Scumware, Spyware, Adware, Sneakware

by shinohara  (shinohara @ziplip.com)

Forget about cookies.  They're child's play compared to the sheer nastiness of Gator or to the insolence of NewtonKnows Best.  The more I studied them, the angrier I got.  I simply had to write an article about them to warn people.

What is Spyware and Adware?

Let's first get our definitions straight.

There are a lot of different names floating around.  Spyware is seemingly useful software installed on your PC that will observe your actions, gather data on your surfing habits and what you are interested in, compile that data, and send it back to the main server.  In this sense, it's similar to a Trojan horse.

Adware mainly receives ads in the form of images (simple GIFs, animated GIFs) or other multimedia type files.  Adware can also include components which will spy on users' actions.  Those components which are installed on the PC without a user's permission can be called sneakware.

Spamware is essentially the same as adware - serving unwanted ads.  A lot of people (myself included) have begun calling all of these types simply scumware.

Gator

There are many scumwares on the market that we can examine.

In fact, if we try to look at all of them, we will spend literally days doing so.  That is why I have narrowed the list to the most notorious ones and the ones you are most likely to meet.  Gator/GAIN is one of them.

Gator is one of the nastiest pieces of spyware around.  Gator's parent company changed their name to Claria Corporation (www.claria.com) in an attempt to disassociate themselves from Gator.  But they still stink just as bad.  It is carried by almost all P2P file-share apps as well as free ISPs like Netzero.

In fact, I can't seem to be able to get rid of it.  Every time I turn around, there is a fresh install of Gator on my system.  Worse, Gator software is composed of several separate modules, incarnations, and names: Gator, OfferCompanion, Trickler, GAIN, GMT.EXE, CMEsys.EXE and quite a few others.

Gator Advertising Information Network (GAIN) is marketed as a software product that will automatically fill in passwords and other form-elements on web pages, but its main purpose is to load an advertising spyware module called OfferCompanion which displays pop-up ads when visiting some websites.

Once installed, Gator's software never stops running and it monitors pretty much everything a user does.  The program is freely distributed by www.gainpulbishing.com but it can be found in a slew of file-sharing applications, including the "most downloaded software" on the Internet - the new Kazaa version that just came out a few days ago and which I investigated while writing this article.  In fact, you cannot even install and use Kazaa without agreeing to also install GAIN.  Talk about assholes!

Gator are so insolent that they justify what they do as "right."  From a CNET news.com article in 2001:

"'We get lots of angry calls; maybe even an attorney calls up because they're angry,' said Gator's Eagle.  'We explain it's the consumers' right because we're invited onto the desktop.  We're not changing their content; we're popping up on the consumers' desktop.  Don't they advertise on TV showing competitor comparisons?  The only difference is that we're more effective.  The next call we get is usually from the VP of sales, saying,  'We would like to work with you.'"

In Gator's case, it can come into your PC in three ways: either pre-bundled in a file-sharing program such as Kazaa, iMesh and a few others, in some alleged "freeware" such as Audiogalaxy, Go!zilla, and WeatherBug, or the so-called drive-by-installation, using Internet Explorer's ActiveX controls where a website attempts to download and install software (executable code) from a banner or a pop-up ad on the user's PC.

This is by far the sneakiest way, since most average users don't have a clue about Security Zone settings and often choose Yes when confronted with a dialog, thinking the browser is simply installing a needed plug-in for a website they're viewing.  Depending on the browser's security settings, the software will either download silently and without any user action, or present an install dialog.

Gator is also now available for download in separate freeware applications called eWallet and Precision Time/Date Manager, but nobody in their right mind would even use those.  When installed, Gator begins to slowly download and install other modules.

What Does It Do?

Gator has two main purposes: to deliver ads to the user based on the profile it builds and to collect information on the user's habits, including (but not limited to) every page visited, the length of time the user spent at each site, what the user is interested in, what ads (if any) the user clicks on, any special searches the user does, any keywords entered, and any files downloaded.

It saves all of that info in a file on your computer which identifies your PC through its IP address.

The newest Gator trick is to hijack a pop-up ad from another company when users visit a competitor's website.

This practice (which I find rather amusing, I must admit) is known as "being Gatored."  It is accomplished by selling common "keywords" to companies such as search engines.  One e-tailer that's been bitten is 1-800-Flowers.com.  When certain web surfers visit the site to browse for bouquets, a pop-up ad appears for $10 off at chief rival FTD.com.

The same sort of thing happens at americanairlines.com, where a Delta Airlines promotion is waiting in the wings.  Ads like these find their way onto browser windows through "plug-ins" that come bundled with certain software downloads.

Keyword advertising consists mostly of selling trademark owners the rights to their own names - on a search engine, for example.  But the reverse is true in many new application services such as Gator.

And because the applications are downloaded with the consumer's consent, the companies say they are standing on firm legal ground, despite numerous complaints from marketing executives.  After compiling the data it receives, Gator sells to other advertisers, who can then purchase the opportunity to display pop-up ads at certain moments, such as when specific words appear on the screen or specific words are typed into search engines.

Gator/GAIN Modules

Gator  - (IEGATOR.DLL and others) is the main software, which auto-completes web forms.  That is completely unnecessary for many users these days, since IE and Mozilla have had automatic form completion, password saving, etc. built in for some time.

OfferCompanion  - Is the advertising spyware module.  It is responsible for spying on your web browsing habits, downloading and displaying pop-up ads, and transmitting personal information to Gator.

Trickler  - (FSG.EXE, FSG-AG.EXE, FSG*.EXE) is an "install stub," a small program that is installed with the application you really wanted.  (Gator almost always appears on your system due to installing other software and not the installer available from Gator's website.)  When installed, Trickler inserts a Run key in your Registry so that it is silently and automatically loaded every time you start your computer.  Trickler runs hidden and very slowly downloads the rest of Gator/OfferCompanion onto your system.  It is suggested that this "trickling" activity is intended to slip under the user's radar, the steady, low usage of bandwidth going unnoticed.  While often named FSG.EXE, Trickler can go under other similar names, such as FSG-AG.EXE (installed with Audiogalaxy) or another name containing "fsg" or "trickler".

GAIN  - (GMT.EXE, CMEsys.EXE, GAIN_TRICKLER_*.EXE, plus other files) is short for Gator Advertising Information Network (GAIN) and is the newest incarnation of the Gator spyware we all know and love.  Each EXE file installs itself into a different directory.

For example, GAIN can be found in: C:\Program Files\Gator and the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

GMT is in: C:\Program Files\Common Files\GMT and in: C:\Windows\Start Menu\Programs\StartUp

CMiie can be found inside: C:\Program Files\Common Files

Removing Gator/GAIN

This is a somewhat long and annoying process, so let's get right to it.

I must warn you it involves tweaking Windows' registry, so if you don't feel comfortable doing that, seek professional attention.  There are several places you need to clean up, depending on how the software was installed.  I will go over each step-by-step:

Add/Remove Program Applet  - The best way is to begin by first uninstalling it through the Add/Remove function in the Control Panel, since simply removing it manually may result in some of the components being left on your PC.  To accomplish this, go to Start --> Settings, open the Control Panel, start up the Add/Remove applet, and hunt for either GM, GAIN, GATOR, or any of the above listed modules.

Windows' Registry  - Click on Start, go to Run, and type regedit.  Click "O.K." to start the registry editor.  There are several keys you need to check here.

First, using the directory tree, browse to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If you see either CMEsys or GMT in the right pane, delete them both using the right mouse button.  Now you need to exit the registry editor and restart your computer.

Here are the other keys you should check:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

Another three registry keys are:

HKEY_CLASSES_ROOT\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com
HKEY_LOCAL_MACHINE\SOFTWARE\GatorTest

Using the directory tree browse to those keys and delete them.

"Program Files" Directory Folder  - Next, you will need to locate and remove both the CEII and GMT directory folders on your computer.  They are both located in the Program Files directory.  To get there, start from My Computer, go to Program Files, locate Common Files, and peek inside.  If you see CEII and/or GMT, simply click on them with the right mouse button and choose Delete.

If Gator was installed by Precision Time & Date Manager, locate and delete the "WebPT" or "WebDM" inside the Program Files folder if it exists.

StartUp Directory Folder  - The next place to check will be your StartUp folder.  The StartUp folder loads the software listed in there every time you start up or reboot the computer.

To get there, start from My Computer, go to C:\, go inside Windows, and look for the Start Menu folder.  See if any of the EXE files listed above are in there.  Remove them if you find any.  This will have the added benefit of making your computer boot and run faster.  Note that using the program associated with a particular ad-Trojan may reinstall these references, and even the ad-Trojan itself.  PKZIP is notorious for this.  (For this reason, it is important that you zap the associated adware program as well, or at least make sure nobody runs it.)

MSCONFIG  - Under Windows 98 and higher, there is a program called MSCONFIG.EXE that allows you to view and enable/disable StartUp applications.  This can be used (usually) to turn off auto-loading spyware components.  (To run MSCONFIG.EXE if you have it, click on Start --> Run, and type msconfig in the Run box.)  As you can see, MSCONFIG.EXE is a System Configuration Utility and it's got several options you can modify.

Let's now go over each one, briefly discussing what they are and what can be changed inside them.  The General option specifies what system files your PC reads and executes while booting up.  This option is useful in case of an emergency during Safe Mode boot-up.  Normally, most AUTOEXEC.BAT and CONFIG.SYS files are empty today, but they used to play a big role in the olden DOS days (Windows 95 and Windows 98).  If you know DOS (and DOS is still extremely useful in many ways, even if Microsoft makes it exceedingly difficult for you to even run DOS programs on NT based systems such as Windows 2000 and Windows XP), you can peek inside those files and remove any lines you don't want or don't think you need.  Instead of removing the lines, a good idea is to just place REM in front of them.

SYSTEM.INI / WIN.INI  - Are more Windows configuration files, telling it how to boot-up.  I suggest you don't mess with them unless you really know what you are doing.

The StartUp Option  - Is another more advanced way to tell Windows what software to run when it boots up.  Personally, I like to keep mine as clean and tidy and program-free as possible.  I have seen some people's computers that had at least 30 lines inside StartUp, all from various software packages installed that did nothing for the user except take memory.  I had to argue with a client several days ago, trying to convince him that in fact Microsoft's Office does not need to be inside StartUp and that, yes, he still would have been able to use Office any time he wanted to.  Talk about ignorance not being bliss!

How does yours look?  Can you justify why all of the programs listed in there have to begin at boot-up time?  Do you know what each program is and what its function is?  Don't you think you should?
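The registry part of the clean-up above is easy to get wrong by hand, so here is an added example (not from the article) that audits an exported .reg file offline for the Run-style keys, the three Gator keys, and the module names the article lists.  Export with regedit's File --> Export, then point the parser at the text; the SAMPLE_EXPORT below is constructed, not captured from a real machine, and the CMEsys path in it is an assumption.

```python
"""Audit a regedit .reg export for the Gator/GAIN autostart entries and keys
this article lists.  Added example; SAMPLE_EXPORT is constructed, not real."""
import re

CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
# Autostart keys the article tells you to check, and keys it says are Gator's.
RUN_KEYS = {CV + "\\" + k for k in
            ("Run", "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce")}
GATOR_KEYS = {r"HKEY_CLASSES_ROOT\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}",
              r"HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com",
              r"HKEY_LOCAL_MACHINE\SOFTWARE\GatorTest"}
# Module names from the article, matched case-insensitively against each value.
GATOR_MARKERS = ("gator", "offercompanion", "trickler", "fsg", "gmt.exe", "cmesys")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from regedit's text export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):   # [KEY\PATH]
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:   # header, blank line, hex continuation
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2).strip()
        if data.startswith('"') and data.endswith('"'):
            # String data: drop the quotes and undo .reg escaping of \" and \\.
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys

def find_gator(keys):
    """List (key, value_name, data) triples that look like Gator/GAIN."""
    findings = []
    for key, values in keys.items():
        if key in GATOR_KEYS:
            findings.append((key, None, "known Gator/GAIN key"))
        elif key in RUN_KEYS:
            for name, data in values.items():
                probe = (name + " " + data).lower()
                if any(marker in probe for marker in GATOR_MARKERS):
                    findings.append((key, name, data))
    return findings

# Constructed sample: one benign Run value beside the kinds of entries the
# article describes (Gator/CMEsys Run values, a Trickler service, Gator.com).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"CMESys"="\"C:\\Program Files\\Common Files\\CMEsys.exe\""
"Gator"="\"C:\\Program Files\\Gator\\Gator.exe\" /noAutoUpdate"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Trickler"="C:\\WINDOWS\\fsg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com]
@=""
'''
```

Run find_gator(parse_reg_export(open("export.reg").read())) against a real export and every hit is a key or value you should look at before deleting it; the benign ScanRegistry line in the sample shows what is left alone.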

NewtonKnows Best

This is another very annoying spyware or scumware or whatever you wanna call it that gets installed in a variety of ways, including with several file-sharing programs.

One of them is Grokster.  I read about Grokster, one of the most infested of the P2P services, so I decided to see if it was really as bad as the writer claimed.  I'm sorry to report it was worse.

When Grokster ran for the first time, a separate program popped up, asking me what my country and ZIP Code was.  It was called NewtonKnows Best.  Since I didn't remember allowing it to install, instead of just removing it I decided to observe what it was and what it would do.  So far I am not very happy with it at all.  It added an extra bar to my Internet Explorer that I had trouble removing.  When I launched Netscape, Newton jumped up and started too.  It even booted the self-updated Newton EXE.  I was aghast.  Yet another of the many shameless companies who surreptitiously install software on my PC without asking me first, then begin to monitor my surfing habits.

I did a quick search on NewtonKnows Best, but couldn't find much.

Newton bills itself as a personal search companion.  It claims it will help us get the most out of the Internet.  Here is what they say at www.newfreeware.com/internet/711:

"We designed NewtonKnows based on user functionality and benefit.  As you surf the web, Newton sits discretely in the background, waiting to fetch relevant content for you.  As soon as he digs some up, the Newton suggestion window slides up and presents his top finds.  For example, 'My Auction Items' fetches eBay auctions for your favorite items.  Newton further enhances your browsing experience by delivering related content links directly into his toolbar.  Newton quickly connects you to your favorite shopping, music, travel sites and more.  With its built-in auto-update feature and our continuing commitment to quality, Newton will continue to evolve, and so too will your surfing prowess.  Plus, with the ability to request your favorite new feature, NewtonKnows is destined to become your me Internet search companion."

Newton made me see red in several ways, such as adding an extra search bar into Internet Explorer and not even asking me if I would allow it to do so.

Removing Newton Knows Best

This is somewhat difficult, since it places a key inside the registry and installs itself in several places.

Run a search via Start --> Find and uninstall.  Don't just remove Newton.  Hit the same places I outlined above in removing Gator/GAIN.

SaveNow (When UShop)

This gets installed by BearShare among others.

Put quickly, it is an advertising toolbar that monitors what sites you visit and pops up sponsored "deals" when visiting those sites.

Fighting Back

There are several software packages that will help you to manually look for Gator and many other scumwares on your system.

Adaware from Lavasoft (www.lavasoftusa.com) is a good one that has both a freeware and paid shareware version.  It can help you remove remnants of programs installed surreptitiously on your machines.

Adaware is easy to use.  Start it up and click on Scan Now.  From there, you will be given the following options: Perform Smart System Scan, Use Custom Scanning Options, and Select Drives/Folder to Scan.

Performing the smart system scan is good.  Click on Next and let it run.

Once Adaware is done, you will be given a list of suspicious registry keys, registry values, and possible scumware EXE files and folders.  Click on Next.

You will be given the filename, what type it is (registry key or EXE), what it is, where it is in your system, and comments that will even tell you what website was responsible for the scumware.  If you hover over each with your mouse, a yellow pop-up screen will appear with more info.  You have two options here: either quarantine the offending files or outright delete them by choosing Next.

As a precaution, I again must warn you that some of your nice "free" programs won't be able to work if you kill their spyware, so before you push Next you must decide what you need and what you can live without.

Some suggestions on how to find scumware:

1.)  Begin using a process observer that will show all the software currently running on your system at all times.  I can easily find and monitor any of these programs using the great and free Process Explorer from: www.sysinternals.com/ntw2k/freeware/procexp.shtml

Using it, I discovered that GAIN, Gator, whatever you wanna call it, writes to the following files and folders:

C:\WINDOWS\Cookies\
C:\WINDOWS\History\History.IE5\
C:\WINDOWS\Temporary Internet Files\Content.IE5\
C:\WINDOWS\Cookies\index.dat
C:\WINDOWS\History\History.IE5\index.dat
C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat

2.)  Set up and configure a good firewall.  Make sure you monitor all the incoming and outgoing connections your computer makes.  Forget about ZoneAlarm.  That's not good enough and it doesn't do much.  I tested it several times, trying to figure out why so many people liked it.  I think the main reason is because it is free.

3.)  Run a weekly check on all the places I mentioned: Windows' StartUp folder, the Registry's Run keys, MSCONFIG.EXE.  Keep them clean.  There are so many scumwares confronting the average computer user today, it's easy to become overwhelmed!  Worse, new ones are coming out daily!  Keep up with them by reading sites such as www.cexx.org, or search for more info on your own.

4.)  Practice some self control and stop downloading and installing all the new hot P2P apps your buddies told you about.

This is just a small introduction into the world of scumwares.

I would like to hear from other people about their own experiences with other scumwares so we can all learn.
