
The Matrix Unloaded

According to Alexa.com, the Internet website ranking service, on July 11, 2005, Fastclick.com, an advertising Web server, was the eighth most popular English language website in the world, one place behind Amazon.com and two ahead of AOL.[1] Chances are you’ve never heard of Fastclick. It’s not bookmarked in your Internet “favorites.” Nevertheless, odds are you have visited it, perhaps a lot, without ever knowing it.

The Nature of Spyware

My first schooling in the stealthy underworld of computer spyware came a few years ago at the hands of the master cyber-criminal herself, Carmen Sandiego.[2] Having had my eyes opened by Steve Gibson’s “Shields Up!!” website[3] to the vulnerability of an always-on Internet connection, I downloaded the free version of ZoneAlarm, which is software that creates a “firewall” between your computer and the rest of the world. The goal was to protect me from hackers who might attempt to access my PC from the outside.

I configured ZoneAlarm so that any attempt to breach its firewall, either incoming or outgoing, launched a pop-up dialog box that asked if I wanted to authorize access once, always, or never. I knew, of course, that several of my own computer programs—Web browsers, e-mail clients, and the like—would require Internet access and cheerfully clicked “always,” granting them permanent passage through the firewall. At first, this proved to be a pain in the mouse. However, it also became a consciousness-raising lesson in just how many programs routinely require Internet access to perform vital functions, such as checking for and downloading program updates.

Weeks later, believing I had finally stamped the firewall passport of every Internet-enabled program on my PC, I was naturally intrigued when ZoneAlarm alerted me that DSS Agent, a program I had never heard of, was requesting safe passage through the firewall from inside my computer. I “Googled” DSSAgent and, a few seconds later, was reading an account of a virtually identical experience on Salon.com.[4] Simson Garfinkel, a columnist for Salon Technology, was high over the Atlantic working on his laptop when DSSAgent attempted to go online. Probing the program, Garfinkel discovered that this mystery file had been loaded into the Windows directory when his daughter had installed a children’s software program distributed by Broderbund, a company owned by Mattel Interactive.

Recalling that my children had recently reinstalled “Where in the World is Carmen Sandiego,” another Broderbund product, the mystery was quickly solved. Carmen Sandiego herself was attempting to use a backchannel[5] Internet connection to phone home to the Mattel Interactive mother ship. If not for ZoneAlarm, she would have succeeded, completely undetected.

Mattel vehemently denies that its DSSAgent, which it calls “Brodcast Technology,” is spyware. Nevertheless, under a firestorm from outraged parents, Mattel voluntarily discontinued this “product enhancement,” and made a free removal tool available on its website.[6] Whether or not DSSAgent was genuine spyware, Carmen Sandiego taught me the seven truths I needed to know about real spyware:

  1. Spyware is sneaky. We do not intentionally install spyware to spy on ourselves. It typically arrives unadvertised and unannounced, wrapped in a cloak of computing invisibility. Although DSSAgent was installed by commercial software for which I paid full freight, this is an aberration. More often, spyware arrives bundled with freeware or shareware that a user voluntarily downloads from the Internet, or it arrives completely unbidden simply when the user has the misfortune to visit certain websites—the so-called “drive-by download.”
  2. Once installed, spyware does its best to remain hidden and is only detectable by the use of anti-spyware programs—in this instance, the firewall software that detected Carmen’s attempts to “open channel D.”
  3. Spyware is unwanted and unwelcome.
  4. Spyware takes up hard drive space, although usually not much. It does, however, have a knack for not playing nice with other software, which can result in sudden, seemingly inexplicable, system instability and/or slowness.
  5. Spyware sucks up your Internet bandwidth[7] every time it tries to phone home, reducing, at least marginally, overall Internet speed.
  6. While spyware is propagated primarily by the Internet, the Internet is also spyware’s biggest bane, because it is the greatest source of information and downloadable tools for eradicating and defending against it.
  7. Detecting, destroying, and defending against spyware will require a small, ongoing investment of the user’s time.

“Ghost in the Machine”: Defining Spyware

Defining what constitutes spyware is as elusive as Carmen Sandiego herself. Indeed, the very slipperiness of a universally accepted definition of “spyware” has emboldened Gator,[8] a distributor of some of the most annoying “foistware”[9] on the planet, to undertake a novel public relations campaign of suing those who would dare to refer to its pernicious pop-up adware as spyware.[10] Gator.com’s public-education-through-SLAPP-suit-litigation[11] campaign may be criticized on a myriad of levels.

However, it does have a twisted point: a broad variety of software and malware[12] has been indiscriminately lumped under the heading “spyware.” An entire field guide might be written, devoted to nothing but the classification of malware, including spyware (in fact, several have).[13] Such an assay is beyond the scope and purpose of this article—a primer on how to detect, destroy, and avoid the spyware matrix. Given the constantly changing nature of this matrix, the Internet remains the best source of current information. Nevertheless, some introduction to the taxonomy of spyware is essential and, therefore, is included in the accompanying sidebar entitled “Spyware Lexicon.”

Regardless of how classified, for purposes of this article, “spyware” is any program having all or most of the following characteristics:

  • It is unwittingly installed by the user, who would not install it if its true nature were fairly and conspicuously disclosed.
  • It resides on the user’s hard drive, consuming permanent storage space.
  • It loads itself into random access memory (“RAM”), consuming active computer memory.
  • It makes use of an Internet connection, typically a backchannel connection, thereby consuming the user’s bandwidth.
  • Except in the case of adware, it attempts to conceal itself and its location in the user’s computer, often burrowing deep inside the Windows registry.[14]
  • It is often difficult and time-consuming to remove. Many spyware programs have hidden reinstall programs that automatically reload the spyware matrix on deletion, rendering conventional removal techniques (such as the Windows “Add or Remove Programs” utility) a Sisyphean endeavor. When an uninstall program exists, it is often ineffective or bogus, and the spyware quickly reinstalls itself.
  • It collects data that may or may not be resold and combined with other personal information on the open market,[15] regardless of any website’s so-called “privacy policy.”

“The Spy Who Came in From the Cold”: Where Spyware Comes From

Spyware is like mononucleosis (the “kissing disease”); to avoid getting it, it helps to know where you are likely to pick it up. Like “mono,” the spyware contagion is usually contracted while one is having a good time and not thinking very clearly. Also like mono, in most cases, users unwittingly invite spyware to be installed on their computers while having a good time. In the modern online experience, “having a good time” means thinking one is getting something for nothing, such as free software, free music files, free games, or a spiffy little free utility that reports local weather conditions. As the officially designated computer guru in my family, I am called in whenever my siblings’ PCs resolve themselves into an electronic blob of goo or have otherwise begun behaving erratically. In the last few years, more often than not, spyware has been the culprit.

Take, for example, my nephew Henry’s laptop, a veritable forensic laboratory in which to study where spyware comes from. Henry is a typical young college student who likes music, computer games, following sports, and pursuing other pastimes online. In the process of installing file-sharing programs, like Kazaa and Gozilla, and downloading electronic games—all “freeware” in the sense that no actual currency is requested from the user—he has been “Gatored” (see “Adware” in accompanying sidebar entitled “Spyware Lexicon”) more times than an animal control officer in the Everglades. I’m the one periodically called in to drain the swamp.

Even in the age of the Internet, there is still no free lunch. True “freeware” is increasingly rare. Usually, someone is paying for the “free” goodies. In the case of invited spyware, that someone is often an adware company, such as Gator/Claria, WhenU, DirectRevenue, or 180Solutions. The adware company pays authors of the desirable software to allow their spyware to “piggyback” on the installation of the desired and promoted program, which functions as a Trojan (as in “Trojan horse”).

In virtually every instance of invited spyware, buried in the click-through license agreement is a proper legal consent to install the spyware, typically adware. By “buried,” I do not mean to suggest that the so-called freeware distributors are employing fine print or other chicanery of a bygone paper era, although euphemisms and legalese employed in such end-user license agreements (“EULAs”)[16] provide an endless source of mirth to techno-geek lawyers who actually read and understand them. No such legal legerdemain is necessary, because no one besides spyware watchdogs ever bothers to read click-through licenses. A license could disclose the following:

By installing this software you also authorize us to install RAM and bandwidth-sucking kludgeware that will invade your privacy, constantly annoy you with pop-up, pop-over, and pop-under advertisements, make your life a living hell, and reinstall itself upon any attempt to delete it . . .

All of this can be accomplished with complete confidence that the only question on the mind of most users will be: “How do I activate the ‘I Accept’ button?” In our analogy, this behavior equates to “not thinking very clearly.”

Not to pick on my nephew Henry, my daughter Samantha is our house’s resident spyware magnet. A young teen, Samantha loves programs like “WeatherBug” (a utility that provides local weather conditions and alerts in a pop-up window), joke and fan websites, and instant messenger and e-mail enhancements, such as Comet Cursor (a palette of cute mouse cursors), and IM emoticons (little faces that show different emotions to let the recipient of the message know if you’re kidding, annoyed, or happy). Inevitably, piggybacked on “WeatherBug” is the spyware bug, all completely and lawfully invited.[17] Many of these spyware programs install new browser toolbars—prime, above-the-fold real estate in a Web browser, through which most of the Internet is experienced and, thus, through which the user’s experience is best monitored.

Truly stealthy spyware—the kind that arrives both undetected and uninvited—exists, but is rarer than the invited variety. Ignoring keystroke recorders intentionally installed to spy on employees, spouses, and lovers, uninvited spyware is usually found in seamier back alleys, dens of Internet iniquity purveying the promise of free sex, free commercial software, or other forbidden pleasures. This spyware payload is silently delivered merely by viewing a Web page that uses hidden code, such as ActiveX, to launch the infestation, commonly referred to as a “drive-by download.” Although reputable adware purveyors occasionally include uninstall programs that actually permanently uninstall their products, spyware that arrives by drive-by download never does.

“I Spy”: Detecting Spyware

Except in the case of truly stealthy spyware, detecting spyware is not difficult. Just look for one or more of the following symptoms:

  • A new icon appears in the Windows “tray” (the area in the lower right of your screen) or on your desktop that you don’t recognize.
  • A new toolbar that you do not recall installing appears in your Internet browser, often promising new search capabilities.
  • New programs appear in the Windows Start/Programs/Startup menu.
  • Your Internet browser now inexplicably opens to a new home page.
  • Your computer or Internet connection begins running more slowly.
  • Your computer begins to generate error messages.
  • Computer programs that had been stable begin crashing.
  • Your firewall software asks if you want to let an unknown program have Internet access.
  • Your Internet connection is active (as indicated by modem activity), even though you are not currently using any program that accesses the Internet.
  • You receive a $430 telephone bill showing multiple calls made to “900” numbers you never dialed.
  • In the case of adware, pop-up advertisements begin sprouting like weeds.
  • Your browser has seemingly become infested with a poltergeist who randomly redirects it to Web pages where you did not command it to go. The poltergeist may also randomly pop up your browser to an advertisement when you weren’t browsing the Internet, but just typing in Word.

Spyware lexicon

For purposes of this article, the malware (a contraction of “malicious” and “software”) commonly called “spyware” may be classified into five broad categories:

Adware

Although there are many subspecies, adware generally tracks the user’s Internet browsing and pops up context-sensitive and annoying advertisements or discount coupons in response to the material being browsed. Gator/Claria is a common adware program. Its goal, in part, is to present timely enticements to shop at its advertising customers’ places of Internet business. For example, while browsing Amazon.com, Gator software might present an online discount to purchase the same item at Barnes & Noble’s website. This point-of-sale intervention technique is, in fact, widely referred to by e-tailers as “being Gatored.” 

Whether Gator/Claria and similar software is properly classified as true “spyware,” it is undeniably adware. Adware does not necessarily upload or disclose user information to anyone, because such disclosure is not necessary to fulfill its commercial purpose. It does meet several of the criteria for spyware in that it arrives stealthily, consumes bandwidth, and is difficult to remove. Some adware, however, is considerably more invasive, collecting and reporting MAC (network card) addresses and Windows product IDs. It also examines software running on a user’s computer (including other spyware and anti-spyware programs) and tracks visited websites.

Keystroke Recorders and Other Data Miners

The most insidious of all spyware, keystroke recorders, are capable of recording all of the user’s computing activities: e-mail, instant messaging, document creation, financial data, and passwords. Other spyware more selectively mines personal data, such as credit-card numbers, passwords, and Social Security numbers. Perhaps the truest “spyware,” its application to identity theft or simple larceny is obvious.

Browser-Jackers

This type of malware, often a type of adware, reconfigures the user’s browser by, for example, redirecting the start-up page to a new location. This malware can install unwanted toolbars or integrate pop-up advertising windows for unbidden redirection to other websites. Browser-jacking malware is particularly pernicious and difficult to remove. Most, however, can be quickly removed using the free HijackThis utility.

Cookies

Internet “cookies”—small bits of Internet code installed by various websites—provide so many legitimate, useful functions, such as remembering passwords or a user’s favorite website options, that they should not be categorically labeled spyware. Undeniably, however, many cookies track and report user browsing habits (the so-called “cookie crumb trail” or “mouse droppings”). Using collaborative database technology, cookies are the foot soldiers used to compile an impressive dossier of a user’s tastes, Internet habits, and personal identifying information. Fortunately, modern anti-spyware has learned to tell the difference between the good cookie baby and the spyware cookie bath water.

Auto-Dialers

This type of malware silently and repeatedly uses the victim’s computer modem to dial phone numbers, such as long-distance or “900” numbers, resulting in large phone bills for the unwary user and large profits for the authors of these “Trojan” programs. More than anything, the increasing prevalence of cable modems and DSL connections is lessening the auto-dialer threat. Broadband users who use a fax modem from time to time, however, remain vulnerable. Those using a modem or fax modem can eliminate all risk from auto-dialers by simply unplugging the phone cord when the modem is not in use.

“Spy vs. Spy”: Destroying Spyware

In the fast-moving “Spy vs. Spy” game, writing a paper guide to spyware eradication is a fool’s errand. Fortunately, several online Web resources exist that collectively provide timely and helpful advice and tools in the ongoing project of draining the spyware swamp (see accompanying sidebar entitled “Spy vs. Spy”). However, a few time-tested general observations may be made:

  • The symptoms of a spyware infestation usually become manifest over time to a reasonably sentient being. Nevertheless, isolating and destroying spyware requires electronic countermeasures. Rifling through each file on an 80+ gig hard drive, or worse, bushwhacking through the dense undergrowth of the Windows registry without an experienced guide is neither practical nor wise.
  • The more stealthy the spyware, the more difficult the extermination. A moderately competent user with readily available tools can eliminate most spyware. However, if you’ve logged as much time hand-editing the Windows registry as you have piloting the space shuttle—or if a recommended cure is simply out of your personal computing comfort zone—call your local computer wizard to help you.
  • Ironically, some of the best anti-spyware, such as HijackThis, is genuine freeware.

Counter-Espionage: Defending Against Spyware

As with computer viruses, a little preventative care with the goal of avoiding the problem will be rewarded by hours not spent eradicating an infected PC or cleaning up the detritus of a successful identity theft. In addition to the resources listed in the accompanying sidebars, here are some timeless tips:

  • Read, but do not trust, software license agreements and website privacy policies.
  • Install a firewall, and initially configure it to detect all outgoing as well as incoming Internet communications. Provide access only to programs you have positively identified. When in doubt, Google the name of the program seeking access.
  • Unplug your fax modem when not in use.
  • Set your browser security to medium or higher and deactivate ActiveX and other Web controls.[18] In Microsoft’s Internet Explorer (“IE”) Web browser, these settings are found at Tools/Internet Options/Security.
  • Surf anonymously, using a service such as Anonymizer.com or The-Cloak.com.[19]
  • Create at least one Web-based “SPAM & spy” e-mail account and use it for websites that require registration and other marketers that solicit your e-mail address. Create this e-mail account from a public computer to avoid having your own computer’s MAC address traceable to the e-mail account.
  • Download only from trusted websites.
  • Delete SPAM without reading and never click on a link in a SPAM message.
  • Never close a dialog box with “agree”; use the red X (in the upper right-hand corner of the window) instead.
  • Be particularly wary of pop-under windows, simulated computer system “warnings,” and anything that requests your consent to download or install a program.
  • Turn off tracking features of toolbars and programs, such as are found in Windows Media Player, RealPlayer, and other media players (but enable the automatic lookup of CD titles and tracks).
  • Consider configuring your browser to reject cookies, although there are many useful cookie-enabled features used by legitimate websites. Cookie manager programs exist, but create another layer of computer administration overhead.
  • A regular anti-spyware sweep with a program such as Ad-Aware will root out the bad cookies.
  • Consider using an alternative browser, such as Mozilla’s Firefox. Spyware authors write for the broadest audience, and currently that is users of Microsoft’s Internet Explorer. Legitimate websites are optimized for IE too, however, so don’t delete IE. You may need it to access some websites or website functions.
  • Install reputable anti-spyware programs and update and use them regularly.

With regard to this last tip, two caveats: First, no single anti-spyware program is effective at detecting or eradicating all spyware. As in treating any pernicious disease, two or three anti-spyware programs used in combination as a chemo-electro cocktail are much more effective. Second, because of the attention spyware and identity theft have received in the popular press, a number of ineffective and/or unscrupulous anti-spyware “solutions” exist[20] and are heavily promoted on the Web, ironically, often through pop-up ads.

Fortunately, several trustworthy and effective anti-spyware programs are available. Many anti-virus program stalwarts have incorporated anti-spyware programs into robust, integrated software “Internet security suites,” which combine antivirus, anti-spyware, firewall, and other privacy/security tools—for example, Trend Micro’s PC-cillin Internet Security 2005, Symantec’s Norton Internet Security 2005, and McAfee’s Internet Security Suite. The “best of breed” in the anti-spyware-specific field currently include Ad-Aware, HijackThis, Spyware Doctor, Spybot Search and Destroy, and Boulder’s own Webroot Spy Sweeper. A few excellent anti-spyware programs are actual freeware, and almost all legitimate commercial products offer a free trial period to test their capabilities and ease of use.
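The firewall tip above (grant Internet access only to programs you have positively identified) and two of the detection symptoms listed earlier (a firewall prompt from an unknown program, and Internet activity while you are not using the Internet) can be turned into a small triage script. This is an added example, not code from the article or from any product it names; the log format, the process names other than DSSAgent, and the example.* hosts are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed sample of a personal firewall's outbound-attempt history, one
# line per attempt.  DSSAgent is the program the article describes; the other
# process names and all hosts are hypothetical (example.* is reserved for
# documentation).
SAMPLE_LOG = """\
2005-07-11 08:00:00 OUT iexplore.exe -> www.example.com:80
2005-07-11 08:00:05 OUT DSSAgent.exe -> update.example.net:80
2005-07-11 08:05:05 OUT DSSAgent.exe -> update.example.net:80
2005-07-11 08:10:04 OUT DSSAgent.exe -> update.example.net:80
2005-07-11 08:12:00 OUT outlook.exe -> mail.example.com:110
2005-07-11 08:15:06 OUT DSSAgent.exe -> update.example.net:80
this line is malformed and must be skipped rather than crash the parser
2005-07-11 09:00:00 OUT weatherbug.exe -> ads.example.org:80
"""

LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) OUT "
                    r"(?P<proc>\S+) -> (?P<host>\S+):(?P<port>\d+)$")

# Programs the user has positively identified ("always" in the firewall
# prompt).  Hypothetical list; the real one is whatever was vetted on that PC.
ALLOW_ALWAYS = frozenset({"iexplore.exe", "outlook.exe", "firefox.exe"})


@dataclass
class Attempt:
    ts: datetime
    proc: str
    host: str
    port: int


def parse_log(lines):
    """Parse log lines into Attempt records; malformed lines are skipped."""
    attempts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        attempts.append(Attempt(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                                m["proc"].lower(), m["host"], int(m["port"])))
    return attempts


def decide(proc, allow=ALLOW_ALWAYS, deny=frozenset()):
    """Mirror the firewall prompt: 'never' beats 'always', and an unknown
    program is surfaced to the user ('ask') rather than silently allowed."""
    if proc in deny:
        return "block"
    if proc in allow:
        return "allow"
    return "ask"


def find_beacons(attempts, min_hits=3, tolerance=0.2):
    """Return {(proc, host): interval_seconds} for process/host pairs that
    connect at a near-regular interval, the background 'phone home' pattern
    a user never sees without a firewall prompt."""
    stamps_by_key = defaultdict(list)
    for a in attempts:
        stamps_by_key[(a.proc, a.host)].append(a.ts)
    beacons = {}
    for key, stamps in stamps_by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            beacons[key] = round(mean)
    return beacons


def triage(lines, allow=ALLOW_ALWAYS, deny=frozenset()):
    """Group the programs seen in the log by firewall verdict and list beacons."""
    attempts = parse_log(lines)
    report = {"allow": set(), "ask": set(), "block": set()}
    for a in attempts:
        report[decide(a.proc, allow, deny)].add(a.proc)
    result = {verdict: sorted(procs) for verdict, procs in report.items()}
    result["beacons"] = find_beacons(attempts)
    return result
```

Running `triage(SAMPLE_LOG.splitlines())` reports the two vetted programs as allowed, DSSAgent and the weather utility as needing a prompt, and DSSAgent contacting its host about every 300 seconds; a process name added to `deny` is reported as blocked.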

Conclusion

A July 2005 study by the Pew Internet and American Life Project[21] found that American Internet users are wising up to the ways of the Web spies, having received their own schooling on the info-autobahn. One in five users has experienced a browser-jacking.[22] Twenty-five percent reported that new programs or icons they did not install suddenly appeared on their desktop or in their Windows tray; fifty-one percent said their computers started freezing or crashing.

Significantly, the report shows that savvy users are changing their habits. Eighty-one percent have stopped opening e-mail attachments unless they are sure they are safe. Nearly half (48 percent) now avoid websites they fear may load unwanted programs on their PCs. Twenty-five percent have abandoned downloading music and video files from peer-to-peer networks, and nearly one in five (18 percent) have changed Web browsers. Perhaps most revealing, more than half (54 percent) of the respondents said they have started reading EULAs before clicking “I accept.”[23]

Spyware is unlikely to disappear from the worldwide Webscape anytime soon; there is simply too much money at stake. However, would-be victims who condition themselves to be vigilant and deploy electronic countermeasures are considerably less likely to be “shagged” by these particular spies.

Notes

  1. Internet advertisers DoubleClick ranked 19th and Gator, 29th.
  2. The “Where in the World is Carmen Sandiego” game is one of the best-selling computer games of its age.
  3. See https://grc.com/x/ne.dll?bh0bkyd2. With the user’s permission, “Shields Up!!” tests your computer for potential vulnerability to outside hacking. Steve Gibson’s site is an incredibly useful, free public service, one that every lawyer should visit.
  4. See http://dir.salon.com/tech/col/garf/2000/06/15/brodcast/index.html.
  Technology and Law Practice, The Colorado Lawyer / September 2005 / Vol. 34, No. 9 / 129
  5. It accesses the Internet in the background, so the PC user is unaware that this is happening.
  6. See http://support.learningco.com/brodcastpatch.asp.
  7. In common parlance, “bandwidth” is the amount of data that can be transmitted in a fixed amount of time. For example, your modem communicates at a maximum speed of 56 kbps (kilobytes per second); DSL generally transmits at 256 kbps—1.5 MBps (megabytes per second); and cable modems typically transmit in the 1.5–6 MBps range. DSL and cable modems have higher bandwidth than a modem and thus transmit data faster. When spyware uses part of your bandwidth, it slows down the data transmission rate for data you want to transmit.
  8. Branded the poster-child for odious adware, in 2003 Gator changed its name to Claria.
  9. Software that is foisted on you.
  10. See generally Festa, “See You Later, anti-Gators?” CNet News.com (Oct. 22, 2003), http://news.com.com/2100-1032_3-5095051.html. The complaint and other pleadings are available at http://www.benedelman.org/spyware/threats/gator-pcpitstop-1.pdf.
  11. SLAPP stands for Strategic Lawsuits Against Public Participation.
  12. “Malware,” a contraction of “malicious” and “software,” is used to describe several types of software that are malicious by design, including viruses, Trojan programs, and spyware.
  13. A few of the author’s favorite guides include: Wagner, Spyware/AdWare/Malware FAQ and Removal Guide, available at http://www.io.com/~cwagner/spyware; The Spyware Warrior, available at http://spywarewarrior.com; Microsoft’s Security at Home, available at http://www.microsoft.com/athome/security/spyware/default.mspx; Welcome to PC Hell, available at http://www.pchell.com; and Baratz and McLaughlin, Malware: What It is and How to Prevent It, available at http://arstechnica.com/articles/paedia/malware.ars?80224.
  14. Since Windows 95, the registry has been the primary repository of operating system information, such as what hardware is attached, what system options have been selected, and what programs run on start-up.
  15. A company’s “privacy policy,” a self-imposed restriction on the sale or sharing of data collected, may be only as good as its solvency. Toysmart.com, a Disney-backed company, had such a policy and was even a member of TRUSTe, an Internet privacy watchdog. However, when Toysmart became bankrupt, the company sought to sell a significant asset: its list of customer names. Only concerted action by the Federal Trade Commission, a phalanx of state attorneys, federal legislators, and angry consumers avoided a showdown. See Sandoval, “Judge OKs Destruction of Toysmart List,” CNet News.com (Jan 31, 2001), available at http://news.com.com/2100-1017-251893.html?legacy=cnet.
  16. The author’s current favorite is a provision of DirectRevenue’s EULA that allows its adware to seek and destroy other companies’ adware, which might interfere with DirectRevenue’s own delivery of odious pop-ups: “[Y]ou further understand and agree, by installing the Software, that BetterInternet and/or the Software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer. . . .” See Direct Revenue Deletes Competitors from Users’ Disks (Dec. 7, 2004; updated Feb. 8, 2005), available at http://www.benedelman.org/news/120704-1.html.
  17. Except, of course, that Samantha is not 18 years old, and therefore lacks the ability to enter into an enforceable contract. Because they are guileless regarding the “dark side” of the Web, purveyors of spyware seem to pander to and prey on the tastes and temptations of youthful computer users.
  18. Some very useful programs require ActiveX to be enabled to run, but typically will alert the user to the fact that ActiveX must be enabled to use them if it has been disabled.
  19. These websites act as electronic proxies, concealing the user’s true computing identity when surfing the Web.
  20. See Howes, The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites, available at http://www.spywarewarrior.com/rogue_anti-spyware.htm#products.
  21. Fox, Spyware: The Threat of Unwanted Software Programs is Changing the Way People Use the Internet (July 6, 2005), available at http://www.pewinternet.org/pdfs/PIP_Spyware_Report_July_05.pdf.
  22. Where the browser start page is changed to a website you did not select.
  23. Supra, note 21.

Please contact Charles Luce at charles.luce@moyewhite.com 


Charles F. Luce, Jr.

Originally published in The Colorado Bar Association Business Newsletter.
