Linux malware
From Wikipedia, the free encyclopedia
Linux malware includes viruses, trojans, worms and other types of malware that affect the
Linux operating system. Linux, Unix and other Unix-like computer operating systems are
generally regarded as very well-protected — but not immune — from computer viruses.
According to advocates like Scott Granneman, Linux provides better protection compared to
Microsoft Windows.[1]
There has not yet been a widespread Linux malware threat of the type that Microsoft Windows
software faces; this is commonly attributed to the malware's lack of root access and fast updates
to most Linux vulnerabilities.[2] These are the equivalents of User Account Control and Windows
Update in modern Windows operating systems.
The number of malicious programs — including viruses, Trojans, and other threats —
specifically written for Linux has been on the increase in recent years and more than doubled
during 2005 from 422 to 863.[3]
Contents
1 Linux vulnerability
   1.1 Viruses and trojan horses
   1.2 Worms and targeted attacks
   1.3 WWW scripts
   1.4 Buffer overruns
   1.5 Cross-platform viruses
   1.6 Social engineering
2 Anti-virus applications
3 Threats
   3.1 Trojans
   3.2 Viruses
   3.3 Worms
4 See also
5 References
6 External links
Linux vulnerability
Like Unix systems, Linux implements a multi-user environment where users are granted specific
privileges and there is some form of access control implemented. To gain control over a Linux
system or cause any serious consequence to the system itself, the malware would have to gain
root access to the system.[2] Shane Coursen, a senior technical consultant with Kaspersky Lab,
claims, "The growth in Linux malware is simply due to its increasing popularity, particularly as a
desktop operating system ... The use of an operating system is directly correlated to the interest
by the malware writers to develop malware for that OS."[3]
However, this view is not universal. Rick Moen, an experienced Linux system administrator,
says "[That argument] ignores Unix's dominance in a number of non-desktop specialties,
including Web servers and scientific workstations. A virus/trojan/worm author who successfully
targeted specifically Apache httpd Linux/x86 Web servers would both have an extremely target-rich
environment and instantly earn lasting fame, and yet it doesn't happen."[4]
Some Linux users run Linux-based anti-virus software to scan insecure documents and email
which comes from or is going to Windows users. SecurityFocus's Scott Granneman stated:
"...some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance,
may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel,
that contain and propagate viruses. Linux mail servers should run AV software in order to
neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express
users."[1]
The total number of known viruses has passed the one million mark.[5] If the roughly 4% Linux adoption
were proportional to the amount of malware written for this system, we would expect to see at least
several thousand viruses and worms. That expected count may be near an order of magnitude more than
what is actually observed. Hence minority market share may not be the only factor contributing to Linux security.
Because they are predominantly used on mail servers which may send mail to computers running
other operating systems, Linux virus scanners generally use definitions for, and scan for, all
known viruses for all computer platforms. For example, the open-source ClamAV "Detects ...
viruses, worms and trojans, including Microsoft Office macro viruses, mobile malware, and
other threats."[6]
Viruses and trojan horses
The viruses listed below pose a potential, although minimal, threat to Linux systems. If an
infected binary containing one of the viruses were run, the system would be infected. The
infection level would depend on which user with what privileges ran the binary. A binary run
under the root account would be able to infect the entire system. Privilege escalation
vulnerabilities may permit malware running under a limited account to infect the entire system.
It is worth noting that this is true for any malicious program that is run without special steps
taken to limit its privileges. It is trivial to add a code snippet to any program that a user may
download and let this additional code download a modified login server, an open mail relay or
similar and make this additional component run any time the user logs in. No special malware
writing skills are needed for this. Special skill may be needed for tricking the user to run the
(trojan) program in the first place.
The use of software repositories significantly reduces the threat of installing malware, as the
software repositories are checked by maintainers, who try to ensure that their repository is
malware-free. Subsequently, to ensure safe distribution of the software, MD5 checksums are
made available. These make it possible to reveal modified versions that may have been
introduced by e.g. hijacking of communications using a man-in-the-middle attack or via a
redirection attack such as ARP or DNS poisoning. Careful use of these checksums and digital signatures
provides an additional line of defense, which limits the scope of attacks to include only the
original authors, package and release maintainers and possibly others with suitable
administrative access, depending on how the keys and checksums are handled.
Vulnerability to trojan horses and viruses results from users being willing to run code from
sources that should not be trusted, and to some extent from distributions not checking, by
default, the authenticity of software downloaded while a system is the target of an attack.
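As an added example (not code from the Wikipedia article or from any distribution's own tooling), the following Go program shows the two checks the paragraph above describes: recomputing a package's MD5 against an md5sum-style checksum list, and verifying a signature over that list so that a list rewritten to match a tampered file is rejected as well. The package bytes, the checksum list and the Ed25519 release key are all constructed for this example; real repositories sign with OpenPGP keys rather than a bare Ed25519 key.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample package; not a real distribution artifact.
const packageName = "hello-1.0.tar.gz"
var packageBytes = []byte("#!/bin/sh\necho 'hello from package 1.0'\n")

// parseChecksums reads an md5sum-style list ("<32 hex digits>  <filename>" per
// line) into a filename -> lowercase digest map, rejecting malformed lines.
func parseChecksums(list string) (map[string]string, error) {
	sums := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(list))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != md5.Size*2 {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		sums[fields[1]] = strings.ToLower(fields[0])
	}
	return sums, sc.Err()
}

// verifyFile recomputes the MD5 of data and compares it with the published entry.
// A mismatch means the bytes received are not the bytes the maintainer hashed.
func verifyFile(sums map[string]string, name string, data []byte) error {
	want, ok := sums[name]
	if !ok {
		return fmt.Errorf("%s: no checksum published", name)
	}
	got := md5.Sum(data)
	if hex.EncodeToString(got[:]) != want {
		return fmt.Errorf("%s: checksum mismatch, file was modified", name)
	}
	return nil
}

// verifyRelease checks the signature on the checksum list before trusting any
// digest in it; an attacker who swaps the file cannot re-sign a swapped list.
func verifyRelease(pub ed25519.PublicKey, list string, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pub, []byte(list), sig) {
		return errors.New("checksum list rejected: not signed by the release key")
	}
	sums, err := parseChecksums(list)
	if err != nil {
		return err
	}
	return verifyFile(sums, name, data)
}

// publish is the maintainer side: build the checksum list and sign it.
func publish(priv ed25519.PrivateKey, name string, data []byte) (list string, sig []byte) {
	sum := md5.Sum(data)
	list = fmt.Sprintf("%s  %s\n", hex.EncodeToString(sum[:]), name)
	return list, ed25519.Sign(priv, []byte(list))
}

// scenarios runs the cases the text describes and returns each verdict: an
// untouched download, a file altered in transit, a rewritten checksum list
// checked without any signature, and the same rewritten list checked with one.
func scenarios() (untouched, altered, forgedUnsigned, forgedSigned error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	list, sig := publish(priv, packageName, packageBytes)
	untouched = verifyRelease(pub, list, sig, packageName, packageBytes)
	// Constructed tampering: a line appended somewhere between mirror and client.
	modified := append(append([]byte{}, packageBytes...), "# appended in transit\n"...)
	altered = verifyRelease(pub, list, sig, packageName, modified)
	// The attacker also serves a checksum list that matches the modified file.
	sum := md5.Sum(modified)
	forged := fmt.Sprintf("%s  %s\n", hex.EncodeToString(sum[:]), packageName)
	forgedSums, _ := parseChecksums(forged)
	forgedUnsigned = verifyFile(forgedSums, packageName, modified)           // fooled
	forgedSigned = verifyRelease(pub, forged, sig, packageName, modified) // caught
	return
}

func main() {
	u, a, fu, fs := scenarios()
	fmt.Println("untouched download:", u)
	fmt.Println("file altered in transit:", a)
	fmt.Println("rewritten checksum list, no signature check:", fu)
	fmt.Println("rewritten checksum list, signature checked:", fs)
}
```

MD5 appears here because the text names it; it is collision-broken, and current distribution repositories publish SHA-256 lists instead. Even a signed list only narrows tampering to whoever holds the signing key, which is the point the paragraph makes about key handling.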
Worms and targeted attacks
The classical threat to Unix-like systems is vulnerabilities in network daemons, such as SSH and
WWW servers. These can be used by worms or for attacks against specific targets. As servers are
patched quite quickly when a vulnerability is found, there have been only a few widespread
worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly
known, there is no guarantee that a given installation is secure. Also, servers without such
vulnerabilities can be successfully attacked through weak passwords.
WWW scripts
Linux servers may also be used by malware without any attack against the system itself, where
e.g. WWW content and scripts are insufficiently restricted or checked and are used by malware to
attack visitors. Typically a CGI script (meant for leaving comments) by mistake allows the inclusion
of code exploiting vulnerabilities in the browser.
Buffer overruns
Older Linux distributions were relatively susceptible to buffer overrun attacks: if the program did
not check the size of its buffers itself, the kernel provided only limited protection, allowing
an attacker to execute arbitrary code with the rights of the vulnerable application under attack.
Programs that gain root access even when launched by a non-root user (via the setuid bit) were
particularly attractive targets. However, as of 2009 most kernels include address space layout
randomization, enhanced memory protection and other extensions that make such attacks much
more difficult to arrange.
Cross-platform viruses
A new area of concern identified in 2007 is that of cross-platform viruses, driven by the
popularity of cross-platform applications. This was brought to the forefront of malware
awareness by the distribution of an OpenOffice.org virus called Bad Bunny.
Stuart Smith of Symantec wrote the following:
"What makes this virus worth mentioning is that it illustrates how easily scripting platforms,
extensibility, plug-ins, ActiveX, etc, can be abused. All too often, this is forgotten in the pursuit
to match features with another vendor... [T]he ability for malware to survive in a cross-platform,
cross-application environment has particular relevance as more and more malware is pushed out
via Web sites. How long until someone uses something like this to drop a JavaScript infector on
a Web server, regardless of platform?"[7]
Social engineering
Linux is as vulnerable to malware that tricks the user into installing it through social engineering
as other operating systems. In December 2009 a malicious waterfall screensaver was discovered
that contained a script that used the infected Linux PC in denial-of-service attacks.[8]
Anti-virus applications
(Image: The ClamTk GUI for ClamAV running a scan on Ubuntu 8.04 Hardy Heron)
There are a number of anti-virus applications available for Linux, most of which are designed for
servers, including:
Avast! (freeware and commercial versions)
AVG (freeware and commercial versions)
Avira (freeware and commercial)
Bitdefender (freeware and commercial versions)
ClamAV (free open source software)
Dr.Web (commercial versions)[9]
Eset (commercial versions)[10][11][12]
F-Secure Linux (commercial)
Kaspersky Linux Security (commercial)[13]
Linux Malware Detect (free open source software)
McAfee VirusScan Enterprise for Linux (commercial)[14]
Panda Security for Linux (commercial version)[15]
Root Kit Hunter[16]
Sophos (commercial)
Symantec AntiVirus for Linux (commercial)[17]
Trend Micro ServerProtect for Linux (commercial)
Threats
The following is a partial list of known Linux malware; however, few if any are in the wild, and
most have been made obsolete by updates. Known malware is not the only or even the most
important threat: new malware or attacks directed at specific sites can use vulnerabilities not
previously known to the community or not previously used by malware.
Trojans
Kaiten - Linux.Backdoor.Kaiten trojan horse[18]
Rexob - Linux.Backdoor.Rexob trojan[19]
Waterfall screensaver backdoor - on gnome-look.org[20]
Viruses
42[21][22]
Arches[23]
Alaeda - Virus.Linux.Alaeda[24]
Bad Bunny - Perl.Badbunny[7][25]
Binom - Linux/Binom[26]
Bliss - requires root privileges
Brundle[27]
Bukowski[28]
Caveat[29][30]
Coin[31][32]
Diesel - Virus.Linux.Diesel.962[33]
Hasher[34][35]
Kagob a - Virus.Linux.Kagob.a[36]
Kagob b - Virus.Linux.Kagob.b[37]
Lacrimae (aka Crimea)[38][39]
MetaPHOR (also known as Simile)[40]
Nuxbee - Virus.Linux.Nuxbee.1403[41]
OSF.8759
PiLoT[42][43]
Podloso - Linux.Podloso (The iPod virus)[44][45]
RELx[46]
Rike - Virus.Linux.Rike.1627[47]
RST - Virus.Linux.RST.a[48] (known for infecting the Korean release of Mozilla Suite 1.7.6 and Thunderbird 1.0.2 in September 2005[49])
Satyr - Virus.Linux.Satyr.a[50]
Staog - made obsolete by updates
Vit - Virus.Linux.Vit.4096[51]
Winter - Virus.Linux.Winter.341[52]
Winux (also known as Lindose and PEElf)[53]
Wit virus[54]
ZipWorm - Virus.Linux.ZipWorm[55]
Worms
Adm - Net-Worm.Linux.Adm[56]
Adore[57]
Cheese - Net-Worm.Linux.Cheese[58]
Devnull
Kork[59]
Linux/Lion
Linux/Lupper.worm[60]
Mighty - Net-Worm.Linux.Mighty[61]
Millen - Linux.Millen.Worm[62]
Ramen worm - targeted versions 6.2 and 7.0 of the Red Hat Linux distribution only
Slapper[63]
SSH Bruteforce[64]
Hacker (computer security)
From Wikipedia, the free encyclopedia
In common usage, a hacker is a person who breaks into computers and computer networks,
either for profit or motivated by the challenge.[1] The subculture that has evolved around hackers
is often referred to as the computer underground but is now an open community.[2]
Other uses of the word hacker exist that are not related to computer security (computer
programmers and home computer hobbyists), but these are rarely used by the mainstream media
because of the stereotype common in TV and movies. Before the media described the
person who breaks into computers as a hacker, there was already a hacker community: a
community of people with a strong interest in computer programming, who often shared, without
restriction, the source code for the software they wrote. These people now refer to the cybercriminal hackers as "crackers", a term which has not been picked up by the media or the general
public.[3]
Contents
1 History
2 Artifacts and customs
   2.1 Hacker groups and conventions
3 Hacker attitudes
   3.1 White hat
   3.2 Grey hat
   3.3 Black hat
   3.4 Elite (also known as 1337 or 31337 in 1337 speak)
   3.5 Script kiddie
   3.6 Neophyte
   3.7 Blue hat
   3.8 Hacktivism
4 Common methods
   4.1 Security exploit
   4.2 Vulnerability scanner
   4.3 Password cracking
   4.4 Packet sniffer
   4.5 Spoofing attack
   4.6 Rootkit
   4.7 Social engineering
   4.8 Trojan horse
   4.9 Virus
   4.10 Worm
   4.11 Key loggers
5 Notable intruders and criminal hackers
6 Notable Security Hackers
   6.1 Kevin Mitnick
   6.2 Eric Corley
   6.3 Fyodor
   6.4 Solar Designer
   6.5 Michał Zalewski
   6.6 Gary McKinnon
7 Hacking and the media
   7.1 Hacker magazines
   7.2 Hackers in fiction
   7.3 Non-fiction books
   7.4 Fiction books
8 See also
9 References
10 Related literature
11 External links
History
Main article: Timeline of hacker history
In today's society, understanding the term hacker is complicated because it has many different
definitions. The term hacker can be traced back to MIT (Massachusetts Institute of Technology).
MIT was the first institution to offer a course in computer programming and computer science,
and it was there in 1960 that a group of MIT students taking a lab on artificial intelligence first
coined this word. These students called themselves hackers because they were able to take
programs and have them perform actions not intended for that program. “The term was
developed on the basis of a practical joke and feeling of excitement because the team member
would ‘hack away’ at the keyboard hours at a time.” (Moore R., 2006).[4]
Hacking developed alongside "phone phreaking", a term referring to exploration of the phone
network without authorization, and there has often been overlap in both technology and
participants. The first recorded hack was accomplished by "Joe Engressia", also known as The
Whistler. Engressia is known as the grandfather of phreaking. His hacking technique was that he
could perfectly whistle a tone into a phone and make free calls.[5] Bruce Sterling traces part of the
roots of the computer underground to the Yippies, a 1960s counterculture movement which
published the Technological Assistance Program (TAP) newsletter.[6] Other sources of early
1970s hacker culture can be traced to more beneficial forms of hacking, including the MIT labs
and the Homebrew Computer Club, which later resulted in such things as early personal computers and the
open source movement.
Artifacts and customs
The computer underground[1] is heavily dependent on technology. It has produced its own slang
and various forms of unusual alphabet use, for example 1337speak. Writing programs and
performing other activities in support of political or social views is referred to as hacktivism. Some go as far as
seeing illegal cracking as ethically justified for this goal; a common form is website defacement.
The computer underground is frequently compared to the Wild West.[7] It is common among
hackers to use aliases for the purpose of concealing identity, rather than revealing their real
names.
Hacker groups and conventions
Main articles: Hacker conference and Hacker group
The computer underground is supported by regular real-world gatherings called hacker
conventions or "hacker cons". These draw many people every year, including SummerCon
(summer), DEF CON, HoHoCon (Christmas), ShmooCon (February), Black Hat, Hacker Halted,
and H.O.P.E.[citation needed] In the early 1980s hacker groups became popular. Hacker groups
provided access to information and resources, and a place to learn from other members. Hackers
could also gain credibility by being affiliated with an elite group.[8]
Hacker attitudes
Several subgroups of the computer underground with different attitudes and aims use different
terms to demarcate themselves from each other, or try to exclude some specific group with which
they do not agree. Eric S. Raymond (author of The New Hacker's Dictionary) advocates that
members of the computer underground should be called crackers. Yet those people see
themselves as hackers and even try to include the views of Raymond in what they see as one
wider hacker culture, a view harshly rejected by Raymond himself. Instead of a hacker/cracker
dichotomy, they give more emphasis to a spectrum of different categories, such as white hat,
grey hat, black hat and script kiddie. In contrast to Raymond, they usually reserve the term
cracker. According to Clifford (2006), a cracker or cracking is to "gain unauthorized access
to a computer in order to commit another crime such as destroying information contained in that
system".[9] These subgroups may also be defined by the legal status of their activities.[10]
White hat
Main article: White hat
A white hat hacker breaks security for non-malicious reasons, for instance testing their own
security system. This classification also includes individuals who perform penetration tests and
vulnerability assessments within a contractual agreement. Often, this type of 'white hat' hacker is
called an ethical hacker. The International Council of Electronic Commerce Consultants, also
known as the EC-Council has developed certifications, courseware, classes, and online training
covering the diverse arena of Ethical Hacking.[10]
Grey hat
Main article: Grey hat
A grey hat hacker is a combination of a black hat hacker and a white hat hacker. A grey hat
hacker may surf the Internet and hack into a computer system for the sole purpose of notifying
the administrator that their system has been hacked, for example. They may then offer to repair
the system for a small fee.[4]
Black hat
Main article: Black hat
A black hat hacker, sometimes called "cracker," is someone who breaks computer security
without authorization or uses technology (usually a computer, phone system or network) for
malicious reasons such as vandalism, credit card fraud, identity theft, piracy, or other types of
illegal activity.[10][11]
Elite (also known as 1337 or 31337 in 1337 speak)
Main article: Elite
Elite is a term used to describe the most advanced hackers, who are said to be on "the cutting
edge" of computing and network technology. These would be individuals in the earliest 2.5
percentile of the technology adoption lifecycle curve, referred to as "innovators." As opposed to
script kiddies and noobs, who utilize and exploit weaknesses in systems discovered by others,
elites are those who bring about the initial discovery.
Script kiddie
Main article: Script kiddie
A script kiddie is a non-expert who breaks into computer systems by using pre-packaged
automated tools written by others, usually with little understanding of the underlying concept—
hence the term script (i.e. a prearranged plan or set of activities) kiddie (i.e. kid, child—an
individual lacking knowledge and experience, immature).[11]
Neophyte
Main article: Noob
A neophyte or "newbie" is someone who is new to hacking or phreaking
and has almost no knowledge or experience of the workings of technology and hacking.[4]
Blue hat
Main article: Blue hat
A blue hat hacker is someone outside computer security consulting firms who is used to bug-test
a system prior to its launch, looking for exploits so they can be closed. Microsoft also uses the
term BlueHat to represent a series of security briefing events.[12][13][14]
Hacktivism
Main article: Hacktivism
A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or
political message. In general, most hacktivism involves website defacement or denial-of-service
attacks. In more extreme cases, hacktivism is used as a tool for cyberterrorism.
Common methods
Main article: Computer insecurity
A typical approach in an attack on an Internet-connected system is:
1. Network enumeration: discovering information about the intended target.
2. Vulnerability analysis: identifying potential ways of attack.
3. Exploitation: attempting to compromise the system by employing the vulnerabilities
found through the vulnerability analysis.[15]
In order to do so, there are several recurring tools of the trade and techniques used by computer
criminals and security experts.
Security exploit
Main article: Exploit (computer security)
A security exploit is a prepared application that takes advantage of a known weakness. Common
examples of security exploits are SQL injection, cross-site scripting and cross-site request
forgery, which abuse security holes that may result from substandard programming practice.
Other exploits target services such as FTP, HTTP, PHP, SSH and Telnet, and some web pages; these are very common in website/domain hacking.
Vulnerability scanner
Main article: Vulnerability scanner
A vulnerability scanner is a tool used to quickly check computers on a network for known
weaknesses. Hackers also commonly use port scanners. These check to see which ports on a
specified computer are "open" or available to access the computer, and sometimes will detect
what program or service is listening on that port, and its version number. (Note that firewalls
defend computers from intruders by limiting access to ports/machines both inbound and
outbound, but can still be circumvented.)
Password cracking
Main article: Password cracking
Password cracking is the process of recovering passwords from data that has been stored in or
transmitted by a computer system. A common approach is to repeatedly try guesses for the
password.
Packet sniffer
Main article: Packet sniffer
A packet sniffer is an application that captures data packets, which can be used to capture
passwords and other data in transit over the network.
Spoofing attack
Main article: Spoofing attack
A spoofing attack involves one program, system, or website successfully masquerading as
another by falsifying data and thereby being treated as a trusted system by a user or another
program. The purpose of this is usually to fool programs, systems, or users into revealing
confidential information, such as user names and passwords, to the attacker.
Rootkit
Main article: Rootkit
A rootkit is designed to conceal the compromise of a computer's security, and can represent any
of a set of programs which work to subvert control of an operating system from its legitimate
operators. Usually, a rootkit will obscure its installation and attempt to prevent its removal
through a subversion of standard system security. Rootkits may include replacements for system
binaries so that it becomes impossible for the legitimate user to detect the presence of the
intruder on the system by looking at process tables.
Social engineering
Main article: Social engineering (computer security)
Social engineering is the art of getting people to reveal sensitive information about a system.
This is usually done by impersonating someone or by convincing people that you have
permission to obtain such information.
Trojan horse
Main article: Trojan horse (computing)
A Trojan horse is a program which seems to be doing one thing, but is actually doing another. A
trojan horse can be used to set up a back door in a computer system such that the intruder can
gain access later. (The name refers to the horse from the Trojan War, with conceptually similar
function of deceiving defenders into bringing an intruder inside.)
Virus
Main article: Computer virus
A virus is a self-replicating program that spreads by inserting copies of itself into other
executable code or documents. Therefore, a computer virus behaves in a way similar to a
biological virus, which spreads by inserting itself into living cells.
While some are harmless or mere hoaxes, most computer viruses are considered malicious.
Worm
Main article: Computer worm
Like a virus, a worm is also a self-replicating program. A worm differs from a virus in that it
propagates through computer networks without user intervention. Unlike a virus, it does not need
to attach itself to an existing program. Many people conflate the terms "virus" and "worm", using
them both to describe any self-propagating program.
Key loggers
Main article: Keystroke logging
A keylogger is a tool designed to record ('log') every keystroke on an affected machine for later
retrieval. Its purpose is usually to allow the user of this tool to gain access to confidential
information typed on the affected machine, such as a user's password or other private data. Some
key loggers use virus-, trojan- and rootkit-like methods to remain active and hidden. However,
some key loggers are used in legitimate ways and sometimes even to enhance computer security.
As an example, a business might have a key logger on a computer that was used as a point-of-sale
terminal, and the data collected by the key logger could be used for catching employee fraud.
Notable intruders and criminal hackers
Main article: List of convicted computer criminals
Notable Security Hackers
Main article: List of hackers
Kevin Mitnick
Main article: Kevin Mitnick
Kevin Mitnick is a computer security consultant and author, formerly the most wanted computer
criminal in United States history.[16]
Eric Corley
Main article: Eric Gordon Corley
Eric Corley (also known as Emmanuel Goldstein) is the long-standing publisher of 2600: The
Hacker Quarterly. He is also the founder of the H.O.P.E. conferences. He has been part of the
hacker community since the late '70s.
Fyodor
Main article: Gordon Lyon
Gordon Lyon, known by the handle Fyodor, authored the Nmap Security Scanner as well as
many network security books and web sites. He is a founding member of the Honeynet Project
and Vice President of Computer Professionals for Social Responsibility.
Solar Designer
Main article: Solar Designer
Solar Designer is the pseudonym of the founder of the Openwall Project.
Michał Zalewski
Main article: Michal Zalewski
Michał Zalewski (lcamtuf) is a prominent security researcher.
Gary McKinnon
Main article: Gary McKinnon
Gary McKinnon is a British hacker facing extradition to the United States to face charges of
perpetrating what has been described as the "biggest military computer hack of all time".[17]
Hacking and the media
Hacker magazines
Main category: Hacker magazines
The most notable hacker-oriented magazine publications are Phrack, Hakin9 and 2600: The
Hacker Quarterly. While the information contained in hacker magazines and ezines was often
outdated, they improved the reputations of those who contributed by documenting their
successes.[8]
Hackers in fiction
See also: List of fictional hackers
Hackers often show an interest in fictional cyberpunk and cyberculture literature and movies.
Absorption of fictional pseudonyms, symbols, values, and metaphors from these fictional works
is very common.[citation needed]
Books portraying hackers:
The cyberpunk novels of William Gibson — especially the Sprawl Trilogy — are very
popular with hackers.[18]
Merlin, the protagonist of the second series in The Chronicles of Amber by Roger
Zelazny, is a young immortal hacker-mage prince who has the ability to traverse
shadow dimensions.
Hackers (short stories)
Snow Crash
Helba from the .hack manga and anime series
Little Brother by Cory Doctorow
Rice Tea by Julien McArdle
Lisbeth Salander in Men Who Hate Women by Stieg Larsson
Films also portray hackers:
Cypher
Tron
WarGames
The Matrix series
Hackers
Swordfish
Pirates of Silicon Valley (related to hackers like Steve Jobs, not crackers)
The Net
The Net 2.0
Antitrust
Enemy of the State
Sneakers
Untraceable
Firewall
Die Hard 4: Live Free or Die Hard
Eagle Eye
Take Down
Weird Science
Non-fiction books
Hacking: The Art of Exploitation, Second Edition by Jon Erickson
The Hacker Crackdown
The Art of Intrusion by Kevin D. Mitnick
The Art of Deception by Kevin D. Mitnick
Takedown
The Hacker's Handbook
The Cuckoo's Egg by Clifford Stoll
Underground by Suelette Dreyfus
Fiction books
Ender's Game
Neuromancer
Evil Genius
Spam (electronic)
From Wikipedia, the free encyclopedia
(Image: An email box folder littered with spam messages.)
Spam is the use of electronic messaging systems (including most broadcast media, digital
delivery systems) to send unsolicited bulk messages indiscriminately. While the most widely
recognized form of spam is e-mail spam, the term is applied to similar abuses in other media:
instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki
spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax
transmissions, social networking spam, television advertising and file sharing network spam.
Spamming remains economically viable because advertisers have no operating costs beyond the
management of their mailing lists, and it is difficult to hold senders accountable for their mass
mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of
unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne
by the public and by Internet service providers, which have been forced to add extra capacity to
cope with the deluge. Spamming has been the subject of legislation in many jurisdictions.[1]
People who create electronic spam are called spammers.[2]
Contents
1 In different media
   1.1 E-mail
   1.2 Instant Messaging
   1.3 Newsgroup and forum
   1.4 Mobile phone
   1.5 Online game messaging
   1.6 Spam targeting search engines (spamdexing)
   1.7 Blog, wiki, and guestbook
   1.8 Spam targeting video sharing sites
   1.9 SPIT
2 Noncommercial forms
3 Geographical origins
4 History
   4.1 Pre-Internet
   4.2 Etymology
   4.3 History of Internet forms
5 Trademark issues
6 Costs
   6.1 General costs
7 In crime
8 Political issues
9 Court cases
   9.1 United States
   9.2 United Kingdom
   9.3 New Zealand
10 Newsgroups
11 See also
12 References
   12.1 Notes
   12.2 Sources
13 Further reading
14 External links
In different media
E-mail
Main article: E-mail spam
E-mail spam, known as unsolicited bulk Email (UBE), junk mail, or unsolicited commercial
email (UCE), is the practice of sending unwanted e-mail messages, frequently with commercial
content, in large quantities to an indiscriminate set of recipients. Spam in e-mail started to
become a problem when the Internet was opened up to the general public in the mid-1990s. It
grew exponentially over the following years, and today composes some 80 to 85% of all the
email in the world, by a "conservative estimate".[3] Pressure to make e-mail spam illegal has been
successful in some jurisdictions, but less so in others. Spammers take advantage of this fact, and
frequently outsource parts of their operations to countries where spamming will not get them into
legal trouble.
Increasingly, e-mail spam today is sent via "zombie networks", networks of virus- or worm-infected personal computers in homes and offices around the globe; many modern worms install
a backdoor which allows the spammer access to the computer and use it for malicious purposes.
This complicates attempts to control the spread of spam, as in many cases the spam doesn't even
originate from the spammer. In November 2008 an ISP, McColo, which was providing service to
botnet operators, was depeered and spam dropped 50%-75% Internet-wide. At the same time, it
is becoming clear that malware authors, spammers, and phishers are learning from each other,
and possibly forming various kinds of partnerships.[citation needed]
An industry of e-mail address harvesting is dedicated to collecting email addresses and selling
compiled databases.[4] Some of these address harvesting approaches rely on users not reading the
fine print of agreements, resulting in them agreeing to send messages indiscriminately to their
contacts. This is a common approach in social networking spam such as that generated by the
social networking site Quechup.[5]
Instant Messaging
Main article: Messaging spam
Instant Messaging spam makes use of instant messaging systems. Although less ubiquitous than
its e-mail counterpart, according to a report from Ferris Research, 500 million spam IMs were
sent in 2003, twice the level of 2002. As instant messaging tends to not be blocked by firewalls,
it is an especially useful channel for spammers. This is very common on many instant messaging
system such as Skype.
Newsgroup and forum
Main article: Newsgroup spam
Newsgroup spam is a type of spam where the targets are Usenet newsgroups. Spamming of
Usenet newsgroups actually pre-dates e-mail spam. Usenet convention defines spamming as
excessive multiple posting, that is, the repeated posting of a message (or substantially similar
messages). The prevalence of Usenet spam led to the development of the Breidbart Index as an
objective measure of a message's "spamminess".
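The Breidbart Index named above is defined as the sum, over all copies of a message, of the square root of the number of newsgroups each copy was posted to, so that crossposting one article to several groups counts for less than posting separate copies to each. The following is an added example, not code from the article or from any Usenet software, that computes the index over a small set of constructed articles; the sender addresses, newsgroup names, message bodies and the cancel threshold of 20 (the conventional Usenet figure) are assumptions of the example.

```python
import hashlib
import math
import re
from collections import defaultdict


# Constructed sample articles (not real Usenet posts): a minimal header block,
# a blank line, then the body, in the style of an RFC 1036 article.
def make_article(newsgroups, body, sender="poster@example.invalid"):
    return "Newsgroups: %s\nFrom: %s\n\n%s\n" % (",".join(newsgroups), sender, body)


# One campaign: the same advertisement posted 16 times with varying crossposting
# and cosmetic changes in case and spacing, plus one ordinary single-group post.
_CAMPAIGN_GROUPS = (
    [["comp.lang.c", "comp.lang.python", "comp.os.linux.misc", "comp.misc"]] * 8
    + [["alt.test", "misc.test"]] * 4
    + [["rec.arts.sf.written"]] * 4
)
_VARIANTS = [
    "BUY NOW cheap widgets http://example.invalid/",
    "buy now  cheap widgets http://example.invalid/",
    "Buy Now cheap widgets  http://example.invalid/",
]
SAMPLE_ARTICLES = [
    make_article(groups, _VARIANTS[i % len(_VARIANTS)])
    for i, groups in enumerate(_CAMPAIGN_GROUPS)
] + [make_article(["comp.lang.python"], "How do I parse headers in Python?",
                  "someone@example.invalid")]


def split_article(raw):
    """Split a raw article into a lower-cased header dict and the body text."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def fingerprint(body):
    """Collapse whitespace and case so 'substantially similar' copies hash alike."""
    normalized = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def breidbart_index(articles):
    """Map each message fingerprint to (BI, number of copies).

    BI = sum over copies of sqrt(number of newsgroups the copy was posted to),
    so one copy crossposted to 4 groups counts 2, while 4 separate posts count 4.
    """
    crosspost_counts = defaultdict(list)
    for raw in articles:
        headers, body = split_article(raw)
        groups = [g for g in headers.get("newsgroups", "").split(",") if g.strip()]
        crosspost_counts[fingerprint(body)].append(len(groups))
    return {
        fp: (sum(math.sqrt(n) for n in counts), len(counts))
        for fp, counts in crosspost_counts.items()
    }


def analyze(articles, threshold=20.0):
    """Rank message groups by BI and flag those at or above the cancel threshold."""
    ranked = sorted(breidbart_index(articles).items(),
                    key=lambda kv: kv[1][0], reverse=True)
    return [
        {"fingerprint": fp[:12], "bi": round(bi, 3), "copies": copies,
         "spam": bi >= threshold}
        for fp, (bi, copies) in ranked
    ]


if __name__ == "__main__":
    for row in analyze(SAMPLE_ARTICLES):
        print(row)
```

Run as a script, it prints two rows: the campaign (16 copies, BI of 16 + 4*sqrt(2) + 4, about 25.66, flagged) and the single legitimate post (BI 1.0, not flagged). The fingerprint step is what makes the index robust to the trivial edits spammers use to avoid exact-duplicate detection; a real cancelbot would also bound the count by a time window, which this example omits.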
Main article: Forum spam
Forum spam is the creating of messages that are advertisements or otherwise unwanted on
Internet forums. It is generally done by automated spambots. Most forum spam consists of links
to external sites, with the dual goals of increasing search engine visibility in highly competitive
areas such as weight loss, pharmaceuticals, gambling, pornography, real estate or loans, and
generating more traffic for these commercial websites. Some of these links contain code to track
the spambot's identity if a sale goes through, when the spammer behind the spambot works on
commission.
Mobile phone
Main article: Mobile phone spam
Mobile phone spam is directed at the text messaging service of a mobile phone. This can be
especially irritating to customers not only for the inconvenience but also because of the fee they
may be charged per text message received in some markets. The term "SpaSMS" was coined at
the adnews website Adland in 2000 to describe spam SMS.
Online game messaging
Many online games allow players to contact each other via player-to-player messaging, chat
rooms, or public discussion areas. What qualifies as spam varies from game to game, but usually
this term applies to all forms of message flooding, violating the terms of service contract for the
website. This is particularly common in MMORPGs where the spammers are trying to sell game-related "items" for real-world money, chiefly among these items is in-game currency. This kind
of spamming is also called Real Money Trading (RMT). In the popular MMORPG World of
Warcraft, it is common for spammers to advertise sites that sell gold in multiple methods of
spam. They send spam via the in-game private messaging system, via the in-game mailing
system, via yelling publicly to everyone in the area and by creating a lot of characters and
committing suicide (with hacks) and making a row of bodies resemble a site URL which takes
the user to a gold-selling website. All of these spam methods can interfere with the user's
gameplay experience by means of scamming or account fraud. This is one reason why spam is
discouraged by game developers.
Spam targeting search engines (spamdexing)
Main article: Spamdexing
Spamdexing (a portmanteau of spamming and indexing) refers to a practice on the World Wide
Web of modifying HTML pages to increase the chances of them being placed high on search
engine relevancy lists. These sites use "black hat search engine optimization (SEO) techniques"
to deliberately manipulate their rank in search engines. Many modern search engines modified
their search algorithms to try to exclude web pages utilizing spamdexing tactics. For example,
the search bots will detect repeated keywords as spamming by using a grammar analysis. If a
website owner is found to have spammed the webpage to falsely increase its page rank, the
website may be penalized by search engines.
Blog, wiki, and guestbook
Main article: Spam in blogs
Blog spam, or "blam" for short, is spamming on weblogs. In 2003, this type of spam took
advantage of the open nature of comments in the blogging software Movable Type by repeatedly
placing comments to various blog posts that provided nothing more than a link to the spammer's
commercial web site.[6] Similar attacks are often performed against wikis and guestbooks, both
of which accept user contributions.
Spam targeting video sharing sites
Video sharing sites, such as YouTube, are now being frequently targeted by spammers. The most
common technique involves people (or spambots) posting links to sites, most likely pornographic
or dealing with online dating, on the comments section of random videos or people's profiles.
Another frequently used technique is using bots to post messages on random users' profiles to a
spam account's channel page, along with enticing text and images, usually of a sexually
suggestive nature. These pages may include their own or other users' videos, again often
suggestive. The main purpose of these accounts is to draw people to their link in the home page
section of their profile. YouTube has blocked the posting of such links. In addition, YouTube has
implemented a CAPTCHA system that makes rapid posting of repeated comments much more
difficult than before, because of abuse in the past by mass-spammers who would flood people's
profiles with thousands of repetitive comments.
Yet another kind is actual video spam, giving the uploaded movie a name and description with a
popular figure or event which is likely to draw attention, or within the video has a certain image
timed to come up as the video's thumbnail image to mislead the viewer. The actual content of the
video ends up being totally unrelated, a Rickroll, sometimes offensive, or just features on-screen
text of a link to the site being promoted.[7] Others may upload videos presented in an
infomercial-like format selling their product which feature actors and paid testimonials, though
the promoted product or service is of dubious quality and would likely not pass the scrutiny of a
standards and practices department at a television station or cable network.
SPIT
SPIT (SPam over Internet Telephony) is VoIP (Voice over Internet Protocol) spam, usually using
SIP (Session Initiation Protocol).
Noncommercial forms
E-mail and other forms of spamming have been used for purposes other than advertisements.
Many early Usenet spams were religious or political. Serdar Argic, for instance, spammed
Usenet with historical revisionist screeds. A number of evangelists have spammed Usenet and e-mail media with preaching messages. A growing number of criminals are also using spam to
perpetrate various sorts of fraud,[8] and in some cases have used it to lure people to locations
where they have been kidnapped, held for ransom, and even murdered.[9]
Geographical origins
A 2009 Cisco Systems report lists the origin of spam by country as follows:[10]
Rank  Country        Spam messages per year (in trillions)
1     Brazil         7.7
2     United States  6.6
3     India          3.6
4     South Korea    3.1
5     Turkey         2.6
6     Vietnam        2.5
7     China          2.4
8     Poland         2.4
9     Russia         2.3
10    Argentina      1.5
History
Pre-Internet
In the late 19th Century Western Union allowed telegraphic messages on its network to be sent
to multiple destinations. The first recorded instance of a mass unsolicited commercial telegram is
from May 1864.[11] Up until the Great Depression wealthy North American residents would be
deluged with nebulous investment offers. This problem never fully emerged in Europe to the
degree that it did in the Americas, because telegraphy was regulated by national post offices in
the European region.
Etymology
According to the Internet Society and other sources, the term spam is derived from the 1970
Spam sketch of the BBC television comedy series "Monty Python's Flying Circus".[12] The
sketch is set in a cafe where nearly every item on the menu includes Spam canned luncheon
meat. As the waiter recites the Spam-filled menu, a chorus of Viking patrons drowns out all
conversations with a song repeating "Spam, Spam, Spam, Spam... lovely Spam! wonderful
Spam!", hence "Spamming" the dialogue.[13] The excessive amount of Spam mentioned in the
sketch is a reference to the preponderance of imported canned meat products in the United
Kingdom, particularly corned beef from Argentina, in the years after World War II, as the
country struggled to rebuild its agricultural base. Spam captured a large slice of the British
market within lower economic classes and became a byword among British children of the 1960s
for low-grade fodder due to its commonality, monotonous taste and cheap price - hence the
humour of the Python sketch.
In the 1980s the term was adopted to describe certain abusive users who frequented BBSs and
MUDs, who would repeat "Spam" a huge number of times to scroll other users' text off the
screen.[14] In early Chat rooms services like PeopleLink and the early days of AOL, they actually
flooded the screen with quotes from the Monty Python Spam sketch. With internet connections
over phone lines, typically running at 1200 or even 300 baud, it could take an enormous amount
of time for a spammy logo, drawn in ASCII art to scroll to completion on a viewer's terminal.
Sending an irritating, large, meaningless block of text in this way was called spamming. This was
used as a tactic by insiders of a group that wanted to drive newcomers out of the room so the
usual conversation could continue. It was also used to prevent members of rival groups from
chatting—for instance, Star Wars fans often invaded Star Trek chat rooms, filling the space with
blocks of text until the Star Trek fans left.[15] This act, previously called flooding or trashing,
came to be known as spamming.[16] The term was soon applied to a large amount of text
broadcast by many users.
It later came to be used on Usenet to mean excessive multiple posting—the repeated posting of
the same message. The unwanted message would appear in many if not all newsgroups, just as
Spam appeared in nearly all the menu items in the Monty Python sketch. The first usage of this
sense was by Joel Furr[17] in the aftermath of the ARMM incident of March 31, 1993, in which a
piece of experimental software released dozens of recursive messages onto the
news.admin.policy newsgroup.[18] This use had also become established—to spam Usenet was
flooding newsgroups with junk messages. The word was also attributed to the flood of "Make
Money Fast" messages that clogged many newsgroups during the 1990s.[citation needed] In 1998, the
New Oxford Dictionary of English, which had previously only defined "spam" in relation to the
trademarked food product, added a second definition to its entry for "spam": "Irrelevant or
inappropriate messages sent on the Internet to a large number of newsgroups or users."[19]
There are several popular false etymologies of the word "spam". One, promulgated by early
spammers Laurence Canter and Martha Siegel, is that "spamming" is what happens when one
dumps a can of Spam luncheon meat into a fan blade.[citation needed] Some others are the backronym
"stupid pointless annoying messages".[citation needed]
History of Internet forms
The earliest documented spam was a message advertising the availability of a new model of
Digital Equipment Corporation computers sent to 393 recipients on ARPANET in 1978, by Gary
Thuerk.[17][20][21] The term "spam" for this practice had not yet been applied. Spamming had been
practiced as a prank by participants in multi-user dungeon games, to fill their rivals' accounts
with unwanted electronic junk.[21] The first known electronic chain letter, titled Make Money
Fast, was released in 1988.
The first major commercial spam incident started on March 5, 1994, when a husband and wife
team of lawyers, Laurence Canter and Martha Siegel, began using bulk Usenet posting to
advertise immigration law services. The incident was commonly termed the "Green Card spam",
after the subject line of the postings. Defiant in the face of widespread condemnation, the
attorneys claimed their detractors were hypocrites or "zealouts", claimed they had a free speech
right to send unwanted commercial messages, and labeled their opponents "anti-commerce
radicals." The couple wrote a controversial book entitled How to Make a Fortune on the
Information Superhighway.[21]
Later that year a poster operating under the alias Serdar Argic posted antagonistic messages
denying the Armenian Genocide to tens of thousands of Usenet discussions that had been
searched for the word Turkey. Within a few years, the focus of spamming (and anti-spam efforts)
moved chiefly to e-mail, where it remains today.[14] Arguably, the aggressive email spamming by
a number of high-profile spammers such as Sanford Wallace of Cyber Promotions in the mid-to-late 1990s contributed to making spam predominantly an email phenomenon in the public
mind.[citation needed] By 2009, the majority of spam sent around the world was in the English
language; spammers began using automatic translation services to send spam in other
languages.[22]
Trademark issues
Hormel Foods Corporation, the maker of Spam luncheon meat, does not object to the Internet
use of the term "spamming". However, they did ask that the capitalized word "Spam" be reserved
to refer to their product and trademark.[23] By and large, this request is obeyed in forums which
discuss spam. In Hormel Foods v SpamArrest, Hormel attempted to assert its trademark rights
against SpamArrest, a software company, from using the mark "spam", since Hormel owns the
trademark. In a dilution claim, Hormel argued that Spam Arrest's use of the term "spam" had
endangered and damaged "substantial goodwill and good reputation" in connection with its
trademarked lunch meat and related products. Hormel also asserts that Spam Arrest's name so
closely resembles its luncheon meat that the public might become confused, or might think that
Hormel endorses Spam Arrest's products.
Hormel did not prevail. Attorney Derek Newman responded on behalf of Spam Arrest: "Spam
has become ubiquitous throughout the world to describe unsolicited commercial e-mail. No
company can claim trademark rights on a generic term." Hormel stated on its website:
"Ultimately, we are trying to avoid the day when the consuming public asks, 'Why would
Hormel Foods name its product after junk email?".[24]
Hormel also made two attempts that were dismissed in 2005 to revoke the marks
"SPAMBUSTER"[25] and Spam Cube.[26] Hormel's Corporate Attorney Melanie J. Neumann also
sent SpamCop's Julian Haight a letter on August 27, 1999 requesting that he delete an
objectionable image (a can of Hormel's Spam luncheon meat product in a trash can), change
references to UCE spam to all lower case letters, and confirm his agreement to do so.[27]
Costs
The European Union's Internal Market Commission estimated in 2001 that "junk e-mail" cost
Internet users €10 billion per year worldwide.[28] The California legislature found that spam cost
United States organizations alone more than $13 billion in 2007, including lost productivity and
the additional equipment, software, and manpower needed to combat the problem.[29] Spam's
direct effects include the consumption of computer and network resources, and the cost in human
time and attention of dismissing unwanted messages.[30]
In addition, spam has costs stemming from the kinds of spam messages sent, from the ways
spammers send them, and from the arms race between spammers and those who try to stop or
control spam. In addition, there is the opportunity cost of those who forgo the use of spam-afflicted systems. There are the direct costs, as well as the indirect costs borne by the victims—
both those related to the spamming itself, and to other crimes that usually accompany it, such as
financial theft, identity theft, data and intellectual property theft, virus and other malware
infection, child pornography, fraud, and deceptive marketing.
The cost to providers of search engines is not insignificant: "The secondary consequence of
spamming is that search engine indexes are inundated with useless pages, increasing the cost of
each processed query".[2] The methods of spammers are likewise costly. Because spamming
contravenes the vast majority of ISPs' acceptable-use policies, most spammers have for many
years gone to some trouble to conceal the origins of their spam. E-mail, Usenet, and instant-message spam are often sent through insecure proxy servers belonging to unwilling third parties.
Spammers frequently use false names, addresses, phone numbers, and other contact information
to set up "disposable" accounts at various Internet service providers. In some cases, they have
used falsified or stolen credit card numbers to pay for these accounts. This allows them to
quickly move from one account to the next as each one is discovered and shut down by the host
ISPs.
The costs of spam also include the collateral costs of the struggle between spammers and the
administrators and users of the media threatened by spamming.[31] Many users are bothered by
spam because it impinges upon the amount of time they spend reading their e-mail. Many also
find the content of spam frequently offensive, in that pornography is one of the most frequently
advertised products. Spammers send their spam largely indiscriminately, so pornographic ads
may show up in a work place e-mail inbox—or a child's, the latter of which is illegal in many
jurisdictions. Recently, there has been a noticeable increase in spam advertising websites that
contain child pornography.
Some spammers argue that most of these costs could potentially be alleviated by having
spammers reimburse ISPs and persons for their material.[citation needed] There are three problems
with this logic: first, the rate of reimbursement they could credibly budget is not nearly high
enough to pay the direct costs[citation needed], second, the human cost (lost mail, lost time, and lost
opportunities) is basically unrecoverable, and third, spammers often use stolen bank accounts
and credit cards to finance their operations, and would conceivably do so to pay off any fines
imposed.
E-mail spam exemplifies a tragedy of the commons: spammers use resources (both physical and
human), without bearing the entire cost of those resources. In fact, spammers commonly do not
bear the cost at all. This raises the costs for everyone. In some ways spam is even a potential
threat to the entire e-mail system, as operated in the past. Since e-mail is so cheap to send, a tiny
number of spammers can saturate the Internet with junk mail. Although only a tiny percentage of
their targets are motivated to purchase their products (or fall victim to their scams), the low cost
may provide a sufficient conversion rate to keep the spamming alive. Furthermore, even though
spam appears not to be economically viable as a way for a reputable company to do business, it
suffices for professional spammers to convince a tiny proportion of gullible advertisers that it is
viable for those spammers to stay in business. Finally, new spammers go into business every day,
and the low costs allow a single spammer to do a lot of harm before finally realizing that the
business is not profitable.
Some companies and groups "rank" spammers; spammers who make the news are sometimes
referred to by these rankings.[32][33] The secretive nature of spamming operations makes it
difficult to determine how prolific an individual spammer is, thus making the spammer hard
to track, block or avoid. Also, spammers may target different networks to different extents,
depending on how successful they are at attacking the target. Thus considerable resources are
employed to actually measure the amount of spam generated by a single person or group. For
example, victims that use common anti-spam hardware, software or services provide
opportunities for such tracking. Nevertheless, such rankings should be taken with a grain of salt.
General costs
In all cases listed above, including both commercial and non-commercial, "spam happens"
because of a positive Cost-benefit analysis result if the cost to recipients is excluded as an
externality the spammer can avoid paying.
Cost is the combination of:
- Overhead: The costs and overhead of electronic spamming include bandwidth,
developing or acquiring an email/wiki/blog spam tool, taking over or acquiring a
host/zombie, etc.
- Transaction cost: The incremental cost of contacting each additional recipient once a
method of spamming is constructed, multiplied by the number of recipients. (see
CAPTCHA as a method of increasing transaction costs)
- Risks: Chance and severity of legal and/or public reactions, including damages and
punitive damages
- Damage: Impact on the community and/or communication channels being spammed (see
Newsgroup spam)
Benefit is the total expected profit from spam, which may include any combination of the
commercial and non-commercial reasons listed above. It is normally linear, based on the
incremental benefit of reaching each additional spam recipient, combined with the conversion
rate. The conversion rate for botnet-generated spam has recently been measured to be around one
in 12,000,000 for pharmaceutical spam and one in 200,000 for infection sites as used by the
Storm botnet.[34]
Spam is prevalent on the Internet because the transaction cost of electronic communications is
radically less than any alternate form of communication, far outweighing the current potential
losses, as seen by the amount of spam currently in existence. Spam continues to spread to new
forms of electronic communication as the gain (number of potential recipients) increases to
levels where the cost/benefit becomes positive. Spam has most recently evolved to include
wikispam and blogspam as the levels of readership increase to levels where the overhead is no
longer the dominating factor. According to the above analysis, spam levels will continue to
increase until the cost/benefit analysis is balanced[citation needed].
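The cost-benefit analysis of this section can be written out as a small model: fixed costs (overhead plus expected legal risk) against a per-recipient margin of conversion rate times value per conversion minus transaction cost, with community damage left out because it is the externality the spammer does not pay. The following is an added example, not code from the article; the two conversion rates are the Storm botnet figures cited above, while the overhead, risk, transaction cost, value per conversion and the post-CAPTCHA transaction cost are constructed assumptions chosen only to make the arithmetic visible.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Campaign:
    """Spammer-side economics of one campaign. Damage to the community is left
    out on purpose: it is the externality the spammer does not pay for."""
    overhead: float              # fixed: tools, bandwidth, hosts/zombies
    transaction_cost: float      # per recipient, once the method exists
    expected_risk: float         # probability-weighted legal/public reaction
    conversion_rate: float       # fraction of recipients who convert
    value_per_conversion: float  # expected gain from one conversion

    def margin_per_recipient(self) -> float:
        """Expected gain minus incremental cost for one more recipient."""
        return self.conversion_rate * self.value_per_conversion - self.transaction_cost

    def breakeven_recipients(self) -> Optional[float]:
        """Recipients needed to cover fixed costs; None if every recipient loses money."""
        margin = self.margin_per_recipient()
        if margin <= 0:
            return None
        return (self.overhead + self.expected_risk) / margin

    def net(self, recipients: float) -> float:
        """Expected profit of a campaign that reaches the given number of recipients."""
        return recipients * self.margin_per_recipient() - self.overhead - self.expected_risk


# Conversion rates are the ones the article cites for Storm botnet spam; every
# other figure below is a constructed assumption, not a measured value.
PHARMA = Campaign(
    overhead=1000.0,
    transaction_cost=1e-6,
    expected_risk=500.0,
    conversion_rate=1 / 12_000_000,
    value_per_conversion=100.0,
)
INFECTION = Campaign(
    overhead=1000.0,
    transaction_cost=1e-6,
    expected_risk=500.0,
    conversion_rate=1 / 200_000,
    value_per_conversion=2.0,
)


def with_captcha(campaign: Campaign, cost_per_recipient: float) -> Campaign:
    """Model a defence such as CAPTCHA as a higher per-recipient transaction cost."""
    return replace(campaign, transaction_cost=cost_per_recipient)


def summarize(campaign: Campaign, recipients: float) -> dict:
    """Collect the three numbers a defender cares about for one campaign."""
    return {
        "margin_per_recipient": campaign.margin_per_recipient(),
        "breakeven_recipients": campaign.breakeven_recipients(),
        "net_at_volume": campaign.net(recipients),
    }


if __name__ == "__main__":
    scenarios = [
        ("pharma", PHARMA),
        ("infection", INFECTION),
        ("pharma, assumed post-CAPTCHA cost", with_captcha(PHARMA, 1e-5)),
    ]
    for name, campaign in scenarios:
        print(name, summarize(campaign, 1_000_000_000))
```

Under these assumptions the pharmaceutical campaign needs roughly 205 million recipients to break even and is profitable at a billion; raising the per-recipient cost by one order of magnitude, the effect a CAPTCHA is meant to have, pushes the margin below zero, so no volume of recipients makes it pay. That is the mechanism behind the section's claim that spam follows each medium until the cost/benefit turns positive, and it shows why defences that raise the transaction cost matter more than ones that raise overhead.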
In crime
Spam can be used to spread computer viruses, trojan horses or other malicious software. The
objective may be identity theft, or worse (e.g., advance fee fraud). Some spam attempts to
capitalize on human greed whilst others attempt to use the victims' inexperience with computer
technology to trick them (e.g., phishing). On May 31, 2007, one of the world's most prolific
spammers, Robert Alan Soloway, was arrested by U.S. authorities.[35] Described as one of the top
ten spammers in the world, Soloway was charged with 35 criminal counts, including mail fraud,
wire fraud, e-mail fraud, aggravated identity theft and money laundering.[35] Prosecutors allege
that Soloway used millions of "zombie" computers to distribute spam during 2003.[citation needed]
This is the first case in which U.S. prosecutors used identity theft laws to prosecute a spammer
for taking over someone else's Internet domain name.[citation needed]
Political issues
Spamming remains a hot discussion topic. In 2004, the seized Porsche of an indicted spammer
was advertised on the Internet;[36] this revealed the extent of the financial rewards available to
those who are willing to commit duplicitous acts online. However, some of the possible means
used to stop spamming may lead to other side effects, such as increased government control over
the Internet, loss of privacy, barriers to free expression, and the commercialization of email.[citation needed]
One of the chief values favored by many long-time Internet users and experts, as well as by
many members of the public, is the free exchange of ideas. Many have valued the relative
anarchy of the Internet, and bridle at the idea of restrictions placed upon it.[citation needed] A
common refrain from spam-fighters is that spamming itself abridges the historical freedom of the
Internet, by attempting to force users to carry the costs of material which they would not
choose.[citation needed]
An ongoing concern expressed by parties such as the Electronic Frontier Foundation and the
ACLU has to do with so-called "stealth blocking", a term for ISPs employing aggressive spam
blocking without their users' knowledge. These groups' concern is that ISPs or technicians
seeking to reduce spam-related costs may select tools which (either through error or design) also
block non-spam e-mail from sites seen as "spam-friendly". SPEWS is a common target of these
criticisms. Few object to the existence of these tools; it is their use in filtering the mail of users
who are not informed of their use which draws fire.[citation needed]
Some see spam-blocking tools as a threat to free expression—and laws against spamming as an
untoward precedent for regulation or taxation of e-mail and the Internet at large. Even though it
is possible in some jurisdictions to treat some spam as unlawful merely by applying existing laws
against trespass and conversion, some laws specifically targeting spam have been proposed. In
2004, the United States passed the CAN-SPAM Act of 2003 which provided ISPs with tools to
combat spam. This act allowed Yahoo! to successfully sue Eric Head, reportedly one of the
biggest spammers in the world, who settled the lawsuit for several thousand U.S. dollars in June
2004. But the law is criticized by many for not being effective enough. Indeed, the law was
supported by some spammers and organizations which support spamming, and opposed by many
in the anti-spam community. Examples of effective anti-abuse laws that respect free speech
rights include those in the U.S. against unsolicited faxes and phone calls, and those in Australia
and a few U.S. states against spam.[citation needed]
In November 2004, Lycos Europe released a screen saver called make LOVE not SPAM which
made Distributed Denial of Service attacks on the spammers themselves. It met with a large
amount of controversy and the initiative ended in December 2004.[citation needed]
While most countries either outlaw or at least ignore spam, Bulgaria is the first and so far the
only one to partially legalize it. According to recent changes in the Bulgarian E-Commerce Act,
anyone can send spam to mailboxes owned by a company or organization, as long as the message
body carries a warning that it may be unsolicited commercial e-mail. The law contains
many other inadequate provisions - for example the creation of a nationwide public electronic register
of e-mail addresses that do not want to receive spam, something valuable only as a source for e-mail address harvesting.
Anti-spam policies may also be a form of disguised censorship, a way to ban access or reference
to questioning alternative forums or blogs by an institution. This form of occult censorship is
mainly used by private companies when they can not muzzle criticism by legal ways.[37]
Court cases
See also: E-mail spam legislation by country
United States
Sanford Wallace and Cyber Promotions were the target of a string of lawsuits, many of which
were settled out of court, up through the famous 1998 Earthlink settlement[citation needed]which put
Cyber Promotions out of business. Attorney Laurence Canter was disbarred by the Tennessee
Supreme Court in 1997 for sending prodigious amounts of spam advertising his immigration law
practice. In 2005, Jason Smathers, a former America Online employee, pled guilty to charges of
violating the CAN-SPAM Act. In 2003, he sold a list of approximately 93 million AOL
subscriber e-mail addresses to Sean Dunaway who, in turn, sold the list to spammers.[38][39]
In 2007, Robert Soloway lost a case in a federal court against the operator of a small Oklahoma-based Internet service provider who accused him of spamming. U.S. Judge Ralph G. Thompson
granted a motion by plaintiff Robert Braver for a default judgment and permanent injunction
against him. The judgment includes a statutory damages award of $10,075,000 under Oklahoma
law.[40]
In June 2007, two men were convicted of eight counts stemming from sending millions of e-mail
spam messages that included hardcore pornographic images. Jeffrey A. Kilbride, 41, of Venice,
California was sentenced to six years in prison, and James R. Schaffer, 41, of Paradise Valley,
Arizona, was sentenced to 63 months. In addition, the two were fined $100,000, ordered to pay
$77,500 in restitution to AOL, and ordered to forfeit more than $1.1 million, the amount of
illegal proceeds from their spamming operation.[41] The charges included conspiracy, fraud,
money laundering, and transportation of obscene materials. The trial, which began on June 5,
was the first to include charges under the CAN-SPAM Act of 2003, according to a release from
the Department of Justice. The specific law that prosecutors used under the CAN-SPAM Act was
designed to crack down on the transmission of pornography in spam.[42]
In 2005, Scott J. Filary and Donald E. Townsend of Tampa, Florida were sued by Florida
Attorney General Charlie Crist for violating the Florida Electronic Mail Communications Act.[43]
The two spammers were required to pay $50,000 USD to cover the costs of investigation by the
state of Florida, and a $1.1 million penalty if spamming were to continue, the $50,000 was not
paid, or the financial statements provided were found to be inaccurate. The spamming operation
was successfully shut down.[44]
Edna Fiedler, 44, of Olympia, Washington, on June 25, 2008, pleaded guilty in a Tacoma court
and was sentenced to 2 years imprisonment and 5 years of supervised release or probation in an
Internet $1 million "Nigerian check scam." She conspired to commit bank, wire and mail fraud
against US citizens, specifically using the Internet, with an accomplice who shipped
counterfeit checks and money orders to her from Lagos, Nigeria, last November. Fiedler had shipped
out $609,000 in fake checks and money orders when arrested and was prepared to send an additional $1.1
million in counterfeit materials. Also, the U.S. Postal Service recently intercepted counterfeit
checks, lottery tickets and eBay overpayment schemes with a face value of $2.1 billion.[45][46]
[edit] United Kingdom
In the first successful case of its kind, Nigel Roberts from the Channel Islands won £270 against
Media Logistics UK, which had sent junk e-mails to his personal account.[47]
In January 2007, a Sheriff Court in Scotland awarded Gordon Dick £750 (then the maximum sum
that could be awarded in a Small Claim action) plus expenses of £618.66, a total of £1,368.66,
against Transcom Internet Services Ltd[48] for breaching anti-spam laws.[49] Transcom had been
legally represented at earlier hearings but was not represented at the proof, so Dick obtained
his decree by default. It is the largest amount awarded in compensation in the United Kingdom
since the Roberts v Media Logistics case of 2005 above, but it is not known whether Dick ever
received anything. (An image of Media Logistics' cheque is shown on Roberts' website.[50])
Both Roberts and Dick are well-known figures in the British Internet industry for other reasons.
Dick is currently Interim Chairman of Nominet UK (the manager of .UK and .CO.UK), while
Roberts is CEO of CHANNELISLES.NET (manager of .GG and .JE).
Despite the statutory tort created by the Regulations implementing the EC Directive, few
other people have followed their example. As the courts engage in active case management,
such cases would now probably be expected to be settled by mediation and payment of nominal
damages.
[edit] New Zealand
In October 2008, a vast international internet spam operation run from New Zealand was cited by
American authorities as one of the world’s largest, and for a time responsible for up to a third of
all unwanted emails. In a statement the US Federal Trade Commission (FTC) named
Christchurch’s Lance Atkinson as one of the principals of the operation. New Zealand’s Internal
Affairs announced it had lodged a $200,000 claim in the High Court against Atkinson and his
brother Shane Atkinson and courier Roland Smits, after raids in Christchurch. This marked the
first prosecution since the Unsolicited Electronic Messages Act (UEMA) was passed in
September 2007. The FTC said it had received more than three million complaints about spam
messages connected to this operation, and estimated that it may be responsible for sending
billions of illegal spam messages. The US District Court froze the defendants’ assets to preserve
them for consumer redress pending trial.[51] U.S. co-defendant Jody Smith forfeited more than
$800,000 and faces up to five years in prison on the charges to which he pleaded guilty.[52]
Computer worm
Morris Worm source code disk at the Computer History Museum.
Spread of Conficker worm.
A computer worm is a self-replicating malware computer program. It uses a computer network
to send copies of itself to other nodes (computers on the network) and it may do so without any
user intervention. This is due to security shortcomings on the target computer. Unlike a virus, it
does not need to attach itself to an existing program. Worms almost always cause at least some
harm to the network, even if only by consuming bandwidth, whereas viruses almost always
corrupt or modify files on a targeted computer.
[edit] Payloads
Many worms that have been created are only designed to spread, and don't attempt to alter the
systems they pass through. However, as the Morris worm and Mydoom showed, the network
traffic and other unintended effects can often cause major disruption. A "payload" is code
designed to do more than spread the worm–it might delete files on a host system (e.g., the
ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail.
A very common payload for worms is to install a backdoor in the infected computer to allow the
creation of a "zombie" computer under control of the worm author. Networks of such machines
are often referred to as botnets and are very commonly used by spam senders for sending junk
email or to cloak their website's address.[1] Spammers are therefore thought to be a source of
funding for the creation of such worms,[2][3] and the worm writers have been caught selling lists
of IP addresses of infected machines.[4] Others try to blackmail companies with threatened DoS
attacks.[5]
Backdoors can be exploited by other malware, including worms. Examples include Doomjuice,
which spreads through the backdoor opened by Mydoom, and at least one instance of
malware taking advantage of the rootkit and backdoor installed by the Sony/BMG DRM
software shipped on millions of music CDs prior to late 2005.
[edit] Worms with good intent
Beginning with the very first research into worms at Xerox PARC, there have been attempts to
create useful worms. The Nachi family of worms, for example, tried to download and install
patches from Microsoft's website to fix vulnerabilities in the host system–by exploiting those
same vulnerabilities. In practice, although this may have made these systems more secure, it
generated considerable network traffic, rebooted the machine in the course of patching it, and did
its work without the consent of the computer's owner or user.
Some worms, such as XSS worms, have been written for research, to determine the factors that
govern how worms spread, such as social activity and changes in user behavior, while other
worms are little more than a prank, such as one that sends the popular image macro of an owl
with the phrase "O RLY?" to a print queue on the infected computer. Another research project
proposed what appears to be the first computer worm operating at the second layer of the OSI
model (the data link layer): it uses topology information such as content-addressable memory
(CAM) tables and spanning-tree information stored in switches to propagate and probe for
vulnerable nodes until the enterprise network is covered.[6]
Most security experts regard all worms as malware, whatever their payload or their writers'
intentions.
[edit] Protecting against dangerous computer worms
Worms spread by exploiting vulnerabilities in operating systems. Vendors with security
problems supply regular security updates[7] (see "Patch Tuesday"), and if these are installed to a
machine then the majority of worms are unable to spread to it. If a vulnerability is exploited
before the vendor has released a patch for it, a zero-day attack is possible.
Users need to be wary of opening unexpected email,[8] and should not run attached files or
programs, or visit web sites linked from such emails. However, as the ILOVEYOU worm showed,
and with the increased growth and efficiency of phishing attacks, it remains possible to
trick the end user into running malicious code.
Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new pattern
files at least every few days. The use of a firewall is also recommended.
In the April–June, 2008, issue of IEEE Transactions on Dependable and Secure Computing,
computer scientists describe a potential new way to combat internet worms. The researchers
discovered how to contain the kind of worm that scans the Internet randomly, looking for
vulnerable hosts to infect. They found that the key is for software to monitor the number of scans
that each machine on a network sends out. When a machine starts sending out too many scans, it is
a sign that it has been infected, allowing administrators to take it offline and check it for
malware.[9][10]
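The scan-counting approach described above, as an added example (this is not code from the page or from the cited paper): a sliding-window detector that flags a source host once it has contacted a threshold number of distinct destinations within the window, which is the signature of a worm scanning random addresses. The flow-record format and the traffic are constructed for the example; the 20-destinations-per-60-seconds threshold is an assumed tuning, not a figure from the paper.

```python
"""Scan-rate detector for randomly scanning worms, run over constructed flow
records (added example, not code from the page or the cited paper)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def parse_flow(line):
    """Parse '<ISO timestamp> <src> -> <dst>:<port> <flags>' (a constructed
    log format for this example, not any particular product's output)."""
    ts_text, src, _arrow, dst_port, _flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S"), src, dst, int(port)


class ScanRateDetector:
    """Flag a source once it has contacted `threshold` distinct destinations
    within a sliding window of `window_seconds`. Records must arrive in
    time order; each source is reported at most once."""

    def __init__(self, window_seconds=60, threshold=20):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = threshold
        self._events = defaultdict(deque)       # src -> deque of (ts, dst)
        self._in_window = defaultdict(Counter)  # src -> dst -> hits in window
        self.alerted = set()

    def observe(self, ts, src, dst):
        events, counts = self._events[src], self._in_window[src]
        events.append((ts, dst))
        counts[dst] += 1
        cutoff = ts - self.window
        while events and events[0][0] < cutoff:  # expire records outside the window
            _old_ts, old_dst = events.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        distinct = len(counts)  # distinct destinations still inside the window
        if distinct >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return (src, ts.isoformat(), distinct)
        return None


def find_scanners(lines, window_seconds=60, threshold=20):
    """Run the detector over flow lines; return [(src, when, distinct_dsts)]."""
    detector = ScanRateDetector(window_seconds, threshold)
    alerts = []
    for line in lines:
        ts, src, dst, _port = parse_flow(line)
        alert = detector.observe(ts, src, dst)
        if alert:
            alerts.append(alert)
    return alerts


def build_sample_log():
    """Constructed sample, not captured traffic: 10.0.0.7 is a normal host
    talking to three web servers; 10.0.0.5 sweeps port 445 across a /24,
    one new address per second, like a randomly scanning worm."""
    base = datetime(2008, 4, 1, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} 10.0.0.7 -> 10.0.2.{10 + i % 3}:80 SYN")
        lines.append(f"{ts} 10.0.0.5 -> 10.0.1.{1 + i}:445 SYN")
    return lines


if __name__ == "__main__":
    for src, when, distinct in find_scanners(build_sample_log()):
        print(f"{when} {src} contacted {distinct} distinct hosts within 60 s: quarantine it")
```

The normal host never exceeds three distinct destinations and is never reported; the sweeping host is reported the second it reaches twenty. Counting distinct destinations rather than raw connections is what keeps a busy but legitimate server from tripping the detector.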
[edit] Mitigation techniques
ACLs in routers and switches
Packet-filters
Nullrouting
TCP Wrapper/libwrap enabled network service daemons
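The last item in that list, as an added example (not code from the page): the decision procedure that a TCP Wrapper-enabled daemon applies through libwrap, emulated in Python against constructed hosts.allow and hosts.deny contents. The daemon names, hosts and networks are made up; only the common pattern forms of hosts_access(5) are handled, and the client's host name is taken as given rather than resolved through reverse DNS as libwrap does.

```python
"""Decision logic of TCP Wrapper (libwrap) style access control, run against
constructed hosts.allow / hosts.deny contents (added example)."""
import ipaddress

# Constructed sample files; the networks are documentation ranges, not a
# real deployment.
HOSTS_ALLOW = """\
# hosts.allow is consulted first; the first matching line grants access
ALL: 127.0.0.1 192.0.2.0/255.255.255.0
sshd: .corp.example.com EXCEPT guest.corp.example.com
"""

HOSTS_DENY = """\
# anything not explicitly allowed above is refused
ALL: ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_list)] from a hosts.allow/deny body.
    Only the 'daemon_list : client_list' form is handled; shell commands
    in a third field and line continuations are out of scope here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")], clients.strip()))
    return rules


def client_matches(pattern, client_ip, client_name):
    """One client pattern, following the hosts_access(5) matching rules:
    ALL, leading-dot domain suffix, trailing-dot numeric prefix,
    net/mask (dotted mask or CIDR length), or an exact host/address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return client_name.endswith(pattern)
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if "/" in pattern:
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (client_ip, client_name)


def list_matches(client_list, client_ip, client_name):
    """'A B EXCEPT C D' matches when A or B matches and neither C nor D does."""
    if " EXCEPT " in client_list:
        included, excluded = client_list.split(" EXCEPT ", 1)
        return (list_matches(included, client_ip, client_name)
                and not list_matches(excluded, client_ip, client_name))
    return any(client_matches(p, client_ip, client_name) for p in client_list.split())


def daemon_matches(daemon_list, daemon):
    return any(d in ("ALL", daemon) for d in daemon_list)


def tcpd_decision(daemon, client_ip, client_name,
                  allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Emulate tcpd: the first match in hosts.allow grants, then the first
    match in hosts.deny refuses, and with no match at all access is granted.
    client_name is taken as given; real libwrap derives it from reverse DNS."""
    for daemons, clients in parse_rules(allow_text):
        if daemon_matches(daemons, daemon) and list_matches(clients, client_ip, client_name):
            return "allow"
    for daemons, clients in parse_rules(deny_text):
        if daemon_matches(daemons, daemon) and list_matches(clients, client_ip, client_name):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for args in [("sshd", "192.0.2.10", "mgmt.example.net"),
                 ("sshd", "203.0.113.5", "dev.corp.example.com"),
                 ("sshd", "203.0.113.6", "guest.corp.example.com"),
                 ("ftpd", "203.0.113.5", "dev.corp.example.com")]:
        print(args, "->", tcpd_decision(*args))
```

The point worth remembering from the emulation is the default: with an empty hosts.deny, a request that matches nothing is allowed, which is why a worm-hardening setup ends hosts.deny with "ALL: ALL" and whitelists in hosts.allow.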
[edit] History
The term "worm" was first used in John Brunner's 1975 novel, The Shockwave Rider. In
that novel, Nichlas Haflinger designs and sets off a data-gathering worm in an act of revenge
against the powerful men who run a national electronic information web that induces mass
conformity. "You have the biggest-ever worm loose in the net, and it automatically sabotages
any attempt to monitor it... There's never been a worm with that tough a head or that long a
tail!"[11]
On November 2, 1988, Robert Tappan Morris, a Cornell University computer science graduate
student, unleashed what became known as the Morris worm, disrupting perhaps 10% of the
computers then on the Internet[12][13] and prompting the formation of the CERT Coordination
Center[14] and the Phage mailing list.[15] Morris himself became the first person tried and convicted
under the 1986 Computer Fraud and Abuse Act.[16]
Trojan horse (computing)
Beast, a Windows-based backdoor Trojan horse
A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the user
before it is run or installed, but instead facilitates unauthorized access to the user's computer system. "It
is a harmful piece of software that looks legitimate. Users are typically tricked into loading and
executing it on their systems", as Cisco describes.[1] The term is derived from the Trojan Horse
story in Greek mythology.
[edit] Purpose and operation
[edit] Adware
A Trojan horse may modify the user's computer to display advertisements in undesirable places, such as
the desktop or in uncontrollable pop-ups, or it may be less conspicuous, such as installing a toolbar
on to the user's Web browser without prior notice. This can create revenue for the author of the
Trojan, despite it being against the Terms of Service of most major Internet advertising
networks, such as Google AdSense.[2]
[edit] Security
Trojan horses may allow a hacker remote access to a target computer system. Once a Trojan
horse has been installed on a target computer system, a hacker may have access to the computer
remotely and perform various operations, limited by user privileges on the target computer
system and the design of the Trojan horse.
Operations that could be performed by a hacker on a target computer system include:
Use of the machine as part of a botnet (e.g. to perform automated spamming or to
distribute Denial-of-service attacks)
Data theft (e.g. retrieving passwords or credit card information)
Installation of software, including third-party malware
Downloading or uploading of files on the user's computer
Modification or deletion of files
Keystroke logging
Watching the user's screen
Crashing the computer
Trojan horses in this way require interaction with a hacker to fulfill their purpose, though the
hacker need not be the individual responsible for distributing the Trojan horse. It is possible for
individual hackers to scan computers on a network using a port scanner in the hope of finding
one with a malicious Trojan horse installed, which the hacker can then use to control the target
computer.[3]
[edit] Installation and distribution
Trojan horses can be installed through the following methods:
Software downloads
Bundling (e.g. a Trojan horse included as part of a software application downloaded from
a file sharing network)
Email attachments
Websites containing executable content (e.g., a Trojan horse in the form of an ActiveX
control)[4]
Application exploits (e.g., flaws in a Web browser, media player, instant-messaging
client, or other software that can be exploited to allow installation of a Trojan horse)
Some users, particularly those in the warez scene, may create and distribute software with or
without knowing that a Trojan has been embedded inside it. Compilers and other build tools can
themselves be modified to attach malicious code when the author compiles his source code to
executable form.
[edit] Self-replication
A Trojan horse may itself be a computer virus, either by asking other users on a network, such as
an instant-messaging network, to install the software, or by spreading itself through the use of
application exploits.
[edit] Removal
Antivirus software is designed to detect and delete Trojan horses and prevent them from ever
being installed. Although it is possible to remove a Trojan horse manually, it requires a full
understanding of how that particular Trojan horse operates. In addition, if a Trojan horse has
possibly been used by a hacker to access a computer system, it will be difficult to know what
damage has been done and what other problems have been introduced. In situations where the
security of the computer system is critical, it is advisable to simply erase all data from the hard
disk and reinstall the operating system and required software.
[edit] Current use
Due to the popularity of botnets among hackers and the availability of advertising services that
permit authors to violate their users' privacy, Trojan horses are becoming more common.
According to a survey conducted by BitDefender from January to June 2009, "Trojan-type
malware is on the rise, accounting for 83-percent of the global malware detected in the world".
Trojans are also related to worms: a worm's payload can drop a Trojan, which then travels across
the Internet along with the worm.[5]
Spyware
Spyware is a type of malware that can be installed on computers, and which collects small
pieces of information about users without their knowledge. The presence of spyware is typically
hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on
the user's personal computer. Sometimes, however, spyware such as keyloggers is installed by
the owner of a shared, corporate, or public computer on purpose in order to secretly monitor
other users.
While the term spyware suggests software that secretly monitors the user's computing, the
functions of spyware extend well beyond simple monitoring. Spyware programs can collect
various types of personal information, such as Internet surfing habits and sites that have been
visited, but can also interfere with user control of the computer in other ways, such as installing
additional software and redirecting Web browser activity. Spyware is known to change computer
settings, resulting in slow connection speeds, different home pages, and/or loss of Internet
connection or functionality of other programs. In an attempt to increase the understanding of
spyware, a more formal classification of its included software types is provided by the term
privacy-invasive software.
In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware
software. Running anti-spyware software has become a widely recognized element of computer
security practices for computers, especially those running Microsoft Windows. A number of
jurisdictions have passed anti-spyware laws, which usually target any software that is
surreptitiously installed to control a user's computer.
[edit] History and development
The first recorded use of the term spyware occurred on 16 October 1995 in a Usenet post that
poked fun at Microsoft's business model.[1] Spyware at first denoted software meant for
espionage purposes. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the
term in a press release for the ZoneAlarm Personal Firewall.[2] Since then, "spyware" has taken
on its present sense.[2] According to a 2005 study by AOL and the National Cyber-Security
Alliance, 61 percent of surveyed users' computers were infected with some form of spyware. 92
percent of surveyed users with spyware reported that they did not know of its presence, and 91
percent reported that they had not given permission for the installation of the spyware.[3] As of
2006, spyware has become one of the preeminent security threats to computer systems running
Microsoft Windows operating systems. Computers on which Internet Explorer (IE) is the
primary browser are particularly vulnerable to such attacks, not only because IE is the most
widely-used,[4] but because its tight integration with Windows allows spyware access to crucial
parts of the operating system.[4][5]
Before Internet Explorer 6 SP2 was released as part of Windows XP Service Pack 2, the browser
would automatically display an installation window for any ActiveX component that a website
wanted to install. The combination of user naivety concerning malware, and the assumption by
Internet Explorer that all ActiveX components are benign, led, in part, to the massive spread of
spyware. Many spyware components also made use of exploits in JavaScript, Internet
Explorer and Windows to install without the user's knowledge or permission.
The Windows Registry contains multiple sections where modification of key values allows
software to be executed automatically when the operating system boots. Spyware can exploit this
design to circumvent attempts at removal. The spyware typically will link itself from each
location in the registry that allows execution. Once running, the spyware will periodically check
if any of these links are removed. If so, they will be automatically restored. This ensures that the
spyware will execute when the operating system is booted, even if some (or most) of the registry
links are removed.
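One way to hunt for the multi-location persistence just described, as an added example (not code from the page): an audit of a Windows .reg export that lists every executable registered under the common autostart keys and reports any executable that appears in more than one location. The .reg contents and the sysupd.exe binary are constructed for the example; the key paths and the Winlogon Shell/Userinit values are real autostart points. Run against a real export (produced with regedit /e or reg export), the same cross-reference surfaces a program that has linked itself from several registry locations.

```python
"""Audit a Windows .reg export for executables registered in several
autostart locations (added example, not code from the page)."""
import re
from collections import defaultdict

# Real autostart keys; under Winlogon only the Shell and Userinit values run
# at logon, so other values there are ignored.
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)}
WINLOGON_VALUES = {"shell", "userinit"}

# Constructed sample export: "sysupd.exe" is an invented program that has
# linked itself from three autostart locations. Backslashes are doubled and
# quotes escaped exactly as regedit writes them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"SysUpdate"="C:\\Windows\\Temp\\sysupd.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Update Service"="C:\\Windows\\Temp\\SYSUPD.EXE /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Temp\\sysupd.exe"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Unrelated]
"Path"="C:\\Windows\\Temp\\sysupd.exe"
'''

_KEY_LINE = re.compile(r"^\[(.+)\]$")
# "name"="value" with .reg escaping (\\ and \") inside either string
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_QUOTED_EXE = re.compile(r'"([^"]*?\.exe)"', re.IGNORECASE)
_BARE_EXE = re.compile(r'[^\s,"]+?\.exe', re.IGNORECASE)


def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text):
    """Return {key_path: {value_name: string_value}} for REG_SZ values;
    other value types (dword, hex) are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_LINE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = _VALUE_LINE.match(line)
        if value and current is not None:
            keys[current][_unescape(value.group(1))] = _unescape(value.group(2))
    return keys


def executables_in(command_line):
    """Lower-cased .exe paths in a command line: quoted paths first (they may
    contain spaces), then bare tokens, which Userinit separates with commas."""
    exes = _QUOTED_EXE.findall(command_line)
    exes += _BARE_EXE.findall(_QUOTED_EXE.sub(" ", command_line))
    return [e.lower() for e in exes]


def autostart_entries(text):
    """Return [(key, value_name, executable)] for every autostart value."""
    entries = []
    for key, values in parse_reg(text).items():
        if key.lower() not in AUTOSTART_KEYS:
            continue
        for name, command in values.items():
            if key.lower().endswith("\\winlogon") and name.lower() not in WINLOGON_VALUES:
                continue
            for exe in executables_in(command):
                entries.append((key, name, exe))
    return entries


def multi_location_executables(text, min_locations=2):
    """Executables registered under at least `min_locations` autostart keys."""
    locations = defaultdict(set)
    for key, _name, exe in autostart_entries(text):
        locations[exe].add(key)
    return {exe: sorted(keys) for exe, keys in locations.items()
            if len(keys) >= min_locations}


if __name__ == "__main__":
    for exe, keys in multi_location_executables(SAMPLE_REG).items():
        print(f"{exe} is registered in {len(keys)} autostart locations:")
        for key in keys:
            print("   ", key)
```

Removing one Run value of such a program achieves nothing while the other copies still launch it, which is exactly the restoration loop the paragraph above describes; the audit tells the responder every location that has to go in one pass, ideally with the process stopped first.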
[edit] Comparison
[edit] Spyware, adware and tracking
The term adware frequently refers to any software which displays advertisements, whether or not
the user has consented. Programs such as the Eudora mail client display advertisements as an
alternative to shareware registration fees. These may be classified as "adware", in the sense of
advertising-supported software, but not as spyware. Adware in this form does not operate
surreptitiously or mislead the user, and provides the user with a specific service.
Most adware is spyware in a different sense than "advertising-supported software": it displays
advertisements related to what it finds from spying on users. Gator Software from Claria
Corporation (formerly GATOR) and Exact Advertising's BargainBuddy are examples. Visited
Web sites frequently install Gator on client machines in a surreptitious manner, and it directs
revenue to the installing site and to Claria by displaying advertisements to the user. The user is
shown many pop-up advertisements.
Other spyware behavior, such as reporting on websites the user visits, occurs in the background.
The data is used for "targeted" advertisement impressions. The prevalence of spyware has cast
suspicion on other programs that track Web browsing, even for statistical or research purposes.
Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by
Amazon.com, as spyware, and some anti-spyware programs such as Ad-Aware report it as such.
Many of these adware-distributing companies are backed by millions of dollars of adware-generated
revenue. Adware and spyware are similar to viruses in that they can be considered malicious in
nature. People are profiting from misleading adware, sometimes known as scareware, such as
Antivirus 2009.
Similarly, software bundled with free, advertising-supported programs such as P2P clients acts as
spyware (and, if removed, disables the 'parent' program), yet people are willing to download it.
This presents a dilemma for proprietors of anti-spyware products whose removal tools may
inadvertently disable wanted programs. For example, WhenUSave is ignored by the popular
anti-spyware program Ad-Aware (but removed as spyware by most scanners) because it is part of the
popular (but recently decommissioned) eDonkey client.[6] To address this dilemma, the
Anti-Spyware Coalition was formed to establish and document best practices regarding acceptable
software behavior.
[edit] Spyware, viruses and worms
Unlike viruses and worms, spyware does not usually self-replicate. Like many recent viruses,
however, spyware—by design—exploits infected computers for commercial gain. Typical tactics
include delivery of unsolicited pop-up advertisements, theft of personal information (including
financial information such as credit card numbers), monitoring of Web-browsing activity for
marketing purposes, and routing of HTTP requests to advertising sites.
However, spyware can be dropped as a payload by a worm.
[edit] Routes of infection
Malicious websites attempt to install spyware on readers' computers.
Spyware does not directly spread in the manner of a computer virus or worm: generally, an
infected system does not attempt to transmit the infection to other computers. Instead, spyware
gets on a system through deception of the user or through exploitation of software
vulnerabilities.
Most spyware is installed without users' knowledge. Since they tend not to install software if
they know that it will disrupt their working environment and compromise their privacy, spyware
deceives users, either by piggybacking on a piece of desirable software such as Kazaa, or by
tricking them into installing it (the Trojan horse method). Some "rogue" spyware programs
masquerade as security software.
The distributor of spyware usually presents the program as a useful utility—for instance as a
"Web accelerator" or as a helpful software agent. Users download and install the software
without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a program
bundled with spyware[7] and targeted at children, claims that:
He will explore the Internet with you as your very own friend and sidekick! He can talk, walk,
joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the
ability to compare prices on the products you love and help you save money! Best of all, he's
FREE![8]
Spyware can also come bundled with other software. The user downloads a program and installs
it, and the installer additionally installs the spyware. Although the desirable software itself may
do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware
authors to bundle spyware with their software. In other cases, spyware authors have repackaged
desirable freeware with installers that slipstream spyware.
Some spyware authors infect a system through security holes in the Web browser or in other
software. When the user navigates to a Web page controlled by the spyware author, the page
contains code that attacks the browser and forces the download and installation of spyware.
This has become known as a "drive-by download", which leaves the user a hapless bystander to
the attack. The spyware author typically also has extensive knowledge of commercially available
anti-virus and firewall software. Common browser exploits target security vulnerabilities in
Internet Explorer and in the Sun Microsystems Java runtime.
The installation of spyware frequently involves Internet Explorer. Its popularity and history of
security issues have made it the most frequent target. Its deep integration with the Windows
environment and scriptability make it an obvious point of attack into Windows. Internet Explorer
also serves as a point of attachment for spyware in the form of Browser Helper Objects, which
modify the browser's behavior to add toolbars or to redirect traffic.
In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot
worm to install spyware that put pornographic pop-ups on the infected system's screen.[9] By
directing traffic to ads set up to channel funds to the spyware authors, they profit personally.
[edit] Effects and behaviors
A spyware program is rarely alone on a computer: an affected machine usually has multiple
infections. Users frequently notice unwanted behavior and degradation of system performance. A
spyware infestation can create significant unwanted CPU activity, disk usage, and network
traffic. Stability issues, such as applications freezing, failure to boot, and system-wide crashes,
are also common. Spyware, which interferes with networking software, commonly causes
difficulty connecting to the Internet.
In some infections, the spyware is not even evident. Users assume in those situations that the
performance issues relate to faulty hardware, Windows installation problems, or another
infection. Some owners of badly infected systems resort to contacting technical support experts,
or even buying a new computer because the existing system "has become too slow". Badly
infected systems may require a clean reinstallation of all their software in order to return to full
functionality.
Only rarely does a single piece of software render a computer unusable. Rather, a computer is
likely to have multiple infections. The cumulative effect, and the interactions between spyware
components, causes the symptoms commonly reported by users: a computer, which slows to a
crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of
spyware disable software firewalls and anti-virus software, and/or reduce browser security
settings, thus opening the system to further opportunistic infections, much like an immune
deficiency disease. Some spyware disables or even removes competing spyware programs, on
the grounds that more spyware-related annoyances make it even more likely that users will take
action to remove the programs. One spyware maker, Avenue Media, even sued a competitor,
Direct Revenue, over this; the two later settled with an agreement not to disable each others'
products.[10]
Some other types of spyware use rootkit-like techniques to prevent detection, and thus removal.
Targetsoft, for instance, modifies the "Winsock" Windows Sockets files; deleting the
spyware-infected file "inetadpt.dll" then breaks normal networking.
A typical Windows user has administrative privileges, mostly for convenience. Because of this,
any program the user runs (intentionally or not) has unrestricted access to the system. As with
other operating systems, Windows users too are able to follow the principle of least privilege and
use non-administrator least user access accounts, or to reduce the privileges of specific
vulnerable Internet-facing processes such as Internet Explorer (through the use of tools such as
DropMyRights). However, as this is not a default configuration, few users do this.
In Windows Vista, by default, a computer administrator runs everything under limited user
privileges. When a program requires administrative privileges, Vista will prompt the user with an
allow/deny pop-up (see User Account Control). This improves on the design used by previous
versions of Windows.
[edit] Advertisements
Many spyware programs display advertisements. Some programs simply display pop-up ads on a
regular basis; for instance, one every several minutes, or one when the user opens a new browser
window. Others display ads in response to the user visiting specific sites. Spyware operators
present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed
when the user visits a particular site. It is also one of the purposes for which spyware programs
gather information on user behavior.
Many users complain about irritating or offensive advertisements as well. As with many banner
ads, spyware advertisements often use animation or flickering banners, which can be visually
distracting and annoying to users. Pop-up ads for pornography often display indiscriminately.
Links to these sites may be added to the browser window, history or search function. When
children are the users, this could possibly violate anti-pornography laws in some jurisdictions.
A number of spyware programs cross into outright illegality; variations of "Zlob.Trojan"
and "Trojan-Downloader.Win32.INService" have been known to show undesirable child
pornography, key gens, cracks and illegal software pop-up ads, which violate child pornography
and copyright laws.[11][12][13][14]
A further issue in the case of some spyware programs concerns the replacement of banner ads on
viewed web sites. Spyware that acts as a web proxy or a Browser Helper Object can replace
references to a site's own advertisements (which fund the site) with advertisements that instead
fund the spyware operator. This cuts into the margins of advertising-funded Web sites.
[edit] "Stealware" and affiliate fraud
A few spyware vendors, notably 180 Solutions, have written what the New York Times has
dubbed "stealware", and what spyware researcher Ben Edelman terms affiliate fraud, a form of
click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate
affiliate to the spyware vendor.
Spyware which attacks affiliate networks places the spyware operator's affiliate tag on the user's
activity — replacing any other tag, if there is one. The spyware operator is the only party that
gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue,
networks' reputations are injured, and vendors are harmed by having to pay out affiliate revenues
to an "affiliate" who is not party to a contract.[15]
Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a
result, spyware operators such as 180 Solutions have been terminated from affiliate networks
including LinkShare and ShareSale.
[edit] Identity theft and fraud
In one case, spyware has been closely associated with identity theft.[16] In August 2005,
researchers from security software firm Sunbelt Software suspected the creators of the common
CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank
information, etc.";[17] however it turned out that "it actually (was) its own sophisticated criminal
little trojan that's independent of CWS."[18] This case is currently under investigation by the FBI.
The Federal Trade Commission estimates that 27.3 million Americans have been victims of
identity theft, and that financial losses from identity theft totaled nearly $48 billion for
businesses and financial institutions and at least $5 billion in out-of-pocket expenses for
individuals.[19]
Spyware-makers may commit wire fraud with dialer program spyware. These can reset a modem
to dial up a premium-rate telephone number instead of the usual ISP. Connecting to these
suspicious numbers involves long-distance or overseas charges which invariably result in high
call costs. Dialers are ineffective on computers that do not have a modem, or are not connected
to a telephone line, and are now very rare due to the decline in use of dial-up internet access.
[edit] Digital rights management
Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music
Entertainment was found to be using rootkits in its XCP digital rights management technology.[20]
Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most
efforts to remove it could have rendered computers unable to function. Texas Attorney General
Greg Abbott filed suit,[21] and three separate class-action suits were filed.[22] Sony BMG later
provided a workaround on its website to help users remove it.[23]
Beginning on 25 April 2006, Microsoft's Windows Genuine Advantage Notifications
application[24] was installed on most Windows PCs as a "critical security update". While the
main purpose of this deliberately uninstallable application is to ensure the copy of Windows on
the machine was lawfully purchased and installed, it also installs software that has been accused
of "phoning home" on a daily basis, like spyware.[25][26] It can be removed with the
RemoveWGA tool.
Personal relationships
Spyware has been used to surreptitiously monitor electronic activities of partners in intimate
relationships, generally to uncover evidence of infidelity. At least one software package,
Loverspy, was specifically marketed for this purpose. Depending on local laws regarding
communal/marital property, observing a partner's online activity without their consent may be
illegal; the author of Loverspy and several users of the product were indicted in California in
2005 on charges of wiretapping and various computer crimes.[27]
Browser cookies
Anti-spyware programs often report Web advertisers' HTTP cookies, the small text files that
track browsing activity, as spyware. While they are not always inherently malicious, many users
object to third parties using space on their personal computers for their business purposes, and
many anti-spyware programs offer to remove them.[28]
Examples
These common spyware programs illustrate the diversity of behaviors found in these attacks.
Note that as with computer viruses, researchers give names to spyware programs which may not
be used by their creators. Programs may be grouped into "families" based not on shared program
code, but on common behaviors, or by "following the money" of apparent financial or business
connections. For instance, a number of the spyware programs distributed by Claria are
collectively known as "Gator". Likewise, programs that are frequently installed together may be
described as parts of the same spyware package, even if they function separately.

CoolWebSearch, a group of programs, takes advantage of Internet Explorer
vulnerabilities. The package directs traffic to advertisements on Web sites including
coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the
infected computer's hosts file to direct DNS lookups to these sites.[29]

Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to
advertising. When users follow a broken link or enter an erroneous URL, they see a page
of advertisements. However, because password-protected Web sites (HTTP Basic
authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it
impossible for the user to access password-protected sites.[30]

HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX drive-by
download at affiliate Web sites, or by advertisements displayed by other spyware
programs—an example of how spyware can install more spyware. These programs add
toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and
display advertisements.[31][32]

Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service
that has been the subject of thousands of complaints to the Federal Trade Commission
(FTC), the Washington State Attorney General's Office, the Better Business Bureau, and
other agencies. Consumers complained they were held hostage by a cycle of oversized
pop-up windows demanding payment of at least $29.95, claiming that they had signed up
for a three-day free trial but had not cancelled before the trial period was over, and were
thus obligated to pay.[33][34] The FTC filed a complaint, since settled, against Movieland
and eleven other defendants charging them with having "engaged in a nationwide scheme
to use deception and coercion to extract payments from consumers."[35]

MyWebSearch (of Fun Web Products) has a plugin that displays a search toolbar near
the top of a browser window, and it spies to report user search-habits.[36] MyWebSearch
is notable for installing over 210 computer settings, such as over 210 MS Windows
registry keys/values.[37][38] Beyond the browser plugin, it has settings to affect Outlook,
email, HTML, XML, etc. Although tools exist to remove MyWebSearch,[37] it can be
hand-deleted in 1 hour, by users familiar with using Regedit to find and delete
keys/values (named with "MyWebSearch"). After reboot, the browser returns to the prior
display appearance.

WeatherStudio has a plugin that displays a window-panel near the bottom of a browser
window. The official website notes that it is easy to remove (uninstall) WeatherStudio
from a computer, using its own uninstall-program, such as under C:\Program
Files\WeatherStudio.[39] Once WeatherStudio is removed, a browser returns to the prior
display appearance, without the need to modify the browser settings.

Zango (formerly 180 Solutions) transmits detailed information to advertisers about the
Web sites which users visit. It also alters HTTP requests for affiliate advertisements
linked from a Web site, so that the advertisements make unearned profit for the 180
Solutions company. It opens pop-up ads that cover over the Web sites of competing
companies (as seen in the Zango End User License Agreement).[15]

Zlob trojan, or just Zlob, downloads itself to a computer via an ActiveX codec and
reports information back to Control Server[citation needed]. Some information can be the
search-history, the Websites visited, and even keystrokes.[citation needed] More recently, Zlob
has been known to hijack routers set to defaults.[40]
Legal issues
Criminal law
Unauthorized access to a computer is illegal under computer crime laws, such as the U.S.
Computer Fraud and Abuse Act, the U.K.'s Computer Misuse Act, and similar laws in other
countries. Since owners of computers infected with spyware generally claim that they never
authorized the installation, a prima facie reading would suggest that the promulgation of spyware
would count as a criminal act. Law enforcement has often pursued the authors of other malware,
particularly viruses. However, few spyware developers have been prosecuted, and many operate
openly as strictly legitimate businesses, though some have faced lawsuits.[41][42]
Spyware producers argue that, contrary to the users' claims, users do in fact give consent to
installations. Spyware that comes bundled with shareware applications may be described in the
legalese text of an end-user license agreement (EULA). Many users habitually ignore these
purported contracts, but spyware companies such as Claria say these demonstrate that users have
consented.
Despite the ubiquity of EULAs and of "clickwrap" agreements, under which a single click can be
taken as consent to the entire text, relatively little caselaw has resulted from their use. It has been
established in most common law jurisdictions that a clickwrap agreement can be a binding
contract in certain circumstances.[43] This does not, however, mean that every such agreement is
a contract, or that every term in one is enforceable.
Some jurisdictions, including the U.S. states of Iowa[44] and Washington,[45] have passed laws
criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner
or operator of a computer to install software that alters Web-browser settings, monitors
keystrokes, or disables computer-security software.
In the United States, lawmakers introduced a bill in 2005 entitled the Internet Spyware
Prevention Act, which would imprison creators of spyware.[46]
Administrative sanctions
US FTC actions
The US Federal Trade Commission has sued Internet marketing organizations under the
"unfairness doctrine"[47] to make them stop infecting consumers' PCs with spyware. In one case,
that against Seismic Entertainment Productions, the FTC accused the defendants of developing a
program that seized control of PCs nationwide, infected them with spyware and other malicious
software, bombarded them with a barrage of pop-up advertising for Seismic’s clients, exposed
the PCs to security risks, and caused them to malfunction, slow down, and, at times, crash.
Seismic then offered to sell the victims an “antispyware” program to fix the computers, and stop
the popups and other problems that Seismic had caused. On November 21, 2006, a settlement
was entered in federal court under which a $1.75 million judgment was imposed in one case and
$1.86 million in another, but the defendants were insolvent.[48]
In a second case, brought against CyberSpy Software LLC, the FTC charged that CyberSpy
marketed and sold "RemoteSpy" keylogger spyware to clients who would then secretly monitor
unsuspecting consumers’ computers. According to the FTC, Cyberspy touted RemoteSpy as a
“100% undetectable” way to “Spy on Anyone. From Anywhere.” The FTC has obtained a
temporary order prohibiting the defendants from selling the software and disconnecting from the
Internet any of their servers that collect, store, or provide access to information that this software
has gathered. The case is still in its preliminary stages. A complaint filed by the Electronic
Privacy Information Center (EPIC) brought the RemoteSpy software to the FTC’s attention.[49]
Netherlands OPTA
An administrative fine, the first of its kind in Europe, has been issued by the Independent
Authority of Posts and Telecommunications (OPTA) of the Netherlands. It imposed fines totalling
Euro 1,000,000 for infecting 22 million computers. The spyware concerned is
called DollarRevenue. The law articles that have been violated are art. 4.1 of the Decision on
universal service providers and on the interests of end users; the fines have been issued based on
art. 15.4 taken together with art. 15.10 of the Dutch telecommunications law. A part of these
fines has to be paid personally by the directors of these companies, i.e. not from the accounts of
their companies, but from their personal fortunes.[50] Since an appeal has been lodged, the fines
will have to be paid only after a Dutch law court makes a decision in this case. The culprits
maintain that the evidence for violating the two law articles has been obtained illegally. The
names of the directors and the names of the companies have not been revealed, since it is not
clear that OPTA is allowed to make such information public.[51]
Civil law
Former New York State Attorney General and former Governor of New York Eliot Spitzer has
pursued spyware companies for fraudulent installation of software.[52] In a suit brought in 2005
by Spitzer, the California firm Intermix Media, Inc. ended up settling, by agreeing to pay US$7.5
million and to stop distributing spyware.[53]
The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large
Web publishers sued Claria for replacing advertisements, but settled out of court.
Courts have not yet had to decide whether advertisers can be held liable for spyware that displays
their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not
directly do business with the spyware firm. Rather, they have contracted with an advertising
agency, which in turn contracts with an online subcontractor who gets paid by the number of
"impressions" or appearances of the advertisement. Some major firms such as Dell Computer
and Mercedes-Benz have sacked advertising agencies that have run their ads in spyware.[54]
Libel suits by spyware developers
Litigation has gone both ways. Since "spyware" has become a common pejorative, some makers
have filed libel and defamation actions when their products have been so described. In 2003,
Gator (now known as Claria) filed suit against the website PC Pitstop for describing its program
as "spyware".[55] PC Pitstop settled, agreeing not to use the word "spyware", but continues to
describe harm caused by the Gator/Claria software.[56] As a result, other anti-spyware and
anti-virus companies have also used other terms such as "potentially unwanted programs" or
greyware to denote these products.
WebcamGate
Main article: Robbins v. Lower Merion School District
In the 2010 WebcamGate case, plaintiffs charged two suburban Philadelphia high schools
secretly spied on students by surreptitiously and remotely activating webcams embedded in
school-issued laptops the students were using at home, and therefore infringed on their privacy
rights. The school loaded each student's computer with LANrev's remote activation tracking
software. This included the now-discontinued "TheftTrack". While TheftTrack was not enabled
by default on the software, the program allowed the school district to elect to activate it, and to
choose which of the TheftTrack surveillance options the school wanted to enable.[57]
TheftTrack allowed school district employees to secretly remotely activate a tiny webcam
embedded in the student's laptop, above the laptop's screen. That allowed school officials to
secretly take photos through the webcam, of whatever was in front of it and in its line of sight,
and send the photos to the school's server. The LANrev software disabled the webcams for all
other uses (e.g., students were unable to use Photo Booth or video chat), so most students
mistakenly believed their webcams did not work at all. In addition to webcam surveillance,
TheftTrack allowed school officials to take screenshots, and send them to the school's server. In
addition, LANrev allowed school officials to take snapshots of instant messages, web browsing,
music playlists, and written compositions. The schools admitted to secretly snapping over 66,000
webshots and screenshots, including webcam shots of students in their bedrooms.[57][58]
Remedies and prevention
As the spyware threat has worsened, a number of techniques have emerged to counteract it.
These include programs designed to remove or to block spyware, as well as various user
practices which reduce the chance of getting spyware on a system.
Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have
infected a Windows computer, the only remedy may involve backing up user data, and fully
reinstalling the operating system. For instance, some versions of Vundo cannot be completely
removed by Symantec, Microsoft, PC Tools, and others because it uses a rootkit and infects Internet
Explorer and Windows' lsass.exe (Local Security Authority Subsystem Service) with a
randomly named DLL (dynamic link library).
Anti-spyware programs
See also: Category:Spyware removal
Many programmers and some commercial firms have released products dedicated to remove or
block spyware. Steve Gibson's OptOut pioneered a growing category. Programs such as PC
Tools' Spyware Doctor, Lavasoft's Ad-Aware SE (free scans for non-commercial users, must pay
for other features) and Patrick Kolla's Spybot - Search & Destroy (all features free for
non-commercial use) rapidly gained popularity as effective tools to remove, and in some cases
intercept, spyware programs. On December 16, 2004, Microsoft acquired the GIANT
AntiSpyware software,[59] rebranding it as Windows AntiSpyware beta and releasing it as a free
download for Genuine Windows XP and Windows 2003 users. In 2006, Microsoft renamed the
beta software to Windows Defender (free), and it was released as a free download in October
2006 and is included as standard with Windows Vista as well as Windows 7.
Major anti-virus firms such as Symantec, PC Tools, McAfee and Sophos have come later to the
table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms
expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors
against the authors of web sites and programs which described their products as "spyware".
However, recent versions of these major firms' home and business anti-virus products do include
anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for
instance, categorizes spyware programs as "extended threats" and now offers real-time protection
from them (as it does for viruses).
Recently[when?], the anti-virus company Grisoft, creator of AVG Anti-Virus, acquired the
anti-spyware firm Ewido Networks, re-labeling the Ewido anti-spyware program as AVG
Anti-Spyware Professional Edition. AVG also used this product to add an integrated anti-spyware
solution to some versions of the AVG Anti-Virus family of products, and a freeware AVG
Anti-Spyware Free Edition is available for private and non-commercial use. This shows a trend by
anti-virus companies to launch a dedicated solution to spyware and malware. Zone Labs, creator of
the Zone Alarm firewall, has also released an anti-spyware program.
Anti-spyware programs can combat spyware in two ways:
1. They can provide real time protection against the installation of spyware software on the
computer. This type of spyware protection works the same way as that of anti-virus
protection in that the anti-spyware software scans all incoming network data for spyware
software and blocks any threats it comes across.
2. Anti-spyware software programs can be used solely for detection and removal of spyware
software that has already been installed onto the computer. This type of spyware
protection is normally much easier to use and more popular. With this spyware protection
software the user can schedule weekly, daily, or monthly scans of the computer to detect
and remove any spyware software that have been installed on the computer. This type of
anti-spyware software scans the contents of the windows registry, operating system files,
and installed programs on the computer and will provide a list of any threats found,
allowing the user to choose what to delete and what to keep.
Such programs inspect the contents of the Windows registry, the operating system files, and
installed programs, and remove files and entries which match a list of known spyware
components. Real-time protection from spyware works identically to real-time anti-virus
protection: the software scans disk files at download time, and blocks the activity of components
known to represent spyware. In some cases, it may also intercept attempts to install start-up
items or to modify browser settings. Because much spyware and adware is installed as a result
of browser exploits or user error, using security software (some of which is anti-spyware, though
much of it is not) to sandbox browsers can also help restrict any damage done.
Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool
Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation
of ActiveX-based and other spyware programs.
Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated
database of threats. As new spyware programs are released, anti-spyware developers discover
and evaluate them, making "signatures" or "definitions" which allow the software to detect and
remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular
source of updates. Some vendors provide a subscription-based update service, while others
provide updates free. Updates may be installed automatically on a schedule or before doing a
scan, or may be done manually.
Not all programs rely on updated definitions. Some programs rely partly (for instance many
antispyware programs such as Windows Defender, Spybot's TeaTimer and Spysweeper) or fully
(programs falling under the class of HIPS such as BillP's WinPatrol) on historical observation.
They watch certain configuration parameters (such as certain portions of the Windows registry or
browser configuration) and report any change to the user, without judgment or recommendation.
While they do not rely on updated definitions, which may allow them to spot newer spyware,
they can offer no guidance. The user is left to determine "what did I just do, and is this
configuration change appropriate?"
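The two approaches described above, definition matching and historical observation of configuration state, side by side as an added example (not code from any of the products named on this page). The snapshots, the registry-style keys, the file paths and the definition patterns are all constructed for illustration; the point is that change monitoring flags every difference, but only a definition tells the user what a change is.

```python
"""Definition-based scan versus configuration-change monitoring.

Added example. Snapshots are constructed dictionaries standing in for the
autostart entries and browser settings an anti-spyware tool would record;
no real registry is read.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, str]


@dataclass
class Change:
    key: str
    kind: str                   # "added", "removed" or "changed"
    old: Optional[str]
    new: Optional[str]
    match: Optional[str] = None  # definition name if one matched, else None


# Constructed definitions: lowercase substrings that identify a known family.
# Real products ship far larger, frequently updated databases.
DEFINITIONS: Dict[str, Tuple[str, ...]] = {
    "HuntBar": ("huntbar", "htbar.exe"),
    "CoolWebSearch": ("coolwebsearch",),
}

# Constructed baseline taken on a clean machine (illustrative keys and paths).
BASELINE: Snapshot = {
    r"Run\Sidebar": r"C:\Program Files\Windows Sidebar\sidebar.exe /autoRun",
    r"Run\Updater": r"C:\Program Files\Example Vendor\updater.exe",
    r"IE\StartPage": "https://www.example.org/",
    r"IE\SearchURL": "https://search.example.org/?q=",
}

# Constructed later snapshot: one entry gone, two added, one browser setting changed.
CURRENT: Snapshot = {
    r"Run\Sidebar": r"C:\Program Files\Windows Sidebar\sidebar.exe /autoRun",
    r"Run\htbar": r"C:\Program Files\HuntBar\htbar.exe",
    r"IE\StartPage": "http://coolwebsearch.example/",
    r"IE\SearchURL": "https://search.example.org/?q=",
    r"BHO\{constructed-clsid}": r"C:\Windows\System32\xy12ab.dll",
}


def signature_scan(snapshot: Snapshot, definitions=DEFINITIONS) -> Dict[str, str]:
    """Return {key: definition name} for every entry whose key or value
    contains a known pattern. Catches only what the definitions describe."""
    hits: Dict[str, str] = {}
    for key, value in snapshot.items():
        haystack = f"{key} {value}".lower()
        for name, patterns in definitions.items():
            if any(p in haystack for p in patterns):
                hits[key] = name
                break
    return hits


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Change]:
    """Historical observation: report every difference, with no judgment."""
    changes: List[Change] = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "changed"
        changes.append(Change(key, kind, old, new))
    return changes


def annotate(changes: List[Change], current: Snapshot, definitions=DEFINITIONS) -> List[Change]:
    """Attach a definition name to each change where one matches; the rest
    are exactly the 'what did I just do?' cases left to the user."""
    hits = signature_scan(current, definitions)
    for change in changes:
        change.match = hits.get(change.key)
    return changes


def needs_user_review(changes: List[Change]) -> List[Change]:
    """Changes no definition explains: additions or edits, not removals."""
    return [c for c in changes if c.match is None and c.kind != "removed"]


def report(changes: List[Change]) -> List[str]:
    lines = []
    for c in changes:
        label = c.match or "unknown (review)"
        lines.append(f"{c.kind:<8} {c.key:<28} {label}")
    return lines


if __name__ == "__main__":
    found = annotate(diff_snapshots(BASELINE, CURRENT), CURRENT)
    print("\n".join(report(found)))
```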
Windows Defender's SpyNet attempts to alleviate this through offering a community to share
information, which helps guide both users, who can look at decisions made by others, and
analysts, who can spot fast-spreading spyware. A popular generic spyware removal tool used by
those with a certain degree of expertise is HijackThis, which scans certain areas of the Windows
OS where spyware often resides and presents a list with items to delete manually. As most of the
items are legitimate windows files/registry entries it is advised for those who are less
knowledgeable on this subject to post a HijackThis log on the numerous antispyware sites and let
the experts decide what to delete.
If a spyware program is not blocked and manages to get itself installed, it may resist attempts to
terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the
user) terminates one running process, the other one respawns the killed program. Likewise, some
spyware will detect attempts to remove registry keys and immediately add them again. Usually,
booting the infected computer in safe mode allows an anti-spyware program a better chance of
removing persistent spyware. Killing the process tree may also work.
A new breed of spyware (Look2Me spyware by NicTechNetworks is a good example) hides
inside system-critical processes and starts up even in safe mode (see rootkit). With no process to
terminate they are harder to detect and remove. Sometimes they do not even leave any on-disk
signatures. Rootkit technology is also seeing increasing use,[60] as is the use of NTFS alternate
data streams. Newer spyware programs also have specific countermeasures against well known
anti-malware products and may prevent them from running or being installed, or even uninstall
them. An example of one that uses all three methods is Gromozon, a new breed of malware. It
uses alternate data streams to hide. A rootkit hides it even from alternate data streams scanners
and actively stops popular rootkit scanners from running.
Security practices
To detect spyware, computer users have found several practices useful in addition to installing
anti-spyware programs.
Many system operators install a web browser other than IE, such as Opera, Google Chrome or
Mozilla Firefox. Though no browser is completely safe, Internet Explorer is at a greater risk for
spyware infection due to its large user base as well as vulnerabilities such as ActiveX.
Some ISPs—particularly colleges and universities—have taken a different approach to blocking
spyware: they use their network firewalls and web proxies to block access to Web sites known to
install spyware. On March 31, 2005, Cornell University's Information Technology department
released a report detailing the behavior of one particular piece of proxy-based spyware,
Marketscore, and the steps the university took to intercept it.[61] Many other educational
institutions have taken similar steps. Spyware programs which redirect network traffic cause
greater technical-support problems than programs which merely display ads or monitor users'
behavior, and so may more readily attract institutional attention.[citation needed]
Some users install a large hosts file which prevents the user's computer from connecting to
known spyware-related web addresses. However, by connecting to the numeric IP address, rather
than the domain name, spyware may bypass this sort of protection.
Spyware may get installed via certain shareware programs offered for download. Downloading
programs only from reputable sources can provide some protection from this source of attack.
Recently, CNet revamped its download directory: it has stated that it will only keep files that
pass inspection by Ad-Aware and Spyware Doctor.[citation needed]
The first step to removing spyware is to put a computer on "lockdown". This can be done in
various ways, such as using anti-virus software or simply disconnecting the computer from the
internet. Disconnecting the internet prevents controllers of the spyware from being able to
remotely control or access the computer. The second step to removing the spyware is to locate it
and remove it, manually or through use of credible anti-spyware software. During and after
lockdown, potentially threatening websites should be avoided.
Programs distributed with spyware
Bonzi Buddy[62]
Dope Wars[63]
EDonkey2000[64]
Grokster[65]
Kazaa[66]
Morpheus[64]
RadLight[67]
Sony's Extended Copy Protection involved the installation of spyware from audio
compact discs through autorun. This practice sparked considerable controversy when it
was discovered.
WeatherBug[68]

WildTangent[69] The antispyware program Counterspy used to say that it's okay to keep
WildTangent, but it now says that the spyware Winpipe is "possibly distributed with the
adware bundler WildTangent or from a threat included in that bundler".[70]
Programs formerly distributed with spyware
AOL Instant Messenger[69] (AOL Instant Messenger still packages Viewpoint Media
Player, and WildTangent)
DivX (except for the paid version, and the "standard" version without the encoder). DivX
announced removal of GAIN software from version 5.2.[71]
FlashGet (trial version prior to program being made freeware)[72][73][74][75][76][77]
magicJack[78]
Rogue anti-spyware programs
See also: List of fake anti-spyware programs
See also: Rogue software
Malicious programmers have released a large number of rogue (fake) anti-spyware programs,
and widely distributed Web banner ads now spuriously warn users that their computers have
been infected with spyware, directing them to purchase programs which do not actually remove
spyware—or else, may add more spyware of their own.[79][80]
The recent proliferation of fake or spoofed antivirus products has occasioned some concern.
Such products often bill themselves as antispyware, antivirus, or registry cleaners, and
sometimes feature popups prompting users to install them. This software is called rogue
software.
It is recommended that users do not install any freeware claiming to be anti-spyware unless it is
verified to be legitimate. Some known offenders include:
AntiVirus 360
Antivirus 2008
Antivirus 2009
AntiVirus Gold
ContraVirus
MacSweeper
Pest Trap
PSGuard
Spy Wiper
Spydawn
Spylocked
Spysheriff
SpyShredder
Spyware Quake
SpywareStrike
UltimateCleaner
WinAntiVirus Pro 2006
Windows Police Pro
WinFixer[81]
WorldAntiSpy
Fake antivirus products constitute 15 percent of all malware.[82]
On January 26, 2006, Microsoft and the Washington state attorney general filed suit against
Secure Computer for its Spyware Cleaner product.[83] On December 4, 2006, the Washington
attorney general announced that Secure Computer had paid $1 million to settle with the state. As
of that date, Microsoft's case against Secure Computer remained pending.[84]
Malware
From Wikipedia, the free encyclopedia
Image: Beast, a Windows-based backdoor Trojan horse
Malware, short for malicious software, is software designed to secretly access a computer
system without the owner's informed consent. The expression is a general term used by computer
professionals to mean a variety of forms of hostile, intrusive, or annoying software or program
code.[1]
Software is considered to be malware based on the perceived intent of the creator rather than any
particular features. Malware includes computer viruses, worms, trojan horses, spyware, dishonest
adware, scareware, crimeware, most rootkits, and other malicious and unwanted software or
program. In law, malware is sometimes known as a computer contaminant, for instance in the
legal codes of several U. S. states, including California and West Virginia.[2][3]
Preliminary results from Symantec published in 2008 suggested that "the release rate of
malicious code and other unwanted programs may be exceeding that of legitimate software
applications."[4] According to F-Secure, "As much malware [was] produced in 2007 as in the
previous 20 years altogether."[5] Malware's most common pathway from criminals to users is
through the Internet: primarily by e-mail and the World Wide Web.[6]
The prevalence of malware as a vehicle for organized Internet crime, along with the general
inability of traditional anti-malware protection platforms (products) to protect against the
continuous stream of unique and newly produced malware, has seen the adoption of a new
mindset for businesses operating on the Internet: the acknowledgment that some sizable
percentage of Internet customers will always be infected for some reason or another, and that
they need to continue doing business with infected customers. The result is a greater emphasis on
back-office systems designed to spot fraudulent activities associated with advanced malware
operating on customers' computers.[7]
On March 29, 2010, Symantec Corporation named Shaoxing, China, as the world's malware
capital.[8]
Malware is not the same as defective software, that is, software that has a legitimate purpose but
contains harmful bugs. Sometimes, malware is disguised as genuine software, and may come
from an official site. Therefore, some security programs, such as McAfee, may call malware
"potentially unwanted programs" or "PUP". Though a computer virus is malware that can
reproduce itself, the term is often used erroneously to refer to the entire category. Malware is
sometimes called scumware.
Contents
1 Purposes
2 Infectious malware: viruses and worms
o 2.1 Capsule history of viruses and worms
3 Concealment: Trojan horses, rootkits, and backdoors
o 3.1 Trojan horses
o 3.2 Rootkits
o 3.3 Backdoors
4 Malware for profit: spyware, botnets, keystroke loggers, and dialers
5 Data-stealing malware
o 5.1 Characteristics of data-stealing malware
o 5.2 Examples of data-stealing malware
o 5.3 Data-stealing malware incidents
6 Controversy about assignment to spyware
7 Vulnerability to malware
o 7.1 Eliminating over-privileged code
8 Anti-malware programs
9 Academic research on malware: a brief overview
10 Grayware
11 Web and spam
o 11.1 Wikis and blogs
o 11.2 Targeted SMTP threats
o 11.3 HTTP and FTP
12 See also
13 References
14 External links
Purposes
Many early infectious programs, including the first Internet Worm and a number of MS-DOS
viruses, were written as experiments or pranks. They were generally intended to be harmless or
merely annoying, rather than to cause serious damage to computer systems. In some cases, the
perpetrator did not realize how much harm his or her creations would do. Young programmers
learning about viruses and their techniques wrote them simply for practice, or to see how far they
could spread. As late as 1999, widespread viruses such as the Melissa virus and the David virus
appear to have been written chiefly as pranks. The first mobile phone virus, Cabir, appeared in
2004.
Hostile intent related to vandalism can be found in programs designed to cause harm or data loss.
Many DOS viruses, and the Windows ExploreZip worm, were designed to destroy files on a hard
disk, or to corrupt the file system by writing invalid data to them. Network-borne worms such as
the 2001 Code Red worm or the Ramen worm fall into the same category. Designed to vandalize
web pages, worms may seem like the online equivalent to graffiti tagging, with the author's alias
or affinity group appearing everywhere the worm goes.[citation needed]
Since the rise of widespread broadband Internet access, malicious software has been designed for
profit, for example forced advertising. For instance, since 2003, the majority of widespread
viruses and worms have been designed to take control of users' computers for black-market
exploitation.[9] Infected "zombie computers" are used to send email spam, to host contraband
data such as child pornography [10], or to engage in distributed denial-of-service attacks as a form
of extortion.[11]
Another strictly for-profit category of malware has emerged in spyware -- programs designed to
monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing
revenues to the spyware creator. Spyware programs do not spread like viruses; they are, in
general, installed by exploiting security holes or are packaged with user-installed software, such
as peer-to-peer applications.
[edit] Infectious malware: viruses and worms
Main articles: Computer virus and Computer worm
The best-known types of malware, viruses and worms, are known for the manner in which they
spread, rather than any other particular behavior. The term computer virus is used for a program
that has infected some executable software and that causes that software, when run, to spread the
virus to other executables. Viruses may also contain a payload that performs other actions, often
malicious. A worm, on the other hand, is a program that actively transmits itself over a network
to infect other computers. It too may carry a payload.
These definitions lead to the observation that a virus requires user intervention to spread,
whereas a worm spreads itself automatically. Using this distinction, infections transmitted by
email or Microsoft Word documents, which rely on the recipient opening a file or email to infect
the system, would be classified as viruses rather than worms.
Some writers in the trade and popular press appear to misunderstand this distinction, and use the
terms interchangeably.
[edit] Capsule history of viruses and worms
Before Internet access became widespread, viruses spread on personal computers by infecting
the executable boot sectors of floppy disks. By inserting a copy of itself into the machine code
instructions in these executables, a virus causes itself to be run whenever a program is run or the
disk is booted. Early computer viruses were written for the Apple II and Macintosh, but they
became more widespread with the dominance of the IBM PC and MS-DOS system. Executable-infecting
viruses are dependent on users exchanging software or bootable floppies, so they
spread rapidly in computer hobbyist circles.
The first worms, network-borne infectious programs, originated not on personal computers, but
on multitasking Unix systems. The first well-known worm was the Internet Worm of 1988,
which infected SunOS and VAX BSD systems. Unlike a virus, this worm did not insert itself into
other programs. Instead, it exploited security holes (vulnerabilities) in network server programs
and started itself running as a separate process. This same behaviour is used by today's worms as
well.
With the rise of the Microsoft Windows platform in the 1990s, and the flexible macros of its
applications, it became possible to write infectious code in the macro language of Microsoft
Word and similar programs. These macro viruses infect documents and templates rather than
applications (executables), but rely on the fact that macros in a Word document are a form of
executable code.
Today, worms are most commonly written for the Windows OS, although a few like Mare-D[12]
and the Lion worm[13] are also written for Linux and Unix systems. Worms today work in the
same basic way as 1988's Internet Worm: they scan the network and leverage vulnerable
computers to replicate. Because they need no human intervention, worms can spread with
incredible speed. The SQL Slammer infected thousands of computers in a few minutes.[14]
[edit] Concealment: Trojan horses, rootkits, and backdoors
Main articles: Trojan horse (computing), Rootkit, and Backdoor (computing)
[edit] Trojan horses
For a malicious program to accomplish its goals, it must be able to run without being shut down,
or deleted by the user or administrator of the computer system on which it is running.
Concealment can also help get the malware installed in the first place. When a malicious
program is disguised as something innocuous or desirable, users may be tempted to install it
without knowing what it does. This is the technique of the Trojan horse or trojan.
In broad terms, a Trojan horse is any program that invites the user to run it, concealing a harmful
or malicious payload. The payload may take effect immediately and can lead to many
undesirable effects, such as deleting the user's files or further installing malicious or undesirable
software. Trojan horses known as droppers are used to start off a worm outbreak, by injecting the
worm into users' local networks.
One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a
piece of desirable software that the user downloads from the Internet. When the user installs the
software, the spyware is installed alongside. Spyware authors who attempt to act in a legal
fashion may include an end-user license agreement that states the behavior of the spyware in
loose terms, which the users are unlikely to read or understand.
[edit] Rootkits
Once a malicious program is installed on a system, it is essential that it stays concealed, to avoid
detection and disinfection. The same is true when a human attacker breaks into a computer
directly. Techniques known as rootkits allow this concealment, by modifying the host's operating
system so that the malware is hidden from the user. Rootkits can prevent a malicious process
from being visible in the system's list of processes, or keep its files from being read. Originally, a
rootkit was a set of tools installed by a human attacker on a Unix system, allowing the attacker to
gain administrator (root) access. Today, the term is used more generally for concealment routines
in a malicious program.
Some malicious programs contain routines to defend against removal, not merely to hide
themselves, but to repel attempts to remove them. An early example of this behavior is recorded
in the Jargon File tale of a pair of programs infesting a Xerox CP-V time sharing system:
Each ghost-job would detect the fact that the other had been killed, and would start a new
copy of the recently slain program within a few milliseconds. The only way to kill both
ghosts was to kill them simultaneously (very difficult) or to deliberately crash the
system.[15]
Similar techniques are used by some modern malware, wherein the malware starts a number of
processes that monitor and restore one another as needed. In the event a user running Microsoft
Windows is infected with such malware, if they wish to manually stop it, they could use Task
Manager's 'processes' tab to find the main process (the one that spawned the "resurrector
process(es)"), and use the 'end process tree' function, which would kill not only the main process,
but the "resurrector(s)" as well, since they were started by the main process. Some malware
programs use other techniques, such as naming the infected file similar to a legitimate or trusted
file (expl0rer.exe vs. explorer.exe).
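The two defensive ideas in the paragraph above, ending a whole process tree rather than one process and spotting lookalike image names, can be worked through on a process snapshot. The following is an added example and not code from the article; the process table, the list of legitimate names and the homoglyph map are all constructed for illustration, and the functions are assumed helpers rather than any operating-system API.

```python
"""Added example (not from the article): given a snapshot of a process table,
find the process that spawned a pair of mutually restarting processes, list
every descendant that a kill-by-tree operation would terminate, and flag
image names that imitate a legitimate one."""
from collections import defaultdict

# Constructed process snapshot: (pid, ppid, image name). The "resurrector"
# pair 4040/4041 is spawned by 4000, so ending 4000's tree removes all three.
SAMPLE_PROCESSES = [
    (4, 0, "System"),
    (600, 4, "winlogon.exe"),
    (1200, 600, "explorer.exe"),
    (4000, 1200, "expl0rer.exe"),
    (4040, 4000, "svch0st.exe"),
    (4041, 4000, "svch0st.exe"),
    (2200, 1200, "notepad.exe"),
]

# Names the lookalike check compares against (constructed list).
LEGITIMATE_NAMES = {"explorer.exe", "svchost.exe", "winlogon.exe"}

# Digits commonly substituted for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def build_children(processes):
    """Map each pid to the list of pids it spawned."""
    children = defaultdict(list)
    for pid, ppid, _ in processes:
        children[ppid].append(pid)
    return children


def process_tree(processes, root):
    """Return root plus all of its descendants, in breadth-first order.

    This is the set an 'end process tree' action would terminate."""
    children = build_children(processes)
    order, queue = [], [root]
    while queue:
        pid = queue.pop(0)
        order.append(pid)
        queue.extend(children.get(pid, []))
    return order


def common_ancestor(processes, pids):
    """Lowest process that is an ancestor of (or equal to) every given pid.

    For a set of processes that keep restarting one another, this locates
    the main process that spawned them."""
    parent = {pid: ppid for pid, ppid, _ in processes}

    def lineage(pid):
        chain = []
        while pid in parent:
            chain.append(pid)
            pid = parent[pid]
        return chain

    chains = [lineage(p) for p in pids]
    for candidate in chains[0]:
        if all(candidate in c for c in chains[1:]):
            return candidate
    return None


def lookalike_of(name, legitimate=LEGITIMATE_NAMES):
    """Return the legitimate name this image name imitates, or None."""
    lowered = name.lower()
    if lowered in legitimate:
        return None
    folded = lowered.translate(HOMOGLYPHS)
    return folded if folded in legitimate else None


def suspicious_processes(processes):
    """Map pid -> imitated name for every process with a lookalike image name."""
    found = {}
    for pid, _, name in processes:
        target = lookalike_of(name)
        if target:
            found[pid] = target
    return found


if __name__ == "__main__":
    main = common_ancestor(SAMPLE_PROCESSES, [4040, 4041])
    print("main process:", main)
    print("kill set:", process_tree(SAMPLE_PROCESSES, main))
    print("lookalikes:", suspicious_processes(SAMPLE_PROCESSES))
```

The homoglyph map is deliberately small; a production check would also normalise Unicode confusables and compare against the path the legitimate binary is expected to live in, since a correctly spelled name in the wrong directory is just as suspicious.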
[edit] Backdoors
A backdoor is a method of bypassing normal authentication procedures. Once a system has been
compromised (by one of the above methods, or in some other way), one or more backdoors may
be installed in order to allow easier access in the future. Backdoors may also be installed prior to
malicious software, to allow attackers entry.
The idea has often been suggested that computer manufacturers preinstall backdoors on their
systems to provide technical support for customers, but this has never been reliably verified.
Crackers typically use backdoors to secure remote access to a computer, while attempting to
remain hidden from casual inspection. To install backdoors crackers may use Trojan horses,
worms, or other methods.
[edit] Malware for profit: spyware, botnets, keystroke
loggers, and dialers
Main articles: Spyware, Botnet, Keystroke logging, Web threats, and Dialer
During the 1980s and 1990s, it was usually taken for granted that malicious programs were
created as a form of vandalism or prank. More recently, the greater share of malware programs
have been written with a profit motive (financial or otherwise) in mind. This can be taken as the
malware authors' choice to monetize their control over infected systems: to turn that control into
a source of revenue.
Spyware programs are commercially produced for the purpose of gathering information about
computer users, showing them pop-up ads, or altering web-browser behavior for the financial
benefit of the spyware creator. For instance, some spyware programs redirect search engine
results to paid advertisements. Others, often called "stealware" by the media, overwrite affiliate
marketing codes so that revenue is redirected to the spyware creator rather than the intended
recipient.
Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in
that their creators present themselves openly as businesses, for instance by selling advertising
space on the pop-ups created by the malware. Most such programs present the user with an end-user
license agreement that purportedly protects the creator from prosecution under computer
contaminant laws. However, spyware EULAs have not yet been upheld in court.
Another way that financially motivated malware creators can profit from their infections is to
directly use the infected computers to do work for the creator. The infected computers are used
as proxies to send out spam messages. A computer left in this state is often known as a zombie
computer. The advantage to spammers of using infected computers is they provide anonymity,
protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam
organizations with distributed denial-of-service attacks.
In order to coordinate the activity of many infected computers, attackers have used coordinating
systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat
channel or other chat system. The attacker can then give instructions to all the infected systems
simultaneously. Botnets can also be used to push upgraded malware to the infected systems,
keeping them resistant to antivirus software or other security measures.
It is possible for a malware creator to profit by stealing sensitive information from a victim.
Some malware programs install a key logger, which intercepts the user's keystrokes when
entering a password, credit card number, or other information that may be exploited. This is then
transmitted to the malware creator automatically, enabling credit card fraud and other theft.
Similarly, malware may copy the CD key or password for online games, allowing the creator to
steal accounts or virtual items.
Another way of stealing money from the infected PC owner is to take control of a dial-up
modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate
telephone number such as a U.S. "900 number" and leaves the line open, charging the toll to the
infected user.
[edit] Data-stealing malware
Data-stealing malware is a web threat that divests victims of personal and proprietary
information with the intent of monetizing stolen data through direct use or underground
distribution. Content security threats that fall under this umbrella include keyloggers, screen
scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities such as
spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in file
download or direct installation, as most hybrid attacks do, files that act as agents to proxy
information will fall into the data-stealing malware category.
[edit] Characteristics of data-stealing malware
- Does not leave traces of the event
  o The malware is typically stored in a cache that is routinely flushed
  o The malware may be installed via a drive-by-download process
  o The website hosting the malware as well as the malware is generally temporary or rogue
- Frequently changes and extends its functions
  o It is difficult for antivirus software to detect final payload attributes due to the
    combination(s) of malware components
  o The malware uses multiple file encryption levels
- Thwarts Intrusion Detection Systems (IDS) after successful installation
  o There are no perceivable network anomalies
  o The malware hides in web traffic
  o The malware is stealthier in terms of traffic and resource use
- Thwarts disk encryption
  o Data is stolen during decryption and display
  o The malware can record keystrokes, passwords, and screenshots
- Thwarts Data Loss Prevention (DLP)
  o Leakage protection hinges on metadata tagging, not everything is tagged
  o Miscreants can use encryption to port data
[edit] Examples of data-stealing malware
- Bancos, an info stealer that waits for the user to access banking websites then spoofs
  pages of the bank website to steal sensitive information.
- Gator, spyware that covertly monitors web-surfing habits, uploads data to a server for
  analysis then serves targeted pop-up ads.
- LegMir, spyware that steals personal information such as account names and passwords
  related to online games.
- Qhost, a Trojan that modifies the Hosts file to point to a different DNS server when
  banking sites are accessed then opens a spoofed login page to steal login credentials for
  those financial institutions.
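Because the hosts file is consulted before DNS, a single line in it can silently send a bank's hostname to an attacker-controlled address, which is why Qhost-style tampering is worth checking for. The following is an added example and not code from the article: it parses hosts-file text and flags entries for domains a defender expects never to appear there. The sample hosts content, the `.test` domain names and the watched-domain list are all constructed for illustration.

```python
"""Added example (not from the article): parse hosts-file text and report
entries that pin financial hostnames to an address, which is never legitimate
for those names and is the signature of a Qhost-style redirect."""
import ipaddress

# Constructed hosts-file content: the usual loopback lines, one ad-blocking
# entry, and two entries pointing bank hostnames at an attacker-chosen host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.45      www.examplebank.test
192.0.2.45      online.examplebank.test   # added by malware
127.0.0.1       ads.tracker.test
"""

# Domain suffixes that should never be overridden locally (constructed list).
WATCHED_SUFFIXES = ("examplebank.test", "examplebank.invalid")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed address, skip the line
        for host in fields[1:]:                # one address may carry several names
            yield ip, host.lower()


def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Return (hostname, address) for every watched domain found in the file.

    Any local override of a watched name is reported; the address is kept so
    an analyst can see where traffic would have been sent."""
    hits = []
    for ip, host in parse_hosts(text):
        if host == watched or host.endswith(tuple("." + s for s in watched)) or host in watched:
            hits.append((host, str(ip)))
    return hits


if __name__ == "__main__":
    for host, addr in suspicious_entries(SAMPLE_HOSTS):
        print(f"WARNING: {host} is pinned to {addr} in the hosts file")
```

Reporting every override of a watched name, rather than only those that point off-box, is deliberate: an entry that sends a bank's name to 127.0.0.1 is not a credential theft but still indicates tampering.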
[edit] Data-stealing malware incidents
- Albert Gonzalez (not to be confused with the U.S. Attorney General Alberto Gonzalez) is
  accused of masterminding a ring to use malware to steal and sell more than 170 million
  credit card numbers in 2006 and 2007—the largest computer fraud in history. Among the
  firms targeted were BJ's Wholesale Club, TJX, DSW Shoe, OfficeMax, Barnes & Noble,
  Boston Market, Sports Authority and Forever 21.[16]
- A Trojan horse program stole more than 1.6 million records belonging to several hundred
  thousand people from Monster Worldwide Inc's job search service. The data was used by
  cybercriminals to craft phishing emails targeted at Monster.com users to plant additional
  malware on users' PCs.[17]
- Customers of Hannaford Bros. Co, a supermarket chain based in Maine, were victims of
  a data security breach involving the potential compromise of 4.2 million debit and credit
  cards. The company was hit by several class-action lawsuits.[18]
- The Torpig Trojan has compromised and stolen login credentials from approximately
  250,000 online bank accounts as well as a similar number of credit and debit cards. Other
  information, such as email and FTP accounts from numerous websites, has also been
  compromised and stolen.[19]
[edit] Controversy about assignment to spyware
There is a group of software (Alexa toolbar, Google toolbar, Eclipse data usage collector, etc.)
that sends to a central server data on which pages have been visited or which features of the
software have been used. However, differently from "classic" malware, these tools document their
activities and only send data with the user's approval. The user may opt in to share the data in
exchange for additional features and services, or (in the case of Eclipse) as a form of voluntary
support for the project. Some security tools report such loggers as malware while others do not.
The status of the group is questionable. Some tools like PDFCreator are more on the boundary
than others because opting out has been made more complex than it could be (during the
installation, the user needs to uncheck two check boxes rather than one). However, even
PDFCreator is only sometimes mentioned as malware and is still a subject of discussion.
[edit] Vulnerability to malware
Main article: Vulnerability (computing)
In this context, as throughout, it should be borne in mind that the “system” under attack may be
of various types, e.g. a single computer and operating system, a network or an application.
Various factors make a system more vulnerable to malware:
- Homogeneity: e.g. when all computers in a network run the same OS, upon exploiting
  one, one can exploit them all.
- Weight of numbers: simply because the vast majority of existing malware is written to
  attack Windows systems, then Windows systems, ipso facto, are more vulnerable to
  succumbing to malware (regardless of the security strengths or weaknesses of Windows
  itself).
- Defects: malware leveraging defects in the OS design.
- Unconfirmed code: code from a floppy disk, CD-ROM or USB device may be executed
  without the user's agreement.
- Over-privileged users: some systems allow all users to modify their internal structures.
- Over-privileged code: some systems allow code executed by a user to access all rights of
  that user.
An oft-cited cause of vulnerability of networks is homogeneity or software monoculture.[20] For
example, Microsoft Windows or Apple Mac have such a large share of the market that
concentrating on either could enable a cracker to subvert a large number of systems, but any total
monoculture is a problem. Introducing inhomogeneity (diversity) purely for the sake of
robustness could increase short-term costs for training and maintenance. However, having a few
diverse nodes would deter total shutdown of the network, and allow those nodes to help with
recovery of the infected nodes. Such separate, functional redundancy would avoid the cost of a
total shutdown and would avoid the "all eggs in one basket" problem of homogeneity.
Most systems contain bugs, or loopholes, which may be exploited by malware. A typical
example is the buffer-overrun weakness, in which an interface designed to store data, in a small
area of memory, allows the caller to supply more data than will fit. This extra data then
overwrites the interface's own executable structure (past the end of the buffer and other data). In
this manner, malware can force the system to execute malicious code, by replacing legitimate
code with its own payload of instructions (or data values) copied into live memory, outside the
buffer area.
Originally, PCs had to be booted from floppy disks, and until recently it was common for this to
be the default boot device. This meant that a corrupt floppy disk could subvert the computer
during booting, and the same applies to CDs. Although that is now less common, it is still
possible to forget that one has changed the default, and rare that a BIOS makes one confirm a
boot from removable media.
In some systems, non-administrator users are over-privileged by design, in the sense that they are
allowed to modify internal structures of the system. In some environments, users are over-privileged
because they have been inappropriately granted administrator or equivalent status.
This is primarily a configuration decision, but on Microsoft Windows systems the default
configuration is to over-privilege the user. This situation exists due to decisions made by
Microsoft to prioritize compatibility with older systems above security configuration in newer
systems[citation needed] and because typical applications were developed without under-privileged
users in mind. As privilege escalation exploits have increased, this priority is shifting
for the release of Microsoft Windows Vista. As a result, many existing applications that require
excess privilege (over-privileged code) may have compatibility problems with Vista. However,
Vista's User Account Control feature attempts to remedy applications not designed for under-privileged
users, acting as a crutch to resolve the privileged access problem inherent in legacy
applications.
Malware, running as over-privileged code, can use this privilege to subvert the system. Almost
all currently popular operating systems, and also many scripting applications allow code too
many privileges, usually in the sense that when a user executes code, the system allows that code
all rights of that user. This makes users vulnerable to malware in the form of e-mail attachments,
which may or may not be disguised.
Given this state of affairs, users are warned only to open attachments they trust, and to be wary
of code received from untrusted sources. It is also common for operating systems to be designed
so that device drivers need escalated privileges, while they are supplied by more and more
hardware manufacturers.
[edit] Eliminating over-privileged code
Over-privileged code dates from the time when most programs were either delivered with a
computer or written in-house, and repairing it would at a stroke render most antivirus software
almost redundant. It would, however, have appreciable consequences for the user interface and
system management.
The system would have to maintain privilege profiles, and know which to apply for each user
and program. In the case of newly installed software, an administrator would need to set up
default profiles for the new code.
Eliminating vulnerability to rogue device drivers is probably harder than for arbitrary rogue
executables. Two techniques, used in VMS, that can help are memory mapping only the registers
of the device in question and a system interface associating the driver with interrupts from the
device.
Other approaches are:
- Various forms of virtualization, allowing the code unlimited access only to virtual
  resources
- Various forms of sandbox or jail
- The security functions of Java, in java.security
Such approaches, however, if not fully integrated with the operating system, would reduplicate
effort and not be universally applied, both of which would be detrimental to security.
[edit] Anti-malware programs
Main article: Antivirus software
As malware attacks become more frequent, attention has begun to shift from viruses and spyware
protection, to malware protection, and programs have been developed to specifically combat
them.
Anti-malware programs can combat malware in two ways:
1. They can provide real time protection against the installation of malware software on a
computer. This type of spyware protection works the same way as that of antivirus
protection in that the anti-malware software scans all incoming network data for malware
software and blocks any threats it comes across.
2. Anti-malware software programs can be used solely for detection and removal of
malware software that has already been installed onto a computer. This type of malware
protection is normally much easier to use and more popular.[citation needed] This type of anti-malware
software scans the contents of the Windows registry, operating system files, and
installed programs on a computer and will provide a list of any threats found, allowing
the user to choose which files to delete or keep, or to compare this list to a list of known
malware components, removing files that match.
Real-time protection from malware works identically to real-time antivirus protection: the
software scans disk files at download time, and blocks the activity of components known to
represent malware. In some cases, it may also intercept attempts to install start-up items or to
modify browser settings. Because many malware components are installed as a result of browser
exploits or user error, using security software (some of which are anti-malware, though many are
not) to "sandbox" browsers (essentially babysit the user and their browser) can also be effective
in helping to restrict any damage done.
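The on-demand mode described in point 2, an inventory of what is on disk compared against a list of known malware components, is in its simplest form a hash lookup. The following is an added example and not code from the article or any anti-malware product: it walks a directory, hashes each regular file with SHA-256 and reports those whose digest appears in a known-bad set. The directory tree, the file contents and the "known bad" digest are all constructed inside the example so it runs offline.

```python
"""Added example (not from the article): inventory the files under a
directory, hash each one and report those matching a list of known malware
component hashes. Everything scanned here is constructed in a temp dir."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Map every regular file under root (path relative to root, with '/'
    separators) to its SHA-256 hex digest. Symlinks are skipped so a scan
    cannot be steered outside the tree."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def matches(inv, known_bad):
    """Sorted list of inventoried paths whose digest is in the known-bad set."""
    return sorted(path for path, digest in inv.items() if digest in known_bad)


def demo():
    """Build a throwaway tree with one file matching the known-bad list, scan
    it, and return the list of matches. The payload bytes are a harmless
    constructed string, not real malware."""
    bad_bytes = b"constructed sample payload, not real malware\n"
    known_bad = {hashlib.sha256(bad_bytes).hexdigest()}   # constructed IoC
    with tempfile.TemporaryDirectory() as root:
        tool_dir = os.path.join(root, "Program Files", "Tool")
        os.makedirs(tool_dir)
        with open(os.path.join(tool_dir, "readme.txt"), "wb") as f:
            f.write(b"harmless\n")
        with open(os.path.join(tool_dir, "helper.dll"), "wb") as f:
            f.write(bad_bytes)
        return matches(inventory(root), known_bad)


if __name__ == "__main__":
    for path in demo():
        print("known malware component:", path)
```

Exact-hash matching is the weakest form of the comparison the article describes: any change to the file, including the "multiple file encryption levels" listed earlier among data-stealing malware characteristics, produces a new digest. Real scanners add fuzzy hashes, signatures over code sections and behavioural rules on top of this lookup.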
[edit] Academic research on malware: a brief overview
The notion of a self-reproducing computer program can be traced back to when John von Neumann
presented lectures that encompassed the theory and organization of complicated automata.[21] Neumann
showed that in theory a program could reproduce itself. This constituted a plausibility result in
computability theory. Fred Cohen experimented with computer viruses and confirmed
Neumann's postulate. He also investigated other properties of malware (detectability, self-obfuscating
programs that used rudimentary encryption that he called "evolutionary", and so on).
His 1988 doctoral dissertation was on the subject of computer viruses.[22] Cohen's faculty
advisor, Leonard Adleman (the A in RSA) presented a rigorous proof that, in the general case,
algorithmically determining whether a virus is or is not present is Turing undecidable.[23] This
problem must not be mistaken for that of determining, within a broad class of programs, that a
virus is not present; this problem differs in that it does not require the ability to recognize all
viruses. Adleman's proof is perhaps the deepest result in malware computability theory to date
and it relies on Cantor's diagonal argument as well as the halting problem. Ironically, it was later
shown by Young and Yung that Adleman's work in cryptography is ideal in constructing a virus
that is highly resistant to reverse-engineering by presenting the notion of a cryptovirus.[24] A
cryptovirus is a virus that contains and uses a public key and randomly generated symmetric
cipher initialization vector (IV) and session key (SK). In the cryptoviral extortion attack, the
virus hybrid encrypts plaintext data on the victim's machine using the randomly generated IV
and SK. The IV+SK are then encrypted using the virus writer's public key. In theory the victim
must negotiate with the virus writer to get the IV+SK back in order to decrypt the ciphertext
(assuming there are no backups). Analysis of the virus reveals the public key, not the IV and SK
needed for decryption, or the private key needed to recover the IV and SK. This result was the
first to show that computational complexity theory can be used to devise malware that is robust
against reverse-engineering.
Another growing area of computer virus research is to mathematically model the infection
behavior of worms using models such as the Lotka–Volterra equations, which have been applied in
the study of biological viruses. Various virus propagation scenarios have been studied by
researchers, such as the propagation of computer viruses, fighting viruses with virus-like predator
codes,[25][26] the effectiveness of patching, etc.
[edit] Grayware
Grayware[27] (or greyware) is a general term sometimes used as a classification for applications
that behave in a manner that is annoying or undesirable, and yet less serious or troublesome than
malware.[28] Grayware encompasses spyware, adware, dialers, joke programs, remote access
tools, and any other unwelcome files and programs apart from viruses that are designed to harm
the performance of computers on your network. The term has been in use since at least as early
as September 2004.[29]
Grayware refers to applications or files that are not classified as viruses or trojan horse programs,
but can still negatively affect the performance of the computers on your network and introduce
significant security risks to your organization.[30] Often grayware performs a variety of undesired
actions such as irritating users with pop-up windows, tracking user habits and unnecessarily
exposing computer vulnerabilities to attack.
- Spyware is software that installs components on a computer for the purpose of recording
  Web surfing habits (primarily for marketing purposes). Spyware sends this information to
  its author or to other interested parties when the computer is online. Spyware often
  downloads with items identified as 'free downloads' and does not notify the user of its
  existence or ask for permission to install the components. The information spyware
  components gather can include user keystrokes, which means that private information
  such as login names, passwords, and credit card numbers are vulnerable to theft.
- Adware is software that displays advertising banners on Web browsers such as Internet
  Explorer and Mozilla Firefox. While not categorized as malware, many users consider
  adware invasive. Adware programs often create unwanted effects on a system, such as
  annoying popup ads and the general degradation in either network connection or system
  performance. Adware programs are typically installed as separate programs that are
  bundled with certain free software. Many users inadvertently agree to installing adware
  by accepting the End User License Agreement (EULA) on the free software. Adware is
  also often installed in tandem with spyware programs. Both programs feed off each
  other's functionalities: spyware programs profile users' Internet behavior, while adware
  programs display targeted ads that correspond to the gathered user profile.
[edit] Web and spam
<iframe src="http://example.net/out.php?s_id=11" width=0 height=0 />
If an intruder can gain access to a website, it can be hijacked with a single HTML element.[31]
The World Wide Web is a criminals' preferred pathway for spreading malware. Today's web
threats use combinations of malware to create infection chains. About one in ten Web pages may
contain malicious code.[32]
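The single element shown above works because a zero-sized or hidden iframe loads its source without the visitor seeing anything, so a site owner or scanner has to look for it in the markup. The following is an added example and not code from the article: it uses the standard-library HTML parser to report iframes that are sized or styled to be invisible. The sample page, including the injected frame, is constructed for illustration; the only real element in it is the `example.net` snippet quoted by the article.

```python
"""Added example (not from the article): find iframes that are sized or
styled to be invisible, the pattern used to silently pull a malware-serving
page into an otherwise legitimate site."""
from html.parser import HTMLParser

# Constructed page: one visible video embed and two hidden injected frames.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<p>Some text</p>
<iframe src="http://example.net/out.php?s_id=11" width=0 height=0 />
<iframe src="http://example.net/x.html" style="display: none; visibility:hidden"></iframe>
</body></html>"""


def _dimension(value):
    """Parse a width/height attribute such as '0', '1px' or '100%'; None if absent or unparseable."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit() or ch == ".")
    try:
        return float(digits)
    except ValueError:
        return None


class HiddenIframeFinder(HTMLParser):
    """Collect (src, reasons) for every iframe that would not be visible."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    # handle_startendtag (the '<iframe ... />' form) calls this by default,
    # so the self-closing variant in the article's example is covered too.
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        width, height = _dimension(a.get("width")), _dimension(a.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("zero-size")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-style")
        if reasons:
            self.hidden.append((a.get("src"), reasons))


def find_hidden_iframes(html):
    """Return a list of (src, reasons) for hidden iframes in the given markup."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src} ({', '.join(reasons)})")
```

A 1-pixel threshold rather than exactly zero is used because 1x1 frames are a common variant of the same trick. Checks of this kind belong in a periodic integrity scan of published pages, since the injection happens after the site's own templates have been reviewed.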
[edit] Wikis and blogs
Attackers may use wikis and blogs to advertise links that lead to malware sites.[33]
Wiki and blog servers can also be attacked directly. In 2010 alone, Network Solutions was
hacked[34][35] and some sites hosted there became a path to malware and spam.
[edit] Targeted SMTP threats
Targeted SMTP threats also represent an emerging attack vector through which malware is
propagated. As users adapt to widespread spam attacks, cybercriminals distribute crimeware to
target one specific organization or industry, often for financial gain.[36]
[edit] HTTP and FTP
Infections via "drive-by" download are spread through the Web over HTTP and FTP when
resources containing spurious keywords are indexed by legitimate search engines, as well as
when JavaScript is surreptitiously added to legitimate websites and advertising networks.[37]