


Sarah D. Scalet
Senior Editor

Spyware: Scumware Out There

Nov 01, 2004

Security vendors big and small are in an arms race to root out spyware and other malicious code, but so far they're all losing.

Maybe I clicked “no” in a dialog box that I ought to have closed, or installed a bogus version of a browser plug-in. Maybe I just visited the wrong website on the wrong day, and with my Web browser’s unwitting compliance became a victim of a drive-by downloading of rogue software. Whatever the case, my punishment was brilliant and unstoppable. The spyware hijacked my Web browser and bombarded me with pop-up ads, even when the browser was closed and the network connection was unplugged. It made dubious offers of antispyware tools that would supposedly clean my system, yet hid from three legitimate cleaning tools and my antivirus software. It resisted my attempts to close it from the Windows task manager or delete it from the startup file. Applications ran grindingly slowly, and my system crashed so often that it was rendered useless. Whenever I thought I had the monster killed, it reared its ugly head again.

Finally, my company’s IT technicians threw up their hands and reformatted my hard drive, mystery unsolved.

Along the way, something happened to me that observers say has happened to a critical mass of even the most security-savvy computer users over the past six months: Spyware became not just a nuisance but a plague that brought my productivity to a screeching halt.

“In enterprise, the guys are telling me that as much as 25 percent of their desktops at any time are affected by increasingly destabilizing software,” says Peter Firstbrook, an analyst at Meta Group. “It’s their number-one help desk issue.”

“We have evidence that [spyware] is at least partially responsible for approximately half of the application crashes our customers report to us,” Jeffrey Friedberg, Microsoft’s director of Windows privacy, told Congress last spring—and you know that’s a lot of application crashes. “It has become a multimillion-dollar support issue.”

“We’ve never seen malicious code to the level we’ve seen in the last six months,” says Ed Skoudis, author of Malware: Fighting Malicious Code. “It’s just exploded.”

Unfortunately for CSOs, there simply isn’t an automatic or foolproof way to make sure their companies’ computer systems aren’t infected with this type of malware. Antivirus vendors are still figuring out how to change their business models to encompass the threat, and antispyware boutique firms are struggling to roll out enterprise versions of their consumer-oriented products. Legislation and case law are only just emerging, even as the companies involved hurl lawsuits at one another faster than you can say “reboot.” Meanwhile, creators of spyware and its trickster cousin, adware, are developing versions of their wares that are so elusive and pervasive that they’ve earned a nickname: scumware.

“First it becomes a nuisance, and we can use freeware to tackle it,” says Stash Jarocki, senior vice president of information security at New York City-based Bessemer Trust, describing what has become a familiar cycle. “Then it reaches the point where you can’t manage on a temporary basis, and you want to manage it enterprisewide. I think the cry has gone out to vendors that this has become an enterprise issue. It is a resource killer.”

Welcome to the Internet’s most vicious arms race. In case it isn’t obvious by now, the bad guys are pounding us.

Spies Like Them

Loosely put, spyware is software that, once installed on a computer, gathers information about the computer user, usually without the person knowing or understanding what is happening, and relays that information to a third party. The results can range from resource hogging to identity theft. But even the precise definition of spyware, and the problem’s scope, is up for debate.

At the tamest end is adware. This can include anything from a program that gathers statistics on Web usage, to one that customizes a user’s Internet experience based on the sites he visits, to one that takes over someone’s browser in a way that she might or might not consider useful. Some consider Internet cookies to be a type of spyware because they quietly gather information about websites that a user has visited.

On the Wild West side of things are keystroke loggers that can be used to steal credit card numbers, account names and passwords, and tools that allow hackers to control other computers remotely. If this type of software finds its way onto a corporate network, the results can be devastating. The FBI is investigating a case in which source code from computer gaming company Valve Software was posted on the Internet. Hackers allegedly captured the code by using key loggers that they installed on company computers.

These most egregious examples aside, spyware’s relative merits are in the eye of the beholder. The largest adware companies, WhenU and Claria, insist that their programs are not spyware because the computer owner agrees to an end-user license agreement (EULA) that explains what the software does. And even keystroke loggers have valid uses, such as when law enforcement is investigating a suspected criminal or an IT department is checking up on a problematic employee. (This, too, can be a gray area. This past summer, The Associated Press reported that an employee of the state of Alabama was fired in 2003 for installing spyware on his boss’s computer, even though he did so to prove that the boss was spending 70 percent of his time on the computer playing solitaire.)

All of this is complicating antispyware efforts in Washington. There, lawmakers in both houses of Congress are trying to come up with an antispyware bill that will be more effective than the well-intentioned but largely useless Can-Spam Act. The Federal Trade Commission is also gathering information about the scope of the problem and determining the extent to which existing fraud laws apply.

Meanwhile, the lawsuits fly. WhenU and Claria and their clients have faced multiple lawsuits from businesses who charge that their advertising practices are unfair and deceptive. In Utah, WhenU convinced a judge to temporarily block the enforcement of a state antispyware law on grounds that it violated advertisers’ free speech. And in the latest legal punch, the advertising software developer 180solutions sued a former distribution partner for deceptive practices and breach of contract. It’s telling that even Skoudis watched his words when he spoke of adware vendors, and he warned me to be precise in what I wrote. “You’ve gotta be careful,” he said. “They sue people.”

Whatever legal definition is eventually hammered out, however, is likely to involve three elements: permission, transparency and ease of removal. The user needs to give permission to have the software installed. The software maker needs to be transparent about how the program works, what information it gathers and where that information goes. (This is the slipperiest distinction, since most people pay about as much attention to EULAs as they do to the weather on Venus—not that their ignorance really matters from a legal perspective.) And the program needs to have an uninstall feature that allows the user to remove the software if desired.

Unfortunately, that’s just not happening. Some spyware programs install themselves even if the user clicks “no” when asked for permission. Others trick users with dialog boxes that say things like, “Click No to install this software,” or bombard them with so many install windows that they agree, either on purpose or accidentally. Other times, the spyware is secretly hitched to another program that the user does want—often a free screen saver, game or peer-to-peer client.

Sometimes, the user doesn’t need to do anything but visit the wrong website at the wrong time with the wrong Web browser. This past summer, hackers planted a malicious bit of JavaScript code known as Berbew on some Internet Information Server (IIS) Web servers used to run legitimate websites. “If you surfed to those machines using Internet Explorer, it would hack your browser, forcing it to download a piece of code from a Russian website,” Skoudis says. The software then captured log-in information when the user visited certain sites such as financial services websites.

It gets worse. Skoudis laments the rise of what he calls the “bot-worm vicious cycle.” Bots are semiautonomous programs that, once installed on a computer, can act on behalf of a hacker. When bots consort with worms—programs that spread automatically—the results can be disastrous. We saw this with outbreaks like Bagle, Netsky and Sasser, all worm bots that contained keystroke loggers.

“You see how it all feeds together?” Skoudis says. “Worms spread bots, bots spread worms, and most of them carry spyware now. It’s awful when a virus crashes your computer, but now we’ve got something that doesn’t want to break your computer at all. It wants your computer to keep humming along while it spies on you.”

Just uninstall? Forget about it. This type of software generally doesn’t have an uninstall feature, and it’s designed to hide from the uninstall function in the operating system. Some programs can seem to be deleted, but a small part of them remains. The next time the computer is online, the program surreptitiously reinvents itself. Others have multiple programs that watch one another’s backs. The software I had appeared as two programs in the Windows Task Manager. I deleted one and another instantly appeared. Its anonymous creator strove for immortality.

“Spyware can be multiple programs watching each other to see if it gets deleted,” Meta’s Firstbrook says. “It’s almost impossible to kill it.” The user has to delete files in the right order and also edit the registry—a task for only the most sophisticated users.

Why aren’t antivirus programs catching this malware? Killing insidious code, after all, is what they do best. Historically, however, antivirus companies have obliterated code that no one wants, ever. When it comes to spyware, observers say, they just haven’t perceived it as a severe enough threat to respond quickly or effectively. “It hasn’t been on their radar,” Jarocki says. The reasons why are as complicated as the spyware itself.

Vendor Arms Race

Vincent Gullotto never thought he would be reading EULAs as part of his job. “Viruses don’t come with EULAs,” says Gullotto, vice president of McAfee’s Anti-virus and Vulnerability Emergency Response Team. “If a program does something and tells you all along exactly what it’s doing, from our perspective, it’s not malicious. It’s a program. Frankly, this is a quagmire for any organization to have to get into.”

The distinction between software that’s always considered bad and software that is sometimes considered bad is crucial. McAfee has dubbed spyware as “potentially unwanted programs,” or PUPs—the importance here on the first “P.” Potentially. That’s because the company ran into legal problems when a version of its antivirus software classified a piece of adware as a virus and zapped it. An adware vendor argued that McAfee was taking away legitimate business.

Since then, McAfee and other major antivirus vendors have been struggling to figure out how to fit this type of threat into their business model. Should antispyware capabilities be a part of antivirus programs and to what extent? How can antivirus tools account for code that some users want to eliminate and others don’t? What if a piece of adware is living up to the promises in its EULA but customers are still complaining? And, perhaps most important, if customers don’t want to pay for separate antispyware products, how can the vendor justify the expense of building the capability into their existing software?

As the big guns try to answer these questions, smaller companies have moved onto their turf. Ad-Aware, from Lavasoft, Spybot Search and Destroy, Pest Patrol and Webroot’s Spysweeper are the most popular of these programs. They operate like antivirus tools, matching lists of known malware against computer files and eradicating software that computer users don’t want. Also like antivirus tools, they have to be updated and be set up to scan files. Until recently, they were marketed to home users and rarely appeared in corporate settings, and so didn’t pose much of a threat to the security establishment. But now, they’re making inroads into the enterprise, with versions that offer centralized control, updating and reporting features.

Webroot says that 100,000 paid seats of its Spysweeper Enterprise were installed within the first six weeks of the product being released this past June. Steve Thomas, founder and CTO of the Boulder, Colo.-based company, has been thrilled with the market’s response. “We’ve gotten on the phone with some customers, and they’ll say, We’re literally rebuilding three to five machines a day because the spyware is so bad,” says Thomas, whose company is privately held and turning a profit.

But products like Spysweeper are still in their infancy. CSOs report having to use several different types of antispyware tools to find some culprits, and even then they may not succeed. (I ran three programs on my computer, to no avail.) What’s more, CSOs simply don’t see why they should have to install a whole extra piece of software—one that needs updates and does scans—to deal with a problem that they think should be handled by antivirus tools.

That’s why CSOs have been putting pressure on antivirus companies to get on top of the problem. Robert Garigue, CISO of the Bank of Montreal, says his company has warned its antivirus vendor that the next time his software licenses come up for renewal, the vendor will be assessed around new functionalities that incorporate spyware as well as spam protection. “We’ve been talking about this for two years with our antivirus vendors, because as far as we’re concerned, how is this different from antivirus software?” Garigue says.

Given that pressure, how quickly can antivirus vendors catch up? Symantec is working on enterprise and consumer products, to be released in late 2004, that finally will contain what a spokesman calls “significant repair functionality.” McAfee’s newest version of Virus Scan is the first to remove some spyware—but even then, Gullotto says, the company is not yet trying to compete with programs like Pest Patrol and Spybot. (This despite the fact that Gullotto expects spyware to eventually outnumber Trojans and worms.) All bets are on.

“We’re trying to evaluate who’s going to get there first,” Garigue says. “Is it going to be traditional antivirus companies that are going to be moving into spyware, or is it going to be the new antispyware point solutions coming into the enterprise? Who’s going to dominate?”

Roll Your Own

In the meantime, CSOs will have to roll their own solutions, by using a combination of existing anti-malware tools, clever architecture, tough policies and one other old standby: employee awareness.

Web filters and firewalls can help, both by preventing computer users from visiting sites that are known to harbor spyware and by keeping errant programs from communicating with their home bases. Outbound monitoring of intrusion detection systems can allow system administrators to identify when there might be a problem on the network. Spam filters can help users fend off infected e-mails.
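The outbound monitoring described above can be reduced to a simple heuristic: spyware phoning home to its base fires on a timer, so its connections recur at near-constant intervals, whereas a person browsing is bursty and irregular. The script below is an added example, not code from the article or any vendor mentioned in it; the egress-firewall log format, hostnames and timestamps are constructed for illustration.

```python
"""Beaconing heuristic over constructed egress-firewall log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one outbound connection per line. Format, hosts
# and destinations are assumptions for this example, not real data.
SAMPLE_LOG = """\
2004-11-01T09:00:00 src=ws-17 dst=tracker.example.invalid:80 bytes=512
2004-11-01T09:00:11 src=ws-17 dst=www.example.org:80 bytes=30211
2004-11-01T09:05:00 src=ws-17 dst=tracker.example.invalid:80 bytes=498
2004-11-01T09:07:45 src=ws-17 dst=mail.example.org:443 bytes=8811
2004-11-01T09:10:01 src=ws-17 dst=tracker.example.invalid:80 bytes=503
2004-11-01T09:15:00 src=ws-17 dst=tracker.example.invalid:80 bytes=520
2004-11-01T09:19:30 src=ws-17 dst=www.example.org:80 bytes=45007
2004-11-01T09:20:00 src=ws-17 dst=tracker.example.invalid:80 bytes=511
2004-11-01T09:25:00 src=ws-17 dst=tracker.example.invalid:80 bytes=499
2004-11-01T09:02:10 src=ws-22 dst=www.example.org:80 bytes=2290
2004-11-01T09:31:55 src=ws-22 dst=www.example.org:80 bytes=1190
2004-11-01T09:44:02 src=ws-22 dst=www.example.org:80 bytes=6030
2004-11-01T10:12:19 src=ws-22 dst=www.example.org:80 bytes=910
"""

def parse_log(text):
    """Return {(src, dst): [timestamps]} from 'timestamp key=value ...' lines."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        conns[(kv["src"], kv["dst"])].append(datetime.fromisoformat(ts_str))
    return conns

def find_beacons(conns, min_hits=5, max_cv=0.10):
    """Flag (src, dst) pairs seen at least min_hits times whose gaps between
    connections are nearly constant: coefficient of variation <= max_cv."""
    hits = []
    for (src, dst), stamps in conns.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "period_s": round(avg), "cv": round(cv, 3)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the sample data only ws-17 talking to tracker.example.invalid every 300 seconds is flagged; the human browsing from both workstations is too irregular or too infrequent to trip the thresholds, which a real deployment would tune against its own baseline.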

Companies that are especially concerned may choose to lock down their desktops and prevent users from installing any software—on purpose or not. Or they may simply decide that the spyware problem calls for policies that prohibit software that is typically rife with spyware and adware. Peer-to-peer clients such as Kazaa, for instance, often are linked to adware, and many of the files available through these file-sharing services also may be infected with malicious code.

Patching is another key to prevention. Windows XP Service Pack 2 and other patches from Microsoft are supposed to lock down some of the vulnerabilities that allow software to be installed on a PC without a website visitor’s permission. (The need for these patches, of course, is fuel for those who favor open-source Web browsers like Mozilla and argue that Microsoft has not done enough to secure its products. But that’s another story.)

Just as important, though, CSOs need to spread the word about common tricks the software uses to install itself and ways to tell that your computer is infected. Not all of these are the old, “Don’t open unsolicited attachments” mantra that CSOs have been repeating for years. Think of this as Security Awareness 102. (See “What Spyware Does—and How to React,” on Page 32, for some common ploys.)

Every little bit helps. At UPS, Jim Flynn, systems manager for information security, says that awareness training—both for employees and for customers who have UPS-supplied hardware for shipping—has gone a long way toward limiting the amount of damage spyware can do. “We have an extremely strict no-download policy,” he says. “People know that if they notice any kind of abnormal installation activity, to notify us and we can take steps to get that corrected.”

A true solution, of course, will come only with more thorough, easier to manage antispyware tools. CSOs are in a unique position to make this happen more quickly by putting pressure on vendors to add the capabilities that they need. In fact, observers predict that soon, some of the large antivirus vendors will really start putting their money where their mouths are, and kick-start their antispyware efforts by acquiring some of the boutique firms like Webroot.

Meta’s Firstbrook says the market for antispyware tools is appearing just like that for antispam technologies, which saw tremendous vendor consolidation during the past year and a half. He thinks that antispyware functions will be swallowed up into antivirus tools, so users get “one scanner and one cleanup utility.” Problem incorporated.

But then, it’ll be on to the next thing. “Spyware is the chewing gum of the Internet that sticks underneath your soles,” Garigue says. “It clogs up your carpet. It’s really messy. Some of it is really nasty, and you need to be able to evaluate the germs you’re bringing home.”