An Introduction to Spyware, and Why You Should Be Concerned

by Patrick G. Salsbury (salsbury at sculptors dot com)
November 4, 2003

Doc URL: http://reality.sculptors.com/~salsbury/Articles/spyware-intro.txt

Have you seen "Spybot - Search & Destroy" yet? It's WAY cool...

This started out as a quick note to just a couple of friends, but I realized while writing it (and while scanning my own machine) that it is useful info for many folks who might not think about security (or even know where to start!), so I've fleshed it out a bit. I've tried to give some more generally useful info, since most people currently on the Net use Windows, and we all suffer the effects of poor security. (...Most often, from other people's infected computers!) The most recent version will always be available at the Doc URL listed above.

The other day, I was helping a friend (who's not usually very proactive when it comes to security) debug his computer from all the freaky ad popups and cruft that was making his XP machine act (to me) extremely bizarrely: It was slow, especially when trying to change configuration settings, even though it's a relatively new computer (last year) that's probably 4-6 times faster than just about any computer I own. You could also hear the disk grinding away most of the time, even though he had lots of disk space and lots of RAM, and a fast DSL connection.

His browser (IE) home page was pointing somewhere he didn't want, and changing it didn't stick. It kept returning to that same page after I rebooted the system.

Perhaps the MOST bizarre (and frustrating) thing were all the pop-up windows. You could literally NOT TOUCH A SINGLE THING and just watch new windows open themselves up every 10-20 seconds, with lots of annoying flashy ads for online gaming, adult sites, and scary-sounding warnings about how his system might contain "spyware", coupled with offers for programs to detect said spyware.
I had warned him that some of the ads for anti-spyware software were often themselves spyware, but I hadn't really done much spyware research, other than reading a few news stories, so I didn't have much more advice than that. I'm much more educated now, and learning more as I go. For example, many of those anti-spyware ads really *ARE* spyware, which detect and remove some spyware on your system while simultaneously installing their *own* monitor programs on your machine! Some of them even go so far as to detect and disable REAL anti-spyware software, so that they won't be discovered!

He said "I don't have anything to hide. They can look at my computer if they want." (Ominous sounding, right? Like "famous last words" perhaps? Read on...)

If you know me, you can imagine my response. :-) I told him how they could use cookies to track his browsing, report info about him or in files on his machine to unknown sites/people on the Net, and even install "key-loggers" to grab his passwords or other private info. He said that he didn't even *have* a credit card, and that if they *really* wanted to know what porn sites he went to, they were welcome to that info. :-)

While I applauded his "no fear, no shame" attitude, I also felt that some of it was a bit naive and that perhaps he just didn't fully understand the possible ramifications. I pointed out that since he had a nice, fast DSL connection, and a fast computer, he made a good target. Even if he didn't think his personal activities were valuable, his *resources* are extremely valuable to system-crackers, who employ machines by the thousands to conduct massive attacks or to send out millions of pieces of spam.

People often make this mistake.
They think that their desktop PC, often used only for email/browsing/games/etc., coupled with their own lack of knowledge about computers, somehow makes them uninteresting to crackers, when just the opposite is often true: A modern, fast machine sitting on a fat DSL or cable pipe is a juicy target. *Especially* if the owner doesn't know a lot about security, or just doesn't care. They might secretly make his machine into a node on one or more "stealth" peer-to-peer networks and use his machine and fast link without his knowledge or permission. Your machine becomes a great vector for launching further attacks on more valuable targets, or to send out lots of spam without being held accountable/traceable, to launch "Distributed Denial-Of-Service" (DDOS) attacks on other sites, to swap illegal files (yes, perhaps even the dreaded child pornography!), etc.

Aside from the system-cracker aspect, any marketing people who would choose to use something like spyware to track your movements and habits, or to serve you ever more (and tastier!) ads are obviously not looking out for your best interests. I don't fully grok this almost-fetishistic tracking of complete strangers, but it's quite prevalent. (Then again, I don't grok why so many strangers Out There want to enlarge my penis, but there seem to be a lot of *them*, too! ...Weirdos. ;^) )

Anyway, since I didn't then know much about spyware, I figured this was just a simple browser config problem. I re-installed the Guidescope ad- and cookie-blocking software (which I also highly recommend, see http://guidescope.com/), which I had set up for him before, but it was lost during a system-crash and restore to an earlier state. But even with Guidescope running and merrily blocking ads and cookies, we still saw the popups. More research showed me how to turn off the ActiveX and Active Scripting things in IE, but we *still* saw them.
I also installed the Mozilla (http://mozilla.org/) browser for him, as another alternative to IE, should he want to use it. Aside from cool features like tabbed browsing, it also has better control over pop-ups, although even this didn't get rid of all of them.

By now, many hours had passed. Using up-to-date data files, we performed a full virus scan of his system. We found 6 trojan-horse programs (which are known for installing other programs and opening ports on your computer to allow further infections), but even after those were fixed up, we still saw the popups, his browser home page was being changed back after reboots, etc.

I also installed/configured a personal firewall package that had come with his PC, but which he hadn't set up. That quickly identified things on his PC that were trying to get out, as well as showed all the things out on the Net that were trying to contact his machine. Some of these were valid, some weren't... However, it pointed me in the right direction, revealing a bunch of unknown *.exe programs running on his task list. Many of these didn't show up in the start-up menu, so I wasn't sure what they were. A quick Google search on a few of their names showed me that some were standard Windows system files...and some were spyware. :-(

By now we were heading toward dawn, and he had sacked out. I had thought that with the virus scan, firewall, etc., that I might be nearing completion and could go home. No such luck. And after finding out that his machine was infected with spyware, I would have felt bad just leaving it in that state. It'd be like telling a friend with the Flu that you *wouldn't* go to the store for them to get some medicine, and they were just going to have to suffer. So...back to the web for another 3-4 hours of research...
Google is great for this, because I could find not only the names of lots of allegedly anti-spyware programs, but could also cross-reference what others were saying about them, not just relying on the website's ad copy. (There were MANY different sites claiming to be anti-spyware. They all claimed to be the best one, most updated, most thorough, yada-yada...) However, doing a Google search for the program name plus the words "spyware" and "warning" often turned up a whole different set of pages where people had posted warnings about the program in question, revealing that it was also spyware, and detailing how it worked to invade your privacy.

Eventually, this cross-referencing technique (and several hours poring through dozens of sites with lots of educational info) gave me three good candidates that (according to general consensus) didn't seem to contain spyware in them and didn't charge money for the apparent "privilege" of getting control of the computer back by removing any infections. Many of the programs that turned out to be "wolves in sheep's clothing", as well as some legitimate anti-spyware tools, would offer "free trials" and "free scans" of your machine, but would eventually hit you up with a "registration/activation/subscription fee" or a "Pro/Commercial/Full Version" that would actually remove (some of) the spyware that was detected. Classic bait-and-switch behavior. Very crappy.

As it turns out, I went with "Spybot - Search & Destroy" and was so impressed with it that I never even tried the other two programs I had installed. However, Spybot detected the other detectors and helpfully warned me about possible conflicts with them. (Since Spybot backs up infected files before fixing your system, the other programs may detect the original spyware in those backup files, and may then raise a false alarm for spyware that's actually already in quarantine.)
Spybot - S&D is completely free, and there's a place where you can make donations if you feel his work is Helpful and Good(tm). I first had Spybot update its data files, and it jumped from ~5800 known problems to scan for up to more than 10,400 known problems! I then ran a scan on his system and it found *288* different files scattered across the drive with known spyware, adware, hijackers, trojans, etc. All of these were missed by the up-to-date virus scanner program. (Which is very good, but apparently virus scanners are NOT the proper tools for detecting spyware at this time.)

Some of the detected programs were disguised as useful little apps to do things you might actually want, like time-sync your computer precisely with the Atomic Clock, add useful search bars and tools to IE or your desktop, give you some sort of cute little animated "helper" character on your desktop that tells jokes, dances, strips naked, or whatever thing it is that they use to hook you and get you to install it. Some apps will fetch you current info about weather, movies and events in your local area. Yet while they were performing these useful or entertaining functions on my friend's computer, they were also secretly installing other programs, reporting his computer usage out to who-knows-where, and all sorts of other computer security nightmares.

The initial scan found 288 known problems, including descriptions of what they were, where to find more info, and even the Privacy Statements from the websites of many of the spyware authors (and what's vague or seemingly wrong with the wording which allows them to sneak around it while *seeming* like they're concerned about protecting your privacy). It was able to quickly fix them, making backups along the way in case you later found something that went wrong and needed to recover the spyware file, for some reason.
After that initial scan, I turned on scanning for things like user-tracking wares, cookies, registry anomalies, etc., and it brought another 116 things to my attention. It has functions to immunize against future attempts by known problems, and even has a listing of all the programs that will get started by your system at boot, regardless of whether (or not) they show up in the start-up menus, System Tray, or whatever.

I just installed it today on our Win98 machine (which I don't use for email, and have disabled Outlook Express so that it doesn't even KNOW about servers to connect to, just in case it ever gets infected in the future) and it just found 49 problems. (Eek!) Which prompted a lot more research on my part and the writing of this essay.

Some of the problems Spybot - S&D found included usage-tracking cookies, the "Brilliant Digital" software, which apparently made my computer into a node in their stealth P2P network (although since I'm behind a slow dialup line and a firewall, I suspect that was not terribly useful to them), and even an old security hole in IE from Feb, 2002 that allows a properly crafted web page to run arbitrary commands on the Windows system *without* Active Scripting or ActiveX. Apparently, this has never been fixed by Microsoft, since I keep the machine current with "Windows Update" (and just checked again today). (*SIGH* - Have I mentioned recently how bad Windows is? People think I'm just prejudiced with my rants, but I really DO have reasons why I dislike it so much! :-) )

When I turned on the additional usage-tracking scans, Spybot - S&D found another 80 things to bring to my attention, which aren't "critical", but stuff to review and decide if I want around or not, like the 87 cookies IE has decided to store despite my cookie-blocker tools, various logs, files I've recently opened, and the like. I have been quite proud to have never had a virus on that machine, which we've had for about 5 years.
But now I see that there are other threats, and other vectors, such as Instant Messaging, nasty web pages, and these "helpful" free applets from websites that secretly install other things on my computer. Simply not using this machine for email has worked pretty well, but things keep evolving...

Some stats, links, and resources:

I've also installed "SpywareBlaster", which was recommended in the "Spybot - S&D" configuration menus. It has an interesting method of blocking ActiveX programs from running or even installing. And it doesn't need to be kept running on your system in order to protect it. And from the SpywareBlaster FAQ, I found these helpful links (the first URL at Wilders.org is the home of the SpywareBlaster program, for those interested):

-------------------------------------------------------------------------------
#9) I'm new to this "spyware" stuff. Where can I get more information?

-There are many places online that provide excellent information on spyware/adware. A short list of links to get you started is included below (copy and paste these links into your browser):

*Wilders.org --> http://www.wilders.org
*SpywareInfo --> http://www.spywareinfo.com
*Doxdesk.com --> http://www.doxdesk.com
-------------------------------------------------------------------------------

Another good introductory-level article by Stan G. Kain is at http://magic-city-news.com/article_364.shtml and has more info about spyware threats, and info about SpywareBlaster and its sibling program SpywareGuard, which sits resident in memory (like Norton Antivirus or the like) and scans programs you download to provide constant protection.
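The article says SpywareBlaster blocks ActiveX controls "from running or even installing" without staying resident, but does not say how. The documented IE mechanism that behaves exactly that way is the "kill bit": a "Compatibility Flags" DWORD with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} makes IE refuse to load that control, so a web page can neither run it nor trigger its installation, and nothing has to be running for the block to hold. As an added example (not SpywareBlaster's code, and the page does not describe SpywareBlaster's internals), the script below reads a registry export of that key, reports which controls on a wanted-blocked list are not yet kill-bitted, and renders a .reg file that adds the bit while preserving any other flag bits already set. The CLSIDs are placeholders, not real controls.

```python
"""Check which ActiveX controls IE will refuse to load, and emit a .reg to block more.

Added example; not SpywareBlaster's code.  Relies on the documented IE kill bit
(Compatibility Flags & 0x400) under the ActiveX Compatibility key.  The CLSIDs
and the registry export below are constructed placeholders.
"""
import re

COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400

# Constructed export of the compatibility key: one control already blocked,
# one with some other flag set but no kill bit.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000002
'''

# Placeholder list of controls you want blocked (a block list you maintain or import).
WANTED_BLOCKED = [
    "{11111111-0000-0000-0000-000000000001}",
    "{22222222-0000-0000-0000-000000000002}",
    "{33333333-0000-0000-0000-000000000003}",
]

_SECTION = re.compile(r"^\[(.+)\]$")
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{1,8})$', re.IGNORECASE)


def parse_compat_flags(reg_text: str) -> dict[str, int]:
    """Map each CLSID under the compatibility key to its Compatibility Flags value."""
    flags, current = {}, None
    prefix = COMPAT_KEY.upper() + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        sec = _SECTION.match(line)
        if sec:
            path = sec.group(1)
            # Only direct subkeys of the compatibility key carry kill bits.
            current = path[len(prefix):].upper() if path.upper().startswith(prefix) else None
            continue
        m = _FLAGS.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags


def is_kill_bitted(flags: dict[str, int], clsid: str) -> bool:
    """True if IE will refuse to instantiate this control."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)


def missing_kill_bits(flags: dict[str, int], wanted: list[str]) -> list[str]:
    """Controls from the wanted list that are not yet blocked on this machine."""
    return [c for c in wanted if not is_kill_bitted(flags, c)]


def render_kill_bit_reg(flags: dict[str, int], clsids: list[str]) -> str:
    """Build a .reg file that sets the kill bit, keeping any other flag bits intact."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for c in clsids:
        new_value = flags.get(c.upper(), 0) | KILL_BIT
        out += [f"[{COMPAT_KEY}\\{c.upper()}]",
                f'"Compatibility Flags"=dword:{new_value:08x}', ""]
    return "\n".join(out)


if __name__ == "__main__":
    current = parse_compat_flags(SAMPLE_EXPORT)
    todo = missing_kill_bits(current, WANTED_BLOCKED)
    print(f"{len(todo)} control(s) still loadable; .reg to fix:")
    print(render_kill_bit_reg(current, todo))
```

On a real machine you would export with `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg` (regedit writes UTF-16, so read it with `encoding="utf-16"`), run the script, and import the result with `regedit /s`. Note the OR rather than assignment when rendering: the second placeholder control already has flag 0x2, and the output keeps it (0x402) instead of clobbering it. Setting the kill bit also stops a control you legitimately use, so review the list before importing; that is the same trade-off SpywareBlaster's per-item enable/disable exists for.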
I've installed both SpywareBlaster and SpywareGuard, and recommend them:

http://www.wilderssecurity.net/spywareblaster.html
http://www.wilderssecurity.net/spywareguard.html

I've also discovered that Spybot - S&D has a "Resident" function in the Advanced mode configuration (under "Tools") which will allow it to sit resident in memory to keep scanning programs as you download them, but I'm not yet sure if there's a way to enable this at boot time, or if it stays in memory after exiting the main Spybot S&D console.

Email as a class is definitely still the #1 malicious-code vector in the world, and I think Outlook Express may still be the #1 malicious-code vector PROGRAM in the world, due to a combination of factors that add up to danger:

1) its default inclusion with Windows & IE (so everyone has it, whether they use it or not)

2) the automatic configuration wizards, which try to set it up to talk to your mail servers when you first configure your browser or some other programs (so that even if you use a completely different program for email, it's still there and able to talk to the world, and to start sending out worms, viruses, or spam whenever some malicious program asks it to)

3) the automated address-collecting functions (so that if you *do* use it for email, by default it keeps a database of the email addresses of all your friends, family, co-workers, and anyone else who has ever contacted you via email. Including all those spammers with their faked addresses!)

4) all the other security problems inherent in the underlying Windows system.

So, simply disabling Outlook Express and using *ANY* other email program is probably the single most effective thing you can do to protect yourself from (some) internet threats. (The next best thing is probably to not click on attachments in email...but you know that, right? :-) ) I get hundreds of emails with virus/worm attachments each week, but they don't work on Linux, so they're merely humorous, not scary.
(Please also note that "Spybot - Search & Destroy" should not be confused with the "SpyBot" peer-to-peer worm that I just discovered while researching this article. Info at: http://www.viruslist.com/eng/viruslist.html?id=60639)

The VirusList.com site is worth exploring, as it seems to be a clearinghouse of good info. It claims to be "the biggest virus encyclopedia" and also has virus news, updates and calendar info, as well as a monthly "Top 20" list of the 20 most widespread threats. Interestingly, Internet worms are the most prevalent type of malicious program, at 90.76% for October, 2003 (70.94% of *that* was just from the "Swen" Internet worm!) Ironically, "Swen" disguises itself as a "Microsoft Internet Update Pack" and pretends to go through a whole patch/install procedure (complete with graphics and all)...before taking a big dump all over your hard drive and spreading itself to everyone you know. True "virus" programs were only 2.77% of the October threat, and Trojans like the ones that hammered my friend's machine were more than twice as prevalent as viruses (6.46%) and comprised 9 of the "Top 20" threats. See http://www.viruslist.com/ for the latest rundown.

Spyware is relatively new technology, and most antivirus programs don't detect it. (As I've been finding out.) Check out the Spybot website (or its mirrors) and look at the FAQs and other info: http://www.safer-networking.org/

And don't just take my word for it! Here's a great testimonial I found from Chris Pirillo at TechTV: http://www.techtv.com/callforhelp/freefile/story/0,24330,3416693,00.html

"Spybot -- Search & Destroy
If you're tired of hearing me recommend this free file, too bad. It works. Spybot -- Search & Destroy effectively detects spyware, adware, key loggers, Internet dialers, browser hijackers, and even some trojans. Are you getting charged $200 a month for phone calls to the Cayman Islands? Get this free file. Do you have to reset your homepage every time you open Internet Explorer?
Download this free file. Do you.... You get the picture."

I give "Spybot - Search & Destroy" 2 thumbs up, and intend to tell my family, friends, and anyone else who is either forced into (or still insists on) using a Windows operating system, with all of its ridiculous security holes. (65,000+ known viruses and counting! And roughly another 250 new ones each month... Collect the whole set! :-) )

I'm not about to say "mail this to everyone you know", but I'm certain that you can probably think of a few people who might need this tool more than others. :-) If you use Windows, you owe yourself a scan. However, you're liable to be frightened by what you discover.

One parting caveat, though: In my zeal to turn on all the advanced automation features, I managed to wedge Spybot into a state where it would seem to start at boot but wouldn't let me in to change any settings or interact with it. I couldn't restore, maximize or close it. All I could do was kill it from the Task Manager. As per the Support FAQ #023 at:

http://www.safer-networking.org/index.php?lang=en&page=knowledgebase/faq/faq023

removing this file:

'C:\WINDOWS\Application Data\Spybot - Search & Destroy\Configuration.ini'

fixed that problem and reset things to the default values. (Merely rebooting or uninstalling and reinstalling didn't fix it, because that file lives in a directory you must delete by hand, since that's where all your backup files live. See FAQ #027.) The 'Spybot - S&D' author plans to make some changes in the next release (1.2.1) to prevent such no-interaction instances from happening. So don't be too gung-ho too soon! :-) Take it easy when switching on automation options, and take the time to read through the help files and web site. They've got lots of good info.

-- Pat

___________________Think For Yourself____________________
Patrick G. Salsbury - http://reality.sculptors.com/~salsbury/
Interested in learning or teaching about the future?
Check out the future-studies mailing list at http://reality.sculptors.com/lists.html
---------------------------------------------------------
"Once you have the knowledge about making something better, and you have the ability to do it, then you have the responsibility." - Sanford Mazel