Spyware and Annoyanceware Alerts

Introduction

There's a whole class of software that we'll call "Annoyanceware" for the purposes of this article. It includes so-called "spyware" titles that surreptitiously send data on your browsing habits (and/or other personal details) to others; there's also a wide variety of advertisement-ware that produces unwanted pop-ups, pop-unders, dialogs and other intrusive advertisements on your desktop -- sometimes, even depositing unwanted icons in your Start menu, on your desktop or in your Startup folder!

Andrew Clover of Doxware describes them as "dodgy programs out there that may get installed on users' computers without their knowledge or consent." Many applications described as 'freeware', notes Clover, come infested with parasitic software that latches onto the web browser, provides little or no benefit to the user and can:

  • Plague the user with unwanted advertising ('adware');
  • Add advertising links to web pages, for which the author does not get paid, and hijack affiliate-program payments ('scumware');
  • Watch everything the user does on-line and send information back to marketing companies ('spyware');
  • Leave security holes whereby arbitrary code can be executed on the user's computer (typically this is used to allow the program to update itself); if the software does not make proper use of cryptographic authentication, it could be possible for hackers as well as the responsible company to execute arbitrary code;
  • Degrade system performance and cause errors thanks to being badly-written.

"So be careful what you install," cautions Clover, "you may be getting more than you bargained for!" In this article, we'll look at some of the biggest offenders, and some of the tools and techniques you can use to combat these annoyances.

Part 1: Auto-installers

Under some circumstances, software may automatically install itself on your system. We've seen this happen on Windows PCs running Internet Explorer 6.0 (build 2600), even when running anti-virus software such as Norton AntiVirus 2002 with Script blocking enabled.

The McAfee website describes how the infamous GoHip ActiveX plugin works, while http://www.doxdesk.com/parasite/ details the parasitic behavior of relatively new "SmartPops" such as NetworkEssentials and the closely related DownloadWare. Elsewhere, Salon calls an ad campaign by IntelliTech Web Solutions and a booby-trapped site called KoolKatalog "the pop-up ad campaign from hell." Typically, one or more pop-up or pop-under ads appear. When these ads are closed, a dialog box for BonziBuddy, GoHip or a similar piece of annoyanceware is displayed. This dialog may have a fake user interface that manages to fool you into clicking on it. Once this is done, the software installation procedure begins. We've seen ads for "Vegas Palms Casino" and BonziBuddy appear -- without clicking on any sort of "I approve" dialog box! -- on the desktop, in your Start menu and even in the Startup folder where, if you don't remove them, the installer will restart the next time you reboot your computer.

Some even add a fake uninstaller option in your Add/Remove Programs control panel that, instead of removing the program, launches it! Auto-installing annoyances aren't just showing up in the dark corners of the Net, either. We've seen these pesky programs on once-reputable websites such as MSNBC and Wired.com.

The license agreement for an auto-installer that appeared on a Wired article in May 2002 reads, "You acknowledge that the "NetSource101" Program includes added software and technology which allows Lions Pride Enterprises, Inc. to provide advertising content directly to your computer. By installing, downloading, copying, updating or otherwise using the "NetSource101" Program, you specifically agree to include the noted software and technology through which Lions Pride Enterprises, Inc., its subsidiaries, affiliates, partners, divisions, and clients provide advertising content to your computer. You acknowledge that you desire to receive advertising content, if any, from Lions Pride Enterprises, Inc., its subsidiaries, affiliates, partners, divisions, and clients. You acknowledge that you desire to receive advertising content as a condition to using the "NetSource101" Program." The program is launched by a website suitably called "leadgreed.com." It, like most other auto-installers we've seen, exploits the fact that Verisign and Thawte security certificates are accepted as known certificate sources by default Windows installations.
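The Startup folder entries, the fake Add/Remove Programs uninstaller and the default-trusted signing certificates described above can all be inspected from a PowerShell prompt. The read-only audit below is an added example, not part of the original article; the helper name Get-CommandExe and the rule "flag an uninstall entry whose command is a binary that also autostarts" are assumptions chosen for illustration.

```powershell
# Read-only audit of the Startup folders and Add/Remove Programs entries (added example).
$shell = New-Object -ComObject WScript.Shell

function Get-CommandExe([string]$cmd) {
    # Hypothetical helper: pull the executable path out of a command line, quoted or not.
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($cmd -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($cmd -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

# 1. Per-user and all-users Startup folders; resolve .lnk shortcuts to their real targets.
$dirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$autostart = @(foreach ($dir in $dirs) {
    Get-ChildItem -LiteralPath $dir -File | Where-Object Name -ne 'desktop.ini' | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        # "Valid" only means the signature chains to a root this machine trusts by default,
        # so read the Signer column: a valid signature from an unknown publisher still needs review.
        $sig = if ($target -and (Test-Path -LiteralPath $target)) { Get-AuthenticodeSignature -LiteralPath $target }
        [pscustomobject]@{
            Shortcut = $_.FullName
            Target   = $target
            SigState = $sig.Status
            Signer   = $sig.SignerCertificate.Subject
        }
    }
})

# 2. Add/Remove Programs entries (Uninstall registry keys).
# Assumed heuristic: an "uninstaller" that is the same binary that autostarts deserves a closer look.
$keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
$suspect = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.UninstallString } |
    ForEach-Object {
        $exe = Get-CommandExe $_.UninstallString
        if ($autostart.Target -contains $exe) {
            [pscustomobject]@{ Name = $_.DisplayName; UninstallString = $_.UninstallString }
        }
    }

$autostart | Format-Table -AutoSize -Wrap
$suspect   | Format-Table -AutoSize -Wrap
```

The script changes nothing on the machine; an empty second table means no uninstall entry matched the heuristic, not that the system is clean.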

Ad-aware, etc.

Until recently, we recommended Ad-Aware (free from www.lavasoft.de) as the most effective way to rid your system of these pests. However, Spyware Weekly in Dec. 2002 published a report warning users of Lavasoft's Ad-aware that the software, which hasn't been updated since Sept. 21, 2002, now misses several common pieces of spyware, some of which can damage Windows system files if removed improperly.

Lavasoft says an update to the free version of Ad-aware isn't coming until version 6.0's release in February 2003, leading some former Ad-aware fans to seek other tools, such as the free Spybot Search and Destroy or Bullet Proof Soft's Spyware/Adware Remover 5.0. Our current favorite product in this category is SpyBot Search and Destroy. We've run it through its paces on several spyware-infested machines and, so far, the results are encouraging.

We witnessed no damage to programs other than those such as Kazaa and Morpheus, which may refuse to run if their spyware components are removed, and both scanning and cleanup operations were speedy and simple. Like Ad-aware, it appears to be fairly careful about deleting useful registry keys (we even tried deleting all the found keys and suffered no apparent ill effects), and it seems to find more entries than Lavasoft's program.

The other reviews we have seen seem to confirm our own experiences that it is stable and trouble-free. English users can safely uncheck all the foreign languages appearing in the installation dialog. Running it as a double-checker for Ad-aware isn't a bad idea, either, as Ad-aware is known to miss some items that SpyBot will catch, and the reverse may be true, as well. Get it at http://beam.to/spybotsd

Archived Reports (2001)

Nov. 27: PC World offers a Consumer Alert article on the Stealth Ad Invasion, noting annoyances and intrusive tricks from Ezula and Gator, among others.

Nov. 27: A good description of the brodcast.net (DSSAGENT) Advertising Spyware agent is provided at CEXX.org. It includes information on how to remove it, and names some of the Broderbund programs that surreptitiously install it.

Aug. 5: Betanews.com reports that the NewDotNet and SaveNow components of Global DiVX Player 1.9.0 are spyware at its worst. Manually deleting the DLL can cause you to lose all Internet access! [Updated Nov. 23, 2002] For further details on how to delete new.net safely, without losing all Internet access, visit cexx.org.

Aug. 2: Growing criticism of what some are calling spyware tactics has led Vancouver, BC-based Totally Hip Software to drop an online authentication scheme similar to that employed by Microsoft in its forthcoming Windows XP software. The decision, says Totally Hip CEO David Dicaire, is intended "to assure our current and future customers that we do indeed have their best interests in mind." The company had recently accused Macintouch.com of helping to promote piracy by detailing how the authentication scheme works and how to block "a bunch of data about your system and registration info" that users have discovered is sent every time you start up LiveStage Pro 3.0. LiveStage Pro is a multimedia authoring application for PC and Mac.

How to Check for Spyware

Ad-Aware is a free utility from www.lavasoft.de or lavasoftusa.com that allows you to check for and, if necessary, remove "spyware," including the notorious Aureate/Radiate "spy" files that surreptitiously transmit cookies revealing your browsing habits to unscrupulous web advertisers. It's free -- and trouble free. Recommended.
