1. SPYWARE DOCTOR
In Lesson 1, you learned the mechanisms spyware and malware use to infect computers and carry out their tasks. Once spyware has installed itself, resolving the problem takes three distinct investigative steps:
- Location: Computers sometimes misbehave for reasons that have nothing to do with spyware. A new driver, a new application, or a virus can all cause a machine to act up. Those are problems that need resolving too, but spyware diagnosis techniques won't help with them. The first step in defeating spyware is therefore to locate it and confirm that spyware really is the cause.
- Diagnosis: You've located a suspicious Registry entry or an unusual executable file, but how do you know what to do next? Just like viruses or normal applications, every piece of spyware is different. Before moving on to the next stage, it's essential to discover exactly which piece of spyware has infected your computer.
- Removal: After you know the type of spyware affecting your computer, you can begin the removal process. Whether you use an automated removal application or decide to remove it manually, the process is made far easier by knowing exactly which type of spyware you're working with.
Locate the problem, diagnose it, and then remove or treat it -- almost the same process a doctor would use to treat a disease! You learn more about how to do this throughout this lesson.
Has Your Computer Ever Been Infected?
That's a good question: How do you know if you're already a victim? In most cases, the results are obvious:
- Browser toolbars and Browser Helper Objects (BHOs) you didn't install appear.
- Your browser home page is changed.
- You can't access your Web browser configuration settings.
In these cases, you immediately realize there's a problem, and move to the diagnosis stage.
Some spyware is not so obvious. On the whole, your operating system and Web browser may appear to work correctly, but advertisements pop up at random as you browse and Web sites you used to reach are no longer accessible. Some spyware is downright sneaky and gives no indication at all that it's installed; your only clue may be that the computer runs a little slower than it used to and downloads don't complete quite as fast. Either way, it's time to locate the culprit.
2. LOCATING SPYWARE
The easiest way to locate hidden spyware is to look at the mechanisms spyware uses to hide and do its work. As covered in Lesson 1, a lot of spyware reports back to its creators over the Internet. A quick way to verify that this communication is happening is to view every active network connection on your computer using Active Ports. Active Ports lists every listening socket and every incoming and outgoing connection on each of your network interfaces, such as a dial-up or broadband Internet connection, together with the process that owns it.
Before continuing, exit all open applications and wait at least a minute so that the connections they opened have time to close. This makes the data you're about to see much easier to decipher.
The Active Ports window in Figure 2-1 is split into a number of columns, the most important of which are:
- Process: Lists the filenames of all programs that currently have active network connections.
- Path: Lists the exact location of each process.
- Remote IP: Lists the IP address of the server to which the process is connected.
- State: Shows whether the process has an open connection to the server (ESTABLISHED), is waiting to answer incoming connection requests (LISTENING), or is in one of the transitional states such as TIME_WAIT that follow a close.
Using the output from Active Ports, it's easy to see whether any rogue processes are making network connections. Even more useful is the ability to watch for new connections being made. As an example, open Microsoft Internet Explorer and wait until your home page loads (if your home page is a blank page, browse to a Web site you normally use). Quickly switch back to Active Ports, and you'll see a new entry in the window highlighted in green similar to Figure 2-1. The process name is iexplore.exe, and the IP address of the Web server that hosts your home page also appears in the list. After the page has loaded, a few seconds pass and the Active Ports entries that were highlighted in green turn red. This signifies that the connection is now closing.
Active Ports highlights new connections in bright green, and terminating connections in bright red.
If spyware on your computer is communicating with a remote server, you would normally spot it in this list. The best method is to close all applications, open a single Internet Explorer window, and watch the Active Ports output for a while. Spyware that phones home usually gives itself away here. Two caveats: a BHO runs inside the browser, so its traffic is listed under iexplore.exe rather than under its own name, and spyware that only reports at boot or at long intervals may not connect while you're watching, so repeat the check more than once.
If you use Norton AntiVirus, you may find that Active Ports (and other similar, legitimate tools) is flagged as spyware. This is a false positive and can be ignored, provided you downloaded the tool from its author's own site rather than from a random mirror. The tools themselves are not spyware and contain no malicious code.
Alternatives to Active Ports
You may find the following tools helpful alternatives to Active Ports (some students taking this class have reported that Active Ports doesn't work with Windows ME):
The Sysinternals site has some other very useful utilities on it, including Handle, which shows exactly which processes have which files open on your system. (Note: the Handle link is for Windows 2000 and XP only. There is a Windows 95/98-specific section on the left-hand side of the Sysinternals page.)
Microsoft Windows itself quite often appears to make network connections at random. The only way to separate these legitimate connections from spyware traffic is experience; you'll learn some useful tips later in this lesson.
3. LEAVING TRACKS
Another favorite spyware trick is to fill your hosts file with bogus entries for legitimate Web sites. When you type a URL (Uniform Resource Locator) such as http://www.cnet.com into your Web browser, the Windows network stack uses several methods to resolve the FQDN (Fully Qualified Domain Name, for example www.cnet.com) into an IP address.
Before it asks a DNS server, Windows consults the hosts file. This is a plain-text file, shown in Figure 2-2, stored deep within the Windows directory structure, that lists FQDNs and the IP addresses they should resolve to. Whatever the hosts file says takes precedence over DNS, which is exactly why spyware targets it.
If you use Windows NT or 2000, the hosts file is named "hosts" and can be found in c:\winnt\system32\drivers\etc. If you use Windows XP, it can be found in c:\windows\system32\drivers\etc. For Windows 98 and ME, it's in the c:\Windows directory.
If spyware adds the FQDN of a Web site to your hosts file along with an incorrect IP address, you cannot reach that site. That is a real problem when the site in question is www.download.com and you need it to fetch a spyware removal tool. Under normal circumstances a hosts file has a single 127.0.0.1 localhost entry, as in Figure 2-2; if yours lists a lot of Web sites, especially antispyware or antivirus vendors pointed at 127.0.0.1, something suspicious is going on.
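A hosts-file check in code, as an added example written for this edit (not part of the lesson): parse the file the way the resolver does (comments stripped, tabs or spaces, several names per line) and report every mapping other than the stock localhost entry, with a reason that distinguishes a site black-holed at 127.0.0.1 or 0.0.0.0 from a site pinned to some other address. The sample file, its addresses and the "helper" comment are constructed; hosts_file_path() just reproduces the locations the lesson gives above.

```python
import ipaddress
import os

LOOPBACK = {"127.0.0.1", "::1"}
UNROUTABLE = {"0.0.0.0", "::"}

# Constructed sample hosts file: Microsoft's stock comment block and localhost
# line, followed by the kind of entries a hijacker appends. The addresses and
# the "helper" comment are made up for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1\twww.download.com  download.com   # added by "helper"
0.0.0.0         www.safer-networking.org
64.94.110.11    www.google.com
"""


def parse_hosts(text):
    """Return [(line_number, ip, hostname)] for every mapping in a hosts file.
    Comments, blank lines and lines not starting with an address are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        fields = line.split()                        # tabs or spaces
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                 # malformed; not a mapping
        for name in fields[1:]:
            entries.append((lineno, str(ip), name.lower()))
    return entries


def suspicious_entries(entries):
    """Everything except the one mapping a clean file is expected to carry."""
    flagged = []
    for lineno, ip, name in entries:
        if name in ("localhost", "localhost.localdomain") and ip in LOOPBACK:
            continue
        if ip in LOOPBACK:
            reason = "pinned to loopback: site is unreachable"
        elif ip in UNROUTABLE:
            reason = "pinned to 0.0.0.0: site is unreachable"
        else:
            reason = "pinned to a fixed address: compare with DNS before trusting it"
        flagged.append((lineno, ip, name, reason))
    return flagged


def hosts_file_path():
    """The locations the lesson lists: NT/2000/XP keep the file under
    system32\\drivers\\etc, Windows 98/ME keep it in the Windows directory."""
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    etc = os.path.join(root, "system32", "drivers", "etc")
    return os.path.join(etc if os.path.isdir(etc) else root, "hosts")


if __name__ == "__main__":
    for lineno, ip, name, reason in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print("line %d: %-28s -> %-14s %s" % (lineno, name, ip, reason))
```

To check a real machine, read hosts_file_path() with errors="replace" (the file is ANSI text) and pass the contents to parse_hosts(). A mapping to a "fixed address" is not automatically hostile; the point is that it bypasses DNS, so resolve the name yourself and compare.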
Locating Bad Processes
If spyware is running, it will invariably show up as a process on your computer. Fortunately, the filenames and Registry keys used by all but the newest spyware are well known -- thanks to the efforts of antispyware researchers. A quick way to determine whether any spyware processes are running is to view the current task list through Windows Task Manager, as in Figure 2-3.
As mentioned previously, the only sure-fire way to know whether a rogue process is on your system is to gain experience in which processes are harmless and common. If you do spot a suspicious process, make a note of its name and use the End Task button to kill it. Next, use the Windows Search function to locate the file on your hard drive and note its full path. Don't delete it immediately though -- it may be an innocent system file. Don't be surprised if the process reappears, either; some spyware installs a second process whose only job is to restart the first when it's killed, and you won't win that fight until you've identified the whole set.
Windows ME is a hybrid operating system that Microsoft acknowledged has many flaws. One annoyance is that it lacks a proper task manager. There are lots of third-party, free task manager utilities available on Download.com; it's just a matter of finding one you prefer! Security Task Manager has already been reviewed by CNET.
4. DIAGNOSIS WITH SPYBOT SEARCH & DESTROY
The next step in the process is to make a final diagnosis. Although it's an interesting exercise to read up about specific types of spyware and try to manually diagnose the problem, this can get very time consuming. Fortunately, there are plenty of great antispyware utilities available, most of them free. Antispyware tools are a growth industry and new, commercial applications are appearing all the time, just like antivirus software. This lesson covers the best of breed: Spybot Search & Destroy and HijackThis.
Spybot is an all-purpose antispyware tool, and has been voted both CNET Best Anti-Spyware utility and one of the CNET Top 10 programs on Download.com. It can fix both Web browser-based spyware and application-based spyware, as well as remove usage tracks from applications and immunize your computer against future infection. To install, just download the setup application and follow the wizard steps. Make sure you select Yes when Spybot asks whether it should perform an online update -- this ensures the data files used to detect spyware are up to date.
When Spybot loads, the front screen has three main options available:
- Check for Problems
- Recovery
- Search for Updates
Click Check for Problems to get Spybot started on scanning your computer; you may be unpleasantly surprised at what it finds! When the scanning process is complete, Spybot displays a list of all the spyware it found. Figure 2-4 shows some scan results.
If you do even a small amount of Web browsing or have a few common applications installed, your scan results will probably look quite similar to Figure 2-4. The central window contains a list of all the spyware categories found. Click one and the right (yellow) window displays any known information about the item.
You may notice a "DSO Exploit" entry in your scan results. This is a known bug in the current version of Spybot, and can be safely ignored. The Spybot team have promised to fix it in the next release!
As in Figure 2-4, Spybot highlights some items in green and some in red. The green items are usage trackers, so look at those first. Pick any green item in your list, and click the + symbol to its left to expand it. A list of all the usage tracks relating to this item appears underneath, showing the exact Registry keys that do the tracking. You may be surprised at exactly what some applications keep usage tracks of! If you share your computer and want to keep your privacy, deleting these values is a good idea; otherwise leave the green items unchecked, because they aren't spyware in their own right.
Next, locate a red item and expand it. If your computer is truly spyware-free, all of your red items will be tracking cookies. Tracking cookies are interesting examples of the issues with adware systems. You've probably never visited the Web sites that show up as storing tracking cookies on your computer. However, you've probably visited other Web sites that use advertisement syndication from these listed Web sites; therefore, your browsing history is being tracked.
Tracking through Advertisements
What's very concerning is when different Web sites use the same advertisement syndication system, enabling the advertisement syndicate owner to track your browsing to completely unrelated and different Web sites. As a simple example, imagine that you browse to a pet shop Web site, followed by a dog owner information Web site, and finally to a dog food vendor's Web site. If all those Web sites use the same advertisement syndication system, someone can very quickly figure out that you own a dog! Apply the same process to visiting a credit card company, a loan company, and a debt management organization and the consequence of tracking through advertisements becomes more concerning.
If the worst has happened and you're infected with spyware or malware, Spybot shows these items too. Make a note of any items listed that aren't tracking cookies and keep it safe. Before you move on to the next stage, you need to perform some Web browser specific checks using HijackThis, as discussed in the following section.
5. DIAGNOSIS WITH HIJACKTHIS
HijackThis is an interesting antispyware tool in that instead of attempting to detect rogue applications as Spybot does, it targets the methods used by spyware to infect a computer. This means that it will find and list absolutely every program using these methods, regardless of legitimacy. As you learned in Lesson 1, spyware often uses the same features and flaws that legitimate applications use to provide their functionality. This makes HijackThis an extremely powerful tool, but one that can easily cause irreparable damage.
To reiterate an absolutely critical point, HijackThis locates and allows you to delete absolutely anything it believes is using a feature that spyware may use. Items listed by HijackThis are very often not spyware! Do not, under any circumstances, use it to fix or remove any items you're not absolutely sure about.
HijackThis is distributed as a single executable inside a Zip file. To run the tool, just extract HijackThis.exe from the Zip and run it as normal. Although the user interface isn't as intuitive as some applications, it's fairly easy to get to grips with. Click Scan to generate a report similar to the one in Figure 2-5.
It's not as user friendly as Spybot, but the information is invaluable. Your HijackThis window should look similar to Figure 2-5, although you may not have as many items listed. Each item is preceded by a letter-and-number code, and each code has a different meaning; if you click Info, a window opens that explains them.
Interpreting the scan results is a complex task, which is why you're warned to "save a log file and show it to knowledgeable folks." Fortunately you're going to learn how! Here are some of the common item codes, and what they mean:
- R0: Default browser Web pages. If Internet Explorer is loading the wrong page for the home page or search page, these are the items to check. If a proxy server has been configured, it will be listed here too.
- O1: Hosts file redirections. If a Web site you know exists loads a bad page or won't load at all even though you typed its address correctly, this item tells you whether your hosts file has been hijacked.
- O2: A list of all the BHOs installed on your system. Check every O2 item carefully each time you run HijackThis to make sure you know exactly which applications have registered BHOs. In Figure 2-5, you can see Adobe Acrobat, Spybot, and Compuware DevPartner listed, which are all legitimate applications.
- O3: A list of all the Internet Explorer registered toolbars. If you have a toolbar you didn't install, it shows up in this list.
- O4: A list of all the executables that start when Windows boots and when you log in. Many legitimate applications use cryptic filenames, so be sure to search the Web to check what each executable is before deleting anything.
- O5, O6, and O7: These codes relate to the use of Windows policies to force certain behaviors: O5 covers the Internet Options applet being hidden from Control Panel, O6 covers Internet Options being restricted by policy, and O7 covers the Registry Editor being disabled by policy. If you find that you can't access certain configuration options, these are the codes to check.
- O13: DefaultPrefix hijack. Internet Explorer silently adds a prefix such as http:// to any address typed without one. If a site loads correctly when you type http:// but a bad page loads when you omit it, the prefix has been changed, and this is the code to look for.
- O18: These items are all the protocols and filters installed on your computer. Some spyware integrates itself using a filter so that it can capture and analyze every Web page you visit. If any items appear under O18, be sure to investigate them.
HijackThis has a fairly comprehensive explanation system for all of its codes. To access it, click Info. Locate the code you want to learn more about and highlight the entire line of text. Click Info on selected item, and a message box appears with some further details. The information message box for BHOs is shown in Figure 2-6.
Now that you've completed your investigation and have a list of suspicious items, it's time to move on to the research and removal stages.
6. RESEARCH AND REMOVAL
Although Spybot may have given you a list of the spyware it found, don't jump straight in and remove it. Some spyware masquerades as a different type, and a wrong identification leads to a wrong removal. The mantra for this stage is search, search, search again, and search a little bit more to be sure.
An hour spent searching at this point can save hours of frustration and problems later. There are too many types of spyware and malware that will actively try to damage your system if removed incorrectly, so make sure you know what you're dealing with.
With automated tools such as Spybot and HijackThis, removal of spyware is generally as simple as selecting the Fix option. One piece of spyware merits a special mention due to its nastiness: CoolWebSearch (CWS). Variants of this malware integrate deep inside Windows, making removal very difficult. If you're unfortunate enough to be infected by this menace, a dedicated tool called CWShredder can generally fix the problems.
7. SPYWARE PREVENTION
As the saying goes, prevention is better than a cure, and that's certainly the case where spyware is involved. There are some simple steps you can take to minimize the risk of spyware infection.
Web Browser Security
Although Internet Explorer zones aren't a reliable security mechanism, they do provide some protection. Place the Web sites you know and trust into the Trusted Sites zone, and increase the security on the Internet zone. Internet Explorer uses the Internet zone for any Web site that isn't listed in one of the other zones; therefore, its security settings apply to the majority of sites you visit. As a minimum, set every ActiveX option and Active Scripting to Disable (or, if that breaks too many sites you rely on, to Prompt, so that nothing runs without your say-so). If practical, consider switching to another Web browser such as Firefox.
Although Internet Explorer is probably the worst culprit, all Web browsers have security flaws so it's essential you stay up to date with security patches.
Personal Firewalls
A personal firewall is essential if you're directly connected to the Internet, and it also acts as an early warning system against spyware that phones home. Earlier in this lesson, you used Active Ports to monitor network connections; most personal firewalls do the same thing in the background and alert you when a process tries to connect to a remote computer.
There's a huge selection of personal firewall software to select from, although the best of breed are generally considered to be ZoneAlarm and Kerio Personal Firewall (formerly known as Tiny Personal Firewall).
Update Your Antivirus Software
Although antivirus software isn't designed to catch spyware, most desktop packages recognize the methods spyware uses to get onto your computer. Much of this happens through the Web browser cache: when your browser downloads a page and stores it on disk, the antivirus scanner intercepts the file as it's written and analyzes it. Many of the JavaScript and ActiveX exploits used to install spyware have virus signatures, so your antivirus software doubles as a warning system. GriSoft AVG is an excellent free antivirus suite.
Immunization
Spybot can immunize your system against spyware. By setting various Registry keys and creating dummy files, Spybot immunization can fool a significant amount of spyware into thinking it's already installed, preventing it from really infecting your computer. Spybot also includes a BHO that watches Web page requests within Internet Explorer. If it detects an attempt to load a known adware-based usage tracker, it will prompt you whether you want to allow it to continue.
Make Backups
Making regular backups of your system is a good idea anyway, but has the added advantage of letting you restore a previous, spyware-free configuration in case your computer gets infected. Windows XP Restore Points are also perfect for rolling back to a clean version of your system. In Windows XP, select Start > All Programs > Accessories > System Tools > System Restore, and then follow the instructions. Be aware that restore points created after the infection contain copies of the spyware, so once you've cleaned a machine, purge the old restore points and create a fresh one; otherwise a later rollback can bring the infection straight back. CNET's Backup roundup provides an excellent review of the available options.
Use a Proxy Server
Although this won't prevent some types of spyware from infecting your system, most proxy servers can scan content before downloading it. This lets them trap malicious Web pages and usage trackers before they reach your computer. As an added bonus, all your Web browsing will appear to come from the IP address of the proxy server; since most proxy servers serve hundreds of users, usage tracking systems are mostly defeated. There are plenty of anonymous proxy servers available for your browsing use, but remember that whoever runs the proxy sees every page you request, so an anonymous proxy you know nothing about can be a worse privacy risk than the trackers you're avoiding.
8. HOW THE RESEARCHERS DO IT!
Spyware is a nasty trend that needs to be stopped immediately, but it does have an upside. One of the most interesting and challenging areas of research is trapping, analyzing, and defeating new spyware. We all rely on the dedication of the people who do this work for free, making it possible for everyone else to remove and avoid spyware.
Becoming an expert in reverse engineering is a long and difficult path, requiring the mastery of many different skills. The best reverse engineers can usually program in two or three different programming languages, including assembly, as well as know the hardware and operating system inside out. Although the individual skills can be difficult to master, the process is simple to follow.
Most researchers start with a dedicated computer that has a basic installation of Windows, as well as a few common antispyware tools. They then take a snapshot of the operating system using a setup wizard creation tool (for example, Masai Editor), and then deliberately infect the computer with the spyware target. The setup tool is run again, and produces a difference file that lists all the changes that occurred since the previous snapshot. This immediately allows the researchers to understand what changes the spyware has made.
The difference file probably contains a number of spyware executables that have been downloaded to the computer during infection. The researchers isolate these files and begin an analysis.
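The snapshot-and-diff step in code, as an added example written for this edit rather than taken from the lesson or from any research lab's tooling: hash every file under a directory tree before and after the infection and report what was added, removed and modified. The demo builds a toy Windows tree in a temporary directory and simulates the infection itself (a dropped updater.exe and an edited hosts file); those files are constructed stand-ins, not real binaries. The Registry half of a real snapshot is done the same way on Windows, for example by diffing two "reg export" dumps, and is not shown here.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative path) to (size, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), digest.hexdigest())
    return snap


def diff_snapshots(before, after):
    """What changed between two snapshots, as sorted relative paths."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed run: toy Windows tree, baseline snapshot, simulated
    infection (dropped file plus hosts-file edit), second snapshot, diff."""
    with tempfile.TemporaryDirectory() as root:
        win = os.path.join(root, "WINDOWS")
        hosts = os.path.join(win, "system32", "drivers", "etc", "hosts")
        _write(hosts, "127.0.0.1 localhost\n")
        _write(os.path.join(win, "win.ini"), "[fonts]\n")
        _write(os.path.join(win, "system32", "kernel32.dll"), "stand-in for a DLL\n")
        before = snapshot(root)

        # "Infection": a new executable appears and the hosts file is edited.
        _write(os.path.join(win, "system32", "updater.exe"), "MZ stand-in, not a program\n")
        _write(hosts, "127.0.0.1 localhost\n127.0.0.1 www.download.com\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing rather than comparing timestamps matters here: spyware routinely back-dates the files it drops so they blend in with the installation, but it cannot make the content hash match.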
Every Windows executable follows a strict file structure known as the PE (Portable Executable) format. The PE headers tell Windows how big the file is, which resources it contains (icons, bitmaps, cursors and so on) and, most importantly from a researcher's point of view, where to find the import table. The import table lists every operating system function the executable calls by name; to put a message box on screen, for example, the import table names the Windows function MessageBoxA from USER32.dll. By reading the import table, a researcher can quickly tell whether the spyware target communicates over the Internet (WinInet or Winsock functions), writes files to the hard disk (CreateFile, WriteFile) or hooks into Web pages as they load. One caveat: a packed or encrypted executable imports almost nothing beyond LoadLibrary and GetProcAddress and resolves everything else at run time, so an implausibly short import table is itself a clue, and the sample has to be unpacked before this analysis means much.
Next, researchers extract the printable strings from the executable and search them for interesting text. If the spyware target writes entries to the hosts file, the host names and addresses it uses are usually visible in the clear inside the executable, as are any URLs it reports to. An excellent string extraction tool is AnalogX TextScan, shown in Figure 2-7.
After all of the background information has been gathered, researchers begin reverse engineering and disassembling the spyware target. Using tools such as Neuron PE Disassembler or Proview Disassembler, the executable is converted into assembly language source code, known as the dead listing. With the dead listing alongside a live debugger such as OllyDbg, a researcher can follow the logic of the spyware target and understand exactly how it works.
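The import-table check in code, as an added example written for this edit rather than taken from the lesson or from any research group: a small import-directory parser for PE32 and PE32+ images, run against a skeleton PE32 image that the block builds itself so the example works offline. That image and its import list (WinInet and KERNEL32 functions) are constructed, and only the header fields the parser reads are filled in; the NETWORK_APIS set is an assumption about which imports indicate Internet access, not an authoritative list. For a real sample, pass the file's bytes to parse_imports().

```python
import struct

# Constructed sample: the APIs a hosts-file hijacker that phones home might
# import. The image built from it is a skeleton PE32 with only an import
# directory filled in; it is not a real program and cannot run.
SAMPLE_IMPORTS = {
    "WININET.dll": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile"],
    "KERNEL32.dll": ["CreateFileA", "WriteFile"],
}
NETWORK_APIS = {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "HttpSendRequestA",
                "URLDownloadToFileA", "WSAStartup", "connect", "send", "recv"}  # assumption


def build_sample_pe(imports=SAMPLE_IMPORTS):
    """Assemble a minimal PE32 image: DOS/PE headers, one section, an import table."""
    sec_rva, sec_raw = 0x1000, 0x200            # section RVA and file offset
    blob = bytearray()

    def put(data):                              # append to the section, return its RVA
        while len(blob) % 4:
            blob.append(0)
        rva = sec_rva + len(blob)
        blob.extend(data)
        return rva

    descriptors = []
    for dll, funcs in imports.items():
        hint_names = [put(b"\x00\x00" + f.encode() + b"\x00") for f in funcs]  # hint + name
        name_rva = put(dll.encode() + b"\x00")
        thunks = b"".join(struct.pack("<I", r) for r in hint_names) + b"\x00" * 4
        ilt_rva, iat_rva = put(thunks), put(thunks)   # on disk the IAT mirrors the ILT
        descriptors.append(struct.pack("<5I", ilt_rva, 0, 0, name_rva, iat_rva))
    idt_rva = put(b"".join(descriptors) + b"\x00" * 20)  # all-zero descriptor ends it

    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)        # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # only fields we read
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, idt_rva, 20 * (len(descriptors) + 1))  # DataDirectory[1]
    section = struct.pack("<8s6I2HI", b".idata", len(blob), sec_rva,
                          len(blob), sec_raw, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(sec_raw, b"\x00") + bytes(blob)


def _cstr(image, off):
    return image[off:image.index(b"\x00", off)].decode("ascii", "replace")


def parse_imports(image):
    """Return {dll: [function or 'ordinal#N', ...]} from a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]               # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                      # PE32: 4-byte thunks, data dirs at +96
        thunk_fmt, ordinal_bit, dirs = "<I", 1 << 31, opt + 96
    elif magic == 0x20B:                    # PE32+: 8-byte thunks, data dirs at +112
        thunk_fmt, ordinal_bit, dirs = "<Q", 1 << 63, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    idt_rva = struct.unpack_from("<I", image, dirs + 8)[0]      # DataDirectory[1] = imports
    if idt_rva == 0:
        return {}                            # no import directory at all
    sections = []                            # (VirtualAddress, size, PointerToRawData)
    for i in range(n_sections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<4I", image, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):                     # RVAs must be mapped back to file offsets
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError("RVA %#x not backed by any section" % rva)

    result, off = {}, rva_to_off(idt_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<5I", image, off)
        if not (ilt or name_rva or iat):
            break                            # all-zero descriptor terminates the table
        names, t = [], rva_to_off(ilt or iat)   # prefer the unpatched ILT
        while True:
            entry = struct.unpack_from(thunk_fmt, image, t)[0]
            if entry == 0:
                break
            if entry & ordinal_bit:
                names.append("ordinal#%d" % (entry & 0xFFFF))
            else:
                names.append(_cstr(image, rva_to_off(entry) + 2))   # skip the 2-byte hint
            t += struct.calcsize(thunk_fmt)
        result[_cstr(image, rva_to_off(name_rva))] = names
        off += 20
    return result


def network_capable(imports):
    """Imported functions that give the executable Internet access."""
    return sorted(f for funcs in imports.values() for f in funcs if f in NETWORK_APIS)
```

Run parse_imports(build_sample_pe()) and network_capable() on the result to see the two-DLL import list and the three WinInet calls that mark the sample as network-capable. A real sample whose only imports are LoadLibraryA and GetProcAddress is almost certainly packed, as noted above, and needs unpacking before this tells you anything.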
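String extraction in code, as an added example written for this edit (not the lesson's own tool and not TextScan): pull out printable ASCII and UTF-16LE runs, which matters because Windows programs keep many of their strings as UTF-16 and a plain ASCII scan misses them, then filter for hosts-file lines and URLs. The sample byte string is a constructed stand-in for an executable, not a real binary; the URL and host names in it are made up.

```python
import re

# Constructed stand-in for a spyware executable: a fake header, some junk, a
# hosts-file line in ASCII, a reporting URL in UTF-16LE, a path fragment and
# an API name. Not a real binary; the names and URL are invented.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(0x80, 0x98))
    + b"127.0.0.1 www.download.com\x00"
    + b"ab\x00\x00"                                              # too short to count
    + "http://www.example.com/ads/track.php".encode("utf-16-le") + b"\x00\x00"
    + b"\\drivers\\etc\\hosts\x00"
    + b"MessageBoxA\x00"
)

HOSTS_LINE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}\s+[\w.-]+")   # "1.2.3.4 host"
URL = re.compile(r"(?:https?://|www\.)[\w.\-/?=&%]+", re.I)


def extract_strings(data, min_len=4):
    """Return [(offset, encoding, text)] for printable ASCII and UTF-16LE runs
    of at least min_len characters, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


def interesting(strings):
    """Strings that point at the network or the hosts file: [(offset, text)]."""
    return [(off, text) for off, _enc, text in strings
            if HOSTS_LINE.match(text) or URL.search(text) or "hosts" in text.lower()]


if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_BINARY):
        print("%06x %-8s %s" % (off, enc, text))
    print("interesting:", [t for _, t in interesting(extract_strings(SAMPLE_BINARY))])
```

On a real file, open it in binary mode and pass the bytes to extract_strings(). Expect plenty of noise (resource text, compiler fragments); the interesting() filter is a starting point, and a sample that yields no URLs or host names at all is another hint that it is packed.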
Antivirus companies such as Symantec and Network Associates use these same techniques to reverse engineer viruses and produce antivirus software. As you can probably imagine, these skills take years of study and dedication to master!
Moving On
This lesson dug deep into the world of spyware, showing you how to detect, remove, and defeat spyware using your skills combined with automated tools. You learned that the most important part of spyware removal is research, and that jumping straight in can often cause further problems. You learned about Spybot and HijackThis antispyware tools in depth, along with some best practices to avoid infection in the first place.
Before you move on, do the assignment and take the quiz for this lesson! Your fellow students and instructor are always available on the Message Board to discuss technical spyware issues, so stop by.
In Lesson 3, you'll dive into the world of spam and malicious e-mail to see how spam and spyware are closely related, and how much of spyware theory is applicable to spam, too. You'll learn exactly how spammers target and track the e-mail sent to their victims, even to the point of knowing when e-mail is deleted or forwarded on to another person.
