
Malware: what it is and how to prevent it

One of the hot topics with those who e-mail Ars is spyware: how to identify …

Adam Baratz

Introduction

Along with viruses, one of the biggest threats to computer users on the Internet today is malware. It can hijack your browser, redirect your search attempts, serve up nasty pop-up ads, track what web sites you visit, and generally screw things up. Malware programs are usually poorly-programmed and can cause your computer to become unbearably slow and unstable in addition to all the other havoc they wreak.

Many of them will reinstall themselves even after you think you have removed them, or hide themselves deep within Windows, making them very difficult to clean. This guide will detail the different varieties of malware along with basic preventive measures. In a follow-up article, we will examine the removal process and review a set of spyware removers. Although also considered to be malware, programs such as viruses, worms, trojans, and everything else generally detected by anti-virus software will not be discussed here, and the use of the word malware will only explicitly refer to software that fits in the categories listed below.

You can get infected by malware in several ways. Malware often comes bundled with other programs (Kazaa, iMesh, and other file sharing programs seem to be the biggest bundlers). These malware programs usually pop up ads, sending revenue from the ads to the program's authors. Others are installed from websites, pretending to be software needed to view the website. Still others, most notably some of the CoolWebSearch variants, install themselves through holes in Internet Explorer like a virus would, requiring you to do nothing but visit the wrong web page to get infected.

The vast majority, however, must be installed by the user. Unfortunately, getting infected with malware is usually much easier than getting rid of it, and once you get malware on your computer it tends to multiply.

Will anti-virus programs protect against malware?

Anti-virus companies are only beginning to pay attention to malware. Aside from some of the latest versions (many include the malware scanner in the Internet security portion of their suites), most anti-virus programs have little to no protection. Those anti-virus programs that do protect are generally not as thorough as a dedicated malware remover. However, some especially virulent malware that malware scanners may miss will be removed by anti-virus programs, so it is generally a good idea to run a virus scan as well. Some of the anti-virus vendors' delay may be caused by worries they will get sued if they start labeling programs spyware, adware, etc., which has already happened.

Types of malware

Although there is no official breakdown, we can divide malware into several broad categories: adware, spyware, hijackers, toolbars, and dialers. Many, if not most, malware programs will fit into more than one category.

It is very common for people to use the words adware, spyware, and malware interchangeably. Most products that call themselves spyware or adware removers will actually remove all types of malware.

Adware

Adware is the class of programs that place advertisements on your screen. These may be in the form of pop-ups, pop-unders, advertisements embedded in programs, advertisements placed on top of ads in web sites, or any other way the authors can think of showing you an ad. The pop-ups generally will not be stopped by pop-up stoppers, and often are not dependent on your having Internet Explorer open. They may show up when you are playing a game, writing a document, listening to music, or anything else. Should you be surfing, the advertisements will often be related to the web page you are viewing.

Spyware

Programs classified as spyware send information about you and your computer to somebody else. Some spyware simply relays the addresses of sites you visit or terms you search for to a server somewhere. Others may send back information you type into forms in Internet Explorer or the names of files you download. Still others search your hard drive and report back what programs you have installed, contents of your e-mail client's address book (usually to be sold to spammers), or any other information about or on your computer – things such as your name, browser history, login names and passwords, credit card numbers, and your phone number and address.

Spyware often works in conjunction with toolbars. It may also use a program that is always running in the background to collect data, or it may integrate itself into Internet Explorer, allowing it to run undetected whenever Internet Explorer is open.

Hijackers

Hijackers take control of various parts of your web browser, including your home page, search pages, and search bar. They may also redirect you to certain sites should you mistype an address or prevent you from going to a website they would rather you not, such as sites that combat malware. Some will even redirect you to their own search engine when you attempt a search. NB: hijackers almost exclusively target Internet Explorer.

Toolbars

Toolbars plug into Internet Explorer and provide additional functionality such as search forms or pop-up blockers. The Google and Yahoo! toolbars are probably the most common legitimate examples, and malware toolbars often attempt to emulate their functionality and look. Malware toolbars almost always include characteristics of the other malware categories, which is usually what gets them classified as malware. Any toolbar that is installed through underhanded means falls into the category of malware.

Dialers

Dialers are programs that set up your modem connection to connect to a 1-900 number. This provides the number's owner with revenue while leaving you with a large phone bill. There are some legitimate uses for dialers, such as for people who do not have access to credit cards. Most dialers, however, are installed quietly and attempt to do their dirty work without being detected.

Examples of malware

GAIN

One of the oldest and best known examples of malware is from the company Claria, which changed its name from Gator in 2003. Unlike most malware creators, Claria is a legitimate corporation with several big name advertisers and offices in both the United States and Europe. Claria is the maker of Gator Advertising and Information Network Publishing (or just GAIN), which actually consists of two programs that run in the background and work together. One program pops up ads while the other collects personal information. GAIN is typically bundled with other programs, including several published by Claria.

[Screenshots: the About GAIN dialog; an example GAIN pop-up ad]

As far as malware is concerned, GAIN at first glance looks to be a well-behaved program. As can be seen in the above examples, GAIN ads are usually clearly marked as such. Also included with GAIN is a utility that will display which program or programs it was bundled with, and thus require its presence, as shown below.

The program GAIN was bundled with.

Unfortunately, GAIN does not come with an uninstaller of its own. One must use the uninstaller used by the program GAIN came bundled with and hope it does a thorough job.

A closer look at GAIN reveals more troubling features of the program. The first trouble signs come from the GAIN Privacy Statement (the privacy statement from the latest GAIN version, 6.0, is used here). From the privacy policy, we learn GAIN is doing a bit more than simply serving ads. These other functions cause GAIN to cross categories and also fall into the realm of spyware.

From the statement, we learn that Claria likely is not only getting money from advertisements, but they are also gathering information that they can then sell to other entities. Claria also anonymously collects information it finds on the user's computer, including their zip code, first name, software that is installed, even what password they use for eWallet, a program Claria distributes. They do not stop there, however.

We also associate the anonymous information we collect with a particular computer through a randomly generated anonymous ID number

In short, Claria maintains a database with profiles of each machine on which GAIN has been installed. Each profile has all the information mentioned before, along with anything they can infer from that data. Claria doesn't simply store this information away, but also shares some of it with third parties:

We share certain anonymous information we collect in aggregated form with some of our partners and prospective partners... Our partners may use this anonymous aggregated information to improve their services, and may, in some cases, share this anonymous aggregated information with third parties such as their customers.

Keep in mind that, as intrusive as Claria's data collection policies may sound, Claria is still a corporation with a public image to worry about. It is an easy target for lawsuits should Claria attempt something that goes against their user agreements (whether such agreements are legally binding is largely untested).

The larger problem is that the vast majority of spyware programs are created by groups or individuals who will have no problem stealing whatever data they can from you, and they will not keep it anonymous or private. Most spyware creators do not have a valid website, much less any sort of user agreement or privacy statement they are obliged to keep.

webHancer

webHancer is a spyware application that is commonly bundled with other programs. Upon installation, it starts a program that runs in the background. This program, according to webHancer's Privacy Policy, collects details of your surfing, such as the URL, page size, page load time, page completion state, and network delay time of the sites you visit. Looking at their products page, it is obvious they are going to sell the information gathered to other entities, as they attempt to answer questions like "What other sites are my customers visiting? Before? After? Where are they buying?" webHancer claims to have their program installed on millions of desktops, and it's likely that most of those running the program have no idea what it's doing.

Kerio Personal Firewall catching Webhancer

While browsing the Internet for several minutes with Kerio Personal Firewall installed (we'll discuss firewalls later), I was constantly being alerted that webHancer was attempting to access the Internet, always while a page was loading or immediately after it was finished loading. This didn't happen on every page, and there did not seem to be any real relationship between what web site I was viewing and when webHancer would attempt to connect (it went crazy while I was loading Slashdot, for example, but was quiet when I went to Ars).

Because of its deep hooks into Windows, webHancer has been known to leave the computer without working networking after being uninstalled (to fix this, the company suggests installing and uninstalling webHancer again) and may cause errors in other programs.

ISTBar

ISTBar is a combination toolbar and hijacker. It installs a toolbar with search functions provided by slotch.com, a web portal. The toolbar also has links to various web sites and a list of "TopSearches," which include such classic keywords as "Britney Spears," "Blackjack," and "Loans." ISTBar also sets your home page to www.slotch.com (which is infested with pop-up ads) and adds its own search sidebar to replace the default one.

ISTBar

ISTBar includes the ability to download and install other software. Among the processes started by ISTBar is a hijacker that redirects you to internet-optimizer.com when you enter a bad URL. This sends the link you attempted to retrieve to internet-optimizer.com in the process.

ISTBar invalid web page

More malware

searchWWW

searchWWW is a malware program that is installed by the widely-used cjb.net redirection service. As a bonus, searchWWW has a hijacker component as well as adware. The adware portion, once installed, will occasionally pop up ad windows. If we let the program run for a while, a collection of different popups will appear, including one that correctly warns that "AdWare" and "SpyWare" are installed on the computer.

Variety of popups from searchWWW

In terms of adware, searchWWW is fairly benign. Many other adware programs are much more aggressive in popping up windows and embed themselves much deeper into Windows.

The searchWWW malware also has a hijacker component. Upon being installed, it changes both your Internet Explorer home page and the search bar. Your home page is changed to http://www.searchwww.com, and your search sidebar altered as well. Instead of the default, you get a rather minimalistic replacement that uses searchWWW.com's very poor engine.

SearchWWW's search hijack

HuntBar/WinTools

HuntBar looks like a fairly typical toolbar. After installation, a toolbar appears with the usual staples: a search box, pop-up blocker, word highlighter, and even skin support. Many of its functions work through websearch.com, which gets its results from other sites. For example, web search results come from Yahoo, only with a dozen sponsored links above the results, while the maps come from Mapquest.

HuntBar also hijacks the search bar. This also uses websearch.com. The full address of every site you visit is sent to the server, along with a unique ID, adding a spyware component to Huntbar. The toolbar can also install updates or any other code the server may send it.

Huntbar and search sidebar

What makes HuntBar especially difficult to remove is that, along with the toolbar, three processes are installed, one of which is a service. Should you attempt to remove any part of HuntBar, these processes will simply replace the files or reset the settings. They will also restart each other should one of them be killed.

AccessPlugin

AccessPlugin is a somewhat legitimate dialer, as it actually needs you to set it up. However, nowhere on the web site it was downloaded from was there any mention of what this program actually does, only that it would allow you to view the site. In the terms and conditions pictured below you can see it mentions it costs $49.95 for a month. It would be very simple for someone to miss that, as most people do not read the fine print.

AccessPlugin

I decided not to let it try and continue as I did not have a modem (and if I did, I wouldn't want to risk getting a hefty bill).

Most dialers will come from adult web sites and will advertise themselves as having to be downloaded in order to access a certain site, or as a "viewer." However, the install process does not give any warning of the program's true functionality, and they will often attempt to dial as soon as possible. Dialers are often detectable only by looking for the running process.

Windows Messenger Service

Although not a program downloaded to your computer and thus not really considered adware, Windows Messenger Service can be an annoyance easily dealt with. Some people may have noticed text messages popping up on their displays trying to sell something (often a program that will stop the messages from popping up). These may appear any number of times a day.

Such messages come through a little known part of Windows called the Messenger Service. This is not the same as the Windows Messenger instant messaging (IM) program. The vast majority of users do not need this on.

Turning it off is rather straightforward: if you're running Windows 2000, go to Control Panel >> Administrative Tools >> Services. Scroll down and highlight "Messenger." Right-click the highlighted line, select "Properties," and click the "STOP" button. Then select "Disable" or "Manual" in the Startup Type scroll bar. Click OK and you're all set.

For Windows XP Home: Control Panel >> Performance and Maintenance, then click Administrative Tools. Double click "Services," scroll down and highlight "Messenger." Then right-click the highlighted line, choose "Properties," and click the "Stop" button. Similar to 2000, Select "Disable" or "Manual" in the Startup Type scroll bar, click OK, and you're done. The process for XP Pro is identical except that you go straight to "Administrative Tools" from the Control Panel. Windows Messenger Service is now disabled by default with Windows XP SP2.

The importance of a clean machine

Keeping your computer clean of malware is important for several reasons.

First and foremost, malware programs are a security risk. One can never be certain what information these programs are collecting about you from your computer. They potentially could have your name, physical address, e-mail address, credit card number, web site history, passwords, and any other information you have on your PC. The malware authors could use the information themselves or pass it on to others.

Second, malware programs are usually poorly written. They may be unstable, use up the majority of your PC's of resources, or simply slow the computer to a crawl. If you have several malware programs installed, they will often conflict with each other and cause even more problems. Even the fastest computer can be brought to its knees with only a handful of malware programs installed.

Third, any sort of adware will bombard you with advertisements. In addition to the familiar pop-ups and pop-unders, some adware will replace ads on a web site with their own. You do not even need to be surfing the 'Net to get pop-ups, as they will show up at any random time. They often contain adult content, advertise questionable products (including rogue malware removers), or link to scams and other questionable sites.

As mentioned before, malware programs are usually very poorly written and are thus likely to have security holes on top of their "features" which can report your personal information to the authors. Such holes could allow unauthorized access to your system.

Many malware programs also have the ability to update themselves, which not only means they can add new, possibly more dangerous, functionality any time, they can also run any other code sent to them by the author (or if there is poor security, anybody).

Broaching the subject of malware

Many people reading this work in IT or serve as a one-person help desk to friends and family. And as most of you know, it is often very difficult to explain technical subjects to those who are not technically inclined (e.g., managers, parents). So how do you get your technically-challenged boss or father-in-law to realize that malware is as bad it sounds and to be avoided at all cost?

First explain the obvious. Malware is responsible for slowdowns and crashes. Besides hurting the productivity and patience of those using infected PCs, it's a productivity waster, a problem which takes time away from other issues.

If you are discussing the matter with your manager, explain that malware frequently causes pop-ups and other forms of unsolicited advertising to appear on work computers. Time spent closing pop-ups is wasted time. It may also be worth mentioning that ads from adware often contain adult content, content that employers usually try to block under most circumstances.

Finally, explain that malware programs are security risks. Spyware can capture online purchases and other sensitive information. It doesn't take too much imagination to come up with some consequences of having a keylogger installed on a work computer.

Of course you may hear something like "I don't use malware. I use Bonzi Buddy/Weatherbug (insert name of other problematic program)."

Counter with the fact that malware frequently comes attached to seemingly-benign pieces of software. The two parts are often inseparable. If your boss or father-in-law is attached to the functionality provided by a piece of malware, point him or her to a legitimate alternative.

Malware prevention

The easiest way to deal with malware is to not get it in the first place. A little bit of common sense helps, but experience goes a lot farther. Experienced computer users, like it or not, hopefully possess the common sense that will let them avert potential disasters.

This edge can be acquired. The distinction is largely one of attitude, one which for lack of a better term I'll call "skeptical computing." We can examine this attitude and see how it reacts to common sources of trouble.

Skeptical computing breaks down into two parts. The first is having a minimum level of expectations for the working state of their computers. Operating systems for personal computers are extremely stable and reliable. Computers are no longer the cantankerous contraptions they were with Windows 9x or earlier versions of Mac OS. It's not acceptable to have a computer that runs at a snail's pace with advertisements flying up left and right. If things aren't working as they should, you can find a fix, whether through Google, anonymous forums, or your friendly neighborhood guru.

The second component of skeptical computing is maintaining a skeptical attitude while browsing the internet. If something looks too good to be true, it probably is. Any "hot deals" had better come from a trusted source. If a warning starts flashing on your computer, look closely to see if it's a legitimate message from Windows or just an animated image in a web browser.

Drive-by-Downloads

Internet Explorer can prompt users to download software that gets automatically installed on computers. The intention is that programs, such as Flash, that certain web pages depend on for viewing, can be seamlessly loaded so the user's browsing experience isn't interrupted. However, many malware developers take advantage of this process to foist their wares on unsuspecting users. Let's look at two examples, one legitimate and one malicious:

ActiveX Installation Dialogue

searchWWW ActiveX Install Prompt

It's important to separate the generic form filler from the content provided by the program in each case. The item on the left identifies itself as "Windows Update," the other "IE Plugin - Once you agree to the License Terms and Privacy Policy - click YES to CONTINUE." The program on the right is imploring you to click yes, not Internet Explorer. It also doesn't really tell you what the program is. Disregarding the second half of its name, it just identifies itself as "IE Plugin." It's not clear where it came from or what it would do if you installed it. This is one major tip-off.

Both products identify their supposed (remember, be skeptical) publisher. The one on the left is from "Microsoft Windows Publisher," the right from "CLICK YES TO CONTINUE." What would a program gain from obscuring its origin, especially by inserting a message in its place that suggests that clicking yes is your only option?

The last unique piece of information is the group that verified the publisher's identity. This bit doesn't tell you very much in either case. Both sound legitimate. However, weighing what else we know, it's safe to say that the program on the right is bad news. The program on the left looks trustworthy.

While our deductions were accurate in both cases, you should also consider what you were doing when you received the prompt. The left prompt appeared while browsing Windows Update, the right prompt showed up on a warez site. It's quite reasonable to expect that OS updates would require something to be installed. When you're looking at something seamy or of questionable legality, you should be on the lookout for possible malware.

It should be noted that drive-by download prompts have changed in Windows XP SP2. The new design stops controls when new dialogs pop up and forces you to think more about what you're about to download. Let's look at what happens when Flash wants to install itself.

Flash install

Unlike in prior versions of Windows, a dialog box is not the first thing to appear. Instead, a brief message appears in the toolbar, similar to IE's built-in pop-up blocker. It informs you that the page wants to install an ActiveX Control. The information, program name, and publisher are exactly the same.

When you click on the message, you can either allow the installation, or seek further help ("What's the Risk?"). The help is a generic section of IE's help page informing you of the risks associated with installing ActiveX controls. If you choose to install, you then see a dialog similar to the one we looked at before:

Drive by

Its appearance is more streamlined, plus it gives you an additional option. You can tell it to always deny the installation of controls from any given publisher. Definitely useful for users who frequently get asked to install particular pieces of malware, or just those who have a vendetta against Flash.

Bundlers

Much malware, especially adware, comes bundled with other programs. P2P software is a common source of bundled adware. The following message comes up while installing iMesh:

Example Install Screen

You can't say the program isn't honest. It lets you know it's ad-supported, which pieces of adware get installed, and what you agree to in the process. Messages about required programs for displaying ads should set off warning sirens in your head. That information alone should be enough to make you stop installation.

Additional preventive measures

Beyond skeptical computing, there are other preventive measures you can take to secure your computer. Verify that your Internet Explorer security settings are set correctly. To do this, open up Internet Explorer and go to the Tools menu. Click on "Internet Options." Go to the Security tab and click on the globe labeled "Internet." Then click the "Custom Level" button. Make sure "Download signed ActiveX controls" is set to "Prompt" (if you think you have everything installed that you need, you can set this to "Disable" for extra security), "Download unsigned ActiveX controls" is set to "Disable," and "Initialize and script ActiveX controls not marked as safe" is set to "Disable."

Updating Windows

Another easy and very important step is to update Windows. Some malware uses holes in Internet Explorer and Windows to install themselves without you knowing. There are many viruses which exploit Windows in similar ways, so it's important to either enable Automatic Update or regularly visit Windows Update.

Users of Windows XP should make sure they have Service Pack 2 installed. It includes many improvements that should make it much more difficult for malware to infect your computer, including a basic firewall (more on these below). Before installing a major update such as a Service Pack, it is recommended that you back up any critical data. Also make sure that your system is free of malware before installing SP2. Malware can interact with the installation process in undesirable ways. You can get SP2 through Automatic Updates or Windows Update.

Users of Windows 98 or ME should upgrade if at all possible to Windows XP. XP is a much more stable and reliable OS, not to mention more secure. Those who can't upgrade should be extra vigilant about system updates. Not only are the security holes in 98 and ME more well-known by malware developers, but those versions of Windows are less proactive about getting users to update.

Firewalls

One way of being warned that malware has infected your machine is by using a software firewall (this also works well for viruses too). Should malware get past your defenses and infect your computer, a software firewall will notify you if it tries to "dial home" (unfortunately, this will probably not work for malware that integrates itself into Internet Explorer). When a software firewall catches a program trying to make a connection, it will alert you, give you the name of the program, and ask if you want to block it from the Internet.

When using this software, apply skepticism in the same way you would when looking at a drive-by-download. When you receive a prompt from your firewall, scrutinize the program requesting access. Have you seen it before? Do you remember installing it? Does its function appear generic or otherwise ambiguous?

Software firewall warnings will aid in finding and removing the malware, as they give you the exact location of the process. They are especially important if you are not behind a hardware firewall. Firewalls do not know the difference between what is good and what is bad, so they will ask you about legitimate programs as well as illegitimate ones (many come with a whitelist of commonly-used programs that need the Internet, however).

If you do not know what a program is, usually a web search on it will tell you if it is something that should be accessing the Internet or not. Unfortunately, Windows XP's built-in firewall (users of any previous Windows versions have no firewall protection at all built in) does not monitor traffic leaving your computer, just traffic that is entering it, so Windows XP users may wish to download a stronger third-party solution.

SP2's Firewall catching iMesh

This screenshot shows an alert from the Windows XP SP2 firewall. It is informing you that iMesh is attempting to receive a connection (in other words, it wants to act like a server rather than a client). Since chances are you chose to install iMesh on your computer, it would be acceptable to let it carry out its normal functions.

Two popular free firewalls are

  • Kerio Personal Firewall: there is a free version for home users. Many prefer the older 2.1.5, which can be found here.
  • Zone Alarm: there is both a free version and a pay version with more features.

Other third-party software

If you're worried about not being able to identify drive-by-downloads, there are several pieces of software that can nip the problem in the bud. SpywareBlaster and Blocklist set "kill-bits" in Internet Explorer which automatically deny known malware from installing. In addition, SpywareBlaster blocks many known malware distributing websites. Both programs use zero system resources.
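Both the Internet-zone ActiveX settings recommended under "Additional preventive measures" and the kill-bits just mentioned live in the registry, so they can be audited from a regedit export. The following is an added example, not code from the article, SpywareBlaster or Blocklist: it parses a constructed .reg fragment, reports whether the three Custom Level settings match the article's advice, and lists which controls carry a kill-bit. The value names 1001, 1004 and 1201, the Enable/Prompt/Disable encoding and the 0x400 kill-bit flag are Microsoft's documented ones; the two CLSIDs are made up.

```python
"""Audit an exported .reg fragment for IE Internet-zone ActiveX settings and
ActiveX kill bits. Constructed example; the CLSIDs below are placeholders."""
import re
from typing import Dict, List, Tuple, Union

RegValues = Dict[str, Union[int, str]]

INTERNET_ZONE = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                 r"\Internet Settings\Zones\3").lower()
ACTIVEX_COMPAT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                  r"\ActiveX Compatibility").lower()
KILL_BIT = 0x400                    # "Compatibility Flags" bit that blocks a control
ENABLE, PROMPT, DISABLE = 0, 1, 3   # how IE stores a zone setting's state
STATE = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
# Value name -> (label in the Custom Level dialog, states the article accepts)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", {PROMPT, DISABLE}),
    "1004": ("Download unsigned ActiveX controls", {DISABLE}),
    "1201": ("Initialize and script ActiveX controls not marked as safe", {DISABLE}),
}

# Constructed export (what regedit's Export writes, minus the UTF-16 BOM).
# Signed downloads are left on "Enable" here so the audit has something to flag.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{66666666-7777-8888-9999-000000000000}]
"Compatibility Flags"=dword:00000000
"""


def parse_reg(text: str) -> Dict[str, RegValues]:
    """Parse the subset of the .reg format used here: keys, string and dword values."""
    tree: Dict[str, RegValues] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()        # registry paths are case-insensitive
            tree.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if current is None or not m:
            continue                            # @ defaults and hex: blobs are skipped
        name, value = m.group(1), m.group(2)
        if value.startswith("dword:"):
            tree[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            tree[current][name] = value[1:-1]
    return tree


def audit_internet_zone(tree: Dict[str, RegValues]) -> List[Tuple[str, str, bool]]:
    """(setting label, current state, meets the article's recommendation)."""
    zone = tree.get(INTERNET_ZONE, {})
    findings = []
    for value_name, (label, accepted) in RECOMMENDED.items():
        state = zone.get(value_name)
        if not isinstance(state, int):
            findings.append((label, "not set", False))   # confirm it in the dialog
        else:
            findings.append((label, STATE.get(state, hex(state)), state in accepted))
    return findings


def kill_bitted(tree: Dict[str, RegValues]) -> Dict[str, bool]:
    """CLSID -> whether its kill bit is set, for every ActiveX Compatibility entry."""
    result = {}
    for key, values in tree.items():
        if key.startswith(ACTIVEX_COMPAT + "\\"):
            clsid = key.rsplit("\\", 1)[1]
            flags = values.get("Compatibility Flags", 0)
            result[clsid] = isinstance(flags, int) and bool(flags & KILL_BIT)
    return result


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for label, state, ok in audit_internet_zone(reg):
        print(f"{'OK ' if ok else 'FIX'} {label}: {state}")
    for clsid, blocked in kill_bitted(reg).items():
        print(f"{'kill bit set' if blocked else 'not blocked '} {clsid}")
```

On a real machine, export the two keys with regedit and feed the file's text to parse_reg instead of SAMPLE_REG.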

Alternative browsers

An increasing number of users have concluded that Internet Explorer opens up too many potential problems and have switched to alternative web browsers. There are several excellent ones available, each with their own virtues.

  • Mozilla Suite: full-featured suite with browser, email client, IRC client, and HTML editor.
  • Firefox: lightweight browser that utilizes Mozilla's top-notch rendering engine.
  • Opera: lightweight suite with many features.

Social solutions

If you notice a high-profile company is advertising through adware, send an email or write a letter (even better) to one of their higher-ups. Tell them that you consider their association with this advertising medium to be a blemish on their image.

Support software publishers who sell software you like, especially software without adware. Companies use adware only when they're worried about getting a solid revenue stream. If enough customers buy their software, they won't have to experiment with these unseemly alternatives.

Conclusion

As we have seen, identifying malware and the basics of prevention is a complicated topic on its own. Next week, we will look at the other half of the problem: removal. Once you've identified the presence of malware on a computer, how do you get it off? What options are available, how complicated are they, and how well do they work?
