The State of Spyware: Where the Battle's Headed
Spyware and adware burrow into your PC. Anti-spyware programs dig them out. A new round of spyware and adware burrows into your PC. New and updated anti-spyware programs dig them out. While the war against spyware seems deadlocked, there's hope that the good guys will win. We spoke with Gregor Freund, founder of Zone Labs and developer of the ZoneAlarm Internet Security Suite, to find out the latest strategies used by both sides and to learn how the future might play out.
PC World: What's the difference between adware and spyware?
Gregor Freund: Adware and spyware are both major threats to a consumer's PC, but the main difference lies in the intent. Spyware is used to pilfer personal information for criminal activities such as identity theft and financial scams, whereas adware focuses on aggregating personal information to serve advertising content.
Spyware may be the more insidious threat, but adware can also create security and computing problems for consumers. Often, a user has not consciously consented to the profiteering resulting from their personal information. The notification of the program's intent may be hidden deep in a lengthy EULA [End User License Agreement]. Adware can create a logjam [in users'] computing resources, resulting in significantly decreased performance of their systems. And since adware can be uninstalled without the user's knowledge, there typically is no support or upgrades issued. If a user installs new software that conflicts with the adware, a user may not even know the cause of the problem. And adware can have its own security holes, allowing a hacker to gain access to a PC through the program.
That being said, we recognize that some programs that behave as adware may offer a legitimate benefit to a consumer, and they may have intentionally installed the program. We evaluate each software program as appropriate (and upon request), and make our security decisions based upon our findings.
PCW: What are the latest tricks that spyware creators are using?
Freund: Spyware has changed drastically over the last few years. We're talking about both legal and illegal players. They're starting to use a wide variety of tricks that are traditionally more associated with malicious viruses, things like rootkits that put spyware directly in the kernel [of the OS]. This approach is geared not only for getting onto people's machines but staying stuck onto people's machines. Anti-spyware software traditionally would scan your system every day or so and would remove what it found on your machine. [Now] once a piece of spyware has been established on your machine it becomes extremely hard to remove… Spyware creators are modifying executables rapidly. We see instances where they're being updated ten times a day.
PCW: What are the latest technologies and techniques that you, and other antispyware vendors, are using to fight back?
Freund: The key to success in fighting spyware is prevention--not just removal. We have a whole list of behaviors that we consider dangerous. If we see an unknown application and an unknown component, we watch its behavior. Many pieces of spyware monitor what URLs you are going to. We've added what's called an "OS firewall" that monitors that kind of behavior. When we find suspicious behavior, we check with our database. "Do we know these guys?" We then ask the user: "Are you aware of this application?" It catches spyware before it has a chance of establishing itself.
PCW: Who are the biggest culprits?
Freund: There's a very, very strong criminal element creating spyware, but there's a legal element creating adware, which is also pretty daunting. These companies are extremely profitable. They're making millions of dollars of revenue. That's a much, much more formidable enemy than a bunch of people that build a virus in a back room.
PCW: What are the similarities and differences between fighting spyware and fighting viruses?
Freund: I know I'm going to eat my words, but by and large, viruses are relatively harmless because there was no other motivation besides hacking for glory. There have been very destructive viruses, but not that many. If you're writing viruses, you're trying to create as much noise as you can, because you're trying to get your name out there. If you're writing spyware, you're trying to be as quiet as possible. You're trying to slide in under the radar. You see a lot of smaller attacks, but a lot more of them, and a lot more targeted attacks. If you have thousands of smaller attacks, it makes it trickier to stop them.
PCW: Do anti-spyware vendors work together the way antivirus vendors do?
Freund: All of the vendors work together already. Security researchers all exchange samples and technologies. I don't think there's a lack of coordination between the vendors. We're all trying to build the best possible product.
PCW: Do anti-spyware vendors use the same nomenclature that antivirus companies do?
Freund: We see the spyware vendors making minor changes to their software very, very often to avoid detection. In our virus database, we used to have a lot of polymorphic viruses. That has kind of died out. The spyware [developer community] is picking up on a lot of these tricks. When the thing changes every hour or so, it's hard to agree on a name. In many cases, we don't care what it's called, we just stop it. One of the issues we run into is [a] gray zone: [spyware or adware that] has some useful features but also carries this whole payload that's designed to steal your data.
PCW: Some well-known companies are affiliated with companies distributing if not spyware at least adware. How responsible are they?
Freund: A long list of very reputable companies [is] actually using adware and spyware as an advertising medium. One of the things I would love to see is that large-budget advertisers stop using that as a medium. I think that advertising approach is irresponsible. There are enough legitimate ways on the Internet to use your ad dollars [that] you don't have to use these forums. It does fuel significantly the industry… I wish there were a code of conduct for adware that we just don't support [it] even though it might not be illegal.
PCW: What's the future of the fight against spyware?
Freund: You have to really differentiate between the legal side and the illegal side. The legal side, through a combination of [business community] consensus and defense mechanisms, will go away. There are just better ways of making a living than tracking unsuspecting users and hiding things in fine print. I find it a very appalling business model.
On the illegal side, we'll find many more [players]. Frankly, as more and more of the economy is accessible over the Internet, you will see more and more resources shift to online white-collar crime. Trojan horses, spyware, and other malicious code will be the primary means of attack. There are offshore companies spying on each other using Trojan horses and spying on journalists covering them. There will be a lot more attacks but they will be less visible. You'll see fewer headlines but more insidious danger.
So long as you see a big headline, people get their defenses up. As it becomes more and more of a daily crime in thousands of smaller cases, journalists are going to take their eyes off it. I think we have to do a lot more to promote public awareness.