Internet Intruders:
Spyware, Adware, Hijackers and Other Pests

Definitions

One of the first definitions of "Spyware" came from Steve Gibson: "any software which employs a user's Internet connection in the background (the so-called "backchannel") without their knowledge or explicit permission. Silent background use of an Internet "backchannel" connection must be preceded by a complete and truthful disclosure of proposed backchannel usage, followed by the receipt of explicit, informed, consent for such use. Any software communicating across the Internet absent these elements is guilty of information theft and is properly and rightfully termed: Spyware."

Today, the word has broadened and shifted in meaning. "Spyware" is an emotionally charged word, and often means different things to different people. Sometimes the term is used to mean Adware, or Browser Helper Object or Hijacker or Trojan, but in all cases, the user of the word is referring to software that they did not intend to introduce to their machine, do not want, and are having trouble removing.

Here are definitions for these common terms.

  • Adware: "Software that brings targeted ads to your computer, after you provide initial consent for this task. Some Adware may hijack the ads of other companies, replacing them with its own. Adware typically will track your browsing habits and report this info to a central ad server."
  • Browser Helper Object (BHO): "A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." There are many exploits of this technology which search all pages you view in IE and replace banner advertisements with other ads, monitor and report on your actions, change your home page, etc."
  • Hijacker: "A trojan that may reset your browser's home page and/or search settings to point to other sites. Such sites are sometimes porn sites, often loaded with advertising. Homepage Hijackers may prevent you from changing your browser's homepage or from visiting a particular site."
  • Spyware: "Any product that employs a user's Internet connection in the background without their knowledge, and gathers/transmits info on the user or their behavior. Many spyware products will collect referrer info (information from your web browser which reveals what URL you linked from), your IP address (a number that is used by computers on the network to identify your computer), system information (such as time of visit, type of browser used, the operating system and platform, and CPU speed.) Spyware products sometimes wrap other commercial products, and are introduced to machines when those commercial products are installed."
  • Trojan: "Unwanted software which runs in a user's machine, as an agent of the attacker, without user awareness. Unlike viruses and worms, trojans do not replicate (make copies of themselves.)"

Internet Intruders are here defined as unwanted software that is installed while surfing the Internet, and that typically uses the Internet in the process of exploiting the user and the user's machine. Typically such software is installed without the user's full awareness of the consequences of such an install (although the user might have been given some notice of what would happen). Such software is typically difficult to manually detect, and difficult to remove. It usually compromises some combination of the user's privacy, the confidentiality of the user's information, or the user's productivity. Productivity is compromised when frequent ads pop up, when bandwidth and storage space are consumed, when pages load more slowly, etc. In this tabulation, 'Internet Invaders' are the aggregate of pests that are categorized elsewhere as Adware, AOL Pest, Browser Helper Object, Dialer, Downloader, Firewall Killer, Hijacker, Hostile ActiveX, Hostile Java, Hostile Script, IRC War, Key Logger, Notifier, Password Capture, P2P, RAT, and Spyware.

Internet Intruders are all unwanted, and for a variety of reasons. Consider this summary and draw your own conclusions:

Infraction: Drive-by Download
Comment: We think there should be no software in your machine that you did not choose to put there. But some products install themselves simply because you visited a web site. AdultLinks will not ask if you want to install it. Hotbar will install even if you indicate you do not want to install it, and some OnlineDialer installer pages open a JavaScript error and try again if you click 'No' to the install box, to try to force you to install the software. PerMedia was installed from e-mail; upon agreement to install, further invitations would be sent to all entries in a user's address book. StripPlayer and IEAccess can install automatically on versions of Internet Explorer older than IE6 Service Pack 1.
Nominees: AdBreak, AdultLinks, Brilliant Digital, BrowserAidToolbar, DownloadWare, HighTraffic, Hotbar, HuntBar, IEAccess, INetSpeak, Lop, MoneyTree, OnlineDialer, PerMedia, RapidBlaster, Search-Explorer, SearchitBar, StripPlayer, SuperBar, TinyBar, Xupiter

Infraction: Misrepresentation of Intention
Comment: We think that a product should do what it promises to do. A product that promises to block ads should not deliver them. A product that promises to stop spyware shouldn't be spyware.
Nominees: StopSign

Infraction: Misrepresentation of Source
Comment: We don't think a product should claim to be from one vendor when it is from another. Claiming your product is from Microsoft might give your product credibility, but it isn't the way business should be done.
Nominees: ASpam

Infraction: Combining Good to Create Evil
Comment: We are seeing a growing number of pests that combine (pirated) commercial software and legitimate applications with scripts or custom files to produce a dangerous result. The result is that proper detection is much more complex - just what these attackers have intended!

Infraction: Porn without Permission
Comment: We believe that pornography should not be installed on a user's machine without their permission, and without parental consent if they are a minor. Not all vendors agree. AdultLinks, for instance, adds links to porn and other sites to the Internet Explorer Favorites menu. While installed, it can add more links when directed to do so by a web page.
Nominees: AdultLinks

Infraction: Missing or Disappearing Uninstallers
Comment: All software must include uninstallers. Nominees in this category do not.
Nominees: Cydoor, Cytron, DailyWinner, DialerOffline, HighTraffic, IEPlugin, IGetNet, Transponder

Infraction: Uninstallers that Leave Working Code Behind
Comment: If you run an uninstaller, you expect the product to be uninstalled -- not continue to operate silently. Nominees in this category leave working code after the uninstall is finished. HXDL AL and Aveo Attune continue to run after uninstallation -- the uninstaller claims that the program is removed, but at reboot, the software is back and running -- only the uninstaller is gone. HuntBar's uninstaller simply hides its working code, rather than removing it.
Nominees: Aureate Spy, HXDL AL and Aveo Attune, HuntBar, PalTalk, StopSign, Wnad, Xupiter

Infraction: Hijacking Searches
Comment: Everyone is entitled to use their favorite search engine, and see the results that it offers when they make their request. HuntBar changes your search bar settings to point to HuntBar's servers, and automatically opens this search bar when it detects you using any other search engine. SuperBar adds its own items to your search results.
Nominees: CnsMin, CommonName, HuntBar, IGetNet, SuperBar

Infraction: Modifying Pages you Visit
Comment: We don't think that computers would be much worth defending if we could not trust their results. When you visit a web page, you expect to view the original web page, not a modification. Our nominees here include TopText, which will alter all pages viewed in IE, adding extra links to words and phrases targeted by advertisers. GAIN may superimpose ads on pages visited.
Nominees: GAIN, TopText

Infraction: Silent Download and Execution of Arbitrary Code
Comment: Silent updates to an installed product may be desirable if a user gives permission for this. But no product should download and execute arbitrary code, as an "update" feature, without your consent.
Nominees: AdBreak, CashToolbar, CommonName, DownloadWare, eXactSearch, FavoriteMan, FreeScratchAndWin, HighTraffic, HuntBar, IEPlugin, MoneyTree, OnlineDialer, PerMedia, RapidBlaster, SearchitBar, StopSign, TopText, Transponder, Xupiter

Infraction: Uninstallers that cannot work with scripts
Comment: There is no reason why an uninstaller should require a secret code to operate. Uninstalling a product should be easy. Nominees in this category went to some trouble to try to prevent anti-spyware products from removing them.

Infraction: Programs that fight back when you try to remove them
Comment: We assume that spyware, adware, and such is rarely removed by accident, and don't think it appropriate to fight the user who is trying to remove it. But some won't go down without a fight.
Nominees: n-Case

Infraction: Lost network and Internet Connections with Imperfect Removal
Comment: We don't think that imperfect removal of any software should ever result in loss of a network or Internet connection. Our nominees think otherwise.
Nominees: CommonName, MarketScore, NewDotNet

Infraction: Gratuitous Pop-Ups and Pop-Unders
Comment: We don't think that any software should be accompanied by software that displays ads throughout the day in your machine when you are not using that software. Tracking the source of such ads can be very aggravating for a user who may have never used the software, never intend to use it.
Nominees: Cydoor

Infraction: Lousy Code Slows Machine, Causes Errors and Crashes
Comment: We think that if you are going to annoy a user, it shouldn't be with code that crashes their applications, generates error messages, or requires rebooting. Some vendors seem to think otherwise. The winner of our nominations might be IGetNet: An estimated 200,000 users have reported problems with IGetNet between January 10 and March 17, 2003.
Nominees: AtomWire, Brilliant Digital, Cydoor, DownloadWare, FavoriteMan, FlashTrack, Grokster, IGetNet, iMesh, NetPal, NewDotNet, ProfitZone, SaveNow, Search-Explorer, TinyBar, Transponder

Infraction: Removal Refusal
Comment: If you want to remove software, you shouldn't have to arm wrestle with the stuff. As they say, "no means no". But some, such as CnsMin, cannot be deleted while running, cannot be stopped without rebooting with no registry entries that invoke them, and insist on re-writing registry entries as fast as you delete them.
Nominees: CnsMin

Infraction: Opening Security Holes
Comment: No product that is installed in your system should reduce your security by design, without your permission. After Comload is installed, any web page has the ability to run any executable file on the local machine.
Nominees: Comload, StripPlayer

Infraction: Disabling Security Software
Comment: No product should offer to disable your security software. But some products do just that, and receive our nomination in this category. For instance, StopSign is a Firewall Killer interfering with the operation of several personal firewalls. In addition, it suggests turning off Norton Anti-Virus Email protection and PC-Cillin POP3 Filter, and detects and offers to remove both SpyBot and AdAware. Radlight will try to remove Ad-aware.
Nominees: Radlight, StopSign

Infraction: Tampering with your Changes to Settings
Comment: It is one thing for software to configure your machine to its liking, so that it runs better. But it is another story when software changes your subsequent settings back to those which suit it. Lop adds a task to run on startup which sets your homepage and search back to lop if you change them.
Nominees: AdBreak, Lop

Infraction: KitchenSinkWare
Comment: It is one thing to elect to install a package. It is another to find yourself out of space on your drive because the package installed all of its friends. Grokster is nominated here because its install can lead to the installation of BullGuard, Cydoor, EBates Moe Money Maker, GAIN, Golden Retriever, IGetNet, IPinsight, King Solomon's Casino, MyWay Speedbar, NetPalNow.com, NewtonKnows, Purity Scan, Sidestep, and Webhancer (14). StopSign will add about 28 Mb of software to your machine. FavoriteMan installs Transponder/VX2, NetPal, ClickTheButton, ezCyberSearch toolbar, SideStep, BargainBuddy/Adp, NewDotNet, IGetNet, HotBar, n-Case (180solutions), Mail.com Alerts (which also comes bundled with BargainBuddy/Apuc), and various homepage hijackers. (11+) iMesh includes GAIN, Cydoor, Hotbar, eZula TopText, New.Net, CommonName, SideStep, NetPal, FavoriteMan, VX2, FlashTrack, and BonziBuddy.
Nominees: FavoriteMan, Grokster, iMesh, StopSign

Infraction: Logging your KeyStrokes, Capturing your Screen, Recording your Conversations - all surreptitiously
Comment: Of course, the products listed above probably pale in comparison to the intrusion that a key logger can do. Products such as ISpyNow are designed to be small enough to be attached to e-mail. NETObserve Keylogger logs Internet conversation, window activity, application activity, clipboard activity, printing, keystrokes, web site activity, and captures screenshots and via webcam. Such products can be quite stealthy, too: STARR does not show up as an icon, does not appear in the Windows system tray, does not appear in Windows Programs, does not show up in the Windows task list, cannot be uninstalled without a pre-specified password, and does not slow down the operation of the computer it is recording.
Nominees: Key Loggers
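
As an added example (not part of the original page), the Python code below inventories the registry locations behind two behaviours described above: Browser Helper Objects that Internet Explorer loads at start, and startup tasks or browser settings of the kind listed under "Tampering with your Changes to Settings". The registry paths are standard Windows and Internet Explorer locations rather than anything stated on the page, and the sample export, its names, CLSID and URL are constructed.

```python
import re

# Standard Windows / Internet Explorer registry locations (not taken from the page).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
IE_MAIN = r"hkey_current_user\software\microsoft\internet explorer\main"
IE_SETTINGS = {"start page", "search page", "search bar"}

# Constructed sample in `reg export` text format; every name, CLSID and URL is made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleBar"="C:\\Program Files\\ExampleBar\\restore.exe /sethome"
"Antivirus"="C:\\Program Files\\AV\\av.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example.invalid/"
"Window Title"="Internet Explorer"
'''

VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, value_name, data); value_name is None for the key line itself."""
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes inside string values
            yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))

def audit(text, known=frozenset()):
    """Return (category, detail) pairs that are not in the reviewed `known` set."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None and k.startswith(BHO_KEY.lower() + "\\"):
            findings.append(("bho", key.rsplit("\\", 1)[1]))
        elif name is not None and k in RUN_KEYS:
            findings.append(("autostart", f"{name} -> {data}"))
        elif name is not None and k == IE_MAIN and name.lower() in IE_SETTINGS:
            findings.append(("browser-setting", f"{name} = {data}"))
    return [f for f in findings if f[1] not in known]
```

Running `audit` on exports taken before and after a settings change, with the first run's details passed as `known`, shows which entries were added or rewritten in between. Files written by `reg export` are normally UTF-16 and need decoding before being passed in as text.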

A Big Problem that is Getting Bigger

Adware, BHOs, Hijackers, and Spyware are easily the most common kinds of unwanted software, if measured by number of files found in user machines. If measured by number of times the product as a whole is encountered, then Adware, BHOs, Hijackers, and Spyware trail Spyware Cookies in commonness. If measured by numbers of files found in user machines, the most common kinds of pests, in descending order of "popularity", are: Adware, P2P, Spyware, Browser Helper Object, Spyware Cookie, Worm, Hijacker...

Our world of computing has changed quite radically in the past few years. Not long ago, few users had access to the Internet. Today, Internet Intruders have access to most users!