Spyware: A Risk to Computer Security
Gina Doerr
3 May 2002
Information Systems and Security
Mr. David Wills
Executive Summary
Topics researched in this report include an explanation of what spyware is, examples of different software containing spyware, how Congress is planning to put a stop to it, and actions a computer user can take to protect themselves from spyware.
Explanation of Spyware
How Congress is planning to stop Spyware
Types of Spyware
How users can protect a computer
Questions for the Final:
1. What is spyware? A Trojan horse program hidden in adware that monitors Internet and other computer usage.
2. What is the name of the act that was presented to Congress but has yet to become a law? The Spyware Control and Privacy Protect Act
Ever have that feeling when someone is watching you that causes you to look over your shoulder or to look around the room until you see who is staring at you? When you are on a computer, you might still get that same feeling that you are being watched, only this time you cannot see who is doing the watching. Every time you connect to the Internet, every form you fill out, every keyword search you enter, and every website you visit is open to the possibility of being monitored by software you probably did not even know was installed on your computer. The potential security risk that spyware creates is a cause for concern to anybody using a computer. Topics researched in this report include an explanation of what spyware is, examples of different software containing spyware, how Congress plans to stop it, and actions a computer user can take to protect themselves from spyware.
Explanation of Spyware
To explain what spyware is and how it works, one first has to understand the history behind it. Freeware and shareware are popular ways to get software from the Internet without paying for it. These types of software can be distributed for free because they are paid for by companies that place ads into the program, earning it the name of adware (Tom-Cat, 2002). Adware is any software application in which advertising banners are displayed while the program is running (Tech Target, 2001). Most adware programmers provide a free version of the software, the one with the ads, or a registered version where the ads are taken out (Simply…2002). However, the tradeoff for downloading freeware (or adware) is that many now contain a Trojan horse hidden within the software: code that tracks a user's personal information and passes it on to third parties. The worst part is that because the user does not even know that this activity is occurring, it is occurring without the proper authorization from the user (Tech Target, 2001). This Trojan horse has been named spyware; other nicknames are snoopware and malware.
Spyware is an “independent, executable program on your computer that collects data about Internet usage without the user of the program knowing that the software is even installed and performing” (Tom-Cat, 2002). One main function of spyware is that when it traces the user’s Internet habits, it secretly sends this information back to an outside server, usually owned by the developer of the freeware or adware that has been downloaded and installed on that computer (Tom-Cat, 2002). The primary reason spyware was started in the first place was to collect demographic information for advertising purposes (Counter…(1), 2002). Basically, it profiles consumers, “tracking their web habits, then sending that information to remote servers where it is determined which ads best fit the user’s profiles” (Mello, 2000). Information about the user is also sold to marketing companies for a profit.
Unfortunately, spyware is capable of doing more than simple market analysis. Spyware has the ability to “monitor keystrokes, scan files on hard drives, read cookies, change default settings, see what websites users visit and for how long, and is designed to send all this information back to the programmer. Because spyware is an executable program it is not limited in the ways websites are that use cookies” (Counter…(1), 2002). Spyware is more dangerous because it has the capability to spy on all activities on a computer, which makes it a serious security risk (Counter…(1), 2002).
On Windows 95 and 98, the privileges of a spyware program include the ability to read, write and delete files, and to download and install other software. This last capability is called AutoInstall or AutoUpdate, and it is not secure. It opens the computer to other spyware programs and crackers. The spyware can even format the hard drive of the computer. Windows NT, on the other hand, has the ability to limit spyware a bit, but the spyware would still be able to do anything the user could do. This could be a risk if the software was installed on a computer used by someone with administrator privileges (Counter…(1), 2002).
With both operating systems, a unique code is placed on the computer to identify it and to track it. The problem with spyware is that it can easily go unnoticed. It is known to “hide in the background, not appearing on the directory list of programs, and some even reinstall themselves even after being deleted” (Counter…(2), 2002). It might even remain active after the removal of the freeware that contained the spyware (King, 2001). While it is clear that such a program is a security risk, as well as an invasion of privacy, too many Internet companies that are filing for bankruptcy are finding that spyware is an attractive way to make quick money by selling the information gathered to the highest bidder among marketing research firms or other agencies (Mello, 2000).
Steven Gibson of Gibson Research, a privacy software expert, explains that “any software is guilty of information theft if it is using a back channel to communicate information through the Internet without the explicit, informed consent for such use by the user” (Tech Target, 2001).
Not all adware is spyware, however. “To become spyware, the program has to be entering the system without notifications. Many adware companies are now offering consumer options such as ‘Opt In’, and disclosure statements before any information is collected” (Tom-Cat, 2002), therefore making the information gathering process an option. Also, many companies are revising their privacy policies and wording the End User License Agreement in a way that is clear and understandable (Tom-Cat, 2002). Yet, there are still some software companies that cleverly word their policy to hide the fact that spyware may be installed, and some have even conveniently failed to mention such software in the policy at all (Tom-Cat, 2002). The following is from Transcom’s Beeline and is an example of how an End User License Agreement may read. It states that: "By becoming an End User, you hereby agree that Transcom may share with other parties both aggregate information and limited individual information gathered during your use of Transcom’s Beeline and/or the Internet. You also agree that locator information about you may be gathered, processed or used as provided in the following instances: email address, physical address and/or other data that enable the recipient to personally identify the End User" (Gibson, 2000). While Transcom openly admits to watching and recording the end user’s use not only of their product but also of the Internet, there are many other software companies to beware of that are not so honest.
How Congress plans on stopping Spyware
As of today, “spyware is not an illegal type of software” (Simply…2002). However, with action from Congress, this may change in the near future. Lauren Weinstein, co-founder of People for Internet Responsibility, believes that "user information sent to a third party should be fully disclosed and approved by the user. This does not mean by hiding that disclosure in a licensing agreement that most people will never see or that can be changed at anytime" (Mello, 2000).
Congress is even realizing how threatening spyware can be. Senator John Edwards introduced two Internet privacy bills to Congress in 2000. The Spyware Control and Privacy Protect Act (S3180) will require “manufacturers of spyware software to give consumers clear and conspicuous notice, at the time of installation that the software contains spyware. Under this act, consumers will be notified of what information is being collected and who will be receiving it, and then the spyware program will not be activated until the user decides” (Krebs, 2000). This method is called "Opt In", where companies ask permission from the user first before collecting information. Currently most companies are using the "Opt Out" method, where companies collect data without the user’s permission (Glanz, 2001). Also, information must be encrypted and sent and stored securely, and users must be allowed access to the information collected so they can correct any errors and ensure accuracy. If this act is passed into law, it will allow the user to sue the software programmers for $500,000 per violation of their own policy. However, some spyware is exempt from this act. For example, employers using spyware to monitor Internet usage of their employees will not fall under this act (Krebs, 2000).
The second act introduced to Congress is the Electronic Privacy Protection Act (HR 5571). It would require physical devices to be attached to the outside of a computer that contains monitoring software. Again, this would fall under the employer monitoring the employee category, not necessarily the spyware that comes bundled with freeware.
To file a complaint against a violation of privacy, the Federal Trade Commission (FTC) handles complaints about deceptive or unfair business practices (Simply…2002). Their web address is www.ftc.gov.
Types of Spyware
There are many popular software applications on the Internet that contain spyware. This next section will expose a few of them and explain what the spyware code in them does to a computer, and how it affects the user’s security and privacy.
Aureate, which changed its name to Radiate, has been around long enough to be installed on over 30 million computers worldwide. Radiate collects demographic data that advertisers can use to target audiences. Some features include ads being displayed even while the user is not connected to the Internet; splash screens; customized demographic collections; and real time surveys. Besides transmitting ads, Radiate can also update itself. The EULA states that the "software will connect to the Internet ubiquitously to download advertisement and/or provide software updates." Radiate puts a numerical identifier on the computer, allowing it to know who sees its ads and how frequently they are viewed, and then reports that information back to the software company. According to the EULA, from time to time Radiate will share this information with other ad servers such as Flycase, 24/7 Media, Doubleclick, AdForce, Adsmart, and Teknosurf. The software has also been known to cause browser instability and crashes. Some Aureate/Radiate files to search for on a computer include: admage.dll, advert.dll, amcis.dll, amcisz.dll, anadsc.ocx, anadsv.ocx, htmdent.exe, ipcclient.dll, msipscv.exe, and tfde.dll (Privacy Power, 2000).
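The file-name search suggested above can be scripted. The following Python sketch is an added example, not part of the original report: it walks a directory tree and reports files whose names match the list above. The function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile

# File names the report lists (Privacy Power, 2000) as Aureate/Radiate components.
RADIATE_FILES = frozenset({
    "admage.dll", "advert.dll", "amcis.dll", "amcisz.dll", "anadsc.ocx",
    "anadsv.ocx", "htmdent.exe", "ipcclient.dll", "msipscv.exe", "tfde.dll",
})


def scan_for_radiate(root):
    """Return ({listed_name: [paths]}, [unreadable_dirs]) for the tree under root.

    Names are compared in lower case because Windows file names are
    case-insensitive. A match is an indicator to investigate, not proof:
    an unrelated file can share a name, and a renamed copy is not found.
    """
    found, unreadable = {}, []

    def note_unreadable(err):
        # os.walk skips directories it cannot list; record them so the
        # result shows which parts of the disk were not checked.
        unreadable.append(err.filename)

    for dirpath, _subdirs, filenames in os.walk(root, onerror=note_unreadable):
        for name in filenames:
            key = name.lower()
            if key in RADIATE_FILES:
                found.setdefault(key, []).append(os.path.join(dirpath, name))
    return found, unreadable


def make_sample_tree(base):
    """Create a small constructed directory tree of empty files for the demo."""
    layout = [
        ("WINDOWS/SYSTEM", "ADVERT.DLL"),             # listed name, upper case
        ("Program Files/SomeApp", "tfde.dll"),        # listed name
        ("Program Files/SomeApp", "advert.dll.bak"),  # near miss, not listed
        ("My Documents", "notes.txt"),                # unrelated file
    ]
    for folder, name in layout:
        path = os.path.join(base, *folder.split("/"))
        os.makedirs(path, exist_ok=True)
        open(os.path.join(path, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        make_sample_tree(sample_root)
        hits, skipped = scan_for_radiate(sample_root)
        for listed_name in sorted(hits):
            for path in hits[listed_name]:
                print(f"{listed_name}: {path}")
        print(f"{len(skipped)} directories could not be read")
```

To check a real machine, call scan_for_radiate with the root of the drive instead of the sample tree.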
Comet Cursor by Comet Systems is software that changes the cursor when the user visits certain websites. All Comet Cursors (except in Real Player 7) contain a global unique identifier, also known as a download number. Comet Cursor is a “browser extension that gives websites the power to change the cursor, substituting it for any image or animation” instead of the usual arrow (Privacy Power, 2000). It then collects the IP address and operating system information, the type of browser used, and the time of visit. The software then contacts its server to record what URL the user was at when the cursor changed, and what URL the user chose to view immediately after seeing the cursor change (Privacy Power, 2000). Users can prevent Comet Cursor from automatically installing itself by setting a prompt on the download of signed Active X controls. Do this by clicking on the Tool tab, Internet Options, Security, Custom Level, Download Signed Active X Controls, and checking “Prompt.”
Cydoor is similar to Radiate. It places advertising in its software and uses a global unique identifier. The software does not even have to be Internet related; the user only needs to access the Internet occasionally so ads can be downloaded secretly in the background and stored in a protected ad cache within each user's computer. Ad loads and reports are transmitted the moment the user connects to the Internet. Cydoor will also ask for information concerning gender, age, interests, marital status, and education. Like Radiate, it measures how many people its ads reach and how frequently they are viewed. The trouble with Cydoor is that “if the user terminates the host software, Cydoor will install itself without it. This also happens if the host software is installed, then later uninstalled, Cydoor will not uninstall with it, and it does not provide an uninstall option” (Privacy Power, 2000).
Hotbar is a browser toolbar that collects and stores information about the user on its server. By monitoring browsing habits, it determines which ads to deliver to the user’s browser and which button to display on the toolbar, and it delivers a flash popup to any URL the advertiser chooses. Hotbar stores the IP address, domain name, URL of the websites visited, Hotbar cookie number, and the date and time logged on. It also remembers search terms typed into search engines, which toolbar button the user clicked on, which links were clicked on, and the amount of time spent at each session. Worst of all, if personal information is entered into forms, Hotbar may collect this information as well, if the site forwards the entered information via form scripts (Simply…2002).
How to protect a Computer
Although having spyware on one’s computer is a risk, there are several ways to prevent this from happening and to remove it if it does happen.
First, if one is not sure of a freeware/shareware program, it should always be checked out before it is downloaded to avoid the risk of installing spyware on the computer. There are several websites that contain large databases of software names known to contain spyware. To name a few: spychecker.com; tom-cat.com; surasoft.com; spywareinfo.com; and idcide.com.
Another way of protecting a computer is by using a free download from LavaSoft.com called Ad-aware. Ad-aware works very much like an anti-virus protection program, in that it will check your drives for spyware programs. It will scan memory, the registry, and hard drives for known spyware, give the user the option to choose the ones they would like to have automatically removed, and then remove them safely from their computer. Ad-aware is kept up to date on new software names that contain spyware with RefUpdate. Also from LavaSoft is Ad-watch, which is an “anti-spyware monitor that silently runs in the background waiting for spyware to try to install or modify the registry.” Ad-aware will stop this action from happening and immediately alert the user (Tom-Cat, 2002). However, RadLight version 3.03, a multi-media software, will delete Ad-aware if installed. According to its End User License Agreement, RadLight will search for the default "Ad-aware installation path" and remove it if found. It will then install two spyware applications, WhenU.com's “Save now” and New.net's web navigation plugin (McWilliams, 2002). Ad-aware users must re-install Ad-aware to make sure it is working correctly.
Finally, firewalls can also alert users to the presence of spyware and its activities. One free firewall that blocks spyware communications is Zone Alarm by Zone Labs. It is a firewall that monitors all Internet traffic, alerting the user to any software trying to transmit data out through the Internet. It gives the user the option of either allowing the transmission to take place or blocking it. It also puts the computer's ports in "stealth mode", which means the computer is invisible to the Internet and to hackers (Simply…2002).
In conclusion, while downloading freeware may be the inexpensive way to acquire software, one has to be careful about which freeware one chooses to download. Although some adware does not contain spyware, more often than not adware has Trojan horse code within its programs. The potential security risk and invasion of privacy put all Internet users in jeopardy. Until laws are passed that prevent this type of software from being distributed, computer users must protect their information by only downloading trusted software; using Ad-aware to find existing spyware on the computer system; or installing a firewall like Zone Alarm to alert them to any and all suspicious Internet usage.
Counter Exploitation (1). “The Trouble with Spyware and Advertising-supported Software.” (2002) http://cexx.org/problem.htm 20 April 2002.
Counter Exploitation (2). “What is Spyware.” (2002) http://cexx.org/whatis.htm 20 April 2002.
Gibson, Steven. “Fine Print Funny Business.” Gibson Research Corporation. (2000) http://grc.com/oo/fineprint.htm 13 April 2002.
Glanz, William. “Protecting Personal Data.” Insight on the News. (16 April 2001) http://www.findarticles.com/cf_0/m1571/14_17/75819902/p1/article.jhtml 20 April 2002.
King, Mike. “Ad-aware.” Computer Weekly. (18 January 2001) http://www.findarticles.com/cf_0/m0COW/2001_Jan_18/69673216/p1/article.jhtml 20 April 2002.
Krebs, Brian. “Sen. Edwards Intro’s Spyware Control Act.” Newsbytes. (9 October 2000) http://www.findarticles.com/cf_0/m0NEW/2000_Oct_9/65908292/p1/articles.jhtml 20 April 2002.
McWilliams, Brian. “Anti-Spyware Program Targeted by Multimedia Player.” Newsbytes. (23 April 2002) http://www.newsbytes.com/news/02/176075.html 25 April 2002.
Mello, John P. “Is this an Intelligent Agent?” CFO, The Magazine for Senior Financial Executives. (Winter, 2000) http://www.findarticles.com/cf_0/m3870/15_16/68160585/p1/article.jhtml 20 April 2002.
Privacy Power. “Adware, Badware, Spyware Profiles.” (2000) http://www.accs-net.com/smallfish/index.html 27 April 2002.
Simply the Best. “Spyware.” Security Tools-Shareware. (2002) http://www.simplythebest.net/info/spyware.html 13 April 2002.
Tech Target. “Adware.” (2001) http://whatis.techtarget.com/definition/0,289893,sid9_gci521293,00.html 13 April 2002.
Tom-Cat Internet Solutions. “Is it Adware, or is it Spyware?” (2002) http://www.tom-cat.com/adware.html 13 April 2002.