My Recent Spyware Experience


A few months ago a neighbor (the mother of the family) asked me to take a look at their computer running Windows XP. It had slowed noticeably, and they had a nasty case of “pesky popups.” But to make matters worse, they had discovered a stash of really nasty porn on the machine. The real killer is their son is only six years old, and he was the one being fingered for the crime.


The first thing I did was take a look at the machine, and sure enough it was choc full o’ p0rn, and popups were aplenty. Actually, that was the second thing I did, the first thing I did was accept a glass of very nice Washington merlot :) – not bad for $8 a bottle :))


Then I ran netstat on the box to see if there were any funky connections to the machine. I asked the mother if she had friends in Russia and Brazil. She said, “No” and I replied, “Well that’s bad, because someone in Russia and Brazil likes you!” There were two connections open to the machine, one each from the aforementioned countries.
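The netstat check described above, as an added example and not code from the post: it parses `netstat -an` output in the Windows XP layout and reports ESTABLISHED TCP sessions whose peer is outside the home LAN, calling a session inbound when its local port is one the box is listening on (someone connected to the machine) and outbound otherwise. The sample output is constructed, the LAN is assumed to be RFC 1918 space, and the foreign hosts are documentation addresses standing in for the real peers.

```python
import ipaddress

# Constructed `netstat -an` output in the Windows XP layout (not from the post);
# the foreign hosts are RFC 5737 documentation addresses standing in for real peers.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5100           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1037       192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.5:1040       198.51.100.23:80       ESTABLISHED
  TCP    192.168.1.5:5100       203.0.113.17:3821      ESTABLISHED
  TCP    192.168.1.5:5100       192.0.2.88:50211       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Peers in these ranges are the LAN or the box itself, so they are not reported.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def split_endpoint(endpoint):
    """'203.0.113.17:3821' -> ('203.0.113.17', 3821); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def is_lan(host):
    try:
        return any(ipaddress.ip_address(host) in net for net in LAN_NETS)
    except ValueError:  # '*' or a name rather than an address
        return False

def parse_netstat(text):
    """Yield (proto, local, foreign, state) for each socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            yield parts[0], parts[1], parts[2], (parts[3] if len(parts) > 3 else "")

def triage(text):
    """Established TCP sessions with a peer outside the LAN, tagged inbound
    (peer hit a port this box listens on) or outbound."""
    rows = list(parse_netstat(text))
    listening = {split_endpoint(loc)[1] for proto, loc, _, st in rows
                 if proto == "TCP" and st == "LISTENING"}
    findings = []
    for proto, local, foreign, state in rows:
        if proto != "TCP" or state != "ESTABLISHED" or is_lan(split_endpoint(foreign)[0]):
            continue
        direction = "inbound" if split_endpoint(local)[1] in listening else "outbound"
        findings.append({"local": local, "peer": foreign, "direction": direction})
    return findings
```

On a real box, feed it `netstat -an` captured to a file; the two inbound hits on port 5100 are the kind of "someone likes you" sessions worth a WHOIS lookup and an abuse report.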


I noted the IP addresses and then emailed the abuse aliases at the ISPs from my laptop. I know the machines may not be owned by the perps, but they might be 0wned by the perps, so I let the ISPs know anyway.


At this point I enabled the firewall and rebooted the machine to shut down any connections.


We had just released the beta of Microsoft AntiSpyware, and I had it along with Windows XP SP2 and Port Reporter on a USB thumbdrive. So I loaded the anti-spyware onto the machine and ran it – sure enough the tool removed a number of instances of malware.


I then accepted a second glass of merlot, and installed Windows XP SP2 and the Port Reporter. You’ll see why I installed Port Reporter in a moment.


Once that was done, I sat the mother down, and said (this is almost verbatim), “You’re the mother, this is your home computer, and this is under your control and no-one else’s. Not your kids and not your husband. Because of this, you’re the only admin on the box, all software is installed by you and no-one else. Oh, and at night, hit the standby key, bad guys can’t get to a machine that’s not running.” She nodded agreeably (like she had an option!). I then removed all the users except her from the admin group.


That was about three months ago.


I visited the home the other day to see how things were going; they’ve seen no pop-ups, and no “weird stuff” whatsoever.


I then looked at the Port Reporter output to see if there were any odd outbound connections; there were none. I looked at installed software, nothing funky. I re-ran Microsoft AntiSpyware beta, again, nothing. I also ran RootkitRevealer 1.32 from sysinternals.com, and saw nothing out of the ordinary.


So I consider the machine clean.


I looked at the firewall log, and it looks like the machine is still seeing attacks! Of course, I expect that, but here’s an important point: attacks happen and always will; the real issue is whether they lead to compromises, and with these defenses in place they are not.


So here are my tips for protecting unmanaged home computers:


1) Install Windows XP SP2.
2) Make sure the firewall is on!
3) Enable AutoUpdates.
4) Make the mother take ownership of the machine. This means she’s the only one that knows the admin account password and every software install goes through her.
5) Make all other users non-admins.
6) Force use of strong passwords. By strong, I don’t mean “stupidly long”, I mean “not simple.”
7) Install an anti-spyware tool; in this case, I used the Microsoft beta offering.
8) Hit Standby when you’re done with the computer at night.


In short: a little technology and a little education is all it takes to stay safe.


PS: Oh, if you’re wondering what the relationship is between the connections to Russia and Brazil and the porn: this machine was being used to store porn for these folks. The son is exonerated!


Big thanks to Aaron Margosis and Peter Torr for their comments.

Comments (5)

  1. Kelly Jones says:

    Hi Michael,

    My brother had a similar incident recently. I won’t bore you with the war story, but the immediate problem was fixed by: a.) downloading our anti-spyware tool and b.) installing SP2. The real benefit I discovered from helping walk my brother through the problem was that his family is now using their computer again. The pop-ups and lord knows what else had become bad enough that they had quit using their computer. He was *very* happy that a few simple downloads from Microsoft could fix the problem. I had been somewhat ignorant of the real impact that malware was having on ordinary users and eventually, Microsoft’s bottom line; maybe because I always have had some sort of firewall and kept my family’s systems updated. Anyways, kudos to you security folks for pushing the security initiative.

    -Kelly

  2. AC says:

    Of course, it was "only a family computer" so your main assumptions have been:

    – You’ll come again, so you don’t have to solve the problem 100% at once.

    – Even if some software that makes outgoing connections remains there after the first visit, it’s not so important, you’ll see it in the logs on the second visit (and the hacker is probably not too clever/persistent to clear the logs).

    Now imagine that you have had just a little stronger goal: to be able to claim after the first visit that the computer is safe. Boy, you’d have had much more work – installing the operating system and all the software on the machine from the CDs again. Only then SP2 etc.

    And the people haven’t had anything bad, they just used the computer with the default configuration, as Microsoft made it.

    By the way, the mother probably still surfs/reads e-mails as admin. One accidental "yes" instead of "no" from her on some dialog and the problems start again. And for the CD in the tray, when she’s logged in, the "Autorun" is executed as admin too.

    MS should really, among other things, organize things so that only the system software must be installed as admin, and all the games and "normal" software ("Office" kind of stuff) can be both installed and run under a restricted account. Even things like database servers shouldn’t need administrator rights to be installed for a single user.

    Deep in the OS, the protection mechanisms always existed, they were just not used by the rest of MS and developers.

  3. Mendy Werne says:

    Spyware can be a pain… try DriveShield PLUS by Centurion Technologies. This product write-protects your hard drive, so spyware and other malicious programs can’t even penetrate your hard drive, and it erases unwanted or unintended changes when the computer is rebooted – restoring it to the desired state.

    Check it out at

    http://www.centuriontech.com/dsplus-about.htm

  4. Kevin Remde says:

    Wow… Michael, this is almost word-for-word the same experience I’ve had with many of my neighbors. Minor difference in the wine (a bottle of a California Merlot offered as payment).. but other than that, it’s scary what people DON’T know, and how easy it is for such control of machines to be taken. You and I and most if not all of our coworkers are doing great things in our neighborhoods by offering such assistance whenever we can – if only to educate our neighbors, friends, and families about the list of tips you mentioned.

    Great posting!