Posted by: Steve Hamm on October 14, 2005
One year ago, my home computer was hijacked by a rogue program called Home Search. It replaced the opening page on my Internet Explorer browser, planted pieces of hard-to-remove code all over the hard disk, and, ultimately, I suspect, disabled my PC so it would barely work. Thanks to 16 hours of help from a Microsoft support technician and a lot of free anti-spyware programs, my computer was freed. Now, I have the sneaking suspicion that it’s happening again. Though I now use the Mozilla Firefox browser, and nothing has afflicted it that I can make out, two days ago, when I shut the computer down, eight mystery files loaded themselves onto the hard disk. I ran McAfee Virus Scan, and didn’t come up with much—but that didn’t give me peace of mind. I’m hoping that a free anti-spyware product called SpyCatcher Express, from Tenebril Inc., which I learned about this morning, will save my PC’s butt. Either way, this incident is a scary reminder of just how vulnerable our machines, and lives, are to evil computer programs.
As if viruses, Trojans, and worms weren't bad enough, the Black Hat hackers have cooked up a whole new generation of malware called evasive--or mutating--threats. These programs prey on the shortcomings of anti-malware software itself. About 20% of the malware that's detected these days is of this type, and it's growing fast. The reason: The stuff is placed on PCs by criminals or advertisers who have strong incentives to come up with clever ways of keeping their software on your hard disk.
Home Search, the little devil that attached itself to my PC last year, is one of the more common pieces of evasive malware. And it's just one of 44 variants of a program called Cool Web Search. The software creates a Yahoo-like directory on your browser, and its makers sell click-throughs to the e-commerce and marketing outfits listed on the directory. Another troublesome program is a Trojan called Bankash-A, which is designed to take advantage of shortcomings in Microsoft's anti-spyware software. The Tenebril people gave me the names of others, but they have Web sites and pose as legit businesses, so I won't name them for fear of being sued. One of them actually poses as an anti-spyware program.
Most anti-virus and anti-spyware programs are designed to scan your PC and look for programs with names or operational profiles that are known to be malware. The problem is, this pesky new type of malware is good at evading that kind of defense. The programs change their names. They set up automatic update procedures so if they're detected and removed, new versions can be downloaded later. Some of them have a handful of evasive techniques and monitor them to make sure they're still working. If not, they repair themselves.
I haven't tried the Tenebril software yet, but it seems to be based on smart ideas. The company sells commercial versions for enterprises and consumers, but it just came out with a free version with some new features. It has a spyware profiling engine that studies unknown files that are on your computer, or which are trying to come onto your computer, and grades them as more or less threatening--giving you a chance to kick them out or refuse entry. It also has a new feature called "deep defense" that watches for suspicious behavior by programs and stops them from activating.
In the malware world, it's a constant battle between the White Hats and the Black Hats. The Black Hats seem to be winning this round. But hopefully the tide will turn soon.