Adware - PowerPoint PPT Presentation

1
Adware & Spyware
  • Free Detection/Cleaning Tips and Techniques

François Paget, McAfee AVERT Senior Virus Research Engineer
November 2005
2
Adware & Spyware
Summary
  • Who are they and what are they
  • Preliminary definitions
  • Some dangers
  • Installation
  • Tools used for tracking them
  • Finding intruders
  • Cleaning intruders

3
Adware & Spyware
Etymology
Acronyms which cover 2 particular types of commercial software:
  • Spyware = Spy Ware = Spying Software
  • Adware = Ads Ware = Advertising Software

These 2 categories are sometimes linked with other groups of tools of various origins (malevolent or not).
4
PUPs & Malware
PUP: Potentially Unwanted Program
Malware: Malevolent Program
  • Adware/Spyware
  • BHO Browser Helper Object
  • Browser Hijacker
  • Dialer
  • Joke
  • Virus, Worms
  • Logic bombs
  • Trojan / Backdoors
  • Bots
  • Remote Administration Tools
  • Data Hijacking Tools
  • Resource Hijacking Tools
  • Network Attack Tools

Unwanted commercial programs, hijacked use, lack of consent
5
Adware
The adware is a profiler
  • Program of a commercial origin,
  • Does not replicate itself. Binary file (EXE or
    DLL).
  • Installs itself after initial agreement,
  • Watches browsing habits,
  • Carries out targeted advertising. Makes offers
    matching a particular profile,
  • Does not collect any personal data intentionally.

6
Spyware
The spyware is a spy
  • Program of a commercial origin,
  • Does not replicate itself. Binary file (EXE or DLL).
  • Sometimes installs itself without initial agreement,
  • Collects and transfers a lot of personal data intentionally.
  • COMMERCE: can be used as a springboard for other commercial activities (marketing approach by email, post or phone).
  • INFORMATION: provided for commendable purposes but diverted from its original intent.

7
Adware
Main introduction vectors
  • Free or demo software
    • Downloading utilities,
    • Browsing assistance,
    • Resource sharing software (peer to peer),
    • Screensavers,
    • Games,
  • Hazardous sites
    • Pornography,
    • Games,
    • Underground world,
  • Electronic mail
    • Spam,
    • Discussion forums,
  • Online registration procedures
    • Software licenses,
    • Access to private browsing zones,
  • Virus and Trojan

8
Example
Before
  • A clean system is used for this test. It is a minimal VMware Windows 2000 temporary disk with:
    • 1 icon on the desktop,
    • 6 applications listed in the Add/Remove Programs facility,
    • 30 processes in memory according to the Task Manager.

9
Example
During
A sniffer program recorded connections to more than 100 distinct sites.
10
Example
After
  • 8 new icons,
  • 16 new applications,
  • 10 new processes,
  • 2 BHOs,
  • 2 new favorites,
  • 1177 keys added in the system registry,
  • 1579 values added or changed in the system registry,
  • 96 new directories in the folder tree and 649 new files.

11
Tools used in this tutorial
  • InCtrl5 (http://www.pcmag.com/article2/0,4149,25126,00.asp)
  • LspFix (http://www.cexx.org/lspfix.htm)
  • ProcExp (http://www.sysinternals.com/Utilities/ProcessExplorer.html)
  • RegMon (http://www.sysinternals.com/ntw2k/source/regmon.shtml)
  • StartupRun (http://www.nirsoft.net/utils/strun.html)
  • Sporder.exe (from Microsoft)

12
Finding intruders
Applications loaded when Windows boots are visible with StartupRun
13
Finding intruders
Applications loaded when Windows boots are visible in the registry: the Run and RunOnce keys
14
Finding intruders
With InCtrl5 we can compare the registry between two distinct moments
15
Finding intruders
Keep an eye on the ShellServiceObjectDelayLoad registry key
  • This location contains only 3 entries in many standard configurations:
    • Network.ConnectionTray
    • Systray
    • WebCheck

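The three checks on slides 13 to 15 (Run/RunOnce keys, the InCtrl5 before/after comparison, and the ShellServiceObjectDelayLoad allowlist) worked on two constructed Regedit exports. This is an added example, not code from the presentation or from InCtrl5; the function names, the export text and the placeholder GUIDs are my own.

```python
from typing import Dict, List, Tuple
RegSnapshot = Dict[str, Dict[str, str]]  # key path -> {value name: data}
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
EXPECTED_SSODL = {"network.connectiontray", "systray", "webcheck"}  # the 3 entries of a standard configuration

# Constructed Regedit exports standing in for InCtrl5's "before" and "after" snapshots (GUIDs are placeholders).
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{11111111-1111-1111-1111-111111111111}"
"SysTray"="{22222222-2222-2222-2222-222222222222}"
"WebCheck"="{33333333-3333-3333-3333-333333333333}"
"""
AFTER = BEFORE + r"""
"AdHelper"="{44444444-4444-4444-4444-444444444444}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdBar"="C:\\Program Files\\AdBar\\adbar.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\TEMP\\inst.exe"
"""

def parse_reg(text: str) -> RegSnapshot:
    """Parse a Regedit export into {key: {value name: data}}; string (REG_SZ) values only."""
    snap: RegSnapshot = {}
    key = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snap.setdefault(key, {})
        elif key and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")
            snap[key][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return snap

def added_or_changed(before: RegSnapshot, after: RegSnapshot) -> List[Tuple[str, str, str]]:
    """InCtrl5-style comparison: every (key, value name, data) that is new or modified since 'before'."""
    return sorted((k, n, d) for k, vals in after.items()
                  for n, d in vals.items() if before.get(k, {}).get(n) != d)

def unexpected_ssodl(snap: RegSnapshot) -> Dict[str, str]:
    """ShellServiceObjectDelayLoad entries beyond the three a standard configuration has."""
    return {n: d for n, d in snap.get(CV + r"\ShellServiceObjectDelayLoad", {}).items()
            if n.lower() not in EXPECTED_SSODL}
```

Running added_or_changed on the two exports lists the new AdBar Run value, the new RunOnce key and the extra ShellServiceObjectDelayLoad entry, which is exactly what the slides tell you to look for.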
16
Finding intruders
Look at the Internet Explorer Start/Search registry keys
17
Finding intruders
Look at the Internet Explorer Toolbar registry key for suspicious CLSIDs
Look at the HKCR\CLSID branch for the mapping information
18
Finding intruders
Look at the Advanced tab of the Internet Explorer options
Also visible in the registry at HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions
19
Finding intruders
Look at extra items in the Internet Explorer Tools menu
20
Finding intruders
Search for possible StyleSheet hijacking in Internet Explorer
21
Finding intruders
Search for a possible DLL injection
22
Finding intruders
Search for trusted sites
23
Finding intruders
Search for Internet Protocol Hijack
24
Finding intruders
Keep an eye on your Favorites
25
Finding intruders
Confirm the suspicion
http://www.sysinfo.org/bholist.php?typetextsubtypebho
http://castlecops.com/CLSID.html
26
Cleaning Adware
Cleaning the registry and removing the files requires booting in Safe Mode!
MAIN CLSID ENTRIES
  • HKEY_CLASSES_ROOT
  • HKEY_LOCAL_MACHINE\Software\Classes
  • HKEY_CURRENT_USER\Software\Classes
LINKED CLSID ENTRIES
  • HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (CLSID value)
  • HKEY_CLASSES_ROOT\PROTOCOLS\Filter (plugin entries)
OTHER ENTRIES (Run, RunOnce, ShellServiceObjectDelayLoad, IE Start/Search, etc.)
  • Restoring the default values
  • Deleting the other upsetting values
FILES AND DIRECTORIES
  • DLL and EXE files launched by the above keys
  • Whole directories when there is no doubt
27
Cleaning Adware
In order to delete the files and deal with the "file in use" problem...
CLEAN / INFECTED
28
Cleaning Adware
In order to delete the files and deal with the "file in use" problem, we need to get rid of the processes they created, which is done by booting in Safe Mode.
SAFE MODE
29
Cleaning Adware
Example step_1) Suspicious EXE and DLL files must be identified.
30
Cleaning Adware
Example step_2) CLSID values linked to them must be searched for (and deleted) in the registry (HKCR\CLSID)
4 CLSIDs (in this example) must be deleted
31
Cleaning Adware
Example step_3) Duplicated CLSID values linked to the previous ones must be searched for (and deleted) in the registry,
step_4) Related files must be deleted.
One key must be deleted (in this example)
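The four cleaning steps above (and the Toolbar/HKCR\CLSID mapping of slide 17) worked on a constructed registry snapshot. This is an added example, not code from the presentation: the snapshot dict, the placeholder CLSIDs, the file names and the function names are all my own; on a real case the snapshot would come from an export of the keys listed on slide 26.

```python
import re
from typing import Dict, List, Set, Tuple

RegSnapshot = Dict[str, Dict[str, str]]  # key path -> {value name: data}
GUID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
SERVER_KEYS = ("\\INPROCSERVER32", "\\LOCALSERVER32")  # where a CLSID names its DLL/EXE
BAD = "{AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA}"   # placeholder CLSID of the constructed adware
GOOD = "{BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB}"  # placeholder CLSID of a legitimate component

# Constructed snapshot of the relevant keys only (not taken from a real machine).
REG: RegSnapshot = {
    rf"HKEY_CLASSES_ROOT\CLSID\{BAD}\InProcServer32": {"@": r"C:\WINNT\System32\adhelper.dll"},
    rf"HKEY_CLASSES_ROOT\CLSID\{GOOD}\InProcServer32": {"@": r"C:\WINNT\System32\legit.dll"},
    rf"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BAD}\InProcServer32": {"@": r"C:\WINNT\System32\adhelper.dll"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar": {BAD: ""},
    rf"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD}": {},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad": {"WebCheck": GOOD},
}

def clsids_for_files(snap: RegSnapshot, files: List[str]) -> Set[str]:
    """Step 2: CLSIDs whose InProcServer32/LocalServer32 default value points at a suspicious EXE/DLL."""
    wanted = {f.lower() for f in files}
    found: Set[str] = set()
    for key, vals in snap.items():
        m = GUID.search(key)
        if m and key.upper().endswith(SERVER_KEYS):
            if vals.get("@", "").rsplit("\\", 1)[-1].lower() in wanted:
                found.add(m.group(0).upper())
    return found

def linked_entries(snap: RegSnapshot, clsids: Set[str]) -> List[Tuple[str, str]]:
    """Step 3: other keys (Toolbar, BHO, SSODL, Software\\Classes duplicates) carrying one of the CLSIDs."""
    hits: List[Tuple[str, str]] = []
    for key, vals in snap.items():
        if key.upper().startswith("HKEY_CLASSES_ROOT\\CLSID\\"):
            continue  # the primary definitions were already collected in step 2
        if {g.upper() for g in GUID.findall(key)} & clsids:
            hits.append((key, ""))  # "" = the CLSID sits in the key path itself
        hits += [(key, n) for n, d in vals.items() if {g.upper() for g in GUID.findall(n + " " + d)} & clsids]
    return sorted(hits)

def server_files(snap: RegSnapshot, clsids: Set[str]) -> List[str]:
    """Step 4: the EXE/DLL files behind those CLSIDs, to delete once the keys are gone (from Safe Mode)."""
    paths = set()
    for key, vals in snap.items():
        m = GUID.search(key)
        if m and m.group(0).upper() in clsids and key.upper().endswith(SERVER_KEYS):
            paths.add(vals.get("@", ""))
    return sorted(paths)
```

Starting from the one suspicious file of step 1 (adhelper.dll), the three functions return the CLSID to remove under HKCR\CLSID, the Toolbar value, BHO key and Software\Classes duplicate that reference it, and the file to delete last.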
32
Cleaning Adware
LSP cleaning, when the adware installation uses the Winsock 2 Layered Service Provider (LSP) and Network Service Provider (NSP) implementation to redirect visits to specific sites
CLEAN / INFECTED
Sporder can be used as a diagnostic tool
33
Cleaning Adware
LSP cleaning, when the adware installation uses the Winsock 2 Layered Service Provider (LSP) and Network Service Provider (NSP) implementation to redirect visits to specific sites
LspFix can be used as a cleaning tool (its "I know what I am doing" checkbox must be ticked)
34
Adware & Spyware
Conclusion
  • It was very easy to clean most of the viruses and Trojans we encountered some years ago. But now some of the new Trojans are more complicated, and adware and spyware are incredibly complex.
  • The next battle will be fought over cleaning.