PC TUTOR

internet
spyware
If you’ve ever been skeptical of the extensive measures some people go to to en-
sure that their Internet privacy is uncompromised, then think again. Whichever
Web waves you choose to surf, keep this in mind: you are not alone. There are trai-
torous spies in our e-midsts, watching and gathering information you never re-
alised you were giving—and you can do something about it.
86 September 2000 www.DITnet.co.ae ■ www.pcmag-mideast.com
 ecurity is a critical issue for every site. Some spyware programs are installed programs of inventorying software on the user’s

S computer that’s connected to the automatically when you visit Web sites that system, scanning the Registry, searching out pri-
Internet, whether in the office or at use them. Others are installed along with par- vate information, and then shipping all this
home. The recent denial of service ticular shareware or freeware programs. The in- data back to the home site. In truth, none of
attacks that brought down major Web sites stallation may occur completely without your these accusations have been proven. We call
were possible only because hackers managed knowledge, or you may accept it by clicking on these programs spyware not because they ac-
to subvert many poorly secured computers, Yes without reading the entire licence agree- tively steal private information but because
forcing them to participate in the attack. Some ment. they act in secret, without your knowledge or
email–enabled viruses (such as the notorious News items have accused various spyware permission.
Melissa virus) attempt to broadcast pri- Their stated purposes seem innocent
vate documents—your own or those of enough. Some, called adbots, display ban-
your company. And if the infamous "Back ner ads in associated programs and at-
Orifice" Trojan horse has inveigled its way tempt to tailor the advertising to your in-
into your computer system, it will turn terests. Others collect usage statistics for
over control to any hacker who asks. their clients. All of the known spyware
Fortunately, most corporate users are programs claim to respect your privacy,
sheltered by a company firewall, and per- and under scrutiny, these claims appear
sonal firewalls such as Blackice Defend- to be true. The non-personal information
er (www.netice.com) and ZoneAlarm gathered by these programs could be mis-
(www.zonelabs.com) can protect small- used, however, and the presence of spy-
office and personal PCs (see page 65 for ware might compromise your system.
a review of desktop security tools). With We’ll look at three of the most common
a firewall and an anti-virus program run- examples, and discuss what (if anything)
ning, you’re safe. Or are you? you should do about them.
Even though your system is protected
against outside attack, it’s still vulnera- COMET CURSORS
ble to betrayal from within. Each time you Comet Cursors, an ActiveX control from
connect to the Internet, you may be shar- Figure 1: Many of the shareware or freeware programs you Comet Systems (www.cometsy st e m s
ing that connection with a traitor—a spy- download—whether from Conducent or its affiliates—are .com), provides colourful, unusual, ani-
ware program that has its own agenda accompanied by TSAdBot, which downloads ads that display
when you run the associated programs.
m ated cursors any time you visit a Web
and communicates secretly with its home site that has licensed the Comet Cursors

www.DITnet.co.ae ■ www.pcmag-mideast.com September 2000 87

SEPTEMBER TUTOR ■
control (Figure 2). Depending on your securi-
ty settings, the signed and certified ActiveX
control may be downloaded and installed with-
out your knowledge or participation.
Comet Systems counts the number of visitors
using Comet Cursors on its partner sites. The
utility associates a unique ID with each user, so
it can report the number of distinct users. Ac-
cording to Comet Systems, it never asks for an
email address or other personal information,
it does not associate the unique ID with an in-
dividual and it does not track patterns of move-
ment from one site to another. You can view
the privacy policy for Comet Systems at
www.cometsystems.com/ help/privacy.shtml.
On the other hand, whether the company
records it or not, Comet Systems does receive
your IP address. If you have a fixed IP con-
nection, such as a cable modem or DSL, the IP
address can identify you; otherwise, it identi-
fies your ISP. For an eye opening view of how
much an IP address can reveal, check the in-
dex pages for Class C IP a d d resses at
www.ipindex.net/c/indexc.html.
In case you’d like to retain the pretty cursors
but remove your unique ID, Comet Systems
graciously supplies a utility for this purpose at
w w w . c o m e t s y s t e m s . c o m / w h a t / d d n i n-
staller_ns.shtml. To remove Comet Cursors
completely, first try the Add/Remove Programs
applet in Control Panel. There may or may not
be an entry for Comet Cursors. If you can’t find
it, download the uninstall program from
www.cometsystems.com/what/cleaner.shtml.
TSADBOT
TSAdBot, from Conducent Technologies (for-
merly TimeSink), is distributed with many free-
ware and shareware programs, including the
Windows version of the popular compression
utility PKZip. It downloads advertisements
from its home site, stores them on your com-
puter and displays them when an associated
program is running. According to Conducent,
TSAdBot reports your operating system, your
ISP’s IP address, the ID of the TSAdBot-licensee
program you’re running and the number of
different ads you’ve been shown. It also indi-
cates whether you have clicked on any of the
ads. On installation, TSAdBot may present an
optional survey. If you answer the survey, your
answers are conveyed along with the other
information gathered by TSAdBot. Condu-
cent’s privacy statement is available at
www.conducent.com/privacy.shtm.
The install program for PKZip for Windows
2.70 clearly states that the product integrates
"sponsored messaging technology" that will
make use of your Internet connection, and
identifies Conducent Technologies as the
source. The program also describes precisely
what information will be sent to the Conducent
home site. Furthermore, PKZip’s uninstall pro-
gram removes TSAdBot, as long as no other
88 September 2000
INTERNET SPYWARE
Figure 2: When
you visit this
page, Comet
Cursors chsnges
your cursor into
a unicorn (circle
in red).
Figure 4: User profile infor -
mation and downloaded
ads are maintained on your
hard drive.
programs are relying on it. Unfortu-
nately, this degree of candour is rare;
many other programs install and use
TSAdBot without ever informing the
user.
To determine whether this program
is present on your system, click Find
on the Start menu and search all local drives for
files named Tsad*.*. If TSAdBot is present, you
will find Tsad.dll in the Windows folder and
Tsadbot.exe in another folder, probably C:Files.
Subfolders below the AdGateway folder con-
tain user profile information as well as the
downloaded ads.
If you want to remove TSAdBot, you must
first uninstall all programs that rely on it. You’re
effectively paying for these programs by al-
lowing them to show you banner ads, so in all
fairness, you should remove them. (If fairness
is not sufficient incentive, consider that these
programs will not run in TSAdBot’s absence!)
In most cases, uninstalling the related pro-
grams will not remove TSAdBot itself, so you’ll
have to delete Tsad.dll and the entire AdGate-
way folder using Windows Explorer. Explor-
er may refuse with an Access denied message;
in that case, restart Windows and try again. If
you still can’t delete them, restart the comput-
er in MS-DOS mode and delete these files us-
ing the command line.
AUREATE DLL
The Aureate DLL, from Radiate.com (former-
ly Aureate Media), is installed with hundreds
www.DITnet.co.ae
Figure 3: When you download
a program, you may or may
not be told about TSAdBot.
Even if you are, the informa-
tion may be hidden in the
licence agreement.
of freeware and shareware programs; it dis-
plays banner ads while the program is run-
ning (Figure 7). It downloads advertisements
from its home site and reports which ads have
been shown and clicked on. The program’s
author is paid based on the advertising views
and click-throughs. In the case of a freeware
program, this is the only money the author
gets. The Aureate DLL includes an optional
survey that may appear some time after the
initial installation. Uninstalling the host pro-
gram does not remove the DLL; it can contin-
ue to operate independently.
Worst of all, according to Steve Gibson of
Gibson Research (www.grc.com), the Aure-
ate DLL introduces a serious security hole. A
malicious hacker could redirect the Aureate
DLL to phone the hacker’s server. That server
could then take control of the Aureate DLL,
instructing it to download further malicious
code onto the user’s machine and execute that
code. According to Gibson, the Aureate DLL’s
ability to download new programs has been
confirmed, though there is no evidence that this
has yet been used for nefarious purposes. Gib-
son also notes that browser problems, in-
cluding complete browser crashes, have been
■ www.pcmag-mideast.com

Figure 7: The $24.95 OptOut utility, seen her e
in a pre-release version, will locate all spyware
on your system and optionally remove it.
traced to the Aureate DLL.
Radiate states that its DLL does not gather
or report any personal information, does not
track your Web surfing habits and does not
monitor what you do on your computer. The
DLL does, however, associate the information
it gathers with a unique ID, so as to tailor the
ad offerings to your interests. For those who
wish to remove the program, Radiate offers
an uninstall utility at www.radiate.com/priva-
cy/remover.html. Naturally, removing the Au-
reate DLL will disable any freeware or share-
ware programs associated with it. You can
check Radiate’s privacy policy at www.radi-
ate.com/privacy.
WHAT CAN YOU DO?
The distinction between marketing demo-
graphic analysis and invasion of privacy was
already blurred long before the invention of
spyware. Right now, you’re targeted for spe-
cific direct mail advertisements based solely
on your zip code. Every time you enter a con-
test, fill out a survey, or send in box tops for a
free trinket, you’re adding to the vendor’s data-
base of demographic data. Marketers would
love to know every little thing about you, so
www.DITnet.co.ae ■ www.pcmag-mideast.com
INTERNET SPYWARE
Figure 5: You may be presented
with an optional survey form during
installation. If you fill it out, the in-
formation is sent back to Condu-
cent’s site along with the other in-
formation gleaned by TSAdBot.
Figure 6: As you run a program,
TSAdBot uses your Internet
connection to convey informa-
tion to its home site and to
download more ads. A personal
firwall, such as ZoneAlarm, can
alert you when this occurs.
they could deliver advertisements
that would pique your interest.
Some people think this is just
fine; they love getting mailings
and catalogues that cater to their
hobbies and interests. If that’s not
your style, you’ll need to stay alert.
Check your browser’s security settings to
make sure ActiveX controls can’t be installed
without your knowledge. In Internet Explor-
er 5, choose Options from the Tools menu
and click the Security tab. By default, the In-
ternet zone is set for the Medium security lev-
el. At this level, you’ll be prompted before
downloading ActiveX controls but not before
running or scripting them. If you want to
change the security options, click the Custom
Level... button. Make sure the Prompt box is
checked under Download Signed ActiveX
Controls, so you’ll be prompted before any
such installation. Select Prompt under Run Ac-
tiveX Controls and Plug-ins and Script ActiveX
Controls Marked Safe for Scripting, at least
temporarily. If the frequent prompts generat-
ed by the second two settings prove too an-
noying, you can change them back to Enabled.
Every time you install a new program or util-
ity, read the licence agreement. If it mentions
integrated advertising, background use of your
Internet connection, or anything that suggests
spyware, you may want to abort the installa-
tion and investigate. And if, despite these pre-
cautions, your newest game or utility sports
■ SEPTEMBER TUTOR
ever changing banner ads, check with the ven-
dor to find out where they’re coming from.
You can learn a lot by visiting a spyware
vendor’s Web site. You’ll usually find links
with information for advertisers and develop-
ers.
Follow those links and carefully peruse them.
Chances are good you’ll find phrases like "...sig-
nificantly improve online advertising perfor-
mance by integrating actual online identity
with off-line demographics and behaviour."
This will appeal to an advertiser but may ap-
pall the consumer whose "demographics and
behaviour" are under scrutiny.
OPTING OUT
Internet security cognoscenti are already fa-
miliar with the ShieldsUp! page on Gibson Re-
search’s Web site. With your permission, Shield-
sUp! probes your system’s security in much
the same way a hacker would and reports any
loopholes. The related OptOut site
(www.grc.com/optout.htm) provides infor-
mation and tools for users who want to opt out
of providing free marketing data through spy-
ware. The site supplies detailed information on
all known spyware programs, including the
names and Web addresses of the suppliers,
what information is gathered and the programs
that integrate them.
Gibson doesn’t suggest eliminating such
marketing tools; after all, some users adore
free programs and don’t consider privacy an
issue. He proposes a "Code of Backchannel
Conduct" for tools that work in the background
and share your Internet connection. The code
is fairly detailed, but this quote sums it up:
"You may use my Internet connection, but you
must first help me to understand why you
want to use it and how you will use it, then re-
ceive my explicit consent before using it. Then,
if I ever change my mind, you must cease such
use and go away."
Central to the site is the OptOut utility (Fig-
ure 7), which searches your system for known
spyware, reports its findings and optionally
removes the offending files. As of this writing,
OptOut exists as a free pre-release program
that removes only the Aureate DLL. The final
version should detect and remove them all. It
will be a $24.95 purchase (direct), with indef-
inite free updates to handle newly discovered
spyware.
There’s no evidence that spyware programs
are gathering private information or associat-
ing that information with individuals. You may
feel that giving away some limited, non-per-
sonal information is a small price to pay in re-
turn for free programs. But the possibility of
abuse exists, so it behooves you to know just
who’s sharing your Internet connection. For
more information on privacy concerns, see
our Special Report on Internet Privacy in the
August 2000 issue.
September 2000 89