Freddy Krueger's nightmare in the "real world"...
This new "kruegerware" can steal your home page, lock you permanently to a porno site, or ship all your Google queries to a dubious ad-driven alternative. Increasingly this type of program doesn't just wreak havoc. It can avoid detection by popular anti-spyware programs, and even if you think you've gotten rid of it, it usually comes back, like Freddy.
The "viruses" are actually processes that are tampering with Explorer, and anti-virus programs indicate they can't be deleted. Try to clear them out manually and "they are immediately downloaded from the Internet and restored when Explorer is reopened."
Most experts think these persistent pests are only going to increase. The reason, according to Sam Curry, Computer Associates' resident security guru, is "unlike most hacking and most viruses, spyware is financially driven; people wouldn't do this if it didn't pay."
The way it works: Web sites that refer users to other sites may get commissions on sales, or on the volume of traffic directed. By locking in a page like greatsearch.biz as a user's main search page, kruegerware authors can generate hundreds of thousands of dollars in referral commissions. "They wouldn't do it if it didn't work, and if people didn't click through it. The returns exceed the risk," Curry said.
Greatsearch is a comparatively mild case. Truly gory details are chronicled at www.spywareinfo.com/~merijn/index.html, the home page of Dutch student Merijn Bellekom who, like Dracula's literary foe Van Helsing, has dedicated his life, or at least his spare time, to fighting immortal evil with cool technology. In this case, it is browser hijackers that send computers to the home page of a Russia-based company, Cool Web Search. Says Curry: "Cool Web Search is a horrible one, with 30 different iterations, and trying to find all the tentacles when you go in can be impossible. It will leave things like registry keys that say, if these files are missing, go to thus and so a page and download them."
For a couple of years now, Bellekom has written and rewritten a program called CWShredder to remove more of the hijackers associated with the Cool Web Search page, but admits there still are a couple that are so slick he can't touch them. Some are like an inoperable form of cancer: they burrow into Windows so deeply that removing them will destroy Windows and force a new installation.
Ironically, some of the biggest problems are caused by badly designed hijackers, which, rather than go about their business surreptitiously, cause computers to crash or slow down dramatically. More successful versions can create bookmarks to pornographic Web sites, batter the user with porno popup ads, or set the home page to an unwanted address. Some of the worst of these addresses are listed on the www.spywareinfo.com site. Cool Web Search didn't respond to Newsday e-mails, but on its Web site, the company denies it is responsible for the problems.
Bellekom says that anti-virus software companies, which are increasingly taking aim at these hijackers, still aren't 100 percent successful.
"The antivirus companies really are targeting this, but the problem is that you don't have perfect targeting of so many different variants overnight," he said. "Some antivirus programs remove the main parts of the most widespread variants, but leave traces behind, sometimes allowing it to restore itself and reinfect a system. I'm sure that they will eventually remove all of the variants properly."
Bellekom and other experts blame poor Windows security for the emergence of these super threats. According to Curry, Windows allows one careless click on the wrong popup to download a browser hijacker with all the security privileges it needs to effect a complete takeover of your PC. At that point, as Bellekom's Web site documented, these programs can turn off firewalls, disable security software (including Ad-Aware, Spybot and most anti-virus scanners), and place sites in the Windows "trusted domains" list (Internet Explorer's Trusted sites security zone) so they can download even more spyware.
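The two footholds described above, a rewritten home or search page and a domain slipped into the Trusted sites zone, both live in well-known registry locations, which is what lets a cleaner (or an incident responder) check for them offline. The following is an added example, not code from the article, from Bellekom or from CWShredder: it parses a registry export in the standard "Windows Registry Editor Version 5.00" format and flags those two hijack points. The key paths, value names and zone number 2 are the real Internet Explorer locations; the list of expected domains, the hijack.example placeholder and the sample export itself are constructed assumptions for the example.

```python
"""Scan an exported Windows registry (.reg) file for the IE hijack points
the article describes: overwritten Start/Search pages and domains pushed
into the Trusted sites zone. Added example; sample input is constructed."""
import re

# Real location of the IE start/search page values a hijacker rewrites.
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
IE_REDIRECT_VALUES = {"Start Page", "Search Page", "Default_Search_URL", "Search Bar"}

# Real layout: ZoneMap\Domains\<domain> holds one DWORD per scheme ("http",
# "https", "*") whose value is the zone number; zone 2 is "Trusted sites".
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
TRUSTED_ZONE = 2

# Assumption for the example: hosts the user actually wants at these
# locations. A real tool would take this list from the operator.
EXPECTED_DOMAINS = {"www.google.com", "www.msn.com"}

# Constructed sample export; hijack.example and intranet.example are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.msn.com/"
"Search Page"="http://hijack.example/search.php?q=%s"
"Default_Search_URL"="http://hijack.example/search.php"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hijack.example]
"http"=dword:00000002
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"http"=dword:00000001
"""


def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg text.

    Quoted strings lose their quotes and dword:xxxxxxxx becomes an int;
    any other data type is kept as its raw string."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"(.+?)"=(.*)$', line)  # a "name"=data line
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys


def host_of(url):
    """Lower-cased host of an http(s) URL, or '' if the value is not a URL."""
    m = re.match(r"^https?://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def find_hijacks(reg):
    """Return (kind, name, data) findings: redirect values that point off
    the expected domains, and every domain assigned to the Trusted zone."""
    findings = []
    for name, data in reg.get(IE_MAIN_KEY, {}).items():
        if name in IE_REDIRECT_VALUES and host_of(str(data)) not in EXPECTED_DOMAINS:
            findings.append(("redirect", name, str(data)))
    prefix = ZONEMAP_KEY + "\\"
    for key, values in reg.items():
        if key.startswith(prefix):
            domain = key[len(prefix):]
            if any(v == TRUSTED_ZONE for v in values.values() if isinstance(v, int)):
                findings.append(("trusted-zone", domain, ""))
    return findings


if __name__ == "__main__":
    for kind, name, data in find_hijacks(parse_reg(SAMPLE_REG)):
        print(kind, name, data)
```

To run it against a real machine, export the two keys with regedit and read the file with encoding="utf-16" (regedit writes .reg files as UTF-16 with a byte-order mark) before passing the text to parse_reg. The scanner only reports the settings; as the article notes, deleting them is not enough when a hidden component restores them, so a finding here is a reason to look for the process or startup entry that writes them back.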
Although law enforcement is increasingly pursuing spammers and virus authors, the people who write spyware and browser hijackers are still beneath the official radar.
"They usually only inspect these kinds of things when massive monetary damages are suffered, and since this trojan strain doesn't actively spread from machine to machine [only from Web site to machine] it doesn't have their attention yet," Bellekom said.
Still, according to Mark Rasch, chief security counsel of Solutionary Inc., a smart prosecutor could go after companies and affiliates that spread browser hijackers. Said the former federal computer crime prosecutor, "In theory a lot of spyware would violate the computer crime statutes" that outlaw viruses. "Essentially it's code you don't want that's making your computer do something you don't want to do; how is that different from a computer virus?"
In the meantime, computer users are coping on their own by nervously downloading Windows security updates and by running multiple protective software programs. "My wife said: Isn't broadband fast?" a frustrated Clyde Smith, a Long Island retiree, says, laughing. "Five minutes to check for Windows updates, McAfee updates, and Spybot updates, one minute to download a recipe, and 20 minutes to run McAfee and Spybot to scan for problems with the file."