The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/oct1,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. They should not be mistaken for unbiased, objective journalism.
Makers of antispyware and antivirus programs, pay attention to this article.
An ugly trend is developing in the world of antispyware. It is my belief that, very soon, all current tools and methods used to detect and remove malware will become obsolete. Very soon, malware will be able to load at startup and run on the computer without being detected by any existing scanner.
It is starting to happen already. More and more often, browser hijackers today use rootkit technology to protect themselves. I have run into it myself on my test computer and it was all I could do to remove it.
A rootkit-protected hijacker uses any of several methods to alter how Windows answers questions about itself, typically by hooking the system calls or API functions that enumerate files, processes and registry keys. Once the rootkit is operational, it monitors those queries and strips out anything that mentions itself or the malware it protects. For instance, say that file abcxyz.exe hijacks all browser home and search settings, keeps them from being changed back and pops up advertisements every 90 seconds. If it is protected by a rootkit and you open the folder containing the file, the rootkit will prevent Windows Explorer from displaying the file. If you open Task Manager, abcxyz.exe will not be shown as a running process.
This is how it works today and it gives us plenty of trouble when trying to help someone fix it. However, the tools we use today allow us to spot the existence of abcxyz.exe. It has to load when the computer starts, so HijackThis will show us the registry entry that causes it to be loaded. We can find the infection. We just have a hard time explaining to someone how to find it and remove it.
I see trouble ahead. It is only a matter of time before some miscreant designs a better rootkit. I believe that rather than simply hiding a file from Windows Explorer and the Task Manager, future rootkits will be able to provide malware designers with true stealth mode.
Imagine this for a moment. A flaw is discovered in Internet Explorer which allows any piece of software to be executed. Exploiting this flaw, the installer for a truly clever piece of malware is downloaded and executed. The first thing that happens is the installation of an advanced rootkit. This rootkit loads itself into the Windows kernel as a driver, underneath every higher-level function the rest of the system relies on.
A service entry is written under HKLM\SYSTEM\CurrentControlSet\Services so that abcxyz.exe starts as a Windows service. A service loads whether anyone is logged onto the computer or not and is more difficult to remove than a program installed normally. The abcxyz.exe file is loaded into memory. Every 90 seconds afterward, ads begin to pop up. Realizing that something is wrong, the user goes looking for the culprit. This is where he is going to run into trouble in the near future.
The first thing he does is to perform a scan with his antispyware program. Antispyware programs all look for spyware in essentially the same manner. They search the hard drive for files known to belong to malware. They ask Windows for a list of processes running in memory, then check whether any of those are bad guys. They look at the registry to see what loads at startup and to check for toolbars or BHOs installed into Internet Explorer. Every one of those steps asks Windows a question, and that is where they are going to fail when confronted with an advanced rootkit and a stealthed malware.
The rootkit is sitting in memory, monitoring every system query that passes through the kernel. When the antispyware scanner asks Windows for a list of running processes, the rootkit filters out abcxyz.exe. When the scanner asks for a listing of files, it filters it out again. When the scanner is looking at the registry, the rootkit filters out the entry that shows abcxyz.exe loading as a service. Seeing nothing suspicious, the antispyware scanner reports that all is well.
The user goes to our message board and asks for help. He is told to download HijackThis, run a scan and post the contents of his log file. He does this and waits for a response.
The advantage of HijackThis over antispyware scanners is that it lists everything it finds in the autostart locations and browser settings, whether it is malware or not, rather than only items on a signature list. However, it depends on Windows to give it that information. With the advanced rootkit running at the kernel level, no information about the malware is passed on to HijackThis. The user's log file will be perfectly clean.
This is the threat we soon will be facing. No matter how good a scanner may be, it depends on receiving accurate information from Windows to detect malware. With the advanced rootkit running, Windows is made to lie. Windows itself cannot be trusted to deliver accurate information about the contents of memory or of the hard drive. The malware is running in true stealth mode. Ask Saddam how well his air defenses fared against US Air Force stealth fighters and you see the problem. Or, more accurately, you don't see it.
So, if Windows cannot be trusted to provide the information we need, how are we going to track down malware? The answer to this, thankfully, is very simple. You need to look at the hard drive from another operating system.
No, I am not saying that the poor user has to set up his computer to dual boot Linux and Windows. There is a small program out there called BartPE that already does exactly what we need.
What is BartPE and PE Builder?
Bart's PE Builder helps you build a "BartPE" (Bart Preinstalled Environment) bootable Windows CD-ROM or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks.
It will give you a complete Win32 environment with network support, a graphical user interface (800x600) and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan and so on.
Run BartPE, along with a plug-in that lets it load any registry hive found on a hard drive, and we are back in business. With BartPE running, the infected copy of Windows on the hard drive is not executing at all, so nothing in it can intercept a query. Any scanner used to search that hard drive is reading files and registry hives directly from the disk and receives accurate information. Now, when our user runs his spyware scanner or HijackThis, the rootkit cannot hide itself or the malware. The one thing an offline view cannot show is what lived only in memory, but anything that needs to survive a reboot, the rootkit included, must be stored on the disk or in the registry, and that is exactly what the scanner now sees.
So, this is my message to the antispyware and antivirus vendors out there: you need to rewrite your scanner programs to provide the ability to run in a "non-Windows environment". Your scanners need to have the ability to edit the file system and load the registry without Windows itself having been loaded. Pretty soon, you will not be able to depend on Windows giving your scanners accurate enough information to be of any use.
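As an added example that is not part of the newsletter and not BartPE's own plug-in code, here is a PowerShell script that does the offline registry work described above from a current Windows PE (which, unlike the 2005-era BartPE, can carry PowerShell). It loads the SYSTEM and SOFTWARE hives of the installed Windows straight from the mounted disk, reads the service list and the Run keys out of them, and checks whether each referenced executable is actually present on that disk. The drive letter D:, the hive names OFFLINE_SYSTEM and OFFLINE_SOFTWARE and the helper Resolve-OfflinePath are this example's own assumptions, not anything from the page; the script must run elevated because reg.exe load requires it.

```powershell
# Added example, not from the newsletter or from BartPE: enumerate the autostart
# entries of an OFFLINE Windows installation from a rescue environment (WinPE with
# PowerShell), so a rootkit inside the installed Windows cannot filter the results.
# Assumptions: the infected system volume is mounted as D:, its hives live under
# D:\Windows\System32\config, and this runs elevated (reg.exe load requires it).
param(
    [string]$OfflineRoot = 'D:\Windows',   # assumed mount point of the infected Windows
    [string]$HivePrefix  = 'OFFLINE'       # arbitrary name for the temporarily loaded hives
)

$config = Join-Path $OfflineRoot 'System32\config'
$mounts = @{
    "${HivePrefix}_SYSTEM"   = Join-Path $config 'SYSTEM'
    "${HivePrefix}_SOFTWARE" = Join-Path $config 'SOFTWARE'
}

function Resolve-OfflinePath([string]$Raw) {
    # Strip quotes and command-line arguments, then map the path onto the offline volume.
    $p = $Raw.Trim()
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }
    else { $p = ($p -split ' (?=[-/])')[0] }      # crude: cut at the first " -x" or " /x" switch
    $p = $p -replace '^\\\?\?\\', ''                # "\??\C:\..." form used by some driver entries
    $p = $p -replace '^\\SystemRoot', $OfflineRoot  # "\SystemRoot\system32\drivers\x.sys"
    $p = $p -replace '%SystemRoot%', $OfflineRoot
    $p = $p -replace '%windir%', $OfflineRoot
    if ($p -match '^system32\\') { $p = Join-Path $OfflineRoot $p }   # bare "system32\..." form
    if ($p -match '^[a-z]:\\') {
        # Swap the original drive letter for the letter the volume has in the rescue environment.
        $p = (Split-Path $OfflineRoot -Qualifier) + $p.Substring(2)
    }
    return $p
}

try {
    foreach ($name in $mounts.Keys) {
        & reg.exe load "HKLM\$name" $mounts[$name] | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed for $($mounts[$name])" }
    }

    # The installed Windows boots from the ControlSet named in Select\Current;
    # "CurrentControlSet" is only a link that exists while that Windows is running.
    $current  = (Get-ItemProperty "HKLM:\${HivePrefix}_SYSTEM\Select").Current
    $services = 'HKLM:\{0}_SYSTEM\ControlSet{1:D3}\Services' -f $HivePrefix, $current

    $entries = @()
    foreach ($svc in Get-ChildItem $services -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty $svc.PSPath
        if (-not $props.ImagePath) { continue }
        $entries += [pscustomobject]@{
            Source = 'Service'; Name = $svc.PSChildName
            Start  = $props.Start; Raw = $props.ImagePath   # Start: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        }
    }
    foreach ($key in 'Run', 'RunOnce') {
        $runKey = "HKLM:\${HivePrefix}_SOFTWARE\Microsoft\Windows\CurrentVersion\$key"
        if (-not (Test-Path $runKey)) { continue }
        foreach ($p in (Get-ItemProperty $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # provider metadata, not registry values
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Start = $null; Raw = $p.Value }
        }
    }

    foreach ($e in $entries) {
        $file = Resolve-OfflinePath $e.Raw
        $e | Add-Member -NotePropertyName File   -NotePropertyValue $file
        $e | Add-Member -NotePropertyName Exists -NotePropertyValue (Test-Path -LiteralPath $file)
    }
    $entries | Sort-Object Source, Name | Format-Table Source, Name, Start, Exists, File -AutoSize
}
finally {
    # Drop PowerShell's handles to the loaded hives, otherwise reg unload reports "access denied".
    [gc]::Collect()
    foreach ($name in $mounts.Keys) { & reg.exe unload "HKLM\$name" | Out-Null }
}
```

Run it inside the rescue environment and compare the output with a HijackThis log taken from inside the running Windows: any service or Run entry that shows up here but not in the live log is one the rootkit is filtering. Because the hives are read from the disk rather than through the installed Windows, nothing in that installation gets a chance to edit the answer.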
BartPE can be licensed for commercial use. Or you can build something similar yourself. BartPE basically is just an offshoot of the Windows Preinstallation Environment. Someone already in the business of writing software should have no problem creating a custom version of the Windows PE.
When your software is installed, you simply prompt the user to insert a CD, DVD or flash drive and copy the files needed to run the "non-Windows environment", as well as your scanner, onto it. You might even be able to boot it straight from the hard drive, the way disk imaging and partitioning software do, although that is the weaker option: malware that already has administrator rights inside the installed Windows can modify files on that same disk, including the rescue environment, so write-protected removable media is the copy that can be trusted. Scanning in this way can be an additional option, right next to "Quick Scan" and "Full Scan".
I am going to be playing with BartPE in the near future to see how well it works with HijackThis and some of the other tools regularly used at the SpywareInfo forums. We may well end up having to ask people to download BartPE and run HijackThis from outside of Windows. Before much longer, that may be the only way to find the more clever malware out there.
Everything you do on your computer leaves a trail. When you surf to a web site, you leave behind internet cache, address bar history, web site visit history and cookies. When you open a document, Windows saves the filename into the registry. When you run certain programs, Windows saves a file into a temporary folder and sometimes does not delete it afterward.
You could spend an hour rummaging through your computer deleting your browser cache, cookies, temp files, address bar history and even those nearly impossible to delete index.dat files. You don't have to waste all that time and energy. Privacy Guardian makes doing these tasks quick and easy.
Privacy Guardian cleans all of these items with the click of a couple of buttons. You can choose which cookies to keep so that you don't lose the ones you want. The index.dat files are held open by the Windows shell while it is running, which is why deleting them normally forces you to reboot. Privacy Guardian instead unloads the Windows graphical shell briefly, deletes the files and reloads it, so no reboot is needed.
In addition to erasing common Windows tracks, Privacy Guardian also includes plug-ins for common non-Microsoft programs which leave usage tracks, such as Netscape, Adobe Acrobat, popular download accelerator products and many more. If a plug-in is written for a program not included in the third party list, it can be downloaded with Privacy Guardian's update feature.
Privacy Guardian includes a file shredder function. If you drag files into the shredder window, they will be overwritten a number of times before finally being deleted. Privacy Guardian uses the US Department of Defense standard (DoD 5220.22-M), rendering them unrecoverable by standard file recovery methods.
Privacy Guardian is published by PC Tools, who also publishes Spyware Doctor. We have worked out a discount for this week which gives you $10.00 off of each program. You can buy either of them for $10.00 off, or buy both of them together and receive a $20.00 discount off the price. You can read my review of Spyware Doctor for information about that program.
The discount should be applied automatically when using the links above. You will see the discount applied when you click the green purchase button. If this is not the case, try using the coupon code SPYWAREINFO. If you have any problems with the ordering page or with the coupon code (SPYWAREINFO), please email Catherine http://www.spywareinfo.com/email2.php.
Anyone buying as a corporate customer and needing many copies of this program, please contact Catherine.
Four operators of surveillance cameras located in Atlantic City's Caesars casino have been busted for misusing the cameras. They were discovered to be focusing the cameras at the body parts of various women inside the casinos. The four men have been fired and faced a hearing in Atlantic City on September 27. The Caesars casino will pay a $185,000 fine to the New Jersey Casino Control Commission.
It is a well-known fact that modern casinos cover every square inch of the gaming tables with video surveillance equipment. This cuts down on cheating, both by players and employees. A particularly clever person can defeat the cameras but it is not easy. The cameras are capable of showing an entire section of the room or of zooming all the way in to read the wording of individual chips in a player's stack, in full color and with crystal clarity.
It should be an obvious fact that a bored security guard is likely to ogle women. Give him the controls of a video camera and the sense that no one is looking over his shoulder and guess what is likely to happen. This sort of thing has happened before.
Two years ago, I learned that an Alabama State Policeman redirected traffic monitoring cameras and swung them around at the sidewalk to zoom in on young women walking in and out of bars late one night. That policeman turned the entire city of Tuscaloosa into peeping toms, as the video feed of those cameras was broadcast live on a local cable access station.
Joe Robinson, director of the Tuscaloosa Transportation Department, the agency that "owns" the cameras, was outraged. After the incident, he took steps to lock Alabama State Troopers out of the camera control systems.
Although it is outrageous that a policeman would misuse a traffic camera in such a way, it is not the most outrageous part of the incident. To this day (as far as I have been able to determine), the Alabama State Police have refused to reprimand that trooper in any way. In fact, they won't name the trooper or even admit that he did anything wrong.
Tuscaloosa almost has a sensible system. While the police are able to use cameras to monitor the public, the public is able to monitor the police while they do it. It is far more embarrassing to be caught peeping into somebody's window than it is to discover someone has been peeping into yours.
Tuscaloosa's system failed because there was no process to punish someone caught abusing it. When this trooper was caught, absolutely nothing was done to punish him. The State Police should have been compelled to release his name and to take disciplinary action against him.
This is no different from an officer turning on lights and sirens to get through traffic quicker because he wants to get home in time to watch the football game. It was an abuse of authority and access and the trooper should have been punished for it.
It happens at the end of every Summer. College students moving onto campus to begin the school year bring with them an assortment of personal possessions: stereos, clothes, books, video games, cell phones and, of course, their computers. Without fail, the computers that many of these students plug into the college network are absolutely infested with all manner of malware.
The speed of the internet connection available to most colleges and universities is mind-boggling. Many colleges have more bandwidth available to them than a small ISP. When students arrive with their computers, any spyware, virus or worm infecting those computers suddenly finds itself with access to a massive internet connection. If you have ever wondered why the amount of spam and viruses tends to surge in August and September, wonder no more.
These days, the most common reason for creating a virus is to use it to send out spam. The virus installs its own email (SMTP) server and a backdoor trojan. Whoever created it can then send it a copy of an advertisement and use the infected machine to distribute it. This lets the spammer avoid the cost and risk of using his own internet connection to spam millions of people.
Tufts University found itself blacklisted by AOL last week. All of those students plugged in their infected computers and suddenly the spam poured out across the internet. After receiving numerous spam complaints from their users, AOL blacklisted the range of IP addresses used by Tufts University. Now Tufts is attempting to be put on AOL's whitelist in order to avoid becoming blacklisted again.
Personally, I feel that it would be a mistake for AOL to whitelist Tufts. AOL had a legitimate reason to block the range of IP addresses used by Tufts. Those IP addresses were being used to send out spam, a lot of spam. Rather than trying to have themselves put on a whitelist, Tufts should try to fix the problem instead.
There are two problems at Tufts. The first problem is that they allow students to plug into their network without requiring them to install an antivirus program. That should be common sense. Students bring infected machines to school with them. They shouldn't activate the internet access for a student until after he or she has installed and updated an antivirus program.
The second problem is that Tufts has left port 25 open. Whenever information is sent out over a network using TCP/IP, it is addressed to a specific port number. Mail servers exchange email with each other on TCP port 25 (SMTP), and a spam-spewing virus delivers its mail by connecting straight to port 25 on the recipients' mail servers. If the provider of the internet connection blocks outbound connections to port 25 from ordinary machines, the virus is simply out of luck. Legitimate users lose nothing, because a mail program can still hand its outgoing mail to the provider's own server, which accepts it with a username and password on the separate submission port, 587.
I used to be against the idea of ISPs blocking port 25. There are plenty of legitimate reasons for someone to send out email using their own servers. However, I have been forced to change my opinion of that, as the spam problem has become worse. Spammers have shifted distribution away from a single email server and instead use viruses to do their dirty work.
Now my opinion is that all ISPs should close port 25, unless a customer specifically requests that it be opened for their account. If they all did that, much of the spam problem would go away. Or spammers would be forced to find another distribution method anyway.
If Tufts, and all other colleges and universities, were to take those two steps, they wouldn't need to be whitelisted. The problem wouldn't exist. While they are in a situation where their network is being used to send massive amounts of spam, they should not be whitelisted. Until they correct the problem, any mail coming from their network should be blocked. So I hope that AOL rejects Tufts' request to be whitelisted until they fix their problems.
Depending on how often you visit the site, you might have noticed that sometimes it hasn't been there lately. The server seems to simply die every so often the last few months, requiring a reboot. It started out doing it once every week or so. Now it's to the point that it needs to be rebooted every few days.
Obviously something is wrong, since Linux servers normally don't need to be rebooted for anything short of a kernel update. My web host has put a monitoring program on the server that checks its status every five minutes. Hopefully they will figure out the problem. At first glance, it looks like one of the RAM sticks might be going bad.
SpywareInfo has a new(ish) feature, listing news headlines relevant to spyware, privacy and safely using the computer. There is a saying that "all politics is local". It seems that this also applies to the internet. It is a close community in that problems can spread from anywhere. If you see a local story that you think deserves attention, please let us know. Use this mail form, tell us some details and we will follow the story.
This Spywareinfo News Section is updated every day - and several times during the day. It is a section of Spywareinfo that we hope will keep you informed on a daily basis - and keep your internet time a bit safer. Go have a look.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners. All rights reserved.