Spyware Explained - Great information


Larry K

Article by Jonathan Read.

Spyware and malware are at plague proportions, and your network might be full of spyware-infected machines that use up bandwidth, slow everything down, and cost you time and money. Jonathan Read shows you where spyware originates, how you can educate network users, and how to stop spyware. This is a must-read for all system administrators and anyone who uses the Internet.

The dot-com crashes of the late 90s brought about a revolution in Internet advertising. Banner advertising companies were going broke because Internet users were getting sick of those annoying animated GIFs. People would just ignore these advertisements. Or—worse still—the emergence of firewall software such as WRQ's AtGuard actually blocked banner advertisements, which rendered them useless. Hackers realized that they could make easy money with proxy-clicking programs, which also led to the demise of many of the pay-per-click advertisers.

Advertisers realized that if they wanted to still make money online, they would have to change tactics. Many advertisers turned to affiliate programs, in which publishers would get paid for actual sales made, not just for a click on a banner. The other advertisers thought of new ways to advertise; they found a way that would allow them to advertise products without even having a website or servers serving advertisements. This is how spyware emerged.

At first, spyware was bundled into freeware and shareware applications, but word quickly spread around the Internet about this new threat, so advertisers had to resort to dirty tricks. Many spyware developers now use hacker exploits to install spyware onto computers.

If you use any of the popular operating systems, chances are you will have spyware. It is probably safe to say that most home users have lots of spyware on their computers. This spyware is just sitting there, quietly informing advertisers about your music-listening habits, your web-browsing habits, or your favorite programs. If you are unlucky, you will be infected with a nastier spyware application such as a porn dialer.

NOTE

Porn dialers are programs that ring up sex lines, usually overseas. The phone bills from porn dialers can be huge; last month, my elderly neighbors received a phone bill for more than 8000 dollars, all from a porn dialer ringing up a European number from a New Zealand-based address.

Browser hijacking is a common way for spyware programs to get you to visit their website. If your home page keeps changing to an advertiser's web page, no matter how many times you have set your favorite home page, you definitely have spyware. More often than not, you will also see pop-up windows appearing in your browser, even if you are offline! Although these windows might advertise mundane products, you might also be flooded with tacky porn sites. A very good tool for dealing with browser hijacks is a program called HijackThis, which you can find here, along with instructions on how to use it.

Spyware not only invades your privacy, it also causes stability issues with most operating systems. Spyware coders don't really care how sloppy their coding is. Why would they? They are only after your money. Poor coding leads to spyware damaging a user's system; sometimes only visiting a site that has spyware exploits embedded into the HTML can bring your system to a crawl. Most anti-virus applications do not recognize spyware, so removing spyware from an infected machine can be difficult. If a novice attempts the removal, it can even be dangerous to the system because registry editing is always involved.

As more legitimate companies move toward bundling spyware with their software, it is very important that all computer users start to use spyware scanners. Spyware scanners are a relatively new phenomenon; there are a lot of spyware cleaners around, but not all are reputable. Companies that also make spyware have even made some spyware cleaners! I'm sure that if virus coders started making anti-virus products, the industry would be concerned.

Some of the best scanners are freeware. If you download a scanner and it detects a heap of spyware and then pops up a link to purchase the software to clean the spyware, it could be just a scam. The best freeware scanners include the following:

Spybot-S&D and Ad-aware

If you make any major changes to your system, you should first consult a good search engine (Google) to see what it has to say about the problem. Removing spyware with anti-spyware software should be straightforward, but it is better to be safe than sorry.

Prevention is often the best medicine, and choosing a non-Microsoft browser can significantly reduce your chances of being infected with spyware from Internet exploits. Blocking ActiveX scripting and Java scripting can also add extra security to your system. Most good firewalls will block malicious coding; investing in a good firewall is a great idea. Always keep up-to-date with the latest Windows updates.

Detecting Spyware Processes on MS Windows-Based Machines
It is important to use a good process monitor. Windows 9x machines do not come with any process-monitoring software as such, and I recommend using a third-party application on all Windows operating systems to manage system processes (these include XP/NT/2000, and so on). Wintasks Pro is probably one of the best process monitors available today. The makers of Wintasks Pro have set up a process library that enables system admins to make informed decisions when ascertaining whether a process is malicious or not. This process library can be viewed here.

Malware
Malware will often inject itself into legitimate processes. It is an advanced infection technique and is very difficult, but not impossible, to remove. Process injection has become very popular in the malware world. Many remote access trojans use this form of infection because it can evade rule-based firewalls. Spyware makers also have begun to use this technique. Injecting into the Internet Explorer process will often allow the spyware Internet access; a lot of rule-based firewall applications will not see the malware; they will see the trusted application Internet Explorer and will allow communication.

System Safety Monitor is a freeware program that helps system admins protect against malware code injection.

NOTE

"System Safety Monitor (SSM) is an application-firewalling tool (it is not a 'firewall' in the traditional understanding, so there shouldn't be any conflicts with your network firewalls). SSM controls which programs are running on your computer and what they are doing. For example, SSM can prevent so-called 'DLL Injection'. Also, SSM will notify you whenever a program you want to start has been modified. In addition, SSM can constantly check your registry and alert you when an important modification was made."

There is lots more here:
http://www.informit.com/articles/article.asp?p=174140&seqNum=1
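Two of the symptoms the article describes, a hijacked Internet Explorer Start Page and a foreign DLL injected into iexplore.exe to ride on the browser's firewall permissions, can be triaged offline from exported data. The following is an added example written for this post, not a tool from the article, from HijackThis, or from Wintasks Pro. The registry export, the module lists, the expected home page and the trusted directory list are all constructed assumptions for illustration; on a real machine you would feed it the output of `reg export` for the IE Main key and a per-process module listing from a process monitor.

```python
"""Offline triage for two spyware symptoms: an Internet Explorer home-page
hijack, and DLLs loaded into iexplore.exe from untrusted locations (a rough
proxy for process injection into the browser).

All input below is CONSTRUCTED sample data, not captured from a real machine.
On a live Windows box you would replace it with the text of
`reg export "HKCU\\Software\\Microsoft\\Internet Explorer\\Main" main.reg`
and a list of full module paths per process from a process monitor.
"""
import re
from pathlib import PureWindowsPath

# Assumed values for this environment (assumptions for the example, not from the article).
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
EXPECTED_START_PAGE = "about:blank"
TRUSTED_MODULE_DIRS = (
    r"C:\WINDOWS",
    r"C:\WINDOWS\system32",
    r"C:\Program Files\Internet Explorer",
)

# Constructed sample in the shape of a .reg export (the URL uses a reserved .invalid name).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://searchbar.example.invalid/?aff=1234"
"Search Page"="http://www.example.com/search"
'''

# Constructed sample: full paths of the modules loaded into each process.
SAMPLE_MODULES = {
    "iexplore.exe": [
        r"C:\Program Files\Internet Explorer\iexplore.exe",
        r"C:\WINDOWS\system32\ntdll.dll",
        r"C:\WINDOWS\system32\wininet.dll",
        r"C:\Documents and Settings\user\Local Settings\Temp\sbhelper.dll",
        r"C:\WINDOWS\system32\drivers\etc\mstmp32.dll",
    ],
    "explorer.exe": [
        r"C:\WINDOWS\explorer.exe",
        r"C:\WINDOWS\system32\ntdll.dll",
    ],
}

# Matches the quoted-string form of a .reg value line: "name"="data"
_REG_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def read_reg_value(reg_text, key_path, value_name):
    """Return the REG_SZ data for value_name under key_path, or None.
    Only "name"="data" string values are handled; other value types are skipped."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        if not in_key:
            continue
        m = _REG_SZ_LINE.match(line)
        if m and _unescape(m.group(1)).lower() == value_name.lower():
            return _unescape(m.group(2))
    return None


def check_start_page(reg_text, expected=EXPECTED_START_PAGE):
    """Flag a hijack when the Start Page differs from the page the user set."""
    start = read_reg_value(reg_text, IE_MAIN_KEY, "Start Page")
    hijacked = start is not None and start.lower() != expected.lower()
    return {"start_page": start, "hijacked": hijacked}


def flag_injected_modules(modules_by_process, process="iexplore.exe",
                          trusted_dirs=TRUSTED_MODULE_DIRS):
    """Return module paths loaded into `process` whose parent directory is not
    one of the trusted directories. The parent is matched exactly rather than
    by prefix on purpose: a DLL dropped in a sub-folder of system32 would slip
    past a startswith() check. PureWindowsPath compares case-insensitively."""
    trusted = {PureWindowsPath(d) for d in trusted_dirs}
    return [path for path in modules_by_process.get(process, [])
            if PureWindowsPath(path).parent not in trusted]


if __name__ == "__main__":
    print(check_start_page(SAMPLE_REG_EXPORT))
    for path in flag_injected_modules(SAMPLE_MODULES):
        print("suspicious module in iexplore.exe:", path)
```

The directory allowlist is a heuristic, not proof of injection: legitimate browser plug-ins load from their own program folders and will be flagged too, so each hit still needs the kind of look-up against a process library that the article recommends before anything is removed.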