Home » Data Protection » Malware/Cybercrime

Spyware: Scumware Out There

Security vendors big and small are in an arms race to root out spyware and other malicious code, but so far they're all losing.

All of this is complicating antispyware efforts in Washington. There, lawmakers in both houses of Congress are trying to come up with an antispyware bill that will be more effective than the well-intentioned but largely useless Can-Spam Act. The Federal Trade Commission is also gathering information about the scope of the problem and determining the extent to which existing fraud laws apply.

Meanwhile, the lawsuits fly. WhenU and Claria and their clients have faced multiple lawsuits from businesses who charge that their advertising practices are unfair and deceptive. In Utah, WhenU convinced a judge to temporarily block the enforcement of a state antispyware law on grounds that it violated advertisers' free speech. And in the latest legal punch, the advertising software developer 180solutions sued a former distribution partner for deceptive practices and breach of contract. It's telling that even Skoudis watched his words when he spoke of adware vendors, and he warned me to be precise in what I wrote. "You've gotta be careful," he said. "They sue people."

Whatever legal definition is eventually hammered out, however, is likely to involve three elements: permission, transparency and ease of removal. The user needs to give permission to have the software installed. The software maker needs to be transparent about how the program works, what information it gathers and where that information goes. (This is the slipperiest distinction, since most people pay about as much attention to EULAs as they do to the weather on Venus—not that their ignorance really matters from a legal perspective.) And the program needs to have an uninstall feature that allows the user to remove the software if desired.

Unfortunately, that's just not happening. Some spyware programs install themselves even if the user clicks "no" when asked for permission. Others trick users with dialog boxes that say things like, "Click No to install this software," or bombard them with so many install windows that they agree, either on purpose or accidentally. Other times, the spyware is secretly hitched to another program that the user does want—often a free screen saver, game or peer-to-peer client.

Sometimes, the user doesn't need to do anything but visit the wrong website at the wrong time with the wrong Web browser. This past summer, hackers planted a malicious bit of JavaScript code known as Berbew on some Internet Information Server (IIS) Web servers used to run legitimate websites. "If you surfed to those machines using Internet Explorer, it would hack your browser, forcing it to download a piece of code from a Russian website," Skoudis says. The software then captured log-in information when the user visited certain sites such as financial services websites.