Spyware |
Spyware is a broad category of malicious software intended to intercept or take partial control of a computer s operation without the user s informed consent. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer s operation for the benefit of a third party.
Spyware differs from computer virus and computer worm in that it does not usually self-replicate. Like e-mail spam#Using other people s computers, spyware is designed to exploit infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites. In some cases, spyware may be used to verify compliance with a software license agreement (or EULA).
As of 2005, spyware is only a common problem for computers running Microsoft Windows operating systems. Some worms or rootkits able to attack Linux and other Unix platforms include spyware-like functions, and keyloggers or other similar monitoring software exists for nearly every operating system.
=History and development=
The first recorded use of the term spyware occurred on in November 1999, and many users learned with surprise that the program actually transmitted user information back to the game s creator, Nsoft.
In early 2000, Steve Gibson of Gibson Research realized that advertising software had been installed on his system, and he suspected that the software was stealing his personal information. After analyzing the software he determined that they were adware components from the companies Aureate (later Radiate) and Conducent. He eventually recinded his claim that the ad software collected information without the user s knowledge, but still chastised the ad companies for covertly installing the spyware and making it difficult to remove.
As a result of his analysis in 2000, Gibson released the first anti-spyware program, OptOut, and many more software antidotes have appeared since then. International Charter now offers software developers a Spyware-Free Certification program.
According to an October 2004 study by America Online and the National Cyber-Security Alliance, 80% of surveyed users computers had some form of spyware, with an average of 93 spyware components per computer. 89% of surveyed users with spyware reported that they did not know of its presence, and 95% reported that they had not given permission for it to be installed.
=Spyware, adware , and tracking=
The term Adware frequently refers to any software which displays advertisements, whether or not it does so with the user s consent. Programs such as the Eudora (email client) mail client display advertisements as an alternative to shareware registration fees. These classify as adware in the sense of advertising-supported software, but not as spyware. They do not operate surreptitiously or mislead the user.
Many of the programs frequently classified as spyware function as adware in a different sense: their chief observed behavior consists of displaying advertising. Claria Corporation s Gator Software provides an example of this sort of program. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user s experience is that their computer begins displaying a large number of pop-up advertisements.
Other spyware behaviors, such as reporting on Web sites the user visits, frequently accompany the displaying of advertisements. The goal of monitoring Web activity is to build up a marketing profile on the user in order to sell targeted advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such) although many users choose to install it.
=Routes of infection=
Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.
The most direct route by which spyware can get on a computer is for the user to install it. However, users are unlikely to install software if they know that it may disrupt their working environment and compromise their privacy. So many spyware programs deceive the user, either by piggybacking on a piece of desirable software, or by tricking the user to do something that installs the software without realizing it.
Classically, the definition of a Trojan horse is something dangerous that comes in the guise of something desirable. Some spyware programs are distributed in just this manner. The distributor of spyware presents the program as a useful utility—for instance as a Web accelerator or as a helpful software agent. Users download and install the software, only to find out later that it can cause harm. For example, Bonzi Buddy, a spyware program targeted at children, claims that:
: He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you ve ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he s FREE!
Image:Benedelman-spyware-whenu-license-image011.png|right|thumb|300px file-trading program is supported by WhenU spyware. In order to install BearShare, users must agree to install the SAVE! bundle from WhenU. The installer provides only a tiny window in which to read the lengthy license agreement. Although the installer claims otherwise, the software transmits users browsing activity to WhenU servers.]]
Spyware can also come bundled with shareware or other downloadable software. The user downloads a program—for instance, a music program or a file-trading utility—and installs it; the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software, as with the Gator spyware now marketed by Claria. In other cases, spyware authors have repackaged desirable software with installers that add spyware.
A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. The design of the . The box contains a message such as Would you like to optimize your Internet access with links which look like buttons reading Yes and No . No matter which button the user presses, a download starts, placing the spyware on the user s system. Later versions of Internet Explorer offer fewer avenues for this attack.
Some spyware authors infect a system by attacking security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and install of spyware. This has become known as a drive-by download , by analogy to drive-by shooting in which the user is a hapless bystander. Common browser exploits target security vulnerabilities in Internet Explorer and in the Microsoft Java programming language runtime. Given that Internet Explorer is still the most widely used browser and that many users systems are not up to date, it creates an attractive entry point for the less scrupulous advertisers.
Internet Explorer also serves as a point of attachment for these programs, which install themselves as Browser Helper Object Plugins.
In a few cases, a worm or virus has delivered a payload of spyware. For instance, some attackers used the W32.Spybot.Worm worm to install spyware that popped up pornographic ads on the infected system s screen. By directing traffic to ads set up to channel funds to the spyware authors, they can profit even by such clearly illegal behavior.
=Effects and behaviors=
Microsoft Windows-based computers can rapidly accumulate a great many spyware components. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic -- slowing down legitimate uses of these resources. Stability issues -- application or system crashes -- are also common. Spyware which interferes with the networking software commonly causes difficulty connecting to the Internet.
Spyware infection is the most common reason that Windows users seek technical support -- whether from computer manufacturers, Internet service providers, or other sources. In many cases, the user has no awareness of spyware and assumes that the system performance, stability, and/or connectivity issues relate to hardware, to Windows installation problems, or to a virus. Some owners of badly infected systems resort to buying an entire new computer system because the existing system has become too slow . For badly infected systems, a clean reinstall may be required to restore the system to a working order—a time-consuming project even for experienced users.
Only rarely does a single piece of software render a computer unusable. Rather, a computer rarely has only one infection. As the 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. The cumulative effect, and the interactions between spyware components, typically cause the stereotypical symptoms reported by users—a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewall (networking)s and anti-virus software, and reduce browser security settings, opening the system to further opportunistic infections, much like an immune deficiency disease. There are also documented cases where a spyware program disabled other spyware programs created by the competitors.
Some other types of spyware (Targetsoft, for example) modify system files to make themselves harder to remove. (Targetsoft modifies the Winsock (Windows Sockets) files. The deletion of the spyware-infected file inetadpt.dll will interrupt normal networking usage.) Unlike many other operating systems, a typical Windows user has administrator-level privileges on the system, mostly for the sake of convenience. Any program run by the said user, intentionally or not, has completely unrestricted access to the entire system.
Spyware, along with other threats, has led some former Windows users to move to other platforms such as Linux or Apple Macintosh.
==Advertisements==
The most visible behavior of many spyware programs is to display advertisements. Some programs simply display pop-up ads on a regular basis -- for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior.
Pop-up advertisements lead to some of users most common complaints about spyware. The first is simply that the computer can become overwhelmed downloading or displaying ads. An infected computer rarely has only one spyware component installed -- they more often number in the dozens -- and so while a single program might display ads only infrequently, the cumulative effect is overwhelming.
Irritating or offensive advertisements are another common complaint. As with many banner ads, many spyware advertisements are animated, flickering banners designed to catch the eye -- that is, they are highly visually distracting. Pop-up ads for pornography are often displayed indiscriminately, including when children are using the computer -- possibly in violation of laws on the subject.
A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware which acts as a web proxy or a Browser Helper Object can replace references to a site s own advertisements (which fund the site) with advertisements which instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites.
== Stealware and affiliate fraud ==
A few spyware vendors, notably WhenU and 180 Solutions, have written what the New York Times has dubbed stealware , and spyware researcher Ben Edelman terms affiliate fraud , also known as click fraud. These redirect the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.
Affiliate marketing networks work by tracking users who follow an advertisement from an affiliate and subsequently purchase something from the advertised Web site. Electronic commerce such as EBay and Dell, Inc. are among the larger companies which use affiliate marketing. In order for affiliate marketing to work, the affiliate places a tag such as a cookie or a session variable on the user s request, which the merchant associates with any purchases made. The affiliate then receives a small commission.
Spyware which attacks affiliate networks does so by placing the spyware operator s affiliate tag on the user s activity -- replacing any other tag, if there is one. This harms just about everyone involved in the transaction other than the spyware operator. The user is harmed by having their choices thwarted. A legitimate affiliate is harmed by having their earned income redirected to the spyware operator. Affiliate marketing networks are harmed by the degradation of their reputation. Vendors are harmed by having to pay out affiliate revenues to an affiliate who did not earn them according to contract. [http://www.benedelman.org/spyware/180-affiliates/]
Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as WhenU and 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.
== Identity theft and fraud ==
In one case, spyware has been closely associated with .
Another sort of fraud perpetrated via spyware is wire fraud in the form of dialer programs. Dialers cause a computer with a Modem to dial up a long-distance telephone number instead of the usual Internet service provider. Connecting to the number in question involves long-distance or overseas charges, this can result in massive telephone bills, which the user must either pay or contest with the telephone company. Dialers are somewhat less effective today, now that fewer Internet users use Modems.
==Spyware and cookies==
Anti-spyware programs often report Web advertisers HTTP cookies as spyware. Cookies are not software of any sort—they are variables set by Web sites (including advertisers) which can be used to track Web-browsing activity, for instance to maintain a shopping cart for an online store or to maintain consistent user settings on a search engine.
Cookies can only be accessed by the Web site that sets them. In the case of cookies associated with advertisements, this is generally not the Web site that the user intended to visit, but a third-party site referenced by a banner ad image. Some Web browsers and privacy tools offer to reject cookies from sites other than the one that the user requested.
Advertisers use cookies to track people s browsing among various sites carrying ads from the same firm and thus to build up a marketing profile of the person or family using the computer. It is for this reason that many users object to such cookies, and that anti-spyware programs offer to remove them.
==Typical examples of spyware==
A few examples of common spyware programs may serve to illustrate the diversity of behaviors found in these attacks.
Caveat: As with computer viruses, the names given to spyware programs by researchers are frequently unrelated to any names that the spyware creators use. Researchers may group programs into families based not on shared program code, but on common behaviors, or by following the money or apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as Gator . Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.
CoolWebSearch, a group of programs, installs through the exploitation of Internet Explorer vulnerabilities. The programs direct traffic to advertisements on Web sites including coolwebsearch.com . To this end, they display pop-up ads, rewrite search engine results, and alter the infected computer s hosts file to direct DNS lookups to these sites.
Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.
180 Solutions transmits extensive information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate marketing advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies. [http://www.benedelman.org/spyware/180-affiliates/]
HuntBar, aka WinTools or [http://securityresponse.symantec.com/avcenter/venc/data/adware.websearch.html Adware.Websearch], is a small family of spyware programs distributed by [http://www.trafficsyndicate.com/ Traffic Syndicate]. It is installed by ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs -- an example of how spyware can install more spyware. These programs add toolbars to Internet Explorer, track Web browsing behavior, redirect affiliate references, and display advertisements.
=User consent and legality=
Gaining unauthorized access to a computer is illegal, under computer crime laws such as the United States Computer Fraud and Abuse Act. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware programs, such as viruses. Nonetheless, few prosecutions of writers of spyware have occurred, and many such producers operate openly as aboveboard businesses. Some have, however, faced lawsuits.
Spyware producers primarily argue in defense of the legality of their acts that, contrary to the users claims, users do in fact give consent to the installation of their spyware. Spyware that comes bundled with shareware applications may appear, for instance, described in the Legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim that these demonstrate that users have consented to the installation of their software.
Despite the ubiquity of EULAs and Clickwrap agreements relatively little case law has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreements can be a binding contract in certain circumstances . This does not however mean that every clickwrap agreement is a contract or that every term in a clickwrap contract is enforceable. It seems highly likely that many of the purported contract terms presented in clickwrap agreements would be dismissed in most jurisdictions as being contrary to public policy. Many spyware clickwrap agreements appear to be intentionally ambiguous and excessive in length with key contract terms made inconspicuous. These are all grounds on which similar agreements have been rejected as contracts of adhesion.
Nor is there any possibility that a contract could exist in the case of spyware installed by surreptitious means, such as in a drive-by download where the user receives no opportunity to either agree or refuse the contract terms.
Some spyware EULAs claim that removal of the spyware once installed is illegal . Such claims are untrue since by definition breach of contract is a matter of civil, not criminal law and breach of contract is not illegal by definition. Such notices may themselves be criminal however since they might be considered to make a deliberately false statement for the purpose of material gain, a common law definition of fraud.
Some jurisdictions, such as the U.S. state of Washington, have passed laws criminalizing forms of spyware. [http://www.leg.wa.gov/wsladm/billinfo1/dspBillSummary.cfmbillnumber=1012&year=2005] The [http://www.leg.wa.gov/pub/billinfo/2005-06/Htm/Bills/House%20Passed%20Legislature/1012-S.PL.htm Washington law] makes it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer security software.
New York Attorney General Eliot Spitzer has pursued spyware companies for fraudulent installation of software. In a suit brought in 2005 by Spitzer, California firm Intermix Media, Inc. ended up settling by agreeing to pay $7.5 million and to stop distributing spyware. Intermix s spyware spread via drive-by download, and deliberately installed itself in ways that made it difficult to remove.
Another spyware behavior which has attracted lawsuits is the replacement of Web advertisements. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court. Claria s is not the only spyware which replaces advertisements, thus diverting revenue from the ad-bearing Web site to the spyware author.
One legal issue not yet been pursued involves whether courts can hold advertisers responsible for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, the advertised company contracts with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of impressions or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have fired advertising agencies which have run their ads in spyware.
In a sort of turnabout, a few spyware companies have threatened Web sites which have posted descriptions of their products. In 2003, Gator (now known as Claria) filed suit against the Web site PC Pitstop for describing the Gator program as spyware . PC Pitstop settled, agreeing not to use the word spyware , but continues to publish descriptions of the harmful behavior of the Gator/Claria software. [http://www.pcpitstop.com/gator/default.asp]
=Remedies and prevention=
As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system.
Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data, and fully reinstalling the operating system.
==Anti-spyware programs==
Many programmers and commercial firms have released products designed to remove or block spyware. Steve Gibson s OptOut , mentioned above, pioneered a growing category. Programs such as Lavasoft s Ad-Aware and Patrick Kolla s Spybot - Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the GIANT Anti-Spyware software, rebadging it as Windows AntiSpyware Beta and releasing it as a free download for Windows XP, Windows 2000, and Windows 2003 users. The Windows AntiSpyware Beta is a time-limited beta test that will expire at the end of December 2005.
Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as spyware . However, recent versions of these major firms home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as extended threats and does not offer real-time protection from them as it does for viruses.
Anti-spyware programs can combat spyware in two ways: real-time protection , which prevents spyware from being installed, and scanning and removal of spyware. Scanning and removal is usually simpler, and so many more programs have become available which do so. The program inspects the contents of the Windows registry, the operating system files, and installed programs, and removes files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings.
Earlier versions of anti-spyware programs focused chiefly on scanning and removal. Javacool Software s SpywareBlaster was one of the first to offer real-time protection, blocking the installation of ActiveX-based and other spyware programs. To date, other programs such as Ad-Aware and Windows AntiSpyware now combine the two approaches, while SpywareBlaster remains focused on real-time protection.
Like most anti-virus software, anti-spyware software requires a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making signatures or definitions which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates gratis. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually.
If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware.
Malicious programmers have released a large number of fake anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware—or worse, may add more spyware of their own.
==Security practices==
To deter spyware, computer users have found a number of techniques useful in addition to installing anti-spyware software.
Many systems install a web browser other than Microsoft s Internet Explorer (IE), such as Opera (web browser) or Mozilla Firefox. While other web browsers have also had security vulnerabilities, Internet Explorer has contributed to the spyware problem in two ways: first, many spyware programs hook themselves into IE s functionality (as a Browser Helper Object or a toolbar); second, malicious Web advertisers have frequently used security holes in Internet Explorer to force the browser to download spyware. Many users of non-IE browsers on Windows report that they have switched from IE because of security concerns, including concerns about spyware. [http://www.spreadfirefox.com/q=forum/44]
Internet Explorer users can improve security by keeping up-to-date on security patches, and by altering settings in the browser — particularly those disabling scripting technologies such as ActiveX. (However, Web sites that make use of ActiveX will not work in this scenario.) The version of IE which comes with Windows XP also has substantially-improved security defaults, although spyware infections can still occur.
Some Internet sites — particularly colleges and universities — have taken a different approach to blocking spyware: they use their network firewall (networking)s and Web proxy to block access to Web sites known to install spyware. On March 31, 2005, Cornell University s Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore , and the steps the university took to intercept it. Many other educational institutions have taken similar steps against Marketscore and other spyware. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users behavior, and so may attract institutional attention more readily.
Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. One site, [http://www.cleansoftware.org/ CleanSoftware.org], founded as an alternative to other popular Windows software sites, offers only software verified not to contain nasties such as spyware. Recently, [http://www.download.com/ C|Net] revamped their download directory and will only keep files that pass inspection by Ad-Aware and Spyware Doctor.
=Notable programs distributed with spyware=
*Bearshare *Bonzi Buddy *DIVX (except for the paid version, and the standard version without the encoder. DivX announced removal of GAIN software from version 5.2) *Dope Wars *Download Accelerator Pro *ErrorGuard *FlashGet (free version) *Grokster *Kazaa *RadLight *WeatherBug *WildTangent
==Notable programs formerly distributed with spyware==
*AOL Instant Messenger *EDonkey2000 *LimeWire (spyware was included in all versions other than the non-windows versions, the paid versions, and the free versions after 3.9.3)
==See also== *Adware *Computer security audit *Exploit (computer science) *Keystroke logging *Malware *Stopping e-mail abuse
=References=
=External links=
==Communities==
==Guides==
==Prevention==
|
|