by Richard Koontz, special to Network World

Spyware removal tools stop snoopers

Sep 29, 2003

Each day companies are faced with increasingly sophisticated attacks on privacy and security that evade traditional firewalls and are immune to anti-virus technology. The most threatening and rapidly growing attacks come in the form of spyware. Spyware is any software surreptitiously installed on a system that can monitor and record aspects of the system and broadcast this information back to a third party.

Staying one step ahead of spyware creators requires a dedicated removal tool. Anti-spyware utilities are pattern-based, adaptive programs that scan systems to find and remove Trojans, key loggers, dialers, adware and cookies.

In many ways anti-spyware tools look like anti-virus software in a network. They use clients, an anti-spyware server and an administration console. Because spyware changes on a daily basis, automatic spyware-definition updates from vendors are critical. Updates are pulled from an anti-spyware server via the Internet and pushed to clients using a centralized control panel.

The most sophisticated anti-spyware vendor research labs will generate long lists of characteristics that tell users what spyware resides on a machine, where it is located and what it is doing. Anti-spyware programs rely on these characteristics lists and use them to remove Windows registry entries, individual files and, in some cases, entire spyware directories from a hard drive.

Spyware generally installs an executable along with other files in various locations throughout an operating system. These files are called spyware traces. Removing spyware without a dedicated anti-spyware tool leaves traces behind. Moreover, elementary spyware-removal utilities simply remove the traces, which might stop the symptoms but doesn’t get to the root of the problem.

But unlike typical viruses, not all spyware should be automatically removed. As such, administrators need to define user profiles based on programs their users need.

For example, RemEye is a console application that installs a WinVNC server. It is often employed as an easy-to-use installer and can be a good administration tool. But because it installs with a default password of “abcd,” it also makes an excellent Trojan horse. Many pieces of spyware also are linked to legitimate applications and are required for those applications to function.

Sophisticated anti-spyware tools will not only find all trace files associated with a spy, but also offer a comprehensive database of spyware descriptions detailing the characteristics and threat level associated with each spy found. An up-to-date database is essential to help administrators develop anti-spyware user profiles.

Once user profiles have been created, removing spyware is a straightforward process. In a typical removal scenario, a client is infected with a piece of spyware, and once a scheduled scan is run, the anti-spyware application finds and quarantines (disables) the spy based on the user profile. At this point, the spy can be permanently removed or reinstalled.
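The scan-and-quarantine cycle described above, as an added example that is not part of the original article and is not Webroot’s product code. It models a “characteristics list” as a set of file hashes, path fragments and registry autorun keys per spy (those three trace types are an assumption about how such a list is stored), scans a constructed client snapshot, and quarantines each detected spy reversibly unless the user profile allows it, so that the administrator can later purge or reinstall it. All paths, hashes, signature names and profiles are constructed sample data.

```python
"""Trace-based spyware scan with profile-driven, reversible quarantine.

Illustrative code only; the signature database, the client snapshot and the
user profiles are all constructed sample data, not real spyware or products.
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed client snapshot: file path -> content, and autorun registry
# value -> command line. A real scanner walks the disk and registry instead.
SAMPLE_FILES = {
    r"C:\Windows\System32\kernel32.dll": b"legit system file",
    r"C:\Program Files\RemoteAdmin\rsvc.exe": b"remote admin service",
    r"C:\Users\alice\AppData\Local\Temp\kl_hook.dll": b"keystroke hook",
    r"C:\Users\alice\AppData\Local\Temp\kl_log.txt": b"captured keys",
}
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\rsvc":
        r"C:\Program Files\RemoteAdmin\rsvc.exe -service",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kl":
        r"rundll32 C:\Users\alice\AppData\Local\Temp\kl_hook.dll,Start",
}


@dataclass
class Signature:
    """One entry of the characteristics list: every trace a spy leaves behind."""
    name: str
    threat_level: str
    file_hashes: set = field(default_factory=set)      # SHA-256 of known trace files
    path_fragments: set = field(default_factory=set)   # case-insensitive path substrings
    registry_keys: set = field(default_factory=set)    # autorun values it creates


# Constructed signature database (names and hashes invented for this example).
SIGNATURES = [
    Signature("Example.Keylogger", "high",
              file_hashes={sha256(b"keystroke hook")},
              path_fragments={r"\Temp\kl_log.txt"},
              registry_keys={r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kl"}),
    Signature("Example.RemoteAdminTool", "medium",
              file_hashes={sha256(b"remote admin service")},
              registry_keys={r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\rsvc"}),
]


@dataclass
class Detection:
    name: str
    threat_level: str
    files: list = field(default_factory=list)
    registry: list = field(default_factory=list)


def scan(files, registry, signatures):
    """Collect every trace of every signature; report a spy if any trace matched."""
    found = []
    for sig in signatures:
        det = Detection(sig.name, sig.threat_level)
        for path, content in files.items():
            by_hash = sha256(content) in sig.file_hashes
            by_path = any(frag.lower() in path.lower() for frag in sig.path_fragments)
            if by_hash or by_path:
                det.files.append(path)
        det.registry.extend(k for k in registry if k in sig.registry_keys)
        if det.files or det.registry:
            found.append(det)
    return found


class Quarantine:
    """Disables a spy by moving all of its traces out of the live system, reversibly."""

    def __init__(self, files, registry):
        self.files, self.registry = files, registry
        self.store = {}   # spy name -> its isolated files and registry values

    def isolate(self, det):
        self.store[det.name] = {
            "files": {p: self.files.pop(p) for p in det.files},
            "registry": {k: self.registry.pop(k) for k in det.registry},
        }

    def restore(self, name):
        """Reinstall a quarantined spy (it turned out to be a tool the user needs)."""
        entry = self.store.pop(name)
        self.files.update(entry["files"])
        self.registry.update(entry["registry"])

    def purge(self, name):
        """Permanently remove a quarantined spy."""
        del self.store[name]


def run_scan(allowed_spies, files=None, registry=None):
    """Scan a copy of the snapshot; quarantine whatever the profile does not allow."""
    files = dict(SAMPLE_FILES if files is None else files)
    registry = dict(SAMPLE_REGISTRY if registry is None else registry)
    q = Quarantine(files, registry)
    actions = {}
    for det in scan(files, registry, SIGNATURES):
        if det.name in allowed_spies:
            actions[det.name] = "allowed"
        else:
            q.isolate(det)
            actions[det.name] = "quarantined"
    return actions, q


if __name__ == "__main__":
    # Constructed profiles: help-desk staff may keep the remote-admin tool.
    for profile, allowed in {"helpdesk": {"Example.RemoteAdminTool"}, "finance": set()}.items():
        actions, q = run_scan(allowed)
        print(profile, actions, "live files:", sorted(q.files))
```

The point of the `Quarantine` class is the order of operations the article describes: every trace of a spy is disabled together, the decision is driven by the profile rather than by the scanner alone, and nothing is deleted until an administrator calls `purge`, so a tool that a user legitimately needs can be put back with `restore`.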

Spyware is changing on a weekly and sometimes even daily basis. Some types of spyware now can shoot back when fired on in an attempt to remove anti-spyware utilities. In other cases, spyware changes names and jumps from one location to another when it realizes it has been detected and is about to be destroyed.

As a result, the anti-spyware strategies that worked yesterday might not work tomorrow. The rapid metamorphosis points to the need for an automated update system, as well as a dedicated anti-spyware program that has the ability to adapt as it encounters new spyware patterns.

However IT professionals choose to address the issue, spyware in corporate environments poses a significant threat to worker productivity, and to network and data security. Anti-spyware protection can augment corporate privacy and security efforts, and is becoming a necessary part of doing business in today’s Internet-enabled world.

Koontz is vice president of software development for Webroot Software. He can be reached at