[unisog] Re: Initial Observations of the Microsoft AntiSpyware Beta1

David Foster foster at ncmir.ucsd.edu
Fri Jan 7 18:19:56 GMT 2005


Sorry if I missed something, did you try SpyBot or Ad-Aware on
this threat?

Dave


> X-Umn-Remote-Mta: [N] eckman.oitsec.umn.edu [160.94.247.245] #+LO+TS+AU+HN
> Date: Thu, 06 Jan 2005 15:22:48 -0600
> From: Brian Eckman <eckman at umn.edu>
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) 
Gecko/20040910
> X-Accept-Language: en-us, en
> MIME-Version: 1.0
> To: UNIversity Security Operations Group <unisog at lists.sans.org>
> X-Enigmail-Version: 0.86.1.0
> X-Enigmail-Supports: pgp-inline, pgp-mime
> Content-Transfer-Encoding: 7bit
> X-Mailman-Approved-At: Thu, 06 Jan 2005 21:37:57 +0000
> Subject: [unisog] Re: Initial Observations of the Microsoft AntiSpyware Beta1
> X-BeenThere: unisog at lists.sans.org
> X-Mailman-Version: 2.1.5
> List-Id: UNIversity Security Operations Group <unisog.lists.sans.org>
> List-Unsubscribe: <http://www.dshield.org/mailman/listinfo/unisog>, 
<mailto:unisog-request at lists.sans.org?subject=unsubscribe>
> List-Archive: <http://www.dshield.org/pipermail/unisog>
> List-Post: <mailto:unisog at lists.sans.org>
> List-Help: <mailto:unisog-request at lists.sans.org?subject=help>
> List-Subscribe: <http://www.dshield.org/mailman/listinfo/unisog>, 
<mailto:unisog-request at lists.sans.org?subject=subscribe>
> X-Spamscanner: mailbox5.ucsd.edu  (v1.5 Dec  3 2004 17:34:44, -0.0/5.0 3.0.0)
> X-Spam-Level: Level 
> X-MailScanner: PASSED (v1.2.8 5563 j06M2tNU035926 mailbox5.ucsd.edu)
> 
> Sorry for replying to my own post, but it turns out that the combination of 
> Microsoft AntiSpyware and SAVCE 9.0 with January 5th defs did *not* remove 
> fully remove the threat I gave it. About about 30 minutes of silence after 
> a reboot, Microsoft AntiSpyware popped up alerts about an "Unknown Internet 
> Explorer Toolbar" that needed approval for installation.
> 
> That figures, as this threat appears to be fairly new and advanced. I know 
> one person who downloaded it and unpacked it reported that it had run 
> itself automatically upon unpacking.
> 
> I don't expect other products would have handled this better. At least it 
> did alert when the program "woke up" and tried to spread its evil again...
> 
> Brian
> 
> Brian Eckman wrote:
> 
> > Most of you have probably already heard that Microsoft released a public 
> > beta of their AntiSpyware product, developed by Giant Software Company 
> > (which Microsoft recently bought). Here is the URL for this beta:
> > http://www.microsoft.com/athome/security/spyware/software/default.mspx
> > 
> > I've just started playing with it (it just came out), and have a few 
> > things I thought I'd share.
> > 
> > It created about 1400+ registry entries while installing. Several of 
> > them still refer to "GiantCompany". (Not a surprise - Symantec still 
> > uses the "Intel LANDesk" registry stuff for their Corporate Edition 
> > AntiVirus, after all....)
> > 
> > It came with definition files dated January 4, 2005. I tried to check 
> > for updates, and it said there were none. Not surprising, except running 
> > packet capture software in the background revealed why - the URL at 
> > giantcompany.com that it accessed in order to check for updates returned 
> > a 404 ("Not Found") error. Oops... :)
> > 
> > Of course, the packet capture software I used to determine this relies 
> > on WinPCap. The AntiSpyware software flagged WinPCap. However, it gave a 
> > good explanation of why it flagged it, it called it a "low" risk threat, 
> > and the default action was to "ignore" it.
> > 
> > Subsequent scans continued to flag WinPCap, even though I had chosen 
> > "ignore" several times in the past. I then discovered there is an option 
> > called "ignore always". That option did appear to function as I'd 
> > expect, as a future scan did not flag it.
> > 
> > Upon install, Microsoft AntiSpyware asks you if you want to be a part of 
> > "SpyNet". Microsoft is apparently trying to make you feel as though you 
> > are part of some spyware-busting community, while in reality, at least 
> > at first glance, it just appears to offer you an easy way to report 
> > spyware infections to them via this software. However, when I tell it to 
> > inform this SpyNet, it tries to talk to an IP address over port 80/tcp 
> > that is apparently not currently listening on that port. So, the end 
> > user feels like they did a Good Thing by submitting this to them, when 
> > in fact, the submission went into the Bit Bucket without any 
> > notification to the client.
> > 
> > (Of course, this is Beta software, so perhaps the framework for some of 
> > this stuff isn't completed. It was still irritating to discover this. I 
> > would have prefered a notice that SpyNet couldn't be accessed at this 
> > time, with an option to try again at a later time. At least that way, my 
> > "valuable contribution" to SpyNet wouldn't be lost forever.)
> > 
> > So, I took a test machine and downloaded and ran a current, really nasty 
> > threat, with Microsoft AntiSpyware Beta1 running. The AntiSpyware 
> > software noticed that it tried to install CoolWebSearch (which it called 
> > a "very high" threat), and recommended that I block it. It also noticed 
> > when two unknown Browser Helper Objects (BHOs) tried to be installed and 
> > let me block those. It also notified me of something trying to put 
> > itself in the startup folder, and another thing trying to change my home 
> > page, and another that installed a toolbar in IE, and allowed me to act 
> > accordingly. This all worked pretty well I must say. When I told it to 
> > "remove" the toolbar, it did. (Note: This was all done in real-time 
> > detection.) Literally, IE with a evil toolbar installed did not have the 
> > toolbar there after closing it and opening it again.
> > 
> > Unfortunately, it did not detect all of the spyware that this threat 
> > installed, at least not in real time. It did later complain when the 
> > (still running) spyware attempted to install the BHOs again, and when it 
> > tried to change the IE start page again, so at least it was easy to 
> > detect that it missed something. And, each time that it had told me 
> > about some Spyware that got installed, it asked me to run a full scan, 
> > with a Yes/No button to start it right then. This is good, because many 
> > of the spyware installers install numerous different products.
> > 
> > So, I ran a manual scan, and it found more stuff. It then offered me to 
> > report this to SpyNet. Again, it appeared to have worked, but the packet 
> > capture confirmed the remote IP address simply sending RST packets in 
> > response to the report attempts...
> > 
> > Ultimately, it (sort of) did not detect and remove all of the spyware 
> > installed. After the manual scan, I later received more warnings that an 
> > Internet Explorer toolbar was prevented from being installed (at least 
> > it warned me in real time again!). I wasn't doing anything to cause the 
> > alert, so obviously, something evil remained. I tried a "full system 
> > scan" (not the default), and it did not find the anything that was still 
> > running. However, updated AntiVirus (SAVCE) software doing real-time 
> > detection did detect several things during this full system scan 
> > (because the evil executables were being accessed by the AntiSpyware 
> > scan, so they were all scanned by AV as well), and the combination of 
> > the two did seem to get rid of the threat. I rebooted and did not see 
> > any further signs of virus/spyware activity.
> > 
> > I did not see a method of reviewing (at a later time) which threats it 
> > found via real-time scanning. I could only find a way to see which 
> > threats were found during previous manual scans.
> > 
> > Some other features of the program are not complete yet. For example, 
> > you can click a link for more information about a threat, and it replies 
> > that "The requested information is not currently available".
> > 
> > One other observation - this appears to be a RAM hog. Just running in 
> > the background seemed to take 16 MB of RAM. Launching the application to 
> > do things with it added to that significantly. (While running a manual 
> > scan of the hard drive, I observed about 40 MB of RAM in use in total by 
> > the software's various components. This was one observation, and isn't 
> > scientific at all. YMMV.)
> > 
> > Another thing. It flags you each time you try to run a "script file", 
> > such as a batch file. You can tell it to allow it or block it, and check 
> > a box "remember this action". Checking that box seems to only affect the 
> > specific batch file in its specific location. Moving it or renaming it 
> > and launching it again will cause the prompt.
> > 
> > I did not try to determine how easily this software could be disabled by 
> > malicious software. I suspect it would not be terribly difficult, but 
> > don't have any evidence to support my suspicion at this time.
> > 
> > Overall it looks like it could become a solid product. It did remove the 
> > things it said it removed. It did a reasonable job of detecting 
> > spyware-like activity that was being performed by mostly unknown 
> > spyware. I'd say it's certainly something to keep an eye on, if you have 
> > enough RAM to support it.
> > 
> > Brian
> > 
> 
> 
> -- 
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
> 612-626-7737
> 
> "There are 10 types of people in this world. Those who
> understand binary and those who don't."
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog


   << All opinions expressed are mine, not the University's >>

  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   David Foster    National Center for Microscopy and Imaging Research
    Programmer/Analyst       University of California, San Diego
    dfoster[at]ucsd[dot]edu  Department of Neuroscience, Mail 0608
    (858) 534-7968           http://ncmir.ucsd.edu/
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

   "The reasonable man adapts himself to the world; the unreasonable one
   persists in trying to adapt the world to himself.  Therefore, all progress
   depends on the unreasonable."   -- George Bernard Shaw




More information about the unisog mailing list