Defining the real spyware

Some anti-spyware products may leave you no better off

Traditionally, anti-virus programs have provided protection from malware - programs deliberately created to perform an unauthorised, typically harmful, action. Viruses, worms and Trojans are all obvious examples of malware.

But there are other ways for hackers, spammers and other cybercriminals to harm users. Criminals can use non-viral, but potentially hostile programs such as adware, riskware and pornware to attack users or hijack their machines. Such programs can be legitimate applications, but their potential for misuse means that users increasingly see them as undesirable and want a means to identify them.

This heterogeneous mix of programs gets lumped together under the umbrella term 'spyware', but it is worth asking what exactly spyware is. Is it a new phenomenon? How real is the threat and does it justify the publicity given to it?

There is no industry standard definition of spyware, but nearly all definitions include characteristics that apply to different kinds of Trojans, including backdoor Trojans, Trojan proxies and password-stealing Trojans. Such programs have been around for almost 10 years, since the first AOL password stealers appeared, although they were not called spyware at that time.

Many suppliers also include adware under the spyware umbrella. Adware programs launch advertisements on infected machines and redirect search engine results to promotional websites. They have much in common with spam, although they do not arrive via e-mail.

They do, however, waste bandwidth, raise potential HR and legal problems and pose a threat to company confidentiality.

This leaves riskware and pornware. Although legitimate, riskware can be misused by cybercriminals. One example is remote administration utilities. The past few years have seen a fusion of traditional virus techniques with those of hackers. In this changing climate, riskware programs have come into their own as a means of dropping viruses onto victim machines or as a means of stealing data.

The same is true of pornware - malware-related programs that use a computer's modem to connect to pornographic pay-to-view services or download pornographic content from the web without the consent of the user.

It is clear that there is a terminology problem here. The various programs now often lumped together as spyware are not new phenomena, although the use of the term 'spyware' is.

Although such programs are not new, their use for malicious purposes has increased. Viruses were typically isolated acts of cybervandalism aimed at spreading themselves to other discs or programs and only sometimes damaging data on the infected machine. They did not pose the all-encompassing threat to enterprises and users that today's malware does.

So what has changed? As well as the convergence of virus writing and hacking techniques, there has been a growing commercialisation of malware. Malware does more things and affects systems in a much wider sense than it did in the 1990s. Much of it is designed to distribute spam, steal confidential data or co-ordinate distributed denial of service attacks. The bad guys are now more intent on making money or selling their technology to others to make money and many spyware programs help them do so.

This has resulted in a greater focus on these programs and there has also been a growth in the number of standalone 'spyware' products. One reason for the emergence of such products is the ethical scruples of traditional anti-virus suppliers. Until the late 1990s, malicious code could be clearly defined. This has become much more difficult with some of the programs that fall under the spyware umbrella.

How do you distinguish between legitimate remote administration tools and a backdoor Trojan? Intent is the key factor, but it is not so easy to draw this distinction in software.

Traditional anti-virus suppliers have always been justifiably scrupulous about what they detected. If it could not be clearly defined as a 'bad thing' that fell into one of the established categories, they were reluctant to add it to their databases.

You may remember the heated debates about the Friend Greeting application in 2002: this was effectively a spam utility that would send itself to a user's contacts. Many system administrators requested detection from their anti-virus suppliers, who were hesitant about adding it to their databases. They did not want to label a program as a worm or Trojan when it came with a clear end-user licence agreement and required the user to opt in to its marketing methods in advance. Dealing with such applications is much less clear-cut than dealing with traditional threats.

Companies that have developed products to detect such programs have no such historical baggage and have been more than happy to add detection for the disparate array of programs now re-christened as spyware. Faced with the growth of such programs, many system administrators have bought into this because they perceive that anti-virus suppliers do not deal with the threat and yet want the means to block applications they know can do them harm.

But there is a clear gap between perception and reality. Many people's perception is that traditional anti-virus suppliers do not deal with spyware. The new kids on the block, by contrast, dedicated specifically to detecting spyware, are seen as dealing with these threats better. With some traditional anti-virus suppliers reaching for their chequebooks to buy anti-spyware companies, the myth has grown that anti-virus programs cannot detect spyware.

The reality, of course, is that a number of anti-virus suppliers have included detection of spyware programs for many years. The key to understanding this reality is to reach into the spyware bag and examine its contents more closely.

Once you realise it is filled with Trojans, adware, diallers, remote administration tools and many other programs that can be potentially misused, it becomes clear that detection has been around for a while, although without the fanfare that now accompanies spyware.

The key issue for anti-virus suppliers offering detection of non-viral, potentially hostile programs is to call things by their true name and to assure users that they detect the threats that have been dumped into the new spyware category.

David Emm is senior technology consultant, Kaspersky Lab UK

Kaspersky Lab can be found at InfoSecurity at stand number 550