Analysis of Spyware
scubacuda writes "What actually happens when you install adware/spyware/malware? Follow the Bouncing Malware examines what's downloaded, redirected, and obfuscated. A fascinating read. (Part two was postponed in order to cover a new My Doom variant.)"
I have been an IE devotee since v4.x came out. I have recently moved over to Firefox in order to stop me having to keep up with all the security problems I started to experience only in the last couple of months.
Seriously, how hard can it be for MS to write an application as straightforward, yet secure as Firefox?
I downloaded Service pack 2 release candidate and noted a lot of security improvements and features, but in agreeance with MS, who today released the full Service pack 2, it seems to mainly add 'bars and locks' to your 'doors and windows'. Whereas Firefox seems to be a better neighborhood to live in from the start.
Well, you could feed the spyware's controllers some fudged data, but how do you think you're going to get a SETI@Home-like model to "generate the data needed to put these goofs in jail"? Please, explain how repeated computation of fast Fourier transforms will do anything to uncover the spyware's owner. :)
Suppose we managed to get your nice antispyware software to collect data on the spyware's owners. What form do you think that data will take? I'm guessing it would be little more than IP addresses. Perhaps you can convince the authorities to subpoena the ISP for the owners of those addresses, but I doubt it. Good luck.
The World Wide Web is dying. Soon, we shall have only the Internet.
I've found that all the spyware can be kept down to basically zero if you do what I do (even for Windows users). I use Firefox and not IE (it's interesting to look at how many hits ad-aware gets for tracking cookies etc. with IE)... And speaking of ad-aware, I run it regularly. Honestly, spyware statistics would go way way down if people ran an anti-spyware program now and then. I find in my experience, when you run it for the first time and get 500 - 1500 "objects" found, it wakes the user up as to what sort of crap is on there, and after that they seem to be pretty good about running it themselves.
Join the Empire! http://www.empirereborn.net/
Wouldn't it be great to see spyware producers suffer legal consequences? Don't think it will happen, though: the political and legal system is too busy protecting the recording and movie industries at the moment.
You're missing a key point. Spyware operators can't be put in jail because they're not breaking any laws simply by publishing spyware. Being scum is not a crime.
A virus gets onto a user's computer through security holes, but malware simply walks through the front door stating their evil intents in a clickwrap TOS that the user usually doesn't read. There's no crime in getting people to agree to something stupid in exchange for a silly little app that runs in the corner of their screen.
Look, I have worked on systems that have had hundreds of infections, from viruses and spyware. I routinely subject a drive from a machine with spyware to the same checks and controls I do with viruses. I start by removing the victim drive and putting it in a secondary control system. Only then can I properly remove the hooks installed to prevent you from really removing things.
I've seen everything from DLL hooks to putting itself into the system restore file or hidden OEM restore partitions. This way Windows itself will *fix* your removal. I've seen where they try to emulate legitimate hotpacks and patches. It's pretty simple really, if a program installs surreptitiously, disguises itself, and takes steps to prevent its removal - then it is a virus.
The state AGs are too busy taking campaign money from the copyright cartel and sending threatening letters to "P2P companies" to worry about spyware.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
You're implying that spy and malware exist because people want attention. That may be true concerning many viruses, but spyware is simply about money.
I do not disagree, and let me reinforce the point. The 'wares take a direct path to customers' systems from known sources, unlike virii.
If someone goofs and winds up on a site like the article mentioned, guess what, the customer just hit a malware mine.
It's not like the lovebug bit where it spread like wildfire, at random, the 'wares are more focused and actually show a purpose behind their creation: to retrieve personal information on the user behind the keyboard.
Under Federal and State regulations, this shows Willing Intent to Commit Malice, possible violations of Wiretapping Laws, and is grounds for prosecution to the fullest extent of the Law.
First rule of holes; When in one, stop digging.
What's your ticker symbol, because I don't ever want to buy stock in a company that can't run a network properly.
Any system where someone properly configures it and keeps an eye on it is ahead of the game, regardless of the operating system.
Hmmm. Interesting opening comment:
Surely you don't mean to discredit these malcontents' free will do you? And the suggestion that they have "need" to hurt other people also seems to disown them of their personal responsibility to behave properly despite if they are malcontent and have antisocial personality "features". I'd rather call the latter "choices." Sheesh! What kind of system would any lawful country have if they were to punish their criminals because someone else, i.e. "society," made them choose to be evil, malicious, self-serving, or greedy? Sure, society and its micro-cosmos might promote these things, but everyone is ultimately responsible for their own decisions. Please, let us not even hint at the contrary.
Thanks,
William
We need an open source project to provide this functionality in a spyware-free format. The reality is that people need dancing girls, they need strippers on their desktop, they need other bells and whistles. And they will install them, so I'd rather see them install GNUGirl and GNUBuddy.
Future Wiki -- If you don't think about the future, you cannot have one.