CyberSafety: Spyware


by Alan Zisman (c) 2003, 2005 

Fairly often, people I know complain that their computer is running slowly. Typically, the next thing they say is "Maybe it's got a virus". That's easily checked-- for instance, on Symantec's online virus checking service: http://www.symantec.com/securitycheck/. (For more on combating viruses see my companion-piece to this tutorial).

More often than not, however, their computer checks out virus-free. More likely, without being aware of it, their computer has somewhere between several and many spyware and adware programs running in the background, each taking a chunk of computer resources, resulting in the feeling that it's harder and harder to get anything done on their computer. Late in 2004, Dell, for example, noted that they're getting 70,000 calls a week about computer performance and odd behaviour that is probably spyware related.

(And that's not all-- as the name suggests, the various spyware programs are probably 'calling home', reporting back personal information, at a minimum where you've browsed on the Net).

What is spyware?
According to ZDNet's Robert Vamosi, "Also known as "adware," this hidden software program transmits user information via the Internet to advertisers in exchange for free downloaded software." (http://www.zdnet.com/products/stories/reviews/0,4161,2612053,00.html) In many ways, it's the intersection of our desire to get stuff for free over the Internet, and many software publishers' desire to get paid anyways. (Note that there remain many great programs and services available on the Net that are truly free-- no strings attached. But not everything that claims to be free is actually a good deal). Many of the most-often downloaded programs actually include spyware.

Like commercial-TV, some downloaded programs display ads on screen. Some, like the popular Opera browser or Eudora email program, give users the option to use a free, ad-displaying version or to purchase an ad-free version. More problematic are programs that don't give potential users notice that they will be getting ads with that program. As well, many ad-supported programs install modules that run in the background, logging websites you visit, and reporting these back. This information may be used to tailor the ads you see to match your interests, as indicated by where you surf. Or this information may be spread around for other demographic research purposes. At the same time, other information about you or your computer may be sent out without your knowledge or consent.

Generally, when you are installing your downloaded software, you will be asked to read and agree to an End User License Agreement (generally referred to as a Eula). In most cases, you're notified that information will be collected and sent deep in the legalese of the Eula-- but few users actually take the time to read through these documents. However, because of this, software publishers are able to claim that you consented to the installation of their spyware.

In some cases, you can end up with spyware installed on your computer without knowingly installing anything-- simply clicking on an online ad for Comet Cursor or BonziBuddy may install software on your system. BonziBuddy can be installed by ads that pretend to be system error messages.

Some distinguish between spyware (bad) and adware (less bad). "Spyware, which may piggyback on another downloaded program, often operates in the background, sending information back to a remote site and displaying pop-up ads tailored to the user's online habits, or harvesting e-mail addresses to sell to spammers. Adware is similar but more benign, or at least better encased in euphemism; its defenders say that it is something that consumers consciously agree to download. More insidious programs, perhaps better described as annoyware, redirect the computer's browser to pornographic Web sites, often to pump up those sites' traffic figures or commandeer the machine's modem to dial 900 numbers at the computer owner's expense.... Yet the line between informed consent and naïve clicking can be thin. Although Gator requires permission from users before it is downloaded, people often have no recollection of having agreed to its terms." (New York Times article: "Heart of Darkness, on a Desktop" September 4, 2003: http://www.nytimes.com/2003/09/04/technology/circuits/04lurk.html?ex=1064499244&ei=1&en=0066cf458f70567f (free registration needed to view)). In October 2003, Gator filed suit against PC Pitstop for calling Gator 'spyware'; in response, PC Pitstop pulled a number of pages critical of Gator from its website (http://news.com.com/2100-1032-5095051.html?part=dht&tag=ntop).

This practice of companies labelled spyware filing suit against anti-spyware software vendors is becoming increasingly common. (See Robert Vamosi's "Who You Callin' Spyware, Spyware?" (March 15 2005): http://reviews.cnet.com/4520-3513_7-5759896-1.html?tag=nl.e501 )

In July 2005, a broadly-based industry group formulated a definition of spyware, at least in part to help clarify proposed US legislation. The Anti-Spyware Coalition said (http://www.wired.com/news/privacy/0,1848,68167,00.html): spyware impairs "users' control over material changes that affect their user experience, privacy or system security; use of their system resources, including what programs are installed on their computers; or collection, use and distribution of their personal or otherwise sensitive information..."

How common is spyware?

An April 2004 BBC report (http://news.bbc.co.uk/1/hi/technology/3633167.stm) suggested that spyware was very prevalent amongst home PCs... according to the report, the US Internet service provider Earthlink said it found an average of 28 spyware programs on over one million PCs scanned in early 2004(!) The 29+ million spyware programs found were mostly ad-ware, but they also discovered some 300,000 system monitors and Trojans, which could steal personal information from the infected computers.

In the Fall of 2004, AOL and the National Cyber Security Alliance surveyed 329 Americans; on average they had been online for over six years-- not Internet novices. Afterwards, they had technicians check over their systems; 80% had some sort of spyware infections. (Reported in PC Magazine: February 02, 2005: http://www.pcmag.com/article2/0,1759,1755221,00.asp ).

Why is spyware bad?
Many users have installed and used spyware-installing software, and don't seem to find that a problem. After all, many of us have supermarket club cards or air mileage cards, both of which promise us benefits in exchange for passing on information about our shopping habits. On one level, spyware reporting on our Web surfing habits isn't much different.

But aside from questions about whether I want my computer reporting on my Web surfing, spyware can cause other problems. I've already mentioned that each spyware program lurking in the background saps a bit of your computer's resources-- using up some memory and CPU time. Uploading information without your consent eats away at your Internet bandwidth, which can be especially problematic for dialup subscribers. The DSSAgent program installed by Mattel and Broderbund with some of their children's and educational titles (some versions of the popular Where in the World is Carmen Sandiego, for instance) can cause serious network congestion with rapidly repeated DNS queries as it pulls down its ads.

Not only that, poorly-designed spyware programs can cause operating system and browser crashes! BonziBuddy spyware, which reports on browsing habits, has been implicated in system slowdowns and so-called blue screen of death system crashes.

And in many cases, uninstalling the downloaded free program may still leave the spyware installed, still lurking in the background reporting on you, even when the program it's designed to work with is long gone.

Computer columnist John Dvorak suggested in December 2004 (http://www.pcmag.com/article2/0,1759,1744126,00.asp) that spyware is installed for four primary uses: market research, employee and spousal monitoring, identity and credit card theft, and to turn your computer into a 'spambot', distributing spam to other users.

What are the names of often-installed spyware?
Among the many spyware 'brands', you may find these installed without your knowledge on your system. Click on the links for more information, or search for their names on Google or other search engine:

    • Aureate/Radiate: installed by many ad-supported programs. Monitors browsing habits. Can remain even if the main application is uninstalled. Can cause instability and crashes. http://www.accs-net.com/smallfish/radiate.htm

    • Bonzi: most often installed on its own by clicking a disguised web-ad; can slow systems down or even cause crashes: http://www.accs-net.com/smallfish/bonzi.htm
    • BDE/Brilliant: installed with KaZaa; causes instability and crashes. Removing it causes KaZaa to fail to work; install KaZaa Lite instead
    • Comet Cursor: installed by clicking on Web ads and links, included with some RealPlayer versions. http://www.accs-net.com/smallfish/comet.htm
    • Cydoor is installed with KaZaa, among others. It serves ads within its applications, and collects demographic information. http://www.accs-net.com/smallfish/cydoor.htm
    • DSSAgent was installed by Broderbund and Mattel in educational and children's programs (typically sold on CD, not downloaded). It can cause network congestion. http://www.accs-net.com/smallfish/mattel.htm
    • Other names to watch out for include: Aveo/Help Express, CommonName/CNBabe, DownloadWare/ClipGenie, eAcceleration, EasyInstall, eZula/TopText, Gator/GAIN, HotBar, Lop, Network Essentials, OnFlow, PromulGate/DelFin, SaveNow, SideStep, TimeSink/Conducent, TwistedHumor/Winad, VX2/Transponder, webHancer, Web3000, WurldMedia, and Xupiter Toolbar. Doubtless the list will grow over time.
Check the Spyware Guide: http://www.spywareguide.com/index.php for up to date information on spyware applications (and anti-spyware software). It listed 277 (!) different spyware programs when I checked in August 2003.

Also take a look at the late-2005 Top 10 Tricks Causing Spyware Epidemic: http://blogs.zdnet.com/Spyware/?p=729&tag=nl.e539

What can you do?

    • Read Eulas carefully, and think about what rights and information you may be asked to give away in exchange for a so-called free program or service. Consider whether what you're going to get is worth the hidden cost. Assume that any application that displays ads when you're not online is probably also sending information about you 'back home'.
    • If you are using Internet Explorer, check its options (click the Tools menu, then Internet Options.) Go to the Security tab and make sure it is set to Medium or above; the Low setting will allow files to be downloaded without your knowledge.
    • Look for spyware-free or ad-free alternatives. Consider using the paid-versions of programs like Eudora, Opera, Limewire, or Bearshare to avoid the ads and the reporting back. If you (or children or teens in your home) are users of the wildly-popular KaZaa file-sharing application, replace it with the spyware-free KaZaa Lite Resurrection (http://www.versiontracker.com/dyn/moreinfo/win/34640). Note that popular peer-to-peer file-sharing programs (often used for getting MP3 music files over the Net) are big sources of spyware. Along with KaZaa Lite, Shareaza (http://www.shareaza.com) is another spyware-free file-sharing program.

    • (Be aware, when using KaZaa K++ that you may get notification that 'A newer version of KaZaa is available' each time the program starts. If you click to get the newer version, you will be replacing KaZaa Lite with the spyware-version. Also note that the earlier KaZaa Lite installs a fake Cydoor.dll file (The newer version doesn't do this...), which is not spyware, but may be identified by some spyware removal programs. Don't let such programs remove it!)
      If you have Kazaa installed, you might want to try Diet K, which removes the spyware from an existing installation of standard KaZaa. http://www.versiontracker.com/dyn/moreinfo/win/28492
    • Some download sites try to mention whether listed programs use ad-supported spyware. Once again, read the fine-print and decide how badly you want or need such applications.
    • Install a software firewall such as ZoneAlarm which can block spyware from 'phoning home' without your knowledge. This won't remove the spyware, which will still be gobbling system resources, but it will stop the spying. More on firewalls in my tutorial on that subject.
    • Open the Windows Add-Remove Software control panel, and check for unfamiliar applications (especially with names like the ones listed above). You'll find some spyware such as CometCursor this way.
    • Run MSCONFIG, the downloadable StartUp Control Panel, or Startup Cop Pro (see my Know Your PC tutorial for more information), looking for spyware being loaded at startup. You may, for instance, see the DSSAgent that way.
    • Install and run software to scan your system for spyware, and with your permission, remove spyware that it finds (see below). Note that removing spyware often makes the related application stop working. 
    • You can prevent other users of your PC from installing the most popular 'file-sharing' applications such as Kazaa with the free File Sharing Sentinel: http://www.akidthaine.com/

Spyware removal software

There's an ongoing battle between spyware and spyware removers. At one point, for example, one spyware program searched for popular spyware remover AdAware (from http://www.lavasoft.de/), and if found, removed it from users' systems. The next version of AdAware resisted that tactic.

The April 22, 2003 issue of PC Magazine reviewed 9 spyware removal applications: http://www.pcmag.com/article2/0,4149,981135,00.asp
Their editor's choice, SpyBot Search and Destroy is free (and spyware-free). The author, Patrick M. Kolla, requests donations; if you find this program useful, consider donating to him, to encourage him to continue developing it: http://security.kolla.de/

It offers an easy mode and an advanced mode, scans your system for spyware and adware, (including relatively harmless ad-related browser cookies), provides a list of what it finds, offers further information about most individual items, and allows you to remove all of them with one click, or to pick and choose what to remove. It notes that removing the spyware often makes the related application stop working, and that in many cases, the best way to remove adware or spyware is to pay for shareware programs.

(Note that if you search for Spybot Search and Destroy it may be difficult to locate; a number of less-effective but more expensive anti-spyware applications have been setting up their web pages so they show up in search engines as a result of searches for Spybot. Moreover, while Patrick Kolla, Spybot's developer, has registered the web address safer-networking.org, browsing by mistake to safer-networking.com will get you yet another anti-spyware program-- not Spybot. The software sold at safer-networking.com, Spykiller, is included in a list of 'Rogue/Suspect Anti-Spyware Products' at http://www.spywarewarrior.com/rogue_anti-spyware.htm -- products they describe as of 'unknown, questionable, or dubious value'. These would include products advertised by web popups claiming your computer may be infected with spyware. Some even install their own spyware!).

The free AdAware was previously the spy-removal program of choice; as of the time of writing (early 2003), it had fallen behind SpyBot in its ability to detect and remove the current crop of spyware. However, it may be worth downloading and using along with SpyBot; each may find spyware missed by the other. In any case, keep both up to date by always using the latest version. (In fact, by early 2005, AdAware was much improved. I again recommend it).

In late 2004, Microsoft purchased spyware developer Giant; in early 2005 they released a free beta version of Microsoft AntiSpyware. It's well worth the download (http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en) and recently, MS announced that it will continue to be free beyond July 2005. (Windows 2000 and XP only).

The Spyware Guide website (http://www.spywareguide.com/index.php) has a free online spyware scanner.

The March 2 2004 issue of PC Magazine updated their Spyware review (http://www.pcmag.com/article2/0,4149,1524223,00.asp). This year, they most liked Spy Sweeper (http://www.webroot.com/) which is available in a paid version (US$30 per year) with automatic downloading of spyware definitions, or a free version which lacks that feature. They felt that the free Spybot Search and Destroy and the spyware-removal component of McAfee Internet Security were also strong contenders.

In its December 2004 issue (http://www.pcworld.com/news/article/0,aid,118362,00.asp), PC World tested a number of commercial anti-spyware applications that advertised themselves with online popup ads. They found that none were as effective as the free SpyBot, and two of the applications tested actually installed spyware! Their conclusion: avoid popups or bogus Windows system messages that suggest your system may be infected and offer to scan for spyware. The scans are often faked, and the software they're peddling is ineffective at best.

PC Magazine (November 8 2005) reviewed three free antispyware programs: AdAware, Spybot, and Microsoft Antispyware. Their conclusion: install all three but only configure Microsoft's for real-time blocking.
http://www.pcmag.com/article2/0,1895,1865515,00.asp

Adware distributors have started lobbying antispyware applications (and in some cases taking them to court) complaining when their applications are labelled 'malware'. In some cases, they have been successful in getting some antispyware applications to downgrade their recommendations. See for instance, Wired Magazine's Dec 2005 article "And Don't Call It Spyware" http://www.wired.com/wired/archive/13.12/spyware.html

Another disturbing trend: 'Rogue Antispyware' -- products of unknown or dubious value being marketed for spyware protection. (See: http://blogs.zdnet.com/Spyware/index.php?p=727&tag=nl.e539) Be cautious about any antispyware product you see being marketed online, particularly through web page popups. Google the product name (along with the word 'review') to see what is being said about it before buying. In fact, be cautious before downloading and installing, even if it's apparently free... some apparent antispyware applications have even installed spyware! Spyware Warrior's Rogue/Suspect Spyware list (http://www.spywarewarrior.com/rogue_anti-spyware.htm) lists over 240 products.

In late 2005, spyware researcher Mark Russinovich reported on a number of so-called anti-spyware products that not only do a poor job of spyware removal but may actually be hazardous. (See: http://arstechnica.com/news.ars/post/20060103-5887.html) Elsewhere, a 10-worst list of would-be anti-spyware products was compiled, listing:

10. Spyware Bomber
9. SlimShield
8. WinAntiVirus and its companion WinAntiSpyware 2005
7. SpywareNo and its clone SpyDemolisher
6. Razespyware
5. Spy Trooper
4. WorldAntiSpy
3. PSGuard
2. SpySheriff
1. SpyAxe

(Dis)Honorable mention goes to VirtualBouncer aka AdDestroyer.

(http://blogs.zdnet.com/Spyware/?p=727)

Do not install unknown anti-spyware applications. At this time, I recommend Ad-Aware, Spybot Search and Destroy, Webroot Spy Sweeper, Microsoft Anti-Spyware, and the anti-spyware component of the Zone Alarm Internet Security Suite.

Key Loggers and Trojan Horses
The April 22 2003 PC Magazine cover story on spyware (Spyware: It's lurking on your machine: http://www.pcmag.com/article2/0,4149,978170,00.asp) includes keyloggers such as NetObserve and WinWhatWhere and Trojans such as Back Orifice or NetBus as spyware, because they can be used to report out about your computer without your knowledge and consent. While a potential problem, I don't group them in with adware/spyware. Typically keyloggers are installed on your computer by employers or family members who want to know how the computer is being used. Trojans like NetBus are frequently spread about by teens over instant messaging or chat networks, getting unsuspecting peers to install these programs that let them take remote control over your computer.

Some antivirus software will pick up the trojans when scanning your system for viruses.

Since most spyware, keyloggers and trojan horses set themselves to startup automatically, another useful utility can be a Startup Monitor-- a program that lets you know when something has added itself to your computer and set itself to startup automatically. If it's something you meant to do, you can allow it-- but if it's happening without your permission, you can block it. Check out the free StartUp Monitor: http://www.mlin.net/StartupMonitor.shtml 

Pop-up web ads
Not spyware, but frequently annoying are pop-up (or pop-under) ads when you are browsing the Net. Several alternative browsers, including Opera (ad-ware or paid versions), Netscape, and the free open-source Mozilla and Mozilla Firebird include options to turn off pop-up windows. This is not currently a feature in the most-often-used Internet Explorer. A number of downloadable programs are available for IE users, to control pop-up ads. My favourite is the free (not adware!) PopUpManager from http://www.endpopups.com. Sometimes, you actually want a popup window-- some are not ads. If you click on a link and nothing happens, PopUpManager lets you right-click on its little bar (which turns from green to red when it stops a popup window) and allow the popup.

You may also be getting pop up ads when you're not using your browser... they may be coming in through MSN Messenger. (They say "Messenger Service" in the window's title bar). You can defend yourself against them using the free Messenger Utility: http://www.heavy-horse.com/products/messenger/messenger.html or Shoot the Messenger: (http://grc.com/stm/ShootTheMessenger.htm)

Other annoying popups are the result of the sorts of spyware discussed above. Removing the spyware should eliminate these popups.

Homework:

  • Check the Add-Remove Programs control panel and either MSCONFIG or the Startup Control Panel, looking for names that appear in this tutorial's spyware list. If you find any, click the links for more information, or enter the name in a Google search to find out more about them. Decide whether you want to remove each (or uncheck them in MSCONFIG, etc).
  • If KaZaa is installed on your computer, remove it (using the Add-Remove control panel) and download and install the spyware-free KaZaa Lite Resurrection.
  • If you are running any ad-supported software programs, think whether you really want them (enough to allow them to display ads and spy on you!), and consider paying for an ad-free version.
  • Download and install SpyBot Search and Destroy. Let it scan your system. Do not let it simply remove all spyware found unless you are prepared for some installed applications to stop working; decide for yourself whether or not to let the program remove each item found. (Remember, if you've installed the older spyware-free KaZaa Lite, don't remove the fake Cydoor.dll file).
  • Install PopUpManager.
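
The first homework check, as an added Python example (not part of the original tutorial): it compares Add/Remove Programs names and Run-key startup entries against this tutorial's spyware list. The sample entries are constructed, and the function names are this example's own.

```python
import re
import sys

# Names copied from this tutorial's spyware list; "/" separates aliases.
WATCHLIST = [n.strip() for n in """
Aureate/Radiate, Bonzi, BDE/Brilliant, Comet Cursor, Cydoor, DSSAgent,
Aveo/Help Express, CommonName/CNBabe, DownloadWare/ClipGenie, eAcceleration,
EasyInstall, eZula/TopText, Gator/GAIN, HotBar, Lop, Network Essentials,
OnFlow, PromulGate/DelFin, SaveNow, SideStep, TimeSink/Conducent,
TwistedHumor/Winad, VX2/Transponder, webHancer, Web3000, WurldMedia,
Xupiter Toolbar""".split(",")]

# Constructed sample entries (not from a real machine): (source, text) pairs.
SAMPLE_ENTRIES = [
    ("installed", "Comet Cursor 2.0"),
    ("installed", "BonziBUDDY"),
    ("installed", "Bargain Developer Kit"),  # contains "gain" and "lop"
    ("startup", r"DSSAgent C:\WINDOWS\DSSAGENT.EXE"),
    ("startup", r"GainHelper C:\Apps\GAIN\helper.exe"),
    ("startup", r"PrintMon C:\Tools\printmon.exe"),
]

# Split on punctuation and camelCase so "BonziBUDDY" yields the token "bonzi".
TOKEN = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+")

def squash(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())

def candidates(text):
    """Runs of 1-3 adjacent tokens, joined. Matching whole runs catches both
    'Comet Cursor' and 'CometCursor' but not 'lop' inside 'Developer'."""
    toks = [t.lower() for t in TOKEN.findall(text)]
    return {"".join(toks[i:i + n]) for n in (1, 2, 3) for i in range(len(toks))}

def find_watchlisted(entries):
    """Return (source, text, watchlist name) for every entry naming a listed item."""
    hits = []
    for source, text in entries:
        cands = candidates(text)
        for item in WATCHLIST:
            if any(squash(alias) in cands for alias in item.split("/")):
                hits.append((source, text, item))
    return hits

def collect_windows_entries():
    """Add/Remove Programs names and Run-key startup commands (Windows only)."""
    import winreg
    base, entries = r"Software\Microsoft\Windows\CurrentVersion", []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, base + r"\Uninstall") as key:
                for i in range(winreg.QueryInfoKey(key)[0]):
                    try:
                        with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                            name = winreg.QueryValueEx(sub, "DisplayName")[0]
                            entries.append(("installed", str(name)))
                    except OSError:
                        pass  # subkey has no DisplayName
        except OSError:
            pass  # no Uninstall key in this hive
        try:
            with winreg.OpenKey(hive, base + r"\Run") as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    entries.append(("startup", f"{name} {data}"))
        except OSError:
            pass  # no Run key in this hive
    return entries

if __name__ == "__main__":
    live = sys.platform == "win32"
    for src, text, item in find_watchlisted(
            collect_windows_entries() if live else SAMPLE_ENTRIES):
        print(f"{src:<9} {item:<24} {text}")
```

Treat hits as prompts to look an item up, not as a removal list: a Cydoor match may be the fake Cydoor.dll that this tutorial says the earlier KaZaa Lite installs. The collector reads only the Uninstall and Run registry keys, so Startup-folder items are not covered.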

Further Reading:

The CyberSafety course includes the following modules:

Introduction
Know your PC
Computer Viruses
Email and Spam
Firewalls
Spyware
Networks and wireless issues

Links
 
Or cut to the chase with 7 Steps to Internet Security

(Last updated 3 January 2006)




Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached at E-mail Alan