startupware.com

Reversing the Model for Spyware Removal

Self-Imposed Doorstops

Filed under: Field Reports — January 6, 2006 @ 12:36 pm

Another day, another cleanup. This morning’s cleanup was described by a new customer like this: “It’s broken. We can’t run our customer database program. The night staff keeps surfing the internet, and loading spyware, so that’s probably it.”

What I found was a computer that, on first look, had shortcuts to software on a drive “y:\” but had no mapped drives, and that was a member of a network named “MSHOME”, which is the default name for new peer-to-peer networks under the Windows XP “run me and I’ll change all your settings back to defaults” network wizard. There was no apparent connection to the network. “System Idle Process” was at 96 to 98%. There was clearly some spyware there, and a peer-to-peer music program, but they didn’t appear to be taking many cycles in Task Manager.

OK, next, ran HijackThis–the log is three pages long; it should be half a page. The customer created their own doorstop. There were four anti-spyware programs running–all trial versions, and an anti-virus program which included anti-spyware features. The anti-virus software was the product installed by Dell at the factory, and long past the 90-day trial. Overall, the anti-spyware had stopped the spyware from running, and from connecting to the network, in much the same way that a very large boulder, when strategically placed on the roof of a car, will act as a parking brake.

After over an hour, I’d chiseled and uninstalled and ripped out junk in Safe Mode until the task list was down to the absolute basics. Replaced the antivirus software, added parental control software to restrict internet access by password, did a scan, and the new McAfee antivirus (freeware, if you’re a Comcast customer) reported that it had found two pups. Right–it no longer searches for malware, but for pups. That’s “Potentially Unwanted Programs.” Mustn’t insult the spyware by putting a negative label on it–this is more software written by lawyers.

At some point, consumers are going to have to learn about autoplays and startupware. When they do, if you are a software author whose products autostart without a very good reason, it’s not going to stay installed past a very short trial. And if it does, I’ll personally rip it out as non-essential during the next spyware/virus/generic doorstop service call, because over and over, I’ve seen this pattern of multiple tools to do the same task all running as startupware and adding to the problem. And I’m not alone; every field tech I’ve spoken to does the same. Software must run only when asked to, it should self-repair if needed, and maybe, just maybe, customers won’t blame it when they’ve turned their computers into doorstops.

WMF Exploits

Filed under: Field Reports — January 3, 2006 @ 11:37 am

The newest security issue for Windows is the WMF hole. First, a little history. WMF is the acronym for a Windows Meta File. That’s an old graphics format, vector style. Vector art is drawn by the computer, based on code in the file. (The other kind of graphics is a bitmap, like JPG.) Of course, vector art includes computer instructions, so of course code can hide in there.

However, in this case, it’s not the infamous buffer overrun. Not to get too technical, that’s what happens when you put 52 clowns in a clown car–the extra clowns get squeeeezzzzed out somewhere else, and go into some other part of Windows, where they run commands that aren’t so artistic.

So the WMF flaw isn’t an overrun. Turns out, it’s something much more basic. The WMF format has a feature that allows a program to be run if the drawing process hits an error. Errors are easy. Now to be fair to Microsoft, WMF files date back to the eighties. They, like lots of other throwbacks to DOS, have been carried along for years as a tribute to compatibility with older versions of, well, just about everything.

There is a lot of bad reporting going on for this topic–the reliable source is the US Computer Emergency Readiness Team:
www.us-cert.gov/current/current_activity.html#0dayWMF

First, the antivirus companies are on top of this, although they are using their usual spell-check/dictionary approach to such things; they’ll catch what they recognize as evil by spelling out a few key letters from the code of anything that Windows tries to run, copy, or save. Anything truly new won’t be caught until hours or days have passed, so an actual patch or workaround is preferable.
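The defensive counterpart to the “spell-check” approach is a structural check: instead of matching a few bytes from a sample that has already been seen, walk the file’s records and flag the escape that the flaw depends on, whatever bytes follow it. The Python below is an added example, not code from this post or from any antivirus vendor. The record identifiers (META_ESCAPE and the SETABORTPROC escape function) come from the WMF format documentation rather than from the post; the parser is mine, and both sample files are constructed inline, with nothing but placeholder zero bytes after the escape.

```python
import struct

# Identifiers from the WMF format documentation ([MS-WMF]); not named in the post.
META_EOF = 0x0000
META_ESCAPE = 0x0626           # record type that carries printer/driver escapes
SETABORTPROC = 0x0009          # the escape the 2005/2006 WMF flaw depends on
META_SETBKCOLOR = 0x0201       # harmless record used in the clean sample
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header in front of the WMF header


def wmf_records(data):
    """Walk a WMF byte string, yielding (function, parameter_bytes) per record.

    Raises ValueError for anything that is not a well-formed metafile, so a
    caller can treat "malformed" as its own result rather than as "clean".
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated header")
    mtype, header_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or header_words != 9:      # memory/disk metafile, 9-word header
        raise ValueError("not a WMF header")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2                          # record size is stored in 16-bit words
        if size < 6 or off + size > len(data):
            raise ValueError("bad record size at offset %d" % off)
        yield func, data[off + 6:off + size]
        off += size
        if func == META_EOF:
            return
    raise ValueError("no META_EOF record")


def has_setabortproc(data):
    """True if any escape record selects SETABORTPROC, regardless of its payload."""
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return True
    return False


def classify_wmf(data):
    """Three-way verdict: 'clean', 'setabortproc', or 'malformed'."""
    try:
        return "setabortproc" if has_setabortproc(data) else "clean"
    except ValueError:
        return "malformed"


# --- constructed samples (built here for the demonstration, not real files) ---
def _record(func, params=b""):
    body = struct.pack("<H", func) + params
    if len(body) % 2:
        body += b"\x00"                                # records are word-aligned
    return struct.pack("<I", (4 + len(body)) // 2) + body


def _wmf(records):
    records = list(records) + [_record(META_EOF)]
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) // 2 for r in records), 0)
    return header + body


CLEAN_WMF = _wmf([_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))])
# Escape record: escape function, byte count, then placeholder zero bytes.
SUSPECT_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_WMF), ("suspect", SUSPECT_WMF), ("junk", b"\x00" * 10)):
        print(name, "->", classify_wmf(sample))
```

The verdict is about structure, so a freshly repacked variant is caught the same day as the first sample. The trade-off is the one the post hints at for the regsvr32 workaround: a legitimate metafile that uses this escape for printing would be flagged too, which is acceptable for a mail gateway and less so for a print spooler.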

Here’s the manual method of disabling WMF files, according to Microsoft; note that it will disable fax viewing and thumbnail views of graphics. (To catalog your clipart, including WMF files, SAFELY, visit http://www.graphcat.com.)

To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Microsoft has announced a patch for the WMF exploit will be out during January, after testing and localization (translation). But there are hackers, crackers, and bot farmers out there now with active viruses, worms, and spyware either in the wild or on the way, so a patch would be nice sooner than that.

Ilfak Guilfanov of hexblog.com has created a third-party hotfix, vulnerability checker, and a silent hotfix installer.

Automatic Nothing at All…

Filed under: Definitions — October 10, 2005 @ 3:52 am

Today’s the day. It’s the second Tuesday of the month. That’s when Microsoft releases a month’s worth of patches, most months. Sometimes, they’ll skip a month. Now, many of the people reading this are thinking, “Why do I care? Automatic update is turned on.” Wrong. Nope. Gotcha–you’re now a target for the spyware of the month club.

The problem is two-fold. First, some spyware, and malware in general, disables the automatic update features of Windows. That keeps the early infectors from getting booted out of a computer when the patches arrive, because they won’t.

Second, Microsoft added a feature to Windows Update some months back that confirmed that the copy of Windows being updated was “genuine.” While I understand why–I’m a software publisher myself, after all–the Windows authentication program was designed to be politically correct, badly. It asks permission to check your Windows for authenticity, so the automatic update fails, and does so silently. To run it, you have to go to Windows Update (in the Tools menu of Internet Explorer), do an update run manually, and approve the installation and the running of the tool. Then go back to Windows Update and search for updates AGAIN, and you’ll probably find new patches that became available once Windows was validated as genuine.

So the moral of the story is to check Windows Update manually around once a month, after the second Tuesday, and see if the updates installed. More than half the machines I’ve checked manually in the last month needed manual patching, even though automatic updates were turned on.
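The monthly manual check above can be turned into a script. The Python that follows is an added example, not part of the post: a Patch Tuesday calculation, a pure assessment function that works on three values, and a Windows-only reader for those values. The registry locations and value names (AUOptions, the NoAutoUpdate policy value, and LastSuccessTime under Auto Update\Results\Install) are the ones I would read and are my assumption, not something the post names; verify them against your own build. The snapshot fed to the script is constructed.

```python
import datetime as dt

# Assumed registry locations for Automatic Updates state (HKEY_LOCAL_MACHINE).
AU_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
AU_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
LAST_INSTALL_KEY = AU_KEY + r"\Results\Install"

AUOPTIONS = {
    1: "automatic updates disabled",
    2: "notify before download",
    3: "download, notify before install",
    4: "download and install on schedule",
}


def second_tuesday(year, month):
    """Patch Tuesday for the given month."""
    first = dt.date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7        # weekday(): Monday=0, Tuesday=1
    return first + dt.timedelta(days=days_to_tuesday + 7)


def last_patch_tuesday(today):
    """Most recent Patch Tuesday on or before `today` (an ISO date string)."""
    today_d = dt.date.fromisoformat(today)
    pt = second_tuesday(today_d.year, today_d.month)
    if pt > today_d:
        end_of_prev = today_d.replace(day=1) - dt.timedelta(days=1)
        pt = second_tuesday(end_of_prev.year, end_of_prev.month)
    return pt


def assess_updates(au_options, no_auto_update, last_success_time, today, grace_days=7):
    """Return a list of findings; an empty list means nothing looked wrong.

    last_success_time is the registry string 'YYYY-MM-DD HH:MM:SS' (or None);
    today is an ISO date string. A machine is only flagged as stale once
    grace_days have passed since Patch Tuesday, so a slow rollout is not noise.
    """
    findings = []
    if no_auto_update == 1:
        findings.append("policy NoAutoUpdate=1: Automatic Updates switched off")
    if au_options not in AUOPTIONS:
        findings.append("AUOptions missing or unrecognised: %r" % (au_options,))
    elif au_options == 1:
        findings.append("AUOptions=1: Automatic Updates disabled")
    elif au_options != 4:
        findings.append("AUOptions=%d (%s): installs wait for a user" % (au_options, AUOPTIONS[au_options]))
    today_d = dt.date.fromisoformat(today)
    pt = last_patch_tuesday(today)
    if last_success_time is None:
        findings.append("no successful install recorded")
    else:
        last = dt.datetime.strptime(last_success_time, "%Y-%m-%d %H:%M:%S").date()
        if today_d >= pt + dt.timedelta(days=grace_days) and last < pt:
            findings.append("last successful install %s predates Patch Tuesday %s" % (last, pt))
    return findings


def read_registry_snapshot():
    """Windows only: read the three values from the live registry."""
    import winreg  # only exists on Windows; the functions above need no registry

    def value(key, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None

    return (value(AU_KEY, "AUOptions"),
            value(AU_POLICY_KEY, "NoAutoUpdate"),
            value(LAST_INSTALL_KEY, "LastSuccessTime"))


if __name__ == "__main__":
    # Constructed snapshot: a machine that looks configured but stopped installing.
    au_options, no_auto_update, last_success = 4, None, "2005-09-14 03:00:00"
    for line in assess_updates(au_options, no_auto_update, last_success, "2005-10-25") or ["no findings"]:
        print(line)
```

On a real machine, `read_registry_snapshot()` feeds `assess_updates()` with today’s date; the silent Genuine Advantage failure the post describes shows up as a stale LastSuccessTime even though AUOptions still reads 4, which is exactly the case a configuration-only check misses.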

While you’re checking software, check that antivirus programs and everything else are updating as designed. Don’t be a target–software, like people, does what you inspect, not what you expect.

Scoring Startupware

Filed under: Definitions — October 1, 2005 @ 12:07 pm

It should be possible to rate individual products as startupware. Not just good or evil–that’s not it. What’s needed is a measure of how invasive they are, and how hard to remove.

Remember that this stuff isn’t all spyware; it includes antivirus software and overly-ambitious print drivers, and it’s not all evil, although most of it is bad, and all of it needs managing.

What’s that? Antivirus is never bad? Wrong. If in doubt, install two of them on a clean system, and try to do some work. Be sure to refresh your memory on safe-mode cleanups first, as most combos of this type will turn a computer into a vibrating doorstop. Like all startupware, it’s a management task.

To help consumers decide what products may be allowed on their systems, a scoring method is helpful. Scores skip technobabble–that’s good. They also can cause a blanket reaction of “take out all of it, don’t bother me.” That’s usually OK, but I don’t want the phone call when that breaks the antivirus software.

The basis for using startupware as a management tool for software products and their accumulations of autoplays is that no judgement calls are allowed. Again, here is the definition:

stärt’-up-wãre, noun, any software that configures portions of itself to automatically start with the operating system of a computer, or to start with other previously-installed software.

Now, there are different ways to autostart, and it helps to know if a product cleans up its own mess on removal, so let’s find a way to score a program for startupware.

First, we need to keep track of how many programs are set to run on system startup, and if all of them are removed on uninstallation. If one program is installed, but results in two add/remove program entries, that’s backpackware, which is common in adware and spyware products, as well as simpler trojan horse programs.

Here’s a preliminary formula for Startupware scoring (version 0.1).

Orphaned programs: 1000 x number of programs installed to autorun but not uninstalled by removing the product that was chosen to be installed. Note that one install program that results in two or more product installations will always result in a high score for deceptive behavior. Exception: One install that offers to run an additional OPTIONAL install program is counted as more than one install program, so that, for example, a camera driver install that offers to install a graphics program is counted and scored as two installations.

Orphaned settings and silent programs: 100 x number of settings changes made, but not uninstalled, and number of programs that run when product isn’t doing work for the user, such as displaying information or being on standby to do or prevent something.

Autorun count: 10 x number of programs installed to autorun.

Settings count: 1 x number of settings changes made.

Reporting format: the score, a comma, then “version” and the program’s version number, or “tested” and the 6-digit date downloaded (yymmdd) if no version number is used.

So for some program categories, it’s impossible to have a score of 0, which would be totally non-invasive and non-autoplaying; a screensaver would have a score of 11, minimum, and so would most system tray utilities, because it takes both a program and a setting change to have an autoplaying program. And some actions aren’t counted. There is no count of icons added to the desktop, the quicklaunch area, or to the menus. There is no count of file extensions modified to point to the new program.

Example 1: a toolbar program, with no version number, with one program running in the background while the toolbar was not on screen (100 points). It made 12 changes to system settings, and failed to uninstall 1 of them (12 + 100 points). Total 212 points.
Score: 212, tested 050825.

Example 2: a utility program, installs two programs that don’t autoplay and don’t run in the background, changes no settings, leaves no settings or programs behind, version number 2.1.
Score: 0, version 2.1.

Example 3: an application program, version 12.0. Installs 17 programs, 3 autoplaying. Uninstalls all of them. Makes 32 settings changes, removes 12 of them. (Typical big-product sloppiness, in short.) That’s 30 points for autoplays, 32 for settings, 2000 for orphaned settings, and no orphaned programs.
Score: 2062, version 12.0.

Note that spyware won’t always get the highest scores. Startupware is about invasive software that drags down system performance, and not about subtlety or theft.

Example 4: a screensaver, no version number, downloaded Sept 10, 2005. Installs one autoplay program, clean uninstall, one setting change that runs the screensaver.
Score: 11, tested 050910.

Example 5: printer driver, version 18.544. Installed 3 autoplays, left one behind on uninstall, 71 settings changes, 26 left behind. That’s 1000 + 2600 + 30 + 71.
Score: 3701, version 18.544.

Example 6: anti-spyware program, bundled with toolbar with no option to install only one, installed with one program but resulting in two entries in add/remove list. That’s backpack startupware, and if no permission was asked first, it’s stealth startupware. Determining Stealth or Backpack isn’t needed–it depends on disclosures and agreements, and doesn’t affect product behavior, and so doesn’t affect scoring. There are 3 autoplays, and the uninstall that matches the downloaded product removes one of them. Settings changes: 15, 10 left behind. That’s 2000 points for orphaned programs, 1000 points for orphaned settings, 30 points for autoplays, and 15 points for settings.
Score: 3045, tested 050901.

Essentially, what we’re trying to achieve is a high score for programs that fail to uninstall themselves completely, or that massively invade the system. In other words, don’t install a program with a score above 50.
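The version 0.1 formula and the six worked examples, as an added Python example that is not code from this site: each audit is recorded as counts, the score and the “version”/“tested” label are computed from them, and the 50-point threshold decides whether the product is acceptable. The counts below are my reading of the six examples; Example 1 is entered with an autorun count of zero, which is the only way to reach the author’s 212. The consistency check (orphans can never exceed what was installed) is my addition.

```python
from dataclasses import dataclass
from typing import Optional

# Weights from the version 0.1 formula.
W_ORPHANED_PROGRAM = 1000
W_ORPHANED_SETTING = 100
W_SILENT_PROGRAM = 100
W_AUTORUN = 10
W_SETTING = 1
MAX_ACCEPTABLE = 50          # "don't install a program with a score above 50"


@dataclass
class Audit:
    name: str
    autoruns: int              # programs installed to start with the OS
    orphaned_programs: int     # autorun programs still present after uninstall
    silent_programs: int       # programs running while doing no work for the user
    settings: int              # settings changes made at install
    orphaned_settings: int     # settings changes still present after uninstall
    version: Optional[str] = None   # product version number, if it has one
    tested: Optional[str] = None    # yymmdd download date, used when there is no version

    def __post_init__(self):
        # Added consistency check: nothing can be left behind that was never put there.
        if self.orphaned_programs > self.autoruns or self.orphaned_settings > self.settings:
            raise ValueError("%s: orphan count exceeds install count" % self.name)
        if min(self.autoruns, self.orphaned_programs, self.silent_programs,
               self.settings, self.orphaned_settings) < 0:
            raise ValueError("%s: negative count" % self.name)

    def score(self):
        return (W_ORPHANED_PROGRAM * self.orphaned_programs
                + W_ORPHANED_SETTING * self.orphaned_settings
                + W_SILENT_PROGRAM * self.silent_programs
                + W_AUTORUN * self.autoruns
                + W_SETTING * self.settings)

    def label(self):
        """The reporting format: score, then version or tested date."""
        tag = "version %s" % self.version if self.version else "tested %s" % self.tested
        return "Score: %d, %s." % (self.score(), tag)

    def acceptable(self):
        return self.score() <= MAX_ACCEPTABLE


# The six examples from the post, as counts.
EXAMPLES = [
    Audit("toolbar", autoruns=0, orphaned_programs=0, silent_programs=1,
          settings=12, orphaned_settings=1, tested="050825"),
    Audit("utility", autoruns=0, orphaned_programs=0, silent_programs=0,
          settings=0, orphaned_settings=0, version="2.1"),
    Audit("application", autoruns=3, orphaned_programs=0, silent_programs=0,
          settings=32, orphaned_settings=20, version="12.0"),
    Audit("screensaver", autoruns=1, orphaned_programs=0, silent_programs=0,
          settings=1, orphaned_settings=0, tested="050910"),
    Audit("printer driver", autoruns=3, orphaned_programs=1, silent_programs=0,
          settings=71, orphaned_settings=26, version="18.544"),
    Audit("anti-spyware + toolbar", autoruns=3, orphaned_programs=2, silent_programs=0,
          settings=15, orphaned_settings=10, tested="050901"),
]

if __name__ == "__main__":
    for audit in EXAMPLES:
        verdict = "ok" if audit.acceptable() else "do not install"
        print("%-24s %-28s %s" % (audit.name, audit.label(), verdict))
```

Running it reproduces the six published scores; only the utility and the screensaver clear the 50-point bar, which matches the post’s point that a clean uninstall counts for far more than the autorun count itself.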

Comments? Additions? Modifications?

Defined by Consent

Filed under: Definitions — September 16, 2005 @ 11:08 am

Adware is spyware with permission to snoop.

Spyware is adware without the license agreement.

OK, so defining two words as a variation of each other is circular reasoning, but it’s still vastly less convoluted than the definitions that the companies creating this stuff would have the government enact. Those definitions are a mess.

It would be better to have a functional definition that doesn’t imply good or evil. Keystroke monitoring programs are evil as password stealers, and good as monitors for keeping employees honest. Calling a keystroke monitor spyware implies that it is inherently bad–it might be. Most of the time. Not always.

For owners of computers, a functional definition would ignore permissions and conditions of use. A program autoloads, or it doesn’t. If it does, it’s a management issue. Put another way, one cup holder per passenger is a good thing. 426 cupholders is beyond inconvenient; it’s a crash on the way.