<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Spyware Sucks : Security, safety and privacy on the Internet, Vulnerabilities, viruses and exploits, General stuff</title><link>http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/Vulnerabilities_2C00_+viruses+and+exploits/General+stuff/default.aspx</link><description>Tags: Security, safety and privacy on the Internet, Vulnerabilities, viruses and exploits, General stuff</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>80% of new malware defeats antivirus...</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/07/20/105331.aspx</link><pubDate>Thu, 20 Jul 2006 12:52:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:105331</guid><dc:creator>sandi</dc:creator><slash:comments>0</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=105331</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/07/20/105331.aspx#comments</comments><description>&lt;P&gt;Ok, so tell me something I *don't* know:&lt;BR&gt;&lt;A href="http://www.zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,2000061744,39263949,00.htm"&gt;http://www.zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,2000061744,39263949,00.htm&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The time is long past that I have depended on any antivirus or antispyware product to clean a system properly, or detect all malware files.&amp;nbsp; Instead I depend on products such as Process Explorer, GMER, Killbox, various rootkit analysers, packet sniffers and anything else that helps me analyse a system and search for, then analyse, then kill,&amp;nbsp;aberrant processes and files.&lt;/P&gt;
&lt;P&gt;At best, antivirus and antimalware products will reduce the signal to noise ratio by getting rid of the high profile, obvious, easy to remove stuff.&amp;nbsp; They may get rid of the files and services with big "shoot me" targets on their backsides, but the real important stuff is too often missed.&amp;nbsp; I have blogged several times about my work cleaning up malware infested PCs and servers&amp;nbsp;and how the commercial products simply didn't pick up everything that is installed, even missing the primary re-infector.. the file/files that&amp;nbsp;are instrumental to reinfection of a system.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;It doesn't do any damn good to get rid of the files with "shoot me" painted on their butts if the primary re-infector is left untouched.&amp;nbsp; I have seen HijackThis logs with *dozens* of entries pointing to randomly named malware files... each new entry being evidence of a failed attempt to remove malware by an antivirus or antispyware application.&amp;nbsp; Is it any surprise that I have lost faith in commercial products as a whole?&lt;/P&gt;
&lt;P&gt;A respected associate of mine pointed out that if the AV and antispyware companies are not called in to deal with the "weird and wonderful" infections that cross my desk every week, then those companies will not have the opportunity to improve their product and add detections.&amp;nbsp; That is fair enough, but here is the problem.&amp;nbsp; *Their* reach is far&amp;nbsp;greater than mine.&amp;nbsp; They should be seeing this stuff before I do.&amp;nbsp; If a misconfigured terminal server is hit, and that terminal server is the only one&amp;nbsp;a company&amp;nbsp;has, then I don't have the freedom, or the time, to make a phone call and wait for &amp;lt;fill in name of antivirus company&amp;gt; to get back to me.&amp;nbsp; And anyway, even if they add detection for *that* malware, within a week something else will hit that is also not detected properly, and so it goes on and on and on and on and on.&lt;/P&gt;
&lt;P&gt;So what do we do? Depending on software to protect our computers is not working.&amp;nbsp; Cure-all software&amp;nbsp;isn't doing the job.&amp;nbsp; In the end, &lt;STRONG&gt;prevention&lt;/STRONG&gt; is the only cure.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Do you surf the Web using an administrator account?&amp;nbsp; That is bad.&lt;/P&gt;
&lt;P&gt;Do you download freeware without checking into its spyware reputation?&amp;nbsp; That is bad.&lt;/P&gt;
&lt;P&gt;Do you visit the seedier side of the internet?&amp;nbsp; That is bad.&lt;/P&gt;
&lt;P&gt;Are you forgetting to patch your system?&amp;nbsp; Bad.&lt;/P&gt;
&lt;P&gt;Have you turned off your pop-up blocker?&amp;nbsp; Bad.&amp;nbsp; A primary infector, nowadays, is pop-up windows.&lt;/P&gt;
&lt;P&gt;Have you reduced your Internet security settings because a favorite site won't work properly at default security levels?&amp;nbsp; Bad.&lt;/P&gt;
&lt;P&gt;Did you turn off your firewall 'cause your ISP told you to when you were having problems?&amp;nbsp; Bad.&lt;/P&gt;
&lt;P&gt;Have you avoided installing Service Pack 2 for XP because one of your software products is "not supported" in SP2 environments?&amp;nbsp; Bad... stick that software on a PC that isn't used for Web surfing.&amp;nbsp; The same goes for software that will not run unless the user has administrator rights.... if you *must* use such software then fine, run as Admin, but if you must go on the net log in to a limited user account and surf from there.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Does that sound like too much inconvenience?&amp;nbsp; Believe me, if you get infected the inconvenience you suffer then will be far worse.&amp;nbsp; It's not that hard to get used to multiple accounts.&amp;nbsp; On my networks I have two accounts, an administrator account and a regular user account. I only log in as administrator when I require elevated permissions for a specific task. For the rest of the time, I use a normal user account.&amp;nbsp; It took a little while to get used to, having to swap log ins, but the temporary pain is worth the security gain.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=105331" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/default.aspx">Vulnerabilities, viruses and exploits</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/General+stuff/default.aspx">General stuff</category></item><item><title>MS Word Exploit - Administrator Rights - Oh my...</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/05/21/96253.aspx</link><pubDate>Sun, 21 May 2006 03:24:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:96253</guid><dc:creator>sandi</dc:creator><slash:comments>1</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=96253</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/05/21/96253.aspx#comments</comments><description>&lt;P&gt;Some areas of the net are in a flap about the MS Word exploit that has been the focus of some publicity recently.&amp;nbsp; Some sites are even advising that we should consider 
dumping&amp;nbsp;&lt;A href="http://www.incidents.org/diary.php?storyid=1347"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;MS Word in preference to OpenOffice&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;Come on guys.&amp;nbsp; We shouldn't even be thinking about fighting this thing by moving to a different programme.&amp;nbsp; Why?&amp;nbsp; Because it does not address a core problem.&amp;nbsp; The thing about this exploit is that it will only succeed if the user has &lt;U&gt;administrator privileges&lt;/U&gt;.&amp;nbsp; We all know that we shouldn't be running our machines with administrator privileges, but all of us also have clients that absolutely insist that they must run as admin because a mission critical application will not run without it.&lt;/P&gt;
&lt;P&gt;So, what can we do under such circumstances? How do we protect our clients from this exploit and other admin-dependent exploits&amp;nbsp;if they have a mission critical application that will not run without administrator privileges?&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Preferred option - reduce their rights anyway, and use RunAs - stick a shortcut on their desktop that grants only the mission critical application administrator privileges:&lt;BR&gt;&lt;A href="http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_runas.mspx?mfr=true"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_runas.mspx?mfr=true&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Your user still isn't happy?&amp;nbsp; They just don't like non-admin?&amp;nbsp; They're telling you it's *their* machine and they want administrator rights?&amp;nbsp; Well, short of washing your hands of any responsibility and walking out the door never to return, there is another trick you can use.&amp;nbsp; What if you could let your stubborn client run as admin, but bump &lt;STRONG&gt;down&lt;/STRONG&gt; particular applications to limited user rights *at the same time*?&amp;nbsp; Sound interesting?&amp;nbsp; Read on... :o)&lt;/P&gt;
&lt;P&gt;Michael Howard has posted an article to the Security Developer Centre that is of especial interest to those who are faced with "I must be Admin" users who also want to be protected from the Word exploit:&lt;BR&gt;&lt;A href="http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure01182005.asp"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure01182005.asp&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;You'll note that by using Software Restriction Policies you can stop a programme from running at all, or force it to run as a limited (basic) user.&amp;nbsp; If you want to really lock things down you can use Constrained or Untrusted.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;There is one very important limitation to this trick that we must be aware of.&amp;nbsp; Software Restriction Policies&amp;nbsp;are path dependent.&amp;nbsp; That is, you must set a specific target path to the application for this to work.&amp;nbsp; If, for example, an executable is moved or copied to another directory, the restriction policy will fail.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=96253" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/default.aspx">Vulnerabilities, viruses and exploits</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/General+stuff/default.aspx">General stuff</category></item><item><title>Follow-up on Messenger Plus! (Subtitle: There's a human being behind Messenger Plus)</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/04/15/91145.aspx</link><pubDate>Sat, 15 Apr 2006 14:21:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:91145</guid><dc:creator>sandi</dc:creator><slash:comments>0</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=91145</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/04/15/91145.aspx#comments</comments><description>&lt;P&gt;My regular readers will know of the brouhaha (translation: uproar) about the new Sponsor Program for Messenger Plus!&lt;/P&gt;
&lt;P&gt;As a brief recap, the new Sponsor no longer installs a Search Bar or Passthrough Toolbar, nor does it change your home page.&amp;nbsp; But, the pop-up windows remain, as do the unremovable favorites.&lt;/P&gt;
&lt;P&gt;A price was paid for the above changes.&amp;nbsp; The following did not occur on my test systems before the changes to the Sponsor occurred (except for the adultfriendfinder advertisements, which I complained about back in December).&lt;/P&gt;
&lt;P&gt;Within minutes of installing the Sponsor Program, pop-up and dialogue windows appeared that attempted to install various types of malware, including Vundo aka Winfixer (a very disreputable malware known to use rootkits to avoid removal).&amp;nbsp; There was also ErrorSafe (betrayware), adult orientated advertisements, and a few other attempts to download and install unidentified ActiveX installs.&lt;/P&gt;
&lt;P&gt;One thing I did notice was that the Jamster pop-up advertisements seem to have disappeared, at least for me.&lt;/P&gt;
&lt;P&gt;My blog entries were cited in various antispyware forums and hits on my blog went through the roof.&amp;nbsp; It's not surprising - back on 5 March a hit analysis showed that my blog about Messenger Plus! versus Windows Defender is the third most popular post in the history of the site, beaten only by my articles about how to uninstall, and install, IE7:&lt;BR&gt;&lt;a href="http://msmvps.com/blogs/spywaresucks/archive/2006/03/05/85484.aspx"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://msmvps.com/blogs/spywaresucks/archive/2006/03/05/85484.aspx&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Anyway, a link to my latest blog was posted to the MP support forums... a cat landed amongst pigeons, so to speak ;o)&lt;/P&gt;
&lt;P&gt;Now, before we go any further I shall tell you that Patchou and I, since the link to my latest blog entries was posted to the MP! forums, have exchanged several *long* emails.&amp;nbsp; There's stuff that Patchou has shared with me and asked that I not repeat, and vice versa, so I do apologise but I will not be posting the nitty gritty of our discussion.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Patchou and I spoke very openly and honestly with each other - no holding back - yet at the same time there was no name calling by either of us, which brings me to what I need to do now, which is apologise.&lt;/P&gt;
&lt;P&gt;&amp;lt;apology mode on&amp;gt;&amp;nbsp; My blogs about the new MP! Sponsor ran under the headline "Patchou: You are an &amp;lt;insert unflattering description here&amp;gt;".&amp;nbsp; In Part 3 I called Patchou "the lowest of the low".&amp;nbsp; Both statements were too personal, attacking the person rather than the sponsor program.&amp;nbsp; For that I apologise. &amp;lt;/apology mode off&amp;gt;&lt;/P&gt;
&lt;P&gt;"Aarrgh! Betrayal! Where is the infamous flamethrower!" I hear some cry.&amp;nbsp; Let me reassure that the flamethrower is still there, and that it is still focused on the Sponsor Program.&amp;nbsp; That being said, it has become obvious that by "getting personal" I'm not progressing the anti-malware campaign.&amp;nbsp; We need people to listen, not shut down lines of communication because we're getting personal.&lt;/P&gt;
&lt;P&gt;Look at the MP! support forums.&amp;nbsp; The overwhelming reaction to my blog was defensive - instead of saying "hmm, maybe there's a problem here, let's check it out", the majority said "but its optional, can't you read the install windows"? (paraphrased)&amp;nbsp; Of course, the fact that the Sponsor Program install notifications have no relevance to malware that is installed via pop-up windows didn't seem to occur to them.&lt;/P&gt;
&lt;P&gt;I hate to think what would have happened if Patchou had not seen the thread - how long was shutting down the malware pushers delayed because those in the forums didn't pause and test the allegations instead of jumping straight into the "but its optional" justification routine?&amp;nbsp; And, how much of the delay can be blamed on me?&amp;nbsp; How much delay was caused by defensiveness that was a result of my strident complaints about Patchou and his Sponsor?&amp;nbsp; It's something worth thinking about.&lt;BR&gt;&amp;nbsp;&lt;BR&gt;Ok, so anyway, Patchou posted in the now removed thread in the Messenger Plus! forums that, of the stuff that I reported on, adultfriendfinder will go and ErrorSafe were being shut down.&lt;/P&gt;
&lt;P&gt;So where do we go from here?&amp;nbsp; Let's wait and see.&amp;nbsp; I am planning to re-test the sponsor next week, after giving time for Patchou and those behind the Sponsor to clean things up.&amp;nbsp; The tests will be comprehensive, involving people based all over the world. I'd like to expand that pool of testers.&lt;/P&gt;
&lt;P&gt;Do you want to contribute?&amp;nbsp; Send me an email via the "Contact Sandi" link at &lt;A href="http://www.ie-vista.com"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;www.ie-vista.com&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt; if you want to join the "Watch Squad".&amp;nbsp; I've been made to understand that any information about malware being installed by the sponsor will be appreciated so that action can be taken, so get in there and let Patchou know.&amp;nbsp; For your own safety you'll need to be using XP SP2 or Windows Vista .. users of earlier operating systems cannot safely install the sponsor unless and until we can show that the sponsor is safe to install.&lt;/P&gt;
&lt;P&gt;This is what I would like the Watch Squad to do:&lt;/P&gt;
&lt;P&gt;Install the Sponsor Program (ensuring antivirus and antispyware products are disabled first - the Sponsor Program is detected by many antivirus and antispyware programs as adware, spyware or the swizzor trojan).&lt;/P&gt;
&lt;P&gt;Send screen shots of the sponsor desktop links and details of where the links go (including URLs and screen shots).&lt;/P&gt;
&lt;P&gt;Screen shots and specifics of pop-up windows that appear. The screenshots need to display attempted activex downloads.&lt;/P&gt;
&lt;P&gt;Screen shots of the Favorites installed together with information about whether the favorites are viewable in Windows Explorer or the Organise Favorites window, and whether it is possible to right click a Sponsor favorite in the drop down list and select "delete".&lt;/P&gt;
&lt;P&gt;Details of the country in which the PC being used for tests is located.&lt;/P&gt;
&lt;P&gt;Information about the Sponsor Program's behaviour will be posted to my blog *AND* sent to Patchou.&amp;nbsp; Patchou stated in the now removed thread in MP! that he had taken action about the original problems highlighted in my blog.&amp;nbsp; Let's keep the information flowing and see what happens.&lt;/P&gt;
&lt;P&gt;Rest assured that my apology (which is genuine), is not going to stop the flamethrower from being pointed at the Sponsor Program.&amp;nbsp; I do intend to try and not be so personal though - even when *really* angry and unable to understand how such blatant attempts to install malware slipped through the cracks.&lt;/P&gt;
&lt;P&gt;My next post, when I find the energy (likely after about 12 hours sleep) will be about the Windows HOSTS file and whether it should be used as a security tool...&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=91145" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/default.aspx">Vulnerabilities, viruses and exploits</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/General+stuff/default.aspx">General stuff</category></item><item><title>Its Patch Day!!</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/04/11/90632.aspx</link><pubDate>Tue, 11 Apr 2006 22:27:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:90632</guid><dc:creator>sandi</dc:creator><slash:comments>0</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=90632</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/04/11/90632.aspx#comments</comments><description>&lt;P&gt;&lt;FONT size=2&gt;&lt;FONT color=#333333&gt;&lt;FONT face=Verdana&gt;&lt;B&gt;&lt;SPAN&gt;Bulletin Summary:&lt;/SPAN&gt;&lt;/B&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;BR&gt;&lt;FONT face=Verdana color=#333333 size=2&gt;&lt;SPAN&gt;&lt;A title=blocked::http://www.microsoft.com/technet/security/Bulletin/ms06-Apr.mspx href="http://www.microsoft.com/technet/security/Bulletin/ms06-Apr.mspx"&gt;http://www.microsoft.com/technet/security/Bulletin/ms06-Apr.mspx&lt;/A&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Verdana color=#333333 size=2&gt;&lt;SPAN&gt;Note: This month's cumulative update includes the 912945 changes, but there is also a compatibility patch for corporations that have critical applications that don't work with the changes.&amp;nbsp; The compatibility patch should *not* be used by the casual surfer simply because they don't like the changes wrought by 912945 - that's just delaying the inevitable because the patch is temporary.&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;B&gt;&lt;FONT face=Verdana color=#333333 size=2&gt;&lt;SPAN&gt;Critical Bulletins:&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt;
&lt;H2&gt;&lt;B&gt;&lt;FONT face=Verdana size=2&gt;&lt;SPAN&gt;Cumulative Security Update for Internet Explorer (912812)&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/B&gt;&lt;SPAN&gt;&lt;BR&gt;&lt;/SPAN&gt;&lt;FONT face=Verdana color=#333333 size=2&gt;&lt;SPAN&gt;&lt;A title=blocked::http://www.microsoft.com/technet/security/Bulletin/ms06-013.mspx href="http://www.microsoft.com/technet/security/Bulletin/ms06-013.mspx"&gt;&lt;FONT color=#0000ff&gt;http://www.microsoft.com/technet/security/Bulletin/ms06-013.mspx&lt;/FONT&gt;&lt;/A&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/H2&gt;
&lt;H2&gt;&lt;STRONG&gt;&lt;FONT face=Verdana size=2&gt;&lt;SPAN&gt;Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;BR&gt;&lt;FONT face=Verdana color=#333333 size=2&gt;&lt;SPAN&gt;&lt;A title=blocked::http://www.microsoft.com/technet/security/Bulletin/ms06-014.mspx href="http://www.microsoft.com/technet/security/Bulletin/ms06-014.mspx"&gt;http://www.microsoft.com/technet/security/Bulletin/ms06-014.mspx&lt;/A&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/H2&gt;
&lt;H2&gt;&lt;B&gt;&lt;FONT face=Verdana size=2&gt;&lt;SPAN&gt;Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/B&gt;&lt;BR&gt;&lt;FONT face=Verdana size=2&gt;&lt;SPAN&gt;&lt;A title=blocked::http://www.microsoft.com/technet/security/Bulletin/ms06-015.mspx href="http://www.microsoft.com/technet/security/Bulletin/ms06-015.mspx"&gt;&lt;FONT color=#0000ff&gt;http://www.microsoft.com/technet/security/Bulletin/ms06-015.mspx&lt;/FONT&gt;&lt;/A&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/H2&gt;
&lt;P class=MsoNormal&gt;&lt;B&gt;&lt;FONT face=Verdana color=#333333 size=2&gt;&lt;SPAN&gt;Important Bulletins:&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/B&gt;&lt;/P&gt;
&lt;H2&gt;&lt;B&gt;&lt;FONT face=Verdana size=2&gt;&lt;SPAN&gt;Cumulative Security Update for Outlook Express (911567)&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/B&gt;&lt;BR&gt;&lt;FONT face=Verdana size=2&gt;&lt;SPAN&gt;&lt;A title=blocked::http://www.microsoft.com/technet/security/Bulletin/ms06-016.mspx href="http://www.microsoft.com/technet/security/Bulletin/ms06-016.mspx"&gt;&lt;FONT color=#0000ff&gt;http://www.microsoft.com/technet/security/Bulletin/ms06-016.mspx&lt;/FONT&gt;&lt;/A&gt;&lt;FONT color=#0000ff&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/H2&gt;
&lt;P class=MsoNormal&gt;&lt;FONT face=Verdana color=#333333 size=2&gt;&lt;SPAN&gt;Moderate Bulletins:&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal&gt;&lt;STRONG&gt;&lt;FONT face=Verdana size=2&gt;&lt;SPAN&gt;Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting (917627)&lt;/SPAN&gt;&lt;/FONT&gt;&lt;FONT face=Verdana color=#0000ff size=2&gt;&lt;SPAN&gt;&lt;A title=blocked::http://www.microsoft.com/technet/security/Bulletin/ms06-017.mspx href="http://www.microsoft.com/technet/security/Bulletin/ms06-017.mspx"&gt;http://www.microsoft.com/technet/security/Bulletin/ms06-017.mspx&lt;/A&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=90632" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/default.aspx">Vulnerabilities, viruses and exploits</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/General+stuff/default.aspx">General stuff</category></item><item><title>Ahhhh, now they know....</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/04/09/89951.aspx</link><pubDate>Sun, 09 Apr 2006 08:50:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:89951</guid><dc:creator>sandi</dc:creator><slash:comments>2</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=89951</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/04/09/89951.aspx#comments</comments><description>&lt;P&gt;I've received an alert that&amp;nbsp;Patchou's posse know about my blog entries&amp;nbsp;about Patchou's new Sponsor Program:&lt;BR&gt;&lt;A href="http://www.msghelp.net/showthread.php?tid=58047"&gt;&lt;STRONG&gt;&lt;FONT 
color=#0000ff&gt;http://www.msghelp.net/showthread.php?tid=58047&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;This will be interesting&amp;nbsp;- I wonder if the apologists will make it past the "but its optional" excuse and start to consider what the Sponsor Program exposes users to.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Edit: 5.58pm 9 April 2006 (+0800).&amp;nbsp; The thread at msghelp.net linked to above has been locked, and the Sponsor Program is not installing.&amp;nbsp; Just tested on several systems using an installer downloaded on Saturday.&amp;nbsp; Saying yes to the Sponsor is not installing the Sponsor Program.. no shortcuts on the desktop... no pop-ups. &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Uninstalling offers an option to remove the Sponsor.&amp;nbsp; Requesting removal of the Sponsor does NOT trigger the well-known dialogue box asking that we enter a series of letters/numbers to prove we're human.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;I'm not the only person to see that the Sponsor is suddenly not installing - check page 2 of the above thread (before it disappears completely).&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Coincidence? I'll let you decide.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;All in all this is a good few days work if the sudden disappearance of the Sponsor means that no further victims will be exposed to the malware I and others have reported.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Haven't seen the report on Patchou's new Sponsor Program? Start here:&lt;BR&gt;&lt;a href="http://msmvps.com/blogs/spywaresucks/archive/2006/04/07/89691.aspx"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://msmvps.com/blogs/spywaresucks/archive/2006/04/07/89691.aspx&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Or, jump straight to the nitty gritty about the Sponsor:&lt;BR&gt;&lt;a href="http://msmvps.com/blogs/spywaresucks/archive/2006/04/07/89692.aspx"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://msmvps.com/blogs/spywaresucks/archive/2006/04/07/89692.aspx&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Grab the popcorn gang - it's a fascinating study in:&lt;BR&gt;&lt;A href="http://redwing.hutman.net/~mreed/warriorshtm/swarm.htm"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://redwing.hutman.net/~mreed/warriorshtm/swarm.htm&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Keep an eye on Blog comments; I'll be letting any/all comments through unless the language is so strong that it's unacceptable to a general audience.&lt;/P&gt;
&lt;P&gt;BTW, in case you're wondering how effective the "optional" excuse is, you should check out the documents that are being made public regarding the &lt;A href="http://www.benedelman.org/spyware/nyag-dr/"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;Direct Revenue lawsuit&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;.&amp;nbsp; Some of the malware tactics that users are exposed to via the Messenger Plus Sponsor as detailed in my blog are also used by Direct Revenue (cite: Affirmation of Justin Brookman; The People of the State of New York v DirectRevenue, LLC and Joshua Abram, Alan Murray, Daniel Kaufman and Rodney Hook, individually; Supreme Court of the State of New York).&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=89951" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/default.aspx">Vulnerabilities, viruses and exploits</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/General+stuff/default.aspx">General stuff</category></item><item><title>Dale Begg-Smith: The pressure is still on</title><link>http://msmvps.com/blogs/spywaresucks/archive/2006/03/07/85679.aspx</link><pubDate>Tue, 07 Mar 2006 22:33:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:85679</guid><dc:creator>sandi</dc:creator><slash:comments>0</slash:comments><wfw:comment xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/spywaresucks/commentapi.aspx?PostID=85679</wfw:comment><comments>http://msmvps.com/blogs/spywaresucks/archive/2006/03/07/85679.aspx#comments</comments><description>&lt;P&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;&lt;U&gt;&lt;A 
href="http://blogs.zdnet.com/Spyware/wp-trackback.php?p=786"&gt;http://blogs.zdnet.com/Spyware/wp-trackback.php?p=786&lt;/A&gt;&lt;/U&gt;&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT color=#000000&gt;My previous Blog post is here:&lt;BR&gt;&lt;a href="http://msmvps.com/blogs/spywaresucks/archive/2006/02/20/84260.aspx"&gt;&lt;STRONG&gt;&lt;FONT color=#0000ff&gt;http://msmvps.com/blogs/spywaresucks/archive/2006/02/20/84260.aspx&lt;/FONT&gt;&lt;/STRONG&gt;&lt;/A&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;I'm pleased the pressure is still on.&amp;nbsp; I suspect Dale thinks that eventually the attention will all go away.&amp;nbsp; The anti-spyware fights are just a tad more persistent than that...&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=85679" width="1" height="1"&gt;</description><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Security_2C00_+safety+and+privacy+on+the+Internet/default.aspx">Security, safety and privacy on the Internet</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/Vulnerabilities_2C00_+viruses+and+exploits/default.aspx">Vulnerabilities, viruses and exploits</category><category domain="http://msmvps.com/blogs/spywaresucks/archive/tags/General+stuff/default.aspx">General stuff</category></item></channel></rss>