Fighting Malware
I've spent the last two days trying to recover what should be mine to begin with: my web browser and its settings, my system and how it acts, my bandwidth and how it's used. I have yet to find the source of where it all began, but little problems kept creeping in day after day. At first I could ignore them, like when I rebooted and my homepage was reset to www.searchnet.net even though I set it to google.com through IE (Internet Explorer) options, and on top of that, I regedited it and it still reset. The next day a couple of porn windows popped up out of nowhere and kept doing so over the course of the week. Then, one day when my system was running slow, I looked @ my processes list and noticed there were a few browsers open that I hadn't opened. They didn't appear on my taskbar and they used the minimal amount of memory IE could (a little under 9k). From there I had had enough...and went to fix my system. (For all you 1337 people out there, of course I shouldn't be surfing with IE, and the easy fix was to surf with a different browser, which I will, after I fix IE; it's a challenge now.)
Let's get moving to what you're wasting your time reading this for: what to do to keep your machine from having the same problems. First of all, let me clarify the differences in today's 'malware'. Malware is an all-encompassing term, the combination of the words 'malicious software', and ranges from web bugs to full-fledged trojan horses. In this brief tutorial I'll be concerning myself with adware and spyware.
Adware:
Adware is again the combination of two words, 'advertising software'. Normally adware comes bundled with legit freeware programs. The price you pay for the program is seemingly nothing; that's why it's called freeware. The way the creator of the program generates revenue for himself is with the adware. Adware will install with the freeware program, and if you try to uninstall the adware the program may cease to work. Adware will normally install components on your machine and transmit marketing information whenever you are online. If you find the banners annoying, there's usually an option to *upgrade* to the non-freeware version which, along with some other minor changes, will rid you of all the adware. The main difference between adware and spyware is that adware contains a disclosure telling you that they will be using your information. If you're worried about such things, which you should be, some of the most downloaded programs, such as Kazaa (or any p2p for that matter), tend to contain the largest amount of adware/spyware.
Spyware:
Spyware essentially is the same thing as adware in the sense that it collects information from your computer, but spyware does it without the end user's prior knowledge. In the beginning this wasn't too big of a deal; all that it kept track of was benign marketing information, what you buy and where you buy it. Lately, though, this form of malware has grown to target what music ads it forces in your face, what web pages it links you to without your consent, and, at the extreme, installing programs, however small, without your consent. Spyware does not respect your privacy in any way, shape, or form. There is nothing in the terms of agreement or EULA that would have warned you of the spyware you were installing, and sometimes spyware is installed simply by visiting a web site. You don't have to download anything. (I should clarify: you may download something, but you didn't agree to it. You went to a site to browse, some malicious code was executed, and before you know it you begin having the little quirky problems I did, and it's a pain in the arse to get rid of.) Another problem I have with spyware isn't the transmitting of my personal data, I couldn't care less, but it is illegal in the United States to gather information, benign or not, from children under thirteen years of age without a parent's consent. There is no way for the program to know who is surfing, and when a naked midget chained up to another naked midget chained up to Iggy Pop on steroids pops up for all to see, it makes for some angry parents.
Some common habits of spyware:
- Collects information from your computer without your knowledge and/or consent
- Transmits a unique code to identify you (for tracking purposes) without your knowledge and/or consent
- Collects/transmits information about your computer use or other habits without your knowledge and/or consent
- Installs itself on your computer without your knowledge and/or consent
- Keeps reinstalling itself, no matter how many times you remove it
- Performs other unwholesome duties without your knowledge and/or consent
Keeping your machine malware free:
Thanks in good part to Steve Gibson of www.grc.com and his OptOut program (which is no longer available for download, but he does have an up and coming program, labeled the GRC NetFilter, which looks to combine features of firewalls, adware/spyware destroyers, anti-virus and more into one program -- if everything turns out right, it will be quite impressive) we have over the years come a long way. He was one of the first to create a program to search out adware, and from there our good friends at Lavasoft, http://www.lavasoft.de, took up where he left off and created a great program to detect and take care of adware, properly dubbed Ad-aware. For the direct download go here (as of 11/10/03). This is a straightforward program: install it, have it scan your entire system, and you might be amazed how many web tracking bugs, cookies, and 'attempted browser hijacking devices' are detected, depending on how clean you keep your system.
Ad-aware is the first step, a good program, but it doesn't do anything overly exciting in my opinion (as it is aimed more at adware than spyware). The latest and greatest of programs I like is called Spybot Search & Destroy. Spybot S&D, http://www.safer-networking.org, is used to detect and remove all sorts of spyware from your system. The direct download for the latest version can be found here. It is another straightforward program with a nice interface, and if you take a few minutes to read what it offers it is an enormous help.
The last program I'm going to link you to takes a little more knowledge to know what to do with the results. It's called HijackThis and can be found for download here. HijackThis examines key areas of the registry and hard drives and lists their content for you to review. It is then left up to you to decide what to do with the results, so be careful: if you don't know what you're doing, don't remove it. You could end up removing things that legitimate programs need to run. I suggest posting your results on a computer security forum for help if you don't know what to do. http://www.phorce.co.uk/forums/ will be sure to take care of you ;o) (tell them I sent you, you'll get a real special welcoming I'm sure)
I'm going to end it right there, there's a lot more to go into, such as scumware, trojanware, and yes, something called 'drug dealer ware'. That's enough to take care of probably 95-99% of the problems currently caused by adware/spyware. If you still are having problems, again, post on your favorite computer security site. Also, and maybe I will revise this tutorial after some feedback is given, programs such as tcpview (http://www.softpedia.com/public/cat/10/7/10-7-12.shtml) or procview32 (http://www.freedownloadscenter.com/U...rocView32.html) can also be used in combination with knowledge and other programs as a powerful way to fight off unwanted malware. Lastly, http://www.cexx.org/ looks like it might be an interesting site to check in on if malware concerns you, other than that, google it.
Star****ers|Inc
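
The HijackThis review step described above, as an added example that is not part of the original post or of HijackThis itself: it sorts a saved log into a shortlist for a human to check and removes nothing. The log lines are constructed in the "code - detail" layout HijackThis uses (R0/R1 for IE pages, O2 for browser helper objects, O4 for autoruns); the `triage` function and both allowlists are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in the "<code> - <detail>" layout of a HijackThis log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnet.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\example.dll
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

LINE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
PAGE = re.compile(r",([^=,]+?) = (\S+)$")        # ",<value name> = <url>"
RUN = re.compile(r"Run\w*: \[([^\]]+)\] (.+)$")  # "Run: [<name>] <command>"


def triage(log_text, trusted_hosts, known_autoruns):
    """Return (code, reason, line) for entries a human should review.

    Nothing is removed or changed: the output is a shortlist, and the
    allowlists are assumptions supplied by whoever knows the machine.
    """
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        code, detail = m.groups()
        if code in ("R0", "R1"):            # IE start/search page values
            page = PAGE.search(detail)
            host = (urlparse(page.group(2)).hostname or "") if page else ""
            if page and host.lower() not in trusted_hosts:
                findings.append((code, f"{page.group(1)} -> {host}", raw.strip()))
        elif code == "O4":                  # programs started at logon
            run = RUN.search(detail)
            if run and run.group(1).lower() not in known_autoruns:
                findings.append((code, f"unknown autorun {run.group(1)}", raw.strip()))
        elif code == "O2":                  # browser helper objects
            findings.append((code, "browser add-on, verify its DLL", raw.strip()))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG, {"www.google.com"}, {"ctfmon.exe"}):
        print(f"[{code}] {reason}\n      {line}")
```

A start page that keeps coming back after a manual registry edit, as in the opening paragraph, usually means one of the O2 or O4 entries is rewriting it at startup, so the flagged lines are best read together.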
