Programmer’s Challenge: Reversing the Spyware Model

There is such a thing as spyware, despite the news reports. No, really. I’ve been saying that since last year. But to review: spyware is software that sends personally-identifiable information back to its publisher. But the software publishers involved all claim to send NON-personally-identifiable information back, and to be adware publishers. Therefore, there is no such thing as spyware, and no spyware problem. And if you say there is, expect warning letters from the attorneys of those not-spyware products.

All this is part of the general security environment we have now. Windows, because of its evolution from DOS and Windows 3.1 through to 32-bit code, has had a long-standing tradition of no code left behind. All the old stuff runs, if it doesn’t involve graphics or peripherals. But the result is patch recalls on patches to patches. And the spyware issue is just a commercial method of doing what big business always does: it waits until a new industry gets big enough to be profitable, and then it finds a way to monetize it. Right, monetize was not a word until recently, but now that’s what we do to make money on information web sites–we add ads to them. So that’s what is happening now–spyware is the venture capital approach to making money from computer viruses and trojans, by using them to distribute and display advertising. Some of you have already seen my earlier post on the definition of startupware, but I’ll review the main definition here:

stàrt’-up-wàre, noun, any software that configures portions of itself to automatically start with the operating system of a computer, or to start with other previously-installed software. Startupware isn’t automatically good or evil, useful, or destructive. The definition is based on easily-verifiable action, mostly during installation, and never on the contents of license agreements, external documents, or off-site servers. It autoloads, or it doesn’t.

So startupware is a bigger category than spyware. It includes everything that autoplays. That means spyware, adware, viruses, trojans, toolbar accessories, system tray utilities, application software pre-loaders, application software phonehome-for-any-reason applets, and hardware drivers that substitute software for chips. Everything that autoplays that is not part of a default operating system configuration. Every program, process, or browser trigger. Everything in that category slows down our computers, most of it is installed by silent default, and most of it should be removed. I don’t need five autostart entries to run a color inkjet, thanks, anyway. No, I don’t want an autostart program to upload my photographs to the web. No, I don’t want a daily update check on checkbook software that’s five years and six versions out of date.

The problem is that even retail boxed software is getting into adware behavior in a big way, and if you buy a notebook computer, expect to spend hours unweaving a web of autoplaying software, all of which was installed without permission, where most does nothing for you–it just loads and tries to sell you wireless access subscriptions, or web photo service, or online this, and more of that. It’s a mess, and messes need management.

And of course, there is always the free antivirus software that doesn’t detect spyware, because the adware publisher has threatened legal action if the antivirus vendor dares to label it with such an evil label. The result is that on any one computer, we need to have antivirus software, antispyware software, popup blocker software, patches, more patches, and so on. And on. This model is too profitable for the publishers, and for me, too. I clean this stuff up, and charge by the hour. I and my clients would rather that I be paid for setting up new computers and new productivity tools, and not all this cleanup. But the tools are scattered.

OK, so what’s the programming challenge? Simple enough: create a startupware management and cleanup tool. Such a program would include these features:

    Record all currently-running programs and processes for comparison on next run, including full file paths, where applicable.
    Record user comments for all entries, such as “camera software–only needed for cable sync”
    Report all startupware currently set to run on the system.
    Report all startupware that’s new since the last run, with options to remove it, add it to a commented ‘OK’ list, or add it to an ‘unknown, pending identification’ list.
    Must be usable in safe mode.

Optional features:

    Scan for viruses, trojans, and other malware based on a list of known bad products.
    Block installation of startupware, with an option to add a new entry and comment to the ‘OK’ list.
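
The feature list above is a specification, so here is a working sketch of its core record-compare-comment loop, as an added example in Python and not a program the author wrote or reviewed. It assumes the autostart locations worth checking are the HKLM/HKCU Run and RunOnce keys plus the two Startup folders (only part of what the definition above covers: services, browser helper objects and scheduled tasks are left out), and the JSON baseline format and the ‘ok’/‘unknown’ status names are my own. The registry scan runs only on Windows; the sample entries at the bottom are constructed, not captured from a real machine.

```python
"""Startupware snapshot/diff tool (added example; assumed locations: Run/RunOnce keys, Startup folders)."""
import json
import os
import sys

try:
    import winreg  # Windows only; elsewhere only the Startup folders are checked
except ImportError:
    winreg = None

RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_KEYS = [("HKLM", RUN), ("HKLM", RUN + "Once"), ("HKCU", RUN), ("HKCU", RUN + "Once")]
STARTUP_FOLDERS = [os.path.join(os.environ.get(var, ""), r"Microsoft\Windows\Start Menu\Programs\Startup")
                   for var in ("APPDATA", "PROGRAMDATA")]

def enumerate_live_entries():
    """Return {location: command} for every autostart entry found on this machine."""
    entries = {}
    if winreg is not None:
        hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
        for hive, path in RUN_KEYS:
            try:
                with winreg.OpenKey(hives[hive], path) as key:
                    index = 0
                    while True:
                        try:
                            name, value, _ = winreg.EnumValue(key, index)
                        except OSError:  # no more values under this key
                            break
                        entries[f"{hive}\\{path}\\{name}"] = str(value)
                        index += 1
            except OSError:  # key absent or not readable
                continue
    for folder in STARTUP_FOLDERS:  # shortcuts or programs dropped in a Startup folder
        for fname in os.listdir(folder) if os.path.isdir(folder) else []:
            entries[os.path.join(folder, fname)] = os.path.join(folder, fname)
    return entries

def compare(snapshot, baseline):
    """Split a fresh snapshot into new, changed and removed entries versus the baseline."""
    new = {loc: cmd for loc, cmd in snapshot.items() if loc not in baseline}
    changed = {loc: cmd for loc, cmd in snapshot.items()
               if loc in baseline and baseline[loc]["command"] != cmd}
    removed = {loc: rec for loc, rec in baseline.items() if loc not in snapshot}
    return new, changed, removed

def report(baseline, snapshot):
    """Build the per-run report as a list of lines: a count, then NEW / CHANGED / REMOVED."""
    new, changed, removed = compare(snapshot, baseline)
    lines = [f"{len(snapshot)} startupware entries found, {len(new)} new since last run"]
    for loc, cmd in sorted(new.items()):
        lines.append(f"NEW      {loc} -> {cmd}")
    for loc, cmd in sorted(changed.items()):
        lines.append(f"CHANGED  {loc} -> {cmd} (was {baseline[loc]['command']})")
    for loc, rec in sorted(removed.items()):
        lines.append(f"REMOVED  {loc} (was {rec['command']})")
    return lines

def update_baseline(baseline, snapshot, decisions):
    """Fold the snapshot into the baseline; decisions maps a location to ("ok", comment)
    or ("unknown", comment). Undecided new/changed entries are parked as 'unknown'
    (a changed entry keeps its old comment); entries that vanished are dropped."""
    updated = {}
    for loc, cmd in snapshot.items():
        prev = baseline.get(loc)
        if prev is not None and prev["command"] == cmd and loc not in decisions:
            updated[loc] = prev  # unchanged: keep status and comment as recorded
            continue
        status, comment = decisions.get(loc, ("unknown", prev["comment"] if prev else ""))
        updated[loc] = {"command": cmd, "status": status, "comment": comment}
    return updated

def load_baseline(path):
    if not os.path.exists(path):  # first run: nothing recorded yet
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def save_baseline(path, baseline):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2)

# Constructed sample data standing in for two runs on one machine (not real captures).
SAMPLE_BASELINE = {
    f"HKLM\\{RUN}\\ctfmon": {"command": r"C:\WINDOWS\system32\ctfmon.exe",
                              "status": "ok", "comment": "language bar, part of the OS"},
    f"HKCU\\{RUN}\\CameraSync": {"command": r"C:\Program Files\Camera\sync.exe /tray",
                                  "status": "ok", "comment": "camera software, only needed for cable sync"},
}
SAMPLE_SNAPSHOT = {
    f"HKLM\\{RUN}\\ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    f"HKCU\\{RUN}\\CameraSync": r"C:\Program Files\Camera\v2\sync.exe /tray",  # path changed
    f"HKLM\\{RUN}\\WeatherBar": r"C:\Program Files\WeatherBar\wb.exe -autostart",  # new entry
}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "startupware-baseline.json"
    base = load_baseline(path)
    snap = enumerate_live_entries()
    print("\n".join(report(base, snap)))
    # No prompting: new entries stay 'unknown' until status and comment are edited in the JSON.
    save_baseline(path, update_baseline(base, snap, {}))
```

Run it once to record the baseline, then again after a suspect install: each addition shows up as NEW and sits on the ‘unknown’ list until a comment and status are written into the JSON file, which is the commented ‘OK’ list the challenge asks for. It reads but never deletes anything and needs no network or services, so it behaves the same in Safe Mode.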

Now, chunks of these programs exist. There are startup managers–that’s the closest category. But the programs currently out there can’t be used by anyone with less training than a system tech. You have to already know what every program is before you can do much of anything. Surprisingly, the closest program I’ve seen to a startupware manager is Microsoft’s MSconfig.exe. It doesn’t uninstall startupware, but it lists settings, and can temporarily block programs. It keeps no record of previous settings and has no commenting features.

A startupware manager is not antistartupware. Remember, startupware is neither good nor evil. Some users want popups of weather alerts. Some need reminders to get up and stretch. Some may need their software to be no more than 1 hour out of date. Well, very few, but some.

I’ll give a free mention here to at least the first five startupware managers that I find out about that match the definition above, and that are usable by average computer end-users.

WMF Patch Released Early

On Thursday, Microsoft released the patch to remove the “SETABORTPROC” functionality from WMF image processing. The patch is on Windows Update as MS06-001, and should be installed on all systems running Windows 2000 and above. Anyone who previously installed the unofficial patch should first install the Microsoft patch, and then uninstall the unofficial patch.

Anyone who disabled the Windows fax viewer can restore it like this:

To re-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the registration process has succeeded. Click OK to close the dialog box.

The WMF abort process security hole doesn’t affect Windows 98. Microsoft has stated that it is a ‘non-critical’ problem in Windows Me, but has not released a patch. In other words: to be continued…

Self-Imposed Doorstops

Another day, another cleanup. This morning’s cleanup was described by a new customer like this: “It’s broken. We can’t run our customer database program. The night staff keeps surfing the internet, and loading spyware, so that’s probably it.”

What I found was a computer that, on first look, had shortcuts to software on a drive “y:\” but had no mapped drives, and that was a member of a network named “MSHOME”, which is the default name for new peer-to-peer networks under the Windows XP “run me and I’ll change all your settings back to defaults” network wizard. There was no apparent connection to the network. “System Idle Process” was at 96 to 98%. There was clearly some spyware there, and a peer-to-peer music program, but they didn’t appear to be taking many cycles in Task Manager.

OK, next, I ran HijackThis. The log is three pages long; it should be half a page. The customer created their own doorstop. There were four anti-spyware programs running–all trial versions, and an anti-virus program which included anti-spyware features. The anti-virus software was the product installed by Dell at the factory, and long past the 90-day trial. Overall, the anti-spyware had stopped the spyware from running, and from connecting to the network, in much the same way that a very large boulder, when strategically placed on the roof of a car, will act as a parking brake.

After over an hour, I’d chiseled and uninstalled and ripped out junk in Safe Mode until the task list was down to the absolute basics. I replaced the antivirus software, added parental control software to restrict internet access by password, did a scan, and the new McAfee antivirus (freeware, if you’re a Comcast customer) reported that it had found two pups. Right–it no longer searches for malware, but for pups. That’s “Potentially Unwanted Programs.” Mustn’t insult the spyware by putting a negative label on it–this is more software written by lawyers.

At some point, consumers are going to have to learn about autoplays and startupware. When they do, if you are a software author whose products autostart without a very good reason, it’s not going to stay installed past a very short trial. And if it does, I’ll personally rip it out as non-essential during the next spyware/virus/generic doorstop service call, because over and over, I’ve seen this pattern of multiple tools to do the same task all running as startupware and adding to the problem. And I’m not alone; every field tech I’ve spoken to does the same. Software must only run when asked to, it should self-repair if needed, and maybe, just maybe, customers won’t blame it when they’ve turned their computers into doorstops.