Five Major Categories of Spyware

Special to Consumer Reports WebWatch

Robertson Barrett
Special to Consumer Reports WebWatch

Sidebar: Spyware Removal Options...view

Although a wide range of software, online services and Internet advertising and marketing firms engage in some form of information-gathering — adware firms constantly point out that online ad network DoubleClick and its competitors do so with no disclosures near clickable banner ads — Consumer Reports WebWatch found spyware practices concentrated in five major categories: adware networks, stalking-horse utilities that feed these networks, Trojan-horse programs that bundle spyware, stand-alone programs that watchdogs dub "backdoor santas," and high-risk programs that can create unusual headaches.

(Popular applications that serve advertisements within their own interfaces, such as SpeedBit's Download Accelerator Plus and AOL's ICQ instant messenger, don't meet experts' broad definition of spyware.)

Here's a look at each of the categories:

Adware Networks: The backbone for big-time spyware is a handful of ad-serving networks that have paid makers of popular games, utilities and music and video players 10 to 20 cents per download to include their ad-serving programs — a number that snowballs into real revenue for software makers that command huge audiences. In return, the adware firms charge higher advertising premiums because they can use the Web-surfing data to target ads to users who visit certain kinds of sites, in a practice they tout as "behavioral marketing." The major "adware" networks are:

Gator's GAIN: The largest adware player, Redwood City, Calif.-based Gator Corp., says its ad-serving network connects 400 advertisers to 25 million desktops a month. (Nielsen//NetRatings indicates 6.8 million unique users during the week ending Sept. 15.) GAIN targets ads based on Web sites visited and partial personal information like first names and ZIP codes. It even scans hard drives to determine what other software users have installed on their computers. GAIN appears in a number of forms on background programs that track Web behavior and serve pop-up ads, and through its own Gator eWallet (an online purchasing aid), Precision Time (which synchronizes a PC clock with the U.S. Atomic Clock), and Date Manager (a scheduler), which contain the same program.

"All we have is the anonymous user ID and we know about some of your Web surfing habits," said Scott Eagle, Gator's senior vice president of marketing. "It's very contextual. If you're online, we know whether you love to go to book sites."

Last year, Gator sued the Internet Advertising Bureau, its own industry lobby, for criticizing Gator's now-defunct practice of popping up ads that obscured banner ads on the site being visited. Eagle's claim that Gator now outdoes competitors with more aggressive opt-out buttons during installations is relatively true. But Gator is not out of the woods. In June, The Washington Post, The New York Times, Dow Jones and seven other publishers sued the company because its software detects when users visit the news sites and pops up ads relevant to the stories they are reading — a practice that Web users have called "drive-by downloads." The publishers assert that only they, not Gator, should be able to sell ads that pop up when readers see their content. A federal judge ordered Gator to stop the practice and the company plans an appeal.

WhenU.com's SaveNow: SaveNow, which had 4.2 million unique users in the last week of April, 2002 but had since fallen below 3 million by the end of September, does not collect Web URLs on its servers, but it similarly targets ads based on a surfing record stored on the user's own machine and constantly updates paid promotions based on that information. "If you go to a travel site, we might show you how to save 40 percent on travel at Hotwire," WhenU.com's site explains. "If you go to a retail site, you might see an offer for a $20-off coupon at Overstock.com." The practice raises the same copyright issues for Web publishers issues that GAIN does — in a more visible way, as SaveNow shrinks the browser to accommodate a pop-up bar that will affix itself to sites like Amazon.com and make similar offers, without paying Amazon.

Radiate: Founded in 1996, Radiate is the oldest of the major adware companies and takes a more dated approach, having bundled its Aureate ad-serving software with at least 250 shareware games and programs (Netvampire, Abe's MP3 Finder 4.0), a few well-known utilities (CuteFTP) and its own programs (ironically, Aureate SPAM-Killer). Although it does not directly retrieve personal information or track surfing, Aureate attaches itself to Web browsers and can serve ads even if a user is not online, since it stores pop-up ad materials on a user's hard drive during online sessions and presents them at any time. Software experts say Radiate is one of the most difficult programs to remove from hard drives, and in 2000, Microsoft found that Radiate's software caused severe crashes with several versions of Internet Explorer.

Web3000 Ad Network: Last spring, CNET gave Netsonic's Web3000 its most negative spyware rating, as its software — usually bundled with Netsonic Download Accelerator and, like Radiate's, with many lesser-known software applications — did not notify users that it was installing itself on their PCs. The Web3000 ad component infiltrates other basic desktop software to deliver marketing messages in splash screens, browser headlines, status bar messages, and e-mail newsletters.

Stalking Horses: A number of programs that enable the adware networks to function on desktops are bundled in many popular programs and often presented in installation disclosure screens as desirable add-ons to their Trojan-horse hosts. All collect some form of information.

Among the most common are:

• EZula's TopText, which inserts its own text advertisements as pop-ups linked to highlighted words in a Web page;
  
  
• Cydoor, which stores ads on a user's hard drive and records ad transactions;
  
  
• OnFlow, a "rich media" plug-in often necessary to play animated ads served by the networks, has no disclosure apart from what might be included by host software, and tracks user clicks on ads;
  
  
• Newer counterparts Medialoads and Delfin Media viewer (which serves up "TV-like entertainment" during Internet dial-ups, according to KaZaA's site, then serves targeted ads later) do notify users that the programs will be installed prior to activating themselves;
  
  
• The makers of WebHancer, which only collects and transmits information that measures Internet performance, have admitted that some attempts to uninstall it can interfere with Internet connections;
  
  
• New.Net is usually touted as a utility that allows browsers to recognize unofficial domain names such as .kids, but it also steers users to Web sites of partners.

Trojan Horses: These highly popular Internet downloads — for most people, the only face of spyware — usually come with the ad-serving networks' basic software and at least one stalking horse. Sometimes, they bundle these inside yet another application, often wrapping all disclosures into their own, briefer summaries. Users in nearly every case have to opt out, and cannot install or use the Trojan horse without allowing at least one core adware program onto their PC.

Security experts use the term "Trojan horse" for programs that carry programs that quietly damage hard drives, but many Web users and privacy experts use it to describe any program that includes another. Most of the latter are peer-to-peer file-sharing programs that emerged as ad-supported alternatives in the wake of Napster's decline.

Among the most popular are:

• KaZaA Media Desktop versions 2 (new in September) and the previous release, version 1.7.2. (Both KaZaA versions bundle more programs than competitors and include SaveNow, New.Net, Medialoads, Brilliant Digital's b3d Projector and Delfin Media viewer. All are listed by name in a small-print scrollbox on the installation screen, with links to their company sites for more information);
  
  
• Grokster (which includes Cydoor and Gator);
  
  
• FreePeers' free version of Bearshare (which includes SaveNow and New.Net);
  
  
• Morpheus (which includes Morpheus Shopping, an "adware" shopping aid from Wurld Media);
  
  
• Pre-spring releases of Limewire (which includes Cydoor);
  
  
• Music-finders AudioGalaxy (which includes Gator, WebHancer and BonziBUDDY);
  
  
• iMesh (which includes SaveNow);
  
  
• Video player DivX Video Bundle 5.0.2 (which includes Gator and SaveNow).

While many users have braved the "adware" in the file-sharing applications because they prefer certain features of these hosts, there are numerous ad-free alternatives, including Xolox, WinMX, Shareaza and Blubster.

"Backdoor Santas": Countless stand-alone programs that incorporate similar approaches have no links to adware networks or no ad-serving, per se, but they nonetheless collect information from users.
Among the most popular are:

• Floating Web search toolbars, such as Alexa (which merely tracks usage to offer upgrades) and Hotbar (bundled with iMesh, it adds buttons to browsers leading to advertiser sites and retrieves information from forms filled out in browsers);
  
  
• Comet Cursor (a cursor-transformation utility that serves no ads but automatically downloads and counts cursors displayed at partner sites);
  
  
• Gator's Gator eWallet, Precision Time, and Date Manager utilities;
  
  
• CuteFTP (which carries Aureate);
  
  
• BonziBUDDY (which serves adds, frequently prompts users for personal information, tracks all usage, deposits icons in the startup folder, system tray and on the desktop, repeatedly resets the browser homepage to BONZI.COM without asking permission, and leaves components behind after users use its uninstall program).

High-risk Spyware: Software experts have criticized a few programs for being particularly intractable, because they either pose security risks, execute elaborate stealth routines on PCs with no disclosure whatsoever or are just plain difficult for even experts to remove.

• Clicktilluwin, based in Las Vegas, calls itself "the Internet's fast, free, and fun online lottery game." Most commonly downloaded through BonziBUDDY, Net2Phone and older versions of file-sharers Limewire and Grokster, it has the distinction of being the first piece of "adware" that security experts classified as a Trojan horse — meaning its code is actively harmful to PCs. In January, the anti-virus software firm Symantec discovered that Clicktilluwin carried a program called "W32.DIDer," which installs itself even if a computer user selects an option that appears to block installation.
  
  
• VX2's Sputnik, which resides on pre-2002 versions of AudioGalaxy, has drawn virulent criticism from privacy advocates because it tracks not only Web pages visited and links selected, but collects information — including, in theory, credit card numbers, account numbers and passwords — entered into allegedly secure online forms. According to the company itself, "this information is automatically sent to VX2 in order to save you the time and trouble of submitting such information to us yourself. If [financial or password] data were . . . collected, VX2 would immediately purge such information from its database."

Other applications integrate with browsers to prevent firewalls from detecting that they are installed and sending out information. FlashTrack, an Internet Explorer plug-in bundled with iMesh, also collects some information from forms. And Britain's C2Media, which operates Live Online Portal, a site that earns revenue from user click-throughs to sponsor sites, offers file-searching software (also distributed by MP3Search.com) that plugs into Internet Explorer, and can add close to 100 new bookmarks to its Favorites list.

Spyware Removal Options

The hangover from record downloads of programs that include adware and other spyware in 2002 has created a matching demand for utilities designed to block unwanted pop-up ads or remove spyware altogether.

Security experts contacted by Consumer Reports WebWatch recommended several popular programs instead of manual software-removal methods. The Add/Remove Programs function in Windows' Control Panel, for example, requires users to know the names of the stealth spyware files or to find special uninstallers, and even then, some spyware programs can leave functional elements behind on the hard drive.

While even leading anti-spyware makers can't guarantee a clean sweep, they include services that update their programs to account for newly discovered offenders. (Note: No recommended programs offer versions for Apple operating systems, as no prevalent spyware targets Macintosh computers.)

(Click on links for details and downloads. Consumer Reports WebWatch does not endorse any of these software programs, but provides this information as a reference.)

All-Purpose Spyware Killers
Two programs have drawn the most praise from experts and users, and one effective free alternative is gaining in popularity:

Ad-aware 5.83
Lavasoft's free utility, by far the most popular with users and experts, scans the PC hard disk and removable drives and displays a list of all programs that match its latest spyware list. Before attempting to remove any suspicious program, Ad-aware allows users to confirm the choice in a list box, make a backup kept in a harmless, separate directory and keep certain components of programs if they wish. For prevention going forward, a $15 upgrade, Ad-aware Plus, includes additional security features, lifetime customer support and Ad-watch, a real-time spyware monitor that alerts users if any spyware program uses system RAM or tries to install itself in the system registry.

BPC Spyware and Adware Remover 2.3
Like Lavasoft's program, the Bullet Proof Soft's free Spyware Remover tool removes and has a real-time feature, SpyWatch, that scans the PC memory and registry for known spyware components. Taking advantage of that ongoing service costs $29 after a five-day free trial. The program is 7 megabytes (seven times the size of Lavasoft's) and includes an additional tool, Pop-Up Watch, which attempts to block pop-up ads even when "adware" is running.

SpyBot Search & Destroy 1.0
German developer Patrick Kolla has received positive reviews from users for offering a free "donationware" alternative (Windows only). While Kolla's tool is a first release and its database of current spyware is smaller than those maintained by the staffs at Lavasoft and other firms, Spybot performs similarly and removes the most well-known spyware programs — an option for users who want a reasonable ongoing spyware detection service but don't want to pay for it.

Ad Blockers
A second line of defense, if "adware" removers might miss some spyware, are utilities aimed at blocking some or all ads during Web surfing. (These aren't a solution for users concerned about tracking as well as ads.).

Well-received leaders among them include InterMute, Inc's AdSubtract Pro 2.5 ($29.95 after a 30-day free trial), Guardwall's Guard-IE ($29.95, Internet Explorer only) and Panicware, Inc.'s free Pop-Up Stopper (which requires users to hold down the "control" key to access some links; paid versions for $19.95 and $39.95 remove this distraction and offer advanced features).

Security and Privacy Aids
If all else fails, average PC users can minimize the security threat from back-door spyware with stronger software suites that monitor and squelch background Internet activity.

The leading packages — ZoneLabs' Zone Alarm Pro 3.0 ($49.95) and Symantec's Norton Internet Security 2002 ($69.95) — both include a personal firewall, up-to-date virus scanners and settings to block many Internet ads. A popular alternative, Anonymizer Privacy Toolbar, hides Web-surfing activity from advertisers and most spyware programs ($29.95 per year after a 30-day trial).