Top 10 tricks causing spyware epidemic

Summary: Spyware tricks have become increasingly devious, making spyware and adware stick to machines longer, more difficult to remove and sometimes impossible to see with ordinary methods. In the spyware tricks series I wrote about seeing installations with multiple resuscitators, increasing numbers of randomly named files, even randomly named folders.


Spyware tricks have become increasingly devious, making spyware and adware stick to machines longer, more difficult to remove and sometimes impossible to see with ordinary methods. In the spyware tricks series I wrote about seeing installations with multiple resuscitators, increasing numbers of randomly named files, even randomly named folders. Internet Explorer security settings are being changed by spyware and hosts files are being hijacked. We've recently seen installations of keyloggers and spam bots along with your garden variety of adware. Now add rootkits to that list.  Let's look back at the top 10 tricks of 2005...
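As an added example (not from the article or its author), a small defender-side check for the hosts-file hijacking mentioned above: it parses hosts-file text and flags every hostname that is not a local name but has been pinned to an address. The sample hosts content and its domain names are constructed, and the split into "blocked" (pointed at loopback) and "redirected" (pointed elsewhere) is my assumption about the two forms such a hijack takes.

```python
import ipaddress

# Constructed sample of a hijacked hosts file (not taken from the article).
# A clean Windows hosts file of the period holds only the localhost line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# -- lines below stand in for entries an adware installer might add --
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
10.1.2.3        www.google.com
203.0.113.7     search.msn.com
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments and blank lines are skipped; a line whose first field is not a
    valid IP address is ignored rather than treated as an entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries

def find_hijacks(text, expected_local=("localhost",)):
    """Flag every non-local hostname pinned in the hosts file.

    'blocked' lists names mapped to a loopback address (the machine can no
    longer reach that site, e.g. a security vendor); 'redirected' lists
    (name, address) pairs sent to some other host."""
    blocked, redirected = [], []
    for ip, name in parse_hosts(text):
        if name in expected_local:
            continue
        if ip.is_loopback:
            blocked.append(name)
        else:
            redirected.append((name, str(ip)))
    return {"blocked": blocked, "redirected": redirected}

if __name__ == "__main__":
    # Against a live system, read the real file instead of SAMPLE_HOSTS,
    # e.g. C:\Windows\System32\drivers\etc\hosts on Windows.
    report = find_hijacks(SAMPLE_HOSTS)
    for name in report["blocked"]:
        print(f"BLOCKED    {name}")
    for name, ip in report["redirected"]:
        print(f"REDIRECTED {name} -> {ip}")
```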

10. Spyware spread through Windows Media files as described by Ben Edelman, Eric Howes and Ed Bott in January.  The Windows Media Player flaw that allowed the exploit involved DRM and has since been patched by Microsoft.

9.  Adware companies hide their dirty work using rootkit technology; examples include Enternet Media's Elitetoolbar and ContextPlus' Apropos and PeopleonPage.

8.  Internet Explorer infected through Firefox as documented by Paperghost, aka Chris Boyd. This story stirred up quite a bit of controversy.  The real culprit was a Java-based malware installer, which did, in fact, infect the machine while browsing with Firefox.

7.  Direct Revenue unleashed Aurora. See Got Aurora? Nail.exe? for details, and more here about the massive impact of the Aurora software, including a file named nail.exe, which kept spyware help forums and HijackThis experts busy for months and generated an unprecedented number of comments, including threats of violence against Direct Revenue, on my Spyware Warrior blog.

6.  Spam bots, keyloggers, kiddie porn connect with major adware companies -- 180solutions, Direct Revenue, SurfSidekick, BullsEye Network and ShopAtHomeSelect installed in conjunction with a spam zombie and rogue anti-spyware program, all of which started from a child porn site and were installed through an exploit as illustrated at SunbeltBLOG and Spyware Warrior.

5.  Spazbox domain installs massive spyware/adware -- using IRC as documented by Paperghost and Spyware Warrior (complete with video), dissected by Wayne Porter here and again here.

4.  Anti-spyware spread by spyware and trojans; details here about super rogues PSGuard, Razespyware, SpySheriff, Spy Trooper, WorldAntiSpy and, more recently, SpyAxe here.

3.  Direct Revenue adware distributed through BitTorrent (or more Aurora and nail.exe), exposed by Paperghost and told by eWeek.

2.  AIM worm carries backdoor, rootkit and adware, found to be powered by world wide bot net with ties to the Middle East.  See write up from CNET, Paperghost's analysis and FaceTime's press release.

And now, drum roll please, the top spyware trick of 2005...

1.  Sony BMG infects users with DRM rootkit originally reported by Mark Russinovich at SysInternals. The fallout of this debacle continues with artists revolting and plenty of legal action against Sony BMG in the works.

Talkback

33 comments
  • What a year!

    Well, that was a fun old time, wasn't it? Can't wait for 2006.....
    paperghost
  • nasty spyware

    Yes, tis the end of year with recaps of various items. We really need some one to document and keep us posted, especially those of us that are not real swift on spies, etc.. Thanks
    ggagnon@...
  • No mention of WinFixer??

    I can't believe winfixer was not listed in your spyware epidemic.
    I have even heard there is a class action lawsuit over winfixer!
    meersr
    • good point

      Winfixer is indeed bad, but it's usually installed along with a lot of other adware/spyware through an exploit. It would fall into number 4 in this list, but it's not actually an anti-spyware program, either.

      I haven't heard about a class action lawsuit. If you have a link, let me know because I'd like to get more info on it.
      Suzi_z
  • Outstanding article.

    A great little article to remind everyone out there that spyware is rampant and even well protected machines are likely to have some degree of infection. The common rule of keeping two or three antispyware programs ready for use is a good one, as I have never seen one that didn't leave something for another one to pick up. Let's keep the firewalls up and the AV real time protection going, and you should have something running in real time like Microsoft Antispyware that's going to alert you about registry changes and the such.
    I was oh so pleased to see Sony declared the big winner, as it's absolutely criminal that a major company like Sony hasn't gotten the message that spyware is spyware, and rootkits are rootkits, and none of them are welcome or helpful under any circumstance. In our society there are certain things that we just do not do, or allow others to do, no matter what their motivations may be, and installing spyware of any kind on my machine for any purpose is not something I want. For any reason.
    Cayble
    • Outstanding Article

      Seems to me that the major offender here didn't even get a drive-by mention...Good ole' Uncle Sam a.k.a. BIG BROTHER. That's the SPY KING we need most to concern ourselves with...as it sets the tone and the example that all the other riff-raff gleefully follow. If it's ok for the NSA...then what's next? I shudder to think of the Orwellian Future in store for us all.
      michaelleo@...
      • Yes, true enough...

        Point well made considering recent revelations, good ol' unc' Sam still up to his naughty tricks. But, that kind of is the thing though, it's been an awful long time since unc' Sam hasn't been pulling naughty tricks of one kind or another, so it's hardly a revelation anymore. On the other hand, when we see the old boy with his hand in the cookie jar once again, just because we have come to expect it doesn't mean he shouldn't get a good slap for his trouble. Point well made.
        Cayble
  • Best Article ever written!!!

    Honestly, it is. Let's just pretend that the only systems on earth are Windows ones, and it's beyond reproach.

    When is the check coming from MS?
    bpick_z
    • Another fanatic

      Why is it that these type have to utter their mindless rants just because either the system THEY use is not mentioned or if it IS mentioned as having a problem they have to get all bent out of shape about it? Fx and Mozilla users are notorious for this. The article is about SPYWARE....NOT your system! GET WITH THE PROGRAM!
      golowenow
      • Message has been deleted.

        piperdown
    • ? What are you on about?

      If you are another Linux Lover come to slay the mighty XP dragon, I suggest you look a little further through zDnet.. http://blogs.zdnet.com/Ou/index.php?p=140&tag=nl.e550
      Cayble
      • ? What are *you* on about ?

        Someone tested a who's-ever-heard-of-it Linux release and found it slow, then found it necessary to handicap a mainstream Linux release with superfluous virus software to establish a "fair" comparison to Winduhs XP on the grounds that:

        "In fairness, desktop Linux would also require anti-virus if it ever reached mainstream status with more than a 20% market share on the desktop, but I'll have to leave that debate for another day so we can get on with the results."

        This is utter nonsense, of course. The whinging refrain that Linux and other UNIX systems are ignored by virus and trojan writers on the grounds of smaller market share overlooks the objective fact that virus writers could do immeasurably greater damage to world-wide net operations if they successfully breached Linux and other UNIX installations.

        As of year 2000, the "root servers themselves all use some variant of the Unix operating system, however both the hardware base and the vendors' Unix variants are relatively diverse: of the 13 root servers, there are 7 different hardware platforms running 8 different operating system versions from 5 different vendors."

        http://www.icann.org/committees/dns-root/y2k-statement.htm

        That these various *nix systems -- and most others -- suffer few actual (rather than merely theoretical) exploits at the hands of hackers is a testament to the relative difficulty of achieving success, and in spite of the fact that such success against root servers would wreak havoc on the entire network, which is in no way core-dependent on Winduhs boxes. Thank heaven!
        code_flogger
        • Here we go. Lets Rock.

          Ok Guy. You asked for it, you're going to get it. I'm wickedly tired of listening to people who are supposed to be experts who don't know how to read, and you clearly do not know how to read. Your unreal prejudice towards Windows operating systems has blinded you to reality and if you do not want to listen, then tune out right now because I have more than a little bit to say.
          Normally I would let bygones be bygones but you clearly have a chip on your shoulder that needs to be cleared off in a great big hurry, and I guess little old me, who likely knows only a tiny percentage of what you don't, is the person who is going to do it.
          First of all let's start by shredding your poorly thought out post to pieces. I think we should start from the beginning, as in the first words you wrote.
          "Someone tested a who's-ever-heard-of-it Linux release and found it slow". That's the first nonsensical thing you wrote. "Someone tested"??? That someone, albeit someone who is generally perceived as a Windows sympathizer, is in fact a trusted ZDNet writer by the name of George Ou, and if you don't care for his review, that's fine, but he's not just a someone. He is in fact a very experienced authority.
          Secondly, let's move on to a further point in the very same sentence. "Who's-ever-heard-of-it Linux release..". Well, there's where we know you don't know how to read. Sorry chum. If you think you're a Linux expert better go back and get your credentials checked as you apparently don't know squat. First off, if you actually read George's post, like people who understand English would, you might have seen the line he wrote: "I decided to investigate further and ask you, the reader, what Linux distribution would represent desktop Linux better." Followed by, "I've decided that the best candidate for testing Linux desktop performance against Windows XP Professional would be SUSE Linux (the free OpenSUSE version), since it is a mainstream distribution and preload optimized in its default configuration."
          Just in case you think George is a liar, this is the return you get from Google on SUSE Linux: "Results 1 - 10 of about 17,900,000 for SUSE Linux (0.06 seconds)".
          Look it up pal. It's easy, even for newbies. Facts are facts, it is a very very long way from a "Who's-ever-heard-of-it Linux release..". A simple quick check would have shown you that some water has passed under the bridge since the last time you walked over it.
          Let's move on to the next sentence you actually wrote yourself, in reference to the claim that Linux will need anti-virus if it reaches a wide enough distribution to become a target: "This is utter nonsense, of course." Oh! Of course, and we will just take your word for it. NOT.
          The fact is, even if you do not want to hear it, all those in the know are just waiting for the big hit on Linux, and they know it's coming, they know how Linux works and they still think it's coming, and they have invested money in Linux antivirus software and are simply waiting for the big rush. Look it up. http://www.vnunet.com/vnunet/news/2125189/antivirus-vendors-await-major-linux-worm.
          http://www.e-zest.net/linux-server-antivirus.htm
          http://www.desktoplinux.com/articles/AT3307459975.html
          And don't bother whining to me about the sheer lack of Linux viruses out there, we all know that, at least those of us who "BOTHER TO READ"; the current number is not the problem George was referring to, he was considering the slim possibility that Linux will ever be useful enough that it will be a target on the radar screen, but unless Linux makes some wild improvements, that's never going to happen so you may be correct.
          Even as you go back to focusing on the flaws in Windows, which we all know about, for those of us who "BOTHER TO READ", you ignore the fact the test was a clear win for XP and even the other Linux Lovers agree, but at least many of them offered sensible explanations as to why Linux is slower, which may be reasonable for those who still want Linux. Your post was weak, and provided nothing of any significance whatsoever to factually counter George's article.
          Cayble
          • Not defending anyone here, but...

            You said:
            [begin quote]
            "Who's-ever-heard-of-it Linux release..". Well, there's where we know you don't know how to read. Sorry chum. If you think you're a Linux expert better go back and get your credentials checked as you apparently don't know squat. First off, if you actually read George's post, like people who understand English would, you might have seen the line he wrote: "I decided to investigate further and ask you, the reader, what Linux distribution would represent desktop Linux better." Followed by, "I've decided that the best candidate for testing Linux desktop performance against Windows XP Professional would be SUSE Linux (the free OpenSUSE version), since it is a mainstream distribution and preload optimized in its default configuration."
            Just in case you think George is a liar, this is the return you get from Google on SUSE Linux: "Results 1 - 10 of about 17,900,000 for SUSE Linux (0.06 seconds)".
            Look it up pal. It's easy, even for newbies. Facts are facts, it is a very very long way from a "Who's-ever-heard-of-it Linux release..". A simple quick check would have shown you that some water has passed under the bridge since the last time you walked over it.
            [end quote]

            Unhappily, the "who's-ever-heard-of-it-Linux release" to which the original poster was referring was *Linspire 5.0* not SuSE. Not so many have heard as much about Linspire, so, at this time, it could be considered a more marginal distribution (that's the correct word, *not* "release"). (Sorry to quote so much, but your logical thread took a while to unravel, as it were.)

            You further said:
            [begin quote]
            Let's move on to the next sentence you actually wrote yourself, in reference to the claim that Linux will need anti-virus if it reaches a wide enough distribution to become a target: "This is utter nonsense, of course." Oh! Of course, and we will just take your word for it. NOT.
            [end quote]

            I have to agree with you here. It is foolish not to load anti-virus software on any machine in a heterogeneous network environment. To fail to do that would be to allow a *nix machine (which might not be affected by any virii written for Windows) to act as a *carrier* and infect other machines on the network. There are, however, better antivirus products than the ones selected for this "test".

            You go on to say:

            [begin quote]
            The fact is, even if you do not want to hear it, all those in the know are just waiting for the big hit on Linux, and they know it's coming, they know how Linux works and they still think it's coming, and they have invested money in Linux antivirus software and are simply waiting for the big rush. Look it up. http://www.vnunet.com/vnunet/news/2125189/antivirus-vendors-await-major-linux-worm.
            http://www.e-zest.net/linux-server-antivirus.htm
            http://www.desktoplinux.com/articles/AT3307459975.html
            [end quote]

            They'll probably go on waiting for a while, too. For one, the way *nix systems are organized tends to limit the spread of virii or worms to no more than the currently infected user's home directory. Of course, if the root user were infected, c'est la guerre. This is precisely why those who do write *nix malwares spend a lot of their time trying to escalate privileges.

            I will go and read your links, though, just to see what commonly held perceptions on the subject are looking like right now. Thanks.

            Here's what you said that really begins to bother me:

            [begin quote]
            And don't bother whining to me about the sheer lack of Linux viruses out there, we all know that, at least those of us who "BOTHER TO READ"; the current number is not the problem George was referring to, he was considering the slim possibility that Linux will ever be useful enough that it will be a target on the radar screen, but unless Linux makes some wild improvements, that's never going to happen so you may be correct.
            [end quote]

            Um, excuse me, but I don't recall Mr. Ou stating anything about any lack of usefulness of Linux in his original article. In fact, he is now dual-booting SuSE to investigate it further. That seems to suggest, at least to me, that he finds it potentially very useful?

            Lest you forget it, might I also remind you that Linux is already of great use to anyone who uses the web? It is also of great use to anyone who wants to build embedded systems, or a customized, DRM-free music/multimedia system, or any of a number of other useful applications. The world doesn't begin and end with Microsoft Office, and WinXP y'know.

            The rest of your post leaves me in no doubt as to your leanings - you're a Microsoftie. As such, I can't expect you to understand or to ever explore this matter for yourself - after all, you have experts who'll gladly do it for you. Let's see if you're really willing to think critically.

            To my mind there is only one fair way to stage a "shootout": get two teams together, one for Linux, and one for WinXP Pro (don't compare Linux to XP Home... that would be like comparing a Nissan Sentra to a Bradley Fighting Vehicle). Let these two teams have two identical, OS-neutral hardware platforms. Let them optimize the software until they are satisfied with its state of efficiency and speed. Finally, let them face off against each other on a mutually agreed-upon set of tests/benchmarks and see what happens. You up for that, home-boy? If you are, maybe we could suggest that some of the folks at OSDL and Microsoft get together for a little one-on-one?

            Happy holidays to all - Christmas, Channukah, Kwanzaa, whatever. Be safe out there, and enjoy!
            horusfalcon
          • You're right. Sorry...

            I was just overreacting, I know it, shouldn't have done it, and I agree, Linux is quite a useful OS, not for me, but I know it's a good system and certainly a cost effective solution with security currently significantly above what XP can provide. Much thanks for a reasonable response to a rather overstated post I made. I just get tired of reading statements even more overblown than that last post I made.
            Cayble
  • The Blue "E" is Evil

    It continues to amaze me that people still use IE given all the problems caused by its security issues. The average user does not have the time or inclination to understand computer security. So why use something with such a lousy track record in the first place?

    While other browsers are not perfect either, they are not anywhere as closely bound to the OS, and as such damage is more likely to be much less pervasive.

    Or better yet, switch to a different operating system altogether. Mac OS X or Linux, while also not perfect, tend to be far less vulnerable, and Linux especially tends to release patches within days, if not hours, after the vulnerability is discovered. And this will make the Windows users jealous: You almost NEVER have to reboot.
    piperdown
    • piperdown...

      You need to pipe down and understand that this is NOT an OS problem!!! I refer you to my MAIN post.:|
      Betelgeuse58
      • WHAT main post???

        Unless you're posting under another ID - I'm not seeing your "main post" so not sure what it is you're talking about.

        And, aside from "evil people in the world who write this shite", which there will always be, one solution is to run software which is less vulnerable in the first place. So, at its root, it IS an OS problem first, and a browser problem second.

        Funny how none of my mac or linux boxen have spyware issues... Perhaps you could 'splain that one, Lucy. However, not being infallible myself, perhaps you can correct me and cite some piece of linux or mac spyware. Granted there have been various rootkit exploits, but the ratio between them and the stuff we're talking about on windows is statistically nil. But perhaps you can show me the error in my perception.
        piperdown
        • OK Sorry - found the post. BUT btljooz you're still wrong :)

          BUT!!!

          If the vulnerability didn't exist in the first place we wouldn't be having this conversation, would we? Sorry but I feel you're putting the cart waaaaay before the horse here.

          If A) you're worried about the RIAA and others getting their greedy little paws on your systems, and B) have no compunction about circumventing their copy protection schemes, you CAN get yourself a FREE Knoppix or Ubuntu CD and burn to your heart's content.

          BTW, still waiting for your response.

          All I hear is crickets.
          piperdown
      • Well most would agree with piperdown

        I am sure you're Bill Gates using an alias? The whole spyware thing is mostly targeted at M$; using their products has proven to be hazardous to your security. I don't use IE and therefore have not been infected this whole year. I fix computers for clients. I find one common denominator: NO FIREFOX. I reinstall their OS with some nice proggies and FF, make IE nearly impossible to get at, and don't see them again. Unless they have kids that use Kazaa and install viruses (I believe to be "RIAA"-dist viruses). I use Linux whenever I can but due to lack of support amongst software vendors I can't stay long. I have seen a new twist in the sophistication of software being developed for Linux like OOo2.0 and FF but still have a ways to go for graphics. I like a proggie called Pixel, a Photoshop-type Linux proggie, but they want 35.00 for a beta version and I see promise but it is very shaky; you can get it and test it, it works in Windows, but honestly is not worth the asking price. And GIMP is not even in the same league.
        IceTheNet@...