How Spyware Works

Learn how spyware gets on your system, what it does when it gets there, and some tips for protecting yourself. When was the last time you made a backup of your critical data?

InformationWeek Staff, Contributor

March 1, 2005


Spyware doesn’t just install itself by magic — although it can certainly seem that way. Typically, users need to visit a spyware-infested site and take some action to cause a spyware module to be installed. Sometimes just clicking to exit an annoying popup will do it. Knowing when to click — and more important, when not to click — takes some experience and knowledge.

Knowledge and a few key tools will give you confidence to help keep your systems spyware-secure.

The latest addition to the anti-spyware arsenal is Microsoft AntiSpyware, available for download at the Microsoft AntiSpyware site. (Read a review by Scot Finnie.) I use it, plus Spybot Search and Destroy and Lavasoft Ad-aware.

One of the most powerful weapons in your anti-spyware arsenal is a good regimen of making backups. That way, even if your system is hosed and you have to rebuild everything from the bare metal, you still have recent copies of the data you need.

How Spyware Gets On Your System: Browser PopUps
The chief channel for transmitting spyware is through ActiveX controls conveyed over popup windows. A single click on a window that says “Click Here To Claim Your Surprise Gift” might give you a real surprise, by downloading spyware in the form of an ActiveX control.

ActiveX controls are programs that are transferred across the net and then executed. They can do anything that any computer program can do. Some ActiveX controls are useful software. Some are spyware or other infections.

ActiveX controls are tricky. Some popups contain a big button marked, "Click Here To Close Popup," or some similar text. Clicking on the button might actually activate a hidden ActiveX control that downloads spyware.

Instead of clicking a "Close Here" button, click the X in the browser window’s corner, or click on the window titlebar and hit Alt-F4.

Fortunately, your PC can be made ActiveX-safe, even if you’re using Microsoft’s much-maligned Internet Explorer. In IE, click Tools | Internet Options, go to the Security tab, select the Internet zone, and click Custom Level. Now set the ActiveX options to either Prompt or Disable to lock down your system’s ability to install ActiveX controls. If you rely on a Web-based application that uses ActiveX, you’ll want to have the browser prompt you for permission to run ActiveX; otherwise you’ll be blocked from using that application. Or you can whitelist the particular URL that launches the ActiveX application.

Another option to protect against ActiveX: Pick a different browser, such as Firefox or Opera, that doesn’t run ActiveX.
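The Custom Level settings described above live in the registry, so they can be audited and locked down from a script as well as from the dialog. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the Internet zone’s four ActiveX actions, reports which are still set to Enable (the weak, silently-allowed state), and offers a function that sets them all to Prompt or Disable, plus a function that whitelists one site by moving it into the Trusted sites zone. The value identifiers (1001, 1004, 1200, 1201) and the 0/1/3 state encoding are the documented IE security-action codes; `example.com` is a placeholder domain.

```powershell
# Added example (not from the article): audit and optionally tighten the
# Internet zone's ActiveX settings that the Tools | Internet Options |
# Security | Internet | Custom Level dialog edits. Run as the user whose
# IE settings you want to check.

# Zone 3 is the "Internet" zone; these value names are the documented
# IE security-action identifiers for the ActiveX rows of Custom Level.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$activeXActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
}

# The dialog's three radio buttons map to these DWORD values.
$stateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneState {
    $props = Get-ItemProperty -Path $zonePath
    foreach ($id in ($activeXActions.Keys | Sort-Object)) {
        $raw = $props.$id
        $state = if ($null -eq $raw) { 'Not set (inherits default)' }
                 elseif ($stateNames.ContainsKey([int]$raw)) { $stateNames[[int]$raw] }
                 else { "Unknown ($raw)" }
        [pscustomobject]@{
            Id      = $id
            Setting = $activeXActions[$id]
            Value   = $raw
            State   = $state
            Weak    = ($raw -eq 0)   # Enable: a control on a popup runs without asking
        }
    }
}

function Set-ActiveXZoneState {
    param([ValidateSet('Prompt', 'Disable')] [string] $Mode = 'Prompt')
    $value = if ($Mode -eq 'Prompt') { 1 } else { 3 }
    foreach ($id in $activeXActions.Keys) {
        Set-ItemProperty -Path $zonePath -Name $id -Value $value -Type DWord
    }
}

# Whitelist one site by placing it in the Trusted sites zone (zone 2); this is
# the article's "whitelist the particular URL" option. The domain is a
# placeholder; the value name is the scheme that should be trusted.
function Add-TrustedSite {
    param([string] $Domain = 'example.com', [string] $Scheme = 'https')
    $domainPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path $domainPath)) { New-Item -Path $domainPath -Force | Out-Null }
    Set-ItemProperty -Path $domainPath -Name $Scheme -Value 2 -Type DWord
}

# Report first: every row flagged Weak is one a hidden control could use.
Get-ActiveXZoneState | Format-Table Id, Setting, State, Weak -AutoSize

# Then lock down. Uncomment to apply; new IE windows pick up the change.
# Set-ActiveXZoneState -Mode Prompt
# Add-TrustedSite -Domain 'example.com' -Scheme 'https'
```

Run the report before and after applying a change so the before state is on record. On a domain-managed machine, Group Policy copies of these keys under HKLM take precedence over the per-user values this script edits, so a row that stays at Enable after `Set-ActiveXZoneState` is a sign that policy, not the user profile, is deciding.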

Opening E-Mail Attachments
Many people foolishly open e-mail attachments sent in spam. Like ActiveX controls, these attachments might be executable files that can do anything: install spyware or a virus, reformat the hard disk, allow attackers to take over the system and use it as a platform for a denial-of-service attack, or encrypt the entire hard disk. Running unknown binaries leaves the potential victim vulnerable.

Users need to be educated not to open unexpected e-mail attachments.

And you need to institute a good policy of backing up data.

Other Dangers
There are a few other ways a user can cause their system to be infected with spyware, including clicking on a visited web page that offers to install some browser plug-in or toolbar.

Fortunately, your browser will prompt you if you want to install a toolbar, or a plug-in that allows you to read content. Unless you’re really, really sure you can trust the site – such as Google or Yahoo – follow Nancy Reagan’s advice. Just say "no."

What Can Spyware Do?
Spyware can:

- Install keyboard-sniffing software and look for credit-card and other identifying information, as an aid to identity theft.
- Slow your system performance, or lock up the system entirely.
- Hijack your browser start page, causing it to be set to some site you never wanted (usually pornographic).
- Add a toolbar to Internet Explorer, usually full of spyware and viruses.
- Cause frequent Windows Explorer and Internet Explorer crashes.
- Launch popup ads (again, usually pornographic).
- Install a great deal of adware and trojan software without your consent.
- Track site visits and report them back to some other site.
- Prevent access to sites, including anti-spyware sites and common search sites such as Google, Yahoo and MSN.

When spyware changes a user’s home page without the user’s permission, it’s considered a "Browser Hijack." Other pages can be hijacked, too, not just the startup page.

For example, a common browser hijacker is called Globe-finder.cc. When installed, it will intercept all calls to the Windows shell and hide itself from being found.

Browser hijacking can be countered using Hijack This, found at the author’s site or the support site. It’s great software, but it’s not for the faint of heart. It cuts a log file of everything your system and browser run as they start up, letting you turn each item on or off. That power can get you into a lot of trouble.

For example: you may have real-time antivirus protection on your system, set to download updates from your vendor’s site each time you power up, and keep your system safe as you flit about the net, opening up files, and email attachments with nary a care in the world.

Then you start using Hijack This and ignorantly (and foolishly!) turn off something you’d been relying on to protect you, such as anti-virus software, a software firewall, or other anti-spyware components.

Turn off the wrong thing, and you might lose Internet access completely. Be careful, and remember to use the backups cut for you by Hijack This.

Before using Hijack This — or making any changes to your basic system configuration — remember the carpenter’s adage: measure twice, cut once. Think twice, at least, before turning off a start-up item. Also, before making system configuration changes, back up your system.
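Measuring twice, in practice, means recording what the hijack points look like before anything is turned off. The following PowerShell is an added example, not the article’s code and not Hijack This itself: it takes a read-only inventory of the places a browser hijacker such as the one described above typically rewrites (the IE start, default and search pages), the Run/RunOnce keys that launch programs at logon, and the Browser Helper Objects that IE loads into every window, and writes the list to a timestamped file in the user’s profile. The registry paths and value names are the standard Windows/IE locations; the file name is an assumption of this example. Nothing here changes a setting.

```powershell
# Added example (not from the article, and not Hijack This): a read-only
# inventory of common browser-hijack and startup locations, saved to a file
# before you change anything. Inspect the file; nothing here turns an item off.

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$report = Join-Path $env:USERPROFILE "hijack-inventory-$stamp.txt"   # assumed file name

# Home/start page and search pages: the values a "browser hijack" rewrites.
$iePages = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main'
)

# Programs launched at logon/boot: where hijackers and spyware persist.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Browser Helper Objects: DLLs IE loads into every window (toolbars live here).
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-HijackInventory {
    $lines = @()

    foreach ($key in $iePages) {
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            foreach ($name in 'Start Page', 'Default_Page_URL', 'Search Page') {
                if ($null -ne $p.$name) { $lines += "PAGE  $key\$name = $($p.$name)" }
            }
        }
    }

    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            # Skip the registry provider's own PS* bookkeeping properties.
            foreach ($prop in ($p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
                $lines += "RUN   $key\$($prop.Name) = $($prop.Value)"
            }
        }
    }

    if (Test-Path $bhoKey) {
        foreach ($clsid in Get-ChildItem -Path $bhoKey) {
            $id  = $clsid.PSChildName
            # Resolve the CLSID to the DLL that actually gets loaded.
            $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$id\InprocServer32" `
                        -ErrorAction SilentlyContinue).'(default)'
            $lines += "BHO   $id -> $dll"
        }
    }

    return $lines
}

$inventory = Get-HijackInventory
$inventory | Set-Content -Path $report
Write-Host "Wrote $($inventory.Count) entries to $report"
$inventory
```

Keep the file alongside the backups Hijack This cuts for you; a second run after a change shows, line by line, exactly what was turned off, and a BHO or Run entry whose DLL path points somewhere unexpected is the kind of item worth researching on the forums mentioned below before touching it.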

Educate yourself
To get background for this article, I went to SpywareInfo, the premiere anti-spyware site, joined its forums, chatted with some authors of anti-spyware programs, and found a community of people who really hate spyware and have no use for it or its authors. They know their spyware inside and out.

Another good anti-spyware site for Hijack This help is Spyware Beware. These are volunteer sites, so patience in getting your vitally important [to you, at least] questions answered is mandatory.

Hijack This is sophisticated software: fully understanding those logs requires a real education. You can start that education at the author’s QuickClassroom Site.

Now you’re armed: You have knowledge and tools. You have to read, learn, and judiciously and regularly use those tools in your quest to have spyware-free systems for you and your users.

Also, make backups. Did I mention backups before?

Ross M. Greenberg ([email protected]) is a freelance technology journalist who wrote several pioneering anti-virus programs, including Flu_Shot, Flu_Shot+ and VirexPC.
