Free Republic
News/Activism

An investigation into anti-spyware
Ars Technica | 3 January 2006 | Jeremy Reimer

Posted on 01/04/2006 9:56:58 AM PST by ShadowAce

A report by Mark Russinovich has raised serious concerns about the seedier side of anti-spyware. He investigated a number of programs that claimed to be spyware removal tools, and found that some of them not only do a poor job of detecting spyware, but may in fact be hazards themselves.

Spyware has become big business in recent years, bringing in as much as US$1.6 billion in 2004. As spyware proliferates, the market for anti-spyware also grows, and many products such as Ad-Aware and Spybot Search and Destroy have arisen to combat this threat.

However, it appears that some programs are now attempting to straddle both sides of the fence. Many of these are advertised by familiar banner ads that mimic Windows error dialog boxes, and say things like "Your computer may be infected. To scan, click 'Yes' below." The entire banner, however, is hotlinked to a website which instructs the user to download and run an alleged anti-spyware program.

When several of these programs were tested on a clean, freshly-installed Windows XP partition, they erroneously reported several Windows components (such as cookies left by MSN.com and the Windows Remote Desktop Service control) as being spyware. The program offered to clean these "infections" after the user had entered his or her credit card data to unlock the full functionality of the software.

A closer examination showed signs that this so-called anti-spyware package was in fact exhibiting many of the same behaviors as the spyware it claimed to be fighting against. When viewed in Process Explorer, the processes associated with these programs have no company name or description, no digital signature to confirm their authenticity, are compressed to prevent easy tracking, and often mimic internal Windows system process names.
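The Process Explorer indicators in the paragraph above can be turned into a defender-side triage check. The following is an added example, not code from the article or from Russinovich's report: it assumes a Process Explorer-style tab-separated export with the columns Process, Company Name, Description, Verified Signer and Path, and the sample rows are constructed for this example.

```python
# Added example (not from the article or Russinovich's report): score each
# process in a Process Explorer-style tab-separated export against the traits
# the article lists. Column names and the sample rows below are assumptions.
import csv
import difflib
import io

# Windows system process names that impostors commonly imitate.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "smss.exe"}
SYSTEM_DIR = "c:\\windows\\"   # genuine copies live under the Windows directory

# Constructed sample export: one genuine svchost.exe and two impostors.
SAMPLE_EXPORT = (
    "Process\tCompany Name\tDescription\tVerified Signer\tPath\n"
    "svchost.exe\tMicrosoft Corporation\tHost Process for Windows Services\t"
    "(Verified) Microsoft Windows\tC:\\Windows\\System32\\svchost.exe\n"
    "scvhost.exe\t\t\t(Not verified)\tC:\\Temp\\scvhost.exe\n"
    "spysheriff.exe\t\t\t(Not verified)\tC:\\Program Files\\SpySheriff\\spysheriff.exe\n"
)

def looks_like_system_name(name):
    """True for a real system process name or a near-miss spelling of one."""
    name = name.lower()
    if name in SYSTEM_NAMES:
        return True
    return bool(difflib.get_close_matches(name, SYSTEM_NAMES, n=1, cutoff=0.85))

def suspicious_traits(row):
    """Return the article's heuristics that one export row triggers."""
    traits = []
    if not row["Company Name"].strip():
        traits.append("no company name")
    if not row["Description"].strip():
        traits.append("no description")
    if not row["Verified Signer"].startswith("(Verified)"):
        traits.append("no verified digital signature")
    if (looks_like_system_name(row["Process"])
            and not row["Path"].lower().startswith(SYSTEM_DIR)):
        traits.append("system-like name outside the Windows directory")
    return traits

def scan(export_text):
    """Map each flagged process name to its traits; clean rows are omitted."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text), delimiter="\t"):
        traits = suspicious_traits(row)
        if traits:
            findings[row["Process"]] = traits
    return findings

if __name__ == "__main__":
    for proc, traits in scan(SAMPLE_EXPORT).items():
        print(f"{proc}: {', '.join(traits)}")
```

The near-miss check catches look-alike names such as scvhost.exe; a genuine signed svchost.exe under the Windows directory triggers none of the traits and is not reported.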

Who are these companies that are producing fake anti-spyware packages? Domain traces on the websites they promote lead to a confusing trail:

Not surprisingly, the SpySheriff website reveals little about the company behind it. A Whois of the domain points to Popandopulos Ltd in Greece as the owner, but the associated email address is crystaljones@list.ru, which is a Russia-based domain. List.ru appears to be an ISP from its Whois information, so it's doubtful that the Spysheriff domain registration is accurate.

So how does one guard against these digital mimics, who pretend to be treasure chests but turn into snapping horrors? A list of the worst offenders has been compiled:

Ultimately, the responsibility for identifying fake software lies with the end user. As the spyware companies grow more deceptive and insidious, however, that becomes an increasingly difficult task. Hopefully, the upgraded and bundled Microsoft Anti-Spyware that will ship with Windows Vista will help mitigate the problem.


TOPICS: Technical
KEYWORDS: fakes; firefox; malware; spyware

1 posted on 01/04/2006 9:56:59 AM PST by ShadowAce

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

2 posted on 01/04/2006 9:57:14 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

The 'cure' is worse than the disease.


3 posted on 01/04/2006 9:59:51 AM PST by Always Right

To: ShadowAce

Bump! Good post.


4 posted on 01/04/2006 10:00:30 AM PST by talleyman (Kerry & the Surrender-Donkey Treasoncrats - trashing the troops for 40 years.)

To: Always Right

I don't trust any spyware.


5 posted on 01/04/2006 10:01:10 AM PST by mlc9852

To: ShadowAce

My home computer was infested with Spy Axe just this past weekend. It took me a better part of the day to rid myself of it.

Make sure all your virus software is up to date!!!

Don't let this happen to you!


6 posted on 01/04/2006 10:13:30 AM PST by proudmilitarymrs

To: ShadowAce

Basic computer security: don't click on pop-ups or ads for anything. Better yet, use Google toolbar or other pop-up and ad blocker, or go to Firefox or another browser.

My current Internet security package:
Bazooka Scanner (free)
Lavasoft Ad-Aware SE (free)
Microsoft Antispyware Beta (free)
Spybot Search and Destroy (free)
Spyware Blaster (free)
Norton Internet Security ($50/year, but can probably be nearly matched with free antivirus and the Windows firewall)
Mozilla Firefox w/Adblock and other extensions - set to ask before accepting cookies (free)
Hardware firewall and WPA-encrypted, secured Wi-Fi network ($40)
Having the common sense not to visit websites such as www.pr0n-n-w4r3z.ru :-p

Set everything to update and execute overnight once a week, but I almost never find anything that's gotten through in the first place. As an added benefit, along with some other optimization stuff, my computer boots and runs applications about twice as fast as it did when it was brand new.


7 posted on 01/04/2006 10:14:14 AM PST by Turbopilot (Nothing in the above post is or should be construed as legal research, analysis, or advice.)

To: ShadowAce

"...erroneously reported several Windows components (such as cookies left by MSN.com and the Windows Remote Desktop Service control) as being spyware."

Maybe -- maybe not.


8 posted on 01/04/2006 10:23:02 AM PST by MajorityOfOne

To: Turbopilot
...."and WPA-encrypted, secured Wi-Fi network ($40)"

What is THAT?

9 posted on 01/04/2006 10:24:19 AM PST by goodnesswins

To: Turbopilot

www.pr0n-n-w4r3z.ru



Great sight!


10 posted on 01/04/2006 10:27:04 AM PST by Petronski (I love Cyborg!)

Comment #11 Removed by Moderator

To: Turbopilot
I'm also running Ad-Aware, Spybot and Firefox with Adblock. I also run ZoneAlarm firewall (free edition) which automatically informs you when updates are available. My anti-virus software is AVG Free Edition v.7.0. I highly recommend AVG as an anti-virus application. It too automatically updates itself on almost a daily basis (I'm running a DSL connection). Over a year ago I had a conversation with a Dell representative on a hardware problem I was having. He confided that they too were using AVG on their office PCs. Now, this wasn't a Dell employee but one of those Tech Service people you get when you call a Dell Tech Support hotline, but I found that interesting, nevertheless.

Regardless of a package one has, it's always advisable to update the codecs whenever possible for all the software one runs.
12 posted on 01/04/2006 10:31:33 AM PST by bcsco ("The Constitution is not a suicide pact"...A. Lincoln)

To: ShadowAce; Turbopilot

Those are all fake antispyware. And there's nothing new about spyware programs clamoring for you to install them so they can "defend" your computer, or viruses posing as antiviruses.

Turbopilot's list is pretty good.

I use:

AdAware
Spybot Search & Destroy
Spyware Blaster
Norton AV
ZoneAlarm (free)
AdMuncher (shareware, but highly recommended)

I stopped using SpywareGuard because it seemed to soak up too much memory, but my experience may not be typical.


13 posted on 01/04/2006 10:33:42 AM PST by Cicero (Marcus Tullius)

To: MajorityOfOne

PC "out of the box" and it has a cookie on it? Seems this dog CAN hunt. Any cookie that gets written to a PC like this IS probably spyware anyway.


14 posted on 01/04/2006 10:34:17 AM PST by Cletus.D.Yokel (Dagnabit! I dint set my beeber to stune. How will I stop the the chimpeachment now?)

To: goodnesswins

Wi-Fi is a local wireless networking standard. It allows you to buy a cheap router for your home and access the internet or your home network without being tied to a desk or wall cable. It's also the type of internet connection you'll see people using in places like Starbucks and restaurants that advertise free wireless internet. Most new laptops have built-in Wi-Fi cards, but you can get the cards for older laptops as well as desktops.

As far as the security, most people will buy a router (as I said, they can be had for $40, if not cheaper), plug it into their cable or DSL modem, and be online instantly. This is fine, except anyone else with a computer can also get onto their new, unsecured Wi-Fi network (and read their data, if they're malicious). Some people living in apartment complexes don't pay for high-speed internet connections, because they can surf the internet through any of several Wi-Fi networks in the building set up by people who don't know how to secure them.

Mine's secured in the following way: it doesn't broadcast the SSID, which is the name of the network, so you have to know the name in advance to access it. It uses MAC address filtering, which means I tell the router in advance which computers may use the network, and only those computers can get access. And I use WPA encryption, a more secure tool than the standard WEP encryption, to secure the data I send back and forth. All these items are available with any router and are easy to set up, but they're turned off by default, so in almost any residential area you have your choice of free high-speed internet connections to leech off of :-p


15 posted on 01/04/2006 10:38:10 AM PST by Turbopilot (Nothing in the above post is or should be construed as legal research, analysis, or advice.)

To: Petronski

Er, "site."


16 posted on 01/04/2006 10:40:19 AM PST by Petronski (I love Cyborg!)

To: bcsco

The Microsoft product is crap. It keeps telling me Firefox is spyware. LOL.


17 posted on 01/04/2006 10:41:10 AM PST by rintense

To: ShadowAce

Best common sense policy: don't respond to unsolicited solicitations, by phone, by person or by puter (snail mail is still OK.) But then, common sense is dead in the U.S., isn't it?


18 posted on 01/04/2006 10:45:02 AM PST by Revolting cat! ("In the end, nothing explains anything.")

To: ShadowAce

Ping for later


19 posted on 01/04/2006 10:45:39 AM PST by Caramelgal (I don't have a tag line.... I am a tag line. So tag, you are it.)

To: Turbopilot

I use all of these as well, and have been relying on Firefox as my primary browser for almost two years on my work PC, laptop and home PC with no problems whatsoever. However, I have to use IE for our web-based company data collection/display program, and recently I acquired a daily popup of WinFixer and Virtumonde.exe. I checked the Symantec website and found that Virtumonde frequently latches onto Windows updates and its appearance coincided with a recent update. I was able to get rid of it with MS antispyware, but WinFixer has been a tougher nut to crack, still appearing occasionally but not daily as it did before. Any suggestions? It's only on my work PC which is on the company network.


20 posted on 01/04/2006 10:46:00 AM PST by onehipdad (Praying for the enlightenment of dumba$$ liberals everywhere....)

Hopefully, the upgraded and bundled Microsoft Anti-Spyware that will ship with Windows Vista will help mitigate the problem.

Cute.

21 posted on 01/04/2006 10:51:34 AM PST by D-fendr

To: ShadowAce

bump for publicity


22 posted on 01/04/2006 10:54:11 AM PST by VOA

To: onehipdad
I found the following walkthrough at Bleepingcomputer.com's forums:

How to remove WinFixer and Virtumonde

I haven't gotten hit with WinFixer, so I haven't tried this walkthrough, but in general HijackThis is a great tool if you know how to use it, so I wouldn't be too hesitant to try this. I hope it helps.
23 posted on 01/04/2006 10:56:15 AM PST by Turbopilot (Nothing in the above post is or should be construed as legal research, analysis, or advice.)

To: quefstar

Just replaced my Sygate Firewall/Avast/Ad-Aware & Spybot lashup on a Windows 2000 Pro system with Earthlink Protection Control. (Mainly because Symantec bought Sygate and promptly dropped support for my firewall down the toilet.)

System is so smooth and transparent it's almost eerie, uses maybe twenty minutes per WEEK for detailed scans (instead of the former half hour or so on every startup) and just plain kicks butt. Only problem I've had is that one of my hot links looked suspicious to Earthlink, and it took some time to get the sharp teeth untangled from the remains.

It's doing a SUPERB job for me. (But I check it, just to be sure.)


24 posted on 01/04/2006 11:14:37 AM PST by Unrepentant VN Vet (I can't really accept a welcome home until the last MIA does.)

To: rintense
I've never used Microsoft products other than their operating systems and office suites. Their products have so many 'holes' that I've never given their other products any consideration.

I run Windows 2000 and am very happy with it (my PC originally came with Windows ME...was that a piece of junk!). W2000 is the most stable operating system I've used. I've considered at times upgrading to XP but why pay for that when what I have performs so well? I have a Corel version of Linux but have never installed it. Until lately I only had a 20 GB hard drive and didn't want to take up the additional disk space on something I wasn't sure about. Now I have more disk space but am also leery about compatible software. I doubt I'll ever get Linux installed.
25 posted on 01/04/2006 11:25:21 AM PST by bcsco ("The Constitution is not a suicide pact"...A. Lincoln)

To: ShadowAce

Bookmarked


26 posted on 01/04/2006 11:28:15 AM PST by chaosagent (Remember, no matter how you slice it, forbidden fruit still tastes the sweetest!)

Comment #27 Removed by Moderator

To: Turbopilot
Good grief! Why don't we just tell the people who make spyware to stop it and make something that people actually desire. Something that enhances computer use. Seems like they'd make money from that, too. If not even more.
28 posted on 01/04/2006 11:42:53 AM PST by A knight without armor

To: ShadowAce

Spybot installed a process on my PC that appeared to be monitoring all mouse activity. I couldn't disable it without completely uninstalling it. It significantly delayed my response time. Adaware solved my problems.


29 posted on 01/04/2006 11:45:19 AM PST by Real Cynic No More (iLiberals and MSM manipulate the news.)

To: rintense
It keeps telling me Firefox is spyware.

Ummm.. to Microsoft, it is!

30 posted on 01/04/2006 11:46:33 AM PST by NoCmpromiz (Don't take life too seriously... it's not permanent.)

To: quefstar

Earthlink is doing a good job for me after I finally downloaded their latest spyware definitions. I also use Ad-ware. Their virus protection seems top notch also.


31 posted on 01/04/2006 12:00:25 PM PST by wolfcreek

To: Turbopilot

Six pieces of software running just to protect you from deficiencies of the OS. It's really sad if you think about it.

There's an ad: "Get Mac or Linux so you don't have to install, learn and run so many programs that you really don't want anyway."


32 posted on 01/04/2006 12:56:34 PM PST by antiRepublicrat

To: Turbopilot
Having the common sense not to visit websites such as www.pr0n-n-w4r3z.ru

Hey! Are you dissing my home page? ;-)

33 posted on 01/04/2006 1:58:16 PM PST by steve-b (A desire not to butt into other people's business is eighty percent of all human wisdom)

To: Pirate21

bookmark


34 posted on 01/04/2006 2:08:10 PM PST by Pirate21 (The liberal media are as sheep clearing the path along which they will be led to the slaughter.)

To: Petronski
Er, "site."

Funny. I thought you were making fun of the fact that so many of those types of posts/email/IM scams are written by folk that don't speak English natively. ;-)

35 posted on 01/04/2006 10:51:23 PM PST by zeugma (Warning: Self-referential object does not reference itself.)

To: ShadowAce

I'm very careful when surfing, and have not had any spyware in a while. However, my wife downloaded a game last night, and now we have SpyAxe and Spy Sheriff on our computer, as well as 2 viruses (W32.Beovens and W32.Puper). I posted my Hijack This! logfile to spywareinfo.com, but they are inundated with requests, and it will take a few days to get a reply, so I guess I'll be working on the computer all day today on my day off to try to get this crap off my machine.

Has anyone used SpySweeper? Is it worth it? Spywareinfo.com has it for $19.95 (ends today), and I was considering buying it.


36 posted on 01/05/2006 7:43:21 AM PST by Born Conservative (Chronic Positivity: http://www.livejournal.com/users/jsher/)
