
Did I pick up spyware by visiting a Web site?

Hey Dave, I was looking at information on the Mirc website and I happened to come across a link called ircnick.com. Since the link came from an official website, I clicked on the link only to be redirected to a site called eta.us. Ever since hearing about phishing and malicious websites (e.g. Googkle) I was concerned as to whether or not the site I was redirected to was insidious in any kind of way (whether or not I had spyware, adware, trojans, etc.). I scanned my computer using various virus and adware scanners (everything was clean). Still feeling uneasy, I need advice, therefore I'm asking you.


Dave's Answer:

I can understand your concern, but fortunately there are some tools available that make tracking down this sequence pretty straightforward. I'm going to use a Unix command-line tool called lynx to step through the sequence of what the site sent back. I'm actually doing this on the Mac OS X command line using the Terminal application that's included with the operating system (it's in Applications --> Utilities).

The first step is to recognize that when you visit a Web page you get two things sent back to you: the HTTP headers and the actual web page. The headers are the HTTP protocol's part of the exchange, and you can view them with lynx by using the following command:

$ lynx -head -dump http://www.ircnick.com/
HTTP/1.1 200 OK
Connection: close
Date: Wed, 25 May 2005 15:24:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=32sgufnkkyppad2nkpcqnd45; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 644

Nothing untoward here and no suspicious redirects, but do note that a cookie is set and that this is clearly a Windows server (the Server header shows it's running Microsoft's IIS with ASP.NET).

Next step is to see the HTML itself, which can be done from lynx too:

$ lynx -source http://www.ircnick.com/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN">
<html>
<head>
<title>ircnick.com</title>
<meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1">
<meta name="CODE_LANGUAGE" Content="C#">
<meta name="vs_defaultClientScript" content="JavaScript">
<meta name="vs_targetSchema" 
  content="http://schemas.microsoft.com/intellisense/ie5">

<noframes>
<body>
IRCNICK.COM
<a href='www1.eta.us/default.aspx?a=ircnick.com'>
</body>
</noframes>
</head>
<frameset rows="*">
<frame src='http://www1.eta.us/default.aspx?a=ircnick.com&ref=*&rs='>
</frameset>
<!-- #11 -->
</html>

You can see the link to the ETA site, so let's now traverse that with the same set of commands...

$ lynx -head -dump http://www1.eta.us/default.aspx?a=ircnick.com
HTTP/1.1 200 OK
Connection: close
Date: Wed, 25 May 2005 15:34:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
p3p: CP="CAO PSA OUR"
Set-Cookie: ASP.NET_SessionId=ghuy3yqeu4roesak3bveykyc; path=/
Set-Cookie: tengnikrap=domain=ircnick.com:ref=:refst=; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 11471

Again, no big deal. But when I go to actually view their page, phew! Lots of dense code, though it all looks benign to me. Here's how I can test that hypothesis: if anything bad were going on, we'd expect to find JavaScript or similar scripting code, so we can look for a few key words or phrases in the HTML source itself. That's easily done with lynx coupled with the pattern-matching grep command:

$ lynx -source http://www1.eta.us/default.aspx?a=ircnick.com | \
  grep -iE '(java|form|action| on|object)'
<form id="parking_form" method="post" action="Default.aspx">
</form>
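The same two checks done by hand above (find where the page sends the browser next, then look for script-related markers) as a small standard-library Python script. This is an added example, not code from the original article; the first sample is the frameset page ircnick.com returned above, the second is a constructed page that would trip the checks.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)  # onload=, onclick=, ...

class PageInspector(HTMLParser):  # frame/meta-refresh targets + script markers
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.next_hops = []  # absolute URLs the page loads or redirects to
        self.findings = []   # (kind, detail) pairs worth a human look

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("frame", "iframe") and a.get("src"):
            # urljoin also repairs scheme-less targets like the page's <a href>
            self.next_hops.append(urljoin(self.base_url, a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.next_hops.append(urljoin(self.base_url, m.group(1)))
        if tag in ("script", "object", "embed"):
            self.findings.append((tag, a.get("src") or a.get("data") or "inline"))
        elif tag == "form":
            self.findings.append(("form", a.get("action", "")))
        for k, v in a.items():
            if EVENT_ATTR.match(k):
                self.findings.append(("event-handler", f"{k}={v}"))
            elif v.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", v))

def inspect(html, base_url):
    p = PageInspector(base_url)
    p.feed(html)
    return {"next_hops": p.next_hops, "findings": p.findings}

# Frameset page ircnick.com returned in the article (abridged).
IRCNICK_HTML = """<html><head><title>ircnick.com</title>
<noframes><body>IRCNICK.COM <a href='www1.eta.us/default.aspx?a=ircnick.com'></body></noframes></head>
<frameset rows="*"><frame src='http://www1.eta.us/default.aspx?a=ircnick.com&ref=*&rs='></frameset></html>"""

# Constructed sample (not from the article) that would trip the checks.
SUSPECT_HTML = """<html><head><meta http-equiv="refresh" content="0; url=/landing.aspx"></head>
<body onload="track()"><script src="x.js"></script><a href="javascript:void(0)">go</a></body></html>"""

if __name__ == "__main__":
    print(inspect(IRCNICK_HTML, "http://www.ircnick.com/"))
    print(inspect(SUSPECT_HTML, "http://example.test/"))
```

The ircnick.com page yields one next hop (the eta.us frame) and no findings, which matches the empty grep result above apart from the form; the constructed page reports the meta refresh target plus the event handler, external script and javascript: link.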

Looks like you're clear this time, but you might well want to check out my recent article on Safe Web Surfing and also seriously consider using a Web browser other than Internet Explorer for better security.

Oh, and if you are surfing the web (which you're obviously doing since you're here on my site!), then you must have both a solid antivirus solution and an anti-spyware solution. I recommend AVG Antivirus for the former and Spy Sweeper for the latter.


Comments

People surfing the web with Windows should probably use Firefox to start with, and should probably use whatever they can in the way of filters - ad blockers, etc.

So Dave, there are scads of these filtering plugins for Windows, but some of them are undoubtedly vehicles for delivering "preferred" adware and spyware. What do you recommend to Windows users?

PC users ask me all the time, and I always say, "Sell your PC on eBay and buy a Macintosh." If they want to keep the Windows PC, what else can they do for prevention of browser based malware?

Posted by: Gary W. Longsine at May 26, 2005 12:01 AM

Although Macs are less attacked by viruses, Mac users can also use the free virus checker www.clamxav.com to make sure that their machines are not misused as virus safe havens.

Posted by: Mike at May 26, 2005 11:14 AM

© 2002 - 2008 by Dave Taylor. All Rights Reserved.