

374_Spyware_FM.qxd 6/30/06 4:47 PM Page i

Visit us at
www.syngress.com
Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of
some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect
way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration,
CyberCrime Investigation, Open Source Security, and Firewall Configuration, to
name a few.

DOWNLOADABLE EBOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt
books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our ebooks onto servers
in corporations, educational institutions, and large organizations. Contact us at
for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress
books, as well as their own content, into a single volume for their own internal use.
Contact us at for more information.



Combating Spyware in the Enterprise

Brian Baskin
Tony Bradley
Jeremy Faircloth
Craig A. Schiller
Ken Caruso
Paul Piccard
Lance James

Tony Piltzecker, Technical Editor



Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY   SERIAL NUMBER
001   HJIRTCV764
002   PO9873D5FG
003   829KM8NJH2
004   387GGDWW29
005   CVPLQ6WQ23
006   VBP965T5T5
007   HJJJ863WD3E
008   2987GVTWMK
009   629MP5SDJT
010   IMWQ295T6T


PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Combating Spyware in the Enterprise
Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
1 2 3 4 5 6 7 8 9 0
ISBN: 1-59749-064-4

Publisher: Andrew Williams
Acquisitions Editor: Erin Heffernan
Technical Editor: Tony Piltzecker
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editor: Audrey Doyle
Indexer: Odessa&Cie



Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.
Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, and Karen Montgomery.
The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Chris Hossack, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, and Chris Reinders for making certain that our vision remains worldwide in scope.
David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, and Siti Zuraidah Ahmad of STP Distributors for the enthusiasm with which they receive our books.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.



Technical Editor
Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix CCA), author and technical editor of Syngress Publishing’s MCSE Exam 70-296 Study Guide and DVD Training System, is a Consulting Engineer for Networked Information Systems in Woburn, MA. He is also a contributor to How to Cheat at Managing Microsoft Operations Manager 2005 (Syngress, ISBN: 1597492515).
Tony’s specialties include network security design, Microsoft operating system and applications architecture, as well as Cisco IP Telephony implementations. Tony’s background includes positions as IT Manager for SynQor Inc., Network Architect for Planning Systems, Inc., and Senior Networking Consultant with Integrated Information Systems. Along with his various certifications, Tony holds a bachelor’s degree in Business Administration. Tony currently resides in Leominster, MA, with his wife, Melanie, and his daughters, Kaitlyn and Noelle.


Contributors
Brian Baskin (MCP, CTT+) is a researcher and developer for Computer Sciences Corporation. In his work he researches, develops, and instructs computer forensic techniques for members of the government, military, and law enforcement. Brian currently specializes in Linux/Solaris intrusion investigations, as well as in-depth analysis of various network protocols. He also has a penchant for penetration testing and is currently developing and teaching basic exploitation techniques for clients. Brian has been developing and instructing computer security courses since 2000, including presentations and training courses at the annual Department of Defense Cyber Crime Conference. He is an avid amateur programmer in many languages, beginning when his father purchased QuickC for him when he was 11, and has geared much of his life around the implementations of technology. He has also been an avid Linux user since 1994, and he enjoys a relaxing terminal screen whenever he can. He has worked in networking environments for many years from small Novell networks to large Windows-based networks for a number of the largest stock exchanges in the United States.
Brian would like to thank his wife and family for their continued support and motivation, as well as his friends and others who have helped him along the way: j0hnny Long, Grumpy Andy, En”Ron”, “Ranta, Don”, Thane, “Pappy”, “M”, Steve O., Al Evans, Chris pwnbbq, Koko, and others whom he may have forgotten. Most importantly, Brian would like to thank his parents for their continuous faith and sacrifice to help him achieve his dreams.
Brian wrote Chapter 5 (Solutions for the End User) and Chapter 6 (Forensic Detection and Removal).
Tony Bradley (CISSP-ISSAP, MCSE, MCSA, A+) is a Fortune 100 security architect and consultant with more than eight years of computer networking and administration experience, focusing the last four years on security. Tony provides design, implementation, and management of security solutions for many Fortune 500 enterprise networks. Tony is also the writer and editor of the About.com site for Internet/Network Security and writes frequently for many technical publications and Web sites.
I want to thank my Sunshine for everything she has done for me, and everything she does for me and for our family each day. She is the glue that holds us together and the engine that drives us forward.
I also want to thank Erin Heffernan and Jaime Quigley for their patience and support as I worked to complete my contributions to this book. Lastly, I want to thank Syngress for inviting me to participate on this project.
Tony wrote Chapter 1 (An Overview of Spyware) and Chapter 2 (The Transformation of Spyware).
Jeremy Faircloth (Security+, CCNA, MCSE, MCP+I, A+, etc.) is an IT Manager for EchoStar Satellite L.L.C., where he and his team architect and maintain enterprisewide client/server and Web-based technologies. He also acts as a technical resource for other IT professionals, using his expertise to help others expand their knowledge. As a systems engineer with over 13 years of real-world IT experience, he has become an expert in many areas, including Web development, database administration, enterprise security, network design, and project management. Jeremy has contributed to several Syngress books, including Microsoft Log Parser Toolkit (Syngress, ISBN: 1932266526), Managing and Securing a Cisco SWAN (ISBN: 1-932266-91-7), C# for Java Programmers (ISBN: 1-931836-54-X), Snort 2.0 Intrusion Detection (ISBN: 1-931836-74-4), and Security+ Study Guide & DVD Training System (ISBN: 1-931836-72-8).
Jeremy wrote Chapter 3 (Spyware and the Enterprise Network).
Craig A. Schiller (CISSP-ISSMP, ISSAP) is the President of Hawkeye Security Training, LLC. He is the primary author of the first Generally Accepted System Security Principles. He was a coauthor of several editions of the Handbook of Information Security Management and a contributing author to Data Security Management. Craig is also a contributor to Winternals Defragmentation, Recovery, and Administration Field Guide (Syngress, ISBN: 1597490792). Craig has cofounded two ISSA U.S. regional chapters: the Central Plains Chapter and the Texas Gulf Coast Chapter. He is a member of the Police Reserve Specialists unit of the Hillsboro Police Department in Oregon. He leads the unit’s Police-to-Business-High-Tech speakers’ initiative and assists with Internet forensics.
Craig wrote Chapter 4 (Real Spyware—Crime, Economic Espionage, and Espionage).
Ken Caruso is a Senior Systems Engineer for Serials Solutions, a ProQuest company. Serials Solutions empowers librarians and enables their patrons by helping them get the most value out of their electronic serials. Ken plays a key role in the design and engineering of mission-critical customer-facing systems and networks. Prior to this position, Ken worked at Alteon, a Boeing Company, Elevenwireless, and Digital Equipment Corporation. Ken’s expertise includes wireless networking, digital security, and design and implementation of mission-critical systems. Outside of the corporate sector Ken is cofounder of Seattlewireless.net, one of the first community wireless networking projects in the U.S. Ken is a contributor to OS X for Hackers at Heart (Syngress, ISBN: 1597490407).
Ken studied Computer Science at Daniel Webster College and is a member of The Shmoo Group of Security Professionals. Ken has been invited to speak at many technology and security events, including but not limited to Defcon, San Diego Telecom Council, Society of Broadcast Engineers, and CPSR: Shaping the Network Society.
Ken wrote Chapter 7 (Dealing with Spyware in a Non-Microsoft World).
Paul Piccard serves as Director of Threat Research for Webroot, where he focuses on research and development, and provides early identification, warning, and response services to Webroot customers. Prior to joining Webroot, Piccard was manager of Internet Security Systems’ Global Threat Operations Center. This state-of-the-art detection and analysis facility maintains a constant global view of Internet threats and is responsible for tracking and analyzing hackers, malicious Internet activity, and global Internet security threats on four continents.
His career includes management positions at VistaScape Security Systems, Lehman Brothers, and Coopers & Lybrand. Piccard was researcher and author of the quarterly Internet Risk Impact Summary (IRIS) report. He holds a Bachelor of Arts from Fordham University in New York.
Paul wrote Chapter 8 (The Frugal Engineer’s Guide to Spyware Prevention).
Lance James has been heavily involved with the information security community for the past 10 years. With over a decade of experience with programming, network security, reverse engineering, cryptography design and cryptanalysis, attacking protocols, and a detailed expertise in information security, Lance provides consultation to numerous businesses ranging from small start-ups to governments, both national and international, as well as Fortune 500s and America’s top financial institutions. He has spent the last three years devising techniques to prevent, track, and detect phishing and online fraud. He is a lead scientist with Dachb0den Laboratories, a well-known Southern California “hacker” think tank; creator of InvisibleNet; a prominent member of the local 2600 chapter; and the Chief Scientist with Secure Science Corporation, a security software company that is busy tracking over 53 phishing groups. As a regular speaker at numerous security conferences and a consistent source of information for various news organizations, Lance is recognized as a major asset in the information security community.
Lance wrote Appendix A (Malware, Money Movers, and Ma Bell Mayhem!).


374_Spyware_TOC.qxd 6/30/06 5:15 PM Page xiii

Contents

Chapter 1 An Overview of Spyware . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Spyware: Defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
How Spyware Works . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Why Spyware Is Not a “Virus” . . . . . . . . . . . . . . . . . .5
Commonly Seen Spyware . . . . . . . . . . . . . . . . . . . . . . .5
Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Malware: Defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
How Malware Works . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Commonly Seen Malware . . . . . . . . . . . . . . . . . . . . . . . .8
Adware: Defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
How Adware Works . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Commonly Seen Adware . . . . . . . . . . . . . . . . . . . . . . . .10
Parasiteware: Defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
How Parasiteware Works . . . . . . . . . . . . . . . . . . . . . . .11
Commonly Seen Parasiteware . . . . . . . . . . . . . . . . . . . .12
Phishing: Defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
How Phishing Works . . . . . . . . . . . . . . . . . . . . . . . . . .12
Commonly Seen Phishing Attacks . . . . . . . . . . . . . . . . .14
PayPal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
eBay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Citibank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Washington Mutual . . . . . . . . . . . . . . . . . . . . . . . . .17
IRS Tax Refund . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Botnets: Defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
How Botnets Work . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Commonly Seen Botnets . . . . . . . . . . . . . . . . . . . . . . . .19
xiii



374_Spyware_TOC.qxd

xiv

6/30/06

5:15 PM

Page xiv

Contents

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .24
Chapter 2 The Transformation of Spyware . . . . . . . . . . 27
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
The Humble Beginnings . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Targeted Marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Hitting the Internet Target . . . . . . . . . . . . . . . . . . . . . . .30
Selling Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Adware Evolves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Making a Name for Itself . . . . . . . . . . . . . . . . . . . . . . .34
All Roads Lead to Microsoft . . . . . . . . . . . . . . . . . . .34
The Making of a Buzzword . . . . . . . . . . . . . . . . . . .34
The Early Effects of Spyware . . . . . . . . . . . . . . . . . . . .35
Early Means of Prevention . . . . . . . . . . . . . . . . . . . . . . .35
Spyware in the Twenty-First Century . . . . . . . . . . . . . . . . . .38

How Spyware Has Evolved . . . . . . . . . . . . . . . . . . . . .38
Increased Use of Spyware
in the Commission of Criminal Acts . . . . . . . . . . . . .39
Antispyware Legislation . . . . . . . . . . . . . . . . . . . . . . . . .41
The Future of Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .46
Chapter 3 Spyware and the Enterprise Network . . . . . 49
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Keystroke Loggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
How Keystroke Loggers Work . . . . . . . . . . . . . . . . . . .53
Known Keystroke Loggers . . . . . . . . . . . . . . . . . . . . . .56
KeyGhost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
KEYKatcher/KEYPhantom . . . . . . . . . . . . . . . . . . .57
Invisible KeyLogger Stealth . . . . . . . . . . . . . . . . . . . .58
Spector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Boss EveryWhere . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Known Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60


374_Spyware_TOC.qxd

6/30/06

5:15 PM

Page xv

Contents


Trojan Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
How Spyware Works with Trojan Horses . . . . . . . . . . .63
Known Spyware/Trojan Software . . . . . . . . . . . . . . . . .65
D1Der . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Sony Digital Rights Management . . . . . . . . . . . . . . .66
Kazanon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Spyware and Backdoors . . . . . . . . . . . . . . . . . . . . . . . . . . .68
How Spyware Creates Backdoors . . . . . . . . . . . . . . . . .68
Known Spyware/Backdoor Combinations . . . . . . . . . . .70
A Wolf in Sheep’s Clothing: Fake Removal Tools . . . . . .71
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .77
Chapter 4 Real Spyware—Crime,
Economic Espionage, and Espionage . . . . . . . . . . . . . . 79
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
White to Gray to Black—
Increasing Criminal Use of Spyware . . . . . . . . . . . . . . . . . .81
White to Gray—Ethical to Unethical . . . . . . . . . . . . . . .82
Hacker Ethic to Criminal Ethic . . . . . . . . . . . . . . . . . . .82
Unethical Practices for the Benefit of Companies . . . . . .84
Spyware for Government Use . . . . . . . . . . . . . . . . . . . .86
It’s All in the Delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Targeted, Networked Spyware . . . . . . . . . . . . . . . . . . . .89
Phishing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Botnets Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
The Botnet-Spam and Phishing Connection . . . . . . .99
Phishing Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
What to Look For . . . . . . . . . . . . . . . . . . . . . . . . . . . .100

Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Internet Resources . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Reporting Phishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Law Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Antiphishing Consortiums . . . . . . . . . . . . . . . . . . . . . .112
Antiphishing Software Vendors . . . . . . . . . . . . . . . . . . .115
Bot Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Detecting Bots on a Host . . . . . . . . . . . . . . . . . . . . . .116

xv


374_Spyware_TOC.qxd

xvi

6/30/06

5:15 PM

Page xvi

Contents

Finding Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Internet Resources . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Reporting Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Law Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Antibotnet Consortiums . . . . . . . . . . . . . . . . . . . . . . .130

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .141
Chapter 5 Solutions for the End User . . . . . . . . . . . . . 143
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Freeware Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Ad-Aware Personal . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Installing Ad-Aware Personal . . . . . . . . . . . . . . . . . .145
Scanning for Spyware . . . . . . . . . . . . . . . . . . . . . . .146
Reviewing Detected Spyware . . . . . . . . . . . . . . . . .149
Additional Ad-Aware Features . . . . . . . . . . . . . . . . .151
Spybot – Search & Destroy . . . . . . . . . . . . . . . . . . . . .154
Installing Spybot – Search & Destroy . . . . . . . . . . . .154
Updating Spybot – Search & Destroy . . . . . . . . . . .157
Scanning for Spyware . . . . . . . . . . . . . . . . . . . . . . .158
Additional Spybot Features . . . . . . . . . . . . . . . . . . .159
Microsoft Windows Defender . . . . . . . . . . . . . . . . . . .164
Installing Windows Defender . . . . . . . . . . . . . . . . .165
Scanning for Spyware . . . . . . . . . . . . . . . . . . . . . . .167
Reviewing Detected Spyware . . . . . . . . . . . . . . . . .169
Windows Defender Tools . . . . . . . . . . . . . . . . . . . .172
AntiSpyware versus Windows Defender . . . . . . . . . .176
Keylogger Hunter . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Testing Keylogger Hunter . . . . . . . . . . . . . . . . . . . .178
Toolbar Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
12Ghosts Popup-Killer . . . . . . . . . . . . . . . . . . . . . . . .179
Yahoo! Anti-Spy Toolbar . . . . . . . . . . . . . . . . . . . . . . .181
Google Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Mozilla Firefox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Licensed Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185

Webroot Spy Sweeper . . . . . . . . . . . . . . . . . . . . . . . .186


374_Spyware_TOC.qxd

6/30/06

5:15 PM

Page xvii

Contents

Ad-Aware Plus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
McAfee AntiSpyware . . . . . . . . . . . . . . . . . . . . . . . . .190
SpyCop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .198
Chapter 6 Forensic Detection and Removal . . . . . . . . 201
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Manual Detection Techniques . . . . . . . . . . . . . . . . . . . . . .202
Working with the Registry . . . . . . . . . . . . . . . . . . . . .203
Registry Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Start-Up Applications . . . . . . . . . . . . . . . . . . . . . . .206
File Association Hijacking . . . . . . . . . . . . . . . . . . . .208
Detecting Unknown Processes . . . . . . . . . . . . . . . . . . .209
Researching Unknown Processes . . . . . . . . . . . . . . .213
Detecting Spyware Remnants . . . . . . . . . . . . . . . . . . .216
Temporary File Caches . . . . . . . . . . . . . . . . . . . . . .216

Windows System Restore . . . . . . . . . . . . . . . . . . . .218
Windows File Protection . . . . . . . . . . . . . . . . . . . .219
Windows Hosts File . . . . . . . . . . . . . . . . . . . . . . . .220
Internet Explorer Settings . . . . . . . . . . . . . . . . . . . .222
Detection and Removal Tools . . . . . . . . . . . . . . . . . . . . . .223
HijackThis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Reviewing HijackThis Results . . . . . . . . . . . . . . . .226
Reviewing a HijackThis Sample Log . . . . . . . . . . . .229
Removing Detected Items . . . . . . . . . . . . . . . . . . .234
HijackThis Miscellaneous Tools . . . . . . . . . . . . . . . .235
2
a HiJackFree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
InstallWatch Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240
Performing a Scan with the
InstallWatch Pro Wizard . . . . . . . . . . . . . . . . . . . . .241
Performing a Scan without
the InstallWatch Pro Wizard . . . . . . . . . . . . . . . . . .245
Reviewing InstallWatch Pro Results . . . . . . . . . . . .246
Unlocker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
VMware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
Snapshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252

xvii


374_Spyware_TOC.qxd

xviii

6/30/06


5:15 PM

Page xviii

Contents

Enterprise Removal Tools . . . . . . . . . . . . . . . . . . . . . . . . .253
BigFix Enterprise Suite . . . . . . . . . . . . . . . . . . . . . . . .253
FaceTime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Websense Web Security Suite . . . . . . . . . . . . . . . . . . . .257
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .262
Chapter 7 Dealing with Spyware
in a Non-Microsoft World . . . . . . . . . . . . . . . . . . . . . . 265
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
Spyware and Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
Does It Exist? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
What Keeps Linux Spyware Free? . . . . . . . . . . . . . . . .267
Linux Is Not a Large Enough Target . . . . . . . . . . . .267
Linux Is Fundamentally Not
Vulnerable to These Types of Attacks . . . . . . . . . . . .268
The Definitive Answer? . . . . . . . . . . . . . . . . . . . . . .269
Root Security . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Malware, Worms, and Viruses . . . . . . . . . . . . . . . . . . .271
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272
Spyware and the Macintosh . . . . . . . . . . . . . . . . . . . . . . . .274
OS X Viruses and Malware . . . . . . . . . . . . . . . . . . . . .274
Leap-A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274

Inqtana.A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Tools for the Macintosh . . . . . . . . . . . . . . . . . . . . . . . .276
MacScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .284
Chapter 8 The Frugal Engineer’s Guide to Spyware
Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Locking Down Internet Explorer . . . . . . . . . . . . . . . . . . .288
Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . .290
Drive-by Downloads . . . . . . . . . . . . . . . . . . . . . . . . . .291
Locking Down Internet Explorer . . . . . . . . . . . . . . . . .293
Pop-Up Blocker . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Developing a Security Update Strategy . . . . . . . . . . . . . . .301


374_Spyware_TOC.qxd

6/30/06

5:15 PM

Page xix

Contents

Using Microsoft WSUS . . . . . . . . . . . . . . . . . . . . . . . .302
Microsoft Baseline Security Analyzer . . . . . . . . . . . . . .308
Windows Checks . . . . . . . . . . . . . . . . . . . . . . . . . .310

IIS Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .311
SQL Server Checks . . . . . . . . . . . . . . . . . . . . . . . .311
Desktop Application Checks . . . . . . . . . . . . . . . . . .312
Securing E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
Securing Outlook . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Securing Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318
Using Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . .324
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .332
Appendix A Malware, Money
Movers, and Ma Bell Mayhem! . . . . . . . . . . . . . . . . . . 335
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Mule Driving and Money Laundering . . . . . . . . . . . . . . . .336
How Phishers Set Up Shop . . . . . . . . . . . . . . . . . . . . .337
The Process of Receiving the Money . . . . . . . . . . . . . .338
Western Union . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Mule Liability and Position . . . . . . . . . . . . . . . . . . . . .341
U.S. Operations and Credit Cards . . . . . . . . . . . . . .341
Phishers Phone Home . . . . . . . . . . . . . . . . . . . . . . . . . . . .342
Defining Telecommunications Today . . . . . . . . . . . . . . .342
SIP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344
SIP Communication . . . . . . . . . . . . . . . . . . . . . . . .345
Caller ID Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . .346
SBC Network Takeover . . . . . . . . . . . . . . . . . . . . .349
Anonymous Telephony . . . . . . . . . . . . . . . . . . . . . . . .352
Phreakin’ Phishers! . . . . . . . . . . . . . . . . . . . . . . . . . . .352
Slithering Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
Malware in 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354
Early 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .354
Mid-2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355
End of 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Trojans of 2004 . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Malware in 2005 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
Malware Distribution Process . . . . . . . . . . . . . . . . .357
Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .367
Blind Drops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
The Phuture of Phishing . . . . . . . . . . . . . . . . . . . . . . . . . .370
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .373
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Chapter 1

An Overview
of Spyware

Solutions in this chapter:

■ Spyware: Defined
■ Malware: Defined
■ Adware: Defined
■ Parasiteware: Defined
■ Phishing: Defined
■ Botnets: Defined

Summary
Solutions Fast Track
Frequently Asked Questions

Introduction
Spyware is a term that in many ways has become a commonly used substitute for many other types of intrusions on a host. To compare it to something in the nontechnical world, it would be similar to asking someone for some aspirin, but in return getting acetaminophen, ibuprofen, or some other pain reliever.

In this chapter, we are going to set aside a number of pages to untangle this grouping of concepts. We will define what spyware is and compare and contrast it against other, similar types of attacks, beginning with what is generally accepted as the true definition of spyware.

Spyware: Defined
Spyware is unauthorized software installed on your computer system that somehow "spies" on, or gathers information about, you or your computer and delivers it to someone else. It runs hidden in the background and can monitor your Web surfing, capture keystrokes typed on your keyboard, gather information from your hard drive, and more.

The majority of spyware is not inherently designed to harm you or your computer. The intent of the spyware is to monitor your actions and behaviors on the computer and return that information to someone else, who can use it to predict what will interest you so that they can sell you products and services. What makes spyware "malicious" is primarily that it is installed without your direct knowledge or consent.

How Spyware Works
One of the most common ways to get spyware on your system is by installing software from questionable sources. Many freeware and shareware applications, or Peer-to-Peer (P2P) file-sharing programs, install spyware applications in the background. Some provide notification about the software buried within the legalese of the End User License Agreement (EULA), but few users read the EULA in its entirety.

InstaFinder is an example of an adware or spyware program that does, in fact, explain up front what the software will do. The EULA for InstaFinder (see Figure 1.1), which the user can click on to read before installing the Kazaa Desktop, details the activities the software will perform and what the user's rights are related to the spyware. Most users will simply click OK without reading or fully understanding the legally binding EULA they are agreeing to, though.

Figure 1.1 Kazaa Desktop and the EULA for InstaFinder

The more malicious or insidious spyware programs don't even provide the courtesy of notifying you through a EULA, though. They simply install themselves as a part of, or in addition to, some other software you install on your computer. Some may even take advantage of "features" or vulnerabilities in certain operating systems or Web browser applications to automatically install themselves when you visit certain Web sites. This is referred to as a drive-by download.

One company has built its entire advertising business model on the concept of using drive-by downloads to install software that will allow it to generate ad revenue. iFrameDollars.biz markets the use of the iFrame browser exploit to compromise vulnerable machines. iFrameDollars.biz claims that only a 3k file will be installed on vulnerable machines that visit the Web sites, but the iFrame exploit also installs a Trojan downloader called X.chm, which in turn downloads and installs more than 100 additional malicious spyware and backdoor components.

Are You Owned?

Camouflaged Spyware Files

Spyware installs itself in the background, typically with no indication to the user that any installation is going on. The filename of the executable that actually runs the spyware is often disguised to appear as though it is a harmless system file—for example, calling the file svchost32.exe or msexplorer.exe to mimic the svchost.exe or explorer.exe files normally found on a Windows system.

Computer experts may be able to discern which files are normal and which are potentially malicious and disguised to appear "normal," but for everyday users this type of camouflage is extremely effective. If you want to investigate further, you can use a tool like Process Explorer from Sysinternals (www.sysinternals.com/Utilities/processexplorer.html) to help map which processes are associated with which files.
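The sidebar's advice is to map each running process back to its image file and ask whether the name and location are what a genuine Windows binary would have. The script below is an added example that does exactly that check over a process listing; it is not code from the book and not part of Sysinternals Process Explorer. Two things are assumptions: the small KNOWN_GOOD table of where genuine system binaries live on a default install (a real deployment would build it from a clean reference machine), and the process list, which is a constructed sample shaped like a tasklist or Process Explorer export rather than a capture from any real host. It flags two patterns the sidebar describes: a near-miss name such as svchost32.exe or msexplorer.exe, and a genuine name running from a directory the genuine binary never uses.

```python
"""Flag processes whose image names or paths mimic core Windows binaries.

Added example for the "Camouflaged Spyware Files" sidebar. KNOWN_GOOD and
SAMPLE_PROCESSES are assumptions / constructed data, not taken from the book.
ntpath is used so the Windows-style paths parse correctly on any OS.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumption: directories where the genuine copies live on a default install.
# Build this from a clean reference machine before using it in earnest.
KNOWN_GOOD = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "lsass.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    # Internet Explorer is listed so its legitimate name is not mistaken
    # for a look-alike of explorer.exe.
    "iexplore.exe": {r"c:\program files\internet explorer"},
}


@dataclass(frozen=True)
class Finding:
    name: str
    path: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch one- or two-character name tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str):
    """Return the genuine binary that `name` imitates, or None.

    Catches appended digits (svchost32 -> svchost), a genuine stem embedded in a
    longer one (msexplorer contains explorer) and small spelling changes.
    """
    stem, ext = ntpath.splitext(name.lower())
    if ext != ".exe":
        return None
    bare = re.sub(r"\d+$", "", stem)  # strip trailing digits: svchost32 -> svchost
    for good in KNOWN_GOOD:
        gstem = good[:-4]
        if bare == gstem or gstem in stem or edit_distance(stem, gstem) <= 2:
            return good
    return None


def audit(processes):
    """Return a Finding for every (name, image_path) pair that looks camouflaged."""
    findings = []
    for name, path in processes:
        lname = name.lower()
        directory = ntpath.dirname(path.lower())
        if lname in KNOWN_GOOD:
            # Genuine name: the only question is whether it runs from the right place.
            if directory not in KNOWN_GOOD[lname]:
                findings.append(Finding(name, path,
                                        f"genuine name running outside {sorted(KNOWN_GOOD[lname])}"))
            continue
        twin = lookalike_of(lname)
        if twin is not None:
            findings.append(Finding(name, path, f"name mimics {twin}"))
    return findings


# Constructed sample listing (name, full image path); not from a real machine.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost32.exe", r"C:\Windows\svchost32.exe"),
    ("msexplorer.exe", r"C:\Documents and Settings\user\Application Data\msexplorer.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("lsass.exe", r"C:\Windows\System32\lsass.exe"),
    ("lsass.exe", r"C:\Windows\Temp\lsass.exe"),
    ("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PROCESSES):
        print(f"{f.name:16} {f.path}\n    -> {f.reason}")
```

Run against the sample it reports three suspects: svchost32.exe, msexplorer.exe, and the copy of lsass.exe in C:\Windows\Temp; the genuine svchost.exe, explorer.exe, lsass.exe, iexplore.exe and notepad.exe pass. The name heuristics are deliberately loose, so treat a hit as a prompt to look at the file (publisher signature, hash, creation time) rather than as a verdict, and extend KNOWN_GOOD with whatever legitimately runs in your environment to keep false positives down.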

Once on your system, spyware does what its name implies: It spies. Spyware typically monitors and logs Web-surfing habits and reports the information back to some central repository so that the information can be used to target pop-up ads and other annoying messages to you based upon your Web-surfing habits.

Many spyware applications take things even further, though. Spyware may actually monitor and record your keystrokes, capturing credit card numbers, passwords, and other sensitive information and sending that information out as well. Some spyware will alter your Web browser settings and may change your default home page or default search engine without your knowledge or consent.

These are just a few examples of the insidious things spyware can do to an infected system. Aside from delivering annoying pop-up ads and changing your Web browser settings, spyware also saps precious system resources. Although it is designed to run in the background where it won't be noticed, it uses memory and network bandwidth and may cause a noticeable drop in performance.

Why Spyware Is Not a “Virus”
Spyware differs from a virus primarily in that it does not replicate or propagate on its own. By definition, a virus is capable of replicating itself and sending itself out to infect other computers.

A spyware application installs only when the user initiates it, either by agreeing to install it through the EULA, by unwittingly installing it as part of another program, or by visiting a Web site that automatically downloads and installs it. Once on the target system, it does not attempt to make new copies of itself or seek out new machines to infect.

TIP
By disabling or restricting the ability of your Web browser to execute
scripts or run ActiveX controls, you can eliminate the threat of drive-by
downloads on your system.

Commonly Seen Spyware

Here are three examples of commonly seen spyware:

■ Cydoor The vendor of this program markets Cydoor as adware. However, the product provides no uninstallation routine and you cannot remove it using Windows Add/Remove Programs. It also modifies Web browser settings without permission. For more information, visit www3.ca.com/securityadvisor/pest/pest.aspx?id=1472.

■ Claria.eWallet Also referred to as Gator and GAIN, eWallet claims to be a product that is available for free and is supported by the advertising it targets at the user. eWallet is spyware, however, because it changes Web browser settings without permission and covertly sends information, including personally identifiable information,