Spyware, Adware and Malware: the hidden programs on your computer
Are you annoyed with the pop-up ads while trying to access web sites on the internet? Have you had your browser hijacked while surfing the internet, or have your search attempts been redirected? If so, you are a victim of Adware or Malware. Just as bad is Spyware, as it hides on your computer, recording how many times you visit a particular website or what types of websites you were visiting.
Just what are Spyware, Adware and Malware? Well, Spyware is a data collection program that secretly gathers information about you and relays it to advertisers and other interested parties. You can unknowingly install Spyware by installing new freeware or shareware (e.g., KaZaA, iMesh, WeatherBug). Many Spyware programs are intended to track your Internet browsing habits, such as frequented sites and favorite downloads, and then provide advertising companies with marketing data.
Adware is a software application that can display advertising banners while the program is running. Ad delivery systems are most often integrated into free applications as a way for developers to recover costs or generate revenue. Adware can be obnoxious in that it performs "drive-by downloads". Drive-by downloads are accomplished by providing a misleading dialog box or other methods of stealth installation.
Malware, along with viruses, is one of the biggest threats to computer users on the Internet today. It can hijack your browser, redirect your search attempts, serve up nasty pop-up ads, and track what web sites you visit. Malware programs are usually poorly programmed and can cause your computer to become unbearably slow and unstable, in addition to all the other havoc they wreak.
How do you know if you're infected? Watch out for poor system resources, running out of memory, lots of hard disk activity or a screen that flickers. If, after you've downloaded music, visited a website that uses cookies, or installed anything claiming to be "free", you start getting those annoying pop-up ads on your screen, you've been infected with Spyware and/or Adware! If your computer starts to act sluggish, does strange things when trying to run some software or maybe dials out on its own, you have Malware. Usually, most infected computers have a combination of Spyware, Adware and Malware.
How do you cure your computer of these infections? Ad-Aware and Spybot are detection and removal software utilities designed for Windows based computers. This software can be downloaded from their respective websites: http://www.lavasoftusa.com/software/adaware/ and http://www.safer-networking.org/en/download/. There are other sources for software, and more recently the makers of Anti-Virus software have included some features of Spyware/Adware removal. It's not unusual to have found anywhere from 50 to over 1000 pieces of infection on a computer. No one software does it all, and the best solution would be Anti-Virus software in combination with Ad-Aware or Spybot. Running the detection software more than once would be advisable when it is first installed, because it could miss some instances of Spyware. It would be prudent to run the detection software periodically to maintain a Spyware free computer.
What to watch out for when on the internet. Some web sites can be infected unknowingly, but for the most part the offending ones seem to be the music sites, pornographic sites, free download sites, and sites that have a lot of diverse advertising. Some Weblogs are beginning to propagate malicious software downloads that can alter browser settings, track users and serve pop-up ads. A cookie is a very small text file placed on your hard drive by a Web Page server. It can only be read by the server that gave it to you. Limiting cookies from unfamiliar websites is a generally recommended practice.
The most important consideration should be the security of your data. Spyware, Adware and Malware are not just a nuisance; like viruses, they are a real threat to your computer.
REFERENCES:
Spyware
From Wikipedia, the free encyclopedia.
Strictly defined, spyware consists of computer software that gathers and reports information about a computer user without the user's knowledge or consent. More broadly, the term spyware can refer to a wide range of related malware products which fall outside the strict definition of spyware. These products perform many different functions, including the delivery of unsolicited advertising (pop-up ads in particular), harvesting private information, re-routing page requests to fraudulently claim commercial site referral fees, and installing stealth phone dialers.
Categories
Spyware as a category overlaps with adware. The more unethical forms of adware tend to coalesce with spyware. Malware uses spyware for explicitly illegal purposes. Exceptionally, many web browser toolbars may count as spyware. On the other hand, adware may simply load ads from a server and display them while a user runs a program, with the user's permission; the software developer gets ad revenue, and the user gets to use the program free of charge. In these cases, adware may function ethically. If the software collects personal information without the user's permission (a list of websites visited, for example, or a log of keystrokes), it may become spyware.
Data collecting programs installed with the user's knowledge do not, technically speaking, constitute spyware, provided the user fully understands what data they collect and with whom they share it. However, a growing number of legitimate software titles install secondary programs to collect data or distribute advertisement content without properly informing the user about the real nature of those programs. These barnacles can drastically impair system performance, and frequently abuse network resources. In addition to slowing down throughput, they often have design features which make them difficult or impossible to remove from the system.
History
The first recorded use of the term spyware occurred on
In 2000, Steve Gibson of Gibson Research released the first ever anti-spyware program, OptOut, in response to the growth of spyware, and many more software antidotes have appeared since then. More recently Microsoft (http://www.microsoft.com) has released an anti-spyware program and the International Charter now offers software developers a Spyware-Free Certification (http://www.icharter.org/certification/software/spyware_free/index.html) programme.
According to a study (http://www.net-security.org/press.php?id=1973) by the National Cyber-Security Alliance, spyware has affected 90% of home PCs.
Spyware and viruses
Spyware can closely resemble computer viruses, but with some important differences. Many spyware programs install without the user's knowledge or consent. In both cases, system instability commonly results. A virus, however, replicates itself: it spreads copies of itself to other computers if it can (self-replicating viruses are called worms). Spyware generally does not self-replicate. Whereas a virus relies on users with poor security habits in order to spread, and spreads so far as possible in an unobtrusive way (in order to avoid detection and removal), spyware usually relies on persuading ignorant or credulous users to download and install itself by offering some kind of bait.
For example, one typical spyware program targeted at children, Bonzi Buddy, claims that:
He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE! [1] (http://www.bonzi.com/bonzibuddy/bonzimail.asp)
A typical piece of spyware installs itself in such a way that it starts every time the computer boots up (using CPU cycles and RAM, and reducing stability), and runs at all times, monitoring Internet usage and delivering targeted advertising to the affected system. It does not, however, attempt to replicate onto other computers; it functions as a parasite but not as an infection. [2] (http://www.spywareguide.com/product_show.php?id=512)
A virus generally aims to carry a payload of some kind. This may do some damage to the user's system (such as, for example, deleting certain files), may make the machine vulnerable to further attacks by opening up a "back door", or may put the machine under the control of malicious third parties for the purposes of spamming or denial-of-service attacks. The virus will in almost every case also seek to replicate itself onto other computers. In other words, it functions not only as a parasite, but as an infection as well. A parasite is software that lives in or on the operating system of a host computer at the expense of that host.
The damage caused by spyware, in contrast, usually occurs incidentally to the primary function of the program. Spyware generally does not damage the user's data files; indeed (apart from the intentional privacy invasion and bandwidth theft), the overwhelming majority of the harm inflicted by spyware comes about simply as an unintended by-product of the data-gathering or other primary purpose.
A virus does deliberate damage (to system software, or data, or both); spyware does accidental damage (usually only to the system software). In general, neither one can damage the computer hardware itself (but see CIH virus). Certain special circumstances aside, in the worst case the user will need to reformat the hard drive, reinstall the operating system and restore from backups. This can prove expensive in terms of repair costs, lost time and productivity. Instances have occurred of owners of badly spyware-infected systems purchasing entire new computers in the belief that an existing system "has become too slow." Technicians who hear complaints about a computer "slowing down" (as opposed to "becoming outdated") should probably suspect spyware.
Consequences
Windows-based computers, whether used by children or by adults, can sometimes rapidly accumulate a great many spyware components. The consequences of a moderate to severe spyware infection (privacy issues aside) generally include a substantial loss of system performance (over 50% in extreme cases), and major stability issues (crashes and hangs). Difficulty in connecting to the Internet also commonly occurs as some spyware (perhaps inadvertently) modifies the DLLs needed for connectivity.
As of 2004, spyware infection causes more visits to professional computer repairers than any other single cause. In more than half of these cases, the user has no awareness of spyware and initially assumes that the system performance, stability, and/or connectivity issues relate to hardware, Windows installation problems, or a virus. (On the other hand, older versions of Windows itself, as well as CPU undercooling, can manifest spyware-like symptoms, specifically including instability or slowness.)
Some spyware products have additional consequences. Stealth dialers may attempt to connect directly to a particular telephone number rather than to a user's own intended ISP: where connecting to the number in question involves long-distance or overseas charges, this can result in massive telephone bills which the user has no choice but to pay.
A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware": spyware applications that redirect affiliate links to major online merchants such as eBay and Dell, effectively hijacking the commissions that the affiliates would have expected to earn in the process. [3] (http://www.benedelman.org/spyware/180-affiliates/)
Some other types of spyware (Targetsoft, for example) even go to the extent of modifying system files to make themselves harder to remove. (Targetsoft modifies the Winsock (Windows Sockets) files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage.)
Installation
Spyware normally installs itself through one of three methods:
1. The spyware component comes bundled with an otherwise apparently useful program. The makers of such packages usually make them available for download free of charge, so as to encourage wide uptake of the spyware component. This applies especially with file-sharing clients such as Kazaa and earlier versions of Bearshare. (To address this concern, and to discourage the U.S. Congress from regulating the P2P "industry", P2P United formed to promise informed consent and easy removal. Kazaa does not form part of P2P United. -- Note furthermore that anti-spyware removers generally do not remove spyware applications from their databases because of such changes. Lavasoft has come under criticism from some on its support forums for reaching agreements with former vendors of spyware to be removed from their database. Lavasoft representatives say they remove spyware if it no longer meets their inclusion criteria.)
2. The spyware takes advantage of security flaws in Internet Explorer.
3. Internet Explorer can also install spyware on your computer via a drive-by download, with or without any prompt. A drive-by download takes advantage of easy installation via an ActiveX control (or several ActiveX components) with or without a prompt, depending on security settings within Internet Explorer.
Spyware can also install itself on a computer via a virus or an e-mail trojan program, but this does not commonly occur.
An HTTP cookie, a well-known mechanism for storing information about Internet users on their own computers, often stores an individual identification number for subsequent recognition of a website visitor. However, the existence of cookies and their use generally does not hide from users, who can also disallow access to cookie information. Nevertheless, to the extent that a Web site uses a cookie identifier (ID) to build a profile about the user, who does not know what information accumulates in this profile, the cookie mechanism could count as a form of spyware. For example, a search engine website could assign an individual ID code to a user the first time he or she visits and store all search terms in a database with this ID as a key on all subsequent visits (until the expiry or deletion of the cookie). The search engine could use this data to select advertisements to display to that user, or could legally or illegally transmit derived information to third parties.
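The profiling cookie described above has a recognisable shape: a long-lived, opaque identifier set by a host other than the site the user actually visited. The following added example (not part of the Wikipedia text) classifies Set-Cookie headers captured during a page load by that shape; the hostnames, cookie values and the fixed "now" date are all constructed, and the 30-day threshold is an assumption.

```python
"""Classify cookies seen during a page load and flag persistent third-party identifiers."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: (responding host, Set-Cookie header) pairs observed while
# loading a page on FIRST_PARTY. Hosts and values are made up for this example.
FIRST_PARTY = "www.example-news.test"
NOW = datetime(2005, 4, 1, tzinfo=timezone.utc)  # fixed clock keeps the example deterministic
OBSERVED = [
    ("www.example-news.test", "session=abc123; Path=/; HttpOnly"),
    ("www.example-news.test", "lang=en; Max-Age=2592000; Path=/"),
    ("ads.tracker-network.test",
     "uid=7f3a9c1e4b2d8e6f0a1b2c3d4e5f6a7b; Expires=Thu, 01 Apr 2010 00:00:00 GMT; Path=/"),
    ("cdn.example-news.test", "ab=2; Expires=Sat, 02 Apr 2005 00:00:00 GMT"),
]

MIN_TRACKING_DAYS = 30                                  # assumption: shorter cookies are not profiles
OPAQUE_ID = re.compile(r"^[A-Za-z0-9_-]{16,}$")         # looks machine-generated, not a setting


@dataclass
class CookieReport:
    host: str
    name: str
    third_party: bool
    persistent: bool
    lifetime_days: float      # 0.0 for session cookies
    opaque_id: bool
    tracking_candidate: bool


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the constructed hosts used here."""
    return ".".join(host.lower().split(".")[-2:])


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into its parts (attribute names lower-cased)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookie_lifetime(attrs: dict[str, str], now: datetime) -> timedelta | None:
    """Remaining lifetime; Max-Age wins over Expires (RFC 6265), None for session cookies."""
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            return None
    return None


def classify(observed, first_party: str, now: datetime) -> list[CookieReport]:
    first_party_domain = registrable_domain(first_party)
    reports = []
    for host, header in observed:
        name, value, attrs = parse_set_cookie(header)
        life = cookie_lifetime(attrs, now)
        persistent = life is not None and life > timedelta(0)   # past Expires means deletion
        days = life.total_seconds() / 86400 if persistent else 0.0
        third_party = registrable_domain(host) != first_party_domain
        opaque = bool(OPAQUE_ID.match(value))
        tracking = third_party and persistent and opaque and days >= MIN_TRACKING_DAYS
        reports.append(CookieReport(host, name, third_party, persistent, days, opaque, tracking))
    return reports


def tracking_candidates(observed, first_party: str, now: datetime) -> list[tuple[str, str]]:
    """(host, cookie name) pairs worth blocking or reviewing."""
    return [(r.host, r.name) for r in classify(observed, first_party, now) if r.tracking_candidate]


if __name__ == "__main__":
    for r in classify(OBSERVED, FIRST_PARTY, NOW):
        print(r)
    print("tracking candidates:", tracking_candidates(OBSERVED, FIRST_PARTY, NOW))
```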
Granting permission for web-based applications to integrate into one's system can also load spyware. These Browser Helper Objects, known as Browser Hijackers, embed themselves as part of a web browser.
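Both the boot-time persistence described earlier (spyware that "starts every time the computer boots up") and the Browser Helper Objects just mentioned show up as O4 and O2 lines in a HijackThis log, the tool listed under External links below. The following added example (not HijackThis's own code) parses such lines and puts the entries a technician would want to look at first into a review queue; the log lines, program names and CLSIDs are constructed, and the "trusted directory" and temporary-directory heuristics are assumptions for triage, not detection signatures.

```python
"""Triage O2 (BHO) and O4 (startup) entries from a HijackThis-style log."""
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis line format. Names, CLSIDs and paths are made up;
# only ctfmon.exe is a real Windows component used as a benign reference point.
SAMPLE_LOG = """\
O2 - BHO: Reader Link Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Reader\\ActiveX\\ReaderHelper.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\\WINDOWS\\System32\\hlpr32.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [SysUpdate] C:\\Documents and Settings\\User\\Local Settings\\Temp\\sysupd.exe
O4 - HKCU\\..\\Run: [MSN Messenger] "C:\\Program Files\\MSN Messenger\\msnmsgr.exe" /background
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<location>HK[A-Z]+\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First token that ends in an executable extension, quoted or not (paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?:\s|$)', re.IGNORECASE)

# Assumptions for triage: where legitimate auto-start binaries normally live, and
# directory fragments that legitimate auto-start binaries should never live in.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")


@dataclass
class Entry:
    kind: str                 # "BHO" or "Startup"
    name: str
    location: str             # CLSID for a BHO, registry key for a startup entry
    path: str                 # binary path, lower-cased for comparison
    reasons: list = field(default_factory=list)


def executable_from_command(cmd: str) -> str:
    """Extract the program path from a Run-key command line, dropping quotes and arguments."""
    match = EXE_RE.match(cmd.strip())
    return match.group("path") if match else cmd.strip()


def triage(entry: Entry) -> Entry:
    """Attach review reasons; an entry with no reasons is left alone."""
    if entry.kind == "BHO" and entry.name == "(no name)":
        entry.reasons.append("BHO registered without a name")
    if any(marker in entry.path for marker in TEMP_MARKERS):
        entry.reasons.append("binary lives in a temporary directory")
    elif not entry.path.startswith(TRUSTED_PREFIXES):
        entry.reasons.append("binary outside Windows and Program Files")
    return entry


def parse_log(text: str) -> list[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            entry = Entry("BHO", m["name"], m["clsid"], m["path"].lower())
        elif m := O4_RE.match(line):
            entry = Entry("Startup", m["name"], m["location"],
                          executable_from_command(m["cmd"]).lower())
        else:
            continue              # other HijackThis sections are out of scope here
        entries.append(triage(entry))
    return entries


def review_queue(text: str) -> list[tuple[str, str]]:
    """(kind, name) of every entry that collected at least one review reason."""
    return [(e.kind, e.name) for e in parse_log(text) if e.reasons]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        flag = "REVIEW" if e.reasons else "ok    "
        print(f"{flag} {e.kind:7} {e.name!r:20} {e.path}  {'; '.join(e.reasons)}")
```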
Spyware usually installs itself by some stealthy means. User agreements for software may make references (sometimes vague) to allowing the issuing company of the software to record users' Internet usage and website surfing. Some software vendors allow the option of buying the same product without this overhead.
Solutions
To avoid spyware issues altogether, networked computer users should refrain from installing any piece of software that seems too good to be true, such as bogus "free" music downloads and the like. To remedy spyware problems completely (albeit temporarily), the following advice for users of Microsoft Windows may apply:
CAUTION! For advanced users only!
If the computer's performance has degraded to such a state that the computer no longer functions usefully and reliably, the user may have to consider the option of a clean install. Novice users should avoid this solution, and the more experienced should only consider it when a problem has become so severe that the Windows-based PC has essentially become non-functional. Please note that one must have a complete backup of one's data along with all the setup disks that came with one's PC. A clean install means erasing all the data from one's hard drives, formatting, and re-installing the operating system. Only advanced users or a computer technician should attempt this remedy.
Use of automatic updates (on Windows systems), antivirus, and other software upgrades will help to protect systems. Software bugs and exploits remaining in older software leave computers vulnerable, because malefactors rapidly learn how to exploit unpatched systems.
Users of Windows-related operating systems who wish to stay protected should install Windows XP SP2 along with all the latest security updates and hotfixes available via Windows Update. As suggested below, Windows Antispyware may greatly reduce the chances of having system performance lag; Windows users can download this program free of charge as of March 2005, and some believe this situation will continue. Microsoft users who do not want to invest in Windows XP can secure older Windows versions (98, ME and 2K) by keeping patches up-to-date and by regularly scanning for spyware. If possible, users of Windows 95 should replace their operating system even in a home environment, as it has stability and other concerns aside from spyware.
A number of software applications exist to help computer users search for and remove spyware programs. (See sections Spyware Removal Programs and External links below.) Some programs purge a system of spyware, only to install their own.
As some spyware takes advantage of Internet Explorer vulnerabilities, using a less vulnerable browser such as Mozilla Firefox or Opera may also help.
Disabling ActiveX in Internet Explorer will prevent some infections. However, websites that make use of ActiveX will not work in this scenario.
Currently-known spyware does not specifically target non-Windows systems, such as those running Mac OS or Linux. However, such systems can store browser cookies. Changing security settings may make installing spyware on a Linux system impossible. As such, it seems plausible that no economic incentive to create spyware for non-Windows systems may exist in the foreseeable future.
An important factor in dampening the spread of spyware involves knowing, as an end-user, the actual need for new software. A rational, cold observation will lead in many cases to the genuine conclusion that one does not need a certain piece of new software, thus preventing at once even the potentiality of a problem spreading. This difficult solution requires some thinking and some knowledge. When one wishes to install a new program (in particular one available free of charge) it makes sense to use a search engine to see if this program has a reputation for bundling spyware. Some programs, such as AOL Instant Messenger, have debatable components that one can uncheck at the time of installing the program; it pays not to rush through the installer.
Technical solutions to problems such as spyware may inherently contain flaws. Indeed, what a tool considers as acceptable may differ from what the end user wants. Take the example of signed software. Signature recognition implies that the corporation providing the operating system somehow knows the software considered suitable for installation, independently of what the user actually considers acceptable. No system actually knows nor can automate such a decision. Nor can cryptography verify the innocuous nature of a program; at most, it can verify the identity of the program's author.
Definitive solutions to spyware issues seem unlikely, because the problems do not lend themselves to a fully rational approach. Also, governments internationally have yet to grasp the importance of spyware and to pass laws to counter its spread. The problem seems likely to grow until they do so.
Enterprise-level anti-virus products (such as Symantec, McAfee, Trend Micro, etc.) have lagged in responding to the threat of spyware.
Possible reasons for this include:
* Differences between spyware and viruses
  o End-users usually install spyware themselves, even though they may have no idea of the consequences of their actions
  o Spyware may inform end-users, albeit in hidden legal jargon, what it will do. Organisations manufacturing and spreading spyware can use this escape clause - "Well, we told the user what our software would do, and they installed it anyway"
* The difficulty of defining spyware
  o Defining spyware can pose problems because spyware can come bundled with legitimate programs that a user agrees to install
* Legal Issues
  o Viruses usually originate with individuals. However, spyware originates from companies, often from companies with large teams of programmers. They also employ effective legal teams. Companies which produce spyware can sue makers of anti-spyware software for listing their product(s) as spyware. This makes the matter of scanning for and cleaning spyware off of machines different than in the anti-virus world, as virus writers operate anonymously outside the law and would reveal their identity by suing.
Some software-makers have started to respond to the perceived spyware threat. Webroot Software's Spy Sweeper and Lavasoft's Ad-aware both have enterprise product versions that offer a level of protection similar to that offered by anti-virus companies. Many providers have started to offer products in this area, but the market still resembles the wild west and the early days of the Internet - standards and commercial winners-and-losers have yet to emerge.
Pestpatrol, now owned by CA, publishes a series of standards for evaluating spyware vendors, which even it does not, by any objective standard, meet. These include a high rate of detection, high speed, and complete removal based on "lab" tests where the evaluator compares the image before spyware installation to the image after spyware installation, determines the differences and completely reverses the installation. CA arguably defined the category of "enterprise antispyware", and allows administrators to remove things not traditionally seen as spyware, including diagnostic tools capable of aiding malicious functions, and file sharing programs. Because of consumer backlash, many antispyware programs do not remove the "host" software of buggy spyware and adware like CA does.
Legal situation in the United States of America
The New York Attorney General Eliot Spitzer on
Lawsuits by Spyware purveyors
In recent years, some spyware corporations have filed lawsuits demanding that web site owners not refer to their programs as spyware. Claria Corporation, for example, has tried this SLAPP tactic.
Known spyware
The following (incomplete) list of spyware programs classifies them by their effects:
Generating pop-ups:
* 180 Solutions
* DirectRevenue
* lop.com (advertising, pop ups, security risk, tries to dial out at random)
Generating pop-ups, damaging and/or slowing computers:
* Bonzi Buddy
* Cydoor
* Gator, made by the Claria Corporation (Advertising, pop ups, privacy violation, significant security risk, partially disables firewalls, some stability issues. Gator has a reputation as difficult to remove once installed.)
* New.net (security risk, stability issues, common cause of inability to connect)
* ShopAtHomeSearch
Hijacking browsers:
* CoolWebSearch - a well-known browser hijacker; some variants have a reputation for damaging the TCP stack when forcibly uninstalled
* Euniverse
* Xupiter
Committing fraud:
* XXXDial
Stealing information:
* Back Orifice (arguably better categorized as a Trojan Horse, since its open source code militates against secrecy and -- unlike most spyware -- it has no commercial motive. Also has legitimate uses such as remote administration.)
Masquerading as a spyware-remover:
* SpyKiller
* Complete list here: http://www.spywarewarrior.com/rogue_anti-spyware.htm
* List of Corrupt antispyware (http://www.2-spyware.com/corrupt-anti-spyware) software with evidence of corruption
Miscellaneous:
* Internet Optimizer (Advertising, fake alert messages, possible privacy violation, security risk)
* MarketScore (Claims to speed up Internet connections: serious privacy violation, loss of Internet connection on some systems)
* CnsMin (Made in
Known programs bundling adware
* Kazaa
* Bearshare
* DivX (except for the paid version, and the 'standard' version without the encoder)
* WeatherBug
* Atomic clock sync
* Bonzi Buddy
* Limewire (Non-pro)
* Wildtangent
* AOL Instant Messenger
* Gator
* MSN Messenger
* ErrorGuard
* FlashGet
* Download Accelerator Pro
* Grokster
* Dope Wars (The game)
* Flash Get (Free Version)
* Note: Any related P2P networking software may also contain some type of known spyware. Users should read software licenses carefully.
See also
* Adware
* Computer barnacle
* Exploit
* Keystroke logging
* Malware
* Stopping e-mail abuse
External links
Software
* Lavasoft Ad-Aware SE Personal (http://www.lavasoftusa.com/support/download/#free) (Freeware Version)
* Aluria Software spyware removal (http://www.aluriasoftware.com) Personal and business antispyware
* HijackThis (http://merijn.org) (mirrors: 1 (http://spywareinfo.com/~merijn) 2 (http://209.133.47.200/~merijn/) 3 (http://ftp.officefive.org.uk/sites/www.spywareinfo.com/~merijn/) 4 (http://www.richardthelionhearted.com/~merijn)) offers utilities to remove several spyware problems which Ad-Aware or Spybot Search & Destroy cannot currently fix.
* Hitman Pro (http://www.hitmanpro.nl) A bundle of related spyware removal software, in Dutch.
* Microsoft Anti-Spyware (http://www.microsoft.com/athome/security/spyware/software/default.mspx) (Still in beta as of April 2005)
* PestPatrol [5] (http://www.pestpatrol.com/)
* Spybot - Search & Destroy [6] (http://www.safer-networking.org)
* Spyware Doctor [7] (http://www.pctools.com/spyware-doctor/)
* Spy Sweeper
* Spyware Blaster - Stops many spyware programs from running [8] (http://www.javacoolsoftware.com/spywareblaster.html)
* X-RayPC Process Analyzer - Analyzes processes for spyware [9] (http://www.x-raypc.com)
Communities
* Security Forums HijackThis Logs // Malware Removal Forum (http://www.security-forums.com/forum/viewforum.php?f=48) Spyware and malware removal forum
* TomCoyote.org (http://www.forums.tomcoyote.org) Spyware removal help forum, and classroom to teach removal techniques
* Google Spyware Removal Group (http://groups-beta.google.com/group/spyware-removal)
* Bleeping Computer Spyware Removal Tutorials (http://www.bleepingcomputer.com/forums/tutecat38.html) tutorials for HijackThis, Spybot, and Ad-Aware.
* Geeks To Go (http://www.geekstogo.com/forum) Hijack assistance and malware removal forum.
* Spywareinfo Forums (http://forums.spywareinfo.com/index.php) help for removing adware, spyware and malware.
* ProcessLibrary.com (http://www.processlibrary.com) site providing users with detailed information on every single running process.
Guides
* Spyware/AdWare/Malware FAQ and Removal Guide (http://www.io.com/~cwagner/spyware/)
* doxdesk.com parasite database (http://www.doxdesk.com/parasite/) Removal instructions for most common spyware/adware/malware parasites.
* Computer Security (http://www.boredguru.com/modules/articles/index.php?storytopic=16) Tips and tricks for manually removing common trojans, adware and spyware.
* Rogue AntiSpyware List (http://www.spywarewarrior.com/rogue_anti-spyware.htm) list of spyware removal programs to avoid
* Spyware removal (http://www.2-spyware.com/) List of Corrupt Anti-spyware tools, manual spyware and adware removal instructions.
* Spyware Guide (http://www.spywareguide.com) searchable database of known spyware and adware
Prevention
* Financial investors who support spyware (http://www.benedelman.org/spyware/investors/) A list of investment firms which support large scale spyware companies
* How Spyware And The Weapons Against It Are Evolving (http://www.windowsecurity.com/articles/Spyware-Evolving.html) Article discussing why the spyware problem has grown and possible remedies
* Spyware Prevention and Removal (http://www.pcreview.co.uk/articles/Internet/Spyware_and_Adware_Removal/) How to prevent Spyware and Adware, and a guide to removing it should the worst happen
* Spyware Prevention (http://www.freespywareremoval.info/prevention/) Proactively preventing spyware.
* Dealing with unwanted spyware and parasites (http://mvps.org/winhelp2002/unwanted.htm)
* The Spyware Inferno (http://news.com.com/2010-1032-5307831.html) - article on the rise of spyware, with a hierarchical list of different kinds of spyware based on levels of danger
WINDOWS SECURITY THREATS TIPS
Adware, rootkits and worms: Translating malware speak
Kurt Dillard, Microsoft
The following tip is the first in a series about recent developments in malicious software (malware), by Microsoft's Kurt Dillard. Part one below will translate common malware lingo. Subsequent tips will detail two particularly vicious types of malware -- rootkits and spyware -- and offer countermeasures to help you immediately lower your risk of being afflicted with them. Also watch for Kurt's webcast, Detecting and removing rootkits in Windows, premiering May 10 at
--------------------------------------------------------------------------------
Do you know your malware lingo? Even if you think you do, you may want to scan this tip. Some authors define malware terms differently from others. To benefit the most from this tips series, you will want to be sure you understand exactly what I mean when I use these malware terms.
These definitions are derived from Microsoft's Security Glossary. They are consistent with most industry expert definitions, but you may find some resources that differ. I will describe the words in abstract terms, but, in reality, many types of malware demonstrate the behaviors of two or more malware classes, which I will detail in later tips.
Malware, also called malicious software, is designed to be deliberately harmful when executed by an attacker. Viruses, worms and spyware are all examples of malware.
Virus
Viruses copy themselves from computer to computer by automatically attaching to host programs. For a virus to propagate, the victimized user usually has to take some action, like opening an infected e-mail attachment or executing an infected program.
Worm
Worms are similar to viruses in that they are self-propagating malware, but rather than attach themselves to files, they automatically infect remote computers through network connections by exploiting security vulnerabilities.
Adware and spyware
Adware and spyware can be difficult to distinguish, but it is important that you understand the differences. Adware software is included with other software that delivers various forms of advertising, such as pop-up ads. It may also direct specific ads to users based on the personal information it collects. When users install the primary software, they agree to have the adware run on their computers. It is possible to uninstall or disable the adware, but typically doing so also disables the primary software. For instance, Kazaa is a free file-sharing application that is financed by bundling in adware like Cydoor.
Spyware, unlike adware, is software that collects personal information without the user's permission. Some forms of spyware deliver advertising, while others collect interesting data, such as usernames, passwords or account numbers, and forward them to the spyware creators. Datview.exe, as another example, is a keystroke logger (marketed as Invisible KeyLogger Stealth) that may be legitimately used by a law officer monitoring a suspected criminal, but would be considered spyware if a private individual installs it on another person's computer.
Some adware behaves a lot like spyware. For example, the previously mentioned Cydoor software is described by some industry experts as spyware because it cannot be easily removed. Other adware forces the user to pay a fee to purchase a removal tool. Which category these frustrating programs fall under depends on who you talk to. So far, at least one adware operator has begun suing people who label its programs as malware. (CastleCops, NetRN,
Trojan horses
The previous list of programs might
also be described by some as Trojan horses: programs that appear to be useful or
harmless but include hidden code designed to exploit or damage systems.
Rootkits
Most forms of malware tend to be noisy: their behavior draws
attention to them because they often damage files or consume system resources.
On the other hand, rootkits are
designed to stay hidden. The name 'rootkit' refers to its origin in Unix-based
operating systems, where the most powerful account is referred to as 'root.' An
attacker first compromises a system through a security vulnerability, such as a missing patch or
a weak password, and installs his collection ('kit') of tools, which will
facilitate his ongoing use of the compromised system. Rootkits are stealthy and non-destructive, providing
backdoors for ongoing remote access to Windows systems.
Attackers have various motivations
for using rootkits to retain
access to previously compromised computers. They may want to use the compromised
computer to:
Collect private information from
victims, such as credit card numbers or usernames and passwords.
Host a collection of pirated
software and digital media that they are selling to other people.
Stage a more complex attack against
other people or organizations.
Typically they hide themselves and
other programs, and provide false information to the legitimate owners of the
computer. We will take a closer look at rootkits in the next tip in this series and in my
upcoming webcast, Detecting and removing rootkits in Windows.
About the author: Kurt Dillard is a
program manager with Microsoft Solutions for Security. He has collaborated on
many solutions published by this team, including "Windows Server 2003 Security
Guide" and "Threats and Countermeasures: Security Settings in Windows Server
2003 and Windows XP". He has also co-authored two books on computer software and
operating systems.
What is a rootkit?
By Kurt Dillard, Microsoft
The name of the malware category rootkits comes from the Unix-based operating
systems' most powerful account -- the "root" -- which has capabilities similar
to the built-in Administrator account in Windows.
Years ago, an attacker who
compromised a computer would gain root privileges and install his collection of
applications and utilities, known as a "kit," on the compromised system. The
rootkit provided the attacker
with capabilities like ongoing remote access to the compromised system, an FTP
daemon for hosting pirated software or an IRC daemon for hosting illicit chat
channels shared by the attacker with his cohorts.
The first public Windows rootkit, NT Rootkit, was published in 1999 by Greg Hoglund, an author of computer security
books. He is also the owner of www.rootkit.com, a Web site for sharing
information about creating, detecting, removing and protecting systems against
rootkits.
Typically, rootkits do not exploit operating system flaws, but
rather their extensibility. Windows, for example, is modular, flexible and
designed as an easy platform upon which to build powerful applications. Rootkits created for Windows take
advantage of these same features by extending and altering the operating system
with their own suite of useful behaviors -- useful, that is, to the attacker.
How does an attacker install a
rootkit?
In order for an attacker to install
a rootkit on a system, he must
somehow compromise it and gain administrator privileges. He will attempt to
accomplish this in a variety of ways. He can:
Trick a user into executing
malicious code that's embedded in what appears to be a benign download from the
Web, such as a game, screensaver or file sharing utility.
Figure out an easy-to-guess
password.
Take advantage of a missing
security hotfix.
Exploit a poorly configured system.
Once he gains control of the system, he installs his rootkit.
What are user-mode vs. kernel-mode rootkits?
The concealment aspect is what
distinguishes rootkits from other
types of malware, and it's what
makes them so difficult to detect and remove. Rootkits can provide the attacker with a backdoor
for future attacks, launch and hide other applications, and gather sensitive
data to be collected by the attacker at a later time.
Today's common rootkits usually run in user mode with
administrative privileges. Breaking the integrity of the trusted computing base,
they alter the security subsystem and display false information to legitimate
administrators of the compromised computer. They intercept system calls and
filter the output of application programming interfaces (APIs) to, for example, hide
processes, files, system drivers, network ports, registry keys and paths, and
system services.
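The hiding technique just described has a well-known defensive counterpart: because a hooked API only filters what it hands back to the caller, a detector that obtains a second view of the same objects through a different path can report whatever the API view omits. The following Python is an added example, not code from the article or from any of the tools it names; the process table, process names and hide rule are constructed for the demonstration, and the live Linux variant (the page discusses Windows) only illustrates the same cross-view idea, which is also the approach behind Microsoft's Strider GhostBuster research tool:

```python
"""Cross-view detection of processes hidden by a filtering (hooked) API.

Added example, not from the original article. The simulated hook drops
entries from an enumeration before they reach the caller, which is what a
user-mode rootkit does to process, file and registry APIs. The detector
compares that filtered view with an unfiltered one and reports the gap.
"""
import os
from typing import Iterable, Set

# Constructed "true" process table; all PIDs and names are made up.
TRUE_PROCESSES = {
    4: "System",
    412: "winlogon.exe",
    1108: "explorer.exe",
    1772: "notepad.exe",
    2044: "hidden_svc.exe",   # constructed stand-in for a rootkit process
    2060: "rk_helper.exe",    # constructed stand-in for a hidden helper
}

# Constructed hide rule for the simulated hook (a real rootkit uses its own
# configuration); anything whose name starts with these prefixes is dropped.
HIDDEN_PREFIXES = ("hidden_", "rk_")


def hooked_enumerate(table: dict) -> Set[int]:
    """High-level view: what the filtered API returns to an ordinary caller."""
    return {pid for pid, name in table.items()
            if not name.lower().startswith(HIDDEN_PREFIXES)}


def raw_enumerate(table: dict) -> Set[int]:
    """Low-level view: the unfiltered table, as read from kernel structures."""
    return set(table)


def cross_view_diff(high_level: Iterable[int], low_level: Iterable[int]) -> Set[int]:
    """Objects present in the low-level view but missing from the API view.

    A non-empty result means something between the kernel and the caller is
    filtering the enumeration, which is the signature of a user-mode rootkit.
    """
    return set(low_level) - set(high_level)


def find_hidden_processes(table: dict = TRUE_PROCESSES) -> Set[int]:
    """Run the cross-view diff over the constructed table."""
    return cross_view_diff(hooked_enumerate(table), raw_enumerate(table))


def linux_cross_view(max_pid: int = 65536) -> Set[int]:
    """Live variant for a Linux host (assumption: a /proc filesystem exists).

    View 1 is the PID list from /proc (the normal API path); view 2 probes PIDs
    with signal 0, a different code path. Returns an empty set when /proc is
    absent. Caveats: processes that exit between the two views and /proc
    mounted with hidepid both produce false positives, so re-check any PID
    reported here before treating it as hidden.
    """
    if not os.path.isdir("/proc"):
        return set()
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    probed = set()
    for pid in range(1, min(max(listed, default=1), max_pid) + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check only
            probed.add(pid)
        except ProcessLookupError:   # no such process
            continue
        except PermissionError:      # exists, owned by another user
            probed.add(pid)
    return cross_view_diff(listed, probed)


if __name__ == "__main__":
    print("hidden in constructed table:", sorted(find_hidden_processes()))
    print("unlisted PIDs on this host:", sorted(linux_cross_view()))
```

The same diff works for files (directory listing through the API versus a raw read of the file system) and registry keys; what matters is that the two views are produced by code paths that a user-mode hook cannot both intercept, which is also why the author notes below that kernel-mode code can see through user-mode rootkits.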
There are many user-mode rootkits available, including HE4Hook,
Vanquish, Aphex and currently the
most widespread, Hacker Defender. Each of these rootkits is persistent in that its files must be
copied to the target operating system's hard drive and launched automatically
each time the system boots.
The drawback to user-mode rootkits is that they can be detected
by code running in kernel mode. What is a rootkit author to do about that? He loads his kit
into the kernel of course! That, however, is easier said than done.
It is exceedingly difficult to
create a kernel-mode rootkit that
remains hidden because, should its code crash, Windows will bluescreen. Kernel-mode rootkits tend to cause many system crashes, and this
is often how Microsoft support personnel determine that a customer's systems have been
victimized.
FU is a non-persistent kernel-mode
rootkit. Because it is not persistent, no files are stored on the compromised
system, and because it runs in kernel mode, it is very hard to detect. On the other
hand, rebooting the system will remove it, forcing the attacker to compromise
the target all over again.
Unfortunately, other types of malware besides rootkits are also hidden. Attackers hide keystroke
loggers and other types of spyware using the same methods as some of the rootkits described earlier. A few
months ago, my colleagues assisted a very unhappy customer whose company's
computers were crashing frequently. The underlying cause was a piece of spyware trying to hide itself as a
kernel-mode rootkit.
How can I detect and remove rootkits from Windows?
Detection and removal is still
frustrating. Aside from a few established rootkit detection tools, including VICE,
Patchfinder2 and klister, many
tools were written by the same people who created rootkits. I don't know about you, but I have a hard
time entrusting malware authors
to clean up compromised computers.
However, several things happened in
February to shine the spotlight on rootkits and prompt the creation of new detection
tools. A rootkit mention on the blog of Bruce Schneier, author of Beyond Fear, and a presentation Mike Danseglio and I gave on Windows rootkits at the RSA Conference received a
surprisingly extensive amount of press. Since then, security vendors Sysinternals and F-Secure Corp. have
released standalone tools for their existing security suites to deal with rootkits. Microsoft has also added
rootkit detection and removal to
its Microsoft Malicious Software Removal tool, which it updates monthly.
Unfortunately, each time an
existing tool is updated or a new tool is released, many rootkit authors update their malware to avoid detection. This results in an ongoing cat and mouse game that
leaves systems administrators and computer users victimized.
All of this may sound terribly
depressing, but there are effective measures you can implement to minimize the
risk of being afflicted by rootkits or spyware. You should already be taking the following
steps to secure your organization against this type of malware:
Maintain up-to-date antivirus and
antispyware software.
Deploy network and host-based
firewalls.
Stay current on patches for
operating systems and applications.
Harden the operating system.
Use strong authentication.
Never use software from sources you
don't trust.
We will explore a defense-in-depth
approach to protecting your computers and networks in a later article in this
series. In the meantime, check out Strider, a Microsoft research project for
maintaining system integrity.