Much as in their battle against unsolicited spam e-mail, enterprises are having success in reducing the impact of spyware programs, but a new breed of targeted attacks combined with a constantly changing array of delivery methods has kept the malicious code on IT administrators’ radar.
With Internet phone specialist Vonage recently coming under attack from security researchers for its advertising practices, for which it has been accused of funding nefarious adware providers, and social networking site MySpace.com becoming the unsuspecting delivery tool of other malicious code writers, it is clear that spyware remains a real threat.
However, industry experts concede that most large businesses have become sufficiently mature in their efforts at blocking out mainstream spyware attacks.
The challenge for enterprises moving forward, analysts say, will be in warding off spyware attacks crafted by organized criminals that are specifically aimed at their companies, or smaller groups of businesses, and pulling together disparate security technologies to help fight so-called blended threats that use spyware along with other malicious programs to help find new ways onto corporate networks.
Ben Edelman, a well-recognized spyware researcher and consultant based in Cambridge, Mass., said there is debate over whether the volume of spyware programs has been reduced, but he considers those statistics unimportant in the face of more-targeted attacks motivated strictly by hackers’ ability to generate income.
Another emerging spyware delivery method has arrived in the form of freely distributed Web browser applications that serve primarily to direct end users to sites that harbor spyware, such as the so-called Safety Browser attack unearthed by researchers in May.
“In general there have been small downturns in the number of spyware attacks, but the numbers were also preposterously high as it became such a popular area over the last few years,” Edelman said.
“The interesting development of late has been [malware writers] shifting their primary focus to new ways of delivery; the rise of anti-spyware programs and Microsoft’s distribution of security updates has improved the landscape somewhat, but you also have people finding sound business models for making money off spyware, and they won’t stop until the money goes away.”
Whereas the spyware programs of days past were largely scatter-shot attacks meant to draw in anyone gullible enough to download their code or visit the Web sites they were hidden on, Edelman said that increasingly organized groups of malware writers are shifting their attentions toward ripping off specific firms, and their customers.
Along with well-known attempts to dupe users of popular sites such as eBay and Google, researchers claim they have come across programs that were aimed at customers of small regional banks and other lesser known businesses.
Real-world examples of such attacks remain hard to come by, as businesses don’t often advertise the fact that they’ve been attacked, but the problem is indeed growing, said John Pescatore, analyst with Stamford, Conn.-based Gartner.
“The people writing the more targeted code want to install something within a certain company to gather a specific type of information that they can use to make money, from account information to intellectual property,” Pescatore said.
“They don’t care if they get on a million PCs, they know it’s potentially better to focus their efforts on one company at a time and push for real results that make them money.”
The analyst said that enterprises will also increasingly face blended attacks, such as threats that use spyware to deliver Trojan Horse viruses that mine databases for valuable information.
When combined with efforts to single out specific businesses, such attacks could become even more dangerous as they are designed with the goal of finding new ways to slip through the cracks of popular anti-virus applications.
To that end, Gartner is telling its clients to move away from stand-alone anti-spyware technologies in favor of tools that are tightly integrated with antivirus and other network security technologies.
If businesses become too convinced that they have become effective at stopping spyware with existing tools, they could become vulnerable to future attacks, Pescatore said.
“The majority of larger enterprises think they have spyware down to a dull roar, as with spam, and they’ve bought solutions and are using network prevention tools that have effectively stopped a lot of today’s threats,” he said.
“But half of these companies are using point products, and it remains to be seen if that can protect them from hybrid attacks; that’s why we’re advocating integrated security applications.”
Progress Against Attacks
Whether or not the business world, and security industry, has made progress in defeating spyware remains very much open for debate.
Some experts see the drop-off in attacks as a sign that things may be improving, but others say the complexity of emerging attacks, in particular their use of social tools such as MySpace to market themselves to end users, shows that the battle is only just beginning.
As with e-mail-borne viruses and spam, enterprises will make headway in fighting spyware, but doing so will be a demanding job, and they will never be completely finished with the task, said Richard Stiennon, analyst with research firm IT-Harvest, of Birmingham, Mich.
“To me, this evolution mirrors what went on with spam, it’s still here more than ever, but companies have gotten things down to a more manageable level,” Stiennon said.
“But the fact is that the criminal level is growing, this isn’t just adware aimed at click fraud anymore. It’s about using Web sites to deliver drive-by attacks, which seems a lot more threatening in a lot of ways.”
Anti-malware applications specialist FaceTime Security Labs expanded its online threat resource, SpywareGuide.com, on July 20, in an attempt to help inform users about the growing use of instant messaging systems, chat rooms, P2P file sharing services and collaboration software to distribute spyware.
While the sophistication of the programs themselves isn’t advancing significantly, the variety of attacks and delivery methods should still be alarming to enterprises and consumers alike, the company said.
To truly defeat the people writing the programs, security vendors and business customers need to become as determined and resourceful as the malware authors themselves, said Chris Boyd, the security research manager who runs the site for Foster City, Calif.-based FaceTime.
“Companies need to be every bit as vicious and malicious toward the people creating the attacks, and those paying them to do so, as the attackers themselves have been,” said Boyd.
“We need to punish the affiliates, and anyone the [malware writers] do business with, and try to trace the money trail and shut these people down.”
“Is it as big a problem as it has ever been? That’s hard to say,” he said.
“People talk in terms of bigger threats that could materialize but realistically spyware writers are doing the same things they’ve done for years, and just adopting new techniques to avoid filters.”