Dealing with Spyware
Last weekend, between 8,000 and 10,000 websites, mostly in Italy, were hijacked and used to host a malware package called MPack. Using several exploits, MPack silently infects any visitors to compromised sites. Attacks like these have been getting more frequent, with a larger number of legitimate sites getting used to spread malware.
It’s very important to understand one thing: avoiding the seedy side of the Internet is no guarantee that you will not get spyware.
There are a lot of ways you can protect yourself, but you have to be careful, as some spyware masquerades as anti-spyware tools.
Prevention
Prevention is always the best option for a lot of things, spyware included. You can prevent virtually every malware package out there by creating a regular user account and using that account to surf the Internet and read email. If you need to transfer files between your administrator and regular user account, just put them in the Shared Documents folder in My Computer. In Vista, if you can put up with it, User Account Control (UAC) is a decent compromise.
Unfortunately there are a lot of things you aren’t allowed to do as a regular user, like set the system time, install programs or certain hardware, change system settings, and so on. With Fast User Switching, this is less of an annoyance but it can still be a pain. If you decide this route isn’t for you, then a more complicated approach is in order.
The first thing to realize is the primary avenues of attack for spyware are infected websites and email. If you use a major webmail provider like Gmail or Yahoo mail, you’ll stand a better chance against spyware getting through. But if you use Outlook or Outlook Express (or Windows Mail in Vista) you are putting yourself at a greater risk. The same applies to IE, particularly IE6 on XP (IE7 on Vista is safer as it is prevented from making changes to the system).
Even if you replace these programs with safer alternatives, such as Mozilla Firefox, Thunderbird (for email) or Opera (another lesser known browser), the problem remains that your administrator account can install spyware that you may never be able to get rid of. There is a free tool that allows you to limit what these programs can do called DropMyRights, available here. When you install it, you should put it in C:\DropMyRights and install it so everyone can use it. Then you can change all of your browser, mail and file sharing program icons as follows:
- Right-click on the icon and select Properties.
- In the General tab, insert C:\DropMyRights\DropMyRights.exe in the Target: field before the path to the program (be sure to leave a space).
- Change the Run: dropdown box to Minimized.
- Click on the Change Icon… button, browse to the program’s executable (which is usually under C:\Program Files\) and choose the appropriate icon. This keeps the icon from changing to a generic icon.
Again, this comes with some annoyances - you won’t be able to install anything directly from the browser, you’ll have to download it first and then install it. But it is easier than using a regular user account.
If you aren’t installing automatic updates, you really need to. In fact, some exploits are reverse-engineered from the updates Microsoft releases, so as soon as an update is available the clock is ticking, if it wasn’t ticking already because the update was a response to an exploit that was already known. In the Control Panel, double-click Automatic Updates and set it to install automatically. If you are using a regular user account, you won’t be able to change this setting or install updates, so you’ll need to switch to your administrator account to change the setting, and log in periodically to install any new updates.
A healthy dose of paranoia is also a good prevention measure. Treat the Internet as you would the bad part of town where you live and don’t trust every website you run into or every email you read.
Detection
It used to be that spyware infections were obvious - slow performance, lots of popups, a home page that you could never change back, etc. While that still happens, the trend in spyware has been toward more silent infections - after all, if you know you’ve got spyware, you’ll try to clean it off. If you don’t know you have it, then you won’t.
The next best method for detecting spyware is getting anti-spyware software from a reputable vendor. There are even some free anti-spyware tools out there that will scan and remove most spyware infections. However, spyware authors are constantly writing new spyware programs (some of which can subvert anti-virus and anti-spyware programs!) and the anti-spyware companies are constantly playing catch up, so these programs may miss some infections.
Fortunately, there’s another way to determine if you are infected. If you haven’t already, read my blog posts on process pruning and Understanding Task Manager Part 1 to prepare for these next steps:
- Trim down the number of processes that run at startup to as few as possible, particularly any instant messengers, file sharing programs, Adobe products and Java update.
- Turn off Automatic Updates temporarily (don’t forget to turn them back on!).
- Add the PID column in Task Manager.
- Restart your computer and log in.
- As soon as you can, go to Start -> Run…, enter cmd /c netstat -ano > desktop\netstat.txt and hit Enter.
- Start Task Manager and switch to the Processes tab.
- Open the netstat.txt file and look for any connections where the Foreign Address doesn’t start with one of these numbers (unspecified, loopback and private-network addresses, which never leave your machine or your local network):
  - 0
  - 127
  - 192.168
  - 172.16 - 172.31
  - 10
- Match the PIDs of those connections in netstat.txt against the PID column in Task Manager. If you see an executable you don’t recognize, type it into Google and see what it is.
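The netstat check above, automated as an added example (not code from the original post): it parses netstat -ano output, skips foreign addresses in the ranges listed above, and pairs the remaining PIDs with their image names. The netstat text and the PID-to-image table are constructed stand-ins for your own netstat.txt and Task Manager’s Processes tab.

```python
import ipaddress

# Prefixes the post says to ignore (unspecified, loopback, RFC 1918), plus IPv6 equivalents.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fe80::/10", "fc00::/7")]

def split_endpoint(endpoint):
    """Split netstat's 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def is_local(host):
    """True if host is a numeric address inside LOCAL_RANGES (hostnames never are, so keep -n)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_RANGES)

def suspicious_connections(netstat_text, pid_to_image):
    """Return (proto, host, port, state, pid, image) for each netstat -ano row whose
    foreign address is outside LOCAL_RANGES; pid_to_image stands in for Task Manager."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                                   # banner, header or blank line
        proto, foreign, pid = parts[0], parts[2], int(parts[-1])
        state = parts[3] if len(parts) == 5 else ""    # UDP rows have no State column
        host, port = split_endpoint(foreign)
        if host == "*" or is_local(host):              # '*:*' means no peer at all
            continue
        found.append((proto, host, port, state, pid, pid_to_image.get(pid, "<unknown>")))
    return found

# Constructed sample of netstat -ano output; the peers are documentation addresses.
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.5:1045       203.0.113.10:80        ESTABLISHED     2240
  TCP    192.168.1.5:1052       198.51.100.77:8080     ESTABLISHED     3104
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed stand-in for Task Manager's Processes tab with the PID column shown.
SAMPLE_TASKS = {4: "System", 932: "svchost.exe", 2240: "firefox.exe",
                3104: "unknown_app.exe"}
REPORT = suspicious_connections(SAMPLE_NETSTAT, SAMPLE_TASKS)   # two rows to look up
```

Each row in REPORT is a process with a connection outside your network; the image name is what you would search for.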
Cleanup
If it’s just a regular program or something you forgot to clean up, then you can breathe easy. If you find out it’s spyware, try running some more anti-spyware tools. Your search may also turn up some removal methods. If you don’t find the executable in Google, and the anti-spyware programs you try don’t find anything, then you are really in trouble. It’s time to back up your data and try a couple of last-ditch efforts.
First, download and install these two programs: RootkitRevealer and HijackThis. You’ll need to log in as an administrator to run them. The first thing you should do is run RootkitRevealer (unzip it to a desktop folder). Check out the help file first to get an idea of what rootkits are and then run the program. Again, Google is your friend for checking out anything that RootkitRevealer finds. If you determine that you have a rootkit, there may be some way to remove it, but if not, you’ll have to re-install Windows. Good thing all your data is backed up, right?
If RootkitRevealer doesn’t find anything, it’s time to try HijackThis. Run the installer and make sure you allow it to put an icon on the desktop. Double-click the HijackThis icon and click on Open online HijackThis QuickStart. Follow the instructions on the site - there are also very useful links for cleaning up some nasty infections.