CSC 451 Computer Networks
Spyware And Adware Programs And Their Removal
- There are three terms to deal with here: adware, spyware, and malware. The first term,
adware, describes a very specific business model. When it was found that cookies could be used
to track users, a whole new industry was spawned: the ability to target advertisements based on
an individual's browsing habits. New software written to improve this targeting was disparagingly
referred to as spyware. These advertising concerns became very aggressive about collecting data,
and in doing so they became abusive. Meanwhile, the use of the word spyware became contentious.
Some people started using the term malware for the most abusive forms, but as it all started
with the adware business model, most people call it spyware.
- As Andrew Tanenbaum explains in Computer Networks, cookies have been exploited to track
Web usage. Vendors place ads on Web pages, but instead of embedding a JPEG or GIF directly, they
insert the URL of a graphics object on an ad server. When the browser fetches that image, the ad
server sets a cookie carrying a unique ID and records which page the request came from (the
referring page). If the ad server's cookie already exists, the browser sends it back with the next
request and the server adds that page to the list kept under the same ID. Now there is a list of
Web pages visited, assembled across every site that carries the server's ads.
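The exchange Tanenbaum describes, as an added example that is not from Computer Networks or from the original page: a Python simulation of the ad server and of two browsers loading pages that embed its banner. The site names, the cookie name "uid" and the ID format are assumptions made for the example. Run it twice, once with third-party cookies accepted and once with them refused, to see why the list of visited pages forms in the first case and not in the second.

```python
"""Added example: how an ad server links page visits through a cookie.

Stand-alone simulation written for this page, not code from Tanenbaum or
from any ad network.  Host names, cookie name and id format are assumptions.
"""
import itertools
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

AD_HOST = "ad-server.example"      # assumed ad-server name (the page says "ad-server.com")
BANNER = f"http://{AD_HOST}/banner.gif"


class AdServer:
    """The third party: one cookie id per browser, a list of pages per id."""

    COOKIE = "uid"

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self.profiles: Dict[str, List[str]] = {}   # uid -> pages the banner was seen on

    def serve_banner(self, referer: str, cookie_header: Optional[str]) -> Dict[str, str]:
        """Handle GET /banner.gif and return the response headers."""
        uid = None
        if cookie_header:
            jar = SimpleCookie(cookie_header)
            if self.COOKIE in jar:
                uid = jar[self.COOKIE].value
        if uid not in self.profiles:                # first contact: mint a fresh id
            uid = f"u{next(self._ids):04d}"
            self.profiles[uid] = []
        self.profiles[uid].append(referer)          # Referer = the page carrying the ad
        return {
            "Content-Type": "image/gif",
            "Set-Cookie": f"{self.COOKIE}={uid}; Domain={AD_HOST}; Path=/",
        }


class Browser:
    """A browser with a per-host cookie jar; optionally refuses third-party cookies."""

    def __init__(self, block_third_party: bool = False) -> None:
        self.block_third_party = block_third_party
        self.jar: Dict[str, Dict[str, str]] = {}    # host -> {name: value}

    def visit(self, page_url: str, ads: AdServer) -> None:
        """Load a page that embeds <img src=BANNER>: fetch the banner with Referer set."""
        page_host = page_url.split("/")[2]
        blocked = page_host != AD_HOST and self.block_third_party
        cookie_header = None
        if not blocked and self.jar.get(AD_HOST):
            cookie_header = "; ".join(f"{k}={v}" for k, v in self.jar[AD_HOST].items())
        resp = ads.serve_banner(referer=page_url, cookie_header=cookie_header)
        if not blocked:                             # store Set-Cookie for the ad host
            name, value = resp["Set-Cookie"].split(";", 1)[0].split("=", 1)
            self.jar.setdefault(AD_HOST, {})[name] = value


def simulate(block_third_party: bool) -> Dict[str, List[str]]:
    """Two users browse unrelated sites that all carry the same banner."""
    ads = AdServer()
    alice = Browser(block_third_party)
    bob = Browser(block_third_party)
    for url in ("http://news.example/politics",
                "http://shop.example/cameras",
                "http://travel.example/flights"):
        alice.visit(url, ads)
    bob.visit("http://news.example/sports", ads)
    return ads.profiles


if __name__ == "__main__":
    print("cookies accepted :", simulate(False))
    print("3rd-party blocked:", simulate(True))
```

With cookies accepted the server ends up with one profile holding all three of Alice's pages and a separate one for Bob; with third-party cookies refused every banner request arrives without a cookie, so each visit gets a fresh ID and nothing links them.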
- Marketing people now know what interests you have and can use this information to target
the ads they place on your computer. Some complain that this monitoring is an invasion of
- Adware / Spyware.
- Adware is any software which displays or delivers advertising material to a computer.
- Originally it was bundled with shareware or freeware. Instead of the user paying for the
software, the advertising did.
- Usually there is a tracking program that monitors the user's Web activities by reading directly
from the browser. Since not every Web page sets a tracking cookie, this is more powerful than
tracking with cookies: it sees every site visited, not just those carrying the network's ads. It can
also be construed as an even larger invasion of privacy.
- This was all supposed to be spelled out in the license agreements. Unfortunately these were
often long-winded and possibly misleading. A common complaint about the current license
agreements for pop-up software is that there are pages of mind-numbing legalese about copyright,
distribution, disassembly, reverse engineering, disclaimers of fitness for a particular
purpose, etc. Buried somewhere in there is a line like "may include software that will
occasionally notify you of important news". Some say that is misleading.
- As users started removing the adware/spyware that came with their freeware, the writers of
these programs started burying them deeper and deeper into the system. They became harder
to find and even harder to remove. They have been known to modify system files so that parts of
the system stop working when they are removed.
- In November 1999 the game "Elf Bowling" made its way around the Internet. The elves have gone
out on strike at Christmas, so you and Santa go bowling; instead of bowling pins you knock
down elves. The game was cute. This is probably the first widely reported case of stealthy
spyware. There was no end-user license agreement; the only documentation gave the rules for
playing the game. There was no clue that the program also monitored the computer's Web
activities and reported back to its creator, Nsoft. It was close to a year before anyone figured
it out.
- Gator (now called Claria) is pop-up advertising software. It monitors your Web browsing
in order to target the ads it pops up on user computers. In 2003 PC Pitstop referred to it
as spyware. Gator sued: if the end user agreed to the license agreement, it wasn't spying.
PC Pitstop was forced to stop calling it spyware. When adware/spyware became a real problem,
anti-virus companies like Symantec and McAfee did not get involved because of the litigation
risk.
- The original "Trojan Horse" looked like something good and valuable. In reality it was bad
for the residents of Troy. Adware/spyware markets itself as good and valuable. Listen to
this ad for Bonzi Buddy. By the way, the target audience is children:
- He will explore the Internet with you as your very own friend and sidekick! He can
talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever
had! He even has the ability to compare prices on the product you love and help you
save money! Best of all, he's FREE!
- When your child is done using the computer and you are at the controls, the program
is monitoring your use even if you aren't using Bonzi Buddy.
- Each adware program that is loaded runs separately from all the others. If there
are two pop-up programs on your computer you will get twice as many pop-ups. In 2004
AOL did a study. They found that if a computer has any spyware at all, it typically has dozens
of different pieces installed; users who pick up one tend to pick up many. Now we have spyware
infestations. Some computers had so many pop-ups they became inoperable. I know of people
who have bought new computers for exactly this reason.
- Next are drive-by downloads. There are two versions.
- A vulnerability in the browser is exploited. When you visit a Web page, a script
automatically downloads a file to your computer and runs it. So far this has only been seen
in Internet Explorer, and Microsoft has released patches. (Stay current with your updates.)
- On a suspect Web site a pop-up box will ask if you want to download the program.
There are two options in the box, Yes and No. Both buttons download and install the program:
the page's own script, not the dialog, decides what happens when either one is clicked.
- Adwarereport.com points out that
spyware exists as an independent, executable program
on your system, and has the capability to do anything any program can do, including
monitor keystrokes, arbitrarily scan files on your hard drive, snoop other applications such
as word-processors and chat programs, read your cookies, change your default home page,
interface with your default Web browser to determine what Web sites you are visiting, and
monitor various aspects of your behavior, "phoning home" from time to time to report this
information back to...
These are things spyware programs have already been shown to do.
- In order for adware/spyware to communicate there has to be a communication channel. If
you don't know about it, it is a back door into your computer. Firewalls protect against this,
but only if they filter outbound connections as well as inbound ones: much spyware phones home
over ordinary HTTP on port 80, or through the browser itself, which most firewalls allow.
- Spyware has been known to disable firewalls and anti-virus programs, and to change
browser security settings.
- Spyware has been known to operate as two programs in tandem. If you delete one, the
other reinstalls it.
- Porn sites have used worms in e-mail attachments to spread adware/spyware. A word
about porn sites. The United States has laws restricting pornography. Consequently, many
porn sites are not physically in the U.S. Where they are located, they don't necessarily have
laws like ours. They can put anything they want on their sites. Cleaning out a
bank account in the U.S. is not necessarily against their laws.
- A friend called me from Lompoc about 4 months ago. He had been to a porn site and now
none of the icons came up on his laptop display. Those icons are the only way he can use the
computer. I made him bring it down to me. He was at a porn site and he requested
something, and the site started a program to get his credit card number so they could charge
him. He tried to say "No" but that was not an option. He ended up turning the computer off.
When he next restarted it, before the icons loaded it tried to dial out and finish the
transaction. As the modem wasn't plugged in, the computer froze and wouldn't let his icons
come up. Of course it wants to call something in Lompoc and we're in Torrance, so I'm not
putting that on my bill, so we won't give it a line to dial out on. But it gets worse. When you
boot up, eventually you get the background screen, then the bar on the bottom with the
"Start" button, then the icons. Not only did this thing freeze the computer before it got to
the icons, it didn't get to the bar on the bottom. There was no "Start" button. I couldn't get
into the computer and I couldn't use anything on it. After about half an hour I remembered
Ctrl-Alt-Del and the Task Manager. I found the processes and killed them, then the computer
completed booting up. I searched for the executables that ran the processes and deleted them,
rebooted, and it worked. It took a while but I fixed the computer. A week later he called to
tell me it came back and the computer was just as I had found it. He said he hadn't been to
any porn sites; it just came back on its own. He was giving up and was going to reformat
the hard drive. He wondered what he needed to know first. I made sure he had all the
startup disks and all the drivers that computer needed. We gave up on saving his data.
- A spyware module has been known to spoof a Windows system process so that it does not
appear in the Windows End Task dialog. Targetsoft modifies the Winsock files; if you
delete the spyware infection it interrupts normal network usage. This is "root kit" stuff.
- As root kits have been introduced, I had better explain what they are.
- History. In the '80s hackers rewrote the ls, ps, and netstat commands for Unix
machines. If they could get these installed on a computer they would conceal the hackers'
activities. There was a file on the computer listing files, processes, and network
connections; the ls command would not list anything in that file, and neither would ps or
netstat. Other than that, ls, ps, and netstat seemed to work normally. Hackers could put files on
your computer and run them and you couldn't tell. As ls, ps, and netstat looked and acted like
something you knew and trusted, they acquired the name "Trojan Horses". When packaged
together they were referred to as "root kits". They usually used a secret port to
communicate with a foreign host, a "back door". Ever since, system administrators
have been writing tools to locate and eradicate them, and hackers have been modifying
their programs to defeat the new tools.
- The current root kits for Windows hide directory listings and registry keys and log all
keyboard activity. If hackers get one onto your computer, they can do anything they want:
monitor your use of financial accounts, user names, and passwords.
- The current state of root kits is that you must load and install them. You can be tricked
into downloading them, but they can't get there without your assistance.
- Now for something completely different: a word in favor of adware companies. Advertising
can pay for the development of a software program. Most advertising companies are above
board. Advertisers who cause a lot of problems make their customers look bad, and most of them
have been fired by the big corporations. Big corporations are looking for advertising to move
their product, not give them a black eye. Still, there are some who are overly greedy and will
stoop to any low to make a buck.
- Anti-Spyware Software
- You can obtain anti-spyware programs much like anti-virus software. Unfortunately the
industry is a little bit different, and it opened up a few new cans of worms.
- Originally a few volunteers wrote anti-adware/spyware programs that worked like
anti-virus programs. Then it became big business. There was actually a window of
opportunity here: because Claria had gone after PC Pitstop, no anti-virus company
would get involved. Whole new companies started up overnight.
- Unfortunately there were multiple anti-spyware programs that didn't do anything. They
wanted to be paid but didn't want to risk litigation. There was another kind of free
downloadable anti-spyware, or at least that is how it was marketed. In actuality it
was a very stealthy adware/spyware program that removed its competition and then
hammered you with its ads.
- Then back-room deals started happening. The purpose of a corporation is to make
money for its stockholders, and corporate executives are legally bound to that.
Interesting conflicts of interest have come up in this field. Anti-spyware companies
have met with adware companies and suddenly stopped blocking that company's software.
The logic is never explained.
- In the first part of this year Microsoft bought "Giant Anti-Spyware", renamed it
"Windows AntiSpyware beta" and started delivering it for free. That raises the conflict of
interest again: Microsoft sells advertising on its Web pages and deletes the
competition from your computer.
- Then in July Microsoft decided Claria (known for litigation) was no longer malicious
and stopped advising that it be removed. There are also rumors that
Microsoft is preparing to buy Claria; spyware is not necessarily their forte.
Claria has a 120 TB database.
- Like anti-virus, there are two types of anti-spyware: one that scans your computer for
known programs, and one that tries to block them from getting onto your computer.
Also like anti-virus, you need to keep it updated; they write new spyware all the time.
- The New Spyware
- By 2005 Wikipedia, an online encyclopedia, had changed the definition of spyware.
- Spyware covers a broad category of malicious software designed to intercept or take
partial control of a computer's operation without the informed consent of that
machines's owner or legitimate user. While the term taken literally suggests software
that surreptitiously monitors the user, it has come to refer more broadly to software
that subverts the computer's operation for the benefit of a third party.
- A real bonus for me. I'm supposed to write a 20 page report but I'm running out of material.
Adding all these malicious programs into the Spyware category dramatically increased the
material I have. Thank you. I am saved.
- Computer manufacturers and Internet service providers say that spyware infection is the
most common reason for calling tech support, for Windows machines at least.
- In August 2005 Sunbelt Software reported that CoolWebSearch spyware captured and
forwarded user names, passwords and bank information when users accessed accounts from
their computers. The product itself turned out to be completely fraudulent: what its Web site
claimed was software to find and eliminate offending software did nothing more than open a
back door on your computer. So far no one has found out exactly why.
- Dialers use the modem to call 900 numbers and saddle you with a huge phone bill.
- A zombie network is a set of computers whose back-door programs are all operated
simultaneously by one foreign operator, on any number of machines. They can be used to
run ads, mount denial of service attacks, or serve as spam servers.
- On November 3, 2005, the FBI arrested Jeanson Ancheta, 20, of Downey. He was
running a botnet of 400,000 machines. Usually he posted ads on those computers, but
they were also used as spam proxies. The reason they got him: many of those
machines were owned by the Department of Defense. Since 9/11 you can't hack
- A few years ago a kid from Russia had 20,000 zombie computers around the world.
He blackmailed gambling sites. If they didn't send him $25,000 he would have his
entire network access them continuously for an entire weekend. That put them out of
business for the weekend, but worse, if their customers couldn't access them, they took
their business elsewhere and never came back. Many sites paid. Even Microsoft has
been taken down by denial of service attacks.
- A vulnerability Windows (and not only Windows) used to have in abundance was the buffer
overflow. The C code involved copies input into a fixed-size buffer without checking its
length, and the language does not treat running past the end as an error, so nothing stops it:
the excess bytes simply overwrite whatever sits next in memory, which can include control data
such as the address the program returns to. Hackers could request a URL with a really long file
name; if the buffer overflowed they could plant a program. I give the phone company an extra
$30 a month for a static IP. I have an Apache Web server on a Linux box, behind a firewall in my
living room (http://18.104.22.168). From 5:32 PM on May 4, 2005 to 5:33 AM on May 6, 36 hours,
there were 160 attempts to overflow the buffers on my Web server.
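Probes like the ones counted above leave traces in the Web server's access log. As an added example, not the author's code and not part of Apache, here is a Python scanner that parses Apache common-log lines and flags requests that look like overflow attempts: an over-long path, hundreds of copies of one byte used as filler, or a long run of percent-encoded binary. The length threshold and the sample log lines are constructed for the example; the second sample is modelled on the Code Red worm's well-known "GET /default.ida?NNN..." request.

```python
"""Added example: spotting buffer-overflow probes in an Apache access log.

Written for this page; not the author's code and not part of Apache.
The log lines below are constructed samples, not real traffic.
"""
import re
from collections import Counter
from typing import Dict, List

# Apache "common" log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

MAX_PATH = 512                                    # assumed threshold; tune per site
RUN_RE = re.compile(r'(.)\1{63,}')                # 64+ copies of one byte: filler or sled
ENC_RE = re.compile(r'(?:%[0-9A-Fa-f]{2}){16,}')  # long run of percent-encoded bytes


def classify(path: str) -> List[str]:
    """Return the reasons a request path looks like an overflow attempt (empty if none)."""
    reasons = []
    if len(path) > MAX_PATH:
        reasons.append(f"path length {len(path)} > {MAX_PATH}")
    if RUN_RE.search(path):
        reasons.append("repeated-byte filler")
    if ENC_RE.search(path):
        reasons.append("percent-encoded binary")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each log line and keep only the suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # skip lines in another format
        reasons = classify(m["path"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "path_len": len(m["path"]), "reasons": reasons})
    return hits


def attempts_per_ip(hits: List[Dict[str, object]]) -> Counter:
    """How many probes each source address sent."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2005:17:40:01 -0700] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [04/May/2005:17:52:33 -0700] "GET /default.ida?'
    + "N" * 224 + '%u9090%u6858%ucbd3 HTTP/1.0" 404 281',
    '198.51.100.7 - - [04/May/2005:18:01:12 -0700] "GET /' + "A" * 700 + ' HTTP/1.0" 404 275',
    '203.0.113.5 - - [05/May/2005:02:15:09 -0700] "GET /cgi-bin/x?' + "%90" * 40 + ' HTTP/1.0" 404 279',
    '192.0.2.10 - - [05/May/2005:09:00:00 -0700] "POST /guestbook.cgi HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["status"], h["path_len"], ", ".join(h["reasons"]))
    print(attempts_per_ip(scan(SAMPLE_LOG)))
```

Three of the five sample lines are flagged, two of them from the same address. The same heuristics work on a real log piped through `scan(open(path).readlines())`; the 404s show the probes were aimed at software the server does not run, which is typical of worms scanning whole address ranges.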
- Viruses and Worms.
- The main purpose of these is to open a back door into your computer. Typically they
come as e-mail attachments. They set up a private communication port for the
program, then go through e-mail address lists and attempt to send the program to everyone
on the list. They are getting very good at disabling anti-virus software and network
- On December 1, 2005, every 13th e-mail on the Internet was the Sober.Z worm. That
means that it infected a lot of computers.
- Spam is e-mail from fictitious people you've never heard of, sending you something
you never asked for: usually advertisements but often viruses and worms. If it all came from
a few places everyone could block those domains. Therefore, they use viruses and worms
to convert as many computers as possible into spam servers. Now spam comes from all over.
- A commentary on spam. Commerce drives the economy of this nation, and advertising
drives commerce. On that basis the courts originally allowed telemarketing. Spam was
considered an extension of that and therefore couldn't be touched. It wasn't until
politicians heard enough flak from their constituents about telemarketing that the
rules changed. It has only been recently that there has been a crackdown on spammers.
At one time most of the e-mail traffic in the world was spam. Today it's only a little
- Key loggers note and log every keystroke made, and at some point that information is
uploaded to a foreign machine. Some have been reported that only activate if you visit certain
Web sites. We are talking about cleaning out your bank account.
- In October 2005 it was determined that Sony BMG had put a root kit on their music CDs,
installed through the CD's AutoRun. That meant that if you played their CD on your computer
it put the root kit on that computer. The purpose was a "Digital Rights Management" copy
protection program. Their root kit worked like all the others: it hid every file, process and
registry key whose name began with "$sys$". Windows would not report anything so named;
Explorer, dir, Task Manager and netstat could not see them. It was invisible, and so is
anything else that gives itself a "$sys$" name. If I send out a virus that checks for the
Sony BMG files, and I find it, and I set up a communication channel, I can set up a porn site
on your
- Here are some of the things you can do to protect yourself against these adware/spyware.
- Don't operate in administrator mode. There are system write protections that only the
administrator has: system files and the machine-wide part of the registry
(HKEY_LOCAL_MACHINE) can only be changed by an administrator. Note that the per-user part
(HKEY_CURRENT_USER), including its own Run key, is still writable, so a limited account
reduces the damage but does not stop spyware from starting with your login.
- Stay away from suspect web pages. They will try to trick you into downloading suspect
- Don't download suspect software.
- Use firewalls.
- Switch to Firefox. 85% of computers today use the IE browser, so that is the browser
hackers focus on. If you keep IE, make sure you stay up to date on the security patches.
Although some Web sites use ActiveX, consider disabling it.
- Block the ad server. Adware companies distribute thousands of ads. For efficiency, they use
ad servers, and those servers have domain names. The HTML code will have something like an
image tag whose source URL points at the ad server rather than at the page's own site. To
display that ad, the browser needs to get the IP for "ad-server.com". The first place it looks
is the "hosts" file on your computer; only if there is nothing there does the browser go to DNS
to get the IP. If you set the IP of the ad server to your own computer (127.0.0.1), the ads
will simply come up blank and it will save bandwidth. If you are trying to block
www.ad-server.com, the line to put in is
127.0.0.1 www.ad-server.com
The "hosts" file is at:
- Windows 3.x, 95, 98, Me: windows\hosts
- Windows NT, 2000: winnt\system32\drivers\etc\hosts (windows\system32\drivers\etc\hosts on XP)
- Macintosh: HD:System Folder:Preferences:Hosts
- Linux, Unix: /etc/hosts
The trick here is to find the domain name of the ad server. Two caveats: each hosts line
matches one exact host name, so every ad subdomain has to be listed separately, and some
spyware (CoolWebSearch, below) rewrites the hosts file itself, so check that your entries are
still there.
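To find the ad-server names, look at which hosts a page pulls images, scripts and frames from. As an added example, not from the original page or from any ad-blocking product, here is a Python script that parses a page's HTML, collects the hosts other than the page's own that it fetches content from, and merges them into hosts-file text without duplicating entries already present. The HTML, the hosts-file contents and every host name other than the page's www.ad-server.com are constructed for the example.

```python
"""Added example: find a page's third-party ad hosts and write hosts-file lines.

Written for this page, not code from any adware vendor or ad-blocking tool.
The HTML and hosts-file text below are constructed samples; apart from
www.ad-server.com the host names are invented.
"""
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlparse


class _SrcCollector(HTMLParser):
    """Collect the URLs of everything the browser fetches automatically."""

    TAGS = {"img": "src", "script": "src", "iframe": "src", "embed": "src", "link": "href"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)         # <a href> is not fetched until clicked, so ignored
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.urls.append(value)


def third_party_hosts(html: str, page_host: str) -> Set[str]:
    """Hosts, outside the page's own domain, that the page pulls content from."""
    parser = _SrcCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        host = urlparse(url).hostname      # None for relative URLs like /images/logo.gif
        if host and host != page_host and not host.endswith("." + page_host):
            hosts.add(host.lower())
    return hosts


def merge_hosts(existing: str, to_block: Set[str], sink: str = "0.0.0.0") -> str:
    """Append one 'sink host' line per new host, skipping names already in the file."""
    present = set()
    for line in existing.splitlines():
        fields = line.split("#", 1)[0].split()   # hosts format: ip name [aliases] # comment
        present.update(h.lower() for h in fields[1:])
    out = existing.rstrip("\n").splitlines()
    for host in sorted(to_block - present):
        out.append(f"{sink} {host}   # ad server, added by example")
    return "\n".join(out) + "\n"


# Constructed sample page and hosts file.
SAMPLE_HTML = """<html><body>
<img src="/images/logo.gif">
<img src="http://www.ad-server.com/banner.gif?page=home">
<script src="http://tracker.ad-server.com/t.js"></script>
<iframe src="http://ads.another-network.example/frame"></iframe>
<a href="http://partner.example/">a link is not fetched automatically</a>
</body></html>"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n0.0.0.0 ads.another-network.example\n"

if __name__ == "__main__":
    found = third_party_hosts(SAMPLE_HTML, "shop.example")
    print(sorted(found))
    print(merge_hosts(SAMPLE_HOSTS, found), end="")
```

The example maps ad hosts to 0.0.0.0 rather than 127.0.0.1: with 127.0.0.1 the browser still opens a connection to your own machine's port 80, which matters if you run a Web server there, whereas 0.0.0.0 fails immediately. Either way the hosts file matches exact names only, which is why tracker.ad-server.com gets its own line next to www.ad-server.com.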
- Use anti-virus and anti-spyware.
- The best free ones are Microsoft AntiSpyware, Lavasoft Ad-Aware, and Spybot S&D.
- How to locate and remove them.
- If you get a virus, research the current viruses and their symptoms. When you find your
symptoms, Google that virus. Usually about the third listing will have instructions to
manually remove it.
- Adware / Spyware
- Trash app exorcism --- from http://www.cexx.org/startup.htm
- Look in the "Startup" folder. See if there are any adware programs in there. If so,
remove the shortcut and the program. If you are not sure, make a "Startup Temp"
directory and move the shortcut there. Restart the computer.
- Locate the files c:\windows\win.ini and wininit.ini. In win.ini, adware programs are
started by lines beginning "load=" or "run=" in the [windows] section. You can delete these
lines and the files they refer to. If you are not sure, place a semicolon (;) before the
offending line. Restart the computer.
- In the registry editor search for RunOnce or RunServices. This will get you to about the
right location in the registry. Look in the assorted Run* keys (Run, RunOnce, RunServices,
RunServicesOnce, under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER) for the trash you are
looking for. Delete the file and the registry entry. Search for the next batch of Run
keys and check there also; you will need to search all parts of the registry. Don't
forget to reboot.
- Go online to www.cexx.org. Although it hasn't been updated in a while, it has a very
thorough list of adware/spyware, their symptoms, and how to eradicate them.
- As some of the programs are running, trying to delete certain files will give error
messages. Before you can remove them you will have to edit the registry entry that launches
them so it no longer points at the real file (for example, change it to a name like
"ms12568794532652.exe"), reboot the computer so the program is not running, and then delete
the files. Other times you will have to start in DOS mode to delete the files.
- Run anti-spyware with your anti-virus program.
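The steps above (Startup folder, win.ini, the Run* keys) are the autostart points spyware uses to come back after a reboot. As an added example, not from cexx.org and not part of Windows, here is a Python audit that reads a win.ini file and a .reg export of the Run keys (regedit's File > Export, or "reg export" on XP) and lists every autostart command with heuristic warning flags: running from a Temp or profile directory, a random-looking file name like the one mentioned above, or a DLL loaded through rundll32. The two input files are constructed samples and the heuristics are the example's own assumptions, not signatures.

```python
"""Added example: audit the Windows autostart points walked through above.

Written for this page; not from cexx.org or Microsoft.  It parses text you
export yourself (win.ini, and a .reg file from regedit / reg export), so it
runs on any platform.  Samples are constructed; the flags are heuristics.
"""
import re
from typing import Dict, List

RUN_KEY_RE = re.compile(
    r'^\[(HKEY_[A-Z_]+\\.*\\(?:Run|RunOnce|RunServices|RunServicesOnce))\]\s*$', re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>.*)"\s*$')   # "Name"="command"
EXE_RE = re.compile(r'"?([^"\s]+?\.(?:exe|com|bat|scr|dll))', re.I)
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\application data\\", "\\local settings\\")
RANDOM_NAME_RE = re.compile(r'[a-z]{0,3}\d{8,}\.[a-z]{3}')     # e.g. ms12568794532652.exe


def suspicion(cmd: str) -> List[str]:
    """Heuristic flags for one autostart command line (assumptions, not signatures)."""
    low = cmd.lower()
    m = EXE_RE.search(cmd)
    base = (m.group(1) if m else cmd).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    flags = []
    if any(d in low for d in SUSPECT_DIRS):
        flags.append("runs from a temp/profile directory")
    if RANDOM_NAME_RE.fullmatch(base):
        flags.append("random-looking file name")
    if "rundll32" in low and ".dll" in low:
        flags.append("DLL loaded through rundll32")
    return flags


def parse_win_ini(text: str) -> List[Dict[str, object]]:
    """load= and run= in the [windows] section start programs at logon."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # ';' is the comment-out trick above
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, cmd = line.partition("=")
            key, cmd = key.strip().lower(), cmd.strip()
            if key in ("load", "run") and cmd:
                entries.append({"source": f"win.ini [windows] {key}=", "name": key,
                                "command": cmd, "flags": suspicion(cmd)})
    return entries


def parse_reg_export(text: str) -> List[Dict[str, object]]:
    """String values under any ...\\Run, RunOnce, RunServices(Once) key of a .reg export."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            key = m.group(1) if m else None         # values under other keys are ignored
            continue
        m = VALUE_RE.match(line)
        if key and m:
            cmd = m["cmd"].replace("\\\\", "\\")    # .reg files double every backslash
            entries.append({"source": key, "name": m["name"],
                            "command": cmd, "flags": suspicion(cmd)})
    return entries


def audit(win_ini: str, reg_export: str) -> List[Dict[str, object]]:
    return parse_win_ini(win_ini) + parse_reg_export(reg_export)


# Constructed samples (well-formed; the random name is the one the page mentions).
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\Temp\ms12568794532652.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"ms12568794532652"="C:\\WINDOWS\\Temp\\ms12568794532652.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="rundll32.exe C:\\DOCUME~1\\Joe\\LOCALS~1\\Temp\\upd.dll,Install"
"""

if __name__ == "__main__":
    for e in audit(SAMPLE_WIN_INI, SAMPLE_REG):
        mark = "!!" if e["flags"] else "  "
        print(mark, e["source"], "->", e["name"], "=", e["command"], e["flags"])
```

Three of the four entries are flagged; the legitimate sound driver is not. Two of the three point at the same Temp file from different autostart locations, which is the tandem-reinstall pattern described earlier: remove one launcher and the other brings the program back, so every flagged entry has to go before the reboot.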
- Some examples of spyware.
- Bonzi Buddy. A purple gorilla that talks to kids. This isn't a text program, you need a
- Gator (now called Claria) will help you fill out forms and remember passwords. It also
transmits your Web usage and then displays pop-ups based on your interests.
- CoolWebSearch. Redirects Web traffic to its own sites, displays pop-ups, and rewrites search
engine results and the hosts file. Only works in IE.
- Internet Optimizer. Redirects IE error pages to its advertising. If you click on a broken link
you will never realize what is going on.
- 180 Solutions. Displays pop-ups.
- Win Tools. A drive-by download that adds toolbars to IE.
- TSADBOT. Delivers 640 x 480 pop-ups. Has a root kit to trick "netstat" and "Task
Manager". Comes with PKZIP.