[dba-Tech] Virus trying to get in...

Jim Lawrence accessd at shaw.ca
Sat May 23 22:57:44 CDT 2009 

Well thank you Bill... Jim

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Bill Patten
Sent: Saturday, May 23, 2009 11:40 AM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Virus trying to get in...

Jim,

Great reply, instead of the usual "this sucks and that doesn't" stuff an 
explanation that answers the question, at least in my eyes with a fairly 
unbiased description.


Thanks


Bill
----- Original Message ----- 
From: "Jim Lawrence" <accessd at shaw.ca>
To: "'Discussion of Hardware and Software issues'" 
<dba-tech at databaseadvisors.com>
Sent: Saturday, May 23, 2009 10:44 AM
Subject: Re: [dba-Tech] Virus trying to get in...


I must admit that my knowledge is not totally first hand. A fellow who works
predominantly with Servers and Linux type systems in particular, but also
works with Windows products gave me his understanding of the relationship.

On those Linux/Unix systems, unless you as an operator, you specifically
enter the root/administrator password, before an application can have access
to any root functions. Even then the Kernel and core functions are locked
down completely.

Windows has an odd layered system, in which, if certain applications,
request it, they get access to the 'system' layer, which is only slightly
below full administration rights. From there any app, offending or otherwise
has access to root directories like the 'windows' and sub-system and to the
registry. Maybe there are restrictions but a rogue application can do
incredible damage from this position. Finally, if the rogue app ever
achieves root access it can go directly after the Windows kernel.

The Windows system layer was created with the best of intensions, to allow
easy updates, confirmation of licensing and attempting to separate the user
from any of the complex back-end processes.

One of Windows strengths and weaknesses is in its design and its corporate
nature. Windows is a proprietary product much of its functionality is hidden
so when a problem with the OS occurs there is only one source for the final
solution. Much of the designing efforts are spent at guaranteeing that the
product is not pirated or copied, that all advancements are carefully
copywrited and that it has complete control over its creation and direction.
At 17 billions dollar in receipts last year, it is a very viable corporate
entity but it can not be all seeing and given the expanding complexity of
the computer world the company has less ability to set trends or direction.

The Linux world is a very loose group of products. It is more like a cottage
industry than a company where it is estimated that 3 to 4 million people
work on its evolving design. The product is mostly open-source so hiding a
process (or some kind of virus) is nearly impossible. Most of the new
inventions in the computer industry have their source from this pool. It is
estimated that the profits from this industry are somewhere at 10 Trillion
world wide and growing at a phenomenal rate.

Comparing the two paradigms show a stark contrast. One is a tightly
controlled corporate entity and the other is wild capitalistic/socialistic
frontier where only the best survive and wild innovation is rampant.

Both entities have there place and I utilize both in every day business but
I spend as much time removing Windows viruses as I spend doing other system
support. The job is system support is made doubly complex when a system
failure can be either deliberate or a setup issue... you can never know
which or it could be both.

Jim



-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Rocky Smolin
Sent: Friday, May 22, 2009 9:08 PM
To: 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] Virus trying to get in...

Why would it never happen on a Linux/BSD system?  Because they're not
targeting it?  OR because Linux/BSD doesn't have vulnerabilities to viruses
or Trojans?

Rocky


-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: Friday, May 22, 2009 8:27 PM
To: 'Discussion of Hardware and Software issues'
Subject: [dba-Tech] Virus trying to get in...

Hi All:

Has anyone experienced the 'Spyware Protect 2009' trojan/virus? It had
started on a client's site but according to the following link it was not
fully installed:
http://www.xp-vista.com/spyware-removal/spyware-protect-2009-removal

A client sort of caught it part way through the insertion process along with
the oline protection software, 'Windows OneCare' and the installation did
not complete. The core of 'Spyware Protect 2009' app would keep prompting to
be installed. (Something like a vampire that will not come in unless
invited?)

Hopefully I have got rid of it as the prompting app is a thing called
sysguard.exe, hidden, read-protected and stashed in the Windows directory
(It has to be deleted from the command prompt when in 'safe mode') and it is
activated through a standard entry in the registry:
HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run/Sysguard.exe

How the code got in I have no idea, though one site suggested it may have
come through some codec pacted in a graphic file. The original source is
supposed to be out of Russia but it is appearing up everwhere.

Considering the desktop was running run-time-protection, windows firewall,
had all the current updates, the client was running it only in user mode and
it switched to running at 'system' level; it just goes to show weak the
system and all the protection really is... this would never happen on a
Linix/BSD system.

Sorry to sound grumpy but it took two hours to uncover and remove and I was
late for supper... and the client was very grumpy while I had to stay cool
and calm.

Jim

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com

More information about the dba-Tech mailing list