Spyware: An Update

How big of a problem is spyware?

It’s big enough that the U.S. House of Representatives voted unanimously to stiffen jail sentences for those who use secret surveillance programs to steal credit card numbers or commit other crimes.

Under the bill, known as the Internet Spyware (I-SPY) Prevention Act of 2004, those found guilty of using spyware to commit other crimes would face up to five years in prison on top of their original sentences. Those who use spyware to steal personal information with the intent of misusing it, or use spyware to compromise a computer’s defenses, could face up to two years behind bars.

The bill would also apply to those who perpetrate so-called “phishing” attacks — official-looking email messages that aim to trick people into disclosing their bank-account numbers or other personal information.

In addition, the I-SPY bill allocates $10 million to the Department of Justice to combat spyware and phishing scams.

Two days before the I-SPY vote, House lawmakers approved a separate bill that establishes multimillion-dollar fines for spyware perpetrators. (Some observers predict that the two bills will be combined with a spyware bill that is currently working its way through the Senate.)

A pervasive problem

Antivirus products allow users to protect themselves from a variety of potential software and Internet threats. These include malicious code such as viruses and Trojans, as well as expanded threats, which include spyware, adware, and dialers. While definitions of spyware vary, it’s generally agreed that these programs have the ability to scan systems or monitor activity and relay information to other computers or locations in cyberspace. Among the information that may be actively or passively gathered and disseminated by spyware: passwords, log-in details, account numbers, personal information, individual files or other personal documents. Spyware may also gather and distribute information related to the user’s computer, applications running on the computer, Internet browser usage, or other computing habits.

Many popular file-sharing programs come bundled with spyware. In fact, spyware is embedded in hundreds of programs, including games, utilities, and media players, that can be downloaded for free from the Internet. Spyware is also how many file-sharing vendors make money while not charging for their products. With these programs, it has been said, you pay with your privacy instead of with money.

For that reason, the Federal Trade Commission has repeatedly warned consumers as well as businesses about the trade-offs involved in shareware. In an alert issued last year, the FTC was unambiguous: “Before you use any file-sharing program, you may want to buy software that can prevent the downloading of spyware or help detect it on your hard drive.”

Just this month the FTC announced it had asked a U.S. District Court in New Hampshire to shut down a spyware operation that hijacks computers, secretly changes their settings, barrages them with pop-up ads, and installs adware and other software programs that spy on consumers’ Web surfing. The FTC alleges the spyware operation, a network of sites operated by former “spam king” Sanford Wallace, violates federal law and asks the court to bar the practices permanently.

How pervasive is spyware? Internet service provider Earthlink announced earlier this month that a scan of 3 million computer systems over nine months found 83 million instances of spyware. Researcher Gartner Inc. has estimated that more than 20 million people have installed adware applications (adware is a type of spyware that reports back on a user’s activities in order to serve up targeted advertising), and this covers only a portion of the spyware that is out there.

A dangerous evolution

All of this recent attention comes as traditional notions of spyware are evolving. Indeed, Gartner in July noted that spyware has evolved — from simple cookies to a range of sophisticated user-tracking systems. The researcher went so far as to issue a report this summer titled “A Field Guide to Spyware Variations.”

In that report, Gartner observed that, midway through 2004, its clients were seeing a “surge in manifestations” of spyware. Moreover, new methods to snare users are appearing all the time, including greater exploitation of multimedia and mobile and wireless systems. Gartner clients reported that cleanup efforts typically take a few hours; however, in no time at all, the same systems will become infected again.

Gartner’s research underscores a key finding of the latest Symantec Internet Security Threat Report: namely, that these violations are becoming more problematic. The Threat Report found that six of the top 50 malicious code submissions to Symantec Security Response in the first six months of 2004 were adware.

The Threat Report noted that adware packages perform numerous operations, including displaying pop-up ads, dialing to high-cost numbers through the system’s modem if one is present, modifying browser settings such as the default home page, and monitoring the user’s surfing activity to display targeted advertisements. The effects range from mere user annoyance to privacy violations to monetary loss.

Reasons to be vigilant

While the threats posed by these programs may be difficult to quantify, that doesn’t mean they aren’t a security concern to today’s enterprises. Because spyware and adware programs are unauthorized, surreptitiously installed software, administrators have no knowledge of or control over what the programs may be running. For instance, they could be used to monitor users’ browsing habits, constituting a loss of privacy. Most spyware and adware packages are also capable of dynamically updating themselves, often with new functionality that the user is unaware of.

As the Internet Security Threat Report observed, Symantec’s research has shown that there are good technical countermeasures to spyware and adware, such as implementing more restrictive Web browser settings. In addition, many companies have security policies in place that prohibit users from downloading or installing unauthorized software on corporate computers. Despite this, users often knowingly engage in activities that risk exposure of confidential information.

For this reason, it is important for users to read and understand the End User License Agreement (EULA) and other notification methods before installing any software. Spyware EULAs typically contain ambiguous language designed to mislead users about the information-gathering functionality of the software. At the same time, it is equally important that software publishers provide users with clear and unambiguous notifications of the actions that their software performs.

For its part, Gartner recommends that IT organizations promote cooperation between end-user groups, technical support, and security teams to ensure that a company’s response to spyware keeps pace with this growing threat to privacy.

Conclusion

As the spate of recent legislative and FTC activity attests, public intolerance of spyware has reached a new plateau. In the enterprise environment, spyware is rapidly becoming a serious security concern, particularly as most corporate networks allow HTTP traffic, the means by which spyware is propagated.

Symantec continues to view spyware as a significant threat and recommends that enterprise users be vigilant about updating their antivirus software. Security administrators should take extra measures to maintain a strong security posture on client systems. They should also ensure that client system patch levels are up to date and that acceptable usage policies are in place and enforced.