Republished with permission from
WatchGuard Technologies, Inc.
Spyware: Time to Get Smart
By David Piscitello, President, Core Competence
Many users vaguely understand the security risks, privacy invasions, and performance costs associated with having spyware secretly and maliciously installed on their computers. Fewer users know the many forms spyware takes and the truly evil activities it performs. Beyond a general sense that spyware is uninvited, malicious software, average users know very little about it.
Until recently, people have dismissed spyware as less important to contend with than viruses and spam. I believe spyware poses an even greater threat than viruses and spam. Spyware can be as debilitating as the nastiest of viruses. The financial threats spyware poses are far ranging and more serious than e-mail credit card scams (phishing), and the privacy issues and liabilities spyware exposes are grim. Small and medium businesses must understand what spyware is and the threats it poses. In this, the first of two articles, I'll explain why spyware represents a greater risk than you might have realized. In the second article, we'll analyze spyware solutions and pick the best.
A spyware sampler
To simply call spyware uninvited software is misleading. Spyware installed on your PC can modify the Windows Registry and add dynamic link libraries (DLLs) and downloaded program files (DPFs, e.g., hostile ActiveX or Java VM objects) to your system. Some spyware exploits Web browsers (especially Internet Explorer) by installing ActiveX controls, browser helper objects (BHOs), and toolbars, or by modifying browser Internet options, including home pages, favorites lists, and context menu items. Some spyware even alters TCP/IP settings and hosts files.
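The hosts-file tampering mentioned above is one of the easier changes for a defender to audit. The following Python script is an added example, not code from the article or from WatchGuard: it parses a hosts file (a constructed sample is embedded inline) and flags the two patterns a spyware-altered file shows, public names redirected to some other address and non-local names pinned to loopback. The function names and the allow-list of legitimate loopback names are my assumptions.

```python
import ipaddress

# Constructed sample (not from the article): a normal Windows hosts file
# plus two lines of the kind browser-hijacking spyware adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below are typical of a tampered file
203.0.113.10    www.example.com search.example.net
127.0.0.1       updates.antispyware-vendor.test   # sinkholes a vendor site
"""

# Names that legitimately resolve to loopback on a stock system (assumption).
ALLOWED_LOOPBACK_NAMES = frozenset({"localhost", "localhost.localdomain", "broadcasthost"})


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for each entry; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed first field; not an address, ignore the line
        yield ip, parts[1:]


def audit_hosts(text, allowed_loopback=ALLOWED_LOOPBACK_NAMES):
    """Return findings as (kind, hostname, ip) tuples in file order.

    'redirected': a name mapped to a non-loopback address, the classic
                  session/search hijack indicator.
    'sinkholed':  a non-local name pinned to 127.0.0.1/::1, used to block
                  update or security-vendor sites.
    """
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if ip.is_loopback:
                if name not in allowed_loopback:
                    findings.append(("sinkholed", name, str(ip)))
            else:
                findings.append(("redirected", name, str(ip)))
    return findings


if __name__ == "__main__":
    for kind, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10s} {name} -> {ip}")
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) into `audit_hosts` instead of the sample; any legitimate intranet names should be added to the allow-list before treating output as an alert.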
Online spyware encyclopedias and glossaries identify tens of thousands of malicious programs considered spyware. Some commonly encountered types of spyware include adware, browser session hijackers, Trojan horse spyware (RATs and keyloggers), tracking agents, Web bugs and data miners, and "double agent" anti-spyware.
Let's take a brief look at how each of these adds to your risk.
Not all adware is (technically) spyware, but many experts feel that even permission-ware is spyware when it delivers unsolicited advertising. Common delivery methods include unrequested browser windows (popups) and ad-sponsored applications. There are currently nearly 800 ad-sponsored and spyware-encumbered software offerings. This diverse group includes free versions of games (Midnight Oil Solitaire), FTP clients (FTP Works), e-mail clients (Eudora), music players, Web and system utility software, and more, often coming with a catch. The software developer receives revenue from advertisers who display advertising in windows or toolbar features of the so-called freeware. Some adware (e.g., FlashTrack) tracks a user's Web activities and search queries. It then sends this information to advertising servers like Aureate and Aveo, which return targeted advertising (commonly, popup ads) based on keywords and phrases. As many parents know, even seemingly benign keywords like "kittens" can expose their children to objectionable material, including pornography.
Browser session hijacking is a kind of virtual world bait-and-switch. Spyware (Icoo, WurldMedia, Xupiter Toolbar, Lop, BonziBuddy, CoolWebSearch) redirects browser sessions and search queries, taking users to Web sites and search engines they didn't intend to visit. The hijacked user can be exposed to undesirable or suspect content and advertising. The hijackers earn referral commissions and affiliate fees by selectively referring the user to an e-commerce site that offers some service or product similar to the site the user intended.
Certain Remote Administration Tools (RATs) and keyloggers are examples of Trojan horse spyware. As the names imply, these give attackers administrative control, or extraordinary eavesdropping and intercept capabilities. Acting remotely, an attacker can intercept and log user keystrokes, monitor application and browser activities, and even intercept WebCam streams. BackOrifice and Sub7 are examples of attacker RATs and pose a DDoS threat. Commercial RATs like NetObserve and Spyagent are ostensibly sold for "legitimate tracking" by managers, parents and suspicious spouses. The recent and notorious Bankhook.A is a keystroke-logging BHO delivered as an attachment to an e-mail message. Once installed, Bankhook tries to find banking account access data on a PC.
Tracking agents, Web bugs, and data miners are virtual dumpster divers. They can monitor your Web browsing, shopping, e-mail, and instant messaging activities, and might gather system configuration and personal information as well. Some tracking companies use this information to deliver targeted advertising, but others sell or abuse what they gather. Alexa, a popular search toolbar, is also a data miner. Transponder/VX2 mines e-mail addresses, browser histories, and also scrounges data from Web forms and configuration files. Gator/GAIN (now Claria) claims to be permission-ware, but anti-spyware experts claim the client, which auto-completes forms and saves passwords, tracks user buying habits.
Double agent spyware. Sadly, some software that advertises as anti-spyware is itself spyware. Users download trial or freeware versions of so-called security software they expect will remove adware, only to learn that these versions are in fact adware. Reputable anti-spyware vendors like PestPatrol and Kephyr Labs identify RedV EasyInstaller and SpyBlast as spyware. If you think there's no worse behavior than this, think again: some anti-spyware (SpyWiper) hijacks home pages, hoping to scare unwitting users into purchasing their product (virtual protection racketeering!).
Assessing the spyware threat level
In the vernacular of Homeland Security, the spyware "threat level" is somewhere between Elevated and High. If your business operates in a regulated environment, place the threat level between High and Severe. Consider these threats:
I hope I've convinced you that spyware is a serious threat. In my next article, I'll describe methods to identify and remediate systems infected with spyware, and methods to provide ongoing protection. I'll also recommend spyware removal and blocking software to assist you in these processes, along with some emerging "best antispyware" practices. See you next week.
C|net: The spyware that loved me
Dave Piscitello's Anti-spyware Resources page
Copyright© 2004, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.