Spyware
Introduction
Spyware has been around for many years, yet today it remains one of the most
unresolved and pervasive problems for computer users. Added to that is the fact that
there’s no unified definition of what spyware really is: some experts define it solely
as a predatory program that spies on a computer user and sends the harvested intelligence
to its creators, while others believe that spyware is any form of software that installs
itself surreptitiously and creates any inconvenience for computer users.
But all experts, whatever their views, generally agree that spyware is an unwelcome
program that should be kept off a computer. More often than not, spyware is considered malware,
which literally means any software with malicious intent.
What Forms Exist
Essentially, spyware can be classified into seven separate groups based on the underlying
technology that it employs.
1. Tracking Software
Used to track computer activity and locations the user visits. Also used to gather sensitive
information from a computer and communicate it to remote parties not authorized to receive it.
Examples include Spyware in the narrow sense (agents that divulge sensitive computer data and spy on
the computer user), Screen Capturers (software that records images displayed on a computer screen
and later transmits them to outsiders), Keyloggers (software that records and transmits
keyboard strokes, mouse clicks and movements) and Tracking Cookies (plain text files placed
within the system that personalize the display of ads, record the user's web page transitions and
report buying habits to advertisers).
2. Advertisement-displaying software
Used to show ads, generate banner clicks and ultimately sell the advertised merchandise. May
display unrelated pop-up windows, ad banners, substitute default homepages with those linked
to a specific product or service, hijack search pages and add more buttons, toolbars and menu
items to a web browser. All these programs slow down computer performance, consume additional
bandwidth, distract the user and serve as an avenue to more serious computer sabotage in the future.
3. Remote access and administration software
Used to facilitate remote access to the system. Also allows intruders to control remote
computers—run arbitrary programs and access files, stage coordinated attacks on other computers
or web servers via the commandeered computers, send spam on behalf of an owner of a seized
machine, or perform any other activity that a legitimate owner is entitled to do. Examples of
such software include Backdoors, Zombieware, Botnets and Controlware.
4. System modifiers
Make illegal modifications to the existing software and thus undermine the normal functioning
of a computer. Can decrease the level of security on the host system and introduce additional
spyware. Modifiers rate as one of the most extreme forms of spyware and feature categories
such as Rootkits and Hijackers.
5. Unauthorized dial-up software
Dials long-distance phone numbers and subjects a victim to exorbitant call charges. Also
connects to unauthorized ISPs (Internet Service Providers).
6. Hacker utilities
Used to probe the network or a computer for deficiencies in its protection and to analyze
the level of security on a target machine. Can perform port scans, stage pilot intrusion
attacks and prepare the ground for the upcoming real attacks.
7. Automatic download software
Used to download additional spyware, reinstall spyware that has already been removed and generate
redundant traffic expenses. Examples are Tricklers and Restorers.
Although seven separate categories are enumerated, spyware rarely exists in a pure isolated
form. More often spyware shares features and uses the principles of several groups to better
protect, promote and more firmly establish itself on a compromised PC.
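Added example, not from the original article: a small Python parser for the Netscape-format cookies.txt store that browsers of this era kept on disk, which flags cookies that are both set by a domain the user never visited and long-lived, the two traits the Tracking Cookies description above relies on. The sample file contents, the visited-host list, the reference date and the one-year threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample of a Netscape-format cookies.txt. Fields are tab-separated:
# domain, include-subdomains, path, secure, expiry (unix time), name, value.
SAMPLE_COOKIES_TXT = """# Netscape HTTP Cookie File (constructed sample)
.news.example.com\tTRUE\t/\tFALSE\t1167609600\tsession\tabc123
.adnetwork-sample.test\tTRUE\t/\tFALSE\t1262304000\tuid\t7f3a9c
#HttpOnly_shop.example.org\tFALSE\t/cart\tTRUE\t1168000000\tcart\tx1
.tracker-sample.test\tTRUE\t/\tFALSE\t1293840000\tvisitor\t91b2
"""

NOW = 1167609600        # assumed reference time: 2007-01-01T00:00:00Z
LONG_LIVED_DAYS = 365   # assumed threshold for a "persistent" cookie

@dataclass
class Cookie:
    domain: str
    path: str
    expires: int
    name: str
    http_only: bool

def parse_cookies_txt(text):
    """Parse cookies.txt into Cookie objects; comments and blank lines are skipped."""
    cookies = []
    for raw in text.splitlines():
        line = raw.strip()
        http_only = line.startswith("#HttpOnly_")   # Mozilla-style marker, not a comment
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: ignore rather than guess at the layout
        domain, _, path, _, expires, name, _ = fields
        cookies.append(Cookie(domain.lstrip(".").lower(), path, int(expires), name, http_only))
    return cookies

def is_first_party(cookie_domain, visited_hosts):
    """True if the cookie domain equals, or is a parent domain of, a host the user visited."""
    return any(h == cookie_domain or h.endswith("." + cookie_domain) for h in visited_hosts)

def find_tracking_cookies(text, visited_hosts, now=NOW):
    """Return (name, domain, days_left) for cookies that are third-party and long-lived."""
    flagged = []
    for c in parse_cookies_txt(text):
        days = (c.expires - now) / 86400
        if not is_first_party(c.domain, visited_hosts) and days > LONG_LIVED_DAYS:
            flagged.append((c.name, c.domain, round(days)))
    return flagged

if __name__ == "__main__":
    for name, dom, days in find_tracking_cookies(SAMPLE_COOKIES_TXT, {"news.example.com", "shop.example.org"}):
        print(f"{name}@{dom}: expires in {days} days and was not set by a site you visited")
```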
Possible Attack Routes
Spyware may infiltrate our computers in many ways, which are briefly outlined below:
1. Through drive-by downloads and by exploiting deficient protection of web browsers.
Many Internet browsers exist today and the most widely used is undoubtedly the Internet
Explorer browser that comes bundled with Windows. By default, it is configured to run small
programs, called scripts, within its context. Those scripts are sometimes embedded into a
web page and are configured to run automatically once a user accesses a specific section of
a web site. Alongside the benign, legitimate scripts that add functionality, content or
animation to a visited page, malevolent scripts lurk on unscrupulous web sites. These scripts
are created to compromise a computer, infect it with the subsequently downloaded spyware and
siphon confidential information from it. The most disturbing fact is that this encounter with a
damaging, dangerous script occurs automatically, in a clandestine manner. Once the sly script
runs and then downloads the “affiliated” pest onto the computer, the drive-by download
has taken place.
2. By erroneously downloading spyware from the Internet, perceiving it as useful software.
Many programs found on the Internet today advertise themselves as useful, cool, handy, and
so on. But several of them may actually prove to be malicious and lead to spyware infection.
Users should be wary of what they download from the Internet and install only trusted, credible
applications. Ironically enough, a number of programs that pose as spyware removers are nothing
more than spyware themselves.
3. By opening a spyware-containing email attachment.
There’s really not much to say about it — attachments should be verified for legitimacy prior
to opening them. Email from unknown or unexpected senders should be approached with extra
caution — it is easy to infect a computer just by viewing a picture in a preview pane of an
email client. Spammed emails should be trashed immediately — there’s no use studying what kind
of attachment accompanies it.
4. By downloading spyware bundled with a legitimate program.
As a cross-promotion, various legitimate programs may include relatively innocuous ad-displaying
spyware within their installation package. Many file-sharing programs, browser enhancement tools
such as extra toolbars or emoticon animations (smileys), instant messengers, and loads of tiny
online games and entertainment programs employ such techniques. Users should first get some details
on the program they are about to install, read the vendor information and pay special attention to
keywords in the EULA (End-User License Agreement) that would suggest whether
some form of extraneous program actually accompanies the main program.
5. By exploiting security holes in installed software.
Every day new critical vulnerabilities that allow attackers unrestricted access to affected systems
are announced in major applications and operating systems. By exploiting them, an attacker could
gain complete control and do whatever he or she wishes—steal files, run arbitrary programs,
commit financial fraud and steal identity information.
Nobody’s perfect and as long as people continue to write programs there are going to be mistakes.
The good news is that users can substantially limit their exposure to potential vulnerability
exploitation if they update the software they use with the latest patches available from software
manufacturers once the problem becomes publicly known.
6. Infecting while working with Instant Messengers or Internet Relay Chat programs.
Files exchanged with these programs can contain spyware. Never open files received from unknown
or unexpected sources.
Summary and What’s Next
In the present document we’ve seen what types of spyware exist and through which means it can be
contracted. In the next edition, we’ll talk about ways to combat spyware threats and what the
computer security industry has on tap.
Source: This article originally appeared in Agnitum - Security Insight. Copyright © 2006, Agnitum.
Vanish.Org. Copyright © 2006. All rights reserved.