By Paul F. Roberts  |  Posted 2005-06-21

How does spyware make its way onto all those networks? IT staff at most organizations that have had to battle the pernicious programs, including Family Credit and SLUSD, admit that they don't know.

Spyware is typically distributed with other programs in installation bundles, such as freeware and computer games. Those bundles might be downloaded directly from an adware vendor's Web site or from an affiliate Web site, experts say.

Direct Revenue LLC, of New York, an online marketing company, has more than 20 million installations of its three ad programs—Aurora, Ceres and SolidPeer—mostly through bundling arrangements with P2P (peer-to-peer) software and "a slew" of other consumer programs, such as instant messaging smiley-face enhancements, Web browser tool bars, and clock and weather programs, downloaded from Direct Revenue affiliate sites, according to J.P. Maheu, Direct Revenue's CEO.

Claria Corp., in Redwood City, Calif., also an online marketer, had software running on 40 million desktops at the end of last year, according to Reed Freeman, Claria's chief privacy officer.

Bundling relationships benefit both sides. Application vendors such as Kazaa P2P maker Sharman Networks Ltd. collect fees from adware vendors for each installation, and adware vendors, such as Claria, ride the popularity of the third-party software onto users' PCs.

Adware and spyware bundling deals are often too good to ignore, even for companies that might look askance at helping to distribute spyware and adware programs, said Ben Edelman, a Harvard University Law School student and an expert on spyware. "Kazaa comes with stuff because Gator [Claria] pays $1 per install," Edelman said. "If that was [5 cents], Kazaa would think of something else."

The adware money is also enticing to the thousands of small-business owners who operate many of the affiliate Web sites, especially if the site owner doesn't understand the technical details of how adware works, said Anne Fognano of Leesburg, Va., who runs, Cleverbabies.com and

"People who are educated about the problem do the right thing, but there are people who will run anything if it makes a buck," Fognano said.

But pay-per-install commissions are also fueling a scourge of sites that execute drive-by downloads, depositing wares on users' computers without warning or consent, said David Moll, CEO of anti-spyware company Webroot Software, in Boulder, Colo. Drive-by-download sites use software exploits, often targeting holes in Microsoft's porous Internet Explorer browser, to push Java and ActiveX code to vulnerable machines, Moll said.

Often, those sites install software that is clearly malicious, such as Trojan horse back-door programs, viruses and keyloggers. Just as often, however, legitimate adware programs are part of the package, anti-spyware experts say.

An analysis in April of one drive-by-download site showed how Java code was used to silently install a gaggle of adware from 180Solutions and its competitor, Integrated Search Technologies, including such ad-delivery wares as 180Search Assistant, ISTbar, PowerScan and SideFind, all without displaying end-user licensing agreements, according to a post on Spywareguide.com by Jan Hertsens and Wayne Porter.

With networks of thousands or tens of thousands of affiliates, online marketers said it's hard to stay on top of all sites distributing their wares. That lack of oversight may already be breeding shadow networks of corrupt affiliates, experts warn.

Roger Thompson, director of malicious-content research at Computer Associates International Inc., of Islandia, N.Y., said he has noted the appearance, in recent months, of complex networks of shell Web sites that he believes are designed to pull in Web surfers from Internet search engines and download malicious code.

The collections of hundreds or even thousands of registered Web domains, which Thompson likens to "spiders' nests," all link to one IP address that uses exploits, such as the Internet Explorer iFrame exploit, to install malicious code, often with different bundles of programs each day, he said.

Thompson said he believes that adware vendors are benefiting from the drive-by downloads and that commissions from the adware vendors could be channeled to shadowy, possibly criminal, groups that sponsor the Web pages. "There are so many people involved, and the sites change so often—with new partners every day—it's very hard to tell where it's all going," he said.

Widespread distributions of adware and spyware pose a major problem for companies in such regulated industries as financial services and health care, said Webroot's Moll. "How can a financial services company be compliant with [the] Gramm-Leach-Bliley [Act] if they have keyloggers on their machines?" he asked. "How can a health care institution be compliant with HIPAA [Health Insurance Portability and Accountability Act] if they have Trojans?"
