Spyware: The Silent Enemy

End users often complain about stringent security policies at enterprises with well-enforced security measures. However, like all well-meaning advice, there are always good reasons for such stringent conditions. One never knows when the latest MP3 music player, free games or "useful" little application will have vicious spyware embedded within.

"Spyware or adware are hidden software programs that transmit user information via the Internet to advertisers in exchange for free downloaded software," said Lee Boon Kuey, managing director for Southeast Asia and India, Network Associates.

"Spyware is perhaps best described as split-personality software," said Ross Wilson, senior regional director, Southeast Asia, Symantec. It resides on the computer's hard drive and usually has a practical and attractive set of primary features. This core functionality has nothing to do with spying. It might be a utility, an MP3 player or some kind of game, usually offered as freeware.

Recently, a few advertising companies have begun producing software that attempts to download a browser plug-in or program when a visitor views a page with their ads on it. They can then use the plug-in to monitor where the surfer is and pop ads in front of the browser window. Should the computer be set to accept plug-ins automatically, the user might never even know that adware or spyware has been installed on their machine.

"The problem is, apart from its primary features, spyware also has a second, less conspicuous component," said Wilson. This second component gathers information about your computing habits and sends that information over the Internet to the software's publisher. Because this secondary action often goes on without your knowledge, software with this kind of dual functionality has come to be known as spyware.

Other ad companies have been releasing freeware "Internet tools", such as bandwidth speed testers, that appear to load adware onto the PC, change the browser's home page and settings, and closely monitor what the user does online. Some purport to be search tools, while others claim to speed up downloads or even to block pop-up ads.

According to Jin Chong, director, 7-Network, the problem with spyware is very serious both at home and at the enterprise.

"This technology was initially created to collect information such as surfer's habits, trends and where they used to go," said Chong. "But it has now been modified to send sensitive information like credit cards and passwords — information that would allow hackers to attack."

Most people do not realise that they have spyware running on their own PC. "What compounds the problems is that even IT specialists, managers and IT vendors are not aware of the existence of spyware," added Chong.

From a technical perspective, the differences between spyware and trojans are not significant, said Lionel Phang, managing director, Asia South region, Trend Micro. Usually, for antivirus applications, software that is installed without the users' knowledge will be categorised as a virus. It will be treated as a virus, with the end user having the option to remove or quarantine it.

One of the challenges with spyware is its exact definition, for example when such software is installed with the owner's knowledge. A company may install software that tracks and monitors how its IT resources are being used, to ensure its employees do not misuse them during working hours. In this situation, one could argue that the software isn't really spyware, as the owner or the company is aware of it.

Spyware creates an open connection from the desktop PC, which can be viewed as a "backdoor".

"Someone can exploit that and send in malicious code like a trojan," said Lee from NAI. "While trojans do not replicate, they actually contain a damaging payload that may cause text or graphics to appear on the screen, or it may cause corruption or erasure of data."

There are both legitimate and illegitimate adware around. The difference is that legitimate adware companies will disclose the nature of data that is collected and transmitted in their privacy statement. However, there is still almost no way for the user to actually control what data is being sent.

"If there is spyware on your computer, it is likely you installed it yourself," said Wilson. "When you downloaded that free music player or utility, you may not have known the software was also designed to collect and transmit information about you."

Legitimate spyware also stands in a grey area: it is not clear whether it is a boon or a bane to end users. It can be viewed as a way for shareware authors to make money from their product, other than by selling it to the users. Some media companies offer to place banner ads in these authors' products in exchange for a portion of the revenue from banner sales.

In some cases, it may even make your online commercial experience more focused and convenient. For example, some spyware tracks the kinds of online ads that users choose to follow. The publisher will then use this data to replace random ads with those relating to your areas of interest. The net result is the ads seen by the user in his software's interface become more relevant to him. However, some users may be averse to this kind of market profiling and prefer not to trade their privacy for commercial convenience.

"In most cases, publishers disclose this secondary functionality in end user agreements. However, most of us never read end user agreements, at least not completely," said Wilson. "We just click OK and go, especially when we're downloading freeware. And sometimes, even if you read an entire agreement, the description of the spyware component is too ambiguous to make clear what the component does. In any case, there may be spyware on your computer, and you may be wondering whether it's dangerous, or even legal."

By downloading these types of shareware or freeware, users could be downloading additional tracking software onto the PC that uses the Internet connection to report statistical data to the "mothership" server, exposing the enterprise to possible breaches. At its least harmful level, the information could also be used to track surfing habits.

In the latest ploy, which combines some aspects of spam with pop-up ads, marketeers push ads to the PC through the Windows Messenger service. This administrative feature in Windows 2000 and XP systems is used to spawn a pop-up similar in appearance to a dialog box, regardless of whether the browser is open. The ads can pop up any time the terminal is connected to the Internet, even when the users are merely composing a Word document.

Pornographers, always on the cutting edge of technology, have taken to employing more brazen techniques to sell their products. In previous generations of pornographic spam, the recipient had to click links in the message to get to the pornographer's Web page. Now spammers can send images embedded in the body of e-mail messages so that simply opening the message assaults you with explicit photographs. More frequently, spam contains HTML code and a JavaScript applet that together load a pornographic Web page.

Last December, many computer users received a "Friend Greetings" electronic card in their e-mail in-boxes. But before they could see the card, the recipients were directed to FriendGreetings.com, where they were instructed to install a program. However, the problem is that most people did not read the fine print of the program's license. By installing the application, they gave the company permission to take all the addresses from their Outlook address book and to send everyone listed there a Friend Greetings card in their name. This is what many worms and viruses have done for years, except that this time, it is done legally and with the users' permission. While these methods do not break any laws, they are not exactly respectable business practices.

According to Chong, currently, spyware manifests itself in ways such as annoying pop-up ads, creating more junk mail and slowing down the computer for no apparent reason.

While there have not been reported cases of major credit card fraud due to spyware, it does not mean that there are none or that it will never happen. "Recently, all major online transaction facilities banned transactions from Singapore because of the increase in the number of frauds," said Chong. "I think this has to do with spyware feeding credit card information to the hackers. Spyware is tasked to send information from your PC to the designated servers or people. Like a spy, once they are in your system, you will never know what else they can do."

"Although some spyware has been used to make malicious attacks or to further identity theft, most spyware is a legal, if annoying, technology," said Wilson. It is often used to gather data for marketing purposes and therefore has a valid, generally benign purpose.

Stories by Louis Chua
