|
|
|
 |
|
|
|
||||
|
More Internet Chat Dedicated server Domain names Online games Voip Web hosting Home |
In the field of computing, the term spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party. In simpler terms, spyware is a type of program that watches what users do with their computer and then sends that information over the internet. Spyware can collect many different types of information about a user. More benign programs can attempt to track what types of websites a user visits and send this information to an advertisement agency. More malicious versions can try to record what a user types to try to intercept passwords or credit card numbers. Yet other versions simply launch popup advertisements. History and development The first recorded use of the term spyware occurred on October 17, 1994 in a Usenet post that poked fun at Microsoft's business model. Spyware later came to refer to espionage equipment such as tiny cameras. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall. Since then, computer-users have used the term in its current sense. Spyware, adware, and tracking The term adware frequently refers to any software which displays advertisements, whether or not it does so with the user's consent. Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service. Many of the programs frequently classified as spyware function as adware in a different sense: their chief observed behaviour consists of displaying advertising. Claria Corporation's Gator Software and Exact Advertising's BargainBuddy provide examples of this sort of program. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user experiences a large number of pop-up advertisements. Other spyware behaviours, such as reporting on websites the user visits, frequently accompany the displaying of advertisements. Monitoring web activity aims at building up a marketing profile on users in order to sell "targeted" advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such) although many users choose to install it. Spyware, virus and worm Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, however, spyware - by design - exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites. Effects and behaviors A piece of spyware rarely "lives" alone: an affected computer can rapidly become infected with large numbers of spyware components. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic which thereby slows down legitimate uses of these resources. Stability issues, such as application or system-wide crashes, are also common. Spyware which interferes with networking software commonly causes difficulty connecting to the Internet. In some cases of spyware infection, the user has no awareness of spyware and assumes that the system performance, stability, and/or connectivity issues relate to hardware, to Microsoft Windows installation problems, or to a virus. Some owners of badly infected systems resort to contacting technical support experts, or even buying an entire new computer system because the existing system "has become too slow." Badly infected systems may require a clean reinstall of all their software in order to restore the system to working order. This can become a time-consuming task, even for experienced users. Only rarely does a single piece of software render a computer unusable. Rather, a computer rarely has only one infection. As the 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. The cumulative effect, and the interactions between spyware components, typically cause the stereotypical symptoms reported by users: a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Documented cases have also occurred where a spyware program has disabled other spyware programs that have been installed by its competitors. Some other types of spyware (Targetsoft, for example) modify system files to make themselves harder to remove. (Targetsoft modifies the "Winsock" Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage.) Unlike users of many other operating systems, a typical Windows user has administrator privileges on the system, mostly for convenience. Because of this, any program which the user runs (intentionally or not) has unrestricted access to the system. Spyware, along with other threats, has led some Windows users to move to other platforms such as Linux or Apple Macintosh, which are less attractive targets for malware, since programs are not granted unrestricted access to the operating system due to the Unix underpinnings that both Linux and Mac OS X are built upon. Remedies and prevention As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system. Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data, and fully reinstalling the operating system. Anti-spyware programs Lavasoft's Ad-Aware, one of a few reliable freeware anti-spyware programs, after scanning the hard drive of an infected Windows XP system.Many programmers and some commercial firms have released products designed to remove or block spyware. Steve Gibson's OptOut, mentioned above, pioneered a growing category. Programs such as Lavasoft's Ad-Aware SE and Patrick Kolla's Spybot - Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the GIANT AntiSpyware software, rebadging it as Windows AntiSpyware beta and releasing it as a free download for Windows XP, Windows 2000, and Windows 2003 users. In early spring, 2006, Microsoft renamed the beta software to Windows Defender, currently "beta 2." The renamed software for now exists as a time-limited beta test product that will expire (beta 1 in July 2006, and beta 2 in December, 2006). Microsoft has also announced that the product will ship (for free) with Windows Vista. Other well-known anti-spyware products include Webroot Spy Sweeper, Trend Micro's Anti-Spyware, PC Tools' Spyware Doctor, and Sunbelt's CounterSpy (which uses a forked codebase from the GIANT Anti-Spyware, now called Microsoft's Windows Defender). Blue Coat Systems released a gateway anti-spyware solution in 2004. Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and now offers real-time protection from them (as it does for viruses). Real-time protection blocks spyware in the process of installing itself. Here, Windows AntiSpyware blocks an instance of the AlwaysUpdateNews spyware.Anti-spyware programs can combat spyware in two ways: 1. real-time protection, which prevents the installation of spyware detection and removal of spyware. Writers of anti-spyware programs usually find detection and removal simpler, and many more programs have become available which do so. Such programs inspect the contents of the Windows registry, the operating system files, and installed programs, and remove files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because many spyware and adware are installed as a result of browser exploits or user error, using security software (some of which are antispyware, though many are not) to sandbox browsers can also be effective to help restrict any damage done. Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs. To date, other programs such as Ad-Aware and Windows AntiSpyware now combine the two approaches, while SpywareBlaster remains focused on prevention. Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making "signatures" or "definitions" which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates gratis. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually. Not all programs rely on updated definitions. Some programs rely partly (for instance many antispyware programs such as Windows Defender, Spybot's Tea timer, Spysweeper) or fully (programs falling under the class of Hips such as BillP's WinPatrol), on historical observation. They watch certain configuration parameters (such as certain portions of the Windows registry or browser configuration) and report any change to the user, without judgment or recommendation. Their chief advantage is that they do not rely on updated definitions. The disadvantage is that they can offer no guidance. The user is left to determine "what did I just do, and is this configuration change appropriate?" Others like Windows Defender's Spynet use community based information to help guide users(by looking at decisions made by others) and for analysts to spot fast spreading spyware. If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware. New breed of spyware (Look2Me spyware by NicTechNetworks is a good example) are starting to hide inside system critical process and startup even in safe mode. With no process to terminate they are harder to detect and remove. Sometimes they do not even leave any on-disk signatures. Another twist on spyware hiding is the increasing use of rootkit technology.[18] Another popular method is hiding using NTFS Alternate_Data_Streams. Many spyware these days also have specific counter measures against well known anti-malware products and may present them from running or being installed. An example of one that uses all three methods is Gromozon. Gromozon represents a new breed of malware. It uses Alternate_Data_Streams to hide. A rootkit hides it even from Alternate_Data_Streams scanners and actively stops popular rootkit scanners from running. |
|||