PART 1 INTERNET SECURITY 22 CHAPTER 3 How Spyware and Anti-Spyware Work

Sample chapter source: ptgmedia.pearsoncmg.com/images/9780789735539/samplechapter/07897355…


THESE days, the biggest danger you face when you go onto the Internet might be spyware—a type of malicious software that can invade your privacy and wreak havoc on your PC. Spyware is a relatively new phenomenon; it does not have a long history as do viruses, Trojans, and worms.

Spyware is an umbrella name for many types of malicious programs, but these kinds of programs have several things in common. First, all of them, one way or another, spy on your behavior. They may watch which web pages you visit and report that information to a server or person, or they might track your web searches. They may even allow people to record every keystroke you make or open a back door into your computer so hackers can later take control of your PC when they want.

The second thing they have in common is that they install either without your knowledge or by tricking you. One common way they get on your PC is when you install a piece of software, such as file-sharing software. When you install that software, spyware often comes along for a ride and installs itself without your knowledge or misleads you about what the program actually does.

Although some spyware is created for purely malicious reasons, other kinds are created as part of money-making schemes. One kind of spyware swarms your PC with dozens of pop-up ads, some of which you’ll most likely click to close. But every time you click, the spyware purveyor makes money because he has a business arrangement with a merchant or website to drive traffic to it.

There is a fine line between spyware and what is called adware. They work similarly, but with adware, you download a piece of software that you can use for free, such as a weather program. In return, the adware watches your surfing habits and sends that information to a server, which then delivers ads to you based on your behavior. The ads are displayed only inside the weather program and don’t appear when you don’t use it. Spyware, by way of contrast, watches you all the time and displays ads whenever you surf the Web or are connected to the Internet.

Spyware can do more than just spy on you. It can do damage to your computer as well. Some spyware inundates your computer with blizzards of pop-up ads—in some instances so many that it takes away all your system resources and your PC grinds to a halt. This makes your computer unusable.

Because there is money to be made from surfing, spyware isn’t going away any time soon. But as you’ll see in this chapter, anti-spyware can combat it, so there are ways to keep yourself safe and protect your privacy.

How Spyware Invades Your PC

1. Spyware sits in the background of your computer, watches which websites you visit, and then reports on your activities. Based on those activities, targeted ads are delivered to you. But first, the spyware has to get onto your computer. Often, you get spyware by downloading a free program or clicking a pop-up ad. Spyware comes along for the ride without you knowing it. When you install the program you’ve chosen, spyware is installed as well, without your knowledge.

2. Spyware often runs whenever you turn on your computer, even when the program upon which it rides is not running. It watches your web activities and tracks every website you visit.

3. At regular intervals, the spyware phones home, reporting to the spyware website which sites you’ve visited.

4. Based on the sites you’ve visited, the spyware website creates a profile about your surfing activities.

5. Based on that profile, the website delivers targeted ads to you. The ads appear whenever you run the program on which the spyware piggybacked onto your system. When you delete the program on which the spyware piggybacked onto your system, the spyware typically does not get deleted. It keeps watching your surfing activities and reporting on them, although it can’t deliver ads based on that information because the program on which it was piggybacked has been deleted. To delete the spyware, you need a special spyware detector and killer, such as Ad-Aware from www.lavasoft.com.

How Spyware Morphs Itself to Escape Detection

1. One of the most insidious kinds of spyware is polymorphic spyware, which uses a variety of tactics to evade detection and removal, including the ability to constantly change its filename and location.

2. Cool Web Search and About:Blank are two home page–hijacking pieces of shareware that morph and use other techniques to evade detection and deletion. Programs like these can install themselves to multiple locations on a hard disk.

3. When a piece of anti-spyware detects and kills the files in one of the locations, the spyware spawns a new copy of itself at another location and runs from there.

4. In some instances, the spyware can inject itself into a process running on a PC. When the main spyware program is deleted, the copy that has injected itself into a process spawns another copy of itself.

5. Some of the spyware runs silently in the background, doing no damage. However, it spawns a program that does the actual damage. Anti-spyware detects the program doing the damage but not the silent spyware. The silent spyware then spawns a new destructive program, with a different filename and different size so it is not recognizable.

6. Some spyware hides itself by burrowing into your computer’s Registry, which contains basic instructions for how your computer should work. It is able to hide those entries—not only from anti-spyware programs, but also from Registry editors that can normally see everything in the Registry. In this way, it cannot be seen or detected.

How Spyware Invades Your Privacy

1. There are many different types of spyware that invade your privacy in many different ways. One type monitors all your surfing habits and reports on those habits to a server on the Internet. That server may deliver ads to you based on your surfing habits, or it could sell the information to other companies.

2. A particularly privacy-invading type of spyware is called a keylogger. (For more information about keyloggers, see “How Keyloggers Work,” later in this chapter.) Keyloggers record every keystroke you make and send that information to a hacker, who can then steal all your passwords, logins, and other information.

3. Some spyware installs other malicious software on your system. For example, some spyware installs a Trojan on your PC, which allows a hacker to take complete control of your PC and files as if she were sitting at the keyboard. (For more details about Trojans, see Chapter 7, “How Zombies and Trojan Horses Attack You—and How to Protect Against Them.”)

4. Some spyware monitors your Internet searching activity and reports that activity to servers, which can then keep track of your interests and deliver ads to you based on them or create profiles of you and sell that information to other companies.

5. Spyware is not only a danger to individuals—it can be extremely dangerous for corporations as well. Spyware can crawl into an individual’s computer and then infect all the other computers and servers on a corporate network, gathering not only personal information, but also corporate information.

How Home Page and Search Page Hijackers Work

1. Home page hijackers and search page hijackers infect your computer in the same way that any spyware does, such as by downloading a file, with the hijacker coming along for the ride.

2. A home page hijacker changes your browser’s start page so that whenever you launch your browser, you go to the new start page rather than to the one you want.

3. Typically, the new home page you go to includes many pop-up ads and may inundate your PC with so many ads that your system becomes unstable and unusable. The hijacker makes money because he is paid to deliver pop-up ads, so the more ads he can deliver, the more he is paid.

4. A search page hijacker changes your normal search engine to a new one. When you do a search from your browser, that search is sent to the new search engine, not to your normal one. The search engine often delivers pop-ups in the same way as a home page hijacker does. Some home page hijackers intercept every search you perform. For example, if you visit Google and do a search there, the hijacker sends the search to the new search engine, not Google, and then inundates you with pop-ups.

5. Some home page hijackers and search page hijackers are very difficult to eradicate. When you change your browser settings to go back to your normal search and home page, they might change them back again. They can do this by putting themselves in your startup folder and starting up every time you turn on your PC.

6. Some home page hijackers and search page hijackers disguise themselves as browser add-ins (called browser helper objects [BHOs]) or toolbars. So you think that the toolbar is performing a useful function, but in fact, it is hijacking your home page and search page.

How Dialers Work

1. A spyware dialer is installed in the same way as other pieces of spyware are—for example, when you download a free piece of software or click a pop-up ad.

2. The dialer looks into the system and checks for the presence of a modem connected to the phone network.

3. When it finds a modem connected to a phone network, it surreptitiously dials a 900 phone number, which charges $4 or more per minute. It keeps the call connected for at least 10 minutes—running up a $40 bill for a single phone call. In some instances, the dialer alerts you that it is dialing but does not say that it is dialing a 900 number and only says it is dialing to provide you with a unique service.

4. Even if you see that the dialer is calling a phone number and click the Cancel button, the call goes through anyway.

5. You then receive a telecommunications bill for the cost of the dialing and have to fight against the bill to try to prove that you didn’t make the call.

6. Because people are increasingly connecting to the Internet via DSL or cable modem lines via Ethernet cables, dialers are not as common as they used to be. A dialer cannot make calls via Ethernet cables over a DSL or cable modem connection.

How Keyloggers Work

1. A keylogger is installed in the same way as other pieces of spyware are—for example, when you download a free piece of software or click a pop-up ad.

2. A keylogger is often installed in two parts: a .exe file and a .dll file. When the computer starts, the .exe file automatically launches. The .exe file then launches the .dll file, which does most of the work.

3. The .dll file sits silently in the background, recording all the keystrokes you make.

4. In some instances, the keystrokes are sent directly to an attacker.

5. In other instances, the keystrokes are saved in a file that is sent at regular intervals to the attacker.

6. The attacker examines the keystrokes, looking for passwords, logins, and other information she can use—for example, to log in to your bank to steal money or to steal your identity.

How Rootkits Work

1. A rootkit allows an intruder to gain access to someone’s PC whenever he wants, without being detected. It is made up of a series of files and tools. It can be installed on a system in a number of ways, sometimes in the same way that shareware is installed. In the most notorious instance of a rootkit, Sony surreptitiously installed rootkits on tens of thousands or more computers by shipping it as part of software that installed on people’s PCs when they put a Sony music CD into their PC’s drive.

2. A rootkit can replace important components of an operating system with new software. The new software disguises itself as the original files, including the same file size, creation date, and so on, making it extremely difficult to detect.

3. A rootkit installs a backdoor daemon, or automatic program. This backdoor opens a hole in the system, allowing the rootkit creator to crawl in and take control of the PC whenever he wants.

4. Many rootkits also install keyloggers or sniffers that record all the keystrokes you make and send that to a hacker. (For more information about keyloggers, see the illustration “How Keyloggers Work.”)

5. A rootkit can modify a computer’s system log that tracks all the activity on a PC. The system log normally includes all activity, including malicious activity, so the rootkit modifies the log to hide all traces of itself.
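Two of the rootkit tricks above (steps 2 and 5) have a standard defensive answer: a content hash catches a swapped component even when its size and date are copied, and a hash-chained log shows when an entry has been removed. The following is an added example in Python, not code from the book; the files, the log entries and the HMAC key are all constructed in memory, and in practice the key and the latest tag would be held off the monitored host.

```python
import hashlib
import hmac

# ---- 1. File integrity baseline -----------------------------------------
# A file is modelled as (mtime, content); its size is len(content). A rootkit
# that replaces a component can copy the mtime and pad to the same size, so
# a size/date inventory sees nothing. The content hash cannot be faked that way.

def fingerprint(record):
    mtime, content = record
    return (len(content), mtime, hashlib.sha256(content).hexdigest())

def build_baseline(files):
    """Take fingerprints while the system is still trusted."""
    return {path: fingerprint(rec) for path, rec in files.items()}

def check_files(baseline, files):
    """Compare a later snapshot with the baseline.

    Returns what a hash check flags and, separately, what a size/date-only
    check would have flagged, so the gap between the two is visible.
    """
    by_hash, by_size_date = [], []
    for path, (size0, mtime0, digest0) in baseline.items():
        if path not in files:
            by_hash.append(path)          # component removed outright
            continue
        size, mtime, digest = fingerprint(files[path])
        if digest != digest0:
            by_hash.append(path)
        if (size, mtime) != (size0, mtime0):
            by_size_date.append(path)
    return {"by_hash": by_hash, "by_size_date": by_size_date}

# ---- 2. Tamper-evident system log ---------------------------------------
# Each entry's tag is an HMAC over (previous tag || entry). Deleting or
# editing an entry breaks every tag from that point on, so a log that has
# been "cleaned" no longer verifies. The key must live where the compromised
# host cannot read it (a log server, an HSM); here it is a constructed
# constant so the example runs stand-alone.

LOG_KEY = b"constructed-demo-key"   # placeholder, not a real secret
GENESIS = "0" * 64

def tag_entry(prev_tag, entry):
    return hmac.new(LOG_KEY, (prev_tag + entry).encode(), hashlib.sha256).hexdigest()

def chain_log(entries):
    """Return [(entry, tag)] with each tag chained to the one before it."""
    chain, prev = [], GENESIS
    for entry in entries:
        prev = tag_entry(prev, entry)
        chain.append((entry, prev))
    return chain

def verify_chain(chain):
    """Index of the first entry whose tag does not verify, or -1 if intact."""
    prev = GENESIS
    for i, (entry, tag) in enumerate(chain):
        if not hmac.compare_digest(tag, tag_entry(prev, entry)):
            return i
        prev = tag
    return -1

def demo():
    """Run both checks on constructed data and return the findings."""
    trusted = {
        "/bin/ls": (1700000000, b"original ls binary"),
        "/bin/ps": (1700000000, b"original ps binary"),
    }
    baseline = build_baseline(trusted)
    # Rootkit swaps ps for a same-length replacement with the same mtime.
    compromised = dict(trusted)
    compromised["/bin/ps"] = (1700000000, b"trojaned ps binary")

    log = chain_log([
        "boot ok",
        "login from console",
        "new service installed: demo-svc",   # the entry the rootkit wants gone
        "login from console",
    ])
    cleaned = log[:2] + log[3:]              # rootkit deletes entry 2
    return {
        "file_alerts": check_files(baseline, compromised),
        "intact": verify_chain(log),
        "after_deletion": verify_chain(cleaned),
    }

if __name__ == "__main__":
    print(demo())
```

Note the limit of the chain on its own: cutting entries off the tail leaves a valid prefix, so the verifier also needs the most recent tag recorded somewhere the host cannot alter.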

Following the Spyware Money Trail

1. Many types of spyware make money for spyware creators or users in many different ways. This illustration shows how a lot of spyware has a money trail that includes reputable, well-known websites and merchants.

2. Much spyware is intended to make money from affiliate programs, in which any user can sign up to make money by delivering ads for the site or merchant. First, someone who wants to make money from spyware signs up for an affiliate program with a website or merchant. The person gets a code that identifies him, so he can be paid for every link or click to the merchant.

3. Some merchants monitor those who sign up for their affiliate programs, but many do not. Those wanting to make money from spyware look for merchants who do not do a good job of policing their affiliate programs.

4. Those wanting to make money from spyware are often not spyware authors. Instead, they make a deal with a spyware author in which spyware will include links to the person’s affiliate program ID. The spyware author shares the money from the program with the person looking to make money from spyware.

5. The person puts the spyware on his website or distributes it in some other way.

6. Someone downloads spyware. The spyware includes links and pop-up ads that link to the merchant—and those links and ads include the person’s affiliate ID.

7. The merchant counts the links or clicks associated with the affiliate ID and pays the person the amount he is due.

8. The person splits the revenue with the spyware author.

How Anti-Spyware Works

1. Anti-spyware scans a system in search of bits of code called signatures that are telltale signs of a spyware infection.

2. When the anti-spyware finds what it believes is a signature, it compares it to its database of signatures, called a signature base. If it finds a match, it knows there is a spyware infection.

3. New spyware is being released all the time, and existing spyware is often updated. To ensure that it can catch all the latest infections, anti-spyware regularly downloads the latest, updated signatures. In some instances, particular pieces of spyware don’t leave telltale signatures. In other instances, spyware constantly morphs, making detection difficult. So some anti-spyware doesn’t search only for signatures, but looks for telltale suspicious behavior as well.

4. When it identifies a piece of spyware, it deletes it. Deleting spyware can be a complex task, requiring the deletion of many files in many directories, making changes to the Registry, and so on. Because of that, not all anti-spyware can delete all the spyware it finds. In some instances, you need to download a specific program to kill a specific piece of spyware.

5. Anti-spyware also includes real-time protection. It sits in memory and watches for signs that spyware is being installed to the PC or that a home page or search page is being hijacked. It won’t allow the spyware to be installed or the hijacking to take place.
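Steps 1 to 3 above, worked through as an added Python example (not code from the book or from any anti-spyware product): a signature base holding both exact file hashes and code-fragment patterns, a signature update that catches a repacked build the exact hash misses, and a behavioral check that flags a program phoning home at fixed intervals, the pattern described under “How Spyware Invades Your PC”. All files, signature names, hosts and log lines are constructed; the one hash in the base is computed from the constructed sample and is not a real indicator.

```python
import hashlib
import re
import statistics

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed "files" standing in for a disk. Contents are fake strings;
# only the bytes matter to the scanner.
SAMPLE_FILES = {
    "C:/Program Files/Weather/weather.exe": b"MZ demo weather program, shows forecast",
    "C:/Windows/System32/trk32.dll": b"MZ demo tracker v1 POST /report visited=",
    "C:/Windows/Temp/x9q.dll": b"MZ demo tracker v2 (repacked) POST /report visited=",
    "C:/Windows/System32/dial.exe": b"MZ demo dialer ATDT19005551234",
}

# Signature base: name -> ("sha256", digest) for an exact match of a known
# file, or ("regex", pattern) for a distinctive code fragment.
SIGNATURE_BASE = {
    "Demo.Tracker.v1": ("sha256", sha256(SAMPLE_FILES["C:/Windows/System32/trk32.dll"])),
    "Demo.Dialer.900": ("regex", re.compile(rb"ATDT1900\d{7}")),
}

# A later signature update: a generic pattern that also matches the
# repacked v2 build, which the exact hash does not.
UPDATE_FEED = {
    "Demo.Tracker.gen": ("regex", re.compile(rb"POST /report visited=")),
}

def apply_update(base, feed):
    """Merge downloaded signatures into the local base."""
    merged = dict(base)
    merged.update(feed)
    return merged

def scan(files, base):
    """Return {path: [signature names]} for every file that matches."""
    hits = {}
    for path, content in files.items():
        digest = sha256(content)
        names = []
        for name, (kind, value) in base.items():
            if kind == "sha256" and digest == value:
                names.append(name)
            elif kind == "regex" and value.search(content):
                names.append(name)
        if names:
            hits[path] = sorted(names)
    return hits

# Constructed connection log: (seconds since boot, process, remote host).
# The weather program contacts its own server when the user looks at it,
# but something riding on it contacts a tracker every 600 s like clockwork.
CONNECTION_LOG = [
    (30, "weather.exe", "weather.example"),
    (600, "weather.exe", "tracker.example"),
    (1200, "weather.exe", "tracker.example"),
    (1800, "weather.exe", "tracker.example"),
    (1845, "weather.exe", "weather.example"),
    (2400, "weather.exe", "tracker.example"),
    (3000, "weather.exe", "tracker.example"),
    (3170, "weather.exe", "weather.example"),
]

def detect_beacons(log, min_events=4, max_jitter=0.1):
    """Flag (process, host) pairs that connect at nearly fixed intervals.

    Returns [(process, host, event count, mean interval in seconds)].
    """
    by_pair = {}
    for t, proc, host in log:
        by_pair.setdefault((proc, host), []).append(t)
    beacons = []
    for (proc, host), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.append((proc, host, len(times), float(mean)))
    return beacons

if __name__ == "__main__":
    print("before update:", scan(SAMPLE_FILES, SIGNATURE_BASE))
    print("after update: ", scan(SAMPLE_FILES, apply_update(SIGNATURE_BASE, UPDATE_FEED)))
    print("beacons:      ", detect_beacons(CONNECTION_LOG))
```

Before the update only the v1 tracker and the dialer are found; the repacked v2 copy is invisible to the exact hash until the generic pattern arrives, and the beacon check catches it regardless of what its file looks like, which is why step 3 pairs signatures with behavior.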