Spyware and Viruses

Adam Guzy
0151704

Introduction

Spyware and viruses cost companies millions of dollars to deal with, they operate
by exploiting the security weaknesses found in most commercial software. This paper
will cover the various kinds of spyware and viruses used today and potential solutions to
these problems.

Spyware
This category of malicious software generally has two effects, there are types that are
relatively quiet and those that are painfully visible. The implementations that are quiet
passively gather information and send it to third parties, entirely without the authorization
of the user creating a breach in privacy. The other implementation actively interferes
with the normal operation of various programs, for example, some Spyware will change
the user’s homepage to a specific company page, or based on gathered data, produce pop-
ups at regular intervals attempting to sell some product or service. In total there are 4
categories of Spyware used that produce these effects.

Adware Networks
Companies pay software creators (video games, utilities, music and video players etc)
somewhere between 0.1 and 0.2 cents per download of their software. An example is:
Gator Gain. The companies create networks of user’s PC’s to gather information from
each user and sells the information. These networks can also be used to create the pop-
ups that were previously mentioned. To deal with this, in a relatively simple way, would
be to update all web browsers (the usual source of spyware) with a filter to recognize
information coming from the Adware Network. This could include IP blocking, that is
-- Converted from Word to PDF for free by Fast PDF -- www.fastpdf.com --

block the IP of the company sending the spyware signals, effectively isolating them from
the rest of the internet. [1]

Stalking Horses
This software is what enables the Adware Network. The Stalking Horse usually arrives
bundled with other software, for example Cydoor (which stores information on which ads
the user clicks on). It is the program that connects the host computer to the Adware
Network. This is not a problem with the network protocol or anything that low level.
The Spyware is a program like any other, only it operates without the user’s knowledge.
Low level layers cannot tell the difference, the problem is on the application layer. The
solution to this is to either use a Spyware removal program, or use a port sniffer to
identify any unauthorized ports that are open. The sniffer will find every open port and
what program is currently using said port, with this information the user can close the
port and remove/close the offending program. The automated removal program only
finds Spyware identified in its database, where the sniffer allows the user to find any
suspicious programs and remove them (as some spyware may not be in the database).
Improving the firewall will help prevent unauthorized ports from opening. [1]
 Trojan Horse
These programs include the Adware Network software and a Stalking Horse. It bundles
these two together with a popular program, relying entirely on the user to let it pass
through so it can slip past the firewall. An example of this arrangement is Kazaa (which
contains many Stalking Horses). Often the spyware is tied to the popular program, so
removing the spyware will usually disable the program the user wanted to run. One way
of dealing with this problem is to modify the user’s hosts file to point to the user’s own IP
address, this way there is no data being sent out and the original program is still
functional. [2]

Backdoor Santas
These programs are completely stand-alone, they do not connect to Adware Networks.
Instead they gather information and send it directly to their respective servers. Examples
of these programs include Hotbar, Alexa. They arrive at a user’s PC by slipping past the
firewall the same way a Trojan Horse does. Spyware aspect of the program cannot be
separated from the ‘useful’ portion, as it is not a bundle, but one program. The best way
to defend against this kind of spyware is to use a strict firewall and monitor the ports to
be sure nothing gets through. [4]

Viruses
Viruses are programs that infect a system and reproduce to spread to other
systems or parts of the system. There is a variety of types of viruses, as listed below. [4]

Polymorphic
This type uses a mutation algorithm to change the virus each time it is copied. This is an
attempt to confuse anti-virus software, which is no longer successful with current
mutation methods. [3]
-- Converted from Word to PDF for free by Fast PDF -- www.fastpdf.com --

Stealth
For a virus to function, it must change something, be it boot sector, files etc, this is how a
virus is often detected. The stealth virus hides the modifications that it makes by taking
over functions that handle disk access etc. When a program requests some piece of data
the virus (that had modified that piece of data) sends a copy of the un-modified data back
to the program, thus evading detection. This is why most anti-virus programs work best
upon start up, before the virus can conceal the changes it made. [3]

Fast & Slow Infectors

This type of virus will get loaded into memory and watch for any activity. A slow
infector will infect files only when they are created or modified, and a fast infector will
infect files as soon as they are accessed. This virus will spread very quickly. [3]
 Sparse Infectors
In order to help minimize the probability of being detected, the virus does not infect
systems every single time it is run. It could infect every 20 times for example. This way
the user will not be able to look back and think “what was the last thing I installed?” and
be able to discover the source of the virus, or know how extensive the infection is. [3]

Armored Viruses
The task of eliminating a virus for antivirus programmers consists of going through every
instruction of the virus, or disassembling the virus. An armored virus attempts to make
this process extremely difficult, so no new automated solutions can arise. [3]

Multipartite Viruses
These viruses infect both system sectors as well as files. This is done by having multiple
parts to the virus, hence multipartite. This allows the virus to spread in a variety of ways,
making it difficult to remove, and fortunately difficult to write. [3]

Cavity (Spacefiller Viruses)

Normally, when a virus infects a program, it attaches itself to the start of the program
code, so when the program is run, the virus is run first. Alos, many programs have
spaces in them for a variety of reasons, a cavity filler virus places itself in one of these
spaces, thus no longer increasing the size of the program, and making detection that much
more difficult. [3]

NTFS ADS Viruses

The NT file system allows additional data to be attached to a file. This additional data is
not always apparent to the user as the Windows operating systems do no show this extra
information. Thus a virus can attach itself to an existing file undetected. [3]

Virus Droppers
-- Converted from Word to PDF for free by Fast PDF -- www.fastpdf.com --

These are not viruses on their own. What they do is move into a system without
triggering any warning programs and ‘drop’ viruses into the system. It is very similar in
nature to a Trojan. [3]

Conclusion

A partial solution to this problem (the portion that pertains to networks) is to

minimize contact between one PC and the rest of the network, that is make the firewalls
more secure by restricting the ports. This will help prevent infection by outside sources.
Another solution is to use a system similar to encryption, were only messages encrypted
with the correct key will be accepted. A good method would be PGP, where the two
parties communicating ‘know’ each other and ‘understand’ that accepting messages from
any other source is hazardous. Upgrading programs such as email clients and web
browsers so they no longer run extra code without the user’s permission will also help as
this will stop many viruses that arrive via email or scripts.
 The general cause of spyware is the user, often the average user ignores all
warnings regarding spyware and invite the infection of their system. Thus the solution is
to safeguard the application level for each PC, so it is not possible for spyware to enter
the PC accidentally. This would include using a firewall to manage the ports, making
sure that only authorized ports are being used, and a sniffer to monitor the programs that
are using those ports. With this, it will be more difficult to slip things past the user’s
attention, and in the case that the user does not know what to do, it would be possible to
reject by default.

References

[1] “SPYWARE!” Accessed March 25 2005, www.computer-outlets.com/spyware.htm

[2] “FAQ Malware, Spyware, Adware” Accessed March 25, 2005,

www.humboldt1.com/services/malware.html

[3] “Virus Types and Methods” Accessed March 25, 2005,

www.cknow.com/vtutor/vttypes.htm

[4] “What can you do about spyware infections”, FAST Corporpatre Services, Accessed
March 25, 2005, an.newbusiness.co.uk/cgi-bin/showArticle.pl?id=2702
-- Converted from Word to PDF for free by Fast PDF -- www.fastpdf.com --