Finding spyware is not all that difficult. What is sometimes difficult is
distinguishing one spyware program from another, since they often display
very similar behavior. What makes it hardest is that it is very common for
one spyware program to install another; some programs' entire purpose is
to do just that. One example is Downloader.Vxgame. This downloader seems
to be continuously updated, and its sole purpose is to download and install
other spyware programs.
I found a new unwanted program on my test PC recently. A visit to a nefarious
website installed Downloader.Vxgame, which caused a series of automated
downloads. The new item, “Trojan.Update32”, did not show itself right away.
After removing the known spyware items installed by Downloader.Vxgame, the
PC appeared to be running normally. After a few minutes, though, it was
evident that the PC was running slower than normal, and an inspection of
the network activity showed that it was still infected. There was quite a
bit of unsolicited network activity going on even with no web browser
windows open.
All of this activity could bring a dialup connection to a crawl. After a
while the program started downloading advertisements. Some of these were
very annoying windows that would launch new browser windows as soon as the
first was closed. Quite a few of these windows were loading advertisements
with pornographic content, and more than one or two of them were not in
English.
Inspecting the network activity happening in the background showed that
the infection was doing more than downloading advertisements. It made
several connections to the same domain and sent lists of the files found
in the computer's root folder. It also seemed to keep two or three
connections active at all times, even once all the browser windows were
closed. Running the Windows utility netstat made these lingering
connections visible.
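The netstat run described above only shows addresses and PIDs; the useful step is joining each connection to the process and binary that owns it. The following PowerShell is an added example, not code from the original post. It assumes a Windows host where netstat -ano and Get-Process are available; the sample row in the comment is constructed.

```powershell
# Added example, not code from the original post. Parses the output of the
# Windows netstat utility and joins each established TCP connection to the
# process that owns it, so that background traffic can be tied to a binary.
# Assumes a Windows host; the sample line in the comment is constructed.
function Get-EstablishedConnectionOwners {
    # Snapshot the process table once so every PID lookup is a hash lookup.
    $procs = @{}
    foreach ($p in Get-Process) { $procs[[int]$p.Id] = $p }

    netstat -ano | ForEach-Object {
        # Constructed example of a netstat -ano row:
        #   TCP    192.168.1.5:1045    64.233.161.99:80    ESTABLISHED    1234
        $fields = $_.Trim() -split '\s+'
        if ($fields.Count -ge 5 -and $fields[0] -eq 'TCP' -and $fields[3] -eq 'ESTABLISHED') {
            $ownerPid = [int]$fields[4]
            $owner = $procs[$ownerPid]
            $name = '?'
            $path = '?'
            if ($owner) {
                $name = $owner.ProcessName
                # Path is unavailable for some system processes; keep '?' then.
                try { if ($owner.Path) { $path = $owner.Path } } catch { }
            }
            [pscustomobject]@{
                Remote  = $fields[2]
                PID     = $ownerPid
                Process = $name
                Path    = $path
            }
        }
    }
}

# With every browser closed, anything listed here that is not a program you
# know and expect to be talking to the network deserves a closer look.
Get-EstablishedConnectionOwners | Sort-Object Remote | Format-Table -AutoSize
```

Run it with all browser windows closed, as in the test above; a process whose Path points into Program Files but whose name is not something you launched is the kind of entry worth chasing.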
An interesting aspect of Trojan.Update32 is that it hides its main file in
random folders that already exist on the PC. Most malicious programs hide
their files among the Windows or Windows system files. Running this
program twice on clean installations of Windows revealed that it would
randomly select an existing folder in the Program Files directory and drop
its file there, avoiding the suspicion that creating a new folder would
arouse:
c:\program files\beyond compare 2\wintofs32.dll
C:\Program Files\INAC\Anti Spyware\wintofs32.dll
It launches itself on reboot by creating a registry entry under the
ShellServiceObjectDelayLoad key, named after the program whose folder it
had borrowed. The value is a CLSID; the DLL it actually loads is the one
registered under HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32, which is
how the entry ties back to the file dropped in Program Files. In this way,
when a user looks through the registry at the different points where
objects can be loaded, he or she sees the name of a program that is already
installed on the PC and is unlikely to suspect it. The two runs produced
these entries:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BC 2"="{24B2B197-D6D3-2290-7E3D-1F81BE3D36E1}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"INAC ASAP"="{52AA77E3-97C4-5707-C3BC-DD3E85B64B4F}"
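Because the name in ShellServiceObjectDelayLoad is chosen to look familiar, the check that matters is where the CLSID resolves to, not what the entry is called. The following PowerShell is an added example, not code from the original post: it resolves every entry to its InprocServer32 DLL and flags any that does not live under the Windows directory or does not carry a valid Authenticode signature. It assumes a Windows host; the names and CLSIDs it prints are whatever is on the machine being checked.

```powershell
# Added example, not code from the original post. Walks the
# ShellServiceObjectDelayLoad key, resolves each CLSID to the DLL that will be
# loaded into Explorer at logon, and flags entries whose DLL does not live
# under the Windows directory or lacks a valid Authenticode signature.
# Assumes a Windows host; the names and CLSIDs come from the machine checked.
function Get-SsodlEntries {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    $windir = $env:SystemRoot
    $props = Get-ItemProperty -Path $key

    # Skip the PSPath/PSChildName/... bookkeeping properties the provider adds.
    $names = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object -ExpandProperty Name

    foreach ($name in $names) {
        $clsid = $props.$name
        $dll = $null
        # HKCR is HKCU\Software\Classes merged over HKLM\Software\Classes, so a
        # per-user CLSID entry can override the machine-wide one; check both.
        foreach ($hive in 'HKCU:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes') {
            $srv = "$hive\CLSID\$clsid\InprocServer32"
            if (Test-Path -Path $srv) {
                $dll = (Get-ItemProperty -Path $srv).'(default)'
                break
            }
        }

        $sigStatus = 'n/a'
        $inWindir = $false
        $dllDisplay = '(no InprocServer32)'
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            $dllDisplay = $dll
            $inWindir = $dll.StartsWith($windir, 'OrdinalIgnoreCase')
            if (Test-Path -Path $dll) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
            } else {
                $sigStatus = 'missing file'
            }
        }

        [pscustomobject]@{
            Name       = $name
            CLSID      = $clsid
            DLL        = $dllDisplay
            Signature  = $sigStatus
            Suspicious = (-not $dll) -or (-not $inWindir) -or ($sigStatus -ne 'Valid')
        }
    }
}

Get-SsodlEntries | Format-Table -AutoSize
```

A clean Windows installation has only a handful of Microsoft entries under this key, all resolving to signed DLLs in the system directory. An entry like "BC 2" or "INAC ASAP" whose CLSID points at a wintofs32.dll under Program Files fails both the location and the signature test, regardless of how plausible the name looks.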
After an update of Spyware Nuker it was as easy as running a deep scan to
remove this item. It's a challenge, but we work day in and day out to make
sure all of the new malicious programs can be removed from our customers'
PCs.