May 03, 2004 (COMPUTERWORLD) - Bruce Edwards began to understand that spyware was more than a consumer PC problem when his users started complaining loudly about poor performance and an increase in pop-up ads. But it wasn't until after he'd checked all of his organization's PCs that Edwards understood the full scope of the problem.
"My customer workstations were really gummed up," says Edwards, LAN administrator at the Administrative Office of the Courts in Little Rock, Ark. All 200 machines in his offices were running a wide range of spyware, and many were running multiple programs. The programs ran in the background without the users' knowledge, downloading information on Web surfing activities and uploading advertising in the background for use in pop-up ads. As the volume of these hidden programs grew, they began using up system resources and choking off network bandwidth. Annoyed with all the pop-up ads, some users downloaded free pop-up blocker programs that installed even more spyware.
Spyware programs discreetly install themselves on PCs, establish a back channel over which to download information about the user and typically upload advertisements—often over HTTP Port 80. Programs designed specifically to deliver targeted advertising are also called adware. But adware and other types of software that install without the user's explicit consent and establish background communications—including surveillance programs, key loggers, remote control tools and Trojans—are also described as spyware.
Companies have traditionally viewed spyware as a nuisance that's best handled by desktop support groups. But IT organizations are beginning to view it as a security risk as well because spyware is becoming more common and the programs are growing more sophisticated.
Edwards used PestPatrol, a spyware scanning and removal tool, to clean up the mess. But the big issue for him isn't system performance or productivity-sapping pop-ups—it's the uneasy feeling that these programs have opened an unauthorized communication channel that could put sensitive court documents at risk. He worries that, in addition to downloading data on Web surfing activity, a spyware program may capture user log-in and password information, or that a benign adware program may provide a communications pathway that could be hijacked for uploading more malicious software. Analysts say that while some adware programs simply monitor Web surfing activity and serve up annoying pop-up ads, others could be stealing e-mail addresses and passwords, allowing background downloads of more malicious software, or sending sensitive data to competitors. "We think the capability to do that is there," says John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.
Getting In
Spyware applications may install themselves after a user clicks on a pop-up dialog box, opens an e-mail attachment or downloads freeware. In some cases, unpatched Windows machines may be vulnerable to "drive-by" attacks, in which malicious code embedded in a viewed Web site exploits Internet Explorer vulnerabilities and lax security settings to install itself without the user clicking on anything.
As spyware accumulates, it consumes increasing amounts of resources. A single program may install upward of 300 files and make 500 registry entries, says Roger Thompson, vice president of development at PestPatrol Inc. in Carlisle, Pa.
Spyware programs may also be used in corporate espionage. Thor Larholm, senior security researcher at network security tool vendor PivX Solutions LLC in Newport Beach, Calif., says a hacker stole one company's trade secrets by using an adware program's communications channel to plant a Trojan on corporate desktops.
The adware was set up to communicate with the adware producer's Web page in order to retrieve new advertisements. The attacker used a "man-in-the-middle" attack to alter the Web page with malicious code that could exploit an Internet Explorer vulnerability on unpatched Windows machines. Because the target company's PCs were vulnerable, the attacker was able to install the backdoor program. "By hijacking the adware traffic, he gained access to five machines," Larholm says. The attacker spent two months collecting trade information and data on new projects before the hole was detected and closed. The lesson, Larholm says: "Any kind of unknown code running on desktops is a liability."
Reports of such nightmare scenarios are rare, but they worry Sean, a security engineer at a large financial services company who asked that his full name and company not be used. "I don't think we deal with [spyware] the way we should. I think it's going to get worse," he says. A disruption in day-to-day workflows caused by spyware "could translate into big bucks" for his company, he adds. But until a major incident occurs, Sean doubts his organization will act. "There's not enough senior management buy-in to the problem. Our hands are full just handling the antivirus stuff," he says.
Preventive Measures
Keeping spyware out isn't easy, users and vendors say. Antivirus software and Web content filters can help. But preventing spyware problems also requires installation of desktop firewall software on every Windows machine to detect and block attempts to install spyware, whether by the user or through the social engineering tricks spyware creators play to get users to click on a misleadingly worded pop-up window. It requires rigorous patching and updating of Windows and Internet Explorer vulnerabilities. And it requires the blocking of all executable e-mail file attachments.
Another way to thwart spyware downloads is by giving Windows XP users restricted access rather than full administrator access to their local machines. "Linux users would never run the computer as root and read e-mail ... but that's what Windows users do all the time," says Mikko Hypponen, antivirus research director at San Jose-based F-Secure Inc. Many spyware programs simply can't install if the user doesn't have local admin rights. "In talking with large companies on a weekly basis ... I'm surprised how many still provide users with full admin privileges on the desktop," says Candace Worley, product manager for McAfee VirusScan. Sean, at the financial services company, acknowledges that many of the more than 100,000 employees in his organization have full admin rights to their machines. But, he says, "it's not practical to lock down the desktop completely," because users demand some flexibility.

Patching is critical, but it won't block all exploits, says Larholm, who until recently provided a list of unpatched Internet Explorer vulnerabilities on the PivX Web site. That list once had 32 entries. "Today I would estimate that there are still 14 unpatched vulnerabilities. About half of those allow for command execution. About half of the remaining ones allow cross-domain scripting," says Larholm. Microsoft Corp.'s upcoming Service Pack 2 will remedy many of those, he says.
SP2 is expected to create application compatibility issues, but Gartner's Pescatore recommends implementing it as soon as possible. "We'll see a pretty high incidence of breakage, but it's one you should be doing," he says.
Still, SP2 won't help Sean's company. It's still using Version 5.5 of Internet Explorer, he says, noting that many large corporations aren't using the most up-to-date versions of their Web browsers "because newer versions can break intranet applications."
Pete Simpson, ThreatLab manager at Reading, England-based Clearswift Ltd., which sells Web and e-mail content filters, says blocking all executable file attachments is critical because antivirus software doesn't always detect embedded spyware. Pete Munro, network manager at a U.K.-based vertical-market software vendor, once intercepted an e-mail file attachment purporting to be a wedding invitation. If executed, the attachment would have installed a copy of iSpyNow, a commercial surveillance spyware program. Says Munro, who asked that his company not be named, "Our source code is very valuable. If anyone stole it, changed it or deleted it, that could cause us a lot of trouble."

Munro blocked the attachment at the e-mail gateway. Users are also protected by not having local admin privileges on their machines. Munro says he's glad the gateway did its job because his antivirus scanner ignored the attachment. "From their point of view it's a commercial program," he says.
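The gateway rule Simpson and Munro describe is a policy check on the attachment name, independent of whether an antivirus signature exists. Below is an added illustration of that check (not code from any of the vendors or companies in the article); the extension list and the sample attachment names are constructed for the example, and it handles the name tricks a naive "ends with .exe" test misses.

```python
from typing import List, Tuple

# Constructed list of Windows executable/script extensions that a
# "block all executable attachments" policy would cover. Not a vendor list.
EXECUTABLE_EXTS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "cpl", "dll", "reg", "lnk",
}


def is_executable_attachment(filename: str) -> bool:
    """True if the attachment name should be blocked as executable.

    Normalises case, trailing dots/spaces (which Windows strips when
    saving, so 'setup.exe.' still runs as an .exe) and double extensions
    such as 'invitation.doc.exe', where only the last extension matters.
    """
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return False            # no extension at all
    return parts[-1] in EXECUTABLE_EXTS


def filter_attachments(names: List[str]) -> Tuple[List[str], List[str]]:
    """Split attachment names into (blocked, allowed) per the policy."""
    blocked, allowed = [], []
    for n in names:
        (blocked if is_executable_attachment(n) else allowed).append(n)
    return blocked, allowed


# Constructed sample attachment names; the first two mirror the
# "wedding invitation" lure described in the article.
SAMPLE_ATTACHMENTS = [
    "wedding_invitation.doc.exe",
    "Wedding Invitation.SCR",
    "agenda.pdf",
    "report.xls",
    "setup.exe.",
    "notes.txt ",
    "README",
]

if __name__ == "__main__":
    blocked, allowed = filter_attachments(SAMPLE_ATTACHMENTS)
    print("blocked:", blocked)
    print("allowed:", allowed)
```

A production gateway would apply the same rule to the names of files inside archive attachments, since a zipped executable bypasses a check on the outer filename alone.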
Such programs are clearly a threat, yet most antivirus tools and even some antispyware programs don't detect commercial software and adware that include end-user license agreements.
"Vendors producing different types of advertisement software are threatening to sue us because we're making them look bad," says Hypponen. To avoid such issues, he says his company provides signatures only for malicious programs used for "criminal intent." Both Network Associates Inc. and Symantec Corp. have begun to add some spyware-detection capabilities to their corporate offerings, but both struggle with the same issues. "The Symantecs and McAfees have been very slow to add spyware capabilities, and it's not clear to me why—because it's a big problem," says Pescatore.
Ultimately, IT organizations don't care whether spyware programs are legitimate adware, commercial surveillance programs or malware. They need to know about anything that's not part of the standard system. "If you have tons of spyware on your machines, you're letting other companies use your private property to earn money. That's a big corporate liability," says Larholm. "If anyone should be monitoring your employees, it should be you."