
What are specifics of how spyware gets loaded without user knowledge?


bankboysb

Technical User
Jun 7, 2004
121
US
Looking for detailed (not beginner FAQ) info about how I can answer client questions -- "how do they install this spyware / adware without me knowing about it?"

Any sources or input is welcome!
 
The very act of going to 'any' website loads many more components than we are ever aware of. Going to an iffy site could deposit very undesirable content more especially if some of the site's payload is script based. What your browser is permitted to do (disable/prompt) with such scripting (ActiveX, Java, etc.) may seriously impact your system's security problems. Helpful tools such as HOSTS files and IE-Spyad can be used to define a blacklist of bad places that should not be surfed.


In IE: View > Privacy Report you can see what a given site's payload package includes. I have noticed that by blocking ad-based content, for instance, my script blocking statistics have increased significantly with major corresponding reductions in web bugs and cookies.

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]

 
Thanks for this info: good insights!

Unfortunately our organization uses web-based application launchers.

How do you recognize ad-based content?
 
[highlight #FF99FF]Unfortunately our organization uses web-based application launchers.[/highlight]

Could you explain this or provide some context or example?


[highlight #FF99FF]How do you recognize ad-based content?[/highlight]

The targeted URLs are generally completely distinctive 3rd party URLs from those 20-50 base-site URLs found in the 'privacy report' list. [highlight]Also, the URL often has the word 'ad' or 'media' in it. [/highlight]

Sometimes, I just put [highlight]'www.3rd_party_URL.com'[/highlight] in my HOSTS file to see what happens. I use 'Spyblocker' as my primary HOSTS file source and as my blocked statistics and scoreboard incidence tracker.

'SpyBlocker' is showing 35 blocked scripts today, as we speak. It will be at least double (maybe triple) this by the end of the day.

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]
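The two heuristics in the post above (third-party hosts whose name carries an 'ad' or 'media' label, sunk via a HOSTS file) can be checked mechanically. The script below is an added example, not code from the thread or from SpyBlocker; the URL list is constructed, and the "base domain" test is a crude last-two-labels comparison with no public-suffix handling.

```python
"""Flag third-party 'ad'/'media' hosts from a page's component list and
emit or check HOSTS-file blacklist entries (added example, not from the thread)."""
from urllib.parse import urlparse

# Constructed sample: URLs a privacy report might list for a page on www.example.com
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "http://static.example.com/logo.gif",
    "http://ads.tracker-net.test/banner.js",
    "http://media.adserve.test/pixel.gif",
    "http://download.vendor.test/update.exe",   # 'ad' inside 'download': not a hit
    "http://cdn.partner.test/lib.js",
]

AD_TOKENS = {"ad", "ads", "adserver", "media"}

def base_domain(host):
    """Crude registrable-domain guess: last two labels (assumption, no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_third_party(host, site_host):
    return base_domain(host) != base_domain(site_host)

def looks_like_ad_host(host):
    """Whole-label match only, so 'download' or 'adobe' do not trip the rule."""
    tokens = host.lower().replace("-", ".").replace("_", ".").split(".")
    return any(t in AD_TOKENS for t in tokens)

def suspicious_hosts(urls, site_host):
    hits = set()
    for u in urls:
        host = urlparse(u).hostname or ""
        if host and is_third_party(host, site_host) and looks_like_ad_host(host):
            hits.add(host)
    return sorted(hits)

def hosts_file_lines(hosts):
    """HOSTS entries that sink each name to the loopback address."""
    return ["127.0.0.1 %s" % h for h in hosts]

def parse_hosts(text):
    """Return the set of hostnames a HOSTS file maps, ignoring comments."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            blocked.update(p.lower() for p in parts[1:])
    return blocked

def is_blocked(host, blocked):
    """HOSTS matching is exact: a blocked 'ads.x.test' does not cover 'ads2.x.test'."""
    return host.lower() in blocked
```

The exact-match caveat in `is_blocked` is the practical limit of the HOSTS approach: every new ad subdomain needs its own line, which is why the poster relies on a maintained list.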

 
We have a browser-based applications launcher, but due to security restrictions I cannot give more details. It is our intranet source site and is integral to all we do.

Probably can't use the due to our software restrictions. There is already a hardware firewall in place on our network, btw.

Any more ideas out there? Our computers are getting swamped!
 
HW firewalls do not block specific sites, they block ports.

If you are browsing, you are using and choose to open Port 80.

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]

 
What spyware items are you getting and what tools are you 'allowed' to use to prevent, detect, and remove such visitations?

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]

 
Well I have managed to get Adaware and Spybot in use (just barely passed management approval). But there are certain bugs that just glom onto some of our users' machines and won't let go. This is why I am trying to get a handle on the mechanics of the whole thing. If I can figure out just how they are transmitting this stuff to our systems perhaps I can use our filtering systems to stop it. Capisce?

And yes the firewall blocks ports, but the most common port is 80 and so adware uses it. Unless we have missed some we have most ports closed already. Anybody got a list of spyware ports?
 
By naming the 'bugs', that MIGHT give you some means to find out what the delivery mechanisms are. Ultimately, your issues are going to be poor or uninformed user URL destination choices and acceptable barriers you might be willing to impose (by using a HOSTS file or other 'big brother' app, or by disabling most, if not all, scripting attributes).

You could do Google research - often very unproductive. You could go to - they have one of the best and most comprehensive knowledge bases for individual infections.

[highlight]WARNING:[/highlight] Most spyware information sites are geared to fixing the problems after the fact and are short on insights that you are seeking. They might mention 'driveby download' (user caused infliction) or ActiveX based (IE configuration settings based).

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]
 
Have a look at this link and make your own conclusions:

thread760-917194

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]

 
The very act and manner in which you use Email or Instant Messaging can release many kinds of questionable content and payload packages upon your PC. These two mediums often present many links or download opportunities. Such items may be unwisely tempting to an unknowing or just plain inattentive user.

HTML based email presents the same contamination issue possibilities as would be the case for any questionable website based active scripting content.

Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]

 
If you have INSTALL ON DEMAND or JAVASCRIPT enabled, spyware/adware will automatically install without you knowing it.
 
Have your management review, revise and enforce their computer usage policies.
 