cobolhacker.com

2004/7/3

Another day, another bug hunt, part 1

Filed under: General — cobolhacker @ 16:17

Just another day at the computer shop! In this episode Bob has a chance encounter with a truly evil, bleeding-edge adware trojan.

An arriving computer presents with sluggishness, strange search pages when surfing, seemingly unstoppable porno popups – yada, yada, yada. It’s an adware infection. Its owner is understandably not impressed.

The poor computer is a Compaq Celeron 2.0 GHz with only 120MB of RAM (the video controller on the Intel 845 chipset gets the other 8MB), so it’s not like it has a lot of juice to start with. Booting XP Home with the base set of services is worth around a 90MB Commit Charge. On a machine like this one the process should take about 30 seconds after the POST is complete.

Since this computer also has Norton Anti-Virus and some HP printer software installed, we can add another 128MB and another 30 seconds to the boot time. These two aren’t companies that make slim software.

But this computer takes around 4 minutes to present a responsive desktop. And even after it gets there it is slow. A quick check of the Task Manager reveals that the machine’s memory consumption is approaching 300MB or so. It is the adware — probably the fat and stupid n-Case — eating up all kinds of memory and processor cycles. And that’s without the machine being hooked up to the Internet.

I start by analyzing msconfig to look for spurious startup processes, including some of the extra junk that legitimate applications put there (HP is bad for this). Another trick I do is run the anti-spyware tool Hijackthis and look for various browser hijack codes. On this machine there are a lot of hijacks. About 16 pages worth of hijacks and other sneakiness. N-case is in there alright, but I also recognize some of it as CoolWebSearch. Well — this just got interesting.

CoolWebSearch, or CWS as it is known, is an increasingly common adware/spyware system. Some of my other favourites include VX2.BetterInternet, n-Case, SearchLOP, Hotbar, and a rude little one called VirtualBouncer. VirtualBouncer is hilarious. They actually want you to pay them to uninstall it. Yeaaah right.

But CWS ranks among the most pernicious adware systems ever conceived. It’s as evasive as it is mutable in form. The roughly 40 variants of CWS have it all — hostile Browser Helper Objects, bogus favourites, interception and alteration of DNS functions in Windows, replacement of system files, self-installing scripts. Some of the variants create a hostile CSS page and then make it the default in IE; others alter your HOSTS file to redirect URLs from where they should go to nasty pop-up-laden porno portals. Some launch multiple processes, re-spawning one another as they are terminated, while others deploy with random filenames to evade detection. All of them adjust your homepage or favourites to display their endless selection of pornography and generic drug ads. So varied and prolific is the CWS family that there is an entire website devoted to its study. Complex, sure, but it ain’t so tough. I’ve eradicated CWS before. Did it just the other day, in fact.

Most CWS variants are installed surreptitiously from hostile web sites by exploiting a vulnerability in the Microsoft Virtual Machine. Staying on top of your Windows Critical Updates can avoid this problem, but sadly a majority of users either can’t be bothered or don’t know that they should be bothered. And even though the computer has a current, updated copy of Norton Anti-Virus 2003, it did nothing about the deployment of CWS or any of the other adware, because versions of NAV 2003 and earlier apparently don’t see adware as a threat. I’m guessing this is because a lot of freeware available on the Internet comes bundled with adware built in and won’t work without it. So the anti-virus program allowed the infection to happen, unchecked.

After I’ve got an idea of what I’m dealing with, I note that the machine is still usable, albeit slow. Since I’m in normal mode already I start installing anti-adware tools from CDROM. I go to the Add/Remove Programs applet to run any of the uninstallers offered by the adware programs. Not all adware tries to resist removal. Adware systems like Gator, Brilliant Digital and Newdotnet can be more or less removed by running their uninstaller. That doesn’t mean I trust them to do so completely, but this step can reduce the registry and hard drive clutter caused by these programs. One of the little beggars, I think it’s SearchBar, begs me not to remove it: “But I’m not Spyware! I do good things for you!” it pleads. But no mercy is shown. I turn off all of those undesirable startup processes by running msconfig and by cleaning up Run, RunServices, etc… in the registry. I also empty Internet Explorer’s cache, and delete all the files in the various temp folders that Windows keeps. For some reason I’ve never figured out, Windows 2000 and XP keep separate temp folders for each user account, as well as a temp folder in the %systemroot% folder like Win9x does. Viruses and adware love to hide in the temp folders. They can also hide in the System Restore folder, so it has to be turned off as well. Never did find the thing to be that useful anyway.

Following a reboot I see what I have left. It is helpful here to operate in Normal Mode rather than Safe Mode to see who still wants to reside in memory. If necessary I can reboot to Safe Mode afterwards. A couple of the more stalwart ones like VX2 have returned. I start killing them off using the process viewer in 2000/XP. In Windows 9x you can use the old school tools wintop and pview (these allow you to terminate processes just as effectively, if not more so). It’s helpful if they are not running when the anti-adware tools encounter them. I also make note of their filenames, so if they evade detection I can delete them from safe mode.

With any severe spyware infection it is helpful to use multiple anti-adware tools — variants are developed so quickly that no one tool can be expected to catch them all. We tend to use Ad-Aware 6.181 and Spybot 1.3, in part because both programs can be updated without being connected to the net. Both programs are run one after another to catch and delete as much as they can. Their detection reports are brimming with adware crap. Ad-Aware catalogs over 200 cookies alone. It goes well. Spybot fails to kill a registry key leading to HKCR/Interfaces, but I am able to erase the key using regedit. From the command prompt I erase a couple of leftover folders.

Evil suckers like CoolWebSearch are so invasive that there is a special tool called CWShredder you can run to quickly get rid of most of the variants. It finds the remnants of two different CWS versions. They are sterilized, heh. I finish off by running Hijackthis to find any remaining hijacks, BHOs, and other stupidity. I accidentally remove some RealNetworks browser junk too. Darn. Guess I’ll have to replace it with RealAlternative later.

In the end, every startup call, every process, every BHO, redirect and link in Normal mode has to be identified and accounted for. Since most adware systems hide in the SYSTEM or SYSTEM32 folders it can be difficult to distinguish them from legitimate processes. Many have filenames which look like they might be legitimate. Some hacktools install themselves as services in 2K/XP — I haven’t seen this behavior in adware yet, but it never hurts to check, as Msconfig does not show you what services are set to start automatically. There are numerous utilities and websites you can check to determine if a service or process is a normal one. Wintasks is pretty decent. Any undesirable process that resists removal must be deleted; sometimes in safe mode, and sometimes using a utility called Killbox which can catalog and delete files before the regular startup sequence is initiated.
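Two of the checks in that accounting step, HOSTS redirects and startup entries launched from a temp folder, as a small added script (example code, not from the post or any of the tools it names). The function names, the `reg export`-style dump format and both sample inputs are my own constructions; the 192.0.2.10 address is a TEST-NET placeholder standing in for wherever a hijacker points a name.

```python
"""Added example: flag HOSTS redirects and Run-key entries launched from temp folders."""
import ipaddress
import re


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def is_benign_target(ip):
    """Only loopback and the 0.0.0.0 blackhole are acceptable HOSTS targets here."""
    try:
        return ip == "0.0.0.0" or ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # garbage where an address should be is worth a look too


def suspicious_hosts(text):
    """Entries steering a name to a real address: the hijack pattern described above."""
    return [(name, ip) for ip, name in parse_hosts(text) if not is_benign_target(ip)]


REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')  # "name"="data" lines of a .reg export
TEMP_DIRS = ("\\temp\\", "\\temporary internet files\\")


def suspicious_run_values(reg_text):
    """Run-key values (from `reg export`) whose command lives in a temp folder."""
    flagged = []
    for raw in reg_text.splitlines():
        if m := REG_VALUE.match(raw.strip()):
            name, command = m.group(1), m.group(2).replace("\\\\", "\\")
            if any(t in command.lower() for t in TEMP_DIRS):
                flagged.append((name, command))
    return flagged


SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1   localhost
0.0.0.0     ads.example.net               # blackholed ad host, fine
192.0.2.10  www.google.com                # hijack: search engine sent to a TEST-NET address
192.0.2.10  windowsupdate.microsoft.com   # hijack: update site redirected away
"""
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchst32"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\svchst32.exe"
'''
```

Run `suspicious_hosts(SAMPLE_HOSTS)` and `suspicious_run_values(SAMPLE_REG)` against a real HOSTS file and a `reg export` of the Run keys to get the shortlist of entries that still need to be explained.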

When the dust settles the machine is nice and clean. I have cut down the startup processes and got this fairly weak machine’s startup time down to under 90 seconds. I turn on its firewall and hook it up to the net to check the work. The about:blank homepage comes up the way it should — no porno, no viagra ads, no funny search pages. Adware – HA! I direct the browser to http://windowsupdate.microsoft.com to get the updates to prevent this kind of thing from happening again.

But then, about halfway through the download, I look up from doing something else and notice that a group of popup windows have appeared. I launch another instance of IE and the start page has changed to some unknown search portal even though the address bar still says about:blank. I check the Internet Properties but the start page has not been changed. Nor the HOSTS file. I check the process viewer — nothing. But when I check hijackthis I notice that some of the hijack codes I got rid of last time have returned. I must have missed something and the little bastard has redeployed the main adware application on this computer right in front of my very eyes. But what, and how...?

Continued next week!

[part 2]

4 Comments »

  1. [...] nother day, another bug hunt, Part 2 Filed under: General — Bob @ 9:45 am [part 1] When last we left Bob he had lost the first round to an evil adware trojan. By now the cheek [...]

    Pingback by FCP Weblog » Another day, another bug hunt, Part 2 — 2004/7/13 @ 13:48

  2. I hope you keep doing entries like this one! And the way you write it just keeps ya on the edge of your seat. I can’t wait till you continue this.

    Comment by Joe — 2004/7/6 @ 00:56

  3. Great post … here’s some follow-up information about CoolWebSearch. BTW, CWShredder is in its last and final release…

    Comment by Rich — 2004/8/25 @ 01:02

  4. CoolWebSearch Spyware
    CoolWebSearch is the name given to a range of various browser hijackers. The latest versions of CoolWebSearch have grown increasingly aggressive and manual removal is virtually impossible. Use of a reputable spyware remover is recommended. New variants…

    Trackback by Adware Report — 2004/9/16 @ 12:45
