Understanding the Unscrupulous
How do these programs get on my computer!?! Why do they keep coming back!?!
Spyware and malware evolved from websites that wanted more information about their visitors than cookies and browser requests could tell them. The intention was good, but somewhere along the line the good turned evil. Now these programs are added to your PC without your consent and/or knowledge. They learn your habits by monitoring and logging your website usage, and typically report that usage back to someone. They also try to cater to your "needs and wants" by putting pop-up advertisements on your PC, figuring you may be interested. They are seldom correct, and most force their advertising on you whether you want it or not. These programs make the spyware maker money, and most do it deceptively. Often you will find that the "OK" and "Cancel" buttons do the exact same thing, when they are not supposed to. No matter which button you click, you're sending a "hit" to the advertiser and making them money, as hits and this type of traffic are what their pay is based on. Even the "X" that closes the popup can be set to generate a hit in their favor.
ClearSite Network Management System
ClearSite is a complete frontend to RRDTool, and so much more. Here is a quick list of its capabilities as of this release, 7-01-2008.
- Windows Domain/LDAP login system
  - No need for a secondary login; simply use your AD domain or LDAP login
- Real-time Ajax search for:
  - IP, MAC address, CSS content rule/owner/service
- Graphing and detailed information for:
  - Port statistics, port speed/duplex, host IP, host MAC address, port VLAN, port location, port status
  - Content rule/owner/services
- Automatic/dynamic discovery and maintenance of:
  - Router/switch interfaces/ports, memory and CPUs
  - CSS content rules, owners, services, memory and CPUs
  - Trunked ports and CDP neighbors
Internet Explorer: A.K.A. Infested Explorer
ActiveX is the main vector for Spyware to enter your machine without your knowledge. ActiveX is tightly integrated into IE and probably will not go away anytime soon. Microsoft has known since '96 or '97, and has stated, that ActiveX was never designed with any real security or authentication. People who start writing ActiveX programs can instantly see how lax the security is; this posting by an ID Software programmer is a startling example of what many of us already know.
- NOTE: ActiveX isn't the only entrance point for Spyware or other pests, but it does appear to be the entrance of choice. Scripts are another vector for getting spyware onto a PC, but for the most part they are easier to spot.
This is a great article discussing the upcoming full release of IE7. It mentions things like lowering your privileges to help mitigate, as well as M$ turning off certain ActiveX controls. Page 1 and Page 2
Here is a recent comparison between Firefox and IE done by two University of Washington professors, indicating that IE is 21% more likely to be infected.
I've got Spyware; how do I get rid of it, and prevent this in the future?
Getting rid of Spyware can be a hard task. We are not going to go into how to remove all spyware, but we are going to show you how to use good tools to get the job done as well as they can. There are also different steps to follow depending on the Windows OS you're using. We are also going to outline some best practices to keep Spyware from coming back in the future.
Tools of the Trade: Anti-Spyware and Anti-Virus Software
Below are the recommended Anti-Spyware and Anti-Virus software that Xinn.org implements and uses for its customers.
- Ad-Aware: LavaSoft's Ad-Aware is one of the best free removal tools available!
- Spybot Search and Destroy: Spybot is also very, very good to use.
- Microsoft's Anti-Spyware: This tool from Microsoft is useful, however not as up to date as the others.
- McAfee Internet Security Suite: This suite of tools is wonderful, but not free :(
Removal on XP Pro or Windows ME
Windows XP and Windows ME have a feature called System Restore. System Restore is meant to help users in case something happens to the PC during normal operation, or after a recent upgrade or service pack/hotfix has been applied; it's intended to allow you to "roll back" the PC to the previous (working) state. In our experience, System Restore points need to be well maintained in order for this to work properly. And even then, in our experience anyway, the product doesn't work as well as one would hope. Be that as it may, System Restore backs up files and settings on your machine a few times a day. If you were to get a virus or Spyware, and it was on your system for any length of time, chances are that System Restore backed those pests up. And if you cleaned those pests off your PC, upon reboot you'd find that System Restore has placed them back on the PC again. You must delete the System Restore point in order to purge those files from your system completely. Safe Mode or Last Known Good Configuration will not be able to assist you in cleaning Spyware or viruses from your PC if the system has backed these files up to the _Restore folder.
This article here describes how Anti-Virus tools cannot access this folder, and therefore cannot clean it. Despite claims made in this document and others that your AV could catch the files when they are being written back to a folder during a restore, we maintain that your AV will not, as the restore is done as the OS is booting up, before your AV becomes active. Here are the instructions from the two top AV companies on how to turn System Restore off: McAfee, Norton
Once System Restore is OFF, you can then proceed to clean the PC of Spyware or viruses. Remember to reboot after you've cleaned the PC, and if you wish, System Restore can be re-enabled. WE RECOMMEND LEAVING SYSTEM RESTORE OFF. By default System Restore takes 10-12% of EACH hard drive or partition in your computer. If you have more than one partition or drive, you will have two or more restore repositories that should be turned off. If you don't have XP Pro or Windows ME, you can simply run the tools above and get rid of most of the pests. Each vendor has a different database of pests, and no one will ever have a complete and total list, nor will they be able to find each and every piece of spyware on your PC, but if you adhere to the guide below, you may never have to worry about Spyware for a long, long time!
Preventing Future Infestations: Best Practices and Alternate Browsers
In our opinion, turning off ActiveX and messing with the scripting security settings in IE is not good enough, and/or causes too many problems for many users. Our advice is to use an alternate browser altogether, and should you need to access a site that requires ActiveX to work properly, such as Windows Update or Office Update for example, then use IE for that. For any sites that do not require ActiveX to work properly, which is 99% of them in our estimation, use an alternate browser such as Firefox, Netscape, or Opera. Perhaps the overall best security measure you can take is to follow the number one best practice that applies to all OSs: do day-to-day activities as the lowest-privileged user/account you can. We have written a best practice document here:
- Best Practices: Understanding Group Privileges, Access, and Security Restrictions
If you're running as an administrator for your day-to-day tasks, you're asking for trouble. Admin groups and accounts are intended for administration purposes only, so if you're not installing software or making system-wide changes, chances are you do not need to run as an Admin. There are of course exceptions to this rule; Microsoft has a good list of programs reported not to function unless running with elevated privileges. Have a look at our RunAs VBScripts if you have programs that you use often that require such privileges.
What is a RootKit? Who would give me such a thing?
A RootKit is a piece of software capable of intercepting data sent to/from the processor and/or RAM of your PC. Rootkits are able to hide themselves from detection because they can intercept all data that passes through the kernel, and manipulate that data in any fashion they see fit. For an attacker, these rootkits are the ultimate tools to install on a system. They are hard to detect, difficult to remove, and unless they are poorly coded they will likely remain on the PC for its life.
The problem with Sony's rootkit, and even its patch, is the fact that it's able to be used by others besides Sony. Once the rootkit is installed (it requires ADMIN privileges to work, by the way), any program whose name you add $sys$ to, or any registry key/value whose name you prefix with $sys$, will become hidden!! Please read the article from the Sysinternals Blog; here is an excerpt:
- I studied the driver's initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with "$sys$". To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view. Besides being indiscriminate about the objects it cloaks, other parts of the Aries code show a lack of sophistication on the part of the programmer.
We've added our predictions and opinions here on this page with regard to "Sony's rootkit": Sony, what were they thinking?
Rootkits, including Sony's, require Administrator rights to be installed. As we've covered before, unless you're doing an administrative task, you shouldn't need administrator privileges. There are numerous tools out there to help you detect rootkits; they require a good deal more interaction than your typical spyware tool, which is hard enough. You need to read and understand the instructions for rootkit detection and removal. We recommend you create backups of your valuable data before proceeding with rootkit removal.
- RootkitRevealer - by Sysinternals
- BlackLight - by F-Secure
- IceSword (English version) - by "pjf_" of Xfocus.net?
- FLister - by joanna at invisiblethings.org
Use caution when you're using any of the tools on this page!!!! Make backups often!
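A small self-check in the spirit of the Notepad experiment quoted from Sysinternals above, written as an added example for this page rather than code from Xinn.org, Sysinternals or any of the tools listed: it drops a harmless file carrying the $sys$ prefix next to a plain control file and reports whether the directory-listing API still shows it. On a clean machine nothing is cloaked; a driver that hooks directory enumeration the way the excerpt describes would leave the file openable by its full name yet missing from the listing. The prefix constant, file names and result keys are this example's own choices.

```python
import os
import tempfile

# Name prefix the Aries driver cloaks, per the Sysinternals excerpt above.
CLOAK_PREFIX = "$sys$"

def check_cloak(directory, prefix=CLOAK_PREFIX):
    """Drop a harmless canary named with `prefix` and report whether the
    directory-listing API still shows it. Clean system: every flag True.
    Enumeration hook (Aries behaviour): direct_open True, listed False.
    control_listed False means listing itself failed: inconclusive."""
    control_name = "canary.txt"          # plain name: proves listing works
    canary_name = prefix + control_name  # cloaked name under test
    paths = [os.path.join(directory, n) for n in (control_name, canary_name)]
    for p in paths:
        with open(p, "w", encoding="ascii") as fh:
            fh.write("canary\n")
    try:
        names = set(os.listdir(directory))
        control_listed = control_name in names
        listed = canary_name in names
        # Opening by full path bypasses enumeration, so it still succeeds
        # when a hook hides the name from listings.
        try:
            with open(paths[1], encoding="ascii") as fh:
                direct_open = fh.read() == "canary\n"
        except OSError:
            direct_open = False
    finally:
        for p in paths:  # removal by full path also bypasses the cloak
            try:
                os.remove(p)
            except OSError:
                pass
    return {
        "control_listed": control_listed,
        "listed": listed,
        "direct_open": direct_open,
        "cloak_suspected": control_listed and direct_open and not listed,
    }

def run_check():
    """Run check_cloak in a fresh temporary directory, then remove it."""
    tmp = tempfile.mkdtemp(prefix="cloakcheck-")
    try:
        return check_cloak(tmp)
    finally:
        os.rmdir(tmp)
```

Point `check_cloak` at a directory on the system drive (not a temp folder) to test the location where such a driver would be active; a "cloak_suspected" result is a reason to run the dedicated detectors listed above, not proof on its own.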