Spyware, Adware, Windows, GNU/Linux, and Software Culture

This article has been written by Karsten M. Self and taken from here

For starters, I'll note that I run GNU/Linux on my own personal desktop, both at home and at work, and that the problems delineated in the article simply don't exist for me there. While I strongly favor Linux, I consider my bias grounded in experience and reality. I've certainly had years of experience with both types of systems.

I run herd over a small posse of legacy MS Windows systems at work, a youth center in Napa, CA. I'm also called on periodically to do maintenance on PCs used by adult staff in various businesses. I have to say the whole issue of spyware, adware, viruses, worms, and other annoyances (generally: malware) really opened my eyes to the problems MS Windows users face.

Among topics the article didn't address for reasons of space and focus:

  • Keeping things clean. I've found a few tricks that work, at least for the moment, with vigilance, paranoia, and a healthy dose of luck.
  • Experiences. Just how bad the problem is, with some quantified examples.
  • Some cultural observations.
  • Ironies.

There were also a few general observations I had on the spyware / adware / malware issue. Briefly (and there's more at depth later on most of these points):

  • Seeing both GNU/Linux and Windows systems running side-by-side, the magnitude of the problem is just unbelievably different. As in: nonexistent vs. a major constant concern.
  • It is possible to protect MS Windows systems against the problem. But it's a lot of work, restricts a lot of the so-called useful functionality of the platform, and in my case involves no email, greatly limited downloads, rather effectively blocking use of MS Internet Explorer, and keeping virus and adware definition files up to date. I spend thirty minutes daily on this for ten systems and still don't feel I've got things comfortably nailed down. For those interested in the "how", I cover this in some detail below.
  • Typical small enterprise use of MS Windows is an absolute nightmare from an adware/spyware perspective, and (so far) you couldn't pay me to go there. Home-usage is probably even worse.
  • Most telling is the difference I see between the applications space in my preferred GNU/Linux distribution (or version), Debian, and MS Windows. Boiling it down: in a collaborative, open platform, programs have to obey rules to be included. In a fiercely competitive environment, there's ferocious levels of backstabbing and low tricks to try to get applications in front of the user or on their system. Adware and its ilk are a logical extension of the existing proprietary software marketplace. There's considerably more on this below.

Keeping things clean

I've found that it is possible, at least with luck and a lot of work, to keep Microsoft systems clean.

Among the most effective, of course, is to install GNU/Linux on the box. Very simply: no Linux system I've used or am aware of has had any level of adware infestation. And were they to have a problem, rooting it out would be largely trivial.

Assuming you're not prepared to go to that level, here's what I've done at work, where my hands are tied (grants, boss, etc.). I don't believe you can get robust results with DOS-based systems: Win3x/95/98/ME. Especially WinME, which is probably the worst of a long line of bad OS products Microsoft has produced.

As I said in extended comments to Mr. O'Brien (with whom I spoke & corresponded), I've got an advantage over many systems administrators in that I'm running a lab for kids: I am the word of God, and I can simply decree that specific programs and/or functionality aren't available. I also run a couple of GNU/Linux servers in the lab which provide certain functionality, some of which is used in keeping things sane. This includes Samba, Apache, Dansguardian, Squid, and numerous utilities. I've also got Cygwin installed on the desktop systems, which simplifies and extends administrative management considerably. All of these tools are FSF Free Software (often called Open Source), meaning several things, but mostly: you can install and use them for free, and modify them if you choose to do so.

Uninstall MS Outlook and Outlook Express

These are a pair of virus-propagation utilities which offer a largely unsatisfactory level of email functionality. Given that the kids don't (currently) have email, and that I've got other options for providing 'em with same if we should choose to do so, simply eliminate the problem by removing it.

This, incidentally, is a good example of security via minimum exposure. If you don't need to offer specific functionality, then don't. Unfortunately it means that you have to give slightly more thought to your system configuration than a default, kitchen-sink installation generally means.

If you must provide email functionality, Mozilla (more below) offers a "Thunderbird" client, and Eudora is a popular small-organization choice (advertising-supported). Both, incidentally, use open and transportable mailbox formats making your future migration to GNU/Linux far easier. Mozilla has a utility for migrating your proprietary MS Outlook format PST (mailbox) files.

Install Mozilla Firefox (or another non-MSIE browser)

Mozilla Firefox, "Rediscover the web", as the slogan says.

Opera is another popular choice, though in its free incarnation it has certain adware characteristics (similar to Eudora above).

Installing Firefox addresses a large host of evils in one swell foop, including:

  • Popups: blocking is a few mouse-clicks away.
  • Tabbed browsing: you'll consider MSIE horribly primitive.
  • Selective image blocking: for the full effect, you'll want to explore the many, many plugins available for the browser. While they're a bit daunting to navigate, initially, several of them really pay off. In particular, you can block images from specific regions of a site, or matching specific patterns (say: "/ad/" or "/ads/") on a website.
  • Similarly, plug-in blocking & management: while Flash can be very cool, it's about 99.98% annoying. In large part because there is no "off" button. You can't control whether or not the plugin runs in your browser. Firefox plugins provide this control.
  • A host of others. Animation limits (whether or not that jitterstrobe ad banner loops infinitely, or...only once). Among my own favorites, and definitely an advanced-user feature, is the use of custom user stylesheets to control how Web content is presented. If you find yourself cursing site designers' picks of squint-inducing fonts and nausea-inducing colors, userContent.css can be a real bonus.

Mozilla is about taking back control of the web. Very nice, that.

Uninstall other dodgy software

There's a whole mess of software on your MS Windows computer not because it's of any particular use to you, or because you asked for it, but because of marketing arrangements between your hardware or OS vendor and other companies. The mess of Internet service provider icons, for example.

Most of these are relatively harmless. I did find one program, Viewpoint, apparently provided by Yahoo, wanted to upgrade, and was suddenly talking about putting search bars and buttons everywhere. I decided that that particular collection of bits was no longer welcome and uninstalled it. Possibly an overreaction, but any additional icon on a desktop means another twenty minutes of answering questions from kids ("What does this do? This wasn't here yesterday?"), even if it doesn't do anything particularly annoying. Prune ruthlessly. And a note to vendors: stay out of our faces, you're going to have a much better survival profile. When in doubt, Google for the software by title, adding "spyware" or "adware", to find others' discussions. In many cases, the distinction between useful software and malware is grey.

Block MSIE web access

There are a number of methods to prevent users from accessing Microsoft Internet Explorer. Unfortunately, few of them work effectively. The program is too thoroughly entwined in the workings of legacy MS Windows and various Microsoft products to make removing a few icons a fix.

I'm addressing the full method in a forthcoming technical article, but one relatively effective trick is to direct all MSIE traffic to a proxy, except for a small set of hand-picked sites which must get through. For example, windowsupdate.microsoft.com. Doing this on multiple workstations for multiple users is a headache, but can be accomplished with scripting tools, your domain login's "LOGON.BAT" file, and in my case, an Apache webserver given a virtual host whose sole purpose in life is to tell people not to use MSIE.

This breaks some stuff; you have to decide whether you value a few conveniences over a generally working system. There are sites which only work under MSIE (that's their problem, not mine, is my response). There are also specific tools under MS Windows which require MSIE, notably Windows Media Player. Some third-party tools such as anti-virus software will get caught by your proxy. Monitoring my webserver's logs is useful for identifying any such issues, and if necessary, adding a site to the pass-through list.
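The log monitoring just described, as an added example in Python (not the article's own code): it reads the "don't use MSIE" virtual host's access log in Apache's combined format, recovers the destination host from the absolute URL that a browser talking through a proxy puts in the request line, and separates hosts that are candidates for the pass-through list from hosts that are already on it but still reached the proxy (which points at a workstation whose override setting did not take). Everything beyond windowsupdate.microsoft.com is constructed: the second pass-through pattern, the host names, the client addresses and the log lines.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Apache "combined" log format: client, identd, user, [timestamp], "request",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Pass-through list, written as wildcard patterns in the style of the Windows
# ProxyOverride setting. Only the first entry comes from the article; the
# second is an assumed example.
PASSTHROUGH = ("windowsupdate.microsoft.com", "*.windowsupdate.com")

# Constructed sample lines, as the virtual host would record them. Hosts under
# .test are placeholders, not real sites.
SAMPLE_LOG = """\
192.168.1.21 - - [12/Oct/2004:09:14:02 -0700] "GET http://www.example-av-vendor.test/defs/daily.cvd HTTP/1.1" 200 1534 "-" "AVUpdater/2.0"
192.168.1.21 - - [12/Oct/2004:09:14:05 -0700] "GET http://www.example-av-vendor.test/defs/main.cvd HTTP/1.1" 200 1534 "-" "AVUpdater/2.0"
192.168.1.33 - - [12/Oct/2004:09:15:40 -0700] "GET http://windowsupdate.microsoft.com/ HTTP/1.1" 200 1534 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.1.33 - - [12/Oct/2004:09:16:01 -0700] "GET http://www.disny.test/ HTTP/1.1" 200 1534 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.1.40 - - [12/Oct/2004:09:18:12 -0700] "GET /index.html HTTP/1.1" 200 1534 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def proxied_host(target):
    """A proxied browser sends the absolute URL in the request line; return its
    host, or None for a plain request aimed at the virtual host itself."""
    if not target.lower().startswith(("http://", "https://")):
        return None
    return urlsplit(target).hostname


def on_passthrough(host, patterns=PASSTHROUGH):
    """True if the host matches any wildcard pattern on the pass-through list."""
    return any(fnmatchcase(host, p) for p in patterns)


def triage(log_text, patterns=PASSTHROUGH):
    """Summarise what the MSIE catch-all virtual host saw.

    candidates: hosts not on the pass-through list, with hit counts, the user
                agents that asked for them (an updater's agent string hints that
                a tool rather than a person is being blocked) and the clients.
    leaks:      hosts that ARE on the pass-through list yet still reached the
                proxy, i.e. a workstation whose override setting did not apply.
    """
    candidates, leaks = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = proxied_host(rec["target"])
        if host is None:
            continue
        bucket = leaks if on_passthrough(host, patterns) else candidates
        entry = bucket.setdefault(host, {"count": 0, "agents": set(), "clients": set()})
        entry["count"] += 1
        entry["agents"].add(rec["agent"])
        entry["clients"].add(rec["client"])
    return {"candidates": candidates, "leaks": leaks}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for kind in ("candidates", "leaks"):
        print(f"== {kind} ==")
        for host, info in sorted(summary[kind].items(), key=lambda kv: -kv[1]["count"]):
            print(f"{info['count']:4d}  {host:35s} agents={sorted(info['agents'])} "
                  f"clients={sorted(info['clients'])}")
```

Run it against the real log instead of SAMPLE_LOG by reading the file into `triage`; the candidate list is a starting point for deciding what to add to the pass-through list, not a verdict, since a typo domain and an anti-virus updater look the same until you read the agent string and who asked.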

Using Web-Filtering Software

In my case, it's Dansguardian. As mentioned above, it's FSF Free Software, and comes with its own highly tuned filters. You'll need to adjust them to your needs, slightly, which mostly means adding sites to exception and/or ban lists, done by editing a set of well-documented, easily understood, text files. Blocking is based on several characteristics, including specific domains, keywords, content-type, and extensions.

You need to keep an eye on what's passing or not passing through the filters, which means this is a bit of an ongoing task. For the most part, done on an as-needed basis. After an initial week or so of adjustments, I find I rarely need to touch things more than once a month or so.

For the really bad guys: firewall-level blocking

The NY Times article doesn't mention one particular homepage hijacking site, (and don't click that link yet) http://www.domainsponsor.com/. This is an organization which apparently registers a large number of "typo" URLs -- domain names close to, but not quite. Kids, as you might guess, tend to have middlin' to po' typing and spelling skills, so "disny.com" and similar expressions show up. When this happens, your browser is redirected to the page above. And if you are foolish enough to surf with MSIE, your homepage (the page you see when first starting your browser) is reset to one of DomainSponsor's choosing. If you still want to follow the link after all that, go ahead.

Their own webpage (and WHOIS record) indicates DomainSponsor is owned by Oversee.net. Netblock NET-65-235-246-0-1, CIDR 64.235.246.0/24, ASN 25973 (Mzima Networks, Inc.).

My evolving attitude on 'Net citizenship is rapidly approaching a "take no prisoners" status, and is based on the principle of network hygiene: bad behavior (viruses, malware, phishing, attacks, zombies) reflects bad network management and oversight practices, something I've come to appreciate in my ongoing antispam activities. If a site demonstrates that it's a sufficiently bad neighbor that it's going to do things like hijack browsers' home pages, regardless of how poorly designed the browser is, then that particular neck of the 'Net has no business whatsoever swapping bits with my network. While a Web filter can work with domain names or content, what you want is a firewall in which you can explicitly block some or all traffic from a single Internet (or IP) address -- or an arbitrarily large range of them. Locally, this particular source of malice is blocked by several redundant methods.

For the truly dedicated, there are extensive lists of IP space associated with organizations or countries from which some feel there is more harm than good in allowing traffic through. For the malware proponents: beware that the Net may be comprised of small players, but there are many of them, powerful in aggregate, and with long memories. As the recent case of Savvis shows, the effect can be ultimately persuasive.

Anti-virus software.

It's not an option. And it's not enough to install it, you have to keep it up-to-date -- at one mail service provider I worked for, this meant updating every six hours (via an automated script). And you need to run it.

My current choice has become something of a PITA following the latest upgrade to the AV software itself, as its auto-upgrade feature isn't working. Which adds yet another item to the list of things I've got to get fixed or updated to feel moderately comfortable about the state of my systems.

The big names are Sophos, Command Software (now Authentium), Symantec, and Trend Micro, in no particular order and with copious omissions, I'm sure. There's also an FSF Free Software alternative, ClamAV, worthy of note.

Oh, and a request: if you install AV software on your mail system, turn off the notification feature. Anti-virus software itself is a nontrivial contributor to the spam problem. The messages are all-too-often misdirected. Really, it's not your problem, here.

Anti-adware/spyware software.

I'm using Ad-Aware from LavaSoft, with largely good results if somewhat mixed operational experiences. The free version of the software is highly interactive, and it's literally a ninety-step process to get all ten systems updated. Lately, downloads and scans have been mysteriously hanging, as I commented to Tim O'Brien during one phone interview. There are other products, I'd recommend installing at least one.

Coming from the GNU/Linux side of the house, one major gripe against all of the products is the reluctance with which they support automation or silent background operation. Instead, the products launch at login time (why not scan periodically or as-needed?), display splash-screens or tray icons, and often allow non-administrative users to disable or close them. From a systems management perspective: a nightmare.

Eternal vigilance.

Keeping your systems clean is an ongoing chore. Updates need to be downloaded, logs need to be read, users need to be monitored (having them cancel in-process scans is a major factor). One frustration, of course, is that log-ons, already slow for domain users, become slower still as your arsenal of system defenses swing slowly into action. Users are understandably frustrated by this and want to have things happen faster, and will close down what they see as "things in the way".

When you do find a problem (or worse: a suspected problem), you've got another hassle on your hands: trying to sort out the good, the bad, and the ugly. Default tools for getting system information on MS Windows systems are primitive at best, often unhelpful, and vary widely across various OS products, and even among releases of the same product. In particular, getting a list of running processes, identifying how they were run, and finding out which are or are not malevolent, is a nontrivial task. Even once you've got a list, sorting out the mess is a chore.

The Task Manager is the usual first course of action, but it's a poor tool for the job: it provides little information, you can't print the output, and you can't filter to processes of interest. The site HijackThis at SpyChecker is useful in that it lists many people's process list dumps, often with analysis. While you can't always find out what's running, you can usually get close. Often simply entering an executable's name into Google (say: example.exe) will give useful information. I've found that there are malicious programs with innocent-looking names and innocent programs with malicious-looking ones, so it's difficult to be sure. Under WinXP, there's a 'TASKLIST.EXE' program which lists processes similarly to a Linux 'ps' command.

You want to check both your Startup folder(s) (if you have multiple users) and the "Run" Windows Registry key, both of which specify programs to be run at startup. Anything running out of temporary folders is immediately suspect.
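A triage pass over those startup entries, as an added example in Python (not the author's code): given Run-key or Startup-folder entries as (source, name, command) triples, it pulls the executable path out of each command line, expands %VAR% references, and flags anything that runs from a temporary folder, which is the rule of thumb above. The sample entries, program names and profile paths are constructed, as is the default environment map, so the example runs anywhere; on a Windows host the read_run_keys helper (a name chosen here) collects the real Run entries through the standard winreg module.

```python
import ntpath
import os
import re

# Directory patterns that make an autorun entry immediately suspect, matched
# case-insensitively against the executable's directory. Assumed list; extend
# it to suit your own profile layout.
TEMP_PATTERNS = (
    r"\\temp(\\|$)",                      # C:\WINDOWS\Temp, ...\Local Settings\Temp
    r"\\tmp(\\|$)",
    r"\\temporary internet files(\\|$)",  # the MSIE cache
    r"\\recycle",                         # Recycler / $Recycle.Bin
)
TEMP_RE = re.compile("|".join(TEMP_PATTERNS), re.IGNORECASE)

# Constructed stand-ins for a Windows profile's environment, used so that the
# sample below expands the same way on any platform.
ENV_DEFAULTS = {
    "TEMP": r"C:\Documents and Settings\kid\Local Settings\Temp",
    "TMP": r"C:\Documents and Settings\kid\Local Settings\Temp",
    "SYSTEMROOT": r"C:\WINDOWS",
}

# Constructed sample entries in the shape read_run_keys() produces:
# (source, value name, command line). All product names are placeholders.
SAMPLE_ENTRIES = [
    ("HKLM\\Run", "AVTray", r'"C:\Program Files\ExampleAV\avtray.exe" /minimized'),
    ("HKLM\\Run", "Updater", r"C:\WINDOWS\Temp\updater.exe -s"),
    ("HKCU\\Run", "Helper", r"%TEMP%\helper.exe -quiet"),
    ("HKCU\\Run", "Toolbar",
     r'"C:\Documents and Settings\kid\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\setup[1].exe"'),
    ("Startup folder", "Office Helper", r"C:\Program Files\ExampleSuite\osa.exe -b"),
]


def expand_env(command, env=ENV_DEFAULTS):
    """Expand %VAR% references from the supplied map, leaving unknown ones alone."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), command)


def executable_path(command, env=ENV_DEFAULTS):
    """Pull the program path out of a Run-key style command line.

    A quoted path is taken whole; otherwise the line is cut at the first
    whitespace that precedes a '-' or '/' switch, which covers the usual forms.
    """
    cmd = expand_env(command.strip(), env)
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    return re.split(r"\s+(?=[-/])", cmd, maxsplit=1)[0]


def is_temporary(path):
    """True if the executable's directory looks like a temporary folder."""
    directory = ntpath.dirname(path.replace("/", "\\"))
    return bool(TEMP_RE.search(directory))


def triage_autoruns(entries, env=ENV_DEFAULTS):
    """Return the suspect entries as (source, name, executable, reason) tuples."""
    flagged = []
    for source, name, command in entries:
        exe = executable_path(command, env)
        if is_temporary(exe):
            flagged.append((source, name, exe, "runs from a temporary folder"))
    return flagged


def read_run_keys():
    """On Windows, collect (source, name, command) from the HKLM and HKCU Run
    keys via winreg; elsewhere return an empty list."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for label, hive in (("HKLM\\Run", winreg.HKEY_LOCAL_MACHINE),
                        ("HKCU\\Run", winreg.HKEY_CURRENT_USER)):
        try:
            key = winreg.OpenKey(hive, sub)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)  # raises OSError when done
                except OSError:
                    break
                entries.append((label, name, str(value)))
                i += 1
    return entries


if __name__ == "__main__":
    live = read_run_keys()
    # Use the real environment for real keys, the constructed one for the sample.
    results = triage_autoruns(live, env=os.environ) if live else triage_autoruns(SAMPLE_ENTRIES)
    for source, name, exe, reason in results:
        print(f"{source:16s} {name:16s} {reason}: {exe}")
```

The output is a shortlist to look at first, not a verdict: plenty of legitimate entries live in the Run key too, and a program installed somewhere sensible can still be unwelcome, so the name search the text describes remains the next step for anything that looks odd.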

With the right tools, you can run a portscan of your system to see how it's talking on your network. GNU/Linux offers a great tool for this, 'nmap', which is available on many "bootable" Linux distributions. These are small (or not so small) collections of GNU/Linux utilities that run from a CDROM, floppy disk, USB pen drive, or other removable media, and don't require installation on your hard drive. LNX-BBC and Knoppix are two of the best known, the former being technically oriented and the latter a full end-user desktop on CD ROM. But that's another essay.

Copyleft 2011 gnulinuxclub.org