The combination of user naiveté towards malware and the assumption by Internet Explorer that all ActiveX components are benign led, in part, to the massive spread of spyware. Many spyware components would also make use of flaws in JavaScript, Internet Explorer and Windows to install without user knowledge or permission.
If so, they will be automatically restored. This ensures that the spyware will execute when the operating system is booted even if some (or most) of the registry links are removed.
The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware, and some anti-spyware programs such as Ad-Aware report it as such. Many of these adware-distributing companies are backed by millions of dollars of adware-generated revenue.
This presents a dilemma for proprietors of anti-spyware products whose removal tools may inadvertently disable wanted programs. For example, recent test results show that bundled software (WhenUSave) is ignored by the popular anti-spyware program Ad-Aware (but removed as spyware by most scanners) because it is part of the popular (but recently decommissioned) eDonkey client.
Since they tend not to install software if they know that it will disrupt their working environment and compromise their privacy, spyware deceives users, either by piggybacking on a piece of desirable software such as Kazaa, or by tricking them into installing it (the Trojan horse method). Some "rogue" anti-spyware programs masquerade as security software, while being spyware themselves.
In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable freeware with installers that add spyware.
The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack.
Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic, all of which slow the computer down. Stability issues, such as application crashes, the system not turning on, and system-wide crashes, are also common. Spyware that interferes with networking software commonly causes difficulty connecting to the Internet.
As a 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed.
Targetsoft modifies the "Winsock" Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage. Unlike users of many other operating systems, a typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system too. Spyware, along with other threats, has led some Windows users to move to other platforms such as Linux or Apple Macintosh, which are significantly less susceptible to malware.
It is also one of the purposes for which spyware programs gather information on user behavior.
As a result, spyware operators such as 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.
Programs may be grouped into "families" based not on shared program code, but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.
Many users habitually ignore these purported contracts, but spyware companies such as Claria claim these demonstrate that users have consented.
The law articles that were violated are art. 4.1 of the Dutch telecommunications law; the fines were imposed on the basis of art. 15.4 taken together with art. 15.10. A part of these fines has to be paid by the directors of these companies personally, i.e. not from the accounts of their companies, but from their personal fortunes (OPTA, "Besluit van het college van de Onafhankelijke Post en Telecommunicatie Autoriteit op grond van artikel 15.4 juncto artikel 15.10 van de Telecommunicatiewet tot oplegging van boetes ter zake van overtredingen van het gestelde bij of krachtens de Telecommunicatiewet", 5 November 2007, http://opta.nl/download/202311+boete+verspreiding+ongewenste+software.pdf). Since a protest procedure has been initiated, the fines will have to be paid after a Dutch court has taken a decision in this case. The culprits maintain that the evidence for violating the two law articles has been obtained illegally. The names of the directors and the names of the companies have not been revealed, since it is not clear that OPTA is allowed to make such information public. According to H. Moll and E. Schouten ("Limburgse ICT-baas blijkt spywarekoning", NRC Handelsblad, 21 December 2007), the companies are: ECS International, Worldtostart and Media Highway International. The directors are: Arjan de Raaf and Peter Emonds. Their accomplice, nicknamed "Akill", has been arrested in Hamilton, New Zealand, for being the manager of a huge network of zombie computers.
Because many spyware and adware programs are installed as a result of browser exploits or user error, using security software (some of which is anti-spyware, though much is not) to sandbox browsers can also be effective in restricting any damage done.
As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates free. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually.
The user is left to determine "what did I just do, and is this configuration change appropriate?" Windows Defender's SpyNet attempts to alleviate this by offering a community to share information, which helps guide both users, who can look at decisions made by others, and analysts, who can spot fast-spreading spyware. A popular generic spyware removal tool used by those with a certain degree of expertise is HijackThis, which scans certain areas of the Windows OS where spyware often resides and presents a list of items to delete manually. As most of the items are legitimate Windows files or registry entries, those who are less knowledgeable on this subject are advised to post a HijackThis log on one of the numerous anti-spyware sites and let the experts decide what to delete.
Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware. Killing the process tree can also work.
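The paired-process and registry re-adding behaviour described above can be spotted in host telemetry. The following detection sketch is an added example, not part of the original article; the event tuple format, the process names and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from a real host):
# (seconds, action, kind, target, actor). "removed" means a process was
# terminated or a registry value deleted; "created" means a process was
# started or a value written. actor is the process that did it.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    (10.0, "removed", "process", "adsvc.exe", "scanner.exe"),
    (10.4, "created", "process", "adsvc.exe", "adhelper.exe"),
    (20.0, "removed", "process", "adhelper.exe", "scanner.exe"),
    (20.3, "created", "process", "adhelper.exe", "adsvc.exe"),
    (30.0, "removed", "regvalue", RUN + r"\adsvc", "scanner.exe"),
    (30.2, "created", "regvalue", RUN + r"\adsvc", "adsvc.exe"),
    (40.0, "removed", "process", "notepad.exe", "explorer.exe"),
    (95.0, "created", "process", "notepad.exe", "explorer.exe"),
]

def find_restorations(events, window=5.0):
    """Return (kind, target, restorer, delay) for each object that
    reappears within `window` seconds of being removed."""
    last_removed, hits = {}, []
    for ts, action, kind, target, actor in sorted(events):
        key = (kind, target.lower())
        if action == "removed":
            last_removed[key] = ts
        elif action == "created" and key in last_removed:
            delay = ts - last_removed.pop(key)
            if delay <= window:
                hits.append((kind, key[1], actor.lower(), round(delay, 2)))
    return hits

def find_watchdog_pairs(restorations):
    """Return pairs of processes that each restarted the other."""
    restarted_by = defaultdict(set)
    for kind, target, restorer, _ in restorations:
        if kind == "process":
            restarted_by[target].add(restorer)
    pairs = set()
    for target, restorers in restarted_by.items():
        for r in restorers:
            if r != target and target in restarted_by.get(r, ()):
                pairs.add(frozenset((target, r)))
    return pairs

if __name__ == "__main__":
    found = find_restorations(EVENTS)
    print(found, find_watchdog_pairs(found))
```

A reported pair indicates that both processes have to be stopped together, which is why safe mode or killing the whole process tree works where terminating one process does not.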
Newer spyware programs also have specific countermeasures against well-known anti-malware products and may prevent them from running or being installed, or even uninstall them. An example of one that uses all three methods is Gromozon, a new breed of malware. It uses alternate data streams to hide. A rootkit hides it even from alternate data stream scanners and actively stops popular rootkit scanners from running.
Downloading programs only from reputable sources can provide some protection from this source of attack. Recently, CNet revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.
This can be done in various ways such as using your anti-virus software, or simply disconnecting your computer from all internet activities. This will make whoever is in control of the virus unable to have any control of your computer. The second step to removing the spyware is to locate it and remove it, manually or by virus protection software. Also, stay away from websites that have potential threats to your computer.
Source: Wikipedia > Spyware