CoolWebSearch (also known as CWS) first appeared in May 2003 and is well known as a malicious keylogging^[1] program which installs itself on Windows based computers.

Effects

CoolWebSearch has numerous effects when it is successfully installed on a users computer. The program can change an infected computer’s web browser homepage to coolwebsearch.com, and although originally thought to only work on Internet Explorer, recent variants affect Firefox as well as others. It can also create pop-up ads that redirect to other websites including pornography sites, collect private information about users and slow the speed of infected computers. Coolwebsearch uses innovative techniques to evade detection and removal, and as such many common spyware removal programs fail to properly remove the software.

All versions of CoolWebSearch are installed by ‘driveby’, in which a computer browsing a webpage automatically installs CWS. CWS itself attempts to evade others by not labelling its ads, not providing an EULA, not providing any data about itself and not having a website. Certain variants insert links on random text, leading to advertiser websites. The webmasters haven’t any control over this. Other attempts to travel to websites are redirected to false search engines used to install more malware and carrying ads. CWS also adds bookmarks to pornography and gambling sites on the desktop and in the Bookmarks folder. Certain versions attempt to edit users’ trusted sites and twist security settings as well as battle back against removal programs. The CWS.Look2Me variant also hooks into the Windows XP logon system and tracks visited websites as well as downloading further malware. Other variants are named for the effects they have, such as msconfig, Msoffice, Mupdate, Msinfo and Svchost32.

Creators

The website coolwebsearch.com claims that they are not responsible for the browser hijacking. ^[2] They run an affiliate program which pays affiliates to direct others to their site which has paid advertising links. Interestingly coolwebsearch.com’s terms of service use the laws of Quebec, whilst their DNS registration lists an address in the British Virgin Islands, whilst their web server appears to be run by HyperCommunications in Massachusetts. CoolWebSearch is also linked to CoolWebSearch.org and appears to be related to webcoolsearch.com.

In August 5, 2005 Sunbelt Software reported to the FBI that similar keylogging software forms part of a massive spyware ring that collects “chat sessions, user names, passwords, bank information, etc…eBay accounts…highly personal information”. ^{[3] [4]})

“About:blank” is the generic name for different variants (CWS.Hiddendll, se.dll, CWS.Homesearch) which hijacks the browser, causes pop ups and reduces computer speed. This is one of the most common but hardest variants to remove. ^[5]

Removal

There are programs such as CWShredder and McAfee’s Beta Command-Line Scanner which can be used to remove the vast majority of CoolWebSearch variants from infected computers. The Windows’ System Restore can reportedly remove some, but possibly not all, variants of CoolWebSearch.

Some variants will create a randomly named .dll file into winlogon.exe, which cannot be unloaded and has to be deleted upon reboot. The same variants will also inject a file named “guard.tmp” into rundll32.exe which can be removed. Rundll32.exe will also run a CoolWebSearch .dll upon boot with these variants.

CoolWebSearch has been reported to download other spywares such as Apropos Media, DyFuCa, Look2Me and TargetSavers.

Variants

1. CWS.Aboutblank
2. CWS.Addclass
3. CWS.Alfasearch
4. CWS.Bootconf
5. CWS.Cassandra
6. CWS.Control
7. CWS.Ctfmon32
8. CWS.Datanotary
9. CWS.Dnsrelay
10. CWS.Dreplace
11. CWS.Gonnasearch
12. CWS.Googlems
13. CWS.Hiddendll
14. CWS.Homesearch
15. CWS.Loadbat
16. CWS.Msconfd
17. CWS.Msconfig
18. CWS.Msinfo
19. CWS.Msoffice
20. CWS.Msspi
21. CWS.Mupdate
22. CWS.Oemsyspnp
23. CWS.Olehelp
24. CWS.Oslogo
25. CWS.Qttasks
26. CWS.Q-url3
27. CWS.Realyellowpage
28. CWS.Searchx
29. CWS.Smartfinder
30. CWS.Smartsearch
31. CWS.Sounddrv
32. CWS.Svchost32
33. CWS.Svcinit
34. CWS.Systeminit
35. CWS.Systime
36. CWS.Tapicfg
37. CWS.Therealsearch
38. CWS.Vrape
39. CWS.Xmlmimefilter
40. CWS.Xplugin
41. CWS.Xxxvideo
42. CWS.Yexe
43. CWS.Winproc32
44. CWS.Winres
45. CWS.Xmlmimefilter
46. CWS.Aboutblank
47. CWS.Systeminit
48. CWS.Sounddrv
49. CWS.Searchx
50. CWS.Realyellowpage
51. CWS.SysTime
52. CWS.HomeSearch
53. CWS.Look2Me
54. CWS.MSFind
55. CWS.Cassandra

Affiliate variants

1. CWS.Aff.iedll
2. CWS.Aff.Madfinder
3. CWS.Aff.Tooncomics
4. CWS.Aff.Winshow

Links and References

1. ↑ Alex Eckelberry (2005). Identity Theft? What to do?. SunBeltBLOG. Mountain View: Google. URL accessed on October 16, 2005.
2. ↑ The term about:blank when presented as a web address (URI) is interpreted by most modern web browsers as a command to render a blank HTML page.
3. theinternetpatrol.com
4. trendmicro.com
5. cwsshredder.net

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

LOP, or Live Online Portal, is an adware component that is installed on computers.

Lop.com is a web site owned by C2Media (NOTE: C2 Media is the name of a totally unrelated company from C2Media LTD which owns LOP.com). It is a pay-per-click search portal where other websites will pay for each click to their sites via LOP. This was never a bad idea, but a method they used to get people to their site was to install an adware component on people’s computers which would advertise their site through pop-ups. The installer could turn the user’s web browser into a device with a links to lop.com.

Older variants of LOP were quite predictable and installed Browser Helper Objects and startup entries with known names. Lately, LOP variants have been using random English words strung together in a phrase as their executable names and have been placing these executables in the user’s application data directory. For example, there are LOP variants which call their file “meal dog house bone.exe”.

LOP can usually be easily removed using Ad-Aware and Spybot S&D (as well as various other spyware removal programs). You may also ask the support forums below for help on how to remove LOP.

Known programs that bundle LOP

• Patchou’s Messenger Plus

References

• Healan, M. (2004). Lop.com. Retrieved Jun. 13, 2005, from SpywareInfo Web site: http://www.spywareinfo.com/articles/lop/.
• Clover, A. (n.d.). lop. Retrieved Jun. 13, 2005, from doxdesk.com Web site: http://www.doxdesk.com/parasite/lop.html.

Links

• LOP Information Website
• SpywareInfo Forums
• TomCoyote Forums
• BFC Computer Help
• Security and Malware Board

Anti-spyware programs often report Web advertisers’ HTTP cookies as spyware. Web sites (including advertisers) set cookies — small pieces of data rather than software—to track Web-browsing activity: for instance to maintain a “shopping cart” for an online store or to maintain consistent user settings on a search engine.

Only the Web site that sets a cookie can access it. In the case of cookies associated with advertisements, the user generally does not intend to visit the Web site which sets the cookies, but gets redirected to a cookie-setting third-party site referenced by a banner ad image. Some Web browsers and privacy tools offer to reject cookies from sites other than the one that the user requested.

Advertisers use cookies to track people’s browsing among various sites carrying ads from the same firm and thus to build up a marketing profile of the person or family using the computer. For this reason many users object to such cookies, and anti-spyware programs offer to remove them.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Magic Lantern is a keystroke logging program developed by the Federal Bureau of Investigation. Magic Lantern was first reported in a column by Bob Sullivan of MSNBC on 20 November 2001 [1], also by Ted Birdis of the Associated Press (Ted Birdis, Washington Post, 11/22/01 “FBI Develops Eavesdropping Tools”).

Unlike previous keystroke logger programs used by the FBI, Magic Lantern can reportedly be installed remotely, via an email attachment or “by exploiting common operating system vulnerabilities.” It has been variously described as a virus and a Trojan horse. It is not known how the program might store or communicate the recorded keystrokes.

In response to a Freedom of Information Act request filed in 2000 by the Electronic Privacy Information Center, the FBI released a series of unclassified documents relating to Carnivore, which included the “Enhanced Carnivore Project Plan.” Sullivan’s confidential source said that redacted portions of that document mention “Cyber Knight,”

“. . . a database that sorts and matches data gathered using various Carnivore-like methods from e-mail, chat rooms, instant messages, and Internet phone calls. It also matches files with captured encryption keys.”

Spokesmen for the FBI soon confirmed the existence of a program called Magic Lantern, denied that it had been deployed, and declined to comment further. [2]

The public disclosure of the existence of Magic Lantern sparked a debate as to whether anti-virus companies could or should detect the FBI’s keystroke logger. Birdis reported that at least some anti-virus companies, including Network Associates, maker of McAffee anti-virus products, had contacted the FBI following the press reports about Magic Lantern, to ensure its anti-virus software would not detect the program. [3] Network Associates issued a statement denying this kind of cooperation with U.S. legal authorities within a week, fueling speculation as to which anti-virus products might or might not detect government trojans. [4]

Links

• EPIC site
• Carnivore questions

• [5] First press story about Magic Lantern, CNBC 20 November 2001
• [6] Early wire report (AP) 21 November 2001
• [7] AP story about Magic Lantern 22 November 2001
• [8] San Francisco Chronicle 28 November 2001
• [9] Wired article 29 November 2001
• [10] Villiage Voice 24 May 2002

References

Amanda So and Christopher Woo. “The Case for Magic Lantern: September 11 Highlights the Need for Increased surveillance” Harvard Journal of Law and Technology. v15 p521. (about the legal framework surrounding the use of keystroke loggers in law enforcement)

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Keystroke logging (often called keylogging) is a diagnostic used in software development that captures the user’s keystrokes. It can be useful to determine sources of error in computer systems. Such systems are also highly useful for law enforcement and espionage—for instance, providing a means to obtain passwords or encryption keys and thus bypassing other security measures. However, keyloggers are widely available on the internet and can be used by anyone for the same purposes.

Keystroke logging can be achieved by both hardware and software means. Commercially available systems include devices which are attached to the keyboard cable (and thus are instantly installable, but visible if the user makes a thorough inspection) and also devices which can be installed in keyboards (and are thus invisible, but require some basic knowledge of soldering to install). Writing software applications for keylogging is trivial, and like any computer program can be distributed as a trojan horse or as part of a virus or worm. It is also said that using an onscreen keyboard is a way to combat these, as it only requires clicks of the mouse. That is, however, false information, because a keyboard event message must be sent to the external target program to type text. Every software keylogger can log the text typed with an onscreen keyboard.

What is not trivial however, is installing a keystroke logger without getting caught and downloading data that has been logged without being traced. An attacker that manually connects to a host machine to download logged keystrokes risks being traced. A Trojan that sends keylogged data to a fixed e-mail address or IP address risks exposing the attacker.

Young and Yung devised several methods for solving this problem and presented them in their 1997 IEEE Security & Privacy paper [YY97] (their paper from ’96 touches on it as well). They presented a deniable password snatching attack in which the keystroke logging Trojan is installed using a virus (or worm). An attacker that is caught with the virus or worm can claim to be a victim. The cryptotrojan asymmetrically encrypts the pilfered login/password pairs using the public key of the Trojan author and covertly broadcasts the resulting ciphertext. They mentioned that the ciphertext can be steganographically encoded and posted to a public bulletin board (e.g., Usenet). They also mentioned having the cryptotrojan unconditionally write the asymmetric ciphertexts to the last few unused sectors of every writable disk that is inserted into the machine. The sectors remain marked as “unused”. Nowadays this can done using a USB token. So, the Trojan author may be one of dozens or even thousands of people that are given the stolen information. Only the Trojan author can decrypt the ciphertext because only the author knows the needed private decryption key. This attack is from the field known as Cryptovirology.

The FBI used a keystroke logger to obtain the PGP pass phrase of Nicodemo Scarfo, Jr.. He plead guilty to running an illegal gambling operation in 2002. (“Mobster’s son pleads guilty of gambling; computer spying helped seal case” Asssociated Press, 1 Mar 2002) The FBI has also reportedly developed a trojan-horse-delivered keylogger program known as Magic Lantern.

References

[YY97] A. Young, M. Yung, “Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage,” IEEE Symposium on Security & Privacy, pages 224-235, May 4-7, 1997.

Links

• Keylogging Hardware and software keylogging methods.
• BBC article about Keycatcher, a hardware keylogger

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Using a virtual machine (such as a pre-built Browser Appliance for VMWare Player) can inhibit infection by spyware, malware, and viruses. Virtual machines provide seperate environments, so if spyware enters the virtual environment, the host computer remains unaffected. One can also use snapshots to remove one’s private information, transporting the snapshot of the VM.

This environment resembles a sandbox. It has drawbacks in that it uses more memory (compared to a standalone browser) and it uses a lot of disk space.

Security practices

To deter spyware, computer users have found a number of techniques useful in addition to installing anti-spyware software.

Many system operators install a web browser other than Microsoft’s Internet Explorer (IE), such as Opera or Mozilla Firefox – though such web browsers have also suffered from some security vulnerabilities. Not a single browser ranks as safe, because in the case of spyware the security comes with the person who uses the browser.

Some Internet Service Providers — particularly colleges and universities — have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University’s Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it. ^[1] Many other educational institutions have taken similar steps against Marketscore and other spyware. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users’ behavior, and so may attract institutional attention more readily.

Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. One site, CleanSoftware.org, founded as an alternative to other popular Windows software sites, offers only software verified not to contain “nasties” such as spyware. Recently, C|Net revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.

References

1. ↑ Schuster, Steve. “Blocking Marketscore: Why Cornell Did It“. Cornell University, Office of Information Technologies. March 31, 2005.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Lavasoft’s Ad-Aware, one of a few reliable commercial anti-spyware programs, scans the hard drive of a clean Windows XP system.

Many programmers and some commercial firms have released products designed to remove or block spyware. Steve Gibson’s OptOut, mentioned above, pioneered a growing category. Programs such as Lavasoft’s Ad-Aware SE and Patrick Kolla’s Spybot – Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the GIANT Anti-Spyware software, rebadging it as Windows AntiSpyware beta and releasing it as a free download for Windows XP, Windows 2000, and Windows 2003 users. In early spring, 2006, Microsoft renamed the beta software to as “Windows Defender”, currently “beta 2.” The renamed software for now exists as a time-limited beta test product that will expire (beta 1 in July 2006, and beta 2 in December, 2006). Microsoft has also announced that the product will ship (for free) with Windows Vista. Other well-known anti-spyware products include Webroot Spy Sweeper, PC Tools’ Spyware Doctor, ParetoLogic’s XoftSpy, and Sunbelt’s CounterSpy (which uses a forked codebase from the GIANT Anti-Spyware product).

Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as “spyware”. However, recent versions of these major firms’ home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as “extended threats” and now offers real-time protection from them (as it does for viruses).

Real-time protection blocks spyware in the process of installing itself. Here, Windows AntiSpyware blocks an instance of the AlwaysUpdateNews spyware.

Anti-spyware programs can combat spyware in two ways:

1. real-time protection, which prevents the installation of spyware
2. detection and removal of spyware.

Writers of anti-spyware programs usually find detection and removal simpler, and many more programs have become available which do so. Such programs inspect the contents of the Windows registry, the operating system files, and installed programs, and remove files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings.

Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software’s SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs. To date, other programs such as Ad-Aware and Windows AntiSpyware now combine the two approaches, while SpywareBlaster remains focused on real-time protection.

Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making “signatures” or “definitions” which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates gratis. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually. Not all programs rely on updated definitions. Some programs rely partly (for instance Windows Defender) or entirely (BillP’s WinPatrol, and certainly others) on historical observation. They watch certain configuration parameters (such as the Windows registry or browser configuration) and report any change to the user, without judgment or recomendation. Their chief advantage is that they do not rely on updated definitions. Even with a subscription, a “critical mass” of other users have to have, and report a problem before the new definition is characterized and propagated. The disadvantage is that they can offer no guidance. The user is left to determine “what did I just do, and is this configuration change appropriate?”

If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware.

Malicious programmers have released a large number of fake anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware — or worse, may add more spyware of their own. ^{[1] [2]}

The recent proliferation of fake or spoofed antivirus products has occasioned some concern. Such products often bill themselves as antispyware, antivirus, or registry cleaners, and sometimes feature popups prompting users to install them.

Known offenders include:

SpyAxe
AntiVirus Gold
SpywareStrike
SpyFalcon
WorldAntiSpy
WinFixer
SpyTrooper
Spy Sheriff
SpyBan
SpyWiper
PAL Spyware Remover
Spyware Stormer
PSGuard

On 2006-01-26, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product. [1]

References

1. ↑ Roberts, Paul F. “Spyware-Removal Program Tagged as a Trap“. eWeek. May 26, 2005.
2. ↑ Howes, Eric L. “The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites“. Retrieved July 10, 2005.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Gaining unauthorized access to a computer is illegal, under computer crime laws such as the United States Computer Fraud and Abuse Act. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware programs, such as viruses. Nonetheless, few prosecutions of writers of spyware have occurred, and many such producers operate openly as aboveboard businesses. Some have, however, faced lawsuits.

Spyware producers primarily argue in defense of the legality of their acts that, contrary to the users’ claims, users do in fact give consent to the installation of their spyware. Spyware that comes bundled with shareware applications may appear, for instance, described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim that these demonstrate that users have consented to the installation of their software.

Despite the ubiquity of EULAs and of clickwrap agreements, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreements can be a binding contract in certain circumstances. This does not however mean that every clickwrap agreement is a contract or that every term in a clickwrap contract is enforceable. It seems highly likely that many of the purported contract terms presented in clickwrap agreements would be dismissed in most jurisdictions as being contrary to public policy. Many spyware clickwrap agreements appear intentionally ambiguous and excessive in length, with key contract terms made inconspicuous. These are all grounds on which similar agreements have been rejected as contracts of adhesion.

Nor can a contract possibly exist in the case of spyware installed by surreptitious means, such as in a drive-by download where the user receives no opportunity to either agree to or refuse the contract terms.

Some jurisdictions, including the U.S. states of Iowa [1] and Washington [2], have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software.

New York Attorney General Eliot Spitzer has pursued spyware companies for fraudulent installation of software. [9] In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to pay $7.5 million and to stop distributing spyware. Intermix’s spyware spread via drive-by download, and deliberately installed itself in ways that made it difficult to remove. ^[1]

Another spyware behavior has attracted lawsuits: the replacement of Web advertisements. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court. Other spyware apart from Claria’s also replaces advertisements, thus diverting revenue from the ad-bearing Web site to the spyware author.

One legal issue not yet pursued involves whether courts can hold advertisers responsible for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, the advertised company contracts with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of “impressions” or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have “fired” advertising agencies which have run their ads in spyware. ^[2]

In a sort of turnabout, a few spyware companies have threatened websites which have posted descriptions of their products. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing the Gator program as “spyware”. ^[3] PC Pitstop settled, agreeing not to use the word “spyware”, but continues to publish descriptions of the harmful behavior of the Gator/Claria software. [3]

References

1. ↑ Gormley, Michael. “Intermix Media Inc. says it is settling spyware lawsuit with N.Y. attorney general“. Yahoo! News. June 15, 2005.
2. ↑ Gormley, Michael. “Major advertisers caught in spyware net“. Business Week. June 24, 2005.
3. ↑ Festa, Paul. “See you later, anti-Gators?“. News.com. October 22, 2003.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

A few examples of common spyware programs may serve to illustrate the diversity of behaviors found in these attacks.

• Caveat: As with computer viruses, researchers give names to spyware programs which frequently do not relate to any names that the spyware-writers use. Researchers may group programs into “families” based not on shared program code, but on common behaviors, or by “following the money” or apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as “Gator”. Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.
• CoolWebSearch, a group of programs, installs through the exploitation of Internet Explorer vulnerabilities. The programs direct traffic to advertisements on Web sites including coolwebsearch.com. To this end, they display pop-up ads, rewrite search engine results, and alter the infected computer’s hosts file to direct DNS lookups to these sites. ^[1]

• Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites. ^[1]

• 80 Solutions transmits extensive information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies. [5]

• HuntBar, aka WinTools or Adware.Websearch, is a small family of spyware programs distributed by Traffic Syndicate. ^[1] It is installed by ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs—an example of how spyware can install more spyware. These programs add toolbars to Internet Explorer, track Web browsing behavior, redirect affiliate references, and display advertisements.

References

1. ↑ ^{a b c} “Parasite information database“. Doxdesk.com. Retrieved July 10, 2005.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Anti-spyware programs often report Web advertisers’ HTTP cookies as spyware. Web sites (including advertisers) set cookies — small pieces of data rather than software—to track Web-browsing activity: for instance to maintain a “shopping cart” for an online store or to maintain consistent user settings on a search engine.

Only the Web site that sets a cookie can access it. In the case of cookies associated with advertisements, the user generally does not intend to visit the Web site which sets the cookies, but gets redirected to a cookie-setting third-party site referenced by a banner ad image. Some Web browsers and privacy tools offer to reject cookies from sites other than the one that the user requested.

Advertisers use cookies to track people’s browsing among various sites carrying ads from the same firm and thus to build up a marketing profile of the person or family using the computer. For this reason many users object to such cookies, and anti-spyware programs offer to remove them.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.