May 2006 - Posts

A tale of woe:
http://www.vividreflection.com/blogEntry.php?id=16

A few observations:

"they were asking for too many personal details to download a free trial so I decided to see if there were any copies floating around on the file-sharing networks. This was a big mistake!" - I think this is where I should say "serve you bloody right for going down the warez path" but I'm too nice to say that ;o)

" it wasn’t long before I soon discovered that I couldn’t cut or copy stuff from Firefox." - ok... keep this in mind for later...

"I tried a lot of things, ran dozens of leading spyware destroyers and it still didn’t fix it." - reference my opening paragraph here.  Oh, and by the way, what *were* these "dozens" of "leading spyware destroyers".  I don't think there are "dozens" of legitimate "leading" spyware destroyers out there.  Sooner or later you have to get in there and get your fingernails dirty.  Automated products simply can't cut it with the latest and greatest malware.

"If anything, Firefox was the only browser that flagged up any problems and I doubt I would have worked it out otherwise…"  Um, ok, I must be missing something here.. how the heck did Firefox help him work things out? The guy spent weeks labouring under the misapprehension that he was dealing with a bug for chrissakes. 

Side note:  I find it an amazing irony that the guy would have spotted there was a definitive malware problem sooner if he was *not* running Norton Internet Security, which was so kind as to mask his problems for weeks.

Ok, so what have we learned here? 

First, STAY AWAY FROM FILE SHARING NETWORKS.  They are a primary source of malware infection.  If you're unwilling to share "personal information" for that free software then go without.  Quid pro quo. 

Second, running Firefox will not protect you if you do dumb things. 

Third, Norton Internet Security will not protect you if you do dumb things - hell, I don't think *any* software out there will give us complete protection if we do dumb things.

http://minimsft.blogspot.com/2006/05/all-good-things.html

"If doing something hurts, stop it. Same goes for something that's not fun. And, you know, currently, this oddly enough isn't fun. Thrilling certainly. Wildly educational, thanks to the comments coming in, absolutely. But not fun. There are other things going on in the world that I'm missing out on, and they are beginning to take a higher priority. For me."

Y'know, I've considered working for MS a few times - have even had a couple of interviews - but then a guy that I've known for years experienced a shock when his job of many years standing at MS was outsourced with little warning, I watched another friend working himself into the ground to meet various crazily unrealistic deadlines (I still worry about him) and another whose position "didn't work out".  I have another friend who is considering working for MS and I've had to really bite my tongue and sit on my hands to stop myself from projecting any negativity/concern as my friend moves in that direction - after all, although I know some people who are not happy at MS, I also know some who are happy, and who knows... maybe my friend will be happy there and he will be the one with a strong enough cattle prod to rouse the Behemoth.  After all, we MVPs have been able to do so at times ;o)

I'll miss Mini (aka Who da'Punk)'s insights into employment life at MS (and the views of those who post comments in his blog).  Did he frighten people away from working for MS?  That is quite possible.  Did he do good?  I honestly don't know - it may be unrealistic for those on the blog to give him credit for the demise of the trended 3.0's and the return of the towels, or it may not be.  Only the upper echelon of the powers that be at MS know the answer to that question.

Of course, I may be way off the mark calling Mini a "he"... I just hope he/she never reveals his/her name .. let him/her remain anonymous ;o)  And before you ask, I don't believe that Mini is Bill Gates, or anyone else in the upper echelon for that matter (the head honchos, I hope, understand the difference between "breaks" and "brakes") {ducking and running for cover}

Now, if only I could work out how to turn off that flashing red 'message waiting' light on my new desk phone.. as far as I know, this new phone doesn't even *have* an answering machine built in.. there's no reference in the manual, and no buttons on the console - weird.

Yes, I've spotted that my blog is full of red-x's instead of screenshots.  My screenshot galleries were deleted as part of the Community Server 2.0 update.  I'm working with the site admins to see if they can be restored.

Internet Explorer 7 has a slightly different name in Windows Vista - "Internet Explorer 7+"   There are extra features in Vista that will not be made available in XP, such as parental controls and protected mode, therefore it makes sense to differentiate between the two versions.


When it has already been patched... take the brouhaha triggered by Symantec's "alert" to its subscribers about an alleged unpatched vulnerability in Windows 2000's file sharing protocol.

Scary words were used by various parties who picked up on the alert, and ran with it, including "unpatched vulnerability"... "zero day bug"... "Immunity will make the exploit public in June"...

Immunity said "the exploit leverages a flaw in the operating system's kernel that can be triggered through SMB, and will give an attacker full access to the PC"
(cite: http://www.informationweek.com/news/showArticle.jhtml?articleID=188500259)
(cite: http://www.itnews.com.au/newsstory.aspx?CIaNID=33055)

Symantec said "Immunity is considered to be a reliable source and we are of the opinion that this information should be treated as fact," and "An official security update from Microsoft will likely not be in development until after June when the information is released."
(cite: http://www.informationweek.com/news/showArticle.jhtml?articleID=188500259)
(cite: http://www.itnews.com.au/newsstory.aspx?CIaNID=33055)

But then.... Microsoft said:

"We just want to let everyone know that we've investigated this claim and found the vulnerability being discussed is fixed by MS05-011, a security update released almost 16 months ago. We contacted our partners on this and made sure they understood this is not new. What *is* new is that someone reportedly has found a different way to exploit the vulnerability. But if you have the update, you're protected."
(cite: http://blogs.technet.com/msrc/archive/2006/05/25/430278.aspx)

Oops....

Update for Outlook Express 6.0 on Microsoft Windows XP (KB918651)
http://www.microsoft.com/downloads/details.aspx?familyid=86b68a78-f325-4a95-98c2-98af2256ccc3&displaylang=en

This update does two things:

1) A backup of your DBX database is made before compaction of the database occurs, just in case something goes wrong.  The backup DBX will be moved to the Recycle Bin once compaction completes successfully.  Also, if compaction is done manually via File, Folder, the compaction counter will reset.

2) It gives us back the ability to save and use emails as templates.

I simply cannot resist sharing this little gem.  Qantas International has an "on demand" entertainment system which is, apparently, newly installed on the particular aircraft from within which I was writing this blog post.  Sadly, the entertainment system was experiencing problems, so the pilot had to reboot the system (Captain: "I ask all passengers not to press any controls for 20 minutes" - frazzled mother of disobedient toddler: "Don't touch those buttons.... I said don't touch those buttons... It's broken, don't touch those buttons")

So, guess what I see on the entertainment screen while the system is rebooting - Windows CE!!!

Who would have thought...

International Business Class Rocks... except for when there's a crying baby and disobedient toddler in the row behind you.. so much for getting some work done, and some sleep, in peace and quiet during the flight.  The overwhelming sound in the cabin as the plane was positioning for take-off and even the cabin crew were seated and buckled in, was: "Sit down and put on your seatbelt... sit down and put on your seatbelt.. sit down and put on your seatbelt"... (for chrissakes mother, PICK THE KID UP, PUT HIM IN HIS SEAT, BUCKLE HIM IN AND HAVE DONE WITH IT!!!)

Even as a Gold Status Frequent Flyer, it can be hard to get a points upgrade to Business Class but I got it this time (which is just as well, considering I have over 130,000 points to get rid of despite upgrading to business every time I fly).  Fantastic food - Chivas Regal all the way - a Qantas Skybed - power for my laptop - a very swish toiletries pack (despite the flight being only 5 hours).

While we're on the topic of international travel, I see in my latest CES Smartbrief email that regulators are considering lifting the ban on using cell phones in flight - I sure hope they don't. 

http://money.cnn.com/magazines/fortune/fortune_archive/2006/05/29/8378024/index.htm

Oh, and by the way, somebody's phone did turn on in the plane today... how do we know that?  When the Captain made an announcement over the intercom the whole plane could hear the too-familiar sound of mobile phone interference that we all know and hate - see, they're not telling porkies when they say that mobile phones can interfere with electrical equipment. 

I am *so* glad my CDMA phones don't generate that sort of interference.  I am so *not* looking forward to CDMA being phased out in preference to 3G in a few years time.

I'm heading off to the airport in a few minutes to travel to Singapore for a Windows Vista lab.  Hopefully I'll have some really cool stuff to blog about over the next few days.

I see the Office 2007 *public* beta is out as well (check out www.microsoft.com/office).  Office 2007 is *really* different but worth having a look at.

See you in Singapore.

http://www.viruslist.com/en/weblog?weblogid=187189654

BTW, a matrioshka is a Russian nesting doll.

Some areas of the net are in a flap about the MS Word exploit that has been the focus of some publicity recently.  Some sites are even advising that we should consider dumping MS Word in preference to OpenOffice.

Come on guys.  We shouldn't even be thinking about fighting this thing by moving to a different programme.  Why?  Because it does not address a core problem.  The thing about this exploit is that it will only succeed if the user has administrator privileges.  We all know that we shouldn't be running our machines with administrator privileges, but all of us also have clients that absolutely insist that they must run as admin because a mission critical application will not run without it.

So, what can we do under such circumstances? How do we protect our clients from this exploit and other admin-dependent exploits if they have a mission critical application that will not run without administrator privileges? 

Preferred option - reduce their rights anyway, and use RunAs - stick a shortcut on their desktop that grants only the mission critical application administrator privileges:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_runas.mspx?mfr=true

Your user still isn't happy?  They just don't like non-admin?  They're telling you it's *their* machine and they want administrator rights?  Well, short of washing your hands of any responsibility and walking out the door never to return, there is another trick you can use.  What if you could let your stubborn client run as admin, but bump down particular applications to limited user rights *at the same time*?  Sound interesting?  Read on... :o)

Michael Howard has posted an article to the Security Developer Centre that is of especial interest to those who are faced with "I must be Admin" users who also want to be protected from the Word exploit:
http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure01182005.asp

You'll note that by using Software Restriction Policies you can stop a programme from running at all, or force it to run as a limited (basic) user.  If you want to really lock things down you can use Constrained or Untrusted. 

There is one very important limitation to this trick that we must be aware of.  Software Restriction Policies are path dependent.  That is, you must set a specific target path to the application for this to work.  If, for example, an executable is moved or copied to another directory, the restriction policy will fail.
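Both tricks from the last few paragraphs, the RunAs shortcut and the Software Restriction Policy path rule, in one script. This is an added example and is not code from the original post, from the Microsoft RunAs documentation or from Michael Howard's article. It assumes a mission-critical application at the LegacyApp path, Word 2003 at the OFFICE11 path, a local account named Administrator, that SRP has already been enabled in the Local Security Policy editor (so the CodeIdentifiers key and DefaultLevel exist), and that the script runs elevated because the rule is written under HKLM. The last function is a simplified model of how a path rule is matched, written only to show the path-dependence limitation; it ignores wildcards and rule precedence.

```powershell
# Added example, not code from the original post or from Michael Howard's article.
# Assumed values: adjust to the machine in front of you.
$LegacyApp = 'C:\Program Files\LegacyApp\LegacyApp.exe'             # assumed "must be admin" app
$WordExe   = '%ProgramFiles%\Microsoft Office\OFFICE11\WINWORD.EXE'  # assumed Word 2003 location
$AdminUser = '.\Administrator'                                       # assumed admin account

# Option 1 (preferred): the user runs as a limited account and one desktop
# shortcut launches only the mission-critical app through runas.exe.
function New-RunAsShortcut {
    param([string]$ShortcutPath, [string]$TargetExe, [string]$User)
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($ShortcutPath)
    $lnk.TargetPath       = "$env:SystemRoot\System32\runas.exe"
    $lnk.Arguments        = "/user:$User `"$TargetExe`""
    $lnk.WorkingDirectory = Split-Path -Parent $TargetExe
    $lnk.Save()
    return $ShortcutPath
}

# Option 2: the user insists on running as admin, so an SRP path rule forces
# Word down to Basic User. Rules live under a subkey named after the SAFER
# level id in decimal: 0 Disallowed, 4096 Untrusted, 65536 Constrained,
# 131072 Basic User, 262144 Unrestricted.
$SrpRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$BasicUser = 131072

function Add-SrpPathRule {
    param([string]$RulePath, [int]$Level, [string]$Description)
    # Each rule is a GUID-named key; the policy editor uses the same layout.
    $ruleKey = "$SrpRoot\$Level\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is the path the rule applies to; REG_EXPAND_SZ so %ProgramFiles% expands.
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $RulePath    -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    return $ruleKey
}

# The limitation from the post: a path rule only bites on the path it names.
# Simplified model of SRP path matching: exact file match, or a directory rule
# covering everything beneath it. Wildcards and rule precedence are ignored.
function Test-SrpPathRuleMatch {
    param([string]$RulePath, [string]$FilePath)
    $rule = [Environment]::ExpandEnvironmentVariables($RulePath).TrimEnd('\')
    $file = [Environment]::ExpandEnvironmentVariables($FilePath)
    return ($file -ieq $rule) -or $file.StartsWith("$rule\", [StringComparison]::OrdinalIgnoreCase)
}

# Usage
New-RunAsShortcut -ShortcutPath "$env:USERPROFILE\Desktop\LegacyApp (as admin).lnk" -TargetExe $LegacyApp -User $AdminUser
Add-SrpPathRule -RulePath $WordExe -Level $BasicUser -Description 'Run Word as Basic User even for admins'

# The installed Word binary is covered by the rule...
Test-SrpPathRuleMatch -RulePath $WordExe -FilePath 'C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE'
# ...but the same binary copied elsewhere is not, and runs at DefaultLevel (full admin rights).
Test-SrpPathRuleMatch -RulePath $WordExe -FilePath 'C:\Temp\WINWORD.EXE'
```

The two calls at the end make the caveat concrete: the rule is keyed on the path, not on the file, so a copy of WINWORD.EXE in a scratch directory falls back to the machine's DefaultLevel. If you want the restriction to survive a move, pair the path rule with a hash or certificate rule for the same binary, which SRP also supports.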

Do you want to refresh all your RSS feeds at the same time? Run the following command (thanks Jean-Marc, a French Windows/Shell User MVP, who discovered it) - I've tested it, and it works a treat - wish I'd known about it right from the start.

msfeedssync forcesync

I spend *far* too much time chasing after false positives in antivirus and antispyware applications, and too much time shouting down misinformation - do a search for the words "false positive" in this blog and you'll see what I mean.  (Note: please do NOT assume that just because Trend is highlighted so often in my blog that they have more false positives than anybody else - they don't - it's just that I use it more than any other product.  In addition, I have developed an excellent working relationship with Trend over the years in the area of false positives and work closely with them to try and get such problems resolved as quickly as possible.  I find them to be very responsive.  Some members of the online community have come to realise that I can generally get quick action on Trend problems and therefore I am more likely to hear about Trend FPs than problems affecting other products.)

Ok, so now that I've made sure that Trend will still respect me in the morning ;o) let's have a look at the MS Word Zero Day exploit - it is real and has been given various names, including:

Backdoor.Ginwui and TrojanMdropper.H (Symantec)
BackDoor-CKB!cfaae1e6 (McAfee)

Y'know, I wish the antivirus companies would get their act into gear and start ensuring that there is some consistency when they give nasties names.

Now, so far I see no reason to panic.  The exploit that was reported and has some areas of the online community in a tizz seems to have been a limited, targeted attack - think low-level industrial espionage.  That's not to say that others, thanks to this publicity, won't try to do the same thing, but at the moment, incidents of use of the exploit are not running rampant.

Second, I'm seeing some potential misinformation about the symptoms of this infection - we'll lay the blame at McAfee's door for this - the problematic knowledgebase article is here:
http://vil.mcafeesecurity.com/vil/content/v_139539.htm

The article states, in the "Symptoms" section:

"Presence of *one or more* of the following Windows Registry key(s):

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gui30svr
  • HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{8ecc055d-047f-11d1-a537-0000f8753ed1}
  • HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\legacy_gui30svr\0000\driver = "{8ECC055D-047F-11D1-A537-0000F8753ED1}\0024"

The problem lies with the reporting of the (highlighted) second registry key as evidence of infection. 

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{8ecc055d-047f-11d1-a537-0000f8753ed1} seems to be a standard registry key appearing on every XP Pro machine that I have examined so far.

Now, the first key, referencing gui30svr is suspicious.  The third key, referencing Enum\Root\legacy_gui30svr is also suspicious.

If you have the first key, or the third key, I would have a closer look at your machine.  If you only have the 2nd key (highlighted in red) I would not be worried.

Apparently the problem with the McAfee article has been reported to the powers that be and, hopefully, will be changed soon.  In the interim, PLEASE do not go into a panic and reformat your PC or delete that key on the McAfee article's say-so.
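A read-only check that applies the reading above to a machine, as an added example that is not part of the original post or of the McAfee article. It looks for the three keys the article lists but only raises a flag on the gui30svr service key or the legacy_gui30svr enum key; the class key on its own is reported as benign, since {8ECC055D-047F-11D1-A537-0000F8753ED1} is the standard "Non-Plug and Play Drivers" device class and is present on clean installs. The article cites ControlSet001, so CurrentControlSet is checked as well in case the live set is a different ControlSet00N; the function name and its output fields are my own.

```powershell
# Added example, not from the original post or the McAfee write-up. Reads only.
function Test-Gui30svrIndicators {
    param(
        # The article cites ControlSet001; CurrentControlSet is included because
        # the live control set is not always ControlSet001.
        [string[]]$ControlSets = @('CurrentControlSet', 'ControlSet001')
    )
    $serviceKey = 'HKLM:\System\CurrentControlSet\Services\gui30svr'
    $classGuid  = '{8ecc055d-047f-11d1-a537-0000f8753ed1}'   # Non-Plug and Play Drivers class

    $found = [ordered]@{
        ServiceKey       = Test-Path $serviceKey
        ServiceImagePath = $null
        LegacyEnumKeys   = @()
        ClassKeyOnly     = $false
        Verdict          = ''
    }

    if ($found.ServiceKey) {
        # ImagePath names the file the service loads, which is what you want for triage.
        $found.ServiceImagePath = (Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue).ImagePath
    }

    foreach ($cs in $ControlSets) {
        $legacy = "HKLM:\System\$cs\Enum\Root\legacy_gui30svr"
        if (Test-Path $legacy) {
            # The article's third indicator: the Driver value under \0000
            $driver = (Get-ItemProperty -Path "$legacy\0000" -ErrorAction SilentlyContinue).Driver
            $found.LegacyEnumKeys += [pscustomobject]@{ ControlSet = $cs; Driver = $driver }
        }
    }

    # The class key is checked only so the output can say "this is all you have".
    $classPresent = @($ControlSets | Where-Object { Test-Path "HKLM:\System\$_\Control\Class\$classGuid" })
    $suspicious   = $found.ServiceKey -or ($found.LegacyEnumKeys.Count -gt 0)
    $found.ClassKeyOnly = (-not $suspicious) -and ($classPresent.Count -gt 0)

    $found.Verdict = if ($suspicious) { 'Investigate: gui30svr service or legacy enum key present' }
                     elseif ($found.ClassKeyOnly) { 'Benign: only the standard device-class key is present' }
                     else { 'No indicators found' }
    return [pscustomobject]$found
}

Test-Gui30svrIndicators | Format-List
```

Run it as an ordinary user; nothing under HKLM\System needs elevation to read. A positive verdict is a reason to look closer (the service's ImagePath is the first thing to examine), not a reason to reformat.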

Cool - I'm almost famous - quoted on InfoWorld :o)
http://weblog.infoworld.com/securityadviser/archives/2006/05/zero_day_msword.html
