Information AboutSpyware |
|
s, some added by spyware, overwhelm an Internet Explorer session.]] Spyware is Computer Software that is installed surreptitiously on a Personal Computer to intercept or take partial control over the user's interaction with the computer, without the user's Informed Consent . While the term ''spyware'' suggests software that secretly monitors the user's behavior, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of Personal Information , but can also interfere with user control of the computer in other ways, such as installing additional software, redirecting Web Browser activity, or diverting advertising revenue to a third party. In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of Computer Security Best Practices for Microsoft Windows Desktop Computer s. A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user's computer. HISTORY AND DEVELOPMENT The first recorded use of the term 2004 . Since then, "spyware" has taken on its present sense. According to a 2005 study by AOL and the National Cyber-Security Alliance, 61% of surveyed users' computers had some form of spyware. 92% of surveyed users with spyware reported that they did not know of its presence, and 91% reported that they had not given permission for the installation of the spyware." AOL/NCSA Online Safety Study ". ''America Online'' & ''The National Cyber Security Alliance''. 2005. As of 2006, spyware has become one of the preeminent security threats to computer systems running 2005 . Internet Explorer also enables, by default, the silent (read ''surreptitious'') installation and execution of ActiveX controls under the naive assumption that such powerful executables are benign. The fragile, poorly documented, and arguably undesirable registry offers spyware numerous additional hiding places from which to start automatically and, along with sharing behavior, helps it circumvent attempts at removal. COMPARISON Spyware, adware and tracking The term '' Adware '' frequently refers to any software which displays advertisements, whether or not the user has consented. Programs such as the Eudora mail client display advertisements as an alternative to Shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service. Although most adware is ''spyware'' in a different sense for a different reason: it displays advertisements related to what it finds from spying on you. Claria Corporation 's Gator Software and Exact Advertising's BargainBuddy are examples. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user receives many Pop-up Advertisement s. Other spyware behavior, such as reporting on websites the user visits, occurs in the background. The data is used for "targeted" advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar , an Internet Explorer plug-in published by Amazon.com , as spyware, and some anti-spyware programs such as AdAware report it as such. Many of these adware distributing companies are backed by millions of dollars of adware-generating revenues. Adware and spyware are similar to viruses in that they can be malicious in nature, however, people are now profitting from these threats making them more and more popular. Similarly, software bundled with free, advertising-supported programs such as P2P act as spyware, (and if removed disable the 'parent' program) yet people are willing to download it. This presents a dilemma for proprietors of anti-spyware products whose removal tools may inadvertently disable wanted programs. For example, recent test results show that bundled software (WhenUSave) is ignored by popular anti spyware program AdAware , (but removed as spyware by most scanners) because it is part of the popular (but recently decommissioned) Edonkey client. To address this dilemma, the Anti-Spyware Coalition has been working on building consensus within the anti-spyware industry as to what is and isn't acceptable software behavior. To accomplish their goal, this group of anti-spyware companies, academics, and consumer groups have collectively published a series of documents including a definition of spyware , risk model , and best practices document. Spyware, virus and worm Unlike Viruses and Worms , spyware does not usually self-replicate. Like Many Recent Viruses , however, spyware — by design — exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as Credit Card Number s); monitoring of Web-browsing activity for Marketing purposes; or routing of HTTP requests to advertising sites. ROUTES OF INFECTION Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities. Most spyware is installed without users' knowledge. Since they tend not to install software if they know that it will disrupt their working environment and compromise their privacy, spyware deceives users, either by Piggybacking on a piece of desirable software such as Kazaa , or tricking them into installing it (the Trojan Horse method). Some "rogue" anti-spyware programs even masquerade as security software. The distributor of spyware usually presents the program as a useful utility — for instance as a "Web accelerator" or as a helpful Software Agent . Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy , a spyware program targeted at children, claims that: ''He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE!''''Bonzi.com''. http://www.bonzi.com/bonzibuddy/bonzimail.asp. Retrieved July 10 2005 . Spyware can also come bundled with Shareware or other downloadable software, as well as music CDs. The user downloads a program and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable free software with installers that add spyware. A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. may appear like a standard Windows Dialog Box . The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading ''Yes'' and ''No''. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack. Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware. The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a " Drive-by Download ", which leaves the user a hapless bystander to the attack. Common Browser Exploit s target security vulnerabilities in Internet Explorer and in the Microsoft Java runtime. The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it the most frequent target. Its deep integration with the Windows environment and scriptability make it an obvious point of attack into Windows . Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Object s, which modify the browser's behaviour to add toolbars or to redirect traffic. In a few cases, a 2005 . By directing traffic to ads set up to channel funds to the spyware authors, they profit personally. EFFECTS AND BEHAVIORS A spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic, all of which slow the computer down. Stability issues, such as application or system-wide crashes, are also common. Spyware which interferes with networking software commonly causes difficulty connecting to the Internet. In some infections, the spyware is not even evident. Users assume in those situations that the issues relate to hardware, to Windows installation problems, or a virus. Some owners of badly infected systems resort to contacting Technical Support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality. Only rarely does a single piece of software render a computer unusable. Rather, a computer is likely to have multiple infections. As the 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. The cumulative effect, and the interactions between spyware components, cause the symptoms commonly reported by users: a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software Firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further Opportunistic Infection s, much like an Immune Deficiency disease. Some spyware has disabled or even removed competing spyware programs, on the grounds that more spyware-related annoyances make it even more likely that users will take action to remove the programs. One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the two later settled with an agreement not to disable each others' products.Edelman, Ben; December 7, 2004 (updated February 8, 2005); Direct Revenue Deletes Competitors from Users' Disks ; benedelman.com; retrieved November 28, 2006. Some other types of spyware (Targetsoft, for example) modify system files so they will be harder to remove. Targetsoft modifies the " Winsock " Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage. Unlike users of many other operating systems, a typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system. Spyware, along with other threats, has led some Windows users to move to other platforms such as Linux or Apple Macintosh , which are less attractive targets for Malware . This is because these programs are not granted unrestricted access to the operating system (due to the Unix underpinnings upon which both Linux and Mac OS X are built) though some allege it's mainly due to the far smaller number of machines installed with these operating systems making spyware development potentially less profitable for these platforms. Advertisements Many spyware programs display advertisements. Some programs simply display Pop-up Ad s on a regular basis; for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior. Pop-ups are one of users' most common complaints about spyware. Many users complain about irritating or offensive advertisements as well. As with many Banner Ads , many spyware advertisements use animation or flickering banners which can be visually distracting and annoying to users. Pop-up ads for Pornography often display indiscriminately. When children are the users, this could possibly violate anti-pornography laws in some jurisdictions. A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware that acts as a Web Proxy or a Browser Helper Object can replace references to a site's own advertisements (which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites. "Stealware" and affiliate fraud A few spyware vendors, notably 180 Solutions , have written what the New York Times has dubbed " Stealware ", and what spyware-researcher Ben Edelman terms ''affiliate fraud'', a form of Click Fraud . Stealware diverts the payment of Affiliate Marketing revenues from the legitimate affiliate to the spyware vendor. Spyware which attacks 2006 . Affiliate fraud is a violation of the Terms Of Service of most affiliate marketing networks. As a result, spyware operators such as 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale. Identity theft and fraud In one case, spyware has been closely associated with 2005 . This case is currently under investigation by the FBI . The Federal Trade Commission estimates that 27.3 million Americans have been victims of identity theft, and that financial losses from identity theft totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals. FTC Releases Survey of Identity Theft in U.S. 27.3 Million Victims in Past 5 Years, Billions in Losses for Businesses and Consumers . Federal Trade Commission, September 3 2003 . Spyware-makers may commit Wire Fraud with '' Dialer '' program spyware. These can reset a Modem to dial up a premium-rate telephone number instead of the usual ISP . Connecting to these suspicious numbers involves long-distance or overseas charges which invariably result in high charges. Dialers are ineffective on computers that do not have a modem, or are not connected to a telephone line. Digital rights management Some copy-protection technologies have borrowed from spyware. In 2005, , 2005 , retrieved November 22, 2006 Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. suits were filed.[http://news.bbc.co.uk/1/hi/technology/4424254.stm "Sony sued over copy-protected CDs; Sony BMG is facing three lawsuits over its controversial anti-piracy software"], ''BBC News,'' November 10, 2005, retrieved November 22, 2006. Sony BMG later provided a workaround on its website to help users remove it. Information About XCP Protected CDs , retrieved November 29, 2006. Beginning in 2006 , retrieved June 13 , 2006 It can be removed with the RemoveWGA tool. Spyware and cookies Anti-spyware programs often report Web advertisers' HTTP Cookie s, the small text files that track browsing activity, as spyware. While they are not always inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and so many anti-spyware programs offer to remove them. Examples of spyware These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into "families" based not on shared program code, but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.
LEGAL ISSUES RELATED TO SPYWARE Criminal law Unauthorized access to a computer is illegal under Spyware producers argue that, contrary to the users' claims, users do in fact give Consent to installations. Spyware that comes bundled with shareware applications may be described in the Legalese text of an End-user License Agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim these demonstrate that users have consented. Despite the ubiquity of EULAs and of " or that every term in one is enforceable. Some jurisdictions, including the U.S. states of , 2006 have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software. In the 2007 , accessed March 24 2007 . Civil law Former 2005 . In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to pay US$7.5 million and to stop distributing spyware.Gormley, Michael. . '' Yahoo! News''. June 15 2005 . The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but Settled out of court. Courts have not yet had to decide whether advertisers can be held ''. June 24 2005 . Libel suits by spyware developers Litigation has gone both ways. Since "spyware" has become a common 2005 . As a result, other antispyware and antivirus companies have also used other terms such as "potentially unwanted programs" or Greyware to denote these products. REMEDIES AND PREVENTION As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system. Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data, and fully reinstalling the operating system. Anti-spyware programs ]] Many programmers and some commercial firms have released products designed to remove or block spyware. Steve Gibson's ''OptOut'', mentioned above, pioneered a growing category. Programs such as Lavasoft's '' Ad-Aware SE '' and Patrick Kolla's '' Spybot - Search & Destroy '' rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the '' GIANT AntiSpyware '' software, rebranding it as ''Windows AntiSpyware beta'' and releasing it as a free download for Genuine Windows XP and Windows 2003 users. In early spring, 2006, Microsoft renamed the beta software to Windows Defender , and it was released as a free download in October 2006. Microsoft currently ships the product for free with Windows Vista . Other well-known anti-spyware products include:
Major anti-virus firms such as Symantec , McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and now offers Real-time Protection from them (as it does for viruses). Recently, the anti-virus company Grisoft , creator of AVG anti-virus program, acquired anti-spyware firm Ewido Networks, re-labeling their Ewido anti-spyware program as AVG Anti-Spyware. This shows a trend by anti virus companies to launch a dedicated solution to spyware and malware. Zone Labs, creator of Zone Alarm Firewall have also released an anti spyware program. , in real-time protection blocks an instance of the AlwaysUpdateNews from being installed.]] Anti-spyware programs can combat spyware in two ways:
Such programs inspect the contents of the Windows registry, the operating system files, and installed programs, and remove files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because many spyware and adware are installed as a result of browser exploits or user error, using security software (some of which are antispyware, though many are not) to Sandbox browsers can also be effective to help restrict any damage done. Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software's SpywareBlaster , one of the first to offer real-time protection, blocked the installation of ActiveX -based and other spyware programs. Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making "signatures" or "definitions" which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates free. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually. Not all programs rely on updated definitions. Some programs rely partly (for instance many antispyware programs such as Windows Defender, Spybot 's TeaTimer and Spysweeper) or fully (programs falling under the class of Hips such as BillP's WinPatrol), on historical observation. They watch certain configuration parameters (such as certain portions of the Windows registry or browser configuration) and report any change to the user, without judgment or recommendation. While they do not rely on updated definitions, which may allow them to spot newer spyware, they can offer no guidance. The user is left to determine "what did I just do, and is this configuration change appropriate?" Windows Defender 's Spynet attempts to alleviate this through offering a community to share information, which helps guide both users, who can look at decisions made by others, and analysts, who can spot fast-spreading spyware. A popular generic spyware removal tool used by those with a certain degree of expertise is HijackThis , which scans certain areas of the Windows OS where spyware often resides and presents a list with items to delete manually. As most of the items are legitimate windows files/registry entries it is advised for those who are less knowledgeable on this subject to post a HijackThis log on the numerous antispyware sites and let the experts decide what to delete. If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in Safe Mode allows an anti-spyware program a better chance of removing persistent spyware. Killing the process tree can also work. A new breed of spyware (Look2Me spyware by NicTechNetworks is a good example) is starting to hide inside system-critical processes and start up even in safe mode. With no process to terminate they are harder to detect and remove. Sometimes they do not even leave any on-disk signatures. 2005 . as is the use of NTFS Alternate Data Streams . Newer spyware programs also have specific countermeasures against well known anti-malware products and may prevent them from running or being installed, or even uninstall them. An example of one that uses all three methods is Gromozon, a new breed of malware. It uses alternate data streams to hide. A Rootkit hides it even from alternate data streams scanners and actively stops popular Rootkit scanners from running. Website s attempt to install spyware on readers' Computers .]] Fake anti-spyware programs See Also: List of fake anti-spyware programs Malicious programmers have released a large number of fake anti-spyware programs, and widely distributed Web 2005 . The Recent proliferation of fake or spoofed antivirus products has occasioned some concern. Such products often bill themselves as antispyware, antivirus, or registry cleaners, and sometimes feature popups prompting users to install them. They are called Rogue Software . Known offenders include: On 2006 . On 2006 . Security practices To deter spyware, computer users have found several practices useful in addition to installing anti-spyware programs. Many system operators install a Web Browser other than IE, such as Opera or Mozilla Firefox . Although these have also suffered some security vulnerabilities, their comparatively small market share compared to Internet Explorer makes it uneconomic for hackers to target users on those browsers. Though no browser is completely safe, Internet Explorer is at a greater risk for spyware infection due to its large user base as well as vulnerabilities such as ActiveX . Some ISPs — particularly 2005 . Many other educational institutions have taken similar steps. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users' behavior, and so may more readily attract institutional attention. Some users install a large Hosts File which prevents the user's computer from connecting to known spyware related web addresses. However, by connecting to the numeric IP address, rather than the domain name, spyware may bypass this sort of protection. Spyware may get installed via certain Shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. Recently, CNet revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor. NOTABLE PROGRAMS DISTRIBUTED WITH SPYWARE
Notable programs formerly distributed with spyware NOTES SEE ALSO
EXTERNAL LINKS ; Guide
; Removal
; Prevention
; Testing and comparison
; Organizations
|
|
|