Fight Spyware Like You Mean It!

In the process, I discovered why the PC malware problem has proven so intractable. I also learned a lot by going through the process of collecting the pieces and parts necessary to compare anti-spyware packages. Finally, I interviewed Eric Howes, a noted spyware researcher at the University of Illinois, who has found that today's most popular anti-spyware software packages are far less effective than many believe (see sidebar, below).

Spyware or Virus?

First, here's a quick excursion into malware terminology. Important differences exist. To fight effectively, you've first got to know what you're fighting.

A virus is characterized by its ability--or, some would argue, its imperative--to reproduce. Viruses are self-contained. They infect computer systems through a variety of ingenious means that are primarily of their own connivance. Viruses are especially likely to spread when files are copied, executed or opened, or when infected attachments are opened or executed.


Spyware is characterized by the ability to insinuate itself onto systems, but only when visitors come to it. For example, downloading an infected file can introduce spyware to a system. Generally, spyware shows no interest in reproducing. Instead, spyware typically gathers passwords, user IDs, and other information on the systems it infests. It may ultimately seek to transmit that information through either a backdoor or other covert means of networked communications to online mischief-makers, hackers or outright criminals.

Spyware and viruses share several characteristics. Both operate in "stealth mode," which means they seldom if ever advertise their presence directly. Both are highly unlikely to seek permission from a user before taking up residence on a target computer. But spyware, unlike a virus, may sometimes provide a notification buried in a lengthy end-user license agreement (EULA) for other software. Or spyware may ask a user if it can be installed, though without explaining the likely results of such an installation. Also, both spyware and viruses may come disguised within files that purport to be benign, useful or desirable. In other words, as a Trojan Horse.

Similarly, the symptoms of virus infection and spyware infestation share many traits. These include: slowed system performance or outright system instability; the appearance of strange, uninvited processes and start-up items in the Windows run-time environment; and bouts of system or network activity that are neither under user control nor run with user permission.

If you're interested in learning more about spyware, two sites to visit are Spyware Warrior and Spyware Guide. Independent virus information is available from many sites, including Virus Bulletin and VirusList. Vendor sites for anti-spyware and anti-virus software (Symantec/Norton, Panda Software, etc.) are also good sources for related news, alerts and information.

To get a sense of how a single type of spyware can mutate and proliferate, check out a fascinating example at the CoolWebSearch Chronicles site. This documents all known variants of the infamous CoolWebsearch spyware. The site also explains how to deal with this notoriously vexing spyware in its many known forms and guises.

Where Comparisons Fail

For this TechBuilder Recipe, I tried to create my own test bed to compare the effectiveness and usability of leading anti-spyware packages, including Webroot Spy Sweeper, Sunbelt Software CounterSpy, and Microsoft AntiSpyware (still in beta mode as of this writing). But I quickly ran straight into both prongs of the test-bed trap. I think these will also trap most system builders who would like to help protect their clients' systems.

First, I didn't have the time (or budget) to spend 100 or more hours visiting all known or suspected spyware sites to create an objective test bed that mirrored the real world as much as possible. Second, the real world changes so quickly--with known items mutating regularly and new items showing up with near equal frequency--that I found it nearly impossible to create a real-world map. Thus, I had to content myself with understanding the problem and learning why the situation is so difficult to handle.

A partial answer to this dilemma may be found in recent announcements from the three vendors mentioned above. Webroot, Sunbelt Software and Microsoft are all enlisting the help of robots to speed the process of spyware identification and counter-measure development. These robots are made of software, not steel, and instead of performing repetitive tasks on an assembly line, they ceaselessly prowl the Web for evidence of spyware in active content. When they find evidence, they log and report it in real time. This kind of perpetual scanning is the only way to keep up with spyware. The use of software robots offers an eventual hope of achieving 100 percent effectiveness ratings for anti-spyware software tools. But neither the industry, nor the tools it uses, are there quite yet.

Anti-spyware Best Practices

Though I wasn't able to compare the effectiveness of leading anti-spyware software, I was able to distill the best practices for handling spyware and adware. Any system builder will help their clients by following these best practices:

  • Use at least two anti-spyware packages: Because no single package attains 100 percent detection or repair ratings, you must use more than one anti-spyware package to keep your systems ship-shape. My recommendation is to use two. Run the first one as a real-time blocker, and let it scan and repair frequently. (For example, Microsoft AntiSpyware scans nightly by default.) Then schedule the second package as a backup scan; use its repair tool about once a week. Automate the operations of both packages, if possible, so the user won't forget or postpone this essential activity.
  • Keep up with Windows and other software updates: Spyware, like viruses and other malware, often exploits vulnerabilities in the runtime environment. Keep Windows patched, and keep anti-spyware software and definitions updated. Here again, an automatic or scheduled update is the best way to ensure you're not fighting today's problems with yesterday's tools.
  • Provide adequate browser security: For Windows XP SP2 and Windows Server 2003, the base environment (if current) provides ample browser protection, including managing browser helper objects, active content and scripts, default page and search assignments, and blocking pop-ups and other means that spyware uses to infest systems. Users of older versions of Windows should take care to lock down browsers and block or limit active content and scripts. Security-scanning tools like AuditMyPC.com--which includes firewall tests, spyware check, pop-up handling test, and more--will not only help system builders check and assess individual PCs, but also suggest remedies and provide further information when needed.
  • Educate your users: Though nobody wants to read End User License Agreements (EULAs), these often contain information that warns users to steer clear of certain Web sites and to avoid installing certain downloads--but only if they read the fine print. Users need to either take responsibility for such perusal, or steer clear of any and all software that a company or organization neither supplies nor sanctions.

Sidebar: Spyware Sleuthing With Eric Howes

Eric Howes is a researcher at the University of Illinois who has been chasing spyware for the last five years, or about as early as anybody began to notice evidence of spyware in the wild. In late 2004 Howes published the results of his several-month study of spyware here. During this study he systematically exposed an unprotected machine to a broad range of spyware representing common threats that most users are likely to encounter. Howes created a reference image of that system for ready re-use, ran all of the anti-spyware packages he could identify against that test bed, and compared their results. To say the least, his findings are unsettling.

While respected sources like ICSA and Virus Bulletin routinely report 100 percent effectiveness from multiple anti-virus packages in their yearly surveys or comparisons, Howes' best results barely topped 90 percent effectiveness. Those ratings came from Sunbelt Software's CounterSpy and Microsoft's AntiSpyware. But many better known anti-spyware products--including Spybot Search and Destroy, LavaSoft Ad-Aware SE, and Webroot SpySweeper--typically reported effectiveness ratings in the range of only 60 percent to 75 percent.

Preparing this spyware test bed took more than 100 hours, Howes says. He also painstakingly went through the process of using the InControl 5 software package to create before-and-after snapshots for all infestations. That way Howes could compare logs; investigate all new and changed files; detect all Registry adds, edits, and deletes; and pick through all the temporary Internet files left behind in the current user's account directory. (%userprofile%\Local Settings\Temporary Internet Files is a symbolic specification for this directory that will work for anyone logged in on a modern Windows system. As a pretty typical example, my own system's Temporary Internet Files directory right now contains more than 9,500 files.) This is a huge amount of data to sift through and analyze. Howes has been saving this data for the past nine months in Zip format, and he has already collected more than 2 GB worth of such data.
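The before-and-after snapshot comparison Howes performed with InControl 5 is, at its core, a hash-based diff of the file system. The following is an added illustration of that technique, not Howes' tooling or the InControl product: it images a constructed directory tree, simulates an infestation that drops a new start-up item, alters a settings file and deletes a log, then reports what was added, removed and changed. The file names and contents are constructed for the demonstration; the same diff logic applies to a registry export once it is flattened into a path-to-value mapping.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest.

    This is the 'before'/'after' image of the sidebar's method: hashing
    contents rather than trusting timestamps catches edits that preserve
    size and modification time."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            state[full.relative_to(root).as_posix()] = hashlib.sha256(
                full.read_bytes()).hexdigest()
    return state


def diff_snapshots(before, after):
    """Return sorted lists (added, removed, changed) of relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in before.keys() & after.keys()
                     if before[p] != after[p])
    return added, removed, changed


def demo():
    """Constructed scenario: clean image, exposure, second image, diff."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "Startup").mkdir()
        (r / "Startup" / "readme.txt").write_text("benign")
        (r / "settings.ini").write_text("homepage=about:blank\n")
        (r / "old.log").write_text("ok")
        before = snapshot(root)
        # Simulated changes made while the test machine was exposed
        # (constructed sample data, not real malware artefacts).
        (r / "Startup" / "newstart.exe").write_bytes(b"MZ\x90\x00")
        (r / "settings.ini").write_text("homepage=http://search.example/\n")
        (r / "old.log").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added, "removed:", removed, "changed:", changed)
```

In practice the baseline image is taken once and reused, as Howes did, so that every exposure run is compared against the same known-clean state.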

Howes' advice to any system builder who is considering building their own anti-spyware test bed: "You can't just look at the pure functionality of the software, as you can with viruses. You have to look at the context of the user experience and the mechanisms and types of delivery used."

Howes continues: "Then you have to understand exactly how unwanted information or software arrives on a computer. You must visit the Web site and go through the user's experience, rather than simply evaluating the functions of the left-behind software itself. Spyware/adware research has to look at business practices, human decision making, and user interactions."

This takes more time and effort than producing virus signatures and related repair scripts or routines. It also explains why anti-spyware vendors need anywhere from two to five days to post a response to a new problem, while anti-virus vendors routinely post responses within 24 hours.

For the complete results on Howes' testing, see his Test Guide. An equally valuable Feature Comparison of numerous anti-spyware programs is also available here.

ED TITTEL is a technology writer who has contributed to more than 100 computer books; a trainer; and a consultant who specializes in IT certification and information security, with a special emphasis on Windows desktops.
