24 July 2003

Spyware, scumware and Absa

You’ve no doubt heard of the Absa accounts that were breached by hackers. The media have made much of internet banking being compromised and the term ‘spyware’ is being used a lot.

This morning I listened to an Absa spokesperson talking on radio, referring in a jumbled way to “spyware, keyloggers, trojans and viruses” and then quickly following up with damage control, saying fuzzy warm things like “providing customers have up-to-date anti-virus software, they should be safe”.

Unfortunately though, the Absa spokesperson doesn’t know what he’s talking about as most anti-virus software won’t find half of the programs that constitute spyware. So if you’re a PC user, and/or use the net for internet banking, read on and I’ll give you some conceptual info, background and point you towards some downloadable programs to sniff over your PC.

So-called spyware gets into your PC usually by one of the following routes: Bundled and installed along with another program you’ve downloaded, installed via a webpage that you’ve visited, or installed via a program sent to you through e-mail.

By now, most spyware is fairly standard and technically legal. What happens as you browse online is that various webpages and companies trigger an automatic download of a small file (and sometimes folders) to your PC without you knowing, and every time you’re online, these files send info about where you’re going online back to the manufacturer’s website. They call this data mining, but the users who clean out the files themselves tend to call these unwanted things scumware.

There’s a debate over what actually constitutes spyware. Cookies, for instance, are tiny text files that sites put onto your computer as you move from page to page online, and some of them tend to track where you came from prior to getting to that page — or where you’re going to next. (This information is sent back to the company controlling the website you visited.) Look in your c:/windows/cookies folder to see up to hundreds of these seemingly innocent text files, each marked from a website you visited, and each containing a piece of information about you.

To purists, these text files are spyware — yet they’re covertly part of basic internet operation. But the only time you actually need them is when you’re logging into a site that needs to know who you are for real — like banking sites, or the Amazon-type online retailer commercial sites. Everywhere else, it’s just plain snooping on the part of the webpage owners.

There are a number of tools to block these cookies from getting anywhere near your PC — do a search on www.tucows.com for cookies — to find a range of cookie-killing applications. Remember though, you need these ‘cookies’ in order to log in to secure sites — anywhere else, it’s snooping by webpage owners, regardless of what they say. If they’re gathering statistical information for their own usage (data mining), let them rather employ a secretary to phone me, so I can hang up on them.

Now the problem with this back and forth activity occurring without you knowing, is that, firstly, it’s an invasion of your privacy — and second, given that most of us are using modems, and compared to the US — we struggle along with very little bandwidth. So the idea of hundreds of files using up that precious bandwidth in order to tell Company X just where we came from is not acceptable.

The next form of spyware comes hidden within other programs. For example — one of the most well known and notorious spyware/Trojan files is contained inside a popular file-sharing program called Kazaa. The trojan is called BDE — and the file (when it senses you’re online) tells its manufacturer that you’re online, and then offers up a portion of your PC’s processor power to be used for whatever the company needs. And this is legal. (This can be bypassed however, by using a hacked version of Kazaa, called Kazaa-Lite.)

But this is a radical example of spyware or legal Trojan activity. Usually things are a lot more subtle. (After an average session online, I tend to have to clean out anything up to 200-300 cookies, and three or four spyware files. If you’ve never downloaded an application to specifically target spyware, the odds are good that your PC is filled with different kinds of programs which antivirus software won’t find because spyware, supposedly, isn’t a virus.)

Another problem with certain webpages themselves, is that Java script is being run. This is delivering programming code into your PC, and your PC then quietly accepts the new information or instructions. So you want to keep a casual eye on making sure that, even though you may turn down the pop-up window offering you the chance to DOWNLOAD FREE GIRLS PIX NOW!, there’s still activity going on below the surface, and potentially dangerous code is coming into your PC, depending on what the webpage maker planned.

An overt example of this in action is the popping up of new pages, which open without you asking. The spyware that’s installed can range from standard ‘send info back to HQ’ through to loading a new Internet Explorer page and to quietly changing your default homepage. This last one you’ll only notice when you hit Home on your browser, and instead of, for instance, www.yahoo.com emerging, you suddenly seem to be going to some other page.

This last ‘exploit’ is called a browser hijacker and is fairly standard as a simple example of control being taken from you online. Once you’ve landed at the new page, depending on further JavaScript and confirmation dialogue boxes, you can end up having sent even more information about yourself to the owner of that page before you’ve managed to close it.

I use a tool called Zero Popup, to eliminate the extra pages which spring up when cruising the wilder areas of the net. There are a number of programs to block the running of unwanted Java code on your PC: Do a search on popup at www.tucows.com as a starting point. You can turn Java off in your browser, but then this may prevent you from accessing a number of regular sites online, including the supposedly secure sites. It’s a case of damned if you do, damned if you don’t.

Again, this last spyware approach may have installed software and folders on your PC, and most antivirus software won’t see it.

Often the half-trojan-half-spyware files will create folders in your PC from which to operate. These files sit and wait until you’re online before beginning to chatter back and forth with their HQ, and then auto-downloading adverts or pictures to display at you, seemingly from nowhere. That’s if they’re legal. If they’re not, they will do other, far nastier things.

Another form of spyware is a dialler, which comes in a few flavours. Most notably, they disconnect you from your ISP and reconnect you to a long distance number. Usually this is too obvious; it’s rather hard not to notice that you’ve disconnected and reconnected. Generally though, what were diallers in the past have now become the browser hijacker-type of program, sometimes with code designed to grab info from pre-selected areas of your PC and deliver it to a Dr Evil somewhere on the Net.

The old days of viruses being simply programs that changed a few system files and/or delivered a silly message have progressed into something a lot more complex. Especially seeing as there’s a blurring between the concepts of legal spyware and illegal trojan viruses. Advertisers online are pouring files into your PC all the time, usually without you noticing.

This is one of the problems with mass conformity of PCs and PC users. It becomes very easy to create a program and tell it that when someone clicks on it to ‘Go to HERE on the user’s computer and copy these files and send them to [email protected]’.

There are standard places where Windows puts your passwords, and where you store your documents and pictures by default. So without much effort, I could gather most of the passwords you use online, browse through all the documents you were recently reading and look at all the pictures you’ve looked at. The hackers have to disguise the program somehow, to make you run it. Or else use stupid mistakes in Windows itself, so that the program runs itself. Enter the trojan.

A Trojan, by broad definition, is a program that pretends to be something it isn’t, and while you click away on it, it installs other programs onto your PC. These programs can range from the minor irritating exploit of changing your homepage to xxxanimals.com through to actual viruses which begin deleting or corrupting your Windows files. These viruses or other attacks can either be set to happen immediately, or at some point in the future, when you think everything’s fine. But some of these trojans are legal — and they come from advertisers. And here’s where the problem starts. If you make all trojan-like programs illegal, then advertisers will start whining. And so the many Dr Evil clones online quietly continue, enjoying the chaos and the ignorance of net users whose PCs are being invaded on all fronts.

Now these spywares and trojans are separate from keyloggers, which are a genre on their own. Keyloggers are simple programs which record the victim’s keystrokes. The usual use of these is in network situations, where computers are being used by groups, such as in an office, in order to grab a co-worker’s password. The program stores the words and letters in a text file, and then sends them off to a predefined e-mail address.

It’s interesting that Absa say they’re “following leads in the case”, and at the same time mentioning keyloggers, because all they have to do, if it was simply a keylogger, is to use a program to disassemble the keylogger (a hex editor, for instance) and then look for the bit in the raw programming code that says ‘send this victim’s info to [email protected]’ and they’ve got their criminal.

But they’re not appearing to do this.

So either Absa’s forensic people aren’t very good (which I doubt is the case) or Absa itself is trying to do damage control and use the ignorance of the public to gloss over a problem they’ve chosen not to tell the truth about.
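The check described above, sifting a captured keylogger’s raw bytes for the address it reports to, as an added Python example that is not from the original column; the sample bytes and the .invalid addresses in it are constructed stand-ins for a real suspect file.

```python
import re
from typing import Dict, List

# Constructed sample standing in for a suspect keylogger executable:
# some non-printable header bytes with a few readable strings embedded,
# the way a compiler leaves literals in a real binary. All names use
# the reserved .invalid TLD and are made up for this example.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"keys_log.txt\x00\x01\x02"
    b"smtp.example.invalid\x00\xde\xad"
    b"dropbox@attacker.invalid\x00\xca\xfe"
    b"http://collect.example.invalid/upload.php\x00\x00"
    b"\x7f\x7f\x00ab\x00"
)

PRINTABLE = set(range(0x20, 0x7F))  # space through '~'


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of printable ASCII at least min_len long, in
    file order (the same idea as the Unix `strings` tool)."""
    found: List[str] = []
    run = bytearray()
    for byte in data:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:  # a string running up to end of file
        found.append(run.decode("ascii"))
    return found


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def find_indicators(data: bytes) -> Dict[str, List[str]]:
    """Sift the printable strings for the things a keylogger needs in
    order to send its capture home: e-mail addresses, URLs, hostnames."""
    hits: Dict[str, List[str]] = {"emails": [], "urls": [], "hosts": []}
    for text in extract_strings(data):
        hits["emails"].extend(EMAIL_RE.findall(text))
        hits["urls"].extend(URL_RE.findall(text))
        if HOST_RE.match(text):  # a bare hostname, e.g. a mail server
            hits["hosts"].append(text)
    return hits


if __name__ == "__main__":
    for kind, values in find_indicators(SAMPLE_BINARY).items():
        print(f"{kind}: {values}")
```

This only finds addresses stored in plain text; a packed or encrypted binary has to be unpacked, or watched at runtime behind a firewall as the column suggests, before the destination shows up.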

In order for a keylogger to be run on a PC, it needs to get there first. Duh. So if a number of people are affected in one geographic area, according to news reports in the Bellville area in the Cape, then it’s fairly simple to solve. There’s no way that different people in the same area all happened to go to the same hacker’s webpage and get infected. So it came in the mail. It shouldn’t take more than an hour to work out where from, or how someone knew all the e-mail addresses of these people from the same area.

And Absa have by turns been using the terms spyware, viruses and keyloggers as if they were all the same thing. But they’re not.

Furthermore, most ISPs run antivirus software to screen e-mail before it’s passed on to users. If users were sent files which ‘recorded their info and sent it back to the hacker’, according to Absa, then it’s bizarre for them to recommend running antivirus software.

Just on the off-chance that you don’t know about the simplest way for someone to send you a trojan in the mail, let me explain that there’s an incredibly simple flaw in Windows which allows for the auto-running of any program which arrives in your e-mail inbox. Let’s assume you’re running Outlook Express for your e-mail, as many of you do. If you’ve never bothered going to the toolbar at the top of the page, choosing VIEW, then LAYOUT and then turning OFF the preview pane feature, I can send you programs that will begin running as you open the mail. You probably won’t even notice that I’m doing it.

With the ‘preview pane’ feature turned off, you can see (because of that paperclip icon) that I’m sending an attachment of some kind along with my friendly e-mail.

Furthermore, thanks to Microsoft’s ‘all eggs in one basket’ approach, if you’re able to receive e-mail showing html pages — webpages, in other words — I can quietly slide various Java programs (scripts) into your PC, as well as (if you’re online) providing a hacker a nice big doorway straight into your computer.

A useful tip is to try to avoid ever just clicking on what appears to be simply an html ‘link’ in an e-mail — rather cut and paste it into a browser and observe what happens, otherwise you could be auto-installing something without knowing it.

You need to get away from the idea that everything on your PC should be in one nice bundle. So having any personal details in your browser, like your e-mail address for instance, means that whenever a webpage hijacks your browser, it can scrape out all the data you have stored there and send it off.

If you’re doing anything with your computer that someone else might be interested in, then you’re probably already being observed without you being aware of it. I’ve browsed through many local companies’ office computers in the past, just to see if I could. And although the security levels have increased over the last year or two, the average home user is still effectively unprotected as far as any form of security goes.

Now Microsoft likes the idea of users using their browser as Everything. From media player to a mail program and a Usenet reader. However, it’s just too much information stored in one place. It’s much safer to have separate applications for each aspect of the net — like Free Agent for Usenet (newsgroups), Outlook Express or Eudora (e-mail) and Internet Explorer, Netscape or Opera (for webpages).

Another layer of security which costs nothing, but will let you know every time someone on the internet is looking at your PC, is a firewall. It sounds complicated but it’s just a little program that fits between your PC and the internet, and which checks that everything going in and out of your PC is what you want.

So while browsing, if you happen to see that some file called ‘naked.exe’ seems to be sending something from your PC to somewhere else, you can close it down. Without a firewall program, alerting you to the information going out of your PC, you won’t even know that anything’s going on. Again, browse Tucows for firewall — or try a simple and reputable firewall program like Zone Alarm.

One of the biggest misconceptions that Absa and the media seem to be spreading is that antivirus software will remove trojans and spyware. They won’t. The last time I checked using Symantec’s Norton AV, it failed to detect a number of spyware files, which other spyware-removers found.

Now I know you’re lazy — I am too — but you’re simply not going to get one product that’ll fix ALL your problems with one push of a button. You need a range of products, and you also need to get into the routine of running one after another until your PC is clean – after every session online.

If you want to see what your PC is hiding – download the working demo versions of the following four must-have applications from the net, and run them:

First up is a product called BPS Spyware Remover. They’re up to version 7 now. And although it considers cookies as spyware (and thus infected files), don’t let this scare you. You can set it to ignore cookies. BPS is one of the best spyware removers available. Run it and see what it finds on your PC.

Next in line is Ad Aware which also hunts for spyware, data-mining files, scumware and anything else that might be compromising your PC’s security — this will find things which slip through BPS’s net.

After that is Pest Patrol. This finds even more files — including, if you’re an occasionally naughty PC user, nagging you if it finds any cracks on your HD. ‘Cracks’ are programs to generate fake serial numbers for software. Trojans and viruses sometimes get onto PCs via this method.

And finally, last but by no means least, there’s the fourth product that again catches whatever the previous three haven’t. It’s called The Cleaner.

It’s not sufficient to get merely one of these programs, as none of them seem to catch all of the different genres of files. So downloading them all and getting into the habit of running them one after the other, at odd times, can provide you with a lot of fun, as you discover just how much spying is being done on you as you browse online.

If you don’t have these programs, then you’re relatively unprotected from a range of evil files which aren’t ‘viruses’ in the strictest sense, but which technically can do just as much damage. These four applications above, in conjunction with a decent firewall program, as well as whatever antivirus software takes your fancy, ought to provide you (as a home/casual user) with a lot more security than what you had before. Which, to be honest, isn’t much security at all.

It’s odd how no one is mentioning any provisions of the Electronics Bill which brought into service a wide range of undemocratic laws, under the guise of protecting consumers online. Where’s that protection now?

As for security, I didn’t mention the many forensic tools available to sift through users’ data-packets, or Tempest technology (which decodes the electromagnetic radiation off users’ PCs and captures info), and now more than ever, it might be interesting to read the online collection of e-mails by South African National Intelligence Agents looking for trojan viruses to put on local users’ computers. Go read as real local spies go looking for spyware to use.

I should point out though, that Absa referring to and blaming, in alarmingly general terms, viruses, spyware and keyloggers, and by way of vague reassurance, suggesting that the public upgrade their antivirus software to protect themselves, is bizarre and strangely simplistic. Like trying to close a certain barnyard door after the horse has gone, perhaps?

Ian Fraser is a playwright, author, comedian, conspiracy nut, old-time radio collector and self-confessed data-junkie. Winner of numerous Vita and Amstel Awards, he’s been an Internet addict and games-fanatic since around 1995, when the Internet began to make much more sense than theatre.