How Your Identity Is Stolen

Identity thieves steal your personal information by getting you to download spyware software onto your computer. As the name suggests, spyware is software that “spies” on your details and your activity and sends it to the thieves. Some of this software is sophisticated enough to monitor and record the keys you press on your keyboard - including when and where you store passwords to things like your bank accounts!

If you’re an average internet user, you probably already have hundreds of spyware files on your system accidentally downloaded during normal surfing. In another article, I discussed some of the more common sources of spyware. So getting them out is important and urgent!

How To Protect Yourself

The first step is to download Anti-Spyware Software. There are several free versions but you get what you pay for. Given the large risk, I strongly recommend using paid versions.

The second and most important step is to use it! Spyware removal software can’t help you if you don’t use it. In most instances, the software is pretty easy to use and comes with clear and easy to follow instructions.

The third step is to repeat the process every few weeks. Identity thieves don’t stop trying, so you need to regularly check for spyware and get rid of it!

If you’re not sure, you need to find out. Here’s why…

Spyware is software that you unknowingly download onto your system.

At best, this information is used to display unwanted advertisements. These can be a pain and depending on the content, embarrassing or offensive.

At worst, it can be used to spy on your personal information (including credit card details) and send them to criminals.

In addition, spyware usually makes changes to your registry files in hundreds of locations, causing your computer to slow down its processing speed. This means that your computer would take much longer to do its tasks.

So removing spyware is a task you should look at.

Should You Go Free or Paid Versions?

If you’re on a tight budget, Microsoft Spyware Removal Tool is a free tool you can use to do that. It’s pretty simple to use and can run without much input from you. So you don’t need to be a whiz to get results from it.

For best results though, I recommend paid spyware removal software. The reason why is because most of these clean your registry files more thoroughly than the free versions.

Use Your Spyware Removal Software Regularly

Regardless of which version you use, you should do it regularly. You’d be surprised how often you download spyware. So the more often you do it, the less your system will get clogged up.

If you’re someone who needs prompting, perhaps you could consider diarising to run the software every month at the latest. Or you could schedule the software to automatically scan your system at a time and frequency that suits you.

Did you know that when your computer becomes filled with popups and slows to a halt, it is usually spyware at the backend causing your problem?

One of the solutions to eliminate this is to lock down your browser.  We are going to show you how to lock down and maintain your locked down Internet Explorer.  There are also similar options that you can set for other web browsers.

What most people don’t know is that most websites do not have to send you cookies for the site to work and display perfectly. However many sites send things in cookies that create spyware and browser hi-jacks on your computer without you knowing.

To prevent this you need to set your privacy level to high.   How to do this is simple.  Go to the Internet Explorer menu bar and do the following:

1. Select Tools
2. Internet Options
3. then click on the tab that says privacy
4. move the slider till it says high.
5. Click on apply and ok to save the settings.

Now your browser is locked down.

If you go to a site that requires cookies you can enable them individually for websites you trust (ie: your bank). You can usually tell when you are on a site that requires cookies because it will sometimes tell you or when you submit a form it simply will not work. No this is sometimes a bit of a pain but it is well worth it if you keep spyware and viruses off your system.

To do that on the same page where you adjusted your privacy is a button that says sites. Click on Sites and type in the URL of the website (ie: www.bankofamerica.com) then click on the allow button.

Note: Locking down your browser will not take off the spyware or fix any current problems.

The question is, what is exactly is spyware? This article will finally clarify what spyware is and tips you can use to protect yourself from spyware in the future.

Spyware are computer programs that exist on your computer’s hard drive. They come in different types. Some spyware creep in the shadows of your hard drive, some are watching your browser and taking notes of websites that you visit.

Most of the time, it then communicates to other parties by using your internet access. Other spyware watch and take note of your keystrokes whenever you visit a financial services website. These are also known as “Keyloggers.” Keyloggers are a type of spyware that sends sensitive financial information including your username and password to other parties across the internet.

So, how does spyware get installed in your computer?

The spyware is downloaded through the internet and it occurs when a user knowingly downloads another piece of software and the spyware is attached to that application. Spyware can also occur through download by visiting websites.

Known as “drive by’s,” these downloads happen automatically without the user’s permission once a user has simply visited a particular website.

Is Spyware Dangerous?

All spyware is not necessarily dangerous. However,it does represent a risk because of the damage it is capable of doing.

For example, the spyware that watches your keystrokes when you visit financial websites and then communicates this data to other unknown parties exposes you and your financial livelihood to risk.

These other parties can then potentially access your bank, investment and loan accounts online without your knowledge or permission, wreaking havoc. Other types of spyware can actually gain control of your computer and distribute that control to other parties. As a result, unknown parties can potentially gain access to any sensitive data on your hard drive.

How to Protect Your Computer From Spyware?

The most effective way to protect you and your computer from spyware is to use a computer program that is designed specifically to identify and get rid of such bugs.

Such programs include:

ParetoLogic AntiSpyware - Built for those who enjoy knowing that they have complete control over the security of their PC, ParetoLogic Anti-Spyware delivers Active Protection in the form of real-time blocking. Sleek performance, an elegant user interface, and ease of use wrap around powerful technology and exclusive functionality. Going beyond simple detect and remove capabilities, ParetoLogic Anti-Spyware puts the power in your hands to take a pro-active stance against the intrusive and malicious spyware that threaten your PC and privacy.

For a Free Download, click here.

PC Tools Spyware Doctor - Award-winning spyware protection to secure your PC against privacy and tracking threats. Spyware Doctor is a top-rated malware and spyware removal utility that detects, removes and protects your PC from thousands of potential spyware, adware, trojans, keyloggers, spybots and tracking threats.

For a Free Download, click here.

ParetoLogic XoftSpy - Detects and removes all the spyware trying to install on your PC. Key features include complete PC scanning, including running processes, registry entries, files & folders; detects and removes spyware, adware, pop-up generators, keyloggers, Trojans, browser hijackers & malware; automatic definition & feature updates; comprehensive customer technical support; protects against identity theft and credit card fraud.

For a Free Download, Click here.

Webroot Spy Sweeper - Quickly provides maximum protection with minimal interaction. Spy Sweeper gives you 360 degrees of protection. Powerful Smart Shields offer real-time protection by blocking known & emerging spyware threats as you browse - before they ever reach your computer and personal information. If your PC is already infected, Spy Sweeper’s advanced discovery methods locate and completely destroy malicious spyware that hides within your PC - even spyware that hides using rootkit technology.

For a Free Download, Click here.

If you have never scanned your system, there is a good chance that you have a spyware program lurking on your hard drive. It could be relatively benign, content to simply exist.

Or, it could be maliciously communicating your sensitive data to outside parties. Use a dedicated spyware removal program such as Paretologic AntiSpyware, PC Tools Spyware Doctor, Paretologic Xoftspy, and Webroot Spy Sweeper to search and destroy these bugs before they can cause any significant damage to your computer or personal financial details.

Adware

Typically, adware components install alongside a shareware or freeware application and bring targeted advertisements to your computer. These advertisements create revenue for the software developer. Adware displays web-based advertisements through pop-up windows or through annoying advertising banners.

Browser Helper Object (BHO)

A Browser Helper Object (BHO) may appear as a helpful browser toolbar within Microsoft Internet Explorer (IE). Malicious BHO’s can change your default home page to point to some other site or send histories of your web-browsing habits to third-parties for the purposes of targeted advertising.

Browser Hijackers

Browser hijackers can take control of your web browser. They may alter your browser settings or change your default home page to point to some other site and they are capable of sending personal information to third-parties. They may not be detected by firewall software as they are capable of appearing as part of IE itself. Due to the variety of functions a browser hijacker can possess, it can be categorized as a Trojan.

Dialers

Generally, this is software that is installed on your PC that dials a phone number.  Some dialers connect to Internet Service Providers (ISPs) and are designed to provide genuine assistance. However, malicious dialers can attempt to connect you to long-distance or toll numbers without your consent, resulting in expensive phone bills.  Dialers are frequently used by pornography websites. A dialer disconnects the user from a dial-up Internet connection, and reconnects them to another dial-up telephone number where the user is then billed at a very high rate.

Keyloggers

Also known as ‘key loggers’ or ‘keystroke loggers’, these are programs that run in the background on your computer and are capable of recording every keystroke you make on your keyboard. Keyloggers can store information, which could very well include personal details and passwords that you have typed into your computer, such that it can later be retrieved by third-parties.

Layered Service Provider (LSP)

LSPs are pieces of code that are used to monitor, intercept and control communication between WinSock and the Internet application that calls WinSock (e.g. your Internet Browser). Malicious LSPs can be used to steal information that you submit through the Internet.

Malware

A generic term used to encompass malicious spyware, including adware, Trojans, browser hijackers, keyloggers, dialers and tracking cookies.  Malware is an encompassing term that also includes viruses, spyware, adware, worms, Trojan horses and other computer afflictions.  According to Consumer Reports, spyware infections caused 850,000 people to replace their computers in the first half of 2007.

Spyware

A stealthy application that makes use of your Internet connection, gathering and transmitting information on various activities you conduct on your computer to third-parties. This information is often collected and sent without your knowledge or consent. Like adware, spyware often installs as a third-party component bundles with a freeware or shareware application, which can make the distinction between the two somewhat ambiguous. In some places on the Internet, you may also see ‘Spyware’ used as a generic term to encompass malware.

Tracking Cookies

Internet browsers write and read cookies, which are small text files with small amounts of data (such as web site settings)which are placed onto your computer by visiting certain web sites. In many cases, cookies provide a benefit to users as they can retain settings for when you next visit a web site. In some instances, however, cookies are used to consolidate and track your behaviour across different web sites, providing marketers with information about your web browsing habits.

Trojans

Like spyware, Trojans (also known as Trojan horses) can slip into your system and run without your knowledge. They are capable of possessing a variety of functions. For example, some use your computer’s modem to dial long-distance or toll numbers (like a dialer), potentially generating expensive phone bills. Unlike viruses and worms, Trojans do not replicate themselves.

Remember - Clicking links in pop-ups or viewing e-mail messages with graphics or HTML can invite spyware into your system. Spyware is often bundled with useful or entertaining software, such as games. Most spyware comes from the Internet, but removable media is another source.  Spyware is integrated into some commercial media, primarily software. Some Sony music CDs automatically install digital rights management software when inserted into computer CD-ROM drives. Sony’s intention was for the software to prevent users from copying and redistributing copyrighted material. However, many CDs installed rootkit cloaking software, which created a security hole in infected computers. Removing the software disabled CD drives. Sony’s first patch made the problem worse.

Some of the Apple Video iPods made in China inadvertently shipped with Windows malware.  In Japan, promotional MP3 players distributed by the MacDonald’s hamburger chain contained data-stealing spyware. Apple iTunes for Windows contained a since-patched  security vulnerability that enabled evildoers at remote locations to control a user’s computer.

There are several signs that spyware is on your computer system. Pop-up ads may appear whether or not you are browsing the  Internet, your browser’s home page may be reset to a page you have not chosen, your Internet connection may be markedly slower, or you may notice new items in your startup menu.  Some spyware and adware are browser plug-ins in the form of toolbars, which enable advertisers to redirect your home page. Many add unwanted bookmarks. More rarely, spyware can include a remote administration tool that can allow an attacker to control your computer.  Spyware in the form of a key logger can record your keyboard strokes for later retrieval, but these are rare.

Always make sure your anti-spyware protection is up to date!

Malicious websites attempt to install spyware on readers’ computers.

Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.

Most spyware is installed without users’ knowledge.  Since they tend not to install software if they know that it will disrupt their working environment and compromise their privacy, spyware deceives users, either by piggybacking on a piece of desirable software such as Kazaa, or by tricking them into installing it (the Trojan horse method).  Some “rogue” anti-spyware programs masquerade as security software, while being spyware themselves.

The distributor of spyware usually presents the program as a useful utility—for instance as a “Web accelerator” or as a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a program bundled with spyware and targeted at children, claims that:

He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you’ve ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he’s FREE!

Spyware can also come bundled with shareware or other downloadable software, as well as music CDs.  The user downloads a program and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software.  In other cases, spyware authors have repackaged desirable freeware with installers that add spyware.

A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. Internet Explorer prevents websites from initiating an unwanted download. Instead, it requires a user action, such as clicking on a link. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box.  The box contains a message such as “Would you like to optimize your Internet access?” with links which look like buttons reading Yes and No. No matter which “button” the user presses, a download starts, placing the spyware on the user’s system. Later versions of Internet Explorer offer fewer avenues for this attack.

Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware.  The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software.  This has become known as a “drive-by download”, which leaves the user a hapless bystander to the attack.  Common browser exploits target security vulnerabilities in Internet Explorer and in the Sun Microsystems Java runtime.

The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it the most frequent target.  Its deep integration with the Windows environment and scriptability make it an obvious point of attack into Windows. Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser’s behaviour to add toolbars or to redirect traffic.

In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to install spyware that put pornographic pop-ups on the infected system’s screen. By directing traffic to ads set up to channel funds to the spyware authors, they profit personally.

Effects and behaviors

A spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic, all of which slow the computer down.  Stability issues, such as application, system not turning on, and system-wide crashes, are also common.  Spyware, which interferes with networking software commonly causes difficulty connecting to the Internet.

In some infections, the spyware is not even evident. Users assume in those situations that the issues relate to hardware, Windows installation problems, or a virus.  Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system “has become too slow”.  Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality.

Only rarely does a single piece of software render a computer unusable. Rather, a computer is likely to have multiple infections. As a 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed.  The cumulative effect, and the interactions between spyware components, causes the symptoms commonly reported by users: a computer, which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease.  Some spywares disable or even remove competing spyware programs, on the grounds that more spyware-related annoyances make it even more likely that users will take action to remove the programs.  One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the two later settled with an agreement not to disable each others’ products.

Some other types of spyware (for example, Targetsoft) modify system files so they will be harder to remove. Targetsoft modifies the “Winsock” Windows Sockets files. The deletion of the spyware-infected file “inetadpt.dll” will interrupt normal networking usage. Unlike users of many other operating systems, a typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system too. Spyware, along with other threats, has led some Windows users to move to other platforms such as Linux or Apple Macintosh, which are significantly less susceptible to malware.  This is because these programs are not granted unrestricted access to the operating system by default.  As with other operating systems, Windows users too are able to follow the principle of least privilege and use non-administrator least user access accounts, or to reduce the privileges of specific vulnerable Internet-facing proceses such as Internet Explorer (through the use of tools such as DropMyRights). However as this is not a default configuration, few users do this.

Advertisements

Many spyware programs display advertisements. Some programs simply display pop-up ads on a regular basis; for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior.

Many users complain about irritating or offensive advertisements as well. As with many banner ads, many spyware advertisements use animation or flickering banners which can be visually distracting and annoying to users. Pop-up ads for pornography often display indiscriminately. Links to these sites may be added to the browser window, history or search function. When children are the users, this could possibly violate anti-pornography laws in some jurisdictions.

A number of spyware programs break the boundaries of illegality; variations of “Zlob.Trojan” and “Trojan-Downloader.Win32.INService” have been known to show undesirable child pornography, key gens, cracks and illegal software pop-up ads which violate child pornography and copyright laws.

A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site’s own advertisements (which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites.

“Stealware” and affiliate fraud

A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed “stealware”, and what spyware researcher Ben Edelman terms affiliate fraud, a form of click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.

Spyware which attacks affiliate networks places the spyware operator’s affiliate tag on the user’s activity—replacing any other tag, if there is one. The spyware operator is the only party that gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue, networks’ reputations are injured, and vendors are harmed by having to pay out affiliate revenues to an “affiliate” who is not party to a contract.

Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.

Identity theft and fraud

In one case, spyware has been closely associated with identity theft.  In August 2005, researchers from security software firm Sunbelt Software believed that the makers of the common CoolWebSearch spyware had used it to transmit “chat sessions, user names, passwords, bank information, etc.”, but it turned out that “it actually (was) its own sophisticated criminal little trojan that’s independent of CWS.” This case is currently under investigation by the FBI.

The Federal Trade Commission estimates that 27.3 million Americans have been victims of identity theft, and that financial losses from identity theft totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals.

Spyware-makers may commit wire fraud with dialer program spyware. These can reset a modem to dial up a premium-rate telephone number instead of the usual ISP. Connecting to these suspicious numbers involves long-distance or overseas charges which invariably result in high call costs. Dialers are ineffective on computers that do not have a modem, or are not connected to a telephone line.

Digital rights management

Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music Entertainment was found to be using rootkits in its XCP digital rights management technology Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. Texas Attorney General Greg Abbott filed suit, and three separate class-action suits were filed. Sony BMG later provided a workaround on its website to help users remove it.

Beginning in April 25, 2006, Microsoft’s Windows Genuine Advantage Notifications application installed on most Windows PCs as a “critical security update”. While the main purpose of this deliberately non-uninstallable application is making sure the copy of Windows on the machine was lawfully purchased and installed, it also installs software that has been accused of “phoning home” on a daily basis, like spyware.  It can be removed with the RemoveWGA tool.

Personal relationships

Spyware has been used to surreptitiously monitor electronic activities of partners in intimate relationships, generally to uncover evidence of infidelity. At least one software package, Loverspy, was specifically marketed for this purpose. Depending on local laws regarding communal/marital property, observing a partner’s online activity without their consent may be illegal; the author of Loverspy and several users of the product were indicted in California in 2005 on charges of wiretapping and various computer crimes.

Spyware and cookies

Anti-spyware programs often report Web advertisers’ HTTP cookies, the small text files that track browsing activity, as spyware. While they are not always inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and many anti-spyware programs offer to remove them.

Examples of spyware

These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into “families” based not on shared program code, but on common behaviors, or by “following the money” of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as “Gator”. Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.

CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer’s hosts file to direct DNS lookups to these sites.

Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.

Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies.

HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs—an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.

Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General’s Office, the Better Business Bureau, and other agencies. Consumers complained they were held hostage by a cycle of oversized pop-up windows demanding payment of at least $29.95, claiming that they had signed up for a three-day free trial but had not cancelled before the trial period was over, and were thus obligated to pay.[31][32] The FTC filed a complaint, since settled, against Movieland and eleven other defendants charging them with having “engaged in a nationwide scheme to use deception and coercion to extract payments from consumers.”

Zlob trojan, or just Zlob, Downloads itself to your computer via an ActiveX codec and reports information back to Control Server. Some information can be as your search history, the Websites you visited, and even Key Strokes. More recently, Zlob has been know to hijack Routers set to defaults.

Spyware Gurus are committed to keeping you up to date on the latest threats and we will be updating this list regularly.

We source the web for the latest research and identities of new spyware and malware infections so that you don’t have to and also for your protection.

Our Spyware, Adware and Malware database is a comprehensive list of current threats identified from such renowned sources as PC Tools Software (the creaters of our highly recommended Spyware Doctor) and other leading online security companies.

In the coming weeks we will be offering the following information for you:

1. Infection Database — Browse through a list of available infections
2. Threat levels — This section explains the criteria that Software uses to classify threat levels associated with malware infections
3. Glossary — To view a brief summary of malware terms and concepts

So stay tuned…

The term adware frequently refers to any software which displays advertisements, whether or not the user has consented. Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These classify as “adware” in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.

Most adware is spyware in a different sense than “advertising-supported software,” for a different reason: it displays advertisements related to what it finds from spying on you. Claria Corporation’s Gator Software and Exact Advertising’s BargainBuddy are examples. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user receives many pop-up advertisements.

Other spyware behavior, such as reporting on websites the user visits, occurs in the background. The data is used for “targeted” advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware, and some anti-spyware programs such as Ad-Aware report it as such. Many of these adware distributing companies are backed by millions of dollars of adware-generating revenues. Adware and spyware are similar to viruses in that they can be malicious in nature. However, people are now profiting from these threats, making them more and more popular.

Similarly, software bundled with free, advertising-supported programs such as P2P act as spyware, (and if removed disable the ‘parent’ program) yet people are willing to download it. This presents a dilemma for proprietors of anti-spyware products whose removal tools may inadvertently disable wanted programs. For example, recent test results show that bundled software (WhenUSave) is ignored by popular anti-spyware program Ad-Aware, (but removed as spyware by most scanners) because it is part of the popular (but recently decommissioned) eDonkey client. To address this dilemma, the Anti-Spyware Coalition has been working on building consensus within the anti-spyware industry as to what is and isn’t acceptable software behavior. To accomplish their goal, this group of anti-spyware companies, academics, and consumer groups have collectively published a series of documents including a definition of spyware, risk model, and best practices document.

Spyware, virus and worm

Unlike viruses and worms, spyware does not usually self-replicate. Like many recent viruses; however, spyware—by design—exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.

Routes of infection

Malicious websites attempt to install spyware on readers’ computers.

Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.

Most spyware is installed without users’ knowledge. Since they tend not to install software if they know that it will disrupt their working environment and compromise their privacy, spyware deceives users, either by piggybacking on a piece of desirable software such as Kazaa, or by tricking them into installing it (the Trojan horse method). Some “rogue” anti-spyware programs masquerade as security software, while being spyware themselves.

The distributor of spyware usually presents the program as a useful utility—for instance as a “Web accelerator” or as a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a program bundled with spyware and targeted at children, claims that:

“He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you’ve ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he’s FREE!”

Spyware can also come bundled with shareware or other downloadable software, as well as music CDs. The user downloads a program and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable freeware with installers that add spyware.

A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. Internet Explorer prevents websites from initiating an unwanted download. Instead, it requires a user action, such as clicking on a link. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as “Would you like to optimize your Internet access?” with links which look like buttons reading Yes and No. No matter which “button” the user presses, a download starts, placing the spyware on the user’s system. Later versions of Internet Explorer offer fewer avenues for this attack.

Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware. The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a “drive-by download”, which leaves the user a hapless bystander to the attack. Common browser exploits target security vulnerabilities in Internet Explorer and in the Sun Microsystems Java runtime.

The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it the most frequent target. Its deep integration with the Windows environment and scriptability make it an obvious point of attack into Windows. Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser’s behaviour to add toolbars or to redirect traffic.

In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to install spyware that put pornographic pop-ups on the infected system’s screen. By directing traffic to ads set up to channel funds to the spyware authors, they profit personally.

Effects and behaviors

A spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic, all of which slow the computer down. Stability issues, such as application, system not turning on, and system-wide crashes, are also common. Spyware, which interferes with networking software commonly causes difficulty connecting to the Internet.

In some infections, the spyware is not even evident. Users assume in those situations that the issues relate to hardware, Windows installation problems, or a virus. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system “has become too slow”. Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality.

Only rarely does a single piece of software render a computer unusable. Rather, a computer is likely to have multiple infections. As a 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. The cumulative effect, and the interactions between spyware components, causes the symptoms commonly reported by users: a computer, which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Some spywares disable or even remove competing spyware programs, on the grounds that more spyware-related annoyances make it even more likely that users will take action to remove the programs. One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the two later settled with an agreement not to disable each others’ products.

Some other types of spyware (for example, Targetsoft) modify system files so they will be harder to remove. Targetsoft modifies the “Winsock” Windows Sockets files. The deletion of the spyware-infected file “inetadpt.dll” will interrupt normal networking usage. Unlike users of many other operating systems, a typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system too. Spyware, along with other threats, has led some Windows users to move to other platforms such as Linux or Apple Macintosh, which are significantly less susceptible to malware. This is because these programs are not granted unrestricted access to the operating system by default. As with other operating systems, Windows users too are able to follow the principle of least privilege and use non-administrator least user access accounts, or to reduce the privileges of specific vulnerable Internet-facing processes such as Internet Explorer (through the use of tools such as DropMyRights). However as this is not a default configuration, few users do this.

Advertisements

Many spyware programs display advertisements. Some programs simply display pop-up ads on a regular basis; for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior.

Many users complain about irritating or offensive advertisements as well. As with many banner ads, many spyware advertisements use animation or flickering banners which can be visually distracting and annoying to users. Pop-up ads for pornography often display indiscriminately. Links to these sites may be added to the browser window, history or search function. When children are the users, this could possibly violate anti-pornography laws in some jurisdictions.

A number of spyware programs break the boundaries of illegality; variations of “Zlob.Trojan” and “Trojan-Downloader.Win32.INService” have been known to show undesirable child pornography, key gens, cracks and illegal software pop-up ads which violate child pornography and copyright laws.

A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site’s own advertisements (which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites.

“Stealware” and affiliate fraud

A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed “stealware”, and what spyware researcher Ben Edelman terms affiliate fraud, a form of click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.

Spyware which attacks affiliate networks places the spyware operator’s affiliate tag on the user’s activity—replacing any other tag, if there is one. The spyware operator is the only party that gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue, networks’ reputations are injured, and vendors are harmed by having to pay out affiliate revenues to an “affiliate” who is not party to a contract.

Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.

Identity theft and fraud

In one case, spyware has been closely associated with identity theft. In August 2005, researchers from security software firm Sunbelt Software believed that the makers of the common CoolWebSearch spyware had used it to transmit “chat sessions, user names, passwords, bank information, etc.”, but it turned out that “it actually (was) its own sophisticated criminal little trojan that’s independent of CWS.” This case is currently under investigation by the FBI.

The Federal Trade Commission estimates that 27.3 million Americans have been victims of identity theft, and that financial losses from identity theft totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals.

Spyware-makers may commit wire fraud with dialer program spyware. These can reset a modem to dial up a premium-rate telephone number instead of the usual ISP. Connecting to these suspicious numbers involves long-distance or overseas charges which invariably result in high call costs. Dialers are ineffective on computers that do not have a modem, or are not connected to a telephone line.

Digital rights management

Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music Entertainment was found to be using rootkits in its XCP digital rights management technology. Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. Texas Attorney General Greg Abbott filed suit, and three separate class-action suits were filed. Sony BMG later provided a workaround on its website to help users remove it.

Beginning in April 25, 2006, Microsoft’s Windows Genuine Advantage Notifications application installed on most Windows PCs as a “critical security update”. While the main purpose of this deliberately non-uninstallable application is making sure the copy of Windows on the machine was lawfully purchased and installed, it also installs software that has been accused of “phoning home” on a daily basis, like spyware. It can be removed with the RemoveWGA tool.

Personal relationships

Spyware has been used to surreptitiously monitor electronic activities of partners in intimate relationships, generally to uncover evidence of infidelity. At least one software package, Loverspy, was specifically marketed for this purpose. Depending on local laws regarding communal/marital property, observing a partner’s online activity without their consent may be illegal; the author of Loverspy and several users of the product were indicted in California in 2005 on charges of wiretapping and various computer crimes.

Spyware and cookies

Anti-spyware programs often report Web advertisers’ HTTP cookies, the small text files that track browsing activity, as spyware. While they are not always inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and many anti-spyware programs offer to remove them.

Examples of spyware

These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into “families” based not on shared program code, but on common behaviors, or by “following the money” of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as “Gator”. Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.

• CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer’s hosts file to direct DNS lookups to these sites.

• Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.

• Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies.

• HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs—an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.

• Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General’s Office, the Better Business Bureau, and other agencies. Consumers complained they were held hostage by a cycle of oversized pop-up windows demanding payment of at least $29.95, claiming that they had signed up for a three-day free trial but had not cancelled before the trial period was over, and were thus obligated to pay. The FTC filed a complaint, since settled, against Movieland and eleven other defendants charging them with having “engaged in a nationwide scheme to use deception and coercion to extract payments from consumers.”

• Zlob trojan, or just Zlob, Downloads itself to your computer via an ActiveX codec and reports information back to Control Server. Some information can be as your search history, the Websites you visited, and even Key Strokes. More recently, Zlob has been know to hijack Routers set to defaults.

Legal issues related to spyware

Criminal law

Unauthorized access to a computer is illegal under computer crime laws, such as the U.S. Computer Fraud and Abuse Act, the U.K.’s Computer Misuse Act and similar laws in other countries. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware, particularly viruses. However, few spyware developers have been prosecuted, and many operate openly as strictly legitimate businesses, though some have faced lawsuits.

Spyware producers argue that, contrary to the users’ claims, users do in fact give consent to installations. Spyware that comes bundled with shareware applications may be described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim these demonstrate that users have consented.

Despite the ubiquity of EULAs and of “clickwrap” agreements, under which a single click can be taken as consent to the entire text, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreement can be a binding contract in certain circumstances. This does not, however, mean that every such agreement is a contract or that every term in one is enforceable.

Some jurisdictions, including the U.S. states of Iowa and Washington, have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software.

In the United States, lawmakers introduced a bill in 2005 entitled the Internet Spyware Prevention Act, which would imprison creators of spyware.

Administrative sanctions

An administrative fine, first of its kind in Europe, has been taken by the Independent Authority of Posts and Telecommunications (OPTA) from the Netherlands. It applied fines in total value of Euro 1,000,000 for infecting 22 million computers. The spyware is called DollarRevenue. The law articles which have been violated are art. 4.1 of the Dutch telecommunications law; the fines have been given based on art. 15.4 taken together with art. 15.10. A part of these fines has to be paid by the directors of these companies in their own person, i.e. not from the accounts of their companies, but from their personal fortunes. Since a protest procedure has been taken, the fines will have to be paid after a Dutch law court will take a decision in this case. The culprits maintain that the evidence for violating the two law articles has been obtained illegally. The names of the directors and the names of the companies have not been revealed, since it is not clear that OPTA is allowed to make such information public.

Civil law

Former New York State Attorney General and former New York State Governor Eliot Spitzer has pursued spyware companies for fraudulent installation of software. In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to pay US$7.5 million and to stop distributing spyware.

The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court.

Courts have not yet had to decide whether advertisers can be held liable for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, they have contracted with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of “impressions” or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies which have run their ads in spyware.

Libel suits by spyware developers

Litigation has gone both ways. Since “spyware” has become a common pejorative, some makers have filed libel and defamation actions when their products have been so described. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing its program as “spyware”. PC Pitstop settled, agreeing not to use the word “spyware”, but continues to describe harm caused by the Gator/Claria software. As a result, other anti-spyware and antivirus companies have also used other terms such as “potentially unwanted programs” or greyware to denote these products.

Before Internet Explorer 7 was released, the browser would automatically display an installation window for any ActiveX component that a website wanted to install. The combination of user naiveté towards malware and the assumption by Internet Explorer that all ActiveX components are benign, led, in part, to the massive spread of spyware. Many spyware components would also make use of flaws in Javascript, Internet Explorer and Windows to install without user knowledge or permission.

The Windows Registry contains multiple sections that by modifying keys values allows software to be executed automatically when the operating system boots. Spyware can exploit this design to circumvent attempts at removal. The spyware typically will link itself from each location in the registry that allows execution. Once running, the spyware will periodically check if any of these links are removed. If so, they will be automatically restored. This ensures that the spyware will execute when the operating system is booted even if some (or most) of the registry links are removed.

Trend Micro Inc. defines Spyware as

“Spyware is any piece of software, installed or employed without a user’s knowledge, that watches, logs, and reports on that user’s electronic movements. Spyware can track personal information, demographic information, and psychosocial information (e.g., stance on current issues).”

McAfee Inc. Defines Spyware as

“Software that transmits personal information to a third party without the user’s knowledge or consent.”

Symantec Inc. does not define Spyware on their website, but offers the following statement:

“Spyware can be downloaded from Web sites, email messages, instant messages, and from direct file-sharing connections. Additionally, a user may unknowingly receive spyware by accepting an End User License Agreement from a software program.”