SolutionBase: Use these techniques to fight back against spyware

Spyware is a growing annoyance for users and organizations. With these techniques, you can help get spyware under control.

It never ceases to amaze me just how hostile the Internet really is. As if fighting with things like spam, pop-ups, and viruses wasn’t enough, keeping spyware off of users' computers has practically turned into a full-time job. The reason why keeping spyware at bay is such an ordeal is because there are so many different types of spyware, and because spyware authors go to great lengths to ensure that you won’t be able to get rid of the various spyware modules. Using these techniques, you can get spyware under control in your organization.

What is spyware?

In case you didn’t already know, spyware is a generic term usually applied to what I like to call “browser parasites.” In most cases, spyware gets installed onto your computer without your knowledge when you visit a malicious Web site. In a way, spyware is actually sneakier than most viruses because most e-mail viruses get sent to you and don’t actually activate unless you open an infected attachment.

Most spyware modules install without you having to do anything other than visit a malicious Web site. Furthermore, visiting such a site is easier to do than you might realize. How many times have you accidentally mistyped the name of a common site into your browser and unintentionally landed on another site? Often sites that capitalize on common misspellings of popular site names are the most notorious for distributing spyware.

So what does a spyware module do once it’s installed onto your system? It varies because there are many different types of spyware. Some spyware modules monitor your browsing habits so that they can flood your computer with pop-up ads based on the types of sites that you visit. Others look for things like credit card numbers and transmit them to some unknown destination across the Internet. Still other spyware modules hijack Internet Explorer, resetting the home page and filling your Favorites list with Web sites of the author’s choosing.

Why is spyware so hard to get rid of?

So far, you have seen that spyware has virus-like qualities, so you might be wondering what makes spyware so much more difficult to get rid of than a virus? Traditionally, controlling spyware just hasn’t been as much of an issue as controlling viruses. Think about it for a second. Almost everyone has some sort of antivirus program installed, but how many non-IT people do you know that have programs installed for preventing spyware?

Although a lot of the antivirus manufacturers are starting to scan for spyware along with viruses, in most cases, the only way to really get rid of spyware is to use an anti-spyware program, such as Lavasoft’s Ad-Aware, shown in Figure A.

Figure A

Ad-Aware does a good job of getting rid of spyware and is free for personal use.

In case you aren’t familiar with Ad-Aware, it is, in my opinion, one of the better utilities for cleansing your computer of spyware. One of the best things about it, though, is that it is completely free for personal use. You can download the personal version of Ad-Aware from Lavasoft's Web site. Lavasoft also makes a professional version that will continuously monitor your PC for spyware.

If Ad-Aware works so well, you might be wondering why I don’t just end this article right now and save you some reading. It’s true that Ad-Aware works very well when it comes to removing spyware. The problem is that, depending on the type of spyware that’s infecting your system, your system may not work correctly once the spyware has been removed. This problem is not specific to Ad-Aware, but is common among spyware removal programs.

When spyware breaks Windows

Typically, when spyware removal breaks Windows, the symptoms look a lot like a DNS error. You might be able to ping a favorite Web site by IP address, but not by DNS name. When you attempt to access the site, Internet Explorer typically displays a message stating that the page cannot be displayed.

To understand why Windows might malfunction once spyware has been removed, you need to understand a little bit about the way that Windows attaches your computer to the Internet. As you probably know, computers communicate across the Internet through the use of the TCP/IP protocol. Windows implements TCP/IP through a mechanism called Winsock.

Winsock, however, is not made up of a single file. Instead, Winsock takes a layered approach to implementing TCP/IP in a chain-like fashion. If you were to remove a file from the chain, Winsock would cease to function properly and Internet communications would be either handicapped or completely disabled.

Some spyware modules exploit Winsock. There are certain benefits to doing this. First of all, the spyware module appears to be part of the operating system and therefore is more difficult to detect than other types of spyware. Second, if the spyware module is hooked into the Winsock chain then it makes it extremely easy for the module to monitor all Internet- (and network-) based communications. Finally, if a spyware module can trick Windows into thinking that the module is a part of the operating system, then the module will not be limited to the permissions granted to the machine’s current user. In most situations, the operating system and its subcomponents have full permissions over the machine.

Here’s where things get tricky, though. Imagine that a spyware module has infiltrated the operating system and has hooked itself into the Winsock chain. Now imagine that you ran a spyware removal program that was able to detect and remove the module, but now the Winsock chain is broken and Internet access does not work. In a situation like this, it would seem as though you should be able simply to reinstall Windows over the existing copy, and that in doing so, you would replace any missing files, thus relinking the Winsock chain in the process. Unfortunately this technique doesn’t work, and here’s why.

Microsoft designed Windows to be upgradeable and adaptable. Therefore, the components included in the Winsock chain are not hard-coded into Windows. Instead they are called through the system’s registry. Any time that you reinstall Windows over an existing copy, the Setup program will refresh the system files, but it will make every effort to preserve any customizations that have been made to the registry. This means that if a spyware module was designed to sit in between two normal Winsock components, then the registry may still try to call the spyware module even though the spyware module has been removed and Windows has been reinstalled.

The only way to really fix the problem is to rebuild the Winsock chain and correct the Winsock-related entries within the registry. Keep in mind that editing the registry is dangerous because an incorrect modification can destroy Windows and/or your applications. I therefore recommend that you perform a full system backup prior to attempting the procedure that I am about to show you.

To manually rebuild Winsock, locate and delete the following registry keys:



After removing these keys, you must close the registry editor and reboot the machine. When you reboot the machine, Windows will look for the registry keys that you have deleted. When it does not find them, it will recreate them from scratch, thus correcting the registry problem.

After the machine reboots, you must reinstall the TCP/IP protocol. To do so, right-click on the machine’s network connection and select the Properties command from the resulting shortcut menu. This reveals the connection’s Properties sheet. Now, click the Install button, select Protocol, and click Add. Next, click the Have Disk button and when prompted, enter C:\Windows\inf (where C:\Windows is the path to your Windows directory). Select the Internet Protocol (TCP/IP) option from the list of available protocols and click OK. Reboot the computer to complete the operation.

Although this procedure will fix the Winsock problem, there is an easier way to get the job done. Someone has created a free utility called Winsock Fix that automates the procedure. Keep in mind, though, that the utility still works by modifying the registry, so it’s a good idea to back up your system prior to running it. You can download Winsock Fix from DSLReports.

Software restriction policies

One way that you can fight spyware is to use a little-known Windows XP security feature called a software restriction policy. Software restriction policies were originally designed to help administrators to keep unauthorized software, such as games, off of network workstations. In some cases though, a software restriction policy can be very effective in the fight against spyware.

The catch with using software restriction policies is that although there are several different ways to set them up, for all practical purposes, you need to know what software it is that you are trying to block. For example, you can’t just configure the software restriction policies to keep games off of a workstation, but you can specify which games should be blocked, assuming that you know the name of one or more of the files that make up the games. It works the same way for fighting spyware. You need to know the name of the files used by a spyware module before you can block it.

So, you can’t use software restriction policies as a catch-all solution to spyware because new spyware modules come out every day, and many actually use system files (which can’t be restricted). The policies are effective, though, against some of the more well-known types of spyware.

A good example of this is Gator Corporation, which recently changed its name to Claria Corporation. I’m not going to outright refer to the Gator software as spyware, because recently Claria has been filing libel suites against anyone who does; however, Claria's software does have that reputation.

In case you aren’t familiar with the Gator software, here’s how it works. Gator is an electronic wallet. It keeps track of your personal information so that any time you are asked to fill out a form on the Web, Gator automatically fills in as much of the information as it can automatically. It sounds nice in theory, but in exchange for this convenience, Gator requires you to allow Claria to monitor your Web browsing habits and display targeted pop up ads on your PC through the Gator Advertising Network (sometimes referred to as GAIN).

One thing that separates Gator from other types of spyware is that they actually disclose upfront that they will be monitoring your Web surfing habits and displaying ads on your system. Although they do disclose this information, the Gator installer tends to pester and entice users into installing it. Fortunately, you can block Gator through the use of software restriction policies.

There are several different versions of Gator floating around, but if you create a software restriction policy that blocks the files FSG.EXE, FSG_3202.EXE, and TRICKLER.EXE, you can prevent users from infesting workstations with Gator.

To create a Gator-blocking software restriction policy in Windows XP, open the Control Panel and click the Performance And Maintenance link, followed by the Administrative Tools link. Next, double-click the Local Security policy icon to open the Group Policy Editor.

When the editor opens, navigate to Security Settings | Software Restriction Policies | Additional Rules. Right-click on the Additional Rules container and select the New Path Rule option from the resulting shortcut menu. When you do, you will see the New Path Rule dialog box. Enter %SYSTEMROOT%\FSG.EXE into the Path box. Make sure that the Security Level option is set to Disallowed, and enter a description indicating that you are preventing Gator. Click OK and repeat the procedure for the FSG_3202.EXE and TRICKLER.EXE files. The new software restriction policies will look something like what you see in Figure B.

Figure B

Some spyware can be prevented by using software restriction policies.

Using a firewall to prevent spyware

During one of my more recent spyware removal endeavors, a user asked me how it was possible for her to computer to become infected with spyware when she had a firewall. The truth is that a firewall will do very little to prevent a spyware infection. Keep in mind that most of the time when an infection occurs, it’s because you visited a malicious Web site. The malicious code is usually passed through TCP port 80, along with the site’s other HTML code. Since Port 80 is the standard port used for browsing the Web, a firewall isn’t about to prevent traffic from flowing across this port.

Just because your firewall doesn’t usually prevent a spyware infestation doesn’t mean that it is useless in the war against spyware though. Think about it for a moment. The main function of spyware is to transmit information about you or your browsing habits to someone else. Even if your firewall can’t prevent spyware from getting into your PC, it can prevent potentially sensitive information from being sent back to the person who wrote the spyware module. Just configure your firewall to restrict outbound traffic. Normally, a default firewall configuration will consider all outbound traffic to be safe. I recommend restricting all outbound traffic except for on a few ports. For example, you will probably want to keep the ports used for HTTP, POP3, and SMTP open.

When all else fails, check the database

Although most of this article has focused on spyware infestations that occur by accidentally stumbling onto a malicious Web site, malicious Web sites are definitely not the only source of spyware. Anyone who has ever visited knows that there are thousands of different applications freely available for download. Although most free applications are exactly what they claim to be, there are applications available for download that will secretly install spyware onto your machine when you install the application.

So how do you know whether or not an application is safe? You could read the application’s license agreement or terms of use, but such documents can be tough to understand and not all purveyors of spyware actually disclose their practices. A better solution is to simply ask someone who knows. The Spychecker Web site contains a database of applications known to have spyware attached. If you are considering installing a questionable application, try searching for the application in the Spy Checker database to see if it contains spyware. You can see an example of this in Figure C.

Figure C

Spy Checker offers a free database of applications containing spyware.