This section of our learning guide focuses on a tried and true malware adversary: Spyware. Find information on spyware and adware detection, keyloggers and their destructive capabilities, bots, proper spyware removal tactics and antispyware tools. Also, be sure to visit our Windows Security Clinic for information on troubleshooting spyware infections.
Spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet (where it is sometimes called a spybot or tracking software), spyware is programming that is put into someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a computer virus or as the result of installing a new program.
Spyware is often installed without the user's consent, as a drive-by download, or as the result of clicking some option in a deceptive pop-up window. Adware, software designed to serve advertising, can usually be thought of as spyware as well because it almost invariably includes components for tracking and reporting user information.
While spyware is no longer necessarily at the forefront of the malware realm, it can still be quite a nuisance. Keyloggers, for example, relay what you type to a hacker who has installed a program on your system without your knowledge. This can result in anything from lost user account passwords to stolen credit card information. A bot can use one of your machines or servers as a hub to distribute other forms of malicious software.
Recognize your malware
Spyware and adware are two types of software that some people find hard to distinguish.
To make matters more confusing, there are many pieces of malware that merge characteristics of both spyware and adware. The distinction between the "wares" is important to businesses that make money distributing adware because they generally don't like to be associated with the "dark side." Some adware vendors are even suing anyone who calls their programs malware or spyware.
The distinguishing characteristic of spyware is that it makes undesirable changes to your computer as it collects data about your computing activities. Using that data, spyware can perform any number of tasks:
- Deliver targeted advertising
- Forward sensitive data such as user names, passwords and account numbers to the spyware
- Perform unauthorized financial transactions involving the user's bank, credit card or
- If the computer has a modem connected to a telephone line, the spyware operator may connect with expensive pay-per-access numbers, leaving the unsuspecting user with the charges
Adware is software that displays advertising such as pop-ups and banner ads. Some adware collects personal information so the ads can be targeted and customized for the user. Adware typically is installed in conjunction with some other free software that the user actually wants. When downloading or installing the free application, the user also agrees to allow the adware to run. Legitimate products let the user uninstall or disable the adware, but doing so typically disables the primary software as well.
The term keystroke logger, or keylogger for short, has come to be associated primarily with its use as an unauthorized or malicious tool installed to secretly capture all of the keystrokes typed on a compromised machine. The reality is that, like many malicious hacker tools, keystroke logging has its roots as an administrative and diagnostic tool. Unfortunately, some of the most helpful tools and utilities can end up being used for evil.
A keylogger is a hardware product or software utility that records every keystroke typed on the computer. It may simply log the keystrokes and require someone to manually retrieve the data, or it could be designed to automatically send the accumulated keylogger data to an e-mail address.
The most common delivery method for this type of malware infection is through spyware or rootkits. Malicious Web sites can use known system exploits or poor active scripting security to automatically install the keylogger utility when users visit them. When installed secretly by a spyware utility or other malware, the keylogger can be used to capture user names, passwords, account numbers, social security numbers or any other personal or sensitive information that you type on your keyboard.
A bot (sometimes referred to as a zombie) is a type of malicious software that can infect Windows servers or workstations and can be used for propagating spam, distributing denial of service attacks and other criminal hacker shenanigans. Spy bots have not had the media exposure that viruses and rootkits have had. But times are changing. Research reports and malware vendor marketing hype are growing and spy bot infections and bot removal are starting to be taken seriously.
Spyware responsibilities: From user to admin
Defending your system from spyware is a process that has many layers. Some roles are performed by users and some by the administrator. These bits of advice begin with the basics and move on to more advanced practices.
Use a spyware scanner/screener
You won't be protected against spyware and adware unless you install an appropriate antispyware package (see TopTenReviews Inc.'s Anti-Spyware ratings for pointers). The first such package you install on your machine generally also works just like antivirus software. It will not only run at regular intervals and scan your machine, but it will also check all incoming files, messages, Web pages and so forth to look for and block spyware, adware and other malware from taking up residence on your machine. For that reason, the screening function is very important because it provides real-time protection against potential infestation by malicious software.
Run one or more back-up scans weekly
Recent studies show that, unlike antivirus packages (many of which routinely achieve 100% effectiveness ratings in the virus handling department, as demonstrated by the Virus Bulletin 100% award), no single antispyware package can correctly identify or block all known spyware (not to mention new, unknown spyware).
Thus, best practices dictate that you install at least two antispyware packages on all machines. Use one for real-time screening and regular scans; use the other once a week as a backup scanner to catch spyware and adware that the other may miss.
Use a rootkit detector
Although rootkits often work and run by themselves (and are no less dangerous in that mode), they are increasingly incorporated into spyware and viruses by clever hackers. They may even be combined with Trojans to enable what they learn to be reported to remote locations across a network or the Internet. They allow keyloggers to capture account info, passwords and other sensitive data.
The real problem with rootkits is that most antivirus or antispyware tools can't detect them. A special class of tool, called a rootkit detector, is required to ferret out such malware. What's worse is that no automated clean-up tools yet exist to get rid of rootkits, so the only cure for an infestation is to wipe the drives clean and reinstall your system (and then restore your data files and software from a known clean backup).
You can also try using the Windows System Configuration Utility as an unexpected spyware tool. Although the System Configuration Utility has been around since Windows ME, and it was never really intended as a security tool, some experts have found it to be particularly effective in the war against spyware.
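The System Configuration Utility's Startup tab is useful against spyware because it lists the autostart locations that spyware and adware rely on to survive a reboot. The following PowerShell script is an added example, not part of the original guide, that enumerates the same locations (the standard Run and RunOnce registry keys plus the per-user and all-users Startup folders) and flags any entry whose executable lives outside the Windows or Program Files directories, which is where spyware is typically dropped. It assumes Windows PowerShell 5.1 or later and the default Windows folder layout; a flagged entry is a candidate for closer inspection, not a confirmed infection.

```powershell
# Added example (not from the original guide): list autostart entries the way
# msconfig's Startup tab does, and flag executables outside the usual
# system/program directories. Assumes Windows PowerShell 5.1+ and default paths.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Directories from which legitimate autostart binaries are normally launched.
$trustedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Get-ExecutablePath {
    param([string]$Command)
    # Extract the executable from a command line such as
    #   "C:\Program Files\Tool\tool.exe" /silent   or   C:\Temp\x.exe -run
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

function Test-TrustedLocation {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$entries = @()

# Registry-based autostart entries (Get-ItemProperty expands %SystemRoot%-style values).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $exe = Get-ExecutablePath -Command ([string]$p.Value)
        $entries += [PSCustomObject]@{
            Source  = $key
            Name    = $p.Name
            Command = $p.Value
            Exe     = $exe
            Suspect = -not (Test-TrustedLocation -Path $exe)
        }
    }
}

# Startup-folder entries: anything placed here runs at logon, so review each one.
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File | ForEach-Object {
        $entries += [PSCustomObject]@{
            Source  = $folder
            Name    = $_.Name
            Command = $_.FullName
            Exe     = $_.FullName
            Suspect = $true
        }
    }
}

$entries | Sort-Object Suspect -Descending | Format-Table Suspect, Name, Exe, Source -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable, and compare the flagged entries against what you knowingly installed; an entry launching from a temporary or user profile directory under a generic name is exactly the kind of item the guide suggests disabling through the System Configuration Utility before running a full antispyware scan.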
Clean up spyware with the Windows Security Clinic
No one is safe from spyware -- particularly not naïve users who are quick to click pop-up boxes and installation prompts, entertain spam offers or surf malicious Web sites.
The best preventative measure is probably to educate end-users about spyware, but for many, it's already too late and spyware issues are running rampant on Windows workstations. To help you identify, troubleshoot different types and clean up spyware infections, check out the Windows Security Clinic on spyware removal. We'll present several end-user complaints followed by diagnoses and possible courses of action to take from three Windows security experts. You'll find that each expert has a unique solution to each problem -- so be sure to consider them all when troubleshooting your own spyware issues.
This was first published in July 2007