What is spyware? According to Wikipedia, "Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent."
The term spyware, as it suggests, refers to software whose purpose is to monitor and report a computer user's behavior and personal information. Spyware collects personal information, surfing habits and sites visited. Spyware can also install additional software, take over a user's browser, and pop up websites that deliver more harmful viruses, known as executables because they execute when the computer user opens them. Spyware can change a user's computer settings, slow connection speeds, change the user's home pages, and delete or corrupt other programs.
Running anti-spyware software is the best way to find and remove spyware from a user's PC.
History & development
According to Wikipedia.org, "the first recorded use of the term spyware
occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's
business model. Spyware at first denoted hardware meant for espionage
purposes. However, in early 2000 the founder of Zone Labs, Gregor Freund,
used the term in a press release for the ZoneAlarm Personal Firewall.
Since then, "spyware" has taken on its present sense. According to a
2005 study by AOL and
the National Cyber-Security Alliance, 61 percent of surveyed users' computers
had some form of spyware. 92 percent of surveyed users with spyware reported
that they did not know of its presence, and 91 percent reported that they had
not given permission for the installation of the spyware. As of 2006, spyware
has become one of the preeminent security threats to computer systems running
Microsoft Windows operating systems. Computers where Internet
Explorer (IE) is the primary browser
are particularly vulnerable to such attacks not only because IE is the most
widely-used, but because its tight
integration with Windows allows spyware access to crucial parts of the
operating system."
Spyware, virus and worm
Spyware, unlike worms and viruses, doesn't typically self-replicate. Spyware usually exploits computers for commercial gain. Typical tactics include unsolicited pop-up advertisements; theft of personal information (such as credit card numbers, passwords and bank accounts); monitoring of surfing activity for marketing purposes; or re-routing of HTTP requests.
Routes of infection
Malicious websites attempt
to install spyware on readers' computers.
Spyware does not directly
spread in the manner of a computer virus or worm: generally, an infected system
does not attempt to transmit the infection to other computers. Instead, spyware
gets on a system through deception of the user or through exploitation of
software vulnerabilities.
Most spyware is installed
without users' knowledge. Since they tend not to install software if they know
that it will disrupt their working environment and compromise their privacy,
spyware deceives users, either by piggybacking
on a piece of desirable software such as Kazaa, or by tricking
them into installing it (the Trojan horse method). Some
"rogue" anti-spyware programs masquerade as security software, while
being spyware themselves.
Spyware can also come
bundled with shareware or other downloadable software, as well as music CDs.
The user downloads a program and installs it, and the installer additionally
installs the spyware. Although the desirable software itself may do no harm,
the bundled spyware does. In some cases, spyware authors have paid shareware
authors to bundle spyware with their software. In other cases, spyware authors
have repackaged desirable freeware with installers that add spyware.
A third way of
distributing spyware involves tricking users by manipulating security features
designed to prevent unwanted installations. Internet Explorer prevents websites
from initiating an unwanted download. Instead, it requires a user action, such
as clicking on a link. However, links can prove deceptive: for instance, a pop-up ad
may appear like a standard Windows dialog box.
The box contains a message such as "Would you like to optimize your
Internet access?" with links which look like buttons reading Yes
and No. No matter which "button" the user presses, a download
starts, placing the spyware on the user's system. Later versions of Internet
Explorer offer fewer avenues for this attack.
Some spyware authors
infect a system through security holes in the Web browser or in other software.
When the user navigates to a Web page controlled by the spyware author, the
page contains code which attacks the browser and forces the download and
installation of spyware. The spyware author would also have some extensive
knowledge of commercially-available anti-virus and firewall software. This has
become known as a "drive-by download", which leaves the user a
hapless bystander to the attack. Common browser
exploits target security vulnerabilities in Internet Explorer and in the Sun
Microsystems Java runtime.
The installation of
spyware frequently involves Internet Explorer. Its popularity and history of
security issues have made it the most frequent target. Its deep integration
with the Windows environment and scriptability make it an obvious point of
attack into Windows. Internet Explorer also serves as a point
of attachment for spyware in the form of Browser Helper Objects, which modify the
browser's behaviour to add toolbars or to redirect traffic.
In a few cases, a worm or virus has delivered a spyware payload. Some
attackers used the Spybot worm to install spyware that put pornographic
pop-ups on the infected system's screen. By directing traffic to ads set
up to channel funds to the spyware authors, they profit personally.
Effects and behaviors
A spyware program is
rarely alone on a computer: an affected machine can rapidly be infected by many
other components. Users frequently notice unwanted behavior and degradation of
system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network
traffic, all of which slow the computer down. Stability issues, such as
application or system-wide crashes, are also common. Spyware which interferes
with networking software commonly causes difficulty connecting to the Internet.
In some infections, the
spyware is not even evident. Users assume in those situations that the issues
relate to hardware, Windows installation problems, or a virus. Some owners of
badly infected systems resort to contacting technical
support experts, or even buying a new computer because the existing system
"has become too slow". Badly infected systems may require a clean
reinstallation of all their software in order to return to full functionality.
Only rarely does a single
piece of software render a computer unusable. Rather, a computer is likely to
have multiple infections. As a 2004 AOL study noted, if a computer has any
spyware at all, it typically has dozens of different pieces installed. The
cumulative effect, and the interactions between spyware components, cause the
symptoms commonly reported by users: a computer which slows to a crawl,
overwhelmed by the many parasitic processes running on it. Moreover, some types
of spyware disable software firewalls and anti-virus software, and/or
reduce browser security settings, thus opening the system to further
opportunistic infections, much like an immune deficiency disease. Some spyware
disables or even removes competing spyware programs, on the grounds that more
spyware-related annoyances make it even more likely that users will take action
to remove the programs. One spyware maker, Avenue Media, even sued a competitor,
Direct Revenue, over this; the two later settled with an agreement not to
disable each other's products.
Advertisements
Many spyware programs
display advertisements. Some programs simply display pop-up ads on a regular
basis; for instance, one every several minutes, or one when the user opens a
new browser window. Others display ads in response to specific sites that the
user visits. Spyware operators present this feature as desirable to
advertisers, who may buy ad placement in pop-ups displayed when the user visits
a particular site. It is also one of the purposes for which spyware programs
gather information on user behavior.
Many users complain about
irritating or offensive advertisements as well. As with many banner ads,
many spyware advertisements use animation or flickering banners which can be
visually distracting and annoying to users. Pop-up ads for pornography
often display indiscriminately. Links to these sites may be added to the
browser window, history or search function. When children are the users, this
could possibly violate anti-pornography laws in some jurisdictions.
A further issue in the
case of some spyware programs has to do with the replacement of banner ads
on viewed web sites. Spyware that acts as a web proxy
or a Browser Helper Object can replace references
to a site's own advertisements (which fund the site) with advertisements that
instead fund the spyware operator. This cuts into the margins of
advertising-funded Web sites.
Identity theft and fraud
In one case, spyware has been closely associated with identity theft. In
August 2005, researchers from security software firm Sunbelt Software believed
that the makers of the common CoolWebSearch spyware had used it to transmit
"chat sessions, user names, passwords, bank information, etc.", but it turned
out that "it actually (was) its own sophisticated criminal little trojan
that's independent of CWS." This case is currently under investigation by
the FBI.
The Federal Trade Commission estimates that
27.3 million Americans have been victims of identity theft, and that financial
losses from identity theft totaled nearly $48 billion for businesses and
financial institutions and at least $5 billion in out-of-pocket expenses for
individuals.
Spyware-makers may commit wire fraud with dialer program spyware. These can
reset a modem to dial up a premium-rate telephone number instead of the
usual ISP. Connecting to these suspicious numbers involves long-distance or
overseas charges which invariably result in high call costs. Dialers are
ineffective on computers that do not have a modem, or are not connected to a
telephone line.
Personal relationships
Spyware has been used to
surreptitiously monitor electronic activities of partners in intimate
relationships, generally to uncover evidence of infidelity. At least one
software package, Loverspy, was specifically marketed for this purpose.
Depending on local laws regarding communal/marital property, observing a
partner's online activity without their consent may be illegal; the author of
Loverspy and several users of the product were indicted in California in 2005
on charges of wiretapping and various computer crimes.
Spyware and cookies
Anti-spyware programs
often report Web advertisers' HTTP cookies, the small text files that track browsing
activity, as spyware. While they are not always inherently malicious, many
users object to third parties using space on their personal computers for their
business purposes, and many anti-spyware programs offer to remove them.
Criminal law
Unauthorized access to a
computer is illegal under computer crime laws, such as the U.S. Computer Fraud and Abuse Act, the
U.K.'s Computer Misuse Act and similar laws in other
countries. Since the owners of computers infected with spyware generally claim
that they never authorized the installation, a prima facie
reading would suggest that the promulgation of spyware would count as a
criminal act. Law enforcement has often pursued the authors of other malware,
particularly viruses. However, few spyware developers have been prosecuted, and
many operate openly as strictly legitimate businesses, though some have faced
lawsuits.
Spyware producers argue
that, contrary to the users' claims, users do in fact give consent to
installations. Spyware that comes bundled with shareware applications may be
described in the legalese text of an end-user license agreement (EULA). Many
users habitually ignore these purported contracts, but spyware companies such
as Claria claim these demonstrate that users have consented.
Despite the ubiquity of
EULAs and of "clickwrap" agreements, under which a single click can
be taken as consent to the entire text, relatively little case law has
resulted from their use. It has been established in most common law
jurisdictions that a clickwrap agreement can be a binding contract in
certain circumstances. This does not, however, mean that every such
agreement is a contract
or that every term in one is enforceable.
Some jurisdictions,
including the U.S. states of Iowa and Washington, have passed laws criminalizing some forms of
spyware. Such laws make it illegal for anyone other than the owner or operator
of a computer to install software that alters Web-browser settings, monitors
keystrokes, or disables computer-security software.
In the United
States, lawmakers introduced a bill in 2005 entitled the Internet Spyware Prevention Act,
which would imprison creators of spyware.
Remedies and prevention
As the spyware threat has worsened, a number of techniques have emerged to
counteract it. These include programs designed to remove or to block spyware,
as well as various user practices which reduce the chance of getting spyware
on a system.
Nonetheless, spyware and spyware protection remain a costly problem. When a
large number of pieces of spyware have infected a Windows computer, the only
remedy may involve backing up user data and fully reinstalling the operating
system.
Anti-spyware programs
Many programmers and some
commercial firms have released spyware removal products designed to remove or block spyware.
Steve Gibson's OptOut pioneered a growing category. Programs such as
Lavasoft's Ad-Aware SE (free scans for non-commercial users, must pay
for other features) and Patrick Kolla's free spyware removal tool, Spybot - Search & Destroy rapidly
gained popularity as effective tools to remove, and in some cases intercept,
spyware programs.
- STOPzilla
- PCSafe.com
- PC Tools' Spyware Doctor
- Ad-Aware from Lavasoft
- Spyware Blaster
- Webroot Software's SpySweeper
- Spyware Terminator
Anti-spyware programs can
combat spyware in two ways:
1. They can provide real-time protection against the
installation of spyware on your computer. This type of spyware
protection works the same way as anti-virus protection in that the
anti-spyware software scans all incoming network data for spyware
and blocks any threats it comes across.
2. Spyware removal programs can be used solely
for detection and removal of spyware that has already been
installed onto your computer. This type of spyware protection is normally
much easier to use and more popular. With this spyware protection software
you can schedule weekly, daily, or monthly scans of your computer to
detect and remove any spyware that has been installed on your
computer. This type of spyware sweeper software scans the contents of the
Windows registry, operating system files, and installed programs on your
computer and will provide a list of any threats found, allowing you to
choose what you want to delete and what you want to keep.
Spyware remover programs will do a spyware search on the
contents of the Windows registry, the operating system files, and installed
programs, and remove files and entries which match a list of known spyware
components. Real-time protection from spyware works identically to real-time
anti-virus protection: the software scans disk files at download time, and
blocks the activity of components known to represent spyware. In some cases, it
may also intercept attempts to install start-up items or to modify browser
settings. Because much spyware and adware is installed as a result of browser
exploits or user error, using security software (some of which is anti-spyware,
though much is not) to sandbox browsers can also be effective
in restricting any damage done.
Earlier versions of spyware removal tools focused chiefly on detection and removal of the spyware. Spyware Blaster, one of the first to offer real-time protection,
blocked the installation of ActiveX-based and other spyware programs.
Like most anti-virus
software, many anti-spyware/adware tools, such as Spyware Doctor and Spyware Blaster, require a frequently-updated database
of threats. As new spyware programs are released, anti-spyware developers
discover and evaluate them, making "signatures" or
"definitions" which allow the software to detect and remove the
spyware. As a result, anti-spyware software is of limited usefulness without a
regular source of updates. Some vendors provide a subscription-based update
service, while others provide updates free. Updates may be installed
automatically on a schedule or before doing a scan, or may be done manually.
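The registry half of the definition-based scan described above, as an added example that is not code from any of the products named on this page. The registry export, the CLSID, the value names and the definitions format are all constructed for illustration.

```python
import re

# Constructed sample in the text format written by `reg export`; the CLSID,
# value names, paths and URL are made up for this example.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundDriver"="C:\\Windows\\System32\\snddrv.exe"
"SearchAssistant"="C:\\Program Files\\ExampleBar\\exbar.exe /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="ExampleBar Helper"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example.invalid/"
'''

# Hypothetical definitions: a key substring plus, optionally, a substring of
# the value data. Without "data_contains" the key's mere presence is the hit.
DEFINITIONS = [
    {"threat": "ExampleBar BHO",
     "key_contains": r"\browser helper objects\{11111111-2222-3333-4444-555555555555}"},
    {"threat": "ExampleBar start-up item",
     "key_contains": r"\currentversion\run", "data_contains": r"\examplebar\exbar.exe"},
    {"threat": "Home page hijack",
     "key_contains": r"\internet explorer\main", "data_contains": "search.example.invalid"},
]

# Matches  "name"="data"  or  @="data"  (string values only; dword/hex are skipped).
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return (key, value_name, data) tuples; value_name is None for the key itself."""
    entries, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.append((key, None, ""))
        elif key and (m := VALUE_RE.match(line)):
            data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
            entries.append((key, m.group(1) or "(Default)", data))
    return entries

def scan(entries, definitions):
    """Return (threat, key, value_name) for every entry matching a definition."""
    findings = []
    for key, name, data in entries:
        for d in definitions:
            want = d.get("data_contains", "").lower()
            hit = (want in data.lower()) if want else name is None
            if d["key_contains"].lower() in key.lower() and hit:
                findings.append((d["threat"], key, name))
    return findings

if __name__ == "__main__":
    print(*scan(parse_reg(REG_EXPORT), DEFINITIONS), sep="\n")
```

The findings list is the "list of any threats found" from which the user chooses what to delete; the `SoundDriver` start-up item matches no definition and is left alone.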
If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware. Killing the process tree can also work.
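One way to spot the paired, mutually respawning processes described above from a process-event log, as an added example that is not taken from any anti-spyware product. The log format, the image names and the two-second window are assumptions made for illustration.

```python
# Constructed process-event log (not a real tool's format):
# "<seconds> <start|exit> <pid> <parent pid> <image>".
EVENTS = """\
100.0 start 410 1 svcupd.exe
100.2 start 412 1 netmon32.exe
250.0 exit 410 1 svcupd.exe
250.4 start 530 412 svcupd.exe
300.0 exit 412 1 netmon32.exe
300.3 start 544 530 netmon32.exe
400.0 exit 700 1 notepad.exe
460.0 start 712 1 notepad.exe
"""

def find_respawns(log, window=2.0):
    """Return (image, restarted_by) for images started again within
    `window` seconds of exiting, with the image of the process that did it."""
    running, last_exit, respawns = {}, {}, []
    for line in log.splitlines():
        ts, event, pid, ppid, image = line.split()
        ts, pid, ppid = float(ts), int(pid), int(ppid)
        if event == "exit":
            running.pop(pid, None)
            last_exit[image] = ts
        elif event == "start":
            if image in last_exit and ts - last_exit[image] <= window:
                respawns.append((image, running.get(ppid, "unknown")))
            running[pid] = image
    return respawns

def watchdog_pairs(respawns):
    """Return sorted (a, b) pairs where a restarts b and b restarts a."""
    seen = set(respawns)
    return sorted({tuple(sorted(p)) for p in seen
                   if p[0] != p[1] and (p[1], p[0]) in seen})

if __name__ == "__main__":
    for a, b in watchdog_pairs(find_respawns(EVENTS)):
        print(f"{a} and {b} restart each other: stop both together")
```

A pair reported here has to be stopped together, which is what safe mode or killing the process tree achieves; the `notepad.exe` restart a minute after exit falls outside the window and is not reported.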