secure911-microsoft antispyware-coolwww

[bill]

As a technician I am observing that there is a "super
stealth mode" that the lastest variants of coolwww will
exploit. Microsoft seems to refuse to provide a fix for
the bugs that exploit this know weakness in XP. I am
tired of wiping computers because Micorsoft will not
develop a fix.
Microsoft Antispyware will only do 65 to 70% of the known
bugs. I think the "super stealth mode" is something that
Microsoft does not want to admit exists.
So my question to the mighty Microsoft is:
If you want us to promote the new product, make it be
able to remove the lastest coolwww and similar variants
that exploit this "super stealth weakness" that xp has.
Otherwise be clear, "this product will only remove some
things, the other more advanced parasitic software will
require good old fashion wiping. We are sorry but to
develop a product that fixes all of xp issues will be
against corporate policy.
thank you, microsoft"

 

[Ron Chamberlin]

Hi Bill,

< I am tired of wiping computers because Micorsoft will not develop a fix.>
Perhaps a career change is necessary? Have you signed up at Monster.com?
Really, this is a Beta prodcut. It is not yet finished nor complete.

So my question to the mighty Microsoft is: If you want us to promote the
new product, make it be
able to remove the lastest coolwww and similar variants that exploit this
"super stealth weakness" that xp has.>

It's a work in progress.

<We are sorry but to develop a product that fixes all of xp issues will be
against corporate policy.>
I believe this product is specializing in the area of AntiSpyware. Correct
me if I'm wrong.

Ron Chamberlin
MS-MVP

 

[John]

Please provide more information on the "super" stealth mode exploit - I have
not heard of it.
Links, please.

 

[A McGuire]

Mary Landesman did a test on various AS products - where did you get your
statistics from? Are you counting cookies as spyware? I'm curious to find
out more regarding your situation

Mary Landesman did a review on Spyware that is a bit more thorough than what
you may be finding:

"I tested MS AntiSpyware's ability to detect and remove the active
components of several apps commonly designated adware/spyware, including:
180 Solutions, Avenue Media, BargainBuddy, BonziBuddy, Claria,
CoolWebSearch, Cydoor, Dashbar, Exact Searchbar, Hotbar, Huntbar (WinTools),
Internet Optimizer, IST.SlotchBar, NEO, Troj_StartPage, WebSearch,
WhenUSearch, WinTools, Xrenoder, and Zango Search Assistant.

In my tests, MS AntiSpyware removed 91% of all active/startup components
compared to Ad-Aware at 65% and Spybot at 55%. I also broke it down by
category; MS AntiSpyware removed/corrected:

96% of processes running in memory
67% of start/search page modifications
100% of BHO/Toolbars
95% of startup vectors
100% of other (buttons/menu items, etc)

You can read my full review at:
http://antivirus.about.com/od/antivirussoftwarereviews/a/msantispy.htm

For those who don't want to be bothered with the ads, the most important
part of my review has already been posted in this message.

These tests were performed last Thursday and Friday, when the beta1 was
first released. There has since been a definition update - I've not yet
tested the effectiveness of that update.
-- Mary"

 

[Bill Sanderson]

Have you been at least attempting to submit tools, suspected spyware reports
from the infected machines?

Have you tested whether scanning in safe mode eliminates this particular
CoolWebSearch variant?

Microsoft Antispyware does clean some CoolwebSearch variants. I know of
nothing about the behavior of CoolWebSearch that would take it off the list
of apps to be removed by Microsoft Antispyware--so I'd bet that Microsoft is
just as anxious to achieve this result as you are.

Do you need pointers to other CoolWebSearch tools--CWShredder, for example?
Given that you have something in place that the automated functions of the
tool doesn't handle, have you tried using the System Explorers, for example,
to see whether you can spot and block the startup items involved?

 

[Bill]

Yes I read many reviews and use many tools, I am simply
observing that certain bugs exploit xp in a way that goes
beyond hidden mode. I have not figured out how undo this
beyond hidden mode on a active os. The bugs will show up
most times when the hd is on a bench machine. But when I
am in the field ... I have forgotten that I have a
knoppix disk, maybe in the field I'll try that and see if
the super hidden bugs show up. Otherwise I am seeking an
explanation about this xp vulnerablity.
And in my opinion, the removers need to be able to handle
the newest and badest. This ain't gator.

 

[Bill Sanderson]

Some of the newer bugs are more akin to root kits than to traditional
viruses or spyware.

Root kits are not easy to detect--something like Barts PE or Knoppix are one
route, working via a network connection from another machine is another--but
not simple or safe to set up.

Here's a KB article about one such critter:

http://support.microsoft.com/default.aspx?scid=kb;en-us;894278

Someone who drew attention to this article remarked something like--"as with
burglars--it's only the dumb ones who get caught"--i.e. if the root kit had
been more carefully programmed and didn't cause the crash, it would not be
detected.

This is a trojan--it didn't come in the door uninvited, but once invited, it
hides--fortunately not well enough. The real-time protection of Microsoft
Antispyware should give an alert when such a critter attempts to install.
As to whether it can detect it in place--well, it does manage this one,
anyway.

I don't think such bugs are very common--but they are along the lines of
what you are asking about.

 

[Bill]

I'm no expert, just a field tech
I do what I can
The mighty beast has its problems
We deal


http://windowssecrets.com/050127/

 

[Bill Sanderson]

That's a good article--lots of questions here would be answered if folks had
read that.

Sysinternals has a new tool to detect root kits, but it gives a raw result
which requires interpretation. And, a number of factors confound the
tool-among them Services for Macintosh on servers, and some antivirus
products.