HOW THE RESEARCHERS DO IT!
Spyware is a nasty trend that needs to be stopped immediately, but it does have an upside. One of the most interesting and challenging areas of research is trapping, analyzing, and defeating new spyware. We all rely on the dedication of the people who do this work for free, making it possible for everyone else to remove and avoid spyware.
Becoming an expert in reverse engineering is a long and difficult path, requiring the mastery of many different skills. The best reverse engineers can usually program in two or three different programming languages, including assembly, as well as know the hardware and operating system inside out. Although the individual skills can be difficult to master, the process is simple to follow.
Most researchers start with a dedicated computer that has a basic installation of Windows, as well as a few common antispyware tools. The machine is kept off any network that matters and is imaged beforehand, so it can be restored to a known-clean state after each infection. They then take a snapshot of the operating system (its files and registry) using a setup-building tool that supports snapshots (for example, Masai Editor), and then deliberately infect the computer with the spyware target. The setup tool is run again and produces a difference file that lists every file and registry change made since the previous snapshot. This immediately shows the researchers what the spyware has changed: which files it dropped, which registry keys it added (for example, autostart entries), and which existing files it altered.
The difference file probably contains a number of spyware executables that have been downloaded to the computer during infection. The researchers isolate these files and begin an analysis.
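The snapshot-and-diff step above, as an added example that is not code from the lesson or from any of the tools it mentions. This Python script hashes every file under a directory before and after a simulated infection, reports what was added, removed or modified, and then picks out the executable-type files to isolate. The fake Windows tree, the dropped DLL name hlpr32.dll and the hosts entry are constructed for the demonstration. It covers the file system only; on a real Windows box the same walk would be repeated over the registry.

```python
"""Snapshot a directory tree, 'infect' it, snapshot again and list what changed.
Added example, not code from the lesson or from any installer-building tool it names.
It covers the file system only; a Windows version would walk registry keys the same way."""
from __future__ import annotations
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict[str, tuple[int, str]]:
    """Map each file under root (forward-slash relative path) to (size, sha256).
    Hashing, rather than trusting timestamps, catches a file rewritten with its
    mtime restored, a trick installers use to hide replaced components."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                h = hashlib.sha256()
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 16), b""):
                        h.update(chunk)
                snap[rel] = (os.path.getsize(path), h.hexdigest())
            except OSError:
                snap[rel] = (-1, "<unreadable>")   # locked files still appear in the diff
    return snap


def diff_snapshots(before, after) -> dict[str, list[str]]:
    """Classify every path seen in either snapshot as added, removed or modified."""
    out = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            out["added"].append(rel)
        elif rel not in after:
            out["removed"].append(rel)
        elif before[rel] != after[rel]:
            out["modified"].append(rel)
    return out


PE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".ocx", ".drv")


def executables_to_isolate(diff) -> list[str]:
    """New or changed PE-type files: the ones a researcher pulls out for analysis first."""
    return [p for p in diff["added"] + diff["modified"] if p.lower().endswith(PE_SUFFIXES)]


def demo() -> dict[str, list[str]]:
    """Build a tiny fake Windows tree in a temp dir, snapshot, 'infect', snapshot, diff.
    The dropped DLL name and the hosts entry are constructed, not from a real sample."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Windows", "System32")
        etc = os.path.join(sys32, "drivers", "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(sys32, "user32.dll"), "wb") as f:
            f.write(b"MZ" + b"\0" * 62)
        before = snapshot(root)
        # Simulated infection: drop a new DLL and redirect an antispyware site in hosts.
        with open(os.path.join(sys32, "hlpr32.dll"), "wb") as f:
            f.write(b"MZ" + b"\0" * 62)
        with open(os.path.join(etc, "hosts"), "a") as f:
            f.write("127.0.0.1 www.example-antispyware.test\n")
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        print(kind, paths)
    print("isolate:", executables_to_isolate(result))
```

Run it as a script to see the three change lists and the files to isolate. On a real investigation you would call snapshot() on the system drive before and after the infection rather than on a temporary tree, and compare the registry the same way.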
Every Windows executable must follow a strict file structure known as the PE (Portable Executable) format. Its headers tell Windows the size of the file and how it is laid out in memory, which resources it contains (for example, icons, bitmaps, or cursors), and, most importantly from a researcher's point of view, where the import table is. The import table lists the operating system functions the executable calls and the DLLs they come from; for example, a program that puts a message box on screen imports MessageBoxA from user32.dll. By reading the import table, a researcher can quickly determine whether the spyware target communicates over the Internet (functions from wininet.dll or ws2_32.dll), writes files to the hard disk, modifies the registry, or hooks into other programs to monitor Web pages as they load. One caveat: a packed or obfuscated executable usually shows an almost empty import table, little more than LoadLibrary and GetProcAddress, because it resolves the real functions at run time. A near-empty import table on a program that clearly does a great deal is itself a strong hint that it has been packed and must be unpacked before static analysis is useful.
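An import-table walker for the structure just described, as an added example that is not code from the lesson or from any PE tool it names. It parses the PE headers with only the standard library, follows the import directory to each DLL's thunk table (falling back to the IAT when a linker or packer has zeroed the original first-thunk table), and maps the imported names to coarse capabilities. Because no real sample ships with the page, build_sample_pe() constructs a minimal PE32 in memory; the DLLs, API names and the capability table are illustrative choices, not taken from any real spyware.

```python
"""Walk a PE file's import table and summarize what the binary can do.
Added example, not code from the lesson or the tools it names; standard library only.
build_sample_pe() constructs a minimal PE32 so the script runs without a real sample."""
import struct

# API names that hint at a capability: a coarse starting map, extend it per investigation.
CAPABILITIES = {
    "network": {"InternetOpenA", "InternetOpenUrlA", "HttpSendRequestA", "WSAStartup", "send"},
    "file-write": {"CreateFileA", "WriteFile", "CopyFileA", "MoveFileA"},
    "persistence": {"RegSetValueExA", "RegCreateKeyExA", "CreateServiceA"},
    "hooking": {"SetWindowsHookExA", "SetWindowsHookExW", "WriteProcessMemory"},
}


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll: [function, ...]} from a PE32 or PE32+ import directory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                  # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs, thunk = {0x10B: (opt + 96, "<I"), 0x20B: (opt + 112, "<Q")}[magic]
    if struct.unpack_from("<I", data, dirs - 4)[0] < 2:            # NumberOfRvaAndSizes
        return {}
    import_rva = struct.unpack_from("<I", data, dirs + 8)[0]       # data directory entry 1
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)[1:]
                for i in range(nsec)]                              # (vsize, va, rawsize, rawptr)

    def off(rva):                                                  # RVA -> file offset
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA %#x lies outside every section" % rva)

    width, ordinal_flag = struct.calcsize(thunk), 1 << (struct.calcsize(thunk) * 8 - 1)
    imports, desc = {}, off(import_rva) if import_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:                                          # terminating null descriptor
            break
        funcs, t = [], off(oft or ft)     # packers often zero the INT: fall back to the IAT
        while True:
            entry = struct.unpack_from(thunk, data, t)[0]
            if entry == 0:
                break
            funcs.append("ordinal#%d" % (entry & 0xFFFF) if entry & ordinal_flag
                         else _cstr(data, off(entry + 2)))         # skip the 2-byte hint
            t += width
        imports[_cstr(data, off(name_rva))] = funcs
        desc += 20
    return imports


def capabilities(imports):
    """Coarse 'what can it do?' answer from imported names alone."""
    used = {f for funcs in imports.values() for f in funcs}
    return {cap for cap, apis in CAPABILITIES.items() if used & apis}


def build_sample_pe(imports):
    """Construct a minimal PE32 with one .rdata section holding the given import tables."""
    SEC_RVA, SEC_OFF = 0x1000, 0x200
    body, descs = bytearray(20 * (len(imports) + 1)), []           # descriptor table first
    for dll, funcs in imports.items():
        name_rva = SEC_RVA + len(body)
        body += dll.encode() + b"\0"
        names = []
        for f in funcs:
            names.append(SEC_RVA + len(body))
            body += b"\0\0" + f.encode() + b"\0"                  # hint word + name
        thunks = struct.pack("<%dI" % (len(names) + 1), *names, 0)
        int_rva, iat_rva = SEC_RVA + len(body), SEC_RVA + len(body) + len(thunks)
        body += thunks + thunks                                    # INT, then IAT
        descs.append((int_rva, 0, 0, name_rva, iat_rva))
    for i, d in enumerate(descs):
        struct.pack_into("<5I", body, 20 * i, *d)
    body += b"\0" * (-len(body) % 0x200)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, SEC_RVA, 20 * (len(imports) + 1))   # import directory
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + opt
    hdr += struct.pack("<8sIIIIIIHHI", b".rdata", len(body), SEC_RVA, len(body), SEC_OFF,
                       0, 0, 0, 0, 0x40000040)
    return bytes(hdr + b"\0" * (SEC_OFF - len(hdr)) + body)


# Constructed sample: illustrative DLLs and APIs, not taken from any real spyware.
SAMPLE_IMPORTS = {
    "USER32.dll": ["MessageBoxA", "SetWindowsHookExA"],
    "WININET.dll": ["InternetOpenA", "InternetOpenUrlA"],
    "KERNEL32.dll": ["CreateFileA", "WriteFile"],
    "ADVAPI32.dll": ["RegSetValueExA"],
}
```

To use it on a real file, pass the bytes of the executable to parse_imports() and hand the result to capabilities(); the capability table is deliberately small and is the part you would grow as you learn which APIs a family of spyware relies on. A packed sample will come back with little more than KERNEL32.dll mapped to LoadLibraryA and GetProcAddress, which is the near-empty import table the text warns about.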
Next, researchers extract strings from the executable to search for interesting text: URLs, host names, IP addresses, registry key paths, file names, and messages. If the spyware target rewrites the hosts file (the file that maps host names to IP addresses, which spyware edits to block or redirect sites such as antispyware vendors), the entries it writes are usually clearly visible inside the executable file. An excellent string extraction tool is AnalogX TextScan, shown in Figure 2-7. Two caveats: Windows programs often store text as UTF-16 (Unicode), which an ASCII-only string search will miss, and a packed executable compresses or encrypts its strings, so nothing useful appears until it has been unpacked.
After all of the background information has been gathered, researchers begin work on reverse engineering and disassembling the spyware target. Using tools such as Neuron PE Disassembler or Proview Disassembler, the executable is converted into an assembly language listing, known as the dead listing because it is static code that is read rather than run. Working with that listing alongside a live debugger such as OllyDbg, which runs the spyware (on the sacrificial machine, never on a production one) and lets the researcher pause it, step through instructions, and watch memory and registers change, a researcher can follow the logic of the spyware target and understand exactly how it works.
Antivirus companies such as Symantec and Network Associates use these same techniques to reverse engineer viruses and produce antivirus software. As you can probably imagine, these skills take years of study and dedication to master!
Moving On
This lesson dug deep into the world of spyware, showing you how to detect, remove, and defeat spyware using your skills combined with automated tools. You learned that the most important part of spyware removal is research, and that jumping straight in can often cause further problems. You learned about Spybot and HijackThis antispyware tools in depth, along with some best practices to avoid infection in the first place.
Before you move on, do the assignment and take the quiz for this lesson! Your fellow students and instructor are always available on the Message Board to discuss technical spyware issues, so stop by.
In Lesson 3, you'll dive into the world of spam and malicious e-mail to see how spam and spyware are closely related, and how much of spyware theory is applicable to spam, too. You'll learn exactly how spammers target and track the e-mail sent to their victims, even to the point of knowing when e-mail is deleted or forwarded on to another person.
