MTCS Parasite FAQ
What are parasites?
‘Parasite’ is a shorthand term for “unsolicited commercial software” — that is, a program that gets installed on your computer which you never asked for, and which does something you probably don't want it to, for someone else's profit.
The parasite problem has grown enormously recently, and many millions of computers are affected. Unsolicited commercial software can typically:
- plague you with unwanted advertising (‘adware’);
- watch everything you do on-line and send information back to marketing companies (‘spyware’);
- add advertising links to web pages, for which the author does not get paid, and redirect the payments from affiliate-fee schemes to the makers of the software (such software is sometimes called ‘scumware’);
- set browser home page and search settings to point to the makers' sites (generally loaded with advertising), and prevent you changing it back (‘homepage hijackers’);
- make your modem (analogue or ISDN) call premium-rate phone numbers (‘diallers’);
- leave security holes allowing the makers of the software — or, in particularly bad cases, anyone at all — to download and run software on your machine;
- degrade system performance and cause errors thanks to being badly-written;
- provide no uninstall feature, and put its code in unexpected and hidden places to make it difficult to remove.
All the parasites I currently know about are only compatible with Windows, and some only affect the Internet Explorer browser. The script on this site — when it is run in IE for Windows — can detect many of them. But not all, for tedious technical reasons.
Where do they come from?
There are three major ways unsolicited commercial software can make its way on to your machine:
- Some freeware programs are ‘bundled’ with parasites, which are installed at the same time. The P2P file-sharing programs are notorious for this; in particular, iMesh and Grokster come with countless unwanted add-ons.
  Often, if you are careful to read the small print when you install the software, it will warn you about this, and it is sometimes possible to opt out. So always skim the licence agreement when you install and don't just click Next-Next-Next... but you still can't be sure they'll tell you.
- Many parasites load using Internet Explorer's ActiveX installation option. When a web page includes a link to an ActiveX program, a window will appear asking whether the user wishes to execute it. If ‘Yes’ is clicked (or if IE security settings are set lower than normal so that it never even asks), the software is allowed to run and can do anything at all it likes on your computer, including installing parasites.
  For this reason, you should never click ‘Yes’ to a “Do you wish to download and install...” prompt unless you are 100% sure you trust the publisher of the software, which might not be the publisher of the web site you are viewing — read the dialogue box very carefully.
  Sometimes sites (or pop-up ads) try to fool you into clicking ‘Yes’ by stating that the software is necessary to view the site, by opening endless error windows if you click ‘No’, or by claiming that the digital certificate on the code means it is safe. It means no such thing. ‘Microsoft Authenticode’, signed by companies like Verisign, means only that the company that wrote the software is the same as the company whose name appears on the download prompt — nothing more.
- Some of the really sleazy parasites, particularly homepage-hijackers and diallers, execute by exploiting security holes in Internet Explorer: ways of getting code to run that are not supposed to be possible, but are, because of mistakes in the browser code.
  You can do your best to guard against this by ensuring you have the latest updates and patches from Microsoft. Still, there are usually a handful of security holes that have not yet been corrected, so you can never be 100% sure you are safe.
  One way of reducing your risk of exploitation is to go to Tools->Internet Options->Security and set the security level for the Internet Zone to ‘High’. (If no slider is visible, click ‘Default level’ to make it appear first.) Then set the security level for the Trusted Zone to ‘Medium’ and add the sites you use and trust to this zone; you may need to do this quite often, as many badly-designed sites just won't work in high-security mode.
An alternative solution for the last two problems is just to use a different web browser for everyday browsing, and Internet Explorer only for sites you trust that stubbornly refuse to work with other browsers.
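The ‘lower than normal’ settings and the zone procedure above both come down to a few per-zone registry values. The following PowerShell script is an added example (it is not from the original FAQ and is not the site's detection script): it reads the current user's Internet Explorer zone settings and reports whether the Internet zone can still load ActiveX controls without a prompt, lists the sites already placed in the Trusted zone, and gives a helper for adding one. The zone numbers (3 = Internet, 2 = Trusted sites), the CurrentLevel constants, and the URL-action ids 1001/1004/1200/1201 with data 0 = Enable, 1 = Prompt, 3 = Disable are Microsoft's documented ones; the function names and the choice of which actions to report are this example's own.

```powershell
# Added example, not part of the original FAQ. Reads HKCU only; a machine-wide
# policy (HKLM zones / Security_HKLM_only) can override what is reported here.
$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$zoneNames  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
# Documented CurrentLevel template values.
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }
# The URL actions an ActiveX drive-by install depends on (documented action ids).
$actionNames = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
$settingNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneActiveXPolicy {
    param([int]$Zone = 3)   # 3 = Internet zone
    $key   = Get-ItemProperty -Path "$zonesRoot\$Zone"
    $level = [int]$key.CurrentLevel
    $rows = foreach ($id in $actionNames.Keys) {
        $raw = $key.$id
        [pscustomobject]@{
            Action  = $actionNames[$id]
            Setting = if ($null -eq $raw) { '(not set)' } else { $settingNames[[int]$raw] }
            # Only an explicit Prompt or Disable stops a silent install; treat anything else as open.
            Blocks  = ($null -ne $raw) -and ([int]$raw -ne 0)
        }
    }
    [pscustomobject]@{
        Zone  = $zoneNames[$Zone]
        Level = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { 'Custom (0x{0:X})' -f $level }
        Rows  = $rows
    }
}

function Get-IETrustedSites {
    # ZoneMap\Domains\<domain>[\<subdomain>] holds one value per scheme
    # ('http', 'https' or '*') whose DWORD data is the zone number.
    if (-not (Test-Path $zoneMap)) { return }
    foreach ($key in Get-ChildItem -Path $zoneMap -Recurse) {
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notin 'http', 'https', '*') { continue }
            if ([int]$p.Value -ne 2) { continue }            # 2 = Trusted sites
            $parts    = ($key.PSPath -replace '^.*\\Domains\\', '') -split '\\'
            $hostName = if ($parts.Count -eq 2) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
            [pscustomobject]@{ Host = $hostName; Scheme = $p.Name }
        }
    }
}

function Add-IETrustedSite {
    # The per-site step from the procedure above: put one https site into the Trusted zone.
    param([Parameter(Mandatory)][string]$Domain)
    $path = "$zoneMap\$Domain"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'https' -PropertyType DWord -Value 2 -Force | Out-Null
}

# Report: Internet zone first, then what has been carved out into the Trusted zone.
$internet = Get-IEZoneActiveXPolicy -Zone 3
"Internet zone level: $($internet.Level)"
$internet.Rows | Format-Table Action, Setting, Blocks -AutoSize
$silent = @($internet.Rows | Where-Object { -not $_.Blocks })
if ($silent.Count -gt 0) {
    Write-Warning ('ActiveX can load from any Internet site without a prompt: ' + ($silent.Action -join '; '))
}
'Sites in the Trusted zone (checked less strictly):'
Get-IETrustedSites | Format-Table -AutoSize
```

With the Internet zone on the ‘High’ template all four actions report Disable and the warning does not fire; a zone that has been dragged to ‘Low’, or edited by hand, shows Enable for 1001 or 1200, which is exactly the state in which the install prompt never appears. `Add-IETrustedSite` writes only an https entry; add an 'http' value the same way if a site you trust does not serve TLS.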
Why doesn't my anti-virus software detect this?
Technically, most unsolicited commercial software isn't viral: it doesn't spread from computer to computer, it just installs and runs on one system.
That doesn't mean it's not harmful, but anti-virus software does not attempt to detect all software that could be harmful. Whether it should is a tricky argument that ends up a question of where you draw the line.
Actually, some anti-virus programs do detect some of the parasites outlined on these pages, but not nearly all, and not all versions of them. Parasites that install using IE security holes are more likely to be targeted by the anti-virus software vendors, but the selection of targets seems for the most part to be pretty arbitrary.
For this reason there are now a number of anti-parasite packages around that work as a complement to anti-virus software.
Links
General information
- Mike Healan's SpywareInfo offers information and a regular(ish) newsletter covering all types of parasite;
- Bill Webb's Counterexploitation has a large collection of things to look out for;
- SimplyTheBest lists many of the major parasites.
Free anti-parasite software
- LavaSoft Ad-Aware is the original anti-adware tool. It has a good database of adware and spyware.
- Spybot Search & Destroy is an impressive one-man effort from PepiMK Software. Its large database targets premium-rate diallers as well as adware and spyware; it can also remove usage records and keyloggers.
- SpywareBlaster by JavaCool takes a different, complementary approach. Instead of detecting or removing its targets, it inoculates your computer by telling it never to execute certain software. This stops you downloading some types of parasite, and stops others from working. However, like the script on this page, it can only target ActiveX controls, so it is not a complete solution.
Commercial anti-parasite software
- Aluria's Spyware Eliminator aims to remove parasites cleanly. Free trial available.
- Webroot's Spy Sweeper is a newer application. Free trial available (no updates); there is also a limited scanner-only 'SpyAudit' download which is not worth bothering with.
- PestPatrol is an established anti-trojan application that now targets unsolicited commercial software as well as more traditional hacker tools. Free trial available.
- ITCompany's SpyRemover is a commercial program based around code from Spybot.
Questionable anti-parasite software
Since the issue of adware and spyware has become better known, many companies have been jumping on the bandwagon and offering anti-parasite software. Not all are as trustworthy as one would hope, for a company offering to take care of your computer's security.
- TrekBlue offer a spyware removal program called Spyware Nuker, which is advertised through junk e-mail from its affiliates and misleading fake-dialogue-box web advertising. TrekBlue are the same company as e-mail marketers ‘TrekData’ and ‘Blue Haven Media’, who are linked to the ‘InContext’ spyware (aka AdGoblin) and distribute this and other spyware through ActiveX drive-by-download on web pages. (They also used to work for Lions Pride Enterprises, who made and controlled the ‘wnad’ spyware).
- WarNet offer software including an adware remover. However, WarNet is owned and run by the same people who own and run C2 Media, producers of the infamous lop parasite.
- SpywareLabs produce a parasite detection program called Virtual Bouncer, with a removal option requiring payment. It is distributed by the same bundling and drive-by download techniques as the parasites it claims to remove, so definitely qualifies as unsolicited commercial software in itself. (It also has an update feature that can download and execute arbitrary code.)
- RedV offer an adware remover called AdProtector. However, the installer used to download this and the other RedV ‘Protector’ applications is itself adware, and RedV are the same company as Web3000, one of the earliest large spyware makers.
- Bulletproof Soft offer a commercial Spyware Remover; OnlinePCFix offer a utility called SpyFerret; Ideal World Online offer SpyGone. All have copied Spybot Search and Destroy's definitions database without permission or attribution; additionally, SpyFerret includes actual program code taken from Spybot, and SpyGone is an unlicensed copy of SpyRemover.
- N-Light (previously Razor Media) offer a free scanner-only promotion for their software ‘SpyAssault’. However, this has installed the commercial trojan FavoriteMan/Ss32. Razor Media were also responsible for the Daily Winner parasite.
- SpyBan is distributed by NICtech Networks, the marketing company behind the Look2Me parasite that SpyBan itself installs.
- SpyBlast is a parasite itself.
- SoftDD offer a free ‘trial version’ of ‘Spy Guardian Pro’, which always tells you you have spyware installed (even on a completely clean machine), but won't tell you where, asking you to buy the full version to find out.
- InterEsoft are promoting the previously unknown commercial program 'NospyX' through heavy spam campaigns.
Other security services
- Henrik Gemal's BrowserSpy is a comprehensive web-browser-analysis tool aimed at showing you what information your browser is passing to sites visited.
- AuditMyPC offers free port scans and other security and privacy checks and information.
- Personal firewalls can catch some types of parasite (not ones that integrate into IE) as they try to connect to the internet. The more popular ones include Zone Alarm, Outpost and Tiny.
- HijackThis! can list and fix many problems relating to homepage- and search-hijackers. BillP's WinPatrol keeps track of programs-run-on-startup settings and has various miscellaneous monitoring functions.
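Two of the tools above work on data that is easy to inspect directly: HijackThis and WinPatrol list the Browser Helper Objects and startup entries that parasites use to load, and SpywareBlaster's ‘inoculation’ (in the free-software list earlier on this page) is the ActiveX kill bit. The following PowerShell script is an added example, not the FAQ's own script and not code from any of the tools named: it inventories the registered BHOs, resolves each CLSID to its DLL, notes whether that DLL sits outside the usual program directories (the ‘unexpected and hidden places’ mentioned at the top of the page), shows who signed it (a signature only names the signer, as the Authenticode paragraph explains), reports whether a kill bit is already set, and lists the Run/RunOnce startup entries. The registry paths and the 0x400 flag in ‘Compatibility Flags’ are Microsoft's documented ones; the function names and the ‘suspicious location’ heuristic are this example's own.

```powershell
# Added example, not part of the original FAQ. Read-only apart from Set-KillBit,
# which is defined but not called; it needs an elevated shell.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KILL_BIT    = 0x400   # documented bit in the 'Compatibility Flags' DWORD
# Where legitimately installed code normally lives; anything elsewhere gets flagged.
$expectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

function Resolve-ClsidServer {
    # Map a CLSID to the DLL implementing it via HKCR\CLSID\{...}\InprocServer32.
    param([string]$Clsid)
    $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv) { [Environment]::ExpandEnvironmentVariables([string]$srv.'(default)') }
}

function Test-KillBit {
    param([string]$Clsid)
    $flags = Get-ItemProperty -Path "$killBitRoot\$Clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if (-not $flags) { return $false }
    return (([int]$flags.'Compatibility Flags' -band $KILL_BIT) -ne 0)
}

function Set-KillBit {
    # Inoculation: tell IE never to load this control again, whatever page asks for it.
    param([Parameter(Mandatory)][string]$Clsid)
    $path = "$killBitRoot\$Clsid"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $current = [int](Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord -Value ($current -bor $KILL_BIT) -Force | Out-Null
}

function Get-IEBrowserHelperObjects {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid = $key.PSChildName
            $dll   = Resolve-ClsidServer $clsid
            $sig   = if ($dll -and (Test-Path -LiteralPath $dll)) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
            $inExpected = $dll -and @($expectedRoots | Where-Object { $dll.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
            [pscustomobject]@{
                Clsid      = $clsid
                Dll        = $dll
                KillBit    = Test-KillBit $clsid
                # The signer's name is all a signature tells you; it is not a statement that the code is safe.
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned or file missing)' }
                Suspicious = -not $inExpected
            }
        }
    }
}

function Get-RunKeyEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider bookkeeping properties Get-ItemProperty adds.
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

Get-IEBrowserHelperObjects | Format-Table Clsid, KillBit, Suspicious, Dll, Signer -AutoSize -Wrap
Get-RunKeyEntries | Format-Table Name, Command, Key -AutoSize -Wrap
```

A BHO whose DLL lives under a temporary or profile directory, or whose CLSID has no InprocServer32 entry at all, is flagged `Suspicious`; that is a prompt to look, not a verdict. Once you have identified a control you never want loaded, `Set-KillBit '{clsid-from-the-report}'` (run elevated) applies the same block that SpywareBlaster applies in bulk, and `Test-KillBit` confirms it took.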
Discussion
- SpywareInfo's discussion forum covers many topics, including upcoming threats.
- The Usenet group alt.privacy.spyware (newsgroup, web interface) covers parasites as well as intentionally-installed spyware.
- Counterexploitation's forums offer discussion and removal help.
- GRC's spyware group (newsgroup, web interface) discusses possible new threats.
- The ParasiteWare forums concentrate on ‘scumware’ and other issues affecting webmasters.
- DSL Reports has a high-traffic security forum which covers unsolicited commercial software along with viruses, trojans and security holes.