Spyware slips through the patches

A handful of malware programs wreak havoc on a fully patched Windows XP system

Neither users nor even IT admins may fully grasp what impact this spyware and adware could have on individual systems -- even fully patched ones.

InfoWorld decided to install some of the most popular spyware and adware programs to assess just how damaging they could be. First, I set up a fully patched Windows XP Professional SP2 client honeypot with various in-band and out-of-band monitoring tools. Next, I installed free games found on various Web sites, including zango.com and yahoogamez.com. I also installed some free p-to-p programs known for installing unwanted programs, including BearShare.

In short, I put my honeypot in harm’s way. Although Windows in its default state should prevent a lot of spyware and adware from being loaded, if the user intentionally installs untrusted executables, even the latest patches won’t help.

To be fair, almost all of the programs installed contained information stating their “behind-the-scenes” intent, but this was only apparent if you took the time to read the licensing agreement or Web site FAQ.

Not surprisingly, what I found was no less disturbing. A single installed “free” program, PokerParty, installed dozens of other programs. Many of those programs existed only to download other programs, which downloaded other programs -- all from varying Web sites.

Analyzing one program, TopRebater, I found over 200 different download links. Connecting directly to those links often just downloaded a list of hundreds of other new links. Perhaps most distressing was the fact that many of these links seemed to point to compromised home-user computers.

The downloaded malware came in as executables, compiled help files, HTML applications, files disguised as graphics that were really executables, encoded Web pages, and scripts. Several of the programs attempted to exploit known vulnerabilities in Windows and Internet Explorer, and one was designed for Mozilla Firefox. Most of the vulnerabilities were patched but not all.

As expected, these programs made dozens of system modifications, including adding to the Windows Registry key, modifying files, dropping new malware executables, sending e-mail, starting hidden and encrypted IRC messaging, installing new desktop icons, and stealing personal information.

Other programs, such as NTLogonCapture and ActMon, found in freeware games, also looked for password files, recorded them, and sent them to remote locations. Several of the programs installed key-logging Trojans.

Click for larger view.

IE was a heavy target. Malware modified its toolbar and search capability, installed pop-up ads, and enforced new home pages. One of the most interesting techniques modified the browser such that keywords typed into the browser or appearing on Web sites would cause a screen capture to be taken.

Lesson learned: Even your fully patched computers can be compromised if end-users are allowed to install untrusted software or visit untrusted Internet locations.