
Spyware, Adware and Malware - Advice for networks and network users
Published Date : 12 Aug 2004   Last Updated : 01 Jul 2014   Content Ref: TEC276510  





Symptoms

All references to Community Connect 3™ below apply equally to RM Smart-Tools 3.

You may experience the following if your computer is infected with Spyware, Adware or Malware:

  • Your Microsoft® Internet Explorer® Home Page has changed and you are unable to change it back.
  • An unexpected toolbar appears in Microsoft® Internet Explorer®.
  • New entries appear in your Microsoft® Internet Explorer® Favorites folder.
  • Your computer starts performing very slowly.
  • You experience a large number of unwanted pop-up windows.
  • CPU usage seems unusually high.
  • Every time you perform an Internet search, your browser is redirected to another Web site.
  • There is an unexpected program in the Add/Remove section of your Control Panel.
  • Your Internet auditing software logs access to Internet sites, which your users have not intentionally accessed.

Note that there may be other causes for some of these symptoms (network infrastructure issues, software misconfiguration, etc), and that some malware may generate other behaviour on your network. As such, do not take this for an exhaustive list of what to look for when diagnosing possible Spyware/Adware/Malware issues.



Cause

What is spyware?

Spyware is software that sits on a machine and gathers information, for example keystrokes, passwords, credit card numbers and Web sites visited. It then transmits this back to the instigator of the attack. Sometimes Spyware will arrive as a result of an outright attack, but it will often come as the payload of a Trojan, or bundled with other software which has been installed. Typical sources are free downloads such as peer-to-peer ('P2P') file sharing software, screensavers, wallpapers, small games and animated jokes (such as those presented in Macromedia® Flash®).

Spyware is also sometimes used as a generic description of all similar infections, in much the same way as Malware (see below).


What is adware?

Adware is software related to advertising. Some adware will bring up adverts when the user is browsing, while other adware will build up a profile of browsing habits in order to target advertising. It tends to be more of an irritant than a cause of actual damage to your system, but it is an unwanted presence nonetheless. In general, it has to be installed on your PC, so it tends to be bundled with other software in much the same way as Spyware.


What is malware?

Malware is short for 'malicious software'. It is sometimes used as a generic term for any software which can damage or attack computers (which could include viruses), but in this context it is used to describe software which is designed to damage your machine or perform an undesired action.

Typical examples include software which changes your browser's home page to another site (and may even prevent you changing it back), or so-called 'dialler' software. Diallers will alter a modem's connection script so that it dials a premium rate number rather than the usual ISP.


Associated problems

1.  Dirty Tricks

As alluded to previously, many of these infections rely upon being installed by the user, rather than using the more 'secret' techniques typical of other infections such as viruses. Because of this, two main techniques are used to trick users into installing them:

  • Pretending to be something else
    A popular technique is to spawn a browser 'pop up' window which looks like a Windows dialog box, and tries to persuade the user that it is a system message, hoping that they will click the faked "OK" or "Cancel" button and instigate a download.

    As shown in the example below, a very common technique is to play on users' fears about Spyware and pretend to be offering a piece of anti-Spyware software! Similarly, there are some less-reputable suppliers of "anti" Spyware software which either fake or add infections when you install their free download, but need you to pay for a full version before they can remove the 'infections'. How to educate users to avoid these is explained in the section 'Educating your users' below.

    Figure: Example of typical fake Windows dialog

  • 'Hiding' within other installations
    The other common technique is to install the Spyware along with other software which the user has intended to install. This 'bundling' is most frequently done with free software - the user instigates this installation, and the additional software is installed at the same time.

    Very frequently, the user will actually be told about the other software, but the information will be tucked away in the middle of the End User Licence Agreement (EULA) that installations always display. Unfortunately, most users are already in the habit of ignoring the text and just clicking "I Agree" in order to proceed with the installation, since EULAs will typically be lengthy tracts of dense legalese. This is another area covered in the 'Educating your users' section below.

2.  Definition

Part of the problem with the spread of such infections is that of definition. Software that is attempting to gather credit card numbers is clearly malicious, but there are less clear-cut cases. Some software which provides useful and desirable functionality, such as one of the many 'search toolbars' or 'desktop toolbars', may also be gathering information about your browsing habits. This exacerbates the problems, since users are less likely to consider the consequences of installing such software, and indeed may tend to take an attitude of "Well, there might be some tracking software added, but, hey, it's the price to pay for free stuff."

The security industry is currently working towards a formal definition of Spyware, so that issues may be more clearly delineated, and potential legal problems avoided. The broad definition which is emerging can be summarised as follows:

"Spyware is any software which is installed without the user's informed and explicit consent."

The key words here are those italicised, since these help counter the claims of Spyware/Adware source companies who say "Ah, but your user clicked 'I Agree'", when they know that very few people read the licence agreement.


What can you do?

1. Educating your users

Since most infections require the intervention of a user, educating them can help remove a large proportion of the potential issues. In an ideal world, you would be able to teach them all of the following points, but even if they can only remember one, it will still help reduce the exposure to these pieces of undesirable software. As further discussed below, it is users with higher levels of privilege who present the biggest threat, so target education at these users in particular.

  • Always close pop-up windows with the 'X' in the top-right corner
    Many of the 'faked' pop-up windows used to instigate Spyware infections will be set up so that no matter where a user clicks in the window (including any 'Cancel' or 'No' button), it will instigate a download. It is very good practice to train users to use the 'X' button at the far top-right of every window to close them, since this almost completely removes the likelihood of triggering an installation.

  • Get in the habit of reading EULAs
    As tedious as they are, it is important to read, or at least scan through the End User Licence Agreement (EULA) of any software installed, particularly free software. These will often give a clue to any additional software being installed. Pay particular attention to phrases such as "Third-party software", "Conditions of Use" or "Conditions of Installation". An example of a typical clause which would alert you to potential issues is:

    "[...] Consent to receive ads and use of information.
    By downloading, installing or using XXXXXXX, you agree to receive advertisements from YYYYYY's business partners and associates."

  • Be careful who you trust
    This is an important point, not only from the point of view of trusting the sources of software chosen for download, but in terms of any Anti-Spyware software installed. There are many so-called 'rogue' Anti-Spyware applications which will often make matters worse. These frequently falsely report issues or use aggressive/misleading marketing in order to persuade you to pay for full versions of their software.

    An overview of this issue can be found in this article http://www.pcmag.com/article2/0,1895,1838043,00.asp.

    An extensive and frequently updated list of rogue (and trustworthy) software is maintained here: http://www.spywarewarrior.com/rogue_anti-spyware.htm.

  • "If in doubt, don't!"
    If a user is at all unsure about whether or not they should download/install a piece of software, then they should at the least check with informed sources (school ICT staff, online search, reference sites) before proceeding, and if any doubt remains, then they should not proceed.

2. Ensuring your own habits are safe

You should follow all of the advice given above for users, with the addition of the following points which are more appropriate for those with Administrator, System Admin or Manager accounts:

  • Only use higher levels of privilege when they are needed
    If you are routinely logging on with an administrator-level account in order to check email, browse the Web or perform other 'routine' tasks, then you are the greatest risk to your network in terms of these infections. Because the user account has elevated levels of privilege, the potential for damage from Spyware etc. is far greater, since anything you download or install will be operating at the same level of access.

    You should create a standard user account for performing these tasks, and only log on as Administrator/System Admin/Manager when you have to carry out an administrative task. On a Community Connect 3 network, you also have the option of staying logged on as a standard user, right-clicking and using Run As... to perform many administrative tasks.

  • Only give out higher levels of privilege when they are needed
    Be sure that every user to whom you give higher levels of privilege (e.g. a Privileged User on Community Connect 3 or Manager account on RM SchoolShare™) genuinely needs it. Each extra user with increased access will raise your exposure to infections. If you do have to grant it, ensure that they are informed of all the advice given above, so that you can be confident that they are browsing safely.

    Similarly, only grant workstations on Community Connect 3 the level of access they genuinely require - a workstation with the 'No station security' setting is far more likely to be infected.

  • Check with trusted information sources for information
    Many Web sites exist which are full of information about the latest Spyware, Adware and Malware threats, and should be used if you are ever unsure of the provenance of some software, or need advice with preventing or removing infections. Some suggested sites are:
    http://www.sans.org/
    http://www.antispywarecoalition.org/
    http://www.spywareinfo.com/

  • Never browse the Web from a server
    You should not use a server or RM Store Box™ as a machine to routinely browse the Web from - the potential for damage from infections is far greater, since any software inadvertently added will affect the performance of the server, and therefore the whole network.


Procedure

If you believe your PC is infected with Spyware, Adware or Malware, then the following steps may help in removing them from your system:

Community Connect 3 and 4 networks:

  • Identify the cause of your problem and learn as much as you can about it. Try searching the Internet for the error message or symptoms that you have. It is very likely that someone else has had the same problem, and you might find information on resolving the issue.
  • If you are able to determine the name of the program or process that is running (through using the Microsoft® Windows® Task Manager, for example), then search against that name - if it is a known piece of Spyware then you are likely to find many pages with advice on how to remove it.
  • If it is a known trojan or virus program, look at the anti-virus databases of major anti-virus companies such as Symantec.
  • Spyware, adware or malware can reside in the computer's memory, file system, registry and the user's profile. If you have a workstation that is infected with Spyware, Adware or Malware, then the quickest method of removal is to:
    • Rebuild/restore the affected workstation.
    • Reset the profile of any user that has logged on to the affected workstation.
  • Many Web sites exist which are full of information about the latest Spyware, Adware and Malware threats, and should be used if you are ever unsure of the provenance of some software or need advice with preventing or removing infections. Some suggested sites are:
    http://www.sans.org/
    http://www.antispywarecoalition.org/
    http://www.spywareinfo.com/

  • Third-party programs, such as Microsoft® AntiSpyware, Lavasoft Ad-Aware® and Spybot Search & Destroy can sometimes help. (Please note that these third-party software applications are not supported by RM, so we are unable to give direct support or advice on their use.)

RM SchoolShare networks:

  • Identify the cause of your issue and learn as much as you can about it. Try searching the Internet for the error message or symptoms that you have. It is very likely that someone else has had the same issue, and you might find information on resolving it.
  • If you are able to determine the name of the program or process that is running (through using the Microsoft® Windows® Task Manager, for example), then search against that name - if it is a known piece of Spyware then you are likely to find many pages with advice on how to remove it.
  • If it is a known trojan or virus program, look at the anti-virus databases of major anti-virus companies such as Symantec.
  • Spyware, Adware or Malware can reside in the computer's memory, file system, registry and the user's profile. Sometimes the only way of removing Spyware, Adware or Malware is to run an RM Restor to reset the computer back to factory settings.
  • Third-party programs, such as Microsoft® AntiSpyware, Lavasoft Ad-Aware® and Spybot Search & Destroy can sometimes help. (Please note that these third-party software applications are not supported by RM, so we are unable to give direct support or advice on their use.)
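
The items the procedure above asks you to identify (running process names, Add/Remove Programs entries, the browser home page, toolbars and registry start-up entries) can be gathered in one read-only pass. The following is an added example, not RM's own tooling: it assumes Windows PowerShell 3.0 or later, and the registry paths are the standard Windows locations rather than anything taken from this article.

```powershell
# Read-only triage for the symptoms and locations described above; nothing is changed.
# The registry paths are standard Windows locations (assumed, not RM-specific).

function Get-RegistryValues {
    param([string]$Path)
    # Emit each named value under a key; emit nothing if the key does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Key = $Path; Name = $name; Value = $key.GetValue($name) }
    }
}

# 1. Home and search pages for the logged-on user (symptom: home page changed).
Get-RegistryValues 'HKCU:\Software\Microsoft\Internet Explorer\Main' |
    Where-Object { $_.Name -in 'Start Page', 'Search Page' } |
    Format-Table Name, Value -AutoSize

# 2. Programs that start at logon, machine-wide and for this user's profile.
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    ForEach-Object { Get-RegistryValues $_ } | Format-Table -AutoSize -Wrap

# 3. Internet Explorer toolbars, resolved from class ID to the DLL that implements them.
Get-RegistryValues 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' | ForEach-Object {
    $server = "HKLM:\SOFTWARE\Classes\CLSID\$($_.Name)\InprocServer32"
    $dll = if (Test-Path -LiteralPath $server) { (Get-Item -LiteralPath $server).GetValue('') }
    [pscustomobject]@{ ClassId = $_.Name; Module = $dll }
} | Format-Table -AutoSize -Wrap

# 4. Add/Remove Programs entries, most recently installed first where a date is recorded.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object InstallDate -Descending |
    Select-Object DisplayName, Publisher, InstallDate -First 25 |
    Format-Table -AutoSize -Wrap

# 5. Running processes with file path and vendor: the names to search for.
#    Processes with no vendor recorded sort to the top of the list; processes the
#    current account cannot inspect have no Path and are skipped.
Get-Process | Where-Object { $_.Path } |
    Select-Object Name, Id, Company, Path |
    Sort-Object Company, Name | Format-Table -AutoSize -Wrap
```

The per-user sections (1 and the HKCU keys) reflect the profile of whoever runs the script, so run it as the affected user; comparing the output with that of a freshly rebuilt workstation makes unexpected entries stand out.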


More Information

Please note: RM currently makes no recommendations for Spyware, Adware or Malware alerting or removal tools.



Other Useful Articles

Spyware, Adware and Malware - Advice for non-networked PCs (TEC598493)




Document Keywords: malicious, security, virus, trojan, monitor, hidden, secret, cookies, dialler, premium rate, key logger, keystroke logger, browser hijackers, data mining, spysweeper, prevent, stop, issue, trouble

