Spyware: software spies are starting to get nasty
When is a virus not a virus? When it's a piece of spyware. Spyware, aka advertising-supported software or adware, has been until recently a fairly benign snooper on your surfing habits. The data it gathers is then used to target you with tailored advertising, either in pop-up windows or e-mails.
The problem is that these software spies are starting to get nasty. Spyware is being written and propagated with the express purpose of recording personal data such as passwords and credit card numbers, or hijacking your browser and bookmarking porn or other undesirable sites, or grabbing your Web dialler. Some spyware even features self-updating code so that conventional freeware removal tools have no effect.
What's more, unlike viruses and worms, most people with spyware on their computers have asked for it, albeit unwittingly. Many Web sites may ask you to register or sign up to them to receive content, and by doing so you may agree that spyware can operate on your PC - but this critical point is often buried in lengthy terms and conditions where most users won't see it. And it isn't a small-scale problem. Research in the US in Spring 2004 showed that one in three PCs scanned had spyware hidden on their hard disks. A total of 650,000 PCs were scanned, finding more than 18 million spyware tools.
Nor is spyware confined to home users. The average amount of spyware on business machines is similar to home users', largely because most companies don't have centralised, managed anti-spyware protection in place. Certain spyware, such as that used by P2P networks like Kazaa, is also bandwidth hungry as it communicates a lot of data between machines, which can be a problem on corporate networks.
It's becoming such a sizeable problem in the US that the government voted unanimously in Spring 2004 to approve the first-ever anti-spyware bill. The Securely Protect Yourself Against Cyber Trespass (Spy Act), approved by the US House of Representatives, would levy fines up to $3 million for those who illegally collect personal information, change a browser's default home page or bookmarks, log keystrokes, or steal identities.
So how has spyware been allowed to get this far without being restrained? The key problem is that we have accepted spyware in a variety of forms for too long. A cookie - the Web site marketeer's long-time friend - is a form of spyware. Microsoft uses various forms of friendly spyware to help most of us in our everyday work, by tracking what documents and applications we've used recently and giving us quick, one-click access to them.
But in the same way that Internet worms evolved to take advantage of e-mail, malware authors are now taking spyware away from its neutral roots into Internet crime, whether by hijacking browsers and diallers, keystroke logging or laying the groundwork for mass spamming. These authors are also using tricks from the virus world by finding and exploiting browser vulnerabilities to their advantage.
This means that spyware can be installed even on a fully-patched Windows machine running the latest anti-virus software. A partial solution is to combine anti-virus with a personal firewall, but even this isn't a complete fix. Spyware can get installed through ActiveX, which is enabled with Microsoft's Internet Explorer.
Alternatively, it can exploit vulnerabilities that are not yet patched in Internet Explorer - so-called zero day vulnerabilities because the loophole is exploited before the patch is available and widely deployed. Disabling ActiveX is an option, but it makes surfing difficult because many Web sites actively rely on using ActiveX. It's frustrating to have to click 'Yes' every single time the Web browser asks you about running ActiveX scripts and controls.
So spyware has become both a security and a management issue for companies as it becomes destructive. But how do companies manage the problem? There's currently a dearth of corporate anti-spyware tools which integrate with other security applications, such as anti-virus and desktop firewalling. However, this is soon to change. Anti-virus vendors are starting to introduce spyware and adware pop-up blocking and removal to their core anti-virus and Internet security solutions.
These will be updated in exactly the same way as conventional virus signatures, and will give policy-based centralised management of this emerging issue, helping to nullify the threat from self-updating malicious spyware programs while giving IT staff the option to allow non-aggressive spyware. By putting spyware on the security map, companies can ensure that the more malicious spyware elements do NOT come in from the cold.
So much for the theory, how do you spot a spyware infection? The symptoms vary, but you will usually see one or more of the following signals. Web browsing may be slow, and the PC in general may perform sluggishly and take much longer to start up. Internet Explorer may be modified. Homepages and/or search pages may be changed, new favourite sites may appear that you didn't select, a new toolbar may appear or you may end up at unknown Web sites when you try to do a search.
To prevent these browser modifications being undone, some spyware removes or disables the Internet Options from the Tools menu and from within Windows' Control Panel. If you try to reset your home page and can't, it's due to spyware. You may be assailed with pop-up ads, some of an unsavoury nature. If you see pop-up ads even when you are offline, it's due to malware. If your firewall provides outbound call protection, spyware may be triggering its alerts by trying to connect to the Web to report what it found on your PC. Adware programs may create new icons on the Windows desktop, task bar, or system tray. They may also create pop-up windows that you are unable to close.
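The browser symptoms described above correspond to a handful of Windows registry values. As an added example (not part of the original article), this read-only PowerShell audit reports a changed home or search page, policy values that hide Internet Options or lock the home page, and registered Browser Helper Objects. The baseline URLs are constructed placeholders to replace with your own.

```powershell
# Added example: read-only audit of the Internet Explorer settings named above.
# The baseline URLs are constructed placeholders; replace them with your own.
param(
    [hashtable]$Baseline = @{
        'Start Page'  = 'https://intranet.example/'
        'Search Page' = 'https://search.example/'
    }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Add-Finding([string]$Check, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Detail = $Detail }
}

$findings = @(
    # 1. Home page or search page differs from the baseline.
    foreach ($name in $Baseline.Keys) {
        $value = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' $name
        if ($value -and $value -ne $Baseline[$name]) { Add-Finding "$name changed" $value }
    }
    # 2. Policy values that hide Internet Options or lock the home page.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $policy = "$hive\Software\Policies\Microsoft\Internet Explorer"
        if ((Get-RegValue "$policy\Restrictions" 'NoBrowserOptions') -eq 1) {
            Add-Finding 'Internet Options disabled' "$policy\Restrictions"
        }
        if ((Get-RegValue "$policy\Control Panel" 'HomePage') -eq 1) {
            Add-Finding 'Home page locked' "$policy\Control Panel"
        }
    }
    # 3. Browser Helper Objects: listed for review, not judged good or bad.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($key in Get-ChildItem -Path $bho -ErrorAction SilentlyContinue) {
        $clsid = $key.PSChildName
        $dll = Get-RegValue "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" '(default)'
        Add-Finding 'Browser Helper Object' "$clsid -> $dll"
    }
)

$findings | Format-Table -AutoSize -Wrap
```

An empty table means none of the checked settings deviate; any Browser Helper Object listed still needs to be matched against software you knowingly installed.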
Cleaning up adware- or spyware-riddled machines starts with removing any adware programs you can find with Add/Remove Programs in the Windows Control Panel. Once this is done, you can do basic housecleaning with the following: disabling ActiveX controls in your browser; deleting the Web browser cache (temporary Internet files); deleting temporary files; deleting cookies; deleting Web browser history; and, finally, emptying the Recycle Bin.
This can go a long way to getting you up and running, and will remove most benign adware and spyware. If this still doesn't work, then the spyware infection is more tenacious and it's time to step up a gear: use freeware tools to audit your PCs and identify what spyware is resident; use the same tools to try and remove unwanted spyware (a combination of two tools can often work where a single tool fails); and to protect your machines going forward, look at latest-generation anti-virus software which includes anti-spyware functionality, giving corporate, policy-driven spyware management of this emerging problem.
F-Secure is exhibiting at Infosecurity Manchester, a one-day information security event sponsored by the DTI. Launched by the organisers of Infosecurity Europe, it is the first of a number of unique, regional networking events to take place around the country. Infosecurity Manchester will take place in The City of Manchester Stadium, on November 17, 2004.
Matt Piercy, F-Secure
BIOS, Nov 04, 04