
Spyware - The Threat for the 21st Century

Spyware has eclipsed other forms of malicious software (malware) as a significant threat to home and office computers, and currently affects 90% of internet-connected computers. During the first years of the 21st century, the spyware threat has escalated rapidly and led to a new class of security software being developed that is specifically designed to counter this threat. Webroot's Spy Sweeper software is a 5-star example of the type of security software that is essential for safe online computing.

What is Spyware and why should I care?

The anti-spyware group "Anti-Spyware Coalition" (ASC), an alliance of software companies, security firms and consumer organizations, has agreed on a finalized set of guidelines for detecting invasive spyware. The final draft of the ASC's "risk-modeling description" aims to give, for the first time, an objective definition of whether a software program is hostile. A draft of this description was thrown open to the public for comment in October. The final version is essentially an expanded and polished version of the October draft. The ASC defines spyware and other potentially unwanted software technologies as: "deployed without appropriate user consent and/or implemented in ways that impair user control over: material changes that affect their user experience, privacy, or system security; use of their system resources, including what programs are installed on their computers; and/or collection, use, and distribution of their personal or other sensitive information." (emphasis added)

Spyware, then, is a broad category of malicious software intended to intercept or take partial control of a computer's operation without the user's informed consent.  While the term "spyware" taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party without the consent of the owner / operator.

Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, however, spyware is designed to exploit infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing or other computer activity for marketing purposes; or routing of HTTP requests to advertising sites. Some spyware has evolved to become a conduit for other malware such as worms and trojans.  In the 21st century, malware is evolving to become a true blended threat where the lines between categories are blurring.

As of 2006, spyware affects only computers running Microsoft Windows operating systems. There have been no reported observations of spyware for Mac OS X, Linux, or other platforms. This is not to say such software cannot and will not be written. For a variety of reasons, some technical and others related to market share, Windows platforms and Internet Explorer in particular have been the targets of choice for spyware authors.

Spyware, "adware", and tracking

The term "adware" frequently refers to any software which displays advertisements, whether or not it does so with the user's consent. Programs such as the Eudora mail client and the Opera Web browser display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. They do not operate surreptitiously or mislead the user.

Many of the programs frequently classified as spyware function as adware in a different sense: their chief observed behavior consists of displaying advertising. Claria Corporation's Gator Software provides an example of this sort of program. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user's experience is that their computer begins displaying a large number of pop-up advertisements, often in a chaotic and unstoppable manner which can quickly render the computer desktop useless or camouflage other nefarious activity (like searching for personal data in the background).

Other spyware behaviors, such as reporting on Web sites the user visits, frequently accompany the displaying of advertisements. The goal of monitoring Web activity is to build up a marketing profile on the user in order to sell "targeted" advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such) although many users choose to install it.

Routes of infection

Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers.  Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.

The most direct route by which spyware can get on a computer is for the user to install it. However, users are unlikely to install software if they know that it may disrupt their working environment and compromise their privacy. So many spyware programs deceive the user, either by piggybacking on a piece of desirable software, or by tricking the user into doing something that installs the software without realizing it. This latter technique is often found in peer-to-peer software or IM programs.

Classically, the definition of a Trojan horse involves something dangerous that comes in the guise of something desirable. Some spyware programs are distributed in just this manner. The distributor of spyware presents the program as a useful utility—for instance as a "Web accelerator" or as a helpful software agent. Users download and install the software, only to find out later that it can cause harm.

A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. The design of the Internet Explorer Web browser is intended not to allow Web sites to initiate an unwanted download. Instead, a user action, such as clicking on a link, has to trigger a download. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No.  No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack.

Some spyware authors infect a system by attacking security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and install of spyware. This has become known as a "drive-by download", by analogy to drive-by shooting in which the user is a hapless bystander. Common attacks target security vulnerabilities in Internet Explorer and in the Microsoft Java runtime. Given that Internet Explorer is still the most widely used browser and that many users' systems are not up to date, it creates an attractive entry point for the less scrupulous advertisers.

Internet Explorer also serves as a point of attachment for these programs, which install themselves as Browser Helper Object (BHO) plugins. While some BHOs are useful or desirable, others are hostile and it can be difficult for the end user to determine which is which.
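Because BHOs are registered in the Windows registry, telling them apart starts with an inventory. The following is an added example, not part of the original article: it parses a regedit export, resolves each registered BHO to its name and DLL, and marks anything not on a known-good list for review. The sample export, CLSIDs, names, paths and the allowlist are constructed for illustration.

```python
# Registry locations where Internet Explorer finds BHOs and their COM classes.
BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# Constructed sample in regedit export format (all CLSIDs, names and paths are made up).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-AAAA-4AAA-8AAA-000000000001}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-BBBB-4BBB-8BBB-000000000002}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33333333-CCCC-4CCC-8CCC-000000000003}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-4AAA-8AAA-000000000001}]
@="Example PDF Helper"
[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-4AAA-8AAA-000000000001}\InprocServer32]
@="C:\\Program Files\\ExamplePDF\\pdfhelper.dll"
[HKEY_CLASSES_ROOT\CLSID\{22222222-BBBB-4BBB-8BBB-000000000002}\InprocServer32]
@="C:\\WINDOWS\\Temp\\x7f3.dll"
'''

def parse_reg(text):
    """Return {key_path: default_value_or_None} for every key in the export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, None)
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg files escape backslashes in string values
            keys[current] = line[3:-1].replace("\\\\", "\\")
    return keys

def inventory_bhos(text, allowlist=()):
    """List each registered BHO with its name, DLL path and review status."""
    keys = parse_reg(text)
    lookup = {k.upper(): v for k, v in keys.items()}  # registry paths are case-insensitive
    known = {c.upper() for c in allowlist}
    rows = []
    for key in keys:
        if not key.upper().startswith(BHO_ROOT.upper() + "\\"):
            continue
        clsid = key[len(BHO_ROOT) + 1:]
        base = (CLSID_ROOT + "\\" + clsid).upper()
        dll = lookup.get(base + "\\INPROCSERVER32")
        if dll is None:
            status = "orphaned"   # BHO entry with no DLL registration
        elif clsid.upper() in known:
            status = "known"
        else:
            status = "review"     # not on the known-good list
        rows.append({"clsid": clsid, "name": lookup.get(base), "dll": dll, "status": status})
    return rows

if __name__ == "__main__":
    for row in inventory_bhos(SAMPLE_EXPORT, ["{11111111-AAAA-4AAA-8AAA-000000000001}"]):
        print(row)
```

Entries marked "review" are candidates for a closer look at the DLL's location and publisher, not confirmed spyware.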

Changing nature of Malware threat

The number of "classic" viruses introduced and infecting user computers dropped dramatically in 2005. According to data released by PandaLabs, less than one percent of the new threats detected in 2005 were viruses, whereas threats like Trojans and worms still had a significant presence compared to the previous year. Viruses, often described as threats that add their code to other executable files in order to carry out their malicious actions, have reached a new low in infection rates. Frequently, the aim of the creators of this type of threat is fame. However, legislation against computer crime in many countries worldwide has led to a dramatic drop in the number of new specimens of this type. Now, few of the previous generation of "script kiddies" or amateur virus writers are willing to run the risk. Those viruses that are coming to the internet or infecting computers are often targeted and are designed to lead to financial gain. In place of viruses, spyware / adware and worm / trojan malware are now the most common threats faced by the computer user.

What can a user do? 

There are some free tools to remove malware, the best known being Spybot, Ad-aware from Lavasoft and the new Microsoft product in development (beta). Although they are reasonably effective in removing malware they each have a significant flaw. Rather than guard your system actively, Spybot and Ad-aware use passive scanners that clean on request. It's a bit like locking the stable door after the horse has bolted. While the Microsoft anti-spyware product is a hot topic of discussion in the press these days, I found nothing in its beta release that threatens my conviction that Spy Sweeper is the best available.

In order to consider your computer protected, you need:

- A reliable tool that will run as a service in the background, like your anti-virus tools, so that you are constantly protected against any threat.
- You need a tool that automatically downloads new threat signatures and removal properties, as well. Few commercial products offer this necessary protection.
- You need a tool that is designed and developed as a professional product, not a hobby - the adware and spyware threats are too rapidly evolving to allow for delays in offering protection against emerging threats.

Spy Sweeper Comes Through

Spy Sweeper is really very easy to use. It regularly and automatically updates its library of malware fingerprints and at latest count had over 122,000!  It has almost no impact on system performance unless you trigger a manual scan. It's important to note that a manual scan is only necessary if you have reason to believe you may have picked up a threat.

At $29.95 per year such protection is not too expensive for what it offers.  Spy Sweeper offers comprehensive protection and is backed up by a reputable company.  Spy Sweeper guards 24/7 against malware being installed in the first place and is widely agreed to be one of the most effective such programs available. To sum up, you really do need a tool to protect your computer and your family from malware.

What's so great about Spy Sweeper?

Start with its remarkable speed that doesn't sacrifice thorough scanning. Slow or on-demand products are an interruption to your work, or they take so much time that you won't use them as often as you should. During testing on a system with over 100GB of data, after completing its assigned task, Spy Sweeper's results screen appeared so fast that I thought it must be some sort of error message. Spy Sweeper even proactively checks any files on removable media or program CDROMs. The application correctly identified and offered to remove spyware threats on a test system that I keep in nearly pristine condition. None was a false positive, a problem I've found with competing products. Further, Spy Sweeper has been

The three most crucial features any anti-malware program needs  are: reliability,  frequency of definition file updates and clear explanations of malware objects. Like anti-virus software, anti-spyware utilities are only as good as their latest definition or signature files.  According to Spy Sweeper's publisher, it routinely publishes 2 updates every week. Meanwhile, my own informal checks for its competitors in recent months suggest that competitors Spybot and Ad-aware provide updates significantly less frequently. In addition, Spy Sweeper easily provides the clearest explanation of each potential spyware object that it identifies. It also includes links to more detailed information from an online database.  Webroot is so good at identifying and describing threats it is routinely referred to in the press as a source for describing emerging (and emergency) threats.  You can't get better than that.

Webroot's Spy Sweeper scans and detects spyware programs on your computer, then helps you delete the threat. There are already free programs available that do the same thing - so what extras does Spy Sweeper offer? To find out, we ran a scan of our system using Spy Sweeper and its competitor AdAware, the best-known free spyware removal program.

AdAware finished its test in just under a minute, while Spy Sweeper kept us waiting for nearly six. Despite this, Spy Sweeper found exactly the same number of spy programs as AdAware. We ran the same test again on a number of systems and came up with comparable results. However, when we ran Spy Sweeper on a system that had already been cleaned by AdAware, the program found 36 programs that AdAware claimed already to have done away with. We didn't have the same problem when we reversed the scenario and ran AdAware on a system that had already been cleaned by Spy Sweeper.

Also, Spy Sweeper doesn't just wait until you run a scan to clear your PC of spyware. It includes a real-time monitor that looks for newly installed spyware and catches it the moment it launches. We tested this by installing a program called Hotbar that we knew came with some spyware, and Spy Sweeper detected it as soon as it started up. AdAware can't do this.

Spy Sweeper can even remove threats from 180search and coolwebsearch - threats that are legendarily difficult to remove. You could do the same thing with tools like Hijackthis! and registry editors, but Spy Sweeper is both safer and more reliable to depend on. Besides, the technically sophisticated can save time by running Spy Sweeper and proofing the results using techy tools. That's what I do. I have never found Spy Sweeper to report a false negative or a false positive. Few tools are that reliable.

After reviewing a number of tools, Spy Sweeper from Webroot stands out. They also publish the successful Window Washer cleanup tool. Additionally, there are other "tools" that are either imitators, or worse, trojans themselves that will infect your computer rather than clean it.  Be careful - don't click on any pop-up that advertises "click here for an instant scan".  The banners at the top and bottom of this page will take you directly to Webroot's home page where you can try out the tool and purchase if you like.

A free Website, StopBadware.org, launched Wednesday, January 25, plans to provide a list of programs that contain spyware and other malicious software. It will also identify companies that develop the programs and distribute them on the Internet. Consumers can then decide if a program is safe to download. "For too long, these companies have been able to hide in the shadows of the Internet," says John Palfrey, who heads the Berkman Center of Internet & Society at Harvard Law School and is spearheading the project. "What we're after is a more accountable Internet." The initiative is being run by Harvard and the Oxford Institute and is backed by high-tech heavyweights including Google and Sun Microsystems. Consumer Reports' WebWatch is serving as a special adviser. In addition to spyware, the hit list of the StopBadware coalition includes malicious "adware" programs that serve up onslaughts of pop-up ads or software that contains hidden viruses and worms.  By checking StopBadware.org, its organizers say, consumers can choose, in the first place, not to download a program containing the malicious software. The coalition is encouraging consumers to visit the Website to log their experiences with harmful programs.

 
