Spyware: Difference between revisions
→Spyware, "adware", and tracking: verbose circumlocutions are bad |
|||
Line 190: | Line 190: | ||
===Guides=== |
===Guides=== |
||
*[http://absolutely.ugtech.net/adware.php Absolutely© Adware and Spyware article - http://absolutely.ugtech.net/adware.php] |
|||
* [http://www.boredguru.com/modules/articles/index.php?storytopic=16 Computer Security] — Tips and tricks for manually removing common trojans, adware and spyware. |
* [http://www.boredguru.com/modules/articles/index.php?storytopic=16 Computer Security] — Tips and tricks for manually removing common trojans, adware and spyware. |
||
* [http://www.virusspy.com Spyware Tutorials] — Information on removing Spyware and Viruses |
* [http://www.virusspy.com Spyware Tutorials] — Information on removing Spyware and Viruses |
Revision as of 03:20, 16 July 2005
Spyware is a broad category of malicious software intended to intercept or take partial control of a computer's operation without the user's informed consent. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.
Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, spyware is designed to exploit infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.
As of 2005, spyware affects only computers running Microsoft Windows operating systems. There have been no reported observations of spyware for Mac OS X, Linux, or other platforms.
History and development
The first recorded use of the term spyware occurred on October 16, 1995, in a Usenet post that poked fun at Microsoft's business model. Spyware later came to refer to espionage equipment such as tiny cameras. However, in 1999 the founder of Zone Labs, Gregor Freund, used the term in a press release for the Zone Alarm Personal Firewall.[2] Since then, computer users have used the term in its current sense. 1999 also saw the introduction of the first popular freeware program to include built-in spyware: a humorous and popular game called "Elf Bowling" spread across the Internet in November of 1999, and many users learned with surprise that the program actually transmitted user-information back to the game's creator, Nsoft.
In 2000, Steve Gibson of Gibson Research released the first anti-spyware program, OptOut, in response to the growth of spyware, and many more software antidotes have appeared since then.[3] International Charter now offers software developers a Spyware-Free Certification programme.[4]
According to an October 2004 study by America Online and the National Cyber-Security Alliance, 80% of surveyed users' computers had some form of spyware, with an average of 93 spyware components per computer. 89% of surveyed users with spyware reported that they did not know of its presence, and 95% reported that they had not given permission for it to be installed.[5]
Spyware, "adware", and tracking
The term adware frequently refers to any software which displays advertisements, whether or not it does so with the user's consent. Programs such as the Eudora mail client and the Opera Web browser display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. They do not operate surreptitiously or mislead the user.
Many of the programs frequently classified as spyware function as adware in a different sense: their chief observed behavior consists of displaying advertising. Claria Corporation's Gator provides an example of this sort of program. Visited websites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user's experience is that their computer begins displaying a large number of pop-up advertisements.
Other spyware behaviors, such as reporting on web sites the user visits, are frequently accompany the displaying of advertisements. The goal of monitoring Web activity is to build up a marketing profile on the user in order to sell "targeted" advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such) although many users choose to install it.
Routes of infection
Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.
The most direct route by which spyware can get on a computer is for the user to install it. However, users are unlikely to install software if they know that it may disrupt their working environment and compromise their privacy. So many spyware programs deceive the user, either by piggybacking on a piece of desirable software, or by tricking the user to do something that installs the software without realizing it.
Classically, the definition of a Trojan horse involves something dangerous that comes in the guise of something desirable. Some spyware programs are distributed in just this manner. The distributor of spyware presents the program as a useful utility -- for instance as a "Web accelerator" or as a helpful software agent. Users download and install the software, only to find out later that it can cause harm. For example, Bonzi Buddy, a spyware program targeted at children, claims that:
- He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE! [6]
Spyware can also come bundled with shareware or other downloadable software. The user downloads a program -- for instance, a music program or a file-trading utility -- and installs it; the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software, as with the Gator spyware now marketed by Claria. In other cases, spyware authors have repackaged desirable software with installers that add spyware.
A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. The design of the Internet Explorer web browser is intended not to allow web sites to initiate an unwanted download. Instead, a user action - such as clicking on a link - has to trigger a download. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack.
Some spyware authors infect a system by attacking security holes in the web browser or in other software. When the user navigates to a web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and install of spyware. This has become known as a "drive-by download", by analogy to drive-by shooting in which the user is a hapless bystander. Common attacks target security vulnerabilities in Internet Explorer and in the Microsoft Java runtime.
Internet Explorer also serves as a point of attachment for these programs, which install themselves as Browser Helper Object plugins.
In a few cases, a worm or virus has delivered a payload of spyware. For instance, some attackers used the W32.Spybot.Worm worm to install spyware that popped up pornographic ads on the infected system's screen.[7] By directing traffic to ads set up to channel funds to the spyware authors, they can profit even by such clearly illegal behavior.
Effects and behaviors
Windows-based computers can rapidly accumulate a great many spyware components. The consequences of a moderate to severe spyware infection (privacy issues aside) generally include a substantial loss of system performance (over 50% for bad infections), and major stability issues (crashes and hangs). Difficulty in connecting to the Internet is another common symptom.
Spyware infection occasions more visits to professional computer repairers than any other single cause. In many cases, the user has no awareness of spyware and assumes that the system performance, stability, and/or connectivity issues relate to hardware, to Windows installation problems, or to a virus. To have spyware professionally removed typically costs about $50 US. Owners of badly infected systems not infrequently buy an entire new computer system because the existing system "has become too slow".
Only rarely does a single piece of software render a computer unusable. Rather, a computer rarely has only one infection. As the 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. The cumulative effect, and the interactions between spyware components, typically cause the stereotypical symptoms reported by users -- a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and reduce browser security settings, opening the system to further opportunistic infections, much like an immune deficiency disease.
Some spyware products have additional consequences. Stealth dialers may attempt to connect directly to a particular telephone number rather than to a user's own intended ISP: where connecting to the number in question involves long-distance or overseas charges, this can result in massive telephone bills which the user has no choice but to pay.
A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware" — spyware applications that redirect affiliate links to major online merchants such as eBay and Dell, effectively hijacking the commissions that the affiliates would have expected to earn in the process. [8]
Some other types of spyware (Targetsoft, for example) modify system files to make themselves harder to remove. (Targetsoft modifies the Winsock (Windows Sockets) files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage.)
Spyware, along with other threats, has led some former Windows users to move to other platforms such as Linux or Apple Macintosh.
Typical examples
A few examples of common spyware programs may serve to illustrate the diversity of behaviors found in these attacks.
CoolWebSearch, a group of programs, installs through the exploitation of Internet Explorer vulnerabilities. The programs direct traffic to advertisements on Web sites including coolwebsearch.com. To this end, they display pop-up ads, rewrite search engine results, and alter the infected computer's hosts file to direct DNS lookups to these sites. [9]
Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because passworded Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access passworded sites. [10]
180 Solutions transmits extensive information to advertisers about the web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies. [11]
User consent and legality
Gaining unauthorized access to a computer is illegal, under computer crime laws such as the United States Computer Fraud and Abuse Act. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware programs, such as viruses. Nonetheless, few prosecutions of writers of spyware have occurred, and many such producers operate openly as above-board businesses. Some have, however, faced lawsuits.
Spyware producers primarily argue in defense of the legality of their acts that, contrary to the users' claims, users do in fact give consent to the installation of their spyware. Spyware that comes bundled with shareware applications may appear, for instance, described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported agreements, but many commercial software firms argue that an EULA (or clickwrap agreement) constitutes a legal contract. Under this argument, spyware companies such as Claria purport that users have consented to the installation of their software.
Nonetheless, it seems unlikely that this argument would apply to spyware installed by more surreptitious means, such as in a drive-by download where the user receives no opportunity to agree to or to reject the installation.
Some jurisdictions, such as the U.S. state of Washington, have passed laws criminalizing forms of spyware. [12] The Washington law makes it illegal for anyone other than the owner or operator of a computer to install software that alters web browser settings, monitors keystrokes, or disables computer security software.
New York Attorney General Eliot Spitzer has pursued spyware companies for fraudulent installation of software.[13] In a suit brought in 2005 by Spitzer, California firm Intermix Media, Inc. ended up settling by agreeing to pay $7.5 million and to stop distributing spyware. Intermix's spyware spread via drive-by download, and deliberately installed itself in ways that made it difficult to remove.[14]
A particular spyware practice has attracted lawsuits: the replacement of web site advertisements. Some spyware programs alter the text of web pages, replacing advertisements which fund the web site with ones which fund the spyware author. In June 2002, a number of large publishers sued Claria for replacing advertisements, but settled out of court.
One legal issue not yet been pursued involves whether courts can hold advertisers responsible for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, the advertised company contracts with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have "fired" advertising agencies which have run their ads in spyware.[15]
In a sort of turnabout, a few spyware companies have threatened Web sites which have posted descriptions of their products. In 2003, Gator (now known as Claria) filed suit against the web site PC Pitstop for describing the Gator program as "spyware".[16] PC Pitstop settled, agreeing not to use the word "spyware", but continues to publish descriptions of the harmful behavior of the Gator/Claria software. [17]
Remedies and prevention
As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system.
Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data, and fully reinstalling the operating system.
Anti-spyware programs
Many programmers and commercial firms have released products designed to remove or block spyware. Steve Gibson's OptOut, mentioned above, pioneered a growing category. Programs such as Lavasoft's Ad-Aware and Patrick Kolla's Spybot - Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the Giant Anti-Spyware software, rebadging it as Windows AntiSpyware Beta and releasing it as a free download for Windows XP users.
Major anti-virus firms such as Symantec and McAfee have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of Web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and does not offer real-time protection from them as it does for viruses.
Anti-spyware programs fall into two main camps: those which offer real-time protection and those which only offer scanning and removal of spyware. Scanning and removal involves much less implementation, and so many more programs have become available which do so. The program inspects the contents of the Windows Registry, the operating system files, and installed programs, and removes files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings
Malicious programmers have released a large number of fake anti-spyware programs, and widely-distributed web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware — or worse, may add more spyware of their own.[18] [19]
Security practices
To deter spyware, computer users have found a number of techniques useful in addition to installing anti-spyware software.
One common one is to use a Web browser other than Microsoft's Internet Explorer, such as Mozilla Firefox and Opera. While other Web browsers have also had security vulnerabilities, Internet Explorer has contributed to the spyware problem in two ways: first, many spyware programs hook themselves into IE's functionality (as a Browser Helper Object or a toolbar); second, malicious Web advertisers have frequently used security holes in Internet Explorer to force the browser to download spyware. Many users of non-IE browsers on Windows report that they have switched from IE because of security concerns, including spyware. [20]
Internet Explorer's security can be raised by ensuring that it's kept up to date on security patches, and by altering settings in the browser -- particularly disabling scripting technologies such as ActiveX. However, websites that make use of ActiveX will not work in this scenario. The version of IE which comes with Windows XP Service Pack 2 also has substantially improved security defaults, although spyware infections are still quite possible.
Some Internet sites -- particularly colleges and universities -- have taken a different approach to blocking spyware: they use their network firewalls and Web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University's IT department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it.[21] Many other educational institutions have taken similar steps against Marketscore and other spyware. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor user behavior, and so are more likely to attract institutional attention.
One path by which spyware gets installed is via certain shareware programs which are offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. One site, CleanSoftware.org, has been founded as an alternative to other popular Windows software sites, offering only software that has been verified not to contain "nasties" such as spyware. Recently, C|Net revamped their download directory and will only keep files that pass inspection by Ad-Aware and Spyware Doctor.
Notable programs distributed with spyware
- Kazaa
- EDonkey2000 (the last version(s), however, do not include spyware anymore)
- Bearshare
- DivX (except for the paid version, and the 'standard' version without the encoder)
- WeatherBug
- Atomic clock sync
- Bonzi Buddy
- LimeWire (except for the non-windows versions, the paid versions, and the free versions after 3.9.3)
- Wildtangent
- AOL Instant Messenger
- Gator
- ErrorGuard
- FlashGet (free version)
- Download Accelerator Pro
- Grokster
- Dope Wars
- Cliprex DVD player
- Note: Many related P2P networking software may also contain some type of known spyware. Users should read software licenses carefully.
See also
- Adware
- Computer barnacle
- Computer Security Audits
- Exploit
- Keystroke logging
- Malware
- Stopping e-mail abuse
References
- ^ "AOL/NCSA Online Safety Study". America Online & The National Cyber Security Alliance. October 2004.
- ^ Bonzi.com. http://www.bonzi.com/bonzibuddy/bonzimail.asp. Retrieved July 10, 2005.
- Clover, Andrew (2005). "Parasites, or unsolicited commercial software". Retrieved July 10, 2005.
- Edelman, Ben (2005). "'Spyware': Research, Testing, Legislation, and Suits". Retrieved July 10, 2005.
- ^ Edelman, Ben (2005). "WhenU Violates Own Privacy Policy", Retrieved July 14, 2005.
- ^ Festa, Paul. "See you later, anti-Gators?". News.com. October 22, 2003.
- ^ Gormley, Michael. "Intermix Media Inc. says it is settling spyware lawsuit with N.Y. attorney general". Yahoo! News. June 15, 2005.
- ^ Gormley, Michael. "Major advertisers caught in spyware net". Business Week. June 24, 2005.
- Hardmeier, Sandi "Malware: Help prevent the Infection". Microsoft. March 22, 2005
- Healan, Mike "Browser Hijacking". Spywareinfo. Jan 12, 2005
- ^ Howes, Eric L. "The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites". Retrieved July 10, 2005.
- ^ "Parasite information database". Doxdesk.com. Retrieved July 10, 2005.
- ^ Roberts, Paul F. "Spyware-Removal Program Tagged as a Trap". eWeek. May 26, 2005.
- ^ Schuster, Steve. "Blocking Marketscore: Why Cornell Did It". Cornell University, Office of Information Technologies. March 31, 2005.
- "Security at Home: Spyware". Microsoft.com. Retrieved July 10, 2005.
- ^ "Security Response: W32.Spybot.Worm". Symantec.com. Retrieved July 10, 2005.
- ^ "Spyware Certification". International Charter. Retrieved July 10, 2005.
- ^ "State Sues Major "Spyware" Distributor". Office of New York State Attorney General. April 28, 2005.
- Wagner, Christian (2004). "Spyware/AdWare/Malware FAQ and Removal Guide". Retrieved July 10, 2005.
- ^ Wienbar, Sharon. "The Spyware Inferno". News.com. August 13, 2004.
External links
Anti-spyware software
- Lavasoft Ad-Aware SE Personal [22] — (Freeware Version)
- Spybot - Search & Destroy [23] — Free software, one of the better spyware removers available with immunization and real-time filter
- HijackThis (mirrors: 1 2 3 4) — Offers utilities to manually select the removal of spyware. A tool for more advanced users.
- Microsoft Anti-Spyware — Includes real-time filter[24] — (Still in beta as of July 2005)
- PestPatrol [25]
- Spyware Doctor [26] — Current PC Magazine Editors' Choice (requires payment for removal of infections)
- Javacool SpywareBlaster — Prevents many spyware programs from running but does not actually scan for spyware[27]
- Acronis Privacy Expert Suite — 2005 PC Magazine Editors' Choice anti-spyware and security suite
- Corrupt Antispyware — List of corrupt antispyware software with clear evidence of corruption.
Communities
- Bleeping Computer Spyware Removal Tutorials — tutorials for HijackThis, Spybot, and Ad-Aware.
- CastleCops [28] — Free discussion based spyware/hijack cleanup. Site also has several web accessible master spyware database lists.
- Geeks To Go — Hijack assistance and malware removal forum.
- Google Spyware Removal Group
- ProcessLibrary.com — site providing users with detailed information on individual running processes.
- Security Forums HijackThis Logs // Malware Removal Forum — Spyware and malware removal forum
- Spywareinfo Forums — help for removing adware, spyware and malware.
Guides
- Absolutely© Adware and Spyware article - http://absolutely.ugtech.net/adware.php
- Computer Security — Tips and tricks for manually removing common trojans, adware and spyware.
- Spyware Tutorials — Information on removing Spyware and Viruses
- Magoo's Guide to Eliminating Spyware — Infomation on how to get rid of spyware and keep it from coming back
- CareOfWindowsXP Spyware guide — Advice on spyware for beginners
Prevention
- Financial investors who support spyware — A list of investment firms which support large scale spyware companies
- How Spyware And The Weapons Against It Are Evolving — Article discussing why the spyware problem has grown and possible remedies
- Spyware Prevention and Removal — How to prevent Spyware and Adware, and a guide to removing it should the worst happen
- Dealing with unwanted spyware and parasites