Introduction
Along with viruses, one of the biggest threats to
computer users on the Internet today is malware. It can hijack your
browser, redirect your search attempts, serve up nasty pop-up ads,
track what web sites you visit, and generally screw things up.
Malware programs are usually poorly programmed and can cause your
computer to become unbearably slow and unstable in addition to all
the other havoc they wreak.
Many of them will reinstall themselves even after
you think you have removed them, or hide themselves deep within
Windows, making them very difficult to clean. This guide will detail
the different varieties of malware along with basic preventive
measures. We will examine the removal process and review a set of
spyware removers. Although also considered to be malware, programs
such as viruses, worms, trojans, and everything else generally
detected by anti-virus software will not be discussed here, and the
use of the word malware will only explicitly refer to software that
fits in the categories listed below.
You can get infected by malware in several ways.
Malware often comes bundled with other programs (Kazaa, iMesh, and
other file sharing programs seem to be the biggest bundlers). These
malware programs usually pop-up ads, sending revenue from the ads to
the program's authors. Others are installed from websites,
pretending to be software needed to view the website. Still others,
most notably some of the CoolWebSearch variants, install themselves
through holes in Internet Explorer like a virus would, requiring you
to do nothing but visit the wrong web page to get infected.
The vast majority, however, must be installed by
the user. Unfortunately, getting infected with malware is usually
much easier than getting rid of it, and once you get malware on your
computer it tends to multiply.
Will anti-virus programs protect against malware?
Anti-virus companies are only beginning to pay
attention to malware. Aside from some of the latest versions (many
include the malware scanner in the Internet security portion of
their suites), most anti-virus programs have little to no
protection. Those anti-virus programs that do protect are generally
not as thorough as a dedicated malware remover. However, some
especially virulent malware that malware scanners may miss will be
removed by anti-virus programs, so it is generally a good idea to
run a virus scan as well. Some of the anti-virus vendors' delay may
be caused by worries they will get sued if they start labeling
programs spyware, adware, etc., which has already happened.
For example, a case was brought against Dell, which had tried to help
customers remove infections from their machines by recommending
removal software; the argument was that doing so was illegal, since
malware is copyright protected once inside a machine because the user
'deceptively' acknowledged the install.
Types of malware
Although there is no official breakdown, malware
can be divided into several broad categories: adware,
spyware, hijackers, toolbars, and dialers. Many, if not most, malware
programs will fit into more than one category. It is very common for
people to use the words adware, spyware, and malware
interchangeably. Most products that call themselves spyware or
adware removers will actually remove all types of malware.
Adware
Adware is the class of programs that place advertisements on your
screen. These may be in the form of pop-ups, pop-unders,
advertisements embedded in programs, advertisements placed on top of
ads in web sites, or any other way the authors can think of showing
you an ad. The pop-ups generally will not be stopped by pop-up
stoppers, and often are not dependent on your having Internet
Explorer open. They may show up when you are playing a game, writing
a document, listening to music, or anything else. Should you be
surfing, the advertisements will often be related to the web page
you are viewing.
Spyware
Programs classified as spyware send information about you and
your computer to somebody else. Some spyware simply relays the
addresses of sites you visit or terms you search for to a server
somewhere. Others may send back information you type into forms in
Internet Explorer or the names of files you download. Still others
search your hard drive and report back what programs you have
installed, contents of your e-mail client's address book (usually to
be sold to spammers), or any other information about or on your
computer – things such as your name, browser history, login names
and passwords, credit card numbers, and your phone number and
address.
Spyware often works in conjunction with toolbars.
It may also use a program that is always running in the background
to collect data, or it may integrate itself into Internet Explorer,
allowing it to run undetected whenever Internet Explorer is open.
Hijackers
Hijackers take control of various parts of your web browser,
including your home page, search pages, and search bar. They may
also redirect you to certain sites should you mistype an address or
prevent you from going to a website they would rather you not, such
as sites that combat malware. Some will even redirect you to their
own search engine when you attempt a search. Hijackers almost
exclusively target Internet Explorer.
Toolbars
Toolbars plug into Internet Explorer and provide additional
functionality such as search forms or pop-up blockers. The Google
and Yahoo! toolbars are probably the most common legitimate
examples, and malware toolbars often attempt to emulate their
functionality and look. Malware toolbars almost always include
characteristics of the other malware categories, which is usually
what gets them classified as malware. Any toolbar that is installed
through underhanded means falls into the category of malware.
Dialers
Dialers are programs that set up your modem connection to
connect to a 1-900 number. This provides the number's owner with
revenue while leaving you with a large phone bill. There are some
legitimate uses for dialers, such as for people who do not have
access to credit cards. Most dialers, however, are installed quietly
and attempt to do their dirty work without being detected.
Examples of malware
GAIN
One of the
oldest and best known examples of malware is from the company Claria,
which changed its name from Gator in 2003. Unlike most malware
creators, Claria is a legitimate corporation with several big name
advertisers and offices in both the United States and Europe. Claria
is the maker of Gator Advertising and Information Network Publishing
(or just GAIN), which actually consists of two programs that run in
the background and work together. One program pops up ads while the
other collects personal information. GAIN is typically bundled with
other programs, including several published by Claria.
As far as malware is concerned, GAIN at first
glance looks to be a well-behaved program. As can be seen in the above
examples, GAIN ads are usually clearly marked as such. Also
included with GAIN is a utility that will display which program or
programs it was bundled with, and thus require its presence, as
shown below.
Unfortunately, GAIN does not come with an
uninstaller of its own. One must use the uninstaller used by the
program GAIN came bundled with and hope it does a thorough job.
A closer look at GAIN reveals more troubling
features of the program. The first trouble signs come from the GAIN
Privacy Statement (the privacy statement from the latest GAIN
version, 6.0, is used here). From the privacy policy, we learn GAIN
is doing a bit more than simply serving ads. These other functions
cause GAIN to cross categories and also fall into the realm of
spyware.
From the statement, we learn that Claria likely
is not only getting money from advertisements, but they are also
gathering information that they can then sell to other entities.
Claria also anonymously collects information it finds on the user's
computer, including their zip code, first name, software that is
installed, even what password they use for eWallet, a program Claria
distributes. They do not stop there, however.
We also associate the anonymous information we collect
with a particular computer through a randomly generated
anonymous ID number
In short, Claria maintains a database with
profiles of each machine on which GAIN has been installed. Each
profile has all the information mentioned before, along with
anything they can infer from that data. Claria doesn't simply store
this information away, but also shares some of it with third
parties:
We share certain anonymous information we collect in
aggregated form with some of our partners and prospective
partners... Our partners may use this anonymous aggregated
information to improve their services, and may, in some cases,
share this anonymous aggregated information with third parties
such as their customers.
Keep in mind that, as intrusive as Claria's data
collection policies may sound, Claria is still a corporation with a
public image to worry about. It is an easy target for lawsuits
should Claria attempt something that goes against their user
agreements (whether such agreements are legally binding is largely
untested).
The larger problem is that the vast majority
of spyware programs are created by groups or individuals who will
have no problem stealing whatever data they can from you, and they
will not keep it anonymous or private. Most spyware creators
do not have a valid website, much less any sort of user agreement or
privacy statement they are obliged to keep.
webHancer
webHancer is a spyware application that is
commonly bundled with other programs. Upon installation, it starts a
program that runs in the background. This program, according to
webHancer's Privacy Policy, collects details of your surfing, such as
the URL, page size, page load time, page completion state, and network
delay time of the sites you visit. Looking at their products page, it
is obvious they are going to sell the information gathered to other
entities, as they attempt to answer questions like "What other sites
are my customers visiting? Before? After? Where are they buying?"
webHancer claims to have their program installed on millions of
desktops, and it's likely that most of those running the program have
no idea what it's doing.

While browsing the Internet for several minutes
with Kerio Personal Firewall installed (we'll discuss firewalls
later), I was constantly being alerted that webHancer was attempting
to access the Internet, always while a page was loading or
immediately after it was finished loading. This didn't happen on
every page, and there did not seem to be any real relationship
between what web site I was viewing and when webHancer would attempt
to connect (it went crazy while I was loading Slashdot, for example,
but was quiet when I went to Ars).
Because of its deep hooks into Windows, webHancer
has been known to leave the computer without working networking
after being uninstalled (to fix this, the company suggests
installing and uninstalling webHancer again) and may cause errors in
other programs.
ISTBar
ISTBar is a combination toolbar and hijacker. It
installs a toolbar with search functions provided by slotch.com, a
web portal. The toolbar also has links to various web sites and a
list of "TopSearches," which include such classic keywords as
"Britney Spears," "Blackjack," and "Loans." ISTBar also sets your
home page to www.slotch.com (which is infested with pop-up ads) and
adds its own search sidebar to replace the default one.
ISTBar includes the ability to download and
install other software. Among the processes started by ISTBar is a
hijacker that redirects you to internet-optimizer.com when you enter
a bad URL. This sends the link you attempted to retrieve to
internet-optimizer.com in the process.
More malware
searchWWW
searchWWW is a malware program that is installed
by the widely-used cjb.net redirection service. As a bonus,
searchWWW has a hijacker component as well as adware. The adware
portion, once installed, will occasionally pop up ad windows. If we
let the program run for a while, a collection of different popups
will appear, including one that correctly warns that "AdWare" and "SpyWare"
are installed on the computer.
In terms of adware, searchWWW is fairly benign.
Many other adware programs are much more aggressive in popping up
windows and embed themselves much deeper into Windows.
The searchWWW malware also has a hijacker
component. Upon being installed, it changes both your Internet
Explorer home page and the search bar. Your home page is changed to
http://www.searchwww.com, and your search sidebar altered as well.
Instead of the default, you get a rather minimalistic replacement
that uses searchWWW.com's very poor engine.
HuntBar/WinTools
HuntBar looks like a fairly typical toolbar.
After installation, a toolbar appears with the usual staples: a
search box, pop-up blocker, word highlighter, and even skin support.
Many of its functions work through websearch.com, which gets its
results from other sites. For example, web search results come from
Yahoo, only with a dozen sponsored links above the results, while
the maps come from Mapquest.
HuntBar also hijacks the search bar. This also
uses websearch.com. The full address of every site you visit is sent
to the server, along with a unique ID, adding a spyware component to
Huntbar. The toolbar can also install updates or any other code the
server may send it.
What makes HuntBar especially difficult to remove
is that, along with the toolbar, three processes are installed, one
of which is a service. Should you attempt to remove any part of
HuntBar, these processes will simply replace the files or reset the
settings. They will also restart each other should one of them be
killed.
AccessPlugin
AccessPlugin is a somewhat legitimate dialer, as
it actually needs you to set it up. However, nowhere on the web site
it was downloaded from was there any mention of what this program
actually does, only that it would allow you to view the site. In the
terms and conditions pictured below you can see it mentions it costs
$49.95 for a month. It would be very simple for someone to miss
that, as most people do not read the fine print.
I decided not to let it try and continue as I did
not have a modem (and if I did, I wouldn't want to risk getting a
hefty bill).
Most dialers will come from adult web sites and
will advertise themselves as having to be downloaded in order to
access a certain site, or as a "viewer." However, the install
process does not give any warning of the program's true
functionality, and they will often attempt to dial as soon as
possible. Dialers are often detectable only by looking for the
running process.
Windows Messenger Service
Although not a program downloaded to your
computer and thus not really considered adware, Windows Messenger
Service can be an annoyance easily dealt with. Some people may have
noticed text messages popping up on their displays trying to sell
something (often a program that will stop the messages from popping
up). These may appear any number of times a day.
Such messages come through a little known part of
Windows called the Messenger Service. This is not the same as the
instant messaging (IM) program. The vast majority of users do not
need this on.
Turning it off is rather straightforward: if
you're running Windows 2000, go to Control Panel >> Administrative
Tools >> Services. Scroll down and highlight "Messenger."
Right-click the highlighted line, select "Properties," and click the
"STOP" button. Then select "Disable" or "Manual" in the Startup Type
scroll bar. Click OK and you're all set.
For Windows XP Home: Control Panel >> Performance
and Maintenance, then click Administrative Tools. Double click
"Services," scroll down and highlight "Messenger." Then right-click
the highlighted line, choose "Properties," and click the "Stop"
button. Similar to 2000, Select "Disable" or "Manual" in the Startup
Type scroll bar, click OK, and you're done. The process for XP Pro
is identical except that you go straight to "Administrative Tools"
from the Control Panel. Windows Messenger Service is now disabled by
default with Windows XP SP2.
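The same change can be scripted rather than clicked through. This is an added example, not part of the original article; it assumes an elevated PowerShell prompt and uses the service's internal name, Messenger, which is the name the Services list shows.

```powershell
# Added example (not from the article): stop and disable the Messenger
# service, the scripted equivalent of the Services snap-in steps above.
# Assumes an elevated prompt. cmd.exe equivalent: sc config Messenger start= disabled
$name = 'Messenger'

$svc = Get-Service -Name $name -ErrorAction SilentlyContinue
if (-not $svc) {
    # The service only exists on Windows 2000/XP/2003; later versions dropped it.
    Write-Host "Service '$name' is not present on this system; nothing to do."
    return
}

# Same as clicking "Stop" in the service's Properties dialog.
if ($svc.Status -eq 'Running') {
    Stop-Service -Name $name -Force
}

# Same as choosing "Disabled" in the Startup type list (use Manual if you
# prefer the article's other option).
Set-Service -Name $name -StartupType Disabled

# Verify: read the state and start mode back through WMI so the result is
# checked independently of the cmdlets that set it.
Get-WmiObject -Class Win32_Service -Filter "Name='$name'" |
    Select-Object Name, State, StartMode
```

Expected verification output is State = Stopped and StartMode = Disabled; if StartMode still reads Auto, the prompt was not elevated.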
The importance of a clean machine
Keeping your computer clean of malware is important for several
reasons.
First and foremost, malware programs are a
security risk. One can never be certain what information these
programs are collecting about you from your computer. They
potentially could have your name, physical address, e-mail address,
credit card number, web site history, passwords, and any other
information you have on your PC. The malware authors could use the
information themselves or pass it on to others.
Second, malware programs are usually poorly
written. They may be unstable, use up the majority of your PC's
resources, or simply slow the computer to a crawl. If you have
several malware programs installed, they will often conflict with
each other and cause even more problems. Even the fastest computer
can be brought to its knees with only a handful of malware programs
installed.
Third, any sort of adware will bombard you with
advertisements. In addition to the familiar pop-ups and pop-unders,
some adware will replace ads on a web site with their own. You do
not even need to be surfing the 'Net to get pop-ups, as they will
show up at any random time. They often contain adult content,
advertise questionable products (including rogue malware removers),
or link to scams and other questionable sites.
As mentioned before, malware programs are usually
very poorly written and are thus likely to have security holes on
top of their "features" which can report your personal information
to the authors. Such holes could allow unauthorized access to your
system.
Many malware programs also have the ability to
update themselves, which not only means they can add new — possibly
more dangerous — functionality any time, they can also run any other
code sent to them by the author (or if there is poor security,
anybody).
Malware prevention
The easiest way to deal with malware is to not get it in the
first place. A little bit of common sense helps, but experience goes
a lot farther. Experienced computer users, like it or not, hopefully
possess the common sense that will let them avert potential
disasters.
This edge can be acquired. The distinction is largely one of
attitude, one which for lack of a better term I'll call "skeptical
computing." We can examine this attitude and see how it reacts to
common sources of trouble.
Skeptical computing breaks down into two parts. The first is
having a minimum level of expectations for the working state of
your computer. Operating systems for personal computers are
extremely stable and reliable. Computers are no longer the
cantankerous contraptions they were with Windows 9x or earlier
versions of Mac OS. It's not acceptable to have a computer that runs
at a snail's pace with advertisements flying up left and right. If
things aren't working as they should, you can find a fix, whether
through Google, anonymous forums, or your friendly neighborhood guru.
The second component of skeptical computing is maintaining a
skeptical attitude while browsing the internet. If something looks
too good to be true, it probably is. Any "hot deals" had better come
from a trusted source. If a warning starts flashing on your
computer, look closely to see if it's a legitimate message from
Windows or just an animated image in a web browser.
Drive-by-Downloads
Internet Explorer can prompt users to download
software that gets automatically installed on computers. The
intention is that programs, such as Flash, that certain web pages
depend on for viewing, can be seamlessly loaded so the user's
browsing experience isn't interrupted. However, many malware
developers take advantage of this process to foist their wares on
unsuspecting users. Let's look at two examples, one legitimate and
one malicious:


It's important to separate the generic form
filler from the content provided by the program in each case. The
item on the left identifies itself as "Windows Update," the other
"IE Plugin - Once you agree to the License Terms and Privacy Policy
- click YES to CONTINUE." The program on the right is imploring you
to click yes, not Internet Explorer. It also doesn't really tell you
what the program is. Disregarding the second half of its name, it
just identifies itself as "IE Plugin." It's not clear where it came
from or what it would do if you installed it. This is one major
tip-off.
Both products identify their supposed (remember,
be skeptical) publisher. The one on the left is from "Microsoft
Windows Publisher," the right from "CLICK YES TO CONTINUE." What
would a program gain from obscuring its origin, especially by
inserting a message in its place that suggests that clicking yes is
your only option?
The last unique piece of information is the group
that verified the publisher's identity. This bit doesn't tell you
very much in either case. Both sound legitimate. However, weighing
what else we know, it's safe to say that the program on the right is
bad news. The program on the left looks trustworthy.
While our deductions were accurate in both cases,
you should also consider what you were doing when you received the
prompt. The left prompt appeared while browsing Windows Update, the
right prompt showed up on a warez site. It's quite reasonable to
expect that OS updates would require something to be installed. When
you're looking at something seamy or of questionable legality, you
should be on the lookout for possible malware.
It should be noted that drive-by download prompts
have changed in Windows XP SP2. The new design stops controls when
new dialogs pop up and forces you to think more about what you're
about to download. Let's look at what happens when Flash wants to
install itself.
Unlike in prior versions of Windows, a dialog box
is not the first thing to appear. Instead, a brief message appears
in the toolbar, similar to IE's built-in pop-up blocker. It informs
you that the page wants to install an ActiveX Control. The
information, program name, and publisher are exactly the same.
When you click on the message, you can either
allow the installation, or seek further help ("What's the Risk?").
The help is a generic section of IE's help page informing you of the
risks associated with installing ActiveX controls. If you choose to
install, you then see a dialog similar to the one we looked at
before:

Its appearance is more streamlined, plus it gives
you an additional option. You can tell it to always deny the
installation of controls from any given publisher. Definitely useful
for users who frequently get asked to install particular pieces of
malware, or just those who have a vendetta against Flash.
Bundlers
Much malware, especially adware, comes bundled
with other programs. P2P software is a common source of bundled
adware. The following message comes up while installing iMesh:

You can't say the program isn't honest. It lets
you know it's ad-supported, which pieces of adware get installed,
and what you agree to in the process. Messages about required
programs for displaying ads should set off warning sirens in your
head. That information alone should be enough to make you stop
installation.
Additional preventive measures
Beyond skeptical computing, there are other
preventive measures you can take to secure your computer. Verify
that your Internet Explorer security settings are set correctly. To
do this, open up Internet Explorer and go to the Tools menu. Click
on "Internet Options." Go to the Security tab and click on the globe
labeled "Internet." Then click the "Custom Level" button. Make sure
"Download signed ActiveX controls" is set to "Prompt" (if you think
you have everything installed that you need, you can set this to
"Disable" for extra security), "Download unsigned ActiveX controls"
is set to "Disable," and "Initialize and script ActiveX controls not
marked as safe" is set to "Disable."
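The three settings above live in the registry, so they can be audited without clicking through the dialog. This is an added example, not part of the original article; it assumes the standard per-user Internet zone key (zone 3) and IE's documented value codes for these settings (0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example (not from the article): audit the Internet-zone ActiveX
# settings the article tells you to check and flag any that are weaker than
# recommended. Zone 3 is the "Internet" zone; the value names below are
# IE's documented registry names for these three settings.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
# If Group Policy sets Security_HKLM_only, the same key under HKLM: wins instead.

# Value name -> dialog label -> acceptable codes (per the article's advice).
$checks = @(
    @{ Name = '1001'; Label = 'Download signed ActiveX controls';                         Want = @(1, 3) }  # Prompt, or Disable
    @{ Name = '1004'; Label = 'Download unsigned ActiveX controls';                       Want = @(3) }     # Disable
    @{ Name = '1201'; Label = 'Initialize and script ActiveX controls not marked as safe'; Want = @(3) }     # Disable
)
$codes = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$props = Get-ItemProperty -Path $zone
foreach ($c in $checks) {
    $current = $props.($c.Name)
    if ($null -eq $current) {
        $shown  = 'not set (IE default applies)'
        $status = 'CHECK'
    } else {
        $shown = $codes[[int]$current]
        if (-not $shown) { $shown = "unknown code $current" }
        $status = if ($c.Want -contains [int]$current) { 'OK' } else { 'CHECK' }
    }
    '{0,-6} {1,-62} {2}' -f $status, $c.Label, $shown
}

# To correct a flagged setting, write the recommended code as a DWORD, e.g.:
#   Set-ItemProperty -Path $zone -Name 1004 -Value 3 -Type DWord
```

Re-run the audit after changing a value; IE reads the zone settings when it starts, so restart the browser before relying on the new setting.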
Updating Windows
Another easy and very important step is to update
Windows. Some malware uses holes in Internet Explorer and Windows to
install themselves without you knowing. There are many viruses which
exploit Windows in similar ways, so it's important to either enable
Automatic Update or regularly visit Windows Update.
Users of Windows XP should make sure they have
Service Pack 2 installed. It includes many improvements that should
make it much more difficult for malware to infect your computer,
including a basic firewall (more on these below). Before installing
a major update such as a Service Pack, it is recommended that you
back up any critical data. Also make sure that your system is free
of malware before installing SP2. Malware can interact with the
installation process in undesirable ways. You can get SP2 through
Automatic Updates or Windows Update.
Users of Windows 98 or ME should upgrade if at
all possible to Windows XP. XP is a much more stable and reliable
OS, not to mention more secure. Those who can't upgrade should be
extra vigilant about system updates. Not only are the security holes
in 98 and ME more well-known by malware developers, but those
versions of Windows are less proactive about getting users to
update.
Firewalls
One way of being warned that malware has infected
your machine is by using a software firewall (this also works well
for viruses). Should malware get past your defenses and infect
your computer, a software firewall will notify you if it tries to
"dial home" (unfortunately, this will probably not work for malware
that integrates itself into Internet Explorer). When a software
firewall catches a program trying to make a connection, it will
alert you, give you the name of the program, and ask if you want to
block it from the Internet.
When using this software, apply skepticism in the
same way you would when looking at a drive-by-download. When you
receive a prompt from your firewall, scrutinize the program
requesting access. Have you seen it before? Do you remember
installing it? Does its function appear generic or otherwise
ambiguous?
Software firewall warnings will aid in finding
and removing the malware, as they give you the exact location of the
process. They are especially important if you are not behind a
hardware firewall. Firewalls do not know the difference between what
is good and what is bad, so they will ask you about legitimate
programs as well as illegitimate ones (many come with a whitelist of
commonly-used programs that need the Internet, however).
If you do not know what a program is, usually a
web search on it will tell you if it is something that should be
accessing the Internet or not. Unfortunately, Windows XP's built-in
firewall (users of any previous Windows versions have no firewall
protection at all built in) does not monitor traffic leaving your
computer, just traffic that is entering it, so Windows XP users may
wish to download a stronger third-party solution.

This screenshot shows an alert from the Windows
XP SP2 firewall. It is informing you that iMesh is attempting to
receive a connection (in other words, it wants to act like a server
rather than a client). Since chances are you chose to install iMesh
on your computer, it would be acceptable to let it carry out its
normal functions.
Two popular free firewalls are