Cyber Warfare in your Home Computer: The Growing Problem of Shivas
Version 2005-05-30. Copyright 2005 by Terry Bollinger.

What's a Shiva?

A Shiva is a type of hardcore spyware that takes over the immune system of your
computer. SHIVA is an acronym based on a suggestion from my friend
David J; it
means Spyware HIV-like Attacker. Shivas use your own virus and spyware
checkers to fool you
and protect themselves, making them very hard to detect and remove.
Shivas also appear to be growing more common, presumably due to an
overall increase in the use of automated, self-propagating networks of
spyware that use conquered systems as sites for launching still more
attacks.

An Early Shiva Encounter

I first encountered a Shiva on a Windows 98SE PC
using Norton Internet Security Professional. Both Windows and Norton
were fully updated. I had already removed one keylogger (Amecisco) from
it, but it was still exhibiting the odd lagging behaviors that often
indicate the presence of keyloggers or other hardcore spyware. Scans
by Norton revealed nothing. Scans using three well-proven and thorough
spyware
checkers, Spybot Search & Destroy, Webroot Spy Sweeper, and
Lavasoft Ad-Aware, also uncovered nothing. I then tried the more recent
(and now Microsoft-owned) GIANT AntiSpyware product. Surprisingly,
GIANT uncovered a keylogger (Windows Spy) and two Remote Administration
Terminals (RATs), Neoturk and Hanky Panky! Keylogger/RAT combos are
especially bad, since a remote user can gain nearly complete control of
your system with such a combination.

Self-Protection in Shivas

The curious part was that GIANT was unable to get rid of these
hardcore spyware applications after detecting them. Even when
working offline (physically unplugged from the Internet), GIANT in
several cases simply went gray and froze before it reached the point of
removing the spyware. In another particularly interesting case, it
found the spyware in the middle of its run, then delisted them before
completing, offering up instead a medium-threat spyware application
that was far less dangerous. No amount of deinstalling/reinstalling
GIANT helped, and no amount of cutting back Windows (SAFE mode) drivers
made any difference: GIANT could not remove the spyware it had found.
At this point I became suspicious of Norton, since it was one of the
few remaining packages that was still active in the SAFE mode I was
using. Deinstalling Norton solved the problem: GIANT was then finally
able to complete its procedure and remove the dangerous spyware. I've
since seen this very unsettling scenario repeated on other systems
using other virus checkers, such as a laptop in which clicking on the
McAfee virus checker instantly caused spyware that I had just removed
to start popping out again like popcorn.

Why Shivas are Not Detected by Spyware Scanners

The example of multiple spyware applications popping out of a virus
checker demonstrates another distressing feature of Shivas, which is
that they do not necessarily correspond to a single traditional spyware
application. Once a hacker has a remote administration terminal (RAT)
in your system, he can subtly change enough system, virus checker, and
spyware checker settings to make them into tools that serve his
purposes instead of yours. In the "popcorn" example, these changes were
not detectable by any of the four spyware checkers I was using.
Instead, the presence of the Shiva showed up indirectly through the
simultaneous re-emergence of several previously removed spyware
applications. As of early 2005 my impression is that the industry
recognition and understanding of Shivas is still so early that spyware
checkers are not looking for such subtle changes in checker
configurations. For now, this means that the best (and often the only)
way to deal with a Shiva is deinstallation and reinstallation of the
virus and spyware checkers in which the Shiva resides.
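One way to look for the kind of subtle checker-configuration change described above, as an added example that is not part of the original page; the key=value format, setting names and paths are constructed placeholders, not any real product's:

```python
"""Added example (not from the original page): check a virus or spyware
checker's own configuration for drift against a known-good baseline.
A RAT that quietly edits the checker's settings (adds exclusions, switches
protection off) leaves it reporting a clean system; a baseline taken right
after a clean install exposes that drift. The key=value format, setting
names and paths below are constructed placeholders, not any real product's.
"""

import hashlib

def parse_config(text: str) -> dict:
    """Parse key=value lines; repeated keys (e.g. exclude=) collect into a list."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg

def compare_configs(baseline_text: str, current_text: str) -> dict:
    """Report whole-file drift, newly added exclusions, and 'on' settings flipped."""
    base, cur = parse_config(baseline_text), parse_config(current_text)
    return {
        "hash_changed": hashlib.sha256(baseline_text.encode()).hexdigest()
        != hashlib.sha256(current_text.encode()).hexdigest(),
        "new_exclusions": sorted(set(cur.get("exclude", [])) - set(base.get("exclude", []))),
        "disabled_settings": [k for k, v in base.items() if v == ["on"] and cur.get(k) != ["on"]],
    }

# Constructed sample: a known-good baseline and the same file after tampering.
BASELINE = """# scanner settings (constructed sample)
realtime=on
scan_startup_folders=on
exclude=C:\\Windows\\Temp\\installer.log
"""
TAMPERED = """# scanner settings (constructed sample)
realtime=on
scan_startup_folders=off
exclude=C:\\Windows\\Temp\\installer.log
exclude=C:\\Program Files\\Placeholder
"""

if __name__ == "__main__":
    for name, value in compare_configs(BASELINE, TAMPERED).items():
        print(f"{name}: {value}")
```

Take the baseline immediately after a clean (re)install and store it off the machine, since a Shiva with a RAT's level of access can just as easily rewrite a baseline kept on the same disk.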

Cyber Warfare in Your Home and Small Business

From the perspective of a malicious code designer, all of these behaviors
are entirely reasonable. After all, spyware
can be designed to have specific
knowledge of major virus and spyware checkers, just as major spyware
checkers have knowledge of spyware. When hardcore
spyware and good spyware checkers are placed on the same system, the
result is more akin to cyber warfare than a simple checklist scan
for cookies and bad programs. Hardcore spyware uses its stealth,
counter-attacks, and knowledge of virus and spyware checkers to hide
itself, disable common spyware and virus checkers, and even take over
virus and spyware checkers for its own purposes. For home and
small business users who cannot afford the dedicated network protection
staff and expertise of a major corporation, these kinds of
guerrilla-level, take-it-to-your-home cyber attacks are just plain
scary.

The Future: Expect Worse Before It Gets Better

It is reasonable to expect the Shiva problem to get worse before it gets
better. Because there are almost no universally accepted standards on
how to design applications for security against a direct, knowledgeable
onslaught by an adversary with no compunctions, it is very difficult to
figure out how to write an application so that it cannot be taken over
in some subtle fashion. Securing the operating system is only the first
step in this complex game -- a high-stakes game that is likely to
continue for years to come, and one by which inherently more vulnerable
home and small business computers will be deeply affected.

A Toolkit for Removing Shivas

The spyware removal kit
on this web site tries to even the playing field by taking advantage of
your most important asset: physical possession of your system. Having
physical possession allows you to keep removing junk and reinstalling
tools until, eventually, you break enough critical parts of any Shiva
or other hardcore spyware to overcome their attacks and attempts to
hide. At that point the standard removal tools begin to work again, and
you will be able to secure your system.