The Bay Area's Premier Computer Service Center.

For all your computer needs.

 Spyware and Malware

 

Home
 

Location
 

Contact Us
 

Services
 

Sales
 

Articles
 

Trouble

Ticket

 

Before we get into the meat of this thing, let me begin by saying that Viruses, Trojans, Spyware, Malware, Adware, etc. are bad things that can happen to your computer. Think of them as your computer getting sick. Like other sicknesses, sometimes these computer sicknesses can spread to other computers (that's why they call 'em viruses). If your computer gets sick, it is only right and responsible to get it cured before you go and infect everyone you know, and possibly hundreds of thousands of people you do not know.

Also, like other sicknesses, you can avoid them with due diligence. Avoid sites where pirated material is distributed. Avoid downloading pirated or copyrighted material. Avoid sites with dark or illegal content. Avoid downloading dark or illegal content. Keep your computer(s) well-inoculated with Antivirus and Anti-malware (click here if you can't afford this).

Warning: This is a LONG article.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following definitions (Spyware and Malware) were taken without shame from Wikipedia (www.wikipedia.com) for your edification; links therein will take you to other Wikipedia definitions. Wikipedia is an excellent source for information but should NEVER be used without verification from other sources, as anyone can upload data to Wikipedia and there it will stay unless repudiated by alternative sources. Articles and sources copied here are protected by the GNU Free Documentation License, and GCITS has made efforts to comply with this license. Please contact us if you notice some breach of this License Agreement; we'd rather be the first to know than the last. Additionally, if you would like to see the following information in its original form, please visit here and here.

GCITS recommends the free Microsoft's Windows Defender, a free application (available for free download here) for free protection from Spyware and Malware. Did we mention that it was free?

Spyware

From Wikipedia, the free encyclopedia

 Jump to: navigation, search

A large number of toolbars, some added by spyware, overwhelm an Internet Explorer session.

Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.

While the term spyware suggests software that secretly monitors the user's behavior, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, but can also interfere with user control of the computer in other ways, such as installing additional software, redirecting Web browser activity, or diverting advertising revenue to a third party.

In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security best practices for Microsoft Windows desktop computers. A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user's computer.

Contents

[hide]

[edit] History and development

The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model.[1] Spyware at first denoted hardware meant for espionage purposes. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall.[2] Since then, "spyware" has taken on its present sense. [2] According to a 2005 study by AOL and the National Cyber-Security Alliance, 61% of surveyed users' computers had some form of spyware. 92% of surveyed users with spyware reported that they did not know of its presence, and 91% reported that they had not given permission for the installation of the spyware.[3] As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. In an estimate based on customer-sent scan logs, Webroot Software, makers of Spy Sweeper, said that 9 out of 10 computers connected to the Internet are infected.[4] Computers where Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks not only because IE is the most widely-used,[5] but because its tight integration with Windows allows spyware access to crucial parts of the operating system.[6][5] Internet Explorer also enables, by default, the silent (read surreptitious) installation and execution of ActiveX controls under the naive assumption that such powerful executables are benign. The fragile, poorly documented, and arguably undesirable registry offers spyware numerous additional hiding places from which to start automatically and, along with sharing behavior, helps it circumvent attempts at removal.

[edit] Comparison

[edit] Spyware, adware and tracking

The term adware frequently refers to any software which displays advertisements, whether or not the user has consented. Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.

Most spyware is adware in a different sense: it displays advertising. Claria Corporation's Gator Software and Exact Advertising's BargainBuddy are examples. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user receives many pop-up advertisements.

Other spyware behavior, such as reporting on websites the user visits, occurs in the background. The data is used for "targeted" advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such).[citation needed] Many users, however, choose to install it.[citation needed]

Similarly, software bundled with free, advertising-supported programs such as P2P act as spyware, (and if removed disable the 'parent' program) yet people are willing to download it. This presents a dilemma for proprietors of anti-spyware products whose removal tools may inadvertently disable wanted programs. These recent test results show how a bundled software (WhenUSave) is ignored by popular anti spyware program AdAware, (but removed as spyware by most scanners) because it is part of the popular (but recently decommissioned) Edonkey client. To address this dilemma, the Anti-Spyware Coalition has been working on building consensus within the anti-spyware industry as to what is and isn't acceptable software behavior. To accomplish their goal, this group of anti-spyware companies, academics, and consumer groups have collectively published a series of documents including a definition of spyware, risk model, and best practices document.

[edit] Spyware, virus and worm

Unlike viruses and worms, spyware does not usually self-replicate. Like many recent viruses, however, spyware — by design — exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.

[edit] Routes of infection

Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.

Most spyware is installed without users being aware. Since they tend not to install software if they know that it will disrupt their working environment and compromise their privacy, spyware deceives users, either by piggybacking on a piece of desirable software such as Kazaa, or tricking them into installing it (the Trojan horse method). Some "rogue" anti-spyware programs even masquerade as security software.

The distributor of spyware usually presents the program as a useful utility — for instance as a "Web accelerator" or as a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a spyware program targeted at children, claims that:

He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE![7]

Spyware can also come bundled with shareware or other downloadable software, as well as music CDs. The user downloads a program and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable free software with installers that add spyware.

A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. Internet Explorer prevents websites from initiating an unwanted download. Instead, it requires a user action, such as clicking on a link. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack.

Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware. The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a "drive-by download", which leaves the user a hapless bystander to the attack. Common browser exploits target security vulnerabilities in Internet Explorer and in the Microsoft Java runtime.

The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it the most frequent target. Its deep integration with the Windows environment and scriptability make it an obvious point of attack into Windows. Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser's behaviour to add toolbars or to redirect traffic.

In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to install spyware that put pornographic pop-ups on the infected system's screen.[8] By directing traffic to ads set up to channel funds to the spyware authors, they profit personally.

[edit] Effects and behaviors

A spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic, all of which slow the computer down. Stability issues, such as application or system-wide crashes, are also common. Spyware which interferes with networking software commonly causes difficulty connecting to the Internet.

In some infections, the spyware is not even evident. Users assume in those situations that the issues relate to hardware, to Windows installation problems, or a virus. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality.

Only rarely does a single piece of software render a computer unusable. Rather, a computer is likely to have multiple infections. As the 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. The cumulative effect, and the interactions between spyware components, cause the symptoms commonly reported by users: a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Some spyware has disabled or even removed competing spyware programs, on the grounds that more spyware-related annoyances make it even more likely that users will take action to remove the programs. One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the two later settled with an agreement not to disable each others' products.[9]

Some other types of spyware (Targetsoft, for example) modify system files so they will be harder to remove. Targetsoft modifies the "Winsock" Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage. Unlike users of many other operating systems, a typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system. Spyware, along with other threats, has led some Windows users to move to other platforms such as Linux or Apple Macintosh, which are less attractive targets for malware. This is because these programs are not granted unrestricted access to the operating system (due to the Unix underpinnings upon which both Linux and Mac OS X are built[citation needed]) though some allege it's mainly due to the far smaller number of machines installed with these operating systems making spyware development potentially less profitable for these platforms.[citation needed]

[edit] Advertisements

Many spyware programs display advertisements. Some programs simply display pop-up ads on a regular basis; for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior. Pop-ups are one of users' most common complaints about spyware.[citation needed]

Many users complain about irritating or offensive advertisements as well. As with many banner ads, many spyware advertisements use animation or flickering banners which can be visually distracting and annoying to users. Pop-up ads for pornography often display indiscriminately. When children are the users, this could possibly violate anti-pornography laws in some jurisdictions.

A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site's own advertisements (which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites.

 [edit] "Stealware" and affiliate fraud

A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware", and what spyware-researcher Ben Edelman terms affiliate fraud, a form of click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.

Spyware which attacks affiliate networks places the spyware operator's affiliate tag on the user's activity—replacing any other tag, if there is one. The spyware operator is the only party that gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue, Networks' reputations are injured, and vendors are harmed by having to pay out affiliate revenues to an "affiliate" who is not party to a contract.[10]

Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.[citation needed]

[edit] Identity theft and fraud

In one case, spyware has been closely associated with identity theft.[11] In August 2005, researchers from security software firm Sunbelt Software believed that the makers of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc.",[12] but it turned out that "it actually (was) its own sophisticated criminal little trojan that's independent of CWS."[13] This case is currently under investigation by the FBI.

The Federal Trade Commission estimates that 27.3 million Americans have been victims of identity theft, and that financial losses from identity theft totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals.[14]

Spyware-makers may commit wire fraud with dialer program spyware. These can reset a modem to dial up a premium-rate telephone number instead of the usual ISP. Connecting to these suspicious numbers involves long-distance or overseas charges which invariably result in high charges. Dialers are ineffective on computers that do not have a modem, or are not connected to a telephone line.

[edit] Digital rights management

Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music Entertainment was found to be using rootkits in its XCP digital rights management technology[15] Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. Texas state attorney general Greg Abbott filed suit,[16] and three separate class-action suits were filed.[17] Sony BMG later provided a workaround on its website to help users remove it.[18]

Beginning in April 25, 2006, Microsoft's Windows Genuine Advantage Notifications application[19] install on most Windows PCs as a "critical security update". While the main purpose of this deliberately non-uninstallable application is making sure the copy of Windows on the machine was lawfully purchased and installed, it also installs software that has been accused of "phoning home" on a daily basis, like spyware.[20][21] It can be removed with the RemoveWGA tool.

[edit] Spyware and cookies

Anti-spyware programs often report Web advertisers' HTTP cookies, the small text files that track browsing activity, as spyware. While they are not always inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and so many anti-spyware programs offer to remove them.

[edit] Examples of spyware

These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into "families" based not on shared program code, but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.

  • CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites.[22]
  • Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.[22]
  • Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies.[10]
  • HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs — an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.[23][24]
  • Movieland, also known as Moviepass.tv or Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General's Office, the Better Business Bureau, and others by consumers claiming they were held hostage by its repeated pop-up windows and demands for payment.[25] The FTC has filed a complaint against Movieland.com and eleven other defendants (list), charging them with having "engaged in a nationwide scheme to use deception and coercion to extract payments from consumers." The complaint alleges that the software repeatedly opened oversized pop-up windows that could not be closed or minimized, accompanied by music that lasted nearly a minute, demanding payment of at least $29.95 to end the pop-up cycle; and claiming that consumers had signed up for a three-day free trial but did not cancel their membership before the trial period was over, and were thus obligated to pay.[26][27]

[edit] Legal issues related to spyware

[edit] Criminal law

Unauthorized access to a computer is illegal under computer crime laws, such as the U.S. Computer Fraud and Abuse Act, the U.K.'s Computer Misuse Act and similar laws in other countries. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware, particularly viruses. However, few spyware developers have been prosecuted, and many operate openly as strictly legitimate businesses, though some have faced lawsuits.[28][29]

Spyware producers argue that, contrary to the users' claims, users do in fact give consent to installations. Spyware that comes bundled with shareware applications may be described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim these demonstrate that users have consented.

Despite the ubiquity of EULAs and of "clickwrap" agreements, under which a single click can be taken as consent to the entire text, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreement can be a binding contract in certain circumstances.[30] This does not, however, mean that every such agreement is a contract or that every term in one is enforceable.

Some jurisdictions, including the U.S. states of Iowa[31] and Washington,[32] have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software.

In the United States, lawmakers introduced a bill in 2005 entitled the Internet Spyware Prevention Act, which would imprison creators of spyware.[33]

[edit] Civil law

Former New York State Attorney General and now current Governor Eliot Spitzer has pursued spyware companies for fraudulent installation of software.[34] In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to pay US$7.5 million and to stop distributing spyware.[35]

The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court.

Courts have not yet had to decide whether advertisers can be held liable for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, they have contracted with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies which have run their ads in spyware.[36]

[edit] Libel suits by spyware developers

Litigation has gone both ways. Since "spyware" has become a common pejorative, some makers have filed libel and defamation actions when their products have been so described. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing its program as "spyware".[37] PC Pitstop settled, agreeing not to use the word "spyware", but continues to describe harm caused by the Gator/Claria software.[38] As a result, other antispyware and antivirus companies have also used other terms such as "potentially unwanted programs" or greyware to denote these products.

[edit] Remedies and prevention

As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system.

Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data, and fully reinstalling the operating system.

[edit] Anti-spyware programs

Report on scan of an infected system from Lavasoft's Ad-Aware

Many programmers and some commercial firms have released products designed to remove or block spyware. Steve Gibson's OptOut, mentioned above, pioneered a growing category. Programs such as Lavasoft's Ad-Aware SE and Patrick Kolla's Spybot - Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the GIANT AntiSpyware software, rebranding it as Windows AntiSpyware beta and releasing it as a free download for Windows XP and Windows 2003 users. In early spring, 2006, Microsoft renamed the beta software to Windows Defender, and it was released as a free download in October 2006. Microsoft currently ships the product for free with Windows Vista. Other well-known anti-spyware products include Webroot Spy Sweeper, Trend Micro's Anti-Spyware, PC Tools' Spyware Doctor, and Sunbelt Software's CounterSpy V2. Blue Coat Systems released a gateway anti-spyware solution in 2004.

Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and now offers real-time protection from them (as it does for viruses). Recently, the anti virus company Grisoft, creator of AVG anti-virus program, acquired anti-spyware firm Ewido Networks, re-labeling their Ewido anti-spyware program as AVG Anti-Spyware. This shows a trend by anti virus companies to launch a dedicated solution to spyware and malware. Zone Labs, creator of Zone Alarm firewall have also released an anti spyware program.

Microsoft Anti-Spyware, in real-time protection blocks an instance of the AlwaysUpdateNews from being installed.

Microsoft Anti-Spyware, in real-time protection blocks an instance of the AlwaysUpdateNews from being installed.

Anti-spyware programs can combat spyware in two ways:

  • 1. They can provide real time protection against the installation of spyware software on your computer. This type of spyware protection works the same way as that of anti-virus protection in that the anti-spyware software scans all incoming network data for spyware software and blocks any threats it comes across.
  • 2. Anti-spyware software programs can be used solely for detection and removal of spyware software that has already been installed onto your computer. This type of spyware protection is normally much easier to use and more popular. With this spyware protection software you can schedule weekly, daily, or monthly scans of your computer to detect and remove any spyware software that has been installed on your computer. This type of anti-spyware software scans the contents of the windows registry, operating system files, and installed programs on your computer and will provide a list of any threats found, allowing you to choose what you want to delete and what you want to keep.

Such programs inspect the contents of the Windows registry, the operating system files, and installed programs, and remove files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because many spyware and adware are installed as a result of browser exploits or user error, using security software (some of which are antispyware, though many are not) to sandbox browsers can also be effective to help restrict any damage done.

Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs.

Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making "signatures" or "definitions" which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates free. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually.

Not all programs rely on updated definitions. Some programs rely partly (for instance many antispyware programs such as Windows Defender, Spybot's TeaTimer and Spysweeper) or fully (programs falling under the class of Hips such as BillP's WinPatrol), on historical observation. They watch certain configuration parameters (such as certain portions of the Windows registry or browser configuration) and report any change to the user, without judgment or recommendation. While they do not rely on updated definitions, which may allow them to spot newer spyware, they can offer no guidance. The user is left to determine "what did I just do, and is this configuration change appropriate?"

Windows Defender's Spynet attempts to alleviate this through offering a community to share information, which helps guide both users, who can look at decisions made by others, and analysts, who can spot fast-spreading spyware. A popular generic spyware removal tool used by those with a certain degree of expertise is HijackThis, which scans certain areas of the Windows OS where spyware often resides and presents a list with items to delete manually. As most of the items are legitimate windows files/registry entries it is advised for those who are less knowledgeable on this subject to post a HijackThis log on the numerous antispyware sites and let the experts decide what to delete.

If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware. Killing the process tree can also work.

A new breed of spyware (Look2Me spyware by NicTechNetworks is a good example) is starting to hide inside system-critical processes and start up even in safe mode. With no process to terminate they are harder to detect and remove. Sometimes they do not even leave any on-disk signatures. Rootkit technology is also seeing increasing use,[39] as is the use of NTFS alternate data streams. Newer spyware programs also have specific countermeasures against well known anti-malware products and may prevent them from running or being installed, or even uninstall them. An example of one that uses all three methods is Gromozon, a new breed of malware. It uses alternate data streams to hide. A rootkit hides it even from alternate data streams scanners and actively stops popular rootkit scanners from running.

Malicious websites attempt to install spyware on readers' computers.

Malicious websites attempt to install spyware on readers' computers.

[edit] Fake anti-spyware programs

Main article: List of fake anti-spyware programs

Malicious programmers have released a large number of fake anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware — or worse, may add more spyware of their own.[40][41]

The recent proliferation of fake or spoofed antivirus products has occasioned some concern. Such products often bill themselves as antispyware, antivirus, or registry cleaners, and sometimes feature popups prompting users to install them. They are called rogue software.

Known offenders include:

 

On 2006-01-26, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product.[42] On 2006-12-04, the Washington attorney general announced that Secure Computer had paid $1 million to settle with the state. As of that date, Microsoft's case against Secure Computer remained pending.[43]

[edit] Security practices

To deter spyware, computer users have found several practices useful in addition to installing anti-spyware programs.

Many system operators install a web browser other than IE, such as Opera or Mozilla Firefox. Although these have also suffered some security vulnerabilities, their comparatively small market share compared to Internet Explorer makes it uneconomic for hackers to target users on those browsers.[citation needed] Though no browser is completely safe, Internet Explorer is at a greater risk for spyware infection due to its large user base as well as vulnerabilities such as ActiveX.

Some ISPs — particularly colleges and universities — have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University's Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it.[44] Many other educational institutions have taken similar steps. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users' behavior, and so may more readily attract institutional attention.[citation needed]

Some users install a large hosts file which prevents the user's computer from connecting to known spyware related web addresses. However, by connecting to the numeric IP address, rather than the domain name, spyware may bypass this sort of protection.

Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. Recently, CNet revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.[citation needed]

[edit] Notable programs distributed with spyware

[edit] Notable programs formerly distributed with spyware

  • AOL Instant Messenger[53] (AOL Instant Messenger still packages Viewpoint Media Player, and WildTangent)
  • DivX (except for the paid version, and the "standard" version without the encoder). DivX announced removal of GAIN software from version 5.2.[54]
  • FlashGet (trial version prior to program being made freeware)[55]

[edit] Notes

  1. ^ Vossen, Roland (attributed); October 21, 1995; Win 95 Source code in c!! posted to rec.games.programmer; retrieved from groups.google.com November 28, 2006.
  2. ^ a b Wienbar, Sharon. "The Spyware Inferno". News.com. August 13, 2004.
  3. ^ "AOL/NCSA Online Safety Study". America Online & The National Cyber Security Alliance. 2005.
  4. ^ Spyware Info and Facts that All Internet Users Must Know
  5. ^ a b "Is It Time to Ditch IE?". Pcworld.com. September 1, 2004
  6. ^ "Analyzing IE At 10: Integration With OS Smart Or Not?". TechWeb Technology News . August 25, 2005.
  7. ^ Bonzi.com. http://www.bonzi.com/bonzibuddy/bonzimail.asp. Retrieved July 10, 2005.
  8. ^ "Security Response: W32.Spybot.Worm". Symantec.com. Retrieved July 10, 2005.
  9. ^ Edelman, Ben; December 7, 2004 (updated February 8, 2005); Direct Revenue Deletes Competitors from Users' Disks; benedelman.com; retrieved November 28, 2006.
  10. ^ a b "The Effect of 180solutions on Affiliate Commissions and Merchants". Benedelman.org. Retrieved November 14, 2006.
  11. ^ Ecker, Clint (2005). Massive spyware-based identity theft ring uncovered. August 5, 2005.
  12. ^ "Massive identity theft ring" at Sunbelt
  13. ^ "Identity Theft? What to do?" at SunBelt
  14. ^ FTC Releases Survey of Identity Theft in U.S. 27.3 Million Victims in Past 5 Years, Billions in Losses for Businesses and Consumers
  15. ^ Russinovich, Mark. "Sony, Rootkits and Digital Rights Management Gone Too Far,", Mark's Blog, October 31, 2005, retrieved November 22, 2006
  16. ^ Press release from the Texas Attorney General's office, November 21, 2005; Attorney General Abbott Brings First Enforcement Action In Nation Against Sony BMG For Spyware Violations; retrieved November 28, 2006.
  17. ^ "Sony sued over copy-protected CDs; Sony BMG is facing three lawsuits over its controversial anti-piracy software", BBC News, November 10, 2005, retrieved November 22, 2006.
  18. ^ Information About XCP Protected CDs, retrieved November 29, 2006.
  19. ^ Microsoft.com - Description of the Windows Genuine Advantage Notifications application, retrieved June 13, 2006
  20. ^ Lauren Weinstein's Blog - Windows XP update may be classified as 'spyware', retrieved June 13, 2006
  21. ^ Microsoft's antipiracy (sic) tool "phones home" daily, retrieved June 13, 2006
  22. ^ a b "Parasite information database". Doxdesk.com. Retrieved July 10, 2005.
  23. ^ CA Spyware Information Center - HuntBar
  24. ^ What is Huntbar or Search Toolbar?
  25. ^ Attorney General McKenna Sues Movieland.com and Associates for Spyware
  26. ^ FTC, Washington Attorney General Sue to Halt Unfair Movieland Downloads
  27. ^ Complaint for Permanent Injunction and Other Equitable Relief (PDF, 25 pages)
  28. ^ "Lawsuit filed against 180solutions". zdnet.com September 13, 2005
  29. ^ "180solutions sues allies over adware". news.com July 28, 2004
  30. ^ Coollawyer; 2001-2006; Privacy Policies, Terms and Conditions, Website Contracts, Website Agreements; coollawyer.com; retrieved November 28, 2006.
  31. ^ "COMPUTER SPYWARE AND MALWARE PROTECTION". nxtsearch.legis.state.ia.us. Retrieved November 14, 2006.
  32. ^ Chapter 19.270 RCW: Computer spyware. apps.leg.wa.gov. Retrieved November 14, 2006
  33. ^ http://www.infoworld.com/article/07/03/16/HNspywarebill_1.html US lawmakers introduce I-Spy bill (Accessed March 24 2007)
  34. ^ "State Sues Major "Spyware" Distributor". Office of New York State Attorney General. April 28, 2005.
  35. ^ Gormley, Michael. "Intermix Media Inc. says it is settling spyware lawsuit with N.Y. attorney general". Yahoo! News. June 15, 2005.
  36. ^ Gormley, Michael. "Major advertisers caught in spyware net". Business Week. June 24, 2005.
  37. ^ Festa, Paul. "See you later, anti-Gators?". News.com. October 22, 2003.
  38. ^ "Gator Information Center". pcpitstop.com November 14, 2005.
  39. ^ Roberts, P.F "Spyware meets Rootkit Stealth". eweek.com. June 20, 2005.
  40. ^ Roberts, Paul F. "Spyware-Removal Program Tagged as a Trap". eWeek. May 26, 2005.
  41. ^ Howes, Eric L. "The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites". Retrieved July 10, 2005.
  42. ^ Antispyware Company Sued Under Spyware Law
  43. ^ Bogus anti-spyware firm fined $1m
  44. ^ Schuster, Steve. "Blocking Marketscore: Why Cornell Did It". Cornell University, Office of Information Technologies. March 31, 2005.
  45. ^ "Symantec Security Response - Adware.Bonzi". Symantec. Retrieved July 27, 2005.
  46. ^ Edelman, Ben (2005). "Claria's Misleading Installation Methods - Dope Wars". Retrieved July 27, 2005
  47. ^ "eTrust Spyware Encyclopedia - ErrorGuard". Computer Associates. Retrieved July 27, 2005.
  48. ^ Edelman, Ben (2004). "Grokster and Claria Take Licenses to New Lows, and Congress Lets Them Do It". Retrieved July 27, 2005
  49. ^ Edelman, Ben (2004). "Claria License Agreement Is Fifty Six Pages Long". Retrieved July 27, 2005.
  50. ^ a b Edelman, Ben (2005). "Comparison of Unwanted Software Installed by P2P Programs". Retrieved July 27, 2005.
  51. ^ "eTrust Spyware Encyclopedia - Radlight 3 PRO". Computer Associates. Retrieved July 27, 2005
  52. ^ "doxdesk.com: database: WeatherBug". Doxdesk.com. Retrieved July 27, 2005.
  53. ^ a b "WildTangent". Sunbelt Software. Retrieved July 27, 2005.
  54. ^ "How Did I Get Gator?". PC Pitstop. Retrieved July 27, 2005.
  55. ^ "eTrust Spyware Encyclopedia - FlashGet". Computer Associates. Retrieved July 27, 2005

[edit] See also

[edit] External links

Guide

Removal

Prevention

Testing and comparison

  • Consumer Search — a third-party ratings and comments on different reviews in other websites, in which the ratings are based on credibility in testing, evaluating and identifying the best Anti-Spyware.

Organizations

Malware

From Wikipedia, the free encyclopedia

 

Jump to: navigation, search

http://upload.wikimedia.org/wikipedia/commons/a/ae/Mergefrom.gif

It has been suggested that Grayware be merged into this article or section. (Discuss)

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a portmanteau of the words "malicious" and "software". The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Many normal computer users are however still unfamiliar with the term, and most never use it. Instead, "(computer) virus" is used in common parlance and often in the general media to describe all kinds of malware. Another term that has been recently coined for malware is badware, perhaps due to the anti-malware initiative Stopbadware or corruption of the term "malware".

Software is considered malware based on the perceived intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, spyware, dishonest adware, and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of California, West Virginia, and several other U.S. states.[1]

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains harmful bugs.

Contents

[hide]

[edit] Purposes

Many early infectious programs, including the first Internet Worm and a number of MS-DOS viruses, were written as experiments or pranks generally intended to be harmless or merely annoying rather than to cause serious damage. Young programmers learning about viruses and the techniques used to write them might write one to prove that they can do it, or to see how far it could spread. As late as 1999, widespread viruses such as the Melissa virus appear to have been written chiefly as pranks.

A slightly more hostile intent can be found in programs designed to vandalize or cause data loss. Many DOS viruses, and the Windows ExploreZip worm, were designed to destroy files on a hard disk, or to corrupt the filesystem by writing junk data. Network-borne worms such as the 2001 Code Red worm or the Ramen worm fall into the same category. Designed to vandalize web pages, these worms may seem like the online equivalent to graffiti tagging, with the author's alias or affinity group appearing everywhere the worm goes.

However, since the rise of widespread broadband Internet access, more malicious software has been designed for a profit motive. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation.[citation needed] Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography[2], or to engage in distributed denial-of-service attacks as a form of extortion.

Another strictly for-profit category of malware has emerged in spyware -- programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are generally installed by exploiting security holes or are packaged with user-installed software.

[edit] Infectious malware: viruses and worms

The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. Originally, the term computer virus was used for a program which infected other executable software, while a worm transmitted itself over a network to infect other computers. More recently, the words are often used interchangeably.

Today, some draw the distinction between viruses and worms by saying that a virus requires user intervention to spread, whereas a worm spreads automatically.[citation needed] Using this distinction, infections transmitted by email or Microsoft Word documents, which rely on the recipient opening a file to infect the system, would be classified as viruses, not worms.

[edit] Capsule history of viruses and worms

Main articles: Computer virus, computer worm.

Before Internet access became widespread, viruses spread on personal computers by infecting programs or the executable boot sectors of floppy disks. By inserting a copy of itself into the machine code instructions in these executables, a virus causes itself to be run whenever the program is run or the disk is booted. Early computer viruses were written for the Apple II and Macintosh, but they became more widespread with the dominance of the IBM PC and MS-DOS system. Executable-infecting viruses are dependent on users exchanging software or boot floppies, so they spread heavily in computer hobbyist circles.

The first worms, network-borne infectious programs, originated not on personal computers, but on multitasking Unix systems. The first well-known worm was the Internet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike a virus, this worm did not insert itself into other programs. Instead, it exploited security holes in network server programs and started itself running as a separate process. This same behavior is used by today's worms as well.

With the rise of the Microsoft Windows platform in the 1990s, and the flexible macro systems of its applications, it became possible to write infectious code in the macro language of Microsoft Word and similar programs. These macro viruses infect documents and templates rather than applications, but rely on the fact that macros in a Word document are a form of executable code.

Today, worms are most commonly written for the Windows OS, although a small number are also written for Linux and Unix systems. Worms today work in the same basic way as 1988's Internet Worm: they scan the network for computers with vulnerable network services, break in to those computers, and copy themselves over. Worm outbreaks have become a cyclical plague for both home users and businesses, eclipsed recently in terms of damage by spyware.[citation needed]

[edit] Concealment: Trojan horses, rootkits, and backdoors

For a malicious program to accomplish its goals, it must be able to do so without being shut down, or deleted by the user or administrator of the computer it's running on. Concealment can also help get the malware installed in the first place. By disguising a malicious program as something innocuous or desirable, users may be tempted to install it without knowing what it does. This is the technique of the Trojan horse or trojan.

Often attempting to delete malicious software on a computer may activate the software, causing damage and the infection of other files in the computer. Some anti virus programs that fail to stop Malware and Trojans on the computer have a virus chest file. This is an isolated folder where infected files can be stored and protected from usage until they are removed.

Broadly speaking, a Trojan horse is any program that invites the user to run it, but conceals a harmful or malicious payload. The payload may take effect immediately and can lead to many undesirable effects, such as deleting all the user's files, or more commonly it may install further harmful software into the user's system to serve the creator's longer-term goals. Trojan horses known as droppers are used to start off a worm outbreak, by injecting the worm into users' local networks.

One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads off the Web or a peer-to-peer file-trading network. When the user installs the software, the spyware is installed alongside. Spyware authors who attempt to act legally may include an end-user license agreement which states the behavior of the spyware in loose terms, but with the knowledge that users are unlikely to read or understand it.

Once a malicious program is installed on a system, it is often useful to the creator if it stays concealed. The same is true when a human attacker breaks into a computer directly. Techniques known as rootkits allow this concealment, by modifying the host operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system where the attacker had gained administrator (root) access. Today, the term is used more generally for concealment routines in a malicious program.

A backdoor is a method of bypassing normal authentication procedures. Once a system has been compromised (by one of the above methods, or in some other way), one or more backdoors may be installed, in order to allow the attacker access in the future. The idea has often been floated that many computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. Crackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors crackers may use Trojan horses, worms, or other methods.

[edit] Malware for profit: spyware, botnets, loggers, and dialers

During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalism or prank. More recently, the greater share of malware programs have been written with a financial or profit motive in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue.

Since 2003 or so, the most costly form of malware in terms of time and money spent in recovery has been the broad category known as spyware.[citation needed] Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, or altering web-browser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others often called "stealware" by the media overwrite affiliate marketing codes so that revenue goes to the spyware creator rather than the intended recipient.

Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreement which purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court.

Another way that financially-motivated malware creator can monetize their infections is to directly use the infected computers to do work for the creator. Spammer viruses, such as the Sobig and Mydoom virus families, are commissioned by e-mail spam gangs. The infected computers are used as proxies to send out spam messages. The advantage to spammers of using infected computers is that they are available in large supply (thanks to the virus) and they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with distributed denial-of-service attacks.

In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to anti-virus software or other security measures.

Lastly, it is possible for a malware creator to profit by simply stealing from the person whose computer is infected. Some malware programs install a key logger, which copies down the user's keystrokes when entering a password, credit card number, or other information that may be useful to the creator. This is then transmitted to the malware creator automatically, enabling credit card fraud and other theft. Similarly, malware may copy the CD key or password for online games, allowing the creator to steal accounts or virtual items.

Another way of stealing money from the infected PC owner is to take control of the modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number such as a U.S. "900 number" and leave the line open, charging the toll to the infected user.

[edit] Vulnerability to malware

In this context, as throughout, it should be borne in mind that the “system” under attack may be of various types, e.g. a single computer and operating system, a network or an application.

Various factors make a system more vulnerable to malware:

  • Homogeneity – e.g. when all computers in a network run the same OS, if you can break that OS, you can break into any computer running it.
  • Defects – most systems containing errors which may be exploited by malware.
  • Unconfirmed code – code from a floppy disk, CD or USB device may be executed without the user’s agreement.
  • Over-privileged users – some systems allow all users to modify their internal structures.
  • Over-privileged code – most popular systems allow code executed by a user all rights of that user.

An oft-cited cause of vulnerability of networks is homogeneity or software monoculture. In particular, Microsoft Windows has such a large share of the market that concentrating on it will enable a cracker to subvert a large number of systems. Introducing inhomogeneity purely for the sake of robustness would however bring high costs in terms of training and maintenance.

Most systems contain bugs which may be exploited by malware. Typical examples are buffer overruns, in which an interface designed to store data in a small area of memory allows the caller to supply too much, and then overwrites its internal structures. This may used by malware to force the system to execute its code.

Originally, PCs had to be booted from floppy disks, and until recently it was common for this to be the default boot device. This meant that a corrupt floppy disk could subvert the computer during booting, and the same applies to CDs. Although that is now less common, it is still possible to forget that one has changed the default, and rare that a BIOS makes one confirm a boot from removable media.

In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. This is a primarily a configuration decision, but on Microsoft Windows systems the default configuration is to over-privilege the user. This situation exists due to decisions made by Microsoft to prioritize compatibility with older systems above security configuration in newer systems[citation needed] and because typical applications were developed without the under-privileged users in mind. As privilege escalation exploits have increased this priority is shifting for the release of Microsoft Windows Vista. As a result, many existing applications that require excess privilege (over-privileged code) may have compatibility problems with Vista. However, Vista's User Account Control feature attempts to remedy applications not designed for under-privileged users through virtualization, acting as a crutch to resolve the privileged access problem inherent in legacy applications.

Malware, running as over-privileged code, can use this privilege to subvert the system. Almost all currently popular operating systems, and also many scripting applications allow code too many privileges, usually in the sense that when a user executes code, the system allows that code all rights of that user. This makes users vulnerable to malware in the form of e-mail attachments, which may or may not be disguised.

Given this state of affairs, users are warned only to open attachments they trust, and to be wary of code received from untrusted sources. It also common for operating systems to be designed so that device drivers need escalated privileges, while they are supplied by more and more hardware manufacturers, some of whom may be unreliable.

[edit] Eliminating over-privileged code

Over-privileged code dates from the time when most programs were either delivered with a computer or written in-house, and repairing it would at a stroke render most anti-virus software almost redundant. It would, however, have appreciable consequences for the user interface and system management.

The system would have to maintain privilege profiles, and know which to apply for each user and program. In the case of newly installed software, an administrator would need to set up default profiles for the new code.

Eliminating vulnerability to rogue device drivers is probably harder than for arbitrary rogue executables. Two techniques, used in VMS, that can help are memory mapping only the registers of the device in question and a system interface associating the driver with interrupts from the device.

Other approaches are:

  • Various forms of virtualization, allowing the code unlimited access only to virtual resources
  • Various forms of sandbox or jail
  • The security functions of Java, in java.security

Such approaches, however, if not fully integrated with the operating system, would reduplicate effort and not be universally applied, both of which would be detrimental to security.

[edit] Academic research on malware: a brief overview

The notion of a self-reproducing computer program can be traced back to 1949 when John von Neumann presented lectures that encompassed the theory and organization of complicated automata.[2] Neumann showed that in theory a program could reproduce itself. This constituted a plausibility result in computability theory. Fred Cohen experimented with computer viruses and confirmed Neumann's postulate. He also investigated other properties of malware (detectability, self-obfuscating programs that used rudimentary encryption that he called "evolutionary", and so on). His doctoral dissertation was on the subject of computer viruses.[3] Cohen's faculty advisor, Leonard Adleman (the A in RSA) presented a rigorous proof that, in the general case, algorithmically determining whether a virus is or is not present is Turing undecidable.[4] This problem must not be mistaken for that of determining, within a broad class of programs, that a virus is not present; this problem differs in that it does not require the ability to recognize all viruses. Adleman's proof is perhaps the deepest result in malware computability theory to date and it relies on Cantor's diagonal argument as well as the halting problem. Ironically, it was later shown by Young and Yung that Adleman's work in cryptography is ideal in constructing a virus that is highly resistant to reverse-engineering by presenting the notion of a cryptovirus.[5] A cryptovirus is a virus that contains and uses a public key. In the cryptoviral extortion attack, the virus hybrid encrypts plaintext data on the victim's machine using the virus writer's public key. In theory the victim must negotiate with the virus writer to get the plaintext back (assuming there are no backups). Analysis of the virus reveals the public key, not the needed private decryption key. This result was the first to show that computational complexity theory can be used to devise malware that is robust against reverse-engineering.

Another growing area of computer virus research is to mathematically model the infection behavior of worms using models such as Lotka-Volterra equations, which has been applied in the study of biological virus. Various virus propagation scenarios have been studied by researchers such as propagation of computer virus, fighting virus with virus like predator codes,[6][7] effectiveness of patching etc.

[edit] Emerging vectors and pathways

[edit] Wikis and Blogs

Innocuous wikis and blogs are not immune to hijacking. It has been reported that the German edition of Wikipedia has recently been used as an attempt to vector infection. Through a form of social engineering, users with ill intent have added links to web pages that contain malicious software with the claim that the web page would provide detections and remedies, when in fact it was a lure to infect.[8]

[edit] Targeted SMTP Threats

Targeted SMTP threats also represent an emerging attack vector through which malware is propagated. As users adapt to widespread spam attacks, cybercriminals distribute crimeware to target one specific organization or industry, often for financial gain.[9]

[edit] See also

[edit] References

  1. ^ [1]
  2. ^ John von Neumann, "Theory of Self-Reproducing Automata", Part 1: Transcripts of lectures given at the University of Illinois, Dec. 1949, Editor: A. W. Burks, University of Illinois, USA, 1966.
  3. ^ Fred Cohen, "Computer Viruses", PhD Thesis, University of Southern California, ASP Press, 1988.
  4. ^ L. M. Adleman, "An Abstract Theory of Computer Viruses", Advances in Cryptology---Crypto '88, LNCS 403, pages 354-374, 1988.
  5. ^ A. Young, M. Yung, "Cryptovirology: Extortion-Based Security Threats and Countermeasures," IEEE Symposium on Security & Privacy, pages 129-141, 1996.
  6. ^ H. Toyoizumi, A. Kara. Predators: Good Will Mobile Codes Combat against Computer Viruses. Proc. of the 2002 New Security Paradigms Workshop, 2002
  7. ^ Zakiya M. Tamimi, Javed I. Khan, Model-Based Analysis of Two Fighting Worms, IEEE/IIU Proc. of ICCCE '06, Kuala Lumpur, Malaysia, May 2006, Vol-I, Page 157-163
  8. ^ Wikipedia Hijacked to Spread Malware
  9. ^ "Protecting Corporate Assets from E-mail Crimeware," Avinti, Inc., p.1

[edit] External links

Look up malware in Wiktionary, the free dictionary.

 

This site proudly designed, created, hosted, staffed, and maintained by GCITS.

All rights reserved.

Terms, Conditions, and Disclaimers