Characteristics
Below are some of
the most common spyware symptoms and characteristics.
Spyware can perform functions other than the ones
listed here, and many spyware programs will perform
more than one of the listed functions. TTAsia uses this list to describe spyware programs within our Anti-Spyware
software and to evaluate the behaviour and relative
threat level of programs in our database.
This threat
displays advertising in an intrusive or unethical manner. Many Adware programs download and display pop-up or pop-under
ads (which appear in their own browser windows) while the user surfs the Web.
More malicious programs display ads even when the user is not surfing the Web,
and some Adware programs are difficult or impossible
to uninstall without a removal tool or anti-spyware
program. Certain applications, like file-sharing programs and media players,
are ad-supported, meaning they are offered to the user at no cost, but will
display ads in order to earn revenue. These programs often state expressly that
they are ad-supported, and it is the user's decision to use such software. Ads
are most often displayed in Web browser windows. If the user notices ad windows
popping up at random, ad-related links appearing alongside the results of Web searches,
or unrequested Web pages loading and offering a
product, the user's computer is likely infected with Adware.
Spyware programs specialize in recording personal
data about the user or the user's computer. Spyware
programs called keyloggers record all keystrokes to a
log file, which can often be automatically e-mailed to a remote intruder or Web
server. Surveillance programs can record data about a user's Internet activity,
program usage, and security settings. Some surveillance programs can even
capture images of the user's desktop and send them to a remote intruder,
allowing him or her to see what
the user is doing. Data miners record password/login info as well as Web usage
information in order to assist certain Web sites. Password Capture programs
focus on stealing passwords and logins from the user's computer. By definition,
Spyware programs record personal or sensitive
information and allow others to access that information. A program that
covertly records data that should be kept private is likely a threat to the
user's privacy and security.
Many threats have
browser hijacking capabilities. A browser hijacker is a program that changes
the settings of a Web browser (often Internet Explorer, but others as well).
Most common are homepage hijackers, which set the user's homepage and make it
difficult to change. Browser hijackers will also co-opt the browser's Search
feature, routing searches through an unexpected search engine or server. Often these
hijackers record information about the user's Web searches. Browser hijackers
can change the browser's default error page and even affect the Address Bar (in
which URLs are typed), recasting all mistyped URLs to direct a user to a
specific Web site. Browser hijackers often serve as intrusive advertising and Spyware, collecting information about the user's Web
activity. Some hijackers will even block access to security-related Web sites.
Perhaps one of
the most feared aspects of Spyware, remote influence
refers to an intruder's ability to use, influence, or control a user's computer
via the Internet. That is, if a user's computer is infected with a threat (like
a Trojan or a RAT) that allows remote influence, the intruder will be able to
send commands to the user's computer, instructing it to perform a number of
actions, which often include file deletion, uploading and downloading,
installing programs, disabling applications, participating in attacks on Web
servers, propagating a threat or virus, or even deleting all the data on a
user's computer. Programs that allow remote influence are among the most
dangerous Internet threats and should be dealt with quickly.
Some Internet
threats will attempt to download and install files onto the user's computer
without the user's knowledge. A program devoted specifically to this function
is called a downloader. Downloaders will usually not
inform the user that they are downloading or installing code. Outright malicious
downloaders will connect to remote servers and
download harmful Trojans, worms, or viruses onto a user's computer. More
commonly, Adware programs include downloader
functionality in order to download ads and update themselves when necessary.
Some Adware and Spyware
programs will attempt to download and install other advertising and
surveillance software. When a program downloads unsolicited files, it is
downloading code that the user has not requested and most likely does not want.
The fact that the program can download and install virtually anything, from the
most benign annoyance to the most crippling worm, is enough to make most users
wary, and rightfully so.
A threat that can
disable a program or process is a source of alarm. One that can disable an
entire system is even more offensive, and, unfortunately, more common. Many
Trojans and Remote Administration Tools (RATs) allow
a remote intruder to access the user's computer via the Internet and initiate a
shutdown or restart. Other threats attempt to disable certain programs, often
security or anti-virus programs, by simply ending the running processes of said
programs. Even programs that function on their own, without an intruder's instructions, can disable applications and perform shutdowns
and restarts. If an application that should be functioning is not, or if the
user's computer is intermittently shutting down or restarting for no reason,
the computer may be infected with a threat with disabling functionality.
Makes Unauthorized Phone Calls
If a user's
computer is connected to a phone line via a modem, the computer has access to
telephone networks. Certain Internet threats will attempt to access a user's
phone line through his or her computer. Programs called dialers use the
infected computer to make phone calls to pay-per-minute phone services or
long-distance numbers. Dialers are sometimes used to collect Web site fees,
particularly fees for pay porn sites. In addition to making expensive phone
calls, some dialer programs will allow the user access to a porn Web site. But, of course, the user has paid for access, and the charge
will appear on the user's next phone bill. Most dialers give no visual cues
that they are making phone calls. Only when the user can hear the modem's
activity or the resulting phone call will he or she know that a dialer is
functioning. Computers that are not connected to a phone line are not at risk
from dialers, although the dialer program may still exist on the computer.
Many Internet
threats gain access to a user's computer, a network or a program by exploiting
vulnerabilities in the code of other programs. Many threats exploit flaws or
vulnerabilities in Microsoft software. For this reason, Microsoft is
continually issuing security fixes and critical updates to address these
threats. An exploit is a program that specifically targets a programming
loophole or mistake in another program. Some flaws or vulnerabilities allow
remote intruders to access a user's computer. Hackers and rogue programmers are
always on the lookout for security flaws, as they provide the most reliable
means to invade or attack a remote computer or a network.
Some threats,
often Trojans, are designed to interrupt or temporarily disable a connection to
the Internet. One of the easiest ways to cripple an Internet connection is to
send it massive amounts of data, far too much for it to process. In such an
event, the connection will become unusable for a period of time and may even be
disabled by the user's Internet Service Provider (ISP). Certain Trojans allow a
remote intruder to specify an IP address to flood. All computers and networks
on the Internet have a unique IP address, to which data can be sent. The data
used to flood a connection need not be anything other than gibberish, text or
numbers or any single file repeatedly and quickly transferred to the specified
IP. Flooder programs are less common now than they were in the late '90s, but
they still represent a considerable danger, particularly for users or
businesses who rely on the Internet for professional
purposes.
Many viruses,
worms and other Malware are designed to spread
quickly and easily throughout networks, from computer to computer. For
instance, mass-mailing worms collect e-mail addresses stored on a user's PC and
e-mail themselves to the collected addresses. Certain Trojans and worms install
infected files with the names of popular downloads into the shared folders of
peer-to-peer file-sharing programs like some music download sites. When users
download and execute these falsely named files, their computers are infected
with the worm or Trojan. It's important to note that much of the spam e-mail we
receive is sent from worm-infected computers that happen to contain our e-mail
addresses. These computers may be those of our friends, employers or the
businesses we patronize. By allowing Spyware and Malware to infect our computers, we are often putting other
computers at risk of infection.