Toivo Talikka

Total Data Pty Ltd

Computer system installation, support and IT management consultancy

Forestville NSW Australia        tel 0410 532 923       email toivo@totaldata.biz

Spyware And Adware

Detecting Spyware

Increased popularity of the Internet in the early 1990s saw the appearance of computer viruses, which forced us to protect personal computers and file servers by installing antivirus products with a regular update service for new virus signatures. However, until recently antivirus products have been powerless against the wave of ad-sponsored programs and spy software, "adware" and "spyware", which were not detected by traditional applications. Recent (2004-2005) versions of antivirus software and internet security bundles already include anti spyware functionality. Often the anti spyware application has been sourced from specialist companies, for example Norman Virus Control and F-Secure Anti-Virus contain technology from Lavasoft, the Swedish manufacturer of Ad-Aware (Nordic co-operation at its best, I reckon). In February 2005 Microsoft published a beta version of their Windows AntiSpyware, acquired from Giant Company Software Inc. Microsoft's free Windows AntiSpyware supports versions of Windows starting from Windows 2000.

Online Scans

Remarkably, some companies offer an online scan to detect and remove spyware. However, I would be worried to relinquish control of one of my main business tools, the PC, to an online scan of any kind, unless I knew the company or the individual and the motive behind the scheme. A U.S. company has already been in the limelight for selling their application through pop-up advertisements, then falsely finding spyware with their online scan and, as a result, selling a fraudulent product, unable to remove any spyware. And, at the other end of the scale, some applications claiming to remove or prevent spyware have installed numerous adware and spyware pests without permission.

Sponsored Advertisements

In 2004 I had enabled advertising on the sidebar of this web page, and the reader was likely to see advertisements from some of the web sites mentioned in SpyWareWarrior's list of rogue software. I have since removed advertisements from this page, worried about what might happen if the reader installs suspect applications with embedded spyware.

Dangers Of Spyware

Apart from IT professionals and power users, few people realise the dangers of spyware. The article "Internet Connection Misuse & Abuse", written by Steve Gibson in 2002, explains how spyware threatens our privacy. Microsoft's definition of spyware and avoidance instructions from early 2004 can be found in an article by Jerry Honeycutt.

Helper Objects and Friends

An innocent looking add-on function like a search toolbar in your internet browser, a free desktop calendar application or a local temperature indicator in the system tray may look useful and handy, but it is more than likely to download a suite of other pest applications, collect information about all the websites you visit and - surprise surprise! - send all the details about your browsing habits to a host server in the outer fringes of the internet.

The chances are that the pop-up advertisements displayed by your internet browser and even the sites you visit have been carefully selected, based on your past browsing history and preferences. Few people realise the dangers of spyware until they get caught in a web (excuse the pun :-) ) of computer problems, starting from slowness of internet access, annoyance caused by frequent browser popup advertisements and ending up in regular crashes of the operating system.

Trialware And P2P

A common source of spyware is freeware and trialware downloaded from suspect web sites. Sadly, sites purporting to sell anti-spyware products may lead you by the nose - see the details about rogue and suspect anti spyware sites from www.spywarewarrior.com. Another source of spyware is peer-to-peer (P2P) filesharing applications, as the article "Comparison of Unwanted Applications Installed by P2P Applications" by Ben Edelman shows.

Prevention Better Than Cure

If you download software, read the terms and conditions before you install anything - there are a couple of examples from marketing companies later on in this article. However, a lot can be done to protect your PC from inadvertent software installations - Internet Explorer advanced and security settings in particular can be tuned to provide more safety, as shown in the article written by Mike Healan. One strategy I often mention and practice myself is to use the open source browser Mozilla and Mozilla Mail, and recently the latest Firefox and Thunderbird. I have set up the junk mail controls and hidden the message pane, to stop the preview of the last message.

Browser and Messenger Pop-Ups

Browser popups have been our constant companions for some time. Browser popups are often installed by 'drive-by download' if we visit web sites which have resorted to dubious methods of generating income for their owners. Whichever browser you use, Internet Explorer, Mozilla or others, make sure you use the latest version with security updates. And have a look at the section "How To Prevent And Remove Spyware" below.

In 2003 one of the new pests that emerged from the Internet was the appearance of pop-up windows through the Messenger service in Windows. The problem is described in Microsoft's Knowledge Base article 330904. If there is a way to intrude into your PC, the wily hacker will find it...

It took some time before we had good news about popups. According to a news item from BBC on 10 August 2004, a US company has been banned from using Windows Messenger to bombard computer users with pop-up advertisements. And on 12 August 2004 the Australian Federal Government announced it is planning to review the laws about spyware, according to Australian IT.

Malware

The more sinister side of the adware/spyware issue is malware, software designed to exploit you for financial gain, in other words, its purpose is to rob you. Malware and Trojan horse programs record user names and passwords we type in to log on to web sites, plus also credit card numbers and other personal information we store in our personal computer. This information is then forwarded to servers in the Internet without our knowledge and made available to persons unknown for illegal purposes.

The effects of spyware in an office environment are difficult to detect if there are no strict internet policies, implemented through firewall rules, filter rules and ongoing monitoring of exceptions. If the internet firewall has not been set up to allow only the minimum packet types out to the internet, any malware program can initiate a session with its zombie master server on the internet and get away with it. Because of the cost of setting up and maintaining such a firewall, the usual method is to scan the PCs with spyware detection and removal tools once the symptoms appear: problems with internet access, browser popup windows appearing in increasing numbers, and the PC slowing down and showing unexplained errors. And if you are unlucky, your credit card statement shows unexplained debits posted from the other side of the world.
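As an added illustration of the "minimum packet types" and "monitoring of exceptions" idea above (example code written for this page, not part of the original article): a small Python script applies a minimal egress policy to a constructed firewall log and reports the flows the policy would not permit, plus any host that keeps contacting the same outside address and port, which is how a program phoning home to its master server shows up. The LAN range, the internal resolver and the mail server addresses are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of a perimeter firewall log (not real traffic). Fields:
# timestamp action proto src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
2005-03-12T09:14:03 ALLOW TCP 192.168.1.23 1043 203.0.113.7 80
2005-03-12T09:14:09 ALLOW TCP 192.168.1.23 1045 203.0.113.7 443
2005-03-12T09:14:10 ALLOW UDP 192.168.1.1 1053 198.51.100.53 53
2005-03-12T09:15:01 ALLOW TCP 192.168.1.40 1101 198.51.100.9 8080
2005-03-12T09:20:01 ALLOW TCP 192.168.1.40 1102 198.51.100.9 8080
2005-03-12T09:25:01 ALLOW TCP 192.168.1.40 1103 198.51.100.9 8080
2005-03-12T09:25:30 ALLOW UDP 192.168.1.40 1104 198.51.100.53 53
2005-03-12T09:26:00 ALLOW TCP 192.168.1.5 2500 203.0.113.25 25
2005-03-12T09:27:00 ALLOW TCP 192.168.1.23 1046 203.0.113.25 25
"""

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed office LAN
INTERNAL_DNS = ipaddress.ip_address("192.168.1.1")     # assumed: only host allowed to resolve outside
MAIL_SERVER = ipaddress.ip_address("192.168.1.5")      # assumed: only host allowed to send SMTP

def is_permitted(proto, src, dport):
    """Minimal egress policy: web from any workstation, DNS only from the
    internal resolver, SMTP only from the mail server. Anything else is an exception."""
    if proto == "TCP" and dport in (80, 443):
        return True
    if proto == "UDP" and dport == 53 and src == INTERNAL_DNS:
        return True
    if proto == "TCP" and dport == 25 and src == MAIL_SERVER:
        return True
    return False

def find_egress_exceptions(log_text, beacon_threshold=3):
    """Return (exceptions, beacons): outbound flows the policy would not permit as
    (timestamp, src, proto, dst, dport), and (src, dst, dport) triples repeated at
    least beacon_threshold times, the regular check-in pattern of a program phoning home."""
    exceptions, flows = [], Counter()
    for line in log_text.splitlines():
        ts, _action, proto, src, _sport, dst, dport = line.split()
        src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue  # only flows leaving the LAN matter here
        if not is_permitted(proto, src, dport):
            exceptions.append((ts, str(src), proto, str(dst), dport))
            flows[(str(src), str(dst), dport)] += 1
    beacons = [flow for flow, n in flows.items() if n >= beacon_threshold]
    return exceptions, beacons
```

On the sample log the workstation 192.168.1.40 is reported both for bypassing the internal resolver and for checking in with 198.51.100.9 on port 8080 every five minutes, while 192.168.1.23 is reported for sending mail directly, a classic symptom of a spam-sending pest.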

Rootkits

As more sophisticated spyware applications take over PCs, the applications themselves and the processes they run inside the PC have become more difficult for ordinary PC users, and even power users, to detect. The authors of spyware and Trojans deliberately hide their program files and processes from users who inspect the directories and the list of processes in Task Manager. These ideas originated in the Unix and Linux world, where the superuser (Administrator in Windows terms) is called root; hence these devious applications are commonly known as rootkits.

Because of their insidious hiding methods rootkits are notoriously difficult to detect and get rid of. There are a number of applications which specialise in detecting rootkits, like the RootkitRevealer from Sysinternals. When you run RootkitRevealer, it generates a randomly named copy of itself to avoid detection by malware processes. As you can see, it is an all-out war there in the nooks and crannies of the CPU and the memory.

It is becoming common for anti-virus software to have the capability to prevent infection by known rootkits. F-Secure has a Beta version of their BlackLight product, using rootkit elimination technology, available free of charge. BlackLight will be part of the F-Secure Internet Security 2006 suite.

Therefore, when you select an anti-virus product, make sure you type the word 'rootkit' into the search box on the software manufacturer's website and see that you get satisfactory results.

How to Prevent and Remove Spyware

What can one do, in addition to making sure that all the critical Windows updates have been done? Prevention is better than cure - the article Prevent Browser Hijacking by Mike Healan explains how you can avoid trouble with browser hijacks and other annoyances, especially in Internet Explorer. Among other things, apart from abandoning Internet Explorer altogether, you should modify its settings to prevent automatic program installations. If the damage has already been done and your browser home page or the search engine has been hijacked, you can of course try to fix the problem, if you still have access to the internet and manage to find a document explaining how to clear a browser hijack.

Spyware removal tools develop continuously out of necessity: new exploits are published on a daily basis by spyware authors. In 2003 I knew only Lavasoft's Ad-aware, but now my arsenal consists of the following tools:

Tip: when you run spyware removal tools especially on older PCs, you may want to temporarily disable the on-access antivirus product, to speed up the scanning of the hard drive. But remember to activate the antivirus product afterwards!

Spyware often changes the browser homepage to an unwanted search engine page or even a porn site. Sometimes the controls in the homepage update window are greyed out and you cannot change the homepage back to what it was. Once I had this problem with the home page on a client PC, but luckily I managed to find the SpywareBlaster tool which allowed me to fix the homepage setting. The main function of SpywareBlaster is to protect the registry settings so that spyware cannot make malicious changes.

Marketing and Privacy

Product marketing on the Internet is still in its Wild West stage - marketeers try to get you to visit the sponsoring sites by dubious means, to say the least. One of the techniques used by marketing companies is 'drive-by download'. After the parasite software application has been installed on your PC without your knowledge, the application runs in the background and targets you with advertisements, based on the types of web sites you previously visited. Personally, the last thing I want is an automated shopping assistant following the trail of my mouse clicks on the web.

WARNING: Before going to the web sites promoting applications bundled with spyware, please make sure all the crucial Windows updates have been done and that you have set up your internet browser to maximum security settings, prevented automatic software installations and blocked ActiveX. For details, see the article written by Mike Healan.

Example 1: take a look at the Terms of Use and Privacy Statement from the Hotbar site www.hotbar.com, especially sections (a) (i)...(iii) in the Disclaimer of Warranties.

Example 2: The Claria Corporation classifies itself as 'the leader in online behavioral marketing'. The average computer user overlooks the fine print and has no idea what information he/she allows the web site owner to collect from the PC as compensation for running a 'free' application like The Precision Time.

Interesting reading, isn't it? No wonder Claria, or The Gator Corporation, as it used to be called until recently, had their day in court. The gory details are available from Ben Edelman's website, which contains several research papers showing conclusively what spyware programs really do. The site also reports on the relevant legislation in the U.S.

Latest Threats

Spyware does not limit itself to steering your browser output: some specific spyware, mainly associated with the companies WhenU or 180affiliates, even robs web site owners of the income they earn as affiliates of software manufacturers, as shown by Edelman.

The latest development in the U.S., at the time of writing in March 2005, is the growing frequency of what Edelman calls "Threats Against Spyware Removers, Detectors and Critics".

Useful Links
