Along Came a Spyware

from the June 2003 Newsletter
by Rob Zorn

Many experts are now saying that spyware (also known as adware) is the next scourge of the Internet. It's the "next frontier of nastiness," according to Marquis Grove of Security News Portal, an online security news site. Awareness about spam and viruses is higher these days than it has ever been, and the amount of filtering and anti-virus software now in use is having a positive impact on these problems.

What people are not all that aware of is the recent increase in the number of sneaky little programs that find their way onto your computer and report information about you and your surfing habits back to some corporation or coterie of market analysts somewhere. This is exactly what spyware is and does. Basically, spyware is any software that uses your internet connection without your knowledge or clear permission to send information across the net. Sometimes these "marketers" just collect information to build statistical overviews of net use for their own development projects. While this may not do you any direct harm, it is still information theft and it's hard to think of a situation where one could feel comfortable with this process.

In other cases, and this is the type that seems to be on the rise, information about you is analysed to better know what pop-up ads are best to send your way. The spyware program will update itself with pop-up ads specially designed for you and the sort of things your surfing habits reveal you to be interested in, and can even fling these up at you at times when you're not online! Spyware can also play with your settings. In some cases it can disable your Zone Alarm firewall, and it is frequently responsible for changing the default homepage setting in your browser and repeatedly changing it back no matter how many times you try and correct the problem yourself. Sometimes the spyware even captures and records your keystrokes!

By using your connection to make its "calls home," of course, the spyware is also slowing down your normal surfing. Imagine the effect upon your Internet speed if you have several of these nasties operating in stealth mode each time you are online.  

This sort of problem certainly seems to be increasing. In the last few weeks a number of customers have contacted me about problems with pop-ups or homepage setting changes, and in each case, getting rid of the spyware solved the problem. According to a December 2002 report from research firm GartnerG2, more than 20 million people now have spyware tangling up their machines.

How does one become infected with Spyware?

[Image: Want to download some "wonderful" software?]
[Image: The Gator EULA]

Most commonly, spyware comes bundled with other software that is, or appears to be, more legitimate. Some famous examples include Real Networks, who make Real Player and, according to Steve Gibson of Gibson Research Corporation, were "reportedly caught red-handed secretly profiling their users' listening habits." Another recent example is the popular Kazaa peer-to-peer program used by millions around the world to share MP3s. An article from the Contra Costa Times by Doug Bedell describes how Kazaa partnered with Brilliant Digital, a software company which provided the spyware program that is quietly installed with Kazaa. It's quite alarming when you consider that over 60 million people around the world have installed Kazaa. Maybe you or someone who uses your computer has even installed it on your computer!

It has to be said, though, that in almost all cases, spyware makes it onto your computer with your unwitting permission. You'll be surfing away, intent on viewing whatever you're after, or finding some piece of information you need. Suddenly a box pops up like the one pictured here asking whether you want to download and install some "wonderful little piece of software." Usually, the product will look quite inviting - an enhancement to your computer's clock, or something that will supposedly speed up your connection, or whatever. Sometimes the box pretends to be offering you a software enhancement that will allow you to view their web site better. I suspect this is often the online equivalent of the "impulse buy." You decide the offer sounds pretty good, and it's free after all, so you go ahead and download it.

As the product starts to install itself, it will usually present you with what's known as a EULA - or End User License Agreement. EULAs are basically the fine print, and most people don't bother to read them very carefully. One even suspects they are often deliberately written in a lengthy manner that is difficult to decipher just so that people will give up before they spot what they're really about to agree to. Once you've clicked that you accept the EULA, the program installs, and begins reporting the sorts of things you do online back to its mother ship. In almost all cases, people infected with this sort of spyware don't even realise this is happening.

One of the most famous of these sorts of outfits is Gator. You can read their website where they explain exactly what they do at www.gator.com. They're quite open about it and because of this, they are doing nothing illegal. However, it is doubtful that many people really understand that Gator will use their Internet connection to report on their online movements. All it takes is for this sort of thing to happen a few times, and suddenly you find that your Internet connection is slow as a week full of exams. No wonder! Your Internet connection is being used up by all the spyware you have installed.

Another "helpful" thing that spyware may do is pop ads up at you all the time. Again, Gator represents a great example. At their web site you can read about why your company should choose to advertise via their services. It's because their software tracks what sorts of sites each consumer goes to, and then throws ads at them that are tailored to their interests. The spyware continually updates itself with a store of pop-up ads (again using your connection speed and time) and can even throw these up at you while you're offline! No wonder so many people are complaining about pop-up ads these days!

There are other types of spyware, of course. Eblaster, for example, is specifically designed for snooping on your children or spouse. It copies to you any e-mails sent, and all of the keystrokes of your target. Of course that sort of software has its uses, but is also open to a lot of abuse. It's not really the sort of thing we're discussing here though, as it is deliberately installed by somebody in full knowledge.

How does one know whether or not they've been infected?

There are, of course, the telltale signs as mentioned above. Is your computer running like a dog? Is your connection really slow these days yet you can remember a time when it was a lot faster? Are you suffering from a more ridiculous amount of pop-up ads than usual? Note here that many web sites employ pop-ups. Just because you get a few here and there doesn't mean your computer has become infested with spyware. If an ad pops up at you while you are offline, though, you almost certainly do have some spyware conducting its nefarious business behind the scenes.

By far the best way to tell, though, is to run a spyware removal tool. These won't do any harm if your machine is clean, and if you are infected, the removal tool will usually report back what it found and what it removed for you.

Using Spyware Removal Tools

There are several spyware removal tools available, and a couple are even free. Spybot Search and Destroy is available for free download at http://security.kolla.de/ and gets pretty good media reviews. The writer wants nothing more than that you say a prayer for him and his girlfriend, though there is a EULA to read and agree to before you run the program. As EULAs go, though, it is short, easy to follow, and fair.

It would be a good idea to read the quick tutorial once you have downloaded and installed Spybot Search and Destroy (roughly 3.5 MB in size). Open the program, click the Check for Problems button, and you're away. Spybot will search your system for almost 6000 pieces of spyware. It will then report all that it found in a list. The list is pretty good. You can click on each item to see what the piece of spyware is, who made it, and what it is designed to do.

Click the Fix Selected Problems button, and it will go and take care of as many of the problems as it can for you. Note that you may need to restart before it can finish getting rid of them all. An update button also features when you first start the program so you can get the latest spyware definitions just like with an anti-virus program. It is recommended that you run Spybot Search and Destroy once per week, and update it before you do.

One thing I really liked about Spybot Search and Destroy was its nifty little "immunise" feature that purports to block your machine from being infected by 185 possible future intrusions. However, as yet I am not able to test how effective this process is.

Ad-aware is another free spyware removal program that gets good media reviews. This program's homepage is at http://lavasoft.element5.com/software/adaware/ and you can find download links at nearby locations there too. The program is smaller (just under 1.5MB) and sleeker in its design. Again the install procedure asks you to agree to a EULA, and again, the EULA appears to be reasonable and fair. This one has a Scan Now button over to the left. Click that and you'll be asked to specify the drives if you don't want to go with the default settings (and default settings are probably fine). Once it has done its work it will present you with a list very similar to the one produced by Spybot Search and Destroy. You then click the Quarantine and Fix button, and off it goes cleaning your system of spyware. Ad-aware is less forthcoming with information about the nasties it has found than Spybot Search and Destroy.

I was reasonably impressed with both programs and am reluctant to recommend one over the other. Each seemed to find stuff that the other didn't, and between the two of them, all spyware was removed from my system (and most of what was there just consisted of tracking cookies). I guess the best thing to do would be to start with one of them. If it does a reasonable job, then fine. If it says it can't remove some things (and each program admits that it may present you with the occasional false alarm) then try the other one. If I had to go with one, I'd probably suggest Ad-aware but really only because it is less of a download and because I found its aesthetic look and feel to be so pleasing.

I would seriously recommend that customers run one of these programs. I think many will be surprised at what is found on their machines. By all reports, these programs are trustworthy and pretty effective, but, of course, I have to put a disclaimer in here too. Advice is given in good faith and with best intentions, but you install and run software at your own risk.

If you'd like to read more about spyware, here are a couple of helpful articles:

Check Your Viral Load for Bugs by Michelle Delio

Popular Software May be Monitoring Your Habits by Doug Bedell