Gadzooks, my computer has the pox!

Your machine is running slow, IE is taking you to porn sites instead of your normal home page, or your PC has become unstable: all signs of possible viral infection. In the past, the most straightforward way to determine if a PC was infected was to run an antivirus scanner with up-to-date signature files. Unfortunately, over the last year or so, this has become less useful. Typical problems include scanners that flag infected files but offer no immediate way of deleting or disinfecting them. Spyware, adware and malware (short for malicious software) do not conform to the traditional definition of a virus: a program that replicates. Methods of handling these problems were not included in previous antivirus applications.

A virus is not necessarily designed to harm a computer, only to exploit it to replicate, whereas malware is designed to damage the operating system. It is perhaps a moot point, as any of these items can also be defined as “stuff I don’t want on my computer”.

The dot-com crashes of the late 90s brought about a revolution in Internet advertising. Banner advertising companies were going broke because Internet users were getting sick of those annoying animated gifs. People would just ignore these advertisements. Or worse still, the emergence of firewall software actually blocked banner advertisements, which rendered them useless. Hackers realized that they could make easy money with proxy clicking programs, which also led to the demise of many of the pay-per-click advertisers.

Advertisers realized that if they wanted to still make money online, they would have to change tactics. Many advertisers turned to affiliate programs, in which publishers would get paid for actual sales made, not just for a click on a banner. Other advertisers thought of new ways to advertise; they found a way that would allow them to advertise products without even having a website or servers serving advertisements. This is how spyware emerged.

At first, spyware was bundled into freeware and shareware applications, but word quickly spread around the Internet about this new threat, so advertisers had to resort to dirty tricks. Many spyware developers now use hacker exploits to install spyware onto computers. If you use any of the popular operating systems, chances are you will have spyware. It is probably safe to say that most home users have lots of spyware on their computers. This spyware is just sitting there, quietly informing advertisers about your music-listening habits, your web-browsing habits, or your favourite programs. If you are unlucky, you will be infected with a nastier spyware application such as a porn dialer.

Porn dialers are programs that ring up sex lines, usually overseas. The phone bills from porn dialers can be huge. A document expanding on this topic and offering some suggestions on protecting your computer is available at: http://www.piac.ca/modemhijacking.pdf

Browser hijacking is a common way for spyware programs to get you to visit their website. If your home page keeps changing to an advertiser's web page, no matter how many times you have set your favourite home page, you definitely have spyware. More often than not, you will also see pop-up windows appearing in your browser, even if you are offline. Although these windows might advertise mundane products, you might also be flooded with tacky porn sites.

Malware will often inject itself into legitimate processes. It is an advanced infection technique and is very difficult, if not impossible, to remove. Process injection has become very popular in the malware world. Many remote access trojans use this form of infection because it can evade rule-based firewalls. Spyware makers have also begun to use this technique. Injecting into the Internet Explorer process will often give the spyware Internet access: a lot of rule-based firewall applications will not see the malware; they will see the trusted application Internet Explorer and will allow communication.

As more legitimate companies move toward bundling spyware with their software, it is very important that all computer users start to use spyware scanners. Spyware scanners are a relatively new phenomenon; there are a lot of spyware cleaners around, but not all are reputable. Companies that also make spyware have even made some spyware cleaners which will remove other companies' spyware, replacing it with their own version.

Spyware not only invades your privacy, it also causes stability issues with most operating systems. Spyware coders don't really care how sloppy their coding is. Poor coding leads to spyware damaging a user's system. Sometimes only visiting a site that has spyware exploits embedded into the HTML can bring your system to a crawl. Current antivirus applications can recognize spyware, but removing spyware from an infected machine can be difficult. If a novice attempts the removal, it can even further destabilise the system as registry editing is always involved.

How Can I Tell If I Have Spyware?

Not all symptoms are easy to diagnose, but the easy symptoms to recognize include the following:

Your computer is slowing down to a crawl.

Porn sites are popping up in your browser when you are surfing the Net.

Your computer mysteriously dials up phone numbers during the middle of the night—normally to expensive porn chat lines—leaving you with a huge bill.

When you enter a search term into your search bar, a new and unfamiliar site handles the search.

New sites are added to your Favourites list without your adding them.

Your home page has been hijacked, and the new site keeps coming back even if you remove it.

You get pop-up advertisements that address you by your name, even when your computer isn't connected to the Internet.
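
One way to check the home page, search and Favourites symptoms listed above, as an added example that is not part of the original article. It assumes PowerShell is installed; the expected home page and the 14-day window are placeholder values, and the listing of Run entries is an added assumption about where a setting that keeps returning is commonly restored from.

```powershell
# Added example (not from the original article). Read-only: it changes nothing.
$ExpectedHome = 'about:blank'   # assumption: replace with the home page you set
$RecentDays   = 14              # assumption: look-back window for new Favourites

function New-Finding($Check, $Value) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value }
}

function Get-HijackSymptomReport {
    param([string]$ExpectedHome, [int]$RecentDays)

    # Home page and search page as Internet Explorer stores them for this user.
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    if ($ie) {
        if ($ie.'Start Page' -and $ie.'Start Page' -ne $ExpectedHome) {
            New-Finding 'Home page differs from expected' ($ie.'Start Page')
        }
        if ($ie.'Search Page') { New-Finding 'Search page (review)' ($ie.'Search Page') }
    }

    # Favourites shortcuts created inside the look-back window.
    $fav = [Environment]::GetFolderPath('Favorites')
    if ($fav -and (Test-Path $fav)) {
        $cutoff = (Get-Date).AddDays(-$RecentDays)
        Get-ChildItem $fav -Recurse -Filter '*.url' -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $cutoff } |
            ForEach-Object { New-Finding 'Recently added Favourite' ($_.FullName) }
    }

    # A setting that keeps coming back is often rewritten by something that
    # starts at logon, so list per-user and machine-wide Run entries for review.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $run = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if (-not $run) { continue }
        $run.PSObject.Properties | Where-Object { $meta -notcontains $_.Name } |
            ForEach-Object { New-Finding "Autostart entry ($key)" "$($_.Name) = $($_.Value)" }
    }
}

Get-HijackSymptomReport -ExpectedHome $ExpectedHome -RecentDays $RecentDays |
    Select-Object Check, Value | Format-Table -AutoSize -Wrap
```

Autostart entries are listed for review only; most of them will be legitimate software, so compare the list against what you knowingly installed.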

Prevention is often the best medicine, and choosing a non-Microsoft browser can significantly reduce your chances of being infected with spyware from Internet exploits. Blocking ActiveX scripting and Java scripting can also add extra security to your system. Always keep up to date with the latest Windows updates.

Sites to Avoid

Free Porn Sites. Avoid these sites at all costs. There normally is a reason these are free; probably it's because you end up infected with a porn dialer.

Warez and Crack Sites. The webmasters who run these sites don't care too much about ethics. You will find that a large percentage of these sites have spyware embedded into their HTML code.

MP3 Sites and P2P Software. These sites are well known to be sources of spyware; many of the big-name P2P and file-sharing programs come bundled with spyware, so check on the Internet before installing these programs if you must use them.

Now what?

Start with a spyware scanner. Some of the best scanners are freeware. If you download a scanner and it detects a heap of spyware and then pops up a link to purchase the software to clean the spyware, it could be just a scam. The best freeware scanners include the following:

Spybot-S&D <http://www.safer-networking.org>

Ad-aware <http://www.lavasoftusa.com>

The reality is, if these scanners detect more than 30 files, the time to properly fix the problem would be best spent on a fresh load of the operating system. Using the above tools to alleviate the problem will give you time to back up your critical data in preparation for a fresh load.

With MS Windows XP, a fresh load, followed by bringing the system up to date (SP2 at this writing) along with the critical updates from Microsoft, and installing current antivirus software that also detects spyware, will protect your machine from current threats. To protect against emerging threats, it is important to keep both Windows and the antivirus program up to date.

Michael Neill

Uxbridge Computer Solutions
May 2005