1. AN INTRODUCTION TO SPYWARE

If you believe the stories, the Internet is not a safe place. At every click, you run the risk of your computer being silently coerced into giving up passwords, credit card details, and private documents. You hardly dare visit a new Web site for fear of being targeted by this malicious software. Fortunately, the reality is somewhat different, and in this course, you'll learn the truth behind spyware.

This course covers concepts and topics in depth that are capable of causing damage to your computer. Be sure to read the course and follow instructions with care, especially where malicious software is being discussed!

First of all, it's important to understand that the term spyware is often used as a generic catchall category that lumps together a number of distinctly different software traits. A perfectly normal application can easily be classified as spyware because of a single function it performs, when in reality, the function in question is legitimate. Take the File menu in Microsoft Word: when you click it, a list of the documents the application opened most recently appears at the bottom of the menu.

This type of functionality is called a usage tracker and is harmless; in fact, it enhances your experience and productivity. However, if a hidden application running on your computer without your knowledge silently tracks every document you open, and then stores this information for later use, it's considered malicious.

You'll find out about spam, the other part of this course title, in the second half of this course.

Web site cookies are an interesting extension of usage tracking; not only do they allow Web sites to provide personalized interfaces such as user accounts, but they also allow in-depth tracking of Web browsing behavior. Adware works on a similar principle and is also generally harmless, although often irritating. You've probably seen some shareware or freeware applications that, instead of having limited functionality to encourage you to register, display context sensitive advertisements in a window. It's common for shareware applications to use adware techniques to earn their creators some money through advert syndication, especially P2P (Peer to Peer) clients such as Kazaa or eDonkey, shown in Figure 1-1.

Figure 1-1: The eDonkey P2P client displays tracking advertisements in the toolbar.

Adware

There are a number of privacy concerns with adware, mainly because the advertisements displayed within the application are retrieved from a remote server on the Internet. As each advertisement is requested, the remote server logs your computer's IP (Internet Protocol) address and the time of the request, as well as other details. If you use the application over a period of time, the owners of the remote server can easily do the following:

  • Build a picture of your usage of the application.
  • Note the times you're most likely to be at the computer.
  • Note the length of time you use the application.
  • Note what you like doing when you use the application.

P2P Clients

P2P clients are also often the source of less innocent, true spyware. In this case, the term spyware is used to refer to a specific type of malicious application rather than as a generic term. A common technique with many of these clients is to silently include a spyware application within the installation process. The Kazaa P2P client is notorious for doing this and includes (among other things) an application called Gator.

Gator is also a Trojan application that masquerades as a legitimate and useful program when, in reality, it's anything but. It integrates itself into the operating system and monitors which Web sites are viewed and which applications are accessed. This information is used to display pop-up advertisements directly on your desktop, containing supposed special offers for products that might interest you. One of the most concerning "features" of Gator is its ability to store commonly used information for Web page forms. This is great if you want to save yourself from repeatedly entering your name and e-mail address, but not so good when Gator remembers your credit card number and gives it to Web sites without your consent.

Malware

Finally, and most seriously, there's an application category known as malware. This is software specifically designed to invade your computer, hijack normal operating system and application functions, and actively prevent you from removing it. The only difference between malware and a generic virus is that malware generally makes itself known through its visibly destructive actions. Some well-known examples of malware include the C2.Lop program, and the infamous CWS (CoolWebSearch). Some variants of CWS actually invade the Microsoft Windows networking subsystem, integrating themselves with the operating system, which makes them difficult to remove.

This course concentrates on spyware and malware, the two types of malicious software that are most important to you. CWS is covered in more detail in Lesson 2.

2. THE PROBLEM WITH SPYWARE

At first glance, the spyware issues may seem quite obvious and easy to avoid. Unfortunately, the hallmark of really good spyware is that you don't know you're about to become a victim until it's too late. As mentioned, although spyware is commonly associated with malicious Web sites, it quite regularly gets bundled with legitimate software by less than scrupulous developers. And just to really push the point home, many software developers include a clause in their EULA (End-User License Agreement) that prevents you from removing the spyware if you want to continue to use the application. The eDonkey P2P client is just one example of this.

Although spyware tied to applications is relatively easy to avoid or disable, Web-based spyware is a whole different game, as discussed in the following sections.

Browser Hijacking

Web-based spyware usually targets security vulnerabilities within Web browsers to install itself and modify the browser's functionality. This is commonly referred to as browser hijacking. The most basic form of hijacking is home page hijacking. As the name implies, a Web site author can use JavaScript functions to set a browser's home page to any Web site he selects. Although this may seem pointless and nothing more than a minor inconvenience, if the new home page is full of syndicated advertising banners, the author can quickly generate a lot of money from hijacking Web browsers. If you're unlucky, the new home page is a malware download site that infects your computer.

This is probably the most marked difference between spyware and viruses: Whereas virus writers have to remain anonymous on threat of prosecution, spyware authors actively publicize and financially benefit from their malicious actions. The money they earn allows them to hire expert programmers to create more sophisticated spyware, perpetuating the cycle. There are a number of companies that actually provide spyware development services, and will create custom spyware applications to your specifications. It's a very thin legal line, but companies continue to try and follow it.

Spyware Categories

Economics drives the entire spyware industry, so it's no wonder that its creators want to make spyware as hard to remove and avoid as possible. The vast majority of Web-based spyware falls into one of three categories:

  • Toolbar hijacks: The most common type. They place a custom toolbar within your Web browser that displays advertisements and tracks your Web browsing.
  • Functionality hijacks: Prevent your Web browser and operating system from functioning normally. In some cases, they pop up application windows and advertisements on your desktop at random.
  • Dialer applications: Force your computer to dial premium rate and international phone numbers at random times.

It's often a fine line between spyware and legitimate software, because many spyware applications include useful functions. A good example of this is Alexa, which monitors the Web pages as you browse and displays links and advertisements related to the page content. Some users may find this a handy way to find related products and information, whereas others may consider it annoying and an invasion of privacy. Alexa is owned by Amazon.com, which does give it some legitimacy.

3. AN INTRODUCTION TO SPYWARE MECHANISMS

All Web-based spyware is dependent on being able to use features and security vulnerabilities within a Web browser to infect a computer. Part of the reason that spyware is difficult to defend against is that the features used to infect a computer are often the same as those used by legitimate software to enhance functionality. The first step in defense is to understand how spyware and malware work.

The life of spyware can be split into the following three stages:

  • Exploitation: Occurs when a malicious Web site exploits a feature or security vulnerability in your browser and gains enough access to your computer to start causing problems. It's an unfortunate fact that Web browsers, especially Microsoft Internet Explorer, have plenty of security flaws in them.
  • Infection: When the payload (the part of the spyware that actually does the damage) is downloaded to your computer via the security hole created in stage one.
  • Operation: Takes place as the spyware completes its tasks, such as displaying toolbars, sending Web browsing information to its creators, or dialing premium-rate phone numbers.

Misuse of Features

All Web-based spyware is dependent on being able to exploit features and security vulnerabilities within a Web browser to infect a computer; without the features and flaws, infection isn't possible. One of the most common methods of attack is through ActiveX controls. These are small programs downloaded to your computer to provide special functionality not available through basic HTML (Hypertext Markup Language), such as a Web-based interactive pie chart creator. However, because these are executable programs whose purpose is to extend the functionality of the Web browser, the controls (and therefore their developers) have extensive access to the internals of both Windows and the Web browser.

Similarly, the active scripting functionality within Internet Explorer is a double-edged sword. Many security vulnerabilities have been found within both the ActiveX management system and the active scripting system, and the access these systems are granted by default makes it extremely easy for a malicious Web site to infect a computer. Internet Explorer Security Zones, a topic covered later in the course, are supposed to prevent these types of security issues, but unfortunately, even this system has been proven insecure.

Browser Helpers

Once spyware has exploited a security vulnerability, the payload is installed on the victim's computer and usually hijacks Web browser functions. The most common hijack technique is to use a BHO (Browser Helper Object). A BHO is a DLL (Dynamic Link Library, a special type of executable file) that has complete control over Internet Explorer, allowing it to monitor and change anything it wants.

When Internet Explorer starts, it looks through the Registry for all installed BHOs, and loads each one in turn. Although this may seem useful for little other than spyware, it's actually an extremely useful plug-in system. Download managers and other utilities, such as FlashGet or GetRight, use BHOs to seamlessly integrate their functions with Internet Explorer to enhance its functionality. Although BHOs are commonly associated with toolbars and visible functionality changes, there's no requirement for this -- it's perfectly possible for a BHO to be installed and never announce its presence. Perfect for spyware.
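Because Internet Explorer finds its BHOs by walking the Registry, you can walk the same keys yourself to see exactly which DLLs it will load. The following PowerShell audit is an added example written for this lesson, not code from the course; it assumes the standard Browser Helper Objects key (and its Wow6432Node twin on 64-bit Windows) and resolves each CLSID to the DLL path recorded under HKEY_CLASSES_ROOT. It only reads the Registry and checks file signatures; it changes nothing.

```powershell
# Added example (not from the course): enumerate every registered BHO and
# resolve its CLSID to the DLL that Internet Explorer would load.
# Read-only; run from an elevated PowerShell prompt for full visibility.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoDll {
    # The DLL path lives in the (default) value of CLSID\{...}\InprocServer32.
    # On 64-bit Windows a 32-bit control is registered under Wow6432Node instead.
    param([string]$Clsid)
    $candidates = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32",
        "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid\InprocServer32"
    )
    foreach ($path in $candidates) {
        if (Test-Path $path) {
            return (Get-ItemProperty -Path $path).'(default)'
        }
    }
    return $null
}

$report = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem -Path $key | ForEach-Object {
        $clsid = $_.PSChildName
        $dll   = Resolve-BhoDll -Clsid $clsid
        # A BHO whose DLL is unsigned, missing, or outside Program Files /
        # the Windows directory deserves a closer look before you trust it.
        if ($dll -and (Test-Path $dll)) {
            $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            $sig = 'FileMissing'
        }
        [pscustomobject]@{
            CLSID     = $clsid
            DLL       = $dll
            Signature = $sig
        }
    }
}

$report | Format-Table -AutoSize
```

A legitimate plug-in such as a download manager shows up here too; the point is that nothing loads into Internet Explorer this way without leaving one of these keys behind.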

4. SELECTING A WINDOWS VISTA EDITION

Windows Vista is available in many different editions, each one uniquely equipped and priced. Most of these editions are also available in either 32-bit or 64-bit versions, depending on the type of CPU you have. (Most PCs use the 32-bit version; however, if you have a new computer with a 64-bit processor, select a 64-bit version.)

The available editions are:

  • Windows Vista Starter: The most basic edition, available only in emerging markets (mostly Asia and South America) and only in the 32-bit version. It allows only three applications or windows to be open at the same time and connects to the Internet but not a network.
  • Windows Vista Home Basic: The simplest and least expensive edition of Windows available to the U.S. home market, aimed at the general consumer who doesn't have complex graphics or game-playing needs. It doesn't support the Aero interface. It includes Windows Firewall and Security Center, wireless networking, parental controls, home networking support, and all the basics that a home user would need.

In Europe, Windows Vista Home Basic N is offered, which is identical to Home Basic except it lacks Windows Media Player and related functionality. The same goes for the Business edition; in Europe it is Vista Business N, and it also lacks the Media Player.

  • Windows Vista Home Premium: This edition supports everything the Home Basic edition does and adds Windows Media Center capabilities, such as DVD authoring and advanced photo management. It also includes some additional networking features, such as offline folders, PC to PC sync, and Tablet PC features.
  • Windows Vista Business: This edition lacks some of the multimedia capabilities from Home Premium but adds business features such as the ability to connect to a domain-based network, remote desktop, encrypted file system, and support for non-Microsoft networking protocols such as NetWare.
  • Windows Vista Enterprise: This is the same as Vista Business except it adds support tools useful in large networks such as Virtual PC, a multi-language user interface, and BitLocker disk encryption. It's available only via volume licensing to companies.
  • Windows Vista Ultimate: This edition contains every available feature in all other editions, plus Windows Ultimate Extras (add-on features that have not yet been announced as of this writing).

For a side-by-side comparison of all Windows Vista editions, visit the Windows Vista Choose an Edition Web page.

Upgrade Versus Full Version

Most editions are available either in a full install version (for PCs with no previous version of Windows) or an upgrade edition. An upgrade edition requires that you already own Windows 2000 or Windows XP (and still have it installed on your PC or have the installation CD for it).

Buying an upgrade edition doesn't preclude doing a clean installation of Windows (as described in the next section). You can use the upgrade edition for a clean installation; however, you'll be prompted at some point in the setup process to insert a CD containing a valid previous version, for verification purposes.

Next, learn about the differences between new installation of Windows Vista and in-place upgrades.

5. LINKING WEB BROWSING AND WINDOWS

Other types of hijacking exploit the tight links between Internet Explorer and Windows. It's common for spyware to use Windows policies to force the computer to act a certain way; for example, to change the Internet Explorer home page, and then set a policy to prevent you from changing back. This type of hijacking can be very difficult to reverse because it uses the Windows security system. In other words, to remove it, you actually fight Microsoft's security mechanisms!

Spyware can also use the many mechanisms Windows provides for starting an application automatically at boot, ensuring that the spyware is always running. Once running on a victim computer, many types of spyware actively seek out antispyware tools and attempt to disable them. They also manipulate the Windows networking system to prevent the unfortunate user from even downloading antispyware tools. Many of these programs are deliberately named to sound like legitimate operating system files, for example svchost32.exe; the legitimate Windows program is named svchost.exe and deleting the wrong one can cause serious damage.
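The home-page lock and the autostart trick described in the last two paragraphs both leave traces in well-known Registry locations. This PowerShell check is an added example for this lesson, not part of the course; it assumes the standard Internet Explorer Main key, the Control Panel policy key whose HomePage value locks the home page, and the two Run keys, and it flags any autostart entry whose file name imitates svchost.exe (the real svchost.exe is launched by the Service Control Manager, never from a Run key).

```powershell
# Added example (not from the course): audit the IE home page, the policy that
# locks it, and the Run autostart keys for svchost look-alikes. Read-only.

$findings = @()

# 1. Current home page.
$main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $main -ErrorAction SilentlyContinue).'Start Page'
$findings += [pscustomobject]@{ Check = 'IE Start Page'; Value = $startPage }

# 2. HomePage=1 under this policy key greys out the home page setting in IE,
#    which is exactly how a hijacker stops you from changing it back.
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Policies\Microsoft\Internet Explorer\Control Panel"
    $locked = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).HomePage
    if ($locked -eq 1) {
        $findings += [pscustomobject]@{ Check = "$hive home page policy"; Value = 'LOCKED (HomePage=1)' }
    }
}

# 3. Autostart entries in the Run keys. svchost.exe is started by services.exe,
#    so any Run entry named svchost*.exe is an imitation worth investigating.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object.
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        $value = $cmd
        if ($cmd -match 'svchost\w*\.exe') {
            $value = "$cmd  <-- svchost look-alike, started from a Run key"
        }
        $findings += [pscustomobject]@{ Check = "Run: $($p.Name)"; Value = $value }
    }
}

$findings | Format-Table -AutoSize
```

Compare each Run entry's path against what is actually installed; a look-alike name is a reason to investigate the file, not to delete it blindly, for exactly the svchost.exe reason given above.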

Trojan Web Pages

One problem that's becoming more widespread is the use of Trojan Web page techniques to keep a computer infected. Newer versions of Windows, such as Microsoft Windows XP and Microsoft Windows Server 2003, use custom Web page interfaces to provide access to operating system functions. If spyware infects these pages, no matter how many times you delete the spyware-related executable files and Registry entries that appear, every time you access the infected management page, the spyware reinfects your computer. This is a technique used by the CWS malware.

Although this may seem like a desperate situation, things aren't as bad as they sound. Spyware is annoying, a security risk, and in some cases very difficult to get rid of, but all is not lost. It's your computer and you have overall control over it. You can remove most spyware and malware either manually or with an automated tool. Best of all, most spyware is very well known and removal techniques have been studied in depth by antispyware researchers. If you do have spyware, it's not the end of the world.

Moving On

In this lesson, you learned the important underlying theory behind spyware, its concepts, and terminology. Not all spyware is equal; the techniques range from simple toolbars to deeply integrated phone dialer systems.

Before diving into the technical aspect of spyware, it's important to make sure you understand the topics covered in this lesson, so be sure to do the assignment and take the quiz. Don't forget to visit the Message Board to discuss spyware issues with your fellow students and instructor.

In Lesson 2, you'll learn how to locate and remove spyware, no matter how hidden and secretive it may be. You'll also learn how to proactively protect against spyware and understand how antispyware researchers reverse engineer and remove new spyware.