Beta Issues?

Guest

Is it because this thing is still in beta that Spyware Doctor and NoAdware
will detect close to a hundred instances, including a few files they list as
"severe threats", while MS AntiSpyware does a full scan and comes up with
nothing? I was very happy to hear Microsoft was developing this for their users,
but 80 (at least) to 0 (comparing not one but two other spyware programs) on
detection, even for a beta, is pretty bad, isn't it? So thanks, Microsoft, for
developing your own program for your customers to use in Windows, and it looks
very friendly and promising, but what gives?... these weren't all cookies.
 
Bill Sanderson

Frankly, I trust Microsoft Antispyware's detections more than I do Spyware
Doctor or NoAdware. "Severe threat" is a pretty loaded term to apply to,
for example, a cookie.

Objective reviews by independent reviewers have, in the past, ranked
Microsoft Antispyware in the top ranks of antispyware programs. I have no
doubt that the beta2 product, when available, will continue to be ranked
highly.

If you are finding actual executable spyware on your systems that Microsoft
Antispyware is missing, and these other programs are finding--something is
indeed wrong--with real-time protection, at least. Can you give some
examples of the non-cookie items, with complete details of exactly what is
found?
 
Howard Brazee

Frankly, I trust Microsoft Antispyware's detections more than I do Spyware
Doctor or NoAdware. "Severe threat" is a pretty loaded term to apply to,
for example, a cookie.

It could be. But the major beta issue I have is lack of good
documentation.

When it keeps asking me what to do about some unnamed program in my
startup folder, the choices aren't clear what they do, so I checked
the web and found the description of those choices simply repeated the
same words used in the dialog box. Not at all helpful.

And then when I discovered it kept putting back in a duplicate of a
shortcut that was in my startup folder, I could not find documentation
telling me how to change this.


Maybe it's working correctly, maybe it isn't. We should be able to
find out by reading documentation how it's supposed to work.
 
Guest

NoAdware - Items found: Registry: 44, Cookies: 53, Files: 19 (Total 116)

Examples (taken from program output but "reformatted" to fit here):

Item:
Searchit/SearchitBar
Location:
HKEY_CLASSES_ROOT\\softomate.ietRegKey
Type:
RegKey
Danger:
Dangerous

Item:
Starware
Location:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\GBM547Gv\cmdatatagutils[1].js
Type:
File
Danger:
Severe

Spyware Doctor - 200 items found (a lot of these were just labeled "known bad
sites" though)

Examples:

Infection Name:
Known Bad Sites
Location:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\CHWDQNC1\PRScript[2].dll
Risk:
High

Infection Name:
Affiliated with Browser Hijackers
Location:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\KHERKH6N\index[2].htm
Risk:
Elevated

Infection Name:
First 4 Internet Rootkit
Location:
C:\WINDOWS\system32\$sys$filesystem\aries.sys
Risk:
Elevated

Not sure if this is helpful as to what you're looking for, but these are some
examples from the output of those programs. I realize the filter criteria may
be different on your program and that it might not include all the non-critical
threats these other programs pick up on, but it seemed to me
(admittedly a non-expert) that there were at least a few that were important,
as those other programs deemed them anyway. I ran those two programs first
and didn't expect the same results with the MS program, but for it to come up
with absolutely nothing shocked me and seemed like something wasn't right in
comparison... anyway, maybe I need to better understand how your program is
filtering things. I'll try to read more on that, but perhaps you could
explain as well. Thanks for your timely response and service in looking into
this.

Darrel
 
Cal

Isn't the First 4 Rootkit what gets dumped on a user's machine if
they play a Sony-produced music CD (it's a DRM thing)? Isn't
that something that Mark Russinovich wrote about?

If you google you'll find all kinds of hits about Sony's dirty
DRM practices.

It doesn't make it good that a) there is a rootkit on your
system, or b) that MSAS didn't see it. It's just not the kind of
rootkit we think of when we think of malware. This one you paid
for. ; )

--


-callahan

 
Bill Sanderson

I don't know enough about the underlying details to say much about this
list.

I'm very interested in that last item listed, though--it has been very much
discussed in these groups--particularly the .Announcements group, in the
last week:

the first4internet rootkit--aires.sys

In my opinion, Microsoft Antispyware should detect this and offer to remove
it.

To learn more about this one, read:

http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

and succeeding articles:

http://www.sysinternals.com/Blog/


FWIW, here's what Microsoft has to say about what they target and why:
http://www.microsoft.com/athome/security/spyware/software/isv/analysis.mspx

--
 
Bill Sanderson

You've got this right. I'm hoping Darrell might stick with us through a few
definition cycles to see whether this critter gets detected by Microsoft
Antispyware--I'll be interested to see.

This is definitely a highly sensitive area. In other messages in these
groups, or others, it has been pointed out that the DMCA - Digital
Millennium Copyright Act--makes it illegal to interfere with or remove copy
protection. One could construe removing Sony's rootkit as that--removing a
copy protection mechanism.
--
 
Bill Sanderson

According to The Register
(http://www.theregister.com/2005/11/10/sony_drm_trojan/) the first
trojan taking advantage of Sony's rootkit is out.

I haven't looked into this in detail--i.e. I don't know what the means of
initial infection is--but this news makes removing this critter a higher
priority.

--
 
Guest

Yes, I didn't even know about this issue until you guys mentioned it in reply,
then this morning on USA Today
(http://www.usatoday.com/tech/news/2005-11-09-sony-usat_x.htm) ... what a
coincidence : ) Anyway, I see that I got this through my Switchfoot CD ...
which definitely made me ticked, as I had to install their software just to
get the songs on my PC. In the report it says security experts say Sony can
use it for consumer tracking, but Sony says it doesn't collect information
and is only there for copy protection... which is it? Even if Sony is honest
in that, the fact that it can be exploited, as you show below, is even worse.
Now Sony has a lawsuit on their hands as well. Copy protection and consumer
freedom... the battle continues. I find it quite amusing how a vast number
of film and music artists don't want to be morally responsible in expressing
themselves, yet then turn around and expect the consumer base, which feeds on
their entertainment, to be morally responsible in how they handle their
products. Hmm... could it be that one should practice some responsibility in
the type of material they produce and promote in the first place? Well,
that's another thread for another place. : ) Thanks for the info and previous
links.

Darrel
 
Guest

Items found in the registry don't always mean that you have an infection.
Many scanners will report "infections" when they detect things in the
registry, even if the app they refer to is no longer installed.

Alan
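Alan's point (a registry hit is not by itself an infection) and the mixed bag in Darrel's listing (a registry key, cached browser files, and a driver under $sys$filesystem) can be sorted mechanically. The Python script below is an added example and is not code from NoAdware, Spyware Doctor or Microsoft AntiSpyware: it parses a listing in the key-line/value-line layout Darrel posted (the sample is constructed from three of his entries, including a Location wrapped over two lines) and assigns each finding a triage class. The $sys$ rule relies on the published behaviour of the XCP rootkit, which cloaks files whose names begin with that prefix; the class names, the ranking and the reasons are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the scanner listings posted in this
# thread: a key line ending in ":" followed by its value on the next line(s),
# records separated by blank lines, long paths wrapped over two lines.
# The three entries are copied from the listing above; the rest of this
# script (class names, ranking, rules) is this example's own.
SAMPLE_REPORT = r"""Item:
Searchit/SearchitBar
Location:
HKEY_CLASSES_ROOT\\softomate.ietRegKey
Type :
RegKey
Danger:
Dangerous

Item:
Starware
Location:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet
Files\Content.IE5\GBM547Gv\cmdatatagutils[1].js
Type:
File
Danger:
Severe

Infection Name:
First 4 Internet Rootkit
Location:
C:\WINDOWS\system32\$sys$filesystem\aries.sys
Risk:
Elevated
"""

# The two scanners label the same fields differently; normalise them.
KEY_ALIASES = {"item": "name", "infection name": "name", "location": "location",
               "type": "item_type", "danger": "severity", "risk": "severity"}

# Triage classes, most urgent first (assumed ordering for this example).
PRIORITY = ["cloaked-kernel-driver", "kernel-driver", "review",
            "registry-reference", "browser-cache-fragment"]


@dataclass
class Finding:
    name: str
    location: str
    severity: str
    item_type: str = ""


def parse_report(text):
    """Parse a key-on-one-line / value-on-the-next listing into Finding objects."""
    findings = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for raw in block.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line.endswith(":"):
                label = line[:-1].strip().lower()      # tolerates "Type :"
                key = KEY_ALIASES.get(label, label)
                fields[key] = ""
            elif key is not None:
                # A value wrapped onto a second line is rejoined with a space.
                fields[key] = (fields[key] + " " + line).strip()
        findings.append(Finding(fields.get("name", "?"), fields.get("location", ""),
                                fields.get("severity", "unknown"), fields.get("item_type", "")))
    return findings


def triage(finding):
    """Return (triage class, reason) for one finding, judged from its location."""
    low = finding.location.lower()
    if low.startswith("hkey_"):
        return ("registry-reference", "registry key only; may be left over from an "
                "uninstalled program, so confirm the referenced component exists on the host")
    if "\\temporary internet files\\" in low:
        return ("browser-cache-fragment", "cached page content; not executed on its own, "
                "clearing the browser cache removes it")
    if "\\system32\\" in low and low.endswith(".sys"):
        if "$sys$" in low:
            return ("cloaked-kernel-driver", "driver under a $sys$-prefixed path, the name "
                    "pattern the XCP rootkit hides from directory listings; highest priority")
        return ("kernel-driver", "third-party driver; check publisher and signature")
    return ("review", "no rule matched; inspect manually")


def prioritize(findings):
    """Order findings by triage class, most urgent first."""
    return sorted(findings, key=lambda f: PRIORITY.index(triage(f)[0]))


if __name__ == "__main__":
    for f in prioritize(parse_report(SAMPLE_REPORT)):
        kind, reason = triage(f)
        print(f"[{kind}] {f.name} ({f.severity}): {f.location}\n    {reason}")
```

Run as-is, the driver comes out first, the registry key second with a note to verify whether the referenced component is still installed, and the cached .js last. The script classifies from the path alone; whether a registry key really is orphaned has to be checked on the machine itself, which is the check Alan is describing.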
 
Bill Sanderson

Darrell - If you want to remove this critter, Sophos has a tool to do the
job:

http://www.sophos.com/support/disinfection/rkprf.html

I'd sure be interested to know from others when any Microsoft provided tools
either detect or detect and remove this code, though.

Historically, they haven't announced what's covered and what isn't in
Microsoft Antispyware, so real reports from the field are all we have to go
by.

--
 
Guest

Bill,

I use Sophos at work and it picked up on it after a recent update. I had
already used your link and downloaded the program... the computer is now free of it.
Thanks for the help. I've now scanned two computers at work with MSAS and
came up with nothing on both... will do a few more. We must be really "well
behaved" and fortunate in our internet use here, according to MS anyway.

Darrel
 
Guest

Bill,

I should add to my last post that it is not that I want to find malware or
spyware when I do these scans, just that the second work computer I scanned
has been running every week for at least a couple of years with plenty of net
use and no previous spyware scans to my knowledge...and with a user who
wouldn't be inclined to check for these things anyway. So I continue to be
amazed that MSAS finds nothing, happy that it doesn't, but just a bit
skeptical. ; )

Darrel
 
Frank Saunders, MS-MVP OE

Darrel said:
Bill,

I should add to my last post that it is not that I want to find
malware or spyware when I do these scans, just that the second work
computer I scanned has been running every week for at least a couple
of years with plenty of net use and no previous spyware scans to my
knowledge...and with a user who wouldn't be inclined to check for
these things anyway. So I continue to be amazed that MSAS finds
nothing, happy that it doesn't, but just a bit skeptical. ; )

Darrel

It depends mostly on where the browsing went and what was downloaded.

--
Frank Saunders, MS-MVP OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
 
Bill Sanderson

Microsoft has now announced that they will detect and remove the Sony DRM
code in:

Microsoft Antispyware (probably the next definition update)

http://safety.live.com (online version of Microsoft Antivirus, which is a
part of Windows OneCare Live, and Microsoft Client Protection--both beta
desktop protection suite products--one oriented towards home use, the other
towards business networks.)
and
the Malicious Software Removal tool--this is the tool revised monthly (or as
needed) and issued via AutoUpdate each month with the monthly security
patches, if any.

http://www.microsoft.com/security/malwareremove/default.mspx

I've the same experience you do on most corporate desktops. However, there
are a few that I run into that are really infested--so it appears to be up
to individual habits and behaviors--and the folks I work with are not into
"bad" stuff--probably just music related sites.

--
 
B

Bill Sanderson

I wouldn't be skeptical. You might try following up with Ewido for a solid
second opinion. I don't know whether Ewido does cookies--I've never
actually used it--but I don't think Microsoft Antispyware is missing the
really bad stuff.

I know that's how this thread started--and looking back at your list of what
was found, the Aries rootkit was the real baddie--and I'll admit it is
taking Microsoft a good while to catch up to Spyware Doctor on that
detection. There are a couple of other items--the javascript bit and the
.dll file that look dangerous as well, but these may be just bits and
pieces--and it may not make sense to call these out to the user if the other
pieces necessary to actually execute the code aren't present.

I think that at present, there appear to be other apps whose detections are
ahead of Microsoft Antispyware. I think it is likely that by the time
Windows Defender appears, it will have caught up, though.

--

Darrel said:
Bill,

I should add to my last post that it is not that I want to find malware or spyware when I do these scans, just that the second work computer I scanned has been running every week for at least a couple of years with plenty of net use and no previous spyware scans to my knowledge...and with a user who wouldn't be inclined to check for these things anyway. So I continue to be amazed that MSAS finds nothing, happy that it doesn't, but just a bit skeptical. ; )

Darrel

Bill Sanderson said:
Darrell - If you want to remove this critter, Sophos has a tool to do the
job:

http://www.sophos.com/support/disinfection/rkprf.html

I'd sure be interested to know from others when any Microsoft provided tools either detect or detect and remove this code, though.

Historically, they haven't announced what's covered and what isn't in Microsoft Antispyware, so real reports from the field are all we have to go by.

--

Darrel said:
Yes, didn't even know about this issue until you guys mentioned it in reply, then this morning on usatoday (http://www.usatoday.com/tech/news/2005-11-09-sony-usat_x.htm) ... what a coincidence : ) Anyway, I see that I got this through my SwitchFoot CD ... which definitely made me ticked as I had to install their software just to get the songs on my PC. In the report it says security experts say Sony can use it for consumer tracking, but Sony says it doesn't collect information and is only there for copy protection...which is it? Even if Sony is honest in that, the fact that it can be exploited, as you show below, is even worse. Now Sony has a lawsuit on their hands as well. Copy protection and consumer freedom... the battle continues. I find it quite amusing how a vast amount of film and music artists don't want to be morally responsible in expressing themselves, yet then turn around and expect the consumer base, which feeds on their entertainment, to be morally responsible in how they handle their products. Hmm...could it be that one should practice some responsibility in the type of material they produce and promote in the first place? Well, that's another thread for another place. : ) Thanks for the info and previous links.

Darrel

:

According to The Register
(http://www.theregister.com/2005/11/10/sony_drm_trojan/) the first
trojan taking advantage of Sony's rootkit is out.

I haven't looked into this in detail--i.e. I don't know what the means of initial infection is--but this news makes removing this critter a higher priority.

--

NoAdware - Items Found.. Registry: 44, Cookies: 53, Files: 19 (Total 116)

Examples (taken from program output but "reformatted" to fit here):

Item: Searchit/SearchitBar
Location: HKEY_CLASSES_ROOT\\softomate.ietRegKey
Type: RegKey
Danger: Dangerous

Item: Starware
Location: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GBM547Gv\cmdatatagutils[1].js
Type: File
Danger: Severe

SpyWare Doctor - 200 Items found (A lot of these were just labeled "known bad sites" though)

Examples:

Infection Name: Known Bad Sites
Location: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CHWDQNC1\PRScript[2].dll
Risk: High

Infection Name: Affiliated with Browser Hijackers
Location: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KHERKH6N\index[2].htm
Risk: Elevated

Infection Name: First 4 Internet Rootkit
Location: C:\WINDOWS\system32\$sys$filesystem\aries.sys
Risk: Elevated

Not sure if this is helpful as to what you're looking for, but they are some examples from the output of those programs. I realize the filter criteria may be different on your program and that it might not include all the non critical threats these other programs pick up on, but it seemed to me (admittedly a non expert) that there were at least a few that were important as those other programs deemed them anyway. I ran those two programs first and didn't expect the same results with the MS program, but for it to come up with absolutely nothing shocked me and seemed like something wasn't right in comparison... anyway maybe I need to better understand how your program is filtering things, I'll try to read more on that, but perhaps you could explain as well. Thanks for your timely response and service in looking into this.

Darrel

:

If you are finding actual executable spyware on your systems that Microsoft Antispyware is missing, and these other programs are finding--something is indeed wrong--with real-time protection, at least. Can you give some examples of the non-cookie items, with complete details of exactly what is found?
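As an added illustration of the triage Bill is describing (cookies and cached browser fragments versus a driver actually loaded from system32), here is a small Python script, written for this page rather than taken from any of the tools in the thread, that parses records in the Item/Location/Type/Danger layout Darrel reformatted above and ranks them by where they live. The sample records are copied from his post; the bucket names, the priority numbers and the key-merging map are this example's own assumptions, not either vendor's rating scale.

```python
import re
# Constructed sample in the layout Darrel posted (three of his records, not live tool output).
SAMPLE_REPORT = r"""
Item: Searchit/SearchitBar
Location: HKEY_CLASSES_ROOT\softomate.ietRegKey
Type: RegKey
Danger: Dangerous

Item: Starware
Location: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GBM547Gv\cmdatatagutils[1].js
Type: File
Danger: Severe

Infection Name: First 4 Internet Rootkit
Location: C:\WINDOWS\system32\$sys$filesystem\aries.sys
Risk: Elevated
"""
# The two tools label the same fields differently; fold both onto one schema (assumed mapping).
KEY_MAP = {"item": "name", "infection name": "name", "location": "location",
           "type": "type", "danger": "rating", "risk": "rating"}

def parse_report(text):
    """Split blank-line-separated 'Key: value' records into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[KEY_MAP.get(key.strip().lower(), key.strip().lower())] = value.strip()
        records.append(rec)
    return records

def classify(location):
    """Bucket a finding by where it lives (buckets are this example's own, not a vendor scale)."""
    loc = location.lower()
    if "$sys$" in loc:
        # XCP's driver cloaks names starting with $sys$: a file under that prefix is live code.
        return "cloaked-system-binary", 0
    if "\\system32\\" in loc and loc.endswith((".sys", ".dll", ".exe")):
        return "system-binary", 1
    if loc.startswith("hkey_"):
        return "registry", 2      # stray CLSID/BHO keys: review, but a key alone runs nothing
    if "temporary internet files" in loc or "\\cookies\\" in loc:
        return "browser-cache", 3  # cached .js/.htm/.dll: inert unless something loads them
    return "other", 2

def triage(text):
    # Parse a report and return its records ordered by priority, most urgent first.
    ranked = [dict(rec, bucket=b, priority=p) for rec in parse_report(text)
              for b, p in [classify(rec.get("location", ""))]]
    return sorted(ranked, key=lambda r: r["priority"])
```

Run against the sample, the aries.sys driver comes out on top while the Starware script in the IE cache, which NoAdware rated "Severe", lands last.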
 
D

Dave M

Bill,
You're probably the best in here to pose this to. MSAS Beta1 doesn't detect
rootkits and doesn't remove rootkits in its current configuration, so why
should we expect this to change with just the next definition update? I know MS
has a group working on this, (forget the name) but without a code update to
.615, I don't understand how you can say that. Maybe I'm missing something?
Sure it was announced, but right now it's vaporware.
 
D

Dave M

Microsoft AntiSpy removes Sony DRM Rootkit
[Via Mark Harrison]

From the Microsoft Anti-Malware Engineering Team blog ...

We have analyzed this software (Sony DRM Rootkit), and have determined that in
order to help protect our customers we will add a detection and removal
signature for the rootkit component of the XCP software to the Windows
AntiSpyware beta, which is currently used by millions of users.

posted on Monday, November 14, 2005 12:33 PM by Stefan_Gossner

I asked Stefan when this would show up in this Beta1/Beta2. Let's see if
there's a response, if so I'll post it. :)
 
B

Bill Sanderson

Darrel - I don't know if you are still reading this, but it would be wise to
visit this page:

http://www.freedom-to-tinker.com/

and use their "codesupport detection page" link to check on whether you've
got a problem which is worse than the original DRM code....

--
 
B

Bill Sanderson

They do, in fact, detect some rootkit-like malware. It is hard to give an
example of this, 'cause at this point the detection/cleaning list isn't
published, but I believe this is true.

I don't think this is true, generalized, rootkit detection, such as
RootKitRevealer or BlackLight does--I'm not sure how it is done--but the
blog entry was very clear--they believe they can do this with Microsoft
Antispyware. The Malicious Software Removal tool, of course, has targeted
rootkits from the start, and removes several families of them.

If you've read the more recent news on this stuff it's growing bigger by the
minute. One estimate that I've seen mentions half a million networks with
machines with this software on them.

When this software is detected by Microsoft, there will be quite a bit of
consternation. This will be a big event--accidents will happen, corporate
machines will be scrubbed--there will likely be a large fuss, no matter how
well this is handled by the various vendors involved.

I hope that they succeed in handling it very well indeed. We'll see.

--
 