They have innocuous-sounding names—ShopAtHomeSelect, CoolWebSearch, Searchex, IEDriver—and are called many things: spyware, adware, scumware or the euphemistic PUPs (for “potentially unwanted programs”). But there's no disputing that, by any label, programs that monitor users' online behavior, legally or illegally, are a big business and a big headache for computer users and IT administrators.
Spyware is a $2 billion-a-year industry, according to Webroot Software Inc., judging from rough estimates of the number of adware installations and the amount of money generated by each installation. It's an industry girded by business relationships that tie legitimate advertisers to online marketing companies, small application vendors, Web site operators and shadowy online groups with iniquitous ties. The industry is a Wild West of aggressive marketing, loose oversight and big profits—all flowing from consumer behavior and the surreptitious programs that track, mine and shape that behavior.
Cleaning up the spyware economy will be a challenge, experts say. Enterprises face an explosion of spyware and adware that threatens compliance efforts and intellectual property. As with anti-spam legislation, anti-spyware laws working their way through Congress won't fix the problem by themselves. While regulators and the high-tech industry seek solutions, organized online crime groups are using spyware to fuel an epidemic of identity theft and online fraud.
At Family Credit Counseling Service, in Rockford, Ill., spyware became a big problem in the last 12 months, said Joshua Beard, a technical support specialist at the nonprofit organization, which provides financial counseling services to individuals.
“It started with those little search bars that come up, which were an annoyance more than anything,” Beard said. The problem escalated into a major IT headache in the last six months, as the spyware and adware infections multiplied and began causing more damage.
Technicians for the San Lorenzo Unified School District, in California, had a similar story, said Art Cipriano, director of IT. “We were continuously receiving work orders to fix slow computers and getting panic calls of pop-ups taking over computers,” Cipriano said. “Many times, [the computers] were so severely infected we ended up just [reformatting] them.”
About one-third of application crashes reported to Microsoft Corp., in Redmond, Wash., are caused by spyware, according to Brendan Foley, senior product manager of Microsoft's Windows Antispyware group.
How does spyware make its way onto all those networks? IT staff at most organizations that have had to battle the pernicious programs, including Family Credit and SLUSD, admit that they don't know.
Spyware is typically distributed with other programs in installation bundles, such as freeware and computer games. Those bundles might be downloaded directly from an adware vendor's Web site or from an affiliate Web site, experts say.
Direct Revenue LLC, of New York, an online marketing company, has more than 20 million installations of its three ad programs—Aurora, Ceres and SolidPeer—mostly through bundling arrangements with P2P (peer-to-peer) software and “a slew” of other consumer programs, such as instant messaging smiley-face enhancements, Web browser tool bars, and clock and weather programs, downloaded from Direct Revenue affiliate sites, according to J.P. Maheu, Direct Revenue's CEO.
Claria Corp., in Redwood City, Calif., also an online marketer, had software running on 40 million desktops at the end of last year, according to Reed Freeman, Claria's chief privacy officer.
Bundling relationships benefit both sides. Application vendors such as Kazaa P2P maker Sharman Networks Ltd. collect fees from adware vendors for each installation, and adware vendors, such as Claria, ride the popularity of the third-party software onto users' PCs.
Adware and spyware bundling deals are often too good to ignore, even for companies that might look askance at helping to distribute spyware and adware programs, said Ben Edelman, a Harvard University Law School student and an expert on spyware. “Kazaa comes with stuff because Gator [Claria] pays $1 per install,” Edelman said. “If that was [5 cents], Kazaa would think of something else.”
The adware money is also enticing to the thousands of small-business owners who operate many of the affiliate Web sites, especially if the site owner doesn't understand the technical details of how adware works, said Anne Fognano of Leesburg, Va., who runs Clevermoms.com, Cleverbabies.com and Cleverdads.com.
“People who are educated about the problem do the right thing, but there are people who will run anything if it makes a buck,” Fognano said.
But pay-per-install commissions are also fueling a scourge of sites that execute drive-by downloads, depositing wares on users' computers without warning or consent, said David Moll, CEO of anti-spyware company Webroot Software, in Boulder, Colo. Drive-by-download sites use software exploits, often targeting holes in Microsoft's porous Internet Explorer browser, to push Java and ActiveX code to vulnerable machines, Moll said.
Often, those sites install software that is clearly malicious, such as Trojan horse back-door programs, viruses and keyloggers. Just as often, however, legitimate adware programs are part of the package, anti-spyware experts say.
An analysis in April of one drive-by-download site showed how Java code was used to silently install a gaggle of adware from 180Solutions and its competitor, Integrated Search Technologies, including such ad-delivery wares as 180Search Assistant, ISTbar, PowerScan and SideFind, all without displaying end-user licensing agreements, according to a post on Spywareguide.com by Jan Hertsens and Wayne Porter.
With networks of thousands or tens of thousands of affiliates, online marketers said it's hard to stay on top of all sites distributing their wares. That lack of oversight may already be breeding shadow networks of corrupt affiliates, experts warn.
Roger Thompson, director of malicious-content research at Computer Associates International Inc., of Islandia, N.Y., said he has noted the appearance, in recent months, of complex networks of shell Web sites that he believes are designed to pull in Web surfers from Internet search engines and download malicious code.
The collections of hundreds or even thousands of registered Web domains, which Thompson likens to “spiders' nests,” all link to one IP address that uses exploits, such as the Internet Explorer iFrame exploit, to install malicious code, often with different bundles of programs each day, he said.
Thompson said he believes that adware vendors are benefiting from the drive-by downloads and that commissions from the adware vendors could be channeled to shadowy, possibly criminal, groups that sponsor the Web pages. “There are so many people involved, and the sites change so often—with new partners every day—it's very hard to tell where it's all going,” he said.
Widespread distributions of adware and spyware pose a major problem for companies in such regulated industries as financial services and health care, said Webroot's Moll. “How can a financial services company be compliant with [the] Gramm-Leach-Bliley [Act] if they have keyloggers on their machines?” he asked. “How can a health care institution be compliant with HIPAA [Health Insurance Portability and Accountability Act] if they have Trojans?”
Executives at leading online marketing companies said their affiliate agreements prohibit drive-by downloads or installations that aren't specifically user-authorized. “I can tell you we have a strict set of rules [about disclosure], and we're removing distributors who are found to not be in compliance with our policies,” said Direct Revenue's Maheu. Direct Revenue said it has terminated contracts with six distributor partners in the last 12 months, but it declined to name the partners, citing “legal reasons.”
180Solutions is policing its network of 7,000 to 10,000 affiliate sites, according to Dan Todd, 180's president and co-founder, although the company declined to list specific actions it has taken, aside from a single July 2004 lawsuit against Aztec Marketing Solutions Ltd., which accused the affiliate of using drive-by downloads.
But pressure from outside the adware industry is the most likely agent of change in the spyware business. Two federal anti-spyware bills covering certain installation, removal and monitoring behaviors, as well as disclosure requirements, recently passed the U.S. House of Representatives, and lawmakers are optimistic that some anti-spyware legislation may be signed into law by year's end, according to Rep. Mary Bono, R-Calif., who co-authored HR 29, also called the Spy Act.
Other players in the adware and spyware food chain are also taking steps to cut down on the prevalence of the programs. Commission Junction Inc., a 70,000-member Web site affiliate network based in Santa Barbara, Calif., recently banned 180Solutions affiliates from its network and told members they could not distribute third-party software without explicit approval from Commission Junction, according to company officials.
LinkShare Corp., another affiliate marketing network, is also asking affiliates to reapply so that their sites can be vetted, said Shawn Collins of Summit, N.J., an authority on affiliate networking. Still, IT administrators are skeptical that new laws and pressure from advertisers will make much of a difference when it comes to ending the spyware and adware problem. “As with spam, a lot of this stuff comes from overseas,” said Family Credit's Beard. “You can't really legislate what's going on.”
Administrators are looking to other means, such as anti-spyware software and switching from such vulnerable platforms as Windows and IE. At the University of Toledo, in Ohio, for example, administrators are encouraging use of browsers other than IE and are evaluating Apple Computer Inc.'s new Apple Mini for no other reason than to end spyware infections, said Joe Sawasky, interim CIO at the university.
Beard said he is exploring the use of the Firefox browser at his organization. “I don't really know if there's a big fix. As long as people keep writing software to get around what's out there trying to block it, there will always be new problems,” he said.