Research and Advances
Architecture and Hardware Spyware

Busting the Ghost in the Machine


This article describes an attempt to infect two new Dell Windows XP SP2 PCs (named Grease and Grime) with spyware and examines the results of the infections. Each PC carried Symantec Antivirus 8.1.0.125, Spyware Doctor 3.1 (Doc), Spybot Search and Destroy 1.3 (SSD), and Sandra 2005, but no real-time protection or inoculation options were active during the infection and examination processes. Table 1 lists the initial benchmark metrics from Sandra 2005, obtained from SiSoftware at www.sisoftware.net/.

Stage 1 infection. First, a Web mail client was used to read the same email from the same account on both Grease and Grime. Seven messages were selected to give broad but categorized coverage of typical spam: Rolex Watches, Canadian Pharmacy, Obtain a Diploma, CIALIS Softabs, and three different porn messages.

These messages were opened simultaneously on each PC, and where possible, hyperlinks were followed from the email to the subsequent Web pages. Where the hyperlinks worked, we drilled down until a purchase opportunity appeared. If member logon/registration was required, a valid user ID and password were created for that session. Email addresses, if requested, were faked. Credit card and personal information were never entered, but all other instructions were followed to the penultimate step of the purchase/registration process. For example, when responding to a message with the subject header "Order Rolex Online" we clicked through to the Buy button. At that point (when name, address, and credit information were requested), the browser's Back button was used to back out of the site.

Following the initial reading of the seven spam messages, Doc and SSD were executed in scan mode and the following were identified as spyware:

Doc 3.1:
  • Mediaplex.com
  • Pointroll.com
  • Imrworldwide.com
  • Doubleclick.net
  • 2o7.net

SSD 1.3:
  • MediaPlex.com
  • 5 entries for DSO Exploit
  • DoubleClick.net
  • Tribalfusion.com
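What Doc and SSD actually matched at this stage were third-party tracking cookies left behind by the ad networks reached from the spam links. The following added example (not code from the article, nor from Spyware Doctor or Spybot) shows the simplest form of that check: walk a browser cookie store in the Netscape cookies.txt layout and count cookies whose domain is, or is a subdomain of, a known tracker. The tracker list is the set of domains the two scanners reported above; the cookie file contents are constructed sample data, and the field layout is assumed to be the standard seven-column cookies.txt format.

```python
"""Flag third-party tracking cookies in a Netscape-format cookies.txt.

Added illustration, not code from the article or from Spyware Doctor /
Spybot S&D. The tracker list is the set of domains the article reports
after Stage 1; the cookie file below is constructed sample data.
"""
from collections import Counter
from typing import Optional

# Domains Doc 3.1 and SSD 1.3 flagged after Stage 1 (taken from the article).
TRACKER_DOMAINS = {
    "mediaplex.com", "pointroll.com", "imrworldwide.com",
    "doubleclick.net", "2o7.net", "tribalfusion.com",
}

# Constructed sample in Netscape cookies.txt layout (tab separated):
# domain  include_subdomains  path  secure  expiry  name  value
# The hosts and values are made up for the example.
SAMPLE_COOKIES_TXT = """\
# Netscape HTTP Cookie File
.doubleclick.net\tTRUE\t/\tFALSE\t1262304000\tid\t8000000a
ad.doubleclick.net\tFALSE\t/\tFALSE\t1262304000\ttest_cookie\tCheckForPermission
.mediaplex.com\tTRUE\t/\tFALSE\t1262304000\tsvid\t12345
www.example-pharmacy.test\tFALSE\t/\tFALSE\t1262304000\tsession\tabc
metrics.2o7.net\tFALSE\t/\tFALSE\t1262304000\ts_vi\t[CS]v1
.tribalfusion.com\tTRUE\t/\tFALSE\t1262304000\tANON_ID\tdeadbeef
notdoubleclick.net\tFALSE\t/\tFALSE\t1262304000\tx\ty
"""


def registrable_match(host: str, trackers=TRACKER_DOMAINS) -> Optional[str]:
    """Return the tracker domain that `host` equals or is a subdomain of.

    Matching is done on whole labels, so "notdoubleclick.net" does not
    match "doubleclick.net" but "ad.doubleclick.net" does.
    """
    labels = host.lstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in trackers:
            return candidate
    return None


def parse_cookies_txt(text: str):
    """Yield (domain, cookie_name) for each cookie line; skip comments and blanks."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # malformed line: a scanner would log it, not crash
        yield fields[0], fields[5]


def scan_cookies(text: str, trackers=TRACKER_DOMAINS) -> Counter:
    """Count cookies per matched tracker domain, the way Doc/SSD reported hits."""
    hits = Counter()
    for domain, _name in parse_cookies_txt(text):
        match = registrable_match(domain, trackers)
        if match:
            hits[match] += 1
    return hits


if __name__ == "__main__":
    for tracker, n in sorted(scan_cookies(SAMPLE_COOKIES_TXT).items()):
        print(f"{n:2d}  {tracker}")
```

The label-wise suffix match is the part worth getting right: a naive `endswith("doubleclick.net")` would also flag `notdoubleclick.net`, and a naive equality test would miss `ad.doubleclick.net`. Note also that this is all the "infection" amounted to at Stage 1: cookies, not executables, which is consistent with the benchmarks showing no slowdown yet.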

Stage 2 infection. Repeated Sandra 2005 benchmark runs revealed no substantial differences between pre- and post-infection metrics: no test varied by more than 2%, and some tests even indicated better performance. To acquire additional spyware, switchboard.com was visited to search for telephone numbers in the same hometown. In addition, several attempts were made to visit clickable banner ads as well as pop-up advertisements. For instance, the fish bowl screensaver, along with its bundled spyware, was installed from the well-known tracking company GAIN.

During this stage the appropriate zip code was keyed, but no other information or email addresses were released. This stage was not as precisely controlled as was Stage 1 because different clickable ads were available at different times, so the exact visit sequence and visit sites were not identical between the two PCs. In total, no more than six minutes were spent making visits to the available sites that emanated from Switchboard.com.

After the second round of infection from Switchboard.com and its affiliates, a new execution of SSD and Doc revealed the following infections on both Grease and Grime:

Doc 3.1:
  • 1 Valueclick
  • 2 Advertising.com
  • 1 Avenue A Inc.
  • 1 Core metrics
  • 1 DoubleClick
  • 5 DSO exploits
  • 11 GAIN.dashbar
  • 19 GAIN.Gator
  • 3 HitBox
  • 1 MediaPlex

SSD 1.3:
  • 102 infections, including the tracking cookies

Stage 3 infection and cleanup. Because another Sandra 2005 benchmark run again revealed no substantial differences relative to the initial benchmark, additional spyware was acquired. We decided to use the "big guns" and downloaded Kazaa and Skype. These products advertise "no spyware" for the paid versions, but our interest was in the spyware pushed by the free versions. The free versions give ample warning about the bundled software, although some of the warning is worded so as to suggest more benefit to the user than we believe actually results. Kazaa and Skype were potent downloads even though we used none of their services.

A final execution of SSD and of Doc revealed surprises. Doc uncovered more than three times the prior count, with 384 infections, and SSD would not run at all. Instead, it generated the following error message (the German fragment translates as "Invalid data type for"):

Error during check: Winpub32 ("Ungültiger Datentyp für").

Following the Stage 3 infection, the PCs were scanned for viruses and disinfected. Symantec Antivirus reported zero viruses after a scan of more than 24 minutes covering more than 125,000 files on each PC. Doc claimed removal (after reboot) of all 384 infections. SSD was then able to run without error. It identified nine infections, including Claria, Kazaa Promotional Items, Joltid P2P Networking, Altnet Software, and MyWay. SSD claimed eight removals, but the five DSO Exploit registry changes remained after a reboot.


Final Benchmark Results

Both Grease and Grime were benchmarked seven times using Sandra 2005. Table 2 summarizes pre- and post-experiment disk access times. Before infection, the average access time for the file system benchmark was eight milliseconds on both PCs. Before the final cleanup, the access time for Grease had increased by a whopping 20% and the access time for Grime by 11%. After cleaning both computers with Norton Antivirus, SSD, and Doc, the original access time of eight milliseconds returned. Intermediate benchmark executions, surprisingly, revealed conflicting results.
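The article's hedge that the observations hold only "assuming that the benchmark metrics are reliable" is the crux of this kind of measurement: a 20% change in disk access time means something only if the benchmark itself does not wobble by that much between runs. The following added example (not part of the article, and not SiSoftware's code) applies the test the article implicitly uses, treating a change as real only if it exceeds both the 2% noise floor reported for Stages 1 and 2 and the run-to-run spread of the baseline runs. The per-run values are constructed to reproduce the article's 8 ms baseline and 20% increase; the article itself gives only the averages and percentages.

```python
"""Decide whether a benchmark change is signal or run-to-run noise.

Added illustration, not part of the article and not SiSoftware code.
The 2% noise floor comes from the article ("no test varied by more than
2%"); the run values below are constructed to match its reported 8 ms
baseline and 20% increase on Grease.
"""
from statistics import mean, stdev

NOISE_FLOOR_PCT = 2.0  # the article's observed pre/post variation in Stages 1-2


def percent_change(before: float, after: float) -> float:
    """Signed percent change from `before` to `after`."""
    return (after - before) / before * 100.0


def assess(pre_runs, post_runs, noise_floor_pct=NOISE_FLOOR_PCT, k=2.0):
    """Compare replicate runs of one benchmark before and after infection.

    Returns (delta_pct, significant). `significant` is True only when the
    mean moved by more than the noise floor AND by more than k sample
    standard deviations of the baseline runs, so a 20% jump on a benchmark
    that already wobbles 13% run-to-run is not reported as an infection effect.
    """
    if len(pre_runs) < 2 or len(post_runs) < 2:
        raise ValueError("need at least two runs per side to estimate noise")
    pre_mean, post_mean = mean(pre_runs), mean(post_runs)
    delta = percent_change(pre_mean, post_mean)
    spread_pct = stdev(pre_runs) / pre_mean * 100.0
    significant = abs(delta) > noise_floor_pct and abs(delta) > k * spread_pct
    return round(delta, 2), significant


# Constructed seven-run series (milliseconds for disk access, arbitrary
# units for the others); the article reports only averages and percentages.
GREASE_DISK_PRE = [7.9, 8.0, 8.1, 8.0, 7.9, 8.1, 8.0]   # mean 8.0 ms, tight
GREASE_DISK_POST = [9.5, 9.7, 9.6, 9.6, 9.5, 9.7, 9.6]  # mean 9.6 ms: +20%
CPU_PRE = [100, 102, 98, 101, 99, 100, 100]             # mean 100
CPU_POST = [101, 103, 99, 102, 100, 101, 101]           # mean 101: +1%, noise
WOBBLY_PRE = [8, 12, 9, 11, 10, 10, 10]                 # mean 10, ~13% spread
WOBBLY_POST = [11, 13, 11, 12, 12, 12, 13]              # mean 12: +20%, but noisy


if __name__ == "__main__":
    for label, pre, post in [
        ("Grease disk access", GREASE_DISK_PRE, GREASE_DISK_POST),
        ("CPU (stable)", CPU_PRE, CPU_POST),
        ("Noisy benchmark", WOBBLY_PRE, WOBBLY_POST),
    ]:
        delta, sig = assess(pre, post)
        print(f"{label:20s} {delta:+6.2f}%  {'REAL' if sig else 'noise'}")
```

The third series is the case the article calls "conflicting results": a 20% shift on a benchmark whose baseline runs already spread by about 13% is not distinguishable from noise, which is why seven replicate runs, rather than one before-and-after pair, are needed before attributing a slowdown to spyware.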

After the four-day infection, examination, and repair processes, and assuming that the benchmark metrics are reliable, several observations are appropriate:

  • Spyware comes in potent bundles—only a few site visits resulted in more than 100 infections identified by Doc.
  • Spyware products exhibit differences in how infections are identified and in how they are eliminated—more than one product is required to clean your computer, and an Internet search reveals that plenty of free or inexpensive packages are available.
  • PC slowdown from spyware may not be immediate. Spyware slows a machine over time and with repeated activity, so the longer it is present, the worse performance is likely to become. For instance, a colleague's PC was found to be very slow on the Web and she was inundated with pop-up advertisements; over 700 instances of spyware were then found on her computer.
  • Use of the services provided by a piece of software may generate additional spyware, but use is not a prerequisite for spyware. A visit to a single Web site may generate multiple spyware infections.
  • There is hope for the future!


Tables

Table 1. Selected Sandra 2005 benchmarks.

Table 2. Summary benchmark comparisons: hard disk access.
