11/19/2004

The Spyware Who Loved Me

Uncle Andrew @ 10:58 pm

I thought it was going to be just another typical day at work….and indeed, in some ways it was. More often than I really prefer it seems as though my work day starts with me feeling perfectly in control and ends with me feeling like my leg’s caught in a bear trap.

For those not already familiar with me (yeah, right, like anyone besides my immediate family is reading this. Hi Mom!), I am the graphic, prepress and Web designer for a gourmet and medicinal mushroom company. I am also the de facto Information Technology Dude (aka Nerd In Residence) for our company, mainly because I know a lot more about computers than anyone else currently employed there. I know a lot less than many other people—including many in my circle of friends—and I know far, far less than should be known by the guy left in charge of the computer network of a smallish-yet-poised-for-greatness company.

It started when Loren, our accountant, asked me to come take a look at her computer. “It’s giving me a weird error message,” she said, “and it’s been doing it a lot lately.”

I sat at her desk and looked at the “message”.

“Actually, this isn’t a message from Windows at all,” I told her. “It’s a browser window. You can tell because of the border around the window. This is a Web page being sent to you by some company, trying to scam you into clicking on it so they can direct you to their Web site, or install spyware on your computer, or something like that.” I clicked the “Close Window” box in the top right corner of the window and got up out of her chair. “You can ignore those, just don’t click on anything inside the window.”

She thanked me, then, as I was walking away she said, “But what about this window? I didn’t even have Internet Explorer open this time.”

I peered around her desk at the screen, where a jauntily-colored ad for some sort of scooter hovered above her QuickBooks window.

Oh, Frankenberries.

“Well now,” I ventured, my voice cracking just a bit, “that probably means you have some sort of spyware on your computer. We’re going to have to do something about that.” I got back in her chair and logged in as Administrator and began doing some preliminaries: threw an adhost-blocked Hosts file on her system, cleared her Internet cache, and ran a free spyware-checking utility from Pest Patrol.
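An added illustration (not from the original post) of what the “adhost-blocked Hosts file” step does: a small audit script that separates sinkhole entries (names pointed at a loopback or null address, which is how ad hosts get blocked) from entries that send a name somewhere else and deserve a closer look. The Hosts content below is constructed for the example.

```python
"""Audit a Windows-style Hosts file: list ad-block sinkhole entries and flag
entries that redirect a name to a non-loopback address (constructed sample)."""
import ipaddress

# Addresses commonly used to "black-hole" ad/tracker hostnames.
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed address: skip rather than guess
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def audit_hosts(text):
    """Return (blocked, redirects): sinkholed names vs. names sent elsewhere.
    The plain 'localhost' entry is expected and not reported."""
    blocked, redirects = [], []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if ip in SINKHOLE:
            blocked.append(host)
        else:
            redirects.append((host, ip))  # review: someone changed name resolution
    return blocked, redirects


# Constructed sample, not a real Hosts file.
SAMPLE = """# adhost-blocked Hosts file (constructed sample)
127.0.0.1 localhost
0.0.0.0   ads.example-adhost.test        # ad server sinkholed
127.0.0.1 tracker.example.test           # tracker sinkholed
203.0.113.7 update.vendor-example.test   # not a sinkhole: flag for review
"""

if __name__ == "__main__":
    blocked, redirects = audit_hosts(SAMPLE)
    print("blocked:", blocked)
    print("review:", redirects)
```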

Tucked in among the usual collection of adware, invasive cookies and browser redirectors was a program called “System Spy”, which Pest Patrol identified as a “Keystroke Logger”.

Oh, double Frankenberries.

I immediately sprung into action and picked up a demo of Pest Patrol’s corporate edition (which, by the way, is a really slick piece of ‘ware. If you’re in the market for a server-deployable anti-spyware tool, I’d vouch for this one) and ran scans on every workstation on our network. Every computer had at least a couple of pieces of malware. One had 51 of them.

And every single one had a copy of System Spy running on it.

Triple, fourple and fiveple Frankenberries. With horseradish.

While I exorcised our network, I Googled the living shit out of the term “System Spy”. Turns out it’s actually a commercial product, intended for use by employers who want to keep track of the computer activities of their employees. Creepy, but basically legit. So how the hell did it get on every computer on our network? I was the only person with sufficient access and knowledge to do this, and last I checked, I hadn’t decided to sink my own company. Obviously, some compromised machine with Administrator access—probably, God help us all, the server—was distributing the program all over the network.

Though I think I’ve tracked down and squished every instance of System Spy, I still have no goddamn idea when, where or how it managed to piggyback onto our system. Not even the all-knowing all-seeing Interweb has been much help. While many sites identify System Spy as (duh) spyware, nowhere could I find any reference to someone using it as the base for a piece of malware capable of deploying itself to multiple workstations over a mixed 2000/XP Pro network. The original program doesn’t work that way (Hell, the original program isn’t even supposed to work on Windows NT-based operating systems, only 95, 98 and ME), and while a script could doubtless be written that would do so, youda thunk it would have been done enough times to rate some mention online.

I’m in way over my head, and it depresses me, mostly because the welfare of our entire company might rest on my skill base (and don’t think that idea doesn’t leave me in a puddle of my own urine). Being the best at something in a small group of people is already somewhat gritty balm for the ego. Add to that the prospect that your best was still far, far less than was needed and you can be left with quite a stomachache.

Not that anyone is blaming me. I mean, it would be pretty weird for my boss to point his finger at me and say, “Dammit Andrew, as a graphic designer you should have KNOWN we were going to have network security problems and taken steps to prevent them!” I’m only as good as the products I have at my disposal, which up to now have been pretty meager. We are now running Pest Patrol, and barring some revelation or catastrophe will doubtless purchase the full package when our demo expires. Like most folks, once the digital equines have fled the outbuilding, we slammed the door on those suckers.

Fortunately, I have some very smart people I can fall back on to help to identify and neutralize the problem. I just wish I was one of them.

Sometimes Real Life Gets In The Way Of My Virtual One….And Vice Versa

Uncle Andrew @ 8:42 am

So much for posting every day. Between work and the release of Half-Life 2, I’ve kind of fallen behind on my blogging duties.

The answer? Why, feed you folks content from someone else’s site, of course! This is an oldie but a goodie. Anyone who ever owned, played with or seriously considered striking up a caring long-term relationship with an Atari 2600 game system will love this little number from Golden Shower.

Click here to go to the movie. Requires Apple’s QuickTime Player to view. Enjoy!


All portions of this site are © Andrew Lenzer, all rights reserved, unless otherwise noted.