Adware and Bad Things it Does

Published: December 16, 2004
Sandi Hardmeier

When I first started supporting users in the Internet Explorer newsgroups back in 1999 it was a very different world to what we see now. Back then, I spent virtually all of my time helping users resolve instability inherent to Internet Explorer itself, invariably caused by video driver problems, or a corrupt cache. Sadly, times have changed.

Nowadays, the newsgroups are full of people searching for help with home page hijackings, search engine hijackings, unwanted pop-up windows and other nasties. The types of software that cause these problems are numerous and varied.

The hardest thing about writing this article has been deciding what description to use – the most popular descriptions used to describe the bad stuff are "adware," "spyware," "malware," and "foistware." These descriptions are used interchangeably, often misused and often misunderstood.

Sandi's Definitions

A regular point of contention between anti-spyware commentators and those who distribute or write the software (and a point of confusion for the home user) is whether a particular piece of software should be labeled "adware" or "spyware." Debates can become quite heated, and lawsuits have even been triggered. I want to keep things as simple as possible so for much of this article I will use the catch-all term "malware." The following are the most common definitions as I understand them.

Adware is software that generates advertisements such as pop-up windows or hotlinks on Web pages that are not part of a page's code. Adware may add links to your favorites and your desktop. It will often change your home page and your search engine to sites that earn income from various advertisers. This income is dependent on, for example, how many people visit the adware site, or how many people click on the links or advertisements at the site. Ads are not bad by themselves but they become a problem when they are unauthorized. Unfortunately, many adware programs do not give users enough notice or control.

Spyware is software that collects and transmits user-specific behavior and information, with or without permission. Sometimes, permission to collect and transmit is assumed to have been given simply by the act of installing software or loading a Web page. In reality, few people read the EULAs (End User License Agreements) or Terms of Use/Service/Installation that are displayed during installation.

Like ads, data collection can be okay if done with consent or for a reasonable purpose. For example, software that transmits user-specific information for the legitimate purpose of confirming eligibility for updates or upgrades should not be classed as spyware. Programmers are entitled to ensure that their software is not being pirated, and that the users of pirated software are not receiving the same benefits as legitimate users.

Malware is software that damages your system, causes instability, or exhibits antisocial behavior such as changing settings or interfering with a computer's registry and security settings. Typical examples include computer viruses or worms.

Bundled Software (sometimes called Foistware) is software (often adware and/or spyware) that is included with a particular product, and without which the product will not operate, or which is compulsory according to a product's EULA.

How Times Have Changed

When Adware first appeared on our computers it was very simple, dare I say harmless, stuff. Often it would involve only a few files which could be deleted or disabled at will, with no ill-effect. Early Adware even appeared in Control Panel under Add or Remove Programs.

As Adware has matured it has become smarter. Historically, as fast as the clean-up experts have worked out how to fight malware, those behind it have fought back with new tricks.

Over time malware started polluting and changing our computers' registries, and using random file names that were harder to identify and remove.

Adware began exhibiting spyware and malware characteristics. Even if victims were able to remove hijackers, they were sometimes unable to change hijacked home pages or other settings to what they wanted because the relevant buttons had been grayed out (made unavailable). Entire sections sometimes disappeared completely from Internet Options when the hijackers began to take advantage of the pre-existing ability to lock down Internet Explorer.

Malware writers began to design their programs so that they would reinstall automatically if removed, sometimes using different file names. The malware started monitoring itself and even the computer registry for detrimental changes. Other antisocial behavior that has appeared includes: using super hidden files, registering malware processes as a Microsoft Windows Service, and changing a victim's security rights so that they are unable to remove the malware.

The Bad Side of Adware

Adware is now big business and there is a lot of money to be made. It must be said that advertising is not unique to the internet. After all, advertising has been around forever and provides an important community service if used appropriately and responsibly. But there are dangers inherent to Adware that we must all be aware of.

From a technical viewpoint, the most obvious problem caused by unauthorized programs is computer instability. Badly infected systems may operate very slowly, crash constantly, and sometimes will not start at all. To add insult to injury, the owners of such badly infected machines may face serious problems when trying to clean up their machines. Their attempts to use popular anti-spyware software may fail if the number of items that require removal is so great that the software cannot cope with the load. Sometimes when the hijacking software is removed the computer's ability to connect to the internet may be damaged.

There is also a privacy and security risk. Adware may exhibit spyware tendencies, reporting where you go on the internet, when and how often, what you enter into search engines, and what advertisements you respond to.

During a malware installation, the security settings in Internet Explorer may be changed to register untrustworthy sites as Trusted sites. The Trusted sites zone is reserved for Web sites that you trust not to damage your computer or data. Obviously, we do not want malware sites to be added in our Trusted sites zone, because they should not be trusted. Sites should not add themselves to any security zone without permission or interaction from us.

Adware may add itself to the pop-up blocker exception list in Windows XP Service Pack 2, or to the Windows Firewall exceptions. There are also reports of some malware using Trojan Horses such as HackerDefender to hide themselves from popular anti-spyware software.
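One way to check for the Trusted sites change described above is to export the Internet Settings registry branch and list every host mapped to zone 2. The following Python sketch is an added example, not part of the original article; the function names, the sample export, the `.example` host names and the approved list are all constructed for illustration.

```python
import re

TRUSTED = 2  # Internet Explorer zone number for "Trusted sites"
ZONEMAP = "\\Internet Settings\\ZoneMap\\Domains\\"
VALUE_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in .reg export format (not taken from a real machine).
# Version 5.00 exports are UTF-16; decode the file before passing its text in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet-portal.example]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ads-search.example\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.example]
"http"=dword:00000004
'''


def trusted_site_entries(export_text):
    """Return (host, protocol) pairs that the export maps to Trusted sites."""
    found, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # current registry key, any hive
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or ZONEMAP.lower() not in key.lower():
            continue
        if int(m.group(2), 16) != TRUSTED:
            continue
        # Keys are stored as Domains\<domain>\<subdomain>; rebuild the host name.
        tail = key[key.lower().index(ZONEMAP.lower()) + len(ZONEMAP):]
        found.append((".".join(reversed(tail.split("\\"))), m.group(1)))
    return found


def unexpected_trusted(export_text, approved):
    """Trusted-zone entries whose host is not on the approved list (assumed)."""
    approved = {h.lower() for h in approved}
    return [e for e in trusted_site_entries(export_text)
            if e[0].lower() not in approved]


if __name__ == "__main__":
    for host, proto in unexpected_trusted(SAMPLE_EXPORT, {"intranet-portal.example"}):
        print(f"Unexpected Trusted site: {host} (protocol {proto})")
```

Any entry reported here that the user did not add deliberately is a candidate for removal from the Trusted sites zone.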

As a mother of two teenage children, my concern goes deeper than the technical and security problems caused by adware and spyware. For example, I know of a certain young teenage girl who is a big Delta Goodrem fan. Using her parent's computer, and a search engine, she went searching for the lyrics to her favorite song. You would think that such an innocent activity would be safe, but alas no. The computer ended up badly infected with adware and some very unsavory, family unfriendly pop-ups started appearing to which no teenage girl should be exposed. The malware was extremely difficult to remove – in fact, in the end I had no choice but to reformat the infected computer – wipe everything out and install afresh.

1. Home page and search engine hijacking

When a user's preferred choice of home page or search engine is changed to an unknown site an unwary victim may be exposed to an increased risk of further malware or spyware infection. It is not unusual for malware sites to direct hijacked computers to other Web sites that download and install even more malware. There may also be an increased risk of exposure to unwanted or unsavory content such as gambling or adult links via advertisements or sponsored links.

2. Toolbars that appear out of nowhere

Often such toolbars are search engine based. Sometimes they cannot be turned off permanently and reappear on reboot, and sometimes they cannot be turned off at all. Sometimes, as part of their installation, they will disable other toolbars that may already be installed – for example, if a reputable toolbar such as GoogleBar, or AltaVista's toolbar, or Earthlink's toolbar is installed the hijacker will turn off those toolbars to remove competition.

Search results from hijacking toolbars may be restricted to only sites that pay for positioning, otherwise known as "sponsored" results.

It is important to understand the difference between sponsored results and standard search results. Standard search results are most often created by 'spidering.' Spidered pages earn a high ranking over time. Community popularity plays a big part when search engines determine the ranking of sites that appear in standard search results. Things such as number of hits to a site, or the number of other sites that link to the page, affect ranking. Sponsored links, on the other hand, are there simply because they have paid for the privilege.

3. Pop-up windows

Pop-up advertisements can be very intrusive. Sometimes they interfere with Web browsing by taking over the entire computer screen. They can be difficult or impossible to close. In bad cases, many windows will appear in rapid succession, making the computer virtually unusable.

Sometimes adware pop-ups are deliberately deceptive. I have seen examples where the "no" or "cancel" buttons are actually "yes" or "install" buttons. I have also heard of pop-up windows with fake Close buttons that when clicked trigger malware installations, much to the shock of their victims.

Pop-up windows can sometimes be explicit and family-unfriendly. They can also advertise what is commonly known as "BetrayWare" (a term coined, and encouraged, by MVP Jim Eshelman at his Web page). One example that I saw on my own computer while I was testing a sponsor program bundled with free software was an advertisement that trumpeted a warning that my computer is infected with spyware. I can reassure you that it is, and was, not! Sadly, far too many people are fooled by such BetrayWare advertisements.

Do not believe everything you read – the computer was NOT infected

Tip: An excellent site that discusses 'BetrayWare', also known as 'rogue' or 'suspect' anti-spyware products, in far more detail than is possible in this article, is Rogue/Suspect Anti-Spyware Products & Web Sites.

Ok, the Computer is Infected. Now What?

Thankfully we are not alone when we have been ensnared by the bad guys. Vibrant communities have appeared that are dedicated to helping users rid their machines of adware, spyware, malware, and foistware, and what is even better, much of this expert support is free.

Microsoft newsgroups

Newsgroups are a collection of ongoing discussions ("threads") that cover a particular topic and are available to anyone who has access to a news server and a news reader program or even just a Web browser. It is a lot like sending an e-mail message, except for the fact that anybody with access to the server can read your message.

They are great forums for sharing your own knowledge and experience, as well as seeing what others have to say. When using a newsgroup, you can either post a message in response to an ongoing conversation thread, or pose your own questions.

When you post a question, many thousands of people may read about your problem, and you are generally assured of getting an answer quickly. Where else can you ask a question at 3:00 A.M. and know that somebody somewhere will be reading of your dilemma in what is the middle of their day? But always remember, the regular advisers are volunteers who help out in the newsgroups in the spare time left to them after work and family commitments. Sometimes you may have to wait a day or so, especially during business hours, or at busy times such as after the release of a new program, upgrade or beta, or during holidays. Find out how to get news from newsgroups.

An excellent first port of call for adware or spyware problems is the Microsoft newsgroup 'microsoft.public.security' that is found on the server msnews.microsoft.com. You can access this newsgroup using Outlook Express or any other NNTP capable news reader, or you can access the newsgroup via Microsoft's Web-based Community interface or services such as Google.

Tip: A comprehensive list of Web-enabled Security newsgroups is available at IT Pro Community Security Newsgroups.

Non-Microsoft Web Communities

My personal favorite is AumHa Forums. It is run by MVP Jim Eshelman and frequented by several Microsoft MVPs and well-known, highly skilled anti-spyware specialists. Another excellent forum is SpywareInfo.

"Is there anything I can do before going to the forums?"

There are certainly time-tested procedures that you can work through before posting to a forum for specialized assistance. Over time I have put together a troubleshooting FAQ that may be of assistance.

Conclusion

It can be very frightening for the new user when they are faced with the task of removing spyware or adware. Sadly it can be difficult, even for experts, to get rid of some of the worst offenders.

Don't be fooled into downloading or purchasing BetrayWare. Ask an expert first. There are many trustworthy helpers out there who go above and beyond the call of duty to help the victims of computer hijackings.

Also, remember that Windows XP SP2 makes it much harder for the unsavory end of town to sneak software on to our machines. Everybody who has automatic update enabled on their XP machines should have been updated by now. If your system has not been updated to XP SP2 yet, I strongly recommend that you take steps to install this very important upgrade as soon as possible.