PGTS Humble Blog
Thread: Microsoft (Decline Of)
|Gerry Patterson. The world's most humble blogger|
|Mission Accomplished -- George Bush, 2003.|
Windows 10 - Cheap At half The Price
Chronogical Blog Entries:
Date: Sat, 10 Dec 2016 14:48:22 +1100
Could the end times be near? The signs are inauspicious dear reader. We have a reality TV clown about to assume the office of President of The United States. Microsoft have got serious about their user security. And your humble blogger endorses one of the their products. Yes, dear reader your blogger found himself using Windows on a laptop. Even though your blogger regularly uses Windows in the workplace, colleagues will be aware that he had a strict policy of wall-to-wall Ubuntu clients on the humble network (PGTS). This is because of the superior security model that Ubuntu clients employ. Well if it is not the end times ... Perhaps it is the end of civilisation as we know it?
Recently your blogger had to start using a Windows 7 laptop. Your blogger initially approached the device with some caution ... Well founded, as it turned out ... It may not come as a big surprise that the laptop had, in fact, been infected with "malware" ... It's a long story ... But the short version is the previous owner had downloaded several "free" programs and had been using an "Administrator" account to conduct routine activities.
Now without going into the long version of the story, your blogger really did have a pressing need to use a Windows client, and so reluctantly decided to remove the malware. ... How hard could it be? ... Read on for a brief summary of this mini saga ...
The Windows 7 laptop had obviously been hacked. Searches were automatically redirected to www-searching.com. And Windows Update would not work.
Quite a bit of the advice about such malware suggests that one should "uninstall" the unwanted software. However your blogger was not all that enthusiastic about using an uninstall process which could possibly have been provided or poisoned by the supplier of the malware, and instead opted for manual deletion.
This was quite challenging because there were numerous points where malicious software had been injected into the system:
Suspicious looking executables. These were mostly in AppData/Local and in "Program Files (x86)". But some of them were in isolated folders. It's possible to find these with a search using the forfiles command with the /D and /S options, searching for "*.exe" and ".dll" and redirecting the output to a plain text file and studying it carefully.
- Hacked /etc/hosts.
Something had hacked /etc/hosts with this line:
Suspicious looking registry entries. There were large numbers of registry entries that were suspicious and obviously hacked. If the correct settings were obvious they were corrected. Otherwise a google search would usually reveal the correct settings. The registry in this laptop had numerous versions of network configurations that had been introduced and or hacked with the following primary and secondary DNS:
nameserver 220.127.116.11 nameserver 18.104.22.168And there were many registry keys with www-searching.com and their product called "Search Tool" (More about them later)
Suspicious looking programs in startup folder. There were numerous programs in "startup" ... Most of them seemed unnecessary or dubious. As a remedial action, all of them were disabled or removed.
Suspicious looking scheduled tasks. There were multiple scheduled tasks that would launch at startup and/or login and/or regular intervals. Many of them ran executables and .js scripts (which helped identify more suspicious executables). Several of these mentioned the infamous "search tool"
Suspicious looking services. There were several unknown services. Google searches usually confirmed that they were potential adware.
Browser configuration hacked Configuration settings in all browsers, especially preferred search engine had been hacked. This was tedious. Because each browser has its own specific set of instructions (lots of Googling for configuration settings here). The desktop icons for all browsers had also been hacked with www-searching.com parameters, passed on the command line for launching the icon. This meant that clicking on the icon took the browser directly to the Malware owner's site, rather than starting up the browser cleanly.
The cleanup process was long and tedious ... For security reasons, Internet searches and downloads (where necessary) were conducted on a separate (Ubuntu) workstation ... Eventually tired and bleary-eyed, your humble blogger managed to wrest back control of the browsers and Windows update was working again. A large number of updates were downloaded and everything worked with one exception (which worryingly was a security update --- More about this later)
After this your blogger decided to upgrade to Windows 10, since there were rumours of a new release of "Windows Defender", an upgraded version of an anti-spyware product that had been released earlier for Windows 7. However when Windows Defender was deployed (after the W10 update) it would only scan. Windows Defender would not enter "real-time protection" mode because it reported that there was another anti-virus program handling security.
This seemed odd (and troubling) since all Anti-Virus products including a suspicious looking one called "OneSystemCare" (almost certainly malware), had been removed prior to the W10 update. The update had retained existing apps and data. A Google search revealed that Windows Defender would not run if it detected "remnants" of a previous anti-virus program that had been "manually" removed.
This was when your blogger made another disturbing discovery ... Existing accounts had been cleaned up, but when a new local account was added, the browsers were all hacked with the www-searching.com malware. A search of the drive with findstr revealed that there were several files that stored default settings that would be used in the initial setup of browsers when the Desktop was created on first login. The hack had corrupted initial settings for Firefox and Chrome, but Edge was not affected. Either because the authors had not caught up with Edge at the time the malware was created, or because Microsoft had since improved the security of Edge. (Although on reflection ... The most likely reason is that Edge was installed with W10)
At this stage it seemd a complete cleanup process could easily take several more hours and even then there was no guarantee that Windows defender would work ... It might still think that there was something (remnants?) already handling Anti-virus activities. It seemed to be an opportune to time to "Call in the heat". Your blogger went googling for Windows anti-virus software. Naturally there was a huge amount on offer. Windows, quite deservedly, is famous for malware and there was a lot on offer ... But a lot of it looked to be almost as nasty as the malware that your blogger wanted to get rid of. A close inspection of the websites for any "free" anti-virus product left your humble blogger feeling quite uneasy. The premium products looked much better ... But generally after starting off with generous cheap offers, most of them ended up being in the vicinity of $40 AUS per year. And there was still the niggling doubt that the anti-virus products might have the same problems that Windows Defender seemed to be having. (Although there is a good chance that third party products would be less coy about blowing away remnants of another Anti-virus product?)
Perhaps a strategic response rather than a tactical one was required? There was an Advanced Startup option which offered to re-install Windows. A lot of this seems to be a work-in-progress, so the location of the option may change as Microsoft improve on it. At the time it seemed like an excellent option ... A pre-emptive strike that would nuke everything ... True to its word ... The advanced startup option completely erased the disk, all accounts and all non-Microsoft programs, downloading and re-installing a brand new default windows 10 operating system with no apps and no data ... Very impressive! The basic network settings for the default user had been preserved but there was good reason to be confident that they were ok.
The first program your blogger enabled on his now clean brand new windows 10 system was "Windows Defender".
Windows Defender seems to behave much like premium anti-virus programs (which will probably make many of them concerned about their future business model). Windows Defender downloads signatures regularly (from windows updates). If real time protection is "on" (highly recommended), you must confirm that it is ok to make any modifications and if you are not already running as an Administrator (highly recommended that you do not) then you must enter the administrator password in order to carry out the modification. This is in the fact the default behavious of "proper" operating systems (such as Mac OS and Ubuntu).
All in all, Windows 10 (with the Anniversary Update) is a truly remarkable Microsoft Operating System. Remarkable because it is the first time in Microsoft's long sad history that they seem to have taken their customer's security seriously. Up until now all we have had is more BS about how security is the responsibility of the user ... Blah, blah ... While malware author's have feasted on the bloated body of unnecessary frills, eye-candy and strategic corporate BS ... And the anti-virus industry has flourished along with a shadowy under-world of faux anti-malware providers that are in all probability installing more malware ... Windows 10 appears like a light at the end of a long tunnel ... Let's just hope that is not the headlight of an oncoming train!
The Windows 10 interface is pared-down, minimalist and despite the amount of back-chat to Microsoft (for security and advertising) it is quite responsive. The browser that Microsoft supply, Edge, seems to be a browser that, apart from a little too much advertising, does not appear to try any (obvious) "dirty tricks" and complies with generally accepted web standards. The OS itself is a genuine 64-bit, genuine multi-user OS. There are many improvements in security, most of them long over-due ... And now at last Microsoft have produced their own Anti-Virus (AV) product. Your blogger expects considerable FUD from shills spruiking the benefits of third party AV products. But despite such in-house endorsements, competing with a product embedded in the OS, getting almost daily updates from the company that created the OS, seems like a big challenge for the AV industry. ... Already the price of some of the premium AV products has decreased dramatically. This will probably precipitate a race to the bottom that will shake out the entire industry.
Microsoft getting serious about security was a necessary pre-condition to them taking charge (and responsibility?) of the new multi-device platform that they wish to roll out. It only took 30 years, dear reader ... Was it worth the wait?
It also seems that this is paying off. W10 has established itself well in the domestic market and is clearly leading W8 (no surprises there). However W7 now has such a well established base in the big end of town that it may hang on to its market leader spot for some time. Also the big business corporate sector has shown itself to be very slow to change (many of them are still ridding themselves of XP and Server 2003). From the point of view of profits, it seems easy enough to appreciate Microsoft's decision to withdraw the "free upgrade" option for W7 and W8 users ... But from a strategic point of view it remains puzzling why Microsoft don't bite the bullet and just offer (especially W8) users an ongoing, no strings, free upgrade path to W10. W8 will not make significant gains in the big end of town and while it remains in the marketplace it just reminds consumers of why Microsoft has a poor reputation.
Those of you who know your humble blogger well will probably gasp in astonishment at the next sentence ... Your blogger, after cutting himself a large slice of humble pie and sitting in the corner and choking a little on said hard cold slice, will admit that Windows 10 might be an acceptable choice for someone contemplating a new computer. Provided you followed certain precautions (more about this in a subsequent blog), Windows 10 could be considered in the same class as real operating systems like Ubuntu, or Mac OS.
Who Are These Guys Anyway?
But this left your blogger wondering how a bunch of neer-do-wells like those who run www-searching.com can do so with impunity. This criminal enterprise is well resourced and there is evidence in Google of activity in their current form, going back to January, 2015. And there is there some evidence that the model they use goes back to October 2012. It's not as though they are hiding their light under a bushel ... They are hanging out their shingle proudly and a google search will take you straight there (albeit Firefox does show search results with several inauspicious matches on the first page). WARNING: If you use an older Windows computer that does not have a legitimate up-to date anti malware app then you should not go anywhere near this site! ... Or maybe it doesn't matter? Your computer may be so wormy and infected by now that it won't really matter? ... Nevertheless despite this nefarious activity, www-searching.com are still up on the net using a server farm hosted by Amazon Web Services (AWS). They use multiple DNS entries which cycle through different IP addresses on a regular basis. Your blogger went to check the site for the DNS hosting service for AWS (MarkMonitor.com), and observed the following slick flashing slogans slipping past on the screen.
Smart brands protect their revenues online. Over half the Fortune 100 rely on MarkMonitor
Bottom line, an online brand protection strategy delivers measurable ROI
Great brands trust us to help them fight online counterfeiting and piracy
Now you can have visibility into the Dark Web. Introducing MarkMonitor Dark Web and Cyber Intelligence
The last one brought a wry smile to your bloggers humble lips ... Yes, AWS is indeed giving unwary Windows users a very thorough introduction to the Dark Web by hosting the www-searching.com scumbags. But after all this time, what is their excuse? Is it ignorance or do they just not care? ... As long as they get their money?
There are also serious questions about the domain privacyprotect.org which has registered the www-searching.com domain. They state that they will not respond to mail sent to their purported registered address: PO Box 16, Nobby Beach, QLD 4218 (Australia). This seems suspicious enough. However the fact that they use their very own dubious services to register their own identity is circuitous, self-referential and would be laughable if it wasn't so clearly shady and most likely a front for scammers and criminals.
The address in Queensland was originally started up by an organisation called HotSnail, which offers an email forwarding service. Each account number should be quoted before the PO box number. When ordinary mail arrives, if the account number is valid, HotSnail will then scan and forward it to the account holder via email. HotSnail do have a valid address, and the owner claims that privacyprotect.org no longer have a valid account with HotSmail ... Which means that the address listed in the registry entry for privacyprotect.org is not just shady ... It is false.
Digging a little deeper into this cesspit reveals that privacyprotect.org is registered by an organisation called publicdomainregistry.com (PDR), with a genuine whois entry and an official looking website. So there are questions here for AWS and the (supposed legitimate) registrant PDR ... Why do they both continue to be complicit in the hosting of www-searching.com? And while they might claim that they are not responsible for the content provided by the organisations they provide services for, surely they have some duty to make sure that the details provided by the registered party are true and accurate? Also it seems that Google and Mozilla are not really doing much ... While it is true that the problem is entirely a Microsoft problem and the response from Microsoft although welcome has been glacial, this particular malware targets Chrome and Firefox browsers, and both Google and Firefox could have done more to counter the growth of www-searching.com and their scammer buddies.
While it is good to see Microsoft finally making genuine endeavours to improve the security of their operating system, nothing has been done about the brazen deployment of the malware platform and the fake identities they used to to register their organisation. Your blogger must confess that, once again, another wry smile crossed his face when he discovered that now after several years of egregious malware deployment, there may be some scrutiny of these organisations, not because of their criminal activities in the area of computer exploits, but because there are hints that extreme Islamic groups may be using the fake DNS entry service to hide their identities.
Plus ca change, plus c'est la meme chose