I wrote about spyware for the first time last year in "Still Waiting for a Truly Secure System"( see the URL below). I described how a Microsoft Internet Explorer (IE)-based Trojan horse infected my laptop, leading to weeks of investigation into what ended up being a new threat at the time--spyware. Since then, spyware has become the most dangerous and insidious form of electronic attack. If you're not already evaluating corporate antispyware solutions, I recommend that you start immediately. You'll be shocked to discover what your employees have installed, unknowingly, on their systems.
What Is Spyware?
Microsoft describes spyware as software that performs tasks on your computer without your consent. Spyware can be programs that present advertising in Web browsers or standalone applications (sometimes called adware), but it can also include all kinds of malicious software (malware), including trackers, key loggers, email harvesters, and more. Because of the large number of spyware types--antispyware vendor Sunbelt Software documents 36 different varieties--the name spyware isn't very descriptive of this pervasive threat. Unfortunately, the name has stuck, but it's important to remember that spyware encompasses far more than just software that tracks your movements online.
Spyware is far more malicious than viruses and other similar, but suddenly old-fashioned electronic attacks. That's because spyware is cunningly written to subvert the security systems in place on your PC and adapt to antispyware solutions. Some spyware installs itself in multiple locations on your PC, for example, with each instance monitoring the others. When your antispyware application finds and deletes one instance, the other copies create more instances on the fly, with unique names, and located in unique locations on your hard disk. I liken spyware to cancer: In some ways, it's the perfect software--able to not just stay alive, but to grow in adverse conditions. However, spyware, like cancer, is not good for the host. PCs infected with spyware can cough up your personal information, such as credit card numbers, and slow your machine to a crawl.
Financial Incentives of Spyware
Spyware exists because people can use it to make money. Sunbelt founder and chief operating officer (COO) Stu Sjouwerman told me that two primary financial incentives are behind spyware, and neither is particularly upstanding. The more legitimate of the two schemes, if you can call it that, exists solely to push advertising. This type of spyware, which is primarily adware and arguably legal, presents itself as a well-meaning software application and often includes an End User License Agreement (EULA), whereby you apparently agree that you want advertising to spontaneously spawn on your PC. And here's an interesting fact: Antispyware vendors such as Sunbelt and Microsoft actually receive cease and desist legal threats from the purveyors of legal adware, even when their insidious software is clearly designed to surreptitiously install on users' PCs.
The second scheme is pure black market, the electronic equivalent of the Russian Mafia, as Sjouwerman calls it. This even more malicious form of spyware is purely illegal and encompasses everything from credit card number harvesting to identity theft. The illegal spyware market even buys and sells networks of bots, groups of compromised computers that can be used for almost any purpose without the knowledge of their owners.
Finding a Managed Antispyware Solution
Although it's heartening to see major security vendors finally attacking the spyware problem for consumers, solving the problem for corporations is a larger problem. That's because managed corporate desktops are often connected with many other PCs and servers, and given the right credentials, they can access the most privileged data stored on the planet.
When you evaluate a corporate antispyware solution, you need to look for several important features. First, the program should be centrally managed and support various agent deployment types so that different kinds of organizations can easily roll out the product regardless of the organization's infrastructure. It should be policy based and integrate with Active Directory (AD) if it's a Windows-based solution. The client agents should support real-time monitoring, which is the primary benefit of consumer-oriented antispyware solutions.
I don't know of any tools today that support all that functionality, but Sunbelt's CounterSpy Enterprise comes close, and an update due in the first half of 2005 will provide the much-needed real-time monitoring functionality. Sunbelt's products also benefit from an agreement with Microsoft, in which the company will provide Sunbelt with antispyware definitions through July 2007. And Microsoft, of course, plans to ship a corporate antispyware solution by the end of 2005.
The Future of Spyware Fighting
In the early days of antispyware (i.e., 1 year ago) otherwise unknown companies such as Lavasoft offered first-generation tools for dealing with different kinds of malware. Today, spyware and antispyware technology has matured to the point at which more pervasive security toolkits are needed. That is, spyware isn't a problem that should be attacked individually; it's part of a wider security problem that encompasses many areas, including antivirus, email protection, and firewall. Therefore, I expect to see many vendors offering security suite products for both consumers and businesses.
Sunbelt is one such company. By the end of 2005, Sunbelt CounterSpy Enterprise will morph into a more complete security console that also provides protection against viruses. And although Microsoft hasn't announced plans to combine its enterprise-oriented antispyware and antivirus tools--both of which will ship in late 2005--I do expect the company to at least package them and, eventually, combine them. Microsoft is, after all, the company that popularized the office productivity suite.
In the meantime, most enterprises already have established security policies and antivirus solutions. But you should begin evaluating corporate antispyware solutions as well. By the end of 2005, I believe spyware will be a bigger problem than all other electronic attack types combined. Don't be caught with your (virtual) pants down.
If you're evaluating or deploying corporate antispyware solutions, please drop me a line. There's a lot more to this story, and I'm interested in all your spyware-related experiences.
Still Waiting for a Truly Secure System