Windows Defender is a Microsoft program designed to remove spyware modules, prevent their installation or place them in quarantine. It is built into the Windows Vista operating system and is available as a free download for licensed copies of Windows Server 2003 and Windows XP. This application is not only a system scanner, like…
Spyware (spy software) is a program that is secretly installed on a computer to collect information about the computer's configuration, the user and the user's activity without the user's consent. It can also perform other actions: change settings, install programs without the user's knowledge and redirect the user's actions. There are many definitions and interpretations of the term spyware. The Anti-Spyware Coalition, which includes many large producers of anti-spyware and antivirus software, defines it as a monitoring software product installed and used without proper notification of the user and without the user's consent and control.
- Violator (user violator): a user who gains unauthorized access to information.
- Unauthorized access to information: access to information carried out in violation of the access control rules.
- Access control rules (access mediation rules): the part of the security policy that regulates the access of users and processes to passive objects.
- Information security policy: the set of laws, rules, restrictions, recommendations, instructions, etc., that regulate the processing of information.
How spyware operates
Spyware can perform a wide range of tasks, for example:
- collect information about Internet usage habits and the most frequently visited sites (tracking software);
- record keystrokes (keyloggers) and take screenshots (screen scrapers), later sending the information to the spyware's creator;
- take unauthorized remote control of the computer (remote control software): backdoors, botnets, droneware;
- install additional programs on the user's computer;
- perform unauthorized analysis of the state of security systems (security analysis software): port and vulnerability scanners, password crackers;
- change operating system parameters (system modifying software): rootkits, hijackers, etc., which results in a slower Internet connection or loss of the connection altogether, different home pages opening, or the removal of certain programs;
- redirect browser activity, which leads to visiting websites blindly with the risk of virus infection.
History and development
According to a 2005 study by AOL and the National Cyber-Security Alliance, 61% of respondents' computers had some form of spyware; 92% of those users did not know it was present, and 91% said they had not given permission for it to be installed.
By 2006, spyware had become one of the most prevalent security threats to computer systems running Windows. Computers on which Internet Explorer is the main browser are particularly vulnerable, not simply because Internet Explorer is the most widely used browser but because its tight integration with Windows gives spyware access to key parts of the OS.
The Windows registry contains many keys whose values, once modified, cause a program to run automatically when the OS boots. Spyware can use these keys to resist attempts to remove it.
Spyware typically links itself from every registry location that allows execution at startup. Once running, it periodically checks whether any of these links has been removed and, if so, restores it. This ensures that the spyware is executed at boot time even if some (or most) of its entries in the autorun keys have been removed.
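Checking a registry export for this kind of self-restoring autorun persistence, as an added example (not code from the original article or from any product it mentions; the .reg text, program names and paths are constructed, only the autostart key paths are real):

```python
"""Audit Windows autorun entries from a registry export (.reg).
Added example for this article, not code from any product it names; the
export text is constructed (real autostart key paths, made-up programs).
"""
import re
from collections import defaultdict

# Autostart keys a persistence-seeking program typically writes to.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
# Directories a legitimately installed startup program rarely lives in.
SUSPECT_DIRS = ("\\temp\\", "\\users\\public\\")

# Constructed export: one normal entry plus a program linked from 3 keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleGuard"="C:\\Program Files\\ExampleAV\\guard.exe"
"svchost32"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"svchost32"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost32"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost32.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_autoruns(reg_text):
    """Return {key_path: {value_name: command}} for autostart keys only."""
    result = defaultdict(dict)
    current = None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1) if key.group(1) in AUTORUN_KEYS else None
            continue
        value = _VALUE_RE.match(line)
        if value and current:
            # .reg string data escapes backslashes and quotes with '\'.
            command = re.sub(r"\\(.)", r"\1", value.group(2))
            result[current][value.group(1)] = command
    return dict(result)

def find_persistence(autoruns):
    """Flag commands registered under several autostart keys (the
    self-restoring links described above) or run from a temp directory."""
    keys_by_command = defaultdict(list)
    for key, values in autoruns.items():
        for command in values.values():
            keys_by_command[command.lower()].append(key)
    findings = []
    for command, keys in keys_by_command.items():
        reasons = []
        if len(keys) > 1:
            reasons.append("registered in %d autostart keys" % len(keys))
        if any(d in command for d in SUSPECT_DIRS):
            reasons.append("runs from a temp or public directory")
        if reasons:
            findings.append((command, sorted(keys), reasons))
    return findings
```

On a real machine the same parser can be fed the output of `reg export` for each key; a program that appears under several autostart keys and restores them when deleted is the behaviour worth investigating.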
Differences from other types of programs
Adware is a program that displays advertising with or without the user's consent. Such programs are not spyware in themselves, but they can act covertly.
Many adware programs are spyware for another reason: they display advertising selected on the basis of what spyware has observed on the user's computer. Examples are Gator from Claria Corporation and Exact Advertising from BargainBuddy. When certain websites are visited, Gator can be installed covertly, and the revenue from displaying pop-up windows goes to the site and to Claria Corporation.
The widespread use of spyware casts suspicion on other programs that track visits to web pages for research and statistical purposes. Some reviewers describe the Alexa Toolbar (a plug-in for Internet Explorer) as spyware, and a number of anti-spyware programs, such as Ad-Aware, classify it as such. This is due to the growing number of detected applications with undocumented auditing functions that collect and transmit user information. A telling case is the software developed by Carrier IQ, intended to transmit metrics from mobile devices to telecom operators but in reality passing them through an intermediary, the MSIP mobile intelligence platform; the researcher Trevor Eckhart documented that it also collected user information (keystrokes on the mobile device, etc.), which received wide media coverage.
Viruses and worms
Spyware and some adware resemble viruses in that they are malicious in nature.
Programs bundled with free, advertising-supported software are likewise treated as spyware (when the "parent" program is uninstalled, only it is deleted and the advertising module remains). However, users voluntarily download and install these programs, which presents a dilemma for anti-spyware developers, whose removal tools can render programs the user needs unusable. For example, recent tests showed that the WhenUSave program is ignored by Ad-Aware (although most scanners remove it as spyware) because it is part of the popular eDonkey client. To address this, the Anti-Spyware Coalition is working to build a consensus within the anti-spyware industry about what constitutes acceptable program behavior.
Unlike viruses and network worms, spyware usually does not self-propagate. Like many modern viruses, spyware is introduced onto the computer primarily for commercial purposes: displaying pop-up advertisements, stealing personal information such as credit card numbers, tracking website browsing habits, or redirecting browser requests to advertising or pornographic sites.
Anti-spyware programs often flag cookies as spyware. Although cookies are not malicious in themselves, many users object to third parties using their personal information, as well as their disk space, for business purposes, so many anti-spyware programs offer to delete cookies.
Scope of use
The possible applications of "potentially unwanted technologies" include both legitimate and fraudulent ones.
- Tracking software is widely and perfectly legally used for monitoring personal computers.
- Adware can be openly included in free and shareware software. The user agrees to view advertising in exchange for some benefit (for example, using the program free of charge). In this case the program's ability to display advertising must be explicitly stated in the end-user license agreement (EULA).
- Remote monitoring and control programs can be used for remote technical support or for access to the user's own resources on a remote computer.
- Dialers can provide access to resources the user needs (for example, dialing up an ISP to connect to the Internet).
- System modification programs can also be used for personalization that the user wants.
- Automatic download programs can be used to download application and OS updates automatically.
- Programs for analyzing the state of a security system are used to study the security of computer systems and for other perfectly legitimate purposes.
- Passive tracking technologies can be useful for personalizing the web pages a user visits.
Digital copyright protection
Some copy protection technologies are spyware. In 2005 it was discovered that Sony BMG Music Entertainment used rootkits in its XCP copy protection technology. Like spyware, they were not only difficult to detect and uninstall but also so poorly written that most attempts to remove them left the computer unable to function.
Starting on April 25, 2006, Microsoft's Windows Genuine Advantage Notifications application was installed on many computers as a "critical security update". While the main purpose of this deliberately non-removable application was to confirm that the copy of Windows on the machine had been acquired and installed legally, it also installed a program that was accused of "phoning home" daily, like spyware. It could be removed with the RemoveWGA program.
Spyware authors can commit fraud on telephone lines using dialer programs. A dialer can reconfigure the dial-up modem to call expensive phone numbers instead of the regular ISP. Connections to these numbers are billed at international or intercontinental rates, resulting in prohibitive telephone bills. A dialer is ineffective on computers without a modem or not connected to a telephone line.
Spyware is also used to covertly monitor the electronic activity of partners in intimate relationships, usually to uncover infidelity. At least one software package, Loverspy, was designed specifically for this purpose.
Below are common spyware programs that demonstrate a variety of behaviors. Note that, as with viruses, researchers give spyware names that may differ from those its creators chose. Spyware can be grouped into families based not on shared program code but on similar behavior. For example, a number of programs distributed by Claria Corporation are known collectively as Gator. Likewise, programs that are often installed together may be described as parts of a single spyware package even though they function separately.
- CoolWebSearch. A group of programs that exploit vulnerabilities in Internet Explorer. It redirects traffic to advertising websites, including coolwebsearch.com, displays pop-up advertising windows, rewrites search results, and modifies the hosts file of the infected computer so that name lookups for other sites lead to these websites.
- HuntBar, also WinTools or Adware.Websearch. It is installed through ActiveX downloads from affiliate sites or via pop-up windows produced by other spyware (an example of one spyware program installing even more spyware). These programs add toolbars to Internet Explorer, track browsing habits, redirect affiliate links, and produce pop-up ads.
- Internet Optimizer, also known as DyFuCa. It redirects Internet Explorer error pages to advertising. When a user follows a broken link or types an incorrect URL, an advertising page is shown instead. However, because password-protected websites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites. Internet Optimizer is implemented as a Browser Helper Object and is loaded whenever Internet Explorer starts. It is not stopped by firewalls and antivirus programs, since it is treated as a legitimate part of the browser. Internet Optimizer is also classified as a downloader, that is, a program that can download, install and run other programs without the user's knowledge.
- Zango (formerly 180 Solutions). It passes detailed information about the web pages the user visits to advertisers. It also alters HTTP requests from affiliate links to the websites of partner advertisers, giving 180 Solutions an unfair profit. It opens pop-up windows that cover the web pages of competing companies.
- Trojan.Zlob, or simply Zlob. It is downloaded to the computer via an ActiveX codec and reports information such as search history, visited websites and even keystrokes to its server. It has recently been found that Zlob is able to override router settings.
Contrary to consumer complaints, spyware makers state that users actually consent to the installation. Spyware bundled with a distribution may be mentioned in the legal language of the end-user license agreement (EULA). Many users habitually skip reading and understanding this document and simply click the "Agree" button.
So far the courts have not decided whether advertisers are responsible for spyware that shows their ads. In many cases, companies whose products appear in spyware-initiated advertisements do not deal directly with the spyware maker; rather, they contract with an advertising agency, which in turn contracts with a third party paid by the number of ad displays. Some leading companies, such as Dell and Mercedes-Benz, have terminated contracts with advertising agencies that used spyware to deliver advertising.
In 2003, Gator (now Claria Corporation) sued the PC Pitstop website for describing its products as spyware. PC Pitstop agreed not to use the term "spyware" but continued to describe the damage caused by Gator products. Following this precedent, other antivirus and anti-spyware companies use other terms for such products, such as "potentially unwanted programs" or "grayware".
Methods of removal and prevention
As spyware has become more than merely intrusive, a number of methods have emerged to deal with it. They include programs designed to remove spyware or block its installation, as well as advice to users aimed at reducing the likelihood of spyware getting into the system.
However, spyware remains a costly problem. When a large number of spyware components have infected the OS, the only remedy is to back up the user's data files and completely reinstall the OS.
Measures to prevent infection
- Using browsers other than Internet Explorer, such as Opera or Mozilla Firefox. Although no browser is completely secure, Internet Explorer presents a greater risk of infection because of its large user base.
- Using firewalls and proxy servers to block access to sites known to distribute spyware.
- Using a hosts file that prevents the computer from connecting to sites known to distribute spyware. However, spyware can easily bypass this kind of protection by connecting to a remote host by IP address rather than by domain name.
- Downloading programs only from trusted sources (preferably the manufacturer's website), since some spyware is embedded in program distributions.
- Using antivirus programs with the most up-to-date virus databases.
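The hosts-file measure and its IP-address bypass, together with the hosts-file hijack attributed to CoolWebSearch above, as an added example (not code from the original article or from any product it mentions; the hosts lines, the list of expected sites and the addresses are constructed):

```python
"""Hosts-file audit: blocklist entries, hijacked names, and the IP bypass.
Added example for this article (not from any product it names); the hosts
text and the list of expected sites are constructed, 198.51.100.0/24 and
203.0.113.0/24 are documentation address ranges.
"""
import ipaddress

# Addresses that sink a name instead of redirecting it.
SINKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}
# Constructed list of sites the user expects to reach through real DNS.
EXPECTED_SITES = {"www.example.com", "search.example.org", "update.example.net"}

# Constructed hosts file: two blocklist lines and two hijacked names.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
# blocklist lines added by the user
0.0.0.0        ads.spyware-example.test
0.0.0.0        tracker.spyware-example.test   # pop-up ad host
# lines a browser hijacker might append
198.51.100.7   search.example.org
198.51.100.7   www.example.com
"""

def parse_hosts(text):
    """Return [(address, hostname), ...], ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:          # one address may map several names
            entries.append((fields[0], name.lower()))
    return entries

def classify(entries):
    """Split entries into user blocklist names and hijacks, i.e. expected
    sites pointed at a foreign address (the CoolWebSearch technique)."""
    blocked, hijacked = [], []
    for addr, name in entries:
        if addr in SINKHOLE:
            if name != "localhost":
                blocked.append(name)
        elif name in EXPECTED_SITES:
            hijacked.append((name, addr))
    return blocked, hijacked

def effective_address(target, entries):
    """Address the OS would use for `target`: an IP literal never consults
    the hosts file, which is why hosts-based blocking is bypassed when a
    program calls home by address; a listed name gets its first mapping;
    anything else (None) goes on to DNS."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    for addr, name in entries:
        if name == target.lower():
            return addr
    return None
```

Running `classify` over the real hosts file of a suspect machine is a quick check for the hijack described above, while `effective_address` shows why the same file cannot stop a program that already knows the server's IP address.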
Programs such as Ad-Aware from Lavasoft (free for non-commercial use, additional services paid) and Spyware Doctor from PC Tools (free scanning, spyware removal paid) have rapidly gained popularity as effective removal tools and, in some cases, as barriers to spyware installation. In 2004, Microsoft acquired GIANT AntiSpyware, renamed it Windows AntiSpyware beta and released it as a free download for registered users of Windows XP and Windows Server 2003. In 2006, Microsoft renamed the beta Windows Defender; it has been available as a free download (for registered users) since October 2006 and is included as a standard tool in Windows Vista.
Some other anti-spyware:
Many antivirus companies (for example, Symantec, McAfee and Sophos) later decided to add anti-spyware features to their existing antivirus products. At first many were reluctant to do so, citing lawsuits brought by spyware authors against website owners and programs that described their products as spyware. However, recent home and business versions of the antivirus products from these leading firms do include anti-spyware features, although the approach differs from that used for viruses: for example, Symantec AV uses the term "advanced threats" and offers real-time protection. ZoneLabs has also released its own anti-spyware program. This reflects the tendency of antivirus companies to take targeted action against spyware.
Anti-spyware programs can combat spyware in two ways.
- Providing real-time protection that prevents spyware from being installed on the computer, in the same way that antivirus on-access scanners work.
- Detecting and removing spyware that has already managed to infiltrate the system. This type of anti-spyware is much simpler and more popular. Such programs let you schedule scanning and cleaning. The registry, the Windows folder and the installed programs are scanned, and a report of detected threats lets you choose what to delete.
Early anti-spyware versions were aimed primarily at finding and removing spyware. SpywareBlaster from Javacool Software was one of the first to offer real-time protection, blocking ActiveX-based and other spyware installations.
Like antivirus programs, anti-spyware requires regular database updates. As new spyware samples appear, anti-spyware developers detect and analyze them, creating signatures that allow the program to find and remove the threats. Anti-spyware without a source of regular updates is therefore of little use. Some vendors provide update services after registration, while others allow free updates. Updates can be installed automatically on a schedule, before each scan, or manually.
If spyware was not blocked and managed to install, it will resist attempts to stop its startup or to uninstall it. Some spyware works in pairs: when an anti-spyware scanner or the user terminates one running process, the other revives the killed program. Similarly, some spyware detects attempts to delete its registry keys and immediately adds them again. Running the infected OS in safe mode usually gives anti-spyware a better chance of removing such "stubborn" spyware.
A new generation of spyware (Look2Me from NicTech Networks is a good example) hides among critical system processes and runs even in safe mode. When there is no process that can be safely terminated, the spyware is much harder to detect and remove. Sometimes it leaves no trace of its existence on disk at all.
The newest spyware carries special countermeasures against known antivirus programs and can prevent them from running or installing, or even uninstall them. Gromozon is an example of spyware that uses all three methods. To remain invisible it stores itself in an alternate data stream; its built-in rootkit hides it even from alternate-data-stream scanners and actively prevents known rootkit scanners from running.
Malicious programmers release a significant amount of fake anti-spyware, and widespread pop-ups warning "how infected your computer is" offer products to remove spyware that do no such thing and in the worst case install more spyware. Programs of this kind (for example, Titan Shield) often install a Trojan to download a "trial version".
The main goal of the makers of these products is to sell them. Windows-style dialog boxes announce: "WARNING! Your computer is infected with spyware! Buy ... (name of the program) to remove it!" Typically, clicking the OK button in the dialog redirects the browser to a pornographic site. Sometimes even clicking the X button to close the window has the same effect or even starts the installation. Pressing Alt + F4 can bypass this trick. Some programs, like SpyAxe, download the trial version automatically without any user intervention.
Often a report of "scan" results and the number of detected threats is displayed to convince the user of the need to install the program.
Almost all known anti-spyware programs detect fake programs that have already been installed on the system, and many can block those delivered by a Trojan before the installation even begins. However, removing aggressive new-generation fake anti-spyware often requires tools such as HijackThis combined with manual removal, since it may take some time before anti-spyware makers investigate newly emerging threats and automate their detection and removal. Using HijackThis without expert help, however, can lead to the accidental removal of genuinely needed Windows components and thereby to a failure of the system as a whole; it is therefore advisable to seek the help of consultants on specialist forums.
The rapidly growing number of false or fraudulent antivirus products has caused serious concern. Such products often pose as anti-spyware, antivirus or registry cleaners and sometimes display pop-up windows offering installation.
Users are advised not to install any free program claiming to be anti-spyware unless there is sufficient evidence that it is legitimate.
Some well-known examples of fake anti-spyware: