Anti-spyware programs often report Web advertisers’ HTTP cookies as spyware. Web sites (including advertisers) set cookies — small pieces of data rather than software—to track Web-browsing activity: for instance to maintain a “shopping cart” for an online store or to maintain consistent user settings on a search engine.

Only the Web site that sets a cookie can access it. In the case of cookies associated with advertisements, the user generally does not intend to visit the Web site which sets the cookies, but gets redirected to a cookie-setting third-party site referenced by a banner ad image. Some Web browsers and privacy tools offer to reject cookies from sites other than the one that the user requested.

Advertisers use cookies to track people’s browsing among various sites carrying ads from the same firm and thus to build up a marketing profile of the person or family using the computer. For this reason many users object to such cookies, and anti-spyware programs offer to remove them.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Using a virtual machine (such as a pre-built Browser Appliance for VMWare Player) can inhibit infection by spyware, malware, and viruses. Virtual machines provide seperate environments, so if spyware enters the virtual environment, the host computer remains unaffected. One can also use snapshots to remove one’s private information, transporting the snapshot of the VM.

This environment resembles a sandbox. It has drawbacks in that it uses more memory (compared to a standalone browser) and it uses a lot of disk space.

Security practices

To deter spyware, computer users have found a number of techniques useful in addition to installing anti-spyware software.

Many system operators install a web browser other than Microsoft’s Internet Explorer (IE), such as Opera or Mozilla Firefox – though such web browsers have also suffered from some security vulnerabilities. Not a single browser ranks as safe, because in the case of spyware the security comes with the person who uses the browser.

Some Internet Service Providers — particularly colleges and universities — have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University’s Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it. ^[1] Many other educational institutions have taken similar steps against Marketscore and other spyware. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users’ behavior, and so may attract institutional attention more readily.

Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. One site, CleanSoftware.org, founded as an alternative to other popular Windows software sites, offers only software verified not to contain “nasties” such as spyware. Recently, C|Net revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.

References

1. ↑ Schuster, Steve. “Blocking Marketscore: Why Cornell Did It“. Cornell University, Office of Information Technologies. March 31, 2005.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Lavasoft’s Ad-Aware, one of a few reliable commercial anti-spyware programs, scans the hard drive of a clean Windows XP system.

Many programmers and some commercial firms have released products designed to remove or block spyware. Steve Gibson’s OptOut, mentioned above, pioneered a growing category. Programs such as Lavasoft’s Ad-Aware SE and Patrick Kolla’s Spybot – Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the GIANT Anti-Spyware software, rebadging it as Windows AntiSpyware beta and releasing it as a free download for Windows XP, Windows 2000, and Windows 2003 users. In early spring, 2006, Microsoft renamed the beta software to as “Windows Defender”, currently “beta 2.” The renamed software for now exists as a time-limited beta test product that will expire (beta 1 in July 2006, and beta 2 in December, 2006). Microsoft has also announced that the product will ship (for free) with Windows Vista. Other well-known anti-spyware products include Webroot Spy Sweeper, PC Tools’ Spyware Doctor, ParetoLogic’s XoftSpy, and Sunbelt’s CounterSpy (which uses a forked codebase from the GIANT Anti-Spyware product).

Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as “spyware”. However, recent versions of these major firms’ home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as “extended threats” and now offers real-time protection from them (as it does for viruses).

Real-time protection blocks spyware in the process of installing itself. Here, Windows AntiSpyware blocks an instance of the AlwaysUpdateNews spyware.

Anti-spyware programs can combat spyware in two ways:

1. real-time protection, which prevents the installation of spyware
2. detection and removal of spyware.

Writers of anti-spyware programs usually find detection and removal simpler, and many more programs have become available which do so. Such programs inspect the contents of the Windows registry, the operating system files, and installed programs, and remove files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings.

Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software’s SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs. To date, other programs such as Ad-Aware and Windows AntiSpyware now combine the two approaches, while SpywareBlaster remains focused on real-time protection.

Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making “signatures” or “definitions” which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates gratis. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually. Not all programs rely on updated definitions. Some programs rely partly (for instance Windows Defender) or entirely (BillP’s WinPatrol, and certainly others) on historical observation. They watch certain configuration parameters (such as the Windows registry or browser configuration) and report any change to the user, without judgment or recomendation. Their chief advantage is that they do not rely on updated definitions. Even with a subscription, a “critical mass” of other users have to have, and report a problem before the new definition is characterized and propagated. The disadvantage is that they can offer no guidance. The user is left to determine “what did I just do, and is this configuration change appropriate?”

If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware.

Malicious programmers have released a large number of fake anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware — or worse, may add more spyware of their own. ^{[1] [2]}

The recent proliferation of fake or spoofed antivirus products has occasioned some concern. Such products often bill themselves as antispyware, antivirus, or registry cleaners, and sometimes feature popups prompting users to install them.

Known offenders include:

SpyAxe
AntiVirus Gold
SpywareStrike
SpyFalcon
WorldAntiSpy
WinFixer
SpyTrooper
Spy Sheriff
SpyBan
SpyWiper
PAL Spyware Remover
Spyware Stormer
PSGuard

On 2006-01-26, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product. [1]

References

1. ↑ Roberts, Paul F. “Spyware-Removal Program Tagged as a Trap“. eWeek. May 26, 2005.
2. ↑ Howes, Eric L. “The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites“. Retrieved July 10, 2005.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Gaining unauthorized access to a computer is illegal, under computer crime laws such as the United States Computer Fraud and Abuse Act. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware programs, such as viruses. Nonetheless, few prosecutions of writers of spyware have occurred, and many such producers operate openly as aboveboard businesses. Some have, however, faced lawsuits.

Spyware producers primarily argue in defense of the legality of their acts that, contrary to the users’ claims, users do in fact give consent to the installation of their spyware. Spyware that comes bundled with shareware applications may appear, for instance, described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim that these demonstrate that users have consented to the installation of their software.

Despite the ubiquity of EULAs and of clickwrap agreements, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreements can be a binding contract in certain circumstances. This does not however mean that every clickwrap agreement is a contract or that every term in a clickwrap contract is enforceable. It seems highly likely that many of the purported contract terms presented in clickwrap agreements would be dismissed in most jurisdictions as being contrary to public policy. Many spyware clickwrap agreements appear intentionally ambiguous and excessive in length, with key contract terms made inconspicuous. These are all grounds on which similar agreements have been rejected as contracts of adhesion.

Nor can a contract possibly exist in the case of spyware installed by surreptitious means, such as in a drive-by download where the user receives no opportunity to either agree to or refuse the contract terms.

Some jurisdictions, including the U.S. states of Iowa [1] and Washington [2], have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software.

New York Attorney General Eliot Spitzer has pursued spyware companies for fraudulent installation of software. [9] In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to pay $7.5 million and to stop distributing spyware. Intermix’s spyware spread via drive-by download, and deliberately installed itself in ways that made it difficult to remove. ^[1]

Another spyware behavior has attracted lawsuits: the replacement of Web advertisements. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court. Other spyware apart from Claria’s also replaces advertisements, thus diverting revenue from the ad-bearing Web site to the spyware author.

One legal issue not yet pursued involves whether courts can hold advertisers responsible for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, the advertised company contracts with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of “impressions” or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have “fired” advertising agencies which have run their ads in spyware. ^[2]

In a sort of turnabout, a few spyware companies have threatened websites which have posted descriptions of their products. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing the Gator program as “spyware”. ^[3] PC Pitstop settled, agreeing not to use the word “spyware”, but continues to publish descriptions of the harmful behavior of the Gator/Claria software. [3]

References

1. ↑ Gormley, Michael. “Intermix Media Inc. says it is settling spyware lawsuit with N.Y. attorney general“. Yahoo! News. June 15, 2005.
2. ↑ Gormley, Michael. “Major advertisers caught in spyware net“. Business Week. June 24, 2005.
3. ↑ Festa, Paul. “See you later, anti-Gators?“. News.com. October 22, 2003.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

A few examples of common spyware programs may serve to illustrate the diversity of behaviors found in these attacks.

• Caveat: As with computer viruses, researchers give names to spyware programs which frequently do not relate to any names that the spyware-writers use. Researchers may group programs into “families” based not on shared program code, but on common behaviors, or by “following the money” or apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as “Gator”. Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.
• CoolWebSearch, a group of programs, installs through the exploitation of Internet Explorer vulnerabilities. The programs direct traffic to advertisements on Web sites including coolwebsearch.com. To this end, they display pop-up ads, rewrite search engine results, and alter the infected computer’s hosts file to direct DNS lookups to these sites. ^[1]

• Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites. ^[1]

• 180 Solutions transmits extensive information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies. [5]

• HuntBar, aka WinTools or Adware.Websearch, is a small family of spyware programs distributed by Traffic Syndicate. ^[1] It is installed by ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs—an example of how spyware can install more spyware. These programs add toolbars to Internet Explorer, track Web browsing behavior, redirect affiliate references, and display advertisements.

References

1. ↑ ^{a b c} “Parasite information database“. Doxdesk.com. Retrieved July 10, 2005.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Anti-spyware programs often report Web advertisers’ HTTP cookies as spyware. Web sites (including advertisers) set cookies — small pieces of data rather than software—to track Web-browsing activity: for instance to maintain a “shopping cart” for an online store or to maintain consistent user settings on a search engine.

Only the Web site that sets a cookie can access it. In the case of cookies associated with advertisements, the user generally does not intend to visit the Web site which sets the cookies, but gets redirected to a cookie-setting third-party site referenced by a banner ad image. Some Web browsers and privacy tools offer to reject cookies from sites other than the one that the user requested.

Advertisers use cookies to track people’s browsing among various sites carrying ads from the same firm and thus to build up a marketing profile of the person or family using the computer. For this reason many users object to such cookies, and anti-spyware programs offer to remove them.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

WinFixer is closely related to Aurora Network’s Nail.exe hijacker/spyware program. In worst case scenarios, it may embed itself in Internet Explorer and become part of the program, thus being nearly impossible to remove. The program is also closely related to the Vundo and Virtumonde viruses. [3] – Note: The database entry for the Virtumonde trojan and WinFixer itself are down as of late February 2006), however, a great number of forum members on on-line technical support forums and blogs believe that WinFixer is associated with the Vundo trojan.

Program Name

Although purely speculative, it seems fairly obvious that the name WinFixer is derived from the old Microsoft Windows abbreviation “Win” joined with the word fixer, thus implying Win(dows) Fixer. Because of the name association with the operating system, a hypothetical situation could occur in which a user may possibly think that they are downloading a Windows related program, when, in fact, they are not.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

One case has closely associated spyware with identity theft. ^[1] In August 2005, researchers from security software firm Sunbelt Software believed that the makers of the common CoolWebSearch spyware had used it to transmit “chat sessions, user names, passwords, bank information, etc.” [1], but it turned out that “it actually is its own sophisticated criminal little trojan that’s independent of CWS.” [2] This case is currently under investigation by the FBI.

Spyware has pricipally become associated with identity theft in that keyloggers get routinely packaged within spyware. John Bambenek, who researches information security, estimates that identity-thieves have stolen over $24 billion US dollars worth of account information in the United States alone [3] .

Spyware-makers may perpetrate another sort of fraud with dialer program spyware: wire fraud. Dialers cause a computer with a modem to dial up a long-distance telephone number instead of the usual ISP. Connecting to the number in question involves long-distance or overseas charges, this can result in massive telephone bills, which the user must either pay or contest with the telephone company. Dialers are somewhat less effective today, now that fewer Internet users use dialup modems.

Digital rights management

Some copy-protection schemes, while they do serve the purpose of attempting to prevent piracy, also behave similarly to spyware programs. Some digital rights management technologies (such as Sony’s XCP) actually use trojan-horse tactics to verify a user as the rightful owner of the media in question.

References

1. ↑ Ecker, Clint (2005). Massive spyware-based identity theft ring uncovered. August 5, 2005.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Many spyware programs reveal themselves visibly by displaying advertisements. Some programs simply display pop-up ads on a regular basis—for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior.

Pop-up advertisements lead to some of users’ most common complaints about spyware. A computer can become overwhelmed downloading or displaying ads. An infected computer rarely has only one spyware component installed—they more often number in the dozens ^[1]—and so while a single program might display ads only infrequently, the cumulative effect becomes overwhelming.

Many users complain about irritating or offensive advertisements as well. As with many banner ads, many spyware advertisements use animation or flickering banners designed to catch the eye—thus they become highly visually distracting. Pop-up ads for pornography often display indiscriminately, including when children use the computer—possibly in violation of anti-pornography laws.

A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site’s own advertisements (which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites.

References

1. ↑ ^{a b} “AOL/NCSA Online Safety Study“. America Online & The National Cyber Security Alliance. October 2004.

This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.

Need an webmaster? Click HERE