Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security IT

Invisible Malware Install 65MB Large 381 381

Paperghost writes "Words fail me with this one - don't have the .NET framework on your PC to utilise the adware maker's technology? No problem, they'll download it for you without you knowing. The problem is that it's a sixty-five megabyte install." From the article: "...the size of the .NET framework to download can vary drastically depending on what extras you have - don't forget the service packs, SP1 is an extra 10 or so MB in size. But I'm actually understating the amount of space used when installed, as .NET can total up to 100MB."
This discussion has been archived. No new comments can be posted.

Invisible Malware Install 65MB Large

Comments Filter:
  • NewDotNet (Score:5, Interesting)

    by Zorilla (791636) on Saturday March 05, 2005 @06:04PM (#11854958)
    This reminds me of a couple years ago when many piece of software came bundled with spyware called NewDotNet that claimed to be "needed for next generation internet applications" - just around the same time MS started pushing .NET

    I remember uninstalling it from a bunch of machines because people asked, "Do I need this?" Yes....
  • dialup (Score:1, Interesting)

    by Anonymous Coward on Saturday March 05, 2005 @06:06PM (#11854969)
    This strikes me as woefully ineffective for anyone using dialup. Will the program force them to stay connected until the download finishes?
  • Good! (Score:5, Interesting)

    by mwa (26272) on Saturday March 05, 2005 @06:09PM (#11854994)
    Now I know how to install it without clicking "I agree". So we'll be seeing some benchmark results on .NET real soon now, right?
  • Re:Ok, but... (Score:2, Interesting)

    by WalterGR (106787) on Saturday March 05, 2005 @06:28PM (#11855124) Homepage

    Excellent question. Is this a browser vulnerability? Or is the installer in question the one you get by going to the BroadcastPC download page [broadcastpc.tv] and clicking the big "Download BroadcastPC" link?

    While it seems that the installer downloads the .net Framework redistributable without informing the user, I see nothing to suggest that *BroadcastPC* is installed without the user being aware.

  • 65MB is nothing! (Score:5, Interesting)

    by kaleco (801384) <greig.marshall2@b t i n t e rnet.com> on Saturday March 05, 2005 @06:30PM (#11855141)
    BT Internet recently doubled the downstream rate on most of their broadband accounts, and after looking at the spyware penetration on some friends' Windows machines, 65MB malware seems completely plausible.
  • Re:omfg (Score:2, Interesting)

    by mike5904 (831108) on Saturday March 05, 2005 @06:30PM (#11855144)
    Well, to be honest I'm not sure I would. I actually downloaded the .NET SDK the other day, and although it did make my web browsing a little (not unusably) slower, it only took about 3 minutes. Also, a lot of people this is targeting probably are used to having a bunch of malware on their computers, so the disk activity from the installer or the slowdown of their internet connection might seem normal to them. If the viru^H^H^H^Hmalware authors really wanted to be covert about it, they could just have it wait for the mouse and keyboard to be idle for a few minutes, and start then, and if activity resumed, just throttle the download.
  • Re:zerg (Score:4, Interesting)

    by defishguy (649645) on Saturday March 05, 2005 @06:37PM (#11855184) Journal
    The long and short of it is probably yes. The Windows Installer runs in the system context and not the user context when the client is a part of an AD domain.

    Running the Windows Installer in the system context is the only way that the directory can manage software on the client.

    Kudos to MS for another brilliant design!
  • Re:awesome (Score:4, Interesting)

    by spektr (466069) on Saturday March 05, 2005 @06:43PM (#11855233)
    OMG, y0 n00b, just include affiliates.microsoft.com in sources.list and do aptitude update && yes y to hell with it|aptitude distupgrade.
  • Not necessarily (Score:4, Interesting)

    by jesterzog (189797) on Saturday March 05, 2005 @06:51PM (#11855282) Homepage Journal

    Now I know how to install it without clicking "I agree". So we'll be seeing some benchmark results on .NET real soon now, right?

    Just make sure you read every line of the agreement for whatever application installs the spyware. If they're being cautious, they probably have a line similar to "We might install the .NET framework on your behalf, and therefore you must read and agree with all of the Microsoft .NET framework terms of service outlined at [url]", right next to the statement about how they're going to install spyware on your PC.

    This isn't to say that any of it would necessarily hold up if tested in court, and it doesn't mean that Microsoft wouldn't have "issues" with the spyware distributor for bypassing the display of their license to the user installing the software. But if you're the sort of person who cares about clicking 'I agree' at all, then you should probably consider this, too.

  • by dogfull (819023) on Saturday March 05, 2005 @07:16PM (#11855402)
    sure left some questions unanswered.

    1.
    In what way does the malware use the VM? Can it collect data from within the VM (thus making it a security hole in .NET), or does it run as a normal process and use the VM for displaying data?

    2.
    Is this possible to happen behind a firewall, of say, SP2? I've heard of malware that slips through it, though I haven't encountered it (I run slack 10 :)). But I'm concerned since my family runs windows, and I'll be the one to clean it. I'm sure I'm not the only /.'er who feels this way.

    Cheers
  • Re:.NET security (Score:1, Interesting)

    by Anonymous Coward on Saturday March 05, 2005 @08:07PM (#11855720)
    Yes because "sending data" is only possible with the .NET framework or a .NET language.

    It's funny how the zealots are ranting about FUD and lies, when you see (not only about this article) on ./ that they have no problems embracing the same tactics.
  • Re:Symbiotic viruses (Score:2, Interesting)

    by BlueFashoo (463325) on Sunday March 06, 2005 @12:36AM (#11857067)
    Don't forget the endosymbiotic bacteria. How amazing is it that we have the descendents of some proteobacteria (mitochondira) living within our cells. They're built just like a eubacteria, have their own DNA, and 16s RNA analysis places them very close to a similar free living bactera. The same can be said about the chloroplasts in plants, except they are similar to the oxygenic photoautotrophic cyanobacteria. A few simple eukaryotic organisms do exist without mitochondria, but the vast of eukaryotic organsisms do have them. We don't merely share a common ancestor with microbial life, we are dependant upon them for our very existence.
  • Re:NewDotNet (Score:3, Interesting)

    by rs79 (71822) <hostmaster@open-rsc.org> on Sunday March 06, 2005 @12:43AM (#11857091) Homepage
    "Just what is running on most websites that use those, anyway, I wonder?"

    Do you always criticize things you don't know anything about? Although I can't say new.net was a shining example of alt.tld-ness.

    But, to answer your question, no spam, for one thing. No malware, no viruses. Just people cooperating. And yes there is content that you can't see using the legacy root.

    With djbdns and Bind-PE/Treewalk offering alt.dns optins there's now enough people using them that I'm seriously thinking about rejecting all mail not from alt.tlds. It'e been a slice, but I'm sick of the crap. You want to talk to me? Here's how you do that. Your choice.

    At one point 2 of the ICANN board members used alternate roots. Now they're all lawyers and other slime, the techies didn't last.

  • by shawb (16347) on Sunday March 06, 2005 @12:49AM (#11857120)
    It's a difference in semantics. You are saying that the Installer is 23MB, while the article is saying the hard drive had 65 Megs less on it afterwards, which makes sense as the installer program would be uncompressed and likely not even automatically deleted from the hard drive after the install completes, using up disk space. In fact the article even states that the download is 23 megs.

    But the slashdot post was worded poorly, IMO. Install is often mistaken for Installer. I read it that way at first and then wondered why the article said that 23 Meg was downloaded. Gave me a moment of confusion.
  • Re:NewDotNet (Score:1, Interesting)

    by Anonymous Coward on Sunday March 06, 2005 @12:52AM (#11857131)
    NewNet spyware and scumbag phish sites did incalcuable damage to the noble idea of alternate roots. As an altroot fan, you should be outraged.

Machines that have broken down will work perfectly when the repairman arrives.

Working...