The spyware problem has gotten so bad, experts said at the recent Black Hat 2006 that it is unlikely it can ever be solved on a technical level. Instead, the solution will have to come from regulators and law enforcement agencies.
"It's not technically feasible to stop spyware. You will not be able to stop this technically "This problem lives at the legal-technical boundary. We can't go around arresting people," said Dan Kaminsky, senior security researcher and founder of Doxpara Research, speaking on a spyware panel at Black Hat USA 2006 . "We need to create standards that clearly delineate legitimate code from illegitimate code where you throw people in jail."
In a number of recent surveys involving spyware, administrators have listed it as their top security concern. Trojans, keyloggers and other stealthy malicious programs have replaced mail-borne viruses and worms as the weapons of choice for attackers looking to plant their wares on thousands or millions of machines.
Antispyware vendor Webroot Software compiles quarterly statistics on the spread of spyware, and its latest figures, which are due to be published later this month, show that about 31% of PCs unknowingly contain at least one Trojan.
The U.S. Department of Justice, Federal Trade Commission and a host of industry coalitions have made stopping spyware a top priority, but their efforts have met with limited success.
Eileen Harrington, a deputy director in the FTC's Consumer Protection Bureau, said her commission is hamstrung by statutory limitations in its efforts to stop spyware distribution. She said the FTC is working to get broader authority, especially in regard to investigations that cross international boundaries.
"It sounds lame to sit up here and say there's only so much we can do, but it's true," Harrington said. "We all know saying, 'Don't do that anymore' in a civil action isn't that effective. It's very tough under the law to get financial remedies. We're pushing for new statutory authority to help us do our job internationally."
Harrington also said a recent appeals court decision that set forth strict guidelines on how and when the FTC can force organisations to surrender ill-gotten money could seriously harm the commission's ability to win judgments against spyware distributors.
"The effect of the decision has been troubling to us because we'd have to name every single affiliate [in a spyware distribution network] and trace every dime," she said. "Needless to say, we don't necessarily agree with the court's decision."
She added, however, that the FTC does have a large settlement with a spyware distributor in the works that will require the company to pay back all of the money it made through spyware.
In the meantime, spyware distributors are becoming more creative and devious. Stealthy malware that hides its presence on machines and collects confidential data is now the norm, the panelists said.
"We're seeing a huge increase in the usage of rootkits and custom packing and encryption algorithms," said Gerhard Eschelbeck, CTO and senior vice president of engineering at Webroot.
Kaminsky suggested that a modified form of whitelisting could hold some promise for preventing spyware infections.
Implementing such an approach is a tough task, however. Defining good and bad programs through their behaviour is extremely difficult, given that some legitimate applications can exhibit rootkit-like behavior on occasion, and vice versa, the panelists said.
"The challenge is how you manage your whitelist," Eschelbeck said.