Wednesday, June 17, 2009

Spyware – A Threat To Your Privacy -->>INFO and DEFENCE...???

What is spyware?
Spyware is Internet jargon for Advertising Supported software (Adware). It is a way for shareware authors to make money from a product, other than by selling it to the users. Technically, it is software that spies on you: it spies on your music habits (just as Google spies on your searching habits), bank accounts, etc.

History of spyware
Well, we first heard the word spyware in October 1995, when it popped up on Usenet (a distributed Internet discussion system in which users post e-mail-like messages) in an article aimed at Microsoft’s business model. It re-appeared in a news release for a personal firewall product in early 2000, marking the beginning of the modern usage of the word. Since then they have been affecting our PCs.
SPYWARE INFECTION DETECTION
- Your computer slowing down to a crawl.
- Porn sites popping up in your browser when you are surfing the net.
- Your computer mysteriously dialing up phone numbers in the middle of the night, normally to expensive porn chat lines, leaving you with a huge bill.
- When you enter a search into your search bar, a new and unfamiliar site handles the search.
- New sites are added to your favorites list without you adding them.
- Your homepage has been hijacked, and even though you remove the new site it keeps coming back.
- You get pop-up adverts that address you by your name, even when your computer isn’t connected to the internet.
CHOOSING THE RIGHT SPYWARE SCANNER
Some of the best scanners are freeware, so if you download a scanner and it detects a heap of spyware, then pops up a link to purchase the software to clean the spyware, it could be just a scam. The best freeware scanners include:
- Spybot S&D
It is important that if you make any major changes to your system you first consult a good search engine (google.com) to see what it has to say about the problem. Removing spyware with anti-spyware software should be straightforward, but it is better to be safe than sorry. Prevention is often the best medicine, and choosing a non-MS browser can significantly reduce your chances of being infected with spyware from internet exploits. Blocking ActiveX scripting and Java scripting can also add extra security to your system. Most good firewalls will block malicious code; investing in a good firewall would be a great idea. Always keep up to date with the latest Windows updates.
SITES TO AVOID
Free porn sites: avoid these at all costs. There is normally a reason these are free, and more often than not it’s because you end up infected with a porn dialer.
Warez and cracks: this is dodgy anyway; the webmasters who run these sites don’t care too much about ethics. You will find 95 percent of these sites have spyware embedded in their HTML code somewhere.
MP3 sites and P2P software: these are well known to be sources of spyware. Many of the big-name P2P and file sharing programs come bundled with spyware, so if you must use these programs then check on the internet before installing.
DETECTING SPYWARE IN WINDOWS
System admins need to pay careful attention to spyware processes that may have infected machines on their network. An infected machine can not only pose a security risk from remote intruders; it can also mean that that particular area of the network needs auditing to strengthen security.
It is important to use a good process monitor. Windows 9x machines do not come with any process monitoring software as such, and I recommend using a third-party application on all MS Windows operating systems to manage system processes (this includes XP/NT/2000 etc). WinTasks Pro is probably one of the best process monitors available today. The makers of WinTasks Pro have set up a process library allowing system admins to make informed decisions when ascertaining whether a process is malicious or not. This process library can be viewed here:
http://www.liutilities.com/products/wintaskspro/processlibrary/
Malware will often inject itself into legitimate processes. This is an advanced infection technique and is very difficult, but not impossible, to remove. Process injection has become very popular in the malware world: many remote access trojans use this form of infection because it can evade rule-based firewalls, and spyware makers have begun to use the technique too. Injecting into the Internet Explorer process will often give the spyware internet access; a lot of rule-based firewall applications will not see the malware, only the trusted application IE, and will allow the communication.
System Safety Monitor is a freeware program that will help system admins protect against malware code injection. “System Safety Monitor (SSM) is an application firewalling tool (it is not a “firewall” in the traditional understanding, so there shouldn’t be any conflicts with your network firewalls). SSM controls which programs are running on your computer and what they are doing. For example, SSM can prevent so-called “DLL Injection”. Also, SSM will notify you whenever a program you want to start was modified. In addition, SSM can constantly check your registry and alert you when an important modification was made.”
Spyware in autostart (Windows)

Autostart folder
All items in the autostart folder are started automatically.

Win.ini
[windows]
load=malware.exe
run=malware.exe

System.ini
[boot]
Shell=Explorer.exe malware.exe

Autoexec.bat
c:\malware.exe

Registry shell open
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
The value of this key (“%1 %*” by default, where %1 stands for the .exe you launched) is executed each time you run a .exe file, so a value such as
“malware.exe %1 %*”
starts the malware every time any .exe file is executed.

Alternate registry keys
[HKEY_CLASSES_ROOT\.exe]
@="myexefile"
[HKEY_LOCAL_MACHINE\Software\CLASSES\myexefile\shell\open\command]
@="malware.exe %1 %*"

winstart.bat
A batch file that autostarts with Windows.

Main registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
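The autostart locations above can be audited with a short script. The following is an added example, not code from the original post: it checks the win.ini and system.ini entries, the exefile open command (whose real default is "%1" %* with %1 quoted) and the Run/RunOnce/RunServices keys. To stay portable it works on exported text (ini file contents and a .reg export) rather than the live registry, and the sample inputs at the bottom are constructed for illustration.

```python
"""Audit the classic Windows autostart locations listed above.

Added example, not code from the original post. It reads exported text
(win.ini / system.ini contents, the exefile shell\\open\\command value, and
a .reg export of the Run* keys) rather than the live registry, so it runs
anywhere; the sample inputs at the bottom are constructed for illustration.
"""

DEFAULT_SHELL = "explorer.exe"               # normal [boot] shell= in system.ini
DEFAULT_EXE_OPENS = ('"%1" %*', "%1 %*")     # normal exefile\shell\open\command value

# The autorun keys from the list above (matched case-insensitively).
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
)


def parse_ini(text):
    """Minimal INI parser: {section (lower-case): {key (lower-case): value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_win_ini(text):
    """Flag any program named on the load= or run= lines of [windows]."""
    windows = parse_ini(text).get("windows", {})
    return [f"win.ini [windows] {k}={windows[k]}" for k in ("load", "run") if windows.get(k)]


def audit_system_ini(text):
    """Flag a [boot] shell= that is not plain Explorer.exe: anything appended
    after the shell is started together with it."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    parts = shell.split()
    if parts and (parts[0].lower() != DEFAULT_SHELL or len(parts) > 1):
        return [f"system.ini [boot] shell={shell}"]
    return []


def audit_exe_open_command(value):
    """Flag an exefile open command other than the default: any program placed
    in front of %1 runs every time a .exe file is launched."""
    if " ".join(value.split()).lower() in DEFAULT_EXE_OPENS:
        return []
    return [f"exefile shell\\open\\command={value}"]


def list_reg_autoruns(reg_text):
    """Return (key, value name, data) for every value under an autorun key in
    a .reg export; each program is then checked as the post describes."""
    wanted = {k.lower() for k in AUTORUN_KEYS}
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.lower() in wanted else None
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            entries.append((current, name, data.strip().strip('"')))
    return entries


# Constructed sample inputs (not taken from a real machine).
SAMPLE_WIN_INI = "[windows]\nload=malware.exe\nrun=malware.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe malware.exe\n[386Enh]\n"
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\Temp\\malware.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
@="C:\\Temp\\malware.exe /install"
"""

if __name__ == "__main__":
    for finding in (audit_win_ini(SAMPLE_WIN_INI) + audit_system_ini(SAMPLE_SYSTEM_INI)
                    + audit_exe_open_command('malware.exe "%1" %*')):
        print("SUSPICIOUS:", finding)
    for key, name, data in list_reg_autoruns(SAMPLE_REG):
        print("AUTORUN:", key, name, data)
```

The ini and shell-command checks are conclusive on their own because the clean values are known; the Run* keys only get listed, since legitimate software lives there too and each entry has to be looked up (for example in the process library mentioned earlier) before it is removed.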
DEFENCE
Configuring Internet Explorer for your Network Users
The following settings are the bare minimum that all IE users should have. If you are a system administrator, it is your job to make sure that the network users at least have these settings enabled. Close all running instances of Internet Explorer and Outlook Express (use a process monitor if you cannot close them).
Control Panel > Internet Options > Click on the “Security” tab
Choose the “Internet” icon, and click “Custom Level”
- “Download signed ActiveX scripts” choose: Prompt
- “Download unsigned ActiveX scripts” choose: Disable
- “Initialize and script ActiveX not marked as safe” choose: Disable
- “Installation of Desktop items” choose: Prompt
- “Launching programs and files in an IFRAME” choose: Prompt
Next, click on the “Content” tab, click the “Publishers” button, select any unknown publishers and click “Remove”, then click OK.
Finally, click the Advanced tab, untick “Install on demand (other)”, and click Apply or OK.
Using A Hosts File to Block Spyware Infected Hosts
A simple yet effective way of blocking spyware-infected servers is to add them to a hosts file. Creating a hosts file is straightforward. Open a text editor and at the very top of the text file type:
127.0.0.1 localhost
Now add the spyware-infected hosts underneath, like this:
127.0.0.1 abc.com
127.0.0.2 xyz.com
127.0.0.3 123.com
Once a good list of adware servers has been made, save the file as hosts (not hosts.txt, just hosts). Place this file in the appropriate directory:
- Windows XP: C:\WINDOWS\SYSTEM32\DRIVERS\ETC
- Windows 2K: C:\WINNT\SYSTEM32\DRIVERS\ETC
- Win 98/ME: C:\WINDOWS
When a computer tries to reach a malware-infected server, the hosts file blocks it: instead of going to the intended server, the address resolves locally, rendering the spyware useless (or blocking spyware from infecting the computer from a remote location). You can download an excellent hosts file here:
http://www.mvps.org/winhelp2002/hosts.txt
It has a huge database of spyware, malware and parasitic servers and will become a valuable asset in any system admin's arsenal of protection.
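Building and checking such a hosts file is easy to automate. The script below is an added example, not code from the original post: it writes the file in the format described above (the localhost line first, then one blocked host per line pointing at a loopback address), and it checks whether a given hostname would be blocked by an existing hosts file, treating any 127.0.0.0/8 address (127.0.0.2, 127.0.0.3 and so on) as a block. The blocklist is constructed for illustration; the Windows paths are the ones given above.

```python
"""Build and check a spyware-blocking hosts file.

Added example, not code from the original post. The blocklist below is
constructed for illustration; real lists come from sources such as the
mvps.org file linked above.
"""
import re

# Where the file lives, as given in the post (the file name is just "hosts").
HOSTS_PATHS = {
    "Windows XP": r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts",
    "Windows 2K": r"C:\WINNT\SYSTEM32\DRIVERS\ETC\hosts",
    "Win 98/ME": r"C:\WINDOWS\hosts",
}

# Labels of letters, digits and hyphens, at least one dot, alphabetic TLD start.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$"
)


def normalise(hostname):
    """Lower-case and strip whitespace and a trailing dot (DNS is case-insensitive)."""
    return hostname.strip().lower().rstrip(".")


def build_hosts(blocked, sink="127.0.0.1"):
    """Return hosts-file text: the localhost line first, then one line per
    blocked host. Malformed names and duplicates are dropped, and
    "localhost" itself is never redirected."""
    lines = [f"{sink} localhost"]
    seen = set()
    for name in map(normalise, blocked):
        if name in seen or name == "localhost" or not HOSTNAME_RE.match(name):
            continue
        seen.add(name)
        lines.append(f"{sink} {name}")
    return "\n".join(lines) + "\n"


def parse_hosts(text):
    """Map hostname -> address from hosts-file text; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table


def is_blocked(text, hostname):
    """True when the hosts file sends hostname to 127.0.0.0/8, so the post's
    127.0.0.2 / 127.0.0.3 entries count as blocks too. Only exact names
    match: listing abc.com does not block www.abc.com."""
    addr = parse_hosts(text).get(normalise(hostname))
    return addr is not None and addr.startswith("127.")


# Constructed blocklist for illustration only.
SAMPLE_BLOCKLIST = ["abc.com", "XYZ.com", "123.com", "abc.com", "not a host", "localhost"]

if __name__ == "__main__":
    text = build_hosts(SAMPLE_BLOCKLIST)
    print(text, end="")
    for host in ("abc.com", "www.abc.com"):
        print(host, "blocked" if is_blocked(text, host) else "not blocked")
```

To deploy, write the returned text to the path for the Windows version in HOSTS_PATHS. Note the exact-name limitation shown by the www.abc.com check: a hosts file has no wildcards, so every subdomain an adware server uses must be listed separately, which is one reason the large maintained list linked above is worth using over a hand-built one.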

