home	internet security menu

---

 

Spyware Prevention Guide

Understanding what you're up against is half the battle when dealing with online security threats.

---

Topic links:

multiple whammies

succumbing to social engineering

multi-layered defence

safe practices

search & destroy

stop 'em starting

blurring the line

 

Of the roughly six and a half billion people in the world, nearly one in six use the Internet. Geographically, you rub shoulders with a minuscule percentage of that number, but once online, everyone of them is a near neighbour.

That's one of the reasons for the Internet's enormous potential. It's also why it's so unsafe.

Most of your Internet neighbours are average folk... in the way any of us is average. Some of them, though, are decidedly dodgy characters: some belong to organised crime gangs, others are independently criminal; a select group are given to vandalism and indiscriminate acts of destruction; while a distressingly sizeable number have a surplus of greed over ethics.

It's this disreputable bunch which is responsible for a wave of computing woes: viruses and security hacks, spam, phishing and spyware.

It's the latter part of that wave which has contributed most to a nasty decline in our Net neighbourhood. Viruses are unpleasant, malicious and, at times, destructive; spam is invasive and offensive; phishing and spyware, though, are deliberately criminal.

Multiple whammies

The real problem is that such distinctions are no longer meaningful. The latest wave of threats uses multiple methods of attack – spyware installed via a phishing email delivered by spam, for example – in what's known as a blended threat.

The Fizzer worm is a good example of just such a combo package. This worm spread as an email attachment. When opened, the attachment installed a keylogger into the Windows system folder plus a second file designed to reassemble the virus. When activated, the virus attempted to disable anti-virus software, searched for email addresses in a variety of places on the infected system, and emailed itself to all those addresses using a fake ("spoofed") return address. Fizzer also searched for the peer-to-peer file sharing software, Kazaa; if it was installed, Fizzer infected all files in the Kazaa shared folder. As a final kicker, if it found AOL Instant Messenger on the system, Fizzer created a new user identity and logged on to a chat room using that identity, listening for further commands.

adware v. spyware: what's the diff?

Adware is software which: displays ads on your computer; keeps track of non-personally-identifying activity in order to serve you targetted ads; requests your permission to be installed and clearly identifies its scope and activities; provides a standard uninstallation routine which completely removes all traces of the software. Adware-supported versions of shareware are often offered as an alternative to paying for the software. Spyware is software which: surreptitiously monitors and reports activity on your computer; fails to disclose its full purpose and activities, or obfuscates its purpose and activities in order to get you to install it. uses tricks to get you to install it. has no uninstallation routine, or fails to uninstall fully, leaving part of the software operational. Many self-proclaimed adware programs clearly fall into the spyware camp. For example, Claria's GAIN network (formerly known as Gator), as bundled with Kazaa, has a 52-screen, 5924-word licence agreement obviously designed to make users stop reading well before they come across important conditions buried deep within the licence. That puts it in the spyware camp, no matter what Claria claims. At its most innocuous, spyware is used to target ads and lure you to specific Web sites; at its most malicious, it gathers your personal information, which the author then uses to steal from you.

Defending against such multiple whammies requires a lot more than merely keeping your anti-virus software up to date, and things get even more complex when you throw spam, phishing and more recent spyware innovations into the mix. These threats seek to exploit human weaknesses as well as technological ones.

Succumbing to social engineering

If you've ever clicked a link in an email asking you to update your banking password, you've succumbed to one of these "social engineering" exploits. Or perhaps you've responded to a "warning" box on a Web site saying your system has been scanned and found to be infected. It's the same rotten deal. The new scams play on your trust and fear – or your desire for a good deal – just as much as they play on technological vulnerabilities.

Can't find a way to close a suspicious pop-up on the Web? Bring up the Task Manager by pressing Ctrl+Alt+Del, click the Processes tab, click your browser in the list and click End Process.

In addition to this combination assault, spyware is constantly evolving, constantly mutating. Each time anti-spyware vendors defuse one trick in the spyware makers' arsenal, up pops a new wrinkle designed to foil the defences. For every thousand spyware programs identified by anti-spyware software, another dozen sneak by undetected. And all it takes is one truly malicious piece of spyware to compromise your security or even your identity.

A multi-layered defence

Given the ever-changing nature of the spyware onslaught and its exploitation of human foibles, a passive defence built around anti-virus and anti-spyware software is not sufficient. You need to add informed vigilance to the mix.

Official looking "warning" boxes on Web sites are commonly used by spyware and adware makers alike to trick you into downloading software. Note, whether you click the Next or Cancel button on this dialog, it performs the same action. (Click the image to see a full-size screenshot.)

So how, exactly, do you stay on top of the spyware menace? The following guidelines will give you the upper hand. Although the list may look formidable, chances are you already use many of these tools and practices. Even if you don't, it doesn't take long to integrate them into your computing routine, and many of the daily chores are easy to automate.

• Use a multi-layered defence. Anti-spyware software alone is not enough. Use it in conjunction with anti-virus software, a spam blocker, and a firewall. The latter is particularly useful for spotting and stopping the sort of Internet activity which is a telltale of spyware infestation. The firewall included with Windows is not adequate, as it only monitors incoming activity, and not outgoing "phone-home" spyware traffic.
  
• Don't use one anti-spyware program; use a handful of them. There's no single anti-spyware program capable of detecting more than about 80 percent of spyware. In fact, the dismal truth is there's currently no known combination of anti-spyware programs which provide a 100 percent defence. Still, by using an assortment of reputable anti-spyware tools you can limit your exposure enormously.
  
• Run scans every day, and after any high-risk activity, such as using peer-to-peer file swapping. Of course, you're better off not engaging in such high-risk activity at all.
  
• Update anti-spyware and anti-virus software daily.
  
• Enable real-time anti-spyware monitoring, so infestations may be stopped before they take root.
  
• Pay for your protection. Yes, you can download free anti-spyware software, but it's worth paying for better protection and it's worth making the anti-spyware business a profitable one. For example, the freeware version of Ad-Aware fails to detect many of the programs sniffed out by the commercial Ad-Aware Pro. Similarly, by making a donation to freeware authors such as the makers of Spybot Search & Destroy, you support anti-spyware efforts.
  
• Get your anti-spyware software from a reputable vendor. Never, ever download anti-spyware programs advertised via spam. Much of this software installs spyware on your system.

geekgirl's recommended anti-spyware

Looking for good anti-spyware? I recommend a combination of at least three of the following: Ad-Aware (preferably the Plus or Pro versions) CounterSpy Pest Patrol Spybot Search & Destroy (donationware) SpySweeper Spyware Doctor

• Use a non-Internet-Explorer-based browser, such as Firefox or Opera. Internet Explorer continues to prove more susceptible to spyware attacks than any other browser, due to its support for ActiveX scripting and its tight integration with the operating system.

strange bedfellows

Aluria and WhenU? Microsoft and Claria? When anti-spyware vendors get into bed with adware makers, alarm bells sound. Aluria, the maker of Spyware Eliminator, last year certified WhenU's adware as "free from malicious spyware". More recently, Microsoft AntiSpyware placed Claria on its "ignore" list, shifting it from the "quarantine" list where it had formerly been placed. Microsoft's action preceded a flurry of speculation that the company was about to buy Claria. So, are WhenU and Claria adware or spyware? Spyware expert, Ben Edelman, clearly believes both are guilty of conduct unbefitting the term "adware". Certainly, there's enough doubt to make us think twice before recommending these two otherwise good anti-spyware programs. Still' I've found Microsoft AntiSpyware (and the new version, known as Windows Defender) so good, I suggest you install and use it, but make sure you team it up with at least a couple of the other recommended programs.

Safe practices

With the right software tools in place, your spyware defences are half complete. Remember, no combination of anti-spyware programs can detect and root out all spyware infections, so to secure your system you – and everyone who uses your computer – must adopt safe computing practices.

Downloads

• Establish a download policy for your household or workplace. This is especially important if young people share the computer as game and file sharing sites are major sources of spyware.
• Banish peer-to-peer file sharing completely. Or, if that will cause a revolution in your household, banish it to a non-networked, standalone computer which contains no financial or other personal information. Do not use this computer to access financial Web sites or other sites which require a log-in or store account details. Treat this computer as a pariah.
• Before downloading, read the software licence (EULA) in its entirety.

Email

• Never click links in spam.
• Never buy spam-advertised products.
• Never click links to financial institutions or log-in sites; instead, open your browser manually and type the address in directly, or use a previously saved bookmark for the site.
• Establish a Web-based email account and use it for all non-critical email. Do not download this mail to your local machine, view it online.
• Never open attachments from unknown sources.
• Scan attachments from known sources for viruses before you open them.

Browsers

• Always read links and dialog boxes carefully before you click online.
• Never click the Close or Cancel link in a pop-up. Often these links are coded to install spyware.
• Close pop-ups using the X in the top right-hand corner, or click the window's title-bar and press Alt+F4.
• If a  pop-up has no apparent way to close it, use Ctrl+Alt+Del to terminate your browser. If you're using Internet Explorer, this will have the unfortunate side effect of restarting the Windows Explorer as well (another reason for not using Explorer).
• Watch how questions are phrased online. Frequently, they are phrased in a way which makes it hard to work out how to avoid signing up for something, or a series of No, No, No responses will precede a question which requires a Yes to avoid accidental sign up.
• Set your browser to kill pop-ups. Most browsers display a notice when they block a pop-up, so you can always allow a specific pop-up if it's on a trusted site.
• Check for updates to your browser each week.
• Regularly check security settings of your browser, to ensure they have not been changed. For example, check that IE's Trusted Sites list contains only those sites you have added.
• Look for the https:// prefix (note the 's' on the end) in the Web address, indicating a secure site, before entering sensitive information online.
• Watch for subtle changes in the way a site appears. If it doesn't look right, close your browser.
• Patch all browsers on your system, not just the one you use as the default. One recent attack used a flaw in Firefox's Java plug-in to worm its way into Internet Explorer and from there to launch pop-ups. Remember that Internet Explorer is integrated into Windows in all sorts of ways, so you must patch it even if you don't use it. IE is used by Messenger, Outlook Express, Digital Imaging Studio and many other programs even if you have chosen another browser as your default.
• Use Microsoft Update to keep Windows patched.

Search & Destroy

If you're new to anti-spyware software, you'll find most of these programs work in a similar fashion, even if they have markedly different looks. Using any anti-spyware program involves a three-step process: update the spyware definitions; scan your system; delete or quarantine any spyware infections.

Most anti-spyware programs categorise threats according to the degree of risk. You can always make your own assessment by searching for the threat name on sites such as spywareinfo.com or spywarewarrior.com.

Here's how to do a spyware scan using Spybot Search & Destroy – a donationware tool that's well worth using:

1. Open Spybot, click the Mode menu and select Default Mode.
2. Click the Search For Updates button on the right and download any updates available.
3. Click the Search And Destroy button on the left and then click Check For Problems.
4. Once the scan completes, Spybot will display a list of spyware and suspect software. If you're not sure whether you wish to delete a particular item, remove the tick beside its name; tick all items you want to remove.
5. Once you've made your selections, click Fix Selected Problems. Spybot will create a recovery point before it proceeds; if a problem develops after you've disinfected your system, you can use Spybot's Recovery option to roll your system back to its former state. In some cases, you may have to reboot your computer for Spybot to root out the worst of the problems. If you must reboot, Spybot will load with Windows, do its work, and then let Windows continue booting.

Keep in mind, if you have willingly downloaded a program that includes adware, then using an anti-spyware tool to remove the adware is likely to disable the original program as well. If you no longer want that program, you should use Add Or Remove Programs in the Control Panel to uninstall it, and check for a separate uninstallation routine for the accompanying adware.

geekgirl.tip: how to spot an infection

Is your system infected with spyware? Some common signs of infection are: An increasingly sluggish response from your computer. Browser windows opening automatically when you start Windows. Pop-up windows appearing constantly when you're online. Your browser's home page or default search engine being changed. Frequent browser and program crashes. New toolbars or bookmarks appearing in your browser. Sites added to your browser's Trusted Sites or exceptions list. Unpredictable browser behaviour. Blocked access to sites, especially anti-virus or anti-spyware sites. New programs in the system tray.

Stop 'em starting

Good spyware defences are all very well, but what if you're already infected? Using a combination of anti-spyware programs should root out most of the spyware on your system, but some of this stuff is infuriatingly persistent.

A lot of really vicious spyware constantly reinfects your system by loading each time Windows starts. There are several ways you can prevent programs from loading at startup; the simplest of these methods won't stop persistent spyware but they will help you eliminate some of those annoying non-spyware programs – such as Windows Messenger – which insist on loading themselves into the taskbar tray.

Method 1: Use the program's own options. Many programs include an option to load when Windows starts. For programs in the tray, right-click and look for a Preferences, Options or Settings option. Sometimes you must dig a little to locate these options. For example, to disable Windows Messenger, right-click its icon and choose Open, click Tools Menu -> Options -> Preferences tab and untick Run Windows Messenger When Windows Starts.

Method 2: Remove programs from the Startup group. Click Start -> All Programs -> Startup and then right-click any program you wish to remove and choose Delete from the pop-up menu.

Method 3: Stop programs loading via the registry and configuration files. This is the approach to take when the other two fail. Many programs won't show up at all using the first two methods, but using a tool such as the Microsoft System Configuration Utility (msconfig), you can get rid of all but the most persistent freeloaders.

Msconfig is not a particularly informative tool, so consider using Startup Inspector, instead. It lets you inspect each and every program loaded at startup. Click its Consult button, and suspicious programs are highlighted; click the Rating column header to sort programs by their status. Startup Inspector includes a descriptive database of startup items, so you can quickly determine which are legit and which are suspect. Its companion program, Startup Monitor, alerts you instantly any program tries to add itself to the startup list.

Using this third method, you'll be able to clobber the startup components of RealPlayer, QuickTime and a number of other invasive programs as well as many spyware apps.

If you're plagued by a persistent spyware infection, specially targetted anti-spyware such as CWS Shredder, BHODemon and Toolbar Cop may help you stamp it out.

The most pernicious spyware will require the more drastic measures I cover in the accompanying article, Advanced Spyware Defence. (I'll be putting this online soon...)

geekgirl.tip: avoid rogue anti-spyware

One really nasty trick of spyware makers is the creation of fake anti-spyware programs. Such programs abound and are aggressively marketed through "affiliate" sites which spring up all over the Net. The programs and the Web sites often sport names that are very similar to those of legitimate products and Web sites. These rogue programs either don't work at all, work poorly, make false positive identifications in order to encourage you to buy them, or steal code from legitimate anti-spyware programs. Many of them actually install spyware on your system or deliver you to sites which install spyware. To avoid such software, pick one of my recommended anti-spyware programs and make sure you download this software from the listed Web site; or get your software from another reputable source. You'll find a frequently updated list of rogue anti-spyware at Eric Howes' Spyware Warrior site.

The blurring of the line

Purveyors of adware are keen to distance their programs from spyware, but their own actions blur the line between the two and raise legitimate concerns about the purity of their intentions.

Take, for example, the Yahoo! Toolbar. It may well be nothing more than adware, but its installation routine displays the 250-line licence in a 3-line high, unresizable window. Could it be the company doesn't want you to read it?

geekgirl.tip

To read licences displayed in small, unresizable windows, click and drag over the licence text, press Ctr+C, switch to your word processor and press Ctrl+V to paste the text into a document where you can view it clearly.

The search for something for nothing may get you more than you bargained for. File sharing programs such as Kazaa, BearShare, Limewire and Grokster all install adware or spyware on your system and then make themselves hard to remove. Even if you cancel Kazaa's installation before it has time to complete, the program leaves its traces on your computer. Incomplete uninstallations are hallmarks of adware and spyware.

Supposedly legitimate programs such as RealPlayer and QuickTime insist on loading at Windows startup, without offering an option to disable this behaviour. You'll need to use a startup utility, such as Startup Inspector, to keep them under control.

© 2006  Rose Vines

---

top

home

internet security menu