Why does SPYBOT continue to remain vulnerable to HIJACKING?

MISS CHIEVOUS
2007-11-17, 23:25
Hi, I'd like firstly to thank SPYBOT for being such a WONDERFUL program. Please don't interpret my remarks as an attack on the authors of this powerful software; I'm just trying to understand why the program remains vulnerable to hijacking. Also, let's acknowledge one fact before we discuss this: SPYBOT is in the business of cleaning up that most notoriously buggy of web browsers --> Microsoft's INTERNET EXPLORER. If I have any anger at my present infected circumstance, Microsoft owns it. SPYBOT didn't create a browser with the unique characteristic of being the World's Welcoming Committee for every species of malware conceivable, Microsoft did. I'd have to be truly mean to criticize SPYBOT for making every effort to clean up a mess it didn't create in the first place. I curse this browser. I only continue to be suffered to use it because, like a cruel joke upon me, it happens to do the best job of rendering my Adobe Acrobat PDF's to look exactly as they are supposed to look. I have no need to upgrade my OS, and so am stuck in the global Hell that Microsoft sends all of us to by not allowing IEx 7 to be backward compatible with Windows 2000. I think that puts the proper perspective on this thread; here's why I'm posting:

Many years ago I used SPYBOT but had to discontinue using it because of a persistent issue the program had with attracting mischief to my Explorer version 6.x. Then, as now, I'm on Windows 2000 Pro, fully service packed, rolled-up and regularly patched. The immediate presence of SPYBOT on my computer coincided with the hijacking of (you guessed it) Explorer 6. I would download only the latest version of SPYBOT, install it to a new build, Immunize, select my properties, and only then upgrade the program. SPYBOT would find the malware, fix it, and immunize me against it . . . and the next day the malware would be right back. I had to install HIJACK THIS to remove it.

So some years later I am disappointed to find that the same thing has happened with a new install. The Trojan I am infected with is the Win32.Small.afk Trojan, which alters your IEx start page to a site in China named nb4f.com.cn, and delivers the following love note to you upon attempting to access IEx's Options:

This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.

It installs to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Userinit

and scripts a file called lwisys16_071115.dll to run, as follows:

C:\WINNT\system32\inf\svchost.exe C:\WINNT\system32\lwisys16_071115.dll start

I assume complete responsibility for the unforgivable oversight of not disabling SCRIPTING in IEx before first installing & updating SPYBOT. This oversight on my part invited the first line of mischief, and it was entirely preventable.

Having said that, I was alarmed that after immunizing myself through SPYBOT this Trojan came right back. Growing increasingly desperate, I ran AVG FREE Anti-Virus . . . which (if anyone doubts what SPYBOT is up against) couldn't even find this Trojan in the first place.

So I did a little research on USENET and discovered that another person had this same issue about a year ago with IEx 6 and its notorious patches and service packs. The gentleman was advised to run HIJACK THIS to fix the Trojan. He did so, but it kept coming back. Having ascertained that my only other reliable fix for a persistent HIJACK attempt -- HIJACK THIS -- was apparently, itself, cracked, I was alarmed to next read -- even at this late date -- a poster who wrote words to the effect that "one of the most popular programs to expose yourself to an IEx HIJACK is SPYBOT."

I haven't downloaded/installed HIJACK THIS because I anticipate having the same experience as this other gentleman. I'll ask this with all the humility I can summon: If neither SPYBOT nor HIJACK THIS can get rid of this Trojan permanently, does this mean I need to completely reinstall my computer?

MISS CHIEVOUS
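As an added illustration (not part of the thread, and not Spybot's code), here is a defender-side check for the persistence pattern described in the post above: a value under the policies\Explorer\run key that launches a binary named svchost.exe from outside the system directory and hands it a DLL. The .reg export it scans is a constructed sample, and the list of system binary names and the Windows 2000 system path are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample (not a real capture): a .reg-style export of the
# persistence key named in the thread, plus an unrelated policy key.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"Userinit"="C:\\WINNT\\system32\\inf\\svchost.exe C:\\WINNT\\system32\\lwisys16_071115.dll start"
"Logon"="C:\\WINNT\\system32\\userinit.exe"
"""

SYSTEM_DIR = r"c:\winnt\system32"  # Windows 2000 layout, as in the thread
# Assumed list of Windows binary names that malware likes to borrow.
SYSTEM_BINARIES = {"svchost.exe", "userinit.exe", "explorer.exe", "winlogon.exe", "lsass.exe"}

def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return {value_name: command line} for values under any ...\\run key."""
    values: Dict[str, str] = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower().endswith("\\run")
        elif in_run_key:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:  # .reg exports double every backslash
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def analyze_run_entry(cmdline: str) -> List[str]:
    """Return reasons a Run entry looks suspicious; an empty list means clean."""
    findings: List[str] = []
    tokens = cmdline.split()  # sample paths contain no spaces, so a whitespace split suffices
    if not tokens:
        return findings
    directory, _, name = tokens[0].lower().rpartition("\\")
    # A system binary name outside the system directory is a masquerade.
    if name in SYSTEM_BINARIES and directory != SYSTEM_DIR:
        findings.append(f"{name} launched from outside {SYSTEM_DIR}: {directory}")
    # A DLL passed to a launcher is the loader pattern from the thread.
    for arg in tokens[1:]:
        if arg.lower().endswith(".dll"):
            findings.append(f"DLL handed to the launcher: {arg}")
    return findings

def scan(reg_text: str) -> Dict[str, List[str]]:
    """Map each Run value name to its findings; call scan(SAMPLE_REG) to try it."""
    return {name: analyze_run_entry(cmd) for name, cmd in parse_run_values(reg_text).items()}
```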

turnips
2007-11-19, 13:11
erm. that was a long post. but very detailed. ^_~

just curious, why did you use IE if you knew it sucks?

..

MISS CHIEVOUS
2007-11-21, 19:09
Because I had to render some PDF's off of some websites, and as I explained above :rolleyes: IEx does a better job of this than any other browser I've used (most particularly Firefox).

I finally rid myself of this Trojan by just restoring my entire C drive from the (daily) backups I make of both the drive and the system state through Windows 2000.

But the question remains: Why can't SPYBOT close these vulnerabilities that it exposes the user to every time they update SPYBOT? I ask it in all seriousness: Is this just something that SPYBOT cannot code itself around? Something that cannot ever be permanently fixed?

MC

Yodama
2007-11-22, 08:28
"one of the most popular programs to expose yourself to an IEx HIJACK is SPYBOT."

could you give us a link to the source of this statement? It appears to be someone's personal opinion unless it is backed by justified explanation on how Spybot S&D lowers the security.

But the question remains: Why can't SPYBOT close these vulnerabilities that it exposes the user to every time they update SPYBOT? I ask it in all seriousness: Is this just something that SPYBOT cannot code itself around? Something that cannot ever be permanently fixed?
MC

Which vulnerabilities are you referring to? Connection to the internet? Sad but true, a connection to the internet always causes risks to a computer, especially for a Microsoft Windows based computer.
Spybot S&D has 2 ways in which it can be updated, the first one is the integrated updater and the second is the manual update (http://www.spybotupdates.com/updates/files/spybotsd_includes.exe). The manual update has the advantage that you can download it with a safe/uninfected computer using your favorite web browser and then copy it to the computer where Spybot S&D is installed. That way a possibly infected computer does not need to connect to the internet for Spybot S&D updates.

Antiproton
2007-11-23, 18:54
You seem particularly concerned about security and integrity... and yet you use IE6 on Windows 2000. For someone who makes daily backups of their HD's, I'm surprised at this. If IE6 is the only browser that can accomplish a specific task (which I'm far from believing), then it would probably behoove you to have a sandbox Virtual Machine that is specifically for this purpose.

There is a modicum of personal responsibility inherent in the acquisition and removal of spyware, virii, et al.; it is impossible for developers to account for every possible corner case, especially for people who are using antiquated software with known security vulnerabilities.

eaglehorse
2007-11-24, 14:16
If neither SPYBOT nor HIJACK THIS can get rid of this Trojan permanently, does this mean I need to completely reinstall my computer?

HJT (HijackThis) is a detection software and only has limited capability for fixing certain entries, not the infection. Here ( Edit. Removed link ) is a tutorial on HJT. :angel:

tashi
2007-11-24, 18:41
Anyone contemplating the use of HJT at this site is directed here:
"BEFORE you POST"(READ this Procedure before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Cheers.

MISS CHIEVOUS
2007-11-30, 00:11
So I did a little research on USENET and discovered that another person had this same issue about a year ago with IEx 6 and its notorious patches and service packs. The gentleman was advised to run HIJACK THIS to fix the Trojan. He did so, but it kept coming back. Having ascertained that my only other reliable fix for a persistent HIJACK attempt -- HIJACK THIS -- was apparently, itself, cracked, I was alarmed to next read -- even at this late date -- a poster who wrote words to the effect that "one of the most popular programs to expose yourself to an IEx HIJACK is SPYBOT."


could you give us a link to the source of this statement? It appears to be someone's personal opinion unless it is backed by justified explanation on how Spybot S&D lowers the security.

Which vulnerabilities are you referring to? Connection to the internet? Sad but true, a connection to the internet always causes risks to a computer, especially for a Microsoft Windows based computer.
Spybot S&D has 2 ways in which it can be updated, the first one is the integrated updater and the second is the manual update (http://www.spybotupdates.com/updates/files/spybotsd_includes.exe). The manual update has the advantage that you can download it with a safe/uninfected computer using your favorite web browser and then copy it to the computer where Spybot S&D is installed. That way a possibly infected computer does not need to connect to the internet for Spybot S&D updates.

Hi Yodama! I'll be more than happy to hunt down that post. I'm pretty sure it was on Usenet, but it may have been a legitimate website. I could kick myself for not writing down the source — and really, it's unfair of me to quote it . . . and then not provide the source.

Give me some time and I'll try to find it for you.

I lost my computer a few days after posting this thread (never use ACRONIS backup software! never! it so perfectly mutilated my boot partition as to render it unrecoverable UGH) so needless to say I can't easily access my tracks from the week prior, but I'll try to locate it and provide it.

:heart: MISS CHIEVOUS :heart:

MISS CHIEVOUS
2007-11-30, 00:16
You seem particularly concerned about security and integrity... and yet you use IE6 on Windows 2000. For someone who makes daily backups of their HD's, I'm surprised at this. If IE6 is the only browser that can accomplish a specific task (which I'm far from believing), then it would probably behoove you to have a sandbox Virtual Machine that is specifically for this purpose.

I'm sorry Antiproton but . . . are you being facetious? or is this a legitimate technology?

However frivolous you may consider my motives, I repeat my assertion: Microsoft's IEx does a better job at rendering PDF's than Firefox. Doubtless because it's loose enough to drive a forklift through tsk. ;)

A link please. Unless this was just a joke. I'd like nothing better than to never have to open IEx ever again.

MC

tomdkat
2007-12-01, 04:27
However frivolous you may consider my motives, I repeat my assertion: Microsoft's IEx does a better job at rendering PDF's than Firefox. Doubtless because it's loose enough to drive a forklift through tsk. ;)
You don't use the Adobe Acrobat Reader browser plugin to view PDFs? If not, why not?

I didn't even know IE could render PDFs natively (without a plugin of any kind).

Peace...

MISS CHIEVOUS
2007-12-01, 19:14
You don't use the Adobe Acrobat Reader browser plugin to view PDFs? If not, why not?
Because I have Adobe Acrobat Professional 7. ;)

MC