[unisog] Re: Initial Observations of the Microsoft AntiSpyware Beta1

Brian Eckman eckman at umn.edu
Thu Jan 6 21:22:48 GMT 2005

Sorry for replying to my own post, but it turns out that the combination of 
Microsoft AntiSpyware and SAVCE 9.0 with January 5th defs did *not* fully 
remove the threat I gave it. About 30 minutes of silence after 
a reboot, Microsoft AntiSpyware popped up alerts about an "Unknown Internet 
Explorer Toolbar" that needed approval for installation.

That figures, as this threat appears to be fairly new and advanced. I know 
one person who downloaded it and unpacked it reported that it had run 
itself automatically upon unpacking.

I don't expect other products would have handled this better. At least it 
did alert when the program "woke up" and tried to spread its evil again...


Brian Eckman wrote:

> Most of you have probably already heard that Microsoft released a public 
> beta of their AntiSpyware product, developed by Giant Software Company 
> (which Microsoft recently bought). Here is the URL for this beta:
> http://www.microsoft.com/athome/security/spyware/software/default.mspx
> I've just started playing with it (it just came out), and have a few 
> things I thought I'd share.
> It created about 1400+ registry entries while installing. Several of 
> them still refer to "GiantCompany". (Not a surprise - Symantec still 
> uses the "Intel LANDesk" registry stuff for their Corporate Edition 
> AntiVirus, after all....)
> It came with definition files dated January 4, 2005. I tried to check 
> for updates, and it said there were none. Not surprising, except running 
> packet capture software in the background revealed why - the URL at 
> giantcompany.com that it accessed in order to check for updates returned 
> a 404 ("Not Found") error. Oops... :)
> Of course, the packet capture software I used to determine this relies 
> on WinPCap. The AntiSpyware software flagged WinPCap. However, it gave a 
> good explanation of why it flagged it, it called it a "low" risk threat, 
> and the default action was to "ignore" it.
> Subsequent scans continued to flag WinPCap, even though I had chosen 
> "ignore" several times in the past. I then discovered there is an option 
> called "ignore always". That option did appear to function as I'd 
> expect, as a future scan did not flag it.
> Upon install, Microsoft AntiSpyware asks you if you want to be a part of 
> "SpyNet". Microsoft is apparently trying to make you feel as though you 
> are part of some spyware-busting community, while in reality, at least 
> at first glance, it just appears to offer you an easy way to report 
> spyware infections to them via this software. However, when I tell it to 
> inform this SpyNet, it tries to talk to an IP address over port 80/tcp 
> that is apparently not currently listening on that port. So, the end 
> user feels like they did a Good Thing by submitting this to them, when 
> in fact, the submission went into the Bit Bucket without any 
> notification to the client.
> (Of course, this is Beta software, so perhaps the framework for some of 
> this stuff isn't completed. It was still irritating to discover this. I 
> would have preferred a notice that SpyNet couldn't be accessed at this 
> time, with an option to try again at a later time. At least that way, my 
> "valuable contribution" to SpyNet wouldn't be lost forever.)
> So, I took a test machine and downloaded and ran a current, really nasty 
> threat, with Microsoft AntiSpyware Beta1 running. The AntiSpyware 
> software noticed that it tried to install CoolWebSearch (which it called 
> a "very high" threat), and recommended that I block it. It also noticed 
> when two unknown Browser Helper Objects (BHOs) tried to be installed and 
> let me block those. It also notified me of something trying to put 
> itself in the startup folder, and another thing trying to change my home 
> page, and another that installed a toolbar in IE, and allowed me to act 
> accordingly. This all worked pretty well I must say. When I told it to 
> "remove" the toolbar, it did. (Note: This was all done in real-time 
> detection.) Literally, IE with an evil toolbar installed did not have the 
> toolbar there after closing it and opening it again.
> Unfortunately, it did not detect all of the spyware that this threat 
> installed, at least not in real time. It did later complain when the 
> (still running) spyware attempted to install the BHOs again, and when it 
> tried to change the IE start page again, so at least it was easy to 
> detect that it missed something. And, each time that it had told me 
> about some Spyware that got installed, it asked me to run a full scan, 
> with a Yes/No button to start it right then. This is good, because many 
> of the spyware installers install numerous different products.
> So, I ran a manual scan, and it found more stuff. It then offered me to 
> report this to SpyNet. Again, it appeared to have worked, but the packet 
> capture confirmed the remote IP address simply sending RST packets in 
> response to the report attempts...
> Ultimately, it (sort of) did not detect and remove all of the spyware 
> installed. After the manual scan, I later received more warnings that an 
> Internet Explorer toolbar was prevented from being installed (at least 
> it warned me in real time again!). I wasn't doing anything to cause the 
> alert, so obviously, something evil remained. I tried a "full system 
> scan" (not the default), and it did not find the anything that was still 
> running. However, updated AntiVirus (SAVCE) software doing real-time 
> detection did detect several things during this full system scan 
> (because the evil executables were being accessed by the AntiSpyware 
> scan, so they were all scanned by AV as well), and the combination of 
> the two did seem to get rid of the threat. I rebooted and did not see 
> any further signs of virus/spyware activity.
> I did not see a method of reviewing (at a later time) which threats it 
> found via real-time scanning. I could only find a way to see which 
> threats were found during previous manual scans.
> Some other features of the program are not complete yet. For example, 
> you can click a link for more information about a threat, and it replies 
> that "The requested information is not currently available".
> One other observation - this appears to be a RAM hog. Just running in 
> the background seemed to take 16 MB of RAM. Launching the application to 
> do things with it added to that significantly. (While running a manual 
> scan of the hard drive, I observed about 40 MB of RAM in use in total by 
> the software's various components. This was one observation, and isn't 
> scientific at all. YMMV.)
> Another thing. It flags you each time you try to run a "script file", 
> such as a batch file. You can tell it to allow it or block it, and check 
> a box "remember this action". Checking that box seems to only affect the 
> specific batch file in its specific location. Moving it or renaming it 
> and launching it again will cause the prompt.
> I did not try to determine how easily this software could be disabled by 
> malicious software. I suspect it would not be terribly difficult, but 
> don't have any evidence to support my suspicion at this time.
> Overall it looks like it could become a solid product. It did remove the 
> things it said it removed. It did a reasonable job of detecting 
> spyware-like activity that was being performed by mostly unknown 
> spyware. I'd say it's certainly something to keep an eye on, if you have 
> enough RAM to support it.
> Brian

Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."
