Spyware

File:Spyware.png

A Windows XP computer infested with spyware. The application shown is Internet Explorer with a large number of spyware toolbars. The purple ape is the Bonzi Buddy mascot.

Spyware is a broad category of malicious software intended to intercept or take partial control of a computer's operation without the user's informed consent. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.

Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, spyware is designed to exploit the infected system for commercial gain. Typical tactics toward this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.

To date, spyware is exclusive to Microsoft Windows operating systems. Other platforms such as Mac OS X and Linux have not been affected.

History and development

The first recorded use of the term spyware occurred on October 16, 1995, in a Usenet post that poked fun at Microsoft's business model. Spyware later came to refer to espionage equipment such as tiny cameras. However, in 1999 Zone Labs used the term when they made a press release for the Zone Alarm Personal Firewall.^[1] Since then, computer users have used the term in its current sense. 1999 also saw the introduction of the first popular freeware program to include built-in spyware: a humorous and popular game called "Elf Bowling" spread across the Internet in November of 1999, and many users learned with surprise that the program actually transmitted user-information back to the game's creator, Nsoft.

In 2000, Steve Gibson of Gibson Research released the first anti-spyware program, OptOut, in response to the growth of spyware, and many more software antidotes have appeared since then.^[2] International Charter now offers software developers a Spyware-Free Certification programme.^[3]

According to an October 2004 study by America Online and the National Cyber-Security Alliance, 80% of surveyed users' computers had some form of spyware, with an average of 93 spyware components per computer. 89% of surveyed users with spyware reported that they did not know it was present, and 95% reported that they had not given permission for it to be installed.^[4]

Routes of infection

Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or exploitation of software vulnerabilities.

The most direct route by which spyware can get on a computer is for the user to install it. However, users would be unwilling to install software if they knew that it would disrupt their working environment and compromise their privacy. So many spyware programs deceive the user, either by piggybacking on a piece of desirable software, or by tricking the user to do something that installs the software without realizing it.

Classically, the definition of a Trojan horse is something dangerous that comes in the guise of something desirable. Some spyware programs are distributed in just this manner. The creator presents the program as a useful utility -- for instance a "Web accelerator" or a helpful software agent. Users download and install the software, only to find out later that it is harmful. For example, Bonzi Buddy, a spyware program targeted at children, claims that:

He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE! ^[5]

Spyware can also come bundled with shareware or other downloadable software. The user downloads a program -- for instance, a music program or a file-trading utility -- and installs it; the installer additionally installs the spyware. Although the desirable software itself is not harmful, the bundled spyware is. In some cases, spyware authors have paid shareware authors to bundle spyware with their software, as with the Gator spyware now marketed by Claria. In other cases, spyware authors have repackaged desirable software with installers that add spyware.

A third way users can be tricked into installing spyware is by manipulation of security features designed to prevent unwanted installations. The Internet Explorer Web browser is intended not to allow Web sites to initiate an unwanted download. Instead, a download has to be triggered by a user action, such as clicking on a link. However, links can be made deceptively: for instance, a pop-up ad may be made to appear like a standard Windows dialog box. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download is initiated, placing the spyware on the user's system. Later versions of Internet Explorer have been much more resistant to this sort of attack.

Some spyware authors infect a system by attacking security holes in the Web browser or other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and install of spyware. This has been termed a "drive-by download", by analogy to drive-by shooting in which the user is a hapless bystander. Common attacks target security vulnerabilities in Internet Explorer and in the Microsoft Java runtime.

Internet Explorer also serves as a point of attachment for these programs, which install themselves as Browser Helper Object plugins.

In a few cases, spyware has been delivered as the payload of a worm or virus. For instance, some attackers used the W32.Spybot.Worm worm to install spyware that popped up pornographic ads on the infected system's screen.^[6] By directing traffic to ads set up to channel funds to the spyware authors, they can profit even by such clearly illegal behavior.

Effects and behaviors

Windows-based computers can rapidly accumulate a great many spyware components. The consequences of a moderate to severe spyware infection (privacy issues aside) generally include a substantial loss of system performance (over 50% for bad infections), and major stability issues (crashes and hangs). Difficulty in connecting to the Internet is another common symptom.

Spyware infection is responsible for more visits to professional computer repairers than any other single cause. In many cases, the user has no awareness of spyware and assumes that the system performance, stability, and/or connectivity issues are related to hardware, Windows installation problems, or a virus. Typical cost to have spyware professionally removed is about $50 US. Owners of badly infected systems not infrequently buy an entire new computer system because the an existing system "has become too slow".

It is rare for a single piece of software to render a computer unusable. Rather, a computer rarely has only one infection. As the 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. It is largely the cumulative effect, and the interactions between spyware components, which cause the stereotypical symptoms reported by users -- a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and reduce browser security settings, opening the system to opportunistic infections, much like an immune deficiency disease.

Some spyware products have additional consequences. Stealth dialers may attempt to connect directly to a particular telephone number rather than to a user's own intended ISP: where connecting to the number in question involves long-distance or overseas charges, this can result in massive telephone bills which the user has no choice but to pay.

A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware" — spyware applications that redirect affiliate links to major online merchants such as eBay and Dell, effectively hijacking the commissions that the affiliates would have expected to earn in the process. [7]

Some other types of spyware (Targetsoft, for example) modify system files to make themselves harder to remove. (Targetsoft modifies the Winsock (Windows Sockets) files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage.)

Spyware, along with other threats, has led some former Windows users to move to other platforms such as Linux or Apple Macintosh.

Typical examples

A few examples of common spyware programs may serve to illustrate the diversity of behaviors found in these attacks.

CoolWebSearch is a group of programs which are installed through the exploitation of Internet Explorer vulnerabilities. Their broader purpose is to direct traffic to advertisements on Web sites including coolwebsearch.com. To this end, they display pop-up ads, rewrite search engine results, and alter the infected computer's hosts file to direct DNS lookups to these sites. ^[8]

Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When the user follows a broken link or enters an erroneous URL, they are directed to a page of advertisements. However, because passworded Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access passworded sites. ^[9]

180 Solutions transmits extensive information to advertisers about the Web sites users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies. [10]

User consent and legality

Gaining unauthorized access to a computer is illegal, under computer crime laws such as the United States Computer Fraud and Abuse Act. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would be considered a criminal act. The authors of other malware programs, such as viruses, have often been pursued by law enforcement. Nonetheless, spyware creators have largely not been prosecuted for computer crime, and many operate openly as aboveboard businesses. Some have, however, been the subjects of lawsuits.

The primary argument used by spyware businesses in defense of the legality of their acts is that, contrary to the users' claims, users do in fact give consent to the installation of their spyware. Spyware that is bundled with shareware applications may be, for instance, described in the legalese text of an end-user license agreement (EULA). Users are accustomed to ignoring these purported agreements, but many commercial software firms argue that an EULA (or clickwrap agreement) constitutes a legal contract. Under this argument, spyware companies such as Claria purport that users have consented to the installation of their software.

Nonetheless, it is unlikely that this argument would apply to spyware that is installed by more surreptitious means, such as a drive-by download where the user is not given an opportunity to agree to or reject the installation.

Some jurisdictions, such as the U.S. state of Washington, have passed laws criminalizing forms of spyware. [11] The Washington law makes it illegal for anyone other than the owner or operator of a computer to install software that alters Web browser settings, monitors keystrokes, or disables computer security software.

New York Attorney General Eliot Spitzer has also pursued spyware companies for fraudulent installation of software.^[12] In a suit brought in 2005 by Spitzer, California firm Intermix Media, Inc. ended up settling by agreeing to pay $7.5 million and to stop distributing spyware. Intermix's spyware was installed via drive-by download, and intentionally installed in ways that made it difficult to remove.^[13]

A particular spyware practice which has attracted lawsuits is the replacement of Web site advertisements. Some spyware programs alter the text of Web pages, replacing advertisements which fund the Web site with ones which fund the spyware author. In June 2002, a number of large publishers sued Claria for replacing advertisements; the lawsuits were settled out of court.

One legal issue which has not yet been pursued is whether advertisers can be held responsible for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, the advertised company contracts with an advertising agency, which in turn contracts with an online subcontractor who is paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have "fired" advertising agencies which have run their ads in spyware.^[14]

In a sort of turnabout, a few spyware companies have threatened Web sites which have posted descriptions of their products. In 2003, Gator (now known as Claria) filed suit against Web site PC Pitstop for describing the Gator program as "spyware".^[15] PC Pitstop settled, agreeing not to use the word "spyware", but continues to publish descriptions of the harmful behavior of the Gator/Claria software. [16]

Remedies and prevention

As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system.

Nonetheless, spyware remains a costly problem. When a Windows computer has been infected by a large number of pieces of spyware, the only remedy may be to back up documents and other user data, and fully reinstall the operating system.

Anti-spyware programs

File:Ad-Aware Professional.png

Lavasoft's Ad-Aware is one of a few reliable commercial anti-spyware programs. Here it is depicted scanning the hard drive of a clean Windows XP system.

Many programmers and commercial firms have released products designed to remove or block spyware. Steve Gibson's OptOut, mentioned above, was the first of a growing category. Programs such as Lavasoft's Ad-Aware and Patrick Kolla's Spybot - Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the Giant Anti-Spyware software, rebadging it as Windows AntiSpyware Beta and releasing it as a free download for Windows XP users.

Major anti-virus firms such as Symantec and McAfee have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of Web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and does not offer real-time protection from them as it does for viruses.

File:Alwaysupdate-adware-winspy.PNG

Real-time protection blocks spyware in the process of installing itself. Here, Windows AntiSpyware blocks an instance of the AlwaysUpdateNews spyware.

A major distinction among anti-spyware programs is between those which offer real-time protection and those which only offer scanning and removal of spyware. Scanning and removal is much easier to implement, and so there are many more programs available which do so. The program inspects the contents of the Windows Registry, the operating system files, and installed programs, and removes files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk files that are being loaded, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings

Malicious programmers have released a large number of fake anti-spyware programs, and widely-distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware — or worse, may add more spyware of their own.^[17] ^[18]

Security practices

To deter spyware, computer users have found a number of techniques useful in addition to installing anti-spyware software.

One common one is to use a Web browser other than Microsoft's Internet Explorer, such as Mozilla Firefox and Opera. While other Web browsers have also had security vulnerabilities, Internet Explorer has contributed to the spyware problem in two ways: first, many spyware programs hook themselves into IE's functionality (as a Browser Helper Object or a toolbar); second, malicious Web advertisers have frequently used security holes in Internet Explorer to force the browser to download spyware. Many users of non-IE browsers on Windows report that they have switched from IE because of security concerns, including spyware. [19]

Internet Explorer's security can be raised by ensuring that it's kept up to date on security patches, and by altering settings in the browser -- particularly disabling scripting technologies such as ActiveX. However, websites that make use of ActiveX will not work in this scenario. The version of IE which comes with Windows XP Service Pack 2 also has substantially improved security defaults, although spyware infections are still quite possible.

Some Internet sites -- particularly colleges and universities -- have taken a different approach to blocking spyware: they use their network firewalls and Web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University's IT department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it.^[20] Many other educational institutions have taken similar steps against Marketscore and other spyware. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor user behavior, and so are more likely to attract institutional attention.

One path by which spyware gets installed is via certain shareware programs which are offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. One site, CleanSoftware.org, has been founded as an alternative to other popular Windows software sites, offering only software that has been verified not to contain "nasties" such as spyware. Recently, C|Net revamped their download directory and will only keep files that pass inspection by Ad-Aware and Spyware Doctor.

Known programs bundling malware

Kazaa
EDonkey2000
Bearshare
DivX (except for the paid version, and the 'standard' version without the encoder)
WeatherBug
Atomic clock sync
Bonzi Buddy
LimeWire (except for the non-windows versions, the paid versions, and the free versions after 3.9.3)
Wildtangent
AOL Instant Messenger
Gator
ErrorGuard
FlashGet (free version)
Download Accelerator Pro
Grokster
Dope Wars
Cliprex DVD player
Note: Many related P2P networking software may also contain some type of known spyware. Users should read software licenses carefully.

References

^ "AOL/NCSA Online Safety Study". America Online & The National Cyber Security Alliance. October 2004.
^ Bonzi.com. http://www.bonzi.com/bonzibuddy/bonzimail.asp. Retrieved July 10, 2005.
Clover, Andrew (2005). "Parasites, or unsolicited commercial software". Retrieved July 10, 2005.
Edelman, Ben (2005). "'Spyware': Research, Testing, Legislation, and Suits". Retrieved July 10, 2005.
^ Festa, Paul. "See you later, anti-Gators?". News.com. October 22, 2003.
^ Gormley, Michael. "Intermix Media Inc. says it is settling spyware lawsuit with N.Y. attorney general". Yahoo! News. June 15, 2005.
^ Gormley, Michael. "Major advertisers caught in spyware net". Business Week. June 24, 2005.
Hardmeier, Sandi "Malware: Help prevent the Infection". Microsoft. March 22, 2005
Healan, Mike "Browser Hijacking". Spywareinfo. Jan 12, 2005
^ Howes, Eric L. "The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites". Retrieved July 10, 2005.
^ "Parasite information database". Doxdesk.com. Retrieved July 10, 2005.
^ Roberts, Paul F. "Spyware-Removal Program Tagged as a Trap". eWeek. May 26, 2005.
^ Schuster, Steve. "Blocking Marketscore: Why Cornell Did It". Cornell University, Office of Information Technologies. March 31, 2005.
"Security at Home: Spyware". Microsoft.com. Retrieved July 10, 2005.
^ "Security Response: W32.Spybot.Worm". Symantec.com. Retrieved July 10, 2005.
^ "Spyware Certification". International Charter. Retrieved July 10, 2005.
^ "State Sues Major "Spyware" Distributor". Office of New York State Attorney General. April 28, 2005.
Wagner, Christian (2004). "Spyware/AdWare/Malware FAQ and Removal Guide". Retrieved July 10, 2005.
^ Wienbar, Sharon. "The Spyware Inferno". News.com. August 13, 2004.

External links

Anti-spyware software

Lavasoft Ad-Aware SE Personal [21] — (Freeware Version)
Spybot - Search & Destroy [22] — Free software, one of the better spyware removers available with immunization and real-time filter
HijackThis (mirrors: 1 2 3 4) — Offers utilities to manually select the removal of spyware. A tool for more advanced users.
Microsoft Anti-Spyware — Includes real-time filter[23] — (Still in beta as of July 2005)
PestPatrol [24]
Spyware Doctor [25] — Current PC Magazine Editors' Choice (requires payment for removal of infections)
Javacool SpywareBlaster — Prevents many spyware programs from running but does not actually scan for spyware[26]
Acronis Privacy Expert Suite — 2005 PC Magazine Editors' Choice anti-spyware and security suite
Corrupt Antispyware — List of corrupt antispyware software with clear evidence of corruption.

Communities

Security Forums HijackThis Logs // Malware Removal Forum — Spyware and malware removal forum
Google Spyware Removal Group
Bleeping Computer Spyware Removal Tutorials — tutorials for HijackThis, Spybot, and Ad-Aware.
Geeks To Go — Hijack assistance and malware removal forum.
Spywareinfo Forums — help for removing adware, spyware and malware.
ProcessLibrary.com — site providing users with detailed information on individual running processes.

Guides

Computer Security — Tips and tricks for manually removing common trojans, adware and spyware.
Spyware Tutorials — Information on removing Spyware and Viruses
Magoo's Guide to Eliminating Spyware — Infomation on how to get rid of spyware and keep it from coming back
CareOfWindowsXP Spyware guide — Advice on spyware for beginners

Prevention

Financial investors who support spyware — A list of investment firms which support large scale spyware companies
How Spyware And The Weapons Against It Are Evolving — Article discussing why the spyware problem has grown and possible remedies
Spyware Prevention and Removal — How to prevent Spyware and Adware, and a guide to removing it should the worst happen
Dealing with unwanted spyware and parasites