Invisible Malware Install 65MB Large

Paperghost writes "Words fail me with this one - don't have the .NET framework on your PC to utilise the adware maker's technology? No problem, they'll download it for you without you knowing. The problem is that it's a sixty-five megabyte install." From the article: "...the size of the .NET framework to download can vary drastically depending on what extras you have - don't forget the service packs, SP1 is an extra 10 or so MB in size. But I'm actually understating the amount of space used when installed, as .NET can total up to 100MB."

NewDotNet

[Zorilla]

This reminds me of a couple years ago when many piece of software came bundled with spyware called NewDotNet that claimed to be "needed for next generation internet applications" - just around the same time MS started pushing .NET

I remember uninstalling it from a bunch of machines because people asked, "Do I need this?" Yes....

dialup

[Anonymous Coward]

This strikes me as woefully ineffective for anyone using dialup. Will the program force them to stay connected until the download finishes?

Good!

[mwa]

Now I know how to install it without clicking "I agree". So we'll be seeing some benchmark results on .NET real soon now, right?

Re:Ok, but...

[WalterGR]

Excellent question. Is this a browser vulnerability? Or is the installer in question the one you get by going to the BroadcastPC download page [broadcastpc.tv] and clicking the big "Download BroadcastPC" link?

While it seems that the installer downloads the .net Framework redistributable without informing the user, I see nothing to suggest that *BroadcastPC* is installed without the user being aware.

65MB is nothing!

[kaleco]

BT Internet recently doubled the downstream rate on most of their broadband accounts, and after looking at the spyware penetration on some friends' Windows machines, 65MB malware seems completely plausible.

Re:omfg

[mike5904]

Well, to be honest I'm not sure I would. I actually downloaded the .NET SDK the other day, and although it did make my web browsing a little (not unusably) slower, it only took about 3 minutes. Also, a lot of people this is targeting probably are used to having a bunch of malware on their computers, so the disk activity from the installer or the slowdown of their internet connection might seem normal to them. If the viru^H^H^H^Hmalware authors really wanted to be covert about it, they could just have it wait for the mouse and keyboard to be idle for a few minutes, and start then, and if activity resumed, just throttle the download.

Re:zerg

[defishguy]

The long and short of it is probably yes. The Windows Installer runs in the system context and not the user context when the client is a part of an AD domain.

Running the Windows Installer in the system context is the only way that the directory can manage software on the client.

Kudos to MS for another brilliant design!

Re:awesome

[spektr]

OMG, y0 n00b, just include affiliates.microsoft.com in sources.list and do aptitude update && yes y to hell with it|aptitude distupgrade.

Not necessarily

[jesterzog]

Now I know how to install it without clicking "I agree". So we'll be seeing some benchmark results on .NET real soon now, right?

Just make sure you read every line of the agreement for whatever application installs the spyware. If they're being cautious, they probably have a line similar to "We might install the .NET framework on your behalf, and therefore you must read and agree with all of the Microsoft .NET framework terms of service outlined at [url]", right next to the statement about how they're going to install spyware on your PC.

This isn't to say that any of it would necessarily hold up if tested in court, and it doesn't mean that Microsoft wouldn't have "issues" with the spyware distributor for bypassing the display of their license to the user installing the software. But if you're the sort of person who cares about clicking 'I agree' at all, then you should probably consider this, too.

whoever wrote this article

[dogfull]

sure left some questions unanswered.

1.
In what way does the malware use the VM? Can it collect data from within the VM (thus making it a security hole in .NET), or does it run as a normal process and use the VM for displaying data?

2.
Is this possible to happen behind a firewall, of say, SP2? I've heard of malware that slips through it, though I haven't encountered it (I run slack 10 :)). But I'm concerned since my family runs windows, and I'll be the one to clean it. I'm sure I'm not the only /.'er who feels this way.

Cheers

Re:.NET security

[Anonymous Coward]

Yes because "sending data" is only possible with the .NET framework or a .NET language.

It's funny how the zealots are ranting about FUD and lies, when you see (not only about this article) on ./ that they have no problems embracing the same tactics.

Re:Symbiotic viruses

[BlueFashoo]

Don't forget the endosymbiotic bacteria. How amazing is it that we have the descendents of some proteobacteria (mitochondira) living within our cells. They're built just like a eubacteria, have their own DNA, and 16s RNA analysis places them very close to a similar free living bactera. The same can be said about the chloroplasts in plants, except they are similar to the oxygenic photoautotrophic cyanobacteria. A few simple eukaryotic organisms do exist without mitochondria, but the vast of eukaryotic organsisms do have them. We don't merely share a common ancestor with microbial life, we are dependant upon them for our very existence.

Re:NewDotNet

[rs79]

"Just what is running on most websites that use those, anyway, I wonder?"

Do you always criticize things you don't know anything about? Although I can't say new.net was a shining example of alt.tld-ness.

But, to answer your question, no spam, for one thing. No malware, no viruses. Just people cooperating. And yes there is content that you can't see using the legacy root.

With djbdns and Bind-PE/Treewalk offering alt.dns optins there's now enough people using them that I'm seriously thinking about rejecting all mail not from alt.tlds. It'e been a slice, but I'm sick of the crap. You want to talk to me? Here's how you do that. Your choice.

At one point 2 of the ICANN board members used alternate roots. Now they're all lawyers and other slime, the techies didn't last.

Re:65 MB without the user knowing?

[shawb]

It's a difference in semantics. You are saying that the Installer is 23MB, while the article is saying the hard drive had 65 Megs less on it afterwards, which makes sense as the installer program would be uncompressed and likely not even automatically deleted from the hard drive after the install completes, using up disk space. In fact the article even states that the download is 23 megs.

But the slashdot post was worded poorly, IMO. Install is often mistaken for Installer. I read it that way at first and then wondered why the article said that 23 Meg was downloaded. Gave me a moment of confusion.

Re:NewDotNet

[Anonymous Coward]

NewNet spyware and scumbag phish sites did incalcuable damage to the noble idea of alternate roots. As an altroot fan, you should be outraged.