Invisible Malware Install 65MB Large
Paperghost writes "Words fail me with this one - don't have the .NET framework on your PC to utilise the adware maker's technology? No problem, they'll download it for you without you knowing. The problem is that it's a sixty-five megabyte install." From the article: "...the size of the .NET framework to download can vary drastically depending on what extras you have - don't forget the service packs, SP1 is an extra 10 or so MB in size. But I'm actually understating the amount of space used when installed, as .NET can total up to 100MB."
I wonder if it comes with 24-hour tech support?
It's bad enough installing spyware, but now they have to go and install Microsoft software!?!?!?!
You slimy bastards!
I hope they're using bittorrent...
And the makers will of course claim that they are providing a valuable public service by keeping people's PCs updated! Bvah!
nhnFreespirit
Sounds like somebody needs a better browser.
Your hair look like poop, Bob! - Wanker.
Any word on which browsers are vulnerable? Is this the sort of thing to be, once again, filed under "Switch to FireFox"? The author leaves a lot of unanswered questions.
Or is this the child of something that must be user-run first?
I hope the land around you yields, a crop like all the other fields, and then your waiting might make sense...
They could have at least installed the open source version of .Net, aka Mono. What were they thinking!
"With enough memory and hard drive space, anything in life is possible!"
I'm still waiting for the worm that will monitor someone's usage habits so it can stealthily download and install Linux.
I bet some people started working on it, but got into a religious argument over what distro to use and gave up.
I could also see a worm that would harvest someone's credit card number and use it to order a Mac Mini.
Help I'm a rock.
It's like apt-get for Windows, except you don't even have to ask for the software. Further proof Linux isn't ready for the desktop, I guess.
This reminds me of a couple years ago when many pieces of software came bundled with spyware called NewDotNet that claimed to be "needed for next generation internet applications" - just around the same time MS started pushing .NET
I remember uninstalling it from a bunch of machines because people asked, "Do I need this?" Yes....
It would be cool if it didn't suck.
I remember the good old days when we would statically compile in our 100 Mb of needed libraries when propagating some malware. Technology just bites you in the ass sometimes.
It installs WINE.
word.
Maybe it would get wider acceptance if MS named it differently. I first heard about it a few years back, and wanting to know more, I typed .NET into Google. I got back every www.*.net website on the web, but little about Microsoft. I knew C# had something to do with this, so I typed that in. Google dropped the # and returned every page with the letter C. Then I heard about ASP.NET, and decided to look that up on Google. I got back every www.*.net/*.asp page in the world, again no useful info. Finally, I gave up and installed Linux instead. I heard that mono got me .NET on Linux, and so I looked up mono. I learned a lot about being careful about who I kiss, but little else.
Unknown host pong.
I guess it'll download Mono. Hurray, malware is finally getting portable. Now if they finish Mono we can have malware on Linux too! ;-)
What happens when Longhorn-specific malware packages decide to upgrade those Win95/98 boxes still out there...
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Now I know how to install it without clicking "I agree". So we'll be seeing some benchmark results on .NET real soon now, right?
For those of us that occasionally program in C# with .NET this is a bigger pain than you know. The two most descriptive keywords of the programming environment really are meaningless nothing-words in the Web's (normally) best search engine.
Get off my lawn.
You know, a lot of people complain about the size of the .NET framework, but 65-100MB isn't really a lot of space considering what it does. The upfront size is off-putting, but the savings you get for it more than make up for it.
Ever notice how small most .NET programs are? .NET is the Win32 API done right (not least because of Anders Heijsberg).
Back in the day, we had to distribute Paradox runtimes with our applications, and it was a whopping 2MB file. But that also meant Paradox applications were absolutely tiny, which made it easy to deploy updates and stuff. This can translate to a lot of savings for enterprises running on Paradox.
Consider the .NET framework for a second. Suppose you wrote something innocent like a screen saver, written in C# based on the .NET framework. How would you as an ISV "ship your software"? You can't. Not unless you sign up to ship Microsoft's software as well. You see, the .NET Framework isn't widely deployed. It is present on a small fraction of machines in the world. Microsoft built the software, tested it, released it to manufacturing. They "shipped it", but it will take years for it to be deployed widely enough for you, the ISV to be able to take advantage of it. If you want to use .NET, you need to ship Microsoft's software for them.
Who said Microsoft does not know how to ship software anymore?! Let the trojan authors take care of that!
-------
Warning: Slashdot may contain traces of nuts.
Search for dotnet instead. It works.
I am a leaf on the wind. Watch how I soar.
- It's an optional install from the XP SP1 and SP2 CDs
- It isn't included with any version of XP Home.
- It isn't listed as a critical update on Windows Update
Taking those major flaws of your argument into account, and how Microsoft have behaved in the past with products, how you'd consider that they're 'forcing
It's a 65MB install, but only a 24MB download. From TFA:
the actual size of the .NET framework to download is around 23MB, though this is still a lot of bandwidth to use up without asking. In addition, the size of the .NET framework to download can vary drastically depending on what extras you have - don't forget the service packs, SP1 is an extra 10 or so MB in size.
So once it's done its thing and installed .NET, it takes up 65MB.
Guy asked me for a quarter for a cup of coffee. So I bit him.
BT Internet recently doubled the downstream rate on most of their broadband accounts, and after looking at the spyware penetration on some friends' Windows machines, 65MB malware seems completely plausible.
Prosperity is only an instrument to be used, not a deity to be worshipped. Calvin Coolidge
The long and short of it is probably yes. The Windows Installer runs in the system context and not the user context when the client is a part of an AD domain.
Running the Windows Installer in the system context is the only way that the directory can manage software on the client.
Kudos to MS for another brilliant design!
You appear to be using Linux. Please wait while we download and install Windows XP.
Progress 1% (2/690MB downloaded)
PocketGamer.org - For the gamer on the go!
Security is one of the core goals of .NET.
That's why 9 out of 10 Malware authors now choose .NET as their preferred language of choice.
A testimonial:
"I finally switched after being pwned by other Malware authors. All my other hack buddies laughed at me!" said 1337HaxX0r, author of AllYURComp.exe, "But now that I'm using .NET, my malicious software is sure to be undeniably secure! Thanks Microsoft!"
Karma: The only way to win is not to play.
The .NET download is just part of Windows now; sooner or later, you will need it, whether you want it or not. 65M is not all that large compared to other runtimes and libraries (C/C++ is much larger).
The real problem here is that somehow these machines installed malware. The problem could be that they are running IE, it could be that the malware is exploiting a bug, etc.
There is a simple solution: run Linux instead. That will protect you from both malware and .NET.
I have a 28K modem, you insensitive clod.
Just make sure you read every line of the agreement for whatever application installs the spyware. If they're being cautious, they probably have a line similar to "We might install the .NET framework on your behalf, and therefore you must read and agree with all of the Microsoft .NET framework terms of service outlined at [url]", right next to the statement about how they're going to install spyware on your PC.
This isn't to say that any of it would necessarily hold up if tested in court, and it doesn't mean that Microsoft wouldn't have "issues" with the spyware distributor for bypassing the display of their license to the user installing the software. But if you're the sort of person who cares about clicking 'I agree' at all, then you should probably consider this, too.
My take was that he works in an office with a quantity of computers Q where Q is large and that the bandwidth reports showed a huge spike in traffic. 65Mb * Q = gigabytes of data, easily possible if you have 30-50 machines inhouse and they all picked up the malware.
If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
No kidding, one time I was doing some painting with some latex paint, right? And I was painting an oak table (oak is a wood with a hard core), so I wanted to make absolutely sure that the paint would bond to it. So I hopped on to google and type in "hard core latex bondage". I think it must be a bug with the parsing engine or something.
In fact some models have shown it's even in a species' interest to play host to a disease causing entity that is more lethal to a competitor or predator. E.g. mice that carry diseases fatal to predators.
In rare cases tolerance gives way to full symbiosis where each helps the other. Perhaps a bacteria that helps deal with some more dread disease or an enteric digestive aid. Something that fixes nitrogen in your roots.
So anyhow maybe the course of viruses are indeed ones that tune up your system, protect you from other viruses and make sure your computer is working optimally. Perhaps they will get out of your way when you are actually using it and just steal cycles and bandwidth when you won't miss it.
In that case 24 hour tech support is indeed on the way.
Some drink at the fountain of knowledge. Others just gargle.
I've spent most of my computing life (20 years since I was 12) working on CP/M, macos, and linux. 2 years ago I became a Window developer.
I've found that I need administrative access to do a lot of the things that I need to as a developer. I do these things many times a day. On linux I would just sudo when I needed it. I think you can run commands as a different user on windows too, I did try it once but kept hitting problems. There's no 'man' command! DOS documentation sucks. I haven't found the equivalent of a sticky bit that I can use for my build scripts that need admin access. A lot of Windows apps are built from visual studio which doesn't have a GUI to switch to admin access for parts of the build. The philosophy is just not there - yes we should push for it. When I was developing for macos in a much bigger company the windows team used to be more sorted in this respect - but then there was a big IT department to support them - developers can't afford to spend too much of their time on system admin. Some developers are into it and some aren't. The lead programmer on my current team is so not into it (but he is a brilliant programmer) - to make things easy for him he has domain admin - everyone knows his password! No I won't say where I work! We don't have an IT department. I think big companies that can afford IT staff do tend to be better over stuff like this.
I don't think many people would start an X session as root in linux. A lot of people will only switch to root as needed. Some are better than others about being fussy about what they do as root. (I bet a lot of people compile their kernels as root) On Windows on the other hand it is very common to login to the graphical environment as admin. A lot of the admin tools have GUI. I think both Windows and linux could be made better by making it very awkward (impossible out of the box) to start an X session / login to Windows as an admin user. I have seen new linux users start X sessions as root....normally to get things set up (often being used to Windows)....but then sometimes things don't work for them as normal users and they just give up and always login as root!
I suppose I might be guilty of the same laziness when it comes to being a new Windows user - but I'm not being paid to admin my machine....In fact I use a linux box to mail and surf so as to lower risks a bit - we were asked to find ways of avoiding Outlook - so I found an old PII and blatted gentoo on it. There is a big difference between Windows and Linux though...a lot of install stuff is done on the command line on linux. Most big distros make it clear you're being an idiot for running X as root. I haven't seen a linux distro that doesn't make you, or strongly advise you to create a normal user account as well as a root account. Having groups as well as users makes things a lot more flexible. Unix has always been a multi-user environment. Windows just hasn't been designed that way. You've got to laugh.
Look at what the ACs pointed out... An admin still needs to start the process... however in AD with a Computer install, software is installed in the system context because no admin is logged in. And considering that an admin assigns the software to be installed I do not think that is a security issue in the design.
Any normal user account in Windows cannot write into the Windows folder where .Net resides, and therefore a normal user will not be able to install .Net unless they increase their privileges...
I'm guessing that you didn't read the article or are unfamiliar with .NET. The .NET Framework is a 23 meg download, not 65. The article states that the TOTAL download of the framework + malware + spyware was 65 megs.
Your point does remain that the JRE is smaller than the .Net Framework, however.
Tell that to the poor shlubs who try to use their dialup connections whilst they're unknowingly downloading this in the background.
In Korea, long hair is for old people!