Sunday, June 27, 2004

Spyware and adware... reloaded



Had some (ahem) fun today removing spyware from my kids' wireless laptop. My kids, despite their knowledge and best intentions, have inadvertently polluted their machines with some of the most virulent adware/spyware trojans known to man.

So with two firewalls, virus scanning, AdAware, and SpyBot installed, how do these kids do it? Usually, it's as simple as visiting a nefarious web site with Internet Explorer. The kids know not to accept any downloads, e.g., the ubiquitous "Would you like to download the Super-Mega-Bargain Free Stuff and Cash Back Toolbar with Universal Time-Clock Synchronizer (and a mess o' evil sh*t that will f**k your machine up) application?".

The main approach for getting kids to these sites is through instant messaging aimed (no pun intended) at pre-teens. The black-hat will create a pseudo-funny/entertaining, but entirely malicious, web site and get IM conversations going, either manually or automated, advertising the URL. Soon the URL is being passed among the innocents, and before you know it 40,000,000 machines have been turned into zombies for DDoS attacks or porn-spammers.

The strange thing is, Internet Explorer contributes to this disastrous mess in two completely different ways:

1) It has tons o' nasty exploits (that make it impossible for anyone to keep up); worse yet, some of the patches don't work right or can't be applied. What happens then? Throw the machine into the trash compactor? IE and its components go back to the days of "Writing Solid Code", one of the single biggest drivers of sh*tty software ever. I'll have a full rant on that book when I get some time to outline its egregious mistakes.

2) It supports a (toolbar) extension system that is the first victim of an aggressive spyware/adware vendor. Offhand, I couldn't tell you how to clean up hidden toolbars that have hooked into the underlying HTTP networking layer (called WinInet). But I do know that it's ripe for exploitation. Why can't IE warn the user that an extension has requested installation? Oh, that's right, they don't give a crap.

Anyhow, back to the removal process. When AdAware and SpyBot don't get the trick done, I rely on the tried and true trick of checking out Task Manager to see what's happening. Hmmm... don't like the look of that process: jm39yg12.exe. I kill it. Cool. Uh oh, another process pops up: yz42ely3.exe. You can kill these things off to your heart's content... and they keep coming back.

Okay, I'll hit the registry and find out what's kicking these processes off. The registry editor is a manual configuration tool that lets savvy users change low-level settings. Not for the faint of heart, but the basic "automatic run at startup time" entries are pretty safe. Whoaa... the malware shuts down my machine when I try to run the registry editor.

Okay, restart. Command-line. Copy regedit.exe to a different name. Now I can edit the registry. I find all the favorite places where these *sswipes like to save their stubs and kill them off. One of them is called automove. It's probably the process that keeps spawning off new copies of randomly named tasks that are up to no good. Here's the trick: don't remove the registry entries... just modify the data to point at non-existent processes. In some cases, removing the registry entry doesn't accomplish anything. Some of the checking processes will recreate the registry entries. But they apparently just look to see that the keys are there... but don't validate the data inside the keys.
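The registry trick above, as an added example that is not the post's own code: a Python script that reads the Run-key values from a regedit export, flags entries that point at randomly named stubs or run from a Temp directory, and writes the export back with those values kept but retargeted at a nonexistent path, exactly as the post describes. The sample export, its value names and paths, and the `C:\disabled\...` target are constructed for the example.

```python
import re
# Constructed regedit export of a Run key; names and paths invented to mirror the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"automove"="C:\\WINDOWS\\jm39yg12.exe"
"yz42ely3"="C:\\DOCUME~1\\KID\\LOCALS~1\\Temp\\yz42ely3.exe"
"updater"="C:\\DOCUME~1\\KID\\LOCALS~1\\Temp\\updater.exe"
'''
# A .reg string value is "name"="data"; backslash and quote are escaped with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')
DISABLED_TARGET = r'C:\disabled\does-not-exist.exe'  # hypothetical retarget path
unescape = lambda s: re.sub(r'\\(.)', r'\1', s)

def parse_run_values(reg_text):
    """Return [(value_name, data)] for every string value in the export."""
    matches = [VALUE_RE.match(ln.strip()) for ln in reg_text.splitlines()]
    return [(unescape(m.group(1)), unescape(m.group(2))) for m in matches if m]

def exe_from_data(data):
    """Quoted path, else first token (unquoted paths with spaces are not handled)."""
    data = data.strip()
    return data[1:data.index('"', 1)] if data.startswith('"') else data.split(' ')[0]

def looks_random(filename):
    """Eight lowercase letters/digits with several digits, like jm39yg12.exe."""
    stem = re.sub(r'\.exe$', '', filename, flags=re.I)
    return (len(stem) == 8 and stem.isalnum() and stem.islower()
            and sum(c.isdigit() for c in stem) >= 2)

def audit(reg_text):
    """Map value name -> reason for every entry worth neutralising."""
    flagged = {}
    for name, data in parse_run_values(reg_text):
        exe = exe_from_data(data)
        if looks_random(exe.rsplit('\\', 1)[-1]):
            flagged[name] = 'randomly named executable'
        elif '\\temp\\' in exe.lower():
            flagged[name] = 'runs from a Temp directory'
    return flagged

def neutralise(reg_text):
    """The post's trick: keep each flagged value but point its data at nothing."""
    flagged, out = audit(reg_text), []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m and unescape(m.group(1)) in flagged:
            line = '"%s"="%s"' % (m.group(1), DISABLED_TARGET.replace('\\', '\\\\'))
        out.append(line)
    return '\n'.join(out) + '\n'
```

Running `neutralise` over a real export and importing the result with regedit leaves the watchdog's keys in place while the data they hold launches nothing; entries are only flagged, never deleted, so a false positive costs one edit to put back.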

Anyhow, I have the machine somewhat cleaned up. And whoever wrote the "automove" app: I will hire you. You have a standing job offer.

How can we, the innocent consumer, fight back, even if we're not technically savvy? Easy. Every popup ad you see, note the domain name of the advertiser. I mean make a list of ".com" domains. Create a complaint letter and send it to:

abuse@domain.com, webmaster@domain.com, info@domain.com, sales@domain.com

with your complaint (no threats or viciousness - try something worse: you'll never give them a cent nor will anyone else with whom you're familiar... because you'll be spreading the word that their marketing practices suck).

And, if you can't get rid of the IE junk - here's an easy solution. Download Firefox - it's pretty damn tight.

1 comment:

Anonymous said...

I will love to hear your rants on "writing solid code" in the near future