Announcement: A New Way To Fight Malware

35 replies to this topic

#1 robotgenius (Full Member, 16 posts)

Posted 05 June 2006 - 09:23 PM

Hello All-

I am announcing a new free product from http://robotgenius.net, and hereby would like to request permission to instruct users on the forum on the suitable uses of this product in helping them with their own malware problems. The product "Spyberus" is an anti-malware tool based on a new paradigm. Unlike scanning engines or HijackThis, Spyberus works by silently observing all file creations and registry activity that occur on your machine, and storing all of this data in a database. Uninstalling malware is performed by following the trail of file creation back to the point of infection, often revealing the initial URL that the software was installed from (legit installs, buffer overflow exploits, ActiveX components, etc.). Software removal in this fashion is very thorough, and in our local tests it has been almost 100% effective in removing adware.

Although Spyberus works best when preinstalled, it is also a very effective tool in helping clean up pre-infected machines. We provide a tool that will identify the creator of popups, which the user can then delete from the filesystem. If reinstalled, we catch who did it, and iterating in this way can fully delete all malware. Similarly, if malware reinstalls after a scanning engine has been run, we catch the missed background processes that are responsible for the reinstall.

Spyberus also provides a bunch of handy tools that help in the deletion process. The "take control" button kills all running software on a system, therefore allowing the user to delete files and registry keys without background processes constantly reinstalling. A driver component acts as an "internal process firewall" by blocking "dll injection" attacks by malware, ensuring that malware can be removed from RAM. The "popup id" button mentioned above can not only identify the file responsible for the popup, but can point to the software package and download URL that the file came from. In our upcoming release, we will protect against unauthorized driver installations.

Best of all, Spyberus allows you to turn the tables and "spy" on the bad guys. Our UI works in real time and intuitively allows you to view product installations file by file as they appear on your system. Packages that claim to have uninstalled themselves can be revealed as lying, and a quick "package properties" view can summarize any hazardous parts of the installation such as hosts file changes.

RobotGenius is an 8 person Oakland, CA based venture backed startup. We are a small but hardworking team with developers from Berkeley, Stanford and Yale who have persistently researched PC security over the past year and devised techniques that we believe will eventually eradicate malware. The RobotGenius founders previously founded SafeWeb, Inc, an SSL VPN appliance provider that was acquired by Symantec in 2003. For more details or contact information you can read about us on our website at http://robotgenius.net.

We are giving our product away for free, and follow the Google philosophy that if it is useful, the money will come in. We will also soon be offering large scale enterprise tools that will allow one system administrator to monitor and control installation and malware removal on multiple PCs. Spyberus is still in beta (albeit very mature), and version 1.0 will be coming out within the month.

We look forward to any feedback, good or bad.

#2 Budfred (Administrators, 21,526 posts)

Posted 06 June 2006 - 05:53 AM

robotgenius,

I asked you to post a description of your product and ask permission to post a link to it... Instead you posted an extensive ad with two links to the product... I am going to leave this here for now, but I want to say that your zeal to promote your product is borderline SPAM...
Budfred


#3 robotgenius (Full Member, 16 posts)

Posted 06 June 2006 - 05:27 PM

Sorry if the above message seemed like spam, it definitely wasn't my intent. And sorry about including links, I just thought the purpose for this posting was to let the open forum know a bit about us (that we are a legit group, not malware ourselves) and give the more experienced crowd a chance to determine if our product would be a useful tool in the fight against malware.

Granted, I did spend some time polishing off the message before I sent it out (I am proud of the product), but I am not sure how I could have described the features any differently in order to not sound like an ad.

#4 hornet777 (Full Member, 607 posts)

Posted 06 June 2006 - 07:25 PM

Sounds like an uber-HIPS system.

#5 jahewi (Full Member, 17 posts)

Posted 12 June 2006 - 01:02 AM

Hi all,

I hope RobotGenius can explain the following inconsistency in their own words ....

Here, in their first message, RobotGenius says:

> We are giving our product away for free, and follow the Google philosophy that if it is useful, the money will come in.

However, in their FAQ it's clearly stated that Spyberus won't be free, once version 1.0 is released.

> Is Spyberus free? How much does it cost?
>
> Currently, we are in a public beta period, and you can use Spyberus for free. However, this version will expire when we work all the bugs out, and in order to receive the release version and receive updates you will have to pay.
>
> We have not yet determined what pricing model to use. We can definitely tell you it will cost a lot less than Adobe Photoshop, and will probably be in line with what you would expect to pay for an anti-virus or anti-spyware application.



Spyberus, please enlighten us ....


Jan :)

#6 robotgenius (Full Member, 16 posts)

Posted 12 June 2006 - 01:22 PM

> Hi all,
>
> I hope RobotGenius can explain the following inconsistency in their own words ....
>
> Here, in their first message, RobotGenius says:
>
> > We are giving our product away for free, and follow the Google philosophy that if it is useful, the money will come in.
>
> However, in their FAQ it's clearly stated that Spyberus won't be free, once version 1.0 is released.
>
> > Is Spyberus free? How much does it cost?
> >
> > Currently, we are in a public beta period, and you can use Spyberus for free. However, this version will expire when we work all the bugs out, and in order to receive the release version and receive updates you will have to pay.
> >
> > We have not yet determined what pricing model to use. We can definitely tell you it will cost a lot less than Adobe Photoshop, and will probably be in line with what you would expect to pay for an anti-virus or anti-spyware application.
>
> Spyberus, please enlighten us ....
>
> Jan :)

Hello-

You are correct, there is an inconsistency in what is shown in the posting and on the website. In fact, the website is incorrect, and the wording is a relic of an internal debate about this issue. The issue is completely settled and we will be making the corresponding website changes soon, in a more general overhaul that we have been planning, probably within the week.

If you check again in a few days, the issue will be resolved.

#7 jahewi (Full Member, 17 posts)

Posted 12 June 2006 - 04:59 PM

Hi robotgenius,

Thank you for clearing that up :D

I've been testing Spyberus the last few days.
As a new member of SWI, I don't know if this topic is one in which we can start a discussion, so ..... as soon as your support forum officially opens, I'll have some questions ... ;) :p


Jan :)

#8 Thunder (Trusted Advisor, 677 posts)

Posted 13 June 2006 - 06:47 AM

Looking forward to that, Jan ^_^

#9 Indrid_Cold (Retired Staff, 7,070 posts)

Posted 14 June 2006 - 12:07 AM

Hi jahewi
You are certainly welcome to post any questions here and robotgenius is of course welcome to answer them.

#10 jahewi (Full Member, 17 posts)

Posted 15 June 2006 - 01:35 AM

Thx a lot, Indrid_Cold :)


Let me start with a compliment ;)
Spyberus looks okay, is fast and (as far as I have been testing it) does what robotgenius says it does -- when Spyberus is installed, it keeps track of any software that is installed on the computer.

But, one of my main concerns is that, even when I'm considering the fact that Spyberus is still in a Beta-stage, I'm afraid that it can do as much harm to a computer as e.g. HijackThis, in the hands of inexperienced users.
In case of a malware infection, most of the computer owners won't know which programs (or parts of ...) to remove.
Even if they do know, it can create quite a mess (which happened to me with a test of Messenger+ 3 and its 'sponsors').

Still, RobotGenius is promoting it as the solution for all malware removal.
I'm very curious how robotgenius thinks about this ...

Secondly, as mentioned above, I have tested with a number of malware infections and clean programs.
In the right list, you can view registry items and files/folders.
As we all know, a lot of programs not only install new files/folders and registry items, but also alter or even delete existing ones.
It is absolutely unclear if they are new, altered or even removed ...

For a first 'round of questions', I think this is enough for now :D


Kind regards,
jahewi :)

#11 robotgenius (Full Member, 16 posts)

Posted 15 June 2006 - 03:02 PM

Hi Jahewi-

Thanks for the comments. We are a small team (we are just 7 guys), and this type of feedback is exactly the type of thing we need right now to make this product as useful as possible.

I had some comments on some of your points....

> But, one of my main concerns is that, even when I'm considering the fact that Spyberus is still in a Beta-stage, I'm afraid that it can do as much harm to a computer as e.g. HijackThis, in the hands of inexperienced users.

It is definitely true that the Spyberus beta is initially targeted towards more sophisticated users (than most scanning engines), but it is also much more powerful. Our long term goal is to make this product usable by anyone, and even the 1.0 version (which will be coming out within the month) moves in this direction.

For now I want to point out that the “uninstall package” button on the right of the Spyberus window is a much safer way to remove adware from your machine than directly deleting files and registry keys. Much goes on behind the scenes when you press this button, including the running of registered uninstallers and system checks to make sure that critical items aren't removed but placed in the default state. We also restore web home pages, wallpaper, the browser search page, etc. to their pre-infection state, and let you know which software would have resisted removal. This button should always fully remove the selected software from your system and restore the system to a functional state (if you have found an example where this wasn't the case, please let us know, this is a bug that needs to be fixed).

In the 1.0 version we will be replacing the detailed file/registry key view on the right side of the display by a more human readable description of the key points (i.e. what desktop items, menu items, browser plugins, etc. were added). The full list of files will still be available, but not so prominently.

> Secondly, as mentioned above, I have tested with a number of malware infections and clean programs.
> In the right list, you can view registry items and files/folders.
> As we all know, a lot of programs not only install new files/folders and registry items, but also alter or even delete existing ones.
> It is absolutely unclear if they are new, altered or even removed ...

Malware definitely does this nasty trick. With the beta version of Spyberus installed, malware is forbidden from changing or deleting any critical OS system file (with the exception of Microsoft updates). We also do record modifications to existing registry keys performed by anyone, and in certain cases save to our database the original values. We intend to extend this to support the protection of third party (non-Microsoft) software files in the future, thus fully sandboxing software installations (sort of like running in a VM but without the overhead).

We also stop any attempt of malware to attack currently running in-memory software (dll injections), so that the bad guys can not hijack good software and have them perform their evil bidding.

#12 jahewi (Full Member, 17 posts)

Posted 16 June 2006 - 04:08 AM

Hi robotgenius,

First of all (in general), I hope my English (which is not my native language) is not too bad and that anyone who reads these posts and finds mistakes will just ignore them :oops:

> Hi Jahewi-
>
> Thanks for the comments. We are a small team (we are just 7 guys), and this type of feedback is exactly the type of thing we need right now to make this product as useful as possible.

I'll keep testing and diggin' ;) ... and ask questions, of course :D

> I had some comments on some of your points....
>
> > But, one of my main concerns is that, even when I'm considering the fact that Spyberus is still in a Beta-stage, I'm afraid that it can do as much harm to a computer as e.g. HijackThis, in the hands of inexperienced users.
>
> It is definitely true that the Spyberus beta is initially targeted towards more sophisticated users (than most scanning engines), but it is also much more powerful. Our long term goal is to make this product usable by anyone, and even the 1.0 version (which will be coming out within the month) moves in this direction.

I've been reading the robotgenius site, as well as a number of your blogs.
As I understand, you're planning to build a database of programs, which will be used by Spyberus to identify the bad ones.

> For now I want to point out that the “uninstall package” button on the right of the Spyberus window is a much safer way to remove adware from your machine than directly deleting files and registry keys. Much goes on behind the scenes when you press this button, including the running of registered uninstallers and system checks to make sure that critical items aren't removed but placed in the default state. We also restore web home pages, wallpaper, the browser search page, etc. to their pre-infection state, and let you know which software would have resisted removal. This button should always fully remove the selected software from your system and restore the system to a functional state (if you have found an example where this wasn't the case, please let us know, this is a bug that needs to be fixed).

Most of my tests up to now are going okay, but I tested with some clean programs and some malware installations, which can be removed easily by Spyberus :)
However, I have tried to install Messenger+ 3 (including the sponsors).
I installed it with both Spyberus and InCtrl running.
The installation failed terribly, because I got an error from Messenger+ 3, saying that it could not hook itself into Explorer (although I'm convinced that it is the 2nd LOP sponsor which tried that and failed ;)).
After ignoring and finishing the installation, Windows Explorer is useless. It constantly shuts down with an error message.
In Spyberus, there was only 1 sponsor. I removed it and Messenger+ 3 as well, but it didn't solve the problems.
However -- using a small self-made files viewer, I found out that the second sponsor was there, after all!
The second thing I noticed, using APM, was that whenever I opened an Explorer window, an iexplore.exe process was started as well :scratchhead: Then, CPU usage peaked and the Explorer window closed. The iexplore process, however, remained.

I'm not sure what caused the problems in the first place.
My guess is that Spyberus and InCtrl5 somehow collided.
I wasn't prepared for these kinds of problems, so I had to reinstall the test computer and lose probably valuable information about this incident.
This weekend, I'll start over again, with a freshly installed computer and all the necessary tools on the desktop :D
Also, I want to do some tests with 'on the fly' installation of malware and rogue scanners by malicious websites.

> In the 1.0 version we will be replacing the detailed file/registry key view on the right side of the display by a more human readable description of the key points (i.e. what desktop items, menu items, browser plugins, etc. were added). The full list of files will still be available, but not so prominently.
>
> > Secondly, as mentioned above, I have tested with a number of malware infections and clean programs.
> > In the right list, you can view registry items and files/folders.
> > As we all know, a lot of programs not only install new files/folders and registry items, but also alter or even delete existing ones.
> > It is absolutely unclear if they are new, altered or even removed ...
>
> Malware definitely does this nasty trick. With the beta version of Spyberus installed, malware is forbidden from changing or deleting any critical OS system file (with the exception of Microsoft updates). We also do record modifications to existing registry keys performed by anyone, and in certain cases save to our database the original values. We intend to extend this to support the protection of third party (non-Microsoft) software files in the future, thus fully sandboxing software installations (sort of like running in a VM but without the overhead).
>
> We also stop any attempt of malware to attack currently running in-memory software (dll injections), so that the bad guys can not hijack good software and have them perform their evil bidding.

In both cases, my question is: is Spyberus able to distinguish malware from legitimate software, or does it just block changing/deleting system files and DLL injection in (almost) any case?

One last point, at this moment:
Using APM, I discovered that almost every running process has an extra module from Spyberus in it, called RGIEmon.dll.
Of course, I'm very curious what it is for ...
However, what I don't understand is that if Spyberus is not automatically loaded at startup, the RGIEmon.dll file is still a module in almost every process.

jan :)

#13 robotgenius (Full Member, 16 posts)

Posted 16 June 2006 - 07:47 PM

Hello again-


I love the questions! Keep them coming.


> I've been reading the robotgenius site, as well as a number of your blogs.
> As I understand, you're planning to build a database of programs, which will be used by Spyberus to identify the bad ones.

> In both cases, my question is: is Spyberus able to distinguish malware from legitimate software, or does it just block changing/deleting system files and DLL injection in (almost) any case?

I put these two quotes together because the answer is related. In the beta we are blocking universally and without warning, with the exception of software in the whitelist (tools->Spyberus options->whitelists). You can see a list of what was blocked after the fact in tools->security alerts. In version 1.0 (coming out within the month) this will all change, as I describe in the next paragraph.

As mentioned above, we have built a testbed to automatically download and install executables from across the web, and have a script that identifies which software is good and bad. So far we have tested tens of thousands of executables, with the goal to cover as much of the web as possible. Version 1.0 of Spyberus will work on a permission based model: known good executables will be silently allowed full permission to perform dll injections, driver installs, etc. (so Sysinternals, debuggers, mouse drivers will work properly). If other programs attempt any of these invasions, we will be prompting the user with a warning message that lets them allow the behavior. In our current testing, most of these remaining warnings do indicate malware is present.

Our goal originally was to avoid presenting popup warnings completely, as we have observed that most users don't understand them, tire of them, and just start clicking yes to everything. At the same time, we learned with the beta that just silently blocking can occasionally cause trouble (much less often than you might think, but a problem nevertheless). We think the compromise in version 1.0 strikes the correct balance, where prompting is infrequent and usually signifies malware activity.

> Most of my tests up to now are going okay, but I tested with some clean programs and some malware installations, which can be removed easily by Spyberus :)
> However, I have tried to install Messenger+ 3 (including the sponsors).
> I installed it with both Spyberus and InCtrl running.
> The installation failed terribly, because I got an error from Messenger+ 3, saying that it could not hook itself into Explorer (although I'm convinced that it is the 2nd LOP sponsor which tried that and failed ;)).
> After ignoring and finishing the installation, Windows Explorer is useless. It constantly shuts down with an error message.
> In Spyberus, there was only 1 sponsor. I removed it and Messenger+ 3 as well, but it didn't solve the problems.
> However -- using a small self-made files viewer, I found out that the second sponsor was there, after all!
> The second thing I noticed, using APM, was that whenever I opened an Explorer window, an iexplore.exe process was started as well :scratchhead: Then, CPU usage peaked and the Explorer window closed. The iexplore process, however, remained.

Thanks for the detailed bug report. We were able to reproduce the problem here and have started to diagnose it. There seem to be two unrelated problems with this install. The missing package is still an open question (the guy who works on that code is out for the weekend, so I won't learn more until next week).
As far as explorer crashing is concerned, we have diagnosed the problem as coming from messenger+3. The problem stems from a failed dll injection hijack attempt against explorer. For those interested in the details, this particular dll injection consists of writing code into the memory space of explorer using OpenProcess with write access, followed by CreateRemoteThread. Since we block dll injections, the code injection fails, but messenger+3 still attempts the CreateRemoteThread. Of course explorer, whose new thread is running at a place in memory with corrupt data, crashes. Because messenger+3 persistently attempts to hijack explorer, it crashes every time you attempt to start it. We have some ideas on modifications to our dll injection blocking that can avoid this possibility in the future.
Note that if you press the “take control” button in Spyberus you do shut down all malware including the process that keeps trying to hijack explorer, and you can start explorer at this point using “task manager->file->new task (run)” (we verified this). Unfortunately we haven't determined the cause of the missing package yet, so the fix isn't done.

> One last point, at this moment:
> Using APM, I discovered that almost every running process has an extra module from Spyberus in it, called RGIEmon.dll.
> Of course, I'm very curious what it is for ...
> However, what I don't understand is that if Spyberus is not automatically loaded at startup, the RGIEmon.dll file is still a module in almost every process.

Almost all of the Spyberus shield is written in a driver, but we have yet to figure out how to implement popup id fully in kernel space. We include this dll to watch for a loophole case that allows software to create popups but attribute the creation to other software. Our long term goal is to move this functionality into the driver, where it will be slightly more secure.

As for why this dll is always present, the answer is that we always need to watch for any new popup to be able to later blame the creator. Even though the front end may be stopped at some given point, it might be started later and we might need to know who created any popup.
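The blocking policy described in this post (silent universal blocking in the beta with a whitelist, prompting for unknown software in 1.0, an after-the-fact list of security alerts, and the explorer crash caused by a CreateRemoteThread that follows a denied memory write) can be modelled as a small policy engine. The Python below is an added illustration written for this page; it is not Spyberus or RobotGenius code, and the event format, image paths and whitelist entries are constructed for the example. The one thing it adds beyond the post is the obvious fix for the crash the post diagnoses: a remote thread that follows a write the engine itself denied is refused outright rather than let through to start at corrupted memory.

```python
"""Policy engine for cross-process injection attempts (added illustration, not Spyberus code).

Each event is a constructed dict with keys:
  kind    'remote_write' (OpenProcess with write access followed by a memory write),
          'remote_thread' (CreateRemoteThread), 'driver_install', or anything else (benign)
  source  image path of the acting process
  target  image path of the process acted upon, or None
"""

INVASIVE = {"remote_write", "remote_thread", "driver_install"}
DEFAULT_WHITELIST = {r"c:\tools\procexp.exe"}   # constructed: a trusted debugging tool


class InjectionGuard:
    """Allows, blocks or prompts for invasive operations and keeps an after-the-fact alert log."""

    def __init__(self, whitelist=DEFAULT_WHITELIST, prompt_unknown=False, ask=lambda event: False):
        self.whitelist = {p.lower() for p in whitelist}
        self.prompt_unknown = prompt_unknown   # False: silent block (beta); True: ask the user (1.0 model)
        self.ask = ask                         # answers a prompt with True (allow) / False (deny)
        self.blocked_writes = set()            # (source, target) pairs whose memory write was denied
        self.alerts = []                       # everything not allowed, for a "security alerts" view

    def decide(self, event):
        kind = event["kind"]
        src = event["source"].lower()
        tgt = (event.get("target") or "").lower()
        if kind not in INVASIVE or src in self.whitelist:
            return "allow"
        if kind == "remote_thread" and (src, tgt) in self.blocked_writes:
            # Failure mode from the thread: the write into the target was denied, so a thread
            # started at that address would execute garbage and crash the target. Deny it
            # unconditionally, without prompting, instead of letting the half-injection through.
            action = "block"
        elif self.prompt_unknown:
            action = "allow" if self.ask(event) else "block"
        else:
            action = "block"
        if action == "block":
            if kind == "remote_write":
                self.blocked_writes.add((src, tgt))
            self.alerts.append((src, tgt, kind))
        return action


def replay(events, guard):
    """Run a sequence of events through the guard and return the decision for each."""
    return [guard.decide(e) for e in events]


# Constructed sequence mirroring the explorer crash described above: an adware component
# writes into explorer.exe and then starts a remote thread there; a whitelisted tool does the
# same kind of operation; an unknown installer tries to load a driver; a plain file write.
SAMPLE_EVENTS = [
    {"kind": "remote_write", "source": r"c:\program files\sponsor\sponsor.exe", "target": r"c:\windows\explorer.exe"},
    {"kind": "remote_thread", "source": r"c:\program files\sponsor\sponsor.exe", "target": r"c:\windows\explorer.exe"},
    {"kind": "remote_thread", "source": r"c:\tools\procexp.exe", "target": r"c:\windows\explorer.exe"},
    {"kind": "driver_install", "source": r"c:\temp\setup.exe", "target": None},
    {"kind": "file_create", "source": r"c:\temp\setup.exe", "target": r"c:\temp\readme.txt"},
]

if __name__ == "__main__":
    guard = InjectionGuard()
    for event, action in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, guard)):
        print(f"{action:5}  {event['kind']:14}  {event['source']}")
    print("security alerts:", guard.alerts)
```

Run as a script it replays the constructed sequence in beta mode: the sponsor's write and the follow-up thread are blocked, the whitelisted tool is allowed, the unknown driver install is blocked, and the plain file write passes. Constructing the guard with `prompt_unknown=True` and an `ask` callback models the 1.0 behaviour; even if the user would have allowed the remote thread, it stays blocked once its preceding write was denied, which is what keeps the target process alive.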

#14 jahewi (Full Member, 17 posts)

Posted 17 June 2006 - 02:36 PM

Hi again :D

Okay, today I tried Spyberus as the only 'security' on my test computer and went surfing ...
I know Spyberus will not actively protect my computer, but then -- I wanted an extremely infected computer and then see how well Spyberus removes them -- so I wasn't very careful ... :rolleyes:

This morning, I went on a search for a Windows XP key :rolleyes: :lol:
I did this 3 times -- and three times my test computer, in no time, was completely overtaken by malware so badly that it shut down by itself and couldn't start up again -- it started up normally, in every mode I tried, and then shut down again :weep:
So I re-installed the computer 3 times -- but had no results.

This evening, I tried again, but a bit more carefully :lol:
I surfed and made logs (HijackThis, startup and Silent Runners) and screenshots.

About one and a half hours ago, I thought "Okay, I have enough" (WebHancer, OIN, several on-the-fly downloaded rogue scanners (WinAntivirus, ErrorSafe etc.), several hijackers and nameless Trojans).
So, as I planned, I started using Spyberus to remove the bad guys.
2 OIN infections were removed without a problem. Spyberus said that there were some minor traces left, but there were no traces left in the HijackThis log --- and no more popups. :p
Then, I removed the WebHancer infection (still constantly making screenshots and logs).
It seemed to go well, but Spyberus warned that it had left some parts of WebHancer in place.
In the HijackThis log, I saw that WebHancer was still hijacking the LSP.
I thought that maybe the computer had to regain control over the LSP again ... so I did.

The computer booted just partly, shut down again and restarted.
But this time, it didn't recognize the hard disk anymore :techsupport:
It said "Boot Disk Failure" and stopped.
In the BIOS, my 40Gb hard disk is now auto-recognized as a 92Gb disk :scratchhead:

So -- for now, my tests of any kind are over.
Unfortunately I was not able to determine if Spyberus is a great new approach to malware removal, or a concept that needs a lot of work before it is safe.

I will not lie.
First of all I must honestly say that it's absolutely unclear to me, at this moment, what the cause of this mess is.
It looks like a hard disk failure, although the disk is only about a year old and didn't have any problems before.
I will see that tomorrow or later on this week. Of course I will post my findings here.
If the data from my last tests is retrievable, I'll upload them to my site, so anyone can see what happened, up until the computer gave in.

I like Spyberus and the idea behind it on how to remove malware -- that's why I started my tests in the first place ;)
However, looking back at all the problems and strange occurrences, I really don't trust the program, as it is at this point in time.

I really hope that the guys of robotgenius will be able to make Spyberus a great analyzer/monitor/scanner!


Kindest regards,
Jan :)

#15 robotgenius (Full Member, 16 posts)

Posted 19 June 2006 - 01:26 PM

Hello-


> Hi again :D
>
> Okay, today I tried Spyberus as the only 'security' on my test computer and went surfing ...
> I know Spyberus will not actively protect my computer, but then -- I wanted an extremely infected computer and then see how well Spyberus removes them -- so I wasn't very careful ... :rolleyes:
>
> This morning, I went on a search for a Windows XP key :rolleyes: :lol:
> I did this 3 times -- and three times my test computer, in no time, was completely overtaken by malware so badly that it shut down by itself and couldn't start up again -- it started up normally, in every mode I tried, and then shut down again :weep:
> So I re-installed the computer 3 times -- but had no results.

Sorry for the troubles; as a beta there are still issues that we are working out. We are definitely committed to plugging any remaining holes that exist around the product. This sounds like it might be a particularly nasty one.

Is there any chance you might be able to get us a copy of the executable that caused the problem (you can email it to support@robotgenius.net)? Or if that isn't possible, could you point us to where we can download it on the web? As you can imagine, I am quite keen on seeing what happened, and learning whether our (not yet released) 1.0 also has a problem.

#16 davemon (Full Member, 14 posts)

Posted 21 June 2006 - 04:55 AM

robotgenius, this software appears to be the same as Norton Goback. It does the same thing. Perhaps you take it a step further in targeting "bad" software installations, but Goback is the same approach and this appears to be a takeoff on the same idea. Goback keeps track of every installation since a certain point or points which you determine yourself, and you can "goback" to those points and uninstall whatever screwed you up. I think your software will allow you to pick and choose where Goback may not, but the idea is the same and you are presenting this software as if it's some new form of thinking, which it isn't. Windows recovery points are a crude form of the same thing for that matter.


#17 robotgenius (Full Member, 16 posts)

Posted 21 June 2006 - 03:51 PM

Hello-

You are correct in pointing out similarities between Goback and even Windows Recovery, and I could even add to the list (Ghost and cvs). Like us, all of these programs record information that allows you to roll back to a previous point in time. To go even one step further, we also share similarities with products such as Google Desktop, which silently watches for the creation of new files and indexes all new content allowing for quick future searches. (It was in part the example of Google Desktop that inspired us to create this new technology).

That being said, I want to make it clear that RobotGenius definitely brings something new to the anti-malware scene. Our rollback functionality (which is only one of the tools we provide), rather than providing version control, is interested in the causal history of the filesystem (i.e. in determining the ultimate source of any file or registry key created). Say for instance, you turn on your computer today and find a new (and sleazy) link on your desktop to, say, a porn site. With Spyberus installed, you can follow the trail back to its origins, for instance:

1. Porn Link was installed by c:\stuff\createPornLink.exe
2. createPornLink.exe was created by c:\windows\system32\qqf.exe
3. qqf.exe was created by c:\Program Files\games\fungame.exe
4. fungame.exe was installed when you visited site http://freegames.com

Similar functionality exists to determine the original cause of a popup, home page change, etc. As simple as this sounds, most of our development effort has gone towards disambiguation algorithms and not towards the code that records new files (which is actually pretty cookie cutter technology these days). The other products mentioned wouldn't let you discover *where* (i.e., web site, IP address) a file or infection originated.

Because we keep a database of all files from a particular install, rollback is simple and complete.

Goback (or Windows Recovery or Ghost or cvs) is mainly interested in version control. With Goback you can point to a particular file and ask the system to restore it to the version saved yesterday. If version control is what you want, Spyberus is not the product for you. However, for different types of problems Spyberus is definitely the correct tool.

If you need a secure uninstaller, Spyberus may be what you need. Not only do we allow for very selective uninstallations (based on software installations vs whole system restores), but we perform numerous tasks behind the scenes that counter typical malware tricks like forced file locking, reinstallations on the fly, etc. Also, because we specifically do not store detailed version control information, our database is tiny compared to GoBack (typically 1-5MB vs the suggested 10% of hard drive space), can be updated continuously rather than at specific intervals, and does not slow down the system (we are actually much faster than even Google Desktop).

Our ultimate goal is more of a sandboxing approach, in fact, sort of like a lightweight VMWare. With our causal filesystem database, the product can associate any file with the initial url from which the software was installed, and it will be able to base access control across the software package as a whole. Nasty system changes like driver installation and keyboard logging can be locked down by default, but trusted packages can be given greater permissions. That way if your new downloaded screensaver tries to snoop on keystrokes, you will be warned and can fully uninstall the product. Version 1.0 (coming soon) will move in this direction, but because we are a relatively new security product it is too early to claim perfection (Windows is a very complicated environment), and I hesitate to tout these aspects of the product yet. For the next few months it is more accurate for me to claim that we are a strong complement to the existing and less than perfect anti-malware products out there, that can be used to spy on what each installed software package is doing to your computer.




#18 jahewi

Full Member, 17 posts

Posted 22 June 2006 - 08:23 AM

Hi Robotgenius,

Sorry for my late response, but I was too busy the last few days.

Sorry for the troubles, as a beta there are still issues that we are working out.

No need to be sorry.
If I don't want the trouble, I shouldn't be testing ;)

We are definitely committed to plugging any remaining holes that exist around the product. This sounds like it might be a particularly nasty one.

As far as I could see, there was nothing too nasty at the time ... I kept track of that constantly.

Is there any chance you might be able to get us a copy of the executable that caused the problem (you can email it to support@robotgenius.net)? Or if that isn't possible, could you point us to where we can download it on the web? As you can imagine, I am quite keen on seeing what happened, and learning whether our (not yet released) 1.0 also has a problem.

Yes, I understand and I hope I can help you ...
The disk was pretty messed up (but not completely wrecked, as I thought at first) and in fact should be low-level formatted.
Instead of doing that, I have taken it to my regular computer shop, told them what happened and asked them to take a look at it.
Maybe, if we're lucky, there is still data on it that can be salvaged?
If not, I can only put on mail what I remember ... :blush:

However, I know that the hard disk gave up at the moment that I had removed 2 OIN variants and Webhancer using Spyberus.
In the HijackThis log I made as a check, I saw that Webhancer was still there, hijacking the LSP.
Although there were still malware issues left, I rebooted to see if maybe then the Webhancer infection would be gone ...
All this is already in my previous post ;)

Let's hope my computer-shop has good news.
I'll keep you informed!


Jan :)

#19 robotgenius

Full Member, 16 posts

Posted 22 June 2006 - 06:19 PM

Hello-


We are definitely committed to plugging any remaining holes that exist around the product. This sounds like it might be a particularly nasty one.

As far as I could see, there was nothing too nasty at the time ... I kept track of that constantly.


Again, if we were the cause of the crash, sorry. I said that this is very nasty malware because I've never seen anything like this type of crash before, and we have literally installed tens of thousands of programs on machines without ever seeing such a thing happen. In the very early days (well before beta) there were some crashes, many of them interestingly related to the LSP, but none that trashed a hard drive, and we (believe we) fixed those long ago.

If not, I can only put on mail what I remember ...

However, I know that the hard disk gave up at the moment that I had removed 2 OIN variants and Webhancer using Spyberus.
In the HijackThis log I made as a check, I saw that Webhancer was still there, hijacking the LSP.
Although there were still malware issues left, I rebooted to see if maybe then the Webhancer infection would be gone ...


Given that the data isn't currently available, would it be possible to get the URLs or peer-to-peer program you used to get the software? If you don't want to publicly post the address of a known bad guy,
you can also email me (support@robotgenius.net).

By the way, we figured out what messenger + 3 was doing to evade us. These guys were using an advanced trick. We block one type of dll injection in our software using a standard technique, but they had found a loophole around this. They then hijacked a system process and used it to install their stuff in a way that would go unnoticed (we actually caught the install in our database, but did not display it because the installation was performed by a part of the OS that we considered exempt). Windows is a complicated OS, and it is a long road to patch up each and every hole in the system. Thanks for the feedback that allowed us to find and protect against one more exploit that the bad guys could have used to get around us.

#20 jahewi

Full Member, 17 posts

Posted 23 June 2006 - 01:27 AM

Hi!

Hello-



We are definitely committed to plugging any remaining holes that exist around the product. This sounds like it might be a particularly nasty one.

As far as I could see, there was nothing too nasty at the time ... I kept track of that constantly.


Again, if we were the cause of the crash, sorry. I said that this is very nasty malware because I've never seen anything like this type of crash before, and we have literally installed tens of thousands of programs on machines without ever seeing such a thing happen. In the very early days (well before beta) there were some crashes, many of them interestingly related to the LSP, but none that trashed a hard drive, and we (believe we) fixed those long ago.

LSP hijacks obviously are quite difficult to remove ... ;)
Not only does the hijacker have to be removed, but the LSP itself also has to be restored to its old state ...
Like you, I really can't imagine how it could be the cause of the crash ... that's why I said that I don't know what caused the crash.
I think, however, that it's something to 'keep in mind', so to speak.

By the way, I can pick up the hard disk from the shop ... it's working again, but there was no recoverable data on it.


If not, I can only put on mail what I remember ...

However, I know that the hard disk gave up at the moment that I had removed 2 OIN variants and Webhancer using Spyberus.
In the HijackThis log I made as a check, I saw that Webhancer was still there, hijacking the LSP.
Although there were still malware issues left, I rebooted to see if maybe then the Webhancer infection would be gone ...


Given that the data isn't currently available, would it be possible to get the URLs or peer-to-peer program you used to get the software?

I can get the URLs, but I need to be home for that (I'm at work now) ;)
So, tonight, I'll reinstall the test computer and retrace my steps, one by one.

If you don't want to publicly post the address of a known bad guy,
you can also email me (support@robotgenius.net).

I wouldn't want to cause someone's computer to be infected by posting infection URLs on an open forum or website.
I will mail the URLs to you and post them, together with other data and screenshots, on a hidden page of my site.
Of course, anyone who wants to look at the page can have its URL.

By the way, we figured out what messenger + 3 was doing to evade us. These guys were using an advanced trick. We block one type of dll injection in our software using a standard technique, but they had found a loophole around this. They then hijacked a system process and used it to install their stuff in a way that would go unnoticed (we actually caught the install in our database, but did not display it because the installation was performed by a part of the OS that we considered exempt). Windows is a complicated OS, and it is a long road to patch up each and every hole in the system. Thanks for the feedback that allowed us to find and protect against one more exploit that the bad guys could have used to get around us.

That's Great! Way to go. Another one bites the dust :p
You're absolutely right about Windows. It's complicated and almost impossible to keep safe and work with at the same time.
With new malware being made on a daily basis, and new security holes being found very regularly, I guess you'll be patching and updating for the rest of Spyberus' life ...

I like testing stuff, although this is the first time that it's so extensive ... I love it ;D
... and I'm very happy that it helps you!


Jan :)

#21 jahewi

Full Member, 17 posts

Posted 23 June 2006 - 02:56 AM

I was thinking about Spyberus and the way it removes items ... and I have a small question about that:

As Spyberus will usually be working side by side with other malware-removing software, what will happen if some malware program installs on the computer and is removed by a malware scanner?
Will Spyberus be aware of the fact that the program isn't there anymore?

Or, to put it differently, what happens if someone tries to let Spyberus remove a program which isn't on the computer anymore?


Jan :)

#22 robotgenius

Full Member, 16 posts

Posted 23 June 2006 - 05:02 PM

LSP hijacks obviously are quite difficult to remove ... ;)
Not only does the hijacker have to be removed, but the LSP itself also has to be restored to its old state ...


Yeah, that is something we also had to learn the hard way here, way back after we started putting together the product. We actually do restore the LSP automatically in the background if anything is removed from it, so there haven't been issues for a while.

By the way, I can pick up the hard disk from the shop ... it's working again, but there was no recoverable data on it.


That is too bad. Sorry. It also would have been much easier to detect the cause of the problem with the installation database.

I will mail the URLs to you and post them, together with other data and screenshots, on a hidden page of my site.
Of course, anyone who wants to look at the page can have its URL.


Great, I will watch for them.

With new malware being made on a daily basis, and new security holes being found very regularly, I guess you'll be patching and updating for the rest of Spyberus' life ...


I am optimistic about the approach though and believe that in the long run we will iron out the problems and end malware with it. Of course all writers of security products say the same thing, so I don't expect anyone to fully believe it until we can prove it.... We will be working hard in the next few months to get to this point, I expect some busy work ahead.


I like testing stuff, although this is the first time that it's so extensive ... I love it ;D
... and I'm very happy that it helps you!


It really does help us a lot.

#23 robotgenius

Full Member, 16 posts

Posted 23 June 2006 - 05:30 PM

I was thinking about Spyberus and the way it removes items ... and I have a small question about that:

As Spyberus will usually be working side by side with other malware-removing software, what will happen if some malware program installs on the computer and is removed by a malware scanner?
Will Spyberus be aware of the fact that the program isn't there anymore?

Or, to put it differently, what happens if someone tries to let Spyberus remove a program which isn't on the computer anymore?


Jan :)



That depends on whether the software was really removed from the system or not. If a program is really fully uninstalled from the system, down to the last file, it will automatically be removed from our database (we watch for file deletions as well as creations, and automatically update to keep synchronized with the system). The thing is, software rarely does fully uninstall itself from the system; in fact many would probably be surprised to see how rarely software really does fully delete itself from the system when you uninstall it, even the good guys. One demo I like to show involves installing Google Toolbar, uninstalling it, and then using Spyberus to show them how much stuff is left behind on the system. Spyberus allows you to fully remove all this remaining clutter from your system.

This all applies to self-registered uninstallers as well as third party uninstallers like anti-malware scanning engines.... Full uninstallations automatically update, and with partial uninstallations we allow for the removal of remaining clutter. In fact, in cases where Spyberus is installed after the malware infection, we recommend that the user run us together with a scanning engine. If the scanning engine works, great, but if not, and the adware reinstalls itself, we catch the reinstallation and the user can use us to remove the installed as well as installing malware.
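The causal trail sketched in post #17 (link, createPornLink.exe, qqf.exe, fungame.exe, download URL) and the deletion-sync behaviour described in the answer above, as a small added illustration that is not Spyberus code: creation and deletion events go into a provenance store, a file is traced back to its origin URL, the transitive "package" created by one download is computed, and what a partial clean-up leaves behind is listed. The four paths and the URL come from the post's own example; the desktop link path is constructed here.

```python
"""Constructed causal file-provenance store; not Spyberus code.
The paths and http://freegames.com come from the post's own example."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def norm(path: str) -> str:
    """Windows paths are case-insensitive; normalise so lookups match."""
    return path.replace("/", "\\").lower()


@dataclass
class ProvenanceDB:
    creator: Dict[str, str] = field(default_factory=dict)     # created file -> creating exe
    origin_url: Dict[str, str] = field(default_factory=dict)  # downloaded file -> source URL
    present: Set[str] = field(default_factory=set)            # files currently on disk

    def record_create(self, path: str, creator: Optional[str] = None,
                      url: Optional[str] = None) -> None:
        """File-creation event: which executable wrote it, or which URL it came from."""
        p = norm(path)
        self.present.add(p)
        if creator is not None:
            self.creator[p] = norm(creator)
        if url is not None:
            self.origin_url[p] = url

    def record_delete(self, path: str) -> None:
        """File-deletion event. The file leaves the 'present' set so the store
        stays in sync with the disk, but its creation record is kept: files it
        created are remnants that must still be traceable."""
        self.present.discard(norm(path))

    def trace(self, path: str) -> List[str]:
        """Follow creation back to the origin: the chain of paths, ending with
        the download URL when one is recorded. Stops at an unknown creator."""
        chain: List[str] = []
        seen: Set[str] = set()
        p: Optional[str] = norm(path)
        while p is not None and p not in seen:
            seen.add(p)                       # guards against a loop in corrupt data
            chain.append(p)
            if p in self.origin_url:
                chain.append(self.origin_url[p])
                break
            p = self.creator.get(p)
        return chain

    def package(self, root: str) -> Set[str]:
        """Everything transitively created by root: the 'software package'
        that a selective uninstall would remove."""
        root = norm(root)
        members, todo = {root}, deque([root])
        while todo:
            cur = todo.popleft()
            # Linear scan per node is fine for a demo; a real store would index by creator.
            for child, maker in self.creator.items():
                if maker == cur and child not in members:
                    members.add(child)
                    todo.append(child)
        return members

    def remnants(self, root: str) -> Set[str]:
        """Package members still on disk, e.g. what another scanner left behind."""
        return {p for p in self.package(root) if p in self.present}


FUNGAME = r"c:\Program Files\games\fungame.exe"
QQF = r"c:\windows\system32\qqf.exe"
LINKER = r"c:\stuff\createPornLink.exe"
LINK = r"c:\Documents and Settings\user\Desktop\Porn Link.url"   # constructed path


def demo() -> ProvenanceDB:
    """Replay the post's scenario, then a partial clean-up by another scanner."""
    db = ProvenanceDB()
    db.record_create(FUNGAME, url="http://freegames.com")
    db.record_create(QQF, creator=FUNGAME)
    db.record_create(LINKER, creator=QQF)
    db.record_create(LINK, creator=LINKER)
    db.record_delete(QQF)       # another scanner removed these two ...
    db.record_delete(LINKER)
    return db                   # ... but fungame.exe and the link remain


if __name__ == "__main__":
    db = demo()
    print(" <- ".join(db.trace(LINK)))
    print("left behind:", sorted(db.remnants(FUNGAME)))
```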

#24 jahewi

Full Member, 17 posts

Posted 24 June 2006 - 11:16 AM


I will mail the URLs to you and post them, together with other data and screenshots, on a hidden page of my site.
Of course, anyone who wants to look at the page can have its URL.


Great, I will watch for them.

I tried, this morning, to retrace the steps, but I didn't succeed :(
I'll try again, as soon as the test computer is available again ;D

I did get a nice, fairly new, wareout infection (the rogue malware scanner Kill & Clean) though, which knocked out Spyberus :oops:
But this time, everything went well and I made a webpage with the results.
Because it has some dangerous URLs and info, I don't think it's a good idea to post the URL here, so I have sent its URL to you by PM.
Anyone who is interested will get the URL as well. Just send me a PM.


With new malware being made on a daily basis, and new security holes being found very regularly, I guess you'll be patching and updating for the rest of Spyberus' life ...

I am optimistic about the approach though and believe that in the long run we will iron out the problems and end malware with it. Of course all writers of security products say the same thing, so I don't expect anyone to fully believe it until we can prove it.... We will be working hard in the next few months to get to this point, I expect some busy work ahead.

Well, I have to be honest, again ...
I can't share your optimism at this moment ... Until now, all Spyberus did was give me trouble or, as in my last test, break down.
But I absolutely hope that these are just 'child sicknesses', and that you will be able to make Spyberus a solid malware scanner.


Jan :)

#25 robotgenius

Full Member, 16 posts

Posted 27 June 2006 - 07:16 PM

Hello-

Sorry for the delay in responding, I've been on the road for meetings for the past couple of days. Thanks for the info, it is what we need to see what was up. I will post more here once I have more info.

Thanks!





#26 jahewi

Full Member, 17 posts

Posted 28 June 2006 - 02:51 AM

Hi,

Hello-

Sorry for the delay in responding, I've been on the road for meetings for the past couple of days.

That's absolutely no problem. We all have our duties in 'real life' ;)

Thanks for the info, it is what we need to see what was up. I will post more here once I have more info.

That's great :D
I will back up those parts of the test system which could be helpful in the future, and start with cleaning in a few hours, when I'm done with my real-life work. ;)
I'm very curious if removing the malware will 'cure' Spyberus.

After that, i will start a new testing-round.


Jan :)

#27 Swandog46

Forum Deity, Retired Staff, 10,190 posts

Posted 29 June 2006 - 08:57 PM

robotgenius,

I just want to say that I have been following this thread with interest. I finally had a chance to sit down and test Spyberus today, and I am impressed with the idea. I had varying degrees of success removing different infections I installed (all after Spyberus) -- it removed simple infections fine, and Qoologic too (that was a surprise), but --- no surprise, it had difficulty touching rootkit-type infections either because they were persistent (winik, for example) or hidden (pe386, or HackerDefender, for example). It clearly has some issues that need to be worked out, but I am very intrigued by the idea. It did an excellent job recording and tracing system activity especially for simple or mundane problems, which is really its purpose (not to deal with persistent rootkits). No crashes. Well done! :thumbsup:

#28 jahewi

Full Member, 17 posts

Posted 02 July 2006 - 01:21 PM

Hi Swandog46,

That was more or less my conclusion, as well.
It's great to have someone with about the same results. :thumbsup:

However, as you know, I experienced problems when there are many different infections on the computer ...
Did you test that as well?

I did 2 more test rounds this week ... with fewer infections and much less problems (none whatsoever ...)
I'll upload the results (screenshots, logs etc.) to my site.


Jan :)

#29 Swandog46

Forum Deity, Retired Staff, 10,190 posts

Posted 02 July 2006 - 04:25 PM

However, as you know, I experienced problems when there are many different infections on the computer ...
Did you test that as well?

Not really --- not enough time. I didn't "stress test" per se.

#30 robotgenius

Full Member, 16 posts

Posted 03 July 2006 - 02:04 PM

Hello Swandog46 and hi again jahewi-

It is good to see more testing against the product. Sorry I haven't been responsive over the last few days as we are in a push to get the next release out. We are really on a drive here to knock out all known bugs right now, including any issues brought up on this thread (actually, as of right now our internal version is able to handle all the websites mentioned above).

You are both correct, one of the largest problems we are facing is the low level rootkit stuff (this will definitely always be a problem to handle for any anti-malware product). The way we handle this in the upcoming release will be to warn the user on the fly when something invasive (like an unsigned driver) is being placed on the system, allowing them to stop it. We will be automatically exempting known good sites from these warnings to keep the message count minimal (multiple overly cautionary warnings usually cause apathy followed by blanket approval by users).

I will post here when the next version comes out, and I'll be eager to hear how well it fares!

#31 jahewi

Full Member, 17 posts

Posted 04 July 2006 - 06:12 AM

Hi, :D

Hello Swandog46 and hi again jahewi-

It is good to see more testing against the product. Sorry I haven't been responsive over the last few days as we are in a push to get the next release out. We are really on a drive here to knock out all known bugs right now, including any issues brought up on this thread (actually, as of right now our internal version is able to handle all the websites mentioned above).

I'm looking forward to this new version :p

The last few days, I have really been missing one function in Spyberus which could be very handy ... a possibility to generate a report ... as far as I know, Spyberus doesn't have one.
For instance, I think it would be great if a user could save a report on a certain package.

You are both correct, one of the largest problems we are facing is the low level rootkit stuff (this will definitely always be a problem to handle for any anti-malware product). The way we handle this in the upcoming release will be to warn the user on the fly when something invasive (like an unsigned driver) is being placed on the system, allowing them to stop it. We will be automatically exempting known good sites from these warnings to keep the message count minimal (multiple overly cautionary warnings usually cause apathy followed by blanket approval by users).

I have the feeling that, besides with rootkits, Spyberus is having trouble keeping track of malware which changes its filenames regularly, like some trojans do ....

I will post here when the next version comes out, and I'll be eager to hear how well it fares!

In the meantime, I have put the results of 2 more tests I did last weekend on my site, here and here.

I have done a third one, but the report isn't finished yet ... however, I put a lot more stress on the system and unfortunately, Spyberus broke down during reboot, just before cleaning.
Its error message was:
The transaction file version is not compatible with this version of Spyberus

The rest of it will be on the net tonight ;)


Jan :)

#32 jahewi

Full Member, 17 posts

Posted 05 July 2006 - 02:11 AM

Hi,

The report from the last test on July 2nd is uploaded to this page


Jan :)

#33 robotgenius

Full Member, 16 posts

Posted 06 July 2006 - 04:48 PM

The last few days, I have really been missing one function in Spyberus which could be very handy ... a possibility to generate a report ... as far as I know, Spyberus doesn't have one.
For instance, I think it would be great if a user could save a report on a certain package.


Ironically this is going to be a feature in the next release, albeit a hidden feature. If you just want to see a summary right now describing the main features installed by a package, you can right click the package name and choose properties (you can't save the report to the hard drive with that version however).

In the meantime, I have put the results of 2 more tests I did last weekend on my site, here and here.


Just curious, what was the URL of the stuff on the first test?

thanks, and talk with you soon.

#34 nargd

Full Member, 4 posts

Posted 28 July 2006 - 03:27 PM

I would not use this piece of software. I downloaded it onto my computer and installed it. It did not start up properly after reboot and disabled Norton Ghost and Roboform. I am running WinXP SP2 on a new HP dual Pentium 930, 2GB RAM, 350 GB HD, all patches installed yada, yada, yada. When I tried to uninstall this program using the Add/Remove applet, I received a message that I had to use the Add/Remove applet. But . . . that is what I was using?!?!?!?!? I fired off an email to support@robotgenius.net, but that email was returned to me as the email address doesn't exist. :rant:
There once was a bat named Splat. The reason Splat was named Splat was because he always smacked into windows. Anyway this story starts where Splat goes on vacation but forgets his dentures. Anywho he . . .

#35 robotgenius

Full Member, 16 posts

Posted 04 August 2006 - 04:24 PM

Hello-

I've been communicating with nargd in email over the last couple of days to help him fix this issue, but I thought I should comment here to address this. We definitely apologize for anything that our software might have done to harm a computer it has been installed on, and we will immediately work with anyone to help fix any problems. Our main goal right now is to iron out any remaining bugs of this sort so that we can move from beta to official release, and therefore we are thankful to anyone who helps us by bringing such issues to our attention.

First, I am confused as to why an email to support@robotgenius.net would have bounced. We continually receive feedback at this address, and this is the first time anyone has complained about this. Let me clarify that support@robotgenius.net is definitely a working email address and has been since our website went live. After nargd mentioned that his email bounced, I sent test emails from two different accounts and they went through (we have since received other feedback on this address also).

About the product failure, it initially looks to me like there was some sort of incompatibility between our product and others installed on that computer, although we have been unable to reproduce the problem locally to verify this. One way malware can try to remain in control of a system is to disable or corrupt anti-malware products, so we (like many other anti-malware products) do protect against uninstallation and unauthorized control by third party products. In this particular case, it looks like our protection shield is for some reason accidentally viewing the other parts of the Robotgenius product as third party (probably because of a failed installation as a result of an interaction with other software on the system), and therefore refusing to communicate with these other parts or even uninstall when instructed.

Prior to this incident we thought that this was not possible, and we are working to figure out how it happened, but if this ever does happen to anyone, the solution is to boot into recovery console and type

"disable RGProtect"

or alternatively just delete the shield altogether

del "c:\program files\robot genius\spyberus\rgprotect.sys"

After this, all protection is turned off, and you should be able to uninstall the product either through the registered installer or by directly deleting files. Note, you should only do this if you are about to uninstall, as we are unable to protect you against malware once the shields are removed.

Sorry for the trouble!







#36 nargd

Full Member, 4 posts

Posted 14 August 2006 - 12:19 PM

I have since removed this program with help from robotgenius. But I still would not recommend a program that is obviously in the alpha stage of development. :techsupport:

Edited by nargd, 14 August 2006 - 12:22 PM.
