Number 254 - July 2004
Computer Parasites
by Brian K. Lewis, Ph.D. Sarasota PC UG, May 2004
   So, you have finally realized that you need to keep your anti-virus software up to date and you have installed a firewall on your Internet-connected computer. Now you are safe from any intrusions and you can relax, right? Wrong!! Now you only have to worry about programs that track you from web site to web site, especially programs that run in the background on web pages and install silent reporting programs on your computer. These programs, generally referred to as malware or malicious software, are not all stopped by A-V software or firewalls. What they do and how you can block them is the subject of this article.

   The easiest way to tell you what some of these programs do is to list and describe some of them. For example, Microsoft Money communicates, silently, with Microsoft at regular intervals. If you don't have a firewall that checks outgoing traffic, you would never be aware of this.

   I installed SpywareBlaster, which has a list of more than 144 different applications which can track your surfing habits, set up outgoing ports, report the software on your computer or other activities. However, just like A-V software, it has to be updated constantly because of newly identified parasites. Some examples (you may already have some of these on your system):
   
  • NewtonKnows: A browser plug-in that supposedly helps users find comparison prices online. However, the software transmits LARGE amounts of personal data to the makers. The hard to find privacy agreement includes this clause: THE COMPANY MAY USE INDIVIDUAL INFORMATION FOR ANY LEGALLY PERMISSIBLE PURPOSE IN THE COMPANY'S SOLE DISCRETION. Removal can be very difficult.

    •    
  • Go'Zilla: A download manager. It contains spyware/adware and reports information back to its vendor.

    •    
  • PerMedia/FriendGreetings: Installed by an ActiveX download linked to ecards sent from friendgreetings.com. This software will send similar e-card messages to all addresses in the user's e-mail address book. It can track web sites visited and transmit this information along with the user's e-mail address. It also pops up advertising windows during browsing.

    •    
  • Aureate/Radiate: Tracks your Internet activity and sends a detailed report to its makers every time you open your browser. The information includes the name the computer is registered to and a list of the installed software.

    •    
  • Lop.com: A browser hijacker. It sets your start page and IE search features to one of several Internet addresses. It will also reset your homepage and search page back to its choice if you try to change them back to your original settings. This software is frequently installed through pop-up ads and some sites may be able to install it without any warning due to security holes in Internet Explorer.

    •    
  • OnlineDialer: Allows WebPages to load and run an executable file. Once this control is installed, any WebPage has the ability run any executable file on your computer. Some pages that try to install this as an ActiveX drive-by download may actually keep trying to download the software onto your machine multiple times.

    •    
  • Aspam: This is a Trojan horse that provides remote access to a user's infected PC.

    •    
  • Xupiter: An Internet Explorer toolbar that bundles a program that may launch pop-up ads and can download updates of itself. The toolbar contains links to the Xupiter search engine. It can hijack your homepage, search settings and favorites. It is installed mainly by drive-by download. It may also download third-party software such as a casino loader application.

    •    
  • Tinybar: A browser toolbar that may spawn pop-up ads. Some versions do not display the toolbar in IE, just the ads. Newer versions also carry out a denial-of-service attack against a spyware information site. Tinybar probably installs through a security hole in Microsoft's Java Virtual Machine.

    •    
  • FreeScratchAndWin: A browser plug-in for Internet Explorer. It changes your homepage, opens pop-up ads and tracks your browsing habits. It can download and install code through its update feature.

    •    
  • TPS108 Dialer: If installed, it could dial to an overseas toll number without your knowledge and that would result in large charges on your phone bill.

       Remember that this is only eleven of over 144 parasite identifications marked by SpywareBlaster. There are others that install as cookies and have to be cleaned by other software. The most common of these is DoubleClick. DoubleClick is one of the largest advertising companies on the Internet. Anytime you encounter a web page with a DoubleClick ad on it, a cookie is loaded on your computer. If you already had a DoubleClick cookie, it reports back to the DoubleClick company where and when it was created. This allows the company to collect information on your browsing habits. You might say that this is not really a problem. However, when it happens on a supposedly secure site, it could be a real problem. The following paragraphs are quoted from an article located at SpywareInfo.com. www.spywareinfo.com/ newsletter/ archives/ feb-2003/5.php
    •    Go to the Bank of America web site and click on Online Bill Pay. It will ask you what state you are in. From there, click the enroll button. Then it takes you to a page located on a secure server. This means that the connection between you and the server is protected by 128-bit Secure Socket Layer encryption, and that there are supposed to be no outside parties involved in the transactions between your browser and the secure web page.

       On the bottom of that page there is a 1-pixel wide, 1-pixel high transparent graphic which is loaded from . In other words, a web bug. Normally a web bug will set a cookie, but uncharacteristically for DoubleClick, this web bug does not. The web bug is loaded from a secure server, so the normal browser warnings about a page that is not fully encrypted do not go off.

       This article goes on to state that there is no information as to what is being collected by this DoubleClick web bug. However, it is on the page where the user enters personal information. This web bug runs a Javascript program that reports information back to DoubleClick. All this in spite of Bank of America's disclaimer that third parties have no access to you while on their secure web site.

       So how do these parasites get on your computer? The most common method is loading using Internet Explorer's ActiveX installation option. These are the Drive-by Downloads. This facility was designed for installing plug-ins to view multimedia files, Active-X controls for online games, fonts for international languages, and other legitimate uses. When a web page includes a link to an ActiveX program, a window may appear asking if the user wishes to execute it. If Yes' is clicked (or if IE security settings are set lower than normal so that it never even asks), the software is allowed to run. It can then do anything it likes on your computer, including installing parasite software.

       Browser Hijacking can also occur as a result of ActiveX controls. This is where your browser settings, such as home page and/or search page are altered. The purpose of this is to force you to visit a web site of the hijacker's choice so that they can sell advertising. Most of the time this can be corrected simply by going to IE's tools menu and changing the settings under Options. However, some of these hijackers alter the registry settings so your restoration is undone. They may even reset their changes every time you boot your computer.

       AOL also exploits the ActiveX controls and even downloads ActiveX components to your computer without notification. It is not known what these are doing, but since they could control your computer, they would be classified as Trojans.

       Another common strategy is the EULA or End User License Agreement. How many of you actually read the complete agreement when you are installing new software or an update? How many times have you noted that the agreement specifies that third-party software is being installed? This is what happened to users of Intuit's TurboTax. The EULA specified that C-dilla software would be installed along with the Tax software. But who took the time to determine just what C-dilla was and would do? It is parasite software supposedly designed to prevent pirating of TurboTax. However, it is not removed when you remove the TurboTax software. Note that removal of the C-dilla application will prevent TurboTax from running. Just one example of how the EULA can be used to sneak software onto your computer.

       Now that you know something about what these parasites are, how do you get rid of them? Some A-V software is starting to include a few in their screening process. However, this is really not adequate. There are several very highly recommended freeware applications that everyone should have on their computer. I have already mentioned one: SpywareBlaster. This is a 500K program that is available from: www.javacoolsoftware.com/spywareblaster.html.

       This program modifies your registry to prevent any of its listed parasites from being installed by ActiveX controls on web pages you visit. Since these are registry entries, they really don't consume system resources. This application does need to be updated frequently to block new spyware.

       SpywareBlaster does not affect any pages that download cookies to your computer. For that you need a different application. There are two highly recommended applications, Ad-Aware and Spy-Bot Search & Destroy. Ad-Aware is available in several different versions from www.safer-networking.org/. There is a free version, a plus version and a professional version. For more information, check out their new web page. You should also note that Ad-Aware had a 6-month period last year where no updates were issued. In the parasite business, as in the anti-virus business, updates are essential to maintain your protection.

       Spy-Bot Search & Destroy is also freeware and is available from www.security.kolla.de. I started using it when I realized my Ad-Aware software was out-of-date. Spy-Bot is a 2.3 MB application that needs to be run whenever you have been on the Web. It will remove tracking cookies and other malware that has been downloaded to your computer. It should also be updated at least weekly. So, if you have these spyware removers, up-to-date anti-virus software, and a good firewall, you should be safer in your Web surfing - at least until the next menace comes along.

       Copyright 2003. This article is reproduced from the March 2003 issue of the Sarasota PC Monitor, the official monthly publication of the Sarasota Personal Computer Users Group, Inc. Dr. Lewis is a former University and Medical School professor who has been working with personal computers for more than thirty years.
      Number 254 - July 2004