Spyware: How it Works? Anton Chuvakin, Ph.D.

Spyware is a new strand of malicious software (or malware), annoying and robbing the computer users all over the world. This article deals with this threat.

Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful for to my readers, please keep in mind that is was possibly written years ago. Also, keep in mind that some of the URL might have gone 404, please Google around.
“Spyware”: so many spies, so little time! In fact, even the definition of this computer scourge is extremely fuzzy. So, what is spyware? The best definition out there is given by Wikipedia: “Spyware is a broad category of malicious software intended to intercept or take partial control of a computer's operation without the user's informed consent.” Thus, spyware come to mean not only the “software that spies on you”, but also the one that performs other kinds of abuses and annoyances, outside the traditional virus and worm world. For example, displaying unwanted ads is a primary purpose of “adware”, which is often categorized as a type of spyware. In fact, some people even extend the definition to cover browser cookies, a relatively innocuous pieces of text used by websites for user tracking. One angle missed by the above definition is that while folks are known to launch viruses “just for fun”, spyware is usually written for somebody’s direct monetary benefit, often in the form of good old cash. This aspect might hold a key to such dramatic rise of spyware. Spyware emerged in recent years to “entertain” the computer users (isn’t it just about everybody, nowadays?) in addition to viruses and worms, two well-known types of computer “nasties”. Such emergence coincided with a sea change in the world of mainstream computer attackers that shifted their focus from “having fun at somebody else’s expense” to “making money at somebody else’s expense”. Spyware, along with spam, “phishing” (email “social engineering” attacks aimed to stealing credentials) and “pharming” (DNS attacks aimed at attracting users to malicious websites), is one of the most noticeable computer threats of the day. We did say “the most noticeable”, although spyware is often engineered to be hard to find, hard to notice, hard to pay attention to (e.g. hidden in a lengthy license) and, obviously, hard to remove. Thus, spyware evolved in the same timeframe with e-commerce and online banking. As business use of the Internet was growing up, so was the “business abuse”. How Spyware Works {HEADING} The world of spyware is extremely broad and the mechanism of its operation can range from mundane social engineering ruse by means of a lengthy license (along the lines of “bla-bla-bla-bla for 3 pages followed by … and we will also steal your cookies and browser history for ‘marketing purposes’ or whatever we consider to be it”) to a “zero-day” (i.e. previously unpublished) exploits launched against the victim’s Internet Explorer by malicious or compromised websites. Here are some of the commonly identified types of spyware:


Browser objects (IE hacks, ActiveX controls, malicious toolbars, etc) Bots and rootkits (allow others to control your system remotely) Keyloggers (record your keystrokes looking for sensitive info) Bundled parasite software (miscellaneous nuisance) Adware (run on the system or in the browser and display advertisements)

Let’s look at some common spyware specimen. As reported by commercial anti-spyware company Sunbelt software (http://research.sunbelt-software.com/index.cfm) those spyware programs were common in September 2005: Claria.DashBar, AvenueMedia.DyFuCA, IST.SlotchBar, ABetterInternet, IST.ISTbar and others. Most of the above are “adware” specimen (they display ads which can potentially generate revenue for the software creator) and do not spy on the victim, but others (such as IST.ISTbar malicious browser toolbar, which actually collects web usage information and may install other, more harmful spyware on the user’s system) How Spyware Spreads {SUBHEADING} There are many mechanisms for spreading spyware, employed by their creators. Some common methods are: 1. Installed by other spyware (unlike viruses and worms, spyware rarely treads alone; some machines analyzed by the anti-spyware vendors were found to have hundreds of spyware specimen) 2. Installed by malicious web sites through flaws in Internet Explorer (so calle ‘drive-by downloads”) 3. Bundled with “free” or sponsored applications (unfortunately, with permission of the application creators) Below we cover some of the things all computer users should do to lower the risk of “catching spyware”. Spyware’s Impact on Your PC {SUBHEADING} Overall, what can spyware do on your system? For that, we will refer to “Microsoft 10 Immutable Laws of Security” http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx While it might be ironic, that such laws are formulated by the makers of the most common spyware platform – Windows, they do provide vital insight into security. In this case, law #1 proclaims: “If a bad guy can persuade you to run his program on your computer, it's not your computer anymore”. Thus, the above question becomes “what can spyware do on their machine?” The answer to this one is really easy: everything that its creator wants. Common changes due to spyware include registry changes, browser configuration and settings modification, new program installation, as well as using your system for whatever else needed. In other words, spyware, when installed and running, can do everything you can do on your system (and sometimes more). Thus, the direct damage suffered by you might be: Loss Direct financial loss Types of spyware Keylogger Scenario Somebody steals your online banking passwords and transfers the money to his account abroad A machine running dozens or more types of spyware will

Slow system performance


Display unwanted content

Browser objects, other

Loss of privacy

Browser plug-ins

slow down to a crawl A website can install a malicious toolbar that will show popup ads and objectionable web content All web personal history collected and potentially exposed

Protecting Yourself {HEADING} Now that the evils of spyware are understood, let’s use the well-known security mantra “prevention/detection/response” to focus on what you can do to:

• • •

Prevent spyware from happening to you Detect that it might be sneaking by the defenses After it happens anyway, respond by cleaning your systems

First, while many hope that an antivirus solution will take care of spyware, the answer is a resounding “no”. This anti-spyware and anti-virus software review http://www.pcmag.com/article2/0,1759,1829282,00.asp indicates that anti-virus solutions still do not do a good job in fending off hordes of spies, compared by the standalone anti-spy defenses. Many anti-spyware products (both freeware and commercial) have feature to block (prevention), scan for (detection) and remove the offending program (response) Fortunately though, there are several simple things every computer user should do to lower the risk of spyware infection (prevention measures in the above classification): 1. Keep their Windows systems up-to-date by using Microsoft Update (http://update.microsoft.com), which will update both your Windows and MS Office software. Installing Windows XP SP2 (Service Pack) is also important. 2. Restrict some of the Internet Explorer settings (refer to Google for the tips) or use Firefox, which significantly decreases the chance of spyware infestation Here are some of the important settings to tweak: block popups using Windows XP SP2 popup blocker or other solution , limit or block ActiveX controls, limit file downloads via the IE settings panel 3. Use anti-virus and anti-spyware tools; and frequently update them using their own automated update mechanism The best free programs to use are Spybot Search and Destroy (http://www.safer-networking.org/en/download/), Adaware (http://www.lavasoftusa.com/software/adaware) and Windows Anti-Spyware (http://www.microsoft.com/athome/security/spyware/software/default.mspx, to be renamed as Windows Defender later this year). Most anti-virus vendors, such as Symantec, McAfee, Trendmicro are launching their own anti-spyware solutions. However, standalone antispyware companies, such as Webroot (www.webroot.com) and Sunbelt Software (www.sunbelt-software.com) still outperform them. Also, make sure that you not only run the anti-spyware software, but also use it to perform spyware scans on a periodic basis, just like you do with an anti-virus software. 4. While many reviews of commercial anti-spyware products exist 5. Use a personal firewall with outbound protection; it might notify you when the spyware that sneaked in tries to “extrude” the stolen information to its “mothership” It is important to note that at the time of this writing Windows built-in Firewall doesn’t offer this protection and other free (such as ZoneAlarm from CheckjPoint) or paid (such as Norton or McAfee) software solutions need to be used

6. Only use software obtained from trusted sources. For those needing a more specific
suggestion, downloading from a random site from the Internet or receiving it from a “friend” you just met online does not count as such. If you see your system acting suspiciously, you need to confirm that spyware is the factor to blame. Since there are so many parts of the system that can be modified by spyware, the best way for users to detect spyware is to run free anti-spyware tools mentioned above. For better results run multiple tools, since recent tool surveys indicated that no commercial or free tool will detect all spyware specimen. Some of the tools will also attempts to clean spyware traces, which brings us to the next item: response to spyware infections. As far as responding to a spyware infection, the only guaranteed 100% effective measure a user can take is to rebuild a system. Only this will guarantee removal of all traces of malicious software from a system. On a typical Windows system there are numerous places where a piece of malicious code might reside. In a more real-world situation where that is not possible or not desirable to rebuild the entire systems, try looking for spyware removal tools, sometime published by anti-spyware and anti-virus vendors. All of the above anti-spyware solutions provide this functionality and will clean the spyware traces with varying degrees of efficiency (often depending on the type of a malicious program). Same applies to the anti-virus tools with anti-spyware defenses. However, note that the latter category is more likely to leave the risk alone and just warn the user about its presense. Microsoft, that now is one of the anti-spyware vendors due to recent acquisition, often publishes standalone removal tools for various malware. We Microsoft's Malicious Software Removal Tool(see http://www.microsoft.com/security/malwareremove/default.mspx for details) that is updated monthly can be downloaded to your system via Automatic Updates or the above link. It can be run online from the above link (via an ActiveX control). Removing the complicated spyware, such as a driver-based keylogger, manually will often render the system inoperable and should only be undertaken by those intimately familiar with their system internals. On the other hand, instructions for removing simpler specimen, such as adware, are often published online and can be followed by anybody who maintains their own PC. To conclude, we will try to peak in our crystal ball, a necessary tool for an enlightened security professional. What's next for spyware? Will spyware bother us for years to come? It sure looks likely; there is no reason why the spyware creators will stop since – guess what – it pays there bills and there is no clear way to make such practices “prohibitively expensive” for its evil creators…

This is an updated author bio, added to the paper at the time of reposting in 2011. Dr. Anton Chuvakin (www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. Anton leads his security consulting practice www.securitywarriorconsulting.com, focusing on logging, SIEM, security strategy and compliance for security vendors and Fortune 500 organizations. He is an author of books "Security Warrior" and "PCI Compliance" (www.pcicompliancebook.info) and a contributor to "Know Your Enemy II", "Information Security Management Handbook"; and now working on a book about system logs. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS,

security management (see list www.info-secure.org). His blog www.securitywarrior.org is one of the most popular in the industry. In addition, Anton teaches classes (including his own SANS class on log management) and presents at many security conferences across the world; he recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on advisory boards of several security start-ups. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer: Get 4 months of Scribd and The New York Times for just $1.87 per week!

Master Your Semester with a Special Offer from Scribd & The New York Times