Spyware
Content
Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's FROM PORN SITES. Sometimes, however, spywares such as keyloggers are installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users. While the term spyware suggests software that secretly monitors the user's computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet connection or functionality of other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is provided by the term privacy-invasive software. In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security practices for computers, especially those running Microsoft Windows. A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user's computer. Spyware is Internet jargon for Advertising Supported software (Adware). It is a way for shareware authors to make money from a product, other than by selling it to the users. There are several large media companies that offer them to place banner ads in their products in exchange for a portion of the revenue from banner sales. This way, you don't have to pay for the software and the developers are still getting paid. If you find the banners annoying, there is usually an option to remove them, by paying the regular licensing fee. Why is it called "Spyware" ? While this may be a great concept, the downside is that the advertising companies also install additional tracking software on your system, which is continuously "calling home", using your Internet connection and reports statistical data to the "mothership". While according to the privacy policies of the companies, there will be no sensitive or identifying data collected from your system and you shall remain anonymous, it still remains the fact, that you have a "live" server sitting on your PC that is sending information about you and your surfing habits to a remote location..... Are all Adware products "Spyware"? No, but the majority are. There are also products that do display advertising but do not install any tracking mechanism on your system. These products are not indexed in our database. Is Spyware illegal? Even though the name may indicate so, Spyware is not an illegal type of software in any way. However there are certain issues that a privacy oriented user may object to and therefore prefer not to use the product. This usually involves the tracking and sending of data and statistics via a server installed on the user's PC and the use of your Internet connection in the background. What's the hype about? While legitimate adware companies will disclose the nature of data that is collected and transmitted in their privacy statement (linked from our database), there is almost no way for the user to actually control what data is being sent. The fact is that the technology is in theory capable of sending much more than just banner statistics - and this is why many people feel uncomfortable with the idea. On the other hand... Millions of people are using advertising supported "spyware" products and could not
care less about the privacy hype..., in fact some "Spyware" programs are among the most popular downloads on the Internet. Real spyware... There are also many PC surveillance tools that allow a user to monitor all kinds of activity on a computer, ranging from keystroke capture, snapshots, email logging, chat logging and just about everything else. These tools are often designed for parents, businesses and similar environments, but can be easily abused if they are installed on your computer without your knowledge. These tools are perfectly legal in most places, but, just like an ordinary tape recorder, if they are abused, they can seriously violate your privacy. History and development The first recorded use of the term spyware occurred on 16 October 1995 in a Usenet post that poked fun at Microsoft's business model.[1] Spyware at first denoted software meant for espionage purposes. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall.[2] Since then, "spyware" has taken on its present sense.[2] According to a 2005 study by AOL and the National Cyber-Security Alliance, 61 percent of surveyed users' computers were infected with form of spyware. 92 percent of surveyed users with spyware reported that they did not know of its presence, and 91 percent reported that they had not given permission for the installation of the spyware.[3] As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. Computers on which Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks, not only because IE is the most widely-used,[4] but because its tight integration with Windows allows spyware access to crucial parts of the operating system.[4][5] Before Internet Explorer 6 SP2 was released as part of Windows XP Service Pack 2, the browser would automatically display an installation window for any ActiveX component that a website wanted to install. The combination of user naivety concerning malware, and the assumption by Internet Explorer that all ActiveX components are benign, led, in part, to the massive spread of spyware. Many spyware components would also make use of exploits in Javascript, Internet Explorer and Windows to install without user knowledge or permission. The Windows Registry contains multiple sections where modification of key values allows software to be executed automatically when the operating system boots. Spyware can exploit this design to circumvent attempts at removal. The spyware typically will link itself from each location in the registry that allows execution. Once running, the spyware will periodically check if any of these links are removed. If so, they will be automatically restored. This ensures that the spyware will execute when the operating system is booted, even if some (or most) of the registry links are removed. Comparison- Spyware, adware and tracking The term adware frequently refers to any software which displays advertisements, whether or not the user has consented. Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These may be classified as "adware", in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service. Most adware is spyware in a different sense than "advertising-supported software": it displays advertisements related to what it finds from spying on users. Gator Software from Claria Corporation (formerly GATOR) and Exact Advertising's BargainBuddy are examples. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user is shown many pop-up advertisements. Other spyware behavior, such as reporting on websites the user visits, occurs in the background. The data is used for "targeted" advertisement impressions. The prevalence of spyware has cast suspicion on other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet
Explorer plug-in published by Amazon.com, as spyware, and some anti-spyware programs such as Ad-Aware report it as such. Many of these adware-distributing companies are backed by millions of dollars of adware-generating revenues. Adware and spyware are similar to viruses in that they can be considered malicious in nature. People are profiting from misleading adware, sometimes known as scareware, such as Antivirus 2009. Similarly, software bundled with free, advertising-supported programs acts as spyware (and, if removed, disables the 'parent' program), yet people are willing to download it. This presents a dilemma for proprietors of anti-spyware products whose removal tools may inadvertently disable wanted programs. For example, WhenUSave is ignored by popular anti-spyware program Ad-Aware (but removed as spyware by most scanners) because it is part of the popular (but recently decommissioned) eDonkey client.[6] To address this dilemma, the Anti-Spyware Coalition was formed to establish and document best practices regarding acceptable software behavior.[2] However, the AntiSpyware Coalition website does not appear to have been updated since late 2008. Spyware, viruses and worms Unlike viruses and worms, spyware does not usually self-replicate. Like many recent viruses, however, spyware—by design—exploits infected computers for commercial gain. Typical tactics include delivery of unsolicited pop-up advertisements, theft of personal information (including financial information such as credit card numbers), monitoring of Web-browsing activity for marketing purposes, and routing of HTTP requests to advertising sites. However, spyware can be dropped as a payload by a worm. Routes of infection
Malicious websites attempt to install spyware on readers' computers. Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities. Most spyware is installed without users' knowledge. Since they tend not to install software if they know that it will disrupt their working environment and compromise their privacy, spyware deceives users, either by piggybacking on a piece of desirable software such as Kazaa, or by tricking them into installing it (the Trojan horse method). Some "rogue" spyware programs masquerade as security software. The distributor of spyware usually presents the program as a useful utility—for instance as a "Web accelerator" or as a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a program bundled with spyware[7] and targeted at children, claims that: He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE![8]
Spyware can also come bundled with other software. The user downloads a program and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable freeware with installers that slipstream spyware. Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware. The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a "drive-by download", which leaves the user a hapless bystander to the attack. Common browser exploits target security vulnerabilities in Internet Explorer and in the Sun Microsystems Java runtime. The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it the most frequent target. Its deep integration with the Windows environment and scriptability make it an obvious point of attack into Windows. Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser's behavior to add toolbars or to redirect traffic. In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to install spyware that put pornographic pop-ups on the infected system's screen.[9] By directing traffic to ads set up to channel funds to the spyware authors, they profit personally. Effects and behaviors A spyware program is rarely alone on a computer: an affected machine usually has multiple infections. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic. Stability issues, such as applications freezing, failure to boot, and system-wide crashes, are also common. Spyware, which interferes with networking software, commonly causes difficulty connecting to the Internet. In some infections, the spyware is not even evident. Users assume in those situations that the performance issues relate to faulty hardware, Windows installation problems, or another infection. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality. Only rarely does a single piece of software render a computer unusable. Rather, a computer is likely to have multiple infections. The cumulative effect, and the interactions between spyware components, causes the symptoms commonly reported by users: a computer, which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Some spyware disables or even removes competing spyware programs, on the grounds that more spyware-related annoyances make it even more likely that users will take action to remove the programs. One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the two later settled with an agreement not to disable each others' products.[10] Some other types of spyware use rootkit like techniques to prevent detection, and thus removal. Targetsoft, for instance, modifies the "Winsock" Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage. A typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system. As with other operating systems, Windows users too are able to follow the principle of least privilege and use non-administrator least user access accounts, or to
reduce the privileges of specific vulnerable Internet-facing processes such as Internet Explorer (through the use of tools such as DropMyRights). However, as this is not a default configuration, few users do this. In Windows Vista, by default, a computer administrator runs everything under limited user privileges. When a program requires administrative privileges, Vista will prompt the user with an allow/deny pop-up (see User Account Control). This improves on the design used by previous versions of Windows. Advertisements Many spyware programs display advertisements. Some programs simply display pop-up ads on a regular basis; for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to the user visiting specific sites. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior. Many users complain about irritating or offensive advertisements as well. As with many banner ads, spyware advertisements often use animation or flickering banners, which can be visually distracting and annoying to users. Pop-up ads for pornography often display indiscriminately. Links to these sites may be added to the browser window, history or search function. When children are the users, this could possibly violate antipornography laws in some jurisdictions. A number of spyware programs break the boundaries of illegality; variations of “Zlob.Trojan” and “Trojan-Downloader.Win32.INService” have been known to show undesirable child pornography, key gens, cracks and illegal software pop-up ads, which violate child pornography and copyright laws.[11][12][13][14] A further issue in the case of some spyware programs concerns the replacement of banner ads on viewed web sites. Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site's own advertisements (which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites. "Stealware" and affiliate fraud A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware", and what spyware researcher Ben Edelman terms affiliate fraud, a form of click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor. Spyware which attacks affiliate networks places the spyware operator's affiliate tag on the user's activity — replacing any other tag, if there is one. The spyware operator is the only party that gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue, networks' reputations are injured, and vendors are harmed by having to pay out affiliate revenues to an "affiliate" who is not party to a contract.[15] Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.[citation needed] Identity theft and fraud In one case, spyware has been closely associated with identity theft.[16] In August 2005, researchers from security software firm Sunbelt Software suspected the creators of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc.";[17] however it turned out that "it actually (was) its own sophisticated criminal little trojan that's independent of CWS."[18] This case is currently under investigation by the FBI. The Federal Trade Commission estimates that 27.3 million Americans have been victims of identity theft, and that financial losses from identity theft totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals.[19]
Spyware-makers may commit wire fraud with dialer program spyware. These can reset a modem to dial up a premium-rate telephone number instead of the usual ISP. Connecting to these suspicious numbers involves long-distance or overseas charges which invariably result in high call costs. Dialers are ineffective on computers that do not have a modem, or are not connected to a telephone line, and are now very rare due to the decline in use of dial-up internet access. Digital rights management Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music Entertainment was found to be using rootkits in its XCP digital rights management technology[20] Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. Texas Attorney General Greg Abbott filed suit,[21] and three separate class-action suits were filed.[22] Sony BMG later provided a workaround on its website to help users remove it.[23] Beginning on 25 April 2006, Microsoft's Windows Genuine Advantage Notifications application[24] was installed on most Windows PCs as a "critical security update". While the main purpose of this deliberately uninstallable application is to ensure the copy of Windows on the machine was lawfully purchased and installed, it also installs software that has been accused of "phoning home" on a daily basis, like spyware.[25][26] It can be removed with the RemoveWGA tool. Personal relationships Spyware has been used to surreptitiously monitor electronic activities of partners in intimate relationships, generally to uncover evidence of infidelity. At least one software package, Loverspy, was specifically marketed for this purpose. Depending on local laws regarding communal/marital property, observing a partner's online activity without their consent may be illegal; the author of Loverspy and several users of the product were indicted in California in 2005 on charges of wiretapping and various computer crimes.[27] [edit] Browser cookies Anti-spyware programs often report Web advertisers' HTTP cookies, the small text files that track browsing activity, as spyware. While they are not always inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and many anti-spyware programs offer to remove them.[28] [edit] Examples These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into "families" based not on shared program code, but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs that are frequently installed together may be described as parts of the same spyware package, even if they function separately. • CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites.[29] Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.[30] HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX driveby download at affiliate Web sites, or by advertisements displayed by other spyware programs—an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.[31][32]
•
•
•
Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General's Office, the Better Business Bureau, and other agencies. Consumers complained they were held hostage by a cycle of oversized pop-up windows demanding payment of at least $29.95, claiming that they had signed up for a three-day free trial but had not cancelled before the trial period was over, and were thus obligated to pay.[33][34] The FTC filed a complaint, since settled, against Movieland and eleven other defendants charging them with having "engaged in a nationwide scheme to use deception and coercion to extract payments from consumers."[35] WeatherStudio has a plugin that displays a window-panel near the bottom of a browser window. The official website notes that it is easy to remove (uninstall) WeatherStudio from a computer, using its own uninstall-program, such as under C:\Program Files\WeatherStudio.[36] Once WeatherStudio is removed, a browser returns to the prior display appearance, without the need to modify the browser settings. Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies (as seen in their [Zango End User License Agreement]).[15] Zlob trojan, or just Zlob, downloads itself to a computer via an ActiveX codec and reports information back to Control Server[citation needed]. Some information can be the search-history, the Websites visited, and even keystrokes.[citation needed] More recently, Zlob has been known to hijack routers set to defaults.[37]
•
•
•
[edit] Legal issues [edit] Criminal law Unauthorized access to a computer is illegal under computer crime laws, such as the U.S. Computer Fraud and Abuse Act, the U.K.'s Computer Misuse Act, and similar laws in other countries. Since owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware, particularly viruses. However, few spyware developers have been prosecuted, and many operate openly as strictly legitimate businesses, though some have faced lawsuits.[38][39] Spyware producers argue that, contrary to the users' claims, users do in fact give consent to installations. Spyware that comes bundled with shareware applications may be described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria say these demonstrate that users have consented. Despite the ubiquity of EULAs and of "clickwrap" agreements, under which a single click can be taken as consent to the entire text, relatively little caselaw has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreement can be a binding contract in certain circumstances.[40] This does not, however, mean that every such agreement is a contract, or that every term in one is enforceable. Some jurisdictions, including the U.S. states of Iowa[41] and Washington,[42] have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software. In the United States, lawmakers introduced a bill in 2005 entitled the Internet Spyware Prevention Act, which would imprison creators of spyware.[43] [edit] Administrative sanctions [edit] US FTC actions
The US Federal Trade Commission has sued Internet marketing organizations under the "unfairness doctrine" [44] to make them stop infecting consumers’ PCs with spyware. In one case, that against Seismic Entertainment Productions, the FTC accused the defendants of developing a program that seized control of PCs nationwide, infected them with spyware and other malicious software, bombarded them with a barrage of pop-up advertising for Seismic’s clients, exposed the PCs to security risks, and caused them to malfunction, slow down, and, at times, crash. Seismic then offered to sell the victims an “antispyware” program to fix the computers, and stop the popups and other problems that Seismic had caused. On November 21, 2006, a settlement was entered in federal court under which a $1.75 million judgment was imposed in one case and $1.86 million in another, but the defendants were insolvent[45] In a second case, brought against CyberSpy Software LLC, the FTC charged that CyberSpy marketed and sold "RemoteSpy" keylogger spyware to clients who would then secretly monitor unsuspecting consumers’ computers. According to the FTC, Cyberspy touted RemoteSpy as a “100% undetectable” way to “Spy on Anyone. From Anywhere.” The FTC has obtained a temporary order prohibiting the defendants from selling the software and disconnecting from the Internet any of their servers that collect, store, or provide access to information that this software has gathered. The case is still in its preliminary stages. A complaint filed by the Electronic Privacy Information Center (EPIC) brought the RemoteSpy software to the FTC’s attention.[46] [edit] Netherlands OPTA An administrative fine, the first of its kind in Europe, has been issued by the Independent Authority of Posts and Telecommunications (OPTA) from the Netherlands. It applied fines in total value of Euro 1,000,000 for infecting 22 million computers. The spyware concerned is called DollarRevenue. The law articles that have been violated are art. 4.1 of the Decision on universal service providers and on the interests of end users; the fines have been issued based on art. 15.4 taken together with art. 15.10 of the Dutch telecommunications law. A part of these fines has to be paid personally by the directors of these companies, i.e. not from the accounts of their companies, but from their personal fortunes.[47] Since an appeal has been lodged, the fines will have to be paid only after a Dutch law court makes a decision in this case. The culprits maintain that the evidence for violating the two law articles has been obtained illegally. The names of the directors and the names of the companies have not been revealed, since it is not clear that OPTA is allowed to make such information public.[48] [edit] Civil law Former New York State Attorney General and former Governor of New York Eliot Spitzer has pursued spyware companies for fraudulent installation of software.[49] In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling, by agreeing to pay US$7.5 million and to stop distributing spyware.[50] The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court. Courts have not yet had to decide whether advertisers can be held liable for spyware that displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, they have contracted with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies that have run their ads in spyware.[51] [edit] Libel suits by spyware developers Litigation has gone both ways. Since "spyware" has become a common pejorative, some makers have filed libel and defamation actions when their products have been so described. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing its program as "spyware".[52] PC Pitstop settled, agreeing not to use the word "spyware", but continues to describe harm caused by the Gator/Claria software.[53] As a result, other anti-spyware and anti-virus companies have also used other terms such as "potentially unwanted programs" or greyware to denote these products.
[edit] WebcamGate Main article: Robbins v. Lower Merion School District In the 2010 WebcamGate case, plaintiffs charged two suburban Philadelphia high schools secretly spied on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, and therefore infringed on their privacy rights. The school loaded each student's computer with LANrev's remote activation tracking software. This included the now-discontinued "TheftTrack". While TheftTrack was not enabled by default on the software, the program allowed the school district to elect to activate it, and to choose which of the TheftTrack surveillance options the school wanted to enable.[54] TheftTrack allowed school district employees to secretly remotely activate a tiny webcam embedded in the student's laptop, above the laptop's screen. That allowed school officials to secretly take photos through the webcam, of whatever was in front of it and in its line of sight, and send the photos to the school's server. The LANrev software disabled the webcams for all other uses (e.g., students were unable to use Photo Booth or video chat), so most students mistakenly believed their webcams did not work at all. In addition to webcam surveillance, TheftTrack allowed school officials to take screenshots, and send them to the school's server. In addition, LANrev allowed school officials to take snapshots of instant messages, web browsing, music playlists, and written compositions. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.[54][55] [edit] Remedies and prevention As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system. Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data, and fully reinstalling the operating system. For instance, some versions of Vundo cannot be completely removed by Symantec, Microsoft, PC Tools, and others because it infects rootkit, Internet Explorer, and Windows' lsass.exe (Local Security Authority Subsystem Service) with a randomly-filenamed dll (dynamic link library). [edit] Anti-spyware programs See also: Category:Spyware removal Many programmers and some commercial firms have released products dedicated to remove or block spyware. Steve Gibson's OptOut pioneered a growing category. Programs such as PC Tools' Spyware Doctor, Lavasoft's Ad-Aware SE (free scans for non-commercial users, must pay for other features) and Patrick Kolla's Spybot - Search & Destroy (all features free for non-commercial use) rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. On December 16, 2004, Microsoft acquired the GIANT AntiSpyware software,[56] rebranding it as Windows AntiSpyware beta and releasing it as a free download for Genuine Windows XP and Windows 2003 users. In 2006, Microsoft renamed the beta software to Windows Defender (free), and it was released as a free download in October 2006 and is included as standard with Windows Vista as well as Windows 7. Major anti-virus firms such as Symantec, PC Tools, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and now offers real-time protection from them (as it does for viruses). In June 2006, the anti-virus company Grisoft, creator of AVG Anti-Virus, acquired antispyware firm Ewido Networks, re-labeling their Ewido anti-spyware program as AVG Anti-Spyware Professional Edition. AVG also used this product to add an integrated anti-
spyware solution to some versions of the AVG Anti-Virus family of products, and a freeware AVG Anti-Spyware Free Edition available for private and non-commercial use. This shows a trend by anti virus companies to launch a dedicated solution to spyware and malware. Zone Labs, creator of Zone Alarm firewall have also released an antispyware program. Anti-spyware programs can combat spyware in two ways: 1. They can provide real time protection against the installation of spyware software on the computer. This type of spyware protection works the same way as that of anti-virus protection in that the anti-spyware software scans all incoming network data for spyware software and blocks any threats it comes across. 2. Anti-spyware software programs can be used solely for detection and removal of spyware software that has already been installed onto the computer. This type of spyware protection is normally much easier to use and more popular. With this spyware protection software the user can schedule weekly, daily, or monthly scans of the computer to detect and remove any spyware software that have been installed on the computer. This type of anti-spyware software scans the contents of the windows registry, operating system files, and installed programs on the computer and will provide a list of any threats found, allowing the user to choose what to delete and what to keep. Such programs inspect the contents of the Windows registry, the operating system files, and installed programs, and remove files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because many spyware and adware are installed as a result of browser exploits or user error, using security software (some of which are antispyware, though many are not) to sandbox browsers can also be effective to help restrict any damage done. Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs. Like most anti-virus software, many anti-spyware/adware tools require a frequentlyupdated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making "signatures" or "definitions" which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates free. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually. Not all programs rely on updated definitions. Some programs rely partly (for instance many antispyware programs such as Windows Defender, Spybot's TeaTimer and Spysweeper) or fully (programs falling under the class of HIPS such as BillP's WinPatrol) on historical observation. They watch certain configuration parameters (such as certain portions of the Windows registry or browser configuration) and report any change to the user, without judgment or recommendation. While they do not rely on updated definitions, which may allow them to spot newer spyware, they can offer no guidance. The user is left to determine "what did I just do, and is this configuration change appropriate?" Windows Defender's SpyNet attempts to alleviate this through offering a community to share information, which helps guide both users, who can look at decisions made by others, and analysts, who can spot fast-spreading spyware. A popular generic spyware removal tool used by those with a certain degree of expertise is HijackThis, which scans certain areas of the Windows OS where spyware often resides and presents a list with items to delete manually. As most of the items are legitimate windows files/registry entries it is advised for those who are less knowledgeable on this subject to post a
HijackThis log on the numerous antispyware sites and let the experts decide what to delete. If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an antispyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware. Killing the process tree may also work. A new breed of spyware (Look2Me spyware by NicTechNetworks is a good example) hides inside system-critical processes and start up even in safe mode, see rootkit. With no process to terminate they are harder to detect and remove. Sometimes they do not even leave any on-disk signatures. Rootkit technology is also seeing increasing use,[57] as is the use of NTFS alternate data streams. Newer spyware programs also have specific countermeasures against well known anti-malware products and may prevent them from running or being installed, or even uninstall them. An example of one that uses all three methods is Gromozon, a new breed of malware. It uses alternate data streams to hide. A rootkit hides it even from alternate data streams scanners and actively stops popular rootkit scanners from running. [edit] Security practices To detect spyware, computer users have found several practices useful in addition to installing anti-spyware programs. Many system operators install a web browser other than IE, such as Opera, Google Chrome or Mozilla Firefox. Though no browser is completely safe, Internet Explorer is at a greater risk for spyware infection due to its large user base as well as vulnerabilities such as ActiveX.[citation needed] Some ISPs—particularly colleges and universities—have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University's Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it. [58] Many other educational institutions have taken similar steps. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users' behavior, and so may more readily attract institutional attention.[citation needed] Some users install a large hosts file which prevents the user's computer from connecting to known spyware-related web addresses. However, by connecting to the numeric IP address, rather than the domain name, spyware may bypass this sort of protection. Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. Recently, CNet revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.[citation
needed]
The first step to removing spyware is to put a computer on "lockdown". This can be done in various ways, such as using anti-virus software or simply disconnecting the computer from the internet. Disconnecting the internet prevents controllers of the spyware from being able to remotely control or access the computer. The second step to removing the spyware is to locate it and remove it, manually or through use of credible anti-spyware software. During and after lockdown, potentially threatening websites should be avoided. [edit] Programs distributed with spyware • • • Bonzi Buddy[59] Dope Wars[60] EDonkey2000[61]
• • • • • • • • • •
Grokster[62] Kazaa[63] Morpheus[61] RadLight[64] WeatherBug[65] WildTangent[66][67] AOL Instant Messenger[66] (AOL Instant Messenger still packages Viewpoint Media Player, and WildTangent) DivX[68] FlashGet[69][70][71][72][73][74] magicJack[75]
[edit] Programs formerly distributed with spyware
[edit] Rogue anti-spyware programs See also: List of fake anti-spyware programs and Rogue software Malicious programmers have released a large number of rogue (fake) anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware—or else, may add more spyware of their own.[76]
[77]
The recent[update] proliferation of fake or spoofed antivirus products has occasioned some concern. Such products often bill themselves as antispyware, antivirus, or registry cleaners, and sometimes feature popups prompting users to install them. This software is called rogue software. It is recommended that users do not install any freeware claiming to be anti-spyware unless it is verified to be legitimate. Some known offenders include: • • • • • • • • • • • • • • • • • • • • • AntiVirus 360 Antivirus 2008 Antivirus 2009 AntiVirus Gold ContraVirus MacSweeper Pest Trap PSGuard Spy Wiper Spydawn Spylocked Spysheriff SpyShredder Spyware Quake SpywareStrike UltimateCleaner WinAntiVirus Pro 2006 Windows Police Pro WinFixer[78] WorldAntiSpy XP Security
Fake antivirus products constitute 15 percent of all malware.[79] On January 26, 2006, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product.[80] On December 4, 2006, the Washington attorney general announced that Secure Computer had paid $1 million to settle with the state. As of that date, Microsoft's case against Secure Computer remained pending.[81] How Spyware Works Has your computer ever become so slow that you can fix yourself a snack in the time it takes your word processor to open? Perhaps spyware is to blame. Spyware is a category of computer programs that attach themselves to your operating system in nefarious ways. They can suck the life out of your computer's processing power. They're designed to track your Internet habits, nag you with unwanted sales offers or generate traffic for their host Web site. According to some estimates, more than 80 percent of all personal computers are infected with some kind of spyware [source: FaceTime Communications]. But before you chuck your computer out the window and move to a desert island, you might want to read on. In this article we'll explain how spyware gets installed on your computer, what it does there and how you can get rid of it. Some people mistake spyware for a computer virus. A computer virus is a piece of code designed to replicate itself as many times as possible, spreading from one host computer to any other computers connected to it. It usually has a payload that may damage your personal files or even your operating system. Spyware, on the other hand, generally isn't designed to damage your computer. Spyware is defined broadly as any program that gets into your computer without your permission and hides in the background while it makes unwanted changes to your user experience. The damage it does is more a by-product of its main mission, which is to serve you targeted advertisements or make your browser display certain sites or search results. At present, most spyware targets only the Windows operating system. Some of the more notorious spyware threats include Trymedia, Nuvens, Estalive, Hotbar and New.Net.Domain.Plugin [source: CA]. Malware: Computing's Dirty Dozen It seems that no sooner do you feel safe turning on your computer than you hear on the news about a new kind of internet security threat. Usually, the security threat is some kind of malware (though the term "security threat" no doubt sells more newspapers). What is malware? Malware is exactly what its name implies: mal (meaning bad, in the sense of malignant or malicious rather than just poorly done) + ware (short for software). More specifically, malware is software that does not benefit the computer's owner, and may even harm it, and so is purely parasitic. The Many Faces of Malware 1. Viruses. The malware that's on the news so much, even your grandmother knows what it is. You probably already have heard plenty about why this kind of software is bad for you, so there's no need to belabor the point. 2. Worms. Slight variation on viruses. The difference between viruses and worms is that viruses hide inside the files of real computer programs (for instance, the macros in Word or the VBScript in many other Microsoft applications), while worms do not infect a file or program, but rather stand on their own. 3. Wabbits. Be honest: had you ever even heard of wabbits before (outside of Warner Bros. cartoons)? According to Wikipedia, wabbits are in fact rare, and it's not hard to see why: they don't do anything to spread to other machines. A wabbit, like a virus, replicates itself, but it does not have any instructions to email itself or pass itself through a computer network in order to infect other machines. The least ambitious of
all malware, it is content simply to focus on utterly devastating a single machine. 4. Trojans. Arguably the most dangerous kind of malware, at least from a social standpoint. While Trojans rarely destroy computers or even files, that's only because they have bigger targets: your financial information, your computer's system resources, and sometimes even massive denial-of-service attack launched by having thousands of computers all try to connect to a web server at the same time. 5. Spyware. In another instance of creative software naming, spyware is software that spies on you, often tracking your internet activities in order to serve you advertising. (Yes, it's possible to be both adware and spyware at the same time.) 6. Backdoors. Backdoors are much the same as Trojans or worms, except that they do something different: they open a "backdoor" onto a computer, providing a network connection for hackers or other malware to enter or for viruses or sp@m to be sent out through. 7. Exploits. Exploits attack specific security vulnerabilities. You know how Microsoft is always announcing new updates for its operating system? Often enough the updates are really trying to close the security hole targeted in a newly discovered exploit. 8. Rootkit. The malware most likely to have a human touch, rootkits are installed by crackers (bad hackers) on other people's computers. The rootkit is designed to camouflage itself in a system's core processes so as to go undetected. It is the hardest of all malware to detect and therefore to remöve; many experts recommend completely wiping your hard drive and reinstalling everything fresh. 9. Keyloggers. No prïze for guessing what this software does: yes, it logs your keystrokes, i.e., what you type. Typically, the malware kind of keyloggers (as opposed to keyloggers deliberately installed by their owners to use in diagnosing computer problems) are out to log sensitive information such as passwords and financial details. 10. Dialers. Dialers dial telephone numbers via your computer's modem. Like keyloggers, they're only malware if you don't want them. Dialers either dial expensive premium-rate telephone numbers, often located in small countries far from the host computer; or, they dial a hacker's machine to transmit stolen data. 11. URL injectors. This software "injects" a given URL in place of certain URLs when you try to visit them in your browser. Usually, the injected URL is an affïliate link to the target URL. An affïliate link is a special link used to track the traffïc an affïliate (advertiser) has sent to the original website, so that the original website can pay commissions on any salës from that traffïc. 12. Adware. The least dangerous and most lucrative malware (lucrative for its distributors, that is). Adware displays ads on your computer. The Wikipedia entry on malware does not give adware its own category even though adware is commonly called malware. As Wikipedia notes, adware is often a subset of spyware. The implication is that if the user chooses to allow adware on his or her machine, it's not really malware, which is the defense that most adware companies take. In reality, however, the choice to install adware is usually a lëgal farce involving placing a mention of the adware somewhere in the installation materials, and often only in the licensing agreement, which hardly anyone reads. Are you ready to take on this dirty dozen? Don't go it alone. Make sure you have at least one each of antivirus and antispyware. Definitions and A Brief Introduction to the Dangers of Malware 1. Introduction. The ever increasing use of the Internet means more and more computers can be accessed by others through file transfers, e-mails and websites, leaving them susceptible to infection from an increasing number of viruses, Trojan Horses, worms,
adware, spyware, etc. These terms can be very confusing as each one is different in characteristics and will cause different problems or damage to your computer. People will tend to be more on the lookout for these threats if they understand what they are and their potential dangers. This article attempts to clarify the meaning of each of these terms. After reading this article it is strongly suggested that you visit www.bestvalueonline.biz/clearspyware.html for further information on how to protect your PC against this dangerous class of software. Your bank account and identity are ultimately at risk if you do not take action.
2. Malware Many normal computer users are still unfamiliar with the term ‘malware” and most never use it. Instead, "computer virus" is incorrectly used, even in the media to describe all kinds of malware, though not all malware are viruses. Rather than being defined by any particular features, software is considered malware if the perceived intent of the creator is to cause damage. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of California, West Virginia, and several other American states. Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a shortened combination of the words malicious and software. The expression is a general term used by professionals in the computer industry to cover a variety of hostile, intrusive, or annoying software or program code. Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains harmful bugs. 3. Trojan Horse or Trojan In the context of computing and software, a ‘Trojan horse’, or simply ‘Trojan’, is a piece of software which appears to perform a certain action but in fact performs another such as a computer virus. Contrary to popular belief, this action, usually encoded in a hidden payload, may or may not be actually malicious, but Trojan horses are notorious today for their use in the installation of backdoor programs. Simply put, a Trojan horse is not necessarily a computer virus. Unlike such malware, it does not propagate by selfreplication but relies heavily on the exploitation of an end-user. Therefore, a computer worm or virus may be a Trojan horse. The term is derived from the classical story of the Trojan Horse. 4. Computer Worms A ’computer worm’ is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer. 5. Computer Virus A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. The term "virus" is also commonly used, albeit erroneously, to refer to many different types of malware and adware programs. The original virus may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another
when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Viruses can also spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a file that appears harmless. Worms and Trojans may cause harm to a computer system's hosted data, functional performance, or networking throughput, when executed. In general, a worm does not actually harm either the system's hardware or software, while at least in theory a Trojan's payload may be capable of almost any type of harm if executed. Some can't be seen when the program is not running, but as soon as the infected code is run, the virus kicks in. That is why it is so hard for people to find viruses themselves and why they have to use spyware programs and registry processors. Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, Instant Messaging and file sharing systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of selfreplicating malware. Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behaviour and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss. Many CID programs are programs that have been downloaded by the user and pop up every so often. This results in slowing down of the computer, but it is also very difficult to find and stop the problem. 6. Spyware ‘Spyware’ is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent. While the term spyware suggests software that secretly monitors the user's behaviour, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habit, sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software, redirecting Web browser activity, accessing websites blindly that will cause more harmful viruses, or diverting advertising revenue to a third party. Spyware can even change computer settings, resulting in slow connection speeds, different home pages, and loss of Internet or other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term privacy-invasive software. In response to the emergence of spyware, a whole industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security best practices for Microsoft Windows desktop computers. A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user's computer. Threats vary from the systematic capture of everyday events (e.g., what online sites that are visited or what items that are purchased from online stores) to the mass marketing based on the retrieval of personal information (spam offers and telemarketing calls are more
common than ever) to the distribution of information on lethal technologies used for, e.g., acts of terror. Today, software-based privacy-invasions occur in numerous aspects of Internet usage. Spyware programs set to collect and distribute user information secretly download and execute on users’ workstations. Adware displays advertisements and other commercial content often based upon personal information retrieved by spyware programs. System monitors record various actions on computer systems. Keyloggers record users’ keystrokes in order to monitor user behaviour. Self-replicating malware downloads and spreads disorder in systems and networks. Data-harvesting software programmed to gather e-mail addresses have become conventional features of the Internet, which among other things results in that spam e-mail messages fill networks and computers with unsolicited commercial content. With those threats in mind, we hereby define privacy-invasive software as a category of software that ignores users’ right to be let alone and that is distributed with a specific intent, often of a commercial nature, which negatively affect[s] its users. In this context, ignoring users’ right to be let alone means that the software is unsolicited and that it does not permit users to determine for themselves when, how and to what extent personally identifiable data is gathered, stored or processed by the software. Distributed means that it has entered the computer systems of users from (often unknown) servers placed on the Internet infrastructure. Often of a commercial nature means that the software (regardless of type or quality) is used as a tool in some sort of a commercial plan to gain revenues. 7. Adware ‘Adware’ or advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. Some types of adware are also spyware and can be classified as privacy-invasive software. Adware is software with advertising functions integrated into or bundled with a program. It is usually seen by the developer as a way to recover development costs, and in some cases it may allow the program to be provided to the user free of charge or at a reduced price. The advertising income may allow or motivate the developer to continue to develop, maintain and upgrade the software product. Some adware is also shareware, and so the word may be used as term of distinction to differentiate between types of shareware software. What differentiates adware from other shareware is that it is primarily advertising-supported. Users may also be given the option to pay for a "registered" or "licensed" copy to do away with the advertisements. Adware can also download and install PUPs to your computer. 8. Rootkit A ’rootkit’ is a program (or combination of several programs) designed to take fundamental control (in Unix terms "root" access, in Windows terms "Administrator" (access) of a computer system, without authorization by the system's owners and legitimate managers. Access to the hardware (i.e, the reset switch) is rarely required as a rootkit is intended to seize control of the operating system running on the hardware. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. Often, they are also Trojans as well, thus fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system. Rootkits may have originated as regular, though emergency, applications, intended to take control of an unresponsive system, but in recent years have been largely malware to help intruders gain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Mac OS X[2] [3] , Linux and Solaris. Rootkits often modify parts of the operating system or install themselves as
drivers or kernel modules, depending on the internal details of an operating system's mechanisms. 9. Conclusion In this article the terms malware, Trojans or Trojan Horses, Worms, Computer Virus, Spyware, Adware and Rootkits were defined. It is hoped that a better understanding of these terms will result in people becoming more aware of the dangers they are exposed to every day and that they will install the appropriate software to protect themselves from the damage that can be done.
Categories of Malware
1. Introduction Popular treatments of malware are characterised by a vast amount of confusion. Over 20 years after viruses became well-understood and worms erupted into public discussions, it's high time that much more order was brought to the field. The need for much greater clarity extends beyond the broad public arena. Malware is becoming an increasingly serious public policy issue. To counter this, innovations are necessary in technical, organisational and regulatory measures, and coordination must be achieved among organisations in the public and private sectors. Meaningful discussions depend on mutual understanding, and hence a stable and commonlyagreed language is a pre-requisite to progress being made. This paper proposes a terminological framework within which analysis and discussion can be undertaken. Its purpose is to distinguish the various categories of malware in such a manner as to support the evaluation of alternative policy measures that might be effective in combatting them. The paper works within the conventional information technology (IT) security model, as depicted in Exhibit 1. Threatening events, which are specific instances of generic threats, impinge on vulnerabilities, resulting in harm. Safeguards are used in an endeavour to protect against threats and detect and address vulnerabilities. Safeguards may focus on deterrence, prevention, detection or investigation of the threats or events, or amelioration of the harm. Security is a condition in which harm does not arise, because threats and vulnerabilities are effectively countered by safeguards. The paper's scope generally does not extend to attack mechanisms, such as vulnerability scanners, port scanners and password testers, nor to tools used in intermediary devices on the Internet, such as packet sniffers. Exhibit 1: The Conventional IT Security Model
Various forms of malware have emerged over time, as both IT infrastructure and attacks on it have become progressively more complex and sophisticated. The first form in which malware appeared was referred to as a 'virus', a term borrowed from biology in 1983. The form itself, however, can be recognised in phenomena that first appeared as far back as 1971. The notion arrived in the public arena when viruses were transmitted by floppy disk among Apple micro-computers in 1981. Major infections first appeared during the late 1980s on what were then called 'IBM PCs'. Even at that time, some virus transmission was occurring over networks rather than via disks, but networks only became the dominant means of transmission after Internet accessibility became widespread from the mid-1990s (Solomon 1993). Until about 2000, viruses remained the dominant form of malware. Indeed the term 'virus' was initially used for any form of what is referred to in this paper as malware, and in popular literature that habit is still apparent. During the early years of the new century, however, independent programs called worms, propagating over networks, and primarily over the Internet, became the more common form (Chen & Robert 2004). Sample short descriptions of a virus and a worm are provided in Appendix 1. Fuller expositions of the nature of viruses and worms are in texts such as Skoudis (2003), Erbschloe (2005), Szor (2005) and Aycock (2006). Both viruses and worms are threats which need to exploit vulnerabilities in order to propagate, and in order to perform whatever their function may be. Vulnerabilities exist in all operating systems, in all systems software, and in all applications. During the relevant period, the most widespread systems software family by far was the succession of Microsoft Windows products. On workstations that used that operating system, the Microsoft Office suite of applications was very common. Further, until the early 2000s, Microsoft's quality control over security vulnerabilities was lamentable. For this combination of reasons, Microsoft products have both harboured a vast array of vulnerabilities, and been the primary target for malware writers. As late as 2004, (Chen & Robert 2004) reported that "the vast majority of Windows PCs are vulnerable to new outbreaks". Although Microsoft's quality control has been improved, its products are also much more complex, and hence a wide array of vulnerabilities still exists, and more regularly emerge. The terms 'virus' and 'worm' distinguish forms that malware takes. Those terms do not provide an indication at any level of detail about what 'vector', or means of distribution,
any given item of malware may use. Similarly, those terms do not provide any information about the nature of the function that the malware performs, usefully referred to as its 'payload'. A range of terms has come into use to describe particular categories of payload. The following section will distinguish among such categories of malware as trojans, spyware, bots, rootkits and web-based attacks. In addition to the literature cited in the body of this paper, a range of resources listed at the end of the paper were considered during the analysis and compilation of the definitions. In Clarke & Maurushat (2007), the distinction between vectors and payloads was used in conducting an analysis of the security of consumer devices, particularly in the context of mobile payments. This paper extends that approach to include the manner of invocation of deployed malware. It then shows how the various forms of malware can be readily categorised using those three dimensions, and demonstrates the advantages that the categorisation offers. Some of the confusion in the popular literature arises from the conflation of 'undesired content' issues (such as spam) and 'malbehaviour' (such as spamming and phishing) with 'undesired software' (malware). The paper accordingly commences by distinguishing those three topic-areas. It then introduces and applies the vector, payload and invocation dimensions, in order to deliver a set of operational definitions of the primary categories of malware. The discussion is summarised in a glossary.
2. Foundational Concepts It is important to disentangle malware from related notions. Firstly, undesired software is a special case of undesired content more generally. Secondly, malware may come to be on a device as a result of the manipulation of human behaviour. This section outlines each of these ideas, and in the third sub-section an operational definition of malware is developed, appropriate to the purpose of the undertaking. 2.1 Undesired Content By undesired content is meant here data that exists on a device which the person controlling the device did not intend to be there. It includes spam, email-attachments pushed to the device (including unrequested promotional material and pornography), unexpected content arriving on the device as a result of requests submitted in webbrowsers (including advertisements), and unsolicited material arriving through P2P networks. The term also encompasses software. Undesired content comes to be on a device by means of a 'vector' that delivers a 'payload'. These terms will be discussed in the following sections. 2.2 Malbehaviour The term `social engineering' is applied to ways of enveigling users into providing the vector whereby undesired content reaches their device. A common example is 'phishing'. A message is presented to a user, commonly by email, but in principle using any form of messaging. The message encourages the person to divulge important information, e.g. by replying to the email, or (in recent times, more commonly) by going to what presents as though it were the web-site of a trusted party such as a bank, and then providing an authenticator such as a password or PIN. An even more longstanding example of malbehaviour is incitement to users to download and execute software. It is particularly challenging to devise countermeasures against this reticulation method, because there have to be channels for downloading software to machines, and malware-providers can easily mimic the actions of trusted providers of legitimate software. A recently-popular form of social engineering is the 'botnet herder' technique of luring a person into downloading and executing malware by means of some form of chat or instant messaging (IM) service (i.e. a service provided by particular protocols and associated client- and server-software that support human-real-time / synchronous communication). 2.3 Malware
From the perspective of the discussion in the preceding sub-sections, malware is a particular category of undesired content, and generally comes to be on a device as a result of some form of malbehaviour. The term 'malware' is widely used as the generic term for a considerable family of software and techniques that are implemented by means of software. Malware results, may result, or is intended to result in some deleterious consequence. A wide diversity of forms is encompassed, including viruses, worms, trojans, spyware, bots, rootkits and web-based attacks. In security terms, items of malware are threats, and need to be distinguished from vulnerabilities; but differentiating between the two is not always simple. An example of a category that can be either a vulnerability or a threat is a 'backdoor'. This is a means whereby access is gained to a user-account on a device, bypassing safeguards. It may be an inherent vulnerability (such as a stillavailable default user-account with high privileges and an obvious username/password pair such as SYSTEM/SYSTEM - as was once the case with the DEC VMS operating system). Alternatively, it may be a threat, in the form of a known way in which some other vulnerability can be exploited to create such a user-account, whose details are known only to the attacker. A variety of proposals have been made for categorising malware. For example, Alcock (2006) distinguishes malware along three dimensions: 1. self-replicating malware, which creates new copies of itself; 2. its population growth rate; and 3. Parasitic malware, which depends on some other executable code in order to exist. The overlapping nature of Alcock's categories is typical of the clumsiness of so many of the attempts to develop a workable taxonomy. As the following paragraphs will demonstrate, several challenges arise in establishing operational definitions of both malware and particular forms of malware. The explanations provided in popular literatures, and even those in the refereed literature, are of little use to a study intended to support technical management and the design of regulatory measures. The remainder of this section considers the factors that may need to be reflected in a definition,and then proposes an operational definition of malware. The subsequent section proposes a means of categorising particular forms of malware. Most malware (including worms, trojans, spyware, bots, rootkits and web-based attacks) takes the form of an independent executable program. A virus, on the other hand, is a segment of code inserted into a host program. It is not handled by the device's operating system as an independent executable, but rather performs its function when the host program is loaded and executed. Malware may not be delivered in directly executable code expressed in the target device's machine-language, but may be in a high-level language that requires a compiler or an interpreter, or a mid-level language that requires a run-time interpreter (Clarke 1991). Some environments have serious vulnerabilities, in that code may be automatically accepted and invoked. For example, for many years, the default on a range of Microsoft products when they were shipped was to immediately execute VBScript code that they received. Further, the code may be a fragment within an otherwise inert document-file. Some utilities, such as word processors and spread sheet modellers, enable small code fragments or 'macros' to be embedded within the documents produced using them. These macros may be used as a means of transferring malware between devices. Microsoft's Office suite is dominant in this arena, and has long suffered, and continues to suffer a range of vulnerabilities in this area. Unlike executable files, macros are expressed in a high-level language and depend on an interpreter. As a result, they are potentially 'cross-platform' viruses, i.e. they are not specific to an operating system, processor-chip, or machine-language, but rather can run in any environment for which the appropriate interpreter has been delivered. Most forms of malware (including many instances of viruses, worms, trojans, spyware, bots and rootkits) are stored on the device and need to be expressly invoked in
order to perform their function, whereas others (particularly web-based attacks) are received and executed without prior storage. Most malware is not intentionally loaded, and is not intentionally invoked, by a user of the device. That applies to viruses, worms, some spyware, bots, rootkits and web-based attacks. On the other hand, a trojan is software that claims to (and may well) perform a desired function; but also performs some other undesired function that the person who installs it on the device was not aware of at the time. Some spyware may also have this feature. Malware generally performs a function that is harmful. In most cases, the harm is to some interest of the user of the device, or of the person responsible for it. The harm may take such forms as deletion of data, modification of data, and disclosure of data. In other cases, the target of the harm may be some other person. This most commonly arises from bots, which are used for relaying spam and running distributed denial of service attacks. A useful definition of malware must also, however, encompass instances in which no harm is intended (e.g. because the software is a proof-of-concept or demonstration), or no harm is done (e.g. because the software is inoperable on the device in question, as occurs when a specifically Windows executable reaches a device that does not run a Windows operating system), or the item remains latent (i.e. on the device but never invoked). Most malware is intentionally harmful. On the other hand, some is intentionally beneficial (such as a worm designed to counter the negative impact of a harmful worm); and some is not intended to perform any harmful function, but only to demonstrate 'proof of concept', or enable measurement of the rate of dissemination arising from a particular design feature. A more broadly inclusive definition risks extending to software that causes harm as a result of programming errors rather than malicious intent. One benefit of this approach, however, is that it avoids the legally and practically difficult problem of inferring intent (particularly where the perpetrator is unknown). Another benefit is that it recognises low-quality software as a threat. In order to encompass the intended range of items, and to reflect the complexities discussed above, the following operational definition is proposed: Malware is: • • • software, or a software component or feature, that comes by some means to be invoked by a device, and that on invocation, has an effect that is: ○ ○ unintended by the person responsible for the device, and potentially harmful to an interest of that or some other person
The following section considers three aspects or dimensions of differentiation among the various categories of malware, and develops from that a definition of each category.
3. A Categorisation of Malware Forms Malware uses a 'vector' to deliver a 'payload' which performs a function that is harmful to some party and which is 'invoked' by some means. This section discusses a number of categories of malware at a sufficient depth to enable them to be categorised according to these three dimensions. The final sub-section provides a tabular summary. Appendix 2 consolidates into glossary form the definitions developed in the analysis that follows. 3.1 The Vector The term 'vector' refers to the means whereby undesired content comes to be on a device. The term 'vector' encompasses both the act of transmission and the techniques whereby the transmission occurs. It encompasses two broad sub-categories: • copying from portable storage directly-connected to the device, such as a diskette, CD, DVD or solid-state electronic 'drive'; and
•
transmission or download from another device on a local area network, or from a device on a remote network.
In the case of transmission or download from a separate device, a variety of subcategories arise, in particular: • File transfer. This may be achieved using software that implements a standard protocol such as FTP, or a proprietary protocol, provided that the protocol is implemented on both devices. The file may be 'pulled' (i.e. initiated by the recipient) or 'pushed' (i.e. initiated by the party whose device already has a copy of the file); Email. This may become a vector for malware because: ○ ○ ○ ○ ○ • a lax (or possibly malicious) software supplier enables the client-software to automatically execute code in an email-attachment; a lax (or possibly malicious) user changes the settings in the client to autoexecute code in an email-attachment; a lax (or possibly malicious) user manually invokes the contents of an email-attachment; a previous successful attack enables the client-software to automatically execute code in an email-attachment; the email message may apply social engineering techniques to enveigle a user into downloading a file via some other channel; by similar means to those described above for email, although in this case the capability to 'pull' a file down may be provided within the same service; using social engineering techniques to enveigle a user into downloading a file;
•
chat / instant messaging services: ○
•
bulletin boards / newsgroups: ○
•
the Web (which for these purposes can be regarded as a particularly rich and sophisticated form of bulletin board): ○ ○ using social engineering techniques to enveigle a user into requesting that their browser download a file; using a variety of features of HTTP, HTML, Javascript, server-side capabilities and associated protocols and standards, to cause a file to be downloaded to the user's device, based on a user-performed trigger that did not represent either an intentional request or an informed response to a request for consent;
•
P2P networks (whose nature is, for these purposes, that of a distributed bulletin board): ○ ○ using social engineering techniques to enveigle a user into downloading a file; Using features that cause a file to be downloaded to the user's device, based on a user-performed trigger that did not represent either an intentional request or informed response to a request for consent.
Devices running the various versions of Windows operating systems are especially rich in vulnerabilities that make these vectors attractive to attackers. As indicated earlier, there is a longstanding (but recently much-reduced) problem of highly permissive default parameter-settings, and a norm of wide-ranging permissions granted to useraccounts. That problem is compounded by a feature of Microsoft's architecture for server interactions with networked clients, which has had a variety of names, but is usefully referred to as 'ActiveX controls'. Microsoft's design inherently provides code that arrives at the client with access to the entire device. This is quite different from the
much less insecure approach adopted by alternatives such as Java and (with qualifications) ECMAscript/Javascript, which are limited to a 'sandbox'. The definitions of most categories of malware do not limit the vector used, although many categories may be usefully qualified by a vector-descriptor in order to identify a sub-category; hence, for example, an 'email virus'. A special case is so-called 'drive-by download'. The term refers generally to downloads that a user authorises unwittingly; but it is sometimes used specifically within the context of the Web; and it is sometimes used specifically for exploits on devices using Microsoft Windows that take advantage of the inbuilt vulnerability that ActiveX controls represent (Howes 2004). 3.2 The Payload The term 'payload' was originally used in the U.K. in about 1930, to refer to the carriage capacity of aircraft. In IT, from about the 1970s, it distinguishes the content of a communication from the means whereby it is delivered, including the addressing information. In the case of spam, for example, the payload is the text of the message itself, and/or the contents of an attachment to the message. The contents of an attachment can be in any form, including text, formatted text such as HTML, image, sound, video, executable code and invokable code that is not directly executable, including invokable code within HTML, in such forms as Javascript and VBscript. In the case of malware, the payload is the active code that is delivered to the target device in order to perform some function or functions. The scope of the payload may include functions ancillary to the ultimate purpose, such as means of obscuring the existence or operation of the malware. However, the scope usually excludes code whose function is to cause the malware to replicate itself. A considerable number of functions might be performed by malware. The following list of categories has been devised in order to reflect known functions and specialist terms, but also to be wide enough to cover other likely applications: • Operations on data. These include: ○ data creation, such as insertion of data into control files in order to establish a new user account, or insertion of an entry into the list of programs that are to be executed when the device is started up or closed down; data deletion, or directory-entry deletion (which causes the still-existent data to become unfindable); data modification, such as: changes to security-settings for files or user-accounts; Changes to parameter-settings. These may be designed to open up a vulnerability on the device, or obscure the operation of the malware from monitoring and investigation software. For example, a utility or application such as an email-client, a chat or instant messaging client, or a web-browser, may be set to auto-execute code that it receives; changes to port-settings. These can also be used to open up a vulnerable channel on the device, which an attacker can exploit; a general term for malware that performs this function is 'spyware'. Like most malware functions, this is only likely to be effective if performed surreptitiously; a sub-category of spyware is recognised, called a 'keystroke logger', which captures the user's keystrokes (particularly when entering security-sensitive data such as passwords or credit card details); a concept that overlaps with spyware is 'adware', which (usually surreptitiously) gathers data about a user's behaviour as a basis for selecting among possible advertisements to display to that user;
○ ○
○
data capture:
○
data disclosure. Some spyware (usually surreptitiously) transmits the data it has captured to a remote location, or facilitates access to it by an unauthorised user installation of software, or modifications to software, for such purposes as: establishing a new 'backdoor', which as discussed above is a means for gaining access to a user-account on a device by bypassing safeguards; installing a 'rootkit', which obscures the operation of malware from monitoring and investigation software;
•
operations on software, e.g.: ○
○ ○
modifications to anti-malware software to reduce its effectiveness; modifications to malware already installed on the device, possibly in order to sustain the malware's ability to avoid detection and continue to perform its function;
•
the downloading of files, perhaps content, but typically software or software fragments, from a remote location such as an FTP site, a web-site or a bulletin board or newsgroup. Three important uses of this technique are: ○ to download applications that are too large to propagate as worms. An important example is remote administration tools (RATs), or at least the instances of them intended for use in attacks, such as BackOrifice; to adapt the malware payload; and to detect a triggering event, e.g. to synchronise a botnet (which is defined in the following sub-section), and thereby enabling spam-relaying or a distributed denial of service attack.
○ ○
One commonly-used term in the malware arena has been omitted from the above list. The reason is that the term 'trojan' is subject to a wide variety of undisciplined usages. The common element in the various senses of the term is that a trojan appears to the user to perform one function, and may do so, but is designed to perform an additional function that the user is not aware of. This is a particularly easy confidence trick to use, because legitimate and illegitimate invitations to download and to run software are essentially indistinguishable from one another. The offer of anti-virus software is a particular favourite technique used by attackers. In relation to the transmission vector, the two primary flavours of the term are: • in its restrictive form, a trojan is malware that reaches a device as a result of intentional downloading or installation by an authorised user as a result of a social engineering exploit; or in its less restrictive form, the vector used is not relevant, i.e. any vector will do.
•
In relation to the payload, the two primary flavours of the term can be represented as follows: • in its restrictive form, the extra functionality of the malware is specifically the facilitation of unauthorised remote access to the device. This is also called a 'remote control trojan', or (more appropriately) a 'remote access trojan' or 'backdoor trojan'; or in its less restrictive form, the extra functionality is simply potentially harmful to an interest of some person, i.e. any payload will do.
•
The analysis in this paper adopts the following terms and definitions, on the grounds that these two categories are valuable tools in security analysis and benefit from a term to describe them, whereas the others are already satisfactorily covered by other established terms: • a 'trojan', in the general sense, is defined by its vector rather than by its payload. The vector is intentional downloading or installation by an authorised
user, as a result of a social engineering exploit that involves convincing the user that the software is beneficial; and • a 'backdoor trojan' is defined by its payload as well as its vector. The payload is a means of facilitating remote access to the device.
3.3 Invocation The notion of 'invocation' is used to refer to the causing of the code to run in the target device. The generic 'invoke' is preferred to 'execute' because of the many forms in which code may be delivered. In particular, the code may be native to the instructionset of the target device, or it may in a form that requires a compiler, an interpreter or a run-time interpreter. The term 'invoke' also encompasses embedded code, such as macros within word processing and spreadsheet documents. The device's operating system may include some safeguards against the unauthorised invocation of programs, such as specific permissions associated with each useraccount, which limit the software that can be run from that account and/or the data that can be accessed from it. Effective malware needs to be able to circumvent or subvert such safeguards. The following is a summary of key ways in which malware can be invoked: • by an explicit and probably intentional action of an authorised user of the device: ○ ○ • using something that forms part of the device, such as a keyboard and/or mouse; or remotely, through a user-account;
by an implicit and possibly unintentional action of an authorised user of the device. Important examples include: ○ ○ the invocation of a macro, by opening a document that contains it, such as a Word document or Excel spreadsheet; a 'website application attack'. This involves a request from a webbrowser triggering the delivery of malware to the device on which the webbrowser is running. This may be achieved in several ways: the malware may be delivered directly by the web-server. This may be: under instruction by the web-server manager; or through a connivance by another party;
the malware may be delivered indirectly by an invocation by the web-server of a component from another site. In this case, either or both of the invocation and the delivery may be either: under instruction by the web-server manager; or through a connivance by another party;
•
by an action of some person other than an authorised user of the device: ○ ○ using something that forms part of the device, such as a keyboard and/or mouse; or remotely, through a user-account. This may be achieved through the use of existing user-accounts on the device, including those whose passwords are the same as the username, are obvious (e.g. 'password' or, famously, 'SYSTEM') or are null; or through the prior, surreptitious creation of a useraccount and password known to the attacker; remotely, using a 'bot'. A bot is any malware that is capable of being invoked remotely in order to perform a particular function. Typical functions include emailing spam and distrubuted denial of service (DDOS) attacks. A device on which a bot is installed is referred to as a 'zombie'. A set of devices on which bots are installed is referred to as a 'botnet'. A
○
person who can exercise control over a botnet is referred to as a 'botnet master' or herder; • by automated invocation of the software. A common example is by achieving the insertion of a call to the program into the start-up or close-down routines, such that it is invoked every time the device is initialised or shut down; as a result of a request by the device to a remote device, which results in software being downloaded and executed. A primary example of this is a request from a web-browser to a web-server for the file that is stored at a particular URL. If this file contains software (in a form such as Javascript, Java code or a Microsoft ActiveX 'control', i.e. program), then the software will be automatically executed on arrival at the consumer device, unless settings in the device block its execution, or make its execution dependent on the user providing express approval. Code expressed in Java, and with qualifications Javascript, may be limited to a 'sandbox'. Code in an ActiveX control cannot; by the action of a remote device. This is a 'push' mechanism, as distinct from the 'pull' mechanism described in the previous bullet-point. An example of this is a file attached to an email, which is automatically received and stored, without any action by the user other than the periodic down-loading of the contents of the mailbox, and which may (depending on the settings in the email clientsoftware) be automatically invoked; by the action of instructions in some other software running on the device. Examples include: ○ ○ a timed action (e.g. 'run this backup program at midnight each evening'); auto-updates, e.g. of systems software or application software already installed on the device, or of data used by installed software, such as virus signatures.
•
•
•
The above categories can be grouped in several ways. One involves distinguishing between local invocation within the device, and invocation triggered remotely by an action by an attacker. An item of malware, when invoked, may perform its function(s) and then terminate. Alternatively, it may remain memory-resident and active. A further variant is that it may remain memory-resident, but dormant, pending some trigger. Such software is commonly referred to as a 'daemon' or in Microsoft environments a 'Windows service'. A daemon is capable of performing functions that a one-time program is not, such as taking advantage of ephemeral data or a communications channel that is only open briefly.
4. Conclusions Clarity of language is crucial to understanding an analysis. This paper has documented an approach to the categorisation of malware, which enables each particular kind of malware to be defined in terms of the vector it uses, the payload it carries, or the the manner in which it is invoked. The use of the definitions proposed in this paper should significantly reduce the ambiguity of statements that use the dozen or so relevant terms. Beyond overcoming mere ambiguity, this should result in fewer accidental generalisations whose scope needs to be qualified. It should also have the effect of guiding conversations and analyses towards appropriate inferences. The ultimate purpose of a carefully formulated set of definitions set within a theoretical framework is the more effective design of safeguards. At a technical level, benefits include more reliable recognition of malware, and the avoidance of false-positives. Organisational measures should be enhanced through clearer communication as part of awareness, education and itions can also be used to ensure effective legal measures such as definitions of malware-related crimes.
care less about the privacy hype..., in fact some "Spyware" programs are among the most popular downloads on the Internet. Real spyware... There are also many PC surveillance tools that allow a user to monitor all kinds of activity on a computer, ranging from keystroke capture, snapshots, email logging, chat logging and just about everything else. These tools are often designed for parents, businesses and similar environments, but can be easily abused if they are installed on your computer without your knowledge. These tools are perfectly legal in most places, but, just like an ordinary tape recorder, if they are abused, they can seriously violate your privacy. History and development The first recorded use of the term spyware occurred on 16 October 1995 in a Usenet post that poked fun at Microsoft's business model.[1] Spyware at first denoted software meant for espionage purposes. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall.[2] Since then, "spyware" has taken on its present sense.[2] According to a 2005 study by AOL and the National Cyber-Security Alliance, 61 percent of surveyed users' computers were infected with form of spyware. 92 percent of surveyed users with spyware reported that they did not know of its presence, and 91 percent reported that they had not given permission for the installation of the spyware.[3] As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. Computers on which Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks, not only because IE is the most widely-used,[4] but because its tight integration with Windows allows spyware access to crucial parts of the operating system.[4][5] Before Internet Explorer 6 SP2 was released as part of Windows XP Service Pack 2, the browser would automatically display an installation window for any ActiveX component that a website wanted to install. The combination of user naivety concerning malware, and the assumption by Internet Explorer that all ActiveX components are benign, led, in part, to the massive spread of spyware. Many spyware components would also make use of exploits in Javascript, Internet Explorer and Windows to install without user knowledge or permission. The Windows Registry contains multiple sections where modification of key values allows software to be executed automatically when the operating system boots. Spyware can exploit this design to circumvent attempts at removal. The spyware typically will link itself from each location in the registry that allows execution. Once running, the spyware will periodically check if any of these links are removed. If so, they will be automatically restored. This ensures that the spyware will execute when the operating system is booted, even if some (or most) of the registry links are removed. Comparison- Spyware, adware and tracking The term adware frequently refers to any software which displays advertisements, whether or not the user has consented. Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These may be classified as "adware", in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service. Most adware is spyware in a different sense than "advertising-supported software": it displays advertisements related to what it finds from spying on users. Gator Software from Claria Corporation (formerly GATOR) and Exact Advertising's BargainBuddy are examples. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user is shown many pop-up advertisements. Other spyware behavior, such as reporting on websites the user visits, occurs in the background. The data is used for "targeted" advertisement impressions. The prevalence of spyware has cast suspicion on other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet
Explorer plug-in published by Amazon.com, as spyware, and some anti-spyware programs such as Ad-Aware report it as such. Many of these adware-distributing companies are backed by millions of dollars of adware-generating revenues. Adware and spyware are similar to viruses in that they can be considered malicious in nature. People are profiting from misleading adware, sometimes known as scareware, such as Antivirus 2009. Similarly, software bundled with free, advertising-supported programs acts as spyware (and, if removed, disables the 'parent' program), yet people are willing to download it. This presents a dilemma for proprietors of anti-spyware products whose removal tools may inadvertently disable wanted programs. For example, WhenUSave is ignored by popular anti-spyware program Ad-Aware (but removed as spyware by most scanners) because it is part of the popular (but recently decommissioned) eDonkey client.[6] To address this dilemma, the Anti-Spyware Coalition was formed to establish and document best practices regarding acceptable software behavior.[2] However, the AntiSpyware Coalition website does not appear to have been updated since late 2008. Spyware, viruses and worms Unlike viruses and worms, spyware does not usually self-replicate. Like many recent viruses, however, spyware—by design—exploits infected computers for commercial gain. Typical tactics include delivery of unsolicited pop-up advertisements, theft of personal information (including financial information such as credit card numbers), monitoring of Web-browsing activity for marketing purposes, and routing of HTTP requests to advertising sites. However, spyware can be dropped as a payload by a worm. Routes of infection
Malicious websites attempt to install spyware on readers' computers. Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities. Most spyware is installed without users' knowledge. Since they tend not to install software if they know that it will disrupt their working environment and compromise their privacy, spyware deceives users, either by piggybacking on a piece of desirable software such as Kazaa, or by tricking them into installing it (the Trojan horse method). Some "rogue" spyware programs masquerade as security software. The distributor of spyware usually presents the program as a useful utility—for instance as a "Web accelerator" or as a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a program bundled with spyware[7] and targeted at children, claims that: He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE![8]
Spyware can also come bundled with other software. The user downloads a program and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable freeware with installers that slipstream spyware. Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware. The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a "drive-by download", which leaves the user a hapless bystander to the attack. Common browser exploits target security vulnerabilities in Internet Explorer and in the Sun Microsystems Java runtime. The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it the most frequent target. Its deep integration with the Windows environment and scriptability make it an obvious point of attack into Windows. Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser's behavior to add toolbars or to redirect traffic. In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to install spyware that put pornographic pop-ups on the infected system's screen.[9] By directing traffic to ads set up to channel funds to the spyware authors, they profit personally. Effects and behaviors A spyware program is rarely alone on a computer: an affected machine usually has multiple infections. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic. Stability issues, such as applications freezing, failure to boot, and system-wide crashes, are also common. Spyware, which interferes with networking software, commonly causes difficulty connecting to the Internet. In some infections, the spyware is not even evident. Users assume in those situations that the performance issues relate to faulty hardware, Windows installation problems, or another infection. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality. Only rarely does a single piece of software render a computer unusable. Rather, a computer is likely to have multiple infections. The cumulative effect, and the interactions between spyware components, causes the symptoms commonly reported by users: a computer, which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Some spyware disables or even removes competing spyware programs, on the grounds that more spyware-related annoyances make it even more likely that users will take action to remove the programs. One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the two later settled with an agreement not to disable each others' products.[10] Some other types of spyware use rootkit like techniques to prevent detection, and thus removal. Targetsoft, for instance, modifies the "Winsock" Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage. A typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system. As with other operating systems, Windows users too are able to follow the principle of least privilege and use non-administrator least user access accounts, or to
reduce the privileges of specific vulnerable Internet-facing processes such as Internet Explorer (through the use of tools such as DropMyRights). However, as this is not a default configuration, few users do this. In Windows Vista, by default, a computer administrator runs everything under limited user privileges. When a program requires administrative privileges, Vista will prompt the user with an allow/deny pop-up (see User Account Control). This improves on the design used by previous versions of Windows. Advertisements Many spyware programs display advertisements. Some programs simply display pop-up ads on a regular basis; for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to the user visiting specific sites. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior. Many users complain about irritating or offensive advertisements as well. As with many banner ads, spyware advertisements often use animation or flickering banners, which can be visually distracting and annoying to users. Pop-up ads for pornography often display indiscriminately. Links to these sites may be added to the browser window, history or search function. When children are the users, this could possibly violate antipornography laws in some jurisdictions. A number of spyware programs break the boundaries of illegality; variations of “Zlob.Trojan” and “Trojan-Downloader.Win32.INService” have been known to show undesirable child pornography, key gens, cracks and illegal software pop-up ads, which violate child pornography and copyright laws.[11][12][13][14] A further issue in the case of some spyware programs concerns the replacement of banner ads on viewed web sites. Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site's own advertisements (which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites. "Stealware" and affiliate fraud A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware", and what spyware researcher Ben Edelman terms affiliate fraud, a form of click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor. Spyware which attacks affiliate networks places the spyware operator's affiliate tag on the user's activity — replacing any other tag, if there is one. The spyware operator is the only party that gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue, networks' reputations are injured, and vendors are harmed by having to pay out affiliate revenues to an "affiliate" who is not party to a contract.[15] Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.[citation needed] Identity theft and fraud In one case, spyware has been closely associated with identity theft.[16] In August 2005, researchers from security software firm Sunbelt Software suspected the creators of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc.";[17] however it turned out that "it actually (was) its own sophisticated criminal little trojan that's independent of CWS."[18] This case is currently under investigation by the FBI. The Federal Trade Commission estimates that 27.3 million Americans have been victims of identity theft, and that financial losses from identity theft totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals.[19]
Spyware-makers may commit wire fraud with dialer program spyware. These can reset a modem to dial up a premium-rate telephone number instead of the usual ISP. Connecting to these suspicious numbers involves long-distance or overseas charges which invariably result in high call costs. Dialers are ineffective on computers that do not have a modem, or are not connected to a telephone line, and are now very rare due to the decline in use of dial-up internet access. Digital rights management Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music Entertainment was found to be using rootkits in its XCP digital rights management technology[20] Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. Texas Attorney General Greg Abbott filed suit,[21] and three separate class-action suits were filed.[22] Sony BMG later provided a workaround on its website to help users remove it.[23] Beginning on 25 April 2006, Microsoft's Windows Genuine Advantage Notifications application[24] was installed on most Windows PCs as a "critical security update". While the main purpose of this deliberately uninstallable application is to ensure the copy of Windows on the machine was lawfully purchased and installed, it also installs software that has been accused of "phoning home" on a daily basis, like spyware.[25][26] It can be removed with the RemoveWGA tool. Personal relationships Spyware has been used to surreptitiously monitor electronic activities of partners in intimate relationships, generally to uncover evidence of infidelity. At least one software package, Loverspy, was specifically marketed for this purpose. Depending on local laws regarding communal/marital property, observing a partner's online activity without their consent may be illegal; the author of Loverspy and several users of the product were indicted in California in 2005 on charges of wiretapping and various computer crimes.[27] [edit] Browser cookies Anti-spyware programs often report Web advertisers' HTTP cookies, the small text files that track browsing activity, as spyware. While they are not always inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and many anti-spyware programs offer to remove them.[28] [edit] Examples These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into "families" based not on shared program code, but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs that are frequently installed together may be described as parts of the same spyware package, even if they function separately. • CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites.[29] Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.[30] HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX driveby download at affiliate Web sites, or by advertisements displayed by other spyware programs—an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.[31][32]
•
•
•
Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General's Office, the Better Business Bureau, and other agencies. Consumers complained they were held hostage by a cycle of oversized pop-up windows demanding payment of at least $29.95, claiming that they had signed up for a three-day free trial but had not cancelled before the trial period was over, and were thus obligated to pay.[33][34] The FTC filed a complaint, since settled, against Movieland and eleven other defendants charging them with having "engaged in a nationwide scheme to use deception and coercion to extract payments from consumers."[35] WeatherStudio has a plugin that displays a window-panel near the bottom of a browser window. The official website notes that it is easy to remove (uninstall) WeatherStudio from a computer, using its own uninstall-program, such as under C:\Program Files\WeatherStudio.[36] Once WeatherStudio is removed, a browser returns to the prior display appearance, without the need to modify the browser settings. Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies (as seen in their [Zango End User License Agreement]).[15] Zlob trojan, or just Zlob, downloads itself to a computer via an ActiveX codec and reports information back to Control Server[citation needed]. Some information can be the search-history, the Websites visited, and even keystrokes.[citation needed] More recently, Zlob has been known to hijack routers set to defaults.[37]
•
•
•
[edit] Legal issues [edit] Criminal law Unauthorized access to a computer is illegal under computer crime laws, such as the U.S. Computer Fraud and Abuse Act, the U.K.'s Computer Misuse Act, and similar laws in other countries. Since owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware, particularly viruses. However, few spyware developers have been prosecuted, and many operate openly as strictly legitimate businesses, though some have faced lawsuits.[38][39] Spyware producers argue that, contrary to the users' claims, users do in fact give consent to installations. Spyware that comes bundled with shareware applications may be described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria say these demonstrate that users have consented. Despite the ubiquity of EULAs and of "clickwrap" agreements, under which a single click can be taken as consent to the entire text, relatively little caselaw has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreement can be a binding contract in certain circumstances.[40] This does not, however, mean that every such agreement is a contract, or that every term in one is enforceable. Some jurisdictions, including the U.S. states of Iowa[41] and Washington,[42] have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software. In the United States, lawmakers introduced a bill in 2005 entitled the Internet Spyware Prevention Act, which would imprison creators of spyware.[43] [edit] Administrative sanctions [edit] US FTC actions
The US Federal Trade Commission has sued Internet marketing organizations under the "unfairness doctrine" [44] to make them stop infecting consumers’ PCs with spyware. In one case, that against Seismic Entertainment Productions, the FTC accused the defendants of developing a program that seized control of PCs nationwide, infected them with spyware and other malicious software, bombarded them with a barrage of pop-up advertising for Seismic’s clients, exposed the PCs to security risks, and caused them to malfunction, slow down, and, at times, crash. Seismic then offered to sell the victims an “antispyware” program to fix the computers, and stop the popups and other problems that Seismic had caused. On November 21, 2006, a settlement was entered in federal court under which a $1.75 million judgment was imposed in one case and $1.86 million in another, but the defendants were insolvent[45] In a second case, brought against CyberSpy Software LLC, the FTC charged that CyberSpy marketed and sold "RemoteSpy" keylogger spyware to clients who would then secretly monitor unsuspecting consumers’ computers. According to the FTC, Cyberspy touted RemoteSpy as a “100% undetectable” way to “Spy on Anyone. From Anywhere.” The FTC has obtained a temporary order prohibiting the defendants from selling the software and disconnecting from the Internet any of their servers that collect, store, or provide access to information that this software has gathered. The case is still in its preliminary stages. A complaint filed by the Electronic Privacy Information Center (EPIC) brought the RemoteSpy software to the FTC’s attention.[46] [edit] Netherlands OPTA An administrative fine, the first of its kind in Europe, has been issued by the Independent Authority of Posts and Telecommunications (OPTA) from the Netherlands. It applied fines in total value of Euro 1,000,000 for infecting 22 million computers. The spyware concerned is called DollarRevenue. The law articles that have been violated are art. 4.1 of the Decision on universal service providers and on the interests of end users; the fines have been issued based on art. 15.4 taken together with art. 15.10 of the Dutch telecommunications law. A part of these fines has to be paid personally by the directors of these companies, i.e. not from the accounts of their companies, but from their personal fortunes.[47] Since an appeal has been lodged, the fines will have to be paid only after a Dutch law court makes a decision in this case. The culprits maintain that the evidence for violating the two law articles has been obtained illegally. The names of the directors and the names of the companies have not been revealed, since it is not clear that OPTA is allowed to make such information public.[48] [edit] Civil law Former New York State Attorney General and former Governor of New York Eliot Spitzer has pursued spyware companies for fraudulent installation of software.[49] In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling, by agreeing to pay US$7.5 million and to stop distributing spyware.[50] The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court. Courts have not yet had to decide whether advertisers can be held liable for spyware that displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, they have contracted with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies that have run their ads in spyware.[51] [edit] Libel suits by spyware developers Litigation has gone both ways. Since "spyware" has become a common pejorative, some makers have filed libel and defamation actions when their products have been so described. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing its program as "spyware".[52] PC Pitstop settled, agreeing not to use the word "spyware", but continues to describe harm caused by the Gator/Claria software.[53] As a result, other anti-spyware and anti-virus companies have also used other terms such as "potentially unwanted programs" or greyware to denote these products.
[edit] WebcamGate Main article: Robbins v. Lower Merion School District In the 2010 WebcamGate case, plaintiffs charged two suburban Philadelphia high schools secretly spied on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, and therefore infringed on their privacy rights. The school loaded each student's computer with LANrev's remote activation tracking software. This included the now-discontinued "TheftTrack". While TheftTrack was not enabled by default on the software, the program allowed the school district to elect to activate it, and to choose which of the TheftTrack surveillance options the school wanted to enable.[54] TheftTrack allowed school district employees to secretly remotely activate a tiny webcam embedded in the student's laptop, above the laptop's screen. That allowed school officials to secretly take photos through the webcam, of whatever was in front of it and in its line of sight, and send the photos to the school's server. The LANrev software disabled the webcams for all other uses (e.g., students were unable to use Photo Booth or video chat), so most students mistakenly believed their webcams did not work at all. In addition to webcam surveillance, TheftTrack allowed school officials to take screenshots, and send them to the school's server. In addition, LANrev allowed school officials to take snapshots of instant messages, web browsing, music playlists, and written compositions. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.[54][55] [edit] Remedies and prevention As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system. Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data, and fully reinstalling the operating system. For instance, some versions of Vundo cannot be completely removed by Symantec, Microsoft, PC Tools, and others because it infects rootkit, Internet Explorer, and Windows' lsass.exe (Local Security Authority Subsystem Service) with a randomly-filenamed dll (dynamic link library). [edit] Anti-spyware programs See also: Category:Spyware removal Many programmers and some commercial firms have released products dedicated to remove or block spyware. Steve Gibson's OptOut pioneered a growing category. Programs such as PC Tools' Spyware Doctor, Lavasoft's Ad-Aware SE (free scans for non-commercial users, must pay for other features) and Patrick Kolla's Spybot - Search & Destroy (all features free for non-commercial use) rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. On December 16, 2004, Microsoft acquired the GIANT AntiSpyware software,[56] rebranding it as Windows AntiSpyware beta and releasing it as a free download for Genuine Windows XP and Windows 2003 users. In 2006, Microsoft renamed the beta software to Windows Defender (free), and it was released as a free download in October 2006 and is included as standard with Windows Vista as well as Windows 7. Major anti-virus firms such as Symantec, PC Tools, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and now offers real-time protection from them (as it does for viruses). In June 2006, the anti-virus company Grisoft, creator of AVG Anti-Virus, acquired antispyware firm Ewido Networks, re-labeling their Ewido anti-spyware program as AVG Anti-Spyware Professional Edition. AVG also used this product to add an integrated anti-
spyware solution to some versions of the AVG Anti-Virus family of products, and a freeware AVG Anti-Spyware Free Edition available for private and non-commercial use. This shows a trend by anti virus companies to launch a dedicated solution to spyware and malware. Zone Labs, creator of Zone Alarm firewall have also released an antispyware program. Anti-spyware programs can combat spyware in two ways: 1. They can provide real time protection against the installation of spyware software on the computer. This type of spyware protection works the same way as that of anti-virus protection in that the anti-spyware software scans all incoming network data for spyware software and blocks any threats it comes across. 2. Anti-spyware software programs can be used solely for detection and removal of spyware software that has already been installed onto the computer. This type of spyware protection is normally much easier to use and more popular. With this spyware protection software the user can schedule weekly, daily, or monthly scans of the computer to detect and remove any spyware software that have been installed on the computer. This type of anti-spyware software scans the contents of the windows registry, operating system files, and installed programs on the computer and will provide a list of any threats found, allowing the user to choose what to delete and what to keep. Such programs inspect the contents of the Windows registry, the operating system files, and installed programs, and remove files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because many spyware and adware are installed as a result of browser exploits or user error, using security software (some of which are antispyware, though many are not) to sandbox browsers can also be effective to help restrict any damage done. Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs. Like most anti-virus software, many anti-spyware/adware tools require a frequentlyupdated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making "signatures" or "definitions" which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates free. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually. Not all programs rely on updated definitions. Some programs rely partly (for instance many antispyware programs such as Windows Defender, Spybot's TeaTimer and Spysweeper) or fully (programs falling under the class of HIPS such as BillP's WinPatrol) on historical observation. They watch certain configuration parameters (such as certain portions of the Windows registry or browser configuration) and report any change to the user, without judgment or recommendation. While they do not rely on updated definitions, which may allow them to spot newer spyware, they can offer no guidance. The user is left to determine "what did I just do, and is this configuration change appropriate?" Windows Defender's SpyNet attempts to alleviate this through offering a community to share information, which helps guide both users, who can look at decisions made by others, and analysts, who can spot fast-spreading spyware. A popular generic spyware removal tool used by those with a certain degree of expertise is HijackThis, which scans certain areas of the Windows OS where spyware often resides and presents a list with items to delete manually. As most of the items are legitimate windows files/registry entries it is advised for those who are less knowledgeable on this subject to post a
HijackThis log on the numerous antispyware sites and let the experts decide what to delete. If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an antispyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware. Killing the process tree may also work. A new breed of spyware (Look2Me spyware by NicTechNetworks is a good example) hides inside system-critical processes and start up even in safe mode, see rootkit. With no process to terminate they are harder to detect and remove. Sometimes they do not even leave any on-disk signatures. Rootkit technology is also seeing increasing use,[57] as is the use of NTFS alternate data streams. Newer spyware programs also have specific countermeasures against well known anti-malware products and may prevent them from running or being installed, or even uninstall them. An example of one that uses all three methods is Gromozon, a new breed of malware. It uses alternate data streams to hide. A rootkit hides it even from alternate data streams scanners and actively stops popular rootkit scanners from running. [edit] Security practices To detect spyware, computer users have found several practices useful in addition to installing anti-spyware programs. Many system operators install a web browser other than IE, such as Opera, Google Chrome or Mozilla Firefox. Though no browser is completely safe, Internet Explorer is at a greater risk for spyware infection due to its large user base as well as vulnerabilities such as ActiveX.[citation needed] Some ISPs—particularly colleges and universities—have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University's Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it. [58] Many other educational institutions have taken similar steps. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users' behavior, and so may more readily attract institutional attention.[citation needed] Some users install a large hosts file which prevents the user's computer from connecting to known spyware-related web addresses. However, by connecting to the numeric IP address, rather than the domain name, spyware may bypass this sort of protection. Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. Recently, CNet revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.[citation
needed]
The first step to removing spyware is to put a computer on "lockdown". This can be done in various ways, such as using anti-virus software or simply disconnecting the computer from the internet. Disconnecting the internet prevents controllers of the spyware from being able to remotely control or access the computer. The second step to removing the spyware is to locate it and remove it, manually or through use of credible anti-spyware software. During and after lockdown, potentially threatening websites should be avoided. [edit] Programs distributed with spyware • • • Bonzi Buddy[59] Dope Wars[60] EDonkey2000[61]
• • • • • • • • • •
Grokster[62] Kazaa[63] Morpheus[61] RadLight[64] WeatherBug[65] WildTangent[66][67] AOL Instant Messenger[66] (AOL Instant Messenger still packages Viewpoint Media Player, and WildTangent) DivX[68] FlashGet[69][70][71][72][73][74] magicJack[75]
[edit] Programs formerly distributed with spyware
[edit] Rogue anti-spyware programs See also: List of fake anti-spyware programs and Rogue software Malicious programmers have released a large number of rogue (fake) anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware—or else, may add more spyware of their own.[76]
[77]
The recent[update] proliferation of fake or spoofed antivirus products has occasioned some concern. Such products often bill themselves as antispyware, antivirus, or registry cleaners, and sometimes feature popups prompting users to install them. This software is called rogue software. It is recommended that users do not install any freeware claiming to be anti-spyware unless it is verified to be legitimate. Some known offenders include: • • • • • • • • • • • • • • • • • • • • • AntiVirus 360 Antivirus 2008 Antivirus 2009 AntiVirus Gold ContraVirus MacSweeper Pest Trap PSGuard Spy Wiper Spydawn Spylocked Spysheriff SpyShredder Spyware Quake SpywareStrike UltimateCleaner WinAntiVirus Pro 2006 Windows Police Pro WinFixer[78] WorldAntiSpy XP Security
Fake antivirus products constitute 15 percent of all malware.[79] On January 26, 2006, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product.[80] On December 4, 2006, the Washington attorney general announced that Secure Computer had paid $1 million to settle with the state. As of that date, Microsoft's case against Secure Computer remained pending.[81] How Spyware Works Has your computer ever become so slow that you can fix yourself a snack in the time it takes your word processor to open? Perhaps spyware is to blame. Spyware is a category of computer programs that attach themselves to your operating system in nefarious ways. They can suck the life out of your computer's processing power. They're designed to track your Internet habits, nag you with unwanted sales offers or generate traffic for their host Web site. According to some estimates, more than 80 percent of all personal computers are infected with some kind of spyware [source: FaceTime Communications]. But before you chuck your computer out the window and move to a desert island, you might want to read on. In this article we'll explain how spyware gets installed on your computer, what it does there and how you can get rid of it. Some people mistake spyware for a computer virus. A computer virus is a piece of code designed to replicate itself as many times as possible, spreading from one host computer to any other computers connected to it. It usually has a payload that may damage your personal files or even your operating system. Spyware, on the other hand, generally isn't designed to damage your computer. Spyware is defined broadly as any program that gets into your computer without your permission and hides in the background while it makes unwanted changes to your user experience. The damage it does is more a by-product of its main mission, which is to serve you targeted advertisements or make your browser display certain sites or search results. At present, most spyware targets only the Windows operating system. Some of the more notorious spyware threats include Trymedia, Nuvens, Estalive, Hotbar and New.Net.Domain.Plugin [source: CA]. Malware: Computing's Dirty Dozen It seems that no sooner do you feel safe turning on your computer than you hear on the news about a new kind of internet security threat. Usually, the security threat is some kind of malware (though the term "security threat" no doubt sells more newspapers). What is malware? Malware is exactly what its name implies: mal (meaning bad, in the sense of malignant or malicious rather than just poorly done) + ware (short for software). More specifically, malware is software that does not benefit the computer's owner, and may even harm it, and so is purely parasitic. The Many Faces of Malware 1. Viruses. The malware that's on the news so much, even your grandmother knows what it is. You probably already have heard plenty about why this kind of software is bad for you, so there's no need to belabor the point. 2. Worms. Slight variation on viruses. The difference between viruses and worms is that viruses hide inside the files of real computer programs (for instance, the macros in Word or the VBScript in many other Microsoft applications), while worms do not infect a file or program, but rather stand on their own. 3. Wabbits. Be honest: had you ever even heard of wabbits before (outside of Warner Bros. cartoons)? According to Wikipedia, wabbits are in fact rare, and it's not hard to see why: they don't do anything to spread to other machines. A wabbit, like a virus, replicates itself, but it does not have any instructions to email itself or pass itself through a computer network in order to infect other machines. The least ambitious of
all malware, it is content simply to focus on utterly devastating a single machine. 4. Trojans. Arguably the most dangerous kind of malware, at least from a social standpoint. While Trojans rarely destroy computers or even files, that's only because they have bigger targets: your financial information, your computer's system resources, and sometimes even massive denial-of-service attack launched by having thousands of computers all try to connect to a web server at the same time. 5. Spyware. In another instance of creative software naming, spyware is software that spies on you, often tracking your internet activities in order to serve you advertising. (Yes, it's possible to be both adware and spyware at the same time.) 6. Backdoors. Backdoors are much the same as Trojans or worms, except that they do something different: they open a "backdoor" onto a computer, providing a network connection for hackers or other malware to enter or for viruses or sp@m to be sent out through. 7. Exploits. Exploits attack specific security vulnerabilities. You know how Microsoft is always announcing new updates for its operating system? Often enough the updates are really trying to close the security hole targeted in a newly discovered exploit. 8. Rootkit. The malware most likely to have a human touch, rootkits are installed by crackers (bad hackers) on other people's computers. The rootkit is designed to camouflage itself in a system's core processes so as to go undetected. It is the hardest of all malware to detect and therefore to remöve; many experts recommend completely wiping your hard drive and reinstalling everything fresh. 9. Keyloggers. No prïze for guessing what this software does: yes, it logs your keystrokes, i.e., what you type. Typically, the malware kind of keyloggers (as opposed to keyloggers deliberately installed by their owners to use in diagnosing computer problems) are out to log sensitive information such as passwords and financial details. 10. Dialers. Dialers dial telephone numbers via your computer's modem. Like keyloggers, they're only malware if you don't want them. Dialers either dial expensive premium-rate telephone numbers, often located in small countries far from the host computer; or, they dial a hacker's machine to transmit stolen data. 11. URL injectors. This software "injects" a given URL in place of certain URLs when you try to visit them in your browser. Usually, the injected URL is an affïliate link to the target URL. An affïliate link is a special link used to track the traffïc an affïliate (advertiser) has sent to the original website, so that the original website can pay commissions on any salës from that traffïc. 12. Adware. The least dangerous and most lucrative malware (lucrative for its distributors, that is). Adware displays ads on your computer. The Wikipedia entry on malware does not give adware its own category even though adware is commonly called malware. As Wikipedia notes, adware is often a subset of spyware. The implication is that if the user chooses to allow adware on his or her machine, it's not really malware, which is the defense that most adware companies take. In reality, however, the choice to install adware is usually a lëgal farce involving placing a mention of the adware somewhere in the installation materials, and often only in the licensing agreement, which hardly anyone reads. Are you ready to take on this dirty dozen? Don't go it alone. Make sure you have at least one each of antivirus and antispyware. Definitions and A Brief Introduction to the Dangers of Malware 1. Introduction. The ever increasing use of the Internet means more and more computers can be accessed by others through file transfers, e-mails and websites, leaving them susceptible to infection from an increasing number of viruses, Trojan Horses, worms,
adware, spyware, etc. These terms can be very confusing as each one is different in characteristics and will cause different problems or damage to your computer. People will tend to be more on the lookout for these threats if they understand what they are and their potential dangers. This article attempts to clarify the meaning of each of these terms. After reading this article it is strongly suggested that you visit www.bestvalueonline.biz/clearspyware.html for further information on how to protect your PC against this dangerous class of software. Your bank account and identity are ultimately at risk if you do not take action.
2. Malware Many normal computer users are still unfamiliar with the term ‘malware” and most never use it. Instead, "computer virus" is incorrectly used, even in the media to describe all kinds of malware, though not all malware are viruses. Rather than being defined by any particular features, software is considered malware if the perceived intent of the creator is to cause damage. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of California, West Virginia, and several other American states. Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a shortened combination of the words malicious and software. The expression is a general term used by professionals in the computer industry to cover a variety of hostile, intrusive, or annoying software or program code. Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains harmful bugs. 3. Trojan Horse or Trojan In the context of computing and software, a ‘Trojan horse’, or simply ‘Trojan’, is a piece of software which appears to perform a certain action but in fact performs another such as a computer virus. Contrary to popular belief, this action, usually encoded in a hidden payload, may or may not be actually malicious, but Trojan horses are notorious today for their use in the installation of backdoor programs. Simply put, a Trojan horse is not necessarily a computer virus. Unlike such malware, it does not propagate by selfreplication but relies heavily on the exploitation of an end-user. Therefore, a computer worm or virus may be a Trojan horse. The term is derived from the classical story of the Trojan Horse. 4. Computer Worms A ’computer worm’ is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer. 5. Computer Virus A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. The term "virus" is also commonly used, albeit erroneously, to refer to many different types of malware and adware programs. The original virus may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another
when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Viruses can also spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a file that appears harmless. Worms and Trojans may cause harm to a computer system's hosted data, functional performance, or networking throughput, when executed. In general, a worm does not actually harm either the system's hardware or software, while at least in theory a Trojan's payload may be capable of almost any type of harm if executed. Some can't be seen when the program is not running, but as soon as the infected code is run, the virus kicks in. That is why it is so hard for people to find viruses themselves and why they have to use spyware programs and registry processors. Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, Instant Messaging and file sharing systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of selfreplicating malware. Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behaviour and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss. Many CID programs are programs that have been downloaded by the user and pop up every so often. This results in slowing down of the computer, but it is also very difficult to find and stop the problem. 6. Spyware ‘Spyware’ is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent. While the term spyware suggests software that secretly monitors the user's behaviour, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habit, sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software, redirecting Web browser activity, accessing websites blindly that will cause more harmful viruses, or diverting advertising revenue to a third party. Spyware can even change computer settings, resulting in slow connection speeds, different home pages, and loss of Internet or other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term privacy-invasive software. In response to the emergence of spyware, a whole industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security best practices for Microsoft Windows desktop computers. A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user's computer. Threats vary from the systematic capture of everyday events (e.g., what online sites that are visited or what items that are purchased from online stores) to the mass marketing based on the retrieval of personal information (spam offers and telemarketing calls are more
common than ever) to the distribution of information on lethal technologies used for, e.g., acts of terror. Today, software-based privacy-invasions occur in numerous aspects of Internet usage. Spyware programs set to collect and distribute user information secretly download and execute on users’ workstations. Adware displays advertisements and other commercial content often based upon personal information retrieved by spyware programs. System monitors record various actions on computer systems. Keyloggers record users’ keystrokes in order to monitor user behaviour. Self-replicating malware downloads and spreads disorder in systems and networks. Data-harvesting software programmed to gather e-mail addresses have become conventional features of the Internet, which among other things results in that spam e-mail messages fill networks and computers with unsolicited commercial content. With those threats in mind, we hereby define privacy-invasive software as a category of software that ignores users’ right to be let alone and that is distributed with a specific intent, often of a commercial nature, which negatively affect[s] its users. In this context, ignoring users’ right to be let alone means that the software is unsolicited and that it does not permit users to determine for themselves when, how and to what extent personally identifiable data is gathered, stored or processed by the software. Distributed means that it has entered the computer systems of users from (often unknown) servers placed on the Internet infrastructure. Often of a commercial nature means that the software (regardless of type or quality) is used as a tool in some sort of a commercial plan to gain revenues. 7. Adware ‘Adware’ or advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. Some types of adware are also spyware and can be classified as privacy-invasive software. Adware is software with advertising functions integrated into or bundled with a program. It is usually seen by the developer as a way to recover development costs, and in some cases it may allow the program to be provided to the user free of charge or at a reduced price. The advertising income may allow or motivate the developer to continue to develop, maintain and upgrade the software product. Some adware is also shareware, and so the word may be used as term of distinction to differentiate between types of shareware software. What differentiates adware from other shareware is that it is primarily advertising-supported. Users may also be given the option to pay for a "registered" or "licensed" copy to do away with the advertisements. Adware can also download and install PUPs to your computer. 8. Rootkit A ’rootkit’ is a program (or combination of several programs) designed to take fundamental control (in Unix terms "root" access, in Windows terms "Administrator" (access) of a computer system, without authorization by the system's owners and legitimate managers. Access to the hardware (i.e, the reset switch) is rarely required as a rootkit is intended to seize control of the operating system running on the hardware. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. Often, they are also Trojans as well, thus fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system. Rootkits may have originated as regular, though emergency, applications, intended to take control of an unresponsive system, but in recent years have been largely malware to help intruders gain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Mac OS X[2] [3] , Linux and Solaris. Rootkits often modify parts of the operating system or install themselves as
drivers or kernel modules, depending on the internal details of an operating system's mechanisms. 9. Conclusion In this article the terms malware, Trojans or Trojan Horses, Worms, Computer Virus, Spyware, Adware and Rootkits were defined. It is hoped that a better understanding of these terms will result in people becoming more aware of the dangers they are exposed to every day and that they will install the appropriate software to protect themselves from the damage that can be done.
Categories of Malware
1. Introduction Popular treatments of malware are characterised by a vast amount of confusion. Over 20 years after viruses became well-understood and worms erupted into public discussions, it's high time that much more order was brought to the field. The need for much greater clarity extends beyond the broad public arena. Malware is becoming an increasingly serious public policy issue. To counter this, innovations are necessary in technical, organisational and regulatory measures, and coordination must be achieved among organisations in the public and private sectors. Meaningful discussions depend on mutual understanding, and hence a stable and commonlyagreed language is a pre-requisite to progress being made. This paper proposes a terminological framework within which analysis and discussion can be undertaken. Its purpose is to distinguish the various categories of malware in such a manner as to support the evaluation of alternative policy measures that might be effective in combatting them. The paper works within the conventional information technology (IT) security model, as depicted in Exhibit 1. Threatening events, which are specific instances of generic threats, impinge on vulnerabilities, resulting in harm. Safeguards are used in an endeavour to protect against threats and detect and address vulnerabilities. Safeguards may focus on deterrence, prevention, detection or investigation of the threats or events, or amelioration of the harm. Security is a condition in which harm does not arise, because threats and vulnerabilities are effectively countered by safeguards. The paper's scope generally does not extend to attack mechanisms, such as vulnerability scanners, port scanners and password testers, nor to tools used in intermediary devices on the Internet, such as packet sniffers. Exhibit 1: The Conventional IT Security Model
Various forms of malware have emerged over time, as both IT infrastructure and attacks on it have become progressively more complex and sophisticated. The first form in which malware appeared was referred to as a 'virus', a term borrowed from biology in 1983. The form itself, however, can be recognised in phenomena that first appeared as far back as 1971. The notion arrived in the public arena when viruses were transmitted by floppy disk among Apple micro-computers in 1981. Major infections first appeared during the late 1980s on what were then called 'IBM PCs'. Even at that time, some virus transmission was occurring over networks rather than via disks, but networks only became the dominant means of transmission after Internet accessibility became widespread from the mid-1990s (Solomon 1993). Until about 2000, viruses remained the dominant form of malware. Indeed the term 'virus' was initially used for any form of what is referred to in this paper as malware, and in popular literature that habit is still apparent. During the early years of the new century, however, independent programs called worms, propagating over networks, and primarily over the Internet, became the more common form (Chen & Robert 2004). Sample short descriptions of a virus and a worm are provided in Appendix 1. Fuller expositions of the nature of viruses and worms are in texts such as Skoudis (2003), Erbschloe (2005), Szor (2005) and Aycock (2006). Both viruses and worms are threats which need to exploit vulnerabilities in order to propagate, and in order to perform whatever their function may be. Vulnerabilities exist in all operating systems, in all systems software, and in all applications. During the relevant period, the most widespread systems software family by far was the succession of Microsoft Windows products. On workstations that used that operating system, the Microsoft Office suite of applications was very common. Further, until the early 2000s, Microsoft's quality control over security vulnerabilities was lamentable. For this combination of reasons, Microsoft products have both harboured a vast array of vulnerabilities, and been the primary target for malware writers. As late as 2004, (Chen & Robert 2004) reported that "the vast majority of Windows PCs are vulnerable to new outbreaks". Although Microsoft's quality control has been improved, its products are also much more complex, and hence a wide array of vulnerabilities still exists, and more regularly emerge. The terms 'virus' and 'worm' distinguish forms that malware takes. Those terms do not provide an indication at any level of detail about what 'vector', or means of distribution,
any given item of malware may use. Similarly, those terms do not provide any information about the nature of the function that the malware performs, usefully referred to as its 'payload'. A range of terms has come into use to describe particular categories of payload. The following section will distinguish among such categories of malware as trojans, spyware, bots, rootkits and web-based attacks. In addition to the literature cited in the body of this paper, a range of resources listed at the end of the paper were considered during the analysis and compilation of the definitions. In Clarke & Maurushat (2007), the distinction between vectors and payloads was used in conducting an analysis of the security of consumer devices, particularly in the context of mobile payments. This paper extends that approach to include the manner of invocation of deployed malware. It then shows how the various forms of malware can be readily categorised using those three dimensions, and demonstrates the advantages that the categorisation offers. Some of the confusion in the popular literature arises from the conflation of 'undesired content' issues (such as spam) and 'malbehaviour' (such as spamming and phishing) with 'undesired software' (malware). The paper accordingly commences by distinguishing those three topic-areas. It then introduces and applies the vector, payload and invocation dimensions, in order to deliver a set of operational definitions of the primary categories of malware. The discussion is summarised in a glossary.
2. Foundational Concepts It is important to disentangle malware from related notions. Firstly, undesired software is a special case of undesired content more generally. Secondly, malware may come to be on a device as a result of the manipulation of human behaviour. This section outlines each of these ideas, and in the third sub-section an operational definition of malware is developed, appropriate to the purpose of the undertaking. 2.1 Undesired Content By undesired content is meant here data that exists on a device which the person controlling the device did not intend to be there. It includes spam, email-attachments pushed to the device (including unrequested promotional material and pornography), unexpected content arriving on the device as a result of requests submitted in webbrowsers (including advertisements), and unsolicited material arriving through P2P networks. The term also encompasses software. Undesired content comes to be on a device by means of a 'vector' that delivers a 'payload'. These terms will be discussed in the following sections. 2.2 Malbehaviour The term `social engineering' is applied to ways of enveigling users into providing the vector whereby undesired content reaches their device. A common example is 'phishing'. A message is presented to a user, commonly by email, but in principle using any form of messaging. The message encourages the person to divulge important information, e.g. by replying to the email, or (in recent times, more commonly) by going to what presents as though it were the web-site of a trusted party such as a bank, and then providing an authenticator such as a password or PIN. An even more longstanding example of malbehaviour is incitement to users to download and execute software. It is particularly challenging to devise countermeasures against this reticulation method, because there have to be channels for downloading software to machines, and malware-providers can easily mimic the actions of trusted providers of legitimate software. A recently-popular form of social engineering is the 'botnet herder' technique of luring a person into downloading and executing malware by means of some form of chat or instant messaging (IM) service (i.e. a service provided by particular protocols and associated client- and server-software that support human-real-time / synchronous communication). 2.3 Malware
From the perspective of the discussion in the preceding sub-sections, malware is a particular category of undesired content, and generally comes to be on a device as a result of some form of malbehaviour. The term 'malware' is widely used as the generic term for a considerable family of software and techniques that are implemented by means of software. Malware results, may result, or is intended to result in some deleterious consequence. A wide diversity of forms is encompassed, including viruses, worms, trojans, spyware, bots, rootkits and web-based attacks. In security terms, items of malware are threats, and need to be distinguished from vulnerabilities; but differentiating between the two is not always simple. An example of a category that can be either a vulnerability or a threat is a 'backdoor'. This is a means whereby access is gained to a user-account on a device, bypassing safeguards. It may be an inherent vulnerability (such as a stillavailable default user-account with high privileges and an obvious username/password pair such as SYSTEM/SYSTEM - as was once the case with the DEC VMS operating system). Alternatively, it may be a threat, in the form of a known way in which some other vulnerability can be exploited to create such a user-account, whose details are known only to the attacker. A variety of proposals have been made for categorising malware. For example, Alcock (2006) distinguishes malware along three dimensions: 1. self-replicating malware, which creates new copies of itself; 2. its population growth rate; and 3. Parasitic malware, which depends on some other executable code in order to exist. The overlapping nature of Alcock's categories is typical of the clumsiness of so many of the attempts to develop a workable taxonomy. As the following paragraphs will demonstrate, several challenges arise in establishing operational definitions of both malware and particular forms of malware. The explanations provided in popular literatures, and even those in the refereed literature, are of little use to a study intended to support technical management and the design of regulatory measures. The remainder of this section considers the factors that may need to be reflected in a definition,and then proposes an operational definition of malware. The subsequent section proposes a means of categorising particular forms of malware. Most malware (including worms, trojans, spyware, bots, rootkits and web-based attacks) takes the form of an independent executable program. A virus, on the other hand, is a segment of code inserted into a host program. It is not handled by the device's operating system as an independent executable, but rather performs its function when the host program is loaded and executed. Malware may not be delivered in directly executable code expressed in the target device's machine-language, but may be in a high-level language that requires a compiler or an interpreter, or a mid-level language that requires a run-time interpreter (Clarke 1991). Some environments have serious vulnerabilities, in that code may be automatically accepted and invoked. For example, for many years, the default on a range of Microsoft products when they were shipped was to immediately execute VBScript code that they received. Further, the code may be a fragment within an otherwise inert document-file. Some utilities, such as word processors and spread sheet modellers, enable small code fragments or 'macros' to be embedded within the documents produced using them. These macros may be used as a means of transferring malware between devices. Microsoft's Office suite is dominant in this arena, and has long suffered, and continues to suffer a range of vulnerabilities in this area. Unlike executable files, macros are expressed in a high-level language and depend on an interpreter. As a result, they are potentially 'cross-platform' viruses, i.e. they are not specific to an operating system, processor-chip, or machine-language, but rather can run in any environment for which the appropriate interpreter has been delivered. Most forms of malware (including many instances of viruses, worms, trojans, spyware, bots and rootkits) are stored on the device and need to be expressly invoked in
order to perform their function, whereas others (particularly web-based attacks) are received and executed without prior storage. Most malware is not intentionally loaded, and is not intentionally invoked, by a user of the device. That applies to viruses, worms, some spyware, bots, rootkits and web-based attacks. On the other hand, a trojan is software that claims to (and may well) perform a desired function; but also performs some other undesired function that the person who installs it on the device was not aware of at the time. Some spyware may also have this feature. Malware generally performs a function that is harmful. In most cases, the harm is to some interest of the user of the device, or of the person responsible for it. The harm may take such forms as deletion of data, modification of data, and disclosure of data. In other cases, the target of the harm may be some other person. This most commonly arises from bots, which are used for relaying spam and running distributed denial of service attacks. A useful definition of malware must also, however, encompass instances in which no harm is intended (e.g. because the software is a proof-of-concept or demonstration), or no harm is done (e.g. because the software is inoperable on the device in question, as occurs when a specifically Windows executable reaches a device that does not run a Windows operating system), or the item remains latent (i.e. on the device but never invoked). Most malware is intentionally harmful. On the other hand, some is intentionally beneficial (such as a worm designed to counter the negative impact of a harmful worm); and some is not intended to perform any harmful function, but only to demonstrate 'proof of concept', or enable measurement of the rate of dissemination arising from a particular design feature. A more broadly inclusive definition risks extending to software that causes harm as a result of programming errors rather than malicious intent. One benefit of this approach, however, is that it avoids the legally and practically difficult problem of inferring intent (particularly where the perpetrator is unknown). Another benefit is that it recognises low-quality software as a threat. In order to encompass the intended range of items, and to reflect the complexities discussed above, the following operational definition is proposed: Malware is: • • • software, or a software component or feature, that comes by some means to be invoked by a device, and that on invocation, has an effect that is: ○ ○ unintended by the person responsible for the device, and potentially harmful to an interest of that or some other person
The following section considers three aspects or dimensions of differentiation among the various categories of malware, and develops from that a definition of each category.
3. A Categorisation of Malware Forms Malware uses a 'vector' to deliver a 'payload' which performs a function that is harmful to some party and which is 'invoked' by some means. This section discusses a number of categories of malware at a sufficient depth to enable them to be categorised according to these three dimensions. The final sub-section provides a tabular summary. Appendix 2 consolidates into glossary form the definitions developed in the analysis that follows. 3.1 The Vector The term 'vector' refers to the means whereby undesired content comes to be on a device. The term 'vector' encompasses both the act of transmission and the techniques whereby the transmission occurs. It encompasses two broad sub-categories: • copying from portable storage directly-connected to the device, such as a diskette, CD, DVD or solid-state electronic 'drive'; and
•
transmission or download from another device on a local area network, or from a device on a remote network.
In the case of transmission or download from a separate device, a variety of subcategories arise, in particular: • File transfer. This may be achieved using software that implements a standard protocol such as FTP, or a proprietary protocol, provided that the protocol is implemented on both devices. The file may be 'pulled' (i.e. initiated by the recipient) or 'pushed' (i.e. initiated by the party whose device already has a copy of the file); Email. This may become a vector for malware because: ○ ○ ○ ○ ○ • a lax (or possibly malicious) software supplier enables the client-software to automatically execute code in an email-attachment; a lax (or possibly malicious) user changes the settings in the client to autoexecute code in an email-attachment; a lax (or possibly malicious) user manually invokes the contents of an email-attachment; a previous successful attack enables the client-software to automatically execute code in an email-attachment; the email message may apply social engineering techniques to enveigle a user into downloading a file via some other channel; by similar means to those described above for email, although in this case the capability to 'pull' a file down may be provided within the same service; using social engineering techniques to enveigle a user into downloading a file;
•
chat / instant messaging services: ○
•
bulletin boards / newsgroups: ○
•
the Web (which for these purposes can be regarded as a particularly rich and sophisticated form of bulletin board): ○ ○ using social engineering techniques to enveigle a user into requesting that their browser download a file; using a variety of features of HTTP, HTML, Javascript, server-side capabilities and associated protocols and standards, to cause a file to be downloaded to the user's device, based on a user-performed trigger that did not represent either an intentional request or an informed response to a request for consent;
•
P2P networks (whose nature is, for these purposes, that of a distributed bulletin board): ○ ○ using social engineering techniques to enveigle a user into downloading a file; Using features that cause a file to be downloaded to the user's device, based on a user-performed trigger that did not represent either an intentional request or informed response to a request for consent.
Devices running the various versions of Windows operating systems are especially rich in vulnerabilities that make these vectors attractive to attackers. As indicated earlier, there is a longstanding (but recently much-reduced) problem of highly permissive default parameter-settings, and a norm of wide-ranging permissions granted to useraccounts. That problem is compounded by a feature of Microsoft's architecture for server interactions with networked clients, which has had a variety of names, but is usefully referred to as 'ActiveX controls'. Microsoft's design inherently provides code that arrives at the client with access to the entire device. This is quite different from the
much less insecure approach adopted by alternatives such as Java and (with qualifications) ECMAscript/Javascript, which are limited to a 'sandbox'. The definitions of most categories of malware do not limit the vector used, although many categories may be usefully qualified by a vector-descriptor in order to identify a sub-category; hence, for example, an 'email virus'. A special case is so-called 'drive-by download'. The term refers generally to downloads that a user authorises unwittingly; but it is sometimes used specifically within the context of the Web; and it is sometimes used specifically for exploits on devices using Microsoft Windows that take advantage of the inbuilt vulnerability that ActiveX controls represent (Howes 2004). 3.2 The Payload The term 'payload' was originally used in the U.K. in about 1930, to refer to the carriage capacity of aircraft. In IT, from about the 1970s, it distinguishes the content of a communication from the means whereby it is delivered, including the addressing information. In the case of spam, for example, the payload is the text of the message itself, and/or the contents of an attachment to the message. The contents of an attachment can be in any form, including text, formatted text such as HTML, image, sound, video, executable code and invokable code that is not directly executable, including invokable code within HTML, in such forms as Javascript and VBscript. In the case of malware, the payload is the active code that is delivered to the target device in order to perform some function or functions. The scope of the payload may include functions ancillary to the ultimate purpose, such as means of obscuring the existence or operation of the malware. However, the scope usually excludes code whose function is to cause the malware to replicate itself. A considerable number of functions might be performed by malware. The following list of categories has been devised in order to reflect known functions and specialist terms, but also to be wide enough to cover other likely applications: • Operations on data. These include: ○ data creation, such as insertion of data into control files in order to establish a new user account, or insertion of an entry into the list of programs that are to be executed when the device is started up or closed down; data deletion, or directory-entry deletion (which causes the still-existent data to become unfindable); data modification, such as: changes to security-settings for files or user-accounts; Changes to parameter-settings. These may be designed to open up a vulnerability on the device, or obscure the operation of the malware from monitoring and investigation software. For example, a utility or application such as an email-client, a chat or instant messaging client, or a web-browser, may be set to auto-execute code that it receives; changes to port-settings. These can also be used to open up a vulnerable channel on the device, which an attacker can exploit; a general term for malware that performs this function is 'spyware'. Like most malware functions, this is only likely to be effective if performed surreptitiously; a sub-category of spyware is recognised, called a 'keystroke logger', which captures the user's keystrokes (particularly when entering security-sensitive data such as passwords or credit card details); a concept that overlaps with spyware is 'adware', which (usually surreptitiously) gathers data about a user's behaviour as a basis for selecting among possible advertisements to display to that user;
○ ○
○
data capture:
○
data disclosure. Some spyware (usually surreptitiously) transmits the data it has captured to a remote location, or facilitates access to it by an unauthorised user installation of software, or modifications to software, for such purposes as: establishing a new 'backdoor', which as discussed above is a means for gaining access to a user-account on a device by bypassing safeguards; installing a 'rootkit', which obscures the operation of malware from monitoring and investigation software;
•
operations on software, e.g.: ○
○ ○
modifications to anti-malware software to reduce its effectiveness; modifications to malware already installed on the device, possibly in order to sustain the malware's ability to avoid detection and continue to perform its function;
•
the downloading of files, perhaps content, but typically software or software fragments, from a remote location such as an FTP site, a web-site or a bulletin board or newsgroup. Three important uses of this technique are: ○ to download applications that are too large to propagate as worms. An important example is remote administration tools (RATs), or at least the instances of them intended for use in attacks, such as BackOrifice; to adapt the malware payload; and to detect a triggering event, e.g. to synchronise a botnet (which is defined in the following sub-section), and thereby enabling spam-relaying or a distributed denial of service attack.
○ ○
One commonly-used term in the malware arena has been omitted from the above list. The reason is that the term 'trojan' is subject to a wide variety of undisciplined usages. The common element in the various senses of the term is that a trojan appears to the user to perform one function, and may do so, but is designed to perform an additional function that the user is not aware of. This is a particularly easy confidence trick to use, because legitimate and illegitimate invitations to download and to run software are essentially indistinguishable from one another. The offer of anti-virus software is a particular favourite technique used by attackers. In relation to the transmission vector, the two primary flavours of the term are: • in its restrictive form, a trojan is malware that reaches a device as a result of intentional downloading or installation by an authorised user as a result of a social engineering exploit; or in its less restrictive form, the vector used is not relevant, i.e. any vector will do.
•
In relation to the payload, the two primary flavours of the term can be represented as follows: • in its restrictive form, the extra functionality of the malware is specifically the facilitation of unauthorised remote access to the device. This is also called a 'remote control trojan', or (more appropriately) a 'remote access trojan' or 'backdoor trojan'; or in its less restrictive form, the extra functionality is simply potentially harmful to an interest of some person, i.e. any payload will do.
•
The analysis in this paper adopts the following terms and definitions, on the grounds that these two categories are valuable tools in security analysis and benefit from a term to describe them, whereas the others are already satisfactorily covered by other established terms: • a 'trojan', in the general sense, is defined by its vector rather than by its payload. The vector is intentional downloading or installation by an authorised
user, as a result of a social engineering exploit that involves convincing the user that the software is beneficial; and • a 'backdoor trojan' is defined by its payload as well as its vector. The payload is a means of facilitating remote access to the device.
3.3 Invocation The notion of 'invocation' is used to refer to the causing of the code to run in the target device. The generic 'invoke' is preferred to 'execute' because of the many forms in which code may be delivered. In particular, the code may be native to the instructionset of the target device, or it may in a form that requires a compiler, an interpreter or a run-time interpreter. The term 'invoke' also encompasses embedded code, such as macros within word processing and spreadsheet documents. The device's operating system may include some safeguards against the unauthorised invocation of programs, such as specific permissions associated with each useraccount, which limit the software that can be run from that account and/or the data that can be accessed from it. Effective malware needs to be able to circumvent or subvert such safeguards. The following is a summary of key ways in which malware can be invoked: • by an explicit and probably intentional action of an authorised user of the device: ○ ○ • using something that forms part of the device, such as a keyboard and/or mouse; or remotely, through a user-account;
by an implicit and possibly unintentional action of an authorised user of the device. Important examples include: ○ ○ the invocation of a macro, by opening a document that contains it, such as a Word document or Excel spreadsheet; a 'website application attack'. This involves a request from a webbrowser triggering the delivery of malware to the device on which the webbrowser is running. This may be achieved in several ways: the malware may be delivered directly by the web-server. This may be: under instruction by the web-server manager; or through a connivance by another party;
the malware may be delivered indirectly by an invocation by the web-server of a component from another site. In this case, either or both of the invocation and the delivery may be either: under instruction by the web-server manager; or through a connivance by another party;
•
by an action of some person other than an authorised user of the device: ○ ○ using something that forms part of the device, such as a keyboard and/or mouse; or remotely, through a user-account. This may be achieved through the use of existing user-accounts on the device, including those whose passwords are the same as the username, are obvious (e.g. 'password' or, famously, 'SYSTEM') or are null; or through the prior, surreptitious creation of a useraccount and password known to the attacker; remotely, using a 'bot'. A bot is any malware that is capable of being invoked remotely in order to perform a particular function. Typical functions include emailing spam and distrubuted denial of service (DDOS) attacks. A device on which a bot is installed is referred to as a 'zombie'. A set of devices on which bots are installed is referred to as a 'botnet'. A
○
person who can exercise control over a botnet is referred to as a 'botnet master' or herder; • by automated invocation of the software. A common example is by achieving the insertion of a call to the program into the start-up or close-down routines, such that it is invoked every time the device is initialised or shut down; as a result of a request by the device to a remote device, which results in software being downloaded and executed. A primary example of this is a request from a web-browser to a web-server for the file that is stored at a particular URL. If this file contains software (in a form such as Javascript, Java code or a Microsoft ActiveX 'control', i.e. program), then the software will be automatically executed on arrival at the consumer device, unless settings in the device block its execution, or make its execution dependent on the user providing express approval. Code expressed in Java, and with qualifications Javascript, may be limited to a 'sandbox'. Code in an ActiveX control cannot; by the action of a remote device. This is a 'push' mechanism, as distinct from the 'pull' mechanism described in the previous bullet-point. An example of this is a file attached to an email, which is automatically received and stored, without any action by the user other than the periodic down-loading of the contents of the mailbox, and which may (depending on the settings in the email clientsoftware) be automatically invoked; by the action of instructions in some other software running on the device. Examples include: ○ ○ a timed action (e.g. 'run this backup program at midnight each evening'); auto-updates, e.g. of systems software or application software already installed on the device, or of data used by installed software, such as virus signatures.
•
•
•
The above categories can be grouped in several ways. One involves distinguishing between local invocation within the device, and invocation triggered remotely by an action by an attacker. An item of malware, when invoked, may perform its function(s) and then terminate. Alternatively, it may remain memory-resident and active. A further variant is that it may remain memory-resident, but dormant, pending some trigger. Such software is commonly referred to as a 'daemon' or in Microsoft environments a 'Windows service'. A daemon is capable of performing functions that a one-time program is not, such as taking advantage of ephemeral data or a communications channel that is only open briefly.
4. Conclusions Clarity of language is crucial to understanding an analysis. This paper has documented an approach to the categorisation of malware, which enables each particular kind of malware to be defined in terms of the vector it uses, the payload it carries, or the the manner in which it is invoked. The use of the definitions proposed in this paper should significantly reduce the ambiguity of statements that use the dozen or so relevant terms. Beyond overcoming mere ambiguity, this should result in fewer accidental generalisations whose scope needs to be qualified. It should also have the effect of guiding conversations and analyses towards appropriate inferences. The ultimate purpose of a carefully formulated set of definitions set within a theoretical framework is the more effective design of safeguards. At a technical level, benefits include more reliable recognition of malware, and the avoidance of false-positives. Organisational measures should be enhanced through clearer communication as part of awareness, education and itions can also be used to ensure effective legal measures such as definitions of malware-related crimes.
