Digital Threats Unmasked

Gaining a solid understanding of viruses, and spam so that YOU will not fall victim to it!

By David Risley Founder/Publisher, PC Mechanic, www.pcmech.com

With contribution by: Adam Deutschmann

Copyright 2007 PC Media, Inc. All Rights Reserved. www.pcmech.com

Table of Contents

Introduction ...... 5
Computer Viruses ...... 7
  What is a computer virus? ...... 7
  Who Programs Computer Viruses? ...... 9
  Types of Viruses ...... 16
  Virus Examples ...... 19
  How To Tell If You're Infected ...... 22
  Virus Prevention ...... 25
  Virus Removal ...... 29
  A Word on Hoaxes ...... 31
  Additional Resources ...... 32
Spyware ...... 34
  Types of Spyware ...... 37
  Adware ...... 38
  Browser Helper Objects ...... 38
  Browser Hijackers ...... 39
  Computer Barnacles ...... 40
  Dialers ...... 41
  Keyloggers ...... 41
  Malware ...... 42
  Spyware ...... 43
  Trojans ...... 44
  Worms ...... 45
  Other Terms To Know ...... 46
  Effects & Telltale Symptoms of Spyware ...... 49
  What Kinds of Tactics Are Used? ...... 51
  ActiveX ...... 51
  Fake Removal Tools ...... 53
  Misleading or Enticing Advertisements ...... 53
  Phishing ...... 56
  Downloads ...... 60
  Prevention Techniques ...... 62
  Administrator Accounts ...... 62
  ActiveX Security and Safety ...... 63
  Block Adservers & Spyware Servers ...... 64
  Browsing & Downloading Habits ...... 65
  Email Safety ...... 65
  Hidden File Extensions ...... 67
  IE AutoComplete Security Risk ...... 67
  IE Search Toolbars ...... 68
  Install a Firewall ...... 69
  JVM Security ...... 71
  Software Updates & Patches ...... 71
  Use an Alternative Browser ...... 72
  Windows Processes ...... 73
  Scanning Tools ...... 73
  Problem Specific Tools ...... 76
  The Spyware Removal Process ...... 77
  The Last Word ...... 81
Email SPAM ...... 83
  Why SPAM? ...... 85
  Understanding SPAM ...... 92
  Identifying SPAM ...... 98
  Hidden URLs ...... 99
  Javascript in Message Bodies ...... 101
  Random Characters ...... 101
  Email Addresses in Links ...... 102
  Personalization ...... 102
  Dirty HTML ...... 102
  Use of Affiliate Sites ...... 103
  How Did You Get Spam In the First Place? ...... 103
  Spam Damaging Your Computer? ...... 105
  Spam Laws ...... 108
  How To Stop Spam ...... 109
  Use a Junk Email Account ...... 110
  Spell Out Your Address ...... 110
  Contact Forms ...... 111
  Email Images ...... 111
  Using Javascript to Hide Emails ...... 111
  But, I Already Get Spam! ...... 111
  Don't Buy Anything ...... 111
  Don't Ever Reply ...... 112
  Keep Your Cool ...... 113
  Don't Open It ...... 113
  Report Spam ...... 113
  Read Website Privacy Policies ...... 113
  Check the "Do Not Mail" boxes ...... 113
  Secure Your Email Client ...... 114
  Spam Filters ...... 114
  How Filters Work ...... 115
  Reporting SPAM ...... 119
  Detective Work ...... 121
  And That is Spam ...... 127
Handing Your PC to Hackers in 9 Steps ...... 130
Appendix ...... 135
  Sample HOSTS File for Blocking Spyware Sources ...... 135

Introduction

The days of a computer being a self-contained little world are over. Today, an internet connection is almost a necessity. More and more of our computer activity is going online. Whether it be surfing the internet, using web-based services, chatting with friends or connecting up in social networks, there is so much going on online today that being forced to use a computer with no internet connection can make you feel like you just ported back to the dark ages.

With that pipeline to the internet comes a lot of freedoms. Freedoms to speak to others. Freedoms to share your work. Freedoms to chat, email, watch videos, you name it. But, over that pipeline, other things can travel as well. Things you don't necessarily want on your computer. It is a turf war. You are trying to defend your turf – your computer. Others are trying to stake a claim and make use of your computing real estate for themselves.

The internet really resembles the wild, wild west of long ago. Everybody fends for themselves and there are really no laws to speak of. Well, more accurately, there are laws to prevent some of these things, however they are simply not enforceable. Most activity on the internet can be done anonymously and that means that ill-intentioned people can operate almost carte blanche online. So, the thing to do is be educated so that you do not fall into their trap.

That is where this book comes in.

The threats today that you need to worry about are:

• Computer viruses

• Spyware

• Email SPAM

I am going to address each of these in an in-depth fashion. And I will also be giving you a lot of information so that you can avoid these threats altogether.

One thing to keep in mind is that the internet is NOT dangerous. Not at all. It just takes some basic education and knowledge to keep yourself out of trouble. It is very similar to learning how to drive. If a person was driving a car and did not know how to deal with the roads and the car itself, that person would be in danger and so would others around him. On the other hand, if that person knows how to do it, everything is fine. And as most of us know, driving a car is completely second nature after awhile.

Well, staying safe online is the same way.

Read on to learn how to stay safe at your digital wheel.

Computer Viruses

Computer viruses can be a matter of some confusion among computer users. Without understanding the nature of them, it is easy to get paranoid. However, a computer virus is actually a very simple thing and very easy to defend against.

What is a computer virus?

You might wonder why it is called a virus. Is your computer getting sick? Is it going to die? Obviously a computer is not made up of cells. It cannot get sick the same way a person does. So, why is it called a virus?

To understand this, let's take a look at the biological virus. Here is the definition of “virus” as given in Wikipedia:

A virus (from the Latin noun virus, meaning toxin or poison) is a sub-microscopic particle (ranging in size from about 15–600 nm) that can infect the cells of a biological organism. Viruses can replicate themselves only by infecting a host cell.

So, a virus infects a host and cannot operate without the power and energy of the host. The host is the thing which gets infected with the virus. So, what we have here is a parallel. An organic virus infects a host (person or animal), attaches to the cells of the organism and spreads. A computer virus does exactly the same thing. It infects your computer (the host) and uses it to spread. The only difference is that a computer virus is obviously not organic. Instead it is simply another software program, programmed by an actual person, but programmed specifically with the intention to do harm or otherwise produce an effect that will be noticed.

So, a computer virus would be defined as:

1. A program which is specifically designed to replicate itself. Copies may be exact duplicates or may perhaps even be slightly different in order to throw off anti-virus utilities looking for a particular signature.

2. The replication is done on purpose.

3. A virus has to attach itself to a host, in the sense that execution of the host program leads to execution of the virus.

To clearly understand what is happening here, it is important to realize that a computer is just a dumb machine that blindly executes whatever program instructions are fed into it. Programs can be large or small, and can have multiple purposes. Such a purpose could potentially be:

• To do harm to the host computer

• To spread to other computers

• To hide itself from anti-virus programs

From the computer's perspective, the computer virus is just another program to be executed. The computer obediently does what it is told by the computer virus, whether the owner likes it or not.

Who Programs Computer Viruses?

All computer viruses have an author. Each one was programmed by a real live person with the sole intent of creating a piece of software that will function like a virus. The people who create computer viruses are fairly technologically inclined, as they obviously have good programming skills. In fact, some virus programmers are actually employed as programmers. They are not employed to create viruses; rather, they may work for a large IT company performing legitimate programming but create viruses in their spare time. Or perhaps their creation of the computer virus was more or less a one-time thing on their part, just to see if they could do it. Which leads us to ask: why would a person create a computer virus? Reasons could include:

• Seeing if they can do it

• Getting revenge (on a company, for example)

• To generally create trouble

• To gain notoriety and see if they can get their work talked about in the press

• To combat boredom

To get an idea of the type of people who create computer viruses, we can look at the profile of a young virus programmer named Mario, published in a 2004 New York Times article by Clive Thompson:

Mario stubs out his cigarette and sits down at the desk in his bedroom. He pops into his laptop the CD of Iron Maiden's ''Number of the Beast,'' his latest favorite album. ''I really like it,'' he says. ''My girlfriend bought it for me.'' He gestures to the 15-year-old girl with straight dark hair lounging on his neatly made bed, and she throws back a shy smile. Mario, 16, is a secondary-school student in a small town in the foothills of southern Austria. (He didn't want me to use his last name.) His shiny shoulder-length hair covers half his face and his sleepy green eyes, making him look like a very young, languid Mick Jagger. On his wall he has an enormous poster of Anna Kournikova -- which, he admits sheepishly, his girlfriend is not thrilled about. Downstairs, his mother is cleaning up after dinner. She isn't thrilled these days, either. But what bothers her isn't Mario's poster. It's his hobby.

When Mario is bored -- and out here in the countryside, surrounded by soaring snowcapped mountains and little else, he's bored a lot -- he likes to sit at his laptop and create computer viruses and worms. Online, he goes by the name Second Part to Hell, and he has written more than 150 examples of what computer experts call ''malware'': tiny programs that exist solely to self-replicate, infecting computers hooked up to the Internet. Sometimes these programs cause damage, and sometimes they don't. Mario says he prefers to create viruses that don't intentionally wreck data, because simple destruction is too easy. ''Anyone can rewrite a hard drive with one or two lines of code,'' he says. ''It makes no sense. It's really lame.'' Besides which, it's mean, he says, and he likes to be friendly.

But still -- just to see if he could do it -- a year ago he created a rather dangerous tool: a program that autogenerates viruses. It's called a Batch Trojan Generator, and anyone can download it freely from Mario's Web site. With a few simple mouse clicks, you can use the tool to create your own malicious ''Trojan horse.'' Like its ancient namesake, a Trojan virus arrives in someone's e-mail looking like a gift, a JPEG picture or a video, for example, but actually bearing dangerous cargo.

Mario starts up the tool to show me how it works. A little box appears on his laptop screen, politely asking me to name my Trojan. I call it the ''Clive'' virus. Then it asks me what I'd like the virus to do. Shall the Trojan Horse format drive C:? Yes, I click. Shall the Trojan Horse overwrite every file? Yes. It asks me if I'd like to have the virus activate the next time the computer is restarted, and I say yes again.

Then it's done. The generator spits out the virus onto Mario's hard drive, a tiny 3k file. Mario's generator also displays a stern notice warning that spreading your creation is illegal. The generator, he says, is just for educational purposes, a way to help curious programmers learn how Trojans work.

But of course I could ignore that advice. I could give this virus an enticing name, like ''britney--spears--wedding--clip.mpeg,'' to fool people into thinking it's a video. If I were to e-mail it to a victim, and if he clicked on it -- and didn't have up-to-date antivirus software, which many people don't -- then disaster would strike his computer. The virus would activate. It would quietly reach into the victim's operating system and insert new commands telling the computer to erase its own hard drive. The next time the victim started up his computer, the machine would find those new commands, assume they were part of the normal Windows operating system and guilelessly follow them. Poof: everything on his hard drive would vanish -- e-mail, pictures, documents, games.

I've never contemplated writing a virus before. Even if I had, I wouldn't have known how to do it. But thanks to a teenager in Austria, it took me less than a minute to master the art.

Mario drags the virus over to the trash bin on his computer's desktop and discards it. ''I don't think we should touch that,'' he says hastily.

Not all authors of computer viruses actually spread their work. Some do it just to see if they can. Others will publish their work on the web with full documentation for the purposes of educating or for bragging rights. While they might not personally spread the virus, somebody else will.

The people who work to spread computer viruses, whether they are the authors or not, are usually people who are out for mischief. These people are called “script kiddies”. This is a slang term, usually thought of as derisive, which is used to refer to young hackers, often of high school or college age, who take the work of others and release it into “the wild”. In the world of computer viruses, “the wild” is used to refer to the world outside of the “lab” where the virus was originally created. Many times, a “script kiddy” does not have the necessary skills to create a virus on their own. However, they have a mischievous side to them and they download the work of others and release it, often claiming they are the author.

Essentially, this means that the spread of computer viruses is the combined work of two groups of people: (1) the original programmer who did it for fun, the challenge, or perhaps something more dark, and (2) the person who is naïve and stupid enough to release that virus onto the unwitting public. Sometimes these script kiddies actually are pretty naïve, too. Sometimes they will download the virus and modify the source code to include their own identity or the URL to their personal website. This, of course, is designed to lend “street cred” to their supposed programming skills and gain them some fame. Unfortunately for them, it also makes them a lot easier to track down and prosecute by the authorities.

The script kiddy is the obvious bad guy here, but the person who actually programmed the virus is certainly at fault as well. Unfortunately, the law is not so clear. If the programmer is approached, they may admit that they created it but will quickly note that they did not release it into the wild. Legally, then, they didn't really do anything. The truth is, though, that many of these virus authors put the code online knowing full well some script kiddy is going to come along and let it loose. So we really are looking at havoc by proxy.

Not all virus writers are trying to cause harm. Sometimes viruses are programmed simply to be noticed. For example, some viruses are set to simply display a message right in the middle of the screen. No harm done, but it is definitely noticed by the owner of the infected machine.

Some viruses are programmed specifically to exploit a new hole found in certain software or operating systems. Microsoft Windows and other software by the company are a pretty common target. In fact, Microsoft finds itself a common target for virus writers who are particularly hostile toward the company. These programmers actually blame Microsoft for the troubles caused by the viruses, saying that it could not occur if the company released more secure products. Many virus writers resent the fact that Microsoft is so successful and is used on so many computers. They take pride in causing trouble for the software giant. At the same time, the typical end user of Microsoft Windows is not always computer literate, and this makes for easy victims. If the user of Windows doesn't know enough to avoid infections (as is common for many new computer users), it is really easy for infections to spread.

It is really hard to say if Microsoft finds itself a target because of its poor product quality or simply because it is the “big dog” in the industry.

The virus scene is oddly very social. Many viruses are created solely for the bragging rights and the “street cred”. Virus programmers are very intelligent. They may not be the most socially adept, and they find friendship with other programmers. They are often very libertarian and do not like to conform to societal norms. Many of them have a chip on their shoulder. Perhaps they got fired by a company and want to get back at them. Perhaps they want to take a poke at the industry after failing to get a job.

Most virus writers are quick to justify what they do. They are quick to say that they are not the ones spreading the virus. They have simply created a program that is designed to self-replicate but it is the actions of the end user that allows the process to proceed. They argue that they cannot be held accountable for the naïve actions of somebody else. This is a very similar argument as is sometimes used with guns. The virus creator may have created the gun, but they can't be blamed for what the gun is used for. Virus programmers don't spread viruses – people do.

For those who fight viruses, casual virus programmers and “script kiddies” are not the real threat. Sure, they can create a lot of trouble. However, it is fairly predictable and it can be dealt with. What keeps them up at night are the more sinister ones – those viruses designed specifically for criminal purposes.

Types of Viruses

Not all computer viruses are equal. After all, virus writers are often trying to impress their colleagues. Nobody would be impressed if they all did the same thing. So, yes, there is a lot of variety, not only in what the viruses do and how they spread, but also in methodology.

We can classify this whole area into the following:

• Computer virus. A small piece of software that is designed to piggyback on other programs to work and spread. For example, a virus may be designed to attach itself to a particular operating system file. Whenever a particular operation is performed on that computer, the file is run. The virus is also run, leading to the virus spreading and doing what it was designed to do.

• Email virus. An email virus is designed to spread specifically through email. It does not tack itself onto other software. Instead it takes advantage of email. For example, it may be spread by email attachment. Whenever a user opens the attachment, it will run the virus. Typically the virus will automatically and invisibly email itself to other email addresses in your email software, such as your contacts. Some email viruses are even designed to not specifically require the user to open the file. Simply by previewing the email in the email viewer, it could execute the virus.

• Trojan Horses. A trojan is a program that disguises itself as one thing while actually doing another. For example, a trojan may masquerade as a movie file, screensaver, or perhaps a picture file. When “opened”, the trojan will infect the PC.

• Worm. A worm is a piece of software that is designed to take advantage of security holes in software or networks in order to spread. When it spreads to a computer, it will begin to scan the network for other computers with the same security hole. If it finds an available host, it will spread itself.

Within these virus types, we have some other different classifications:

1. Boot Virus: A boot virus is designed to infect the master boot record of the hard disk. The master boot record is that area of the hard drive which is responsible for booting your computer when you turn it on. When a virus is able to infect this section of your hard disk, it will be executed immediately after you turn on your computer, before your operating system even has a chance to load.

2. Program Virus: This is a virus which is run just like any other program on your computer. Such a virus may have a file extension like BIN, COM, EXE, DRV (driver file) or SYS (system driver). When the program is run, the virus is executed as well and becomes active in system memory.

3. Stealth Virus: This is a computer virus which is designed specifically to avoid detection by anti-virus software. It may do this by redirecting the drive's read/write head to another sector if the sector the virus is on is accessed.

4. Multipartite Virus: This is a combination of boot virus and program virus. The virus is executed as a normal program but, when run, will then infect the master boot record. A program which is designed to install a virus is often called a dropper.

5. Polymorphic Virus: A virus that will encrypt itself in different ways so as to look different each time it is spread. This makes detection harder for anti-virus programs.

6. Macro virus: This is a virus designed to take advantage of the macro capability of many types of documents, such as Microsoft Word. When the document is opened that is infected, the macro virus is activated and run. The virus may be designed to infect the Normal.dot file (the document template for all Word documents created by default) which would mean that all Word documents you create after infection will also contain the macro virus.

7. ActiveX: ActiveX is a Microsoft-created way of allowing small applets to run on your computer directly from the web browser. For example, when you run inside of , you will notice that it is updating your computer by way of Internet Explorer. Well, this same interface opens up a whole world of potential security breaches. ActiveX could be used to run other software code as well, even if not created for helpful purposes.

8. Cross-Site Scripting: This is a type of vulnerability that is more or less exclusive to web-based applications. Essentially, a security hole would exist in the website which would allow the attacker to inject their own programming code into the webpages viewed by other people.

As you can see, there are a lot of very creative ways to breach the security of your computer. As software on our computers gets larger and introduces more features, more and more effort is made to make things more convenient. However, convenience sometimes means opening things up to security breach. Since virus authors are just as creative as the programmers of your favorite software, there are about as many avenues of attack as there are programs available to your computer.

Virus Examples

There are new viruses, worms and trojans coming out all the time. The volume of new virus activity is actually pretty staggering. Some worms and viruses end up becoming more famous than others due to the speed of spread or the type of damage they cause. This, of course, is what the creator of the virus wanted – media coverage and notoriety. The larger majority of viruses do not end up creating much of a ripple. Others can create tidal waves.

Let us look at a few examples of computer virus and/or worm:

1. Nyxem: This worm was discovered in the beginning of 2006. The worm spread itself by using mass email. It was designed to activate on the 3rd of each month, about 30 minutes after the computer starts up. The worm was designed to do many things. For example, it would try to disable security software installed on the computer as well as attempt to destroy certain kinds of files. When executed, it would attach itself to rundell16.exe, scanregw.exe, update.exe and winzip.exe. The most common type of email carrying this worm was one advertising Viagra. For more information, read about W32.Blackmal.E@mm at Symantec.

2. Samy (XSS): This was a cross-site scripting virus designed to use Myspace.com to spread. When infected, the virus would display the words “but most of all, Samy is my hero” on the Myspace profile of the infected person. When a user viewed that profile, they would have the same thing planted onto their own Myspace profile. The virus was relatively harmless, only designed to automatically make a friend request to the author of the virus. By attaching itself to Myspace, one of the most popular sites on the entire internet, Samy was able to spread to over one million users in less than 24 hours. Myspace sued the creator of the virus and he was ultimately sentenced to three years probation.

3. Sasser: Sasser was a computer worm sometimes referred to as “the Big One”. It spread itself by finding a vulnerable network port on computers powered by Windows XP, Windows 2000 and some versions of Windows 98. The worm would result in random crashes to Windows. Due to the popularity of Windows itself, the worm was able to spread quickly and have many side effects. It managed to cause Delta Air Lines to cancel several transatlantic flights because their computers were down. The AFP news agency had its satellite communications down for several hours.

4. Mydoom: This was another famous worm that spread quickly by way of mass email over computers powered by Windows. The worm spread by way of emails that looked to be error emails, such as “Mail Delivery System”, “Test”, or “Mail Transaction Failed”. The email had an attachment that, if executed, would infect the PC with the worm. The worm would then scan for email addresses locally on the infected computer (such as in the Address book) and email everybody in it. Once infected, the PC would serve as a zombie for spammers, allowing back door remote control of the computer via port 3127. A second version of the worm would block internet access to Microsoft as well as the sites of many anti-virus software vendors, thereby blocking access to updated virus definitions and updates to Windows. You can get more information at Viruslist.com.

5. SoBig.F: SoBig was a very well known computer worm that was also a Trojan. It spread by way of e-mail yet again, however it was also a Trojan because the email was designed to look like something benign. The email would typically have a subject line like “Re: Approved”, “Re: Thank you!” or “Re: Your application”. These subject lines were designed to trick the user into thinking it was a legitimate email and even a reply from an email they had sent earlier. The email would contain the text “see the attached for details” and would contain an attachment, usually with a PIF file extension. Opening the attachment would infect the PC. The worm infected internet-enabled, Windows-powered computers.

6. Blaster: This worm infected Windows powered PCs as well and was designed to launch a denial of service attack on windowsupdate.com. A denial of service (DoS) attack is when a particular server is so overloaded with incoming requests that it cannot handle legitimate requests. So, the idea was to have infected computers simultaneously hammer the Windows Update site such that the service went offline. The worm was fairly easily stopped and the rapid spread of the worm was eventually mitigated. The worm was also known as Lovsan because inside the source code of the virus was the line “I just want to say I love you San”. Notably, though, there was another line which read “Billy Gates why do you make this possible? Stop making money and fix your software!!”.

Those viruses that make the most press are often worms due to the volatility with which they can spread. Also, Microsoft Windows often makes the biggest target.

How To Tell If You're Infected

There are a lot of different worms and viruses out there. You may think that the entire thing is beyond your control. However, it really is no more beyond your control than a biological virus. A biological virus, when it infects the host, becomes apparent by way of certain observable symptoms. You are not going to get a little notification on your screen saying “You are infected with the BLAH virus”. Instead, you will begin to notice things that are out of the ordinary.

Here are some typical signs that your computer may be infected with a computer virus:

1. The PC has slowed down noticeably and programs take longer to load.

2. The time-stamp on files may change. When a virus attaches itself to one of your files, it has to modify that file and this will result in the time-stamp (the date last modified) of the file being updated. If you notice a file that has been updated when it shouldn't have, this may be a sign.

3. Increased level of disk access. The hard drive may get very busy or may be accessed when you are not doing anything. The floppy diskette drive (if you have one) may be accessed without explanation. With the hard drive, it is easy to confuse this activity with normal operating system maintenance activity.

4. Increased use of disk space without explanation – caused by the virus spreading in your files and attaching itself.

5. Errors about attempts to write to write-protected files or folders.

6. Strange characters appearing in file or folder names.

7. Strange messages appear on screen or in your documents.

8. Strange graphical displays on screen, such as falling letters or some other attention-getting display.

9. Overall instability, random crashes.

10. Documents overwritten with garbled text.

It is also worth noting that it is possible that your computer has trojans or other viruses lying dormant on the machine without your knowledge. For example, most people will routinely get viruses emailed to them. This is not really a matter of concern because, in most cases, you have to actually open the attachment to begin infection. Besides, your virus scanner should detect these. Via one method or another, it is not uncommon for a computer to have various malware installed without the owner knowing about it. You will not notice any symptoms simply because the computer is not officially infected until the malware is actually executed.
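Signs 2 and 4 above (time-stamps that change and files that grow without explanation) and the dormant, not-yet-executed files just mentioned are much easier to catch by comparing a recorded baseline than by eye. The following is an added example, not from the book: a small Python baseline-and-compare check. The directory layout, file names and the bytes appended in demo() are constructed for the demonstration; the file names echo the hosts the chapter lists for Nyxem.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not the book's own code): record size, last-modified time and
# a SHA-256 digest for every file under a directory, then compare two such
# records. A content hash is used as the primary signal because a stealth
# virus may restore a file's time-stamp after modifying it; the time-stamp
# and size are kept because they are what a user would notice first.


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large program files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map each file's path (relative to root) to (size_bytes, mtime, sha256)."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            stat = path.stat()
            baseline[str(path.relative_to(root))] = (
                stat.st_size, stat.st_mtime, _sha256(path))
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Classify the differences between two baselines.

    'modified'       files whose content hash changed (sign 2: a host file
                     rewritten when it should not have been)
    'grown'          bytes gained by each modified file (sign 4: a virus
                     attaching itself to a host makes it larger)
    'timestamp_only' time-stamp moved but content identical; harmless alone
    'added'          files that did not exist before (a dropped, dormant file)
    'removed'        files that disappeared
    """
    report = {"added": [], "removed": [], "modified": [],
              "grown": {}, "timestamp_only": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report["added"].append(name)
        elif name not in new:
            report["removed"].append(name)
        else:
            old_size, old_mtime, old_hash = old[name]
            new_size, new_mtime, new_hash = new[name]
            if old_hash != new_hash:
                report["modified"].append(name)
                if new_size > old_size:
                    report["grown"][name] = new_size - old_size
            elif new_mtime != old_mtime:
                report["timestamp_only"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a directory, then simulate a file
    infector appending itself to one program and dropping a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "winzip.exe").write_bytes(b"MZ" + b"\x00" * 1000)  # constructed stand-in
        (root / "notes.txt").write_bytes(b"meeting at 10")
        before = build_baseline(root)
        # Simulated infection: the host program grows by an appended block
        # (190 constructed bytes) and an unexpected executable appears.
        with (root / "winzip.exe").open("ab") as handle:
            handle.write(b"CONSTRUCTED-PAYLOAD" * 10)
        (root / "update.exe").write_bytes(b"MZ-constructed")
        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the baseline should be taken right after a clean install or a clean scan and stored off the machine, since a virus that can rewrite program files can rewrite a baseline kept beside them.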

Microsoft Windows is the most common attack point for virus writers. According to statistics, there are over 140,000 known viruses for Windows, around 4,000 for MS-DOS, and only 30 for Linux and 1 for Mac OS X. So, if you are running a computer powered by Microsoft Windows, this is certainly a problem you need to concern yourself with.

This is not to say that Linux and OS X users are immune. As noted earlier, many virus writers have a particular bone to pick with Microsoft. Perhaps they are jealous over the company's success and just want to poke holes in their software. Whatever the motive, the popularity of Windows also makes it an ideal target. The user population of OS X and Linux is nowhere near as large as that of Windows, making it not as attractive as a target.

If a virus writer is trying to create an effect, they will go where the people are. If more end users migrate to OS X or Linux, those operating systems will begin to find themselves the target for these same kinds of security breaches. Users of Linux and OS X like to brag that those operating systems are immune from computer viruses. This is almost definitely not the case. The truth is only that those systems are not as attractive a target because not as many people use them.

Virus Prevention

Now that we have covered the general background of computer viruses, it all comes down to one thing: how do you prevent it? The good news is that it is very easy to prevent and it is not going to take long to explain this to you.

Here are the general preventative techniques. Some of these will be obvious. Others perhaps not as much.

1. Install and use an anti-virus program. I will list some options for you below. This single act will prevent almost any type of infection you can have.

2. Enable any real-time monitoring that comes with your security suite. This will watch your computer for any signs of infection at the time of execution.

3. Set the update schedule on automatic for your anti-virus software so that you do not rely on your memory to keep your virus definitions up to date.

4. Allow the software to perform a full system scan of your hard drives for viruses at least twice per month.

5. Be sure to virus scan ALL software and attachments that come from the internet.

6. Just in case, prepare a rescue disk with critical system files that will allow you to boot the computer in case of a serious issue that keeps the system from properly booting.

7. Go into your BIOS and make the C drive your primary boot drive. In other words, place the C drive first in your boot order. This will mitigate somewhat the effect of boot record viruses from external media such as floppies.

8. Do not download or install software from questionable sources, such as sites with illegal “warez” software. In short, any pirated software site or porn site is a sure-fire way to get your computer infected quickly.

9. Keep your operating system patched with the latest updates. Users of Windows need to run Windows Update fairly often because they are always finding and patching vulnerabilities in that operating system.

10. Treat all email suspiciously if it has an attachment. Even if the email looks like it came from a close friend or family member, the virus examples above should show you that sometimes that only means your friend or family member has an infected PC.

11. Regularly back up your files. Should the worst happen, you can always get your data back from backups.

The chance is probably as high as 99% that any virus that makes its way to your computer will do so via your internet connection. So, as long as you have your defenses up on things coming IN to your computer, you will be fine. The primary focus of attention will be on your email and anything that you download. Keep in mind that when you are surfing the internet, you are downloading code in order to display websites. So, surfing the internet counts as downloading and needs to be watched as well.

There are a lot of different options out there for anti-virus software:

1. Norton Antivirus. This is perhaps the most popular option and is a quality product. Symantec is a leader in anti-virus and you are generally in good hands using their product. www.symantec.com

2. Kaspersky Anti-Virus Personal. Another good anti-virus suite, with a team that is very quick to respond to a newly discovered virus and release updated definitions. www.kaspersky.com

3. McAfee VirusScan Plus. Another good scanner, also including SiteAdvisor which supposedly helps you against spyware and phishing sites. www.mcafee.com

4. Panda Antivirus. Guards against viruses and spyware with a light system footprint. www.pandasecurity.com

5. F-PROT Antivirus. Defense against viruses, spyware and malicious ActiveX controls. Also allows for command line scans in Windows safe mode. www.f-prot.com

6. AVG Anti-Virus. Another quality product, most notable for also having a FREE personal edition available, creatively called AVG Anti-Virus Free Edition. The free version works quite well for typical home use. www.grisoft.com free.grisoft.com

7. Nod32. A very fast and lightweight anti-virus scanner which has been around for years. Definitely a good option if system performance impact is of major concern to you. www.eset.com

There are many, many others. Obviously, with the prevalence of the threat and the fact that so many people use Windows, a lot of companies have gotten on the bandwagon offering their own security suites for Windows.

A user of Mac OS X also has some antivirus options available to them, although it is debatable that they have a strong need to have anything installed. If they do wish to have something, a Mac user might try:

1. ClamXav. A free virus checker for Mac OS X. www.clamxav.com

2. Norton Antivirus for Mac. www.symantec.com/nav/nav_mac/

3. Sophos. www.sophos.com

4. McAfee VirusScan. www.mcafee.com/us/enterprise/products/anti_virus/file_servers_desktops/virex.html

Virus Removal

Anti-virus software mostly works the same way. It scans your hard drive for particular signatures that indicate a known computer virus, as contained in the virus definitions supplied by the company. If it finds a sign of a virus, it will typically offer to quarantine or delete the infected file. Quarantining the file will place it in an area tightly controlled by the anti-virus software so that it cannot infect the computer.
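As an added illustration of the signature-scan-and-quarantine cycle just described (this is example code written for this page, not PC Mechanic's or any vendor's product), the following Python script matches files against a constructed definition set holding the two common kinds of signature, a whole-file SHA-256 digest and a byte pattern found inside the file, and moves anything it detects into a quarantine directory where it cannot be run. The sample files, definition names and byte markers are all made up for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed definition set (not a real vendor's definitions, which are far
# larger and updated continuously). It shows the two common signature kinds:
# a digest of the whole file, and a byte pattern found anywhere inside it.
SAMPLE_DROPPER = b"MZ\x90\x00 constructed-sample-dropper-not-real-malware"
DEFINITIONS = {
    "hashes": {
        hashlib.sha256(SAMPLE_DROPPER).hexdigest(): "Constructed.Dropper.Sample",
    },
    "patterns": {
        b"constructed-keylogger-marker": "Constructed.Keylogger.Sample",
        b"constructed-hijacker-marker": "Constructed.Hijacker.Sample",
    },
}


def scan_bytes(data, definitions=DEFINITIONS):
    """Return the names of every definition that matches the file contents."""
    hits = []
    name = definitions["hashes"].get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for pattern, name in definitions["patterns"].items():
        if pattern in data:
            hits.append(name)
    return hits


def scan_file(path, definitions=DEFINITIONS):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), definitions)


def quarantine(path, quarantine_dir):
    """Move a detected file into the quarantine directory.

    The file is renamed so no file-type association will launch it and is
    made read-only; the directory is owner-only. (On Windows os.chmod only
    toggles the read-only attribute, so a real product also sets ACLs.)
    """
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0o400)
    return dest


def scan_tree(root, quarantine_dir, definitions=DEFINITIONS):
    """Scan every regular file under root and quarantine detections.

    Returns {original_path: [definition names]}.
    """
    report = {}
    qdir = os.path.abspath(quarantine_dir)
    for dirpath, _, filenames in os.walk(root):
        if os.path.abspath(dirpath).startswith(qdir):
            continue  # never rescan files already quarantined
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            hits = scan_file(path, definitions)
            if hits:
                report[path] = hits
                quarantine(path, quarantine_dir)
    return report


def demo():
    """Build a constructed directory tree, scan it, and report what happened."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    samples = {  # constructed sample files, one clean and two "infected"
        "notes.txt": b"Just a clean text file.",
        "setup.exe": SAMPLE_DROPPER,
        "toolbar.dll": b"\x00\x01 constructed-keylogger-marker \x02",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    qdir = os.path.join(root, "quarantine")
    report = scan_tree(root, qdir)
    result = {
        "detections": {os.path.basename(p): hits for p, hits in report.items()},
        "left_in_root": sorted(f for f in os.listdir(root) if f != "quarantine"),
        "quarantined": sorted(os.listdir(qdir)),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Run as a script it scans a temporary directory it builds itself; point scan_tree() at a real folder to try it on your own files. Real products add far more: unpacking archives, heuristics, real-time hooks and, above all, definitions that are updated daily. To confirm that a real scanner is working, use the EICAR test file, a harmless string every vendor's scanner is built to detect, rather than a live virus.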

Anti-virus programs work best as a line of defense. In some instances, they can repair the damage after infection. In others, they cannot. So, what do you do if your computer is already infected by a computer virus?

The best thing to do is first spot exactly which virus is infecting your computer. Usually your anti-virus program will identify this for you. Next (and only if your antivirus program cannot do it for you), you will need to go online and search for removal instructions for the virus that you have. Usually you will find information on the major sites of antivirus software vendors. For example, Symantec maintains a library of removal tools for various viruses at: www.symantec.com/business/security_response/removaltools.jsp

If there is no removal tool to automate the job for you, you can often find step-by-step instructions on how to remove it manually. The removal process is often neither quick nor easy, depending on the nature of the virus you are infected with.

A particularly bad virus may render your computer unbootable. In this case, you will not be able to use your anti-virus software as usual in order to detect and/or remove the virus. The good news is that most good anti-virus programs give you the ability to create a rescue disc. This rescue disc is usually bootable so that you can boot the machine even if Windows cannot. It will then automate the process of scanning for viruses without ever going into Windows. If Windows itself will not work, this is usually your only way to fix the problem.

Another option may be to go into Windows safe mode and attempt to run a virus scan that way. Safe mode is a reduced mode of running Windows. In safe mode, all startup software, services and many drivers are usually disabled. This allows you to run Windows without any of the payload which may be allowing the virus to operate. You can get into safe mode by rebooting your computer and pressing the F8 key BEFORE the Windows logo appears on screen. You may need to hit F8 several times to ensure the system detects it. You will then get a boot menu. Option 3 will be to enter safe mode. Once in safe mode, run your anti-virus software and/or perform the manual removal actions for a virus you know you are infected with.

If your computer gets infected with a particularly bad virus that does real harm to the files on your drive, your only option may be to format the computer and re-install Windows. This is a last resort, only if the computer is so far gone that you are pretty sure you will not be able to recover it properly. In this case, your data backups (which you should have) will come in handy. You will need to format the drive, re-install all your software, then restore your data files from your backup.

If you do not have valid or up-to-date backups, there is yet another option available to you. In order to do this, you will need a second hard drive.

1. Install the second hard drive in your computer and re-install all of your software to the NEW hard drive.

2. Next, attach your old, infected hard drive to the computer as a second drive. If it is an IDE drive, connect it as a slave. If it is a SATA drive, simply connect it.

3. When you reboot the computer, make sure to go into your BIOS and make sure the NEW drive is designated as the bootable drive so that your computer does not attempt to boot with the infected drive.

4. Once the computer has completed booting, use your anti-virus software to scan all of your data files on the old drive (which should be available in Windows Explorer as a second hard drive).

5. Only once the files check out as completely clean should you copy those files over to your new hard drive.

A Word on Hoaxes

The world of computer viruses is not always understood by people. Often that lack of understanding can lead to unnecessary worry. This has given rise to virus hoaxes. A virus hoax is meant to simply scare people and has no actual harm potential to anybody's computer. It is simply a practical joke and, cleverly done, can result in thousands of people forwarding it around thinking it is legitimate. Those who have fallen for it are simply trying to warn people. Those who created it laugh the whole way.

How do you spot a virus hoax?

1. If it comes from a friend or family member, it is usually forwarded with the hopes of warning you. If you search the internet for any of the facts in the email, you will usually find others are calling it a hoax.

2. If the email encourages you to forward the email to as many people as you can, it is usually a hoax. A real warning would refer you to a respected source for information.

3. If the email contains a bunch of technical jargon, don't fall for it. Sometimes the hoax creators take advantage of the public's lack of technical knowledge to fool them into thinking they know what they're talking about. Even a janitor can appear as a doctor if they use enough Latin words! Don't fall for it.

If you suspect that you have gotten a virus hoax email, do not forward it. If you find clear evidence that it is a hoax, reply to your friend and tell them they just got duped. It will at least keep them from emailing it to others.

Additional Resources

- Computer Knowledge Virus Tutorial http://www.cknow.com/vtutor/index.html

- Computer Virus/alt FAQ http://www.landfield.com/faqs/computer-virus/alt-faq/

- Essential Free Tools for Removing Spyware, Adware and Malware http://www.pchell.com/support/spywaretools.shtml

- Symantec Threat Explorer http://www.symantec.com/business/security_response/threatexplorer/index.jsp

- List of Antivirus Software http://en.wikipedia.org/wiki/List_of_antivirus_software

- List of Computer Viruses http://en.wikipedia.org/wiki/List_of_computer_viruses

- The WildList Organization International http://www.wildlist.org/

- Trend Micro Virus Information http://www.trendmicro.com/vinfo/

- avast! Virus Cleaner – free virus removal tool http://www.avast.com/eng/avast-virus-cleaner.html

Spyware

Spyware: a term computer users have been hearing about more and more often during their travels through the World Wide Web, or through visits to the repair shop.

Spyware is something that has been becoming increasingly common on systems. A system brought online with no protection is completely vulnerable within the first few minutes it is connected to the Internet. Statistically speaking, you have about 20 minutes before the system is completely loaded up with spyware and malware. It has become a more common problem than virus infections. Most forms of spyware do not outright destroy your computer system, but rather create various annoying issues and also result in an overall negative impact on system performance. It can sometimes render the speediest 3.2GHz system helpless, making it act like an old 266MHz machine on a good day. For you, the user, there has yet to be an instance where spyware helped in any way while remaining free of negative side effects. Spyware infests your system, compromises privacy and security, and goes on to bog down system performance and Internet bandwidth.

Taken down to its simplest form and to be quite general, spyware is a software technology that assists in information gathering. The kind of information being gathered depends on how the spyware was written and what it was made to target. Once installed on a system, it can collect password data, bank and credit data, information on web surfing habits, email addresses, or just about anything else that you may consider a breach of privacy. This information is gathered from your computer and then relayed over the Internet to advertisers and any other interested parties, as allowed and directed by the piece of spyware. This definition, however, does not include or apply to all forms of software that fall under the heading of "spyware".

The Internet can be a great place to visit and can contain a wealth of information that is made readily available at your fingertips, but like anyplace else, you must exhibit a certain degree of caution while making your way around. Wariness coupled with awareness can go a long way to help combat spyware.

A common excuse for not making a good effort at system security is this: "I don't keep sensitive data on my computer. Why would anyone care to hit my computer with spyware and malware?" Machines that can be easily compromised are usually turned into servants for launching larger attacks, and their Internet connection is flooded as a result. In other words, without adequate protection your system will quite easily be turned into a zombie computer, which goes on to hurt other computer users. Additionally, there can be a significant amount of data transferred while your computer is serving as this kind of host, and many ISPs have limitations on a user's monthly bandwidth, the penalty for which can include a speed cap or disconnection of service.

If you're a firm believer in the argument that you "don't have any important data on your machine," just take into consideration that your computer has the potential for conducting illegal activities and privacy invasion. Like owning a car, owning a computer comes with certain responsibilities that must be fulfilled so that harm does not befall others on the information superhighway.

The first known recorded use of the term "spyware" reputedly appeared in a Usenet post on October 16, 1995 that took a humorous stab at Microsoft's business model. The term "spyware" was applied to espionage equipment until its next appearance in 1999. Zone Labs used the term in a press release for their new Zone Alarm Personal Firewall software. From then on, the term "spyware" has been applied as we know it today. The first anti-spyware program, OptOut, was released in 2000 by Steve Gibson of Gibson Research, as the result of the growing problem of spyware. Other spyware removal and prevention tools have since surfaced.

Spyware almost always comes as "extra baggage" from sites providing "shady" content, such as pornography, warez, and game cheats. ActiveX pop-ups asking for permission to install software modules are another method. They usually go hand-in-hand with sites containing "shady" or "underground" content.

Another large source of spyware is downloaded shareware or freeware programs. Licensing agreements included with downloaded software sometimes warn the user that some sort of spyware program will be installed along with the main software package. However, the spyware notices in licensing agreements are usually difficult to locate, as they are often seeded within lengthy, hard-to-read legal disclaimers. That said, this doesn't mean that all freeware and shareware programs contain spyware.

Some file sharing networks, such as KaZaa, have been flooded with all sorts of malicious files and programs, and what you may be downloading might not be what you think it is.

All in all, there's no such thing as a "free lunch" when it comes to illegitimate software and "free" underground content.

As of now, spyware itself is not illegal. It is simply software that is freely downloadable off of the Internet. The only recognized form of illegal software is known as "warez". However, this doesn't make all of the activities performed by spyware legal. Some of them are quite illegal. Because of the array of illegal activities that can be spawned from spyware, the U.S. Courts have been tossing around the issue of spyware and its legality. No formal decision has yet been reached. There is, however, an Anti-Spyware bill floating around the U.S. Legislative system that is undergoing amendments. The details of the most recent actions concerning this bill can be found in Wired News. As for the actual bill itself, a readable copy can be found here.

Types of Spyware

The single, all-encompassing term "spyware" is more or less a misnomer, for there are a number of different kinds of software that engage in data harvesting and come under the broad, umbrella-like term "spyware". Spyware is loosely related to viruses, with Trojans and worms being the closest relatives, but there is a fine line of difference. Viruses are typically self-replicating. They can copy themselves and spread from computer to computer through security holes and exploits, as well as relying on a user's poor security habits to quietly slip into an unguarded system. Spyware usually relies on a user's ignorance and credulity to infect a system and does not engage in replication. So, in effect, the first and best form of prevention is awareness.

Adware

Adware, or advertising-supported software, is basically software that displays advertisements on your computer. Adware by itself does not threaten privacy or security. It is not usually written with the intent to vandalize computer systems or the Internet. Fundamentally, there were three major influences that led the push behind the development of adware: the failure of selling small, low-priced software in retail packages, the rise of peer-to-peer apps, and the rise of cost-per-click advertising.

Adware helps offset development and maintenance costs of software or website hosting, and in turn, can help provide software and website hosting free of charge. It can even help turn a profit when software or websites are provided free of charge to users and supported by ads. Ad supported software is one of the forms of "shareware".

Certain forms of adware sometimes go overboard and stray into the realm of spyware. They collect personal information and pass it on to third parties without the express consent or knowledge of the user, in the hope of providing more specific ad targeting.

Browser Helper Objects

A BHO, or Browser Helper Object, can be a useful little browser plug-in module when used legitimately. For instance, the Microsoft Word plug-in that allows Internet Explorer to read .doc (a.k.a. Word Document) files within the browser is a BHO. The same goes for Adobe Acrobat's plug-in for PDF files. Google Toolbar is another example of a BHO, but in this case, it is attached to IE's UI, so it can be used directly by the user.

Because of the free roaming privileges BHOs are allotted within Internet Explorer, some forms of spyware are installed into IE as BHOs, and can perform a number of tasks. This can include a keylogger (which usually activates when some sort of HTTP financial service is detected, intending to collect credit card numbers, usernames and passwords), and can record a user's browsing habits and send the recorded data off to third parties.

Browser Hijackers

Browser Hijackers can include malicious BHOs, as well as changes to various settings within Internet browsers (usually directed at Microsoft Internet Explorer). These altered settings can cause your homepage to change, add bookmarks, create pop-ups faster than they can be closed, and redirect addresses that users may type in (especially if typed without the www. prefix). All of these browser alterations usually end up directing the user to sites containing pornography, warez, game cheats, or any other "underground" material.

One of the most common browser hijack methods used is to add entries to the hosts file. Instead of mapping unwanted names to the localhost black hole, certain web addresses are mapped to servers that you probably would not choose to visit on your own.
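A quick check for this kind of tampering, added here as an example (it is not part of the original text and not a PC Mechanic tool): the Python script below parses a hosts file and reports every name that is mapped to a reachable address rather than to the loopback or unspecified sinkhole addresses. The vendor domains it treats as high severity are the ones listed in the anti-virus section of this book; the sample hosts file content is constructed for the demonstration, using reserved documentation addresses and .test names.

```python
import ipaddress
import os
import sys

# Location of the hosts file on the platforms the text discusses.
HOSTS_PATH = (
    os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                 "System32", "drivers", "etc", "hosts")
    if sys.platform.startswith("win") else "/etc/hosts"
)

# Anti-virus vendor domains from the list earlier in this chapter. A hijacker
# that maps these to its own server cuts the victim off from definition
# updates and removal tools, so a non-loopback entry for them is a strong signal.
WATCHED_DOMAINS = (
    "symantec.com", "kaspersky.com", "mcafee.com", "pandasecurity.com",
    "f-prot.com", "grisoft.com", "eset.com", "sophos.com", "clamxav.com",
    "avast.com", "trendmicro.com",
)

# RFC 1918 / ULA ranges: home and office networks legitimately map names here.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample: two harmless sinkhole lines (the ad-blocking technique)
# followed by hijack lines that send real sites to an address the user never chose.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-adserver.test    # ad-blocking sinkhole: harmless
0.0.0.0         tracker.example-spyware.test # also a sinkhole: harmless
198.51.100.23   www.symantec.com             # hijack: vendor site sent elsewhere
198.51.100.23   www.google.com  google.com   # hijack: search engine sent elsewhere
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring blanks, comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for host in parts[1:]:
            yield ip, host.lower()


def is_sinkhole(ip):
    """Loopback or unspecified addresses only make a name unreachable."""
    return ip.is_loopback or ip.is_unspecified


def is_lan(ip):
    return any(ip in net for net in LAN_NETWORKS)


def is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return entries that point a name at a real, reachable address."""
    findings = []
    for ip, host in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        if is_watched(host):
            severity = "high"    # security vendor being redirected
        elif is_lan(ip):
            severity = "low"     # probably a legitimate local network entry
        else:
            severity = "medium"  # public site sent to an unexpected server
        findings.append({"host": host, "ip": str(ip), "severity": severity})
    return findings


def check_hosts_file(path=HOSTS_PATH):
    """Run the check against the live hosts file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"{f['severity']:6} {f['host']} -> {f['ip']}")
```

Sinkhole lines (127.0.0.1 or 0.0.0.0) are what a deliberate ad-blocking hosts file contains and are left alone; LAN addresses are reported at low severity because home and office networks legitimately use them. Calling check_hosts_file() with no argument reads the live file at %SystemRoot%\System32\drivers\etc\hosts on Windows or /etc/hosts elsewhere. On Windows that file needs administrator rights to edit, so an entry you did not put there means something ran with those rights.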

The results of browser hijacking most often lead to non-technical problems, which include accessing inappropriate sites at work, straining personal relationships, and/or coming under scrutiny (possibly as far as being arrested) for possession of illegal material. Browser hijackers are often one of the hardest forms of malware to deal with, from both technical and non-technical standpoints.

Computer Barnacles

Barnacles are data collection and/or advertisement producing software that are often bundled alongside larger software packages, and are usually installed with the user's unwitting consent. Consent is usually gained through hard-to-read license agreements, or ActiveX pop-ups.

Barnacles are made to be difficult to uninstall, often intentionally using confusing or counterintuitive uninstallation wizards to prevent the removal of the spyware. Sometimes, uninstallation requires the user to fill out an online form, but depending on the shape that the system is in (with other forms of spyware possibly installed), this may not always be possible.

Barnacles often exhibit the same system degradation symptoms as other forms of spyware; however, barnacles often target the Layered Service Provider (part of Winsock, the interface that defines how software accesses network services such as TCP/IP) to redirect data from a system's TCP/IP stack (the set of protocols that defines how data is sent over the Internet). When this form of barnacle is removed, it usually leaves the networking configuration corrupted, thus requiring a reinstallation of the TCP/IP stack.

Dialers

This form of malware is only applicable to dialup or ISDN Internet connections. Some of these dialers include scripts to disable the modem's connection sounds, so you can't tell if and when it may be dialing out. Users on broadband connections may still get dialers installed on their system, but dialing a phone number is not possible over a broadband connection because it does not use a regular phone line.

There are two basic methods that dialers operate under. The first is via security holes in Windows operating systems. They either use the Windows dialer, another legitimate third-party dialer, such as one included with AOL, or the author's own malware dialer. The other method entices the user with promises of special content only if they call the number listed, which usually appears on sites providing pornography, warez, game cheats, or any other "shady" activity.

Any of these dialing methods may rack up a significant phone bill. This money usually lines the pocket of the person or organization providing the malware. 900 numbers, a.k.a. premium rate numbers, are most often used, and can generally cost up to $4 per minute, with the call usually lasting about 10 minutes.

Keyloggers

Keyloggers are either small programs or small hardware devices that mainly do one thing: record any and all keystrokes that may be typed in by a user. In the case of espionage, a device is used to capture keystrokes by placing it at the end of a keyboard cable, whereas another kind can be soldered right into the keyboard's circuit board.

In terms of spyware, keyloggers can be distributed and installed on a computer system by means of a Trojan, virus or worm.

Malware

Interestingly enough, the prefix of this term in both French and Spanish translates to "bad". No argument here about that description. It has also been stated that the term has been shortened from the word "malicious" and combined with the word "software". Either way, malware is software that intentionally causes harm on a computer system. Malware should not be confused with faulty software containing bugs; for bugs, no matter what the problem may be, are not intentional.

It is difficult to specifically classify malware, since other types of spyware tend to overlap with it. Viruses, trojans and worms all fall into this category.

A less common form of malware that doesn't really fall under any other categories and engages in self-replication is referred to as a "wabbit". It doesn't self-replicate from system to system, but rather, uses a simple recursion algorithm to replicate itself indefinitely to clog up system resources until the system is rebooted. Any first year application programmer has the ability to create one.

Spyware

Overlapping with the extreme form of adware, spyware is more engaged in unethical and explicitly illegal purposes. These activities can include spying on a user's surfing habits for marketing purposes, as well as anything else coming under the heading of "spyware", where each activity is explained under the associated form of spyware in this article.

Unprotected Windows-based computers can rapidly accumulate a surprising amount of spyware components. Awareness, tighter system security and establishing a practice of more cautious browsing habits can help alleviate the problem.

Spyware is not known to cause outright system destruction or replication, unlike a virus infection, but it functions more as a parasite that sucks up system resources. In most cases, the user is not at all aware that spyware is installed, and assumes that it is the hardware that is no longer up to par. Usually executing at startup, spyware runs in the background, sometimes causing a huge drop in performance, system stability (crashes, lock-ups and hangs), and available bandwidth on Internet connections (because the connection is flooded to capacity). These results are mainly unintended by-products of having a large amount of spyware flood a computer system. The direct damage caused in this respect is merely incidental (discounting the result of privacy invasion). However, some forms of spyware integrate themselves into certain operating system files and can cause a myriad of problems if the files are purged outright. This makes it an even more difficult and time-consuming task to completely clean a computer system and have everything in fine working order afterwards.

Users who are not aware of the cause of all these problems sometimes ditch their infected computer and go out and buy a new one. That is a waste of money, as well as a waste of a perfectly good computer. Either awareness or a visit to a PC technician can help take care of a spyware-infested system. Spyware has caused more visits to PC technicians than any other problem in the last couple of years, and it continues to grow.

Trojans

A Trojan, or rather its full name, "Trojan Horse", is an allusion to the epic tale of the ancient city of Troy and the Greeks' Trojan Horse. In the siege of Troy, the Greeks left a large wooden horse outside the city. The Trojans were convinced that it was a gift, and brought the horse within the safety of the city walls. What the Trojans didn't know was that the horse was hollow, and hidden inside were a small number of Greek soldiers. After nightfall, they snuck out of the horse and opened the city gates of Troy, allowing the Greek army to enter and pillage the city.

Trojan horse programs work in much the same way; they may appear useful or interesting at first glance to an unsuspecting user, but like the Greeks' Trojan Horse, they are not what they appear. A Trojan is a form of malware that cannot engage in self-replication, but can be harmful when executed. A Trojan can be deliberately attached to otherwise useful software, distributed on its own posing as useful software, or spread through a variety of download methods over the Internet (i.e. email, IM, and file sharing) by tricking users into opening it. Note that Trojans cannot spread of their own accord; they must be "invited" into systems, so to speak. They rely on unsuspecting users to pass them around. If the Trojan poses as a harmless joke or screensaver, for example, the idea is that unsuspecting users will pass it along to their friends. It's yet another reason to ignore those chain emails with "re: re: re:" in the subject header.

To further complicate matters, some Trojans can spread or initialize other forms of malware. When used in this fashion, they are referred to as "droppers". Other common features of a Trojan can include (but are not limited to) file deletion, subtle to major file corruption, spying activities, and data theft. Last but not least, Trojans can install backdoors in systems in order to turn them into zombie computers, which can perform any one or even many of the tasks just listed, as well as email spamming and DoS or DDoS attacks.

Worms

The name "worm" was taken from a 1970s sci-fi novel, The Shockwave Rider by John Brunner. While working on a research paper on experiments in distributed computing, researchers noted similarities between their software and the program described in the novel, and thus adopted the term.

A worm is a form of malware that is similar to both a virus and a Trojan. It's similar to a virus in that it engages in self-replication, and is somewhat similar to a Trojan in that it can be, and usually is, a completely self-contained program. Unlike a Trojan, a worm does not need to be executed by the user; it can execute and jump from system to system of its own accord because of its ability to self-replicate. It can clog up systems, as well as networks, and bring both to their knees. Other features can include file deletion, email spamming (with or without file attachments), and DoS or DDoS attacks. Like Trojans, worms can install backdoors in systems in order to turn them into zombie computers, which can perform any one, or even many, of the tasks just listed.

For a brief time, programmers attempted to use worms as useful system patching tools to plug security holes and other vulnerabilities. This, however, ultimately backfired. These types of worms often clogged up networks more effectively than intentionally malicious worms, as well as doing their work on systems without the user's explicit consent. In the course of applying these patches, systems suffered from sudden and unexpected reboots, thus causing data loss in open or unsaved files, as well as causing connection problems when a server rebooted. Today, the potential legitimate uses of worms are the talk of computer science and AI theory.

Other Terms To Know

These are terms that aren't directly related to spyware, but have been mentioned briefly and will be mentioned later on. They're good to know within the general scheme of things, for general awareness.

ActiveX Pop-up

This contains an ActiveX Control, which is most often downloaded and executed through a web browser, and can have full control over Windows operating systems. Because ActiveX Controls have such free access in Windows systems, there is a huge risk that the software being installed can be almost any form of spyware or malware.

Browser Cache

This is where all temporary webpage data is stored. All files that are downloaded within your browser end up here, which can include: html, php, cgi, jpg, gif, bmp, png, wma, txt, etc.

DoS Attack

(Denial of Service Attack) An attack on a computer system or network that overloads all available resources, which causes a loss of network connectivity by consuming all available bandwidth, or an overload of computational resources in a computer system (flooding the RAM, maxing out the CPU, or filling the hard drive), which often leads to lockups and freezes.

DDoS Attack

(Distributed Denial of Service Attack) This attack is very similar to a regular DoS attack, but in this case, the attack is made from multiple sources; usually from zombie computers.

JVM

(Java Virtual Machine) A cross-platform execution environment. It allows programming, program execution and computer connectivity compatibility between Operating System platforms by means of a virtual machine (computer).

MAC Address

(Media Access Control address) This is a unique identification address used in hardware that connects to a network (i.e., a modem or Ethernet card).

msconfig

(Microsoft System Configuration Utility) This utility handles startup tasks. Most often when it is referenced, it implies that the user should look at the "Startup" tab. To access it, simply go to Start > Run, type msconfig and hit enter. This utility is not included on Windows 2000 systems, so it will have to be manually installed.

Phishing

Put simply, phishing is a fraudulent act committed online. It is an attempt to get a user to reveal their passwords, credit card information, or any other personal information via deceptive practices (usually by email).

UI

(User Interface) This can be text based or graphical based. GUI (Graphical User Interface) is the term most people are familiar with seeing.

Virus

Similar to a worm, but needs to be inserted into a file or program in order to execute and propagate. They are not self-contained.

Warez

Illegal/pirated software; software that has been distributed freely without being paid for and/or does not have a valid individual software license.

Zombie Computer

A computer with an Internet connection (most often broadband) that has one or many hidden software programs or backdoors that have been installed by a third party. This software can allow the computer to be remotely controlled. Zombie uses include conducting DDoS attacks, email spamming, warez file hosting and malware distribution. This can all be accomplished while not revealing the attacker's true identity and laying blame on the computer's owner. This can sometimes lead to an ISP shutting down the Internet connection and/or blacklisting the connection or MAC address.

Effects & Telltale Symptoms of Spyware

There is a large set of problems that are usually attributed to spyware, but that doesn't mean the effects of spyware are limited to the items described below. If you are experiencing any one of these, it may be a good idea to run some spyware scans.

• When you start your computer, or when your computer has been idle for many minutes, your web browser opens to display advertisements.

• When you use your browser to view websites, new browser windows open to display website advertisements. This isn't always attributable to spyware on your system, however; the website you are visiting could be supported by these pop-ups.

• Web pages are unexpectedly added to your Favorites folder.

• New toolbars are unexpectedly added to your browser.

• New icons are unexpectedly added to the desktop or system tray. However, most newer programs automatically place an icon in your system tray. This can be turned off in msconfig or within the program's options or preferences.

• A program that has worked fine before behaves unexpectedly. This can be attributed to spyware, but there can be other causes as well.

• Windows components cease to work or behave unexpectedly. Again, this is not always due to spyware.

• Random Windows error messages appear. Yet again, this is not exclusively attributable to spyware.

• When you click a link in a program, the link does not work, or it redirects you somewhere you did not intend to go.

• Your browser suddenly closes or stops responding, not just once, but almost every time you use it.

• It takes a much longer time to start or shut down your computer. This symptom can also be caused by having a large number of programs installed.

• Your computer seems very sluggish when opening programs or processing tasks.

• There are several processes listed in the Task Manager that you don't recognize as legitimate programs or Operating System components.

These are some of the main symptoms exhibited on a spyware-infested system. A system can exhibit one or more of these, and symptoms are not necessarily limited to these descriptions. Although these symptoms can point to a spyware infection, spyware may not always be the culprit causing these problems.

What Kinds of Tactics Are Used?

Much of the time, spyware relies on persuading unaware or credulous users to download and install it by offering some kind of seemingly enticing bait, such as a prize, free money, a free service, or a free service that's "better" and supposedly gives you a leg up on widely known legitimate software or services. 99% of the time, you can assume that it will not help in any way.

Here is a list of known spyware applications (http://www.spywareguide.com/product_list_full.php) and a list of known spyware creators/vendors (http://www.spywareguide.com/creator_list_full.php). Check these lists if you run across a program you want to install but don't really know anything about its origins, or if it appears on unprofessional websites. If the software does not appear in the product search, it is either too new, too obscure, or not a threat.

ActiveX

Accepting ActiveX plug-ins is an easy way to get spyware installed on your system. These are usually found on sites containing "underground" or "shady" content. Legitimate sites, such as Microsoft and Macromedia, may ask to install installer engines if you are downloading updates or programs, and usually say on the web page that you will be prompted to install an ActiveX plug-in. In cases like these, it is fine to let the ActiveX plug-in be installed, for it is needed to complete an operation. There is a big "however" to add to this: some sites with spyware are clever enough to include a notice for the ActiveX pop-up, so be careful. Pop-ups offering "free" something-or-other or "browser enhancements" should be avoided. Additionally, random junk that pops up on random sites where you are not explicitly downloading something should not be allowed to be installed.

Here is one such example of an ActiveX pop-up that should not be allowed to run:

Fake Removal Tools

Beware of programs masquerading as adware or spyware removal tools, which are becoming known as "BetrayWare". There are a small number of legitimate adware and spyware removal programs available; make sure that the removal tool you download is a legitimate one. Not all fake removal tools go so far as to cause harm to your system; some merely do nothing to combat the spyware problem, contrary to the promises in their advertisements. Still others are simply clones of legitimate removal tools whose core engine was swiped or licensed from the original, but which aren't quite as good as the original, meaning that the major change is just a different GUI.

A comprehensive list of fake removal tools is available if you should want to check up on some removal tool that is being advertised or has been installed on your machine. That URL is: www.spywarewarrior.com/rogue_anti-spyware.htm#products

Misleading or Enticing Advertisements

Advertisers will use every trick in the book to grab your attention. They will use interactivity and movement, your sense of curiosity, your sense of humor, your sense of justice and right and wrong, your sense of greed and desire, and just plain unawareness or credulity simply to get you to click. Your click on an ad registers "Ka-Ching!" for the advertiser, both in terms of monetary profits and the installation of spyware for the purpose of data harvesting.

Users are often tricked by advertisements such as these:


At first glance, it looks like a serious Windows error message, and some users will click "yes" almost automatically. However, if you look in the bottom right corner of the ad, it says "advertisement" in small light gray letters. It's somewhat hard to catch if you are just skimming a webpage quickly. The other thing to know about these ads is that it doesn't matter where you click on the ad; the whole ad is a clickable image that can redirect the user to a spyware-infested webpage, or to a page that offers a spyware-infested scanning utility (BetrayWare).

Another similar (and newer) advertisement is usually presented as a pop-up, and contains similar content as the previous example. See if you can spot the "advertisement" label in this ad:

Another common gimmick spyware creators/vendors love to use is the interactive ad: the ad where the user has to click on something that's moving around. All those "punch the monkey and win" and "knock out the boxer and win" type ads are redirects to places users would not really want to go of their own accord, since they are chock-full of spyware. No, you never actually win anything, and if you enter your email address on their website you will get spammed.

Here's an example of an interactive ad promising that free $20 for performing an action. Notice the asterisk at the end of the phrase. That implies there is fine print that is attached to the deal that is being offered in the ad.

Here's an example of an animated lottery ad that goes to entice users hooked on the game of chance; all forms of lotteries and gambling.

When it comes down to it, any ad involving money, offering free anything, offering great benefits of drug enhancements, offering better abs, offering a better love life, or any other enticing item or service, beware! It is most likely a scam to install spyware and try to get you to submit your email address for the purpose of spam. To make use of an overused geek cliché, Admiral Ackbar says, "It's a trap!"

Phishing

Phishing is not a form of direct spyware, but it can still be a simple, yet very effective tool for gathering personal information, sometimes leading to identity theft. It can be very scary if someone is taken in by a phishing attempt. As with anything else, there are a few things to look out for so it can be avoided.

• Read critically for spelling or grammatical errors.

• Legitimate sites/organizations never ask for personal information over email.

• Make sure the link included in a phishing attempt is not masked. Here is an example of what to look for. Notice that the text of the link displayed looks legitimate, whereas the real link address directs you to a phishing page. This, of course, screams "phishing attempt".

• Check the webpage address for anything out of the ordinary. For instance, if the phishing attempt includes a link to a form that asks you to fill out personal information and does not contain the legitimate website's base address, it is most likely a phishing attempt. For example, if the attempt happens to be for Ebay and the link does not include ebay.com somewhere near the beginning of the address, it is most likely a phishing attempt. In addition to that, some phishing links can appear with letters switched around or omitted in the base address so it still looks like a legitimate address at a quick glance. www.microsoft.com may appear as www.mircosoft.com or www.micosoft, or may have an addition made to the front of the address such as www.msn-microsoft.com. It is also suggested that you do not actually click on the link, because the website may be a host to all sorts of spyware and malware. So, if it doesn't fool you into entering information, it will at least get that junk installed on your system.

• Beware of link addresses that contain an IP address. This is a big red flag that signifies that the server won't be up long enough to be worth purchasing a domain name for it. In other words, it's a host to a phishing site that probably won't be online for too long. The IP address offers a direct link to the server without having to go through a domain name server, so no record of it would be logged. The link address can also be hidden by a mask, as shown in an earlier example.

• Beware of redirection links. Links that may look official may actually redirect you to a phishing webpage.

• Never fall into the trap of "get rich quick" schemes, especially if you are called to perform some sort of service beforehand, and especially if it's for someone in a 3rd world country.

• Never fall into the trap of emails asking for money or to help shuffle money around, especially if they say something like, "Help me. I'm really a displaced prince and will have access to a numbered bank account; I will share it if you help" or "Help, I was the victim of a horrible tragedy and could use your monetary assistance through this difficult time." These are the kinds of scams where the phrase "a fool and their money are soon parted" can be applied today. Don't fall into the trap!

• If you receive an email from a bank regarding account or personal information, or if it's not from a bank you even use, it's definitely a phishing attempt. Banks never ask for personal or account information by email. They usually contact you by snail mail or phone. Also, it's rare, but not unheard of, for phishing attempts (fraud) to be carried out via snail mail or phone, although this method is usually more expensive than sending out emails and isn't used often for this reason.

• For any email asking for personal information regarding some sort of user or bank account, watch out for these (or similar) phrases found in the email's subject or body: "Dear Valued Customer", "Verify your account", "If you don't respond in [this amount of time], your account will be closed", and "Click the link to gain access to your account".

This MSN account phishing attempt is one of the most convincing phishing attempts that I have noted. At first glance, it looks quite legitimate and even sports a link to a page that looks convincingly legitimate. Take a look at it and see if you can apply some of the telltale signs of phishing.

Take a look at the spelling. It's hard to catch at first glance, but "Automatical" is not a word. This anti-phishing site shows details of this specific phishing attempt. If you are ever not quite sure whether something you receive is a phishing attempt, Google it. Search for a small phrase found in the phishing attempt and see if you get any hits. If there are more than 3 hits that say "Yes, this is a phishing attempt," it most likely is one. You can also take a look at these two anti-phishing sites for information on phishing attempts: http://www.antiphishing.org/index.html and http://www.millersmiles.co.uk/.
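The link and wording checks listed above can be applied mechanically. The following Python script is an added example written for this edition, not code from the original book or from any anti-phishing site it mentions. It pulls every link out of an HTML message body, reports links whose visible text is an address other than the one really linked (a masked link), links to a raw IP address, links whose registered domain is not the expected one (catching look-alikes such as mircosoft.com or msn-microsoft.com), and the telltale phrases from the last bullet. The sample message, the address 203.0.113.7 and the "last two labels" rule for the registered domain are assumptions made for the example; the latter does not handle suffixes like .co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases the section lists as typical of phishing subjects and bodies.
SUSPICIOUS_PHRASES = (
    "dear valued customer",
    "verify your account",
    "your account will be closed",
    "click the link to gain access to your account",
)

# A bare dotted-quad host such as 203.0.113.7 (a "raw IP" link).
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Link text that itself looks like a web address, e.g. "www.ebay.com".
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare hosts like 'www.ebay.com' get a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Last two labels of a host (www.ebay.com -> ebay.com).
    Assumption: no multi-label public suffixes such as .co.uk are involved."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(subject, html_body, expected_domain):
    """Return a list of the telltale signs found in one message.

    expected_domain is the registered domain the mail claims to come from
    (e.g. 'ebay.com'); any link whose real domain differs is reported.
    """
    findings = []
    text = (subject + " " + html_body).lower()
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in text:
            findings.append(f"suspicious phrase: {phrase!r}")

    parser = _LinkCollector()
    parser.feed(html_body)
    for href, shown in parser.links:
        target = _host(href)
        is_ip = bool(IP_HOST.match(target))
        if is_ip:
            findings.append(f"link to raw IP address: {href}")
        # Masked link: the visible text is an address, but not the one actually linked.
        shown_host = _host(shown) if LOOKS_LIKE_URL.match(shown) else ""
        if shown_host and _registrable(shown_host) != _registrable(target):
            findings.append(f"masked link: shows {shown!r} but goes to {href}")
        # Look-alike or unrelated domain (mircosoft.com, msn-microsoft.com, ...).
        if not is_ip and _registrable(target) != expected_domain.lower():
            findings.append(f"link domain {target!r} is not {expected_domain}")
    return findings


# Constructed sample message (not a real phishing mail); 203.0.113.7 is a documentation address.
SAMPLE_SUBJECT = "Verify your account"
SAMPLE_BODY = (
    "<p>Dear Valued Customer,</p>"
    '<p>Please visit <a href="http://203.0.113.7/ebay/login">www.ebay.com</a> '
    "to update your details.</p>"
)

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_SUBJECT, SAMPLE_BODY, "ebay.com"):
        print(finding)
```

Run on the constructed sample, the script reports two suspicious phrases, a raw-IP link and a masked link. A genuine message whose links all go to the expected domain and whose wording avoids the listed phrases produces no findings, which is the point: the checks are the same ones the bullets ask a reader to make by eye.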

Downloads

When you download a file to install from the Internet, that piece of software always has a license agreement that can be viewed at some time during the installation process. This EULA (End User License Agreement) is included to take care of issues with copyright and liability laws. They include permissions of what the end user can and can't do with the software, as well as inform the end user of what the software does and doesn't do. You will be hard pressed to find someone who actually reads those license agreements on their own free time. Most users simply click "I agree to these terms". Included in the terms of agreement can be notices that forms of spyware may be installed with the main software package, albeit often hidden within complex legal jargon.

Cutesy applications are a huge success for spyware vendors/manufacturers in that they are often laced with spyware that is installed alongside the main package as an extra feature that does users no good. These "cutesy applications" can be screen savers, IM emoticon packages, desktop buddies, and so on. A few good examples are Bonzi Buddy, Comet Cursor, and Smiley Central. Whether the main purpose of the package is entertainment or data harvesting is hard to tell; they do a good job with both tasks. The amazing thing is that users sometimes pay for these applications in order to get "special" or "extra" services.

Cutesy applications aside, there are additional freeware packages that offer themselves as so-called legitimate and useful software, but actually do you more harm as a user than good. Such applications can include any Gator products, DashBar, PrecisionTime, DateManager, eWallet, eAcceleration, and, yes, even the seemingly popular WeatherBug. Make sure you do your research on freeware that you may want to install. Taking all freeware as a whole, only a relatively small portion of free applications are intentionally malicious. There are many more legitimate freeware applications available for use, so don't let these few malicious applications deter you from taking advantage of all the freeware that's available. A simple Google search of the application's name and the word "spyware" will usually turn up a significant number of results if the freeware package is indeed malicious.

Search Toolbars are another set of applications that have become quite popular. They are also a large source of data harvesting by collecting search string information, as well as browsing habits, and can even act as a keylogger.

Another source of adware, spyware and malware that gets installed on a user's system without their consent is referred to as a drive-by download. Drive-by downloads are either embedded within a webpage, installed as a result of clicking on a deceptive ad or pop-up, or just bouncing around the Internet dropping into whatever unsecured computer they happen to run across. Older browsers and unpatched security flaws, in both browsers and Operating Systems, can allow drive-by downloads to take advantage of your unprotected system. The lack of a firewall can also be a big contributing factor, which can be compounded with the lack of up-to-date security patches, making for a good double whammy.

This is why it is dangerous to go poking around and following phishing links and ad links. Note that not all ads hide a page loaded with spyware. A good portion of ads on legitimate websites are in fact, not ill intended and will not install spyware on a user’s system. Just be aware of deceptive pop-ups and ads because after all, they do exist.

Prevention Techniques

Tightening up system security, keeping up to date with security patches, and engaging in safe Internet usage are the three main ways to prevent spyware from entering your computer system. Many of these techniques rely on each other to maintain overall good system security. Don't rely on just one or two. Use most, if not all, of these techniques. You will end up with a much healthier computer.

Administrator Accounts

It is wise to password protect all your administrator accounts as well as the administrator user account named "Administrator". There are some forms of spyware and malware that have been spread through these accounts thanks to blank password fields. It is recommended that you use at least an 8-letter/number combination.

You can access user account information in Windows XP by going into the Control Panel > User Accounts. Select a user account and click "Change my password". Follow the onscreen instructions. In order to change the Administrator account's password, you will have to boot up into safe mode. Restart the machine and, before the Windows loading screen appears, press F8. You should then be given a menu of choices. Choose "Safe Mode". Make sure that you do not allow a system restore if you should be prompted. Next, proceed to User Accounts as before to change the password.

In Windows 2000, go to Control Panel > Users and Passwords, select the user account and click "Set Password". Enter the new password in the dialog box that appears, hit ok after you're done, and hit ok on the "Users and Passwords" window.

ActiveX Security and Safety

Show caution with ActiveX controls and plug-ins. In IE, go to Tools > Internet Options > "Security" tab > Custom Level. Under "ActiveX controls and plug-ins," set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "prompt", and "Initialize and Script ActiveX controls not marked as safe" to "disable".

From now on, each time an ActiveX object wants to be executed or installed, you will be alerted with a dialog pop-up. "Yes" will allow the ActiveX object to do its thing, while "no" will stop it from executing and/or installing. You must read every "offered" ActiveX download carefully before you decide to accept it. If it says something to the effect that it will enhance your browsing experience or searching ability, this is a huge red flag, and it should not be downloaded and/or executed.

Block Adservers & Spyware Servers

There is a HOSTS file for your use, with common adservers and spyware servers blocked, in the appendix of this book. This file contains general ad and spyware servers and does not block site-specific ads (such as ads hosted on the same server as the website). By blocking the server, the ads/spyware never get downloaded onto your computer because the request never actually goes out over the Internet; the request is routed directly to 127.0.0.1. Note that by blocking adservers, you may be depriving website owners of income that keeps their site up and running.

A second effective method to block servers and web addresses is to use Sunbelt Personal Firewall's (formerly Kerio Personal Firewall) built-in web tools (note that this is only available for free as a limited trial). Unlike the hosts file, Sunbelt's server blocking feature allows for wildcards in domain addresses. For instance, instead of having these entries in your hosts file:

127.0.0.1 ad1.thisadserver.com
127.0.0.1 ad2.thisadserver.com
127.0.0.1 ad3.thisadserver.com
127.0.0.1 ad9.thisadserver.com

Sunbelt can shorten this and cover a lot more entries by adding this line of code: ad([isx0-9].*)?.. *.. * It will block any addresses that start with “ad”, followed by a number between 0 and 9.
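To make the two blocking methods concrete, here is an added Python example (written for this edition, not code from the book's appendix or from Sunbelt/Kerio). It parses a hosts file in the format shown above, tells you whether a given hostname has been pinned to 127.0.0.1 (or another sinkhole address), and then expresses the same ad1 ... ad9 family as a single wildcard, using a Python regular expression rather than the firewall's own rule syntax. The hosts-file fragment, the domain thisadserver.com from the text, and tracker.example.net are constructed sample data.

```python
import re

# Constructed hosts-file fragment in the layout the section describes: each ad or
# spyware hostname is pinned to 127.0.0.1 so the request never leaves the machine.
SAMPLE_HOSTS = """\
# constructed blocklist for this example
127.0.0.1    localhost
127.0.0.1    ad1.thisadserver.com
127.0.0.1    ad2.thisadserver.com      # a trailing comment is ignored
127.0.0.1    ad3.thisadserver.com ad9.thisadserver.com
0.0.0.0      tracker.example.net
"""

# Addresses that make a name resolve to nowhere useful.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately point at loopback and must not be reported as "blocked".
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Map every hostname in hosts-file text to its address.

    Format: one "IP name [name ...]" entry per line; '#' starts a comment;
    blank lines are skipped; a later entry for the same name wins.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            table[name.lower()] = ip
    return table


def is_blocked(hostname, table):
    """True when the hosts file sends hostname to a sinkhole address."""
    name = hostname.lower().rstrip(".")
    if name in LOOPBACK_NAMES:
        return False
    return table.get(name) in SINKHOLE_ADDRESSES


# The wildcard idea from the firewall example, written as a Python regular expression
# (assumption: this is not the firewall's own rule syntax). One pattern stands in for
# ad1, ad2, ... ad9 and any further numbered hosts on that domain.
AD_SERVER_PATTERN = re.compile(r"^ad[0-9]+\.thisadserver\.com$", re.IGNORECASE)


def blocked_by_either(hostname, table=None):
    """Block if the hosts file lists the name or the wildcard pattern matches it."""
    if table is None:
        table = parse_hosts(SAMPLE_HOSTS)
    return is_blocked(hostname, table) or AD_SERVER_PATTERN.match(hostname) is not None


if __name__ == "__main__":
    for host in ("ad2.thisadserver.com", "ad42.thisadserver.com", "www.pcmech.com"):
        print(host, "blocked" if blocked_by_either(host) else "allowed")
```

The difference between the two approaches shows in ad42.thisadserver.com: it is not in the hosts file, so the exact-match lookup lets it through, while the wildcard catches it. That is exactly the gap the text says the firewall's wildcard support closes.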

Browsing & Downloading Habits

A majority of the spyware, malware and adware usually gets installed from visiting certain websites. These "underground" websites can contain pirated software and cracks, pornography, or game cheats. Surprisingly enough, game sites devoted to flash/shockwave/java games are also major sources for spyware and malware.

Sometimes malware is downloaded directly into your browser cache without your knowledge. If it is a worm, Trojan or virus, real-time AV scan programs can sometimes catch it, however, detection is never 100%. Your best bet is to avoid these "shady" sites.

Whenever you download and install a program from the Internet, it is often a good idea to run virus and spyware scans on it if you are not sure whether it contains spyware/malware/adware. Some P2P sharing networks, KaZaa being a prime example, have been loaded with all sorts of malicious files, so it may be wise to avoid downloading from P2P networks that are overrun with junk. Also, should you choose to run P2P applications, make sure that you do not share your entire hard drive. This is a huge security risk on your part if everything that is on your computer is made available for download.

Email Safety

Protect your email address like you would your phone number. This helps cut down on spam and other junk that comes through email. The same goes for your IP address, especially if it's static.

Never open email attachments when you aren't expecting them, and especially not from people or email addresses you do not recognize. Either one can potentially contain a virus, Trojan or worm. Some forms of malware can access a user's address book and flood all the contacts with spam and malware through the user's email account.

If you need to attach a file to an email, make sure you include a description of what the attachment is somewhere in the body of the email. For example, "I am attaching 2 pictures of Bill's wedding" or "I am attaching a copy of my resumé in Word 2000 format." Just make it simple, yet descriptive enough so that the email recipient knows what to expect.

There is a problem with emails that arrive in HTML format. With most legitimate sites, it's no big deal, but with HTML spam, there can be all sorts of junk code in the background that you really wouldn't want running. There are a few methods to stop this from happening. The first is to disable your email preview pane (found in Outlook, Outlook Express, Mozilla, Netscape, and a few other email clients). If you're using Outlook, go to View and uncheck "Preview Pane". In OE, go to View > Layout and uncheck "Preview Pane".

Another option would be to go into "Offline" mode after you have finished downloading your messages. That way, if any HTML emails need to go out to the Internet for pictures or whatnot, they can't, because the mail client has gone "Offline". The last option would be to turn off HTML altogether and only accept plain text. In Outlook, go to Tools > Options > "Preferences" tab > E-mail options and check "Read all mail as plain text". In OE, go to Tools > Options > "Read" tab and check "Read all messages in plain text".

Hidden File Extensions

By default, Windows hides all file extensions for recognized file types (jpg's, exe's, zip's, etc.). This makes it easy for executable malware files to be disguised as a recognized file that doesn't look harmful. To reveal all file extensions, open up "My Computer" > Tools > Folder Options > "View" tab and uncheck "Hide extensions for known file types".

For example, with file extensions hidden, a file could display as "destroysys.jpg", a harmless enough looking image, but really be "destroysys.jpg.exe," an executable that may do an untold amount of system damage. Windows allows periods in filenames, so someone could give the file a false extension, misleading a user to think that the file is something that it's not. It's important to know what extensions mean; you can't just depend on what the file icons look like. Those can be changed easily enough.

FILExt (www.filext.com) is a site that contains information on file extensions, as well as a file extension database.
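The "destroysys.jpg.exe" trick above comes down to one rule: Explorer drops only the last extension, and only the last extension decides what runs. The Python example below is added for this edition (not the book's or FILExt's code) and makes that rule explicit: for any filename it reports what the user would see with extensions hidden, what extension Windows would actually act on, and whether the name is a decoy double extension. The sets of executable and decoy extensions are well-known Windows types but are not exhaustive, and the sample file list is constructed.

```python
import os

# Extensions Windows launches as code when double-clicked (well-known set, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi", ".hta", ".cpl",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".reg",
}

# Harmless-looking extensions commonly used as the decoy half of a double extension.
DECOY_EXTENSIONS = {
    ".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".doc", ".pdf", ".mp3", ".zip",
}


def displayed_name(filename):
    """What Explorer shows with "Hide extensions for known file types" on:
    the last extension is dropped, everything before it stays."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def real_extension(filename):
    """The extension Windows actually acts on: the last one in the name."""
    return os.path.splitext(filename)[1].lower()


def assess(filename):
    """Compare what the user would see with what would run."""
    shown = displayed_name(filename)
    ext = real_extension(filename)
    decoy = os.path.splitext(shown)[1].lower()  # the extension left visible, if any
    executable = ext in EXECUTABLE_EXTENSIONS
    return {
        "shown_as": shown,
        "real_extension": ext,
        "executable": executable,
        "deceptive_double_extension": executable and decoy in DECOY_EXTENSIONS,
    }


def find_deceptive(filenames):
    """Return the names from an attachment or download list that use a decoy extension."""
    return [name for name in filenames if assess(name)["deceptive_double_extension"]]


# Constructed sample listing: two decoys among ordinary files.
SAMPLE_FILES = ["destroysys.jpg.exe", "vacation.jpg", "setup.exe", "resume.doc.scr", "notes.txt"]

if __name__ == "__main__":
    for name in SAMPLE_FILES:
        print(name, "->", assess(name))
```

Note that "setup.exe" is executable but not flagged as deceptive: with extensions hidden it shows as "setup", which does not pretend to be a picture or document. Only names that leave an innocent extension visible while hiding an executable one are reported.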

IE AutoComplete Security Risk

IE's AutoComplete feature enables users to begin typing website addresses, usernames, and passwords and have them automatically filled in if they have been entered before. This offers convenience and saves a little time while browsing. However, the downside is that it can be a security risk. Everything that was just mentioned can be accessed by someone using your computer, and sometimes by some forms of spyware. This will allow people to see what sites you have been visiting, gather personal information, and go as far as to impersonate you to a degree.

To access the AutoComplete options, open up an IE window and go to Tools > Internet Options > "Content" tab > AutoComplete. Anything that has been checked will be remembered and saved.

IE Search Toolbars

No matter what kind of search toolbar you install, I guarantee it has some form of spyware in it. Yes, even the praised Google toolbar that acts as both a search bar and pop-up blocker. It is, however, one of the better pop-up blockers out there. Windows XP SP2's pop-up blocker is definitely way too restrictive even with the default settings, so even legitimate pop-up windows are blocked. Google toolbar seems to have a good balance. As for it containing spyware, take a look at this image from the installation procedure:

If you take a close look at the bottom where you have to make a selection to enable or disable something, you'll notice that enable says, "Anonymous information will be sent to Google." Translation: statistics on your browsing habits will be sent back to Google. This is a form of data collection. Make sure when you install Google toolbar that you hit "Disable".

Most toolbars have some sort of spyware or adware bundled. There is yet to be a search bar that is totally free of spyware and adware.

Suggestion: avoid them when possible, although there are a few reasonable exceptions, such as Google toolbar.

Install a Firewall

Basic firewalls have two uses. The first is to monitor connections and programs requesting access to the Internet, which is referred to as an application firewall. This is a good way to see which programs are trying to access the Internet. It's somewhat surprising to find that most applications actually ask for Internet access at one time or another. Application firewalls usually have 4 basic settings: allow this time, always allow, don't allow this time, and never allow. These four options give the user the power to control which programs are allowed to access the Internet. It is also a good way to detect spyware that may be floating around on your system. Most often, they request Internet access at one time or another to "phone home".

The second basic use of a firewall is to block certain forms of spyware and malware, protect from DoS attacks, block random, unrequested, or "background noise" traffic coming from the Internet, all of which can be accomplished for the most part by closing ports from outside intrusions.

In most cases, a single firewall can take care of both situations. Sygate Personal Firewall, Sunbelt Personal Firewall, or ZoneAlarm would be adequate protection. Windows XP SP2's Internet Security is very good as well; however, it would not be wise to rely solely on this high-profile target. First, it is far less customizable than other solutions and tends to be too restrictive in the traffic it blocks. Second, when something is widely used, malicious software writers usually target the largest base of attack, namely, the Windows platform. The long and short of it: use a firewall that doesn't come with the Microsoft tag. It would also be wise to avoid Norton Security products. Newer versions (2002 and above) have been known to cause an array of random issues with Windows XP. Also avoid "System Utility", or all-in-one, packages. They may appear to help, but more often than not, they actually end up causing headaches and have a huge negative impact on your system by eating up system resources. All of the extra and unnecessary "stuff" that is added to the software package is really a bloated set of applications that can be replaced, most of the time, with either freeware or shareware applications that have smaller footprints (meaning, they are not resource hogs).

In any case, if you don’t have a firewall installed, your computer is completely open to attack. In less than 20 minutes, your computer will be full of all sorts of junk, and your security and privacy will be compromised. A firewall is one of the best pieces of software you could install on your system as a preventative measure to spyware and malware infestations.

JVM Security

Make sure your installation of JVM is up to date. There are some well-known security holes in Microsoft's JVM that can be exploited by browser hijackers. It helps to replace Microsoft's JVM with Sun's official JVM. The JRE downloads are for everyday users, while the SDK downloads are for Java developers and programmers.

Software Updates & Patches

Make sure to check for updates for security programs (firewalls, spyware removal tools, and AV tools), your web browser, and Windows often. They usually contain security fixes that would otherwise be open to exploitation.

Use an Alternative Browser

To be concise, avoid using Internet Explorer. It can be a huge magnet for spyware, adware, malware and various hijacks. Just because IE comes preinstalled on your system doesn't mean it has to be used as your primary browser. The reason IE is such a huge magnet is because of its wide user base.

Alternative browsers contain changes in the speed of browsing, caching, and the way image loading is handled, which are also significant advantages over IE, but they lack ActiveX support. Opera and Firefox are two of the most popular alternative browsers. As long as IE is not being used, either is a good choice. There are also a small number of alternative browsers that are based on IE, and these often have many of the same security exploits that can be taken advantage of as in IE. They should be avoided. Firefox and Opera are the two major accepted alternative browsers that are available for use. However, a note about Firefox: since it is growing in popularity and becoming the second most used browser, it is starting to become a target for adware, spyware and malware. Regardless of the browser you use, keep it up to date against vulnerabilities.

Web pages that still use browser recognition scripts will sometimes force you to use IE on their webpage saying something to the effect of "This webpage does not support your browser." In other instances where there may not be a recognition script, the page will simply appear not to work correctly. In cases like these, yes, you will need to use IE for the time being. Luckily, this does not happen often and many good web designers are moving towards using coding standards, rather than using sloppy browser-specific coding.

Windows Processes

Check up on what is running in the system processes in the task manager (right click on toolbar > Task Manager > "Processes" tab). Pay special attention to executables (*.exe files). If you don't know what it is, try running a search for it at www.processlibrary.com or on Google.

Scanning Tools

The two most common and most used spyware tools, Lavasoft's Adaware and Spybot Search&Destroy have been cleaning infected systems for a few years now. Both still come highly recommended for your spyware combat arsenal.

However, an interesting factor has cropped up recently where Lavasoft has removed a large well-known adware vendor called WhenU from their definitions database. That means any utilities produced by the WhenU vendor will be ignored by Adaware scans. This is a very disappointing move for Lavasoft to make. Pest Patrol and Aluria have also failed to include WhenU's set of pests in their databases. Lavasoft's response to its removal was that WhenU software was no longer a threat. Many spyware experts strongly disagree. There are other cases of known adware/spyware vendors going after the creators of spyware removal software, which can be found under this list of litigations pursued by spyware vendors when their software was included in various removal utilities.

This is just one large reason why a single scanning utility is not enough. Spyware utility companies should not be playing the "scratch-my-back-and-I'll-scratch-yours" game with spyware vendors. In order to catch everything, you need to run multiple scanning utilities on your system. The Adaware/Spybot combination can do a good job at getting rid of adware/spyware, but it does not get rid of everything on your system, for spyware often changes faster than these companies can update their software. The spyware detection engines are starting to show their age by not picking up as much spyware as they used to in the past. In general, what one spyware utility misses, the other usually catches. Also, check the list of spyware your software detects and make sure the entries aren't core Operating System modules or programs that you need or use (one such program, VNC for remote desktop control, does get picked up, and yes, it can be a security risk to an extent). Note that checking the detected programs could also backfire, because a program you have installed that you think does not contain spyware actually does. If you're unsure, check this program search database.

Two other tools worthy of mention are Spy Sweeper and Pest Patrol. Both of these products are worthwhile, but are not free. There are plenty of free products available, therefore these tools are not necessary as a first line of defense. Spy Sweeper is a very good tool to use as a last resort option when other utilities were not successful in removing certain forms of spyware.

Spyware removal utilities do not usually pick up certain forms of malware, such as worms and Trojans, which usually come under the category of Anti-Virus protection. A good free AV application called AVG comes highly recommended and is often better than many AV packages you can purchase.

If you need an emergency scan quickly and don't have an AV application installed, or AVG or some other utility isn't picking anything up but you still suspect a problem, use these online Trojan and virus scanners. Symantec's AV Center Database contains information and removal tools for viruses, Trojans and worms, in case any of the above mentioned AV tools do not get rid of the virus/Trojan/worm.

Another good source for information on malware in general is 2-spyware.com, which has a database filled with malware-specific removal tools.

Last but not least, the final scanning utility you may want to run is HijackThis (http://www.spywareinfo.com/~merijn/programs.php). HijackThis is a technical scanning utility which lists all running processes and installed or altered system modules. It is best if this program is run right after startup. Their site also has a link to a tutorial which will help interpret a HijackThis log by giving you a more detailed description of each entry. If you are still unsure about what may or may not be legitimate and what should be removed, there are many computer forums across the Internet with experienced techs who are willing to assist users in identifying pests that appear in HijackThis logs. Simply copy and paste the log's contents into a new thread and courteously request assistance. Also, be sure to clearly state which Operating System, and which Service Pack for that Operating System, you are running.

Problem Specific Tools

Still other annoying forms of malware mutate so fast that they cannot be thoroughly removed by existing spyware or AV utilities. Such is the case with the CoolWebSearch infections. Spyware utilities may pick up the infection, but are not equipped to fully remove it, or to remove it correctly without side effects. CWShredder is a utility that focuses solely on removing this annoying pest. http://www.intermute.com/spysubtract/cwshredder_download.html

Another annoying pest is the infamous "About: Blank" home page in IE. If it is a hijack and not a simple home page change, like CoolWebSearch, this pest cannot be picked up by existing spyware or AV utilities. PCHell.com has a tutorial on how to deal with this issue. http://www.pchell.com/support/aboutblank.shtml

This fix may seem like a daunting task, but if it is taken one step at a time, it shouldn't be all that overwhelming.

AboutBuster (http://www.malwarebytes.org/aboutbuster.php) is another alternative for getting rid of "About: Blank", but only if other problems accompany it, and only after a spyware scan. The problems can include receiving random pop-ups, and the home page usually being set to "About:Blank", or sometimes something similar to "res:///random".

Yet another annoying pest that is starting to become increasingly common is the nail.exe infection paired with the Aurora pop-up infection. It is nearly impossible to remove these regenerating infestations manually, so a 3rd party utility is extremely useful in this case.

The Spyware Removal Process

Now that you have been introduced to some of the spyware tools that are available, there is a general procedure of attack to rid your system of that pesky software.

First, identify any odd-ball applications listed in Control Panel > Add/Remove programs. You will need to be online to remove certain spyware applications because they require you to go to their website's uninstall interface. Read carefully! They try to trick users by using odd wording to keep the spyware installed. For example, it could say, "Are you sure you don't want to uninstall our software? Click yes or no." In this case, the answer is "No". Those double negatives can be confusing.

Uninstalling spyware with provided uninstallers saves a lot of hassle later down the road, however, the downside is that some of these uninstallers need an active net connection for the uninstaller to work. Either way, uninstalling everything you can as a first step saves hours of headaches if you do not want to reformat and reinstall the Operating System.

If you simply allow a spyware scanner to try to remove these strains of spyware that appear in "Add/Remove Programs", you will be left with bits and pieces on the hard drive and in various places in the registry. These left over pieces will have to be removed manually because they are no longer being detected as threats, but may still be reappearing, recreating themselves, and causing problems. So, make sure you uninstall items that are listed here, plus any additional packages that look suspicious:

- 180solutions
- B3D Projector
- BackWeb
- BargainBuddy
- CashBack
- ClickTheButton
- CometCursor
- CommonName
- DownloadWare
- eAnthology/eAcceleration
- Ebates Moe Money Maker
- GoHip
- Golden Palace Casino
- HotBar
- IEDriver
- Internet Optimizer
- IPInsight
- ISTBar
- MediaLoads
- MySearchBar
- N-Case
- NetworkEssentials
- New.net
- SaveNow
- SearchAssistant
- SubSearch
- TopText
- WeatherCast
- Win32 BI Application

Note that manufactured PCs come with many pre-installed applications. Do a quick Google search for the application name to see if it is software associated with the manufacturer, or a piece of possible spyware.

Next, go to Start > Run, type msconfig and hit enter. Once you have the System Configuration Utility open, go to the “Startup” tab and uncheck anything unfamiliar that you don’t want to load when the computer starts up. You do not need to reboot when prompted.

Next, make sure the detection definitions for Adaware, Spybot, and Microsoft AntiSpyware are up-to-date. Each of these tools has their own web update utility built into it. If the spyware infestation is really bad, go ahead and skip this step for now, but make sure you do eventually go back to perform the updates and rescan the computer with all three removal tools. Another option is to just download the updates, then boot in safe mode to perform the spyware scans.

There is no official order in which to use these programs. Personally, I usually start with Adaware since it's the fastest scanner, and usually removes a good chunk of spyware that may be slowing the machine down. This allows the other two utilities, which are resource intensive, to run a bit more efficiently.

If you have trouble getting rid of something, try booting up Windows in Safe Mode and scanning the computer with the above mentioned removal tools.

After the first set of spyware scans, be sure to clear the browser cache, history, AutoComplete forms, and temp files. Then reboot and run the spyware removal utilities again. There are actually components that are not always detected the first time through, especially if the count is over a dozen separate items.

Next, run the HijackThis utility. Details on its use were mentioned earlier, near the end of the "Scanning Tools" section. HijackThis can also help you identify self-regenerating pests so you can find the appropriate removal tool that will remove them.

When all's said and done, that’s the basic framework of a spyware removal procedure. The procedure can be altered and items swapped around when necessary, but this is one of the most efficient and effective removal procedures to make the most of your time and efforts.

The Last Word

Remember, using spyware removal tools and following specific spyware removal instructions are done so at your own risk, and have the potential to remove Windows components that are mistaken for spyware. Be wary of removal utilities, especially if they have not been thoroughly tested.

Another thing to keep in mind - there is a large amount of spyware removal applications out there that give you false positives or pick up on trivial items for the express purpose of enticing you to buy the application to remove the alleged spyware it detects. Do your research carefully on the spyware tool in question. All the tools listed in this article are legitimate and do a good job at removing real problems. What isn't included in the article cannot be vouched for and most often is not worth the money you would pay for it.

There are a significant number of people out there who firmly believe that just because something is free, there's a catch, but if you pay for something that appears to do the same thing that is offered for free, it just has to be better. This is not necessarily the case. Free alternatives are usually best explored first, and more often than not, they turn out to be equal to or better than purchasable alternatives.

All in all, there has been a huge amount of information thrown at you in this section. I hope it has gone to help you become more aware of spyware and ways to help protect yourself from it. Just be smart and aware of some of the things out there. Put your newfound knowledge to use and I guarantee you'll come out ahead of the game. Good luck!

Email SPAM

Every one of us deals with it - we go to check our email and, along with the messages we want from business contacts, friends and family, we download a bunch of unsolicited email advertising. Things like porn sites, medications, low-interest loans, and even the long lost secret of an adventurous love life. It's novel at first, but after, oh, a few seconds, it's annoying. To some, it is simply an annoyance and stays that way. You simply delete the email and move on with your life. This is the usual procedure for people who use email mainly for personal use. But, those of us with email addresses that are pretty public have this problem in a huge way. If you use your email for business, then likely your email address is on at least a few mailing lists and in people's address books. If you have had your email address for some time, it's probably gotten worse. But, on the far end of the spectrum, there are those who run internet websites and whose email addresses are very public. Large companies and internet businesses actually waste a lot of time and money due to this problem.

Let's take myself for example. On any given day, I used to download about 3,000 emails to my main email account. I would estimate that at least 90% of that is SPAM, and due to the filters I have set up, most of it is automatically placed in my "Deleted Items" folder. This amount is the result of quite a bit of work to bring the amount down, for PC Mechanic as a site receives closer to 50,000 emails every day. I, as the owner of the site, would normally receive the brunt of it. I did some configuration on the web servers to automatically delete much of it, then yet another level of server-side filters, and then yet another level of client-side filters on my local PC. So, every email goes through 3 levels of filter before it reaches my inbox, and yet I still have to delete many useless messages every day. As an aside, I would highly recommend the Cloudmark Desktop service (formerly Safetybar), from Cloudmark. It integrates with Outlook and has reduced my spam volume considerably.

Once email hit the scene, it didn't take long for mass marketers to recognize the usefulness of the medium. It makes its way to people's computers and it is free. No postage. Mailing lists are collected in a variety of ways. They even have little programs that will browse the web and harvest email addresses from public websites. This is, no doubt, how my email addresses have ended up on so many mailing lists. The medium being so new, it has remained essentially uncontrolled territory for quite a while. In 1999, there were the first attempts to propose legislation in the United States to control the problem. It went on until the passage of the CAN-SPAM Act in 2003, but the effectiveness of this legislation is certainly limited.

SPAM, then, is certainly a topic which is germane to almost everyone who reads this book. And in this book, I intend to cover the subject fairly thoroughly. I want to answer the question of what SPAM is exactly (it's a subject of some disagreement), who is sending it, how they get your email address, and ways you can prevent the problem. I would like to cover the subject of filtering and how you can set it up. In short, my aim is to give you the knowledge to have some control over SPAM rather than be the effect of it continually. It's not a problem that you can do away with, given the nature of the internet, but it is one you can control. Read on...

Why SPAM?

Yes, Spam is the name for that little blue can of processed "meat" made by Hormel you can find in the grocery store. The meat is junk, which is fitting, but I'm not sure if that's the source of the word we've grown so fond of. Actually, the generally accepted derivation for the word is a Monty Python skit. They had a skit in which a group of Vikings were singing "spam, spam, spam, spam" so loud and often that it drowned everyone out. In the early days of the internet, when the net was mostly populated by nerds of the classical sense, there were very few net surfers who didn't appreciate Monty Python, so I guess the word caught on and I can see the correlation.

When we hear the word SPAM, our first thought is unsolicited junk mail. For most practical purposes, this covers it. But, some have simply defined it as "unsolicited email". This is an incomplete definition simply because most of us get emails every day we didn't directly ask for. It's simply not plausible for each of us to give people a call and say "Hey, send me an email." It's silly. Others have said SPAM is email coming from an unknown source. Again, this is incomplete because people receive emails every day from people they do not know. If I only accepted emails from people I knew, then anybody reading this book or visiting PC Mechanic at all could never email me. What most people mean when they think of SPAM is simply annoying email. If they find the email annoying in some fashion, then it's SPAM. This definition gets a little closer, but it is still left to the preference and mood of the recipient and, for this reason, is not a very useful definition. For example, PC Mechanic sends out a Tip of the Day every day. There are always a few people who say we are spamming them and they take themselves off the mailing list. There is nobody on our mailing list who did not directly sign themselves up for it. Therefore, it is not unsolicited at all, but that particular day they found our Tip of the Day annoying and therefore, to them, it is SPAM. Again, a very useless definition. How about "unsolicited bulk email" as a definition? Close, but again there are caveats. If I receive an email from my bank or some other company who provides a service to me, then chances are the email is unsolicited. I didn't ask them to send me emails. But, at the same time, I have a business relationship with them and therefore it is reasonable that I would receive occasional emails from them.

Get the point? Determining whether an email is SPAM or not is a gray area and is, to a large degree, in the eye of the beholder. Perhaps the most accurate definition would be "unethical mass email". Ethics is that effort on each person's part to perform the most good for the greatest number. So, on the reverse side of this, if you have a mass email which offends the ethical sense or netiquette of a majority of internet users, it is probably SPAM. Therefore, any email sent individually to a person is not SPAM; it is not a mass email. But, a commercial email (one advertising a product or service) can be if it does the following:

1. Sent blindly to a large mailing list without any form of targeting. Usually, this type of SPAM will be sent to thousands, even millions at a time with the expectation that maybe a few dozen will respond to that ad, whether accidentally or stupidly. These kinds of emails are not of any interest to probably 99% of the people receiving them, and are thus unethical.

2. Sent with spoofed headers. The email header is a block of information appended to the beginning of every email. Think of every email as a packet of information. The body of that packet is what you read in your email client. The header is generally not seen by you when you read the email (some email clients allow you the option to view them), but is useful to the network of servers on the internet which are responsible for delivering the email to you. The header contains the sender of the message, their return address, the subject line, the originating IP address and more. Well, SPAM messages often spoof the headers or use invalid headers. The result is an email which is untraceable or which looks like it was sent from a place where it was not.

3. Does not contain an opt-out option. Any kind of mass mailing MUST contain a working method of unsubscribing from the mailing list.

4. Is not sent on a list requiring double opt-in. A well managed mass email list will require double opt-in, meaning after the email address is entered, the subscriber receives a confirmation message via email which requires them to perform yet another action to finally subscribe themselves to the list. That action may be to follow a web link or to simply reply. Any other method is unethical, not to mention insecure, because then anybody could sign anybody else up for any mailing list.

5. Performs any kind of tracking or other action. Email messages are often opened by the recipient without them even knowing anything about it. When you click the subject line in your email client, it shows up in the preview window. Even if it shows there for less than a second, it counts as opening the email. Thus, any email which contains any code which executes on the user's machine, sets a cookie, or otherwise performs any tracking is unethical and potential SPAM. It should be noted that the use of tracking is ethical if the recipient directly signed up for the list, although such tracking should be mentioned in the website's privacy policy.

6. Is sent using email harvesters. An email harvester is a software robot which spiders websites across the internet looking for email addresses. These email addresses are usually on "Contact Us" pages and the like, allowing visitors to legitimately contact the site's author. Harvesters collect these email addresses and save them in a database, thereby allowing the mailing list to be used and re-distributed to others.

7. Is sent using an open relay server or unprotected form mail scripts. Legitimate emails do not have to hide their identity and usually send through a legitimate source. Using an unsecured relay server (sometimes called an injection point) or form mail script is unethical.

SPAM is sent usually by someone who wants to sell you something. Sometimes these are companies, but more often, these are individuals or fly-by-night small businesses. Sometimes these entities go to a third-party company who they then pay to send a bulk mail on their behalf. Most of the time, these third party bulk email companies are ethical and will seek to enforce anti-spam regulation on their clients. But, other times spammers will use simple home computers to send their bulk email. Computer security experts estimate that as much as 30% of all spam is relayed using compromised home PCs located around the world in home offices and living rooms. These computers are not necessarily set up for the purpose of spamming, but could be vulnerable to outside control, which thus allows the unethical spammer to use that PC as a relay. (more on securing your computer against this later in the book).

But, who is the typical spammer? Usually they are an individual person. They are predominantly male, around 16-35 years old. They are usually living in or working from their home. They are usually technically competent, and you would need to be to devise ways to send emails using other people's computers. Sometimes, a spammer will be involved with other illegal activities such as credit card fraud. Almost all of them consider their "business" to be harmless and see absolutely nothing wrong with what they do. Properly set up, a single spammer can send millions of emails every single day. A well-known spammer by the name of Ronnie Scelson boasts that he can send as much as 84 million emails every day. They use software like News Blast, Mailbomb or Prospect Mailer. Some spammers will have software custom written to send their bulk mails. Spammers generate income based on sales or leads, so the more emails they send out, the better. Even though nobody really wants spam in their inbox, a few still respond and this is what keeps the spammer in business. For any given 1 million bulk emails, maybe 100 or 150 will respond to it, which is a sales lead or even an actual sale for the spammer. The spammer's products might be by way of drop shipping or something similar. Some take clients who pay them to send spam, so the spammer will make money for sales leads or simply for the service of having sent the bulk mail. A good spammer can generate a decent income from this practice; some earn as much as $100,000 per year.

Ronnie Scelson, as I mentioned above, is a well-known and notorious spammer. Based in Louisiana, he is known as the "Cajun king of spam". He is a high school dropout, early thirties, married with 3 kids. In a USA Today profile, he says "I hate spam as much as the next guy. What I do is not illegal. It's the people who spam sex, Viagra and get-rich-quick schemes that give commercial e-mailers a bad name." The article goes on to reveal a man who lives life on the edge, constantly trying to out-flank anti-spam forces online. He chain-smokes. He claims to send out 60 million to 70 million emails per day. He has no qualms about what he does. He says he provides all recipients an option to remove themselves from the mailing list, does not hide behind forged email addresses, and leaves contact info in the email. He has testified before the US Senate about spam, but says openly that if any anti-spam legislation is passed which affects his business, he will simply move offshore.

Scelson makes a good income in the business, too. He works from a home office, but has a dozen rack-mounted servers on 24 hours per day, going through 165,000 emails per hour in order to weed out the roughly 16% that are actually legitimate addresses. He sends those emails to servers located throughout the US, China, South America and Europe. He says he sends them an automated message asking them if they want spam, and if they say yes, he will send them bulk emails. Otherwise, he says he leaves them alone. He charges clients anywhere from $10,000 to $50,000 per month to send their ads, and Scelson estimates he makes $30,000-$40,000 per month in profit. He has a staff who help fend off anti-spam attacks and maintain his various operations around the world.

Scelson is an extreme case of a bulk mailer, and is not really a typical case. But, his notoriety has earned him a threat-filled life, one in which he keeps a 9mm handgun right next to his computer. Scelson has been kicked off of numerous networks and has sued to stay on others. His costs and legal fees forced him to file for Chapter 13 bankruptcy in March of 2003, claiming $500,000 debt.

While Scelson may escape many of the anti-spam tactics, others are not so lucky. There are an estimated 2,000 spammers in the United States. Many companies spend millions battling SPAM. Microsoft and AOL have had strong anti-spam efforts. Earthlink has pending legal action on a long list of known spammers. A spammer named Howard Carmack, known as the "Buffalo Spammer", was sentenced to 7 years in jail on 14 counts of identity theft and forgery in 2004. He was estimated to have sent 850 million emails. Earthlink won a judgment of $16.4 million against Carmack, who was accused of using stolen credit cards to sign up for Earthlink accounts and then using those accounts to send spam.

Some other spammers you can check out are Scott Richter, "Captain Bob",

You can research spammers on your own using the ROKSO database, hosted by the SpamHaus Project. The Register of Known Spam Operations (ROKSO) is a database of spammers which have been terminated by a minimum of 3 ISPs for spam offenses. Each member of the list has detailed information, including their aliases, media stories on them, etc. They even mention which other spammers they are partnering with, something that occurs rather frequently in the spammer community. According to the ROKSO site, 80% of spam received by users in North America and Europe "can be traced via aliases and addresses, redirects, hosting locations of sites and domains, to a hard-core group of around 200 known spam operations ("spam gangs"), almost all of whom are listed in the ROKSO database". This is a very interesting database.

Understanding SPAM

In order to understand a SPAM message and how to best prevent them, one needs to know a little bit about how an email works in general. One doesn't usually think about it. They just type their message along with a "to" address, and it miraculously arrives on the other end. But, how does that work? Well, ironically, one can compare it to postal mail, in a way. When you send snail mail, you have the message in an envelope. The envelope has a return address and an address to send it to. You put it in your mailbox, the postman picks it up, and it is sent. The postal service is the relay for the message, and your letter moves through the system, from terminal to terminal, until it arrives at the recipient. Email messages, too, contain a header which serves as the "envelope" for the message. It contains the sender's name, the return address, the subject line and where the message is going, along with a bunch of other information. When you send the message, it is sent via a mail host server. It uses a protocol called SMTP to transfer the message. It transfers over the internet, each mail server it hits reading the headers and moving it along. It finally reaches a mail host at the recipient's ISP, where it sits until the recipient logs on, checks their email and downloads it from the server.

To demonstrate, I sent a message from myself to myself and below are the headers for that email:

Return-Path:
Delivered-To: pcmech-pcmech:[email protected]
X-Envelope-To: [email protected]
Received: (qmail 13463 invoked from network); 17 Jan 2005 15:14:23 -0000
Received: from relay01.pair.com (209.68.5.15) by qs194.pair.com with SMTP; 17 Jan 2005 15:14:23 -0000
Received: (qmail 87092 invoked from network); 17 Jan 2005 15:14:22 -0000
Received: from unknown (HELO drisley) (unknown) by unknown with SMTP; 17 Jan 2005 15:14:22 -0000
X-pair-Authenticated: 67.8.75.220
From: "David Risley"
To:
Subject: hello
Date: Mon, 17 Jan 2005 10:14:15 -0500
Message-ID: <040e01c4fca7$355c83d0$6601a8c0@drisley>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
X-Spam-Filtered: 0dcc1a651a10c4b8d1dd774df3024376
X-Spam-Status: No, hits=-2.4 required=3.5 tests=SUB_HELLO,BAYES_00
X-Spam-Flag: NO
X-Spam-Level:

Now, some of these headers are not very important to the discussion at hand. But, some are very important to your understanding of SPAM. These are:

1. Return-Path. This is the email address from which the email was sent. Most of the time, this is a more trustworthy indication of the sender, because it is very easy to manipulate the "From" header. However, it is still possible to forge the return path, so in the case of SPAM it cannot really be trusted.

2. From. This contains the name (in quotes) and the email address of the sender. This information is controlled by the email client and can be very easily altered. In other words, just because an email has "Paypal" as the From name, don't assume it came from Paypal.

3. Received. This field describes the routing of the email message from the sender to the recipient. Each header line marked "Received" records one hop in the path the message took to reach you. In the example above, you can see that the number of hops is very low, and that is simply because I was sending the message to myself. In other cases, you may see more hops. In the case of SPAM, you can sometimes use this information to see where a message came from. I say "sometimes" because not all mail hosts actually add their record to the headers as the message passes through them, so this record is not always a complete picture of the path the email took. Lastly, one often sees the word "HELO" in this field. This is the name the sender reported to the SMTP server when it connected to send the mail. It can be forged, so it is not reliable.

4. X-Mailer. This is a record of the software which was used to send the email.

5. Reply-To. This is the name and email address to which a reply would be sent if you hit the Reply button in your email client. This information is very easy to alter, but at the same time you can look for instances where the From data does not match the Reply-To data.

6. Date. This is simply the timestamp for the message, or when it was sent. The stamp is relative to GMT and will contain an offset. In the example above, you can see the offset is -0500, meaning 5 hours off GMT. This is because I am located in the Eastern time zone. It is set by the mail host's internal clock, which may or may not be set correctly. Also, in the case of SPAM, you can look for Date headers which are messed up. They may give a time zone offset which places the sender in the middle of an ocean, or use a mangled timestamp that just doesn't fit the correct format (for example, a year beginning with 0).
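The following Python script is an added example, not part of the original book. It pulls the fields just discussed out of a raw message using only the standard library: it walks the Received headers oldest-first (each relay prepends its own line, so the last one in the header is closest to the origin), reports the HELO name and connecting IP at each hop, checks whether Reply-To points somewhere other than From, and sanity-checks the Date offset against the range real time zones use. The sample message, its hosts, addresses and IP numbers are constructed for the example and modelled on the header layout shown above.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, laid out like the real headers above. Hosts, addresses and IPs
# are made up; the qmail-style line shows a Received header with no "from ... by" pair.
RAW_MESSAGE = """\
Return-Path: <bulk@example.net>
Received: (qmail 13463 invoked from network); 17 Jan 2005 15:14:23 -0000
Received: from relay.example.org (203.0.113.7)
  by mail.example.com with SMTP; Mon, 17 Jan 2005 10:14:23 -0500
Received: from unknown (HELO drisley) (198.51.100.9)
  by relay.example.org with SMTP; Mon, 17 Jan 2005 10:14:22 -0500
From: "Paypal" <service@example.net>
Reply-To: collect@example.org
To: user@example.com
Subject: hello
Date: Mon, 17 Jan 2005 10:14:15 -0500
X-Mailer: Microsoft Outlook, Build 10.0.2616

This is the body.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"                     # host as announced, or as resolved by the relay
    r"(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?"     # the HELO name, when the relay records it
    r"(?:\s+\((?P<paren>[^)]*)\))?"             # usually the connecting IP address
    r".*?\bby\s+(?P<by>\S+)",                   # the relay that wrote this line
    re.IGNORECASE,
)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse(raw):
    return email.message_from_string(raw)


def _flat(value):
    """Join a folded header onto one line so the regex does not trip over indentation."""
    return " ".join(str(value).split())


def received_hops(msg):
    """Relay chain oldest-first: one dict per Received header that names a from/by pair."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(_flat(value))
        if not m:
            continue   # lines like "(qmail ... invoked from network)" name no relay pair
        ip = IPV4.search(m.group("paren") or "")
        hops.append({"from": m.group("from"), "helo": m.group("helo"),
                     "ip": ip.group(0) if ip else None, "by": m.group("by")})
    return hops


def reply_to_mismatch(msg):
    """True when replies would go somewhere other than the apparent sender."""
    from_addr = parseaddr(_flat(msg.get("From", "")))[1].lower()
    reply_addr = parseaddr(_flat(msg.get("Reply-To", "")))[1].lower()
    return bool(reply_addr) and reply_addr != from_addr


def date_anomalies(date_header):
    """Flag a Date header that is malformed or claims a UTC offset no time zone uses."""
    try:
        stamp = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return ["Date is missing or not in RFC 2822 format"]
    problems = []
    offset = stamp.utcoffset()
    if offset is not None:
        hours = offset.total_seconds() / 3600
        if not -12 <= hours <= 14:           # real zones run from UTC-12 to UTC+14
            problems.append(f"UTC offset {hours:+.1f} h is not a real time zone")
    return problems


if __name__ == "__main__":
    message = parse(RAW_MESSAGE)
    for hop in received_hops(message):
        print(f"{hop['from']} (HELO {hop['helo']}, IP {hop['ip']}) -> {hop['by']}")
    print("Reply-To differs from From:", reply_to_mismatch(message))
    print("Date problems:", date_anomalies(message.get("Date", "")))
```

Run as-is it prints the two relay hops, reports the From/Reply-To mismatch, and finds nothing wrong with the Date. Remember the caveat from the text: every one of these fields can be forged, so the output is a starting point for a look, not proof of origin.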

In the case of SPAM, much of this header information can be and usually is forged. For example, they can spoof the host name or the HELO when the message is sent. They can also add bogus "Received" lines to give the message a false routing history. The From names and return addresses are EXTREMELY easy to alter, and any of us can do so right now by entering different names into the email profiles in our email clients (Outlook, Thunderbird, etc.). The HELO names are pretty easy to change given the right software, and the routing of the message can be forged as long as the computer that sends the mail is set to allow it. Open relay servers or open proxies usually give free rein for this. An open relay is a server which will accept email from anyone to send to anyone. Basically, it acts as a public bounce point for all emails, and spammers can make ample use of them. In the earlier days, relay servers were everywhere, but as SPAM has become more of an issue, the pool of relay servers has dropped quite a bit. Most system admins now have some kind of security on their mail relay servers, usually requiring some kind of POP3 login from an allowed machine in the same domain before allowing mail through. ISPs do this routinely, meaning you must log in and check your email before you can send your email, thus giving the ISP proof that you are truly a customer of theirs before allowing you to use their relay server.

As relay servers have become fewer, spammers have found a more effective alternative: the open proxy, sometimes called a "zombie". Zombie machines are usually Windows-based machines belonging to innocent and unwitting home users who, due to lack of proper security, have left their computer open to the installation of special software (through the use of trojans, viruses and other such things). These machines are usually connected to the internet via cable broadband or DSL, which by their very nature are always on. A PC connected this way with no security can be used to send spam all day long and the PC's owner will never know it's happening. The recipient of the SPAM sent through the machine cannot trace the message back any further than the zombie machine, because the zombie can be set up to use "direct-to-MX" routing, whereby the outgoing mail is simply sent without any trace of the email in the zombie's email log. In other words, if your PC was serving as a zombie, you would have no record anywhere of the outgoing emails. The FTC estimates that as much as 30% of all SPAM is sent through the use of zombies.

Some spammers use offshore ISPs to send their mail, usually because these offshore ISPs are not exactly reputable in many cases and, therefore, don't implement proper security. In some countries, the system admins are just not as picky about their ethical standards. Plus, they are usually more in need of money and therefore will offer less secured accounts for less money. Popular sources for these accounts are China, South Korea, Indonesia, Malaysia, as well as countries in the Eastern Rim, South America and the former Soviet bloc. Sometimes, as these countries find themselves trying to become a more legitimate member of the new information economy, they get more interested in controlling this problem and start playing nice with the rest of the internet. Other countries, though, don't seem to change. China, for example, does not seem particularly interested in controlling its network traffic when it comes to spam, pornography, stolen software and other such items, while at the same time it moves heaven and earth to keep its own citizens from accessing the internet with any freedom.

Another trick spammers use to send email is improperly secured form mail scripts. Form mail is the name for a specific program which accepts input from a web-based form and delivers the results via email. There are many such scripts out there other than Form mail. Many webmasters will use forms to control their level of spam. Rather than display their email address publicly on the web (which leaves it open to email harvesters), they use a form. The website visitor fills in the form and when they submit it, an email is sent behind the scenes to the webmaster. However, an improperly programmed delivery script can be open to being hijacked by spammers to send mail to anyone. And these server-based mail delivery scripts offer the programmer full control over the email headers, so a spammer who is able to take advantage of one can send their emails, and those emails will not be traceable at all. Any form-to-mail script on the internet needs to be properly programmed to verify the originator of the data as well as keep a record of the originating IP address. Also, it is a good idea to NOT have the TO address of the email in the web form as a hidden field, but to instead have the TO address coded right into the script itself.
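To make the three requirements at the end of that paragraph concrete, here is a form-to-mail handler written as an added example (it is not the book's code and not any particular FormMail product). The recipient address is a constant in the script rather than a hidden form field, so a "to" field posted by a spammer is never even read; the submitting page's origin is checked against an allowed list; a CR or LF in any header-bound field is rejected, because that is how a visitor could append extra recipient headers of their own; and the originating IP is recorded both in the message and in an audit line. The recipient, the allowed origin and the form fields are constructed for the example.

```python
import re
from email.message import EmailMessage
from email.utils import formataddr

# The destination is fixed in the script. It is never read from the form, so a posted
# "to" or "cc" field cannot turn the script into a relay. (Assumed site owner address,
# made up for this example.)
RECIPIENT = "webmaster@example.com"
# Only submissions from our own site are accepted (constructed origin).
ALLOWED_ORIGINS = {"https://www.example.com"}
LIMITS = {"name": 100, "email": 254, "subject": 200, "message": 5000}
NEWLINE = re.compile(r"[\r\n]")
ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class RejectedSubmission(ValueError):
    """Raised for anything that should be logged and dropped rather than mailed."""


def header_safe(value, limit):
    """Bound a value destined for a header. A CR or LF would let the visitor append
    headers of their own (extra Bcc recipients, say), so it is refused outright."""
    if NEWLINE.search(value):
        raise RejectedSubmission("line break in header field")
    value = value.strip()
    if len(value) > limit:
        raise RejectedSubmission("field too long")
    return value


def build_message(form, client_ip, origin):
    """Turn a submitted form (dict of field name -> value) into an EmailMessage.

    Fields the script does not know about (such as a smuggled "to") are never consulted."""
    if origin not in ALLOWED_ORIGINS:
        raise RejectedSubmission(f"submission from unexpected origin {origin!r}")
    name = header_safe(form.get("name", ""), LIMITS["name"])
    sender = header_safe(form.get("email", ""), LIMITS["email"])
    subject = header_safe(form.get("subject", "Website contact"), LIMITS["subject"])
    body = form.get("message", "")[: LIMITS["message"]]
    if not ADDRESS.match(sender):
        raise RejectedSubmission("visitor address is not a valid mailbox")

    msg = EmailMessage()
    msg["To"] = RECIPIENT
    msg["From"] = RECIPIENT                 # sent as ourselves; the visitor goes in Reply-To
    msg["Reply-To"] = formataddr((name, sender))
    msg["Subject"] = subject
    msg["X-Originating-IP"] = client_ip     # record of who submitted the form
    msg.set_content(f"Contact form submission from {client_ip}\n\n{body}")
    return msg


def audit_line(msg, client_ip):
    """One log line per accepted submission, so abuse can be traced back later."""
    return f"{client_ip} reply-to={msg['Reply-To']} subject={str(msg['Subject'])!r}"


if __name__ == "__main__":
    sample = {"name": "Alice", "email": "alice@example.org", "subject": "Hi", "message": "Hello"}
    built = build_message(sample, "192.0.2.10", "https://www.example.com")
    print(audit_line(built, "192.0.2.10"))
    print(built)
```

The script deliberately sends the mail as itself and puts the visitor's address in Reply-To: the visitor's input never becomes a From header, and replies still reach the right person.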

Identifying SPAM

In looking at a SPAM message, we need to also look at the body of the message and some of the things often done to entice, throw off, or fool the recipient into responding. Let's look at the biggies:

Hidden URLs

Some spammers will make use of various forms of encoding to hide URLs or fool users into clicking on URLs they would not otherwise click on. Many will use IP addresses rather than domain names, thereby obscuring the nature of the target site from the user until they actually visit it. However, one can use the "nslookup" tool on their computer to get the domain itself in many cases (more on this later). Sometimes they will encode the IP address in escaped characters, meaning the ASCII or HTML special character code for the item. Other spammers will use the little-used user ID field of the URL to fool people. For example, sending a browser to "http://www.notspam.com@10.10.10.10/" is, to a browser, the same as going to 10.10.10.10 with a username of "www.notspam.com". The site will usually ignore the user field, so there you are staring at 10.10.10.10. Most users, though, would believe they are going to www.notspam.com. Relatedly, some spammers will make use of other IP ports. Typically web traffic comes in on port 80, which is used for HTTP transactions. But if a spammer links you to "www.notspam.com:2000", then they are routing you to port 2000 rather than 80. If the spammer has some kind of control placed on port 2000 on that server, then you just got "had".

Two other very common URL tricks are redirectors and deceptive HTML links. There are URL addresses out there whose only purpose is to redirect to another web address. They can give the click-through URL a legitimate-looking name, but clicking on it would route you somewhere else. Lastly, since much SPAM is in HTML format, the email can contain a link which is shown as the traditional blue, underlined text, but actually clicking on it takes you somewhere else entirely. The way to protect yourself against this is to "View Source" on the message by right-clicking and choosing "View Source". Look in the HTML for the link tag, which has the form <a href="reallink">shown link</a>; whatever is in place of the "reallink" text is where you will actually go if you click on that link. This is a common trick in deceptive emails trying to get sensitive information from users. For example, emails that appear to come from eBay or Paypal will claim to have a problem with your account and need you to click on a link to verify your information. The link and the email will appear official, but viewing source on that email will reveal unrecognized IP addresses. It is very apparent, in these cases, that such emails are deceptive hoaxes designed to get you to give your account information to the spammer.

Javascript in Message Bodies

Some spammers will insert javascript into their messages in order to track users and avoid spam detection. For example, a javascript could be programmed to detect the user's IP address, OS and browser and then send back a message which looks like a regular email. Behind the scenes, the spammer just learned a little bit about you. Or they could use javascript to disable the right mouse button on your HTML emails, thereby keeping you from viewing source in the traditional manner. It is, however, still pretty easy to view source. You can use the top menu option to view source (if your email client has one), or you could simply save the email as an HTML source file on your computer.

Random Characters

Quite commonly spammers will insert random characters into the subject line or message body so that the message will slip through spam detection. For example, take this subject line:

S'up'er L'ow P'ri'ces For Yo'ur M'ed'ic''ation ! YJOR

Obviously, they are advertising online medication, but with the random characters, they are hoping to keep spam-detection tools from recognizing those common spam keywords such as "low prices" and "medication". Very lame, but very common. Sometimes they will simply randomly misspell words that are commonly flagged, such as "v1agra" rather than "viagra".

Email Addresses in Links

Spammers like to know if their emails are being opened by anyone. They also like to know who is opening them. In this way, they can flag your email address as valid and continue to spam it with the knowledge that it is a good address. One way of doing this is to append your email address to any link contained in the email message. It may be either directly appended or appended in URL-encoded form. When you click that link, the spammer knows who clicked on it. Another way is to have a zero-size or 1x1 image embedded into the email. The image is not really a simple image but is actually a small script which is taking your email address and updating some database that your email is good.

Personalization

In order to entice you to open their email, the spammer has to trick you into thinking it is legitimate. One way to do this is to address you by name. If they do not have your name, they may use a portion of your email address and see if they get lucky. Another method is to use a subject line which you may think is directed to you. Subjects like "Payment Past Due" or "Important Notice About Your Account" are common. These aren't really tricks, but more a form of social engineering.

Dirty HTML

Some spammers will take advantage of the fact that some HTML simply does not render on the user's screen. For example, an opening and closing bold tag with nothing between them ("<b></b>") would not show up to the user. However, injected right into the middle of a commonly filtered word, it may fool some filters into missing it and allow the email through. For example, the word "mortgage" might get filtered, but the word "mort<b></b>gage" might not. Sometimes they may use heavily nested tables which do not show on the user's screen but may fool the filter. Another trick is to inject bogus text, many times colored the same color as the background, to make the email seem legitimate to filters which weigh the spam score. So, if the body of the email that you see is advertising a low-interest loan, but invisibly it is showing a long diatribe of text which is of an innocent nature, that email may slip through the filters.
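The counter to both the "random characters" trick and the "dirty HTML" trick is the same: normalize the text before matching keywords, so the filter sees what the reader sees. The function below is an added example, not the book's code and not any particular filter product. It drops empty tag pairs that sit inside a word, removes other inline tags without splitting the word, treats block-level tags as word boundaries, strips the stray apostrophes and quotes, undoes digit-for-letter substitutions only where the digit sits between letters (so "Room 101" is left alone), and then matches a constructed list of filtered phrases. The invisible same-colour text the paragraph also mentions needs CSS interpretation and is not handled here.

```python
import html
import re

# Phrases a content filter might score (constructed list; the ones the text mentions).
FILTERED_PHRASES = ["low prices", "medication", "mortgage", "viagra"]

EMPTY_TAG_PAIR = re.compile(r"<([a-z][a-z0-9]*)\b[^>]*>\s*</\1\s*>", re.I)   # mort<b></b>gage
BLOCK_TAG = re.compile(r"</?(?:p|div|br|tr|td|th|li|ul|ol|table|h[1-6])\b[^>]*>", re.I)
ANY_TAG = re.compile(r"<[^>]+>")
QUOTE_CHARS = re.compile(r"[\'\"`]")                          # the "random characters" trick
LEET_IN_WORD = re.compile(r"(?<=[a-z])[01345@$](?=[a-z])")    # only substitutions inside a word
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}


def normalize(text):
    """Reduce an obfuscated subject line or HTML body to the words the reader actually sees."""
    text = EMPTY_TAG_PAIR.sub("", text)        # a tag pair inside a word disappears entirely
    text = BLOCK_TAG.sub(" ", text)            # block-level tags separate words
    text = ANY_TAG.sub("", text)               # inline tags (<b>mort</b>gage) do not
    text = html.unescape(text).lower()
    text = QUOTE_CHARS.sub("", text)           # S'up'er -> super
    text = LEET_IN_WORD.sub(lambda m: LEET_MAP[m.group(0)], text)   # v1agra -> viagra
    text = re.sub(r"[^a-z0-9\s]", " ", text)   # remaining punctuation becomes a boundary
    return " ".join(text.split())


def matched_phrases(text):
    """Which filtered phrases survive once the obfuscation is undone."""
    normalized = normalize(text)
    return [phrase for phrase in FILTERED_PHRASES if phrase in normalized]


if __name__ == "__main__":
    for sample in ["S'up'er L'ow P'ri'ces For Yo'ur M'ed'ic''ation ! YJOR",
                   "Refinance your mort<b></b>gage today",
                   "cheap v1agra &amp; m0rtgage deals"]:
        print(repr(normalize(sample)), "->", matched_phrases(sample))
```

Normalization of this kind is why the "very lame" tricks stop working against a maintained filter; it is also why a filter can hit legitimate mail that happens to contain one of the phrases, which is the false-positive problem taken up in the filter section.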

Use of Affiliate Sites

In this practice, the spammer may sign up for an affiliate program and then set up their own website to promote it. Then they can spam advertising this website and therefore shield themselves from automatic notice when being reported for spam. The spammer earns a commission on sales, and the company hosting the affiliate program benefits from a large network of resellers. This kind of practice is very common on porn websites. These sites offer galleries of some variety and then provide an affiliate link to a larger website on which you need to pay. Any link in an email which is passing an affiliate ID in it is more likely to be spam.

How Did You Get Spam In the First Place?

We've all experienced this. You sign up for a brand new email account, maybe having switched internet providers. You are getting no spam because nobody knows your email address. But, over time, you begin to get more and more spam until, before too long, it's as if you never changed your email address. It can leave you baffled. How the hell did they get my email address?

There are many ways you could end up on a spam list. If you are an internet surfer and enter your email address into various websites, that could be your opening. It is always best to check out a website's privacy policy before giving them your email address. Ensure that they will not give your email address to any third party.

The most common way that spammers get your email address, though, is email harvesters. Harvesters are programs which are designed to browse the web just as a search engine's spider would. As they do so, they search all webpages for email addresses and record those email addresses into a database. So, if you run a website and your email address is posted on the website, you can bet your life on the fact that it will be picked up by an email harvester and find its way to a spammer's email list. But, even if you don't host your own website, it can still happen. Ever posted in an online forum? Some forum packages do not mask your email address, leaving it wide open for harvesters. If you ever posted to a newsgroup, you may have leaked your email address that way. These email catcher programs harvest Usenet posts as well. Some spammers also use websites to collect email addresses. Sites like porn sites, some dating sites, greeting card sites, joke mailing sites and other such sites sometimes serve as fronts for spammers. They run the site and when you sign up, they get your email address.

Once you've been picked up by one spammer, chances are you will end up on a bunch more. Spammers make common practice of buying and selling mailing lists.

Lastly, if you've ever gotten fed up and actually followed a spammer's method of unsubscribing, you just confirmed your email address to them. In almost all cases, the unsubscribe notice given by a spammer is not provided in good faith. They are not likely to sit there and honestly remove your email address from their list. After all, you don't know who they are. You can't exactly go to the spammer's website and complain. Instead, they get an unsubscribe notice from you and they say "Bingo!, we have a valid email address!". You just guaranteed you will get more spam.

Spam Damaging Your Computer?

There has been a lot of lore about a spam message giving your computer a virus and causing all kinds of problems. But, does it actually happen? If the email you received is in text format, the answer is most definitely no. A text message cannot harm your system in any way, so while it may be annoying, you do not have to worry about it. However, if you receive an HTML message (and most spammers do use HTML), there is a possibility that there is some harmful code in that email. Many HTML-capable email programs do run code inside of an email without warning you. A spammer could use this code to launch pop-ups, cover their own tracks, or for more dangerous activities. Properly coded, and if you don't have adequate protection, a spammer could implant a virus on your machine which then sets you up as a zombie (see above). A virus could also potentially install a keystroke macro, meaning anytime you press certain key combinations, you will get some ad or other thing.

Another potentially dangerous practice is phishing. This is not dangerous because it can install software on your computer. It is dangerous because, through social engineering, it could trick people into giving up sensitive information such as log-ins, social security numbers, bank account numbers, etc. The way it works is that the phisher will create an email which is designed to look like it came from a well-known website. eBay and Paypal are common targets. The email that is sent is designed to look like it came directly from eBay or Paypal (for example). They usually say something like they need to confirm your information because of a server problem or some routine maintenance. In short, they say there is some problem with your account and they need info from you. If you click the link and go to their website, it is a look-alike copy of the original website. However, if you filled in the form, your info would NOT be going to the company allegedly sending the email. It goes right to the phisher's database, and the phisher may then turn around and sell it to criminals. After all, the phisher is a criminal.

How can you identify a phishing email? It's not difficult.

1. If the email contains a form to fill out, do NOT fill it out. Forms in email are about the most insecure and dangerous thing you could fill out.

2. If they send the form as an HTML file attached to the email, do not fill it out.

3. If the email looks like it came from eBay or Paypal, view source on the message and see if the images or the form indeed lead to the correct website. Many times, the URLs will have the target website's name within the URL, but the actual domain which you would go to is not the proper one. You may also find that the form is submitted to an IP address.

4. Phishers aren't always the brightest bulbs in the box. Even though they try to make the email look official, many times it's very obviously a fake. Sometimes they send the email with broken images. Sometimes the text will all be in default Times New Roman. They're just very bad renditions of an email, and you know the real company would not send that.

5. Do not be fooled by the return address. Many times the email you see as the return address will be a valid email address of the target company. However, as discussed above, it is all too easy to manipulate an email's headers.

6. If you do happen to click the link to the website, look at the URL in your browser's location bar. Ensure it is the site you intend and is a secure form.

7. Many times the address in a phishing email will be an address which uses a port other than port 80. Port 80 is the standard data port for a web server. If the domain is going in on another port, suspect it. They may be doing that in order to avoid search engine detection.

8. This one is point blank: no bank, eBay or Paypal or any similar site will ever send you an email with a form in it or ask you to send your login information. If you get such an email, it is NOT from them. If you are unsure, simply log in to your account on that site (not from the phishing email...the real thing) and check your account.
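Items 1, 3 and 7 of this checklist, together with the "Hidden URLs" and "Email Addresses in Links" tricks described earlier, can all be checked mechanically from the message source. The script below is an added example (not the book's code, and not any email client's built-in logic) that does exactly that with the standard library: it collects every link, form and image from an HTML body, then flags the user-info trick ("www.notspam.com@10.10.10.10"), bare IP hosts, percent-encoded host parts, non-standard ports, a brand name that appears in the URL while the real host is elsewhere, a link whose visible text names a different site than its href, a link carrying the recipient's own address (plain or URL-encoded), any form at all, and a remote 1x1 image. The HTML body, the "brand" domain (example.com stands in for the impersonated site) and the recipient address are constructed for the example; 10.10.10.10 and www.notspam.com are the text's own illustrations.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

# Constructed HTML body containing one instance of each trick discussed in the text.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://www.example.com.phish.test:2000/login">click here</a>
to confirm your details, or visit <a href="http://www.notspam.com@10.10.10.10/">http://www.notspam.com/</a>.</p>
<p><a href="http://track.example.net/c?e=user%40example.org">View offer</a></p>
<form action="http://198.51.100.5/verify"><input name="password"></form>
<img src="http://track.example.net/p.gif" width="1" height="1">
"""


class _Collector(HTMLParser):
    """Gather <a href> with its visible text, <form action>, and <img> attributes."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self.images = [], [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self.forms.append(a.get("action", ""))
        elif tag == "img":
            self.images.append(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def url_flags(url, brand_domain, recipient):
    """Reasons a single URL looks deceptive; an empty list means nothing stood out."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return ["URL does not parse"]
    host = (parts.hostname or "").lower()
    flags = []
    if parts.username is not None:
        flags.append(f"user-info trick: shows {parts.username} but goes to {host}")
    if IPV4_HOST.match(host):
        flags.append("bare IP address instead of a domain name")
    if "%" in parts.netloc:
        flags.append("percent-encoded characters in the host part")
    if port not in (None, 80, 443):
        flags.append(f"non-standard port {port}")
    if brand_domain in url.lower() and host != brand_domain and not host.endswith("." + brand_domain):
        flags.append(f"mentions {brand_domain} but actually goes to {host}")
    if recipient.lower() in unquote(url).lower():
        flags.append("carries the recipient's address (confirms it is being read)")
    return flags


def analyse_message(html_body, brand_domain, recipient):
    """Return (kind, url, flags) for each suspicious link, each form, and each tracking pixel."""
    collector = _Collector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        flags = url_flags(href, brand_domain, recipient)
        shown = DOMAIN_IN_TEXT.search(text)
        if shown:
            shown_host, real_host = shown.group(1).lower(), host_of(href)
            if real_host != shown_host and not real_host.endswith("." + shown_host):
                flags.append(f"link text shows {shown_host} but goes to {real_host}")
        if flags:
            findings.append(("link", href, flags))
    for action in collector.forms:
        # A form inside an email is a red flag on its own (checklist item 1), whatever its target.
        findings.append(("form", action, ["form inside an email"] + url_flags(action, brand_domain, recipient)))
    for img in collector.images:
        if img.get("width") in ("0", "1") and img.get("height") in ("0", "1") and img.get("src", "").startswith("http"):
            findings.append(("image", img["src"], ["remote 1x1 image: tracking pixel"]))
    return findings


if __name__ == "__main__":
    for kind, url, flags in analyse_message(SAMPLE_HTML, "example.com", "user@example.org"):
        print(f"{kind:5} {url}\n      " + "\n      ".join(flags))
```

Every finding here is a reason to look closer, not a verdict: a newsletter with a legitimate tracking link will also trip the recipient-address check, which is the same trade-off the filter section describes as false positives.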

So, is SPAM dangerous? Without proper software settings in your email client, it can be. Without virus software on your computer, it can be. And with a moment of stupidity on your part, it can be. Social engineering is an art, and even the best can fall prey to it at times. It is very simple to avoid the dangers of Spam. I've addressed some of the ways to avoid the social engineering above. I will address other ways below.

Spam Laws

The US government has done things to try to curb the problem of spam. After all, spam is a major problem. It clogs up the internet's data pathways and costs companies money. The problem is that these laws really don't mean much at all. Anybody can pass a law, but that doesn't mean spammers will all of a sudden turn into great little law followers. And enforcement of these laws is a problem because it is sometimes hard to find exactly who the spammer is. The CAN-SPAM Act of 2003 is perhaps the most famous legislation regarding spam that has actually passed into law. The Controlling the Assault of Non-Solicited Pornography and Marketing Act requires unsolicited commercial email messages to be properly labeled, to include opt-out instructions and to include the sender's physical address. It also prohibits the use of deceptive subject lines and false headers. The act took effect in 2004, yet as we all can see, spam continues and people break those requirements all the time. Obviously no congressional action can be the panacea to this problem.

Some other laws which are not passed include the Anti-Phishing Act and the Anti-Spam Act of 2003 (which is essentially the same as the CAN-SPAM act). The Ban on Deceptive Unsolicited Bulk Electronic Mail Act of 2003 would ban the use of email harvesters (CAN-SPAM does as well). The Computer Owners' Bill of Rights would require the FTC to establish a "do not email" registry. There are several other proposed laws, all of them tackling the same problem in different ways.

The nature of the internet is such that governmental action can't do much about this problem. The only way to curb this is to re-organize the email system so that emails have a kind of caller ID to identify the sender. In this way we could at least hold spammers accountable in more cases. Finding them is the problem. We have a law in place, but it's enforcement that is the issue.


How To Stop Spam

How do you stop Spam? After all, that is what this section has been leading up to. Well, the first line of defense is not to get onto their email lists in the first place. As mentioned previously, the main ways they get your email address are you submitting your email address to a website and email harvesters scanning your email address off the web. So, your first line of defense, obviously, is not to provide your email address in a fashion where a spammer can get it. Here are some ways to do it.

Use a Junk Email Account

Using a free, web-based email account such as that provided by Google, Yahoo or Hotmail can be one way to avoid spam in your personal email account. Sign up for such an account. Whenever you are posting your email address in forms on questionable sources or in newsgroups, use this sacrificial email account. These email services have spam filters of their own. Plus, since this is a sacrificial email account, you don't really care what goes in there. You can just check the account every few days at your leisure. In order for this to work, you have to never post your personal email account to the web. You also need to not forward email from your sacrificial account to your main account.

Spell Out Your Address

When posting your email address in public places like forums or newsgroups, you can spell out your address rather than entering it properly formatted. For example, enter "david at nospam.com", "david at nospam dot com" or "[email protected]", assuming your real address is [email protected].

The idea is that a real person could obviously figure out your real email address, but an email harvester would not recognize it as a valid address. If posting your address to the web in HTML, do not use the mailto: tag. Even if the browser shows the altered email address, email harvesters scan the HTML code, not the visible text. So, even if your email address is hidden in the HTML code, it will still be harvested.

Contact Forms

If you use a contact form for people to email you, do not use a standard form-to-mail script which has your email address in the form's HTML code as a hidden field. As said above, harvesters scan the code itself, and they will find it. Instead, it is best to submit the form to a script which contains your email address in its source code. This way it remains server-side and harvesters cannot get to it.

Email Images

Another way to display your email address but hide it from harvesters is to display your email address in the form of an image. This way people can see your address, but harvesters cannot. This will only work if you do not hyperlink the image to your real email address.

Using Javascript to Hide Emails

If posting your address to a webpage, you can also use javascript to create a working email link "on the fly", so that in the source code of the page it is not readable. If interested in this, you can search the web for such a script. Javascript programming is not within the scope of this article.

But, I Already Get Spam!

Ok, so what can you do if you do not host your address on a website but you are still getting spam? You already have the problem. Now what?

Don't Buy Anything

Never buy anything from a spam message. Ever. The simple fact is that spamming is a business. It's about making money. Spammers are not evil guys out to get you and screw up your day. They are simply in the advertising business. They employ the marketing method of sheer numbers: email millions in the hope that a few stupid people will respond to it and generate some business. If nobody ever bought anything, spam would stop cold. They only do it because it works and they can. So, do your part in tackling this problem from the supply side. Do not buy anything from spam promotions.

Not only does this help alleviate the motivation to send spam, but it also reduces your risk of being cheated. Anybody who operates their business in such a fashion that they see absolutely nothing wrong with spamming is probably also the kind of person who you should not trust with your money. I'm sure there are exceptions, but this is just a safe assumption. There are enough scams out there in spam messages to assume they all are.

Don't Ever Reply

Do not send reply messages back to spammers. This includes any email asking to unsubscribe, following the opt-out instructions, or just sending them a flame email because you have just had enough. Bite your tongue. While you might enjoy telling them where they can stuff their computer, the spammer doesn't care about that. All they then know is that your email address is valid. You can count on the fact that spam will continue and that your email address will be sold to other spammers.

Keep Your Cool

Some people just WAY overreact to spam, threatening lawsuits, "mail bombs", denial-of-service attacks and the like. Despite the fact that these people are usually just blowing hot air (they don't know how to do what they are threatening), it's just a bad idea. In many cases, it can get you in more trouble than the spammer. Just do what you can to battle spam, but do not get emotionally involved.

Don't Open It

If a spam message makes it to your inbox, do not open it unless you want to read it or report it. If you can tell from the subject line that it is spam, just drag it to your Trash folder without opening it.

Report Spam

If you are getting spam from one source often, you can report it to the companies involved. I will address this in more detail below.

Read Website Privacy Policies

Before giving any website your email address, review their privacy policy to ensure they will not provide your address to any third party. Of course, some sites might proceed to break their own policy, but most sites will not.

Check the "Do Not Mail" Boxes

When filling in a web form, if they offer a checkbox that tells them not to email you, check it.

Secure Your Email Client

At full security levels, your email client should not automatically load images in emails, should not run embedded javascript code or other code, should not start up any other programs on your PC automatically, and should not launch attached files automatically. You should review your email client and try to enable as many of these settings as you can. If you find that your email client is lacking in security features, you may want to consider migrating to another email client.

Spam Filters

Using spam filters is one of the most common ways to battle spam. What this means is that the software scans the incoming email, runs it through a series of tests and compares it to known spam criteria, then decides whether it is a good email or a spam message. If it is spam, it will act according to your settings. If it is good, it makes it to your inbox. The perfect spam filter would always get it right, filtering out all spam and letting all valid email through. In real life, however, it's a constant battle for accuracy. Filters miss email or falsely flag email all the time. A "false negative" is when the filter does not flag an email as spam when it should have. A "false positive" is when the filter incorrectly flags a legitimate email as spam. For most, a false positive is the worse of the two because perfectly valid email can get removed. This happened to me just the other day when a perfectly valid email containing the word "mortgage" got filtered out. The sender called wondering if I got the email, which of course, I didn't. The only solution (other than training your filter) is to periodically check your "Deleted Items" folder to see if there are any valid emails in there.

How Filters Work

Filters work primarily by scanning content or scanning the email's routing information in the headers. When scanning the content, the email is given a score by running it up against the filter's rules. Based on that score, it is either determined to be spam or allowed to pass. When scanning the headers, the filter is comparing the origin of the email to a list of known spam hosts, or looking for headers which appear to be altered or bogus. Filters which filter based on the headers tend to be more accurate in many cases. By using network analysis, they identify the source of the spam and then just ban anything from that source. However, the market for spam filters seems to concentrate more on keyword filtering. These filters are complicated because they have to perform complex string scanning of the email. In order to be accurate, they require pretty constant updates. At the same time, though, it is purely a defensive operation, whereas the other type of filter helps you identify the source of the spam, allowing you to report the sender.

Filters can be run in two places - locally on your computer or on your ISP's server. The first option is very common, but it has limited workability. Most of the time, this entails using the built-in filtering capability of your email program to filter spam into your trash folder. In order to be accurate, though, it takes a lot of setup time and training as well as constant updates and re-training. Email programs allow you to set up a series of rules to filter email into specific folders or perform other actions with them. This is a great tool for organizing email automatically. Using this feature to fight spam, though, is limited in workability for the reasons stated above. When you set up rules to organize emails from known sources, it is predictable. But, these filters are not robust enough to handle all the various incarnations of spam messages.

There are also third-party software products available which will do the job of spam filtering for you. In this way, you do not need to take the time to set up your own filters in your email client and then complain when they don't work. These third-party utilities usually come trained to identify much spam. They also come with updates so that you can keep the filters up-to-date based on the latest spammer tricks. This software is still subject to false negatives and false positives, so you will still need to evaluate the product to see how it works for you. There are also filters which work based on a black-list or a white-list. Basically, a black-list is a list of identified spammers. Any spammer which is on the list will automatically have their emails blocked. This technique is limited in workability because it is so easy to spam from sources that are not on the black-list. It is also up to you to keep the black-list up-to-date by identifying each message as spam from your computer. I personally don't like this technique because it takes a lot of time to train the system and the job is never-ending. I prefer a solution which needs minimal interaction on my part. After all, the spammers win if I need to waste ANY of my time on their emails. The white-list technique uses a list of good senders, and any email from a sender who is not on that list is blocked. This, too, is slightly dangerous because you cannot receive emails from anybody you have not approved ahead of time. If one of your contacts changes their email address, they will get blocked. If you receive email from people you do not know, this white-list technique simply will not work.
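As an added illustration (not code from the book), here is a minimal content-scoring filter with the black-list and white-list overrides described above. The rules, weights, threshold and sample messages are all constructed; the white-listed sender shows the fix for the kind of "mortgage" false positive mentioned earlier.

```python
import re

# Constructed keyword rules and weights (illustrative; not from any real filter).
RULES = [
    (r"\bmortgage\b", 1.5),
    (r"\bpre-?approved\b", 2.0),
    (r"\$\d{1,3}(,\d{3})+", 1.5),   # dollar amounts such as $260,000
    (r"\bviagra\b", 3.0),
    (r"\bclick here\b", 1.0),
]
THRESHOLD = 3.0   # a score at or above this is flagged as spam


def content_score(body):
    """Score a message body against RULES; each rule counts at most once.
    Returns (score, list of rule patterns that fired)."""
    score, hits = 0.0, []
    for pattern, weight in RULES:
        if re.search(pattern, body, flags=re.IGNORECASE):
            score += weight
            hits.append(pattern)
    return score, hits


def classify(sender, body, whitelist=frozenset(), blacklist=frozenset()):
    """Return ('spam' | 'ham', reason). White-list wins, then black-list,
    then the content score, mirroring the precedence most filters use."""
    sender = sender.lower()
    if sender in whitelist:
        return "ham", "sender white-listed"
    if sender in blacklist:
        return "spam", "sender black-listed"
    score, hits = content_score(body)
    verdict = "spam" if score >= THRESHOLD else "ham"
    return verdict, f"score {score:.1f} (threshold {THRESHOLD}): {hits}"


# Constructed sample messages: (sender, body).
LEGIT = ("broker@example-bank.test",
         "Hi David, good news: the bank pre-approved your mortgage for "
         "$260,000. Call me when you get a chance.")
SPAM = ("loans@spammer.test",
        "Thank you for your loan request! You are pre-approved for "
        "$260,000. Click here to complete the form.")


def demo():
    results = {}
    # False positive: a real broker's note trips the same rules as the spam.
    results["legit_unfiltered"] = classify(*LEGIT)[0]
    # Training the filter by white-listing the sender is the fix.
    results["legit_whitelisted"] = classify(*LEGIT, whitelist={LEGIT[0]})[0]
    results["spam"] = classify(*SPAM)[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```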

Many ISPs also provide net-based filtering which will filter email before it even arrives in your in-box. SpamAssassin is a popular product used. The way this works is that the email is scanned as soon as it arrives at your ISP's mail server. The filter commonly uses content analysis filters, but many also use header analysis. If the score is adequate to be labeled as spam, the ISP will put the email into a queue of some kind rather than deliver it to your in-box. On my server, we write all spam messages to a large text file on the server. I never look at it, but the point is that I could if I wanted to. The advantages of a filter like this are great. My favorite is that the spam is never downloaded to your computer in the first place. With computer-based filtering as discussed above, the email has to be downloaded and then scanned. It takes up your bandwidth, makes you wait for the download, and then uses CPU power to scan the emails, only then to move them to your Deleted Items. With the volume of spam I have gotten in the past, my in-box has been so full of spam after a short vacation that my PC literally took hours to download everything - even on a cable modem. I've even had my email program (Outlook) crash under all of the filtering load. The other advantages of net-based filtering are that the filtering is usually much more robust and complex than you will get using your PC. They can also do automatic header analysis, something that your PC-based content filters cannot do. Also, many of these filters can automatically filter out emails containing viruses.

If you do not have net-based filtering available from your ISP, you can use the SpamCop service. It's a paid subscription service, but they will do the work for you. All your incoming email would be directed to SpamCop. They will filter out the spam and then forward the good emails to your own, secret email address. You can then log in to the SpamCop website to view your filtered messages if you please.

The last type of filter I will mention is the challenge/response filter. The way this works is that an incoming email arrives and is compared against a white-list or other set of rules. If the email passes the test, it proceeds to the in-box. If it does not, an automatic email is sent back to the sender. This email requires that they click on a link in order to verify that they are real, at which point they will be added to the white-list. The idea is that spammers won't take the time to respond to these emails while people who truly want to communicate with you will. The problem is that the assumptions that these filters make are flawed. First, many spammers spoof their return address. Sometimes the return address belongs to some innocent party. So, while the spammer never receives a thing, the innocent party is sitting there receiving email challenges from the filter system. So, even though you might not be getting the spam personally, the truth is that your filter system is contributing to the overall problem of spam on the internet. Another problem is that many times perfectly valid senders are not willing to waste their time dealing with the challenges. In our case, we publish a weekly newsletter and tip of the day here on PC Mechanic. Every time we send an out-going email, we receive email challenges. However, nobody here is going to take the time to respond to challenges. We have better things to do. We are not spamming anyone and everybody on our mailing list signed themselves up for the emails and confirmed themselves using double opt-in. But, they will not receive what they signed up for because we are not going to waste our time with challenges. At the very least, when you sign up for a mailing list, add that sender to your white-list.

Reporting SPAM

Reporting spam is a good way to fight the problem. You need to know who to report to and what to report. The first rule of thumb is NOT to complain directly to the spammer. As stated above, any reply to the spammer simply tells them your email address is valid. That makes your email address more valuable as a commodity to the spammer. They don't care how huffy or puffy you get in your email. The proper parties to contact are the people through which the spammer operates. The idea is to cut off their ability to deliver spam or to create some sort of backlash against the spammer. You can do this by either contacting the ISP which is hosting the email servers which were used to send the spam or by contacting the ISP who hosts the company which was being advertised in the spam. The idea here is that the spammer obviously doesn't care whether you like the spam or not. The website being advertised by the spammer is either his own (which of course won't get you anywhere) or is owned by a company which may have no qualms with spam because they are making money. However, almost all ISPs will care immensely if anyone is using their systems to send spam. As stated previously, spam costs the ISP industry a whole lot of money. If an ISP becomes aware that they are empowering a user to send spam, they will almost always shut down the account.

Most reputable web hosts or ISPs will have an anti-spam policy. Before reporting a spammer, it is good to see if the company you are about to report to does indeed have such a policy. Even if they do not, you can still report the spammer.

Finding the proper companies to report to takes a little bit of detective work. As mentioned, most spammers will spoof the return address in their emails. So, in many cases reporting a spam message to the company whose email address is in the return address field is not likely to get you very far. Or worse, if the spammer spoofed their return address to someone who is completely innocent, you may inadvertently bring down action on a totally innocent party. So, don't blindly just report to the return address's ISP. Do your homework.

Another case you need to look for is people using legitimate mass-marketing companies to send their spam. The companies that send the emails are "legitimate" in that they require compliance with the CAN-SPAM act and reportedly do what they can to minimize spam. The problem here is twofold, though. The mailing lists these companies use are generally purchased. They say all of the emails on the list are opt-in, however there is really no way of knowing that from outside. Secondly, if people report the spam or request to unsubscribe, many times the company will simply forward those addresses to the spammer as "removal requests". They are not removing the email addresses themselves. Instead, they are actually helping the spammer by sending them a list of valid email addresses!

So, the next question remains. How do you determine who to report the spam message to? Well, read on...

Detective Work

In order to properly report spam, you need to learn a few basic networking tools. Very often you will see IP addresses only in the email headers. For those who do not know, IP addresses form the basic building block of the internet. An IP address is a series of numbers separated by periods. Every computer connected to the internet has an IP address while it is connected. Each ISP has a set of IP blocks assigned to it. The first 2 or 3 sets of numbers in the IP address signify the IP block, which is traceable to the ISP. The numbers after the IP block refer to the specific user on the ISP's network. Additionally, the internet makes use of the domain name service (DNS) to map those IP addresses to alphanumeric names which can be remembered by us - people. The DNS system is a mapping of domain names to the specific IP address of the server which hosts a website, mail server, or any other server online.

There are a series of tools in order to work with this system and identify information based on the information you have. Those tools are:

1. ping. All ping does is send a packet of information to a server and look for an echo. It determines if the server you are pinging is online and responding.
2. nslookup. A tool to allow you to determine the IP address of a given domain, or the domain of a given IP address.
3. traceroute. A tool to allow you to trace the route which a data packet follows to arrive at the target server.
4. whois. A tool to allow you to determine the owner of a given domain name.

To use ping, all you need to do is open up your command prompt window and type "ping [hostname or IP address]", supplying the domain or IP you wish to ping. Ping will then send a series of data packets to the target and print out on-screen the responses it got (if any) from the server and how long the responses took. Once you've sent a few pings and gotten a reply, hit Ctrl-C to stop delivery of the data packets.

NSLookup is also available on your PC through the command prompt. Just type "nslookup [hostname or IP address]", supplying the domain or IP. If the DNS lookup is available, you will get a result. If you enter a hostname, you will get an IP address. If you enter an IP address, you will get a hostname. Sometimes if you look up a hostname you may get several IP addresses back as a result. This is simply because each of those IPs responds to that domain. You may find this on popular websites which employ several servers for load-balancing purposes. NSLookup can be useful to see if a hostname in a spam message's headers actually corresponds to the IP address. Many spammers will spoof the hostname to make the email look legitimate. But, an NSLookup will tell you if it is indeed a spoof.

Traceroute is used the exact same way as the above two commands. The results will show you a listing of all servers which the data packet had to go through to reach the target. See, the way the internet is designed, it is very rare that you are communicating directly with your target server. Your information is traveling over a series of servers, bouncing its way to the target. Each line of the results represents a server bounce. If you get "* * *" on a line, it is because that server was too slow to respond (or that server doesn't honor traceroute queries). Traceroute is just another detective tool in figuring out where a spammer is located.

Whois is run the same way as the prior commands, except that Windows machines do not have it built in (shame on you, Microsoft). All domain names on the internet have to be registered, meaning they all have a person's name or company attached to it along with contact information. Also, all domains have to be hosted somewhere if they are active, and this information will be available via the DNS system as well. Even though Windows users can't run this locally (unless they download a third-party utility to do so), you can still run such requests via the web. You can try InterNIC, DNSStuff, or visit one of the regional internet registry websites. The Regional Internet Registries (RIRs) control the allocation of IP blocks in certain areas of the world. They are:

1. Asia, Pacific Rim. www.apnic.net
2. USA, Canada, Caribbean. www.arin.net
3. Europe. www.ripe.net
4. Latin America, Caribbean. www.lacnic.org
5. Africa. www.afrinic.net

In order to identify who to report a spam message to, you need to learn to do a couple of things: (1) retrieve the email headers, and (2) run the command-line utilities to identify the source of an IP address. Finding the email headers varies from email program to email program, so you will need to look into that yourself. However, in Outlook 2003 (which I am using), you simply right-click on the email and choose "Options". You will then see the internet headers. So, for example, I will take a spam message I just got as I was typing this. The email thanked me for my loan request (which I never made), said they were willing to loan me $260,000 and then linked me to a form to fill out. The email's headers contained the following lines:

Received: from rwp44.pie.net.pk (202.125.151.151) by [MY SERVER] with SMTP; 19 Oct 2005 09:06:55 -0000
Received: from adamsnowzzz (HELO pointhost.localbootlegged) by bibbl7.epic.sd.biz with WQMTP; Wed, 19 Oct 2005 14:05:55 +0400

Now, the IP address in parentheses cannot be forged, so we can do a lookup on 202.125.151.151. So, the first thing you would want to do is an nslookup or reverse DNS lookup on this IP address. When I do an nslookup on this address, I find that the hostname given in the email's headers is accurate: rwp44.pie.net.pk. When doing a reverse DNS lookup via DNSStuff.com, I get the same results and I find that the server's location is in Islamabad, Pakistan. Well, not that I didn't know this was spam going into it, but if I had my doubts, this would have confirmed it. After all, how likely are we to get a legitimate loan offer here in the US from Pakistan? But, this brings up a lesson for spam reporting which is not so good. Typically, it is not worth your effort to report spammers who have overseas providers. ISPs in the United States are much more likely to run their businesses legitimately. When you see internet activity coming out of areas like Pakistan (mainland China is particularly bad), you can be reasonably accurate in assuming that the owners of those servers do not care what passes through them.
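The lookup described above, as an added example that is not part of the original text: it parses the Received: lines, takes the IP from the hop your own server recorded, and compares the hostname the sender claimed with the reverse-DNS answer. The receiving server name, the 192.0.2.10 address and the reverse-DNS table are constructed so the example runs offline; live_reverse_dns is the real lookup you would pass in practice.

```python
import re
import socket

# Constructed sample based on the two Received lines quoted above; the
# receiving server "[MY SERVER]" is replaced by a placeholder name.
SAMPLE_HEADERS = """\
Received: from rwp44.pie.net.pk (202.125.151.151) by mail.example.test with SMTP; 19 Oct 2005 09:06:55 -0000
Received: from adamsnowzzz (HELO pointhost.localbootlegged) by bibbl7.epic.sd.biz with WQMTP; Wed, 19 Oct 2005 14:05:55 +0400
"""

# Constructed second sample modelled on the "alibi" spoof described later in
# the text; 192.0.2.10 is a documentation address, not the real sender.
SPOOFED_HEADERS = """\
Received: from alibi (192.0.2.10) by mail.example.test with SMTP; 19 Oct 2005 10:12:01 -0000
"""

# Constructed reverse-DNS answers so the example runs offline.
CONSTRUCTED_PTR = {
    "202.125.151.151": "rwp44.pie.net.pk",
    "192.0.2.10": "chello080108009124.14.11.vie.surfer.at",
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def live_reverse_dns(ip):
    """Real PTR lookup; returns None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def parse_received(headers):
    """Split the Received: lines into hops, topmost (most recent) first."""
    hops = []
    for line in headers.splitlines():
        if not line.lower().startswith("received:"):
            continue
        claimed = re.search(r"\bfrom\s+(\S+)", line)          # name the sender gave
        ip = re.search(r"\((" + IPV4 + r")\)", line)           # address the receiver saw
        helo = re.search(r"\(HELO\s+([^)\s]+)\)", line)
        by = re.search(r"\bby\s+(\S+)", line)
        hops.append({
            "claimed": claimed.group(1) if claimed else None,
            "ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
            "by": by.group(1) if by else None,
        })
    return hops


def trace_source(headers, reverse_dns=live_reverse_dns):
    """Identify the sending IP from the hop our own server recorded and
    check whether the name it claimed matches the PTR record. Every hop
    below that one was written by the sender's side and may be forged."""
    hops = parse_received(headers)
    if not hops:
        return {"error": "no Received headers found"}
    top = hops[0]
    ptr = reverse_dns(top["ip"]) if top["ip"] else None
    return {
        "ip": top["ip"],
        "claimed": top["claimed"],
        "ptr": ptr,
        "claimed_matches_ptr": bool(ptr) and ptr.lower() == (top["claimed"] or "").lower(),
        "untrusted_hops": [h["claimed"] for h in hops[1:]],
    }


if __name__ == "__main__":
    for sample in (SAMPLE_HEADERS, SPOOFED_HEADERS):
        print(trace_source(sample, CONSTRUCTED_PTR.get))
```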

Let's look at some other spam messages in my account. I see a spam message here from Millionaire's Concierge, based in Ft. Lauderdale, FL. Based on their email, they are complying with CAN-SPAM. The email is legal and they are probably using a mass-marketing company to send this. However, it is still spam. Next, I find a spam for yet another $400,000 pre-approved loan. Interesting that the offer is coming from Russia. The email even has an account number in the subject line. How cute. Here's another spam for home-buying of Viagra. The email is coming from Austria. The true hostname was "chello080108009124.14.11.vie.surfer.at", however the spammer spoofed it to "alibi". Here's another one advertising penis enlargement. It says "To be a Stud, press here" and it links to a Geocities site in Brazil, yet the mail server's location is in Beijing, China (according to the reverse DNS lookup). Another interesting thing about this email is that they padded the bottom of the email with what appeared to be some lines out of a book. As stated previously, this is a common spammer trick to try to fool bad content filters into thinking it is legitimate. By padding the email with seemingly un-spam-like text, maybe they can reduce the spam score enough to make it to your in-box.

Here is another one. They are advertising a virtual postcard service. The link in the email seems to point to postcards.org. However, the email is in HTML format, so you can view source on the message and see that the link, even though it LOOKS to point to postcards.org, is actually pointing to a Romanian domain name. And worse yet, the link is to an executable, an EXE file. That is a potentially very unsafe link to actually click on. Who knows what it would do. And, of course, a reverse DNS lookup on the IP address in parentheses in the header shows the message is coming from Japan.
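An added example (not from the book) of the view-source check just described: it pulls every link out of a constructed HTML message and flags links whose visible text names a different site than the href, or whose target is an executable. cards.example.net stands in for the Romanian domain, and the message text is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that should never be the target of a link in an email.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".cmd", ".com")

# Matches visible link text that looks like a site or URL, e.g. "postcards.org".
HOST_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

# Constructed HTML message modelled on the postcard spam described above.
SAMPLE_HTML = """
<p>Somebody sent you a postcard! View it at
<a href="http://cards.example.net/postcard.exe">postcards.org</a>.</p>
<p>Or visit <a href="http://postcards.org/">postcards.org</a> directly.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL, or of bare text such as 'postcards.org'."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def audit_links(html):
    """Return one record per link with the problems found for it."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        issues = []
        target_host = host_of(href)
        # The displayed site differs from where the link really goes.
        if HOST_LIKE.match(text) and host_of(text) != target_host:
            issues.append(f"text says {host_of(text)} but link goes to {target_host}")
        # The link hands you an executable instead of a web page.
        if urlparse(href).path.lower().endswith(EXECUTABLE_EXT):
            issues.append("link target is an executable")
        findings.append({"href": href, "text": text, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        print(f["text"], "->", f["href"], f["issues"] or "ok")
```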

Here's another one that is advertising a free iPod Nano. They addressed me as "Dear drisley" (a common spam trick, an attempt at social engineering). They apparently appreciate my business, and in return they will give me a free iPod Nano. Ironically, they link me to dastardliness.com. However, doing a reverse DNS on the IP, I get a server under the domain frouncing.com. If you do a WHOIS on that, you get an apartment (most likely) address in Salt Lake City, Utah along with a phone number. Their email address is with Gmail, Google's free email service. The lookups of the name servers seem to be very circular, so it's possible the guy is hosting his own servers. In this case, reporting the spammer by calling that phone number is likely not going to roll any heads. It might, perhaps, shock the guy at that address, though.

The story is mostly the same for each spam message I look at. I am getting them from Pakistan, China, Vietnam, Iran, you name it. Unfortunately, as I said, there is really no receptive ear to reporting to these sources, even if you are able to track it to a specific company (many times you cannot). Most of the very obvious spam emails are from foreign countries. The viagra ads, the sex ads, and those kinds are mostly coming from reasonably anonymous senders in countries which just don't care about things like that. Then there are other, cleaner spam messages that are CAN-SPAM compliant and do lead to legitimate websites. These companies are likely using companies here in the US to send to a mass mailing list. There is absolutely nothing illegal about it. And they wouldn't do it if it didn't generate some business for them. However, it is still spam because I did not subscribe to these people's mailing lists.

And That is Spam

At last, we have arrived. As you can see, spam is a huge and apparently growing problem on the internet. Due to the nature of the internet, though, it is not a problem that is easily controlled. As I outlined, spammers are spread out all over the world. Many of them reside in countries which have no laws regarding spam. Additionally, the email system, as designed, is very insecure. There is no fool-proof way to track a message to its sender and it is all too easy to manipulate the headers of an email to make it look like it came from anyone. It would be like all of us, anywhere, being able to type in our own name and phone number before making a call to someone and that information showing up on the Caller ID system. We would never be able to trust the information on caller ID. Instead, though, we have a centralized system controlled by the phone company which provides that control. On the internet, there is no such thing.

According to a February 2005 article, spam is costing businesses $50 billion annually worldwide, with roughly a third of that from the United States. And despite laws in the US to curb the problem, volume is growing. And, despite the use of spam filters, volume is still increasing. Many businesses are reluctant to incorporate the most aggressive spam filtering in fear of cutting communications for valid customers. So, it's a true catch-22.

What is the answer? Not easy, that's for sure. The true solution, I believe, would require a re-vamping of the entire internet email system. What we need is a system that works like the phone company and the caller ID service. In early 2005, Microsoft proposed such a plan. They are testing a system that would publish the out-going email server's IP address on every email in a format specified by the Caller ID for Email spec. By then comparing this IP to the DNS for that IP address (much like we did above), they can determine if the email headers are spoofed. Regardless of what is implemented, though, a true solution is going to require the cooperation of all email users. Today there are too many companies that do not monitor their servers for spam or employ filtering.

The end-all solution to spam might perhaps be impossible due to political implications. The internet is a global medium, but the users of the internet are each subject to their own government's laws. Here in the US, we have the CAN-SPAM act. While it is not very effective, it does at least ensure that those spammers who choose to comply will follow certain guidelines. But, too much spam comes from overseas where there are no laws about it. And political reality is that most of these countries are not likely to spend any time dealing with the problem. Some of these countries are very poor and hence you will find people who will throw all ethics out the window in order to make money. And, in many cases, the governments of these countries are no different. Forming a worldwide enforcement body to regulate this medium is not only hard because you likely won't get too many nations to submit to it, but it also opens up another can of worms - regulation of the internet.

Obviously, we don't want the internet to become a managed medium. Communication is the universal solvent. It is always good and we'd rather have communication than bombs. We obviously don't want any managing body to be in a position where they can dictate what can and cannot be present on the internet. We get into inherent issues of free speech. So, a true solution is either going to involve the tight cooperation of private industry (good), or the regulation of a governmental body (potentially scary). Either that, or we just learn to deal with it.

One thing is for sure, though - spam is here to stay. You might as well understand it and learn to deal with it. Hopefully, this section has helped you do precisely that.

Handing Your PC to Hackers in 9 Steps

In many ways, the internet today resembles a digital version of the wild, wild west. There are a lot of ways that you can potentially open up your computer and allow "bad guys" in. Then you have companies like Symantec that turn all this into a game of "cops and robbers", with your PC as the battleground and your wallet as collateral. This is not to say that companies like Symantec don't have a purpose. They certainly do, and they help guard your computer against "bad guys" when you are stupid enough to allow them in in the first place.

If you are using a computer, you need to obey certain laws of common sense so that you don't give your computer away as an early Christmas present to some hacker. These basic laws of common sense are:

1. Do not click on any links in an email which is not solicited.
2. Do not install little-known shareware applications to your computer.
3. Not hanging out with the "bad guys" means you're a lot less likely to get zapped by them. This means you're a whole lot safer when you're not surfing warez sites, porn sites, and other sites of questionable material. The owners of such sites usually have a lower sense of ethics and you're more likely to encounter PC infections on such sites.

Now, there are more than 9 ways to give your PC over to hackers. But, I am going to focus on some of the "biggies" that I see people do. I don't fault people if they have done some of these things. It's really easy to trust everybody until they prove otherwise, but unfortunately, that's risky when you're talking about the internet.

So, without further ado, here are 9 ways you can hand your PC (or your identity) over to hackers, spyware applications, and advertising agencies.

1. Downloading Warez. Warez software is unlicensed software. There are those who actively try to find and install paid software for free by finding cracked software and installing it. Besides the fact that this is illegal, it also opens you up to computer viruses.

2. Downloading or Surfing Porn. Sorry, guys. But, porn sites have a much higher likelihood of trying to employ questionable tactics and compromising your web browser. Sure, today's browsers have safeguards built in now, but the dangers are still there. If you're trying to keep your PC totally clean, you're better off staying off of these kinds of sites.

3. Clicking a Link in ANY email about your "account". Common phishing schemes employ emails which LOOK like they came from Ebay, Paypal, your bank, etc. They will say that something on your account needs attention, and "click here" to log in and deal with it. The email is designed to look exactly like the real thing, except for the minor fact that the real company would likely NEVER send you an email like that. If the email is a fake, clicking on that link will take you to a page which LOOKS like the real thing, but is actually a fake page which is designed to get your account login information. And you can only imagine what the person will do once they get your account information. Never do anything with these emails. If you suspect it could be real, then go to your account BY HAND in your web browser, not by clicking anything in the email.

4. Accepting online greeting cards. These things really piss me off because they take advantage of the human need for friendship. You will get an email saying somebody sent you a greeting card, but to get the card you have to install some "special" software to your computer. Nine times out of ten that software will be rife with spyware. Do NOT fall for this crap unless you enjoy random popup ads when you're just trying to use Microsoft Word.

5. Not Using a Firewall. If your computer is connected to the internet using an always-on connection (like cable, DSL or fiber optic), then you absolutely need a firewall. A firewall will provide a line of defense between your computer and the outside world, like a moat to a castle. Most routers today have a hardware-based firewall built right in which is completely adequate. NEVER plug your computer directly into the modem. I highly recommend using a router or, at the very least, using a software-based firewall.

6. Not Securing Your Wireless Network. If you have wireless in your home (and most do today), then you need to secure the network. If you do not, then anybody can casually get on and use your home network from outside your home. And if you have any files shared on your computer, they may very well be able to get to them from outside. Some ISPs today (like Verizon's FIOS service) supply routers with the wireless security already on. But, if you buy a wireless router, don't do anything else until you have set up wireless security.

7. Casually Installing Freeware or Shareware. Now, I say "casually" here because I definitely don't want to say you can't install shareware or freeware. What I am trying to say, though, is to exercise some caution when doing so. There is a lot of freeware out there (usually the lesser known ones) that loads your PC up with spyware upon installation. For example, Kazaa is a file-sharing application that, when installed, will inundate your computer with adware. If you do not know about a particular program you are thinking of installing, try searching Google for it and see what others are saying. If it has an adware problem, people will complain.

8. Responding to Junk Mail. Don't ever respond to SPAM. I emphasize commercial spam. If it is a newsletter or something, it isn't spam because, chances are, you signed up for it and don't remember. But, if the email is obvious spam (home mortgages, sex ads, viagra, some home business opportunity, etc), it is junk. Don't ever reply and ask them to remove you from the list. It is a lost cause, and it only tells them that they have a real email address (which means you're sure to get MORE spam for your troubles). If the email is coming from a trusted source, they will usually not hide the address they are sending from and will publish a physical address in the email. You can also verify the sending site in your web browser.

9. Filling out a form in an email. NEVER, EVER fill out and submit a form which is directly in an email message. Email is the most insecure medium there is, and you have no way of knowing where that data is going. I've even gotten emails in the past with forms in them asking for PIN #s. You've GOT to be kidding me!

And there you have it, 9 easy steps to give a gift of love to your favorite hacker, identity thief or spammer.


Appendix

Sample HOSTS File for Blocking Spyware Sources

This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

This file contains the mappings of IP addresses to host names. Each entry should be kept on an individual line. The IP address should be placed in the first column followed by the corresponding host name. The IP address and the host name should be separated by at least one space.

When you create a HOSTS file, you want each server specified to redirect to your own computer (always 127.0.0.1). So, what you're telling the computer is to redirect all calls to one of these servers back to itself. The effect is that all calls to ads from these servers will be blank, thus blocking any potential threat.

It is important to note, too, that this is a very expansive list of BOTH ad services and spyware sources. Just because a particular server is listed here does not mean that that company engages in spyware. Just because they may place a cookie on your computer does not mean they are practicing spyware.
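An added example, not the book's own code, of reading and sanity-checking a blocking HOSTS file like the one in this appendix: it skips comments, flags duplicates and malformed lines, reports any name mapped to something other than a loopback address (a mapping to a real address in this file is the mark of a hijacker redirecting a site you trust), and appends new block entries without duplicating existing ones. The sample file is constructed; the two doubleclick names are taken from the list, the last two lines are deliberately bad.

```python
import ipaddress

# Constructed sample HOSTS file (not the full list from the appendix).
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
127.0.0.1 ads.doubleclick.net
#127.0.0.1 ai.pricegrabber.com #PCMech ad
127.0.0.1 ad.doubleclick.net
192.0.2.44 www.example.com   # not a block entry: looks like a hijack
999.1.1 broken.example
"""


def parse_hosts(text):
    """Return (line number, ip, [hostnames], comment) for each active line;
    blank and fully commented lines are skipped, trailing comments kept."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        parts = body.split()
        if parts:
            entries.append((n, parts[0], [h.lower() for h in parts[1:]], comment.strip()))
    return entries


def audit_hosts(text):
    """Flag malformed lines, duplicate names, and any name that is mapped to
    something other than a loopback address. In a blocking HOSTS file every
    entry should point at 127.0.0.1, so anything else deserves a look."""
    problems, seen = [], {}
    for n, ip, hosts, _ in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append((n, f"malformed: bad IP address {ip!r}"))
            continue
        if not hosts:
            problems.append((n, "malformed: no hostname"))
            continue
        for h in hosts:
            if not addr.is_loopback:
                problems.append((n, f"{h} maps to {ip}, not loopback"))
            if h in seen:
                problems.append((n, f"duplicate of line {seen[h]}: {h}"))
            seen.setdefault(h, n)
    return problems


def add_blocks(text, domains, ip="127.0.0.1"):
    """Append block entries for the given domains that are not already listed."""
    present = {h for _, _, hosts, _ in parse_hosts(text) for h in hosts}
    new = [f"{ip} {d.lower()}" for d in domains if d.lower() not in present]
    if not new:
        return text
    return text.rstrip("\n") + "\n" + "\n".join(new) + "\n"


if __name__ == "__main__":
    for line_no, problem in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {problem}")
```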

127.0.0.1 localhost
127.0.0.1 0dp.com
127.0.0.1 1.adbrite.com
127.0.0.1 1.primaryads.com
127.0.0.1 1118.ign.com
127.0.0.1 120x60.lt
127.0.0.1 2.adbrite.com
127.0.0.1 468x60.lt
127.0.0.1 a.adstome.com
127.0.0.1 a.as-eu.falkag.net
127.0.0.1 a.as-us.falkag.net
127.0.0.1 a1945.g.akamai.net
127.0.0.1 a248.e.akamai.net
127.0.0.1 ad.about.com
127.0.0.1 ad.adlegend.com
127.0.0.1 ad.adserver.adtech.de
127.0.0.1 ad.advisor.com
127.0.0.1 ad.bannerexchange.com
127.0.0.1 ad.au.doubleclick.net
127.0.0.1 ad.ca.doubleclick.net
127.0.0.1 ad.de.doubleclick.net
127.0.0.1 ad.ch.doubleclick.net
127.0.0.1 ad.es.doubleclick.net
127.0.0.1 ad.fr.doubleclick.net
127.0.0.1 ad.jp.doubleclick.net
127.0.0.1 ad.nl.doubleclick.net
127.0.0.1 ad.no.doubleclick.net
127.0.0.1 ad.uk.doubleclick.net
127.0.0.1 ad.deviantart.com
127.0.0.1 ad.digitallook.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.espn.starwave.com
127.0.0.1 ad.free6.com
127.0.0.1 ad.freefind.com
127.0.0.1 ad.inetfast.com
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.linkexchange.com
127.0.0.1 ad.linkexchange.net
127.0.0.1 ad.linksynergy.com
127.0.0.1 ad.preferences.com
127.0.0.1 ad.ir.ru
127.0.0.1 ad.usatoday.com
127.0.0.1 ad.weatherbug.com
127.0.0.1 ad.yieldmanager.com
127.0.0.1 ad1.gamezone.com
127.0.0.1 adbrite.com
127.0.0.1 addserv.com
127.0.0.1 adfarm.mediaplex.com
127.0.0.1 adlog.com.com
127.0.0.1 admanager2.broadbandpublisher.com
127.0.0.1 admanager3.collegepublisher.com
127.0.0.1 adremote.timeinc.net
127.0.0.1 ads.ad-flow.com
127.0.0.1 ads.addynamix.com
127.0.0.1 ads.aol.com
127.0.0.1 ads.bidclix.com
127.0.0.1 ads.businessweek.com
127.0.0.1 ads.clearchannel.com
127.0.0.1 ads2.clearchannel.com
127.0.0.1 ads4.clearchannel.com
127.0.0.1 ads5.canoe.ca
127.0.0.1 ads.collegepublisher.com
127.0.0.1 ads.crucialparadigm.com
127.0.0.1 ads.developershed.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.doubleclick.net
127.0.0.1 ad2.doubleclick.net
127.0.0.1 ad3.doubleclick.net
127.0.0.1 ad4.doubleclick.net
127.0.0.1 ad5.doubleclick.net
127.0.0.1 ad6.doubleclick.net
127.0.0.1 ad7.doubleclick.net
127.0.0.1 ad8.doubleclick.net
127.0.0.1 ad9.doubleclick.net
127.0.0.1 ads.euniverseads.com
127.0.0.1 ads.globeandmail.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.isoftmarketing.com
127.0.0.1 ads.jolinko.com
127.0.0.1 ads.mdchoice.com
127.0.0.1 ads.mediaturf.net
127.0.0.1 ads.msn.com
127.0.0.1 ads.osdn.com
127.0.0.1 ads.pbs.bb.ru
127.0.0.1 ads.peel.com
127.0.0.1 ads.peoplesound.com
127.0.0.1 ads.pointroll.com
127.0.0.1 ads.realmedia.com
127.0.0.1 ads.rediff.com
127.0.0.1 ads.revsci.net
127.0.0.1 ads.simtel.net
127.0.0.1 ads.spymac.net
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.thewebfreaks.com
127.0.0.1 ads.tripod.com
127.0.0.1 ads.weather.ca
127.0.0.1 ads.weather.com
127.0.0.1 ads.web.aol.com
127.0.0.1 adserv.com
127.0.0.1 adserv.internetfuel.com
127.0.0.1 adserver.orion.de
127.0.0.1 adserver.rgforums.com
127.0.0.1 adsfac.net
127.0.0.1 adserver.adtech.de
127.0.0.1 adserver.altruis.net
127.0.0.1 adserver.crunked.com
127.0.0.1 adserver.zeads.com
127.0.0.1 adtrak.net
#127.0.0.1 ai.pricegrabber.com #PCMech ad
127.0.0.1 ak.bluestreak.com
127.0.0.1 altfarm.mediaplex.com
127.0.0.1 anrdoezrs.net
127.0.0.1 www.anrdoezrs.net
127.0.0.1 ar.atwola.com
127.0.0.1 as.casalemedia.com
127.0.0.1 advertising.gfxartist.com
127.0.0.1 adz.afterdawn.net
127.0.0.1 affiliates.emaxhosting.com
127.0.0.1 backups.cd
127.0.0.1 banner.casinodelrio.com
127.0.0.1 banner.linkexchange.com
127.0.0.1 banner.noblepoker.com
127.0.0.1 banners.ebay.com
127.0.0.1 banners.friendfinder.com
127.0.0.1 banners.linkbuddies.com
127.0.0.1 banners.wunderground.com
127.0.0.1 bans.bride.ru
127.0.0.1 banserv.internetfuel.com
127.0.0.1 bestmagsdirect.com
127.0.0.1 bride.ru
127.0.0.1 bs.serving-sys.com
127.0.0.1 burstnet.com
127.0.0.1 www.burstnet.com
127.0.0.1 c.casalemedia.com
127.0.0.1 c.qckjmp.com
127.0.0.1 c.azjmp.com
127.0.0.1 c4.maxserving.com
127.0.0.1 c5.zedo.com
127.0.0.1 campaigns.fairfax.com.au
127.0.0.1 canbet.com
127.0.0.1 cd1.tribalfusion.com
127.0.0.1 chestrest.com
127.0.0.1 www.chestrest.com
127.0.0.1 click.linksynergy.com
127.0.0.1 clickthru.nbc.com
127.0.0.1 clicktorrent.info
127.0.0.1 clk.about.com
127.0.0.1 clk.admt.com
127.0.0.1 clkuk.tradedoubler.com
127.0.0.1 counter2.hitslink.com
127.0.0.1 dist.belnk.com
127.0.0.1 djbanners.deadjournal.com
127.0.0.1 doubleclick.net
127.0.0.1 dpbolvw.net
127.0.0.1 www.dpbolvw.net
127.0.0.1 ds.serving-sys.com
127.0.0.1 e0.extreme-dm.com
127.0.0.1 eastworldnetwork.com
127.0.0.1 www.eastworldnetwork.com
127.0.0.1 empiremovies.com
127.0.0.1 fastclick.net
127.0.0.1 fdimages.fairfax.com.au
127.0.0.1 focusin.ads.targetnet.com
127.0.0.1 gfx.statgfx.com #PCMech ad
127.0.0.1 global.msads.net
127.0.0.1 go.cdw.com
127.0.0.1 hb.lycos.com
127.0.0.1 hera.hardocp.com
127.0.0.1 hg1.hitbox.com
127.0.0.1 hit-now.com
127.0.0.1 www.hit-now.com
127.0.0.1 hspinbox.versiontracker.com
127.0.0.1 images.blogads.com
127.0.0.1 images.fastclick.net
127.0.0.1 images.imgehost.com
127.0.0.1 images.trafficmp.com
127.0.0.1 images2.laih.com
127.0.0.1 imageserv.adtech.de
127.0.0.1 img.mediaplex.com
127.0.0.1 img-cdn.mediaplex.com
127.0.0.1 install.xxxtoolbar.com
#127.0.0.1 itxt.vibrantmedia.com #PCMech ad
127.0.0.1 iv.doubleclick.net
127.0.0.1 jdoqocy.com
127.0.0.1 www.jdoqocy.com
127.0.0.1 jlist.com
127.0.0.1 juggler.inetinteractive.com
127.0.0.1 kqzyfj.com
127.0.0.1 www.kqzyfj.com
127.0.0.1 leader.linkexchange.com
127.0.0.1 liveadvert.com
127.0.0.1 m.tribalfusion.com
127.0.0.1 m3.doubleclick.net
127.0.0.1 media.adrevolver.com
127.0.0.1 media.popuptraffic.com
127.0.0.1 media.fastclick.net
127.0.0.1 media13.fastclick.net
127.0.0.1 media15.fastclick.net
127.0.0.1 media17.fastclick.net
127.0.0.1 media19.fastclick.net
127.0.0.1 media28.fastclick.net
127.0.0.1 media59.fastclick.net
127.0.0.1 mediamgr.ugo.com
127.0.0.1 mediaplazza.com
127.0.0.1 mediats.lostfrog.com
127.0.0.1 mjxads.internet.com
127.0.0.1 multi1.rmuk.co.uk
127.0.0.1 n479ad.doubleclick.net
127.0.0.1 network.realmedia.com
127.0.0.1 noblepoker.com
127.0.0.1 novisearch.net
127.0.0.1 obdb4.ars.jupiterhosting.com
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 partypoker.com
127.0.0.1 pez.ign.com
127.0.0.1 pops.freeze.com
127.0.0.1 qksrv.com
127.0.0.1 www.qksrv.com
127.0.0.1 r.rediff.com
127.0.0.1 r.hotbot.com
127.0.0.1 randallmorse.com
127.0.0.1 realmedial.com
127.0.0.1 red01.as-us.falkag.net
127.0.0.1 rightmedia.net
127.0.0.1 rmedia.boston.com
127.0.0.1 rotator.juggler.inetinteractive.com
127.0.0.1 searchfeed.com
127.0.0.1 servedby.advertising.com
127.0.0.1 servedby.clickexperts.net
127.0.0.1 servedby.netshelter.net #PCMech ad
127.0.0.1 servedby.valuead.com
127.0.0.1 server.as5000.com
127.0.0.1 shareasale.com
127.0.0.1 smile.modchipstore.com
127.0.0.1 www.shareasale.com
127.0.0.1 s0b.bluestreak.com
127.0.0.1 spe.atdmt.com
#127.0.0.1 srd.yahoo.com
127.0.0.1 spinbox.versiontracker.com
127.0.0.1 srs.targetpoint.com
127.0.0.1 swjbx.com
127.0.0.1 t.extreme-dm.com
127.0.0.1 tkqlhce.com
127.0.0.1 www.tkqlhce.com
#127.0.0.1 us.lrd.yahoo.com
127.0.0.1 VTOT.proxy.aol.com
127.0.0.1 w3.aquent.com
127.0.0.1 www.180solutions.com
127.0.0.1 www.247realmedia.com
127.0.0.1 www.ad-flow.com
127.0.0.1 www.addserv.com
127.0.0.1 www.afcyhf.com
127.0.0.1 www.awltovhc.com
127.0.0.1 www.doubleclick.net
127.0.0.1 www.dpbolvw.net
127.0.0.1 www.ftjcfx.com
127.0.0.1 www.heathmedsonline.com
127.0.0.1 www.lduhtrp.net
127.0.0.1 www.myfreepaysite.com
127.0.0.1 www.n-case.com
127.0.0.1 www.partypoker.com
127.0.0.1 www.paypopup.com
127.0.0.1 www1.paypopup.com
127.0.0.1 www2.paypopup.com
127.0.0.1 www20.overture.com
127.0.0.1 www3.bannerspace.com
127.0.0.1 www3.paypopup.com
127.0.0.1 www4.contextweb.com
127.0.0.1 www4.paypopup.com
127.0.0.1 www6.bannerspace.com
127.0.0.1 www7.bannerspace.com
127.0.0.1 www8.bannerspace.com
127.0.0.1 www.qksrv.net
127.0.0.1 www.quickquid.com
127.0.0.1 www.thefreecelebritymoviearchive.com
127.0.0.1 www.tkqlhce.com
127.0.0.1 www.va-bank.com
127.0.0.1 www.yceml.net
127.0.0.1 xads.zedo.com
127.0.0.1 xlonhcld.xlontech.net
127.0.0.1 z1.adserver.com
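Before pasting a list like this into your HOSTS file, it is worth checking it. The script below is an added example and is not part of the PC Mechanic ebook or its HOSTS list. It parses a hosts-style blocklist, keeps commented-out lines (such as the "#PCMech ad" entries above) separate from active ones, and flags the things a careful user would want to know about: a hostname mapped to anything other than a loopback or unspecified address (an active entry like that does not block a site, it redirects it, which is exactly what a tampered HOSTS file looks like), duplicated hostnames, malformed names, and a missing localhost line. The sample input is constructed for the example: a few entries from the list above plus deliberate mistakes, including a placeholder name login.example.com pointed at the TEST-NET address 203.0.113.10.

```python
"""Lint a hosts-file blocklist before installing it.

Added example, not code from the PC Mechanic ebook. The sample input below is
constructed: a handful of real entries from the list plus deliberate mistakes.
"""
import ipaddress
import re
from collections import namedtuple

Entry = namedtuple("Entry", "lineno ip host disabled")

# Sinkhole targets a blocklist is allowed to use. Any other address sends the
# name somewhere real, which is how a tampered HOSTS file hijacks a site.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# RFC-style hostname: labels of 1-63 letters, digits or hyphens, no leading or
# trailing hyphen, whole name at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$",
    re.IGNORECASE,
)

# Constructed sample: lines 2-6 are taken from the list above, lines 7-10 are
# deliberate mistakes (duplicate, hijack-style redirect, bad name, no name).
SAMPLE_HOSTS = """\
# constructed sample blocklist for the lint example
127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
127.0.0.1 ads.doubleclick.net
#127.0.0.1 ai.pricegrabber.com #PCMech ad
127.0.0.1 www.dpbolvw.net
127.0.0.1 www.dpbolvw.net
203.0.113.10 login.example.com
127.0.0.1 bad_host!.example
127.0.0.1
"""


def parse_hosts(text):
    """Return one Entry per hostname, including commented-out entries."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        disabled = line.startswith("#")
        body = line.lstrip("# ").split("#", 1)[0].strip()  # drop trailing comment
        parts = body.split()
        if not parts:
            continue
        if disabled and not re.fullmatch(r"[0-9a-fA-F.:]+", parts[0]):
            continue  # ordinary comment text, not a disabled "#127.0.0.1 host" entry
        for host in parts[1:] or [None]:  # hosts files allow several names per line
            entries.append(Entry(lineno, parts[0], host, disabled))
    return entries


def lint_hosts(text):
    """Check a blocklist for mistakes and for signs of tampering.

    Returns (lineno, code, detail) tuples in file order; empty when clean.
    """
    findings = []
    seen = {}  # lowercased hostname -> first line it was blocked on
    for e in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(e.ip)
        except ValueError:
            findings.append((e.lineno, "bad-ip", e.ip))
            continue
        if e.host is None:
            findings.append((e.lineno, "missing-hostname", e.ip))
            continue
        if not HOSTNAME_RE.match(e.host):
            findings.append((e.lineno, "bad-hostname", e.host))
        if e.disabled:
            continue  # a commented-out entry changes nothing, so skip the rest
        if str(addr) not in SINKHOLE_ADDRESSES:
            findings.append((e.lineno, "non-loopback", f"{e.host} -> {addr}"))
        key = e.host.lower()
        if key in seen:
            findings.append((e.lineno, "duplicate", f"{e.host} (first seen on line {seen[key]})"))
        else:
            seen[key] = e.lineno
    if "localhost" not in seen:
        findings.append((0, "no-localhost", "127.0.0.1 localhost entry is missing"))
    return findings


def blocked_hosts(text):
    """Well-formed hostnames that will actually be sinkholed once installed."""
    return {
        e.host.lower()
        for e in parse_hosts(text)
        if e.host and not e.disabled and e.ip in SINKHOLE_ADDRESSES
        and HOSTNAME_RE.match(e.host) and e.host.lower() != "localhost"
    }


if __name__ == "__main__":
    for lineno, code, detail in lint_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {code}: {detail}")
    print(f"{len(blocked_hosts(SAMPLE_HOSTS))} hosts will be blocked")
```

Run it against your own HOSTS file by reading the file into a string and passing it to lint_hosts(); a "non-loopback" finding for a name you recognise, such as your bank or a search engine, is the one worth investigating immediately, since the list you downloaded should only ever point names at 127.0.0.1.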
