Security Laboratory

Advances in Spyware

Peter Giannoulis

Statistics tell us that 90% of the computer systems on the Internet right now are infected with spyware or some other type of malware.[1] It has become such a common problem that the American House of Representatives has passed the "Internet Spyware Prevention Act", which will become law if also passed by Congress.[2] The numbers are quite staggering, and the sheer number of unprotected computer systems has caught the eye of criminal minds that seek to control this resource for their own ends.

Adware programs are installed on a user's computer system to help a third party advertise directly to that user. Adware usually manifests itself as pop-up ads, banners and browser toolbars, and it does not collect personal information about the user unless it is bundled with another form of malware. Adware is mostly a nuisance, though it can be somewhat embarrassing if a pop-up for an unwanted site appears on one's screen while others are watching.

Spyware, on the other hand, is a program installed on the user's computer system for the sole purpose of monitoring their activity.[3] Spyware is typically disguised as a legitimate program that promises to make the user's life easier, such as a search helper or a web browser plug-in, but it can also be installed without the user's knowledge via malicious web sites or viruses. Once installed, the user's activity on the system is monitored by the spyware's creator: information such as the running programs, visited web sites and written emails is sent to the spyware author to use in whatever evil way their minds can imagine. One particularly nasty type of spyware is a key logger, a program that records every keystroke the user types to a file and then sends that file to the spyware author. This is an easy and convenient way for attackers to obtain a user's banking information, email passwords, data on current projects, or any other information that is stored on the system, for that matter.

When bundled with a rootkit, spyware becomes much more difficult, if not impossible, to locate. Rootkits have existed for many years, but they were recently made famous by Sony. These are programs that conceal their presence from the user by trojanizing local programs on the computer system. Examples include hiding the directory the rootkit is installed in from Windows Explorer and the DOS "dir" command, or hiding its running processes from Task Manager. Since the very tools the user would use to find the rootkit have been compromised, the user is unable to determine whether the system is infected.
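One defensive check against the process- and directory-hiding described above is a cross-view comparison: enumerate the same objects through two independent paths and flag anything that only one of them reports, since a rootkit that hooks the listing tools rarely hooks every path to the same data. The following is an added example, not code from the article; the live collectors assume a Linux host (the /proc filesystem and the ps tool), and the sample views are constructed.

```python
"""Cross-view detection of hidden processes and directories."""
import os
import subprocess


def cross_view_diff(low_level, high_level):
    """Return (hidden, phantom): entries seen only by the low-level view
    (candidates concealed from the user's tools) and entries seen only by
    the high-level view (a spoofed or stale listing)."""
    low, high = set(low_level), set(high_level)
    return sorted(low - high), sorted(high - low)


def pids_from_procfs(proc_root="/proc"):
    """Low-level view (Linux): numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps():
    """High-level view (Linux): the PIDs that the ps tool reports."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def live_hidden_pids():
    """PIDs present in /proc but missing from ps. Short-lived processes can
    appear as noise, so a real scan repeats and keeps only stable hits."""
    return cross_view_diff(pids_from_procfs(), pids_from_ps())[0]


# Constructed sample views: the raw enumeration sees PID 4242 and one extra
# directory that the hooked listing tools never report.
RAW_PIDS = {1, 532, 880, 4242}                       # constructed
TASKMGR_PIDS = {1, 532, 880}                         # constructed: 4242 filtered
RAW_DIRS = ["Program Files", "Users", "hidden_dir"]  # constructed
DIR_CMD_DIRS = ["Program Files", "Users"]            # constructed

if __name__ == "__main__":
    print("hidden pids, phantom pids:", cross_view_diff(RAW_PIDS, TASKMGR_PIDS))
    print("hidden dirs, phantom dirs:", cross_view_diff(RAW_DIRS, DIR_CMD_DIRS))
```

On Windows the same comparison applies, with a raw process enumeration compared against the list Task Manager shows, and a raw directory walk compared against what Explorer or "dir" displays.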

What can users do to prevent their exposure to spyware? Besides the usual advice, such as running the latest anti-spyware software that comes with your operating system or with more recent anti-virus software, watch which web sites you visit and be careful what you click on. When going to a web site for the first time, it's important to check whether it is operated by reputable people. This can be accomplished by checking the website against web rating pages such as SenderBase from IronPort[4] or McAfee's SiteAdvisor[5]. Consider running the Browsing Appliance from VMware[6] to restrict the access that websites may have to the operating system. You should also use web browsers such as Firefox[7] or Opera[8] that do not allow code to execute automatically when visiting new sites.

As the industry is becoming more aware of how to combat spyware, attackers are continuously thinking of more innovative methods to infect larger amounts of computer systems. We must remember that an attacker's purpose in creating spyware is to make money. And make no mistake, collecting personally identifiable information is a big money making scheme. Attackers are not about to give that up without a fight.

Be careful out there.

About the author
Peter Giannoulis, GSEC, GCIH, GCIA, GCFA, GWAS, CISSP, is an information security consultant for Access 2 Networks, a Toronto, Ontario based security consulting firm. He also serves as a technical director for GIAC.