Most ingenious spyware ever seen

SkyHog

The other post made me think of this, and a story I wanted to share about the most irritatingly ingenious way of screwing me up I've ever seen.

The scenario:

I would go to webpages that would work fine. Suddenly, pages like google would go to "http://www.pron.com" or whatever. I figured spyware. Completely cleaned out the spyware. Still happened, but increasingly, it happened more and more. Maybe a virus? Nope, completely clean. What could it be?

The answer:

ARGH...this still upsets me to even tell the story. After like 4 months of just dealing with it, I was about to reinstall Windows. I was writing a program for my boss that would connect automatically using PC-Anywhere (because he was a fan, not I). In doing so, I wanted to make it connect to IP address x.x.x.x by simply connecting to "BOB." I had it write to the file c:\winnt\system32\drivers\etc\hosts.

After writing to the file, I opened it to see if the entry worked correctly. "What the heck??" I thought to myself. There were about 1,000,000 entries in the file, each one redirecting common websites like Google to porn. I cleared out the file, and guess what? Problem solved.

I'm red hot right now. This was like 4 years ago.
 
NickDBrennan said:
I had it write to the file c:\winnt\system32\drivers\etc\hosts.
After writing to the file, I opened it to see if the entry worked correctly. "What the heck??" I thought to myself. There were about 1,000,000 entries

I did a search under "system 32".
I got three results:

one with about 50 ".dll" files
one with about 1000 ".dll" and ".exe" files and another
one with two files; "SMSS.exe" and "NTDLL.DLL"

Can I discard all of them?
 
Let'sgoflying! said:
I did a search under "system 32".
I got three results:

one with about 50 ".dll" files
one with about 1000 ".dll" and ".exe" files and another
one with two files; "SMSS.exe" and "NTDLL.DLL"

Can I discard all of them?

Whoa!!!! No!!!

I don't suggest deleting anything out of that folder unless you know what you're deleting.
 
NickDBrennan said:
I don't suggest deleting anything out of that folder unless you know what you're deleting.

Just out of curiosity, is there a list of programs somewhere for what is on Windows? Something convenient like an xls sheet with program name, directory, file size, a brief description of what it does and preferably a short explanation of why it's there and its general behavior.

Windows has literally hundreds of files and some you can figure out, the bazillion others are just plain mysteries unless you want to spend way too much time messing with it and hunting google.
 
fgcason said:
Just out of curiosity, is there a list of programs somewhere for what is on Windows? Something convenient like an xls sheet with program name, directory, file size, a brief description of what it does and preferably a short explanation of why it's there and its general behavior.

Windows has literally hundreds of files and some you can figure out, the bazillion others are just plain mysteries unless you want to spend way too much time messing with it and hunting google.
I've never seen such a list but there are Tasklist directories to see what's running on your system. I use these two primarily (but would be interested in seeing if others have different links):

http://www.tasklist.org/

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

You can access the Task Manager to see what's running by hitting Ctrl-Alt-Del when you're logged in and selecting Task Manager. The processes tab is what you want to review and compare to the above lists.
 
Windows maintains its own list and can revert to a pre-existing state. Problem is that with the older Windows OSes you'll lose everything not Windows to restore. I use XP Home, which has a restore function that will restore your PC to a more recent state. Very handy program. I've used it several times to revert to a previous state after trying out various video and sound drivers. Any time you make a change you create a restore point, and if it doesn't work you just revert. XP is like $99 now...well worth it, I think.

Pete
 
Brian Austin said:
I've never seen such a list but there are Tasklist directories to see what's running on your system.

I use those regularly to keep an eye on my system. I know how many things are running in my taskmgr and what doesn't look right and generally know how to keep things in line.

Sometimes I just look in the system directories out of curiosity and see pages and pages of mystery dll/exe files and say WTF??? then leave before I hurt myself. I'm not exactly computer illiterate (pile of off-the-shelf components, wire, solder and machine code - BTDT), I'm just not interested in that stuff like I used to be, and 3 hours of searching for a wishy-washy answer for one tiny irrelevant thing is annoying.
Microsoft or preferably someone else should write a sensible book sometime like the old DOS systems used to have. An oversimplified example: Anyone remember a book called Beneath Apple DOS for the Apple II series computers? They literally took the files and programs and went through the entire system block by block. When you closed the last page of the book, you understood the system completely. Windows is more complex but the basic concept is a good one. I'd pay good money for a variation of that book for WinXP.

P.S. Here's a site I found a while back that I haven't done much with yet but it looks like it has great potential:

http://www.sysinternals.com/ntw2k/utilities.shtml
This looks interesting:
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
 
Let'sgoflying! said:
I did a search under "system 32".
I got three results:

one with about 50 ".dll" files
one with about 1000 ".dll" and ".exe" files and another
one with two files; "SMSS.exe" and "NTDLL.DLL"

Can I discard all of them?

That directory contains your entire operating system, well, the part that Microsoft "innovated" when they copied the BSD UNIX TCP/IP stack, so I would say you shouldn't delete stuff.

You could look at the hosts file to see what's in it. It should have all the lines beginning with #, meaning they're commented out.
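One way to run the hosts-file check described above, as an added example that is not code from the thread: parse the file, keep only the active (non-#) lines, and flag any well-known site that has been mapped to a non-loopback address. The sample hosts content and the watched-site list are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file, modelled on the hijack described in the thread
# (not a real capture): stock comments, the normal localhost lines, one legitimate
# custom alias, and two entries that silently redirect popular sites elsewhere.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.20    BOB          # alias like the poster's PC-Anywhere entry
203.0.113.77    www.google.com google.com
203.0.113.77    www.yahoo.com
"""

# Hostnames worth watching (constructed list); extend with the sites you care about.
WATCHED_HOSTS = {"www.google.com", "google.com", "www.yahoo.com", "www.microsoft.com"}

def parse_hosts(text):
    """Return [(address, [hostnames])] for every active (non-comment) line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # malformed line; not a redirect we can reason about
        entries.append((addr, parts[1:]))
    return entries

def audit_hosts(text, watched=WATCHED_HOSTS):
    """Return (active_entry_count, suspicious), where suspicious lists
    (hostname, address) pairs pointing a watched site at a non-loopback address."""
    entries = parse_hosts(text)
    suspicious = []
    for addr, names in entries:
        if addr.is_loopback:
            continue   # 127.x / ::1 entries are the normal localhost or ad-block pattern
        for name in names:
            if name.lower() in watched:
                suspicious.append((name.lower(), str(addr)))
    return len(entries), suspicious

if __name__ == "__main__":
    count, hits = audit_hosts(SAMPLE_HOSTS)
    print(f"{count} active entries, {len(hits)} suspicious redirects: {hits}")
```

On a real machine, read the text from c:\winnt\system32\drivers\etc\hosts (or the equivalent path for your Windows version) instead of the constructed sample.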
 
The most ingenious spyware written will be the one that can get past Apple OS X. Almost 20 years of computers at home and never once a virus, spyware, worm or trojan horse. :dance:
 
Let'sgoflying! said:
one with two files; "SMSS.exe" and "NTDLL.DLL"

Can I discard all of them?

Don't mess with SMSS.exe or you'll likely hurt yourself.
http://www.answersthatwork.com/Tasklist_pages/tasklist_s.htm
Search for "smss" -- yadda yadda.. "An integral part of the operating system, leave alone." Note that there is a version of it that you do not want on your system though.

dll files are something I don't really understand. I just don't have the patience to mess with systems anymore in general.

I use this to do initial searches for programs in my tasklist:
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
It's not a complete list but it's close enough to give you a good idea of what's going on in general. After you play with it a while you can tell at a glance if your tasklist has something new added. If something is odd at any point, you can research it further.
 
corjulo said:
The most ingenious spyware written will be the one that can get past Apple OS X. Almost 20 years of computers at home and never once a virus, spyware, worm or trojan horse. :dance:

The more pervasive the OS becomes in the market, the more you will see the baddies writing things for that OS. OS X isn't that large in the market, so you don't see things.. but I'm sure you can find a bugtraq for OS X and write your own stuff if you want to see it that badly. ;)
 
I have to clean employee computers about once a month of this crap.

Keep track of dll dates.
Watch your hosts files.
Run all the tools regularly.
Stay away from them shrimps sites. :rofl:

One machine was infected so bad I had to disconnect it from the network because as soon as I deleted one a trojan called home and reinstalled it.
 
What is a .dll file?

The main problem the average user has is finding, recognizing and knowing how to get rid of the bad stuff. I guess we rely on the AV software to do the housekeeping for us.
 
DLL = Dynamic Link Library. DLLs are binary executable files which are modular, so that main programs can load them at runtime to access shared functionality rather than having to build that functionality into the actual EXE file.

Without DLLs, most EXEs would be 20 times larger than they are now.
 