The Market Ticker
Commentary on The Capital Markets - Category [Technology]

Be careful out there.

I found a particularly-pernicious bit of spyware today and had some fun getting rid of it.

It's called Metroids and when loaded (usually as part of a bundle with some sort of free utility or other legitimate package) it displays a "cute" rendition of the game Asteroids on top of all your browser windows.  The theory is that it brings you great "offers."

Needless to say that display is damned annoying and if you manage to accidentally load it you will instantly head over to the Program window and uninstall it.

All good, right?

Not so fast, Kemosabe!

Unknown to you it dropped a service into Windows under an obscure apparently-random letter name (very clever guys, trying to hide your intentions) when it had administrative privilege during installation -- privilege it retains, incidentally.  The problem is that the service survives the uninstall, and worse, it is capable of and does "hook" a browser session even without an extension loaded!

The odds are very good you'll never know it's there since it doesn't call itself what it is and in addition it claims to have uninstalled when you told it to.  But it didn't, and it's still creating and, presumably, transmitting data about whatever you do.  If you find the working directory and kill it (it's in AppData) it will be re-created as soon as you open a new browser window, or if you have one open.  Since it's running with privileges an ordinary user account can't stop the service either and worse, it has access to everything on the machine.

Malwarebytes can find it as can someone who knows what they're doing, but most anti-virus systems will not pick it up -- including Avast.
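The service described above gives away two things a defender can check for without knowing its name: its binary lives under a user's AppData folder, and its name is a short run of letters that means nothing. The script below is an added example for this post, not the author's removal procedure and not code from any product; the name-length threshold, the AppData test and the "close browsers first" ordering are assumptions drawn from the behaviour the post describes, and it flags candidates for a human to look at rather than deleting anything on its own.

```powershell
# Added example (not from the post): enumerate Windows services and flag the ones
# that match the persistence pattern described above. Heuristics are assumptions.

function Find-SuspiciousService {
    [CmdletBinding()]
    param(
        # Service names of 1..3 letters are treated as machine-generated (assumption).
        [int]$MaxRandomNameLength = 3
    )

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $reasons = @()
        $path = $svc.PathName

        # A service binary under a user profile's AppData folder is unusual;
        # legitimate services install under Program Files or System32.
        if ($path -match '\\AppData\\') { $reasons += 'binary under AppData' }

        # Very short, all-letter names look random rather than descriptive.
        if ($svc.Name -match "^[A-Za-z]{1,$MaxRandomNameLength}$") {
            $reasons += 'short random-looking name'
        }

        # Context only: no description, and running as LocalSystem at boot,
        # which is the privilege level the post says the service kept.
        if ([string]::IsNullOrWhiteSpace($svc.Description)) { $reasons += 'no description' }
        if ($svc.StartName -eq 'LocalSystem' -and $svc.StartMode -eq 'Auto') {
            $reasons += 'LocalSystem, auto-start'
        }

        # Report only services that trip the AppData or name test; plenty of
        # legitimate services have no description, so that alone is not enough.
        if ($reasons -contains 'binary under AppData' -or
            $reasons -contains 'short random-looking name') {
            [pscustomobject]@{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                State       = $svc.State
                StartMode   = $svc.StartMode
                RunAs       = $svc.StartName
                Path        = $path
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

function Remove-PersistentService {
    # Removal in the order the post implies: the service re-creates its working
    # directory whenever a browser is open, so browsers are closed first, then the
    # service is stopped and deleted, and only then is the directory removed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$WorkingDirectory,
        # Browser process names to close before removal (assumption: common browsers).
        [string[]]$BrowserProcesses = @('chrome', 'firefox', 'msedge', 'iexplore')
    )

    foreach ($proc in $BrowserProcesses) {
        Get-Process -Name $proc -ErrorAction SilentlyContinue | ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$($_.ProcessName) (PID $($_.Id))", 'Stop process')) {
                Stop-Process -Id $_.Id -Force
            }
        }
    }

    if ($PSCmdlet.ShouldProcess($Name, 'Stop and delete service')) {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
        # sc.exe delete works on Windows PowerShell 5.1 and PowerShell 7 alike.
        & sc.exe delete $Name | Out-Null
    }

    if ((Test-Path $WorkingDirectory) -and
        $PSCmdlet.ShouldProcess($WorkingDirectory, 'Remove directory')) {
        Remove-Item -Path $WorkingDirectory -Recurse -Force
    }
}

# Usage, from an elevated prompt so every service is visible:
#   Find-SuspiciousService | Format-Table -AutoSize
#   Remove-PersistentService -Name 'xy' -WorkingDirectory "$env:LOCALAPPDATA\xy" -WhatIf
# ('xy' and the path are placeholders; substitute what the first command reports.)
```

Run the finder first and read its output before touching anything: the name and AppData tests are heuristics, and a short name alone can belong to a legitimate driver helper. The remover supports `-WhatIf` so the full sequence can be previewed, and it needs an elevated prompt because, as the post notes, an ordinary user account cannot stop a service running with those privileges.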

I have no idea how extensive the data it is collecting and sending is once it "claims" to be uninstalled but this is an especially nasty little piece of **** due to its persistent nature, that it is running with privileges and thus could get to anything on the machine and the fact that you'll get infested with it from perfectly "legitimate" downloads -- not browsing porn sites or other similar places.

I'm not usually one to say "there ought to be a law", but I will this time: If you as a software author or distributor allow your code to be bundled with such an "installer" -- anything that leaves a piece of itself behind after being de-installed specifically and/or attempts to obscure its components and functions by calling itself anything other than what it is -- that ought to be treated as felony computer fraud and abuse and you, along with the entity that wrote that crap, ought to go to prison.

Yeah, I know how to get rid of it and did with no harm done.  But I know what I'm looking for.

Most people don't and won't even know it's there.

The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.