NALIT 2004 Professional Development Seminar
September 8-11, 2004, Burlington, Vermont
Malware Session
Tom Salonick, Technology Support Technician, House of Representatives, Pennsylvania

WHAT IS SPYWARE?

The term spyware refers to software that makes unauthorized use of a system's Internet connection to communicate with its developer.

Before we talk about spyware/malware, let me first define the term.  First of all, the terms spyware, malware, adware, eulaware, scumware, trickware and even crapware are somewhat interchangeable.  But there are exceptions.  Adware only displays ads to the end user, nothing else, so to call it spyware is a misconception.  Nonetheless, all of it detracts from the efficiency of the user.  So with that said, I consider it all malware/spyware and may use those terms interchangeably.

Malware is any software that installs on a workstation without the knowledge or consent of the user.  I commonly refer to it as a "drive by" download, where clicking "OK," clicking "Cancel" or simply closing the window transparently downloads and installs the software.  Here are some of the features that malware provides:

  • Deceptive functionality. Spyware often uses a classic "trojan horse" tactic--like a virus. It offers to synchronize your PC's clock or keep track of forms, but it is also doing other hidden things while you browse.
  • Home page hijacking. Did you ever find that your home page was changed, or discover new sites in Favorites that you didn't add? It might be spyware.

  • Loss of privacy. Some spyware keeps track of the web sites you visit and sends that information back to the spyware vendor. Do you want to tell everyone?

  • More advertising. Did you install a popup stopper but you are still getting popups? The ads you are getting may not be from the web site you are on, but from spyware.

  • Stolen advertising. Instead of showing the ads that should appear on a web site, some spyware substitutes its own ads which can rob a web site of revenue.

  • Broken web sites. Spyware sometimes changes the actual content on a web page, and in the process it "breaks" the page. The page may not look correct, or you may get Javascript errors.

  • Reduced performance. Spyware uses up system resources, CPU time, memory, disk space, and Internet bandwidth, making your system slower.

  • System instability. Most spyware isn't very well tested or debugged, and there is no way to report bugs or obtain tech support. The result can be system crashes, hangs, or other strange behavior.

    This is important.  The workstation may freeze, be unable to print, or certain functions within a program will not react appropriately.  Anytime a workstation does not perform as expected, suspect spyware as a leading culprit.

  • Security risks. Some spyware has a built-in update feature that lets the spyware maker download and install new code to your system without your knowledge or approval.

Advertising spyware is software that is installed alongside other software or via ActiveX controls on the Internet, often without the user's knowledge, or without full disclosure that it will be used for gathering personal information and/or showing the user ads.  Advertising spyware logs information about the user.  That logging could include passwords, email addresses, web browsing history, online buying habits, the computer's hardware and software configuration, and the name, age, sex, etc. of the user.

Advertising spyware uses the CPU, RAM and resources of the user's computer, making the user pay for the costs associated with operating it. It then makes use of the user's bandwidth to connect to the internet and upload whatever personal information it has gathered, and to download advertisements which it will present to the user, either by way of pop up windows, or with the ad banners of ad-supported software.

Since there are literally countless variations of spyware, a single fix does not exist.  Therefore, this documentation can only provide a very general set of guidelines for resolution.  Spyware developers constantly deploy new and innovative methods.  Therefore, it sometimes becomes necessary to research those new and unique issues.  As new deviations are discovered and resolved, please feel free to add to this documentation.

 

SPYWARE SYMPTOMS

  • Computer Running Slow
  • Email Bounces or Email Sent Without the Knowledge of the User
  • CD and Hard Drives Spinning for No Reason
  • Program Lockups and Freezes
  • Inability to Print
  • Strange or Excessive Pop-up Ads
  • Change in Internet Explorer Favorites
  • Addition of New Internet Explorer Toolbars

The symptoms above are only mentioned as a very general set of guidelines that may identify the presence of spyware on a user's workstation.  As a general troubleshooting technique, if the user's workstation is not performing as expected, regardless of the issue, a good start toward resolution is to perform a spyware cleanup on that workstation.  More times than not, when a workstation is erratic, spyware removal will restore the workstation to normal operation.

There is no magic program or a single cure for either disinfection or prevention.

Workstation Cleanup

There are three key steps necessary to resolve spyware/malware issues:

  • Recognition and Detection

  • Removal

  • Prevention

These steps require certain processes, requiring patience, diligence and oftentimes, further research.  Each procedure will be discussed in detail.

A.   Recognition and Detection / Removal

For the purposes of discussion, two of the three key stages of resolution become intertwined.  Once recognized and detected, the next logical step is, of course, removal.  Therefore, both of these subjects will be discussed concurrently.

1.    Recognizing -- Detection -- Identification

Many of the symptoms of malware have been listed above.  This is only a guideline and is not, by any means, all-inclusive.  As a more general guideline, if a workstation does not react as expected, regardless of the issue, treat it as a malware infection.  If malware is not the cause of the issue, this removal process will not interfere with other resolutions.  In our experience, the majority of those strange issues without an obvious resolution are, more times than not, caused by a malware infection.

A series of manual processes can be used to identify the presence of malware on a particular workstation.  The first step is to establish which processes should be running on a known, malware-free workstation.  For example, on a known malware-free workstation, identify the processes running in the background (by launching Task Manager and selecting the Processes tab, as discussed below) and log them by taking screenshots (ALT-PRINTSCRN, then CTRL-V in Microsoft Word) of the processes described below.  By comparing the processes running on a "clean" workstation with those on a suspect workstation, malware is much easier to expose.

I.    Add or Remove Programs

From the Control Panel, drill down to Add or Remove Programs.  Remove the obvious.  After implementing this process several times, malware programs become easily identified.  Some malware programs cannot be removed by this process.  If that is the case, manual removal may be necessary.  Internet research, more times than not, will provide instructions for manual removal of such programs.  If a malware program is identified, and manual removal instructions cannot be found on the Internet, other processes, described below, can be used to safely remove the program.

II. Run Task Manager

To launch the Task Manager, press Ctrl-Alt-Delete or right-click on the Task Bar and select Task Manager.  Click the "Processes" tab.  Scroll through the list observing the CPU usage.  Any unknown running process consuming any percentage of the CPU could be malware.  Identify the process.  Oftentimes, a malware program will "piggyback" on IEXPLORE.EXE (Internet Explorer).  If Internet Explorer is running more than 13-17k, malware is hidden and running behind Internet Explorer.

Of course, under the "Processes" tab, any of the processes can be terminated simply by highlighting the process, then clicking the "End Process" button.

The Task Manager is a very good malware identification tool.  The Task Manager recognizes most of the running processes.  It is important to note that Task Manager is only a means of identification, not removal.  By ending the process, the program is only terminated until it is started again by the user or the workstation is re-booted.

The Task Manager can be compared to a fingerprint.  A fingerprint, like Task Manager, only identifies the suspect.  To entirely eliminate the process from running in the future on the workstation, other steps are required, up to and including a manual uninstallation.

It is important to make note of the suspect executable file so that particular program can be manually removed by other means.

Other processes, described below, may also assist in identifying the specific malware running and also removing the malware from starting on the next re-boot. 
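The comparison described above (a clean workstation's process list against a suspect one) can be automated over two saved snapshots.  The following Python script is an added example, not part of this handout; it reads the CSV layout produced by the Windows `tasklist /fo csv` command, and every process name, PID and memory figure in it is constructed.  The doubling threshold used to flag "grown" processes is this example's own rule of thumb, standing in for the Internet Explorer observation above.

```python
import csv
import io

# Constructed snapshots in the CSV layout produced by `tasklist /fo csv` on
# Windows XP (Image Name, PID, Session Name, Session#, Mem Usage). All process
# names, PIDs and memory figures below are invented for this example.
CLEAN_SNAPSHOT = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"csrss.exe","432","Console","0","3,812 K"
"explorer.exe","1204","Console","0","18,244 K"
"iexplore.exe","1580","Console","0","14,320 K"
"""

SUSPECT_SNAPSHOT = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"csrss.exe","440","Console","0","3,900 K"
"explorer.exe","1188","Console","0","18,010 K"
"iexplore.exe","1612","Console","0","31,900 K"
"adhelper.exe","1712","Console","0","2,140 K"
"""


def parse_tasklist_csv(text):
    """Return {image name (lowercase): memory in KB} from tasklist CSV output."""
    processes = {}
    for row in csv.DictReader(io.StringIO(text)):
        # "14,320 K" -> 14320; if a name appears more than once keep the largest
        mem_kb = int(row["Mem Usage"].replace(",", "").split()[0])
        name = row["Image Name"].lower()
        processes[name] = max(mem_kb, processes.get(name, 0))
    return processes


def compare_snapshots(clean_text, suspect_text, growth_factor=2.0):
    """Compare a suspect workstation's process list against a clean baseline.

    Returns two sorted lists: image names that never appear on the clean
    machine ("unknown"), and names present on both whose memory use exceeds
    the clean figure by more than growth_factor ("grown").  The latter models
    the handout's warning that malware often hides behind an oversized
    Internet Explorer process; the factor of 2 is this example's assumption.
    """
    clean = parse_tasklist_csv(clean_text)
    suspect = parse_tasklist_csv(suspect_text)
    unknown = sorted(name for name in suspect if name not in clean)
    grown = sorted(
        name for name, mem in suspect.items()
        if name in clean and mem > clean[name] * growth_factor
    )
    return {"unknown": unknown, "grown": grown}


if __name__ == "__main__":
    report = compare_snapshots(CLEAN_SNAPSHOT, SUSPECT_SNAPSHOT)
    print("Not present on the clean workstation:", report["unknown"])
    print("Using far more memory than on the clean workstation:", report["grown"])
```

Both lists are leads for the manual steps that follow, not verdicts: an unknown image name still has to be identified, and a grown process may simply have more windows open.  Save the clean snapshot once per standard build and re-run the comparison whenever a workstation misbehaves.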

III.    Run MSCONFIG

Start-Run-msconfig-select startup tab.

Scroll through the list and observe the programs that are check marked to the left.  Note the startup item and the command line.  Uncheck any process that can be readily identified as malware.  Unknown items require further research.  A rule of thumb is that if it looks suspicious, take the time to further research the item. 

When running MSCONFIG, un-checking a process will not spell disaster.  MSCONFIG only determines what processes are loaded into memory.  Any changes made will not take effect until the workstation is re-booted.  After un-checking a process and re-booting, the process can again be activated simply by adding a check mark.

Again, make note of any processes that were un-checked.  If an error was made, it is then very easy to go back, and re-check the process.  And if the process was in fact malware, MSCONFIG provides a road map to the location of the program should a manual uninstall be required.

IV.    Editing the Registry

Start regedit.  Start-run-regedit.  Before executing any other procedure, backup the registry:

1) Click the "File" (or "Registry") menu
2) Click "Export Registry File..."
3) Choose an easy to remember folder or location to save the file and name it "regbackup".  The naming convention and location are not important.  However recalling the name and location is of utmost importance.
4) At the bottom of that box, under Export Range, are two buttons; select the one labeled "All", and then click Save.

If an error occurs when deleting a registry key, it's just a matter of importing the exported file to restore the registry to its original condition.

Registry navigation is very similar to that of Windows Explorer.  To locate specific keys associated with malware, search for the specific files using the following:

1) Select Edit-Find

2) From "Find what" type the name of the executable file that was previously identified by "Add or Remove Programs," the "Task Manager" or "MSCONFIG" as being malware.

3) In the "Look at" box, verify that "Keys," "Values" and "Data" are all checked.  Click "Find Next."

4) The "Find" feature will search the registry until a key, value or data containing the search criteria is located.  The "Find" feature will stop and the key, value or data will be highlighted.

5) If you are certain the highlighted key, value or data is malware, delete by selecting "Edit," then "Delete."

6) To continue the search, press the F3 key. Again, the search will stop at the next key, value or data matching the search criteria.  When the entire registry has been searched, a box will appear reading "Finished Searching Through The Registry."

Continue to search for each executable previously identified as being malware.  Delete accordingly.

There are several other registry manipulations that will be discussed in a later section.

V.    Malware Removal Programs

Most geeks recommend running spyware removal software as the sole means of cleaning an infected workstation.  Why?  It's easy and it works, most of the time.  More importantly, it sells software.

I recommend using spyware removal software as a secondary tool.  Why?  Well, there are several reasons.

Before qualifying my reasoning, let me be a little more specific about using removal software as a secondary tool.  By that, I mean my strategy is not to be fully dependent on removal software as the sole source of relief for a workstation infected with malware.  It doesn't necessarily mean that removal software should not be employed as the first step.  But the point is not to be fully dependent on removal software as the only process necessary to totally remove malware from an infected workstation.

Now to qualify this reasoning.  There are virtually dozens of malware removal programs available.  From my evaluation of many of them, I've come to the following conclusion.  There is not a single program on the market that will remove malware completely from a given workstation.  Most will recognize and remove the majority, but there is not a single program, in and of itself, that has been proven to be 100% effective.

So with that, I've logically arrived at the following recommendation regarding malware removal programs.  Simply put, there is not a single malware removal program, to date, that is worth its price, whether it be $2.95, $39.95 or $179.99.  Why?

Because there are several freeware programs that accomplish the same, if not more, than some of those hefty priced programs.  So there is no logical reason to buy the farm when free milk is available in the form of programs such as Spybot, Adaware and Hijack This.

Spybot is freeware, period.  Regardless of the environment in which it is deployed.  The interface is novice friendly and updates are provided at regular intervals.

Adaware, too, is free, but only when used on a personal workstation.  A licensing fee is required when used in a business environment.  Adaware, like Spybot, is user friendly and updates are usually issued at least several times a month by Lavasoft.

But to support my previous statement, Adaware will identify malware that goes unnoticed by Spybot and vice-versa.

The other recommended program is HijackThis.  This is not a malware removal program; instead, it searches for the methods deployed by malware rather than for the malware itself.  When the HijackThis program is first run, a warning reads:

"Since HijackThis targets browser hijacking methods instead of actual browswer hijackers, entries may appear in the scan list that are not hijackers.  Be careful what you delete, some system utilities can cause problems if disabled.  For best results, ask spyware experts for help and show them your scan log.  They will advise you what to fix and what to keep.

Some adware-supported programs may cease to function if the associated adware is removed."

HijackThis is a tool that lists all installed browser add-ons, buttons and startup items, allowing for the inspection and optional removal of selected items.  The program can create a backup of your original settings and can also ignore selected items.

Backups of original settings are always recommended.  If any item is deleted, restoration of the backup file will restore the original settings.

HijackThis may identify instances of malware not recognized by any of the other processes previously discussed.

IMPORTANT FINAL STEP

After completing all the processes described above, cold re-boot the workstation and verify its integrity.  Once you feel certain the workstation is malware-free, there is one final step to complete before returning the workstation to the user.

B.   Prevention

The final step is to follow up by deploying several preventive techniques on the workstation.  The creation of a HOSTS file, altering Internet Explorer settings and the installation of a popup blocker are recommended.  These procedures, collectively, will greatly reduce the possibility of malware being installed on the workstation in the future.  They will not decrease the efficiency of the workstation to any notable degree.

I.  The HOSTS File

The "HOSTS" file in Windows XP, as well as other operating systems, is used to associate host names with IP addresses. Host names are the "www.yahoo.com" or the web address that is associated with any particular website. IP addresses are numbers that mean the same thing as the www words - the computers use the numbers to actually find the sites, but we have words like www.yahoo.com so humans do not need to remember the long strings of numbers in order to visit a particular site.

As an example, the host name for Yahoo! is www.yahoo.com, while its IP address is 204.71.200.67 Either address will take you to Yahoo!'s site, but the www address will first have to be translated into the IP address. If you type in the IP address directly, your computer will not have to look it up.

Try it.  Instead of typing "http://www.yahoo.com" into the address bar, enter 204.71.200.67 instead.  By typing the IP address, the automatic "lookup" procedure is eliminated.

A series of steps are used when searching for IP addresses that go with these host names. The first step, and the one that concerns us here, is the hosts file on your local computer.  In Windows XP, the HOSTS file is located on the local hard drive at: C:\WINDOWS\system32\drivers\etc.  By default, the HOSTS file is hidden.  To view the file, in Windows Explorer, go to Tools-Folder Options-View, then verify that "Show hidden files and folders" is checked.  Note the filename is in uppercase with no file extension.

Computers have a host address of their own - it is known as the "localhost" address, with an IP address of 127.0.0.1 which it uses to refer to itself. If you associate another computer's host name with your localhost IP address, you have effectively blocked that host since all attempts to access it will lead back to you. That is how sites are blocked using the HOSTS file.  The local workstation is told that the IP address of the site we want to block is our own address. That way, the workstation will not ever leave and go looking for the site we are blocking - which keeps that site from appearing because the workstation thinks it has already found the site.

Many web sites have links to other servers for the retrieval of advertisements. In the case of those web servers, the browser will quickly fail to locate the requested data (scripts, images, etc.) from the advertising server because we already told the workstation to look for the information locally - of course it won't find any of it and will quit looking for it - and will continue loading the pertinent portions of the page you want to see.

This process will keep the workstation from even talking to the ad servers; thus ads will not be downloaded, cookies will not be written to the workstation's hard drive, and the workstation will not be "profiled."

It is important not to simply overwrite the default HOSTS file.  The Hosts file on a specific workstation may also include login scripts to certain websites or intranet sites used specifically by the particular user of that workstation.  That data must remain in the Hosts file or the user will be unable to enter a specific web or intranet site. The content of the default Hosts file appears as follows:


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Should the default HOSTS file on a workstation contain entries other than localhost, append to the file instead of overwriting it entirely.  However, it's important to note that some malware programs actually modify the HOSTS file.  In that regard, if a HOSTS file has been modified, pay particular attention to the customized additions and modify them accordingly.

Upon completion of adding the modified HOSTS file to a workstation, the final step is to make the file "read only" and change its permissions so that only an administrator can change it.
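The two rules above, append rather than overwrite, and look closely at any entry malware may have added, can be applied mechanically before the file is copied onto a workstation.  The following Python script is an added example and is not part of this handout or of any of the tools it lists; the HOSTS text it starts from is a shortened copy of the default file shown above plus one constructed intranet entry, the blocklist names are constructed, and the "non-loopback address" heuristic for flagging entries is this example's own.

```python
import ipaddress

# Shortened copy of the default Windows XP HOSTS file shown in the handout,
# plus one constructed entry standing in for a site-specific mapping that a
# user depends on and that must survive the merge.
EXISTING_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
10.1.2.3        intranet.example.local   # constructed: user-specific entry
"""

# Constructed ad/spyware host names; a real list would come from a maintained
# source such as the one linked under SPYWARE LINKS.  "localhost" is included
# to show that names already present are not duplicated.
BLOCKLIST = ["ads.example.net", "tracker.example.org", "localhost"]


def parse_hosts(text):
    """Yield (ip, [hostnames]) for every non-comment, non-blank line."""
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        yield fields[0], [name.lower() for name in fields[1:]]


def merge_blocklist(existing_text, hostnames, sink="127.0.0.1"):
    """Append sink entries for names not already present; never overwrite.

    Existing comments and entries (including user-specific intranet mappings)
    are kept verbatim, and running the merge a second time adds nothing.
    """
    known = {name for _, names in parse_hosts(existing_text) for name in names}
    additions = []
    for host in hostnames:
        host = host.lower()
        if host not in known:
            additions.append(f"{sink}\t{host}")
            known.add(host)
    lines = existing_text.rstrip("\n").splitlines()
    if additions:
        lines += ["", "# --- ad/spyware hosts blocked by pointing them at localhost ---"]
        lines += additions
    return "\n".join(lines) + "\n"


def suspicious_entries(text):
    """Flag entries that do not point at a loopback address.

    Heuristic of this example: a blocking entry always maps to 127.0.0.1 (or
    ::1), so a name mapped anywhere else, or "localhost" itself redirected,
    deserves a manual look before the file is reused.  Returns
    (ip, hostname, reason) tuples; a hit is a review item, not a deletion.
    """
    findings = []
    for ip, names in parse_hosts(text):
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            findings.extend((ip, n, "malformed address") for n in names)
            continue
        for name in names:
            if name == "localhost" and not loopback:
                findings.append((ip, name, "localhost redirected"))
            elif not loopback:
                findings.append((ip, name, "maps to a non-loopback address"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(EXISTING_HOSTS):
        print("review:", finding)
    print(merge_blocklist(EXISTING_HOSTS, BLOCKLIST))
```

On the constructed input the intranet entry is reported for review, which is the intended behaviour: the reviewer confirms it is the user's own and leaves it in place, while a redirected "localhost" or a well-known site pointed at a foreign address is the signature of a malware edit.  The read-only step that follows is still done on the workstation itself (for example with `attrib +r` on the file and NTFS permissions restricted to administrators).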

II.    Internet Explorer Settings

After cleaning the workstation, adjust the Internet Explorer security settings to disable ActiveX controls.

To adjust Internet Security settings for ActiveX controls and plug-ins on Internet Explorer, open Internet Explorer, click on "Tools" menu and select "Internet Options..."

Then select the "Security" tab, make sure that it is set to Medium or higher, then click on the "Custom Level..." button at the bottom.

Adjust the following options for ActiveX controls and plug-ins:

  • Download signed ActiveX controls - Prompt
  • Download unsigned ActiveX controls - Disable
  • Initialize and script ActiveX controls not marked as safe - Disable
  • Run ActiveX controls and plug-ins - Prompt
  • Script ActiveX controls marked safe for scripting – Prompt

Click on "OK" button to apply new settings.
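Both the registry search described under "Editing the Registry" (Edit-Find with Keys, Values and Data checked) and the ActiveX settings just listed can be checked offline against the "regbackup" export the handout asks you to create.  The following Python script is an added example, not part of this handout: it parses the text format written by regedit's "Export Registry File...", searches it for a suspect executable, and compares the Internet zone's ActiveX values with the settings recommended above.  The sample export is constructed (the program name, path and zone values are invented; the key paths are the real Windows locations); the value names 1001, 1004, 1200, 1201 and 1405 and the Enable/Prompt/Disable encoding come from Microsoft's documentation of Internet Explorer security zones, not from the handout.

```python
import re

# Constructed excerpt in the format written by regedit's "Export Registry
# File...".  The Run key is what the MSCONFIG startup tab displays; zone 3 is
# Internet Explorer's Internet zone.  Program name, path and values invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AdHelper"="C:\\Program Files\\AdHelper\\adhelper.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000003
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _decode_value(raw):
    """Turn the exported text form of a value into a Python string or int."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:/binary values are kept in their textual form


def parse_reg(text):
    """Return {key path: {value name: data}}; "" is the (Default) value."""
    registry, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            registry.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(2) else m.group(1)
            registry[current][name] = _decode_value(m.group(3))
    return registry


def search_registry(registry, needle):
    """Emulate regedit's Edit-Find with Keys, Values and Data all checked."""
    needle = needle.lower()
    hits = []
    for key, values in registry.items():
        for name, data in values.items():
            if needle in key.lower() or needle in name.lower() or needle in str(data).lower():
                hits.append((key, name, data))
    return hits


INTERNET_ZONE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
STATE = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Value name -> (setting as listed in the handout, recommended state)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1200": ("Run ActiveX controls and plug-ins", 1),
    "1405": ("Script ActiveX controls marked safe for scripting", 1),
}


def audit_activex(registry):
    """Compare the Internet zone's ActiveX values with the recommended ones.

    A value that is absent from the export is reported as "not set" and
    treated as needing attention, since the zone then inherits a default
    that this script cannot see.
    """
    zone = registry.get(INTERNET_ZONE, {})
    report = []
    for value_name, (label, wanted) in RECOMMENDED.items():
        current = zone.get(value_name)
        report.append({
            "setting": label,
            "current": STATE.get(current, "not set"),
            "recommended": STATE[wanted],
            "ok": current == wanted,
        })
    return report


def weak_activex_settings(registry):
    """Names of the settings that differ from the handout's recommendation."""
    return [entry["setting"] for entry in audit_activex(registry) if not entry["ok"]]


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for key, name, data in search_registry(reg, "adhelper.exe"):
        print(f"found in {key}: {name!r} = {data!r}")
    for setting in weak_activex_settings(reg):
        print("adjust:", setting)
```

Working from the export rather than the live registry has two advantages for this procedure: nothing is deleted by accident while searching, and the same file is the backup you restore from if a deletion turns out to be wrong.  Multi-line hex values (continuation lines ending in a backslash) are ignored by this parser, which is adequate for the Run keys and zone values the handout is concerned with.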

You can also adjust your settings for accepting cookies.  Under "Internet Options..." select the "Privacy" tab, click "Advanced," check "Override automatic cookie handling," select "Accept" for first-party cookies and "Prompt" for third-party cookies, then click OK.

These settings will allow cookies from the website visited by the user, but will prompt before saving any third party cookies.  If nothing else, this will alert the user that an unexpected download may be taking place.

III. Install Google or Yahoo Toolbar

There are two distinct advantages to installing either the Google or Yahoo toolbar.  The user is able to perform a search directly from Internet Explorer.  Secondly, and most significant, either of these toolbars transparently includes a popup blocker, and both work quite well.  Either of these add-ons will eliminate most of the popups that would otherwise be a nuisance to the user.  One caveat is that certain web pages actually require a pop-up to load.  If this is the case, either the Google or Yahoo pop-up blocker can be temporarily disabled.

IV. Cleanup

After removing all known malware from the workstation, take a minute to remove the remnants by running a disk cleanup and disk defragmenter on the local drive.

In Windows Explorer, go to Tools – Folder Options – View, then check "Show hidden files and folders."  This will enable full view of the "Local Settings" folder under the user's profile.  Drill down to the Temp and Temporary Internet Files directories and delete all sub-directories and files.

The path is C:\Documents and Settings\"username"\Local Settings\Temp and C:\Documents and Settings\"username"\Local Settings\Temporary Internet Files.  In the Temp directory, select that root, then delete all sub-directories and files.  The Temporary Internet Files usually contains the cookies and cached graphics.  Delete all files and sub-directories in both but allow the Temp and Temporary Internet Files directories to remain.

The final step includes running disk defragmenter.

SPYWARE LINKS

The following links have been helpful in researching and resolving various spyware issues:

http://www.doxdesk.com/parasite/ - Removal instructions for various spyware applications.

http://www.mvps.org/winhelp2002/hosts.htm#Attention – up-to-date HOSTS file.

http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx - What is Spyware?  According to Microsoft.

http://www.spywareguide.com/  -  a wealth of information including a large database of spyware and adware applications.

http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx - Working with Internet Explorer settings according to Microsoft.

http://www.nsclean.com/axtest.htm - Javascript exploit script.  Safe to use.

http://pgl.yoyo.org/adservers/links.php#2I - Ad blocking links via the hosts file as well as other miscellaneous spyware associated files.

http://www.mvps.org/winhelp2002/ - A spyware troubleshooting guide to Windows XP.

http://www.lavasoft.de – Adaware program.

http://cexx.org/adware.htm - Adware, Spyware and other unwanted "malware" - and how to remove them.

http://www.kephyr.com/ - maintains an up to date suspicious file database.

 
