Mike Healan
Oct. 13, 2003
Several high profile incidents involving various malicious pieces of software (malware) have been written about in the mainstream press recently. Regulators, law enforcement and security experts are beginning to ask serious questions about the ethics and legality of spyware and other malware.
A few months ago, two South African men, Edwin Lombard and Jeanne van der Merwe, conspired to steal over half a million South African Rands from South African bank Absa.
Lombard and van der Merwe used a commercial spyware program, Spectorsoft's eBlaster, to gather information from the bank's customers. eBlaster includes a controversial feature that allows a user to email the installer to victims disguised as an innocuous attachment. The spyware will install itself if the victim is foolish enough to run the email attachment.
Once the spyware was running, the thieves were able to monitor nearly every action performed on the infected computers. The two men managed to steal user names and passwords from bank customers, logged into their bank accounts and transferred the money to their own accounts.
Last week, a malicious hacker used a Remote Access Trojan (RAT) known as The Beast to hack into someone's brokerage account. Once the hacker had the account information, he stole $47,000 from his victim. Like the South African incident, the trojan was emailed to the victim. The victim installed it, believing that it was a new market analysis program.
A program known as Lover Spy also includes an installer that can be emailed to a victim. Lover Spy's installer is disguised as an email greeting card. The software has been pitched through multiple spam mailings as a way to spy on a lover without their knowledge.
The FBI has started an investigation into Lover Spy for violating federal wiretap laws. In most US jurisdictions, it is illegal to install monitoring software on a computer you don't own.
The developer of yet another spyware program, TrueActive Investigator (formerly WinWhatWhere), has removed a similar feature from his own product. The developer cited ethical concerns for his decision, as well as pointing out that the remote installation feature was responsible for a disproportionate amount of tech support issues.
No doubt the fact that the FBI has started investigating a competitor that uses the same sort of remote installation feature factored into his decision.
Around the same time the theft at South Africa's Absa bank was discovered, the FBI arrested New Yorker JuJu Jiang for computer fraud and unauthorized possession of access codes. Jiang installed several copies of a commercial keylogging program onto public internet terminals at Kinkos stores located all over New York City.
For nearly two years, Jiang stole financial information from people using those terminals, set up bogus bank accounts and transferred money from the compromised accounts.
Starting in late 2001, a new threat emerged that has grown far more serious than spyware.
One day, you double-click the Internet Explorer icon to start surfing the web, but instead of your familiar home page, your browser takes you to a pay-per-click search portal. You go to change your home page back to your own preferred site, but you find that access to Internet Options is denied. You click search to look for a way to fix this problem, but a strange search engine that you've never seen before opens up instead of the familiar Google page.
The phrase is "browser hijacking" and it has become one of the worst problems on the internet today. Malicious hackers have grown very adept at writing scripts that redirect Internet Explorer to point to pay-per-click search portals. The payoff for doing this can be huge; the punishment if you are caught is non-existent.
You don't have to install a freeware program that bundles a hijacker to be infected. You don't have to agree to ads. You don't have to open an email attachment. Surfing the web with Internet Explorer using the default settings is all that is required to become infected with a browser hijacker. Sooner or later, it will happen.
There are many ways to hijack Internet Explorer. It can be done very easily with ActiveX scripting. It can be done by exploiting the many flaws in Microsoft's Java VM. It can be done with HTA scripting. It can be done by fooling Internet Explorer into treating a dangerous script as a harmless HTML file.
Staying abreast of security patches from Microsoft goes a long way towards keeping you safe, but sometimes even a fully patched system is not safe. The only guaranteed method to avoid being hijacked by a malicious web site is to not use Internet Explorer.
Until recently, browser hijackers rarely received meaningful press coverage. Some of the tech magazines and newsletters would make an occasional mention of a particular problem. Xupiter is the only hijacker to receive any serious media attention.
For the most part, help sites such as SpywareInfo have been waging a private war with browser hijackers. Once we find a new hijacker using a new method to infect victims, we'll put it on a mailing list for antispyware and antivirus developers and wait for the next hijacker. The people creating these hijackers are becoming more and more clever all the time.
Browser hijackers finally have started to receive some media attention. Wired Magazine has written about Xupiter many times. Stephanie Olsen at CNet wrote a very good article about the QHosts trojan that blocked major search engines recently. PCWorld has written a few articles on this subject.
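The symptoms described above (a replaced home page, a replaced search page, and Internet Options locked out by policy) plus the search-engine blocking attributed to QHosts all leave traces in well-known places. As an added example that is not from the original newsletter, the following audit flags those traces. It assumes the Internet Explorer settings live under the usual HKCU "Main" and policy "Restrictions" keys and are passed in as plain dicts (so it runs offline on any OS), and the expected home page and sample data are constructed values; the hosts-file check assumes a hijacker that pins search engines to its own address, a mechanism the page itself does not detail.

```python
# Added example: audit Internet Explorer settings and the hosts file for
# browser-hijack indicators. Registry values are supplied as dicts; on Windows
# they would come from HKCU\Software\Microsoft\Internet Explorer\Main and
# HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions.
import ipaddress
from urllib.parse import urlparse

# Constructed, hypothetical values: the sites the user actually chose.
EXPECTED_HOME = "http://www.spywareinfo.com/"
TRUSTED_SEARCH_HOSTS = frozenset({"www.google.com", "search.msn.com"})
WATCHED_HOSTS = frozenset({"www.google.com", "google.com", "search.msn.com"})

def audit_ie_settings(main, restrictions):
    """Return hijack indicators found in the IE 'Main' and 'Restrictions' values."""
    findings = []
    home = main.get("Start Page", "")
    if home != EXPECTED_HOME:
        findings.append("home page changed to %r" % home)
    for key in ("Search Page", "Search Bar"):
        url = main.get(key)
        if url and urlparse(url).hostname not in TRUSTED_SEARCH_HOSTS:
            findings.append("%s points to unknown host %r" % (key, urlparse(url).hostname))
    # Locking the user out of Internet Options is done via a policy restriction.
    if restrictions.get("NoBrowserOptions") == 1:
        findings.append("Internet Options disabled by policy (NoBrowserOptions=1)")
    return findings

def audit_hosts(hosts_text):
    """Flag hosts-file lines that map a search engine to a non-local address."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, names = line.split()[0], line.split()[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                               # malformed line, not an indicator
        for name in names:
            if name.lower() in WATCHED_HOSTS and not (addr.is_loopback or addr.is_unspecified):
                findings.append("%s redirected to %s" % (name, ip))
    return findings

# Constructed sample data showing a hijacked profile (not real indicators).
SAMPLE_MAIN = {"Start Page": "http://search.example-portal.test/",
               "Search Page": "http://search.example-portal.test/q"}
SAMPLE_RESTRICTIONS = {"NoBrowserOptions": 1}
SAMPLE_HOSTS = "127.0.0.1 localhost\n203.0.113.5 www.google.com google.com  # constructed\n"

if __name__ == "__main__":
    print(audit_ie_settings(SAMPLE_MAIN, SAMPLE_RESTRICTIONS))
    print(audit_hosts(SAMPLE_HOSTS))
```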
Personally, I am very pleased to see this subject in the press. This private war has gone on long enough. It's time the problem of browser hijacking malware became known to the public at large. It's past time that lawmakers made browser hijacking illegal to protect their constituents. How can it possibly be legal to exploit a flaw in Internet Explorer to sneak aboard software that steals traffic from Google and MSN in order to make a few bucks?
If you or someone you know has been infected with a spyware or a browser hijacker, there are products designed to remove them. Spybot S&D is the most highly recommended of those listed, but any of them will find and remove most known advertising spyware and browser hijackers.
Unfortunately, Spybot will detect only a few surveillance spyware products. Spybot is a free product, so the developer is unable to purchase commercial spyware for testing. For removing commercial spyware, I recommend one of the commercial antispyware products listed in bold on our software page. Any of them will do a fine job of detecting surveillance spyware.
If you have a new browser hijacker that is not removed by these products, we can provide free support at the message boards. Read the FAQ first to make sure you have everything we need to help you. Follow the instructions and someone will guide you through a removal shortly thereafter. This support is provided free of charge, but donations are gratefully accepted.
Should it be illegal to install spyware on a computer you don't own? Vote in the poll and let's hear your opinion.
http://www.spywareinfoforum.info/rd/faq :: Malware removal FAQ
http://www.msnbc.com/news/979063.asp :: Spy Programs Threaten Data on Personal Computers
http://www.spywareinfoforum.info/newlsetter/oct7,2003#loverspy :: Spy on your lover, go to jail
http://news.com.com/2100-1038-5088552.html :: Craving for 'clicks' bogs down search
http://www.spywareinfoforum.info/newlsetter/july22,2003#spyware :: The Cost of Spyware
http://www.sundaytimes.co.za/specialreports/hacking/ :: Absa Bank Hacking Case
http://www.spywareinfoforum.info/downloads.php?cat=sp#det :: List of antispyware software
http://www.spywareinfoforum.info/newsletter/archives/0903/9.php :: Microsoft Patch Doesn't Work
http://www.wired.com/news/infostructure/0,1377,60694,00.html :: Students Toil as Spyware Hunters
http://www.eeye.com/html/Research/Advisories/AD20030820.html :: IE Object Data Remote Execution Vulnerability
http://www.cbsnews.com/stories/2003/09/03/tech/main571296.shtml :: Are You Being 'Snooped'?
All materials on this web site are copyrighted © 2001 - 2012 by Mike Healan or their respective owners.