Spyware is computer software that collects personal information about users without their informed consent. The term, coined in 1995 but not widely used for another five years, is often used interchangeably with adware and malware (software designed to infiltrate and damage a computer). The term spyware has a very broad meaning. The commonly accepted defination is that any program installed without the users explicit concent or any program that transmits any information that the user is unaware of back to a third party can be reffered to as spyware.
Personal information is usually secretly recorded with a variety of techniques, including logging keystrokes, recording Internet web browsing history, and scanning documents on the computer’s hard disk. Purposes range from overtly criminal (theft of passwords and financial details) to the merely annoying (recording Internet search history for targeted advertising, while consuming computer resources). Spyware may collect different types of information. Some variants attempt to track the websites a user visits and then send this information to an advertising agency. More malicious variants attempt to intercept passwords or credit card numbers as a user enters them into a web form or other applications.
The spread of spyware has led to the development of an entire anti-spyware industry. Its products remove or disable existing spyware on the computers they are installed on and prevent its installation. A large number of these so called ‘anti-spyware’ products are in fact spyware themselves. A number of companies have incorporated forms of spyware into their products. These programs are not considered malware, but are still spyware as they watch and observe for advertising purposes. It is debatable whether such ‘legitimate’ uses of adware/spyware are malware since the user often has no knowledge of these ‘legitimate’ programs being installed on their computer and is generally unaware that these programs are infringing on their privacy. In any case, these programs still use the resources of the host computer without permission.
In early 2001, Steve Gibson of Gibson Research realized that advertising software had been installed on his system, and suspected it was stealing his personal information. After analysis, he determined that it was adware from the companies Aureate (later Radiate) and Conducent. Gibson developed and released the first anti-spyware program, OptOut. Many more have appeared since then.
According to a November 2004 study by AOL and the National Cyber-Security Alliance, 80% of surveyed users’ computers had some form of spyware, with an average of 93 spyware components per computer (such counts usually include ‘cookies’ which report back to a website, but are not software as such). 89% of surveyed users with spyware reported that they did not know of its presence, and 95% reported that they had not given permission for the installation of the spyware.
As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. In an estimate based on customer-sent scan logs, a certain anti-spyware vendor said that 9 out of 10 computers connected to the Internet are infected. Computers where Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks not only because IE is the most widely-used but because its tight integration with Windows allows spyware access to crucial parts of the operating system. The security of Internet explorer has been vastly improved with the advent of Windows XP service pack 2.
Spyware, adware and tracking
The term adware frequently refers to any software which displays advertisements, whether or not the user has consented. Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.
Most spyware is adware in a different sense: it displays advertising. Claria Corporation’s Gator Software and Exact Advertising’s BargainBuddy are examples. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user receives many pop-up advertisements.
Other spyware behavior, such as reporting on websites the user visits, occurs in the background. The data is used for "targeted" advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such). Many users, however, choose to install it without knowing the overall effects.
Similarly, software bundled with free, advertising-supported programs such as P2P act as spyware, (and if removed disable the ‘parent’ program) yet people are willing to download it. This presents a dilemma for proprietors of anti-spyware products whose removal tools may inadvertently disable wanted programs. These recent test results show how a bundled software (WhenUSave) is ignored by popular anti spyware program AdAware, (but removed as spyware by most scanners) because it is part of the popular (but recently decommissioned) Edonkey client.
Spyware, virus and worm
Unlike viruses and worms, spyware does not usually self-replicate. Like many recent viruses, however, spyware — by design — exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.
Routes of infection
Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.
Most spyware is installed without users being aware. Since they tend not to install software if they know that it will disrupt their working environment and compromise their privacy, spyware deceives users, either by piggybacking on a piece of desirable software, or tricking them into installing it (the trojan horse method). Some "rogue" anti-spyware programs even masquerade as security software.
The distributor of spyware usually presents the program as a useful utility — for instance as a "Web accelerator" or as a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a spyware program targeted at children, claims that:
He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you’ve ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he’s FREE.
Spyware can also come bundled with shareware or other downloadable software, as well as music CDs. The user downloads a program and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable free software with installers that add spyware.
A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. Internet Explorer prevents websites from initiating an unwanted download. Instead, it requires a user action, such as clicking on a link. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user’s system. Later versions of Internet Explorer offer fewer avenues for this attack.
Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware. The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a "drive-by download", which leaves the user a hapless bystander to the attack. Common browser exploits target security vulnerabilities in Internet Explorer and in the Java runtime.
The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it the most frequent target. Its deep integration with the Windows environment and scriptability make it an obvious point of attack into Windows. Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser’s behaviour to add toolbars or to redirect traffic. Spyware writers have howver moved onto other browsers such as firefox due to their increased usage.
In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to install spyware that put pornographic pop-ups on the infected system’s screen. By directing traffic to ads set up to channel funds to the spyware authors, they profit personally.
Effects and behaviors
A spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic, all of which slow the computer down. Stability issues, such as application or system-wide crashes, are also common. Spyware which interferes with networking software commonly causes difficulty connecting to the Internet.
In some infections, the spyware is not even evident. Users assume in those situations that the issues relate to hardware, to Windows installation problems, or a virus. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstall of all their software in order to return to full functionality, in most cases losing any data stored on the computer. In most cases if your computer is serviced by a reputable dealer such as ourselves this is not usually necessary.
Only rarely does a single piece of software render a computer unusable. Rather, a computer will likely have multiple infections. As the 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. The cumulative effect, and the interactions between spyware components, cause the symptoms commonly reported by users: a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Some spyware has disabled or even removed competing spyware programs, on the grounds that more spyware-related annoyances make it even more likely that users will take action to remove the programs. One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the two later settled with an agreement not to disable each others’ products.
Some other types of spyware (Targetsoft or Sahs agent, for example) modify system files so they will be harder to remove. Targetsoft modifies the "Winsock" Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage. Unlike users of many other operating systems, a typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system. Spyware, along with other threats, has led some Windows users to move to other platforms such as Linux or Apple Macintosh, which are less attractive targets for malware. This is because these programs are usually not granted unrestricted access to the operating system due to the Unix system of only allowing kernel access to ‘sudo’ users. Mac OSX used on the Apple Mac is basically ‘Darwin linux’ with a front end (desktop) written by Apple. As these operating systems become more widely used however Virus and spyware writers are now turning their attention to these machines, as they now offer a reasonable financial return. A large number of security flaws have recently been discovered in the latest version of Apples operinting system for example. Also a machine can be infected by cross platform software such as the latest security flaw found in adobe acrobat which is used on windows, unix and mac OSX operating systems.
Many spyware programs display advertisements. Some programs simply display pop-up ads on a regular basis; for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior. Pop-ups are one of users’ most common complaints about spyware.
Many users complain about irritating or offensive advertisements as well. As with many banner ads, many spyware advertisements use animation or flickering banners which can be visually distracting and annoying to users. Pop-up ads for pornography often display indiscriminately. When children are the users, this could possibly violate anti-pornography laws in some jurisdictions.
A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site’s own advertisements (which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites.
"Stealware" and affiliate fraud
A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware", and what spyware-researcher Ben Edelman terms affiliate fraud, also known as click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.
Spyware which attacks affiliate networks places the spyware operator’s affiliate tag on the user’s activity—replacing any other tag, if there is one. The spyware operator is the only party that gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue, Networks’ reputations are injured, and vendors are harmed by having to pay out affiliate revenues to an "affiliate" who is not party to a contract.
Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale. A number of spyware vendors have recently been fined large amounts of money for their activities.
Identity theft and fraud
In one case, spyware has been closely associated with identity theft. In August 2005, researchers from security software firm Sunbelt Software believed that the makers of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc.", but it turned out that "it actually (was) its own sophisticated criminal little trojan that’s independent of CWS." This case is currently under investigation by the FBI.
That case aside, identity theft remains theoretically possible as keyloggers are routinely packaged with spyware. Information security researcher John Bambenek estimates that identity thieves have stolen over $24 billion US dollars of account information in the United States alone.
Spyware-makers may commit wire fraud with dialer program spyware. These can reset a modem to dial up a premium-rate telephone number instead of the usual ISP. Connecting to these suspicious numbers involves long-distance or overseas charges which invariably result in high charges. Dialers are ineffective on computers that do not have a modem, or are not connected to a telephone line.
Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music Entertainment was found to be using rootkits in its XCP digital rights management technology. Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. Texas state attorney general Greg Abbott filed suit, and three separate class-action suits were filed. Wikipedia has further information on the Sony case here 2005_Sony_BMG_CD_copy_protection_scandal (opens in a new window)
Beginning April 25, 2006, Microsoft’s Windows Genuine Advantage Notifications application install on most Windows PCs as a "critical security update". While the main pupose of this deliberately non-uninstallable application is making sure the copy of Windows on the machine was lawfully purchased and installed, it also installs software that has been accused of "phoning home" on a daily basis, like spyware.
Spyware and cookies
Because of the wide definition of spyware Anti-spyware programs often report Web advertisers’ HTTP cookies, the small text files that track browsing activity, as spyware. While they are not inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and so many anti-spyware programs offer to remove them.
Examples of spyware
These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into "families" based not on shared program code, but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.
CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alter the infected computer’s hosts file to direct DNS lookups to these sites.
Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.This is commonly installed by so called ‘crack’ or warez sites.
180 Solutions (now Zango) transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies.
HuntBar, aka WinTools or Adware.Websearch, is a small family of spyware programs distributed by trafficSyndicate. trafficSyndicate.com is a trademark of IBIS, LLC. It is installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs — an example of how spyware can install more spyware. These programs add toolbars to IE, track browsing behavior, redirect affiliate references, and display advertisements.
Legal issues related to spyware
Unauthorized access to a computer is illegal under computer crime laws, such as the U.S. Computer Fraud and Abuse Act, the U.K.’s Computer Misuse Act and similar laws in other countries. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware, particularly viruses. However, few spyware developers have been prosecuted, and many operate openly as strictly legitimate businesses, though some have faced lawsuits.
Spyware producers argue that, contrary to the users’ claims, users do in fact give consent to installations. Spyware that comes bundled with shareware applications may be described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim these demonstrate that users have consented. Often these EULA agreements are many pages long which means that only the most vigilant of computer users will ever read them.
Despite the ubiquity of EULAs and of "clickwrap" agreements, under which a single click can be taken as consent to the entire text, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreement can be a binding contract in certain circumstances. This does not, however, mean that every such agreement is a contract or that every term in one is enforceable.
New York State Attorney General and Governor-elect Eliot Spitzer has pursued spyware companies for fraudulent installation of software. In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to pay US$7.5 million and to stop distributing spyware.
The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court.
Courts have not yet had to decide whether advertisers can be held liable for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, they have contracted with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement.
If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again.
A new breed of spyware (Look2Me spyware by NicTechNetworks is a good example) is starting to hide inside system-critical processes and start up even in safe mode. With no process to terminate they are harder to detect and remove. Sometimes they do not even leave any on-disk signatures. Rootkit technology is also seeing increasing use, as is the use of NTFS alternate data streams.
Malicious programmers have released a large number of fake anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware — or worse, may add more spyware of their own.
The recent proliferation of fake or spoofed antivirus products has occasioned some concern. Such products often bill themselves as antispyware, antivirus, or registry cleaners, and sometimes feature popups prompting users to install them. They are called rogue software.
Some known offenders include:
PAL Spyware Remover
WinAntiVirus Pro 2006
On 2006-01-26, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product. On 2006-12-04, the Washington attorney general announced that Secure Computer had paid $1 million to settle with the state. As of that date, Microsoft’s case against Secure Computer remained pending.
Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. Recently, CNet revamped its download directory: It now tests programs for spyware using popular antispyware utilities.
With the changing climate and the number of fines against spyware vendors many program authors are removing spyware from their programs.
Notable programs formerly distributed with spyware
AOL Instant Messenger (At the time of writing AOL Instant Messenger still packages Viewpoint Media Player, and WildTangent)
DivX (except for the paid version, and the "standard" version without the encoder). DivX announced removal of GAIN software from version 5.2.
LimeWire (all free Windows versions up to 3.9.3)
FlashGet (trial version prior to program being made freeware)
BearShare (spyware removed in latest version)