Communications of the ACM

Spyware

Why Spyware Poses Multiple Threats to Security


Spyware is becoming a relentless onslaught from those seeking to capture and use private information for their own ends. Spyware is annoying and negatively impacts the computing experience. Even worse, there are real and significant threats to corporate and even national security from those who use and abuse spyware.

There is much debate in Congress, state legislatures, and industry about what constitutes spyware. While that debate is an important one in terms of possible remedies, we can count the cost that unfettered spyware is having on individual users as well as on corporate networks. Regardless of whether we agree to divide the term spyware into various subsets such as adware or malware, the truth is any software application, if downloaded unknowingly or unwittingly, and without full explanation, is unacceptable and unwelcome.

With that understanding as a backdrop, the following is a working definition of spyware: Any software intended to aid an unauthorized person or entity in causing a computer, without the knowledge of the computer's user or owner, to divulge private information. This definition applies to legitimate business as much as to malicious code writers and hackers who are taking advantage of spyware to break into users' PCs.

Many PC users have unwittingly loaded, or unknowingly had spyware downloaded onto their computers. This happens when a user clicks "yes" in response to a lengthy and often extremely technical or legalistic end user licensing agreement. Or it happens when a user simply surfs the Web, where self-activating code is simply dropped onto their machines in what is known as a "drive-by download."

Spyware Dangers Real and Pervasive

The dangers of spyware are not always known and are almost never obvious. A virus or worm usually announces itself through visible symptoms; spyware does not. It silently installs itself on a PC, where it may begin any number of unwanted actions, including:

  • "Phone home" information about an individual, their computer, and their surfing habits to a third party, which uses it to spam the user or push pop-up ads to their screen;
  • Open a computer to a remote attacker via a Remote Access Trojan (RAT), giving the attacker remote control of the machine;
  • Capture every keystroke a user types—private or confidential email, passwords, bank account information—and report it back to a thief or blackmailer;
  • Allow a computer to be hijacked and used to attack a third party's computers in a denial-of-service attack that can cost enterprises millions and expose them to legal liability; and
  • Probe a system for vulnerabilities that can enable a hacker to steal files or otherwise exploit a computer system.

Spyware Harms Computer Performance

The misuse of technology through spyware, and the hijacking of computers it enables, is a real and present danger to security and privacy. The ill effects of spyware do not stop there: spyware seriously degrades computer performance and productivity.

Testing at our company's research laboratory earlier this year revealed that the addition of just one adware pest slowed a computer's boot time by 3.5 minutes. Instead of just under two minutes to perform this operation, it took the infected PC close to seven minutes. Multiply that by a large number of PCs and you have a huge productivity sinkhole. Add another pest and the slowdown doubles again.

We also tested Web page access, and again it took much longer once a pest was added to a clean machine. In fact, a Web page took almost five times longer to load on the infected PC. The pest also caused three Web sites to be accessed rather than the one requested, and caused the PC to transmit and receive much greater amounts of unknown data: 889 bytes transmitted compared to 281 transmitted from the clean machine, and 3,086 bytes received compared to 1,419 bytes received by the clean machine. This translates into significant increases in bandwidth utilization. Managing bandwidth costs money.
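A small defender-side check modelled on the clean-versus-infected comparison above, added here as an illustration and not code from the article or the author's laboratory: it summarises constructed proxy-style log lines for a clean and a suspect session (host names and per-line byte counts are invented) and flags sessions that contact hosts the clean baseline never did, or that move more than twice the baseline's traffic in either direction.

```python
from collections import defaultdict

# Constructed proxy-style log lines (not from the article's laboratory):
#   <session> <requested_host> <bytes_sent> <bytes_received>
# One page request on a clean machine, and the same request on a machine
# carrying an unwanted add-on that also contacts two extra hosts. Per-line
# values are invented but chosen to sum to the totals quoted above.
SAMPLE_LOG = """\
clean news.example.com 281 1419
infected news.example.com 283 1421
infected tracker.example-ads.net 310 905
infected stats.example-pest.org 296 760
"""

def summarize(log_text):
    """Return {session: {"hosts": set, "sent": int, "recv": int}}."""
    sessions = defaultdict(lambda: {"hosts": set(), "sent": 0, "recv": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        session, host, sent, recv = line.split()
        s = sessions[session]
        s["hosts"].add(host)
        s["sent"] += int(sent)
        s["recv"] += int(recv)
    return dict(sessions)

def flag_deviations(summary, baseline="clean", ratio=2.0):
    """Flag sessions that reach hosts the baseline never did, or move more
    than `ratio` times the baseline's bytes in either direction."""
    base = summary[baseline]
    findings = {}
    for name, s in summary.items():
        if name == baseline:
            continue
        reasons = []
        extra = s["hosts"] - base["hosts"]
        if extra:
            reasons.append(f"extra hosts: {sorted(extra)}")
        if s["sent"] > ratio * base["sent"]:
            reasons.append(f"sent {s['sent']} B vs baseline {base['sent']} B")
        if s["recv"] > ratio * base["recv"]:
            reasons.append(f"received {s['recv']} B vs baseline {base['recv']} B")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for session, reasons in flag_deviations(summarize(SAMPLE_LOG)).items():
        print(session, "->", "; ".join(reasons))
```

On a real network the baseline would come from a known-clean image fetching the same page, so that legitimate third-party content is not mistaken for a pest.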

Increased costs due to unnecessary consumption of bandwidth on individual PCs, and the necessary labor costs in rebuilding systems to ensure they are no longer corrupt are virtually unquantifiable. System degradation is time consuming for the individual PC user and even more so for network administrators managing corporate networks. Even new PCs straight from the factory come loaded with thousands of pieces of spyware, all busy "phoning home" information about the user and slowing down computing speeds.

National Security Threats

As noted here, keystroke loggers and other programs embedded with spyware can be used to steal critical data. Literally thousands of spyware applications are downloaded every day in large organizations whose employees use the Internet. The probability is high that at least some of those applications are designed to steal passwords and other critical data. Theft through spyware could be the most important and least understood espionage tactic in use today.

Another disturbing threat posed by spyware goes directly to the ability of terrorists or others to disable computer networks in times of crisis. In the past year, spyware has been used to essentially hijack large numbers of personal computers and organize them into "Bot Armies." Some of the organizers of these armies use them to send millions of spam email messages without user knowledge. Advertisements offering this service have even appeared in Europe and Asia.

The potential exists to move beyond annoyance to something much worse—targeted distributed denial-of-service (DDoS) attacks aimed at disrupting major business or government activity. A DDoS attack coordinated through thousands of individual PCs, owned by innocent and even unwitting users, could be a very difficult threat to address quickly, effectively, and fairly.

Individual PC users are never aware their machine is being used to disrupt Internet traffic. There is currently little or no recourse to a legal solution even if the occurrence can be monitored.

Possible Solutions

Only a combination of education and protection, disclosure through legislation, active prosecution, and planning will provide the answer needed to address the spyware threat. None of these solutions by themselves is enough.

The first line of defense is education and protection. Any individual, business, or government agency currently connected to the Internet must realize they are part of a complex network that is inextricably intertwined. Creators of spyware take advantage of that fact, plus the knowledge that most PC users are not sophisticated technologists. The technology industry has begun to make computer users aware of the spyware threat by the creation of and active outreach by several groups and organizations, including the Consortium of Anti-Spyware Technology (COAST).

Consumer education about spyware and promotion of comprehensive anti-spyware software aimed at detecting and removing unwanted pests is fundamental to this outreach, which is modeled after the decade-long effort by anti-virus software companies to raise awareness about virus threats. However, individual computer users, precisely because of the insidious nature of spyware, can only do so much to protect themselves, and are not personally responsible for controlling the spread of spyware.

This brings us to the second line of defense: disclosure legislation. All applications, including those bundled and downloaded along with free software and with legitimate commercial applications, should be readily identifiable by users prior to installation and made easy to remove or uninstall. It is this transparent disclosure, and the ability of individual users to decide what does and does not reside on their systems, that must be legislated. Individuals should have the ability to make fully informed decisions about what they choose to download onto their machines, while understanding the implications of doing so.

The third line of defense is aggressive prosecution. The deceptive practices employed by many spyware developers are already illegal under existing laws against consumer fraud and identity theft. Law enforcement agencies at the federal and state level should be encouraged to aggressively pursue and prosecute those who clandestinely use spyware to disrupt service, steal data, or engage in other illegal activity. Appropriate agencies should work closely with their counterparts in other countries to address this issue.

The final line of defense is planning. A spyware Bot Army DDoS targeted at key federal, state, or local agencies is well within the realm of possibility. Such an attack could be very damaging, especially if it was designed to conceal a more conventional attack, or disrupt a response to such an attack. Overcoming this type of DDoS attack could itself be highly disruptive to both individuals and businesses. It is critical that responsible bodies plan for both spyware-related DDoS attacks and responses to those attacks. If necessary, those plans should be coordinated with businesses and others. Again, this coordination should include working with responsible bodies in other countries.

Spyware is a significant threat to the effective functioning and continued growth of the Internet. It also poses threats to national security. Given the dangers it represents, it is important that business and government work together to address the issue and safeguard the productivity and security of the Internet computing environment.

Author

Roger Thompson is director of malicious content research at Computer Associates.


©2005 ACM  0001-0782/05/0800  $5.00