Re: Spyware is even worse than spam in my view
> I use four free tools: Ad-Aware and Spybot to
> scan for and delete this filth, Spywareblaster
> to prevent it from ever being installed, and
> HiJackThis as a general tool to see what's
> being loaded on startup and to remove some of
> the nastier elements of spyware which take over
> your start page in Internet Explorer, for
> instance. (Check Google for the download
> locations) Using these four programs plus
> making a careful analysis of what's under the
> Program Files folder and what is set in the
> registry to start up, I've always been able to
> tidy up the machines I support.

You need one more critical, semi-free tool in my opinion: TDS-3 (http://tds.diamondcs.com.au). Just like adware/spyware/malware is a different class of software than viruses and worms, trojan horses (especially RATs, or Remote Access Trojans) are in a class by themselves, and they are far more dangerous. Trojan horses are typically concealed better, and are used primarily to steal data (your tax returns? your medical records? your online banking logins and records? proprietary company information? -- all are vulnerable) and passwords as well as to take over control of machines. Most spyware scanning tools like Spybot-Search & Destroy, Lavasoft's Ad-Aware, and Webroot's Spy Sweeper do a good job of adware/spyware/malware detection and removal but are unable to detect trojan horses. TDS-3 can detect spyware too, but it specializes in trojan horse detection and removal, and it works very well in my opinion.

I use Spybot-S&D, Ad-Aware, and Spy Sweeper when cleaning PCs at work, and between the three of them they do a good job of removing the vast majority of adware/spyware/malware, and each tends to catch a few things the others don't.

But I then follow up by installing TDS-3, manually updating its database (simple instructions on their web site; the auto update feature is available to those who pay and register), and running a full scan. TDS-3 is a pro level tool with tons of capabilities, hence the overwhelming interface, but the Help files are good and can step you through simple scanning operations. It takes a little longer than the other tools, but it is more thorough. It's a bummer there is no "nuke everything you found" option when it's done -- you have to right-click on each item in the list one at a time and select "Delete," but it's still an invaluable tool. (Maybe there is a way to set up automatic removal and I just haven't discovered it yet.)

After cleaning up with TDS-3, follow mreilly19's suggestion to carefully scrutinize the Program Files folder and the registry startup keys (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and the same key under HKEY_CURRENT_USER). If an exploit is running at startup you'll see a REG_SZ value pointing to the executable, so Google any suspicious entries to see if it is known spyware, etc. Track down the file being loaded and delete it, then delete the corresponding reg key.

If you can't delete the file it is because it is running in memory. Go into Task Manager -> Processes tab and End Process. Watch the list and the number of running processes in the lower left-hand corner. The number should decrease by one and stay that way. If after a few seconds another weird process name pops up in the list, you've got a particularly nasty exploit to deal with. Reboot your machine into Safe Mode (not available in NT4). Safe Mode loads Windows 2000/XP with only the core services/processes needed to boot the OS. This means the Startup folder and the registry's Run keys are ignored, and rogue processes are prevented from loading into memory. You can then delete the offending files followed by the reg keys that load them at a normal startup. Reboot normally.

After all of this, it still doesn't hurt to check running processes in Task Manager (Windows NT/2000/XP) one last time and Google any suspicious looking process names. It is still possible for an exploit to evade detection no matter how many tools you throw at it, and the authors are getting better at picking process names that look like they are part of the OS.

I spent most of last week at work cleaning machines. In each case, Spybot-S&D, Ad-Aware, and Spy Sweeper removed tons of garbage and the PC looked clean and performed much better. But a quick check of the registry and Task Manager showed unknown processes still being loaded. A full scan with TDS-3 revealed as many as 17 RATs still infesting the system. In one case an exploit remained even after scanning with TDS-3. That's why a careful inspection is necessary afterwards.

I don't consider my job done until I've covered all the known bases, and that includes trojan horses. Trojan horses are sure living up to their name. Not only are they evading detection and removal on millions of PCs, they are flying under the radar of the mainstream press as well.

Chris, waiting patiently for Symantec's newer corporate client tools that can remove and prevent this stuff...
Posted by: crm_z | Posted on: 06/01/04
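The Run-key inspection described in the post (scrutinize the HKLM/HKCU Run values, resolve each REG_SZ entry to the file it loads, and be wary of names that imitate OS processes) can be scripted so the triage is repeatable. The following is an added example, not code from the post or from any of the tools it names: it parses a `reg export` dump of a Run key, extracts the executable from each value (honouring quoting and %SystemRoot%-style variables), and flags the two patterns the post warns about. The registry names, paths and the "trusted roots" policy are constructed assumptions for the demo.

```python
"""Triage Windows Run-key autostart entries from a `reg export` dump (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed sample in `reg export` format; every value name and path here is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"svchost"="C:\\WINDOWS\\svchost.exe"
"Updater"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\upd8r.exe\" /silent"
"CtlPanel"="%SystemRoot%\\system32\\rundll32.exe shell32.dll,Control_RunDLL"
'''

# Assumed policy: directories from which legitimate autostart binaries are normally loaded.
TRUSTED_ROOTS = (r'c:\program files', r'c:\windows')
# Core OS process names; the same name loaded from outside System32 is the classic mimic.
SYSTEM_BINARIES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'rundll32.exe'}
ENV = {'%systemroot%': r'C:\WINDOWS'}  # assumed value for variable expansion

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)

def parse_run_values(reg_text):
    """Yield (value name, command line) for each REG_SZ value, undoing .reg escaping (\\\\ and \\")."""
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            yield m['name'], re.sub(r'\\(.)', r'\1', m['data'])

def executable_of(command):
    """Pull the program path out of a Run value: respect quoting, drop arguments, expand %VAR%."""
    m = EXE_RE.match(command.strip())
    exe = m['exe'] if m else command.strip().strip('"')
    return re.sub(r'%\w+%', lambda v: ENV.get(v.group(0).lower(), v.group(0)), exe)

def classify(exe):
    """Apply the post's two checks: OS-process name outside System32, or an untrusted location."""
    p = exe.lower()
    if PureWindowsPath(p).name in SYSTEM_BINARIES and not p.startswith(r'c:\windows\system32'):
        return 'SUSPICIOUS: OS process name loaded from outside System32'
    if not p.startswith(TRUSTED_ROOTS):
        return 'REVIEW: executable outside Program Files / Windows'
    return 'ok'

def triage(reg_text):
    """Map each Run value name to (resolved executable, verdict)."""
    result = {}
    for name, cmd in parse_run_values(reg_text):
        exe = executable_of(cmd)
        result[name] = (exe, classify(exe))
    return result

if __name__ == '__main__':
    for name, (exe, verdict) in triage(SAMPLE_REG).items():
        print(f'{name:10} {verdict:55} {exe}')
```

Entries marked REVIEW still need the manual step from the post (look the name up, locate the file, then remove the file and its value); the script only narrows the list.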
