Recently in Spyware Category

Cookies aren't spyware

I'm not a big fan of spyware tools that insist that tracking cookies are spyware. Sure, you probably don't want them, but they're not nearly as much of a threat as spyware. Webroot Software, makers of anti-spyware software, reckon that the average PC in the UK has 18 instances of spyware on it, and that 55% of all UK computers have a spyware infection. At least, that's the impression this BBC article gives.

But El Reg has another article which goes into the statistics in more detail. Counting all forms of spyware, including tracking cookies, would put each machine at 18 infections. Disregard cookies, and that figure is only 4.5. Still quite high, but not nearly as headline-grabbing.

Really, cookies are not spyware.

No spyware on download.com

Here's some good news: Download.com is no longer listing programs that contain bundled spyware. All programs will now be tested for spyware using a couple of commercial tools (as well as being checked for viruses) and any that fail the tests will not be listed.

This is a very good move. On the one hand, it protects customers by reducing the risk of infection (although they do still wisely recommend that you install your own antispyware protection). But it also sends a message to software developers that spyware is not wanted and that you will have a harder time distributing your product if you include it.

It now means that products like Messenger Plus, Kazaa and Gator eWallet are no longer listed on the site. Others, like Morpheus and iMesh, made changes to their programs to comply with the new rules and so are still listed, sans spyware.

Ben Edelman dedicates quite a bit of his time to investigating spyware - recently Limewire commissioned him to research into what spyware was installed by its competitors' programs (Limewire is now spyware-free).

His latest study looks into the advertisers whose adverts are shown in the spyware application eXact. The advertisers are either directly or indirectly supporting the spyware revenue model - if there were no advertisers willing to use spyware then the problem would go away; the same with popup advertising, although part of that also falls on content producers.

What is worrying is the number of big, reputable companies whose adverts appear in eXact. These include:

  • Air France
  • Apple Computer
  • Cingular
  • Dell
  • Expedia
  • Netflix

It is possible that these companies are not dealing with eXact directly, but that affiliates, who receive commission from each sale, are. Either way, these companies should not be funding malicious software which damages consumers' machines, and if the problem does lie with their affiliates then their affiliate accounts should be terminated. I'm particularly ashamed that Apple is in on this.

Ben also points out that Thomas Cook recently started advertising with Claria, the company formerly known as Gator. Which therefore means that Thomas Cook won't be getting my custom.

Could VeriSign stop spyware?

Ben Edelman explains how VeriSign could stop drive-by spyware. Most 'drive-by' spyware installs using ActiveX in Internet Explorer; however, all ActiveX controls need to be digitally signed for IE to allow them to be installed. As Ed Bott mentions, around 95% of digital certificates are issued by VeriSign, and to use the certificates for spyware-related activity is against their terms of usage.

Therefore, if VeriSign were to reject suspicious applications for digital certificates, and revoke certificates being used improperly, much of the spyware out there right now would be severely crippled. While MS has made lots of improvements to the ActiveX installation prompts it is still possible to use social engineering to get users to install parasitic components - this would stop the dialogs from even appearing. And not everyone can use Windows XP SP2.

Ed has listed contact details of some senior people at VeriSign that you can contact in the hope that they may consider enforcing their terms of usage. This could potentially prevent a lot of spyware from getting installed without users realising.

On a related note, when are we going to have 'signed' extensions for Firefox?

Microsoft Antispyware Beta 1

The first beta of Microsoft's long awaited anti-spyware tool is now available as a free download.

I downloaded it and had a quick play around. Here are my first impressions:

Pros:

  • Very easy to use
  • Simple, attractive interface
  • Catered for both inexperienced and more competent users well, by explaining problems but also including specific details like infected files and registry keys
  • Lots of features, more so than Ad-Aware and on a par with Spybot Search & Destroy
  • Fast

Cons:

  • Interface is a little more complicated than it could be
  • False positives - I got three, one due to an incompatibility with SpywareBlaster, and the other two due to Shareaza which it thought to be parts of eDonkey and Grokster (which both bundle adware).
  • ...not much else, really.

Based on these first impressions, I'd say that I'm very impressed with this beta release. I'm not about to replace Ad-Aware and Spybot with this, rather it'll become a third weapon in my anti-spyware arsenal. Microsoft have a good product here, in my opinion.

My housemate means business

My housemate's computer has got so badly infested with spyware that was beyond the reach of Ad-Aware and Spybot Search & Destroy that he's bought a copy of Spyware Doctor, a shareware application. It seems to have done the trick, and got rid of an especially annoying one that apparently downloaded film trailers and would play them while he was asleep, thus waking him up and wasting our bandwidth.

To put this into context, it's been nearly 10 years since my housemate bought a piece of software that wasn't prebundled with his machine. And this is a machine that has XP SP2 with the firewall turned on and an anti-virus program.

Spyware: the wrong attitude

Via Meredith is this Wired News article about people who don't mind spyware. To summarise, users claim that spyware is either a necessity to allow for free software:

But some users of iMesh didn't seem to be troubled by the actions of Marketscore. Users at iMesh forums chided those who complained, posting messages stating that "without spyware there's no such thing as free software."

Or, the spyware offers features that are useful to them:

"The users knew they had the application on their computers, and they knew exactly what it did," said Mullaney. "They said they'd opted to install it on their computers because they wanted the eWallet application that stores passwords and credit card numbers, entering them into web forms with one click. The users said you have to get the adware if you want the eWallet."

Oh dear. Those arguments would be valid if there were indeed no alternatives, but, alas, there are. Take the first example - putting up with spyware so that one can use iMesh. Why not dump iMesh and use another free P2P client which doesn't contain spyware? eMule and Shareaza are both very good, WinMX is adequate and I've yet to find a spyware-infested BitTorrent client.

And as for programs like Gator, most web browsers will remember details for you and there are programs like Roboform that can do the job too.

No user should have to put up with spyware. If a program insists on installing spyware before you can use it, then it's time to find a new program. There are alternatives out there.

Cheeky spyware

Was de-spyware-ifying a computer today and hit upon 'Windows TaskAd' - a nasty piece of work which Spybot Search & Destroy doesn't yet detect (even with beta detections). Thankfully it is uninstallable, which is fortunate because it has two tasks which work in tandem to stop you from closing it down - a trick that is becoming all too common nowadays (I had a similar problem with WinTools in August which also used a service in XP). The uninstaller was pretty cheeky though - here's something like the 'dialogue' I had with it:

  • Me: *clicks uninstall*
  • TaskAd: Are you sure?
  • Me: Yes.
  • TaskAd: Are you really sure? Uninstalling me could stop some of your programs from working...
  • Me: Yes, I'm sure... (there were no programs installed that rely on it)
  • TaskAd: Uninstalling me will take away targeted adverts that may be of interest to you. Do you still want these adverts?

And this is the cheeky part - you have to click "no" rather than "yes" as before. I'm wondering how many people, having clicked "yes" twice, will click it a third time and then end up not uninstalling the program.

Thankfully the uninstaller did work and remove the thing from the machine. Said machine, which was running Windows XP SP1, has now been upgraded to SP2.

Cool Spybot feature

There's a feature of Spybot Search & Destroy that I've only just noticed but is potentially very useful. To get it to work properly, you must first:

  1. Download the latest updates, in particular the 'Startup entries' update
  2. Go to Mode and enable Advanced Mode
  3. Expand Tools and select System Startup

This will list all programs which run on system startup. If you've done a scan and removal with Spybot, then there shouldn't be any spyware here, but there will be a panel on the right-hand side which tells you what each app does. It's pretty comprehensive - it recognised the apps used for the hotkeys on my keyboard (which alas I need to be able to lower the brightness when on batteries) and some other obscure applications. Disabling a couple of helper apps for my graphics chip, along with Apple's annoying QuickTime applet and Sun's annoying Java updater, led to a saving of around 10MB of memory. Admittedly this machine has 512MB of physical memory plus a swap file so there isn't exactly much of an improvement bar a slightly shorter boot-up time, but on older machines I can imagine there'd be a noticeable boost to performance.

Have a play yourself - you may well improve your system's performance. Though I would create a restore point first as if you disable something important then your system really won't like you.

For some reason the CD for Windows 2000, which I thought was unusable, seemed to work fine when upgrading from 98 to 2000. So the server is now running on W2K and the internet actually works - unfortunately, right now we can't get ICS working so only this computer can use it. File and Print sharing seems to work okay though, for some reason. Never mind, after SP4 was installed and the option was turned back on everything works fine.

Anyway, somehow in the time it took to install SP4 on here, the machine got infected with some kind of spyware which pops up seemingly random adverts every 30 seconds or so. The fact that it happened so quickly is one that I found immensely scary.

In any case, the system is getting the usual treatment, with all the necessary critical updates being installed and a thorough clean with Spybot on the way. But if a system like this can get infected so quickly then something is seriously wrong.

The Dialer Propagator

Yesterday, I posted about a prompt to install a dialer program and how I thought it was caused by a popup shown by Radio Times. It wasn't, and I therefore retract any negative comments I made about the site.

What did cause it was something much more sinister - the WinTools spyware. This is one of the worst kinds of spyware you can have as it's near impossible to remove manually. I used these instructions, which included booting into Safe Mode and then removing its registry entries manually to prevent it from starting up. The program registers itself as a service in Windows 2000 and XP and has 2 executables - if you close one then the other executable starts the program again, so the only way to get rid of it is to stop the program running in the first place. And if you try to remove its startup entries it just recreates them. So Safe Mode, where the program is never started, is the only way to get rid of it. While I can cope with removing this sort of thing myself, it is well beyond the capabilities of the average user.

This sort of program really goes beyond being spyware. In my mind, the way it prevents the user from removing it from their own computer makes this a virus. And that should be illegal.
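
The two-executable behaviour described in this post (and the pair of tasks in the TaskAd post earlier on this page) leaves a recognisable pattern in process start/exit records: each process is restarted by the other within seconds of exiting. The following is an added example, not part of the original post; the event format, the executable names and the five-second window are constructed assumptions.

```python
"""Flag pairs of processes that restart each other (mutual watchdogs)."""
from collections import defaultdict

# Constructed sample events, not taken from a real infection:
# (seconds since boot, action, image name, parent image or None for exits).
EVENTS = [
    (0.0, "start", "guard_a.exe", "services.exe"),
    (0.5, "start", "guard_b.exe", "guard_a.exe"),
    (10.0, "start", "notepad.exe", "explorer.exe"),
    (20.0, "start", "helper.exe", "launcher.exe"),
    (60.0, "exit", "guard_b.exe", None),
    (61.2, "start", "guard_b.exe", "guard_a.exe"),    # A brings B back
    (90.0, "exit", "guard_a.exe", None),
    (90.8, "start", "guard_a.exe", "guard_b.exe"),    # B brings A back
    (100.0, "exit", "helper.exe", None),
    (101.0, "start", "helper.exe", "launcher.exe"),   # one-way restart only
    (120.0, "exit", "notepad.exe", None),
    (300.0, "start", "notepad.exe", "explorer.exe"),  # user reopened it later
]


def find_respawns(events, window=5.0):
    """Return {(parent, child): count} for images restarted within
    `window` seconds of their most recent exit."""
    last_exit = {}
    respawns = defaultdict(int)
    for ts, action, image, parent in sorted(events, key=lambda e: e[0]):
        if action == "exit":
            last_exit[image] = ts
        elif action == "start":
            exited = last_exit.pop(image, None)
            if exited is not None and ts - exited <= window:
                respawns[(parent, image)] += 1
    return dict(respawns)


def mutual_watchdogs(respawns):
    """Return sorted pairs of images where each one restarted the other."""
    pairs = set()
    for parent, child in respawns:
        if parent != child and (child, parent) in respawns:
            pairs.add(tuple(sorted((parent, child))))
    return sorted(pairs)


if __name__ == "__main__":
    found = find_respawns(EVENTS)
    for (parent, child), count in sorted(found.items()):
        print(f"{parent} restarted {child} {count} time(s)")
    for a, b in mutual_watchdogs(found):
        print(f"mutual watchdog pair: {a} <-> {b}")
```

A one-way restart (a launcher reviving its helper) is common in legitimate software; it is the two-way pattern that matches the behaviour described above.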

Diabolical Dialer

[Image: screenshot of a dialer program trying to install itself]

Today I had probably my first run-in with a dialer. These are programs which either ask to be installed as an ActiveX control, or just forcibly install themselves using flaws in Internet Explorer. Once installed, they silence your modem's speaker, disconnect you and then redial to another number, which is usually premium rate and often offshore too. Often, the first someone knows about them is when their phone bill arrives at the end of the month.

This happened on a housemate's computer - I've managed to avoid them myself because I've always been security-conscious, and having not used IE as my main browser for the best part of two years must have helped too.

The scary thing is that I'm unsure what specifically triggered it - I fired up IE and then navigated to Windows Update, and then it appeared. KaZaA Lite K++ was running in the background. The machine had all but the most recent critical updates (automatic updates had been turned on) and was only lacking a few 'recommended' and driver updates. In any case, I'll be running the 'usual suspects' (Ad-Aware, Spybot S&D and latterly SpywareBlaster) over it.

Update: According to ICSTIS, the UK premium rate watchdog, the company running that number is under investigation for possible breaking of the industry code of conduct. Hmmm.

What was worse is that when you clicked No, it popped up a JavaScript alert that told you to click 'Yes', then reopened the dialog. There was no way to get rid of the dialog short of closing IE or clicking 'Yes' and installing the program. Thankfully, Windows XP SP2 fixes this. And in any case, the modem isn't attached to a phone line other than through an ADSL modem so it wouldn't have made any difference.

On a related note, if any of you are running Windows XP, please turn on Automatic Updates. Service Pack 2 is coming soon (finally!) and by switching this on you will be guaranteed to get it when it comes out.

Infestation

My housemate brought home a laptop from someone he works with, asking if I could remove the Sasser worm from it. Well, it turns out Sasser worm wasn't on there - MS's tool turned up blank, but IE was crashing regularly and strange toolbars had appeared.

Since this wasn't my laptop, rather than setting it up for our network I burned a CD with Spybot, Ad-Aware, SpywareBlaster, CWShredder and HijackThis, along with the latest Ad-Aware reference file. I ran Ad-Aware first because it had the most recent definitions and it found... wait for it... 785 suspect items. Now while a number of those were cookies, it's still the worst spyware infestation I've seen. No wonder IE was crashing so much.

Spybot S&D found a further 70 items, again mostly cookies but also a BHO that Ad-Aware missed. I'll also run CWShredder and HijackThis to be fully sure.

I'm still unsure about one thing though. The machine had Kazaa, and I'll have removed the spyware that kept it running. So, do I:

  1. Uninstall it, and say that it's evil and that he should try something else
  2. Uninstall it and replace it with Kazaa lite
  3. Reinstall it

Your thoughts please.

Scan your PC for spyware. NOW.

While I've heard about the spyware problem getting gradually worse over time, I was still surprised and somewhat shocked by the news that the average computer has 28 items of spyware on it (also at The Register). This weekend, I want everyone who reads this to do the following:

  1. Download Ad-Aware or Spybot Search & Destroy if you haven't already.
  2. Update it with the latest detections.
  3. Do a full scan of all of your systems.
  4. Go to Windows Update and download and install all of the critical updates for your computer (although note that there may be issues with the latest patch under Windows 2000)
  5. Update your virus scanner and do a full scan. What do you mean you don't have one?!? Get one! They're free!
  6. Visit Microsoft's Protect Your PC portal to find out any more information.

Messenger Plus - don't bother

According to Andy, the latest MSN Messenger Plus! has spyware. And, according to SpywareInfo.com, it is the Lop.com component, which is one of the most difficult to detect and remove. As such, I now withdraw my recommendation for this product and will alter all pages on this site which promote it to reflect this.

I'm sorry, but I cannot endorse programs which take over people's computers and invade their privacy like this.

Why Gator sucks

Anyone who has used the internet for any amount of time will have probably encountered Gator. Some of you will also know that Gator is a spyware app, and is hated by many due to its apparent ability to install itself without your permission. But why is it really so evil?

The UK magazine PC Plus has come up with an article explaining just what this parasite does and why it's bad. Some of the reasons are not directly obvious either, but make sense. It has the potential to be a very serious security threat, if you allow it to remember things like your credit card details or your bank account, for example.

I've never had Gator on any of my computers, mainly because I don't need it (systems like IE's AutoComplete or Mozilla's Form Manager work well enough for me), but also because I don't want my personal data being made available to some faceless corporation in another country (where data protection laws aren't so strict), or worse to some virus writer or script kiddy who decided it'd be fun to upload a trojan to my machine.

Note: to remove Gator from your system, use Spybot S&D. It will also help you protect your computer from being 'infected' in future.

Spybot S&D - Take Two

[Image: Spybot S&D screenshot]

Over the Christmas break, SpywareInfo caused a storm when it suddenly advised against using Ad-Aware to remove spyware. Most people, including me, switched to Spybot Search & Destroy.

While I was impressed with the range of options, its speed and the wide range of issues it brought up, when I first tried to clean my system with it, back in December, it crashed. So today, I decided to give it a second chance.

Don't use Ad-Aware

Many of you will (hopefully) be using Lavasoft Ad-Aware to remove spyware from your computer. Well, you may wish to change.

SpywareInfo.com have published a newsletter article encouraging people to switch to a different utility, due to the arrogant attitudes of Lavasoft staff, the fact that no updates have been made in over 3 months and that the next version is nearly a month late.

The article does offer alternatives, including the free Spybot S&D, which is what I'm about to start using. An update for this was only released a few days ago, so it's still current.

More reasons to avoid P2P

I'm a WinMX user, and I'm generally pleased with the program. I'm surprised more people don't use it.

Its biggest selling point, for me, is a lack of spyware (despite what has been claimed on the LavaSoft Boards, notice the lack of replies). According to SlashDot, KaZaA, Morpheus and LimeWire are now hijacking affiliate links to Amazon (and other sites), so that the commission from the purchase goes to the program makers instead of the site which provided the link.

As the SlashDot article points out, this means that you could be browsing the site of a charity, which then asks you to buy something to help support them. You think the money's going to them, but no. Instead, it's lining the pockets of a P2P software developer.

The worst bit? Merely uninstalling the P2P program does not remove the piece of malware responsible for munging the affiliate links - that remains on your computer.

Although Ad-Aware has just been updated I don't know whether it removes this evil component, so I suggest that if you use KaZaA, either don't upgrade or monitor your system very carefully.

(also covered by New York Times and International Herald Tribune)

Removing the spyware removers

Someone on the ODP forum pointed me to this SlashDot article. Spyware is bad enough, but now we have spyware that disables the programs that you can use to remove spyware - namely Ad-Aware. The maker of the program even had the cheek to reply, justifying his company's decision. I replied too.

About this blog

This is the blog of Neil Turner, a computing graduate in his mid-twenties living and working in Yorkshire, England. He is a Mac user, and interested in open source software, new media and internet culture. He also occasionally speaks in the third person, like in this paragraph.

You can also follow him on Twitter.

About this Archive

This page is an archive of recent entries in the Spyware category.
