Jim Lynch

CSC 451 Computer Networks

Spyware And Adware Programs And Their Removal

  1. Introduction.
    1. There are three terms to deal with here: adware, spyware, and malware. The first, adware, is a very specific business model. When it was found that cookies could be manipulated, a whole new industry was spawned: the ability to target advertisements based on an individual's browsing habits. New software written to improve this targeting was disparagingly referred to as spyware. These advertising concerns became very aggressive about collecting data, and in so doing they became abusive. Meanwhile, the use of the word spyware became contentious. Some people started using the term malware for the most abusive forms, but as it all started with the adware business model, most people call it spyware.
    2. As Andrew Tanenbaum explains in Computer Networks, cookies have been exploited to track Web usage. Vendors place ads on Web pages, but instead of embedding a JPEG or GIF directly, they insert the URL of a graphics object on an ad server. The first time the browser fetches that image, the ad server's response sets a cookie carrying a unique ID. Every later page that embeds an image from the same ad server makes the browser send that cookie back, along with the address of the page being viewed (the Referer header), so the ad server adds that page to the list it keeps under that ID. Now there is a list of Web pages visited, tied to one browser, even though no single site handed over its visitor logs.
    3. Marketing people now know what interests you have and can use this information to target the ads they place on your computer. Some complain that this monitoring is an invasion of privacy.
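    The tracking mechanism in item 2, as an added simulation (not code from the original paper or from Tanenbaum): one ad server, two browsers, and a cookie jar. The ad-server host name, the page URLs and the ID format are assumptions made for the demonstration. Turning off third-party cookies in the browser shows why the profile falls apart when the cookie is never stored.

```python
"""Simulation of third-party cookie tracking across sites.

Added example, not code from the original page. The ad-server host
name and the page URLs are assumptions chosen for the demonstration.
"""
import itertools
from urllib.parse import urlsplit

AD_SERVER = "ad-server.example"   # assumed ad-server host name


class AdServer:
    """Sets one unique-ID cookie per browser and logs the Referer of every hit."""

    def __init__(self):
        self._next_id = itertools.count(1000)
        self.profiles = {}        # cookie value -> list of pages that embedded an ad

    def serve_image(self, cookie, referer):
        """Handle one image request; return the response headers."""
        headers = {}
        if cookie is None:        # first visit from this browser: hand out a fresh ID
            cookie = f"uid={next(self._next_id)}"
            headers["Set-Cookie"] = cookie
        self.profiles.setdefault(cookie, []).append(referer)
        return headers


class Browser:
    """Minimal browser with a cookie jar keyed by host."""

    def __init__(self, ad_server, third_party_cookies=True):
        self.jar = {}
        self.ad_server = ad_server
        self.third_party_cookies = third_party_cookies

    def visit(self, page_url, image_urls):
        """Load a page; every <img> pointing at the ad server triggers a tracked fetch."""
        for img in image_urls:
            host = urlsplit(img).hostname
            if host != AD_SERVER:
                continue          # first-party images never reach the ad server
            # The browser sends the ad server's cookie (if any) plus the page URL as Referer
            response = self.ad_server.serve_image(self.jar.get(host), page_url)
            if "Set-Cookie" in response and self.third_party_cookies:
                self.jar[host] = response["Set-Cookie"]


def demo(third_party_cookies=True):
    """Two users browse three pages; return the profiles the ad server has built."""
    ads = AdServer()
    alice = Browser(ads, third_party_cookies)
    bob = Browser(ads, third_party_cookies)
    ad = f"http://{AD_SERVER}/ad1002563.jpg"
    alice.visit("http://news.example/sports", [ad])
    alice.visit("http://shop.example/golf-clubs", [ad, "http://shop.example/logo.gif"])
    bob.visit("http://news.example/sports", [ad])
    return ads.profiles


if __name__ == "__main__":
    for uid, pages in demo().items():
        print(uid, "->", pages)
    # With third-party cookies refused, every hit looks like a brand-new visitor
    print(len(demo(third_party_cookies=False)), "anonymous hits without cookies")
```

    Run as a script it prints uid=1000 with both of Alice's pages and uid=1001 with Bob's single page; with the cookie refused, the same three page loads produce three unrelated IDs, which is exactly the information the ad server loses.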
  2. Adware / Spyware.
    1. Adware is any software which displays or delivers advertising material to a computer.
    2. Originally it was bundled with shareware or freeware. Instead of the user paying for the software the advertising did.
    3. Usually there is a tracking program that monitors the user's Web activities by reading directly from the browser. Cookie tracking only covers the pages that embed the ad server's content; a program on the machine sees every page the browser opens, so this is more powerful than tracking with cookies. It can also be construed as an even larger invasion of privacy.
    4. This was all supposed to be spelled out in the license agreements. Unfortunately these were often long-winded and possibly misleading. A common complaint about the current license agreements for pop-up software is that there are pages of mind-numbing legalese about copyright, distribution, disassembly, reverse engineering, disclaimers of fitness for a particular purpose, and so on. Buried somewhere in there is a line like "may include software that will occasionally notify you of important news". Some say that is misleading.
    5. As users started removing the adware / spyware that came with their freeware, the writers of these programs started burying them deeper and deeper into the system. They became harder to find and even harder to remove. They have been known to modify system files so that parts of the system stop working when the spyware is removed.
    6. In November 1999 the game "Elf Bowling" made its way around the Internet. The elves have gone on strike at Christmas, so you and Santa go bowling; instead of bowling pins you knock down elves. The game was cute. This is probably the first big use of stealthy spyware. There was no end user license agreement. The only documentation gave the rules for playing the game. There was no clue that the program also monitored the computer's Web activities and reported back to its creator, Nsoft. It was close to a year before anyone figured it out.
    7. Gator (now called Claria) is pop-up advertising software. It monitors your Web browsing so as to target the ads it pops up on user computers. In 2003 "PC Pitstop" referred to this as spyware. Gator sued, arguing that if the end user agreed to the license agreement it wasn't spying. PC Pitstop was forced to stop calling it spyware. When adware / spyware became a real problem, the anti-virus companies like Symantec and McAfee did not get involved because of the litigation risk.
    8. The original "Trojan Horse" looked like something good and valuable. In reality it was bad for the residents of Troy. Adware/Spyware markets itself as good and valuable. Listen to this ad for Bonzi Buddy. By the way the target audience is children:
      1. He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the product you love and help you save money! Best of all, he's FREE!
      2. When your child is done using the computer and you are at the controls, the program is monitoring your use even if you aren't using Bonzi Buddy.
    9. Each time an adware program is loaded, it runs separately from all other programs. If there are two pop-up programs on your computer you will get twice as many pop-ups. In 2004 AOL did a study. They found that if a computer has any spyware at all, it typically has dozens of different pieces installed; users rarely pick up just one. Now we have spyware infestations. Some computers had so many pop-ups they became inoperable. I know of people who have bought new computers for exactly this reason.
    10. Next is drive-by downloads. There are two versions.
      1. A vulnerability in the browser is exploited. When you visit a Web page, a script automatically downloads a file to your computer and runs it, with no prompt at all. So far this has only happened in Internet Explorer, and Microsoft has released a patch. (Stay current with your updates.)
      2. On a suspect Web site a pop-up box asks if you want to download the program. There are two buttons in the box, Yes and No. Both buttons download and install the program; the dialog is just a picture.
    11. Adwarereport.com points out that
      spyware exists as an independent, executable program on your system, and has the capability to do anything any program can do, including monitor keystrokes, arbitrarily scan files on your hard drive, snoop other applications such as word-processors and chat programs, read your cookies, change your default home page, interface with your default Web browser to determine what Web sites you are visiting, and monitor various aspects of your behavior, "phoning home" from time to time to report this information back to...
      These are things spyware programs have already been shown to do.
    12. In order for adware / spyware to report home there has to be a communication channel. If you don't know about it, it is a back door to your computer. A firewall protects against this, but only one that filters outbound connections as well as inbound ones; a firewall that lets everything out will let the spyware phone home.
    13. Spyware has been known to disable firewalls and anti-virus programs and to change browser security settings.
    14. Spyware has been known to operate as two programs in tandem. If you delete one, the other reinstalls it.
    15. Porn sites have used worms in e-mail attachments to spread adware / spyware. A word about porn sites. The United States has laws against pornography. Consequently, many porn sites are not physically in the U.S. Where they are located, they don't necessarily have laws like ours. They can put anything they want on their sites. Cleaning out a bank account in the U.S. is not necessarily against their laws.
    16. A friend called me from Lompoc about 4 months ago. He had been to a porn site and now none of the icons came up on his laptop display. Those icons are the only way he can use the computer. I made him bring it down to me. He was at a porn site and he requested something, and the site started a program to get his credit card number so they could charge him. He tried to say "No" but that was not an option. He ended up turning the computer off. When he next restarted it, before the icons loaded it tried to dial out and finish the transaction. As the modem wasn't plugged in, the computer froze and wouldn't let his icons come up. Of course it wants to call something in Lompoc and we're in Torrance, so I'm not putting that on my bill, so we won't give it a line to dial out on. But it gets worse. When you boot up, eventually you get the background screen, then the bar on the bottom with the "Start" button, then the icons. Not only did this thing freeze the computer before it got to the icons, it didn't get to the bar on the bottom. There was no "Start" button. I couldn't get into the computer and I couldn't use anything on it. After about half an hour I remembered Ctrl-Alt-Del and the task manager. I found the processes and killed them, then the computer completed booting up. I searched for the executables that ran the processes and deleted them, rebooted, and it worked. It took a while but I fixed the computer. A week later he called to tell me it came back and the computer was just as I had found it. He said he hadn't been to any porn sites; it just came back on its own. He was giving up and was going to reformat the hard drive. He wondered what he needed to know first. I made sure he had all the startup disks and all the drivers that computer needed. We gave up on saving his data.
    17. A spyware module has been known to spoof a Windows system process so that it does not appear in the Windows End Task dialog. Targetsoft modifies the Winsock files; if you delete the spyware, normal network usage stops working. This is "rootkit" stuff.
    18. As rootkits have been introduced, I had better explain what they are.
      1. History. In the 80s hackers rewrote the ls, ps, and netstat commands for Unix machines. Once they got the replacements installed on a computer, they concealed the intruder's activities. A file on the computer held lists of the files, processes, and network connections to hide: ls would not list anything in that file, and neither would ps or netstat. Other than that, ls, ps, and netstat seemed to work normally. Hackers could put files on your computer and run them and you couldn't tell. As the replacements looked and acted like something you knew and trusted, they acquired the name "Trojan Horses". When packaged together they were referred to as "rootkits". They usually used a secret port to communicate with a foreign host, a "back door". Ever since, system administrators have been writing tools to locate and eradicate them, and hackers have been modifying their programs to defeat the new tools.
      2. The current rootkits for Windows hide directory listings and registry keys and log all keyboard activity. If hackers get one onto your computer, they can do anything they want. They can monitor your use of financial accounts, user names, and passwords.
      3. The current state of rootkits is that you must load and install them. You can be tricked into downloading them, but they can't get there without your assistance.
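    The classic defense against the trojaned-ls rootkit of item 18 is a cross-view check: list the directory through the command an intruder may have replaced, list it again through an independent path (here, the operating system's own directory API), and report anything that shows up in only one view. Below is an added example that is not from the original paper or from any real rootkit: it builds a wrapper script that plays the part of the rootkit's ls (it runs the genuine ls and scrubs every name on a hidden-name list, as the text describes), then runs the check against it. The file and directory names are assumptions; everything is created in a temporary directory.

```python
"""Cross-view check for a hidden-name 'trojaned ls'.

Added example, not code from the original page. The wrapper script that
plays the part of the rootkit's ls, and the hidden-name list it reads, are
constructed here in a temporary directory; the names are assumptions.
"""
import os
import subprocess
import tempfile


def install_trojan_ls(bindir, hidden_names):
    """Write a hidden-name list and an 'ls' that filters those names out.

    This mimics the historic user-mode rootkit: the real ls runs, and its
    output is scrubbed of every exact match from the list.
    """
    conf = os.path.join(bindir, ".hidden.conf")
    with open(conf, "w") as fh:
        fh.write("".join(name + "\n" for name in hidden_names))
    script = os.path.join(bindir, "ls")
    with open(script, "w") as fh:
        # 'ls' inside the script resolves via PATH to the genuine binary,
        # because bindir is not on PATH.  'exit 0' hides grep's exit status.
        fh.write('#!/bin/sh\nls "$@" | grep -v -x -F -f "%s"; exit 0\n' % conf)
    os.chmod(script, 0o755)
    return script


def trojan_listing(ls_path, directory):
    """What a user running the trojaned ls would see."""
    out = subprocess.run([ls_path, "-a", directory], capture_output=True,
                         text=True, check=True).stdout
    return set(out.split())


def raw_listing(directory):
    """An independent view: read the directory ourselves via the OS API."""
    return set(os.listdir(directory)) | {".", ".."}


def cross_view_check(ls_path, directory):
    """Names present in the raw view but missing from ls: hidden entries."""
    return sorted(raw_listing(directory) - trojan_listing(ls_path, directory))


def demo():
    """Set up a victim directory with two 'hidden' files and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        victim = os.path.join(tmp, "home")
        os.mkdir(bindir)
        os.mkdir(victim)
        for name in ("notes.txt", "backdoor", ".sniffer.log"):
            open(os.path.join(victim, name), "w").close()
        ls = install_trojan_ls(bindir, ["backdoor", ".sniffer.log"])
        seen = trojan_listing(ls, victim)
        hidden = cross_view_check(ls, victim)
        return sorted(seen), hidden


if __name__ == "__main__":
    seen, hidden = demo()
    print("trojaned ls shows:", seen)
    print("hidden from ls:   ", hidden)
```

    The check only works because the second view does not go through the replaced binary. A kernel-level rootkit that filters the system call itself would fool both views, which is why later detectors compare against raw disk structures or run from a clean boot medium.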
    19. Now to something completely different, a word in favor of adware companies. Advertising can pay for the development of a software program. Most advertising companies are above board. Advertisers who cause a lot of problems make their customers look bad. Most of them have been fired by the big corporations. Big corporations are looking for advertising to move their product not give them a black eye. Still, there are some who are overly greedy and will stoop to any low to make a buck.
  3. Anti-Spyware Software
    1. You can obtain anti-spyware programs much like anti-virus software. Unfortunately the industry is a little bit different. It also opened up a few new cans of worms.
      1. Originally a few volunteers wrote anti-adware/spyware programs that worked like anti-virus programs. Then it became big business. There was actually a window of opportunity here. Because Claria had gone after PC Pitstop, no anti-virus company would get involved. Whole new companies started up overnight.
      2. Unfortunately there were multiple "anti-spyware" programs that didn't do anything. They wanted to be paid but they didn't want to risk litigation. There was another kind of free downloadable anti-spyware, or at least that is the way it was marketed. In actuality, it was a very stealthy adware/spyware program that removed its competition and then hammered you with its own ads.
      3. Then back-room deals started happening. The purpose of a corporation is to make money for its stockholders; corporate executives are legally bound to that. Interesting conflicts of interest have come up in this field. Anti-spyware companies have met with adware companies and suddenly stopped blocking that company's software. The logic is never explained.
      4. The first part of this year Microsoft bought "Giant Anti-Spyware", renamed it "Windows AntiSpyware beta", and started delivering it for free. That is the conflict of interest again: Microsoft sells advertising on its Web pages and deletes the competition from your computer.
      5. Then in July Microsoft decided Claria (known for litigation) was no longer malicious and stopped advising that it be removed. There are also rumors that Microsoft is preparing to buy Claria. Spyware is not necessarily their forte; Claria has a 120 TB database.
    2. Styles.
      1. Like anti-virus, there are two types of anti-spyware: one that scans your computer for known programs, and one that tries to block them from getting onto your computer in the first place. Also like anti-virus, you need to keep it updated. They write new spyware all the time.
  4. The New Spyware
    1. By 2005 wikipedia, an online encyclopedia, had changed the definition of spyware.
      1. Spyware covers a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.
    2. A real bonus for me. I'm supposed to write a 20 page report but I'm running out of material. Adding all these malicious programs into the Spyware category dramatically increased the material I have. Thank you. I am saved.
    3. Computer manufacturers and Internet service providers say that Spyware infection is the most common reason for calling tech support, for Windows machines that is.
    4. In August 2005 Sunbelt Software reported that CoolWebSearch spyware captured and forwarded user names, passwords, and bank information when users accessed accounts from their computers. That turned out to be completely fraudulent: what their Web site claimed was software to find and eliminate the offending software did nothing more than open a back door on your computer. So far no one has found out exactly why.
    5. Dialers use the modem to call 900 numbers and saddle you with a huge phone bill.
    6. A zombie network is a set of computers that a foreign operator controls through a back door program, simultaneously, on any number of machines. They can be used to run ads, mount denial of service attacks, or act as spam servers.
      1. On November 3, 2005, the FBI arrested Jeanson Ancheta, 20, of Downey. He was running a botnet of 400,000 machines. Usually he used those computers to display ads, but they were also used as spam proxies. The reason they got him: many of those machines were owned by the Department of Defense. Since 9/11, attacks on government computers are pursued aggressively.
      2. A few years ago a kid from Russia had 20,000 zombie computers around the world. He blackmailed gambling sites. If they didn't send him $25,000 he would have his entire network access them continuously for an entire weekend. That put them out of business for the weekend, but worse, if their customers couldn't reach them, they took their business elsewhere and never came back. Many sites paid. Even Microsoft has been taken down by denial of service attacks.
    7. A vulnerability Windows used to have was the buffer overflow. A buffer overflow was not treated as an error, so Windows didn't handle it: the extra bytes simply wrote over the next memory cells, including the saved return address that tells the program where to go next. Hackers could request a URL with a really long file name. If the buffer overflowed, the excess bytes could carry a program of their own and redirect execution into it. I give the phone company an extra $30 a month for a static IP. I have an Apache Web server on a Linux box, behind a firewall, in my living room. From 5:32 PM on May 4, 2005 to 5:33 AM on May 6, 36 hours, there were 160 attempts to overflow the buffers on my Web server.
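    Counting those attempts is a log-scanning job. The following added example (mine, not from the paper, and not a transcript of the server mentioned above) parses Apache common-log-format lines and flags the two signatures an overflow probe usually leaves: a request path far longer than any real page name, and a path stuffed with a repeated byte or a URL-encoded x86 NOP sled (%90). The log lines are constructed for the demonstration, the addresses are documentation ranges, and the 255-byte path limit is an assumption about what a small site would ever legitimately serve.

```python
"""Scan Apache access-log lines for buffer-overflow probes.

Added example, not code from the original page. The log lines are
constructed (documentation-range addresses, not real hosts); the
length threshold is an assumption.
"""
import re
from collections import Counter

LONG_PATH = "/" + "A" * 600                       # classic overlong request
SLED_PATH = "/scripts/" + "%90" * 40 + ".htm"     # x86 NOP sled, URL-encoded

SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [04/May/2005:17:32:10 -0700] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [04/May/2005:17:32:11 -0700] "GET /images/logo.gif HTTP/1.1" 200 2311',
    f'198.51.100.7 - - [04/May/2005:18:01:02 -0700] "GET {LONG_PATH} HTTP/1.0" 414 0',
    f'198.51.100.7 - - [04/May/2005:18:01:03 -0700] "GET {SLED_PATH} HTTP/1.0" 404 0',
    '192.0.2.9 - - [05/May/2005:03:15:44 -0700] "GET /about.html HTTP/1.1" 200 812',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
MAX_PATH_LEN = 255                                  # assumed sane upper bound for this site
SLED_RE = re.compile(r'(%90){8,}|(.)\2{63,}')        # NOP sled, or 64+ copies of one byte


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not in the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a reason string if the request looks like an overflow probe, else None."""
    path = entry["path"]
    if len(path) > MAX_PATH_LEN:
        return f"path length {len(path)} > {MAX_PATH_LEN}"
    if SLED_RE.search(path):
        return "repeated byte run / NOP sled in path"
    if entry["status"] == "414":
        return "server rejected URI as too long (414)"
    return None


def scan(log_text):
    """Return (ip, timestamp, reason) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue                # malformed line: skip it rather than abort the scan
        reason = classify(entry)
        if reason:
            findings.append((entry["ip"], entry["ts"], reason))
    return findings


def summarize(findings):
    """Count probes per source address."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, ts, reason in hits:
        print(ip, ts, reason)
    print(summarize(hits))
```

    On the constructed lines the scan flags both requests from 198.51.100.7 and nothing from the two normal visitors. On a real log the first thing to tune is the length threshold; the second is to remember that a 404 or 414 status means the server survived that probe, not that the next one will fail too.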
    8. Viruses and Worms.
      1. The main purpose of these is to open a back door to your computer. Typically they come as e-mail attachments. They set up a private communication port for the program, then go through e-mail address lists and attempt to send the program to everyone on the list. They are getting very good at disabling anti-virus software and network security settings.
      2. On December 1, 2005, every 13th e-mail on the Internet was the Sober.Z worm. That means that it infected a lot of computers.
    9. Spam is e-mail from fictitious people you've never heard of who are sending you something you never asked for. Usually advertisements, but often viruses and worms. If it all came from a few places, everyone could block those domains. Therefore, they use viruses and worms to convert as many computers as possible into spam servers. Now spam comes from all over.
      1. A commentary on spam. Commerce drives the economy of this nation. Advertising drives commerce. Based on that, the courts originally allowed telemarketing. Spam was considered an extension of that and therefore couldn't be touched. It wasn't until politicians heard enough flak from their constituents about telemarketing that the rules changed. It has only been recently that there has been a crackdown on spammers. At one time most of the e-mail traffic in the world was spam. Today it's only a little bit better.
    10. Key loggers note and log every keystroke made, and at some point that information is uploaded to a foreign machine. Some have been reported that only activate if you visit certain Web sites. We are talking about cleaning out your bank account.
    11. In October 2005 it was determined that Sony BMG had put rootkits on their music CDs, installed through the CD's AutoRun. That meant that if you played their CD on your computer, it put the rootkit on that computer. The purpose was a "Digital Rights Management" copy protection program. Their rootkit looked like all the others. There was a file. In that file was a list. Windows would not report anything on that list: Explorer wouldn't see it, and neither would dir, Task Manager, or netstat. It was invisible. If I send out a virus that checks for the Sony BMG files, finds them, and sets up a communication channel, I can set up a porn site on your computer and you will never see it.
  5. Here are some of the things you can do to protect yourself against these adware/spyware.
    1. Don't operate as the administrator. There are system write protections that only the administrator bypasses. Also, the machine-wide parts of the registry (HKEY_LOCAL_MACHINE) can only be changed by an administrator, so spyware running under a limited account cannot plant itself there.
    2. Stay away from suspect web pages. They will try to trick you into downloading suspect software.
    3. Don't download suspect software.
    4. Use firewalls.
    5. Switch to Firefox. About 85% of computers today use the IE browser, so that is the browser hackers focus on. If you keep IE, make sure you stay up to date on the security patches. Although some Web sites use ActiveX, consider disabling it.
    6. Block the ad server. Adware companies distribute thousands of ads. For efficiency, they use ad servers. Those servers have domain names. The HTML code will have something like
      <img src="http://ad-server.com/ad1002563.jpg">.
      To display that ad, the browser needs to get the IP for "ad-server.com". The first place it looks is the "hosts" file on your computer. Only if there is nothing there does the browser go to DNS to get the IP. If you set the IP of the ad server to your own computer (127.0.0.1), the request never leaves your machine: the ads simply come up blank and it saves bandwidth. The same entry blocks every program on the computer, not just the browser, which also stops the adware's own tracking requests to that name. The "hosts" file is at
      1. Windows 3.x, 95, 98, Me: windows\hosts
      2. Windows NT, 2000: winnt\system32\drivers\etc\hosts; Windows XP: windows\system32\drivers\etc\hosts
      3. Macintosh (classic Mac OS): HD:System Folder:Preferences:Hosts; Mac OS X: /etc/hosts
      4. Linux, Unix: /etc/hosts
      If you are trying to block www.ad-server.com the line to put in is
      127.0.0.1 www.ad-server.com
      Matching is by exact name, so ad-server.com and www.ad-server.com each need their own line. The trick here is to find the domain name of the ad server.
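    Finding the ad server's name from a page's HTML, and turning the result into hosts-file lines, as an added example (mine, not from the paper): the parser collects the host of every img, script and iframe src, drops the page's own site, and emits one hosts line per remaining host. The HTML snippet is constructed for the demonstration; the page uses www.ad-server.com as its placeholder and the site name is an assumption. The `resolve` function imitates the lookup order described above (hosts file first, DNS only when nothing matches).

```python
"""Find third-party ad hosts in a page and emit hosts-file blocking lines.

Added example, not code from the original page. The HTML snippet is
constructed; www.ad-server.com is the page's own placeholder and the
site name is an assumption.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_PAGE_URL = "http://www.example-site.com/news.html"
SAMPLE_HTML = """
<html><body>
<img src="/images/masthead.gif">
<img src="http://www.example-site.com/images/photo.jpg">
<img src="http://www.ad-server.com/ad1002563.jpg">
<script src="http://www.ad-server.com/track.js"></script>
</body></html>
"""


class SrcHostCollector(HTMLParser):
    """Collect the host of every img/script/iframe src attribute."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in ("img", "script", "iframe"):
            return
        src = dict(attrs).get("src")
        host = urlsplit(src).hostname if src else None
        if host:                       # relative URLs have no host: first-party
            self.hosts.add(host.lower())


def third_party_hosts(page_url, html):
    """Hosts the page pulls content from that are not the page's own site."""
    parser = SrcHostCollector()
    parser.feed(html)
    own = urlsplit(page_url).hostname.lower()
    return sorted(h for h in parser.hosts if h != own and not h.endswith("." + own))


def hosts_file_lines(domains, sink="127.0.0.1"):
    """One 'IP name' line per domain, pointing the name at this computer."""
    return [f"{sink} {d}" for d in domains]


def resolve(name, hosts_text):
    """Mimic the resolver order: hosts file first; None means 'ask DNS'."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()     # strip comments, then split
        if len(fields) >= 2 and name.lower() in (n.lower() for n in fields[1:]):
            return fields[0]
    return None


if __name__ == "__main__":
    ad_hosts = third_party_hosts(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for line in hosts_file_lines(ad_hosts):
        print(line)
```

    Review the list before pasting it into the hosts file: content-delivery hosts that serve the site's real images will show up as third parties too. Editing the hosts file needs administrator rights, which is one more reason to keep a limited account for day-to-day use.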
    7. Use anti-virus and anti-spyware.
      1. The best free ones are Microsoft AntiSpyware, Lavasoft Ad-Aware, and Spybot S&D.
  6. How to locate and remove them.
    1. Viruses
      1. If you get a virus, research the current viruses and their symptoms. When you find your symptoms, Google that virus name. Usually one of the first few listings will have instructions to manually remove the virus.
    2. Adware / Spyware
      1. Trash app exorcism --- from http://www.cexx.org/startup.htm
        1. Look in the "Startup" folder. See if there are any adware programs in there. If so, remove the shortcut and the program. If you are not sure, make a "Startup Temp" directory and move the shortcut there. Restart the computer.
        2. Locate the files c:\windows\win.ini and wininit.ini. Adware programs will be on lines that start with "load=" or "run=" (in win.ini, under the [windows] section). You can delete these lines and the files they refer to. If you are not sure, place a semicolon (;) before the offending line so Windows ignores it. Restart the computer.
        3. In the registry editor (regedit) search for RunOnce or RunServices. This will get you to about the right location in the registry: the keys are under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion (Run, RunOnce, RunServices, RunServicesOnce), and the same path exists under HKEY_CURRENT_USER. Look in the assorted Run* keys for the trash you are looking for. Delete the file and the registry entry. Search for the next batch of Run keys and check there also. You will need to search all parts of the registry. Don't forget to reboot.
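    An added example of steps 2 and 3 as a script (mine, not from cexx.org or the paper): it lists the load=/run= lines in a win.ini, shows the semicolon neutralization, and, on Windows only, enumerates the Run* keys named in step 3 through the standard winreg module. The win.ini contents and the MSADVERT.EXE name are constructed for the demonstration; on a non-Windows machine the registry part simply returns an empty list.

```python
"""Audit the autostart locations named in the text.

Added example, not code from the original page. SAMPLE_WIN_INI and the
MSADVERT.EXE name are constructed; the registry key paths are the
standard Windows ones.
"""
import re
import sys

# Constructed sample win.ini content (not from a real machine)
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=C:\\WINDOWS\\SYSTEM\\MSADVERT.EXE\n"
    "run=\n"
    "NullPort=None\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)

RUN_SUBKEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
]

AUTOSTART_RE = re.compile(r"^\s*(load|run)\s*=\s*(.*\S)\s*$", re.IGNORECASE)


def ini_autostart_entries(text):
    """Return (line_no, key, value) for every load=/run= line that names a program."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        m = AUTOSTART_RE.match(line)       # a ';' at the start makes the line not match
        if m:
            entries.append((no, m.group(1).lower(), m.group(2)))
    return entries


def neutralize(text, line_numbers):
    """Prefix the given lines with ';' so Windows ignores them (step 2's safe option)."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        out.append(";" + line if no in line_numbers else line)
    return "\n".join(out) + "\n"


def registry_run_entries():
    """Enumerate the Run* keys of step 3 under HKLM and HKCU (Windows only)."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hname, hive in hives.items():
        for sub in RUN_SUBKEYS:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue                  # key absent on this Windows version
            with key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break             # no more values
                    found.append((hname + "\\" + sub, name, data))
                    index += 1
    return found


if __name__ == "__main__":
    hits = ini_autostart_entries(SAMPLE_WIN_INI)
    print("win.ini autostart lines:", hits)
    print(neutralize(SAMPLE_WIN_INI, {no for no, _, _ in hits}))
    for path, name, data in registry_run_entries():
        print(path, name, "=", data)
```

    The script only reports; deciding which entries are trash is still the manual part of the procedure, and the registry entries it prints should be compared against the file names the anti-spyware sites list before anything is deleted.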
      2. Go online to www.cexx.org. Although it hasn't been updated in a while it has a very thorough list of adware / spyware, the symptoms, and how to eradicate them.
      3. As some of the programs are running, trying to delete certain files will give "file in use" errors. Before you can remove them you will have to change the registry entry that starts the program to point at a name that does not exist, something like "ms12568794532652.exe", then reboot the computer so the program never starts, and then delete the files. Other times you will have to boot into DOS mode to delete the files.
      4. Run anti-spyware with your anti-virus program.
  7. Some examples of spyware.
    1. Bonzi Buddy. A purple gorilla that talks to kids. This isn't a text program, you need a sound card.
    2. Gator (now called Claria) will help you fill out forms and remember passwords. It also transmits your Web usage and then displays pop-ups based on your interests.
    3. CoolWebSearch. Redirects Web traffic to its own sites, displays pop-ups, and rewrites search engine results and the hosts file. Only works in IE.
    4. Internet Optimizer. Redirects IE error pages to its advertising. If you click on a broken link you will never realize what is going on.
    5. 180 Solutions. Displays pop-ups.
    6. Win Tools. A drive-by that adds toolbars to IE.
    7. TSADBOT. Delivers 640 x 480 pop-ups. Has rootkit-style tricks to hide from "netstat" and "Task Manager". Comes with PKZIP.