Dirty Spyware Trickery

By Deane Barker on January 5, 2005

I had to remove some nasty spyware yesterday from an employee’s home machine. It was an IE search toolbar (I’m not going to say the name, since I’d rather take a shotgun blast to the face than give them any publicity) that generated a JavaScript error on every search results page when the toolbar tried to quietly send the search terms off to a remote URL.

While troubleshooting, I noticed an odd phenomenon: I couldn’t get through to any anti-spyware sites to download anything. I’d get “Page Not Available” errors. CNN came up fine, but sites like Lavasoft and even GRC just wouldn’t work.

Ad-Aware was already installed, so I fired it up and had it check for updates. It came back very quickly and said no updates were available. I was suspicious because I knew this employee wasn’t in the habit of running Ad-Aware (hence her problem).

Turns out I’d fallen for the oldest trick in the book — a hacked HOSTS file. I cracked it open, and — sure enough — the app had written a list of perhaps 200 anti-spyware sites and sent them off into oblivion: each one mapped to a loopback address (127.0.0.2, 127.0.0.3, etc.), so any connection to those names died on the machine itself and never reached the real site. So it wasn’t that Ad-Aware already had the latest data file; it was that it couldn’t contact its mothership for an update (you’d think it would have thrown an error message rather than just announcing that no updates were available).
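To make the trick concrete, here is a small HOSTS-file audit script. It is an added example, not code from the original post or from any of the products named in it: it parses a Windows-style HOSTS file, flags any real hostname pinned to a loopback or 0.0.0.0 address (the blackholing described above) and any hostname pinned to some other address (the phishing-style redirect mentioned in the comments), and shows what the resolver would hand an updater for a given name. The sample file is constructed for the example; the lavasoft.com and grc.com names come from the post, the `.test` hostnames are placeholders, and the exact names the toolbar blocked are not known.

```python
"""Audit a Windows-style HOSTS file for blackholed or redirected hostnames.

Added example; the SAMPLE_HOSTS text below is constructed for illustration,
and the *.test names are placeholders rather than real vendor hosts.
"""
import ipaddress

# Constructed sample in the style of the hijacked file described in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.2       www.lavasoft.com lavasoft.com
127.0.0.3       grc.com
127.0.0.4       www.grc.com
0.0.0.0         update.antispyware-vendor.test     # placeholder updater host
192.0.2.10      www.online-bank.test               # placeholder, redirect-style
not-an-ip       garbage                            # malformed line, ignored
"""

# Names a stock HOSTS file legitimately maps to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every well-formed mapping.

    Comments start at '#', one line may carry several hostnames, and
    hostnames are compared case-insensitively, as the resolver does.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # address field is not an address: not a mapping
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def classify(ip, name):
    """Return None for a benign entry, otherwise a short reason string."""
    if name in LOCAL_NAMES:
        return None if ip.is_loopback else "local name mapped off loopback"
    if ip.is_loopback or ip.is_unspecified:
        # 127.x.x.x or 0.0.0.0 for a real site: the connection is refused
        # or dropped on this box and never leaves the machine.
        return "blackholed"
    # Any other pinned address silently overrides DNS: maybe a developer
    # override, maybe a bank name pointed at someone else's server.
    return "redirected to %s" % ip


def audit_hosts(text):
    """Return [(lineno, hostname, reason)] for every suspicious mapping."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        reason = classify(ip, name)
        if reason is not None:
            findings.append((lineno, name, reason))
    return findings


def lookup(text, name):
    """Address the resolver would use for `name`, or None if HOSTS is silent.

    The first matching entry wins, so one stray line is enough to make an
    updater's connection fail locally; a tool that treats 'could not
    connect' as 'nothing new' then reports no updates available.
    """
    wanted = name.lower()
    for _, ip, host in parse_hosts(text):
        if host == wanted:
            return str(ip)
    return None


if __name__ == "__main__":
    for lineno, name, reason in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s" % (lineno, name, reason))
    print("grc.com resolves to", lookup(SAMPLE_HOSTS, "grc.com"))
```

On a real machine, read the file from `%SystemRoot%\System32\drivers\etc\hosts` instead of the embedded sample; a clean Windows HOSTS file of that era contains only the localhost line, so anything else the audit prints deserves a look.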

In the end, this was a nasty one to get rid of. You needed to fix the HOSTS file, shut off all the start-up tasks, reboot into Safe Mode, delete the executables (in a hidden directory, naturally), and put dummy files in their place, named the same and set to read-only, so nothing could drop the originals back.

A real mess, but that HOSTS file thing was what really got me. How friggin’ slimy can you get? And this wasn’t a blatant malware app on the surface — it made all sorts of claims that it provided “important benefits” to the user and that it wasn’t spyware.

So, why exactly do you need to prevent the user from visiting a site that may help them uninstall you, again? I feel so naive.


Comments

  1. That is interesting that you actually saw the hosts file spyware. I am hoping I never get that one; I usually run AdAware and check my hosts file anyway.

    I actually heard of a phishing attack using the hosts file where the hosts file would have the IP of the phishing site for a URL for a major bank. That is pretty slimy as well, but what else do you expect from these people.

    It is interesting how many people don’t know about spyware or how to help prevent it, though. I had a friend that has a “slow computer with boot problems”, so I told them I would take a look. Turns out once I fixed the boot sector and got it booting, it had tons of spyware on it. There were about a zillion popups every time I opened anything. So, being the nice guy that I am, I started deleting the DLLs of the more prominent spyware just to be able to download AdAware in a bit of peace. I ran AdAware and sure enough about 1200 objects were found. Let’s just say it was a long night.

    The hosts file is a very creepy attack, though; it is pretty silent and most normal users wouldn’t check that file. Think of Aunt May checking her hosts file on her computer, not likely. Plus the big thing is that virus or AdAware can’t really detect it too well. I am sure it could make a warning of some sort if its URL is pointing to 127.0.0.3, though.

  2. Note that Windows Antispyware (formerly Giant) traps any HOSTS file changes and forces you to approve them before it will use the new file.
