Spyware is a term whose use is becoming increasingly frequent in the lexicon of internet security threats. Just as computer users begin to think that their systems are protected against current menaces – various types of computer malware and spam, etc, so they are faced with yet another challenge. But just how big a threat is spyware for the corporate and home computer user today?

Spyware is any form of technology that allows information to be gained regarding a person, or an organisation, through their usage of the internet, without their knowledge. This information is then relayed to marketing organisations, or other interested parties, ostensibly to allow them to target the user/company with relevant adverting and/or information, often in the form of spam. It is not considered as a virus, and cannot be prevented with traditional antivirus software, or firewall.

Spyware should not be confused with adware. Adware is a form of technology that provides advertising (often in the form of pop-up banners on the internet). It differs from spyware in that it is generally not targeted advertising, and does not transmit information on the internet user's profile. Adware often goes hand in hand with freeware– the user receives the freeware, which is funded by revenue gained from advertising – receiving the adverts being a kind of trade-off for the use of the programme.  At face value this seems like a fair deal.  However the picture becomes slightly more complex, as many types of adware can contain spyware to gain additional information on the computer user's internet surfing habits – and even gain access to information contained on their machine.

Who is at risk?
Anyone who accesses the internet is potentially at risk.  It is difficult to obtain precise statistics about the exact number of internet users affected, as more often than not, spyware runs on computer systems covertly - the user being oblivious to its existence.  Even if the user is aware of its presence, many do not yet consider it as a real threat, but rather as a nuisance, so may take no action, and not report it to the network administrator (in the case of corporate users). However, it could be argued that the extensive increase in spam experienced over the last two years is indication, in itself, of the extent of the problem.

So, while the internet user browses through the web, spyware programmes can be gathering information that can compromise the confidentiality and integrity if their data, as well as causing system slow-down - by recording the different internet pages users have visited, scanning their internet history details, existing cookies on their machines, information on the various software programmes they have installed, and information contained on their hard disk.  More malicious forms of spyware (see below) such as Trojan horses can even go as far as recording keyboard strokes (key loggers) - as a result confidential information such as passwords and bank account details may no longer be secure. There are even types of spyware that can gather details on unused storage space and bandwidth on a network, and enable this to be used for its own ends, creating itself a vast network around the world – all of this unbeknownst to the network manager, who believes that (having taken reasonable conventional measures of protection) his  network is secure.

What exactly is Spyware, and how does it propagate?
Spyware generally propagates through internet usage, and through the downloading of adware or freeware.  It is particularly prevalent in Instant Messaging programmes (ICQ), in audio players (RealPlayer) and peer to peer systems (Kazaa, Limewire).

Spyware, itself, is either a complete programme, or part of a programme inserted into other software destined for completely different use – here demonstrating techniques such as social engineering, or those akin to the malicious code programmes known as Trojan horses.

One type of common spyware is the BHO (Browser Helper Objects), which attaches itself to internet browsers, such as Internet Explorer, in the form of an additional menu toolbar.  The BHO has access to all the files and actions of the internet surfer, so can record all the sites he/she has visited, and all information sent to these sites – including passwords and personal details. The programme then sends this data to a designated server – it is at this point when it becomes classified as a spyware.  Malicious code (Trojans) can be added to Browser Help Objects.  When several such codes are running simultaneously on a computer system, they can conflict, causing errors on the internet browser – providing evidence to the computer user that covert programmes may be running on their machine.  The most common types such code are Aureate, Brilliant Digital /BDE Projector, and UCmore.

Other types of frequent spyware are Alexa, Doubleclick, Gator, Comet Cursor, Cydoor and News Net.

There are also other types of technology that can be corrupted and optimised by spyware.  These include cookies, web bugs (tiny, invisible gif images which monitor internet usage and send information back to a designated server), ActiveX  technology (originating from Microsoft) which enables various operations to be carried out on the computer of an internet user when visiting a web page containing Active X code, etc.

Justification?
Some may argue that by gathering information on the internet user's surfing habits, they are able to provide them with targeted advertising – in the form of banner advertising, or pop-up windows that appear when the internet browser is first opened, and when the internet user accesses certain web sites. However, there is a clear link between this and the proliferation of spam in recent times.  Many types of spyware enable the creation of databases of email addresses, to which advertising emails are sent, some targeted, many not.  Some types of spyware may even go as far as creating databases of contact details, whose owners may then become the target of paper-based advertising, or telemarketing campaigns.

'Anonymity of details' has also been cited in defence of the use of spyware.  It has been claimed that various information collected and distributed to designated servers is only scrutinised on a collective basis, allowing organisations to monitor trends, rather than analysing data of the individual.  However, this argument fails notably when taking into account the creation huge databases of details –which are then sold on a commercial basis, often at a very high price.

Many freeware programmes do in fact inform the user of the existence of spyware within the software.  However, more often than not they are carefully placed in the midst of a long licensing agreement, written in legal English – which very few users take the time to read thoroughly.  Non native English speakers face the increased challenge of reading such a document in a foreign language, as they are not always translated.  Some licensing agreements contain opt-in clauses, including for the user's authorisation of the download of spyware onto their machine. However more often than not, 'spyware' is not given its true definition. Moreover, in many instances, such clauses are pre-ticked (i.e. giving authorisation), the user is required to un-tick the box if they do not wish for such programmes to be loaded onto their machine. Accepting the terms of the licensing agreement, and being able to enjoy the use of the freeware often go hand in hand.  If the user refuses the spyware, the programme, in certain cases, will not function.  However, spyware contained within a freeware programme will often continue to run should the user uninstall the programme once it has been downloaded onto his/her machine.

All of this gives freeware a bad name – possibly leading the internet public to believe that spyware is the price to pay for the use of free computer programmes.  This is not the case – and could be compared to a computer user being afraid to use email for fear of becoming infected with a virus. Freeware is often a means of gaining publicity for companies today.  Many use it as a marketing tool, often proposing a more elaborate version of the software for a fee.  It helps gain brand recognition.  Much freeware is supported by advertising, as illustrated at the beginning of this document.  There is a lot of good quality freeware around, which is spyware-free, including peer to peer programmes.  All that is required is a certain amount of research on the part of the internet user to know which programmes are safe – and a certain amount of education of internet users by internet security companies.

Is it legal?
According to European law, 'Everyone has the right to respect for their private and family life, their home and their correspondence.'  (Convention for the Protection of Human Rights and Fundamental Freedom.)

The European Community Directive 95/46 specifies, 'Personal data shall mean any information relating to an identified or identifiable natural person', and stipulates that any use of personal data is not permissible unless '...the data subject has unambiguously given his consent...'

The European Community Directive 2002/58 stipulates that the status of spyware, or other technologies deploying the same characteristics, '(...) so-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.'

It would seem that the law protects the rights of the internet user.  Yet although various cases have already been brought before the courts of justice (Doubleclick, for example, was fined $450,000 in USA in 2002, and had to commit to the respect of the privacy of internet users), as ever any issue linked to internet usage is extremely difficult to legislate.  Until these issues are resolved, the internet user should take steps to protect himself against such infringements of his privacy.

Recognising the threat.

Although it may not be instantly obvious that spyware programmes are running on a computer (as discussed above), there are signs that can indicate their presence:

- Corruption of the internet browser
- Significant slow down of the user's machine
- Appearance of high number of pop-up screens when opening the browser

The user (or network administrator) can monitor activity at the firewall if it is set to monitor outgoing, as well as incoming, traffic.  Anomalous outgoing traffic can often indicate unwanted feedback to the spyware's designated server.

Taking preventative measures.

There are measures that can be taken to reduce the threat of spyware.

- Users should take care when downloading freeware, or adware and study the terms and conditions – however cumbersome this may be
- Users should also research the authenticity of seemingly 'free' software before downloading onto their machine
- Use of a firewall will help detect non-authorised programmes contained in outgoing traffic – and can therefore help block spyware programmes from leaving the user's computer/network (though it cannot detect spyware programmes that are contained within another programme).
- Use of an updated antivirus programme will help reduce the risk of infiltration by malicious code, such as Trojans
- Use of an anti-spyware programme will help increase overall protection.  As certain types of spyware become recognised, anti-spyware vendors can produce rules to prevent them from entering internet users'systems.

http://www.trendmicro-europe.com
http://www.trendmicro-europe.com

Trend Micro would like to thank Laure Brignone of the University of Paris II Panthéon-Assas for her contribution to this report.

Matthieu Brignon is a marketing director for Trend Micro.