Types of Viruses 18
Virus Examples 21
Virus Prevention 27
Virus Removal 31
A Word on Hoaxes 33
Additional Resources 34
Spyware 36
Types of Spyware 39
Adware 40
Browser Hijackers 41
Computer Barnacles 42
Dialers 42
Keyloggers 43
Malware 44
Spyware 44
Trojans 46
Worms 47
Phishing 57
Downloads 61
Prevention Techniques 63
Administrator Accounts 63
Email Safety 66
IE Search Toolbars 69
Install a Firewall 70
JVM Security 72
Windows Processes 73
Scanning Tools 74
Email SPAM 83
Why SPAM? 85
Understanding SPAM 92
Identifying SPAM 98
Hidden URLs 98
Personalization 101
The internet really resembles the wild, wild west of long ago.
Everybody fends for themselves and there are really no laws to speak of.
Well, more accurately, there are laws to prevent some of these things,
however they are simply not enforceable. Most activity on the internet can
be done anonymously and that means that ill-intentioned people can
operate almost carte blanche online. So, the thing to do is be educated so
that you do not fall into their trap.
✓ Spyware
✓ Email SPAM
One thing to keep in mind is that the internet is NOT dangerous. Not
at all. It just takes some basic education and knowledge to keep yourself
out of trouble. It is very similar to learning how to drive. If a person was
driving a car and did not know how to deal with the roads and the car itself,
that person would be in danger and so would others around him. On the
other hand, if that person knows how to do it, everything is fine. And as
most of us know, driving a car is completely second nature after awhile.
To understand this, let's take a look at the biological virus. Let's look
at the definition of “virus” as given in Wikipedia:
A virus (from the Latin noun virus, meaning toxin or poison) is a sub-
microscopic particle (ranging in size from about 15–600 nm) that can infect
the cells of a biological organism. Viruses can replicate themselves only by
infecting a host cell.
So, a virus infects a host and cannot operate without the power and energy
of the host. The host is the thing which gets infected with the virus.
✓ To gain notoriety and see if they can get their work talked about in
the press
✓ To combat boredom
Not all authors of computer viruses actually spread their work. Some
do it just to see if they can. Others will publish their work on the web with
full documentation for the purposes of educating or for bragging rights.
While they might not personally spread the virus, somebody else will.
The people who work to spread computer viruses, whether they are
the authors or not, are usually people who are out for mischief. These
people are called “script kiddies”. This is a slang term, usually thought of as
derisive, which is used to refer to young hackers, often of high school or
college age, who take the work of others and release it into “the wild”. In
the world of computer viruses, “the wild” is used to refer to the world
outside of the “lab” where the virus was originally created. Many times, a
“script kiddy” does not have the necessary skills to create a virus on their
own. However, they have a mischievous side to them and they download
the work of others and release it, often claiming they are the author.
The script kiddy is the obvious bad guy here, but the person who
actually programmed the virus is certainly at fault as well. Unfortunately, the
law is not so clear. If the programmer is approached, they may admit that
they created it but will quickly note that they did not release it into the wild.
Legally, then, they didn't really do anything. The truth is, though, that many
of these virus authors put the code online knowing full well some script
kiddy is going to come along and let it loose. So we really are looking at
havoc by proxy.
Not all virus writers are trying to cause harm. Sometimes viruses are
programmed simply to be noticed. For example, some viruses are set to
simply display a message right in the middle of the screen. No harm done,
but it is definitely noticed by the owner of the infected machine.
The virus scene is oddly very social. Many viruses are created solely
for the bragging rights and the “street cred”. Virus programmers are very
intelligent. They may not be the most socially adept and they find friendship
with other programmers. They are often very libertarian and do not like to
conform to societal norms. Many of them have a chip on their shoulder.
Perhaps they got fired by a company and want to get back at them.
Perhaps they want to take a poke at the industry after failing to get a job.
Most virus writers are quick to justify what they do. They are quick to
say that they are not the ones spreading the virus. They have simply
created a program that is designed to self-replicate but it is the actions of
the end user that allows the process to proceed. They argue that they
cannot be held accountable for the naïve actions of somebody else. This is
a very similar argument as is sometimes used with guns. The virus creator
may have created the gun, but they can't be blamed for what the gun is
used for. Virus programmers don't spread viruses – people do.
For those who fight viruses, casual virus programmers and “script
kiddies” are not the real threat. Sure, they can create a lot of trouble.
Types of Viruses
Not all computer viruses are equal. After all, virus writers are often
trying to impress their colleagues. Nobody would be impressed if they all
did the same thing. So, yes, there is a lot of variety, not only in what
viruses do and how they spread, but also in their methodology.
Computer virus.
A small piece of software that is designed to piggyback on other
programs to work and spread. For example, a virus may be designed
to attach itself to a particular operating system file. Whenever a
particular operation is performed on that computer, the file is run. The
virus is also run, leading to the virus spreading and doing what it was
designed to do.
Email virus.
An email virus is designed to spread specifically through email. It
does not attach itself to other software. Instead it takes advantage of
email. For example, it may be spread by email attachment. Whenever
a user opens the attachment, it will run the virus. Typically the virus
will automatically and invisibly email itself to other email addresses in
your email software, such as your contacts. Some email viruses are
even designed not to require the user to open the file at all.
Trojan Horses.
A trojan is a program that disguises itself as one thing while actually
doing another. For example, a trojan may masquerade as a movie
file, screensaver, or perhaps a picture file. When “opened”, the trojan
will infect the PC.
Worm.
A worm is a piece of software that is designed to take advantage of
security holes in software or networks in order to spread. When it
spreads to a computer, it will begin to scan the network for other
computers with the same security hole. If it finds an available host, it
will spread itself.
1. Boot Virus: A boot virus is designed to infect the master boot record
of the hard disk. The master boot record is that area of the hard drive
which is responsible for booting your computer when you turn it on.
When a virus is able to infect this section of your hard disk, it will be
executed immediately after you turn on your computer, before your
operating system even has a chance to load.
2. Program Virus: This is a virus which is run just like any other
program on your computer. Such a virus may have a file extension
like BIN, COM, EXE, DRV (driver file) or SYS (system driver). When
As you can see, there are a lot of very creative ways to breach the
security of your computer. As software on our computers gets larger and
introduces more features, more and more effort is made to make things
more convenient. However, convenience sometimes means opening things
up to security breaches. Since virus authors are just as creative as the
programmers of your favorite software, there are about as many avenues
of attack as there are programs available to your computer.
Virus Examples
There are new viruses, worms and trojans coming out all the time.
The volume of new virus activity is actually pretty staggering. Some worms
and viruses end up becoming more famous than others due to the speed of
spread or the type of damage it causes. This, of course, is what the creator
of the virus wanted – media coverage and notoriety. The larger majority of
viruses do not end up creating much of a ripple. Others can create tidal
waves.
on the 3rd of each month, about 30 minutes after the computer starts
up. The worm was designed to do many things. For example, it would
try to disable security software installed to the computer as well as
attempt to destroy certain kinds of Microsoft Office files. When
executed, it would attach itself to rundell16.exe, scanregw.exe,
update.exe and winzip.exe. The most common emails carrying
this worm are those advertising Viagra. For more information, read
about W32.Blackmal.E@mm at Symantec.
4. Mydoom: This was another famous worm that spread quickly by way
of mass email over computers powered by Windows. The worm
spread by way of emails that looked to be error emails, such as “Mail
Delivery System”, “Test”, or “Mail Transaction Failed”. The email had
an attachment that, if executed, would infect the PC with the worm.
The worm would then scan for email addresses locally on the infected
computer (such as in the Address book) and email everybody in it.
Once infected, the PC would serve as a zombie for spammers,
allowing back door remote control of the computer via port 3127. A
second version of the worm would block internet access to Microsoft
as well as the sites of many anti-virus software, thereby blocking
access to updated virus definitions and updates to Windows. You can
get more information at Viruslist.com.
5. SoBig.F: SoBig was a very well known computer worm that was also
a Trojan. It spread by way of e-mail yet again, however it was also a
Trojan because the email was designed to look like something
benign. The email would typically have a subject line like “Re:
Approved”, “Re: Thank you!” or “Re: Your application”. These subject
lines were designed to trick the user into thinking it was a legitimate
email and even a reply from an email they had sent earlier. The email
would contain the text “see the attached for details” and would
contain an attachment, usually with a PIF file extension. Opening the
6. Blaster: This worm infected Windows powered PCs as well and was
designed to launch a denial of service attack on windowsupdate.com.
A denial of service (DoS) attack is when a particular server is so
overloaded with incoming requests that it cannot handle legitimate
requests. So, the idea was to have infected computers
simultaneously hammer the Windows Update site such that the
service went offline. The worm was fairly easily stopped and the rapid
spread of the worm was eventually mitigated. The worm was also
known as Lovsan because inside the source code of the virus was
the line “I just want to say I love you San”. Notably, though, there was
another line which read “Billy Gates why do you make this possible?
Stop making money and fix your software!!”.
Those viruses that make the most press are often worms due to the
volatility with which they can spread. Also, Microsoft Windows often makes
the biggest target.
3. Increased level of disk access. The hard drive may get very busy or
may be accessed when you are not doing anything. The floppy
diskette drive (if you have one) may be accessed without explanation.
With the hard drive, it is easy to confuse this activity with normal
operating system maintenance activity.
It is also worth noting that it is possible that your computer has trojans
or other viruses laying dormant on the machine without your knowledge.
For example, most people will routinely get viruses emailed to them. This is
not really a matter of concern because, in most cases, you have to actually
open the attachment to begin infection. Besides, your virus scanner should
detect these. Via one method or another, it is not uncommon for a
computer to have various malware installed and not know about it. You will
not notice any symptoms simply because the computer is not officially
infected until the malware is actually executed.
Microsoft Windows is the most common attack point for virus writers.
According to statistics, there are over 140,000 known viruses for Windows,
around 4,000 for MS-DOS, and only 30 for Linux and 1 for Mac OS X. So, if
you are running a computer powered by Microsoft Windows, this is
certainly a problem you need to concern yourself with.
This is not to say that Linux and OS X users are immune. As noted
earlier, many virus writers have a particular bone to pick with Microsoft.
Perhaps they are jealous over the company's success and just want to
poke holes in their software. Whatever the motive, the popularity of
Windows also makes it an ideal target. The user population of OS X and
Linux is nowhere near as large as that of Windows, making it not as
attractive as a target.
Virus Prevention
Now that we have covered the general background of computer
viruses, it all comes down to one thing: how do you prevent it? The good
news is that it is very easy to prevent and it is not going to take long to
explain this to you.
1. Install and use an anti-virus program. I will list some options for you
below. This single act will prevent almost any type of infection you
can have.
2. Enable any real-time monitoring that comes with your security suite.
This will watch your computer for any signs of infection at the time of
execution.
4. Allow the software to perform a full system scan of your hard drives
for viruses at least twice per month.
6. Just in case, prepare a rescue disk with critical system files that will
allow you to boot the computer in case of a serious issue that keeps
the system from properly booting.
7. Go into your BIOS and make the C drive your primary boot drive. In
other words, place the C drive first in your boot order. This will
mitigate somewhat the effect of boot record viruses from external
media such as floppies.
9. Keep your operating system patched with the latest updates. Users of
Windows need to run Windows Update fairly often because they are
always finding and patching vulnerabilities in that operating system.
10. Treat all email suspiciously if it has an attachment. Even if the email
looks like it came from a close friend or family member, the virus
examples above should show you that sometimes that only means
your friend or family member has an infected PC.
11. Regularly back up your files. Should the worst happen, you can
always get your data back from backups.
There are a lot of different options out there for anti-virus software:
7. Nod32. A very fast and lightweight anti-virus scanner which has been
around for years. Definitely a good option if system performance
impact is of major concern to you.
www.eset.com
There are many, many others. Obviously, with the prevalence of the
threat and the fact that so many people use Windows, a lot of companies
have gotten on the bandwagon offering their own security suites for
Windows.
Virus Removal
Anti-virus software mostly works the same way. It scans your hard
drive for particular signatures that indicate a known computer virus that is
contained in the virus definitions supplied by the company. If it finds a sign
of a virus, it will typically offer to quarantine or delete the infected file.
Quarantining the file will place it in a tightly controlled area by the anti-virus
software so that it cannot infect the computer.
The best thing to do is first spot exactly which virus is infecting your
computer. Usually your anti-virus program will identify this for you. Next
(and only if your antivirus program cannot do it for you), you will need to go
online and search for removal instructions for the virus that you have.
Usually you will find information on the major sites of antivirus software
vendors. For example, Symantec maintains a library of removal tools for
various viruses at:
www.symantec.com/business/security_response/removaltools.jsp
If there is no removal tool which automates the job for you, often you can
find to-do lists on how to manually remove it yourself. Many times the
If your computer gets infected with a particular bad virus that does
real harm to the files on your drive, your only option may be to format the
computer and re-install Windows. This is a last resort option only if the
computer is so far gone that you are pretty sure you will not be able to
1. Install the second hard drive to your computer and re-install all of
your software to the NEW hard drive.
2. Next, attach your old, infected hard drive to the new computer as a
second drive. If it is an IDE drive, connect it as a slave. If it is a SATA
drive, simply connect it.
3. When you reboot the computer, make sure to go into your BIOS and
make sure the NEW drive is designated as the bootable drive so that
your computer does not attempt to boot with the infected drive.
5. Only when the files check out as completely clean, you can copy and
paste those files over to your new hard drive.
A Word on Hoaxes
The world of computer viruses is not always understood by people.
Often that lack of understanding can lead to unnecessary worry. This has
given rise to virus hoaxes. A virus hoax is meant to simply scare people
3. If the email contains a bunch of technical jargon, don't fall for it.
Sometimes the hoax creators take advantage of the public's lack of
technical knowledge to fool them into thinking they know what they're
talking about. Even a janitor can appear as a doctor if they use
enough Latin words! Don't fall for it.
If you suspect that you have gotten a virus hoax email, do not forward it. If
you find clear evidence that it is a hoax, reply to your friend and tell them
they just got duped. It will at least keep them from emailing it to others.
Additional Resources
Computer Knowledge Virus Tutorial
http://www.cknow.com/vtutor/index.html
The Internet can be a great place to visit and can contain a wealth of
information that is made readily available at your fingertips, but like
anyplace else, you must exhibit a certain degree of caution while making
your way around. Wariness coupled with awareness can go a long way to
help combat spyware.
If you're a firm believer in the argument that you "don't have any
important data on your machine," just take into consideration that your
computer has the potential for conducting illegal activities and privacy
invasion. Like owning a car, owning a computer comes with certain
Types of Spyware
The single, all-encompassing term "spyware" is more or less a
misnomer, for there are a number of different kinds of software that engage
in data harvesting and come under the broad, umbrella-like term "spyware".
Spyware can be loosely associated with viruses, with Trojans and worms
being the closest relatives, but there is a fine line of difference. Viruses
are typically self-replicating. They can copy themselves and spread from
computer to computer through security holes and exploits, as well as
relying on a user's poor security habits to quietly slip into an unguarded
Adware
Browser Hijackers
Computer Barnacles
Dialers
There are two basic methods that dialers operate under. The first is
via security holes in Windows Operating Systems. They either use the
Windows dialer, another legitimate third party dialer, such as one included
with AOL, or someone's own malware dialer. The other method entices the
user with promises of special content only if they call the number listed,
which usually appears on sites providing pornography, warez, game
cheats, or any other "shady" activity.
Keyloggers
Malware
Interestingly enough, the prefix for this term in both the French and
Spanish languages translates to "bad". No argument here about that
description. It has also been stated that the term has been shortened from
the word "malicious" and combined with the word "software". Either way,
malware is software that intentionally causes harm on a computer system.
Malware should not be confused with faulty software containing bugs, for
bugs, no matter what the problem may be, are not intentional.
A less common form of malware that doesn't really fall under any
other categories and engages in self-replication is referred to as a "wabbit".
It doesn't self-replicate from system to system, but rather, uses a simple
recursion algorithm to replicate itself indefinitely to clog up system
resources until the system is rebooted. Any first year application
programmer has the ability to create one.
Spyware
Users who are not aware of the cause of all these problems
sometimes ditch their infected computer and go out and buy a new one.
That is a waste of money, as well as a waste of a perfectly good computer.
Either awareness or a visit to a PC technician can help take care of a
spyware-infested system. Spyware has caused more visits to PC
technicians than any other problem in the last couple of years, and it
continues to grow.
Trojan horse programs work in much the same way; they may appear
useful or interesting at first glance to an unsuspecting user, but like the
Greeks' Trojan Horse, that is certainly not the case. A Trojan is a form of
malware that cannot engage in self-replication, but can be harmful when
executed. A Trojan can be deliberately attached to otherwise useful
software, distributed on its own posing as useful software, or can be spread
through a variety of download methods over the Internet (i.e. email, IM, and
file sharing) by tricking users into opening it. Note that Trojans cannot spread
of their own accord; they must be "invited" into systems, per se. They rely on
unsuspecting users to pass them around. If the Trojan poses as a harmless
joke or screensaver, for example, the idea is that unsuspecting users will
pass it along to their friends. It's yet another reason to ignore those chain
emails with "re: re: re:" in the subject header.
Worms
The name "worm" was taken from a 1970s Sci-Fi novel, The
Shockwave Rider by John Brunner. While working on a research paper on
experiments in distributed computing, researchers noted similarities
between their software and the program described in the novel, and thus
adopted the term.
These are terms that aren't directly related to spyware, but have been
mentioned briefly and will be mentioned later on. They're good to know
within the general scheme of things, for general awareness.
ActiveX Pop-up
Browser Cache
This is where all temporary webpage data is stored. All files that are
downloaded within your browser end up here, which can include: html, php,
cgi, jpg, gif, bmp, png, wma, txt, etc.
DoS Attack
DDoS Attack
JVM
MAC Address
msconfig
Phishing
UI - (User Interface)
This can be text based or graphical based. GUI (Graphical User Interface)
is the term most people are familiar with seeing.
Virus
Warez
Zombie Computer
✓ When you start your computer, or when your computer has been idle
for many minutes, your web browser opens to display
advertisements.
✓ When you use your browser to view websites, new browser windows
open to display website advertisements. This isn't always
attributed to spyware on your system, however. The website you
are visiting could be supported by these pop-ups.
✓ When you click a link in a program, the link does not work, or it
redirects you somewhere that you did not intend to go.
✓ Your browser suddenly closes or stops responding. Not just once, but
almost every time you use it.
✓ There are several processes listed in the task manager that you don't
recognize as legitimate programs or Operating System
components.
ActiveX
www.spywarewarrior.com/rogue_anti-spyware.htm#products
Advertisers will use every trick in the book to grab your attention.
They will use interactivity and movement, your sense of curiosity, your
sense of humor, your sense of justice and right and wrong, your sense of
greed and desire, and just plain unawareness or credulity simply to get you
to click. Your click on an ad registers "Ka-Ching!" for the advertiser, both in
terms of monetary profits and the installation of spyware for the purpose of
data harvesting.
At first glance, it looks like a serious Windows error message, and some
users will click the "yes" almost automatically. However, if you look in the
bottom right corner of the ad, it says "advertisement" in small light gray
letters. It's somewhat hard to catch if you are just skimming a webpage
quickly. The other thing to know about these ads is that it doesn't matter
where you click on the ad; the whole ad is a clickable image that can
Phishing
✓ Check the webpage address for anything out of the ordinary. For
instance, if the phishing attempt includes a link to a form that asks
you to fill out personal information and does not contain the
legitimate website's base address, it is most likely a phishing
attempt. For example, if the attempt happens to be for Ebay and
the link does not include ebay.com somewhere near the beginning
of the address, it is most likely a phishing attempt. In addition to
that, some phishing links can appear with letters switched around
or omitted in the base address so it still looks like a legitimate
address at a quick glance. www.microsoft.com may appear as
www.mircosoft.com, www.micosoft, or may have an addition made
to the front of the address such as www.msn-microsoft.com. It is
also suggested that you do not actually click on the link because
the website may be a host to all sorts of spyware and malware.
So, if it doesn't fool you into entering information, it will at least get
that junk installed on your system.
✓ Beware of redirection links. Links that may look official may actually
redirect you to a phishing webpage.
✓ Never fall into the trap of "get rich quick" schemes, especially if you
are called to perform some sort of service beforehand, and
especially if it's for someone in a 3rd world country.
✓ Never fall into the trap of emails asking for money or to help shuffle
money around, especially if they say something like, "Help me. I'm
really a displaced prince and will have access to a numbered bank
account I will share it if you help" or "Help, I was the victim of a
horrible tragedy and could use your monetary assistance through
this difficult time." These are the kinds of scams where the phrase
"a fool and their money are soon parted" can be applied today.
Don't fall into the trap!
✓ For any email asking for personal information regarding some sort of
user or bank account, watch out for these (or similar) phrases
found in the email's subject or body: "Dear Valued Customer",
"Verify your account", "If you don't respond in [this amount of time],
your account will be closed", and "Click the link to gain access to
your account".
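The address checks in this list can be expressed as a small classifier. The following Python is an added example, not code from the original ebook; the sample links and the verdict names are constructed, and it assumes the legitimate site uses a single-label top-level domain such as .com (it is a heuristic, not a substitute for simply not clicking):

```python
import re
from urllib.parse import urlsplit

# Constructed sample links modelled on the page's examples (not real phishing URLs).
SAMPLE_LINKS = [
    ("http://www.microsoft.com/security", "microsoft.com"),
    ("www.mircosoft.com", "microsoft.com"),                  # letters switched around
    ("www.micosoft", "microsoft.com"),                       # letter omitted, no TLD
    ("http://www.msn-microsoft.com/login", "microsoft.com"), # addition to the front
    ("http://signin.ebay.com.example.net/", "ebay.com"),     # brand is not the base address
    ("http://www.ebay.com/r?u=http://evil.example/", "ebay.com"),  # official-looking redirect
    ("http://203.0.113.5/ebay/signin", "ebay.com"),          # bare IP, brand only in the path
]

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _with_scheme(link: str) -> str:
    """urlsplit only recognises a hostname when a scheme is present."""
    return link if "://" in link else "http://" + link


def hostname_of(link: str) -> str:
    """Lowercase hostname of a link (a bare 'www.example.com' is accepted)."""
    return (urlsplit(_with_scheme(link)).hostname or "").lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap two adjacent
    letters, so 'mircosoft' (swapped) and 'micosoft' (omitted) are each one edit from
    'microsoft'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_link(link: str, expected: str) -> str:
    """Classify a link against the base address it claims to belong to (e.g. 'ebay.com').

    Verdicts (constructed names):
      'legitimate'             host is the base address or a subdomain of it
      'redirect'               legitimate host, but the query string carries another URL
      'ip-address'             a bare IP instead of a name
      'brand-in-other-domain'  brand present, but not as the base address
      'lookalike'              a label is within a few edits of the brand name
      'unrelated'              none of the above
    """
    host = hostname_of(link)
    brand = expected.split(".")[0]
    if IPV4.match(host):
        return "ip-address"
    if host == expected or host.endswith("." + expected):
        query = urlsplit(_with_scheme(link)).query.lower()
        return "redirect" if "http" in query or "//" in query else "legitimate"
    labels = host.split(".")
    if any(brand in label for label in labels):
        return "brand-in-other-domain"
    # Tolerance scales with brand length so a short brand such as 'ebay' is not
    # matched by every four-letter label.
    tolerance = max(1, len(brand) // 4)
    if any(edit_distance(label, brand) <= tolerance for label in labels):
        return "lookalike"
    return "unrelated"


def triage(samples=SAMPLE_LINKS) -> dict:
    """Run every constructed sample through check_link and return {link: verdict}."""
    return {link: check_link(link, expected) for link, expected in samples}


if __name__ == "__main__":
    for link, verdict in triage().items():
        print(f"{verdict:22} {link}")
```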
This MSN account phishing attempt is one of the most convincing phishing
attempts that I have noted. At first glance, it looks quite legitimate and even
sports a link to a page that looks convincingly legitimate. Take a look at it
and see if you can apply some of the telltale signs of phishing.
Downloads
When you download a file to install from the Internet, that piece of
software always has a license agreement that can be viewed at some time
during the installation process. This EULA (End User License Agreement)
is included to take care of issues with copyright and liability laws. They
include permissions of what the end user can and can't do with the
software, as well as inform the end user of what the software does and
doesn't do. You will be hard pressed to find someone who actually reads
those license agreements on their own free time. Most users simply click "I
agree to these terms". Included in the terms of agreement can be notices
that forms of spyware may be installed with the main software package,
albeit often hidden within complex legal jargon.
Prevention Techniques
Tightening up system security, keeping up to date with security
patches, and engaging in safe Internet usage are the three main ways to
prevent spyware from entering your computer system. Many of these
techniques rely on each other to maintain overall good system security.
Don't rely on just one or two. Use most, if not all, of these techniques. You
will end up with a much healthier computer.
Administrator Accounts
Show Caution With ActiveX Controls and Plug-ins. In IE, go to Tools >
Internet Options > "Security" tab > Custom Level. Under "ActiveX controls
and plug-ins," set the first two options ("Download signed ActiveX controls"
and "Download unsigned ActiveX controls") to "prompt", and "Initialize and
Script ActiveX controls not marked as safe" to "disable".
From now on, each time an ActiveX object wants to be executed or
installed, you will be alerted with a dialog pop-up. "Yes" will allow the ActiveX
object to do its thing, while "no" will stop it from executing and/or installing.
You must read every "offered" ActiveX download carefully before you
decide to accept it. If it says something to the effect that it will enhance your
browsing experience or searching ability, this is a huge red flag, and it should
not be downloaded and/or executed.
127.0.0.1 ad1.thisadserver.com
127.0.0.1 ad2.thisadserver.com
127.0.0.1 ad3.thisadserver.com
127.0.0.1 ad9.thisadserver.com
Sunbelt can shorten this and cover a lot more entries by adding this line of
code: ad([isx0-9].*)?.. *.. * It will block any addresses that start with “ad”,
followed by a number between 0 and 9.
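An added Python example, not code from the ebook or from Sunbelt, that parses hosts-file entries of the form shown above, applies an assumed wildcard rule (first label "ad" plus digits, standing in for the garbled pattern; the real product's syntax is not reproduced) and produces the explicit lines a system without wildcard support would need. The hosts fragment and hostnames are constructed:

```python
import re

# Constructed hosts-file fragment in the format shown on the page (not a real blocklist).
HOSTS_TEXT = """\
127.0.0.1 localhost
127.0.0.1 ad1.thisadserver.com
127.0.0.1 ad2.thisadserver.com   # trailing comments are allowed in hosts files
0.0.0.0   ad9.thisadserver.com
# 127.0.0.1 disabled.example     (a commented-out entry must not count as blocked)
"""

# Addresses that make a hostname resolve to nowhere useful: the blocking trick the page describes.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately point at loopback and are never "blocked".
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed wildcard rule: hostnames whose first label is 'ad' followed by one or more digits.
WILDCARD_RULES = [re.compile(r"^ad[0-9]+\.")]


def parse_hosts(text: str) -> set:
    """Return the hostnames that a hosts file maps to a sinkhole address."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        if address in SINKHOLE_ADDRESSES:
            blocked.update(n.lower() for n in names if n.lower() not in NEVER_BLOCK)
    return blocked


def is_blocked(host: str, blocked: set, rules=WILDCARD_RULES) -> bool:
    """True if the host is listed explicitly or matches a wildcard rule."""
    host = host.lower().rstrip(".")
    return host in blocked or any(rule.search(host) for rule in rules)


def missing_entries(seen_hosts, blocked: set, rules=WILDCARD_RULES) -> list:
    """Hosts-file lines to add so that every host matched by a wildcard rule but not yet
    listed explicitly becomes blocked on a system that has no wildcard support."""
    lines = []
    for host in sorted({h.lower().rstrip(".") for h in seen_hosts}):
        if host not in blocked and any(rule.search(host) for rule in rules):
            lines.append(f"127.0.0.1 {host}")
    return lines


if __name__ == "__main__":
    blocked = parse_hosts(HOSTS_TEXT)
    for host in ["ad1.thisadserver.com", "ad3.thisadserver.com",
                 "www.thisadserver.com", "localhost"]:
        print(f"{host:28} blocked={is_blocked(host, blocked)}")
    print("\n".join(missing_entries(["ad3.thisadserver.com", "ad7.example"], blocked)))
```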
Email Safety
Protect your email address like you would your phone number. This
helps cut down on spam and other junk that comes through email. The
same goes for your IP address, especially if it's static.
There is a problem with emails that arrive in HTML format. With most
legitimate sites, it's no big deal, but with HTML spam, there can be all sorts
of junk code in the background that you really wouldn't want running. There
are a few methods to stop this from happening. The first is to disable your
email preview pane (found in Outlook, Outlook Express, Mozilla, Netscape,
and a few other email clients). If you're using Outlook, go to View and
uncheck "Preview Pane". In OE, go to View > Layout and uncheck
"Preview Pane".
By default, Windows hides all file extensions for recognized file types
(jpg's, exe's, zip's, etc.). This makes it easy for executable malware files to
be disguised as a recognized file that doesn't look harmful. To reveal all file
extensions, open up "My Computer" > Tools > Folder Options > "View" tab
and uncheck "Hide extensions for known file types".
IE Search Toolbars
Install a Firewall
Basic firewalls have two uses. The first is to monitor connections and
programs requesting access to the Internet, which is referred to as an
JVM Security
Web pages that still use browser recognition scripts will sometimes
force you to use IE on their webpage saying something to the effect of
"This webpage does not support your browser." In other instances where
there may not be a recognition script, the page will simply appear not to
work correctly. In cases like these, yes, you will need to use IE for the time
being. Luckily, this does not happen often and many good web designers
are moving towards using coding standards, rather than using sloppy
browser-specific coding.
Windows Processes
Scanning Tools
The two most common and most used spyware tools, Lavasoft's
Adaware and Spybot Search&Destroy have been cleaning infected
systems for a few years now. Both still come highly recommended for your
spyware combat arsenal.
This is just one large reason why a single scanning utility is not enough.
Spyware utility companies should not be playing the
"scratch-my-back-and-I'll-scratch-yours" game with spyware vendors. In order
to catch everything, you need to run multiple scanning utilities on your system.
The Adaware/Spybot combination can do a good job at getting rid of adware/spyware, but
Two other tools worth mentioning are Spy Sweeper and Pest Patrol.
Both of these products are worthwhile, but they are not free. There are plenty
of free products available, so these tools are not necessary as a first
line of defense. Spy Sweeper is a very good tool to use as a last resort
when other utilities have not succeeded in removing certain forms of
spyware.
Last but not least, the final scanning utility you may want to run is
HijackThis (http://www.spywareinfo.com/~merijn/programs.php). HijackThis
is a technical scanning utility which lists all running processes, installed
or altered system modules, browser settings and startup entries. It is best
if this program is run right after startup. Note that it lists legitimate
entries right alongside malicious ones and will remove whatever you tick, so
do not "fix" an entry you cannot identify. Their site also has a link to a
tutorial which will help you interpret a HijackThis log by giving a more
detailed description of each entry. If you are still unsure about what may
or may not be legitimate and what should be removed, there are many
computer forums across the Internet with experienced techs who are willing
to help users identify pests that appear in HijackThis logs. Simply copy and
paste the log's contents into a new thread and courteously request
assistance. Also, be sure to clearly state what Operating System and
Service Pack you are running.
http://www.intermute.com/spysubtract/cwshredder_download.html
Another annoying pest is the infamous "About:Blank" home page in IE. If it
is a hijack and not a simple home page change (the CoolWebSearch family is
the usual culprit), this pest often cannot be picked up by existing spyware
or AV utilities. PCHell.com has a tutorial on how to deal with this issue.
http://www.pchell.com/support/aboutblank.shtml
This fix may seem like a daunting task, but if it is taken one step at a time, it
shouldn't be all that overwhelming.
AboutBuster (http://www.malwarebytes.org/aboutbuster.php) is
another alternative for getting rid of "About:Blank", but use it only after a
spyware scan, and only if other problems accompany it. Those problems can
include random pop-ups and the home page being reset to "About:Blank", or
sometimes to something similar to "res:///random".
✓ 180solutions
✓ B3D Projector
✓ BackWeb
✓ BargainBuddy
✓ ClickTheButton
✓ CometCursor
✓ CommonName
✓ DownloadWare
✓ eAnthology/eAcceleration
✓ GoHip
✓ HotBar
✓ IEDriver
✓ Internet Optimizer
✓ IPInsight
✓ ISTBar
✓ MediaLoads
✓ MySearchBar
✓ N-Case
✓ NetworkEssentials
✓ SaveNow
✓ SearchAssistant
✓ SubSearch
✓ TopText
✓ WeatherCast
✓ Win32 BI Application
Next, go to Start > Run, type msconfig and hit enter. Once you have
the System Configuration Utility open, go to the “Startup” tab and uncheck
anything unfamiliar that you don’t want to load when the computer starts
up. You do not need to reboot when prompted.
Next, make sure the detection definitions for Ad-Aware, Spybot, and
Microsoft AntiSpyware are up-to-date. Each of these tools has its own
web update utility built in. If the spyware infestation is really bad, go
ahead and skip this step for now, but make sure you do eventually go back
to perform the updates and rescan the computer with all three removal
tools. Another option is to just download the updates, then boot in safe
mode to perform the spyware scans, so that the spyware is not running while
the scanners try to remove it.
After the first set of spyware scans, be sure to clear the browser
cache, history, AutoComplete forms, and temp files. Then reboot and run
the spyware removal utilities again. There are actually components that are
not always detected the first time through, especially if the count is over a
dozen separate items.
Next, run the HijackThis utility. Details on its use were given
earlier, near the end of the "Scanning Tools" section.
HijackThis can also help you identify self-regenerating pests so you can
find the appropriate removal tool to remove them.
When all's said and done, that’s the basic framework of a spyware
removal procedure. The procedure can be altered and items swapped
around when necessary, but this is one of the most efficient and effective
removal procedures to make the most of your time and efforts.
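Both the "Scanning Tools" section and the last step of this procedure lean on reading a HijackThis log, so here is an added example of the first-pass triage a forum helper does on one by eye. This is my code, not the guide's and not the HijackThis authors'. The log is constructed in the tool's line format (R0/R1 browser settings, O2 browser helper objects, O4 startup entries, O17 DNS settings), with made-up paths, CLSIDs and DNS address, and the heuristics are mine: a flag means "look closer", never "fix".

```python
# Added example (not from the original guide or the HijackThis authors): a
# first-pass triage of a HijackThis log, the kind of look a forum helper gives
# it before replying. Heuristics are mine; a flag means "look closer", not "fix".
import re

# Constructed log in the tool's line format. Paths, names, the CLSIDs and the
# DNS address are made up for this example.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sp.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcmech.com/
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\hkfvo.dll
O2 - BHO: Acrobat Helper - {66666666-7777-8888-9999-000000000000} - C:\Program Files\Adobe\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Loader] C:\DOCUME~1\USER\LOCALS~1\Temp\wupd32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 203.0.113.11
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
SETTING_RE = re.compile(r"^(.*?) = (.*)$")        # R0/R1: key = value
RUN_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")    # O4: hive: [name] command
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def parse_log(text):
    """[(entry type, detail)] for every HijackThis-style line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def suspicious_reason(kind, detail):
    """Why an entry deserves a closer look, or None if nothing stands out."""
    if kind in ("R0", "R1"):
        m = SETTING_RE.match(detail)
        value = (m.group(2) if m else "").lower()
        if value == "about:blank" or value.startswith("res://"):
            return "start/search page set to about:blank or a res:// DLL (classic hijack)"
    elif kind == "O2":
        m = BHO_RE.match(detail)
        if m and m.group(1) == "(no name)":
            return "browser helper object with no name"
    elif kind == "O4":
        m = RUN_RE.match(detail)
        command = (m.group(3) if m else detail).lower()
        if "\\temp\\" in command or "\\locals~1\\" in command:
            return "program auto-starts from a temporary folder"
    elif kind == "O17":
        return "DNS server override; confirm the address belongs to your ISP"
    return None


def triage(text):
    """[(entry type, detail, reason)] for the entries worth asking about."""
    flagged = []
    for kind, detail in parse_log(text):
        reason = suspicious_reason(kind, detail)
        if reason:
            flagged.append((kind, detail, reason))
    return flagged


if __name__ == "__main__":
    for kind, detail, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {detail}")
```

The two legitimate-looking lines (the pcmech.com start page and the named Adobe helper) pass untouched, which is the point: the value of a log like this comes from knowing what normal looks like, not from ticking every box.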
There are a significant number of people out there who firmly believe
that just because something is free, there's a catch, but if you pay for
something that appears to do the same thing that is offered for free, it just
has to be better. This is not necessarily the case. Free alternatives are
usually best explored first, and more often than not, they turn out to be
equal to or better than purchasable alternatives.
All in all, there has been a huge amount of information thrown at you
in this section. I hope it has gone to help you become more aware of
spyware and ways to help protect yourself from it. Just be smart and aware
of some of the things out there. Put your newfound knowledge to use and I
guarantee you'll come out ahead of the game. Good luck!
Let's take myself for example. On any given day, I used to download
about 3,000 emails to my main email account. I would estimate that at least
90% of that is SPAM, and due to the filters I have set up, most of it is
automatically placed in my "Deleted Items" folder. This amount is the result
of quite a bit of work to bring the amount down, for PC Mechanic as a site
receives closer to 50,000 emails every day. I, as the owner of the site,
would normally receive the brunt of it. I did some configuration on the web
servers to automatically delete much of it, then yet another level of server-
side filters, and then yet
Once email hit the scene, it didn't take long for mass marketers to
recognize the usefulness of the medium. It makes its way to people's
computers and it is free. No postage. Mailing lists are collected in a variety
of ways. There are even little programs that will browse the web and
harvest email addresses from public websites. This is, no doubt, how my
email addresses have ended up on so many mailing lists. The medium
being so new, it remained essentially uncontrolled territory for quite
a while. In 1999, there were the first attempts to propose legislation in the
United States to control the problem. That went on until the passage of the
CAN-SPAM Act in 2003, but the effectiveness of this legislation is certainly
limited.
Why SPAM?
Yes, Spam is the name for that little blue can of processed "meat"
made by Hormel that you can find in the grocery store. The meat is junk, which
is fitting, but I'm not sure that's the source of the word we've grown so
fond of. Actually, the generally accepted derivation of the word is a Monty
Python sketch, in which a group of Vikings in a cafe sing
"spam, spam, spam, spam" so loudly and so often that they drown everyone else out.
In the early days of the internet, when the net was mostly populated by
nerds in the classical sense, there were very few net surfers who didn't
appreciate Monty Python, so I guess the word caught on, and I can see the
correlation.
When we hear the word SPAM, our first thought is unsolicited junk
mail. For most practical purposes, this covers it. But, some have simply
defined it as "unsolicited email". This is an incomplete definition simply
because most of us get emails every day we didn't directly ask for. It's
simply not plausible for each of us to give people a call and say "Hey, send
me an email." It's silly. Others have said SPAM is email coming from an
unknown source. Again, this is incomplete because people receive emails
every day from people they do not know. If I only accepted emails from
people I knew, then anybody reading this book or visiting PC Mechanic at
all could never email me. What most people mean when they think of
SPAM is simply annoying email. If they find the email annoying in some
fashion, then it's SPAM. This definition gets a little closer, but it is still
left to the preference and mood of the recipient and, for this reason, is not a very
While Scelson may escape many of the anti-spam tactics, others are
not so lucky. There are an estimated 2,000 spammers in the United States.
Many companies spend millions battling SPAM. Microsoft and AOL have
had strong anti-spam efforts. Earthlink has pending legal action on a long
list of known spammers. A spammer named Howard Carmack, known as
the "Buffalo Spammer", was sentenced to 7 years in jail on 14 counts of
identity theft and forgery in 2004. He was estimated to have sent 850
million emails. Earthlink won a judgment of $16.4 million against Carmack,
who was accused of using stolen credit cards to sign up for Earthlink
accounts and then using those accounts to send spam.
Understanding SPAM
In order to understand a SPAM message and how to best prevent
them, one needs to know a little bit about how an email works in general.
One doesn't usually think about it. They just type their message along with
a "to" address, and it miraculously arrives on the other end. But, how does
that work? Well, ironically, one can compare it to postal mail, in a way.
When you send snail mail, you have the message in an envelope. The
envelope has a return address and an address to send it to. You put it in
your mailbox, the postman picks it up, and it is sent. The postal service is
the relay for the message, and your letter moves through the system, from
terminal to terminal, until it arrives at the recipient. Email messages, too,
contain a header which serves as the "envelope" for the message. It
Return-Path: <drisley@pcmech.com>
Delivered-To: pcmech-pcmech:com-drisley@pcmech.com
X-Envelope-To: drisley@pcmech.com
Received: (qmail 13463 invoked from network); 17 Jan 2005 15:14:23 -0000
Received: from relay01.pair.com (209.68.5.15)
by qs194.pair.com with SMTP; 17 Jan 2005 15:14:23 -0000
Received: (qmail 87092 invoked from network); 17 Jan 2005 15:14:22 -0000
Received: from unknown (HELO drisley) (unknown)
by unknown with SMTP; 17 Jan 2005 15:14:22 -0000
X-pair-Authenticated: 67.8.75.220
From: "David Risley" <drisley@pcmech.com>
To: <drisley@pcmech.com>
Subject: hello
Date: Mon, 17 Jan 2005 10:14:15 -0500
Message-ID: <040e01c4fca7$355c83d0$6601a8c0@drisley>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MimeOLE: Produced By Microsoft MimeOLE
Now, some of these headers are not very important to the discussion at
hand. But, some are very important to your understanding of SPAM. These
are:
1. Return-path. This is the "envelope" sender: the address the sending
server gave in the SMTP transaction and the one to which bounces are
returned. The receiving server writes it into the message on delivery.
Most of the time, this is a more trustworthy indication of the sender than
"From", because it is very easy to manipulate the "From" header.
However, the sender chooses the envelope address too, so it is just as
possible to forge the return path, and in the case of SPAM it cannot
really be trusted.
2. From. This contains the name (in quotes) and the email address of
the sender. This information is controlled by the email client and can
be very easily altered. In other words, just because an email has
"Paypal" as the From name, don't assume it came from Paypal.
4. X-Mailer. This is a record of the software which the sender claims
was used to send the email. Like "From", it is written by the sending
software, so a spammer can set it to mimic a common email client.
6. Date. This is simply the timestamp for the message, or when it was
sent. The stamp is relative to GMT and will contain an offset. In the
example above, you can see the offset is -0500, meaning 5 hours behind
GMT. This is because I am located in the Eastern time zone. It is set
by the sending computer's clock, which may or may not be set
correctly. Also, in the case of SPAM, you
can look for date headers which are messed up. They can give a time zone
offset that no real time zone uses (real offsets run from -1200 to +1400,
so anything beyond that places them in the middle of an ocean), or use a
mangled timestamp that just doesn't fit the correct format (for
example a year beginning with 0).
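The headers this list leaves out are the Received lines, and they are the ones you actually trace a message with. Each mail server that handles the message adds one at the top, so the topmost line was written by your own server and is the only one you can trust; everything below it arrived with the message and may be forged. Here is an added example (my code, not the guide's) that pulls the connecting IP out of the chain and checks the From, Return-Path and Date headers for the inconsistencies described above. It runs on the sample header above plus a constructed phishing header whose hosts and addresses are documentation values, not real senders.

```python
# Added example (not from the original guide): walk the Received chain to find
# the IP address that really handed the message to your server, and check the
# From/Return-Path/Date headers for the inconsistencies described above.
import re
from email import message_from_string
from email.utils import parseaddr

# The guide's own sample header, used as the legitimate message.
LEGIT = """Return-Path: <drisley@pcmech.com>
Received: (qmail 13463 invoked from network); 17 Jan 2005 15:14:23 -0000
Received: from relay01.pair.com (209.68.5.15) by qs194.pair.com with SMTP; 17 Jan 2005 15:14:23 -0000
Received: (qmail 87092 invoked from network); 17 Jan 2005 15:14:22 -0000
Received: from unknown (HELO drisley) (unknown) by unknown with SMTP; 17 Jan 2005 15:14:22 -0000
X-pair-Authenticated: 67.8.75.220
From: "David Risley" <drisley@pcmech.com>
To: <drisley@pcmech.com>
Subject: hello
Date: Mon, 17 Jan 2005 10:14:15 -0500
X-Mailer: Microsoft Outlook, Build 10.0.2616

hello
"""

# Constructed phishing header: forged From, unrelated bounce address, a lower
# Received line that claims to be paypal.com, and a mangled Date. Hosts and
# addresses are documentation/example values, not real senders.
PHISH = """Return-Path: <bounce-4471@mailer.example.net>
Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.pcmech.com with SMTP; 7 Mar 2005 08:12:44 -0000
Received: from paypal.com (unknown [198.51.100.77]) by mail.example.org with SMTP; 7 Mar 2005 08:12:40 -0000
From: "PayPal" <service@paypal.com>
To: <drisley@pcmech.com>
Subject: Important Notice About Your Account
Date: Mon, 07 Mar 0005 03:12:44 +1500

Your account has been limited.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DATE_FORMAT = re.compile(
    r"^(?:[A-Z][a-z]{2}, )?\d{1,2} [A-Z][a-z]{2} [12]\d{3} \d{2}:\d{2}(?::\d{2})? [+-]\d{4}$")


def received_ips(raw):
    """IP found in each Received header, top (newest, your server) to bottom (oldest)."""
    msg = message_from_string(raw)
    out = []
    for hdr in msg.get_all("Received") or []:
        m = IPV4.search(hdr)
        out.append(m.group(1) if m else None)
    return out


def connecting_ip(raw):
    """First IP in the chain: recorded by your own server, so the one to whois.
    Every Received line below it was supplied by whoever sent the message."""
    return next((ip for ip in received_ips(raw) if ip), None)


def _domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def header_anomalies(raw):
    """Plain-language reasons to distrust the message, [] if none found."""
    msg = message_from_string(raw)
    flags = []
    if _domain(msg["From"]) != _domain(msg["Return-Path"]):
        flags.append("From domain differs from Return-Path domain")
    date = (msg["Date"] or "").strip()
    if not DATE_FORMAT.match(date):
        flags.append("Date header is not in the standard format")
    m = re.search(r"([+-])(\d{2})(\d{2})$", date)
    if m:
        minutes = int(m.group(2)) * 60 + int(m.group(3))
        # Real zones run from UTC-12:00 to UTC+14:00.
        if int(m.group(3)) >= 60 or minutes > (720 if m.group(1) == "-" else 840):
            flags.append("Date offset is not a real time zone")
    return flags


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(name, "connecting IP:", connecting_ip(raw), "anomalies:", header_anomalies(raw))
```

For the legitimate message the connecting IP is relay01.pair.com's 209.68.5.15 and nothing is flagged; for the phish the address to look up is 192.0.2.10, not the 198.51.100.77 "paypal.com" line beneath it, which the sender wrote. A From/Return-Path mismatch on its own is not proof of anything (mailing lists do it legitimately); it is one more score against the message.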
Identifying SPAM
In looking at a SPAM message, we need to also look at the body of
the message and some of the things often done to entice, throw off, or fool
the recipient into responding. Let's look at the biggies:
Hidden URLs
Two other very common URL tricks are redirectors and deceptive
HTML links. There are URLs out there whose only purpose is to
redirect to another web address. They can give the click-through URL a
legitimate-looking name, but clicking on it would route you somewhere else.
Lastly, since much SPAM is in HTML format, the email can have a link
showing the traditional blue, underlined text of a legitimate address, but
actually clicking on the link takes you somewhere else entirely, because the
visible text and the address the browser follows are two separate things in
the HTML. The way to protect yourself against this is to "View Source" on
the message by right-clicking and choosing "View Source". Look for the HTML
Random Characters
Personalization
In order to entice you to open their email, the spammer has to trick
you into thinking it is legitimate. One way to do this is to address you by
name. If they do not have your name, they may use a portion of your email
address and see if they get lucky. Another method is to use a subject line
which you may think is directed to you. Subjects like "Payment Past Due"
or "Important Notice About Your Account" are common. These aren't really
tricks, but more a form of social engineering.
Some spammers will take advantage of the fact that some HTML
simply does not render on the user's screen. For example, doing an
opening and closing bold tag ("<b></b>") would not show up to the user.
However, injected right into the middle of a commonly filtered word, it may
fool some filters into missing it and allow the email through. For example,
the word "mortgage" might get filtered, but the word "mort<b></b>gage"
might not. Sometimes they may use heavily nested tables which do not
show on the user's screen but may fool the filter. Another trick is to inject
bogus text, many times colored the same color as the background, to make
the email seem legitimate to filters which weigh the spam score. So, if the
body of the email that you see is advertising a low-interest loan, but
invisibly it is showing a long diatribe of text which is of an innocent nature,
that email may slip through the filters.
In this practice, the spammer signs up for an affiliate program and
then sets up their own website to promote it. Then they can spam
advertising that website and thereby shield themselves from automatic
notice when the spam is reported. The spammer earns a commission
on sales, and the company hosting the affiliate program benefits from a
large network of resellers. This kind of practice is very common with porn
websites. These sites offer galleries of some variety and then provide an
affiliate link to a larger website on which you need to pay. Any link in an
email which passes an affiliate ID in its URL is more likely to be spam.
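The "Hidden URLs" tricks, the invisible-HTML filter evasion and the affiliate links above are all things a filter catches only if it looks at what the reader would see and where the links really go, rather than at the raw markup. Here is an added example (my code, not the guide's) that does exactly that over a constructed sample message using every one of those tricks: a tag split inside "mortgage", white-on-white filler, a link whose text claims paypal.com but points at an IP address with an affiliate ID, and a redirector. The sample hosts are documentation/example addresses, not real sites, and the parameter names treated as affiliate IDs are my own list.

```python
# Added example (not from the original guide): look at an HTML spam the way a
# filter should, i.e. at what the reader would actually see and where links
# actually go, rather than at the raw markup the spammer has salted.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample using the tricks described above. Hosts are
# documentation/example addresses, not real sites.
SPAM_HTML = """<html><body bgcolor="#ffffff">
<p>Lowest rates on your mort<b></b>gage re<i></i>finance!</p>
<p>Visit <a href="http://198.51.100.8/go?aff=3391">http://www.paypal.com/</a> to confirm.</p>
<p><a href="http://track.example.net/r?u=http://198.51.100.8/loan">Click here</a></p>
<font color="#FFF">Dear colleague, please find attached the quarterly minutes for review.</font>
<span style="display: none">board meeting agenda and budget discussion</span>
</body></html>"""

AFFILIATE_PARAMS = {"aff", "affid", "aff_id", "affiliate", "ref", "refid", "partner", "pid"}
DOMAIN_IN_TEXT = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def _norm_color(value):
    v = (value or "").strip().lower()
    if re.fullmatch(r"#[0-9a-f]{3}", v):          # #fff -> #ffffff
        v = "#" + "".join(ch * 2 for ch in v[1:])
    return v


class SpamHTML(HTMLParser):
    """Collects the visible text and every link's (text, href) pair."""

    def __init__(self):
        super().__init__()
        self.bg = "#ffffff"       # assumed background until <body bgcolor> says otherwise
        self.stack = []           # (tag, hidden?) for each open element
        self.visible = []
        self.links = []
        self._link = None         # [href, text parts] while inside <a>

    def _hidden(self, tag, attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            return True
        color = attrs.get("color") if tag == "font" else None
        m = re.search(r"(?:^|;)color:([^;]+)", style)
        if m:
            color = m.group(1)
        return color is not None and _norm_color(color) == self.bg

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body" and attrs.get("bgcolor"):
            self.bg = _norm_color(attrs["bgcolor"])
        hidden = self._hidden(tag, attrs) or any(h for _, h in self.stack)
        self.stack.append((tag, hidden))
        if tag == "a":
            self._link = [attrs.get("href") or "", []]

    def handle_endtag(self, tag):
        while self.stack and self.stack.pop()[0] != tag:
            pass
        if tag == "a" and self._link is not None:
            href, parts = self._link
            self.links.append(("".join(parts).strip(), href))
            self._link = None

    def handle_data(self, data):
        if self.stack and self.stack[-1][1]:
            return                # inside a hidden element: the reader never sees it
        self.visible.append(data)
        if self._link is not None:
            self._link[1].append(data)


def analyze(html):
    p = SpamHTML()
    p.feed(html)
    p.close()
    return p


def visible_text(html):
    """What the reader sees: 'mort<b></b>gage' collapses back to 'mortgage'."""
    return re.sub(r"\s+", " ", "".join(analyze(html).visible)).strip()


def _host(url):
    h = (urlsplit(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


def deceptive_links(html):
    """Links whose visible text names a different site than the href goes to."""
    out = []
    for text, href in analyze(html).links:
        m = DOMAIN_IN_TEXT.match(text)
        if m and m.group(1).lower().rstrip(".") != _host(href):
            out.append((text, href))
    return out


def redirector_links(html):
    """Links that carry a second URL as a parameter, i.e. bounce you elsewhere."""
    return [href for _, href in analyze(html).links
            if re.search(r"[?&=]https?(?::|%3a)", href, re.I)]


def affiliate_links(html):
    """Links passing an affiliate/referrer ID in the query string."""
    return [href for _, href in analyze(html).links
            if AFFILIATE_PARAMS & {k.lower() for k in parse_qs(urlsplit(href).query)}]
```

Run `visible_text(SPAM_HTML)` and a plain search for "mortgage" succeeds, even though the same search over the raw source fails; the white-on-white paragraph and the display:none span never make it into the text a content filter should score. The link checks are the programmatic version of "View Source": compare what the link says with what its href contains.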
There are many ways you could end up on a spam list. If you are an
internet surfer and enter your email address into various websites, that
could be your opening. It is always best to check out a website's privacy
policy before giving them your email address. Ensure that they will not give
your email address to any third party.
The most common way that spammers get your email address,
though, are email harvesters. Harvesters are programs which are designed
to browse the web just as a search engine's spider would. As it does so, it
searches all webpages for email addresses and records those email
addresses into a database. So, if you run a website and your email address
is posted on the website, you can bet your life on the fact that it will be
picked up by an email harvester and find its way to a spammer's email list.
But, even if you don't host your own website, it can still happen. Ever
posted in an online forum? Some forum packages do not mask your email
address, leaving it wide open for harvesters. If you ever posted to a
newsgroup, you may have leaked your email address that way. These
email catcher programs harvest Usenet posts as well. Some spammers
also use websites to collect email addresses. Sites like porn sites, some
Once you've been picked up by one spammer, chances are you will
end up on a bunch more lists. Spammers make common practice of buying and
selling mailing lists.
1. If the email contains a form to fill out, do NOT fill it out. Forms in email
are about the most insecure and dangerous thing you could fill out.
2. If they send the form as an HTML file which is attached to the email,
do not fill it out.
4. Phishers aren't always the brightest bulbs in the box. Even though
they try to make the email look like it's official, many times its very
obvious to be a fake. Sometimes they send the email with broken
images. Sometimes the text will all be in default Times New Roman.
They're just very bad renditions of an email and you know the real
company would not send that.
5. Do not be fooled by the return address. Many times the email you see
as the return address will be a valid email address of the target
company. However, as discussed above, it is all too easy to
manipulate an email's headers.
6. If you do happen to click the link to the website, look at the URL in
your browser's location bar. Ensure the domain is the site you intend and
that any form you fill in is served over a secure (https) connection; a
padlock alone proves nothing if the domain is wrong.
Spam Laws
The US government has done things to try to curb the problem of
spam. After all, spam is a major problem. It clogs up the internet's data
pathways and costs companies money. The problem is that these laws
really don't mean much at all. Anybody can pass a law, but that doesn't
mean spammers will just all of a sudden turn into great little law followers.
And enforcement of these laws is a problem because it is hard to
sometimes find exactly who the spammer is.
Some other laws which have not passed include the Anti-Phishing Act
and the Anti-Spam Act of 2003 (which is essentially the same as the CAN-
SPAM Act). The Ban on Deceptive Unsolicited Bulk Electronic Mail Act of
2003 would ban the use of email harvesters (CAN-SPAM does as well).
The Computer Owners' Bill of Rights would require the FTC to establish a
"do not email" registry. There are several other proposed laws, all of them
tackling the same problem in different ways.
The idea is that a real person could obviously figure out your real
email address, but an email harvester would not recognize it as a valid
address. If posting your address to the web in HTML, do not use the mailto:
tag. Email harvesters scan the HTML code, not the visible text, so even if
the browser shows an altered address, a mailto: link carrying your real
address in the code will still be harvested.
Contact Forms
If you use a contact form for people to email you, do not use a
standard form-to-mail script which has your email address in the form's
Email Images
Another way to display your email address but hide it from harvesters
is to display your email address in the form of an image. This way people
can see your address, but harvesters cannot. This will only work if you do
not hyperlink the image to your real email address, and do not put the
address in the image's alt text or file name either, since those are in the
HTML code too.
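How much each of these methods buys you depends entirely on how lazy the harvester is. Here is an added example (my code, not the guide's) of a minimal harvester run against the same address published five ways, the page fragments being constructed for the example: a regex over the raw source, and the same regex after decoding HTML character entities and undoing the common "[at]"/"[dot]" munging.

```python
# Added example (not from the original guide): a minimal address harvester run
# against one address published five different ways, to show which
# obfuscations actually defeat it. The page fragments are constructed.
import html
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

PAGES = {
    "mailto link":    '<a href="mailto:drisley@pcmech.com">email me</a>',
    "plain text":     'Write to drisley@pcmech.com any time.',
    "entity-encoded": '&#100;&#114;&#105;&#115;&#108;&#101;&#121;&#64;pcmech&#46;com',
    "munged":         'drisley [at] pcmech [dot] com',
    "image":          '<img src="/images/contact.gif" alt="contact address">',
}


def naive_harvest(page):
    """A lazy harvester: regex straight over the raw HTML source."""
    return set(EMAIL_RE.findall(page))


def better_harvest(page):
    """A slightly smarter one: decode character entities, undo the common
    ' [at] ' / ' [dot] ' munging, then apply the same regex."""
    text = html.unescape(page)
    text = re.sub(r"\s*\[\s*at\s*\]\s*", "@", text, flags=re.I)
    text = re.sub(r"\s*\[\s*dot\s*\]\s*", ".", text, flags=re.I)
    return set(EMAIL_RE.findall(text))


def survey(pages=PAGES):
    """Which publishing methods leak the address: (naive finds it?, better finds it?)."""
    return {name: (bool(naive_harvest(p)), bool(better_harvest(p)))
            for name, p in pages.items()}


if __name__ == "__main__":
    for name, (naive, better) in survey().items():
        print(f"{name:15} lazy harvester: {naive!s:5} smarter harvester: {better}")
```

Entity-encoding and "[at]" munging only beat the lazy harvester; a few extra lines of decoding recover the address. The image is the only form neither version reads, which is why it is the method to prefer when the address must appear on the page.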
Never buy anything from a spam message. Ever. The simple fact is
that spamming is a business. Its about making money. Spammers are not
evil guys out to get you and screw up your day. They are simply in the
advertising business. They employ the marketing method of sheer
numbers. Email millions in the hopes that a few stupid people will respond
to it and generate some business. If nobody ever bought anything, spam
Not only does this help alleviate the motivation to send spam, but it
also reduces your risk of being cheated. Anybody who operates their
business in such a fashion that they see absolutely nothing wrong with
spamming is probably also the kind of person who you should not trust with
your money. I'm sure there are exceptions, but this is just a safe
assumption. There are enough scams out there in spam messages to
assume they all are.
Report Spam
If you are getting spam from one source often, you can report it to the
companies involved. I will address this in more detail below.
Before giving any website your email address, review their privacy
policy to ensure they will not provide your address to any third party. Of
course, some sites might proceed to break their own policy, but most sites
will not.
When filling in a web form, if they offer a checkbox that tells them not
to email you, check it.
At full security levels, your email client should not automatically load
images in emails (a remote image is a beacon: fetching it tells the sender
your address is live), should not run embedded javascript code or other
code, should not start up any other programs on your PC automatically, and
should not launch attached files automatically. Review your email client's
settings and enable as many of these as you can. If you find that your
email client is lacking in security features, you may want to consider
migrating to another email client.
Many ISPs also provide net-based filtering which will filter email
before it even arrives in your in-box. SpamAssassin is a popular product
used for this. The way this works is that the email is scanned as soon as it
arrives at your ISP's mail server. The filter runs a set of tests, each of
which adds to or subtracts from a score: most are content tests on the
body, but many also analyze the headers. If the total score reaches the
threshold to be labeled as spam, the ISP will put the email into a queue of
some kind rather than deliver it to your in-box. On my server, we write all
spam messages to a large text file on the server. I never look at it, but
the point is that I could if I wanted to. The advantages of a filter like
this are great. My favorite is that
If you do not have net-based filtering available from your ISP, you can
use the SpamCop service. It's a paid subscription service, but they will
do the work for you. All your incoming email would be directed to
SpamCop. They filter out the spam and then forward the good emails to
your own, secret email address. You can then log in to the SpamCop
website to view your filtered messages if you please.
Reporting SPAM
Reporting spam is a good way to fight the problem. You need to know
who to report to and what to report. The first rule of thumb is NOT to
complain directly to the spammer. As stated above, any reply to the
spammer simply tells them your email address is valid. That makes your
email address more valuable as a commodity to the spammer. They don't
care how huffy or puffy you get in your email. The proper parties to contact
are the people through which the spammer operates. The idea is to cut off
their ability to deliver spam or to create some sort of backlash against the
Another case you need to look for are people using legitimate mass-
marketing companies to send their spam. The companies that send the
So, the next question remains. How do you determine who to report
the spam message to? Well, read on...
Detective Work
In order to properly report spam, you need to learn a few basic
networking tools. Very often you will see only IP addresses in the email
headers. For those who do not know, IP addresses form the basic building
block of the internet. An IP address is a series of numbers separated by
periods. Every computer connected to the internet has an IP address while
it is connected. Each ISP has a set of IP blocks assigned to it. The
leading part of the address identifies the block (blocks are not always cut
on a period boundary; allocations are ranges such as a /18 or a /24), and
the block is traceable to the ISP through the registries' whois databases.
The remainder of the address identifies a specific machine on the ISP's
network. Additionally, the internet makes use of the domain name system
(DNS) to map those IP addresses to alphanumeric names which can be
remembered by us - people. DNS maps domain names to the specific IP
address of the server which hosts a website, mail server, or any other
server online, and a reverse lookup maps an IP address back to a name.
3. traceroute. A tool to allow you to trace the route which a data packet
follows to arrive at the target server.
Traceroute is used the exact same way as the above two commands (on
Windows the command is named tracert). The results will show you a
listing of all the routers which the data packet had to pass through to
reach the target. See, the way the internet is designed, it is very rare
that you are communicating directly with your target server. Your packets
travel over a series of routers, hopping their way to the target. Each
line of the results represents one hop. If you get "* * *" on a line, it
is because that router was too slow to respond (or because it doesn't
answer traceroute probes at all). Traceroute is just another detective
tool for figuring out where a spammer is located; the names of the last
few hops before the target often tell you which network it sits on.
Whois is run the same way as the prior commands, except that
Windows machines do not have it built in (shame on you, Microsoft). All
domain names on the internet have to be registered, meaning they all have
a person's name or company attached to them along with contact information.
Also, all domains have to be hosted somewhere if they are active, and this
information will be available via the DNS system as well. Even though
Windows users can't run this locally (unless they download a third-party
utility to do so), you can still run such requests via the web. You can try
InterNIC, DNSStuff, or visit one of the regional internet registry websites.
A whois lookup on an IP address (rather than a domain name) is the one that
tells you which ISP owns the block, and that is the lookup you want for an
address pulled out of a Received header. The Regional Internet Registries
(RIRs) control the allocation of IP blocks in certain areas of the world.
They are:
3. Europe. www.ripe.net
5. Africa. www.afrinic.net
"chello080108009124.14.11.vie.surfer.at"
The story is mostly the same for each spam message I look at. I am
getting them from Pakistan, China, Vietnam, Iran, you name it.
Unfortunately, as I said, there is really no receptive ear to reporting to these
sources, even if you are able to track it to a specific company (many
times you cannot). Most of the very obvious spam emails are from foreign
countries. The viagra ads, the sex ads, and those kinds are mostly coming
from reasonably anonymous senders in countries which just don't care
about things like that. Then there are other, cleaner spam messages that
are CAN-SPAM compliant and do lead to legitimate websites. These
companies are likely using companies here in the US to send to a mass
mailing list. There is absolutely nothing illegal about it. And they wouldn't do
it if it didn't generate some business for them. However, it is still spam
because I did not subscribe to these people's mailing lists.
What is the answer? Not easy, that's for sure. The true solution, I
believe, would require a re-vamping of the entire internet email system.
What we need is a system that works like the phone company and the
caller ID service. In early 2005, Microsoft proposed such a plan. They are
testing a system in which the owner of a domain publishes, in DNS, the IP
addresses of the mail servers allowed to send mail for that domain, in a
format specified by the Caller ID for Email spec. The receiving server then
compares the IP address that actually connected to it (the one recorded in
the topmost Received header, much as we did above) against that list, and
can determine whether the sender's domain in the headers is spoofed.
Regardless of what is implemented, though, a true solution is going to
require the cooperation of all email users. Today there are too many
companies that do not monitor their servers for spam or employ filtering.
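The check itself is short, which is part of its appeal. Here is an added example (my code, not Microsoft's and not from the guide) of the kind of evaluation a "publish your sending servers in DNS" scheme performs. It is a simplification in SPF's ip4 syntax (the real Caller ID and Sender ID proposals differ in record format and in which address they check), and the records are constructed and read from a dictionary rather than fetched from live DNS TXT records; the domains and addresses are taken from the sample header above or are documentation values.

```python
# Added example (not from the original guide, and not Microsoft's code): the
# check a "publish your sending servers in DNS" scheme performs, in SPF's ip4
# syntax. Records are constructed and looked up from a dictionary instead of
# real DNS TXT queries.
import ipaddress

# Hypothetical records: pcmech.com allows its relay block plus one address,
# example.org marks everything outside its block as a soft failure.
DNS_TXT = {
    "pcmech.com":  "v=spf1 ip4:209.68.5.0/24 ip4:67.8.75.220 -all",
    "example.org": "v=spf1 ip4:192.0.2.0/24 ~all",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(domain, connecting_ip, records=DNS_TXT):
    """Does the IP that connected to us belong to the servers *domain* published?

    Returns pass/fail/softfail/neutral, or "none" when the domain publishes
    nothing (in which case the check proves nothing either way)."""
    record = records.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # a bare mechanism means "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # A bare address such as ip4:67.8.75.220 is a /32.
            if ip.version == 4 and ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULT[qualifier]
        elif term == "all":
            return RESULT[qualifier]
        # include:, a, mx and the like need live DNS and are not handled here.
    return "neutral"


if __name__ == "__main__":
    # Constructed cases: the guide's relay, the guide's own client address, a
    # forger somewhere else, and a domain that publishes nothing.
    for dom, ip in [("pcmech.com", "209.68.5.15"), ("pcmech.com", "67.8.75.220"),
                    ("pcmech.com", "198.51.100.77"), ("nothing.example", "203.0.113.5")]:
        print(f"{dom:18} from {ip:15} -> {check_sender(dom, ip)}")
```

The caveat the guide's closing sentence points at is visible in the "none" result: the check is only as good as the number of domains that bother to publish a record, and a spammer who sends from a domain he controls can publish a perfectly valid one. It stops forged From domains, not spam.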
One thing is for sure, though - spam is here to stay. You might as well
understand it and learn to deal with it. Hopefully, this section has served
you to do precisely that.
3. Not hanging out with the "bad guys" means you're a lot less likely to
get zapped by them. This means you're a whole lot safer when you're
not surfing warez sites, porn sites, and other sites of questionable
material. The owners of such sites usually have a lower sense of
ethics and you're more likely to encounter PC infections on such
sites.
So, without further ado, here are 9 ways you can hand your PC (or
your identity) over to hackers, spyware applications, and advertising
agencies.
1. Downloading Warez
Warez software is unlicensed software. There are those who actively
try to find and install paid software for free by finding cracked
software and installing it. Besides the fact that this is illegal, it also
opens you up to computer viruses.
And there you have it, 9 easy steps to give a gift of love to your
favorite hacker, identity thief or spammer.
When you create a HOSTS file, you want each server specified to
redirect to your own computer (127.0.0.1, the loopback address). So, what
you're telling the computer is to send all requests for one of these
servers back to itself. The effect is that all calls to ads from these
servers come up blank, thus blocking any potential threat. On Windows the
file lives at %SystemRoot%\System32\drivers\etc\hosts (no extension). Two
caveats: an entry matches the exact hostname only, so blocking "adbrite.com"
does nothing for "1.adbrite.com", and many people prefer 0.0.0.0 over
127.0.0.1 as the sink address, because then the connection fails at once
instead of waiting on whatever web server may be listening on your own
machine.
127.0.0.1 localhost
127.0.0.1 0dp.com
127.0.0.1 1.adbrite.com
127.0.0.1 1.primaryads.com
127.0.0.1 1118.ign.com
127.0.0.1 120x60.lt
127.0.0.1 2.adbrite.com
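Here is an added example (my code, not the guide's) that builds a blocklist in this format from a list of ad servers, rejects malformed names and duplicates, and then emulates the lookup the resolver performs on the file, so you can see what it does and does not block. The input list is constructed from the first few entries above plus a duplicate and a bad entry; the sink address defaults to 0.0.0.0 for the reason given above, and the hostname rule is my own reading of what the resolver accepts.

```python
# Added example (not from the original guide): build a HOSTS-style blocklist
# from a list of ad servers, validate the names, and emulate the lookup the
# resolver performs so you can see what the file does (and does not) block.
import re

# Label rule: 1-63 chars of letters/digits/hyphen, no leading/trailing hyphen,
# whole name at most 253 chars. My own approximation of what resolvers accept.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed input: the first few ad servers from the list above, plus a
# duplicate in different case and an entry that is not a hostname at all.
AD_SERVERS = ["0dp.com", "1.adbrite.com", "1.primaryads.com", "1118.ign.com",
              "120x60.lt", "2.adbrite.com", "1.ADBRITE.com", "not a host"]


def build_hosts(domains, sink="0.0.0.0"):
    """Return (file text, rejected names). Names are case-folded and de-duplicated;
    the mandatory localhost line always comes first."""
    lines, seen, rejected = ["127.0.0.1 localhost"], set(), []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if not d or d in seen:
            continue
        if not HOSTNAME_RE.match(d):
            rejected.append(d)
            continue
        seen.add(d)
        lines.append(f"{sink} {d}")
    return "\n".join(lines) + "\n", rejected


def parse_hosts(text):
    """hostname -> address, the way the resolver reads the file: '#' starts a
    comment, whitespace separates fields, the first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), fields[0])
    return table


def resolve(table, name):
    """HOSTS matching is by exact name only; there is no wildcard, so a
    sub-domain of a blocked name still goes out to real DNS (None here)."""
    return table.get(name.lower().rstrip("."))


if __name__ == "__main__":
    text, rejected = build_hosts(AD_SERVERS)
    print(text, "rejected:", rejected)
    table = parse_hosts(text)
    for name in ["1.adbrite.com", "ads.adbrite.com", "localhost"]:
        print(f"{name:18} -> {resolve(table, name)}")
```

The "ads.adbrite.com" lookup coming back empty is the behaviour to keep in mind: a published HOSTS list is only as complete as the hostnames it enumerates, which is why the lists run to thousands of lines.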