Spyware – Part I

Part I



Nowadays, information technology like Internet plays a very important role in people’s daily lives. In this Internet era, individuals or companies do their business online, and people communicate with each other through any means of modern networking technology. Particularly people like to download all kind of free stuff from the Internet. They fill their hard disks with music, videos, screensavers, and other computer programs.


However, technology is just like a double-edged sword. Threats come with these downloads. It is no aggravation of statement that as long as computers are connected to the Internet, there’s every chance of being threaten by different malicious software like virus and worm. Those computers without enough protection are much vulnerable to the attacks from these malwares. Spyware is just one of those malwares. It is bundled with the legitimate applications, or embedded in the web pages and email messages. As soon as a Spyware infected computer is connected to the Internet, the online activities of that computer could be watched.


Now Spyware is everywhere. According an Online Safety Survey by America Online and the National Cyber-Security Alliance performed in December 2005 (cited in Schwartz 2006, 3), it shows that around 60% of all personal computers are currently infected by the Spyware, and over 80% of infected users did not know that the Spyware was existed on their machines. It should be drawn much attention that 92% of infected users confessed they did not grant the permission to any party to install the software on their machines.


“Spyware” has evolved into the cyber era as the most dangerous, damaging and menacing technological appliance in current history (MOTION, Inc. 2006). Elgin and Grow (2006) describes Spyware as a plot to hijack people’s computers: “they watch you surf the web; they plague you with pop-up ads; then they cripple your hard drive”. They are not joking. The threats are so real that anyone could be the potential victim of Spyware. A Brazilian gang broke into hundreds of accounts at six different banks and stole millions of dollars. The gang harvested those victims’ account numbers and passwords by infecting their computers with spyware (Ducklin 2006, 22). Ironically, some computer users, who have been aware of the threats brought by spyware, live in fear of spyware, and if they receive a legitimate-looking warning email or a warning banner on the web page they could easily follow the link to buy the advertised clean-up software.


And now, the war to Spyware has just begun.


2 Spyware Overview

2.1 History


The word Spyware was first used in a Usenet post in October 1995, and the author of that article was joking about Microsoft’s business model which can be concluded that some features of Windows were designed to spy on users’ general computing behavior(Lininger and Vines 2005). Trivially, there are a few different opinions about the year that the word appeared, some said it was in1994 (Wikipedia 2006b), but others think it should be in 1996 (MOTION, Inc 2006).


It is commonly accepted that the term was formally adopted in a press release by the founder of Zone Labs for the company’s new product – Zone Alarm Personal Firewall in early 2000 (Wikipedia 2006b). Since then the term has its current meaning we know today that they do certain bad things on users’ computers.


Controversially, “Elf Bowling” is believed the first Spyware application. It was introduced to numerous Internet users as a popular Christmas game in 1999 (MOTION, Inc. 2006) and freely available on the Internet. “Elf Bowling” was regarded as Spyware because it can post user’s high score back to the scoreboard at the NVision website (RelicMan 2005). However, the creators of the program denied these “Spyware” allegations (Hcward 2005). No matter what, it provided the Internet users the first (or similar) experience with Spyware.


Gradually, the word “Spyware” started to hit in the mass media instantly, and people began to find ways to fight against Spyware. In 2000 the first anti-spyware application OptOut was released by Steve Gibson. Significantly, OptOut could be termed as the pioneer of anti-spyware applications in the Spyware history (MOTION, Inc. 2006).




According to the first anti-spyware creator Steve Gibson (2005), “Spyware is ANY SOFTWARE which employs a user’s Internet connection in the background without their knowledge or explicit permission”.


Launching Internet connection is a behavior that most Spyware will truly do, but lots of legitimate software also tries to connect to Internet to validate the user’s licensing information or get the software update information without telling the user.


In this report, Spyware is defined as any computer technology that aids in gathering information from a person or organization and utilizes the Internet connection secretly without anyone’s knowledge or explicit permission.


Simply speaking, Spyware can secretly track or records personal or organizational information and sent back to a remote server designated by the creator.


2.3Who is spying


The people who could be the ones spying:

  • Online attacker
  • Crime makers
  • Advertisers
  • Marketing organizations
  • Law enforcement
  • Employers
  • Parents
  • Spouse


for the following purpose:

  • Advertising and Marketing
  • Employees Monitoring
  • Family Member Monitoring
  • Criminal Cracking
  • Information Stealing


An online attacker could be any individual who is hiding in somewhere on the Internet spying the victims remotely, and the targets could be randomly chosen. The attacker may just do it for fun or practising hacking-skills. In contrast, crime makers would have clearer goal and their goal is money. They steal people’s Internet banking accounts number and passwords. They also could be someone being trusted like an insider of an organization, and they are spying their victims deliberately to get what they want. To the online attackers and the crime makers, the only purpose of using spyware is to collect any confidential information interest them.


The advertisers employ Spyware for target advertising to sell or propagate their products in low cost. Similarly, marketing agencies would gather customers’ information for analysis. They all like to know about customers’ shopping habits and figure out the consumers’ shopping patterns to have much effective advertising and marketing strategies.


Cracking the crime and guarding the safety of the public would be the best explanation for police and law enforcement officers to use spyware on suspects to gather evidences during investigations.


Companies or governments install spyware in their employees’ computers to monitor their activities and work performance. Sometimes, the parents would like to know about what their kids do in the computers to prevent them surfing the inappropriate websites. Also in some other cases, one party of a couple feels betrayed and may want to collect the evidences of an affair.


2.4What are Spyware looking for


Generally, spyware tries to collect the following information:

  • Private information. Usually it is for user profiling, spyware gathers information like people’ name, email address, contacts book and so on.
  • Demographic information.
  • Internet usage. It is the information like online shopping habits, browsing habits, and keywords in search queries. Those are very valuable to the advertisers and data mining agencies.
  • Hardware information on the computer system
  • Software information on the computer system
  • Financial information. It is any information related with money like user’s credit card details, and internet banking username and password.
  • Confidential information. It could be any password for the websites, email account, instant messenger account and so on.
  • Business secret.
  • Evidence.


2.5The Hidden Menace


To gather all the information it needs, spyware can capture keystrokes, screenshots, web form data, typed urls and Windows Protected Store data. It also can scan the hard disks to locate some other sensitive data. In order to disguise or hide itself, spyware usually change system and registry settings, and make it hard to be found and removed using some advanced techniques.


Except the legal usage of spyware by law enforcement, its running on computers could be an enormous threat to the Internet users. It is often attached with legitimate programs that allow it to easily pass through firewalls uncontested, so there is absolutely no knowledge of the kinds of data being transmitted to its mother ship (Naraine 2004). And it dose not has the patterns that the virus usually have, so it would not be detected and removed by the anti-virus tools which are equipped in many computers.


The threats of spyware could be:


  • Frequent annoyance and disturbance
  • Privacy violation
  • Damage to legitimate software
  • Computer resource hijacking
  • Computer resource exhaustion
  • Degradation in computer performance
  • Computer taken-over by Trojan
  • Financial loss, like identity theft and credit card fraud
  • Sensitive information disclosure
  • Eventually reducing confidence of online safety (US-CERT 2005, 1)


The consequences of being infected by spyware ranges from private information disclosure, unwanted pop-up ads, browser hijacking to more dangerous security breaches and being installed backdoors for hackers. Even knowing the above dark sides of the spyware and running programs carefully, it will still find ways to get in Internet users’ computer systems. Everything from the web seem unsafe now because of the fear of spyware, any mistake click or just unwittingly accessing a Window Metafile could causes users in trouble. To one-third of Internet users having been afflicted by spyware (cited in Gutner 2004), the quiet life of using computer could be totally ruined.


Not only personal users, but also the companies and organizations are struggling with spyware around the world. spyware menace “is costing businesses millions” because the need for spyware identification and remove will drive the spending by enterprises upwards from $12 million in 2003 to $305 million in 2008” (Comms Business 2005). A recent IDC survey listed spyware as the fourth-greatest threat to a company’s enterprise network security after interviewing over 600 organisations (Comms Business 2005). No wonder a security expert warns that spyware would be an even bigger headache for enterprises than viruses (Naraine 2004).


3 Spyware General Infomration

3.1 Spyware Types


Spyware is also known as adware, nastyware, crapware, sneakware, stealthware, snoopware, trackware, thiefware, scumware and a host of other sordid names. According its distinct purposes and technological natures, the latest ofen-used spyware can be classified as the following types:

  • Adware
  • Software Keyloggers
  • Trojan horses
  • Malicious Browser Helper Object
  • Fake anti-spyware
  • Web bugs
  • Tracking Cookies



Adware is the most common type of spyware (Sunbelt Software 2004, 1). It is the main source of most pop-up windows that contains the advertisers’ advertising banners. Ads also can be embedded with user interface (UI) of freeware, for example it may be placed on toolbars of the applications.


Generally, all “ad-supported” software is spyware (Bleeping Computer 2004), because advert servers can have the IP address of computer system where Adware is hosted, and they know the times users run the program. Now some spyware vendors like 180 Solutions uses some really complicated techniques to redirect affiliate links to major online merchants such as eBay and Dell, so through this effectively hijacking the commissions that the affiliates would have expected to earn in the process (Lininger and Vines 2005).


The threat of Adware is that it is capable to do more than just advertising, because it can be modified to include code to track a person’s Internet usage and personal information, or even worse to record user’s keystroke.


The Claria Corporation (formerly the Gator Corporation) is one of the largest adware organizations; others include DoubleClick, WhenU.com, Radiate, 180 Solutions, and Web3000 Ad Network (Sunbelt Software 2004, 1).


Software Key loggers

As it is advertised, key logger can record everything that is entered from the keyboard. After a key logger is installed and activated in a computer system, all the keystrokes can be captured such as the typed passwords, pin numbers, conversations through instant messenger, email content and so on. The keystrokes can be logged into a local file in the hard drive, and maybe be opened by the user of the key logger or sent back to a remote server in a later time.


Trojan Horses

Trojan horses are able to perform certain operations or execute certain code in users’ computer system when it receives commands from the controller. So the security door for the attacker could be opened by the insider – Trojan horse.


Usually it is unseparated part of some software utilities and tools which is free for download and distribution. If the Trojan horse is removed by anti-spyware tool from the computer system, then the main program is no longer able to work. Some very popular peer-to-peer file sharing applications always contain at least one tracking function – Stalking Horse and Adware for ad-serving networks beside Trojan (Bleeping Computer 2004). Kazaa is one of those programs that it would enable user PCs to operate as part of the planned Altnet grid-computing network (Lawton 2002, 15).


Malicious Browser Helper Object (Browser Hijackers)

A Browser Helper Object (HBO) is a component of Windows Internet Explorer web browser. From a technical aspect, it is a COM, a DLL which is add-on of Internet Explorer. It is designed to be allowed by third-parties to expand and improve the features the functionalities of IE browser. Usually many helpful third-party toolbars is created using this technique such as Google toolbar and Yahoo toolbar.


After a toolbar is attached to IE browser, it has access to all the events and properties of the browsing session. Due to the nature of this component of Windows, the toolbar can have full control over the IE. So some malicious BHOs can direct user to some designated websites, and it also can hijack the IE browser to collect a series of information like browsing histories and send them back to advertisers and marketing agencies to extract surfing habits for the purposes of targeted advertising.


Since it is part of legitimate program IE browser, the sending information operation could not be blocked by any firewall, and it also would not be noticed by the user.


Fake Anti-Spyware

In the reality, sometimes bad guys disguised themselves as someone trustworthy to cover up their crimes. It is same in the Internet. A lot of supposed “Anti Spyware” software is, in fact, spyware. They claim that they can help to remove spyware, and actually they just trick the users to purchase from them or open the gates for them. The fake anti-spyware could be any possible type of spyware discussed so far. A few known bogus anti-spyware applications are SpyAxe, SpySheriff and spyware Cleaner.


Web Bugs

Web bug is a 1×1 invisible gif or jpeg placed on web pages or in email messages to facilitate third-party tracking of users and collection of statistics. Unlike regular pictures files, these tiny objects are not meant to be seen. They only exist so that web advertisers can deposit cookies on users’ computers to track their activities and continually enhance and refine user profile. Due to its unique nature of being invisible and having ability of starting an http request, this is a perfect method for the websites statistics and visitors tracking companies to do their business.


Tracking Cookies

A cookie (HTTP cookie, or Web cookie), just a small file on the computer, is used to allow a web server to be able to recognise the previous visits by the browser, and the server could personalise the site for the user. So cookie is able to record a various of information like what site is visited, what time user visit the sites and what user do on the sites.


A tracking cookie is any of these cookies “that is shared among two or more web pages for the purpose of tracking a user’s surfing history” (CA 2006). This cookie file records where the users surf the web on behalf of Internet advertising companies that later use the information for their own business purposes (Mossberg 2005). A cookie itself is not spyware, but it can be used by advertisers and marketing agencies to contain some specific information from users due to its nature. Then the tracking cookie is considered a form of spyware.


3.2Spyware Installation Methods


The installation of spyware frequently involves Microsoft Windows and Microsoft’s Internet Explorer (IE). Windows is most spyware writers’ favourite operation system platform. As the most popular Web browser, and with an unfortunate history of security problems, Internet Exploerer has become the hottest target (Wikipedia 2006b). Furthermore, it attracts attacks because of its deep integration with the system and its scripting ability. If IE is compromised, the door to treasury is opened. Additionally, “legitimate” looking plug-ins of Internet Explorer in the form of browser helper objects can control a whole browsing session, and modify the browser’s behaviour or to redirect traffic.


The techniques that spyware vendors use to install spyware on innocent people’s computer are tricks, misleading prompt-ups, and knowledge of security holes and system kernel. Basically, the computers get infected by spyware in following common ways:

  • Bundles
  • Security exploits
  • Misleading ActiveX Popups



Spyware often is bundled with music CDs, popular free games, beautiful screen savers, adorable desktop toys, helpful computer utilities and some other free hot stuff. So normally there will be two separate installation processes controlled by the freeware installer, one for the main program, and the last installation is for spyware. Users usually believe that all the installations are necessary for running the desired program, and would not take time to read through the End User License Agreement (EULA) and just simply accept it. Then spyware is let in.


Security Exploits

Those Internet related computer applications like web browser and Java runtime environment that can execute code or run instructions on the local machine all have chances of being attacked by the malicious code from the remote server as long as there are security weaknesses existing.


When a web page, which a “Spyware bomb” is buried in, is open by a browser having security holes, the bomb is triggered and browser is forced to download the spyware and install it on unwitting user’s computer system. The bomb is that well-known “drive-by download” technique. The similar scenarios can happen on any other Internet-based applications with bugs.


Another recent discovered serious security exploit is resided in Windows Metafile (WMF) which can allow code be executed when it is accessed. For example, when the IE users try to open a web page containing such WMF files, their computer could be attacked. A journalist, Brian Krebs (2006) reported that a myspace.com was put an online banner advertisement which used that WMF security flaw to infect more than a million users with spyware.


Misleading ActiveX Popups

ActiveX is a technology that can help other computer applications running within a web browser, particularly for Microsoft Windows Internet Explorer. It has a long history of helping to distribute spyware, of course, because it is used by the spyware distributors in a bad way.


The older version of IE would prompt up a dialog box to ask for users’ interaction when it encounters certain html tags like APPLET, EMBED, or OBJECT if that ActiveX has not been installed in the system yet. Other browser such Netscape, Opera and Mozilla do not support ActiveX by default.


The misleading ActiveX popups trick users into clicking yes button on the dialog box by using very confusing and misleading words which make user to believe that “click yes” is necessary to continue viewing the website or the installation can protect their systems. The latest version IE has improvement in this aspect and users would not see the prompt up but an installation alert. Even though, risk is still there.


4 Technological Aspects of Spyware

4.1 Spyware Related Terminologies

4.1.1 Global Unique Identifier (GUID)

A Global Unique Identifier is 128-bit number that can be generated based on the network interface card’s MAC address, and used to identify a computer, a user or a file. It is often contained in a cookie for tracking purposes.


4.1.2Drive-by download

A drive-by download is generally regarded as a process that a program is downloaded and installed in Internet users’ computers without their consent and knowledge, while they are viewing web pages or html-formatted emails. That can happen when the security bugs in web browsers, email clients or operating systems are exploited deliberately. It is a common method used by website owners in spyware’s distribution.


4.1.3Digital Rights Management (DRM)

Digital Rights Management is any technology used by copyright owners to control access to the intellectual property like music, movies, documents and software. Free Software Foundation (2006) suggests using ‘Digital Restrictions Management’ for the acronym DRM instead. Spyware and rootkit tool can be installed on computer system with the help DRM technology, and rootkit helps spyware to hide. For example, when listening to a music CD on computer, spyware could have been installed since DRM is transparent to user.


4.1.4 Toolbar

Toolbar has a narrow meaning when it is related with spyware. It is a toolbar-type plug-in of a web browser for adding the functionalities and accelerating the access of the web sites. Most popular and hot websites providing searching service have their own different toolbars. Technically, they are all spyware, having the spyware “properties”. A Microsoft Windows Internet Explorer toolbar is usually implemented using a Browser Helper Object.


4.1.5 Rootkit

Rootkit is a term applied to computer tool sets or techniques that can help hiding the computer system processes, files and settings (Wikipedia 2006a). If spyware utilizes an advanced enough rootkit, it can avoid the detection of anti-spyware applications, and also make its uninstallation difficult.


4.2Windows Spyware Techniques

The techniques used by spyware are not complicated. Basically, the techniques used by Windows’ spyware could be:

  • System bugs exploiting
  • System APIs hooking
  • System DLLs injecting or replacing (Birdman 2005, 12)
  • System drivers or kernel modules incorporating


These techniques are not only used by spyware but also many other illegitimate or legitimate applications such as virus, rootkit, firewall and anti-spyware tool. They all require the spyware writers having the inside-out knowledge of windows programming and Internet networking protocols. A more sophisticated spyware demands higher programming skills in system driver and kernel layer where assembler language programming might be intensively involved.


There are always unclosed doors for spyware authors because of the unpatched systems and undiscovered security bugs. In spite of many security features provided by the web browser Mozilla Firefox, 655 defects and 71 potential security vulnerabilities were found from the release (Harrison 2006).


Hooking is an import programming technique for monitoring the system events. Many desktop applications utilize this technique to extend Windows functionalities, for example, a screen reader may be able to capture the text contents of any windows and controls by hooking the TextOut /ExtTextOut /DrawText APIs. Similarly, spyware put hooks into system, waiting for the certain events (key-typing, web browser’s execution and internet access) which could trigger the hooks to work. Mr. Levin (2005, 4) showed in his talk that the new features of Winsock 2 include a Layered Service Provider architecture which provides “powerful hooking functionality enabling interception, eavesdropping or rerouting of almost all IP based traffic in windows platforms”. Hooking can also used for hiding.


Instead hooking something, waiting for being called as normal system functions is another option for the spyware writers. Spyware hide itself into legitimate system DLLs by injecting the spying code in. Alternately, the original system DLLs could be replaced entirely with modified spyware ones.


Some advanced spyware can incorporate themselves in system driver layer as part of the kernel modules. In fact, this technique could also uses hooking to intercept all kinds of user operations, but the spyware is located much deeply in the Windows system that means it has higher system privileges, and looks more legitimate. Therefore, it can make the uninstallation much difficult, and hide itself without being detected. For instance, if spyware has the privilege of raw socket access, basically it can bypass most firewalls because the raw socket is portless (Birdman 2005, 5).


4.3 A Simple Spyware Experiment

4.3.1 Aim

The aim of this experiment is trying to simulate the process of collecting the “user browsing habits” using web bug and tracking cookie.


4.3.2 Experiment Design

All the steps in this experiment is conducted in a local machine, they are:

  • Assign different host names to the local machine
  • Start a web server,
  • Implant a web bug in a web page (static page, HTML format). The web bug should make web browser try to fetch an image from a designated address, which will initialize a remote http request if the image source is from a different domain name.
  • The “remote” server should response to the request, and some useful information then can be retrieved.
  • The possible retrieved information will be inserted in the database
  • If the information is recorded, the experiment is successful. Otherwise the experiment fails, and the experiment design needs to be improved to be able to track users’ behavior.


4.3.3 Experiment Preparations

  • Clear all the cookies of the browser for the experiment
  • Create a Microsoft Access database for storing the visitor’s information
  • Create a ODBC DSN for java’s database connection


4.3.4 Experiment Result

The experiment result came out as expected: the web bug could trigger a setting cookie process; tracking cookie used by a third party (www.spyware.com) was able to store the visitor’s information. The more detailed experiment description is provided in Appendix A: A Web Bug Experiment. Since this property of web bug, the cookie can be set in any platform where cookie is supported and allowed.


Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *