
Spyware infection methods

Related categories: Security | Spyware

Christiaan Beek
Viewed: 9086 | Article date: 2006-03-10 17:05:34

Programs such as spyware are usually bundled as a hidden component or downloaded from the Internet unintentionally. They install and run without the user's knowledge. Christiaan presents the methods such programs use to infect Windows systems and how one can protect oneself against them.

About the author

Christiaan Beek has been working in the security field for several years. Working for national and international companies, he gained a lot of knowledge about hacking techniques, virus technology and intrusion detection. Currently he is working as a security consultant/ethical hacker for the Dutch company Getronics. His free time is spent with his family, reading, and analysing/reverse engineering the output of his malware honeypots.

 

The primary purpose of spyware is to collect demographic and usage information, but sometimes also private data. Such programs are usually bundled as a hidden component or downloaded from the Internet unintentionally. They install and run without the user's knowledge. What's worse, most antivirus packages ignore them. Let's see what methods such programs use to infect Windows systems and how one can protect oneself against them.

Recent research by well-known organizations such as CSI/FBI shows that almost 80 percent of computer systems are infected by spyware. The amount of spyware is still growing because its authors are using more and more new technologies and skills. As it is a very lucrative business, organised crime invests in people and technology. For organisations, it's difficult to protect against this threat. On the one hand, they have to implement a solution that will prevent infection, but on the other, this solution must also be capable of cleaning already infected computer systems.

 

What you will learn...

  • what techniques are used by spyware for infection,

  • how to discover infection, remove the threat and protect against it in the future.

What you should know...

  • you should be familiar with HTML/Javascript,

  • you should have some programming experience.

 

 

Let's have a closer look at the techniques that spyware currently uses for infecting Windows systems. With each technique described, we'll also mention solutions to detect and avoid infection and to remove the threat. This article should not be treated as a complete compendium on spyware, but rather as a look at a few interesting techniques that spyware authors developed for their own purposes, and at manual methods of protection against those techniques, as automated tools are not always able to help users in this respect.

 

Spyware species

Pop-ups

Pop-ups are used to trick the user into clicking on them. They can appear on websites, in e-mail, attached to other software, or take the form of toolbars installed as plug-ins for Internet Explorer. A lot of peer-to-peer software bundles such components. For example, KaZaA includes GAIN (Gator) and Cydoor. GAIN monitors surfing habits and downloads advertisements from the Internet, presenting them in KaZaA. Cydoor downloads a big list of URLs during KaZaA installation and shows these URLs later, when you're browsing the Internet.

Another type of pop-up spyware uses the Messenger service in Windows and shows text advertisements (see Figure 1). Windows NT/XP/200x users can easily avoid this by disabling the Messenger service.

Dialers

Dialers usually secretly change the dial-up connection settings, so that instead of calling a local Internet provider, the user's call is routed to a very expensive international connection. They are most often used as a payment method for accessing websites with game and adult content. When installing browsers, usually user consent is required (see Figure 2).

Browser hijackers

Browser hijackers change the browser settings without user permission. Usually the home page and search page locations are affected, but often bookmarks are added as well. An example of a nasty collection of browser hijackers is ISTbar. It installs the Tinybar toolbar, but can also install other parasites, some of them showing porn pop-ups.

Spying cookies

Cookies, most often used legitimately to identify a user returning to a website, can also be exploited as spyware. Some websites use cookies to track surfing habits. These are most often third-party cookies: cookies sent not by the website one is viewing but by another server (often via advertising banners). Luckily, cookies are not dangerous: they cannot be used to spread other code.

A company like DoubleClick serves banners from its own servers and uses these servers to set and read cookies. This way, DoubleClick is able to detect which customers are visiting which of the websites where its banners are served.
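The cross-site tracking described above can be spotted in a proxy or browser request log. The following Python example is added here and is not from the original article; the request log, host names and cookie values are constructed, and treating the last two host labels as the "site" is a simplifying assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: (page being viewed, resource fetched, Cookie header sent)
REQUESTS = [
    ("http://news.example/index.html", "http://news.example/style.css", "session=abc"),
    ("http://news.example/index.html", "http://ads.tracker.example/banner.gif", "id=u-7f3a"),
    ("http://shop.example/cart", "http://ads.tracker.example/banner.gif", "id=u-7f3a"),
    ("http://forum.example/t/1", "http://ads.tracker.example/px.gif", "id=u-7f3a; lang=en"),
    ("http://forum.example/t/1", "http://cdn.other.example/lib.js", ""),
    ("http://shop.example/cart", "http://img.shop.example/logo.png", "cart=42"),
]


def site(url):
    """Approximate the registrable domain as the last two host labels.
    Assumption for this example; a real tool would use the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def parse_cookies(header):
    """Split a Cookie request header into a {name: value} dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {name: value for name, value in pairs}


def cross_site_trackers(requests, min_sites=2):
    """Return {third_party_site: {(cookie_name, value): [first-party sites]}}
    for cookie values presented while the user was on >= min_sites different sites."""
    seen = defaultdict(lambda: defaultdict(set))
    for page_url, resource_url, cookie_header in requests:
        first, third = site(page_url), site(resource_url)
        if first == third:
            continue  # first-party request: the site reading its own cookie
        for name, value in parse_cookies(cookie_header).items():
            seen[third][(name, value)].add(first)
    report = {}
    for third, cookies in seen.items():
        hits = {c: sorted(s) for c, s in cookies.items() if len(s) >= min_sites}
        if hits:
            report[third] = hits
    return report


if __name__ == "__main__":
    for third, cookies in cross_site_trackers(REQUESTS).items():
        for (name, value), sites in cookies.items():
            print(f"{third}: cookie {name}={value} seen from {', '.join(sites)}")
```

A cookie value that the same third-party server receives from several unrelated sites is the identifier that lets it link those visits; blocking third-party cookies in the browser removes that link.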

 

 

 

 

Figure 1. A typical Messenger pop-up ad

Copyright © 2006 by Software Developer's Journal. All rights reserved.