How Exactly Does This Spyware Work?

I had an annoying bit of spyware pop up recently (I got rid of it with HijackThis! no problem, so I’m fine now). It was pretty subtle – it just larded in some additional search results when I used Google. For example, if I Google-searched freaky monkey sexx*, I’d get a couple legitimate hits, then “Buy freaky monkey sexx on e-bay” with an appropriate link, then a couple more legitimate hits, then something like “Buy freaky monkey sexx on sirscamsalot.com” then some more legit results, and so forth.

So my question is… how is this bit of software on my computer altering the Google search to include these bogus hits? Does it “reinterpret” a legit search page and add in its own results? Does it somehow force the Google search engine to return these oddball answers? How, exactly, does this thing work?

*completely made up for purposes of example

Most likely, it directs you to its own site, which queries Google for the links, then puts its own links in the mix. The logo and other things are stolen, which I’m sure weighs very heavy on their conscience. :rolleyes:

I had that thing for a while. It had me convinced that the various websites had gamed Google’s search engine so that their sites came up more often – thereby effectively rendering Google useless. I love my Google goodness, so this really pissed me off – these people need to be strung up by their entrails, if you ask me.

Hmmm… that’s possible. If this thing is redirecting my Google requests to another site, will that other site’s URL show up in the browser window? When I noticed the weirdness, I looked at the URL displayed, and it looked like it was still pointing to Google, although I can’t swear that it wasn’t listing “www.googgle.com” or something of that nature.

It would be possible to create a program that monitored the data coming in from your Web connection, and acted when it recognized a Google search results page. From there, it would be trivial to modify the results as you described. No need to mess with Google itself, create fake domains, or anything.

But wait a minute – and you’re going to have to use little words here for me to understand – what exactly does it do when it “acts”? Does this program somehow insert itself “between” my browser and the incoming data stream, altering the incoming data packets? Or does it somehow override the browser program itself, so that the browser doesn’t actually display the incoming page source, but rather some modification thereof?

While I can’t tell you how exactly the program works, I can say that, in general, NOT searching for “freaky monkey sexx*” will probably go a long way in keeping the spyware off your computer to begin with.

*I know I know :cool:

Yep. It’s been a while (so anyone feel free to correct), but basically, the Windows socket layer (or winsock) stack has what’s called LSP, or layered services provider. By default there are 10 subsystems in Windows that get to take a peek at data from the time it arrives to when it makes its way all the way up to your browser (or mail client, or whatever).

Valid 3rd party uses of this include firewalls and virus filters, both of which wish to intercept nasty stuff before it hits you right in the app. Invalid uses include munging http traffic to have “BuY V1@gr# N0W” links all over the place.

There are ways to inspect and reset your winsock stack, but you’ll have to look them up yourself, as time and this machine do not permit me doing it.
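Since Nanoda points at inspecting the winsock stack without spelling out how, here is an added illustration that is not part of the thread. On Windows XP SP2 and later, `netsh winsock show catalog` lists every Winsock provider, and `netsh winsock reset` restores the default catalog. The script below parses that listing and flags any provider whose DLL does not live under the Windows system directory, which is where the built-in Microsoft providers are. The output format is assumed from those Windows versions, the sample text and the “ExampleVendor” entry are constructed, and the GUIDs are placeholders; legitimate firewall and antivirus LSPs will also show up here, so a flagged entry is something to look into, not something to delete on sight.

```python
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample of `netsh winsock show catalog` output (layout assumed
# from Windows XP SP2 / Windows 7; a real machine prints many more entries).
# The second entry is a made-up third-party provider used to exercise the check.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {PLACEHOLDER-GUID-MSAFD}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        ExampleVendor Hypothetical LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {PLACEHOLDER-GUID-EXAMPLE}
Provider Path:                      C:\Program Files\ExampleVendor\lsphook.dll
Catalog Entry ID:                   1031
Version:                            2
Protocol Chain Length:              2
"""

# One "Key:   value" line of a catalog entry; the dashed rule and blank
# lines do not match because the key must be letters and spaces only.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s+(.+?)\s*$", re.M)

# Directories where the stock Microsoft providers live (64-bit Windows also
# keeps 32-bit copies under SysWOW64).
SYSTEM_DIRS = ("\\system32\\", "\\syswow64\\")


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split netsh output into one dict of fields per provider entry."""
    entries = []
    for block in text.split("Winsock Catalog Provider Entry"):
        fields = {key.strip(): value for key, value in FIELD_RE.findall(block)}
        if fields:  # the text before the first header has no fields
            entries.append(fields)
    return entries


def is_system_path(path: str) -> bool:
    """True when the provider DLL sits under the Windows system directory."""
    lowered = path.lower()
    in_sysroot = lowered.startswith("%systemroot%") or "\\windows\\" in lowered
    return in_sysroot and any(d in lowered for d in SYSTEM_DIRS)


def flag_unexpected_providers(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return entries whose DLL is outside the system directory (or missing)."""
    return [e for e in entries if not is_system_path(e.get("Provider Path", ""))]


def live_catalog() -> str:
    """Run the real netsh command (Windows only) and return its text."""
    result = subprocess.run(["netsh", "winsock", "show", "catalog"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    text = live_catalog() if sys.platform == "win32" else SAMPLE_CATALOG
    for entry in flag_unexpected_providers(parse_catalog(text)):
        print(f"{entry.get('Entry Type', '?'):22} {entry.get('Description', '?')}")
        print(f"    path: {entry.get('Provider Path', '?')}")
    # If something unwanted is confirmed, `netsh winsock reset` (as an
    # administrator, followed by a reboot) rebuilds the default catalog.
```

Run on Windows it inspects the real catalog; anywhere else it runs against the constructed sample so the parsing logic can be read and exercised.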

Just to clarify, I don’t know the specific program you’re dealing with, and I’ve never had an opportunity to take it apart and see what it does. I’m speaking of what it could be programmed to do.

When I say the program would “act,” I’m speaking of virus-like behavior. Viruses have what’s known as a trigger and a payload. The trigger could be any number of things, like the clock registering a certain time and date, or a certain program being run. In the case of this spyware, the trigger would likely be Google’s domain name appearing as the location of an incoming HTML page.

The payload is what I called “acting” in my earlier post, and it just refers to running a different part of the program (or a different program entirely).

It could be doing exactly that. Caution: I’m simplifying the bejeebers out of this process in the following description!

Nanoda described the layering system in Windows, and all modern operating systems have layered architectures of some sort. The advantage of that structure is that you don’t have to program the details of creating a socket or resolving a domain name into every single program that accesses the Internet. Think of it like this:

At the highest level is your Web browser. When you tell it to fetch www.google.com, it passes that command down a layer. The next layer down handles what it can, and then passes the rest down a layer. This process repeats until your request has been turned into TCP/IP packets and shipped out your network (or modem) port. When information starts coming back in that port, the lowest level sorts out which higher-level processes should get that information. The HTML for the Google web site is assembled and passed back up through the layers until it reaches your Web browser.

Let’s assume the spyware program has inserted itself between the Web browser and the next-lowest level. It looks at each incoming Web page and checks to see whether it’s Google search results. If not, it passes it on unchanged. If it is a search result page, it unleashes the payload process.

The payload process parses the page to find the search terms (trivially easy to do), and then inserts the fabricated results you mentioned in between the real results.

I don’t know if this is how the actual program you were infected by is working, but it’s certainly one way to do it.

If this thing is actually viral, it could attach itself to your Web browser and change the browser’s behavior. That would be much more complicated to create, as it would have to understand each version of each Web browser that you might possibly be running. The way I first described it, it would affect any browser program you used, even the ones embedded in other programs.

Oh, that’s all right – my question was intended to be more in the vein of “how could this possibly be done?” rather than “how exactly is this being done?”, which your answer, and Nanoda’s, covers pretty well.

:slight_smile: I swear to God I was doing something legit – I was actually hunting down song lyrics for a word puzzle, and Googled up some German site that was filled with spyware. Bastards.

Seems to me it could also act as a DNS host, and resolve the google.com domain to somewhere else (perhaps another part of the program on your own computer, perhaps somewhere off in the internet) and that program could query google, insert the results, and present the page to the browser, which will think it’s the page produced by the google.com domain.

I dunno if this is possible, but I can’t see why it shouldn’t be.