The world of spyware evolves
- By William Jackson
- Jan 31, 2008
The spyware community has polarized, a panel of security experts said Thursday at a Washington workshop hosted by the Anti-Spyware Coalition. Adware distributors, under pressure from the Federal Trade Commission and anti-spyware technology, have mostly quit the business or are going legit. But the really bad players are getting worse, producing more stealthy and sophisticated malware.
'Nuisance adware is mostly dead,' said FTC Commissioner Jonathan Leibowitz.
Venture capital funding of companies that are paid to deliver annoying pop-up ads to your Web browser is largely a thing of the past, Leibowitz said. He pointed to several successful civil actions against major distributors who have since gone out of business or gone straight.
And reports of spyware infections have gone down, said Jeffrey Fox, technology editor for Consumer Reports. According to annual surveys, infections have gone from one in four respondents in 2004 to one in 11 in 2007. In the same time, the estimated cost of spyware has dropped from $3.5 billion a year to $1.7 billion.
But, to quote Miracle Max in The Princess Bride, 'there is a big difference between mostly dead and completely dead.'
While adware and spyware are less visible, Trojans delivering malware to computers are more stealthy, sophisticated, and harder to detect and remove.
'I'm here to tell you, there is some malware circulating on the Internet that is impossible for an automated program to remove,' said Janie Whitty, administrator of the Lavasoft Online Support forums who works with malware victims.
Susannah Fox, associate director of the Pew Internet and American Life Project, said there is a lot of misplaced trust among users of rapidly evolving technology.
'We are seeing a changing game,' with the growth of broadband and wireless connectivity and more powerful portable devices, she said. It is a faster, more mobile and more participatory environment, and 'most Americans are jumping in without considering the implications.'
Despite the FTC's legal success, Leibowitz said there is a limit to what civil enforcement can do. The line between what constitutes legal and illegal software and permissible and impermissible behavior by an application is not always clear, and he is reluctant for the FTC to go too far in defining it.
'I don't know that we want to overly regulate the space,' he said. 'It's when enforcement doesn't work and the market doesn't work' that the agency should turn to rule making. Currently, 'we try to go after the clear and worst offenders,' to send a message to the marketplace.
The marketplace does work. The social networking site Facebook recently altered a program of using information about members' purchases in ads sent to that members' network of friends. This raised concerns about privacy violations, and Leibowitz said he would have supported an investigation of Facebook if the company had not responded quickly. In this case, 'the marketplace worked,' he said.
Given the limitations of enforcement in a rapidly evolving environment, a lot of responsibility falls on end users to protect themselves and on technology companies to provide the tools.
Unfortunately, anti-spyware still is a maturing technology, Jeffrey Fox said. Tests by Consumer Reports found that anti-spyware tools detect only about 75 to 80 percent of the malicious code thrown at them, compared with 90 percent or better for most antivirus engines.
Users also need to mature. Most Internet users are reactionary, said Susannah Fox, changing their online habits only after being victimized. And the situation is growing worse with Web 2.0, which more actively involves end users than passive Web browsing.
'I don't think there is any expectation of privacy in Web 2.0,' said David Marcus, security research manager for McAfee Avert labs. 'Certain formats are custom made for delivering potentially inappropriate content. You are going to see a lot of changes' in how malicious code is delivered, installed and hidden.
William Jackson is freelance writer and the author of the CyberEye blog.