How Spyware Took The Next-Gen Threat Crown (On The Internet's No #1 Threat Today MUST READ!!!)
Posted on 12/21/2004 2:39:48 AM PST by goldstategop
Spyware used to be defined as applets, cookies or any other method used to collect statistics on your browsing habits. Gone are the days of such a benign interpretation. Spyware has evolved into a problem that surpasses those posed by traditional worms, viruses and Trojans.
Today, these once relatively innocuous apps have evolved from anonymous, and often invisible, traffic statistics gatherers into beasts capable of crippling your PC's performance by installing unwanted toolbars, pop-up ads, desktop icons and many other nuisances.
If that's not bad enough, some Spyware will modify system files, change security zone settings, keylog your sessions, spawn Trojans and change start page settings. Today, the term "spyware" is, in my opinion, synonymous with virus, and as usual, you have been left to deal with this on your own.
How did this happen?
Like many age-old schemes, the desire for easy money has driven spyware development into the darkest corners of the Internet. Unscrupulous individuals use flaws in the Windows operating system in combination with Microsoft's browser, Internet Explorer, to distribute their wares, or more accurately, infect your machine.
Countless types of applications, browser helper objects, cookies and bots are now competing for your finite system resources in order to pitch pop ups, report your internet activity, modify OS settings and steal personal information. Simple site statistics are no longer sufficient to sustain the beast.
Spyware companies are making millions of dollars by evading laws, finding loopholes, exploiting vulnerabilities and making their products resistant to removal. When compared to what we all know as a traditional virus, spyware is much worse because viruses are not nearly as tenacious when it comes to re-propagation or resistance to removal.
This may sound like the work of evil, globally dispersed hacking networks but many spyware developers are operating within U.S. borders without so much as a hiccup from the legal system. Although as of late, the spyware problem has generated some rumblings on Capitol Hill.
Another punch to the gut is that it is very easy to track who is benefiting from your pain. Spyware partners are typically paid on a 'per installation' basis. This means that there is a unique ID associated with each installation so that the partner can get paid. This information is easily acquired, yet no one is doing anything about it.
To further entertain us, Spyware companies are very shrewd and typically add verbiage on their sites to make you believe that all their software is installed only with your consent. What's even more hilarious is how the worst offenders have anti-spyware animations running on their sites.
If you look closely, you would almost believe that you are reading a legitimate EULA when in fact, you're reading deceptive or flat out inaccurate information. Many of them tell you that the apps can be easily uninstalled using the add/remove programs feature in Windows. In my experience, this does not work. In fact, there have been times when I have seen what appears to be a complete uninstall only to find that the Spyware is still operating in the background.
My anti-virus suite will surely help me, won't it?
No. If you look at this from the standpoint of AV providers, there is no financial benefit, thus, there is no motivation to add spyware removal features.
Many of the best removal tools are freely available for download. It does not make sense to attempt to develop something better than people already expect for free. Additionally, it is much harder to keep up with spyware than worms, viruses and Trojans because most of the aforementioned were not designed for financial gain and were typically developed by loose bands of unfunded hacking groups to prove a point.
When compared to the financial forces that are backing spyware, the cost to AV companies to keep up would be astronomical. Without a significant increase in product costs, AV companies cannot allocate resources to battle what has become the new front on the assault of your Internet experience.
I have a personal firewall and I patch my system all the time. Shouldn't I be safe?
Absolutely not. For openers, Microsoft is slow to deliver patches in relation to the speed and efficiency with which malware developers disseminate their apps. Statistics show that browsing a single site can yield over a dozen infections.
What's worse is that Browser Helper Objects (BHOs) are invisible to personal firewalls. The traffic is seen as originating from your browser, not the malicious helper. Spyware developers know precisely how personal firewalls behave and their apps are written to take advantage of allowed protocols and applications. Adding insult to injury, spyware uses Microsoft's own zone security model against them by simply placing malicious sites in Internet Explorer's trusted zone.
OK so which spyware removal tool is the best?
There is no single tool out there that can rid you of your troubles. Typically, running two or three different scanners will yield different results. A popular tag team approach to vanquishing the unwelcome code includes installing both Lavasoft's Ad-Aware and Spybot Search and Destroy.
Also, detecting spyware is completely different from removing it.
As of late, spyware makers have started delivering apps that cannot be removed with automated tools so even if you ditch IE in favor of an alternate browser you may still find yourself spending hours trying to remediate infections. Sadly, users end up lost in search engine results and scanning forums hoping to find a remediation process that worked for other poor souls.
In some cases, a complete OS reinstall is quicker than bearing this pain. You may also find yourself victimized by your own desire to remove spyware. Some crooked coders have actually developed what look to be legitimate spyware scanners, which are, in fact, spyware propagators.
What can we do?
Sadly, the funding that's fueling spyware development is far greater than the funding devoted to stopping it. Until the playing field evens out, spyware is going to continue to invade our privacy, steal information and cause financial and personal loss.
For now, the best thing you can do is visit trusted sites and be vigilant about scanning your machine with a variety of anti-spyware tools. Keep in mind that most bona fide removal tools are developed by independent groups of developers and small development firms. Paying for anti-spyware software is not an indicator that you are getting a superior product over free, open source alternatives.
ping for later
Microsoft Anti-Spyware Preview
On December 17, 2004, Microsoft announced the acquisition of an anti-spyware company, surprising many in the industry. The acquisition is notable for two reasons. First, Microsoft had already revealed its intention to get into the anti-spyware market. Second, the company it purchased, Giant Software Company, was largely an unknown in the industry. Largely, that is, except for me. In a rare moment of luck, I'd actually been a fan, customer, and advocate of Giant AntiSpyware, as their anti-spyware solution is logically named, for several months. In fact, I've found it to be far more effective than the industry darlings, Ad-aware and Spybot Search & Destroy. And I've been recommending it to friends and family ever since.
But wait, the luck doesn't end there. While months of experience with Giant Antispyware gives me a unique perspective of this product, I was also lucky enough to interview Giant co-founder Andrew Newman just days before his company was purchased by Microsoft. Newman discussed with me Giant's plans for future versions of the product, including a centrally-managed enterprise version (Figure) that, I suspect, played a large part in Microsoft's interest. Newman explained to me why Giant's approach to tackling spyware is superior to that of the competition, and provided some valuable insight into how spyware can be confronted and defeated.
First, a bit about Giant
Giant Software Company was founded by Ron Franczyk and Andrew Newman in Chicago in November 2000. The pair were both working in corporations and were frustrated by spam and the horrible anti-spam solutions that were available at the time. Rallying around the message "Online Peace of Mind," the two started Giant Software Company with the goal of creating a better anti-spam mousetrap. The resulting product, Giant Spam Inspector, now protects over 2 million email inboxes from spam.
Despite its name, Giant Software Company was never a giant company. It grew from the two cofounders to 11 employees who are today based in Chicago, Atlanta, and New York, and it also sells a pop-up ad blocker and the anti-spyware solution that we're now most interested in. But Giant has been profitable and self-sustaining since its inception, Newman told me, and its products are currently used by almost 1 million customers. That success, he said, has been driven by Giant's community-based approach.
"We decided to leverage the power of community and create an anti-spam community," he said. "Many products are like that now, including Cloudmark and others. But there wasn't anything like that four years ago. We allow the Internet community to help us solve a huge problem, and we build into that system an intelligent approach to anti-spam that combines [traditional anti-spam] rules with heuristics."
About a year ago, Giant began looking into anti-spyware for both consumers and enterprises. Here, the company knew it could use some of its existing anti-spam technology. But it also solidified its community-based approach into a community Web site called Spynet, which helps ensure that Giant customers know about spyware threats before anyone else. Spynet was an immediate success, with over 200,000 contributors in its first month alone.
Why Giant AntiSpyware is better
Because many of the companies that are getting into the anti-spyware market come from an anti-spam background, they tend to bring with them the habits and methods that worked there. That makes some sense, Newman told me, because spyware is essentially an extension of spam, or the technological successor to spam. However, Newman told me that battling spam and spyware are not identical. That's because spyware is typically more pathological and invasive than is spam.
"Windows was developed as a platform, and is extremely extensible, so we can integrate into the system," Newman said. "The problem is, anyone can do that, including malware writers." To effectively fight spyware, he said, you need software that can do more than just look at a file, poll a list of known bad files, and identify it as good or malicious. Spyware often imitates legitimate files, or finds ways of hiding itself on your system. For this reason, Giant AntiSpyware uses logic that is based partially on feedback from Spynet to examine the "genetic fingerprints" of files and determine whether those files are valid. "We can detect variations of files," Newman said. "The way anti-virus works is it looks at strings and patterns in a file. This looks at the file as a whole. They're completely different approaches."
Indeed, the signature-based methods used to combat spam are ineffective against spyware, because the methods spyware use to attack your system change so often. Newman said Giant AntiSpyware provides a three-pronged attack on spyware. First, the product can perform spyware scanning and cleaning, as you'd expect. Second, the aforementioned Spynet provides Giant with valuable community contributions. And third, Giant AntiSpyware runs constantly in your system, providing real-time protection from spyware, preventing it from getting a foothold in your system. It's better to prevent an attack from happening than to try and remove malware after it's already infested your system.
"Real-time protection is the key," Newman told me. "Spyware has to integrate into your computer somehow, using a Browser Helper Object or whatever. The real-time protection monitors virtually every single auto start point on your system, detecting changes and notifying you, via a pop-up window, when anything changes." If you're installing an application, for example, you will know to dismiss the pop-up, because you've instituted the changes it's detecting. But if you're browsing the Web (with IE, no doubt), and you receive such a notification, it's time to start paying attention.
In my own admittedly unscientific testing, Giant AntiSpyware has proven notably superior to perennial favorites like Ad-aware and Spybot Search & Destroy. Indeed, I find it interesting that so many reviewers recommend that users install both Ad-aware and Spybot in order to fully protect themselves from spyware. That's because neither seems to be able to remove all of the spyware on any PC I've tested. I've had much better success with Giant AntiSpyware. And I'm not alone: In Spywarewarrior.com product tests, Giant AntiSpyware came out on top, detecting 111 of 138 possible spyware installs, compared to just 79 for Ad-aware (second place) and 69 for Spybot (fourth place). None of those programs reported any false positives, though another popular product, Pest Patrol, suffered a whopping 10 false positives and found just 55 real spyware installs.
Effectiveness is obviously the most important aspect of any spyware solution, but I'm also a big fan of Giant's user interface, which is far nicer than that of Ad-aware or Spybot, and more Windows-like. Let's take a look.
A look at Giant Antispyware
If you set it up correctly, you'll never see the AntiSpyware application after your first manual spyware scan, because it will sit resident in your system and automatically deal with most spyware attacks, prompting you only with pop-up windows occasionally as needed. However, Giant AntiSpyware, unlike some other spyware solutions, presents a pleasant, easily-navigated user interface that is similar, in some ways, to a Microsoft taskpad or activity center.
There are three main screens. From the Spyware Scan screen, you can initiate a manual spyware scan, set scan options, and view information about prior scans (Figure). If you choose to run a scan now, Giant AntiSpyware can perform a number of scan types, including a deep scan, which scans all files and folders, and a more typical intelligent scan, which will just test common entry points for spyware. When a scan is complete, you can view the scan results (Figure) and then optionally decide what to do with any found spyware (Figure); spyware can be ignored, quarantined, removed (the default), or always ignored.
In the Real-time Protection screen (Figure), you can configure whether the real-time protection feature is active and view the status of Giant AntiSpyware's three agent types (Internet, System, and Application). The Internet Agents prevent applications from modifying or monitoring your Internet connection and settings. The System Agents protect against threats making unauthorized or hazardous changes to your system, including altering security permissions. The Application Agents prevent threats from installing, deleting, or modifying Internet Explorer or downloading ActiveX controls, which can contain malicious code.
Currently, these three agent types protect 58 so-called system checkpoints, entry-points in your system where malicious code can be inserted. For example, one typical checkpoint is called process execution. This checkpoint prevents spyware from executing processes (applications or services) on your PC. If an unknown process attempts to execute on your computer, the process will be blocked and you will receive an alert, which lets you remove the process. This is, possibly, the most critical function of this software: It blocks errant software from executing on your system, before it happens.
From the Real-time Protection screen, you can also access information about blocked events, which are changes to your system that you have chosen to block.
The third screen, Advanced Tools (Figure), provides you with links to numerous other functions, including System Explorers, which are system settings that are often hard or impossible to otherwise configure. For example, you may be familiar with the new Manage Add-ons functionality that is included with the Windows XP SP2 version of Internet Explorer; this feature lets you enable or disable Browser Helper Objects and other IE plug-ins. However, the Internet Explorer System Explorer in Giant AntiSpyware also lets you permanently remove such add-ons, which, frankly, is exactly what you need (Figure). There are all kinds of System Explorers in Giant AntiSpyware, and if you're interested in security, you should spend some time here. You can configure such things as which applications run when Windows starts, which ActiveX controls are installed, and which processes are currently running. It's a wonderful set of functionality that Microsoft should bubble up more obviously from within Windows itself.
Other Advanced Tools include System Inoculation, which examines your PC for possible security holes (Figure); Browser Hijack Restore, which helps restore features of IE that have been hijacked by malware (Figure); Tracks Eraser, which can be used to remove the history of your activities in a surprisingly wide range of applications and system services, such as Adobe Acrobat Reader, Microsoft's Windows Common Dialog, and the Google Toolbar (Figure); and Secure File Shredder, a wonderful utility that can be used to completely eliminate files from your PC using US Department of Justice (DOJ) recommendations for secure file destruction (Figure). How this product doesn't have the word "suite" in its title is beyond me.
Like a firewall or anti-virus application, Giant AntiSpyware more typically makes itself known by popping up the occasional pop-up window in the lower right corner of your desktop. These pop-ups arrive when the product detects a potential spyware attack, or, by default, when it's completed a spyware scan (you can turn that latter feature off, which I recommend).
Some of the pop-ups are innocuous. For example, you may upgrade a product to a newer version. In such a case, Giant AntiSpyware will typically note that an acceptable application change has occurred and let you get on with your life without having to approve the change (Figure).
Some of the pop-ups, however, warn of more dangerous problems. Perhaps you've navigated to a malicious Web site that is attempting to install some spyware. Or maybe you or an application is attempting a system configuration change with which Giant AntiSpyware is not familiar. In such a case, you're provided with information about the change and prompted to Allow or Block it.
So now that Microsoft has purchased Giant and its anti-spyware solution, attention logically turns toward what the company will do with it. Previously, Microsoft had revealed that it would release an anti-spyware solution in 2005, a year ahead of the mid-2006 release of Longhorn (where its anti-spyware solution was originally set to appear). The company has internal anti-spyware and malware projects, codenamed Strider and GhostBuster, respectively, which would have fulfilled those goals, and sources I've spoken with suggest that Microsoft understands, perhaps better than anyone, how today's malicious spyware is now hooking into Windows systems and intends to rectify that situation.
To date, Giant AntiSpyware has been made available for a yearly subscription fee, and my expectation is that Microsoft will continue using that model. However, that isn't, in my opinion, what the company should do. Instead, I'd like to see Microsoft offer Giant AntiSpyware free to all Windows users, as a benefit of using their OS. Frankly, it is the architectural problems in Windows that let spyware and other malicious malware infect users' systems, and Microsoft should fix that problem for free. For now, the software giant says it hasn't yet decided on licensing and pricing.
Time will tell, of course. I'll be talking to Microsoft soon about its anti-spyware plans, and the company will ship a public beta of its Giant AntiSpyware-derived anti-spyware solution before the end of January 2005, so I'll be looking at that to see whether it's any different from the product I'm already using. When those events transpire, I'll update this preview as needed. In the meantime, I'm ecstatic that Microsoft purchased Giant. They made the right decision about the anti-spyware solution acquisition. Let's hope the good decision making continues.
I added Prevx to my toolbox and it has stopped several hundred attempted intrusions. The price is right: free.
I run Pivx's Qwik Fix. It actually hardens Windows at the source by shutting down known vulnerabilities. http://www.pivx.com
Microsoft ain't stupid.
First, they save money with sloppy coding and patching. Then they let users "beta test" released versions (i.e., YOU find the errors, then report them). Then they charge for help. Now they want to sell you anti-spyware to plug the holes in their sloppy code.
For extra protection, install IE Spy-Ad. It's a simple Registry patch that adds thousands of malware sites to the Restricted Zone of Internet Explorer so they can't run any code that could install spyware or otherwise harm your computer. FREE to all users. https://netfiles.uiuc.edu/ehowes/www/main.htm
If they screw up, they should fix it. Until we get Longhorn, we'll have to put up with a patched system.
The last time I scanned with Ad-Aware and Spybot S&D, I ran Earthlink's spyware scanner just out of curiosity and found stuff that was missed by the other two. I got hit with Cool Web about six months ago on my old computer, and it completely took over my machine. Later, after I thought I had it removed and the coast was clear, I was logging into my online banking page. As I was beginning to type the password, my modem hung up, and then started dialing another number that I had never heard of. I immediately shut down the computer. It took several runs of CW Shredder to completely remove this garbage. These people coming up with this stuff are getting much better at it. A lot of them are in former East bloc countries and are out of reach, and their governments are of no help.
Coolweb and its affiliates are in Russia. To keep them disabled, add IE Spyad to your computer. Look here for peace of mind: https://netfiles.uiuc.edu/ehowes/www/main.htm
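The two comments above recommend IE Spy-Ad, which works by writing hosts into Internet Explorer's Restricted sites zone under the ZoneMap\Domains registry key, while the article at the top describes spyware doing the reverse and dropping its own hosts into the Trusted sites zone. As an added example that is not from this thread or from IE Spy-Ad's author, this Python script parses a Registry Editor (.reg) export of that key and reports which hosts sit in each zone, so a defender can spot unexpected Trusted-zone entries; the export text, host names and function names are constructed for the example.

```python
r"""Audit Internet Explorer security-zone assignments in a .reg export.

IE keeps per-host zone assignments under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains,
one key per domain (subdomains are subkeys), with values mapping a URL scheme
("http", "https", or "*" for any) to a zone number: 2 = Trusted sites, which
spyware abuses, 4 = Restricted sites, which IE Spy-Ad uses to block hosts.
The sample export at the bottom is constructed for this example.
"""
import re
from collections import defaultdict

DOMAINS_MARKER = "\\zonemap\\domains\\"   # matched case-insensitively
KEY_RE = re.compile(r"^\[([^\]]+)\]$")    # [HKEY_...\ZoneMap\Domains\example.com]
VALUE_RE = re.compile(r'^"(\*|[A-Za-z][A-Za-z0-9+.-]*)"=dword:([0-9a-fA-F]{8})$')

def host_from_key(key):
    r"""...\Domains\example.com\www -> www.example.com; None for unrelated keys."""
    idx = key.lower().find(DOMAINS_MARKER)
    if idx < 0:
        return None
    # Subdomain subkeys nest under the parent domain, so reverse the segments.
    return ".".join(reversed(key[idx + len(DOMAINS_MARKER):].split("\\")))

def parse_zone_map(reg_text):
    """Return {host: {scheme: zone_number}} for every Domains entry."""
    zone_map = defaultdict(dict)
    host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            host = host_from_key(key.group(1))   # None for keys outside Domains
            continue
        value = VALUE_RE.match(line)
        if value and host:
            zone_map[host][value.group(1).lower()] = int(value.group(2), 16)
    return dict(zone_map)

def hosts_in_zone(zone_map, zone):
    """Hosts with any scheme assigned to the given zone, sorted."""
    return sorted(h for h, schemes in zone_map.items() if zone in schemes.values())

def audit(reg_text):
    """Trusted-zone hosts (review each one) and Restricted-zone hosts (blocked)."""
    zone_map = parse_zone_map(reg_text)
    return {"trusted": hosts_in_zone(zone_map, 2),
            "restricted": hosts_in_zone(zone_map, 4)}

# Constructed sample: a bank the user trusted on purpose, an ad host an
# installer slipped into Trusted sites, and one host blocked IE Spy-Ad style.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bank.example]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popups.example\ads]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spyware-host.example]
"*"=dword:00000004
"""

if __name__ == "__main__":
    for label, hosts in audit(SAMPLE_REG).items():
        print(f"{label:>10}: {', '.join(hosts) or '(none)'}")
```

On a live machine, export the ZoneMap key with `reg export` and feed the file's contents to `audit()`; any Trusted-zone host you do not recognise is worth investigating.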
The BEST solution for getting rid of a lot of this stuff is
2) Virus software
3) ad and spy software
4) GET RID OF INTERNET EXPLORER AND MOVE TO FIREFOX
Good Post. Personal experience with this problem. My wife didn't keep up the anti-virus and anti-spyware programs she had on her computer. As much as her daughter and I told her to run scans and update the software, she just didn't take the time to do it. It got to the point finally that the computer basically quit working. I tried running the anti-virus software and it wouldn't even run. In this case I got lucky. Her daughter came over and we finally got the anti-spyware to run and there were thousands of files infected with spyware. Then the anti-virus program would run. When all was said and done we were able to get the computer back up and running but one of my favorite programs will not run on this computer now because at least one file is quarantined and Gateway did not supply the Windows XP disc with the computer when we bought it so that I could reinstall the files I need. My wife did learn a valuable lesson though. She now keeps the anti-virus and anti-spyware definitions up-to-date.