Spyware FAQ

Terry Bollinger
terrybollinger.com
(updated 2005-06-25, created 2004-12-01)

Copyright 2004 by Terry Bollinger, but unlimited rights to copy for free or for profit
are granted provided only that the document as a whole and this copyright remain
intact. Translation into other languages is also permitted, in which case the original
English version may be omitted. Please read the legal disclaimers at the end of this
document carefully BEFORE using any of the spyware removal methods given here.



Q: What is spyware?

A: Spyware is software inserted into your computer without your permission, to gather information about you for someone else's benefit. It is useful to distinguish two categories: softcore spyware and hardcore spyware.


Q: How bad is the spyware problem, really?

A: The best answer to this is a challenge: After reading and making sure you can agree to the legal disclaimers at the end of this document, try applying my procedure for removing hardcore spyware to an example PC or laptop. Some of the most interesting results come from systems on which you are already using good virus and spyware checkers and would generally expect to be free from hardcore spyware.


Q: How can I tell if my system has spyware?

A: Common indicators of spyware infections include:


Q: What is softcore spyware?

A: Softcore spyware uses your PC or laptop resources without your permission and collects information about you as a potential buyer, albeit not necessarily of a product in which you would normally have any interest. Examples include adware, which in one way or another subjects you to unwanted web or email ads. Softcore spyware is often nominally legal, in the sense that it does not attempt to steal critical information such as passwords or bank numbers. On the other hand, large numbers of softcore spyware applications can drag your computer down to the point where it seems "old" and unreliable, when what is really happening is that your PC or laptop is too busy running other people's software to bother much with yours. 

Q: Is it OK to use a PC or laptop with softcore spyware on it?

A: Yes, but only if you enjoy being harassed. Leaving softcore spyware on a PC or laptop can result in significant annoyances such as seriously degraded performance, unwanted popup ads, and huge volumes of junk mail, but by definition this type of spyware will not attempt to take your identity or use your computer for illegal purposes.

The risky part, however, is how to determine with certainty that your system only has softcore spyware on it. In general, a system with lots of softcore spyware is also likely to contain far more dangerous, and far better hidden, hardcore spyware applications.


Q: Will upgrading to the latest version of Windows fix existing spyware problems?

A: No. If you currently have hardcore spyware in your Windows system, upgrading to a more recent version of Windows will help considerably in preventing entirely new spyware from coming in. For the burglar that is already in your house, however, putting up new and tighter walls does little to get him out. For that you will still need third-party spyware checkers.

The most secure version of Windows as of late 2004 is probably Windows XP with Service Pack 2 (SP2), which includes features such as a built-in firewall and a substantial reduction in security holes. In terms of price performance, however, you can almost certainly get a larger increase in spyware protection per unit of cost by simply adding third-party spyware detectors and firewalls to your current Windows version.


Q: Can I avoid spyware by not opening attachments and not downloading untrusted software?

A: No. For example, older browsers allow a mild form of softcore spyware called tracking cookies to be accepted by default, meaning you will accumulate this form of spyware simply by using the web. More importantly, hardcore spyware does not bother with such legal niceties as entering only through badly designed but legal browser defaults. If your system has security holes of any sort, networks of hardcore spyware will try, and often succeed, to load spyware onto your system. On one Windows 98SE system, I encountered an average of about one attempt per day to place hardcore spyware (Cool Web Search and others) into the system. While I was able to detect such placements, I was not able to prevent them entirely without extensive reconfiguring of the Windows system.

Q: What can I do to remove softcore spyware?

A: Softcore spyware can be removed quickly and easily with any spyware checker that has a proven reputation for effectiveness and trustworthiness. I can recommend four such spyware checkers that I have personally checked out for effectiveness and trustworthiness. Any one of these will remove all or nearly all of the softcore spyware in your PC or laptop, and may provide a substantial improvement in performance and reliability if your system was badly infected:

1. Webroot Spy Sweeper - http://www.webroot.com/downloads/

2. Lavasoft Ad-Aware SE - http://www.lavasoftusa.com/support/download/

3. Spybot Search & Destroy - http://www.safer-networking.org/en/

4. Microsoft's GIANT AntiSpyware - http://www.giantcompany.com/

Spy Sweeper is the best of the free demos, and is also unusually good at removing any hardcore spyware from your system. It has a 30-day demo period. Spybot Search & Destroy is the best bargain by far. It is very powerful and free, with a donate-only-if-you-like-it revenue model, but it has also been around long enough that it is often specifically targeted by hardcore spyware. Ad-Aware SE Personal is especially thorough at finding softcore spyware. It is free for home or educational use, but is a bit of a resource hog and cannot run alongside other applications. Until it was purchased by Microsoft on December 16, 2004, GIANT AntiSpyware was a free demo with the best overall features, including in particular hardcore spyware removal, of any of the tools listed here. Microsoft plans to make a version of it available for Windows, but for now it must be purchased.

Finally, a note of caution: Never select spyware checkers based solely on their own advertising. Since this is a relatively new market, there are still some very shaky products around, including spyware checkers that do more harm than good, such as by removing the wrong files. There are also more than a few cases in which a spyware checker is actually itself a form of spyware. Due to such issues, I strongly encourage readers of this document to verify all spyware checker recommendations independently, including the ones I have just made. Good resources for making such assessments include reviews of the applications in major magazines or on accepted web resources such as TUCOWS.


Q: How can I avoid accumulating more softcore spyware?

A: Use a browser other than the default one on Windows. Despite many helpful changes in the early 2000s, Internet Explorer remains the single most significant entry point into Windows systems for both softcore and hardcore spyware. Changing browsers can help tremendously by removing a major entry point for such spyware.

Mozilla Firefox (http://www.mozilla.org/products/firefox/) not only follows excellent browser safety practices, but also provides convenient functions such as tabbed browsing, in which new pages are located on tabs instead of separate windows. Also, look into adding a software firewall such as the free Sygate Personal Firewall (http://www.tucows.com/preview/213160.html). While firewalls are aimed more at keeping out hardcore spyware, they also reduce softcore accumulation by increasing overall security.


Q: What is hardcore spyware?

A: Hardcore spyware attempts to take control of your computer system and/or personal identity for purposes that are almost never legal. It is comparatively less common, but far more dangerous, than softcore spyware. Examples include keyloggers that capture everything you type and send the records off to remote locations, and Remote Administration Terminals (RATs) that allow remote users to take more-or-less complete control of your computer. As defined here, hardcore spyware includes applications such as Trojans that attempt to take over your computer. Since all such applications share an intent to steal your data and resources, and since they are all for that very reason detected and removed by all the major spyware checkers, the phrase hardcore spyware provides a convenient name for any type of steal-your-resources software that must be removed before you can use your system safely.


Q: Isn't hardcore spyware so rare that I don't need to worry about it?

A: As of late 2004, hardcore spyware has become so common that everyone should be worrying about it. In the late 1990s, hardcore spyware was almost certainly less common than now because of its need for time-consuming "tending" by whoever planted the spyware. What has changed in the early 2000s is a dramatic increase in the use of automated methods to place and monitor hardcore spyware. With automated placement, any home or small business Windows system with even a minor security hole becomes a candidate for hardcore spyware. Consequently, a home network with broadband access, teenagers, and one or more old (e.g., 98SE) Windows PCs or laptops is now likely to have keyloggers and RATs somewhere in it. Fortunately, the ability of spyware producers to absorb and fully use the resulting flood of random personal data seems to be lagging behind their ability to install the spyware that collects it. Nonetheless, the financial and security implications of such high levels of data leaks from hardcore spyware are truly frightening when multiplied by the global size of the Internet. The fact that control can go in the other direction, allowing manipulation of data and even applications on affected computers, is even more worrisome.


Q: Don't most spyware checkers find and remove hardcore spyware?

A: Technically, yes, since any good spyware checker is aware of hardcore spyware and is nominally capable of removing it. In practice, even using a good spyware checker on a regular basis is more likely to result in a false sense of security than a PC or laptop that is free from hardcore spyware.


Q: Why is hardcore spyware so difficult to remove?

A: In sharp contrast to softcore spyware, hardcore spyware typically includes an impressive array of stealth and counter-attack capabilities of its own. Advanced forms of hardcore spyware can have detection and response capabilities comparable to, or even exceeding, those of the spyware checkers trying to find them. Furthermore, they are often designed to have specific knowledge of major virus and spyware checkers, just as major spyware checkers have knowledge of them. The result is that when hardcore spyware and good spyware checkers are placed on the same system, the outcome is more akin to outright warfare than to a simple checklist scan for cookies and bad programs. Hardcore spyware uses its stealth, counter-attacks, and knowledge of virus and spyware checkers to hide itself, disable common spyware and virus checkers, and even take over virus and spyware checkers for its own purposes.

For example, I recently checked out one Windows 98SE PC using three fully updated spyware checkers, and all three of the checkers declared it to be free of spyware. I then tried another more recent spyware checker, and uncovered a keylogger and two RATs! It turned out that the spyware (or more likely its human owners) had compromised the top-end virus checker on the system, allowing the spyware to take over its privileged position within the Windows operating system. From this deeply entrenched position the spyware was partially able to prevent spyware checkers from detecting it, and fully able to prevent me from removing it. I was unable to remove the spyware until I took the system offline and fully deinstalled the virus checker.

I have since encountered variations of this same strategy in other versions of Windows, using virus checkers from other vendors. The ease with which I have encountered it and the variety of systems and applications involved indicate that it may be a far more common problem than one might expect. Since a spyware application that uses this approach is infecting the "immune system" of a PC or laptop, my friend David J has suggested for them the appropriately ominous acronym Shiva, for Spyware HIV-like Attacker.


Q: What is a "Shiva?"

[Added 2005-06-18]
A: A Shiva is a program or configuration of system utilities that protects spyware either from being detected or from being removed. Shivas often take over well-known, widely-used virus and spyware checkers to help protect their client spyware programs. This tendency to take over the application "immune system" of a computer is the source of their full name, Spyware HIV-like Attackers (by Bollinger from a suggestion by David J), for which Shiva is the acronym. Possibly because they are not well recognized as a problem, spyware checkers do not typically look for Shivas. This makes it necessary to find them indirectly, such as by looking for unexpected offline reinstallations of previously removed spyware, or by deinstalling and then reinstalling potentially infected virus and spyware checkers to see if fresh installs detect additional spyware.

The dangers of having Shivas in systems cannot be overstated, since they lull users into thinking they are "safe" when in fact they are almost certainly infected with some of the most dangerous forms of hardcore spyware. For example, a Shiva is often part of a trio that also includes a keylogger and a Remote Access Terminal (RAT). In such a trio the keylogger gives a remote user access to your passwords, the RAT allows full remote access to your computer, and the Shiva keeps the keylogger and RAT from being removed by ordinary virus and spyware scans.


Q: Is it OK to use a PC or laptop with hardcore spyware on it?

A: No. A computer infected with hardcore spyware should literally be treated as if it belongs to someone else -- more specifically, someone who is entirely willing to steal your computer, your finances, and even your identity. Even if they are not interested in your personal data, they may choose to use your computer as a node in an illegal undertaking. As for privacy, the first preference of the new remote owner of your computer will be to capture all your keystrokes, since they are compact and can be transmitted with less chance of detection. It is worth noting that an especially nosy remote user can just as easily use a RAT to configure your computer to capture audio or even video from attached microphones or video cameras.


Q: Is it OK to use a PC or laptop with hardcore spyware if I stay offline?

A: No. While keeping a PC or laptop with hardcore spyware offline reduces the risk of it being used as an active part of an illegal network, it does not keep hardcore spyware from capturing and storing personal data collected from the keyboard and other input devices. If at any point you reconnect to the Internet, the spyware can send out its stored logs of devices such as keyboards during that connection.


Q: Is it OK to use a PC or laptop with hardcore spyware for gaming only?

A: No. While using a PC or laptop for nothing but gaming reduces the odds of it being used to acquire personal or financial data about you, it is much more difficult to keep all personal data off such systems over long periods. For example, if other systems in a home go down, the temptation to use an infected system for "just a while" can be overpowering if the hardcore spyware does not cause any obvious symptoms. Finally, while using a system for gaming only does reduce the odds that hardcore spyware can collect information on you from your keyboard, it does not prevent hardcore spyware from hijacking other increasingly common types of input devices such as microphones and video cameras. While the high bandwidth of audio and video logging makes such input devices less attractive than keylogging to most categories of malicious remote users, the internal design of most operating systems makes audio and video about as easy to capture -- if not easier -- than keyboard inputs.

In addition, specific categories of malicious users (e.g., porn nets) may actually prefer video capture and be willing to risk the additional attention that their extra bandwidth use can cause.


Q: Surely, spyware attacks are not as common as all this implies?

A: On a typical home system with wideband connections, casual attempts to break into my systems occur about once every ten to thirty seconds. By far the most common attempt is a query to Microsoft Directory Services (also called Port 445) to look for shared Windows resources such as printers or folders, both of which are extremely common in home networks. Most hardware routers do not even bother to log such attempts unless you ask them to, since they are so common that a user would spend all their time responding to reported incidents. My own experience with more subtle break-in attempts indicates that hardcore spyware such as Cool Web Search (CWS) attempts to place itself into well-protected, heavily firewalled systems, often successfully, with a frequency of about once per day. Most such break-in attempts appear to occur through applications that connect automatically to the Internet, combined with unfixed security holes in loadable Microsoft Windows software modules (called DLLs). This does not mean that such applications are directly infected by spyware; it just means that clever spyware can use them easily.

Skeptics should examine the daily SANS overview of network exploits, located at http://isc.sans.org/top10.php. A blunt-spoken but also distressingly accurate assessment of the dangers of Port 445 and several other Windows ports can be found at the Gibson Research Corporation's Shield's UP!! site, http://www.grc.com/port_445.htm.
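One way to see the background rate of Port 445 probes described above for yourself is to count them in your own firewall's logs. The script below is an added example and not part of the original FAQ: it parses firewall log lines in the netfilter/iptables "LOG" style (the "INBOUND" log prefix, the sample lines and the 2004 year for the syslog timestamps are all assumptions), tallies inbound connection attempts per destination port, and measures the average gap between Port 445 probes.

```python
"""Tally inbound connection attempts from firewall log lines.

Added example: the FAQ observes unsolicited probes every 10 to 30 seconds,
mostly against Port 445 (Microsoft Directory Services). This script counts
inbound attempts per destination port and measures the mean interval
between Port 445 probes, so the scanning rate is measured, not guessed.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# syslog timestamps carry no year; the FAQ's year is assumed for date math
ASSUMED_YEAR = 2004

# Constructed sample lines in iptables "LOG" target style with a syslog
# prefix. The "INBOUND" tag is an assumed log prefix set on the router.
SAMPLE_LOG = """\
Dec  1 10:00:00 gw kernel: INBOUND IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3421 DPT=445 SYN
Dec  1 10:00:14 gw kernel: INBOUND IN=eth0 SRC=203.0.113.55 DST=192.0.2.10 PROTO=TCP SPT=1143 DPT=445 SYN
Dec  1 10:00:31 gw kernel: INBOUND IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=2218 DPT=135 SYN
Dec  1 10:00:40 gw kernel: INBOUND IN=eth0 SRC=203.0.113.2 DST=192.0.2.10 PROTO=TCP SPT=4001 DPT=445 SYN
Dec  1 10:01:02 gw kernel: INBOUND IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3422 DPT=139 SYN
Dec  1 10:01:05 gw kernel: INBOUND IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=1777 DPT=445 SYN
Dec  1 10:01:06 gw kernel: OUTBOUND IN= OUT=eth0 SRC=192.0.2.10 DST=93.184.216.34 PROTO=TCP SPT=50000 DPT=80 SYN
"""

# Only lines tagged INBOUND count; outbound traffic from our own host is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: INBOUND .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Dict]:
    """Return a record for an inbound log line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # collapse the double space in "Dec  1" before parsing the timestamp
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {
        "time": ts.replace(year=ASSUMED_YEAR),
        "src": m.group("src"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def inbound_probes(log_text: str) -> List[Dict]:
    """Parse every line and keep only the inbound connection attempts."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r is not None]


def port_counts(records: List[Dict]) -> Counter:
    """Number of inbound attempts per destination port."""
    return Counter(r["dpt"] for r in records)


def distinct_sources(records: List[Dict], port: int) -> int:
    """How many different source addresses probed the given port."""
    return len({r["src"] for r in records if r["dpt"] == port})


def mean_interval(records: List[Dict], port: int) -> Optional[float]:
    """Average seconds between successive probes of a port (None if < 2)."""
    times = sorted(r["time"] for r in records if r["dpt"] == port)
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return sum(gaps) / len(gaps)


def summarize(log_text: str) -> Dict:
    """Build the summary a home user would want: volume, ports, 445 rate."""
    recs = inbound_probes(log_text)
    return {
        "total_inbound": len(recs),
        "by_port": dict(port_counts(recs).most_common()),
        "port445_sources": distinct_sources(recs, 445),
        "port445_mean_gap_s": mean_interval(recs, 445),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real router, feed it the exported firewall log instead of SAMPLE_LOG; a Port 445 mean gap in the tens of seconds from many distinct sources is the automated background scanning the FAQ describes, not a targeted attack.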


Q: If I reformat all the disks on my computer and reinstall Windows, will that eliminate all spyware?

A: This will of course also obliterate every application, update, personal customization, and personal file that you have placed on your system over the months or years that you have had it. Nevertheless, yes, if you have an old PC or laptop that has nothing valuable on it (often a surprisingly risky assumption), and if you can reload Windows directly from original CDs or from verifiably undamaged hard disk partitions, then the resulting refurbished system should be free of both hardcore and softcore spyware.

With that said, please also note that as soon as you reload saved data or applications from your old system, download a new Internet application from an untrustworthy site, attempt to update your Windows software without proper protections, or simply reconnect to the Internet without proper protections, you run a substantial risk of reintroducing spyware into your system.

At the very least, be sure to install a firewall before attempting to connect your newly refurbished system to the Internet. If you do not, you run a substantial risk of acquiring new hardcore spyware in as little as a few seconds (if you have locally shared resources such as printers or folders) to a few days (for spyware that exploits more subtle security holes).


Q: What can I do to remove hardcore spyware without obliterating my data and applications?

A: Hardcore spyware is far more difficult to detect and remove than softcore spyware. A procedure for detecting and removing hardcore spyware can be found at the following web site, which is also the source of this FAQ:

http://www.terrybollinger.com/spyware/

The procedure described at the above site uses the same spyware checkers mentioned above, but in combination with other tools and with procedures that greatly increase your odds of finding and removing hardcore spyware from your PC or laptop.


Q: How can I minimize future hardcore spyware break-in attempts?

A: Use firewalls -- at least one, and preferably two. If you have more than one computer in your home, your first firewall should be built into your router, the device that allows your PCs or laptops to talk to each other and share your broadband line. If you have broadband and do not have a router with a built-in firewall, you should seriously consider getting one. They are relatively inexpensive, typically costing less than a hundred or so write-once CDs.

Your second firewall should be software. For this, I highly recommend the free-for-personal-use Sygate Personal Firewall, which TUCOWS gives its highest rating for any firewall, either free or purchased:

http://www.tucows.com/preview/213160.html

If you have a tight budget or are using dial-up access only, at least get the Sygate firewall, since it is free and provides an excellent approximation of a hardware firewall.


Q: If I use a Mac, do I need to worry about spyware?

A: Yes, but not as much. Viruses and spyware are both far less common in Macs than in Windows PCs or laptops. Ironically, one of the areas where viruses and spyware are more likely in Macs is applications ported from Windows. Virus and spyware checkers both exist for Macs, but are beyond the scope of this FAQ.

If you are deeply concerned about spyware, have the money to buy a new and somewhat pricey computer, and prefer not to deal with the details of your operating system, a Mac is definitely worth considering.


Q: If I use Linux, do I need to worry about spyware?

A: Yes, but not as much. As with Macs, viruses and spyware are both far less common in Linux than in Windows systems. Virus and spyware checkers both exist for Linux systems, but are beyond the scope of this FAQ.

If you are deeply concerned about spyware, would prefer to reuse your existing computer system instead of buying a new one, and enjoy diving into whatever level of detail you choose in your operating system, buying or downloading Linux is definitely worth considering. Current Linux systems have very good compatibility with almost any kind of PC or laptop, strong graphical user interfaces, and a remarkably rich variety of free applications, many of which would have to be purchased separately for Windows or Mac systems. Be sure to get a version that comes with a firewall preinstalled by default, unless you are already familiar with how to install a Linux firewall.


Q: What is the most spyware-proof operating system available?

A: Probably OpenBSD (http://www.openbsd.org/). OpenBSD is a distant cousin of the current Macintosh operating system, since both are originally based on the BSD Unix code base. OpenBSD tends to do well at resisting spyware break-ins because it has been scoured for over a decade by a group of users whose dedication to security can only be described as fanatical, in the best sense of the word.

Unfortunately, although it runs on PCs, OpenBSD is not intended for everyday users. It is more a tool for system administrators who want to have very high levels of confidence in the security track record of the operating system they are using.


Q: I used backtracking tools in my spyware checker to find the source of an attack. What should I do?

A: Usually nothing. If the site appears to be owned by a reputable hosting or communications company, you may at most want to send the system administrator of the site a polite email including a copy of what you found. A good default strategy is to use the same level of politeness you would use to talk to a fellow victim, since the chances that you have actually found the real source of such an attack are almost vanishingly small. As of late 2004, most such attacks are automated attacks coming from other web sites that have been infected in much the same way as yours, and the owners of such sites are seldom aware of what is going on. This means that in most cases you are commiserating with fellow victims, rather than identifying the real culprits.


Q: Who is creating all of this spyware?

A: For softcore spyware, the answer is easy: Advertisers. The Internet has created an instantaneously available global market, and a marketer who can exploit even a very tiny sliver of that market often stands to make a sizable profit. This has created a cyberspace feeding frenzy of marketers vying to place annoying ads on your PC or laptop. The resulting effect on the target, your computer system, is about what you would expect from any good feeding frenzy.

For hardcore spyware there are two answers. The first one, surprisingly, is that much of the software used for hardcore spying is derived from software created for legitimate purposes. Remote administration applications are a good example, since the ability to control hundreds or thousands of PCs remotely is a useful and highly cost-effective capability when used legitimately within a large corporation or enterprise. The same capability can create horror stories when used illegally to take over other people's computers and identities.

A much stranger and far more debatable commercial source of spyware is the sale of applications for self-spying, either on your own system or on members of your household or small business. For example, such software might be used by people who are away from their computer and want to verify that it is not being abused in their absence. Apart from ethical and legal debates, the biggest practical problem with such products is that they are usually trivially easy to adapt for use as hardcore spyware against almost anyone. About half of the keyloggers I've seen are "legitimate" self-tracking packages that are being used for hardcore spying.

The second answer is that no one really knows where some spyware originates. For example, the creators of the very hardcore Cool Web Search (CWS) application are exceptionally good at covering their tracks, and take a perverse delight in obfuscation. The people who support CWS, for example, like to misdirect angry victims to the site of the computer science student (http://www.merijn.org/) who created the best available tool for removing it, CWShredder (http://www.intermute.com/spysubtract/cwshredder_download.html).

A further complication in analyzing the sources of hardcore spyware is that the creators of a particular spyware application are seldom its only users. Hardcore spyware creators are pretty much by definition highly opportunistic, and so will grab whatever spyware tools serve their purposes best, regardless of who originally created them. In several systems I have looked at, the behaviors of diverse spyware applications were closely coordinated, indicating that a single group or individual had placed them. For example, different spyware applications would share identical installation dates, and would all re-emerge at the same time when any attempt was made to use the fully subverted out-of-date virus checker on the system. A particularly common form of multiple spyware use is to infect a system with a RAT/keylogger pair, since this provides the remote user with the passwords and detailed system information needed to achieve near-total control of your system.

While it is always hard to identify the specific individuals behind a given hardcore spyware attack, it is easy to identify some of the incentives behind such attacks. Early coordinated networks of spyware (spynets) tended to be financially motivated, such as ones created to skim very small percentages of funds from a large number of victims. The game in that case is that if the individual amounts stolen are small enough, it is likely that even tens of thousands of victims will fail to notice them, ignore them as insignificant, or be too afraid of the consequences of announcing their lack of security to respond.

Spynets also steal computer resources for their own sake. Spynets grow more powerful and dangerous as they increase in size, and the way they grow is not by adding legitimate resources, but by capturing and adding more computers. Porn networks are notorious for this kind of capture and exploitation of local PCs and laptops, placing their materials on the systems of unsuspecting users and then using the broadband access of those users to further distribute their wares.

Industrial and international espionage -- true spying -- are likely to be behind some spynets, since poorly protected home computer systems are one of the easiest targets in existence for collecting data on what employees of technology companies and government agencies are doing at work. As of late 2004, however, most companies and government agencies are so poorly protected against hardcore spyware that the focus of hardcore spyware may be shifting away from home systems and towards direct attacks on the main systems of the primary corporate and government targets.

Another category of hardcore spyware incentives is opportunist blackmail. While hardcore spyware in one household is unlikely to come up with material that reaches blackmail potential, a spynet with hundreds of thousands of nodes is likely to uncover hundreds of examples of potential blackmail. Households also inadvertently create opportunities for "pure embarrassment" blackmail by leaving audio and video feeds open on infected PCs or laptops with broadband access.

The most worrisome incentive of all is spynets that troll to capture high-leverage computers -- that is, computers whose specific roles give them very high value to the right bidder. Obvious examples from this category include computers used to tabulate electronic-only votes and military command and control computers, but more subtle examples could include misdirection of key pieces of information during a coordinated physical/cyber attack, such as a biological attack.

Finally, there is undoubtedly a small percentage of spyware that has been court authorized and is performing fully legal "computer tapping" of people for whom there has been significant prior evidence of criminal activity. This category, however, is necessarily very small compared to what is going on in 2004, which is a free-for-all in nearly every computer that is attached to a DSL line. Essentially every other form of hardcore spyware should be, and hopefully in time will be, made illegal. In particular, sufficiently severe criminal penalties are needed for even casual use of hardcore spyware to help establish some kind of reasonable rule of law in cyberspace.


Q: Recent elections have seen the rise of pure electronic voting. Is spyware an issue in electronic voting?

[Last updated 2005-06-18]
A: I am not aware of any rumors of spyware affecting elections. However, both the motives of spyware creators and the way in which computers are being used in elections argue that the danger of malicious groups influencing democratic elections is significant, and that the danger increases very rapidly if the election is made all-electronic. The counter for this danger is surprisingly simple: All elections should create and retain physical, non-electronic copies of every original vote, just as elections have been done for hundreds of years. If physical voting records prove to be ambiguous -- e.g. the infamous dangling chads of the 2000 U.S. Presidential elections -- then the correct solution is to design voting machines that minimize the physical ambiguity of each voting record, such as by ensuring full removal of every selected chad.

Far from removing doubt, converting voter records from physical to all-electronic form enormously increases ambiguity in two ways. Firstly, since computer storage is by design immensely easier and faster to alter than physical media such as cards, the number of results that can be altered convincingly within a short period of time increases vastly, often by a factor of millions or more. For example, it is easy to come up with scenarios in which millions of magnetic disk based voting records can be believably altered within a single minute, whereas the impossibility of "repairing" punched holes in a physical card means that it cannot be altered in any amount of time. This forces physical voter fraud to rely on more easily spotted methods, such as large scale replacement of valid card records with counterfeit ones. Secondly, since for cost reasons electronic voting systems for large (e.g., national) voting must rely at least in part on publicly networked resources such as the Internet to collect and tally results, all-electronic records are at various points in their processing exposed to a much larger number and range of potentially malicious groups than is possible with physical records kept in a locked and guarded room. And while current computer technology can provide reasonable safeguards (e.g., encryption) against public attacks on such pathways, this is only true when the voting infrastructure is itself fully verified to be secure. Given the current levels of undetected spyware in many computing platforms, wagering the results of an election on the assumption that the voting infrastructure is fully and completely free of malicious software would be a risky bet indeed.

Also, it should be noted that an election need not be fully electronic for it to be affected by spyware. Since nearly every modern election relies on computers to collect and tabulate votes, the easiest scenario by which hardcore spyware could subvert an election is to alter the tabulation process. This requires subversion of a much smaller and more easily handled number of machines than does direct subversion of voting records. Consequently, the number of elections in the world that in principle already could have been influenced by hardcore spyware is surprisingly large. On the positive side, well-designed election processes traditionally include extensive checks and balances to prevent more mundane forms of election fraud. Provided that the people performing such checks and balances are not overly trusting of computer results, such safeguards would hopefully also detect the kinds of mismatches between raw counts and tabulated results that would be produced by hardcore spyware.

However, given that many elections are not done so carefully, and given the rise of more easily subverted pure electronic elections, I would judge that it is nearly a certainty that at some point hardcore spyware will alter the final results of an election somewhere in the world, if this has not already occurred. It is interesting to note that in terms of windows of opportunity, early 2004 was likely close to being the ideal time for such an attempt. At that time, spyware had already grown to epidemic proportions, while public and especially government awareness of its prevalence and risks was close to nonexistent. Fortunately, as of late 2004 there has been an increase in government recognition of the dangers of hardcore spyware, such as when the United States declared hardcore forms of spyware such as RATs to be illegal in late 2004. If public and government awareness of the spyware threat continues to grow in 2005, and if the difficulty of removing hardcore spyware is recognized and addressed with very thorough attempts to avoid, detect, and remove hardcore spyware from election-related systems, this non-trivial risk to the global democratic process should hopefully begin to decline.

Evaluating the preconditions needed for hardcore spyware to affect the results of an election provides some idea of the level of risk. The first precondition is a failure to check meticulously for hardcore spyware in the computer systems used to collect and tabulate electronic votes. By mid 2005 general awareness of the dangers of spyware had increased significantly, but the extent and danger of hardcore spyware was still underestimated by most computer users. The second precondition is that the computers involved must spend significant periods of time connected to the Internet, such as to exchange data or to coordinate the vote tabulation process. A totally isolated network with no physical connections to the Internet would be vastly safer, but would also be very costly. This precondition is thus also unfortunately likely true for many cost-conscious early forms of electronic voting. The third precondition is that the operating system used in voting systems must be one sufficiently familiar to spyware creators to allow them to create or use sufficiently powerful hardcore spyware such as RATs (Remote Access Terminals). This precondition is most likely to be met if the designers of the voting systems choose to use a version of Windows, and especially if they happened to choose an older version of Windows, such as Windows 2000 or Windows 98SE. The final precondition is that no physical record of individual votes is kept. As mentioned earlier, this is not essential, since spyware can simply influence tabulation systems without bothering with vote collection systems. However, having the entire voting process exist solely in cyberspace enormously increases the likelihood that a malicious spyware network could influence an election significantly without being detected. From the perspective of any spyware networks interested in influencing an election, not keeping physical records of votes is like the government providing a built-in vote laundering system. That is, it allows the spyware network both to create any fantasy they desire and to obliterate any inconvenient evidence to the contrary. Electronic measures to protect results, such as widespread duplication, may not be as effective as one would expect if the spyware has about the same level of control of the systems as a system administrator would. Such an extreme level of remote control is a real possibility if the voting system has been infected by RAT/keylogger pairs.

If the above preconditions exist, a spynet with enough participating nodes could manipulate the results of an election at multiple levels, from initial vote collection through final tabulation and certification. This would allow the spynet both to hide its actions and to construct a plausible overall fictional scenario for how any highly unexpected election result could have occurred.

It is hard to emphasize how bad an idea pure electronic voting is in a world where spyware is far more common than means for detecting it. As of late 2004, the danger in any country or state using purely electronic elections is threefold. The first danger is that at this time the level of undetected hardcore spyware in home, small business, and likely even in large enterprise systems is far too high for voting to rely on technically similar classes of systems. The second danger is that the nature of the voting process unavoidably creates highly tempting targets for groups interested in cyber manipulation of world affairs, both due to the extraordinary criminal value of being able to alter the results of a national election, and because from a technical risk perspective the process of collecting and tabulating votes unavoidably creates both highly replicated processes and critical summarization points, both of which are examples of risk points for which relatively small amounts of technical effort could result in dramatic changes to the outcome. The third danger is that by choosing to use a purely electronic voting process, a skilled spyware network is provided with a greatly improved opportunity to create a plausible and fully self-consistent fictional election scenario.

For voting processes that have been upset by the "dangling chad" phenomenon, the most powerful tool for removing ambiguity in the future is to design better physical voting machines that ensure both that a card is very unlikely to be ambiguous, and that the voter can easily verify that the vote recorded is the one that the voter intended. Faster but less trustworthy electronic vote counting could still be used to tally votes quickly, but only as long as the overall process ensures that the slower physical counting or recounting of untainted physical voter records always overrules electronic results.
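The reconciliation rule just described (electronic tallies for speed, physical records as the authority, and a check on the summarization step that tabulation-stage spyware could alter) can be written down as a simple audit procedure. The code below is an added illustration, not part of the FAQ, and all precinct names and counts in it are constructed sample data.

```python
"""Added illustration (not from the FAQ): reconcile electronic tallies against
physical ballot records, with the physical count overruling on any mismatch."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Precinct:
    name: str
    electronic: Dict[str, int]                   # candidate -> machine-tabulated count
    hand_count: Optional[Dict[str, int]] = None  # candidate -> paper-ballot count, if audited


@dataclass
class Reconciliation:
    summation_ok: bool                    # precinct tallies really add up to the reported total
    mismatched: List[str] = field(default_factory=list)  # precincts where paper != machine
    overruled: bool = False               # True: physical count must replace electronic result


def reconcile(precincts, reported_total, tolerance=0):
    """Check the summarization step, then audited precincts against paper ballots."""
    # (1) Tabulation-stage subversion can alter the summary without touching the
    #     per-precinct records, so recompute the total from the precinct inputs.
    recomputed: Dict[str, int] = {}
    for p in precincts:
        for cand, n in p.electronic.items():
            recomputed[cand] = recomputed.get(cand, 0) + n
    summation_ok = recomputed == reported_total

    # (2) Where a precinct's paper ballots were hand-counted, they are authoritative.
    mismatched = []
    for p in precincts:
        if p.hand_count is None:
            continue
        for cand in set(p.electronic) | set(p.hand_count):
            if abs(p.electronic.get(cand, 0) - p.hand_count.get(cand, 0)) > tolerance:
                mismatched.append(p.name)
                break
    return Reconciliation(summation_ok, mismatched,
                          overruled=(not summation_ok) or bool(mismatched))


# Constructed sample: precinct B's paper count disagrees with its machine tally,
# and the reported total for X (450) exceeds the sum of the precinct tallies (410).
SAMPLE = [
    Precinct("A", {"X": 120, "Y": 80}, hand_count={"X": 120, "Y": 80}),
    Precinct("B", {"X": 200, "Y": 50}, hand_count={"X": 150, "Y": 100}),
    Precinct("C", {"X": 90, "Y": 110}),
]
REPORTED = {"X": 450, "Y": 240}

if __name__ == "__main__":
    print(reconcile(SAMPLE, REPORTED))
```

Precinct C has no paper audit in the sample, which is exactly the gap the FAQ warns about: nothing in the electronic record alone can confirm its tally.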

Finally, no system of computers should be used for voting if it has not been rigorously evaluated for the possible presence of spyware and other forms of malicious software. As described elsewhere in this FAQ, such an examination is not trivial, and can easily be fooled by the presence of Shivas that are protecting spyware. The examination should take this possibility into account, and thus should include a process of deinstallation and reinstallation of verification tools to make sure they have not been taken over by Shivas.


Q: Are there any other types of spyware to be worried about?

A: Yes. In an ominous new trend, manufacturers are coming out with hardware spyware that is truly undetectable both in terms of the behavior of your system and, in some cases, even in terms of logs of data sent out from your system. Keyboards with built-in keyloggers can be ordered over the Internet, and can be installed without the knowledge of users.

Given the abuse that is already occurring with software spyware, the growth of hardware spyware is a very serious legal issue that needs to be addressed with criminal penalties comparable to those for illegal wiretapping.


LEGAL DISCLAIMERS: This document is provided solely as a public service for computer users having problems with spyware. I have no direct, nor to the best of my knowledge any indirect (e.g., mutual funds), financial ties with any of the tools or applications listed or recommended within this document. The views presented in this document are entirely my own and do not represent the views of my employer or of any of the customers of my employer. Removing spyware unavoidably entails risks that your computer will stop working or lose data. This procedure does not guarantee removal of all spyware. PLEASE NOTE THE FOLLOWING REQUEST FOR YOUR EXPLICIT CONCURRENCE BEFORE YOU USE ANY PROCEDURE DESCRIBED IN THIS DOCUMENT: By applying any spyware removal procedure originating either directly in this document or indirectly in documents referenced by this document, you are by your actions agreeing to the following two conditions: (1) You have sufficient legal ownership and/or administrative rights to apply operating system level changes to the computer or computers upon which you are performing any such procedure. (2) You accept all of the risks and responsibilities for any damage that could occur to your computer as a direct or indirect result of applying spyware removal procedures to the computer or computers. Please DO NOT apply any of the procedures in this document if you cannot or do not have sufficient authority to agree fully with the above two conditions.