The Many Faces of Spyware
If there's one
thing you should know about spyware, it's that
no two spyware programs are exactly alike.
However, many of them do share the same
characteristics, making it possible to
categorize the various spyware applications. To
help you understand the differences between the
various types of spyware, we are providing
descriptions of the different spyware
categories.
On TV there are commercials. On a computer, there is adware: programs that display advertisements for things unrelated to the site you are viewing.
Given this definition, it's not hard to
realize there is benign or even (arguably) good
adware. These programs manifest as advertising
blocks on certain websites that allow that
domain to be free for the host and/or the
service to be free for the user.
Some adware is just as benign, but its installation skirts an ethical borderline. These adware programs come bundled with other software but won't state their presence upfront. Sometimes the agreement to display ads will not appear in the download wizard, and sometimes it will only appear buried in the End User License Agreement (the long "I Accept" contract that few people read in full, if at all).
Finally, there is adware that is undoubtedly malware. This variety is installed unwittingly by a user or comes secretly bundled with another program. The secretive nature of this adware gets it categorized as a type of Trojan. These are the most notorious. They do things as invasive as hijacking browser windows and steering you to websites or homepages you never asked for. The best known of this type is the classic popup, an unrequested ad that flashes over other windows. Not only are these types of adware frustrating; because of the unscrupulous way they are installed, these programs often don't come alone and are accompanied by other forms of spyware that monitor your web use.
Backdoors are a particularly dangerous form of Trojan. Once a backdoor is installed on a computer, it allows another user (called a master) to monitor the actions of that computer as well as install a remote access utility. This is a utility that allows access to the computer, its files and commands, and thus the ability to control these things. Remote access is something that system administrators and technical support staff use legitimately to help set up and repair systems on your computer. Like people using a remote control, they can access your computer via a LAN or the Internet from across town or across the country. A backdoor allows a master to illegally monitor and even control your computer the same way without asking your permission. Consequently a master can
- view confidential information
- execute malicious code
- launch programs
- send / receive data via the Internet
- delete files and other data
- display notifications
- reboot the system
This means that a single backdoor can facilitate tasks which are usually accomplished by several smaller Trojans. And since masters do not want you to know they are there, they will often be discreet, stealing information without your knowledge. Since many backdoors are not visible in the list of active programs, they are hard to detect.
As their name implies, Browser Helper Objects (BHOs) assist a web browser (usually Windows Internet Explorer) in doing some specialized tasks. For example, the plug-in that allows IE to open an Adobe PDF is a BHO, as is the Google Toolbar for IE. But just as with most legitimate programs, illegitimate versions exist as well. Since BHOs have unrestricted access to the Internet Explorer event model, some malicious programmers have made malware that uses this feature to their advantage. Some BHOs, such as the MyWay Search Bar, would track user activities and then sell that information to third parties. More insidious BHOs are capable of installing Trojans that work in tandem. Download.ject was a famous attack that downloaded a keylogger onto the user's computer and then used a BHO to detect whenever the user accessed a secure site. With the keylogger the attackers could track keystrokes to determine what passwords were being entered.
A commercial RAT (Remote Administration Tool) is not always a bad thing, but when a commercial RAT product is used to remotely administer a user's computer without that user's consent or knowledge, it can turn into an ugly situation. If a commercial RAT program is installed on your system and controlled by an unscrupulous hacker, he or she can shut down programs, delete files and steal all of the information on your hard drive. Commercial RAT attacks may very well be one of the most dangerous spyware risks lurking on the Web.
Data miners are programs that collect data from your computer (such as email addresses, web searches, etc.) and then transmit the data to a third party. Some cookies are data miners, but many cookies are harmless. The cookies that act as data miners can be considered spyware applications.
Initially the word dialer referred to any program on a computer that allowed an analog dial-up modem to connect to a phone line. Such programs are necessary for all non-broadband Internet use. However, the word today usually refers to a specific type of fraud that uses a dialer to connect a user to a premium number (equivalent to a 1-900 number) at outrageous cost.
Sometimes the dialer will advertise access to
a multitude of special contents. These could
include illegal MP3 downloads, pornography, or
illegal hacking materials. The most insidious
dialer programs though, look for security holes
in the settings of a user's OS and change the
dial-up numbers to premium numbers without
telling the user. These unscrupulous dialer
dealers will often have agreements with these
premium sites to take a percentage of the
profit.
A downloader does exactly what its name implies. This program is the part of a Trojan that actually downloads the malicious software onto a user's computer. From there, the downloader either launches the malware or registers it with the local operating system so that it will run automatically at a specified time or after a specified action. Sometimes the locations and names of the malware being downloaded are sent from an unseen website, but sometimes they are actually encoded into the downloader itself.
Like all worms, an email worm is a self-propagating (self-replicating) program. This one, logically, is contracted via email. These are perhaps the most recognizable form of malware, since almost anyone with an email address has come across their fair share of bogus emails, many of which contain harmful programs. Not too long ago people began to be very concerned about opening email attachments. These worms were the reason. Like any malicious software, this worm is a program and can only function if it is executed, so it took an active gesture from a user, such as opening the attachment, to install itself on a computer. There are, however, some more complicated email worms that can install themselves by being laced into the HTML rendering of an email's body. Thus, just reading the email puts the user at some risk, especially if the email client (programs like Microsoft Outlook) had a preview pane that showed the email as soon as it was highlighted in the inbox. Fortunately, most modern email clients offer plain-text rendering of emails, which cannot harbor malicious code. Worm makers are wily though, and recently email worms have made a resurgence thanks to a process dubbed social engineering, a method that employs more trickery than coding muscle to get a user to install the worm. Scams such as phishing are particularly successful in getting unsuspecting users to divulge vital information and open themselves up to these worms. For the most part, email today is much safer than it used to be, but good rules of caution are still needed. Don't open attachments from people or organizations you do not know, and be wary of official-looking emails that ask for vital information (such as account numbers or credit card numbers). No reputable organization ever asks for these via email, only on their secure sites. And remember, when in doubt, pick up the phone and ask.
A firewall killer is a malware program designed to disable a PC's firewall security. In addition to disabling firewalls, these programs are also known to disable anti-virus and anti-spyware programs, and some even have the ability to delete anti-spyware and anti-virus definitions. In some instances, a user can tell that a firewall killer has affected their system because the security programs will appear disabled; however, some firewall killers have advanced to the point where they can completely disarm a computer's security while making it appear that the firewall and other security programs are still fully operational. Because of this, the only way to ensure the absence of a firewall killer is with advanced anti-malware technology.
A flooder can be an Internet nightmare. These
programs transmit damaging amounts of data to
networks in hopes of overloading and crashing
the Internet connection.
Browser hijackers are another type of spyware
that you need to concern yourself with. These
programs can hijack and change your Internet
settings such as your homepage and your search
page. If your homepage has ever changed without
you initiating it, you have been the victim of a
browser hijacking.
A keylogger is a program installed on a user's computer that logs the keystrokes that user enters. Obviously these keystrokes can be read by a third party and can divulge passwords, credit card numbers or even vital information such as Social Security Numbers.
Most keyloggers are bundled with other malware and can be among the programs installed by Trojan-Downloaders or Trojan-Droppers. Since a keylogger is certainly something a malware programmer wouldn't want you to know about, it is classified as a Trojan as well.
Malware is perhaps the most inclusive label for all malicious software. From the Latin malus, mala, which literally means bad, evil, or wrong, the name refers to any type of program that is designed to damage other software or functions without the user's consent. Hence viruses, worms, Trojans, backdoors, rootkits, logic bombs, etc. all fit under this category. In addition, programs that are not malicious in themselves but aid in the creation of malicious software are also considered malware, since they indirectly accomplish the same thing.
"P2P" stands for "Peer to Peer" and P2P
networks are what many computer users use to
share files and programs. Unfortunately, while
P2P networks offer consumers the ability to
share programs and files with each other, there
are also an unfathomable number of spyware and
malware programs bundled into the downloads
found on these networks. From viruses to
keyloggers, P2P users have found themselves
victim to many spyware attacks after a
seemingly-innocent download experience.
Potentially Unwanted Applications
Potentially Unwanted Applications (PUAs) are
applications that have no known risks to your
computer, but are generally included as bundles
with popular applications and sometimes new
computers.
Rogue anti-spyware is exactly what it sounds like: "anti-spyware" programs gone bad. Some rogue anti-spyware programs are simply anti-spyware products that just don't work like they should, while other rogue anti-spyware programs are more ominous in nature and actually act as spyware on the systems they are supposed to be protecting. Because it's hard to tell rogue anti-spyware from the real thing, it's critical that you only download and use trusted anti-spyware products.
A rootkit is a series of programs used by
hackers to cover the fact that they are
manipulating files in the system. The term
derives from a method used to attack Unix
servers. In order to achieve administrative
access, hackers would gain access to a
lower-level user account (either through a
cracked password or other vulnerability) and
then collect privileges until they achieved root
(administrative) rights. The kit itself is a set
of smaller programs designed to put up a
smokescreen while hackers work. By installing a
kernel module or replacing system files or
system libraries, they can make it seem as if
nothing is wrong. Nowadays, this smokescreen is
used on Windows based systems as well. The
process is made easier since most Windows users
have administrative accounts on their home
computers. And even though administrative access
is not called root access on Windows systems,
the method of infection is the same so the name
has carried over.
Spyware is a term that encompasses a broad
range of undesirable programs that may infect
your computer. If a program invades your privacy
by allowing someone else to eavesdrop on your
computer activity, it falls into the Spyware
category. Some examples of Spyware include
keyloggers and tracking cookies. Almost every
single computer connected to the Web has been or
will be attacked by Spyware of some form. The
only way to protect yourself and your privacy is
to run a comprehensive anti-spyware program on
your system at all times.
It is a frequent misconception that a cookie
is a program. It is not and therefore is
incapable of executing any actions, malicious or
otherwise. A cookie is a simple pack of data,
often a simple text file, that a server sends to
a user's browser and that the browser then sends
back to the server when that server is accessed.
What that means is that certain servers can
store a cookie on your computer and when you
return to their website, it will recognize you
and welcome you to your Homepage. Deleting the
cookie does not hurt your computer. It only
means that the website doesn't recognize you.
So what's the big deal? Potentially a cookie can aid in the tracking of web activity. These so-called tracking cookies may monitor your presence not at one site but at multiple sites, and how often you visit them. If malicious web hosts want to target advertising at you personally, they will probably use cookies to figure out what you look at. Also, by monitoring the web sites you visit, cookies can tell these hosts things such as where you bank and shop.
Removing cookies never hurts as they can be
resent, but the majority of cookies are
harmless. However disabling cookies in your
browser can cause many legitimate web sites to
work incorrectly as many shopping carts rely on
cookies to keep track of what's in your cart and
what you've updated.
Trojan horses are most commonly referred to as Trojans and are a type of malware categorized by their secrecy in installation. Believe it or not, many viruses used to announce their presence, damaging files or interrupting system functionality with boldness. Today, the multitude of malware programmers want to not be seen or heard. The ideal is that they can spy on you, monitor your web activity, snoop in your vital information, steal account numbers and hijack system operations without your ever knowing it.
Like Odysseus' strategy to conquer Troy by
building a giant horse, filling it with
soldiers, and then presenting it as a gift to
the king, a malicious Trojan invades through
secrecy. These are programs that have many
variations but all of which intend to do
malicious activity on your computer without your
being any the wiser. Most often Trojan writers
accomplish this by bundling their software to
other legitimate programs that a user installs
without ever realizing there are armed enemies
inside.
Trojan-Clickers are a family of Trojans that redirect an infected computer to some location on the Internet, usually a specified web site. They can do this in two ways. One is by sending direct commands to the Internet browser (programs like Internet Explorer or Netscape) and telling it where to go. The other is by replacing certain system files where URLs are stored, such as the hosts file. The reasons why Trojan-Clickers are used can range from benign (the desire to raise a web site's hit count for advertising purposes) to malicious (the desire to organize a DoS attack on a particular website or server) to subversive (the desire to lead the victim machine to a website that will then infect it with more malware).
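As an added illustration of the hosts-file trick just described (this is example code, not part of the original page), here is a small Python audit that parses a hosts file and reports names that have been redirected to a routable address or blackholed to loopback. The sample hosts content and the .test domain names in it are constructed for the example.

```python
"""Audit a hosts file for Trojan-Clicker style redirections (added example)."""
import ipaddress
import os

# Standard names shipped in a clean hosts file; these are never reported.
SKIP_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
              "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text):
    """Return (line_no, ip, [names]) tuples, ignoring blank lines and # comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not body:
            continue
        fields = body.split()
        entries.append((line_no, fields[0], fields[1:]))
    return entries


def audit_hosts(text):
    """Return (line_no, kind, name, ip) for every suspicious mapping.

    "redirect": a name is sent to a routable address, which is how a clicker
                steers the browser to a site of its choosing.
    "sinkhole": a non-localhost name is blackholed to 0.0.0.0 or loopback,
                silently breaking access to that host.
    "invalid":  the address field does not parse as an IP address at all.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, "invalid", " ".join(names), ip))
            continue
        for name in names:
            if name.lower() in SKIP_NAMES:
                continue
            blackholed = addr.is_loopback or addr.is_unspecified
            findings.append((line_no, "sinkhole" if blackholed else "redirect", name, ip))
    return findings


# Constructed sample, not a real hosts file; .test names are reserved for examples.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.0.2.10      www.example-bank.test   # planted by a clicker: bank name -> attacker IP
0.0.0.0         update.example-av.test  # vendor update host blackholed
"""

# Location of the real hosts file on Windows and on Unix-like systems.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt" else "/etc/hosts"

if __name__ == "__main__":
    try:
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"could not read {HOSTS_PATH} ({exc}); auditing the built-in sample instead")
        text = SAMPLE_HOSTS
    for line_no, kind, name, ip in audit_hosts(text):
        print(f"line {line_no}: {kind:8} {name} -> {ip}")
```

Intranet entries and ad-blocking lists legitimately produce "redirect" and "sinkhole" findings, so treat the output as a triage list and add the names you placed yourself to SKIP_NAMES.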
Trojan-Droppers are a family of Trojans designed to install malicious software on a user's computer without being detected. The name comes from the program's ability to drop one or many payloads (usually other Trojans) into various files while the user is unaware. Sometimes the Trojan-Dropper will do this without any notification, and sometimes it will display a false error message about an archived file or the operating system. This serves to distract users and make them think that, if the computer is acting strangely, it's a glitch in the software or OS. The dropper itself has all of the code necessary to install and execute the smaller programs that it drops. These Trojans are also notorious for including at least one hoax payload. This is a benign and often functioning media application, such as a joke generator, music file, video file, graphic or even a game. These too distract users and make them think that the file they downloaded is legitimate, when really it's a mask for malware that can be redirecting browsers, launching popups or gathering vital data. Furthermore, because of the hoax payload, the hackers can successfully fool some spyware detectors, making them overlook hidden files in the belief that they're harmless.
Trojan-Proxies are a family of Trojans that install themselves as proxy servers on victim computers and allow anonymous access to the Internet. Spammers often use Trojan-Proxies to help propagate their junk email. Spammers won't use their own bandwidth when they can use yours and potentially that of your email contacts. The proxy server turns your computer into a launching platform for Internet material, usually email. Today it's a fairly common practice for coders to infect many machines with Trojan-Proxies and then sell the proxy access to unscrupulous spamming agencies. Not only is this attack an invasion of privacy and a nuisance to your email contacts, it also has the potential to involve your computer in malicious, or even illegal, activity.
Perhaps the most well known and popularized form of malware, the virus is code that carries out malicious intent on a victim machine. Usually a virus's general objective is to infiltrate vital resources, exposing vital data to theft or attack, or to execute a specified program once the user performs a specific sequence of actions. A virus differs from a worm in that it does not propagate on its own via a LAN or the Internet. Instead it is usually an infection of a host program, file or disk. Viruses can only activate if a user (wittingly or unwittingly) accesses the infected material and launches the malicious code. Hence viruses usually spread by
- being launched from an infected file on a network resource accessed by other users
- being launched from an infected email attachment
- being launched from infected storage media (such as a floppy disk, CD, or flash drive).
Worms are malicious programs that propagate themselves via the Internet and LANs. Unlike a virus, a worm does not have to infect a host program. Hence any legitimate programs that carry worms aren't necessarily compromised by them and can work independently. As a result, worms can spread easily by means of email attachments, instant message attachments, FTP file shares and P2P file shares. This is why P2P resources such as Kazaa or LimeWire are so potentially dangerous. But all of these methods convey media that can potentially harbor worms. As their name suggests, these parasites are best categorized by their tendency to reproduce themselves rapidly, frequently, and in multiple locations. This makes them more difficult for removal programs to find and remove. Once they have spread to as many computers as possible, they do a variety of tasks that include opening up vital data to theft, launching popups and other advertising (adware), hijacking browsers, and spying on user activities (spyware).
The only way to ensure that you are protected from these various spyware threats is through the use of a comprehensive anti-spyware product like AntiSpyware 2009. Install AntiSpyware 2009 right now to see exactly which spyware threats you are already infected with and to reduce your risk of future infestations.

Supplementary Resources
- Anti Virus Rants
- Kaspersky's Viruslist.com - General Malware Types
- Kaspersky's Viruslist.com - Specific Malware Types