r9 - 13 Jun 2007 - 20:52:26 - JeffersonCowart

How did spyware manage to infect my computer?

There are two basic "vectors" for malware to get onto your PC: piggybacking on other applications, and "drive-by" installs through Internet Explorer.

Piggybacking and Bundling

There are two kinds of "ad-supported" applications. The benign kind has an advertising system built into itself, that shows you advertising while the application is running, and which has no effect on the system when the application is not. The banner ads in the unregistered versions of Eudora and Opera fall into this category.

The other kind of ad-supported application installs a separate advertising system onto your computer that runs all the time, whether the ad-supported application is running or not. These advertising systems have names like CyDoor, Gator (who have renamed themselves "Claria" to hide their tracks), TopText, etc. Sometimes the application will warn you about the bundled advertising system; sometimes it will not. Sometimes uninstalling the application will get rid of the bundled advertising system, but usually it will not.

These advertising systems will show pop-up ads, sometimes when you're not even browsing. Some of them will change the banner ads or links on web pages. Often, they are self-updating, and will sometimes install other advertising systems, or alter your system's security settings to allow for easier drive-by installs. (See below.) They are classic browser parasites.

Common piggyback sources of advertising malware are most popular file-sharing applications that aren't open-source (including Kazaa, iMesh, LimeWire, Morpheus, WinMX, Xolox, and others), the free version of DivX Pro (which installs Gator), GoZilla (which has a veritable raft of junk), InternetWasher (ditto), and many "free" applications found on sites like download.com.

Most add-on toolbars for Internet Explorer are malware sources. This includes (but is not limited to) MySearchBar, DashBar, Xupiter, HotBar, UCMore, and many others. The Google and Yahoo toolbars are safe.

There is another class of application which might be considered "ad-supported", if there were any functionality other than the advertising. Things like DownloadWare/NetworkEssentials, Comet Cursor, Bonzi Buddy, the Gator/GAIN "applications" (DashBar, PrecisionTime, DateManager, and eWallet), Internet Optimizer, and the infamous eAcceleration package (including "Stop Sign") are like this. They masquerade as useful applications, but provide no substantial functionality and are merely a ruse to get their advertising software onto your computer.

To sum up: pay attention to what you're downloading and installing. If it's free, there may be a reason for that.

Drive-By Installs

The second (and harder to deal with) method for acquiring malware is through "drive-by" software installs in Internet Explorer. IE supports a technology called ActiveX, which allows website creators to embed small programs in their sites (called "ActiveX controls"), which can then call larger programs (such as software installers). Theoretically, there are safeguards to prevent unauthorized code from being run on your computer when you visit a website; you should normally see a dialogue box asking you if you want to install and run a given ActiveX control. When this technology is used correctly, it lets you install software like Macromedia Flash or Apple QuickTime from a website without having to download a separate installer. It's also the technology that drives Microsoft Update.

Unfortunately, there are problems with the implementation of ActiveX. The problems boil down to this:

  • Security holes in some versions of Internet Explorer that can be exploited by malicious website creators to install ActiveX controls without prompting
  • One malicious application can change the security settings on Internet Explorer so that all ActiveX controls (including malware) can auto-install without prompting
  • Deceptive pop-ups can lead uninformed users to install malicious applications, believing them to be important system updates, or software required to view a site

This means that a system with an out-of-date version of Internet Explorer, or with incorrect security settings, can be infected with a huge amount of malware just by visiting a single website. And even a correctly-configured and up-to-date system can be infected if a user makes a single incorrect choice on the wrong website.
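The second bullet above (a malicious application weakening IE's security settings so ActiveX controls auto-install silently) is something you can audit directly. The following PowerShell script is an added example, not part of the original FAQ; it assumes the per-user Internet zone settings live under the documented registry key `HKCU:\...\Internet Settings\Zones\3`, with value names 1001/1004/1200/1201 and the documented encoding 0 = Enable, 1 = Prompt, 3 = Disable, and it flags any setting that is less restrictive than a conservative baseline.

```powershell
# Added example: audit the Internet Explorer "Internet" zone (zone 3) for
# ActiveX settings that would let a site install controls without a prompt.
# Assumed key and value names follow Microsoft's documented zone layout.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Value name -> the setting it controls in the IE security zone dialog.
$activeXSettings = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}

# Conservative baseline: 0 = Enable (silent), 1 = Prompt, 3 = Disable.
# A lower number is less restrictive, so "current < expected" means weakened.
$baseline = @{
    '1001' = 1   # Prompt before downloading signed controls
    '1004' = 3   # Never download unsigned controls
    '1200' = 0   # Running already-installed controls is normal (Flash, Update)
    '1201' = 3   # Never script controls not marked safe
}

function Test-IeActiveXZone {
    param([string]$Path = $zonePath)
    if (-not (Test-Path $Path)) {
        # Missing zone key: report it rather than silently passing.
        return @([pscustomobject]@{ Value = '(key)'; Setting = "Zone key not found: $Path";
                                    Current = $null; Expected = $null; Weak = $true })
    }
    $props = Get-ItemProperty -Path $Path
    foreach ($name in ($activeXSettings.Keys | Sort-Object)) {
        $current = $props.$name   # DWORD, or $null if the value is absent
        [pscustomobject]@{
            Value    = $name
            Setting  = $activeXSettings[$name]
            Current  = $current
            Expected = $baseline[$name]
            Weak     = ($null -ne $current) -and ($current -lt $baseline[$name])
        }
    }
}

# Print the audit; any row with Weak = True deserves a look.
Test-IeActiveXZone | Format-Table -AutoSize
```

A system where 1001 or 1004 reads 0 will download ActiveX controls from any Internet site without asking, which is exactly the state the bullet list describes; resetting the zone through Internet Options (or a restore of the baseline values) closes that door again.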

In addition to the problems with ActiveX, there are also many other security holes in Internet Explorer that can be exploited to install malware. These include bugs in IE's handling of MIME types, in the Microsoft Java implementation, and in Microsoft's scripting languages. Many of these security holes have not been fixed, even in the most current versions of Internet Explorer. Exploits using these bugs are much rarer than ActiveX exploits, and are often only usable in specific circumstances, but they are still a problem.

There are also sites that try a very simple trick: they begin an automatic download of an installer (usually an EXE file), in the hopes that the user will either instinctively or accidentally hit "Open" instead of "Cancel". If the user hits "Save", then they'll have the installer sitting on their desktop or in their download directory, and they might accidentally run it later. This kind of attack isn't limited to Internet Explorer, and the only real defense against this sort of thing is to watch out for it.

Luckily, there are ways to deal with spyware. If your computer is already showing signs of infection, you can use a spyware removal tool like Spybot - Search & Destroy or Ad-Aware to clean it up. If your computer is spyware-free and you want to keep it that way, you can check out our spyware prevention guide for some tips.
