Spyware


Strictly defined, spyware is computer software that gathers information about a computer user without the user’s knowledge or informed consent, and then transmits this information to an organisation that expects to be able to profit from it in some way. Data-collecting programs installed with the user’s knowledge are not, properly speaking, spyware, if the user fully understands what data is being collected and with whom it is being shared.

More broadly, the term spyware is applied to a wide range of related malware products which are not spyware in the strict sense. These products perform many different functions, including the delivery of unrequested advertising (pop-ups in particular), harvesting private information, re-routing page requests to illegally claim commercial site referral fees, and installing stealth phone diallers.

Spyware and viruses

Spyware is very similar to a virus, but clearly distinct. In both cases, the program is installed without the user’s knowledge or consent. In both cases, system instability is a common result.

A virus, however, is self-replicating: it spreads copies of itself to other computers if it can. Spyware generally is not self-replicating. Where a virus relies on users with poor security habits in order to spread, and spreads as far as possible in an unobtrusive way (in order not to be detected and removed), spyware usually relies on persuading ignorant or credulous users to download and install it by offering some kind of bait. One typical spyware program targeted at children, for example, claims that:

He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you’ve ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he’s FREE!

In reality, it installs itself in such a way that it starts up every time the computer starts up (using CPU cycles and RAM, and reducing stability), and runs at all times, monitoring Internet usage and delivering targeted advertising to the child.

A virus generally aims to carry a payload of some kind: in other words, to do some damage to the user’s system (such as, for example, delete certain files). The damage caused by spyware, in contrast, is usually incidental to the primary function of the program. Spyware generally does not damage the user’s data files; indeed (apart from the intentional privacy invasion and bandwidth theft), the overwhelming majority of the harm inflicted by spyware is simply an unintended by-product of the data-gathering or other primary purpose.

A virus does deliberate damage (to system software, or data, or both); spyware does accidental damage (usually only to the system software). In general, neither one can damage the computer hardware itself. Certain special circumstances aside, the worst-case outcome is a need to reformat the hard drive, reinstall the operating software, and restore from backups. The cost to have this done professionally is typically well over £100. The cost of lost time and productivity can be much higher than this. It is not uncommon for the owner of a badly spyware-infected system to purchase an entire new computer in the belief that the existing system “has become too slow.”

Consequences

Unprotected Windows-based computers, particularly those used by children or credulous adults, can rapidly accumulate a great many spyware components; several hundred individual instances is common. The consequences of a moderate to severe spyware infection (privacy issues aside) generally include a substantial loss of system performance (over 50% in severe cases), and major stability issues (crashes and hangs). Difficulty connecting to the Internet is another common symptom.

Spyware infection is now (as of 2004) responsible for more visits to professional computer repairers than any other single cause. In more than half of these cases, the user is unaware of the spyware problem and initially assumes that the system performance, stability, and/or connectivity issues are related to hardware, Windows installation problems, or a virus.

Some spyware products have additional consequences. Dialers attempt to connect directly to a particular telephone number rather than to the user’s own ISP: where the number in question is interstate or overseas, this can result in massive telephone bills which the user has no choice but to pay. To compound matters, some telephone companies have taken advantage of the situation by charging more for dialing the locations where these scams originate. Eircom, the former state telecom operator in Ireland, has placed a number of small Pacific islands (where the scams originate) in a special $6/min tariff band. Unlike the band of special premium rate numbers, telephone subscribers cannot block these numbers.

Installation

Spyware is normally installed through one of two common methods. The first is to hide a spyware component within an otherwise apparently useful program. Often, the containing program is made available for download free of charge, so as to encourage wide uptake of the spyware component. The second common method is to take advantage of security flaws in Internet Explorer. Spyware can also be installed on a computer by a virus or an e-mail trojan program, but this is not common.

The HTTP cookie is a well-known mechanism for storing information about an Internet user on their own computer, often used to assign website visitors an individual identification number for subsequent recognition. However, the existence of cookies and their use is generally not concealed from users, who can also disallow access to cookie information. Nevertheless, to the extent that a Web site uses a cookie identifier to build a profile about the user, who does not know what information is added to this profile, the cookie mechanism could be considered a form of spyware. For example, a search engine website could assign a user an individual ID the first time he visits and store all search terms in a database with this ID as a key on all subsequent visits (until the cookie expires or is deleted). This data could be used to select advertisements to display to that user, or could legally or illegally be transmitted to third parties.
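An added example (not part of the original article): the Python sketch below audits Set-Cookie headers for the kind of long-lived, per-visitor identifier described above, and leaves session cookies and simple preference cookies alone. The hosts, cookie values and the three thresholds are assumptions made for illustration.

```python
import math
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MIN_DAYS = 30        # assumed threshold: outlives a normal browsing session
MIN_LEN = 16         # assumed: long enough to be unique per visitor
MIN_ENTROPY = 3.0    # assumed: bits per character; rules out words and flags

def entropy(s):
    """Shannon entropy of the string in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def lifetime_days(attrs, now):
    """Days until expiry, or None for a session cookie. Max-Age wins over Expires."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) / 86400
        if "expires" in attrs:
            return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    except (TypeError, ValueError):
        pass  # unparseable lifetime: treated here as a session cookie
    return None

def audit(observed, now):
    """Return (host, cookie name, whole days) for each persistent identifier cookie."""
    findings = []
    for host, header in observed:
        pair, *rest = [p.strip() for p in header.split(";")]
        name, _, value = pair.partition("=")
        attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
        days = lifetime_days(attrs, now)
        if (days is not None and days >= MIN_DAYS
                and len(value) >= MIN_LEN and entropy(value) >= MIN_ENTROPY):
            findings.append((host, name, int(days)))
    return findings

# Constructed Set-Cookie headers (hosts and values are made up for illustration).
SAMPLE = [
    ("search.example", "uid=9f2c4e7a1b3d5f6081a2c4e6b8d0f123; Max-Age=63072000; Path=/"),
    ("shop.example", "sessionid=ab12cd34ef56ab78cd90ef12ab34cd56; Path=/; HttpOnly"),
    ("news.example", "lang=en-GB; Max-Age=31536000"),
    ("ads.example", "id=Zk3Qw8LmT1xR7vNc2BhY5sDp; Expires=Tue, 01 Jan 2030 00:00:00 GMT"),
]

if __name__ == "__main__":
    for host, name, days in audit(SAMPLE, datetime(2004, 6, 1, tzinfo=timezone.utc)):
        print(f"{host}: cookie '{name}' is a persistent identifier ({days} days)")
```

Only the "uid" and "id" cookies are reported: the session cookie has no lifetime attribute, and the language preference is long-lived but carries no unique value.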

Another cause is granting permission for web-based applications to integrate into your system. These browser helper objects embed themselves as part of your web browser.

Spyware is usually installed by some stealthy means. If you read the user agreements for the software you download and install, you will find references (sometimes vague) to allowing the company that issues the software to record your Internet usage and website surfing. Some software vendors allow you to buy the same product without this overhead.

Neglect is an additional cause. Use of automatic updates, antivirus, and other software upgrades will protect your system. Software bugs and exploits remain in older software, and the public is more aware of how to use them to invade your system.

Spyware Categories

Here are some brief explanations of what types of spyware are out there and what they set out to do:

Adware

Explanation: Program that creates advertisements on your PC.

Note that many websites have their own advertising, unrelated to adware.

Official definition:
“Adware is any software application in which advertising banners are displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen. The justification for adware is that it helps recover programming development cost and helps to hold down the cost for the user.
Adware has been criticised for occasionally including code that tracks a user’s personal information and passes it on to third parties, without the user’s authorisation or knowledge.”

Browser Hijacker

Explanation: Program that changes some settings in your browser.

Commonly:
– Changing your “search” page to pass all searches to a certain pay-per-search site
– Changing your default home page to the company page (most often porn sites)
– Transmitting URLs viewed to the company server

Browser Helper Object (BHO)

Explanation: This category contains mostly dubious browser plugins such as “Search Assistants”, toolbars etc. that have been known to transmit user data to their creators.

Commercial Keylogger

Explanation: Program designed to monitor user activity. May be used with or without consent.

Because it is sold commercially, most anti-virus vendors do not detect it.

Commercial Network Management Tool

Explanation: Tools of this kind are mostly used in (large) corporations. They can log network traffic passively (sniffing) or examine the logs of proxies etc. Nothing is installed on the individual computers; the software runs on a central server. They can only log things that pass through the network, not local things like entered passwords, keystrokes or screenshots.

Dialer

Explanation: A program that (secretly) changes your dialup connection setting so that instead of calling your local internet provider, your PC calls some very expensive 0900 or international phone number without your knowledge or permission.

Generic Malware

Explanation: Generic category for all unwanted software that secretly executes unwanted actions.

Remote Administration Tool

Explanation: A tool that is intended to be used by network administrators to remotely control a PC on the network, usually for support or inventory purposes.

Due to the nature of the program, it can be exploited for spying purposes.

Trojan

Explanation: A hacker tool that is secretly installed on your PC and that allows the attacker to get almost complete control over your computer.

Virus

Explanation: Malware that spreads itself automatically by infecting other files on your PC.

Official description:
“Software which attaches to other software. A boot virus inserts its code into the boot record or master boot record of a disk, so that when the machine boots from that disk, the virus code is executed. A file virus inserts its code into an executable file, so that when that file is executed, the virus is executed as well. A macro virus attaches itself to documents like Word or Excel.”

Worm

Explanation: Virus-like program that spreads automatically to other computers, by sending itself out by email or by any other means.

Official description:
“A program that propagates itself by attacking other machines and copying itself to them. Both worms and viruses are self-replicating code that travels from machine to machine by various means. Both worms and viruses have, as their first objective, merely propagation. Both can be destructive, depending on what payload, if any, they have been given. But there are some differences: worms may replace files, but do not insert themselves into files. In contrast, viruses insert themselves in files, but do not replace them.”

“Spyware” Wikipedia: The Free Encyclopedia.