Spyware Focus Part 2
In the previous part we talked about what forms of spyware exist and how spyware can be contracted. Now we’ll talk about how to prevent spyware from entering our systems and in cases where it has already sneaked onto the PC detail what should be done to remove it. Throughout the material we’ll discuss what settings can be tweaked in order to increase the overall spyware protection of a computer, plus briefly touch upon the use of dedicated spyware-neutralizing software.
Symptoms of an infection
There are several symptoms of possible spyware activity on a computer. Your computer's start-up time may have increased significantly, it may appear to run more slowly, or you may see network traffic even with all programs closed (this last one is the most reliable indicator, though software updates – notably Windows Update – can also be responsible). The modification of your browser's default start page, search page hijacking, numerous pop-up windows with unrelated content, unsolicited new toolbars, unknown browser Favorites entries and extra desktop icons all suggest that spyware or adware is the likely culprit.
A couple of free utilities like Process Explorer (http://www.sysinternals.com/Utilities/ProcessExplorer.html) and Port Explorer (http://www.diamondcs.com.au/portexplorer/) will help spot suspicious programs on your computer and give you a hint whether spyware is indeed present on your PC.
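The "network traffic with all programs closed" check above is something Port Explorer shows interactively; the same cross-reference can be done from the two built-in Windows commands `netstat -ano` and `tasklist /fo csv`. The script below is an added example, not part of the original article or of any of the tools it names: it parses constructed sample output from both commands (the sample, the process names and the allowlist of images expected to use the network are all made up for this example) and reports every established connection to a non-loopback host owned by a process that is not on the allowlist.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -ano` output; not captured from a real machine.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.10:1045      64.233.161.99:80       ESTABLISHED     1532
  TCP    192.168.1.10:1062      203.0.113.45:8080      ESTABLISHED     2208
  TCP    192.168.1.10:1063      203.0.113.45:8080      ESTABLISHED     2208
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1532
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:1900      *:*                                    1076
"""

# Constructed sample of `tasklist /fo csv` output; "updater32.exe" is a made-up name.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","880","Console","0","4,212 K"
"svchost.exe","1076","Console","0","3,900 K"
"iexplore.exe","1532","Console","0","22,104 K"
"updater32.exe","2208","Console","0","1,844 K"
"""

# Images that are expected to talk to the network on this PC (an assumption for
# the example; with all programs closed the list would normally be shorter).
KNOWN_NETWORK_IMAGES: Set[str] = {"system", "svchost.exe", "iexplore.exe", "outpost.exe"}

Row = Tuple[str, str, str, str, int]  # proto, local, remote, state, pid


def parse_netstat(text: str) -> List[Row]:
    """Turn `netstat -ano` lines into (proto, local, remote, state, pid) tuples."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or "Active Connections" banner
        if len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif len(parts) == 4:  # UDP rows carry no State column
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        rows.append((proto, local, remote, state, int(pid)))
    return rows


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def is_local_endpoint(addr: str) -> bool:
    """True for loopback and wildcard endpoints, which never leave the PC."""
    host = addr.rsplit(":", 1)[0]
    return host in ("127.0.0.1", "0.0.0.0", "*", "[::1]", "[::]")


def suspicious_connections(netstat_text: str, tasklist_text: str,
                           known_images: Set[str]) -> List[Tuple[str, int, str]]:
    """Established TCP connections to remote hosts owned by non-allowlisted processes.

    Returns sorted, de-duplicated (image name, pid, remote endpoint) triples.
    """
    pid_to_image = parse_tasklist_csv(tasklist_text)
    findings = set()
    for proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state != "ESTABLISHED" or is_local_endpoint(remote):
            continue
        image = pid_to_image.get(pid, "<unknown>")
        if image.lower() not in known_images:
            findings.add((image, pid, remote))
    return sorted(findings)


if __name__ == "__main__":
    for image, pid, remote in suspicious_connections(
            NETSTAT_SAMPLE, TASKLIST_SAMPLE, KNOWN_NETWORK_IMAGES):
        print(f"unexpected connection: {image} (PID {pid}) -> {remote}")
```

On a real machine you would feed the script the saved output of the two commands instead of the embedded samples. A hit is only a hint, as the article says: look the process up in Process Explorer (publisher, path, parent) before deciding it is spyware, and remember that a legitimate updater can produce the same pattern.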
Unfortunately, spyware makers go to great lengths to prevent their products from being removed (even blocking access to major security websites) and with particular types (CoolWebSearch and ISTBar being notable here), further steps may be needed to completely clean your system. In such cases, it is recommended to download (but don't run yet!) a copy of HijackThis! (available from numerous download mirrors including http://tomcoyote.com/hjt/ and http://aumha.org/freeware/freeware.php with a brief tutorial at http://aumha.org/a/hjttutor.php) and visit one of the forums listed on the Alliance of Security Analysis Professionals page (http://asap.maddoktor2.com/). Check the forum's instructions about using HijackThis (not all accept HJT logs) and posting results, and follow these to receive advice on what needs to be done. Be aware that HJT analysis does require time and skill, so only post on one forum and do follow all instructions given.
In the worst case (where a rootkit is used to modify Windows itself to hide the spyware) it may be necessary to reformat and reinstall Windows – this should be a last resort since it will result in the loss of all data on the system but if this is the only option, then
- make a copy of important data (documents, photos, passwords, software registration details);
- make a copy of your security software – if your Outpost licence is still valid, include a fresh download of Outpost also;
- print out documentation on doing a fresh install (since you will not be able to access the Internet with that PC until the process is finished) – for Windows XP, instructions can be found at http://www.microsoft.com/windowsxp/using/setup/expert/honeycutt_02october07.mspx
- install and configure your security software;
- connect to the Internet and update Windows.
Finally, if a keylogger (a program that monitors keys typed in order to find passwords) was reported by any of the previous programs then contact any sites where you have password access – especially online banking and share-trading sites – to inform them that your account may have been compromised. This needs to be done swiftly to avoid possible financial loss (banks may refuse to compensate you for fraud if spyware on your system was responsible).
An insecure web browser is the most likely avenue for spyware infection. Visiting a spyware-distributing web site with one can automatically trigger a spyware install (see http://www.benedelman.org/ for several examples). Users of Windows XP should apply Service Pack 2 (http://www.microsoft.com/downloads/details.aspx?FamilyID=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a&DisplayLang=en) and then download all subsequent security fixes from Microsoft through the Windows Update service (windowsupdate.microsoft.com) to make sure they are not susceptible to numerous Windows security flaws (this also applies to other Windows versions). Internet Explorer users should, at a minimum, set their browser security level to Medium and then set the "Run ActiveX controls and plug-ins" setting in IE to "Prompt" in order to prevent the automatic execution of webpage content that may try to install spyware. This modification may cause numerous confirmation windows to pop up on websites using ActiveX – to alleviate this, IE users can use a filter (such as Outpost's Active Content filter) to block ActiveX by default. Where a site you trust requires ActiveX to function, an exclusion entry can be created to permit this for that site.
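The two IE settings just described (the zone's overall level and "Run ActiveX controls and plug-ins") live under the Internet zone key in the user's registry, so they can be audited from a `regedit` export rather than by clicking through Internet Options. The script below is an added example, not code from the original article or from Agnitum: it parses a constructed `.reg` export of the Internet zone (the values shown are the Medium-level defaults, with ActiveX execution still set to Enable), reports any ActiveX action that still runs without prompting, and writes out a corrected `.reg` fragment with the "Run ActiveX controls and plug-ins" action set to Prompt. The action identifiers (1001, 1004, 1200, 1201), the value meanings (0 = Enable, 1 = Prompt, 3 = Disable) and the level constant (0x11000 = Medium) are Microsoft's documented zone settings; everything else is assumed for the example.

```python
import re
from typing import Dict, List

# Registry key holding the Internet zone (zone 3) for the current user.
ZONE_INTERNET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Per-zone action identifiers relevant to ActiveX, as documented by Microsoft.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_MEDIUM = 0x11000  # CurrentLevel value for the "Medium" slider position

# Constructed .reg export: Medium-level defaults, so 1200 is still Enable (weak).
WEAK_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Parse the DWORD values of a .reg export into {key path: {name: int}}."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            keys.setdefault(current, {})
            continue
        value = DWORD_RE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = int(value.group(2), 16)
    return keys


def audit_internet_zone(keys: Dict[str, Dict[str, int]]) -> List[str]:
    """List weak settings: a level below Medium, or ActiveX actions set to Enable."""
    zone = keys.get(ZONE_INTERNET, {})
    findings: List[str] = []
    if zone.get("CurrentLevel", 0) < LEVEL_MEDIUM:
        findings.append("CurrentLevel is below Medium")
    for action, description in ACTIONS.items():
        if zone.get(action) == ENABLE:
            findings.append(f"{action} ({description}) is Enable; set to Prompt or Disable")
    return findings


def hardened_export(keys: Dict[str, Dict[str, int]]) -> str:
    """Return a .reg fragment that raises the level to Medium if needed and sets 1200 to Prompt."""
    zone = dict(keys.get(ZONE_INTERNET, {}))
    zone["1200"] = PROMPT
    if zone.get("CurrentLevel", 0) < LEVEL_MEDIUM:
        zone["CurrentLevel"] = LEVEL_MEDIUM
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_INTERNET}]"]
    for name in ("CurrentLevel", *sorted(ACTIONS)):
        if name in zone:
            lines.append(f'"{name}"=dword:{zone[name]:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = parse_reg(WEAK_EXPORT)
    for finding in audit_internet_zone(current):
        print("weak:", finding)
    print(hardened_export(current))
```

The emitted fragment is the registry form of the GUI change the article recommends; review it and import it with `regedit` only on the account it was exported from, since the values are per-user. Setting 1200 to Disable (3) is stricter still and pairs naturally with the per-site exclusions mentioned above.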
Many people are adopting other browsers as a means to bolster overall system security and to protect themselves from spyware. These browsers sometimes won’t work with Microsoft services (like Windows Update, which demands the use of Internet Explorer and ActiveX) and IE-specific web pages, but for the majority of sites, they offer usability and performance enhancements over IE (commonly quoted ones being tabbed browsing, fast search engine access, more control of webpage display and better standards-compliance). The good thing with those browsers is that they are better equipped to resist spyware and get updated more often than Internet Explorer – for a security comparison, check the list of vulnerabilities reported by Secunia for Internet Explorer 6 (http://secunia.com/product/11/) compared to Firefox (http://secunia.com/product/4227/) or Opera (http://secunia.com/product/4932/).
Firefox (http://www.mozilla.org/products/firefox) and Opera (http://www.opera.com) are gaining popularity and both are free (Opera did use to be ad-supported but has removed the ads in version 8.50).
It is also important to take basic security precautions when browsing the Net: you should never download and, most importantly, never execute files obtained from doubtful sources – especially file-sharing networks, Internet Relay Chat, Usenet or "warez" websites. When visiting unknown or suspicious sites, adjust the browser security settings to maximum (i.e. "Restricted Sites" in IE). Spam is one popular method of inciting people to visit a malware website (one tactic has been to include a message about a high-value credit-card transaction that will be charged to you unless you click a link). Be extremely cautious about such emails – and never use Internet Explorer to investigate any links (since they are likely to use recently-discovered and therefore unfixed vulnerabilities in IE).
Spyware defense using specialized software
Prevention is better than cure with spyware. If spyware gets installed on the system, it is extremely hard to remove manually, so it is best to ensure that spyware-detection and removal software is always present on a PC (anti-virus software can in many cases detect general malware when it enters your system, but tends to perform less well in cleaning existing infections). A firewall and an antispyware scanner can provide sufficient protection against infection (especially if the firewall offers filtering of web pages, like Outpost's Active Content plugin). A properly configured firewall will detect (and allow you to block) any attempts by spyware to communicate over the Internet (it will still need to be removed, but the most serious damage is done by spyware that successfully sends private information to its distributor), while a good antispyware program will detect spyware in memory or on disk and remove it. Version 3.0 of Outpost Firewall PRO combines the functionality of both these security products and under one hood can provide comprehensive protection against spyware.
Spyware is a dangerous, escalating and increasingly complex problem that should be fought on multiple fronts. One of them entails correctly setting up system security settings and the other one depends on the right choice of security software. We at Agnitum strive to ensure that you are equipped with the best resources to forever stay protected against spyware.
Posted in Security Insight