PCCITIZEN.com - SAFE COMPUTING/HOME NETWORKING/COMPUTING TIPS/CLEANUP-FIXUP-ADDUP
ALL ABOUT ....SPYWARE....
One of the biggest concerns of 2003, and now into 2004 and 2005, is the number of uninvited guests that users find on their PCs. This uninvited software ranges from mildly annoying, to really annoying, to downright dangerous to the individual user and to the Internet in general. Many public service websites have sprung up to address these concerns, much as the antivirus writers did in previous years. The insecure methods practiced by Windows programmers have come home to roost with the users. It is simply too easy to get uninvited guests using a Windows OS. There are too many Windows security holes which spyware/virus/scumware writers can exploit. Windows has closed these holes almost as fast as they are found, but the onus is on the individual user to keep the PC patched. And he is not keeping up! XP SP2 is a giant step towards securing the Windows OS, but be aware that the security provisions in XP will NOT be backported into Win9X/ME/Win2K!!
Many users still do not "get it," and only after they are fed up with the way their PC is performing do they come to learn and realize that it is the spyware/virus/scumware that is causing all their problems. Indeed, most of this software can operate "below the radar" for many users. Only when the PC starts doing outrageous things does the user even suspect that "this is not normal."
This web site is dedicated to informing users about the dangers of not practicing "safe computing," both for themselves, and ultimately for the entire Internet. On this page I discuss some of the classes of spyware, and on succeeding pages I discuss measures to prevent and avoid this scourge in the future.
"Spyware" is software that finds personal information on your computer and transmits it to some place on the Internet without your knowledge. It is typically not the product you install itself, but small add-ons bundled with it, which you may or may not be able to disable during install. In most cases the EULA ("End User License Agreement") has a few lines telling you about privacy matters, but most users don't read the complete EULA and never know they got spyware on their system.
"Adware" is similar to spyware, but does not transmit personal information. Instead, aggregated usage information is collected. Adware is also often a side-effect of spyware, as both monitor you for a sole purpose - delivering advertisements tailored to your habits. Another kind that is detected under the spyware category is tracking cookies. Cookies are used all over the Internet in useful and less useful places. Advertisement companies often set a cookie whenever your browser loads a banner from them. If that cookie contains a GUID (a unique user ID), the company gets notice of every site you visit that contains their ads.
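The tracking-cookie mechanism described above, modelled as an added example (not code from the original page): a banner server that sets a GUID cookie on the first banner load and then links every later Referer to that GUID. The site names, the cookie name `uid` and the `Browser`/`AdServer` classes are all constructed for the illustration; `third_party=False` models a browser that refuses to send cookies to the third-party ad domain.

```python
import uuid
from collections import defaultdict
from urllib.parse import urlparse


class AdServer:
    """Constructed model of an ad company's banner server."""

    def __init__(self):
        # GUID -> list of sites (from the Referer) that embedded the banner
        self.visits = defaultdict(list)

    def serve_banner(self, cookies, referer):
        """Handle one banner request; return (guid, Set-Cookie header or None)."""
        guid = cookies.get("uid")
        set_cookie = None
        if guid is None:
            # first time this browser is seen: mint a GUID and hand it out
            guid = str(uuid.uuid4())
            set_cookie = f"uid={guid}; Domain=ads.example; Path=/"
        # the Referer tells the ad company which page embedded the banner
        self.visits[guid].append(urlparse(referer).netloc)
        return guid, set_cookie

    def profile(self, guid):
        """All distinct sites the ad company can tie to one GUID."""
        return sorted(set(self.visits[guid]))


class Browser:
    """Minimal cookie jar; third_party=False means 'block third-party cookies'."""

    def __init__(self, third_party=True):
        self.jar = {}
        self.third_party = third_party

    def load_page(self, page_url, ad):
        # every page embeds a banner from the same ad server
        cookies = self.jar if self.third_party else {}
        guid, set_cookie = ad.serve_banner(cookies, page_url)
        if set_cookie and self.third_party:
            name, value = set_cookie.split(";")[0].split("=", 1)
            self.jar[name] = value
        return guid


def simulate(third_party=True):
    """One user visits three unrelated sites that all carry the same banner."""
    ad = AdServer()
    user = Browser(third_party)
    pages = ["http://news.example/front",
             "http://shop.example/cart",
             "http://forum.example/thread/42"]
    guids = [user.load_page(p, ad) for p in pages]
    return ad, guids


def tracked_sites(third_party=True):
    """Return (number of distinct GUIDs seen, sites linked to the first GUID)."""
    ad, guids = simulate(third_party)
    return len(set(guids)), ad.profile(guids[0])


if __name__ == "__main__":
    print("cookies allowed:", tracked_sites(True))
    print("third-party cookies blocked:", tracked_sites(False))
```

With the cookie accepted, all three visits collapse onto one GUID; with third-party cookies blocked, each banner load gets a fresh GUID and no cross-site profile can be built.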
"Parasite" is "unsolicited commercial software" - that is, a program that gets installed on your computer which you never asked for, and which does something you probably don't want it to, for someone else's profit. The parasite problem has grown enormously recently, and many millions of computers are affected. Unsolicited commercial software can typically plague you with unwanted advertising - "adware." It watches everything you do on-line and sends information back to marketing companies - "spyware." It adds advertising links to web pages, for which the author does not get paid, and redirects the payments from affiliate-fee schemes to the makers of the software (such software is sometimes called "scumware"). It sets browser home page and search settings to point to the makers' sites (generally loaded with advertising), and prevents you from changing them back - "homepage hijackers." It makes your modem (analog or ISDN) call premium-rate phone numbers - "dialers." It leaves security holes allowing the makers of the software - or, in particularly bad cases, anyone at all - to download and run software on your machine. It degrades system performance and causes errors thanks to being badly written; it provides no uninstall feature, and it puts its code in unexpected and hidden places to make it difficult to remove. All known parasites are only compatible with Windows, and some only affect the Internet Explorer browser.
"Phishing" and "rootkits" are new exploits which are coming to dominate malware. NEVER reply to an email which wants you to "verify" account info for some site!!
Go here to learn some good information about scumware. Check out the "websurfer" section in the middle. It is unbelievable how detestable some of these practices are, and to what lengths these people go to infect your computer and keep it infected.
There are three ways unsolicited commercial software can make its way on to your machine. Some freeware programs are "bundled" with parasites, which are installed at the same time. The P2P file-sharing programs are notorious for this; in particular, iMesh and Grokster come with countless unwanted add-ons. Often if you are careful to read the small print when you install the software it will warn you about this, and it is sometimes possible to opt out. So always skim the license agreement (EULA...) when you install and don't just click Next. If you don't believe the P2P activities are a problem, check this out - half of all this stuff is loaded with spyware/scumware/virus/trojans!
Many parasites also load using Internet Explorer's ActiveX installation option. When a web page includes a link to an ActiveX program, a window will appear asking if the user wishes to execute it. If 'Yes' is clicked (or if IE security settings are set lower than normal so that it never even asks), the software is allowed to run and can do anything at all on your computer, including installing parasites. For this reason, you should never click "Yes" to a "Do you wish to download and install..." prompt unless you are 100% sure you trust the publisher of the software, which might not be the publisher of the web site you are viewing - read the dialog box very carefully. Sometimes sites (or pop-up ads) try to fool you into clicking "Yes" by stating that the software is necessary to view the site, or opening endless error windows if you click "No", or claiming that the digital certificate on the code means it is safe. It means no such thing. "Microsoft Authenticode", signed by companies like Verisign, means only that the company that wrote the software is the same as the company whose name appears on the download prompt - nothing more. Some of the really sleazy parasites, particularly homepage-hijackers and dialers, execute by exploiting security holes in Internet Explorer, ways of getting code to run that are not supposed to be possible, but are due to mistakes in the browser code. You can do your best to guard against this by ensuring you have the latest updates and patches from Microsoft. Still, there are usually a handful of security holes that have not yet been corrected, so you can never be 100% sure you are safe.
One way of reducing your risk of exploitation is to go to Tools->Internet Options->Security and set the security level for the Internet Zone to "High". (If no slider is visible, click "Default" level to make it appear first.) Then set the security level for the Trusted Zone to "Medium" and add the sites you use and trust to this zone; you may need to do this quite often as many badly-designed sites just won't work in high-security mode. An alternative solution for the last two problems is just to use a different web browser for everyday browsing, and Internet Explorer only for sites you trust that stubbornly refuse to work with other browsers.
Why doesn't my anti-virus software detect this?
Technically, most unsolicited commercial software isn't viral: it doesn't spread from computer to computer, it just installs and runs on one system. That doesn't mean it's not harmful, but anti-virus software does not attempt to detect all software that could be harmful. Whether it should is a tricky argument that ends up being a question of where you draw the line.
Actually some anti-virus programs do detect some of the parasites, but not nearly all, and not all versions of them. Parasites that install using IE security holes are more likely to be targeted by the anti-virus software vendors, but the selection of targets seems for the most part to be pretty arbitrary. For this reason there are now a number of anti-parasite packages around that work as a complement to anti-virus software.
Programs that automatically scan and detect spyware in real time, in the same manner that anti-virus programs perform the real time task, are not generally available. Spyware can wind up on your system in perfectly "legal" ways that it is not possible for any program to anticipate. You may visit web sites, or download programs that appear perfectly legal, but one of the "benefits" of that activity is that you actually acquire an unanticipated guest program that qualifies as "spyware." This happens many times if you just click the "I accept" button or do a "normal" install instead of a "custom" install. If you cannot bring yourself to decline free programs en masse, one of the best defenses is to watch for the opportunity to do a "custom install." If the program gives you the opportunity to do a custom install, you should always take it. There is no telling what kind of goodies that program is trying to install on your system. They (the more reputable ones - if there is such a thing) may actually give you the option to opt out of a lot of those programs.
Update May 2005: The real time antispyware programs are finally starting to show up. Microsoft has even bought a vendor and will be introducing its own product. Go here and follow the discussion.
The install of Real Player is one of the most notorious in this respect. Please be sure to do a custom install of Real Player, and turn off those dozen or so agents that it starts (unless you want them of course.... :-)). Many of the free programs don't even give you the opportunity to turn off some of these agents. The free programs to watch out for are the p2p servers such as Kazaa and Morpheus, the download assistants such as smartdownload and netzip, and many of the games that are offered up!
"Spyware" is software that gets installed on your PC and collects various information about you, your PC, your Internet surfing habits, and maybe some other stuff you really don't want exposed. Basically, this stuff comes with a lot of the freeware people are installing, especially some of the point to point (p2p) software such as Kazaa, Morpheus, and others. I have found many of the MP3s, screensavers and games also have included spyware. Basically all the free stuff is liable to have this stuff in it. If you really really want to install some piece of freeware, just head on over to www.google.com and do a search on the piece of freeware you really really want to install. You can read all about that stuff, and maybe get a clue as to the dangers of it, or maybe there is a spyware-free version of it! Even Realplayer has a lot of spyware. If you are very careful and choose the "custom" install instead of the express install when you install these goodies, you may be able to avoid some of the spyware. In other cases it is not possible; the spyware is simply installed. Some of the names that will really byte you these days are "Xupiter," "Cydoor," "bonzi," "gator," and there are many others. If you see these names, get rid of them!!! Run ad-aware thoroughly and often! If you have an older OS such as Win95/Win98 and you have not kept it up to date, and you do not have an up to date antivirus program running, you are more than likely to have some serious spyware installed on your PC. In fact it is very difficult to avoid all this spyware; they are sort of like germs which you catch and carry around with you - some of them may harm you or slow you down, but they typically don't stop you altogether. Viruses can be much more harmful to you, both in real life and in PCs, so antivirus software is widely used. Antispyware software is not as widely used......yet.
You really need to install antispyware software on your PC, and have it execute at every startup as a minimum. And run the full spyware scan every week or so - pretty much like antivirus programs. It is probably not necessary to have the antispyware running in real time like the antivirus programs, at least not yet. There are no good options for this at this time. You can also keep track of spyware by running a personal firewall. One of the most useful actions of a personal firewall like Zone Alarm is to trap all outgoing communication attempts, including all the spyware agents attempting to "report home."
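The "report home" check a personal firewall performs, as an added example that is not from the original page or from Zone Alarm: outbound-connection log lines are parsed and any process outside a short list of programs the user actually runs is reported together with the external addresses it contacted. The log format, the process names `example_agent.exe` and `updater.exe`, and all addresses are constructed for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log in a made-up personal-firewall format (not real ZoneAlarm output):
# date time direction proto process-path local:port -> remote:port verdict
LOG = r"""
2005-05-02 09:14:03 OUT TCP C:\Program Files\Internet Explorer\iexplore.exe 10.0.0.5:1041 -> 203.0.113.10:80 ALLOW
2005-05-02 09:14:05 OUT TCP C:\Program Files\Outlook Express\msimn.exe 10.0.0.5:1042 -> 203.0.113.25:110 ALLOW
2005-05-02 09:14:09 OUT TCP C:\WINDOWS\System32\example_agent.exe 10.0.0.5:1043 -> 198.51.100.7:80 ALLOW
2005-05-02 09:14:10 OUT UDP C:\WINDOWS\System32\example_agent.exe 10.0.0.5:1044 -> 198.51.100.8:53 ALLOW
2005-05-02 09:20:11 OUT TCP C:\Program Files\Shared Tools\updater.exe 10.0.0.5:1045 -> 192.0.2.44:80 ALLOW
2005-05-02 09:20:12 OUT TCP C:\Program Files\Internet Explorer\iexplore.exe 10.0.0.5:1046 -> 10.0.0.1:80 ALLOW
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) OUT (TCP|UDP) (.+?) "          # timestamp, protocol, process path
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> "           # local address:port
    r"(\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$"        # remote address:port, verdict
)

# Programs the user knowingly runs and expects to talk to the Internet.
# Anything else making outbound connections deserves a look.
ALLOWLIST = {"iexplore.exe", "msimn.exe"}

# Connections to the LAN or loopback are not "reporting home". We check
# RFC 1918 ranges explicitly instead of ipaddress.is_private, because that
# property also matches the documentation ranges used in the sample log.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def phone_home_candidates(log_text, allowlist=ALLOWLIST):
    """Map each non-allowlisted process name to the external endpoints it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unparseable line
        _ts, proto, proc, _lip, _lport, rip, rport, _verdict = m.groups()
        name = proc.rsplit("\\", 1)[-1].lower()   # basename of the process path
        if name in allowlist or is_local(rip):
            continue
        hits[name].add(f"{proto} {rip}:{rport}")
    return {name: sorted(dests) for name, dests in hits.items()}


if __name__ == "__main__":
    for name, dests in phone_home_candidates(LOG).items():
        print(f"{name}: {', '.join(dests)}")
```

In the sample, the two unknown programs show up while the browser and mail client do not; a real firewall would prompt on the first such attempt, and this is the moment to deny it and look the process up.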
Not all spyware is nefarious; some of it simply is software that collects "marketing information." All those pop-up ads you get on your PC could be targeted based upon some of the marketing information collected about you. Some people don't mind this, others resent the intrusion into their lives. You have to make your own decision. But your PC can really bog down with all this spyware software that may be running on your PC! That is perhaps its biggest problem right now.
None of this software really qualifies as viruses, so your anti virus protection software is not really prepared to fend this stuff off. After all, you are the one who installed it, didn't you? Did you just click "accept" on that policy the last time you installed that free game or demo software?? You should definitely do custom installs and at least have some chance of seeing what gets installed on your PC.
"Trojans" can be considered particularly vicious scumware that has pretty much taken over your PC, at least in the background, and may be instructed to perform Internet terrorism, such as DoS attacks. There is more and more software which can be used to check for these. I tend to think of this as a losing battle. If you have a trojan on your PC, you have already lost the battle for the soul of your PC, and you might just as well start over!
The latest trojans that get installed on user PCs perform SPAMMing. Yes, that is right. International criminal elements now routinely collect lists of compromised PCs, and sell their resources to unscrupulous spammers and phishers to propagate their trash.
"Rootkits" are becoming an increasing problem. There are very few tools which will detect these at the present time!!
The Spybot Search and Destroy help pages have a particularly good discussion of spyware/adware/scumware. Some of this discussion is borrowed from them. (thank you!). This site has a good discussion of trojans and worms. Check out the FAQ. Here is another good site discussing scumware/trojans. DSLreports has a particularly good FAQ on testing for scumware/trojans.
The best way to handle spyware is to install a spyware removal tool, such as ad-aware. You can configure it to run at startup of your PC, and you can also run it in exhaustive mode as well as quick check mode. Ad-aware has a good track record, and the basic software is free. Like Zonealarm, there is an advanced version which allows a lot more control, including pop-up protection. Be sure you click on "check for upgrade" every time you run the full scan - it is like updating your antivirus software. Too bad it is not set up automatically - the next version likely will be.
I have included a couple of articles in-line here to discuss the problems of spyware. They are great reading, and I hope the authors don't mind too much. I still consider this stuff a public service, and I hope these authors do also. Please scan them to get a feel for what is going on out there.....
1. Jerry Pournelle Article
Jerry Pournelle, in his column in the September 2002 www.byte.com magazine, has a great story about spyware removal. Jerry's weekly articles are some of the best reading on the Internet, offering a wide range of advice on PCs and home computing:
Spyware and the Virus Panic
Roberta has two systems that share a keyboard, mouse, and video monitor through a Belkin KVM switch. The one she uses most is called "Seattle;" it's a Pentium III 550 with 128 MB of memory running Windows 98. I keep insisting this isn't very much machine and offering to replace it, but she says it's good enough for what she does, and she's used to it. She mostly uses it for web browsing and e-mail, and I suppose she's right: Except for startup times—long if you are used to Windows XP, not so long if you use Windows 2000—nothing she does is limited by the processor speed.
Everything changed a couple of weeks ago. She reported that the machine wasn't working at all. It wouldn't even finish booting up before she started getting error messages, and when she went to open Outlook 2000 the machine would just sit there, trundling away with nothing happening. It was pretty grim, and shutting down and rebooting did no good at all.
"So what was happening for the last week before it locked up?" I asked. "Was it getting slower and slower?"
And indeed it had. It had also begun to accumulate a plethora of really disgusting pornographic web sites that would pop up uninvited whenever she opened Internet Explorer. "It's enough to gag you. With a long handled spoon," she said.
I took this as an opportunity to set up a new system for her, and began work on a 2-GHz Pentium 4 with a gigabyte of memory and a 60-GB hard drive. Seattle was working well enough that I could use the network to transfer files over to the new system.
I set up the new machine to run Windows 2000. Doing that taught me a lot about the User Account system on Windows 2000, and we'll come back to that later. Meanwhile, I was able to set up the new machine for her, except for the Pretty Good Privacy and the authentication system for accepting credit-card orders for her reading program (see www.readingtlc.com). I knew I could transfer those, because I had done it before, even if I have forgotten how.
Of course, the authentication system wants to work through a direct dialup modem rather than through the local network and out through the satellite; "Seattle" knows how to do that, using the LAN for Outlook and Internet Explorer, but using the direct dial modem when she wants to authenticate credit-card orders. I vaguely remembered that it had been a bit tricky to get that working properly.
To find out how I'd set Seattle up to use the LAN for one kind of communication and the US Robotics modem for another, I needed to get Seattle running well enough to let me have a look: That was one sick machine. I could reach it through the LAN by never logging in on Seattle at all, but when we tried to log on, the machine didn't want to tell me anything. It just wanted to sit there and complain.
So. While I was prepared to drain the swamp by setting her up with a new machine, I first had to fight the alligators. First thing, then, was to bring up Seattle in Safe Mode, and run Norton Anti-Virus. All that did was reassure us: It didn't detect any actual virus or Trojan running or resident on the hard drive. Next, I fired up StartUp Manager to see just what programs were running on startup. There were a lot of them. The version of StartUp Manager I have is pretty old; there's a much later one on the web site. On the other hand, the one already on her machine works just fine; I used it to turn off everything nonessential including Windows Critical Updates, the various Norton utilities, Silicon Prairie's memory manager, and other stuff. When I rebooted I didn't get all the error messages as before, and I was actually able to get control of the system. Sort of.
It was still clogged up, and opening Internet Explorer got a pornographic popup window, reminding me that I have to put Popup Stopper on Roberta's machine. I also noted that the disk was filling up with junk, and most of the 128-MB of system memory were used up running processes not connected to any programs that StartUp Manager could find. Next step, then, was Internet Explorer/Tools/Internet Options, and delete all the cookies and temporary Internet files. There were a lot of them: Roberta didn't remember ever doing this in the year or two this machine had been operating. The same tool let us clear the history.
This got rid of some of the garbage, but not all. Moreover, there was an enormous—700 MB—file called index.dat in the Internet Explorer Temp Files directory. It's associated with the Internet browsing history of the machine, and that file can't be deleted by Windows Explorer or Norton Windows Commander. It just sits there getting bigger and bigger. Since this was a Windows 98 machine, I rebooted it in DOS, and used Norton Commander to erase that index.dat file. That gave us a lot more disk space.
Now when we brought up Seattle, it was operating well enough that we could log in. It was still very sluggish, but operating well enough that I was able to download aaw.exe from Lavasoft. That's the installation file for a freeware program called Ad-aware, and if you don't have it on your Windows system, go get it right now, install it, and run it. We installed Ad-aware and let it scan both the registry and the hard drives on Seattle. It found 31 processes that shouldn't have been there. There was Gator, which is a web tracker. There were five different web browser hijack programs (which were the cause of the rain of pornographic spam). Three spyware programs. Every one of those was trying to run in background, and the result was that her system was so clogged up with this junk that it wouldn't run.
I let Ad-aware delete all of those from both memory and disk drives and rebooted—and Seattle was running just fine. In fact, the system is running so well that Roberta wants to keep it, and won't let me replace it with the new Pentium 4 I'd built up for her. Moreover, we cleaned so much junk off her hard drive that she's got plenty of disk space.
We tried to reconstruct just how she'd got into the pornographic hell. Part of the problem is that if you're doing educational research, you visit a lot of web sites, and many of them aren't what they seem to be. Then things really got acute when she did a Google search on "Barbizon," which is the brand name of a slip she wanted to replace. It turns out that a lot of porn sites have the name Barbizon associated with them. She may also have been led to a couple of porn sites through similarity of names; once you get to one of those places, it instantly attaches itself to you with spyware, Gator, browser hijackers, popups, and a whole host of weapons, and if they all run at once, they can overwhelm the system—as they had Roberta's.
My associates tell me that the first moral of this story is to get rid of Internet Explorer and go to Opera or Mozilla, opening IE only when necessary. Not only do these work, but they have text zooming features that make it easier to read small print. I can't say that's a bad idea, but Roberta isn't interested at all, and as for me, I do a lot of silly things so you don't have to: I'll keep Internet Explorer, if only to be able to tell Microsoft what's wrong this time.
The second moral of this story is, get Ad-aware and use it early and often. I just went down and ran it on Seattle again tonight: It found 4 processes that shouldn't have been there, two of them web hijackers. I also ran it on Regina, my web surfing machine, and while the registry was clean, it found a Doubleclick cookie had snuck in. Note that Norton Anti-Virus didn't find these things, because technically, they are neither viruses nor Trojans.
I think Norton ought to consider adding an Ad-aware function to their anti-virus software. After all, these may not technically be Trojans, but they are definitely hostile attacks and constitute a Denial of Service attack on your system, and I'd think the people infecting our systems with this junk should be liable to both civil and criminal penalties under any sane legal system. (This is clearly not a "drag chute" we want, is it?) Alas, much of this is associated with web commerce, and is protected in the same way that spamming is protected. The Direct Mail Association has a lot more clout with our Congressional Finest than you or I. Fortunately, Ad-aware doesn't take long to run, and is pretty good at clearing out this cruft.
Thirdly, if you run Internet Explorer, go through and clear out the temporary internet files at reasonable intervals, and if you're running Windows 98, boot up in DOS and clear out the Temporary Internet Files index.dat file while you are at it. (There may be other index.dat files associated with other programs, so be sure to kill only the proper one.) In Windows 2000 you can boot up in Safe Mode, log in as Administrator, and delete the huge index.dat files from the search window. In Windows 2000 those don't grow nearly as fast as they do in Windows 98 systems, but I got rid of them anyway, and I haven't missed them at all.
Run Ad-aware often, and periodically clean up your Temporary Internet Files including index.dat. Your system will run better for it.
One caution: I advise cleaning up by hand, using Error Scan and other such programs, rather than the disk cleanup utility built into Windows. That one can take literally hours and eat up all the CPU time: A real drag chute. If you decide to run it, run it overnight.
2. Excerpt from Jerry Pournelle column 270 Jan 2003
3. Yahoo spying on its users
Here is a post from the bellsouth.net.support.adsl newsgroup, 1-17-2003, showing how even Yahoo spies on its users. This is pervasive stuff!
I received this email today from a YahooGroups user. Please pass
the word to your friends.
Copyright John D Loop Wednesday October 26, 2005