Bad News on Scumware.

[mangyDOG]

I don't know about everyone else, but I seem to be spending 80% of my time these days cleaning computers infected with scumware. I got even more depressed after I received my weekly e-mail from WindowsSecrets.com.

Here is an extract:

Howes's tests were conducted before the Microsoft Corp. announced in December that it was purchasing Giant Company Software outright. For that reason, the tests use the version of Giant AntiSpyware that was available in October and not the newer Microsoft beta version that's currently available.

Even so, with Giant's application removing 63% of a PC's adware components, and its nearest competitor, Webroot Spy Sweeper, removing less than 50%, it's clear that Microsoft has a potential winner on its hands.

In the following table, which was reviewed by Howes himself before its publication here, the Adware Fixed column represents the percentage of critical components successfully removed, not just detected, by each product (higher percentages are better). The False Positives column shows the number of benign Windows files that were incorrectly reported by a product as adware (lower numbers are better):

Product Adware Fixed False Pos.
Giant AntiSpyware 63% 0
Webroot Spy Sweeper 48% 0
Ad-Aware SE Personal 47% 0
Pest Patrol 41% 10
SpywareStormer 35% 0
Intermute SpySubtract Pro 34% 0
PC Tools Spyware Doctor 33% 0
Spybot Search & Destroy 33% 0
McAfee AntiSpyware 33% 9
Xblock X-Cleaner Deluxe 31% 1
XoftSpy 27% 3
NoAdware 24% 0
Aluria Spyware Eliminator 23% 3
OmniQuad AntiSpy 16% 1
Spyware COP 15% 0
SpyHunter 15% 1
SpyKiller 2005 15% 2

Howes didn't test the anti-adware programs in the above list against a program called CoolWebSearch (CWS). This little bugger mutates every few days, it seems. CWS actually requires a completely separate anti-adware program, CWShredder, which is constantly evolving along with the nuisance. This is explained in more detail later in this article.

The fact that anti-adware products fail to remove all or even most adware components has been an open secret among security professionals for some time. For this reason, tech writers often say, "You should install two different programs and run both of them for maximum protection."

To test this assertion, I compiled Howes's raw data into a new table showing the removal rate of the best app, Giant AntiSpyware, with every other tested product. According to this analysis, combining Webroot Spy Sweeper with Giant AntiSpyware did the most to remove unwanted components. But the combination of the two apps increased Giant's 63% success rate only 7 percentage points, to 70%:

Giant AntiSpyware plus... Total Adware Fixed
Webroot Spy Sweeper 70%
Ad-Aware SE Personal 69%
PC Tools Spyware Doctor 68%
Pest Patrol 67%
Spybot Search & Destroy 67%
Spyware Stormer 67%
Spyware COP 66%
Aluria Spyware Eliminator 65%
Intermute SpySubtract Pro 65%
NoAdware 65%
XsoftSpy 65%
McAfee AntiSpyware 64%
OmniQuad AntiSpy 64%
SpyHunter 64%
SpyKiller 2005 64%
Xblock X-Cleaner Deluxe 64%

Finally, the computer press often recommends that the two anti-adware products that should be used together are Ad-Aware SE Personal and Spybot Search & Destroy. That preference may have become the conventional wisdom because both of these products have low-end, freeware versions. PC World, PC Magazine, and other publications have recommended this combination as recently as June and August, respectively.

Ad-aware and Spybot may have been a great combo back then. But adware apparently moves much faster than these two companies do. According to Howes's data, the two programs together barely removed half the adware components on an infected PC:

Ad-Aware SE Personal plus... Total Adware Fixed
Spybot Search & Destroy 54%

Here is the full e-mail article: http://windowssecrets.com/pastissues/

Here is the web page on the research details: http://spywarewarrior.com/asw-test-guide.htm


I think this is the scariest part: ...documented almost $140 million in recent investments by Silicon Valley venture capitalists in just four of the largest adware makers.

The problem is only going to get worse... :evil:


Cheers,
mangyDOG

 

[Fushigi]

Here is the full e-mail article: http://windowssecrets.com/pastissues/

Here's the direct link to the article: http://windowssecrets.com/050127/#story1

Yeah, I read Windows Secrets as well (so far I've been cheap & haven't paid but if Brian & gang do more articles like this I'll pony up some $). This was probably the best wake-up call article they've written in a long time. In fact, I forwarded it to my manager & our global IT security team for review as we're pretty standardized on AdAware & Spybot S&D.

I'd encourage everyone to give the article a read, especially those who have to remove spyware from client machines.

You know, Linux or a Macmini looks better every day...

 

[Tea]

And what percentage of these scumware products reqire either:

* Internet Explorer
* File sharing software

to give you a reasonable chance of getting infected in te first place? That's the real question.

 

[Bozo]

Tea: you should also add Instant Messaging from Yahoo and AOL.

Bozo :mrgrn:

 

[Tea]

Ahh, I should be more aware of those. I haven't used IM software since a brief ICQ craze, oh, maybe 5 years ago, and the only time I ever think about it now is when I see the Microsoft IM (whatever it's called, can't remember) splash screen on startup on many of the machines I work on. It's the first thing to go, of course, and I'm afraid that I never give it a thought from that moment on.

Obviously, I should. Are the AOL and Yahoo ones particularly bad? Worse than the other ones?

By the way, we have a short "shoot on sight" list - software that we delete from people's machines without asking, simply as routine good hygiene. Not always in the case of an unrelated job, but always if it's in for anything spyware, virus, or generally software crap related (which is most of the machines we see, these days).

The main two items on the instant delete list are Norton Anti-virus (or any Norton-badged product on Mondays, Fridays, and any other day I'm feeling grumpy), and any form of virus-sharing ... er ... sorry ... file sharing software: Limewire, Kaza, whatever. If it does file sharing, I delete it. We all do: that's official policy as decreed by the Tsar Tannin.

And it's notable that this has caused not the slightest grumbling on the part of the staff, by the way, we all think it's a good idea. We are just waiting for the idea to catch on a bit stronger so that we can extend it to other things as well. For example, we could delete any and all Kodak software, ditto McAffee products, ditto the few remaining Zip drives that actually still function (er .. so far as a Zip drive, or indeed any Iomega product, could be said to "function"), ditto ztupid doors on cases, ditto that bloody 11-year-old of Mrs Jackson's ....

I could delete lots of things!

 

[Buck]

Add to the top of your scumware list: Incredimail. It is free and, not surprisingly, certified as a Microsoft Partner. This stuff is crap! It sucks in spyware like a vacuum cleaner pulls in air.


The last sensible customer I had took pretty good care of her system. But I refer to her as sensible because when she found out that Incredimail was infecting her system with spyware, she dropped that piece of software like a 400-pound ballerina with two buckled knees. Yes, there are reasonable and sane computer users in the world.

Oh, and about instant messaging, MSN IM is linked directly to Outlook Express, IE and Hotmail. That should ring all the necessary alarms.

 

[Groltz]

In recent months I've been asked several times to rid my co-workers' laptops of sh*tware.

Some of these poor machines have been absolutely riddled with it.

On the worst machines I ran Adaware, Spy Sweeper, and Giant in succession followed by a double-check of auto-running components by using Sysinternals Autoruns. I've not heard of any instances where benign items were deleted although I was checking the "items found" lists before proceeding with the deletions.

100% kill rate for that technique.

 

[mubs]

After being free tech support to all my contacts for years, I'm slowly weaning them off. I'm sick of doing it. Most of the last 2 years and earlier this year, this issue sucked up so much of my time. I'm burned out by this crap. Sorry, but now most of them are on their own now. These days I have a one sentence fix for them - disconnect from the Internet!

 

[ddrueding]

I still do a fair amount of "free" fixes for clients that have purchased systems from me, but some of the more PITA clients now get this answer over the phone: "Back up your data, and re-image the system using that DVD I gave you. Did that fix it? Goodbye." After I install a machine, I spend at least an hour getting all their favorite programs and old data up and running. Then I burn a custom Ghost CD (whose licence is part of their purchase price) that will restore the system to there. This DVD is labelled "as delivered" and is the only way I can maintain the systems.

One client in partuclar wanted to fight after I refused to service his system. He refused to switch to firefox and had installed Incredimail (even paid for it!) against my reccomendations. My line was: "You've already dropped your drawers and bent over, what do you expect me to do about it?"

 

[Bozo]

I worked on a computer that had Yahoo IM installed. When you booted it up (it took all of 5 minutes to fully load) there was this small (4"x 6") area on the 17" monitor that was available to use. The rest of the monitor was covered in menu bars, adds, and links to all sorts of junk. It seems that Yahoo just keeps downloading and installing crap evertime you log on. The owner found out what a format does.

Yesterdays mess was a box with Yahoo, Kazaas and AOL on it, among other things. AdAware found over 1300 items of spyware on it. Norton Anti-virus found 46 viruses. This owner also found out what format does after some personal files were save. The scary part is this owner was doing some banking online :eekers:

Bozo :mrgrn:

 

[mangyDOG]

I am also using Ghost images for client machines, which is savng a lot of time in removing scumware. I came across these a few days ago (@ Toms Hardware) http://www.radixprotector.com/index.htm has anyone had any experience with these or similar? If they work as well as advertised they could be the ultimate anti-scumware / virus removal tool.

Cheers,
mangyDOG

 

[jtr1962]

I think this is the scariest part: ...documented almost $140 million in recent investments by Silicon Valley venture capitalists in just four of the largest adware makers.

The problem is only going to get worse... :evil:

Why on Earth would venture capitalists invest in screwing up people's computers? Adware makes machines unstable and slow to the point that they're unusable. What good is trying to sell stuff via adware if the adware renders the PC useless?

I cleaned junkware from my sister's computer 3 times and warned them about staying away from commercial sites. They apparently don't listen because the adware is back again, although I suspect the problem is mostly that her 11-year old daughter can't tell the difference between good and bad sites. Nothing screws up a computer faster than letting a kid use it.

Even if it may not be 100% effective we need legislation against both adware and spam. A few high profile prosecutions where people are fined heavily and/or sent to jail for a long time would go a long way towards fixing the problem. Both junkware and spam are rapidly destroying the utility of both the Interent and of computers. Or alternately, everyone will need one computer just for websurfing and have their machine(s) with important stuff offline.

 

[Tannin]

Even if it may not be 100% effective we need legislation against both adware and spam. A few high profile prosecutions where people are fined heavily and/or sent to jail for a long time would go a long way towards fixing the problem.

Sure, pass legislation if it makes you feel better. It won't do anything much to deal with the problem, of course, but all the legislors can have a nice self-congratularory inner glow. And maybe a few scumbags will get what they deserve, which will give me a nice warm inner glow.

The actual cure - the only actual cure - is to exercise your god-given consumer's right of saying "no". Face facts, it is only Windows that has these problems, and erasing this pox-ridden excuse for an operating system from your system will stop your spyware problems stone dead.

Hell, you can achieve most of the cure simply by avoiding Internet Explorer in all its variants, Kazaa and its clones, and crappy IM programs (i.e., all of them).

 

[Mercutio]

At this point my standard disk images (am I the only person with a Sysprep for every occasion?) have all traces of IE, Outlook, OE, and any messenger software removed or at least as hidden as I can make them. PCs are prepped with Firefox as the default browser, Thunderbird as the default mail client (and profiles already in place for comcast and verizon mail services). I install Adblock. I install Mike's Ad Blocking Hosts File. Everyone gets the "use firefox or you've voided any semblance of a warranty I may provide you" lecture.

Unless the person I am addressing has a lower-than-room-temperature IQ, or they are a trainer for the company I work for (but I repeat myself...), I can probably convince them to switch to Firefox in under 3 minutes.

But I will whitelist Kazaa Lite Resurrection or eMule for those who must do P2P. Those apps are clean, in and of themselves, and KLR at least, filters the most egregious crap (.vbs and .PIF files and the like). Lots of my customers are college kids, after all. They all use IM stuff, too, but I'll be damned if I help them with THAT.

At this point, the soiled merkins (is that shakespearean enough for you, Buck?) who make scumware can infect a PC through Windows Media Player by crafting a certificate for a DRM-laden .WMV file that stealth-installs parasites along with the authentication to view the file. Even worse, I've already seen this particular exploit for myself.

It's just another level of escalation, of course, but for me that is as mind blowing for me in 2005 as finding out that a Word document could erase your hard disk in 1995.

 

[Tea]

this pox-ridden excuse for an operating system ...

Unless the person I am addressing has a lower-than-room-temperature IQ, or they are a trainer for the company I work for (but I repeat myself...

My word, the old stagers have become positively eloquent in their vitriol today. Methinks that this topic has tapped a vital vein of ... um ... something that one of the eloquent ones could describe better than I can.

PS: It may interest you to know, Mercutio, that I have an all-over merkin, except it's a real one, so to speak.

PPS: Incredimail, eh? I should have thought of that. After all, there are two strikes against it: (a) it looks just too happy-feely-smiley face to be entirely honest (remember Bonzo Buddy?), (b) quite a few of my customers really, really like it - you know the type I mean: exactly the type that you jusk know will have 17 new cutsie-pie addons to their desktop everytime you see the machine, and approximately 217 new spyware infections since last Tuesday.

 

[Bozo]

Passing laws is a waste of time. Remember, this is the World Wide Web.

Bozo :mrgrn:

 

[Groltz]

Merc,

Do you have any heavy-duty filter lists for importation into the Firefox Adblock extension?

 

[Mercutio]

I'm pretty much catch-as-catch-can on Adblock filters, actually. Using a hosts file and also only allowing images from originating servers seems to get most things I consider annoying.

 

[Groltz]

Firefox moving into the crosshairs of scumware writers:

http://internet.newsforge.com/print.pl?sid=05/01/31/2121249

 

[Tannin]

A very interesting link, Groltz. Thankyou for posting it.

It raises several matters to ponder.

How vulnerable is Firefox to scumware? Typical media-nerds, they soft-pedal the raw and uncomfortable fact that the vast bulk of the problem isn't market share and it isn't even moronic users (though both these are significant, of course), it's the brain-dead design of Internet Explorer. Internet Explorer and only Internet Explorer has security holes so bad that even I could knock up a respectable spyware application for it without much study. And it has so many of them that there is zero possibility that they will ever be fixed. Microsoft's current attempts to deal with the problem are utterly laughable. The problem is in the design philosophy of the browser, and they won't ever fix that because they are too pig-headed to ever admit that they were wrong - wrong big-time. Unless and until Microsoft admit that they need to replace their browser, not repair it (because it is broken way beyond repair) and consign IE to its only proper role as a dedicated tool to access Windows Update with - the problem will not go away.

The writers ask how much market share is enough to make spyware an attractive prposition for the scum-merchants. Indeed, they spend quite a while pondering that point. But - unless my judgement is a mile out - raw market share is a very poor indication of the usefullness of writing spyware for a platform. What you need, as a spyware vendor, isn't just lots of users, you need lots of stupid users. Let's face it, the average Internet explorer user is a full 15 IQ points behind the average Mozlla user.

Targetting Firefox and Mozilla users is a waste of time.

(As for Opera, Opera is a dead product. Since they f*cked the user interface up big-time in Opera 7.x, they have turned themselves into a product without a purpose or a future. So we can ignore Opera.)

 

[Mercutio]

I've seen malware .XPIs. Firefox prompts and asks if you want to install "eviladware666.xpi" from "XXXcocainewarezandstrippers.com". Puts a big window at the top of your screen, that you have to click on to even click on to find out the site wants to install something.

The moron who has Firefox installed because they can't be trusted with IE won't even know an attempt was made. THe slightly smarter moron will click the "Install Now" button, but won't figure out how to whitelist "xxxcocainewarezandstrippers.com" to get the XPI installed, and I'd guess anyone smart enough to figure out those two things is probably smart enough to understand that they didn't ask to have software installed and that software from "xxxcocainewarezandstrippers.com" is probably not a good thing.

In short I don't think the vulnerability is as great as the IE auto-installing with zero prompting at System level priveleges problem.

 

[time]

Since they f*cked the user interface up big-time in Opera 7.x, they have turned themselves into a product without a purpose or a future.

I agree with you about 7-7.5, but I'm really happy with 7.60/8. I'd exhort you to try it, but that would be like prising a barnacle off with my tongue.

 

[Mercutio]

I've seen malware .XPIs. Firefox prompts and asks if you want to install "eviladware666.xpi" from "XXXcocainewarezandstrippers.com". Puts a big window at the top of your screen, that you have to click on to even click on to find out the site wants to install something.

The moron who has Firefox installed because they can't be trusted with IE won't even know an attempt was made. THe slightly smarter moron will click the "Install Now" button, but won't figure out how to whitelist "xxxcocainewarezandstrippers.com" to get the XPI installed, and I'd guess anyone smart enough to figure out those two things is probably smart enough to understand that they didn't ask to have software installed and that software from "xxxcocainewarezandstrippers.com" is probably not a good thing.

In short I don't think the vulnerability is as great as the IE auto-installing with zero prompting at System level priveleges problem.