[wplug] Windows - Is this happening to you too?

Bill Moran wmoran at potentialtech.com
Sat May 29 10:29:51 EDT 2004


Robert E. Coutch wrote:
> Hi all,
> 
> I'm sooooooo glad I'm running Linux.
> 
> I've been inundated with Windows 98 PCs lately with pretty much the 
> same problem.
> 
> They all have ads, toolbars and other unsolicited software installed.

Yup.  Saw an article somewhere where Earthlink took a survey and found
28 adware programs on each PC on _average_.  Keep in mind, that's _average_,
so some must have had many, many more to offset the ones that had few or
none!

> After spending DAYS working on the problem here's what I have found.
> 
> Spy-bot, Adaware, and virus checkers do not cure the problem.
> 
> Adaware finds most of the problems and removes them but then they reappear 
> after reboot. Even after cleaning up the registry and other startup files.

The various ad removers can fix some of them, but not all.

> The folks who write this crapware to infect Windows PCs are getting better at 
> their craft.  It's no longer enough to clean out a few registry keys and 
> remove a few program files off the hard drive.

They're not really getting any better:
http://www.comedia.com/hot/jargon-4.2.3/html/The-Meaning-of-Hack.html
See the last example, it's probably where these copycats got most of their
ideas.

> It seems they have started using DLL files that look like normal system files 
> to load the unwanted software.  Some of these DLLs look like part of the 
> printing subsystem but are actually downloading and installing toolbars, 
> search links and so on.

I've seen this one.  The only way to tell them apart is that the .dll files are
in the wrong directory.
I've also seen where they use random filenames, and change the name on every
reboot, which means you can't look the problem up on the 'net, because the
symptoms aren't consistent.
And I've even seen dual processes that restart each other when killed, and
rewrite the registry on shutdown.  Very hard to fix.

To make it worse, I have yet to see any antivirus product that protects
against adware.  I guess the AV folks are afraid that some adware maker will
find a way to sue them if they label their adware a "virus".

If you ask me, the adware is _just_ as bad as any virus, only worse.

> So far I've only seen this on PCs running Windows 98.
> I want to know if anyone has seen this sort of nonsense going on with other 
> versions of Windows.

Yes.  On Windows XP professional.

> None of the tools I've found have the ability to fully remove and block this 
> stuff. Does anyone have any suggestions that I should try?

Nope.  We're looking at a whole new field of expertise if you ask me.  One that
I'm qualified to do, but have no desire to do.  And one that's not appreciated
either.  I just had a client leave me for another provider because I charged
him for two hours to clean one of these things off.  I seriously doubt if
anyone else would have been able to do it any faster.

> I've been cleaning out the registry by hand one suspicious class ID at a time.
> This is a very looooong and tricky process.

Yup.

> The wife is actually considering switching to Linux because while her machine 
> was down, she used mine.  She's also considering a Mac.

Mac is very nice.  If you're looking around, try FreeBSD as well ;)

> I don't think my paying clients will even consider going Linux or Mac but I 
> don't want to recommend they "upgrade" to XP unless I can be sure this is not 
> happening (yet) with that version of Windows.

Doesn't help much.  XP is vulnerable to most of these as well (but not all).
Plus, just to reduce the infection rate you have to set up proper security,
which means your clients won't be able to install software without logging out
and logging back in ... in my experience, most clients won't tolerate this.

> Can any of you help me or point me in the right direction?

Unfortunately, no.

This is a case where people expect you and I to fix this for free.  What you
can do to reduce the incidence:
1) Use XP or 2000 Pro
2) Set up properly restricted user accounts.  This is a problem, because most
    crappy software will crash or fail to start when run under a properly
    restricted user account (welcome to hell, pick one "I get adware" or
    "my important programs won't work")
3) Set up IE and OE to be very paranoid
even better ...
4) Remove IE/OE and replace them with Mozilla, which has fewer attack routes
5) In a business environment, put in a packet filtering system that blocks all
    internet traffic except what is absolutely required for business.
6) Replace Windows with Linux, BSD, or Mac
7) Educate users to not install every damn thing that a popup asks them to
    install!

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
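Two of the persistence tricks Bill describes above (system-named DLLs sitting in the wrong directory, and startup files that keep their payload but take a new random name on every reboot) can be checked mechanically from a file listing and two startup-folder snapshots. The script below is an added example written for this archive page, not code from the thread or from either poster; the DLL names, directories, file listing and snapshot contents are all constructed for illustration, and the function names are my own.

```python
"""Offline checks for two adware persistence tricks described in the thread:
1. a DLL carrying a known system DLL's name but living outside the system
   directories (a masquerading copy);
2. a startup entry whose bytes are identical across two reboots while its
   filename changed (random-name-per-reboot persistence).
All sample data below is constructed for this example."""
import hashlib
from pathlib import PureWindowsPath

# Illustrative subset of legitimate Windows DLL/driver names (constructed).
KNOWN_SYSTEM_DLLS = {"spoolss.dll", "winspool.drv", "kernel32.dll", "user32.dll"}

# Directories where those files are expected to live (constructed, Win9x/XP style),
# stored lower-case because Windows paths are case-insensitive.
SYSTEM_DIRS = {r"c:\windows\system", r"c:\windows\system32"}


def find_misplaced_dlls(paths):
    """Return every path whose basename matches a known system DLL but whose
    parent directory is not one of the expected system directories."""
    flagged = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in KNOWN_SYSTEM_DLLS:
            if str(wp.parent).lower() not in SYSTEM_DIRS:
                flagged.append(p)
    return flagged


def content_hashes(snapshot):
    """Map sha256(content) -> filename for a {filename: bytes} snapshot."""
    return {hashlib.sha256(data).hexdigest(): name for name, data in snapshot.items()}


def find_renamed_persistence(before, after):
    """Return sorted (old_name, new_name) pairs for files whose bytes are the
    same in both snapshots but whose filename differs. Content that survives
    a reboot under a fresh random name is the pattern the thread describes."""
    old = content_hashes(before)
    new = content_hashes(after)
    return sorted(
        (old[h], new[h])
        for h in old.keys() & new.keys()
        if old[h].lower() != new[h].lower()
    )


# Constructed file listing, as a scanner walking the disk might collect it.
SAMPLE_PATHS = [
    r"C:\Windows\System\spoolss.dll",              # genuine location
    r"C:\Windows\System32\user32.dll",             # genuine location
    r"C:\Program Files\Common Files\SPOOLSS.DLL",  # masquerading copy
    r"C:\Windows\Temp\winspool.drv",               # masquerading copy
    r"C:\Program Files\Foo\foo.dll",               # unrelated third-party DLL
]

# Constructed startup-folder snapshots taken before and after a reboot.
BEFORE = {"qk3j9x.exe": b"adware-payload-v1", "mspaint.lnk": b"shortcut"}
AFTER = {
    "zp8w1c.exe": b"adware-payload-v1",  # same bytes, new random name
    "mspaint.lnk": b"shortcut",          # unchanged legitimate entry
    "newthing.exe": b"other",            # new, unrelated entry
}


if __name__ == "__main__":
    for path in find_misplaced_dlls(SAMPLE_PATHS):
        print("system-named DLL outside system dir:", path)
    for old_name, new_name in find_renamed_persistence(BEFORE, AFTER):
        print("same payload renamed across reboot:", old_name, "->", new_name)
```

The DLL check only works against a list of names you trust and directories you know, so a real run would seed `KNOWN_SYSTEM_DLLS` from a clean install rather than the four names above; the snapshot check deliberately keys on content hash, not name, because the name is exactly the thing the adware changes.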
