Security Basics mailing list archives

re: Adware, spyware, and trojans


From: H C <keydet89 () yahoo com>
Date: Mon, 9 Dec 2002 08:50:46 -0800 (PST)

Courtney,

> He writes that most antivirus software does not detect
> spyware, which was a shock to me.  Spyware seems to
> be defined as software that logs keystrokes,
> screenshots, user actions, etc.

Don't get caught up in semantics.  What might be
better to do is visit the various A/V sites, and see
how *they* define these particular items.

> 1.  What's the distinction between spyware, adware,
> and trojan software?

As you've probably seen by now, you've gotten several
responses from people who are telling you what *they*
think the distinctions are...in fact, one response
posted to the list even states that "It's simple
trojan is a virus".  Hardly!  Best to check your A/V
site...the company that makes the product and see what
they say.  But for the most part, Trojans and viruses
are different forms of malware, as their definitions
clearly show.  

> (My antivirus software says it protects against
> Trojans, and I've seen programs like SubSeven in its
> log files.)

What does this mean?  In what capacity or context have
you seen "SubSeven" in your A/V logs?  Did the trojan
come in via an email attachment and was quarantined?  

> 2.  Is there any good software that detects and
> removes spyware, ideally controlled and updated
> continuously from a central server?

Sure is...AdAware, which I've seen has been
recommended several times.  

> SpyWare is (usually) software which waits for special
> actions (for example, key press, mouse move,
> filework).

This is most likely a matter of interpretation.  For
example, things like iMesh install spyware, in
particular things like Ezula TopText.  TopText is
spyware in the sense that it reads through web pages
that your browser is downloading, and adds dynamic
links to the HTML based on keywords.  These links will
point you to the Ezula customer's site, if you click
on them.  Other forms of spyware have watched what
pages the user requests, and kept track of how long
they take to download to the system.  Usually,
"spyware" that specifically watches keystrokes will be
referred to specifically as a "keylogger" or
"keystroke monitor".  This is pretty much what
Frederick pointed out, and what I'd fully agree with. 


I have no idea what "filework" refers to...

> unfortunately it must be run on each computer
> individually (as opposed to a server) and doesn't
> allow much room for automation...

Welcome to the world of free-/shareware!  The
necessary level of automation that you require is
likely to be found in a commercial product.  However,
another way to approach it would be to use a
combination of freeware tools, such as Perl,
pslist.exe from SysInternals, etc, to dump the process
list from remote machines, and compare the output to a
list of "known good" processes.  This would work
pretty well for the spyware, but not for Trojans that
are truly configured for malicious purposes (though it
would work against 99% of the kiddies who make no
configuration changes at all to the basic Trojan
server setup).  

> maybe scanning for established connections on ports
> used as the default for some well-known trojans,
> something like that.

A combination of personal firewalls and A/V, or simply
running FoundStone's fport.exe (via SysInternal's
psexec.exe) would work.  Launch psexec/fport via Perl,
and parse the output.  One example of this can be
found at http://patriot.net/~carvdawg/perl.html.  Look
for procdmp.pl.  This script takes the output of 5
tools and parses them into output seen at
http://patriot.net/~carvdawg/pd.html.  That way, with
a quick, easy glance, you can spot potential spyware
and Trojans.

> As far as I know, antivirus software doesn't do
> this.

There's a lot that A/V doesn't do.  It doesn't (for
the most part) scan NTFS alternate data streams (for
more info on ADSs,
http://patriot.net/~carvdawg/docs/dark_side.html).  It
doesn't scan the Registry...segments of (or entire)
applications can be hidden in the Registry for use at
a later date.

> you can simply "Google" each topic you want
> to learn about...

The problem with this is the credibility issue.  Some
of what pops up on Google might be from the poster who
said Trojans are viruses.  If you're curious about
what a particular A/V product considers to be a
"Trojan" or "spyware", check the site.
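The process-to-port baseline check described above (dump fport-style output from each host, compare it against a "known good" list, and eyeball what is left), written out as an added example in Python rather than the Perl the post suggests; this is not the poster's procdmp.pl nor any Foundstone or SysInternals code. The sample listing, the KNOWN_GOOD baseline, the process name "server" and port 5151 are all constructed for the example, and the real tool's banner text and column spacing may differ from the sample.

```python
"""Baseline check over fport-style port/process listings (added example)."""
import re

# Constructed sample in the layout fport prints (banner, header, one row per
# socket); it is made up for this example, not captured from a real host.
SAMPLE_FPORT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1204  server         ->  5151  TCP   C:\\WINNT\\system32\\server.exe
"""

# Assumed "known good" baseline: process name -> ports it is expected to hold.
# Build it from a freshly installed reference machine, not from a suspect one.
KNOWN_GOOD = {"svchost": {135}, "System": {139, 445}}

# One data row: pid, process, "->", port, protocol, optional path.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text):
    """Return (pid, process, port, proto, path) tuples; banner/header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append((int(pid), proc, int(port), proto, path.strip()))
    return rows


def find_unexpected(rows, baseline):
    """Flag rows whose process is absent from the baseline, or which hold a port
    the baseline does not list for that process.  Each finding is (process, port, reason)."""
    findings = []
    for _pid, proc, port, _proto, _path in rows:
        if proc not in baseline:
            findings.append((proc, port, "process not in known-good list"))
        elif port not in baseline[proc]:
            findings.append((proc, port, "unexpected port for known process"))
    return findings


if __name__ == "__main__":
    for proc, port, why in find_unexpected(parse_fport(SAMPLE_FPORT), KNOWN_GOOD):
        print(f"{proc:12} port {port:<6} {why}")
```

Feed it the saved output of fport from each remote host (collected via psexec as the post describes) and review only the findings, which is the "quick, easy glance" the post is after.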