Spyware tightens grip on user PCs

[Mr T.]

Spyware tightens grip on user PCs

Dot.life - where technology meets life, every Monday
By Mark Ward
Technology correspondent, BBC News website


Spyware tries to stay on your computer for a long time

If you can say one good thing about computer viruses it is that they spring up and die away quite quickly.

The well-established ways to defend yourself against them mean you can swiftly find them, fix the problem and forget about them.

Sadly, the same cannot be said of spyware - the software that can smuggle itself on to Windows computers.

Infection vector

You can catch spyware lots of ways; visit the wrong website, open the wrong spam e-mail, use the wrong peer-to-peer file sharing program, or fail to keep your PC protected with a firewall and anti-virus software.

What will happen if you do fall victim depends on the spyware writers' motives. Some programs just want to bombard you with ads. Others hijack browser settings and the most malicious steal personal details such as login names and passwords.

Chances are that you already have some spyware on your PC. In most surveys about 90% of PCs are found to have several pieces of the surreptitious software installed.

And spyware, unlike viruses, is designed to stay in place for a long time, said Richard Stiennon, vice president of threat research at anti-spyware firm Webroot.

Elliot Spitzer has accused firms of peddling spyware

Programs want to stay in place so that their creators can make money from them, said Mr Stiennon - again in contrast to most virus writers who tend to disdain financial gain.

Pornographers, spammers and many dubious web enterprises are happy to pay the spyware makers to make sure their adverts reach a wide audience - almost none of whom would sign up for such marketing messages given the choice.

The amount of money being made from spyware is a good motivation.

Webroot estimates that spyware makers are raking in up to $2bn per year. While some disagree with the size of this estimate there's no doubt that the amount of cash some spyware firms are making is significant.

Legal case

Currently spyware exists in a legal grey area, said Ben Edelman, a Harvard economics PhD student who also studies the stuff.

While there is no legislation that specifically outlaws spyware, the way that the programs get on to computers is ethically dubious.

Many innocuous looking programs such as download accelerators, smiley icon makers, peer-to-peer interfaces and other utilities also include spyware software.

The question, said Mr Edelman, is whether users know what they are getting when they install these programs.

"The basic argument is one of user consent," said Mr Edelman.

Anti-spyware firms recommend that PC owners switch browsers

Many makers of spyware and adware claim they have been installed legitimately because users have to click a "yes" button when software bearing spyware installs.

But, said Mr Edelman, the user agreements are often very long, sometimes more than 50 pages, and its unreasonable to expect that users read all this and know what they are getting.

"My claim is that the installations are deceptive," said Mr Edelman who favours a more transparent approach where users are told exactly what they are getting and what they are signing up for.

Legal action against firms that do not do enough to warn users about what they have signed up for has already begun.

New York attorney general Elliot Spitzer has filed a lawsuit against a company called Intermix claming that it does not do enough to warn users about what they are signing up for.

For its part Intermix denies any wrongdoing and issued a statement that it did not promote or condone spyware.

For PC users keen to avoid spyware there are several remedies they can take. Firstly they should use anti-spyware programs regularly to keep PCs free of the programs.

Spybot and AdAware are the most popular anti-spyware programs but Webroot, Microsoft and Symantec all produce them too.

Secondly, if they use Microsoft's Internet Explorer, they should make sure it is up-to-date with patches, and that pop-up blockers are turned on. It might also be worth using an alternative browser such as Opera or Firefox that do not have as many security problems as IE.

[Garf]

Quote:

Originally Posted by Mr T.

It might also be worth using an alternative browser such as Opera or Firefox that do not have as many security problems as IE.

I always find quotes like this interesting. Everyone seems happy to suggest that it is Microsoft's fault that there are so many security issues, but the simple truth is that it is simply the biggest target, and thus more people are having a go. It is exactly the same with Microsoft Outlook, where malicious code is simply designed to exploit specific weaknesses.

anyway, I ramble, as usual...

[turbanator]

That Elliot Spitzer looks shifty to me - -oh, he's a GOOD guy

[calski]

Quote:

Originally Posted by Garf

I always find quotes like this interesting. Everyone seems happy to suggest that it is Microsoft's fault that there are so many security issues, but the simple truth is that it is simply the biggest target, and thus more people are having a go. It is exactly the same with Microsoft Outlook, where malicious code is simply designed to exploit specific weaknesses.

anyway, I ramble, as usual...

Sorry Garf, can't agree there. You're right in suggesting that the fact that they're saturated throughout the market makes them a target, but let's face it, the code beneath a LOT of the M$ products is so poor that it's not even a challenge to exploit its inherent weaknesses.

One of the advantages of Open Source has always been that the open source community, largely, doesn't like to release crappy code since there is an element of "pride" in their efforts - other members of the community would quickly tear it to shreds... M$ coders, and I have been told this by a top coder at XBOX are pressurised to get their code finished and out there ASAP with no proper testing...

calski

[Fathoms Down]

Quote:

Originally Posted by Garf

I always find quotes like this interesting.

Me too.

It comes down to the fact that web browsers are written by and used by humans so there will never be such a thing as a secure browser. The biggest targets will always attract the attackers as they are such an attractive target no matter if that target is produced as a closed source or open source product.

[Billy the Kangaroo]

You can download Ad-Aware SE Personal Edition for free from lavasoft

http://www.lavasoft.de/support/download/

I do an update of definition files ( like virus checkers do ) and a full system check every month or so ( takes about 30 mins ) and it always has to quarantine a few files even tho I have firewall, virus checker active.

Guess that indicates some of the sites I visit ?

[calski]

Quote:

Originally Posted by Fathoms Down

Me too.

It comes down to the fact that web browsers are written by and used by humans so there will never be such a thing as a secure browser.

I agree, however even M$ doesn't consider IE to be a web browser. My understanding of it is that it doesn't (IE that is) conform to web standards and is a "renderer" simply bundled in with the OS (this may be different with later revisions but I doubt it...). How many times did we hear the M$ argument of "it's part of the OS" when it faced litigation for it's strategy in the Browser wars?

IE was developed on old code, remodelled to add new features but is still inherently crap because of it's age and flawed design... but then we seem to have these debates on YD every three months

calski

[Dominic]

Quote:

Everyone seems happy to suggest that it is Microsoft's fault that there are so many security issues, but the simple truth is that it is simply the biggest target, and thus more people are having a go.

But there are places where they AREN'T the biggest target, and yet they still get the biggest share of security issues. If "the biggest target will always have the most flaws exposed" were all there was to it, then what's going on with the Apache web server?

Far more web servers run Apache than MS's IIS (68% against 21% according to a Netcraft study last year). And yet, IIS is the biggest target & suffers the most from attacks.

Either Apache is magically immune to the "The biggest get all the attacks" problem, or MS genuinely produce crappy code and suffer accordingly.

[Garf]

Well, the debates are obviously going to go on - referring to Microsoft as being "M$" hardly lends you an air of objectivity and openess in debating.

The purpose of a professional developer is to write, modify or acquire software that meets the needs of their target audience, and thus generate income. Several recent reports indicate that IE is still used by over 50% of internet users. This simple statistic leads to the inevitable conclusion that it is phenomenally successful software. You may think that its handling of ActiveX scripting is clumsy - irrelevent. Microsoft's bundling of the software with its operating systems may insult your sense of fair play - irrelevent. You may know for a fact that the software is outdated, has few benefits to knowledgeable users, contains more than its share of flaws - all irrelevant.

Microsoft are a business out to gain market share and ultimately make money. They sell a browser which holds 50% of the entireplent's market. High ideals about refusing to sacrifice time-to-market or market share for quality of code are all well and good, but they have to be balanced in the business plan. The vast majority of users do not give a monkeys about the quality of the product, and even if they do, Microsoft put the product in front of them anyway and they use it. Microsoft are a business, and from a business perspective, Microsoft are getting it right. You may not agree with them or their product, but they are getting it right.