Not all spyware is as harmless as cookies

Ban downloads and implement personal firewalls to protect corporate systems


Trojans, worms and viruses continue to hog the headlines and diligent network managers have powerful firewalling, anti-virus and patch management policies protecting the fortress. But what good is all this if a Trojan can enter through the front gate?

Spyware is any software unwittingly downloaded that gathers information about the user and the network. Sometimes the user pulls in spyware without realising the danger, sometimes it arrives through secret passages in the browser code. Once inside, it gathers information to build a profile of the user's habits and online environment. It breaches the firewall with the implicit permission of the user.

At its simplest, spyware may only be a cookie, a small text file downloaded through the browser by virtually all websites. Cookies come in two main varieties. The vanilla variety is arguably well meant and useful. It stores personal information so a visitor can re-enter a website without typing in their user name and password. They may also store preferences for personalised pages, usually called "My something".

When a cookie is recognised on a user's computer, scripts can track them around the site and gain more information about the visitor's interests and preferences. Typically benevolent, the cookie is only accessible to the originating website and is only active while the user is on that site. Another example is the shopping trolley cookie, which "carries" your purchases to the virtual checkout and then self-destructs.

Advertising cookies

The second variety is the darker, advertising cookie. These are downloaded secretly to benefit the authoring company and its ring of partners. These cookies may only ply the surfer with targeted ads while on a website but there are ways to stalk surfers beyond the original site and across the internet.

Banner ads and web bugs can be legitimately placed on websites to expose visitors to any page carrying the bug. The tracker can note all pages visited, user names, e-mail addresses used, searches performed and other information for building a personal profile. Based on this, the user is subjected to customised advertising and spam.

Because cookies are simple text files, they cannot plant malicious code, but innocent data can be used maliciously. Imagine employees from company A visiting competitor company B's website to check on products and pricing. This offers B the opportunity to place a persistent cookie on the PC of every visitor from A. The intelligence gathered can show patterns of corporate behaviour. If the cookie comes from a web bug, placing ads on the pages of competitors and other sites can reveal much more detailed patterns.

If company A is rumoured to be considering a merger with company C, placing a web bug on C's site will pick up any increased activity or interest from B. All of this is legal - and almost unstoppable.


Butler Group analyst Maxine Holt warned users that spyware offers hackers an ideal opportunity to install hacking toolkits on end-users' PCs. "An important point to remember is that the use of a toolkit typically automates basic tasks for a hacker, such as scanning for vulnerabilities." She said such toolkits would allow the hacker to discover vulnerabilities remotely and Trojans can be implanted without the hacker needing to take direct action.

Many freeware or shareware web downloads contain spyware, or adware, to plug their advertisers. Not all are so benign. Downloaded aids, such as toolbars, become a constant part of the browser and many do useful jobs, but some hide keyloggers that record every key press or may even install a server backdoor through which hackers enter the network.

Protecting your systems

The best protection against this malware is to outlaw downloads explicitly in a policy document and bar them electronically, where practical.

Gunter Ollmann, manager of X-Force Security Assessment Services at Internet Security Systems, warned that senior executives are often the worst culprits for unauthorised downloading. "Policies should apply to all ranks in an organisation. Some of the worst machines I have seen are owned by financial directors. Besides the usual business data, I have found some most interesting content," he said.

There are tools users can install to stop spyware. However, Jan Sundgren, an analyst at Forrester Research, said although these are the most cost-effective way of dealing with the problem, many personal firewalls control application access to the internet and can stop adware from sending out information.

Sundgren said, "An advantage of using a firewall with application control is that your defence is not based on signatures of known adware. Also, the enterprise versions of these firewalls allow for centralised management."

It is not just corporate information that is at risk. In July, a Devon man was cleared of knowingly downloading child pornography when a computer expert discovered 11 Trojans on his hard drive. Though it was not proven that these downloaded the images, it is not impossible to believe. The victim temporarily lost custody of his daughter and almost lost his liberty. If a similar event occurred in the corporate world, an enterprise pleading ignorance might not be given the benefit of the doubt.

What are web bugs?

Web bugs are usually banner ads but can be as small as one pixel. When a browser downloads the graphics for a page, the graphical elements do not all come from the web server hosting the site.

Many of the third-party graphics download from the originating site and some of these may be marketing companies or even business competitors seeking to gain information about the user's web surfing habits.

In itself, a web bug is harmless but the contact with its host server makes the link that offers the chance to plant a cookie and get the IP address, or sometimes the e-mail address, of the surfer. Web bugs from third-party sites also feature in the current trend of using HTTP e-mails, in which case the e-mail address is revealed to the bugging site.

By comparing results from different sites or synchronising the database with other bugging sites, a detailed picture of the surfer can be developed and sold on.
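The description above can be turned into a simple page audit. The following is an added example, not part of the original article: it lists images a page pulls from other sites and flags the one-pixel ones. The `.example` hosts and the sample page are constructed, and `site_of` is a simplifying assumption about what counts as the same site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def site_of(host):
    # Assumption: the last two DNS labels identify a site. A real audit
    # would use the Public Suffix List (for names such as example.co.uk).
    return ".".join(host.lower().split(".")[-2:])


class WebBugFinder(HTMLParser):
    """Collects <img> elements fetched from a site other than the page's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlsplit(page_url).hostname)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = dict(attrs)
        src = urljoin(self.page_url, attr.get("src") or "")
        host = urlsplit(src).hostname
        if not host or site_of(host) == self.page_site:
            return  # first-party image, or no network fetch (data: URI)
        tiny = attr.get("width") in ("0", "1") and attr.get("height") in ("0", "1")
        self.findings.append({"host": host, "sends_query": bool(urlsplit(src).query),
                              "kind": "pixel" if tiny else "third-party image"})


def find_web_bugs(page_url, html):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page; every host is a hypothetical .example name.
SAMPLE = """
<img src="/img/logo.gif" width="120" height="40">
<img src="http://static.shop.example/banner.gif" width="468" height="60">
<img src="http://ads.tracker.example/b.gif?uid=42" width="1" height="1">
<img src="http://banners.adnet.example/468x60.gif" width="468" height="60">
"""

if __name__ == "__main__":
    for finding in find_web_bugs("http://www.shop.example/pricing", SAMPLE):
        print(finding)
```

Images served from the page's own site, including its subdomains, are not reported; only the two hosts outside it are.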

How to protect against spyware

  • Ensure all web traffic is firewalled
  • Block any suspicious outward traffic at the firewall
  • Use anti-spyware software regularly, such as Symantec Internet Security, Spybot S&D and Ad-Aware
  • Bar unsanctioned software downloads wherever possible
  • Monitor computer inventories, especially mobile devices, for illegal software additions
  • Implement a security policy addressing internet access
  • Block third-party cookies.
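To see which cookies the last item in this list targets, the sketch below sorts `Set-Cookie` headers into first or third party and into session, persistent or deleted. It is an added example, not part of the original article; the hosts, header values and fixed clock are constructed, and `site_of` is a simplifying assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

def site_of(host):
    # Assumption: last two DNS labels identify a site (no Public Suffix List).
    return ".".join(host.lower().split(".")[-2:])


def classify(page_url, request_url, set_cookie, now):
    """Classify one Set-Cookie header received while rendering page_url."""
    pair, *rest = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    lifetime = "session"  # no Expires/Max-Age: discarded when the browser closes
    try:
        if "max-age" in attrs:  # Max-Age takes precedence over Expires
            lifetime = "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        elif "expires" in attrs:
            expiry = parsedate_to_datetime(attrs["expires"])
            lifetime = "persistent" if expiry > now else "deleted"
    except (ValueError, TypeError):
        pass  # unparseable attribute: treat it as absent
    req_host = urlsplit(request_url).hostname
    same = site_of(req_host) == site_of(urlsplit(page_url).hostname)
    return {"name": pair.split("=", 1)[0], "setter": req_host,
            "party": "first" if same else "third", "lifetime": lifetime}


def third_party_persistent(page_url, observed, now):
    """Cookies a 'block third-party cookies' policy exists to stop."""
    rows = [classify(page_url, url, header, now) for url, header in observed]
    return [r for r in rows if r["party"] == "third" and r["lifetime"] == "persistent"]

# Constructed observations: (URL that answered, its Set-Cookie header value).
PAGE = "http://www.shop.example/pricing"
OBSERVED = [
    ("http://www.shop.example/basket", "trolley=3items"),
    ("http://www.shop.example/login",
     "uid=alice; Expires=Thu, 31 Dec 2037 23:59:59 GMT; Path=/"),
    ("http://ads.tracker.example/b.gif?uid=42",
     "tid=9f3c; Domain=.tracker.example; Max-Age=31536000"),
    ("http://ads.tracker.example/optout", "tid=; Max-Age=0"),
]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatability

if __name__ == "__main__":
    for row in third_party_persistent(PAGE, OBSERVED, NOW):
        print(row)
```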

Useful sites

An example security policy


Spybot Search and Destroy

Spyware/adware remover

Source: Forrester Research
