There are many anti-spyware solutions out there, some developed by accredited anti-virus vendors and others that, well, aren't developed by such organizations. In lieu of a big name, if consumers are searching for a quality product, they may turn to other sources of information to help break a tie. For instance, they may consider testimonials from third parties or awards the product has earned. A word of caution here: test out your potential product before buying it, no matter what people say. The product discussed in this article was included in the Editor's Choice and Best of the Year 2005 listings by PC Magazine. It comes "highly recommended" by CNET and is a PC Authority and PC Pro Labs Winner (though nothing says what contest is being won). Even the user reviews are decent, with the most common dissatisfaction being that the software isn't free and that it only detects spyware (the licensed version does removal). If these users ever do end up buying a license, they would quickly have something else to complain about. This incident occurred while I was doing a security audit for a client. Wishing to review some log files, I navigated to the anti-spyware program's logging console (there were no logs kept) and quarantine. The quarantine had three items which were detected as dangerous:
The challenge here was that the program does not give any details on the potential infection. It does not say whether "System Soap" refers to a harmless plain-text cookie from systemsoap.com or to a nasty executable. Furthermore, there were no options to restore the files to a designated location, and the program uses a proprietary encoding scheme to prevent other applications from accessing content in the quarantine (which is good for security, but difficult for analysis). The administrators wisely decided not to restore the quarantined items to their original locations, since the host machine runs production services. So, using a technique that has been used before, I downloaded and installed the anti-spyware program on a VMware machine and copied the quarantine database file from the suspect machine to the analysis machine, which allowed the restoration to take place there. Some monitoring tools were used to determine what was added to the filesystem during the restore process. Here is what turned up:

    C:\WINDOWS\system32\dllcache\tapicfg.exe                (one of the CWS detections)
    C:\WINDOWS\system32\tapicfg.exe                         (one of the CWS detections)
    C:\Documents and Settings\censored\Recent\key.txt.lnk   (the System Soap detection)

An md5sum comparison of the two executables confirmed that not only do these files share the same name, they really are the exact same file. We then executed the program in our VM environment by double-clicking it, with file system, registry, and socket monitors capturing all activity. This produced few results, which indicated that perhaps the program requires particular arguments to function properly. We ran it on the command line for another viewpoint:

    C:\Documents and Settings\Michael\Desktop>tapicfg.exe
    To get help, try "tapicfg help".

    C:\Documents and Settings\Michael\Desktop>tapicfg.exe help
    Description: Creates, removes, shows, or registers default TAPI application directory partitions.
    Syntax: tapicfg [command] [optional parameters]

This verifies our assumption and shows that tapicfg.exe is not malicious in nature after all - it's just a TAPI configuration utility. The anti-spyware program's detection of this file was a false positive. We confirmed this with 24 high-profile malware scanners (using VirusTotal). Additionally, the key.txt.lnk file is completely benign as well. It is a shortcut (.lnk = link) to E:\backups\key.txt - a plain text file containing the program's own registration key.
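The two analysis steps described above, recording what a quarantine restore added to the filesystem and checking by md5sum whether the two tapicfg.exe copies are byte-identical, can be done with a small snapshot-and-compare script. The following is an added Python example, not code from the original article or from the anti-spyware vendor: it hashes every regular file under a directory tree before and after a change, reports additions, removals and modifications, and groups newly added files that share a digest. The directory layout, file names and file contents inside demo() are constructed stand-ins for the real quarantined items, so the script runs offline in a scratch directory.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_bytes(data, algo="md5"):
    """Digest of an in-memory blob (md5 by default, to match the md5sum step)."""
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algo="md5", chunk=65536):
    """Stream a file through the digest so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, algo="md5"):
    """Map every regular file under root (path relative to root, POSIX form) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p, algo)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before, after):
    """Return (added, removed, modified) between two snapshots of the same tree."""
    added = {p: h for p, h in after.items() if p not in before}
    removed = {p: h for p, h in before.items() if p not in after}
    modified = {p: (before[p], after[p])
                for p in before.keys() & after.keys() if before[p] != after[p]}
    return added, removed, modified


def group_by_digest(files):
    """Digest -> sorted list of paths, keeping only digests that occur more than once."""
    groups = {}
    for p, h in files.items():
        groups.setdefault(h, []).append(p)
    return {h: sorted(ps) for h, ps in groups.items() if len(ps) > 1}


# Constructed sample contents; these are NOT the real tapicfg.exe or key.txt.lnk bytes.
SAMPLE_EXE = b"MZ constructed stand-in for tapicfg.exe"
SAMPLE_LNK = b"L\x00\x00\x00 constructed stand-in for key.txt.lnk"


def demo():
    """Simulate the restore: snapshot, drop three files into the tree, snapshot again, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WINDOWS/system32/dllcache").mkdir(parents=True)
        (root / "Documents and Settings/user/Recent").mkdir(parents=True)
        (root / "WINDOWS/system32/preexisting.dll").write_bytes(b"already here")
        before = snapshot(root)
        # The "restore" lands the same bytes in two places, plus a shortcut file.
        (root / "WINDOWS/system32/tapicfg.exe").write_bytes(SAMPLE_EXE)
        (root / "WINDOWS/system32/dllcache/tapicfg.exe").write_bytes(SAMPLE_EXE)
        (root / "Documents and Settings/user/Recent/key.txt.lnk").write_bytes(SAMPLE_LNK)
        after = snapshot(root)
        added, removed, modified = diff_snapshots(before, after)
        return added, removed, modified, group_by_digest(added)


if __name__ == "__main__":
    added, removed, modified, dupes = demo()
    for path, digest in sorted(added.items()):
        print(f"ADDED     {digest}  {path}")
    for digest, paths in dupes.items():
        print(f"IDENTICAL {digest}: " + ", ".join(paths))
```

Against a real restore you would call snapshot() on the directories the product writes to before and after restoring, then feed the added set to group_by_digest() to spot duplicate copies (such as a system32 file and its dllcache twin) before spending time on each one individually.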