Snoopy software, private data snatched off networks and sent to a server somewhere in Siberia or San Francisco ... all these unfortunate occurrences can be attributed to spyware, a generic term for software that regularly collects demographic and usage information from a computer and transmits it to a marketing company or other interested parties without the user's explicit permission. Spyware is far more intrusive than spam and can cause more real problems than many computer viruses. The more benign versions -- sometimes called adware -- confine themselves to downloading and displaying "targeted" ads and may only be resource hogs. But many spyware applications go farther. They auto-update themselves, alter system configurations, download and install additional software, and access and disclose data stored on computers they infect -- or on any shared network resources that the affected computer can access.
ISP EarthLink Inc. offers subscribers a free spyware scanning service. Of the more than 2 million computers scanned since January, one in three harbor spyware, with an average of 28 spyware programs per infected machine. Hardware vendor Dell Inc. says 12 percent of the support requests it receives concern spyware. Dell and EarthLink believe their respective support calls and scan requests come mainly from home or small-business users. Are enterprise networks spyware-free?
According to the results of a recent survey conducted on behalf of enterprise security vendor Secure Computing Inc. by independent research company TheInfoPro, only 25 percent of polled enterprise IT managers thought spyware was a major problem. That was not the response Tim McGurran, president and COO of Secure Computing, was expecting.
"Frankly, we were surprised that so few enterprises appear to be worried about spyware," McGurran says. "Statistics definitely show that spyware is a serious problem in the enterprise. Equally disturbing was that the majority of the respondents also said that they have spyware policies in place in their organizations but that the policies aren't really enforced."
Secure Computing's survey didn't ask IT managers whether spyware was or had been present on their systems. A recent poll by Harris Survey did ask, and 92 percent of polled IT managers said their organizations had been infected with spyware -- with an average of 29 percent of their corporate PCs infected.
Because both surveys were conducted according to accepted rules of research, we're left with a conundrum: IT administrators admit a large percentage of enterprise computers have been infected and yet insist spyware isn't a real problem. Enterprise security vendors themselves have only recently begun to take spyware seriously, meaning that the best software for detecting and removing spyware still originates from a handful of small, relatively obscure software vendors.
"When a company loses a significant amount of money -- or is the victim of a demonstrable case of corporate espionage -- and it makes a major impact in the newspaper, then corporations will take notice," says Bruce Schneier, founder and CTO of Counterpane Internet Security Inc. "My guess is that this kind of thing is already happening and will happen with a greater frequency in the future. Criminals, from lone criminals to organized crime, have discovered spyware."
Spyware or adware?
Businesses aren't ignoring the spyware issue, but it's not high on the agenda, says Kevin Harvey, senior technical consultant at technology consultancy Forsythe. "Part of the problem is that spyware isn't as well understood as other security risks," he says.
The confusion over what spyware is -- a plague from the darkest corners of the Internet or a nice software present with a small catch from the marketing world -- and the slight but legally actionable difference between it and its less malicious sibling adware make it difficult to develop solutions and strategies to deal with the problem.
Claria, which distributes the Gator software that some refer to as spyware, last year filed a libel suit against an anti-spyware program vendor. The suit was settled out of court when PC Pitstop removed information critical of the company and its software from the PC Pitstop Web site. Claria insists that Gator is not spyware because the software's behavior is clearly explained in end-user licensing agreements and the people who use Gator software know they are providing their personal information in exchange for free software. Claria claims it currently "serves" more than 43 million consumers who have agreed to receive advertising.
Claria's argument was borne out during a recent security scan of an enterprise network by Blue Coat Systems Inc., a company that manufactures proxy appliances that control how employees use the Internet. Blue Coat offers companies a free service called a Web Traffic Assessment. During an assessment, Blue Coat installs a proxy appliance onto the network without any policy controls, allowing the appliance to simply log all Web activity taking place on the network. Steve Mullaney, vice president of marketing at Blue Coat, says this has been very effective in helping some large companies identify spyware on their networks.
"Blue Coat recently ran a Web Traffic Assessment for a large Fortune 500 enterprise manufacturing company and found out that the No. 1 visited Web site in corporation was Gator.com," Mullaney says. "Management did not know what Gator was, and when we told them it was adware/spyware, they were shocked, to say the least."
How did Gator get on those machines and drive that traffic? Because Blue Coat can pinpoint individual users, management asked some users whether they knew they had spyware/adware on their machines. Surprisingly, the users said yes, they did know. In fact, they had installed Gator and explicitly agreed to receive aggressively served ads in exchange for Gator's e-wallet application.
"After further probing by IT staff, one user says, 'Well, I wouldn't install adware on my computer at home,' " Mullaney says. "The IT staff then learned that some of the users didn't want to slow down their home PC or home Internet connection with adware. The CIO was not amused."
So Claria may be right -- some users know what they're getting, and there may be some difference between adware and spyware. But does this matter to anyone but Claria and the people contacted by the company's lawyers? Some security experts say it does.
"It's necessary to understand the difference between adware and spyware when addressing how these programs are getting onto corporate networks," says Gregg Mastoras, senior security analyst at Sophos PLC, a security application vendor. "Adware is usually deliberately installed by a user. It is a noisy application, clearly announcing its presence on a computer through advertisements. You prevent it through policies and user education."
But spyware, Mastoras says, is stealthier. "Spyware usually installs itself without permission via holes in software or doesn't come with a clear explanation of its purposes. Spyware is a subtle, under-the-radar application that wishes to remain unnoticed so that it can collect data without interference," he says.
Aggressive spyware variants pose a severe threat, particularly for companies that subsist on sensitive data. "I know of one major HMO that has a 10-person staff dedicated solely to the eradication of spyware because they feel it is such a risk to their HIPAA compliance," says John Bedrick, group product marketing manager of system security at McAfee Inc. "We also worked with a major financial institute that was hacked. User IDs and passwords were gathered by spyware and transmitted to a third-world country, and the company's network was then hacked with remote administrative tools."
So what strategies should enterprises use to fend off spyware and adware? As with any vexing problem that has security implications, the solution derives from a combination of policy and technology.
One approach is simply to jettison Internet Explorer. The majority of adware and spyware works only on computers running Microsoft's operating system and Web browser. Some experts advise switching to the Mozilla's Firefox Web browser to cut down on "drive-by installs" -- that is, spyware that installs itself without users' knowledge or explicit permission.
Security experts agree, however, that spyware is sneaking onto corporate desktops largely as a result of user behavior. "Spyware has many vectors, but the critical issue is that the door is opened by user actions. If end-users are allowed to install software and to freely browse the Web, the enterprise is exposed," says Richard Stiennon, who until recently was a lead security analyst at Gartner and is now vice president of threat research at Webroot Software, a security software vendor.
Policy enforcement should ensure that good users don't do bad things such as installing silly programs on their desktops or running file-sharing applications that typically harbor a slew of spyware. And good patch management polices should prevent sneaky programs from installing themselves on a computer without the user's knowledge via security holes in operating systems and Web browsers.
Yet as Sophos' Mastoras notes, "End-user behavior generally triumphs over protection, patching, and policies. Few organizations are able to actually enforce the policies they create."
Factor in human behavior, and conventional security technologies alone aren't up to the task. "Typical large enterprises have firewalls and anti-virus but lack protection at the application layer. More specifically, they lack HTTP protection, which most spyware uses as its primary mode of communication," Blue Coat's Mullaney says. "Firewalls have traditionally focused on ports and, to some extent, protocols but have no visibility into content. Furthermore, attempts to extend anti-virus scanning to HTTP historically have failed due to poor performance and false positives that resulted in poor Web experiences for the end-user."
Enterprise anti-virus vendors such as McAfee, Sophos, and Symantec say they are bolstering their applications' capabilities of blocking and/or removing spyware and adware. But vendors that offer targeted enterprise anti-spyware apps point out that their products provide a good complement to anti-virus applications, offering focused, comprehensive protection against a specific threat.
Unlike anti-spyware products designed for home users, enterprise editions are fully automated, sweeping the network for infestation however often IT chooses to set the program to scan (most vendors recommend a daily sweep). Spyware can be automatically removed or remotely quarantined, as an administrator chooses.
Enterprise anti-spyware applications such as Webroot Spy Sweeper Enterprise and PestPatrol Corporate also allow system administrators to fine-tune spyware protection by defining safe lists of applications that users can install or run, a feature not yet offered by anti-virus applications. Certain or all types of cookies can be permitted. The applications can also inoculate networks, automatically blocking the installation of known spyware. Because one person's spyware is another's useful application, each company can configure auto-blocking to suit its enterprise.
"Good security requires defense in depth," Counterpane's Schneier says. "There's no 'benefits of inoculation vs. scanning' argument with spyware; a smart company does both. Security is always a trade-off, and companies always have to weigh the costs of loss vs. the costs of risk mitigation. In this case, it's a no-brainer. There are easy -- and cheap -- tools that drastically reduce the risk of spyware."
Counting on countermeasures
Enterprises may find these tools preferable to draconian measures such as preventing users from installing any applications on their computers. "If you do a total lockdown, you can interfere with people's ability to do their jobs, plus you foster a feeling of mistrust that impacts workers' attitudes towards the company," says Steven Anthony, who manages a Wall Street brokerage's network.
Meanwhile, spyware protection is moving into the mainstream. Paul Bryan, director at Microsoft's security business unit, says that the company is addressing the core issues of deceptive software with the goal of ensuring that what's happening on an individual machine is recognized and controllable.
"Microsoft's new IE pop-up blocker is turned on by default and cuts down on a key way consumers are enticed and tricked into downloading deceptive software. And unsolicited downloads are now blocked by default," Bryan says. "We also added additional group policy controls that allow administrators to block downloads in the intranet zone."
Bryan acknowledges, however, that "XP (Service Pack 2) is not the complete solution by any means. As with most security challenges, there is no silver bullet, but it represents the kind of technology solution that we believe will help all of our customers deal with the spyware problem."
Most security experts agree that Windows XP Service Pack 2 does a good job hardening its OS against spyware that installs without explicit user permission. And just in time, too. Security experts believe that spyware is quickly getting creepier and more capable.
"We are in the very early stages of spyware," Forsythe's Harvey says. "Spyware is likely to become even more stealthy and capture more information as current code is refined. I believe we will hear many horror stories in the coming months about confidential corporate information being divulged through spyware."
Michelle Delio is a New York-based freelance writer and a regular contributor to Wired News.
Spyware and adware rogues' gallery
These spyware and adware mischief-makers have taken root on more than their share of hard disks. Symptoms include performance and compatibility problems, not to mention continuous pop-up invasions.
1: Name: CoolWebSearch
Actions: CWS has more than three dozen variants, with new variants being released almost weekly. Typically, CWS blocks access to popular search engines and redirects users to coolwebsearch.com or other off-brand search sites. Entering incorrect or incomplete URLs results in users getting redirected to adult sites or obscure search sites. It adds links -- often to hardcore pornography sites -- to browser favorites/bookmarks menus. It also pops up ads -- again often for hardcore sites -- and changes default start pages to adulthyperlinks.com, allhyperlinks.com, or other ad-heavy directories or adult sites.
Security issues: CWS program code is remotely updated, apparently from a server in Russia. Some variants add CWS' servers to Internet Explorer's Trusted Sites list, enabling program code -- not limited to CWS code -- to be installed or altered without permission. Some variants collect and transmit personally identifiable information back to CWS servers.
Other issues: CWS severely impacts infected computer's performance. Software may freeze or crash, especially Internet Explorer. IE performance is noticeably slowed, particularly page scrolling. Microsoft tech support has had reports of computers locking up, crashing, and rebooting repeatedly due to CWS issues.
Transmission method: More than 1,000 domains are known to be affiliates of CWS. Affiliates get paid per referral/click-through to coolwebsearch.com. Users visiting any one of the affiliate sites may install CWS software by careless clicking on a pop-up or other ad. CWS has apparently been installed without user knowledge or permission via unpatched IE security holes.
2: Name: Xupiter
Aliases: OrbitExplorer(latest Xupiter variant)
Actions: Xupiter launches pop-up ads, changes default home pages, redirects mistyped or incomplete URLs to affiliate sites, redirects search requests to off-brand search sites, and adds Xupiter links to bookmarks/favorites. Xupiter blocks any attempts to restore the original browser settings or to delete Xupiter favorites.
Other issues: Technical support representatives at Microsoft's help center say Xupiter has odd effects on Windows XP, making it impossible for some users to open directories such as My Computer on infected computers.
Transmission method: Xupiter is installed via an Internet Explorer toolbar program. Some users claim toolbar was installed without their permission on unpatched versions of IE. Toolbar may be downloaded via Web sites, links in spam advertising a "Free Christian Toolbar" or a pop-up blocker program, or via links in pop-up ads.
3: Name: Gator Advertising Information Network (GAIN)
Actions: Gator overlays ads onto Web pages, tracks what Web sites are visited by users, transmits information about products and services users are interested in, and monitors response to Gator-produced ads. This information is made available to advertisers.
Other issues: Gator distributor Claria insists Gator is not spyware and has been involved in several court cases in attempts to prove this claim. Users report computers with Gator exhibit slowed performance and/or software crashes.
Transmission method: The Gator Advertising Information Network offers half a dozen applications that contain Gator, such as a desktop weather forecast program, a calendar, a computer clock synchronization program, the "Gator e-wallet," and a program called Websecure Alert, which Gator documentation says "helps to protect your browser security by monitoring for unauthorized tampering with Internet Explorer's security settings, and can help to protect your privacy by deleting your web surfing history on a regular basis."
4: Name: Live Online Portal (LOP)
Actions: This family of spyware applications reset user's default start and search pages to lop.com or one of 200 Live Online Portal (LOP) affiliates such as ifiz.com, iguu.com, samz.com, sckr.com, scrk.com, and sfux.com. LOP resets start and search pages back to lop.com if user attempts to change them, adds shortcuts to advertisers' sites on desktop and links in favorites/bookmarks, and adds new IE toolbar called Accessories, with yet more advertising links.
Security issues: LOP can download and execute arbitrary code from its server.
Other issues: Overall performance is slowed. Mobile users may get frequent dial-up connection requests if their computers are not online when LOP wants to perform some action. Computers may freeze for a few minutes after these connection requests are refused by user. LOP program may demand answers to series of riddles before allowing itself to be manually uninstalled. LOP program may demand answers to series of riddles before allowing itself to be manually uninstalled.
Transmission method: LOP's most infamous installation method is to create pop-up loops (pop-ups opening pop-ups) featuring ads for MP3 search and download tools. One false or frustrated click in the midst of the pop-up plethora and the machine is infected. LOP has also been bundled as a legitimate music/software download search tool with various freeware software offerings.
5: Name: Cydoor
Actions: Cydoor produces the usual complement of pop-up ads and many pop-under ads.
Security issues: No security issues are known with recent versions of the software. Program seems to confine its connections with the mothership to updating ad cache, not programming code. Little if any personal information not directly supplied by user is captured. The most recent versions of Cydoor are nearing the point where they can no longer quite be considered spyware.
Other issues: Users do not have to be online to view Cydoor-produced ads. Program pulls ads from cache (c:\Windows\System\adcache\) within affected computers. Cache is updated each time user goes online. Anti-spyware vendor PestPatrol reports numerous complaints of Cydoor causing system errors in Windows XP.
Transmission method: Cydoor is widely distributed as a component of p-to-p programs, some freeware games, and other applications. Not offered as a stand-alone download.
6: Name: Look2Me
Actions: Look2Me primarily displays pop-up advertising for clients. Pop-ups -- some full-window size -- can appear on screen every minute or so. Look2Me also installs shortcuts on desktops and changes default browser settings. Some users of infected machines report that applications linked to shortcuts have been installed without permission. But tests of Look2Me on patched Windows 2000 and XP systems did not exhibit any capability of self-installing programs.
Security issues: Look2Me monitors Web sites visited and then submits this information to its home server. Look2Me auto-updates its code, and program components could run arbitrary code during this procedure.
Other issues: No significant performance issues have been noted, besides users being pelted with pop-up ads. IE may slow down. Look2Me will not show up as a running process or application as it tightly integrates itself with Internet Explorer, making it difficult to monitor and manage its activity.
Michelle Delio is a New York-based freelance writer and a regular contributor to Wired News.
-- InfoWorld (US)