WnSoft Forums

New Software-01


Conflow


NEW SOFTWARE-01

Microsoft Anti-SpyWare Program.

Forum Members may be interested in the new "Microsoft Anti-SpyWare Program" Beta 1.1.

This 'New Program' is, to say the least, extremely powerful, and is 'REAL TIME ACTIVE', which means that it is always in 'Scan Mode', running in the background whether you are On-Line or simply running PTE or playing CD-Disc Presentations from 3rd parties.

The System monitors all 'Start-Up Programs' and 'Running Processes' and all 'Import/Export' activities. It also contains a very powerful 'Browser Hi-Jacker' Scanner and Repair utility and 'Activities Track Eraser'. It contains 59 System Agents and over 100 Real Time Checkers and comes complete with extensive Help Files. It Scans ALL FILES in your PC, and makes a note of what is safe and what's not - it is intelligent.

It does not interfere with Norton Anti-Virus.

The Beta 1.1 Version expires in July and will be replaced with a new version.

Available from: www.microsoft.com/athome/security/spyware/product

Here in our Workshop we have been using it for the past 3 weeks - it really does work well!

Brian.Conflow.


Hi Granot,

Long time no hear from! To answer you the best I can, as follows:-

a) I have been running the Program for nearly 3 weeks and this is the way it's developing:- Initially I ran a complete System Scan which took nearly 20 minutes - it seemed to be a very long time, but considering that it's intelligent it was simply learning the 'PC Profile' and identifying 'areas' of vulnerability and identifying other 'areas' which are very secure.

b) Since then it does not interfere with any 'Scanned Running Programs nor Utilities'.

c) It has a 'built in Library' of secure Program ID's such as Norton, Adobe, Quicktime, Real Player and all the other Standard programs we use every day. It does not interfere with these but it still seems to keep an eye on them.

e) It also scans 'Your Own Programs' and lets you know whether they are 'Risky' or 'Secure' and then tags them after gaining 'Your Personal Permission'. Only after clearing them will it allow the 'Classes Roots Identifiers' on to the 'File of Types Library' - that's clever.

f) It Scans ALL INCOMING TRAFFIC ON THE PC for 'alias & unknown scripts' and further compares these to the PC's System Libraries and its own Filter Identifiers and System Agents. If it sees something comparable to ~multiplier scripts or capture scripts~ it stops them dead.

g) Other AntiSpyware Programs simply compare the 'incoming traffic' to a pre-installed Library of known Trojans, Parasites, Worms etc. This thing actually 'examines the Imports' for scripts and routines known to access the Microsoft Code vulnerabilities. It seems to me that with the aid of the Giant Corporation they have computer analysed every known and unknown method of breaking into Microsoft Code and when one looks at C++ and VirtualC++ there are only so many ways of doing that, and this blocks out those routes. At least it's going in the right direction, being offensive instead of being benign defensive!

h) When downloading it seems to create a 'Holding Folder' where everything is routed through whilst being Scanned. So by the time the download ceases nearly 80% of the File has been scanned and then a 'pop-up' tells you ~Program X is awaiting a Scan Completion~ this takes less than 2/3 seconds. It also seems to work 'hand-in-hand' with Norton, that doesn't surprise me, because for the past few years Microsoft have been in consultation with all the leading vendors of Anti-Spyware.

j) It's my personal opinion that eventually the Program is going to cost money and the vendors who participated in the Research will probably sell 'cut-down' versions of it to Joe Public - I could be wrong in that assumption.

k) In the 3 weeks I have been using it, it has trapped scripts I never heard of and 3 versions of W32Netsky.B and to be sure it's doing the job I have post-scanned with 'XoftSpy' - Nothing!

l) Unfortunately it won't work with '95 or '98 and seems to be restricted to XP and 2000 for the time being.

Comfort Zone

It's nice to know that there are 2 Live/Real Time Scanners in operation, Norton and Microsoft, both of which are complementary.

That's my experience so far, and so far so good, only time will tell.

Regards,

Brian.Conflow.


It's nice to know that there are 2 Live/Real Time Scanners in operation, Norton and Microsoft, both of which are complementary.

Thank you Brian. Good info for many of us.

Which "Norton" are you referring to? I run a commercial set of Norton on this machine, but don't know whether it includes what you are citing as the complementary routine.


In Reply to you Guys

Firstly, I have to say that I am not an expert on Internet Technology so I will have to reply in my own words:-

Unknown to most people every 'Microsoft Operating System' has a Window Default setting that is generic to Microsoft and is their patent and has become the centre of International Litigation, viz:-

Within the Kernel of the OP.System and part of it, lives a routine to initiate "connection" to the Internet. It used to be called IE4.0, I don't know what it is now. This has nothing to do with your 'Browser nor Search Page', it's simply a Windows feature and can be identified as C:\windows\inf\iereset. It's a default.inf setting that is 'reset' to accommodate your current Browser choice. Your choice of Browser is usually registered in the Windows 'Winsock File'. Furthermore Windows has a Library of acceptable Browsers but New Browsers can be added once they fulfil certain criteria acceptable to the Windows System.

Examples:- Internet Explorer - Opera - Netscape - Firefox and there are a few more - I don't know what the List is, but I do know that this New Program scans all 'New Browsers' in "Real Time" live back to Microsoft and they are accepted or rejected. So I now know that claims of "Independent Browsers" devoid of any association to IE6.0 are in essence true but misleading because they ALL eventually have to use the 'core' Windows Default Device. I am sure Microsoft can provide a List of such acceptable Browsers.

Regarding Norton, I am sure that ALL Norton Program Code must be 100% compatible with the New Win Program irrespective of Norton Versions - it wouldn't make sense otherwise.

As far as I can determine, the central core issue of this New Program is to protect the integrity of the 'Windows Default.Inf' routine from attacks arriving thro' the Winsock File System. This provides a method of stacking-up Service Providers in a routine called 'Layered Service Providers' or LSPs.

Hijackers and Hackers can implant 'Alias Browsers' and 'Search Pages' and God knows what into the Winsock System which multiply into the legitimate 'Service Providers Stack' and park themselves (hidden or otherwise) within or behind the Browsers & Search Pages. It's true to say that these things arrive usually embedded in Legitimate Traffic - that's the problem!

These 'parasites' get in by the simple expediency of 'aliasing' a legitimate DLL or by importing a 'XXX.txt File' or thro' rogue Cookies and sometimes thro' Key Registration Text or thro' an infected Jpeg or Exe. Yes, you can implant code in Jpegs and other 'Image Files'.

What interested me about this new program is its ability to detect 'Multiplier, Deletion and Erosion Code' and 'Split-Exes' which can be reassembled within the PC ready to start their dirty work.

Let's not forget that this 'New Win Program' is doing its work IN REAL TIME ON LINE.

These matters are well covered in the Application & Help Folders provided with the Program.

I hope this helps,

Brian.Conflow.
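Editor's added example (not code from the original post, nor from Microsoft AntiSpyware): the 'Layered Service Providers' stack Brian refers to is the Winsock catalog, which Windows 2000/XP will print with `netsh winsock show catalog`. The script below parses a listing in that layout and reports (a) every non-base entry, i.e. every LSP or layered chain, and (b) any provider whose DLL is not under the system directory. Assumptions: the field names are taken to match netsh's output as shown in the sample, %SystemRoot% is taken to be C:\Windows, and the "WebHelper" entries are hypothetical; the whole catalog text is constructed so the script runs offline.

```python
"""Audit a Winsock catalog listing for Layered Service Providers (LSPs)
and for provider DLLs that live outside the Windows system directory.

Added example for this thread, not Microsoft AntiSpyware code. On Windows
the listing comes from `netsh winsock show catalog`; SAMPLE_CATALOG is a
CONSTRUCTED sample in that layout (one Microsoft TCP/IP base entry plus a
hypothetical rogue "WebHelper" LSP and its chain entry).
"""
import re

HEADER = "Winsock Catalog Provider Entry"
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*?)\s*$")

# Where a provider DLL is expected to live (lower-case, trailing backslash).
# %SystemRoot% is assumed to be C:\Windows.
SYSTEM_ROOT = "c:\\windows"
TRUSTED_DIRS = (SYSTEM_ROOT + "\\system32\\", SYSTEM_ROOT + "\\syswow64\\")

SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol:                           6
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        WebHelper LSP
Provider ID:                        {00000000-0000-0000-0000-0000DEADBEEF}
Provider Path:                      C:\Program Files\WebHelper\wsphelper.dll
Catalog Entry ID:                   1010
Version:                            2
Protocol:                           0
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        WebHelper LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-0000DEADBEF0}
Provider Path:                      C:\Program Files\WebHelper\wsphelper.dll
Catalog Entry ID:                   1011
Version:                            2
Protocol:                           6
Protocol Chain Length:              2
"""


def parse_catalog(text):
    """Split the netsh listing into one dict (field -> value) per entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith(HEADER):
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:
            current[m.group(1)] = m.group(2)
    return entries


def normalize_path(path):
    """Lower-case, strip quotes and expand %SystemRoot% so paths compare cleanly."""
    return path.strip().strip('"').lower().replace("%systemroot%", SYSTEM_ROOT)


def layered_entries(entries):
    """Every non-base entry. On a clean 2000/XP box this list is short and
    Microsoft-described; anything else deserves a look."""
    return [e for e in entries if e.get("Entry Type") != "Base Service Provider"]


def untrusted_providers(entries):
    """Entries whose DLL sits outside the system directory, as
    (catalog id, description, normalized path) tuples."""
    findings = []
    for e in entries:
        path = normalize_path(e.get("Provider Path", ""))
        if not path.startswith(TRUSTED_DIRS):
            findings.append((e.get("Catalog Entry ID"), e.get("Description"), path))
    return findings


if __name__ == "__main__":
    cat = parse_catalog(SAMPLE_CATALOG)
    print(f"{len(cat)} catalog entries, {len(layered_entries(cat))} layered")
    for cid, desc, path in untrusted_providers(cat):
        print(f"  suspicious: entry {cid} '{desc}' -> {path}")
```

To run it against a real machine, dump the catalog with `netsh winsock show catalog > catalog.txt` and feed that file's contents to `parse_catalog` instead of the sample. The path check is deliberately narrow: a DLL under a vendor folder is not proof of a hijack, only the thing to go and verify, and conversely a rogue DLL dropped into system32 passes it, which is why the layered-entry listing is reported as well.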


Thanks for pointing out the spyware.

I have used Spybot regularly for over a year. However, after downloading the Microsoft Antispyware it found spyware which Spybot did not locate. Microsoft seems to do a pretty thorough job in locating these "diseases".

Many thanks

Paul


Brian,

So by the time the download ceases nearly 80% of the File has been scanned and then a 'pop-up' tells you Program X is awaiting a Scan Completion - this takes less than 2/3 seconds.

Does this check run only on downloads or on every file opened?

If on every file opened:

Does this check run every time the file is run?

If not, how does it know the file was not changed?

If yes, does this mean I have to wait each time I run a file?

Thanks

Granot


Granot,

MAS = Means Microsoft AntiSpyware

I don't know the Microsoft Code Algorithms but I can tell you that the MAS System is part of a "very quiet revolution" going on inside Microsoft itself. It's part of a very New Platform for controlling 'PC Operation Systems' and 'Software Management' and 'Security Systems' and effective Program Management and an awful lot more besides.

The New System goes under the Title:- "The Microsoft Dot.Net Framework System"

It effectively allows the XP and 2000 Operating Systems to have the same Security and Management algorithms as a 'Commercial Lan Server System' with full Administrator Rights parked at YOUR fingertips.

Up to now only one other System allowed these rights, "Apple Mac" - that's also the reason why Apple were the de-facto PC for Commercial Business.

The Microsoft System works on the Norton principle of the ~'SARC Algorithm'~. This means:- Submit & Receive Confirmation. Up to now that tended to be a manual procedure adopted by AV Companies, now Microsoft have made it a fully automated process due in part to the proliferation of Broadband.

Granot - Now to answer your specific Questions:-

Simple explanation:- After the 'Primary System Scan' it gives a 'check-sum' to every File on your PC. Now a PC's workload is either 'Imported' or 'Internal' or 'Exported' and the Dot.Net System can distinguish what category you are working in.

Obviously if you are writing Program Code this is an 'Internal Function' and the check-sum will change as your work progresses. The MAS System allows for this with silent background scanning and updating.

If one attempts to write 'malicious code' it will stop them immediately and prevent Transmission of this code. From your working point of view (should it arise) it will warn you of any potentially dangerous or compromising code, that's a bonus - otherwise MAS stays silent.

You could turn off the MAS System but then the Dot.Net System will take over and put a stop to it.

~This is the future PC being tried now~ It's taking giant steps in the right direction.

So it doesn't interfere with 'work in hand' nor interfere with Legitimate Transmissions and as a bonus other Dot.Net PCs will recognise your Dot.Net System. Other non-Dot.Net Windows Systems can also recognise a Dot.Net PC as can the Apple PCs...... Unfortunately it's a bit beyond '95 and '98.

Another bonus which I have observed is that PTE Productions seem to run a lot smoother and if you 'Re-Load' PTE it automatically inserts the prior purchased 'Key Code' into the Program - that's Dot.Net.

I will elaborate on the Dot.Net Framework later on - but for now it's a matter of 'suck-it and see' how the MAS Antispyware works.

Brian.Conflow.
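Editor's added example (not Microsoft's code and not from the post above): the 'check-sum to every file, re-scan when it changes' idea Brian describes, worked through in enough detail to answer Granot's "how does it know the file was not changed?". A baseline records a SHA-256 per file once; later runs use size and mtime as a cheap pre-check and only re-hash files that fail it. The demo then shows the catch in that shortcut: a same-size edit with the modification time restored is reported unchanged unless the scanner is told to re-hash regardless. File names and contents in `demo()` are constructed for the run.

```python
"""Per-file checksum baseline with cheap change detection.

Added example, not Microsoft AntiSpyware's code: it illustrates the
'check-sum every file, re-scan on change' behaviour described in the post
above. Everything demo() creates is a constructed throw-away tree.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Hash every regular file under root once; record size and mtime too."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": sha256_file(p),
            }
    return baseline


def diff_against_baseline(root, baseline, trust_mtime=True):
    """Classify files as new / changed / removed / unchanged.

    With trust_mtime=True a file whose size and mtime both match the baseline
    is reported unchanged WITHOUT re-hashing; that is the cheap path that lets
    a real-time scanner avoid re-scanning everything on every open. It is also
    a trust decision: an attacker who restores the mtime after a same-sized
    edit slips through it. trust_mtime=False always re-hashes.
    """
    root = Path(root)
    new, changed, unchanged, seen = [], [], [], set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        old = baseline.get(rel)
        if old is None:
            new.append(rel)
            continue
        st = p.stat()
        if trust_mtime and st.st_size == old["size"] and st.st_mtime_ns == old["mtime_ns"]:
            unchanged.append(rel)
        elif sha256_file(p) == old["sha256"]:
            unchanged.append(rel)  # touched (e.g. re-copied) but content identical
        else:
            changed.append(rel)
    removed = sorted(set(baseline) - seen)
    return {"new": sorted(new), "changed": sorted(changed),
            "removed": removed, "unchanged": sorted(unchanged)}


def demo():
    """Build a baseline over a constructed tree, mutate it, diff both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"A" * 64)
        (root / "readme.txt").write_bytes(b"hello")
        (root / "stale.dll").write_bytes(b"old")
        (root / "config.ini").write_bytes(b"x=1\n")
        baseline = build_baseline(root)

        (root / "app.exe").write_bytes(b"B" * 70)   # size changed: caught either way
        (root / "new.dll").write_bytes(b"fresh")    # not in baseline
        (root / "stale.dll").unlink()               # gone
        # Same-size edit with the mtime put back: the anti-forensic case.
        cfg = root / "config.ini"
        old_stat = cfg.stat()
        cfg.write_bytes(b"x=2\n")
        os.utime(cfg, ns=(old_stat.st_atime_ns, old_stat.st_mtime_ns))

        return {"trusting": diff_against_baseline(root, baseline, trust_mtime=True),
                "strict": diff_against_baseline(root, baseline, trust_mtime=False)}


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

The practical answer to "do I have to wait each time I run a file?" falls out of the two modes: the trusting mode costs one `stat()` per unchanged file, the strict mode costs a full read. A scanner that wants both speed and resistance to restored timestamps typically takes the cheap path for bulk data and the strict path for a short list of sensitive locations (startup entries, system DLLs), which is a policy choice, not something the hash alone decides.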


Granot & Ken,

Ken, many thanks for the support and that wise comment to Granot-

Here is a Story:-

On the 15th March just gone by - We at Conflow got "wiped out" with a particularly vicious 'Coolwebsearch parasite which also carried a nasty Trojan'. We lost our 3 x '98se Computers and a 2000 Portable. When I say "Finito" I mean just that, it was all over - utter destruction of the Operating Systems and 8 hard days' work to re-establish the PCs, which have now been taken off the Internet for security reasons.

Thank God we had all our Engineering Folders 'backed-up' on CD-Roms, if not we were out of Business.

Here is the Laugh

We were standing behind our own 'Micro-Server' with a '3Com Hardware Firewall' running the latest Norton 'On-Line Live' and the top AS.Scanner, F-Plot, with XoftSpy as our back-up. The Server & Firewall survived, Norton & F-Plot were utterly destroyed, XoftSpy survived.

And how did we get infected?

Through our 'AltaVista Search Page' connected to a known 'Certified Banking Web Server'. It sounds impossible, or so we thought, until we examined the "wreckage" and found out that the Trojan was a 'split-exe' which came in 2 parts - each by itself harmless, but when combined, generated 26 x DLLs with Alpha Codes from A~Z and 10 numeric multipliers under each letter. You may remember the recent "Software Bank Attacks" in March - that's it, and it's still going on, and if you check with MS & Norton they have no answer once you're infected barring a total Hard Disc re-format. The Alpha-Numeric DLLs are used to identify confidential data under the guise of pushing 'New Web Search Pages' at you - very clever indeed.

So Granot you tell me....Just how secure are your known Secure Connections????

Anybody can get your PC.ID Number from a simple EMail and don't forget that there are people out there with 'Automatic Key Loggers' waiting for you to connect to something worthwhile!!

As far as I am concerned we at Conflow can't 'take those risks' anymore, neither should you if you value your Software Business.

Brian.Conflow.


Granot & Ken,

Ken, many thanks for the support and that wise comment to Granot-

Here is a Story:-

On the 15th March just gone by - We at Conflow got "wiped out" with a particularly vicious 'Coolwebsearch parasite which also carried a nasty Trojan'. We lost our 3 x '98se Computers and a 2000 Portable. When I say "Finito" I mean just that, it was all over - utter destruction of the Operating Systems and 8 hard days' work to re-establish the PCs which have now been taken off the Internet.

Thank God we had all our Engineering Folders 'backed-up' on CD-Roms, if not we were out of Business.

Here is the Laugh

We were standing behind our own 'Micro-Server' with a '3Com Hardware Firewall' running the latest Norton 'On-Line Live' and the top AS.Scanner, F-Plot, with XoftSpy as our back-up.

And how did we get infected?

Through our 'AltaVista Search Page' connected to a known 'Certified Banking Web Server' but little did we know that someone had been using an 'Automatic Key Logger' which just sat there waiting for such a fortuitous connection - the rest is History.

When we examined the wreckage we found a 'split-exe' which was loaded in 2 parts each being quite innocent until re-combined, whereafter it downloaded 26 DLLs in Alpha Codes from A~Z with 10 sub-DLLs per letter. The intent being to garner confidential data whilst purporting to sponsor a series of 'New Search Pages'. This is the same 'bug' that attacked the Banks in early March.

If you try to remove the 'multiplier' you remove the Win\inf\reset and the Ensoniq Loader of the 98 Op.System. The sad part being that neither MS nor Norton have an answer to this except a complete HD-Reformat once you are infected. The operative words: "Once Infected".

So Granot you tell me.....Just how secure are your known Downloader Web Sites....?

We at Conflow can no longer 'take those risks' and if you value your Software Enterprise may I suggest that you review your Security Set-Up.....Things have changed in the past year.

Brian.Conflow.


Apology,

Sorry about that, I have just spotted that my 'Un-Edited' Post has appeared out of nowhere together with the 'Edited' Post which was the only Post viewable at 6:20 pm.

I had noticed earlier today that the 'Invision Board' was acting up somewhat in not accepting corrected Edits - I guess that Invision's Server must have been overstretched at that time.

Brian.Conflow.


Just a little more fuel for this thread: the other day I installed the new MS spyware beta, and then first ran my existing "Ad-Aware SE" program, and cleaned out several implants. Then I ran the new MS "AntiSpyware" program and identified one more interloper ("aureate").

Today I ran the new MS program first, and then, just for kicks, ran "AdAware". This time MS "AntiSpyware" found zero spies and "AdAware" found two! ("2o7.net", and "doubleclick.net").

Is there a difference between "spyware" and "adware"?


Hello Al,

Yes, to answer your question "Adware -v- SpyWare"-

There is a major difference between the two algorithms, viz:-

1) Proper Adware (please note the word proper) is quite legitimate and above board and is an acceptable Commercial means of advertising your wares, although it can be annoying when it reaches the "spam" stage, ie:...It's on the borderline of acceptability.

2)..AD-WARE

Is usually invoked by a 'planted cookie' which tells a remote Server that you are on line and it sends you an Advertisement from a very legitimate Company such as AdAware, Norton, Google, and Yahoo - the latter can be a borderline nuisance. These can be identified by 'double click', 'alexa' and other such like Cookies. These Cookies are normally 1kB in size (by convention) and can identify themselves.

3)..SPAM

When 'Remote Servers' get paid for every 'hit' they make, that's 'Spam' and in this case if you attempt to remove the Cookie whilst 'On-Line' it replicates itself and calls other Servers to take over the task. Now you become infested with the 'vermin' which leaves your PC wide open for less innocent 'import' activities. This is no normal Cookie of 1kB which can usually identify itself. This 'Spam Cookie' is always less than 1kB, usually 470~680 Bytes and it mimics a normal Cookie, but in fact, it is 'script code' - it's intelligent and Hi-Risk.

4)..SPYWARE

This comes in several 'Formats' and its entire design intent is to 'garner' confidential and private information about you and your 'On-Line' activities without your permission. This 'data' is sold on to others who are NOT LEGITIMATE and will use the 'data' for their own ends....That's 'STAGE 1'. Following from Stage-1 others raise the stakes to Stage-2 where their activities become downright CRIMINAL, in that they use 'Automatic Key-Loggers' to gain access with your 'data' to Commercial & Banking Establishments having 'garnered' Pass-Codes and Identity Codes and Credit-Card details from your 'data'. This is SpyWare. Red Flag Time/Dangerous to any PC.

Brian.Conflow.

PS.

I made up a List some time ago about these various activities and if someone would like to Host it somewhere, I would be happy to oblige.
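Editor's added example (not from either post above, and not Ad-Aware's or AntiSpyware's code): the "implants" Al's Ad-Aware run reported ("2o7.net", "doubleclick.net") are tracking cookies, and the script below shows what a cookie scan actually does. It parses a browser cookie file in the Netscape cookies.txt layout (the tab-separated format Firefox-family browsers and curl export) and flags cookies set by domains on a tracker list, matching on registrable domain suffix rather than substring so that a look-alike host does not trip it. The cookie file and the three-entry tracker list are constructed for the demo; a real scan points at the browser's own cookies.txt and a maintained list.

```python
"""Flag tracking cookies in a Netscape-format cookies.txt.

Added example, not code from Ad-Aware, Microsoft AntiSpyware or the
original posts. SAMPLE_COOKIES_TXT and TRACKER_DOMAINS are CONSTRUCTED.
"""

# cookies.txt is tab-separated:
#   domain  include_subdomains  path  secure  expiry  name  value
# Lines starting with '#' are comments, except the '#HttpOnly_' prefix used
# by curl/Firefox exports, which marks a real cookie that is HttpOnly.
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    "# constructed sample for the demo",
    ".doubleclick.net\tTRUE\t/\tFALSE\t2147483647\tid\tabc123",
    "ad.doubleclick.net\tFALSE\t/\tFALSE\t0\ttest_cookie\tCheckForPermission",
    ".2o7.net\tTRUE\t/\tFALSE\t2147483647\ts_vi\t[CS]v1|deadbeef",
    "www.example.com\tFALSE\t/\tTRUE\t2147483647\tsession\tdeadbeef",
    "#HttpOnly_.example.com\tTRUE\t/\tTRUE\t2147483647\tauth\ttok",
    "www.notdoubleclick.net\tFALSE\t/\tFALSE\t2147483647\tpref\t1",
    "",
])

# Constructed, deliberately tiny list; the names come from the thread above.
TRACKER_DOMAINS = {"doubleclick.net", "2o7.net", "alexa.com"}


def parse_cookies_txt(text):
    """Return one dict per cookie; comment and malformed lines are skipped."""
    cookies = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed: skip rather than guess at the columns
        domain, subs, path, secure, expiry, name, value = fields
        cookies.append({
            "domain": domain.lower(),
            "include_subdomains": subs == "TRUE",
            "path": path,
            "secure": secure == "TRUE",
            "expiry": int(expiry),          # 0 = session cookie
            "name": name,
            "value": value,
            "http_only": http_only,
        })
    return cookies


def domain_matches(cookie_domain, tracker):
    """Suffix match on domain labels: '.doubleclick.net' and
    'ad.doubleclick.net' match 'doubleclick.net'; 'www.notdoubleclick.net'
    must not, which a plain substring test would get wrong."""
    host = cookie_domain.lstrip(".")
    return host == tracker or host.endswith("." + tracker)


def flag_trackers(cookies, trackers=TRACKER_DOMAINS):
    """(domain, cookie name, matched tracker) for every cookie from a tracker."""
    hits = []
    for c in cookies:
        for t in sorted(trackers):
            if domain_matches(c["domain"], t):
                hits.append((c["domain"], c["name"], t))
                break
    return hits


if __name__ == "__main__":
    found = parse_cookies_txt(SAMPLE_COOKIES_TXT)
    print(f"{len(found)} cookies parsed")
    for domain, name, tracker in flag_trackers(found):
        print(f"  tracker cookie: {name} from {domain} (matches {tracker})")
```

Two tools disagreeing, as in Al's report, is what you would expect from this design: each product ships its own tracker list and its own matching rule, so the union of their findings is more informative than either alone. The domain-suffix test is the part worth copying; a substring match would report `www.notdoubleclick.net` as a hit.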


GRANOT

In answer to your Post No: 981-

Granot, you ask such a big question with so many threads in such a small space that should I attempt to answer you, I would be here till next week!!!! ~ No can do ~

All your questions are answered on the Microsoft Website, in the 'Program Download Section' under the 'Microsoft Beta 1.1 AntiSpyware Utility'. You can read the whole (multipage) Paper for yourself. You're not obliged to download anything from this Site.

As to how they 'Invaded' my '98s' - I have already answered that - They used a 'Keylogger' to monitor my activities, and if you think you personally are secure in that respect, you have my sympathy. As for your '98 Friend he is extremely lucky and I wish him well and the same to yourself.

As to Details of How was it done?

Granot, this is a 'Public Forum' and you as a Software Writer must appreciate that it would be naive and totally irresponsible of me, to....'describe in detail'... how it was done.

With respect to Igor and my fellow Forum Colleagues, I must decline your 'Invitation'....

Brian.Conflow.

