July 6, 2005 - (HOSTSEARCH.COM) - SpyCop today announced that malware, including surveillance spy software, is taking advantage of holes in the Windows NT/XP security structure to avoid detection and prevent removal. Users are increasingly finding that once malware is detected on their system, it may be nearly impossible to remove without specialized tools.
The most recent exploit involves malware intercepting API calls to prevent their files from being visible to Windows Explorer and security products, including virus and spyware scanners. Application Programming Interfaces (APIs) are what Windows programs use to interact with the system. Allowing a program to intercept these calls and return bad data is a huge security risk and enables a program to gain unparalleled control over the system. The most commonly intercepted APIs are FindFirstFile, FindNextFile and ReadFile. When a security program goes to scan a drive, it will skip the malware files because, according to Windows, they don't exist. This means that security programs must have their own special file searching routines, independant from the generic Windows API. Unfortunately, almost all Windows APIs are vulnerable, making it more difficult than ever for a user to keep their system secure.
It is important for users to have the most recent versions of their security programs installed and up-to-date on their PCs. "The SpyCop Surveillance Detection product is constantly updated and improved to permit detection of spy programs using these API interception strategies", explains SpyCop Founder Grey McKenzie. "We strongly advise all consumers to keep their firewalls, virus scanners, malware scanners and Windows service packs up to date and configured properly."
