
The War against Adware and Spyware

By Tom Schmidt

How far will today's adware and spyware vendors go to evade detection? Consider Websearch, one of the most commonly reported adware programs.

Websearch features a number of noteworthy attributes. It modifies the default home page and search settings of Internet Explorer, installs itself as an Internet Explorer toolbar, and adds several icons to the system tray. It also sends user information, including keywords from searches, to a predetermined Web site. Finally, it uses a technique known as a 'watchdog process' to prevent manual removal of its components: if a user attempts to stop a process associated with the adware, a second running process restarts it as soon as it has been stopped, making the program considerably harder to remove.
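The watchdog behaviour described above leaves a recognisable trace in process start/stop telemetry: a component that is ended by the user reappears within a second or two, and its new parent is the other component, which in turn gets relaunched by the first. The following added example (not code from the article or from any vendor) runs that detection logic over a constructed, hypothetical event trace; the image names, pids and timestamps are invented, and the benign notepad restart at the end shows why a one-directional restart alone is not enough to raise an alert.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float      # seconds since the start of the trace
    kind: str      # "start" or "stop"
    pid: int
    ppid: int      # parent pid (meaningful for "start" events)
    image: str     # executable name


# Constructed sample trace (hypothetical, not a real capture). Two adware
# components guard each other: whenever one is ended, the other relaunches it.
SAMPLE_EVENTS = [
    ProcEvent(0.0, "start", 500, 1, "explorer.exe"),
    ProcEvent(1.0, "start", 1001, 500, "toolbarA.exe"),
    ProcEvent(1.1, "start", 1002, 500, "toolbarB.exe"),
    ProcEvent(5.0, "start", 1003, 500, "notepad.exe"),
    ProcEvent(30.0, "stop", 1001, 500, "toolbarA.exe"),   # user ends toolbarA
    ProcEvent(30.4, "start", 1010, 1002, "toolbarA.exe"),  # toolbarB relaunches it
    ProcEvent(31.0, "stop", 1002, 500, "toolbarB.exe"),    # user ends toolbarB
    ProcEvent(31.3, "start", 1011, 1010, "toolbarB.exe"),  # toolbarA relaunches it
    ProcEvent(60.0, "stop", 1003, 500, "notepad.exe"),     # benign: user closes and
    ProcEvent(60.5, "start", 1020, 500, "notepad.exe"),    # reopens notepad
]


def find_restarts(events, window=2.0):
    """Return {(parent_image, child_image): count} for every process start
    that follows a stop of the same image within `window` seconds."""
    image_by_pid = {}          # pid -> image, so a parent pid can be named
    last_stop = {}             # image -> timestamp of its most recent stop
    restarts = defaultdict(int)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "start":
            image_by_pid[e.pid] = e.image
            stopped_at = last_stop.get(e.image)
            if stopped_at is not None and e.ts - stopped_at <= window:
                parent = image_by_pid.get(e.ppid, "<unknown>")
                restarts[(parent, e.image)] += 1
        elif e.kind == "stop":
            last_stop[e.image] = e.ts
    return dict(restarts)


def mutual_watchdogs(restarts):
    """Pairs of images that each restart the other: the watchdog pattern.
    A single restart (explorer reopening notepad) is not reported."""
    pairs = set()
    for parent, child in restarts:
        if parent != child and (child, parent) in restarts:
            pairs.add(frozenset((parent, child)))
    return pairs


if __name__ == "__main__":
    found = find_restarts(SAMPLE_EVENTS)
    for (parent, child), n in sorted(found.items()):
        print(f"{parent} restarted {child} x{n}")
    for pair in mutual_watchdogs(found):
        print("watchdog pair:", " <-> ".join(sorted(pair)))
```

On a real host the events would come from a process-auditing source rather than a list literal; the window should stay short, since a legitimate service manager restarting a crashed service typically takes longer and is not reciprocated by the child.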

And that's not all. Researchers have found that more and more adware and spyware vendors frequently update their programs to evade detection and removal; in some cases the programs' functionality is updated as well. For example, researchers found that the adware program Aurora updated itself 13.6 times per day during the last six months of 2005. The top self-updating spyware program was Apropos, which self-updated 1.3 times per day.

File locking is another technique that adware programmers employ to make it difficult for anti-spyware and antivirus applications to scan the file. File locking restricts access to a file to a single user or process. While legitimate applications sometimes do this to prevent sharing violations, adware also uses it to prevent its files from being read or scanned. ISTBar, one of the top 10 adware programs reported in the second half of 2005, employs file locking.

With adware and spyware vendors going to such lengths to ply their trade, it is incumbent upon enterprise users to familiarize themselves with these security risks. This Perspective looks at recent trends in adware and spyware and recommends specific steps to mitigate their stealthy behavior.

Top offenders
What are the most common adware and spyware programs? According to researchers:

  • Adware: Between July 1 and December 31, 2005, the most commonly reported adware program was Websearch, which accounted for 19% of the top 10 adware programs reported. This program was not present in the top 10 reported adware programs in the first six months of the year.
  • Spyware: In the second half of 2005, CometCursor was the most commonly reported spyware program, accounting for 42% of the top 10 spyware programs reported. It was the fourth most frequently reported spyware program in the first half of 2005 but was not present in the top 10 spyware programs in the second half of 2004. CometCursor is an Internet Explorer browser helper object that installs a toolbar, which has links to affiliate sites.

The risk level of an adware or spyware program is rated according to how it affects the performance and privacy of compromised computers and whether the program exhibits stealthy behavior or resists removal from the computer. During the last six months of 2005, three of the top 10 adware programs earned a "high risk" rating: BetterInternet, Lop, and IEPlugin. A program given a high risk rating may have a significant impact on the system's stability and/or performance; it may expose confidential information; it may resist complete removal; or it may exhibit stealthy behaviors, such as silent installation, the absence of a user interface, and concealment of application processes.

Prevention and mitigation
Because adware and spyware can be placed on a user's computer by exploiting software vulnerabilities, researchers recommend that users update their antivirus software regularly. Security administrators should also take extra measures to ensure that patch levels on all computers are up to date. Users and administrators should employ defense in depth, which means deploying a properly configured firewall together with integrated antivirus and intrusion detection systems. In addition, users should exercise caution when installing any software through a Web browser and avoid downloading software from sources that are not known and trusted.

Organizations also need to develop and enforce acceptable usage policies. System administrators should regularly audit systems to ensure that no unauthorized software is installed or operating on the system. Furthermore, administrators and end users should read the EULAs (End User License Agreements) of all software programs before agreeing to their conditions.
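One concrete form of the audit recommended above, for the Internet Explorer settings the article says Websearch and CometCursor tamper with (home page, search page, browser helper objects), is to export the relevant registry keys and compare them against an allowlist. The added example below is not code from the article or from any vendor: it parses a constructed, hypothetical .reg export (plain text here; a real export from reg.exe is UTF-16 and may contain hex-encoded values this minimal parser does not handle) and reports BHO CLSIDs that are not approved and start/search pages pointing at hosts outside the approved set. The CLSIDs, hostnames and the "Corporate SSO Helper" name are placeholders; the registry paths are the standard locations for these settings.

```python
from urllib.parse import urlparse

# Constructed .reg export (hypothetical; CLSIDs, names and hosts are placeholders).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
@="Corporate SSO Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]
@="Search Assistant"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example-adware.test/?aff=123"
"Search Page"="http://search.example-adware.test/"
"""

BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# Placeholder policy: the one BHO the organisation ships, and the hosts its
# browsers are allowed to open on start-up and search.
ALLOWED_BHOS = {"{11111111-1111-1111-1111-111111111111}"}
APPROVED_HOSTS = {"intranet.example.test"}


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: value_string}}.
    Handles [key] headers, @ default values and "name"="string" lines only."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")   # first "=" separates name and value
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = value.strip('"')
    return keys


def audit_ie_settings(keys, allowed_bhos, approved_hosts):
    """Return a list of (finding_type, subject, detail) tuples."""
    findings = []
    for path, values in keys.items():
        if path.startswith(BHO_ROOT + "\\"):
            clsid = path.rsplit("\\", 1)[1].upper()
            if clsid not in allowed_bhos:
                findings.append(("unapproved_bho", clsid, values.get("(Default)", "")))
    main = keys.get(IE_MAIN, {})
    for name in ("Start Page", "Search Page"):
        url = main.get(name)
        if url is None:
            continue
        host = (urlparse(url).hostname or "").lower()
        if host not in approved_hosts:
            findings.append(("hijacked_setting", name, url))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit_ie_settings(parse_reg(SAMPLE_REG), ALLOWED_BHOS, APPROVED_HOSTS):
        print(f"{kind}: {subject} ({detail})")
```

Run against the sample, this flags the second BHO and both redirected pages; adding their CLSID and host to the allowlists clears the findings, which is how an approved change is recorded rather than silently ignored.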

Users should always exercise caution when removing spyware. Programs should be removed as non-intrusively as possible to minimize any problems that might result from the removal of the program. In order to avoid such problems, it may be necessary to ignore some non-critical aspects of these programs, such as benign registry keys left behind during the uninstall process, as these keys may be necessary for other programs to run.

Conclusion
According to the StopBadware Web site, a self-styled "Neighborhood Watch" campaign aimed at fighting adware, spyware, and other malicious software, some 59 million Americans have some form of "badware" on their computers. The organization also estimates that badware is big business, amounting to $2 billion per year.

The threat landscape is coming to be dominated by cybercriminals, who rely on malicious code featuring so-called stealth capabilities to defraud unsuspecting users. By employing rootkit techniques, attackers hope to make adware and spyware that much harder to detect and remove. An increasing amount of malicious code will utilize rootkit techniques for these purposes.

Make no mistake: adware and spyware are among the fastest-growing risks to consumers and organizations today. That's why the ability to automatically detect and repair the effects of these intrusions in real time is the key to keeping client systems safe.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
