Koozali.org: home of the SME Server

Adware

Ed Form

Adware
« on: April 17, 2003, 11:45:38 AM »
I discovered spyware on one workstation at my single client site that runs an SME server and when I got home I found some on two machines in my own network. In both cases the offending objects were gator and rapid blaster, and in both cases the symptoms were the same - browser windows popping up with adverts in them, often for porn.

I used Lava Software's Ad Aware 6 to remove the junk from each of the machines involved and I can instal the commercial version to keep an eye on incoming stuff on workstations but I'd prefer to stop the stuff at the gateway.

What software can be run on an SME server to deal with intrusions of this type? And is it possible to obtain ready made rule-sets to deal with the standard stuff?

Ed Form

Michiel

Re: Adware
« Reply #1 on: April 17, 2003, 02:37:09 PM »
Basically, adware is just a commercial virus. However, most virus scanners do NOT filter them out because the adware companies threaten to sue anyone who stops them from distributing their stuff (really, what's this world coming to?).

As far as I know, only Trend Micro catches adware (Norton and McAfee certainly don't). Since there is also a (commercial) version of TM for Linux servers, I would assume that you could implement it on an e-smith server. I haven't tried yet, but it’s on my to-do list :-).

If there are any other AV products that do stop adware, I’d love to hear about them.

Bill Talcott

Re: Adware
« Reply #2 on: April 17, 2003, 06:04:44 PM »
The term adware has really lost its meaning. Adware itself is simply software supported by displaying ads. You don't have to pay for the software, but the author's costs are covered and some company gets exposure too. "Spyware" is used a lot now, though that really refers to the programs that collect data about you and send it back to a home server of some sort. Malware is sort of a general term for anything bad or unwanted.

The problem isn't so much the program itself, but the installation methods. Some websites use code to automatically install the software. If you use a decent browser, you should be prompted about it. Others are included with good programs, and get installed because people just keep clicking OK without looking at what they're doing. I can honestly say I've *never* had one of these programs make it onto my computer, simply by paying attention to what programs are trying to install, and choosing the option to not install them. The program itself doesn't infect other files and try to spread to other PCs, and it does exactly what it's claiming to (show ads), so it really can't be considered a virus. When you start doing that, you get censorship based on whatever the guy writing it decides he doesn't like. That was an issue with the netfilters a while back. They would block out competitors' perfectly legitimate sites and ones that pointed out flaws in their own software and stuff like that.

Also, many people prefer Spybot Search & Destroy over Ad-Aware. http://security.kolla.de/  A while back, Lavasoft completely stopped working on v5.x to focus on v6. This meant no updates for a long time, which gave people a false sense of security. Also, the default install plus the standard "Check for updates" will find more malware in Spybot S&D than in Ad-Aware.

Ed Form

Re: Adware
« Reply #3 on: April 18, 2003, 03:53:37 AM »
In article <7ab427ff08c4dddbbbe70040c2fd4291.phorum-owner@e-smith.net>, invisibill@invisibill.net (Bill Talcott) wrote:

> The term adware has really lost its meaning. Adware itself is simply
> software supported by displaying ads. You don't have to pay for the
> software, but the author's costs are covered and some company gets
> exposure too. "Spyware" is used a lot now, though that really refers to the
> programs that collect data about you and send it back to a home server of some
> sort. Malware is sort of a general term for anything bad or unwanted.
>
>
> The problem isn't so much the program itself, but the installation
> methods. Some websites use code to automatically install the software. If you
> use a decent browser, you should be prompted about it.

Nobody but geeks use a decent browser. Get real. The world uses MSIE and that's what we have to deal with. The standard settings in IE are wide open to malicious and clandestine entry.

I removed 101 hostile objects including 15 registry entries from one of my client's workstations yesterday. When I went back this morning there were 15 more. After I removed them there was 1 more inside the hour.

> Others are included with good programs, and get installed because people just
> keep clicking OK without looking at what they're doing. I can honestly say
> I've *never* had one of these programs make it onto my computer, simply by paying
> attention to what programs are trying to install, and choosing the option to not
> install them. The program itself doesn't infect other files and try to
> spread to other PCs, and it does exactly what it's claiming to (show
> ads), so it really can't be considered a virus.

Yes it can. It is the direct equivalent of a virus spread to many people from a single infected carrier. The dissemination of these programs is invasion of privacy, deliberately intended to steal and make use of information private to the PC user, or to present to him things that he did not ask for and, in many cases, would *never* ask for. The *vast* majority of the adverts delivered by these programs are for porn. Some of them exceedingly graphic in nature. In the case of the client whose problem I have been dealing with, several of the adverts were for paedophile sites and contained very explicit pictures of things which are seriously illegal in this country and in every western nation. The UK police have a website specifically set up to allow these matters to be reported. The list of 'don't bother to report these, we know about them already' is huge!! Your next comment...

> When you start doing that, you get censorship based on whatever the guy
> writing it decides he doesn't like. That was an issue with the netfilters a
> while back. They would block out competitors' perfectly legitimate sites
> and ones that pointed out flaws in their own software and stuff like that.

...is almost astonishingly naive.

A colleague of mine visited an 85 year old lady about 10 days ago - he does general computer repairs, maintenance and setup. She asked him to call because she was being bombarded with appalling porn. He found that she had received 820 messages of this type in the previous 7 days. She now has a new email account and carefully installed Lavasoft Ad Aware to make sure the problem does not reoccur.

> Also, many people prefer Spybot Search & Destroy over Ad-Aware.
> http://security.kolla.de/  A while back, Lavasoft completely stopped
> working on v5.x to focus on v6. This meant no updates for a long
> time, which gave people a false sense of security. Also, the default
> install plus the standard "Check for updates" will find more malware
> in Spybot S&D than in Ad-Aware.

Ad Aware version 6 is now available and, in my newly-hardened opinion, should be legally required to be delivered pre-configured with every PC!!!!!

Ed Form

Tom Carroll

Re: Adware
« Reply #4 on: April 18, 2003, 06:38:41 AM »
Ed, sorry to hear about all the problems.  Where some of the problem lies is in pop-up ads.  There is a really nifty free pop-up killer.  You can grab it from here:

http://www.mathies.com/popthis/

I have been using it ever since I found spyware and malware on my system.  It performs flawlessly and you can disable pop-up protection for sites that bring up legitimate windows outside the browser.

Another thing that needs to be done once you clear out the spyware, which causes the pop-ups to appear, is to clear all cache and history.

Remember the pop-up ads that do appear are targeted - most likely because they see those sites have been visited by scanning the cache and the history files...

I am not implying anything about your clients - it could be a result of someone else using their computer/account.

Tom

Ed Form

Re: Adware
« Reply #5 on: April 18, 2003, 03:24:01 PM »
Tom Carroll wrote:

> Ed, sorry to hear about all the problems.  Where some of the
> problem lies is in pop-up ads.  There is a really nifty free
> pop-up killer.  You can grab it from here:
>
> http://www.mathies.com/popthis/

Thanks for that. I'm not sure it will be able to deal with the situation that I was seeing on my client's machine - windows were popping up when he was not browsing so a product that runs as a helper within IE may not deal with them.

> Another thing that needs to be done once you clear out the
> spyware, which causes the pop-ups to appear, is to clear all
> cache and history.

Noted, thanks.

> Remember the pop-up ads that do appear are targeted - most
> likely because they see those sites have been visited by
> scanning the cache and the history files...
>
> I am not implying anything about your clients - it could be a
> result of someone else using their computer/account.

My client's preferences are his own affair. ~(:oD) but they would not account for the email targeting of the old lady I mentioned in my last post. We know for certain that no one else had ever touched her machine and she would not have surfed the dark side.

Ed Form

Tom Carroll

Re: Adware
« Reply #6 on: April 18, 2003, 07:21:35 PM »
Ed Form wrote:
>
> > Remember the pop-up ads that do appear are targeted - most
> > likely because they see those sites have been visited by
> > scanning the cache and the history files...
> >
> > I am not implying anything about your clients - it could be a
> > result of someone else using their computer/account.
>
> My client's preferences are his own affair. ~(:oD) but they
> would not account for the email targeting of the old lady I
> mentioned in my last post. We know for certain that no one
> else had ever touched her machine and she would not have
> surfed the dark side.

Ah, yes, e-mail that is an entirely different story.  I thought you said there were pornographic pop-ups.  My bad.

Good luck with the e-mail problem.  I have gotten so mad at companies selling my information that I have started creating forwarded e-mail accounts for every business and web site I give my e-mail address to so I can find out who is selling my account information.  Once I get an e-mail from a spammer with that unique e-mail address I will publicly list the company as selling e-mail addresses.

Tom

Bill Talcott

Re: Adware
« Reply #7 on: April 18, 2003, 08:47:44 PM »
Ed Form wrote:
>
> Nobody but geeks use a decent browser. get real. The world
> uses MSIE and that's what we have to deal with. The standard
> settings in IE are wide open to malicious and clandestine
> entry.

If you buy a Yugo because it's the closest dealership, is it their fault when your car turns out to be a piece of junk? I'm sorry, but I don't have much sympathy for people who can get a perfectly good alternative but continue to use crappy software. It should be interesting when AOL drops IE and the marketshare completely reverses...

> I removed 101 hostile objects including 15 registry entries
> from one of my client's workstations yesterday. When I went
> back this morning there were 15 more. After I removed them
> there was 1 more inside the hour.

Perhaps you should fix the problems (tweak the security settings, install patches, etc.) instead of just trying to clean up the results. Even with IE and OE at work, I've never gotten any of this stuff. http://camtech2000.com/Pages/Restrictions.htm has an IE-policy editor. It's designed for restricting user access, but you can also have the user use it to make sure hostile pages don't change their settings and stuff.

> Yes it can. It is the direct equivalent of a virus spread to
> many people from a single infected carrier. The dissemination
> of these programs is invasion of privacy, deliberately
> intended to steal and make use of information private to the
> PC user, or to present to him things that he did not ask for
> and, in many cases, would *never* ask for. The *vast*
> majority of the adverts delivered by these programs are for
> porn. Some of them exceedingly graphic in nature. In the case
> of the client whose problem I have been dealing with, several
> of the adverts were for paedophile sites and contained very
> explicit pictures of things which are seriously illegal in
> this country and in every western nation. The UK police have a
> website specifically set up to allow these matters to be
> reported. The list of 'don't bother to report these, we know

I have seen very few actual "spy" programs. Most of them are simply annoying ads for some site. Just because a large number of people (myself included) wish it would cease to exist, doesn't mean that everyone does. It seems impossible, but there are people who like those things. If it's something illegal that's a totally different issue...

> Your next comment...
>
> > When you start doing that, you get censorship based on whatever the guy
> > writing it decides he doesn't like. That was an issue with the netfilters a
> > while back. They would block out competitors' perfectly legitimate sites
> > and ones that pointed out flaws in their own software and stuff like that.
>
> ...is almost astonishingly naive.

Sorry, I feel that I should be able to choose what I do and don't want to see. I don't want my decisions made by some guy in some random office somewhere. Even the biggest names have shown that they're biased...

> A colleague of mine visited an 85 year old lady about 10 days
> ago - he does general computer repairs, maintenance and
> setup. She asked him to call because she was being bombarded
> with appalling porn. He found that she had received 820
> messages of this type in the previous 7 days. She now has a
> new email account and carefully installed Lavasoft Ad Aware
> to make sure the problem does not reoccur.

My guess is that she used her email address on some form and didn't read the fine print to go along with it. I have an alias set up for my domain name registration that has never been used for anything else, and that's where a lot of my spam comes from, so I do know that there are people out there harvesting addresses and stuff. But for the most part, I find that the initial problem comes from people not paying attention to what they're doing.

> > Also, many people prefer Spybot Search & Destroy over Ad-Aware.
> > http://security.kolla.de/  A while back, Lavasoft completely stopped
> > working on v5.x to focus on v6. This meant no updates for a long
> > time, which gave people a false sense of security. Also, the default
> > install plus the standard "Check for updates" will find more malware
> > in Spybot S&D than in Ad-Aware.
>
> Ad Aware version 6 is now available and, in my newly-hardened
> opinion, should be legally required to be delivered
> pre-configured with every PC!!!!!

As I said, Spybot will catch more than Ad-Aware (even v6), and the author states openly that he's dedicated to the idea of free software, which is always a bonus. I believe it's updated more often too, which can be done from right in the program.

Also, yesterday's Lockergnome (http://www.lockergnome.com/issues/daily/20030417.html) has an article about using the moderation features of a Yahoo Group to allow you to receive only messages from real people, by forcing them to take action for you to receive the mail. http://www.schooner.com/~loverso/no-ads/ is the best web filter I've used yet. It uses Javascript and the browsers' dynamic proxying features to allow or "blackhole" requests based on the URL. For example, I can see "http://www.e-smith.org/forums/", but "http://www.e-smith.org/ads/" is blocked. It's quite rare that I even see a banner ad now. It works in email as well, stopping those annoying image spams.
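
The URL-based allow/"blackhole" filtering described in the post above, sketched as a minimal proxy auto-config (PAC) file. This is an added example, not part of the original post and not the no-ads project's own code; the blackhole address, host names and path patterns are constructed assumptions.

```javascript
// Added example: a minimal PAC file. The browser calls FindProxyForURL(url, host)
// for each request and uses the returned string to decide how to fetch it.

// Assumption: nothing listens on this local port, so "proxied" requests fail at once.
var BLACKHOLE = "PROXY 127.0.0.1:9";
var NORMAL = "DIRECT";

// Constructed sample rules (not taken from any real block list).
var ALLOW_HOSTS = ["intranet.example.org"];
var BLOCK_HOST_SUFFIXES = ["ads.example.net", "tracker.example.com"];
var BLOCK_PATH_PATTERNS = [/\/ads?\//i, /\/banners?\//i];

// True when host is the suffix itself or a subdomain of it. The explicit dot
// check keeps "notads.example.net" from matching "ads.example.net".
function hostMatchesSuffix(host, suffix) {
  host = host.toLowerCase();
  return host === suffix || host.slice(-(suffix.length + 1)) === "." + suffix;
}

// Path component of a URL, without query string or fragment.
function pathOf(url) {
  var m = /^[a-z][a-z0-9+.\-]*:\/\/[^\/?#]*([^?#]*)/i.exec(url);
  return m && m[1] ? m[1] : "/";
}

function FindProxyForURL(url, host) {
  var i;
  // Only web traffic is filtered; everything else goes out untouched.
  if (!/^https?:/i.test(url)) return NORMAL;

  // The allow list wins, so a trusted host is never broken by a path rule.
  for (i = 0; i < ALLOW_HOSTS.length; i++) {
    if (hostMatchesSuffix(host, ALLOW_HOSTS[i])) return NORMAL;
  }

  // Whole hosts that only serve ads.
  for (i = 0; i < BLOCK_HOST_SUFFIXES.length; i++) {
    if (hostMatchesSuffix(host, BLOCK_HOST_SUFFIXES[i])) return BLACKHOLE;
  }

  // Path rules let /forums/ through while /ads/ on the same host is dropped.
  // Many current browsers strip the path from https:// URLs before calling
  // the PAC function, so these rules fire reliably only for http://.
  var path = pathOf(url);
  for (i = 0; i < BLOCK_PATH_PATTERNS.length; i++) {
    if (BLOCK_PATH_PATTERNS[i].test(path)) return BLACKHOLE;
  }
  return NORMAL;
}
```

Because the decision is made from the URL before any connection is opened, a blocked request never reaches the ad server. The file can be distributed to every workstation through the browser's automatic proxy configuration setting.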

Ed Form

Re: Adware
« Reply #8 on: April 18, 2003, 10:17:10 PM »
Tom Carroll wrote:

> Ed Form wrote:
>
> > My client's preferences are his own affair. ~(:oD) but they
> > would not account for the email targeting of the old lady I
> > mentioned in my last post. We know for certain that no one
> > else had ever touched her machine and she would not have
> > surfed the dark side.
>
> Ah, yes, e-mail that is an entirely different story.  I
> thought you said there were pornographic pop-ups.  My bad.

I did speak of pop-ups but moved on from there to the whole business of unsolicited invasion. It's all part of a business that should not be allowed. If people want to advertise on the web they should buy space in the body of websites that people legitimately visit, not pop stuff onto people's machines without permission.

> Good luck with the e-mail problem.  I have gotten so mad at
> companies selling my information that I have started creating
> forwarded e-mail accounts for every business and web site I
> give my e-mail address to so I can find out who is selling my
> account information.  Once I get an e-mail from a spammer
> with that unique e-mail address I will publicly list the
> company as selling e-mail addresses.

Cool!

Ed Form

Ed Form

Re: Adware
« Reply #9 on: April 19, 2003, 12:11:04 AM »
Bill Talcott wrote:
>
> If you buy a Yugo because it's the closest dealership, is it
> their fault when your car turns out to be a piece of junk?
> I'm sorry, but I don't have much sympathy for people who can
> get a perfectly good alternative but continue to use crappy
> software. It should be interesting when AOL drops IE and the
> marketshare completely reverses...

For all their big user base AOL is an irrelevance in these matters. General use of IE swamps them and it isn't going to change anytime soon.

> > I removed 101 hostile objects including 15 registry entries
> > from one of my client's workstations yesterday. When I went
> > back this morning there were 15 more. After I removed them
> > there was 1 more inside the hour.
>
> Perhaps you should fix the problems (tweak the security
> settings, install patches, etc.) instead of just trying to
> clean up the results.

I have and the stuff still gets in but certain things that are wanted no longer can.

> Even with IE and OE at work, I've never gotten any of this stuff.

I actually find that difficult to believe. Perhaps you mean its ability to get in has never survived for long because you know what to do.

> http://camtech2000.com/Pages/Restrictions.htm has an
> IE-policy editor. It's designed for restricting user access,
> but you can also have the user use it to make sure hostile
> pages don't change their settings and stuff.

I'll take a look.
 
> Sorry, I feel that I should be able to choose what I do and
> don't want to see. I don't want my decisions made by some guy
> in some random office somewhere. Even the biggest names have
> shown that they're biased...

You're perfectly welcome to choose to do or see anything you want, but *YOU* should have to choose. It is not acceptable that I have to flounder around wondering how to unchoose what I didn't choose in the first place because some people want the right to choose it. You should have to open settings and remove blockware to allow you to see. I never even want to know the stuff exists at all. What others choose to do in dark corners is their affair. Opening the door and letting the innocent see without option is a crime.

> > A colleague of mine visited an 85 year old lady about 10 days
> > ago - he does general computer repairs, maintenance and
> > setup. She asked him to call because she was being bombarded
> > with appalling porn. He found that she had received 820
> > messages of this type in the previous 7 days. She now has a
> > new email account and carefully installed Lavasoft Ad Aware
> > to make sure the problem does not reoccur.
>
> My guess is that she used her email address on some form and
> didn't read the fine print to go along with it. I have an
> alias set up for my domain name registration that has never
> been used for anything else, and that's where a lot of my
> spam comes from, so I do know that there are people out there
> harvesting addresses and stuff. But for the most part, I find
> that the initial problem comes from people not paying
> attention to what they're doing.

So it's the poor old dear's fault that disgusting crapheads bombarded her with filth? I suppose you would also defend the right of the pushers in Las Vegas to thrust graphic leaflets advertising prostitution into the free hand of an old gentleman walking near the Bellagio Hotel while his other hand is holding his wife's? I saw that happen with my own eyes. What I have been dealing with these last few days is the same thing and your freedom should not require me or anyone else to live in a world as dirty as that.

Anyway this is off topic rather badly now. Sorry for the rant and thanks to all those who provided useful advice. The problem has now gone away.

Ed Form

Bill Talcott

Re: Adware
« Reply #10 on: April 19, 2003, 12:47:26 AM »
Ed Form wrote:
>
> > Perhaps you should fix the problems (tweak the security
> > settings, install patches, etc.) instead of just trying to
> > clean up the results.
>
> I have and the stuff still gets in but certain things that
> are wanted no longer can.



> > Even with IE and OE at work, I've never gotten any of this
> > stuff.
>
> I actually find that difficult to believe. Perhaps you mean
> its ability to get in has never survived for long because you
> know what to do.

I meant the unwanted programs. Obviously popups and stuff are a possibility on any site, as it's just HTML. The only thing Ad-Aware/Spybot have ever found on my work system are cookies, which I honestly don't care about. If I did, I could install CookieWall or change IE's settings.

> You're perfectly welcome to choose to do or see anything you
> want, but *YOU* should have to choose. It is not acceptable
> that I have to flounder around wondering how to unchoose what
> I didn't choose in the first place because some people want
> the right to choose it. You should have to open settings and
> remove blockware to allow you to see. I never even want to
> know the stuff exists at all. What others choose to do in dark
> corners is their affair. Opening the door and letting the
> innocent see without option is a crime.
>
> So it's the poor old dear's fault that disgusting crapheads
> bombarded her with filth? I suppose you would also defend the
> right of the pushers in Las Vegas to thrust graphic leaflets
> advertising prostitution into the free hand of an old
> gentleman walking near the Bellagio Hotel while his other
> hand is holding his wife's? I saw that happen with my own
> eyes. What I have been dealing with these last few days is the
> same thing and your freedom should not require me or anyone
> else to live in a world as dirty as that.

I do agree that nobody should be able to force anything onto you. Once their freedoms interfere with my freedoms, they should no longer have those "freedoms". However, you do have to be aware of what you're doing. "Well, I didn't read that part because I didn't think it would say that." is not a valid defense. If she agreed (which unfortunately is synonymous with "didn't disagree" in some places) to their terms, she can't complain about them. I do like the idea of enforced opt-in, especially with verifying that they really do want to opt-in. But at the same time, paying attention will keep you off most of those lists too. At this point, I honestly don't think there's much that can be done about spam.

Check out Habeas too. The more people get licenses for valid email (free for personal use), the more filters will support it and the better it will work for everyone.