The single, all-encompassing term “spyware” is more or less a misnomer, for there are a number of different kinds of software that engage in data harvesting and come under the broad, umbrella-like term “spyware”. Spyware can be loosely associated with viruses (Trojans and worms being the closest relatives of viruses), but there is a fine line of difference. Viruses are typically self-replicating. They can copy themselves and spread from computer to computer through security holes and exploits, as well as relying on a user’s poor security habits to quietly slip into an unguarded system. Spyware usually relies on a user’s ignorance and credulity to infect a system and does not engage in replication. So, in effect, the first and best form of prevention is awareness.
Adware

Adware, or advertising-supported software, is basically software that displays advertisements on your computer. Adware by itself does not threaten privacy or security. It is not usually written with the intent to vandalize computer systems or the Internet. Fundamentally, three major influences drove the development of adware: the failure of selling small, low-priced software in retail packages, the rise of peer-to-peer apps, and the rise of cost-per-click advertising.
Adware helps offset the development and maintenance costs of software or website hosting, and in turn can help provide software and website hosting free of charge. It can even help turn a profit when software or websites are provided free of charge to users and supported by ads. Ad-supported software is one of the forms of “shareware”.
Certain forms of adware sometimes go overboard and stray into the realm of spyware. They collect personal information and pass it on to third parties without the express consent or knowledge of the user, in the hope of providing more specific ad targeting.
Browser Helper Objects (BHOs)

A BHO, or Browser Helper Object, can be a useful little browser plug-in module when used legitimately. For instance, the Microsoft Word plug-in that allows Internet Explorer to read .doc (a.k.a. Word Document) files within the browser is a BHO. The same goes for Adobe Acrobat’s plug-in for PDF files. Google Toolbar is another example of a BHO, but in this case it is attached to IE’s UI, so it can be used directly by the user.
Because of the free-roaming privileges BHOs are allotted within IE, some forms of spyware are installed into IE as BHOs and can perform a number of tasks. This can include a keylogger (which usually activates when some sort of HTTP financial service is detected, intending to collect credit card numbers, usernames and passwords), and can record a user’s browsing habits and send the recorded data off to third parties.
Browser Hijackers

Browser hijackers can include malicious BHOs, as well as change various settings within Internet browsers (usually directed at Microsoft Internet Explorer). These altered settings can cause your homepage to change, add bookmarks, create pop-ups faster than they can be closed, and redirect addresses that users may type in (especially if typed without the www. prefix). All of these browser alterations usually end up directing the user to sites containing pornography, warez, game cheats, or any other “underground” material.
One of the most common browser hijack methods is to add entries to the hosts file. Instead of using the hosts file to send unwanted servers to the localhost black hole, the hijacker maps certain web addresses to servers that you probably would not want to visit on your own.
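The hosts-file trick is easy to check for: any mapping that sends a hostname somewhere other than loopback deserves a second look. This is an added example (not from the article) that parses a constructed hosts file and flags such entries; the sample addresses and hostnames are documentation ranges and example domains, not real indicators.

```python
import ipaddress

# Constructed sample hosts file, not a real capture. The loopback entries are
# normal; the last two lines show the pattern a hijacker leaves behind:
# well-known hostnames pinned to an outside server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.org          # blocking entry, harmless
198.51.100.23   www.example.org          # suspicious: sent to a remote host
198.51.100.23   example.org
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:          # a line may list several aliases
            yield fields[0], name.lower(), line_no


def suspicious_entries(text):
    """Return hosts entries that send a name anywhere but the black hole.

    Entries pointing at 127.0.0.0/8, ::1 or 0.0.0.0 are the blocking use the
    article describes and are left alone; everything else is flagged.
    """
    flagged = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((line_no, ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((line_no, ip, name, "maps to a non-loopback host"))
    return flagged


if __name__ == "__main__":
    for line_no, ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({why})")
```

On a Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts.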
The results of browser hijacking most often lead to non-technical problems, which include accessing inappropriate sites at work, straining personal relationships, and/or coming under scrutiny (possibly as far as being arrested) for possession of illegal material. Browser hijackers are often one of the hardest forms of malware to deal with, from both technical and non-technical standpoints.
Barnacles

Barnacles are data collection and/or advertisement-producing software that are often bundled alongside larger software packages, and are usually installed with the user’s unwitting consent. Consent is usually gained through hard-to-read license agreements or ActiveX pop-ups.
Barnacles are made to be difficult to uninstall, often intentionally using confusing or counterintuitive uninstallation wizards to prevent removal of the software. Sometimes uninstallation requires the user to fill out an online form, but depending on the shape the system is in (with other forms of spyware possibly installed), this may not always be possible.
Barnacles often exhibit the same system degradation symptoms as other forms of spyware, but barnacles often target the Layered Service Provider (a layer of Winsock, the Windows interface that defines how software accesses network services such as TCP/IP) to redirect data from a system’s TCP/IP stack (the set of protocols that defines how data is sent over the Internet). When this form of barnacle is removed, it usually corrupts the Internet protocol configuration, thus requiring a reinstallation of the TCP/IP stack.
Dialers

This form of malware is only applicable to dialup or ISDN Internet connections. Some of these dialers include scripts to disable the modem’s connection sounds, so you can’t tell if and when it may be dialing out. Users on broadband connections may still get dialers installed on their system, but dialing a phone number is not possible on broadband networks because they do not run over ordinary dial-up phone lines.
There are two basic methods under which dialers operate. The first is via security holes in Windows Operating Systems. They either use the Windows dialer, another legitimate third-party dialer such as the one included with AOL, or someone’s own malware dialer. The other method entices the user with promises of special content only if they call the number listed, which usually appears on sites providing pornography, warez, game cheats, or any other “shady” activity.
Any of these dialing methods may rack up a significant phone bill. This money usually lines the pocket of the person or organization providing the malware. 900 numbers, a.k.a. premium rate numbers, are most often used, and can generally cost up to $4 per minute, with the call usually lasting about 10 minutes.
Keyloggers

Keyloggers are either small programs or small hardware devices that mainly do one thing: record any and all keystrokes typed in by a user. In the case of espionage, a device is used to capture keystrokes by placing it at the end of a keyboard cable, whereas another kind can be soldered right into the keyboard’s circuit board.
In terms of spyware, keyloggers can be distributed and installed on a computer system by means of a Trojan, virus or worm.
Malware

Interestingly enough, the prefix of this term in both the French and Spanish languages translates to “bad”. No argument here about that description. It has also been stated that the term was shortened from the word “malicious” and combined with the word “software”. Either way, malware is software that intentionally causes harm on a computer system. Malware should not be confused with faulty software containing bugs, for bugs, no matter what the problem may be, are not intentional.
It is difficult to specifically classify malware, since other types of spyware tend to overlap with it. Viruses, trojans and worms all fall into this category.
A less common form of malware that doesn’t really fall under any other category and engages in self-replication is referred to as a “wabbit”. It doesn’t self-replicate from system to system, but rather uses a simple recursion algorithm to replicate itself indefinitely to clog up system resources until the system is rebooted. Any first-year application programmer has the ability to create one.
Spyware

Overlapping with the extreme form of adware, spyware is more engaged in unethical and explicitly illegal purposes. These activities can include spying on a user’s surfing habits for marketing purposes, as well as anything else coming under the heading of “spyware”, where each activity is explained under the associated form of spyware in this article.
Unprotected Windows-based computers can rapidly accumulate a surprising amount of spyware components. Awareness, tighter system security and establishing a practice of more cautious browsing habits can help alleviate the problem.
Spyware is not known to cause outright system destruction or replication, unlike a virus infection, but it functions more as a parasite that sucks up system resources. In most cases, the user is not at all aware that spyware is installed, and assumes that it is the hardware that is no longer up to par. Usually executing at startup, spyware runs in the background, sometimes causing a huge drop in performance, system stability (crashes, lock-ups and hangs), and available bandwidth on Internet connections (because the connection is flooded to capacity). These results are mainly unintended by-products of having a large amount of spyware flood a computer system. The direct damage caused in this respect is merely incidental (discounting the result of privacy invasion). However, some forms of spyware integrate themselves into certain operating system files and can cause a myriad of problems if the files are purged outright. This makes it an even more difficult and time-consuming task to completely clean a computer system and have everything in fine working order afterwards.
Users who are not aware of the cause of all these problems sometimes ditch their infected computer and go out and buy a new one. That is a waste of money, as well as a waste of a perfectly good computer. Either awareness or a visit to a PC technician can help take care of a spyware-infested system. Spyware has caused more visits to PC technicians than any other problem in the last couple of years, and it continues to grow.
Trojans

A Trojan, or rather its full name, “Trojan Horse”, is an allusion to the epic tale of the ancient city of Troy and the Greeks’ Trojan Horse. In the siege of Troy, the Greeks left a large wooden horse outside the city. The Trojans were convinced that it was a gift, and brought the horse within the safety of the city walls. What the Trojans didn’t know was that the horse was hollow, and hidden inside were a small number of Greek soldiers. After nightfall, they snuck out of the horse and opened the city gates of Troy, allowing the Greek army to enter and pillage the city.
Trojan horse programs work in much the same way; they may appear useful or interesting at first glance to an unsuspecting user, but as with the Greeks’ Trojan Horse, appearances are deceiving. A Trojan is a form of malware that cannot engage in self-replication, but can be harmful when executed. A Trojan can be deliberately attached to otherwise useful software, distributed on its own posing as useful software, or spread through a variety of download methods over the Internet (e.g. email, IM, and file sharing) by tricking users into opening it. Note that Trojans cannot spread of their own accord; they must be “invited” into systems, per se. They rely on unsuspecting users to pass them around. If the Trojan poses as a harmless joke or screensaver, for example, the idea is that unsuspecting users will pass it along to their friends. It’s yet another reason to ignore those chain emails with “re: re: re:” in the subject header.
To further complicate matters, some Trojans can spread or initialize other forms of malware. When used in this fashion, they are referred to as “droppers”. Other common features of a Trojan can include (but are not limited to) file deletion, subtle to major file corruption, spying activities, and data theft. Last but not least, Trojans can install backdoors in systems in order to turn them into zombie computers, which can perform any one or even many of the tasks just listed, as well as email spamming and DoS or DDoS attacks.
Worms

The name “worm” was taken from a 1970s sci-fi novel, The Shockwave Rider by John Brunner. While working on a research paper on experiments in distributed computing, researchers noted similarities between their software and the program described in the novel, and thus adopted the term.
A worm is a form of malware that is similar to both a virus and a Trojan. It’s similar to a virus in that it engages in self-replication, and somewhat similar to a Trojan in that it can be, and usually is, a completely self-contained program. Unlike a Trojan, a worm does not need to be executed by the user; it can execute and jump from system to system of its own accord because of its ability to self-replicate. It can clog up systems, as well as networks, and bring both to their knees. Other features can include file deletion, email spamming (with or without file attachments), and DoS or DDoS attacks. Like Trojans, worms can install backdoors in systems in order to turn them into zombie computers, which can perform any one, even many, of the tasks just listed.
For a brief time, programmers attempted to use worms as useful system patching tools to plug security holes and various other vulnerabilities. This, however, ultimately backfired. These types of worms often clogged up networks more effectively than intentionally malicious worms, as well as doing their work on systems without the user’s explicit consent. In the course of applying these patches, systems suffered sudden and unexpected reboots, effectively causing data loss in open or unsaved files, as well as causing connection problems when a server rebooted. Today, the potential legitimate uses of worms are the talk of computer science and AI theory.
Other Terms To Know
These are terms that aren’t directly related to spyware, but have been mentioned briefly above and will be mentioned later on. They’re good to know within the general scheme of things, for general awareness.
ActiveX

An ActiveX Control is most often downloaded and executed through a web browser, and can have free rein over Windows Operating Systems. Because ActiveX Controls have such free access in Windows systems, there is a huge risk that the software being installed can be almost any form of spyware or malware.
Browser Cache

This is where all temporary webpage data is stored. All files that are downloaded within your browser end up here, which can include: html, php, cgi, jpg, gif, bmp, png, wma, txt, etc.
DoS – (Denial of Service Attack)

An attack on a computer system or network that overloads all available resources, which causes a loss of network connectivity by consuming all available bandwidth, or an overload of computational resources in a computer system (flooding the RAM, maxing out the CPU, or filling the hard drive), which often leads to lockups and freezes.
DDoS – (Distributed Denial of Service Attack)

This attack is very similar to a regular DoS attack, but in this case the attack is made from multiple sources, usually from zombie computers.
JVM – (Java Virtual Machine)

A cross-platform execution environment. It allows programs to be written, executed and connected compatibly across Operating System platforms by means of a virtual machine (a computer simulated in software).
MAC – (Media Access Control address)

This is a unique identification address used in hardware that connects to a network (e.g., a modem or Ethernet card).
MSConfig – (Microsoft System Configuration Utility)

This utility handles startup tasks. Most often when it is referenced, it implies that the user should look at the “Startup” tab. To access it, simply go to Start > Run, type msconfig and hit Enter. This utility is not included on Windows 2000 systems, so it will have to be manually installed.
Phishing

Put simply, phishing is a fraudulent act committed online: an attempt to get a user to reveal their passwords, credit card information, or any other personal information via deceptive practices (usually by email).
UI – (User Interface)
This can be text-based or graphics-based. GUI (Graphical User Interface) is the term most people are familiar with seeing.
Virus

Similar to a worm, but needs to be inserted into a file or program in order to execute and propagate. Viruses are not self-contained.
Warez

Illegal/pirated software; software that has been distributed freely without being paid for and/or does not have a valid individual software license.
Zombie

A computer with an Internet connection (most often broadband) that has one or many hidden software programs or backdoors installed by a third party. This software can allow the computer to be remotely controlled. Zombie uses include conducting DDoS attacks, email spamming, warez file hosting and malware distribution. This can all be accomplished without revealing the attacker’s true identity, while laying the blame on the computer’s owner. This can sometimes lead to an ISP shutting down the Internet connection and/or blacklisting the connection or MAC address.