Analysis of Spyware 246
scubacuda writes "What actually happens when you install adware/spyware/malware? Follow the Bouncing Malware examines what's downloaded, redirected, and obfuscated. A fascinating read. (Part two was postponed in order to cover a new My Doom variant.)"
Why is this YRO and not IT? (Score:0, Informative)
No spyware here (Score:2, Informative)
I switched to Mozilla about 2 months ago and not only do I never get spyware cookies due to its easy-to-use cookie blocking and plugins, but it's so much better in many respects. I still have to use IE on some pages that contain video files, and I do have a few gripes, but overall it's much better and lets me control my internet experience on many more levels.
Re:firefox testimonial (Score:4, Informative)
Re:malware honeypot? (Score:3, Informative)
We all know how well that worked.
Face it: malware is the new spam, and it is a lot harder to detect & isolate. OS X & Linux users may be safe for now since the problem has moved from the mail server to the client machine, but it is only a matter of time until Java malware shows up.
The ONLY solution is keeping the OS secure, the firewall tight and the user aware not to click bogus utilities. That and a network wide hosts file that redirects a lot of crap.
Working version (Score:2, Informative)
Working version of the article (for now): http://isc.sans.org/diary.php?date=2004-07-23 [sans.org]
Re:Even Sevens (Score:2, Informative)
Re:Mozilla Firefox - it solves most problems.... (Score:1, Informative)
Just not IE! (Score:5, Informative)
I've been using Opera since v5.x and have never looked back. Lately I've seen a lot of improvement in Firefox but they are still playing catchup with Opera.
For whatever reason Opera only seems to get a nod here when it should be getting a lot more, but c'est la vie. I personally will continue to support Opera until they sell out or whatever, but I hope that they, and everyone else, realize that having a marketplace full of a few, maybe even many different browsers will only help everyone in the long run.
Currently I am installing Firefox for people who just need to use anything but IE; mostly end users. For a power user however Opera is the way to go.
Re:Spyware is just another form of a virus (Score:4, Informative)
A program that can infect other programs by modifying them to include a possibly evolved copy of itself.
"A parasitic program written intentionally to enter a computer without the user's permission or knowledge. The word parasitic is used because a virus attaches to files or boot sectors and replicates itself, thus continuing to spread. Though some viruses do little but replicate, others can cause serious damage or affect program and system performance. A virus should never be assumed harmless and left on a system." -- Symantec
Get your terminology straight. If it doesn't infect other software, it is not a virus. Your argument is like saying malnutrition is a virus because it makes you sick.
Startup Cop (Score:4, Informative)
I avoid spyware by... (Score:3, Informative)
Re:I avoid spyware by... (Score:2, Informative)
You really need to take a look at some of the vulnerabilities in IE. You don't have to click any popup or banner ads; they can install whatever they want just because the ad popped up in the first place. Did you RTFA? This particular spyware infection started by opening a popup frame that was 1 pixel by 1 pixel; you wouldn't even know that something had popped up, let alone have to click on it. Then it used a
Look, the most telling quote in the whole article is:
and it is strictly because you are running IE and Windows!
Re:Startup Cop (Score:5, Informative)
First, get HijackThis. If you're not very familiar with Windows internals, run it on a couple of clean systems to get a feel for what should be there.
If it isn't being blocked by some really nasty spyware, AdAware or one of those is a good first step to remove the easy stuff before you tackle the hard stuff.
Now, run HijackThis on the infected computer. It will take some practice to learn what is bad and what isn't, but some things will be obvious. In the case of TVM, there will be a startup item (O4, IIRC) for tvm.exe, a URLSearchHook for tvmbho.dll, and a bunch of BHO entries for randomly named 'ms????.dll', and possibly a few more DLLs in the system32 directory. (I haven't personally ever seen a valid BHO entry, but YMMV.) The important thing to do here is to make a list of files to delete in the next step. At this point you can check the suspicious entries and click 'Fix', then re-scan the computer and see how many of them come back. In the case of TVM, several of them will, most notably the tvm.exe startup item. Killing tvm.exe won't help with this, either.
Now, on to removing hard files. In this case, tvm.exe is hard because it loads with explorer so it's always 'in use'. A couple of the ms????.dll files are hard because they are in use and/or get replaced on reboot by tvm.exe if they're gone. There are three methods to remove these.
First, safe mode. This is easy, albeit time consuming waiting for reboots, but doesn't work for all files. (In TVM's case, it works.) Just reboot into safe mode and delete each file on your list, then use HijackThis to remove the registry entries.
Second method. Faster if you're a decent typist, works for files (like tvm.exe) that hide their process inside explorer.exe so you can't kill them. Open a command prompt and task manager. Use task manager to kill any visible tvm.exe (or whatever) tasks, then kill explorer.exe. Your shell goes away. Use the command prompt to delete the files, then run HijackThis and remove the registry entries. (You can re-run explorer from the prompt when you're done.)
Third method. Slow, complicated, but works for files that can't be deleted by either of the other two methods. This method also works remotely through most desktop-sharing type connections, unlike the other two. Once you've figured out where the files are being launched from (HKLM\Software\Microsoft\Windows\CurrentVersion\Run in TVM's case), open regedit and go to that key. (NOTE: If you're using Windows 2000, you'll need to use regedt32 instead of regedit, but the rest of the process is similar.) Click on the key (the entire folder, not the individual entry) and choose Permissions from the File menu (or right-click menu in XP). Now you need to deny access to Everyone for that key. If you're not familiar with permissions, the exact steps are to click 'Add', type 'Everyone' as the name, hit 'OK', hit 'Advanced', highlight the 'Everyone' entry and hit 'Edit', then check the 'Deny' column next to 'Full Control', then OK out. Reboot. The files won't load (and neither will any of the other startup items in that registry key), so you can delete them and run HijackThis freely. When you're done, run the registry editor again, and in the permissions window for the key in question just click on your 'Everyone' entry and click 'Remove', then reboot one more time.
Hope that helps, and good luck.
Re:I avoid spyware by... (Score:1, Informative)
1: Not visiting porn sites.
BARMP!!! Does the 'look-a-like' Yahoo site look like a pr0n site to you?
2: Not going to the default homepage network.
Thanks for playing! Your default homepage doesn't matter an iota.
3: Not downloading and installing Kazaa or P2P apps of that ilk.
Obviously you've never heard of Web Bugs [eff.org]
4. Not clicking on any popup or banner ads.
Goto #3.
5. Never agreeing to install any software as a result of visiting a web site, unless it's Macromedia, Apple or Microsoft.
Just not getting it are we? Goto #3.
Your Internet experience of "ignorance and bliss" is just that. This stuff is out there, it's rampant and guess what.... it thrives because of the ignorance/bliss/don't care attitudes of people like you. PERIOD
Wake up! One of these days - you'll find your computer and all the real value (DATA) destroyed or worse STOLEN because of this menace.
REGMON and FILEMON (Score:3, Informative)
SysInternal [sysinternals.com]
to get utilities like REGMON and FILEMON.
While people have used them for other purposes (for example, figuring out where shareware stores dates), they can be useful tools against spyware too.
Run them before doing anything you think MAY be dangerous, and you'll be able to see spyware activities right in front of your eyes.
Re:firefox testimonial (Score:2, Informative)
pac file [schooner.com]
I use it in addition to a decent hosts file. I even combined the two. That way the freaking browser doesn't even ASK to be nuked. Before a popup blocker was put into Mozilla and IE this is what I used. I rarely saw a popup, and my spyware count went to 0. Sometimes it pukes on itself, but someone was kind enough to put in a 'turn it off for now' thing. Which is kind of cool, as with a hosts file you have to move it out of the way then back when done. There is also a plugin for Mozilla I believe that does something similar. But for someone who has to use both it's pretty easy to keep running.
The reason I like the PAC thing a little better is that it snags whole domains. Whereas a hosts file only gets one site. Also sometimes you want to go to one site but not part of that site. It's pretty powerful...
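As an added example (not the schooner.com file linked above, and not code from the commenter), here is a small proxy auto-config file that does what the comment describes: whole-domain blackholing, which a hosts file cannot do, a per-path rule for a site you otherwise want to reach, a "turn it off for now" switch, and a hosts-file snippet folded into the same list. Every domain name below is a constructed placeholder, the blackhole target is the discard port on localhost, and the file uses its own helper functions instead of the PAC builtins dnsDomainIs/shExpMatch so it runs under Node as well as in a browser's PAC engine.

```javascript
// Added example of a proxy auto-config (PAC) file. The browser calls
// FindProxyForURL(url, host) for every request; answering with a proxy that
// nothing listens on makes the request fail fast and silently.
// All names here are constructed placeholders, not real ad networks.

var BLACKHOLE = "PROXY 127.0.0.1:9"; // discard port; nothing listens there
var DIRECT = "DIRECT";

// Whole domains to blackhole: matches the name and every host under it.
var BLOCKED_DOMAINS = ["ads.example", "tracker.example"];

// Paths to blackhole on a site you otherwise want to reach.
var BLOCKED_PATHS = [{ domain: "news.example.org", prefix: "/adserver/" }];

// Constructed sample of a blocking hosts file, to show the two lists combined.
var HOSTS_FILE_SNIPPET =
  "# constructed sample, not a real hosts file\n" +
  "127.0.0.1 localhost\n" +
  "127.0.0.1 counter.example.org\n" +
  "0.0.0.0   pixel.example.net   # web bug\n";

// Pull the blackholed names out of hosts-file text (127.0.0.1 / 0.0.0.0 lines only).
function hostsFromHostsFile(text) {
  var out = [];
  var lines = text.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].replace(/#.*$/, "").trim();
    if (!line) continue;
    var parts = line.split(/\s+/);
    if (parts[0] !== "127.0.0.1" && parts[0] !== "0.0.0.0") continue;
    for (var j = 1; j < parts.length; j++) {
      var name = parts[j].toLowerCase();
      if (name !== "localhost" && out.indexOf(name) < 0) out.push(name);
    }
  }
  return out;
}

// Exact host names, equivalent to hosts-file entries (no subdomain coverage).
var BLOCKED_HOSTS = hostsFromHostsFile(HOSTS_FILE_SNIPPET);

// The "turn it off for now" switch: nothing has to be moved out of the way.
var enabled = true;
function setEnabled(flag) { enabled = !!flag; }

// Own helpers instead of the PAC builtins dnsDomainIs/shExpMatch, so the file
// also runs under Node; PAC engines accept plain JavaScript functions as well.
function domainIs(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

function pathOf(url) {
  var i = url.indexOf("://");
  var rest = i >= 0 ? url.slice(i + 3) : url;
  var slash = rest.indexOf("/");
  return slash >= 0 ? rest.slice(slash) : "/";
}

function FindProxyForURL(url, host) {
  if (!enabled) return DIRECT;
  var h = host.toLowerCase();
  var i;
  for (i = 0; i < BLOCKED_HOSTS.length; i++) {
    if (h === BLOCKED_HOSTS[i]) return BLACKHOLE;
  }
  for (i = 0; i < BLOCKED_DOMAINS.length; i++) {
    if (domainIs(h, BLOCKED_DOMAINS[i])) return BLACKHOLE;
  }
  // Caveat: current browsers strip the path from https:// URLs before calling
  // FindProxyForURL, so path rules only take effect for plain http://.
  var p = pathOf(url);
  for (i = 0; i < BLOCKED_PATHS.length; i++) {
    if (domainIs(h, BLOCKED_PATHS[i].domain) && p.indexOf(BLOCKED_PATHS[i].prefix) === 0) {
      return BLACKHOLE;
    }
  }
  return DIRECT;
}
```

Note the asymmetry the comment points at: a hosts-file entry for pixel.example.net blocks exactly that name and nothing under it, while one BLOCKED_DOMAINS entry covers cdn.ads.example and every other host under ads.example. The suffix check in domainIs includes the leading dot on purpose, so notads.example is not caught by the ads.example rule.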