The indictment from a federal grand jury in Seattle also accused Christopher Maxwell, 20, and two unidentified conspirators of crippling Seattle's Northwest Hospital with a 'botnet' attack in January 2005.
Authorities said the hospital attack caused $150,000 in damages, shut down the intensive care unit, and disabled doctors' pagers.
If he is convicted, Maxwell will face a maximum of 10 years in prison and a $250,000 fine.
Reuters quoted the following statement by U.S. Attorney John McKay: 'Some people consider botnets a mere annoyance or inconvenience for consumers, but they are highly destructive. In this case, the impact of the botnet could have been deadly.'
Let there be no misunderstanding: adware and spyware are among the fastest-growing risks to consumers and organizations today. This article looks at recent developments in adware and spyware, as well as recommended steps to reduce the risks posed by these programs.
Growing volumes
While adware and spyware are not categorized as malicious code, Symantec monitors them using many of the same methods used for tracking malicious code development and proliferation. This involves an ongoing analysis of reports and data delivered from over 120 million client, server, and gateway email systems, as well as filtration of 25 million email messages per day. Symantec then compiles the most common reports and analyzes them to determine the appropriate categorization.
Adware programs enable the delivery and display of advertising content onto the user's device. This may be done without the user's prior consent or knowledge. It is often, but not always, presented in the form of pop-up windows or bars that appear on the screen.
Adware isn't always a security risk. In some cases, it simply delivers an advertising message to the user's screen. But depending upon its functionality and the context in which it is deployed, adware can constitute a security risk.
According to the latest edition of the Symantec Internet Security Threat Report, during the first six months of 2005, the prevalence of adware increased dramatically over the two previous reporting periods. Between January 1 and June 30, 2004, adware comprised 4 percent of the top 50 programs reported to Symantec. In the second half of 2004, it made up 5 percent of the top 50 programs. Between January 1 and June 30, 2005, however, it made up 8 percent of the top 50 reported programs.
For their part, spyware programs can secretly monitor system activity and either relay the information back to another computer or hold it for subsequent retrieval. In some cases, spyware is used by organizations to monitor Internet usage or by parents to monitor their children's Internet usage. Spyware can be surreptitiously placed on users' systems in order to gather confidential information such as usernames, passwords, banking information, and credit card details. This can be done through keystroke logging and by capturing email and instant messaging traffic.
Spyware is one of the fastest-growing risks, increasing at an estimated rate of 50 to 100 percent year over year, according to some security experts.
The chief offenders
The most frequently reported adware program between January 1 and June 30, 2005 was ShopAtHomeAgent, which accounted for 19 percent of the top 10 adware programs reported. It downloads and displays advertisements; however, it may also redirect access to certain Web sites through www.shopathomeselect.com.
The second most common adware program in this period was Istbar, which accounted for 14 percent of the top 10 reports. Istbar is a family of adware programs that install via an Internet Explorer toolbar, often using aggressive, persistent techniques.
CoolWebSearch was the third most commonly reported adware, making up just over 13 percent of the top 10 reports. CoolWebSearch is a large family of security risk programs that can be manually installed or bundled with another program. The programs have been observed hijacking searches, which are then redirected to the CoolWebSearch Web site or an affiliate.
Turning to spyware, Webhancer was the most reported program in the first six months of 2005, accounting for 29 percent of the top 10 spyware programs reported overall. (It was also the most reported spyware program in 2004.) Webhancer monitors the user's browsing habits, sending the information back to its centralized servers. While the program includes an End User Licensing Agreement (or EULA), it is also capable of updating itself from servers. This means that updated versions may contain additional functionality that the user may not have agreed to as part of the original EULA.
Apropos was the second most reported spyware program in this period, making up 27 percent of the top 10 spyware reports. An Internet Explorer browser helper object (or BHO) installed by an ActiveX control, Apropos installs a toolbar that links to Web sites and sends information back to its server.
The third most reported spyware program, Marketscore, is a new addition to the top 10, making up 19 percent of the top 10 reported spyware programs. When Marketscore is installed on a computer, it starts a proxy service. Once this service has executed, all of the system's Internet connections will be routed through Marketscore's proxy, called OSSProxy.
Of the top 10 adware programs reported in the first six months of 2005, five hijacked browsers. During this same period, two spyware programs performed this function.
Prevention and mitigation
Because adware and spyware can be placed on a user's computer by exploiting software vulnerabilities, Symantec recommends that users update their antivirus software regularly. Security administrators should also take extra measures to ensure that patch levels on all computers are up-to-date. Users and administrators should employ defense in depth, which means deploying a properly configured firewall and integrated antivirus and intrusion detection systems. In addition, users should exercise caution when installing any software through a Web browser and avoid downloading any software from sources that are not known and trusted.
Besides the deployment of defense in depth, Symantec recommends that acceptable usage policies be put in place and enforced. System administrators should regularly audit systems to ensure that no unauthorized software is installed on them. In all cases, administrators and end users should read the EULAs of all software programs before agreeing to their conditions.
Security risks such as adware and spyware have the potential to compromise users' personal information and privacy, and their prevalence is increasing globally. Enterprises should consider an approach that detects these risks in a way that is non-intrusive, allowing users to make informed decisions based upon their own level of acceptable risk.
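One way to carry out the audit recommended above for the two behaviors this article describes, browser helper objects and proxy redirection, is to compare a registry export against an approved baseline. This is an added example, not Symantec's code; the registry paths are the standard Windows locations, while every CLSID, proxy address, and the sample export are constructed for illustration.

```python
# Standard Windows registry locations; all CLSIDs and proxy values below are constructed.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed sample in `reg export` text form (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]
@="Example Toolbar Helper"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"
'''

def parse_reg(text):
    """Parse .reg text into {lowercased_key_path: {value_name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            current[name.strip('"')] = raw.strip('"')
    return keys

def audit(text, allowed_bhos, allowed_proxies):
    """Return findings for BHOs and proxy settings outside the approved baseline."""
    keys, findings = parse_reg(text), []
    prefix = BHO_KEY.lower() + "\\"
    for path in keys:
        if path.startswith(prefix):
            clsid = path[len(prefix):].upper()
            if clsid not in allowed_bhos:
                findings.append(("unapproved_bho", clsid))
    inet = keys.get(INET_KEY.lower(), {})
    enabled = inet.get("ProxyEnable", "dword:00000000") != "dword:00000000"
    proxy = inet.get("ProxyServer", "")
    if enabled and proxy not in allowed_proxies:
        findings.append(("unapproved_proxy", proxy))
    return findings

if __name__ == "__main__":
    baseline = {"{11111111-1111-1111-1111-111111111111}"}
    for kind, value in audit(SAMPLE_EXPORT, baseline, {"proxy.corp.example:3128"}):
        print(kind, value)
```

Real exports written by `reg export` are UTF-16 encoded, so decode the file before passing its text to `audit`.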