2. TSN Install Spyware!
• “According to a new report from EarthLink and Webroot Software, there's an average of almost 28 spyware programs running on each computer. More serious, Trojan horse or system monitoring programs were found on more than 30 percent of all systems scanned, raising fears of identity theft.
• “The report presents the results of scans of over 1 million Internet-connected computers. Many of the 29 million spyware programs that were found were harmless "adware" programs that display advertising banners or track Web surfing behaviors. However, the companies also found more than 300,000 instances of programs that are capable of stealing personal information or providing unauthorized access to computers, the companies say.”—Paul Roberts (PCWorld)
3. Spyware Attack Vectors
"I LOVE GATOR!
It is the GREATEST!
I love how it remembers and fills in all of my passwords at the
various websites that I visit. And of course I also love how it fills
in the forms for me. I also love GATOR because it is very easy to
use. I learned how to use it in seconds. GATOR RULES!"
Thanks,
DF
Las Vegas, Nevada
4. What Else Does Gator Do?
• Gator (iegator.dll and others)
Gator is the main software, which autocompletes Web forms [which is completely
unnecessary]...
• OfferCompanion
This is the advertising spyware module. It is responsible for spying on your Web browsing
habits, downloading and displaying pop-up ads, and transmitting (personal?)
information to Gator.
• Trickler (fsg.exe, fsg-ag.exe, fsg*.exe)
Trickler is an "install stub", a small program that is installed with the application you
really wanted. (Gator almost always appears on your system due to installing OTHER
software, and not the installer available from Gator's website.) When installed,
Trickler inserts a Run key in your Registry so that it is silently and automatically
loaded every time you start your computer. Trickler runs hidden and very slowly
downloads the rest of Gator/OfferCompanion onto your system. It is suggested that
this "trickling" activity is intended to slip under the user's radar, the steady, low usage
of bandwidth going unnoticed (cexx.org).
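The Trickler description above hinges on one persistence trick: a value under the Registry's Run key that relaunches fsg*.exe at every logon. The following added example (not from the deck or from cexx.org) shows the defender's side of that: it parses an offline `reg export` of the Run keys and flags any entry whose program name matches the fsg*.exe pattern the slide names. The .reg text, its paths and the "Trickler" value name are constructed for the example.

```python
import fnmatch
import re

# The autorun keys the slide's Trickler description refers to ("inserts a Run key").
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Program names the slide attributes to Trickler: fsg.exe, fsg-ag.exe, fsg*.exe.
SUSPECT_PATTERNS = ("fsg*.exe",)
# Constructed sample of a `reg export` (.reg) file; the paths are illustrative, not from the deck.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Trickler"="\"C:\\Program Files\\Common Files\\GMT\\fsg-ag.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
'''
# A "name"="data" line; .reg files escape backslash and double quote with a backslash.
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    entries, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            entries[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries

def executable_name(command):
    """Lower-cased base name of the program a Run value launches (quoted path or first token)."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    path = (m.group(1) or m.group(2)) if m else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspect_run_entries(text):
    """(key, value_name, command) for Run entries whose program matches a suspect pattern."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() in RUN_KEYS:
            for name, command in values.items():
                if any(fnmatch.fnmatch(executable_name(command), p) for p in SUSPECT_PATTERNS):
                    hits.append((key, name, command))
    return hits
```

Running `suspect_run_entries(SAMPLE_REG)` reports only the "Trickler" value, since ctfmon.exe and SOUNDMAN.EXE do not match the pattern; the same parser works on a real export taken with `reg export` of the two Run keys.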
5. Attack Vectors [cont]
Antivirus company Symantec last week reported the presence of
"spyware" bundled with Grokster and Limewire, two popular
file-swapping downloads. The code evidently does not damage
computers, but it surreptitiously sends personal information
such as user ID names and the Internet address of computers to
another Web address.
Advertising software called "Clicktilluwin" that comes bundled with
the file-swapping programs carries a program called
"W32.DIDer," which Symantec has classified as a Trojan horse--
a piece of code that takes over parts of a person's computer
unseen in order to carry out its own instructions. (news.com)
6. Attack Vectors [cont]
From: Unsuspecting Person [unsuspecting@comcast.net]
RE: Spyware - Virtual Bouncer - installed on PC as trial - getting
more popup ads than ever - unable to remove software from PC
I mistakenly allowed spyware/virtual bouncer to install its software on my computer on a trial basis to remove popup ads and detect parasites. Before the trial was over, I seemed to be getting more popup ads than ever...I decided not to purchase the software.
Despite numerous attempts to remove the software from my
computer, it finds its way back when I log on to my computer,
reminding me to register and purchase the software. It's now
acting like a parasite that I was trying to remove!!!!
I've contacted the computer [company] several times but no one
there has offered any real solution to address my issue.
7. So... What To Do (Preemptive)?
1. Cultivate an attitude of distrust!
2. Know that Nothing is Free!
3. Unless you’re willing to read the entire
license agreement very carefully, Do Not
Install Freeware!
4. Beware of the peer-to-peer services.
They’ve got to make $$ somehow!
10. I Failed to “Shalt Notted”
What do I do Now?
1. Blood Sacrifice is still probably avoidable…
2. Start | All Programs (XP) or Programs (Win2k)|
Spybot Search & Destroy.
3. If this does not exist, double-click on My Computer & navigate to T:\Spybot\spybotsd1.3.exe. Follow the prompts to install Spybot.
11. I Failed to “Shalt Notted” [cont]!
4. Update Spybot by clicking on ‘Search For Updates’:
12. I Failed to “Shalt Notted” [cont]!
5. Now ‘Check for problems’. [Note: This can take a while
as there are about 17,000 bad boys out there now...]
14. I Failed to “Shalt Notted” [cont]!
6. Now ‘Fix Selected Problems’. [Note: This might render some of your ‘freeware’ inoperable...]
7. If some of the malware is ‘resident’ in your operating system’s memory (i.e., it is running at the time), Spybot will not be able to fix this issue, and you may continue to get popups and general system instability.
8. For this you will need to call me.
15. Conclusion
• Freeware is seldom Free (unless you are using Linux...)
• If it is not worth it to you to read the entire license
agreement (maybe 10-15 minutes), it is definitely not
worth my 60+ minutes trying to get all the spyware off
afterwards!
• If you wish to install something, call me first and I will
check it out!
• Otherwise, Choose X or No or Cancel!
• And if you don’t, yes, odds are we will remain friends
afterward...
17. Mailing Tactics
• Interesting Attachments
– AnnaKournikova.jpg.vbs
• Interesting Subjects
– New bonus in your cash account
– [Fwd: look] ;-)
• Good Samaritan Abuse
– Please Help me with Script!!
– Leukemia: Please Forward
18. Mailing Tactics [Cont]
• Panic Attack
IMPORTANT, URGENT - ALL SEEING EYE VIRUS! PASS
THIS ON TO ANYONE YOU HAVE AN E-MAIL
ADDRESS FOR. If you receive an email titled "We Are
Watching You!" DO NOT OPEN IT! It will erase
everything on your hard drive. This information was
announced yesterday morning from IBM, FBI and
Microsoft states that this is a very dangerous and
malicious virus, much worse than the "I Love You," virus
and that there is NO remedy for it at this time.
20. What are they Appealing To?
El Mejor Sexo.pif
KaZaA Antivirus Era 2003.exe
UnTouChabLeS KoRn.scr
New Morpheus Edition 2003.exe
Deftones Live in concert.scr
Xbox Emulator V2.1.exe
Play2 All Tricks BoX.pif
Gatorade Screen Saver.scr
THE EMINEM SHOW.pif
21. And What Else Do They Do...
1. Scan your entire hard drive and any network
drives for email addresses
2. Intentionally corrupt common document types
(Excel, Word, etc.).
3. Disable virus protection & prevent liveupdates.
4. Disable Personal Firewalls
5. Copy themselves all over your hard drive.
6. Render an operating system unusable.
22. So What Do We Do?
• First, Be Aware of What I do:
– Every Night at 11:00 PM I have a server go out
& get the latest virus updates. Every machine
in the building will get these definitions within
the hour.
– The Bottom Line: Your Protection is Current!
– If a really bad virus appears on the radar
screen, I will send out an alert email.
23. Nonetheless...
Inevitably there will be a gap between the creation of a
virus, its identification when out in the wild, and the
creation of a filter to detect it.
• Therefore, it is required that:
– Never (and Never does mean Never) open an
attachment unless you are explicitly expecting the
exact attachment from the exact individual who has
sent it to you. *And the Extension (.pdf, .xls, .doc)
must match the kind of file you are expecting!
24. Nonetheless [continued]...
• It is required that: [cont]
– We never open ANY attachment that ends in:
• .com
• .exe
• .pif
• .vbs
• .scr
– In our own emails we explicitly identify the
attachment we are intentionally sending (i.e., “I have
attached an excel/word/pdf document detailing...”).
This is known as “good netiquette”.
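The two rules on slides 23 and 24 (the extension must match the file you were told to expect, and .com/.exe/.pif/.vbs/.scr are never opened) are mechanical enough to run as a filter. The following added example (not from the deck) checks attachment names against exactly those rules and also catches the double-extension trick behind AnnaKournikova.jpg.vbs; the sample list reuses the file names quoted on slides 17 and 20 plus one constructed ordinary spreadsheet, and the decoy-extension set is an assumption of the example.

```python
# Extensions slide 24 says we never open.
BLOCKED_EXTENSIONS = {".com", ".exe", ".pif", ".vbs", ".scr"}
# Harmless-looking extensions a double extension (e.g. .jpg.vbs) uses as bait; assumed list.
DECOY_EXTENSIONS = {".jpg", ".gif", ".txt", ".doc", ".xls", ".pdf"}

# Constructed sample: attachment names quoted on slides 17 and 20, plus one ordinary document.
SAMPLE_ATTACHMENTS = [
    "AnnaKournikova.jpg.vbs",
    "El Mejor Sexo.pif",
    "KaZaA Antivirus Era 2003.exe",
    "UnTouChabLeS KoRn.scr",
    "Xbox Emulator V2.1.exe",
    "Gatorade Screen Saver.scr",
    "Q3 budget.xls",
]

def extensions(filename):
    """Every dotted suffix of a file name, lower-cased: 'a.jpg.vbs' -> ['.jpg', '.vbs']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]

def check_attachment(filename, expected_ext=None):
    """Return the reasons an attachment breaks the deck's rules; an empty list means it passes.
    expected_ext is the type the recipient was told to expect (e.g. '.pdf'), if any."""
    exts = extensions(filename)
    final = exts[-1] if exts else ""
    reasons = []
    if final in BLOCKED_EXTENSIONS:
        reasons.append(f"ends in blocked executable extension {final}")
    if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
        reasons.append(f"double extension {exts[-2]}{final} hides the real type")
    if expected_ext is not None and final != expected_ext.lower():
        reasons.append(f"extension {final or '(none)'} does not match expected {expected_ext.lower()}")
    return reasons

def triage(filenames, expected_ext=None):
    """Map each file name to its reasons, so a mail filter or a user can see why it was held."""
    return {name: check_attachment(name, expected_ext) for name in filenames}
```

`triage(SAMPLE_ATTACHMENTS)` holds every name but "Q3 budget.xls", and passing `expected_ext=".pdf"` for a message that announced a PDF would hold the spreadsheet too.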
25. Nonetheless [continued]...
• Also, though this is lamentable, our
instinct must be one of distrust!
• “Unless it is a Known Good, it must be considered
to be bad.”
• Distrust all executables.
• Be aware that all filesharing services are delivery
mechanisms for many modern viruses.
26. Conclusion
• Never open the unknown attachment,
even when it is coming from an associate.
• Do not forward the hoax (they always ask
you to do just this!). If forward you must,
forward it to me first!!
• All executables (.exe, .com, .pif, .vbs) are
to be distrusted! Absolutely!
27. Various “Shalts”
• TS Save onto the “S” Drive.
• TS keep critical data in more than one
place (particularly if one of the places is a
floppy, or, worse yet, a zip disk).
• TS “stop” USB flash drives before
removing them.
• TS Lock your computer when you leave it
for prolonged amounts of time [ctrl-alt-del |
enter].