Spyware, Adware and Malware, the hidden programs on your computer
Are you annoyed with the pop-up ads while trying to access web sites on the internet? Have you had your browser hijacked while surfing the internet or have your search attempts redirected? If so, you are a victim of Adware or Malware. Just as bad is Spyware, as it hides on your computer, recording how many times you visit a particular website or what types of websites were you visiting.
Just what are Spyware, Adware and Malware? Well, Spyware is a data collection program that secretly gathers information about you and relays it to advertisers and other interested parties. You can unknowingly install Spyware by installing a new freeware or shareware (e.g., KaZaA, iMesh, WeatherBug). Many Spyware programs are intended to track your Internet browsing habits, such as frequented sites and favorite downloads, then, provide advertising companies with marketing data.
Adware is a software application that can display advertising banners while the program is running. Ad delivery systems are most often integrated into free applications as a way for developers to recover costs or generate revenue. Adware can be obnoxious in that it performs "drive-by downloads". Drive-by downloads are accomplished by providing a misleading dialogue box or other methods of stealth installation.
Malware, along with viruses, are some of the biggest threats to computer users on the Internet today. It can hijack your browser, redirect your search attempts, serve up nasty pop-up ads, track what web sites you visit. Malware programs are usually poorly-programmed and can cause your computer to become unbearably slow and unstable in addition to all the other havoc they wreak.
How to cure your computer of these infections? Ad-Aware and Spybot are detection and removal software utilities designed for Windows based computers. This software can be downloaded from their respective websites: http://www.lavasoftusa.com/software/adaware/ and http://www.safer-networking.org/en/download/ . There are other sources for software and more recently the makers of Anti-Virus software have included some features of Spyware/Adware removal. Its not unusual to have found anywhere from 50 to over 1000 pieces of infection on a computer. No one software does it all and the best solution would be Anti-Virus software in combination with Ad-Aware or Spybot. Running the detection software more than once would be advisable when it is first installed, because it could miss some instances of a Spyware. It would be prudent to run the detection software periodically to maintain a Spyware free computer.
What to watch out for when on the internet. Some web site can be infected unknowingly, but for the most part the offending ones seem to be the music sites, pornographic sites, free download sites, and sites that have a lot of diverse advertising. Some Weblogs are beginning to propagate malicious software downloads that can alter browser settings, track users and serve pop-up ads. Cookies are a very small text file placed on your hard drive by a Web Page server. It can only be read by the server that gave it to you.
Limiting cookies from unfamiliar websites is a generally recommended practice.
The most important consideration should be the security of your data. Spyware, Adware and Malware are not just a nuisance but like Viruss they are a real threat to your computer.
Spyware From Wikipedia, the free encyclopedia.
Strictly defined, spyware consists of computer software that gathers and reports information about a computer user without the user's knowledge or consent. More broadly, the term spyware can refer to a wide range of related malware products which fall outside the strict definition of spyware. These products perform many different functions, including the delivery of unsolicited advertising (pop-up ads in particular), harvesting private information, re-routing page requests to fraudulently claim commercial site referral fees, and installing stealth phone dialers.
Spyware as a category overlaps with adware. The more unethical forms of adware tend to coalesce with spyware. Malware uses spyware for explicitly illegal purposes. Exceptionally, many web browser toolbars may count as spyware. On the other hand, adware may simply load ads from a server and display them while a user runs a program, with the user's permission; the software developer gets ad revenue, and the user gets to use the program free of charge. In these cases, adware may function ethically. If the software collects personal information without the user's permission (a list of websites visited, for example, or a log of keystrokes), it may become spyware.
Data collecting programs installed with the user's knowledge do not, technically speaking, constitute spyware, provided the user fully understands what data they collect and with whom they share it. However, a growing number of legitimate software titles install secondary programs to collect data or distribute advertisement content without properly informing the user about the real nature of those programs. These barnacles can drastically impair system performance, and frequently abuse network resources. In addition to slowing down throughput, they often have design features which make them difficult or impossible to remove from the system.
The first recorded use of the term
spyware occurred on
In 2000, Steve Gibson of Gibson Research released the first ever anti-spyware program, OptOut, in response to the growth of spyware, and many more software antidotes have appeared since then. More recently Microsoft (http://www.microsoft.com) has released an anti-spyware program and the International Charter now offers software developers a Spyware-Free Certification (http://www.icharter.org/certification/software/spyware_free/index.html) programme.
According to a study (http://www.net-security.org/press.php?id=1973) by the National Cyber-Security Alliance, spyware has affected 90% of home PCs.
Spyware and viruses
Spyware can closely resemble computer viruses, but with some important differences. Many spyware programs install without the user's knowledge or consent. In both cases, system instability commonly results.
A virus, however, replicates itself: it spreads copies of itself to other computers if it can (self replicating viruses are called worms). Spyware generally does not self-replicate. Whereas a virus relies on users with poor security habits in order to spread, and spreads so far as possible in an unobtrusive way (in order to avoid detection and removal), spyware usually relies on persuading ignorant or credulous users to download and install itself by offering some kind of bait. For example, one typical spyware program targeted at children, Bonzi Buddy, claims that:
He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE!  (http://www.bonzi.com/bonzibuddy/bonzimail.asp)
A typical piece of spyware installs itself in such a way that it starts every time the computer boots up (using CPU cycles and RAM, and reducing stability), and runs at all times, monitoring Internet usage and delivering targeted advertising to the affected system. It does not, however, attempt to replicate onto other computers it functions as a parasite but not as an infection.  (http://www.spywareguide.com/product_show.php?id=512)
A virus generally aims to carry a payload of some kind. This may do some damage to the user's system (such as, for example, deleting certain files), may make the machine vulnerable to further attacks by opening up a "back door", or may put the machine under the control of malicious third parties for the purposes of spamming or denial-of-service attacks. The virus will in almost every case also seek to replicate itself onto other computers. In other words, it functions not only as a parasite, but as an infection as well. A parasite is an software that lives in or on the operating system of a host computer at the expense of that host.
The damage caused by spyware, in contrast, usually occurs incidentally to the primary function of the program. Spyware generally does not damage the user's data files; indeed (apart from the intentional privacy invasion and bandwidth theft), the overwhelming majority of the harm inflicted by spyware comes about simply as an unintended by-product of the data-gathering or other primary purpose.
A virus does deliberate damage (to system software, or data, or both); spyware does accidental damage (usually only to the system software). In general, neither one can damage the computer hardware itself (but see CIH virus). Certain special circumstances aside, in the worst case the user will need to reformat the hard drive, reinstall the operating system and restore from backups. This can prove expensive in terms of repair costs, lost time and productivity. Instances have occurred of owners of badly spyware-infected systems purchasing entire new computers in the belief that an existing system "has become too slow." Technicians who hear complaints about a computer "slowing down" (as opposed to "becoming outdated") should probably suspect spyware.
Windows-based computers, whether used by children or by adults, can sometimes rapidly accumulate a great many spyware components. The consequences of a moderate to severe spyware infection (privacy issues aside) generally include a substantial loss of system performance (over 50% in extreme cases), and major stability issues (crashes and hangs). Difficulty in connecting to the Internet also commonly occurs as some spyware (perhaps inadvertently) modifies the DLLs needed for connectivity.
As of 2004, spyware infection causes more visits to professional computer repairers than any other single cause. In more than half of these cases, the user has no awareness of spyware and initially assumes that the system performance, stability, and/or connectivity issues relate to hardware, Windows installation problems, or a virus. (On the other hand, older versions of Windows itself, as well as CPU undercooling, can manifest spyware-like symptoms, specifically including instability or slowness.)
Some spyware products have additional consequences. Stealth dialers may attempt to connect directly to a particular telephone number rather than to a user's own intended ISP: where connecting to the number in question involves long-distance or overseas charges, this can result in massive telephone bills which the user has no choice but to pay.
A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware" spyware applications that redirect affiliate links to major online merchants such as eBay and Dell, effectively hijacking the commissions that the affiliates would have expected to earn in the process.  (http://www.benedelman.org/spyware/180-affiliates/)
Some other types of spyware (Targetsoft, for example) even go to the extent of modifying system files to make themselves harder to remove. (Targetsoft modifies the Winsock (Windows Sockets) files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage.)
Spyware normally installs itself through one of three methods:
1. The spyware component comes bundled with an otherwise apparently useful program. The makers of such packages usually make them available for download free of charge, so as to encourage wide uptake of the spyware component. This applies especially with file-sharing clients such as Kazaa and earlier versions of Bearshare. (To address this concern, and to discourage the U.S. Congress from regulating the P2P "industry", P2P United formed to promise informed consent and easy removal. Kazaa does not form part of P2P United. -- Note furthermore that anti-spyware removers generally do not remove spyware applications from their databases because of such changes. Lavasoft has come under criticism from some on its support forums for reaching agreements with former vendors of spyware to be removed from their database. Lavasoft representatives say they remove spyware if it no longer meets their inclusion criteria.)
2. The spyware takes advantage of security flaws in Internet Explorer.
3. Internet Explorer can also install spyware on your computer either via a drive-by download with or without any prompt. A drive-by download takes advantage of easy installation via an ActiveX control (or several ActiveX components) with or without a prompt, depending on security settings within Internet Explorer.
Spyware can also install itself on a computer via a virus or an e-mail trojan program, but this does not commonly occur.
An HTTP cookie, a well-known mechanism for storing information about Internet users on their own computers, often stores an individual identification number for subsequent recognition of a website visitor. However, the existence of cookies and their use generally does not hide from users, who can also disallow access to cookie information. Nevertheless, to the extent that a Web site uses a cookie identifier (ID) to build a profile about the user, who does not know what information accumulates in this profile, the cookie mechanism could count as a form of spyware. For example, a search engine website could assign an individual ID code to a user the first time he or she visits and store all search terms in a database with this ID as a key on all subsequent visits (until the expiry or deletion of the cookie). The search engine could use this data to select advertisements to display to that user, or could legally or illegally transmit derived information to third parties.
Granting permission for web-based applications to integrate into one's system can also load spyware. These Browser Helper Objects known as Browser Hijackers embed themselves as part of a web browser.
Spyware usually installs itself by some stealthy means. User agreements for software may make references (sometimes vague) to allowing the issuing company of the software to record users' Internet usage and website surfing. Some software vendors allow the option of buying the same product without this overhead.
To avoid spyware issues altogether, networked computer users should refrain from installing any piece of software that seems too good to be true, such as bogus "free" music downloads and the like. To remedy spyware problems completely (albeit temporarily), the following advice for users of Microsoft Windows may apply:
CAUTION! For advanced users only! If the computer's performance has degraded to such a state that that computer no longer functions usefully and reliably, the user may have to consider the option of a clean install. Novice users should avoid this solution; and the more experienced should only consider it when a problem has become so severe that the Windows-based PC has essentially become non-functional. Please note that one must have a complete back up of one's data along with all the setup disks that came with one's PC. A clean install means erasing all the data from ones hard drives, formatting, and re-installing the operating system. Only advanced users or a computer technician should attempt this remedy.
Use of automatic updates (on Windows systems), antivirus, and other software upgrades will help to protect systems. Software bugs and exploits remaining in older software leave computers vulnerable, because malefactors rapidly learn how to exploit unpatched systems.
Users of Windows-related operating systems who wish to stay protected should install Windows XP SP2 along with all the latest security updates and hotfixes available via Windows Update. As suggested below, Windows Antispyware may greatly reduce the chances of having system performance lag; Windows-users can download this program free of charge as of March 2005, and some believe this situation will continue. Microsoft-users who do not want to invest in Windows XP can secure older Windows versions (98, ME and 2K) by keeping patches up-to-date and by regularly scanning for spyware. If possible, users of Windows 95 should replace their operating system even in a home environment as it has stability and other concerns aside from spyware.
A number of software applications exist to help computer users search for and remove spyware programs. (See sections Spyware Removal Programs and External links below.) Some programs purge a system of spyware, only to install their own.
As some spyware takes advantage of Internet Explorer vulnerabilities, using a less vulnerable browser such as Mozilla Firefox or Opera may also help.
Disabling ActiveX in Internet Explorer will prevent some infections. However, websites that make use of ActiveX will not work in this scenario.
Currently-known spyware does not specifically target non-Windows systems, such as those running Mac OS or Linux. However, such systems can store browser cookies. Changing security settings may make installing spyware on a Linux system impossible. As such, it seems plausible that no economic incentive to create spyware for non-Windows systems may exist in the forseeable future.
An important factor in dampening the spread of spyware involves knowing, as an end-user, the actual need for new software. A rational, cold, observation will lead in many cases to the genuine conclusion that one does not need a certain piece of new software, thus preventing at once even the potentiality of a problem spreading. This difficult solution requires some thinking and some knowledge. When one wishes to install a new program (in particular one available free of charge) it makes sense to use a search engine to see if this program has a reputation for bundling spyware. Some programs,such as AOL Instant Messenger, have debatable components that one can be uncheck at the time of installing the program; it pays not to rush through the installer.
Technical solutions to problems such as spyware may inherently contain flaws. Indeed, what a tool considers as acceptable may differ from what the end user wants. Take the example of signed software. Signature recognition implies that the corporation providing the operating system somehow knows the software considered suitable for installation, independently of what the user actually considers acceptable. No system actually knows nor can automate such a decision. Nor can cryptography verify the innocuous nature of a program; at most, it can verify the identity of the program's author.
Definitive solutions to spyware issues seem unlikely, because the problems do not lend themselves to a fully rational approach. Also, governments internationally have yet to grasp the importance of spyware and to pass laws to counter its spread. The problem seems likely to grow until they do so.
Enterprise-level anti-virus products (such as Symantec, McAfee, Trend Micro, etc.) have lagged in responding to the threat of spyware. Possible reasons for this include:
* Differences between spyware and viruses
o End-users usually install spyware themselves, even though they may have no idea of the consequences of their actions
o Spyware may inform end-users, albeit in hidden legal jargon, what it will do. Organisations manufacturing and spreading spyware can use this escape clause - "Well, we told the user what our software would do, and they installed it anyway"
* The difficulty of defining spyware
o Defining spyware can pose problems because spyware can come bundled with legitimate programs that a user agrees to install
* Legal Issues
o Viruses usually originate with individuals. However, spyware originates from companies, often from companies with large teams of programmers. They also employ effective legal teams. Companies which produce spyware can sue makers of anti-spyware software for listing their product(s) as spyware. This makes the matter of scanning for and cleaning spyware off of machines different than in the anti-virus world, as virus writers operate anonymously outside the law and would reveal their identity by suing.
Some software-makers have started to respond to the perceived spyware threat. Webroot Software's Spy Sweeper and Lavasoft's Ad-aware both have enterprise product versions that offer a level of protection similar to that offered by anti-virus companies. Many providers have started to offer products in this area, but the market still resembles the wild west and the early days of the Internet - standards and commercial winners-and-losers have yet to emerge.
Pestpatrol, now owned by CA, publishes a series of standards for evaluating spyware vendors, which even it does not, by any objective standard, meet. These include a high rate of detection, high speed, and complete removal based on "lab" tests where the evaluator compares the image before spyware installation to the image after spyware installation, determines the differences determined and completely reverses the installation. CA arguably defined the category of "enterprise antispyware", and allows administrators to remove things not traditionally seen as spyware, including diagnostic tools capable of aiding malicious functions, and file sharing programs. Because of consumer backlash, many antispyware programs do not remove the "host" software of buggy spyware and adware like CA does.
Legal situation in the United States of America
New York Attorney General Eliot
Lawsuits by Spyware purveyors
In recent years, some spyware corporations have filed lawsuits demanding that web site owners not refer to their programs as spyware. Claria Corporation, for example, has tried this SLAPP tactic.
The following (incomplete) list of spyware programs classifies them by their effects:
* 180 Solutions
* lop.com (advertising, pop ups, security risk, tries to dial out at random)
Generating pop-ups, damaging and/or slowing computers:
* Bonzi Buddy
* Gator, made by the Claria Corporation (Advertising, pop ups, privacy violation, significant security risk, partially disables firewalls, some stability issues. Gator has a reputation as difficult to remove once installed.)
* New.net (security risk, stability issues, common cause of inability to connect)
* CoolWebSearch - a well-known browser hijacker; some variants have a reputation for damaging the TCP stack when forcibly uninstalled
* Back Orifice (arguably better categorized as a Trojan Horse, since its open source code militates against secrecy and -- unlike most spyware -- it has no commercial motive. Also has legitimate uses such as remote administration.)
Masquerading as a spyware-remover:
* Complete list here: http://www.spywarewarrior.com/rogue_anti-spyware.htm
* list of Corrupt antispyware (http://www.2-spyware.com/corrupt-anti-spyware) software with evidence of corruption
* Internet Optimizer (Advertising, fake alert messages, possible privacy violation, security risk)
* MarketScore (Claims to speed up Internet connections: serious privacy violation, loss of Internet connection on some systems)
* CnsMin (Made in
Known programs bundling adware
* DivX (except for the paid version, and the 'standard' version without the encoder)
* Atomic clock sync
* Bonzi Buddy
* Limewire (Non-pro)
* AOL Instant Messenger
* MSN Messenger
* Download Accelerator Pro
* Dope Wars (The game)
* Flash Get (Free Version)
* Note: Also any related P2P networking software may also contain some type of known spyware. Users should read software licenses carefully.
* Computer barnacle
* Keystroke logging
* Stopping e-mail abuse
* Lavasoft Ad-Aware SE Personal (http://www.lavasoftusa.com/support/download/#free) (Freeware Version)
* Aluria Software spyware removal (http://www.aluriasoftware.com) Personal and business antispyware
* HijackThis (http://merijn.org) (mirrors: 1 (http://spywareinfo.com/~merijn) 2 (http://18.104.22.168/~merijn/) 3 (http://ftp.officefive.org.uk/sites/www.spywareinfo.com/~merijn/) 4 (http://www.richardthelionhearted.com/~merijn)) offers utilities to remove several spyware problems which Ad-Aware or Spybot Search & Destroy cannot currently fix.
* Hitman Pro (http://www.hitmanpro.nl) A bundle of related spyware removal software, in Dutch.
* Microsoft Anti-Spyware (http://www.microsoft.com/athome/security/spyware/software/default.mspx) (Still in beta as of April 2005)
* PestPatrol  (http://www.pestpatrol.com/)
* Spybot - Search & Destroy  (http://www.safer-networking.org)
* Spyware Doctor  (http://www.pctools.com/spyware-doctor/)
* Spy Sweeper
* Spyware Blaster - Stops many spyware programs from running [ (http://www.javacoolsoftware.com/spywareblaster.html)]
* X-RayPC Process Analyzer Analyzes processes for spyware [ (http://www.x-raypc.com)
* Security Forums HijackThis Logs // Malware Removal Forum (http://www.security-forums.com/forum/viewforum.php?f=48) Spyware and malware removal forum
* TomCoyote.org (http://www.forums.tomcoyote.org) Spyware removal help forum, and classroom to teach removal techniques
* Google Spyware Removal Group (http://groups-beta.google.com/group/spyware-removal)
* Bleeping Computer Spyware Removal Tutorials (http://www.bleepingcomputer.com/forums/tutecat38.html) tutorials for HijackThis, Spybot, and Ad-Aware.
* Geeks To Go (http://www.geekstogo.com/forum) Hijack assistance and malware removal forum.
* Spywareinfo Forums (http://forums.spywareinfo.com/index.php) help for removing adware, spyware and malware.
* ProcessLibrary.com (http://www.processlibrary.com) site providing users with detailed information on every single running process.
* Spyware/AdWare/Malware FAQ and Removal Guide (http://www.io.com/~cwagner/spyware/)
* doxdesk.com parasite database (http://www.doxdesk.com/parasite/) Removal instructions for most common spyware/adware/malware parasites.
* Computer Security (http://www.boredguru.com/modules/articles/index.php?storytopic=16) Tips and tricks for manually removing common trojans, adware and spyware.
* Rogue AntiSpyware List (http://www.spywarewarrior.com/rogue_anti-spyware.htm) list of spyware removal programs to avoid
* Spyware removal (http://www.2-spyware.com/) List of Corrupt Anti-spyware tools, manual spyware, adware removal instructions.
* Spyware Guide (http://www.spywareguide.com) searchable database of known spyware and adware
* Financial investors who support spyware (http://www.benedelman.org/spyware/investors/) A list of investment firms which support large scale spyware companies
* How Spyware And The Weapons Against It Are Evolving (http://www.windowsecurity.com/articles/Spyware-Evolving.html) Article discussing why the spyware problem has grown and possible remedies
* Spyware Prevention and Removal (http://www.pcreview.co.uk/articles/Internet/Spyware_and_Adware_Removal/) How to prevent Spyware and Adware, and a guide to removing it should the worst happen
* Spyware Prevention (http://www.freespywareremoval.info/prevention/) Proactively preventing spyware.
* Dealing with unwanted spyware and parasites (http://mvps.org/winhelp2002/unwanted.htm)
* The Spyware Inferno (http://news.com.com/2010-1032-5307831.html) - article on the rise of spyware, with a hierarchical list of different kinds of spyware based on levels of danger
WINDOWS SECURITY THREATS TIPS
Adware, rootkits and worms: Translating malware speak Kurt Dillard, Microsoft
The following tip is the first in a series about recent developments in malicious software (malware), by Microsoft's Kurt Dillard. Part one below will translate common malware lingo. Subsequent tips will detail two particularly vicious types of malware -- rootkits and spyware -- and offer countermeasures to help you immediately lower your risk of being afflicted with them. Also watch for Kurt's webcast, Detecting and removing rootkits in Windows, premiering May 10 at .
Do you know your malware lingo? Even if you think you do, you may want to scan this tip. Some authors define malware terms differently from others. To benefit the most from this tips series, you will want to be sure you understand exactly what I mean when I use these malware terms.
These definitions are derived from Microsoft's Security Glossary. They are consistent with most industry expert definitions, but you may find some resources that differ. I will describe the words in abstract terms, but, in reality, many types of malware demonstrate the behaviors of two or more malware classes, which I will detail in later tips.
Malware, also called malicious software, is designed to be deliberately harmful when executed by an attacker. Viruses, worms and spyware are all examples of malware.
Viruses copy themselves from computer to computer by automatically attaching to host programs. For a virus to propagate, the victimized user usually has to take some action, like opening an infected e-mail attachment or executing an infected program.
Worms are similar to viruses in that they are self-propagating malware, but rather than attach themselves to files, they automatically infect remote computers through network connections by exploiting security vulnerabilities.
Adware and spyware
Adware and spyware can be difficult to distinguish, but it is important that you understand the differences. Adware software is included with other software that delivers various forms of advertising, such as pop-up ads. It may also direct specific ads to users based on the personal information it collects. When users install the primary software, they agree to have the adware run on their computers. It is possible to uninstall or disable the adware, but typically doing so also disables the primary software. For instance, Kazaa is a free file-sharing application that is financed by bundling in adware like Cydoor.
Spyware, unlike adware, is software that collects personal information without the user's permission. Some forms of spyware deliver advertising, while others collect interesting data, such as usernames, passwords or account numbers, and forward them to the spyware creators. Datview.exe, as another example, is a keystroke logger (marketed as Invisible KeyLogger Stealth) that may be legitimately used by a law officer monitoring a suspected criminal, but would be considered spyware if a private individual installs it on another person's computer.
Some adware behaves a lot like spyware. For example, the previously mentioned Cydoor software is described by some
industry experts as spyware
because it cannot be easily removed. Other adware forces the user to pay a fee to purchase a
removal tool. Which category these frustrating programs fall under depends on
who you talk to. So far, at least one adware operator has begun suing people who label its
programs as malware. (CastleCops, NetRN,
The previous list of programs might also be described by some as Trojan horses: programs that appear to be useful or harmless but include hidden code designed to exploit or damage systems.
Most forms of malware tend to be noisy: Their behavior draws attention to them because they often damage files or consume system resources. On the other hand, rootkits are designed to stay hidden. The name 'rootkit' refers to its origin in Unix-based operating systems, where the most powerful account is referred to as 'root.' An attacker first compromises a system through a security vulnerability, such as a missing patch or a weak password, and installs his collection ('kit') of tools, which will facilitate his ongoing use of the compromised system. Rootkits are stealthy and non-destructive, providing backdoors for ongoing remote access to Windows systems.
Attackers have various motivations for using rootkits to retain access to previously compromised computers. They may want to use the compromised computer to:
Collect private information from victims, such as credit card numbers or usernames and passwords.
Host a collection of pirated software and digital media that they are selling to other people.
Stage a more complex attack against other people or organizations.
Typically they hide themselves and other programs, and provide false information to the legitimate owners of the computer. We will take a closer look at rootkits in the next tip in this series and in my upcoming webcast, Detecting and removing rootkits in Windows.
About the author: Kurt Dillard is a program manager with Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including "Windows Server 2003 Security Guide" and "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP". He has also co-authored two books on computer software and operating systems.
What is a rootkit?
By Kurt Dillard, Microsoft
The name of the malware category rootkits comes from the Unix-based operating systems' most powerful account -- the "root" -- which has capabilities similar to the built-in Administrator account in Windows.
Years ago, an attacker who compromised a computer would gain root privileges and install his collection of applications and utilities, known as a "kit," on the compromised system. The rootkit provided the attacker with capabilities like ongoing remote access to the compromised system, an FTP daemon for hosting pirated software or an IRC daemon for hosting illicit chat channels shared by the attacker with his cohorts.
The first public Windows rootkit, NT Rootkit, was published in 1999 by Greg Hoglund, an author of computer security books. He is also the owner of www.rootkit.com, a Web site for sharing information about creating, detecting, removing and protecting systems against rootkits.
Typically, rootkits do not exploit operating system flaws, but rather their extensibility. Windows, for example, is modular, flexible and designed as an easy platform upon which to build powerful applications. Rootkits created for Windows take advantage of these same features by extending and altering the operating system with their own suite of useful behaviors -- useful, that is, to the attacker.
How does an attacker install a rootkit?
In order for an attacker to install a rootkit on a system, he must somehow compromise it and gain administrator privileges. He will attempt to accomplish this in a variety of ways. He can:
Trick a user into executing malicious code that's embedded in what appears to be a benign download from the Web, such as a game, screensaver or file sharing utility.
Figure out an easy-to-guess password.
Take advantage of a missing security hotfix.
Exploit a poorly configured system.
Install his rootkit once he gains control of the system.
What are user-mode vs. kernel-mode rootkits?
The concealment aspect is what distinguishes rootkits from other types of malware, and it's what makes them so difficult to detect and remove. Rootkits can provide the attacker with a backdoor for future attacks, launch and hide other applications, and gather sensitive data to be collected by the attacker at a later time.
Today's common rootkits usually run in user mode with administrative privileges. Breaking the integrity of the trusted computing base, they alter the security subsystem and display false information to legitimate administrators of the compromised computer. They intercept system calls and filter output application programming interfaces (APIs) to, for example, hide processes, files, system drivers, network ports, registry keys and paths, and system services.
There are many user-mode rootkits available, including HE4Hook, Vanquish, Aphex and currently the most widespread, Hacker Defender. Each of these rootkits is persistent in that its files must be copied to the target operating system's hard drive and launched automatically each time the system boots.
The drawback to user-mode rootkits is that they can be detected by code running in kernel mode. What is a rootkit author to do about that? He loads his kit into the kernel of course! That, however, is easier said than done.
It is exceedingly difficult to create a kernel-mode rootkit that remains hidden because, should your code crash, Windows will bluescreen. Kernel-mode rootkits tend to cause many system crashes, and this is often how Microsoft support personnel determine that their systems have been victimized.
FU is a non-persistent kernel-mode rootkit that is very difficult to detect. Since it is not persistent, no files are stored on the compromised system. Since it is a kernel-mode rootkit, it is very hard to detect. On the other hand, rebooting the system will remove it, forcing the attacker to compromise the target all over again.
Unfortunately, other types of malware, besides rootkits, are hidden. Attackers hide keystroke loggers and other types of spyware using the same methods as some of the rootkits described earlier. A few months ago, my colleagues assisted a very unhappy customer whose company's computers were crashing frequently. The underlying cause was a piece of spyware trying to hide itself as a kernel-mode rootkit.
About the author: Kurt Dillard is a program manager with Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including "Windows Server 2003 Security Guide" and "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP". He has also co-authored two books on computer software and operating systems.
How can I detect and remove rootkits from Windows?
Detection and removal is still frustrating. Aside from a few established rootkit detection tools, including VICE, Patchfinder2 and klister, many tools were written by the same people who created rootkits. I don't know about you, but I have a hard time entrusting malware authors to clean up compromised computers.
However, several things happened in February to shine the spotlight on rootkits and prompt the creation of new detection tools. Beyond Fear author Bruce Schneier's rootkit mention in his blog and a presentation Mike Danseglio and I gave on Windows rootkits at the RSA Conference received a surprisingly extensive amount of press. Since then, security vendors Sysinternals and F-Secure Corp. have released standalone tools for their existing security suites to deal with rootkits. Microsoft has also added rootkit detection and removal to its Microsoft Malicious Software Removal tool, which it updates monthly.
Unfortunately, each time an existing tool is updated or a new tool is released, many rootkit authors update their malware to avoid detection. This results in an ongoing cat and mouse game that leaves systems administrators and computer users victimized.
All of this may sound terribly depressing, but there are effective measures you can implement to minimize the risk of being afflicted by rootkits or spyware. You should already be taking the following steps to secure your organization against this type of malware:
Maintain up-to-date antivirus and antispyware software.
Deploy network and host-based firewalls.
Stay current on patches for operating systems and applications.
Harden the operating system.
Use strong authentication.
Never use software from sources you don't trust.
We will explore a defense-in-depth approach to protecting your computers and networks in a later article in this series. In the meantime, check out Strider, a Microsoft research project for maintaining system integrity.