Dennis Parsons warns of spyware and other more dangerous and sinister programs
that manage to find their way onto our unprotected systems
Computer user or not, just about everyone will have at least heard of computer
viruses and worms. Nasties such as "I love you", MyDoom and Blaster made it
into the mainstream media - you would most likely remember the names because
they, and the associated arrests, were stories on the evening news. Nowadays Melb
PC dial-up users would rarely see a worm or virus in e-mail to their Melb PC
account, thanks to our on-server antivirus filtering. In fact you
probably see more e-mail notifications incorrectly indicating that you've sent a
virus or worm, due to a worm faking or spoofing the From: address. Of course it is
vital that you maintain your own antivirus software, as e-mail is only one of the
routes by which viruses and worms arrive. In my view a firewall is also a
necessity, particularly for Windows XP users.
Unfortunately malicious software, or malware, doesn't stop there. There are
diallers that cause Internet dumping and can run up huge phone bills (PC Update,
May 2004), spyware, adware, "foistware", hijackers, trojans and key loggers.
These cover a wide range of overlapping activities: from damaging or stealing
data on your system to enabling your system to be controlled as a "zombie"; from
logging your keystrokes to collect passwords and credit card numbers, to logging
your Internet activity for advertising purposes such as directed pop-ups; from
forcing your browser to certain search sites and altering your home page, to
redirecting your browser to unwanted or undesirable sites. By being incredibly
difficult to remove, they can make it appear as though you've lost control of
your computer.
Obviously this is a subject far too extensive to cover in any real depth in a
short article. So I'll discuss general concepts, cover a few specifics and
indicate some tools you can use to help protect yourself and hopefully be able
to clean out an infested system. The vast majority of malware is targeted at
Microsoft Windows and won't run on other Operating Systems (OSs) such as Linux
or MacOS, so problems discussed here and suggested software solutions will focus
on Windows. That said, the general concepts discussed here are platform
independent and make for good safe computing practice no matter which OS you
use.
Definitions (vague or otherwise)
adware: software designed to serve advertising to your computer
foistware: software forced onto your system without your consent
hijacker: software that alters browser settings to direct you to specified sites
key logger: software that records keyboard keystrokes and reports them -
primarily to collect usernames, passwords and credit card numbers.
spyware: software designed to collect information about a user
trojan: software that arrives as part of other software or disguised as
something else and is installed surreptitiously on your system.
General Signs
General signs of an infestation are many and varied and may indicate a number of
different things, not all of them harmful or malicious, so don't panic immediately.
Watch for things such as: your computer appearing to run slower than previously
(indicating a greater number of processes running); unexplained modem or
download/upload activity (indicating unknown data transfer); pop-up windows
appearing at odd times or when you are offline (indicating that installed
software is generating them); your homepage having been altered and refusing to
stay changed back, or your browser being directed to strange search pages or porn
sites (indicating your browser settings have been changed). This list is by no
means exhaustive but gives an indication of things to watch for - there are
literally thousands of examples of malicious software over and above viruses and
worms.
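One of the signs above, unexplained upload/download activity, is easier to act on if you can see which program owns each open connection. The following script is an added example for this article, not code from PC Update or from any tool it names. It is read-only and assumes Windows 8 / Server 2012 or later for the Get-NetTCPConnection cmdlet; on older Windows the same information comes from "netstat -ano" by matching the PID column against Task Manager by hand.

```powershell
# Added example (not from the article): list established TCP connections
# alongside the process that owns them, so unknown network activity can be
# tied back to a program and its executable on disk. Nothing is changed.

function Get-OutboundConnectionReport {
    # Index running processes by PID once, rather than querying per connection.
    $procs = @{}
    foreach ($p in Get-Process) { $procs[$p.Id] = $p }

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        # Drop loopback/unspecified addresses; they are not Internet traffic.
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $owner = $procs[[int]$_.OwningProcess]
            $name  = 'pid ' + $_.OwningProcess
            $path  = $null
            if ($owner) {
                $name = $owner.ProcessName
                # Path can be empty for protected/system processes; that is itself worth noting.
                $path = $owner.Path
            }
            [pscustomobject]@{
                Process   = $name
                Path      = $path
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                LocalPort = $_.LocalPort
            }
        } | Sort-Object Process, Remote
}

Get-OutboundConnectionReport | Format-Table -AutoSize
```

Anything listed under a process name you don't recognise, or with an empty Path, deserves a closer look; a process whose executable lives somewhere odd (a temp folder, say) is a stronger signal than the remote address alone.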
How Do I Get It?
There are a number of ways spyware and adware can be acquired. It can be
intentionally installed as a known part of software - for instance the ads
associated with the free versions of the Eudora e-mail client and the Opera
browser or if you voluntarily enable a reporting function in software such as
the Google Toolbar. Please note these examples are definitely not malicious and
have no nefarious intent, but they do fall within a broad definition of adware
or spyware. You can unintentionally install it as part of a program that doesn't
tell you it has the function, or is a separate piece of independent software
bundled with something you've installed, again without fully acknowledging the
existence or purpose of the bundled spy/adware. The peer-to-peer software Kazaa
is a prime example of both types - older versions came with the spy/adware
bundled and newer versions have it integrated into Kazaa itself. Check when
installing software to see if by default it has options like reporting selected.
Lastly it can be foisted on you by things such as worms, both by e-mail and
directly from the Internet, malicious ActiveX components that can download and
install software via your browser, being "hacked" or by exploitation of
insecurities in software such as browser, e-mail client or firewall.
How Do I Avoid It?
Update, update, update! Just as (hopefully) you check for updates of your
antivirus software, you also need to do the same for your operating system
(Microsoft Windows, Linux, MacOS, etc), firewall, browser, e-mail client and any
other security related software. Such updates are often called "patches" and
installing them is known as "patching". New faults are continually being found -
they can be exploited by people with malicious intent to damage your computer
system or your data, or to enable them to use your computer system for their own
purposes.
Use Windows Update to regularly check for and install critical updates to
Windows and other Microsoft components such as Internet Explorer (IE), noting
that even if you don't routinely use IE you are still vulnerable to the faults
in it. Since much adware and spyware relies on IE to get a foothold, and given the
current unpatched security issues with IE, now would be a good time to consider
an alternative browser. Firefox (http://www.mozilla.org) and Opera
(http://www.opera.com) are good alternatives.
Install and use a software firewall as this will help prevent inbound connection
attempts to your system direct from the Internet and may notify you of outbound
connection attempts (such as "calling home") by any malicious software that you
manage to "catch". With the increasing number of users permanently connected to
the Internet (cable or ADSL for instance) it is becoming more common for threats
to arrive by direct connection - the Blaster and Slammer worms are prominent
examples that exploited weaknesses in Windows XP.
Properly patched and firewall-protected systems are at greatly reduced risk of
being exploited or of subsequently exploiting other systems. At least use Windows
XP's built-in firewall, or acquire additional software - examples of free
firewalls are Kerio Personal Firewall (http://www.kerio.com) and Sygate Personal
Firewall (http://smb.sygate.com).
If you use broadband your modem may have built-in firewall capability. Set your
browser security settings to as high a level as you reasonably can and disable
ActiveX except for necessary sites such as Windows Update. Be cautious with
unsolicited e-mail - not only could it carry a worm or virus, but any links
contained therein could direct you to sites that attempt to download malicious
software - especially if your browser isn't configured correctly and/or your
operating system is not fully updated (patched).
When installing software consider the safety of the source. Is it from a major
company or well known provider? Or is it a "crack" from some dodgy site? This
may seem a little paranoid, but there are no guarantees from either source so
treat anything you install as potentially dangerous, it's just a matter of
degree. Read the installation agreement or at least look through it as it may
indicate you're giving permission for the software to report information back to
another party. You might be prepared to provide a certain amount of information
in exchange for free use of the software, but does it really indicate what
information is collected and for what purpose? Are you giving permission for
additional software to be installed whose use or purpose you may know nothing
about? Can you opt out of providing, or agreeing to provide, information?
If not, then it's probably time to look for an alternative.
An Example
Probably the most prominent example of adware and spyware included with a
product is Kazaa peer-to-peer software. While it's now more upfront about what
is being installed with it, you still don't really know what you're getting.
On the surface it has an attractive interface and provides a useful function -
file sharing. It even comes bundled with antivirus software - a trial version.
The killer is the software that you need to accept and agree will be installed
with Kazaa on your system, for it to work. The "extras" provide pop-up ads and
the like that "pay" for the Kazaa service. They also collect data on users'
browsing habits to enable provision of "targeted" ads based on this data.
Considering that you don't actually know what else is going on in the
background, Kazaa doesn't sound such a good deal any more. There seems a real
possibility the intention is to use computer systems with Kazaa installed as
parts of a vast distributed computing network, without the user having any real
say, because you've already agreed to allow it when Kazaa was installed. Sounds
less and less inviting and quite possibly more than a little scary.
Of note during Kazaa installation was antivirus software being triggered
numerous times due to several downloader type trojans and the number of unknown
IP addresses it contacted. That certainly caught my attention.
Figure 1. Ad-aware scan after installation of Kazaa.

Figure 2. Details of Ad-aware scan.
Protection and Removal Tools
Fortunately for the general computer user there are tools available to find and
remove spyware and adware from a system, usually with minimal fuss and effort.
They don't always work and some spy/adware is particularly clever, stubborn and
difficult to remove. The best free software available for this job is Ad-Aware
and Spybot Search & Destroy. There is also Hijack This! which needs an expert
guiding hand to be used effectively. All of these programs alter the Windows
registry so must be used with caution and the understanding that damage to your
system is always a possibility. That said, the risk of damaging your system is
small in comparison with the potential damage done by spyware.
Figure 3. Results of a Spybot Search & Destroy scan after installation of
Kazaa (red is bad).
A more specific tool is Cool Web Shredder (CWShredder). It removes browser
hijackings by the CoolWebSearch family of hijackers which are particularly
devious and difficult to remove manually.
BHODemon is another useful control tool. Browser Helper Objects (BHOs) add
functionality to Internet Explorer, such as those installed by Adobe Acrobat
Reader and the Google Toolbar. However others are not so benign, and BHODemon
helps identify and disable these.
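The tools above all work by inspecting the same few places in the Windows registry where hijackers, BHOs and auto-starting programs register themselves. The script below is an added example for this article, not code from PC Update, BHODemon, Hijack This! or any other tool mentioned; it shows what those places are and reads them without changing anything, leaving removal to the tools discussed. It assumes Windows PowerShell run as an administrator (so HKLM is readable) and a machine with Internet Explorer installed.

```powershell
# Added example (not from the article or any tool it names): a read-only
# inventory of the registry locations browser hijackers and unwanted BHOs
# use. It reports; it does not remove. Assumes admin rights for HKLM.

function Get-IEStartPages {
    # Hijackers typically rewrite these values; compare them with what you set.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Internet Explorer\Main"
        if (-not (Test-Path $key)) { continue }
        $main = Get-ItemProperty -Path $key
        foreach ($name in 'Start Page', 'Default_Page_URL', 'Search Page') {
            if ($null -ne $main.$name) {
                [pscustomobject]@{ Hive = $hive; Setting = $name; Value = $main.$name }
            }
        }
    }
}

function Test-FileSignature {
    # Authenticode status of a DLL path taken from the registry. Unsigned or
    # missing files are not proof of malice, but they are where to look first.
    param([string]$Path)
    if (-not $Path) { return 'no DLL path' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path $expanded)) { return 'file missing' }
    return (Get-AuthenticodeSignature -FilePath $expanded).Status.ToString()
}

function Get-BrowserHelperObjects {
    # Each BHO is a subkey named by its CLSID; that CLSID's InprocServer32
    # entry names the DLL Internet Explorer loads at start-up.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $clsid    = $sub.PSChildName
            $friendly = $null
            $dll      = $null
            foreach ($clsRoot in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
                $clsKey = Join-Path $clsRoot $clsid
                if (-not (Test-Path $clsKey)) { continue }
                $friendly = (Get-ItemProperty -Path $clsKey).'(default)'
                $srv = Join-Path $clsKey 'InprocServer32'
                if (Test-Path $srv) { $dll = (Get-ItemProperty -Path $srv).'(default)' }
                break
            }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $friendly
                Dll       = $dll
                Signature = Test-FileSignature $dll
            }
        }
    }
}

function Get-RunEntries {
    # Programs started at logon; spyware and diallers commonly add themselves here.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

'== Internet Explorer start/search pages =='
Get-IEStartPages | Format-Table -AutoSize
'== Browser Helper Objects =='
Get-BrowserHelperObjects | Format-Table -AutoSize
'== Run keys =='
Get-RunEntries | Format-Table -AutoSize
```

Run it once on a clean system and keep the output; a later run that shows a new BHO CLSID, a changed Start Page or an extra Run entry tells you exactly what a removal tool should be pointed at, and the Signature column separates a vendor's signed DLL from an unsigned one dropped into a temp folder.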
Be aware that there are quite a few bogus products that claim to remove spyware
but in fact don't - they install more, so be careful in your choice of software.
Reprinted from the August 2004 issue of PC Update, the magazine of Melbourne PC User Group, Australia