The Increasing Complexity of the New Spyware Landscape
Oct 23, 2007 4:00 AM PT
Spyware was originally designed to observe users' Internet patterns and deliver pop-up ads based on their individual browsing and shopping preferences. Now, although pop-up ads continue to be a nuisance, hackers are far more focused on spyware as crimeware: computer programs designed expressly to facilitate illegal activity online.
This change in approach is largely driven by monetary gain. Hackers, once satisfied with infamy as their reward, wrote viruses with little to no financial gain. Now, it's all about the money. Criminal enterprises are willing to pay top dollar for the latest and greatest in spyware, and there is no shortage of programmers willing to participate.
The Painful Truth and What Lies Beneath
In the U.S., it is estimated that 80 percent of home computer users have some form of potentially unwanted software in their systems. Moreover, the longer spyware stays on a system undetected, the more data it can transmit back to its creators who, in turn, sell that personal information to other criminals. As such, it is essential that consumers protect themselves and their assets.
Programmers have come a long way since "plain vanilla" adware. Here are some of the most dangerous online threats used by cyber criminals today:
- Botnets: A botnet is a collection of compromised, broadband-enabled PCs, hijacked during virus and worm attacks and infected with software that links them to a server where they receive "instructions" from a bot herder -- a criminal who controls the network.
A computer can be "inducted" into a botnet, an army of computers that, although their owners are unaware of it, have been remotely configured to transmit spam or viruses to other computers via the Internet. The purpose of a botnet is to steal a small percentage of each "zombie's" computing power and use it in aggregate to distribute spam, launch denial of service attacks, install malicious software on ever more computers, or embed keyloggers, which capture sensitive data from infected computers.
Worse, while the users' computing power is being stolen, their passwords, bank information and credit card numbers are also being stolen and sold repeatedly.
- Phishing attacks: Phishing is a kind of e-mail fraud wherein the perpetrator sends out legitimate-looking e-mails, typically with links to fraudulent Web sites that appear to come from well known and trustworthy sources. Phishers attempt to gather personal and financial information for purposes of identity theft.
Phishers can replicate the Web sites and other branding of businesses, banks, merchants and credit card companies so well that an estimated 3 to 5 percent of recipients unknowingly furnish phishers with data.
Moreover, many phishing sites host spyware. While these criminals are stealing identities, they are setting the PC up for future malicious activities.
- Trojans (or back door programs): Trojans are designed to disrupt computer activity and send information to an unauthorized third party for the purposes of identity theft. This type of spyware attempts to gain complete control over computer systems. If a system is infected, there is virtually no limit to what these programs can do.
While Trojans are not capable of spreading by themselves, there are some worms that carry Trojans, using them to infect machines as they spread. Some of the functions that a remote access Trojan can perform include: stealthily uploading and downloading potentially unwanted files; making changes to the registry; deleting files; stealing passwords, account numbers and other personal identifiers and confidential information; logging keystrokes; and more.
This technique works particularly well if a hacker has infiltrated legitimate Web sites, such as YouTube, MySpace and other sites where users let down their guard, thinking they are among like-minded "friends."
- Keyloggers: A keylogger is a hardware device or software program that records to a log file (usually encrypted) every keystroke the user makes. The log file created by the keylogger can then be sent to a specified third party. A keylogger recorder can capture instant messages, e-mail and any information typed on a keyboard. Some keylogger programs also record e-mail addresses and Web site URLs.
Although there are legitimate applications for keyloggers -- such as law enforcement monitoring criminals' activities, employers ensuring that employees use work computers for business purposes only, and parental supervision -- they are most often used to record personal data for identity theft and other fraudulent activities. Hackers can deliver keyloggers to unsuspecting users as a Trojan or as part of a worm or virus.
- Browser exploits: Because it is the most widely used browser by far, Internet Explorer is a top target for hackers. The Internet relies heavily on ActiveX, a Windows technology that enables Web sites to run programs on PCs. Once running on the system, an ActiveX control can perform the same tasks as other Windows applications, including opening files, connecting to a network and calling up other programs.
Although security has been upgraded with Service Pack 2 and Internet Explorer 7, hackers will always find flaws; the size of the user base and therefore the number of users they can infect make finding exploits irresistible.
- Rootkits: These malicious software programs can be used to gain unauthorized remote access to PCs and launch additional attacks. Rootkits can use many techniques, including monitoring keystrokes, changing system log files or existing system applications, creating a back door into the system, and starting attacks against other computers on the network. Rootkits are generally organized into a set of tools programmed to target a particular operating system.
- Malicious Web sites: Hackers are increasingly spreading spyware and other malicious code via infected Web sites rather than e-mail. Sometimes they create their own malicious Web sites -- sites on which users can become infected just by visiting. More often, they find exploits in legitimate Web sites and, without the site owners' knowledge, embed malicious code into the site.
The sites most likely to infect include free adult sites, unauthorized celebrity sites, disreputable online pharmacies, free casinos, gaming and song lyrics sites.
- Rogue antispyware: Posing as legitimate software applications, rogue antispyware programs typically offer free PC scans, ostensibly to detect spyware. The software generates false positives and displays alerts in order to scare the consumer into purchasing their product.
Rogue antispyware makers usually deliver their offers via pop-up ads. Not only do these programs fail to remove spyware, but most will actually download spyware and other malicious software onto the PC. If purchased with a credit card, that information is compromised as well. Some common rogues are System Doctor, Spyhealer, SpyAxe, Winfixer and DriverCleaner. For a comprehensive list of rogue anti-spyware applications, see Spyware Warrior.
Education and Protection
Most users do not understand the nature of today's threats and therefore cannot be on guard against them. The ubiquity of computers, particularly home computers, has led owners to treat them like refrigerators or toasters -- plugging them in, adjusting some initial settings, and using them until they break or until a different set of features is desired. This is a recipe for disaster because without education and the right security software, the end user doesn't stand a chance.
Prevention is the best way to cope with hacking and it starts with following these simple rules:
- With a wireless network, buy a router with a built-in firewall. The default settings should suffice for most users.
- Use good anti-spyware and anti-virus software. Make sure the anti-spyware blocks Trojans and keyloggers.
- Make sure you are running the latest definitions (updates) of all your security software.
- Buy software only from reputable vendors.
- If a site prompts a software download in order to view it, don't.
- If a site prompts a codec install, don't.
- Ensure the wireless network is encrypted. The newest type of wireless encryption is WPA2.
- Do not click on links that are not identifiable (for example, URLs that are random strings of numbers).
- Store the URLs of favorite e-commerce sites in "Favorites" to reduce typing errors.
- Do not respond to e-mails from financial institutions or other businesses asking for personal information, especially passwords, account numbers or credit card numbers.
- Be vigilant! Hackers know that the weak link in the security chain is always the end-user, and they are counting on a lack of education and attention.
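The link rules above (avoid URLs that are bare numbers, keep e-commerce addresses in "Favorites", distrust e-mails that point to look-alike sites) can be turned into a mechanical pre-click check. The following is an added example, not code from the original article or from iS3; the FAVORITES set and the sample e-mail are constructed, and the host names in them are hypothetical. It flags numeric hosts (dotted or bare decimal), user-info tricks that disguise the real host, hosts that merely resemble a saved favorite, and e-mail links whose visible text names a different site than the link target, which is the pattern the phishing section describes.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the user's saved "Favorites" (hypothetical host names).
FAVORITES = {"www.example-bank.com", "shop.example.com"}


def hostname_of(url):
    """Lower-cased host part of a URL or bare domain; a missing scheme is assumed to be http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_numeric_host(host):
    """True for IPv4/IPv6 literals and for bare decimal forms such as 3232235777."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return host.isdigit()


def brand_labels(favorites):
    """Second-level labels of saved favorites, e.g. 'example-bank' from www.example-bank.com."""
    return {fav.split(".")[-2] for fav in favorites if "." in fav}


def check_url(url, favorites=FAVORITES):
    """Return the reasons a link looks suspicious; an empty list means none were found."""
    reasons = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no host name in link"]
    if is_numeric_host(host):
        reasons.append("host is a numeric address rather than a name")
    if "@" in parsed.netloc:
        reasons.append("user-info before '@' disguises the real host")
    if host not in favorites:
        # A saved brand name appearing inside some other host is the classic look-alike.
        hits = sorted(b for b in brand_labels(favorites) if b in host)
        if hits:
            reasons.append("resembles saved favorite(s) %s but is a different host" % ", ".join(hits))
    return reasons


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_html_message(html, favorites=FAVORITES):
    """Map each suspicious link target in an HTML e-mail to its list of reasons."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = check_url(href, favorites)
        # If the visible text looks like a domain, it must match the real target host.
        shown = hostname_of(text) if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) else ""
        if shown and shown != hostname_of(href):
            reasons.append("link text shows %s but target is %s" % (shown, hostname_of(href)))
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample message in the style of the phishing e-mails described above.
SAMPLE_MESSAGE = """
<p>Your account has been suspended. Please
<a href="http://www.example-bank.com.login-verify.net/">verify now</a>.</p>
<p>Or visit <a href="http://203.0.113.5/acct">www.example-bank.com</a> directly.</p>
<p>Shop at <a href="https://shop.example.com/deals">shop.example.com</a>.</p>
"""

if __name__ == "__main__":
    for target, why in check_html_message(SAMPLE_MESSAGE).items():
        print(target, "->", "; ".join(why))
```

Only the genuine favorite passes; the look-alike host and the numeric host with mismatched link text are both reported. The check is deliberately conservative: it never declares a link safe, it only lists the reasons a user should stop and type the known address from "Favorites" instead.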
Robust computer security requires strict maintenance, and safe surfing requires a firewall, anti-virus, anti-spyware and phishing protection. All this software needs to be updated continually with the latest definitions.
Users need to make sure their browsers and operating systems are running the latest security updates provided by the manufacturers. With good software protection and less than half an hour a week of maintenance, anxious criminals will have difficulty accessing and exploiting vulnerabilities.
Robert Scaduto is the executive vice president and chief technology officer at iS3, makers of STOPzilla anti-spyware and ANTIfraud. Mr. Scaduto can be reached at firstname.lastname@example.org.