A message from Aaron Hulett -Lavasoft Chief Research Officer

Discussion in 'Software' started by NICK ADSL UK, Jul 16, 2004.

  1. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    QUOTE
    A message from Aaron Hulett -Lavasoft Chief Research Officer
    The Spyware of Today


    By Aaron Hulett - Chief Research Officer

    First off, let me say, “Thank you.” I’ve been with Lavasoft for a little over a year now, and it’s been quite a journey. I’m honored to have your trust in not just Lavasoft, but me as well, with your spyware removal needs. Thank you for your continued support of myself, and our company.

    For those that know me from the forums prior to working for Lavasoft, I’ve been at the anti-spyware game for some time, by offering assistance at the forums, and even providing a download mirror for Ad-Aware in the past. Back then, and even back a year ago, the spyware world was completely different than what it is today. In the past, spyware was easily found and removed. It’s not so easy today, though. Spyware authors now exploit some of the harshest methods seen in this field just to keep spyware on systems even after multiple removal attempts. Some even take advantage of sections of the Microsoft Windows Operating System designed to keep systems stable, such as the VX2 variants that are not removable without our VX2 Cleaner plug-in. And it continues getting worse.

    I’ve said before that the best line of defence is knowledge. One of the past articles I wrote was about how to prevent infection, but those were different times. Remember, in the world of technology, things change fast, and I think it’s time that everyone be brought up to speed on the world of spyware, how it’s changed, and what we’re doing about it. As you’ve come to expect, this will all be explained in ways that are easy to understand. But I must warn you, as you may have seen if you glanced quickly through this newsletter’s contents, this is quite lengthy. I do strongly urge you to read it all, and if you have any questions on anything in here, please post them at our forums. They’re available at http://www.lavasoftsupport.com.

    Subscribers to The Eye were given a sneak preview of the next version of Ad-Aware. It focused on the use of Alternate Data Streams (ADS) as a methodology to prevent easy detection and removal, and Ad-Aware SE’s ability to detect and remove them (“Ad-Aware to Provide Protection Against NTFS Alternate Data Streams” | October 15, 2003). At that point in time, ADS scanning was the latest method, and thankfully, extremely unused, even today. Of course, this scanning technology remains in place, but there’s far more to things now than there was back in October.

    Now, many have rotating filenames, or rotating registry information, making some of the other anti-spyware tools ineffective. Of course, Ad-Aware 6, which you have now, is already capable of detecting these. This is because Ad-Aware 6 uses file signatures as its detection basis, and not filename recognition like some other anti-spyware programs out there. It identifies the file, regardless of filename. It’s similar to a person wearing a mask: if you talk to them for a while, you eventually figure out who they are. The same goes for files. Their filenames may be randomly made, but they still have the same file contents, which is how we get around the filename problem others face.

    While file signatures remain a great method of finding spyware, that’s not enough anymore. New versions of spyware, called variants, appear daily. A variant is something that does the same thing as something seen before, but the files are changed such that their file signature is different. In this case, let’s compare this to getting a room painted professionally. The first painter arrives, and begins painting the room. You learn who this person is, and see what they are doing. Then, a new person arrives. While a completely new person, the same task is performed. Both now paint the room. The same holds true for spyware. Multiple variants exist that perform the same task, but each variant’s files are slightly different from one another. This difference is enough to cause current file signatures to not work from variant to variant, and therefore the signatures must be updated with the new variant information. We’ve been adding this file signature information, of course. I’m sure you’ve noticed our high volume of reference file updates. But it’s time for a new approach. And guess what? It’s coming. You’ll find out more about this when Ad-Aware SE is released in the very near future. I’ll give you some information on its status in a bit, as I’m sure many are curious as to what’s going on with it.

    Concerning how spyware installs in the first place, spyware authors have found new vehicles for doing so. Long gone are the days of surfing the Internet without worry of infection, as this isn’t the case anymore. Utilizing security holes in web browsers, spyware now enters and installs itself, often without any sign of such activity until it’s too late and you’re fully infected. Some spyware even downloads and installs other spyware, compounding the problem. Users of Ad-Watch already have protection from many of these things, but there are some additional steps that you can perform to help prevent spyware infection.

    I’ve said this before (“Reliving The Past, One Worm At a Time” | February 1, 2004), and here it is again. You need to install software patches. Still running Microsoft Internet Explorer 5? Didn’t install that latest security patch? You’re at a very high risk, not only from spyware, but from viruses, Trojans, worms, and hackers looking to exploit your system. You need to update your system. If you’re in a business, talk with the personnel that handle computer maintenance, or if you’re in a smaller workplace, your supervisor or manager, and insist that systems be updated properly.

    Here’s a big mistake I’m seeing a lot lately. “Just use another browser, and you’ll be fine.” Wrong! While it is true that using one browser may help prevent against the use of security holes in another browser, chances are that the browser you’re using also has its own security holes. Of course, you’ve patched them, right?

    A very ugly method some variants are using more and more is what I usually call “hitching a ride.” The Browser Helper Object function of Microsoft Internet Explorer, a way for things such as toolbars and other additional features that users want in their web browser, has been used for some time by spyware to take advantage of this function and instead monitor surfing habits or cause popup advertisements. This idea has expanded beyond this function, and spyware programs are increasingly using other programs to install themselves to work with another program, where they install a module onto another program, and can go undetected. Why? An immediate benefit is the bypassing of some firewalls.

    Here’s how this happens. The spyware module, now hiding out in something trusted by your firewall, such as explorer.exe as an example, makes a call to the Internet for some purpose. This leads to one of two firewall reactions; it could recognize explorer.exe as a trusted application, and therefore allow the communication to occur, or it may realize that a module is using a trusted application, and prompt for the communication’s authorization. With this latter case, if you’re not watching close enough, you may inadvertently authorize the connection, thinking it’s for something you recognize, when it’s really the spyware module requesting the connection. Of course, how your firewall responds depends on what firewall you’re using, and its configuration. This new method of infection is something that Ad-Aware SE of course will address much further than Ad-Aware 6 Build 181 does now, and as before, details about this ability will be provided at Ad-Aware SE’s release. Until then, watch your firewall with a closer eye to make sure that suspicious connections aren’t taking place, and run an Ad-Aware scan as usual, to ensure your system is all clear.

    As if this isn’t enough yet, for a little over a month now, a new style of infection is flying around from CoolWebSearch. With its latest series of variants, it installs multiple files on a system, but one file, the center of the infection, is hidden. Not just hidden by the file attribute, but hidden where special software is required to even find it. I’ll admit, I had to dig for a little bit through my “bag of trusty tools” to find the hidden file from the two variants I’ve seen so far, but while some effort is needed in part from the user to allow Ad-Aware 6 Build 181 to remove this pesky file, Ad-Aware SE will have things covered.

    And now for the ultimate disaster: the series of VX2 variants that remained a monstrosity in the anti-spyware community to remove, right up until our plug-in hit the scene. This awful series of variants performs the worst I’ve seen. They lock into a Windows process such that their removal is practically impossible. This style of infection only works on the Microsoft Windows 2000 and Windows XP Operating Systems, since they’re the only two that really carry the vehicle it uses to latch itself in as it does. The Microsoft Windows NT Operating System does, also, but it’s different enough that the method used to latch in is ineffective. The Microsoft Windows 98 and Millennium Edition Operating Systems don’t have it at all, but a different method, although not quite as sophisticated, is used to prevent removal. Unlike the other topics I discussed, I have no tips on how to take care of this, other than to suggest not getting it in the first place. It all comes back to Safe Computing Practices, which I’ve mentioned in the past. While Ad-Watch does monitor for known installers of this beast, all it takes is a new variant, and that short period of time between its release and our updated definitions, to have it install on a system. Keep definitions updated, and use caution concerning what you download and run.

    So how does it work? Well, I don’t want to give too much away. I like that we’re the only one in town that can deal with this thing on multiple operating systems, with the multiple variants that exist which infect systems this way, but here’s a basic description of how it works. It’s a combination of what I’ve explained earlier, which is why I saved this for last. It latches onto a system process, calls out to the Internet for what it wants, throws popup advertisements, and installs even more programs on an infected system.

    There’s more. The process it latches onto is protected. If that process were to close, the system would become unstable. Therefore, Windows won’t let you close it. This is just perfect for this variant, because you can’t close the variant, either. Normally you could terminate a module with the right tool, but this variant removes the access rights you need to do that with. And then to compound the problem, the location where it places information to ensure it runs when you start your computer is extremely monitored. If this information is removed, it promptly replaces it. This information, of course, is randomized, so you can’t search for a specific entry, but you have to really look it over to see if it was placed by this series of variants. The VX2 Cleaner plug-in will continue to remain our vehicle for removing this series of variants, since it can be rapidly adjusted to keep pace with the countermeasures that are placed to prevent its removal, including the countermeasures designed to prevent our plug-in from working at all, which were placed into a new variant shortly after our plug-in’s release.

    So why is this all happening? Why all the new changes and methods? Showing advertisements can generate business. Learning usage information can help with marketing. This all has money attached to it. It’s an easy way to make money, and unfortunately, there are some that value making money over your computer system’s stability and usability. If this spyware can’t remain installed, then the spyware authors can’t make money. So they update their spyware to resist detection. We update Ad-Aware, both the program and the reference file, so that we find and remove these new versions. They update again. Then we do. It’s a vicious cycle that isn’t avoidable. We continue to update definitions and to develop more sophisticated and technically advanced detection and removal methods, such as what Ad-Aware SE will have in it compared to what Ad-Aware 6 Build 181 has, but in the end, this cat-and-mouse game will continue.

    I think that covers how things are going out there. Give it time; there’ll be more methods, new ways, and trickier variants. Fortunately, Ad-Aware SE is just shy of being authorized for release and is prepared to meet the world of spyware head-on. Our internal testing is practically finished, but to make sure things are working properly, even though it has curved our release plans a bit to a later date than we expected, we’ve hired a Quality Assurance company to review Ad-Aware SE and provide additional testing, which is currently taking place, to make sure Ad-Aware SE is ready to take on the important task of protecting your systems. As of right now, we’re looking at August 15, 2004 as our release date, but this of course is subject to change.

    We know everyone’s interested, so here’s a rough idea of the changes coming to Ad-Aware SE, beyond those I hinted at earlier. Remember, though, that feature availability may depend on which version of Ad-Aware SE is used, and that last-minute decisions could change what actually makes it into the release version, but this is where things stand now. The user interface changes are complete, with a possible small revision here and there as needed, and the new information screens to allow for different perspectives on scan results, and other information, are integrated and working as planned. The ADS scanning ability you have read about is complete and integrated. To allow for users to better understand their purpose, we’re renaming our reference files to definition files. As a result of new compression methods we’ve developed, definition file updates will contain the same amount of information yet be half the size they are now, allowing for faster updates with less bandwidth, aiding those with slower connections or measured Internet access.

    Didn’t update your definition file recently? No problem. Ad-Aware will remind you, and you can even adjust if and when that occurs. Homepage settings can also be stored, allowing for users with hijacked homepages to restore the settings they want, instead of default settings used by Internet Explorer. Along with the restoration of the /silent ability, Ad-Aware can be told to only scan disks, scan memory, run a full scan, smart scan, ADS scan, or custom scan, and even provide a status report about the installed location to a logfile, along with many other new command line parameters.

    There’s a lot of great information on the Internet, and many great technologies that take advantage of its reach around the globe. Here I am sitting at my desk in Michigan, USA, writing this article. In about an hour, I’m going to email this to our editor back at the home office in Sweden, about 4100 miles (about 6600 km) away from me, and it will only take a few seconds to get there. Then she’ll make final revisions, and when ready, send this to over a hundred thousand subscribers, all around the world, and that will happen during the course of a few hours. You may use the Internet to email friends and family, pay bills, or maybe order pizza. At the same time, countless people are going to somehow wind up with spyware on their system, which arrived via a web browser security hole, or as a file that arrived in an email, or some other means, that travelled over the same wires that I used, and we at Lavasoft used, to allow you to read what I have written here in this article, and what you use daily to connect yourself to friends and tasks. Just be careful during your Internet travels. Fail to exercise caution, and to educate yourself, and you never know where you might wind up, or the aftereffects that may follow.



    More News about Ad-Aware SE Soon!


    A special issue of The Eye dedicated to Ad-Aware SE will be sent out soon! Stay tuned for screenshots and information about what's new in Ad-Aware SE! And don't forget to sign up to our Release Notification mailing list. Receive information about updates, new plug-ins AND of course the release of Ad-Aware SE!


    You can also subscribe at http://www.lavasoftnews.com/cgi-bin/mojo/mojo.cgi?f=s&l=release.
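The article's point about file signatures (content-based identification that survives a random filename, but breaks as soon as a variant changes the file) can be made concrete with a small scanner. The following is an added illustration, not Lavasoft code and not Ad-Aware's actual detection logic; the "payloads" are constructed harmless text, the detection names are made up, and the byte-pattern tier is one well-known way to generalize a signature across a family, included here as an assumption about how a "new approach" might look rather than a description of Ad-Aware SE.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed sample file contents (plain text standing in for spyware binaries).
KNOWN_PAYLOAD = b"PAYLOAD-v1: report browsing habits to collector.example.invalid\n"
VARIANT_PAYLOAD = b"PAYLOAD-v2: report browsing habits to collector.example.invalid\n"
CLEAN_FILE = b"This is an ordinary readme.\n"


def sha256(data: bytes) -> str:
    """Content hash: the 'file signature' that does not care about the filename."""
    return hashlib.sha256(data).hexdigest()


# Constructed definition file, tier 1: exact content hashes of known samples.
HASH_DEFINITIONS: Dict[str, str] = {sha256(KNOWN_PAYLOAD): "Example.Spy.A"}

# Constructed definition file, tier 2 (assumed technique, not Ad-Aware's):
# a byte pattern shared by every member of a family, so a slightly changed
# variant still matches even though its hash does not.
PATTERN_DEFINITIONS = [(b"report browsing habits to", "Example.Spy.Family")]


def classify_hash_only(data: bytes) -> Optional[str]:
    """Exact-signature detection: a one-byte change in a variant defeats it."""
    return HASH_DEFINITIONS.get(sha256(data))


def classify(data: bytes) -> Optional[str]:
    """Exact hash first, then the family pattern; filename is never consulted."""
    hit = classify_hash_only(data)
    if hit is not None:
        return hit
    for pattern, name in PATTERN_DEFINITIONS:
        if pattern in data:
            return name
    return None


def scan_directory(directory: Path) -> Dict[str, Optional[str]]:
    """Map each regular file's name to its detection (None means clean)."""
    results: Dict[str, Optional[str]] = {}
    for path in sorted(directory.iterdir()):
        if path.is_file():
            results[path.name] = classify(path.read_bytes())
    return results


def demo() -> Dict[str, Optional[str]]:
    """Write the constructed samples under random-looking names and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "xk3j9q.dll").write_bytes(KNOWN_PAYLOAD)    # known sample, rotated name
        (d / "b7zz1a.dll").write_bytes(VARIANT_PAYLOAD)  # variant: hash differs
        (d / "readme.txt").write_bytes(CLEAN_FILE)
        return scan_directory(d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict or 'clean'}")
    # The variant is missed by the exact hash but caught by the family pattern.
    print("variant by hash only:", classify_hash_only(VARIANT_PAYLOAD))
```

Running it shows the known sample detected under its rotated filename, the variant missed by the exact hash (which is why a definition update would be needed) but caught by the family pattern, and the readme left alone.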
     
  2. Ken3

    Ken3 MajorGeek

    Curious to know if Ad-aware SE will have the same licensing program that the current Ad-aware has.
     
  3. g1lgam3sh

    g1lgam3sh MajorGeek

    Very interesting and informative
     
  4. Kodo

    Kodo SNATCHSQUATCH

    Agreed! Using a different browser is only part of the problem's solution.
     
  5. Ken3

    Ken3 MajorGeek

    I don't mean to be short sighted in my first response. That article is a good read and informative, like everyone else has stated.
     
