Slashdot Mirror


Microsoft's AntiSpyware Disabled by Spyware

Ruke writes "A trojan has targeted Microsoft's AntiSpyware program, deleting all files within the C:\Program Files\AntiSpyware folder, as well as logging keystrokes at several online banking sites." The good news is that it's a Trojan, so one still has to bother with running an attached file.

9 of 428 comments

  1. Blocker blocker blocker... by Indy Media Watch · · Score: 4, Interesting

    None of this is a surprise; a series of new malware tools attempts to disable various protective services.

    For example, deleting the MSI Installer Service such that when you try to install something like SpySweeper the installer won't work properly.

    Alternatively, killing Antivirus or Personal Firewall processes or placing known good-guy websites in the restricted zone of Internet Explorer.

    The 'solution' IMHO is to have multiple layers of defence and to some extent, perhaps to use less popular tools (i.e. not McAfee and Norton) which won't be on the malware's 'hitlist'.

    I know security through obscurity isn't a solution, but in this case, security through not being one of the masses may be.

    I say this having spent nearly a whole day trying to remove Spyware from a friend's laptop.

    --

    Indy Media Watch-Proctologist of the Internet

  2. Sure it's a Trojan? Is it spyware? by Chordonblue · · Score: 4, Interesting

    Don't ask anti-virus people for a straight answer - they're terrified. If one of these apps seems to have a legitimate purpose, then no matter how it gets on your computer, no matter what else it does, it seems like it's immune from deletion by AV.

    The AV people are trying to walk an increasingly thin line between malicious spyware and malicious viruses. Pretty soon, they're going to have to make some hard decisions.

    --
    "...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
    1. Re:Sure it's a Trojan? Is it spyware? by LiquidCoooled · · Score: 5, Interesting

      I think this is very easy to solve in its preferences.

      A simple role selection box.
      Make it default to current "careful" practice.
      Allow the option to change to tolerate all known valid adware, but remove trojans; this leaves the mild things on for kids with desktops and novelty crap.
      Possibly a stronger option for workplaces etc. which basically deletes anything even remotely compromising.
      Have the strongest option locking the machine to the working set of executables at installation time.

      Windows is with us, running as admin is unfortunate, but a great many people worldwide do, we can't change that, so let's protect them as much as possible :)

      Let the user decide.

      --
      liqbase :: faster than paper
  3. Re:it *is* vulnerability by thockin · · Score: 3, Interesting

    How many MacOS X users just type their admin password whenever it is requested? Most of them. It's just an annoying part of running MacOS X.

  4. Re:MS Software crap? Really? by Anita Coney · · Score: 5, Interesting

    Windows runs in root. That means that by default all user accounts are created with full administrative access.

    OSX and Linux (and nearly every other OS under the sun) creates user accounts with limited rights. That means things cannot happen without your specific permission.

    In Suse 9.2, for example, when I need to do something that requires root access, I'm asked to supply a password.

    A similar thing happens in OSX. When you install software you're asked for a password.

    Accordingly, by default Windows is less secure as programs can install and system settings can change behind your back and without your permission.

    I admit that Windows gets a lot of attacks because it's a big target. However, everyone has to realise that a lot of the attacks occur simply because Windows is insecure by default.

    --
    If someone says he and his monkey have nothing to hide, they almost certainly do.
  5. Re:C:\Program Files\... by Mishura · · Score: 3, Interesting

    OK. That's all well and good, but what if a trojan/virus scans the REGISTRY? Even if you install said software to C:\usr\local\, it is still going to find it.

    MS needs to get rid of the damn registry first. Then we can start talking about other methods. Although I will say that it is a start. I myself usually install in subdirectories outside C:\Program Files\ like C:\Games, C:\apps, C:\pr0n, etc.

    Also, a neat trick that I used to do with win9x PCs is instead of using C:\WINDOWS for windows-centric files, use: C:\WOS (As in Windows Operating System--a jab at its DOS roots.) Not sure if it really helped, but it's hard to tell since I was never hacked, virus/spyware-infected or anything else. Still I'd get bluescreens but that's because of shitty apps/games or MS's memory management.

    That is all.

  6. Re:it *is* vulnerability by Zeinfeld · · Score: 2, Interesting
    This is true, but let's face it. To say that this is a real example of how GNU/Linux is superior is kind of a cheap shot. If GNU/Linux were mainstream, what would the normal user do? Download goodies.tar.gz from your email, compile and su to install it. Tada, your system is screwed. This is what an "average," unsuspecting, Unix user would do. Buffer overflows and the like are legitimate vulnerabilities, but to blame Microsoft for a trojan being written is just not a legitimate criticism. Any operating system that lets the user install anything is "vulnerable" to trojans.

    Bingo, the problem isn't Windows, it's Windows users.

    There are folk who try to avoid spam by making everyone who sends them email 'pass' a Turing test. There are folk who avoid security problems that require a monumental effort in makework learning to use.

    Linux is nowhere near as secure as Open Genera, where security measures are superfluous: there are only 200 or so people who know how to hack it and we know where they all live.

    Or even more obscure, ITS with no security at all, but again the number of possible candidates is very very small.

    There is a way to fix this though: write a trigger in the O/S so that any process that attempts to delete program files/microsoft/anti-virus is automatically halted. Or install the software with admin privs.

    My three year old son does not have admin privs on his account for this very reason.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  7. Re:Can't have it both ways. by DaedalusHKX · · Score: 2, Interesting

    You DOLT... it's Bonzi Buddy, in reference to the purple gorilla thing that is not as popular as WeatherBug (which a client argued with me about) and then reinstalled it and claimed I hadn't cleaned out her computer completely and she wanted a refund!!

    Secondly! You are not familiar with ActiveX, are you? Most computers by default do not allow ActiveX unsigned plugins. Okay, the downside of all that is that ActiveX and its only existing interpreter (official one at least), being Internet Explorer, are both more exploit-prone than 1-year-old PHP implementations done by microsofties in a GUI environment (we all know how clean THEIR code is).

    All in all, hatred of Microsoft is bred of three things... Linux is better and they're trying to kill the movement... Microsoft marketing is made of lies... Microsoft enforcers are all based on greed or stupidity... very little else goes behind their reasoning.

    P.S. I have seen some pretty badass implementations of spyware, kids, and most of them rely on "microsoft technologies" that are "cutting edge", so cutting edge in fact that they cut themselves.

    --
    "What luck for rulers that men do not think" - Adolf Hitler
  8. Re:Final solution? by creysoft · · Score: 2, Interesting

    There are what are called Volume Shadows in Windows XP and later (naturally more accessible in the server version). It's basically what you describe.

    Then make it more accessible in the home version. Slap a cute GUI on it, give it an animated talking animal assistant, or give it a built in version of solitaire. Whatever makes it easy and practical for Grandma.

    There's also (even in...shrug... Windows Me) System Restore, which does provide a degree of restoration of Registry and files to a previous point in time.

    That's just for the operating system, and even still, it's kind of a pain in the ass.

    The problems here are things like for how long you should go on keeping old versions, how do you know when the malware change was done, how sure can you be that the malware in question isn't capable of injecting itself into the previous versions, and so on.

    The length should be adjustable, and should default to about a month's worth of changes. As for knowing when the malware infection occurred, that would probably require some new, currently unthought-of system. Perhaps the system needs to start keeping hashes of files around, and doing regular checks for unexplained changes. When it finds something fishy, it asks the user if s/he wants to undo recent changes to that file. Nobody's saying it would be trivial, but proactive management is almost always better than reactive management.

    As far as keeping it out of previous versions, that's what write access controls are for. As I said in my post, it would require some architectural changes for Microsoft.

    With regard to physical hardware separation, that would be something hardware manufacturers would have to help out with.

    The fact of the matter is that protecting any network-enabled system is work, and users don't want to do that work. It becomes our job, as the tech industry, to do it for them. Not out of altruism, but to prevent their failure to act from harming us.

    --
    Formerly GNU/Anonymous Coward. This message has been determined to cause cancer in laboratory animals.
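The "keep hashes of files around and check for unexplained changes" idea in creysoft's comment is the core of a file-integrity monitor. The following is an added example written for this page, not code from the Slashdot post or from any Microsoft product: it builds a SHA-256 baseline of a directory, stores it as JSON, and on a later pass classifies every difference as deleted, added or modified. The `AntiSpyware` folder name, the file names and their contents are constructed stand-ins so the script runs offline in a temporary directory; a real deployment would point `build_baseline` at the protected tool's install folder and, as the comment says, keep the baseline file somewhere the monitored process cannot write.

```python
"""Added example: minimal file-integrity baseline and change detector.

Not code from the original post. All paths and file contents below are
constructed for the demo; the 'AntiSpyware' folder is a hypothetical stand-in
for a protected tool's install directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Set


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries stay off the heap."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its hash."""
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify differences between a stored baseline and a fresh snapshot."""
    old, new = set(baseline), set(current)
    return {
        "deleted": old - new,                       # present before, gone now
        "added": new - old,                         # dropped in since baseline
        "modified": {k for k in old & new if baseline[k] != current[k]},
    }


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    # In practice this file must live where the monitored process cannot write.
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: baseline a fake install folder, then simulate the
    kinds of change the article describes (files removed from the protected
    tool's folder), plus one tampered binary and one dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "AntiSpyware"            # hypothetical install folder
        (root / "data").mkdir(parents=True)
        (root / "scanner.exe").write_bytes(b"MZ" + b"\x00" * 64)   # constructed stand-in
        (root / "data" / "signatures.dat").write_bytes(b"sig-v1")  # constructed
        (root / "readme.txt").write_text("original readme\n")      # constructed

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering after the baseline was taken
        (root / "scanner.exe").write_bytes(b"MZ" + b"\xff" * 64)   # binary replaced
        (root / "data" / "signatures.dat").unlink()                # file deleted
        (root / "dropper.dll").write_bytes(b"junk")                # unexpected new file

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

The detector reports three buckets rather than a single "changed" flag because each calls for a different response: a deleted or modified file under a security tool's own directory is the signature of the behaviour the article describes and is worth a restore from a known-good copy, while an added file is the lead to follow for what put it there. Untouched files (`readme.txt` here) are simply absent from every bucket.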