Supplemental Resources and Links for Episode #7

Resources & Links for Security Now! Episode #7:

SPYaWAREness

Spyware management can be broken down into three main areas:

Prevention     Detection     Removal




Prevention:

"An ounce of prevention is worth a pound of cure."

Never is that more true than when dealing with spyware and malware. It is FAR better never to become infected than to need to deal with the consequences of being infected. The best advice for avoiding running unwanted software on a PC can be summed up with the following:

 Always keep your system updated with the latest patches
This is always important, since many malicious programs trick your SYSTEM into running their code. But it is NOT enough, since many more malicious programs trick YOU into running their code . . .

 Be distrustful
"Don't talk to strangers". Never forget that the Internet is like any big city: Much of it is safe and relatively secure, but there are definitely places you don't want to go at all. When surfing around the Internet it's very easy to end up in a dark corner with a single click. Always be careful.

 Use the safest tools possible
There is much less malware targeting Macintoshes than Windows, and much less for non-IE (Internet Explorer) browsers than for IE.

 If you must use unsafe tools, use them as safely as possible
Disabling scripting is the single best thing you can do, but it's also the most cumbersome. Eric Howes has some good information about locking down Internet Explorer.




Detection:

The top three spyware detection tools:

 Microsoft Windows AntiSpyware (Beta) – Microsoft is now getting into the business of protecting people from online threats. Unfortunately, most of these problems were created by Microsoft's own deliberately insecure design decisions, such as allowing web pages to install and run ActiveX controls.

 Lavasoft, home of Ad-Aware – Lavasoft is the granddaddy of anti-malware utilities. They came along shortly after my creation of the first anti-spyware utility, "OptOut", which removed the widespread "Aureate" advertising spyware. They agreed to always offer a free anti-spyware utility, so I halted further development of my own OptOut freeware.

 Spybot Search & Destroy – This is a top-rated terrific program for locating spyware and "questionable-ware". It's free and requires a lot of time from its authors. Consider sending them a little donation if you find Spybot useful.

 The excellent SpywareInfo site carries a steady stream of current information about spyware. Its periodic articles and back issues provide both a good overview and plenty of specific detail for anyone concerned about, and fighting, spyware.

 The excellent SpywareGuide site maintains a comprehensive list of spyware-carrying software and has a search facility that makes lookups quick and easy. It also contains many terrific solutions for dealing with the spyware threat.

 Eric Howes' anti-spyware testing and research pages. Eric is a graduate student in the school of library and information science at the University of Illinois. He has done a great deal of terrific research into spyware and malware, including extensive testing and comparisons of malware detection and removal utilities.

Be sure to check out Eric's . . .

   Lessons and conclusions

   Anti-spyware feature and performance comparison

   Extensive list of tools and utilities.

 Merlin.org, home of "HijackThis" — This free software is a highly regarded system scanner dealing with web browser home page hijacking and the detection and removal of many other particularly pernicious forms of spyware.




Removal:

The war against spyware is escalating daily with spyware becoming increasingly difficult to both detect and remove. This problem has grown to the point that spyware removal is a full-time business for many computer consultants, and is truly more of an art than a science. It requires deep experience and knowledge about the inner workings of the operating system and key applications, as well as intuition informed by extensive experience with past successes and failures.

The spyware removal challenge is a moving target because spyware is becoming extremely aggressive as the battle over the end-user's computer escalates. Today's spyware is much more resistant to automated removal tools, and it often goes so far as to prevent infected host computers from running anti-spyware tools, or even from visiting or downloading anti-spyware utilities. (It's difficult to use an anti-spyware utility that your already-infected computer refuses to run.)

This means that a badly infested machine either needs to be reformatted and reinstalled from scratch <<shudder>> or restored from a (hopefully recent) backup which was made before the infection.

Since, by far, the best solution is to restore the system from a recently made backup "snapshot", spending some time beforehand to optimize the system's configuration for easy backups and restores can pay off tremendously if anything bad ever happens.

Optimizing a system for backup and restoration:

Unfortunately, most systems are initially set up with a single monstrous partition "C:" occupying and filling the entire drive.

This is unfortunate since only the main operating system files, configuration, and installed application software need to be preserved against an "installation attack" by malware. By mixing the "system" files together in the same partition with all of the user's data, backing up and restoring the "system" means backing up and restoring the ENTIRE hard drive's contents, which becomes daunting and time consuming, if not impossible.

A FAR better approach is what PC veterans have been doing for years – deliberately dividing a large hard drive into several purpose-specific partitions, like this . . .

Malware installs itself into the operating system's files and configuration, not into static user data such as photos, music, or video. (A downloaded installer sitting in a data folder is still a file worth scanning, but it does nothing until it is run, and restoring the system partition removes whatever it installed.) Since the operating system files are generally much smaller than modern hard drives, they fit within a small partition, perhaps 8 gigabytes or so, depending upon your OS version and the size of your applications. Another partition can be created at the end of the drive to hold the system's multi-gigabyte virtual memory "swap" file and a rotating collection of drive "C:" images. It should be large enough for several backup images, each a snapshot of the system at some point in time, plus the swap file, which is typically about twice the size of the system's memory. All of the remaining space between the first and last partitions is then available for user documents and other non-program data.

Detailed instructions for re-partitioning a hard drive along these lines are beyond the scope of this page. If you are unfamiliar with doing this, please consult the web or a local expert. My favorite software for performing this sort of work has always been PowerQuest's excellent, reliable, and safe "Partition Magic".

One note: Your new "end of drive" partition, which will hold the system's virtual memory "swap" file and its main system backup images, should be formatted with the FAT32 file system and set to use 32K clusters. FAT32 allows your backup images to be accessed from DOS, giving you the widest range of restoration options. 32K clusters are faster and more efficient than 4K clusters since this partition will only store large files: there are fewer accesses to the partition's FAT tables (each of which requires a slow head seek) and less cluster fragmentation over time. One caveat: FAT32 cannot hold a single file larger than 4 gigabytes, so a swap file bigger than that needs an NTFS partition, and a backup image bigger than that must be split into pieces by the imaging tool. Also, when moving the virtual memory file to this partition, fix its size by setting the minimum and maximum to the same value. This prevents the system from dynamically resizing the file and further reduces cluster fragmentation. Moving the system's virtual memory to this partition should be the FIRST thing you do after creating it, so that the newly created virtual memory file is a single contiguous block of clusters.
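The two steps just described (formatting the end-of-drive partition with 32K clusters, then moving and locking the page file) can be scripted on a current Windows system. The following is an added example written for this page, not code from GRC or from Drive Snapshot's vendor. It assumes the new partition already exists and carries the drive letter given in -Drive (E: by default), that it is run from an elevated PowerShell prompt, and that the page file size you want is the one given in -PagefileMB.

```powershell
<#
  Added example (not from the original page): prepares the "end of drive"
  partition described above.  Assumptions: the partition already exists and
  has the letter in -Drive; this runs from an elevated PowerShell prompt;
  -PagefileMB is the fixed page file size you want locked in.
#>
param(
    [string]$Drive      = 'E:',
    [int]   $PagefileMB = 2 * 1024,  # the page's rule of thumb is twice RAM; adjust for your machine
    [switch]$Format                  # destructive, so only format when explicitly asked
)

$ErrorActionPreference = 'Stop'

# FAT32 cannot hold a single file larger than 4 GB (4095 MB), so a page file
# above that size will not fit; use NTFS for the partition or reduce the size.
if ($PagefileMB -gt 4095) {
    throw "A $PagefileMB MB page file will not fit in one FAT32 file; use NTFS or reduce the size."
}

if ($Format) {
    # 32K allocation units, as recommended above for a partition holding only large files.
    # Windows' own format.com declines to create FAT32 volumes larger than 32 GB;
    # a third-party tool is needed for bigger ones.  format.com will prompt before proceeding.
    Write-Host "Formatting $Drive as FAT32 with 32K clusters ..."
    & format.com $Drive /FS:FAT32 /A:32K /V:IMAGES /Q
    if ($LASTEXITCODE -ne 0) { throw "format.com failed with exit code $LASTEXITCODE" }
}

# Move the page file to the new partition and lock it at a fixed size by giving
# the same initial and maximum value.  The PagingFiles registry value holds one
# "path initial maximum" string per page file; writing only the new entry also
# removes the one on C: and overrides automatic page file management.  Windows
# creates the file at the next boot, while the partition is still empty, so it
# ends up as one contiguous run of clusters.
$mm    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$entry = "$Drive\pagefile.sys $PagefileMB $PagefileMB"
Set-ItemProperty -Path $mm -Name PagingFiles -Value @($entry) -Type MultiString

Write-Host "PagingFiles is now: $entry"
Write-Host "Reboot to move the page file, then take your first image of C:."
```

Run it once with -Format to create the file system, reboot, and confirm with the System Properties virtual memory dialog (or by checking that E:\pagefile.sys exists and C:\pagefile.sys does not) before making the first backup image.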

Note that re-partitioning an operating hard drive can never be 100% safe. Everyone I know who has used re-partitioning software extensively has had it fail on them, sometimes destroying data, at one time or another. So PLEASE make a full backup — somehow, just once — before using any re-partitioning software for the first time.

A free demo of Partition Magic 8.0 is available. Since you won't need to use it more than a few times, that should work for you.

 What to do once your drive is re-partitioned:
Once you have optimized your system's partitioning for quick backup and restoration, you'll need to choose a way to quickly and easily make whole-partition snapshot backups. My favorite program for doing this is "Drive Snapshot" . . .

 Drive Snapshot – This inexpensive "whole partition imaging" utility runs INSIDE Windows NT/2000/XP/2003/PE. It can make an offline snapshot image of an online, running partition. This means that you can actually take a backup "snapshot" of your main Windows "C:" drive while it's running. This is important since backups that are quicker and easier tend to be done more often. A new snapshot can be taken just before doing anything "risky" with a PC.

What's more, offline drive images can be easily "mounted" as a fully readable, browsable and searchable read-only drive under Windows. This allows individual files to be retrieved from previously made images.

And finally, Drive Snapshot's support for command-line operation allows fully automated and unattended scheduled images to be made without operator intervention. It's a terrific utility.
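Putting the unattended operation together with the "rotating collection of drive C: images" described earlier, the script below takes a fresh image of the system partition and then keeps only the newest few. It is an added example for this page, not code from GRC or from Drive Snapshot's vendor. It assumes Drive Snapshot's basic command-line form "snapshot <source drive> <image file>" (check the vendor's documentation for your version, and for its image-splitting option if the image partition is FAT32 with its 4 GB per-file limit), the executable path given in -Snapshot, and an image directory on the end-of-drive partition given in -ImageDir.

```powershell
<#
  Added example (not from the original page or the Drive Snapshot vendor):
  image the system partition, then prune to the newest -Keep images.
  Assumptions: Drive Snapshot accepts "snapshot <source> <image>"; the
  executable lives at -Snapshot; -ImageDir is on the image partition.
#>
param(
    [string]$Source   = 'C:',
    [string]$ImageDir = 'E:\Images',
    [int]   $Keep     = 3,
    [string]$Snapshot = 'C:\Tools\snapshot64.exe'   # assumed install path
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path $ImageDir)) { New-Item -ItemType Directory -Path $ImageDir | Out-Null }

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$image = Join-Path $ImageDir ("{0}-{1}.sna" -f $Source.TrimEnd(':'), $stamp)
$log   = Join-Path $ImageDir 'snapshot.log'

"$(Get-Date -Format s) starting image of $Source -> $image" | Add-Content $log
& $Snapshot $Source $image
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $image)) {
    # Never prune after a failure: a bad night must not shrink the set of known-good images.
    "$(Get-Date -Format s) FAILED (exit $LASTEXITCODE); existing images left untouched" | Add-Content $log
    exit 1
}

# Prune only once a new image verifiably exists.  Newest first, drop everything past $Keep.
Get-ChildItem -Path $ImageDir -Filter '*.sna' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip $Keep |
    ForEach-Object {
        "$(Get-Date -Format s) pruning $($_.Name)" | Add-Content $log
        Remove-Item -Path $_.FullName
    }

$onHand = @(Get-ChildItem -Path $ImageDir -Filter '*.sna').Count
"$(Get-Date -Format s) done; $onHand image(s) on hand" | Add-Content $log

# Schedule it nightly at 03:00 as SYSTEM (run once from an elevated prompt;
# the script path is an assumption):
#   schtasks /Create /SC DAILY /ST 03:00 /RU SYSTEM /TN "Image C drive" ^
#     /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Tools\Image-SystemDrive.ps1"
```

Keeping the pruning step behind the success check is the important design choice: with -Keep 3, a run that fails leaves three good images rather than two, and the log on the image partition tells you which night went wrong. Take a manual snapshot with the same script just before installing anything you are unsure about, so the image you restore from is the one taken minutes earlier.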




In Summary:

The spyware problem requires the attention of everyone who uses Internet connected computers. With today's wide open and inherently trusting and unprotected operating systems — which will run any program they are asked to without question — the burden of keeping our computers safe falls to individual end users.

There's no substitute for exercising safe computing. Stay away from high-risk, out-of-the-mainstream sites offering adult content, hacked and cracked software, and other shady deals. And choose your online tools, such as web browsers and e-mail clients, with an eye toward which offer the most security.

Finally, if the worst happens and it becomes necessary to disinfect a compromised system, some planning ahead by creating an effective, fast, and easy system backup "snapshot" and restoration capability can greatly lessen the damage done if something nasty does manage to creep into your system.




Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2022 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.

Last Edit: May 04, 2013 at 18:12