Which Adware and Spyware are the Most Insidious?

the_dreadnought asks: "I was just asked today which adware and spyware are the most insidious by an acquaintance. He asked me if this stuff was really legal, or was it just not important enough for law enforcement to deal with? I know the porn stuff (not from experience,,,ok, from experience) that dials out to foreign countries is one of the more extreme examples, and Gator is well known, but if Slashdot readers could describe what adware and spyware they think is the sneakiest I would appreciate it. Also, any thoughts on whether some of this stuff is even legal, as it is almost certainly not ethical."

New.Net

[TheSpoom]

I do tech support, and one of the worst things I've seen is a piece of software called New.Net [new.net]. While not technically spyware (though that's arguable), it actually overwrites parts of the user's TCP/IP stack so that any time they access the internet (not just their browser), it gets pushed through the (usually fairly buggy) New.Net DLLs.

And the fun part is, if you (or the user) uncheck the New.Net software in MSCONFIG, it doesn't just stop New.Net from working... They simply stop being able to use the internet. At all. So then we have to pray that their version of New.Net has a working uninstaller, or we have to go through a huge manual uninstall that involves removing multiple registry keys. BTW, if anyone here gets this or other spyware that is difficult to remove, try using a program called HijackThis [tomcoyote.org] and "Fix" anything that looks out of the ordinary (use common sense... don't delete everything).

Re:New.Net

[Jouster]

They used to offer a 5- to 10-cent "bounty" for each copy of New.Net you installed; that's why it was bundled with a lot of other programs.

The bounty program was discontinued, however.

Jouster

Worst Adware Revealed!

[missing000]

With absolute certainty, the worst adware is the threadjack /. post

Especially evil is the sig line advertisement.

Re:hahah

[dasmegabyte]

Autopr0n, your sig is an especially insipid sort of inline advert, because your website is so terrible.

I would never think of advertising my ventures in a slashdot post.

Re:New.Net

[shawnywany]

I agree, that HijackThis program did wonders for my parents' messed up computer. Not only did the search page mysteriously get changed after every reboot, we had the misfortune of answering questions from my little sister about the porn popups the BHO caused when she accessed Neopets. However, one or two clicks with HijackThis and all was right again. Adaware and S&D don't catch everything, looks like I had to add ANOTHER program to my arsenal.

Re:New.Net

[caseih]

The easiest way to delete New.Net is to do the following:
1. remove it using "Add/remove" programs
2. if still not working, remove the WinSock and WinSock2 registry keys from CurrentControlSet
3. Go to network settings on win98 or on 2000/XP, just go into the properties of your network connection and if possible, remove tcp/ip. On XP this is impossible, so ignore this step
4. Add new service. If you're not on XP, just reinstall tcp/ip. On XP, select "have disk" and point it at C:\windows\inf. Then select tcp/ip and install it
5. clean up any newdotnet files lying around.
6. Join a class-action lawsuit against the company that makes this piece of crapware.

Be aware that these steps can cause problems with programs like cyber-sitter or firewalling programs that modify the networking stack. Do this at your own risk.

This is very prolific. I've cleaned it on on laptop twice! I have a supsicion the user is downloading crap all the time, but I do wonder in what form it come in.

Michael

Re:New.Net

[Anonymous Coward]

Or you can just reset Windows XP's TCP/IP stack

from command prompt:

netsh [enter]
int ip [enter]
reset [enter]

then reboot

Re:New.Net

[TheQuantumShift]

or run them all together as MSN tech support is trained to do... "netsh int ip reset resetlog.txt" That along with "regsvr32 softpub.dll" and "regsvr32 wintrust.dll" will fix 99% of MSN problems. That and Referring to OEM...

Re:New.Net

[Tim C]

Isnt netsh a resource kit binary?

Apparently not - I've not installed the resource kit on this machine (which is running XP Pro), but I definitely have netsh available.

Re:New.Net

[uncoveror]

Have you tried Pest Patrol. [regnow.com] It has never failed me when I want to remove spyware crap for my father, or other non-techies who ask me for help. Tweaking The winsock registry keys might work for you or me, but not for them, and they are always asking for help.

Re:New.Net

[TaoJones]

The easiest way to delete New.Net is to do the following:
1. remove it using "Add/remove" programs
2. if still not working, remove the WinSock and WinSock2 registry keys from CurrentControlSet

This is the "easiest" way? Slow down there Turbo... Now, over the phone, YOU try to talk my mother through this "easy" way. Believe me, I'll Make Money Fast selling you a couple of Valium when (and if) you ever get the job done ;)

Re:New.Net

[zcat_NZ]

The problem with most spyware is that if you simply remove it, the software that installed it will also stop working. When the user notices this they will reinstall the software.

You need to find out what the user installed that contained spyware and make sure that software still works or replace it with a non-spyware equivalent. Then make sure the client is happy with the new software, understands why you changed it, and knows why they should NOT reinstall the original software.

Re:New.Net

[iamdrscience]

BTW, if anyone here gets this or other spyware that is difficult to remove, try using a program called HijackThis

Yeah, that one's pretty good, but my favorite program for dealing with invasive spyware is still fdisk!

Re:New.Net

[Deathlizard]

I'll drink to that.

Want to have more fun with new.net? put up a firewall on your network. New.net has problems getting through firewalls, so the internet stops working after five minutes on anything that has it installed.

I think it pissed off half the college students off in the first day the net was up. I got 100 calls the first day saying their internet wasn't working, then when I asked if they had (Insert piece of crap P2P app here), they would always say yes. Gee, I wonder why it doesn't work now.

May

Spyware/malware infests more than just P2P

[Analysis Paralysis]

While most P2P apps are riddled with the stuff (kudos to Shareaza [shareaza.com] and MLDonkey [berlios.de] for steering clear of it), malware can crop up in some surprising places. I once downloaded a Windows Theme from DebbiesThemes [debbiesthemes.com]. It came packaged in an .exe file - when running this it offered to install TopText, then silently (and without asking) tried to install the following:

• iGetNet [spywareguide.com]
• Bonzi Buddy [spywareguide.com]
• Lycos Sidesearch [lycos.com]

Using an application firewall like System Safety Monitor [narod.ru] can help limit these (it intercepts calls between applica

Re:New.Net

[CrazyDuke]

My vote goes to a program that is not quite as popular, but is similarly damaging called OSSproxy. Basically if you have the misfortune of deleting it, your system 's DNS resolution is hosed until you reinstall Windows. You can uncheck it in startup, but like New.Net, you can't DNS anything. Oh, did I mention it does not come with any (obvious) uninstall?

I usually run across this when a customer complains that since they switched off dialup to broadband, they can't access the net. Apparently, there is

IMHO the worst one was........

[i_want_you_to_throw_]

Xupiter! Or what used to be Xupiter. In it's time it really wreaked havoc. [wired.com] Although going to their home page says they are out of business [xupiter.com], ths link on their site shows that they may be up to something else soon [xupiter.com]

You can share some of the love for the Yomtobians here [urbandictionary.com]. These guys are right up there with Spamford Wallace and the Cantor/Siegel in the Internet Hall of Shame.

Xupiter is evil? Agreed 100%

[redgopher]

DEAR GOD! My stomach turns every time that name is mentioned. I worked as a CSR at a local ISP for a year or so, and every time Xupiter was mentioned, nearly all of the employees within earshot would mutter, "Aw, jeez" or something else to that effect.

On another note, I think that Gamespot's download manager, Kontiki, is kind of sneaky.. at least sneaky in the fact that I thought it was just another humble download manager. Then again, why would anyone want you to have their download manager unless they we

I had to help a user over the phone uninstall this

[headbulb]

I used to work for Customer service. A customer called in complaining about xupiter. I told them I didn't have a guide to uninstall it but that I would go the extra mile and find out how to get rid of it. I did a little googling. Found an unistall page. Got the bloody thing uninstalled while the woman on the other side of the phone is thanking me profussly (one of those customers That over reacts and it takes telling her twice to do something because, you are talking to her husband through her)

I then tol

RealOne

[JanusFury]

I'm sure there aren't many people who agree with me, but I personally consider RealOne to be spyware. It's intrusive and has lots of 'features' that are extremely difficult to turn off if you can turn them off at all, and it installs things without telling you. (For example, its 'message center' in the system tray that tells you to Buy RealNetworks Products(tm)(r)!0

Other than that, I don't really run into spyware much, but I find gator and its kin to be the most intrusive and common on the web.

Re:RealOne

[shird]

for the record, I agree with you. It completely overtakes your system, replacing home pages etc. Even the media has support for causing popups with its 'media browser' or whatever they call it.

They used to also have a screen which allowed you to sign up for newsletters.The first checkboxes would all be clear, but scroll down a bit to the ones hidden and they would all be checked!... Its some of the scummiest software I have ever seen, and unfortuantly there is no other player which plays their media.

Re:RealOne

[CaptBubba]

"unfortuantly there is no other player which plays their media"

There is Real Alternative [betanews.com]. I'm not sure how legal it is, but it plays the files and I don't have to install the RealOne crap. Until I found it I simply didn't use any sites that relied upon realplayer files. I was so happy when Amazon.com added WMP samples.

Re:RealOne

[anagama]

Don't forget Xine [xinehq.de]. It plays most of real media stuff (FAQ [xinehq.de]).

Re:RealOne

[tarquin_fim_bim]

unfortuantly there is no other player which plays their media

mplayer! [mplayerhq.hu]

Re:RealOne

[Raunch]

> there is no other player which plays their media

Whatever you feel of their supposed code nazi attitudes; mplayer [mplayerhq.hu] plays almost everything [mplayerhq.hu].

Don't hate the player, hate the game.
I don't have a sig.

Re:RealOne

[galacticdruid]

Ya - no kidding. I hate realplayer. Every time I set my mpgs to load in windows media player, 10 seconds later some kind of dll that always runs sets my file associations back to realplayer. lame!

Re:RealOne

[questionlp]

Depending on which version of Real Player you are using, I'm using 8, you can go into the application's preferences and tell it to disable the Real icon in the systray and not to hijack the associations for other supported media types (in 8's preference dialog and under the Upgrade tab, click on "Auto Restore Settings" and uncheck anything that's checked).

I did that during the setup and after it was running and haven't had that problem since. I haven't touched RealOne, so I don't know where they would hide

Re:RealOne

[MillionthMonkey]

I DO disagree with EVERY frickin app wanting to park itself in the tray.

I went to a bioinformatics conference a few months ago. These biologists would come up and plug their laptops into the projector so they could do their Powerpoint presentations. And it was amazing. ALL of them had tray icons spanning more than halfway across the screen! I completely stopped paying attention to one guy- it was more interesting to count how many spyware icons I could recognize in his tray. And they kept apologizing to t

I agree with you

[sweatyboatman]

I don't use RealPlayer at all. If for some reason a website offers only RealPlayer videos I just do without. not a big deal for me. much more annoying, as you say, to remove the tentacles of Real after you've installed their "free" player.

-sweatyb

Re:I agree with you

[Pieroxy]

Same here. I'm fed up with their sh*t. I do not play their media again, and my computer is just thanking me every day about it!

Re:I agree with you

[shogun]

If you want to play Real Player movies under windows without the crap, just install it, then associated the files with Media Player Classic [sourceforge.net] a neat little player that looks just like ole Media Player 6.x. (It also handles quicktime movies in a similiar fashion)

Re:RealOne

[desenz]

You hit that one on the head. I don't get much other spyware, because its usually easy to avoid (as long as you know what not to download, and aren't using IE) I don't think its even worth usuing Real to begin with. Qualitys not that great, and if you've got the bandwidth quicktime is a far better choice in my eyes.

That said, not everyone has the bandwidth or time to spend on it. And some just don't care.

Re:RealOne

[OYAHHH]

I'm,

Not sure if StartupMonitor will stop Real in it's tracks, at least in terms of dropping things in your startup/system tray, but it is definitely worth a look.

StartupMonitor just sits around and waits for a program to try to install itself into your system tray. If it detects such activity it pops up a message asking you if you want to allow it.

I can proudly state that I only have four icons in my startup tray and each and every one of them I want to be there.

Google for StartupMonitor and you shall

Re:RealOne

[cicho]

Correction. StartupMonitor [mlin.net] doesn't look for systray apps. Rather, it intercepts any attempt by an application to add itself to autostart folder or a registry entry, so that the application will run automatically at startup.

But you can't use it indiscriminately. Most setup programs for example will add a run-once entry to delete temp files or files that were in use and couldn't be replaced - this is something you want to allow. But the same setup program may also be installing fishy stuff, so you need to b

Re:RealOne

[Andy Smith]

I agree with you on two counts...

1. Last week I used RealOne's "check for updates" feature and it said there was a patch available so I told it to update. The update consisted of a full reinstallation, during which I had to give all of my details again and reset all of my settings and preferences to how they were before. Nice.

2. On my WinXP system, RealOne changes the "start navigation" setting in my sound scheme. (This is the sound that is played when, for example, you open a folder in Explorer. It's usu

MSN Messenger

[The Herbaliser]

Has all the same problems as RealOne, plus the way it gets on your computer is really insidious... it's on there before you even open the box.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:RealOne

[Bert64]

I use the "rm" command with "rm" files under any flavor of unix, rm really is the best way to deal with low quality realmedia files anyway.

A more interesting question might be:

[tarquin_fim_bim]

Should the purveyors of operating systems be prosecuted for allowing software to run on their loyal customers computers, without their knowledge or permission. I have never read a Microsoft EULA in it's entirety, does it mention that this is part of the agreement?

Ummmmm, no

[Sycraft-fu]

There are three ways spyware gets on to someone's computer:

1) You visit a website and it installs as an ActiveX control. However you must grant permission for this to happen. By default, it will ask you on a per control basis. You may change this to always deny or always permit if you wish, but it is up to the user to make the call. MS has done nothing wrong here, they allow you to choose how you want your system security set and what you wish to permit.

2) You install an application that, as part of its i

Windows = Spyware

[Deltan]

Windows likes to call home whenever it can. I'm sure it reports back to the mothership far more often than anyone would like to think about.

*synches the strap on his tin foil hat a bit tighter*

Re:Windows = Spyware

[l810c]

What version and exactly when does Windows phone home? I have several versions installed and it seems like I would be getting ZoneAlarm alerts if Windows was trying to phone home.

One word...GATOR

[bluethundr]

Without any doubt in my mind, the most evil form of spyware I am personally aware of is the infamous insidious Gator [gator.com]. Booo, hisss!!!! I am sure there are others, but I'm sure of this: there is a special place in hell for these folks.

Re:One word...GATOR

[H310iSe]

I need help with Gator! One of my clients is hooked on it - it has, literally, hundreds of his passwords for god knows what websites, and he can't function without it. I know you can export and import the password file (as I had to do when I rebuilt his PC, god it pained me to install gator on a PC) but is there any way to extract the URL/Login/Password combinations? I spent a little time looking on Google but found nothing. Any help is welcome.

Re:One word...GATOR

[DeadMeat (TM)]

Roboform [roboform.com] is your friend. It can import Gator passwords and then export them to HTML for printing (or parsing with your favorite scripting language).

It's recommended as Pricelessware [pricelessware.org] by alt.comp.freeware, which means no nasty spyware or adware.

Re:One word...GATOR

[jesser]

You can extract passwords from Gator (or any browser's password manager) one at a time with the "view passwords" bookmarklet [squarefree.com]. Be sure to tell your client that vanilla IE (new versions) and Mozilla Firebird have built-in password remembering, so he won't have to type his passwords each time after he gets rid of Gator.

There are also some password managers that can import from Gator. Roboform is an example. I don't know if I trust any of them, though.

Re:One word...GATOR

[bhtooefr]

Google Toolbar doesn't count, because it is a VOLUNTARY move to enable the spying features (default is to disable them, they give you a nice short EULA that tells you they'll get some info from you if you enable PageRank). Gator and the more insiduous MemoryBlaster (or something like that - it's a taskbar icon that shows you percent free RAM, and takes up about 50% of RAM on a 128MB box with XP itself) count. Taking into account that someone could be blindly clicking links, one could VERY easily get the whole GAIN suite in a few seconds. (BTW, there are MUCH nicer alternatives to those - I've heard RoboForm isn't spyware, and can even import your Gator data if you did once use it, Date Manager? double click on the clock! (oh wait, roblimo can't figure that out) PrecisionTime? ArgoSoft Time Synchronizer is what I use - good ol' fashioned freeware)

Windows Spyware Removal

[Davak]

Here are the removal programs...
Spybot [eon.net.au]
Adware [lsfileserv.com]

However, this begs the more interesting questions....

Is there *nix spyware?
Why not?

Davak

Re:Windows Spyware Removal

[MikeXpop]

Why not?

Because *nix isn't nearly as widely used as a desktop OS as Windows is, and the ones using it are generally more computer-savvy.

Re:Windows Spyware Removal

[zapp]

Is there *nix spyware?
Why not?

I am not aware of any. That doesn't mean there isn't though.

Why? 2 part.
1) a more secure use model. Not many apps allow plugins or scripts to run arbitrarilly. However, if they wanted to, I'm sure people could find a way to write to the user's ~/.profile or .bashrc, etc files. Or atleast hijack Mozilla/etc.

2) Popularity. It's all in the numbers for the people who design spyware. Windows has a significant chunk of the market, and so that is who advertisers target. It's also

Re:Windows Spyware Removal

[jqh1]

I've used ad-aware [lavasoftusa.com] to good effect

Re:Windows Spyware Removal

[MeanE]

"Is there *nix spyware?
Why not?"

Because *nix users are already subscribed to porn sites.

Re:Windows Spyware Removal

[mcpkaaos]

Simple. There is no adware for Linux as companies know that we don't have any money. Isn't that why we use it?

(Easy there mods, don't let the sarcasm fool ya.)

Re:Windows Spyware Removal

[martyros]

Is there *nix spyware?
Why not?

A bunch of reasons already mentioned, but also diversity of platforms. As long as most Unix users are super-choice people (use Mozilla, Galleon, Firebird, Konqueror, whatever), and as long as distributions and configurations abound (RedHat, Gentoo, Debian, Mandrake) it's going to be pretty tough to get spyware that hijacks enough applications to be worth any money to the spies.

OTOH, if one distribution or configuration takes over, and becomes popular, you can bet there wi

Weatherbug

[grumm3t]

That darn weatherbug thing that everyone I know has. You try to uninstall it but it manages to find a way back in :-/

Re:Weatherbug

[bivaughn]

Weatherbug generates massive amounts of fragmented TCP traffic, frustrating Intrusion Detection Sensor administrators everywhere.

Weird Comparison

[serutan]

If somebody leaves a paper bag full of shit on your porch, rings the doorbell and runs away, does it really make any difference whether it's dog shit or cat shit?

Re: Weird Comparison

[Ranger]

If somebody leaves a paper bag full of shit on your porch, rings the doorbell and runs away, ...

You forgot to set it on fire. How can you forget that? By the way, what's you address?

Re:Weird Comparison

[samhalliday]

is that a european, or an african cat?

Windows Media Player...

[penguinrenegade]

gets my vote. Not only does it report your media files, but also any other apps you're running!

/me adjusts tinfoil hat...

Lop.com

[DJ Rubbie]

Lop is by far the worse one ever... recently I convinced my cousin to switch over to Mozilla Firebird, but this article (http://www.spywareinfo.com/articles/lop/) suggested that Mozilla isn't 100% safe, but is much easier to cure than hacking the registry (apparently it's just one line in the user_prefs). One sources said that it changes 47 registry keys... I also found that it randomly mutates into new filenames (actually it downloads newer versions), making it much harder for programs like Adaware to hunt it down.

Also, Lop disguises itself as a mp3 search toolbar. It also comes with newer versions of MSN Plus.

One more thing, some people are willing to profit from lop uninstaller, such as this one - http://www.onlinepcfix.com/spyware/Lop.htm - it contains some more information related to lop.

Hijackers

[zapp]

Unfortunatelly I can't remember the names of them right now, but I've encountered a few spyware things out there that hijack your browser. In other words, they set your homepage to their page (and reset it if you change it), add their links to your favorites, your desktop, and add a flash object to you Active Desktop.

Of course, they aren't applications you can easily remove through control panel.

If anyone knows the names of some of these, please tack a reply onto this :)

Re:Hijackers

[zapp]

Lop.com is one of them. I just read someone else mention it here [slashdot.org]

hotbar

[a.koepke]

One program that really annoys me is hotbar. The main reason so, it adjusts your MS Outlook settings all the time turning off using Word as your HTML editor. It also requires about 2 hours to remove the stupid program.

You remove it using AdAware and it will remove it for that user profile. Then login as another user it will actually install itself again. I logged on as each user to remove it and finally managed to get rid of it, so I thought. It has now appeared back and I know it wasnt the (l)users installing it again since I gave them a lecture about adware and installing crap on machines that I am in charge of.

If a program comes with a valid uninstall feature then I can tolerate it. When its a program thats a biatch to get rid of and keeps coming back I get really ticked off.

It keeps coming back?!

[Dimensio]

I found it and uninstalled it on three employee computers while doing an Office 2000 update. One of them stated flat-out that she didn't know how it got there. I'll check up on them and find out if this bit of malware has returned.

Re:hotbar

[Dunark]

The company I work for has officially designated Hotbar as a "security risk", and has put a Hotbar remover utiity on their desktop support website.

a musical analogy

[Savatte]

which Creed album is the worst?

Spyware that you can't uninstall...

[LamerX]

The best spyware is the stuff that you can't un-install. I can't remember the names of this crap. But I remember one toolbar for IE that I was paid to remove. There was no way to get rid of it. Also, HotBar has to be the worst because everyone installs it without knowing just how bad it is. I've seen it cause more problems with the computer than anything else. Since it integrates into Explorer, OE, Outlook, etc, It causes major headaches. Its so poorly written, and pops up advertising all the time I can't s

AOL client of any flavor

[T5]

I can't count how many times I've had to clean up certain versions of the AOL software. One could strongly consider the new AOL 9, since it turns off Windows Messenger, malware. IMHO, it's not a bad idea to kill it, but to do so and not notify the user is insidious.

Pre-Installed Dell Software

[Jouster]

How about Dell's SupportLink, which (and I have the TCPdumps to prove this) broadcasts your system's S/N, your MS Windows S/N, and several other tantalyzing bits of data back to Dell every 30 minutes or so?

Mind you, I love my Dell, but this pissed me off.

Jouster

Re:Pre-Installed Dell Software

[1010011010]

http://www.macopinion.com/columns/macskeptic/00/1 1 /21/ [macopinion.com]

MacOS 9 made a call to Gilligan's Island and tried to send some information to its little buddy at littlebuddy.apple.com. This was supposed to be a one time event at the end of the install process - but of course, Apple, forgetting that not everyone on the planet has 24/7 high-speed internet to their homes, created a situation where if it fails (ie: God forbid, you're not connected to the internet while installing MacOS 9), it repeatedly tries to get

not just zealousy, they are all bad, Bad BAD!

[kraksmoka]

my most frequent complaint (And ubiquitous from my poor L-users) is "my (fill in browser, i install mozilla for them) is going slow, can you help it". every time. i get Lava Soft's AdAware and clean the systems. immediately, i hear a "oh, that wasn't happening that way before" and collect my tech support check (for beer).

i ilke tech support = beer. but its a lotta shit for a L-user to put up with

pr0n dialers

[Anonymous Coward]

when I worked at v!v!d V1deo, the boss loved the idea of the sneaky pr0n dialers the submitter talked about. (You click on a link that says "Free hot videos!" or whatever, and you get an active-x control which then downloads and installs a windows component and puts the icon on your desktop. Then when you doubleclick that, it actually hangs up your modem and dials out to a foreign country that has INSANE rates, several dollars a minute. Your phone bill can reach into the hundreds very quickly, and the ph

Redsheriff is the one I find particularly annoying

[kevinatilusa]

Not necessarily through the damage it does, but through the sheer number of times I have to get rid of it. Even though I use adaware and block cookies, it still manages to get itself in through a back door (I think it runs as a java applet, which then installs a cookie).

It doesn't do anything particularly nasty (other then send tracking data out), but I find it hard to block and its used by quite a few sites that I visit often (BBC, for example).

SaveNow

[pavera]

The worst program I've ever seen is savenow..
It starts like 5 processes on boot (using between 50-75mb of ram and 20-25% cpu), sends all of your browsing habits somewhere else, and pops up porn, and other various ads randomly while using the computer. It is by far the worst spy/ad ware I've ever seen.

Gator, Xupiter, and more!

[ShadowKatmandu]

Xupiter is a personal demon for me, but Gator is up there as well. Not to mention the uncountable number of little toolbars that install themselves without warning into IE. There was one some time back, I think it was called Bargains or Bargain.com or something like that which was terribly annoying. It was one of those that hijacks your browser and pops up ads whether the page you're on has ads or not.

Personally, I consider spy/adware more annoying than most viruses...

Spyware that launches multiple processes

[TheOtherAgentM]

I don't know the name of the specific spyware, but one of my clients had spyware that would have two processes running at a time. If you terminated one of the processes, a new one would pop up, probably created by the other one. The process names were also random characters, meaning you couldn't just stop certain processes from startup. I did end up using WinPatrol, which is a lifesaver. It's able to look at services, processes, and startup items. It gives more information than just the names and is useful

Most Filesharing software like iMesh and KaZaAaAaA

[dustwun]

Most of the filesharing software people are so eager to defend often install a who's who of spyware/adware today. For an interesting little test, take a clean windows system (no jokes) and install your iMesh kazaa, grokster or any other filesharing program. Then run adaware or spybot against it. You'll see new.net, shop-at-home select agent, gator, and many other nasty little goodies. File-sharing programs running on windows claim to be fighting for user/'fair use' rights, when they are simply fighting for

Business plan

[Chuck Chunder]

1. Ask Slashdot what sort of spyware is the worst. 2. Make this sort of spyware. 3. Profit!

I'll never know the name.

[Elwood P Dowd]

I didn't think that spyware existed on MacOS X, but... my girlfriend came home from school last winter with something really odd. Internet Explorer would, no matter your user preferences, always go to a certain internet shopping site as a homepage. And would give you a barrage of popups constantly. I forget what shopping site, and back then I only had inbound firewalling, so I had no logs to check.

No toolbars installed. No plugins. I created a new user account for her, and that worked, so apparently it hadn't messed with the internals of the Internet Explorer.app (which seems like a vector they'll soon exploit). Crappy, though.

Re:I'll never know the name.

[babbage]

Safari on the mac still can't even handle forms right. try tabbing to a drop down box and see what happens.

Actually, the "can't tab to all form elements" issue is a known one, and, according to David Hyatt, the primary developer of WebCore for Safari, a fix seems to be on the way [mozillazine.org]:

And in case you're curious, here's what we've already got working post 1.1 in WebCore that you can look forward to:

(1) Support for the title attribute using tooltips

(2) The ability to tab to all controls in a Web page and t

CoolWebSearch

[sysadmn]

See The CoolWebSearch Chronicles The story of a thousand hijacks [spywareinfo.com].
Quote:
The difficulty of removing CWS from a user's system has grown from slightly tricky in the first variant to virtually impossible for the latest few. Some of the variants even used methods of hiding and running themselves that had never been used before in any other spyware strains. End Quote.
15 variants so far....

Obviously

[lurker412]

The most insidious are the ones we don't even know about.

Re:Obviously

[morgue-ann]

The most insidious are the ones we don't even know about.

Mod parent up MORE!

Ding ding ding!!!

Why has AIDS killed more people than Ebola? Because it takes long enough to kill the host that many more hosts can be infected. You'd be lucky if you make it to the airport once you contract ebola, let alone fly to the States and bleed out on a Manhattan subway platform at rush hour.

We keep hearing about how horrible Blaster/SoBig/CodeRed &c &c are, but wait until the worm that's been in the wild for

Shocking disrepect for consumer choice

[StefanJ]

You should be ashamed, ashamed!

All these companies want to do is let you know about exciting new products and services that could entertain you, improve your life, and lengthen you genitalia.

Shutting out these innovators . . . well, it smacks of Communism, doesn't it? First TiVO, screening out the ads that broadcasters, our public servants, need to survive. Now this ungrateful attack on champions entreneurship and freedom of choice. Just a bunch of surly, consumer-choice hating Reds is what you all are.

I'm going to tell John Ashcroft what you've been up to so these SpyBot removers can be banned!

Stefan "scared to hell that someone out there might actually be thinking like this" Jones

Biggest spyware

[too_bad]

I am not sure what this thing was, but its the biggest spyware I have seen. It came installed
on my laptop, and even after I installed Linux, it continued to exists. Everytime I forget to press
arrow key while bootup, it would boot into this spyware. Once I am there, I am given a illusion that
this thing looks very similiar to my Linux system, but everything was slow. There was an ambulance
(I think thats what they use for hijacking my laptop) which would keep yelling "Click here to update".

Then it did have something that looked like konqueror and it did show some internet sites. But I couldnt
open more than one tabs in it. Also, every 2.5 seconds it used to open up a colourful window offering
me stuff I did not want.

Then I got a message saying Cindy wants to talk to me. I didnt want to talk to Cindy, but it kept yelling
at me for not saying Hi to Cindy. Cindy was barely wearing any clothes (shudders)

I finally managed to get rid of this spyware, and everytime I think about it I shudder.

Not just adware and spyware

[Ryan Mallon]

More and more applications are becoming intrusive, software such as Winamp, Windows Media Player and Kaaza all having annoying dialog boxes which popup each time you run them if they detect a newer version which you haven't yet downloaded. MSN actually refused to do anything until I upgraded it.

A large number of applications now have an online registration feature, they dont force you to do the registration, but they will bug the hell out of you if you choose not to.

Applications such as RealPlayer try and sign you up to email based newsletters(spam), why should I have to give my details (email address, home address and hobbies for example) to a company in exchange for using their software?

There seems to be a gradual increase in the invasiveness of software, currently most of these 'features' are still optional, but I dont think it will be long before many software companies start making things like software updates, online registration and having a valid email address mandatory.

Worst of them? LiveGirls.exe

[Anonymous Coward]

Recently a client came in with a PC and said it was acting funny and suspected there was some kind of virus on it. A scan detected that there was several files that appeared to be infected with something called "Downloader-DZ" and, along with the links to porn sites (my favorite one being "Operation... SEX!") and the homepage being replaced with a porn page, there were SEVERAL dialers installed, and an attempt to just delete LiveGirls.exe did nothing... it later reapeared.

To put it short, I spent two hours running spyware removal software and manually editing out bad registry keys. A pain.

Oh... and PLEASE tell people they don't need that FUCKING SHIT like hotbar and weather bug either!! I'm sick of seeing that crap on people's PCs!

Mostly Ethics, Seldom Legality

[billstewart]

Most of this software, while some of it is Ethically Challenged, doesn't have legal problems, at least in the US. The stuff claims to be free or cheap, and usually tells you that you'll get advertising, and even though it doesn't always tell you how much data it's collecting, it's usually not breaking any laws by doing it. Even the annoying features like popups or making your machine dog-slow aren't illegal, they're just misfeatures. Often you even have to press a "Pretended to read the fine print of the license" button for it to install.

Some of it's not even broken ethically - if all they're doing with it is deciding which ads to show you, rather than tracking your every move online, especially if they didn't collect personal information about you, and if they didn't lie to you about what they were doing, and if they have a privacy policy that actually reflects what they're doing, that's ok. Not necessarily something you want to run, but ok. Some particular examples are the adware versions of Eudora and Opera.

European data collection laws may have terms that popular spyware violates, but usually the spyware companies aren't based in Europe so there's no legal jurisdiction. The data collection laws themselves are often effectively spyware - in return for "protecting" you, they're also subjecting you to possible audits of your machines because you *might* have personal information about other people on your computer or your PDA or your cell phone. (Sure, they mostly pretend they wouldn't do that to regular citizens, only businesses, but it's pretty much a selective enforcement thing. And you are registering all your computers with the data protection bureau, aren't you?) But at least it doesn't slow your machine down when they're not auditing you.

For more info ...

[fygment]

... maybe this site would help:

http://www.spywareinfo.com/downloads.php

EarthLink users: think about SpyWare Blocker

[valmont]

i've been an earthlink user for quite a few years now and i usually tend to stay away from ISP-supplied software, but they have been putting out some pretty cool shit this year thru various 3rd-party software partnerships/cobrandizing, the latest of which being SpyWare Blocker [earthlink.net] powered by WebRoot. it is actually quite cool: it'll look for advertising companies cookies and disable'em for you, as well as offer you to remove 3rd-party spyware and trojans, i think it can do some other shit but i haven't entirely explored it yet. it maintains a constantly updated database of existing spyware. i wonder if it would catch the New.net shit. hrmzerz. and it's free for all earthlink customers.

Windows

[Hes Nikke]

Microsoft Windows and that dastardly Messenger service. (enabled by default) that would be the most insidious adware out there.

oh and i guess XP qualifies for spyware with that nasty activation "feature" (though not quite)

Re:Windows

[freeweed]

Microsoft Windows and that dastardly Messenger service. (enabled by default) that would be the most insidious adware out there.

Much as I hate the Messaging service, calling it adware is like calling your email client adware.

I think we're missing the point when we can just call any application that receives data and presents it to the user adware. Adware is better applied to things *intended* to serve up ads.

Believe it or not, the Messaging service was originally planned to do other things, and in fact,

How to stop it on XP and above

[friday2k]

In Windows XP there is a feature called Software Restriction Policies (SRP, see here [microsoft.com]). This feature allows you to deny software to run based on Certificates (and Path, and Hash, and Zone for MSI). Since all the Spyware installers use signed Active-X "drive-by" installers this is an effective way to kill them. This, however, is an arms race. You need to collect the certs you want to invalidate first (upon first encounter of a spyware safe their cert into a file and disallow it). You can find the feature in Control Panel->Administrative Tools->Local Security Policy. Have fun!

Preventing Spyware?

[kaptainsunshine]

I'm a end user admin on a small (300 machines ) network where both IE5 and Netscape4 are available ( and nothing else ) on WinNT4. I'm constantly fighting against end users that install spy/adware. I'm losing the battle and re-imaging machines on a daily basis... I'm looking for tips on reducing downtime due to this junk being installed. Any tips would be appreciated.

Re:Preventing Spyware?

[cyt0plas]

Deep Freeze [deepfreezeusa.com]. Once it's installed on a machine, unless they use a boot disk, all changes are transitory. You could even reformat the HD, and it would look like you really did, but after you restart, all changes are gone. You can even define "safe" folders where this doesn't happen, like a shared documents folder.

It's a pain for end users, but if you are already re-imaging daily, it's the same effect without the work.

Microsoft should fix windows

[jonwil]

Basicly, any time a program wants to do something like put something in startup or modify winsock settings or stick files in windows system folder or modify the hosts file or dns settings or things like that, windows should come up with a nicely worded warning about why clicking "yes" is a bad idea.
Also, it should log all these actions so that for example, you can see which programs installed what settings (so you know what to remove)
And it should have something that allows sysadmins to turn off these things completly (just like how its possible to turn off control panel and other system things)

That way, when some idiot wants to install kazza, the system detects that kazza wants to install "privacyviolatingspyware.exe" to c:\windows\system\importantmsfile.exe" and add it to startup and denies the request.

What should be done when the request is deined (either because its completly switched off or because the user clicked "no") is that it should return for file i/o calls "cant open file" and for registry calls whatever the appropriate error is.

Or better yet, pretend to write to the registry or the file but dont actually do it.

Most widespread spyware: Windows XP

[edxwelch]

Windows media player (which is part of WinXP) collects data about what you are listening to and sends it to a MS server. And we don't know what other things are going on under the hood.

Re:Anti-spyware software

[CrackHappy]

I know of a good one, it's called Linux.

Or alternatively, you could use an alternative browser, like Firebird, Mozilla, or Opera. This generally helps keep the spyware and adware down, as these browsers have much better security IMHO than IE.

Re:weird google override

[aderusha]

it's probably this [symantec.com]. likely your hosts file has been hijacked, and quite possibly moved to a different folder (try c:\windows\help\hosts). the link has a removal tool.