Keith Dunlap had never even heard of Cool-search.net. But one day last December, as he opened the browser on his home PC, the site filled his display.
The browser's Internet Options window showed his home page had been changed to the arcane address t.rack.cc/hp.php. Dunlap, a researcher at the Wood Science & Technology Institute in Corvallis, Oregon, reentered his old one. But when the system rebooted, his browser jumped to Superbookmark.com, another site he didn't know. Sure enough, that mysterious home page setting was back. He rebooted again, and his browser jumped to a third unwanted site: Real-Yellow-Page.com. Obviously, something was lurking on his PC, and he feared it was tracking his behavior.
Dunlap had already installed PepiMK Software's Spybot Search & Destroy 1.2 (reviewed in this story), a tool designed to detect and remove this sort of sinister software. Spybot's engine, he discovered, had been turned off. "I don't know if the spyware was to blame," Dunlap says. "But Spybot's immunization tools were no longer running." Even when he turned it on, Spybot detected no spyware-related files. Dunlap manually removed all references to t.rack.cc/hp.php in the Windows Registry. He rebooted, and they came back.
Dunlap's machine was infected with CoolWebSearch, one of many spyware applications threatening the world's computing devices: a late-breaking Trojan horse so nasty that only one app we tested, Lavasoft's Ad-aware Plus 6, could find it, and none could remove it. There is, however, a standalone app called CWShredder (available at www.spywareinfo.com) that can get rid of CoolWebSearch.
Spyware apps sneak onto your machine when you download many file-sharing services, open infected e-mails, or click on dubious Internet pop-up ads. They can manipulate your system, record your habits, and steal your passwords and credit card numbers. Depending on their degree of aggressiveness, they can steal your privacy or even your identity. And they can be terribly difficult to remove.
78,000 Ways to Spy
According to PestPatrol, which sells its own spyware remover, more than 78,000 spyware programs are on the loose. These include adware applications, which track browsing habits and serve up ads; key loggers, which record keystrokes (passwords and credit card numbers, anyone?); and Trojan horses, which provide hackers unfettered access to your PC. In the past year, PestPatrol uncovered more than 500 new Trojan horses, 500 new key loggers, and 1,287 new adware apps. In fact, Webroot Software, maker of Spy Sweeper 2.2, estimates that 80 percent of PCs are infected, and that's not including less malevolent types of spyware, such as tracking cookies. The problem is so prevalent that major utility vendors McAfee and Symantec are getting into the act. McAfee's results are already good; Symantec's are less so in this first round.
Chances are your machine is hosting spyware. If you've recently installed a free file-sharing service like Grokster or Kazaa, there's no doubt about it; such services are almost always tied to several pieces of adware. You may not realize that when you accepted your file sharer's licensing agreement, you also agreed to download, install, and run this adware. (For exceptions, see "Spyware-Free P2P for Free".)
Even if you avoid sharing infected files, there are risks everywhere. Sometimes, Web sites or e-mail will dupe you into downloading malicious code. "You may see a message that plays off your fears, telling you that your system is vulnerable and giving you a link to a patch," says Pete Lindstrom, director of Pennsylvania-based research firm Spire Security. When you click on the link, you're often installing spyware. Other times, spyware can infest your system when you simply visit a Web page or open an e-mail. Keith Dunlap believes he was the victim of such a "drive-by download."
Note: Every year, we receive indignant calls, e-mails, and letters from adware makers and distributors claiming that their apps are not spyware. At PC Magazine, we maintain that any application that tracks your behavior without your knowledge and consent is spyware. And no, a clause buried in a privacy policy that 99 percent of users never read isn't enough to avoid the spyware appellation.
At the very least, spyware brings inconvenience. Like CoolWebSearch, the program that infested Keith Dunlap's PC, many of these tools hijack your home page. They add sites to your browser's Favorites menu. They launch unwanted windows. Taking up CPU cycles, they slow system performance and even make your PC less stable. (For more signs that you're infected, see "11 Signs of Spyware".)
But none of this is as troubling as what these programs do behind the scenes. Many seemingly innocuous adware applications track the sites you visit, with alarming accuracy. "Some spyware actually changes your DNS records so that all your Web requests go through someone else's servers," says Bruce Hughes, director of malicious-code research at ICSA Labs, the investigative arm of a security corporation called TruSecure.
The nastiest applications, including key loggers and Trojan horses, grab more valuable information. In February 2003, employees at AOL downloaded a Trojan horse that pillaged the company's customer database. In July, a 25-year-old from Queens pleaded guilty to installing key loggers on computers at Kinko's stores in Manhattan, stealing over 450 online banking passwords. And in October, hackers used key loggers at Valve Software to pilfer the source code for Half-Life 2, one of the company's best-known computer games.
These apps go beyond simple spying and actually facilitate identity theft. If you don't find that worrisome, reread the story, "Identity Theft: What, Me Worry?" How can you remove spyware from your system and prevent further infection? It's not easy.
Immortalware
In 2003, according to PestPatrol vice president of product development Roger Thompson, there was a huge increase in the number of burrower programs: apps that dig so deeply into an OS that they can't be found or removed without major surgery. Some hide behind ordinary Windows filenames. Others install as "layered service providers," so that quick deletion disables your Internet connection. Still others create multiple copies of themselves across an OS; if one is removed, the others keep running. "About six months ago, we knew of only 6 burrowers," Thompson says. "Now there are more than 40." And there are dozens of other apps that include ticklers, mini-programs that reinstall deleted files. You can't protect yourself from spyware like this without tools specifically designed to find and remove it.
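The reappearing home page setting in Keith Dunlap's story and the ticklers described above leave the same trace: a value that was cleaned up is back after a reboot. The sketch below is an added example, not part of the original article; it compares three registry exports to flag such reverted values. The key path (the usual Internet Explorer settings location) and the three snapshots are assumptions constructed for illustration, using only the hijack address the story mentions.

```python
import re

# Constructed .reg-style exports (not from the article). The key path is the
# usual Internet Explorer settings location, assumed here for illustration.
KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]"
BEFORE_CLEANUP = KEY + '\n"Start Page"="http://t.rack.cc/hp.php"\n"Search Page"="http://t.rack.cc/hp.php"\n'
AFTER_CLEANUP = KEY + '\n"Start Page"="http://www.example.org/"\n"Search Page"="http://search.example.org/"\n'
AFTER_REBOOT = KEY + '\n"Start Page"="http://t.rack.cc/hp.php"\n"Search Page"="http://search.example.org/"\n'

# Matches a string value line such as "Start Page"="http://..."
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {(key, value_name): data} for string values in a .reg export."""
    settings, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            settings[(key, m.group(1))] = m.group(2)
    return settings

def reverted_values(before, cleaned, after):
    """Find values changed or deleted during cleanup that later changed back.

    A value that equals its pre-cleanup data again, after the user set it to
    something else, was rewritten by something still running on the machine.
    """
    b, c, a = parse_reg(before), parse_reg(cleaned), parse_reg(after)
    hits = []
    for loc, old in b.items():
        fixed = c.get(loc)  # None means the value was deleted during cleanup
        if fixed != old and a.get(loc) == old:
            hits.append((loc[0], loc[1], old))
    return sorted(hits)

if __name__ == "__main__":
    for key, name, data in reverted_values(BEFORE_CLEANUP, AFTER_CLEANUP, AFTER_REBOOT):
        print(f"REVERTED {key}\\{name} -> {data}")
```

A reverted value says only that something on the machine is still rewriting the setting; finding the component responsible is the job of the removal tools discussed here.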
Antispyware tools operate like antivirus software: They find and remove only the programs their developers have already identified. And many spyware programs try to disable the tools that hunt them. Wise users install more than one antispyware engine (though having several configured for real-time blocking may cause problems). Even the best tools don't find all spyware. At the very least, it can be extremely frustrating when spyware causes your system to run badly or slowly or hijacks things like home page or search functions. And when you consider how much personal information your computer contains, how much someone could learn about you by virtually peering over your shoulder as you work or surf the Web, spyware should make you very worried indeed.
Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in PC Magazine.