Slashdot Mirror
Failing Grades For Most Anti-Spyware Tools
serbach writes "Steve Gibson posted this link to a superb test of about two dozen top Anti-Spyware programs: Eric L. Howes conducted the test over a two-week period in October. The results surprised me: only 3 ASW programs had a 'batting average' of better than .500 when it came to eradicating the broad range of spyware in the test. Freeware star Spybot Search & Destroy came in a distant 7th with an average of only .376. The top three? Giant Anti-Spyware, Spy Sweeper, and Ad-Aware. These test results are well worth your time."
Ars-technica also just did a review. Check it out.
o va l.ars
http://arstechnica.com/reviews/apps/spyware-rem
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;
I've been using a few different anti spyware tools in parallel because it seems as if there isn't a single tool that can reliable remove all spyware.
Free Firefox news reader.
The attitude to directed advertising programs or "spyware" on Slashdot. Especially when you step outside the parochial echochamber that is Slashdot discourse and speak to people who actually use these programs. On the whole, they are actually happy to get these novelties for "free", like the funny little desktop buddy, or the search bar, weather report or stopwatch.
I used to work for one of the companies that distributed a "spyware" program through download.com, and we had continual PR problems with being lumped in with the worst offenders of the spyware world. We didn't do drive by installations, or hide our intentions: we just traded our customers data for use of our program. What, exactly is wrong with that? Why is Slashdot pretending all of us are as bad as each other, as if in this, as with all fields, there isn't a spectrum of behaviour?? Even some linux users are bad, just look at the DDOS at sco.com. I'm sure noone here would condone that behaviour.
(Posted anonymously, not interested in karma bonus.)
I gonna get firefox and ad-aware asap. I also want to get screwed! No more than 2 weeks right?
I wonder what it is like...
Well Spybot may not do great, but it certainly does enough to clean up a persons PC so it works again without crashing every 5 minute.
My reccomendation is firefox or mozilla or even opera if you prefer it.
I do however note that if you take a clean system and then visit msn.com, then run spybot etc you will find that there are little evils that appear on your system.
It now appears that the best option is to wave goodbye to MS if you can. Pick a nice linux distro (eg Ubuntu or whatever suits you) or even MacOS X and feel that little bit safer.
...though I would have liked to see how the pre-emptive SpywareBlaster changed the results...
I've always found a combination of Ad-Aware and HijackThis do an excellent job of keeping all things spyware under control. Ad-Aware for more frequent scans, and the odd hit of HijackThis when things seem screwy. Admittedly, I don't know how much spyware I actually miss but it seems to keep XP happy for most part :)
What's your secret? I have Ad-aware, Spybot, SpywareGuard, Spyware Blaster, Zone Alarm on my main PC. I use Firefox. I hardly ever (to be honest) visit pr0n sites. I hardly ever do any P2P stuff. And occassionaly, I DO still find the odd malware on my PC.
Never is a loooong time. Even Sean Connery learned Never to Say Never Again.
I've seen spyware targeted at firefox and java applets that would want me to install something I was not curious enough to see. Fortunately, I was always asked if I want to install (security mechanism in Java and Firefox). I think grandpa' will click ok on those boxes, without reading them first.
I'll do the stupid thing first and then you shy people follow...
you never know where your internet connected peecee might be sending it's bytes.
hmmm why is that activity LED blinkin?
Now I'm the grandest Tiger in the Jungle!
This isn't a standard issue MS bashing troll but you do have to question whether given the ease at which programs (which is what spyware is) can install themselves on someone elses computer with little or no user intervention , Windows is fit to be allowed on the internet. If all windows systems were taken offline then almost all viruses and the like would disappear almost immediately along with spambots and other unpleasent creations of the black hat fraternity. I'm not pretending this is feasible but you have to wonder what the net would be like if only relatively secure OS's were allowed to use it.
If you can limp yourself to download it, I've found Ad-Aware does an outstanding job in most cases. But you must have the new (free) version to do any good, The rate of evolution of these beasts are high, and they apparently came up with a new engine for Ad-Aware SE, that I've seen fund hundreds of objects that Ad-Aware 6, a moment before with current updates, had missed.
Makes most machines usable again, and quickly.
http://WeedTracks.com/ - 80,000 Weed files, Legal, Sharable Digital Distribution
These test results are well worth your time.
No they are not. I already burned all Windows CDs in the fire. You wan't believe how much time I gained by doing this!
There you are, staring at me again.
I dont use any, and have no problems.
That's kind of the point. If spyware broke your computer immediately, you'd know it's there and would be able to remove it.
If you've never checked for spyware, it might be on your system.
You can declare that you know you don't have a disease because you were never tested for it.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
What's wrong with the general public is they don't give a damn about computer security. Nor should they have to -- a computer is supposed to be a generic consumer product, usable by anyone.
Unfortunately that's a long way from the truth. But I think you should blame the engineers and computer scientists, not the end users.
That's what SpywareInfo's for.
http://www.spywareinfo.com
It's arguable that they're the biggest antispyware site out there, and if nothing else, they can get the CoolWebSearch strains that even Ad-Aware and Spybot can't get (real-yellow-pages, linklist, et cetera).
(Disclaimer: I'm a Trusted Advisor there.)
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
What's your secret?
He has no secrets. I am currently logging in to his machine, if you call Windws 98 a machine. he can either pay me for real spy removal tools or I email his files to his mother.
Love,
Mr. Hacker
I don't have spyware cuz I check processes for new things that pop up (XP Pro). I've had malware before and I reformat ASAP. Now, one nifty line of defense I use is a freeware program called Startup Monitor. http://www.mlin.net/StartupMonitor.shtml
I don't have spyware cuz I check processes for new things that pop up (XP Pro).
What about programs that appropriate the names of legitimate windows processes? Or ones that take advantage of the shortcomings in the font used in the task manager to look like a legitimate process?
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
This is a very good solution :
http://www.freedownloads.nl/hitman_pro.htm
It's dutch and it runs Ad-aware, Spysweeper , Spybot S&D, Stinger, Spywareblaster , ect...automaticly....
A decent browser, good av software and a patched os will protect you from most things but the reality is that most people will click on the okay button of the "Can I please install malware on your computer" dialogue box! Users are exposed to so many dialogue boxes during the day for puerile reasons, they become conditioned to mindlessly clicking on things to get to their destination. So that when one pops up for a decent reason, they click on the damn thing anyway. Non-techies out there have no idea of cyber-hygiene, which in todays environment is the equivalent of not using a condom while you bang crack ho's while mainlining H from a shared needle (almost)!
Ah! Then try Security Taskmanager instead of that crappy windows taskmanager. Sorry, it's not free, but has a trial period. http://www.snapfiles.com/get/securitytask.html Also, StartupManager (the free one that I can't recommend highly enough, see grandparent) catches stuff that tries to run at startup which is at least a valuable tipoff that something is wrong.
The anti-spyware game is a real case of horses for courses - one tool will detect some spyware and miss others, while another will find all the bits the other missed, but miss off a couple it didn't. There really is no 'definitive' spyware removal tool and it's foolish to say there is. I advise people to run both Ad-Aware and Spybot with latest updates at least once a week to ensure almost all spyware is found and removed, as I've had too many instances of one of the two missing out five or six items on every sweep that the other one found straight away.
.dll that a program the user makes use of hooks into, the program may stop working, and who would get blamed? the anti-spyware vendor. Hey presto, Spybot looks like pure evil because they just killed off Joe User's cool new P2P app because keylog32.dll got wiped. This happened a lot when Kazaa was big - naive users getting told by techy types to run Spybot every now and then to clear spyware ended up bitching because it nuked the spyware that Kazaa checked for before starting up. They didn't seem to care about privacy when protecting it stopped them getting their MP3s and porn.
.exes, they will visit dodgy sites and they will do all manner of things because they believe they are safe. They don't understand that spyware blockers only work against known types of spyware, not all spyware in total. Naive users seem to think it's an agreement between spyware vendors and anti-spyware companies when it is, to all intents and purposes, an arms race which the anti-spyware groups will always in second place.
/. are now serving ads to the Microsoft 'Get the Facts' campaign? Is this Slashdot putting one over on Microsoft by taking the money they throw at them when they know no-one here will believe it, or have they reached a new low, actually showing not just Microsoft ads, but ones that feature blatant FUD against FOSS?
You could probably get even better performance by running more than those two, but I'm not going to harrass my clients to start running half a dozen programs just to remove spyware and it's a pretty rare thing to come across a piece of spyware, even a humble cookie, that both of those two miss. Anyway, my point is this; You can't just run Ad-Aware or Spybot and think you're protected. Until an anti-spyware tool has a 100% record against all known spyware, I won't consider them anything near a definitive tool, or a licence to behave recklessly on the net, something which too many naive people seem to do.
The problem with anti-spyware tools is three-fold;
a) They are made by private companies and individuals who's credentials and/or decency cannot be guaranteed. They could easily take kickbacks from spyware companies in exchange for 'excluding' their programs from the scan list. Sure, it might not be happening now, but what's to stop Lavasoft suddenly to start taking kickbacks to let the less insiduous spyware through? Unless you're on the inside of a company like that, you can never be sure. I'm sure Lavasoft aren't doing anything like that, as these results prove, I'm merely using them as an example - any anti-spyware app people trust is in an immensely powerful position on the user's computer, and any money-seeking company can theoretically be bought out.
c) When they remove a spyware
c) People do, as I mentioned above, use them as an excuse to behave recklessly on the internet - they will install random
Anyway, what was my point again? Oh yes, that these statistics are misleading for naive users. Ad-Aware and the others are now going to start shouting from the rooftops about how they're one of the top 3 anti-spyware apps on the market, and thousands of lusers will trust themselves to it implicitly solely because of that blurb, while the reality is Ad-Aware still misses stuff, and it is more than fallible. That 'lowly' Spybot has turned up half a dozen items Ad-Aware failed to find at least three times for me, but I wouldn't run that on it's own either - Everybodyb knows it's a good idea to get a second opinion, especially when it's free.
Also, does anybody else find it funny that
Dealing with lawyers would be a lot less tedious if they all looked like Casey Novak.
The reasons seem to be simple;
Yet, the test results show that the spyware detectors aren't in the arms race against spyware that I described above. Instead, many spyware revisions aren't detected at all. Either they don't know about the spyware revisions, the spyware is not being tested for, or the spyware is being ignored on purpose.
Right now, the bar that the spyware creators have to leap is very low. Both social engineering and direct injection onto systems make spreading these things fairly easy to do for the spyware maker. Tie that in with many spyware detectors not detecting completely, and not being used consistantly, and I don't see an end to this problem soon for most people.
What to do? I'll leave that to others for now. I have my own lists. It is a security issue so the systems should be considered to be on hostile networks and hostile users. I consider 2 hours to lock down a Windows XP system to be a reasonable minimum amount of time to spend on each system -- unless automation tools are used.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
User stupidity is still the number one security problem.
I run a small IT consultancy, and nearly every internet connected PC we work on has a significant spyware infection on it. It's not only our job to remove it, but to prevent it coming back. The things that I've noticed after fixing a lot of problems:
This won't stop everything by any means, but it slows down reinfection. End users need to change habits - reading EULA, not just clicking OK, using passwords - but this isn't something you can do with a couple of hours work, so people aren't willing to do it. I have no solution to that problem.
Seriously guys, none of these spyware removers are even remotely perfect and they all suck time and CPU cycles. I disavow any knowledge of this guy, Mike Lin, but his itty-bitty FREEWARE program kicks butt.http://www.mlin.net/StartupMonitor.shtml It does one tiny little thing with almost zero overhead, it tells you what wants to insinuate itself into one of the several startup vectors of Windows. And gives you the option of not allowing it. Any spyware must have some part that runs at startup. This gives you a warning and a filename for googling to remove whatever you have contracted. Probably works for many worms, viruses, and trojans too.
A car is a generic end-user product as well. But if the engine catches on fire because the owner hasn't changed the oil in 12 months, despite the car manual prescribing a change every 5,000, documentation from the dealer saying the same, and red blinking light in the dashboard, no one blames the engineers. The exact same thing is true of sypware and viruses - it is a well known problem, the user's companies and ISPs tell them not to open the attachments, Windows XP even issues a warning prompt, but they do it anyway.
You can engineer many problems, but you can never engineer away human idiocy. There will always be some idiot who will find a way to kill themselves with a pair of dull safety scissors.
No, friend, you really don't.
The point is not that we technically proficient people can deal with SpyWare but rather that the 99% of computer users who are not technically adept can use their computers, the internet and their email without having to fight a constant battle with unwanted intrusion.
What other mass-produced, home appliance can you think of that requires a deep understanding of its inner workings? We, as the technicians, should be hanging our heads in shame that we have failed, in over 20 years of trying, to devise a machine and an interface and a secure environment that allows the end-user to enjoy the internet or office suite or any other application with such carefree abandon as they do their TV or Dishwasher or Microwave.
Sure people need to be careful, just as they do when driving or using a blender, but surely it is not beyond the wit of man to hide the complexity of the system. Surely a better use of our time and effort, rather than trying to play catch-up with 'the man' is to start finding common ground upon which we can progress best practices... Let the Corporations then compete on price and feature-sets from that good and solid foundation rather than firing off in their own directions with their own agendas and muddying the already dirty waters.
We have a lot of work to do, I'm afraid.
quidquid latine dictum sit altum viditur
Yes it does. Since the applet only runs within the context of a given page makes it spyware unfriendly. Spyware generally sits in the backround gathering information on what you do. Since applets are limited to one page this eliminates spyware possiblities. An applet can only communicate with the server it originated from also. (Unless you click those grant permission things) This also makes it difficult send information to spyware hq. Generally applets have little if any information about the page they reside on.
Folks, you should check out this Sun Java Plugin Arbitrary Package Access Vulnerability
HOwever , these programs could do anything which is the worrying part. 99% of them may just be Gary Grocer trying to make some extra money
I think you're underplaying the seriousness of Gary Grocer's nefarious activities. After all, he's an internationally-wanted credit card fraudster who is also notorious for using zombified PCs to send spam.... that's how he makes his "extra money". (Note: There is a reward for the capture of him and his money-laundering associate, Freddy Firefighter).
"These people are scum, " says Florida's Head of Anti-Fraud Investigations, Calvin Criminal.
"Damn right, " adds his colleague, Alvin Arsonist.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
Until engineers and computer scientists can make computers idiot proof, I don't see why we should consider computers a 'generic consumer product'. You need a license to drive a car, since the car is by no stretch of the imagination idiot proof. If you try driving a car in traffic without any sort of training you'll most likely end up hurting yourself and others.
Similarily, using a computer with a broadband connection to the Internet without at least some idea of how to make the computer secure (i.e. antivirus software/firewall) will most likely result in a computer infected with trojans and spyware, causing problems for the owner. What's worse, his computer will probably infect other computers as well.
Sometimes the concept of an "Internet license" similar to the driver's license actually seems like a good idea. A driver's license doesn't stop car accidents from happening, but a least you're keeping some of the worst morons off the road.
I can concur with the grandparent. I have a windows box running xp, and use firefox and thunderbird. It lives behind NAT from my linux box, and I never see any spyware/malware crap.
I just ran Ad-Aware for the first time in a while (it told me my definition file was 109 days old), and it prompted me to go download an upgrade. Ironicly, it launched IE for this (firefox is definately set as default). Once it finished updating and running a full scan, it found 4 whole 'bad' things, which in this case were IE tracking cookies (doubleclick.net, etc). 2 of those 4 had a creation date of today, meaning they were picked up in the process of downloading that adaware update...
While we should be grateful for the work done by the reviewer, I cannot but notice that the results are hard to find out.
I, for one, would like to see some conclusion or recommendation or rating (Anti-Spyware A - goog; Anti-Spyware B - shit; Anti-Spyware C - excellent).
I know the article focuses on falling efficiency, but still, it's a bit overwhelming to go over those huge tables.
About half the time a user removes spyware from a PC that is running really sluggish, I've found that it the spyware removal utilities does NOT repair the winsock registry keys. Thus, you can't even get TCP/IP connectivity. You will know it's broken if you get an IP of 0.0.0.0 or will fail instantly to repair the LAN connection in XP and just get a 169.x.x.x address.
; en-us;811259
If you do plan on removing a heavly invested PC, be sure you know how to fix repair winsock.
If the customer is running XP with SP2, then you can run the "netsh winsock reset catalog" command (without quotes) to repair the connection and reset the winsock settings back to defaults. However, if the PC does not have SP2 installed, you will have to check out this link http://support.microsoft.com/default.aspx?scid=kb
For Win9x users, check out this link http://support.wadsnet.com/winsock/winsock98.asp
Life is not for the lazy.
Seems to be more and more firefox is leaning towards the 'Weve blocked this, click here to find out why' approach, would be nice if this was extended to all areas including dangerous java programs/etc.
I'm surprised that they don't mention this piece of s**t. But since I haven't yet seen a program that can remove the latest version, I'm not surprised. This insidious piece of work actually installs a device driver which continuously monitors its files and prevents deletes etc.
Even starting in so-called 'safe mode' won't stop it. You have to boot with a CD and erase it manually.
The people who wrote it are 3721. something, and a link to it even appears on the default Chinese search page. In theory it just allows for Chinese name searches, but in reality does much more.
You have been warned - please don't visit the site.
The general public is composed of people who literally can't tell the difference between Adobe Photoshop and Adobe Acrobat Reader, or Mozilla Firefox and Mozilla Thunderbird. This is no hyperbole, I know many people with this problem and I'm sure you've met some yourself. They'll call and say, "I'm having a problem with my Adobe." Or ask you repeatedly which application you're in right now when you're both looking at the screen, even though the applications present completely different interfaces. The person usually will have been using the applications in question for months or years, and still can't tell them apart without thinking about it really hard.
Is it simple ignorance? No, that could be easily corrected. Is it sheer stupidity? No, these people are otherwise of average intelligence or better. It's some kind of weird mental blindness that comes over people whenever they are faced with a computer screen. It's conditional stupidity, and it's one of the main problems with the general public. Most of them will never learn to be careful until you hook up a car battery to their earlobes that gives them a physical notice whenever they do something stupid. Otherwise they just don't seem to be equipped mentally to grasp the concepts involved in using a computer responsibly. The software industry hasn't exactly been helping matters, but they have a monumental task ahead of them. I think computers are just too abstract for a lot of homo sapiens sapiens to deal with.
The secret is to turn JavaScript OFF.
"Moreover, users should learn to practice safe computing habits, which include avoiding web sites and programs of unknown or dubious provenance and carefully reading End User License Agreements and Privacy Policies."
Am I the only one who doubts that will come true any time soon, we all know how to click on a button as a reflex action, reading a lengthy EULA full of lawyerspeek... that's a headache.
I've said this before, but here goes again: what's "wrong" with non-nerds is that they're used to the Real-World "security model". The real world doesn't work like computers do.
In the real world, you don't have to have an absolutely-unbreakable titanium-plated vault door to your house, nor bullet proof windows. If anyone wanted to hack your front door down, it's worth a maximum 5 minutes with an axe.
Real world locks also aren't supposed to be unbreakable. Au contraire. By computer security standards, they're a catastrophe. Most allow 1-pin-at-a-time attacks, which in computer security is the worst anti-pattern. Locks with master keys allow easy escalation of privileges too.
It's all documented vulnerabilities (or exploits) and they've been known for ages, and never fixed.
But they work IRL anyway. Yes, any kid could lockpick your front door, or hack it down, or just throw a brick through the window to get in. But people still use locks, doors and windows.
Why? Because the IRL (In Real Life) you don't live in a lawless no-man's-land where any kiddie with a lockpick is l33t and free to pick your lock. IRL your real defense isn't the lock, but the law.
The lock or the door just markers. They just say "you're not supposed to be past this point uninvited, and if we find you inside, we'll throw your sorry ass in state jail."
(If you're a die-hard gun fanatic, feel free to replace by "if I find you in, you'll get a gut full of buckshot." Same idea: there'll be repercursions. The door just marks the point beyond which the thief is not supposed to go, not _the_ deterrent itself.)
And people instinctively expect the same kind of rights and protection to apply to the online world too. "This is my computer, you're not supposed to be on it. Your playzone ends at the ISP, and this side is my private property."
Unrealistic expectation? Maybe. But it exists nevertheless.
Unreasonable expectation? Not at all.
A polar bear is a cartesian bear after a coordinate transform.
What's wrong with the general public is they don't give a damn about computer security. Nor should they have to -- a computer is supposed to be a generic consumer product, usable by anyone.
That would work if a computer had about the same features and abilities of a toaster.
Unfortunately, a computer is mixture of hardware and computer software that can do office tasks, multimedia, file sharing, communications, and gaming. The feature set is easy to upgrade and expand through software installations.
In addition, due to most computers being connected to the rest of the world, the cost benefits of spyware/viruses (creating spamming relays is big money) and the fact that trying to infect an individual computer is effectively free, the problem is apparent.
Any product with a ton of features and abilities requires user training. Its possible to easily design a car that doesn't require knowledge to drive -- as long as everyone will only go to the mall or the grocery store. But people use their autos for many destinations, over many different roads, and thus we require people to learn how to use cars.
A computer is no different.
Want to write documents? A typewriter works. Some of the electric ones were quite nice. Want to send text messages? SMS over mobile phones. Want to send documents? Fedex. Games? A console. Music? A radio.
Want to do all of the above, and more, with the ability to extend the features and easily upgrade for less cost? Okay. But it will require some training.
If you disconnect yourself from the internet, and lose that feature set, you will probably be secure. Even disconnected, not knowing what you are doing will have consequences. If you are lucky, the only consequence will be wasting your own time. If you are unlucky, you will be frustrated by fighting with the computer all the time to do what you want, how you want it.
Do you want to connect to the net? Congratulations, now you are exposed to the worst people in the world. Would you be cautious walking down a street in Romania with your credit cards in your wallet? Why aren't you cautious while you are online, making purchases, connected to the same network as a Romanian hacker?
I'm sorry, but we can't not create an idiot-proof box. We can't even make a box that requires zero knowledge to run. Our best bet is education.
I'm not a programmer, but yes it is my understanding that sandboxing only applies to running a Java applet in a web browser or something similar.
;)
Most Mac users aren't plagued by viruses, trojans or spyware simply because there isn't much of that stuff around for the Mac platform. This is for several reasons. One is that Macs still only represent about 5% of the computing world. Another is that Mac OS X has a better security structure and default security settings than the dominant OS. Another reason is that many Mac users are the type of people who simply don't put up with installing crap on their computer, and see no reason to install useless free junk. Mac users typically want to actually use the computer to get something done. It already looks pretty, why mess with that?
If your physics professors are the only people using their computers, they must not be staying on legitimate physics and news websites. Something must be out of the ordinary for them to be contracting spyware. To get spyware you have to download some software, either manually or through a bug in the browser. Your typical website catering to educators isn't going to allow that sort of automatically installing code on their website. These professors of yours must be straying off the reservation at some point, or getting it through email attachments, or quite possibly a worm.
Firefox could possibly help them if you start with a clean system, but if they are actually going out and downloading FREE ANIMATED MOUSE CURSORS!!! they will need some re-education on how to keep their computer safe. Mac + Firefox would be a vast improvement, but unless they were restricted from installing any software (yes, this can be done) they will eventually get themselves in trouble. For general web browsing it is definitely a much more secure environment, but only if you know not to do something stupid. Java is certainly more secure when using Firefox on either platform, since you aren't using the buggy MSJava implementation.
Don't stop at replacing IE with Firefox. Outlook/Outlook Express is just as bad. Apple Mail is very nice on the Mac, but Thunderbird also works, and of course is cross-platform. And none of this is going to be very effective on Windows if you don't have a solid firewall to go along with it, and anti-virus software. On the Mac, turn on the built-in firewall to increase the already decent security.
Even better would be to turn Web Developers off Java Script ;)
Linux is not Windows
You could simply buy an iBook and look at it as a peripheral for your cryo-cooled 1337-gamerboi PC.
You use the PC for playing "City of HalfEverDiabloCraft III" and for generating dubious overclocking benchmarks and storing your MP3's on your terrabyte RAID with the windowed 250gb SATA disks.
You use the Mac for web surfing, email and IM, to store critical documents you don't want eaten by Virii (making sure to back them up to CD-R every now and again) and generally Doing Usefull Stuff.
That way, your precious game time is uninterrupted by Microsoft's Keystone Kops approach to secuirty and monoculture attacks. Let's face it... you ain't never gonna be able to lock down your Windows box, no matter how much money and third party utilities you throw at the problem.
Alternatively, OpenBSD on any old laptop is another way to dodge the spyware bullet, if your Unix Fu is the stronger.
SoupIsGood Food
You'd think that the hosts of "Innovators of Wrestling" would yank it if it were downloading crap onto people's computers without their knowledge - in violation of the LAW!
But then again, I've seen how well most System AdminDUHstrators manage their sites; perhaps my surprise is simply the result of my moring coffee not kicking in yet.
And here is a question for the class to consider: Given the difficulty of removing spyware in a machine which is running the spyware, why has somebody not taken Knoppix, Wine, the NT filesystem wrapper code, and a virus cleaner, and created a boot disk that would
- mount the users disk using the NTFS in the kernel
- locate the native NTFS DLL, MD5 check it, and assuming it is not corrupt use it to mount the system R/W
- Use winelib to access the registry and clean it
- Run the filescan and purge to remove the infections
. That way, you would need to reboot twice (once to boot into the CD, once back into Windows).Granted, for me this question is of academic interest only - I don't run Windows anymore. But for those of us who have relatives still stuck in purgatory, this might be a better way to run.
www.eFax.com are spammers
One of the main stupid things in Windows is that you have to log in to the whole GUI mess as administrator---whereas in proper systems (where the GUI, e.g. X, is an optional part of the OS) you open an xterm and use su so that only the processes run from that xterm have root privileges. There's little temptation to run a web browser or word processor as root.
First off, I love linux, but in this case I think there's a better tool for the job. (The following is not really a shameless plug).
I use Bart's PE Builder. In a nutshell, it's a bootable cd with a Win32 network, disk (with native NTFS support) and GUI API load. The best thing is that it's built using actual Windows dll's and the like. Of course, you have to have a copy of XP or Server 2003 to built it, and it may not be strictly within Microsoft's licensing agreement to use their IP in this fashion, but that doesn't bother nor stop me.
Anyway, there's a native Ad-Aware plugin for BartPE, and I've hacked together a Spybot S&D plugin, as well. My usual proceedure is to boot the system with my cd, run AAW & S&D to clean up files on the hard drive. Then, I boot from the hard drive into safe mode with networking support, install the latest versions of AAW & S&D, and run them again. This cleans the registry as well (which unfortunately I haven't figured out how to do under BartPE... yet). This method has worked well in situations where the system is so infested I can't start from safe mode.
Part of the problem is that even with the proliferation of anti-spyware programs, often to completely eradicate these nasties, manually crawling for files and registry entries may be necessary. At least for the forseeable future I don't see this becoming a fully automated task.
This isn't just something encountered online though is it?
When it transfers itself to an EU citizen's PC and runs in the background collecting information it is acting within the EU. The EU could conceivably extradite the people responsible for this and try them as crimes have been comitted in the EU as surely as a cracker gaining illegal entry to an EU government computer from a terminal in the US has comitted a crime.
There's two utilities I use on a regular basis for winsock fixing:
1. LSP Fix. This program will let you see what dll's are embedded in your TCP/IP stack. Most of the time it will even detect stuff that's not supposed to be there, but you do have the option to override its judgement. Spybot S&D also has the ability to look into the stack, but you can't use it to remove offending modules, nor see their actual dll filenames.
2. Winsock XP Fix. This nifty little utility will basically reset all registry settings for the stack back to what they're supposed to be. This is usefull if some nasty has totally trashed the stack on its way out the door. It would also appear it works on earlier versions of Windows (certianly Win2k) but I've never tried it on anything but XP.
I used to joke that as long as people break their computers I'd have a job, but there are times when the spyware thing really drives me up a wall...
I've recently seen a rash of new spyware that registers a .dll or ten into the TCP/IP stack, or even in some cases a device driver. Those are truly the beasts. And, of course, the normal Windows startup routines don't necessarily apply, since Windows will include the dll's at launch, and once they're hooked into a process, they'll go about their nasty business as part of what may otherwise be considered a legitemite executable. The line between spyware and a virus/worms/trojans these days is so incredibly thin, it's hard to see anymore.
If it hasn't already become obvious I'm all in favor of dropping large objects on the scumbags that make this kind of stuff. Say, a super-large special order 1000 ton ACME anvil, to start?
There's another class of evilness that doesn't involve startup and that's BHO's (or Browser Helper Objects), which come into play when IE is started and have full access to the computer.
I'm not sure what the secret to success is, but the secret to failure lies in trying to please everyone -Bill Cosby
It says right in the story summary that they covered SpySweeper.
It is the one piece of software i've found that gets rid of everything i throw at it. On my client's machines, I used to run adaware and spybot, and then spysweeper if there were still popups. Now i just run spysweeper from safe mode once and it's all taken care of.
"Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
Actually... I'll take it a step further. It's not mental blindness, it's willful ignorance. These are the people that will say they don't want to know anything about "that computer stuff". After painfully explaining to them what was wrong with the machine (damn you new.net, damn you to hell!), and explaining why it was causing problems (it's sending you to different places then you want to go, think of it as a malicious gas station attendant that reverses all directions for his own sick amusment), they'll wait until after you leave, and then re-install it.
These are also the same people who argued that Windows ME was the same as Windows 2K, because the Millenium was in 2000.
Nephilium
Slab: Jus' say "AarrghaarrghpleeassennononoUGH" -- Detritus' war on drugs Terry Pratchett, Feet of Clay
I've been doing spyware removals for customer's at my job for over a year now. At first it was easy, just run Ad-Aware and you're done. Now some of the spyware programs are getting much more deceptive and can actually startup in safe mode making it nearly impossible to remove.
:)
At this point the first thing i do for a scan is use a USB adapter and connect the hard drive to my test station then clear all temp folders and run spysweeper and adaware to find any files. Then i reconnect the drive adn boot directly into safe mode and rerun both programs to clean out any registry entries. Finally i go through with hijackthis to repair any damage to the browser.
Ive tried out Giant spyware and it seems to work fairly well but the stupid tray app WILL NOT GO AWAY even after haing all of its startup options unchecked.
Also, the new version of Pest Patrol from eTrust keeps detecting a small text file in my 3 year old compressed video drivers as a keylogger
I'm not surprised Spybot did badly.
These things go in cycles, kind of like the Darwinism that didn't work quickly enough on the germ plasm that somehow evolved into the amoral mockeries of humankind that write spyware/malware.
Adaware was widely used for a while, then I started noticing that it wasn't working so well.
Then Spybot is/was hugely popular and extremely effective, so I've started to notice that it too is missing stuff now (or is unable to remove what it finds).
Virus...er...spyware writers are working against these programs, and it's only natural that they are evolving their code to defeat at least the most successful/widely used anti-spyware programs out there.
You wouldn't expect the flu inoculation from 5 years ago to protect you this year, would you? Spyware - and it's counteragents - are the same.
-Styopa
I used to think that what Windows needed was an SU ability, so you'd run as a normal user, and enter the admin password when needed. I still think that's a good idea, but I've come to realise it won't do shit to stop spyware.
For those that don't know, Mac OS-X does just this. You run as a user, and it asks for root when something requires root to execute. Good idea, don't want to be running as root full time. So I'm hanging out in a recording studio, chattering with the engineer, who is also piddling around on his computer while we talk. He's doing something, a box popos up and asks for root and almost before I can see what it wants he whips off the root password and goes back to talking to me.
I asked him about this and he said well EVERYTHING requires it. Anytime you install any app, it needs root. It's just part of the install process.
Well I realised that would be the attitude most non-tech users would take. Installs need root. It's even correct in most cases. So the spyware that's piggybacking on whatever app they want gets root through the install, and then you are back to where you started. The extra verification step isn't any good since people just give it without checking.
I still think it's a good system for those of us that would be suspicious when some little app with no DLLs/libraries to install whines for root, but a normal user isn't going to know the difference. They'll give it root, and get spyware'd.
What I do not understand is how can this be legal. To me this is no different than a trojan (the viral type not the condom.) Maybe it does not self-replicate and spread, but it still hijacked my friends computer. I thought that the malicious or destructive control of a computer without the users consent was illegal according to federal law. Why is it the the government will go after script kiddies, but does not go after the corporate goons who are no better? Oh, wait, I forgot. Script Kiddies do not make political contributions. I'm going to email my congressman.
Insert Generic Sig Here:
Slimeware er, spyware is the bane of my existance. I work for a large company and do not have final say about how the desktops are configured (I would do it differently), I support a special group and nearly all of my people have "admin rights" on their computers. I agree that these people need admin rights for some of the functions that they have to do but figure about 95% of the time they could run as a "super user" without any problems at all.
Very nearly 100% of the computers I touch are infested with slimeware. Running several commercial apps will clear most of the crap that is found but one or two apps seem to come back within a day or two (even if the user claims that they have not been on the internet). It has gotten to the point where I actually believe some of them!
I've found that what seems to be happening is that the slimeware distributors are playing a little versioning game. As soon as the major spyware removal tools are able to kill a specific version of slimeware, the slimeware authors make a new version that they then distribute.
It takes time between the release and the time that the spyware removers catch up and in the meantime, it is up to people like me to figure out how to clean up the mess. I am pretty hard-nosed and will spend a couple of hours searching the registry, booting from CD and deleting files and that kind of stuff to kill off the slimeware. Others who do similar jobs just re-image the machines. Soves the problem faster but I don't think the users are quite as happy. They have to reconfigure the machine to how they like it and there is always the risk of lost data.
I'd love to see these purveyors of filth in prison. Many of them serve up porn and put it on kids machines! They are guilty of a crime every time this happens. Why can't we do something?
Anyway, I don't blame the spyware removal people for these setbacks. They work hard to keep up but just can't.
Im my dreams, I dream of a single tool that sits on the desktop and checks for viruses, slimeware, spam, and other threats and inconveniences. I'd like the tool to be able to be programmed to block access to various applications and websites too. I'd like the same tool to have some sort of "safe recovery" feature that allows me to move back in time to a stable configuration that would not delete data.
These are just dreams but will someone somewhere please make my dream come true? Corporate IS departments everywhere would thank you with money from their budget!
Computer science shows us that it's impossible to accurately detect a virus (some combination of undecideability and Rice's theorem, I'm thinking). Spyware is a "virus" in this sense, and since we can't detect viruses, we can't get rid of them. In theory, then, it's impossible to have a secure computer program (because even if it did, we couldn't detect that it had achieved such security).
Obviously there are heuristics that antivirus (and antispyware) programs use to "detect" viruses, but ultimately the virus-maker-versus-virus-detector problem is an arms race: virus-detectors try to keep up with virus-makers by discovered new heuristics to "detect" viruses, and virus-makers keep trying to outwit these new heuristics with ever-more-clever viruses.
In practice, a human being can detect the difference between a legitimate application and an unwanted application (hence the popups from firewalls and antivirus tools asking, "Do you want to allow this activity?"), but also in practice, many human beings do not exercise this ability. My grandmother, for example, sees those questions as a nuisance and simply clicks the left-most button no matter what the question asks.
Both in theory and in practice, this is an arms race and ultimately an impossibility.
And a close second, or perhaps tied at number one, is the negative attitude of a lot of knowledgeable types. They're very quick to assume the average user is "stupid" because he doesn't know how to format a floppy disk, for example. I actually heard a couple of techs laughing about this behind someone's back the other day. Well, those two guys probably had to use DOS to format disks back in the day, but when's the last time you went to the store and bought an unformatted disk? The current crop of "average" users has never had to deal with that, so why would you assume that when such a situation arises, they're just going to know what to do? And when all they encounter is derision and ridicule when they ask questions, how likely is it that they're going to continue to ask questions so that they can learn?
And then there's the nerd factor. A lot of people, particularly young women, are terrified that if they display any computer-centric knowledge beyond the bare minimum needed to get by from day to day, they'll be tagged as a Poindexter and ostracized. Sure, you can tell them that they shouldn't give a rip about what other people think, but never underestimate the power of peer pressure. I had an interesting conversation about this topic with someone from some educational institution a couple of years back, and she said that it was such a problem that it was causing many young people to think twice about taking computer-related courses -- and that was leading to a shortage of qualified IT staff. This may have changed a bit today, but not a lot, I'd wager.
Recent case in point: after dropping the phone on my desk for the umpteenth time while tucking it between my neck and shoulder, so that I could look up something on the PC while talking to someone, I asked my manager for a phone headset. He figured that would be a good idea, and asked the young (20-ish) woman on the other side of the office if she'd like one, too. Her reply: "Ohmigod, I'd look like a NERD!"
Some time ago, this same person was asked by another employee how to perform some sort of basic (to you and me) operation one one of the other PCs in the office. She gave him some instructions, and tagged them with "Gee, I hope you don't think I'm a NERD for knowing that."
I doubt she's a prime candidate for reading up on what spyware is, how to avoid it, and then finding, downloading and installing something like Ad-Aware -- much less telling anyone else how to do so. And I think she's representative of a lot of "average" users.
Well, first of all, they don't have to do anything to use the airbags, they're there by default.
/. crowd it isn't so bad. We're interested in this stuff so we're in-the-know about it. Most people (our parents, siblings, friends, etc.) simply aren't.
As for the locks, it's not really that simple. It's like being on your own to locate and/or purchase locks for your car after the initial car purchase. Every 4th street corner has some guy peddling locks, and there's no governing entity stating which locks work and which locks don't.
From there, you not only have to decide which lock or locks to use, but you have to figure out how to install them, as well as maintain them. How often have you had to do maintenance to the locks on your car?
For you and I and the bulk of the
My Tech Posts on Twitter
I just fixed a client's machine that was heavily infected with spyware. While I was finishing up protecting the machine, I decided to look at his Zone Alarm programs list (my clients rarely have firewalls installed, so it didn't occur to me to check earlier).
There were something like two or three dozen spyware entries in the programs list. 90% of them were 'allowed'. And they were all manually configured! That means that Zone Alarm popped up "awojethk.exe wants to access the internet" warnings, the person clicked the "Remember this setting" box, and clicked yes!
Argh!
Here's what I do in these situations...
First, it requires a windows machine (NT,2K,XP) using the NTFS filesystem. FAT32 won't work because it don't do ACLs
1. Create a new local administrative account to work under (this is important read the whole thing here!)
2. Run Ad-Aware, Spybot S&D, and Hijack This, under this new admin account keep all the directories the spyware created, or make note of them so you can re-create them later.
3. Now, delete everything contained in these folders, then you start changing permissions on all these folders to deny Everyone access (including administrators), and take ownership of all these directories, when spyware trys to re-install itself it will fail. This method works real well when nuisance kids come back and try to re-install kaazaa, iMesh, etc. If you deny access to the kaazaa folder it won't come back unless they're smart enough to take ownership back and change permissions, or install it in a different directory.
4. This is the kicker: Install Firefox to replace IE, and Firebird to replace Outlook/Outlook Express. Run a search (F3) for iexplore.exe and msimn.exe and change permissions on them just like we did with the spyware folders.
5. This is my favorite: Now delete the IE icon and Outlook icons and change the Firefox and Firebird Icons to look just like IE and OE (MUHAHAHA).
6. Now login as Administrator and delete the user account we just created to do all this stuff.
If nuisance user must have IE to access a dumb banking website that's coded in shitty client side ASP or something like that; write a VB script, or batch file or whatever to use the runas command (similar to sudo in unix) to launch iexplore.exe under a less privileged account; point this back to the normal IE icon and it becomes seamless for the user.
You can take it even farther and deny write access to all the Run keys in the registry to keep crap from getting loaded in the System Tray. You can also deny write access to the Root of the Program Files folder, if you deny access to the whole folder including subdirectories and files it will break a number of applications that love to write metadata, temp files and such in the Program Files folder, like Microsoft Office 2000 (let's not even get started on how many Microsoft developers don't know where temp files and metadata belong). Of course if you do these things the user won't be able to install programs. If the user isn't running as an administrator they won't be able to write to the root of Program Files anyways, but they still can put stuff in their own Run key and the global Run key!
Sorry this is so hacked together, I'm in a hurry, want to go eat lunch NOW...
grep -iw skynet
Cars are not computers, yes. Computers are not cars, yes. You get a gold star.
But both computers and cars are complex multi-purpose devices. They are not commodity television sets or VCRs whose software only perform one basic function (watching a channel, recording a channel).
The more you can lock down and restrict the software on a device, the more secure and useable it can be. This is why crashes in phones and PDAs are so much less common than PCs.
The instant you give the user the ability to install whatever they want, all bets are off.
Flexability and Idiocy-proofness are inversely proportional for any complex system. There is no way around it, you can't have your cake and eat it too.
No I don't expect that Joe user should know how to swap out a DIMM. But I do expect that he should read the manual. I also expect him to read and heed warnings from his ISP about malware. If they can't do that then either
a) They can't complain when they get malware / virii
b) They shouldn't use a PC, since they won't take the time, they should use a locked down Internet Appliance.