Sneaky Apps Attack

Bob Terry, founder of BBX Technologies, which makes a program that catches stealthware as it installs.
Photograph: John Abbott
If you're beset by icons that appear in the system tray without warning, or by pop-up ads that run even when your browser isn't open, or by a mysteriously reconfigured browser, you aren't alone. The culprits--among them MemoryMeter and Rapidblaster--represent a new and more aggressive breed of application that's often called stealthware.

Some stealthware apps track you as you surf a given site. Most of them are adware programs that serve up streams of ads no matter what you're doing on your PC. (We repeatedly contacted these stealthware companies for comment; they did not reply.)

What these apps have in common is their often covert entry: Stealthware apps are not illegal, but like worms and viruses, they can exploit vulnerabilities or low security settings in Internet Explorer to install themselves without so much as a dialog box of warning. Worse, some stealthware is designed to bypass firewalls and other such safeguards.

Stealthware is found mostly on ads served at free Web-hosting sites, at porn sites, or at so-called typo sites (those that take advantage of users' misspellings of site URLs). But pinpointing the origin of some programs can be difficult; even an expert like Anthony Porter, founder of Spywareguide.com, admits that he can have trouble doing so.

The problem has become so prevalent, antivirus software maker Symantec last year began including some of these apps in its virus definition updates. "In the last six months, [stealthware] really has become an issue," says Kevin Hogan, a senior manager with Symantec Security Response.

Congress is also getting involved. Representative Mary Bono (R-California) introduced a bill that would require companies making or hosting some types of stealthware to disclose the software's presence--and get users' permission before installation.

Stealthware often takes advantage of IE's Browser Helper Object (BHO) subsystem, which lets plug-ins run within IE. Normally, you get a dialog-box warning if you load a new BHO. But by default IE lets scripts--such as ones that trigger a BHO installer download--run automatically. Just visiting a site can be enough to start such a script. You end up with a new app, and your system thinks you authorized it. And because BHO applets run within IE, software firewalls don't readily catch them.

Why not just turn off scripting and BHOs? They serve legitimate functions on many sites; the Google Toolbar, for example, is a BHO. You can tell IE to get your permission each time a site wants to run a script (click Tools, Internet Options, select the Security tab, then click the Custom Level button; scroll to the Scripting area, choose the radio button by Prompt for all three items, click OK, Yes, then OK again). But many sites run dozens of scripts per page--you'll see that dialog box a lot. Currently, Microsoft offers no way to selectively disable BHOs.

Delete Them

Adware and spyware removers like Spybot Search & Destroy or Ad-aware 6 can detect and, in most cases, eliminate stealthware--provided you have the latest definitions.

ImmuneEngine tells you when a new executable tries to install itself, giving you the option to delete.
Spybot also includes a BHO scanning tool that compares a list of your PC's BHOs with Spybot's database of "good" and "bad" plug-ins so you can disable unwanted ones. Symantec's Norton AntiVirus identifies some stealthware apps, such as Flyswat and SaveNow, and targets them; the firm plans more protection. Similarly, CA's ETrust antivirus package recently added CWS to its list of targets. Spywareguide.com offers a Block List File download, which changes a few Windows Registry settings to disable many aggressive self-installers.
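The two checks described above, comparing the PC's registered BHOs against a list of known "good" and "bad" plug-ins and verifying that the Internet zone's scripting settings are no longer at Enable, can be done from a registry export. The script below is an added example written for this article; it is not code from Spybot, Symantec, Spywareguide.com, or BBX. It assumes the well-known Windows locations for BHO registration (`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`, one subkey per CLSID) and for the Internet zone (`HKCU\...\Internet Settings\Zones\3`, values `1400`, `1402`, `1405` for the three Scripting items, with 0 = Enable, 1 = Prompt, 3 = Disable), neither of which the article names. The registry text, CLSIDs, and allow/deny lists are constructed for the example; on a real machine you would feed it the output of `reg export`.

```python
import re

# Real Windows key locations (not named in the article); the CLSIDs and
# values in SAMPLE_REG_EXPORT are constructed for this example only.
BHO_KEY_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                  r"\Explorer\Browser Helper Objects")
INTERNET_ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\Zones\3")
# The three Scripting items of the Internet zone, by their documented value names.
SCRIPTING_VALUES = {"1400": "Active scripting",
                    "1402": "Scripting of Java applets",
                    "1405": "Allow paste operations via script"}

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-0000000000AA}]
@="Example Toolbar Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-0000000000BB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-0000000000CC}]
@="Unknown Helper"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1402"=dword:00000001
"1405"=dword:00000003
"""

# Constructed lists standing in for a scanner's "good"/"bad" plug-in database.
ALLOW_LIST = {"{00000000-0000-0000-0000-0000000000AA}"}
DENY_LIST = {"{00000000-0000-0000-0000-0000000000BB}"}


def parse_reg_export(text):
    """Parse the subset of .reg syntax the audit needs: [key] headers,
    @="default" strings, "name"="string" and "name"=dword:hex values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"([^"]+)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
    return keys


def audit_bhos(keys, allow_list, deny_list):
    """Sort each registered BHO (one subkey per CLSID) into allowed, denied or
    unknown. Unknown entries are the ones worth investigating: a self-installed
    BHO will not be on the allow list and may be too new for the deny list."""
    report = {"allowed": [], "denied": [], "unknown": []}
    allow = {c.lower() for c in allow_list}
    deny = {c.lower() for c in deny_list}
    prefix = BHO_KEY_PREFIX.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        clsid = key[len(prefix):]
        if "\\" in clsid:          # deeper subkey, not a BHO registration itself
            continue
        entry = (clsid, values.get("@", "(no name)"))
        bucket = ("denied" if clsid.lower() in deny
                  else "allowed" if clsid.lower() in allow else "unknown")
        report[bucket].append(entry)
    return report


def audit_zone_scripting(keys):
    """Return the Internet-zone Scripting items still set to Enable (0).
    A value absent from HKCU is treated as Enable, IE's Medium default for
    the Internet zone (assumption of this audit, not stated in the article)."""
    zone = next((v for k, v in keys.items()
                 if k.lower() == INTERNET_ZONE_KEY.lower()), {})
    return [label for value_name, label in SCRIPTING_VALUES.items()
            if zone.get(value_name, 0) == 0]


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG_EXPORT)
    for bucket, entries in audit_bhos(keys, ALLOW_LIST, DENY_LIST).items():
        for clsid, name in entries:
            print(f"BHO {bucket:8} {clsid} {name}")
    for label in audit_zone_scripting(keys):
        print(f"Internet zone: '{label}' is still set to Enable; consider Prompt")
```

On the constructed input the script reports one allowed BHO, one denied BHO, one unknown BHO, and flags Active scripting as still enabled while the other two items are already at Prompt or Disable. The allow/deny lists are the part a real scanner keeps up to date; without current definitions the unknown bucket is all you have, which is why the article stresses updated definitions.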

BBX's ImmuneEngine (revised in July; pictured here) attacks the problem another way: It detects, and can delete, new executable files as they appear. "It's like a protective layer on top of Windows," says Bob Terry, BBX founder.

You can also try an IE alternative, such as Mozilla or Opera, but the best defense is to watch where you surf, and to keep your protective apps up-to-date.
