Anonymous says:

    > What’s the dancing bunnies problem?

    > It’s a description of what happens when a

    > user receives an email message that says

    > "click here to see the dancing bunnies".

    That is indeed a big problem. But an equally big problem is when a user receives an email message that tells Outlook Express "automatically click here without waiting for the user" and Outlook Express obeys. Or Internet Explorer, or whoever.

    Wednesday, July 13, 2005 1:43 PM by vince

    > And in any case, I’ve known people who have

    > had, say, MS Powerpoint or Word do more

    > damage to their files by crashing at

    > inopportune times than any virus has ever

    > harmed them.

    Yup. And even Windows 95 without crashing, and Windows 2000 during boot, and most likely Windows 2003 during boot but fortunately I caught that one just in time. Even a former employer who granted ownership of every Word document in the company to Ethan Fromme lost fewer files than that.

    Wednesday, July 13, 2005 8:31 PM by Amit Joshi

    > Here’s a free version of a software product

    > for end users using Windows Desktops that

    > uses virtualization to solve end user

    > problem of dancing bunnies

    That page doesn’t mention anything being free for end users, and they do demand (maybe not enforce, I didn’t try it, but they do demand) a business e-mail address not a personal e-mail address.

    By the way, do you know if their product is really so effective that every Windows Update will be disabled? They seem to be promising that, but I don’t have a chance to check.

    By the way, speaking of Windows Update, there’s another reason why users have been trained to click for dancing bunnies.

  35. Anonymous says:

    [quoted]

    http://www.greenborder.com/downloads/tdThankyou.html

    [/quoted]

    I viewed the page with lynx and didn’t find anything interesting. But the idea of disabling DEP troubles me. 😛

    Good security related programs should be designed to work with (at least with those that do not offer the same functions) other security related software so as to add additional protection against attacks.

    What the web site suggests sounds to me like being told to go naked on a street by a stranger. 🙂

  36. Anonymous says:

    Larry Osterman said:

    > Who said anything about the web browser? The user received an email that said: Save this java file on your hard disk and run it. When the security popup comes up, be sure to click "yes" or you won’t see the bunny. On some machines, you’ll need to disable the firewall, to do that, you do this.

    There has to become a point where the user realises that they are having to jump through too many hoops and what they are doing is wrong. Maybe I’m being too optimistic and there will be a day of carnage when someone spams these types of people saying "flicking the voltage level switch on the back of your computer will double its performance." Maybe evolution taking effect to remove these people from the computer equivalent of the gene pool?

    I still hold that any child processes of an internet application (web browser, email client, news reader, whatever) should be run with reduced privileges.

  37. Anonymous says:

    "There has to become a point where the user realises that they are having to jump through too many hoops and what they are doing is wrong"

    Not if every time they install anything they have to jump through those same hoops.

    This is why virus scanners work so well, they only put an obstacle in the way when something is wrong. This greatly increases the chances that the dialog will make the user stop and think. Combined with a general awareness that computer viruses exist and are a bad thing, it’s a very effective technique.

    "I still hold that any child processes of an internet application (web browser, email client, news reader, whatever) should be run with reduced privileges."

    Where does that end though? The user will just be given instructions to save the file to disk and double click it (or whatever your favourite OS metaphor is.) If they think they want to run it, nothing is going to stop them trying. The only cure is to educate people not to want to run things and that’s the hardest problem to solve.

  38. Anonymous says:

    I’m a security geek. I spend a lot of my time educating administrators and developers on the "dancing bunnies" problem: a bad guy will always execute arbitrary code on a box inside the enclave. Period, done, dot, no questions, always.

    I’m glad you get it.

    But what about the next step down that path, Larry? Consider the sysadmin of a large corporation, whose networks contain data sensitive enough to warrant an intelligent, determined attacker. Banks, credit card companies, governments, etc. There’s no virus signature or spyware definition for his code. What is he to do?

    Yes – there are tons of technologies to help further harden the network and make the job more difficult. But the bottom line remains: some bad guy has a rootkit running on my network, I don’t know about it, and there are no real tools to find it. Heaven help me if the user had admin access and the rootkit is taking active hiding measures vice the passive, plain-sight techniques popular with spyware.

    We need a serious culture change in the security technologies we provide to the sysadmins. Those guys have no chance, and once a bad guy has got his bunnies in the door, he’s not coming out.

    J.J.

  39. Anonymous says:

    Never underestimate the ingenuity of complete fools.

  40. Anonymous says:

    "Consider the sysadmin of a large corporation, whose networks contain data sensitive enough to warrant an intelligent, determined attacker. Banks, credit card companies, governments, etc. There’s no virus signature or spyware definition for his code. What is he to do?"

    a) lock down workstation configuration (including Software Restriction Policies)

    b) use Windows DRM

    It’s really not that hard (especially with MS software)

  41. Anonymous says:

    What annoys me is when people get all flustered when an Anti-Virus program finds something. All I can say is "Aren’t you glad it found it before it could do any damage?".

    But they don’t see it that way. To them, the message is a frightening annoyance.

    BTW: I’ve never had a virus since XP came out and I have no clue where most of the spyware comes from that I have to clean off people’s systems.

    I guess it wouldn’t be a good marketing move for MS to say "Look, we never get this junk on OUR computers and we’re using the same OS as you. I guess the problem must be you, not the OS".

    THAT would go over well 😉

  42. Anonymous says:

    The argument I’m hearing here is that the only security vulnerability that Outlook, and by extension I suppose Outlook Express, has is that users open attachments. This is so obviously not true that I am worried that the people making it are on Microsoft-supplied drugs. This is the implication of the blog post, but it is also a statement made by various commenters. This is so much bull, do I actually have to compile a list of links here to various Outlook vulnerabilities over the years that did not require anyone to open any attachment?

  43. Anonymous says:

    Vince,

    As regards CPU fans, Intel didn’t trust OEMs to calculate the correct heatsink so they supplied fans with the CPUs so it didn’t matter.

  44. Anonymous says:

    "a) lock down workstation configuration (including Software Restriction Policies)

    b) use Windows DRM

    It’s really not that hard (especially with MS software)"

    Have you actually deployed either of those two technologies in a production environment, larger than your testing lab? The technology isn’t ready yet and the industry isn’t supporting them. Token effort, with no follow through.

    JJ

  45. Moz says:

    Secrets and Lies… interesting title. There’s another book called that by some guy Schneier as well. I prefer the first one (see URL)

  46. Anonymous says:

    Late reply, Larry, but I was thinking about this and you know, really, there are other dancing bunnies that do not even require code to run. Heck, the user can be dumb enough to damage themselves. For example the jdbgmgr.exe email hoax. This still continues to circulate on the internet; it circumvents all virus software, requires no code to run.

    http://www.sarc.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html

    I think I have said before I work at a large Fortune 500 company and you know it seems every month some email hoax runs through and we get users calling the help desk. We even had one call one time while I was in the help desk area talking to a tech support guy telling him how to fix a problem. The problem was one user wanted to know why on the intranet I developed he was getting pop-up ads for porn. I was walking him through trying to find the spyware this user somehow got installed. Anyway, I overheard another help desk person telling someone that called "No, Bill Gates does not have an email tracking program and he is not reading your email, and no, I wouldn’t count on him sending you a check later on." So yes, while antivirus can help, locking down a PC can help, I am so thankful some days that a vast majority of my apps are all server based. I do really love the days when I get to create Windows services that run on servers even the Domain Admins can’t mess them up.

  47. Anonymous says:

    Damn, this is so well said. This article was called the stupidest ideas in computer security. I cannot believe the nerve in people trying to marginalize antivirus utilities…they must never have worked at a helpdesk before.

  48. Anonymous says:

    Raymond today has a discussion up about the folly of trying to set security with a granularity of per-DLL. …