The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/june10,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter is commentary. It should not be mistaken for unbiased, objective journalism.
Last week, I wrote about my experiments with a new copy of VMware and a web site filled with spyware. That experience highlighted a trend that has been growing worse over the last three years. Browser hijackers are becoming smarter and more resistant to eradication.
When I first started fixing hijacked computers, browser hijackers were simple things. The very first hijacker I ever fixed was an export of a registry entry which changed Internet Explorer's home page. This file was merged silently and reset the browser's home page every time the computer restarted. At the time, I thought that was pretty clever.
Another hijacker tried a different trick. The hijacker file was set to load on start up by altering the system.ini file. When Windows loads, a file or registry entry tells it what graphical shell to use. By default, this is Explorer.exe. By adding the name of the hijacker after Explorer.exe's entry, the hijacker file was loaded at the same time as Explorer. Some hijackers still do this.
All hijackers still find a way to insert a command that tells Windows to load it at start up. This ensures that even if the victim manages to reset their normal settings, the hijack will happen again during the next reboot. There are a surprising number of locations in the registry and certain configuration files that can be used to tell Windows to load something at start up. Some of the newest hijackers load as services and a few even load as device drivers.
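The two oldest persistence tricks described above (a merged .reg file that resets the home page, and an extra program appended to the system.ini shell= line) are simple enough to check for mechanically. The following is an added example, not code from the newsletter or from any antispyware product; it parses a constructed system.ini fragment and a constructed .reg export (sample file and key names are invented) and flags both patterns plus any value written under the common Run/RunOnce/Winlogon autostart keys:

```python
import re

# Constructed sample inputs (not taken from the newsletter): a system.ini [boot]
# section with a second program appended after Explorer.exe, and a registry
# export that resets IE's Start Page and adds a Run entry.
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe hijack.exe
drivers=mmsystem.dll
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"loader"="C:\\WINDOWS\\hijack.exe"
"""

EXPECTED_SHELL = "explorer.exe"
# Substrings of registry paths that Windows reads at logon to launch programs.
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce",
                  "\\winlogon")

def check_shell_line(ini_text):
    """Return any programs listed on the [boot] shell= line besides Explorer.exe."""
    extras = []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "shell":
            extras = [p for p in value.split() if p.lower() != EXPECTED_SHELL]
    return extras

def find_suspicious_reg_values(reg_text):
    """Flag Start Page overrides and autostart values in a .reg export."""
    findings = []
    current_key = ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # section header names the key
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)  # "ValueName"=data
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        lk = current_key.lower()
        if name.lower() == "start page" and "internet explorer" in lk:
            findings.append(("homepage", current_key, name, value))
        elif any(k in lk for k in AUTOSTART_KEYS):
            findings.append(("autostart", current_key, name, value))
    return findings
```

Both functions return plain lists so the results can be compared against a known-good baseline before anything is removed, which is the quarantine-first habit the rest of this issue recommends.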
At first, it was easy to find and remove these hijackers. They reused the same file names or registry entries and performed the hijack in the same ways. It was a simple matter to obtain copies of these files, make a note of registry entries installed and then hand it all over to the antispyware companies. Shortly thereafter, these hijackers would become targeted by automated scanners and we could stop dealing with it at the message board.
Realizing how easily we were defeating their creations, the hijack creators began trying various methods to protect their parasites. Lop.com embedded a Flash program into an HTML page and then set that as the desktop background on the infected machine. Rapidblaster began naming their files randomly. More and more often, hijackers would install a browser helper object (BHO) into Internet Explorer. Hijackers were becoming tougher and more resistant.
We had weeded out the weak and simple hijacks and had unintentionally forced browser hijackers to evolve into something more advanced. Still, we found ways to detect them and provided that information to the antispyware makers.
Then one day, CoolWebSearch opened up for business. Coolwebsearch.com is a pay-per-click "search" portal where all links and search results lead to sites whose owners pay CWS a few cents for every click sent to them. Then they started signing up affiliates and looked the other way as those affiliates used any possible means to hijack browsers to their web sites.
The methods used to force people to these sites were ingenious. One version would load a custom style sheet with JavaScript embedded throughout it. Others would install BHOs. Randomly named files would be scattered all over the hard drive and would be loaded from randomly named start up entries in the registry. They would hook into system DLL files to make them harder to force out of memory and delete. Some of them would terminate any memory process belonging to an antispyware program and kill browser windows trying to load sites which dealt with hijacker removal.
It became nearly impossible to find a way to discover these hijackers automatically, so it became harder to provide information to the antispyware companies. For the first time, we started falling behind the hijacker creators.
Today's hijackers are extremely sophisticated. They exploit various flaws in Windows or try to trick people into agreeing to ActiveX installers. Some of them will install what is basically a rootkit for Windows. This is software that runs at a very low level, either by hooking the Windows API or by infecting the Windows kernel. When a scanner asks the system for a listing of files, processes or registry entries, the rootkit filters any references to itself out of the answer, which makes it extremely difficult to find the payload files on the hard drive. This is what I ran into during my little experiment.
Another trick being used now is to load as a Windows service. Services load before anything else does, even before a user logs into his or her account on the computer. These services load a number of other files into memory, the sole purpose of which is to resist all efforts at removing the hijack. Two or three files will be in memory, watching each other and watching the registry and hard drive. If you delete a file or registry entry belonging to the hijack, the memory processes reinstall it immediately. If you boot a file out of memory, its companions reload it. Even booting the computer into safe mode doesn't guarantee that the hijacker won't be loaded.
We still can kill these hijackers. It just takes much longer to investigate them and find out just how they are performing their magic tricks. It takes a significant effort to figure out a new hijacker these days.
Then, once the new hijacker has been examined, the steps needed to remove it are very difficult to automate. Victims have to be handled practically on a case-by-case basis. Before, we would simply post a set of instructions that all victims of a particular hijack could use. Now the file names and registry entries are different in every infection, so we have to figure out what those are on a particular infected machine. Then the victim has to be walked through a series of operations, some of which are beyond most people. In some cases, the experts can make batch files which terminate Explorer, kill the processes out of memory and mass delete the files and registry entries involved.
So what can we expect in the future? I believe we will see more hijackers which terminate programs such as HijackThis and the other antispyware programs. Probably we will see more cases where attempts to access web sites such as SpywareInfo are blocked. No matter how much of a fight a hijacker puts up, we still can kill every one of them as long as the victim can make their way to the message boards. It makes sense that sooner or later they will make a serious effort at blocking access to sites such as mine.
Beyond that, I really cannot say. They already are performing tricks I never imagined before seeing them myself. So far, no hijack has defeated the experts at the message board. For every hijacker out there, a way has been discovered to remove it. As the browser hijackers keep evolving, we might one day run into a new one that cannot be removed short of a full hard drive format. I am not looking forward to that day.
If you would like to enlist in this constantly escalating war, sign up for SpywareInfo's Boot Camp and learn how to help browser hijacker victims clean up their computers.
Webroot has released a new version of Spy Sweeper and some of the new features are very nice. There are so many things that it protects that I'm just going to list them rather than discuss them.
The new scanning engine is a tad swifter than in the past. A quick scan (the option to "sweep only folders where threats are known to reside") completed in just under four minutes on my computer. A full scan, however, is another matter. It took a long time to finish when I ran one, so I suggest using the built-in scheduler to run it only while you are sleeping or at some other time when you are not using the computer.
While scanning, I noticed that it was looking at the modules loaded into memory. I don't mean just processes. I mean that it was scanning every file loaded as a module by every process running in memory to see if it matched a known spyware.
Any items detected after a scan are quarantined before deletion. If something stops working or the computer has a psychotic episode after removing an item, it can be restored. If you are not sure what a detected item is, you can click on its name in the results and go to Webroot's web site to read a description.
Nearly every program you install, legit or otherwise, will try to make itself load when the computer starts and it is very annoying. You would be shocked at how slow a computer can become because far too many programs are loading unnecessarily whenever the computer starts. Spy Sweeper's new startup monitor will alert you when it happens and allow you to block it. You also can disable programs which already are set to load on start up.
This new version of Spy Sweeper is extremely nice. It is very easy to use. It is very thorough. The protective options are very good - far better than the obligatory option of locking the Internet Explorer home page that many other programs provide. The start up monitor and manager are fantastic features. I definitely recommend this new version of Spy Sweeper.
Until June 16, 2005, you can buy Spy Sweeper with a one year subscription to updates for $10.00 off the normal price. If you have any problems with the ordering page, please email Catherine at http://www.spywareinfo.com/email2.php.
How many times have you heard stories about people discovering credit card receipts, medical records or other confidential records dumped into garbage cans outside of banks, hospitals and other businesses? Loitering near the right dumpster can net an information thief enough private information potentially to steal the identity of thousands of people at once.
As of June 1 of this year, any person or business disposing of a customer's confidential information in such a way that it can be recovered will be guilty of a new federal crime.
Got a nanny? Or a tenant? Then you probably need a paper shredder. Or at least a wood-burning stove.
On Wednesday, a new federal law kicked in requiring those who handle other people's personal information to dispose of the data properly. Recycling the paperwork isn't good enough -- it must be destroyed, the rule says, rendered useless to anyone who might stumble upon it.
Running afoul of this law may lead to a lawsuit from the Federal Trade Commission. If you lose, you will have to pay a fine of up to $2,500. The person whose information was carelessly disposed of also can sue for up to $1,000.
The head of Microsoft's antimalware project claims that Windows XP with service pack 2 is 15 times safer than any previous version of Windows. I don't know how he arrived at that figure but I will agree that SP2 is better security-wise.
Many people, myself included, beat up on Microsoft for having flawed, buggy software. However, software flaws aside, the design of Internet Explorer on Windows XP with SP2 is much better than older versions. Barring an exploitable flaw, you have to go out of your way to become infected with malware, through a drive by download.
I experienced this myself during my recent spyware fishing trip. When I went to the infection web site, at first there was nothing but a yellow bar in Internet Explorer, telling me that an ActiveX installation had been blocked. I had to click on it and tell it to allow the installer. Then I saw a more recognizable ActiveX warning, asking if I wanted to allow the installation. I had to click "Yes" to that before anything else happened.
On older versions of Windows, I would have seen the second warning first. A more naive surfer might have confused the warning as a plug-in needed to view the page and agreed to install it. That seems to be the main reason why this method of installing spyware is so popular.
It really is too bad that the security enhancements in IE6 on XP SP2 won't be provided to older versions of Windows. Microsoft refuses to upgrade the downloadable version of Internet Explorer 6 with the newer security enhancements. The improved security is available only to those running Windows XP who install service pack 2. This decision calls into question the truthfulness of every statement ever made by Microsoft about being concerned about security. If they truly were concerned about security, they would release the changes as a browser update, not an operating system update.
According to a Microsoft Developer's blog posting, Internet Explorer 7 won't be available on anything older than XPSP2 either. He explains that the cause for this is the fact that IE7 will rely on code specific to XPSP2 which is "nontrivial to port back to older versions". Perhaps if Microsoft hadn't made MSIE part of the operating system in the first place, they wouldn't be in this mess.
I just read somewhere today that MSIE 7 will run on the system with fewer privileges in order to cut down on the damage it can do when compromised. That will be a welcome change if true. As it is right now, if you can compromise Internet Explorer, you own the machine.
I believe I have worked out nearly all of the bugs in the WordPress template that I redesigned for SpywareInfo. All I really need to do now is copy over all of the past articles and past newsletters and it should be ready to go live. There is so much stuff to copy over and it is taking longer than I had expected. Some of the HTML coding used in the early newsletters is atrocious and it takes longer than I would like to copy over an issue. I hope to have all of that finished soon.
My partner, Catherine, suggested adding a news section to the new site. This section will be a collection of links to news articles related to privacy and spyware, sort of like the "Headlines" section included sometimes in this newsletter. We have been posting links to articles there since the beginning of the month. Our goal is to have new material there every day. Go check it out to see the latest headlines from the privacy/spyware world. Just be aware that once I switch the entire site to this new software, the address will change.
I have added a couple of items to the list of file sharing programs which either bundle or do not bundle spyware and adware.
I also updated the BearShare and EDonkey listings. BearShare distributes something called BearShare Lite which the makers claim does not bundle any advertising software. It didn't when I tested it, however the license indicated that it did. I'm not sure how to classify that, so I put it in the "Unknown" section.
It seems that EDonkey was updated later the same day I tested it. When I tested it, it bundled various third party adware programs. Later that same day, another version was released which is completely clean. As of version 1.2 released on June 1, there is no adware bundled into EDonkey. Earlier versions will bundle adware, so if you feel the need to install this program, be careful that you are installing the clean version.
I should have mentioned this last week. Do not save the list that was in last week's newsletter. That list was current (or so I believed) at the moment I sent it out. However, these things change frequently. Always check the actual article to see what is safe and what is not.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners. All rights reserved.