Internet Spyware

The ASC [Anti-Spyware Coalition] drafted a definition of “spyware” in August 2005. The ASC defines “spyware and other potentially unwanted technologies” as those that “impair users’ control over material changes that affect their user experience, privacy, or system security; use of their system resources, including what programs are installed on their computers; or collection, use, and distribution of their personal or otherwise sensitive information.”

“Spyware” is something of a grey area, so there’s no copy-book definition for it. However, as the name suggests, it’s often loosely defined as software that is designed to gather data from a computer and forward it to a third party without the consent or knowledge of the computer’s owner. This includes monitoring keystrokes, collecting confidential information (passwords, credit card numbers, PINs, etc.), harvesting e-mail addresses, or tracking browsing habits. A further by-product of spyware is that such activities inevitably affect network performance, slowing down the system and thereby affecting the whole business process.

The reason “spyware” is such a grey area is that it is really just a catch-all term for a wide assortment of malware-related programs, rather than a defined category. Most “spyware” definitions apply not only to “adware”, “pornware” and “riskware” programs, but also to many Trojan programs: Backdoor Trojans, Trojan Proxies and PSW Trojans. Such programs have been around for almost 10 years, since the first AOL password stealers appeared. At that time, however, the term “spyware” had not yet been used.

Spyware is also referred to as “adware”. Spyware can exist in the form of malicious backdoor programs that open up ports, start an FTP server, or collect keystrokes and transmit them back to the attacker. It can also exist in the form of legal (and acceptable) commercial applications that give network administrators a great deal of power over both what they can change and what they can see happening on managed systems.

Although such programs are not new, their use for malicious purposes has increased in recent years and they have received much greater attention, both from the media and from “spyware”-only vendors.


No such thing as Spyware

By Eugene Kaspersky

The rising number of cyber-criminals creating more and more different malicious programs, attacks and cyber-frauds has resulted in the media and public paying more attention to security issues. New solutions and services, such as patch and vulnerability management, intrusion prevention, etc., have appeared during the last year or so.

New threats are appearing as well. But are they really all that new?

Spyware is a brand new word on the threat list and it is being used widely. Everyone is talking about spyware: many dedicated anti-spyware products have appeared on the market, all of them brand new.

But what exactly is spyware? What threats does the new term cover? My favorite definition of the term can be found at InformationWeek.

"Spyware is software that's installed without your informed consent. Spyware communicates personal, confidential information about you to an attacker. The information might be reports on your Web-surfing habits, or the software might be looking for even more sinister information, such as sniffing out your credit card numbers and reporting those numbers."

Exactly. This is a good definition which we can use to describe software designed to spy on user actions and report on infected machines.

Did we have such software in the past? Of course we did. The first malicious software designed to spy and steal confidential information was detected back in 1996 - the AOL Password-Stealing Trojans.

Have we already seen other malicious programs which can be described as spyware? Certainly! There are many different kinds of Trojans designed to:

Thus, what people are calling spyware is not new at all...

Is there anything else that can be called spyware? Yes. Numerous advertising tools (adware/advware) which report such information as visited Web pages and Web search requests. Sometimes this information is confidential.

And there's even more. Legitimate keyloggers, for example: freeware, shareware and commercial utilities which log keystrokes and/or monitor other user activities.

Are we done? No, there are still more programs that report user information to outside sources. For example, if you post to a forum your email client will report your email address. If you are browsing the Internet your IP address, Windows and browser version can all be logged as you surf.

Can we or should we class these programs as spyware? Definitely not. This is where we reach the border between so-called spyware and non-spyware.

And the border is fuzzy, because the issue is not always what the program does, but how it's being used. We call the border-line programs riskware, and detect many of them as 'not-a-virus'. We leave it up to users to decide what to do next: if they want or need the program, they can keep it. However, if it was installed without their consent or is doing something they don't want or need, we find it for them, so they know what's going on on their computer and can make an informed choice.

So, technically speaking, spyware simply doesn't exist as a stand-alone cyberthreat.

The programs which are being called spyware are, from a technical point of view, simply a limited sub-set of Trojans, advertising software and some riskware:

In short, there is no such thing as spyware.

On the other hand there are many anti-spyware programs produced by vendors who actively promote their products as dedicated anti-spyware solutions.

An interesting review was published in the latest PC Magazine (US edition, Feb 22 2005, pages 82-91). They compared how a number of security suites (anti-virus products) and dedicated anti-spyware products removed so-called spyware. Guess what? Some traditional solutions are better at removing these threats than dedicated ones.

Unfortunately, there are no adequate consumer tests to separate effective solutions from ersatz-security programs. In the PC Magazine tests, there were only 24 "spyware" samples tested. In reality, there are hundreds of malicious programs in the wild that fit into this category. For instance, we know of over 200 adware families (with numerous variants in each). We need better and more in-depth tests in the future.

To cut a long story short, the term spyware is basically a marketing gimmick: it serves to separate new ersatz-security products from traditional ones, and to push almost zero-value products onto the security market.

We need to avoid this trap. There is nothing worse for the computer security community than false alarms and/or users with a misplaced sense of safety.