Is Any Anti-Spyware Enough?

Network administrators are a generally conscientious and careful
bunch. Their home PCs, for example, are likely to be well protected
against almost every type of threat conceivable, from hackers to
viruses to adware to spyware. They most likely avoid infection by these
threats through prudent downloading, frequent definition updates, and
scheduled scans. But are the systems on the networks they administer as
well protected? Current opinion would suggest not.

Although spyware is often used as a single term to describe both
adware and spyware, it is worth knowing the difference between the two.
Adware refers to applications that facilitate the display of advertising
information on your system, and may include the obvious, like pop-up
ads, to the less obvious, such as browser search bar hijacking. Adware
watches your browsing preferences and activities, and points you in the
direction of sites that match. Likewise it shows you ads that it
believes will appeal to your interests.

Spyware, or more accurately system monitoring software, presents a
very different set of threats and associated risks. Spyware is software
that is capable of recording and transmitting information from
keystrokes such as passwords and user IDs. In addition, some spyware
software can make it possible for a remote user to access your system
across the Internet. Either of these scenarios is enough to give even
the most seasoned network administrator nightmares.

If you think your network is safe from either spyware or adware, the
chances are you are wrong, says Richard Stiennon, VP of Threat Research
at Webroot, one of a growing legion of companies producing anti-spyware
software. “We estimate that somewhere between 20 percent and 50 percent
of Internet-borne network traffic is created by spyware or adware.”
Research by Webroot also reveals that 80 percent of systems on
corporate networks have adware installed on them, and more alarmingly,
15 percent have system monitoring software running in the background.
“Adware is a headache as it leads to poor performance or system
crashes,” says Stiennon, “but system monitors represent a very real
security issue as they record user interactions such as keystrokes and
web cam traffic.”

Stiennon is not alone in his estimates of the depth of adware and
spyware penetration. A spokesperson for Microsoft told us the
company believes spyware to be directly responsible for more than a
third of application crashes reported to its support staff, and that
spyware and adware may be linked to as many as half the crashes
its customers experience.

Unlike viruses, which try to trick you into opening a file or
installing an application in order to infect your system, a great deal
of spyware and adware takes a more straightforward approach: it simply
asks for your permission. Each time you install an application, or
allow an ActiveX object to run from a Web page, you open the door for
spyware or adware to be installed. Of course, installing applications or
viewing Web pages from known safe sources represents a very low level
of risk. But other downloads, like small utilities from largely unknown
software companies, or active content from a Web site, can be another
matter entirely.

Once installed, there is little you can do to prevent one piece of
spyware or adware from inviting other pieces of spyware to install
themselves as well, and so on, in an ever-increasing cycle.

Like a virus, spyware or adware is an unwanted visitor that can
realistically be of no good use. Unlike viruses, however, which often
seek to destroy, disable or decommission your PC, spyware or adware is
more than happy to let your PC continue to run as well as it possibly
can. A PC that is running allows ads to be displayed, or information to
be collected. A system that is not running is of no use to spyware or
adware pushers.

The problems created by spyware and adware are many and varied. Both
threats use valuable processing power, hog bandwidth on your network
connection, and can cause your PC to crash. On a home system, apart
from the very obvious and frightening personal privacy considerations,
these problems can be at best extremely annoying. On a corporate
network, where the problem is magnified in direct proportion to the
number of PCs, and the privacy considerations are arguably even more
sensitive, spyware and adware present perhaps the single most
significant threat to productivity and security since the advent of
hacking or viruses.

Another problem with spyware and adware is that the processes
developed to combat them are still in their relative infancy. Although
companies like Webroot, Tenebril, Microsoft, and a host of others are
working to produce more effective spyware and adware screening systems
with an increasing level of success, the nature of spyware and the
companies that make money from it are proving tough nuts to crack.

Unlike viruses, which are nearly always the malicious prank of an
individual with little more to gain than disrupting the status quo,
spyware and adware are the tools of business operations worth tens of
millions of dollars. This financial incentive leads spyware and adware
writers to be extremely resourceful when it comes to ways that they can
circumvent commonly deployed protective measures.

As for the traditional mainstay of network security, the firewall,
it is of little use when combating spyware or adware, says Chris
Carillo, Founder and Head of Development at Tenebril Inc. “A great deal
of spyware uses TCP/IP port 80 to send and receive information from the
Internet. This means that to block the traffic generated by the spyware
or adware, you would have to prevent Internet browsing from within your
organization.” As you can imagine, this is a step that few
organizations are willing to take.
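Because a port filter sees only “port 80”, separating spyware traffic from legitimate browsing has to look at the requests themselves, for example at who is making them and how regularly. The following is an added example, not code from the article or from Webroot or Tenebril, that runs two such checks over a constructed proxy log; the log format, the hostnames and the assumption that sanctioned browsers identify with a `Mozilla/` User-Agent are all made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: time | client IP | User-Agent | host | path.
# Every line is port-80 traffic, so a port-based rule cannot tell them apart.
SAMPLE_LOG = """\
2005-03-01T09:00:00|10.1.1.5|Mozilla/4.0 (compatible; MSIE 6.0)|www.example.com|/index.html
2005-03-01T09:00:05|10.1.1.5|Mozilla/4.0 (compatible; MSIE 6.0)|www.example.com|/news.html
2005-03-01T09:00:10|10.1.1.5|updater-agent/1.0|stats.adnet.example|/beacon?id=42
2005-03-01T09:10:10|10.1.1.5|updater-agent/1.0|stats.adnet.example|/beacon?id=42
2005-03-01T09:20:10|10.1.1.5|updater-agent/1.0|stats.adnet.example|/beacon?id=42
2005-03-01T09:30:10|10.1.1.5|updater-agent/1.0|stats.adnet.example|/beacon?id=42
2005-03-01T09:03:00|10.1.1.7|Mozilla/4.0 (compatible; MSIE 6.0)|www.example.com|/index.html
"""

BROWSER_UA_PREFIXES = ("Mozilla/",)  # assumption: sanctioned browsers identify this way

def parse(log):
    """Split each log line into a record dict."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, ua, host, path = line.split("|")
        records.append({"time": datetime.fromisoformat(ts), "client": client,
                        "ua": ua, "host": host, "path": path})
    return records

def flag_non_browser(records):
    """The port says 'web browsing'; the User-Agent says something else."""
    return {(r["client"], r["host"]) for r in records
            if not r["ua"].startswith(BROWSER_UA_PREFIXES)}

def flag_beacons(records, min_hits=4, jitter=5):
    """Flag a client/host/path fetched repeatedly at a near-constant interval,
    the 'phone home' pattern a user clicking through pages does not produce."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["client"], r["host"], r["path"])].append(r["time"])
    flagged = set()
    for (client, host, _path), times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:  # all intervals within `jitter` seconds
            flagged.add((client, host))
    return flagged

def suspicious(log):
    """Union of both checks: (client, host) pairs worth a closer look."""
    records = parse(log)
    return flag_non_browser(records) | flag_beacons(records)
```

Either check alone is a heuristic; the point is that both work on request content and timing, which is what the firewall's port rule never sees.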

The big money incentive behind adware and spyware has the companies
that create the software employing some very creative measures to
ensure that their territories, once established, are safe for as long
as possible. This leads to some significant challenges for vendors who
make and market spyware detection systems. Unlike viruses, which have a
single ‘signature’ that makes the malicious code identifiable within a
file before it is downloaded and installed, spyware or adware presents
more of a challenge.

“Many spyware applications rely on a mutation process that changes
the contents of the file, and so makes the common signature matching
processes used by anti-virus applications meaningless. A signature that
matches now may not match in, say, six hours,” says Carillo.

This ability to mutate occurs primarily in one of two ways. Either
the application connects to a site on the Internet from which new
executable code is downloaded, or the application is simply written to
mutate at a given point, such as when a system is restarted.

Although the latest anti-spyware offerings are becoming increasingly
effective at identifying and removing spyware or adware, anti-spyware
authors face an uphill battle when it comes to completely banishing
spyware from a system. The problem, says Carillo, is that anything but a
complete cleansing of spyware from a PC is ineffective. “One piece of
spyware inevitably leads to another, and within as short a period as 24
hours, your PC will have as many infections on it as when you started.
If you don’t remove it all, you may as well not remove any.”