Re: [Full-Disclosure] Cool Web Search

From: Gregh (chows_at_ozemail.com.au)
Date: 07/30/04

    To: "Disclosure Full" <full-disclosure@lists.netsys.com>
    Date: Fri, 30 Jul 2004 23:36:49 +1000
    
    

    ----- Original Message -----
    From: "Andrew Clover" <and-bugtraq@doxdesk.com>
    To: <full-disclosure@lists.netsys.com>
    Sent: Friday, July 30, 2004 9:44 PM
    Subject: Re: [Full-Disclosure] Cool Web Search

    > Gregh <chows@ozemail.com.au> wrote:
    >
    > > It was used by me to list various entries in registry which, when lumped
    > > together like that, show off CWS quite easily. Once they are there, removing
    > > them and the progs started by some of them is easy.
    >
    > This is not the case for all variants of CWS. The newer, sneakier
    > variants can rebuild themselves if they detect a program like HijackThis
    > removing their registry entries.

    Sorry but totally and utterly incorrect. You just do NOT understand what I
    have typed. I said that I used HiJackThis to list the entries in a group
    then ticked them manually and then removed them. Along with that, it allowed
    you to identify the exe files that went with it.

    If you don't understand that then I can understand that you don't know how to
    get rid of it but the truth is that this way DOES get rid of it. There are
    at LEAST 5 variants of CWS. I have met them all and beat them all.

    >
    > This is part of a strong trend in unsolicited commercial software,
    > copying survival techniques learned from virus authors. The use of
    > constantly-loaded multiple DLLs and/or processes and/or services that
    > all restart and repair each other if tampering is detected, is becoming
    > widespread (see also CommonName, ClearSearch, TVMedia etc.).

    All easily beaten by using HiJackThis in the way I described. If I can do
    it, anyone with just a small amount of registry knowledge also can.

    >
    > Where there are not short-cut workarounds this means removing the
    > software manually is simply impossible. Currently a trip into Safe Mode

    Absolute and utter rot! I understand YOU may not be able to do it but it CAN
    be done. It is simple logic if you want to look at it another way - whatever
    can be DONE can be UNdone. The way I described works perfectly every time and
    takes 10 minutes or less to get rid of it though admittedly the first time
    you use HiJackThis it can take longer.

    > can do the trick, by stopping any of the software running, but I'm sure
    > that'll be worked around too eventually. (Rootkit-like spyware?)
    >

    No, you are utterly wrong there, too. I have run Spybot and Adaware in safe
    mode. Spybot sees and removes CWS but it comes back on next boot anyway. You
    have to use HiJackThis to list the registry entries which stand out like a
    sore thumb at that point. If you can't identify incorrect registry entries,
    though, naturally it will elude you!

    Greg.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
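The procedure argued over above (list the autostart registry entries as a group, then identify the executables they launch before removing both) can be reproduced without HijackThis. The script below is an added example written for this archive page; it is not code from either poster, from HijackThis, or from any of the tools mentioned. It assumes Windows PowerShell 4 or later running elevated, enumerates the Run/RunOnce, Winlogon and Browser Helper Object locations, and resolves each value to the image on disk with its SHA-256 hash. It reports only; the entries and files to delete are the reader's decision.

```powershell
# Added example, not from the original post: enumerate the autostart locations
# that HijackThis-style tools list and resolve each to the file it launches.
# Requires an elevated Windows PowerShell 4+ session on the machine being checked.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Turn a command line such as  "C:\Dir\app.exe" /silent  or  userinit.exe,  into a path.
# Bare file names (e.g. explorer.exe) are assumed to live in %SystemRoot%\system32.
function Resolve-ImagePath {
    param([string]$CommandLine)
    $path = $null
    if ($CommandLine -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)') { $path = $Matches[1] }
    if (-not $path) { return $null }
    $path = $path.TrimEnd(',')
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path "$env:SystemRoot\system32" $path
    }
    return $path
}

function New-AutostartRecord {
    param([string]$Key, [string]$Name, [string]$Value)
    $image  = Resolve-ImagePath -CommandLine $Value
    $exists = ($image -ne $null) -and (Test-Path -LiteralPath $image)
    [pscustomobject]@{
        Key    = $Key
        Name   = $Name
        Value  = $Value
        Image  = $image
        Exists = $exists
        SHA256 = if ($exists) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { $null }
    }
}

function Get-AutostartEntries {
    $results = [System.Collections.Generic.List[object]]::new()

    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not registry values
            # Under Winlogon only the values that launch programs are of interest
            if ($key -like '*Winlogon' -and $prop.Name -notin @('Shell', 'Userinit', 'Taskman')) { continue }
            $results.Add((New-AutostartRecord -Key $key -Name $prop.Name -Value ([string]$prop.Value)))
        }
    }

    # Browser Helper Objects are registered by CLSID; the DLL is under HKCR\CLSID\{...}\InprocServer32
    foreach ($clsidKey in (Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue)) {
        $clsid  = $clsidKey.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $server) { [string](Get-ItemProperty -Path $server).'(default)' } else { '' }
        $results.Add((New-AutostartRecord -Key $bhoKey -Name $clsid -Value $dll))
    }

    return $results
}

Get-AutostartEntries | Sort-Object Key, Name | Format-Table -AutoSize
```

Review the table as one group rather than value by value: an entry whose Image does not exist, lives outside Program Files or the Windows directory, or whose hash is unknown to you is the kind of entry the post says "stands out like a sore thumb". Because the quoted reply warns about components that restart each other, stop every process that maps to a listed Image (Stop-Process on each) before deleting the registry values and files, and re-run the script after a reboot to confirm nothing was recreated.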

