Spying on Spyware

By | January 15, 2005

2004 was the year that spyware became mainstream. Every computer user has been told that any issues with performance, or their computer not functioning, are due to the vile junk – as opposed to the days of old, when poor performance could simply be blamed on “an old computer” that needed reformatting.

The change isn’t just visible in consumers’ frustrated faces, but also in the eyes of security officials everywhere. While many companies have Antispyware (A/S) software, there is no simple solution to spyware.

The Issues

The problem stems from the fact that most spyware installations are due in equal parts to operating system insecurity and poor user choices. The single greatest fear for most security experts – besides a massive security attack against a nation’s infrastructure – is that the safety of users will be in their own hands.

But this is the exact problem with spyware: the vast majority is software that users, in some way or another, actually choose to install.

The installation of spyware happens in 3 key ways: exploiting Operating System vulnerabilities, exploiting bad user habits and being installed as part of another application. Each of these is difficult to address in and of itself. OS issues are ultimately the responsibility of the OS manufacturer – Microsoft. Applications installed behind another application are ultimately based on misinformation by application providers – something that isn’t easily solved. And bad user decisions – such as choosing to install an application because a popup window says their computer is insecure or could be faster – are difficult to deal with without some kind of central authority.

The Solution

It is into this uncertain, difficult to maintain and nearly impossible to judge landscape that today’s Antispyware applications are entering. Until mid-2004, the most common Antispyware applications were created by smaller development companies who had realized the issues and come up with solutions largely on their own. Products such as Spybot, HijackThis and AdAware largely fall into this space: small products dealing with issues in a relatively simple manner.

After the summer of 2004, though, we began to see a larger number of security companies entering into the arena. Companies such as Symantec, Norton, CA and Microsoft have all taken stabs at the issue, with varying degrees of success.

As was mentioned earlier, this is largely due to the core issues surrounding dealing with spyware. It isn’t enough to simply block a known list of applications, as is the case with Antivirus because sometimes users do in fact want these applications installed. The problem then is that it also isn’t enough to simply tell a user that each application is being installed – because users may not know enough to know which ones should or shouldn’t be installed.

The solution is both elegant and maddeningly complex. Any successful Antispyware application must approach the issue from three angles simultaneously. First, it must have a “complete” – in as much as that is possible – database of applications (both valid and malicious) so that users can be presented with proper information.

Second, it must detect patterns that malicious and spyware applications use to do harm to a user’s computer. This could come in the form of monitoring the registry, personal settings, Internet Explorer settings, attempts to access core Windows settings, and so on.

And, finally, there needs to be a feedback loop between users and the manufacturer of the software. At the end of the day, the best way to determine if users want software – and to determine how effective a given Antispyware application is being – is by knowing what choices users are making.

The Applications

Until recently, no single product did a passable job at employing each of these methods. The most common scenarios Antispyware vendors took were a combination of databases and system protection. The only feedback most application vendors allowed was through literal “feedback forms” – which only the most advanced of users would take advantage of.

Microsoft’s recent acquisition of Giant Company Software, though, changed all of that. By taking a larger scale view, Microsoft has released a software product that is strong at detecting spyware – even though there are some false positives in its current incarnation – has solid system, settings and Internet Explorer protection, and includes “SpyNet” capabilities.

SpyNet is the missing “feedback loop” that Antispyware applications need. It allows users to notify Microsoft and other user management nodes of application installations and changes that happen on their system. For example, in the case of false positives, Microsoft would quickly become aware of why users weren’t uninstalling their VPN software – as an example of a typical false positive that Microsoft’s Windows Antispyware application detects – and would, hopefully, be able to take appropriate action.

Whether SpyNet and Microsoft manage to properly deal with the spyware threat remains to be seen. At the worst though, other application vendors should be able to build on the approach Microsoft has taken. Perhaps, even, by creating a central application tracking system. Such a system would allow for accurate information on millions of applications, accurate tracking and interpretation of user behavior and should – in an ideal world – allow Antispyware vendors to update and modify their systems to respond to the latest threats in days instead of weeks.

At the end of the day, this is a new software arena and one where significant work still needs to be done. It is doubtful that any of this second generation of software will be able to completely deal with the issue. Further innovations, research and customer feedback must be gathered so that users remain protected, productive and safe in their computer use.

Our hope is that this will happen in 2005, in spite of no major signals that a complete solution – that users will trust and that will not be overly expensive – will be available in this timeframe. However, considering the speed with which the OS and security companies have responded to the spyware threat it is certainly possible that just such a solution will be found. And I, for one, look forward to the day where computer usage is a safe and friendly practice once again.
