Do you need some Spyware/Malware help?

By TheMessenger
Because of the frantic threads created around the latest Spyware/Malware discussion, and the number of emails that I got requesting help in listing ways to block malware from installing, I decided to start this thread. Use it to list information about ways you have found to stop known spyware/malware from installing or to list resources in removing unwanted software. This thread is not a sounding board for Anti-MS "rah-rah". Those are opinions and the facts are that we all are getting paid to support MS software. Let's discuss how to make our jobs easier dealing with it, not "it would be a better world if..." conversations.
With that said, here is some information that I can share.....

Background: 3500+ workstations. 18 different hardware models. 90 remote locations on 256K or slower WAN links. All PC's are XP SP1. Rolling out SP2 currently.
I have engineered a controlled environment where most (95%+) users do not have admin rights. I am using a single image between all hardware platforms, meaning that I have been able to keep a consistent OS load on all computers which makes management and updates simple. I use a software delivery system (SMS) to deliver patches and software. I use Active Directory Group Policy and file permissions to limit a PC's local administrator from being able to have full control of a computer. (Local policy can be used but once configured it applies to every user who logs in). With the above environment, we have had only 3 spyware infections in 12 months.

How it works:
I block spyware and malware from being able to install. The first thing that you need to do this is a list of files, folders, and registry keys that are used by spyware/malware exclusively.
How I created this list was pretty simple and sort of fun (in a twisted way I suppose). I ran a PC in an isolated environment that had internet access. This can be a VLAN, Virtual PC, or just dial-up (UGH!), but I would recommend keeping it off your production network. I then looked for web reviews of spyware blockers and websites that had lists of the most prevalent and dangerous spyware and malware. The fun was then trying to get the spyware installed (It is amazing how detailed the EULAs are getting now). Once I got the computer infected enough that it stopped working, I then booted to safe mode and started reverse-engineering the installs.
I then copied the exact folder structure and files to a "source" folder along with exporting registry keys that I identified. Move that off the computer to another location so that you can review it. Parsing through that information may take about an hour, but you should be able to identify the highest level regkeys, folders, or files that, if blocked, will prevent the spyware from working.
It may take a few times at doing this process to successfully get a list of all software.
With that information, the following is the simplest way to stop infections without policy or scanning software:
In FAT32, create a text file named the same as the spyware's/malware's folder name. Remove the extension and mark the file as read only. When the spyware tries to create a folder, it will error out. While this will work also in NTFS, I recommend using the ability of assigning permissions to folders and registry keys to more effectively block spyware/malware.
Here is some information about my policy outputs and the folders I am blocking. This can be done many ways and this is only one, but I think it is effective and has less impact on the workstation resources versus running a local scanning client.


Group Policy Management
StandardComputer Software Restrictions
Data collected on: 3/17/2005 9:57:56 AM

Computer Configuration (Enabled)
Windows Settings
Security Settings
Software Restriction Policies/Security Levels
Policy Setting

Software Restriction Policies/Additional Rules
Hash Rules
(1.0.3.2)
File hash 8C6333BCA9D358CEC6AEA85B61762565:137728:32771
Security level Disallowed
Description MALWARE - IBIS Toolbar
Date last modified 11/15/2004 3:47:08 PM

(1.0.7.14)
File hash 11B112EB1B0F089E3095047A886A979F:498688:32771
Security level Disallowed
Description MALWARE - IBIS Toolbar
Date last modified 11/15/2004 3:46:58 PM

(1.0.7.14)
File hash 11B112EB1B0F089E3095047A886A979F:498688:32771
Security level Disallowed
Description MALWARE - IBIS Toolbar
Date last modified 11/15/2004 3:46:48 PM

(2.1.0.0)
File hash 475D7D91787FC5F24D0025561DEC9FED:827376:32771
Security level Disallowed
Description MALWARE - GAIN DashBar Installer
Date last modified 11/15/2004 3:34:42 PM

(2.1.1.1193)
File hash EF42E89287AB1038ABC75372C07E7C27:558592:32771
Security level Disallowed
Description MALWARE - IBIS Toolbar
Date last modified 11/15/2004 3:46:25 PM

(2.1.1.1193)
File hash EF42E89287AB1038ABC75372C07E7C27:558592:32771
Security level Disallowed
Description MALWARE - IBIS Toolbar
Date last modified 11/15/2004 3:46:17 PM

(2.1.1.6)
File hash 10631BF83BCE57B9283F3B7B8E121863:193536:32771
Security level Disallowed
Description MALWARE - IBIS Toolbar
Date last modified 11/15/2004 3:46:38 PM

(3.0.1.0)
File hash C811D231D68D33124FDE081E7D13B7E2:688104:32771
Security level Disallowed
Description MALWARE - GAIN PrecisionTime Installer
Date last modified 11/15/2004 3:36:33 PM

Download.exe; 49 KB; 11/15/2004 1:41:19 PM
File hash D38DC616CB1E01880EBF1AC9C80F7851:49152:32771
Security level Disallowed
Description MALWARE - DealHelper
Date last modified 11/15/2004 3:47:47 PM

Fun Web Products History Swatter; History Swatter; FunWebProducts.com; f3schmon.exe (1.0.0.47)
File hash C0EE620D0B59ACA4B0EECD9D2EABAFD9:65536:32771
Security level Disallowed
Description MALWARE - iWON Software
Date last modified 11/15/2004 3:45:05 PM

ide21201.vxd; 5 KB; 11/15/2004 1:40:01 PM
File hash EEBCE32039CDD922F541F346B9018ED6:4720:32771
Security level Disallowed
Description MALWARE - WinAD virtual device driver
Date last modified 11/18/2004 1:23:47 PM

IExploreSkins.exe; 7 KB; 3/19/2004 4:21:54 AM
File hash C3C549AC942AAABFE9D7DBBC29EF08EE:6656:32771
Security level Disallowed
Description MALWARE - IBIS Toolbar
Date last modified 11/15/2004 3:46:05 PM

loader2 ActiveX Control Module; loader2 ActiveX Control Module; loader2.OCX (1.0.0.20)
File hash 0D5D3A178411C9D23CC4D33C7575AE39:62672:32771
Security level Disallowed
Description MALWARE - browser hijacker
Date last modified 11/15/2004 3:56:33 PM

MediaMotor25.exe; 9 KB; 11/15/2004 1:41:30 PM
File hash 42CC5AD668F2F61B83047EE6647E38F9:8544:32771
Security level Disallowed
Description MALWARE - MediaMotor Software
Date last modified 11/15/2004 3:43:20 PM

Popular Screensavers; Popular Screensavers; FunWebProducts.com; f3PSSavr.scr (1.0.2.0)
File hash 7F9361A12B2DFEBEC6C22B52446E3CF8:28672:32771
Security level Disallowed
Description MALWARE - iWON Software
Date last modified 11/15/2004 3:43:45 PM

Search Assistant; Search Assistant; 180solutions, Inc.; (5.12.13.0)
File hash 97D1792F15D0A1F1701002885CFBD981:282624:32771
Security level Disallowed
Description MALWARE - 180solutions, Inc. - Search Assistant
Date last modified 11/15/2004 3:33:25 PM

WinAdTools.exe; 25 KB; 11/15/2004 1:40:01 PM
File hash 4A6186BF553C4C209AC09E6403739D0F:25088:32771
Security level Disallowed
Description MALWARE - WindUpdates Software
Date last modified 11/15/2004 3:42:40 PM

WinRatchet.exe; 18 KB; 11/15/2004 1:40:00 PM
File hash A2825D02AB1A37E0289CD1B2245D377B:18035:32771
Security level Disallowed
Description MALWARE - WindUpdates Software
Date last modified 11/15/2004 3:42:55 PM


Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level Unrestricted
Description
Date last modified 11/15/2004 3:27:43 PM

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
Security Level Unrestricted
Description
Date last modified 11/15/2004 3:27:43 PM

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
Security Level Unrestricted
Description
Date last modified 11/15/2004 3:27:43 PM

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level Unrestricted
Description
Date last modified 11/15/2004 3:27:43 PM

C:\Program Files\Comet
Security Level Disallowed
Description Comet Systems Software
Date last modified 11/15/2004 3:32:29 PM

C:\Program Files\Common Files\CMEII
Security Level Disallowed
Description MALWARE - GAIN, Claria Networks Software
Date last modified 11/15/2004 3:39:06 PM

C:\Program Files\Common Files\GMT
Security Level Disallowed
Description MALWARE - GAIN Gator
Date last modified 11/15/2004 3:38:53 PM

C:\Program Files\Common Files\WinTools
Security Level Disallowed
Description MALWARE - IBIS Toolbar
Date last modified 11/18/2004 1:14:02 PM

C:\Program Files\DashBar
Security Level Disallowed
Description MALWARE - GAIN DashBar Software
Date last modified 11/15/2004 3:40:42 PM

C:\Program Files\E2G
Security Level Disallowed
Description DATA MINER - e2Give
Date last modified 11/18/2004 1:16:37 PM

C:\Program Files\FunWebProducts
Security Level Disallowed
Description MALWARE - iWON Software
Date last modified 11/15/2004 3:39:56 PM

C:\Program Files\Gator.com
Security Level Disallowed
Description MALWARE - GAIN, GATOR
Date last modified 11/15/2004 4:01:57 PM

C:\Program Files\MyWebSearch
Security Level Disallowed
Description MALWARE - MyWebSearch
Date last modified 11/15/2004 3:38:30 PM

C:\Program Files\PrecisionTime
Security Level Disallowed
Description MALWARE - GAIN PrecisionTime Software
Date last modified 11/15/2004 3:40:54 PM

C:\Program Files\Toolbar
Security Level Disallowed
Description MALWARE - IBIS Toolbar
Date last modified 11/18/2004 1:18:16 PM

C:\Program Files\Windows AdTools
Security Level Disallowed
Description MALWARE - WindUpdates Software
Date last modified 11/15/2004 3:42:01 PM


User Configuration (Enabled)
No settings defined.
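To show how the two kinds of rule in the policy above actually decide on a file, here is an added example (not code from the thread or from the original poster) that parses a GPMC-style rule listing, computes the identifier a hash rule matches on, applies hash-before-path precedence with the most specific path rule winning, and also demonstrates the read-only placeholder-file trick from the post. The third field of a hash rule is the CryptoAPI algorithm id (32771 = 0x8003 = CALG_MD5); the values substituted for the %HKEY_LOCAL_MACHINE\...% variables, the reading that a path wildcard does not cross a folder separator, the "constructed" file contents, and the `Rule` type are assumptions of this example.

```python
# Added example: evaluate SRP hash and path rules like the ones in the policy above,
# and demonstrate the read-only placeholder file that stops an installer creating its folder.
import hashlib
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Third field of an SRP hash rule: CryptoAPI algorithm id, 32771 = 0x8003 = CALG_MD5.
CALG_MD5 = 32771

# SRP reads these %REGKEY% variables from the registry; the values here are assumed.
REGISTRY_VALUES = {
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%": r"C:\WINDOWS",
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%": r"C:\Program Files",
}

# Constructed sample in the GPMC report layout; the entries are copied from the policy above.
SAMPLE_REPORT = r"""Hash Rules
File hash 8C6333BCA9D358CEC6AEA85B61762565:137728:32771
Security level Disallowed
Description MALWARE - IBIS Toolbar

Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
Security Level Unrestricted
Description

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level Unrestricted
Description

C:\Program Files\Gator.com
Security Level Disallowed
Description MALWARE - GAIN, GATOR
"""


@dataclass
class Rule:
    key: str          # hash rule: "MD5HEX:size:alg" as GPMC prints it; path rule: the path
    level: str
    description: str


def srp_hash_id(data: bytes) -> str:
    """Identifier a hash rule is matched against: MD5 of the file, its size, algorithm id."""
    return f"{hashlib.md5(data).hexdigest().upper()}:{len(data)}:{CALG_MD5}"


def parse_report(text: str):
    """Split the listing into blank-line separated entries; 'File hash' entries are hash rules."""
    hash_rules, path_rules = [], []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()
                 if ln.strip() and ln.strip() not in ("Hash Rules", "Path Rules")]
        if not lines:
            continue
        level = desc = ""
        for ln in lines[1:]:
            m = re.match(r"(?i)(security level|description)\s*(.*)", ln)
            if m and m.group(1).lower() == "security level":
                level = m.group(2)
            elif m:
                desc = m.group(2)
        if lines[0].lower().startswith("file hash "):
            hash_rules.append(Rule(lines[0][10:].upper(), level, desc))
        else:
            path_rules.append(Rule(lines[0], level, desc))
    return hash_rules, path_rules


def expand(rule_path: str) -> str:
    for var, value in REGISTRY_VALUES.items():
        rule_path = rule_path.replace(var, value)
    return rule_path


def path_matches(rule_path: str, file_path: str) -> bool:
    pattern, target = expand(rule_path).lower(), file_path.lower()
    if "*" in pattern or "?" in pattern:
        # Assumed here: a wildcard does not cross a folder separator, which is why the
        # policy above carries a separate System32\*.exe rule next to SystemRoot\*.exe.
        regex = re.escape(pattern).replace(r"\*", r"[^\\]*").replace(r"\?", r"[^\\]")
        return re.fullmatch(regex, target) is not None
    return target == pattern or target.startswith(pattern.rstrip("\\") + "\\")


def evaluate(file_path: str, data: bytes, hash_rules, path_rules, default="Unrestricted") -> str:
    """Hash rules take precedence over path rules; among path rules the most specific wins."""
    ident = srp_hash_id(data)
    for rule in hash_rules:
        if rule.key == ident:
            return rule.level
    matches = [r for r in path_rules if path_matches(r.path if hasattr(r, "path") else r.key, file_path)]
    if not matches:
        return default          # the policy above leaves the default security level at Unrestricted
    return max(matches, key=lambda r: len(expand(r.key))).level


def placeholder_blocks_mkdir(folder_name: str = "Gator.com") -> bool:
    """The FAT32 trick from the post: an extensionless read-only *file* carrying the spyware's
    folder name makes the installer's attempt to create that folder fail."""
    with tempfile.TemporaryDirectory() as parent:
        placeholder = os.path.join(parent, folder_name)
        open(placeholder, "w").close()
        os.chmod(placeholder, stat.S_IREAD)          # read-only attribute on Windows
        try:
            os.mkdir(placeholder)                    # what the installer would try
            blocked = False
        except FileExistsError:
            blocked = True
        os.chmod(placeholder, stat.S_IREAD | stat.S_IWRITE)   # let the temp dir be removed
    return blocked


if __name__ == "__main__":
    hashes, paths = parse_report(SAMPLE_REPORT)
    for p in (r"C:\Program Files\Gator.com\gator.exe", r"C:\WINDOWS\System32\notepad.exe"):
        print(p, "->", evaluate(p, b"constructed file contents", hashes, paths))
    print("placeholder blocks folder creation:", placeholder_blocks_mkdir())
```

The ordering matters in practice: a hash rule pins one exact build of a toolbar (a rebuilt installer gets a new hash and slips past), while a path rule on the install folder survives new versions but is only as strong as the NTFS permissions that stop a user from creating that folder somewhere else.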

23 total posts (Page 1 of 3)

Re: Do you need some Spyware/Malware help?

by Info-Safety, LLC In reply to Do you need some Spyware/ ...

Very interesting approach. This looks similar to what Javacool Software LLC did with Spywareblaster. Obviously, your approach scales much better to a large enterprise like yours. Just out of curiosity, about how much time did/do you take to develop and maintain this info?

BTW, Spysweeper now contains 73,925 spyware fingerprints.

Keep up the good work!

Craig Herberg

Time

by TheMessenger In reply to Re: Do you need some Spyw ...

I think it took more time to type up the above thread ... Just kidding.
I would say it took about a day total. A few hours getting infected and backing the data up. About an hour documenting my findings. About an hour putting them into policy.
I have only had to go through this process once after that and only picked up a few small changes.

This process will not get every spyware or malware application, only the worst. This would not be effective for me if the users did not also have restrictions in place for creating new folders in the root of C:, C:\windows, or C:\program files. They also do not have the ability to create registry keys at the root of HKLM\Classes or HKLM\Software.

Spyware

by Info-Safety, LLC In reply to Time

"This process will not get every spyware or malware application, only the worst. This would not be effective for me if the users did not also have restrictions in place for creating new folders in the root of C:, C:\windows, or C:\program files. They also do not have the ability to create registry keys at the root of HKLM\Classes or HKLM\Software."

Thanks. I think the above is the key. Also, if you can use a script to regularly clean out their temp folders, it will keep them from getting "constipated."

Craig Herberg

Thanks

by black_eyed_pea In reply to Do you need some Spyware/ ...

Thank you. I hope you plan to update your post as needed with new keys and folders to block.

Updates

by TheMessenger In reply to Thanks

I hope that everyone else updates this post. Although I started it, each tech only sees a small amount of the complete aspect of spyware. Together we should be able to create a pretty good listing of information.

Article

by BFilmFan In reply to Do you need some Spyware/ ...

That should be reposted as an article. Really good information and technique. I, sir, am jealous! :)

Better than my approach

by Roger99a In reply to Do you need some Spyware/ ...

When I find a spyware infected machine I run a check on the proxy logs to see what sites their machines have been calling to and block them. It probably doesn't stop as much spyware as your method, but it stops quite a bit and prevents it from updating or communicating with their evil masters. All that you did, that's pretty clever.
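The proxy-log check described in this reply, as an added example that is not part of the post: given the address of a machine known to be infected, it parses squid-native-format access log lines, lists the hosts that machine called, ranks the ones no other client in the fleet contacts at the top (those are the likeliest update and reporting servers), and renders the result as a squid `dstdomain` list. The log lines, client addresses, host names (`.invalid` and `.example`) and the allowlist are constructed for the example.

```python
# Added example: rank the hosts an infected client talked to, from proxy access logs,
# and render a squid dstdomain blocklist. All log content below is constructed.
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Squid native format: time elapsed client code/status bytes method URL rfc931 peer type
SAMPLE_LOG = """\
1110000001.001    120 10.0.5.17 TCP_MISS/200 2048 GET http://intranet.corp.example/home - DIRECT/10.0.0.2 text/html
1110000002.002     30 10.0.5.17 TCP_MISS/200 512 GET http://ads.gainbar.invalid/update?v=2 - DIRECT/203.0.113.9 text/plain
1110000003.003     25 10.0.5.17 TCP_MISS/200 511 GET http://ads.gainbar.invalid/update?v=2 - DIRECT/203.0.113.9 text/plain
1110000004.004     40 10.0.5.17 TCP_MISS/200 700 POST http://stats.toolbar.invalid/report - DIRECT/203.0.113.10 text/plain
1110000005.005     30 10.0.5.17 TCP_MISS/200 9000 GET http://www.news.example/ - DIRECT/198.51.100.5 text/html
1110000006.006     30 10.0.5.17 TCP_MISS/200 512 GET http://ads.gainbar.invalid/update?v=2 - DIRECT/203.0.113.9 text/plain
1110000007.007     20 10.0.8.3 TCP_MISS/200 9000 GET http://www.news.example/ - DIRECT/198.51.100.5 text/html
1110000008.008     20 10.0.8.3 TCP_MISS/200 2048 GET http://intranet.corp.example/home - DIRECT/10.0.0.2 text/html
1110000009.009     50 10.0.9.9 TCP_MISS/200 1000 CONNECT mail.corp.example:443 - DIRECT/10.0.0.3 -
"""

# Assumed corporate hosts that must never end up on a blocklist.
ALLOWLIST = {"intranet.corp.example", "mail.corp.example"}


def host_of(url: str) -> str:
    """Host part of a proxied URL; CONNECT requests log only host:port."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def parse_access_log(text: str):
    """Yield (client, host) pairs, skipping lines too short to carry a URL."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        yield fields[2], host_of(fields[6])


def candidate_block_hosts(log_text: str, infected_client: str, allowlist=ALLOWLIST):
    """Hosts the infected client contacted, as (host, hits, other_clients_seen), ranked so
    hosts nobody else in the fleet touches come first, then by request count."""
    hits = Counter()
    clients_per_host = defaultdict(set)
    for client, host in parse_access_log(log_text):
        if not host or host in allowlist:
            continue
        clients_per_host[host].add(client)
        if client == infected_client:
            hits[host] += 1
    ranked = [(h, n, len(clients_per_host[h] - {infected_client})) for h, n in hits.items()]
    return sorted(ranked, key=lambda t: (t[2], -t[1], t[0]))


def render_squid_blocklist(hosts) -> str:
    """Lines for a file referenced by 'acl blocked dstdomain "/path"'; the leading dot
    makes squid match the domain and its subdomains."""
    return "\n".join(f".{h}" for h in hosts) + "\n"


if __name__ == "__main__":
    ranked = candidate_block_hosts(SAMPLE_LOG, "10.0.5.17")
    for host, hits, others in ranked:
        print(f"{host:30} {hits:3} requests, seen from {others} other client(s)")
    print(render_squid_blocklist(h for h, _, others in ranked if others == 0), end="")
```

A host the whole fleet visits (the news site above) shows up in the infected machine's history too, which is why the ranking uses fleet prevalence rather than request count alone; the entries with zero other clients are the ones worth reviewing before they go into the proxy.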

Neato!

by CuteElf In reply to Better than my approach

Now, since you started a ball rolling on spyware, regkeys etc.
Is there a way to get a db from a utility and just upload that to your settings?

Could someone, say, dl AdAware, crack it, take the needed info out and use it?
Or is that as much of effort as you have done?

I thought you would have used DeepFreeze on the user's pc's, but, users like to save things. People really get territorial bout their stuff!

Regkeys, etc

by Info-Safety, LLC In reply to Neato!

Javacool Software LLC has Spywareblaster, which accomplishes what you want legally. This is freeware.

Craig Herberg

Import settings

by Roger99a In reply to Neato!

Seems to me you can import settings from IE into the Active Directory as part of a Group Policy. That would allow you to use Spybot's immunization settings throughout the enterprise.
