Spyware and Adware Continue to Plague PCs

Courtesy of InformationWeek

The characters who create and distribute spyware eventually reach a crossroads. Some clean up their acts, present themselves as adware aficionados, and do their best to legitimize questionable marketing techniques. Others continue their shady work on the sly. One major player reached a dead end: Adware pusher Claria last week revealed plans to exit the controversial business.

Efforts to control the parasitic code are widening as watchdog groups employ new tactics and law enforcement cracks down on suspects. The Center for Democracy and Technology last week issued a report that points the finger not just at adware distributors, but also at nearly a dozen of their clients, including Club Med Americas, NetZero, and ProFlowers. "These advertisers see the benefits of advertising with these companies that engage in unfair and deceptive practices, but they haven't seen the downside," says Ari Schwartz, deputy director of the nonprofit public policy group.

StopBadware.org, a new watchdog group, last week added four popular programs to its "badware" list: file-sharing program Kazaa, spyware removal software SpyAxe, download manager MediaPipe, and Screensaver.com's Waterfalls 3 screensaver. And the Los Angeles City Attorney's office revealed that it filed the first criminal spyware case in California, charging three people with running companies that distributed spyware in the guise of legitimate software tools.

IT departments have been fighting spyware and adware—they're different, but both troublesome—for several years, and there's something to show for their efforts: Fewer machines are getting infected. While spyware infected 81% of consumer PCs last year, that's down from 91% in 2004, according to anti-spyware vendor Webroot, which scanned more than 2 million PCs to arrive at those findings.

That's progress, but there were setbacks, too. The average spyware count on each machine climbed in 2005, to 25 instances, and the programs are increasingly malicious, with more Trojan horses than before.

It's not just a consumer problem. Spyware was reported by 80% of respondents last year in an FBI survey of 2,066 companies.

Spyware also is growing in seriousness and complexity, as miscreants use the embedded code to pilfer funds and steal data that can be sold. Adware tends to be less sinister, but it's problematic in other ways, slowing PCs and clogging networks with the traffic it generates. "I know there's a major difference functionally," says Scott Larsen, IS manager at the online group travel agency Groople. "Obviously, the repercussions of spyware versus adware are different. But they're one and the same in one respect: I don't want them on my box."

A year ago, the IT team at Groople found spyware on at least one of its PCs every day or two and spent part of most days digging it out. The company installed anti-spyware software from Trend Micro and Microsoft at its Internet gateway and on PCs and laptops, at a cost of about $10,000. Spyware infestations have dropped to one every two weeks, and staffers now spend only an hour every few weeks getting rid of it.

An average company spends more than $1.5 million a year getting rid of the junk, according to a study of more than 600 IT managers conducted last summer by research firm NewDiligence for security software vendor FaceTime Communications. Worldwide business spending on anti-spyware software will jump from $214 million this year to nearly $1.4 billion by 2010, predicts research firm Radicati Group.

Criminal Intent

Spyware purveyors are part of a shadowy underworld. Israeli authorities this month indicted a couple for creating Trojan horse software and selling it to private detective agencies to spy on the business rivals of their clients. Victims included an automobile importer, public relations firm, and television company, according to published reports.

Israeli officials allege Michael Haefrati crafted the malware—a variant of a keystroke-logging program called Hotword, according to Dave Cole, director of Symantec Security Response—and provided technical support while his wife Ruth marketed it to private investigators and at times inserted the virus into victims' computers herself. The indictment suggests that the couple, whose company, Target-Eva, was registered to operate in Israel, the United Kingdom, and the United States, tried to market the software to legitimate security agencies as early as 2000 but began selling it illicitly after private investigators two years ago solicited them to modify Hotword.

There's also the example set by spyware purveyor Carlos Enrique Perez-Melara, who was indicted last summer for distributing a program called Loverspy. Here's how it worked, according to the indictment: For $89, a buyer could get Loverspy through a Texas Web site, which directed people to servers in Perez-Melara's San Diego apartment. On the site, people selected an innocuous-looking electronic greeting card featuring puppies, kittens, or flowers that contained the malware. Purchasers could send the E-card to as many as five E-mail addresses. When the targets opened the E-card, Loverspy would be secretly installed on their PCs.

According to the Justice Department, all activities on the PCs—E-mail, Web site visits, passwords entered—were captured and forwarded on to the purchasers, either directly or through Perez-Melara's servers. Loverspy gave purchasers the ability to remotely control the victims' PCs, including accessing, changing, and deleting files, even turning on Webcams connected to them. The government contends that more than 1,000 people bought Loverspy and installed it on 2,000 computers. A person who received spam touting the product tipped off authorities. The indictment also charged four purchasers of Loverspy with computer hacking. No trial date has been set for Perez-Melara, who's on the lam in El Salvador.

Spyware can even be a threat to personal safety, as stalkers use keystroke loggers, says Schwartz of the Center for Democracy and Technology, which led the formation of the Anti-Spyware Coalition, a group that includes America Online, Microsoft, and Symantec. He cites a recent case in Michigan where a batterer secretly installed keystroke-logging software on his estranged wife's computer and tracked her and their kids by reading her E-mail and viewing her online activities. "He followed them from battered women's shelter to battered women's shelter," Schwartz says. "That's kind of the worst-case scenario."

Much of the spyware aimed at stealing individual identities, money, and corporate trade secrets involves organized criminal groups, says Chris Painter, deputy chief of the Department of Justice's computer crime and intellectual property section. "If there's a way to make money, they're going to try to find it," he says.

These criminal groups may be patterned after the Shadowcrew Organization, a one-stop online marketplace for identity theft busted by the government a year and a half ago, Painter says. Shadowcrew operated in the United States and eight other countries. Members of the gang found each other through chat rooms and Web sites that attract criminals. "We see a lot of cooperation among groups," he says. "Once money is involved, it's a good reason for people to team up."

The culprits offer specialized skills: writing malicious code, placing spyware on PCs, creating false IDs and ATM cards from stolen information, and selling stolen identities. Spyware is an international problem, and much of the malware placed on people's PCs originates from countries, including those in Eastern Europe, where educated but underemployed people can be drawn to virtual crime. That makes it tougher to stop. The feds busted people in Shadowcrew by infiltrating the gang with undercover agents.

What these groups and individuals do is clearly criminal, and they have no defenders. But there's another class of software trying to claw its way to respectability.

Nobody's Friend

Adware, spyware's close cousin, is loaded onto PCs to track user Internet behavior in order to deliver pop-up ads to market specific products or services. People often load adware onto PCs along with free content such as toolbars, games, and wallpaper. Like spyware, adware can be delivered clandestinely when users visit an unscrupulous Web site that exploits a browser vulnerability to make the transfer.

It's possible, albeit inexcusable, that advertisers might be unaware that spyware is delivering their messages. Anti-spyware gadfly Ben Edelman analyzed HTML coding to trace a pop-up ad from music retailer Columbia House to spyware transmitter ICanNews. Columbia House had retained aQuantive to place its ads on the Web, which subcontracted ad placement to Yfdmedia, which contracted Azoogle, which signed up MyGeek, which engaged ICanNews. "The net effect is that the user was shown this pop-up ad when the user never consented to receive this kind of advertising," Edelman says.

The largest adware companies say they give users' sufficient notice about adware and its properties, and they shun the spyware label. But critics, including corporate users, don't see the difference. "As much as these companies want to call it adware, spyware sure feels like the right name, because it's really surreptitious," says Jonathan Johnson, senior VP of corporate and legal affairs at Overstock.com, an online retailer that itself once used adware but now is suing a competitor that used it to deliver ads to people looking at the Overstock site (see story, "Are Pop-Ups Unfair Competition?").

Adware has well-heeled backers. Claria raised more than $58 million from U.S. Venture Partners and Greylock Partners, 180solutions received $40 million from Spectrum Equity, and WhenU.com obtained back- ing of $35 million from ABS Capital Partners and Trident Capital.

Adware pioneer Claria last week disclosed plans to leave the adware market by June. Claria, founded in the late 1990s as Gator, has retained Deutsche Bank Securities to sell its adware assets and is in discussions with a number of interested buyers. Alex Eckelberry, CEO of anti-spyware software maker Sunbelt Software, says he wouldn't be surprised if two other major adware companies—180solutions and WhenU—bid on Claria's adware business. Eckelberry suggests that venture capital firms that funded Claria see the adverse publicity surrounding adware as diminishing the company's value.

But Claria may not be getting out of the business of placing software on PCs. It's focusing on a new service it will introduce next month called PersonalWeb, which automatically generates personalized Web pages that provide users with information they want, such as sports scores or community news.

180solutions has given up its wild ways, Baur says. Photo by Andy Reynolds

Is Reform Possible?

Adware's critics are relentless. The Center for Democracy and Technology in January asked the Federal Trade Commission to take action against adware company 180solutions for repeated and deliberate attempts to dupe Internet users into downloading intrusive software. Last month, adware critic Edelman posted information on his Web site showing that new software 180solutions developed to prevent unauthorized downloads didn't work and that unethical business partners could get around it to plant adware on PCs.

180solutions' executive VP of business development, York Baur, says the company has changed the way it conducts business. "The only valid criticism is that we were perhaps naive about the world of Web publishing earlier on in our history, and it has taken us through 2005 to truly take control of that ownership of [our] network and get practices that we think are poor cleaned up," Baur says.

180solutions, like other adware companies, offers users bundles of free products from thousands of content providers in exchange for placement of software on their computers to deliver targeted ads based on the Web sites they visit. 180solutions' premier product is Zango, which offers a variety of games as well as tools to access simultaneously AOL, Yahoo, and MSN instant messages; burn CDs and DVDs; and get desktop TV listings, astrology readings, and weather forecasts. In addition, scores of scripts and software are available. Soon the company will offer video programming, too.

180solutions' problem was that it paid others to distribute that software and didn't make sure its distributors had people's permission. The company has more than 5,000 affiliates—it calls them Web publishers—that are paid to place adware on computers and are responsible for 90% of its adware downloads. Until a year ago, 180solutions used distributors to sign up affiliates. Last year, it severed relations with six of its distributors, acquired a seventh, and started using an automated system to manage affiliate relations. The company now deals directly with its affiliates and vets each one by requiring banking and payment histories and checking each Web site to see if it meets 180solutions' standards, Baur says.

The company makes money from advertisers, mostly direct marketers that pay to have pop-up ads appear on users' computers, often when the adware software detects the consumer perusing a competitor's E-commerce site or seeking services and products similar to those offered by the advertiser. Based on the contract, 180solutions is paid per view or, when a purchase is made through the ad link, per acquisition.

180solutions says its user base numbers more than 20 million, and its revenue last year topped $50 million. The company says it spent $2.5 million on software—known as S3 for Safe and Secure Search—that's supposed to keep affiliates from surreptitiously installing 180solutions software on users' PCs, but it's not perfect. Co-founder Ken Smith, writing in a blog, blamed the recent failure of the software to prevent unauthorized downloads on his company's detection and reporting mechanisms, not the S3 technology.

Skeptics aren't buying it, and they're trying to pressure advertisers not to use 180solutions. "We want to give fair notice to companies thinking about advertising with 180solutions that they keep this in mind," says Schwartz of the Center for Democracy and Technology. Azoogle, one of the largest third-party online ad networks, heeded that advice and terminated its relationship with 180solutions this month.

Adware makers need to rein in out-of-control affiliates. In January, according to the Justice Department, Jeanson James Ancheta confessed to using servers he controlled to transmit malicious code over the Web to scan for and exploit vulnerable computers, redirecting thousands of PCs to an Internet Relay Chat channel that he controlled. Ancheta generated $60,000 in advertising affiliate earnings by directing more than 400,000 infected computers to servers he controlled where adware he had modified was surreptitiously downloaded. Ancheta also admitted to commandeering computers to create botnets—or robot networks—to launch denial-of-service attacks and transmit spam. He also earned about $3,000 from selling access to his botnets.

Serious Business

Among Ancheta's victims were the Weapons Division of the U.S. Naval Air Warfare Center in China Lake, Calif., and the Defense Information Systems Agency, the combat support unit responsible for IT and communications. The 20-year-old agreed to pay $15,000 to the two Defense Department units as restitution and forfeit all proceeds from his illegal activity, including $60,000 in cash, his computer equipment, and a BMW. He faces up to 25 years in prison; a federal judge will decide sentencing on May 1.

Adware provider WhenU.com doesn't use affiliates, but it, too, has had to change some practices. When CEO Bill Day, one-time head of the search site About .com, joined WhenU as CEO in 2004, one of his first actions was to stop marketing its software through banner ads on Web sites, for which WhenU paid the site operator a fee per download. Customers of WhenU's newer pop-up ads include ABC, which last fall used WhenU to promote two new shows, Invasion and Commander In Chief.

It's possible that adware could shake off its troubled youth and become a legit form of advertising—even if, like telemarketing, it's never exactly loved. Day notes that advertisers pay WhenU only when users click on ads, a model similar to that used by paid-search companies like Google and Yahoo. Users get only about an ad an hour, maybe less, says Day, who claims 10 million to 15 million users and growing revenue.

If adware cleans up its act, it might eventually get the likes of the Center for Democracy and Technology off its back, and it could become a viable way for people to get content free. But that won't necessarily help business IT people, who still will have one more potentially risky and bandwidth-eating software program to keep off their networks.

Defining The Problem

It's not just adware companies feeling the backlash. The Australian media has had a field day reporting that skier Dale Begg-Smith, who won a gold medal in the 2006 Winter Olympics in the men's mogul event, was once a spyware master. The Australian reports say Begg-Smith's defunct Adscpm.com Web site spawned 20 million pop-ups a day, though Begg-Smith's associates are quoted as insisting the 21-year-old skier was involved in legitimate businesses.

Sony BMG Music Entertainment last year got nabbed selling music CDs that contained a rootkit—software that can be used by hackers to hide malicious code from antivirus and anti-spyware defenses—within the copy-protection scheme used to prevent music CDs from being copied to computers. To prevent software for digital rights management from easily being thwarted, Sony BMG used a rootkit to hide the copy-protection files from customers and make them difficult to remove. Bloggers, researchers, and law enforcement cried foul, and Sony BMG eventually recalled the CDs and alerted users about how to remove the DRM software.

It's enough to cause concern among PC users. Princeton University computer science and public affairs professor Edward Felten is a typical—and anxious—one. He knows there are tools on the Web that could help with his new hobby of music editing. But because of the threat of malicious software, "I'm less prone to try new software," Felten laments. "I'm more careful of what Web sites I go to. I spend time trying to protect myself."

That's important, but unfortunate. Spyware, Felten says, causes him "to shy away from small companies, shy away from using software from sites I don't know." That hesitation could mean a lost opportunity—adding to the price we pay for spyware.