In Depth
Spyware: Scumware Out There
Security vendors big and small are in an arms race to root out spyware and other malicious code, but so far they're all losing.
By Sarah D. Scalet
"First it becomes a nuisance, and we can use freeware to tackle it," says Stash Jarocki, senior vice president of information security at New York City-based Bessemer Trust, describing what has become a familiar cycle. "Then it reaches the point where you can't manage on a temporary basis, and you want to manage it enterprisewide. I think the cry has gone out to vendors that this has become an enterprise issue. It is a resource killer."
Welcome to the Internet's most vicious arms race. In case it isn't obvious by now, the bad guys are pounding us.
Spies Like Them
Loosely put, spyware is software that, once installed on a computer, gathers information about the computer user, usually without the person knowing or understanding what is happening, and relays that information to a third party. The results can range from resource hogging to identity theft. But even the precise definition of spyware, and the problem's scope, is up for debate.
At the tamest end is adware. This can include anything from a program that gathers statistics on Web usage, to one that customizes a user's Internet experience based on the sites he visits, to one that takes over someone's browser in a way that she might or might not consider useful. Some consider Internet cookies to be a type of spyware because they quietly gather information about websites that a user has visited.
On the Wild West side of things are keystroke loggers that can be used to steal credit card numbers, account names and passwords, and tools that allow hackers to control other computers remotely. If this type of software finds its way onto a corporate network, the results can be devastating. The FBI is investigating a case in which source code from computer gaming company Valve Software was posted on the Internet. Hackers allegedly captured the code by using key loggers that they installed on company computers.
These most egregious examples aside, spyware's relative merits are in the eye of the beholder. The largest adware companies, WhenU and Claria, insist that their programs are not spyware because the computer owner agrees to an end-user license agreement (EULA) that explains what the software does. And even keystroke loggers have valid uses, such as when law enforcement is investigating a suspected criminal or an IT department is checking up on a problematic employee. (This, too, can be a gray area. This past summer, The Associated Press reported that an employee of the state of Alabama was fired in 2003 for installing spyware on his boss's computer, even though he did so to prove that the boss was spending 70 percent of his time on the computer playing solitaire.)