Channel 9 Forums - Tech Off - IE8 picked up spyware (too quickly)

Channel 9 Forums - Tech Off - IE8 picked up spyware (too quickly) http://mschnlnine.vo.llnwd.net/d1/Dev/App_Themes/C9/images/feedimage.png Channel 9 Forums - Tech Off - IE8 picked up spyware (too quickly) http://channel9.msdn.com/Forums Channel 9 keeps you up to date with the latest news and behind the scenes info from Microsoft that developers love to keep up with. From LINQ to SilverLight – Watch videos and hear about all the cool technologies coming and the people behind them. http://channel9.msdn.com/Forums en Sat, 25 May 2013 07:58:14 GMT Sat, 25 May 2013 07:58:14 GMT Rev9 5 -5 -1 Tech Off - IE8 picked up spyware (too quickly) I installed IE8 on a Windows XP SP3 computer (new and clean install, fully patched system, running Windows Defender, NOD32 antivirus and windows malicious software removal tool). I used it for about 2 days (with a limited account) and then I ran a SpywareDoctor* scan.

It found a spyware called Spyware.BaiDu!

No warez, porn, file-sharing site was visited and I haven't installed any toolbars or adds-ons.

Any ideas how to avoid such infections?

It'd be interesting to see a test in which somebody visits specifically dangerous sites with IE8 and see how many malware is picked up.

( I won't do it for you... Smiley

I copy here the log file of SpywareDoctor.

Notice that it seems that the spyware modified registry. Again: it was used under a limited account. :-/

( *SpywareDoctor is a software which is included in Google Pack - a collection of essential softwares distributed by Google. )

2009.03.22. 21:34:30:390

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, BlockType

2009.03.22. 21:34:30:390

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, CompatibilityFlags

2009.03.22. 21:34:30:390

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, DllName

2009.03.22. 21:34:30:390

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, MasterCLSID

2009.03.22. 21:34:30:390

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, Version

2009.03.22. 21:34:30:390

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Key

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}

2009.03.22. 21:34:30:421

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}, BlockType

2009.03.22. 21:34:30:421

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}, CompatibilityFlags

2009.03.22. 21:34:30:421

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}, DllName

2009.03.22. 21:34:30:421

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Value

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}, Version

2009.03.22. 21:34:30:421

Infection was detected on this computer

Threat Name - Spyware.BaiDu

Type - Registry Key

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}

]]> http://channel9.msdn.com/Forums/TechOff/462138-IE8-picked-up-spyware-too-quickly/462138#462138 Mon, 23 Mar 2009 21:07:51 GMT http://channel9.msdn.com/Forums/TechOff/462138-IE8-picked-up-spyware-too-quickly/462138#462138 akopacsi 5 http://channel9.msdn.com/Niners/akopacsi/Discussions/RSS Tech Off - IE8 picked up spyware (too quickly) From the little Google searching I just did (I don't use Spyware Doctor myself), I'm inclined to think that this may be a false positive. The program that PCTools calls Spyware.BaiDu is a BHO, and therefore should be registered in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, not in \Extension Compatibility\... I think Spyware Doctor may be picking up on Internet Explorer's BHO blacklist or list of compatibility shims.

]]> http://channel9.msdn.com/Forums/TechOff/462138-IE8-picked-up-spyware-too-quickly/3c9f94e7006f4aeba9ac9deb0004aa5c#3c9f94e7006f4aeba9ac9deb0004aa5c Mon, 23 Mar 2009 22:37:43 GMT http://channel9.msdn.com/Forums/TechOff/462138-IE8-picked-up-spyware-too-quickly/3c9f94e7006f4aeba9ac9deb0004aa5c#3c9f94e7006f4aeba9ac9deb0004aa5c JonathonW 5 http://channel9.msdn.com/Niners/CannotResolveSymbol/Discussions/RSS Tech Off - IE8 picked up spyware (too quickly) Hmm, a spyware detector included in Google Pack claims that a Baidu BHO is spyware.

Baidu is a popular search engine in China, more popular than Google China.

There seems to be a conflict of interest here...

]]> http://channel9.msdn.com/Forums/TechOff/462138-IE8-picked-up-spyware-too-quickly/1347a897cebe419084c09deb0004aa83#1347a897cebe419084c09deb0004aa83 Wed, 25 Mar 2009 06:03:02 GMT http://channel9.msdn.com/Forums/TechOff/462138-IE8-picked-up-spyware-too-quickly/1347a897cebe419084c09deb0004aa83#1347a897cebe419084c09deb0004aa83 Joe Chung 5 http://channel9.msdn.com/Niners/joechung/Discussions/RSS Tech Off - IE8 picked up spyware (too quickly)

joechung said:

Hmm, a spyware detector included in Google Pack claims that a Baidu BHO is spyware.

Baidu is a popular search engine in China, more popular than Google China.

There seems to be a conflict of interest here...

What's even more surprising is that it appears that the said spyware detector does a blind scan ignoring the usage of registry keys. Even if that "Extension Compatibility" key is not documented it should be pretty obvious what it does. Besides, if the computer was really infected then shouldn't the dll file be somewhere around?

]]> http://channel9.msdn.com/Forums/TechOff/462138-IE8-picked-up-spyware-too-quickly/7640b8b824c64486a1d39deb0004aaab#7640b8b824c64486a1d39deb0004aaab Wed, 25 Mar 2009 08:48:10 GMT http://channel9.msdn.com/Forums/TechOff/462138-IE8-picked-up-spyware-too-quickly/7640b8b824c64486a1d39deb0004aaab#7640b8b824c64486a1d39deb0004aaab Dexter 5 http://channel9.msdn.com/Niners/Dexter/Discussions/RSS Tech Off - IE8 picked up spyware (too quickly)

joechung said:

Hmm, a spyware detector included in Google Pack claims that a Baidu BHO is spyware.

Baidu is a popular search engine in China, more popular than Google China.

There seems to be a conflict of interest here...

Actually, McAfee detects it too... it's classic adware, installing a useless toolbar and creating unwanted connections to other internet servers (possibly transmitting personal data to those servers).

If you don't see the toolbar, you don't have it installed. Chalk this one up to a poorly-programmed spyware scanner.

]]> http://channel9.msdn.com/Forums/TechOff/462138-IE8-picked-up-spyware-too-quickly/9c7dc42f050e488d8a899deb0004aad3#9c7dc42f050e488d8a899deb0004aad3 Wed, 25 Mar 2009 13:41:50 GMT http://channel9.msdn.com/Forums/TechOff/462138-IE8-picked-up-spyware-too-quickly/9c7dc42f050e488d8a899deb0004aad3#9c7dc42f050e488d8a899deb0004aad3 JonathonW 5 http://channel9.msdn.com/Niners/CannotResolveSymbol/Discussions/RSS