An investigation into anti-spyware
Posted on 01/04/2006 9:56:58 AM PST by ShadowAce
A report by Mark Russinovich has raised serious concerns about the seedier side of anti-spyware. He investigated a number of programs that claimed to be spyware removal tools, and found that some of them not only do a poor job of detecting spyware, but may in fact be hazards themselves.
Spyware has become big business in recent years, bringing in as much as US$1.6 billion in 2004. As spyware proliferates, the market for anti-spyware also grows, and many products such as Ad-Aware and Spybot Search and Destroy have arisen to combat this threat.
However, it appears that some programs are now attempting to straddle both sides of the fence. Many of these are advertised by familiar banner ads that mimic Windows error dialog boxes, and say things like "Your computer may be infected. To scan, click 'Yes' below." The entire banner, however, is hotlinked to a website which instructs the user to download and run an alleged anti-spyware program.
When several of these programs were tested on a clean, freshly-installed Windows XP partition, they erroneously reported several Windows components (such as cookies left by MSN.com and the Windows Remote Desktop Service control) as being spyware. These programs offered to clean the "infections" only after the user had entered his or her credit card data to unlock the full functionality of the software.
A closer examination showed that these so-called anti-spyware packages exhibited many of the same behaviors as the spyware they claimed to fight. When viewed in Process Explorer, the processes associated with these programs have no company name or description, carry no digital signature to confirm their authenticity, are compressed (packed) to hinder inspection, and often mimic internal Windows system process names.
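The four indicators listed above are easy to check mechanically. The following script is an added example, not code from the article or from Russinovich's report: it scores constructed process records (in the shape of Process Explorer's columns) for a missing company/description, a missing signature, a high-entropy image sample (a common sign of packing), and a name that either imitates a System32 process or uses a real system name from the wrong directory. The known-process set, the 7.0 entropy threshold and the similarity cutoff are assumptions chosen for illustration.

```python
import math
from collections import Counter
from difflib import SequenceMatcher

# Subset of Windows processes that always live in System32 (constructed list for this example).
KNOWN_SYSTEM = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of an image sample; packed or compressed code typically scores above 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(proc: dict) -> list:
    """Return the indicators a process record trips; an empty list means nothing suspicious."""
    flags = []
    if not proc.get("company") or not proc.get("description"):
        flags.append("no company name or description")
    if not proc.get("signed"):
        flags.append("no valid digital signature")
    if shannon_entropy(proc["image_sample"]) > 7.0:      # assumed threshold
        flags.append("high entropy image (likely packed)")
    name, path = proc["name"].lower(), proc["path"].lower()
    if name in KNOWN_SYSTEM and not path.startswith(SYSTEM_DIR):
        flags.append("system process name running outside System32")
    elif name not in KNOWN_SYSTEM and any(
            SequenceMatcher(None, name, known).ratio() >= 0.85 for known in KNOWN_SYSTEM):
        flags.append("name imitates a system process")   # e.g. scvhost.exe vs svchost.exe
    return flags


# Constructed sample records (not real captures); the second mimics a rogue "cleaner".
SAMPLE = [
    {"name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe",
     "company": "Microsoft Corporation", "description": "Host Process for Windows Services",
     "signed": True, "image_sample": b"MZ\x90\x00" + b"\x00" * 4092},
    {"name": "scvhost.exe", "path": "C:\\Program Files\\ExampleCleaner\\scvhost.exe",
     "company": "", "description": "", "signed": False,
     "image_sample": bytes(range(256)) * 16},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec['name']:<14} {rec['path']}")
        for flag in triage(rec):
            print("   !", flag)
```

A real run would feed it exported Process Explorer columns plus a few KiB read from each image file; here the legitimate record trips nothing and the impostor trips all four indicators.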
Who are these companies that are producing fake anti-spyware packages? Domain traces on the websites they promote lead to a confusing trail:
Not surprisingly, the SpySheriff website reveals little about the company behind it. A Whois of the domain points to Popandopulos Ltd in Greece as the owner, but the associated email address is email@example.com, which is a Russia-based domain. List.ru appears to be an ISP from its Whois information, so it's doubtful that the SpySheriff domain registration is accurate.
So how does one guard against these digital mimics, who pretend to be treasure chests but turn into snapping horrors? A list of the worst offenders has been compiled:
Ultimately, the responsibility for identifying the fake software lies with the end user. As the spyware companies get more and more tricky and insidious, however, this becomes an increasingly difficult task. Hopefully, the upgraded and bundled Microsoft Anti-Spyware that will ship with Windows Vista will help mitigate the problem.
The 'cure' is worse than the disease.
Bump! Good post.
I don't trust any spyware.
My home computer was infested with Spy Axe just this past weekend. It took me a better part of the day to rid myself of it.
Make sure all your virus software is up to date!!!
Don't let this happen to you!
Basic computer security: don't click on pop-ups or ads for anything. Better yet, use Google toolbar or other pop-up and ad blocker, or go to Firefox or another browser.
My current Internet security package:
Bazooka Scanner (free)
Lavasoft Ad-Aware SE (free)
Microsoft Antispyware Beta (free)
Spybot Search and Destroy (free)
Spyware Blaster (free)
Norton Internet Security ($50/year, but can probably be nearly matched with free antivirus and the Windows firewall)
Mozilla Firefox w/Adblock and other extensions - set to ask before accepting cookies (free)
Hardware firewall and WPA-encrypted, secured Wi-Fi network ($40)
Having the common sense not to visit websites such as www.pr0n-n-w4r3z.ru :-p
Set everything to update and execute overnight once a week, but I almost never find anything that's gotten through in the first place. As an added benefit, along with some other optimization stuff, my computer boots and runs applications about twice as fast as it did when it was brand new.
"...erroneously reported several Windows components (such as cookies left by MSN.com and the Windows Remote Desktop Service control) as being spyware."
Maybe -- maybe not.
What is THAT?
Those are all fake antispyware. And there's nothing new about spyware programs clamoring for you to install them so they can "defend" your computer, or viruses posing as antiviruses.
Turbopilot's list is pretty good.
Spybot Search & Destroy
AdMuncher (shareware, but highly recommended)
I stopped using SpywareGuard because it seemed to soak up too much memory, but my experience may not be typical.
PC "out of the box" and it has a cookie on it? Seems this dog CAN hunt. Any cookie that gets written to a PC like this IS probably spyware anyway.
Wi-Fi is a local wireless networking standard. It allows you to buy a cheap router for your home and access the internet or your home network without being tied to a desk or wall cable. It's also the type of internet connection you'll see people using in places like Starbucks and restaurants that advertise free wireless internet. Most new laptops have built-in Wi-Fi cards, but you can get the cards for older laptops as well as desktops.
As far as the security, most people will buy a router (as I said, they can be had for $40, if not cheaper), plug it into their cable or DSL modem, and be online instantly. This is fine, except anyone else with a computer can also get onto their new, unsecured Wi-Fi network (and read their data, if they're malicious). Some people living in apartment complexes don't pay for high-speed internet connections, because they can surf the internet through any of several Wi-Fi networks in the building set up by people who don't know how to secure them.
Mine's secured in the following way: it doesn't broadcast the SSID, which is the name of the network, so you have to know the name in advance to access it. It uses MAC address filtering, which means I tell the router in advance which computers may use the network, and only those computers can get access. And I use WPA encryption, a more secure tool than the standard WEP encryption, to secure the data I send back and forth. All these items are available with any router and are easy to set up, but they're turned off by default, so in almost any residential area you have your choice of free high-speed internet connections to leech off of :-p
The Microsoft product is crap. It keeps telling me Firefox is spyware. LOL.
Best common sense policy: don't respond to unsolicited solicitations, by phone, by person or by puter (snail mail is still OK.) But then, common sense is dead in the U.S., isn't it?
Ping for later
I use all of these as well, and have been relying on Firefox as my primary browser for almost two years on my work PC, laptop and home PC with no problems whatsoever. However, I have to use IE for our web-based company data collection/display program, and recently I acquired a daily popup of WinFixer and Virtumonde.exe. I checked the Symantec website and found that Virtumonde frequently latches onto Windows updates and its appearance coincided with a recent update. I was able to get rid of it with MS antispyware, but WinFixer has been a tougher nut to crack, still appearing occasionally but not daily as it did before. Any suggestions? It's only on my work PC which is on the company network.
bump for publicity
Just replaced my Sygate Firewall/Avast/Ad-Aware & Spybot lashup on a Windows 2000 Pro system with Earthlink Protection Control. (Mainly because Symantec bought Sygate and promptly dropped support for my firewall down the toilet.)
System is so smooth and transparent it's almost eerie, uses maybe twenty minutes per WEEK for detailed scans (instead of the former half hour or so on every startup) and just plain kicks butt. Only problem I've had is that one of my hot links looked suspicious to Earthlink, and it took some time to get the sharp teeth untangled from the remains.
It's doing a SUPERB job for me. (But I check it, just to be sure.)
Spybot installed a process on my PC that appeared to be monitoring all mouse activity. I couldn't disable it without completely uninstalling it. It significantly delayed my response time. Adaware solved my problems.
Ummm.. to Microsoft, it is!
Earthlink is doing a good job for me after I finally downloaded their latest spyware definitions. I also use Ad-Aware. Their virus protection seems top notch also.
Six pieces of software running just to protect you from deficiencies of the OS. It's really sad if you think about it.
There's an ad: "Get Mac or Linux so you don't have to install, learn and run so many programs that you really don't want anyway."
Hey! Are you dissing my home page? ;-)
Funny. I thought you were making fun of the fact that so many of those types of posts/email/IM scams are written by folk that don't speak English natively. ;-)
I'm very careful when surfing, and have not had any spyware in awhile. However, my wife downloaded a game last night, and now we have SpyAxe and Spy Sheriff on our computer, as well as 2 viruses (W32.Beovens and W32.Puper). I posted my Hijack This! logfile to spywareinfo.com, but they are inundated with requests, and it will take a few days to get a reply, so I guess I'll be working on the computer all day today on my day off to try to get this crap off my machine.
Has anyone used SpySweeper? Is it worth it? Spywareinfo.com has it for $19.95 (ends today), and I was considering buying it.