Industry wrings its hands in vain
Its arrival on users' PCs has been surreptitious, and many users still don't know it's there. It is already the fourth biggest threat that worries security managers, and the nascent anti-spyware industry is set to grow from $12 million in 2003 to $305 million in 2008, according to IDC numbers.
Spyware is that threat, and it is already regarded as being responsible for a third of all Windows XP crashes.
According to a Forrester research group survey of 200 security managers, around 65 percent of companies will either purchase or upgrade anti-spyware software this year, making it the most popular security technology of 2005.
So, what is spyware, what effect does it have, and how can you stop it targeting your networks?
One of the immediate issues we need to confront is the confusion between adware and spyware. Adware is a piece of software installed as an additional component that feeds advertising to you or points your browser home page to sites feeding advertising.
Generally, it should have the express consent of the end user and also involve an uninstall function. Some consider adware to be a legitimate alternative offered to consumers who do not wish to pay for software. Programs, games or utilities can be designed and distributed as freeware, but some features might be blocked until you pay to register it.
Spyware – also dubbed sneakware or snoopware – is much more insidious. Some freeware applications that contain adware track your surfing habits in order to serve ads targeted at you. When adware becomes intrusive, it should be redefined as spyware and it becomes something you should avoid for privacy and security reasons.
Spyware works similarly to adware, but is usually a separate program installed unknowingly when you install another freeware-type program or application. Once installed, it monitors user activity on the internet and covertly transmits that information to its master.
It can gather information about email addresses, passwords and creditcard numbers, which has led to fears that it can be a route to identity theft, or the loss of corporate information. Many programs will hide deep in Windows or re-install themselves after removal, making them very hard to eradicate.
Microsoft, whose products spyware takes advantage of, describes it as "unwanted software" collecting information from your PC without your consent or control. The company, which started to see spyware as a major problem from early in 2004, tracing it back from error reports of application crashes, believes that the threat strikes right at the heart of a key issue – customers' ability to control which software runs on their machines.
According to the U.S. ISP Earthlink, based on the scans it has carried out, there are an average of 28 spyware items on each PC.
Horst Joepen, chief executive of Webwasher, which produces a gateway protection product called Content Security Management Suite, believes spyware is a very serious threat.
"We get a lot of calls from customers, and it can easily take two hours to get a desktop cleaned up from spyware, as well as the loss of productivity," he says.
"At the moment, there is only evidence of spyware searching for passwords in accounts and targeting creditcard transactions in corporate accounts.
"But it is only a matter of time before spyware is used in corporate espionage, and taught to go and get corporate information. It just has to know where to search and what to look for."
The problem with spyware is that some of the infections on PCs can be difficult to detect. Many users, however, see a common symptom – that their computer seems to have a mind of its own.
A slow computer can be a sign that spyware has finagled itself on to a PC on your network. The PC might seem to be running slowly, but you get used to how it reacts to booting up programs. A sudden change in how your computer is running could be a sign of spyware or adware hidden on your machine.
Another clue to being infected with spyware is getting bounced back mail and evidence of emails being sent without your knowledge. Maybe you have an unrecognized icon in the lower-right corner of your screen in the Windows system tray, or if you have an external modem, there are blinking lights indicating data transfers when you are not doing anything online.
There are also offline symptoms that can cause concern. Hidden keyloggers can capture passwords and usernames, so if the bank or creditcard accounts that you access online appear to have been tampered with, or there are transactions you don't recognize, spyware on your computer might be to blame.
So what is being done to stop spyware? Education and guidance, self-regulation and legislation sum up the best efforts so far at combating spyware.
In the U.S., anti-spyware legislation is already going through Congress. The proposed Securely Protect Yourself Against Cyber Trespass (SPY ACT) bill would allow fines of up to $3 million for makers of software that steals personal information from a user's computer or hijacks its browser. But critics say the bill will too easily allow adware companies to continue installing software on users' machines as long as they can prove some form of user consent.
Microsoft has said that it supports legislation, and will cooperate with law enforcement agencies and organizations such as the Center for Democracy and Technology (www.cdt.org)
"Legislation is one part of an overall strategy, but it can only be done on a more refined basis, and used as a tool to address the most egregious issues," says Paul Bryan, director of product management, Windows AntiSpyware.
"An anti-spyware strategy also has to be based around technology, guidance and engagement, and industry collaboration."
But when it comes to self-regulation and coordinating an approach to prevent new threats, there has been little progress. No trade group of anti-spyware technology developers has emerged to replace the Consortium of Anti-Spyware Technology Vendors (Coast), which collapsed earlier this year.
Barbara Newman, chief privacy officer at IAB (U.K.), knows the industry is aware of the threat it faces from the law.
"One of the issues the online ad industry faces is that legitimate, useful performance tracking and targeting tools are being bundled into blanket spyware definitions. We need to take the initiative and be transparent about what we're doing," she says.