This article was written by Karsten M. Self and taken from here
Spyware, Adware, Windows, GNU/Linux, and Software Culture
For starters, I’ll note that I run GNU/Linux on my own personal
desktop, both at home
and at work, and that the problems delineated
in the article simply don’t exist for me there. While I strongly
favor Linux, I consider my bias grounded in experience and reality.
I’ve certainly had years of experience with both types of
systems.
I run herd over a small posse of legacy MS Windows systems at
work, a youth center in Napa, CA. I’m also called on periodically
to do maintenance on PCs used by adult staff in various businesses.
I have to say that the whole issue of spyware, adware, viruses,
worms, and other annoyances (generally: malware) really opened my
eyes to the problems MS Windows users face.
Among topics the article didn’t address for reasons of space and
focus:
- Keeping things clean. I’ve found a few tricks that work, at least for the moment, with vigilance, paranoia, and a healthy dose of luck.
- Experiences. Just how bad the problem is, with some quantified examples.
- Some cultural observations.
- Ironies.
There were also a few general observations I had on the spyware
/ adware / malware issue. Briefly (and there’s more at depth later
on most of these points):
- Seeing both GNU/Linux and Windows systems running side-by-side, the magnitude of the problem is just unbelievably different. As in: nonexistent vs. a major constant concern.
- It is possible to protect MS Windows systems against the problem. But it’s a lot of work, restricts a lot of the so-called useful functionality of the platform, and in my case involves no email, greatly limited downloads, rather effectively blocking use of MS Internet Explorer, and keeping virus and adware definition files up to date. I spend thirty minutes daily on this for ten systems and still don’t feel I’ve got things comfortably nailed down. For those interested in the “how”, I cover this in some detail below.
- Typical small enterprise use of MS Windows is an absolute nightmare from an adware/spyware perspective, and (so far) you couldn’t pay me to go there. Home usage is probably even worse.
- Most telling is the difference I see between the applications space in my preferred GNU/Linux distribution (or version), Debian, and MS Windows. Boiling it down: in a collaborative, open platform, programs have to obey rules to be included. In a fiercely competitive environment, there are ferocious levels of backstabbing and low tricks to try to get applications in front of the user or on their system. Adware and its ilk are a logical extension of the existing proprietary software marketplace. There’s considerably more on this below.
Keeping things clean
I’ve found that it is possible, at least with luck and a lot of
work, to keep Microsoft systems clean.
Among the most effective, of course, is to install GNU/Linux on
the box. Very simply: no Linux system I’ve used or am aware of has
had any level of adware infestation. And were they to have a
problem, rooting it out would be largely trivial.
Assuming you’re not prepared to go to that level, here’s what
I’ve done at work, where my hands are tied (grants, boss, etc.). I
don’t believe you can get robust results with DOS-based systems:
Win3x/95/98/ME. Especially WinME, which is
probably the worst of a long line of bad OS products Microsoft has
produced.
As I said in extended comments to Mr. O’Brien (with whom I spoke
& corresponded), I’ve got an advantage over many systems
administrators in that I’m running a lab for kids: I am
the word of God, and I can simply decree that specific programs
and/or functionality aren’t available. I also run a couple of
GNU/Linux servers in the lab which provide certain functionality,
some of which is used in keeping things sane. This includes
Samba, Apache, Dansguardian, Squid, and numerous utilities.
I’ve also got Cygwin installed
on the desktop systems, which simplifies and extends administrative
management considerably. All of these tools are FSF Free Software
(often called Open Source), meaning several things, but mostly: you
can install and use them for free, and modify them if you choose to
do so.
Uninstall MS Outlook and Outlook Express
These are a pair of
virus-propagation utilities which offer a largely unsatisfactory
level of email functionality. Given that the kids don’t
(currently) have email, and that I’ve got other options
for providing ’em with same if we should choose to do so, simply
eliminate the problem by removing it.
This, incidentally, is a good example of security via minimum
exposure. If you don’t need to offer specific
functionality, then don’t. Unfortunately it means that you have to
give slightly more thought to your system configuration than a
default, kitchen-sink installation generally means.
If you must provide email functionality, Mozilla (more below)
offers a “Thunderbird” client, and Eudora is a popular
small-organization choice (advertising-supported). Both,
incidentally, use open and transportable mailbox formats making
your future migration to GNU/Linux far easier. Mozilla has
a utility for migrating your proprietary MS Outlook format PST
(mailbox) files.
Install Mozilla Firefox (or another non-MSIE browser)
Mozilla
Firefox, “Rediscover the web”, as the slogan says.
Opera is another popular choice, though in its free incarnation
it has certain adware characteristics (similar to Eudora
above).
Installing Firefox addresses a large host of evils in one swell
foop, including:
- Popups: blocking is a few mouse-clicks away.
- Tabbed browsing: you’ll consider MSIE horribly primitive.
- Selective image blocking: for the full effect, you’ll want to explore the many, many plugins available for the browser. While they’re a bit daunting to navigate initially, several of them really pay off. In particular, you can block images from specific regions of a site, or matching specific patterns (say: “/ad/” or “/ads/”) on a website.
- Similarly, plug-in blocking & management: while Flash can be very cool, it’s about 99.98% annoying, in large part because there is no “off” button. You can’t control whether or not the plugin runs in your browser. Firefox plugins provide this control.
- A host of others. Animation limits (whether or not that jitterstrobe ad banner loops infinitely, or…only once). Among my own favorites, and definitely an advanced-user feature, is the use of custom user stylesheets to control how Web content is presented. If you find yourself cursing site designers’ picks of squint-inducing fonts and nausea-inducing colors, userContent.css can be a real bonus.
Mozilla is about taking back control of the web. Very nice,
that.
Uninstall other dodgy software
There’s a whole mess of software on your MS Windows computer not
because it’s of any particular use to you, or because you asked for
it, but because of marketing arrangements between your hardware or
OS vendor and other companies. The mess of Internet service
provider icons, for example.
Most of these are relatively harmless. I did find that one program,
Viewpoint, apparently provided by Yahoo, wanted to upgrade, and was
suddenly talking about putting search bars and buttons everywhere.
I decided that that particular collection of bits was no longer
welcome and uninstalled it. Possibly an overreaction, but any
additional icon on a desktop means another twenty minutes of
answering questions from kids (“What does this do? This wasn’t here
yesterday?”), even if it doesn’t do anything particularly
annoying. Prune ruthlessly. And a note to vendors: stay
out of our faces and you’re going to have a much better
survival profile. When in doubt, Google for the software by title,
adding “spyware” or “adware”, to find others’ discussions. In many
cases, the distinction between useful software and malware is
grey.
Block MSIE web access
There are a number of
methods to prevent users from accessing Microsoft Internet
Explorer. Unfortunately, few of them work effectively. The
program is too thoroughly entwined in the workings of legacy MS
Windows and various Microsoft products to make removing a few icons
a fix.
I’m addressing the full method in a forthcoming technical
article, but one relatively effective trick is to direct all MSIE
traffic to a proxy, except for a small set of hand-picked
sites which must get through. For example,
windowsupdate.microsoft.com. Doing this on multiple workstations
for multiple users is a headache, but can be accomplished with
scripting tools, your domain login’s “LOGON.BAT” file, and in my
case, an apache webserver given a virtual host whose sole purpose
in life is to tell people not to use MSIE.
This breaks some things; you have to decide whether you value a
few conveniences over a generally working system. There are sites
which only work under MSIE (that’s their problem, not mine, is my
response). There are also specific tools under MS Windows which
require MSIE, notably Windows Media Player. Some third-party tools
such as anti-virus software will get caught by your proxy.
Monitoring my webserver’s logs is useful for identifying any such
issues and, if necessary, adding a site to the pass-through
list.
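One way to make the pass-through decision on the proxy side, as an added example rather than the author’s own scripts: it assumes the proxy hands the requested URL and the browser’s User-Agent string to this code, that legacy MSIE is recognised by the “MSIE” token in that header, and a constructed placeholder URL for the Apache nag page. The label-boundary matching is the part worth copying; a plain substring or endswith() check would let a look-alike host ride through.

```python
from urllib.parse import urlsplit

# Hand-picked sites that MSIE must still reach. A leading dot means
# "this host and any subdomain"; a bare name is an exact match only.
PASS_THROUGH = [
    "windowsupdate.microsoft.com",   # named in the article
    ".windowsupdate.com",            # constructed example of a wildcard entry
]

# Constructed placeholder for the Apache virtual host that tells people not to use MSIE.
NAG_PAGE = "http://nomsie.lab.example/"


def host_allowed(host: str, allow_list=PASS_THROUGH) -> bool:
    """True if host matches an allow-list entry on a label boundary, so
    'windowsupdate.microsoft.com.evil.example' and 'notwindowsupdate.com'
    do not ride through on a naive substring or endswith() test."""
    host = host.lower().rstrip(".")
    for entry in allow_list:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def is_msie(user_agent: str) -> bool:
    """Legacy MSIE announces itself with an 'MSIE' token in the User-Agent header."""
    return "MSIE" in user_agent


def redirect_for(url: str, user_agent: str):
    """None = pass the request through unchanged; otherwise the URL to redirect to."""
    if not is_msie(user_agent):
        return None                    # Firefox, Opera, etc. are not the problem here
    host = urlsplit(url).hostname or ""
    if host_allowed(host):
        return None                    # e.g. Windows Update must keep working
    return NAG_PAGE
```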
Using Web-Filtering Software
In my case, it’s Dansguardian. As mentioned above,
it’s FSF Free Software, and comes with its own highly tuned
filters. You’ll need to adjust them to your needs, slightly, which
mostly means adding sites to exception and/or ban lists, done by
editing a set of well-documented, easily understood, text files.
Blocking is based on several characteristics, including specific
domains, keywords, content-type, and extensions.
You need to keep an eye on what’s passing or not passing through
the filters, which means this is a bit of an ongoing task, for the
most part done on an as-needed basis. After an initial week or so
of adjustments, I find I rarely need to touch things more than once
a month or so.
For the really bad guys: firewall-level blocking
The NY Times article doesn’t mention one particular homepage
hijacking site, (and don’t click that link yet)
http://www.domainsponsor.com/.
This is an organization which apparently registers a large number
of “typo” URLs — domain names close to, but not quite, the real
thing. Kids, as you might guess, tend to have middlin’ to po’ typing
and spelling skills, so “disny.com” and similar expressions show up.
When this happens, your browser is redirected to the page above. And
if you are foolish enough to surf with MSIE, your homepage (the page
you see when first starting your browser) is reset to one of
DomainSponsor’s choosing. If you still want to follow the link
after all that, go ahead.
Their own webpage (and WHOIS record) indicates DomainSponsor is
owned by Oversee.net.
Netblock NET-65-235-246-0-1, CIDR 64.235.246.0/24, ASN 25973 (Mzima
Networks, Inc.).
My evolving attitude on ‘Net citizenship is rapidly approaching
a “take no prisoners” status, and is based on the principle of
network hygiene: bad behavior (viruses, malware, phishing, attacks,
zombies) reflects bad network management and oversight practices,
something I’ve come to appreciate in my
ongoing antispam activities. If a site demonstrates that it’s a
sufficiently bad neighbor that it’s going to do things like hijack
browsers’ home pages, regardless of how poorly designed the browser
is, then that particular neck of the ‘Net has no business
whatsoever swapping bits with my network. While a Web filter can
work with domain names or content, what you want is a firewall in
which you can explicitly block some or all traffic from a single
Internet (or IP) address — or an arbitrarily large range of them.
Locally, this particular source of malice is blocked by several
redundant methods.
For the truly dedicated, there are extensive lists of IP space associated
with organizations or countries from which some feel there is more
harm than good in allowing traffic through. For the malware
proponents: beware that the Net may be made up of small players,
but there are many of them, powerful in aggregate, and with long
memories. As the recent
case of Savvis shows, the effect can be ultimately
persuasive.
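A check of which requests reached a blocked netblock, as an added example (not the author’s firewall configuration): it assumes constructed proxy log lines of the form “client host resolved_ip”, the 64.235.246.0/24 block quoted above, and a second, made-up documentation range. Reporting the hostnames alongside the addresses gives the candidates for the Web filter’s ban list, which is what the “several redundant methods” amount to in practice: the firewall catches the address, the filter then catches the name.

```python
import ipaddress

# Netblocks to drop at the firewall (CIDR notation).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "64.235.246.0/24",   # DomainSponsor netblock quoted in the article
    "192.0.2.0/24",      # constructed example (RFC 5737 documentation range)
)]

# Constructed sample log lines: client, requested host, address it resolved to.
SAMPLE_LOG = """\
10.0.0.12 www.example.org 203.0.113.7
10.0.0.12 disny.com 64.235.246.21
10.0.0.15 www.example.net 203.0.113.9
10.0.0.20 typo-site.example 192.0.2.44
"""


def blocked_network(addr: str):
    """Return the blocked netblock that covers addr, or None if none does."""
    ip = ipaddress.ip_address(addr)
    for net in BLOCKED_NETS:
        if ip in net:
            return net
    return None


def hits_from_log(text: str):
    """(client, host, ip, netblock) for every line that went to blocked space."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, host, ip = line.split()
        net = blocked_network(ip)
        if net is not None:
            hits.append((client, host, ip, str(net)))
    return hits


def hosts_to_ban(text: str):
    """Distinct hostnames seen going to blocked space: ban-list candidates for the Web filter."""
    return sorted({host for _, host, _, _ in hits_from_log(text)})
```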
Anti-virus software.
It’s not optional. And it’s not enough to install it, you have
to keep it up-to-date — at one mail service provider I worked for,
this meant updating every six hours (via an automated script). And
you need to run it.
My current choice has become something of a PITA following the
latest upgrade to the AV software itself, as its auto-upgrade
feature isn’t working. Which adds yet another item to the list of
things I’ve got to get fixed or updated to feel moderately
comfortable about the state of my systems.
The big names are Sophos, Command Software (now Authentium),
Symantec, and Trend Micro, in no particular order and with copious
omissions, I’m sure. There’s also an FSF Free Software alternative,
ClamAV, worthy of note.
Oh, and a request: if you install AV software on your mail
system, turn off
the notification feature. Anti-virus software itself is a
nontrivial contributor to the spam problem. The messages are
all-too-often misdirected. Really, it’s not your problem, here.
Anti-adware/spyware software.
I’m using Ad-Aware from LavaSoft,
with largely good results if somewhat mixed operational
experiences. The free version of the software is highly
interactive, and it’s literally a ninety-step process to get all
ten systems updated. Lately, downloads and scans have been
mysteriously hanging, as I commented to Tim O’Brien during one
phone interview. There are other products; I’d recommend installing
at least one.
Coming from the GNU/Linux side of the house, one major
gripe against all of the products is the reluctance with which they
support automation or silent background operation. Instead, the
products launch at login time (why not scan periodically or
as-needed?), display splash-screens or tray icons, and often allow
non-administrative users to disable or close them. From a systems
management perspective: a nightmare.
Eternal vigilance.
Keeping your systems clean is an ongoing chore. Updates need to
be downloaded, logs need to be read, users need to be monitored
(having them cancel in-process scans is a major factor). One
frustration, of course, is that log-ons, already slow for domain
users, become slower still as your arsenal of system defenses swing
slowly into action. Users are understandably frustrated by this and
want to have things happen faster, and will close down what they
see as “things in the way”.
When you do find a problem (or worse: a suspected
problem), you’ve got another hassle on your hands: trying to sort
out the good, the bad, and the ugly. Default tools for getting
systems information on MS Windows systems are primitive at best,
often unhelpful, and vary widely across various OS products, and
even among releases of the same product. In particular, getting a
list of running processes, identifying how they were run, and
finding out which are or are not malevolent, is a nontrivial task.
Even once you’ve got a list, sorting out the mess is a chore.
The Task Manager is the usual first course of action, but it’s a
poor tool for the job: it provides little information, you can’t
print the output, and you can’t filter to processes of interest.
The site HijackThis
at SpyChecker is useful in that it lists many people’s process list
dumps, often with analysis. While you can’t always find out what’s
running, you can usually get close. Often simply entering an
executable’s name into Google (say: example.exe), will give useful
information. I’ve found that there are malicious programs with
innocent-looking names and innocent programs with malicious-looking
ones; it’s difficult to be sure. Under WinXP, there’s a
‘TASKLIST.EXE’ program which lists processes similarly to a Linux
‘ps’ command.
You want to check both your Startup folder(s) (if you have
multiple users) and the “Run” Windows Registry key, both of which
specify programs to be run at startup. Anything running out of
temporary folders is immediately suspect.
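The process-list and autostart triage described above, as an added example rather than a tool from the article: it assumes constructed input, a list of (image name, full path) pairs for running processes and a mapping of autostart entry names (Startup folder or “Run” key) to their commands. It applies the article’s rule that anything launched from a temporary folder is suspect, and extends the point about innocent-looking names with a second check: an image name that runs from more than one directory deserves a look.

```python
import ntpath
import re

# Folders the article treats as suspect launch locations (matched case-insensitively).
_TEMP_RE = re.compile(r"\\temp\\|\\tmp\\|\\temporary internet files\\", re.IGNORECASE)

# Constructed sample data: running processes and autostart entries.
RUNNING = [
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\Documents and Settings\kid1\Local Settings\Temp\svchost.exe"),
    ("update.exe", r"C:\WINDOWS\Temp\update.exe"),
]
AUTOSTART = {   # entry name -> command line, as found in the Startup folder / Run key
    "AVMonitor": r'"C:\Program Files\Example AV\monitor.exe" /tray',
    "helper": r"C:\WINDOWS\Temp\update.exe /quiet",
}


def in_temp_folder(path: str) -> bool:
    """True when the executable lives under a temporary folder."""
    return _TEMP_RE.search(path) is not None


def executable_of(command: str) -> str:
    """First token of an autostart command; a quoted path with spaces is kept whole."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def suspect_processes(running):
    """Running processes launched from a temporary folder."""
    return [(name, path) for name, path in running if in_temp_folder(path)]


def suspect_autostarts(autostart):
    """Autostart entries whose executable sits in a temporary folder."""
    return sorted(k for k, cmd in autostart.items() if in_temp_folder(executable_of(cmd)))


def name_collisions(running):
    """Image names seen running from more than one directory: a look-alike check."""
    dirs = {}
    for name, path in running:
        dirs.setdefault(name.lower(), set()).add(ntpath.dirname(path).lower())
    return sorted(n for n, d in dirs.items() if len(d) > 1)
```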
With the right tools, you can run a portscan of your system to
see how it’s talking on your network. GNU/Linux offers a great tool
for this, ‘nmap’, which is available on many “bootable” Linux
distributions. These are small (or not so small) collections of
GNU/Linux utilities that run from a CDROM, floppy disk, USB pen
drive, or other removable media, and don’t require installation on
your hard drive. LNX-BBC and
Knoppix are the two
best known, the former being technically oriented and the latter a
full end-user desktop on CD ROM. But that’s another essay.