
WHAT ARE ADWARE AND SPYWARE, REALLY?


Symantec Corporation said recently that it found itself forced to start dealing with spyware and adware simply because users of Symantec antivirus programs really couldn’t tell the difference between a system infected with malware (virus, Trojan, worm, and so forth) and a system infested with adware or spyware.

For the past 3 months, nearly one out of every five calls for help to Symantec ended up involving spyware or adware rather than what they call malware. To The Point readers know that I’ve been using the opposite terminology. Viruses, trojans and worms were in one category, and spyware and adware I called malware.

Stop and think about the most common symptoms. As it happens, some forms of spyware or adware can present the same sorts of telltales that viruses and Trojans can—namely diminished performance, system instability that can be occasional or more constant, the mysterious appearance of new processes, and Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports opened for no apparent reason.

However, other symptoms of adware or spyware—such as increased pop-up ads, or changes to default home pages or search engines—seldom occur from viruses or trojans, if ever.

These days, virus experts recognize that certain threats should rightly be called blended, in that they combine virus, worm, and sometimes even trojan characteristics within a single executable.

But in some cases, the same is true for spyware, in that it may include trojan characteristics (reporting of data gathered or harvested from user machines has to occur somehow, and some such software uses Internet Relay Chat [IRC] or other instant messaging services, or may simply open specific ports to signal its readiness to serve up information on demand; other types are more aggressive and include back doors or clients designed for unadvertised and unauthorized remote access).

Likewise, some adware also includes mechanisms to transfer ads to user machines so that they can be displayed even when a PC isn’t logged on to the Internet – and boy, can that ever give you a case of the creeps the first time that happens!

The boundaries between viruses, trojans, adware, and spyware are getting harder to draw cleanly.

Symantec isn’t the only vendor with a well-known set of anti-virus tools that is taking steps to extend its protective shielding to exclude adware and spyware. There’s an increasing trend among the major players to make anti-spyware/anti-adware part of their offerings, and to include such functionality in their bundled products.

But where a sense of urgency and importance in protecting one’s PC from malware is pretty well understood and established, protecting oneself against adware, spyware, and other forms of unwanted software and content is really just starting to take hold. I hope the readers of my column developed this sense of urgency long ago.

A July 2004 report from Trend Micro (makers of PC-Cillin, another well-known anti-virus package with growing anti-spyware and anti-adware coverage) includes this chilling statement:

“Reports now show that nearly one in three computers are infected with a Trojan Horse or system monitor planted by spyware. These hidden software programs gather and transmit information about a person or organization via the Internet without their knowledge.”

According to definitions, it’s hard to say what’s spyware and what’s malware because of these capabilities—it’s really both!

Microsoft’s Protect Your PC web page now makes this case. The company clearly recognizes the importance of patching a PC’s operating system, and strongly recommends the use of a firewall, and stresses use of up-to-date anti-virus software.

Where once it omitted mention of any need to protect PCs against adware, spyware, spam, and other forms of unwanted software and content, now it issues its own anti-spyware product for free. I’ve recommended that you use it.

I’d argue that the company’s more protective security defaults in Windows XP Service Pack 2 (SP2), along with the pop-up blocker in Internet Explorer (IE) and the more capable Windows Firewall, signify Microsoft’s growing sensitivity to such matters.

So – What Are Spyware and Adware, Really?

Their essence is that both types of software enter a system uninvited and often without soliciting permission.

Adware may sometimes claim it’s been granted permission because of terms and conditions buried somewhere in fine print in a multipage software license or end user license agreement—you know, the ones where you click “I agree” without necessarily reading all the fine print.

Most experts agree that claims of full and open disclosure as a result are not credible or terribly ethical.

Spyware seldom seeks to cloak itself in respectability, but some kinds of spyware—especially browser cookies designed to profile visitors who return to a Web site—may also be granted user permission through licenses or usage agreements.

What’s different about spyware as compared to adware is that it gathers information about users so it can report it to a third party. What’s different about adware as compared to spyware is that it seeks to create conduits for sending or displaying advertisements (and may also collect user information to better target ad selection based on user preferences, sites visited, items purchased, and so forth) as a primary objective.

How would you classify an item of software with the following characteristics?

• Shows up uninvited, and attempts to foil various potential means of detection (anti-virus, anti-spyware/anti-adware, and sometimes even firewall software). Does everything it can to stay hidden and remain undetected. These are characteristic of spyware, adware, viruses and trojans alike.

• Scans all files on the computer on which it resides (especially e-mail messages, documents, text files, and other sources of personal information), harvesting names, addresses, phone numbers, social security numbers, bank account information, credit card numbers and other related data, and so forth. It stores all of this information in some covert manner, possibly encrypted. This is a typical characteristic of more malicious forms of spyware.

• When some time or data collection threshold is passed, opens a “safe” port on the infected computer and uploads all harvested data to a server elsewhere on the Internet. As soon as the upload concludes, the open ports are closed and the software goes back into hiding.

Alternatively, the software could create an e-mail message, and then use a client e-mail package to send it or employ its own built-in Simple Mail Transfer Protocol (SMTP) engine. This opens a back door to communicate private, confidential information without a user’s knowledge or consent and is characteristic of spyware and some trojans.
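
A port that opens only for the length of an upload and then closes again will be missed by a single look at the system, but it shows up when periodic snapshots are compared against a known-clean baseline. The following is an added example, not part of the original column: the snapshot text, timestamps, port numbers, PIDs and function names are all constructed for illustration, laid out in the columns of Windows `netstat -ano`.

```python
from collections import defaultdict

# Constructed snapshots in the column layout of Windows `netstat -ano`
# (Proto, Local Address, Foreign Address, State, PID); not real captures.
BASE = """\
  Proto  Local Address    Foreign Address   State        PID
  TCP    0.0.0.0:135      0.0.0.0:0         LISTENING    912
  TCP    0.0.0.0:445      0.0.0.0:0         LISTENING    4
  UDP    0.0.0.0:123      *:*                            1080
"""
SNAPSHOTS = [
    ("09:00", BASE),  # trusted baseline taken on a known-clean system
    ("09:05", BASE + "  TCP    0.0.0.0:8080     0.0.0.0:0         LISTENING    3344\n"
                     "  TCP    10.0.0.5:8080    203.0.113.9:4021  ESTABLISHED  3344\n"),
    ("09:10", BASE + "  UDP    0.0.0.0:5353     *:*                            2200\n"),
]

def parse_netstat(text):
    """Return {(proto, local_port, pid)} for listening TCP and bound UDP sockets."""
    endpoints = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            local, pid = f[1], f[4]
        elif len(f) == 4 and f[0] == "UDP":  # UDP rows have no State column
            local, pid = f[1], f[3]
        else:
            continue  # header, established connections, blank lines
        endpoints.add((f[0], int(local.rsplit(":", 1)[1]), int(pid)))
    return endpoints

def classify_new_ports(snapshots):
    """Split ports absent from the first (baseline) snapshot into
    transient (gone again by the last snapshot) and persistent."""
    parsed = [(label, parse_netstat(text)) for label, text in snapshots]
    baseline, final = parsed[0][1], parsed[-1][1]
    seen = defaultdict(list)
    for label, endpoints in parsed[1:]:
        for ep in endpoints - baseline:
            seen[ep].append(label)
    transient = {ep: t for ep, t in seen.items() if ep not in final}
    persistent = {ep: t for ep, t in seen.items() if ep in final}
    return transient, persistent

if __name__ == "__main__":
    transient, persistent = classify_new_ports(SNAPSHOTS)
    for kind, found in (("transient", transient), ("persistent", persistent)):
        for (proto, port, pid), times in sorted(found.items()):
            print(f"{kind}: {proto}/{port} pid={pid} seen at {', '.join(times)}")
```

The PID attached to each flagged port is what lets you tie it back to one of the "mysterious" new processes in the task list.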

First, it’s important to know that no known virus or spyware exhibits this exact collection of characteristics. Security experts also believe that viruses and trojans are changing from a hobbyist or “mountain climber” mentality (those who do things for fun, or because they can or want to prove they can) to more of a professional criminal mentality.

Now that repeated exploits have demonstrated how vulnerable common operating systems and applications can be, professional criminals can’t help but recognize serious opportunities to practice identity theft and use that information to steal money from unsuspecting Internet users.

Many American households carry $20,000 or more in combined lines of credit and unused credit card balances; without careful fraud detection and alerting from card issuers, those same households might have to wait until their next statement to realize they’ve been victimized.

Right now, the code to do all of the things described in the preceding list already exists in bits and pieces, so no new technology is needed to stitch them together and create a single program with all those characteristics.

Facing a threat of this nature, who cares if it’s spyware or a trojan? In fact, it’s a blended threat and one with economic consequences of enormously grave proportions. Although I’m aware of nothing like this in the wild just yet, it’s probably just a matter of time before something indeed comes along.

To be continued.

Dennis Turner