The battle against spyware... why does it even exist?

[Nebben]

Was there a sudden creation and surge of spyware when XP was released? I don't remember EVER having problems with this kind of stuff in the days of Win95/98.

Windows XP is very stable, which I like, but it's pretty ridiculous that we have to install spyware removal tools and blockers in order to prevent random popup windows and the like. I use FireFox, I have every update from Windows Update installed, I'm running MS Anti-Spyware, I'm running the XP firewall, I don't visit many websites that aren't known to be safe, and I STILL HAVE SPYWARE/ADWARE PROBLEMS.

Am I doing something wrong? Is there some program I'm using that is allowing all of this to enter my system?

I pretty much only use the following:

FireFox
Winamp
Trillian
Quake/Soldat/Other games from reputable companies
Partypoker (I'm suspecting this...)
eMule (I'm suspecting this as well...)

I'm pretty disappointed at the overhead caused by running MS AntiSpyware active protection... I just started trying it out and the RAM usage is like 120MB. That's insane.

I guess I should either switch to Linux or just shut up and take it.



The one question that I seriously cannot think of an answer to:

Why in the hell would anyone waste their time programming adware that merely causes popups on peoples' computers? Are people actually stupid enough to click "Buy spyware protection now!" from a popup that is the cause of their problem?

 

[mechBgon]

Spyware in the form of applications exists because people like money. I saw a statistic that the average spyware-infected PC makes the spyware guys $3 a year per machine. These guys know human nature pretty well... make a really slick set of smilies for your email, or a kewl screensaver, or something called PowerStrip to OC your video card with, and people will download it, click YES to the EULA without reading it... and their work is done. And that's just the scrupulous guys who do it the legal way The general public is just beginning to wake up to the fact that they can't just download and install every shiny thing they see without getting snared, I think.

If you want to shake off spyware/adware:

1) unplug your network cable

2) back up your data (yeah, you see where this is going )

3) nuke it! and reinstall while isolated from wired or wireless networks

4) apply Service Pack 2 and ensure that the Windows Firewall is enabled w/ no exceptions. Enable Data Execution Prevention for all software.

5) install your antivirus software while offline if possible

6) right-click My Computer > Manage > Users & Groups > Users, and right-click each Administrator-class account and give it a strong password like Nebben@AT. This helps prevent easy exploitation of the Administrator powers behind your back.

7) make a Limited account for your daily-driver usage. This alone is a huge help against stuff that's expecting to use your account as a springboard to mess with your Registry, your Windows directory or to install stuff.

8) connect and update your antivirus software right away, then hit Windows Update for the latest updates, then hit Office Update if you have MS Office2000 or later, then install Microsoft Baseline Security Analyzer (search MS for "MBSA") and see if you're missing anything else important.

9) double-check all your antivirus options to ensure it's got everything maxed out, like heuristics, scanning inside compressed files, is running scheduled scans at least once a week and dealing with infected stuff on the spot instead of asking you for a judgement call.

10) don't install anything that could possibly be a vehicle for malware. Like I mentioned above, even stuff like PowerStrip... yeah.

11) Use your Limited account faithfully and if you have pals who will come to visit, make them use a Limited account too. If you have problems with certain software running under a Limited account, you can (1) run it once from an Admin-class account to get it settled in, (2) give Users a full-control clearance to the program's folder if needed, or (3) temporarily make the Limited account an Admin account to get the software settled in if that's what it's wanting. Hopefully this problem is becomming increasingly rare, though, as software companies buy a clue :evil:


HTH

 

[mechBgon]

BTW our work fleet of about 85 PCs has no specific antispyware protection, we just run Limited accounts (called "Restricted-User" accounts in a domain environment or on Win2000) and antivirus software. We don't have spyware getting installed, unless you count tracking cookies maybe. Of course, we don't run eMule, Trillian or PartyPoker either Think about that Limited-account idea.

 

[Nothinman]

Was there a sudden creation and surge of spyware when XP was released? I don't remember EVER having problems with this kind of stuff in the days of Win95/98.

Because the Internet is getting more and more popular, back in 1995 there were a lot less people using it and most of those that were had a much better grasp on what they were doing so it was harder to get one up on them. That and they were all on modems, I imagine most people would click cancel when they saw "Downloading new message 1 of 1, time remaining: 5m 25s" and go back and delete it from the server without reading it. These days you can send someone an email that says "Don't run this, it's a virus" and they'll run it and wonder how they got a virus.

Spyware is really just information digging tools for advertisers, they figure you're more apt to click on a link if it's related to something you were doing recently.

 

[abspi8]

It's definitely PartyPoker.net. I'm not sure if Emule also contributes, but I noticed a 20 fold increase in popups and spyware in general after I installed partypoker. (hits self in head). And even after I uninstalled it, they're still popping up.

 

[BespinReactorShaft]

Even with FF and ZA I still get the occasional worm or two in my system32 folder.

 

[SagaLore]

Originally posted by: Nebben
Was there a sudden creation and surge of spyware when XP was released? I don't remember EVER having problems with this kind of stuff in the days of Win95/98.

There definitely was a problem spyware and 95/98. But it came in the cloak of usable programs. Webshots, Gator, Comet Cursor, Bonzai Buddy, etc. With 2k and xp, P2P programs becamse more popular and installed 3rd party spyware. Then there was a shift in how spyware was installed - with so many people using broadband and on the Internet 24/7, they started using exploits in IE, java, vbscript, javascript, and activex to get themselves installed.

I talk about this in my article Anti-Spyware Legislation.

 

[Nebben]

Thanks for the post, Mech - very helpful.

I'll be building a new PC soon, and plan to format my current one and protect it from the ground up.

I have no major issues, really, it's just the annoying popup ads that continually make their way into the system.


About Win95/98 -- the thing is, when I was using those operating systems, the only spyware there was to worry about was stuff installed with Kazaa and the like. There wasn't this constant bombardment from websites exploiting huge holes in the OS.

My question for Microsoft: If there are holes this gigantic in the use of the administrator account, why is there no mention of this at any point in the installation? Why not fix these holes? Why is the default user setup the LEAST secure configuration you could possibly have?

SP2 has fixed a lot of my problems, but there is still this se.dll/rundll32.exe crap that I'm having trouble doing away with for good. Just when I think the system is clean, it comes back.

If partypoker is indeed the cause, then I'll have to deal with it... is there a way to prevent it from installing this garbage without just not using it? I like playing on there for fun (I don't play for real money) and it's a little disappointing that I have to refrain from doing so in order to stop this.

 

[mechBgon]

My question for Microsoft: If there are holes this gigantic in the use of the administrator account, why is there no mention of this at any point in the installation? Why not fix these holes? Why is the default user setup the LEAST secure configuration you could possibly have?

The Windows users are coming from the Win95/98 universe where they are the gods of their computers, able to do anything they dasm well please, and so Microsoft would probably cause outrage if they (*gasp*) insulted their customers by blatantly locking down user accounts by default. And it's not their fault that people go installing stuff without reading the 12-page EULA and understanding what they're agreeing to. At least they'll be providing their Microsoft AntiSpyware for free when they're done beta-testing it. I bet the spyware writers are slightly annoyed at that move :evil:

 

[Nothinman]

Why is the default user setup the LEAST secure configuration you could possibly have?

Because it's the most convenient. MS is about making people happy, not making them secure. Along the same vein car companies sell you a car with the door locks and alarms, but it's up to you to actually use them. The difference is that cars are easy to secure and most people have an understanding about the whats and whys about securing their cars, but Windows (and software in general) requires a lot more knowledge to setup properly.

 

[Nebben]

It would be awesome if antispyware legislation was put into effect and the punishments were very severe. I would have no sympathy for people being sentenced to years in prison for these kinds of offenses.

It shouldn't just become illegal when someone commits credit card fraud, it should become illegal the moment that something is installed without the user agreeing to it. (This excludes bundled software ala Gator, of course -- it's nobody's fault but the user if they choose to ignore the messages in the installation). But stuff being installed with no mention of it, or from website browsing... I'd love to see harsh punishments for that.

 

[Nebben]

I've been observing the action in both my Temp folders and my running processes, and have determined that PartyPoker, upon execution, installs se.sll into the temp folder and runs it under "rundll32.exe". That name seems like some random Windows process, so I hadn't noticed it until now. Upon removing Partypoker and running a Spybot scan, I am now 100% spyware free (for the moment...)

EDIT: I uninstalled Partypoker and totally cleaned my system, then reinstalled it... is it possible that se.dll attaches itself to some random program on your drive? Because I am no longer experiencing the previously mentioned problems...

They started immediately after a PartyPoker update a few days ago.

 

[VirtualLarry]

Originally posted by: Nebben
Was there a sudden creation and surge of spyware when XP was released? I don't remember EVER having problems with this kind of stuff in the days of Win95/98.

No, it was there back then too. It's just.. the bandwagon didn't start rolling yet. And the passage of laws like the "CAN-SPAM" act, and the anti-spyware acts being proposed, seemingly legitimized an otherwise "grey" area of software, by choosing where to draw the line. (And poorly at that, I might suggest.)

There were various spyware apps back in the Win9x days too - the 16-bit versions of GetRight, using the Aureate/Radiate DLLs, things like Netscape's "SmartDownload", and a host of other "download manager"-type utils were often spyware/adware.

Also, nearly every "free ISP dialer program" app, is spyware/adware. BlueLight, WorldSpy, NetZero, Juno, all of them back in the day. (And still, actually.)

Originally posted by: Nebben
Windows XP is very stable, which I like, but it's pretty ridiculous that we have to install spyware removal tools and blockers in order to prevent random popup windows and the like.

It's interesting that you bring up XP, because XP was MS's premiere consumer OS version, with pre-loaded built-in MS "spyware/adware" (loads of phone-home goodies, and loads of things that either advertise MS or MSN, or link to their as a default information source). In other words, the OS itself and the application services that it provides, were designed to be an "OS portal", much like web sites that are designed as a "web portal" - to make money off of advertising and commission sales.

It can be fairly difficult for most average users to disable/remove those built-in things in XP (MS Messenger being the most egregious, since MS intention hid the ability to un-install it in the INF.)

Originally posted by: Nebben
I use FireFox, I have every update from Windows Update installed, I'm running MS Anti-Spyware, I'm running the XP firewall, I don't visit many websites that aren't known to be safe, and I STILL HAVE SPYWARE/ADWARE PROBLEMS.

Well, do you use Firefox for all browsing activities, or just some? Do you still use OE or WMP? Those are other well-known infection vectors. As are free software downloads with "bundled companion software". Do you P2P? That's another good source of infection. (I don't let P2P apps anywhere near my machine.)

Originally posted by: Nebben
Am I doing something wrong? Is there some program I'm using that is allowing all of this to enter my system?

Quite likely. No MS application product is safe. Discontinue usage of all of them on the internet immediately. The other possibility is that you never fully cleaned up your system in the first place. It's well known that even the best anti-spyware programs have quite a bit less than 100% coverage of the rogue programs out there. It's best to scan with two or three of them, but only reputable ones. The disreputable ones, actually install spyware of their own, while claiming to scan for and remove (a competitors) spyware.

Originally posted by: Nebben
I pretty much only use the following:
FireFox
Winamp
Trillian
Quake/Soldat/Other games from reputable companies
Partypoker (I'm suspecting this...)
eMule (I'm suspecting this as well...)

I'm pretty disappointed at the overhead caused by running MS AntiSpyware active protection... I just started trying it out and the RAM usage is like 120MB. That's insane.

I guess I should either switch to Linux or just shut up and take it.

P2P and "free online games" are a good source of spyware infections, yes. (Although, are you using the GPL ED2K network client, or a repackaged version of it? The GPL one shouldn't have bundled companion software. The stuff that you download from P2P could easily be infected with something though.)

You have to understand, MS actually designs their OSes to facilitate this sort of thing. You could say that they more-or-less gave birth to it, by making their OSes such a fertile ground for rogue-software infection. But eventually, those types of apps mutated from semi-useful co-marketing deals, into the virulent evil mess that takes over people's computers completely and spreads autonomously through the internet. (Kind of like the "Galatia Effect" from Bubblegum Crisis. Except that non of it is self-aware yet.)

Originally posted by: Nebben
The one question that I seriously cannot think of an answer to:
Why in the hell would anyone waste their time programming adware that merely causes popups on peoples' computers? Are people actually stupid enough to click "Buy spyware protection now!" from a popup that is the cause of their problem?

Apparently. Supposedly, some spammers can make millions of dollars a year, if not in a month, doing that. It boggles my mind, personally.

 

[VirtualLarry]

Originally posted by: mechBgon

My question for Microsoft: If there are holes this gigantic in the use of the administrator account, why is there no mention of this at any point in the installation? Why not fix these holes? Why is the default user setup the LEAST secure configuration you could possibly have?

The Windows users are coming from the Win95/98 universe where they are the gods of their computers, able to do anything they dasm well please, and so Microsoft would probably cause outrage if they (*gasp*) insulted their customers by blatantly locking down user accounts by default.

Not just that, but a good chunk of well-known, popular, 3rd-party applications, the types that the user purchased a PC running Windows' in the first place to use, will stop working or function improperly. That's one of the real reasons. The fact that Win9x was a commercially-viable OS to release application software on up until the last year or so didn't help either. Since the Win32 security API calls on Win9x are all just null functions, essentially, most application vendors targeting both Win9x-based and NT-based Win32 OSes didn't even bother to implement support for those security calls. Thus their software requires the user to run as Administrator, in order for it to function. Things like CD-burning programs, and even games, are the most egregious violators.

Originally posted by: mechBgon
And it's not their fault that people go installing stuff without reading the 12-page EULA and understanding what they're agreeing to. At least they'll be providing their Microsoft AntiSpyware for free when they're done beta-testing it. I bet the spyware writers are slightly annoyed at that move :evil:

Has MS officially announced that their MS anti-spyware would be free to all of the Windows-OS-running world? I find that hard to believe, but perhaps they would do it as a deperate PR move, to prevent people from defecting from Windows en-mass. (Where? I have no idea, but Mac OS is getting traction on the idea that it is a "spyware-free" platform as compared to Windows'. Which is likely to be realistically true.)

 

[VirtualLarry]

Originally posted by: Nothinman
"Because it's the most convenient. MS is about making people happy, not making them secure." <- best description ever, of MS's software design practices in a nutshell.

 

[Nothinman]

Has MS officially announced that their MS anti-spyware would be free to all of the Windows-OS-running world?

I believe it was mentioned in the PR that said IE7 would be released for XP instead of waiting for Longhorn.

prevent people from defecting from Windows en-mass. (Where? I have no idea, but Mac OS is getting traction on the idea that it is a "spyware-free" platform as compared to Windows'. Which is likely to be realistically true.)

Umm, the rest of the world? The US is the only place where MS has a strangle hold on the computer client market.

"Because it's the most convenient. MS is about making people happy, not making them secure." <- best description ever, of MS's software design practices in a nutshell.

The sad part is that if you ever talk to a MS employee, they think they're producing the best software from all points, including ease of use and security.

 

[SagaLore]

Originally posted by: Nothinman

prevent people from defecting from Windows en-mass. (Where? I have no idea, but Mac OS is getting traction on the idea that it is a "spyware-free" platform as compared to Windows'. Which is likely to be realistically true.)

Umm, the rest of the world? The US is the only place where MS has a strangle hold on the computer client market.

I think Apple is going to have a come back. The iPod has generated boat loads of revenue for Apple, and the new mini-mac is very affordable and works with standard pc peripherals. In fact I want to get one for my wife so she can do her desktop publishing at home.

I think there was a slashdot article recently that there is a linux organization focusing on distros for desktop users. In these past few years I have seen the GUI's and installers mature to a point that it could very well happen soon.

 

[Nothinman]

and the new mini-mac is very affordable and works with standard pc peripherals

It's only affordable if you take the very base model, add memory and it's now $700 or more. Add a Monitor and you're up to normal PC prices.

 

[VirtualLarry]

Originally posted by: Nothinman

Has MS officially announced that their MS anti-spyware would be free to all of the Windows-OS-running world?

I believe it was mentioned in the PR that said IE7 would be released for XP instead of waiting for Longhorn.

Huh? What does IE7's potential standalone release have to do with MS's recently-purchased and re-branded anti-spyware software? And MS has clearly stated in the past that future IE updates would no longer be released standalone for older OSes. Whether they will go against what they've said, remains to be seen. I assume that it will have to do with Firefox's adoption rates in the market.

Originally posted by: Nothinman

prevent people from defecting from Windows en-mass. (Where? I have no idea, but Mac OS is getting traction on the idea that it is a "spyware-free" platform as compared to Windows'. Which is likely to be realistically true.)

Umm, the rest of the world? The US is the only place where MS has a strangle hold on the computer client market.

I meant "where", as in, the question of computer platform/system that those defecting from MS would use. Not a geographical "where", sorry.

Originally posted by: Nothinman
The sad part is that if you ever talk to a MS employee, they think they're producing the best software from all points, including ease of use and security.

All too true! They actually believe their own FUD, 100%. Is it any wonder that it is often described as "the Microsoft mind-control ray/field, eminating from Redmond"?

Remember, XP has always been self-described as the "Most secure windows' OS yet" by MS, and yet, it is one of the worst yet in terms of security bugs/exploits. It even shipped with a number of bugs, one of which would allow web sites to delete any file off of your computer remotely, just by visiting, if they knew the pathname! Scary stuff.
(I mean the kool-aid that they drink on campus up there... no wonder they offer drinks free to employees.)

 

[SagaLore]

Originally posted by: VirtualLarry
Remember, XP has always been self-described as the "Most secure windows' OS yet" by MS, and yet, it is one of the worst yet in terms of security bugs/exploits. It even shipped with a number of bugs, one of which would allow web sites to delete any file off of your computer remotely, just by visiting, if they knew the pathname! Scary stuff.
(I mean the kool-aid that they drink on campus up there... no wonder they offer drinks free to employees.)

Let's not forget universal plug and play.

You know we wouldn't have any problems with remote buffer exploits if they redesign their OS to do this: when you run netstat, look at all the ports just waiting to be talked to. Instead, the OS by default should only have 1 port open, one of which is a secure channel. The remote machine has to present it's public certificate, which is similar to MS's passport system. If your machine accepts this certificate, then it can communicate with it as trusted. Inside domains, the certificate exchange is handled by your domain controller. In workgroups, you have to establish a serial ID to use. In the public MS can provide the certificate server. When that 1 port is being used between trusted machines, another port can open and wait, but again only for this secure certificate exchange... the session can then encapsulate whatever other protocols are needed...

 

[Nothinman]

Huh? What does IE7's potential standalone release have to do with MS's recently-purchased and re-branded anti-spyware software?

Ask MS PR, probably the fact that IE7 will include more safeguards for spyware or something and in addition they'll be making the Anti-Spyware tool available for free.

And MS has clearly stated in the past that future IE updates would no longer be released standalone for older OSes

Sure and they still say that with regards to Win2K, they've amended it to include the fact that IE7 will be released for XP SP2 machines before Longhorn is released.

All too true! They actually believe their own FUD, 100%. Is it any wonder that it is often described as "the Microsoft mind-control ray/field, eminating from Redmond"?

That and their address is appropriately "1 Microsoft Way".

You know we wouldn't have any problems with remote buffer exploits if they redesign their OS to do this: when you run netstat, look at all the ports just waiting to be talked to. Instead, the OS by default should only have 1 port open, one of which is a secure channel. The remote machine has to present it's public certificate, which is similar to MS's passport system. If your machine accepts this certificate, then it can communicate with it as trusted. Inside domains, the certificate exchange is handled by your domain controller. In workgroups, you have to establish a serial ID to use. In the public MS can provide the certificate server. When that 1 port is being used between trusted machines, another port can open and wait, but again only for this secure certificate exchange... the session can then encapsulate whatever other protocols are needed...

And now you've just made things 100x harder for people to share files.

 

[SagaLore]

Originally posted by: Nothinman

You know we wouldn't have any problems with remote buffer exploits if they redesign their OS to do this: when you run netstat, look at all the ports just waiting to be talked to. Instead, the OS by default should only have 1 port open, one of which is a secure channel. The remote machine has to present it's public certificate, which is similar to MS's passport system. If your machine accepts this certificate, then it can communicate with it as trusted. Inside domains, the certificate exchange is handled by your domain controller. In workgroups, you have to establish a serial ID to use. In the public MS can provide the certificate server. When that 1 port is being used between trusted machines, another port can open and wait, but again only for this secure certificate exchange... the session can then encapsulate whatever other protocols are needed...

And now you've just made things 100x harder for people to share files.

No way. Unless you're refering to people setting up a shared folder accessible by the entire public. Or unless you're refering to p2p networks which distributes mostly illegal content. A legitimate p2p vendor could easily setup a passport server to act as the workgroup server to allow all the other peers to participate in p2p. That's not 100x harder, it's 100x more security with only a minor change.

 

[Nothinman]

No way. Unless you're refering to people setting up a shared folder accessible by the entire public. Or unless you're refering to p2p networks which distributes mostly illegal content. A legitimate p2p vendor could easily setup a passport server to act as the workgroup server to allow all the other peers to participate in p2p. That's not 100x harder, it's 100x more security with only a minor change.

I just meant sharing files in their home. And whether or not P2P networks share mostly illegal content is irrelevant, you shouldn't shutdown the fleamarket just because some people decide to sell weed there.

Oh and you've broken compatibility with older SMB hosts and there are still a helluva lot of those out there.

 

[VirtualLarry]

Originally posted by: SagaLore
Let's not forget universal plug and play.
You know we wouldn't have any problems with remote buffer exploits if they redesign their OS to do this: when you run netstat, look at all the ports just waiting to be talked to. Instead, the OS by default should only have 1 port open, one of which is a secure channel. The remote machine has to present it's public certificate, which is similar to MS's passport system. If your machine accepts this certificate, then it can communicate with it as trusted. Inside domains, the certificate exchange is handled by your domain controller. In workgroups, you have to establish a serial ID to use. In the public MS can provide the certificate server. When that 1 port is being used between trusted machines, another port can open and wait, but again only for this secure certificate exchange... the session can then encapsulate whatever other protocols are needed...

That idea definately has merit to it. Perhaps someday, once everything is just a variant of P2P/mesh networking, something like that will happen. I was wondering myself, if there are only so many TCP/UDP "ports" to use, and all of them eventually get used up as "known ports" for services - there really should be a better way. Such as having a single port that unknown remote hosts can connect to, to discover services available on the machine. That port could require an authenticated connection (as you suggest), in order to access the directory, and again, to access any particular service on a particular port. (Or in truth, "fork" that TCP session like most server daemons already do, when some host connects to them. RPC services were actually designed to do something like that, except that MS's various RPC services are well-known to be buggy enough to not expose to the internet.

 

[kylef]

Originally posted by: VirtualLarry

Originally posted by: Nothinman
The sad part is that if you ever talk to a MS employee, they think they're producing the best software from all points, including ease of use and security.

All too true! They actually believe their own FUD, 100%. Is it any wonder that it is often described as "the Microsoft mind-control ray/field, eminating from Redmond"?

You guys really need to get ahold of yourselves if you think Microsoft employees are so different from any other employees at major tech companies around the world. "Those Microsoft employees are really messed up. They do nothing but spread FUD." Listen to yourselves! Who is spreading FUD now?

Like any large organization, there will always be some individuals who run their mouths off on topics about which they know little, giving the rest a bad name. I don't see any more or less of this at Microsoft than I've seen anywhere else in my career. Whence this Microsoft reputation comes, I have no idea. I do know that it's ridiculous.

How many Microsoft employees have you actually met? How did you meet them?

And was it a *Windows* employee you met? Because deciding that IBM's Websphere developers are really stupid and brainwashed by listening to some employee from their Global Services division is hardly a fair judgment, wouldn't you agree?