Top 10 tricks causing spyware epidemic
Spyware tricks have become increasingly devious, making spyware and adware stick to machines longer, more difficult to remove and sometimes impossible to see with ordinary methods. In the spyware tricks series I wrote about seeing installations with multiple resuscitators, increasing numbers of randomly named files, even randomly named folders. Internet Explorer security settings are being changed by spyware and hosts files are being hijacked. We've recently seen installations of keyloggers and spam bots along with your garden variety of adware. Now add rootkits to that list. Let's look back at the top 10 tricks of 2005...
10. Spyware spread through Windows Media files as described by Ben Edelman, Eric Howes and Ed Bott in January. The Windows Media Player flaw that allowed the exploit involved DRM and has since been patched by Microsoft.
9. Adware companies hide their dirty work using rootkit technology, examples Enternet Media's Elitetoolbar and ContextPlus' Apropos and PeopleonPage.
8. Internet Explorer infected through Firefox as documented by Paperghost, aka Chris Boyd. This story stirred up quite a bit of controversy. The real culprit was a Java-based malware installer, which did, in fact, infect the machine while browsing with Firefox.
7. Direct Revenue unleashed Aurora, see Got Aurora? Nail.exe? for details and more here about the massive impact of the Aurora software, including a file named nail.exe, which kept spyware help forums and HijackThis experts busy for months and generated an unprecedented number of comments including threats of violence against Direct Revenue on my Spyware Warrior blog.
6. Spam bots, keyloggers, kiddie porn connect with major adware companies -- 180solutions, Direct Revenue, SurfSidekick, BullsEye Network and ShopAtHomeSelect installed in conjunction with a spam zombie and rogue anti-spyware program, all of which started from a child porn site and were installed through an exploit as illustrated at SunbeltBLOG and Spyware Warrior.
5. Spazbox domain installs massive spyware/adware -- using IRC as documented by Paperghost and Spyware Warrior (complete with video), dissected by Wayne Porter here and again here.
4. Anti-spyware spread by spyware and trojans, details here about super rogues PSGuard, Razespyware, SpySheriff, Spy Trooper, WorldAntiSpy and more recently SpyAxe here.
3. Direct Revenue adware distributed through BitTorrent, (or more aurora and nail.exe) exposed by Paperghost and told by eWeek.
2. AIM worm carries backdoor, rootkit and adware, found to be powered by world wide bot net with ties to the Middle East. See write up from CNET, Paperghost's analysis and FaceTime's press release.
And now, drum roll please, the top spyware trick of 2005...
1. Sony BMG infects users with DRM rootkit originally reported by Mark Russinovich at SysInternals. The fallout of this debacle continues with artists revolting and plenty of legal action against Sony BMG in the works.