Category Archives: Spyware

Free Software Tests for Bot Infections

PineApp has released a free zombie test that can instantly discover whether an organization’s computer network might be an unwitting spamming machine — a “zombie” or “bot” — that can send thousands of infected spam messages to other networks—without its knowledge.

As a global provider of appliance-based solutions for email and network security, PineApp Corporation (http://www.pineapp.com) has created the free diagnostic tool—Zombie Detection System™ (ZDS™)—to determine if a network is infected. Organizations can simply go to http://www.rbltest.com/, enter the IP address and get an instant analysis.

http://www.darkreading.com/document.asp?doc_id=137353

University of British Columbia tracked his ‘theft of time’

The University of B.C. wants the right to keep using “spyware” to monitor its employees’ Internet use.

And the university — which used the software to fire a worker who surfed non-work-related websites for hours a day — has gone to court to challenge an anti-spyware order by B.C.’s privacy commission.

Michel Mandono, an engineering technician in UBC’s botany department, was fired in February 2005 for “repeated theft of time” as well as failure to perform his work, excessive lateness, dishonesty and breach of trust.

http://www.canada.com/theprovince/news/story.html?id=a7dc308c-65ca-42e2-b3ef-c0a7c67869a4

RSA 2007: Spyware cashes in quietly

Spyware is the most rapidly evolving threat on the threat landscape at the moment, and it will continue this way into 2008, said Gerhard Eschelbeck, chief technology officer of Webroot Software, at RSA Europe in London on 23 October.

Spyware is software that covertly gathers information through a user’s internet connection without their knowledge for malicious purposes. “It is financially motivated and it takes advantage of human nature,” said Eschelbeck. Spyware steals system resources, shows unwanted advertisements and re-directs users through false search results and other hijacks.

http://www.computerweekly.com/Articles/2007/10/25/227721/rsa-2007-spyware-cashes-in-quietly.htm

Notorious spyware purveyor shuts down

Less than a year after successfully negotiating a US$1.5 million wrist-slap to settle charges that it used sneaky tactics to install spyware on millions of computers, DirectRevenue (also known as Best Offers) has shut down operations.

The notorious spyware vendor, reviled for shady installation practices, numerous name changes and the aggressive use of annoying pop-ups to serve contextual ads, has posted this note on its home page.

Best Offers and Direct Revenue have ceased operations. To service legacy consumers we are maintaining this page of uninstall instructions, an uninstall software tool, and an email based support service.

http://blogs.zdnet.com/security/?p=608

The Top 20, fake anti-spyware and anti-malware Tools

In a continuation of the discovery of the RBN’s “Retail Division”, one of the most important exploit delivery methods is fake anti-spyware and anti-malware, used for PC hijacking and personal ID theft; this is also a source of direct-sale revenue for the RBN.

More http://rbnexploit.blogspot.com/2007/10/rbn-top-20-fake-anti-spyware-and-anti.html (with screenshots)

Zango Acquires Smart Shopper For $9 Million: Now More Evil

Everyone’s favorite love-to-hate spyware company Zango has acquired browser-based comparison shopping engine Smart Shopper for what we’ve been told by two people related to the company (but not confirmed directly) is $9 million.

Smart Shopper offers what on the surface appears to be a fairly non-threatening shopping assistant add-on for Internet Explorer; however, according to a number of sites, it is really adware that does nothing more than deliver advertisements and is difficult to remove.

Zango has a long history in the spyware business, having faced numerous court challenges over its business tactics whilst attempting to get in on the social networking and social shopping craze.

http://www.techcrunch.com/2007/10/23/zango-acquires-smart-shopper-for-9-million-now-more-evil/ via http://sunbeltblog.blogspot.com/2007/10/zango-buys-smartshopper-price-reported.html

See also:  So what’s the motivation behind Zango’s acquisition of SmartShopper?

Why do you need anti-spyware software?

Spyware – also known as adware or a parasite – is software installed on a system to secretly gather information about the user and relay it to advertisers or other interested parties.  It is usually bundled with software offered as a free program, as shareware or as a website service.


Security issue – spyware runs with all the privileges of the user who installed it.  It can conflict with the operating system and other applications and slow the system down.  It can read, write and delete files, download and install other software, and change the user’s preferences.  Some variants can even format the hard drive!


The PC and security issues above should already convince any user, home or enterprise, that anti-spyware software helps prevent unwanted applications from controlling or damaging your systems.  If it does not convince you, read on…


Why do you need anti-spyware software?


  • There is no 100% secure operating system or browser (or software in general) – if you follow security-related sites or forums, you’ll see that new security holes are discovered and reported every day (no holidays, no Sunday fun days).  Many of these holes can be exploited in several ways, one of which is to bypass security programs and even your program, browser and operating system settings.  It has been reported before, so why take the chance?
  • Most freebies or goodies are too good to be true – ever wondered what the catch is when you install freeware?  Some programs are truly free to the user, but not free of spyware; the definition above describes the catch.  Most spyware cannot be controlled by the user: you have already said no, yet it keeps showing up or reinstalling itself after you’ve removed it.
  • Anti-virus is not enough – not all anti-virus programs will prevent spyware from being installed!  A program bundled with spyware will not be detected by your anti-virus as “infected with spyware”.  Why?  Because the setup file itself is not infected.  When you run the installer and accept the many license agreements or terms of use during installation, you give your permission away in a snap, allowing the application to spy on you or gather your private data.  Persistent spyware does not only spy on you; it can also make your programs or system unstable.

What others have to say…


  • Spyware is walking a thin line of being classified as a Trojan horse or back-door and currently, the only defense against it is anti-spyware software. ~ SurferBeware
  • Despite its name, the term “spyware” doesn’t refer to something used by undercover operatives, but rather by the advertising industry. In fact, spyware is also known as “adware.” It refers to a category of software that, when installed on your computer, may send you pop-up ads, redirect your browser to certain web sites, or monitor the web sites that you visit. Some extreme, invasive versions of spyware may track exactly what keys you type. ~ US-CERT
  • Spyware has risen to the top of many computer users’ lists as one of the most vexing challenges they face today. Microsoft customers echo analysts, partners, government leaders, and consumer advocacy groups in identifying spyware as a serious problem for the entire PC industry. ~ Microsoft
  • A number of firms currently design and offer so-called “spyware” software — programs that monitor user activities, and transmit user information to remote servers and/or show targeted advertisements. As distinguished from the design model anticipated by whatis.com’s definition of adware (“any software application in which advertising banners are displayed while the program is running”), these spyware programs run continuously and show advertisements specifically responding to the web sites that users visit. Companies making programs in this latter category include Gator (recently renamed Claria), WhenU, and 180Solutions. Other spyware programs include keystroke recorders, screen capture programs, and numerous additional software systems that surreptitiously monitor and/or transmit users’ activities. ~ Benjamin Edelman

What anti-spyware program to use?


There is a huge number of anti-spyware products on the market.  Most are paid software; others are free for personal use with usage limitations.  Visit the Rogue/Suspect Anti-Spyware Products & Web Sites page maintained by Eric L. Howes to find out which anti-spyware is safe to use; it also links to the anti-spyware communities.  Check Dozleng.com Internet Security & Others for lists of free anti-spyware.  Visit Microsoft’s website for more information about spyware and how to prevent it.


If you are in doubt whether an anti-spyware product is safe or recommended, ask on the security-related forums or message boards before installing it.

Classroom & Bootcamp – HijackThis Logs

I joined Bootcamp and Classroom a few weeks ago to learn how to analyze HijackThis logs.


It was fun to learn how to use the HijackThis tool.  It’s something like “hunting for spyware!”.  HijackThis is available to everyone, but some material is available only to Bootcamp and Classroom volunteers.  Yes, we’ve seen online tutorials on how to understand and use HijackThis, but there is more to learn if you join Bootcamp or Classroom.


HijackThis experts and teaching assistants guide everyone on which are the first and most important items to look for while analyzing a HijackThis log, because not all “bad” items can be fixed easily with HijackThis.  Special removal tools are recommended before you let HijackThis fix the system.


My very first serious HijackThis client was at ComputerCops.   To my surprise the client’s system had the Netsky worm even though it had an antivirus program.  I found it after looking closely at his logs.  When he managed to remove the worm, I proceeded to fix his system with the help of HijackThis.  It’s great to help others fix their systems, but there is sadness…


There are users who have more than 10 spyware programs installed on their system.  Browsers were hijacked.  The search engine was replaced without their knowledge.  Lots of unknown executables were added to startup.


Two things that made me sad while analyzing HijackThis logs: the fact that huge numbers of users are missing the latest Windows Service Pack, and the number of systems that aren’t patched :-(  and we all know that an unpatched system is just like leaving your door open.  Some users don’t even run an antivirus program, and because of this I think I’ll bite into more logs to help them fix their systems, and hopefully educate those with unpatched systems to PATCH quickly after we’ve FIXED the system.

Rid the spies!

Spyware – also known as adware or a parasite – is software installed on a system to secretly gather information about the user and relay it to advertisers or other interested parties.  It is usually bundled with software offered as a free program, as shareware or as a website service.


Security issue – spyware runs with all the privileges of the user who installed it.  It can read, write and delete files, download and install other software, and change the user’s preferences.  Some variants can even format the hard drive!


Prevention: 


1.  Go to the Windows Update website.  Make sure that your system is fully patched, and install the latest version offered for your system.  Do not use outdated applications.


2.  Configure your browser properly.  Microsoft has detailed information on how to secure the Internet Explorer browser.



Even if you are not using Internet Explorer, keep it up to date and make sure that all its security patches are installed, because it is integrated with many applications on your system that automatically run Internet Explorer components.  If you use another browser, check the documentation provided by the vendor on how to secure it, and keep it up to date too.


3.  Configure your e-mail client properly.  It’s best to follow these practices with any e-mail program:


  • Disable the preview pane
  • Restrict the processing of scripts by configuring your e-mail program to use the Restricted sites zone (you need to configure Internet Explorer not to run scripts in the Restricted zone, since the mail client follows Internet Explorer’s zone settings when it renders HTML mail)
  • Make sure that your anti-virus program is configured to scan incoming and outgoing messages, including any attachments
  • Do not open unexpected attachments
  • Read all messages in plain text; this stops HTML spam from downloading images that confirm your e-mail address as valid

If you are using Outlook Express, Microsoft published a guide, Using Virus Protection Features in Outlook Express 6.


4.  Block pop-ups.  You can install a third-party application to block pop-ups.   If you are using Internet Explorer, Microsoft has information on how to Prevent Pop-up Ad Windows When Browsing with Internet Explorer.  Note:  the Internet Explorer in Windows XP SP2, due to be released this year, has a built-in pop-up blocker.


5.  Use a firewall.  Install a personal firewall that will block, or alert you to, any malicious or suspicious application trying to communicate to or from your system.  If you are using Windows XP, you can simply enable and configure XP’s built-in firewall.  (Note: the Windows XP firewall only filters incoming connections, so it will not stop spyware that is already on the machine from sending data out.)  There is plenty of firewall software available; this page has a list of free personal firewall software.


6.  Install the following tools:



7.  Use IE-SPYAD, which adds a long list of sites and domains associated with known advertisers, marketers and crapware pushers to the Restricted sites zone of Internet Explorer.   It will:


  • Stop unwanted crapware from being installed behind your back via “drive-by downloads”
  • Prevent the hijacking of your home page and other key Internet Explorer settings
  • Shut down ActiveX, Java and scripting, all of which can be employed to push obnoxious advertising on you and compromise your privacy and security
  • Block cookies, which can be used to monitor and track your travels around the Internet
  • Combat obnoxious script-based pop-ups that clutter your screen and force unwanted advertising on you

You can also use the HOSTS file to block ads, banners, cookies, web bugs and even most hijackers: any host name the file maps to 127.0.0.1 (or 0.0.0.0) never resolves to the real server, so nothing is fetched from it.  A number of individuals and groups offer ready-made HOSTS files.  Three of them are from:
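The two mechanisms above, the Restricted sites zone that IE-SPYAD fills and the HOSTS file, can be fed from the same host list. The Python below is an added example for this page; it is neither IE-SPYAD’s own code nor any published HOSTS file. It takes constructed sample lists, validates the names, writes a marked HOSTS section that a second run replaces instead of duplicating, and emits a .reg file assigning the same names to the Restricted sites zone. The registry layout it writes (ZoneMap\Domains\<domain>\<subdomain>, a DWORD named "*" holding zone id 4) is the one Internet Explorer uses; the sample data, the marker strings and the split of each name into a two-label domain plus subdomain are assumptions of the example.

```python
"""Feed one ad/crapware host list into two IE-era blocking points:
   1. a fenced section of the HOSTS file (names resolved to a sink address), and
   2. a .reg file that assigns the same names to Internet Explorer's Restricted
      sites zone, the registry location IE-SPYAD populates.
The sample lists and the existing HOSTS content below are constructed for this example."""
import re

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost"}  # never redirect these
BEGIN, END = "# BEGIN ad-block list", "# END ad-block list"        # fence markers (assumed)
ZONE_RESTRICTED = 4   # IE zone ids: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

# Constructed sample inputs (reserved .example/.test names, RFC 5737 addresses).
LIST_A = """\
# constructed sample list A, HOSTS style
127.0.0.1 ads.tracker.example
127.0.0.1 banner.adserver.example   # trailing comment
127.0.0.1 localhost
"""
LIST_B = """\
ads.tracker.example
popup.hijack.test
bad host with spaces
not_valid_.example
"""
EXISTING_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
192.0.2.10 intranet.corp.example
# BEGIN ad-block list
0.0.0.0 old.entry.example
# END ad-block list
"""


def parse_blocklist(text):
    """Yield validated host names from a list in '127.0.0.1 host' or bare-host form."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().lower().split()
        if len(parts) == 1:
            host = parts[0]
        elif len(parts) == 2 and parts[0] in ("127.0.0.1", "0.0.0.0"):
            host = parts[1]
        else:
            continue  # blank, comment-only or malformed line
        if host not in NEVER_BLOCK and HOSTNAME_RE.match(host):
            yield host


def collect_hosts(lists):
    """Union of all lists, de-duplicated and sorted so two runs diff cleanly."""
    return sorted({h for text in lists for h in parse_blocklist(text)})


def hosts_section(hosts, sink="0.0.0.0"):
    """HOSTS lines (for %SystemRoot%\\System32\\drivers\\etc\\hosts).  0.0.0.0 fails fast;
    127.0.0.1 makes the browser wait for a refused connection to a local web server."""
    return [BEGIN] + [f"{sink} {h}" for h in hosts] + [END]


def merge_into_hosts(existing, section):
    """Replace a previous fenced section if present; keep everything else verbatim."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines:
        i, j = lines.index(BEGIN), lines.index(END)
        lines = lines[:i] + lines[j + 1:]
    return "\n".join(lines + section) + "\n"


def restricted_zone_reg(hosts):
    """A .reg file placing each host in the Restricted sites zone.
    IE keys hosts as ZoneMap\\Domains\\<domain>\\<subdomain> with a DWORD named '*'
    (all schemes) holding the zone id.  Splitting on the last two labels is an
    assumption of this example; it is wrong for names under co.uk-style suffixes."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for host in hosts:
        labels = host.split(".")
        domain, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        key = f"{ZONEMAP}\\{domain}" + (f"\\{sub}" if sub else "")
        out += [f"[{key}]", f'"*"=dword:{ZONE_RESTRICTED:08x}', ""]
    return "\n".join(out)


if __name__ == "__main__":
    blocked = collect_hosts([LIST_A, LIST_B])
    print(merge_into_hosts(EXISTING_HOSTS, hosts_section(blocked)))
    print(restricted_zone_reg(blocked))
```

The parser drops anything that is not a syntactically valid host name and refuses to touch localhost, which matters because a downloaded list you do not control is itself untrusted input; the fence markers are what let you update the list later without growing the file or losing your own entries.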



Removing Spyware


1.  Go to any of the following sites to check whether your system has spyware:



2.  Download the following free tools:



3.  Run CWShredder.exe (make sure that no browser or other window is open) and click the Fix button.  Restart the computer.


4.  Run Trend Micro’s Damage Cleanup Engine.  Make sure you have read its readme.txt before using it.


5.  Install Microsoft AntiSpyware, Spybot - Search & Destroy and Ad-Aware SE.  Update each program before running a scan, then let them fix what they detect as spyware.  Run the Ad-Aware plug-ins.  Reboot the system between runs.  If a program prompts you to run it again after a restart, do so.


6.  Run Stinger and the avast! Virus Cleaner.  Reboot the system in between.


7.  Visit any of the sites in item #1 again to check whether the system is now clean.


8.  If you suspect that there is still a problem or the system is still acting strangely, create a new folder in C:\ and name it HijackThis.  Download HijackThis and save it in that folder (it keeps its backups next to itself, so do not run it from a temporary folder or the desktop).  Close all open browsers, then run HijackThis.exe.  Click ‘Scan’, then ‘Save Log’, and save the log to your desktop.  Post it on a security forum that offers HijackThis log analysis; the list of recommended forums is on the ASAP page.
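The log helpers on those forums read the saved log top to bottom and look at a few line types first: the R0/R1 start and search page entries, O1 HOSTS-file lines, O4 startup items and O17 DNS settings. As an added example, not part of this post and not HijackThis’s own code, the Python below runs that first pass over constructed log lines written in HijackThis’s line format. The sample lines, the allowlist of expected home pages and DNS servers, and the rules for a suspicious startup path are assumptions of the example; adjust them for the machine in front of you.

```python
"""Triage of a HijackThis-format log: flag the entries a log helper checks first.
The log below is constructed in HijackThis 1.x line format (reserved .test/.example
names, RFC 5737 addresses), not a real capture; the allowlists are per-machine assumptions."""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hijack.test/sp.php?id=31337
O1 - Hosts: 127.0.0.1 ads.adserver.example
O1 - Hosts: 192.0.2.99 windowsupdate.microsoft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\user\Local Settings\Temp\svchost.exe" -s
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B2C3D4}: NameServer = 192.0.2.53
"""

# What this machine's owner expects (assumptions for the example; set per case).
TRUSTED_PAGE_HOSTS = {"www.google.com", "www.msn.com"}
EXPECTED_DNS = {"192.0.2.1"}                       # the router/ISP resolver
# A HOSTS entry for these names, wherever it points, cuts the machine off from patches.
PROTECTED_HOSTS = ("windowsupdate.microsoft.com", "update.microsoft.com")
# Run-key commands launched from here are rarely legitimate.
SUSPICIOUS_PATH_HINTS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")
# Windows system binary names; a copy outside \WINDOWS\ is an impostor.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def _exe_from_command(cmd):
    """Lower-cased executable path of a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.lower()


def triage(log):
    """Return (line code, reason) for each entry worth investigating, in log order."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        if code in ("R0", "R1"):                      # start/search page hijacks
            key, _, url = rest.partition(" = ")
            host = (urlparse(url.strip()).hostname or "").lower()
            if host and host not in TRUSTED_PAGE_HOSTS:
                findings.append((code, f"{key.rsplit(',', 1)[-1]} points at {host}"))
        elif code == "O1":                            # HOSTS file entries
            parts = rest.partition(":")[2].split()
            if len(parts) == 2:
                ip, name = parts[0], parts[1].lower()
                # a block (loopback) of an ad host is fine; a redirect, or any entry for
                # the update servers, is a hijack
                if name.endswith(PROTECTED_HOSTS) or ip not in ("127.0.0.1", "0.0.0.0"):
                    findings.append((code, f"hosts entry {ip} {name}"))
        elif code == "O4":                            # startup (Run key) items
            m4 = O4_RE.match(rest)
            if not m4:
                continue
            exe = _exe_from_command(m4.group("cmd"))
            base = exe.rsplit("\\", 1)[-1]
            in_bad_dir = any(h in exe for h in SUSPICIOUS_PATH_HINTS)
            impostor = base in SYSTEM_NAMES and "\\windows\\" not in exe
            if in_bad_dir or impostor:
                findings.append((code, f"startup item [{m4.group('name')}] runs {exe}"))
        elif code == "O17":                           # TCP/IP NameServer changed
            ip = rest.rsplit("=", 1)[-1].strip()
            if ip not in EXPECTED_DNS:
                findings.append((code, f"DNS server changed to {ip}"))
    return findings


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}")
```

The output is a list of items to investigate, not a fix list: O2 BHOs, O3 toolbars and O16 ActiveX entries are deliberately left alone because judging them needs a CLSID or file-name lookup, which is exactly what the forum helpers provide. Note that an O17 NameServer pointing somewhere unexpected is worth checking even when the browser looks clean, since a changed resolver lets an attacker redirect every site.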


Special cases:


  • If you lose your internet access (you cannot connect although all settings are correct), often because a removed spyware component left the Winsock LSP chain broken, use LSP-Fix.  You can also use Winsock2 Fix (designed for Windows 98, 98SE and ME) or WinsockXPFix (direct download, designed for Windows XP).
  • If you cannot run or use CWShredder, use CWS.SmartKiller.
  • If your browser is hijacked to res://<random>.dll/<random> and/or you see pop-ups when you start your browser, you might want to use About:Buster.
  • If you get an ‘Unexpected error’ about a missing DLL when running CWShredder or HijackThis, you need the Visual Basic Runtime Libraries available from Microsoft.

Important note:  there are other spyware removal tools available from various sites.  Do not use them unless you know what you are doing.  Seek advice from the forums listed at ASAP.org before running other removal tools.


Don’t be fooled by fake Spyware removers!