Technical Guide Part 1
Technical Guide to Spyware/AdWare/Malware
FAQ and Removal Guide
Introduction
When people talk about "spyware", most of the time they're talking about a whole range of malicious software, and not just software that actually spies on you. They usually mean anything that's installed on your PC without your knowledge or permission, and which has unwanted effects. The technical term for most of these things is usually "browser parasites", since most of them interact with Internet Explorer in some way, but in this document I'm going to call them by the catch-all term malware.
"Parasite" is a shorthand term for unsolicited commercial software -- that is, a program that gets installed on your computer which you never asked for, and which does something you probably don't want it to, for someone else's profit.
The parasite problem has grown enormously recently, and many millions of computers are affected. Unsolicited commercial software can typically:
plague you with unwanted advertising ("adware");
watch everything you do on-line and send information back to marketing companies ("spyware");
add advertising links to web pages, for which the author does not get paid, and redirect the payments from affiliate-fee schemes to the makers of the software (such software is sometimes called "scumware");
set browser home page and search settings to point to the makers' sites (generally loaded with advertising), and prevent you changing it back ("homepage hijackers");
make your modem (analogue or ISDN) call premium-rate phone numbers ("dialers");
leave security holes allowing the makers of the software (or, in particularly bad cases, anyone at all) to download and run software on your machine;
degrade system performance and cause errors thanks to being badly-written;
provide no uninstall feature, and put its code in unexpected and hidden places to make it difficult to remove.
Also note that we're only talking about Windows here.
Step 1: How did this crap get on my computer in the first place?
There are basically two "vectors" for malware to get onto your PC: piggybacking on other applications, and "drive-by" installs through Internet Explorer.
Piggybacking and Bundling
There are two kinds of "ad-supported" applications. The benign kind has an advertising system built into itself, that shows you advertising while the application is running, and which has no effect on the system when the application is not. The banner ads in the unregistered versions of Eudora and Opera fall into this category.
The other kind of ad-supported application installs a separate advertising system onto your computer, that runs all the time whether the ad-supported application is running or not. These advertising systems have names like CyDoor, Gator (who have renamed themselves "Claria" to hide their tracks), TopText, etc. Sometimes the application will warn you about the bundled advertising system, sometimes they will not. Sometimes uninstalling the application will get rid of the bundled advertising system, usually it will not.
These advertising systems will show pop-up ads, sometimes when you're not even browsing. Some of them will change the banner ads or links on web pages. Often, they are self-updating, and will sometimes install other advertising systems, or alter your system's security settings to allow for easier drive-by installs. (See below.) They are classic browser parasites.
Common piggyback sources of advertising malware are most popular file-sharing applications that aren't open-source (including Kazaa, iMesh, LimeWire, Morpheus, WinMX, Xolox, Grokster, and others), the free version of DivX Pro (which installs Gator), GoZilla (which has a veritable raft of crap), InternetWasher (ditto), and many "free" applications found on sites like download.com.
Most add-on toolbars for Internet Explorer are malware sources. This includes (but is not limited to) MySearchBar, DashBar, Xupiter, HotBar, UCMore, and many others. The Google and Yahoo toolbars are safe.
There is another class of application which might be considered "ad-supported", if there were any functionality other than the advertising. Things like DownloadWare/NetworkEssentials, Comet Cursor, Bonzi Buddy, the Gator/GAIN "applications" (DashBar, PrecisionTime, DateManager, and eWallet), Internet Optimizer, and the infamous eAcceleration package (including "Stop Sign") are like this. They masquerade as useful applications, but provide no substantial functionality and are merely a ruse to get their advertising software onto your computer.
The latest and most dangerous trend is "anti-spyware" software that's actually just another source of malware. For example, Google searches for some of the common anti-malware software packages will turn up "sponsored links" (in other words, advertisements) for malicious software, linked to those keywords. This document will cover the packages that are known to be safe, and the ones that are known to be dangerous.
To sum up: pay attention to what you're downloading and installing. If it's free, there may be a reason for that.
AOL Instant Messenger v5.5.x
The most recent version of AIM (5.5.3591) will optionally install two pieces of software which are flagged by many spyware scanners (Weatherbug and WildTangent) and will stealthily install another (Viewpoint Media Player).
The WildTangent package is optionally installed to support the "AIM Games" site, and the Viewpoint package is automatically installed to drive AIM's advertising systems (since the Viewpoint player allows for full-screen movies and 3D effects outside of the controlling application). Both of these packages are flagged by anti-spyware software because they have very poor privacy policies, and are known to collect the hardware information of their users.
The Weatherbug software is known to be adware when installed separately. It is not known if the AOL-customized version that comes with AIM v5.5.x is also adware, or whether it relies on the advertising systems built into AIM.
AIM functions normally if you don't install it with the WildTangent or Weatherbug packages, and uninstalling the Viewpoint Media Player from the Add/Remove Programs section of the Control Panel will not affect its operation either. AIM will not reinstall those items unless it is upgraded. The old v4.8 of AIM (which does not have these extra packages) can be downloaded here for the time being, for those who don't want to deal with the issue at all.
Drive-By Installs
The second (and harder to deal with) method for acquiring malware is through "drive-by" software installs in Internet Explorer. IE supports a technology called "ActiveX", which allows website creators to embed small programs in their sites (called "ActiveX controls"), which can then call larger programs (such as software installers). Theoretically, there are safeguards to prevent unauthorized code from being run on your machine when you visit a website; you should normally see a dialog box asking you if you want to install and run a given ActiveX control. When this technology is used correctly, it lets you install software like Macromedia Flash or Apple QuickTime from a website without having to download a separate installer. It's also the technology that drives Windows Update.
Unfortunately, there are problems with the implementation of ActiveX. The problems boil down to this:
Security holes in some versions of Internet Explorer that can be exploited by malicious website creators to install ActiveX controls without prompting
One malicious application can change the security settings on Internet Explorer so that all ActiveX controls (including malware) can auto-install without prompting
Deceptive popups can lead uninformed users to install malicious applications, believing them to be important system updates, or software required to view a site
This means that a system with either an out-of-date version of Internet Explorer, or with incorrect security settings, can be infected with a huge amount of malware just by visiting a single website. And even a correctly-configured and up-to-date system can be infected if a user makes a single incorrect choice on the wrong website.
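The second problem in the list above (a malicious application relaxing Internet Explorer's security settings) and the homepage hijacking mentioned in the introduction both leave traces in the registry that can be checked offline. The following Python script is an added example written for this guide, not code from the original document: it parses a regedit export (File > Export) of the HKCU Internet Settings and Internet Explorer\Main keys and reports Internet-zone ActiveX policies that are weaker than IE's default Medium level, a changed Start Page, and domains that have been added to the Trusted Sites zone. The value names 1001/1004/1200/1201, the zone numbering and the 0/1/3 policy encoding are IE's own; the sample export, the expected home page and the example.invalid domain are constructed for the demonstration.

```python
"""Audit an exported Internet Explorer registry fragment for hijacked settings.

Added example for this guide, not part of the original document. Input is a
regedit export (File > Export) of:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  HKCU\Software\Microsoft\Internet Explorer\Main
decoded to a str (regedit writes UTF-16LE; open the file with encoding="utf-16").
"""
import re

BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONE3 = BASE + r"\Zones\3"                          # the Internet zone
DOMAINS_PREFIX = BASE + r"\ZoneMap\Domains" + "\\"  # per-domain zone overrides
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
TRUSTED_ZONE = 2

# ActiveX policies in the Internet zone and the value IE's default "Medium"
# level gives each one. Policy values: 0 = enable, 1 = prompt, 3 = disable,
# so a smaller number is a weaker policy.
ACTIVEX_BASELINE = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1200": ("Run ActiveX controls and plug-ins", 0),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
}

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
_STRING = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Parse the DWORD and string values of a .reg export into {key: {name: value}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _STRING.match(line)
        if m:
            # .reg doubles backslashes and escapes quotes inside string values
            keys[current][m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit(text, expected_home, allowed_trusted=()):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    keys = parse_reg(text)

    zone = keys.get(ZONE3, {})
    for name, (label, baseline) in ACTIVEX_BASELINE.items():
        actual = zone.get(name)
        if actual is not None and actual < baseline:
            findings.append(f"Internet zone: '{label}' ({name}) is {actual}, expected at least {baseline}")

    home = keys.get(IE_MAIN, {}).get("Start Page")
    if home is not None and home.lower() != expected_home.lower():
        findings.append(f"Start Page has been changed to {home}")

    # An entry such as Domains\example.com with "*"=dword:2 puts the whole
    # domain in the Trusted Sites zone, where ActiveX prompting is relaxed.
    for key, values in keys.items():
        if key.startswith(DOMAINS_PREFIX):
            domain = key[len(DOMAINS_PREFIX):]
            for scheme, zone_id in values.items():
                if zone_id == TRUSTED_ZONE and domain not in allowed_trusted:
                    findings.append(f"Trusted Sites zone contains unexpected domain {domain} ({scheme})")
    return findings


# Constructed sample export showing a hijacked configuration (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.invalid]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example.invalid/"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, expected_home="about:blank"):
        print(finding)
```

Run against the constructed sample the script reports four findings: signed and unsigned ActiveX downloads both set to enable without prompting, a replaced Start Page, and example.invalid placed in the Trusted Sites zone. Pass the home page you actually set and any domains you deliberately trusted as `expected_home` and `allowed_trusted` so that only changes you did not make are reported; note that a subdomain override appears as `domain\host` in the key path and is reported in that form.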
In addition to the problems with ActiveX, there are also many other security holes in Internet Explorer that can be exploited to install malware. These include bugs in IE's handling of MIME types, in the Microsoft Java implementation, and in Microsoft's scripting languages. Many of these security holes have not been fixed, even in the most current versions of Internet Explorer. Exploits using these bugs are much rarer than ActiveX exploits, and are often only usable in specific circumstances, but are still a problem.
There are also sites that try a very simple trick: they begin an automatic download of an installer (usually an EXE file), in the hopes that the user will either instinctively or accidentally hit "Open" instead of "Cancel". If the user hits "Save", then they'll have the installer sitting on their desktop or in their download directory, and they might accidentally run it later. This kind of attack isn't limited to Internet Explorer, and the only real defense against this sort of thing is to watch out for it.
