Charles Engelke's Blog

February 26, 2004

Spyware… the next real threat

Filed under: RSA 2004 — Charles Engelke @ 5:06 pm

That’s the claim of Roger Thompson, VP of Product Development for
PestPatrol, a company that makes products to detect and remove
spyware. So he’s hardly an impartial observer of the issue. Still,
spyware is one of my main concerns about our own security, and I
hope this is a useful talk.

We’re in one of the large theaters for this track, but it’s still
packed. I think this is the most attended session I’ve been to yet.

The speaker has been involved with virus detection and related
areas for a long time, since the mid-80s. He wrote early tools for
that, because he realized that existing utilities were good at finding
data that was lost, but not good at finding data that was deliberately

We’re in the “fourth age” of viruses. The first was from 1987 through
1995. The second from 1995 to 1999; the third from 1999 to 2002,
and the fourth age started in 2001. When Windows 95 came out, it
stopped most existing viruses cold, because they couldn’t work with
a protected mode operating system; so Microsoft is “the best
antivirus company.” So macro viruses started being big; the “second
age” of viruses. The last big macro virus problem was in March 1999
with the Melissa virus. That was the last major virus created in
the United States, because the writer got in trouble and casual
writers decided to stop. The third age was characterized by
e-mail viruses; eventually companies started blocking executable
attachments, and e-mail programs started making it harder to launch
them. The fourth age consists of genuine worms like Code Red and
NIMDA that exploit things like buffer overflows; and spyware.

They define spyware as follows: “The term spyware program means any
computer program or software intended to aid an unauthorized person in
causing a computer, outside the knowledge of
the computer’s user or owner” in doing stuff. (Couldn’t copy it in
12 seconds!)

Overt spyware includes keyloggers, RATs, and backdoors. The second
class is network management tools like PC Anywhere, Ethereal, and
NetCat, which have legitimate uses but can be abused. Adware is the
third class.
Authors claim adware isn’t meant to cause harm. It’s largely
uninvited (despite being announced deep in a EULA’s fine print).
Spyware spreads; no one but the author knows what it does, and it
can clog your machine. In all these ways, spyware is like viruses.

How does spyware differ from viruses? Well, it’s legal. It’s typically
created by a corporate team. The motives are different: spyware is
aimed at profit.

Peer-to-peer (P2P). “You’ll never find a more wretched hive of
scum and villainy. We must be cautious.” (Obi Wan Kenobi). Kazaa
is pretty innocent, except for basic copyright issues. Kazaa’s
installer tells you what it will install, and makes you agree to
it. (Interesting, his demo screenshots are from a virtual machine.)
It warns that the third-party software it installs might have different
licenses that you should read. It lists the programs, and what they
do. It then installs about 750 files, and 1500 registry keys. Many
of them hook into the TCP/IP stack, and watch all network traffic
that way (they used to just hook to a browser). If you delete the
programs instead of uninstalling them properly, your networking
won’t work!

He’s showing a tool that tracks network traffic by process, and
you can see the spyware programs sending data as you use Internet
Explorer or other network tools. It’s hard to understand this
traffic if you sniff it; some of it is encrypted.
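The demo tool maps network activity to the process that generates it. As an added example (not the speaker’s tool and not part of the original post), here is the core of that attribution the way a defender would do it on Linux: parse the kernel’s `/proc/net/tcp` table, then join each socket’s inode to the process holding it via `/proc/<pid>/fd`. The `/proc/net/tcp` snippet, the inode-to-process map, and the process name `adbundle` are constructed sample data; the `inode_map_from_proc` helper reads the real `/proc` tree only when one is present.

```python
"""Attribute TCP sockets to their owning processes (Linux /proc format).

Added example: the sample table and process map below are constructed,
not captured from a real machine.
"""
from __future__ import annotations

import os
import re
import socket
import struct
from dataclasses import dataclass

# Kernel TCP state codes as they appear in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed /proc/net/tcp content: one sshd listener and two outbound
# connections (to 203.0.113.5, a documentation address) from the same process.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30102 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C3A4 057100CB:0050 01 00000000:00000000 00:00000000 00000000  1000        0 28411 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C3A8 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 28499 1 0000000000000000 20 4 30 10 -1
"""

# Constructed inode -> (pid, process name) map, as /proc/<pid>/fd would yield.
SAMPLE_INODE_MAP = {30102: (871, "sshd"), 28411: (1532, "adbundle"), 28499: (1532, "adbundle")}


@dataclass(frozen=True)
class Conn:
    local: str
    remote: str
    state: str
    inode: int


def decode_addr(hex_addr: str) -> str:
    """'0100007F:0277' -> '127.0.0.1:631'; the kernel stores IPv4 little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> list[Conn]:
    """Parse the /proc/net/tcp table; column 9 is the socket inode."""
    conns = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        conns.append(Conn(decode_addr(fields[1]), decode_addr(fields[2]),
                          TCP_STATES.get(fields[3], fields[3]), int(fields[9])))
    return conns


def inode_map_from_proc(proc_root: str = "/proc") -> dict[int, tuple[int, str]]:
    """Walk /proc/<pid>/fd; socket descriptors are symlinks named 'socket:[<inode>]'."""
    result: dict[int, tuple[int, str]] = {}
    pids = os.listdir(proc_root) if os.path.isdir(proc_root) else []
    for pid in pids:
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                comm = f.read().strip()
            for fd in os.listdir(f"{proc_root}/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{proc_root}/{pid}/fd/{fd}"))
                if m:
                    result[int(m.group(1))] = (int(pid), comm)
        except OSError:
            continue  # process exited, or no permission to read its fds
    return result


def attribute(conns: list[Conn], inode_map: dict[int, tuple[int, str]]) -> list[dict]:
    """Join sockets to processes; sockets with no owner (e.g. TIME_WAIT) stay '<unknown>'."""
    rows = []
    for c in conns:
        pid, comm = inode_map.get(c.inode, (None, "<unknown>"))
        rows.append({"pid": pid, "comm": comm, "local": c.local,
                     "remote": c.remote, "state": c.state})
    return rows


def connections_by_process(rows: list[dict]) -> dict[str, list[str]]:
    """Group remote endpoints by process name: the view the demo tool gives."""
    grouped: dict[str, list[str]] = {}
    for r in rows:
        grouped.setdefault(r["comm"], []).append(r["remote"])
    return grouped


if __name__ == "__main__":
    # Run against the live table when /proc exists (Linux); otherwise use the sample.
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as f:
            table, imap = f.read(), inode_map_from_proc()
    else:
        table, imap = SAMPLE_NET_TCP, SAMPLE_INODE_MAP
    for comm, remotes in connections_by_process(attribute(parse_proc_net_tcp(table), imap)).items():
        print(f"{comm}: {remotes}")
```

The inode join is what turns a socket table into a per-process view; running it as root matters, because `/proc/<pid>/fd` of other users’ processes is unreadable otherwise and those sockets land in `<unknown>`. Like the speaker’s tool, this shows who is talking to whom, not what is said, so encrypted adware traffic still stands out by its endpoint and owning process.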

One installation puts all these programs on your machine, but you
have to uninstall them individually. And if you don’t get them all,
they’ll all reinstall themselves.

A big security risk isn’t the known functionality of this spyware,
but how it could be used by other programs. “Every worm targets
Kazaa now.” (Grokster does a lot more of this than Kazaa.)

Here’s an anti-spyware scanner. Write scanner.bat: “Echo %1 is spyware”.
You’ll never have any false negatives. Okay, cute.

We will be seeing more and more adware, and more greyware (maybe adware,
or maybe malicious spyware), and worms
and hackers targeting adware. You can never relax.

This has been an excellent talk. Is today’s program that much better
than yesterday’s, or am I getting better at picking sessions? In
any case, it’s been a big improvement on earlier days.
