In two years, spyware has gone from mere nuisance to serious concern, catching companies so off guard that many executives today still don’t know what exactly spyware is. Think of it as a computer virus that has found a purpose in life. Viruses and worms have long posed a risk to corporate security because of their potential to bring networks down or corrupt important data. Spyware, on the other hand, doesn’t just want to ruin your day, it wants to track your every movement, collect data right under your nose, and perhaps transmit sensitive corporate information outside the company. And since spyware is economically motivated (rather than being launched at the whim of bored computer geeks), its perpetrators have ample incentive to concoct new and improved versions that are consistently more difficult to eradicate.
“I’ve never seen anything evolve so quickly,” says Sam Curry, vice president, eTrust Security Management, at Computer Associates (CA). “About 15 months ago, the calls started coming in from our enterprise customers one after another. It’s been lurking for a while, but now everyone is worried about it.”
Spyware is a catchall term that refers to software applications that reside on desktop machines or laptops and that log and often transmit information about that machine’s user back to the creator of the spyware. While it’s meant to be invisible, it often gives subtle signs of its presence. Last year, for example, the IT support staff at Miami Children’s Hospital noticed something just wasn’t right with the desktop machines used by the hospital’s 650 physicians and 2,400 employees. “We had machines that experienced freak reactions,” says Alex Naveira, the hospital’s information security officer. “They were running too slow or they reacted oddly to Websites and pop-ups.” After a battery of tests, the diagnosis was clear: an acute case of spyware.
Large Dollars Behind It
Provident Bank has also felt the strangling strain on support-desk resources that spyware brings. “We had a meeting several weeks ago and spyware was all we talked about,” says Sean Wasta, senior network engineer at the $6.4 billion commercial bank. “Desktop support is noticing it cropping up on a lot of people’s workstations, and it’s taking up a lot of their time.” The company relies on Microsoft Explorer-based interfaces for many of its internal applications, he says, and the glut of spyware hiding on users’ machines often prevents these applications from working properly. Antivirus solutions haven’t helped one bit. “Spyware ends up on all our desktops even though we have all the antivirus software applications,” says Wasta.
In fact, two-thirds of IT professionals and security administrators say spyware is the top network-security threat of 2005, according to a survey by WatchGuard Technologies. Market research firm IDC predicts that the market for antispyware software will climb from $12 million in 2003 to $305 million in 2008. It also estimates that about two-thirds of the world’s computers already have some kind of spyware on them.
Forrester Research predicts that 65 percent of companies will either purchase or upgrade antispyware software this year, making it the number one security technology of 2005. And most think the spyware epidemic is nowhere near peaking. “There are large dollars behind the scenes. The denial-of-service [DOS] craze and superworms never had this much money behind them,” says CA’s Curry. “Spam was a nuisance. This is a genuine security threat, and it will get worse before it gets better.”
Sometimes spyware is simply annoying. It can take the form of applications dubbed “adware” that hide on your PC and then spring pop-up ads in your browser, or it might change your default home page or fiddle with the navigation toolbar of your browser to steer you toward specific Websites.
The developers of these programs embed their spyware on an unsuspecting user’s computer in a variety of ways, including legal and technical tricks and promises. One such approach includes presenting a pop-up window that purports to be an end-user license agreement. Most users have become so used to clicking “OK” when such boxes pop up (if only to get rid of them) that they do so automatically, and thus spyware finds a home by being invited in. Sometimes it masquerades as a “browser enhancer” or “download accelerator” to hide its devious intent. Other variants, dubbed “drive-by downloads,” are instantly triggered by clicking on banner ads (a technical trick), or by downloading a screen saver. And even if you vow to never click on anything you don’t trust, you may still be hit: new versions can load and upgrade without the user doing anything.
Even spyware that aims to do little more than change your default home page or pose some other kind of nuisance can exact a hidden price. As it runs unseen in the background, it can suck up memory and CPU usage, especially when several versions of the spyware are running at the same time. This can often bring a machine to a complete crawl and generate many frantic calls to the help desk. Worse, spyware can be designed to either fix or reinstall itself even as it is being removed, much like DNA’s ability to heal itself.
More insidious are the variants that violate a user’s privacy by tracking Website visits and tailoring pop-ups to keywords that the user has typed into search engines, E-mail, or documents. Some spyware takes this practice, known as keylogging and tracing, to new levels. These programs not only track your every move online, but also collect information about you, your customers, and your company based on anything you might type into your computer, be it your credit-card number, Social Security number, bank-account information, log-in name, passwords, or other information. It can all be neatly collated and sent off without your knowledge. This can be frightening enough for a consumer, but for a company, the risks are severe, with everything from customer trust to legal penalties at stake.
And then there is the financial risk. In March, Britain’s Hi-Tech Crime Unit foiled an attempt by hackers to steal $403 million from the London offices of the Japanese bank Sumitomo Mitsui. The hackers had placed a keylogger on the bank’s system and were using it to trace account numbers. They were caught when one of them attempted to transfer $25.5 million from one account to another.
The shift in emphasis that spyware represents — away from bringing systems down and toward gaining financial advantage — was recently in evidence at Cornell University. Colleges have long been a popular destination for hackers of all kinds (particularly students), who heretofore have been happy to crash networks or perhaps tinker with transcripts. But Cornell recently detected a spyware program in a less likely spot: the pro shop at the university’s golf course, where a keylogging program was detected on a point-of-sale system. Fortunately, says Ricky Stewart, Cornell’s computer service manager, “it was caught by antispyware software before it could be used. The system takes in people’s credit-card data, so someone could have gotten a lot of information if they had gotten into it.”
The war against spyware is being fought on several fronts: in the courts, in Congress and various statehouses, and on the desktop and enterprise level, where antispyware software programs are doing a booming business.
California and Utah have passed antispyware laws, but both have been challenged (Utah’s successfully). There are also three pending bills before Congress that seek to put the lid on spyware, much as the CAN-SPAM Act has tried (unsuccessfully, many critics say) to rein in junk E-mail. In October 2004, the Federal Trade Commission filed suit against a collection of spyware makers, including Mailwiper and Seismic Entertainment Productions, and has since added five more defendants to the case. Also in April, New York Attorney General Eliot Spitzer filed suit against Los Angeles-based Intermix Media, claiming that its downloads were installed on users’ machines without their consent, constituting deceptive business practices and false advertising. Spitzer was said to be interested in a nationwide solution; the programs were downloaded nearly 4 million times in New York alone.
I Spy a Loophole
Unfortunately, few people expect legal solutions to strike fear into the hearts of these cyberspies because there is simply too much money to be made. Digital security firm Aladdin Knowledge Systems estimates that more than 70 percent of former virus developers are now getting paid to write spyware applications for companies and criminal elements. Many of these mysterious developers are based offshore and have created dozens of shell companies to distribute legal responsibility and make it almost impossible to contact them, let alone file suit against them. “Legislation and lawsuits will not help,” says Shimon Gruper, vice president of Aladdin’s eSafe business unit. “Spyware vendors will simply move out of the United States. Bad deeds can be done from anywhere, and they will continue to bypass legislation, as they did with spam.”
Indeed, spyware developers have even gone on the offensive by filing suit against antispyware companies for classifying their applications as spyware, and in some cases, these suits may be on solid legal ground. After all, spyware is often lodged on a computer only after the user clicks “OK” on a pop-up screen, effectively agreeing to confusingly worded messages that green-light the installation of the program.
Meanwhile, many online advertisers and legitimate Websites that track users with cookies (information that a Website puts on a user’s hard disk so it can remember that user at a later time) have been lobbying Congress to tone down pending antispyware bills, because they fear the definition of spyware used in the legislation may be too broad. As CA’s Curry says, “There are a lot of companies bringing a great deal of resources to bear. You don’t see virus writers lobbying up on Capitol Hill. This is going to be a much bigger fight in the long run.”
If looking to the courts or government intervention for help against spyware seems futile, looking to software manufacturers is far from a silver bullet. Until recently, spyware detection and removal was usually included as an add-on to existing antivirus solutions, such as those from McAfee, Symantec, Aladdin, Lavasoft, and others. Most of these are fairly effective at detection but not cleaning at the desktop level. IT staffs have deemed them difficult to install and support across hundreds and thousands of desktops in large companies. In fact, most IT managers have had to deploy a combination of applications in an attempt to plug up all possible spyware entry points.
Miami Children’s Hospital uses that multitiered approach to fighting spyware. First it relies on managed E-mail security services from MessageLabs to monitor and track incoming E-mail messages for suspicious attachments, potential Trojan viruses, and keylogger threats. Next, it uses Web-filtering software from WebSense to block out sites that are known to harbor spyware and other insidious software parasites. Finally, the hospital deploys antivirus and antispyware software from a variety of vendors on all desktop workstations. “We don’t really have one technology to get the job done,” says MCH’s Naveira. “You cannot rely on one thing to protect your whole organization.”
The Search for Solutions
“I can kill a virus but I can’t kill spyware,” says Kim Jones, director of global security services at eFunds, a financial technologies company. “Right now, if I find a desktop with spyware on it, I have to pull the computer off the network, wipe the hard disk, do a hard format, and completely rebuild the system. You are talking about downtime and manual labor spent rebuilding that box. I’d love to have an antivirus-type solution instead.”
Having one centralized solution to the spyware problem has become a Holy Grail of sorts for large organizations. Vendors such as Symantec and Blue Coat have tried to differentiate themselves by offering enterprise or gateway products rather than desktop applications. CA has offered its eTrust Pest Patrol software as a consumer product and as a corporate edition for enterprises. The latter combines client software with a central console application that can remotely manage antispyware deployment and updating across thousands of PCs. Cornell University’s Athletic and Physical Education Department now uses eTrust to effectively manage antispyware installations across 250 desktop machines.
Microsoft’s dryly named AntiSpyware application, in beta testing but available for download at the company’s Website, represents the first step in what some hope will be a march of Microsoft antispyware tools for enterprise customers. Using technology originally developed by Giant Company Software (acquired by Microsoft in December), the application offers a fairly bare-bones approach to catching and deleting spyware on desktop PCs that run Windows. The software is expected to be officially released later this year, and many speculate that it will be incorporated into the next version of Windows.
The jury is still out on whether any of these solutions will provide the kind of safety net Corporate America will need against spyware infiltration. While waiting for someone to deliver a solution to satisfy large users, many industry analysts and technology managers fear spyware may evolve into a greater threat as it combines with viruses, phishing techniques, and other forms of “malware” to create a hydralike monster for corporations.
“This has already happened — we’re seeing it,” says eFunds’s Jones. “We are at the beginning of the curve. Viruses are already being used as delivery mechanisms for spyware. Next, I see spyware invading your PDAs, Blackberries, wireless devices, and cell phones. In fact, we are beginning to see some of those things already.”
Jones isn’t entirely pessimistic about the possibility of better tools in the antispyware war — he just doesn’t expect to see any within the next year or so. That, unfortunately, will give spyware developers more time to improve their wares. As he says, “Security lags technology. It will get better, but there will still be a certain level of pain.”