Wouldn't it be easy for someone to name a downloader or trojan file with what looks like a legitimate driver file name and trick the unknowing user into downloading and executing that file?
Of course it would! And that is exactly the mindset you should have: distrusting, skeptical and suspicious.
For instance, Norton identifies the threat on one of the sites as Spyware.Perfect at the link "http://www.soft32.com/download/63-253156-1/i_bpk2007.exe" I don't know what that looks like on the actual page (because I didn't want to go to the page),...
I did, and unfortunately the download link doesn't work. I've never used Soft32.com before, so I don't consider it implicitly trustworthy, and since I can't download the file in question, I guess I won't have a chance to confirm. In any case, the driver version offered there is so old I didn't even consider it anyway.
...but if someone titled that link as "Atheros Driver AR5005G," how would I know that it is spyware and not a legitimate driver?
You wouldn't. (Well you might, I mean I would, but more on that later...) Here is where the distrusting, skeptical and suspicious mindset must be combined with a little common sense and some experience. In the end, unless you want to write your own OS, software, drivers, etc. you have to trust *somebody* at least *sometimes*. The simple answer is that you use your knowledge and experience, combined with some common sense to decide who or what is trustworthy or not. See in my previous post where I said:
"Where possible, I prefer to download the latest drivers directly from the chipset manufacturer. Unfortunately unlike many other device manufacturers, Atheros does not provide drivers to end-users, meaning they can't be downloaded from the Atheros site."
By default I consider both the device OEM and the chipset mfr. as trusted sources, which is one reason why I only download drivers from them where possible. For example, just last night I was at a friend's house, and he mentioned he was having problems with his Linksys WMP600N Wireless-N card, where it wasn't staying connected and the Linksys Wireless Manager software was making him click a button to reconnect every time that happened. He was kind of far from the access point, and had low signal strength, but I thought I'd see if I could improve the situation. The first thing I did was to uninstall the Linksys "Manager" software, telling him that he should just use Windows' built-in software to manage the wireless connection, and that most of those client manager programs are garbage. Windows has a setting to automatically "Connect when this network is in range", which would prevent him from manually having to click to reconnect if the connection momentarily dropped. Then I looked at his driver and decided to see if a newer one was available. He was using v1.2.1, and Linksys had a newer v1.4.3 available (which I would implicitly trust, being from Linksys and all <g>), but I decided to check with the chipset mfr. to see if something even newer was available (which I would also trust). The Linksys specs didn't indicate what chipset was used in the card, but the PCI Vendor/Device code was VEN_1814&DEV_0601, which pointed to a Ralink RT2860 chip. Unlike Atheros, Ralink does provide drivers to end users, and they had a much newer version 1.4.12 available for XP, which is what I downloaded and installed. With the new driver, and with Windows managing the connection, his dropout problem was solved.
While in the Atheros case I would have liked to get an implicitly trustworthy driver directly from Atheros, that was not possible, so I had to decide among the other sources I had found what was trustworthy or not. There are several general purpose software download sites that I consider trustworthy, such as MajorGeeks, etc. However, in this case none of my known trusted sites had what I thought were the latest Atheros drivers, so I had to venture into untrusted territory.
Here is where I probably have an advantage over most users. I *do* know what a driver is supposed to "look like", and was able to examine the files using various tools in order to verify to my satisfaction that the files and contained code were from Atheros and contained no malware. If I have any lingering suspicion about a downloaded program and am unable to fully verify it by examining the files/code myself, I will then usually scan it with a manual scanner like ClamWin, and even if it passes that, will run it in a quarantined environment such as a Virtual Machine or a quarantined physical test system I have on hand, before ever deploying it on any actively used systems. So, while I would by *no means* automatically consider any of the sites that turned up in the search as trustworthy, I personally vetted the specific driver I found and recommended (in fact I'm currently using it on my own system), and so far am giving a thumbs-up for the Station-Drivers site in general. So in that case I guess the question then becomes, do you trust ME?
...aren't there viruses or other malicious software that download immediately upon visiting a particular website?
Simple answer: No, *if* you keep updated. But to be completely honest and accurate the answer is: Theoretically and technically "Yes", but essentially and practically (for updated users) "No". See in my previous post where I said:
"I keep up-to-date with Windows updates, which pretty much eliminates the possibility of anything being installed on my system without my active participation (i.e. without tricking me into installing something)."
By "pretty much eliminates" I mean that while it is possible to be hit by a zero-day exploit (a bug or flaw that is actively exploited before the update to correct it appears), encountering such things would be exceedingly rare for any user who stays up-to-date (i.e. one who has Windows Automatic Updates
To show how timely this is, a vulnerability in IE that could allow remote code execution by viewing a specially crafted Web page was reported on November 23, 2009, and a patch to correct the problem was released on December 08, 2009. For those who don't keep their systems up-to-date, the threat of exploits like this is much more real, because once an update is published, malicious programmers are now aware of it and can begin writing exploitative code, counting on the fact that many people will not install the update.
Bottom line: By keeping your OS, browser and other important applications updated, and by acting like an educated, skeptical user and only running *trusted* software (and thoroughly vetting and/or testing anything you don't implicitly trust), you can avoid problems with malware without having to use bog-the-system-down anti-malware software. Scott.
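Added example (not part of Scott's post, and not his tooling): a PowerShell script that mechanizes two of the checks described above, identifying the installed chip from its PCI Vendor/Device ID (the VEN_1814&DEV_0601 -> Ralink step) and then vetting a downloaded driver package before it is installed, by confirming its INF actually lists that device and by checking the Authenticode signature and SHA-256 hash of every binary in it. The package path and the "Wireless" name filter are hypothetical placeholders; the vendor-ID table contains 1814 (Ralink, from the post) plus a few well-known PCI vendor IDs added as reference data.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+ on Windows and
# a driver package already extracted to $PackagePath (hypothetical path).
param(
    [string]$PackagePath = 'C:\Downloads\driver_package',  # hypothetical location
    [string]$DeviceNameFilter = 'Wireless'                  # substring of the adapter's friendly name
)

# PCI vendor IDs: 1814 is Ralink (from the post); the rest are well-known IDs added as reference data.
$VendorNames = @{
    '1814' = 'Ralink'
    '168C' = 'Atheros'
    '14E4' = 'Broadcom'
    '8086' = 'Intel'
    '10EC' = 'Realtek'
}

function Get-PciIdFromHardwareId {
    # Parse 'PCI\VEN_1814&DEV_0601&SUBSYS_...' into a vendor/device pair (upper-case hex).
    param([string]$HardwareId)
    if ($HardwareId -match 'VEN_([0-9A-Fa-f]{4})&DEV_([0-9A-Fa-f]{4})') {
        return @{ Vendor = $Matches[1].ToUpper(); Device = $Matches[2].ToUpper() }
    }
    return $null
}

# 1. Ask Plug and Play what chip is really in the machine; the box or spec sheet may not say.
$device = Get-CimInstance Win32_PnPEntity |
    Where-Object { $_.Name -like "*$DeviceNameFilter*" -and $_.PNPDeviceID -like 'PCI\*' } |
    Select-Object -First 1
if (-not $device) { throw "No PCI device matching '$DeviceNameFilter' was found." }

$installed = Get-PciIdFromHardwareId $device.PNPDeviceID
$vendor = $VendorNames[$installed.Vendor]
if (-not $vendor) { $vendor = 'unknown vendor' }
"Installed: $($device.Name) -> VEN_$($installed.Vendor)&DEV_$($installed.Device) ($vendor)"

# 2. Does the package's INF claim support for exactly that VEN/DEV? A "driver" whose INF
#    never mentions your device (or that ships no INF at all) is the first red flag.
$infFiles = Get-ChildItem -Path $PackagePath -Recurse -Filter '*.inf' -ErrorAction Stop
$claimed = foreach ($inf in $infFiles) {
    Select-String -Path $inf.FullName -Pattern 'PCI\\VEN_[0-9A-Fa-f]{4}&DEV_[0-9A-Fa-f]{4}' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { Get-PciIdFromHardwareId $_.Value }
}
$matchesDevice = $claimed | Where-Object { $_.Vendor -eq $installed.Vendor -and $_.Device -eq $installed.Device }
if ($matchesDevice) {
    "INF lists VEN_$($installed.Vendor)&DEV_$($installed.Device): OK"
} else {
    Write-Warning "No INF under $PackagePath lists the installed device. Wrong package, or not a driver at all."
}

# 3. Who signed the code? Each .sys/.dll/.exe/.cat should carry a valid Authenticode signature
#    whose subject is the chipset maker or the OEM, not a download site or an unknown publisher.
#    The SHA-256 hash lets you compare the file against a copy from a trusted source.
$binaries = Get-ChildItem -Path $PackagePath -Recurse -Include '*.sys', '*.dll', '*.exe', '*.cat'
$report = foreach ($f in $binaries) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File   = $f.Name
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-Table -AutoSize

$bad = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) file(s) are unsigned or carry an invalid signature. Try them in a VM first, not on a production machine."
}
```

A valid signature only tells you who signed the file and that it has not been altered since; it is not proof that the code is benign, and a valid signature from a publisher you were not expecting (a download-site company rather than Atheros or the OEM) is itself a red flag. Conversely, XP-era drivers from chip vendors were often shipped unsigned, which is exactly the case where the rest of the post's advice (scan it, then run it in a quarantined machine before trusting it) still has to do the work.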