New Reviews Underway...

We just took a trip to CompUSA and came back with a ton of new products, including Cosmi's Spyware Killer Pro and a stack of DVD Copying utilities. Look for more reviews in the next two weeks!

October 28, 2005

Anti-Spyware Group Pushes Guidelines

by Wendy Davis, Friday, Oct 28, 2005 6:01 AM EST

MORE THAN SIX MONTHS AFTER it formed, an anti-spyware group headed by the Center for Democracy and Technology, the Anti-Spyware Coalition, released guidelines Thursday designed to assess how to evaluate spyware and other potentially unwanted software programs. The group's guidelines carry no legal weight, but might be influential with some members--like Aluria and Lavasoft--that manufacture anti-spyware removal software.

The proposed standards don't spell out whether any particular product should be classified as harmful, but instead provide various risk factors--a laundry list of traits of software programs, with each trait assessed for its degree of risk.

"The risk factors have general weights (high, medium, and low) that help show the relative impact to the user," states the document. "Although all behaviors can be problematic if unauthorized, certain ones tend to have a greater impact and are treated with more severity than others."

When programs serve pop-up ads, one of the key indicators of potential harm is whether the pop-ups "are clearly attributed to the source program," according to the guidelines.

The guidelines also look at factors that could indicate whether consumers have consented to the programs. For instance, in the case of bundled programs, one factor is whether consumers have opted-in to receive the bundled software (considered a high indication of consent) or whether consumers' only notification about bundled software came in an end-user license agreement (considered a low indication of consumer consent).

Similarly, the easier a program is to remove, the more likely it is that the consumer has consented to the program, according to the guidelines.

The organization is accepting comments on the guidelines through Nov. 27.

Spyware

From Wikipedia, the free encyclopedia.

Spyware covers a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.

Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, however, spyware - by design - exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.

As of 2005, pundits have often characterized spyware as the pre-eminent security threat for computers running Microsoft Windows operating systems. Some malware on the Linux and Mac OS X platforms has behavior similar to Windows spyware, but to date has not become anywhere near as widespread.

History and development

The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model. Spyware later came to refer to espionage equipment such as tiny cameras. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall.^[2] Since then, computer-users have used the term in its current sense. 1999 also saw the introduction of the first popular freeware program to include built-in spyware: a humorous and popular game called "Elf Bowling" spread across the Internet in November 1999, and many users learned with surprise that the program actually transmitted user information back to the game's creator, Nsoft.

In early 2000, Steve Gibson of Gibson Research realized that advertising software had been installed on his system, and he suspected that the software was stealing his personal information. After analyzing the software he determined that they were adware components from the companies Aureate (later Radiate) and Conducent. He eventually rescinded his claim that the ad software collected information without the user's knowledge, but still chastised the ad companies for covertly installing the spyware and making it difficult to remove.

As a result of his analysis in 2000, Gibson released the first anti-spyware program, OptOut, and many more software antidotes have appeared since then.^[3] International Charter now offers software developers a Spyware-Free Certification program.^[4]

According to an October 2004 study by America Online and the National Cyber-Security Alliance, 80% of surveyed users' computers had some form of spyware, with an average of 93 spyware components per computer. 89% of surveyed users with spyware reported that they did not know of its presence, and 95% reported that they had not given permission for it to be installed.^[5]

Spyware, "adware", and tracking

The term adware frequently refers to any software which displays advertisements, whether or not it does so with the user's consent. Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. They do not operate surreptitiously or mislead the user.

Many of the programs frequently classified as spyware function as adware in a different sense: their chief observed behavior consists of displaying advertising. Claria Corporation's Gator Software provides an example of this sort of program. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user's experience is that their computer begins displaying a large number of pop-up advertisements.

Other spyware behaviors, such as reporting on websites the user visits, frequently accompany the displaying of advertisements. Monitoring web activity aims at building up a marketing profile on users in order to sell "targeted" advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such) although many users choose to install it.

Routes of infection

Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.

The most direct route by which spyware can get on a computer involves the user installing it. However, users are unlikely to install software if they know that it may disrupt their working environment and compromise their privacy. So many spyware programs deceive the user, either by piggybacking on a piece of desirable software, or by tricking the user to do something that installs the software without realizing it.

Classically, a Trojan horse, by definition, smuggles in something dangerous in the guise of something desirable. Some spyware programs get spread in just this manner. The distributor of spyware presents the program as a useful utility -- for instance as a "Web accelerator" or as a helpful software agent. Users download and install the software, only to find out later that it can cause harm. For example, Bonzi Buddy, a spyware program targeted at children, claims that:

He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE! ^[6]

The BearShare file-trading program is "supported" by WhenU spyware. In order to install BearShare, users must agree to install "the SAVE! bundle" from WhenU. The installer provides only a tiny window in which to read the lengthy license agreement. Although the installer claims otherwise, the software transmits users' browsing activity to WhenU servers.^[1]

Spyware can also come bundled with shareware or other downloadable software, as well as music CDs. The user downloads a program--for instance, a music program or a file-trading utility--and installs it; the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software, as with the Gator spyware now marketed by Claria. In other cases, spyware authors have repackaged desirable software with installers that add spyware.

A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. The security features of the design of the Internet Explorer Web browser militate AGAINST allowing Web sites to initiate an unwanted download. Instead, a user action, such as clicking on a link, must normally trigger a download. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack.

Some spyware authors infect a system by attacking security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and install of spyware. The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a "drive-by download", by analogy to drive-by shootings which leave the user as a hapless bystander. Common browser exploits target security vulnerabilities in Internet Explorer and in the Microsoft Java runtime. Given that Internet Explorer remains the most widely-used browser and that many users neglect to update to more secure versions of their software, Internet Explorer provides an attractive entry point for the less scrupulous advertiser or computer-hacker.

Internet Explorer also serves as a point of attachment for spyware programs which install themselves as Browser Helper Object plugins.

In a few cases, a worm or virus has delivered a payload of spyware. For instance, some attackers used the W32.Spybot.Worm worm to install spyware that popped up pornographic ads on the infected system's screen.^[7] By directing traffic to ads set up to channel funds to the spyware authors, they can profit even by such clearly illegal behavior.

Effects and behaviors

Windows-based computers can rapidly accumulate a great many spyware components. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic -- slowing down legitimate uses of these resources. Stability issues -- application or system crashes -- are also common. Spyware which interferes with the networking software commonly causes difficulty connecting to the Internet.

Spyware infection is the most common reason that Windows users seek technical support -- whether from computer manufacturers, Internet service providers, or other sources. In many cases, the user has no awareness of spyware and assumes that the system performance, stability, and/or connectivity issues relate to hardware, to Windows installation problems, or to a virus. Some owners of badly infected systems resort to buying an entire new computer system because the existing system "has become too slow". For badly infected systems, a clean reinstall may be required to restore the system to a working order--—a time-consuming project even for experienced users.

Only rarely does a single piece of software render a computer unusable. Rather, a computer rarely has only one infection. As the 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. The cumulative effect, and the interactions between spyware components, typically cause the stereotypical symptoms reported by users--a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and reduce browser security settings, opening the system to further opportunistic infections, much like an immune deficiency disease. There are also documented cases where a spyware program disabled other spyware programs created by the competitors.

Some other types of spyware (Targetsoft, for example) modify system files to make themselves harder to remove. (Targetsoft modifies the Winsock (Windows Sockets) files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage.) Unlike many other operating systems, a typical Windows user has administrator-level privileges on the system, mostly for the sake of convenience. Any program run by the said user, intentionally or not, has completely unrestricted access to the entire system.

Spyware, along with other threats, has led some former Windows users to move to other platforms such as Linux or Apple Macintosh.

Advertisements

Many spyware programs reveal themselves visibly by displaying advertisements. Some programs simply display pop-up ads on a regular basis -- for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior.

Pop-up advertisements lead to some of users' most common complaints about spyware. The first is simply that the computer can become overwhelmed downloading or displaying ads. An infected computer rarely has only one spyware component installed -- they more often number in the dozens ^[8] -- and so while a single program might display ads only infrequently, the cumulative effect is overwhelming.

Many users complain about irritating or offensive advertisements as well. As with many banner ads, many spyware advertisements are animated, flickering banners designed to catch the eye -- that is, they are highly visually distracting. Pop-up ads for pornography are often displayed indiscriminately, including when children are using the computer -- possibly in violation of laws on the subject.

A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware which acts as a web proxy or a Browser Helper Object can replace references to a site's own advertisements (which fund the site) with advertisements which instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites.

"Stealware" and affiliate fraud

A few spyware vendors, notably WhenU and 180 Solutions, have written what the New York Times has dubbed "stealware", and what spyware-researcher Ben Edelman terms affiliate fraud, also known as click fraud. These redirect the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.

Affiliate marketing networks work by tracking users who follow an advertisement from an "affiliate" and subsequently purchase something from the advertised Web site. Online merchants such as eBay and Dell are among the larger companies which use affiliate marketing. In order for affiliate marketing to work, the affiliate places a tag such as a cookie or a session variable on the user's request, which the merchant associates with any purchases made. The affiliate then receives a small commission.

Spyware which attacks affiliate networks does so by placing the spyware operator's affiliate tag on the user's activity -- replacing any other tag, if there is one. This harms just about everyone involved in the transaction other than the spyware operator. The user is harmed by having their choices thwarted. A legitimate affiliate is harmed by having their earned income redirected to the spyware operator. Affiliate marketing networks are harmed by the degradation of their reputation. Vendors are harmed by having to pay out affiliate revenues to an "affiliate" who did not earn them according to contract. [9]

Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as WhenU and 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.

Identity theft and fraud

In one case, spyware has been closely associated with identity theft. ^[10] In August 2005, researchers from security software firm Sunbelt Software believed that the makers of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc." [11], but it turned out that "it actually is its own sophisticated criminal little trojan that’s independent of CWS." [12] This case is currently under investigation by the FBI.

Spyware-makers may perpetrate another sort of fraud with dialer program spyware: wire fraud. Dialers cause a computer with a modem to dial up a long-distance telephone number instead of the usual ISP. Connecting to the number in question involves long-distance or overseas charges, this can result in massive telephone bills, which the user must either pay or contest with the telephone company. Dialers are somewhat less effective today, now that fewer Internet users use modems.

Digital rights management

Most copy-protection schemes, while they do serve a legitimate purpose of attempting to prevent piracy, also behave similarly to spyware programs. Some digital rights management technologies (such as Sony's XCP) actually use trojan-horse tactics to verify a user as the rightful owner of the media in question.

Spyware and cookies

Anti-spyware programs often report Web advertisers' HTTP cookies as spyware. Cookies are not software of any sort—they are variables set by Web sites (including advertisers) which can be used to track Web-browsing activity, for instance to maintain a "shopping cart" for an online store or to maintain consistent user settings on a search engine.

Cookies can only be accessed by the Web site that sets them. In the case of cookies associated with advertisements, this is generally not the Web site that the user intended to visit, but a third-party site referenced by a banner ad image. Some Web browsers and privacy tools offer to reject cookies from sites other than the one that the user requested.

Advertisers use cookies to track people's browsing among various sites carrying ads from the same firm and thus to build up a marketing profile of the person or family using the computer. It is for this reason that many users object to such cookies, and that anti-spyware programs offer to remove them.

Typical examples of spyware

A few examples of common spyware programs may serve to illustrate the diversity of behaviors found in these attacks.

Caveat: As with computer viruses, researchers give names to spyware programs which frequently do not relate to any names that the spyware-writers use. Researchers may group programs into "families" based not on shared program code, but on common behaviors, or by "following the money" or apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.

CoolWebSearch, a group of programs, installs through the exploitation of Internet Explorer vulnerabilities. The programs direct traffic to advertisements on Web sites including coolwebsearch.com. To this end, they display pop-up ads, rewrite search engine results, and alter the infected computer's hosts file to direct DNS lookups to these sites. ^[13]

Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites. ^[14]

180 Solutions transmits extensive information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies. [15]

HuntBar, aka WinTools or Adware.Websearch, is a small family of spyware programs distributed by Traffic Syndicate. ^[16] It is installed by ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs -- an example of how spyware can install more spyware. These programs add toolbars to Internet Explorer, track Web browsing behavior, redirect affiliate references, and display advertisements.

User consent and legality

Gaining unauthorized access to a computer is illegal, under computer crime laws such as the United States Computer Fraud and Abuse Act. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware programs, such as viruses. Nonetheless, few prosecutions of writers of spyware have occurred, and many such producers operate openly as aboveboard businesses. Some have, however, faced lawsuits.

Spyware producers primarily argue in defense of the legality of their acts that, contrary to the users' claims, users do in fact give consent to the installation of their spyware. Spyware that comes bundled with shareware applications may appear, for instance, described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim that these demonstrate that users have consented to the installation of their software.

Despite the ubiquity of EULAs and of clickwrap agreements, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreements can be a binding contract in certain circumstances. This does not however mean that every clickwrap agreement is a contract or that every term in a clickwrap contract is enforceable. It seems highly likely that many of the purported contract terms presented in clickwrap agreements would be dismissed in most jurisdictions as being contrary to public policy. Many spyware clickwrap agreements appear intentionally ambiguous and excessive in length, with key contract terms made inconspicuous. These are all grounds on which similar agreements have been rejected as contracts of adhesion.

Nor can a contract possibly exist in the case of spyware installed by surreptitious means, such as in a drive-by download where the user receives no opportunity to either agree to or refuse the contract terms.

Some spyware EULAs characterize the removal of spyware once installed as "illegal". Such claims mislead, since by definition breach of contract involves civil, not criminal law; and breach of contract, by definition, does not involve illegality. Such notices may themselves class as criminal, however, if found to make a deliberately false statement for the purpose of material gain - a common-law definition of fraud.

Some jurisdictions, such as the U.S. state of Washington, have passed laws criminalizing some forms of spyware. [17] The Washington law makes it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software.

New York Attorney General Eliot Spitzer has pursued spyware companies for fraudulent installation of software.^[18] In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to pay $7.5 million and to stop distributing spyware. Intermix's spyware spread via drive-by download, and deliberately installed itself in ways that made it difficult to remove.^[19]

Another spyware behavior has attracted lawsuits: the replacement of Web advertisements. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court. Other spyware apart from Claria's also replaces advertisements, thus diverting revenue from the ad-bearing Web site to the spyware author.

One legal issue not yet pursued involves whether courts can hold advertisers responsible for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, the advertised company contracts with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have "fired" advertising agencies which have run their ads in spyware.^[20]

In a sort of turnabout, a few spyware companies have threatened websites which have posted descriptions of their products. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing the Gator program as "spyware".^[21] PC Pitstop settled, agreeing not to use the word "spyware", but continues to publish descriptions of the harmful behavior of the Gator/Claria software. [22]

Remedies and prevention

As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system.

Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data, and fully reinstalling the operating system.

Lavasoft's Ad-Aware, one of a few reliable commercial anti-spyware programs, scans the hard drive of a clean Windows XP system.

Anti-spyware programs

Many programmers and commercial firms have released products designed to remove or block spyware. Steve Gibson's OptOut, mentioned above, pioneered a growing category. Programs such as Lavasoft's Ad-Aware SE and Patrick Kolla's Spybot - Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the GIANT Anti-Spyware software, rebadging it as Windows AntiSpyware beta and releasing it as a free download for Windows XP, Windows 2000, and Windows 2003 users. The Windows AntiSpyware Beta, a time-limited beta test product, will expire at the end of July 2006. Microsoft has also announced that the product will ship (for free) under the name of "Windows Defender", but has not provided a target release date for the final version. Other well-known anti-spyware products include Webroot Spy Sweeper, PC Tools' Spyware Doctor, and Sunbelt's CounterSpy (which uses the same scanning engine as Windows AntiSpyware beta).

Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and does not offer real-time protection from them as it does for viruses.

Real-time protection blocks spyware in the process of installing itself. Here, Windows AntiSpyware blocks an instance of the AlwaysUpdateNews spyware.

Anti-spyware programs can combat spyware in two ways: real-time protection, which prevents spyware from being installed, and scanning and removal of spyware. Scanning and removal is usually simpler, and so many more programs have become available which do so. The program inspects the contents of the Windows registry, the operating system files, and installed programs, and removes files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings.

Earlier versions of anti-spyware programs focused chiefly on scanning and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs. To date, other programs such as Ad-Aware and Windows AntiSpyware now combine the two approaches, while SpywareBlaster remains focused on real-time protection.

Like most anti-virus software, anti-spyware software requires a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making "signatures" or "definitions" which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates gratis. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually.

If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware.

Malicious programmers have released a large number of fake anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware—or worse, may add more spyware of their own.^{[23] [24]}

Security practices

To deter spyware, computer users have found a number of techniques useful in addition to installing anti-spyware software.

Many systems install a web browser other than Microsoft's Internet Explorer (IE), such as Opera or Mozilla Firefox. While other web browsers have also had security vulnerabilities, Internet Explorer has contributed to the spyware problem in two ways:

1. many spyware programs hook themselves into IE's functionality (as a Browser Helper Object or a toolbar);
2. malicious Web advertisers have frequently used security holes in Internet Explorer to force the browser to download spyware.

Many users of non-IE browsers on Windows report that they have switched from IE because of security concerns, including concerns about spyware. [25]

Internet Explorer users can improve security by keeping up-to-date on security patches, and by altering settings in the browser — particularly those disabling scripting technologies such as ActiveX. (However, Web sites that make use of ActiveX will not work in this scenario.) The version of IE which comes with Windows XP Service Pack 2 also has substantially-improved security defaults, although spyware infections can still occur.

Some Internet sites — particularly colleges and universities — have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University's Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it.^[26] Many other educational institutions have taken similar steps against Marketscore and other spyware. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users' behavior, and so may attract institutional attention more readily.

Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. One site, CleanSoftware.org, founded as an alternative to other popular Windows software sites, offers only software verified not to contain "nasties" such as spyware. Recently, C|Net revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.

Notable programs distributed with spyware

• Bearshare ^[27]
• Bonzi Buddy ^[28]
• DivX (except for the paid version, and the 'standard' version without the encoder. DivX announced removal of GAIN software from version 5.2) ^[29]
• Dope Wars ^[30]
• Download Accelerator Pro ^[31]
• ErrorGuard ^[32]
• FlashGet (free version) ^[33]
• Grokster ^[34]
• Kazaa ^[35]
• RadLight ^[36]
• WeatherBug ^[37]
• WildTangent ^[38]

In a small number of cases, firms have distributed audio compact discs with spyware that activates when the disc finds itself in a computer with autorun enabled. Sony's Extended Copy Protection, uncovered in October 2005, has provided the most widespread and infamous example to date.

Notable programs formerly distributed with spyware

• AOL Instant Messenger ^[39]
• EDonkey2000 ^[40]
• LimeWire (all versions other than the non-Windows versions, the paid versions, and the free versions after 3.9.3) ^[41]

See also

• Adware
• Computer security audit
• Exploit
• Keystroke logging
• Malware
• Stopping e-mail abuse
• Category:Spyware removal -- Programs that find and remove spyware

Malware (a portmanteau of "malicious software") is a type of software designed to take over and/ or damage a computer user's operating system, without his or her knowledge or approval. Once installed, it is often very difficult to remove, and depending on the severity of the program installed, its handiwork can range in degree from the slightly annoying (such as unwanted pop up ads while a user is performing regular computing tasks on or offline), to irreparable damage requiring the reformatting of one's hard drive, since much of malware is poorly written. Examples of malware include viruses and trojan horses.

Malware should not be confused with defective software, that is, software which is intended for a legitimate purpose but has errors or bugs.

Goals

Over the years, people have written malicious software for a number of different purposes.

Many early infectious programs, including the Internet Worm and a number of MS-DOS viruses, were written as experiments or pranks -- generally intended to be harmless or merely annoying, rather than to cause serious damage. Young programmers, learning about the possibility of viruses and the techniques used to write them, might write one just to prove that they can do it, or to see how far it could spread.

A slightly more hostile intent can be found in programs designed to vandalize or cause data loss. Many DOS viruses were designed to destroy files on a hard disk, or to corrupt the filesystem by writing junk data. Network-borne worms such as the Code Red worm or Ramen worm fall into the same category. Designed to vandalize Web pages, these worms may seem like an online equivalent of graffiti tagging, with the author's name or affinity group appearing everywhere the worm goes.

Revenge is sometimes a motive to write malicious software. A programmer or system administrator about to be fired from a job may leave behind backdoors or software "time bombs" that will allow them to damage the former employer's systems or destroy their own earlier work.

However, since the rise of widespread broadband Internet access, a greater portion of malicious software has been focused strictly on a profit motive. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation. Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service attacks as a form of extortion.

Another strictly for-profit category of malware has emerged in spyware -- programs designed to monitor users' Web browsing, display unsolicited advertisements, and redirect affiliate marketing revenues to the spyware creator.

Types of malicious software

Two common types of malware are viruses and worms. These types of programs have in common that they are both able to self-replicate; they can spread (possibly modified) copies of themselves. Not every program that copies itself is a virus or worm; for instance, backup software may copy itself to other media as part of a system backup. To be classified as a virus or worm, at least some of these copies have to be able to replicate themselves too, such that the virus or worm can propagate itself. The difference between a virus and a worm is that a worm operates more or less independently of other files, whereas a virus depends on hosts to spread itself.

Virus

Viruses have used many sorts of hosts. When computer viruses first originated, common targets were executable files that are part of application programs and the boot sectors of floppy disks. Recently, viruses have embedded themselves in e-mail as Email attachments, depending on a curious user opening the viral attachment, and even more recently files transmitted through peer to peer (P2P) softwares have been a major culprit in the propagation of viruses. In the case of executable files, the infection routine of the virus arranges that when the host code is executed, the viral code gets executed as well. Normally, the host program keeps functioning after it is infected by the virus. Some viruses overwrite other programs with copies of themselves which destroys them altogether. Viruses can spread across computers when the software or document they've attached themselves to is transferred from one computer to the other.

Because viruses were historically the first to appear, the term "virus" is often applied, especially in the popular media, to all sorts of malware. Modern anti-viral software strengthen this broader sense of the term as their operation is never limited to viruses.

Worms

Computer worms are similar to viruses but are stand-alone software and thus do not require host files (or other types of host code) to spread themselves. They do modify their host operating system, however, at least to the extent that they are started as part of the boot process. To spread, worms either exploit some vulnerability of the target system or use some kind of social engineering to trick users into executing them.

Wabbit

A third, uncommon, type of self-replicating malware is the wabbit. Unlike viruses, wabbits do not infect host programs or documents. Unlike worms, wabbits do not use network functionality in order to spread to other computers. Instead, a wabbit repeatedly replicates itself on a local computer. Wabbits can be programmed to have (malicious) side-effects, in addition to the direct consequences of their quick self-replication. An example of a simple wabbit is a fork bomb.

Trojan

A trojan horse program is a harmful piece of software that is disguised as legitimate software. Trojan horses cannot replicate themselves, in contrast to viruses or worms. A trojan horse can be deliberately attached to otherwise useful software by a programmer, or it can be spread by tricking users into believing that it is useful. To complicate matters, some trojan horses can spread or activate other malware, such as viruses. These programs are called 'droppers'. A common aftermath is the Trojan attracting a large amount of adware/spyware, causing lots of popups and web browser instability.

Backdoor

A backdoor is a piece of software that allows access to the computer system bypassing the normal authentication procedures. Based on how they work and spread, there are two groups of backdoors. The first group works much like a Trojan, i.e., they are manually inserted into another piece of software, executed via their host software and spread by their host software being installed. The second group works more like a worm in that they get executed as part of the boot process and are usually spread by worms carrying them as their payload. The term Ratware has arisen to describe backdoor malware that turns computers into zombies for sending spam. The installed software can also be used for anonymizing traffic, brute force cracking of passwords and encryptions, and distributed denial of service attacks (DDoS).

Spyware

Spyware is a piece of software that collects and sends information (such as browsing patterns in the more benign cases or credit card numbers in more malicious cases) about users or, more precisely, the results of their computer activity, typically without explicit notification. They usually work and spread like Trojan horses. The category of spyware is sometimes taken to include adware of the less-forthcoming sort.

Key Logger

A keylogger is software that copies a computer user's keystrokes to a file, which it may send to a security cracker (called a hacker by most people) at a later time. Often the keylogger will only "awaken" when a computer user connects to a secure website, such as a bank. It then logs the keystrokes, which may include account numbers, PINs and passwords, before they are encrypted by the secure website.

Dialers

A dialer is a program that either replaces the phone number in a modem's dial-up connection with a long-distance number, often out of the country, in order to run up phone charges on pay-per-dial numbers, or dials out at night to send keylogger or other information to a security cracker.

Browser Hijacker

A browser hijacker is any program designed to alter a computer user's browser settings. These changes can sometimes come in the form of new web sites added to the user's bookmarks; the replacement of his or her home page to one set by the author; or, in the worst case scenario, the browser actually being redirected to various URLs of the author's choosing when certain addresses are typed or found in a search engine results page.

Malware Tools and Aids

Exploit

An exploit is a piece of software that attacks a particular security vulnerability. Exploits are not necessarily malicious in intent — they are often devised by security researchers as a way of demonstrating that a vulnerability exists. However, they are a common component of malicious programs such as network worms.

Rootkit

A rootkit is software inserted onto a computer system after an attacker has gained control of the system. Rootkits often include functions to hide the traces of the attack, as by deleting log entries or cloaking the attacker's processes. Rootkits may also include backdoors, allowing the attacker to easily regain access later; or exploit software to attack other systems. Because they often hook into the operating system at the kernel level to hide their presence rootkits can be very hard to detect.

Aims of Malware

Malware typically contains a payload with one or more undesirable functions.

Ideological payloads

Some viruses, particularly early ones, display political or ideological messages when activated. In some cases, they are programmed to activate on a date selected by the author. They may also delete files or take other action.

Destructive or damaging payloads

Some malware deletes files or formats disks. Occasionally, particular types of files, such as MP3 have been targeted. Some defendants in trials involving pornography have claimed that material found on their computers was placed there by malware.

Malware Transmission and Bad Computing/ Surfing Habits

It is the conventional wisdom of many computer users that malware works by invasively sneaking onto their systems. However, in reality, nothing could be further from the truth. In fact, more often than not, victims of an infestation will have unwittingly brought the infection on themselves, as malware is designed to take advantage of the carelessness or laxness of those who don't take enough steps to secure their computers against attacks.

Examples

• Downloading files from P2P programs
• Visiting certain web sites of an illicit nature (such as warez and pornography)
• Opening emails from unknown sources, particularly those that contain attachments
• Not installing security programs, such as spyware and adware detection; a firewall; or an anti-virus program
• Not updating security software on a continuous basis
• Installing software without properly checking whether it contains adware or spyware
• Clicking on dialog boxes on various web sites requesting that you download certain programs
• Not properly setting one's browser security settings high enough
• Playing music CDs on a computer when they are equipped with intrusive copy protection schemes which install things on your system

Curing an infection

Unfortunately, cleaning an operating system that has been infected by malware is no longer as simple as it used to be. Malware has become increasingly more difficult to clean, as no one anti-virus or spyware can successfully catch everything that has been installed on a computer. In fact, it is not unusual to resort to an arsenal of security products, online scanners, and anti-spyware/ virus software to make sure everything has been properly removed.

External links

• Malware: what it is and how to prevent it
• Magoo's Guide to Eliminating Spyware -- Information on how to get rid of spyware and keep it from coming back
• Antisource.com - Malware Analysis
• CastleCops Free support in computer malware removal.
• Spyware Warrior -- Free resources and help for removing all types of Malware
• "Ten steps to Malware prevention" -- Systematic tutorials on Spyware removal and prevention.
• Computer Tech Support -- Free online knowledge base for everything from hardware problems to virus fixes.