[LUAU] Does this shock you?

R. Scott Belford scott at belford.net
Thu Jul 8 13:17:19 PDT 2004


My apologies.  I was very excited yesterday to see what seemed like so
many infections.  Further research has led me to revise my "list."  I
searched for each service on the security response page from Norton
Antivirus, and did not read the details thoroughly enough.

In our rush to correct me, I fear that we do overlook the seriousness of
some of these infections.  I should illuminate that this lab is for
pre-teens.  They will type anything just to download the coolest and
best-branded web game, even private info.  Keyloggers, IRC Bots,
password crackers are serious for users of this age.

The list is revised below.  I appreciate the thoughtful responses, and
the Task List link you sent, Jeff, was fantastic.  It is my duty to
alleviate some of the well-founded concerns expressed.  I regret that in
my haste I completely obfuscated just how sustainable, secure, and
supported HOSEF's installations are.  My zeal left a whiff of fanaticism
that, I assure you, is not how we operate or have operated with any of
our recipients.  We are not bringers of FUD, and my zeal was
restricted to the OSS community.

Jeff Mings wrote:

...
 >
 > Windoze OSes are frustratingly difficult to keep free of viri,
 > especially if you run Outlook or Internet Exploder. However, when
 > educating others about its problems, we have to be careful to remain
 > objective.

Very true.  What you can be certain of is that we are always objective.
There is no way to discern this from my note, but the education here
has been going on for several months.  We have a 12 station thin client
lab in the Weinberg Teen Center.  Two managers have asked for and
received stand-alones running Mandrake 9.2.  One of the computers in the
Windows lab was replaced with Mandrake 9.2 months ago.

I do two workshops a week there, and I stop in almost daily.  In one
workshop I have the kids repairing, building, and testing the computers
we in turn give to others.  They are good.  In the second workshop we
mess with software.  I try to trick them into using applications good
for school.  More importantly, I am teaching the most eager ones how to
support common problems.  At no point have I told them they are using
OSS.  They just know that it works.

One of the managers had no computer.  She went to the Windows lab to
access those machines.  We gave her a printer and a PIII running
Mandrake 9.2.  I updated it and told her to come into the teen center
for our classes if she needed to learn how to use it, or to ask me
questions as I come and go.  The next day her Desktops were individually
customized and full of the Microsoft Office document icons from her many
floppies.  She does not know what Linux is, she just knows that it works.


Tim Newsham wrote:

 > the URL descriptions dont match these programs.  They're standard
 > windows services (registry, security subsystem, win32 subsystem,
 > session manager).

Thanks.  You are correct.  My claim was premature.  Two of the four you
mentioned, though, could be hijacked and still require more examination
to be certain.  See their descriptions below.

 > I agree that linux can be an effective desktop in school settings.
 > I'm not sure I buy your argument though that virus infection is
 > a good reason to run linux.  From a pragmatic point of view it
 > is true -- viruses tend to target win32, and running something
 > other than win32 will reduce your exposure there.  From a technical
 > point of view though, there is no inherent technical advantage
 > here.

Viruses alone are really just an annoyance.  Keystroke loggers, IRC
bots, and password crackers are.  This is a pre-teen lab.  I failed to
mention this, but the whole idea of keeping private information to
themselves is not intuitive or even convenient.  I do disagree about the
technical advantage; I definitely believe that OSS is technically
superior.  There is just always that pesky human involved.

 >
 > Linux systems do have flaws as well, and they may well be
 > exploited to your detriment, although most likely not by
 > a virus or worm.  If the system is operated properly, most
 > users will be using low-privilege accounts and the entire
 > system wont be at risk.  The same holds true for win32.  If
 > they run windows xp, 2000 or 2k3 and disallow the average
 > user from logging in as the administrator, the system will
 > be much less vulnerable and more manageable.

Most true and very well worth pointing out.  Yes, the architecture of
OSS like Linux, if properly operated, is inherently more safe and of
course the same security is easily achievable by responsible management of
one's Windows computer.  Problem is, unprivileged accounts are not the
default choice in Windows, and since most people expect to be able to
download and install their stuff, the majority of labs I have seen give
everyone this power.

--scott




The Revised and Better Researched List


Bad

FF.EXE

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.rirc.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RANDEX.AB

"Description:

This malware is both a worm and a backdoor.

It propagates into machines on the same network using a long-list of
user names and passwords. Its propagation routine allows it to copy
itself into machines running Windows NT, 2000, and XP that have weak
passwords.

(Note: Weak passwords are often ordinary words or easily crackable,
non-alphanumeric strings that do not use special and mixed case
characters. Passwords with fewer than eight characters are also
considered weak.)

It acts as a backdoor and listens for commands from remote users. It
joins an Internet Relay Chat server via port 6667 to receive these
commands and allow remote users virtual control over infected systems.

This malware runs on Windows 95, 98, ME, NT, 2000, and XP. However, it
can only propagate into machines running Windows NT, 2000, and XP"


msbb.exe

http://securityresponse.symantec.com/avcenter/venc/data/adware.ncase.html
http://www.liutilities.com/products/wintaskspro/processlibrary/msbb/

"There is nothing good we can say about MSBB.  Internet browsers slowing
down to a crawl is the most common complaint, but we have also seen
random "MSBB has encountered an error and will close", or MSBB trying to
start the dial-up connection for those connecting to the Internet via
modem, not to mention the extremely irritating random pop-up ads"


WSup.exe

http://securityresponse.symantec.com/avcenter/venc/data/adware.huntbar.html

"Adware.Huntbar installs itself as a Browser Helper Object and redirects
search requests. Adware.Huntbar also gathers information on Web-browsing
habits."


WToolsA.exe

http://securityresponse.symantec.com/avcenter/venc/data/adware.huntbar.html

"Adware.Huntbar installs itself as a Browser Helper Object and redirects
search requests. Adware.Huntbar also gathers information on Web-browsing
habits."


wupdater.exe

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.polybot.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_SDBOT.CJ

From Trend Micro:

"This destructive backdoor removes shared files in shared folders. It
opens random ports and connects to a specific IRC server, where it
listens for commands from a remote user that it can process on the
machine. It enables the remote user to carry out the following malicious
tasks:

     * Join a specified IRC chat room
     * Send messages to a specified IRC chat room
     * Log keystrokes
     * Open/close CD tray
     * Enable FTP download/upload
     * Execute files
     * Perform DoS (denial of service) attack (through ping or SYN floods)

This memory-resident malware runs on Windows NT, 2000 and XP."



CMESys.exe

http://www.liutilities.com/products/wintaskspro/processlibrary/cmesys/

"Gator GAIN, adware that is installed by certain free software and is
advertising spyware that runs in the background and displays
advertisements. The identified process is a security risk and can
compromise your personal privacy"



Not inherently Bad, But Some Questions and Need for Research Remain

ctfmon

http://answersthatwork.com/Tasklist_pages/tasklist_c.htm

"CTFMon comes with Microsoft Office XP and Windows XP – it activates the
Alternative User Input Text Input Processor (TIP) and the Microsoft
Office XP Language Bar.  As long as the Text Services & Speech are
enabled in the Control Panel, this program will force itself back into
your list of background programs."


lsass.exe

http://answersthatwork.com/Tasklist_pages/tasklist_l.htm

"If the full path to this program as shown in The Ultimate
Troubleshooter is not C:\WinNT\System32\LSASS.exe (Windows 2000)
or C:\Windows\System32\LSASS.exe (Windows XP, 2003), then you have
the W32.Nimos.Worm virus or some other virus."


smss.exe

http://answersthatwork.com/Tasklist_pages/tasklist_s.htm

"Windows NT4/2000/XP/2003 only.  SMSS is the Session Manager SubSystem.
SMSS’s purpose is to start, manage, and delete user sessions (or client
sessions under Terminal Server).  Under Terminal Server the management
part includes dealing with the different subsystems (OS/2, Win32, POSIX)
which a client session may wish to run"


csrss.exe

http://answersthatwork.com/Tasklist_pages/tasklist_c.htm

"An integral part of the operating system, leave alone.
You have the Trojan.Gutta or W32.Netsky.AB@mm virus if you have
Windows 95/98/ME or if the full path to this program is either
C:\Windows\csrss.exe or C:\WinNT\csrss.exe."


regsvc.exe

http://answersthatwork.com/Tasklist_pages/tasklist_r.htm

"While it is not always required, the Remote Registry Service will
eventually be used at some stage in the life of most Windows 2000
Servers/Advanced Servers.  This process should therefore be left alone."


mspmspsv.exe

http://answersthatwork.com/Tasklist_pages/tasklist_m.htm

"Microsoft’s WMDM PMSP Service, aka Windows Media Device Manager
Pre-Message Security Protocol Service.  From our tests this service only
appears in the Task List if you have done a Windows Update and updated
Windows Media Player with the 26-Jun-2002 Security Update Q320920.  This
services enables Windows Media Player to support the SDMI protocol
(Secure Digital Music Initiative) when copying CDs or packaging
copyrighted downloaded music to SDMI compliant music players and storage
devices."


VPTray.exe

http://answersthatwork.com/Tasklist_pages/tasklist_v.htm

"Unlike with other Norton AntiVirus products, there are significant
problems with the VPTRAY process which comes with the Corporate Edition,
from the inability of Windows to start due to timing problems associated
with VPTRAY, 100% CPU usage by VPTRAY, and other problems.  Since you
can access all Norton AntiVirus features through "Start \ Programs", if
you experience Windows start-up problems, performance problems, or
crashes which you have difficulty tracking, then disable VPTRAY with
The Ultimate Troubleshooter."


WKufind.exe

http://answersthatwork.com/Tasklist_pages/tasklist_w.htm

"Microsoft Works 2002 PictureIt! update detector.  Another auto-update
feature that you should turn off !  If you are not convinced, then this
from a Microsoft document should convince you :  "You may notice that
when this feature runs your computer may freeze or the program may try
to update itself....  You may also notice that the computer will try to
dial your Internet Service Provider, connect to the Internet, and
download any updates."



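The revised list above is really two kinds of rule: a set of file names that are bad wherever they run (the adware and IRC bots under "Bad"), and a set of core Windows names (lsass.exe, smss.exe, csrss.exe) that are only legitimate when the image lives under the System32 directory. The script below applies exactly those rules to a process listing. It is an added example, not part of Scott's message or of any of the vendor pages he cites; the names and rules are taken from the post, the CSV layout and the sample rows are constructed for the example, and the function names `classify` and `triage` are chosen here. Feed it a CSV of process name and image path from whatever tool you have; plain `tasklist` output on XP gives no path, and a system-named process with no path is deliberately marked SUSPECT rather than OK, because it cannot be verified. Bear in mind that matching on names and paths is the same heuristic that produced the false positives the post corrects: treat BAD and SUSPECT as a reason to pull the file and check its hash and signature, not as a verdict.

```python
"""Triage a Windows process listing against the hand-curated list above.

Added example, not part of the original message.  The process names and
rules come from the post; the CSV format and sample rows are constructed.
"""
import csv
import io
import ntpath

# Names the post filed under "Bad".  Matching is case-insensitive because
# Windows file names are.
KNOWN_BAD = {
    "ff.exe": "W32.HLLW.Rirc / WORM_RANDEX.AB (IRC backdoor, spreads via weak passwords)",
    "msbb.exe": "Adware.NCase",
    "wsup.exe": "Adware.Huntbar (Browser Helper Object, redirects searches)",
    "wtoolsa.exe": "Adware.Huntbar (Browser Helper Object, redirects searches)",
    "wupdater.exe": "W32.HLLW.Polybot / BKDR_SDBOT.CJ (IRC bot, logs keystrokes)",
    "cmesys.exe": "Gator GAIN adware",
}

# Core OS processes that, per the sources quoted above, must run from the
# system directory.  A copy elsewhere (e.g. C:\Windows\csrss.exe) is the
# classic sign of malware borrowing a trusted name.
SYSTEM_ONLY = {"lsass.exe", "smss.exe", "csrss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")


def classify(name, path):
    """Return (verdict, reason) for one process name and image path."""
    lname = name.lower()
    if lname in KNOWN_BAD:
        return "BAD", KNOWN_BAD[lname]
    if lname in SYSTEM_ONLY:
        # ntpath handles backslash paths even when this runs on Linux.
        folder = ntpath.dirname(path).lower()
        if folder in SYSTEM_DIRS:
            return "OK", "core OS process in its expected directory"
        shown = path or "<no path available>"
        return "SUSPECT", f"{name} running from {shown}, not the system directory"
    return "UNKNOWN", "not in the post's lists; research before judging"


def triage(csv_text):
    """Parse 'Name,ExecutablePath' CSV rows; return [(name, verdict, reason)]."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict, reason = classify(row["Name"], row.get("ExecutablePath") or "")
        findings.append((row["Name"], verdict, reason))
    return findings


# Constructed sample listing (not captured from a real machine).  The
# csrss.exe row is placed outside System32 on purpose to show the check.
SAMPLE = """Name,ExecutablePath
smss.exe,C:\\WINDOWS\\System32\\smss.exe
csrss.exe,C:\\WINDOWS\\csrss.exe
lsass.exe,C:\\WINDOWS\\System32\\lsass.exe
FF.EXE,C:\\WINDOWS\\System32\\FF.EXE
ctfmon.exe,C:\\WINDOWS\\System32\\ctfmon.exe
WToolsA.exe,C:\\Program Files\\WToolsA.exe
"""

if __name__ == "__main__":
    for name, verdict, reason in triage(SAMPLE):
        print(f"{verdict:8} {name:14} {reason}")
```

Only three verdict buckets matter in practice: BAD and SUSPECT get the file pulled for a closer look, UNKNOWN goes on the research list the way ctfmon and the rest did above, and OK means only that the name and location agree, nothing more.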