Archive for the ‘security’ Category.

Infernal spyware redux

My home PC running Windows 2000 is finally free of Look2Me spyware.
It’s very aggressive at staying alive.
It creates an ever-changing series of DLL files.
Removing or changing its registry entries causes it to immediately rewrite them.

As I noted last week, my first symptom was unwanted outgoing “phone home” connections caught by ZoneAlarm, followed by eventual loss of TCP connectivity within about 20 minutes.

The tools at sysinternals
were very helpful in seeing exactly what was going on, specifically the process monitor, registry monitor, and network connection monitor.

The removal instructions that finally worked were found at the bottom of
VX2Finder.
Removal required VX2Finder, regedit/regedt32 (significant key has name along the lines of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian*), and Windows Safe Mode.
Once you search for the right things it looks like there are a few ways to skin this cat.

I know, I’ve been “rooted” on a weak platform, and I should stop whining and do something about being less vulnerable.

The purveyors of this are as criminal as the virus-releasers. Their damage is diffuse so they are under the radar for now.

The fact that the present solution to this is cottage-industry homegrown hacks surprises me; I’d think that the anti-virus industry would be on this. It’s evidence that they’re running further behind than ever before.

Along the way I ran across a funny remark by Rob Leathern (one of the comments attached to
a John Battelle article):

Looking at the top downloads at download.com is always interesting – typically two-thirds are adware/spyware-bundling music/video download programs, the other third are spyware removers.

I think the proportions are reversed now.

Look2Me is evil, and Windows is a bad platform

My home Windows 2000 machine is infested with Look2Me spyware.
Who knows which of our family of five attached this IE “shell extension” nuisance.
Now the question is: how do I get rid of it? None of the published instructions has worked.
The vendor’s uninstaller doesn’t. (Of course it’s overly kind to call a producer of
unwanted intrusive privacy violation software a “vendor”.)
The manual uninstall directions haven’t worked either.
I know it’s still there because ZoneAlarm shows it trying to phone home.

Look2Me interacts really badly with ZoneAlarm, because while ZoneAlarm can and will prevent the frequent attempts by winlogon and rundll32 to contact 69.20.20.161 port 80, it does cause some kind of resource exhaustion that prevents any new TCP session from being established 20 minutes or so after a reboot.

Anybody with fresh ideas for uninstall, let me know. I suspect that people will be asking me for help for years to come as they find this page while searching for winlogon, rundll32, ZoneAlarm, or 69.20.20.161.

This all happened on a machine up-to-date with patches.
Patches and reactive measures such as virus patterns don’t change the fact that Windows is a bad platform, for even casual use.
The barriers against mischief are just too low – defense without depth.

CRLF injection attack, HTTP response splitting

Microsoft NGSCB tabled

Microsoft Shelves NGSCB Project As NX Moves To Center Stage

“A lot of decisions have yet to be made,” said Mario Juarez, product manager in Microsoft’s Security and Technology Business Unit. “We’re going to come out later this year with a complete story.”

followed by hedging:
Microsoft: ‘Palladium’ Is Still Alive and Kicking

Juarez said Microsoft is not providing any of its NGSCB bits as part of the new Longhorn pre-alpha release that it is distributing this week to WinHEC attendees. But he denied that this means that the company is exorcising NGSCB from the product. Instead, he said that the NGSCB team decided that the driver developers at the show wouldn’t be the right targets for this code.

Update 2004/05/19: Real details from Microsoft pointed to by Dana Epp

April 1

The funniest spoof I read today was Avi Rubin’s new job as Diebold’s Chief Security Officer.

Also quite entertaining was the announcement of
XCP, the XML-based drop-in replacement for TCP.

More China blocking

The spread of the Witty worm

Shannon and Moore:
The Spread of the Witty Worm:

Witty infected only about a tenth as many hosts than the next smallest widespread Internet worm. Where SQL Slammer infected between 75,000 and 100,000 computers, the vulnerable population of the Witty worm was only about 12,000 computers. Although researchers have long predicted that a fast-probing worm could infect a small population very quickly, Witty is the first worm to demonstrate this capability. While Witty took 30 minutes longer than SQL Slammer to infect its vulnerable population, both worms spread far faster than human intervention could stop them. In the past, users of software that is not ubiquitously deployed have considered themselves relatively safe from most network-based pathogens. Witty demonstrates that a remotely accessible bug in any minimally popular piece of software can be successfully exploited by an automated attack.

Forging S/MIME signatures

Jon Udell tries his hand at S/MIME signature forgery,
revealing that PKI is not a panacea.

A digital signature proves something. The proof is strong but the something is weak (if it just demonstrates that you clicked a few things to get a persona certificate).

So if you need to prove something stronger, then you put limits on what digitally-signed content you’re willing to accept.
This can go in at least two directions (not mutually exclusive):

  • higher-class certificates (where certificate authorities demand more proof, and encode that fact in the certificate). But higher quality means harder to get and less actual deployment. And higher quality means a more attractive target for theft of keys.
  • reputation systems. Of course, building robust reputation systems is not easy. Users may wish to have multiple sources of reputation information to fit their own definitions of good and bad behavior and how fast those judgments are made. It replays the whole DNS blacklist deployment. Some reputation systems may seem arbitrary and capricious. Others may be too slow or too tolerant. They are all lawsuit targets. Will there be too many to choose from?

For message classification, there is a predisposition to disparage machine learning and content inspection as too
probabilistic and uncertain, while viewing signatures as certain and reliable. It is not so: the uncertainty, or the trust, is not eliminated, it is just moved to a different level.

unescaped, escaped, double-escaped

Tim Bray explores the mess related to escaping HTML/XML information:

The policy ideally should be, I think, that all data in the Your Code block has to be known to be escaped or known to be unescaped. That is to say, you always do escaping on the data at the pointy end of the input arrows, or you never do it.

I think always-unescaped is a little better, since some of those output arrows might not be XML or HTML, but probably they all are; so always-escaped is certainly viable.

and then it gets worse, as treatment of HTML in RSS aggregators varies.

The same problem presents itself in cross-site scripting and code injection attacks.
It’s the bane of macro language beginners too, whether it’s shell or troff.
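To make the “known escaped or known unescaped” policy concrete, here is an added example (my code, not Tim Bray’s and not from any aggregator) that tracks escaping state in the type of the value: raw `str` is escaped exactly once at the output boundary, and a `Markup` value is passed through untouched. The same constructed inputs are pushed through an always-escape-defensively renderer and a never-escape renderer to show the two failure modes the post describes: double escaping (`&amp;amp;`) and cross-site scripting. The `Markup` class, the renderers, and the sample title and body are assumptions for illustration.

```python
"""Escaping discipline: every string is either known-raw or known-escaped.

Added example, not code from the original post. The Markup class, the render
functions, and the sample inputs are constructed for illustration.
"""
import html


class Markup(str):
    """A str subclass marking content that is already HTML-escaped (safe to emit).
    Anything that is not Markup is treated as raw text and escaped on output."""
    __slots__ = ()


def escape(value) -> Markup:
    """Escape raw text exactly once. Markup passes through untouched, so calling
    escape() at the output boundary is idempotent and never doubles entities."""
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


def render_item(title, body):
    """Tracked style: both arguments go through escape(), so a caller may pass raw
    text or Markup and the result is escaped exactly once either way."""
    return Markup("<li><b>%s</b>: %s</li>" % (escape(title), escape(body)))


def naive_render_item(title, body):
    """Untracked 'escape defensively at every stage' style: text that already
    arrived escaped (e.g. from an upstream feed) gets escaped a second time."""
    return "<li><b>%s</b>: %s</li>" % (html.escape(title), html.escape(body))


def unescaped_render_item(title, body):
    """Never-escape style: correct only if every caller guaranteed escaping
    upstream; with raw attacker-controlled input it is an XSS sink."""
    return "<li><b>%s</b>: %s</li>" % (title, body)


# Constructed sample inputs: a raw user-supplied title containing markup, and a
# feed body that arrived already escaped from an upstream aggregator.
RAW_TITLE = '<script>alert("x")</script>'
PRE_ESCAPED_BODY = html.escape("Tom & Jerry <3")  # "Tom &amp; Jerry &lt;3"


def demo():
    """Run all three renderers over the same inputs and return their output."""
    tracked = render_item(RAW_TITLE, Markup(PRE_ESCAPED_BODY))
    naive = naive_render_item(RAW_TITLE, PRE_ESCAPED_BODY)
    leaky = unescaped_render_item(RAW_TITLE, PRE_ESCAPED_BODY)
    return {"tracked": str(tracked), "naive": naive, "unescaped": leaky}


if __name__ == "__main__":
    for name, out in demo().items():
        print("%-9s %s" % (name + ":", out))
```

The tracked output contains the script tag as `&lt;script&gt;` and the body as `Tom &amp; Jerry &lt;3`; the naive renderer mangles the body into `Tom &amp;amp; Jerry &amp;lt;3`, and the never-escape renderer emits the live `<script>` element. The point is that the escaping decision has to live in one place, and the only way to keep it there across several stages is to carry the “already escaped” fact along with the data.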

Avolio – Security Redux

Fred Avolio’s Weblog: Security Redux succinctly summarizes how many aspects of the security discussion are not new, but resurface because of ignorance of the field.