No such thing as spyware

The rising number of cyber-criminals creating more and more malicious programs, attacks and cyber-frauds has resulted in the media and the public paying more attention to security issues. New solutions and services, such as patch and vulnerability management, intrusion prevention, etc., have appeared during the last year or so.

New threats are appearing as well. But are they really all that new?

Spyware is a brand new word in the threats list and it is being used widely. Everyone is talking about spyware: many dedicated anti-spyware products have appeared on the market, all of them brand new.

But what exactly is spyware? What threats does the new term cover? My favorite definition of the term can be found at InformationWeek.

“Spyware is software that’s installed without your informed consent. Spyware communicates personal, confidential information about you to an attacker. The information might be reports on your Web-surfing habits, or the software might be looking for even more sinister information, such as sniffing out your credit card numbers and reporting those numbers.”

Exactly. This is a good definition which we can use to describe software designed to spy on user actions and report on infected machines.

Did we have such software in the past? Of course we did. The first malicious software designed to spy and steal confidential information was detected back in 1996 – the AOL Password-Stealing Trojans.

Have we already seen other malicious programs which can be described as spyware? Certainly! There are many different kinds of Trojans designed to:

  • steal passwords/logins (including bank account information)
  • log user activity (keyboard, screenshots, applications being run)
  • act as backdoors with spying capabilities

Thus, what people are calling spyware is not new at all…

Anything else that can be called spyware? Yes. Numerous advertising tools (adware/advware) which report such information as visited Web pages and Web search requests. Sometimes this information is confidential.

And there’s even more. Legitimate keyloggers for example, freeware/shareware/commercial utilities which log keystrokes and/or monitor other user activities.

Are we done? No, there are still more programs that report user information to outside sources. For example, if you post to a forum your email client will report your email address. If you are browsing the Internet your IP address, Windows and browser version can all be logged as you surf.

Can we or should we class these programs as spyware? Definitely not. This is where we reach the border between so-called spyware and non-spyware.

And the border is fuzzy. Because the issue is not always what the program does, but how it’s being used. We call the border-line programs riskware, and detect many of them as ‘not-a-virus’. We leave it up to users to decide what to do next: if they want or need the program, they can keep it. However, if it was installed without their consent or is doing something they don’t want or need, we find it for them, so they know what’s going on in their computer and can make an informed choice.

So, technically speaking, spyware simply doesn’t exist as a stand-alone cyberthreat.

The programs which are being called spyware are, from a technical point of view, simply a limited sub-set of Trojans, advertising software and some riskware:

  • Trojan spies and some backdoors
  • most adware
  • riskware – potentially hostile programs that require users to make conscious choices about using them

In short, there is no such thing as spyware.

On the other hand there are many anti-spyware programs produced by vendors who actively promote their products as dedicated anti-spyware solutions.

An interesting review was published in the latest PC Magazine (USA edition, Feb 22 2005, pages 82-91). They compared how a number of security suites (anti-virus products) and dedicated anti-spyware products removed so-called spyware. Guess what? Some traditional solutions are better at removing these threats than the dedicated ones.

Unfortunately, there are no adequate consumer tests to separate effective solutions from ersatz-security programs. In the PC Magazine tests, there were only 24 “spyware” samples tested. In reality, there are hundreds of malicious programs in the wild that fit into this category. For instance, we know of over 200 adware families (with numerous variants in each). We need better and more in-depth tests in the future.

To cut a long story short, the term spyware is basically a marketing gimmick: it serves only to separate new ersatz-security products from traditional ones and to push almost zero-value products onto the security market.

We need to avoid this trap. There is nothing worse for the computer security community than false alarms and/or users with a misplaced sense of safety.
