Spyware - Definition

Strictly defined, spyware consists of computer software that gathers and reports information about a computer user without the user's knowledge or consent. More broadly, the term spyware can refer to a wide range of related malware products which fall outside the strict definition of spyware. These products perform many different functions, including the delivery of unrequested advertising (pop-up ads in particular), harvesting private information, re-routing page requests to illegally claim commercial site referral fees, and installing stealth phone dialers.

Spyware as a category overlaps with adware. The more unethical forms of adware tend to coalesce with spyware. Malware uses spyware for explicitly illegal purposes. Exceptionally, many web browser toolbars may count as spyware.

Data collecting programs installed with the user's knowledge do not, technically speaking, constitute spyware, provided the user fully understands what data they collect and with whom they share it. However, a growing number of legitimate software titles install secondary programs to collect data or distribute advertisement content without properly informing the user about the real nature of those programs. These barnacles can drastically impair system performance, and frequently abuse network resources. In addition to slowing down throughput, they are often have design features making them difficult or impossible to remove from the system.

The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model. Spyware later came to refer to espionage equipment such as tiny cameras. However, in 1999 Zone Labs used the term when they made a press release for the Zone Alarm Personal Firewall. Since then, computer users have used the term in its current sense. 1999 also saw the introduction of the first popular freeware program to include built-in spyware: a humorous and popular game called "Elf Bowling" spread across the Internet in November of 1999, and many users were surprised to learn that the program actually transmitted user information back to the game's creator, Nsoft. For many Internet users, this was their first experience with spyware.

In 2000 Steve Gibson of Gibson Research released the first ever anti-spyware program, OptOut, in response to the growth of spyware, and many more software antidotes have appeared since then. More recently Microsoft (http://www.microsoft.com) has released anti spyware program and the International Charter now offers software developers a Spyware Free Certification (http://www.icharter.org/certification/software/spyware_free/index.html) programme.

According to a study by the National Cyber-Security Alliance, 80% of home PCs are infested with spyware [[1] (http://www.net-security.org/press.php?id=1973)].

Spyware and viruses

Spyware can closely resemble computer viruses, but with some important differences. Many spyware programs install without the user's knowledge or consent. In both cases, system instability commonly results.

A virus, however, replicates itself: it spreads copies of itself to other computers if it can. Spyware generally does not self-replicate. Whereas a virus relies on users with poor security habits in order to spread, and spreads so far as possible in an unobtrusive way (in order to avoid detection and removal), spyware usually relies on persuading ignorant or credulous users to download and install itself by offering some kind of bait. For example, One typical spyware program targeted at children, Bonzi Buddy, claims that:

He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE! [2] (http://www.bonzi.com/bonzibuddy/bonzimail.asp)

A typical piece of spyware installs itself in such a way that it starts every time the computer boots up (using CPU cycles and RAM, and reducing stability), and runs at all times, monitoring Internet usage and delivering targeted advertising to the affected system. It does not, however, attempt to replicate onto other computers — it functions as a parasite but not as an infection. [3] (http://www.spywareguide.com/product_show.php?id=512)

A virus generally aims to carry a payload of some kind. This may do some damage to the user's system (such as, for example, deleting certain files), may make the machine vulnerable to further attacks by opening up a "back door", or may put the machine under the control of malicious third parties for the purposes of spamming or denial-of-service attacks. The virus will in almost every case also seek to replicate itself onto other computers. In other words, it functions not only as a parasite, but as an infection as well.

The damage caused by spyware, in contrast, usually occurs incidentally to the primary function of the program. Spyware generally does not damage the user's data files; indeed (apart from the intentional privacy invasion and bandwidth theft), the overwhelming majority of the harm inflicted by spyware comes about simply as an unintended by-product of the data-gathering or other primary purpose.

A virus does deliberate damage (to system software, or data, or both); spyware does accidental damage (usually only to the system software). In general, neither one can damage the computer hardware itself (but see CIH virus). Certain special circumstances aside, in the worst case the user will need to reformat the hard drive, reinstall the operating system and restore from backups. This can prove expensive in terms of repair costs, lost time and productivity. Instances have occurred of owners of badly spyware-infected systems purchasing entire new computers in the belief that an existing system "has become too slow."

Consequences

Unprotected Windows-based computers, particularly those used by children or credulous adults, can rapidly accumulate a great many spyware components. The consequences of a moderate to severe spyware infection (privacy issues aside) generally include a substantial loss of system performance (over 50% in extreme cases), and major stability issues (crashes and hangs). Difficulty in connecting to the Internet also commonly occurs as some spyware (perhaps inadvertently) modifies the DLLs needed for connectivity.

As of 2004, spyware infection causes more visits to professional computer repairers than any other single cause. In more than half of these cases, the user has no awareness of spyware and initially assumes that the system performance, stability, and/or connectivity issues relate to hardware, Windows installation problems, or a virus. (On the other hand, older versions of Windows itself, as well as CPU undercooling, can manifest spyware-like symptoms, specifically including instability or slowness.)

Some spyware products have additional consequences. Stealth dialers attempt to connect directly to a particular telephone number rather than to the user's own ISP: where connecting to the number in question involves long-distance or overseas charges, this can result in massive telephone bills which the user has no choice but to pay.

A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware" — spyware applications that redirect affiliate links to major online merchants such as eBay and Dell, effectively hijacking the commissions that the affiliates would have expected to earn in the process. [4] (http://www.benedelman.org/spyware/180-affiliates/)

Some other types of spyware (Targetsoft, for example) even go to the extent of modifying system files to make themselves harder to remove. (Targetsoft modifies the Winsock (Windows Sockets) files. The deletion of the spyware-infested file inetadpt.dll will result in interrupting normal networking usage.)

Installation

Spyware normally installs itself through one of three methods:

1. The spyware component comes bundled with an otherwise apparently useful program. The makers of such packages usually make them available for download free of charge, so as to encourage wide uptake of the spyware component. This applies especially with file-sharing clients such as Kazaa and earlier versions of Bearshare. (To address this concern and to discourage the U.S. Congress from regulating the P2P "industry", P2P United formed to promise informed consent and easy removal. Kazaa does not form part of P2P United. -- Note furthermore that anti-spyware removers generally do not remove spyware applications from their databases because of such changes. (Lavasoft has come under criticism from some on its support forums for reaching agreements with former vendors of spyware to be removed from their database. Lavasoft representatives say they remove spyware if it no longer meets their inclusion criteria.)
2. The spyware takes advantage of security flaws in Internet Explorer.
3. Internet Explorer can also install spyware on your computer either via a drive-by download with or without any prompt. A drive-by download takes advantage of easy installation via an ActiveX control (or several ActiveX components) with or without a prompt, depending on security settings within Internet Explorer.

Spyware can also install itself on a computer via a virus or an e-mail trojan program, but this does not commonly occur.

An HTTP cookie, a well-known mechanism for storing information about Internet users on their own computers, often stores an individual identification number for subsequent recognition of a website visitor. However, the existence of cookies and their use generally does not hide from users, who can also disallow access to cookie information. Nevertheless, to the extent that a Web site uses a cookie identifier (ID) to build a profile about the user, who does not know what information accumulates in this profile, the cookie mechanism could count as a form of spyware. For example, a search engine website could assign an individual ID code to a user the first time he or she visits and store all search terms in a database with this ID as a key on all subsequent visits (until the expiry or deletion of the cookie). The search engine could use this data to select advertisements to display to that user, or could — legally or illegally — transmit derived information to third parties.

Granting permission for web-based applications to integrate into one's system can also load spyware. These browser helper objects — known as Browser Hijackers — embed themselves as part of a web browser.

Spyware usually installs itself by some stealthy means. User agreements for software may make references (sometimes vague) to allowing the issuing company of the software to record users' Internet usage and website surfing. Some software vendors allow the option of buying the same product without this overhead.

Solutions

Use of automatic updates (on Windows systems), antivirus, and other software upgrades will help to protect systems. Software bugs and exploits remaining in older software leave computers vulnerable, because malfactors rapidly learn how to exploit unpatched systems.

A number of software applications exist to help computer users search for and remove spyware programs. (See sections Spyware Removal Programs and External Links.) Some programs purge a system of spyware, only to install their own.

As some spyware takes advantages of Internet Explorer vulnerabilities, using a less vulnerable browser, such as Mozilla Firefox or Opera, may also help.

Disabling ActiveX in Internet Explorer also prevents some infections, however websites using ActiveX will not work in this case.

Currently-known spyware does not target non-Windows systems, such as those running Mac OS or Linux. However, browser cookies can attack such systems.

Known spyware

The following (incomplete) list of spyware programs classifies them by their effects:

Generating pop-ups:

• 180 Solutions
• DirectRevenue
• lop (advertising, pop ups, security risk, tries to dial out at random)

Generating pop-ups, damaging and/or slowing computers:

• Bonzi Buddy
• Cydoor
• Gator, made by the Claria Corporation (Advertising, pop ups, privacy violation, significant security risk, partially disables firewalls, some stability issues. Gator has a reputation as difficult to remove once installed.)
• New.net (security risk, stability issues, common cause of inability to connect)
• ShopAtHomeSelect

Hijacking browsers:

• CoolWebSearch - most well-known browser hijacker
• Euniverse
• Xupiter

Committing fraud:

• XXXDial

Stealing information:

• Back Orifice (arguably better categorized as a Trojan Horse, since its open source code militates against secrecy and -- unlike most spyware -- it has no commercial motive. Also has legitimate uses such as remote administration.)
• VX2

Masquerading as a spyware-remover:

• Spyware Nuker

Miscellaneous:

• Internet Optimizer (Advertising, fake alert messages, possible privacy violation, security risk)
• MarketScore (Claims to speed up Internet connections: serious privacy violation, loss of Internet connection on some systems)
• CnsMin (Made in China; privacy violation. Preset in many Japanese PCs as JWord!)

Known programs bundling adware

• Kazaa
• DivX (except for the paid version, and the 'standard' version without the encoder)

Spyware removal programs

• Ad-aware
• Microsoft AntiSpyware (as of January 2005, in beta phase) [5] (http://www.microsoft.com/spyware)
• HijackThis [6] (http://www.merijn.org/) - checks for and fixes browser hijacking
• PestPatrol [7] (http://www.pestpatrol.com/)
• Spybot - Search & Destroy
• SpyKiller [8] (http://www.spykiller.com)
• Spy Sweeper
• Spy Subtract [9] (http://intermute.com)

See also

• Adware
• Computer barnacle
• Exploit
• Keystroke logging
• Malware
• Stopping e-mail abuse

External links

Removal

• Spyware/AdWare/Malware FAQ and Removal Guide (http://www.io.com/~cwagner/spyware/).
• doxdesk.com parasite database (http://www.doxdesk.com/parasite/) — Removal instructions for most common spyware/adware/malware parasites.
• Ad-Aware (http://www.lavasoft.de) — a well-known anti-spyware package.
• Spybot - Search & Destroy (http://www.safer-networking.org/index.php?page=spybotsd) — well-regarded removal tools.
• MacScan (http://macscan.securemac.com) — detects and removes spyware in the Macintosh environment. (Download currently disabled pending the release of an update.)
• Merijn.org (http://merijn.org) (mirrors: 1 (http://spywareinfo.com/~merijn) 2 (http://209.133.47.200/~merijn/) 3 (http://ftp.officefive.org.uk/sites/www.spywareinfo.com/~merijn/) 4 (http://www.richardthelionhearted.com/~merijn)) — offers utilities to remove several spyware problems which Ad-Aware or Spybot Search & Destroy cannot currently fix.
• Bleeping Computer Spyware Removal Tutorials (http://www.bleepingcomputer.com/forums/tutecat38.html) — tutorials for HijackThis, Spybot, and Ad-Aware.
• Remove Spyware and Adware (http://www.2-spyware.com) — resource page with help tips, spyware and adware removal tools.
• Spywareinfo Forums (http://forums.spywareinfo.com/index.php) — help for removing adware, spyware and malware.
• Spyware Removal (http://www.spywareremove.com) — Weblog on Spyware removal, has good info on Spyware Phishing, and includes free downloads for Spyware Prevention software
• Computer Security (http://www.boredguru.com/modules/articles/index.php?storytopic=16) — Tips and tricks for manually removing common trojans, adware and spyware.
• Spyware Guide (http://www.spywareguide.com/) (free online removal)

Prevention

• Financial investors who support spyware (http://www.benedelman.org/spyware/investors/) A list of investment firms which support large scale spyware companies.
• Spyware Guide (http://www.pcreview.co.uk/article-7086.php) How to prevent Spyware and Adware, and a guide to removing it should the worst happen.
• How to Find, Remove and Prevent Spyware, Internet Intruders, and Pop-Ups (http://chinese-school.netfirms.com/computer-article-spyware-pop-ups.html).
• Easy Security (http://www.adorons.com/download_adorons_toolbar.html) Free tool that blocks drive by downloads and Active X installations.
• Encyclopedia of Spyware parasites (http://www.2-spyware.com). Prevention and removal instructions included.
• SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) — software that prevents the installation of ActiveX-based spyware.
• ThreatSense (http://www.threatsense.com) — An information services company which compiles data about the business entities and individuals behind spyware threats and engages end-users in discussion about future threats. See ThreatSense's "Contract With Internet Users".
• SpywareInfo (http://www.spywareinfo.org) — a site that has many articles on spyware along with a weekly newsletter providing up-to-date information.
• Dealing with unwanted spyware and parasites (http://mvps.org/winhelp2002/unwanted.htm).
• Tutorial on Internet safety (http://www.bleepingcomputer.com/forums/tutorial82.html)
• The Spyware Inferno (http://news.com.com/2010-1032-5307831.html) - article on the rise of spyware, with a hierarchical list of different kinds of spyware based on levels of danger.
• Spyware informaton, cleaning and database (http://spywareinfo.surasoft.com) - Spyware information and searchable database.
• Spybot Search & Destroy (http://ejrs.com/spybot).
• How to avoid and remove Spyware (http://www.dehumanizer.com/wiki/index.php/How_to_avoid_and_remove_Spyware) - short article on prevention and removal