Re: Spyware becomes increasingly malicious
On Thu, 15 Jul 2004 09:00:16 PDT, Jeff Shultz [EMAIL PROTECTED] said:

> Such dangerous file attachments included .jpg, .pdf and music files.

Once bitten, twice shy: http://cert.uni-stuttgart.de/archive/bugtraq/2001/02/msg00168.html

.JPG's are HTML, didn't you know? :)
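The joke above is about a renderer that decides what a file is from its bytes rather than from its name, so a "photo.jpg" that actually contains HTML gets treated as HTML. The check a mail gateway or upload handler would want is the inverse: refuse to trust the name and compare the leading bytes with the signature the extension implies. The following is an added example, not code from the thread or from any product discussed in it; the signature table, the 512-byte sniff window and the sample attachments are constructed for illustration.

```python
"""Flag attachments whose bytes do not match the type their name claims.

Added example, not code from the thread. The defensive counterpart to
content sniffing: check the leading bytes against the signature the
extension implies, and look for markup a sniffing renderer would act on.
The signature table, the sniff window and the sample bytes are constructed
for this example.
"""
import re
from typing import Dict, List, Tuple

# Leading byte signatures for the "harmless" attachment types in question.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".pdf":  (b"%PDF-",),
}

# Tags that are enough to make a content-sniffing renderer treat data as HTML.
HTML_HINT = re.compile(rb"<\s*(html|head|body|script|iframe|object|meta|img)\b",
                       re.IGNORECASE)

SNIFF_WINDOW = 512  # assumed size of the prefix a sniffer inspects


def extension_of(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def looks_like_html(data: bytes) -> bool:
    """True if the leading bytes contain markup a sniffing renderer would execute."""
    return HTML_HINT.search(data[:SNIFF_WINDOW]) is not None


def magic_matches(ext: str, data: bytes) -> bool:
    """True if data starts with one of the signatures registered for ext."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def classify(name: str, data: bytes) -> str:
    """Return 'ok', 'html-disguised', 'mismatch' or 'unknown' for one attachment.

    A genuine image/PDF header wins: a sniffer that sees a valid signature
    has no reason to fall back to HTML. Only when the signature is absent
    do we ask whether the bytes would sniff as HTML.
    """
    ext = extension_of(name)
    if ext not in MAGIC:
        return "unknown"          # no expectation to check against
    if magic_matches(ext, data):
        return "ok"
    if looks_like_html(data):
        return "html-disguised"   # the ".JPG that is HTML" case
    return "mismatch"             # wrong type but not markup (e.g. an executable)


def scan_attachments(items: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Classify each (name, bytes) pair; a caller would block anything not 'ok'."""
    return [(name, classify(name, data)) for name, data in items]


# Constructed sample attachments, not real files.
SAMPLES: List[Tuple[str, bytes]] = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32),
    ("holiday2.jpg", b"<html><body><script>top.location='http://example.invalid/'</script>"),
    ("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32),   # PE header, not PDF
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLES):
        print(f"{name:14s} {verdict}")
```

The extension table deliberately contains only types the page calls "dangerous" in jest; anything else is reported as unknown rather than silently passed, because a check that cannot state an expectation has nothing to verify.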
Re: Spyware becomes increasingly malicious
On Wed, 14 Jul 2004 22:52:07 PDT, Alexei Roudnev [EMAIL PROTECTED] said:

> O, noo. You click a button 'I agree', which means nothing for 99.99% of people over the world. Here is a difference. Do not expect people to 'agree' if you do not force them to follow this (and if your system does not violate 'common sense'). Did you ever see any idiot who read these licenses (I never saw any)? It became (many years ago) some kind of ritual, like Indian dances before going to war.

It's rare that the user actually even TRIES to read the license... http://www.cypherpunks.ca/dell.html
Re: Spyware becomes increasingly malicious
On Wed, Jul 14, 2004, Michel Py wrote:

> - In exchange for his life, appoint Saddam Hussein to rid us of spyware writers. As he's on a roll, let's put spammers in the deal, too. The guy has a proven track record; problem is most of us live in a society that opposes his methods, so this does not fly.

Can we call Godwin out on this comment?

Guys, girls, etc. This whole "MacOS is based on BSD which has been looked at for years" discussion is actually quite silly. Why? Because the majority of the code in MacOS X which would be abused is not going to be BSD based. A bug in cat? tar? sed? No. It'll be a bug in Mail.app, how it ties into the Helper app, possibly Finder.app and AppleScript. It'll be some image overflow in Safari, via KHTML and Aqua's rendering engine. It'll be something that Is Very Not Going To Ever Have Been A Part of What You Call BSD.

So, I call crapola on that argument, and invoke a Godwin-for-21st-century based on the above comment. Let's move on.

Adrian

-- 
Adrian Chadd [EMAIL PROTECTED]
I'm only a fanboy if I emailed Wesley Crusher.
Re: Spyware becomes increasingly malicious (let's return to reality)
Ok, let's return to reality (sorry for moving this thread into the OS-related flame).

First of all, even if an OS has no caveats, that will not protect it from spyware/adware. If I want to install my 'Cool-Search' onto a million computers, all I need to do is write a fancy game and offer it 'free of charge' in exchange for 'allow us to show you ads once a day'. That's all - you will have everything installed explicitly. But 'hidden' installation makes it much easier for spyware, and is (in general) a very big evil. The system must distinguish between a 'USER' mode (use applications but do not change system behavior) and an 'INSTALL' mode (install/delete/add software, processes and so on). In many cases, the system must ask for a password to do any such action. (If you know MS, you can imagine what a nightmare it is to implement this -- I worked with IDSs such as Osiris and had fun guessing what the system decided to change today. But it is not a problem in most other OSes.)

The second, and even worse, problem is the absence of ANY system interface showing you what is starting, stopping and running. It is not a problem to remove spyware, from a common point of view - just open the 'list of running processes' and the 'Startup list' and uncheck everything you do not want to see. The problem is that such an interface does not exist, is not possible because of complexity (there are millions of ways of starting anything) and cannot trace the history of processes (because of, again, extra complexity, unlimited usage of 'classes' and 'objects' and 'plugins' and 'toolbars' and so on). Anyway, a good 'change history' system could easily revert such changes, so that instead of very complex 'Ad-Aware' scanners we would have just a 'change history, revert?' button.

Third is easier for ISPs - if we cannot fight bad software, fight those who profit from using it. For SPAM - ok, there is no way to stop the sending of spam (for now), but any SPAM advertises someone, and this someone is always 100% identified - so fight (limit, flood with calls, overload with false information, etc.) the SPAM beneficiaries, teach them not to purchase 'We will send your advertisement to 10M people over the world'. The same in the case of adware. For spyware, fight those who receive the information back - by any means.

----- Original Message -----
From: John Underhill [EMAIL PROTECTED]
To: Niels Bakker [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, July 14, 2004 1:12 PM
Subject: Re: Spyware becomes increasingly malicious

Ok.. but has BSD been attacked on the scale that MS code has? I would argue no, not even close. Do you believe BSD is invulnerable to attack? Hardly.. Unless you want to go back to text-based browsers and kernels that fit on a floppy, it is extremely difficult to eliminate all vulnerabilities in the code of a sophisticated OS. The more complex the system, the easier it is to break, and with the level of automation currently expected by most users, this requires a very complex build. Could MS be made more secure? Of course. Do I think they are actively working on the problem? Yes. If Novell or Mac had risen to the top of the OS heap, would they be catching all the viruses now? I think they would. Really, my point was not to argue this, but that there is no justification for malicious code, that you can't simply pawn it off on MS as being the real problem. By doing that, you are saying that people creating spyware and viruses are not culpable for their actions, that they should be allowed to create havoc and destroy systems, because really they are only leveraging 'features' built into the operating system.

----- Original Message -----
From: Niels Bakker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 14, 2004 3:31 PM
Subject: Re: Spyware becomes increasingly malicious

> Sorry, it was a _technical_ question - is MAC OS known as having pests and ad-ware in comparable numbers (if any)?

* [EMAIL PROTECTED] (John Underhill) [Wed 14 Jul 2004, 19:45 CEST]:
> This is spurious logic. You are suggesting that Mac is a more secure operating system, and I would suggest that it is probably far less secure, because it has not had to withstand years of unearthing vulnerabilities in the code.

It has. Darwin is based on years of development in BSD code.

-- Niels.

-- 
Today's subliminal thought is:
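The "change history, revert?" button Alexei asks for is a journal of autostart changes that stores the value each change replaced, so a batch of changes can be undone as a unit rather than hunted down by a scanner. The following is an added example, not code from the thread or from any product named in it; the registry paths, the 'Cool-Search' installer scenario and the snapshots are constructed for illustration, and a real tool would take its snapshots from the Run keys, the Startup folder, services and the other launch points instead of from literals.

```python
"""A 'change history, revert?' journal for autostart entries.

Added example, not code from the thread. Every add/modify/remove of a
startup entry is recorded with the value it replaced and the actor that
made it, so any suffix of the history can be reverted as a unit. Entry
locations, commands and the installer scenario are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, str]   # autostart location -> command it launches

# Constructed location prefixes; a real tool would enumerate these itself.
RUN_HKCU = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
RUN_HKLM = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
STARTUP = "%USERPROFILE%\\Start Menu\\Programs\\Startup\\"


@dataclass(frozen=True)
class Change:
    seq: int                 # monotonically increasing; newest is highest
    location: str
    old: Optional[str]       # None: entry did not exist before
    new: Optional[str]       # None: entry was removed
    actor: str               # who or what made the change, as best we know


@dataclass
class Journal:
    changes: List[Change] = field(default_factory=list)

    def record(self, before: Snapshot, after: Snapshot, actor: str) -> List[Change]:
        """Diff two snapshots; append and return one Change per differing location."""
        new_changes = []
        for loc in sorted(set(before) | set(after)):
            old, new = before.get(loc), after.get(loc)
            if old != new:
                c = Change(len(self.changes) + 1, loc, old, new, actor)
                self.changes.append(c)
                new_changes.append(c)
        return new_changes

    def by_actor(self, actor: str) -> List[Change]:
        return [c for c in self.changes if c.actor == actor]

    def revert(self, current: Snapshot, since_seq: int) -> Snapshot:
        """Undo every change with seq >= since_seq, newest first.

        Newest-first matters: if an installer changed a value and the user
        later edited the same entry, undoing in reverse order ends at the
        value from before the installer ran, not at the intermediate one.
        """
        state = dict(current)
        for c in sorted((c for c in self.changes if c.seq >= since_seq),
                        key=lambda c: c.seq, reverse=True):
            if c.old is None:
                state.pop(c.location, None)
            else:
                state[c.location] = c.old
        return state


def build_demo() -> Tuple[Journal, Snapshot, Snapshot, Snapshot]:
    """Constructed scenario: clean machine, a 'Cool-Search' install, a user edit."""
    j = Journal()
    baseline: Snapshot = {RUN_HKCU + "ctfmon": "ctfmon.exe"}

    # The game installer adds two entries and hijacks an existing one.
    after_install: Snapshot = {
        RUN_HKCU + "ctfmon": "ctfmon.exe /coolsearch",
        RUN_HKLM + "CoolSearch": "C:\\Program Files\\CoolSearch\\cs.exe /silent",
        STARTUP + "updater.lnk": "cs_update.exe",
    }
    j.record(baseline, after_install, actor="CoolSearch-setup")

    # Later the user repairs one value by hand and adds something they want.
    after_user: Snapshot = dict(after_install)
    after_user[RUN_HKCU + "ctfmon"] = "ctfmon.exe"
    after_user[RUN_HKCU + "pgptray"] = "pgptray.exe"
    j.record(after_install, after_user, actor="user")

    return j, baseline, after_install, after_user


if __name__ == "__main__":
    journal, baseline, after_install, after_user = build_demo()
    for c in journal.changes:
        print(f"#{c.seq} [{c.actor}] {c.location}: {c.old!r} -> {c.new!r}")
    first_install_seq = journal.by_actor("CoolSearch-setup")[0].seq
    print("revert installer and everything after:",
          journal.revert(after_user, first_install_seq) == baseline)
```

The attribution of an actor is the weak point Alexei identifies: the journal can only be as good as the system's ability to say which process wrote which entry. The revert logic itself is simple once that history exists, which is the point of the post.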
Re: Spyware becomes increasingly malicious
** Reply to message from Alexei Roudnev [EMAIL PROTECTED] on Wed, 14 Jul 2004 22:52:07 -0700

> Maybe the idea was that people read the 'license', click the button (I agree) and follow it - never write code which violates this license? But it is not true - 99.99% of people do not read it and behave as common sense says, not as [EMAIL PROTECTED] MS lawyers fictioned... They see a wall with a gate - and they go through this gate, no matter what is written on the posters around (except, as I said, if they see an angry dog next to the gate). /On the other hand, they know that coffee is hot and a waterfall is dangerous and dogs can bite -:)/. You must design your system for this behavior, not for people who _read a license_. These licenses are good for only 2 goals - (1) use them as toilet tissue; (2) in case of serious violation, allow suing the user if he is in the USA... -- they do not change people's behavior even a bit. Unfortunately, the Internet is not in the USA, so even if we have 100 strict laws prohibiting spyware, it will not help to fight these pests and pets... The system must defend itself.

For a while there, one of the top tech support issues we had to deal with was a new - and automatically implemented - feature in Outlook Express that blocked a person from running or saving something that Microsoft considered a dangerous file attachment. Such dangerous file attachments included .jpg, .pdf and music files. Oddly enough, it didn't seem to include .doc or .xls files. You know, the ones that actually can contain macro viruses. Because of Microsoft's ham-handed and all-or-nothing attempt at security, many people now don't trust or ignore any warning messages they may receive - they simply want to view their file attachments.

-- 
Jeff Shultz
A railfan pulls up to a RR crossing hoping that there will be a train.
Re: Spyware becomes increasingly malicious (let's return to reality)
> First of all, even if an OS has no caveats, that will not protect it from spyware/adware. If I want to install my 'Cool-Search' onto a million computers, all I need to do is write a fancy game and offer it 'free of charge' in exchange for 'allow us to show you ads once a day'. That's all - you will have everything installed explicitly.

Not necessarily true. Security/permissions play a major part in the effectiveness of adware and spyware. A majority of consumer Windows OSes run with the default login as an admin user. When a user chooses to install Cool-Search, their user rights allow for registry changes and alterations of system libraries, which cause ads to display when using IE. Can this be prevented by running Windows as a non-privileged user? Yes. But people want to install their Cool-Search, and non-privileged users can't install anything. When using OSes other than Windows, users can install their own binaries, but they do not have access to modify the system binaries. They can still browse with the system-wide Mozilla/whatever, but their actions will not have the ability to alter anything that will allow for ads to be served when browsing, or for browsing habits to be sent to a third party. User information is still vulnerable, and the potential is still there, but a single user's infection/installation will generally not have the same impact on the system.

-b

On Wed, 14 Jul 2004 23:52:27 -0700, Alexei Roudnev [EMAIL PROTECTED] wrote:

> Ok, let's return to reality (sorry for moving this thread into the OS-related flame). First of all, even if an OS has no caveats, that will not protect it from spyware/adware. If I want to install my 'Cool-Search' onto a million computers, all I need to do is write a fancy game and offer it 'free of charge' in exchange for 'allow us to show you ads once a day'. That's all - you will have everything installed explicitly. But 'hidden' installation makes it much easier for spyware, and is (in general) a very big evil. The system must distinguish between a 'USER' mode (use applications but do not change system behavior) and an 'INSTALL' mode (install/delete/add software, processes and so on). In many cases, the system must ask for a password to do any such action. (If you know MS, you can imagine what a nightmare it is to implement this -- I worked with IDSs such as Osiris and had fun guessing what the system decided to change today. But it is not a problem in most other OSes.) The second, and even worse, problem is the absence of ANY system interface showing you what is starting, stopping and running. It is not a problem to remove spyware, from a common point of view - just open the 'list of running processes' and the 'Startup list' and uncheck everything you do not want to see. The problem is that such an interface does not exist, is not possible because of complexity (there are millions of ways of starting anything) and cannot trace the history of processes (because of, again, extra complexity, unlimited usage of 'classes' and 'objects' and 'plugins' and 'toolbars' and so on). Anyway, a good 'change history' system could easily revert such changes, so that instead of very complex 'Ad-Aware' scanners we would have just a 'change history, revert?' button. Third is easier for ISPs - if we cannot fight bad software, fight those who profit from using it. For SPAM - ok, there is no way to stop the sending of spam (for now), but any SPAM advertises someone, and this someone is always 100% identified - so fight (limit, flood with calls, overload with false information, etc.) the SPAM beneficiaries, teach them not to purchase 'We will send your advertisement to 10M people over the world'. The same in the case of adware. For spyware, fight those who receive the information back - by any means.
>
> ----- Original Message -----
> From: John Underhill [EMAIL PROTECTED]
> To: Niels Bakker [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Wednesday, July 14, 2004 1:12 PM
> Subject: Re: Spyware becomes increasingly malicious
>
> Ok.. but has BSD been attacked on the scale that MS code has? I would argue no, not even close. Do you believe BSD is invulnerable to attack? Hardly.. Unless you want to go back to text-based browsers and kernels that fit on a floppy, it is extremely difficult to eliminate all vulnerabilities in the code of a sophisticated OS. The more complex the system, the easier it is to break, and with the level of automation currently expected by most users, this requires a very complex build. Could MS be made more secure? Of course. Do I think they are actively working on the problem? Yes. If Novell or Mac had risen to the top of the OS heap, would they be catching all the viruses now? I think they would. Really, my point was not to argue this, but that there is no justification for malicious code, that you can't simply pawn it off on MS as being the real problem. By doing that, you are saying that people creating spyware and viruses
Re: Spyware becomes increasingly malicious (let's return to reality)
The problem is ActiveX, not the OS. Anything running from the browser should be in a sandbox, as it is with Java applications; the same is true for the email client. ActiveX gives scripts running from the browser and the email client access to the entire machine in the name of functionality. In some cases users are prompted to authorize the installation of software when they get to a web page. Even when they choose No, the software continues to install. It's a security hole big enough to drive a tank through.

Mozilla is your friend.

Curtis

-- 
Curtis Maurand
mailto:[EMAIL PROTECTED]
http://www.maurand.com

On Thu, 15 Jul 2004, Brett wrote:

> > First of all, even if an OS has no caveats, that will not protect it from spyware/adware. If I want to install my 'Cool-Search' onto a million computers, all I need to do is write a fancy game and offer it 'free of charge' in exchange for 'allow us to show you ads once a day'. That's all - you will have everything installed explicitly.
>
> Not necessarily true. Security/permissions play a major part in the effectiveness of adware and spyware. A majority of consumer Windows OSes run with the default login as an admin user. When a user chooses to install Cool-Search, their user rights allow for registry changes and alterations of system libraries, which cause ads to display when using IE. Can this be prevented by running Windows as a non-privileged user? Yes. But people want to install their Cool-Search, and non-privileged users can't install anything. When using OSes other than Windows, users can install their own binaries, but they do not have access to modify the system binaries. They can still browse with the system-wide Mozilla/whatever, but their actions will not have the ability to alter anything that will allow for ads to be served when browsing, or for browsing habits to be sent to a third party. User information is still vulnerable, and the potential is still there, but a single user's infection/installation will generally not have the same impact on the system.
>
> -b
>
> On Wed, 14 Jul 2004 23:52:27 -0700, Alexei Roudnev [EMAIL PROTECTED] wrote:
>
> > Ok, let's return to reality (sorry for moving this thread into the OS-related flame). First of all, even if an OS has no caveats, that will not protect it from spyware/adware. If I want to install my 'Cool-Search' onto a million computers, all I need to do is write a fancy game and offer it 'free of charge' in exchange for 'allow us to show you ads once a day'. That's all - you will have everything installed explicitly. But 'hidden' installation makes it much easier for spyware, and is (in general) a very big evil. The system must distinguish between a 'USER' mode (use applications but do not change system behavior) and an 'INSTALL' mode (install/delete/add software, processes and so on). In many cases, the system must ask for a password to do any such action. (If you know MS, you can imagine what a nightmare it is to implement this -- I worked with IDSs such as Osiris and had fun guessing what the system decided to change today. But it is not a problem in most other OSes.) The second, and even worse, problem is the absence of ANY system interface showing you what is starting, stopping and running. It is not a problem to remove spyware, from a common point of view - just open the 'list of running processes' and the 'Startup list' and uncheck everything you do not want to see. The problem is that such an interface does not exist, is not possible because of complexity (there are millions of ways of starting anything) and cannot trace the history of processes (because of, again, extra complexity, unlimited usage of 'classes' and 'objects' and 'plugins' and 'toolbars' and so on). Anyway, a good 'change history' system could easily revert such changes, so that instead of very complex 'Ad-Aware' scanners we would have just a 'change history, revert?' button. Third is easier for ISPs - if we cannot fight bad software, fight those who profit from using it. For SPAM - ok, there is no way to stop the sending of spam (for now), but any SPAM advertises someone, and this someone is always 100% identified - so fight (limit, flood with calls, overload with false information, etc.) the SPAM beneficiaries, teach them not to purchase 'We will send your advertisement to 10M people over the world'. The same in the case of adware. For spyware, fight those who receive the information back - by any means.
> >
> > ----- Original Message -----
> > From: John Underhill [EMAIL PROTECTED]
> > To: Niels Bakker [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Sent: Wednesday, July 14, 2004 1:12 PM
> > Subject: Re: Spyware becomes increasingly malicious
> >
> > Ok.. but has BSD been attacked on the scale that MS code has? I would argue no, not even close. Do you believe BSD is invulnerable to attack? Hardly.. Unless you want to go back to text-based browsers and kernels that fit on a floppy, it is extremely difficult to eliminate all vulnerabilities in the code of a sophisticated OS. The more complex the system, the easier it is to break
Re: Spyware becomes increasingly malicious
> Most of the latest versions appear to install themselves using the ByteCode Verifier vulnerability in the Microsoft Virtual Machine.

MS do not publish full system specs, and they use undocumented features themselves. So, what are other companies doing? Yes, correct, they are experimenting, searching for the undocumented features. They found them, and no one can separate bugs from undocumented features. These are all results of the MS approach _I am doing everything myself and do not want others to compete with me_. Ok, so please do not complain about those who use your undocumented features, undocumented APIs (and ohh, it is not my API, it is a bug... as they are saying now). Are you sure that it is a bug, and not a backhole created by MS for themselves? I am not.

> Fully patched systems don't get the stuff installed.

Or - after others found this backhole, they decided to seal it. You cannot prove that it is a bug, as I cannot prove that it was a feature. Any undocumented API is no different from a bug - it is just something which is not documented but exists.

> I'm sure the authors are working on newer injection methods

Just as MS is working on new undocumented APIs. Of course they are - hackers, spyware designers and MS developers... I do not see a difference.

> Though the blame might be placed on Microsoft for having a flaw in their code, this wasn't part of any IE feature.

Please, specify the difference between a 'flaw in the code' and a 'backhole created for their own purposes'. If they claim 'our developers use only the specified API' and 'we specify and document every system call and every function which can be used legally, from a technical point of view', then I agree. But they never did and never would. If they did it, they would lose their monopoly. Result - a full zoo of pets, pests, and other animals in every home computer running Windoze. Maybe this particular feature was a bug, I can agree - but I do not see a difference (still).

> > I do not blame MS, but what about spyware on Macs - is it so easy to write and install spyware there?
>
> I don't really want to get into the argument of why people choose

Sorry, it was a _technical_ question - is MAC OS known as having pests and ad-ware in comparable numbers (if any)?

> Microsoft products to attack, but if someone was going to choose a product to attack, from which they were going to try and make the most money/impact off of, do you think they would choose the product with the largest user base? I think that's the case here. It would be a poor business decision not to, and these people are definitely out to make as much money as they can off of these exploits.
>
> > This is 100% legal at this point (and even if it is not legal, who bothers about it outside of the USA? No one!).
>
> It really shouldn't be legal. It is someone gaining unauthorized

Hmm. Is it legal for MS developers (for example, Office developers) to use undocumented APIs? What's the difference? What does 'access' mean - you open my web page, and your IE downloads my GIF file - is it authorised (my GIF is installed into your computer)? You allow ActiveX to run, even if ActiveX can install software - it is enough to be authorised. This is common sense - if there is a road, it is authorised to hike it (except if there is a closed gate or an angry dog on the way). At least, it is common sense in 90% of the world. Of course, we can create many laws making common sense useless, but do not expect anyone outside to follow them. The Internet is not located inside, so - you can draw a conclusion. MS provoked people to search for undocumented things - it is common sense which tells me that this results in my home computer taking unpredicted actions - and I cannot blame spyware writers, I should blame MS writers... (I do not like spyware writers, anyway, but they are doing their business..)

> access to computer systems and altering data on those machines. Not to mention that people are profiting from these intrusions.

Of course they are. MS profited from undocumented APIs as well. Where is the difference?

> -Brian
Re: Spyware becomes increasingly malicious
> MS do not publish full system specs, and they use undocumented features themselves.

Ok, say MS published their code tomorrow, what do you think would happen? All the crackers and virus writers of the world would join hands and sing 'Joy to the World' and forgive MS for their trespasses? I suggest that many of these virus writers are not motivated by an elitist ideology, but rather by financial gain, and the sense of empowerment borne of damaging a global system. I agree that MS, like many large companies, have not always behaved in an ethical manner, and have been driven largely by bottom-line economics, but what is done is done, and that doesn't absolve virus and spyware writers of the damage they are doing to the internet community.

> So, what are other companies doing? Yes, correct, they are experimenting, searching for the undocumented features. They found them, and no one can separate bugs from undocumented features. These are all results of the MS approach _I am doing everything myself and do not want others to compete with me_. Ok, so please do not complain about those who use your undocumented features, undocumented APIs (and ohh, it is not my API, it is a bug... as they are saying now). Are you sure that it is a bug, and not a backhole created by MS for themselves? I am not.

So MS has undocumented 'features', so what? When you install their software you agree to a licence, and that you are using their software bound by their terms and conditions. Am I afraid big brother is watching, that MS is spying on me? Not really, nothing to see. Do I think that some of these practices are unethical? Yes, they probably are, but when I agreed to that licence I gave up my right to complain. Arguably, the internet would not be where it is today without MS, and this design principle of automating as many processes as possible is what has made the internet a universally accessible medium, and that this automation creates security vulnerabilities is simply the trade-off made for that accessibility.

> Or - after others found this backhole, they decided to seal it. You cannot prove that it is a bug, as I cannot prove that it was a feature. Any undocumented API is no different from a bug - it is just something which is not documented but exists.
>
> Just as MS is working on new undocumented APIs. Of course they are - hackers, spyware designers and MS developers... I do not see a difference.

I see a very distinct difference, and that is that I have made a choice to use the MS product, that I have given my consent to them by way of a licence agreement; if they clearly abuse that trust, I will choose an alternative product, that is free enterprise in action. But I did not give the hacker and spyware writer permission to invade my privacy and damage my systems. Using MS products is not an open invitation to criminals to disrupt my networks, or absolution for criminal acts.

> Please, specify the difference between a 'flaw in the code' and a 'backhole created for their own purposes'. If they claim 'our developers use only the specified API' and 'we specify and document every system call and every function which can be used legally, from a technical point of view', then I agree. But they never did and never would. If they did it, they would lose their monopoly. Result - a full zoo of pets, pests, and other animals in every home computer running Windoze. Maybe this particular feature was a bug, I can agree - but I do not see a difference (still).

MS has a monopoly, it's true, but the reason for that monopoly is not entirely because of unfair business practices; it also has a lot to do with their original design mission. That was and still is, to make their OS as easy to use as possible. You and I may know how to use Linux, but up until a couple of years ago, this was just too complex an operating system for the average home user. That much of the MS code is undocumented is probably a good thing, because it makes the virus writers' work more difficult. Do I think that these undocumented features serve some devious purpose? If someone can come up with hard evidence of that, I will change operating systems.

> Sorry, it was a _technical_ question - is MAC OS known as having pests and ad-ware in comparable numbers (if any)?

This is spurious logic. You are suggesting that Mac is a more secure operating system, and I would suggest that it is probably far less secure, because it has not had to withstand years of unearthing vulnerabilities in the code. I have heard an OS compared to a sphere: the larger the sphere, the more surface area; the larger the OS, the more area to protect. The last time I installed Red Hat, it weighed in at nearly 2 gigs, Mac around the same. Now, you can fit a 1000-page novel in a 3 meg file, so consider, there are millions of pages of code in an OS, and regardless of your operating system of choice, there are innumerable flaws that beg exploitation. The only reason MS is consistently
Re: Spyware becomes increasingly malicious
> Sorry, it was a _technical_ question - is MAC OS known as having pests and ad-ware in comparable numbers (if any)?

* [EMAIL PROTECTED] (John Underhill) [Wed 14 Jul 2004, 19:45 CEST]:
> This is spurious logic. You are suggesting that Mac is a more secure operating system, and I would suggest that it is probably far less secure, because it has not had to withstand years of unearthing vulnerabilities in the code.

It has. Darwin is based on years of development in BSD code.

-- Niels.

-- 
Today's subliminal thought is:
Re: Spyware becomes increasingly malicious
Ok.. but has BSD been attacked on the scale that MS code has? I would argue no, not even close. Do you believe BSD is invulnerable to attack? Hardly.. Unless you want to go back to text-based browsers and kernels that fit on a floppy, it is extremely difficult to eliminate all vulnerabilities in the code of a sophisticated OS. The more complex the system, the easier it is to break, and with the level of automation currently expected by most users, this requires a very complex build. Could MS be made more secure? Of course. Do I think they are actively working on the problem? Yes. If Novell or Mac had risen to the top of the OS heap, would they be catching all the viruses now? I think they would. Really, my point was not to argue this, but that there is no justification for malicious code, that you can't simply pawn it off on MS as being the real problem. By doing that, you are saying that people creating spyware and viruses are not culpable for their actions, that they should be allowed to create havoc and destroy systems, because really they are only leveraging 'features' built into the operating system.

----- Original Message -----
From: Niels Bakker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 14, 2004 3:31 PM
Subject: Re: Spyware becomes increasingly malicious

> Sorry, it was a _technical_ question - is MAC OS known as having pests and ad-ware in comparable numbers (if any)?

* [EMAIL PROTECTED] (John Underhill) [Wed 14 Jul 2004, 19:45 CEST]:
> This is spurious logic. You are suggesting that Mac is a more secure operating system, and I would suggest that it is probably far less secure, because it has not had to withstand years of unearthing vulnerabilities in the code.

It has. Darwin is based on years of development in BSD code.

-- Niels.

-- 
Today's subliminal thought is:
Re: Spyware becomes increasingly malicious
> Ok.. but has BSD been attacked on the scale that MS code has? I would argue no, not even close. Do you believe BSD is invulnerable to attack? Hardly..

I don't believe anybody is claiming that. However, the BSD code has been out *and* has been publicly scrutinized for quite a bit longer than Windows.

> Unless you want to go back to text-based browsers and kernels that fit on a floppy, it is extremely difficult to eliminate all vulnerabilities in the code of a sophisticated OS. The more complex the system, the easier it is to break, and with the level of automation currently expected by most users, this requires a very complex build.

However, Microsoft creates complexity by design, because they integrate more and more stuff into the basic OS, and because all the various applications gain more features with each new release.

> Could MS be made more secure? Of course. Do I think they are actively working on the problem? Yes.

Looks to me like they are actively working in two directions:

- Trying to make the systems more secure by teaching developers to think about security, etc.
- Trying to make the systems less secure, by making them steadily more complex. (And please don't try to tell me the *users* are demanding all the new features that MS put into the systems.)

It will be interesting to see which direction wins out in the long run.

> If Novell or Mac had risen to the top of the OS heap, would they be catching all the viruses now? I think they would.

They would certainly be catching viruses. Would they be catching *as many* viruses as MS? We don't know.

> Really, my point was not to argue this, but that there is no justification for malicious code, that you can't simply pawn it off on MS as being the real problem.

However, you can certainly argue that MS is *part of* the problem, or that they have *created* a large part of the problem themselves.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
RE: Spyware becomes increasingly malicious
John Underhill wrote:
> [snip long post]

One of the best posts I have seen in a long time; thanks, John. So the question remains, what do we do about it? That's where it gets tough. Let's begin with what we can't do about it:

- Declare that using IE is illegal. This literally takes an act of Congress. And, it would be almost impossible to enforce. Anyway, let's pretend for a moment that Congress does outlaw IE _and_ can enforce it; it still does not do us much good: whoever replaces Microsoft on the marketplace will quickly become very much like Microsoft, because the market demands it. We (citizens of the world) have Microsoft because, short of wanting Microsoft itself, we collectively wanted what Microsoft makes the way they make it, which comes at a price.

- Make IE safe. The nature of the beast is that it can't be: it would require a tremendous reduction in features, which in turn will drive the market towards a more featured browser, which will be unsafe. Kind of the same argument as above.

- In exchange for his life, appoint Saddam Hussein to rid us of spyware writers. As he's on a roll, let's put spammers in the deal, too. The guy has a proven track record; problem is most of us live in a society that opposes his methods, so this does not fly.

- Hire a large number of the brilliant minds that read this list to write a counter-spyware solution that targets the spyware writers. This does not fly either, because the battlefield is not level: we would target a limited and hard-to-find group of hijacking experts, that in turn have the entire world population of dumb users and insecure browsers to play with.

So, as it appears to me, we can't solve for good hunger in the world, peace in the Middle East, and the spyware problem.

John Underhill wrote:
> So the question remains, what do we do about it?

Save for legislative and/or legal action (that we do not do here), I'm afraid that the only thing we can do in here is to blackhole, and do it right. I don't like it much, but I have not heard any other suggestions so far.

Michel.
Re: Spyware becomes increasingly malicious
> So MS has undocumented 'features', so what? When you install their
> software you agree to a licence, and that you are using their software
> bound by their

O, noo. You click a button 'I agree' which means nothing for 99.99% of people over the world. Here is a difference. Do not expect people to 'agree' if you do not force them to follow this (and if your system does not violate 'common sense'). Did you ever see any idiot who reads these licenses (I never saw any)? It became (many years ago) some kind of ritual, like Indian dances before going to the war.

> terms and conditions. Am I afraid big brother is watching, that MS is
> spying on me? Not really, nothing to see. Do I think that some of these
> practices are unethical? Yes, they probably are, but when I agreed to
> that licence I gave up my right to complain. Arguably, the internet
> would not be where it is today without MS, and that

Of course, you are correct here.

> this design principle of automating as many processes as possible is
> what has made the internet a universally accessible medium, and that this

And which makes it a good dinner table for the pests, viruses and so on... Maybe the idea was that people read the 'license', click the button (I agree) and follow it - never write code which violates this license? But it is not true - 99.99% of people do not read it and behave as common sense says, not as MS lawyers fictioned... They see a wall with a gate - and they go through this gate, no matter what is written on the posters around (except, as I said, if they see an angry dog next to the gate). /On the other hand, they know that coffee is hot and a waterfall is dangerous and dogs can bite -:)/. You must design your system for this behavior, not for people who _read a license_. These licenses are good only for 2 goals - (1) use them as toilet tissue; (2) in case of serious violation, allow you to sue the user if he is in the USA... -- they do not change people's behavior even a bit.

Unfortunately, the Internet is not in the USA, so even if we have 100 strict laws prohibiting spyware, it will not help to fight these pests and pets... The system must defend itself.

> automation creates security vulnerabilities is simply the trade off
> made for that accessibility.

I agree, in general. Yes, it is a trade off of _easy to use_, but not only. Many of these things are a trade off of _MS does not want competition_, so they keep many undocumented backholes allowing them to have benefits vs competitors. IE which makes a search instead of reporting 'Name not found' is a good example.

Yes, I agree, I see a distinction too. I just want to show that it is not so simple to determine (distinction) and it is not very productive even to try doing it - it is much more important to (1) protect the system, and (2) increase competition having more different systems, and (3) use standards, instead of proprietary extensions...

> MS has a monopoly, it's true, but the reason for that monopoly is not
> entirely because of unfair business practices, it also has a lot to do
> with their original design mission. That was and still is, to make their
> OS as easy to use as possible. You and I may know how to use linux, but
> up until a

Yes, and they did it 'too easy to use', so they have a drawback in the form of viruses, worms, pests and pets - what a surprise... If it was 5 years ago, they would already have gone out of the market because of competition (from others who did not make it so easy to use but kept systems without pets and pests). Unfortunately, those years are over.

> couple of years ago, this was just too complex an operating system for
> the average home user. That much of the MS code is undocumented, is
> probably a

I am not talking about the code; I am talking about APIs.

> This is spurious logic. You are suggesting that Mac is a more secure

I do not know - it was a question.

> of choice, there are innumerable flaws that beg exploitation. The only
> reason MS is consistently the subject of attack, and not Mac, is not
> because

I am not sure - the new Mac OS is much more consistent inside than MS. How can a script (which must run inside the sandbox) install spyware, or change my home page, or see my address book (except if I confirmed the administrative password after I was asked for it)? Any small difference can play a dramatic role here - when working in Unix, I always login as 'alex' with 'user' permissions - because I can make myself admin temporarily by running 'sudo -s' or 'su -'; in Windoze, I must login as an administrator from the very beginning, so I do it - as a result, a script can install startup-time software in MS but can not in my Unix (just a simple example). And so on. I am not trying to analyze MS vs Unix vs MAC here, but it is obvious that MS has very serious design caveats, and there is a chance (a chance only) that other systems have not.

> Again I think it comes down to choice. I have navigated to a website
> because I have made a choice to view its content and services, I did not
Re: Spyware becomes increasingly malicious
-:) Excellent!

==

> - Declare that using IE is illegal. This literally takes an act of congress. And, it would be almost impossible to enforce. Anyway, let's pretend for a moment that congress does outlaw IE _and_ can enforce it; it still does not do us much good: whoever replaces Microsoft on the marketplace will quickly become very much like Microsoft because the market demands it. We (citizens of the world) have Microsoft because, short of wanting Microsoft itself, we collectively wanted what Microsoft makes the way they make it, which comes at a price.
>
> - Make IE safe. The nature of the beast is that it can't be: it would require a tremendous reduction in features, which in turn will drive the market towards a more featured browser, which will be unsafe. Kind of the same argument as above.
>
> - In exchange for his life, appoint Saddam Hussein to rid us of spyware writers. As he's on a roll, let's put spammers in the deal, too. The guy has a proven track record; problem is, most of us live in a society that opposes his methods, so this does not fly.
>
> - Hire a large number of the brilliant minds that read this list to write a counter-spyware solution that targets the spyware writers. This does not fly either, because the battlefield is not level: we would target a limited and hard-to-find group of hijacking experts, who in turn have the entire world population of dumb users and insecure browsers to play with.
>
> So, as it appears to me, we can't solve for good hunger in the world, peace in the middle east, and the spyware problem.
>
> John Underhill wrote:
> > So the question remains, what do we do about it?
>
> Save for legislative and/or legal action (that we do not do here), I'm afraid that the only thing we can do in here is to blackhole, and do it right. I don't like it much, but I have not heard any other suggestions so far.
>
> Michel.
Problems with private justice (was Re: Spyware becomes increasingly malicious)
> > I guess the big question is, is there anyone (other than those profiting directly from CWS) that would complain if a provider were to do such a thing...
>
> looks like a psi-net pink contract inherited by cogent. but since the psi-cogent rollup was an asset sale rather than a corporate merger, cogent probably isn't bound by that contract. somebody needs to get on the phone, i guess.

This is a problem with implementing private justice. Do you have all the facts?

The CWS trojans are not downloaded from the Cool Web Search site. Could this be a Joe job by someone who doesn't like the owners of Cool Web Search? The owners of the Cool Web Search company deny they are the creators of, or affiliated with the creators of, the CWS trojans. Maybe they are lying. Maybe other Joe jobs have lied too.

Blocking or de-peering the service provider for Cool Web Search will not prevent you from being infected with CWS trojans any more than blocking or de-peering the service provider for Google will prevent you from being infected with Google trojans, or blocking and de-peering the service provider of Paypal will prevent people from sending you mail offering to update your Paypal account information, or blocking and de-peering SCO would prevent people from being infected with viruses which attacked the SCO web site.

I don't have all the facts. Maybe someone else does.
RE: Spyware becomes increasingly malicious
William Warren wrote:
> I second that. The version I saw required a third party registry editor and booting up into the recovery console from an XP cd (safe mode didn't cut it) just to remove a hidden dll.

Which is why I made the executive decision to re-image instead of trying to fix, as unfortunately a new variant requires spending more time learning it, which is not worth it. :-(

> What I don't understand is how exploiting bugs in a program (internet explorer) to install software without the consent or even acknowledgement from the owner/user is legal behavior.

<me puts the devil's advocate suit on>

There is a grey area between being legal and not being illegal. Compare to the junk fax issue: it was not legal either (as it spent the recipient's money without authorization) but it did take special legislation to make it specifically illegal. If you were to go to court it would not be a slam dunk by any means; it is going to take more nuisance than there has been so far for the legal system to do something about it. Trouble is, it does not prevent you from using the computer, mostly.

Michel.
RE: Spyware becomes increasingly malicious
David Schwartz wrote:
> One wrong turn probing it can render a machine unusable until it's reloaded.

Ah, I'm not the only one it appears.

> > In the meantime, let's at least blackhole all their IPs on our networks.

Do any of the regular lists keep track of this and already blacklist?

Michel.
RE: Problems with private justice (was Re: Spyware becomes increasingly malicious)
<oops>
I just realized that I incorrectly quoted William Warren instead of Brian Battle in my previous post. Sorry guys, cut/paste casualty.
</oops>

Sean Donelan wrote:
> Could this be a Joe job by someone who doesn't like the owners of Cool Web Search? The owners of the Cool Web Search company deny they are the creators of, or affiliated with the creators of, the CWS trojans. Maybe they are lying. Maybe other Joe jobs have lied too.

Good points.

> I don't have all the facts. Maybe someone else does.

Yep, the guys that write the Trojans :-D As Brian says:

Brian Battle wrote:
> The authors of these coolwebsearch variants are extremely intelligent programmers with far more understanding of the bowels of the windows platform than your average script kiddies.

The problem I have is not with understanding of the bowels, but with the ability to produce bowel movements.

Michel.
Re: Problems with private justice (was Re: Spyware becomes increasingly malicious)
LOL..not a problem..:)

Michel Py wrote:
> <oops>
> I just realized that I incorrectly quoted William Warren instead of Brian Battle in my previous post. Sorry guys, cut/paste casualty.
> </oops>
>
> Sean Donelan wrote:
> > Could this be a Joe job by someone who doesn't like the owners of Cool Web Search? The owners of the Cool Web Search company deny they are the creators of, or affiliated with the creators of, the CWS trojans. Maybe they are lying. Maybe other Joe jobs have lied too.
>
> Good points.
>
> > I don't have all the facts. Maybe someone else does.
>
> Yep, the guys that write the Trojans :-D As Brian says:
>
> Brian Battle wrote:
> > The authors of these coolwebsearch variants are extremely intelligent programmers with far more understanding of the bowels of the windows platform than your average script kiddies.
>
> The problem I have is not with understanding of the bowels, but with the ability to produce bowel movements.
>
> Michel.

--
My Foundation verse:
Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.

-- carpe ductum -- Grab the tape
Re: Spyware becomes increasingly malicious
> The authors of these coolwebsearch variants are extremely intelligent
> programmers with far more understanding of the bowels of the windows
> platform than your average script kiddies. If you get hit with the
> version I saw, it's no 10 minute piece of cake.

It makes spyware more dangerous than viruses, which are written (in 99.99% of cases) by younger and less experienced persons (and without good QA, good project management etc).

> What I don't understand is how exploiting bugs in a program (internet
> explorer) to install software without the consent or even acknowledgement
> from the owner/user is legal behavior. To me, it's just like someone abusing

It is not a bug; it is a specially designed IE feature. MS always was proud of their full automation - install on demand, update automatically, add new software to start at startup without needing to be system admin, etc etc... As a result, we have a field full of bugs, pests, pets, spiders, spies and so on... They have _exactly_ what they designed. No one even bothered to ask me 'do you want to allow this registry change', because 'MS believes that their users are lamers so everything must be automated from the beginning to the end'... It is another weak side of MS design (the first one is complexity) and the other side of MS agriculture (the first one is a monoculture easily infected by a mortal infection). I do not blame MS, but what about spyware on Macs - is it so easy to write and install spyware there?

> a bug in bind, and installing a rootkit, which last time

It is a difference. This was a bug. Bind has no undocumented features. MS has millions of undocumented features, and (because they never opened their OS and never published full specs) every developer plays a game 'find a feature before competitors and use it'. As a result, someone finds features which were not designed but just 'happened' -:). Anyway, these are features, not bugs. This is 100% legal at this point (and even if it is not legal, who bothers about it outside of the USA? No one!).

> I checked, could end up getting someone in legal troubles. For another
> hastily-thought-out analogy, it's like someone breaking into your house
> and reprogramming your cable box to keep changing the channel to the home
> shopping club every 30 seconds.
>
> -Brian
Re: Spyware becomes increasingly malicious
On Mon, 12 Jul 2004 12:37:37 EDT, Hannigan, Martin [EMAIL PROTECTED] said:

> ...dealt with at the browser level in MS Security Bulletin MS03-011. I have
> a hard time blaming MS for everything since in most cases of these things
> they do react. How do they force the users to update? Could they implement
> a switch that says no update, no working browser? At least for IE? Scob
> was dealt with via the hammer, this could be too.

At some point, one needs to say "I've pounded enough nails, it's time to look at alternate fasteners..."
Re: Spyware becomes increasingly malicious
Brian Battle wrote:
> For another hastily-thought-out analogy, it's like someone breaking into your house and reprogramming your cable box to keep changing the channel to the home shopping club every 30 seconds.

That would be the result of the broadcast bit.

Pete
RE: Spyware becomes increasingly malicious
Alexei Roudnev wrote:
> It is not a bug; it is a specially designed IE feature. MS always was proud of their full automation - install on demand, update automatically, add new software to start at startup without needing to be system admin, etc etc... As a result, we have a field full of bugs, pests, pets, spiders, spies and so on... They have _exactly_ what they designed. No one even bothered to ask me 'do you want to allow this registry change', because 'MS believes that their users are lamers so everything must be automated from the beginning to the end'...

Most of the latest versions appear to install themselves using the ByteCode Verifier vulnerability in the Microsoft Virtual Machine. Fully patched systems don't get the stuff installed. I'm sure the authors are working on newer injection methods.

Though the blame might be placed on Microsoft for having a flaw in their code, this wasn't part of any IE feature. You can read more about this exploitable bug (not feature) at http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

> I do not blame MS, but what about spyware on Macs - is it so easy to write and install spyware there?

I don't really want to get into the argument of why people choose microsoft products to attack, but if someone was going to choose a product to attack, from which they were going to try and make the most money/impact off of, do you think they would choose the product with the largest user base? I think that's the case here. It would be a poor business decision not to, and these people are definitely out to make as much money as they can off of these exploits.

> This is 100% legal at this point (and even if it is not legal, who bothers about it outside of the USA? No one!).

It really shouldn't be legal. It is someone gaining unauthorized access to computer systems and altering data on those machines. Not to mention that people are profiting from these intrusions.

-Brian
Re: Spyware becomes increasingly malicious
RKJ> Date: Mon, 12 Jul 2004 01:43:50 -0300
RKJ> From: Rubens Kuhl Jr.
RKJ>
RKJ> Try booting into safe mode before running software to detect
RKJ> or remove spyware; some of them fight to survive if they are

Also use msconfig to disable non-critical extras.

Some of us have manually ripped out ActiveX controls and BHOs care of regedit... but, alas, malware often has made enough registry and other system changes that the system is left unstable or inoperable.

CVS archives of { { system file MD5/SHA1 hashes } and { registry dumps } }, anyone?

Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
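Eddy's idea above (keep a versioned archive of system file hashes and diff a suspect machine against it) is the classic file-integrity baseline. The script below is an added example and is not code from this thread or from any of its posters. It assumes SHA-256 from Python's hashlib rather than the MD5/SHA-1 the post names (both are no longer collision-resistant, so an attacker could craft a replacement with a matching digest), stores the baseline as a JSON file that can be checked into CVS or any other VCS, and walks a constructed directory tree in a temp dir to show the three outcomes a responder cares about: a dropped file, a replaced file, and a deleted file. Symlinks are deliberately skipped so a link planted after the baseline cannot stand in for the real target.

```python
"""File-integrity baseline: hash a directory tree, store the result, and
diff a later run against it. Added example, not code from the NANOG thread;
the tree under 'system32' and the 'tampering' below are constructed for the demo."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Hex digest of one file, read in 64 KiB chunks so large binaries fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, algo: str = "sha256") -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped: a link planted later must not masquerade as the target."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    """Sorted, indented JSON: stable line order gives clean diffs under version control."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify changes between two baselines: added, removed, or content changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a hidden DLL
    being dropped, a system binary being replaced and a driver being deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"
        (root / "drivers").mkdir(parents=True)
        (root / "kernel32.dll").write_bytes(b"good kernel32 image")        # constructed
        (root / "drivers" / "ntfs.sys").write_bytes(b"good ntfs driver")   # constructed
        (root / "userinit.exe").write_bytes(b"good userinit")              # constructed
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated post-baseline tampering (constructed, not real malware behaviour).
        (root / "hidden.dll").write_bytes(b"unexpected new module")
        (root / "userinit.exe").write_bytes(b"replaced userinit")
        (root / "drivers" / "ntfs.sys").unlink()

        return diff_baseline(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real machine you would run `build_baseline` against a known-clean install (or a fresh image) and commit the JSON; after a suspected infection, run it again on the same tree and feed both files to `diff_baseline`. The baseline must be taken from a trusted copy of the files and kept off the machine being checked, otherwise the malware that rewrote the files can rewrite the hashes too.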
Re: Spyware becomes increasingly malicious
coolwebsearch has become more and more sneaky..so bad that development of cws shredder has been abandoned by its developer. Either seriously lock down your ie (which with CWS is not going to help) or use something other than ie.

Edward B. Dreger wrote:
> RKJ> Date: Mon, 12 Jul 2004 01:43:50 -0300
> RKJ> From: Rubens Kuhl Jr.
> RKJ>
> RKJ> Try booting into safe mode before running software to detect
> RKJ> or remove spyware; some of them fight to survive if they are
>
> Also use msconfig to disable non-critical extras.
>
> Some of us have manually ripped out ActiveX controls and BHOs care of regedit... but, alas, malware often has made enough registry and other system changes that the system is left unstable or inoperable.
>
> CVS archives of { { system file MD5/SHA1 hashes } and { registry dumps } }, anyone?
>
> Eddy
Re: Spyware becomes increasingly malicious
----- Original Message -----
From: William Warren [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 12, 2004 10:04 PM
Subject: Re: Spyware becomes increasingly malicious

> coolwebsearch has become more and more sneaky..so bad that development of cws shredder has been abandoned by its developer. Either seriously lock down your ie (which with CWS is not going to help) or use something other than ie.

Are you honestly serious? I came up against it for the first time only about 3 days ago and I got rid of it in 10 minutes! I can see how it would be a problem for a newbie but it shouldn't be anything more than 10 minutes' work for anyone here with Windows experience.

Greg.
Re: Spyware becomes increasingly malicious
----- Original Message -----
From: Michel Py [EMAIL PROTECTED]
To: Sean Donelan [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, July 12, 2004 1:24 PM
Subject: RE: Spyware becomes increasingly malicious

> Indeed. Lately, I have not been able to clean a very annoying piece of crud named CoolWebSearch.

Look, I am not attempting to be flippant, but do yourself a favour and download HiJackThis and check out the registry entries that show up. It is quite obvious how to remove it the moment you do that. As I said in my last letter, it is all of 10 minutes' work, if that. I can't even remember what the damned registry entries were now, but it all comes in via SmilyeyCentral (possibly other progs), so anyone annoyed by CoolWebSearch has to block installation of that program.

Greg.
Re: Spyware becomes increasingly malicious
On Mon, 12 Jul 2004, William Warren wrote:
> coolwebsearch has become more and more sneaky..so bad that development of cws shredder has been abandoned by its developer. Either seriously lock down your ie (which with CWS is not going to help) or use something other than ie.

http://www.securityfocus.com/news/8998
Jun 28 2004 7:38AM
US CERT (the US Computer Emergency Readiness Team) is advising people to ditch Internet Explorer and use a different browser after the latest security vulnerability in the software was exposed.

http://www.eweek.com/article2/0,1759,1622344,00.asp
July 12, 2004
In the wake of last week's revelation of a security hole in Mozilla that allows the execution of arbitrary programs on the client system, a philosophical debate has emerged: Is this a bug in Mozilla or a bug in Windows?

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
RE: Spyware becomes increasingly malicious
William Warren wrote:
> coolwebsearch has become more and more sneaky..so bad that development of cws shredder has been abandoned by its developer

The smart computer does not exist (if it did, we would not have a job, would we? ;-)

> Either seriously lock down your ie (which with CWS is not going to help) or use something other than ie.

No argument here.

Gregh wrote:
> Are you honestly serious? I came up against it for the first time only about 3 days ago and I got rid of it in 10 minutes! I can see how it would be a problem for a newbie but it shouldn't be anything more than 10 minutes' work for anyone here with Windows experience.

There are dozens of variants; obviously you've seen only one.

Michel.
Re: Spyware becomes increasingly malicious
On Mon, Jul 12, 2004 at 04:18:34PM +, Paul Vixie wrote:
> somebody, probably sean, mentioned scaling earlier in this thread.
>
> > coolwebsearch has become more and more sneaky.. so bad that development of cws shredder has been abandoned by its developer..
> > ...
> > the first time only about 3 days ago and I got rid of it in 10 minutes! I can see how it would be a problem for a newbie but it shouldn't be anything more than 10 minutes work for anyone here with Windows experience.
> > ...
> > There are dozen of variants, obviously you've seen only one.
>
> so, this bit of spyware (which was resistant to ad-aware as of last week, though ad-aware seems to publish a new definition file every day now) relies on a web site, and that web site relies on the spyware for its traffic and eyeballs, and the spyware and website are owned/operated/published by the same company. the website does not move around, it's at a fixed location.
>
> the scaling issue, please: why does that company still have an internet connection? or, to put it less mildly: why does that company's provider still have an upstream? or, to put it in terms you can all understand: why does that provider's upstream still have bgp peers?
>
> if you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is it isn't scaling well.

http://www.webhelper4u.com/CWS/cwsoriginial.html

These folks? Looks like it's all Cogent. Surely someone has contacted Cogent about this?

network:ID:NET-42FA4A8019
network:Network-Name:NET-42FA4A8019
network:IP-Network:66.250.74.128/25
network:Org-Name:HyperSpace Communications
network:Street-Address: 74 West Street
network:City:Waltham
network:State:MA
network:Postal-Code:02451
network:Country-Code:US
network:Tech-Contact:ZC108-ARIN

--
Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
RE: Spyware becomes increasingly malicious
Paul Vixie wrote:
> or, to put it in terms you can all understand: why does that provider's upstream still have bgp peers?

Maybe said upstream does not want to deal with TROs and legal issues? CWS is not illegal as of today.

> if you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is it isn't scaling well.

Could not agree more.

Michel.
RE: Spyware becomes increasingly malicious
This appears to have been dealt with at the browser level in MS Security Bulletin MS03-011. I have a hard time blaming MS for everything since in most cases of these things they do react. How do they force the users to update? Could they implement a switch that says no update, no working browser? At least for IE? Scob was dealt with via the hammer, this could be too.

There are 39 variants at the moment:
http://www.spywareinfo.com/~merijn/cwschronicles.html

The difficulty in cleaning is due to the variants:
http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

Disclaimer: That site looks/feels credible, but I did just a little correlation.

Thanks.

ARIN: The IP number for their website is allocated to cogent, but not SWIP'd.

Apparent last mile:

16 p6-0.core01.jfk02.atlas.cogentco.com (66.28.4.82) 107.092 ms 104.713 ms 107.080 ms
17 p5-0.core01.jfk01.atlas.cogentco.com (66.28.4.9) 108.177 ms 108.023 ms 109.115 ms
18 g49.ba01.b001362-1.jfk01.atlas.cogentco.com (66.28.66.42) 106.147 ms 105.769 ms 109.537 ms
19 HyperSpace_Communications.demarc.cogentco.com (66.250.5.30) 110.872 ms 108.745 ms 106.978 ms
20 66.250.74.150 (66.250.74.150) 107.939 ms 108.364 ms 104.599 ms

Apparent Registration:

domain: coolwebsearch.com
status: production
organization: InterWeb Solutions Inc
owner: InterWeb Solutions Inc
email: [EMAIL PROTECTED]
address: P.O. Box 362
address: Road Town
city: Tortola
postal-code: 65113
country: IO
admin-c: [EMAIL PROTECTED]
tech-c: [EMAIL PROTECTED]
billing-c: [EMAIL PROTECTED]
nserver: ns1.maximumhost.com
nserver: ns2.rosexxxgarden.com
registrar: JORE-1
created: 2001-06-01 04:51:34 UTC JORE-1
modified: 2004-03-17 14:59:02 UTC JORE-1
expires: 2007-05-31 22:51:23 UTC
source: joker.com

-M

--
Martin Hannigan (c) 617-388-2663
VeriSign, Inc. (w) 703-948-7018
Network Engineer IV Operations Infrastructure
[EMAIL PROTECTED]

coolwebsearch:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Vixie
Sent: Monday, July 12, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Spyware becomes increasingly malicious

> somebody, probably sean, mentioned scaling earlier in this thread.
>
> > coolwebsearch has become more and more sneaky.. so bad that development of cws shredder has been abandoned by its developer..
> > ...
> > the first time only about 3 days ago and I got rid of it in 10 minutes! I can see how it would be a problem for a newbie but it shouldn't be anything more than 10 minutes work for anyone here with Windows experience.
> > ...
> > There are dozen of variants, obviously you've seen only one.
>
> so, this bit of spyware (which was resistant to ad-aware as of last week, though ad-aware seems to publish a new definition file every day now) relies on a web site, and that web site relies on the spyware for its traffic and eyeballs, and the spyware and website are owned/operated/published by the same company. the website does not move around, it's at a fixed location.
>
> the scaling issue, please: why does that company still have an internet connection? or, to put it less mildly: why does that company's provider still have an upstream? or, to put it in terms you can all understand: why does that provider's upstream still have bgp peers?
>
> if you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is it isn't scaling well.
>
> --
> Paul Vixie
Re: Spyware becomes increasingly malicious
On 7/12/04 12:33 PM, Michel Py [EMAIL PROTECTED] wrote:
> Paul Vixie wrote:
> > or, to put it in terms you can all understand: why does that provider's upstream still have bgp peers?
>
> Maybe said upstream does not want to deal with TROs and legal issues? CWS is not illegal as of today.

CWS isn't illegal. On the other hand, there is no legal exposure from depeering providers who take on these customers. TROs and such would only come into effect if the provider's peers failed to observe the contractually obligated notice period (30-60 days, normally). Some peering contracts specify that behaviors that endanger a network or its users allow for immediate disconnection. It's a bit of a stretch to invoke this for a spyware site.

Depeering has been threatened as an anti-spam measure - it is reasonably effective. This hasn't been extended to spyware, as it doesn't get the same level of press.

If you contact a provider who is hosting malware, and they refuse to remove it or disconnect the hoster, you could always try contacting their peers and cc:ing the offending provider. End-user networks (DSL, Cable, dial-up) are particularly sensitive to software that might harm their users.

> > if you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is it isn't scaling well.
>
> Could not agree more.
>
> Michel.

--
Daniel Golding
Network and Telecommunications Strategies
Burton Group
RE: Spyware becomes increasingly malicious
> On 7/12/04 12:33 PM, Michel Py [EMAIL PROTECTED] wrote:
>
> Some peering contracts specify that behaviors that endanger a network or its users allow for immediate disconnection. It's a bit of a stretch to invoke this for a spyware site.

I think you could find a few experts that could argue that malware in general, and CWS in specific, has now reached the point where it is entirely reasonable to classify it as endangering the users of the network. Anyone who has dealt with a variant of CWS for which a remover was not available will tell you how much trouble it causes, rendering systems unusable until you find the magic combination, reimage the system, or wait until someone else figures out the variant. One wrong turn probing it can render a machine unusable until it's reloaded.

> In the meantime, let's at least blackhole all their IPs on our networks.

One way to reduce malware is to reduce the benefits of creating and distributing it. Another way is to find the people benefiting and string them up in the town square.

DS
Re: Spyware becomes increasingly malicious
I think depeering is a bit over the top for this situation, but I wouldn't blink at nullrouting the prefix in question at my cores... :)

I guess the big question is, is there anyone (other than those profiting directly from CWS) that would complain if a provider were to do such a thing...

-C

On Jul 12, 2004, at 1:34 PM, Daniel Golding wrote:
> On 7/12/04 12:33 PM, Michel Py [EMAIL PROTECTED] wrote:
> > Paul Vixie wrote:
> > > or, to put it in terms you can all understand: why does that provider's upstream still have bgp peers?
> >
> > Maybe said upstream does not want to deal with TROs and legal issues? CWS is not illegal as of today.
>
> CWS isn't illegal. On the other hand, there is no legal exposure from depeering providers who take on these customers. TROs and such would only come into effect if the provider's peers failed to observe the contractually obligated notice period (30-60 days, normally). Some peering contracts specify that behaviors that endanger a network or its users allow for immediate disconnection. It's a bit of a stretch to invoke this for a spyware site.
>
> Depeering has been threatened as an anti-spam measure - it is reasonably effective. This hasn't been extended to spyware, as it doesn't get the same level of press.
>
> If you contact a provider who is hosting malware, and they refuse to remove it or disconnect the hoster, you could always try contacting their peers and cc:ing the offending provider. End-user networks (DSL, Cable, dial-up) are particularly sensitive to software that might harm their users.
>
> > > if you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is it isn't scaling well.
> >
> > Could not agree more.
> >
> > Michel.
Re: Spyware becomes increasingly malicious
On Mon, 12 Jul 2004, Richard A Steenbergen wrote:

> http://www.webhelper4u.com/CWS/cwsoriginial.html
>
> These folks? Looks like it's all Cogent. Surely someone has contacted Cogent about this?

I'm sure someone has. The real question should be, does Cogent care?

http://www.spamhaus.org/sbl/listings.lasso?isp=cogentco.com

Magic 8-ball: all signs point to no
Re: Spyware becomes increasingly malicious
On Jul 12, 2004, at 11:20 AM, Christopher Woodfield wrote:

> I think depeering is a bit over the top for this situation, but I wouldn't blink at nullrouting the prefix in question at my cores... :)
>
> I guess the big question is, is there anyone (other than those profiting directly from CWS) that would complain if a provider were to do such a thing...

If (your network == your organization) then maybe it's okay, otherwise I wouldn't consider it. If your customers demand it then that's something different, and as a provider you can choose to provide this sort of filtering for your customer.

It's the old "I don't want some plumber deciding what can come down my pipe" argument.

-davidu
Re: Spyware becomes increasingly malicious
> I think depeering is a bit over the top for this situation, ...

if their customer was sucking blood from your customer, and if your peer was taking a cut of the proceeds, would the issues be any clearer?

> I guess the big question is, is there anyone (other than those profiting directly from CWS) that would complain if a provider were to do such a thing...

looks like a psi-net pink contract inherited by cogent. but since the psi-cogent rollup was an asset sale rather than a corporate merger, cogent probably isn't bound by that contract. somebody needs to get on the phone, i guess.
Re: Spyware becomes increasingly malicious
- Original Message -
From: Michel Py [EMAIL PROTECTED]
To: Gregh [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, July 13, 2004 12:41 AM
Subject: RE: Spyware becomes increasingly malicious

> Gregh wrote:
>
> > Are you honestly serious? I came up against it for the first time only about 3 days ago and I got rid of it in 10 minutes! I can see how it would be a problem for a newbie but it shouldn't be anything more than 10 minutes work for anyone here with Windows experience.
>
> There are dozens of variants, obviously you've seen only one.

Obviously. If I can get rid of it easily *I* am the one who is wrong! All I did was the job. How about you read what I wrote. It really IS that easy.

Greg.
Re: Spyware becomes increasingly malicious
not all the variants are that easy..how about doing a google on coolwebsearch..scumware.com has a good writeup as well as spywareinfo.com...the newer variants are not that easy

Gregh wrote:

> - Original Message -
> From: Michel Py [EMAIL PROTECTED]
> To: Gregh [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Tuesday, July 13, 2004 12:41 AM
> Subject: RE: Spyware becomes increasingly malicious
>
> > Gregh wrote:
> >
> > > Are you honestly serious? I came up against it for the first time only about 3 days ago and I got rid of it in 10 minutes! I can see how it would be a problem for a newbie but it shouldn't be anything more than 10 minutes work for anyone here with Windows experience.
> >
> > There are dozens of variants, obviously you've seen only one.
>
> Obviously. If I can get rid of it easily *I* am the one who is wrong! All I did was the job. How about you read what I wrote. It really IS that easy.
>
> Greg.

--
My Foundation verse: Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.

--
carpe ductum -- Grab the tape
RE: Spyware becomes increasingly malicious
William Warren wrote:

> not all the variants are that easy..how about doing a google on coolwebsearch..scumware.com has a good writeup as well as spywareinfo.com...the newer variants are not that easy

I second that. The version I saw required a third-party registry editor and booting up into the recovery console from an XP CD (safe mode didn't cut it) just to remove a hidden DLL. Had it not been for the forums out there at http://forums.spywareinfo.com and CWShredder, which got most, but not all, of the cruft installed by this piece of bastard software, my grandmother's computer would still be popping up those tens of pages of garbage randomly. The authors of these CoolWebSearch variants are extremely intelligent programmers with far more understanding of the bowels of the Windows platform than your average script kiddies. If you get hit with the version I saw, it's no 10-minute piece of cake.

What I don't understand is how exploiting bugs in a program (Internet Explorer) to install software without the consent or even acknowledgement of the owner/user is legal behavior. To me, it's just like someone abusing a bug in BIND and installing a rootkit, which, last time I checked, could end up getting someone in legal trouble. For another hastily-thought-out analogy, it's like someone breaking into your house and reprogramming your cable box to keep changing the channel to the home shopping club every 30 seconds.

-Brian
RE: Spyware becomes increasingly malicious
Sean Donelan wrote:

> Spyware isn't the best term for what is happening, but it is quickly exceeding (or contributing to) all the other problems associated with the online (not just Internet) world.

Indeed. Lately, I have not been able to clean a very annoying piece of crud named CoolWebSearch. Spybot will not always detect and never remove; Ad-aware will likely detect but not remove either. None of the other crapware removers I have tried could clean the machine either. I have instructed helpdesk not to waste any time with it and to systematically re-image the infected PC :-( Fortunately, re-imaging a PC is now a matter of minutes.

Michel.
RE: Spyware becomes increasingly malicious
On Sun, 11 Jul 2004 20:24:19 -0700, Michel Py wrote:

> None of the other crapware removers I have tried could clean the machine either.

Try Bazooka spyware detector from http://www.kephyr.com/. This detected for me a bunch of malware neither Spybot nor Ad-aware caught.

Jeffrey Race
Re: Spyware becomes increasingly malicious
- Original Message -
From: Michel Py [EMAIL PROTECTED]
To: Sean Donelan [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, July 11, 2004 5:24 PM
Subject: RE: Spyware becomes increasingly malicious

> Indeed. Lately, I have not been able to clean a very annoying piece of crud named CoolWebSearch. Spybot will not always detect and never remove; Ad-aware will likely detect but not remove either. None of the other crapware removers I have tried could clean the machine either.

You're right... it can be a SOB to remove. CWShredder has worked well for me.

http://www.spywareinfo.com/~merijn/cwschronicles.html

--Michael
RE: Spyware becomes increasingly malicious
Michael Painter wrote:

> You're right... it can be a SOB to remove. CWShredder has worked well for me.
> http://www.spywareinfo.com/~merijn/cwschronicles.html

First thing I tried after Ad-aware and Spybot, no go :-(

In some cases, the only way out of it is HijackThis (http://www.spychecker.com/program/hijackthis.html), which unfortunately requires a somewhat skilled tech and lots of time, with no guarantee. I ruled it out for financial reasons: eventually a skilled tech will indeed be able to clean the machine, but the bottom line is not favorable in a mid-size or large corporate environment: it takes a lot less time and money to send a grease monkey to reload the machine and send an L2 tech to put back the user settings. Not elegant nor smart, but it works.

Michel.
Re: Spyware becomes increasingly malicious
Try booting into safe mode before running software to detect or remove spyware; some of them fight to survive if they are running. Dunno if it is the case with CoolWebSearch.

Rubens

- Original Message -
From: Michel Py [EMAIL PROTECTED]
To: Sean Donelan [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, July 12, 2004 12:24 AM
Subject: RE: Spyware becomes increasingly malicious

> Sean Donelan wrote:
>
> > Spyware isn't the best term for what is happening, but it is quickly exceeding (or contributing to) all the other problems associated with the online (not just Internet) world.
>
> Indeed. Lately, I have not been able to clean a very annoying piece of crud named CoolWebSearch. Spybot will not always detect and never remove; Ad-aware will likely detect but not remove either. None of the other crapware removers I have tried could clean the machine either. I have instructed helpdesk not to waste any time with it and to systematically re-image the infected PC :-( Fortunately, re-imaging a PC is now a matter of minutes.
>
> Michel.
RE: Spyware becomes increasingly malicious
Rubens Kuhl Jr. wrote:

> Try booting into safe mode before running software to detect or remove spyware; some of them fight to survive if they are running, dunno if it is the case with CoolWebSearch.

Tried that too, does not help with CWS.

Michel.