FAQ: Where does info for IE-SPYAD/AGNIS come from?
I've been getting this question a lot in recent months (esp. as updates to IE-SPYAD and AGNIS have become more frequent). The answer is a bit involved, so I thought I'd post a somewhat detailed explanation or answer.
I get my info from a number of different sources:
1) Stephen Martin's HOSTS file (and other block lists)
IE-SPYAD and AGNIS were originally based on Stephen Martin's HOSTS file (»www.smartin-designs.com/), and every time he updates the HOSTS file, I update my block lists as well.
When Stephen Martin does release an update, I go through his list of changes, looking for new domains that are primarily associated with advertisers, marketers, and crapware pushers. I then visit those domains to verify that they are in fact used by marketing and advertising outfits. I do not blindly dump updates to the HOSTS file into IE-SPYAD and AGNIS -- I pick and choose.
Also, I do occasionally look at other block lists that folks have built for web filtering programs. Aside from Stephen Martin's HOSTS file, though, many of these other block lists aren't maintained very well, so it's rare that I find much of anything that I didn't already have.
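One way to do the first step of that review (finding what an update adds before deciding what to keep), as an added example that is not code from the post or from IE-SPYAD/AGNIS: diff two HOSTS releases in Python and group the added hostnames by domain, skipping domains an existing block list already covers. The HOSTS text and block-list entries are constructed samples.

```python
# Added example, not part of Eric Howes's post or of IE-SPYAD/AGNIS: pull
# the hostnames a HOSTS-file update adds, drop those whose domain an existing
# block list already covers, and group the rest by domain for manual review.
from collections import defaultdict

def parse_hosts(text):
    """Hostnames in HOSTS text ('<ip> <host> [<host>...]', '#' comments);
    blank lines, comment lines and 'localhost' are skipped."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment, or IP only
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host != "localhost":
                names.add(host)
    return names

def registrable_domain(host):
    """Crude 'domain' of a host: its last two labels (no public-suffix
    list, so names under co.uk-style suffixes would be misgrouped)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def new_candidates(old_hosts, new_hosts, blocked_domains):
    """Map domain -> sorted new hostnames that still need a manual look."""
    added = parse_hosts(new_hosts) - parse_hosts(old_hosts)
    blocked = {d.lower() for d in blocked_domains}
    grouped = defaultdict(list)
    for host in added:
        domain = registrable_domain(host)
        if domain not in blocked:         # already covered by the block list
            grouped[domain].append(host)
    return {d: sorted(hosts) for d, hosts in grouped.items()}

# Constructed sample data: a previous and an updated HOSTS release, and the
# domains an existing block list already contains.
OLD_HOSTS = """127.0.0.1 localhost
127.0.0.1 ads.example-ads.test
127.0.0.1 tracker.example-stats.test
"""
NEW_HOSTS = """127.0.0.1 localhost
127.0.0.1 ads.example-ads.test
127.0.0.1 tracker.example-stats.test   # unchanged
127.0.0.1 banner.example-ads.test www.example-crapware.test
127.0.0.1 counter.example-stats.test
"""
ALREADY_BLOCKED = {"example-ads.test"}
```

Running `new_candidates(OLD_HOSTS, NEW_HOSTS, ALREADY_BLOCKED)` leaves two domains to look at by hand; `banner.example-ads.test` is dropped because its domain is already on the list.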
2) SpywareInfo Support Forums
Mike Healan's SpywareInfo hosts several important discussion forums:
...where people with spyware problems can seek help. In particular, the "Spywatch," "Spyware Removal," and "Browser Hijacking" forums are esp. useful. Users regularly bring system logs generated with HijackThis! and StartupList (both available from »www.spywareinfo.com/~merijn/ ) into those forums for troubleshooting advice. Those logs (and the discussions that result from them) are invaluable for identifying new sources of spyware/adware/hijackers.
3) Other Spyware Reference Sites
I constantly comb through several well-known spyware reference sites for leads on new forms of crapware and the outfits that distribute them:
All four of the above sites keep excellent data about spyware, adware, hijackers, and dialers, including distribution and uninstallation information.
4) Anti-Spyware Program Updates
I monitor the updates to programs such as:
SpyBot Search & Destroy
...looking for new forms of crapware. SpyBot Search & Destroy is esp. useful because of the included .NFO files that contain detailed info on the programs it targets. Occasionally, all I'll get is the name of a program or direct marketing outfit -- some digging in Google turns up the rest.
5) News Stories
Direct marketers and crapware pushers are often desperate to get their names in front of the public in order to attract sales and investors. Thus, major tech media outlets such as:
...(to name a few) regularly carry stories about direct marketing outfits and spyware pushers, esp. those who are doing things new and noteworthy. The online technology sections for newspapers such as:
New York Times
San Francisco Chronicle
San Jose Mercury News
...are also helpful in this regard.
6) Discussion forums
I monitor privacy & security oriented forums such as:
DSLR/BBR Security forum
...as posters often provide useful info about and pointers to new forms of advertising and spyware.
7) Web sites of direct marketers themselves
I spend a good amount of time going through the web sites of known advertisers and spyware pushers themselves. You'd be surprised what a little digging can turn up. When I visit a direct marketer's web page, I look at the HTML source as well as the following sections of the web site (if they exist):
* About Us (Our Company)
* Contact Us
I'm looking for affiliated/related web sites, names of products and services, names of partners/affiliates, etc. Esp. in the case of adult-oriented companies, the network of relationships can be quite complicated.
I'll often follow up by doing searches within Google (which can be a more trustworthy/reliable source of info than the marketers and crapware pushers themselves). Occasionally I stumble across web sites that yield a "mother lode" of links to direct marketers and crapware pushers. This is esp. true of web sites targeted towards webmasters (and adult site webmasters), as such web sites often include handy indices of direct marketing networks, technologies, and partnering programs that webmasters might be interested in.
A lot of this is just persistence and following one link to another, looking through the HTML source for web pages, or taking the name of a marketing outfit and digging for info in Google.
8) My own web-surfing
I monitor my firewall logs and track down new entries based on info that I find there. I pay attention to what's happening at web pages that I visit. I've even been known to drop all my "defenses" and deliberately go trolling for spyware and other obnoxious direct marketing gimmicks at dodgy web sites.
If I come across an unfamiliar program, I'll download it and inspect it. I unpack .CAB files when necessary, and look at the Properties and Digital Signatures for each file. I also look at installer .INF files for clues as to the origin or author of the program. Again, often all it takes is a name that I can plug in to Google.
So, there's no one source for the information that feeds into AGNIS and IE-SPYAD. It comes from a lot of different places.
Hope the above has been of interest.
Eric L. Howes
[text was edited by author 2003-03-28 23:29:39]