From Thanh Nien Daily: Survey
finds computer virus explosion in Vietnam:
security center said Wednesday 232 computer viruses, adware, and
spyware were spotted this year, up from 84 last year. A survey of 2,000 users by the
Hanoi University of Technology’s Bach Khoa Inter-network
Security Center (BKIS) showed 94 percent of
computers to be infected with viruses, and 87 percent
with spyware and adware.
Spyware is a
covertly gathers user information through the user's Internet
connection, usually for advertising purposes. Adware
is a form of spyware that collects information about the user to
display advertisements in the web browser based on the information it
collects from the user's browsing patterns.
percent of the surveyed
users said their companies or organizations had to stop working for at
least one day due to virus infections. Viruses
hit 96 percent of computers of people working in the field of commerce,
95 percent in education, and 94 percent in services.
... By late
last month, Vietnam
had 9.9 million Internet users, or over 11.9 percent of the total
population, compared with 6 million and 7.3 percent a year earlier.
Nearly 2.7 million were Internet subscribers, many of whom used
broadband, the Vietnam Internet Network Information Center told Xinhua,
noting the country's total international bandwidth stood at 3,505 Mbps.
Vietnam linked up with the global computer network in December 1997.
Here's the situation as I see it. This country got a fairly
population of users. They're growing rapidly too: the figures above
equate to 65% growth per annum. Most use the Internet
Cafes or at work, some use them over a phone modem, and very few use
broadband connections like ADSL. Accordingly, technological literacy is
growing - albeit slowly. Two years ago, many Internet Cafes didn't have
software; even the administrators didn't know any better. Installation
is now the norm. However, I'm not sure how many people suss out that
you're supposed to keep your anti-virus
files up to date as well.
Installation isn't enough; you've got to download the latest patches to
fight the newest viruses. Antiviral software are essential for Windows
machines in this day in age. But they have to be used properly, and not
just as a totem to ward off evil. For these reasons, I'm dismayed (but
not too shocked) at the 9X% incidence of infection.
I wouldn't blame the users too much, however. First,
people speak Vietnamese... but computer security material is generally
written in English. This discriminates aagainst the computer
- but it really causes problems for the amateurs, the computer
hobbyists and so forth in this country. Unless someone translates for
them, they'll be kept in the dark like everyone else. The second
problem is that most users don't use their own machine. It's owned by
someone else, whether it is their employer or the local cafe. If the
machine crashes, it's not their problem, but that of the people who are
meant to maintain the machines. (Do not pass Go; go straight to coffee
break.) In short, they've got less incentive to learn. One final
factor: this is a place where hardware is expensive, but
is pirated and cheap. If the machine is well and truly cocked up, you
save as much as you can and reinstall. Never mind that you've
about 20 new security patches as well.
Then, there are incidents when the lack of local knowledge
interferes with my machine, and I get really pissed off. A
ago, when my wife had her own graphic design business, some one decided
to install PurityScan
don't click) on some of the computers, including my laptop. The woman
thought it was some sort of anti-viral software. Alas, it's not; it's spyware,
as I tried to explain to her afterwards... but I got the feeling she
wasn't grokking what "spyware" was.
And there was that time, a month ago, when I got
reconnected to ADSL, and someone decided to turn the firewall off. Imbecility.
Now, we have a new virus on the scene: the Windows
Metafile Vulnerability. It's a nasty one, too. From Wikipedia:
The Windows Metafile
vulnerability is a
vulnerability in Microsoft Windows which was first disclosed on Bugtraq
on 27 December 2005 , and subsequently used in a variety of
exploits. The vulnerability, located in gdi32.dll, arises from the way
in which Windows operating systems handle Windows Metafile (WMF) vector
images, and permits arbitrary code to be executed on affected computers
without the permission of their users. Windows versions from Windows 98
to Windows Server 2003 R2 are known to be vulnerable to the exploit,
while versions as old as
Windows 3.0 are probably also vulnerable. Exploits of this
vulnerability are thus among the very few examples of genuine drive-by download.
So we've got a 15 year old bug that's now become a problem.
what I know about Microsoft quality assurance, I'm not too
surprised. However, this is the sort of bug where you could infect
yourself instantaneously by viewing the wrong page. Especially with
that abomination called Internet Explorer, which still seems to be the
norm here. But other browsers aren't safe either. The flaw is in the
operating system, and how it display the file.
Don't trust your anti-virus software either. We learn
from the Internet
Storm Centre how the malicious WMF files could be tweaked in
almost infinitely random permutations - making it harder to detect by
antiviral software. This quotes an email by "white hackers" Metasploit,
who are trying to show how the WMF vulnerability could be exploited:
We released a
new version of the metasploit framework module for the WMF
flaw, this one uses some header padding tricks and gzip
encoding to bypass all known IDS signatures. Consider this
"irresponsible" if you like, but it clearly demonstrates that a
run-of-the-mill signature-based IDS (or A/V) is not going to work for
this flaw. If anyone has any questions about why we are releasing these
types of modules so early after the disclosure, feel free to drop me an
So what can you do, dear reader? Fortunately, there are
several things you can do.
- First: check if you are vulnerable. From IDA
Pro, you can download a program from that address, and run
it. It will not infect your machine; it will only test it, and state
whether you are vulnerable or not. I have run this program.
- Secondly, if you are unprotected, install
the patch on your computer. It's not by Microsoft, I'm afraid;
they seem to be on an extended New Years Break. But there's a temporary
hotfix also by IDA Pro. What it does is disable the dodgy
command in gdi32.dll. I've installed it. It works fine. Microsoft will
probably get around to releasing an "official" patch in a fortnight or
so. But that may be a little long to wait.
- Thirdly, Sunbelt
Blog recommends that you unregister
As CERT says,
“Remapping handling of Windows Metafiles to open a program
other than the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may
prevent exploitation via some current attack vectors. However, this may
still allow the underlying vulnerability to be exploited via other
known attack vectors.” ... At any rate, here’s how
you do it. From the command prompt, type REGSVR32 /U
SHIMGVW.DLL. A reboot is recommended. (It works
post reboot as well. It is a permanent workaround). You can
also do this by going to Start, Run and then pasting in the above
command. This effectively disables your ability to view images using
the Windows picture and fax viewer via IE. However, it is not the most
elegant fix. You’re probably going to have all
kinds of problems viewing images. But, no biggie: Once the exploit is
patched, you can simply type “REGSVR32 SHIMGVW.DLL”
to bring back the functionality.
- Finally, it won't do you any harm (and it will do you a lot
of good) if you stop using Internet Explorer. Perhaps you could change
to another browser like Firefox, which both my wife and I use
happily. This may be hard at work if clueless system
administrators insist you use IE. But you have no excuse at
How will this affect the Vietnamese computing community? There
is some awareness, at least: Nhân
Dân has an article on it, and so does VCDOnline.
But it looks like there's going to be a lot of infected machines. It
will take time for information to percolate down to the users. More
people will use the Internet, ignorant of viruses and adware and
spyware. Most people already on line won't change their habits; they'll
continue to use IE, and forget to update their anti-virus patches, and
their machines will end up trashed. Then they'll reinstall and start
again. Just like anywhere else, really.
Oh, and I'd best say Happy New Year. We'll need it.