Spyware: Scumware Out There

Security vendors big and small are in an arms race to root out spyware and other malicious code, but so far they're all losing.

Maybe I clicked "no" in a dialog box that I ought to have closed, or installed a bogus version of a browser plug-in. Maybe I just visited the wrong website on the wrong day, and with my Web browser's unwitting compliance became a victim of a drive-by downloading of rogue software. Whatever the case, my punishment was brilliant and unstoppable. The spyware hijacked my Web browser and bombarded me with pop-up ads, even when the browser was closed and the network connection was unplugged. It made dubious offers of antispyware tools that would supposedly clean my system, yet hid from three legitimate cleaning tools and my antivirus software. It resisted my attempts to close it from the Windows task manager or delete it from the startup file. Applications ran grindingly slowly, and my system crashed so often that it was rendered useless. Whenever I thought I had the monster killed, it reared its ugly head again.

Finally, my company's IT technicians threw up their hands and reformatted my hard drive, mystery unsolved.

Along the way, something happened to me that observers say has happened to a critical mass of even the most security-savvy computer users over the past six months: Spyware became not just a nuisance but a plague that brought my productivity to a screeching halt.

"In enterprise, the guys are telling me that as much as 25 percent of their desktops at any time are affected by increasingly destabilizing software," says Peter Firstbrook, an analyst at Meta Group. "It's their number-one help desk issue."

"We have evidence that [spyware] is at least partially responsible for approximately half of the application crashes our customers report to us," Jeffrey Friedberg, Microsoft's director of Windows privacy, told Congress last spring—and you know that's a lot of application crashes. "It has become a multimillion-dollar support issue."

"We've never seen malicious code to the level we've seen in the last six months," says Ed Skoudis, author of Malware: Fighting Malicious Code. "It's just exploded."

Unfortunately for CSOs, there simply isn't an automatic or foolproof way to make sure their companies' computer systems aren't infected with this type of malware. Antivirus vendors are still figuring out how to change their business models to encompass the threat, and antispyware boutique firms are struggling to roll out enterprise versions of their consumer-oriented products. Legislation and case law are only just emerging, even as the companies involved hurl lawsuits at one another faster than you can say "reboot." Meanwhile, creators of spyware and its trickster cousin, adware, are developing versions of their wares that are so elusive and pervasive that they've earned a nickname: scumware.

"First it becomes a nuisance, and we can use freeware to tackle it," says Stash Jarocki, senior vice president of information security at New York City-based Bessemer Trust, describing what has become a familiar cycle. "Then it reaches the point where you can't manage on a temporary basis, and you want to manage it enterprisewide. I think the cry has gone out to vendors that this has become an enterprise issue. It is a resource killer."

Welcome to the Internet's most vicious arms race. In case it isn't obvious by now, the bad guys are pounding us.

Spies Like Them

Loosely put, spyware is software that, once installed on a computer, gathers information about the computer user, usually without the person knowing or understanding what is happening, and relays that information to a third party. The results can range from resource hogging to identity theft. But even the precise definition of spyware, and the problem's scope, is up for debate.

At the tamest end is adware. This can include anything from a program that gathers statistics on Web usage, to one that customizes a user's Internet experience based on the sites he visits, to one that takes over someone's browser in a way that she might or might not consider useful. Some consider Internet cookies to be a type of spyware because they quietly gather information about websites that a user has visited.

On the Wild West side of things are keystroke loggers that can be used to steal credit card numbers, account names and passwords, and tools that allow hackers to control other computers remotely. If this type of software finds its way onto a corporate network, the results can be devastating. The FBI is investigating a case in which source code from computer gaming company Valve Software was posted on the Internet. Hackers allegedly captured the code by using key loggers that they installed on company computers.

These most egregious examples aside, spyware's relative merits are in the eye of the beholder. The largest adware companies, WhenU and Claria, insist that their programs are not spyware because the computer owner agrees to an end-user license agreement (EULA) that explains what the software does. And even keystroke loggers have valid uses, such as when law enforcement is investigating a suspected criminal or an IT department is checking up on a problematic employee. (This, too, can be a gray area. This past summer, The Associated Press reported that an employee of the state of Alabama was fired in 2003 for installing spyware on his boss's computer, even though he did so to prove that the boss was spending 70 percent of his time on the computer playing solitaire.)

All of this is complicating antispyware efforts in Washington. There, lawmakers in both houses of Congress are trying to come up with an antispyware bill that will be more effective than the well-intentioned but largely useless Can-Spam Act. The Federal Trade Commission is also gathering information about the scope of the problem and determining the extent to which existing fraud laws apply.

Meanwhile, the lawsuits fly. WhenU and Claria and their clients have faced multiple lawsuits from businesses who charge that their advertising practices are unfair and deceptive. In Utah, WhenU convinced a judge to temporarily block the enforcement of a state antispyware law on grounds that it violated advertisers' free speech. And in the latest legal punch, the advertising software developer 180solutions sued a former distribution partner for deceptive practices and breach of contract. It's telling that even Skoudis watched his words when he spoke of adware vendors, and he warned me to be precise in what I wrote. "You've gotta be careful," he said. "They sue people."

Whatever legal definition is eventually hammered out, however, is likely to involve three elements: permission, transparency and ease of removal. The user needs to give permission to have the software installed. The software maker needs to be transparent about how the program works, what information it gathers and where that information goes. (This is the slipperiest distinction, since most people pay about as much attention to EULAs as they do to the weather on Venus—not that their ignorance really matters from a legal perspective.) And the program needs to have an uninstall feature that allows the user to remove the software if desired.

Unfortunately, that's just not happening. Some spyware programs install themselves even if the user clicks "no" when asked for permission. Others trick users with dialog boxes that say things like, "Click No to install this software," or bombard them with so many install windows that they agree, either on purpose or accidentally. Other times, the spyware is secretly hitched to another program that the user does want—often a free screen saver, game or peer-to-peer client.

Sometimes, the user doesn't need to do anything but visit the wrong website at the wrong time with the wrong Web browser. This past summer, hackers planted a malicious bit of JavaScript code known as Berbew on some Internet Information Server (IIS) Web servers used to run legitimate websites. "If you surfed to those machines using Internet Explorer, it would hack your browser, forcing it to download a piece of code from a Russian website," Skoudis says. The software then captured log-in information when the user visited certain sites such as financial services websites.

It gets worse. Skoudis laments the rise of what he calls the "bot-worm vicious cycle." Bots are semiautonomous programs that, once installed on a computer, can act on behalf of a hacker. When bots consort with worms—programs that spread automatically—the results can be disastrous. We saw this with outbreaks like Bagle, Netsky and Sasser, all worm bots that contained keystroke loggers.

"You see how it all feeds together?" Skoudis says. "Worms spread bots, bots spread worms, and most of them carry spyware now. It's awful when a virus crashes your computer, but now we've got something that doesn't want to break your computer at all. It wants your computer to keep humming along while it spies on you."

Just uninstall? Forget about it. This type of software generally doesn't have an uninstall feature, and it's designed to hide from the uninstall function in the operating system. Some programs can seem to be deleted, but a small part of them remains. The next time the computer is online, the program surreptitiously reinvents itself. Others have multiple programs that watch one another's backs. The software I had appeared as two programs in the Windows Task Manager. I deleted one and another instantly appeared. Its anonymous creator strove for immortality.

"Spyware can be multiple programs watching each other to see if it gets deleted," Meta's Firstbrook says. "It's almost impossible to kill it." The user has to delete files in the right order and also edit the registry—a task for only the most sophisticated users.

Why aren't antivirus programs catching this malware? Killing insidious code, after all, is what they do best. Historically, however, antivirus companies have obliterated code that no one wants, ever. When it comes to spyware, observers say, they just haven't perceived it as a severe enough threat to respond quickly or effectively. "It hasn't been on their radar," Jarocki says. The reasons why are as complicated as the spyware itself.

Vendor Arms Race

Vincent Gullotto never thought he would be reading EULAs as part of his job. "Viruses don't come with EULAs," says Gullotto, vice president of McAfee's Anti-virus and Vulnerability Emergency Response Team. "If a program does something and tells you all along exactly what it's doing, from our perspective, it's not malicious. It's a program. Frankly, this is a quagmire for any organization to have to get into."

The distinction between software that's always considered bad and software that is sometimes considered bad is crucial. McAfee has dubbed spyware "potentially unwanted programs," or PUPs, with the emphasis on the first "P": potentially. That's because the company ran into legal problems when a version of its antivirus software classified a piece of adware as a virus and zapped it. An adware vendor argued that McAfee was taking away legitimate business.

Since then, McAfee and other major antivirus vendors have been struggling to figure out how to fit this type of threat into their business model. Should antispyware capabilities be a part of antivirus programs and to what extent? How can antivirus tools account for code that some users want to eliminate and others don't? What if a piece of adware is living up to the promises in its EULA but customers are still complaining? And, perhaps most important, if customers don't want to pay for separate antispyware products, how can the vendor justify the expense of building the capability into their existing software?

As the big guns try to answer these questions, smaller companies have moved onto their turf. Ad-Aware, from Lavasoft, Spybot Search and Destroy, Pest Patrol and Webroot's Spysweeper are the most popular of these programs. They operate like antivirus tools, matching lists of known malware against computer files and eradicating software that computer users don't want. Also like antivirus tools, they have to be updated and be set up to scan files. Until recently, they were marketed to home users and rarely appeared in corporate settings, and so didn't pose much of a threat to the security establishment. But now, they're making inroads to the enterprise, with versions that offer centralized control, updating and reporting features.

Webroot says that 100,000 paid seats of its Spysweeper Enterprise were installed within the first six weeks of the product being released this past June. Steve Thomas, founder and CTO of the Boulder, Colo.-based company, has been thrilled with the market's response. "We've gotten on the phone with some customers, and they'll say, 'We're literally rebuilding three to five machines a day because the spyware is so bad,'" says Thomas, whose company is privately held and turning a profit.

But products like Spysweeper are still in their infancy. CSOs report having to use several different types of antispyware tools to find some culprits, and even then they may not succeed. (I ran three programs on my computer, to no avail.) What's more, CSOs simply don't see why they should have to install a whole extra piece of software—one that needs updates and does scans—to deal with a problem that they think should be handled by antivirus tools.
