T
Timothy Clutten
SPYWARE AND AntiSpyware Beta REPORT
Includes:
PART 1 Bugs in MS AntiSpyware Beta Reporting Tool
This report also mentions EXTREME HIGH PRIORITY BUG FIX
that MS must action ASAP.
==========================================================
Introduction
I have over 12 years of computer security experience - yet
I still struggle with getting rid of bugs and Trojans from
my own PC despite using firewalls, antivirus software and
antiSpyware products. I have had Trojans and spyware but as
far as I see that is only what is detectable! I have never
had a virus (as far as I know). I do not work for Microsoft.
I regard Trojans Spyware as more serious than the common
virus or worm. Obviously viruses and worms are used as
spyware too!
You can buy off the shelf spyware to spy on your boss for
example. It is cheap and effective so your boss can do it
to you too. Your boss can catch all your passwords as you
use them, log every application that you run,
read every email that you write and see every window that
pops up. The fact is that if YOU can do it, your enemies
do this to you too for less than $100. This report
includes a short list of some of this spyware (PART 5 only).
The idea that Unknown Trojans and spyware can be detected
by more "generic monitoring" is sound and is used already
to detect new viruses for example.
Part 5 of this report includes a short list of some off the
shelf spyware that AntiSpyware should detect. (I have not
tested it to see if it does detect/block them).
The most important security issue is Microsoft Operating
System authenticity which SHOULD detect or alert users and
Microsoft to UNKNOWN new viruses/Trojans/spyware.
Second most important is Network and system security (i.e.
firewall, anti spyware & anti virus).
It has been a VERY long wait for MS to actually act on
Trojan Horse and Spyware issues. They know their OS best.
All these years Trojans have replaced key operating system
components like TCP/IP drivers, Ethernet drivers, and even
hijack and replace MS OS kernels all going undetected.
(Still going undetected!)
AntiSpyware Beta is a great start - I killed off 2
nasty ones when I first ran it. Unfortunately I know this
is still just the beginning.
MS will need Beta 2 or at least Version 2 Beta 1 within
only just a few months.
Draft Table of Contents (for future reports):
1 Bugs in MS AntiSpyware Beta Reporting Tool
(This is PART 1)
2 Lacking an Upload Spyware Report File Facility
3 Lacking Manual Spyware Definitions Download
4 Inadequate MD5 SHA hashing of core MS Operating System
(ie operating system file and memory image fingerprinting)
5 Known off the shelf spyware and key loggers
(Does MS AntiSpyware detect these?)
6 Detecting "similar" but Unknown Trojan Horses and
spyware (see also section 4)
7 TOTALLY INADEQUATE WINDOWS TASK MANAGER!
8 Spyware as part of MS Operating system especially kernel
and core resource start-up routines.
9 Suspicious TCP and UDP activity especially before MS
Spyware Beta starts or before Firewall Starts
10 Dangers of AntiSpyware from being compromised by Trojan
Horse software.
11 Problems associated with Government Interference Making
spyware part of Microsoft products.
12 Does Existing Spyware uses Cookies for Triggering Actions?
** Entries starting with * or *** are actions or
investigations needing urgent attention - none are low
priority. All actions are priority rated.
PART 1
Bugs in MS AntiSpyware Beta Reporting Tool
=================================
1a) ENTER Bug in Reporting Tool
The Spyware Reporting tool trys to send the report when you
press enter.
The natural thing people do when writing the report is to
press enter several times. Even when the writer knows this
is a nasty bug he / she still presses enter and loses
his/her work!
* Microsoft please fix this annoying ENTER Bug.
HIGH PRIORITY.
1b) In frustration, people gave up and write the report
with an editor because in addition to trying to send, IF
IT FAILS TO SEND IT WIPES YOUR REPORT!
1c) Firewall Setup Instructions for AntiSpyware Beta
Reporting tool:
I set up my firewall to allow it to send reports. I did
this by reading the firewall logs and finding out which exe
was attempting to send. [...\antispyware\msssrt.exe].
I then enabled that exe for the firewall - setting the
protocol as a [download manager] for msssrt.exe
This enables basic FTP and HTTP. Most users are not
knowladgable enough to be in safe control of their
firewall, that include me. So it is important to spell out
the solution.
* Microsoft must tell the user to enable their firewall for
the executable [...\antispyware\msssrt.exe] as a "download
manager"
BEFORE they try it do it. If the report is NOT sent then
the report MUST BE SAVED SO THAT IT IS SENT WHEN THEY GET
CONNECTION. HIGH PRIORITY BUG FIX.
* If the send fails you must NOT wipe the fields. Wipe
report on reboot or with [NEW REPORT] button.
HIGH PRIORITY BUG FIX.
1c) The reporting tool only takes a certain length of text
so the writer must have the option of UPLOADING a file
* MICROSOFT - Please include report file UPLOAD for .doc
and .zip files. Why because if MS does not get good
reports from users, how can MS stop the most hidden
Trojans. VERY HIGH PRIORITY
1d) MS AntiSpyware Beta Reporting tool reports back to MS
your sensitive machine contents without warning the user!
Every process running, every service running, every driver,
every plugin, every protocol handler is sent to Microsoft
without warning when you write a report. This stuff IS
sent WITHOUT WARNING YOU FIRST! It is vital that the FULL
report be displayed to the user BEFORE it is sent with a
disclamer box. Several people use my machine and if they
sent MS a machine report such as this without my consent I
would blow my top at the unauthorised security violation.
The fact is MS is inducing such violations by not saying
what is happening. The reading of the licence and ticking
the "yes" box is NOT an excuse for this because this
applies to the software installer ONLY. Not saying BEFORE
hand what is happening makes it possible for MS to be
accused of spying. Some users actually run top secret
software too, again Microsoft could be sued in these
circumstances. THIS BUG MUST BE REMOVED ASAP. AND ADEQUITE
WARNING GIVEN TO THE USER (NOT JUST THE INSTALLER)!
EXTREME HIGH PRIORITY BUG FIX!
It is vital that BETA 1 be replace by BETA2 with this fix
ASAP it is that serious. The report however is a very good
idea and essential for catching Spyware.
Thank-you.
End of PART 1 - Tim
Includes:
PART 1 Bugs in MS AntiSpyware Beta Reporting Tool
This report also mentions EXTREME HIGH PRIORITY BUG FIX
that MS must action ASAP.
==========================================================
Introduction
I have over 12 years of computer security experience - yet
I still struggle with getting rid of bugs and Trojans from
my own PC despite using firewalls, antivirus software and
antiSpyware products. I have had Trojans and spyware but as
far as I see that is only what is detectable! I have never
had a virus (as far as I know). I do not work for Microsoft.
I regard Trojans Spyware as more serious than the common
virus or worm. Obviously viruses and worms are used as
spyware too!
You can buy off the shelf spyware to spy on your boss for
example. It is cheap and effective so your boss can do it
to you too. Your boss can catch all your passwords as you
use them, log every application that you run,
read every email that you write and see every window that
pops up. The fact is that if YOU can do it, your enemies
do this to you too for less than $100. This report
includes a short list of some of this spyware (PART 5 only).
The idea that Unknown Trojans and spyware can be detected
by more "generic monitoring" is sound and is used already
to detect new viruses for example.
Part 5 of this report includes a short list of some off the
shelf spyware that AntiSpyware should detect. (I have not
tested it to see if it does detect/block them).
The most important security issue is Microsoft Operating
System authenticity which SHOULD detect or alert users and
Microsoft to UNKNOWN new viruses/Trojans/spyware.
Second most important is Network and system security (i.e.
firewall, anti spyware & anti virus).
It has been a VERY long wait for MS to actually act on
Trojan Horse and Spyware issues. They know their OS best.
All these years Trojans have replaced key operating system
components like TCP/IP drivers, Ethernet drivers, and even
hijack and replace MS OS kernels all going undetected.
(Still going undetected!)
AntiSpyware Beta is a great start - I killed off 2
nasty ones when I first ran it. Unfortunately I know this
is still just the beginning.
MS will need Beta 2 or at least Version 2 Beta 1 within
only just a few months.
Draft Table of Contents (for future reports):
1 Bugs in MS AntiSpyware Beta Reporting Tool
(This is PART 1)
2 Lacking an Upload Spyware Report File Facility
3 Lacking Manual Spyware Definitions Download
4 Inadequate MD5 SHA hashing of core MS Operating System
(ie operating system file and memory image fingerprinting)
5 Known off the shelf spyware and key loggers
(Does MS AntiSpyware detect these?)
6 Detecting "similar" but Unknown Trojan Horses and
spyware (see also section 4)
7 TOTALLY INADEQUATE WINDOWS TASK MANAGER!
8 Spyware as part of MS Operating system especially kernel
and core resource start-up routines.
9 Suspicious TCP and UDP activity especially before MS
Spyware Beta starts or before Firewall Starts
10 Dangers of AntiSpyware from being compromised by Trojan
Horse software.
11 Problems associated with Government Interference Making
spyware part of Microsoft products.
12 Does Existing Spyware uses Cookies for Triggering Actions?
** Entries starting with * or *** are actions or
investigations needing urgent attention - none are low
priority. All actions are priority rated.
PART 1
Bugs in MS AntiSpyware Beta Reporting Tool
=================================
1a) ENTER Bug in Reporting Tool
The Spyware Reporting tool trys to send the report when you
press enter.
The natural thing people do when writing the report is to
press enter several times. Even when the writer knows this
is a nasty bug he / she still presses enter and loses
his/her work!
* Microsoft please fix this annoying ENTER Bug.
HIGH PRIORITY.
1b) In frustration, people gave up and write the report
with an editor because in addition to trying to send, IF
IT FAILS TO SEND IT WIPES YOUR REPORT!
1c) Firewall Setup Instructions for AntiSpyware Beta
Reporting tool:
I set up my firewall to allow it to send reports. I did
this by reading the firewall logs and finding out which exe
was attempting to send. [...\antispyware\msssrt.exe].
I then enabled that exe for the firewall - setting the
protocol as a [download manager] for msssrt.exe
This enables basic FTP and HTTP. Most users are not
knowladgable enough to be in safe control of their
firewall, that include me. So it is important to spell out
the solution.
* Microsoft must tell the user to enable their firewall for
the executable [...\antispyware\msssrt.exe] as a "download
manager"
BEFORE they try it do it. If the report is NOT sent then
the report MUST BE SAVED SO THAT IT IS SENT WHEN THEY GET
CONNECTION. HIGH PRIORITY BUG FIX.
* If the send fails you must NOT wipe the fields. Wipe
report on reboot or with [NEW REPORT] button.
HIGH PRIORITY BUG FIX.
1c) The reporting tool only takes a certain length of text
so the writer must have the option of UPLOADING a file
* MICROSOFT - Please include report file UPLOAD for .doc
and .zip files. Why because if MS does not get good
reports from users, how can MS stop the most hidden
Trojans. VERY HIGH PRIORITY
1d) MS AntiSpyware Beta Reporting tool reports back to MS
your sensitive machine contents without warning the user!
Every process running, every service running, every driver,
every plugin, every protocol handler is sent to Microsoft
without warning when you write a report. This stuff IS
sent WITHOUT WARNING YOU FIRST! It is vital that the FULL
report be displayed to the user BEFORE it is sent with a
disclamer box. Several people use my machine and if they
sent MS a machine report such as this without my consent I
would blow my top at the unauthorised security violation.
The fact is MS is inducing such violations by not saying
what is happening. The reading of the licence and ticking
the "yes" box is NOT an excuse for this because this
applies to the software installer ONLY. Not saying BEFORE
hand what is happening makes it possible for MS to be
accused of spying. Some users actually run top secret
software too, again Microsoft could be sued in these
circumstances. THIS BUG MUST BE REMOVED ASAP. AND ADEQUITE
WARNING GIVEN TO THE USER (NOT JUST THE INSTALLER)!
EXTREME HIGH PRIORITY BUG FIX!
It is vital that BETA 1 be replace by BETA2 with this fix
ASAP it is that serious. The report however is a very good
idea and essential for catching Spyware.
Thank-you.
End of PART 1 - Tim