Cyber Warfare in your Home Computer:
The Growing Problem of Shivas
Version 2005-05-30. Copyright 2005 by Terry Bollinger.

What's a Shiva?
A Shiva is a type of hardcore spyware that takes over the immune system of your computer. SHIVA is an acronym based on a suggestion from my friend David J; it means Spyware HIV-like Attacker. Shivas use your own virus and spyware checkers to fool you and protect themselves, making them very hard to detect and remove. Shivas also appear to be growing more common, presumably due to an overall increase in the use of automated, self-propagating networks of spyware that use conquered systems as sites for launching still more attacks.

An Early Shiva Encounter
I first encountered a Shiva on a Windows 98SE PC using Norton Internet Security Professional. Both Windows and Norton were fully updated. I had already removed one keylogger (Amecisco) from it, but it was still exhibiting the odd lagging behaviors that often indicate the presence of keyloggers or other hardcore spyware. Scans by Norton revealed nothing. Scans using three well-proven and thorough spyware checkers, Spybot Search & Destroy, Webroot Spy Sweeper, and Lavasoft Ad-Aware, also uncovered nothing. I then tried more recent (and now Microsoft-owned) GIANT AntiSpyware product. Surprisingly, GIANT uncovered a keylogger (Windows Spy) and two Remote Administration Terminals (RATs), Neoturk and Hanky Panky! Keylogger/RAT combos are especially bad, since a remote user can gain nearly complete control of your system with such a combination.

Self-Protection in Shivas
The curious part was that GIANT was unable to get rid of these hardcore spyware applications after detecting them. Even when working offline (physically unplugged from the Internet), GIANT in several cases simply went gray and froze before it reached the point of removing the spyware. In another particularly interesting case, it found the spyware in the middle of its run, then delisted them before completing, offering up instead a medium-threat spyware application that was far less dangerous. No amount of deinstalling/reinstalling GIANT helped, and no amount of cutting back Windows (SAFE mode) drives made any difference: GIANT could not remove the spyware it had found. At this point I became suspicious of Norton, since it was one of the few remaining packages that was still active in the SAFE mode I was using. Deinstalling Norton solved the problem: GIANT was then finally able to complete its procedure and remove the dangerous spyware. I've since seen this very unsettling scenario repeated on other systems using other virus checkers, such as a laptop in which clicking on the McAfee virus checker instantly caused spyware that I had just removed to start popping out again like popcorn.

Why Shivas are Not Detected by Spyware Scanners
The example of multiple spyware applications popping out of a virus checker demonstrates another distressing feature of Shivas, which is that they do not necessarily correspond to a single traditional spyware application. Once a hacker has a remote administration terminal (RAT) in your system, he can subtly change enough system, virus checker, and spyware checker settings to make them into tools that serve his purposes instead of yours. In the "popcorn" example, these changes were not detectable by any of the four spyware checkers I was using. Instead, the presence of the Shiva showed up indirectly through the simultaneous re-emergence of several previously removed spyware applications. As of early 2005 my impression is that the industry recognition and understanding of Shivas is still so early that spyware checkers are not looking for such subtle changes in checker configurations. For now, this means that the best (and often the only) way to deal with a Shiva is deinstallation and reinstallation of the virus and spyware checkers in which the Shiva resides.
 

Cyber Warfare in Your Home and Small Business
From the perspective of a malicious code designer, all these behaviors are all too reasonable. After all, spyware can be designed to have specific knowledge of major virus and spyware checkers, just as major spyware checkers have knowledge of spyware. The result is that when hardcore spyware and good spyware checkers are placed on the same system, the result is more akin to cyber warfare than a simple checklist scan for cookies and bad programs. Hardcore spyware uses its stealth, counter-attacks, and knowledge of virus and spyware checkers to hide itself, disable common spyware and virus checkers, and even take over virus and spyware checkers for its own purposes. For home and small business users who cannot afford the dedicated network protection staff and expertise of major corporation, these kinds of guerrilla-level, take-it-to-your home cyber attacks are just plain scary.

The Future: Expect Worse Before It Gets Better
It is reasonable to expect the Shiva problem to get worse before it gets better. Because there are almost no universally accepted standards on how to design applications for security against a direct, knowledgeable onslaught by an adversary with no compunctions, it is very difficult to figure out how to write an application so that it cannot be taken over in some subtle fashion. Securing the operating system is only the first step in this complex game -- a high-stakes game that is likely to continue for years to come, and one by which inherently more vulnerable home and small business computers will be deeply affected.

A Toolkit for Removing Shivas
The spyware removal kit on this web site tries to even the playing field by taking advantage of your most important asset: physical possession of your system. Having physical possession allows you to keep removing junk and reinstalling tools until, eventually, you break enough critical parts of any Shiva or other hardcore spyware to overcome their attacks and attempts to hide. At that point the standard removal tools begin to work again, and you will be able to secure your system.