Viruses which affect Microsoft Antispyware

Engel

Hello Bill

Thanks for the tips and links.

Engel
-----Original Message-----
No new viruses to report, but there's a Microsoft KB article which I wasn't
aware of--see the next to last item:

http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.bankash.a.html
(February 10th, 2005)

http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.bankash.b.html
(March 3rd, 2005)

http://securityresponse.symantec.com/avcenter/venc/data/trojan.bankash.c.html
(March 4th, 2005)

http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.bankash.d.html
(March 15th, 2005)

http://www.sarc.com/avcenter/venc/data/trojan.killav.e.html
(February 15, 2005)

http://support.microsoft.com/default.aspx?scid=kb;en-us;894269
(e-mail address removed) (March 13, 2005)


--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm


Guest

Yeah, this is why Microsoft Antispyware needs some extra
protection on their software to prevent Kelvir viruses,
some new viruses, copycat viruses that try to shut down
Microsoft Antispyware. They should add some extra layer of
protection to MSAS so it cannot be shut down by viruses.
Segovia

Yeah, this is why Microsoft Antispyware needs some extra
protection on their software to prevent Kelvir viruses,
some new viruses, copycat viruses that try to shut down
Microsoft Antispyware. They should add some extra layer of
protection to MSAS so it cannot be shut down by viruses.

In my mind that is the responsibility of your anti-virus software - to
prevent the execution of ANY virus. If viruses are executed on your
machine, the LEAST of your worries is that MSAS might be shut down?
Bill Sanderson

Additionally - unless most users are in the habit of letting their Microsoft
Antispyware icon hide, my feeling is that a virus which provides such an
obvious direct clue about its presence--as removing the icon for an
antivirus or antispyware product--is not very competent. When I see a
machine missing this icon, a virus is the first thing I look for, after
checking the icon settings.
Bigbruva

The Antispyware team might look at the work Sysinternals has just done in
the update to their RootkitRevealer tool
(http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml).
This update uses a random name for its scanning process image name, so it is
much harder to target directly.
This is easier for a one-time scan to do than for a constantly running detection
process (like that of gcasserv.exe), but maybe an approach like this might
help minimize the number of successful attacks against this tool.

Thoughts?

BB
Bill Sanderson

I saw that update--nice work on their part. One difficulty of such behavior
is that, for a constantly running utility--this makes you look very much
like a virus--how will the HijackThis folks tell who's what? I s'pose they
could pick a name like MWAS3417 and randomize the numbers, but then spyware
or viruses could probably manage to parse that without too much trouble.

I'm certainly not up on the best current techniques that might be used to
avoid the kinds of attacks already evidenced by this set of bugs--I'd love
to know more about it but suspect this is the kind of detail that won't be
published.
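As an added illustration (not code from anyone in this thread), the following Python script is a defender's-eye look at the two points just raised: first, that a missing protection process is the clue to look for, and second, that a name like "MWAS3417" with randomized digits is still easy to pick out of a process list. It parses constructed, tasklist-style snapshots of a Windows process list; gcasserv.exe is the real image name mentioned earlier in the thread, while MWAS3417.exe and every other name in the snapshots are hypothetical.

```python
import re
from typing import List

# Constructed sample: tasklist-style snapshots of a Windows process list.
# Every name is hypothetical except gcasserv.exe, which the thread names as the
# Microsoft AntiSpyware real-time protection process.
HEALTHY_SNAPSHOT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
csrss.exe                      512 Console                    0      3,212 K
winlogon.exe                   540 Console                    0      4,004 K
gcasserv.exe                  1312 Console                    0     18,440 K
MWAS3417.exe                  1380 Console                    0      6,020 K
explorer.exe                  1504 Console                    0     22,100 K
"""

# Same machine after a KillAV-style process termination: both protection
# processes are gone, and nothing else in the list looks different.
DEGRADED_SNAPSHOT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
csrss.exe                      512 Console                    0      3,212 K
winlogon.exe                   540 Console                    0      4,004 K
explorer.exe                  1504 Console                    0     22,100 K
"""

# One tasklist row: image name, PID, session name, session number, memory.
# Header and separator rows contain no PID column, so they never match.
ROW = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

# Protection processes the watchdog expects to find. The first is the real
# image name from the thread; the second is the hypothetical "MWAS + four
# random digits" scheme discussed above, written as a pattern.
REQUIRED = {
    "gcasserv": re.compile(r"^gcasserv\.exe$", re.IGNORECASE),
    "mwas-randomized": re.compile(r"^MWAS\d{4}\.exe$", re.IGNORECASE),
}


def parse_tasklist(text: str) -> List[str]:
    """Return the image names from a tasklist-style snapshot, skipping headers."""
    names = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            names.append(m.group("name").strip())
    return names


def missing_protection(snapshot: str, required=REQUIRED) -> List[str]:
    """Labels from `required` whose pattern matches no running process name."""
    running = parse_tasklist(snapshot)
    return [label for label, pat in required.items()
            if not any(pat.match(name) for name in running)]


def randomized_name_is_recognizable(name: str) -> bool:
    """True when a name fits the MWAS####.exe scheme. The same pattern that lets
    the watchdog find its own randomized process also identifies it to anything
    else that parses the process list, which is the weakness noted in the thread."""
    return bool(REQUIRED["mwas-randomized"].match(name))


if __name__ == "__main__":
    for label, snap in (("healthy", HEALTHY_SNAPSHOT), ("degraded", DEGRADED_SNAPSHOT)):
        gone = missing_protection(snap)
        status = "all protection running" if not gone else "missing " + ", ".join(gone)
        print(f"{label}: {status}")
```

Run it as-is and it reports the healthy snapshot as complete and the degraded one as missing both protection processes; the point of the second helper is that a prefix-plus-digits scheme is no harder to match than a fixed name, so randomizing only the digits buys little against a process killer.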
Bigbruva

Yes, this was exactly the issue I was thinking of; however, I came to the
conclusion that it is better to have a running (anonymous) process than a
shut down (known) process.
However, I understand this is probably a little too simplistic, and once you
get into the details of trying to implement this on millions of computers it
will probably not work :-(

How to be obscure to an attack while at the same time transparent to the
user...hmmmm...brain fodder ;-)

BB

Bill Sanderson said:
I saw that update--nice work on their part. One difficulty of such
behavior is that, for a constantly running utility--this makes you look
very much like a virus--how will the HijackThis folks tell who's what? I
s'pose they could pick a name like MWAS3417 and randomize the numbers, but
then spyware or viruses could probably manage to parse that without too
much trouble.

I'm certainly not up on the best current techniques that might be used to
avoid the kinds of attacks already evidenced by this set of bugs--I'd love
to know more about it but suspect this is the kind of detail that won't be
published.