The problem is that these software spies are starting to get nasty. Spyware is being written and propagated with the express purpose of recording personal data such as passwords and credit card numbers, or hijacking your browser and bookmarking porn or other undesirable sites, or grabbing your web dialler. Some spyware even features self-updating code so that conventional freeware removal tools have no effect.
What’s more, unlike viruses and worms, most people with spyware on their computers have asked for it, albeit unwittingly. Many websites may ask you to register or sign up to them to receive content, and by doing so you may agree that spyware can operate on your PC – but this critical point is often buried in lengthy Ts & Cs where most users won’t see it.
And it isn’t a small-scale problem. Research in the US in Spring 2004 showed that 1 in 3 PCs scanned had spyware hidden on its hard drive. A total of 650,000 PCs were scanned, finding more than 18 million spyware tools.
Nor is spyware confined to home users. The average amount of spyware on business machines is similar to home users’ – largely because most companies don't have centralised, managed anti-spyware protection in place. Certain spyware – such as that used by P2P networks like Kazaa – is also bandwidth hungry as it communicates a lot of data between machines, which can be a problem on corporate networks.
It’s becoming such a sizeable problem in the US that the Government voted unanimously in Spring 2004 to approve the first-ever anti-spyware bill. The Securely Protect Yourself Against Cyber Trespass (Spy Act), approved by the US House of Representatives, would levy fines up to $3 million for those who illegally collect personal information, change a browser's default home page or bookmarks, log keystrokes, or steal identities.
So how has spyware been allowed to get this far without being restrained? The key problem is that we have accepted spyware in a variety of forms for too long. A cookie – the website marketeer’s long time friend – is a form or spyware. Microsoft uses various forms of friendly spyware to help most of us in our everyday work, by tracking what documents and applications we’ve used recently and giving us quick, one-click access to them.
But in the same way that Internet worms evolved to take advantage of email, malware authors are now taking spyware away from its neutral roots into Internet crime – whether by hijacking browsers and diallers, keystroke logging or laying the groundwork for mass spamming. These authors are also using tricks from the virus world by finding and exploiting browser vulnerabilities to their advantage.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.