Topics: Privacy, Operating Systems, Software, Windows, Your Rights Online

Analysis of Spyware

scubacuda writes "What actually happens when you install adware/spyware/malware? "Follow the Bouncing Malware" examines what's downloaded, redirected, and obfuscated. A fascinating read. (Part two was postponed in order to cover a new MyDoom variant.)"
  • by Anonymous Coward on Saturday August 07, 2004 @11:42AM (#9908618)
    oh yes, because IT colours suck dick.
  • No spyware here (Score:2, Informative)

    by SteveXE ( 641833 ) on Saturday August 07, 2004 @12:17PM (#9908756)
    I managed to keep my PC pretty much spyware-free when running IE, aside from the day-to-day tracking cookies.

    I switched to Mozilla about 2 months ago and not only do I never get spyware cookies, due to its easy-to-use cookie blocking and plugins, but it's so much better in many respects. I still have to use IE on some pages that contain video files, and I do have a few gripes, but overall it's much better and lets me control my internet experience on many more levels.
  • by scubacuda ( 411898 ) on Saturday August 07, 2004 @12:27PM (#9908806)
    Check out this hosts file [everythingisnt.com] also.

  • Re:malware honeypot? (Score:3, Informative)

    by selderrr ( 523988 ) on Saturday August 07, 2004 @12:30PM (#9908815)
    You mean like we want to do with spammers?
    We all know how well that worked.

    Face it: malware is the new spam, and it is a lot harder to detect & isolate. OS X & Linux users may be safe for now since the problem is moved from mail server to client machine, but it is only a matter of time until Java malware shows up.

    The ONLY solution is keeping the OS secure, the firewall tight and the user aware not to click bogus utilities. That and a network-wide hosts file that redirects a lot of crap.
  • Working version (Score:2, Informative)

    by fuctape ( 618618 ) on Saturday August 07, 2004 @12:37PM (#9908846)

    Working version of the article (for now): http://isc.sans.org/diary.php?date=2004-07-23 [sans.org]

  • Re:Even Sevens (Score:2, Informative)

    by nkh ( 750837 ) on Saturday August 07, 2004 @12:37PM (#9908855)
    I don't have Windows, but I've seen stories on /. about users infected by spyware, instead of the usual TOS clicking.
  • by Gigantic1 ( 630697 ) on Saturday August 07, 2004 @12:39PM (#9908864)
    Read the FAQ, you'll see that you can't mod and post on the same piece of news.
    You can if you post as an Anonymous Coward.
  • Just not IE! (Score:5, Informative)

    by yoshi_mon ( 172895 ) on Saturday August 07, 2004 @12:42PM (#9908887)
    I realize that Firefox and Mozilla get all the glory here on /. due to them being OSS but the bottom line in all of this is just that IE is the one to blame.

    I've been using Opera since v5.x and have never looked back. Lately I've seen a lot of improvement in Firefox but they are still playing catchup with Opera.

    For whatever reason Opera only seems to get a nod here when it should be getting a lot more, but c'est la vie. I personally will continue to support Opera until they sell out or whatever, but I hope that they, and everyone else, realize that having a marketplace full of a few, maybe even many different browsers will only help everyone in the long run.

    Currently I am installing Firefox for people who just need to use anything but IE; mostly end users. For a power user however Opera is the way to go.
  • by sploo22 ( 748838 ) <dwahler AT gmail DOT com> on Saturday August 07, 2004 @12:56PM (#9908953)
    Wrong. Here are some definitions of a computer virus:

    A program that can infect other programs by modifying them to include a possibly evolved copy of itself.

    "A parasitic program written intentionally to enter a computer without the user's permission or knowledge. The word parasitic is used because a virus attaches to files or boot sectors and replicates itself, thus continuing to spread. Though some viruses do little but replicate, others can cause serious damage or affect program and system performance. A virus should never be assumed harmless and left on a system." -- Symantec


    Get your terminology straight. If it doesn't infect other software, it is not a virus. Your argument is like saying malnutrition is a virus because it makes you sick.
  • Startup Cop (Score:4, Informative)

    by blackmonday ( 607916 ) on Saturday August 07, 2004 @01:12PM (#9909034)
    There's a really nice tool on the net called startupcop that was made by the ZDNet people, released, then dropped. You can still find it on Google as "startcop.zip". It's a nice program that shows you what starts in Windows when you boot. My friend had about 60 different adware/spyware programs on his machine. I was able to remove most of them except for this pesky TV-something adware which would not uninstall. And something else: there's some other kind of app that won't let Ad-Aware or Spybot run. It's a giant pain in the ass; my friend's PC is unusable, even with Mozilla, and he has a $50 a month broadband bill. The sons of bitches who make these programs need to be put in jail. There, now I feel better.

  • by vudufixit ( 581911 ) on Saturday August 07, 2004 @01:39PM (#9909168)
    1. Not visiting porn sites.
    2. Not going to the default homepage network.
    3. Not downloading and installing Kazaa or PTP apps of that ilk.
    4. Not clicking on any popup or banner ads.
    5. Never agreeing to install any software as a result of visiting a web site, unless it's Macromedia, Apple or Microsoft.
    I still run IE, and I have a bare minimum number of XP fixes.
  • by Anonymous Coward on Saturday August 07, 2004 @02:23PM (#9909381)
    Then you are gonna get it eventually!

    You really need to take a look at some of the vulnerabilities in IE. You don't have to click any popup or banner ads; they can install whatever they want just because the ad popped up in the first place. Did you RTFA? This particular spyware infection started by opening a popup frame that was 1 pixel by 1 pixel; you wouldn't even know that something had popped up, let alone have to click on it. Then it used a .chm exploit that looks like it opens whatever page the spyware writer wants! You don't have to browse to porn sites; they will do it for you! Then it gets around to resetting your home page to whatever the author wants; this could certainly be a porn site, too. And it goes on and on...

    Look, the most telling quote in the whole article is: ...you may be the one that plunked down a grand at your local consumer electronics store to purchase your PC, but THEY own it.

    and it is strictly because you are running IE and Windows!
  • Re:Startup Cop (Score:5, Informative)

    by Jade E. 2 ( 313290 ) on Saturday August 07, 2004 @02:42PM (#9909463)
    this pesky TV something adware which would not uninstall
    OK, here you go, JD's quick guide to removing hardened spyware, such as TV-Media (tvm.exe). (This is mainly for stuff that the spyware removers can't delete, or that won't let Ad-Aware and its friends run.) This is even maybe a bit semi-on-topic, wow.

    First, get HijackThis. If you're not very familiar with windows internals, run it on a couple clean systems to get a feel for what should be there.

    If it isn't being blocked by some really nasty spyware, AdAware or one of those is a good first step to remove the easy stuff before you tackle the hard stuff.

    Now, run HijackThis on the infected computer. It will take some practice to learn what is bad and what isn't, but some things will be obvious. In the case of TVM, there will be a startup item (O4, IIRC) for tvm.exe, a URLSearchHook for tvmbho.dll, and a bunch of BHO entries for randomly named 'ms????.dll', and possibly a few more DLLs in the system32 directory. (I haven't personally ever seen a valid BHO entry, but YMMV.) The important thing to do here is to make a list of files to delete in the next step. At this point you can check the suspicious entries and click 'fix', then re-scan the computer and see how many of them come back. In the case of TVM, several of them will, most notably the tvm.exe startup item. Killing tvm.exe won't help with this, either.

    Now, on to removing hard files. In this case, tvm.exe is hard because it loads with explorer so it's always 'in use'. A couple of the ms????.dll files are hard because they are in use and/or get replaced on reboot by tvm.exe if they're gone. There are three methods to remove these.

    First, safe mode. This is easy, albeit time consuming waiting for reboots, but doesn't work for all files. (In TVM's case, it works.) Just reboot into safe mode and delete each file on your list, then use HijackThis to remove the registry entries.

    Second method. Faster if you're a decent typist, works for files (like tvm.exe) that hide their process inside explorer.exe so you can't kill them. Open a command prompt and task manager. Use task manager to kill any visible tvm.exe (or whatever) tasks, then kill explorer.exe. Your shell goes away. Use the command prompt to delete the files, then run HijackThis and remove the registry entries. (You can re-run explorer from the prompt when you're done.)

    Third method. Slow, complicated, but works for files that can't be deleted by either of the other two methods. This method also works remotely through most desktop-sharing type connections, unlike the other two. Once you've figured out where the files are being launched from (HKLM\Software\Microsoft\Windows\CurrentVersion\Run in TVM's case), open regedit and go to that key. (NOTE: If you're using Windows 2000, you'll need to use regedt32 instead of regedit, but the rest of the process is similar.) Click on the key (the entire folder, not the individual entry) and choose Permissions from the file menu (or right-click menu in XP). Now you need to deny access to Everyone for that key. If you're not familiar with permissions, the exact steps are to click 'Add', type 'Everyone' as the name, hit 'OK', hit 'Advanced', highlight the 'Everyone' entry and hit 'Edit', then check the 'Deny' column next to 'Full Control', then OK out. Reboot. The files won't load (and neither will any of the other startup items in that registry key), so you can delete them and run HijackThis freely. When you're done, run the registry editor again, and in the permissions window for the key in question just click on your 'Everyone' entry and click 'Remove', then reboot one more time.

    Hope that helps, and good luck.
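The "make a list of files to delete" step of the guide above, written out as code. This is an added example, not something from the thread or from HijackThis itself: it scans HijackThis-style log lines for the TV-Media indicators the comment names (a tvm.exe startup item, a tvmbho.dll URLSearchHook, randomly named ms????.dll BHOs) and collects the file paths to remove in safe mode or after killing explorer.exe. The line shapes only approximate HijackThis output, and every line, CLSID and path in SAMPLE_LOG is constructed for the demonstration. One caveat the comment glosses over: some legitimate software does register a BHO, so the broad "unnamed BHO" rule produces a review list, not an automatic delete list.

```javascript
// Added example: triage HijackThis-style log lines for TV-Media indicators.
// Log format approximated from HijackThis; all sample lines, CLSIDs and
// paths below are constructed, not taken from a real machine.

const SAMPLE_LOG = [
  "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.example.test/search",
  "R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\System32\\tvmbho.dll",
  "O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\\WINDOWS\\System32\\msab12.dll",
  "O2 - BHO: Example Helper Class - {00000000-0000-0000-0000-000000000003} - C:\\Program Files\\Example\\ExampleHelper.dll",
  "O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000004} - C:\\WINDOWS\\System32\\mskq9x.dll",
  "O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE",
  "O4 - HKLM\\..\\Run: [tvm] C:\\WINDOWS\\tvm.exe",
].join("\n");

// Parse one log line into { type, name, path }. Only the entry types the
// comment mentions are picked apart; other types parse with path = null.
function parseEntry(line) {
  const m = /^([A-Z]\d+) - (.*)$/.exec(line.trim());
  if (!m) return null;
  const [, type, rest] = m;
  const entry = { type, name: null, path: null, raw: line.trim() };
  if (type === "O4") {
    // "HKLM\..\Run: [ValueName] C:\path\program.exe"
    const o4 = /\[([^\]]*)\]\s*(.*)$/.exec(rest);
    if (o4) { entry.name = o4[1]; entry.path = o4[2].trim(); }
  } else if (type === "O2" || type === "R3") {
    // "BHO: Name - {CLSID} - C:\path\file.dll"; the file path is the last segment
    const parts = rest.split(" - ");
    if (parts.length >= 3) {
      entry.name = parts[0].replace(/^[^:]*:\s*/, "");
      entry.path = parts[parts.length - 1].trim();
    }
  }
  return entry;
}

// Indicator rules taken from the comment. The last one is deliberately broad
// (a legitimate BHO registered without a display name would also hit it).
const RULES = [
  { id: "tvm-startup",    test: (e) => e.type === "O4" && /(^|\\)tvm\.exe\b/i.test(e.path || "") },
  { id: "tvm-searchhook", test: (e) => e.type === "R3" && /(^|\\)tvmbho\.dll$/i.test(e.path || "") },
  { id: "random-ms-bho",  test: (e) => e.type === "O2" && /(^|\\)ms[a-z0-9]{4}\.dll$/i.test(e.path || "") },
  { id: "unnamed-bho",    test: (e) => e.type === "O2" && e.name === "(no name)" },
];

// Returns the flagged entries (with the rule ids that fired) and the
// de-duplicated list of files to delete once nothing is holding them open.
function triage(logText) {
  const findings = [];
  for (const line of logText.split(/\r?\n/)) {
    const e = parseEntry(line);
    if (!e) continue;
    const rules = RULES.filter((r) => r.test(e)).map((r) => r.id);
    if (rules.length) findings.push({ ...e, rules });
  }
  const filesToDelete = [...new Set(findings.map((f) => f.path).filter(Boolean))];
  return { findings, filesToDelete };
}

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```

Run it with `node` on a saved HijackThis log (replace SAMPLE_LOG with the file contents) and hand the `filesToDelete` list to whichever of the three removal methods above applies; entries that hit only `unnamed-bho` deserve a look at the DLL's publisher before they go on the list.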

  • by Anonymous Coward on Saturday August 07, 2004 @04:54PM (#9910016)
    Unfortunately - your "feel good" posting doesn't even pass the "mustard test".

    1: Not visiting porn sites.
    BARMP!!! Does the 'look-a-like' Yahoo site look like a pr0n site to you?

    2: Not going to the default homepage network.
    Thanks for playing! Your default homepage doesn't matter an iota.

    3: Not downloading and installing Kazaa or PTP apps of that ilk.
    Obviously you've never heard of Web Bugs [eff.org].

    4. Not clicking on any popup or banner ads.
    Goto #3.

    5. Never agreeing to install any software as a result of visiting a web site, unless it's Macromedia, Apple or Microsoft.
    Just not getting it are we? Goto #3.

    Your Internet experience of "ignorance and bliss" is just that. This stuff is out there, it's rampant and guess what.... it thrives because of the ignorance/bliss/don't care attitudes of people like you. PERIOD

    Wake up! One of these days - you'll find your computer and all the real value (DATA) destroyed or worse STOLEN because of this menace.

  • REGMON and FILEMON (Score:3, Informative)

    by Wolfier ( 94144 ) on Saturday August 07, 2004 @05:23PM (#9910146)
    If you're a Windows user, I suggest you go to:

    Sysinternals [sysinternals.com]

    to get utilities like REGMON and FILEMON.

    While people have used them for other purposes (for example, figuring out where shareware stores dates), they can be useful tools against spyware too.

    Run them before doing anything you think MAY be dangerous, and you'll be able to see spyware activities right in front of your eyes.

  • by len_harms ( 455401 ) on Saturday August 07, 2004 @05:56PM (#9910332)
    You may find this useful as well.
    pac file [schooner.com]
    I use it in addition to a decent hosts file. I even combined the two. That way the freaking browser doesn't even ASK to be nuked. Before the popup blocker was put into Mozilla and IE this is what I used. I rarely saw a popup, and my spyware count went to 0. Sometimes it pukes on itself, but someone was kind enough to put a 'turn it off for now' thing in, which is kind of cool, as with a hosts file you have to move it out of the way, then back when done. There is also a plugin for Mozilla, I believe, that does something similar. But for someone who has to use both it's pretty easy to keep running.

    The reason I like the PAC thing a little better is that it snags whole domains, whereas a hosts file only gets one site. Also, sometimes you want to go to one site but not part of that site. It's pretty powerful...
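A PAC file of the kind the comment above describes, as an added example. It is not the schooner.com file linked there, and the domains and paths it blocks are made up for the demonstration. It shows the three things the comment says a hosts file cannot give you: a whole domain blocked by suffix rather than one hostname, a path blocked on a site you otherwise use, and a single "turn it off for now" switch. The `hostInDomain` helper stands in for the browser-supplied `dnsDomainIs()` so the function also runs under Node for testing.

```javascript
// Added example (not the PAC file linked in the comment above). Domain names
// and paths are constructed (.invalid / .test TLDs). `var` is used because PAC
// scripts run in old, ES3-era engines; everything else is plain JavaScript.

// Flip to true to disable blocking without editing the rules.
var BYPASS = false;

// Whole domains: matches the domain itself and every host under it.
var BLOCKED_DOMAINS = ["adserver.invalid", "tracker.invalid"];

// Paths on sites you otherwise want to use: [host, path-prefix].
var BLOCKED_PATHS = [["www.example.test", "/ads/"]];

// A proxy on a port nothing listens on: the request fails locally and never
// leaves the machine. A hosts-file entry pointing the name at 127.0.0.1 does
// the same job, but only for that one exact hostname.
var BLACKHOLE = "PROXY 127.0.0.1:1";

// Equivalent of the PAC helper dnsDomainIs(host, "." + domain), written out
// so the script also runs outside a browser.
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// Path component of a URL. Note that some current browsers strip the path
// from https URLs before calling the PAC script, so path rules are only
// reliable for http.
function pathOf(url) {
  var m = /^[a-z][a-z0-9+.-]*:\/\/[^\/]*(\/.*)?$/i.exec(url);
  return m && m[1] ? m[1] : "/";
}

// The entry point every browser calls for each request.
function FindProxyForURL(url, host) {
  if (BYPASS) return "DIRECT";
  for (var i = 0; i < BLOCKED_DOMAINS.length; i++) {
    if (hostInDomain(host, BLOCKED_DOMAINS[i])) return BLACKHOLE;
  }
  var path = pathOf(url);
  for (var j = 0; j < BLOCKED_PATHS.length; j++) {
    if (host.toLowerCase() === BLOCKED_PATHS[j][0] &&
        path.indexOf(BLOCKED_PATHS[j][1]) === 0) {
      return BLACKHOLE;
    }
  }
  return "DIRECT";
}
```

Save it with a `.pac` extension and point the browser's "automatic proxy configuration URL" at it; the blackhole address makes the blocked request fail immediately instead of hanging, which is why a closed port is preferred over an address that drops packets.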