The Spyware Inferno

An anonymous reader writes "Ever thought there should be a scale for quantifying the evil Spyware does? In an editorial article at news.com.com, a Silicon Valley Venture Capitalist uses the levels of hell in Dante's Inferno to do just that. The article also goes into depth on how vendors, and Claria in particular, make money - of particular interest, 31% of Claria's revenue came through Overture. This may explain why Yahoo took so long to list Claria as Adware in its anti-spyware toolbar."

Remember Kids...

[romper]

Claria is Gator is Spyware.

Re:Remember Kids...

[sik0fewl]

.. is apparently a good way to make cash.

I think people should be forced to take classes or seminars before using the Internet, teaching them how *not* to be fooled to install adware and spyware. They should also be told not to use Internet Explorer.

Of course, with this seminar, everyone would get a free software CD with Claria included.

Re:Remember Kids...

[bjohnson]

Because Apple "eats their own dog food"?

None of this crap targets Macs, or Mac browsers, so it's entirely possible that they haven't even noticed how much of a problem it is, or ever heard of the company.

The only reason I ever notice spyware is when I have to clean it out of yet another luser's system.

Spyware Schmyware. I use Firefox on OS X.

Problem solved.

Where do you draw the line?

[VAXGeek]

What's the difference between advertising supported software which gathers marketing demographics and spyware?

Sweet sweet kickbacks to Yahoo, that's what.

Re:Where do you draw the line?

[saintp]

When was the last time you read an EULA in full? What about your grandma? Name the last EULA she read in full.

Disclosure really doesn't matter when "NiftyFreeWebApp" buries the fact that it requires the sacrifice of your firstborn on page 972 of a EULA written in obfuscated legalese.

Re:Where do you draw the line?

[saintp]

I'm aware of this. I use Opera (and love it!), used NetZero for the brief time that it was free, and other ad-supported software. Most of those practice true disclosure: You're getting a service in exchange for your eyes. And I'm fine with that.

But if someone is hawking something like EUniverse or Claria, then they're not going to be upfront and forthcoming about it, because their service isn't valuable enough. Opera is (or was; Firefox is gaining ground) a nice enough browser that I'm willing to put up with some ads, so I accept the EULA precisely because they're upfront about being ad-supported.

In contrast, no one would ever install a 404-redirect program if they knew what it would do up front. Instead, somewhere in the EULA is a paragraph explaining in euphemism a mile deep that the app hijacks your browser.

I'm not anti-ad-supported software; I think it allows some outstanding software to get into the world for free. (Obviously I'd prefer they GPL'd Opera, but I'll take what I can get.) I'm saying that forcing disclosure is basically masturbatory.

Cliche

[dmayle]

It's like the old detective cliche, follow the money. The problem with both spyware/adware, and spam, is that they're profitable. Beating this stuff with technological measures alone is never going to be easy. If we really want something done, we've got to find ways to make sure these people and/or companies can't make money doing it...

Re:Cliche

[kneecarrot]

Well, I've been watching the spam lately and to my eyes it looks like technology is slowly making spam less profitable. Spam filters are becoming so effective that spammers are being forced to litter their messages with nonsense words and mispellings. These nonsense words and mispellings make the receiver of the spam less likely to purchase anything. And so (hopefully) the cycle will continue.

lol...

[jmrobinson]

she called us "the slashdot crowd."

but...down to business
All right...who told her we would actually get off our asses and burn someone at the stake?

No...

I am a windows developer of a small program with about 4000 users. Without spyware I would not be in business, since most people crack my s/w and dont pay after the trial.

Thanks to spyware, I am still make a living.

Re:No...

Thanks to spyware, I am still make a living.

Well, at least I can see why you didn't become a writer.

Re:No...

[syn3rg]

And thanks to you, I'm making pretty good cash cleaning up these systems that you infect ^H^H^H^H install.

IDS's

[kc0re]

I run IDS's for about 9 different Class C's and a handful of Class B subnets out there. I would say Gator, (to include all of it's baddies, stuff like, PrecisionTime and PrecisionDate), are about 60% of the signatures that alert on those IDS's. Not much I can do about it except report to the SA's which in turn choose to ignore me or run with it, but malware in general is becoming more of a prevalent problem. And frankly it's annoying.

It's not just the shady companies

[gbulmash]

Besides spyware, what annoys me is "user agents". Quicktime, RealPlayer, and Winamp all have little TSR's that load at start-up and eat megabytes of memory for "quality assurance" and "ease of use" purposes. I don't know how many times I've tried to disable qttask.exe or realsched.exe in my start up only to have it come back unexpectedly. Winamp's is easy to disable at setup, but Quicktime and Real require you to dig.

I don't say they're delivering ads or sending back personally identifiable info to their manufacturers, but they are using my resources without giving me what I consider to be any perceptible advantage.

If we're going to legislate spyware, these user agents need to be considered and the law needs to require Apple and Real to provide better notice of them and make them easier to shut down permanently.

- Greg

Re:It's not just the shady companies

[VAXGeek]

Removing the Quicktime task is really pretty simple.

1) Find qttask.exe
2) Rename or delete.

Disable Real's SmartCenter by right-clicking on the real icon in your system tray (bottom right hand corner of the Windows screen) and select Disable Smartcenter.

Hardly "digging".

Re:It's not just the shady companies

[throughthewire]

I had to grin when you referred to the tray programs as TSRs. You've been doing this awhile, eh?

One little utility I find helpful is Mike Lin's StartupMonitor. It hollers at you whenever something (AIM, Real, Quicktime, etc.) attempts to register an executable to run at startup, and allows you to approve (or more to the point, deny) the attempt. Useful and educational!

Re:It's not just the shady companies

[pdh11]

I don't say they're delivering ads or sending back personally identifiable info to their manufacturers, but they are using my resources without giving me what I consider to be any perceptible advantage.

Rio Music Manager has one, too, and the reason we put it there is because there are certain things that Rio Music Manager needs to do (such as send custom USB commands to portables) which can't be done by an unprivileged user under Windows. So at install time -- assuming it's installed by an administrator -- the service gets run with admin privileges, and then later, when unprivileged Rio Music Manager runs, it can send custom USB commands via the service.

On Linux it's probably just "chmod 660 /dev/sdwhatever ; chgrp portable /dev/sdwhatever" and adding people to group portable, but on Windows it's not so easy. Not all background tasks are necessarily malicious.

Peter

Re:It's not just the shady companies

[Octos]

Uhhhh. Did anybody in this thread bother to check the program preferences?

In Quicktime preferences: uncheck "Quick Time system tray icon" and it will never come back.

I haven't messed with Real player in a long time, but I recall a similar option being available if you right-click the tray icon, possibly in a preference panel.

I'm sorry it's so easy.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Helpful tools

[zokum]

We all know spyware is a fucking waste of both resources and internet bandwidth, please do everyone a favour and install either Ad Aware from http://www.lavasoft.de/ or Spybot Search & Destroy from http://www.spybot.info/.

If you happen to run an OS where these aren't supported (everything but win*) just ignore this post :-).

Kill their Revenue Stream

Seriously, as more places try to "legitimize" their revenue by branching out what they do, it'll take longer for most companies to sit back and say "we can't do this because of your questionable business model."

Yahoo took long enough, but they finally did.

What users need to do is continue to keep writing in and boycotting companies that use spyware affiliated services until they stop supporting them. Overture be damned, it's still ultimately a spyware thing. After all, it's just another way to collect information and track users. When Doubleclick decided to combine all the information... I'm sure you Slashdotters remember the response it got. Privacy is a big issue and until more companies in the playing field like Yahoo get the idea... it's going to continue being a problem.

Spyware is certainly more aggressive at this point, but ever since I installed Adaware and started using more of the extensions available for Mozilla/FireFox, it hasn't been something I've even remotely come across... unless I'm helping to clean up a friend or client's oversaturated box. I'm just wondering at this point why some of these spyware apps haven't been classified as viruses yet... they certainly act in a very similar manner: Installing without knowledge, announcement or permission... phoning home without knowledge, announcement or permission. Spreading without... ah, fook it, you get the idea. I'm just preaching to the chior here. A lot more questions than answers despite knowing exactly what is going on here. This is exactly why we shouldn't be supporting services that are running legitimately despite having that slight (or underhanded) spyware connection.

My Spyware Experience

[BlueOtto]

As the Intern/Pc Support Help Desk guy at my work, I'd estimate that about half of the problems here are a result of spyware. However, I have a process that works MOST of the time to totally eliminate it it from a computer. It takes time (usually around 30 minutes), but being totally thorough makes sure that one piece doesn't get left behind and bring everything else back. This is what I do:

-Run AdAware and Spybot Search and Destroy (get latest updates!)
-Run CWS Shredder
-Run HiJackThis and locate all curious entries and remove them
-Run msconfig.exe and clear all suspicious or even borderline suspicious entries from startup
-Check running processes for suspicious entries (doing this a lot makes you familiar with what is good and not good. Stuff like WhatsUp.exe -- usually bad. Or WJLHOWPDMNW.exe)
-Try to kill the processes, and then locate and delete those files. If you cannot delete them or end the processes, write them down and boot into safe mode to delete those files
-Finally, check Program Files for suspicious folders. That's where much of spyware hides. Apoint2K and and search bars and anything else are BAD!

... which should be on the FRONT PAGE!

[arhar]

I think every time Claria is mentioned, it should be mentioned on the same page - hell, in the same sentence that Claria IS Gator, and their company name, names of everyone connected to the company, their significant others, and descendants down to the fifth generation, should be recorded in human history as worthless scum and vilified forever.

Re:... which should be on the FRONT PAGE!

[romper]

No wonder the author of TFA said us Slashdotters think authors/supporters of spyware "should be burned at the stake". :)

Black hole them

[router_ninja]

it's a work around, and it's not pretty, but black hole the traffic before it hits the segment you have your ids's on (if possible). Example of known spyware destination ips (google): 4.4.23.227 4.8.104.90 4.18.162.102 4.21.117.158 4.36.44.3 4.38.98.140 4.43.44.32 4.43.44.128 4.65.105.109 12.14.172.204 12.29.97.96 12.30.241.70 12.30.241.74 12.30.241.106 12.30.241.242 12.36.78.54 12.37.62.0 12.39.105.80 12.47.196.49 12.98.204.163 12.99.231.36 12.129.72.201 12.129.198.41 12.129.201.99 12.129.204.6 12.129.204.99 12.129.204.107 12.129.204.122 12.129.204.125 12.129.204.158 12.129.204.160 12.129.204.183 12.129.204.197 12.129.204.204 12.129.204.208 12.129.204.219 12.129.205.102 12.129.205.105 12.129.205.120 12.129.205.162 12.129.205.167 12.129.205.171 12.129.205.206 12.129.205.220 12.129.211.125 12.129.225.165 12.129.229.191 12.129.248.48 12.129.248.128 12.130.12.30 12.130.12.106 12.130.91.7 12.145.139.160 12.148.21.23 12.148.209.196 12.153.20.152 12.153.20.157 12.158.80.10 12.168.32.90 12.168.33.58 12.168.33.194 24.1.248.148 24.3.113.25 24.7.145.249 24.27.205.221 24.30.8.185 24.42.211.66 24.57.164.38 24.57.240.53 24.58.172.230 24.71.18.34 24.72.3.189 24.90.4.150 24.90.243.203 24.101.203.184 24.104.40.39 24.104.40.52 24.106.94.101 24.108.132.26 24.125.77.118 24.126.133.124 24.141.149.114 24.151.184.187 24.173.79.235 24.207.243.16 24.218.47.171 24.222.112.75 24.229.80.135 24.235.212.163 24.242.151.203 38.113.1.80 38.113.1.111 38.113.1.151 38.113.1.155 38.113.1.159 38.113.3.122 38.113.193.6 38.113.198.80 38.113.198.132 38.113.198.136 38.113.198.176 38.113.198.235 38.113.199.63 38.113.204.182 38.114.129.148 38.117.144.27 38.117.144.30 38.117.144.50 38.117.144.162 38.117.174.2 38.117.174.20 38.118.144.180 38.119.65.135 38.119.65.137 38.170.72.194 61.8.3.212 61.16.133.250 61.43.30.91 61.78.61.223 61.115.205.23 61.129.67.141 61.129.67.149 61.129.67.151 61.129.69.190 61.135.131.23 61.135.131.31 61.135.131.36 61.135.131.39 61.135.131.42 61.135.131.128 61.135.131.174 61.135.131.237 61.139.65.222 61.145.75.227 61.145.75.233 61.149.2.221 61.152.251.25 61.177.222.222 61.213.156.128 62.13.25.201 62.13.25.209 62.23.124.88 62.23.137.170 62.26.219.11 62.27.21.101 62.27.59.227 62.27.59.245 62.39.85.0 62.39.108.98 62.39.122.20 62.56.244.55 62.57.74.14 62.58.2.5 62.65.34.64 62.65.36.136 62.65.252.93 62.65.252.226 62.69.162.144 62.69.162.171 62.75.193.84 62.93.224.242 62.96.181.197 62.97.109.50 62.101.246.77 62.104.23.56 62.115.254.26 62.118.240.27 62.118.248.72 62.118.251.0 62.119.21.132 62.119.21.135 62.119.21.150 62.119.21.157 62.119.133.10 62.119.133.11 62.121.105.75 62.146.24.251 62.146.222.65 62.148.166.3 62.149.0.12 62.149.0.140 62.149.36.64 62.150.129.118 62.153.59.95 62.160.32.0 62.161.184.96 62.172.199.20 62.178.238.135 62.181.185.37 62.181.185.44 62.189.43.224 62.189.74.144 62.189.244.232 62.193.206.144 62.210.139.48 62.210.164.83 62.212.117.198 62.219.114.145 62.233.196.72 etc. etc. etc.

Re:Separating Linux users from Windows users

[Evangelion]

I know it's elitist to say this, but what happens is that Windows users will make the tradeoff of malware to allow them to steal music and other content. They don't protest, because deep down they know what they're doing is wrong.

Not really.

Being both a Linux user and a Windows user, I don't tolerate any kind of adware or spyware either.

The typical windows user:

* Does not understand that AdWare/Spyware/Malware is acutally on thier computer
* Does not understand how AdWare/Spyware/Malware gets on thier computer in the first place.
* When they realize it's on thier computer, they will often belive it's nessecary for software to function. (I tried cleaning up my sister-in-laws Win98 PC, and she immediately blamed me for screwing it up the first time something didn't work the same way -- that's the only real anecdote I have, as I stay the bloody hell away from that kind of job).
* Assuming they realize that it's on thier computer, and they realize they don't have to live with it, then they can get rid of it. Once. But being able to get rid of it by getting a friend to install AdAware and Spybot S&D in no way affects thier ability to detect it on thier computer, or realize that something might be installing it.

Comparing Windows to Linux in this regard is just ignorant. There are is basically no Malware/Spyware programs on linux (I know there's some Adware out there, but I can't imagine it being terribly successful). And Linux users as a whole are self-selecting in this regard, and are used to having to live without software that they'd like to use.

That, and there are several pieces of very popular Adware (MSN Messenger for example) that are sufficiently useful to outweigh the cons of it being Adware.

So, really, the windows users who put up with this garbage simply because they don't know any better and trust the companies when they claim this garbage is nessecary, or that they choose to put up with the Adware to use a program that they want to use.

I also find it ironic that you're saying piracy is a tradeoff for running adware, when any person who is going to pirate things won't think anything of cracking adware to get rid of ads...

BTW, if you think Linux users don't pirate media, you're on fucking crack :)

PDF document listing the 9 circles of spyware hell

[5amTheButcher]

Here's the link - now, what in that made it necessary to be distributed as a PDF, and not as an HTML/XML document? The proliferation of PDFs for information that can be displayed consistantly in other, more compact and less processor hungry formats, is frankly disturbing.

TSR?? makes sense

[gosand]

I had to grin when you referred to the tray programs as TSRs. You've been doing this awhile, eh?

From everything2.com:

TSR: an acronym from the words Testosterone Sterilized (female) Rat. A TSR manifests the persistent estrus syndrome. Lacking ovulatory cycles, she is sterile. The condition is induced experimentally by injections of testosterone prior to the age of eleven days. The first five days of life are the most sensitive or critical ones. Smaller doses are then effective. The effect is life-long.

So TSRs are sterilized vermin with teeth but no balls. Sounds about right.

Recovering from Spyware.

[Alien54]

Spyware removal can be a pain. Here is a repost of something I posted earlier, along with some added details

He went down the merry path of trying to rescue the system in order to keep customer data intact. The story is typical of someone who is entering the fray without have their tools prepared in advance. The solution always looks easier than it really is.

In his case, he needed

• a CD with all of the relevent tools and updates
• a windows boot disk with CD support
• an understanding of the windows command line in order to copy a subset of these tools to a convenient folder on the hard drive from the CD
• The knowledge to run these tools from Safe mode, and how to get there in the first place
• Include in the subset of tools one that can fix the broken LSP setup.

  [LSP or Layered Service Provider is a piece of software that can be inserted into the Windows TCP/IP handler like a link in a chain. However, due to bugs in the LSP software or deletion of the software, this chain can get broken, rendering the user unable to access the Internet. Spyware is good at this, and some cleaners leave a broken LSP behind.

  With the correct tool, the fix takes seconds. Without the tool, you need to uninstall and re-install the winsocket, or else the same with the entire network support. Otherwise you fall into the trap this poor bloke got into.]

tips - I deal with this stuff all of the time. The best data on this stuff can be found in articles at spywareinfo.net - the forums are not bad either, although spywarewarrior.com also has good forums. also good to have is this list of known rogue spyware cleaners [spywarewarrior.com], along with this list of Anti-Spyware Orphans & Outcasts [spywarewarrior.com]

My current recommended free antivirus is Avast! Home Edition [avast.com], which is very low maintenance for the home user, and requires registration for the free license. It also protect a number of common Instant Messenger clients, as well as several common P2P clients. It is better than AVG in my opinion, and detects many trojans as well as spyware.

You can get a system that is so hosed that it will not boot, not even into safe mode, even under XP. The solution there to remove the hard drive, drop it into an external drive enclosure, and hook it up to another system where you can use scanning software to do a basic clean so you can boot in the original configuration. Once it boots you can install cleaners from safe mode, and then run cleaners from inside every user account. Note that you still need to run the clean from inside each user account because otherwise things will hide in the seperate user folders.

Re: the LSP chain break -- HijackThis can sometimes fix it. Otherwise, Spybot can fix it. Xblock will also fix it. [xblock is an excellent first pass cleaner, with a freeware version available). (Spybot second, AdAware third)I always use more than one scanner, and scan multiple times.] Immunisers such as SpywareBlaster are also nice. All of these packages are mentioned at spywareinfo.com, which sometimes goes under due to DDOS problems from people who do not like the services they provide. (insert obligatory plug for someone to help them out, one way or another.)

Copyright => Spyware

[Philip+Dorrell]

The copyright system says that the only way you can expect to receive substantial revenue from your efforts to create useful content is to prevent free access to your content. If you provide your content in the most useful form, to the largest number of people who might find it useful, your income is guaranteed to be arbitrarily close to $0.

Spyware/adware is a natural response to this problem. Closed source is less useful than open source to users of software, but the intellectual property regime says it is a better business model, precisely because customers don't know what is in the software. Spyware just takes this principle to its logical conclusion: if it is good for the customer not to know what is in their software, let's exploit this ignorance to the maximum extent possible.

This will gradually kill the market for individual developers of mass-market software. Previously you had to convince your customers that it is worth the effort to download and try out your software, and then you had to convince them to pay you for it if they liked it, even though it is dead easy for them to not pay you and to keep on using the software anyway. Now you also have the hopeless task of convincing your customers that someone they have never heard of is not a spyware author.

It's much worse than people think. (Rant)

[Decclan+Macmanus]

First let me explain what I do for a living. I am a computer technician for a Networking company that handles law firms, doctor offices and such. Each of these places will have anywhere from 5 to 100 computers in their office. I would say I am forced to clean machines of spyware, malware, adware and viruses about 90% of my work orders. I have become proficient in doing so with all the practice I've had. These office employees of my clients just download everything they see. They answer yes to every question that get asked on a website. They do not read it and wouldn't understand it if they did. I am talking about EULA agreements of course. The legalese subtly hides the subject of the agreement that even the lawyers at these law firms cannot decipher it. I've done some testing on how easy it is to get infected with spyware and viruses without the consumer's awareness. I connected a freshly installed Windows XP machine to a broadband connection with no firewall in place and no spyware or virus detection programs in place. I surfed well known websites that millions of people search everyday for about five minutes. I then installed Spybot 1.3, Adaware 6.0 and Hijackthis onto the machine. In those five minutes of unprotected internet browsing the computer had over five different spyware programs installed including: VX2 Better Internet, a CoolWebSearch varient, New.net varient and some a couple of tracking cookies. This was five minutes of browsing mind you and I got three of the worse programs in their genre. I have recently found out that New.net actually has bundle parterships with several big companys including Earthlink, Net Zero and Juno. New.net has actually threatened or sued spyware removal companys like Spybot and Adaware. Spybot backed down from them and removed any New.net detection from their program. Lavasoft who makes Adaware is fightning back in court against New.net. New.net claims these companys are giving a bad name to their software by saying they are malware programs that collect data or supply ads to the end-user. New.net says it does not do that but I know first hand they are lying. I had a machine that was infected with New.net that caused AD popups, totally screwed the clients network connections. And these companys are legal businesses!! All I know is the government needs to step in and regulate these companys. The invasion of privacy they do on our computers is no different from a voyeur peeping in your house window or somebody tapping your phone or reading your mail without your knowledge. And yes Microsoft operating systems are the easy targets because a good portion of the world and mostly home users use Microsoft OS's. Mac and Linux people think they are safe but that will change. The more people use those machines the more spyware and viruses will surface. There already is some spyware programs for the Macintosh and a couple of viruses. The best thing for the home user to do is takes steps in protecting your computer. Use a good firewall, Keep your Windows updated, Use a different browser (I use Firefox) than Internet Explorer. Have a good antivirus program installed and updated everyday. New viruses are discovered nearly everyday. Use programs like Spybot, Ad-aware and Spyblaster( (protects against bad Active X downloads.) Take the time to actually learn to use these programs fully. Spybot has some extra tools that are great. HijackThis is great but you need to know what you are looking at. If you see a EULA agreement pop-up on your screen take the time to read it and also look up the company or software you are trying to install on Google.com and do some research on what people say about their programs. Pestpatrol.com is also a great site for learning about these malicous programs. The spyware developers are getting smarter as well. There are some spyware programs that run in the background but do not show a process in Taskmanager. Some variants regenerate themselves even after removal (usually by some leftover registry entries called "tricklers" or install programs that are hiding in your Te