The spy threat from the internet

Browsing the web can let unwanted visitors into your system - and simple anti-virus software can't catch them. Michael Pollitt tracks a silent enemy

Picked up anything nasty from browsing lately? While viruses, internet worms and hackers may be stopped by anti-virus software and firewalls, the latest spyware arrives through Microsoft's Internet Explorer. And unless it starts popping up adverts or installing unwanted toolbars, you're not going to know it's there. "Spyware is now probably the largest mass fraud area the world has ever seen," says Nick Ray, chief executive officer for the intrusion protection specialists Prevx Ltd. "Once they've got hold of your PC, they can do virtually anything."

Although installing free software commonly introduces spyware, an increasing proportion sneaks in unnoticed. "Attackers are looking at new infection methods that bypass anti-virus and firewalls. They can download and execute code on your machine as part of the process of web browsing," says Ray. Called a "drive-by download", it relies on invisible code in web pages. You don't even need to click.

Barb Rose, the director of communications for the spyware protection company PestPatrol, is in a better position than most to avoid this. The company has a vast spyware information database: it knows what's out there and how to remove it. Where spyware doesn't silently self-install, users will be duped into giving consent. Be warned: spyware will take over, throwing up adverts, diverting your web searches and monitoring where you go on the web.

"Spyware also spreads through the use of downloaders; programs which, once installed, begin to secretly download and install other programs on a user's machine. If a single downloader gets onto a computer, it will soon be running dozens of spyware programs, with no further action required on the part of the user," says Rose.

But surely you'd notice? Not necessarily. Spyware is hidden on your hard drive. It can change security rights, open a "port" out to the internet through your firewall, and switch off Windows functionality. Worse still, much spyware is self-repairing and silently updating, defeating all but the most determined attempts to remove it manually.

Rose thinks that spyware is becoming one of the greatest threats to computing today. "Its malicious code can destroy files, steal personal information, and hijack your computer for use in mass-mailings or attacks on other computers. Even just popping up adverts, a practice which at first seems annoying but harmless, can quickly hog a system's resources and reduce it to an unusable state," she says. No wonder 15 per cent of Dell's support calls are spyware-related, while Microsoft says it causes more than 50 per cent of the Windows operating system failures reported. (A major focus of Microsoft's free SP2 Update is to close holes in Internet Explorer exploited by spyware; it succeeds with many, but not all.)

However, it's the invisible spyware that's causing concern. A survey in June by Webroot Software, a protection software company, with Earthlink, an American ISP, showed that one in three personal computers scanned had a hidden system monitor or Trojan horse program. Nick Lewis, Webroot UK's managing director, also worries that drive-by downloads are getting worse: "From the volume of calls we get, it does seem to be an increasing problem."

Spyware is motivated by money, adds Lewis, who suggests that virus writers have turned to spyware to make cash from pop-up adverts, premium-rate diallers and information-stealing key loggers. "The people writing the code don't want to be detected. If they are detected, the last thing they want is to be removed."

Prevx's Ray sees more sinister motives: "The people writing spyware are selling it to organised crime. Organised crime is making money by fraud, stealing passwords, stealing e-mail addresses and hijacking people's machines in order to use them as zombies for spam and distributed denial of service attacks." As The Independent reported on 31 July, criminals can buy services that range from sending one million revenge e-mails, to bringing a commercial website to its knees.

Some spyware is based on programs known as "browser helper objects", which piggy-back onto Microsoft's Internet Explorer. "Once it does this, the browser helper object can interact with or override any portion of Internet Explorer, intercepting requests, altering windows, and so on. This allows for very powerful, very helpful tools," says Rose. She continues: "It also allows for very dangerous spyware."

Consider this real example. A small pop-up advert appears. Then, within seconds, in a process involving a Microsoft security vulnerability, hidden pop-under adverts and a hacked website, a "browser helper object" is secretly downloaded and installed. Later when you visit your online bank (the software watched for Lloyds TSB and Barclays), it quietly captures your user name and password from inside Internet Explorer and sends them to a remote computer. You've just become a drive-by spyware victim.

So what is Microsoft doing to stop this? Stuart Okin, chief security advisor for Microsoft UK, says spyware is part of a wider trend of computer-related criminal activity. "Microsoft continues to work with governments, law enforcement agencies, partners and customers to combat such activities and help bring these criminals to justice."

The real problem for Microsoft - security vulnerabilities aside - is that spyware writers find deception easy. Okin promises improvements with the Windows XP Service Pack 2, whose new features include improved security settings, a pop-up blocker and download monitoring.

"For spyware specifically, Windows XP SP2 takes steps to mitigate deceptive software, focusing on blocking potential entry points and distribution methods," says Okin. Microsoft also wants to help customers trust the software they're using.

Perhaps that's the problem. Users do trust anti-virus and firewalls (which you must have), yet they're not spyware-proof. Some vendors are taking action. "Symantec sees spyware as a growing problem for a large number of users, which was the driver for the inclusion of spyware detection in the 2004 version of Norton AntiVirus," says a spokesperson for the company.

Firewalls won't prevent drive-by downloads either, but they might stop installed spyware contacting the outside world. If you do get infected, spyware removal tools such as PestPatrol, Lavasoft's Ad-Aware, Spybot Search & Destroy and Webroot's SpySweeper, can be problematic, with users saying that one tool misses what another finds. Plus, the big risks - as with viruses - come from the new, unrecognised threats.

One suggestion that security experts make is to drop Internet Explorer altogether. One alternative is Mozilla (www.mozilla.org) and its siblings, including Firefox and Thunderbird: apart from being nicer browsers, they are more security-aware. A more radical option is to use the Linux operating system. A simpler answer is to join the burgeoning ranks whose standard line-up now includes not only a firewall and antivirus software, but anti-spyware software too. "Think of us as a last resort in terms of protection," says Ray. "Our product is designed to deal with threats that cannot be stopped by other mechanisms."

That product - Prevx Home - is a piece of free software that stops worms, hackers and spyware by preventing suspicious or known bad behaviour. Certainly, a version still in development that The Independent tried against a spyware-laden Armenian website successfully forestalled vigorous silent install attempts. Annoyances such as home page or search hijacking, and new toolbars are also repelled while a paid-for professional version offers greater protection. Browsing the increasingly dangerous internet just got a bit safer - for now.
