What Is Spyware

by Anton Chuvakin, Security Strategist with a major information security company.

Spyware
Spyware is a new strand of malicious software (or malware) that is annoying and capable of robbing computer users all over the world.

In This Article: How Spyware Works - Protecting Yourself - The Future

Spyware is such a broad term that even the definition of this computer scourge is fuzzy. So, what is spyware? The best definition out there is given by Wikipedia:

"Spyware is a broad category of malicious software intended to intercept or take partial control of a computer's operation without the user's informed consent." Thus, spyware has come to mean not only the "software that spies on you," but also the software that performs other kinds of abuses and annoyances, outside the traditional virus-and-worm world. For example, displaying unwanted ads is a primary purpose of "adware," which is often categorized as a type of spyware. In fact, some people even extend the definition to cover browser cookies, relatively innocuous pieces of text used by Web sites for user tracking.

One angle missed by the above definition is that while some folks are known to launch viruses and worms, two well-known types of computer nasties, "just for fun," spyware is usually written for somebody's direct monetary benefit, often in the form of good old cash. This aspect is one of the keys to the dramatic rise of spyware.

Spyware emerged in recent years to "entertain" computer users. This emergence coincided with a sea change in the world of mainstream computer attackers that shifted their focus from having fun at somebody else's expense to making money at somebody else's expense. Spyware, along with spam, phishing ("social engineering" attacks via e-mail intent on stealing credentials), and pharming (DNS attacks aimed at attracting users to malicious Web sites), is one of the most noticeable computer threats of the day. We did say "noticeable," although spyware is often engineered to be hard to find, hard to notice, hard to pay attention to (that is, hidden in a lengthy license) and, obviously, hard to remove. Spyware evolved in the same time frame as e-commerce and online banking. As business use of the internet was growing up, so was business abuse.

The world of spyware is extremely broad and the mechanisms of its operation range from a mundane social engineering ruse (e.g. three pages of license "blah-blah-blah" followed by "and we will also steal your cookies and browser history for 'marketing purposes'") to a "zero-day" (that is, previously unpublished) exploit launched against the victim's Internet Explorer by malicious or compromised Web sites.

Here are some of the commonly identified types of spyware:

  • Browser objects (IE hacks, ActiveX controls, malicious toolbars, and so on)
  • Bots and rootkits (allow others to control your system remotely)
  • Keyloggers (record your keystrokes looking for sensitive data)
  • Bundled parasite software (miscellaneous nuisance)
  • Adware (run on the system or in the browser to display advertisements)

Let's look at some common spyware specimens. As reported by commercial anti-spyware company Sunbelt Software, these spyware programs were common in September 2005: Claria.DashBar, AvenueMedia.DyFuCA, IST.SlotchBar, ABetterInternet, and IST.ISTbar, to name a few. Most of the above are "adware" specimens (they display ads that can potentially generate revenue for the software creator) and do not spy on the victim, but others (such as IST.ISTbar, a malicious browser toolbar) actually collect Web usage information and may install other, more harmful spyware on the user's system.

How Spyware Spreads
Spyware creators employ many mechanisms to spread their software. Let's look at a few common ways spyware can infect a system:

  • When installed by other spyware (unlike viruses and worms, spyware rarely treads alone; some machines analyzed by the anti-spyware vendors were found to have hundreds of spyware specimens)
  • When installed by malicious websites through flaws in Internet Explorer (so called "drive-by downloads")
  • When bundled with "free" or sponsored applications (unfortunately, with permission of the application creators)

Later we'll cover some of the things all computer users should do to lower the risk of "catching spyware."

Spyware's Impact on Your PC

Overall, what can spyware do on your system? For that, we will refer you to Microsoft's Ten Immutable Laws of Security. While it might be ironic that such laws are formulated by the makers of the most common spyware platform – Windows – they do provide vital insight into security. For example, Law 1 proclaims: "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore." Thus, the above question becomes "what can spyware do on their system?" The answer to this one is really easy: everything that its creator wants. Common changes due to spyware include registry changes, browser configuration and settings modification, new program installation, as well as using your system for whatever else is needed. In other words, spyware, when installed and running, can do everything you can do on your system (and sometimes more).
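
The following added example, which is not from the original article, compares two registry exports (.reg text) taken at different times and reports entries added or changed under three keys that correspond to the change types listed above: auto-start programs, browser objects and browser settings. The choice of keys, the sample exports and all names in the code are assumptions of this example.

```python
import re

# Keys matching the change types above (auto-start, browser objects, browser
# settings). Picking these three is this example's assumption, not the article's.
WATCHED = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
)
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data

def parse_reg(text):
    """Parse .reg export text into {(key, value_name): data}; a key itself is (key, None)."""
    entries, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[(key, None)] = ""
        elif key and (m := VALUE.match(line)):
            entries[(key, m.group(1).strip('"'))] = m.group(2)
    return entries

def diff_snapshots(before, after):
    """Return (change, key, value_name) for watched entries that were added or changed."""
    old, new = parse_reg(before), parse_reg(after)
    prefixes = tuple(w.lower() for w in WATCHED)  # prefix match also covers subkeys
    found = []
    for (key, name), data in new.items():
        if key.lower().startswith(prefixes) and old.get((key, name)) != data:
            found.append(("changed" if (key, name) in old else "added", key, name))
    return found

# Constructed sample exports (not taken from a real machine).
BASELINE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiVirus"="C:\\Program Files\\AV\\av.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.org/"
'''
LATER = BASELINE + r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater32"="C:\\Temp\\upd32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example.net/"
'''

if __name__ == "__main__":
    for change in diff_snapshots(BASELINE, LATER):
        print(*change)
```

An entry reported here is only a change worth reviewing; legitimate installers write to the same keys.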

Table 1 shows the direct damage you might suffer from spyware.

| Loss | Types of spyware | Scenario |
| --- | --- | --- |
| Direct financial loss | Keylogger | Somebody steals your online banking passwords and transfers the money to his account abroad |
| Slow system performance | All | A machine running dozens or more types of spyware will slow down to a crawl |
| Display unwanted content | Browser objects, other | A Web site can install a malicious toolbar that will show popup ads and objectionable web content |
| Loss of privacy | Browser plug-ins | All Web personal history collected and potentially exposed |

Table 1. Types of Loss Caused by Spyware

Protecting Yourself
Now that the evils of spyware are understood, let's use the well-known security mantra "prevention/detection/response" to focus on what you can do to:

  • Prevent spyware from happening to you
  • Detect that it might be sneaking by the defenses
  • After it happens anyway, respond by cleaning your systems

First, will an antivirus solution take care of all spyware problems? The answer is a resounding "no." Many anti-spyware products (both freeware and commercial) have features to block (prevention), scan for (detection), and remove the offending program (response), but PC Magazine's recent anti-spyware and antivirus software review, which compares stand-alone anti-spy defenses, indicates that antivirus solutions still do not do a good job of fending off hordes of spies.

Fortunately though, there are several simple things every computer user can do to lower the risk of spyware infection:

  • Keep your Windows systems up-to-date by using Microsoft Update, which will update both your Windows and MS Office software. Installing Windows XP Service Pack 2 (SP2) is also important.

  • Restrict some of the Internet Explorer settings (refer to Google for tips) or use Firefox, which significantly decreases the chance of spyware infestation. Here are some of the important settings to tweak: block popups using Windows XP SP2 popup blocker or another solution, limit or block ActiveX controls, and limit file downloads via the IE settings panel.

  • Use antivirus and anti-spyware tools, and frequently update them using each tool's own automated update mechanism. The best free programs to use are Spybot Search and Destroy, Ad-Aware, and Windows AntiSpyware (to be renamed Windows Defender later this year). Most antivirus vendors, such as Symantec, McAfee, and Trend Micro, are launching their own anti-spyware solutions. However, stand-alone anti-spyware companies such as Webroot and Sunbelt Software still outperform them. Also, make sure that you not only run the anti-spyware software, but also use it to perform spyware scans on a periodic basis, just as you do with antivirus software.

  • Use a personal firewall with outbound protection; it might notify you when the spyware that sneaked in tries to "extrude" the stolen information to its "mothership." It is important to note that at the time of this writing, Windows' built-in firewall didn't offer this protection, so other free (such as ZoneAlarm from Check Point) or paid (such as Norton or McAfee) software solutions should be used.

  • Use only software obtained from trusted sources. For those needing a more specific suggestion, downloading from a random site from the Internet or receiving it from a "friend" you just met online does not count.

If you think your system is acting suspiciously, you need to determine if spyware is the factor to blame. Since there are so many parts of the system that can be modified by spyware, the best way for users to detect spyware is to run any of the free anti-spyware tools mentioned above. For better results, run multiple tools, since recent tool surveys indicate that no commercial or free tool will detect all spyware specimens. Some of the tools will also attempt to clean spyware traces, which brings us to the next item: response to spyware infections.

As for responding to a spyware infection, the only guaranteed 100 percent effective measure a user can take is to rebuild the system. Only this will guarantee removal of all traces of malicious software from a system. On a typical Windows system there are numerous places where a piece of malicious code might reside. In a more real-world situation, where it is not possible or desirable to rebuild the entire system, try looking for spyware removal tools, sometimes published by anti-spyware and antivirus vendors. All of the above anti-spyware solutions provide this functionality and will clean the spyware traces with varying degrees of efficiency (often depending on the type of malicious program). The same applies to the antivirus tools with anti-spyware defenses. However, note that the latter category is more likely to leave the risk alone and just warn the user about its presence.

Microsoft, which is now an anti-spyware vendor due to a recent acquisition, often publishes stand-alone removal tools for various malware. Microsoft's Malicious Software Removal Tool, which is updated monthly, can be downloaded to your system via Automatic Updates or the above link. It can be run online from the above link (via an ActiveX control).

Removing complicated spyware manually, such as a driver-based keylogger, will often render the system inoperable and should only be undertaken by those intimately familiar with their system internals. On the other hand, instructions for removing simpler specimens, such as adware, are often published online and can be followed by anybody who maintains their own PC.

The Future
To conclude, we will try to peek into our crystal ball, a necessary tool for an enlightened security professional. What's next for spyware? Will spyware bother us for years to come? It sure looks likely; there is no reason why the spyware creators will stop since – guess what – it pays the bills and there is no clear way to make such practices "prohibitively expensive" for their creators.

The Editorial Committee of the Association of Personal Computer User Groups (APCUG), an international organization of which CFCS is a member, brings this article to you.

Author: Anton Chuvakin is a Security Strategist with a major information security company.
Published online at O’Reilly® Windows DevCenter (www.windowsdevcenter.com)

Date: 04 / 2006
