Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Privacy Operating Systems Software Windows Your Rights Online

Analysis of Spyware 246

Posted by timothy from the incompatable-with-my-OS dept.
scubacuda writes "What actually happens when you install adware/spyware/malware? Follow the Bouncing Malware examines what's downloaded, redirected, and obfuscated. A fascinating read. (Part two was postponed in order to cover a new My Doom variant.)"
This discussion has been archived. No new comments can be posted.

Analysis of Spyware More

Analysis of Spyware

Comments Filter:

  • Even Sevens (Score:5, Interesting)

    by mfh ( 56 ) on Saturday August 07, 2004 @11:41AM (#9908610) Homepage Journal
    > And that's were I'm going to end it for today. In the next part, I'll take a look at what happens as this chain of malware continues on it's merry way, and I'll also investigate what happens when I fire up IE the next time and visit my new home page.

    Personally, I think you should examine ways to get even. Even-Stevens.

    Up until this point, I've seen lots of anti-spyware put out that blocks spyware and protects your system from unjustified Reg entries etc., but it generally stops there. It's a shield when what we need is a shield and a sword.

    Covenants, without the sword, are but words, and of no strength to secure a man at all -Hobbes

    What I would like to see is anti-malware that bites back, hard.

    We had this site going a while back that was going to test anti-trolling methods, like by taking a troll user and stuffing them in their own world. All their posts would be modded up and their view of the site was totally different than the users who were not trolls. Of course in tests it was easy enough for them to spoof their IP to get past this, but many of them didn't realize how to do it.

    But for malware sites, what if we came up with a solution that would detect it and let it believe it was working, but generated the data needed to put these goofs in jail. I think the SETI distributed computing model could be slightly altered to work to this end.

    Then we could get Even-Stevens.

    • Re:Even Sevens (Score:5, Insightful)

      by FooAtWFU ( 699187 ) on Saturday August 07, 2004 @11:47AM (#9908651) Homepage
      What I would like to see is anti-malware that bites back, hard.

      Well, you could feed the spyware's controllers some fudged data, but how do you think you're going to get a SETI@Home-like model to "generate the data needed to put these goofs in jail"? Please, explain how repeated computation of fast Fourier transforms will do anything to uncover the spyware's owner. :)

      Suppose we managed to get your nice antispyware software to collect data on the spyware's owners. What form do you think that data will take? I'm guessing it would be little more than IP addresses. Perhaps you can convince the authorities to subpeona the ISP for the owners of those addresses, but I doubt it. Good luck.

      • Re:Even Sevens (Score:3, Interesting)

        by Anonymous Coward
        Perhaps you can convince the authorities to subpeona the ISP for the owners of those addresses, but I doubt it.

        Why is it that "the authorities" are interested in subpoenaing the addresses of filesharers, but not illegal malware scammers?

      • Re:Even Sevens (Score:3, Interesting)

        by bhtooefr ( 649901 )
        You could say that your Internet browsing patterns, or things you entered into forms, were copyrighted (say that you were attempting to create a geographic art form by traveling the Internet, and use that as the thing that they broke copyright on), and get them with 512(h) of the DMCA (all you need is a "good faith belief that someone violated your copyright", after all)...

    • Re:Even Sevens (Score:4, Insightful)

      by LostCluster ( 625375 ) * on Saturday August 07, 2004 @12:23PM (#9908783)
      You're missing a key point. Spyware operators can't be put in jail because they're not breaking any laws simply by publishing spyware. Being scum is not a crime.

      A virus gets onto a user's computer through security holes, but malware simply walks through the front door stating their evil intents in a clickwrap TOS that the user usually doesn't read. There's no crime in getting people to agree to something stupid in exchange for a silly little app that runs in the corner of their screen.

      • Re:Even Sevens (Score:2, Informative)

        by nkh ( 750837 )
        I don't have Windows, but I've seen stories on /. about users infected by spywares, instead of the usual TOS clicking.

        • Re:Even Sevens (Score:5, Interesting)

          by Crizp ( 216129 ) <chris@eveley.net> on Saturday August 07, 2004 @03:09PM (#9909573) Homepage
          I got a cousin whose Windows XP would display 31 (he counted them) popups (a new, different one after the previous had been closed), when he logged on his user profile.

          After I reinstalled XP for him, I installed Firefox and ordered him to use that and forget about IE unless he wanted to be hit upside the head with my cluestick. He doesn't know much about the underlying technology of computers and recent software but everyone in the family understands when I say "use that and evil stuff might be installed on the PC even if you're only surfing around". They take my word for it as I'm the resident geek.

          I did the same with his family's computer. Now I just have to explain stuff to the youngest son who insists on using BearShare, Kazaa (even if I've said NOOOO!) and such stuff. He downloads and installs small programs. Once, the family computer was infected with over 150 viruses.

          My cousin is extremely happy with Firefox, once I've shown him the concenpt of tabbed browsing, he's never looked back. And the computer don't get as much spyware installed now. The younger brother screws that up a bit 'cause he won't listen. Damn nu-metal ignoramus :)
      • I would say that most spyware out there is not even installed by a program with the permission of the user, but IE holes that allow websites to install crud.
      • RTFA. He went to a web site which had a popup which, through a series of iframes and such, including obfuscated code etc., wound up exploiting a vulnerability in IE to download a progra, and change some keys in the registry

      • Re:Even Sevens (Score:4, Interesting)

        by ScrewMaster ( 602015 ) on Saturday August 07, 2004 @10:56PM (#9911506)
        Actually, no. The vast majority of mal-ware is installed via drive-by downloads using Internet Exploited^H^H^H^Hrer. The only reason people see a click-through is because they're lucky enough to install an application that happens to ask for permission ... and I've seen a number of these things that go ahead and install themselves even if you click No. Once you've run the setup program you're probably screwed.

        I did something similar to the article's author some time ago, although I wasn't particularly detailed in my "analysis." I set up a dummy XP Pro machine (unpatched, since that's how Joe Average's machine will likely be even if he does have broadband and knows how to use WindowsUpdate) and started browsing around for a couple of days as I normally would. I installed no applications other than those that came with XP. At the end of my test period, I had a couple of dozen different unauthorized apps running that entered the system solely through the browser. No warnings, no click-throughs ... just stealth downloads. The test machine was a reasonably fast 1.4GHz Athlon but it was decidedly sluggish at the end. I did have to get rid of a couple of browser hijackers along the way just so I could continue the test. I used Spybot and Ad-Aware to get some idea of the actual programs that were installed: the list was pretty extensive but I have no idea if I found them all. The network it was attached to is otherwise pretty thoroughly firewalled and anyway these weren't worms.

        And I wouldn't be so sure these jerks aren't breaking any laws. Regardless of the privacy implications, spyware causes damage. Trashed systems, lost data, personnel time spent cleaning infestations and so forth. I've seen corporate workstations with thirty or forty spyware applications running simultaneously, causing major performance loss and instabilities. It wouldn't be hard for a corporation with a few hundred workstations to get the FBI interested with a legitimate damage claim of a few hundred grand in losses.

        Spyware, malware, adware, spam ... all of these are parasitical activities on the part of a diseased few. And they have been greatly aided and abetted in their behavior by the likes of Microsoft, who either by design or by incompetence made such things trivial to implement on a vast scale. My feeling is that, given the relative importance of the Internet to all of the world's largest economies (and to the developing nations that would like to use it to improve their own lot) some kind of immune system will have to be developed to deal with these parasites. That may involve gunshot wounds to the head, I don't know.
    • [test anti-trolling methods} by taking a troll user and stuffing them in their own world. All their posts would be modded up and their view of the site was totally different than the users who were not trolls.
      Posted by userID #56 on /.

      Now I understand how I got Excellent Karma! :-)

  • In other news (Score:4, Funny)

    by Anonymous Coward on Saturday August 07, 2004 @11:42AM (#9908619)
    Ive heard that MyDoom 3 has just been released too... a much darker scarier variant which seems to have originated on mars

  • What happens? (Score:5, Funny)

    by Rosco P. Coltrane ( 209368 ) on Saturday August 07, 2004 @11:43AM (#9908621)
    What actually happens when you install adware/spyware/malware?

    I'm not sure. Let me ask BonziBUDDY...

  • firefox testimonial (Score:5, Insightful)

    by Anonymous Coward on Saturday August 07, 2004 @11:46AM (#9908640)
    I have been an IE devotee since v4.x came out. I have recently moved over to Firefox in order to stop me having to keep up with all the security problems I started to experience only inthe last couple of months.

    Seriously, how hard can it be for MS to write an application as straightforward, yet secure as Firefox.

    I downloaded Service pack 2 release candidate and noted a lot of security improvements and features, but in agreeance with with MS whom today released the full Service pack 2, it seems to mainly add 'bars and locks' to your 'doors and windows'. Whereas Firefox seems to be a better neighborhood to live in from the start.

    • Re:firefox testimonial (Score:5, Interesting)

      by TheHawke ( 237817 ) <rchapin.stx@rr@com> on Saturday August 07, 2004 @11:51AM (#9908659)
      Oh Mod this parent up!
      You hit the nail on the head several times with firefox's security. It does seem to have marked improvements over IE in security, blocking 'wares from going off in your system, to barring banners from starting up, ever!

      Of course I maintain a hosts file that pretty much keeps them at bay.

      http://www.pelicancoast.net/~nighthawke/hosts.zi p

    • Re:firefox testimonial (Score:5, Insightful)

      by Rosco P. Coltrane ( 209368 ) on Saturday August 07, 2004 @11:56AM (#9908672)
      Seriously, how hard can it be for MS to write an application as straightforward, yet secure as Firefox.

      Perhaps lots [ca.com] of [symantec.com] people [bitdefender.com], including Microsoft itself [theinquirer.net], have an interest in perpetuating the myth that software is inherently insecure.
      • Here's my homebrew mod point for you, sir. Right on the money.

        Insecure software creates a whole economy for crutch-software. If software were secure, entire corporations would go bankrupt.

        • Re:firefox testimonial (Score:4, Funny)

          by Donny Smith ( 567043 ) on Saturday August 07, 2004 @02:01PM (#9909279)
          Oh, I get it now - Microsoft makes shitty OS and then secretly invests in anti-virus companies to make money!

          Shiiit, maybe I should have put this in the slashdot-user-friendly format with little numbers as in:
          1. Write shitty OS
          2. Invest in A/V vendors
          3. Profit

          What a bunch of bullshit.
          • Yeah good point! Gosh I was silly to think that Microsoft would engage in dubious business practices! Golly, it's completely shocking to think that Microsoft stands more profit more from the A/V business than from fixing its own security problems.

            Hmm.. let's think about that. Let the flaws continue and create an industry that doesn't compete with core Microsoft business. When that industry is rolling in cash, point out that Microsoft has them by the balls. If they fixed the flaws, those businesses wou

    • Just not IE! (Score:5, Informative)

      by yoshi_mon ( 172895 ) on Saturday August 07, 2004 @12:42PM (#9908887)
      I realize that Firefox and Mozilla get all the glory here on /. due to them being OSS but the bottom line in all of this is just that IE is the one to blame.

      I've been using Opera since v5.x and have never looked back. Lately I've seen a lot of improvement in Firefox but they are still playing catchup with Opera.

      For whatever reason Opera only seems to get a nod here when it should be getting a lot more but cest la vie. I personally will continue to support Opera until they sell out or whatever but I hope that they, and everyone else, realize that having a marketplace full of a few, maybe even many diffrent browsers will only help everyone in the long run.

      Currently I am installing Firefox for people who just need to use anything but IE; mostly end users. For a power user however Opera is the way to go.
      • For a power user however Opera is the way to go.

        I guess I'm not sure what the difference is between an average Firefox user and a "power user" of the web, then. If there are features that Opera has that you simply can't get in Firefox/Mozilla, you'd do your crusade a service by posting what they are.

        • While Firefox's extensions do allow for many things that Opera does not, not many of them are really what I would consider browser features. I really don't want/need a game in a browser. Uptime tracking is neat but not really essential.

          Now don't get me wrong, I just downloaded 9.3 and it looks great. Works great. Updates are coming fast. I would almost say it ties with Opera in total useablity but for one little thing.

          F12. F12 is what I mean when I talk about Power Users. Unless I'm missing somethi
      • Opera annoys me to hell, as a power user It's just got to much to do, firefox is quick, simple and I can use it fast, very fast :)

      • I moved to Opera three days ago after finally getting cheesed off with having IE launch spyware apps and then crash virtually every time I opened it.

        I have the free version right now, in which I can even choose whether I prefer Google ads or big, noisy banners. I went with Google, since I am a Gmail fan anyway. One of my friends thinks I am a wuss for thinking this, but I actually like the text ads by Google. They are becoming familiar, and they virtually disappear on the Opera interface unless I need the

    • I have been using either Moz suite or FF for years (and netscape before that), but recently reformatted for a new HD/XP install... I was forced to use IE to redownload FF, and browsed around while it was d/ling, and to my suprise I got 40 items of spyware! In 10 mintues. A couple of them ad-aware wouldn't pick up, something called WebRebates.exe...

      Never again... Its bad enough my browsing efficiency is much reduced on IE now (damn mouse gestures!), and my system resources take a decent hit... But I sp

  • malware honeypot? (Score:5, Interesting)

    by TheHawke ( 237817 ) <rchapin.stx@rr@com> on Saturday August 07, 2004 @11:47AM (#9908649)
    I wonder if someone can whip up a honeypot that'll reverse-engineer some of the malware out there, munge all the URLS down and give proof that someone is doing this on purpose.

    Then maybe the state DA's will jump in and make a lesson of a malware producer or two. That is, if they are local. IF not, LART until their router is unplugged.

    This 'ware business is seriously getting out of hand and MUST be dealt with, one way or another. IF we have to force these jokers to go overseas, fine, then we'll do so and isolate their domains at root DNS.

    • Re:malware honeypot? (Score:2, Interesting)

      by Anonymous Coward
      Let's give credit where credit is due!

      Did you RTFA? The spyware he mentioned all loaded automatically using exploits that are only available in IE and Windows! This is all courtesy of Microsoft!

      Face it: these people would not be able to do these things without Microsoft's brain-dead approach to secure design. If you wanna sic DA's on somebody, point them at Microsoft!

    • Re:malware honeypot? (Score:3, Informative)

      by selderrr ( 523988 )
      You mean like we want to do with spammers ?
      We all now how well that worked


      Face it : malware is the new spam, and it is a lot harder to detect & isolate. OSX & linux users may be safe for now since the problem is moved from mailserver to client machine, but it is only a matter of time until java malware shows up.

      The ONLY solution is keeping the OS secure, the firewall tight and the user aware not to click bogus utilities. That and a network wide hosts file that redirects a lot of crap.

      • Re:malware honeypot? (Score:5, Insightful)

        by TheHawke ( 237817 ) <rchapin.stx@rr@com> on Saturday August 07, 2004 @12:38PM (#9908859)
        I do not disagree, and let me reinforce the point. the 'wares take a direct path to customers systems from known sources, unlike virii.
        If someone goofs and winds up on a site like the article mentioned, guess what, the customer just hit a malware mine.

        It's not like the lovebug bit where it spread like wildfire, at random, the 'wares are more focused and actually show a purpose behind their creation: to retrieve personal information on the user behind the keyboard.

        Under Federal and State regulations, this shows Willing Intent to Commit Malice, possible violations of Wiretapping Laws,and is grounds for prosecution to the fullest extent of the Law.
        • that is under the assumption that malware spreads only via http clicks... I consider it very likely that future malware will spread trhu direct connections, P2P networks, infected downloads, ...

          If the malware itself operates in a silent way (i.e. not blatantly plop ads all over your screen, but rather replace existing ads with his own crap), it can be very tricky to pinpoint a guilty party

    • Re:malware honeypot? (Score:2, Insightful)

      by base3 ( 539820 )
      The state AGs are too busy taking campaign money from the copyright cartel and sending threating letters to "P2P companies" to worry about spyware.

  • Mozilla Firefox - it solves most problems.... (Score:4, Interesting)

    by Gigantic1 ( 630697 ) on Saturday August 07, 2004 @11:56AM (#9908668)
    Those poor soles running Internet Explorer (like ME until recently) don't know what they are missing by not switching to Firefox, Opera, and some of the other fine browsers out there.

    Usually, I skeptical about "Freeware", but Mozilla's Firefox has been a glorious exception. Not only is it faster, more intuitive, and easier to use than IE, it is also MORE SECURE. Unlike IE, Firefox does not allow ActiveX and VBScripts to run - and this is a blessing.

    Please consider giving it a try.

    Happy surfing.

  • Spyware Prevention (Score:4, Insightful)

    by Tiberius_Fel ( 770739 ) <fel AT empirereborn DOT net> on Saturday August 07, 2004 @11:56AM (#9908670)
    I've found that all the spyware can be kept down to basically zero if you do what I do (even for Windows users). I use Firefox and not IE (it's interesting to look at how many hits ad-aware gets for tracking cookies etc. with IE)... And speaking of ad-aware, I run it regularly. Honestly, spyware statistics would go way way down if people ran an anti-spyware program now and then. I find in my experience, when you run it for the first time and get 500 - 1500 "objects" found, it wakes the user up as to what sort of crap is on there, and after that they seem to be pretty good about running it themselves.

    • make it fun (Score:3, Interesting)

      by zogger ( 617870 )
      it's weird but it's hard to get people to download and run antimalware stuff. But they WILL download and run other things, so, I got an idea, code one of those anti virus anti malware things so it works like a video game, you hunt and destroy the individual malware doodads graphically.

    • Re:Spyware Prevention (Score:3, Insightful)

      by MyHair ( 589485 )
      (it's interesting to look at how many hits ad-aware gets for tracking cookies etc. with IE)

      I don't think Ad-Aware (or other spyware scanners) checks Firefox cookies. I just ran and older version and it only found an Alexa registry entry, but I opened my Firefox cookies.txt and found a doubleclick.net cookie in there.

      I'm a Firefox user/fan and IE hater, but Firefox doesn't inherently block tracking cookies, so I had to pick at your example. (Yes, Firefox does allow forcing per-session cookies, but it's no

  • And let's not forget... (Score:5, Interesting)

    by Tuxedo Jack ( 648130 ) on Saturday August 07, 2004 @11:58AM (#9908680) Homepage
    How about the bastards who make browser hijackers? Removing CoolWebSearch's affiliates wastes so much goddamn time at my office, it's literally taking nearly three hours a week.

    And don't deny it - their affiliates DDoSed SpywareInfo because it told people how to remove their bastardly malware and provided CWShredder.

    I say we go after them, drain their coffers dry, and donate the funds to the Mozilla Foundation or something.
    • Heh, the chances of anyone going after the several parties responsible for browser hijacking, and winning in a timely manner, are slim to nil with the average judge's knowledge of computers.
      And then I highly doubt the money would go to something worthy. The lawers would get at least a 1/3 of a large settlement, and unless Mozilla did the suing, little money would go there.
    • I have that same problem at my office. I've been looking at a few solutions. I've found 2 that seem like they'd work well.

      1. Norton Ghost - Since it's a single particular user's machine that keeps getting it, this would work well. He will, of course, bitch about losing his pictures every time we wipe the drive, though.

      2. RIS - F12 is your friend, I've learned. At least during the boot process. Having a RIS setup would make installation quick and hopefully painless. (Yeah, right.)

      There's another CoolWebSe

  • No spyware here (Score:2, Informative)

    by SteveXE ( 641833 )
    I managed to keep my pc pretty much spyware free when running IE aside from the day to day tracking cookies.

    I switched to Mozilla about 2 months ago and not only do i never get spyware cookies due to its easy to use cookie blocking and plugins, but its so much better in many respects. I still have to use IE on some pages that contain video files, and i do have a few gripes but overall its much better and lets me control my internet experience on many more levels.

  • Spyware is just another form of a virus (Score:5, Insightful)

    by onyxruby ( 118189 ) <onyxruby&comcast,net> on Saturday August 07, 2004 @12:25PM (#9908792)
    How long will it take people to realize that spyware is just another form of a virus? I remember when people used to argue trojans weren't viruses and now people have finally come to accept them as just another form of a virus.

    Look, I have worked on systems that have had hundreds of infections, from viruses and spyware. I routinely subject a drive from a machine with spyware to the same checks and controls I do with viruses. I start by removing the victim drive and putting it in a secondary control system. Only then can I properly remove the hooks installed to prevent you from really removing things.

    I've seen everything from DLL hooks to putting itself into the system restore file or hidden OEM restore partitions. This way windows itself will *fix* your removal. I've seen where they try to emulate legitimate hotpacks and patches. It's pretty simple really, if a program installs surreptitiously, disguises itself, and takes steps to prevent it's removal - than it is a virus.

    • Spyware/Adware is only as much a virus as a worm is. Guess that makes it a worm. Viruses infect other programs, worms propagate themselves as a program. There is a grey area when they hook themselves into assorted libraries, though.

    • Re:Spyware is just another form of a virus (Score:4, Informative)

      by sploo22 ( 748838 ) <dwahler.gmail@com> on Saturday August 07, 2004 @12:56PM (#9908953)
      Wrong. Here are some definitions of a computer virus:

      A program that can infect other programs by modifying them to include a possibly evolved copy of itself.

      "A parasitic program written intentionally to enter a computer without the user's permission or knowledge. The word parasitic is used because a virus attaches to files or boot sectors and replicates itself, thus continuing to spread. Though some viruses do little but replicate, others can cause serious damage or affect program and system performance. A virus should never be assumed harmless and left on a system." -- Symantec

      Get your terminology straight. If it doesn't infect other software, it is not a virus. Your argument is like saying malnutrition is a virus because it makes you sick.

    • Re:Spyware is just another form of a virus (Score:3, Insightful)

      by Anonymous Coward
      User: Wow! SuperKaazaMidgetCursor! (I agree.) (I agree.) (I agree.)

      Peter Norton: SpyVirus removal complete!

      User: Norton broke my SuperKaazaMidgetCursor. No more free MP3s and naked strippers on my desktop WAH! I want my money back!

      [The big difference between Anti-Virus and Spyware-Removal programs, is that the former is based on program behavior, and the latter makes value judgements about what is 'good' software or 'bad' software. I don't think any developers want a situation where they have to get
    • Nope, what the media call "virus" is nothing to do with anything. The media definition of "virus" is any bad software (what non-media types with a clue call malware).

      A virus is a piece of malware that embeds itself in other programs. This is often done by gluing the malware code onto the end of an innocent executable and modifying the start of the real program so it jumps to the malware code first.

      AFAIK there hasn't been a virus written in a _long_ time.

      By contrast, most of what the media call viruses

  • A lot of people don't care (Score:5, Interesting)

    by . visplek . ( 788207 ) on Saturday August 07, 2004 @12:26PM (#9908801)
    Funny thing is that a lot of people just don't care. I remember that visual plugin for Winamp: Wild Tangent Valentine Dancer. It turned out to be spyware (and so did the rest of Wild Tangent's plugins and apps) but a lot of people just wanted to see a girl dancing on their screen. They just don't care. Not aware of the results of a spyware infested computer and blinded by some digital hottie. The result is over 3,707,559 downloads.

    • It's not that the dancer is spyware, it's that wild tangent is. In order to run it, or any other wild tangent content, you have to install the wild tangent player.

    • Re:A lot of people don't care (Score:4, Funny)

      by Anonymous Coward on Saturday August 07, 2004 @01:08PM (#9909019)
      You wouldn't happen to know the URL for that dancing girl, would you?
    • AIM includes WildTangent. You have to remove WT after installing AIM.
      • AIM includes WildTangent. You have to remove WT after installing AIM.

        You can't just run an installer either, you have to go looking for it in the Windows folder, and delete it, otherwise it keeps running. The really infuriating part is I found a text file in the folder where it is installed that contains a long diatribe about why WildTangent doesn't consider their crap spyware. They can bite me. AOL should not work with these dicks.

        This is why I installed GAIM [sourceforge.net]. Problem solved!

    • We need an open source project to provide this functionality in a spyware-free format. The reality is that people need dancing girls, they need strippers on their desktop, they need other bells and wistles. And they will install them, so I'd rather see them install GNUGirl and GNUBuddy.
      • Flash should work pretty good.

        Are there security holes in Flash? Have not heard of any.

        SVG would also be a good idea, it is equivalent to Flash but completely standardized and open and the files are text. Unfortunately there are no working implementations yet.

  • pollution (Score:4, Interesting)

    by wobblie ( 191824 ) on Saturday August 07, 2004 @12:28PM (#9908812)
    the only effective way to combat this is to pollute/crapflood their databases, in a massive sustained effort. A DDos they they are just begging for.

    Just how that's done is another matter; but how long will it be before some enterprising young soul comes up with a daemon that generates false information and does nothing but pollute spyware databases? If it can be done with SETI, it can be done here ... the caveat is that the machine would have to be "infected" to do this ...
    • the caveat is that the machine would have to be "infected" to do this ...

      Run it all in VMware.

      This would actually be a cool project to do for Defcon. If anyone is interested in something like that, e-mail me: scubacuda#iname-c0m

  • Working version (Score:2, Informative)

    by fuctape ( 618618 )

    Working version of the article (for now): http://isc.sans.org/diary.php?date=2004-07-23 [sans.org]

  • I want an integrated tool! (Score:4, Interesting)

    by gone.fishing ( 213219 ) on Saturday August 07, 2004 @12:53PM (#9908938) Journal
    I hate spyware. It is much worse than most of the viruses I've dealt with. As a support technician in a large corporation I deal with it every single day. Some days, all day.

    I'd love to see a tool that would deal with all security threats to the desktop. A single tool that would protect against viruses, malware and would act as a smart desktop firewall. We already use an anti-span service but I think the tool should do that too. In the workplace it should be centrally controlled and updated automatically. It should report on attemts and allow the networking folks to use this data to stop stuff at the corporate firewall.

    While I am dreaming, I think I'd even like to tool to provide a transparent, managable method of deploying service packs and patches to the desktop (although that is I admit probably better seperately with software deployment tools).

    I suppose the server boys would probably need a tool to keep those back-room boxes squeeky clean too. Maybe a special server version of the same software could be slapped on those bad-boys.

    I understand why companies are reluctant to share data but in the case of "common security threats" I think that an exception should be made and an automated but monitorable system of threat identification and reporting should be built into the software so as soon as a new threat is identified it can be made available to everyone using the software.

    Then we can all cooperativly figure out who is doing this and we can publish that information somewere (like slashdot?) and we can provide them with a little justice!
    • If only it were *that* easy....

    • You support a large corporate network that allows their users installation rights (face it, most spyware doesn't install unless you have rights to install BHOs, ActiveX controls or other rights)? You work in a large corporation who runs a windows network and doesn't know how to push patches out over AD, or the nicer 3rd party products out there that do it?

      What's your ticker symbol, because I don't ever want to buy stock in a company that can't run a network properly.

  • Startup Cop (Score:4, Informative)

    by blackmonday ( 607916 ) on Saturday August 07, 2004 @01:12PM (#9909034) Homepage
    There's a really nice tool on the net called startupcop that was made by the ZDNet people, released, then dropped. You can still find it on google as "startcop.zip". It's a nice program that shows you what starts in Windows when you boot. My friend had about 60 different adware/spyware programs on his machine. I was able to remove most of them except for this pesky TV something adware which would not uninstall. And something else, there's some other kind of app that won't let adaware or spybot run. Its a giant pain in the ass, my friends PC is unusable, eve with Mozilla, and he ahs a $50 a month broadband bill. The sons of bitches who make these programs need to be put in jail. There, now i feel better.

    • If you're using Spybot - Search & Destroy, make sure you have it set to Advanced mode rather than the default. Then you get a Tools option in the left-hand selector bar. Open that up, and there's whole pile of tools and reports, including startup and BHOs.

    • Re:Startup Cop (Score:5, Informative)

      by Jade E. 2 ( 313290 ) <slashdot@perlsCO ... minus herbivore> on Saturday August 07, 2004 @02:42PM (#9909463) Homepage
      this pesky TV something adware which would not uninstall
      OK, here you go, JD's quick guide to removing hardened spyware, such as TV-Media (tvm.exe). (This is mainly for stuff that the spyware removers can't delete, or that won't let AdAware and it's friends run.) This is even maybe a bit semi-on-topic, wow.

      First, get HijackThis. If you're not very familiar with windows internals, run it on a couple clean systems to get a feel for what should be there.

      If it isn't being blocked by some really nasty spyware, AdAware or one of those is a good first step to remove the easy stuff before you tackle the hard stuff.

      Now, run HijackThis on the infected computer. It will take some practice to learn what is bad and what isn't, but some things will be obvious. In the case of TVM, there will be a startup item (O4 iirc) for tvm.exe, a URLSearchHook for tvmbho.dll, and a bunch of BHO entries for randomly named 'ms????.dll', and possibly a few more dlls in the system32 directory. (I havn't personally ever seen a valid BHO entry, but YMMV.) The important thing to do here is to make a list of files to delete in the next step. At this point you can check the suspicious entries and click 'fix', then re-scan the computer and see how many of them come back. In the case of TVM, several of them will, most notably being the tvm.exe startup item. Killing tvm.exe won't help with this, either.

      Now, on to removing hard files. In this case, tvm.exe is hard because it loads with explorer so it's always 'in use'. A couple of the ms????.dll files are hard because they are in use and/or get replaced on reboot by tvm.exe if they're gone. There are three methods to remove these.

      First, safe mode. This is easy, albeit time consuming waiting for reboots, but doesn't work for all files. (In TVM's case, it works.) Just reboot into safe mode and delete each file on your list, then use HijackThis to remove the registry entries.

      Second method. Faster if you're a decent typist, works for files (like tvm.exe) that hide their process inside explorer.exe so you can't kill them. Open a command prompt and task manager. Use task manager to kill any visible tvm.exe (or whatever) tasks, then kill explorer.exe. Your shell goes away. Use the command prompt to delete the files, then run HijackThis and remove the registry entries. (You can re-run explorer from the prompt when you're done.)

      Third method. Slow, complicated, but works for files that can't be deleted by either of the other two methods. This method also works remotely through most desktop-sharing type connections, unlike the other two. Once you've figured out where the files are being launched from (HKLM\Software\Microsoft\Windows\CurrentVersion\Ru n in TVM's case), open regedit and go to that key. (NOTE: If you're using windows 2000, you'll need to use regedt32 instead of regedit, but the rest of the process is similar) Click on the key (The entire folder, not the individual entry) and choose permissions from the file menu (or right-click menu in XP). Now you need to deny access to everyone for that key. If you're not familiar with permissions, the exact steps are to click 'Add', type 'Everyone' as the name, hit 'OK', hit 'Advanced', highlight the 'Everyone' entry and hit 'Edit', then check the 'Deny' column next to 'Full Control', then OK out. Reboot. The files won't load (and neither will and of the other startup items in that registry key), so you can delete them and run HijackThis freely. When you're done, run the registry editor again, and in the permissions window for the key in question just click on your 'Everyone' entry and click 'Remove', then reboot one more time.

      Hope that helps, and good luck.

    • Sysinternals [sysinternals.com] provides an array of tools for monitoring your system. e.g. Autoruns [sysinternals.com] provides the same info as startcop. Filemon [sysinternals.com] shows all filesystem activity, in real-time, with optional filters. I use it, in combination with the registry monitor regmon [sysinternals.com], to monitor software installation.

  • I avoid spyware by... (Score:3, Informative)

    by vudufixit ( 581911 ) on Saturday August 07, 2004 @01:39PM (#9909168)
    1. Not visiting porn sites 2. Not going to the default homepage network 3. Not downloading and installing Kazaa or PTP apps of that ilk. 4. Not clicking on any popup or banner ads 5. Never agreeing to install any software as a result of visiting a web site, unless it's Macromedia, Apple or Microsoft. I still run IE, and I have a bare minimum number of XP fixes.

    • Re:I avoid spyware by... (Score:2, Informative)

      by Anonymous Coward
      Then you are gonna get it eventually!

      You really need to take a look at some of the vulnerabilties in IE. You don't have to click any popup or banner ads; they can install whatever they want just because the ad popped up in the first place. Did you RTFA? This particular spyware infection started by opening a popup frame that was 1 pixel by 1 pixel; you wouldn't even know that something had popped up, let alone have to click on it. Then it used a .chm exploit that looks like it opens whatever page the spywar

  • As an IT Consultant, this is a huge problem..... (Score:3, Interesting)

    by djhankb ( 254226 ) on Saturday August 07, 2004 @04:26PM (#9909878) Homepage
    For my clients, many of them have spent 1000's in my time repairing these issues. I can't say that it's bad for *my* business, but for them... Many are tired of paying for me to be the network Janitor. And I am with them.... Being the Network Janitor isnt much fun.

    On the flipside, a simple solution that I've been implementing, is a simple linux box, setup as a transparent proxy, using Squid, with DansGuardian (a pay-for product) doing content filtration, as well as stopping Active-X controls dead in their tracks.

    This has proved to be very cost effective, around $300-400 in my time to setup, and stops the junk dead.

    Perhaps some other IT managers can put this software to use.

    -H

  • REGMON and FILEMON (Score:3, Informative)

    by Wolfier ( 94144 ) on Saturday August 07, 2004 @05:23PM (#9910146)
    If you're a Windows user, I suggest you go to:

    SysInternal [sysinternals.com]

    To get utilities like REGMON and FILEMON.

    While people has used them for other purposes (for example, figuring out where sharewares store dates), they can useful tools against spywares too.

    Run them before doing anything you think MAY be dangerous, and you'll be able to see spyware activities right in front of your eyes.

Slashdot Top Deals

Math is like love -- a simple idea but it can get complicated. -- R. Drabek

Close