Microsoft's AntiSpyware Disabled by Spyware

Ruke writes "A trojan has targeted Microsoft's AntiSpyware program, deleting all files within the C:\Program Files\AntiSpyware folder, as well as logging keystrokes at several online banking sites." The good news is that it's a Trojan, so one still has to bother with running an attached file.

Its the content, not the wrapping, but....

[Deekin_Scalesinger]

The news itself might be interest, but in the realm of well written articles this will not make the list. A choice nugget from TFA:

<<< The password stealing Troj/BankAsh-A Trojan, discovered yesterday, is a spyware. It keeps a track of user activities on the computer. It spies on you. >>>

Er, didn't we cover the spying part two sentences ago? Is A spyware? A spyware what?

<<< The Trojan also removes important entries of the antispyware in the registry and thus literal kills the antispyware. >>>

Literal? Come on - this reads worse than half of the AC posts in YRO. I hate playing the grammar nazi, but this was painful to read...

Best Antispyware...

[jo_ham]

The best antispyware is buy a Mac, or install your favourite distro.

Sorry, but there it is.

It gets tiring fighting the broken dam, you can't hold all the water back forever.

Re:Best Antispyware...

[JQuick]

The parent was moderated "Troll"?

Obviously it touched a nerve for somebody.

The bottom line is that currently spyware is only a problem on Windows. Thus, running any viable alternative to Windows is the most effective way of avoiding spyware at the moment.

Running a GNU Linux distro, any of the BSDs, or Macos X are all viable options, and arguably the most efficient solution to the problem of spyware.

Granted, many might find these options unsuitable for a variety of reasons. However, labeling that suggestion a Troll does not make it untrue. Wasting time and CPU to either spyware or anti-spyware software both seem objectionable. Systems which provide desired functionality, and do not require additional effort to continue functioning normally are a sensible choice for many.

Wait for it....wait...wait....

[WordODD]

How long till the Slashbots come out in droves proclaiming M$ sucks and their spyware removal sucks and they should all go to hell because a trojan(more like a crappy little batch file) is able to disable their program. Nevermind the fact that with the way this program works it would be just as effective on AdAware or SpyBot...and nevermind the fact that before running this trojan the MS spyware program TELLS YOU NOT TO!!

Re:Wait for it....wait...wait....

[Tony+Hoyle]

I have it installed and it has caught *nothing* since being installed... luckily AVG is up to scratch.

I routinely run .bat files and it has never fired on one of those... why would it? Whoever heard of a .bat virus?

And in other news

[cr0y]

Viruses shut down norton antivirus.

I mean really, who didn't see this coming?

Re:And in other news

[Nik13]

And they tend to do other nasty things like prevent running regedit and other system tools/AV, process hiding, using filenames that look like system processes, and a whole host of nasty tricks.

It wouldn't be surprising if they started attacting other things like norton's expiry dates/licenses as well, or plain corrupting some registry entries necessary for apps to run. (How long before they replace legit windows keys with the FCKGW ones so people can't get updates anymore?) I won't be surprised either when they start coming up with more advanced techniques against other antispyware apps, or tools like HijackThis. It's pretty much inevitable.

As most lusers run as admins (and use IE, to make things worse), they could do a LOT of evil things if they get imaginative. But that won't make the lusers learn or anything. They'll just keep putting up with it and do nothing.

Re:And in other news

[Deathlizard]

Hell. Spyware deletes Adaware if you want a precedent. There's a CWS varient that will close ANY antispyware app for months now. The most interesting one I've seen is one that host blackholes adaware to a site that downloads outdated ad-aware defs and redirects most of the popular download locations to one of the billion or so "The most wonderful spam me to death Search site in the world!!!" site.

A lot of spyware out there disables the anti-spyware that exists either by deleting it or not allowing it to update to get the latest defs. Just because their now targeting the MS antispyware offering as well as the other offerings they target 1) doesn't suprise me and 2) shouldn't suprise anybody else.

The real question is going to be if they can stop it from happening in the next beta release. I doubt they can, but it might be able to protect itself with it's real time scanning engine by not allowing you to modify the directory without your express permission or the registry keys it uses.

And it's a sure bet...

[Tuxedo+Jack]

That by the end of this week CoolWebSearch "affiliates" will be bundling it with their software to ensure that they remain undetected (except by HijackThis, Ad-Aware, and Spybot).

Beta version

[Indy+Media+Watch]

From the article: "Microsoft Antispyware is still in its Beta version (experimental version).

It's a bit early to point the finger.

Re:Beta version

[irokitt]

Also worth noting, how many viruses/trojans/whatever have started by disabling Norton, or McAfee, or Network Associates? High profile anti-virus programs get targeted for removal all the time. So this isn't just Microsoft's bag.

Do you work using restricted accounts

[McDutchie]

All the more reason to do all your real work under a user account with limited privileges and definitely never to allow others who use your computer to run with administrative privileges. Since nothing can touch C:\Program Files from a regular user account, the trojan would be ineffectual.

For all its security efforts, Microsoft continues to let users run as administrator by default, which is downright irresponsible. I just spent an evening cleaning an acquaintance's computer of a persistent, multiple spyware infection because of this policy of Microsoft. Needless to say I created separate restricted user accounts for all members in the household, but the Microsoft installer should have done this from the beginning! You cannot expect regular users to do anything except go with the default.

I also installed Firefox, and set all of the Internet Exploder security settings on "High" on all accounts except the administrator one (so that Windows Update can be run).

Re:Do you work using restricted accounts

[omicronish]

Windows still is not a true multiuser system. Get back to me when I can run the damn file browser as super user, and Joe Six Pack can play games as a restricted user.

For things that do not work as non-admin, just use the "Run as" command on the context menu for the icon in the start menu. That's better than browsing or doing work as Administrator all the time. Additionally, for most games if you give Users read-write access to the game directory they'll run fine under a non-administrator account.

The reason Explorer doesn't work well with runas is that by default it checks if it's already running, and quits if it is. The problem is that the taskbar is Explorer, so when you try to run Explorer as Administrator it'll see itself and immediately quit. The workaround is simple: login as Administrator, go to Control Panel, Folder Options, View, and check "Launch folder windows in a separate process." This only needs to be done once, and Explorer should work with runas afterwards. Furthermore, I believe this is the only instance in which runas is 'crippled' :P

And finally, that games do not work under all users isn't a technical limitation of Windows. After all, games are applications just like Word, Excel, Photoshop, yet users can run all those programs fine. Based on what I've seen, the failure of games to run under non-administrator accounts is due to one of the following reasons:

• Copy protection requires Administrator privileges to run.
• Saved games are stored in the game directory. But C:\Program Files is read-only to regular users, hence the requirement to run as Administrator. If you're a dev, please store the damn save files in the user's profile.
• Game has a lame Administrator check in addition to the above two.

Note that in all these cases it's the fault of the game developer. Complain to them or don't play their games if this bothers you, but in no way is Windows restricting such games from running as non-admin.

To those who are still running as Administrator, please reconsider. How often do you install applications anyway? Is an additional right-click, Run as, type in Administrator password that difficult? I do homework, debug applications, run games, etc. all from a regular account. It's not that difficult.

Re:Do you work using restricted accounts

[aero2600-5]

"All the more reason to do all your real work under a user account with limited privileges and definitely never to allow others who use your computer to run with administrative privileges. Since nothing can touch C:\Program Files from a regular user account, the trojan would be ineffectual."

You're forgetting one major problem. Let's do a hypothetical situation here to help you understand. Let's pretend that you've managed to get the average Windows user to use a regular user account and only user the admin account when they need to install something. In this fantasy world, guess what will happen? The average user is going to log out of his user account, log into the admin account, and install whatever retarded, virus-laden, spyware-supported software he just downloaded. You could argue that they would put more thought into what they install that way, but let's be realistic. They won't. The only thing that will help this is educating and training the average Windows user so that they understand that the internet isn't as friendly as they would like it to be. The only reason this training isn't mandatory like driver training is because the average person doesn't care if his neighbor is slowly killing his computer. If they were to do away with driver training, the average person would pitch a fit, as he doesn't want his stupid neighbor driving into his house. This is going to sound horrible, but the reason why GNU/Linux/Unix doesn't have such a large problem with users installing retarded shit is not because of the seperation between admin and regular users accounts. It's because of the much steeper learning curve with GNU/Linux/Unix. There are quite a few less idiots running GNU/Linux/Unix.

Don't get me wrong. There are still idiots using Linux. Slashdot proves that every day. There are just less of them.

Aero

Very insightful my friends!

[nerd256]

"you have to consciously or unconsciously run the EXE to install the server side on your computer."

This is opposed to your computer plugging itself in, tapping into the internet, downloading and running itself?

Seriously, every peice of malware one gets is result of human action or inaction. If one were more conciencious of the threat, they would take necessary precautions. ( install Firefox/Linux )

I also think this title tries to make a funny or ironic statement at the expense of accuracy. A Trojan is not what I consider spyware, or, something that sneaks it way in via website, javascript, etc... A trojan targets just teh fools.

Re:Yeah

"vulnerabilities" is terse and more polite than the truth.

User of microsoft windows continue to be diligent in running whatever piece of software comes in an email attachment. Sometimes the mail program will launch the file automatically, but independant reports show users will click on anything and everything presented to them. There doesn't seem to be this problem in the unix world where safegaurds exist to prevent the modification of files outside the users home directory. Given the abundancy of idiots in the world today, this problem is expected to persist for a long, long time.

yeah, windows has a vulnerability, and that vulnerability is clueless users.

Re:how long before patch?

[Tjoppen]

How about denying your user write access to system related folders?

Beta Blame

[ackthpt]

From the article: "Microsoft Antispyware is still in its Beta version (experimental version).

It's a bit early to point the finger.

What? Wait until tomorrow? This isn't a Spyware problem, it's a virus scanning problem for your incoming mail.

it *is* vulnurability

[RelliK]

The fact that you have to run as administrator to get any work done is a security hole big enough to drive a truck through. It is ridiculous that you can trash your filesystem just by double-clicking a mail attachment. *All* linux distributions I've used set up a user account for you and encourage you to use it. Mandrake, for instance, gives you a big red warning if you start KDE as root.

Until microsoft fixes this it will be plagued by security holes. And don't give me this bullshit about usability -- Mac OS X got it right, why can't windows?

Re:it *is* vulnurability

[lasindi]

The fact that you have to run as administrator to get any work done is a security hole big enough to drive a truck through.

This is true, but let's face it. To say that this is a real example of how GNU/Linux is superior is kind of a cheap shot. If GNU/Linux were mainstream, what would the normal user do? Download goodies.tar.gz from your email, compile and su to install it. Tada, your system is screwed. This is what an "average," unsuspecting, Unix user would do. Buffer overflows and the like are legitimate vulnerabilities, but to blame Microsoft for a trojan being written is just not a legitimate criticism. Any operating system that lets the user install anything is "vulnerable" to trojans.

lasindi

Re:it *is* vulnurability

you have to run as administrator to get any work done

Not true. I don't know who modded you up, but this is a lie. Let me guess, you last used Windows in 1995, right?

I run Windows XP in a non-admin account every day. Some apps don't work but you know what? That's their problem, not Microsoft's. If an app doesn't work that way then there's no point in using it, period.

Windows has the means to be secure. It's not the company's fault that every two-bit developer out there wants to write to the system directory.

Re:it *is* vulnurability

It takes a little work, but you can use Windows as a non-administrator.

Yes, it's just that half the applications you want to use, including Microsoft software, require admin privs just to run.

Re:it *is* vulnurability

[mrjohnson]

"Your point about running as admin all the time is a pretty valid one, though. But I'm not convinced that the UNIX user model is perfect either."

What is? I guess we'll just have to settle for "massively better." :-)

Re:it *is* vulnurability

[jackbird]

They are if AutoCAD is involved. Or Quickbooks. Or any number of other high profile productivity apps.

Of course, it's the application vendors' fault for failing to understand that this is a huge problem and they should probably learn to play nice with the documents and settings folder, but MS doesn't seem to be doing much screaming at them about it.

Re:it *is* vulnurability

[JQuick]

I will play devil's advocate.


Bingo, the problem isn't Windows, its Windows Users.


Really, this stance strikes me as the antithesis of the problem. It is programmers who bear the blame here. I'm not singling out Microsoft programmers (despite the large and tempting target they present). I'm talking about most people who write system software or applications for general use.

Here on slashdot, we are predominantly geeks. We enjoy technology and learning about technology. In some cases, a large minority of us mistake our interests in these as evidence that these activities are somehow inherently important. Those who do so gain certain psychological and social pleasure from this knowledge and interest. This is part of being human. We consider ourselves special and important.

Computers and software are marketed to and used by the general public. People, being people, think that their interests and their knowledge is important. Learning about hardware/software/security, etc. is not interesting to them, therefor the fact that they tend not to spend time doing so should come as a great surprise. Geeks tend to see this lack of interest as evidence of a problem (and at times as an affront to their own sense of self worth). This seems a rather shallow and unproductive view. Human beings focus on those things that interest them. Pleading with them to attend to things we think are important, or looking down on them for this lack of interest, is a fruitless path.

The problem is not users. The problem is that we have created hardware and software which does not adequately match the needs of the users. Software should match the requirements of its users not require them to change their typical behaviors to meet the needs of the software.

Some people are destructive and malicious. Well designed software takes this into account, and provides authorized users with reasonable protection from those who would try to harm them. Well designed software behaves in consistent and predictable ways so that users of varying levels of experience, knowledge or interest can benefit from its use.

Software should be designed for the people who will use it. Most programs suck, because they are designed for a particular business goal, or designed by geeks based on their own knowledge of how they would like to use it. It is no wonder, that most software leaves the average person cold. It is arcane, inconsistent, and requires too much knowledge. Users are not stupid. They are not lacking in intelligence or ability. They are lacking in a sense of enjoyment and sufficient interest to use software the way the geeks designers intend.

Great software takes its users interests and expectations into account.
Great developers strive to understand users and write software which serves them.

So, we are the problem, not the users. Blaming people for their own human nature is not the way to go here. Projecting our own failures of understanding onto the users is a misguided attempt to pass the buck.

Re:it *is* vulnurability

[Zeinfeld]

Really, this stance strikes me as the antithesis of the problem. It is programmers who bear the blame here. I'm not singling out Microsoft programmers (despite the large and tempting target they present). I'm talking about most people who write system software or applications for general use.

I agree with this as well. I am not saying that the users are at fault, what I am saying is that there is a strong statistical bias here. The Linux community does not have the slightest interest in doing what it takes to attract non-technical users.

It is very easy to design a security interface for people with strong technical skills. Designing a user interface for the typical user is very very hard.

Most people do not want their lives to be taken over by the machine which is what UNIX demands. They don't want to think about running the computer, they want to think about the problem they bought the computer for or to play games or any other important use.

Linux just does not target the core demographic that the Internet criminals are trying to reach, mostly rich retirees and people who think they need body part enlargement. Not only is linux 5% of the market it is an uninteresting 5% for the criminals, mostly students and 20 somethings.

Here's the fix:

STOP LOGGING ON AS ADMINISTRATOR!

Problem solved.

You wouldn't log in and do everything as root on your Unix machine, and run random scripts, would you?

Why did this make it to the front page news?

[Jugalator]

So, someone developer an application that deletes some files and installs a keylogger. Whoop-de-doo... :-S

Re:Why did this make it to the front page news?

[MustardMan]

It's on the front page because it gives an excuse to take a cheap shot at MS, troll for a flame war, get lots of hits, and bring home some advertising dollars.

Not a problem....

[MBraynard]

I imagine if the OS could prevent you from writing a program that deleted files in a directory and enabled a keystroke logger, you clowns would whine that MS is limiting your ability to use their OS.

You *should* be able to install such a program on your computer. You *should* also be smart enough to know what you decide to put on your machine.

Thank you Symantec

[Supp0rtLinux]

So thanks to today's news that Symantec programs may execute programs that should be flagged, one must now only use a solid product like Symantec Anti-Virus to load up software to remove Microsoft's anti-spyware software. Beautiful. Perhaps I should save everyone the time and hassle and just make a website with a malformed jpg or gif that loads an ActiveX script to then download the trojan and thus get it all done in one shot. Vulnerability after vulnerability after vulnerability. Perhaps this guy wasn't so far off.

Of course, I can't help but point out the obvious: rumors keep abounding that M$ will charge for its anti-spyware and anti-virus softwares. So let me see if I'm clear on this... they write shitty code that I'm forced to use (since the apps I need only run on Win32), and then I have to pay again for software to keep people from exploiting the software that was shitty to begin with. Isn't that a bit like selling you a piece of shit car, then charging you to use your warranty when the clutch fails on day #2 of ownership? You know, many of us thought that the day would come that M$ would charge for access to WindowsUpdate. Is there anything they won't charge for? Don't they ever say "we fucked up... here's a freebie on us"? Or "you already paid $300 for our OS... here's a way to secure it for free".

Re:Old news

Slashdot is not here to break news.
Slashdot is here to point us to interesting things on sites which we would not normally visit.

As a result of that, it is a _requirement_ for other sites to have covered the issue first.

Don't complain just because you don't understand how slashdot works - by your UID you've been here enough years that you should have figured it out by now.

C:\Program Files\...

[YrWrstNtmr]

This is one of the main faults (along with running as Administrator) in the MS world. The default location is easy to target, and everyone's PC is set up the same. C:\Program Files\... can be hardcoded into the malware to delete or otherwise cripple the target application.

Install elsewhere. I've found very, very few applications will not accept another partition to install to.

Can't have it both ways.

[b00m3rang]

When Microsoft released their Antispyware, everyone said, "Oh, well, Microsoft didn't do anything, they just bought the software from Giant.". Now that there's a problem, "Whoa, Microsoft's software really sucks. It's sure is all their fault."

Pick a side, people.

Re:Can't have it both ways.

[randallpowell]

I blame the hackers, users, and Microsoft equally. MS should have changed AntiSpyware somewhat or a user could hae placed it in a different folder or a hacker could have done something productive and make a Firefox extension. All 3 are to blame.

True enough, but remember the meatware issue too

[lorenlal]

Yes, IE has plenty of holes that allow exploits to ravage a system. That definately falls on the maker.

But, if you're a jackass who's making software to spy on people, claim it's something else, and then put in measures to ensure that the programs run "no matter what..." Well, I'm willing to put plenty of responsibility on you.

It doesn't matter what platform the author is targeting, nor what company makes that platform. You're still trying to find unethical (an in many cases illegal) ways to get your stuff to run on an unsuspecting target, and you plan on stealing with it (be it bank account numbers, passwords, or something as little as bandwidth to push ads).

Spyware targets whatever will attempt to remove it. I've seen trojans that prevent some scanners (Ad-Aware and Spybot especially) from detecting that the spy process even exists. I've seen processes that create backups to make sure that both keep each other running if one ends or gets cleaned out. It's something new all the time with these people. It was only a matter of time before something like this targeted Giant's product regardless of whether MS got involved or not.

Nonsense..

[PurpleXanathar]

1) If Windows had protected the antispyware program in some special way, we were now all complaining about antispyware being considered "special" by the OS and thus being in unfair competition with other spyware programs.

2) On any Unix machine you have to be root to install most of the software (you usually have to be root before rpm or make install) : a simple trojan relying on *stupid* user behaviour can be written for any platform and this is not a security problem of the platform, is a security problem of the user's brain.

3) From 2, even if the default user was not administrator, most people would simply try to install this new porn-lemmings game they received and they would "run as" it (just like you su - make install on linux).

4) It's not even only a problem in the user brain. I wonder how much would it take to discover 5 malicious lines inserted in some big open source project. This *is* a possible evet, it could be an angry sourceforge employer, a security hole somewhere, a

5) It seems to me whatever the choice of MS is in any particular matter, there is always someone who takes it to bash it down. When the fact is ridiculous like in this example, this kind of behaviour is detrimental to the whole community. Do you live to make Linux great ? Than use your time to make it the perfect OS, not to make Windows appear the worst OS ever - 90% of users have chosen it as the best product for them and they will not change their mind because you are bashing it down, they will change their mind when they'll see something better *for them*. ..Go and flame me now.