Secutiry Issue

I have observed that, if some one installs a spy software without us knowing
on our computer, its not possible to detect those softwares, as they run on
stealth mode.

Did microsoft think on this matter, as this is a biggest threat to a user if
he/she does not know that some one has installed a spy software on their
computer.

does microsoft have any solution for this kind of scenerio where a user can
detect this kind of softwares if they are running on their computer.

if yes than pls let me know as i am a victim of this scenerio. and lots of
private informations have been stolen which has caused me a huge damage in my
business.

I am using Vista Ultimate which is marketed as the most secured operating
system.

Dharmesh wrote:
> I have observed that, if some one installs a spy software without us knowing
> on our computer, its not possible to detect those softwares, as they run on
> stealth mode.
>
> Did microsoft think on this matter, as this is a biggest threat to a user if
> he/she does not know that some one has installed a spy software on their
> computer.
>
> does microsoft have any solution for this kind of scenerio where a user can
> detect this kind of softwares if they are running on their computer.
>
> if yes than pls let me know as i am a victim of this scenerio. and lots of
> private informations have been stolen which has caused me a huge damage in my
> business.
>
> I am using Vista Ultimate which is marketed as the most secured operating
> system.

No operating system is secure if the user behaves insecurely. If you
leave your door open and invite all sorts of unsavory people to come
play in your living room, it is hardly the house builder's fault. You
are responsible for making sure your business is securely set up and
your users educated, and you apparently didn't do that. Since accidents
will happen, where were your backups? Where was your disaster recovery
strategy?

As for your immediate problem, since you haven't provided any
information about the "spy software" supposedly installed on your system
or how you got it, I can't give you specific removal advice. Here are
general malware removal procedures:

*****
Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/...moving_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to
do all scans in Safe Mode.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://pcdid.com/Multi_AV.htm - download

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the link above (not here, please).

Not all tools used will work in Vista and you will need to run them
elevated. Since Vista is so new, it will be a while before removal
techniques and tools are developed. If you are unable to remove the
infection by following the general steps, register at one of the
HijackThis forums as suggested.

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - take the machine to a
professional computer repair shop (not your local version of
BigStoreUSA). Please be aware that not all local shops are skilled at
removing malware and even if they are, your computer may be so infested
that Windows will need to be clean-installed. Have all your data backed
up before you take the machine into a shop.
*****

Obviously your business system is not properly secured or set up. Since
this is a business, the smartest thing you could do is hire a reputable
local professional to come on-site and do it for you. This will not be
your local equivalent of BigComputerStore/GeekSquad.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

"Dharmesh" <Dharmesh@discussions.microsoft.com> wrote in message
news:9F7EF74F-6B66-45CA-9745-684090C32037@microsoft.com...
>I have observed that, if some one installs a spy software without us
>knowing
> on our computer, its not possible to detect those softwares, as they run
> on
> stealth mode.

That's not true if you know to use the proper tools and go look for
yourself.

>
> Did microsoft think on this matter, as this is a biggest threat to a user
> if
> he/she does not know that some one has installed a spy software on their
> computer.

The O/S can only do so much. You have to have other tools that will allow
you to go look for yourself as to what's running on the machine and what's
making connections, tools like Active Ports/CurrPorts(CP for Vista), Process
Explorer to look at processes running on your machine that also allows you
to look inside a running process (malware can hide and piggy back off of
other processes), and tcpview, ect, etc, tools being talked about in the
links.

http://preview.tinyurl.com/klw1

http://www.pcworld.com/downloads/fil...scription.html

http://www.microsoft.com/technet/sys...s/default.mspx

CurrPort here

http://www.bestvistadownloads.com/

>
> does microsoft have any solution for this kind of scenerio where a user
> can
> detect this kind of softwares if they are running on their computer.

Yes, see above, becuase you do have to look for yourself from time to time
with the proper tools.

>
> if yes than pls let me know as i am a victim of this scenerio. and lots of
> private informations have been stolen which has caused me a huge damage in
> my
> business.
>
> I am using Vista Ultimate which is marketed as the most secured operating
> system.

No O/S is secure if the user has not done the right things to secure his or
her situation with using a computer when connected to the Internet,
practicing safe hex, instead of click on everything under the Sun. The
compromising software doesn't get there by itself. The user has to
contribute to it in someway. It just doesn't happen by itself.

Someone posted this link about the Vista O/S. I myself don't need it, but it
maybe able to help you to tighten your machine to attack.

http://www.amazon.com/gp/product/047...otectyourwi-20

It's at this point that you need to follow the advice in the link about I
have gotten hacked now what do I do. You need to follow it if you expect to
protect your business information from this point forward.

http://www.microsoft.com/technet/com...mt/sm0504.mspx

Like I said, you yourself or someone using that machine lead to the
compromise,
and it don't take much with the user that has the happy fingers that will
*click*.

http://www.eweek.com/article2/0,1895,2132447,00.asp

You should practice safe hex as much a possible.

http://www.claymania.com/safe-hex.html

On Fri, 29 Jun 2007 11:10:02 -0700, Dharmesh

>I have observed that, if some one installs a spy software without us knowing
>on our computer, its not possible to detect those softwares, as they run on
>stealth mode.

That's the effect, though it's a bit more complicated than "Stealth=1"

>Did microsoft think on this matter, as this is a biggest threat to a user if
>he/she does not know that some one has installed a spy software on their
>computer.

No, they don't seem to have thought it through in the required depth.

The notion is still "Windows is so secure, it won't get infected if
you Do The Right Things. There's no need to worry about how to clean
infected PCs, when they won't ever get infected. If they do, 'just'
wipe and rebuild; that's the only way out".

Even when it should be manifestly obvious that PCs do get infected,
and users are not going to 'just' wipe and rebuild every time they
think they may be infected. Even when bot-netted Windows PCs carry
95% of the world's spam, the clue is... not there.

The problem is much larger than the PCs that are infected, if you
cannot even reliably determine whether a PC *is* infeced. It enlarges
every PC that *may* be infected; must all of these 'just' be wiped and
re-installed, too? How about malware that causes no signs to suggest
its presence, as most are designed to do? Should we wipe *all* PCs
every now and then, just in case? That's the absurd end-point.

>does microsoft have any solution for this kind of scenerio where a user can
>detect this kind of softwares if they are running on their computer.

Only semi-assed tips like "try from Safe Mode" (and then if you point
out that Safe Mode isn't safe because it also runs 3rd-party
integrations, they say "oh it was never intended to be malware-safe").
You can try using rootkit detectors that look for "live" behavior,
which is like poking a stick at a shape to see if it's a tiger, but...

I dunno... it's obvious to me that whatever software runs first, has
the opportunity to smite down anything that tries to run later to
attack it. After all, would you rather be in the warplane taxiing to
take off, or the warplane above dropping bombs? Would you rather be
the crook in the shadows with gun drawn, or the homeowner shining in
torch from a backlit doorway? Get a ^%$n clue, I'd say.

In Win9x, it was OK because you could always boot DOS mode off a
diskette, and run a DOS av from there.

But you can't do that for an OS that forces you to use NTFS, installed
on a HD that is over 137G in size.

What to use as a maintenance OS, from which to operate on your
installation "under anaesthetic" (no embedded malware code running)?

In XP, the emerged standard is Bart PE, an independent development
offered free that works well, but requires the user to have done quite
a bit of how-to research, downloading, etc.

In Vista, MS does at last open up WinPE 2.0 availability to users who
aren't huge OEMs or corporate IT gods; in fact, it's built into your
Vista DVD (if you got one, i.e. weren't a victim of the same big OEMs
for which WinPE was crafted for).

The trouble is, WinPE's been restricted for years of Bart development,
so no-one's written much to work with it. The original WinPE team are
late to the party, still thinking along "WinPE is for Pre-Install OS
setup" tramlines. So getting av tools to work from it is not as easy
as Bart, plus there's no equivalent to the RunScanner plugin for Bart
that allows registry-aware tools to operate as if the HD's inactive
registry hives are in effect. In fact, WinPE lacks Bart's
well-documented mechanisms for plugging in tools.

>if yes than pls let me know as i am a victim of this scenerio. and lots of
>private informations have been stolen which has caused me a huge damage in my
>business.

Nasty. The first things I'd do, is:
- disconnect your PC off all networks and switch it off
- get a spare HD or two
- image the entire HD to one of these HDs
- lock up the original HD in a safe
- try to get "legal wrap" around all of the above (evidence)
- rebuild the system on the 2nd spare HD
- patch and protect this before putting it online
- the 3rd HD is for casual forensic workup
- always clone this 3rd HD before doing anything with it
- keep the original as court evidence

>I am using Vista Ultimate which is marketed as the most secured operating
>system.

Yeah - aren't they all? It may even be true, until the attacks start.

Then again, an OS that gets "owned" 5% of the time instead of 15% of
the time, isn't safe enough if you're one of the 5%.



>-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
>-------------------- ----- ---- --- -- - - - -

Hello friends, thankyou for your reply and also for helping me by giving good
links for the solution.

1 thing i would like to bring in to your notice is that.... its not because
of browsing net i got hacked....

When we are in to business there are many people who try to steal
informations, and there are some nasty programmers out there, who knows how
to get unattended installation done. This kind of installations can be done
just by inserting a flash drive in to your computer and to get this
installation done it takes hardly 2 or 3 minutes, or the installation be
activated on a copy/paste command to or from the external storage devices.

Win Vista has some files called as winhost... than rundll32... which can be
cracked very easily... where a hacker can control your computer even without
you knowing it.

Thats the main reason why i asked for a tool that can show softwares running
in stealth mode or if any files of windows has been cracked. as when a
software runs in stealth mode, a user can not see it in program files or even
in task manager under process.... so how to catch this kind of installed
software.

well i think its microsoft's responsibility to atleast give a tool to
authorized users of their OS to find such spy softwares installed on your
computer. and also to notify any unattended installation is getting done on
to your computer.

"Dharmesh" <Dharmesh@discussions.microsoft.com> wrote in message
news:F963604E-7521-4899-A0DB-EA74787FBE1C@microsoft.com...
> Hello friends, thankyou for your reply and also for helping me by giving
> good
> links for the solution.
>
> 1 thing i would like to bring in to your notice is that.... its not
> because
> of browsing net i got hacked....

Well, it's still in your area after all, it's your machine.

>
> When we are in to business there are many people who try to steal
> informations, and there are some nasty programmers out there, who knows
> how
> to get unattended installation done. This kind of installations can be
> done
> just by inserting a flash drive in to your computer and to get this
> installation done it takes hardly 2 or 3 minutes, or the installation be
> activated on a copy/paste command to or from the external storage
> devices.
>
> Win Vista has some files called as winhost... than rundll32... which can
> be
> cracked very easily... where a hacker can control your computer even
> without
> you knowing it.

True

>
> Thats the main reason why i asked for a tool that can show softwares
> running
> in stealth mode or if any files of windows has been cracked. as when a
> software runs in stealth mode, a user can not see it in program files or
> even
> in task manager under process.... so how to catch this kind of installed
> software.

I gave you the tool called Process Explorer. It will allow you to look
inside of any running process and show what's running with the process the
hidden process, which malware or a rogue process can attach itself to and
execute with a legit process hosting it.

But that tool requires that you go look for yourself and know what you're
looking at.

You can go to PE's Menu/View/Show Lower Pane/Show all DLL's and PE will show
you everything that running or hosted by a process when you click on a
process in the upper pane.

You can right click on a process in the upper pane and go to Properties and
PE will give you more information about a given process and what's running
with the process, like what directory the process is running out of and the
author of the process. You can also do the same thing in the lower pane as
well.

You see, you have to be very aware of what you're looking at when looking
at DLL(s) and whatnot, because someone can make something look very legit
and you heve to question it if you suspect something.

Just about all programs that will be legit sort of speaking are when you can
find mention of those DLL(s)/ programs out on Google for the most part. If
you don't find something using Google, then you have to question what is it.
But that's not 100% using Google either, even if it looks legit, you still
have to question it.

About making something look very legit, take Svchost.exe or Dllhost32.exe, a
person/programmer can name something with those names, and the unspecting
user can miss something like that when it's running, easily.

However, those types of rogue programs will not be running out of the
Windows/System32 directory. They will be running from some other directory.
It's just an example of how slick someone can be if you're not aware of it.

http://preview.tinyurl.com/klw1

There are other techniques of detection you can do yourself that's being
talked about in the link above.


> well i think its microsoft's responsibility to atleast give a tool to
> authorized users of their OS to find such spy softwares installed on your
> computer. and also to notify any unattended installation is getting done
> on
> to your computer.

It's not going to happen. If you leave the machine unattended, not locked
down when you leave it with password protection, not use a strong password,
and you are Admin on the machine, left in this state, then anything can
happen.

It doesn't matter what O/S is being used, MS, Linux, Apple or whatnot, if
you're not doing the things needed to protect yourself.

You now know that this is an issue and you need to start changing your
mindset, because MS is not going to do it for you. It's your business and
your machine, it's not MS's.