Wednesday, October 12, 2005

Spyware and Adware: A Warrior's Guide

In a recent discussion with Symantec Corporation, I learned that Symantec found itself forced to start dealing with spyware and adware simply because users of Symantec antivirus programs really couldn't tell the difference between a system infected with malware (virus, Trojan, worm, and so forth) and a system infested with adware or spyware. In fact, I was told that for the past 3 months, nearly one out of every five calls for help to Symantec ended up involving spyware or adware rather than malware.
Before you feel sorry for those poor ignorant folks who can't tell the difference, stop and think about the most common symptoms. As it happens, some forms of spyware or adware can present the same sorts of telltales that malware can—namely diminished performance, system instability that can be occasional or more constant, mysterious appearance of new processes, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports opened for no apparent reason, and so forth. However, other symptoms of adware or spyware—such as increased pop-up ads, or changes to default home pages or search engines—seldom occur from malware, if ever.
These days, malware experts recognize that certain threats should rightly be called blended, in that they combine virus, worm, and sometimes even Trojan characteristics within a single executable. But in some cases, the same is true for spyware, in that it may include Trojan characteristics (reporting of data gathered or harvested from user machines has to occur somehow, and some such software uses Internet Relay Chat [IRC] or other instant messaging services, or may simply open specific ports to signal its readiness to serve up information on demand; other types are more aggressive and include back doors or clients designed for unadvertised and unauthorized remote access). Likewise, some adware also includes mechanisms to transfer ads to user machines so that they can be displayed even when a PC isn't logged on to the Internet (and boy, can that ever give you a case of the creeps the first time that happens)!
The boundaries between malware, adware, and spyware are getting harder to draw cleanly, so we can't help but observe that Symantec isn't the only vendor with a well-known set of anti-virus tools (not to mention other personal and organizational security offerings) that is taking steps to exclude adware and spyware using its protective shielding—there's an increasing trend among the major players to make antispyware/anti-adware part of their offerings, and to include such functionality in their bundled products as covered in Appendix A. But where a sense of urgency and importance in protecting one's PC from malware is pretty well understood and established, protecting oneself against adware, spyware, and other forms of unwanted software and content is really just starting to take hold. In fact, in a July 2004 report from Trend Micro (makers of PC-Cillin, another well-known antivirus package with growing antispyware and anti-adware coverage) includes this chilling statement: "Reports now show that nearly one in three computers are infected with a Trojan horse or system monitor planted by spyware. These hidden software programs gather and transmit information about a person or organization via the Internet without their knowledge." According to definitions presented earlier in this book, it's hard to say what's spyware and what's malware because of these capabilities—it's really both!
Microsoft's Protect Your PC Web page fails to make this case. Although the company clearly recognizes the importance of patching a PC's operating system (and especially, of keeping up with security updates), strongly recommends the use of a firewall, and stresses use of up-to-date antivirus software, it omits mention of any need to protect PCs against adware, spyware, spam, and other forms of unwanted software and content. I'd argue that the company's more protective security defaults in Windows XP Service Pack 2 (SP2), along with the pop-up blocker in Internet Explorer (IE) and the more capable Windows Firewall, signify Microsoft's growing sensitivity to such matters. But the company's failure to mention adware or spyware does not mean you needn't worry about its potential impact on your PC, or that you shouldn't add some kind of antispyware and anti-adware software to your personal PC security arsenal.

What Are Spyware and Adware, Really?
You've already seen formal definitions for these terms earlier in this book, but their essence is that both types of software enter a system uninvited and often without soliciting permission. Whereas adware may sometimes claim it's been granted permission because of terms and conditions buried somewhere in fine print in a multipage software license or end user license agreement—you know, the ones where you click "I agree" without necessarily reading all the fine print—most experts agree that claims of full and open disclosure as a result are not credible or terribly ethical. Spyware seldom seeks to cloak itself in respectability, but some kinds of spyware—especially browser cookies designed to profile visitors who return to a Web site—may also be granted user permission through licenses or usage agreements. What's different about spyware as compared to adware is that it gathers information about users so it can report it to a third party. What's different about adware as compared to spyware is that it seeks to create conduits for sending or displaying advertisements (and may also collect user information to better target ad selection based on user preferences, sites visited, items purchased, and so forth) as a primary objective.
How would you classify an item of software with the following characteristics?
• Shows up uninvited, and attempts to foil various potential means of detection (antivirus, antispyware/anti-adware, and sometimes even firewall software). Does everything it can to stay hidden and remain undetected. These are characteristic of spyware, adware, and malware alike.
• Scans all files on the computer on which it resides (especially e-mail messages, documents, text files, and other sources of personal information), harvesting names, addresses, phone numbers, social security numbers, bank account information, credit card numbers and other related data, and so forth). Stores all of this information in some covert manner, possibly encrypted. This is a typical characteristic of more malicious forms of spyware.
• When some time or data collection threshold is passed, opens a "safe" port on the infected computer and uploads all harvested data to a server elsewhere on the Internet. As soon as the upload concludes, the open ports are closed and the software goes back into hiding. Alternatively, the software could create an e-mail message, and then use a client e-mail package to send it or employ its own built-in Simple Mail Transfer Protocol (SMTP) engine. This opens a back door to communicate private, confidential information without a user's knowledge or consent and is characteristic of spyware and some Trojans.
First, it's important to state that, as I write this chapter, no known malware or spyware exhibits this exact collection of characteristics. Security experts also believe that malware is changing from a hobbyist or "mountain climber" mentality (those who do things for fun, or because they can or want to prove they can) to more of a professional criminal mentality. Now that repeated exploits have demonstrated how vulnerable common operating systems and applications can be, professional criminals can't help but recognize serious opportunities to practice identity theft and use that information to steal money from unsuspecting Internet users. Many American households carry $20,000 or more in combined lines of credit and unused credit card balances; without careful fraud detection and alerting from card issuers, those same households might have to wait until their next statement to realize they've been victimized. Right now, the code to do all of the things described in the preceding list already exists in bits and pieces, so now new technology is needed to stitch them together and create a single program with all those characteristics.
Facing a threat of this nature, who cares if it's spyware or a Trojan? In fact, it's a blended threat and one with economic consequences of enormously grave proportions. Although I'm aware of nothing like this in the wild just yet, it's probably just a matter of time before something indeed comes along.
Why Install Antispyware/Anti-Adware?
Financial Armageddon aside, less damaging forms of spyware and adware have their own downsides. From the standpoint of simple irritation (or user's rights), nobody likes to see an unwanted piece of software changing home page selections, resetting search engines, or installing unwanted toolbars, ad engines, or other things designed to enhance somebody else's opportunities to take advantage of your Internet access. Likewise, because some adware or spyware causes system performance to degrade, or makes systems unstable, it's simply got to go. In Chapter 4, you should have gotten the sense that manual removal of spyware or adware can be time-consuming, tedious, and sometimes downright difficult. Because that's increasingly the case as new forms of adware and spyware are discovered, I believe installing antispyware/anti-adware software is both appropriate and effective.
Remember also that there are two ways in which antispyware/anti-adware software is designed to be used:
• Scanning, detection, and removal—This uses the software to systematically examine a system's memory, important data structures, and files to look for traces of spyware or adware. During the scanning process, all such identifications are logged and then reported to the PC's user. Users can decide on a wholesale or a per-item basis which items they might wish to keep or remove, after which the software handles cleanup and removal activities automatically for all selected items.
• Real-time detection and blocking—This requires that antispyware/anti-adware software be running all the time, and that it be allowed to inspect all incoming data on a PC—instant messages, file transfers, e-mail, Web pages (and active content), and so forth. If the antispyware/anti-adware software sees something it recognizes as malign, it can block it from entry and either alert the user or write a log entry to a file. If it sees something suspicious (or potentially risky, like a change to your Windows Startup Items), it can warn the user of a pending change or arrival and require the user to grant explicit permission before it will be allowed to proceed.
At this point, it's entirely reasonable to ask: "Where does antispyware/anti-adware software get the information it needs to recognize known items?" and "How does antispyware/anti-adware decide what represents suspicious behavior?" The answers both come from deep inspection and analysis of known instances of spyware and adware, as does the answer to another important question: "Given some known spyware or adware item, how does antispyware/anti-adware know how to clean up after it and remove all traces of its existence?"
In an important sense, all antispyware/anti-adware software consists of four important parts:
• Software that monitors system activity and is able to intercept certain types of activity or data transfer that might contain spyware or adware. This means inspecting incoming data and alerting users about specific types of behavior associated with adware or spyware (changing search or home page defaults, adding toolbars or Startup Items, and so forth). This maps to the blocking function that requires antispyware/anti-adware software always to be running in the background.
• A database of telltale filenames, Registry keys, and other information it can use to profile known spyware to compare against observed characteristics on some particular system, or in data seeking entry into a system. This kind of information is generally called a definition or a signature because it helps to identify specific items of adware, spyware, or other unwanted software. This database maps to the scanning and identification function whereby antispyware/anti-adware software inspects all files, memory, the Windows Registry, and anywhere else such software might leave telltale traces behind.
• A database of cleanup activities associated with specific adware or spyware items, so that once they're recognized, cleanup and removal can be automated and users relieved of that responsibility and effort. Should a scan ever report signs of infection, this makes it relatively easy to initiate cleanup and removal operations.
• A reporting tool that can gather information about a system that shows symptoms of infestation, but where no known spyware or adware can be identified. (The software can also use the same facility to report bugs or other failures about itself as well.) Although users can refuse to share such data with software developers or vendors, this is a valuable means of data-gathering when new forms of adware or spyware are encountered in the wild, and provides important clues (and can often lead directly to the offending software) that will help in the creation of spyware or adware definitions and cleanup/removal tools to counter them.
Hopefully, it's obvious why any scan should be preceded by a download of the latest software updates and any new adware or spyware definitions: the latest and greatest software and databases will maximize chances of detecting and cleaning up after something new.
Scanning for Adware and Spyware
Assume you've installed antispyware/anti-adware software on your computer (if this assumption is incorrect, you might want to jump ahead to the "Top Antispyware/Anti-Adware Picks," section, where you can read about candidates for and the processes involved in installing this kind of software on your PC). After such software is installed, you should use it immediately to scan for possible spyware or adware infestation. This guarantees a clean start for your system going forward (or will help you clean up and restore your system to a more or less pristine state).
This usually means digging into program menus and finding out how to use a program's scanning capabilities. Let's take a look at how you'd do this with Spybot-Search & Destroy (as I wrote this chapter Version 1.3 had just been released; the relevance of this description will vary as version numbers change, but it should still give you an idea about what's involved in this effort). Here are the opening steps involved in scanning and starting a repair (I'll describe the rest verbally, because system restarts make it nearly impossible to capture screen shots during that process):

1. Launch Spybot-Search & Destroy. I did so by clicking Start@@>All Programs@@>Spybot-Search & Destroy (menu heading)@@>Spybot-Search & Destroy (program name). You can also click Start@@>Run, type %ProgramFiles%/Spybot - Search & Destroy/SpybotSD.exe in the Open dialog box, and click OK. This produces the screen shown in Figure 7-1 .
Note%ProgramFiles% is a runtime variable that translates into the root directory where Windows XP puts programs by default. On an unaltered installation that's usually C:\Program Files.
2. In keeping with best usage practices, click the Search for Updates button next. This will automatically look for, download, and install any software or definitions that have been added since the last time updates were checked.

3. To scan a system, click the Check for problems button. The program begins scanning the system on which it's running, showing a progress bar at the bottom of a window. When the scanning process completes, you'll see a screen like the one shown in Figure 7-2 , which lists an issue with a DSO exploit as the only problem discovered.
NoteThis vulnerability actually refers to potential vulnerabilities in Internet Explorer that relate to default Security Zone settings. Apparently, they're not fixed in the version of IE that ships with Windows XP SP2 because Spybot-Search & Destroy discovered them in a clean, unused installation. That said, the fix is minor, entirely automatic, and prevents a vulnerability that permits code to execute without requesting permission and without using Active Scripting or ActiveX. For more information on this common problem, see

4. At this point, you can clear any items you're not sure about (or you might even want to visit your favorite search engine and read up on problems by name to help you decide what to do). In most cases, however, it's entirely safe to leave everything selected and then click the Fix Selected Problems button to let the software do its thing. That's because Spybot–Search & Destroy saves backup copies of any items it removes, and you can always use the Recovery item in the left pane to restore something if your system gets flaky afterward. For the same reason, the software creates a System Restore point before it starts fixing any items, so you can always get back to where you started even if your system won't boot; this notification screen appears in Figure 7-3 .
After this point, the software goes through cleanup and removal operations for each of the problems it attempts to fix. For DSO Exploit, this meant agreeing to permit the program (and the system) to shut down and restart. On that next startup (because Spybot-Search & Destroy inserted itself into the Run Once Registry key), the program ran before normal program loads completed, so it could undertake cleanup operations on files that would otherwise be loaded into memory and therefore more difficult to remove. According to documentation I found on this problem (see the preceding Note), the program rewrites some Registry entries that must be handled during startup. I experienced no problems from these changes and have observed outstanding results from everyday use of this software.
Notice that Spybot-Search & Destroy handles all the messy details that can make manual removal and cleanup so much work, right down to creating restore points and inserting itself into the Windows startup sequence. (This is why you had to boot in Safe Mode to conduct manual repairs, because handling keyboard input requires that bootup be completed.) I believe that automated repair is usually better than manual, because it takes all the precautions that human users in a hurry may sometimes be tempted to skip, and because it is presumably tested very thoroughly to make sure it's working (and safe for most systems) before it's released to the public.
Before I move to the next section and talk about blocking spyware and adware, we'd like to make one more valuable point about regular system scans. Our point provides the answer to this question: "If you scan immediately after installing antispyware/anti-adware software, and keep that software updated, why are regular scans necessary?" Remember that there's always a time lag between discovery of spyware or adware in the wild and corresponding definitions and cleanup and removal routines. If you should get infested on Tuesday with something new, and download a new set of definitions and cleanup and removal routines on Friday, chances are pretty good that a Friday scan will also detect and repair that infestation. When it comes to spyware and adware, blocking is not always 100 percent effective, so regular scanning (and clean-up, when necessary) is absolutely essential!
The Online AlternativeIf you'd rather not install antispyware/anti-adware software on your system right away (or at all), you can still take advantage of numerous excellent scanning services online. I'll give you a list of URLs for such sites right after I explain why I don't consider this to be an entirely satisfactory alternative to installing this kind of software on your PC. It's because, for whatever reason, there don't seem to be any online scanning services that also offer cleanup and repair. Sure, they can find the stuff, but they don't seem to be inclined to fix it (probably for the very good reason that such software has incredible power to do harm as well as good, and most people aren't comfortable turning that level of system control over to a Web site). Keep this caveat in mind as you scan this short list of quality online spyware scanners (all of them download software to your system to do their jobs, by the way, but most of them remove all traces of same when they finish):• PestPatrol's PestScan does an excellent job of ferreting out and reporting on spyware and adware (• Spy Audit-This is the scanning part of Webroot's excellent Spy Sweeper product, or something very close to it (• XBlock's X-Cleaner is no longer available on their own site, but you can still access and use their tool through (
For still more alternatives, visit your favorite search engine and use something like free online spyware scan as a search string. You'll be amazed at the number of offerings that pop up!

Blocking Spyware and Adware
In the previous chapter, I explained that pop-up blockers work by inspecting incoming Hypertext Markup Language (HTML), Extensible Markup Language (XML), JavaScript, and other markup or code to look for evidence of pop-up advertisements. If such evidence appears, the browser is instructed not to open a new Window; if no such evidence is found, it's allowed to proceed. Blocking spyware and adware can be a bit trickier because there' s more, and more complex, code to read and decipher and because, in far too many cases, users deliberately (but usually neither consciously nor willingly) initiate the downloads without knowing that adware, spyware, or malware elements may lurk within their contents.
This is where recognition by element name (especially items like filenames, DLL names, or Registry keys and values) can usually permit identification to occur before requests to write such elements are allowed to go through. This works fine for known items of spyware and adware, because they have already been analyzed, profiled, and their telltale characteristics recorded and enshrined in various databases. But what about new spyware or adware that hasn't yet been dissected or cataloged?
That's why certain characteristic behaviors are often flagged for alerts by antispyware/anti-adware programs. Thus, when you install legitimate Windows programs that add to the Windows Startup Items, you'll be queried just to make sure those changes are on the up-and-up. They can't proceed until you give your permission, on the theory that you'll be expecting this interaction when you're installing wanted software, and warned about potential problems when unwanted software is trying to install itself. The same drill applies to default home page and search engine settings: if you jump into IE and change these settings for yourself after you've installed antispyware/anti-adware software, you'll have to approve those changes with the built-in monitor before they'll "take" for good.
Although this involves a little more activity and some possible minor inconvenience, I think it's worth it for the added sense of security this protection provides. In fact, you don't need to become at all concerned until such a dialog pops up without a good reason! At that point, some investigation—including updates to your software, and a scan for adware and spyware—is probably a good idea.
In the next section, I present some leading antispyware/anti-adware products. But with this market sector currently exploding, be aware that new products show up almost on a daily basis. Also check with your current antivirus vendor to see what they might have to offer in this space. Nearly all of the major antivirus players, such as Symantec, McAfee, Trend Micro, FRISK, and so forth, have recently begun to offer, or soon plan to offer, antispyware/anti-adware products, and to include such coverage in their current offerings or product suites.

No comments: