Senior Editor, Network World

On the lookout for spyware

Aug 16, 2004 | 6 mins

Formerly a concern for home users, adware gets attention of IT execs.

Organizations are increasingly eyeing spyware as a threat that needs to be blocked from reaching end users’ desktops.

A catchword for software programs that watch what end users are doing at their computers, spyware is said to encompass everything from marketing cookies, pop-ups and adware downloaded with peer-to-peer file-sharing programs to malicious Trojans and keyloggers designed to steal personal data. Even at its most benign, spyware is generating anger in corporations that see it jamming up user desktops, causing malfunctions and slowdowns.

“It’s an insidious scourge of the Internet,” says Lisa Hagen, IT manager at biotechnology manufacturing firm Labcyte in Sunnyvale, Calif. “These are pieces of software that get installed unbeknownst to you.”

Over the past year, Hagen has seen instances where employees’ desktop machines were “acting weird” from the effects of adware, which Hagen tries to combat by having employees use anti-spyware software, including StopZilla. Other IT managers recount similar stories.

Daniel VanMeter, system security specialist at Kansas University Medical Center in Kansas City, says he’s seen increasing numbers of network users approach the IT department to complain that their machines won’t boot up or are malfunctioning. It often turns out there are hundreds of different spyware/adware programs interfering with each other, causing the computer to choke on them, he notes.

Vendors respond

Spyware complaints were once heard mainly among home PC users. Thus, most spyware-eradication software is designed for individual users. But as corporations increasingly express alarm, anti-spyware software developers are leaping into the corporate market, selling multi-user licenses with centralized management for security professionals.

Anti-virus vendors, which have long gone after dangerous keyloggers and Trojans that get lumped into the spyware category, are broadening their reach to go after adware. Trend Micro recently added the anti-spyware freeware Spybot to its anti-virus software.

David Stang, co-founder and vice president of research at anti-spyware vendor PestPatrol, which recently entered the corporate market, says detecting and eradicating spyware relies on the kind of signature-based technique used to define a computer virus.

“There’s an analogy with anti-virus, and the techniques for wrestling with it remain the same,” Stang says. PestPatrol’s database runs to 23,000 spyware signatures, and the company typically adds about 75 new signatures per week.

The adware components in spyware often are designed so they are hard to detect and eradicate because one adware program “may add 30 registry entries and a half-dozen files,” Stang says.

Anti-spyware software has a tougher job than anti-virus software cleaning up desktop computers, he adds.

Peer-to-peer file-transfer software such as Grokster and marketing adware such as Claria’s Gator software are said to be among the most prevalent adware “downloaders.” Downloaders typically report back to servers about what users are doing on the Web and present advertising information.

A problem facing software vendors targeting spyware is that as the number of “pests” grows, so will the size of the software to detect it. PestPatrol’s anti-spyware software today is 2M bytes “and it’s going to get bigger,” Stang says.

The larger the program, the greater the possibility of slowing the desktop machine. And that concerns McAfee, whose VirusScan 8.0 product for the first time also targets about 200 spyware/adware programs considered among the worst.

Move over viruses

McAfee’s top 10 threats for the first half of the year included four spyware/adware programs.

“We prefer to call them ‘potentially unwanted programs,’” says Vincent Gullotto, vice president at McAfee’s Avert research lab, who adds that McAfee is considering how to add more PUP detections into future versions of its anti-virus software without causing performance degradation. McAfee intends to unveil an approach that might involve new technologies by this fall, he says.

Gullotto notes the term PUPs is legally less contentious, because some firms, such as marketing firm Claria, have objected to the “spyware” label.

McAfee customers often ask the firm to detect and eradicate PUPs they have found in employees’ computers. McAfee often ends up reviewing the end-user licensing agreement (EULA) that is downloaded with the PUPs.

A gray area

If the software is violating its own EULA, such as sending passwords out through a back door, McAfee will eradicate it. But there is a gray area where the user might have given consent to download marketing adware, in which case McAfee has to spend more time considering the legal ramifications of wiping it from the computer.

“It’s a quagmire,” Gullotto says.

McAfee’s legal counsel’s view is that employees don’t have the legal right to consent to downloading software because they don’t own the machines.

Marketing adware has brought about legal debate related to issues such as consent, privacy and free speech that arose years ago with so-called cookies, says Mark Rasch, senior vice president and chief security counsel at managed security services firm Solutionary.

“But what’s really bad about spyware is that most people can’t reasonably know what’s going on – and that the stuff gums up their computer,” he says. “Corporations need to inform the user on the issue of consent and what spyware is and what it’s doing. And they should make anti-spyware available to block it.”

Kevin Kingdon, analyst with security consultancy Intellitrove, says anti-virus vendors are “playing catch-up” with spyware blocking, adding that the most effective anti-spyware software he’s seen so far for combating the worst of it is the $25 desktop software SpyCop.

Other approaches to spyware eradication include filtering at least some of it out at the Internet gateway, according to some IT professionals.

Online stock brokerage firm OptionsExpress in Chicago blocks signature-based unwanted programs, including keystroke loggers and the Gator client, at the Internet gateway, says Ben Stein, vice president of IT infrastructure. The firm is using StillSecure’s Border Guard appliance, he says.

Claria, which last October changed its name from Gator and makes the Gator application and other marketing software, says it couldn’t have executives speak directly to questions because it is in the “quiet period” before an IPO. But in an e-mailed response, Claria says it operates the “world’s largest behavioral ad network” and targets its advertisements to segments of its “large, permission-based audience of users based on a broad range of anonymously identified behaviors exhibited across the Internet.”

The company estimates that it has an audience of 43 million users worldwide and has had about 425 advertisers use its services. Claria rejects the notion that Gator disrupts a desktop machine’s operations.