Overview | I.E. Low | I.E. Medium | I.E. High | Firefox

  Project Overview

Western Oregon University - Spyware Research Project Study by Brian Padgett and Michael Clark

Thesis: To the average internet user spyware is a serious and real threat that can attack without warning through various deceptive methods.

Testing Methodology: Visit various sites using two versions of Microsoft XP with different configurations and different security settings for Internet Explorer. Lastly we tested both OS versions for spyware threats using the wildly popular Firefox browser. After each test we set machines back to an original clean slate using Nero software.

OS configuration
1. Microsoft XP Home SP1
2. Microsoft XP Pro SP2 with firewall enabled and all security updates as of 2/25/05

On both machines we visited sites that we thought might be suspect for giving out spyware. Often Spyware uses deceptive tactics to lure a target into installing software onto their machine. We were looking to find the various levels of deception that the sites would possibly use. Our biggest question going into the research study was whether or not any sites installed spyware without any user interaction.

Our study began at the top google hit for the term warez. The second site we visited was navigated to by clicking on a shortcut that was automatically installed on our desktop after site 1. Site 3 was navigated to by clicking on a link provided by a toolbar installed after site 1. The forth and fifth site was navigated to the same way. Site 6 was navigated to by clicking on the top google hit for the term crackz.

We initially were going to visit more sites. It quickly became evident that we would not have to look very hard for spyware. For this study we acted as a user with little to know knowledge regarding spyware and would be considered a naive internet user. When prompted for a free product or toolbar we went ahead and followed any user prompts. Even if you are not a naive user and are very defensive against possible spyware attacks these results will probably be alarming.

Software acknoledgments: Microsoft XP Home, and Microsoft XP Pro were both obtained free through the agreement between Western Oregon University and MSDN. The Nero software that was used was a trial version. Our benchmark for detecting spyware came from Microsofts Anti-Spyware Software beta that was obtained free from Microsoft.

Following School Computer Use Guidelines: Before starting our research using our school network and machines we verified that we would not be violating any terms of use, which we did not. To view school's technology contract visit the link: Western Oregon Technology Contract.

Work Breakdown: All of the spyware testing was done simultaneously on two machines. Determining how the machines would be configured and returned to a fresh state after each test was performed by Brian. Note taking and screenshots were performed simultaneously by both Michael and Brian. Lastly the final write up was performed by Michael.

Background Information: Background knowledge regarding computer security and spyware came from CS459 (Introduction to Information Assurance) offered at Western Oregon University by Dr. Anderson

Visited Sites
1. easywarez.com
2. 888.com
3. metareward.com
4. yukoryum.com
5. icewarez.net
6. crackz.ws

This table shows a quick comparison of the threats encountered during our study for both machines.

note: pop-ups are only mentioned if they were the only thing present during test.

	easywarez.com	888.com	metareward.com	yukoryum.com	icewarez.net	crackz.ws
I.E. Low	auto attack	deceptive attack	auto attack	no attack	pop-ups	deceptive attack
I.E. Medium	auto attack	deceptive attack	pop-ups	no attack	auto attack	deceptive attack
I.E. High	no attack	no attack	no attack	no attack	no attack	no attack
Firefox std.	no attack	deceptive attack	no attack	no attack	no attack	deceptive attack

( top )   Test One - I.E. Low Security Setting

Both machines have fresh installs of the OS and have not yet visited any websites.

note: If not implicitly stated every site tested also opened multiple pop-up windows without our consent. In many cases the amount of windows was greater than 5.

Click to see the screenshots:

• System Properties of XP PRO and XP HOME
• Firewall Configuration XP PRO Firewall and XP HOME did not have firewall set-up.
• Internet Explorer set to Low Setting on bothXP HOME and XP PRO.

Site One: was easywarez.com, which was the top google hit for the term warez. At this site we were prompted to click on an "ok" button to proceed to the download section (screenshot). After we clicked on the "ok" button spyware started to get installed on both machines without user knowledge or permission(screenshot). In the screenshot there was a message being shown by Microsofts Anti-Spyware software and also multiple pop-up windows had opened as well.

At this point multiple spyware programs were installed on both machines. Besides the hidden spyware both browsers also had new toolbars installed and both machines had tons of new shortcuts on the desktops (XP HOME Screenshot of Desktop) (XP PRO Screenshot of Desktop). Besides installing spyware, toolbars, desktop shortcuts, and pop-ups this site also tried to change default search pages and homepage but was unsuccessful because of the Microsoft anti-spyware software that was being used.

Site Two: was 888.com, which was a gambling site that we got to by clicking on the gambling icon on the newly installed toolbars. At this site we were asked to download a "FREE" casino program and we went ahead and did so. The program installed and added a shortcut to our desktop. During the installation we did not get a warning from Microsofts Anti-Spyware software. Nothing else happened as a result of visiting this website.

Site Three: was metareward.com, which is a "give-a-way" site that we got to by clicking on an icon labeled "FREE" on our spyware installed toolbars. Upon arriving at metareward.com we were offered the chance to get spyware removed from our machines (Screenshot). We gladly accepted this gracious offer from metareward.com. After accepting to get spyware removed, multiple spyware programs were quickly installed on both machines without any user agreement. At this point both machines were running very slow and both received alerts that our Virtual Memory was low (Screenshot) . To investigate what was going on we looked into the Window's task manager and saw that around a gigabyte of resources were being used, but items in task manger did not add up to amount of resources. At this point the Windows XP Home machine completely froze up and had to be restarted. The fact that so much spyware had been installed after only 3 websites was absolutely astonishing.

After re-booting the XP Home machine instantly more spyware was getting installed.(Screenshot). Then a browser window came up offering to check for system errors (Screenshot) by ErrorGuard.com. We went ahead and checked the system and we were informed that our system had 40 errors. Again, Error Guard was kind enough to perform this test for us without any charge. However to fix the errors Error Guard requires a payment of $29.95 (Screenshot) which might be a decent price if this whole operation wasn't a total SCAM. We have no idea how Error Guard went about checking our system, or how they would actually check our system using just a I.E. browser window. However, we decided to do a little investigation and found out that it turns out every computer checked by Error Guard has exactly 40 computer errors (Screenshot) which seems a little suspicious. The previous Screenshot shows that the number "40" is a static element on the web page using no dynamic information whatsoever.

At this point the XP Home and XP Pro machines both had more desktop shortcut's leading to various spyware and adware sponsored sites (Screenshot), including one for Error Guard.

Site Four: was yokoryum.com, which was a site with "hot sexy mama's" that we got to by clicking on one of the installed desktop shortcuts (Screenshot). This site did not install any spyware at least not from the homepage. Most likely this site pays some spyware company for driving traffic to their site (Screenshot).

Site Five: was icewarez.net, which we got to by clicking on a link in the automatically installed toolbar after site one. At this site we did not get any spyware alerts, but did get presented with two XXX pop-ups (Screenshot),(Screenshot).

Site Six: was crackz.ws, which was navigated to by clicking on the top google hit for the term crackz which refers to illegally free software and not butts. At this site we actually clicked on a link for a free toolbar which installed more spyware.

Test Summary: Both operating systems with their varied initial configurations were attacked by spyware by way of auto and various deceptive attacks. In some cases XP Pro with firewall and SP2 was hit harder than XP HOME. One example of this was that more desktop shortcuts were added to XP Pro and in some cases had more pop-up windows appear. Also, even though we did not receive alerts of spyware at the sites does not mean that they were not installed. In the case of site five we did not get any alerts but later in study determined this site as being very spyware ridden.

• XP Home:
• Total Spyware Threats Detetected: 14
• Memory locations scanned 34, detected 2
• Files checked 16713, detected 640
• Registry locations checked 8442, detected 474
• Scanning in progress (Screenshot)
• Scan and removal completed (Screenshot)
• note:After Microsoft's Anti-Spyware software removed all of the spyware instantly more spyware started to auto-install itself. This shows that some form of spyware was still on machine after the scan and removal (Screenshot).
• XP Pro:
• Total Spyware Threats Detetected: 3
• Memory locations scanned 29, detected 0
• Files checked 17375, detected 573
• Registry locations checked 8442, detected 289
• Scan and removal completed (Screenshot)

( top )   Test Two - I.E. Medium Security Setting

note:As mentioned before, both machines were returned to a state of fresh operating system install with no spyware on machine from previous test. This operation was performed quickly using the Nero software. Also note that this section will not provide screenshots of the various attacks since they are basically same as shown with test one. However, the summary part of this section will show the final spyware statistics provided by Microsoft's Anti-Spyware software with screenshots.

Site One: Spyware attack same as in test one on both machines, except this time 9 desktop shortcuts were installed on XP Pro compared to 13.

Site Two: Spyware deception attack same as test one.

Site Three: This time site did not ask to remove spyware from our machines, but still had pop-ups. So, for this site the spyware threat was reduced.

Site Four: Same as in test one, no spyware attack. At the time of visiting this fourth site spyware was starting to slow down both machines which was a result of site one.

Site Five: Spyware attack was different with the medium setting but not better. We were presented with a dialog box asking us to click "ok" to proceed to the download section. After which point spyware began to install automatically and both machines ultimately had to be re-booted because they became frozen. Before shutting down we were able to quickly see the CPU usage on XP Pro and it was running at 100%.

Site Six: XP Home got 2 XXX pop-ups while XP Pro did not. At this site we went ahead and got the free toolbar again.

Test Summary: Both operating systems with their varied initial configurations were attacked by spyware by way of auto and various deceptive attacks. Also, even though we did not receive alerts of spyware at the sites does not mean that they were not installed. Overall the spyware threat was GREATER with Internet Explorer's security setting at medium as opposed to low. This was the case for both XP Home and XP Pro. This finding is contrary to what one would expect. We attribute this to the fact that site five seemed to attack our machines with the medium setting and not the low setting from test one. Remember, that after site 5 both machines had to be re-booted and were running at max cpu rate of 100%.

• XP Home:
• Total Spyware Threats Detetected: 28
• Memory locations scanned 38, detected 4
• Files checked 16777, detected 635
• Registry locations checked 8481, detected 2302
• Scan and removal completed (Screenshot)
• note:After Microsoft's Anti-Spyware software removed all of the spyware instantly more spyware started to auto-install itself. This shows that some form of spyware was still on machine after the scan and removal (Screenshot).
• XP Pro:
• Total Spyware Threats Detetected: 8
• Memory locations scanned 33, detected 0
• Files checked 17446, detected 585
• Registry locations checked 8481, detected 3818
• Scan and removal completed (Screenshot)

( top )   Test Three - I.E. High Security Setting

note:As mentioned before, both machines were returned to a state of fresh operating system install with no spyware on machine from previous test. This operation was performed quickly using the Nero software. Also note that this section will not provide screenshots of the various attacks since they are basically same as shown with test one. However, the summary part of this section will show the final spyware statistics provided by Microsoft's Anti-Spyware software with screenshots.

Site One: No Spyware attack. Were not presented with a window asking to click on anything.

Site Two: No Spyware attack. No pop-ups asking if we wanted to download anything.

Site Three: No Spyware attack.

Site Four: No Spyware attack

Site Five: No Spyware attack

Site Six: No Spyware attack

Test Summary: With Internet Explorer's High security setting the browser is essentially locked down. It does not allow the downloading of anything to the machine. Even trying to download a picture is prohibited and prevented with no temporary work around. This setting is basically useless for the average user because it's functionality is so severely limited.

• XP Home:
• Total Spyware Threats Detetected: 0
• Scan and removal completed (Screenshot)
• XP Pro:
• Total Spyware Threats Detetected: 0
• Scan and removal completed (Screenshot)

( top )   Test Four - Firefox with default installation

note:As mentioned before, both machines were returned to a state of fresh operating system install with no spyware on machine from previous test. This operation was performed quickly using the Nero software. Also note that this section will not provide screenshots of the various attacks since they are basically same as shown with test one. However, the summary part of this section will show the final spyware statistics provided by Microsoft's Anti-Spyware software with screenshots.

Site One: Dialog box did come up prompting us to click "ok". Pop-up windows were prevented. Possible Spyware threat.

Site Two: Asked to download casino software and we went ahead and did so.

Site Three: No Spyware attack.

Site Four: No Spyware attack

Site Five: Dialog box did come up prompting us to click "ok", possible Spyware threat.

Site Six: No Spyware attack initially but went ahead and downloaded toolbar. Of note the toolbar did not get installed on either Firefox or I.E.

Test Summary: With Firefox and its default installation it effectively manages pop-up windows. Each time it prevents a pop-up window it alerts the user with a discreet message at the top of the browser window. It was also very effective in showing us implicitly each time something was getting downloaded to the machine.

• XP Home:
• Total Spyware Threats Detetected: 2
• Scan and removal completed (Screenshot)
• XP Pro:
• Total Spyware Threats Detetected: 2
• Scan and removal completed (Screenshot)

PROJECT SUMMARY: To the average user, online browsing can pose many spyware and security threats. Unless the user is highly suspicious and careful about their online browsing they will get attacked, period. If we were asked to set up a computer for a client that wanted a totally security free browsing experince, we would recommend using either Firefox or I.E. with locked down security environment. However, if the user actually wanted normal browsing functionality the clear choice would be to use Firefox.