Rooting out the spies.

December 14, 2004

There is an interesting site that I frequent that is now providing a free tool for combating spyware. SpywareGuide, as a whole, is full of very useful information on spyware, but this tool in particular provides quite a bit of insight into how most spyware applications work.

Most spyware loads itself as a Browser Helper Object (BHO). This means that it takes a very useful feature built into Microsoft’s Internet Explorer (and Windows Explorer) and corrupts it into a means of spying on everything you do. All a spyware application needs to do is set a few key registry settings, and Explorer will load it into memory and give it full access to everything.

The tool I found is simply a registry file that sets a special “Kill Bit” within the BHO registry settings for each of the known spyware applications. This Microsoft article explains how the bit works.

Of course, the downside to this tool, and to all other spyware scanning applications, is that they can’t keep up with the rate at which new spyware applications are appearing. To get around this block, and most spyware scanners, all a spyware writer needs to do is change the CLSID of the spyware component’s COM object. A different CLSID means a different registry setting, allowing it to get past the scanners until the vendors update their lists and distribute them to everyone. With that in mind, it’s easy to see why spyware is one of the biggest threats to personal computing.
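To make the registry mechanics concrete, here is a small audit script I have added to this post; it is not the SpywareGuide tool and not code from Microsoft. It parses an exported .reg file, lists every CLSID registered under the Browser Helper Objects key, and checks whether each one has the kill bit (the 0x400 flag in the “Compatibility Flags” DWORD under the ActiveX Compatibility key) set. The registry export and all CLSIDs in it are constructed for the example; the second BHO deliberately has no kill-bit entry, which shows the gap described above: a component with a CLSID that is not on the list is still loaded.

```python
import re

# Registry paths used by Explorer for BHOs and by IE for the ActiveX kill bit.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400  # the kill-bit flag inside the "Compatibility Flags" DWORD

# Constructed sample export (made-up CLSIDs): two registered BHOs, but a
# kill-bit list that covers only the first of them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-AAAA-BBBB-CCCC-000000000001}]
@="Example Toolbar Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-AAAA-BBBB-CCCC-000000000002}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-AAAA-BBBB-CCCC-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-AAAA-BBBB-CCCC-000000000003}]
"Compatibility Flags"=dword:00000000
"""


def parse_reg(text):
    """Parse the subset of .reg syntax needed here: [key] headers, string values
    and dword values. Returns {key_path: {value_name: value}}; the default
    value of a key is stored under the name '@'."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys[current] = {}
            continue
        if current is None:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        else:
            keys[current][name] = value.strip('"')
    return keys


def _subkeys(keys, parent):
    """Yield (subkey_name_uppercased, values) for direct children of parent."""
    prefix = (parent + "\\").upper()
    for path, values in keys.items():
        if path.upper().startswith(prefix):
            yield path[len(prefix):].upper(), values


def registered_bhos(keys):
    """CLSIDs Explorer will load as BHOs, mapped to their default-value name."""
    return {clsid: values.get("@", "") for clsid, values in _subkeys(keys, BHO_KEY)}


def kill_bitted(keys):
    """CLSIDs whose Compatibility Flags DWORD has the kill bit set."""
    return {clsid for clsid, values in _subkeys(keys, COMPAT_KEY)
            if values.get("Compatibility Flags", 0) & KILL_BIT}


def audit(reg_text):
    """Split registered BHOs into those the kill bit blocks and those still active."""
    keys = parse_reg(reg_text)
    bhos, killed = registered_bhos(keys), kill_bitted(keys)
    blocked = {c: n for c, n in bhos.items() if c in killed}
    active = {c: n for c, n in bhos.items() if c not in killed}
    return blocked, active


if __name__ == "__main__":
    blocked, active = audit(SAMPLE_REG)
    for clsid, name in blocked.items():
        print(f"blocked by kill bit: {clsid} {name}")
    for clsid, name in active.items():
        print(f"still loaded by Explorer: {clsid} {name}")
```

On a real machine you would feed it the output of `reg export` for the two keys above instead of the constructed sample; the “still loaded” list is the one worth reviewing, since anything there is not covered by the kill-bit file, whether because it is legitimate or because it uses a CLSID the list does not yet know.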

Fortunately, there is hope — at least for Windows users. XP SP2 locks down the BHO installation process significantly, making it more difficult for a component to be installed without your knowledge.