1) Generically, adware (spelled all lower case) is any software application in which advertising banners are displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen. The justification for adware is that it helps recover programming development cost and helps to hold down the cost for the user.
Adware has been criticized because it usually includes code that tracks a user's personal information and passes it on to third parties, without the user's authorization or knowledge. This practice has been dubbed spyware and has prompted an outcry from computer security and privacy advocates, including the Electronic Privacy Information Center.
Noted privacy software expert Steve Gibson of Gibson Research explains: "Spyware is any software (that) employs a user's Internet connection in the background (the so-called 'backchannel') without their knowledge or explicit permission. Silent background use of an Internet 'backchannel' connection must be preceded by a complete and truthful disclosure of proposed backchannel usage, followed by the receipt of explicit, informed consent for such use. Any software communicating across the Internet absent of these elements is guilty of information theft and is properly and rightfully termed: Spyware."
A number of software applications, including Ad-Aware and OptOut (by Gibson's company), are available as freeware to help computer users search for and remove suspected spyware programs.
2) AdWare is also a registered trademark that belongs to AdWare Systems, Inc. AdWare Systems builds accounting and media buying systems for the advertising industry and has no connection to pop-up advertising, spyware, or other invasive forms of online advertising.
Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used.
Adware helps some developers recover programming development costs, and it may allow the software to be provided to the user of the application free of charge or at a reduced price: due to the advertising, the programmer may still profit from the wide use of their work, motivating them to write, maintain, and upgrade the software product.
Some adware is also shareware, and so the term may be used to distinguish between types of shareware. What differentiates adware from other shareware is that it is primarily advertising-supported. Users may also be given the option to pay for a "registered" or "licensed" copy, which typically does away with the advertisements. Other types of shareware include demoware, nagware, crippleware, freeware, loyaltyware, and even spyware.
Adware is pretty easy to remove; all you need to do is get a free adware remover, for example Adware SE personal edition.
There are concerns about adware because it often takes the form of spyware, in which information about the user's activity is tracked, reported, and often re-sold, often without the knowledge or consent of the user. Of even greater concern is malware, which may interfere with the function of other software applications, in order to force users to visit a particular web site.
It is not uncommon for people to confuse "adware" with "spyware" and "malware", especially since these concepts overlap. For example, if one user installs "adware" on a computer and consents to a tracking feature, the "adware" becomes "spyware" when another user visits that computer, interacts with the "adware", and is tracked by it without their consent.
Spyware has prompted an outcry from computer security and privacy advocates, including the Electronic Privacy Information Center [1]. Often, spyware applications send the user's browsing habits to an adserving company, which then targets adverts at the user based on their interests. Kazaa and eXeem are popular programs which incorporate software of this type.
Adware programs other than spyware do not invisibly collect and upload this activity record or personal information when the user of the computer has not expected or approved of the transfer. Some adware vendors, however, maintain that an application which does this is still not spyware because its activities are disclosed: for example, a vendor may argue that a clause somewhere in the product's Terms of Use, stating that third-party software will be included that may collect and may report on computer use, means the product is just adware.
A number of software applications are available to help computer users search for and modify adware programs to block the presentation of advertisements and to remove spyware modules. To avoid a backlash, as with the advertising industry in general, creators of adware must balance their attempts to generate revenue with users' desire to be left alone.
Particular adware programs
Adware or advertising-supported software is any software application in which advertisements are displayed while the program is running. These applications include additional code that displays the ads in pop-up windows or through a bar that appears on a computer screen. Adware helps recover programming development costs, and helps to hold down the price of the application for the user (even making it free of charge), and, of course, it can give programmers a profit, which helps to motivate them to write, maintain, and upgrade valuable software.
Some adware is also shareware, in that users are given the option to pay for a "registered" or "licensed" copy, which typically does away with the advertisements.
Some adware programs have been criticized for occasionally including code that tracks a user's personal information and passes it on to third parties, without the user's authorization or knowledge. This practice has been dubbed spyware and has prompted an outcry from computer security and privacy advocates, including the Electronic Privacy Information Center [1] (http://www.epic.org). Other adware programs do not track a user's personal information.
Eudora - Email client
Opera - Web browser
DivX - Video codec
Kazaa - Filesharing program, also contains spyware
iMesh - Filesharing program, also contains spyware
The most common adware currently found on the net as of August 2004 are:
1. Gain
2. Claria
3. Game Spy Arcade
4. Hotbar
5. Ezula
6. BonziBuddy
7. WeatherCast
8. LinkGrabber 99
9. TopPicks
10. Cydoor
The easiest and most reliable method for blocking unwanted ads is to install a worthy adware removal tool. Adware Report tests and reviews popular tools every month.
Next, if you're already using an adware removal tool, you should ensure that you have the latest update. Adware companies are very active right now and are releasing new versions constantly. If your product is more than a week or two out of date, you likely have new adware installed on your computer.
The next method is a bit more advanced. It involves editing an important system file and also requires some technical know-how. If that's you, read on.
Adware companies make their money by distributing thousands upon thousands of ads on the internet. It's a fair amount of work to put advertising on the net, so to do it with any kind of volume whatsoever, most companies rely on "Ad Servers". The adware on your computer usually pulls ads from these ad servers. If it doesn't find any, it won't work. So one technique for blocking adware is to block your computer from accessing the ad server. By doing so, you block adware companies from transferring their ads to your computer.
Unfortunately, this is not a perfect solution. The adware still exists on your computer, and so it will continue to consume memory, disk storage, and time. However, you won't be seeing those ads anymore, so if other methods don't work, this is a good failsafe.
Here's how it works. The hosts file on your computer contains a list of domain names (for example, www.doubleclick.com) and IP addresses. Normally, your browser will first check the hosts file to resolve a domain name. If it doesn't find it on the local list (99.9% of the time), it will then resolve it using something called DNS lookup. The trick here is to first figure out the domain name of the ad server you want to block, and then map it to your local computer. Because your computer doesn't have an ad server, the adware installed won't work!
How to block over 1,100 internet advertisers, step-by-step
Step 1: find your hosts file:
Windows 3.x, 95, 98, Me: windows\hosts
Windows NT, 2000, XP: WINNT\system32\drivers\etc\hosts
Macintosh: Mac System Folder or Preferences folder (e.g., Macintosh HD:System Folder:Preferences:Hosts)
Linux, Unix: /etc/hosts
Step 2: Back up your hosts file, just in case you make a mistake. If you can't access the internet after making changes to the hosts file, just restore the old version.
Step 3: Update your hosts file by pointing unwanted ad servers to your local machine. This is done by adding lines to your hosts file in the following format:
127.0.0.1 www.EvilAdwareCompany.com
Here is a ready-made hosts list with over 1,100 advertisers. You can copy its contents into your hosts file and immediately start blocking advertisers!
Step 4: Try visiting the site of one of the entries in your hosts file. You should get a "page not found" error. If not, try rebooting your PC and then try again.
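Steps 2 and 3 can be scripted. The following is an added example, not part of the original article: it treats a downloaded blocklist as untrusted input, accepts only bare hostnames, always writes the 127.0.0.1 address itself, and never overrides a mapping already present. The function names and the one-hostname-per-line blocklist format are assumptions made for this example.

```python
import re
import shutil
from pathlib import Path

BLOCK_IP = "127.0.0.1"  # same format as the article: 127.0.0.1 www.EvilAdwareCompany.com
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_hostname(name):
    """True for a plain DNS hostname (no spaces, wildcards or other junk)."""
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def parse_hosts(text):
    """Return {hostname: ip}; the first mapping seen for a name is kept."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping


def block_ad_servers(hosts_path, domains):
    """Append BLOCK_IP entries for new, valid hostnames. Returns (added, skipped)."""
    path = Path(hosts_path)
    original = path.read_text()
    known = parse_hosts(original)
    added, skipped = [], []
    for raw in domains:
        name = raw.strip().lower().rstrip(".")
        # Only hostnames are taken from the list; an IP address in the list is
        # never trusted, and existing mappings (including localhost) are kept.
        if not is_hostname(name) or name == "localhost" or name in known:
            skipped.append(name)
            continue
        known[name] = BLOCK_IP
        added.append(name)
    if added:
        # Step 2: keep a restorable copy of the untouched file before editing.
        backup = path.with_name(path.name + ".bak")
        if not backup.exists():
            shutil.copy2(path, backup)
        separator = "" if not original or original.endswith("\n") else "\n"
        new_lines = "".join(f"{BLOCK_IP} {name}\n" for name in added)
        path.write_text(original + separator + new_lines)
    return added, skipped


if __name__ == "__main__":
    import sys

    # Usage: python block_ads.py <hosts file> <blocklist, one hostname per line>
    hosts_file, blocklist_file = sys.argv[1], sys.argv[2]
    names = Path(blocklist_file).read_text().split()
    added, skipped = block_ad_servers(hosts_file, names)
    print(f"added {len(added)} entries, skipped {len(skipped)}")
```

Running it a second time with the same list adds nothing, and restoring the `.bak` copy undoes the change.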
The following links are valuable and provide further information about Adware:
Andrew Raff's introductory article about Adware.
Cexx.org - large list of Adware, spyware, and other parasites. Includes removal instructions for many of them. Large list, but doesn't appear to have been updated in a while.
Introduction to Homepage hijacking programs, one of the leading sources of computer frustrations.
DoxDesk - another nice source of adware and spyware descriptions, along with common adware blocking instructions.
ScumWare.com - this site tracks "scumware" applications.
OmniKnow encyclopedia entry on Adware
Spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet (where it is sometimes called a spybot or tracking software), spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a software virus or as the result of installing a new program.
Data collecting programs that are installed with the user's knowledge are not, properly speaking, spyware, if the user fully understands what data is being collected and with whom it is being shared. However, spyware is often installed without the user's consent, as a drive-by download, or as the result of clicking some option in a deceptive pop-up window. Software designed to serve advertising, known as adware, can usually be thought of as spyware as well because it almost invariably includes components for tracking and reporting user information. However, marketing firms object to having their products called "spyware." As a result, McAfee (the Internet security company) and others now refer to such applications as "potentially unwanted programs" (PUP).
The cookie is a well-known mechanism for storing information about an Internet user on their own computer. If a Web site stores information about you in a cookie that you don't know about, the cookie can be considered a form of spyware. Spyware is part of an overall public concern about privacy on the Internet.
Many Internet users were introduced to spyware in 1999, when a popular freeware game called "Elf Bowling" came bundled with tracking software.
If you have unwanted programs loading and bugging you at startup, here's how to get rid of them.
Trash App Exorcism Tutorial for Windows
Trash Apps infesting your StartUp folder
When "trash" programs run themselves at start-up, they typically do it by placing a shortcut to themselves into your Windows StartUp folder, usually located at c:\Windows\Start Menu\Programs\StartUp\. (If you can't find its entry there, skip down to the next paragraph.) Usually deleting the StartUp shortcut and the program it points to is enough to make it stop bothering you.
EVIL APPS: Particularly nettlesome programs will keep re-installing themselves into your StartUp folder no matter how many times you delete them! This is where a dummy executable comes in handy. Replace the trash app with the dummy executable (copy over the unwanted app), leaving the StartUp entry intact. This will usually trick the installer into thinking it's installed! As an added measure, make the dummy executable read-only. Voilà, the trash app is history!
Trash Apps infesting your win.ini file
Some trash apps, particularly those that fancy themselves device drivers (censorware apps like to do this) will put references to themselves in your system's win.ini file. They are loaded by a line in this file starting with either "load=" or "run=", similar to the following:
load="C:\Trash\App\junkprogram.exe"
To take care of this, open your win.ini file (normally located at C:\Windows\win.ini) in Notepad or another text editor, and delete the line starting with load= or run= that loads your trash app. They are usually near the beginning of the file. Restart the computer, and the app will not load on startup anymore.
If you don't want to actually delete the entry (e.g. if you are trying to determine which of several entries is the trash app), you can instead place a semicolon (;) at the beginning of the offending line. This will make Windows ignore it while giving you the ability to restore it later.
Note: Don't delete anything if you don't know what it is. It may sometimes be a legitimate program, or a device driver used by your system.
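The semicolon technique can be applied to a copy of win.ini with a short script. This is an added example, not part of the original tutorial: it lists the active load=/run= lines in the [windows] section and disables or restores one reversibly. The function names and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample; the load= line is the one shown in the text above.
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    'load="C:\\Trash\\App\\junkprogram.exe"\r\n'
    "run=\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "Wallpaper=(None)\r\n"
)

# load= or run= followed by a non-empty value (an empty "run=" starts nothing).
_ENTRY = re.compile(r"^(load|run)\s*=\s*(.*\S)$", re.IGNORECASE)


def _autostart_lines(lines):
    """Yield (index, key, value, disabled) for load=/run= lines inside [windows]."""
    section = ""
    for index, raw in enumerate(lines):
        body = raw.strip()
        if body.startswith("[") and body.endswith("]"):
            section = body[1:-1].strip().lower()
            continue
        if section != "windows":
            continue
        disabled = body.startswith(";")  # a leading semicolon makes Windows ignore the line
        match = _ENTRY.match(body.lstrip(";").strip())
        if match:
            yield index, match.group(1).lower(), match.group(2), disabled


def list_autostart(ini_text):
    """Return (line_number, key, value) for every active autostart line."""
    lines = ini_text.splitlines(keepends=True)
    return [(i + 1, key, value)
            for i, key, value, disabled in _autostart_lines(lines) if not disabled]


def _toggle(ini_text, needle, disable):
    lines = ini_text.splitlines(keepends=True)  # keep CRLF line endings intact
    changed = 0
    for index, _key, value, disabled in list(_autostart_lines(lines)):
        if needle.lower() not in value.lower():
            continue
        if disable and not disabled:
            lines[index] = ";" + lines[index]
            changed += 1
        elif not disable and disabled:
            lines[index] = lines[index].replace(";", "", 1)
            changed += 1
    return "".join(lines), changed


def disable_entry(ini_text, needle):
    """Comment out active load=/run= lines whose value contains needle."""
    return _toggle(ini_text, needle, disable=True)


def enable_entry(ini_text, needle):
    """Undo disable_entry for lines whose value contains needle."""
    return _toggle(ini_text, needle, disable=False)


if __name__ == "__main__":
    for number, key, value in list_autostart(SAMPLE_WIN_INI):
        print(f"line {number}: {key}={value}")
    patched, count = disable_entry(SAMPLE_WIN_INI, "junkprogram.exe")
    print(f"disabled {count} line(s)")
    print(patched)
```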
Trash Apps infesting your Registry
Been all through your StartUp folder and win.ini and couldn't find it? Sometimes a particularly nasty trash app will install a reference to itself, not in your StartUp folder (where you'd expect to find it), but in your system Registry, where even brave men fear to tread. So, if a trash app is running at start-up, and it's not in your StartUp folder or win.ini, it's in your Registry. Here's how to get rid of it:
1) Open REGEDIT. It should have been installed when you installed Windows. You can most easily do this by clicking Start > Run, and entering REGEDIT in the box. (Click OK). The Registry Editor window will appear.
If you have used Registry Editor before and are comfortable with it, skip the following paragraph. If you are a newbie or you've never used REGEDIT before, read on--standard warnings and stuff.
You may have heard somewhere that editing the Registry is dangerous. Incidentally, this is why so many makers of trash apps place the start-up information here-- many users have never heard of the Registry, let alone edited it. The Registry is an important part of your system, so don't go randomly changing stuff in there if you don't know what you are doing--this is how problems happen, and this is why people tell you that you shouldn't go messing with your Registry. Carefully follow the instructions below and it will be a very safe process. Randomly mess around and change/delete stuff, and you may end up reinstalling Windows--which isn't much fun.
2) Once in Registry Editor, press the F3 key to bring up the Find dialogue. Type "RunServices" in the box. This probably won't find your trash app, but it will bring us to about the right location in the Registry. When the Find completes, you should have a folder named RunServices highlighted in the left pane, with several similar-sounding folders (Run, RunOnce, etc.) listed nearby. Click on the first one, "Run". The righthand pane will list the applications that run at start-up. Under "Name" will be the program names, and under "Data" will be the path and filename of the program.
Look carefully at the list and see if you find the program that is annoying you. If you find it, highlight it and use Edit > Delete to remove it. If you don't see it, cycle through the other nearby Run-like folders (there may be several) and look for them there. Be careful not to delete anything unless you are sure it is your trash app.
If you have looked through all the visible "Run"-like folders and *still* haven't found the trash app, press F3 again to find the next RunServices folder, and repeat the steps above. On some Windows setups, particularly where several people share the same machine, there will be several of each Run folder. Continue in this manner until you receive a message such as "Finished searching through the registry." You should have found it by now!
3) Close Registry Editor. The next time you restart your computer, the trash app will not bother you!
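Reviewing every Run-like folder by hand is easier from a text export. The following added example, not part of the original tutorial, assumes the registry (or the CurrentVersion branch) has been exported from Registry Editor to a .reg text file, and lists every named string value under keys called Run, RunOnce, RunServices and similar, across all hives in the export. The sample export and function names are constructed for illustration.

```python
import re

# Constructed sample in the text format Registry Editor exports.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"JunkProgram"="\"C:\\Trash\\App\\junkprogram.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"JunkHelper"="C:\\Trash\\App\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Junk]
"DisplayName"="Junk Program"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"JunkProgram"="C:\\Trash\\App\\junkprogram.exe"
"""

# Keys whose last component starts with "Run": Run, RunOnce, RunServices, ...
_RUN_KEY = re.compile(r"\\CurrentVersion\\Run[A-Za-z]*$", re.IGNORECASE)
# "Name"="Data" with backslash escapes inside either quoted part.
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Turn \\\\ into \\ and \\" into " as the .reg format requires."""
    return re.sub(r"\\(.)", r"\1", text)


def list_run_entries(reg_text):
    """Return (key, name, data) for each named string value under a Run-like key.

    Default (@=) values and dword/hex values are skipped.
    """
    entries = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not _RUN_KEY.search(key):
            continue
        match = _STRING_VALUE.match(line)
        if match:
            entries.append((key, _unescape(match.group(1)), _unescape(match.group(2))))
    return entries


def find_entries(reg_text, needle):
    """Return the Run-like entries whose name or data contains needle."""
    needle = needle.lower()
    return [entry for entry in list_run_entries(reg_text)
            if needle in entry[1].lower() or needle in entry[2].lower()]


if __name__ == "__main__":
    for key, name, data in list_run_entries(SAMPLE_REG):
        print(f"{key}\n    {name} = {data}")
```

The script only reads the export; deleting the entry is still done in Registry Editor as described above, once you are sure which one is the trash app.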
Why Trash Apps?
It's the newest fad. Programs that have one goal and one goal only: To forcibly install themselves on your computer, intentionally making themselves hard to find and harder to eliminate, and annoy you every time you start your computer. Why do these programs subversively install themselves into your computer's Startup files so they continually pester you, over and over, every time you reboot? Usually as some form of promotion or advertising--it will either install a program that somehow makes someone else money when you use it, or install some kind of stub that will beg you and beg you and beg you to install such a program. Some good examples:
Some even worse examples are TSADBOT and similar ad-delivery programs (their sole purpose is to worm their way onto your computer and assault you with paid advertising all day!), and trojan horses such as NetBus and Back Orifice.
Spyware is a generic term typically describing software whose purpose is to collect demographic and usage information from your computer, usually for advertising purposes. The term is also used to describe software that 'sneaks' onto the system or performs other activities hidden to the user. Spyware apps are usually bundled as a hidden component in mis-labeled "freeware" and shareware applications 1 downloaded from the Internet--a spyware module may be active on your computer at this moment without your knowledge. These modules are almost always installed on the system secretively, suggesting that spyware companies know how users feel about such software and figure that the best/only way to ensure its widespread use is to prevent the end-user from discovering it.
Consumer Privacy Implications
Advertising-supported software, if done properly, is a unique and viable business model in which software developers can make money without requiring the end-user to pay for the software. However, the key words are if done properly, which is often not the case. While it may come as no surprise that adware uses your 'Net connection to download ads, you would have good reason to be concerned about the large amounts of data flowing in the other direction. Several adware applications have been known to secretly snoop around areas of your computer they don't belong, including your browser history.
As much as current spyware modules do to steal away users' privacy, they have the potential to do even more. Spyware exists as an independent, executable program on your system, and has the capability to do anything any program can do, including monitor keystrokes, arbitrarily scan files on your hard drive, snoop other applications such as word-processors and chat programs, read your cookies, change your default homepage, interface with your default Web browser to determine what Web sites you are visiting, and monitor various aspects of your behaviour, "phoning home" from time to time to report this information back to the spyware's author. It can even notify the spyware company of any attempts to modify or remove it from the system. All the information obtained by the spyware can be used by the spyware author for marketing purposes, or sold to other companies for a profit.
In short, spyware can spy on any aspect of your computer use, and is not limited in the ways Web sites are when it comes to gathering personal data. While a Web site can gather limited demographic and statistical data automatically provided by the Web browser and Internet protocols, and read cookies set by its own domain, spyware can "see" and disclose any data on, entering or exiting your computer. This information can then be used for just about any purpose, even sold to the highest bidder!
User-Hostile Behaviour
Many adware apps install separate advertising components on your system, that run--downloading ads and wasting system resources--even if you're not using the software that installed them. Often, these components remain installed and continue to perform their unsightly duties even after the associated app has been uninstalled! Some adware companies have even gone so far as to create "Advertising Trojan Horses", virus-like software programs that stealthily install themselves on your computer to perform unwanted advertising functions and violate your privacy whether you've installed the advertising-supported software or not. Advertising trojans make clandestine connections to adservers behind your back, consume precious network bandwidth and may compromise the security of your data. The latest versions of these "ad-viruses" operate in full stealth and are nearly impossible to detect without advanced knowledge of the system environment. These include the TimeSink/Conducent TSADBOT and the Aureate advertising trojans. One spyware module has been known to spoof a Windows system process so that it cannot be terminated and does not appear on Windows' End Task (Ctrl-Alt-Del) dialogue.
Spyware modules have been implicated in computer problems including system slowdown, Illegal Operation errors, browser crashes, and even the "Blue Screen Of Death". While normal system stability has usually returned when the interfering spyware modules were deleted, one spyware product in particular will disable your Internet access if you try to delete it!
Potential Violations of Child Protection Laws
Most spyware-infested software is targeted toward adults. However, the user that sits down at the computer can be of any age, and the spyware modules have no good way of knowing who is at the machine and what legal protections are provided to him or her. In particular, laws in the United States prohibit the collection of personal information from children under 13 without the written permission of a parent or guardian. However, most spyware does not make any provisions for users whom they are not legally permitted to collect data from, a huge potential problem when it comes to laws such as the U.S. Child Online Privacy Protection Act (COPPA).
Security Issues
Again, since a spyware program is an independent executable program residing on your PC, it will have all the privileges of the user that installed it. On the majority of single-user systems, including Windows 95 and 98, these privileges allow software to read, write and delete files, download and install other software, change the default homepage, interrogate other devices attached to the system, or even format the hard drive. While multi-user systems such as Windows NT can limit the spyware's abilities somewhat, it can still do anything the user who installed it can--a scary thought indeed if an application containing spyware was unknowingly installed by someone with Administrator privileges.
Some spyware modules include a number of insecure features, including so-called AutoInstall or AutoUpdate functions that can secretly download and install ANY arbitrary program on the user's system. This opens the door for further abuse of the system by malicious crackers or additional spyware programs! In particular, competent security experts including Gibson Research Corp. have proven how simple it is for a malicious user to hijack this capability to upload and run ANY program on a user's system!
Software License (dis)Agreement
Some aspects of spyware activity are legally questionable. While software installing a spyware module should disclose this fact to the user and offer the option of refusing, any such disclosure is often buried in a long and densely-worded License Agreement, slipped in among page after page of mind-numbing legal jargon on such topics as copyright, distribution, disassembly, reverse-engineering, government and restricted rights, disclaimer of fitness for a particular purpose, and similar topics of little relevance to the average user 2. Additionally, the actual spyware notice is often written in such a roundabout, flowery and disingenuous manner that a reasonable user would have no reason to take special interest in it 3. To most users, a phrase such as "may include software that will occasionally notify you of important news" is NOT equivalent to "will place a stealthy Trojan Horse on your system that you can't get rid of, which will collect information about you and send it to us, and allow us to bother you with targeted advertisements all day". Once the spyware has been "disclosed" and the spyware company can argue that the user has "agreed" with it by continuing beyond the License Agreement, it is much more immune from potential lawsuits from users who accepted the license and installed the software, blissfully unaware of the spy that would now be living on their computers. Some spyware companies do not mention the spyware at all, often pointing the finger at the company whose software utilizes it for not disclosing it. (How convenient!)
1 While the most common culprits are shareware and "freeware" apps, paid-for commercial software has been known to contain spyware as well.
2 The majority of a software License Agreement refers to government users, corporations, distributors and software hackers. It can be safely assumed that a majority of users have no interest in disassembling their software, porting it to other operating systems or hardware architectures, or other such activities extensively droned on about in the License Agreement.
3 See Steve Gibson's explanation and example of "Fine Print Funny Business": http://grc.com/oo/fineprint.htm . (Note that the example Steve gives eventually does, albeit in dense wording, disclose what's going on. Be aware that many spyware agreements are even less forthcoming about the nature of their software!)
"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)
So you've probably heard about spyware and all the problems it can cause with your computer, but did you know that even with an anti-spyware tool installed, your computer is still exposed to hackers, trojans, and viruses that can steal your financial information, hijack your email, or even destroy your hard drive?
Anti-spyware tools protect you against only a few types of malicious software programs and privacy attacks. For complete security, you'll want a complete set of antivirus, firewall, and antispam programs.
Learn more about these different types of internet security programs and how they protect you below.
Antivirus
The most obvious threat to your computer's health is a computer virus. Viruses are usually delivered through email attachments or corrupted downloads, such as are typically found on file sharing networks. Once on your PC, a virus can destroy your operating system, corrupt your hard drive, use your email client to send spam, delete your personal files, or in rare cases, even physically destroy your hard drive. Once a virus runs on your computer, it can quickly spread to infect others.
Antivirus software is designed to protect you against the harmful effects of viruses. This software runs in the background and continually checks for virus activity. It will also scan your hard drive on a regular basis to detect and repair infected files.
Antispam
Anyone with an email address today has probably received spam emails, and lots of them. For the most part, spam emails are annoying and a waste of time, but they can sometimes be a threat to your computer.
If you happen to open an email with an infected attachment, you can inadvertently install a virus on your computer. While a good antivirus program will protect you against this possibility, it won't necessarily protect you against attachments that install trojan horses or activity monitoring software on your computer. These types of invaders allow outsiders to copy data, activate webcams and microphones, capture keystrokes, log IM and browsing sessions, and access personal files. While a random hacker would have little use for much of this data (other than perhaps credit card information), there are commercial programs available that jealous spouses or paranoid employers can use to monitor your activities.
For the most part, antivirus programs do little to protect you against these programs. Anti-spam software can stop an email attack, but unfortunately, these programs can be installed in a variety of other ways. This is where firewall software comes in.
Firewalls
Ultimately, for an invader to gain access to your PC they must be able to communicate with it. Firewall software closes the doors by which outside invaders may enter your PC, keeping you a bit safer.
Of course, not all malicious software is installed anonymously. It can also be installed unknowingly through bundled software or knowingly through activity monitoring software. This is why good firewall software also polices outgoing activity and stops unknown software from communicating with the outside world.
While this will most likely cripple an invading software program, there are no guarantees. Spyware makers are getting smarter all the time, and some spyware programs can contact the outside world by hijacking the communication channels of known programs such as browsers. In any case, a firewall program won't stop a spyware program from running and slowing down your computer. So here's where the final piece of the puzzle comes in: Antispyware.
For more information on firewalls, read our article "Firewalls: What They Are and Why You Need One".
Antispyware
Antispyware products help to secure your computer and make it run faster by finding and disabling malicious spyware programs and trojan horses. Once these programs are removed, they no longer consume system resources. A lighter load on your computer means all your other programs will run faster.
It's important to know that antispyware programs won't protect you against viruses, guard your email, or prevent unauthorized access to your PC. This is why you need all four programs for a complete solution.
We've just uploaded our review of "Spyware Cleaner" by Secure Computer, LLC. This one looks like a scam...
An Entertaining and Insightful Peek Into The Anti-Spyware Industry
So you've found this site (and most likely a few others) and after all the reading, you may still be left wondering what is the "best" anti-spyware program? What exactly should I be running on my computer to get it (and keep it) running like new?
After over 18 months of continuous testing of different anti-spyware programs, I feel compelled to deliver some bad news: There is no such thing as a perfect spyware remover. There is no magic bullet.
With that out of the way, here's the good news: You can get your computer running well again with just a modest amount of effort. I'm going to show you how while I spare you the product pitches and other marketing BS. And maybe you'll be modestly entertained along the way. Let's get started.
The Reality of the Anti-Spyware Industry
Before you make any decisions and buy any software, there are a couple of things you need to know.
First, there are different camps in the anti-spyware business. There are the people who write spyware programs (the bad guys). Then, of course, there are the people who write anti-spyware programs (the good guys).
Second, the good guys aren't always so good. In the beginning of the spyware wars, there was just AdAware and Spybot, the two best programs at the time. Both of them were volunteer efforts led by people who took offense at the invasive software that spied on people's surfing habits and slowed their computers down. But they were soon joined by other companies who saw the profit potential in this market. Some of these companies (like Webroot, Aluria, and PC Tools) produced great products and invested their profits in R&D. Other companies (who will remain unnamed) sold software that ran the range from doesn't work to actively lies about what you have installed so you'll buy it. Sadly, there are dozens and dozens of these companies still operating (despite the FTC shutting some of them down). And some of them have really, really great marketing.
Third, the bad guys are getting smart. Really smart. Spyware is their livelihood, and they have every intent of making every dime they can from this business. They pay programmers to write sneakier software. They hire the best marketers to put a new face on their companies. And they hire the best lawyers to shut up people (like me) who name names.
(Speaking of, I've been on the receiving end of legal action more from the "good guys" than the "bad guys". I've learned that everyone will use every means at their disposal to prevent the truth from getting out, if it isn't in their best interest.)
Finally, and here's where it gets really tricky, you need to know that there are a lot of behind-closed-doors discussions between the good guys and the bad guys. Sometimes they actively work together. Sometimes they just conveniently look the other way. But believe me, the bottom line is that both camps have a lot to gain and a lot to lose.
What Does This Mean?
It means three things:
1. You may pay good money for a slick looking product that does nothing.
2. You have to be careful who you give your money to. You might not get it back.
3. You can't rely on a single program to protect your computer.
The first two should be obvious by now. But the third is worth some more discussion.
Why You Can't Rely on a Single Spyware Remover
I've run hundreds of tests and one thing I've learned: no program removes 100% of spyware.
A simple solution would be to run multiple anti-spyware programs. But realistically, you can't run too many. First, you may end up paying for those programs, which is kind of a waste. Second, the cure might leave you worse off than the illness.
Why? Well, one reason spyware is so bad is that it slows down your PC. All of those programs each consume a little bit of memory, a little bit of CPU, a little bit of bandwidth. Running anti-spyware programs does exactly the same thing. The difference is that an anti-spyware program will consume far more CPU, bandwidth, and memory than just about any spyware invader. The technical term for this is "resource contention". You can actually slow your computer down to a crawl by running just a few spyware removers at once.
I've found the magic number is two. Two good programs are all you need. I recommend you pick one commercial product, and one free product.
Why Choose a Commercial Product?
For-profit companies generally do a much better job of writing spyware removal programs. There are many reasons (chief among them being that for-profit companies can afford to hire armies of spyware researchers) but some people will argue with me until they're blue in the face, so I will just leave it as an empirical statement: after running hundreds of tests, commercial products do a lot better than free ones.
Another indisputable point in favor of commercial companies, however, is that they can provide you with real customer support. Not just a forum manned with rude (and sometimes clueless) developers. A real phone # with a real person on the other end. Some of us really like having that option available.
The Down Side of Commercial Products
For-profit companies are legally obligated to maximize shareholder return (i.e., make money). This can lead to some interesting conflicts of interest. I have first-hand knowledge that "back room" agreements take place all the time between the spyware makers and the spyware removers. The problem is that these agreements are difficult to prove and not usually discussed. For example, if a software program you're running suddenly stops detecting a certain spyware program, will you really notice? Probably not. And it could end up putting thousands of dollars a month in the pockets of the vendor. Ethics aside, it does happen and it's probably happening at ___(insert favorite anti-spyware company name here) ___.
Why Choose a Non-Commercial Product
For the very opposite reason, you might find yourself in the freeware camp. Now I know you aren't one of those who naively claim that corporate software companies are all evil and that the free software products are hands-down better than commercial versions. But those people are all over the net, and from the hours they must spend posting, you might think that there are more of them than there really are. But in reality, there are a few bad apples out there in the freeware camp, just like there are in the commercial camp.
So here's the real deal: Non-commercial companies are generally free from the commercial ties to spyware companies.
"Generally" is the operative word here. Case in point, earlier this year (2005) it was announced that Aluria (an anti-spyware company) and WhenU (a spyware company) had forged a partnership and that Aluria would no longer remove WhenU. This was cited as the worst sort of evil by the fundamentalist freeware camp. Yet when it later came out that Lavasoft (makers of AdAware, the symbol of all that is good and holy among the anti-corporate netheads) had come to a similar agreement, there wasn't quite the same uproar.
Despite this, I more or less agree that it's not a bad idea to run a freeware anti-spyware program on your computer.
What Stinks About Non-Commercial Software
Two things detract from non-commercial products:
1. They just don't work as well: companies that give their software away for free depend on volunteer work, which generally isn't available in the same quantity as paid development.
2. Poor support: If you run into a problem, you're on your own. Support costs money.
So What Should I Do Already?
If you've read this far, then my recommendations will make a lot of sense to you:
First, use two spyware removers. Using just one will probably leave you with gaps in coverage, while running three provides little extra protection and will just slow your computer down.
Second, make one of those programs a commercial product. Not only will you get better (although not perfect) protection, you'll get customer support in case anything goes wrong. Good products are sold by Aluria, PC Tools, and Webroot.
Third, make one of those programs a non-commercial product. You'll have some reassurance that commercial ties aren't compromising your protection and perhaps the satisfaction of putting a smile on a developer's face somewhere. There are three primary options: Microsoft Antispyware, Lavasoft AdAware, and Spybot S&D. Hands down, you should use Microsoft Antispyware: it's a much better product than the other two. And even though Microsoft isn't a non-profit, the program is free and it's very good.
Some of the largest names on the Internet have come together to crack down on the spread of adware and spyware through piggybacking hidden software along with legitimate downloads.
The companies, which include Yahoo!, AOL, Verizon and CNet Networks - which operates the large downloads.com software library - have agreed to establish industry standards for monitoring and enforcing good behaviour on sites which offer downloadable software.
A new code of practice maintained by the Truste independent online trust body will mean that sites that offer downloads will have to state clearly if the download contains adware or trackware. In addition, the site must inform the user of the types of advertising that will be displayed and any personal information that will be tracked and collected. The site should also warn of any change in the user settings. Finally, the user must opt in with their permission before the download can begin.
Once the software is installed, the publisher must offer an easy uninstall procedure with clear instructions. Any ads have to be labelled with the name of the adware program. Any publisher who wants to take part in the programme will have to maintain separate advertising inventory for users of certified applications.
It is thought unlikely that the spyware companies are going to be leaping for joy at these new guidelines. To enforce compliance, the major portals involved in the Trusted Download Program will publish a 'whitelist' of certified applications. Any application that is not on the whitelist risks being ..errr..blacklisted by the portals, which will severely restrict its reach.
However, many spyware applications will not go through legitimate high profile sources as they propagate through p2p networks, warez and pornography sites. The portals can claim they have banished spyware from their own servers even if it continues to flourish elsewhere.
Truste says the programme is expected to launch in beta form early in the New Year.
We just took a trip to CompUSA and came back with a ton of new products, including Cosmi's Spyware Killer Pro and a stack of DVD Copying utilities. Look for more reviews in the next two weeks!
by Wendy Davis, Friday, Oct 28, 2005 6:01 AM EST
MORE THAN SIX MONTHS AFTER it formed, an anti-spyware group headed by the Center for Democracy and Technology, the Anti-Spyware Coalition, released guidelines Thursday designed to assess how to evaluate spyware and other potentially unwanted software programs. The group's guidelines carry no legal weight, but might be influential with some members--like Aluria and Lavasoft--that manufacture anti-spyware removal software.
The proposed standards don't spell out whether any particular product should be classified as harmful, but instead provide various risk factors--a laundry list of traits of software programs, with each trait assessed for its degree of risk.
"The risk factors have general weights (high, medium, and low) that help show the relative impact to the user," states the document. "Although all behaviors can be problematic if unauthorized, certain ones tend to have a greater impact and are treated with more severity than others."
When programs serve pop-up ads, one of the key indicators of potential harm is whether the pop-ups "are clearly attributed to the source program," according to the guidelines.
The guidelines also look at factors that could indicate whether consumers have consented to the programs. For instance, in the case of bundled programs, one factor is whether consumers have opted-in to receive the bundled software (considered a high indication of consent) or whether consumers' only notification about bundled software came in an end-user license agreement (considered a low indication of consumer consent).
Similarly, the easier a program is to remove, the more likely it is that the consumer has consented to the program, according to the guidelines.
The organization is accepting comments on the guidelines through Nov. 27.
Spyware covers a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.
Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, however, spyware - by design - exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.
As of 2005, pundits have often characterized spyware as the pre-eminent security threat for computers running Microsoft Windows operating systems. Some malware on the Linux and Mac OS X platforms has behavior similar to Windows spyware, but to date has not become anywhere near as widespread.
The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model. Spyware later came to refer to espionage equipment such as tiny cameras. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall.[2] Since then, computer-users have used the term in its current sense. 1999 also saw the introduction of the first popular freeware program to include built-in spyware: a humorous and popular game called "Elf Bowling" spread across the Internet in November 1999, and many users learned with surprise that the program actually transmitted user information back to the game's creator, Nsoft.
In early 2000, Steve Gibson of Gibson Research realized that advertising software had been installed on his system, and he suspected that the software was stealing his personal information. After analyzing the software he determined that they were adware components from the companies Aureate (later Radiate) and Conducent. He eventually rescinded his claim that the ad software collected information without the user's knowledge, but still chastised the ad companies for covertly installing the spyware and making it difficult to remove.
As a result of his analysis in 2000, Gibson released the first anti-spyware program, OptOut, and many more software antidotes have appeared since then.[3] International Charter now offers software developers a Spyware-Free Certification program.[4]
According to an October 2004 study by America Online and the National Cyber-Security Alliance, 80% of surveyed users' computers had some form of spyware, with an average of 93 spyware components per computer. 89% of surveyed users with spyware reported that they did not know of its presence, and 95% reported that they had not given permission for it to be installed.[5]
The term adware frequently refers to any software which displays advertisements, whether or not it does so with the user's consent. Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. They do not operate surreptitiously or mislead the user.
Many of the programs frequently classified as spyware function as adware in a different sense: their chief observed behavior consists of displaying advertising. Claria Corporation's Gator Software provides an example of this sort of program. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user's experience is that their computer begins displaying a large number of pop-up advertisements.
Other spyware behaviors, such as reporting on websites the user visits, frequently accompany the displaying of advertisements. Monitoring web activity aims at building up a marketing profile on users in order to sell "targeted" advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such) although many users choose to install it.
Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.
The most direct route by which spyware can get on a computer involves the user installing it. However, users are unlikely to install software if they know that it may disrupt their working environment and compromise their privacy. So many spyware programs deceive the user, either by piggybacking on a piece of desirable software, or by tricking the user to do something that installs the software without realizing it.
Classically, a Trojan horse, by definition, smuggles in something dangerous in the guise of something desirable. Some spyware programs get spread in just this manner. The distributor of spyware presents the program as a useful utility -- for instance as a "Web accelerator" or as a helpful software agent. Users download and install the software, only to find out later that it can cause harm. For example, Bonzi Buddy, a spyware program targeted at children, claims that:
Spyware can also come bundled with shareware or other downloadable software, as well as music CDs. The user downloads a program--for instance, a music program or a file-trading utility--and installs it; the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software, as with the Gator spyware now marketed by Claria. In other cases, spyware authors have repackaged desirable software with installers that add spyware.
A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. The security features of the design of the Internet Explorer Web browser militate against allowing Web sites to initiate an unwanted download. Instead, a user action, such as clicking on a link, must normally trigger a download. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack.
Some spyware authors infect a system by attacking security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and install of spyware. The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a "drive-by download", by analogy to drive-by shootings which leave the user as a hapless bystander. Common browser exploits target security vulnerabilities in Internet Explorer and in the Microsoft Java runtime. Given that Internet Explorer remains the most widely-used browser and that many users neglect to update to more secure versions of their software, Internet Explorer provides an attractive entry point for the less scrupulous advertiser or computer-hacker.
Internet Explorer also serves as a point of attachment for spyware programs which install themselves as Browser Helper Object plugins.
In a few cases, a worm or virus has delivered a payload of spyware. For instance, some attackers used the W32.Spybot.Worm worm to install spyware that popped up pornographic ads on the infected system's screen.[7] By directing traffic to ads set up to channel funds to the spyware authors, they can profit even by such clearly illegal behavior.
Windows-based computers can rapidly accumulate a great many spyware components. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic -- slowing down legitimate uses of these resources. Stability issues -- application or system crashes -- are also common. Spyware which interferes with the networking software commonly causes difficulty connecting to the Internet.
Spyware infection is the most common reason that Windows users seek technical support -- whether from computer manufacturers, Internet service providers, or other sources. In many cases, the user has no awareness of spyware and assumes that the system performance, stability, and/or connectivity issues relate to hardware, to Windows installation problems, or to a virus. Some owners of badly infected systems resort to buying an entire new computer system because the existing system "has become too slow". For badly infected systems, a clean reinstall may be required to restore the system to a working order -- a time-consuming project even for experienced users.
Only rarely does a single piece of software render a computer unusable. Rather, a computer rarely has only one infection. As the 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. The cumulative effect, and the interactions between spyware components, typically cause the stereotypical symptoms reported by users--a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and reduce browser security settings, opening the system to further opportunistic infections, much like an immune deficiency disease. There are also documented cases where a spyware program disabled other spyware programs created by the competitors.
Some other types of spyware (Targetsoft, for example) modify system files to make themselves harder to remove. (Targetsoft modifies the Winsock (Windows Sockets) files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage.) Unlike many other operating systems, a typical Windows user has administrator-level privileges on the system, mostly for the sake of convenience. Any program run by the said user, intentionally or not, has completely unrestricted access to the entire system.
Spyware, along with other threats, has led some former Windows users to move to other platforms such as Linux or Apple Macintosh.
Many spyware programs reveal themselves visibly by displaying advertisements. Some programs simply display pop-up ads on a regular basis -- for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior.
Pop-up advertisements lead to some of users' most common complaints about spyware. The first is simply that the computer can become overwhelmed downloading or displaying ads. An infected computer rarely has only one spyware component installed -- they more often number in the dozens [8] -- and so while a single program might display ads only infrequently, the cumulative effect is overwhelming.
Many users complain about irritating or offensive advertisements as well. As with many banner ads, many spyware advertisements are animated, flickering banners designed to catch the eye -- that is, they are highly visually distracting. Pop-up ads for pornography are often displayed indiscriminately, including when children are using the computer -- possibly in violation of laws on the subject.
A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware which acts as a web proxy or a Browser Helper Object can replace references to a site's own advertisements (which fund the site) with advertisements which instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites.
A few spyware vendors, notably WhenU and 180 Solutions, have written what the New York Times has dubbed "stealware", and what spyware-researcher Ben Edelman terms affiliate fraud, also known as click fraud. These redirect the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.
Affiliate marketing networks work by tracking users who follow an advertisement from an "affiliate" and subsequently purchase something from the advertised Web site. Online merchants such as eBay and Dell are among the larger companies which use affiliate marketing. In order for affiliate marketing to work, the affiliate places a tag such as a cookie or a session variable on the user's request, which the merchant associates with any purchases made. The affiliate then receives a small commission.
Spyware which attacks affiliate networks does so by placing the spyware operator's affiliate tag on the user's activity -- replacing any other tag, if there is one. This harms just about everyone involved in the transaction other than the spyware operator. The user is harmed by having their choices thwarted. A legitimate affiliate is harmed by having their earned income redirected to the spyware operator. Affiliate marketing networks are harmed by the degradation of their reputation. Vendors are harmed by having to pay out affiliate revenues to an "affiliate" who did not earn them according to contract. [9]
Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as WhenU and 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.
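From the merchant's side, the tag replacement described above shows up as a purchase credited to an affiliate that never delivered a click-through in that session. The Python example below is added here and is not code from the original article; the log format, field names and affiliate IDs are constructed assumptions.

```python
from collections import Counter

# Constructed merchant-side request log (not real data). Field names are
# hypothetical: "tag" is the affiliate tag carried by the request, and
# "via_link" is True only when the request is a click-through from that
# affiliate's own advertisement.
SAMPLE_LOG = [
    # s1: user arrives via aff-blog, tag is swapped mid-session, then buys
    {"ts": 1,  "session": "s1", "tag": "aff-blog",  "via_link": True,  "purchase": False},
    {"ts": 2,  "session": "s1", "tag": "aff-blog",  "via_link": False, "purchase": False},
    {"ts": 3,  "session": "s1", "tag": "aff-x",     "via_link": False, "purchase": False},
    {"ts": 4,  "session": "s1", "tag": "aff-x",     "via_link": False, "purchase": True},
    # s2: ordinary referral, the same affiliate is credited at purchase
    {"ts": 5,  "session": "s2", "tag": "aff-news",  "via_link": True,  "purchase": False},
    {"ts": 6,  "session": "s2", "tag": "aff-news",  "via_link": False, "purchase": True},
    # s3: user legitimately clicks a second affiliate's ad before buying
    {"ts": 7,  "session": "s3", "tag": "aff-blog",  "via_link": True,  "purchase": False},
    {"ts": 8,  "session": "s3", "tag": "aff-deals", "via_link": True,  "purchase": False},
    {"ts": 9,  "session": "s3", "tag": "aff-deals", "via_link": False, "purchase": True},
    # s4: direct visitor with no referral; a tag appears without any click
    {"ts": 10, "session": "s4", "tag": None,        "via_link": False, "purchase": False},
    {"ts": 11, "session": "s4", "tag": "aff-x",     "via_link": False, "purchase": True},
]


def find_overwrites(log):
    """Return (session, earned_by, credited_to) for every purchase whose
    affiliate tag was not established by a click-through in that session."""
    earned = {}      # session -> affiliate of the most recent click-through
    findings = []
    for rec in sorted(log, key=lambda r: r["ts"]):
        sid, tag = rec["session"], rec["tag"]
        if rec["via_link"] and tag is not None:
            earned[sid] = tag          # a real referral sets the tag
        if rec["purchase"] and tag is not None and tag != earned.get(sid):
            # Commission would go to `tag`, but no ad click from that
            # affiliate was seen: the tag was replaced or injected.
            findings.append((sid, earned.get(sid), tag))
    return findings


def credited_without_click(log):
    """Count suspicious purchases per credited affiliate ID."""
    return Counter(credited for _, _, credited in find_overwrites(log))


if __name__ == "__main__":
    for sid, earned_by, credited_to in find_overwrites(SAMPLE_LOG):
        print(f"{sid}: earned by {earned_by!r}, credited to {credited_to!r}")
    print(dict(credited_without_click(SAMPLE_LOG)))
```

An affiliate ID that dominates the second count across many sessions is the pattern a network would review before paying out commissions.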
In one case, spyware has been closely associated with identity theft. [10] In August 2005, researchers from security software firm Sunbelt Software believed that the makers of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc." [11], but it turned out that "it actually is its own sophisticated criminal little trojan that’s independent of CWS." [12] This case is currently under investigation by the FBI.
Spyware-makers may perpetrate another sort of fraud with dialer program spyware: wire fraud. Dialers cause a computer with a modem to dial up a long-distance telephone number instead of the usual ISP. Connecting to the number in question involves long-distance or overseas charges; this can result in massive telephone bills, which the user must either pay or contest with the telephone company. Dialers are somewhat less effective today, now that fewer Internet users use modems.
Most copy-protection schemes, while they do serve a legitimate purpose of attempting to prevent piracy, also behave similarly to spyware programs. Some digital rights management technologies (such as Sony's XCP) actually use trojan-horse tactics to verify a user as the rightful owner of the media in question.
Anti-spyware programs often report Web advertisers' HTTP cookies as spyware. Cookies are not software of any sort—they are variables set by Web sites (including advertisers) which can be used to track Web-browsing activity, for instance to maintain a "shopping cart" for an online store or to maintain consistent user settings on a search engine.
Cookies can only be accessed by the Web site that sets them. In the case of cookies associated with advertisements, this is generally not the Web site that the user intended to visit, but a third-party site referenced by a banner ad image. Some Web browsers and privacy tools offer to reject cookies from sites other than the one that the user requested.
Advertisers use cookies to track people's browsing among various sites carrying ads from the same firm and thus to build up a marketing profile of the person or family using the computer. It is for this reason that many users object to such cookies, and that anti-spyware programs offer to remove them.
A few examples of common spyware programs may serve to illustrate the diversity of behaviors found in these attacks.
Caveat: As with computer viruses, researchers give names to spyware programs which frequently do not relate to any names that the spyware-writers use. Researchers may group programs into "families" based not on shared program code, but on common behaviors, or by "following the money" or apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.
CoolWebSearch, a group of programs, installs through the exploitation of Internet Explorer vulnerabilities. The programs direct traffic to advertisements on Web sites including coolwebsearch.com. To this end, they display pop-up ads, rewrite search engine results, and alter the infected computer's hosts file to direct DNS lookups to these sites. [13]
Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites. [14]
180 Solutions transmits extensive information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies. [15]
HuntBar, aka WinTools or Adware.Websearch, is a small family of spyware programs distributed by Traffic Syndicate. [16] It is installed by ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs -- an example of how spyware can install more spyware. These programs add toolbars to Internet Explorer, track Web browsing behavior, redirect affiliate references, and display advertisements.
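The hosts-file alteration attributed to CoolWebSearch above can be checked for directly, because a hosts entry that pins a name to a routable address bypasses DNS for that name. The Python example below is added here and is not code from the original article; the watch list, hostnames and addresses are constructed assumptions, and the sample text stands in for the machine's real hosts file.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical watch list: names that should always be resolved through DNS
# on this machine (for instance search or update sites). Constructed values.
WATCHED_SUFFIXES = ("search.example.com", "update.example.net")

# Constructed hosts file content (not taken from a real infection).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example     # blocklist entry added by the user
203.0.113.7     search.example.com www.search.example.com
203.0.113.7     intranet-wiki           # shortcut added by an admin
not-an-ip       broken.example
198.51.100.20   Update.Example.NET.
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    hostname: str
    address: str
    verdict: str   # "local", "override" or "redirect"


def is_watched(name):
    """True if name equals, or is a subdomain of, a watched suffix."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Classify every name in hosts-format text.

    Returns (findings, malformed_line_numbers). Verdicts:
      local    - loopback or 0.0.0.0: localhost mappings and blocklist sinks
      override - unwatched name pinned to a routable address (review it)
      redirect - watched name pinned to a routable address (DNS bypassed)
    """
    findings, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(line_no)
            continue
        if len(fields) < 2:                      # address with no hostname
            malformed.append(line_no)
            continue
        for name in fields[1:]:                  # one line may carry aliases
            name = name.lower().rstrip(".")      # hostnames are case-insensitive
            if addr.is_loopback or addr.is_unspecified:
                verdict = "local"
            elif is_watched(name):
                verdict = "redirect"
            else:
                verdict = "override"
            findings.append(Finding(line_no, name, str(addr), verdict))
    return findings, malformed


if __name__ == "__main__":
    found, bad = audit_hosts(SAMPLE_HOSTS)
    for f in found:
        if f.verdict != "local":
            print(f"line {f.line_no}: {f.hostname} -> {f.address} [{f.verdict}]")
    print("malformed lines:", bad)
```

To audit a real machine, pass the contents of the system hosts file to `audit_hosts` and replace the watch list with the names that matter on that system.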
Gaining unauthorized access to a computer is illegal, under computer crime laws such as the United States Computer Fraud and Abuse Act. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware programs, such as viruses. Nonetheless, few prosecutions of writers of spyware have occurred, and many such producers operate openly as aboveboard businesses. Some have, however, faced lawsuits.
Spyware producers primarily argue in defense of the legality of their acts that, contrary to the users' claims, users do in fact give consent to the installation of their spyware. Spyware that comes bundled with shareware applications may appear, for instance, described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim that these demonstrate that users have consented to the installation of their software.
Despite the ubiquity of EULAs and of clickwrap agreements, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreement can be a binding contract in certain circumstances. This does not, however, mean that every clickwrap agreement is a contract or that every term in a clickwrap contract is enforceable. It seems highly likely that many of the purported contract terms presented in clickwrap agreements would be dismissed in most jurisdictions as being contrary to public policy. Many spyware clickwrap agreements appear intentionally ambiguous and excessive in length, with key contract terms made inconspicuous. These are all grounds on which similar agreements have been rejected as contracts of adhesion.
Nor can a contract possibly exist in the case of spyware installed by surreptitious means, such as in a drive-by download where the user receives no opportunity to either agree to or refuse the contract terms.
Some spyware EULAs characterize the removal of spyware once installed as "illegal". Such claims mislead, since by definition breach of contract involves civil, not criminal law; and breach of contract, by definition, does not involve illegality. Such notices may themselves class as criminal, however, if found to make a deliberately false statement for the purpose of material gain - a common-law definition of fraud.
Some jurisdictions, such as the U.S. state of Washington, have passed laws criminalizing some forms of spyware. [17] The Washington law makes it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software.
New York Attorney General Eliot Spitzer has pursued spyware companies for fraudulent installation of software.[18] In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to pay $7.5 million and to stop distributing spyware. Intermix's spyware spread via drive-by download, and deliberately installed itself in ways that made it difficult to remove.[19]
Another spyware behavior has attracted lawsuits: the replacement of Web advertisements. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court. Other spyware apart from Claria's also replaces advertisements, thus diverting revenue from the ad-bearing Web site to the spyware author.
One legal issue not yet pursued involves whether courts can hold advertisers responsible for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, the advertised company contracts with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have "fired" advertising agencies which have run their ads in spyware.[20]
In a sort of turnabout, a few spyware companies have threatened websites which have posted descriptions of their products. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing the Gator program as "spyware".[21] PC Pitstop settled, agreeing not to use the word "spyware", but continues to publish descriptions of the harmful behavior of the Gator/Claria software. [22]
As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system.
Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data, and fully reinstalling the operating system.
Many programmers and commercial firms have released products designed to remove or block spyware. Steve Gibson's OptOut, mentioned above, pioneered a growing category. Programs such as Lavasoft's Ad-Aware SE and Patrick Kolla's Spybot - Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the GIANT Anti-Spyware software, rebadging it as Windows AntiSpyware beta and releasing it as a free download for Windows XP, Windows 2000, and Windows 2003 users. The Windows AntiSpyware Beta, a time-limited beta test product, will expire at the end of July 2006. Microsoft has also announced that the product will ship (for free) under the name of "Windows Defender", but has not provided a target release date for the final version. Other well-known anti-spyware products include Webroot Spy Sweeper, PC Tools' Spyware Doctor, and Sunbelt's CounterSpy (which uses the same scanning engine as Windows AntiSpyware beta).
Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and does not offer real-time protection from them as it does for viruses.
Anti-spyware programs can combat spyware in two ways: real-time protection, which prevents spyware from being installed, and scanning and removal of spyware. Scanning and removal is usually simpler, and so many more programs have become available which do so. The program inspects the contents of the Windows registry, the operating system files, and installed programs, and removes files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings.
Earlier versions of anti-spyware programs focused chiefly on scanning and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs. Other programs such as Ad-Aware and Windows AntiSpyware now combine the two approaches, while SpywareBlaster remains focused on real-time protection.
Like most anti-virus software, anti-spyware software requires a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making "signatures" or "definitions" which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates gratis. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually.
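The scan-and-match process described above, together with a check on the age of the definitions, as an added example that is not code from any anti-spyware product. The definitions format, signature name, paths and start-up values are all constructed, and a whole-file SHA-256 match stands in for a vendor's signature format.

```python
import hashlib
import re
import tempfile
from datetime import date
from pathlib import Path

# Constructed sample: bytes standing in for a known spyware component.
SAMPLE_COMPONENT = b"constructed bytes standing in for a spyware toolbar DLL"

# Constructed definitions database; names, hash and pattern are made up.
DEFINITIONS = {
    "released": date(2006, 1, 10),
    "signatures": [{
        "name": "Example.Toolbar",
        "sha256": {hashlib.sha256(SAMPLE_COMPONENT).hexdigest()},
        "autostart": [re.compile(r"\\extoolbar\\[^\\]+\.exe", re.I)],
    }],
}

# Constructed stand-in for start-up registry values (value name -> command).
SAMPLE_AUTOSTART = {
    "ExToolbarUpdater": r"C:\Program Files\ExToolbar\updater.exe /silent",
    "SoundDriver": r"C:\Windows\System32\snddrv.exe",
}

def file_sha256(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_files(root, definitions):
    """Return (relative path, signature name) for files with a known hash."""
    by_hash = {h: s["name"] for s in definitions["signatures"] for h in s["sha256"]}
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            name = by_hash.get(file_sha256(path))
            if name:
                hits.append((path.relative_to(root).as_posix(), name))
    return hits

def scan_autostart(values, definitions):
    """Return (value name, signature name) for start-up entries matching a pattern."""
    hits = []
    for value_name, command in sorted(values.items()):
        for sig in definitions["signatures"]:
            if any(p.search(command) for p in sig["autostart"]):
                hits.append((value_name, sig["name"]))
    return hits

def definitions_stale(definitions, today, max_age_days=14):
    """Flag a definitions set too old to cover recently released spyware."""
    return (today - definitions["released"]).days > max_age_days

def demo():
    """Scan a constructed directory tree and the constructed start-up values."""
    with tempfile.TemporaryDirectory() as root:
        bar = Path(root, "Program Files", "ExToolbar")
        bar.mkdir(parents=True)
        (bar / "toolbar.dll").write_bytes(SAMPLE_COMPONENT)
        # Same file name, different content: the hash signature does not match.
        (Path(root) / "toolbar.dll").write_bytes(b"unrelated benign file")
        return scan_files(root, DEFINITIONS), scan_autostart(SAMPLE_AUTOSTART, DEFINITIONS)

if __name__ == "__main__":
    print(demo(), definitions_stale(DEFINITIONS, date(2006, 3, 1)))
```

A component released after the definitions date, or rebuilt so that its hash changes, produces no hit here, which is why the staleness check matters as much as the scan.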
If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware.
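The paired-process behaviour described above can be recognised from process start and exit events. This is an added example, not part of the original page, and the log format, process names and five-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-event log; the format and image names are made up.
SAMPLE_LOG = """\
2006-02-01T10:00:00 START pid=400 ppid=4 image=explorer.exe
2006-02-01T10:00:05 START pid=410 ppid=400 image=adhelper.exe
2006-02-01T10:00:06 START pid=411 ppid=410 image=adwatch.exe
2006-02-01T10:05:00 EXIT pid=410 image=adhelper.exe
2006-02-01T10:05:01 START pid=520 ppid=411 image=adhelper.exe
2006-02-01T10:06:00 EXIT pid=411 image=adwatch.exe
2006-02-01T10:06:02 START pid=530 ppid=520 image=adwatch.exe
2006-02-01T10:10:00 START pid=600 ppid=400 image=notepad.exe
2006-02-01T10:20:00 EXIT pid=600 image=notepad.exe
2006-02-01T10:45:00 START pid=610 ppid=400 image=notepad.exe
"""

LINE = re.compile(r"(\S+) (START|EXIT) pid=(\d+)(?: ppid=(\d+))? image=(\S+)")

def find_respawns(log_text, window=timedelta(seconds=5)):
    """Map each image to the images that relaunched it within `window` of its exit."""
    running = {}       # pid -> image of each live process
    last_exit = {}     # image -> time of its most recent exit
    respawned_by = {}
    for line in log_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        event, pid, ppid, image = m.group(2), int(m.group(3)), m.group(4), m.group(5)
        if event == "EXIT":
            running.pop(pid, None)
            last_exit[image] = ts
            continue
        parent = running.get(int(ppid)) if ppid else None
        exited = last_exit.get(image)
        if parent and exited is not None and ts - exited <= window:
            respawned_by.setdefault(image, set()).add(parent)
        running[pid] = image
    return respawned_by

def mutual_guards(respawned_by):
    """Return sorted pairs of images that have each relaunched the other."""
    pairs = set()
    for image, parents in respawned_by.items():
        for parent in parents:
            if parent != image and image in respawned_by.get(parent, ()):
                pairs.add(tuple(sorted((image, parent))))
    return sorted(pairs)

if __name__ == "__main__":
    print(mutual_guards(find_respawns(SAMPLE_LOG)))
```

A pair reported here has to be stopped together, or removed while neither is running, which is what booting in safe mode achieves.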
Malicious programmers have released a large number of fake anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware—or worse, may add more spyware of their own.[23] [24]
To deter spyware, computer users have found a number of techniques useful in addition to installing anti-spyware software.
Many systems install a web browser other than Microsoft's Internet Explorer (IE), such as Opera or Mozilla Firefox. While other web browsers have also had security vulnerabilities, Internet Explorer has contributed to the spyware problem in two ways:
Many users of non-IE browsers on Windows report that they have switched from IE because of security concerns, including concerns about spyware. [25]
Internet Explorer users can improve security by keeping up-to-date on security patches, and by altering settings in the browser — particularly those disabling scripting technologies such as ActiveX. (However, Web sites that make use of ActiveX will not work in this scenario.) The version of IE which comes with Windows XP Service Pack 2 also has substantially-improved security defaults, although spyware infections can still occur.
Some Internet sites — particularly colleges and universities — have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University's Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it.[26] Many other educational institutions have taken similar steps against Marketscore and other spyware. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users' behavior, and so may attract institutional attention more readily.
Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. One site, CleanSoftware.org, founded as an alternative to other popular Windows software sites, offers only software verified not to contain "nasties" such as spyware. Recently, C|Net revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.
In a small number of cases, firms have distributed audio compact discs with spyware that activates when the disc finds itself in a computer with autorun enabled. Sony's Extended Copy Protection, uncovered in October 2005, has provided the most widespread and infamous example to date.
Malware (a portmanteau of "malicious software") is a type of software designed to take over and/or damage a computer user's operating system, without his or her knowledge or approval. Once installed, it is often very difficult to remove, and depending on the severity of the program installed, its handiwork can range in degree from the slightly annoying (such as unwanted pop-up ads while a user is performing regular computing tasks on or offline), to irreparable damage requiring the reformatting of one's hard drive, since much malware is poorly written. Examples of malware include viruses and trojan horses.
Malware should not be confused with defective software, that is, software which is intended for a legitimate purpose but has errors or bugs.
Over the years, people have written malicious software for a number of different purposes.
Many early infectious programs, including the Internet Worm and a number of MS-DOS viruses, were written as experiments or pranks -- generally intended to be harmless or merely annoying, rather than to cause serious damage. Young programmers, learning about the possibility of viruses and the techniques used to write them, might write one just to prove that they can do it, or to see how far it could spread.
A slightly more hostile intent can be found in programs designed to vandalize or cause data loss. Many DOS viruses were designed to destroy files on a hard disk, or to corrupt the filesystem by writing junk data. Network-borne worms such as the Code Red worm or Ramen worm fall into the same category. Designed to vandalize Web pages, these worms may seem like an online equivalent of graffiti tagging, with the author's name or affinity group appearing everywhere the worm goes.
Revenge is sometimes a motive to write malicious software. A programmer or system administrator about to be fired from a job may leave behind backdoors or software "time bombs" that will allow them to damage the former employer's systems or destroy their own earlier work.
However, since the rise of widespread broadband Internet access, a greater portion of malicious software has been focused strictly on a profit motive. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation. Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service attacks as a form of extortion.
Another strictly for-profit category of malware has emerged in spyware -- programs designed to monitor users' Web browsing, display unsolicited advertisements, and redirect affiliate marketing revenues to the spyware creator.
Two common types of malware are viruses and worms. These types of programs have in common that they are both able to self-replicate; they can spread (possibly modified) copies of themselves. Not every program that copies itself is a virus or worm; for instance, backup software may copy itself to other media as part of a system backup. To be classified as a virus or worm, at least some of these copies have to be able to replicate themselves too, such that the virus or worm can propagate itself. The difference between a virus and a worm is that a worm operates more or less independently of other files, whereas a virus depends on hosts to spread itself.
Viruses have used many sorts of hosts. When computer viruses first originated, common targets were executable files that are part of application programs and the boot sectors of floppy disks. More recently, viruses have spread as e-mail attachments, depending on a curious user opening the viral attachment, and even more recently files transmitted through peer-to-peer (P2P) software have been a major culprit in the propagation of viruses. In the case of executable files, the infection routine of the virus arranges that when the host code is executed, the viral code gets executed as well. Normally, the host program keeps functioning after it is infected by the virus. Some viruses overwrite other programs with copies of themselves, which destroys them altogether. Viruses can spread across computers when the software or document they have attached themselves to is transferred from one computer to another.
Because viruses were historically the first to appear, the term "virus" is often applied, especially in the popular media, to all sorts of malware. Modern anti-viral software strengthens this broader sense of the term, as its operation is never limited to viruses.
Computer worms are similar to viruses but are stand-alone software and thus do not require host files (or other types of host code) to spread themselves. They do modify their host operating system, however, at least to the extent that they are started as part of the boot process. To spread, worms either exploit some vulnerability of the target system or use some kind of social engineering to trick users into executing them.
A third, uncommon, type of self-replicating malware is the wabbit. Unlike viruses, wabbits do not infect host programs or documents. Unlike worms, wabbits do not use network functionality in order to spread to other computers. Instead, a wabbit repeatedly replicates itself on a local computer. Wabbits can be programmed to have (malicious) side-effects, in addition to the direct consequences of their quick self-replication. An example of a simple wabbit is a fork bomb.
A trojan horse program is a harmful piece of software that is disguised as legitimate software. Trojan horses cannot replicate themselves, in contrast to viruses or worms. A trojan horse can be deliberately attached to otherwise useful software by a programmer, or it can be spread by tricking users into believing that it is useful. To complicate matters, some trojan horses can spread or activate other malware, such as viruses. These programs are called 'droppers'. A common aftermath is the Trojan attracting a large amount of adware/spyware, causing lots of popups and web browser instability.
A backdoor is a piece of software that allows access to the computer system bypassing the normal authentication procedures. Based on how they work and spread, there are two groups of backdoors. The first group works much like a Trojan, i.e., they are manually inserted into another piece of software, executed via their host software and spread by their host software being installed. The second group works more like a worm in that they get executed as part of the boot process and are usually spread by worms carrying them as their payload. The term Ratware has arisen to describe backdoor malware that turns computers into zombies for sending spam. The installed software can also be used for anonymizing traffic, brute-force cracking of passwords and encryption, and distributed denial of service attacks (DDoS).
Spyware is software that collects and sends information (such as browsing patterns in the more benign cases or credit card numbers in more malicious cases) about users or, more precisely, the results of their computer activity, typically without explicit notification. Spyware programs usually work and spread like Trojan horses. The category of spyware is sometimes taken to include adware of the less-forthcoming sort.
A keylogger is software that copies a computer user's keystrokes to a file, which it may send to a security cracker (called a hacker by most people) at a later time. Often the keylogger will only "awaken" when a computer user connects to a secure website, such as a bank. It then logs the keystrokes, which may include account numbers, PINs and passwords, before they are encrypted by the secure website.
A dialer is a program that either replaces the phone number in a modem's dial-up connection with a long-distance number, often out of the country, in order to run up phone charges on pay-per-dial numbers, or dials out at night to send keylogger or other information to a security cracker.
A browser hijacker is any program designed to alter a computer user's browser settings. These changes can sometimes come in the form of new web sites added to the user's bookmarks; the replacement of his or her home page to one set by the author; or, in the worst case scenario, the browser actually being redirected to various URLs of the author's choosing when certain addresses are typed or found in a search engine results page.
An exploit is a piece of software that attacks a particular security vulnerability. Exploits are not necessarily malicious in intent — they are often devised by security researchers as a way of demonstrating that a vulnerability exists. However, they are a common component of malicious programs such as network worms.
A rootkit is software inserted onto a computer system after an attacker has gained control of the system. Rootkits often include functions to hide the traces of the attack, as by deleting log entries or cloaking the attacker's processes. Rootkits may also include backdoors, allowing the attacker to easily regain access later, or exploit software to attack other systems. Because they often hook into the operating system at the kernel level to hide their presence, rootkits can be very hard to detect.
Malware typically contains a payload with one or more undesirable functions.
Some viruses, particularly early ones, display political or ideological messages when activated. In some cases, they are programmed to activate on a date selected by the author. They may also delete files or take other action.
Some malware deletes files or formats disks. Occasionally, particular types of files, such as MP3s, have been targeted. Some defendants in trials involving pornography have claimed that material found on their computers was placed there by malware.
It is the conventional wisdom of many computer users that malware works by invasively sneaking onto their systems. However, in reality, nothing could be further from the truth. In fact, more often than not, victims of an infestation will have unwittingly brought the infection on themselves, as malware is designed to take advantage of the carelessness or laxness of those who don't take enough steps to secure their computers against attacks.
Unfortunately, cleaning an operating system that has been infected by malware is no longer as simple as it used to be. Malware has become increasingly difficult to clean, as no single anti-virus or anti-spyware program can successfully catch everything that has been installed on a computer. In fact, it is not unusual to resort to an arsenal of security products, online scanners, and anti-spyware/anti-virus software to make sure everything has been properly removed.