When Spyware Crosses the Line
Kelly Martin, 2004-06-23

"Spyware" isn't harmless software when it starts hijacking your browser, downloading updates, and displaying adult porn images to small children.

One of my friends called me in a panic the other day. It seems his 8-year-old daughter was surfing the Internet, searching for Barbie dolls, games designed for children, and other things of interest to 8-year-old girls, when something bad popped up on the screen. She may not have understood what she saw, but she knew it was bad and so she called Mom and Dad.

You can probably guess what popped on the screen. That's right, a page with explicit, graphic pornography. But wait, there's more. It gets worse.

Bookmarks for "mature porn" also popped up all over the computer, placed everywhere from the desktop to the Quick Links toolbar of the browser, to the Favorites area in Internet Explorer -- and these links appeared for all three users who can log in to this system. The browser was also redirected, or "hijacked", to display an explicit porn site as the home page, and any attempts to change it back were to no avail. An application also started running secretly in the background, ensuring that any of these links that were removed would be replaced.

My friend, who works in the software industry, knew that their family computer had been infected with spyware. Nowadays it only takes a single click. He also knew what to do. He ran the free spyware removal tool, Spybot Search & Destroy, to no avail. Then he ran another popular free tool, Ad-aware, also to no avail. He made sure he had downloaded all the updates to both these tools, then ran them again in safe mode. Both tools found the spyware hijacker, but were unable to remove it despite multiple reboots. Still, the links to mature porn would reappear. His daughters were told not to use the computer until this "spyware" was removed -- which, in this case, was proving surprisingly difficult.

As it turns out, the "spyware" in question had self-updating code, and had updated itself to a newer version that could not yet be removed by any of the major anti-spyware tools. Instead, my friend spent significant time figuring out how to manually delete a malicious, system-level application that he never installed.

Self-updating code. Hijacked home pages. Applications installed without your knowledge. Toolbars you don't want and never asked for. Your movements on the Web are tracked and recorded. All this, and yet we still call this stuff "spyware"?

It's a sad day for the Internet community when an 8-year-old girl, through a single click, is not only subjected to graphic pornography but has caused a nefarious, hard-to-remove application to be installed. An application that displays porn at every turn -- plus gives you links to more porn that cannot be removed without a significant investment in a parent's time and frustration.

When spyware crosses the line, it's not spyware anymore. It's a virus -- and in my opinion, should be dealt with by the anti-virus companies.

Drawing the line

An entire cottage industry has sprung up with the advent of spyware, and a few people are making a great deal of money using shady tactics. For the most part these people and companies can be identified, tracked and held accountable for their actions. Yet today, it rarely happens. Why?

I believe one of the problems is that a clear line has yet to be drawn between what is "acceptable" spyware versus what is unacceptable. Clearly, porn hijackers, self-updating applications, and domain-blocking applications are unacceptable. Yet I would argue that any application that gets installed without your knowledge is unacceptable and by nature crosses the line. And of course, the line from here to the legality of such things is very murky indeed.

Not only can spyware be installed on a fully patched Windows machine running the latest anti-virus software, spyware companies and the slimeballs who run them have been known to find, use and exploit undisclosed IE vulnerabilities to their advantage and for financial gain. In the Internet community that I grew up with, one that existed long before the Web, that kind of activity would never have been allowed to continue.

Patch the cheese, please

Before you hit that add comment link at the bottom of this page, understand that the spyware issue has little to do with a lapse in a user's desktop security. The bane of good security practice whereby you patch/firewall/anti-virus everything in sight still won't fully protect you -- spyware gets installed through ActiveX, or by exploiting zero-day vulnerabilities that (eventually) get patched in Internet Explorer.

Simply disable ActiveX, right? Well, it's not quite that easy. Some of the sites you visit may know you're running IE and believe that they truly need to use ActiveX. Other options? Here's one: try surfing the web with IE configured to "ask" about running ActiveX scripts and controls. But be forewarned. It will nag you worse than your ex-wife's cranky mother.

Spyware is largely (though not exclusively) an Internet Explorer problem. And like it or not, Internet Explorer, the Swiss cheese of the Internet, commands about 80% of the world's browsing. But individuals can freely switch to Firefox or Opera and effectively bypass the spyware problem, at least for now. Sure, security holes can be, have been and will be found in these browsers too, but the difference in their security track records compared to Internet Explorer is absolutely night and day. Corporations and enterprises can use desktop management software to centrally distribute these new browsers, and save money by not having to license anti-spyware applications to clean up the mess that's been swept through IE.

I give accolades to Scott Granneman for having the guts to tell people it's time to dump Internet Explorer. Never mind all the features competing browsers have that enhance the browsing experience. Personally I think it's worth switching for the spyware problem alone.

I've read comments from people who've said they've been using Microsoft Internet Explorer for many years and have never encountered a single case of spyware. Oh really? My response to that is very simple: what planet are you living on?!

It's not the benign spyware that I worry about, either. It's the ease with which these more malicious "spyware" applications can install themselves without your knowledge -- and hijack your browser so it displays porn to an eight-year-old girl. Then it updates itself so you can't remove it. This is "spyware" that has clearly crossed the line.


Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.
Copyright 2010, SecurityFocus