Nightmare on Web Street

New Spyware Uses Virus Tricks to Make Removal Difficult



August 18, 2004
By Paul Eng

Online security experts say there is a new type of sneaky software floating around in cyberspace. And like its namesake, Freddy Krueger of the Nightmare on Elm Street horror movie franchise, it's an online threat that just won't die.

The new scourge of the online world is a particularly nasty form of spyware — programs that are secretly downloaded when a Web surfer visits a particular site. Once installed on the unsuspecting user's computer, the program will gather information on users as they surf the Net.

Like other spyware programs, kruegerware can annoy Web users by replacing the starting page of their Web browser with an unfamiliar site and bombarding them with pop-up ads — usually for pornographic material.

But unlike common spyware, say experts, kruegerware contains extremely complex coding that allows the programs to avoid detection by defensive "anti-spyware" programs. And much like conventional computer viruses, some particularly robust strains of kruegerware even contain routines that will automatically reinstall the malicious programming if it has been removed from an infected PC.

The resurrection instructions are buried deep within the code for Microsoft Windows, making removal extremely difficult for even technically savvy users. And once kruegerware reinstalls itself on a "cleaned" machine, the nightmare continues.

Birth of the Blended Threat

The virus-like nature of kruegerware isn't surprising to software companies that have been following the online danger. For years, experts have warned of the possibility of such "blended threats." And now, the threat is here because of one simple fact: money.

"The lines between security threats and privacy threats are starting to blur because virus writers have figured out they can make a living off of [spyware]," says Christine Stevenson, vice president of Webroot Software Inc., an anti-spyware maker in Boulder, Colorado. "There is big money to be made in adware."

Like traditional Web operators, kruegerware makers can generate revenues by referring Web surfers to other sites or showing online ads. By locking in infected computers to a particular Web site or flooding them with porn ads, kruegerware authors can net hundreds of thousands of dollars.

And the lure of such easy money is leading to an increased number of reported kruegerware flare-ups.

According to SpywareInfo.com, a Web site run by a Dutch anti-spyware tracker named Merijn Bellekom, a particularly offensive case of kruegerware is tied to Cool Web Search, an alternative Web search engine reportedly based in Russia. By some accounts there are already more than 30 different versions of kruegerware that will force users to the Cool Web Search site. And each version has its own unique coding that will resurrect the program if it is detected and removed by the user.

On its Web site, Cool Web Search denies any involvement with such pieces of kruegerware and condemns their use. The company suggests such programs may be the work of "some webmasters, who are sending visitor traffic to us" and asks kruegerware victims to report their suspicions so the company can try to identify the culprits.

Taking the Offensive

But the technical trickery of kruegerware has anti-spyware makers scrambling to develop more robust tools. Like many anti-virus software makers, companies such as Webroot are relying on a more active approach. Instead of looking for the exact coding that identifies each unique piece of offensive kruegerware, an effective anti-spyware program will look for patterns of activity — a sudden and automatic change of a Web browser's home page or list of favorite Web sites, for example.

And while security software companies race to find the right antidote, experts hope focusing more attention on the subject will help bring about more aggressive action — including better anti-spyware laws.

Several states, such as Utah, have already passed legislation banning spyware or programs that secretly monitor a computer user's activities. And in June, several U.S. congressional committees proposed various similar anti-spyware bills that would include prison sentences for spyware users. None of the bills, however, has made it beyond the various judiciary and commerce committees.

Safer Surfing: Avoid the Nightmare

To protect yourself from becoming a victim of kruegerware, follow these simple steps:


http://abcnews.go.com/sections/SciTech/US/nightmare_spyware_040818-1.html