Microsoft AntiSpyware Makes its Debut
Not a spectacular entry, but it's a start.
Last Thursday, Microsoft
released the first beta
of its AntiSpyware
software. Acquired recently from
, Microsoft AntiSpyware is a huge step
forward for Microsoft. Not since Windows for Workgroups has Microsoft offered
such a tool. Hopefully it will be free with Longhorn, Microsoft's next desktop
Experiences with Microsoft AntiSpyware have been varied so far. I've read comments
stating it discovered spyware that other products had missed, while an equal
number of comments say it misses things others discover.
My personal experience was lukewarm. I had no spyware other than things I know
I had downloaded (like WinPCap), but AntiSpyware seemed to be somewhat ignorant
of Microsoft's own products. It told me that my Microsoft Windows Update Control
Engine was an unknown ActiveX, as was the Microsoft Windows Genuine Advantage
Validation control. GoogleActivate.dll, used in the Google Toolbar, is also
listed as being an unknown ActiveX, yet the Google Toolbar itself is a known
toolbar with no known security or privacy issues. It also initially suspected
its own ShellExecute hook.
column was originally published in our weekly Security Watch
newsletter. To subscribe, click here.
A scan on my P4 with 1GB RAM took 38 minutes, scanning more than 100,000 files
and nearly 10,000 Registry locations. That wouldn't be a problem if it weren't
for some annoying popups the spyware feels are necessary to inform me that it's
running. Performance numbers are not usually fair for beta products, but this
was a fully functional piece of software before Microsoft bought it.
Another new tool is expected from Microsoft this week, something long overdue.
Redmond's upcoming Malicious Software Removal tool
is expected to provide a single interface to the problem of removing malicious
software. MS Blaster, SQL Slammer, myDoom, and their ilk use a hole in a Microsoft
product to install themselves on a system, then become difficult to remove as
they often hook into the mechanisms commonly used to delete such things, in
order to intercept attempts at removal. Such tools, created individually for
some of the more widespread and difficult to remove malware, have typically
been released first by concerned individuals. Anti-virus vendors follow quickly
with their own tools, and Microsoft has lagged behind. It's often been several
weeks before Microsoft has made a tool available.
Take the GDI+ vulnerability, for example. Microsoft
was relatively slow in releasing the detection tool, but worse was that it couldn't
offer a single click patch which would update all versions of the vulnerability
GDI+ .DLL that had been installed.
I hope the Malicious Software Removal tool provides a single, consistent interface
to the removal of widespread malware that abuses Microsoft vulnerabilities.
Who knows, we may even see this tool as a mechanism for making difficult updates,
like the GDI+ update, easier in the future.
On the worm/virus front, it's been surprisingly quiet lately, almost ominous.
There was a flurry of discussion regarding a possible WINS
worm due to a spike in WINS port 42 traffic. Since the vulnerability is only
found in WINS servers, not WINS clients, and since they are few and far between,
we quickly surmised that one or more of the current bots had included the recently
published exploit and started scanning for it. Anyone with such a bot
already installed would then emit the attack packets.
A bot is any piece of software which makes a victim
system behave like a robot. Once the software is executed, it causes the system
to take instructions from the bot owner. This is typically done via an IRC
channel. The bot, when started, registers itself to the bot owner as
part of that person's botHerd. A botHerd is simply
the name given to a group of similar bots under the control of a single owner,
or group of owners. By establishing an outbound connection to the bot IRC channel,
bots can bypass many firewalls or similar controls where outbound traffic is,
unfortunately, typically allowed.
Bots are notorious for quickly implementing new vulnerability exploit code,
and since the botHerd owners have an established base of attacking systems,
the attack can easily look like a worm. An instruction is issued in the controlling
IRC channel and the bots dutifully update themselves with whatever new attacks
the bot owner has coded. Then they'll typically resume their activities, be
it spamming, attacking or whatever the owner desires.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.