SPYWARE
In the field of computing, the term spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.
Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, however, spyware – by design – exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.
As of 2005, spyware has become one of the pre-eminent security threats to computer-systems running Microsoft Windows operating-systems (and especially to users of Internet Explorer because of that browser's collaboration with the Windows operating system). Some malware on the Linux and Mac OS X platforms has behaviour similar to Windows spyware, but to date has not become anywhere near as widespread due to their comparatively smaller user base.
History and development
The first recorded use of the term spyware occurred on October 17, 1994 in a Usenet post that poked fun at Microsoft's business model. Spyware later came to refer to espionage equipment such as tiny cameras. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall. [1] Since then, computer-users have used the term in its current sense.
In early 2000, Steve Gibson of Gibson Research realised that advertising software had been installed on his system, and he suspected that the software was stealing his personal information. After analyzing the software he determined that they were adware components from the companies Aureate (later Radiate) and Conducent. He eventually retracted his claim that the ad software collected information without the user's knowledge, but still chastised the ad companies for covertly installing the spyware and making it difficult to remove.
As a result of his analysis in 2000, Gibson released the first anti-spyware program, OptOut, and many more software-based antidotes have appeared since then. [1] International Charter now offers software developers a Spyware-Free Certification program. [2]
According to a November 2004 study by AOL and the National Cyber-Security Alliance, 80% of surveyed users' computers had some form of spyware, with an average of 93 spyware components per computer. 89% of surveyed users with spyware reported that they did not know of its presence, and 95% reported that they had not given permission for the installation of the spyware. [3]
[edit]
Spyware, "adware", and tracking
The term adware frequently refers to any software which displays advertisements, whether or not it does so with the user's consent. Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.
Many of the programs frequently classified as spyware function as adware in a different sense: their chief observed behaviour consists of displaying advertising. Claria Corporation's Gator Software and Exact Advertising's BargainBuddy provide examples of this sort of program. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user experiences a large number of pop-up advertisements.
Other spyware behaviours, such as reporting on websites the user visits, frequently accompany the displaying of advertisements. Monitoring web activity aims at building up a marketing profile on users in order to sell "targeted" advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such) although many users choose to install it.
[edit]
Routes of infection
Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.
The most direct route by which spyware can infect a computer involves the user installing it. However, users tend not to install software if they know that it will disrupt their working environment and compromise their privacy. So many spyware programs deceive the users, either by piggybacking on a piece of desirable software, or by tricking the users to do something that installs the software without them realising. Recently, spyware has come to include "rogue anti-spyware" programs, which masquerade as security software while actually doing damage.
Classically, a Trojan horse, by definition, smuggles in something dangerous in the guise of something desirable. Some spyware programs get spread in just this manner. The distributor of spyware presents the program as a useful utility — for instance as a "Web accelerator" or as a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a spyware program targeted at children, claims that:
He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE! [4]
The BearShare file-trading program, "supported" by WhenU spyware. In order to install BearShare, users must agree to install "the SAVE! bundle" from WhenU. The installer provides only a tiny window in which to read the lengthy license agreement. Although the installer claims otherwise, the software transmits users' browsing activity to WhenU servers.[5]
Spyware can also come bundled with shareware or other downloadable software, as well as music CDs. The user downloads a program (for instance, a music program or a file-trading utility) and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software, as with the Gator spyware now marketed by Claria. In other cases, spyware authors have repackaged desirable free software with installers that add spyware.
A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. The Internet Explorer Web browser, by design, prevents websites from initiating an unwanted download. Instead, a user action (such as clicking on a link) must normally trigger a download. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as "Would you like to optimise your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack.
Some spyware authors infect a system by attacking security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and install of spyware. The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a "drive-by download", which leaves the user a hapless bystander to the attack. Common browser exploits target security vulnerabilities in Internet Explorer and in the Microsoft Java runtime.
The installation of spyware frequently involves Microsoft's Internet Explorer. As the most popular Web browser, and with an unfortunate history of security issues, it has become the largest target. Its deep integration with the Windows environment and its scriptability make it an obvious point of attack into Microsoft Windows operating systems. Internet Explorer also serves as a point of attachment for spyware in the form of browser helper objects, which modify the browser's behaviour to add toolbars or to redirect traffic.
In a few cases, a worm or virus has delivered a payload of spyware. For instance, some attackers used the W32.Spybot.Worm worm to install spyware that popped up pornographic ads on the infected system's screen. [6] By directing traffic to ads set up to channel funds to the spyware authors, they can profit even by such clearly illegal behaviour.
[edit]
Effects and behaviors
This article or section does not cite its references or sources.
You can help Wikipedia by introducing appropriate citations.
Many Internet Explorer add-on toolbars monitor the user's activity. When installed and run without the user's consent, such add-ons count as spyware. Here multiple toolbars (including both spyware and innocuous ones) overwhelm an Internet Explorer session.A piece of spyware rarely "lives" alone: an affected computer can rapidly become infected with large numbers of spyware components. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic which thereby slows down legitimate uses of these resources. Stability issues, such as application or system-wide crashes, are also common. Spyware which interferes with networking software commonly causes difficulty connecting to the Internet.
In some cases of spyware infection, the user has no awareness of spyware and assumes that the system performance, stability, and/or connectivity issues relate to hardware, to Microsoft Windows installation problems, or to a virus. Some owners of badly infected systems resort to contacting technical support experts, or even buying an entire new computer system because the existing system "has become too slow." Badly infected systems may require a clean reinstall of all their software in order to restore the system to working order. This can become a time-consuming task, even for experienced users.
Only rarely does a single piece of software render a computer unusable. Rather, a computer rarely has only one infection. As the 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. The cumulative effect, and the interactions between spyware components, typically cause the stereotypical symptoms reported by users: a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Documented cases have also occurred where a spyware program disabled other spyware programs installed by its competitors.
Some other types of spyware (Targetsoft, for example) modify system files to make themselves harder to remove. (Targetsoft modifies the "Winsock" Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage.) Unlike users of many other operating systems, a typical Windows user has administrator privileges on the system, mostly for convenience. Because of this, any program which the user runs (intentionally or not) has unrestricted access to the system. Spyware, along with other threats, has led some Windows users to move to other platforms such as Linux or Apple Macintosh, which such malware targets far less frequently.
[edit]
Advertisements
Many spyware programs reveal themselves visibly by displaying advertisements. Some programs simply display pop-up ads on a regular basis; for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behaviour. Hence, pop-up advertisements lead to some of users' most common complaints about spyware.
Many users complain about irritating or offensive advertisements as well. As with many banner ads, many spyware advertisements use animation or flickering banners which are visually distracting and annoying. Pop-up ads for pornography often display indiscriminately, including when children use the computer (possibly in violation of anti-pornography laws).
A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site's own advertisements (which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites.
[edit]
"Stealware" and affiliate fraud
A few spyware vendors, notably WhenU and 180 Solutions, have written what the New York Times has dubbed "stealware", and what spyware-researcher Ben Edelman terms affiliate fraud, also known as click fraud. These redirect the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.
Affiliate marketing networks work by tracking users who follow an advertisement from an "affiliate" and subsequently purchase something from the advertised Web site. Online merchants such as eBay and Dell are among the larger companies which use affiliate marketing. In order for affiliate marketing to work, the affiliate places a tag such as a cookie or a session variable on the user's request, which the merchant associates with any purchases made. The affiliate then receives a small commission.
Spyware which attacks affiliate networks does so by placing the spyware operator's affiliate tag on the user's activity—replacing any other tag, if there is one. This harms just about everyone involved in the transaction other than the spyware operator. The user is harmed by having their choices thwarted. A legitimate affiliate is harmed by having their earned income redirected to the spyware operator. Affiliate marketing networks are harmed by the degradation of their reputation. Vendors are harmed by having to pay out affiliate revenues to an "affiliate" who did not earn them through a contractual agreement. [1]
Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as WhenU and 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.
[edit]
Identity theft and fraud
One case has closely associated spyware with identity theft. [7] In August 2005, researchers from security software firm Sunbelt Software believed that the makers of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc." [2], but it turned out that "it actually is its own sophisticated criminal little trojan that’s independent of CWS." [3] This case is currently under investigation by the FBI.
Spyware has principally become associated with identity theft in that keyloggers are routinely packaged with spyware. John Bambenek, who researches information security, estimates that identity thieves have stolen over $24 billion US dollars of account information in the United States alone [4].
Spyware-makers may perpetrate another sort of fraud with dialer program spyware: wire fraud. Dialers cause a computer with a modem to dial up a long-distance telephone number instead of the usual ISP. Connecting to these suspicious numbers involves long-distance or overseas charges which invariably result in massive telephone bills that the user is liable for. Dialers are somewhat less effective today, now that fewer Internet users use dialup modems.[citation needed]
[edit]
Digital rights management
Some copy-protection schemes, while they do serve the purpose of attempting to prevent piracy, also behave similarly to spyware programs. Some digital rights management technologies (such as Sony's XCP) actually use trojan-horse tactics to verify a user as the rightful owner of the media in question.
[edit]
Spyware and cookies
Anti-spyware programs often report Web advertisers' HTTP cookies as spyware. Web sites (including advertisers) set cookies — small pieces of data rather than software—to track Web-browsing activity: for instance to maintain a "shopping cart" for an online store or to maintain consistent user settings on a search engine.
Only the Web site that sets a cookie can access it. In the case of cookies associated with advertisements, the user generally does not intend to visit the Web site which sets the cookies, but gets redirected to a cookie-setting third-party site referenced by a banner ad image. Some Web browsers and privacy tools offer to reject cookies from sites other than the one that the user requested.
Advertisers use cookies to track people's browsing among various sites carrying ads from the same firm and thus to build up a marketing profile of the person or family using the computer. For this reason many users object to such cookies, and anti-spyware programs offer to remove them.
[edit]
Typical examples of spyware
A few examples of common spyware programs may serve to illustrate the diversity of behaviors found in these attacks.
Caveat: As with computer viruses, researchers give names to spyware programs which frequently do not relate to any names that the spyware-writers use. Researchers may group programs into "families" based not on shared program code, but on common behaviours, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.
CoolWebSearch, a group of programs, installs through the exploitation of Internet Explorer vulnerabilities. The programs direct traffic to advertisements on Web sites including coolwebsearch.com. To this end, they display pop-up ads, rewrite search engine results, and alter the infected computer's hosts file to direct DNS lookups to these sites. [8]
Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites. [8]
180 Solutions transmits extensive information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies. [5]
HuntBar, aka WinTools or Adware.Websearch, is a small family of spyware programs distributed by Traffic Syndicate. [8] It is installed by ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs—an example of how spyware can install more spyware. These programs add toolbars to Internet Explorer, track Web browsing behavior, redirect affiliate references, and display advertisements.
[edit]
User consent and legality
Gaining unauthorised access to a computer is illegal under computer crime laws in several global territories, such as the United States Computer Fraud and Abuse Act. Since the owners of computers infected with spyware generally claim that they never authorised the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware programs, such as viruses. Nonetheless, few prosecutions of writers of spyware have occurred, and many such producers operate openly as aboveboard businesses. Some have, however, faced lawsuits.[citation needed]
Spyware producers primarily argue in defense of the legality of their acts that, contrary to the users' claims, users do in fact give consent to the installation of their spyware. Spyware that comes bundled with shareware applications may appear, for instance, described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim that these demonstrate that users have consented to the installation of their software.
Despite the ubiquity of EULAs and of clickwrap agreements, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreements can be a binding contract in certain circumstances. This does not however mean that every clickwrap agreement is a contract or that every term in a clickwrap contract is enforceable. It seems highly likely that many of the purported contract terms presented in clickwrap agreements would be dismissed in most jurisdictions as being contrary to public policy. Many spyware clickwrap agreements appear intentionally ambiguous and excessive in length, with key contract terms made inconspicuous. These are all grounds on which similar agreements have been rejected as contracts of adhesion. In Australia, the proprietors of Sharman Newtorks, who own and operate the KaZaa P2P network were sued by the Australian Recording Industry Association for breaching copyright laws as a result of allowing illegal music to be shared and distributed through the KaZaa network. Sharman Networks claimed that the EULA stated that the program was not to be used for illegal activity, however the claim was dismissed on the grounds that the length and ambiguity of the agreement coupled with the fact that few users read it made the agreement inadmissable as a defence.
Nor can a contract possibly exist in the case of spyware installed by surreptitious means, such as in a drive-by download where the user receives no opportunity to either agree to or refuse the contract terms.
Some jurisdictions, including the U.S. states of Iowa [6] and Washington [7], have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software.
New York Attorney General Eliot Spitzer has pursued spyware companies for fraudulent installation of software. [9] In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to pay US$7.5 million and to stop distributing spyware. Intermix's spyware spread via drive-by download, and deliberately installed itself in ways that made it difficult to remove. [10]
Another spyware behaviour has attracted lawsuits: the replacement of Web advertisements. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court. Other spyware apart from Claria's also replaces advertisements, thus diverting revenue from the ad-bearing Web site to the spyware author.
One legal issue not yet pursued involves whether courts can hold advertisers responsible for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, the advertised company contracts with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies which have run their ads in spyware. [11]
Some spyware companies have threatened websites which have posted descriptions of their products. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing the Gator program as "spyware". [12] PC Pitstop settled, agreeing not to use the word "spyware", but continues to publish descriptions of the harmful behaviour of the Gator/Claria software. [8]
[edit]
Remedies and prevention
As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system.
Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data, and fully reinstalling the operating system.
[edit]
Anti-spyware programs
Lavasoft's Ad-Aware, one of a few reliable freeware anti-spyware programs, scans the hard drive of a clean Windows XP system.Many programmers and some commercial firms have released products designed to remove or block spyware. Steve Gibson's OptOut, mentioned above, pioneered a growing category. Programs such as Lavasoft's Ad-Aware SE and Patrick Kolla's Spybot - Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the GIANT AntiSpyware software, rebadging it as Windows AntiSpyware beta and releasing it as a free download for Windows XP, Windows 2000, and Windows 2003 users. In early spring, 2006, Microsoft renamed the beta software to Windows Defender, currently "beta 2." The renamed software for now exists as a time-limited beta test product that will expire (beta 1 in July 2006, and beta 2 in December, 2006). Microsoft has also announced that the product will ship (for free) with Windows Vista. Other well-known anti-spyware products include Webroot Spy Sweeper, PC Tools' Spyware Doctor, ParetoLogic's XoftSpy, and Sunbelt's CounterSpy (which uses a forked codebase from the GIANT Anti-Spyware product).
Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and now offers real-time protection from them (as it does for viruses).
Real-time protection blocks spyware in the process of installing itself. Here, Windows AntiSpyware blocks an instance of the AlwaysUpdateNews spyware.Anti-spyware programs can combat spyware in two ways:
real-time protection, which prevents the installation of spyware
detection and removal of spyware.
Writers of anti-spyware programs usually find detection and removal simpler, and many more programs have become available which do so. Such programs inspect the contents of the Windows registry, the operating system files, and installed programs, and remove files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings.
Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs. To date, other programs such as Ad-Aware and Windows AntiSpyware now combine the two approaches, while SpywareBlaster remains focused on real-time protection.
Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making "signatures" or "definitions" which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates gratis. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually. Not all programs rely on updated definitions. Some programs rely partly (for instance Windows Defender) or entirely (BillP's WinPatrol, and certainly others) on historical observation. They watch certain configuration parameters (such as the Windows registry or browser configuration) and report any change to the user, without judgment or recommendation. Their chief advantage is that they do not rely on updated definitions. Even with a subscription, a "critical mass" of other users have to have, and report a problem before the new definition is characterized and propagated. The disadvantage is that they can offer no guidance. The user is left to determine "what did I just do, and is this configuration change appropriate?"
If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware.
Malicious programmers have released a large number of fake anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware — or worse, may add more spyware of their own. [13] [14]
The recent proliferation of fake or spoofed antivirus products has occasioned some concern. Such products often bill themselves as antispyware, antivirus, or registry cleaners, and sometimes feature popups prompting users to install them.
Known offenders include:
SpyAxe
AntiVirus Gold
SpywareStrike
SpyFalcon
WorldAntiSpy
WinFixer
SpyTrooper
Spy Sheriff
SpyBan
SpyWiper
PAL Spyware Remover
Spyware Stormer
PSGuard
AlfaCleaner
On 2006-01-26, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product. [9]
[edit]
Virtual Machines
Using a virtual machine (such as a pre-built Browser Appliance for VMware Player) can inhibit infection by spyware, malware, and viruses. Virtual machines provide separate environments, so if spyware enters the virtual environment, the host computer remains unaffected. One can also use snapshots to remove one's private information, transporting the snapshot of the VM.
This environment resembles a sandbox. It has drawbacks in that it uses more memory (compared to a standalone browser) and it uses a lot of disk space.
[edit]
Security practices
To deter spyware, computer users have found a number of techniques useful in addition to installing anti-spyware software.
Many system operators install a web browser other than Microsoft's Internet Explorer (IE), such as Opera or Mozilla Firefox - though such web browsers have also suffered from some security vulnerabilities. Not a single browser ranks as safe, because in the case of spyware the security comes with the person who uses the browser.
Some Internet Service Providers — particularly colleges and universities — have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University's Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it. [15] Many other educational institutions have taken similar steps against Marketscore and other spyware. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users' behavior, and so may attract institutional attention more readily.
Some users install a large hosts file which prevents the users computer from connecting to known spyware related web addresses.
Main article: Hosts file
Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. Recently, CNet revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.
[edit]
Notable programs distributed with spyware
Messenger Plus! (only if you agree to install their "sponsor" program)
Bearshare [16]
Bonzi Buddy [17]
DAEMON Tools (only if you agree to install their "sponsor" program) [18]
DivX (except for the paid version, and the "standard" version without the encoder). DivX announced removal of GAIN software from version 5.2. [19]
Dope Wars [20]
ErrorGuard [21]
FlashGet (free version) [22]
Grokster [23]
Kazaa [24]
Morpheus [25]
RadLight [26]
WeatherBug [27]
Sony's Extended Copy Protection involved the installation of spyware from audio compact discs through autorun. This practice sparked considerable controversy when it was discovered (see 2005 Sony CD copy protection controversy).
[edit]
Notable programs formerly distributed with spyware
AOL Instant Messenger [28] (AOL Instant Messenger still packages Viewpoint Media Player)
EDonkey2000 [25]
LimeWire (all free Windows versions up to 3.9.3) [25]
WildTangent [28]
TROJAN HORSES
In the context of computer software, a Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from the classical myth of the Trojan Horse. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.
Often the term is shortened to simply trojan, even though this turns the adjective into a noun, reversing the myth (Greeks were gaining malicious access, not Trojans).
There are two common types of Trojan horses. One, is otherwise useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer to peer file sharing utilities. The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.
Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims. As such, if trojans replicate and even distribute themselves, each new victim must run the program/trojan. Therefore their virulence is of a different nature, depending on successful implementation of social engineering concepts rather than flaws in a computer system's security design or configuration.
Contents [hide]
1 Definition
2 Examples
2.1 Example of a simple Trojan horse
2.2 Example of a somewhat advanced Trojan horse
3 Types of Trojan horses
3.1 Time bombs and logic bombs
3.2 Droppers
4 Precautions against Trojan horses
5 Methods of Infection
6 Well-known trojan horses
7 See also
[edit]
Definition
A Trojan horse program has a useful and desired function, or at least it has the appearance of having such. Trojans use false and fake names to trick users into dismissing the processes. These strategies are often collectively termed social engineering. In most cases the program performs other, undesired functions, but not always. The useful, or seemingly useful, functions serve as camouflage for these undesired functions. A trojan is designed to operate with functions unknown to the victim. The kind of undesired functions are not part of the definition of a Trojan Horse; they can be of any kind, but typically they have malicious intent.
In practice, Trojan Horses in the wild often contain spying functions (such as a packet sniffer) or backdoor functions that allow a computer, unbeknownst to the owner, to be remotely controlled from the network, creating a "zombie computer". Because Trojan horses often have these harmful functions, there often arises the misunderstanding that such functions define a Trojan Horse.
In the context of Computer Security, the term 'Trojan horse' was first used in a seminal report edited/written by J. P Anderson (aka 'The Anderson Report', written approx. 1980) which credits Daniel Edwards for coinage.
The basic difference from computer viruses is: a Trojan horse is technically a normal computer program and does not possess the means to spread itself. Originally Trojan horses were not designed to spread themselves. They relied on fooling people to allow the program to perform actions that they would otherwise not have voluntarily performed.
Trojans and backdoors typically setup a hidden server, from which a hacker with a client can then log on to. They have become polymorphic, process injecting, prevention disabling, easy to use and therefore abuse.
Trojans of recent times also come as Computer Worm payloads. It is important to note that the defining characteristics of Trojans are that they require some user interaction, and cannot function entirely on their own nor can they self-propagate/replicate.
[edit]
Examples
[edit]
Example of a simple Trojan horse
A simple example of a trojan horse would be a program named "pr0n.jpg.exe" claiming to be a pornographic picture file from a website which, when run, instead begins erasing all the files on the computer.
[edit]
Example of a somewhat advanced Trojan horse
On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which entices the recipient into opening the file. The Trojan horse itself would typically be a Windows executable program file, and thus must have an executable filename extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is sometimes configured by default to hide filename extensions from a user, the Trojan horse's is an extension that might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file. Icons can also be chosen to imitate a different file type. When the recipient double-clicks on the attachment, the Trojan horse might superficially do what the user expects it to do (open a text file, for example), so as to keep the victim unaware of its unknown objectives. Meanwhile, it might discreetly modify or delete files, change the configuration of the computer, or even use the computer as a base from which to attack local or other networks - possibly joining many other similarly infected computers as part of a distributed denial-of-service attack.
[edit]
Types of Trojan horses
Trojan horses are almost always designed to do various harmful things, but could be harmless. Examples are
erasing or overwriting data on a computer.
encrypting files in a cryptoviral extortion attack.
corrupting files in a subtle way.
upload and download files.
spreading other malware, such as viruses. In this case the Trojan horse is called a 'dropper' or 'vector'.
setting up networks of zombie computers in order to launch DDoS attacks or send spam.
spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware).
make screenshots.
logging keystrokes to steal information such as passwords and credit card numbers (also known as a keylogger).
phish for bank or other account details, which can be used for criminal activities.
installing a backdoor on a computer system.
[edit]
Time bombs and logic bombs
"Time bombs" and "logic bombs" are types of trojan horses.
"Time bombs" activate on particular dates and/or times. "Logic bombs" activate on certain conditions met by the computer.
[edit]
Droppers
Droppers perform two tasks at once. A dropper performs a legitimate task but also installs a computer virus or a computer worm on a system or disk at the same time.
[edit]
Precautions against Trojan horses
Trojan horses can be protected against through end user awareness. If a user does not open unusual attachments that arrive unexpectedly, any unopened Trojan horses will not affect the computer. This is true even if you know the sender or recognize the source's address. Even if one expects an attachment, scanning it with updated antivirus software before opening it is prudent. Files downloaded from file-sharing services such as Kazaa or Gnutella are particularly suspicious, because (P2P) file-sharing services are regularly used to spread Trojan horse programs. Besides these sensible precautions, one can also install anti-trojan software, some of which are offered free.
[edit]
Methods of Infection
Infected Programs: The majority of trojan horse infections occur because the user was tricked into running an infected program. This is why you're not supposed to open unexpected attachments on emails -- the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a trojan or worm. The infected program doesn't have to arrive via email, though; it can be sent to you in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD or floppy disk. (Physical delivery is uncommon, but if you were the specific target of an attack, it would be a fairly reliable way to infect your computer.) Furthermore, an infected program could come from someone who sits down at your computer and loads it manually.
Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of trojans and other pests, because it contains numerous bugs, some of which improperly handle data (such as HTML or images) by executing it as a legitimate program. (Attackers who find such vulnerabilities can then specially craft a bit of malformed data so that it contains a valid program to do their bidding.) The more "features" a web browser has (for example ActiveX objects, and some older versions of Flash or Java), the higher your risk of having security holes that can be exploited by a trojan horse.
Email: If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly. The same vulnerabilities exist since Outlook allows email to contain HTML and images (and actually uses much of the same code to process these as Internet Explorer). Furthermore, an infected file can be included as an attachment. In some cases, an infected email will infect your system the moment it is opened in Outlook -- you don't even have to run the infected attachment.
For this reason, using Outlook lowers your security substantially.
Open ports: Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide filesharing capabilities such as Instant Messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above. These programs and services may open a network port giving attackers a means for interacting with these programs from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs, so they should be avoided or properly secured.
A firewall may be used to limit access to open ports. Firewalls are widely used in practice, and they help to mitigate the problem of remote trojan insertion via open ports, but they are not a totally impenetrable solution, either.
[edit]
Well-known trojan horses
Back Orifice
Back Orifice 2000
Beast Trojan
NetBus
SubSeven