“At our site, we use a number of techniques to detect malware infestation on our Windows XP-based PCs. One of these is the monitoring of auto-run locations in the Windows registry, because most malware installs itself to run automatically at system startup or logon time.

The other day our system called out a piece of auto-running software in the user account of a visitor to our site, who was on loan to us for a week from a UK government institution. I assumed it was yet another minor piece of drive-by malware from a Web site, took our usual first-level action (remove registry entry, delete software) and assumed that would be that.”

Next day, the software was back. I took a closer look. It had installed a directory called “Whale Communications” in the “Program Files” directory, containing a .EXE file and numerous DLLs. I carefully checked the registry of the PC, re-deleted the software (this required killing Internet Explorer on the PC), and waited. Within an hour, it was back.

Now, when we get to this point, one of two things is usually going on; either the user is hitting a particular porn/warez/game site very hard, or the malware uses some fairly classy techniques to keep itself installed. So I disabled the user’s account, rebooted the PC, and waited for the phone to
ring.

Well, it turns out that all he was doing was reading his home office e-mail. His organisation uses a “key-ring” code generator gadget which requires code to be running on the client PC. So their remote e-mail portal detects whether this code is present, and if not, the browser automagically
downloads it to the PC and installs it to auto-run.

Slightly shocked at the rudeness (not to mention unreliability) of this approach, I called the organisation’s IT department. My suggestion that it might not be a good idea to work this way was greeted with very little comprehension. Apparently, their in-house culture is that anyone is allowed
to download anything they like, and nobody had given much thought to whether different rules might apply elsewhere (at our site, we can potentially have people physically removed from the building in such cases).

I pointed out that there are plenty of challenge-response solutions out there which are entirely Web-based and don’t require what, in many jurisdictions, would be regarded as vandalism or hacking of the PC being used, but the response was “well, this is the first time we’ve heard about
this problem”.

So the risks are multiple, ranging from being unable to get to your e-mail from any Internet cafe’ as promised, if said Internet cafe’ runs an OS for which the client software isn’t available and/or has download blocking in operation, through to potential expulsion from the country or imprisonment
(I don’t like to think what might have happened had the person in question been using a computer in a US federal government office or one in several countries which I could name).”

---

Filed under: Security - @ June 15, 2007 12:06 pm