Spyware is more like a parasite than a virus

It is becoming a favorite dictate of the security pundit that “spyware is a virus.�?
Written by Richard Stiennon, Contributor

It is becoming a favorite dictate of the security pundit that “spyware is a virus.�? That would be so nice if true. The desire seems to be to not create a separate box for spyware. That way there will be no need for these upstart anti-spyware vendors, no need for a separate anti-spyware product, and no need to think differently about the threat space.

Well, there is a need to think differently about the threat space. A need that this blog fulfills. There is finally a criminal business model that fits the Internet. There are several cyber criminal business models but lets save the others for another day. In an article at CIO-Update I discuss the money to be had by spreading illicit adware and making pennies a day from your “customers�? who get served pop-ups, or have redirected home pages or for-pay search results. We are dealing with big numbers here, $1.6 Billion annually by my conservative calculations.

So, how is spyware different from a virus? There are three ways. Spyware is more difficult to detect, more difficult to remove, and harder to find and classify. Let’s talk today about why it is more difficult to detect. The other two we will explore over the next couple of weeks.

I am writing this in a small private hotel in Bath, just down the hill from the Royal Crescent, an immense semi-circle of four story flats that can be had for as little as 625 thousand pounds each. Bath is a bustling, beautiful city built on the ruins of an ancient Roman settlement the only evidence for which is the still operating hot water spring baths the Romans used. (insert transition sentence that justifies bringing up Bath, hey this is a blog, I get to wander). The ideal piece of spyware hides underneath the Windows OS. The only evidence for it is the action it has to take to generate revenue. This surreptitious behavior is what makes it so insidious. Sometimes the impact on the user experience is so low that the user has no idea they have picked up a parasite in their online meanderings. It is not until there are several dozen pieces of spyware and adware on a system that the user notices that there is something seriously wrong with their PC. That is when the help desk gets the call: “hey, there is something wrong with my computer, it is getting really slow.�? I have heard dozens of stories from people who first loaded an anti-spyware product on their machine and found hundreds of traces and tens of pieces of malware eating away at their CPU utilization, using up bandwidth and finally causing it to crash.

Let’s face it the Windows OS evolved from a single user computing environment (DOS). It was not originally designed to be multi-tasking. It is still pretty sloppy at memory management and gets really bogged down if you try to run too many applications at once. As a matter of fact… but wait Windoze is also a topic for another day. More on that later then. Leave it at the fact that multiple applications all listening to the browser and the keyboard and sometimes the onboard microphone or camera pretty much breaks Windows.

How many viruses have infected your PC today? None, right? You may have received ten or twelve copies of Netsky or MyDoom but your Anti-Virus product caught it and quarantined it before it could do any harm. How many pieces of spyware do you have? Well now, you can’t answer that question. You have to scan your machine to find them. If you have been doing any extensive browsing or if you have down-loaded a piece of freeware you have gotten infected and have to take steps to clean yourself, I mean your computer.

Spyware is different from a virus because in many cases you invited it in. You were even asked to accept the terms of an end user license agreement (EULA) that said exactly what it was going to do to your computer. It installed in dozens of places. In the case of CWS (Cool Web Search) it used 6 levels of randomization to make it almost impossible to detect and remove all of its components. There are listener programs that look to see if you remove the other components and reinstalls the spyware next time you reboot.

Spyware is nastier that viruses and is harder to detect.

Originally published at www.threatchaos.com  

Editorial standards