Sign In

Communications of the ACM


Busting the Ghost in the Machine

This article describes an attempt to infect two new Dell WindowsXP-SP2 PCs (named Grease and Grime) with spyware and examines the results of the spyware infections. Each PC carried Symantec Antivirus, Spyware Doctor 3.1 (Doc), Spybot Search and Destroy 1.3 (SSD), and Sandra 2005 software, but no inoculation options were active during the infection and examination processes. Table 1 illustrates the initial benchmark metrics from Sandra 2005 obtained from SI Software at

Stage 1 infection. First, a Web mail client was employed to read the identical email from the same account on both Grease and Grime. Seven email messages were selected to give a broad yet classified coverage of typical spamRolex Watches, Canadian Pharmacy, Obtain a Diploma, CIALIS Softabs and three different porn email messages.

These email messages were simultaneously opened on each PC, and where possible, hyperlinks were followed from the email, to subsequent Web pages. Where the hyperlinks were operative, a drill down was made until a purchase opportunity was made available. If member logon/registration was required a valid user ID and password were created for that session. Email addresses, if requested, were faked. Credit card and personal information were never entered, but other instructions were followed to the penultimate step in the purchase/registration process. For example, when responding to a message with a subject header of "Order Rolex Online" we clicked to drill to the Buy button. At that point (when name, address, and credit information were requested), the browserís back button was used to back out of the site.

Following the initial reading of the seven spam messages, Doc and SSD were executed in scan mode and the following were identified as spyware:

  • Doc 3.1
  • SSD 1.3
  • 5 entries for DSO Exploit

Stage 2 infection. Repeated Sandra 2005 benchmark runs revealed no substantial differences between pre- and post-infection metrics as no test varied by more than 2%, and indeed some tests indicated better performance. In order to obtain additional spyware was visited to search for a telephone numbers in the same hometown. In addition, there were several attempts made to visit some of the clickable banner ads as well as pop-up advertisements. For instance, the fish bowl screensaver, along with its spyware, were installed from the well-known tracking company, GAIN.

During this stage the appropriate zip code was keyed, but no other information or email addresses were released. This stage was not as precisely controlled as was Stage 1 because different clickable ads were available at different times, so the exact visit sequence and visit sites were not identical between the two PCs. In total, no more than six minutes were spent making visits to the available sites that emanated from

After the second round of infection from and its affiliates, a new execution of SSD and Doc revealed the following infections on both Grease and Grime:

  • Doc 3.1
  • 1 Valueclick
  • 2
  • 1 Avenue A Inc.
  • 1 Core metrics
  • 1 DoubleClick
  • 5 DSO exploits
  • 11 GAIN.dashbar
  • 19 GAIN.Gator
  • 3 HitBox
  • 1 MediaPlex
  • SSD 1.3
  • 102 infections, including the tracking cookies

Stage 3 infection and cleanup. Because another Sandra 2005 benchmark testing revealed no substantial differences relative to the initial benchmark, additional spyware was acquired. We decided to use the "big guns" and downloaded Kazza and Skype. These products advertise "no spyware" for the paid versions, but our interest was in the spyware push from the free versions. These free versions give ample warning as to spyware, although some of the warning is cloaked so as to indicate more benefit for the user than we believe actually results. Kazaa and Skype were potent downloads even though we used none of their services.

A final execution of SSD and of Doc revealed surprises. Doc uncovered more than three times the prior reading with 384 infections, and SSD would not run. Rather, it generated the following error message:

`Error during check: Winpub32 ("Ungültiger Datentyp für").'

Following Stage 3 infection, the PCs were scanned for viruses and disinfected. Symantec Antivirus revealed zero viruses after a 24-plus minute scan of more than 125,000 files on each PC. Doc claimed a removal (after reboot) of all 384 infections. Then SSD was able to run without error. It identified nine infections including Claria, Kazaa Promotional Items, Joltid P2P Networking, Altnet Software, and MyWay. SSD claimed eight removals, but the five DSO registry changes remained after a reboot.

Back to Top

Final Benchmark Results

Both Grease and Grime were benchmarked seven times using Sandra 2005. Table 2 summarizes pre- and post-experiment disk access times. Before infection, average access time for the file system benchmark was eight milliseconds for both PCs. Before the final clean-up process, the access time for Grease increased by a whopping 20% and the access time for Grime increased by 11%. After cleaning both computers with Norton Antivirus, SSD, and Doc, the original access time of eight milliseconds returned. Intermediate benchmark executions, surprisingly, revealed conflicting results.

After the four-day infection, examination, and repair processes, and assuming that the benchmark metrics are reliable, several observations are appropriate:

  • Spyware comes in potent bundlesonly a few site visits resulted in more than 100 infections identified by Doc.
  • Spyware products exhibit differences in how infections are identified and in how they are eliminatedmore than one product is required to clean your computer, and an Internet search reveals that plenty of free or inexpensive packages are available.
  • PC slowdown from spyware may not be immediate. Indeed, spyware slows a machine over time and after repeated activities, the longer the time, then the worse performance likely becomes. For instance, a colleague's PC was found to be very slow on the Web and she was inundated with pop-up advertisements; and then over 700 instances of spyware were found on her computer.
  • Use of the services provided by a piece of software may generate additional spyware, but use is not a prerequisite for spyware. A visit to a single Web site may generate multiple spyware infections.
  • There is hope for the future!

Back to Top


Kirk P. Arnett ( is a professor of information systems in the College of Business and Industry, Department of Management and Information Systems at Mississippi State University.

Mark B. Schmidt ( is an assistant professor of information systems in the Business Computer Information Systems Department in the G.R. Herberger College of Business, at St. Cloud University, St. Cloud, MN.

Back to Top


T1Table 1. Selected Sandra 2005 benchmarks.

T2Table 2. Summary benchmark comparisonshard disk access.

Back to top

©2005 ACM  0001-0782/05/0800  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2005 ACM, Inc.


No entries found