Monday, February 18, 2008

Definition Of Spyware

Spyware is computer software that enables a third party to obtain covert information about someone's computer activities by silently transmitting data from that person's hard drive.

Many of us think of spyware only as a program used to collect and steal confidential data from a personal computer, especially credit card numbers and passwords. However, spyware can also interfere with the user's computer by installing additional software, monitoring web browser activity for marketing purposes, connecting to the Internet without the user's knowledge and so exposing the machine to infection by harmful viruses, or redirecting HTTP traffic to advertising sites. Spyware can also change settings that affect the computer's performance, resulting in slow Internet connections, a changed home page, and loss of Internet access or of other programs.

Based on the information above, spyware is very similar to many recent viruses. The differences are that spyware is designed to exploit the infected computer for commercial gain, and that it does not replicate itself.

According to Webroot Software, maker of Spy Sweeper, nine out of ten computers infected by spyware were infected through Internet Explorer (IE), because IE was particularly vulnerable to attack by spyware. The reasons were that IE was the primary browser in use around the world, and that its tight integration with Windows allows spyware to reach important and critical parts of the computer's settings.

Besides that, the registry contains numerous locations that allow software to be executed automatically when the operating system boots. Spyware often exploits this design to circumvent attempts at removal. The spyware typically links itself from each of the registry locations that allow automatic execution. Once running, it periodically checks whether any of these links have been removed, and if so, it automatically restores them. This ensures that the spyware will still be executed when the operating system boots, even if some or most of its registry links have been removed.
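The re-linking behaviour described above leaves a recognisable trace: the same binary registered from several autorun locations, often from a directory where no legitimate program lives. The script below is an added example, not code from the original post; it audits a constructed .reg-style export of the well-known Run/RunOnce keys (the value names and paths are invented samples), so it runs anywhere. On a real machine the same logic would be fed from the output of `reg export` or the `winreg` module.

```python
"""Audit Windows autorun registry entries for the re-linking pattern.

Added example, not from the original post. It parses a constructed
.reg-style export rather than the live registry, so it runs offline.
"""
import re
from collections import defaultdict

# Constructed sample export of three autorun keys. "helper32" is the
# invented suspicious entry; the other values are filler.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"helper32"="C:\\Users\\Public\\AppData\\helper32.exe /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"helper32"="C:\\Users\\Public\\AppData\\helper32.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"helper32"="C:\\Users\\Public\\AppData\\helper32.exe /silent"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Directories from which autorun binaries are normally expected (assumption).
TRUSTED_PREFIXES = (
    "c:\\program files",
    "c:\\program files (x86)",
    "c:\\windows",
)

def parse_reg_export(text):
    """Return a list of (key_path, value_name, command) tuples."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # .reg files escape every backslash as "\\"; undo that here
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries

def executable_path(command):
    """Extract the program path from a command line (handles quoted paths)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    # Unquoted: the path ends at the first ".exe" token
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def audit_autoruns(text):
    """Return (path, [keys], [reasons]) for every suspicious autorun binary."""
    by_path = defaultdict(set)
    for key, _name, cmd in parse_reg_export(text):
        by_path[executable_path(cmd).lower()].add(key)
    findings = []
    for path, keys in by_path.items():
        reasons = []
        if len(keys) > 1:
            reasons.append(f"registered in {len(keys)} autorun locations")
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("runs from outside trusted program directories")
        if reasons:
            findings.append((path, sorted(keys), reasons))
    return findings

if __name__ == "__main__":
    for path, keys, reasons in audit_autoruns(SAMPLE_REG_EXPORT):
        print(path, "->", "; ".join(reasons))
        for k in keys:
            print("   ", k)
```

The "registered in several locations" rule is the one that matches the text's description most directly; the trusted-directory rule is a common complement, and a legitimate program such as a user-installed sync client will trip it, so treat the output as a list to review rather than a verdict.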

Negative Effects And The Behaviour Of Spyware In The Computer

Once a computer has been affected by spyware, it will rapidly be infected by many other spyware or unwanted programs when it is connected to the Internet. As time passes, the user will start to notice a slow degradation of system performance. This is because the large amount of spyware creates significant CPU activity and disk usage and interferes with network traffic; in serious cases these negative effects can lead to a system crash. Difficulty connecting to the Internet, however, is the more common problem caused by spyware.

Next, users will start to blame the computer's performance problems on the hardware, a faulty Windows installation, or a virus, because they may not be aware of the presence of spyware on their computer. The result is that users may call for technical help, or even buy a new computer to replace the old one, because the existing system has become slower and slower.

"According to the 2004 AOL study, if a computer has any spyware in it, it typically has dozens of different pieces installed. The cumulative effect and the interactions between spyware components cause the symptoms commonly reported by users: a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it."

Besides that, spyware has the ability to disable the software firewall and antivirus software, and/or to reduce browser security settings, such as enabling ActiveX, in order to open the system to further opportunistic infections. In more serious cases, spyware can even remove anti-spyware programs and modify files on the computer so that it becomes difficult to delete!

Routes Of Infection Of Spyware

Spyware infects computers differently from computer viruses and worms. Spyware does not spread itself through networks and connections. Instead, it breaks through computer security by tricking the user into visiting websites that contain spyware, or by exploiting software vulnerabilities present on the user's computer.

Most spyware is installed without the user's knowledge. To achieve this, the spyware is bundled with other programs in order to trick the user into installing it. For example, Bonzi Buddy, a program bundled with spyware and targeted at children, claims that:

"He will explore the Internet with you as your very own friend and sidekick! He can talk, joke, browse, walk, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's Free!"

Besides that, spyware can also be bundled with shareware, with software downloaded via BitTorrent, and with media files such as MP3 music and RMVB files. To achieve this, spyware authors pay shareware authors to attach the spyware to their software. When a user installs a program downloaded from the Internet, the spyware is installed along with it if that software has been bundled with spyware. In other cases, the spyware author repackages desirable free software with an installer that adds the spyware.

Attacking security holes in the web browser or other software is another route of spyware infection. This occurs when the user navigates to a web page controlled by the spyware author; the page contains code that attacks the browser and forces the computer to download and install the spyware. However, attacking the web browser is not easy either, because commercial antivirus and firewall programs prevent the download and installation. So how does the spyware author achieve this goal? The answer is that the spyware author must have a wide knowledge of commercial antivirus and firewall systems and how they work. They then use a "drive-by download" to put their spyware onto the computer, leaving the user a helpless bystander to the attack. The most common victims of such browser attacks were Internet Explorer and the Sun Microsystems Java runtime.

Besides that, spyware installation very often involves Internet Explorer. History has shown that Internet Explorer was the most attacked target for spyware, because its special integration with the Windows system allows spyware easy access to important and critical parts of the computer. In addition, once it has attached itself to Internet Explorer in the form of a Browser Helper Object, spyware will edit browser settings, for instance changing the security settings, redirecting traffic, or adding toolbars to Internet Explorer.

In other cases, when a computer has been affected by a worm or virus, it will usually be affected by spyware too. Some attackers have even used the Spybot worm to install spyware that puts pornographic pop-ups on the screen of the infected Windows machine. Why would the spyware authors do this? The answer is that they want to gain a personal profit by redirecting browser traffic to advertisements, setting up a channel of funds.

Spyware For Advertisements

Most spyware gathers information about user behaviour for the purpose of advertising. Once the computer has been affected by spyware, the program will display pop-up advertisements immediately, at intervals of seconds to minutes, or whenever the user opens a new browser window. Spyware advertising is attractive to advertisers because the user may visit the specific sites shown in the pop-ups, and the advertiser pays for the placement of the advertisement in the pop-up once the user clicks the advertisement link. Both sides get the profit!

Many users have complained about the irritating and annoying pop-up ads, because spyware usually displays pop-up advertisements for pornography indiscriminately. Links to these sites may be added to the browser history, the Windows system, search functions, and so on. This has a definite negative impact on users who are children, and it could possibly violate anti-pornography laws in some jurisdictions.

A further issue with spyware programs has to do with the replacement of banner ads on viewed sites. Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site's own advertisements (which fund the site) with advertisements that instead fund the spyware authors. This cuts into the margins of advertising-funded web sites.

Spyware Acts As Stealware, Affiliate Fraud, And Identity Theft

Spyware also collects information from the hard drive by attacking affiliate networks: it places the spyware operator's affiliate tag on the user's activity, or replaces the original tag where one already exists. It typically also scans folders and the system registry to build a list of the software installed on the computer, and collects information about the quality of the connection, the way of connecting, the modem speed, etc.

In other cases, spyware is used for identity theft. In August 2005, researchers from the security software firm Sunbelt Software believed that the maker of the common CoolWebSearch spyware had used it to transmit chat contents, user names, passwords, bank information, etc. However, it turned out that "it actually (was) its own sophisticated criminal little trojan that's independent of CoolWebSearch." This case is currently under investigation by the FBI.

Besides that, the Federal Trade Commission estimates that there are about 27.3 million American victims of identity theft. Because of this large number of victims, financial losses totalled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals.

Spyware authors may commit wire fraud with dialler spyware. Dialler programs can reset a modem to dial a premium-rate telephone number instead of the usual ISP. Connecting to these numbers involves long-distance or overseas charges, which invariably result in high call costs. Diallers are ineffective on computers that do not have a modem or are not connected to a telephone line.

Methods Of Prevention Of Spyware

The most useful way to protect a computer from spyware infection is to install an anti-spyware program such as Spyware Doctor, CounterSpy, HijackThis, AVG Anti-Spyware, etc., together with a recommended free firewall such as Comodo Firewall, PC Tools Firewall, and so on. If the computer has unfortunately already been infected by spyware and these anti-spyware programs have difficulty removing it, the user is advised to boot the computer in safe mode, which gives an anti-spyware program a better chance of removing persistent spyware; killing the spyware's process tree can also work.

Besides that, users are advised to use another web browser such as Mozilla Firefox, Opera, etc. instead of Internet Explorer. Although these browsers are not completely safe, compared with Internet Explorer they carry a smaller risk of spyware infection, because Internet Explorer has special integration with the Windows system and is also vulnerable to attack by spyware through ActiveX.

Next, users can install a large hosts file which prevents the user's computer from connecting to known spyware-related web addresses. However, this method may not block spyware perfectly, because spyware can bypass the protection if it connects using an IP address instead of a domain name.
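The following script is an added example, not code from the original post. It shows why a hosts-file blocklist works for names but not for raw IP addresses: name resolution consults the hosts file, while a literal IP never goes through resolution at all. It also shows the usual complement, a network-based blocklist. The domains, addresses and fake DNS answers are constructed samples from reserved documentation ranges, not real spyware infrastructure.

```python
"""Hosts-file blocklist, its raw-IP bypass, and an IP-range complement.

Added example, not from the original post. All names and addresses are
constructed (example/documentation ranges), not real infrastructure.
"""
import ipaddress

# Constructed list of "known spyware-related" hostnames.
BLOCKED_DOMAINS = ["tracker.example-spyware.test", "ads.example-spyware.test"]

def render_hosts_entries(domains, sink="0.0.0.0"):
    """Produce the lines one would append to the hosts file."""
    return [f"{sink} {d}" for d in domains]

def parse_hosts(lines):
    """Map hostname -> address from hosts-file lines, ignoring comments."""
    table = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            table[n.lower()] = addr
    return table

def resolve(target, hosts_table, dns):
    """Simulate name resolution: hosts file first, then DNS.

    A literal IP address never touches either lookup, which is exactly the
    gap the text describes."""
    try:
        ipaddress.ip_address(target)
        return target, "literal-ip"
    except ValueError:
        pass
    if target.lower() in hosts_table:
        return hosts_table[target.lower()], "hosts"
    return dns.get(target.lower()), "dns"

def is_blocked_by_hosts(target, hosts_table, dns, sinkholes=("0.0.0.0", "127.0.0.1")):
    """True only when the hosts file redirected the name to a sinkhole."""
    addr, source = resolve(target, hosts_table, dns)
    return source == "hosts" and addr in sinkholes

# Constructed fake DNS answers (what the network would return without hosts)
FAKE_DNS = {
    "tracker.example-spyware.test": "203.0.113.10",
    "www.example.test": "198.51.100.5",
}

HOSTS = parse_hosts(render_hosts_entries(BLOCKED_DOMAINS))

# Complement: block the address range the spyware hosts live in (constructed)
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def is_blocked_by_ip(target, hosts_table, dns):
    """Catches the raw-IP case the hosts file misses."""
    addr, _ = resolve(target, hosts_table, dns)
    if addr is None:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETWORKS)

if __name__ == "__main__":
    for t in ["tracker.example-spyware.test", "203.0.113.10", "www.example.test"]:
        print(t, "hosts:", is_blocked_by_hosts(t, HOSTS, FAKE_DNS),
              "ip:", is_blocked_by_ip(t, HOSTS, FAKE_DNS))
```

In practice the IP-range rule belongs in the firewall or proxy rather than in a script, which is the same division of labour the text describes for colleges and universities.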

Another method is to avoid downloading shareware that is considered unsafe or suspicious. Downloading programs only from reputable sources can provide some protection from this route of attack. One recommended download site is CNET, which revamped its download directory so that programs must pass inspection by Ad-Aware and Spyware Doctor.

For the information of students: colleges and universities have taken the approach of blocking spyware at the network firewall and preventing known web sites from installing spyware by configuring their web proxies. The purpose is to prevent spyware from redirecting network traffic, which can cause big technical-support problems for the institution.

Tuesday, January 22, 2008

Definition Of Trojan Horse

What is a Trojan Horse?

A Trojan Horse is a program designed to breach the security of a computer system while ostensibly performing some innocuous function.

A Trojan Horse can cause destruction of data, unexpected system behaviour, and a breach of system security without your knowledge. The main difference between a Trojan Horse and a computer virus is that a Trojan Horse is unable to replicate itself, because it does not infect other programs or data. A Trojan Horse, named after the Trojan Horse of Greek mythology, typically comes in good packaging as a file but has some hidden malicious intent within its code. When a Trojan Horse infection occurs, the computer's user will likely experience unwanted system problems in operation, or sometimes loss of valuable data; for example, information may be automatically deleted from disks, the system may freeze or become slower than before, personal information may be stolen, etc.

Routes Of Infections Of Trojan Horse

The majority of Trojan Horse infections occur because the user was tricked into running an infected program. That is why it is advised not to open suspicious attachments and emails. Infection will also occur directly if a suspicious program is sent through an instant messenger, such as the popular Windows Live Messenger, downloaded from a web site, or carried on a USB flash drive (physical infections are rare). Most Trojan Horses are hidden in cute animated pictures and images; infections by that route are very rare, and infections most often occur through downloads.

Method Of Deletion Of The Trojan Horse From Your Computer

Deleting a Trojan Horse from your computer is not simple, since the computer's user may not be aware that the Trojan Horse exists. However, there are several methods of deleting a Trojan Horse: clearing the temporary Internet files regularly, or finding the suspicious file and deleting it manually. Normally, antivirus programs can detect and delete a Trojan Horse automatically. If the antivirus program cannot do this, reboot your computer into safe mode (or safe mode without networking), then run your antivirus program again to search for the unwanted program, and the Trojan Horse should then be deleted.

In short, what is most important is that the computer's user should update the antivirus data regularly to keep the computer from being infected by unwanted programs, so that if there is an infection, the antivirus program can delete them.

Monday, January 21, 2008

Definition Of Computer Viruses

What is a virus? What are the differences between viruses and worms?

A computer virus is a piece of code, or more simply an unwanted program, that is surreptitiously loaded into your computer system without your knowledge in order to corrupt and destroy your computer data.

In fact, viruses are programs that infect other programs by adding their own code to them, so that the virus code gains control when the infected file is started. This simple definition captures the main action of a virus infection. The level of destruction caused by computer viruses is greater than that of computer worms; however, the spreading speed of computer viruses is lower than that of computer worms.

The effects of computer viruses vary, from damage so slight that you are unaware your computer has been infected, to viruses that wipe out the entire contents of disks. Viruses come in many different forms; they are man-made, and most are intentionally designed to replicate themselves automatically. When the virus program runs, it makes a copy of itself and adds itself to another computer program. Each time the infected program is run, the virus is also run. If your system is infected, you can easily spread the virus to others through shared disks and email attachments.

Types of viruses

Boot viruses - These viruses infect the boot records of floppy disks or the master boot records of hard disks. They replace the boot record program (which is responsible for loading the operating system into memory), copying it elsewhere on the disk or overwriting it. Boot viruses load into memory if the computer tries to read the disk while it is booting.
e.g.: Form, Disk Killer, Michelangelo, and Stone virus

Program viruses - These infect executable program files, such as those with extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded in memory during execution, taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk.
e.g.: Sunday, Cascade

Multipartite viruses - A hybrid of boot and program viruses. They infect program files, and when the infected program is executed, these viruses infect the boot record. The next time you boot the computer, the virus from the boot record loads into memory and then starts infecting other program files on disk.
e.g.: Invader, Flip, and Tequila

Stealth viruses - These viruses use certain techniques to avoid detection. They may either redirect the disk head to read another sector instead of the one in which they reside or they may alter the reading of the infected file’s size shown in the directory listing. For instance, the Whale virus adds 9216 bytes to an infected file; then the virus subtracts the same number of bytes (9216) from the size given in the directory.
e.g.: Frodo, Joshi, Whale

Metamorphic viruses - A virus that can reprogram itself. Often it does this by translating its own code into a temporary representation, editing that temporary representation of itself, and then writing itself back out as normal code again.

Polymorphic viruses - A virus that can encrypt its code in different ways so that it appears different in each infection. These viruses are more difficult for antivirus search engines to detect.
e.g.: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101

Macro viruses - A macro virus is a new type of computer virus that infects the macros within a document or template. When you open a word processing or spreadsheet document, the macro virus is activated and it infects the Normal template (a general-purpose file that stores the default document formatting settings). Every document you open refers to the Normal template, and hence gets infected with the macro virus. Since this virus attaches itself to documents, the infection can spread if such documents are opened on other computers.
e.g.: DMV, Nuclear, Word Concept.

ActiveX - ActiveX and Java controls will soon be the scourge of computing. Most people do not know how to control their web browser to enable or disable functions such as playing sound or video, and so, by default, they leave a big hole in their security by allowing applets free run of their machine. There has been a lot of commotion about this, and with the amount of power that Java has, things look a bit gloomy from the security angle.

These are just a few broad categories. There are many more specialized types, but let us not go into that. We are here to learn to protect ourselves, not to write a thesis on computer virus classification.
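The stealth technique described under "Stealth viruses" above (the Whale virus appending 9216 bytes and then subtracting the same number from the size shown in the directory listing) only fools a check that trusts the directory's metadata. The script below is an added example, not code from the original post: an integrity check that reads each file and hashes it, so that a lie in the listing shows up as a mismatch between the reported size and the bytes actually read. The "files" and the "directory listing" are constructed in memory, so the script runs anywhere; the 9216-byte figure is the one given in the text.

```python
"""Integrity check that does not trust the size reported by a directory listing.

Added example, not from the original post. File contents and the
'directory listing' are constructed in memory.
"""
import hashlib

HIDDEN_OFFSET = 9216  # bytes Whale appends, then subtracts from the listed size (from the text)

def snapshot(files):
    """Baseline: true length and SHA-256 of each file, taken from actual content."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}

def verify(baseline, listing, files):
    """Compare the current state against the baseline.

    listing: name -> size as reported by the (possibly lied-to) directory API
    files:   name -> bytes actually read from disk
    Returns name -> list of findings; an empty dict means everything checked out."""
    findings = {}
    for name, data in files.items():
        issues = []
        true_len = len(data)
        if listing.get(name) != true_len:
            issues.append(f"listed size {listing.get(name)} != bytes read {true_len}")
        if name in baseline:
            base_len, base_hash = baseline[name]
            if hashlib.sha256(data).hexdigest() != base_hash:
                issues.append("content hash changed since baseline")
            if true_len - base_len == HIDDEN_OFFSET:
                issues.append(f"grew by exactly {HIDDEN_OFFSET} bytes")
        else:
            issues.append("not in baseline")
        if issues:
            findings[name] = issues
    return findings

# Constructed "clean" state: two inert dummy files
CLEAN = {"EDIT.COM": b"\x90" * 2048, "HELLO.EXE": b"MZ" + b"\x00" * 4094}
BASELINE = snapshot(CLEAN)

def infected_state():
    """Constructed 'infected' state: HELLO.EXE has 9216 filler bytes appended,
    but the directory listing still reports the original size, as a stealth
    virus would arrange."""
    files = dict(CLEAN)
    files["HELLO.EXE"] = CLEAN["HELLO.EXE"] + b"\xCC" * HIDDEN_OFFSET
    listing = {"EDIT.COM": 2048, "HELLO.EXE": 4096}  # lied-to listing
    return listing, files

if __name__ == "__main__":
    listing, files = infected_state()
    for name, issues in verify(BASELINE, listing, files).items():
        print(name)
        for issue in issues:
            print("   ", issue)
```

The hash comparison is what matters: it catches the change regardless of how the size is hidden. The size-mismatch and exact-offset rules are extra signals that point at this particular trick. On a real system, a stealth virus resident in memory could also intercept the reads themselves, which is why the text recommends scanning from a clean boot.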

Nowadays, metamorphic and polymorphic viruses are the most deadly malware. The table below shows the differences between polymorphic viruses and metamorphic viruses.

The Differences Between Polymorphic Viruses And Metamorphic Viruses

Polymorphic Viruses:
  • These viruses encrypt their code into a different form every time they replicate to infect a new file, in order to avoid being detected by antivirus programs.
  • They use a Mutation Engine (MtE) and a random-number generator module to encrypt their code in different forms.
  • They are the hardest for antivirus programs to find, after metamorphic viruses.

Metamorphic Viruses:
  • These viruses hide themselves by rewriting themselves completely each time they infect a new executable.
  • A metamorphic engine is needed to rewrite themselves.
  • Most of these viruses are very large and complicated; almost 90% of the virus is its metamorphic engine.
  • They are very hard for antivirus programs to find.

Based on the data above, metamorphic viruses are more effective than polymorphic viruses. At present, only 30% of unknown polymorphic viruses can be detected by the best antivirus search engines. What about metamorphic viruses, which are even more powerful?
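The comparison above says why polymorphic viruses are hard to catch: each copy is encrypted with a fresh key, so the bytes on disk never repeat. The script below is an added example, not code from the original post, showing from the scanner's side why a plain byte signature fails and what a scanner does instead: recognise the decryptor, reproduce its effect (emulation), and match the signature against the decoded body. The "virus body" is an inert text string, the "decryptor" is a one-byte XOR described by a tiny invented header, and the "generations" come from a toy mutation routine; nothing here is executable code.

```python
"""Why a byte signature fails on a polymorphic sample, and how emulation
recovers the invariant body.

Added example, not from the original post. The body is inert text, the
decryptor is a toy one-byte XOR with an invented 7-byte header.
"""
import os

BODY = b"INERT-SAMPLE-BODY-" * 3          # invariant logic of the toy sample
SIGNATURE = b"INERT-SAMPLE-BODY-INERT"    # what a naive scanner looks for
MAGIC = b"XOR1"                           # invented decryptor marker

def encode_generation(body, key=None):
    """Toy polymorphic engine: a new random key per copy gives different bytes.

    Layout: MAGIC | key (1 byte) | body length (2 bytes, big-endian) | body ^ key"""
    key = os.urandom(1)[0] if key is None else key
    return MAGIC + bytes([key]) + len(body).to_bytes(2, "big") + bytes(b ^ key for b in body)

def raw_signature_match(sample):
    """Naive scanner: look for the signature in the bytes as stored."""
    return SIGNATURE in sample

def emulate_and_scan(sample):
    """Scanner that recognises the decryptor, reproduces what it would do,
    and matches the signature against the decoded body."""
    if not sample.startswith(MAGIC) or len(sample) < 7:
        return False
    key = sample[4]
    n = int.from_bytes(sample[5:7], "big")
    decoded = bytes(b ^ key for b in sample[7:7 + n])
    return SIGNATURE in decoded

def generations(count):
    """Deterministic set of distinct generations (keys 1..count) for testing."""
    return [encode_generation(BODY, key=k) for k in range(1, count + 1)]

if __name__ == "__main__":
    for g in generations(5):
        print(g[:12].hex(), "raw:", raw_signature_match(g), "emulated:", emulate_and_scan(g))
```

This is the reason the table says polymorphic viruses are hard but not the hardest: the decoded body is still constant, so one signature plus emulation of the decryptor catches every generation. A metamorphic engine rewrites the body itself on each infection, so even the decoded bytes no longer contain a fixed signature, and detection has to rely on what the code does rather than on what it looks like.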