11/19/2004

The Spyware Who Loved Me

Uncle Andrew
Filed under: @ 10:58 pm

I thought it was going to be just another typical day at work... and indeed, in some ways it was. More often than I really prefer, it seems as though my work day starts with me feeling perfectly in control and ends with me feeling like my leg’s caught in a bear trap.

For those not already familiar with me (yeah, right, like anyone besides my immediate family is reading this. Hi Mom!), I am the graphic, prepress and Web designer for a gourmet and medicinal mushroom company. I am also the de facto Information Technology Dude (aka Nerd In Residence) for our company, mainly because I know a lot more about computers than anyone else currently employed there. I know a lot less than many other people—including many in my circle of friends—and I know far, far less than should be known by the guy left in charge of the computer network of a smallish-yet-poised-for-greatness company.

It started when Loren, our accountant, asked me to come take a look at her computer. “It’s giving me a weird error message,” she said, “and it’s been doing it a lot lately.”

I sat at her desk and looked at the “message”.

“Actually, this isn’t a message from Windows at all,” I told her. “It’s a browser window. You can tell because of the border around the window. This is a Web page being sent to you by some company, trying to scam you into clicking on it so they can direct you to their Web site, or install spyware on your computer, or something like that.” I clicked the “Close Window” box in the top right corner of the window and got up out of her chair. “You can ignore those, just don’t click on anything inside the window.”

She thanked me, then, as I was walking away she said, “But what about this window? I didn’t even have Internet Explorer open this time.”

I peered around her desk at the screen, where a jauntily-colored ad for some sort of scooter hovered above her QuickBooks window.

Oh, Frankenberries.

“Well now,” I ventured, my voice cracking just a bit, “that probably means you have some sort of spyware on your computer. We’re going to have to do something about that.” I got back in her chair and logged in as Administrator and began doing some preliminaries: threw an adhost-blocked Hosts file on her system, cleared her Internet cache, and ran a free spyware-checking utility from Pest Patrol.
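An ad-blocking Hosts file only helps if every entry actually points at a sinkhole address; spyware is just as happy to edit that file to redirect real sites. The following is an added example (my own code, not the post’s) that audits a Windows-style Hosts file: it counts the ad hosts pinned to a sinkhole and flags any name mapped to a non-local address. The sample file contents and the hostnames in it are constructed for the example.

```python
"""Audit a Windows-style Hosts file for ad-blocking entries and hijacks."""
import ipaddress

# Addresses that harmlessly swallow a blocked hostname.
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample Hosts file (not taken from the post). The last entry
# mimics a spyware hijack: a real site pointed at an attacker-chosen address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-adnetwork.test   # blocked ad host
127.0.0.1       tracker.example.test
203.0.113.7     www.example.com              # suspicious: not a sinkhole
"""


def parse_hosts(text):
    """Return (line_number, address, hostname) triples, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver would skip it too
        for name in parts[1:]:
            entries.append((lineno, str(addr), name.lower()))
    return entries


def audit_hosts(text):
    """Split entries into sinkholed ad hosts and suspicious redirects."""
    blocked, suspicious = [], []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost":
            continue  # the one entry every Hosts file legitimately has
        if addr in SINKHOLE:
            blocked.append(name)
        else:
            suspicious.append((lineno, name, addr))
    return {"blocked": blocked, "suspicious": suspicious}


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} ad hosts sinkholed")
    for lineno, name, addr in result["suspicious"]:
        print(f"line {lineno}: {name} -> {addr} is NOT a sinkhole, check it")
```

On a real machine, feed it the contents of C:\Windows\System32\drivers\etc\hosts (the path for Windows 2000/XP) instead of the sample string.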

Tucked in among the usual collection of adware, invasive cookies and browser redirectors was a program called “System Spy”, which Pest Patrol identified as a “Keystroke Logger”.

Oh, double Frankenberries.

I immediately sprung into action and picked up a demo of Pest Patrol’s corporate edition (which, by the way, is a really slick piece of ‘ware. If you’re in the market for a server-deployable anti-spyware tool, I’d vouch for this one) and ran scans on every workstation on our network. Every computer had at least a couple of pieces of malware. One had 51 of them.

And every single one had a copy of System Spy running on it.

Triple, fourple and fiveple Frankenberries. With horseradish.

While I exorcised our network, I Googled the living shit out of the term “System Spy”. Turns out it’s actually a commercial product, intended for use by employers who want to keep track of the computer activities of their employees. Creepy, but basically legit. So how the hell did it get on every computer on our network? I was the only person with sufficient access and knowledge to do this, and last I checked, I hadn’t decided to sink my own company. Obviously, some compromised machine with Administrator access—probably, God help us all, the server—was distributing the program all over the network.

Though I think I’ve tracked down and squished every instance of System Spy, I still have no goddamn idea when, where or how it managed to piggyback onto our system. Not even the all-knowing all-seeing Interweb has been much help. While many sites identify System Spy as (duh) spyware, nowhere could I find any reference to someone using it as the base for a piece of malware capable of deploying itself to multiple workstations over a mixed 2000/XP Pro network. The original program doesn’t work that way (Hell, the original program isn’t even supposed to work on Windows NT-based operating systems, only 95, 98 and ME), and while a script could doubtless be written that would do so, youda thunk it would have been done enough times to rate some mention online.

I’m in way over my head, and it depresses me, mostly because the welfare of our entire company might rest on my skill base (and don’t think that idea doesn’t leave me in a puddle of my own urine). Being the best at something in a small group of people is already somewhat gritty balm for the ego. Add to that the prospect that your best was still far, far less than was needed and you can be left with quite a stomachache.

Not that anyone is blaming me. I mean, it would be pretty weird for my boss to point his finger at me and say, “Dammit Andrew, as a graphic designer you should have KNOWN we were going to have network security problems and taken steps to prevent them!” I’m only as good as the products I have at my disposal, which up to now have been pretty meager. We are now running Pest Patrol, and barring some revelation or catastrophe will doubtless purchase the full package when our demo expires. Like most folks, once the digital equines have fled the outbuilding, we slammed the door on those suckers.

Fortunately, I have some very smart people I can fall back on to help to identify and neutralize the problem. I just wish I was one of them.

3 Responses to “The Spyware Who Loved Me”

  1. Tricia SB Says:

    Things like that are so frightening. What really bugs me is that it’s so incredibly easy to get spyware crap on our computers, and such a pain in the butt to find and remove them. I’m a web girl, not a systems girl, but I find it hard to believe that there isn’t something that hardware and/or software makers could do to reduce the ability of these programs to swoop in and do their dirty business.

    Which reminds me, there was a piece on BoingBoing this week about how the holiday season means that people of our generation go home to remove viruses and spyware from our families’ computers. Apparently, there’s a discussion on Slashdot about which clean-up programs you should burn onto a CD to be prepared for the inevitable requests.

  2. Uncle Andrew Says:

    Hey Trish! I saw that Slashdot article too. I’m really quite enamoured of Pest Patrol, though it’s quite obvious that no single application will do the job. I’m thinking a delicious combination of Pest Patrol and Ad Aware. I also migrated our whole office over to Firefox, which ought to help.

  3. Tricia SB Says:

    Joe & I have installed Firefox on our home machines, but I don’t consider us fully “migrated” yet, since Windows keeps opening IE automatically in certain cases (clicking on links in email, etc.). Did you find a workaround for that in your office?

    Another thing I really want to do is get rid of Outlook to avoid the security problems there, but I’m not thrilled with the alternatives. I sync my Palm Pilot to Outlook for tons of scheduling (deadlines, meetings, etc.). I haven’t seen an alternative mail app with a scheduling function I can sync with the Palm. Ditching Outlook will probably mean replacing it with two separate apps: one for mail/contacts, and Palm Desktop for scheduling. Maybe if I dawdle long enough, one of the alternative mail apps will pull it together.

    By the way, in the current Action Figure Diary (#19), you can just barely see one of those little metal lizard-things you gave us on the wall in the background of panels 4 & 5. I just noticed it today.


All portions of this site are © Andrew Lenzer, all rights reserved, unless otherwise noted.