Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Spyware Threat Isn't Dead, Experts Say

Traditional spyware attacks being replaced by more clandestine, malware-style deployments

WASHINGTON -- Anti-Spyware Coalition Public Workshop 2008 -- Spyware isn't extinct, but it's undergoing a major evolution, experts said here today.

Change was the theme as some of the industry's top spyware experts gathered here to discuss problems and solutions with the technology. The bottom line: Traditional spyware is on the decline, but the threat continues to endanger users as malware authors' tactics become more sophisticated.

The good news is that old-school spyware -- as typified by pop-ups and applets that are obvious and disruptive to the end user -- is dying, the experts said. "Nuisance adware is mostly dead now," said FTC commissioner Jon Leibowitz in his keynote speech. "That's encouraging, because it's rare that we can look at a whole method of attack and say that we're making real progress in stopping it."

About one in every six users harbored spyware on their computers in 2005, but the figures in 2007 were one in 11, said Jeffrey Fox, technology editor at Consumer Reports. "That's still a lot," he said. "About 850,000 users had to replace their computers in 2007 because they had spyware problems they just couldn't resolve. But it happened less in 2007 than in 2006, and it happened less in 2006 than in 2005."

The bad news is that spyware is increasingly being deployed in more clandestine fashion, using methods that are difficult to detect, said David Marcus, security research and communications manager at McAfee's Avert Labs unit. "Spyware is being delivered in more Trojan-like methods now, using a lot of the same distribution methods as other malware," he said. "So you might see a dropoff in traditional spyware, but it's offset by the tremendous increase we've seen in the broader category of malware."

Thanks to crackdowns by law enforcement and a growing negative image associated with pop-ups and "interruption marketing," there is a growing chasm between legitimate online advertising and old-school adware, experts say. Purveyors of spyware now must decide whether they want to be distributors of unwanted software -- and face potential criminal prosecution -- or get the user's permission to install "behavior-based" tools that do limited monitoring of a user's online behavior in order to deliver targeted advertising.

"The field is bifurcating," said Eric Goldman, assistant professor at the Santa Clara University School of Law. "The gray areas are becoming smaller. Adware is now tainted -- it's not seen as a legitimate marketing method. Ultimately, it was a lousy consumer experience, and fewer and fewer companies want to be associated with it. Now the people who distribute spyware are doing it using methods that are harder to detect, because they usually have a more malicious purpose in mind."

It is this latter group that continues to worry the experts, because purveyors of malicious spyware are developing increasingly cunning methods of creating spyware. "There are some new types of malware that are just impossible for an automated software product to remove from a user's machine," said Janie Whitty, administrator of the Lavasoft Online Support Forums. "In fact, we've seen some users crash their machines by loading too many anti-spyware tools, hoping to find some tool that will remove it."

The situation has improved somewhat in recent years, as state and local governments have passed legislation that outlaws the distribution of software that is too difficult to remove. Leibowitz cited several recent cases in which the FTC successfully prosecuted cases against spyware purveyors.

Still, spyware will continue to be deployed, both legitimately and illegitimately, across client machines, predicted Alissa Cooper, a policy analyst at the Center for Democracy and Technology. "Client-side software that monitors end user behavior will always be around," she said.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

McAfee Inc. (NYSE: MFE)

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd