Free Republic

Top 10 "Most Unwanted" Spyware Named
TechWeb | December 10, 2004 (2:48 PM EST) | Gregg Keizer

Posted on 12/14/2004 6:22:01 PM PST by Ernest_at_the_Beach

A security firm named the top 10 spyware threats this week, saying that the secretly-installed software poses an "insidious" threat to consumers and corporations alike.

Webroot, which makes end-user and enterprise editions of Spy Sweeper, used its relationship with Internet service provider EarthLink to tally the most prevalent spyware, then selected the worst based on its knowledge of how each works and the damage it can cause.

"We use the P-I index," said Richard Stiennon, Webroot's vice president of threat research. "P is for prevalence, I is for insidiousness."

Each of the ten spyware programs cited by Webroot was spotted at least 50,000 times in the scans that the Boulder, Colo.-based vendor does free of charge on its own Web site, or in conjunction with EarthLink.

"The people who write this stuff are gaining sophistication in their coding practices as they attempt to evade detection and removal," said Stiennon. "These ten are the most insidious programs in terms of prevalence and effect."

Some of the software in Webroot's top 10 may be familiar to users, but most is a blur of anonymous titles that don't impart their potential impact.

Among the former is Gator (also known as GAIN), long infamous because it's bundled with the popular Kazaa peer-to-peer file sharing software. Gator/GAIN, said Webroot, made the top 10 list because it spews banner ads based on your surfing habits.

Others on the list, however, are unknown to all but the most dedicated follower of spyware. They include such programs as PurityScan, which puts up pop-up ads and tricks users into installation by claiming to find and delete porn on the PC; CoolWebSearch, which can hijack searches, browser home page, and IE's settings; and Perfect Keylogger, a spy that records all visited sites, keystrokes, and mouse clicks to, for instance, divine passwords, account numbers, and other sensitive information.

The rest of the list is fleshed out with the likes of n-CASE and KeenValue (adware), TIBS Dialer (software that usurps the modem and dials toll numbers, typically porn pay-by-the-minute phone sites), Transponder and ISTbar/AUpdate (spyware posing as browser assistants), and Internet Optimizer, which hijacks Web errors and re-directs them to its own site.

"It's our goal to inform Internet users of the ramifications of having potentially unwanted programs on their systems," said Stiennon, adding that, "it's their choice to keep or remove these programs. We're just making sure they have that information so they are making knowledgeable decisions."

Webroot isn't the only ranker or rater of behind-the-scene spyware. Computer Associates, which earlier this year purchased Webroot rival PestPatrol, recently added a spyware-only section to its online alert center, where it regularly lists the top 5 threats based on the number of reports it receives from users.

Its current list puts Kazaa at the top, with GameSpy Arcade, Download Accelerators Plus, Ezula, and Adopt.Hotbar.com rounding out the five.

Spyware plagues both consumers and corporations, according to data from analysts. In a recent survey done by IDC, for instance, enterprise users labeled spyware as the fourth-biggest threat to their company's security. They're reacting to the problem by spending money on additional security, a trend that will grow dramatically in the next several years.

According to IDC, anti-spyware software revenues will reach approximately $31 million in 2004, but skyrocket by nearly 10 times to $305 million in 2008.


TOPICS: Extended News; News/Current Events; Technical
KEYWORDS: exploit; getamac; internetexploiter; lookoutexpress; lowqualitycrap; malware; microsoft; patch; securityflaw; spyware; topten; trojan; virus; windows; worm
To: Ernest_at_the_Beach

I'm on earthlink (love it BTW) but I'm not finding a reference for this.


21 posted on 12/14/2004 6:43:11 PM PST by GVnana (If I had a Buckhead moment would I know it?)

To: elmer fudd
Says that uses an ActiveX entry....so Firefox might avoid that one............

_________________________________________

Spyware: ISTbar

ISTbar

ISTbar is an MSIE toolbar, homepage and search hijacker provided by Integrated Search Technologies/CDT Inc. It installs several spyware agents mainly by ActiveX drive-by download (yes you read it correctly) on affiliate sites and delivers mostly porn ads. More details here.
ISTbar also installs porn pop-up producer RapidBlaster and the download assistant DownloadPlus. Can download and execute arbitrary unsigned code from its controlling server. This is used to update the software and to install third-party software.

Files installed are:

mscache.exe, aupdate.exe, aupdate_uninstall.exe, istsvc.exe, mscache.dll and istbar.dll.

Removal:

Uninstall ISTBar from "Add/Remove Programs" in the Windows Control Panel. Look for MS AUpdate, MS Updates, XXXToolbar, ISTsvc or ISTBar. If no such entry exists or if the uninstall fails, contact the vendor for support, use a spyware cleaner, or uninstall ISTBar manually.

AUpdate

Open the Registry and find the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'AutoUpdater' entry on the right (points to aupdate.exe). Find the key HKCR\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'. Delete the subkey of the same name from HKLM\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKLM\Software\Microsoft\Internet Explorer\Toolbar.

Restart the computer and delete the files 'aupdate.exe', 'aupdate.conf', 'aupdate.trk' and 'aupdate_uninstall.exe' from your System folder. (\System32 on Windows NT/2000/XP or just \System on Windows 95/98/ME). Restore your normal search settings (Internet Options > Programs > Reset Web Settings).

MSCache

Open a DOS command prompt window and enter:

cd "%WinDir%\System"
regsvr32 /u ../mscache.dll

Open the Registry and find the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'MS Updates' entry on the right (points to mscache.exe). Find the key HKCR\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'. Delete the subkey of the same name from HKLM\Software\Microsoft\Internet Explorer\Explorer Bars, and the entry of the same name from HKLM\Software\Microsoft\Internet Explorer\Toolbar.

Restart the computer and delete the files 'mscache.exe', and 'mscache.dll' from the Windows (Windows 95/98/ME) or WinNT (Windows NT/2000/XP) folder. Restore your normal search settings (Internet Options > Programs > Reset Web Settings).

XXXToolbar

Open the Registry and find the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Delete the 'IST Service' entry (if there). Open a DOS command prompt window and enter:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\ISTbar\istbar.dll"

Restart the computer and delete the 'ISTbar' folder from the c:\Program Files folder, and the 'istsvc.exe' file from the Windows (Windows 95/98/ME) or WinNT (Windows NT/2000/XP) folder. You can also delete the registry keys HKCU\Software\ISTbar and HKCR\Pugi.PugiObj.


Cleaning

If you are cleaning your system manually, using some of the tips mentioned above, you do this at your own risk. Editing the Registry without some basic knowledge may result in your computer not starting up anymore. And reinstalling Windows may be the only way back. 


22 posted on 12/14/2004 6:44:43 PM PST by Ernest_at_the_Beach (A Proud member of Free Republic ~~The New Face of the Fourth Estate since 1996.)
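
A read-only check for the leftovers named in the removal steps of post 22, added here as an example; it is not part of the original post or of the page that post quotes. It is written in PowerShell, which the post does not use, and assumes an NT-family Windows with PowerShell available; it only reports what it finds.

```powershell
# Read-only audit: reports ISTbar / AUpdate / MSCache leftovers, deletes nothing.
# Every key, value and file name below is taken from the removal steps in the post.
$clsid    = '{69550BE2-9A78-11D2-BA91-00600827878D}'
$findings = @()

# 1. Autostart values under the per-user Run key
$runKey = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
foreach ($name in 'AutoUpdater', 'MS Updates', 'IST Service') {
    $prop = if ($run) { $run.PSObject.Properties[$name] }
    if ($prop) { $findings += "Run value '$name' -> $($prop.Value)" }
}

# 2. Registry keys: COM class, Explorer Bar, vendor keys
# (on 64-bit Windows, 32-bit registrations sit under WOW6432Node; not checked here)
$keys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\$clsid",
    'Registry::HKEY_CURRENT_USER\Software\ISTbar',
    'Registry::HKEY_CLASSES_ROOT\Pugi.PugiObj'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key $k" }
}

# 3. The Toolbar registration is a value named after the CLSID, not a subkey
$tbKey = 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar'
$tb = Get-ItemProperty -LiteralPath $tbKey -ErrorAction SilentlyContinue
if ($tb -and $tb.PSObject.Properties[$clsid]) { $findings += "Toolbar value $clsid" }

# 4. Files and folders in the System, Windows and Program Files directories
$sys    = [Environment]::GetFolderPath('System')
$paths  = @('aupdate.exe', 'aupdate.conf', 'aupdate.trk', 'aupdate_uninstall.exe' |
            ForEach-Object { Join-Path $sys $_ })
$paths += @('mscache.exe', 'mscache.dll', 'istsvc.exe' |
            ForEach-Object { Join-Path $env:WinDir $_ })
$paths += Join-Path $env:ProgramFiles 'ISTbar'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File or folder $p" }
}

if ($findings.Count -gt 0) { $findings } else { 'No ISTbar indicators from the post were found.' }
```

An empty result covers only the names listed in the post, so it does not show that the machine is clean.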

Comment #23 Removed by Moderator

To: Ernest_at_the_Beach

I find if my daughter leaves on her AIM, her computer just gets loads of spyware stuff on it.


24 posted on 12/14/2004 6:45:42 PM PST by Always Right

To: Ernest_at_the_Beach
CA has a free spyware scan offer (using PestPatrol) at their website. You can use it to find out what (if anything) is currently on your system.

I was astonished to find Gator and two keystroke reporters on my PC. Needless to say, I quickly got and installed software to clean up current and prevent future infections.
25 posted on 12/14/2004 6:46:28 PM PST by dr_pat (Life is sexually transmitted.)

To: GVgirl

OK.....well, see post #5.....


26 posted on 12/14/2004 6:46:43 PM PST by Ernest_at_the_Beach (A Proud member of Free Republic ~~The New Face of the Fourth Estate since 1996.)

To: Ernest_at_the_Beach
I spent 8 hours today on one machine. It had 148 instances of "backweb" plus about 20 others.
msie.exe and msrpc32.exe to name a couple.
27 posted on 12/14/2004 6:48:23 PM PST by red-dawg

To: GVgirl
CWS has the ability to modify itself, so finding and removing it is an ongoing challenge for consumers. Once CWS is discovered by an anti-spyware application, such as EarthLink's Spyware Blocker, powered by Webroot, Internet users should take action to immobilize or erase the program from their PCs.

So are you using Spyware Blocker?

Any comments about it...Like does it work?

28 posted on 12/14/2004 6:51:28 PM PST by Ernest_at_the_Beach (A Proud member of Free Republic ~~The New Face of the Fourth Estate since 1996.)

To: red-dawg

Damn.....that has to be painful....


29 posted on 12/14/2004 6:51:56 PM PST by Ernest_at_the_Beach (A Proud member of Free Republic ~~The New Face of the Fourth Estate since 1996.)

To: Ernest_at_the_Beach

I'm spending a big chunk of my time cleaning Trojans and HiJackers off my client's PCs. It's getting really bad especially for IE users. The stuff that replicates itself and hides in the registry is unbelievable. If you miss something, it'll just come right back.

JWinNC


30 posted on 12/14/2004 6:52:22 PM PST by JWinNC (www.webgent.com)

To: Ernest_at_the_Beach
Stupid question from a non geek...

Why can't there be a way to prevent any program from sending anything out?

Example. You are getting information from a site you have chosen. You are connected through your ISP. You know who those two are.
Why can't I limit uploads to just those two sites until I choose otherwise, and no others?

I assume there must be a good reason.

31 posted on 12/14/2004 6:56:38 PM PST by Publius6961 (The most abundant things in the universe are hydrogen and stupidity.)

To: Ernest_at_the_Beach

CW Shredder is a nice little program that will help remove Cool Web Search. But you also have to comb through the Registry to get rid of it completely.

I hate to think how much of my computer's memory is taken up by Norton AntiVirus, ZoneAlarm, Spyware Blaster, Spyware Guard, SpamPal, Ad Muncher, and all the other programs I use to prevent infections. It wouldn't surprise me that it's about 75% protection and 25% programs that I'm running. And that's not to speak of all the complications that have been introduced into Windows itself in order to block these various malicious attacks. SP2 has definitely slowed my computers a bit.


32 posted on 12/14/2004 6:57:38 PM PST by Cicero (Nil illegitemus carborundum est)

To: Ernest_at_the_Beach

ping


33 posted on 12/14/2004 6:57:45 PM PST by Boazo (From the mind of BOAZO)

To: Publius6961
I assume there must be a good reason.

Do you know about ActiveX?

That seems to be a favored entry path....and sockets?

34 posted on 12/14/2004 7:01:08 PM PST by Ernest_at_the_Beach (A Proud member of Free Republic ~~The New Face of the Fourth Estate since 1996.)

To: snapperjk
it is a fallacy that Linux is immune from such problems.

Theoretically immune? Probably not.

Does Linux actually get infected by Spyware? No, not in my many-year experience.

35 posted on 12/14/2004 7:01:45 PM PST by steve86

To: Cicero; Ernest_at_the_Beach

CWShredder didn't do the trick for my polluted PC and my techie fiance working on it; we did the process three times with no luck. A Format C solved the problem nicely, though, and freed up a chunk of space.


36 posted on 12/14/2004 7:02:30 PM PST by Xenalyte (Everything I need to know, I learned from the Bundys.)

To: BearWash

It hasn't been a very big target for the malware writers......yet.


37 posted on 12/14/2004 7:02:56 PM PST by Ernest_at_the_Beach (A Proud member of Free Republic ~~The New Face of the Fourth Estate since 1996.)

To: Ernest_at_the_Beach

Don't know what the top 10 are, but you catch 9 of them from Drudge.


38 posted on 12/14/2004 7:03:27 PM PST by OKSooner

To: Ernest_at_the_Beach

As a cable internet installer that's probably a little more effort than I'm going to go to. Usually I do the cleanup on customers' computers in the course of my work, but I generally restrict myself to downloading and running AdAware, Spybot and Firefox and then explaining to the customer a little about spyware and security in general. Strictly speaking, hardware and software problems are not our concern, but usually we'll try to fix things if we can.


39 posted on 12/14/2004 7:06:51 PM PST by elmer fudd

To: OKSooner; All
Here is a list:

__________________________________________

Spyware perpetrators


Alexa
Aureate / Radiate
BargainBuddy
ClickTillUWin
Comet Cursor
Conducent Timesink
Cydoor
eZula / KaZaa Toptext
Flashpoint / Flashtrack
Flyswat
Gator
GoHip
Hotbar
ISTbar
Lions' Pride Enterprises
Look2me
Lop C2Media
Mattel Brodcast
Morpheus
NewDotNet
PurityScan
RealPlayer
Songspy
Web3000
WebHancer
Windows Messenger
Xupiter

Spyware promotors

Downloadalot


40 posted on 12/14/2004 7:09:14 PM PST by Ernest_at_the_Beach (A Proud member of Free Republic ~~The New Face of the Fourth Estate since 1996.)

