Many users vaguely understand the
security risks, privacy invasions, and performance costs
associated with having spyware secretly and maliciously
installed on their computers. Fewer users know the many
forms spyware takes and the truly evil activities it
performs. Beyond a general sense that spyware is
uninvited, malicious software, average users know
very little about it.
Until recently, people dismissed spyware as less
important to contend with than viruses and spam. I
believe spyware poses an even greater
threat than viruses and spam. Spyware can be as
debilitating as the nastiest of viruses. The financial
threats spyware poses are more far-ranging and more
serious than e-mail credit card scams (phishing), and the
privacy issues and liabilities spyware exposes are grim.
Small and medium businesses must understand what spyware
is and the threats it poses. In this, the first of
two articles, I'll explain why spyware represents a
greater risk than you might have realized. In the second
article, we'll analyze spyware solutions and pick the
best.
A spyware sampler
To simply call spyware uninvited software is
misleading. Spyware installed on your PC can modify the
Windows Registry and add dynamic link libraries (DLLs)
and downloaded program files (DPFs, e.g., hostile ActiveX
or Java VM objects) to your system. Some spyware
exploits Web browsers (especially Internet Explorer) by
installing ActiveX controls, browser helper objects (BHOs),
and toolbars, or by modifying browser Internet options,
including home pages, favorites lists, and
context menu items. Some spyware even alters TCP/IP
settings and the hosts file.
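As an added illustration (not code from the original article), here is a small Python triage script that looks for the footprints just described: hosts-file entries other than localhost, a changed Internet Explorer start or search page, Run entries launched from temp or profile directories, and browser helper object CLSIDs that are not on an allowlist. It parses a hosts file and a .reg export as plain text, so it can run on a clean machine against data copied from a suspect one. The sample hosts file, the .reg export, every CLSID and path in it, and the two allowlists are constructed for the example and stand in for your site's own values.

```python
"""Offline triage for two spyware footprints: hosts-file tampering and
Registry changes (IE start/search pages, Run entries, BHOs).  Added
example, not from the original article.  Input is text collected from a
suspect machine; the samples and allowlists below are constructed."""
import re

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed hosts file: a stock Windows hosts file maps only localhost.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7\twww.vendor.example   # redirect of a vendor site (constructed)
203.0.113.7     update.vendor.example
127.0.0.1       ads.example.net
"""

# Constructed .reg export; all CLSIDs, URLs and paths are illustrative.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example-hijack.net/?aff=1234"
"Search Page"="http://intranet.example.com/search"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\wm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
@="Corporate Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="Search Toolbar"
"""

IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects")

# Allowlists an administrator would maintain for the site (constructed).
ALLOWED_PAGE_PREFIXES = ("about:blank", "http://intranet.example.com/")
ALLOWED_BHO_CLSIDS = {"{11111111-1111-1111-1111-111111111111}"}
# Autorun entries launched from temp or profile directories are suspect.
SUSPECT_PATH = re.compile(r"\\(temp|documents and settings|users)\\", re.I)

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def check_hosts(text):
    """Flag every hosts entry other than localhost: a remote address is a
    redirect, a loopback/null address is a block (e.g. of update sites)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower() == "localhost":
                continue
            kind = "block" if addr in LOOPBACK else "redirect"
            findings.append(("hosts", kind, f"{name} -> {addr}"))
    return findings


def parse_reg(text):
    """Minimal .reg parser: {key: {value_name: data}}.  REG_SZ data is
    unescaped; other value types are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = REG_KEY.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = REG_VALUE.match(line)
        if val and current is not None:
            name = "(Default)" if val.group(1) == "@" else val.group(1)[1:-1]
            data = val.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def check_reg(keys):
    """Compare browser pages, Run entries and BHOs against the allowlists."""
    findings = []
    for name in ("Start Page", "Search Page"):
        url = keys.get(IE_MAIN, {}).get(name)
        if url and not url.lower().startswith(ALLOWED_PAGE_PREFIXES):
            findings.append(("browser", "hijack", f"{name} = {url}"))
    for name, cmd in keys.get(RUN_KEY, {}).items():
        if SUSPECT_PATH.search(cmd):
            findings.append(("autorun", "suspect", f"{name} = {cmd}"))
    for key, values in keys.items():
        if key.startswith(BHO_ROOT + "\\"):
            clsid = key[len(BHO_ROOT) + 1:].upper()
            if clsid not in ALLOWED_BHO_CLSIDS:
                desc = values.get("(Default)", "")
                findings.append(("bho", "unknown", f"{clsid} {desc}"))
    return findings


def triage(hosts_text, reg_text):
    """Return all findings as (category, kind, detail) tuples."""
    return check_hosts(hosts_text) + check_reg(parse_reg(reg_text))


if __name__ == "__main__":
    for category, kind, detail in triage(SAMPLE_HOSTS, SAMPLE_REG):
        print(f"[{category}/{kind}] {detail}")
```

Run as a script, it reports six findings for the constructed input: two redirects and one block in the hosts file, the hijacked Start Page, the Run entry launched from a Temp directory, and the unknown BHO. Against a real machine, export the three keys with reg export (or regedit) and copy %SystemRoot%\system32\drivers\etc\hosts, then extend the allowlists as you confirm which entries are legitimate for your site.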
Online spyware encyclopedias and glossaries identify
tens of thousands of malicious programs classified as
spyware. Some commonly encountered types of spyware
include:
- Adware
- Browser session hijackers
- Remote Administration Tools (RATs)
- Tracking agents
- Double agent spyware.
Let's take a brief look at how each of these adds to
your risk.
Not all adware is (technically)
spyware, but many experts feel that even
permission-ware is spyware when it delivers
unsolicited advertising. Common delivery methods include
unrequested browser windows (popups) and ad-sponsored
applications. There are currently nearly 800
ad-sponsored and spyware-encumbered software offerings.
This diverse group includes free versions of games
(Midnight Oil Solitaire); FTP clients (FTP
Works); e-mail clients (Eudora;
music players; Web and system utility software; and
more, often coming with a catch. The software developer
receives revenue from advertisers who display
advertising in windows or toolbar features of the
so-called freeware. Some adware (e.g.,
FlashTrack) tracks a user's Web activities and
search queries. It then sends this information to
advertising servers like Aureate and Aveo, which return
targeted advertising (commonly, popup ads) based on
keywords and phrases. As many parents know, even
seemingly benign keywords like "kittens" can expose
their children to objectionable material, including
pornography.
Browser session hijacking is a kind
of virtual world bait-and-switch. Spyware (Icoo,
WurldMedia, Xupiter Toolbar, Lop, BonziBuddy,
CoolWebSearch) redirects browser sessions and search
queries, taking users to Web sites and search engines
they didn't intend to visit. The hijacked user can be
exposed to undesirable or suspect content and
advertising. The hijackers earn referral commissions and
affiliate fees by selectively referring the user to an
e-commerce site that offers some service or product
similar to the site the user intended.
Certain Remote Administration Tools
(RATs) and keyloggers are examples of
Trojan horse spyware. As the names imply, these give
attackers administrative control, or extraordinary
eavesdropping and intercept capabilities. Acting
remotely, an attacker can intercept and log user
keystrokes, monitor application and browser activities,
and even intercept WebCam streams. Back Orifice and Sub7
are examples of attacker RATs, and machines infected with
them can also be used to launch DDoS attacks.
Commercial RATs like NetObserve and
Spyagent are ostensibly sold for "legitimate tracking"
by managers, parents and suspicious spouses. The recent
and notorious Bankhook.A is a keystroke-logging BHO
delivered as an attachment to an e-mail message. Once
installed, Bankhook tries to find banking account access
data on the PC.
Tracking agents, Web bugs,
and data miners are virtual dumpster
divers. They can monitor your Web browsing, shopping,
e-mail, and instant messaging activities, and might
gather system configuration and personal information as
well. Some tracking companies use this information to
deliver targeted advertising, but others sell or abuse
what they gather.
Alexa, a popular search toolbar, is also a data
miner. Transponder/VX2 mines e-mail addresses, browser
histories, and also scrounges data from Web forms and
configuration files.
Gator/GAIN (now Claria) claims to be
permission-ware, but anti-spyware researchers report
that the client, which auto-completes forms and saves
passwords, tracks user buying habits.
Double agent spyware. Sadly, some
software that advertises as anti-spyware is itself
spyware. Users download trial- or freeware versions of
so-called security software they expect will remove
adware, only to learn that these versions are in fact
adware. Reputable anti-spyware vendors like PestPatrol
and Kephyr Labs identify
RedV EasyInstaller and
SpyBlast as spyware. If you think there's no worse
behavior than this, think again: some anti-spyware (SpyWiper)
hijacks home pages, hoping to scare unwitting users into
purchasing their product (virtual protection
racketeering!).
Assessing the spyware threat level
In the vernacular of Homeland Security, the spyware
"threat level" is somewhere between Elevated and High.
If your business operates in a regulated environment,
place the threat level between High and Severe. Consider
these threats:
- Disclosure of sensitive or regulated
information. Spyware that tracks browser activity
doesn't distinguish between intranet or Internet
requests. Hyperlinks, browser histories, favorites
lists, and cached Web form data can contain business
records, proprietary information, trade secrets,
credit card and personal data, medical and financial
data, and account passwords, which may be abused by
the collection agent or sold to third parties.
- Users may fall victim to felony-class criminal
acts. Keyloggers reveal sensitive personal and
company information, including passwords, credit card
and financial information, and potentially
embarrassing personal information. An intercepted
WebCam stream might reveal embarrassing activities.
The opportunities spyware creates for fraud, identity
theft, and personal or business-targeted extortion
should be taken very seriously.
- Loss of productivity. Spyware steals CPU
and bandwidth while it is running. Spyware isn't the
best-written software in the world and commonly causes
system instability and the dreaded blue screen of
death. Spyware removal is often non-trivial,
disruptive, or destructive. Some spyware remains on
your system after you have uninstalled the freeware,
and some might reinstall itself if not entirely
removed. If spyware extensively infests your network,
you can spend as much time repairing and remediating
systems as you would following a virus incident or
backdoor attack.
- System and Network Intrusions. The
information collected by trackers, miners and RATs is
gold for any attacker engaged in an
information gathering expedition, which is the
preparation stage in a targeted attack. Hosts
identified in hyperlinks and system configuration
information help attackers map networks and services.
Some organizations (unwisely) transmit account names
and passwords in plain text across intranet links.
Need I say more?
- Tarnished brand image and loss of business.
Your company can be affected by spyware, even if every
computer you operate is spyware-free. If hijacking
spyware victimizes your company, you'll lose sales
opportunities when users are redirected away from your
site, to a competitor. Hijacking spyware has also been
used to scam companies who pay fees for advertising
referrals. A disreputable ad company, hired to drive
traffic to e-merchant sites of its patrons, might
embed spyware in a "must have" toolbar. The spyware
replaces the user's default search engine, and sends
users to pages of its patrons, even when they are not
a suitable match. The patrons pay for these contrived
referrals but often do not derive the expected revenue
per click-through.
- Exposure to litigation. Some employees
may react strongly to the delivery of objectionable,
especially sexually explicit advertising, and may
respond by claiming sexual harassment. Whether the
claim has merit or not, the publicity, court time,
expense, and loss of credibility can be more than your
company wants to deal with.
I hope I've convinced you that spyware is a serious
threat. In my next article, I'll describe methods to
identify and remediate systems infected with spyware,
and methods to provide ongoing protection. I'll also
recommend spyware removal and blocking software to
assist you in these processes, along with some emerging
"best antispyware" practices. See you next week.