Archive for May 2004

Infernal spyware redux

My home PC running Windows 2000 is finally free of Look2Me spyware.
It’s very aggressive at staying alive.
It creates an ever-changing series of DLL files.
Removing or changing its registry entries causes it to immediately rewrite them.

As I noted last week, my first symptom was unwanted outgoing “phone home” connections caught by ZoneAlarm, resulting in eventual loss of TCP connectivity within about 20 minutes.

The tools at sysinternals
were very helpful in seeing exactly what was going on, specifically the process monitor, registry monitor, and network connection monitor.

The removal instructions that finally worked were found at the bottom of
VX2Finder.
Removal required VX2Finder, regedit/regedt32 (the significant key has a name along the lines of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian*), and Windows Safe Mode.
Once you search for the right things it looks like there are a few ways to skin this cat.
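As an added defender-side check (not from the post, VX2Finder, or any vendor tool): parse a regedit export of the Winlogon\Notify key and flag notify packages that are not in an allowlist of stock Windows 2000 packages or that load their DLL by full path rather than by bare name. The sample export, the Guardian.5d3a subkey and its DLL name are constructed, and the allowlist is an assumption to be verified against a clean machine of the same build.

```python
import re

# Constructed excerpt of a regedit export (.reg). The Guardian.5d3a subkey and
# g1k9s2.dll are made-up stand-ins for the ever-changing names the post describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DLLName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian.5d3a]
"Asynchronous"=dword:00000001
"DLLName"="C:\\WINNT\\System32\\g1k9s2.dll"
"Startup"="WinlogonStartupEvent"
'''

NOTIFY_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"

# Assumed allowlist of stock notify packages; compare against a known-clean build.
KNOWN_GOOD = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
              "schedule", "senslogn", "termsrv", "wlballoon"}


def parse_notify_packages(reg_text):
    """Return {subkey: dllname} for every Winlogon\\Notify subkey in a .reg export."""
    packages, current = {}, None
    for line in reg_text.splitlines():
        key_match = re.match(r"\[(.+)\]$", line.strip())
        if key_match:
            key = key_match.group(1)
            # Track only subkeys beneath Notify; anything else resets the context.
            current = None
            if key.lower().startswith(NOTIFY_PREFIX.lower()):
                current = key[len(NOTIFY_PREFIX):] or None
            continue
        dll_match = re.match(r'"DLLName"="(.*)"$', line.strip())
        if dll_match and current is not None:
            # .reg files double backslashes inside string values; undo that.
            packages[current] = dll_match.group(1).replace("\\\\", "\\")
    return packages


def suspicious_packages(reg_text, known_good=KNOWN_GOOD):
    """Flag packages not in the allowlist, or whose DLL is given by full path
    (stock packages name a DLL in System32 by bare filename)."""
    found = parse_notify_packages(reg_text)
    return {name: dll for name, dll in found.items()
            if name.lower() not in known_good or "\\" in dll}
```

Export the key with regedit from Safe Mode before running the check, since the post notes the entries are rewritten immediately while the spyware is active.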

I know, I’ve been “rooted” on a weak platform, and I should stop whining and do something about being less vulnerable.

The purveyors of this are as criminal as the virus-releasers. Their damage is diffuse so they are under the radar for now.

The fact that the present solution to this is cottage-industry homegrown hacks surprises me; I’d think that the anti-virus industry would be on this. It’s evidence that they’re running further behind than ever before.

Along the way I ran across the funny remark by Rob Leathern (one of the comments attached to
a John Battelle article):

Looking at the top downloads at download.com is always interesting – typically two-thirds are adware/spyware-bundling music/video download programs, the other third are spyware removers.

I think the proportions are reversed now.

From Bauhaus to My Mouse

Keith Pleas: “Brutal” Architecture is an instant classic, about the newly-constructed Seattle Public Library, plus understated and apt commentary on software architecture.

[via Jon Udell]

Look2Me is evil, and Windows is a bad platform

My home Windows 2000 machine is infested with Look2Me spyware.
Who knows which of our family of five attached this IE “shell extension” nuisance.
Now the question is: how do I get rid of it? None of the published instructions has worked.
The vendor’s uninstaller doesn’t. (Of course it’s overly kind to call a producer of
unwanted intrusive privacy violation software a “vendor”.)
The manual uninstall directions haven’t worked either.
I know it’s still there because ZoneAlarm shows it trying to phone home.

Look2Me interacts really badly with ZoneAlarm, because while ZoneAlarm can and will prevent the frequent attempts by winlogon and rundll32 to contact 69.20.20.161 port 80, it does cause some kind of resource exhaustion that prevents any new TCP session from being established 20 minutes or so after a reboot.

Anybody with fresh ideas for uninstall, let me know. I suspect that people will be asking me for help for years to come as they find this page while searching for winlogon, rundll32, ZoneAlarm, or 69.20.20.161.

This all happened on a machine up-to-date with patches.
Patches and reactive measures such as virus patterns don’t change the fact that Windows is a bad platform, for even casual use.
The barriers against mischief are just too low – defense without depth.

Yahoo DomainKeys draft specification

Yahoo publishes its DomainKeys specification.
FAQ at Yahoo! Anti-Spam Resource Center – DomainKeys.

I must say that I share Justin Mason’s distrust and disdain for software patents.
What the heck is patentable among these ideas anyway? They seem like obvious applications of digital signatures and DNS publication.
The most generous interpretation is that these might be defensive patents, and that for all intents, the IETF-required license is good enough.

Is this or SPF
likely to take the world by storm?
Either one permits senders to publish records that permit receivers to make some authentication judgments.

Well, deployment by senders is a bit more work (sign those messages) for DK than for SPF. But SPF breaks what has been considered normal forwarding behavior, in a way that the sender has no control over except by saying “put up with it” or by turning off SPF.
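As an added illustration (not from the post or from either specification), a minimal SPF evaluator for the ip4/all subset of the record syntax, run against a constructed DNS table: the same envelope sender passes when the message comes from the domain's own mail server and fails when a forwarder re-sends it from its own address, which is the forwarding breakage described above. The domain, record and addresses are constructed examples.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (example domain, RFC 5737 addresses).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_domain, client_ip):
    """Evaluate the envelope sender domain's SPF record against the connecting IP.

    Only the ip4 and all mechanisms are modelled; a, mx, include and the rest
    are skipped. Returns pass / fail / softfail / neutral, or none when the
    domain publishes no SPF record."""
    record = DNS_TXT.get(sender_domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            matched = True
        elif term.lower().startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue                         # mechanism not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                         # no mechanism matched


def forwarding_scenario():
    """One message, two delivery paths, same envelope sender alice@example.com.

    The forwarder at 203.0.113.5 keeps the original envelope sender, so the
    receiver checks example.com's record against an IP example.com never listed."""
    direct = evaluate_spf("example.com", "192.0.2.10")      # example.com's own MTA
    forwarded = evaluate_spf("example.com", "203.0.113.5")  # the forwarder's address
    return direct, forwarded
```

A DomainKeys-style signature over the message itself survives the same forwarding hop, which is the asymmetry the paragraph above is getting at.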

Deployment by receivers has no particular downside for either scheme — you’re basically implementing sender-requested filtering, and who can complain about that?

Of course, initially, rather than trying to subvert either scheme, spammers will avoid both. Is it possible that the world will shift so much that just being a non-DK domain will count against the sender? I do think it’s possible. At which point, yes, spammers adopt the technology but subvert it with throwaway domains and proxy zombies with access to signing servers.
You can’t avoid reputation systems in the end, trusted third parties (some even having good incentives to rate accurately and respond quickly), blacklists, etc.

CRLF injection attack, HTTP response splitting

SDSU and UCSD security incidents

  • San Diego State University, February 2004:

    While investigating a computer server sending spam e-mail messages, the Information Technology Security Office at San Diego State University discovered computer intruders had circumvented departmental server security and gained illegal access to a file server in the Office of Financial Aid and Scholarships.

    We recognize that identity theft has become one of the fastest growing crimes in the nation and SDSU is making every effort to ensure that Social Security information is not unnecessarily exposed. In late March, the University will implement an alternative ID system using a new nine-digit ID number called "Red ID".

    [via [Interesting-People] Bad year for San Diego Universities so far]

  • University of California, San Diego, May 2004:

    The University of California, San Diego is notifying past and present students, applicants, and some staff and faculty that unauthorized intruders have broken into four computers in the UCSD Business & Financial Services Department, computers which housed approximately 380,000 records of personal data including names, social security numbers, and drivers license numbers.

    [via [Interesting-People] UCSD Computer Security Incident Alert]

Microsoft NGSCB tabled

Microsoft Shelves NGSCB Project As NX Moves To Center Stage

“A lot of decisions have yet to be made,” said Mario Juarez, product manager in Microsoft’s Security and Technology Business Unit. “We’re going to come out later this year with a complete story.”

followed by hedging:
Microsoft: ‘Palladium’ Is Still Alive and Kicking

Juarez said Microsoft is not providing any of its NGSCB bits as part of the new Longhorn pre-alpha release that it is distributing this week to WinHEC attendees. But he denied that this means that the company is exorcising NGSCB from the product. Instead, he said that the NGSCB team decided that the driver developers at the show wouldn’t be the right targets for this code.

Update 2004/05/19: Real details from Microsoft pointed to by Dana Epp