The Grey Chronicles


Understanding Junkwares: Adware, Spyware, BHOS, etc

A variety of threats exist that are not considered malware because they are not computer programs written with malicious intent but can still have both security (IT infrastructure) and financial implications (user productivity) for an organization.

Adware, also known as an Adbot, bundled (i.e. peer-to-peer file swapping products) with other software without the user’s knowledge or slipped in the fine print of a EULA. Adware is often combined with a gratis host application as long as the user agrees to accept the adware. Moreover, adware presents advertising windows (pop-ups or even pop-under) when it runs, and these usually degrade system performance. Many adware applications also track user information, including web surfing habits. Although Adware is similar to spyware, it does not transmit personally identifiable information, or at least the collector promises not to sell it. Instead, aggregated usage information is collected. ParasiteWare is any Adware that by default overwrites certain affiliate tracking links. The Claria Corp. (a.k.a. Gator) is one of the largest adware organizations; others include DoubleClick,, Radiate, and Web3000 Ad Network.[6]

Spyware, spybot or tracking software is covertly bundled with legitimate software users might want, such as free file sharing software. Spyware can conduct certain activities—collecting personal information, and changing Internet browser configuration settings—without obtaining appropriate user’s consent. Spyware is potentially more dangerous beast than Adware because it can record your keystrokes, history, passwords, and other confidential and private information. Spyware is a relatively new kind of threat that common anti-virus applications do not yet cover. Spyware emerged in the late 1990s and had reached epidemic levels by 2004. In that year, a survey by America Online and National Cyber-Security Alliance[7] found that 80 percent of the computers surveyed had some form of spyware on them, and there were an average of 93 pieces of spyware on each machine. The most notorious of all are Cool Web Search and Look2Me (Better Internet). A dangerous class[8] of spyware, called Man-in-the-Middle Proxy, is emerging under the guise of accelerating a user’s Internet connection but redirects all web surfing activity, including secure connections, to a man-in-the-middle proxy. One example of a difficult to remove and rampant man-in-the-middle proxy is MarketScore.

Hijackers are applications that attempt to usurp control of the user’s home page and reset it with one of the hijackers choosing. A layered service provider (LSP) sits between a computer’s Winsock layer and can modify all data that passes through the system. Microsoft by default installs numerous useful LSP programs. Spyware applications install malicious LSP’s to this layer called Winsock Hijackers. These applications monitor the network, accessing all data passing through the desktop, capable of redirecting web requests to affiliate websites. Any attempt to remove these Winsock hijackers can break the LSP chain and cause the Internet connection to stop working. Variants of CoolWebSearch are Winsock hijackers and require special programs to remove them.[9] Browser hijackers can permanently impair a browser, inhibiting a safe Internet experience.

Dialer is a type of software, often installed using the ActiveX technology, promises access to free porn, free games or free cracks for commercial software, but commandeers the modem to use your dial-up device to call a quite expensive phone or toll number.

A rootkit is a collection of programs that enable administrator-level access. Rootkits typically contain spyware, keyloggers, and tools for creating backdoors. A redirector transfers network traffic to a location other than that which the user intended. Keyloggers record keystrokes and then upload the information to a foreign host.

Browser Helper Objects (BHOs)[4] are small, automated programs [.OCX or .DLL] that monitor visited websites, switch advertising or home pages, download updates, or export data and sometimes use a backdoor as access point to bypasses security access measures. BHOs are also called web browser add-ons—extra toolbars, animated mouse pointers, stock tickers, and pop-up ad blockers—to make browsing a little more fun or effective. Add-ons are typically fine to use, but poorly-built add-ons sometime force Internet Explorer to shut down unexpectedly. CastleCops Network provides a weekly-updated CLSID / BHO List / Toolbar Master List.[10] Adware and spyware as well as browser hijackers often use BHOs to display ads or follow one’s track across the Internet.

Next: Understanding Junkwares: Characteristics


[4] Websense, Inc. (2006)Protecting Organizations from Spyware, p.3

[5] Harrison, Richard (2004), The Antivirus: Defense-in-Depth Guide, Microsoft Corporation, pp. 17-19.

[6] CNET Networks, Inc (2004), Battling Spyware. Sunbelt Software, p. 1

[7] America Online and the National Cyber Security Alliance (2005), AOL/NCSA Online Safety Study, December 2005

[8] Sequeira, Dinesh (2005), Understanding and Preventing Spyware in the Enterprise, White Paper, Tipping Point. p. 6

[9] Sequeira, Dinesh (2005), Understanding and Preventing Spyware in the Enterprise, White Paper, Tipping Point. p. 6

[10] Klein, Tony and CastleCops (2007), Master BHO and Toolbar list

Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 LicenseDisclaimer: The posts on this site do not necessarily represent any organization’s positions, strategies or opinions; and unless otherwise expressly stated, are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.


Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Blog at

%d bloggers like this: