The SpyWare Invasion

By Carnage4Life in MLP
Sun Mar 25, 2001 at 07:57:51 PM EST

While writing a proxy server for a class I noticed that for each URL I clicked, a number of POST requests were being sent to d2.webhancer.com and d3.webhancer.com. Wondering what was up I decided to go to the Web Hancer website where I found out that WebHancer is a company that claims to have an installed base of millions of WebHancer agents that report web browsing statistics to their corporate headquarters.

WebHancer currently charges businesses $12,000 a month to access these usage statistics. I found the webHancer agent on my Windows machine (after a quick 'ps -W | grep gent') in "C:\Program Files\webHancer\Programs\whAgent.exe" and deleted it. What I am wondering is how the Web Hancer agent got on my machine since I don't recall being asked whether I wanted to install any spyware. Also exactly how many of their millions of anonymous usage statistics are being generated by unsuspecting users? Which program did I install that decided to place this Trojan on my machine and is there a blacklist of such programs?

Finally, while searching for info on Web Hancer I found Ad-Aware which claims to locate and uninstall such spyware.
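
The pattern described in the story, POST requests to d2.webhancer.com and d3.webhancer.com following every clicked URL, can be looked for in a proxy log. The sketch below is an added example, not part of the original post; the log format, the request paths, the browsed sites and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: "<seconds> <METHOD> <absolute URL>" (not captured traffic).
SAMPLE_LOG = """\
0.0 GET http://www.example.com/
0.4 POST http://d2.webhancer.com/report
0.5 GET http://www.example.com/images/logo.gif
12.0 GET http://www.example.org/
12.3 POST http://d3.webhancer.com/report
30.0 GET http://www.example.net/login
30.2 POST http://www.example.net/login
30.6 POST http://d2.webhancer.com/report
45.0 GET http://shop.example.edu/news
45.5 POST http://d2.webhancer.com/report
"""

def site(url):
    """Crude site key: last two hostname labels (assumption, no public-suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, method, url = line.split(maxsplit=2)
            yield float(ts), method, url

def find_reporters(log, window=2.0, min_sites=3):
    """Return {site: (post_count, browsed_sites)} for sites that receive POSTs
    within `window` seconds of page loads on >= min_sites unrelated sites."""
    last_get = None                  # (timestamp, site) of the most recent GET
    followed = defaultdict(set)      # reporting site -> browsed sites it followed
    posts = defaultdict(int)
    for ts, method, url in parse(log):
        s = site(url)
        if method == "GET":
            last_get = (ts, s)
        elif method == "POST" and last_get:
            get_ts, get_site = last_get
            # A form POST back to the browsed site itself is normal; skip it.
            if ts - get_ts <= window and s != get_site:
                followed[s].add(get_site)
                posts[s] += 1
    return {s: (posts[s], sorted(v)) for s, v in followed.items()
            if len(v) >= min_sites}

if __name__ == "__main__":
    for name, (count, sites) in find_reporters(SAMPLE_LOG).items():
        print(f"{name}: {count} POSTs following page loads on {sites}")
```

A login POST to the site being browsed is ignored; only a destination that keeps appearing behind unrelated sites is reported.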


The SpyWare Invasion | 15 comments
someone is paying for your freebeerware (4.00 / 4) (#1)
by eLuddite on Sun Mar 25, 2001 at 04:59:54 PM EST

Software that spies on your online habits is distributed according to the same economic model that banner advertising uses. Spyware companies pay a bounty every time their software is downloaded. You probably got it off some freebie or shareware application. I found one in my system about a year ago after downloading a game meant to be played by a 4 yr old child.

Is Your Freeware Spyware?

God hates human rights.

Geeze (3.00 / 1) (#2)
by regeya on Sun Mar 25, 2001 at 05:01:00 PM EST

IIRC CometCursor did this at one time, but I'm not sure anymore. Silly me, I actually ended up letting that one install when visiting startrek.com once. I saw a cryptic reference on some site (I won't link to it because it wasn't very helpful) to some MIDI plugin doing the same...

Of course, this sort of thing only happens if you let your superior enterprise-ready web browser indiscriminately install .exe's. ;-)

[ yokelpunk | kuro5hin diary ]

Crescendo (4.50 / 2) (#10)
by SlydeRule on Sun Mar 25, 2001 at 06:32:51 PM EST

I saw a cryptic reference on some site (I won't link to it because it wasn't very helpful) to some MIDI plugin doing the same...
The MIDI plugin probably was Crescendo. The reviews at CNet sound fun:
My firewall notified me that webhancer was trying to contact the internet - I knew it wasn't anything I installed - so I used programs add/remove to uninstall it, and promptly LOST THE ABILITY TO CONNECT TO THE INTERNET! I wasted a day figuring out what happened and finally had to completely restore my system to a previous configuration.
My advice is to not install this at all, and if you have, uninstall it and run a good spyware detecting program (like Ad-aware) on your system to get rid of WebHancer.
Webhancer is one of the nastiest, hardest-to-get-rid-of little worms around. Really much closer to a virus than a product. Many free browser plug-ins are now bundled with this menace! Do not install Crescendo under any circumstances.
WebHancer tracks everything you do online and if you try and remove it, your internet connection is lost.

[ Parent ]
I blame the people. (3.00 / 2) (#4)
by tetsuo on Sun Mar 25, 2001 at 05:05:19 PM EST

Comet cursor is one of my favorites.

Although in truth, I think it's less the companies' fault than the individuals'. When Joe McMTV goes to a site and the little popup "would you like to install bla bla bla please read our privacy statement" window pops up, 99 times out of 100 they'll just click 'yes' to install it and get the obnoxious menu out of their face. But it is there. Perhaps it should be more clear as to what it does.

I suspect that many of the users are not so much unsuspecting as uncaring and/or clueless.

Although I am curious as to how that got on there without your explicit permission. My guess would be it piggybacked onto something else and was listed in the fine print.

File sharing services (4.00 / 4) (#5)
by SbooX on Sun Mar 25, 2001 at 05:11:31 PM EST

I've recently come into contact with spyware myself. I downloaded AudioGalaxy and soon discovered that it too installed WebHancer. Naturally, I found AdAware and got rid of it rather quickly. iMesh also does this along with many other filesharing utilities. It's a real shame. AudioGalaxy is great once you get rid of the spyware crap. InfoAnarchy has a lot of good info about who installs it on you, I'd recommend checking them out.


god is silly. MGL 272:36

The Joy .. (4.00 / 2) (#6)
by Da Unicorn on Sun Mar 25, 2001 at 05:11:54 PM EST

Oh, the joy of never having to use winderZ is reconfirmed by this story.

But it ain't for everyone.


Your browser can be affected too (3.50 / 2) (#7)
by theboz on Sun Mar 25, 2001 at 05:44:39 PM EST

It's not just adware and spyware, but also there are things such as the ultra tiny graphics known as "web bugs" that appear on a webpage in order to send connection information to companies. It's easier for them to get away with than spyware and cookies and works on any graphics enabled web browser. With the complexity and effort going into spyware, I wouldn't be surprised if they eventually develop something that runs in java that exploits the browser via something like netscape's "brown orifice" problem, and thus puts a program that runs in java (almost everyone has a jre installed on their system anymore) and runs on your machine whenever your browser is open, happily sending all your system information and connection history to some marketing company.

[ Parent ]

It's not just the reporting that sucks (4.00 / 2) (#8)
by RangerBob on Sun Mar 25, 2001 at 05:55:21 PM EST

Spyware programs also have a nasty habit of breaking people's systems. I've seen a lot of people whose systems didn't work right until they ran something like optout to remove all the crud. I figure that these companies can't exactly afford the best programmers out there.

Not just that (5.00 / 1) (#12)
by Mendax Veritas on Sun Mar 25, 2001 at 08:11:11 PM EST

It's also that Microsoft's Win32 APIs make it possible to write spyware, but not necessarily easy, depending on what you want it to do. If you find yourself needing to write Win32 spyware that, to do its job, needs to intercept calls to Win32 APIs made by any application or DLL in any process, you had better be a top-notch programmer with expert-level knowledge of C, Win32, threading issues, and the internals of Microsoft's C runtime library, or you'll never get it to work right. You had also better be pretty paranoid, because while your spyware may work well enough on its own, and someone else's similar spyware may work well enough on its own, there may be problems when both are spying at once if the creators of either product did not fully understand what it takes for two such products to co-exist.

[ Parent ]
bleh (1.00 / 2) (#13)
by QuoteMstr on Sun Mar 25, 2001 at 11:50:50 PM EST

Windows hooks aren't *that* difficult to use. Annoying, yes, but you make it sound like they are some complex thing that can only be used by the godlike.

[ Parent ]
bleh (1.66 / 3) (#14)
by QuoteMstr on Sun Mar 25, 2001 at 11:51:09 PM EST

Windows hooks aren't *that* difficult to use. Annoying, yes, but you make it sound like they are some complex thing that can only be used by the godlike.

[ Parent ]
That's not the point (4.00 / 2) (#15)
by Mendax Veritas on Mon Mar 26, 2001 at 12:45:37 AM EST

It isn't just using SetWindowsHookEx. That's not at all a big deal. The tricky bit, as I described, has to do with intercepting Win32 API calls. There is no standard interface to do this; you have to rely on knowledge of the PE file format and the way that cross-module calls are resolved by the Win32 module loader. And there are a number of products that use this sort of technique, aside from obvious candidates like debuggers. Three that I can think of off the top of my head are McAfee AntiVirus's "Web scanning" feature (which checks HTTP/FTP downloads for viruses as they are downloaded), a third-party memory-management product (a plugin malloc replacement) called SmartHeap, and a client component of Visual Networks' IP InSight network management suite (which might reasonably be regarded as spyware, since it uploads network usage statistics to a server). To judge by the quality of their respective implementations of this concept, it is pretty close to rocket science; only Visual Networks' product worked well in its first release, while the other two were plagued with compatibility problems. McAfee VirusScan 4.0, in particular, was a nightmare largely because of the Web scanning, which, ironically, was VirusScan 4.0's major new feature.

[ Parent ]
there is an underlying problem here (1.43 / 23) (#9)
by 2400n81 on Sun Mar 25, 2001 at 06:30:28 PM EST

I found the webHancer agent on my Windows machine (after a quick 'ps -W | grep gent') in "C:\Program Files\webHancer\Programs\whAgent.exe" and deleted it.

um, maybe it is just me but if you know enough to install micros~1 compatible UNIX programs such as ps and grep and string them together with a pipe, maybe you shouldn't be using wind0ze.

Ummm.. (3.00 / 5) (#11)
by BigZaphod on Sun Mar 25, 2001 at 06:42:31 PM EST

Yeah, it's just you.

"We're all patients, there are no doctors, our meds ran out a long time ago and nobody loves us." - skyknight
[ Parent ]