AN INTRODUCTION TO SPYWARE MECHANISMS
All Web-based spyware is dependent on being able to use features and security vulnerabilities within a Web browser to infect a computer. Part of the reason that spyware is difficult to defend against is that the features used to infect a computer are often the same as those used by legitimate software to enhance functionality. The first step in defense is to understand how spyware and malware work.
The life of spyware can be split into the following three stages:
- Exploitation: Occurs when a malicious Web site exploits a feature or security vulnerability in your browser and gains enough access to your computer to start causing problems. It's an unfortunate fact that Web browsers, especially Microsoft Internet Explorer, have plenty of security flaws in them.
- Infection: When the payload (the part of the spyware that actually does the damage) is downloaded to your computer via the security hole created in stage one.
- Operation: Takes place as the spyware completes its tasks, such as displaying toolbars, sending Web browsing information to its creators, or dialing premium-rate phone numbers.
Misuse of Features
All Web-based spyware is dependent on being able to exploit features and security vulnerabilities within a Web browser to infect a computer; without the features and flaws, infection isn't possible. One of the most common methods of attack is through ActiveX controls. These are small programs downloaded to your computer to provide functionality not available through basic HTML (Hypertext Markup Language) and script, such as a Web-based interactive pie chart creator. However, because these are executable programs whose purpose is to extend the functionality of the Web browser, the developers of these controls have extensive access to the internals of both Windows and the Web browser.
Similarly, the active scripting functionality within Internet Explorer is a two-edged sword. Many security vulnerabilities have been found within both the ActiveX management system and the active scripting system, and the access these systems are granted by default makes it extremely easy for a malicious Web site to infect a computer. Internet Explorer Security Zones, a topic covered later in the course, are supposed to prevent these types of security issues, but unfortunately, even this system has been proven insecure.
Browser Helpers
Once spyware has exploited a security vulnerability, the payload is installed on the victim's computer and usually hijacks Web browser functions. The most common hijack technique is to use a BHO (Browser Helper Object). A BHO is a DLL (Dynamic Link Library, a special type of executable file) that has complete control over Internet Explorer, allowing it to monitor and change anything it wants.
When Internet Explorer starts, it looks through the Registry for all installed BHOs and loads each one in turn. Although this may seem useful for little other than spyware, it's actually an extremely useful plug-in system. Download managers and other utilities, such as FlashGet or GetRight, use BHOs to seamlessly integrate their functions with Internet Explorer and enhance its functionality. Although BHOs are commonly associated with toolbars and visible functionality changes, there's no requirement for this; it's perfectly possible for a BHO to be installed and never announce its presence. Perfect for spyware.
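Because a BHO can be present without ever announcing itself, the defender's check is to read the same Registry entries Internet Explorer walks at startup. The following PowerShell script is an added example, not part of the course text: it lists each registered BHO CLSID, resolves it to the DLL that would be loaded, and reports whether that file exists and carries a valid Authenticode signature. It assumes the standard locations for these registrations (the Browser Helper Objects key under HKLM, its Wow6432Node counterpart, and the CLSID\InprocServer32 keys under HKEY_CLASSES_ROOT) and is read-only.

```powershell
# Added example (not from the course text): enumerate the BHO registrations Internet
# Explorer loads at startup and resolve each CLSID to its DLL. Read-only, Windows only.
function Get-RegisteredBho {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem -Path $key | ForEach-Object {
            $clsid = $_.PSChildName

            # A BHO is a COM object; its DLL path is the default value of
            # HKCR\CLSID\{clsid}\InprocServer32 (64-bit view first, then 32-bit view).
            $server = $null
            $name   = $null
            foreach ($clsRoot in @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
                                   "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid")) {
                if (Test-Path "$clsRoot\InprocServer32") {
                    $server = (Get-ItemProperty -Path "$clsRoot\InprocServer32").'(default)'
                    $name   = (Get-ItemProperty -Path $clsRoot).'(default)'
                    break
                }
            }
            # Paths are often stored with %SystemRoot%-style variables; expand before testing.
            if ($server) { $server = [Environment]::ExpandEnvironmentVariables($server.Trim('"')) }
            $exists = [bool]($server -and (Test-Path -LiteralPath $server))

            # An unsigned or missing DLL registered as a BHO deserves a closer look.
            $signature = 'n/a'
            if ($exists) {
                $signature = (Get-AuthenticodeSignature -FilePath $server).Status
            }

            [PSCustomObject]@{
                CLSID     = $clsid
                Name      = $name
                DLL       = $server
                Exists    = $exists
                Signature = $signature
            }
        }
    }
}

Get-RegisteredBho | Sort-Object Signature | Format-Table -AutoSize
```

Entries with Exists set to False point at a stale registration, while a Signature other than Valid on a DLL you do not recognise is the first thing to investigate.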
