Security Watch
Microsoft AntiSpyware Makes its Debut
Not a spectacular entry, but it's a start.
Last Thursday, Microsoft released the first beta of its AntiSpyware software. Acquired recently from Giant Software, Microsoft AntiSpyware is a huge step forward for Microsoft. Not since Windows for Workgroups has Microsoft offered such a tool. Hopefully it will be free with Longhorn, Microsoft's next desktop operating system.
Experiences with Microsoft AntiSpyware have been varied so far. I've read comments
stating it discovered spyware that other products had missed, while an equal
number of comments say it misses things others discover.
My personal experience was lukewarm. I had no spyware other than things I know
I had downloaded (like WinPCap), but AntiSpyware seemed to be somewhat ignorant
of Microsoft's own products. It told me that my Microsoft Windows Update Control
Engine was an unknown ActiveX, as was the Microsoft Windows Genuine Advantage
Validation control. GoogleActivate.dll, used in the Google Toolbar, is also
listed as being an unknown ActiveX, yet the Google Toolbar itself is a known
toolbar with no known security or privacy issues. It also initially suspected
its own ShellExecute hook.
This column was originally published in our weekly Security Watch newsletter.
A scan on my P4 with 1GB RAM took 38 minutes, scanning more than 100,000 files and nearly 10,000 Registry locations. That wouldn't be a problem if it weren't for some annoying popups AntiSpyware feels are necessary to inform me that it's running. Performance numbers are not usually fair for beta products, but this was a fully functional piece of software before Microsoft bought it.
Another new tool is expected from Microsoft this week, something long overdue.
Redmond's upcoming Malicious Software Removal tool
is expected to provide a single interface to the problem of removing malicious
software. MS Blaster, SQL Slammer, myDoom, and their ilk use a hole in a Microsoft
product to install themselves on a system, then become difficult to remove as
they often hook into the mechanisms commonly used to delete such things, in
order to intercept attempts at removal. Such tools, created individually for some of the more widespread and difficult-to-remove malware, have typically
been released first by concerned individuals. Anti-virus vendors follow quickly
with their own tools, and Microsoft has lagged behind. It's often been several
weeks before Microsoft has made a tool available.
Take the GDI+ vulnerability, for example. Microsoft was relatively slow in releasing the detection tool, but worse was that it couldn't offer a single-click patch which would update all versions of the vulnerable GDI+ DLL that had been installed.
I hope the Malicious Software Removal tool provides a single, consistent interface
to the removal of widespread malware that abuses Microsoft vulnerabilities.
Who knows, we may even see this tool as a mechanism for making difficult updates,
like the GDI+ update, easier in the future.
On the worm/virus front, it's been surprisingly quiet lately, almost ominous.
There was a flurry of discussion regarding a possible WINS worm due to a spike in WINS port 42 traffic. Since the vulnerability is only found in WINS servers, not WINS clients, and since they are few and far between,
we quickly surmised that one or more of the current bots had included the recently
published exploit and started scanning for it. Anyone with such a bot
already installed would then emit the attack packets.
A bot is any piece of software which makes a victim
system behave like a robot. Once the software is executed, it causes the system
to take instructions from the bot owner. This is typically done via an IRC
channel. The bot, when started, registers itself to the bot owner as
part of that person's botHerd. A botHerd is simply
the name given to a group of similar bots under the control of a single owner,
or group of owners. By establishing an outbound connection to the bot IRC channel,
bots can bypass many firewalls or similar controls where outbound traffic is,
unfortunately, typically allowed.
Bots are notorious for quickly implementing new vulnerability exploit code,
and since the botHerd owners have an established base of attacking systems,
the attack can easily look like a worm. An instruction is issued in the controlling
IRC channel and the bots dutifully update themselves with whatever new attacks
the bot owner has coded. Then they'll typically resume their activities, be
it spamming, attacking or whatever the owner desires.
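Both behaviours described above, a compromised host suddenly probing port 42 across many addresses and a bot holding an outbound connection to its IRC control channel, leave a trace in ordinary firewall connection logs. The following Python is an added example of what a defender could check for in such logs; it is not from the column or from any Microsoft tool. The log format, the sample lines, the RFC 1918 "inside" ranges, the IRC port and the five-targets-per-minute scan threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (not real traffic). Fields, space-separated:
# timestamp src dst dport proto action
SAMPLE_LOG = """\
2005-01-10T09:00:01 10.0.0.5 192.0.2.10 42 tcp allow
2005-01-10T09:00:02 10.0.0.5 192.0.2.11 42 tcp allow
2005-01-10T09:00:03 10.0.0.5 192.0.2.12 42 tcp deny
2005-01-10T09:00:04 10.0.0.5 192.0.2.13 42 tcp deny
2005-01-10T09:00:05 10.0.0.5 192.0.2.14 42 tcp deny
2005-01-10T09:00:06 10.0.0.5 192.0.2.15 42 tcp deny
2005-01-10T09:00:10 10.0.0.5 198.51.100.7 6667 tcp allow
2005-01-10T09:00:30 10.0.0.7 10.0.1.20 42 tcp allow
2005-01-10T09:01:30 10.0.0.7 10.0.1.21 42 tcp allow
2005-01-10T09:02:00 10.0.0.9 198.51.100.7 6667 tcp allow
2005-01-10T09:02:05 10.0.0.9 203.0.113.8 80 tcp allow
2005-01-10T09:02:06 203.0.113.8 10.0.0.9 6667 tcp deny
"""

# Assumptions for this example: RFC 1918 space is "inside", 6667 is the IRC
# port to watch, and five distinct targets on one port within a minute is a scan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
IRC_PORTS = {6667}
SCAN_THRESHOLD = 5
SCAN_WINDOW = timedelta(minutes=1)


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    action: str


def parse_log(text):
    """Parse the whitespace-separated log format constructed above."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, action = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport), proto, action))
    return conns


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_port_scanners(conns, port, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """Return internal sources that reached >= threshold distinct hosts on `port`
    within any interval of length `window`. Denied attempts count too: a scanner
    is identified by its fan-out, not by whether the firewall let it through."""
    by_src = defaultdict(list)
    for c in conns:
        if c.dport == port and is_internal(c.src):
            by_src[c.src].append((c.ts, c.dst))
    scanners = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                scanners.append(src)
                break
    return sorted(scanners)


def find_outbound_irc(conns, ports=IRC_PORTS):
    """Return (src, dst, port) for allowed inside-to-outside connections on IRC
    ports. These show up as 'allow', not 'deny', precisely because outbound
    traffic is usually permitted; the inbound 6667 attempt in the sample is
    denied and is not a control channel, so it is left out."""
    hits = {
        (c.src, c.dst, c.dport)
        for c in conns
        if c.dport in ports and c.action == "allow"
        and is_internal(c.src) and not is_internal(c.dst)
    }
    return sorted(hits)


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    print("possible scanners on tcp/42:", find_port_scanners(conns, 42))
    print("outbound IRC sessions:", find_outbound_irc(conns))
```

On the constructed sample, the scan check flags only 10.0.0.5 (six targets in five seconds), not 10.0.0.7 (two targets over a minute, the sort of pattern legitimate WINS replication might show), and the IRC check lists the two inside hosts that successfully reached the same outside address on 6667; that a scanner and an IRC client are the same host is the correlation the column's bot theory predicts.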
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.