Spyware shifts from marketing to robbery

March 8, 2008 – 4:19 PM

Need examples of why spyware is so insidious? Headlines from the last few months are full of them, said Richard Stiennon, VP of threat research for Boulder, Colo.-based security firm Webroot. Spyware probably contributed to the data thievery companies like Lexis-Nexis, BJ’s Wholesale Club and Bank of America suffered, he said.

That’s the big point of a new report Webroot has released on spyware activity for the second quarter of 2005: Spyware pushers are shifting their focus from pay-per-click advertising to identity theft. And they’re quickly expanding their network of infected machines in the process.

“The big marketing opportunity for spyware writers is over,” Stiennon said. “Now they are competing with each other, going after bigger and better targets, using URL monitors, keystroke loggers and Trojan horses to steal your information.”

The report comes about a week before the Anti-Spyware Coalition is set to meet and discuss feedback it’s received since releasing a rough draft of spyware definitions July 12. The coalition — formed earlier this year when the nonprofit Center for Democracy and Technology teamed up with several tech firms and security organizations — hopes to weave the feedback into a final document to be released this fall.

Paul Kurtz, executive director of the Cyber Security Industry Alliance, said the Anti-Spyware Coalition’s work is vitally important given the damage spyware can do.

“Spyware can be so broad,” he said. “We allow forms of it on our computers every day. That’s the big issue we need to think about today. There must be common rules and procedures for defining and removing it. If we can establish a common template to determine what should be removed as spyware, we’d at least be putting everyone on the same sheet.”

Despite awareness, infection rate stays high
Awareness is up. Antispyware legislation is pending at the federal level and in 19 states. And the security market is flush with new tools to scan and clean systems. Yet the spyware infection rate for enterprise desktops remains above 80%, the report said.

To date, Webroot’s Enterprise SpyAudit has scanned nearly 60,000 systems representing more than 20,000 companies; finding the number of spyware instances per infected machine up by 19% this year, the report said.

The firm’s research team also saw evidence that spyware pushers are aggressively growing their distribution channels. The report said the number of Web sites distributing spyware has quadrupled since the start of the year to 300,000 unique URLs. Meanwhile, the company has seen the number of spyware traces in its spyware definition database double in the same period to over 100,000.

Stiennon said spyware pushers are also working hard to test their wares against a range of antispyware software and are successfully using rootkits to avoid detection.

New names for new spyware
The report also offers a list of programs Webroot has fingered as spyware, including a new one called Look2Me. This spyware may monitor Web surfing activity and report back usage statistics to a centralized server, the report said. It may also display pop-up ads and install several other pieces of spyware.

“Once installed, Look2Me may update itself and install other applications,” the report said. “These applications are usually other pieces of spyware. Look2Me may download and execute third-party programs on your computer without your knowledge or consent.”

Look2Me is usually installed using ActiveX drive-by download sites or flaws in common Web applications, the report said, adding, “Look2Me is very difficult to remove due to its injection into system-level processes. Look2Me may also install other pieces of spyware and adware, which decrease your computer’s performance, and may display pop-up advertisements.”

“When you look at where this is going, you think, ‘when will this end?” Stiennon said. “Our feeling is that we haven’t seen anything yet. Profit motive opens a whole new world.”

The next big story
While Stiennon doesn’t see the spyware war ending anytime soon, he predicts executives will start being held more accountable when they fail to stop the malware from stealing data and damaging the company’s reputation.

“The next big story in this saga will be when the big CEOs start getting fired over this year’s breaches,” he said. “When you can’t detect something like a keystroke logger, you’ve got a problem. I’ve been on road for eight weeks talking to clients, and more often I’m hearing them say, ‘we really want to stay off the front page of the Wall Street Journal.'”

He believes the Anti-Spyware Coalition’s work will help give companies a better idea of what to look for and how to respond when spyware infections are uncovered. But the overall impact may be limited.

“Activities of a coalition like this won’t have a direct impact in turning the tide,” he said. “But it shows a maturing in the industry where the players are at least talking to each other. In the end, though, you can’t issue a document that will improve security. It’s all about personal behavior.”

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1118610,00.html