[unisog] Re: Initial Observations of the Microsoft AntiSpyware Beta1

Brian Eckman eckman at umn.edu
Thu Jan 6 21:22:48 GMT 2005


Sorry for replying to my own post, but it turns out that the combination of 
Microsoft AntiSpyware and SAVCE 9.0 with January 5th defs did *not* fully 
remove the threat I gave it. About 30 minutes of silence after 
a reboot, Microsoft AntiSpyware popped up alerts about an "Unknown Internet 
Explorer Toolbar" that needed approval for installation.

That figures, as this threat appears to be fairly new and advanced. I know 
one person who downloaded it and unpacked it reported that it had run 
itself automatically upon unpacking.

I don't expect other products would have handled this better. At least it 
did alert when the program "woke up" and tried to spread its evil again...

Brian

Brian Eckman wrote:

> Most of you have probably already heard that Microsoft released a public 
> beta of their AntiSpyware product, developed by Giant Software Company 
> (which Microsoft recently bought). Here is the URL for this beta:
> http://www.microsoft.com/athome/security/spyware/software/default.mspx
> 
> I've just started playing with it (it just came out), and have a few 
> things I thought I'd share.
> 
> It created about 1400+ registry entries while installing. Several of 
> them still refer to "GiantCompany". (Not a surprise - Symantec still 
> uses the "Intel LANDesk" registry stuff for their Corporate Edition 
> AntiVirus, after all....)
> 
> It came with definition files dated January 4, 2005. I tried to check 
> for updates, and it said there were none. Not surprising, except running 
> packet capture software in the background revealed why - the URL at 
> giantcompany.com that it accessed in order to check for updates returned 
> a 404 ("Not Found") error. Oops... :)
> 
> Of course, the packet capture software I used to determine this relies 
> on WinPCap. The AntiSpyware software flagged WinPCap. However, it gave a 
> good explanation of why it flagged it, it called it a "low" risk threat, 
> and the default action was to "ignore" it.
> 
> Subsequent scans continued to flag WinPCap, even though I had chosen 
> "ignore" several times in the past. I then discovered there is an option 
> called "ignore always". That option did appear to function as I'd 
> expect, as a future scan did not flag it.
> 
> Upon install, Microsoft AntiSpyware asks you if you want to be a part of 
> "SpyNet". Microsoft is apparently trying to make you feel as though you 
> are part of some spyware-busting community, while in reality, at least 
> at first glance, it just appears to offer you an easy way to report 
> spyware infections to them via this software. However, when I tell it to 
> inform this SpyNet, it tries to talk to an IP address over port 80/tcp 
> that is apparently not currently listening on that port. So, the end 
> user feels like they did a Good Thing by submitting this to them, when 
> in fact, the submission went into the Bit Bucket without any 
> notification to the client.
> 
> (Of course, this is Beta software, so perhaps the framework for some of 
> this stuff isn't completed. It was still irritating to discover this. I 
> would have preferred a notice that SpyNet couldn't be accessed at this 
> time, with an option to try again at a later time. At least that way, my 
> "valuable contribution" to SpyNet wouldn't be lost forever.)
> 
> So, I took a test machine and downloaded and ran a current, really nasty 
> threat, with Microsoft AntiSpyware Beta1 running. The AntiSpyware 
> software noticed that it tried to install CoolWebSearch (which it called 
> a "very high" threat), and recommended that I block it. It also noticed 
> when two unknown Browser Helper Objects (BHOs) tried to be installed and 
> let me block those. It also notified me of something trying to put 
> itself in the startup folder, and another thing trying to change my home 
> page, and another that installed a toolbar in IE, and allowed me to act 
> accordingly. This all worked pretty well I must say. When I told it to 
> "remove" the toolbar, it did. (Note: This was all done in real-time 
> detection.) Literally, IE with an evil toolbar installed did not have the 
> toolbar there after closing it and opening it again.
> 
> Unfortunately, it did not detect all of the spyware that this threat 
> installed, at least not in real time. It did later complain when the 
> (still running) spyware attempted to install the BHOs again, and when it 
> tried to change the IE start page again, so at least it was easy to 
> detect that it missed something. And, each time that it had told me 
> about some Spyware that got installed, it asked me to run a full scan, 
> with a Yes/No button to start it right then. This is good, because many 
> of the spyware installers install numerous different products.
> 
> So, I ran a manual scan, and it found more stuff. It then offered me to 
> report this to SpyNet. Again, it appeared to have worked, but the packet 
> capture confirmed the remote IP address simply sending RST packets in 
> response to the report attempts...
> 
> Ultimately, it (sort of) did not detect and remove all of the spyware 
> installed. After the manual scan, I later received more warnings that an 
> Internet Explorer toolbar was prevented from being installed (at least 
> it warned me in real time again!). I wasn't doing anything to cause the 
> alert, so obviously, something evil remained. I tried a "full system 
> scan" (not the default), and it did not find anything that was still 
> running. However, updated AntiVirus (SAVCE) software doing real-time 
> detection did detect several things during this full system scan 
> (because the evil executables were being accessed by the AntiSpyware 
> scan, so they were all scanned by AV as well), and the combination of 
> the two did seem to get rid of the threat. I rebooted and did not see 
> any further signs of virus/spyware activity.
> 
> I did not see a method of reviewing (at a later time) which threats it 
> found via real-time scanning. I could only find a way to see which 
> threats were found during previous manual scans.
> 
> Some other features of the program are not complete yet. For example, 
> you can click a link for more information about a threat, and it replies 
> that "The requested information is not currently available".
> 
> One other observation - this appears to be a RAM hog. Just running in 
> the background seemed to take 16 MB of RAM. Launching the application to 
> do things with it added to that significantly. (While running a manual 
> scan of the hard drive, I observed about 40 MB of RAM in use in total by 
> the software's various components. This was one observation, and isn't 
> scientific at all. YMMV.)
> 
> Another thing. It flags you each time you try to run a "script file", 
> such as a batch file. You can tell it to allow it or block it, and check 
> a box "remember this action". Checking that box seems to only affect the 
> specific batch file in its specific location. Moving it or renaming it 
> and launching it again will cause the prompt.
> 
> I did not try to determine how easily this software could be disabled by 
> malicious software. I suspect it would not be terribly difficult, but 
> don't have any evidence to support my suspicion at this time.
> 
> Overall it looks like it could become a solid product. It did remove the 
> things it said it removed. It did a reasonable job of detecting 
> spyware-like activity that was being performed by mostly unknown 
> spyware. I'd say it's certainly something to keep an eye on, if you have 
> enough RAM to support it.
> 
> Brian
> 


-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."
