Spyware: The Next Real ThreatBy Ryan Naraine | Posted 2004-12-09 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
A Computer Associates exec warns that spyware will soon become an even bigger headache for enterprises than viruses.
NEW YORKSpyware will replace the mass-mailing worm as the biggest nuisanceand security threatfacing businesses in 2005.
That's the chilling assessment from Roger Thompson, director of content research security management at Computer Associates International Inc.
Thompson used the spotlight of the InfoSecurity 2004 conference here to highlight the growing threat from spyware and adware "pests" and issue a call to arms for a unified industry approach to fighting back.
"The only things multiplying faster than definitions for what constitutes spyware, is the malware itself," Thompson said, warning that the threat from spyware will make mass-mailing viruses seem trivial.
"The mass-mailers became a problem because they were spreading faster than we could issue updates to block them. They're still around today, but we've figured out ways to keep them at bay. They cease to be a real strategic threat to corporations," Thompson said.
Spyware, on the other hand, which uses covert techniques to install itself on computers and track user activity to serve up annoying advertisements, presents a legitimate threat because of the way malicious code can be executed on infected systems.
Spyware, otherwise known as adware, has become the preferred delivery mechanism for malicious Trojans capable of relaying information to other computers or locations on the Web. According to anti-virus vendor Symantec Corp., spyware authors can actively or passively hijack user passwords, log-in details, credit card numbers and other sensitive personal information.
Because spyware is often tied to peer-to-peer applications, experts warn that individual files or other corporate data could be stolen by spyware programs running on infected systems.
"Your data is at risk and there's nothing we can do right now to stop it," Thompson said. He confirmed a researcher's recent findings that the best-performing anti-spyware scanner is not capable of detecting all the "critical" files and registry entries installed by the malicious programs.
"Spyware is built for functionality. No one, except the spyware author, knows what the program is capable of doing. They're changing frequently and they're becoming impossible to manage," Thompson said.
He explained that spyware writers use "tricklers" to silently reinstall spyware components after they are removed. "This makes it even worse than the mass-mailers. They change the components frequently and even when you remove registry key entries, the program simply reinstalls it," Thompson warned.
He said legitimate companies that market P2P applications such as Kazaa and Grokster have built spyware acceptance into complicated EULAs (end-user license agreements). "When you install the P2P program, you agree in advance to accept all future changes, even the changes made by the tricklers," he said.Kazaa, which is distributed by Sharman Networks, has been fingered by CA as the worst pest on its spyware list. The Islandia, N.Y.-based CA reckons that Kazaa users suffer from degrading network performance and storage consumption because of the embedded spyware and adware that comes with the application.
During his presentation at the security conference, Thompson predicted that malicious spyware writers will take advantage of P2P and instant messaging usage in the workplace to wreak havoc.
While activities such as file-sharing or downloading shareware are currently viewed as a mere nuisance, Thompson warned that the industry cannot afford to ignore the growing evidence that spyware "will soon become an even bigger headache than viruses."
He suggested businesses treat any program that offers remote access as a potential threat. "Even the network management tools that you use to access desktops can be spyware in the wrong context.
"Remember, a virus is a single program with a single registry key. With spyware, we're talking about thousands of programs with lots of registry keys. We don't even know the motive of the spyware authors. It's very hard to find legitimate use for a spyware program, no matter how hard we try," he added.
He said spyware running on enterprise computers is an "enormous threat" because there is absolutely no knowledge of the kinds of data being transmitted to the mother ship. "They're usually working over Port 80 so nothing is stopping it. The possibility for corporate espionage is enormous."
Thompson said he believes the industry will benefit from the passage of anti-spyware legislation. Congress is debating four anti-spyware bills, including HR 2929, which was introduced by U.S. Rep. Mary Bono to require that users give explicit permission before tracking software is installed.
"We need to monitor the activities of the adware purveyors to ensure they behave. The first step is to make sure we strengthen the rules for these companies. The fight back will be a combination of legislation and technology," Thompson said.
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.