Microsoft's AntiSpyware Disabled by Spyware
Ruke writes "A trojan has targeted Microsoft's AntiSpyware program, deleting all files within the C:\Program Files\AntiSpyware folder, as well as logging keystrokes at several online banking sites." The good news is that it's a Trojan, so one still has to bother with running an attached file.
Not that that has ever prevented Slashdot from reporting things like these as "vulnerabilities".
Believe it or not, someone's actually documented this. Norton 2005 gets pimpslapped by a .vbs file WITH SCRIPT BLOCKING ON.
Warning: Link is to .swf file. Flash player required.
The description at Sophos (an AV firm) might be easier on the brain (i.e. not get anyone's grammar hackles up).
Troj/BankAsh-A
It isn't spyware, it is a Trojan. Spyware consists of programs either secretly installed by a base program to monitor your browsing and usage habits, or installed but only mildly covered. This is a Trojan intent on stealing banking passwords and such. Two completely different things.
We've seen viruses/trojans that delete antispyware before. All the more reason to install software somewhere other than the default location, and to run more than one antispyware/antivirus solution.
Also, when software starts disappearing from your computer you might want to look into it.
I think the trojan is probably pretty safe from that particular OS protection...
Actually, I've found the MS AntiSpyware software has been quite good. I first tried it on a machine where Adaware and Spybot had already been run (with the newest defs available); the MS one still found 13 instances (some 67 files/keys) of known spyware AND was able to remove them. Adaware and Spybot just don't seem to cut it anymore.
You don't have the system hooks turned on. And, yes, a batch file can destroy your computer. Think "format /s c:" here.
Everybody seems to miss this:
1) Open AntiSpyware's main window
2) Click on "real time protection"
3) Then click on each of the 3 agents...Internet (9 checkpoints), System (25 checkpoints), and Application (25 checkpoints)
4) Enable *all* of the checkpoints...they are Win32 system hooks...
5) Try installing some spyware. ; ) It won't work.
Also, don't fool yourself, antivirus software does not protect against spyware.
It's not as easy to use as OSX (or KDE), but it works. I use it every day on my primary computer. I'll grant that it's not going to help most users (the ones who run every executable sent to them), but for people who want to use good security principles and still install software every once in a while, it's a good thing.
Why should a limited user be able to attach to a system process and debug it?
You can develop with VS.NET2003 as a limited account just fine. The case you mention is special, and you either need to run the webserver's application pool as your identity to debug, or run VS.NET2003 as Administrator. Not a huge deal, just do 'runas...' and start VS.NET as Administrator.
No reason to abandon running as a Limited Account.
Naturally, this feature is not unique in any way to the NTFS implementation of Windows, but as we're discussing MS problems here, that's the most directly relevant thing. Any journaling FS could/should be able to do this. And, still, remember that the only safe thing if your system really has been compromised is a physically separated backup.
There's also (even in...shrug... Windows Me) System Restore, which does provide a degree of restoration of Registry and files to a previous point in time.
The problems here are things like for how long you should go on keeping old versions, how do you know when the malware change was done, how sure can you be that the malware in question isn't capable of injecting itself into the previous versions, and so on.
Yes, but shouldn't the Operating System files be PROTECTED from such trojans? i.e. setting access privileges or something?
Believe it or not, a lot of us are running Windows 2k/XP without these problems.
I believe you. Large numbers of users are not affected by these problems. However, a large percentage of users are adversely affected. Your experience appears to be atypical.
Yes, I'm not using IE. Yes, I'm not using Outlook Express. Yes, I'm behind a firewall. I'm not claiming to be 100% secure, but buying a Mac or switching to Linux would do little to improve my computing experience. Never mind the stuff I wouldn't be able to do because I use software that isn't 100% supported.
How ironic. You describe the safety of your current environment, and dismiss alternatives using identical criteria. You claim that an alternative to Windows would not improve your situation, and support this claim by alluding to things which you could no longer do (presumably because you rely on programs which exist only on Windows). What's ironic is that you do so after implying that you owe part of your safety to not running several other programs.
So, you are comparatively safe, and content with your environment. Good for you, I do not begrudge you that. However, your statements strike me as disingenuous. You blithely gloss over the fact that there are already things you cannot do (programs you cannot run) just to remain safer in your chosen environment.
Call me old fashioned, but something is terribly wrong when a user cannot use the software bundled with their system, in the way it was intended to be used, without compromising the safety or performance of the system. Computers should serve their users. They should not break or degrade because the user actually runs the software as intended by the designers.
Your anecdotal evidence suggests that you are not as cozy as you claim. A wider view of the situation suggests that your reported condition is far from the general case.
A recent study commissioned by AOL and the National Cyber Security Alliance (NCSA), suggested that the majority of home users are adversely affected by spyware and other malware.
The NCSA is supported by the Homeland Security Department and the FTC. It is also supported by a large number of tech corporations with either financial or political lobbying interest in computer security: the board of directors includes representatives from Cisco, Symantec, RSA Security, McAfee, Microsoft, and Bell South.
This group strikes me as far from impartial, as each member (public or private) has significant interest in publicizing (or magnifying) certain security risks. These vested interests should suggest we take the report with a grain of salt. Despite this, the results are quite interesting.
They polled a random sample of (PC-using) AOL subscribers and also gained access to their computers to inspect them for viruses and malware. They found that:
77% considered themselves safe from threats.
66% had been infected with a virus in the past.
20% were currently infected with viruses.
80% were currently infected by spyware (averaging 93 spywares/host)
89% of owners with infected PCs were unaware of these conditions.
The survey's margin of error was +/- 5.4%
These are home users; business users and highly technical users are sure to be better protected on average.
Despite this, the protection of businesses comes at very high costs measured in hardware/software/wages/training. Sophisticated home users also spend additional time and/or money protecting themselves.
Here are links to pdf files containing a press release and summary of the raw data.
http://www.staysafeonline.info/news/NCSA-AOLIn-Ho
http://www.staysafeonline.info/news/safety_study_
Well, given that Paris was probably the most famous trojan, and stole the most beautiful woman in the world from her husband, I could probably outline a few theories.
The difference is that on a Linux system the user is aware that she is installing software. In the Windows world, you try to open an email attachment ("the_numbers.xls" with a ton of spaces and ".scr" at the end). You do NOT think you're installing a screensaver!
Firefox, for example, has a dialog that says that you are about to install extensions - the "install" button is timed to a few seconds before being enabled, so the user does not accidentally click it.
Getting spyware by installing a malicious application is harder to prevent, and such software should probably be installed in the user's home directory, not as root.
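As an added illustration of the disguised-attachment trick described in the comment above (example code, not from the original thread): a Python check that flags attachment names whose real extension is executable and is hidden behind a document-style extension or a run of whitespace padding. The extension lists and the sample attachment names are constructed for this example.

```python
import re

# Extensions Windows runs directly on double-click (constructed list; extend as needed).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".vbs", ".bat", ".com", ".pif", ".cmd", ".js"}
# Extensions a user would read as "just a document".
DOCUMENT_EXTENSIONS = {".xls", ".doc", ".pdf", ".txt", ".jpg", ".zip"}

# A document-style extension, two or more spaces, then the real extension at the end,
# e.g. "the_numbers.xls                         .scr".
PADDED_DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\s{2,}\.[a-z0-9]{2,4}$", re.IGNORECASE)


def analyze_attachment_name(name: str) -> dict:
    """Describe how an attachment name may be disguising an executable."""
    lowered = name.lower().rstrip()
    if "." in lowered:
        stem, ext = lowered.rsplit(".", 1)
        real_ext = "." + ext.strip()  # the extension the OS will actually act on
    else:
        stem, real_ext = lowered, ""
    executable = real_ext in EXECUTABLE_EXTENSIONS
    # An earlier ".xls"/".pdf" that the user is likely to take as the file type.
    decoy_ext = next((e for e in DOCUMENT_EXTENSIONS if stem.rstrip().endswith(e)), None)
    padded = PADDED_DOUBLE_EXT.search(lowered) is not None
    return {
        "real_extension": real_ext,
        "executable": executable,
        "decoy_extension": decoy_ext,
        "whitespace_padding": padded,
        # Only executables dressed up as documents count as disguised.
        "disguised": executable and (decoy_ext is not None or padded),
    }


def flag_suspicious_attachments(names):
    """Return the names that are executables disguised as documents."""
    return [n for n in names if analyze_attachment_name(n)["disguised"]]


# Constructed sample attachment names, including the padded-spaces trick from the thread.
SAMPLE_ATTACHMENTS = [
    "budget.xls",
    "the_numbers.xls" + " " * 40 + ".scr",
    "invoice.pdf.exe",
    "holiday.jpg",
    "README",
]

if __name__ == "__main__":
    for name in flag_suspicious_attachments(SAMPLE_ATTACHMENTS):
        print(repr(name), analyze_attachment_name(name))
```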