What is SpyWare?

SpyWare is a generic term for a number of programs that you would never put on your computer deliberately, but which get there somehow anyway, typically by action of a popup or by clicking on something on a Web site. SpyWare consists of several different varieties, ranging from innocuous but annoying, to downright dangerous. There are nearly 475,000 different SpyWare, hijacker, MalWare, AdWare, and other similar programs and variants of those programs, presently found on the Internet today, and the number is growing daily.

Adware is software that gets put on your computer by a popup, or as a result of installing something else that you think might have some value, such as shopping, better Internet search capability, or music or file sharing. Some spyware or adware merely tracks where you go on the Internet, then reports this back to a marketing company. It extracts your e-mail address from your e-mail program, and this, along with your browser history, allows the marketing company to send you spam e-mails regarding products or services that they think that they or their clients might have a chance of selling you. Some adware can also open up backdoor ports on your machine to allow popup ads to be sent from the marketer and to appear on your machine. If you're getting a lot of popups, likely there is at least one spyware program lurking on your computer. Common programs that install adware are Kazaa, P2P networking, Bonzi Buddy, LimeWire, BearShare, etc. Some sites also require you to install special software in order to take advantage of special features of their site. We don't include sites that require recognized programs such as Flash, QuickTime, etc. but rather sites that require that you install some software to view their site. Many "adult" sites fall into this category. Take note that we’ve recently seen many pages on FaceBook, YouTube, etc. that will tell you that “You need the latest version of Flash” or “You need to update your QuickTime Player” in order to view the video. If you need to update anything, DO NOT do it from the link they provide, as it’s most likely SpyWare that’s actually going onto your machine. Go to the provider of that software, and download it directly. If the page then STILL says that you need to update something, then likely it’s a fraud and should be avoided.

Spyware includes Key Stroke Loggers, and other programs that report more than just your internet browsing habits to a third party. It is possible for a dishonest third party to install a keystroke logger on your machine, then to extract a keystroke log from a file kept on your machine by the spyware program, and get your username and password for online banking, shopping, auction sites, etc. in this manner. Even if your bank, shopping site, or auction site uses secure encryption, it is possible to extract your userid and password, as the extraction is done BEFORE the information is passed across the Internet connection. If you've noticed that your computer is very slow, it is possible that you have SpyWare on your machine.

Browser Hijackers are programs that attach to your Internet Browser, such as Internet Explorer, or AOL, and prevent your computer from going to certain Web sites, or force your Internet Browser to only use certain search sites, etc. A common example of this type of program is CoolWebSearch, which forces your browser search page to change to something different than the default. Browser Hijackers can also change your start page, your home page, or direct you to pornographic or other inappropriate sites. This is done because the people who create these programs are charging a fee to the sites that they direct you to, and preventing you from seeing other sites that don't pay them money. Some of these hijackers also can disable certain parts of the protocols that your computer uses to communicate on the Internet, making it impossible to access the Internet after the hijacker is removed, because removing the hijacker may not restore the protocol layers that have been tampered with, leaving no way for those protocols to communicate. This is why PREVENTION is generally better than REMOVAL.

There are also other hijackers called Zombies. These load themselves into your machine via a backdoor of some sort, often placed there by a program that you’ve downloaded, then they just wait for instructions from a machine someplace out there on the Internet. When they get their instructions, they will then execute whatever they are told by their “Master”, including sending out spam e-mails, or participating in a Denial of Service attack on another computer someplace. If your computer is running slowly, it is possible that it has been infected by such a program.

Another type of MalWare worth mentioning, although it is not strictly a SpyWare program, is a background dialer. These are installed by many pornographic sites, although we have seen them elsewhere. They can be present even if you do not use your dialup modem to access the Internet - as a matter of fact, they are common. What these programs do is to silence the modem's speaker, then dial a 900 number or other pay service, and keep connected to it as long as you are accessing a particular site. We recently had an incident where a client received a $1500.00 telephone bill for dialing 900 numbers, that was traced to a visitor who was accessing questionable sites on their computer. Whenever the site was accessed, the 900 number was dialed, and the charges started mounting up.

Rootkits are programs that are designed to take control at the most basic or fundamental level of your machine, at the “root” in Unix terms, of the machine. Typically, these can be installed by, or in concert with, Trojan Horse programs, i.e. programs that look like something safe to run, perhaps a screen saver, but actually contain malware inside. Rootkits act in such a manner as to obscure their presence from the rest of the system, by evading standard OS security mechanisms. They may hide running processes from the Operating System, or hide files or system dependencies from the system. They often modify essential parts of the Operating System, and removal of a Rootkit may be exceptionally difficult or impossible without re-installation of the entire Operating System. A Rootkit is also often crafted in such a manner as to prevent installation of AntiVirus or AntiMalware programs, so as to escape detection.

Trojan Horse and Easter Egg programs are a type of MalWare that is designed to install other programs on your machine. Typically, a Trojan Horse is a program that purports to do something useful, but contains code inside it that installs other MalWare. An Easter Egg is a file, such a movie or music file, that when accessed, proceeds to execute MalWare code or install MalWare. Typical examples of this may be shared music or movie files from unknown sources. If you don’t know where a file came from (such as if it came via an anonymous file sharing or peer-to-peer application), it could likely be an Easter Egg.

What can I do about it?

You should have a good anti-SpyWare program on your machine. The best that we've found is SpyBot Search and Destroy. CAUTION: There are a LOT of other programs with the word SpyBot in their name, that are NOT SpyBot Search and Destroy. The genuine SpyBot Search and Destroy is FREE from PepiMK Software, and can be downloaded from www.zdnet.com, or www.saferNetworking.org You also should have a good AntiVirus program. We recommend Norton AntiVirus. It is also important to check to make sure that both your AntiSpyWare and AntiVirus programs are up-to-date, as there are new threats being released daily, as the miscreants that produce them find that we have implemented ways of combating them. Also, if you are running Windows XP Service Pack 2 or 3, or Windows Vista, you can get Microsoft Windows Defender for free from Microsoft’s website www.microsoft.com . If you are NOT running XP Service Pack 2 or 3, or Vista Service Pack 1, you should be. Windows Defender is automatically part of all versions of Windows Vista, but you still have to make sure that it is turned on in order for it to function.

Finally, it is important to PREVENT SpyWare as much as possible. Don't click on things you don't know. If you get a popup telling you that you have SpyWare on your machine, and offering a free SpyWare scan, chances are that the "free scan" is a scam to install SpyWare on your machine. Often, these popups will come up, and tell you that you have SpyWare whether you actually do or not. They then entice you to download their “free” AntiSpyWare program, which “scans” your machine, finds imaginary SpyWare, then tells you that to get rid of it, you have to pay for their paid version, which can run upwards of $50.00. Sometimes, they also INSTALL SpyWare or worse on your machine, and essentially blackmail you into paying them for the removal. Offers of Free Screensavers, Free Instant Message icons, etc. are also likely to be laden with SpyWare or worse. If you get a popup offering you a "free" ANYTHING just for clicking, what you're probably getting is "free" SpyWare!! Similarly, offers for a “free Internet Speed Test”, or something that will speed up your Internet browser, lead to better Web searching, save you money on coupons, etc. are also likely covers for SpyWare.

Lately, we’ve been seeing a new breed of SpyWare installer, which comes with code that executes on hijacked Websites, typically on FaceBook (the KoobFace worm is one example), YouTube, and similar social networking sites. These will either entice you to install some software in order to view a video, play a game, etc. and put SpyWare on your machine in the process. Remember, just as a flu shot can’t protect you from poisoning yourself, similarly, AntiVirus or AntiSpyware can’t protect you from putting something on your machine that you have specifically allowed to be downloaded and installed.

Sometimes you have to be really careful to avoid installing something without knowing it. We've seen cases where the "EXIT" button on a popup would install SpyWare! Use the X button in the upper right hand corner, and make sure that it's really the X button, and not just another button, positioned similarly, that does not close the window, but installs something instead. We recently saw a case of a popup that a client had where the popup offered a $50.00 gift certificate if you clicked on a button with your opinion of whether the President is doing a good job. Whether you clicked YES or NO, you got the spyware, and nobody ever got the gift certificate. Adult sites, casino gambling sites, etc. are also a good way to get SpyWare without knowing about it until it’s too late. Lately, we’ve also seen SpyWare targeted at children, with sites such as Zwinky.com being a good example. They offer stuff that will entice children into downloading their material, much of which is SpyWare. The key here is to KNOW what your children are doing on the machine. We also recommend that children NOT have Administrative accounts on Windows machines. Limited accounts are sufficient to do anything that a child should be doing with a machine, and if they need to install software, parental supervision is a good idea, especially if it’s on the same machine that their parents use to do the family budgeting, online banking, taxes, and the like. Better yet is to keep your children off the machine if it is used for banking, taxes, business record keeping, and similar uses.

As far as getting “free” AntiSpyWare or AntiVirus software, look at it this way: If you were sitting in the Mall parking lot, and some teenage kid walked up to you and told you that he could make your car go 200 MPH, get 75 MPG, and be invisible to police radar, but all you have to do is to let him do some stuff to it, then weld the hood shut so you can't see what he did, and you have to leave the keys in the ignition always, would you do it? Probably not, so why let someone do that to your computer? As a general rule, with the exceptions noted above, the best that most free software is worth is exactly what you pay for it – nothing!

Another thing you can do is to make sure your Windows OS is up to date. All currently supported versions of Windows (presently, these include Windows 2000, XP, and all versions of Vista) are subject to periodic updates from Microsoft. As Microsoft finds vulnerabilities in Windows, Internet Explorer, and Outlook Express, they issue patches in the form of Windows Updates. Some of these are merely Recommended, others are Critical or Security Updates. It is important that all Critical and Security Updates be installed as they are released. Beware, however, of popups or e-mails that may come up to tell you that Microsoft has released some update, and then direct you someplace other than Microsoft to get your "update" (which is probably SpyWare of some sort). We generally set up Windows Update to inform us of the updates, but then go to the Microsoft Windows Update Web site directly to obtain the updates, to make sure that they are really from Microsoft. Note that some Browser Hijackers are capable of redirecting your browser to sites other than Microsoft, or making your computer incapable of connecting to Windows Update. If this happens, you've got a problem that may require professional intervention to restore the proper operation of your machine..

SpyWare, once installed, can be extremely difficult to remove. Many SpyWare purveyors have an interest in keeping their stuff on your machine, and will go to great lengths to prevent its removal, by keeping processes going in the background that check for the presence of their program, and if it is not found, will re-install it or re-start it. Merely removing the program that put the SpyWare on the machine in the first place is normally not enough - Removing Kazaa, for example, removes the Kazaa program itself, but leaves all of the SpyWare and AdWare intact on the machine. Likewise, removing the SpyWare may not close the ports that the SpyWare opens; WeatherBug is a good example of the sort of program that opens ports on the machine, and while it performs a useful purpose, so does a doggy door in your house - until a skunk finds it and wanders in. There are programs out there called “doorknob rattlers” that are constantly looking for open ports, and when they are found, the programs enter to do their dirty deeds.

One other thing to take note of - Sometimes we get clients who say "But so-and-so is running this program, and it hasn't caused any problems, and Such-and-such is running this other program and not having any problems.". While this may be true, sometimes programs that run fine on their own can interact with other software. Think of it this way - You can eat a tuna-fish sandwich for lunch, and you can have an ice-cream sandwich for dessert - but if you try a tuna-fish ice-cream sandwich, you're likely to get a tummyache. Some programs just don't get along with other programs!

How did I get SpyWare on my Machine? What can I do to prevent it?

Gambling sites, and pornography sites are some of the most frequent purveyors of SpyWare. If you have accessed such sites, chances are, those Web sites have installed SpyWare on your system. This includes “free” sites for Bingo or Poker. If in doubt, run SpyBot S&D, or, if you have Windows XP or Vista, run Windows Defender. Links to those programs are available from our Website at www.z-waresys.com or directly from Microsoft and www.SaferNetworking.org.

Music and File Sharing Software, such as Kazaa, eZula, LimeWire, BearShare, or other Peer-to-Peer networking or file sharing software is a frequent vehicle for SpyWare to sneak into your system. First of all, the use of Peer-to-Peer software that allows you to share “free” music is generally illegal under Federal copyright laws. This does not include sites like iTunes, or the new Napster program, where you pay for music that you download from a central server, this refers to so-called Peer-to-Peer networking, where you get music or video from other users. These programs commonly install “back doors” into your system so that other users can get to the files you’re sharing. These same “back doors” are used by worms, Trojan Horses, and other nefarious programs to enter your system. Even if the software itself does not contain SpyWare, it’s a weak point in the security of your system that is commonly exploited by those who would put SpyWare on your system. There exist out on the Web, programs called “doorknob rattlers”, which, just as a burglar in your neighborhood, go around “rattling the doorknobs” looking for unlocked ways into your computer. By keeping those back doors closed and locked down, these programs will just do their damage to someone else’s computer, because they can’t get into yours easilyl. In addition, there are some nasty inclusions in some of the music that’s being shared. These inclusions, called “Easter Eggs”, can cause your system to malfunction, or worse.

I hear from clients who say “But those sharing programs get me free music”. Sure, they might, but they also might get your machine poisoned or infected with SpyWare, Viruses, or worse. If you were going to the store to buy a soda, and someone were out in the parking lot giving away soda instead, but you knew that one in one thousand bottles of what he was giving away was poisoned, would you take the free stuff or pay for the stuff you know is OK? I think the answer is obvious to this question.

Did you get a PopUp telling you that you have SpyWare on your machine? How do the people who sent the PopUp know that you’ve got SpyWare? This is a common trick to get you to download and run some purported anti-SpyWare program that may actually put SpyWare (or WORSE) on your machine. Programs like “SpyWare Stormer, SpySheriff, SpyAxe, and SpyCop and similar programs that are commonly installed when you click on the links in those pop-ups actually may contain SpyWare – though they may kill some SpyWare, they also install SpyWare of their own. The same goes for pop-ups or e-mails telling you that Microsoft has issued some critical update for your system. If in doubt, don’t click on the pop-up, instead go to the Microsoft Windows Update Web site to download the update. Many times, these are not Microsoft updates at all, but rather ways to get you to install things you don’t want. There are also programs out there that purport to be AntiSpam or AntiVirus programs. WinAntiVirusPro 2009, which can be downloaded from the Web, is one good example. This is NOT an anti-virus program, but actually CONTAINS a Trojan Horse that allows the author of the software free and complete access to your machine for whatever purpose they wish.

If you’ve gotten a pop-up or an e-mail asking you to “vote” on some issue like whether you like chocolate or vanilla ice-cream, you may be consenting to the installation of SpyWare on your machine just by “voting”. Your vote doesn’t count for anything other than to allow the people who sent the e-mail or pop-up to put something you don’t want on your machine.

If you’ve gotten an ad, a pop-up, or an e-mail telling you that by installing some software, you can search the internet faster, that your machine will run faster, or claiming to “clean out” your machine, you can almost bet that it’s SpyWare or something like that. Many of these programs let you search faster by limiting your search options to only sites that pay them money, by hijacking your browser so that you can’t go anyplace but where they want you to go, or by limiting Domain Name Services or some other critical component of your Web browser. If there were something that would make your machine faster, Microsoft would have included it in Windows to begin with. If there were something that would allow you to search the Internet faster without limiting your searches, it would be in there. Microsoft isn’t stupid…greedy, perhaps, but not stupid.

Did you get an e-mail, popup, or advertisement offering you Smiley Faces for your e-mail or Instant Messenger, a screen saver, or free ring tones? Chances are, when you accept the offer, you’ll not only get the “freebie”, but in addition, SpyWare or other junk on your machine. Nothing is for free; there are strings attached, and often the strings are SpyWare.

Finally, it’s not enough to have anti-SpyWare software on your machine, you have to use it, and use it wisely. Run SpyBot Search and Destroy at least once a week, and keep it updated. Run Windows Defender, including the resident protection portion, and don’t just dismiss the warnings that you get – READ THEM, and take intelligent action. Make sure that you have virus protection, and KEEP IT UPDATED. Keep the subscriptions to the virus definitions current, and make sure that the protection is actually enabled (there are some viruses that can sneak in and disable updating and even the protection itself). We recommend Symantec Norton AntiVirus.

AOL’s AntiSpyWare protection, the free AntiVirus that you get from AOL, and similar places generally are worth just about what you pay for them – nothing. They appear to us to be crippled versions of commercial AntiVirus software that have been modified to allow those who pay AOL a fee to get past them. This is just our opinion, but it’s been borne out by numerous instances where we’ve scanned systems that have been shown as “clean” by AOL’s software, yet we find SpyWare and other garbage on the machine. Once the rather simple methods that those programs use to bypass AOL’s AntiSpyWare are figured out, many other SpyWare programs use those methods to install SpyWare on your machine. AOL won’t block those methods because they have been paid money to let programs using those methods pass. Better to pay and get real protection than to have to pay later to have junk removed from your machine.

Another way one can get SpyWare or Trojan Horses on your machine is to go to sites that provide “cracks” for games or the like. Sites that provide illegal “pirated” copies of otherwise legal software often are infected, either deliberately or accidentally, by various forms of SpyWare. If you need software, buy a legitimate copy from a legitimate retailer, don’t “crack” it, or use “warez” from some unknown source. Many online gaming sites are similarly infected, because there is no telling where their contents came from. If you are going to do online gaming, it is doubly important that your SpyWare and AntiVirus programs are up-to-date. Any time that your AntiSpyWare or AntiVirus program warns you that it is preventing the download of something from a site, listen to what it says, and exercise good sense as to what you’re downloading.

Another good reason to keep your AntiVirus and Anti-SpyWare software up to date is that we are increasingly finding sites on the Web that have been hijacked to put SpyWare, and in some cases, viruses, on your machine directly. These are sites that are, or were, legitimate sites, and have been compromised because their owners did not take proper precautions to keep hijackers from damaging their sites. When an unprotected machine accesses these sites, the site loads garbage onto the machine, and the machine is then infected. We’ve seen Real Estate, Auction, and other similar sites hijacked like this, with some of the worst offenders being individual pages on FaceBook, MySpace, and other similar social networking sites. These sites have their place, and the owners and operators of these sites do their best to keep rogue garbageware off their sites, but nothing is perfect. Even if you have AntiVirus and AntiSpyWare software on your machine, it HAS to be kept up-to-date, or your machine is at risk.

This page last updated 09/08/09 at 14:28:00
This page is copyright 2004-2009 by Z-Ware Systems, with all worldwide, and for that matter, interplanetary, rights reserved!