By Elizabeth Millard April 4, 2006 7:16AM
"If you want to avoid spyware, there are certain parts of the Web you should stay away from. They're the dark alleys of the Internet world. Basically, you visit a game cheat site, and you're vulnerable for spyware. A kids site will open you up to adware," said Dave Cole, director of Symantec Security Response.
Although spyware has been called the plague of the Internet, some people still regard the invasive software as a kind of digital Avian flu -- it is bad, and potentially very threatening, but happening to someone else.
That, many experts note, is a big mistake.
The prevalence of spyware, which usually slithers onto a system undetected during a download of other content, is formidable and poses a very real danger to every Internet user.
"You name it, spyware can do it," said Craig Schmugar, virus research manager at McAfee Avert Labs, which monitors Internet threats. "Everything from stealing your identity, turning your machine into a spam relay machine to popping up ads on your system. It can degrade your system performance to the point that using your machine is unbearable."
Defining the Threat
Spyware is a term that can be broken down into two categories, Schmugar said.
In the first category are the illegal, information-stealing threats that include Trojan viruses and "keylogger" programs that track user input. These are the villains of the Internet, and they pose a considerable risk to users. These types of programs are on the rise because the data extracted can be quite profitable to sellers.
Not all spyware is designed to be so harmful, though. The second category consists of programs intended to simply redirect users to different Web sites, or to collect general information on browsing habits.
"Advertisers often use spyware to cover competitors' Web sites," said Ben Edelman, a Harvard University researcher who focuses on spyware. "Where better can Netflix get a new customer than someone about to sign up with Blockbuster?"
If Netflix wanted to employ spyware, the company would hire an ad network, which then would hire another ad network, which would buy ad space from a spyware vendor, Edelman noted. This chain of companies distances the legitimate business from spyware activity while still giving it an edge in the marketplace.
Although this type of spyware, also called adware, might not be designed to hijack a system or steal identities, it still can be annoying. Working in the background, it can gobble up processing power, severely slow down a system, and even cause frequent crashes. It might also prompt a significant increase in pop-up ads, an Internet phenomenon that is almost universally despised.
"The advertisers are profiting from this, as are the adware makers, and those affiliates who distribute the adware," said Schmugar. "A significant number of affiliates are indirectly violating adware makers' terms of service by exploiting system vulnerabilities to silently install adware."
Spy vs. You
Although some spyware is relatively benign, especially the type that simply tries to get users to view ads or visit a rival site, other types are downright scary.
Keylogging programs, for example, can capture passwords, user IDs, and personal information. This is not just the kind of stuff that absentminded people put on a Post-It note, either. Through keylogging, a phisher can read every e-mail sent, see every Web site visited, watch every e-commerce transaction, and secretly view private instant-messaging chats.
With all that information, identity theft would be child's play, and even worse, it could extend into every facet of a person's digital life. A phisher could send e-mails from a user's account, with keylogging software attached, that would then infect the person's entire network of family and friends.
As unsettling as it might be to have one's identity hijacked, the effect on someone's finances could be devastating. With this level of personal information, a phisher might set up an electronic checking account, transfer every dollar of a victim's bank account into it, and walk away. Just as a user is wrangling with the bank over what happened, the credit card bills are likely to start arriving.
Many phishing victims have reported feeling violated by the actions, as if the phisher had come into their homes while they were sleeping and cleaned them out.
But, to extend the metaphor, phishing can be even worse than outright property theft. Thanks to insurance, most valuables can be replaced. But with phishing, someone's information might be sold again and again on the underground data market, forcing a victim to spend thousands of dollars, and months of time, trying to clear his or her good name and recover financially.
Other scenarios might not be as frightening as losing one's digital identity, but prove annoying and frustrating nonetheless. A spyware creator could hijack a user's system, turning the computer into a spam-spewing zombie, or so severely cripple the machine that it is nearly unusable.
Who's At Risk?
People who surf the Web in a corporate environment usually are protected. Computer network experts have become adept at putting up firewalls, blocking suspicious e-mail attachments, and watching for dubious download activity. Well aware of the spyware problem, many companies also do periodic sweeps of their systems to remove any unwanted programs that sneaked through their filters.
But many home users are not so fortunate. Some have installed antispyware protection, but in general, many are at risk, said Harvard's Edelman. Also vulnerable are libraries, airports, and hotels, all of which offer open Internet access without spyware blockers.
According to antivirus software company Symantec, visiting certain Web sites also can affect the likelihood of being infected with spyware. In a recent experiment, researchers started with a fresh installation of Windows XP containing the latest security updates and spent an hour visiting well-known sites in major categories like gaming, shopping, travel, and kid-oriented fare.
What was left behind on the machines was compelling, Symantec noted. Sites for kids produced the most adware, downloading over 350 applications onto the system, but no pieces of spyware. In contrast, gaming sites caused only 23 adware applications to appear, but four spyware programs. Going to shopping sites resulted in no adware or spyware.
"What this experiment tells us is that if you want to avoid spyware, there are certain parts of the Web you should stay away from," said Dave Cole, director of Symantec Security Response. "They're the dark alleys of the Internet world. Basically, you visit a game cheat site, and you're vulnerable for spyware. A kids site will open you up to adware."
Tool Kit
There are several spyware blockers and cleaners on the market, and Edelman noted that many users download programs like Ad-Aware, Webroot, and Counterspy.
A company started last year, SiteAdvisor, provides a system of automated testers that patrols the Web and gives out spyware safety ratings, allowing people to see if their favorite sites are really spyware havens. After downloading SiteAdvisor's software, people will see a small box in their browser with a red, yellow, or green icon to indicate the spyware threat level.
Antispyware tools work by scanning a computer system to find suspicious-looking programs that seem to have no business being in the machine, like adware, password crackers, remote-administration tools, jokes, and other applications. Some of what is caught is legitimate, which is why everything is usually presented in list format to a user, who can then sort the wanted from the junk.
Lately, though, even antispyware programs must be viewed with suspicion. A major trend has been the use of pop-ups by firms that allegedly provide free system scans and spyware cleaning. When a user chooses to accept the offer, he gets a message informing him that his system is riddled with spyware, even if it is perfectly clean. The irony is that during the scan, spyware is actually being installed.
"Stick with what you trust," said Symantec's Cole. "Don't use something from a pop-up ad that tries to scare you into downloading it because it has a funky, scary alert message."