Spyware & Adware
by Dominique Fruchtman
www.firstname.lastname@example.org

SPYWARE
What is it? Why is it bad? How do I get rid of it? How do I keep it off?

www.pchelp911.com/files/startcop.zip
Bad News
• Corrupt hard drive, damaged operating system
• Exposure of private information
• Stolen usernames and passwords
• Identity theft

Spyware and adware find you when you...
• Visit web sites or open spam, automatically installing on your machine without your knowing
• Visit a web site and it assigns you a tracking cookie
• Share music, files or photos with other users
• Install programs without fully reading license agreements
Spyware Stats & Symptoms
9 out of 10 Internet-connected PCs are infected with spyware and adware
• A recent study found an average of 26 spyware and adware traces per scan.
Symptoms:
• Increased pop-up ads
• Slow computer performance
• Unexplained home page change
• Mysterious web search results
Spyware Defined
Strictly defined, spyware consists of computer software that gathers and reports information about a computer user without the user's knowledge or consent. More broadly, the term spyware can refer to a wide range of related malware products which fall outside the strict definition of spyware. These products perform many different functions, including the delivery of unrequested advertising (pop-up ads in particular), harvesting private information, re-routing page requests to fraudulently claim commercial site referral fees, and installing stealth phone dialers.
Spyware vs. Adware
• Spyware as a category overlaps with adware. Many web browser toolbars may count as spyware.
• Adware loads ads from a server and displays them while you run a program, with your permission
• The software developer gets ad revenue
• The user gets to use the program free of charge
• In these cases, adware functions ethically. If the software collects personal information without permission (a list of websites visited, for example, or a log of keystrokes), it may become spyware.
Spyware Barnacles
• Programs installed with your knowledge do not constitute spyware
• Some legitimate software installs additional programs to collect data or distribute ads
• These barnacles can:
  • Drastically impair system performance
  • Abuse network resources
  • Slow throughput/impede internet speed
  • Be difficult or impossible to remove
Spyware vs. Virus
Both:
• Install without the user's knowledge or consent
• Cause system instability
A Virus:
• Replicates itself, spreading copies to other computers
• Relies on users with poor security habits in order to spread
Spyware:
• Does not replicate
• Relies on persuading ignorant users to download and install by offering some kind of bait (such as freeware)
Appears harmless, even fun
A common spyware program targeted at children, Bonzi Buddy, claims that:
"He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE!"
Spyware does…
• Start every time the computer boots up
• Use CPU cycles and RAM
• Reduce system stability
• Run at all times
• Resist being shut down
• Monitor Internet usage
• Deliver targeted ads
• Not replicate onto other computers
• Function as a parasite but not as an infection
A Virus goes beyond
• A virus carries a payload
• May damage the user's system (deleting files)
• May make the PC more vulnerable to further attacks by opening up a "back door"
• May put the machine under the control of malicious third parties for spamming or denial-of-service attacks
• Replicates itself onto other computers
• Functions not only as a parasite, but as an infection as well
Spyware Damage
• Spyware does not damage the data files
• Intentionally invades your privacy
• Steals bandwidth
• Can cause users to reformat the hard drive
• Can cause users to reinstall the operating system
• Can prove expensive in terms of anti-spyware programs
Rapid Accumulation
Windows-based computers rapidly accumulate spyware components. The effects of spyware infection (privacy issues aside) include:
• Substantial loss of system performance – more than 50% in extreme cases
• Major stability issues – crashes and hangs
• Difficulty in connecting to the Internet
• Spyware (often inadvertently) modifies DLLs needed for connectivity
Monetary Consequences
• Spyware infection requires professional help more than any other single cause
• No user awareness of spyware
• User assumes system performance, stability, and/or connectivity issues relate to hardware, Windows installation problems, or a virus
Additional Consequences
• Stealth dialers attempt to connect directly to a particular telephone number rather than to a user's own intended ISP
• The number in question involves long-distance or overseas charges
• Results in massive telephone bills
Windows System Files
• Targetsoft, for example, modifies system files to make itself harder to remove
• Targetsoft modifies the Winsock (Windows Sockets) files
• If you delete the spyware-infected file "inetadpt.dll", it will interrupt normal network usage
How Spyware Sneaks In
• The spyware component comes bundled with an otherwise apparently useful program
• Programs are free, to encourage the wide uptake of the spyware component
• This applies especially with file-sharing clients such as Kazaa, and other P2P applications
• Xolox.com is one of the few that is Spyware-free
Internet Explorer
• Spyware takes advantage of security flaws in Internet Explorer.
• Internet Explorer installs Spyware via a drive-by download with or without a prompt.
• A drive-by download takes advantage of easy installation via an ActiveX control or components
Cookies
• An HTTP cookie can count as Spyware.
• A search engine website could assign an ID code to a user the first time he/she visits
• It stores all search strings in a database with this ID as a key
• It can use this data to select advertisements to display to that user
• It can also transmit derived information to third parties.
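The tracking-cookie flow on this slide, as an added simulation that is not part of the original presentation: a toy search site mints an ID cookie on first visit, keys every later search string to that ID, picks an ad from the accumulated history, and exposes a "derived" interest profile of the kind that could be passed to a third party. The site, the cookie name `uid`, and the ad keyword table are constructed for the example; clearing or rejecting the cookie shows how the linkage breaks.

```python
import secrets
from collections import Counter
from http.cookies import SimpleCookie

# Ad categories keyed by a search term; constructed for this illustration.
AD_KEYWORDS = {"golf": "golf-clubs", "mortgage": "loans", "vacation": "travel"}


class TrackingSearchSite:
    """Toy search site (constructed) that links every query to a cookie ID."""

    def __init__(self):
        self.profiles = {}  # uid -> list of search strings, as on the slide

    def handle_request(self, query, cookie_header=None):
        """Serve one search. Returns (uid, Set-Cookie value or None, ad shown)."""
        uid = None
        if cookie_header:
            jar = SimpleCookie()
            jar.load(cookie_header)
            if "uid" in jar and jar["uid"].value in self.profiles:
                uid = jar["uid"].value  # returning visitor: history continues
        set_cookie = None
        if uid is None:
            # First visit, or the browser cleared/rejected the cookie:
            # mint a fresh ID and ask the browser to send it back from now on.
            uid = secrets.token_hex(8)
            self.profiles[uid] = []
            fresh = SimpleCookie()
            fresh["uid"] = uid
            fresh["uid"]["max-age"] = 60 * 60 * 24 * 365  # a year of tracking
            set_cookie = fresh["uid"].OutputString()
        self.profiles[uid].append(query)
        return uid, set_cookie, self.select_ad(uid)

    def select_ad(self, uid):
        """Pick the ad category matching the accumulated history for this ID."""
        hits = Counter()
        for q in self.profiles[uid]:
            for term, category in AD_KEYWORDS.items():
                if term in q.lower():
                    hits[category] += 1
        return hits.most_common(1)[0][0] if hits else "generic"

    def derived_profile(self, uid):
        """What the site could hand to a third party: interests, not raw queries."""
        return sorted({c for q in self.profiles[uid]
                       for t, c in AD_KEYWORDS.items() if t in q.lower()})
```

Because the browser, not the site, decides whether to return the cookie, a user who clears cookies or blocks them for that domain gets a fresh ID each time and the history never accumulates.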
Inadvertently Installing Spyware
• Granting permission for web-based applications to integrate into one's system can also load spyware. These Browser Helper Objects — known as Browser Hijackers — embed themselves as part of a web browser.
• Spyware usually installs itself by some stealthy means. User agreements for software may make references (sometimes vague) to allowing the issuing company of the software to record users' Internet usage and website surfing. Some software vendors allow the option of buying the same product without this overhead.
Drastic Measures
Clean Install of Windows
• Only consider it when a problem has become so severe that the PC has become non-functional
• You must have a complete backup of your data along with all the setup disks
• A clean install means erasing all the data from your hard drives, formatting, and re-installing the operating system
• Always install the latest updates/Service Packs
• Only advanced users or a computer technician should attempt this remedy
The Best Cure: Microsoft to the Rescue
• "Windows Antispyware" may be the best shot at repairing system performance lag
• You can download this program free of charge as of March 2005
• If you choose not to invest in Windows XP, you must look for other remedies, but consider the relative cost
Combating Spyware
• Spyware Removal Programs – buy one
• Rarely, some free ones purge a system of spyware, only to install their own
• Spyware takes advantage of Internet Explorer vulnerabilities
• Disabling ActiveX in Internet Explorer will prevent some infections. However, websites that make use of ActiveX will no longer work
• Better than that, use a less vulnerable browser such as Mozilla Firefox (www.getfirefox.com)
Non-Windows PCs are safer
• Currently-known spyware does not specifically target non-Windows systems, such as those running Mac OS or Linux
• Most people online use Windows; there is little financial incentive to bother with Mac and Linux
More Prevention
• When you install a free program, use a search engine to see if this program has a reputation for bundling spyware
• AOL Instant Messenger has debatable components that can be unchecked at the time of installation
• It pays not to rush through the installer
Why doesn't Virus software help?
Anti-virus products (Norton, McAfee, Trend Micro) have lagged in responding to the threat of spyware because:
• Differences between spyware and viruses
• Spyware may inform end-users, albeit in hidden legal jargon, what it will do. Spyware originators use this escape clause: "Well, we told the user what our software would do, and they installed it anyway"
• The difficulty of defining spyware
• Some spyware comes bundled with legitimate programs that a user agrees to install – removing the Spyware could disable the program
How is a Virus different?
• Viruses usually originate with individuals
• Spyware originates from companies
• Spyware companies employ effective legal teams
• Spyware companies can sue makers of anti-spyware software for listing their product(s) as spyware
• This makes scanning for and cleaning spyware different from the anti-virus world
• Virus writers operate anonymously outside the law and would reveal their identity by suing
Incomplete Spyware List, classified by effect
Generating pop-ups:
• 180 Solutions
• DirectRevenue
• lop.com (advertising, pop ups, security risk, tries to dial out at random)
Generating pop-ups, damaging and/or slowing computers:
• Bonzi Buddy
• Cydoor
• Gator, Claria Corporation (Ads, pop ups, privacy violation, significant security risk, partially disables firewalls, stability issues, hard to remove)
• New.net (security risk, stability issues, common cause of inability to connect)
• ShopAtHomeSearch
Hijacking browsers:
• CoolWebSearch - a well-known browser hijacker; some variants have a reputation for damaging the TCP stack when forcibly uninstalled
• Euniverse
• Xupiter
Spyware, cont'd
Committing Fraud:
• XXXDial
Stealing information:
• Back Orifice (arguably better categorized as a Trojan Horse, since its open source code militates against secrecy and -- unlike most spyware -- it has no commercial motive. Also has legitimate uses such as remote administration.)
Masquerading as a Spyware remover:
• SpyKiller
Complete list here: http://www.spywarewarrior.com/rogue_anti-spyware.htm
Spyware, cont'd
Miscellaneous:
• (Advertising, fake alert messages, possible privacy violation, security risk)
• MarketScore (Claims to speed up Internet connections: serious privacy violation, loss of Internet connection on some systems)
• CnsMin (Made in China; privacy violation. Preset in many Japanese PCs as JWord!)
Known programs bundling adware:
• Kazaa
• Bearshare
• DivX (except for the paid version, and the 'standard' version without the encoder)
External Links
• Lavasoft Ad-Aware SE Personal (http://www.lavasoftusa.com/support/download/#free) — (Freeware Version)
• Aluria Software spyware removal (http://www.aluriasoftware.com) — Personal and business antispyware
• HijackThis (http://merijn.org) (mirrors: 1 (http://spywareinfo.com/~merijn) 2 (http://184.108.40.206/~merijn/) 3 (http://ftp.officefive.org.uk/sites/www.spywareinfo.com/~merijn/) 4 (http://www.richardthelionhearted.com/~merijn)) — offers utilities to remove several spyware problems which Ad-Aware or Spybot Search & Destroy cannot currently fix.
• Hitman Pro (http://www.hitmanpro.nl) — A bundle of related spyware removal software, in Dutch.
• Microsoft Anti-Spyware (http://www.microsoft.com/athome/security/spyware/software/default.mspx) — (Still in beta as of April 2005)
• PestPatrol (http://www.pestpatrol.com/)
• Spybot - Search & Destroy (http://www.safer-networking.org)
• Spyware Doctor (http://www.pctools.com/spyware-doctor/)
• Spy Toaster (http://www.spytoaster.com/)
• Spy Sweeper
Communities
• www.forums.tomcoyote.org — Spyware removal help forum, and classroom to teach removal techniques
• Google Spyware Removal Group (http://groups-beta.google.com/group/spyware-removal)
• Bleeping Computer Spyware Removal Tutorials (http://www.bleepingcomputer.com/forums/tutecat38.html) — tutorials for HijackThis, Spybot, and Ad-Aware.
• Geeks To Go (http://www.geekstogo.com/forum) — Hijack assistance and malware removal forum.
• Spywareinfo Forums (http://forums.spywareinfo.com/index.php) — help for removing adware, spyware and malware.
• SpywareWarrior (http://spywarewarrior.com/index.php) — forum that came under fire (http://www.netrn.net/archives2/000539.html) in May 2004 for posting information about a spyware company.
Guides
• Spyware/AdWare/Malware FAQ and Removal Guide (http://www.io.com/~cwagner/spyware/)
• doxdesk.com parasite database (http://www.doxdesk.com/parasite/) — Removal instructions for most common spyware/adware/malware parasites.
• Computer Security (http://www.boredguru.com/modules/articles/index.php?storytopic=16) — Tips and tricks for manually removing common trojans, adware and spyware.
• Rogue AntiSpyware List (http://www.spywarewarrior.com/rogue_anti-spyware.htm) — list of spyware removal programs to avoid
Prevention:
• Financial investors who support spyware (http://www.benedelman.org/spyware/investors/) — A list of investment firms which support large scale spyware companies.
• Spyware Prevention and Removal (http://www.pcreview.co.uk/articles/Internet/Spyware_and_Adware_Removal/) — How to prevent Spyware and Adware, and a guide to removing it should the worst happen.
• Spyware Prevention (http://www.freespywareremoval.info/prevention/) — Proactively preventing spyware.
• Dealing with unwanted spyware and parasites (http://mvps.org/winhelp2002/unwanted.htm)
• The Spyware Inferno (http://news.com.com/2010-1032-5307831.html) — article on the rise of spyware, with a hierarchical list of different kinds of spyware based on levels of danger.
Bottom Line
• Use Windows XP, Service Pack 2
• Use Mozilla Firefox instead of IE
• Regularly scan your PC with AntiSpyware
• Be cautious of downloads
• Read the EULA carefully
• Remember: Spyware arrives quickly – if you notice a sudden change in system performance, run a scan immediately