Thanks to massive publicity about the subject, computer users are now widely concerned that their machines might be infected with "spyware" programs. These applications monitor users’ activities and perhaps transmit to a hacker the users’ passwords and other confidential information. But many Web sites that claim to “scan your computer” to detect spyware are, in fact, spreading spyware themselves.
In one of the latest examples, the U.S. Federal Trade Commission announced on Mar. 11 that Spyware Assassin, a $29.95 program sold by MaxTheatre Inc., was promoted by bogus pop-up windows. These windows falsely claimed, "You have dangerous spyware virus infections on your computer. Click OK to install the latest free update to fix these errors."
The FTC said that if a computer user clicked OK, a phony "local scan" then reported that spyware had been found, displaying a phony list of supposedly infected files and folders. Both the original message and the "local scan" reported problems even if the computer was free of infections, the FTC said.
The federal agency persuaded the U.S. District Court in Spokane, Wash., where MaxTheatre is based, to issue a temporary restraining order. The site is now shut down.
This kind of scam is now so common on the Web that it’s generating its own macabre jokes. One wag suggested in a Slashdot posting that, if the FTC really got serious, we’d soon see the following story:
- "The Federal Trade Commission has shut down Microsoft, alleging the company participated in fraudulent practices with its Windows and Office software, which purportedly gave the illusion of an operating system and/or increased productivity at work, even though no improvement was done and in most cases, the user machine would stop working correctly after a day. The company’s site then offered the user a $30 product to enhance security, which the commission reports ‘didn’t do a thing.’"
All kidding aside, the number of bogus programs that now pose as "antispyware" applications is enormous and still growing.
Eric Howes, a security researcher who has published numerous tests of cleanup programs (as described in our Feb. 24 and previous newsletters), has found more than 100 examples of disreputable applications on the Web.
He maintains a detailed list of Rogue/Suspect Antispyware Products on a page at Spyware Warrior, an informational site. The rogue’s gallery includes such programs as "SpyDeleter," a product promoted, according to an FTC complaint, by Sanford Wallace, formerly a well-known spammer. The FTC sought a restraining order against Wallace and a related company, Seismic Entertainment Productions Inc., last October.
In many cases, according to Howes’ listings, rogue programs actually install browser home-page hijackers and open a back door to install other software.
Many computer users are understandably fearful of online threats and click OK to cleanup offers, without first questioning the source of the “alert.” This is one more thing to guard against on the Web.
Unfortunately, some legitimate security companies also offer online scans to detect malware on PCs. Although these companies mean well, I can’t recommend such scans at this time. Even if the company produces a fine software product, any remote scan is subject to false positives. In other words, the scan might detect something on a PC and incorrectly label it malware. If the company then offers to sell a product to clean up the system, it can be accused of engineering the false positives, just as the FTC charged MaxTheatre with doing.
A much better approach is for computer owners to purchase low-cost but effective security programs to clean up their systems and then protect them from further infections. We include a summary of the top-rated programs in our Security Baseline section, below.
Important: Please note that my recommendation against Web scans of PCs does not apply to vulnerability detection sites, such as the excellent Shields Up! service provided by Steve Gibson of the Gibson Research Corp. This service, with your permission, examines a PC’s network connection to determine whether or not it has "open ports" that can be exploited by hackers. Since the testing mechanism needs to be outside your network in order to conduct such vulnerability assessments, Shields Up! provides a valuable service that cannot easily be performed by software you install.
Let’s call it spyware if it qualifies
I wrote in the Feb. 24 newsletter that the distinction between "spyware" and "adware" was meaningless. Since all such programs generate revenue or something else of value for their promoters, they should all be called adware, I said. This would preclude authors of such programs from saying, "Our product is not spyware, it’s adware, which is fine." Programs that control any aspect of your PC without your full knowledge and consent are always a severe security risk and should not be tolerated. (I have always stated that "ad-supported software," where the ads are displayed within an application’s primary window, as with Opera and Google, is fine.)
I now believe I shouldn’t have dissed the term "spyware" so much. The public has come to fear "spyware" because of saturation coverage of the problem in the mass media. For this reason, I’m dropping my objections to the term and the newsletter will use "spyware," "adware," "malware" and other terms as appropriate.
Howes has written to me that definitions of spyware are actually becoming a burden on consumer advocates such as himself. He now feels that the more specific a definition is, the more it may be a trap:
- "I’m really skeptical at this point that we ever will come up with a term for this kind of software that everyone can live with. The problem is that once you come up with a term and that term becomes even remotely tainted or even hints that the software is in any way undesirable, the people whose software you’re trying to hang that term on are going to object.
"Just one year ago the industry was pushing the ‘spyware=bad / adware=good’ distinction. Now many of these same companies don’t even want to be associated with the term ‘adware,’ so tainted has that term become.
"I actually think the right approach now is to push people to stop getting hung up on the precise word(s) you use to name the software, which leads only to useless definitional disputes that the bad guys exploit to wriggle out of your term, and focus on the practices and behaviors of the companies and the software."
The problem isn’t ads, it’s remote control
Unfortunately, the issue of pop-up ads (which are bad enough) has obscured the main threat facing us. It isn’t a display of ads that makes a program malware. It’s the fact that the application (1) can run commands on the infected PC, (2) can download new versions of itself (which may have negative features), or (3) can download entirely new programs that aren’t in the best interest of the computer owner.
The fact that a PC user is giving control of the machine to someone other than its owner is the heart of the matter.
If I were writing laws about this, I’d prohibit software that can "morph" its code once installed, except under strict conditions. I believe all such software should be removed automatically by security programs. The user should then be able to see a log of what was removed, and should be able to undo some of the uninstalls, in some cases.
As I noted on Feb. 24, the license for the iSearch Toolbar, an adware program, says it may "without any further prior notice to you… install software from iSearch affiliates; and install Third Party Software." There is absolutely no reason for a legitimate software company to claim the right to install on your PC other programs from other companies, which you may never have heard of.
I believe there’s an enormous financial incentive for adware makers to sell access to their network of PCs to questionable characters. With this temptation, I believe it’s only a matter of time before seriously nasty programs are installed so widely that the attackers become stronger than the defenders. (At some point, say, they may collectively launch a massive DDoS against the servers of Symantec, McAfee and other security firms. Some such attacks have already begun: numerous malware programs alter a PC’s Hosts file so that attempts to connect to security firms’ sites fail. These alterations are stopped by installing the leading antispyware apps, which are shown in our Security Baseline section, below.)
That’s why I believe all computer users should eradicate this stuff now, and that ISPs should start checking for and eradicating it, too.
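The Hosts-file tampering mentioned above is easy to check for yourself. The following script is an added example written for this page, not code from the newsletter or from any of the products it names. It parses a hosts file in the format Windows (C:\Windows\System32\drivers\etc\hosts) and Unix (/etc/hosts) use and flags any entry that maps a security vendor’s domain to a loopback or unspecified address (the site is "blackholed") or to some other address (the request is "redirected"). The watch list of domains and the sample file are constructed for illustration; a real check would use the vendors you actually rely on.

```python
"""Flag Hosts-file entries that blackhole or redirect security vendors' sites.

Added example for this article; the watch list and SAMPLE_HOSTS are
constructed, not taken from any real infection.
"""
import ipaddress
import os
import sys
from typing import Dict, List, Tuple

# Assumed watch list: domains a legitimate hosts file has no reason to
# map at all, since they are reached through normal DNS.
WATCHED_DOMAINS = (
    "symantec.com",
    "mcafee.com",
    "trendmicro.com",
    "sophos.com",
    "windowsupdate.com",
    "spywarewarrior.com",
)

# Constructed sample: a clean loopback line, three blackholed vendor
# hosts, one redirected vendor host and one harmless private entry.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
127.0.0.1       www.symantec.com    # injected by malware
127.0.0.1       securityresponse.symantec.com
0.0.0.0         update.mcafee.com
192.0.2.44      www.trendmicro.com
10.0.0.5        intranet.example.com
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, [hostnames]) for every active entry."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: an address with no hostname
        entries.append((no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_watched(host: str) -> bool:
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text: str) -> List[Dict]:
    """Report every hosts entry that pins a watched domain to any address."""
    findings = []
    for no, ip, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address; nothing a resolver would honour
        for host in hosts:
            if not is_watched(host):
                continue
            # 127.x / ::1 / 0.0.0.0 make the site unreachable; anything
            # else silently sends the user somewhere of the attacker's choice.
            kind = "blackholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
            findings.append({"line": no, "ip": ip, "host": host, "kind": kind})
    return findings


def default_hosts_path() -> str:
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # With no argument, check this machine's own hosts file.
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        results = find_hijacks(fh.read())
    for r in results:
        print(f"line {r['line']}: {r['host']} {r['kind']} via {r['ip']}")
    print(f"{len(results)} suspicious entr{'y' if len(results) == 1 else 'ies'} in {path}")
```

Run it without arguments to scan the local hosts file, or pass a path to inspect a copy taken from another machine. Any hit at all is worth a look: a legitimate installation has no reason to carry a hosts entry for a security vendor, whichever address it points to.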
Don’t use P2P software that installs spyware
I’ve written previously that file-sharing software usually tries to install spyware. I noted on Jan. 27, for example, that Grokster alone could install as many as 15 separate adware programs.
If you insist on using such peer-to-peer applications — which open connections in your PC that have their own serious security risks — I urge you to read Ben Edelman’s Unwanted Software Installed by P2P Programs.
Edelman, a respected researcher who is a Ph.D. economics candidate at Harvard University, shows the junk you can accumulate from file-sharing applications. Of the five programs he tested, only LimeWire was free from adware. (Edelman discloses that LimeWire has a consulting relationship with him. I believe his results are trustworthy nonetheless.)
In future issues of the newsletter, I hope to publish a list of Web sites that actually do provide useful PC scanning services without any hint that they might use false positives to sell products. This is an extremely difficult topic to research, because such sites may change at any time, making guarantees difficult. All I can say is: Watch this space.
Our thanks go out to our reader whose handle is Navigatr1 for help in researching this topic. To send us more information about spyware, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.