
Here is an article that talks about Spyware Countermeasures...  
http://faculty.ncwc.edu/toconnor/426/426lect15.htm

SPYWARE AND COUNTERMEASURES

    There are many desktop spyware (also called snoopware) products that allow tracking a user's PC habits. Such desktop monitoring programs have been around for years. Originally, their use was confined to large-scale businesses that worried about employee misuse of employer-paid Internet access or worker productivity. In recent years, however, less costly products have found their way into home and small-business use. For example, such products include Insight ($100 from Trisys), WinWhatWhere Investigator ($99); and EBlaster or Spector ($99 from SpectorSoft).  Although each program operates slightly differently, they all do a remarkable job at secretly recording keystroke activity on a computer. 

    A Quick Note About Law -- the courts have consistently ruled that employees do not have absolute privacy rights when using an employer's computer equipment. Therefore, it is perfectly all right for someone in your company, representing management, to install spyware on your machine. If the purpose or intent is malicious, however, as in identity theft, then it's a matter that needs to be reported to the FTC's hotline.

    Spector is perhaps the most powerful and common spyware. It adds several files to the C:\Windows\System directory, including mswnsrvx.cnt, mswnsrvx.exe, mswnsrvx.hlp, shmswnmp.dll, and shmswnrc.dll (all of these are hidden files). The easiest way to determine whether you are under surveillance by Spector is to check for the C:\Windows\System\WebExt directory, which contains files with names like "4F0BF6D8.TPS." There may also be a master log file called "_MSFILEA.TXT", which shows when each capture file starts. The WebExt directory isn't hidden, but it can be changed to another name to make it harder to detect.

    EBlaster is recognizable by its main program file, which is 468KB URLMKPL.DLL, in the Windows/System folder. Also added are msskfzwin.dll, msskfzwin.ocx, and winmsskfzwin.drv. EBlaster must send e-mail outbound to report on you. Severing your network connection will only cause reporting to be delayed.

    Insight is pretty easy to detect. The standard installation procedure leaves an entry in the Install/Uninstall control panel labeled "INSIGHT Client." Insight also uses several .dll files that all start with the characters isgt, including isgtCBHO.dll, isgtCLHK.dll, and isgtCLNT.exe. The default is to place them in the C:\isgt directory, although someone wily can easily conceal them elsewhere, like in the systems folder. 

    WinWhatWhere provides the ability to change the name of the executable files involved. This makes it harder to detect the program by doing simple directory investigation. When unmodified, the files to look for are Windows/System/aa81232.exe, Windows/System/sem.exe, W3i.exe, W3ihist.exe, and W3isetup.exe. The data is captured in a file with a name like "zw83.dat" ("zw81.dat," "zw82.dat," and so on). 
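The file names listed for Spector, EBlaster, Insight and WinWhatWhere above can be turned into a simple indicator scan. The script below is an added example and is not part of the original lecture or of any product; it walks a directory tree, matches file names against a table built from the text, notes the Windows "hidden" attribute where the platform reports it, and runs against a constructed sample tree rather than a real machine. It only finds the unmodified names, so a renamed WebExt directory or renamed WinWhatWhere executables, which the text says are possible, are not detected by it.

```python
"""Scan a directory tree for the file-name indicators of the keystroke
monitors described in the text (Spector, EBlaster, Insight, WinWhatWhere).
Added example; the indicator table is taken from the lecture text and the
sample tree is constructed."""
import os
import re
import stat
import tempfile

# Indicator table built from the lecture text: a label and a regular
# expression matched against the lower-cased file name.
INDICATORS = [
    ("Spector program file", re.compile(r"^mswnsrvx\.(cnt|exe|hlp)$")),
    ("Spector hook DLL", re.compile(r"^shmswn(mp|rc)\.dll$")),
    ("Spector capture file", re.compile(r"^[0-9a-f]{8}\.tps$")),
    ("Spector master log", re.compile(r"^_msfilea\.txt$")),
    ("EBlaster main DLL", re.compile(r"^urlmkpl\.dll$")),
    ("EBlaster support file", re.compile(r"^(win)?msskfzwin\.(dll|ocx|drv)$")),
    ("Insight component", re.compile(r"^isgt\w*\.(dll|exe)$")),
    ("WinWhatWhere executable", re.compile(r"^(aa81232|sem|w3i|w3ihist|w3isetup)\.exe$")),
    ("WinWhatWhere capture file", re.compile(r"^zw8\d\.dat$")),
]

def is_hidden(path):
    """True if the file carries the Windows 'hidden' attribute. The attribute
    only appears in stat results on Windows; elsewhere this returns False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def scan_tree(root):
    """Walk root and return a sorted list of (label, path, hidden) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # The unrenamed Spector capture directory is itself an indicator.
        for d in dirnames:
            if d.lower() == "webext":
                findings.append(("Spector WebExt directory", os.path.join(dirpath, d), False))
        for name in filenames:
            low = name.lower()
            for label, pattern in INDICATORS:
                if pattern.match(low):
                    full = os.path.join(dirpath, name)
                    findings.append((label, full, is_hidden(full)))
                    break
    return sorted(findings)

def build_sample_tree():
    """Create a constructed sample tree in a temp directory (not a real
    infected machine); kernel32.dll is included as a benign control."""
    root = tempfile.mkdtemp(prefix="spyscan_")
    os.makedirs(os.path.join(root, "Windows", "System", "WebExt"))
    os.makedirs(os.path.join(root, "isgt"))
    for rel in ["Windows/System/mswnsrvx.exe", "Windows/System/shmswnmp.dll",
                "Windows/System/WebExt/4F0BF6D8.TPS", "Windows/System/WebExt/_MSFILEA.TXT",
                "Windows/System/URLMKPL.DLL", "isgt/isgtCLNT.exe",
                "Windows/System/zw83.dat", "Windows/System/kernel32.dll"]:
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"constructed sample content")
    return root

if __name__ == "__main__":
    for label, path, hidden in scan_tree(build_sample_tree()):
        print(f"{label:28s} {path}{'  [hidden]' if hidden else ''}")
```

On a real Windows system you would point scan_tree at the Windows directory; the hidden flag is the property the countermeasures section later tells you to look for, and a benign file such as kernel32.dll is deliberately not reported.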

PROGRAMS OTHER THAN KEYSTROKE MONITORS

ADWARE EAVESDROPPING:
   
Many websites rely upon the display of banner ads to generate revenue. Adware programs, such as GoZilla, RealPlayer, PkZip, and GetRight, also contain a small applet that interacts with the company's servers behind your back. The applet sends new ads by tracking how you surf, what you've seen, and what you've clicked on. These are known as tracking applets.

    If your only concern is Web surfing security, an obvious countermeasure to being snooped is to use Netscape, which does not report the page being visited. Another approach is to use Anonymizers, which allow surfing anonymously. Yet another sophisticated solution is to make a copy of the executable file for one's browser, and rename it to something like "WinWord.exe" (while putting the duplicate in the same directory the browser app is in). By launching the duplicate, this spoofs most tracking applets into thinking you are word processing instead of surfing.

    Fortunately, there are other countermeasure programs. Tools like AdAware and ZoneAlarm do a good job, as well as more expensive solutions, like CommView, which block Adware eavesdropping almost totally. 

COOKIES:
   
There are many misconceptions about cookies. Most are annoying rather than malicious. The definition of a cookie is a data file written to your hard drive by a Web server that identifies you to a site. Cookies are very common on the Web. When you visit a site that sets cookies, commands embedded in the page cause your browser to contact the site's server in ways not normally expected. Information contained in your browser about your recent travels on the web, for example, is sent to the site's server. Say you just came from a site where you entered a password or gave out your credit card information to purchase something. A cookie at the next site you visit might collect that information. Not all cookies do this, but the fact that they can scares most people. Different browsers store cookies in different places: Netscape Navigator maintains a file called cookies.txt that contains all cookie records. Internet Explorer stores its cookies in the C:\windows\cookies directory as well as the Internet cache.

    Cookies come in two varieties: session cookies and persistent cookies. Session cookies clear out after you close the browser (end the session) and often are used by "shopping carts" at online stores to keep track of items you want to buy. Persistent cookies are set by news sites, banner ad companies, and others who want to know when you return. These files reside on your hard drive after you leave the site. Both types of cookie files contain the URL or domain name of the site you visited and some internal codes that indicate which pages you visited. Persistent cookies record the last time you visited the site and how many times you've been there. They usually contain a code that becomes your unique identifier, which lets a site know that you've been there before. Some cookies can contain personal information, such as a name or e-mail address, but only if you've given that information to the Web site. Contrary to popular rumor, cookies can't "steal" your name or e-mail address if you don't give it out. A complete FAQ, the latest news, and countermeasure programs which you can download to manage or delete cookies are available at Cookie Central.  
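The session/persistent distinction above is visible directly in the cookies.txt file that Netscape Navigator keeps. The parser below is an added example, not from the lecture or from Netscape; it assumes the seven-field, tab-separated layout of that file (domain, subdomain flag, path, secure flag, expiry as seconds since the Unix epoch, name, value), treats an expiry of 0 as a session cookie, and reads a constructed sample file rather than a real profile.

```python
"""Parse the Netscape cookies.txt format and sort the records into session
cookies (expiry field 0) and persistent cookies (future expiry timestamp).
Added example; the sample file content and the host names in it are constructed."""
import datetime as dt
from dataclasses import dataclass

@dataclass
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int          # seconds since the Unix epoch; 0 means session cookie
    name: str
    value: str

    @property
    def persistent(self):
        return self.expires != 0

# Constructed sample in the cookies.txt layout: one ad-network cookie, one
# shopping-cart session cookie, and one news-site visit counter.
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File (constructed sample)\n"
    ".ads.example-net.test\tTRUE\t/\tFALSE\t2145916800\tuid\tA1B2C3\n"
    "shop.example\tFALSE\t/cart\tTRUE\t0\tsessionid\tx9y8z7\n"
    ".news.example\tTRUE\t/\tFALSE\t2145916800\tvisits\t12\n"
)

def parse_cookies_txt(text):
    """Return a list of Cookie records; comment and blank lines are skipped."""
    cookies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 tab-separated fields, got {len(fields)}")
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, flag.upper() == "TRUE", path,
                              secure.upper() == "TRUE", int(expires), name, value))
    return cookies

def summarize(cookies):
    """Split cookies into session and persistent groups; persistent entries
    carry the expiry date so the user can see how long the identifier lasts."""
    out = {"session": [], "persistent": []}
    for c in cookies:
        if c.persistent:
            when = dt.datetime.fromtimestamp(c.expires, dt.timezone.utc).date().isoformat()
            out["persistent"].append((c.domain, c.name, when))
        else:
            out["session"].append(f"{c.domain}:{c.name}")
    return out

if __name__ == "__main__":
    report = summarize(parse_cookies_txt(SAMPLE_COOKIES_TXT))
    for domain, name, when in report["persistent"]:
        print(f"persistent  {domain:24s} {name:10s} expires {when}")
    for entry in report["session"]:
        print(f"session     {entry}")
```

The persistent entries are the ones worth reviewing: a long-lived identifier set by a domain you never typed into the address bar is the banner-network case the text describes.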

FIREWALL LEAKS:
    Firewalls are personal or corporate security programs that block unauthorized communications or unapproved applications by detecting names or choice of ports. Most companies that produce Antivirus programs, like Norton or McAfee, also make firewalls. Sygate is another well-known firewall manufacturer. The purpose of installing a firewall is to block viruses and trojans that get placed on a computer by downloading or installing an application that requires a regular connection to the Internet (programs that do their own live updates, for example).

    Firewall programs need to be regularly patched. One of the most common patches involves rule fingerprinting, which uses a secure hash algorithm that makes a firewall rule work for a specific application but not for any other. The standard default configuration of automatic rule creation is dangerous. Windows NT and 2000 systems are more secure because they use full path validation, which means an application's firewall rule is tied to the application's exact directory path. LeakTest and other programs determine if firewalls are secure. Most people, even system administrators, don't fully understand firewalls, so patches or updates are rarely installed.
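The difference between an automatically created rule keyed on a file name and a fingerprinted rule keyed on the full path plus a secure hash is easiest to see side by side. The code below is an added example and is not the implementation of any firewall product named above; the two classes, the file names and the temporary directory are constructed for the demonstration. It plays through three requests: the genuine program, a different binary that has taken the program's name, and the genuine binary copied to another directory.

```python
"""Name-based firewall rules versus fingerprinted rules (full path + SHA-256).
Added example; the policy classes and the sample files are constructed."""
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class NameRuleFirewall:
    """Weak default: allow outbound traffic for any process whose executable
    file name appears in the rule set (the 'automatic rule creation' case)."""
    def __init__(self):
        self.allowed_names = set()

    def add_rule(self, exe_path):
        self.allowed_names.add(os.path.basename(exe_path).lower())

    def permits(self, exe_path):
        return os.path.basename(exe_path).lower() in self.allowed_names

class FingerprintRuleFirewall:
    """Hardened: a rule is the pair (absolute path, SHA-256 of the binary).
    A replaced binary or the same binary copied elsewhere does not match."""
    def __init__(self):
        self.rules = {}

    def add_rule(self, exe_path):
        full = os.path.abspath(exe_path)
        self.rules[full] = sha256_file(full)

    def permits(self, exe_path):
        full = os.path.abspath(exe_path)
        expected = self.rules.get(full)          # full path validation
        return expected is not None and expected == sha256_file(full)

def run_scenario():
    """Return ((name, fingerprint) decisions) for: the genuine program, a
    replaced binary under the same name, and the genuine binary moved."""
    root = tempfile.mkdtemp(prefix="fwdemo_")
    browser = os.path.join(root, "Program Files", "browser.exe")
    os.makedirs(os.path.dirname(browser))
    with open(browser, "wb") as fh:
        fh.write(b"constructed browser binary")
    name_fw, fp_fw = NameRuleFirewall(), FingerprintRuleFirewall()
    name_fw.add_rule(browser)
    fp_fw.add_rule(browser)

    # Copy of the genuine binary in a different directory (same hash, other path).
    copied = os.path.join(root, "Temp", "browser.exe")
    os.makedirs(os.path.dirname(copied))
    shutil.copyfile(browser, copied)

    genuine = (name_fw.permits(browser), fp_fw.permits(browser))
    # Different content under the original name and path (hash no longer matches).
    with open(browser, "wb") as fh:
        fh.write(b"constructed stand-in that took the browser's name")
    replaced = (name_fw.permits(browser), fp_fw.permits(browser))
    moved = (name_fw.permits(copied), fp_fw.permits(copied))
    return genuine, replaced, moved

if __name__ == "__main__":
    for label, decision in zip(("genuine", "replaced", "moved"), run_scenario()):
        print(f"{label:9s} name-rule={decision[0]!s:5s} fingerprint={decision[1]}")
```

The name-based rule says yes in all three cases, which is exactly the leak that tools like LeakTest probe for; the fingerprinted rule only admits the original binary at its original path.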

E-MAIL WIRETAPPING:
    Few e-mail programs are immune from wiretapping. The most common e-mail programs are extremely vulnerable, like Microsoft Outlook, Outlook Express, and Netscape. Eudora, Hotmail, and AOL are more difficult to tap. The most common vulnerability occurs with HTML e-mail -- messages with animated images or color in them. Such messages may contain dozens of lines of hidden JavaScript code that allow someone to secretly monitor any messages you send out later, especially those that require you to forward the original HTML e-mail on to somebody, or send on an attachment. JavaScript and, of course, HTML e-mail must be enabled for this to happen. This technique is called the Reaper exploit and has been around since 1998. Microsoft has long had an Outlook Security Patch for it, but few people have downloaded it.

    Other exploits are known simply as web bugs, and are undetectable bits of code planted in e-mail, web pages, graphics, and banner ads, mostly by advertisers. Once you view or open a web bug, a hidden receipt immediately wings its way back to the senders. The bug also lets the senders determine your e-mail address and track you if you surf their site. To see a web bug in action, visit http://mackraz.com/trickybit/readreceipt/. To understand how web bugs work and see who the top 100 advertisers are, visit Web Bug Report.
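A web bug in an HTML message is usually an image that is too small to see, fetched from a host other than the sender's, and carrying a per-recipient token in its URL, which is what lets the sender tie the fetch to an address. The detector below is an added example in the spirit of the web-bug checkers the resources list mentions; it is not Bugnosis or any other product's code. It assumes the message's legitimate host is known (passed in as first_party_host) and runs over a constructed sample message with made-up host names.

```python
"""Flag likely web bugs in an HTML message: images that are tiny or hidden,
come from a third-party host, or carry a query-string token. Added example;
the sample message and its host names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

def _tiny(value):
    """True for width/height attributes of 1 pixel or less."""
    try:
        return value is not None and int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False

class WebBugFinder(HTMLParser):
    """Collects (src, reasons) for every <img> that shows at least two of
    the tracking-pixel traits; a single trait alone is common in benign mail."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            return  # inline (cid:) or data images cannot report back to a server
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 or smaller")
        if parts.netloc.lower().split(":")[0] != self.first_party:
            reasons.append("third-party host")
        if parts.query:
            reasons.append("query string (possible recipient token)")
        if "display:none" in a.get("style", "").replace(" ", "").lower():
            reasons.append("hidden by style")
        if len(reasons) >= 2:
            self.hits.append((src, reasons))

# Constructed sample: a visible logo, a classic tracking pixel, an inline
# image, and an invisible beacon with no size attributes at all.
SAMPLE_HTML = """<html><body>
<p>Hello, here is our newsletter.</p>
<img src="https://news.example/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example-ads.test/p.gif?u=r3c1p13nt&m=42" width="1" height="1">
<img src="cid:inline-photo" width="1" height="1">
<img src="http://counter.example-ads.test/beacon" style="display: none">
</body></html>"""

def find_web_bugs(html, first_party_host):
    """Return the list of (src, reasons) findings for one message body."""
    finder = WebBugFinder(first_party_host)
    finder.feed(html)
    finder.close()
    return finder.hits

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_HTML, "news.example"):
        print(src, "->", "; ".join(reasons))
```

The practical countermeasure the detector points at is the same one the text gives for the Reaper exploit: a mail client that does not fetch remote images (or render HTML at all) never sends the receipt, whatever the message contains.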

PENTIUM III CHIP PROCESSORS:
    Pentium III computers have a built-in vulnerability where the chip's processor serial number (PSN) can be used to uncover your surfing habits. This was the technique the FBI wanted to exploit in their clipper chip proposal. The PSN is a computer's unique identifier. If the computer isn't a Pentium III, it either doesn't have a PSN or Intel had it turned off at the factory. You can turn your PSN on or off via the hardware setup screen, but the method differs from one PC to another. On most PIII systems, you get to this screen by holding down Insert, Delete, or Control-F1 at the beginning of the boot-up process. Search the options to find the PSN off switch. If PSN is disabled in the BIOS settings, you can't re-enable it. If it is enabled, you can use Intel's PSN program to toggle it on and off. Pentium 4 processors do not have serial numbers, so this is not a concern with anything other than Pentium IIIs.

BUGGY SOFTWARE:
    Glitches and bugs in software are one thing; security flaws are another. The latter leaves a machine open to attack, but most software developers have a way of downplaying a flaw into a bug into a glitch. Over 35 security flaws exist in Windows 98, and the Windows browser product, Internet Explorer has 69 security flaws. Microsoft calls these glitches or bugs, claiming they don't ship anything with a security flaw.  The U.S. Navy, however, which controls its nuclear submarines with Windows NT, has found numerous security holes. In 1997 a missile cruiser was rendered dead in the water because of a data-calculation bug in NT. There are approximately 164 holes in Windows NT, predecessor to Windows 2000 and Windows XP Professional. NT has so many holes that hackers say NT stands for "nice try." 

    Every piece of software ever developed has always had, and always will have, bugs. Computers, software, and the Internet are getting so interconnected that insecurities are mounting faster than the ability to find them. Vendors, spurred by competition and the consumer cry for more features, bloat their wares with extras, and rush to get the product on the shelf. Computer Science programs in college don't emphasize computer security as much as they should when educating programmers. As lines of code increase, so do bugs. There is no industry standard for an acceptable number of bugs, but an often-quoted figure is one bug per 10,000 lines of code--a lot of bugs when you consider that Windows 2000 reportedly contains 40 million lines of code. 

    Security flaws proliferate when programs designed for different purposes are combined--for example, Microsoft Word macros and e-mail. Macros are pieces of code that automate specific tasks, and are a great idea, but can become dangerous when combined with e-mail. Click on an e-mail attachment containing a malicious macro, and it can reformat your hard drive. Macros, as well as Java and ActiveX, are easily abused by someone with evil intent.

    Bug hunters find and publicize holes that vendors miss. They include a range of people: security researchers; system administrators; academics; and crackers, who reverse-engineer a program specifically to find its flaws. These people are known as white-hat hackers, since they find and publicize holes with no intent to wreak havoc on systems (as opposed to black-hat hackers, whose intent is malicious). Their aim is to force vendors to fix holes, but software makers are slow to learn from mistakes. Buffer overflows, for example, are the poster child of security flaws. They were discovered in the 1960s and first used to attack computers in the 1970s. Here we are 40 years later, and buffer overflows are the most common security problem. And they're an easy problem to fix.

HOSTILE APPS:
    A few frequently downloaded user programs come bundled with spyware that the user rarely knows about. For example, the trojan ClickTillUWin comes bundled with many file-swapping apps. During install, you see what appear to be choices for advertising banners that come with free software, and even if the user chooses not to install, the trojan installs itself anyway.

    iMesh is a program that allows the swapping of music, image, and video files, but it also includes apps that let third parties deliver advertisements, steal info, slap graphics on the web site you're viewing, and even tweak your system settings. KaZaa is a popular peer-to-peer audio file-swapping program, but it manages your desktop settings, and is suspected of containing a trojan. AOL Instant Messenger (or AIM) has a worm in it that a 19-year-old Utah college student revealed in early 2001, and it's unclear if the company fixed the product or not. Limewire is another file-sharing program (like Grokster) that contains the "Clicktilluwin" trojan that surreptitiously sends your personal privacy information to another Web address while you are file swapping. Another spyware trojan, "W32.DIDer", comes packaged with many peer-to-peer networking programs. Pretty much all the programs that replaced Napster contain spyware.

COUNTERMEASURES

1. Check the computer's folder system for changes. Regularly use a backup program that generates a report detailing files that have been changed, particularly any file changes involving .dll or .exe files.

2. Look for alterations in the Registry. Tools, like Registry Edit or Registry Tool, exist in order to check for changes and produce reports over time.

3. Watch out for odd file names that have "hidden" property checked. Spyware programs generally use deceptive file names and almost always activate the hidden file property feature. To inspect for this, select the Show All Files option under the View menu in the Windows desktop or in Windows Explorer. Especially look for any files with shaded icons. Be careful what you delete, however. A good way to figure out what a cryptic .dll or .exe file name means is to type it into a search engine and go look at the links that come back.

4. Always use an Antivirus program. Such a tool will at least prevent a hacker from introducing the spyware via e-mail or the execution of infected software.

5. Do a check on what is running on the computer by pressing Ctrl-Alt-Delete simultaneously. A dialog box will list all currently running programs. Look for programs that contain suspicious or unfamiliar names. Write the program's name down on paper. After you've closed the box, select Start, Find, Files or Folders. In the Named field, enter the name of the program followed by .exe, such as dbserver.exe. In the Look In field, select Local hard drives, then click Find Now. If the file's in C:\Program Files\Microsoft Office, chances are it's part of Office. If a file search doesn't turn up a program, or if it's in a common dumping-ground folder like C:\Windows\System, turn programs on and off. Select Start, Run, type msconfig, and press Enter. Click the Startup tab for a list of all programs that load at boot-up. Find out what's loading a particular program by unchecking options and rebooting until you can identify the malefactor. Some programs you'll typically find are: Explorer and systray: Basic parts of Windows that should always be up; Findfast and osa: Parts of Microsoft Office 97 (but not of Office 2000). If you don't want them, you can get rid of them by removing Microsoft Find Fast and Office Startup from the Start, Programs, Startup menu; and Rnaap: which is part of Windows. Examining the Microsoft Knowledge Base is probably the best way to find out what these programs do. 

6. Disable File Sharing since file sharing lets networked computers pass documents back and forth, but also lets strangers steal files from your PC over the Net. Consider enabling file sharing only when you need to give someone access to files, and then disable it afterward. And use password protection for shared files so that only the person you designate can read them. To disable file sharing, go to Start, Settings, Control Panel, Network, Configuration, File and Print Sharing. Make sure the option boxes are not checked and then click OK.

7. Adjust the security in Internet Explorer or Netscape Navigator. You can change IE's security via its sliding bar (depending on your version of IE), or you can choose specific functions to control. To use the sliding bar, go to Tools, Internet Options, Security. Select Internet Zone, click Default Level, and move the bar from Low to Medium or High. Low provides almost no protection from Web hazards; Medium disables many scripts but allows cookies; and High disables virtually all scripts and cookies. To set specific functions, select Custom Level and set controls one by one. Be warned: This is more complex. In Netscape, choose Edit, Preferences, and then Advanced in the Category window.

8. Configure Outlook and Outlook Express since Outlook allows you to disable macros in e-mail attachments or to let some macros through--such as those that are digitally "signed" by trusted sources. You can also have Outlook adopt the security options you define in IE. In Outlook Express, you can set e-mail security levels based only on the settings you've chosen for IE's Internet and Trusted Sites Zones. To allow Outlook to let only trusted macros through, go to Tools, Macro, Security and click High. Then, to ensure that Outlook is using your IE security settings, click Tools, Options, Security. You should see the Internet Zone icon in the Secure Content list box. While you're at it, click on Attachment Security and make sure it's also set to High.

9. Display File Extensions since many viruses have an extension or double extension to their file name, such as .vbs (Visual Basic Script), or the double file extension, as in AnnaKournikova.jpg.vbs. But the default setting in Windows hides them, so you're tricked into opening a malicious attachment. Display full file extensions in Windows Explorer by clicking Tools, Folder Options. Select View and check Show all files (in Windows 9x) or Show hidden files and folders (in Windows 2000 and Me). Some extensions are visible only with a Registry tweak. Also, get in the habit, before opening any attachment, of right-clicking the message in your in-box and clicking View Attachments (but don't click the attachment). If the file has two extensions, it's probably up to no good. If the extension is .bat, .com, .exe, .lnk, or .pif, it is an executable file and may attack your system.

10. Install the latest patches from software vendors. Windows 98 needs service packs and critical updates. Windows 98 Second Edition doesn't need the pack. Windows Me needs patches to fix flaws in how it works with other Microsoft applications. Windows 2000 needs service packs and patches to fix the Java Virtual Machine. Windows XP needs to have its Passport service fixed. Outlook Express needs a patch to fix a hole in how it handles business cards. Outlook needs a patch so that malicious e-mail does not reformat the hard drive. Browsers like Internet Explorer and Netscape need patches. Patches are needed for almost all Office products, the most vulnerable (in rank order) being Excel (10 flaws), Word (9 flaws), PowerPoint (5 flaws), and Access (3 flaws).

11. Use a CMOS password and consider a cover lock for the computer. With the exception of Windows 2000, the Windows password only prevents people from logging on as you. If you want real security, enable the password feature built into your system's CMOS setup program. To activate your CMOS password, enter your PC's CMOS setup program by pressing the appropriate key as your system boots up. (This is often the <Delete> or <F1> key. Watch the monitor during boot-up; it usually announces the proper key.) Scan the menu choices for 'Security', 'User Password', or something similar. When prompted, enter your password of choice. If you lose your password, check your system or motherboard manual for instructions on how to reset it. The motherboard may have a password-reset jumper directly on the board. If not, look for a CMOS-reset jumper, which will clear all of your CMOS settings, including the password. Write down your current settings on a piece of paper first so you'll be able to reenter them easily. Your CMOS setup program's 'Restore Default Settings' function may not return your PC to its original state, since manufacturers sometimes make their own adjustments to the CMOS. If your PC has no CMOS-reset jumpers--or if you can't find any documentation that identifies them--try clearing the CMOS settings by removing the small battery on the motherboard that powers your CMOS. You may have to keep the battery disconnected for more than an hour to erase the settings. If the battery is soldered on, take your system to a repair shop.
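Countermeasures 1 and 9 above can both be done with a short script instead of by hand: take a snapshot of the .dll and .exe files under a directory, compare it against a later snapshot to get the "files changed" report item 1 asks for, and test an attachment's name for the double-extension and executable-extension patterns item 9 describes. The code below is an added example, not the lecture's own procedure or any backup product; the snapshot format, the temporary sample directory and the file contents are constructed, and the extension list is the one given in item 9.

```python
"""Integrity report for .dll/.exe files between two snapshots (countermeasure 1)
and an attachment-name check for double or executable extensions (countermeasure 9).
Added example; the sample directory and its contents are constructed."""
import hashlib
import os
import tempfile

MONITORED = {".dll", ".exe"}
# Extensions the text names as executable attachments.
EXECUTABLE_EXTENSIONS = {".bat", ".com", ".exe", ".lnk", ".pif", ".vbs"}

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every monitored file under root."""
    out = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in MONITORED:
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root)] = sha256_file(full)
    return out

def diff_snapshots(before, after):
    """Sorted lists of added, removed and modified monitored files."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }

def attachment_warning(filename):
    """Return a reason if the attachment name looks dangerous, else None.
    Two extensions (photo.jpg.vbs) or a bare executable extension both count."""
    parts = filename.lower().split(".")
    if len(parts) > 2 and all(parts[1:]):
        return f"double extension .{parts[-2]}.{parts[-1]}"
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return f"executable extension {ext}"
    return None

def run_report():
    """Build a constructed tree, change it, and return the diff report."""
    root = tempfile.mkdtemp(prefix="baseline_")
    sysdir = os.path.join(root, "Windows", "System")
    os.makedirs(sysdir)

    def write(rel, data):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)

    write("Windows/System/kernel32.dll", b"original")
    write("Windows/System/user32.dll", b"original")
    write("Windows/System/readme.txt", b"not monitored")
    before = snapshot(root)
    write("Windows/System/kernel32.dll", b"patched")       # modified in place
    write("Windows/System/mswnsrvx.exe", b"new arrival")   # added (a name from the text)
    os.remove(os.path.join(sysdir, "user32.dll"))          # removed
    return diff_snapshots(before, snapshot(root))

if __name__ == "__main__":
    for kind, paths in run_report().items():
        for p in paths:
            print(f"{kind:9s} {p}")
    for name in ("AnnaKournikova.jpg.vbs", "setup.exe", "photo.jpg"):
        print(f"{name:26s} {attachment_warning(name)}")
```

In practice you keep the "before" snapshot somewhere the machine being checked cannot silently rewrite (the backup medium itself, for instance), since a snapshot stored beside the files it describes is only as trustworthy as those files.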

INTERNET RESOURCES
Adware, Spyware, and other Unwanted Malware Removal
IDG.net - Practical IT advice, including Internet Security Downloads
PCworld.com - visit their Privacy section
Privacy Foundation - link to Bugnosis, the web bug detector
Scumware: A New Threat - programs like KaZaa
Securityfocus.com - Security Focus magazine that tracks vulnerabilities
Senator Edward's Spyware Control Act
SpyChecker - a program to check if something has spyware in it
ZDNet - What is Spyware?

PRINTED RESOURCES
Chiang, Larry and Detweiler, Gerri. (2001). Internet Marketing Secrets. NY: Triple Option.
Garfinkel, Simson et al. (2001). Web Security. NY: O'Reilly.
Gauntlett, Andrew and Dewan, Sheena (Eds.) (1999). Net Spies. NY: Frog.
Shapiro, Carl and Varian, Hal. (1998). Information Rules. Cambridge: Harvard University Press.

Last updated: 01/06/04
Syllabus for JUS 426