Part 1: Internet Security

Chapter 3: How Spyware and Anti-Spyware Work

These days, the biggest danger you face when you go onto the Internet might be spyware—a type of malicious software that can invade your privacy and wreak havoc on your PC. Spyware is a relatively new phenomenon; it does not have a long history as do viruses, Trojans, and worms.

Spyware is an umbrella name for many types of malicious programs, but these kinds of programs have several things in common. First, all of them, one way or another, spy on your behavior. They may watch which web pages you visit and report that information to a server or person, or they might track your web searches. They may even allow people to record every keystroke you make or open a back door into your computer so hackers can later take control of your PC when they want.

The second thing they have in common is that they install either without your knowledge or by tricking you. One common way they get on your PC is when you install a piece of software, such as file-sharing software. When you install that software, spyware often comes along for a ride and installs itself without your knowledge or misleads you about what the program actually does.

Although some spyware is created for purely malicious reasons, other kinds are created as part of money-making schemes. One kind of spyware swarms your PC with dozens of pop-up ads, some of which you’ll most likely click to close. But every time you click, the spyware purveyor makes money because he has a business arrangement with a merchant or website to drive traffic to it.

There is a fine line between spyware and what is called adware. They work similarly, but with adware, you download a piece of software that you can use for free, such as a weather program. In return, the adware watches your surfing habits and sends that information to a server, which then delivers ads to you based on your behavior. The ads are displayed only inside the weather program and don’t appear when you don’t use it. Spyware, by way of contrast, watches you all the time and displays ads whenever you surf the Web or are connected to the Internet.

Spyware can do more than just spy on you. It can do damage to your computer as well. Some spyware inundates your computer with blizzards of pop-up ads—in some instances so many that it takes away all your system resources and your PC grinds to a halt. This makes your computer unusable.

Because there is money to be made from surfing, spyware isn’t going away any time soon. But as you’ll see in this chapter, anti-spyware can combat it, so there are ways to keep yourself safe and protect your privacy.

How Spyware Invades Your PC

Spyware sits in the background of your computer, watches which websites you visit, and then reports on your activities. Based on those activities, targeted ads are delivered to you. But first, the spyware has to get onto your computer.

1. Often, you get spyware by downloading a free program or clicking a pop-up ad. Spyware comes along for the ride without you knowing it. When you install the program you’ve chosen, spyware is installed as well, without your knowledge.

2. Spyware often runs whenever you turn on your computer, even when the program upon which it rides is not running. It watches your web activities and tracks every website you visit.

3. At regular intervals, the spyware phones home, reporting to the spyware website which sites you’ve visited.

4. Based on the sites you’ve visited, the spyware website creates a profile about your surfing activities.

5. Based on that profile, the website delivers targeted ads to you. The ads appear whenever you run the program on which the spyware piggybacked onto your system.

When you delete the program on which the spyware piggybacked onto your system, the spyware typically does not get deleted. It keeps watching your surfing activities and reporting on them, although it can’t deliver ads based on that information because the program on which it was piggybacked has been deleted. To delete the spyware, you need a special spyware detector and killer, such as Ad-Aware from www.lavasoft.com.

How Spyware Morphs Itself to Escape Detection

1. One of the most insidious kinds of spyware is polymorphic spyware, which uses a variety of tactics to evade detection and removal, including the ability to constantly change its filename and location.

2. Cool Web Search and About:Blank are two home page–hijacking pieces of shareware that morph and use other techniques to evade detection and deletion. Programs like these can install themselves to multiple locations on a hard disk.

3. When a piece of anti-spyware detects and kills the files in one of the locations, the spyware spawns a new copy of itself at another location and runs from there.

4. In some instances, the spyware can inject itself into a process running on a PC. When the main spyware program is deleted, the copy that has injected itself into a process spawns another copy of itself.

5. Some of the spyware runs silently in the background, doing no damage. However, it spawns a program that does the actual damage. Anti-spyware detects the program doing the damage but not the silent spyware. The silent spyware then spawns a new destructive program, with a different filename and different size so it is not recognizable.

6. Some spyware hides itself by burrowing into your computer’s Registry, which contains basic instructions for how your computer should work. It is able to hide those entries—not only from anti-spyware programs, but also from Registry editors that can normally see everything in the Registry. In this way, it cannot be seen or detected.

How Spyware Invades Your Privacy

1. There are many different types of spyware that invade your privacy in many different ways. One type monitors all your surfing habits and reports on those habits to a server on the Internet. That server may deliver ads to you based on your surfing habits, or it could sell the information to other companies.

2. A particularly privacy-invading type of spyware is called a keylogger. (For more information about keyloggers, see “How Keyloggers Work,” later in this chapter.) Keyloggers record every keystroke you make and send that information to a hacker, who can then steal all your passwords, logins, and other information.

3. Some spyware installs other malicious software on your system. For example, some spyware installs a Trojan on your PC, which allows a hacker to take complete control of your PC and files as if she were sitting at the keyboard. (For more details about Trojans, see Chapter 7, “How Zombies and Trojan Horses Attack You—and How to Protect Against Them.”)

4. Some spyware monitors your Internet searching activity and reports that activity to servers, which can then keep track of your interests and deliver ads to you based on them or create profiles of you and sell that information to other companies.

5. Spyware is not only a danger to individuals—it can be extremely dangerous for corporations as well. Spyware can crawl into an individual’s computer and then infect all the other computers and servers on a corporate network, gathering not only personal information, but also corporate information.

How Home Page and Search Page Hijackers Work

1. Home page hijackers and search page hijackers infect your computer in the same way that any spyware does, such as by downloading a file, with the hijacker coming along for the ride.

2. A home page hijacker changes your browser’s start page so that whenever you launch your browser, you go to the new start page rather than to the one you want.

3. Typically, the new home page you go to includes many pop-up ads and may inundate your PC with so many ads that your system becomes unstable and unusable. The hijacker makes money because he is paid to deliver pop-up ads, so the more ads he can deliver, the more he is paid.

4. A search page hijacker changes your normal search engine to a new one. When you do a search from your browser, that search is sent to the new search engine, not to your normal one. The search engine often delivers pop-ups in the same way as a home page hijacker does. Some home page hijackers intercept every search you perform. For example, if you visit Google and do a search there, the hijacker sends the search to the new search engine, not Google, and then inundates you with pop-ups.

5. Some home page hijackers and search page hijackers are very difficult to eradicate. When you change your browser settings to go back to your normal search and home page, they might change them back again. They can do this by putting themselves in your startup folder and starting up every time you turn on your PC.

6. Some home page hijackers and search page hijackers disguise themselves as browser add-ins (called browser helper objects [BHOs]) or toolbars. So you think that the toolbar is performing a useful function, but in fact, it is hijacking your home page and search page.

How Dialers Work

1. A spyware dialer is installed in the same way as other pieces of spyware are—for example, when you download a free piece of software or click a pop-up ad.

2. The dialer looks into the system and checks for the presence of a modem connected to the phone network.

3. When it finds a modem connected to a phone network, it surreptitiously dials a 900 phone number, which charges $4 or more per minute. It keeps the call connected for at least 10 minutes—running up a $40 bill for a single phone call. In some instances, the dialer alerts you that it is dialing but does not say that it is dialing a 900 number and only says it is dialing to provide you with a unique service.

4. Even if you see that the dialer is calling a phone number and click the Cancel button, the call goes through anyway.

5. You then receive a telecommunications bill for the cost of the dialing and have to fight against the bill to try to prove that you didn’t make the payment.

6. Because people are increasingly connecting to the Internet via DSL or cable modem lines via Ethernet cables, dialers are not as common as they used to be. A dialer cannot make calls via Ethernet cables over a DSL or cable modem connection.

How Keyloggers Work

1. A keylogger is installed in the same way as other pieces of spyware are—for example, when you download a free piece of software or click a pop-up ad.

2. A keylogger is often installed in two parts: a .exe file and a .dll file. When the computer starts, the .exe file automatically launches. The .exe file then launches the .dll file, which does most of the work.

3. The .dll file sits silently in the background, recording all the keystrokes you make.

4. In some instances, the keystrokes are sent directly to an attacker.

5. In other instances, the keystrokes are saved in a file that is sent at regular intervals to the attacker.

6. The attacker examines the keystrokes, looking for passwords, logins, and other information she can use—for example, to log in to your bank to steal money or to steal your identity.

How Rootkits Work

1. A rootkit allows an intruder to gain access to someone’s PC whenever he wants, without being detected. It is made up of a series of files and tools. It can be installed on a system in a number of ways, sometimes in the same way that shareware is installed. In the most notorious instance of a rootkit, Sony surreptitiously installed rootkits on tens of thousands or more computers by shipping it as part of software that installed on people’s PCs when they put a Sony music CD into their PC’s drive.

2. A rootkit can replace important components of an operating system with new software. The new software disguises itself as the original files, including the same file size, creation date, and so on, making it extremely difficult to detect.

3. A rootkit installs a backdoor daemon, or automatic program. This backdoor opens a hole in the system, allowing the rootkit creator to crawl in and take control of the PC whenever he wants.

4. A rootkit can modify a computer’s system log that tracks all the activity on a PC. The system log normally includes all activity, including malicious activity, so the rootkit modifies the log to hide all traces of itself.

5. Many rootkits also install keyloggers or sniffers that record all the keystrokes you make and send that to a hacker. (For more information about keyloggers, see the illustration “How Keyloggers Work.”)

Following the Spyware Money Trail

1. Many types of spyware make money for spyware creators or users in many different ways. This illustration shows how a lot of spyware has a money trail that includes reputable, well-known websites and merchants.

2. Much spyware is intended to make money from affiliate programs, in which any user can sign up to make money by delivering ads for the site or merchant. First, someone who wants to make money from spyware signs up for an affiliate program with a website or merchant. The person gets a code that identifies him, so he can be paid for every link or click to the merchant.

3. Some merchants monitor those who sign up for their affiliate programs, but many do not. Those wanting to make money from spyware look for merchants who do not do a good job of policing their affiliate programs.

4. Those wanting to make money from spyware are often not spyware authors. Instead, they make a deal with a spyware author in which spyware will include links to the person’s affiliate program ID. The spyware author shares the money from the program with the person looking to make money from spyware.

5. The person puts the spyware on his website or distributes it in some other way.

6. Someone downloads spyware. The spyware includes links and pop-up ads that link to the merchant—and those links and ads include the person’s affiliate ID.

7. The merchant counts the links or clicks associated with the affiliate ID and pays the person the amount he is due.

8. The person splits the revenue with the spyware author.

How Anti-Spyware Works

1. Anti-spyware scans a system in search of bits of code called signatures that are telltale signs of a spyware infection. When the anti-spyware finds what it believes is a signature, it compares it to its database of signatures, called a signature base. If it finds a match, it knows there is a spyware infection.

2. New spyware is being released all the time, and existing spyware is often updated. To ensure that it can catch all the latest infections, anti-spyware regularly downloads the latest, updated signatures.

3. In some instances, particular pieces of spyware don’t leave telltale signatures. In other instances, spyware constantly morphs, making detection difficult. So some anti-spyware doesn’t search only for signatures, but looks for telltale suspicious behavior as well.

4. When it identifies a piece of spyware, it deletes it. Deleting spyware can be a complex task, requiring the deletion of many files in many directories, making changes to the Registry, and so on. Because of that, not all anti-spyware can delete all the spyware it finds. In some instances, you need to download a specific program to kill a specific piece of spyware.

5. Anti-spyware also includes real-time protection. It sits in memory and watches for signs that spyware is being installed to the PC or that a home page or search page is being hijacked. It won’t allow the spyware to be installed or the hijacking to take place.
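The following is an added example written for this edition, not code from the book: a toy Python scanner that ties together the evasion tactics in “How Spyware Morphs Itself to Escape Detection” and the two detection strategies in “How Anti-Spyware Works.” It shows why a byte-signature match misses a copy that has altered its bytes, why refreshing the signature base catches it again, and how a behavior rule (self-copies in several locations, a changed start page, a new startup entry) flags it even without a signature. All signatures, files, and monitor events are constructed for the illustration.

```python
# Added example, not from the book: a toy scanner showing the chapter's two detection
# strategies, signature matching and behaviour rules. Everything here is constructed.
from collections import defaultdict

# Constructed signature base: byte strings that known spyware samples carry.
SIGNATURE_BASE = {b"REPORT_VISITED_SITES": "tracker", b"DIAL 1-900-": "dialer"}

def update_signature_base(new_signatures):
    """Fold freshly downloaded signatures into the base (step 2 of the illustration)."""
    SIGNATURE_BASE.update(new_signatures)

def signature_scan(files):
    """Map each file path to the signature names found in its bytes (empty if clean)."""
    return {path: [name for sig, name in SIGNATURE_BASE.items() if sig in data]
            for path, data in files.items()}

def behaviour_scan(events):
    """Flag programs whose recorded actions match the chapter's telltale behaviours."""
    copies = defaultdict(set)   # program -> directories it copied itself into
    flags = defaultdict(list)
    for e in events:
        if e["action"] == "copy_self":
            copies[e["program"]].add(e["dir"])
        elif e["action"] == "set_browser_start_page":
            flags[e["program"]].append("home page hijack")
        elif e["action"] == "add_startup_entry":
            flags[e["program"]].append("persists via startup folder")
    for program, dirs in copies.items():
        if len(dirs) >= 2:   # copies in several locations, as in "How Spyware Morphs"
            flags[program].append(f"self-copies in {len(dirs)} locations")
    return dict(flags)

# Constructed files: a known sample, a morphed copy that XOR-encodes the same string
# so the byte signature no longer matches, and an innocent file.
KEY = 0x5A
PAYLOAD = b"...REPORT_VISITED_SITES..."
FILES = {
    "C:/Program Files/Weather/wthr.exe": PAYLOAD,
    "C:/Windows/Temp/x9k2.exe": bytes(b ^ KEY for b in PAYLOAD),
    "C:/Users/me/notes.txt": b"shopping list",
}

# Constructed real-time monitor log of what the morphed copy and a normal program did.
EVENTS = [
    {"program": "x9k2.exe", "action": "copy_self", "dir": "C:/Windows/Temp"},
    {"program": "x9k2.exe", "action": "copy_self", "dir": "C:/Users/me/AppData"},
    {"program": "x9k2.exe", "action": "set_browser_start_page"},
    {"program": "notepad.exe", "action": "open_file", "path": "C:/Users/me/notes.txt"},
]
```

Running `signature_scan(FILES)` reports only the unmodified sample, while `behaviour_scan(EVENTS)` flags the morphed copy from what it did rather than what it contains; adding the encoded string to the base via `update_signature_base` makes the signature pass catch it too.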
