Polymorphic Spyware and other advances

Many spyware removal programs such as Spybot - Search & Destroy and Ad-aware work by using large databases of files and registry entries which are known to be part of spyware or adware programs. Many spyware programs are becoming much like polymorphic viruses, which change their byte pattern to try to avoid detection by virus checkers. For spyware programs, these polymorphic properties will normally involve changing filenames and registry entries (particularly CLSID values) on each install, making it much more difficult for spyware removal programs to even detect them. Some hijackers which I witnessed while testing disabled my firewall and other processes.

Spyware programs are evolving and becoming more advanced to avoid detection. The Lop toolbar is a current example of this. There are currently about 20 known variants of Lop which all do the same thing but install themselves in different locations. Even with your spyware removal software up to date it is quite possible it will not detect certain files because of this. The Lop toolbar also redirects to a particular search engine. The address is dynamic, but all of them serve the same page: aavc.com, acjp.com, ecyb.com, ssaw.com, tjaw.com, tjem.com and some 70 other four-letter domains all contain the same search engine.
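The two paragraphs above make one detection point: identifiers that the installer can regenerate (filenames, CLSIDs, redirect domains) are poor signatures, while the payload bytes and the redirect page itself stay constant across installs. The following Python script is an added illustration, not code from the original page or from any of the tools named on it. Every sample in it is constructed: the toolbar payload, the search page template, the CLSID generator and the `Install` record are hypothetical, and `make_install` simulates the per-install renaming the article describes. It compares a lookup on mutable identifiers against a lookup on content hashes over a batch of simulated installs.

```python
import hashlib
import random
import string
from dataclasses import dataclass

# Added example, not code from the original page. All sample data is
# constructed: each "install" of a hypothetical toolbar gets a fresh random
# filename, CLSID and four-letter redirect domain, but its payload bytes and
# the search page it redirects to are identical from one install to the next.


@dataclass(frozen=True)
class Install:
    filename: str          # mutable identifier, regenerated per install
    clsid: str             # mutable identifier, regenerated per install
    redirect_domain: str   # mutable identifier, regenerated per install
    payload: bytes         # invariant: same bytes on every install
    redirect_page: bytes   # invariant: same page body behind every domain


TOOLBAR_PAYLOAD = b"MZ\x90\x00\x03 hypothetical toolbar payload (constructed)"
SEARCH_PAGE_TEMPLATE = (
    b"<html><head><title>Search</title></head>"
    b"<body><form action=\"http://{domain}/search\">"
    b"<input name=\"q\"></form></body></html>"
)


def random_clsid(rng: random.Random) -> str:
    """Build a registry-style CLSID string from random bits (constructed)."""
    parts = [rng.getrandbits(bits) for bits in (32, 16, 16, 16, 48)]
    return "{%08X-%04X-%04X-%04X-%012X}" % tuple(parts)


def make_install(rng: random.Random) -> Install:
    """Simulate one install: new names everywhere, same payload and page."""
    domain = "".join(rng.choices(string.ascii_lowercase, k=4)) + ".com"
    return Install(
        filename="".join(rng.choices(string.ascii_lowercase, k=8)) + ".dll",
        clsid=random_clsid(rng),
        redirect_domain=domain,
        payload=TOOLBAR_PAYLOAD,
        redirect_page=SEARCH_PAGE_TEMPLATE.replace(b"{domain}", domain.encode()),
    )


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalise_page(page: bytes, domain: str) -> bytes:
    """Strip the per-install hostname so identical page bodies hash identically."""
    return page.replace(domain.encode(), b"").lower().strip()


# Signature database built from the first variant that was analysed.
FIRST_SEEN = make_install(random.Random(1))
KNOWN_FILENAMES = {FIRST_SEEN.filename}
KNOWN_CLSIDS = {FIRST_SEEN.clsid}
KNOWN_DOMAINS = {FIRST_SEEN.redirect_domain}
KNOWN_PAYLOAD_HASHES = {sha256(FIRST_SEEN.payload)}
KNOWN_PAGE_HASHES = {
    sha256(normalise_page(FIRST_SEEN.redirect_page, FIRST_SEEN.redirect_domain))
}


def detect_by_identifiers(i: Install) -> bool:
    """Classic database lookup: known filename, CLSID or redirect domain."""
    return (i.filename in KNOWN_FILENAMES or i.clsid in KNOWN_CLSIDS
            or i.redirect_domain in KNOWN_DOMAINS)


def detect_by_content(i: Install) -> bool:
    """Lookup on what a variant cannot cheaply change: payload bytes and page body."""
    page_hash = sha256(normalise_page(i.redirect_page, i.redirect_domain))
    return sha256(i.payload) in KNOWN_PAYLOAD_HASHES or page_hash in KNOWN_PAGE_HASHES


def compare(installs) -> dict:
    """Count how many installs each method flags."""
    return {
        "identifiers": sum(detect_by_identifiers(i) for i in installs),
        "content": sum(detect_by_content(i) for i in installs),
        "total": len(installs),
    }


def sample_batch(n: int = 20, seed: int = 1234) -> list:
    """Constructed batch of n fresh installs, each with new identifiers."""
    rng = random.Random(seed)
    return [make_install(rng) for _ in range(n)]


# A constructed benign library: neither method should flag it.
BENIGN = Install("unrelated.dll", "{00000000-0000-0000-0000-000000000000}",
                 "example.com", b"MZ some unrelated library (constructed)",
                 b"<html>unrelated</html>")

if __name__ == "__main__":
    print(compare(sample_batch()))
```

With the seeded batch, the identifier lookup recognises essentially none of the 20 re-installs because every name was regenerated, while the content lookup flags all of them and still leaves the benign sample alone. The page normalisation matters for the Lop case: the redirect pages embed their own hostname, so the hash must be taken after that per-install value is removed.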

TinyBar is a parasite which installs a toolbar into Internet Explorer. It installs itself by exploiting a security hole in the Microsoft Java Virtual Machine. The spyware has a few variants, one of which hits the security site doxdesk.com by performing a denial of service attack against it. TinyBar is normally referred to as a Trojan and is detected by some virus checkers.

Spy Hardware

Although this topic is not strictly about spyware, since spyware by definition is software, I'm going to briefly mention other methods attackers may use to spy on people using a computer. If a monitoring tool is intentionally placed on a system, software isn't the only option. Hardware has been around for some time which can achieve the same results as software. There tends to be less flexibility: a much more limited capacity and no remote access (which some software keyloggers may allow).

They are normally a small device which is added between the keyboard plug and the keyboard socket on the computer, so it can go unnoticed. An experienced user may notice silently running programs monitoring keystrokes, but these devices can be quite discreet and do not require any software to work. They can be triggered by a combination of keystrokes to output all data held in memory.