of this category, but probably the most popular ones are the Adware-type programs. Adware is a class of programs that force unsolicited advertising on end users. The idea is that the program gathers various statistics regarding the end user’s browsing and shopping habits (sometimes transmitting that data to a centralized server) and uses that information to display targeted ads to the end user. Adware is distributed in many ways, but the primary distribution method is to bundle the adware with free software. The free software is essentially funded by the advertisements displayed by the adware program.
There are several problems with these programs that effectively turn them into a major annoyance that can completely ruin the end-user experience on an infected system. First of all, in some programs the advertisements can appear out of nowhere, regardless of what the end user is doing. This can be highly distracting and annoying. Second, the way in which these programs interface with the operating system and with the Web browser is usually so aggressive and poorly implemented that many of these programs end up reducing the performance and robustness of the system. In Internet Explorer, for example, it is not uncommon to see the browser on infected systems freeze for a long time just because a spyware DLL is poorly implemented and doesn’t properly use multithreaded code. The interesting thing is that this is not intentional—the adware/spyware developers are simply careless, and they tend to produce buggy code.
Sticky Software
Some malicious programs, and especially spyware/adware programs that have a high user visibility, invest a lot of energy into preventing users from manually uninstalling them. One simple way to go about doing this is to simply not offer an uninstall program, but that’s just the tip of the iceberg. Some programs go to great lengths to ensure that no one, especially no user (as opposed to a program that is specifically crafted for this purpose), can remove them.
Here is an example of how this is possible under Windows. It is possible to install registry keys that instruct Windows to always launch the malware as soon as the system is started. The program can constantly monitor those keys while it is running to make sure they are never deleted. If they are, the program can immediately reinstate them. The way to fight this trick from the user’s perspective would be to try to terminate the program and then delete the keys. In such a case, the malware can use two separate processes, each monitoring the other. When one is terminated, the other immediately launches it again. This makes it quite difficult to get both of them to go away. Because both executables are always running, it also becomes very difficult to remove the executable files from the hard drive (they are locked by the operating system).
Scattering copies of the malware engine throughout various components of the system, such as Web browser add-ons and the like, is another approach.
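The two-process watchdog trick described above leaves a recognizable trace in process-creation telemetry: two images that keep spawning each other. The following detection heuristic is an added example, not code from the book; it runs over constructed Sysmon-style records (time, image, parent image) and the file paths, image names and threshold are assumptions.

```python
"""Flag mutual-watchdog process pairs from process-creation events."""
from collections import Counter
from itertools import combinations

# Constructed sample (not real telemetry): svc_a.exe and svc_b.exe relaunch
# each other after every kill; explorer.exe -> notepad.exe is ordinary,
# one-directional parentage and must not be flagged.
SAMPLE_EVENTS = """\
09:00:01,C:\\Users\\u\\AppData\\Roaming\\svc_a.exe,C:\\Windows\\explorer.exe
09:00:01,C:\\Users\\u\\AppData\\Roaming\\svc_b.exe,C:\\Users\\u\\AppData\\Roaming\\svc_a.exe
09:05:10,C:\\Users\\u\\AppData\\Roaming\\svc_a.exe,C:\\Users\\u\\AppData\\Roaming\\svc_b.exe
09:05:42,C:\\Users\\u\\AppData\\Roaming\\svc_b.exe,C:\\Users\\u\\AppData\\Roaming\\svc_a.exe
09:06:03,C:\\Users\\u\\AppData\\Roaming\\svc_a.exe,C:\\Users\\u\\AppData\\Roaming\\svc_b.exe
09:10:00,C:\\Windows\\notepad.exe,C:\\Windows\\explorer.exe
09:11:00,C:\\Windows\\notepad.exe,C:\\Windows\\explorer.exe
"""


def parse_events(text):
    """Yield (child_image, parent_image), lower-cased, from 'time,image,parent' lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, child, parent = line.split(",", 2)
        yield child.lower(), parent.lower()


def find_watchdog_pairs(events, min_each=2):
    """Return {frozenset({a, b}): (a_spawned_b, b_spawned_a)} for image pairs
    that spawned each other at least min_each times in each direction.

    A single round trip (app launches updater, updater relaunches app) is
    normal, so the default threshold requires repeated mutual respawning."""
    spawns = Counter()  # (parent, child) -> number of creations
    for child, parent in events:
        spawns[(parent, child)] += 1
    images = {img for pair in spawns for img in pair}
    hits = {}
    for a, b in combinations(sorted(images), 2):
        ab, ba = spawns[(a, b)], spawns[(b, a)]
        if ab >= min_each and ba >= min_each:
            hits[frozenset((a, b))] = (ab, ba)
    return hits


if __name__ == "__main__":
    for pair, counts in find_watchdog_pairs(parse_events(SAMPLE_EVENTS)).items():
        print("mutual respawn:", sorted(pair), counts)
```

Once a pair is identified, both images must be suspended (not killed one at a time) before the autorun keys and files can be removed, which is the practical counter to the trick.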
Reversing Malware 277