The Sad State of Spyware

By Larry Seltzer  |  Posted 2005-04-22 Print this article Print

Opinion: One year after the FTC workshop on spyware, things have gotten worse.

Theres reason to be optimistic about many security problems, but others are less encouraging. One of the worst is the problem of spyware and adware, which, in the year since the FTC held a workshop on it, has metastasized badly. As detailed by spyware hunter Eric L. Howes, use of misleading and illegal techniques has mushroomed in the last year, but the FTC has brought action in only two cases, neither of them involving actual adware or spyware vendors. The two cases instead involve shady anti-spyware vendors, certainly worth pursuing, but only a side-effect of the real problem.

Actually, the extent of this side-effect is indicative of just how bad things have become: Howes Rogue Anti-Spyware List began about a year ago and has grown to almost 200 phony and hypocritical products.
The most common technique they use is a free demo version that uses false positive detection of spyware as a goad to purchase the product. But some go further, actually installing adware, lacking privacy policies, and stealing each others databases. What, youre surprised?

In the meantime, the actual adware out there (when we say spyware, we mostly mean adware; the two terms have come to be intertwined for reasons which arent entirely logical) has become more aggressive, utilizing vulnerabilities in Windows to install themselves. The adware industry, which showed up at the workshop, makes all manner of lame excuses for itself, blaming, among others, users for not being more savvy about these things and not reading the lengthy license agreements in which the companies often state that they will install other software when and how they please.

I think its fair to say that other forms of threats and malware, for the most part, are in retreat. Users who want to can protect themselves in almost all cases automatically and unobtrusively. But adware is growing as a threat, and adware vendors are getting more aggressive. They even have the temerity to attempt to silence their critics, as Ben Edelman has documented in his "Threats Against Spyware Detectors, Removers, and Critics" page. Some have succeeded in bullying anti-spyware companies into removing signatures.

Howes is most distressed at the attempt by adware vendors to distance themselves from the act of infecting the system by using third-party "pay-per-install" affiliate networks to attach the programs to other applications. Its not hard to see how theyll get away with this by using legal intimidation and obfuscation.

There is good news, although I have to feel that Ill defer my optimism until its clearly warranted. Windows XP SP2 has many new features that make illicit installations of programs more difficult—but not at all impossible. Good anti-spyware products are emerging, even from companies, such as Microsoft, that are difficult to bully, and the anti-virus industry is finally awakening to the notion that it should be blocking threats like these. (Its about time.) ISPs are also beginning to provide software to protect users.

Howes is encouraged at some legal developments, but this worries me also. Id rather see the federal government go after miscreant adware vendors than either state attorneys general or the plaintiffs bar. Since the feds dont seem inclined to go after the problem, even though they claim they have the legal authority to do so, Ill stick with my downcast attitude. As long as there are teenagers, it seems computers will get infected with adware.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog. More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel