June 2006 - Posts

Email with malicious links targeting Australians and the National Australia Bank

As you will see in this SANS alert, there is an email circulating that is targeting Australians - specifically, customers of the National Australia Bank.

Of special note is the fact that the email targets not only Internet Explorer vulnerabilities, but targets Firefox users as well - the bullseye on Firefox's butt is getting steadily larger.

Regarding the IE vulnerabilities, note that MS06-006 was patched in February 2006, MS03-011 was patched in April 2003 and MS06-014 was patched in April 2006.

The Firefox vulnerability was fixed in build 1.0.5.

We have been receiving copies of this email at the office, but Exchange's Intelligent Message Filter ("IMF") has been diverting all copies directly to the spam bucket where I can examine and delete them safely.

IMF is built into SP2 for Exchange and is available as a separate download for SP1. Note that if you already have IMF on a SP1 box, you will need to remove it before installing SP2.

Once again, those of us who are fully patched, and have the latest service packs applied, are safe from active use of known exploits.

Bill Gates prepares to cease full time work at Microsoft to concentrate full time on his charity

http://www.microsoft.com/presspass/press/2006/jun06/06-15CorpNewsPR.mspx

Bill says: "I believe with great wealth comes great responsibility - the responsibility to give back to society and make sure those resources are given back in the best possible way, to those in need," he said. Gates added, "It's not a retirement, it's a reordering of my priorities."

Posted by sandi with no comments

Is patching important?

Hell yes.

SANS reports on vulnerabilities already being exploited:
http://isc.sans.org/diary.php?n&storyid=1415

And remember what happened to Circuit City?
http://msmvps.com/blogs/spywaresucks/archive/2006/06/03/98941.aspx

This is the reality, friends: once an exploit is public, or even semi-public (published to areas of the net where only the geeks lurk), it *will* be exploited.

Life experience tells me that the most critical updates, those that should *never* be deferred, are those that affect Internet Explorer. Why? Because so many programs use it (or parts thereof). Do you use Outlook? Outlook Express? View your emails in HTML?

I remember reading, a long time ago, a tale of woe from a Firefox user. He (mistakenly) believed that because Firefox was his default browser, and because he never used IE, he could download freeware willy-nilly and follow unsafe net practices. Boy, was he shocked the first time something he downloaded and installed bypassed Firefox and started using Internet Explorer.

Therefore, get thee patched.   Be safe and be careful.

Cumulative update for Internet Explorer

Yes, this Tuesday is/was Patch Tuesday:
http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx

Heads up: the cumulative update includes the change to the handling of ActiveX controls, except this time it cannot be disabled by the compatibility patch.

Now, I know that some of you have issues with this, but please remember, MS were boxed in a corner with this - if you want to get angry at anybody, get angry at those behind the EOLAS patent.

Please, don't avoid this update simply because of the ActiveX changes. The other security updates are too important. If your third-party software will break irretrievably, that is a different story. If you're in that situation you need to get on to your program vendors and start rattling cages.

Have we *completely* lost the plot???

The latest in reality TV....

"Ten cats in search of owners will spend the next 10 days in a New York store window, their every move caught on camera for a reality TV show on which they will compete for best sleeper and mouse-catcher ... viewers will be asked to vote off one feline contestant each day."

Ok... stop the world.. I want to get off.

http://www.news.com.au/story/0,10117,19455459-13762,00.html

Posted by sandi with no comments

Do you Yahoo? You might want to be careful.....

"Until Yahoo patches the flaw, Symantec recommended users steer clear of the [web based email] service or disable the browser's JavaScript capabilities before reading any web mail."

Strong words... http://www.itnews.com.au/newsstory.aspx?CIaNID=33594

Current state of play: Malicious Software Removal Tool

Wow, MSRT cleaned a PC with 251 different infections - how on earth did that PC manage to boot up, let alone get on the net and download the MSRT?

There are some fascinating statistics in a report just released by MS:

Windows Malicious Software Removal Tool: Progress Made, Trends Observed
http://www.microsoft.com/downloads/details.aspx?FamilyId=47DDCFA9-645D-4495-9EDA-92CDE33E99A9&displaylang=en

"The MSRT has removed 16 million instances of malicious software from 5.7 million unique Windows computers over the past 15 months. On average, the tool removes at least one instance of malware from every 311 computers it runs on."

I am seeing a definite increase in malware infections. I don't know if others will agree, but I'm seeing fewer infections via freeware and a sharp increase in infection via email and Web site hacking to inject hostile code. The purpose behind malware is also becoming more hostile - the aim is moving away from simple advertising and hijacking of search engines and home pages to turning machines into spambots and DDoS zombies.

Ok, so now I understand why I've always liked Robert Scoble...

I've been reading about Robert Scoble's departure from MS here:
http://dondodge.typepad.com/the_next_big_thing/2006/06/robert_scoble_a.html

This quote hit home:

"Robert is one of those people who always needs a new challenge, a new environment, a new set of competitors, and a new set of goals. I know the type. They give 100% of everything they have to their mission, and when it's done they look for another challenging mission. It doesn't mean that the company has stopped growing. It just means that we have added everything we can, the mission can run on its own, and there is nothing new to learn. Time to move to the next challenge and learning opportunity."

My immediate reaction was "hell, he's describing me..." Perhaps I'm just being arrogant but it *is* me...

Maybe that's why I've always liked Rob... even back in the days before he was famous and he was only a lowly MVP ;o)

What is my mission? I'm a cat herder and I'm every IT company's worst nightmare. I walk into businesses with crappy IT infrastructures who have been ripped off by <enter name of pathetic IT support provider> and I fix their problems. Sometimes it takes major asskicking but it can be done. You would be shocked at how *bad* IT support gets in Perth.

Ok, so now you can tell me I'm wrong...
Posted by sandi with 2 comment(s)

Guess what I bought......

Ok, so I love my gadgets and geek type toys....

http://www.tomtom.com/products/product.php?ID=143&Language=8#

I have *got* to get the Dr Felix voice  ... or John Cleese.... or Mikey... or The Don... or Andy McDriver (who sounds *just* like Sean Connery... I wonder....).  Heck, why not just get the whole lot...
http://www.tomtom.com/plus/services/voices.php

Posted by sandi with no comments

User Friendly hits the "damn I know that guy" button...

http://ars.userfriendly.org/cartoons/?id=20060612

The guy on the phone ranting about the name servers and the FBI... I *so* know somebody like that.. if only I was as brave as cartoon character Greg...

Posted by sandi with no comments

Smitfraud again, but this time it's personal...

I had to battle another Smitfraud infection this weekend, but this time it was much closer to home and let me tell you that being so close to the situation emotionally is real bad for the stress levels.

What follows is the story of the infection and its removal, as best I can reconstruct it from my notes, logs and emails.

Mode of infection:

The network runs Citrix Metaframe XP on a Windows 2000 Server SP4 box. The version of Office in use is MS Office XP SP3.

On the night of Thursday 8 June our network was spammed by many emails with subject lines like "China domestic dogs and cats are raised to be killed for their fur", "Horrifying videos of the the cruel slaughter of dogs and cats in China" and "Moral? Love? Humanism? Just a beautifull sound of blood streaming from the warm pet's body".

One of the above emails was viewed using Outlook XP's Preview Pane and our network was immediately infected with no further interaction.

Symptoms:

Lots of Internet Explorer pop-ups in the terminal session of the infecting user pointing to www.razespyware.net (please do NOT go to that site).

Trend Antivirus for SMB V2.0 immediately reported the following infected files, showing a pop-up window in *all* terminal sessions (you can imagine what effect *that* had on the entire office):

s.exe (bkdr_small.bvr), winapi32.dll (troj_vb.alt), reger.exe (troj_adclick.aq) and mswinb32.dll (troj_generic).

Cleanup:

Unfortunately for Trend, there was far more to this infection than just those four files.  Trend successfully removed s.exe on the first attempt, and reger.exe after 24 attempts.  24 failed attempts were made to remove winapi32.dll and one failed attempt was made to remove mswinb32.dll.

S!Ri's Smitfraudfix (run after Trend reported it had "quarantined" the above four files) detected:

C:\WINNT\system32\intxt.exe
C:\WINNT\system32\mswinb32.dll (also detected by Trend but not successfully removed)
C:\WINNT\system32\mswinb32.exe
C:\WINNT\system32\mswinf32.dll
C:\WINNT\system32\mswinf32.exe
C:\WINNT\system32\mswinup32.dll
C:\WINNT\system32\mswinxml.dll
C:\WINNT\system32\shell386.exe
C:\WINNT\system32\winapi32.dll (also detected by Trend but not successfully removed)
C:\WINNT\system32\winlfl32.dll
C:\WINNT\adw.htm

Files I found that were not detected by any programme were:

C:\WINNT\system32\svchw.exe
C:\WINNT\system32\tmp_n.dll (a hidden DLL that I originally thought was a legitimate file related to our document management system)
C:\WINNT\system3\page.htm
C:\WINNT\system3\dllsys.dll
C:\WINNT\system3\svcsys.dll
C:\WINNT\adw.htm
C:\WINNT\3no.exe
C:\WINNT\tmpfile027.exe

My grateful thanks to Dean of Calvert Technologies for all of his time, patience and input while I was trying to decide whether the above files were legitimate or malware - I'm betting the guy *so* wishes he wasn't on my IM list now ... all those pings ... "Hey Dean, can you check if dllsys.dll exists on your W2K box" ... and svcsys.dll ... and tmp_n.dll ... and lots of different *.exe files.

I also found some evidence of *old* malware infection, being:

c:\searchsquire.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\beta.exe

After checking, and double-checking, and triple-checking, and quadruple-checking (killing the server or any of the programmes on it by deleting the wrong file would have been a *bad thing*) I left tmp_n.dll alone under the misapprehension that it could be legitimate, and ran Killbox. I tell you now, my hands were shaking for the first time in all my years of malware fighting - if I killed the server or any installed programme by deleting the wrong file(s) it would have been a disaster.

I was able to delete all of the malware files except for svchw.exe using Killbox.  svchw.exe was automatically recreated (by tmp_n.dll) and it took a couple of passes using Killbox before I was able to replace svchw.exe with a dummy copy.

After running Killbox to get rid of all of the malware files I rebooted the server and discovered we were in trouble.  The server kept bluescreening within a minute or two, referencing the file win32k.sys.  The only time it did not blue screen was when the server was booted into safe mode.  This was very bad news because the other terminal server died on Monday (hard drive failure) and without this remaining server we were in big trouble.

Again, hooray for Dean. He knew the likely cause of the win32k.sys blue screen and knew exactly what to do. We had to disable nearly all of the automatically starting services to stabilise the system, and then reinstall Service Pack 4 for Windows 2000 Server to repair the damage. Then it was a matter of restarting one service at a time (again under Dean's guidance) until all were running and the system proved stable.

At this stage I thought the machine was clean, until 24 hours later when I saw the following error:

16 Bit MS-DOS subsystem
c:\WINNT\system32\svchw.exe
The NTVDM CPU encountered an illegal instruction.
CS:0000 IP:0077 OP:fo37050a02
Choose close to terminate the application.

Choosing "close" left NTVDM.EXE as a running process taking up 25% CPU usage... three more errors left CPU usage at 100% and extremely sluggish.

Ok, so something was using NTVDM.EXE to call svchw.exe and was crashing when encountering the dummy svchw.exe, but what?  The only possible candidate was tmp_n.dll - the file I had originally assessed as possibly legitimate and too risky to remove.

tmp_n.dll was difficult to remove and was always in use - even in safe mode. Not only that, the system instability it caused thanks to the ntvdm crashes made working on the server quite difficult.

By peeking into tmp_n.dll using Process Explorer (something I should have done in the first place, dammit) I discovered that its purpose was to download a file called 6.exe from URLs at jamming.cn and sonofyork.cn.  An antispyware fighter who is way smarter than me dug deeper and reported that 6.exe was apparently renamed as svchw.exe (thanks Dave).

Every attempt to replace tmp_n.dll with a dummy using Killbox failed (although it did lose its hidden attribute). 

There was an entry referencing tmp_n.dll in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. I deleted that entry, and then got rid of the file the old-fashioned way (DEL /F C:\WINNT\system32\tmp_n.dll).

Hopefully the server is now clean enough to keep it in service until it is decommissioned on Friday - there may still be an infection in wininet.dll lurking, but as long as it has no files to call, I think we'll be ok although I *will* be watching the server very closely - we survived, albeit with very frayed nerves and far too many new grey hairs.

Yahoo have released a customised version of IE7 Beta 2

I must admit, I don't find a Yahoo-branded version of IE7 Beta 2 to be an attractive option, but hey - somebody may want it:

http://downloads.yahoo.com/ie7beta/index.php

Posted by sandi with no comments

Overwhelming demand for Vista Beta 2 downloads is putting the Net at risk???

My first reaction to the following was "you're kidding me, right?  I must be misreading, or somebody is overreacting".  So, I confirmed the situation with Terri via Instant Messenger, and she has posted the request to The Hive, so I can say that I am as sure as I can be that the following request is legitimate.

MS wants us to spread the word.  Apparently demand for Vista Beta 2 is breaking previous download records:

"1) We are hitting a legitimate threshold as to how fast we can serve up the bits without affecting the rest of the Net.

2) People should consider ordering the DVD. While we are excited to see the huge demand, this is more about being good citizens and helping users who are waiting know they can order the DVD."

The backlog is so large now that ordering a DVD may be quicker.  If you have already requested a download, you can return to the site and change your selection to DVD.

Bink.nu quotes MS:

"So, we are literally saying that if we increased our bandwidth any further there's a possibility of taking down the Internet - people might have problems with World Cup viewing, etc"

So there you have it; demand for the Vista Beta 2 download is so high, MS are getting concerned. But, take down the rest of the Net? That doesn't feel right to me.

Posted by sandi with no comments

Renaming a computer breaks IE7 RSS synchronisation

Ok, so maybe "breaks" is strongly worded.  How about "stops RSS synchronisation from working and no error messages are seen; you have to work out for yourself what is wrong".

You guessed it - my RSS feeds stopped synchronising.  At first I thought that perhaps my new firewall (Comodo) was interfering, but the force refresh command, "msfeedssync forcesync" works, so it can't be that.

The obvious next step is to check that synchronising is enabled - it is.

Next, make sure that the default synchronisation schedule hasn't changed - nope, still the same, set to 15 minutes.

Next, look at the scheduled task - aha.. here we go.

Yesterday I changed my computer's name as part of troubleshooting problems adding it to my new SBS2003 network (we couldn't work out what was wrong, eventually giving up on the SBS connectcomputer wizard and reverting to the old fashioned way of doing things). 

It seems that changing my PC name is what broke RSS synchronisation. Hopefully all I need to do is edit the settings under "Run As" on the Scheduled Task's "Task" tab to match the new computer name. In 5 minutes or so I will find out if I have fixed the problem. Edit: Yep, all fixed.

It is unfortunate that IE7 does not show any error message when it is unable to update feeds because of an incorrect user name or password.

Posted by sandi with no comments

Windows Vista Beta 2 released to the public

It has been announced in The Hive that Windows Vista Beta 2 is available for download via the "Windows Vista Beta 2 Customer Preview Program":
http://www.microsoft.com/windowsvista/getready/default.mspx

Enjoy!!

Posted by sandi with no comments

Looking inside a spambot

Bear with me, this is going to be a long post.

The SANS Internet Storm Centre is discussing a nasty piece of malware discovered recently by a reader:
http://isc.sans.org/diary.php?storyid=1388

I have also been dealing with a spambot at the request of Wayne Small, SBS MVP of Correct Solutions.  This machine is a desktop box owned by a high ranking official at a big company so, of course, our primary concern was infection of the corporate network when the user VPNed into the network.

When we first started looking at the machine we knew something was wrong because Trend had warned of a single infected file - being system32\uieaucix.exe, reported as troj_galapoper.a

Our goal on this occasion was not to clean and return - we fully intended to reformat the machine before returning it to the victim (sorry, customer). This is the third time the PC has been infected that I know of, and it's simply safer for all that it be wiped clean, the OS installed afresh, protective software installed and user accounts locked right down. Our plan was to run a few scans, monitor the system with a few specialised tools, assess how well the antivirus and antispyware products were working, and try to work out how the infection occurred in the first place (and therefore how to prevent it from happening in the future).

What I thought was going to be pretty standard forensics "ok-the-machine-is-infected (yawn) lets-get-it-cleaned, reduce user permissions and give it back" turned out to be anything but.  While I was connected to the PC via VNC something bad on that box woke up.  A slew of connections were made to Russia right before my eyes and things suddenly got very very interesting.  This was very cool - sure, I've seen many reports of infected PCs, and helped users fix their machines from afar using various automated products and analysis logs, but I've never had the chance to be hands on with a real, live, actively pumping spambot - even if only via VNC.

{Side note: spamcop was the first to blacklist the IP address of the spambot - as of this evening spamcop had removed the listing but two other groups had taken its place}

Like the malware reported to SANS, the malware I was dealing with was *not* hampered by antivirus protection, antispyware protection or the firewall.

Using Plastic Sniffer (thanks Colin for pointing me to that sweet little programme) we grabbed a sample of the spam being sent by the bot:

--------
Received: (qmail 6595 invoked from network); Mon, 5 Jun 2006 17:21:44 +1100
Received: from unknown (HELO wy.vp) (***.***.***.***)
  by 44-140-222-203.static.techex.net.au with SMTP; Mon, 5 Jun 2006 17:21:44 +1100
Message-ID: <002d01c68868$5158859d$3126decb@wy.vp>
From: "Ike Milligan" <ypisjda@*******.com>
To: <ybarra@******.com>
Subject: falsification baby boomer
Date: Mon, 5 Jun 2006 17:12:02 +1100
MIME-Version: 1.0
Content-Type: text/plain;
  format=flowed;
  charset="Windows-1252";
  reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

Trading alert!
We pick our companies based on there growth potential.
We assume many of you like to "trade the promotion" and may have
made some big, fast money doing so.
Get  A M S N  first thing tomorrow, this is going to explode next 2-3
days!!!
Looking for a company with some good news?  Here's one!
We see big things happening everyday, so we say keep your eye on
A M S N  and watch for a big movement !!!
Here is a special company that may be set to make a move in the near
future - this could be your opportunity to be ahead of the curve!
This stock will explode. Do not wait until it is too late.

Trade Date : 05.06.06
Company Name : Amerossi International Group Inc.
Ticker :  A M S N
Price : $0.05
4-7 Day Trading
--------

The process that was sending the spam, and phoning home to Russia, was a file called taskdir.exe - small netstat sample below:

--------
Proto  Local Address          Foreign Address        State           PID
  TCP    HOMEPC:4885         mc3-reserved.hotmail.com:smtp  SYN_SENT        2704
  [taskdir.exe]
  TCP    HOMEPC:4887         mail.rediffmail.com:smtp  SYN_SENT        2704
  [taskdir.exe]
  TCP    HOMEPC:4889         mail.rediffmail.com:smtp  SYN_SENT        2704
  [taskdir.exe]
  TCP    HOMEPC:4893         scanner4.spamcow.com:smtp  SYN_SENT        2704
  [taskdir.exe]
  TCP    HOMEPC:4890         cluster-c.mailcontrol.com:smtp  ESTABLISHED 2704
  [taskdir.exe]
  TCP    HOMEPC:4892         mta-v24.mail.yahoo.com:smtp  ESTABLISHED     2704
  [taskdir.exe]
  TCP    HOMEPC:1059         81.177.26.21:http      CLOSE_WAIT      2704
  [taskdir.exe]
  TCP    HOMEPC:1185         81.177.26.21:http      CLOSE_WAIT      2704
  [taskdir.exe]
  TCP    HOMEPC:1187         81.177.26.21:http      CLOSE_WAIT      2704
  [taskdir.exe]
--------

There was a slew of connections to Russia, as well as a multitude of constantly changing Port 25 connections.

--------
  TCP    HOMEPC:1059         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1185         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1187         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1216         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1218         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1229         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1308         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1317         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1319         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1328         mail.heifer.org:smtp   FIN_WAIT_2
  TCP    HOMEPC:1531         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1601         ff-mx-vip1.prodigy.net:smtp  ESTABLISHED
  TCP    HOMEPC:1604         uklon01sd01.lendlease.com:smtp  FIN_WAIT_1
  TCP    HOMEPC:1609         202.175.129.154:smtp   SYN_SENT
  TCP    HOMEPC:1611         xa.mx.aol.com:smtp     ESTABLISHED
  TCP    HOMEPC:1665         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1921         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2068         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2226         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2228         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2231         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2233         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2316         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2546         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2666         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2945         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3128         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3210         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3218         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3220         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3308         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3310         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3458         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3601         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3703         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4086         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4090         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4092         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4100         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4143         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4145         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4380         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4590         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4657         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4934         81.177.26.21:http      CLOSE_WAIT
--------
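The pattern in the two listings above (one process fanning out SMTP connections to many foreign mail hosts while repeatedly contacting a single foreign IP over HTTP) can be picked out of netstat output automatically. The following Python script is an added example, not code from the original post: it parses `netstat -ano -b` style rows like those shown and applies that heuristic. The embedded sample listing is constructed, modelled on the output above, and the list of legitimate mail-client images is an assumption to tune per site.

```python
"""Spot spambot-style connection patterns in Windows `netstat -ano -b` output.

Added example, not from the original post.  Parses the layout shown above
(address:port for each end, a TCP state, an optional PID, and with `-b` the
owning image name on the next bracketed line) and applies two heuristics:
  * SMTP fan-out: a process that is not a known mail client holding
    connections to several distinct foreign mail hosts on port 25.
  * One foreign IP contacted repeatedly over HTTP (the phone-home pattern).
Only TCP rows are parsed; UDP rows have no state column and are skipped.
"""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the listing in the post.  The taskdir.exe
# rows mirror the observed pattern, OUTLOOK.EXE and iexplore.exe are benign
# control rows, and the final PID-less row mimics plain `netstat -an` output.
SAMPLE = """\
Proto  Local Address          Foreign Address        State           PID
  TCP    HOMEPC:4885         mc3-reserved.hotmail.com:smtp  SYN_SENT        2704
  [taskdir.exe]
  TCP    HOMEPC:4887         mail.rediffmail.com:smtp  SYN_SENT        2704
  [taskdir.exe]
  TCP    HOMEPC:4890         cluster-c.mailcontrol.com:smtp  ESTABLISHED 2704
  [taskdir.exe]
  TCP    HOMEPC:4892         mta-v24.mail.yahoo.com:smtp  ESTABLISHED     2704
  [taskdir.exe]
  TCP    HOMEPC:1059         81.177.26.21:http      CLOSE_WAIT      2704
  [taskdir.exe]
  TCP    HOMEPC:1185         81.177.26.21:http      CLOSE_WAIT      2704
  [taskdir.exe]
  TCP    HOMEPC:1187         81.177.26.21:http      CLOSE_WAIT      2704
  [taskdir.exe]
  TCP    HOMEPC:1045         mail.example.net:smtp  ESTABLISHED     1820
  [OUTLOOK.EXE]
  TCP    HOMEPC:1050         www.example.com:http   ESTABLISHED     1044
  [iexplore.exe]
  TCP    HOMEPC:1328         mail.heifer.org:smtp   FIN_WAIT_2
"""

# Assumption: images that legitimately speak SMTP from a desktop.  Tune per site.
MAIL_CLIENTS = {"outlook.exe", "msimn.exe", "thunderbird.exe"}

CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP)\s+(?P<lhost>\S+):(?P<lport>\S+)\s+"
    r"(?P<rhost>\S+):(?P<rport>\S+)\s+(?P<state>\S+)(?:\s+(?P<pid>\d+))?\s*$"
)
IMAGE_RE = re.compile(r"^\s*\[(?P<image>[^\]]+)\]\s*$")


def parse_netstat(text):
    """Return one dict per TCP connection; pid/image are None when absent."""
    entries = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            row = m.groupdict()
            row["image"] = None
            entries.append(row)
            continue
        m = IMAGE_RE.match(line)
        # `netstat -b` prints the owning image directly under its connection row
        if m and entries and entries[-1]["image"] is None:
            entries[-1]["image"] = m.group("image")
    return entries


def smtp_fanout(entries):
    """Map (pid, image) -> set of distinct foreign hosts contacted on SMTP."""
    fan = defaultdict(set)
    for e in entries:
        if e["rport"].lower() in ("smtp", "25"):
            fan[(e["pid"], e["image"])].add(e["rhost"].lower())
    return fan


def find_spambots(entries, min_hosts=3):
    """Processes, other than known mail clients, talking to >= min_hosts MTAs."""
    findings = []
    for (pid, image), hosts in smtp_fanout(entries).items():
        if len(hosts) >= min_hosts and (image or "").lower() not in MAIL_CLIENTS:
            findings.append({"pid": pid, "image": image, "smtp_hosts": sorted(hosts)})
    return findings


def repeated_http_peers(entries, min_count=3):
    """Foreign hosts contacted over HTTP at least min_count times (phone-home)."""
    counts = Counter(e["rhost"] for e in entries if e["rport"].lower() in ("http", "80"))
    return {host: n for host, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    for f in find_spambots(conns):
        print(f"SMTP fan-out: pid={f['pid']} image={f['image']} -> {len(f['smtp_hosts'])} MTAs")
    for host, n in repeated_http_peers(conns).items():
        print(f"Repeated HTTP peer: {host} ({n} connections)")
```

On a live box, feed it the output of `netstat -ano -b` (run elevated, since `-b` needs it) instead of SAMPLE; a desktop process that is not a mail client yet holds SMTP sessions to several MTAs is the signature the resident tools missed here.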

Ok, so we know that the machine is definitely infected and is pumping out spam as we watch.  But, this machine has Windows Defender installed - it also has the Trend Micro Client/Server Security Agent installed.  It also has a firewall installed that is part of the Trend product and which is managed by the "big company" IT Department.

I sat there and watched all this activity using a few different programs - Process Explorer, Plastic Sniffer and APM.  None of the resident protective software was showing any sort of alarm, despite there being infection and active malware processes on the machine. The firewall that is part of the Trend software was letting everything through unimpeded. 

We know that taskdir.exe is a primary baddy - I submitted the file to virustotal - three scanners reported the file was "trojan.w32.abwiz" so why was Trend silent?

I eyeballed the machine and found some files that I knew were suspicious even without the benefit of scans.

Let's do a smitfraud scan and see what else it finds:

C:\WINDOWS\adware-sheriff-box.gif FOUND !
C:\WINDOWS\adware-sheriff-header.gif FOUND !
C:\WINDOWS\alexaie.dll FOUND !
C:\WINDOWS\alxie328.dll FOUND !
C:\WINDOWS\alxtb1.dll FOUND !
C:\WINDOWS\antispylab-logo.gif FOUND !
C:\WINDOWS\blue-bg.gif FOUND !
C:\WINDOWS\BTGrab.dll FOUND !
C:\WINDOWS\buy-now-btn.gif FOUND !
C:\WINDOWS\close-bar.gif FOUND !
C:\WINDOWS\corner-left.gif FOUND !
C:\WINDOWS\corner-right.gif FOUND !
C:\WINDOWS\dlmax.dll FOUND !
C:\WINDOWS\facts.gif FOUND !
C:\WINDOWS\footer.giff FOUND !
C:\WINDOWS\free-scan-btn.gif FOUND !
C:\WINDOWS\h-line-gradient.gif FOUND !
C:\WINDOWS\header-bg.gif FOUND !
C:\WINDOWS\infected.gif FOUND !
C:\WINDOWS\info.gif FOUND !
C:\WINDOWS\no-icon.gif FOUND !
C:\WINDOWS\Pynix.dll FOUND !
C:\WINDOWS\reg-freeze-box.gif FOUND !
C:\WINDOWS\reg-freeze-header.gif FOUND !
C:\WINDOWS\remove-spyware-btn.gif FOUND !
C:\WINDOWS\true-stories.gif FOUND !
C:\WINDOWS\spyware-sheriff-header.gif FOUND !
C:\WINDOWS\spyware-sheriff-box.gif FOUND !
C:\WINDOWS\star.gif FOUND !
C:\WINDOWS\star-grey.gif FOUND !
C:\WINDOWS\warning-bar-ico.gif FOUND !
C:\WINDOWS\win-sec-center-logo.gif FOUND !
C:\WINDOWS\windows-compatible.gif FOUND !
C:\WINDOWS\yes-icon.gif FOUND !
C:\WINDOWS\ZServ.dll FOUND !
C:\WINDOWS\system32\alxres.dll FOUND !
C:\WINDOWS\system32\CWS_iestart.exe FOUND !
C:\WINDOWS\system32\dailytoolbar.dll FOUND !
C:\WINDOWS\system32\exuc32.tmp FOUND !
C:\WINDOWS\system32\jao.dll FOUND !
C:\WINDOWS\system32\mirarsearch_toolbar.exe FOUND !
C:\WINDOWS\system32\questmod.dll FOUND !
C:\WINDOWS\system32\runsrv32.dll FOUND !
C:\WINDOWS\system32\runsrv32.exe FOUND !
C:\WINDOWS\system32\shellgui32.dll  FOUND !
C:\WINDOWS\system32\taskdir.exe FOUND !
C:\WINDOWS\system32\tcpservice2.exe FOUND !
C:\WINDOWS\system32\txfdb32.dll FOUND !
C:\WINDOWS\system32\udpmod.dll  FOUND !
C:\WINDOWS\system32\zlbw.dll FOUND !

But... and this is a worry... the HijackThis log was clean.

The smitfraud test missed a few malware files being ipod.raw.exe, winsub.xml and svcp.csv.

I also found a few other scattered malware files not featured above, including winapi32.exe and bbbxvhcr.kvx.

--------
Let's see what the online/installed antivirus and antispyware applications have to say - remember, I did not clean *anything* before running these scans.

A full scan of C drive using the resident Trend Micro Client/Server Security Agent reported **zero infection**.

Ewido detected only Adware.SpySheriff (HKLM\Classes\TypeLib\{31F9B5A7-5B94-445D-922C-E97BF52F5FD7}) and Adware.VX2 (HKLM\SOFTWARE\RespondMiter)

Trend Housecall online scan failed to run.

Trend Micro Antispyware for the Web detected only Adware_PopsStop (HKLM\SOFTWARE\RespondMiter)

There are a *lot* of files being missed by the scanners.
--------

We should think about why creating a limited user account did not protect this machine.  Its history makes things kind of blurry.  The user ran as admin, and therefore was infected as admin, before I created the limited user account.  We *thought* the machine was clean the last time we worked on it - all scans were fine and I pulled out some pretty big guns.  Nothing untoward in running processes, multiple reboots didn't trigger a resurrection of malware, the rootkit scans were fine as well.  HJT logs were great, all online scans were clean.  Great, I thought, good to go.

But something remained.  The smitfraud infection was simply too new for all files to be detectable using the automated tools at the time of the cleanup.  I see in the old logs that *some* files were detected, but others weren't.  Files that appear in smitfraud/smitrem scans *now* didn't appear in the scans back in early May.  What's the lesson I learn from that?  I don't trust automated cleaners. I detect first, then I get in there and search for anything else that may be related to that infection by hand, then I clean using something like killbox so that I can get *all* the files at the same time, not just those spotted by automated scans.

We're not sure exactly how the reinfection occurred. Trend alerted about *one* infected file (troj_galapoper.a) weeks after the apparently successful cleanup. My hypothesis is that the infection remained dormant for as long as the limited user account was the only one used; then the user may have swapped over to his admin account to do something that couldn't be done in his limited user account and WHAMMO - the system got reinfected. He then swaps back to the limited user account, but it's too late. The damage is done.

Then, when I logged in as admin to do some poking around before the reformatting - DOUBLE WHAMMO - something phones home, new files are downloaded, and the PC transmutes into a spambot.

It's obvious the automated tools let us down. That leaves us in a position where, if there are signs of infection, our only choice may be to manually comb through the computer and eyeball installed files whenever *anything* else is detected, to make sure nothing is missed. That makes cleanup extremely labour- and time-intensive and, to be honest, simply not practical - there are only so many hours in a day. At the same time, names like "dailytoolbar.dll" and "CWS_iestart.exe" are so obvious I would *not* have missed the vectors if I had eyeballed all files. I may have to start charging for direct 'Sandi can you please help' requests if I'm going to have to spend a day or so of intense digging to make sure we're not missing anything.

--------
The firewall

There has been a lot of discussion about stateful firewall protection versus "full" protection.  Many things have been said to me about why tight firewalls don't work, including that users will simply say yes to every prompt because they want to see the dancing pigs, or that they will say no and break their systems, or they will say yes because they don't understand what is being asked of them and they are worried they will break their systems if they say no.  That's all well and good, but the fact remains - the infected machine would not have failed the leak test, and taskdir.exe would not have been able to send all that spam (or connect to Russia to download even more bad stuff) if the firewall had alerted the user and asked for permission to send the data.  It really bothers me that these things can happen, in the background, and the user receives no warning at all until they're suddenly lumped with a massive ISP bill, or they are cut off by their ISP because the ISP has spotted the viral traffic.  A user should not have to go digging through their system folders or use specialised programs like Plastic Sniffer and Process Explorer to find out if there are nefarious activities occurring on their machines.

I'm preparing to test a new firewall called Comodo firewall that may make a difference:
http://www.personalfirewall.comodo.com/whats_new.html?currency=USD&region=Australasia&country=AU

If Comodo really does detect "DLL/Code injections" etc., that is one hell of a big step forward. We need to assess it from the point of view of the home user. It's all well and good to say that iexplore.exe wants to act as a server, that it is a 'safe' application and that it wants to listen on port 1609 UDP, but that means nothing to the home user. Hopefully the 'more details' button in the screenshot provides more useful information.

Posted by sandi with 1 comment(s)

Thank heavens for Babel Fish

My mother-in-law phoned tonight; she speaks no English, my German is very rusty, despite three years of formal studies.  Time and lack of practice has led to my being able to translate German to English, but I struggle with translating English back to German again.  

Hubby is travelling at the moment.  I remember enough German to know that Schwiegermutter immediately feared hubby was ill and in hospital, or that something else was badly wrong.

Hooray for Babel Fish;  Flugzeug (aeroplane), Feiertag (holiday) and "Telefon Sonntag" (call on Sunday) was all that was needed to set the poor woman's mind to rest.

Posted by sandi with no comments

IE7 Beta 2 and Remote Assistance - broken

Unfortunately I've been so busy lately I've been out of touch with my newsgroups; now I am back in there I'm seeing several reports of Remote Assistance being broken when IE7 is installed, with removing IE7 being the only fix.

There's no mention of the problem in the Release Notes (although I do note a problem with Citrix ICA on Vista which is of especial interest to me) or in the IE blog, and it seems the problem will not be fixed before final release - bummer.

Posted by sandi with no comments