PC TUTOR

internet
spyware
If you’ve ever been skeptical of the extensive measures some people go to to en-
sure that their Internet privacy is uncompromised, then think again. Whichever
Web waves you choose to surf, keep this in mind: you are not alone. There are trai-
torous spies in our e-midsts, watching and gathering information you never re-
alised you were giving—and you can do something about it.
86 September 2000 www.DITnet.co.ae ■ www.pcmag-mideast.com
 ecurity is a critical issue for every site. Some spyware programs are installed programs of inventorying software on the user’s

S computer that’s connected to the automatically when you visit Web sites that system, scanning the Registry, searching out pri-
Internet, whether in the office or at use them. Others are installed along with par- vate information, and then shipping all this
home. The recent denial of service ticular shareware or freeware programs. The in- data back to the home site. In truth, none of
attacks that brought down major Web sites stallation may occur completely without your these accusations have been proven. We call
were possible only because hackers managed knowledge, or you may accept it by clicking on these programs spyware not because they ac-
to subvert many poorly secured computers, Yes without reading the entire licence agree- tively steal private information but because
forcing them to participate in the attack. Some ment. they act in secret, without your knowledge or
email–enabled viruses (such as the notorious News items have accused various spyware permission.
Melissa virus) attempt to broadcast pri- Their stated purposes seem innocent
vate documents—your own or those of enough. Some, called adbots, display ban-
your company. And if the infamous "Back ner ads in associated programs and at-
Orifice" Trojan horse has inveigled its way tempt to tailor the advertising to your in-
into your computer system, it will turn terests. Others collect usage statistics for
over control to any hacker who asks. their clients. All of the known spyware
Fortunately, most corporate users are programs claim to respect your privacy,
sheltered by a company firewall, and per- and under scrutiny, these claims appear
sonal firewalls such as Blackice Defend- to be true. The non-personal information
er (www.netice.com) and ZoneAlarm gathered by these programs could be mis-
(www.zonelabs.com) can protect small- used, however, and the presence of spy-
office and personal PCs (see page 65 for ware might compromise your system.
a review of desktop security tools). With We’ll look at three of the most common
a firewall and an anti-virus program run- examples, and discuss what (if anything)
ning, you’re safe. Or are you? you should do about them.
Even though your system is protected
against outside attack, it’s still vulnera- COMET CURSORS
ble to betrayal from within. Each time you Comet Cursors, an ActiveX control from
connect to the Internet, you may be shar- Figure 1: Many of the shareware or freeware programs you Comet Systems (www.cometsy st e m s
ing that connection with a traitor—a spy- download—whether from Conducent or its affiliates—are .com), provides colourful, unusual, ani-
ware program that has its own agenda accompanied by TSAdBot, which downloads ads that display
when you run the associated programs.
m ated cursors any time you visit a Web
and communicates secretly with its home site that has licensed the Comet Cursors

www.DITnet.co.ae ■ www.pcmag-mideast.com September 2000 87

SEPTEMBER TUTOR ■
INTERNET SPYWARE

control (Figure 2). Depending on your securi-

ty settings, the signed and certified ActiveX Figure 2: When
control may be downloaded and installed with- you visit this
page, Comet
out your knowledge or participation. Cursors chsnges
Comet Systems counts the number of visitors your cursor into
using Comet Cursors on its partner sites. The a unicorn (circle
utility associates a unique ID with each user, so in red).
it can report the number of distinct users. Ac-
cording to Comet Systems, it never asks for an
email address or other personal information,
it does not associate the unique ID with an in-
dividual and it does not track patterns of move-
ment from one site to another. You can view
the privacy policy for Comet Systems at
www.cometsystems.com/ help/privacy.shtml. Figure 3: When you download
On the other hand, whether the company a program, you may or may
records it or not, Comet Systems does receive not be told about TSAdBot.
your IP address. If you have a fixed IP con- Even if you are, the informa-
tion may be hidden in the
nection, such as a cable modem or DSL, the IP licence agreement.
address can identify you; otherwise, it identi-
fies your ISP. For an eye opening view of how
much an IP address can reveal, check the in-
dex pages for Class C IP a d d resses at
www.ipindex.net/c/indexc.html.
In case you’d like to retain the pretty cursors
but remove your unique ID, Comet Systems Figure 4: User profile infor -
graciously supplies a utility for this purpose at mation and downloaded
w w w . c o m e t s y s t e m s . c o m / w h a t / d d n i n- ads are maintained on your
hard drive.
staller_ns.shtml. To remove Comet Cursors
completely, first try the Add/Remove Programs
applet in Control Panel. There may or may not programs are relying on it. Unfortu-
be an entry for Comet Cursors. If you can’t find nately, this degree of candour is rare;
it, download the uninstall program from many other programs install and use
www.cometsystems.com/what/cleaner.shtml. TSAdBot without ever informing the
user.
TSADBOT To determine whether this program
TSAdBot, from Conducent Technologies (for- is present on your system, click Find
merly TimeSink), is distributed with many free- on the Start menu and search all local drives for of freeware and shareware programs; it dis-
ware and shareware programs, including the files named Tsad*.*. If TSAdBot is present, you plays banner ads while the program is run-
Windows version of the popular compression will find Tsad.dll in the Windows folder and ning (Figure 7). It downloads advertisements
utility PKZip. It downloads advertisements Tsadbot.exe in another folder, probably C:Files. from its home site and reports which ads have
from its home site, stores them on your com- Subfolders below the AdGateway folder con- been shown and clicked on. The program’s
puter and displays them when an associated tain user profile information as well as the author is paid based on the advertising views
program is running. According to Conducent, downloaded ads. and click-throughs. In the case of a freeware
TSAdBot reports your operating system, your If you want to remove TSAdBot, you must program, this is the only money the author
ISP’s IP address, the ID of the TSAdBot-licensee first uninstall all programs that rely on it. You’re gets. The Aureate DLL includes an optional
program you’re running and the number of effectively paying for these programs by al- survey that may appear some time after the
different ads you’ve been shown. It also indi- lowing them to show you banner ads, so in all initial installation. Uninstalling the host pro-
cates whether you have clicked on any of the fairness, you should remove them. (If fairness gram does not remove the DLL; it can contin-
ads. On installation, TSAdBot may present an is not sufficient incentive, consider that these ue to operate independently.
optional survey. If you answer the survey, your programs will not run in TSAdBot’s absence!) Worst of all, according to Steve Gibson of
answers are conveyed along with the other In most cases, uninstalling the related pro- Gibson Research (www.grc.com), the Aure-
information gathered by TSAdBot. Condu- grams will not remove TSAdBot itself, so you’ll ate DLL introduces a serious security hole. A
cent’s privacy statement is available at have to delete Tsad.dll and the entire AdGate- malicious hacker could redirect the Aureate
www.conducent.com/privacy.shtm. way folder using Windows Explorer. Explor- DLL to phone the hacker’s server. That server
The install program for PKZip for Windows er may refuse with an Access denied message; could then take control of the Aureate DLL,
2.70 clearly states that the product integrates in that case, restart Windows and try again. If instructing it to download further malicious
"sponsored messaging technology" that will you still can’t delete them, restart the comput- code onto the user’s machine and execute that
make use of your Internet connection, and er in MS-DOS mode and delete these files us- code. According to Gibson, the Aureate DLL’s
identifies Conducent Technologies as the ing the command line. ability to download new programs has been
source. The program also describes precisely confirmed, though there is no evidence that this
what information will be sent to the Conducent AUREATE DLL has yet been used for nefarious purposes. Gib-
home site. Furthermore, PKZip’s uninstall pro- The Aureate DLL, from Radiate.com (former- son also notes that browser problems, in-
gram removes TSAdBot, as long as no other ly Aureate Media), is installed with hundreds cluding complete browser crashes, have been

88 September 2000 www.DITnet.co.ae ■ www.pcmag-mideast.com

 ■ SEPTEMBER TUTOR
INTERNET SPYWARE

ever changing banner ads, check with the ven-

Figure 5: You may be presented dor to find out where they’re coming from.
with an optional survey form during
installation. If you fill it out, the in- You can learn a lot by visiting a spyware
formation is sent back to Condu- vendor’s Web site. You’ll usually find links
cent’s site along with the other in- with information for advertisers and develop-
formation gleaned by TSAdBot. ers.
Follow those links and carefully peruse them.
Chances are good you’ll find phrases like "...sig-
nificantly improve online advertising perfor-
mance by integrating actual online identity
with off-line demographics and behaviour."
This will appeal to an advertiser but may ap-
pall the consumer whose "demographics and
behaviour" are under scrutiny.

OPTING OUT
Figure 7: The $24.95 OptOut utility, seen her e Internet security cognoscenti are already fa-
in a pre-release version, will locate all spyware miliar with the ShieldsUp! page on Gibson Re-
on your system and optionally remove it. search’s Web site. With your permission, Shield-
sUp! probes your system’s security in much
the same way a hacker would and reports any
loopholes. The related OptOut site
(www.grc.com/optout.htm) provides infor-
mation and tools for users who want to opt out
Figure 6: As you run a program, of providing free marketing data through spy-
TSAdBot uses your Internet ware. The site supplies detailed information on
connection to convey informa-
tion to its home site and to all known spyware programs, including the
download more ads. A personal names and Web addresses of the suppliers,
firwall, such as ZoneAlarm, can what information is gathered and the programs
alert you when this occurs. that integrate them.
Gibson doesn’t suggest eliminating such
they could deliver advertisements marketing tools; after all, some users adore
that would pique your interest. free programs and don’t consider privacy an
Some people think this is just issue. He proposes a "Code of Backchannel
fine; they love getting mailings Conduct" for tools that work in the background
and catalogues that cater to their and share your Internet connection. The code
hobbies and interests. If that’s not is fairly detailed, but this quote sums it up:
traced to the Aureate DLL. your style, you’ll need to stay alert. "You may use my Internet connection, but you
Radiate states that its DLL does not gather Check your browser’s security settings to must first help me to understand why you
or report any personal information, does not make sure ActiveX controls can’t be installed want to use it and how you will use it, then re-
track your Web surfing habits and does not without your knowledge. In Internet Explor- ceive my explicit consent before using it. Then,
monitor what you do on your computer. The er 5, choose Options from the Tools menu if I ever change my mind, you must cease such
DLL does, however, associate the information and click the Security tab. By default, the In- use and go away."
it gathers with a unique ID, so as to tailor the ternet zone is set for the Medium security lev- Central to the site is the OptOut utility (Fig-
ad offerings to your interests. For those who el. At this level, you’ll be prompted before ure 7), which searches your system for known
wish to remove the program, Radiate offers downloading ActiveX controls but not before spyware, reports its findings and optionally
an uninstall utility at www.radiate.com/priva- running or scripting them. If you want to removes the offending files. As of this writing,
cy/remover.html. Naturally, removing the Au- change the security options, click the Custom OptOut exists as a free pre-release program
reate DLL will disable any freeware or share- Level... button. Make sure the Prompt box is that removes only the Aureate DLL. The final
ware programs associated with it. You can checked under Download Signed ActiveX version should detect and remove them all. It
check Radiate’s privacy policy at www.radi- Controls, so you’ll be prompted before any will be a $24.95 purchase (direct), with indef-
ate.com/privacy. such installation. Select Prompt under Run Ac- inite free updates to handle newly discovered
tiveX Controls and Plug-ins and Script ActiveX spyware.
WHAT CAN YOU DO? Controls Marked Safe for Scripting, at least There’s no evidence that spyware programs
The distinction between marketing demo- temporarily. If the frequent prompts generat- are gathering private information or associat-
graphic analysis and invasion of privacy was ed by the second two settings prove too an- ing that information with individuals. You may
already blurred long before the invention of noying, you can change them back to Enabled. feel that giving away some limited, non-per-
spyware. Right now, you’re targeted for spe- Every time you install a new program or util- sonal information is a small price to pay in re-
cific direct mail advertisements based solely ity, read the licence agreement. If it mentions turn for free programs. But the possibility of
on your zip code. Every time you enter a con- integrated advertising, background use of your abuse exists, so it behooves you to know just
test, fill out a survey, or send in box tops for a Internet connection, or anything that suggests who’s sharing your Internet connection. For
free trinket, you’re adding to the vendor’s data- spyware, you may want to abort the installa- more information on privacy concerns, see
base of demographic data. Marketers would tion and investigate. And if, despite these pre- our Special Report on Internet Privacy in the
love to know every little thing about you, so cautions, your newest game or utility sports August 2000 issue.

www.DITnet.co.ae ■ www.pcmag-mideast.com September 2000 89