Analysis of Spyware
scubacuda writes "What actually happens when you install adware/spyware/malware? Follow the Bouncing Malware examines what's downloaded, redirected, and obfuscated. A fascinating read. (Part two was postponed in order to cover a new My Doom variant.)"
> And that's where I'm going to end it for today. In the next part, I'll take a look at what happens as this chain of malware continues on its merry way, and I'll also investigate what happens when I fire up IE the next time and visit my new home page.
Personally, I think you should examine ways to get even. Even-Stevens.
Up until this point, I've seen lots of anti-spyware put out that blocks spyware and protects your system from unjustified Reg entries etc., but it generally stops there. It's a shield when what we need is a shield and a sword.
Covenants, without the sword, are but words, and of no strength to secure a man at all -Hobbes
What I would like to see is anti-malware that bites back, hard.
We had this site going a while back that was going to test anti-trolling methods, like by taking a troll user and stuffing them in their own world. All their posts would be modded up and their view of the site was totally different than the users who were not trolls. Of course in tests it was easy enough for them to spoof their IP to get past this, but many of them didn't realize how to do it.
But for malware sites, what if we came up with a solution that would detect it and let it believe it was working, but generated the data needed to put these goofs in jail. I think the SETI distributed computing model could be slightly altered to work to this end.
Then we could get Even-Stevens.
The dangers of knowledge trigger emotional distress in human beings.
I've heard that MyDoom 3 has just been released too... a much darker, scarier variant which seems to have originated on Mars
What actually happens when you install adware/spyware/malware?
I'm not sure. Let me ask BonziBUDDY...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Nah, i feel more like
Mua ha ha ha ha ha ha ha! Inferior beings! I run an antiquated version of SPARC solaris, and NOTHING is compatible with SPARC solaris! Not even spyware!
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
I have been an IE devotee since v4.x came out. I have recently moved over to Firefox in order to stop me having to keep up with all the security problems I started to experience only in the last couple of months.
Seriously, how hard can it be for MS to write an application as straightforward, yet secure, as Firefox?
I downloaded Service Pack 2 release candidate and noted a lot of security improvements and features, but in agreement with MS, who today released the full Service Pack 2, it seems to mainly add 'bars and locks' to your 'doors and windows'. Whereas Firefox seems to be a better neighborhood to live in from the start.
I wonder if someone can whip up a honeypot that'll reverse-engineer some of the malware out there, munge all the URLS down and give proof that someone is doing this on purpose.
Then maybe the state DA's will jump in and make a lesson of a malware producer or two. That is, if they are local. IF not, LART until their router is unplugged.
This 'ware business is seriously getting out of hand and MUST be dealt with, one way or another. IF we have to force these jokers to go overseas, fine, then we'll do so and isolate their domains at root DNS.
First rule of holes; When in one, stop digging.
Usually, I'm skeptical about "Freeware", but Mozilla's Firefox has been a glorious exception. Not only is it faster, more intuitive, and easier to use than IE, it is also MORE SECURE. Unlike IE, Firefox does not allow ActiveX and VBScripts to run - and this is a blessing.
Please consider giving it a try.
Happy surfing.
I've found that all the spyware can be kept down to basically zero if you do what I do (even for Windows users). I use Firefox and not IE (it's interesting to look at how many hits ad-aware gets for tracking cookies etc. with IE)... And speaking of ad-aware, I run it regularly. Honestly, spyware statistics would go way way down if people ran an anti-spyware program now and then. I find in my experience, when you run it for the first time and get 500 - 1500 "objects" found, it wakes the user up as to what sort of crap is on there, and after that they seem to be pretty good about running it themselves.
Join the Empire! http://www.empirereborn.net/
How about the bastards who make browser hijackers? Removing CoolWebSearch's affiliates wastes so much goddamn time at my office, it's literally taking nearly three hours a week.
And don't deny it - their affiliates DDoSed SpywareInfo because it told people how to remove their bastardly malware and provided CWShredder.
I say we go after them, drain their coffers dry, and donate the funds to the Mozilla Foundation or something.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
Look, I have worked on systems that have had hundreds of infections, from viruses and spyware. I routinely subject a drive from a machine with spyware to the same checks and controls I do with viruses. I start by removing the victim drive and putting it in a secondary control system. Only then can I properly remove the hooks installed to prevent you from really removing things.
I've seen everything from DLL hooks to putting itself into the system restore file or hidden OEM restore partitions. This way windows itself will *fix* your removal. I've seen where they try to emulate legitimate hotpacks and patches. It's pretty simple really, if a program installs surreptitiously, disguises itself, and takes steps to prevent its removal - then it is a virus.
Funny thing is that a lot of people just don't care. I remember that visual plugin for Winamp: Wild Tangent Valentine Dancer. It turned out to be spyware (and so did the rest of Wild Tangent's plugins and apps) but a lot of people just wanted to see a girl dancing on their screen. They just don't care. Not aware of the results of a spyware infested computer and blinded by some digital hottie. The result is over 3,707,559 downloads.
- Save a tree, eat more woodpeckers
I realize that Firefox and Mozilla get all the glory here on /. due to them being OSS but the bottom line in all of this is just that IE is the one to blame.
I've been using Opera since v5.x and have never looked back. Lately I've seen a lot of improvement in Firefox but they are still playing catchup with Opera.
For whatever reason Opera only seems to get a nod here when it should be getting a lot more, but c'est la vie. I personally will continue to support Opera until they sell out or whatever, but I hope that they, and everyone else, realize that having a marketplace full of a few, maybe even many different browsers will only help everyone in the long run.
Currently I am installing Firefox for people who just need to use anything but IE; mostly end users. For a power user however Opera is the way to go.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
You know that your C compiler might well be infected to compile some spyware and backdoors into itself and applications it compiles?
First, get HijackThis. If you're not very familiar with windows internals, run it on a couple clean systems to get a feel for what should be there.
If it isn't being blocked by some really nasty spyware, AdAware or one of those is a good first step to remove the easy stuff before you tackle the hard stuff.
Now, run HijackThis on the infected computer. It will take some practice to learn what is bad and what isn't, but some things will be obvious. In the case of TVM, there will be a startup item (O4 iirc) for tvm.exe, a URLSearchHook for tvmbho.dll, and a bunch of BHO entries for randomly named 'ms????.dll', and possibly a few more dlls in the system32 directory. (I haven't personally ever seen a valid BHO entry, but YMMV.) The important thing to do here is to make a list of files to delete in the next step. At this point you can check the suspicious entries and click 'fix', then re-scan the computer and see how many of them come back. In the case of TVM, several of them will, most notably the tvm.exe startup item. Killing tvm.exe won't help with this, either.
Now, on to removing hard files. In this case, tvm.exe is hard because it loads with explorer so it's always 'in use'. A couple of the ms????.dll files are hard because they are in use and/or get replaced on reboot by tvm.exe if they're gone. There are three methods to remove these.
First, safe mode. This is easy, albeit time consuming waiting for reboots, but doesn't work for all files. (In TVM's case, it works.) Just reboot into safe mode and delete each file on your list, then use HijackThis to remove the registry entries.
Second method. Faster if you're a decent typist, works for files (like tvm.exe) that hide their process inside explorer.exe so you can't kill them. Open a command prompt and task manager. Use task manager to kill any visible tvm.exe (or whatever) tasks, then kill explorer.exe. Your shell goes away. Use the command prompt to delete the files, then run HijackThis and remove the registry entries. (You can re-run explorer from the prompt when you're done.)
Third method. Slow, complicated, but works for files that can't be deleted by either of the other two methods. This method also works remotely through most desktop-sharing type connections, unlike the other two. Once you've figured out where the files are being launched from (HKLM\Software\Microsoft\Windows\CurrentVersion\Run in TVM's case), open regedit and go to that key. (NOTE: If you're using Windows 2000, you'll need to use regedt32 instead of regedit, but the rest of the process is similar.) Click on the key (the entire folder, not the individual entry) and choose Permissions from the File menu (or right-click menu in XP). Now you need to deny access to Everyone for that key. If you're not familiar with permissions, the exact steps are to click 'Add', type 'Everyone' as the name, hit 'OK', hit 'Advanced', highlight the 'Everyone' entry and hit 'Edit', then check the 'Deny' column next to 'Full Control', then OK out. Reboot. The files won't load (and neither will any of the other startup items in that registry key), so you can delete them and run HijackThis freely. When you're done, run the registry editor again, and in the permissions window for the key in question just click on your 'Everyone' entry and click 'Remove', then reboot one more time.
Hope that helps, and good luck.
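A small triage script for the HijackThis indicators the post above describes (the O4 tvm.exe startup item, the R3 URLSearchHook for tvmbho.dll, unnamed O2 BHOs pointing at 'ms????.dll' in system32), added here as an example and not code from the original post or from HijackThis. The sample log lines are constructed in HijackThis's general "Oxx - ..." layout; the CLSIDs, the dll names and the "ms plus four characters" heuristic are assumptions for illustration, and the output is the "list of files to delete" the post says to build before the removal step.

```python
import re

# Constructed sample in HijackThis's general layout (not a log from the post);
# the CLSIDs and the msXXXX.dll file names are made up for illustration.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {0000AAAA-1111-2222-3333-444455556666} - C:\WINDOWS\system32\tvmbho.dll
O2 - BHO: (no name) - {1111BBBB-2222-3333-4444-555566667777} - C:\WINDOWS\system32\msqxzt.dll
O2 - BHO: (no name) - {2222CCCC-3333-4444-5555-666677778888} - C:\WINDOWS\system32\mskjrw.dll
O2 - BHO: Adobe PDF Reader Link Helper - {3333DDDD-4444-5555-6666-777788889999} - C:\Program Files\Adobe\AcroIEHelper.dll
O4 - HKLM\..\Run: [tvm] C:\WINDOWS\system32\tvm.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# O2 (BHO) and R3 (URLSearchHook) lines: "<section>: <name> - {CLSID} - <path>"
HOOK_RE = re.compile(r"^(O2 - BHO|R3 - URLSearchHook): (.*) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# O4 (startup) lines: "O4 - HKLM\..\Run: [<entry>] <command>"
RUN_RE = re.compile(r"^O4 - (HK[A-Z]+\\\.\.\\Run\w*): \[([^\]]*)\] (.+)$")
# Assumed shape of the post's 'ms????.dll': "ms" + 4 random characters, in system32
MS_DLL_RE = re.compile(r"\\system32\\ms[a-z0-9]{4}\.dll$", re.IGNORECASE)


def triage(log_text):
    """Return (section, path, reason) for each line matching the post's TVM indicators."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            section, name, _clsid, path = m.groups()
            reasons = []
            if section.startswith("R3"):
                reasons.append("URLSearchHook entry (tvmbho.dll in the post's case)")
            if name == "(no name)":
                reasons.append("hook registered without a name")
            if MS_DLL_RE.search(path):
                reasons.append("randomly named ms????.dll in system32")
            if reasons:
                findings.append((section, path, "; ".join(reasons)))
            continue
        m = RUN_RE.match(line)
        if m:
            key, entry, command = m.groups()
            if command.split()[0].lower().endswith("tvm.exe"):
                findings.append(("O4 " + key, command, "startup item [%s] launches tvm.exe" % entry))
    return findings


def files_to_delete(findings):
    """The post's 'list of files to delete': unique full paths, in log order."""
    paths = []
    for _section, path, _reason in findings:
        if path not in paths:
            paths.append(path)
    return paths
```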