Analysts say spyware writers are gaining the upper hand over computer security experts.
By Lamont Wood
With an estimated 72 percent of PCs in homes now bogged down by an average 24 spyware infections each, and with the number of websites disseminating spyware skyrocketing, the question arises: who's winning the war on spyware?
Indeed, the latest "State of Spyware" quarterly report released by Webroot Software, a security software firm in Boulder, CO (from which the figures above were taken) contains chilling news: the bad guys are now bringing up their big guns, so-called "rootkit" technology and "polymorphic" code. Both are being used more and more extensively in spyware, and most old-line anti-virus programs are helpless against them, claims Richard Stiennon, Webroot's vice president of threat research.
Spyware programs often exploit browser security holes to download themselves onto a user's hard drive, where they surreptitiously send back information about the user's Web-browsing habits. With rootkit technology, these files can make themselves invisible to the host computer's operating system, allowing spyware or virus files to take up residence deep within the machine and operate undetected.
Anti-virus programs that scan hard drives for malicious code aren't much help. Rootkit files "know when they are being scanned and stop doing anything," says industry analyst Rob Enderle, head of the Enderle Group in San Jose, CA. "They are incredibly dangerous, and operate at a level where the current generation of anti-malware products cannot operate."
The danger posed by rootkit technology was brought to the fore this month when a security expert discovered that Sony BMG Music Entertainment had placed rootkit files on as many as 20 popular music CDs, to keep them from being pirated by PC users. Sony has apologized and offered a fix -- but three examples of malicious software have already been found that took advantage of the rootkit files left on PCs by the Sony CDs, and several class action lawsuits are in the works.
Another virulent spyware tool, polymorphic software, uses multiple files with random names, so that each infection is unique, requiring a unique disinfectant. Your computer's operating system might spot one, but removing it manually won't solve the problem, since the infecting files monitor each other, and if one is removed the others summon a replacement from the Web.
"You have to understand which file to get rid of first -- it's like grabbing the tail of a snake," Stiennon says. But the main problem is that scanning for the dozen or so infection routes used by most older viruses no longer works, he says.
The war is still a long way from over, though, says Craig Schmugar, a virus research manager at McAfee Inc., the noted security software vendor in Santa Clara, CA. Both rootkits and polymorphic code have been around for several years, he says, and there are counter-measures that can be marshaled against them.
"Do the bad guys have an A-bomb? There has been speculation about that for years," Schmugar says. "There have been flare-ups, and there have been zero-day attacks [that is, malicious code using a trick unknown to the software vendors until the day of the attack], but most have been mitigated by good security policies and procedures. Then it becomes a race to implement the anti-technology."
But today there's a new factor changing the way viruses are created and delivered: money.
"Several years ago one of the ways we received sample viruses was directly from the authors, who wanted their five minutes of fame," says Schmugar. "It might come from an anonymous address, or from someone who says they had 'found' it. There are still some of those, but now money is the driving factor. They get advertising money from affiliate programs, so it behooves them to conceal their installation as long as they can."
In other words, lone, anti-social hackers have turned into an underground of socially aware advertisers, according to Schmugar, seeking to turn the world's PCs into little zombie billboards that can spring to life at the spyware writer's request. "Botmasters" have also arisen, he says, who control multiple infected computers by passing commands to them through Internet Relay Chat channels. They can test their "bot" spyware against multiple anti-virus programs until it proves it can survive, and then download it to the other machines they control.
In fact, last week federal agents arrested a man in California for allegedly controlling a vast network of 400,000 infected PCs. He supposedly rented them out to spammers or people who wanted to launch denial-of-service attacks (which flood a website with traffic and make is unusable), asking as little as 20 cents per infected machine. Now he faces federal prison, because some of those machines belonged to the U.S. Navy.
While viruses used to be circulated as e-mail attachments, today they are disseminated from websites that users are tricked into visiting. The sites cannot be traced because they're set up by infected bots, at arms-length from the botmaster, Schmugar explains.
Although increasingly many advertisers don't want to be associated with spyware, that backlash won't put an end to these electronic invasions. There are always other advertisers, typically pornographers, who don't care, says Schmugar.
But there is also hope. For instance, viruses based on Microsoft Word macro files and Visual Basic scripts are essentially extinct, Schmugar adds.
Enderle, however, believes that the situation is already unmanageable. "With the Internet a virus can spread in hours, and it takes 24 hours to make a patch," says Enderle. "What we need is a new architecture."
Indeed, Enderle says he is looking forward to the release of Vista, the next upgrade of Microsoft Windows, expected around August 2006. According to him, it eliminates the most commonly exploited vulnerabilities of Windows.
Until then, the only sure remedy for an infected PC is to erase the hard drive and reload it with its original, pristine operating system and software. "Probably, within the next year, every family in the country will have to do that at least once," Enderle says.