- 26 October, 2007 16:20
In the age of broadband, spyware has become as insidious a threat as viruses. Though often not as malicious or dangerous as a virus, spyware is much more widespread. Ever since the infamous "Elf Bowling" game that installed spyware on hundreds of thousands of PCs worldwide, spyware has been a major problem. Today, the National Cyber-Security Alliance has estimated that spyware infects more than 90 per cent of home PCs.
Anti-spyware is the solution to this problem. It is software that is designed to find and remove troublesome spyware from a PC.
What is spyware?
The term spyware is actually a catchall used to cover a range of evils, including some that do not technically meet the definition of spyware. It refers to applications installed on your PC that in some way negatively affect your computing experience, suck up computing resources or potentially present privacy and security risks. Spyware ranges from the merely annoying to the potentially devastating. Its most common incarnations include:
Adware: This is software that delivers unsolicited advertising to your PC. Sometimes that advertising is "targeted" based on the information provided by spyware.
Hijackers and malware: These are applications that force your PC to do something undesirable. The most benign of such programs might change your homepage or install a "Browser helper object" (BHO) that annoyingly adds a bar to the Internet Explorer interface with links to a vendor's Web site. The worst such applications might use your PC to visit Web sites to generate hits on pay-per-click ads, dial 1800 numbers using your modem or even offer up your PC's processing power for use in distributed applications.
Spyware: Perhaps the most insidious form, a true spyware application is a program that in some way monitors your activity while you use your PC, and transmits that information back to the spyware software creator. Some might monitor which Web sites you visit (usually to deliver targeted advertising to your system), record information you type into online forms (including, for instance, credit card numbers) or log your keystrokes when you're using the PC.
In its worst forms, spyware closely resembles viruses, so much so that the distinction between the two is often hard to make. The key distinction is that while viruses are usually purely malicious, spyware most often has some purpose -- to track your activities, force-feed you advertising, change your browser settings and so on.
Unlike viruses, spyware is also often, in a sense, legitimate. Spyware is nearly always bundled with free software, and frequently the purveyors of that free software see the presence of spyware on your system as the "price" for using that software. For instance, a free FTP program might come bundled with Aureate, an adware package. When you install the FTP program, Aureate software is installed along with it. Aureate then pays the FTP software supplier.
Whether the software vendor tells you that it's installing the spyware is another matter. Many software vendors are quite up-front about it, informing you that the software being installed is part of the requirements of the licence agreement. Some even tell you that the bundled spyware is beneficial to you. Other spyware-bundlers, however, bury the information about bundled spyware deep within the software licence agreement (which they know nobody reads), or fail to tell you about it at all.
A considerable majority of PCs connected to the Internet are currently estimated to be infected with some kind of spyware, although many instances of infection may be from low-security risks like cookies. Anything that you can download for free -- and even some things that you pay for -- may have spyware included. In some cases you can get a spyware carrying version at no cost or pay to get a spyware-free version.
Peer to peer (P2P) applications are probably the best known carriers of spyware, perhaps unfairly since many, if not most, of the popular P2P applications do not carry spyware. While these have declined in popularity in recent years, the number of machines affected by spyware built into software like Kazaa is massive.
Here's a quick breakdown of the spyware risk involved in different types of free downloadable applications:
- Very high risk applications include free downloaded screensavers, media players, desktop icons and "smiley" emoticon packages, desktop assistants, digital pets (such as the infamous Bonzi Buddy) and other desktop "enhancements". These are packages that children, in particular, are inclined to download because they're "cute". Quite simply, these programs should be avoided at all costs -- they're nearly guaranteed to carry spyware.
- Medium risk applications carry a moderate to good chance of carrying spyware, although often with these packages its presence is more explicit; that is, they tell you about it when they're installing it. Peer to peer applications (most notably Kazaa, BearShare, iMesh, LimeWire, Grokster and Morpheus), free utility programs (such as FTP clients, firewalls or file managers) and small downloadable games fall into this category.
- Low risk applications include packages from major software vendors such as Microsoft, Adobe, Symantec and the like, along with open source applications hosted at places like SourceForge. While open source applications rarely carry spyware, on some occasions unscrupulous individuals have compiled and re-packaged open source applications with spyware.
By the end of the 90s, the number of spyware packages appearing was starting to get seriously out of hand, so much so that in 2000 Gibson Research released a program called OptOut, designed to uninstall some of the major spyware packages. Soon after, a small European company called Lavasoft started offering software that removed many more of the most common spyware packages bundled with free software. Many users were surprised to find out exactly how much malicious software had been installed on their system with the programs that they had downloaded.
Since Lavasoft introduced Ad-Aware, many other players have gotten into the spyware removal business, and it's now a legitimate software category.
Anti-spyware is very much like a virus remover -- it finds and (usually) removes any spyware installed on a system. Some of the better applications are as polished as the best virus checkers, others are still shaky.
It's only fairly recently that the big antivirus companies have started to get involved in the anti-spyware game. Because most spyware packages are legally, if deceitfully, installed, players like Symantec and McAfee feared legal retribution from spyware companies. Recently, however, as anti-spyware has become such an important utility in the Internet age, the big players have begun to offer anti-spyware solutions as well.
It is also worth noting that in recent times hardware-based solutions have begun to pop up. At this point the only major option is D-Link's SecureSpot range of products, which builds anti-spyware, antivirus and a firewall all into a router, giving you a complete security package with minimum hassle. While this may not be as effective as a combination of anti-spyware software packages, the convenience it offers is definitely a boon.
How anti-spyware works
The techniques that anti-spyware software uses to find and remove spyware are many and varied, but they are generally similar to the systems used to detect and remove viruses.
Some methods of detecting spyware fingerprints include:
- Hard disk scans. The anti-spyware software checks all the files on the PC's hard disk against a database of known spyware packages. The best solutions use a mathematical process called a checksum or hash algorithm to ensure that the files on the hard disk are exactly the same as those noted in the database. The worst anti-spyware uses file and directory names as a detection method, which is a very good way to get false positives and miss spyware that changes names.
- Registry scans. The software looks for modifications made by spyware to Windows configuration files.
- Memory scans. The anti-spyware checks currently running processes for any that match known spyware.
- URL monitoring. The software keeps track of visited Web sites and monitors cookies and executed ActiveX controls, and compares the sites and controls to its internal database of known spyware networks.
If there's a match, the package will be noted and the user given the option to remove the offending software when the scan is completed. If the user chooses to do so, the files, directories and Windows Registry keys will be removed.
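The difference between hash-based and name-based disk scanning, as an added example that is not part of the original article: a constructed signature database and disk tree (no real spyware definitions or files) show the hash scan catching a renamed component while the name scan misses it and flags an innocent file instead.

```python
import hashlib
import os
import tempfile

# Constructed signature database (not any vendor's real spyware definitions):
# the bytes are made-up stand-ins for two known-bad binaries, keyed by the
# filename each one shipped under.
KNOWN_BAD = {
    "tracker.dll": b"constructed bytes of a known tracking component",
    "bhotool.exe": b"constructed bytes of a known browser helper object",
}
HASH_DB = {hashlib.sha256(b).hexdigest(): n for n, b in KNOWN_BAD.items()}
NAME_DB = set(KNOWN_BAD)


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _walk(root):
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            yield full, os.path.relpath(full, root).replace(os.sep, "/")


def scan_by_hash(root):
    """Flag a file only when its contents match a known-bad hash."""
    hits = []
    for full, rel in _walk(root):
        digest = sha256_of(full)
        if digest in HASH_DB:
            hits.append((rel, HASH_DB[digest]))
    return sorted(hits)


def scan_by_name(root):
    """Flag a file whenever its name is on the list, whatever its contents."""
    hits = []
    for _, rel in _walk(root):
        name = rel.rsplit("/", 1)[-1].lower()
        if name in NAME_DB:
            hits.append((rel, name))
    return sorted(hits)


def build_sample_tree():
    """Constructed disk layout: the tracker renamed to dodge a name match, and a
    harmless user file that happens to reuse a known-bad filename."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    os.makedirs(os.path.join(root, "Program Files", "FreeFtp"))
    with open(os.path.join(root, "Program Files", "FreeFtp", "helper.dll"), "wb") as f:
        f.write(KNOWN_BAD["tracker.dll"])        # same bytes, different name
    with open(os.path.join(root, "bhotool.exe"), "wb") as f:
        f.write(b"the user's own harmless program")  # same name, different bytes
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    print("hash scan:", scan_by_hash(tree))   # finds the renamed tracker
    print("name scan:", scan_by_name(tree))   # false positive, misses tracker
```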
Anti-spyware comparison databases need to be updated regularly as new spyware software comes online -- much like antivirus packages have to periodically download new virus definitions. For this reason, paid anti-spyware packages often work on a subscription basis. A subscription to the service gives you the right to update the spyware database when you need to.
What to look for in an anti-spyware package?
Nearly all anti-spyware packages have a one-off purchase cost plus regular subscription renewal costs. Stand-alone anti-spyware packages can be purchased online for between US$15 and US$40, and subscription renewals can range from US$10 to US$30 per year.
If you're looking to save money, however, there are some free solutions available -- and unlike many free solutions, they're not at all bad. Lavasoft offers a trimmed down version of Ad-Aware, for instance, called Ad-aware SE Personal Edition, for free. Microsoft is also currently allowing users to download the beta of its anti-spyware tool for free. The best known free anti-spyware software, however, is the excellent Spybot: Search and Destroy, which has more features and a better spyware database than many paid solutions.
Many of the paid applications available will have demonstration versions available for download from the vendor's Web site. We recommend always trying before you buy when it comes to anti-spyware. Not all programs are up to scratch.
Of course the most important feature of an anti-spyware package is its ability to find and remove spyware. How well it does this is heavily dependent on the quality of its detection database and on the scope of detection. The good news is that all of the popular anti-spyware packages have developed quite comprehensive spyware databases, but there is yet no official benchmark for detection rates of anti-spyware packages.
Detection methods are a key quality indicator. An anti-spyware package that supports drive scans, memory scans and registry scans will catch most spyware.
There are important differences in the removal techniques of anti-spyware packages. Most simply delete the offending registry keys immediately, close any processes in memory and delete all the associated files and directories on the hard disk. Some first try to run the Windows uninstall routine for the spyware package. A good package will use a delete-on-reboot system for files that refuse to be deleted while Windows is running.
It's a good idea to look for anti-spyware with a quarantine and recovery system. A scan may produce false positives, or, more likely, delete spyware that you find you need. Many applications that are bundled with spyware will perform a check to see if the spyware is still installed, and will not function if you have deleted the spyware from your system. If that's the case, you can either choose to live with the spyware or without the desired software. If you choose the former, a recovery system will allow you to restore the spyware to its former glory. (Some anti-spyware software does come with known workarounds for dependency checks, in order to make the software think its associated spyware is still installed when it is not.)
Good anti-spyware also has a white-list system. If you decide to keep a particular piece of spyware on your system, you don't want it setting off alarms every time you perform an anti-spyware scan. A white-list system works like a firewall's allow/disallow system -- you indicate that you've allowed this spyware, and the anti-spyware will not ask again if you want to delete it.
So, the questions to ask about the anti-spyware removal system include:
- Does it remove all files and directories associated with the spyware?
- Does it remove Windows registry keys?
- Does it remove the spyware from the Windows uninstall list?
- Does it offer a reboot option if it can't delete files?
- Does it offer a restoration feature if I want to re-instate the removed software?
- Can I tell it not to detect a given piece of spyware in the future?
- Can I customise what it scans?
Early anti-spyware solutions operated only when the user manually initiated a scan. Recently, however, anti-spyware has begun incorporating real time monitors that can detect spyware the moment it accesses your system.
We recommend looking for anti-spyware that includes an active agent that monitors your PC at all times for spyware intrusions. It should, at the very least, monitor processes currently in memory and watch for changes to the registry and the HOSTS file.
Anti-spyware should also have a scheduling agent that will automatically run full scans at set intervals. If the anti-spyware requires manual scanning, it may end up being too long between scans. Some anti-spyware allows you to schedule a scan on system startup.
It has become more common for anti-spyware to integrate proactive prevention in its routines. Pro-active prevention involves immunising Internet Explorer, in particular, by adding the sites of known spyware purveyors to the banned URL list, blocking known spyware ActiveX Controls from running, and potentially re-configuring the Internet Explorer security settings to prevent spyware applications from running. The software should also contain diagnostic tools that examine installed browser helper objects and ActiveX controls for problems.
Alternatively, home users also have the option of switching to another, more secure browser, such as Mozilla's Firefox, which offers tabbed browsing, popup protection and increased spyware defences. Many infected users will find that the spyware was installed without even downloading a file, rather, it was hidden on the system by a malicious Web site. By protecting yourself while browsing, and being aware of the signs that a Web site is trying to install unauthorised content (such as popup boxes encouraging you to tick "yes") you can go a long way to stopping the spyware threat to your system.
Some key questions to ask regarding proactive prevention include:
- Does the anti-spyware patch common vulnerabilities?
- Does it block spyware memory processes from initiating?
- Does it block modifications to the startup settings?
- Does it restrict access to (or at least warn about) known dangerous Web sites?
- Does it block dangerous ActiveX controls by setting ActiveX kill bits for known spyware?
It is good practice to restart your computer in Safe Mode before running a scan. Often, if running Windows normally, your programs will detect spyware that is currently running and cannot be removed. Safe Mode boots a fresh copy of Windows running just a basic framework, so any spyware detected will be idle and can be deleted. You will find yourself with a recurring problem if you only ever scan from normal mode. You can boot into Safe Mode by tapping the F8 key at startup until you are presented with the system menu. Select "Safe mode" and hit Enter. The next time you reboot you will be returned to normal mode.
Another key differentiator for anti-spyware is how it handles updates to the spyware reference database. It's important to look for a package that allows you to schedule automatic updates to the spyware definitions file in order to get the information on the latest threats.
Most paid anti-spyware works on a subscription basis, and one thing to check for is whether the subscription price gets you access to only the updates to the spyware definition database, or whether you can also get updates to the core application as well. In addition, you should look into whether the updates also include new immunisation data (such as new lists of problem Web sites).
Management and administration
Although most anti-spyware available is for personal PC use, enterprise solutions are starting to become more widely available. Enterprise solutions integrate a software distribution and administration system into the anti-spyware package.
Client-server anti-spyware is a relatively new category and still a little rough around the edges, but it's rapidly developing into a category comparable to enterprise antivirus, with similar deployment and management systems.
If you're looking to use a distributed anti-spyware solution, some of the most important things you need to consider are:
- How is the anti-spyware deployed from the administrator to target PCs?
- How is it managed by the administrator -- via a Web browser, proprietary console or other method?
- What kind of information does it provide about clients (such as the current version of the reference database, the last time a scan was run and what has been found on this PC)?
- Can I initiate remote and customised scans on client PCs?
- How easy is it to set global variables, such as update periods?
- Does it allow me to save bandwidth by using a centrally-updated reference file?
- What kind of incident reporting does it provide, and how does it provide it?
Things to avoid
Spyware can be trickier than viruses to remove. With viruses, you'll generally always want to clean every vestige of the infection from the PC. With spyware, that's not always the case.
This is especially pertinent where removing the spyware means that you don't get to use the associated application anymore. Do I care if I have an adware application if it means I get to continue to use the software I want? Some applications have very thorough dependency checks, and sometimes people are prepared to live with the spyware if it means they can still use the software. Ultimately, this is up to the user.
For this reason a good logging and reporting system in anti-spyware is vital. A log system will keep track of deleted files -- if you have later problems (such as a needed file being deleted), you can go back and track down what happened.
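The quarantine-and-recovery and logging points above, as an added example that is not part of the original article: instead of deleting a detected file outright, it is moved into a quarantine directory and recorded in a manifest (original path, hash, reason, time), and it can be restored later, for instance when a bundled program refuses to run without it. The adware component and paths are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def read_manifest(qdir):
    """One JSON record per quarantined file, in the order they were taken."""
    mpath = os.path.join(qdir, "manifest.jsonl")
    if not os.path.exists(mpath):
        return []
    with open(mpath) as log:
        return [json.loads(line) for line in log if line.strip()]


def quarantine(path, qdir, reason):
    """Move a detected file into qdir instead of deleting it, and log where it
    came from, its hash and why it was taken, so the action can be traced and undone."""
    os.makedirs(qdir, exist_ok=True)
    digest = _sha256(path)
    # Unique stored name: hash plus a sequence number, so duplicates never collide
    stored = os.path.join(qdir, "%s-%d.quar" % (digest, len(read_manifest(qdir))))
    shutil.move(path, stored)
    entry = {"original": os.path.abspath(path), "sha256": digest, "reason": reason,
             "stored": stored, "time": time.time()}
    with open(os.path.join(qdir, "manifest.jsonl"), "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def restore(qdir, sha256):
    """Put a quarantined file back where it came from, after checking that the
    stored copy still matches the hash recorded when it was taken."""
    for entry in read_manifest(qdir):
        if entry["sha256"] == sha256 and os.path.exists(entry["stored"]):
            if _sha256(entry["stored"]) != sha256:
                raise ValueError("quarantined copy was altered; refusing to restore")
            os.makedirs(os.path.dirname(entry["original"]), exist_ok=True)
            shutil.move(entry["stored"], entry["original"])
            return entry["original"]
    raise KeyError("nothing in quarantine with hash " + sha256)


def demo():
    """Constructed scenario: quarantine an adware component that a bundled free
    program depends on, then restore it when that program refuses to run."""
    root = tempfile.mkdtemp(prefix="quar_demo_")
    target = os.path.join(root, "FreeFtp", "adbundle.dll")
    os.makedirs(os.path.dirname(target))
    with open(target, "wb") as f:
        f.write(b"constructed adware component bytes")
    qdir = os.path.join(root, "quarantine")
    entry = quarantine(target, qdir, "matched constructed adware signature")
    removed = not os.path.exists(target)
    back = restore(qdir, entry["sha256"]) == target and os.path.exists(target)
    return removed, back
```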
Detailed information about the consequences of your actions is vital in anti-spyware. Some anti-spyware, for instance, provides a list of hundreds, even thousands, of potential spyware offending elements (files, keys, processes and the like) and asks which ones you want to delete. This is not very helpful. The temptation, of course, is to say just remove them all -- which could lead to trouble, since one of the offending elements could be a directory with important documents. Additionally, in some cases spyware will overwrite core system files with modified versions, and the out-and-out deletion of the spyware would often have major consequences for the continued operation of the system.
Look for anti-spyware that provides information about the detected spyware -- its effects, associations and dangers. The major anti-spyware software solutions have become much better at this, often warning about associated software that might cease to function if you choose to remove the spyware. A detailed list of spyware effects is also very useful when determining the risk if you choose to leave the spyware installed.
What is the best combination?
More often than not, a single spyware package will not pick up all the infections on your system. Spyware works on relatively simple premises, and is evolving constantly, which means anti-spyware developers are always one step behind. Thus, it can be better to have a small selection of software which will help cover all your bases. It is important to be thorough, because a single program left undetected can reinstall many of the threats you just spent time removing.
Whilst many of the paid packages can be quite thorough, you can receive very comprehensive system protection through free programs. A great combination is Lavasoft's Ad-aware combined with Merijn's CWShredder and Spybot: Search and Destroy. By running one after the other, starting with Spybot, you should be able to remove most if not all of the threats present on your machine. Spybot also offers a built-in system restore option, which creates a restore point for you automatically should you wish to undo your changes.
One final, very powerful free program that can be used as a last resort is HijackThis. Widely regarded online as one of the best methods of removing spyware that just won't go away, it can also be dangerous to the average user. It runs a scan and lists everything that differs from a clean, spyware-free environment. In this way it is great, as it picks up every abnormality on your system, but it will also list friendly changes, such as Internet Explorer toolbars, ActiveX plugins and startup programs. Thus, before deleting anything, it is vital you post a log file of your session (HijackThis will create one) on an appropriate online message board, where experts will reply advising which entries to delete. This program should only be used as a last resort, but can be very effective when used properly. Be sure to create a system restore point before using it. A few message boards where you will receive necessary advice include: