How spyware & adware programs threaten network security & performance

By /


Homogenous environments are dangerous because they are easy to predict.  As time goes on programmers find creative ways to collate useful data that can reflect patterns about the user and the way the user interacts with his/her machine.  Where the user clicks and where the mouse hovers most of the time becomes a strong statistical point that analytical programmers may use.  This information may be used to increase sales by means of placing the banners in the area where the mouse pointer may hover the most.  This information can even be profiled customizing the webpage so that when you specifically browse the webpage the banner is placed where your mouse pointer sends its most time. More personalized data has started to be transmitted and this is what needs to be publicized and known.  Spyware and adware are small unnoticeable windows based applications that transmit data to vendors about habits and personal information that is stored on your local machine.  The whole problem with spyware is that data is collected and transmitted to the vendor or 3rd party without the users knowledge.  The data is typically sent back to the vendor in a spare channel or related port to make it look less conspicuous and to avoid detection and being blocked by firewalls.  The information that is transmitted belongs to the organization where from it originates.  If searched for on the internet a list of spyware can quickly be put together for policy purposes.


Spyware is software that records keystrokes; this includes passwords, confidential and private information. This software can be installed by the user deliberately or by an internet based vendor.  The internet vendor traditionally only records historical data, comprising of habits and mouse co-ordinates.  User installed spyware is normally software that monitors other users using the same machine, or can be used by companies to monitor conspicuous employees.  The spyware that this document will focus on will be aimed at the type installed by the user unknowingly by using freeware or shareware.  The collected information can be stored on the user’s hard drive for inspection by the spy at a later stage.


Adware is an application that is funded by the adverts it supports and displays, the application has an area where continuous adverts are shown to the user.  The user benefits by the free services supplied and the sponsors benefit from user hits.  However information that is transacted is not only advertising information but information that has no relation to the advert.  Information like how the user browses the internet has been found to be transacted.  Most adware works on user profile data principle reporting data that can be used for statistical commerce use.  Most of these applications are not only resource intensive but also consume bandwidth costing the organization money.  So that free application that has been downloaded to download shared mp3 files is not only illegal but also costs the organization money in bandwidth and time spent online terms.


Where do these programs come from?


Developers have creative ways of enticing users and persuade them to download and install their software.  The common selling point is freeware this type of software is produced and supplied free of charge without requiring a licenses.  An example of this would be a very popular mp3 downloading utility.  These utilities have adware packages attached to them and may also have spyware lurking in the installation code as well.  Some software has hidden viruses and Trojan horses installed that also get distributed when you install such software. Cookies can be classified as spyware as confidential data can be read by 3rd party websites with normal scripting technology available to millions of people on the internet.  Ever wondered how when you visit a web mall it is fascinating how they always have something that you have been searching in search engines on the net.  Well that’s done in cookies, or specific user data that has been recorded about you. Ever wondered how those banner ads keep referring to things that interest you?  These organizations may sell this statistical data.  Furthermore they are not obliged in anyway to keep your personal activities confidential.  Does this concern you or your organization?  It should.  Data is not dangerous if it is not used to your disadvantage but by having specific habits analyzed and choreographed it becomes less of a challenge when marketing something to someone.  This puts the vendor at an unfair advantage that was gained without knowledge of the user or organization.


Protection



  1. Only install reputable software form reputable vendors.
  2. Keep your antivirus software up-to-date and ensure that spyware and adware applications have been added to virus list.
  3. Check your network sniffer regularly for any strange traffic occurrences and check this traffic for conspicuous traffic that streams form a machine without user activity.  (A good time to investigate this will be at a time when your users are not using the network.
  4. Install good intrusion detection systems these systems counter Trojans and other foul play that may be taking place and market leaders are starting to include adware and spyware activity as part of their pattern file interception mechanism.  Spyware servers often attempt to contact the slave machine to instruct commands.
  5. Disable cookies, Cookies are contentious and full of user info that takes up storage on companies machine and serve 3rd party organizations more benefit than they serve the user.

Applications like Ad-Aware have been developed to scan your computer hard drive and find known spyware. After this application is run on your machine you will find that there are a multitude of applications that invade your system. Companies like Aureate, Cydoor, New.Net. and gator have these applications bundled with freeware and this is the way they disseminate much like a fruit tree uses birds to disperse the seed.  Please note that there are over 800 known spyware applications and in time this can slow your organizations bandwidth down by a significant amount. By visiting www.infoforce.qc.ca/spyware/enknownlistfrm.html you will be able to check the latest list of latest and known spyware.  These spyware and adware locators list and give you the opportunity of deleting the offensive software.  Some of the applications run real time and will alert you to the fact that adware or spyware is attempting to install itself.  Please note that some companies produce the problem and the solution when it comes to spyware.  Lookup broadcast utility in a search engine and you will find some links that give you a better idea of what may be happening.


Please note that after running the adware/spyware removal utilities if you chose to delete the adware/spyware in most cases you will lose the functionality of the freeware as the advert Dll files are combined with the application.  There are ways to overcome this, one effective way is changing your hosts file to point to  your own IP address this points the spyware application to itself and no data is sent out and your freeware still works.  An application that can do this for you is Silencer.


There are organizations actively studying spyware and adware activity.  Emulation systems have been designed that emulate the spyware/adware server and the applications have been found to respond and exchange data and receive commands from the central server.  This bandwidth consumption is at the organizations expense and is divulgence of private data and will cost the organization the value of the bandwidth used.  If you have a network of 1000 users and 80% of them have the software installed if each machine only transmits a few kilobytes a day you will be looking at a significant performance loss, if there is more than one spyware/adware application on each machine now you can begin to see why it becomes a mammoth problem.


The latest trend is that companies that produce adware have now started alerting users to the fact that they will be reported on and that they can either opt in and install the adware or opt out and not install the adware and in some cases that will also not allow the installation of the freeware.  The issue with this is that a person wanting to download a file off  the internet will install this application very quickly without reading the agreement in most cases, if they read the agreement they do not clearly understand that by installing this free software will mean that in fact it is not free and that the payment is in information and in bandwidth.  Who is to say that the company is indeed disclosing exactly what the software will be reporting on and how can a normal user trust this company?  How do we know that the company is in-fact not gathering locally stored sensitive information and transmitting it unencrypted over the internet?  It has been found that some applications once installed function even if the freeware is not in use, consuming bandwidth without user benefit.
Antivirus vendors are researching and implementing pattern files that look for adware on the initial scan and then report if there is an attempted installation of the software.  Virus software normally flags adware and spyware as Trojan viruses.  Further more the firewall installed linking the machines to the network should be setup to block open net transitions and it is important that you do not socksify the connection as this will enable a spyware/adware application to bypass the firewall blocking mechanisms.  Set your network sniffers to look at any communication that is on non standard ports and then trace the IP address.  If you find that it belongs to a spyware vendor that appears on the spyware/adware lists remove that application from the machine if you feel that you need to.  If privacy is a big thing to the organization it is recommended that any conspicuous software be removed.
 
On the internet many free applications are released daily, it would be in the interest of the organization that any new application installed goes through a stringent test and authorized for use.  Make a list of the applications and the process allowed on the machine and if other applications are run ensure that it is reported and that these applications get removed.  It is in no ones best interest that your privacy be compromised. Instead choose an application that that does not use the adware/spyware principle.  It is good practice to remove any software that transmits any personal information unencrypted and without user consent.  Some organizations incorporate this statement into their security strategy for user protection.


Web browsers are at risk.


Where does it stop you ask? It doesn’t! Some web browsers like IE are affected by web applications that can load by merely visiting a website. When visiting a website with a non mainstream web browsers like Mozilla yu may find that a script will not load and functionality is lost, even though the browser is compatible will all internet browsing standards.  What is happening here?  Well some companies load applications onto your machine without you knowing about it.  These applications load themselves onto your local machine and typically report on topics of interest and habits that a user may have via http only when you are browsing making them very difficult to detect. Recommendation: set our browser security settings to high.  By doing this you gain security and lose some functionality but privacy is worth more than functionality to some.


Risk of Trojan infection.


Some applications have been found to contain Trojans that could be used as backdoors into networks.  These applications were quickly distributed and it was found that thousands of users had these applications installed within corporate networks.  W32.DlDer.Trojan was one such Trojan and it was found to be bundled with a very popular entertainment application.  Once it was found that this Trojan was distributed the company was confronted.  By this time it was stated that it would not be in the newer version and that the older version was not being distributed any longer.  This scenario displays how the company gathered information anyway and then was not bought to task as it quickly stopped distribution after being discovered.  Recommendation: keep your antivirus software up to date and do not install un-trusted, un-known software.


Website resources


http://www.spywareguide.com/ is a good website that takes you in the world of Spy vs spy.  This is a game for the most updated players and if you are not a step ahead you are loosing, it is in your interest to keep abreast of the latest adware and spyware threats.  There are some basic symptoms that a machine is infected with a piece of spyware or covert adware, these symptoms are listed below.



  1. Look for sluggish performance.
  2. Frequent machine restarts caused by memory leaks, this is caused by badly written software that very often results in being spyware.
  3. System is stalling and exception errors reporting unknown exe’s. This is also attributed to badly written software.
  4. Screen flicker this is a sign or screen scrapping.
  5. Mouse stutter and gibberish response this is sign of resource hungry adware.
  6. Observe your machines paging activities and how much paging happens when the machine is idle.
  7. Be aware that warez sites and other unscrupulous websites are known to contain malicious spy and hackware.

Summary:


As in all modes of spying there is an element of sophistication that is far beyond comprehension of the general public.  Spying is an invasion of privacy that can lead to serious repercussions if that data collected lands into unscrupulous hands.  Incidentally the same software that does the spying puts significant pressure on a system as well as the network that the system resides on, making it an undesirable situation for any corporate environment.  Keep one step ahead by knowing what is out there and reading articles like this one. Monitor your event log for unusual activities and look for any suspicious activity that may describe spy or adware.

About The Author

Ricky Magalhaes is a cyber-security expert and strategist for the past 17 + years working with the world’s leading brands. Ricky is on multiple advisory boards for vendors, customers and cyber security industry bodies and periodically works with leading analyst firms to help device strategy and advise on cyber security. Ricky Magalhaes is a seasoned cyber security strategist, architect and cyber expert, Ricky has trained government agencies and a myriad of governmental agencies on various information security disciplines and has speaks at national and international embassies, conferences on behalf of cyber software vendors.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top