funsec mailing list archives

F-Secure: Sometimes Those Error Messages Actually Mean Something


From: "Fergie" <fergdawg () netzero net>
Date: Wed, 26 Apr 2006 13:53:24 GMT

Check this out.

Via F-Secure.

[snip]

Removing spyware from a computer is becoming an increasingly difficult task. Look2Me, a displayer of pop-up 
advertisements, is a good example of a persistent malware application that just won't go away. It uses some interesting 
techniques to remain installed.

Look2Me hooks into the winlogon process as a notification package. If the user tries to unregister the notification 
package, it is immediately reinstated. Look2Me also removes the administrator group's debug privileges and thereby 
disables the user from interfering. This, along with some other tricks, makes manual removal close to impossible.

The removal of the debug privileges has resulted in some BlackLight support calls for us. And so, even though it 
doesn't have any rootkit functions, the SeDebugPrivilege error inadvertently turns our BlackLight tool into a Look2Me 
detector!

[snip]

More:
http://www.f-secure.com/weblog/#00000863

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/
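As an added example (not code from F-Secure, from the post, or from the BlackLight tool), the following PowerShell script performs the defender-side triage the quoted text implies: it lists the Winlogon notification packages registered under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify` with the DLL each one loads, checks whether the current token still carries SeDebugPrivilege, and confirms at the policy level whether the built-in Administrators group (SID S-1-5-32-544) is still assigned that right. It assumes an elevated shell on an XP/2003-era host where the Notify key exists and `whoami.exe` and `secedit.exe` are available; on Vista and later the Notify key is absent, and the script says so rather than treating that as a finding.

```powershell
# Added example, not part of the original post or of F-Secure's tooling.
# Assumes: elevated PowerShell, whoami.exe and secedit.exe on PATH.

# 1. Enumerate Winlogon notification packages and the DLL each loads.
#    Look2Me, per the blog, registers itself here and re-adds its key if removed.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    Get-ChildItem -Path $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DllName
        # Unqualified DLL names are resolved from System32 by the loader.
        if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        $exists = if ($dll) { Test-Path -Path $dll } else { $false }
        [PSCustomObject]@{
            Package = $_.PSChildName
            DllName = $dll
            OnDisk  = $exists
        }
    } | Format-Table -AutoSize
} else {
    'Winlogon\Notify key not present (normal on Vista and later).'
}

# 2. Does the current token hold SeDebugPrivilege at all? On a clean system an
#    elevated administrator sees it listed (enabled or disabled). If the line is
#    missing entirely, the right has been stripped from the group's assignment,
#    which is the symptom the blog says trips BlackLight.
$tokenPriv = whoami /priv | Select-String -Pattern 'SeDebugPrivilege'
if ($tokenPriv) {
    "Token lists SeDebugPrivilege: $($tokenPriv.Line.Trim())"
} else {
    'SeDebugPrivilege is absent from this token; check the user-rights assignment.'
}

# 3. Confirm at the policy level: export the local security policy and read the
#    SeDebugPrivilege line under [Privilege Rights]. S-1-5-32-544 is the
#    well-known SID of the built-in Administrators group.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg | Out-Null
# secedit writes a UTF-16 file with a BOM; Get-Content honours the BOM.
$assignment = Get-Content -Path $cfg | Select-String -Pattern '^SeDebugPrivilege\s*='
if (-not $assignment) {
    'SeDebugPrivilege is assigned to no principal (Administrators normally hold it).'
} elseif ($assignment.Line -notmatch 'S-1-5-32-544') {
    "SeDebugPrivilege assigned, but not to Administrators: $($assignment.Line)"
} else {
    "Administrators hold SeDebugPrivilege as expected: $($assignment.Line)"
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

Step 2 reflects the token of the shell you are running in; step 3 reads the policy that tokens are built from at logon, so a recently changed assignment shows up in step 3 before it shows up in step 2. A notification package pointing at a DLL that is not on disk, or one you cannot account for, is worth pulling for analysis rather than deleting the key, since the blog notes the key is recreated immediately.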


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
