Less than a year ago, the National Cyber Security Alliance reported that 80 percent of consumers had adware or spyware on their home PCs. Further information reveals that spyware is on the rise in industries as well, affecting offices, hospitals, and financial institutions.
Spyware – that ubiquitous application that conjures up images of someone lurking in the shadows – cripples computers while stealing time and information. The means to combat spyware & adware vary, but there’s one thing just about everyone can agree on: what started as a minor annoyance has ballooned into a full-blown headache.
How big of a headache? According to the most recent edition of the Symantec Internet Security Threat Report, adware is a growing concern. Between January 1 and June 30, 2004, adware made up 4 percent of the top 50 malicious code reports to Symantec. Between July 1 and December 31, it made up 5 percent of the top 50 reports. As for spyware, the most common program during the second half of 2004 was Webhancer, which alone represented 38 percent of the top 10 spyware programs reported.
The growth of adware and spyware puts enterprises at greater risk for loss of privacy, more help desk calls, decreased productivity, and potential legal liability. Indeed, researcher META Group estimates that cleaning infected clients can represent 20 percent or more of IT help desk efforts.
A 2005 Forrester Research Inc. survey of IT decision-makers found that 40 percent of respondents didn’t know how many systems in their organization were infected with spyware. Those who could measure the number of systems infected with spyware found that about 20 percent of systems were infected, and the number is growing rapidly.
Small wonder, then, that adware and spyware have surpassed spam and identity theft as the threats that security managers are most concerned about, according to Forrester. The research firm predicts that 65 percent of companies will either purchase or upgrade anti-spyware software this year, making it the most popular security technology of 2005.
Adware consists of programs that display advertising content on a user’s monitor, often without the user’s prior consent or explicit knowledge. It is usually, but not always, presented in the form of pop-up windows or bars that appear on the screen. Although adware is not always a security risk, it robs enterprises of their valuable time. In some cases, it simply delivers an advertising message, but other cases prove much more precarious. While much adware is benign, some forms of adware compromise data. If attributes of a security risk include the compromise of the confidentiality, availability, or integrity of data on a computing system, some forms of adware qualify.
Spyware refers to stand-alone programs that can secretly monitor system activity and relay the information back to another computer. In some cases, spyware may be legitimate programs that are employed by corporations to monitor employee Internet usage. However, it may also represent less legitimate applications. Spyware programs can be surreptitiously placed on users’ systems in order to gather confidential information such as passwords, login details, and credit card details.
This can be done through keystroke logging and by capturing email and instant messaging traffic. Because spyware can capture sensitive information before it is encrypted for transmission, it can bypass security measures such as firewalls, secure connections, and VPNs. Spyware is a particular concern because of its potential use in identity theft and fraud.
The dividing line between adware and spyware, experts say, is intent. Programs that install themselves on a user’s system without permission, avoid being detected and removed, and capture and transmit personal information without a user’s permission or knowledge have crossed the line into spyware.
Methods of installation
Some organizations justify the use of adware as a way of providing services while lowering costs to customers. This is particularly true of software that is made available for users to download for free. These “freeware” programs usually require the user to agree to a EULA (end user license agreement). But some EULAs can be complicated and confusing – to the point that the user is unable or unwilling to read and understand the terms and conditions before agreeing to it. As a result, adware that is bundled with the desired software gets installed without the user’s knowledge.
Adware is also often installed through the user’s Web browser. This can be done through pop-up ads offering free software to download. The pop-up offers the user a choice of clicking “Yes” or “No” to accept or reject the offer. In reality, though, clicking anywhere on the ad results in the download of adware. Browser-installed adware may also be installed through ActiveX controls or browser helper objects (BHOs). BHOs can provide spyware with a wide range of functionality, including the ability to download program updates, or log and export confidential data. During the last six months of 2004, three of the top 10 reported spyware programs used BHOs.
Some adware programs hijack a user’s browser and redirect searches. A program may redirect a search by replacing the default search engine or by replacing “404 page not found” messages with internal search queries. This is not only misleading for the user but also represents a security risk, as the redirection may result in the user downloading malicious code from the new page. Five of the top 10 adware programs reported in the last six months of 2004 hijacked browsers. Spyware can also hijack browsers.
If users’ browsers are enabled to accept cookies and ActiveX files, as many are, unwanted code can be installed in the background without their permission or knowledge. Spyware also travels on fake messages telling users their systems need to be tuned up, or similar instant message screens that appear to be sent by a system administrator.
Keeping trouble out
Like viruses and worms, adware and spyware are moving targets, and enterprises can best protect themselves by deploying multiple defenses — at the desktop, the gateway, and across the enterprise — and by educating users on what behaviors will best keep the spies where they belong: out in the cold.
The most effective way to reduce risks from programs such as spyware and adware is to use a complete security solution that deals with a wide range of threats. In particular, enterprises need a solution that categorizes programs according to their functionality and allows them to choose an acceptable risk level.
Integrated technologies (antivirus, firewall, and intrusion protection) should work together to provide defense in depth. For example, while an antivirus solution works to protect a system against spyware, a firewall allows an organization to create a list of recipients of personal information and to block unwanted advertisements. Furthermore, when a firewall detects that an application is trying to establish an outbound network communication (as a spyware program would to relay information to the outside world) it should automatically close the port and prevent the transmission.
Combating spyware and adware, like combating viruses and malicious code, requires a solid solution and a dedicated research and response mechanism to track new spyware risks and provide timely updates as the threat landscape evolves.
Other issues to consider: the number of spyware definitions supported by a particular solution, the process used for finding new spyware programs, and how the definitions are updated.
To strengthen their defenses, businesses should also consider implementing additional security precautions like securing encrypted Internet connections, implementing more restrictive Web browser settings, and disabling the acceptance of third party cookies.
In addition to the use of strong technologies, there are policy measures that can help organizations reduce their risks. For example, make sure that you know and trust the authenticity of any software before you download it and install it. Read the EULAs of software programs to make sure you know what you are getting, and make sure that you understand, and agree with, the program’s functionality. Examine EULAs carefully to make sure they are in agreement with your security policy. Also, as some spyware is installed using ActiveX controls, consider requiring a prompt for ActiveX to execute within Web browsers.
The Federal Trade Commission warns: “Before using a file-sharing program, you may want to buy software that can prevent the downloading of spyware or help detect it on your hard drive.” Due to the breadth of security threats and risks, it is vital that organizations heed this warning and use security products that can not only deal with spyware and adware, but the entire breadth of Internet security threats. Antivirus and firewall products allow users to protect themselves from malicious code such as viruses and Trojans, as well as expanded threats, which include spyware and adware.
Spyware and adware remain a pressing concern for the many industries. While much of spyware is benign, some is not. Even the smallest amount of malicious spyware threatens to rob valuable information. The annoyances caused by such applications cause headaches through pop-ups and cookies, which cause significant performance and productivity problems. Enterprises are encouraged to follow the recommendations in this article to keep their systems properly “scrubbed.”